security – Ars Technica 2017-08-25 15:40:03

Enlarge (credit: Michael Theis)

Security researchers have unearthed a sprawling list of login credentials that allows anyone on the Internet to take over home routers and more than 1,700 "Internet of things" devices and make them part of a destructive botnet.

The list of telnet-accessible devices, currently posted at this Pastebin address, was first posted in June, but it has been updated several times since then. It contains user names and passwords for 8,233 unique IP addresses, 2,174 of which were still running open telnet servers as of Friday morning, said Victor Gevers, chairman of the GDI Foundation, a Netherlands-based nonprofit that works to improve Internet security. Of those active telnet services, 1,774 remain accessible using the leaked credentials, Gevers said. In a testament to the poor state of IoT security, the 8,233 hosts use just 144 unique username-password pairs.

It is likely that criminals have been using the list for months as a means to infect large numbers of devices with malware that turns them into powerful denial-of-service platforms. Still, for most of its existence, the list remained largely unnoticed, with only some 700 views. That quickly changed Thursday with this Twitter post. By Friday afternoon, there were more than 13,300 views.

Read 10 remaining paragraphs | Comments

Mac users installing popular DVD ripper get nasty backdoor instead

(credit: Patrick Wardle)

Hackers compromised a download server for a popular media-encoding software named HandBrake and used it to push stealthy malware that stole victims' password keychains, password vaults, and possibly the master credentials that decrypted them, security researchers said Monday.

Over a four-day period ending Saturday, a download mirror located at download.handbrake.fr delivered a version of the DVD ripping and video conversion software that contained a backdoor known as Proton, HandBrake developers warned over the weekend. At the time that the malware was being distributed to unsuspecting Mac users, none of the 55 most widely used antivirus services detected it. That's according to researcher Patrick Wardle, who reported results here and here from the VirusTotal file-scanning service. When the malicious download was opened, it directed users to enter their Mac administrator password, which was then uploaded in plain text to a server controlled by the attackers. Once installed, the malware sent a variety of sensitive user files to the same server.

In a blog post published Monday morning, Thomas Reed, director of Mac offerings at antivirus provider Malwarebytes, wrote:

Read 5 remaining paragraphs | Comments

Microsoft turns two-factor authentication into one-factor by ditching password

(credit: Microsoft)

Microsoft Authenticator is a pleasant enough two-factor authentication app. You can use it to generate numeric authentication codes for accounts on Google, Facebook, Twitter, and indeed, any other service that uses a standard one-time password. The login process is straightforward: first you sign in to each site with your username and regular, fixed password, then you use the code generated by the app.

But for Microsoft accounts, Redmond is offering something new: getting rid of that first password and using just the phone to authenticate. With phone-based authentication enabled, after entering your Microsoft Account e-mail address, you'll receive an alert on your phone. From that alert, you can either approve or reject the authentication attempt—no password necessary.

This same approve-or-reject choice on the phone has been offered previously to Microsoft Accounts, but in the past, it still required the use of the fixed password.

Read 2 remaining paragraphs | Comments

Yahoo admits it’s been hacked again, and 1 billion accounts were exposed

Someone had faster access to over a billion Yahoo accounts' data. (credit: Scott Schiller)

On December 14, Yahoo announced that after an investigation into data provided by law enforcement officials in November, the company and outside forensics experts have determined that there was in fact a previously undetected breach of data from over 1 billion user accounts. The breach took place in August 2013, and is apparently distinct from the previous mega-breach revealed this fall—one Yahoo claims was conducted by a "state-sponsored actor".

The information accessed from potentially exposed accounts "may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers," Yahoo's chief information security officer Bob Lord reported in the statement issued by the company. "The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected."

It's not clear whether the data provided by law enforcement to Yahoo is connected to samples offered on an underground site this past August, particularly since Yahoo still remains unsure of how the user data was spirited out of its systems in the first place. But the breach news doesn't end there.

Read 4 remaining paragraphs | Comments