Category: breach

Sep 02 2016

Feds pin brazen kernel.org intrusion on 27-year-old programmer

Enlarge (credit: Ildar Sagdejev)

In August 2011, multiple servers used to maintain and distribute the Linux operating system kernel were infected with malware that gave an unknown intruder almost unfettered access. Earlier this week, the five-year-old breach investigation got its first big break when federal prosecutors unsealed an indictment accusing a South Florida computer programmer of carrying out the attack.

Donald Ryan Austin, 27, of El Portal, Florida, used login credentials belonging to a Linux Kernel Organization system administrator to install a hard-to-detect backdoor on servers belonging to the organization, according to the document that was unsealed on Monday. The breach was significant because the group manages the network and the website that maintain and distribute the open source OS that's used by millions of corporate and government networks around the world. One of Austin's motives for the intrusion, prosecutors allege, was to "gain access to the software distributed through the www.kernel.org website."

The indictment refers to kernel.org officials P.A. and J.H., who are presumed to be Linux kernel developer H. Peter Anvin and kernel.org Chief System Administrator John "'Warthog9" Hawley, respectively. It went on to say that Austin used the credentials to install a class of extremely hard-to-detect malware known as a rootkit and a Trojan that logs the credentials of authorized users who use the secure shell protocol to access an infected computer.

Read 7 remaining paragraphs | Comments

Sep 02 2016

Over 40 million usernames, passwords from 2012 breach of Last.fm surface

Enlarge / If you haven't changed your password for Last.fm since 2012, it's long past time—the passwords are now easily grabbed from the Internet.

The contents of a March 2012 breach of the music tracking website Last.fm have surfaced on the Internet, joining a collection of other recently leaked "mega-breaches" from Tumblr, LinkedIn, and MySpace. The Last.fm breach differs from the Tumblr breach, however, in that Last.fm knew about the breach when it happened and informed users in June of 2012. But more than 43 million user accounts were exposed, including weakly encrypted passwords—96 percent of which were cracked within two hours by researchers associated with the data breach detection site LeakedSource.

Last.fm is a music-centered social media platform—it tracks the music its members play, aggregating the information to provide a worldwide "trending" board for music, letting users learn about new music and share playlists, among other things. The 2012 database breach contained usernames, passwords, the date each member joined the service, and internal data associated with the account. The passwords were encrypted with an unsalted MD5 hash.

"This algorithm is so insecure it took us two hours to crack and convert over 96 percent of them to visible passwords, a sizable increase from prior mega breaches," a member of LeakedSource wrote in a post about the data. Ars confirmed the LeakedSource data using our own Last.fm account information.

Read 2 remaining paragraphs | Comments

Aug 08 2016

Oracle-owned point-of-sale service suffers from malware attack

MICROS, an Oracle-owned division that's one of the world's top three point-of-sale services, has suffered a security breach. The attack possibly comes at the hands of a Russian crime gang that siphoned out more than $1 billion from banks and retailers in past hacks, security news site KrebsOnSecurity reported Monday.

Oracle representatives have told reporter Brian Krebs that company engineers "detected and addressed malicious code in certain legacy MICROS systems" and that the service has asked all customers to reset their passwords for the MICROS online support site. Anonymous people have told Krebs that Oracle engineers initially thought the breach was limited to a small number of computers in the company's retail division. The engineers later realized the infection affected more than 700 systems.

Krebs went on to report that two security experts briefed on the breach investigation said the MICROS support portal was seen communicating with a server that's known to be used by the Carbanak Gang. Over the past few years, Carbanak members are suspected of funneling more than $1 billion out of banks, retailers, and hospitality firms the group hacked into.

Read 4 remaining paragraphs | Comments

Aug 03 2016

New attack steals SSNs, e-mail addresses, and more from HTTPS pages

Enlarge / A demo planned for Wednesday will show how an ad hosted on nytimes.com could attack other HTTPS-protected sites. (credit: Vanhoef, Van Goethem)

The HTTPS cryptographic scheme protecting millions of websites is vulnerable to a newly revived attack that exposes encrypted e-mail addresses, social security numbers, and other sensitive data even when attackers don't have the ability to monitor a targeted end user's Internet connection.

The exploit is notable because it doesn't require a man-in-the-middle position. Instead, an end user need only encounter an innocuous-looking JavaScript file hidden in an Web advertisement or hosted directly on a webpage. The malicious code can then query a variety of pages protected by the secure sockets layer or transport layer security protocols and measure the precise file sizes of the encrypted data they transmit. As its name suggests, the HEIST technique—short for HTTP Encrypted Information can be Stolen Through TCP-Windows—works by exploiting the way HTTPS responses are delivered over the transmission control protocol, one of the Internet's most basic building blocks.

Once attackers know the size of an encrypted response, they are free to use one of two previously devised exploits to ferret out the plaintext contained inside it. Both the BREACH and the CRIME exploits are able to decrypt payloads by manipulating the file compression that sites use to make pages load more quickly. HEIST will be demonstrated for the first time on Wednesday at the Black Hat security conference in Las Vegas.

Read 12 remaining paragraphs | Comments