Category Archives: breach

1.2 billion stolen login details put a spotlight on the broken password system

Russian cybercrime group stole user names and passwords from 420,000 sites. Perhaps it’s time to move on from the password.

Spotify, security firm Avast report hacks that spill user data

The list of companies suffering security breaches that spill users' password data or other personal information grew by at least two this week with disclosures from security firm Avast and music subscription service Spotify.

Prague-based Avast said its user support forum was hacked over the weekend. Attackers got access to cryptographically hashed passwords, usernames, and e-mail addresses for about 400,000 people who had accounts on the service, which was hosted on a third-party software platform. Credit card data, license numbers, and other personal information belonging to Avast customers at large were unaffected. The forum will remain offline for the time being, while the service is rebuilt and moved to a different platform.

"We realize that it is serious to have these usernames stolen and regret the concern and inconvenience it causes you," Avast CEO Vince Steckler wrote in an advisory posted Monday. "However, this is an isolated third-party system and your sensitive data remains secure."


After the breach: eBay’s flawed password reset leaves much to be desired

eBay has finally stopped burying its own advisory to change passwords following a major hack on its corporate network by adding an important password update to the top of its home page. Now, engineers should turn their attention to flaws on the site's password reset page that may prevent users from choosing passcodes that are truly hard to crack.

When strong is weak

Chief among the imperfections is eBay's meter, which labels chosen passwords as "weak," "medium," or "strong" depending on their resistance to common cracking techniques. It rated "Stlk/v/FqSx"lireFTzidyS/m" (minus the beginning and ending quotation marks) as weak, even though the password is 25 characters long, mixes upper- and lower-case letters with symbols, and doesn't appear in any obvious dictionary or word list. (Thanks to @digininja for the example.) That means the only likely way to crack it is brute force, in which an attacker tries every possible combination. The keyspace involved, that is, the number of possible 25-character strings drawn from upper- and lower-case letters and special characters, is 85^25: the number of possible letters (52) plus the number of possible symbols (33), raised to the power of the password length (25).

It would take huge amounts of time and computation power to crack the password, and yet for some unexplained reason, eBay is telling users it's weak. The site's password meter similarly grades as weak the inversion, "m/SydizTFeril"xSqF/v/kltS", as well as smaller subsets. It also gave a "weak" mark to the password choices of "bEDl(<y|" and ">advice to eBay customers—as medium strength.
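The keyspace arithmetic above, carried through in code. This is an added example, not code from the article or from eBay: it scores a password by the character classes it actually uses (the article's 52 letters plus 33 symbols, so an 85-symbol alphabet for the example string), checks a word list first so that a long dictionary word is not mistaken for a strong password, and estimates worst-case brute-force time. The word list, the 40/80-bit grade thresholds and the guess rate of 1e11 per second are assumptions chosen for illustration.

```python
import math
import string

# Character-class sizes behind the keyspace arithmetic in the article:
# 52 letters (upper + lower) plus 33 symbols gives an 85-symbol alphabet.
# Python's string.punctuation holds 32 characters; counting the space makes 33.
CLASSES = {
    "lower": set(string.ascii_lowercase),        # 26
    "upper": set(string.ascii_uppercase),        # 26
    "digit": set(string.digits),                 # 10
    "symbol": set(string.punctuation) | {" "},   # 33
}

# Constructed stand-in for a cracking dictionary (a real one has millions of entries).
WORDLIST = {"password", "letmein", "ebay", "qwerty", "123456"}

# Hypothetical guess rate for the time estimate; not a figure from the article.
GUESSES_PER_SECOND = 1e11


def alphabet_size(password: str) -> int:
    """Sum of the sizes of the character classes that actually occur."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Number of strings of this length over the implied alphabet (e.g. 85**25)."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace: the work a brute-force attacker faces."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def years_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole keyspace at the given guess rate."""
    return keyspace(password) / rate / (365.25 * 24 * 3600)


def grade(password: str) -> str:
    """A meter that consults the word list first and only then scores by entropy.
    The 40-bit and 80-bit thresholds are assumptions chosen for illustration."""
    if password.lower() in WORDLIST:
        return "weak"
    bits = entropy_bits(password)
    if bits < 40:
        return "weak"
    if bits < 80:
        return "medium"
    return "strong"


if __name__ == "__main__":
    for pw in ['Stlk/v/FqSx"lireFTzidyS/m', 'm/SydizTFeril"xSqF/v/kltS',
               "bEDl(<y|", "password"]:
        print(f"{pw:28} {entropy_bits(pw):6.1f} bits  "
              f"{years_to_exhaust(pw):9.3g} years  {grade(pw)}")
```

Run stand-alone, the script prints roughly 160 bits for the 25-character string (and its inversion), about 51 bits for the 8-character "bEDl(<y|", and a dictionary hit for "password". The order of the checks is the point: a meter that scores only on length and character mix will call "Password123!" strong, and one that scores only on a pattern heuristic can call a 160-bit string weak, which is the behaviour the article reports.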


Opera Breach – When Cybercriminals take on Targeted Attacks

On June 26 2013, browser manufacturer Opera announced that they had been breached as a result of a targeted attack against their infrastructure. However, this was no ordinary targeted attack. The attackers in this case weren't looking to steal intellectual property. They wanted to use Opera's auto-update mechanism in order to propagate a piece of malware normally associated with financial Trojans.

When attackers breached the Opera network sometime around June 19 2013, they first stole an expired Opera code signing certificate to sign a piece of malware. Signing the malware allowed them to distribute it via Opera's auto-update mechanism. Users would receive the malware as part of a browser update. The malware in question is Downloader.Ponik, a downloader Trojan typically used to propagate cybercrime-related malware, such as financial Trojans and infostealers.
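The defensive check implied by the paragraph above, as an added example (not Opera's or Symantec's code): an update client that verifies a signed manifest and refuses any signature from a key whose validity window does not cover the time of the check, so that a stolen but expired signing credential cannot vouch for a download. Real updaters pin X.509 code-signing certificates; HMAC secrets stand in here so the example runs on the standard library alone. The key registry, key identifiers, dates and installer bytes are all constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Tuple

# Hypothetical signing-key registry shipped inside the update client. The
# secrets, identifiers and validity windows are assumptions for the example;
# the point is that a key outside its window must not be able to authorise an update.
SIGNING_KEYS = {
    "vendor-2011": {"secret": b"retired-key-material-assumed",
                    "not_before": "2011-01-01T00:00:00Z",
                    "not_after": "2012-01-01T00:00:00Z"},
    "vendor-2013": {"secret": b"current-key-material-assumed",
                    "not_before": "2013-01-01T00:00:00Z",
                    "not_after": "2014-01-01T00:00:00Z"},
}


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def canonical(manifest: dict) -> bytes:
    """Deterministic serialisation so signer and verifier MAC identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(version: str, payload: bytes) -> dict:
    """What the update server publishes alongside the installer bytes."""
    return {"version": version, "sha256": hashlib.sha256(payload).hexdigest()}


def sign_manifest(manifest: dict, key_id: str) -> str:
    """Server side: MAC the canonical manifest with the named key."""
    secret = SIGNING_KEYS[key_id]["secret"]
    return hmac.new(secret, canonical(manifest), hashlib.sha256).hexdigest()


def verify_update(manifest: dict, key_id: str, signature: str,
                  payload: bytes, now: datetime) -> Tuple[bool, str]:
    """Client side: every check must pass before the payload is installed."""
    key = SIGNING_KEYS.get(key_id)
    if key is None:
        return False, "unknown signing key"
    # A correct signature from a key outside its validity window is still rejected.
    if not parse_ts(key["not_before"]) <= now <= parse_ts(key["not_after"]):
        return False, "signing key outside validity window"
    expected = hmac.new(key["secret"], canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    # The manifest binds the installer bytes; a swapped payload fails here.
    if hashlib.sha256(payload).hexdigest() != manifest.get("sha256"):
        return False, "payload hash mismatch"
    return True, "ok"


if __name__ == "__main__":
    installer = b"constructed installer bytes"        # stand-in for a real update
    manifest = build_manifest("1.2.3", installer)
    now = parse_ts("2013-06-19T01:00:00Z")
    print(verify_update(manifest, "vendor-2013", sign_manifest(manifest, "vendor-2013"), installer, now))
    print(verify_update(manifest, "vendor-2011", sign_manifest(manifest, "vendor-2011"), installer, now))
    print(verify_update(manifest, "vendor-2013", sign_manifest(manifest, "vendor-2013"), b"trojan", now))
```

The second call is the case the article describes: the signature itself is valid, but the key that produced it expired long ago, so the client must not install. Production code signing usually pairs the signature with a trusted timestamp so that something signed while the certificate was valid stays verifiable after expiry; in that design the window check compares the countersigned time, not the current time, and a signature made after expiry still fails.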

Opera, in their statement, estimates that a few thousand users may have automatically received the malware sometime between 01:00 and 01:36. Opera spotted the breach and were able to halt any further propagation of the malware. As the attackers only had a small window in which to operate they had limited success. Had they had more prolonged access to the Opera network they would have been much more successful. Or would they?

Had the attackers had access to the Opera servers for a longer period they would have been able to propagate their malware to a much larger number of users. However, such an attack would be very noisy, drawing the attention of security companies who would quickly provide protection and lead a concerted effort to take down command-and-control (C&C) servers. All of this would render the malware effectively useless. This is reminiscent of Conficker, a threat which spread to millions of computers and was due to trigger a payload on April 1, 2009. However, by that time, security organizations and hosting providers had worked together to take control of the C&C servers. The threat was being so closely monitored that the attackers were unable to leverage it.

When attackers try aggressive propagation methods they become victims of their own success. For now this attack has been neutralized. Opera recommends that users update their browsers as a proactive measure against further attacks. Symantec provides protection for this as Downloader.Ponik. We also recommend that users who think they may have been affected reset their passwords.

ColdFusion hack used to steal hosting provider’s customer data

A vulnerability in the ColdFusion Web server platform, reported by Adobe less than a week ago, has apparently been in the wild for almost a month and has allowed the hacking of at least one company website, exposing customer data. Yesterday, it was revealed that the virtual server hosting company Linode had been the victim of a multi-day breach that allowed hackers to gain access to customer records.

The breach was made possible by a vulnerability in Adobe's ColdFusion server platform that could, according to Adobe, "be exploited to impersonate an authenticated user." A patch had been issued for the vulnerability on April 9 and was rated as priority "2" and "important." Those ratings placed it a step down from the most critical, indicating that there were no known exploits at the time the patch was issued but that data was at risk. Adobe credited "an anonymous security researcher" with discovering the vulnerability.

But according to an IRC conversation involving one of the alleged hackers of the site, Linode's site had been compromised for weeks before its discovery. That revelation leaves open the possibility that other ColdFusion sites have been compromised as hackers sought out targets on which to use the exploit.


LogMeIn, DocuSign Investigate Breach Claims

Customers of remote PC administration service Logmein.com and electronic signature provider Docusign.com are complaining of a possible breach of customer information after receiving malware-laced emails to accounts they registered exclusively for use with those companies. Both companies say they are investigating the incidents, but so far have found no evidence of a security breach.

Some LogMeIn users began complaining of receiving malware spam to LogMeIn-specific email addresses on Dec. 3, 2012. The messages matched spam campaigns that spoofed the U.S. Internal Revenue Service (IRS) and other organizations in a bid to trick recipients into opening a malicious attachment. Multiple LogMeIn users reported receiving similar spam to addresses they had created specifically for their LogMeIn accounts and that had not been used for other purposes. The first LogMeIn user to report the suspicious activity said he received a malicious email made to look like it came from DocuSign but was sent to an address that was created exclusively for use with LogMeIn (hat tip to @PogoWasRight).

“I have an email account that allows me to put anything in front of the @ (at), which helps keep track of what/who I sign up to,” wrote LogMeIn user “Droolio” in a thread on the company’s support forum. “This way, not only do I know who leaks my email addresses (as did happen with Dropbox a few months back), spammers can be blocked after they get ahold of it. My PC is malware-free and I hardly use LogMeIn (although it is installed albeit disabled) and the last time it was used was months ago.” [link added].

LogMeIn user Justin McMurtry, a realtor in Houston, Texas, said he received a Trojan-spam message to his LogMeIn-specific email address at the same time he received the same message at an address he used exclusively for DocuSign.

“It is especially worrisome to consider the possibility that LogMeIn and/or Docusign account passwords could have been leaked as well,” McMurtry wrote on LogMeIn’s support forum. “Attackers able to actually log in using someone’s LogMeIn credentials could conceivably have full interactive access to any number of computers and mobile devices.”

LogMeIn spokesman Craig VerColen said that while the investigation remains open, the company has so far found no signs of any compromises to its users' information.

“It is worth noting, as part of the investigation, we did find some commonality with the naming conventions of the emails associated with the reports,” VerColen wrote in an email to KrebsOnSecurity. “Many (nearly 30%) of the reports – and this includes all reports, not just the handful of people reporting the unique email claim – included variations of LogMeIn in the name, e.g. logmein@acme.com, LMI@acme.com, logmeinrescue@acme.com. The majority of the others used either common prefixes, e.g. info@acme.com, sales@acme.com, tech@acme.com, or common first names, e.g. joe@acme.com. While this is not the case with all of the email addresses, the commonality would seem to suggest a pattern.”

For its part, DocuSign released a statement saying that it is investigating the incident and is working with law enforcement agencies to take further action. But it chalked the incident up to aggressive phishing attacks, noting that “antivirus vendors report malicious code incidents have been increasing by as much as 3600% in recent weeks.”

“The investigation is still underway, but we have not seen any kind of indication of a data breach,” said Dustin Grosse, DocuSign’s chief marketing officer.

In July, users of file syncing and sharing service DropBox.com began complaining of receiving spam emails to addresses they’d registered for exclusive use with the service. DropBox initially said its investigation turned up no internal breach, but two weeks later the company disclosed that an employee misstep caused the inadvertent leak.
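The per-service address technique the LogMeIn users relied on, and the counter-argument in VerColen's reply, as an added example that is not part of the original post or of any of the companies' tooling. The script keeps a registry of tagged addresses that were each handed to exactly one service, parses incoming spam to see which tags were hit, and separates those hits from addresses a spammer could simply have guessed (service-name variants, role prefixes, common first names). The registry, the address lists, the heuristics and the sample messages are all constructed for the example; none of the addresses or domains come from the article.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses
from typing import Dict, List

# Constructed registry of one user's per-service tagged addresses: a random
# local part, each given to exactly one company, in the style the forum poster
# describes. These addresses and domains are assumptions, not from the article.
REGISTRY = {
    "a8f3x1@example.com": "LogMeIn",
    "k2p9qz@example.com": "DocuSign",
    "m7c4tr@example.com": "Dropbox",
}

# Heuristics mirroring the naming patterns in the spokesman's reply: service-name
# variants, generic role prefixes and common first names are guessable, so spam
# to them proves nothing about a leak. The lists are illustrative.
SERVICE_NAME_VARIANTS = ("logmein", "lmi", "docusign", "dropbox")
ROLE_PREFIXES = {"info", "sales", "tech", "support", "admin", "webmaster"}
COMMON_FIRST_NAMES = {"joe", "john", "bob", "mike", "dave"}

# Constructed spam samples. The DocuSign-themed lure sent to the LogMeIn-only
# address mirrors the first report described in the article.
SPAM_SAMPLES = [
    "From: IRS Notice <refund@irs-notice.example>\n"
    "To: a8f3x1@example.com\n"
    "Subject: Tax refund form attached\n\n"
    "Please open the attached form.\n",
    "From: DocuSign <noreply@docusign-review.example>\n"
    "To: a8f3x1@example.com\n"
    "Subject: Document ready for signature\n\n"
    "Click to review.\n",
    "From: DocuSign <noreply@docusign-review.example>\n"
    "To: k2p9qz@example.com\n"
    "Subject: Document ready for signature\n\n"
    "Click to review.\n",
    "From: IRS Notice <refund@irs-notice.example>\n"
    "To: logmein@acme.example, info@acme.example, joe@acme.example\n"
    "Cc: LMI@acme.example\n"
    "Subject: Tax refund form attached\n\n"
    "Please open the attached form.\n",
]


def recipients(raw_message: str) -> List[str]:
    """All To/Cc addresses of one message, lower-cased."""
    msg = message_from_string(raw_message)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(fields)]


def classify(address: str) -> str:
    """Label an address by how easily a spammer could have guessed it."""
    local = address.split("@", 1)[0].lower()
    if any(v in local for v in SERVICE_NAME_VARIANTS):
        return "guessable-service-name"
    if local in ROLE_PREFIXES:
        return "guessable-role"
    if local in COMMON_FIRST_NAMES:
        return "guessable-first-name"
    return "unique"


def attribute_leaks(messages: List[str], registry: Dict[str, str]) -> Counter:
    """Spam count per service, counting only unique tagged addresses that were
    handed to that one service; guessable addresses are excluded as noise."""
    hits = Counter()
    for raw in messages:
        for addr in recipients(raw):
            if classify(addr) == "unique" and addr in registry:
                hits[registry[addr]] += 1
    return hits


def pattern_summary(messages: List[str]) -> Counter:
    """Breakdown of the kind given in the spokesman's reply: how many reported
    addresses fall into each guessability bucket."""
    return Counter(classify(a) for raw in messages for a in recipients(raw))


if __name__ == "__main__":
    print(attribute_leaks(SPAM_SAMPLES, REGISTRY))   # which services' tags were hit
    print(pattern_summary(SPAM_SAMPLES))             # how many reports are guessable
```

On the constructed samples, the LogMeIn tag is hit twice and the DocuSign tag once, while the four addresses in the last message are all guessable and count for nothing. That separation is what the spokesman's "nearly 30%" observation is getting at: a pile of reports to logmein@acme.com or info@acme.com is consistent with ordinary spam, whereas spam arriving at a random tag that only one company ever received is the signal worth investigating.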
