Investigation of password crackers busts site feds say hacked 6,000 accounts

An international law-enforcement crackdown on paid password cracking services has resulted in at least 11 arrests, including the operators of an alleged cracker-for-hire site in the US that prosecutors said compromised almost 6,000 e-mail accounts.

Mark Anthony Townsend, 45, of Cedarville, Arkansas, and Joshua Alan Tabor, 29, of Prairie Grove, Arkansas, ran a site called needapassword.com, according to court documents filed this week in federal court in Los Angeles. The site accepted user requests to hack into specific e-mail accounts hosted by Google, Yahoo, and other providers, prosecutors alleged. According to charging documents, the operators would break into the accounts, access their contents and send screenshots to the users proving the accounts had been compromised. The men would then send passwords in exchange for a fee paid to their PayPal account, prosecutors said.

"Through www.needapassword.com, defendant and others known and unknown to the United States Attorney obtained unauthorized access to over 5,900 e-mail accounts submitted by customers," a criminal information filed against Townsend stated. During the time of Tabor's involvement, needapassword.com broke into at least 250 accounts, a separate charging document claimed.

Apple.com does more to protect your password, study of top 100 sites finds


Apple, Microsoft, Chegg, Newegg, and Target do the best job of safeguarding customer passwords, according to a comprehensive study of the top 100 e-commerce websites that also ranked Major League Baseball, Karmaloop, Dick's Sporting Goods, Toys R Us, and Aeropostale as performing the worst.

Apple.com was the only site to receive a perfect score of 100, which was based on 24 criteria, such as whether the site accepts "123456" and other extremely weak passwords and whether it sends passwords in plaintext by e-mail. Microsoft and academic supplier Chegg tied for second place with 65, while Newegg and Target came in third with 60. By contrast, MLB received a score of -75, Karmaloop -70, Dick's Sporting Goods -65, and Aeropostale and Toys R Us each -60. Each site was awarded or deducted points on each criterion, giving a possible score between -100 and 100. The study was conducted by researchers from password manager Dashlane based on the password policies in effect on the top 100 e-commerce sites from January 17 through January 22.

An epidemic of poor passwords

Fully 55 percent of the sites accepted weak passwords such as "123456" and "password," while Toys R Us, J.Crew, 1-800-Flowers.com, and five other sites sent passwords as plaintext in e-mails. Sixty-one of the sites provided no advice on how to create a strong password when creating an account, while only seven sites provided any type of on-screen meter to help assess the strength of a chosen password.
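The two criteria the study calls out most, accepting "123456"-class passwords and offering no strength feedback, come down to a registration-time check the site never ran. The following is an added example, not code from Dashlane's study or from any of the sites it scored: a server-side acceptance check that rejects blocklisted passwords even when they are dressed up with capitals, leet substitutions or trailing digits, and returns a rough bit estimate of the kind an on-screen meter would display. The blocklist is a constructed sample of a few entries; a real deployment would load a large breached-password list, and the leet table and 12-character minimum are assumptions, not values from the study.

```python
"""Registration-time password acceptance check (added example, not the study's code)."""
import math
import re

# Constructed sample blocklist; the study itself names only "123456" and "password".
WEAK_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123",
    "111111", "letmein", "iloveyou", "monkey", "dragon",
}
MIN_LENGTH = 12  # assumed policy value

# Assumed leet table: @->a $->s 0->o 1->i 3->e 4->a 5->s
LEET = str.maketrans("@$01345", "asoieas")


def candidates(password: str) -> set:
    """Forms of the password to test against the blocklist.

    Folds case, drops a trailing run of digits ("password123"), strips
    punctuation ("Password!") and undoes common leet substitutions
    ("P@ssw0rd"), so a dressed-up blocklisted word is still caught.
    """
    low = password.lower()
    bases = {low, re.sub(r"\d+$", "", low)}
    forms = set()
    for base in bases:
        forms.add(base)
        forms.add(re.sub(r"[^a-z0-9]", "", base))
        forms.add(re.sub(r"[^a-z0-9]", "", base.translate(LEET)))
    forms.discard("")
    return forms


def is_trivial_run(password: str) -> bool:
    """True for a repeated character or a straight keyboard/number run."""
    codes = [ord(c) for c in password]
    diffs = {b - a for a, b in zip(codes, codes[1:])}
    return len(password) >= 4 and len(diffs) == 1 and diffs <= {-1, 0, 1}


def estimate_bits(password: str) -> float:
    """Crude meter value: length times log2 of the character pool in use."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"\d", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str) -> dict:
    """Return {'accepted': bool, 'reasons': [...], 'bits': float}."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if candidates(password) & WEAK_PASSWORDS:
        reasons.append("blocklisted")
    if is_trivial_run(password):
        reasons.append("trivial run")
    return {"accepted": not reasons, "reasons": reasons, "bits": estimate_bits(password)}


if __name__ == "__main__":
    for pw in ("123456", "P@ssw0rd123456", "correct horse battery staple"):
        print(pw, check_password(pw))
```

The point of `candidates` is that a naive `password in WEAK_PASSWORDS` test is what lets "Password1" through; the normalization runs on the server, so it cannot be bypassed the way client-side validation can.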

Samsung patches store site for account takeover bug

Samsung has fixed a vulnerability on at least one of its Samsung.com sites that allowed attackers to take over a target's account by creating a lookalike user name. The vulnerability, reported by security researcher Matthew Bryant (who goes by the hacker name "mandatory"), made it possible to register a username consisting of the intended victim's e-mail address with trailing spaces appended. The registration site treated this as a distinct account, but other subdomains within Samsung.com stripped the trailing spaces before matching the name, so the attacker's session was treated there as the targeted user's.

The bug, caused by the way Samsung’s Web applications pruned (or “scrubbed”) extra trailing characters off of account e-mail addresses, affected all of Samsung.com’s subdomains. But according to Bryant, Samsung has now fixed the problem on its e-commerce site—the one with the most sensitive user data.

“If your username was originally ‘[email protected]<SPACE><SPACE>,’” Bryant wrote in a blog post today, “after visiting http://shop.us.samsung.com/ it would be scrubbed to ‘[email protected]’.” The sign-up page's form validation prevents trailing spaces in user names, but that check runs only in the browser; the spaces can be added to the request with an HTTP intercept tool such as the Tamper Data Firefox add-on, and the server did not repeat the check.
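The root cause is that the sign-up path and the shop path normalized usernames differently, so two strings that were distinct at registration became the same string at lookup. The following is an added example, not Samsung's code or Bryant's proof of concept, that models the behaviour the article describes in Python: a registry that enforces uniqueness on the raw string while a "shop" lookup strips trailing whitespace first, next to a hardened registry that rejects whitespace and control characters server-side and keys uniqueness on one canonical form used everywhere. The account names, the `resolve_on_shop` lookup and the NFKC/casefold canonical form are constructed for illustration.

```python
"""Username collision from inconsistent trailing-space handling (added example)."""
import unicodedata
from typing import Optional


def shop_scrub(username: str) -> str:
    """Trailing-character scrub of the kind the article attributes to the shop site."""
    return username.rstrip()


class VulnerableRegistry:
    """Uniqueness is checked on the raw string; a downstream lookup scrubs it."""

    def __init__(self) -> None:
        self.accounts = {}  # raw username -> owner label

    def register(self, username: str, owner: str) -> None:
        # Only the browser form blocks trailing spaces. A proxy bypasses that,
        # so this server-side check sees a different key and accepts it.
        if username in self.accounts:
            raise ValueError("username already taken")
        self.accounts[username] = owner

    def resolve_on_shop(self, session_username: str) -> Optional[str]:
        """Who the shop subdomain believes a logged-in session belongs to."""
        wanted = shop_scrub(session_username)
        for raw, owner in self.accounts.items():
            if shop_scrub(raw) == wanted:  # first match wins: the original account
                return owner
        return None


def canonical(username: str) -> str:
    """One canonical form applied at every boundary: NFKC, case-fold, no surrounding space."""
    return unicodedata.normalize("NFKC", username).casefold().strip()


class HardenedRegistry:
    """Rejects names carrying whitespace/control characters; keys uniqueness on the canonical form."""

    def __init__(self) -> None:
        self.accounts = {}  # canonical username -> owner label

    def register(self, username: str, owner: str) -> None:
        # Repeat the form's check on the server, where an intercept proxy cannot skip it.
        if any(ch.isspace() or unicodedata.category(ch).startswith("C") for ch in username):
            raise ValueError("whitespace or control characters not allowed in username")
        key = canonical(username)
        if key in self.accounts:
            raise ValueError("username already taken")
        self.accounts[key] = owner

    def resolve_on_shop(self, session_username: str) -> Optional[str]:
        # Same canonical form as registration, so a session can only map to
        # the account that was actually created under that name.
        return self.accounts.get(canonical(session_username))


if __name__ == "__main__":
    # Constructed scenario: victim registers, attacker registers the same
    # address with two trailing spaces, then visits the shop subdomain.
    vuln = VulnerableRegistry()
    vuln.register("victim@example.com", "victim")
    vuln.register("victim@example.com  ", "attacker")
    print("vulnerable shop resolves attacker session to:",
          vuln.resolve_on_shop("victim@example.com  "))

    hard = HardenedRegistry()
    hard.register("victim@example.com", "victim")
    try:
        hard.register("victim@example.com  ", "attacker")
    except ValueError as exc:
        print("hardened registry rejected lookalike:", exc)
```

The hardened version does two separate things, and both matter: rejecting the trailing spaces outright closes the reported bypass, and canonicalizing before the uniqueness check closes the general class, so "VICTIM@example.com" or a fullwidth lookalike cannot be registered beside an existing account either.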

1.1 million payment cards exposed to malware in Neiman Marcus hack

Neiman Marcus has determined that a data breach extending from July until October of 2013 exposed as many as 1.1 million payment cards to malware, and that 2,400 cards have been used fraudulently as a result. Neiman Marcus acknowledged the breach two weeks ago and made further details available in a statement this week.

"While the forensic and criminal investigations are ongoing, we know that malicious software (malware) was clandestinely installed on our system," Neiman Marcus wrote. "It appears that the malware actively attempted to collect or 'scrape' payment card data from July 16, 2013 to October 30, 2013. During those months, approximately 1,100,000 customer payment cards could have been potentially visible to the malware. To date, Visa, MasterCard, and Discover have notified us that approximately 2,400 unique customer payment cards used at Neiman Marcus and Last Call stores were subsequently used fraudulently."

The New York Times reported that "the malware installed on terminals in Neiman Marcus stores seems to be the same malware that infiltrated Target’s systems." The Target breach was much bigger, exposing credit and debit card information for about 40 million customers and a separate set of personal information on an additional 70 million customers.
