May 31 2016

Cluster of “megabreaches” compromise a whopping 642 million passwords


Less than two weeks after more than 177 million LinkedIn user passwords surfaced, security researchers have discovered three more breaches involving MySpace, Tumblr, and dating website Fling that all told bring the total number of compromised accounts to more than 642 million.

"Any one of these 4 I'm going to talk about on their own would be notable, but to see a cluster of them appear together is quite intriguing," security researcher Troy Hunt observed on Monday. The cluster involves breaches known to have happened to Fling in 2011, to LinkedIn in 2012, and to Tumblr in 2013. It's still not clear when the MySpace hack took place, but Hunt, operator of the Have I been pwned? breach notification service, said it surely happened sometime after 2007 and before 2012. He continued:

There are some really interesting patterns emerging here. One is obviously the age; the newest breach of this recent spate is still more than 3 years old. This data has been lying dormant (or at least out of public sight) for long periods of time.

The other is the size, and these 4 breaches are all in the top 5 largest ones HIBP has ever seen. That's out of 109 breaches to date, too. Not only that, but these 4 incidents account for two thirds of all the data in the system, or at least they will once MySpace turns up.

Then there's the fact that it's all appearing within a very short period of time - all just this month. There's been some catalyst that has brought these breaches to light and to see them all fit this mould and appear in such a short period of time, I can't help but wonder if they're perhaps related.

All four of the password dumps are being sold on a darkweb forum by peace_of_mind, a user with 24 positive feedback ratings, two neutral ratings, and zero negative ratings. That's an indication the unknown person isn't exaggerating the quality of the data. The megabreach trend is troubling for at least a couple of reasons. First, it demonstrates that service providers are either unable to detect breaches or are willing to keep them secret for years after they're discovered. Second, it raises the unsettling question of where the trend will end, and whether additional breaches are in store before we get there.


May 31 2016

Android Spyware Targets Security Job Seekers in Saudi Arabia

The Middle East is the new Wild West of mobile malware, especially for targeted attacks and intelligence-gathering campaigns. During the past few years, Intel Security Mobile Research has monitored and reported on several countries in the region and has found an alarming increase in campaigns using mobile malware not only for disruption and hacktivism but also for intelligence gathering. Today we shed light on a new campaign targeting Saudi Arabia.

We have identified a campaign that is working in tandem with a job site that offers work for security personnel in government or military jobs.


The spyware, Android/ChatSpy, was distributed as a private chat application. It steals user contacts, SMS messages, and voice calls from infected devices and forwards them to the attacker’s server, which is in the same location as the job site.


The spyware author's motives are not clear, but considering the jobs that were being advertised on the site, the implications should not be underestimated. The leaked information poses a serious security threat. We have reported this spyware campaign to the Computer Emergency Response Team in Saudi Arabia for additional investigation.

Let's take a look at the spyware's behavior. After it runs, the spyware shows only a screen with the network carrier and the user's phone number, nothing more.


At the same time, the spyware runs in the background and gathers device information, contacts, browser history, SMS messages, and call logs from the infected device, and posts them to the attacker's server. Then the spyware sends the message "New victim arrived" to notify the attacker of the infection and hides its application icon from the menu to prevent uninstallation and keep its spying activities secret.


The spyware keeps monitoring incoming SMS messages, takes screenshots, and records incoming and outgoing voice calls in the background. This sensitive user information is also posted to the attacker's server, which runs a MySQL database that collects the data from infected devices. How is the information used? Most likely in a subsequent targeted attack.


Although the spyware works cleanly and quietly, the application code is of poor quality. The spyware has "spy" in the package name, and the hardcoded SMS message to the attacker has "victim" in plain text. The spyware uses an open-source project, "call-recorder-for-android," found on GitHub, to implement the voice-call recording function. With such sloppy coding, the spyware must have been a rush job by a "script kiddie."

Intel Security recommends that you install mobile security software and not trust applications downloaded from unknown sources. McAfee Mobile Security detects this threat as Android/ChatSpy and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit

SHA-256 hash of analyzed sample(s):

  • 7cbf61fbb31c26530cafb46282f5c90bc10fe5c724442b8d1a0b87a8125204cb
  • 4aef8d9a3c4cc1e66a6f2c6355ecc38d87d9c81bb2368f4ca07b2a02d2e4923b

Control server:

  • hxxp://ksa-sef[dot]com/Hack%20Mobaile/
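The indicators above can be turned into a simple sweep of a fleet: refang the defanged control-server URL, then look for its host in proxy logs and for the sample hashes in an APK inventory. This is an added illustration, not McAfee's code; the proxy log lines and the inventory export below are constructed, and the log field layout is an assumption.

```python
"""Sweep proxy logs and an APK inventory for the Android/ChatSpy indicators."""
import re
from urllib.parse import urlparse

# Indicators quoted in the post (the control-server URL is given defanged).
CHATSPY_SHA256 = {
    "7cbf61fbb31c26530cafb46282f5c90bc10fe5c724442b8d1a0b87a8125204cb",
    "4aef8d9a3c4cc1e66a6f2c6355ecc38d87d9c81bb2368f4ca07b2a02d2e4923b",
}
CHATSPY_C2_DEFANGED = "hxxp://ksa-sef[dot]com/Hack%20Mobaile/"

# Constructed sample data: "timestamp client dest-host path status".
SAMPLE_PROXY_LOG = [
    "2016-05-30T09:12:01Z 10.0.0.21 www.example.org /index.html 200",
    "2016-05-30T09:13:44Z 10.0.0.35 ksa-sef.com /Hack%20Mobaile/upload.php 200",
    "2016-05-30T09:14:02Z 10.0.0.35 cdn.example.net /img/logo.png 304",
]
# Constructed MDM export: (device id, installed APK path, sha256 of the APK).
SAMPLE_INVENTORY = [
    ("dev-001", "/data/app/com.example.chat.apk",
     "7cbf61fbb31c26530cafb46282f5c90bc10fe5c724442b8d1a0b87a8125204cb"),
    ("dev-002", "/data/app/com.example.mail.apk", "ab" * 32),
]


def refang(indicator: str) -> str:
    """Undo common defanging (hxxp/hxxps, [dot], [.]) so values compare to real data."""
    out = re.sub(r"^hxxp", "http", indicator, flags=re.IGNORECASE)
    return out.replace("[dot]", ".").replace("[.]", ".")


def c2_host(defanged_url: str) -> str:
    """Host part of the refanged control-server URL, lower-cased."""
    return urlparse(refang(defanged_url)).hostname.lower()


def matching_proxy_lines(lines, host):
    """Lines whose destination host equals the C2 host or is a subdomain of it."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue                       # malformed line, skip rather than crash
        dest = fields[2].lower()
        if dest == host or dest.endswith("." + host):
            hits.append(line)
    return hits


def matching_inventory(inventory):
    """(device, apk path) pairs whose hash is one of the published sample hashes."""
    return [(dev, path) for dev, path, digest in inventory
            if digest.lower() in CHATSPY_SHA256]
```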

The post Android Spyware Targets Security Job Seekers in Saudi Arabia appeared first on McAfee.

May 31 2016

Wfuzz – Web Application Brute Forcer

Wfuzz is a flexible, Python-based web application brute forcer that supports various methods and techniques for exposing web application vulnerabilities. It lets you audit parameters, authentication, and forms by brute-forcing GET and POST parameters, and discover unlinked resources such as directories, files, and headers. A brute force attack...

May 27 2016

Office of the Privacy Commissioner announces first investigation under the address harvesting provisions

Today, the Office of the Privacy Commissioner (OPC) announced its report of findings against Compu-Finder, a Quebec-based company that offers face-to-face professional training courses.

The OPC alleges Compu-Finder used address harvesting programs to search for and collect e-mail addresses on the internet. This marks the first investigation by the OPC involving the address harvesting provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA). The OPC concluded that Compu-Finder did use individuals' e-mail addresses to send e-mails promoting its business activities without the consent of the individuals concerned. Compu-Finder was unable to demonstrate it had the appropriate consent for the collection and use of many of the e-mail addresses. Further, the OPC found Compu-Finder lacked basic knowledge of its privacy obligations and failed to demonstrate accountability and openness in its privacy practices.

This investigation also marks the first use of the OPC's compliance agreement power since that tool was added by the Digital Privacy Act on June 18, 2015. The compliance agreement between the Privacy Commissioner of Canada and Compu-Finder lists over ten remedial measures imposed on Compu-Finder. The measures that Compu-Finder has agreed to implement include:

  • collect and use only e-mail addresses with proper consent;
  • destroy all e-mail addresses in its possession which were collected without obtaining consent;
  • refrain from collecting any electronic addresses of individuals through the use of a harvesting computer program;
  • develop and implement a privacy program; and
  • obtain a third-party audit of its privacy program.

Compu-Finder is also under investigation by the Canadian Radio-television and Telecommunications Commission (CRTC). The CRTC issued a Notice of Violation against Compu-Finder pursuant to Canada's Anti-Spam Legislation (CASL) on March 5, 2016. The OPC acknowledged that the CRTC shared investigative information with the OPC pursuant to CASL and a Memorandum of Understanding between the two agencies.

The CRTC's proceedings against Compu-Finder are still ongoing.

You can read the full report of findings and compliance agreement online here.