Hack on PS and Xbox attackers leaks DDoS customers’ plaintext passwords

It's payback time for the group that knocked the Sony PlayStation and Microsoft Xbox networks offline in December. First came the report Friday morning that a UK man was arrested in connection with the distributed denial-of-service attacks, making him at least the second person to be detained in an ongoing investigation. Now comes word the customer database Lizard Squad members maintained as part of their DDoS-for-hire service has been breached, spilling details on more than 14,241 users.

But the comeuppance doesn't end there. According to KrebsOnSecurity reporter Brian Krebs, who broke the story about the compromised database, all registered names and passwords were stored in plaintext. The cache shows that customers deposited $11,000 in bitcoins to pay for attacks on thousands of Internet addresses. The information will no doubt prove interesting to members of rival gangs and law enforcement agencies around the world.

The database was tied to LizardStresser[dot]ru, a so-called stresser or boot service ostensibly available to test a website's resistance to attacks. In the vast majority of cases, they're nothing more than fronts for DDoS services. According to Krebs, the December attacks on the PlayStation and Xbox networks were designed to be advertisements promoting the service. Given the breach that has now leaked potentially sensitive customer information that was left woefully unprotected, it's safe to assume any buzz in underground markets surrounding the LizardStresser service is over.

Read on Ars Technica | Comments

How dating app Grindr makes it easy to stalk 5 million gay men

Mobile dating apps have revolutionized the pursuit of love and sex by allowing people not only to find like-minded mates but to identify those who are literally right next door, or even in the same bar, at any given time. That convenience is a double-edge sword, warn researchers. To prove their point, they exploited weaknesses in Grindr, a dating app with more than five million monthly users, to identify users and construct detailed histories of their movements.

The proof-of-concept attack worked because of weaknesses identified five months ago by an anonymous post on Pastebin. Even after researchers from security firm Synack independently confirmed the privacy threat, Grindr officials have allowed it to remain for users in all but a handful of countries where being gay is illegal. As a result, geographic locations of Grindr users in the US and most other places can be tracked down to the very park bench where they happen to be having lunch or bar where they're drinking and monitored almost continuously, according to research scheduled to be presented Saturday at the Shmoocon security conference in Washington, DC.

Grindr officials declined to comment for this post beyond what they said in posts here and here published more than four months ago. As noted, Grindr developers modified the app to disable location tracking in Russia, Egypt, Saudi Arabia, Nigeria, Liberia, Sudan, Zimbabwe, and any other place with anti-gay laws. Grindr also locked down the app so that location information is available only to people who have set up an account. The changes did nothing to prevent the Synack researchers from setting up a free account and tracking the detailed movements of several fellow users who volunteered to participate in the experiment.

Read 8 remaining paragraphs | Comments

Google drops more Windows 0-days. Something’s gotta give

Google's security researchers have published another pair of Windows security flaws that Microsoft hasn't got a fix for, continuing the disagreement between the companies about when and how to disclose security bugs.

The first bug affects Windows 7 only and results in minor information disclosure. Microsoft says, and Google agrees, that this does not meet the threshold for a fix. Windows 8 and up don't suffer the same issue.

The second bug is more significant. In certain situations, Windows doesn't properly check the user identity when performing cryptographic operations, which results in certain shared data not being properly encrypted. Microsoft has developed a fix for this bug, and it was originally scheduled for release this past Tuesday. However, the company discovered a compatibility issue late in testing, and so the fix has been pushed to February.

Read 7 remaining paragraphs | Comments

Survey says security products waste our time

For anyone who has freaked out when an antivirus alert popped up on their screen and spent time researching it only to find out it was a false alarm, a recent survey will hit home.

A survey of information-technology professionals published on Friday found that the average large organization has to sift through nearly 17,000 malware alerts each week to find the 19 percent that are considered reliable. The efforts at triage waste employees’ time—to the tune of a total estimated annual productivity loss of $1.3 million per organization. In the end, security professionals only have time to investigate four percent of the warnings, according to the survey conducted by the market researcher Ponemon Institute.

The survey results show the problems posed by security software that alerts for any potential threat, says Brian Foster, chief technology officer of network-security firm Damballa, the sponsor of the research.

Read 9 remaining paragraphs | Comments