Aug 31 2016

Dropbox hackers stole e-mail addresses, hashed passwords from 68M accounts

(credit: Jim Barton)

Dropbox hurriedly warned its users last week to change their passwords if their accounts dated back prior to mid-2012. We now know why: the cloud-based storage service suffered a data breach that's said to have affected more than 68 million accounts compromised during a hack that took place roughly four years ago.

The company had previously admitted that it was hit by a hack attack, but it's only now that the scale of the operation has seemingly come to light.

Tech site Motherboard reported—citing "sources in the database trading community"—that it had obtained four files, totalling 5GB in size, which apparently contained e-mail addresses and hashed passwords for 68,680,741 Dropbox users.

Read 7 remaining paragraphs | Comments

Aug 31 2016

Building a new Tor that can resist next-generation state surveillance

Since Edward Snowden stepped into the limelight from a hotel room in Hong Kong three years ago, use of the Tor anonymity network has grown massively. Journalists and activists have embraced the anonymity the network provides as a way to evade the mass surveillance under which we all now live, while citizens in countries with restrictive Internet censorship, like Turkey or Saudi Arabia, have turned to Tor in order to circumvent national firewalls. Law enforcement has been less enthusiastic, worrying that online anonymity also enables criminal activity.

Tor's growth in users has not gone unnoticed, and today the network first dubbed "The Onion Router" is under constant strain from those wishing to identify anonymous Web users. The NSA and GCHQ have been studying Tor for a decade, looking for ways to penetrate online anonymity, at least according to these Snowden docs. In 2014, the US government paid Carnegie Mellon University to run a series of poisoned Tor relays to de-anonymise Tor users. A 2015 research paper outlined an attack effective, under certain circumstances, at decloaking Tor hidden services (now rebranded as "onion services"). Most recently, 110 poisoned Tor hidden service directories were discovered probing .onion sites for vulnerabilities, most likely in an attempt to de-anonymise both the servers and their visitors.

Cracks are beginning to show; a 2013 analysis by researchers at the US Naval Research Laboratory (NRL), who helped develop Tor in the first place, concluded that "80 percent of all types of users may be de-anonymised by a relatively moderate Tor-relay adversary within six months."

Read 62 remaining paragraphs | Comments

Aug 30 2016

FTC Releases Alert on Securing Personal Information When Using Rental Vehicles

Original release date: August 30, 2016

The Federal Trade Commission (FTC) has released recommendations for consumers to protect their personal data when using rental vehicles. Rental vehicles may contain infotainment systems that can connect with personal devices to stream music, allow hands-free calls and texts, or guide navigation. However, using connected vehicles can increase the risks of having personal data compromised. By taking precautions, users can protect themselves and their personal information.

US-CERT encourages users to review the FTC Alert and US-CERT's Tip on Cybersecurity for Electronic Devices for more information.


This product is provided subject to this Notification and this Privacy & Use policy.


Aug 30 2016

Officials blame “sophisticated” Russian hackers for voter system attacks

Sophisticated hackers use the command line with their pinkies raised and wear cashmere balaclavas.

The profile of attacks on two state voter registration systems this summer presented in an FBI "Flash" memo suggests that the states were hit by a fairly typical sort of intrusion. But an Arizona official said that the Federal Bureau of Investigation had attributed an attack that succeeded only in capturing a single user's login credentials to Russian hackers and rated the threat from the attack as an "eight on a scale of ten" in severity. An Illinois state official characterized the more successful attack on that state's system as "highly sophisticated" based on information from the FBI.

Arizona Secretary of State Office Communications Director Matt Roberts told the Post's Ellen Nakashima that the FBI had alerted Arizona officials in June of an attack by Russians, though the FBI did not state whether they were state-sponsored or criminal hackers. The attack did not gain access to any state or county voter registration system, but the username and password of a single election official was stolen. Roberts did not respond to requests from Ars for clarification on the timeline and other details of the attack.

Based on the details provided by Roberts to the Post, it's not clear if the Arizona incident was one of the two referred to in the FBI "Flash" published this month. The FBI has not responded to questions about the memorandum on the attacks first published publicly by Yahoo News' Michael Isikoff, but a SQL injection attack wouldn't seem to be the likely culprit for stealing a single username and password. It's more likely that the Gila County election official whose credentials were stolen was the victim of a phishing attack or malware.

Read 5 remaining paragraphs | Comments