Russia gang hacks 1.2 billion usernames and passwords

A Russian group has hacked 1.2 billion usernames and passwords belonging to more than 500 million email addresses, according to Hold Security – a US firm specialising in discovering breaches.

Hold Security described the hack as the "largest data breach known to date".

It claimed the stolen information came from more than 420,000 websites, including "many leaders in virtually all industries across the world".

via BBC News – Russia gang hacks 1.2 billion usernames and passwords.

Malware without files on the PC, encoded in the registry

As the entry point, they exploit a vulnerability in Microsoft Word with the help of a crafted Word document they spread via email. The same approach would work with any other exploit.
After that, they make sure that the malicious activities survive system re-boot by creating an encoded autostart registry key. To remain undetected, this key is disguised/hidden.
Decoding this key shows two new aspects: Code which makes sure the affected system has Microsoft PowerShell installed and additional code.
The additional code is a Base64-encoded PowerShell script, which calls and executes the shellcode (assembly).
As a final step, this shellcode executes a Windows binary, the payload. In the case analyzed, the binary tried to connect to hard coded IP addresses to receive further commands, but the attackers could have triggered any other action at this point.
All activities are stored in the registry. No file is ever created.

Malware that resides in the registry only – a rare and rather new approach

via .
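As an added example (not code from the G Data analysis quoted above), the Python below reviews autostart (Run-key) values of the kind described: it flags a value that launches PowerShell with an encoded command, decodes the Base64 payload as the UTF-16LE text that `-EncodedCommand` expects, and notes value names containing control characters, one common way a key is hidden from the Registry Editor. The registry values, names and script text are constructed for the demo.

```python
"""Flag autostart registry values that launch PowerShell with an encoded
command and decode the payload for review (added example, constructed data)."""
import base64
import re
from typing import List, Optional, Tuple

# Constructed sample of (value name, value data) pairs, shaped like an export of
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Not real malware samples.
SAMPLE_SCRIPT = "Write-Host 'decoded demo'"
ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")
SAMPLE_RUN_VALUES: List[Tuple[str, str]] = [
    ("OneDrive", r'"C:\Users\demo\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("\x00hidden", f"powershell.exe -NoP -W Hidden -enc {ENCODED}"),   # constructed
    ("Updater", "rundll32.exe shell32.dll,Control_RunDLL"),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
_ENC_FLAG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
_HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def decode_encoded_command(blob: str) -> Optional[str]:
    """-EncodedCommand carries Base64 of UTF-16LE text; a UTF-8 decode would
    show interleaved NULs. Returns None if the blob is not valid Base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_run_values(values: List[Tuple[str, str]]) -> List[dict]:
    """Return one finding per suspicious value, with the reasons and decoded script."""
    findings = []
    for name, data in values:
        reasons, decoded = [], None
        if any(ord(c) < 32 for c in name):
            reasons.append("value name contains control characters (hidden from Registry Editor)")
        if re.search(r"\bpowershell(?:\.exe)?\b", data, re.I):
            match = _ENC_FLAG.search(data)
            if match:
                decoded = decode_encoded_command(match.group(1))
                reasons.append("PowerShell launched with an encoded command")
            if _HIDDEN_WINDOW.search(data):
                reasons.append("hidden window requested")
        if reasons:
            findings.append({"name": name, "reasons": reasons, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for finding in analyze_run_values(SAMPLE_RUN_VALUES):
        print(repr(finding["name"]), finding["reasons"], "->", finding["decoded"])
```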

BadUSB – Turning USB peripherals into hacking vectors

Once reprogrammed, benign devices can turn malicious in many ways, including:

A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.

The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.

A modified thumb drive or external hard disk can – when it detects that the computer is starting up – boot a small virus, which infects the computer’s operating system prior to boot.

via Turning USB peripherals into BadUSB | Security Research Labs.

Looks like Karsten Nohl has done it again!

ONE EMAIL costs mining company $300 Million in stock fall

In January 2013, a chap called Jonathan Moylan sent a single email that caused an AU$314m – £174m or $295m – dip in a coal company’s value.

The email was a fake press release stating that Whitehaven Coal’s bank, ANZ, had decided not to lend the mining firm the billion or so dollars needed to open a new pit.

Moylan’s message was sent from a domain that riffed on ANZ Bank’s name, used the bank’s logo and included the name of an ANZ Bank PR person and a phone number. That number was Moylan’s own, so when journalists called to confirm the details of the fake press release, Moylan simply told them it was all kosher.

ONE EMAIL costs mining company $300 MEEELION • The Register.

W3 Ltd lost > 1m credit card records in website breach.

Think W3 Limited was hacked in December 2012 in an attack that relied on what the ICO described as "insecure" coding on the website of its subsidiary business, Essential Travel Ltd. The unidentified hacker behind the attack siphoned off a total of 1,163,996 credit and debit card records (431K current and 733K expired).

"Cardholder details had not been deleted since 2006 and there had been no security checks or reviews since the system had been installed," according to a subsequent investigation into the incident by data privacy watchdogs at the Information Commissioner’s Office (ICO). Think W3 was found guilty of a "serious" breach of the DPA.

via Who has your credit card data? 1 million HOLIDAY-MAKERS' RECORDS exposed • The Register.

UK: 4 strikes, not out, pirates!

In an unbelievably sane move, the UK has accepted that piracy exists and that cutting people from the internet won’t work very well.

Geoff Taylor, chief executive of music trade body the BPI, said VCAP was about “persuading the persuadable, such as parents who do not know what is going on with their net connection.”

He added: “VCAP is not about denying access to the internet. It’s about changing attitudes and raising awareness so people can make the right choice.”

Britain just decriminalised online game piracy | VG247.

2600 magazine ripped off by TEN: The Enthusiast Network

the distributor (Source Interlink) decided to close its doors to magazine distribution after losing Time Inc.’s business. This caused us to scramble to find alternative methods of getting our magazine into stores around the world, a feat we accomplished without too much difficulty. But getting what was left of Source Interlink, now rebranded as “TEN: The Enthusiast Network,” to pay us for the two issues retailers paid them for, is proving much more difficult.

SOURCE INTERLINK CLOSURE AND REBRANDING PUTS 2600 IN LIMBO | 2600.

Police voice recording systems hackable with backdoors

"NICE Recording eXpress is designed specifically for the audio recording needs of the small and medium sized Public Safety organisation. This advanced recording solution offers a comprehensive, advanced, easy-to-install and affordable platform built for the Public Safety environment and Command and Control operations delivering optimal recording functionality and quality management."

Source: http://www.nice.com/sites/default/files/nicerecordingexpress050112.pdf.pdf.pdf

Business recommendation:
========================

Attackers are able to completely compromise the voice recording / surveillance solution as they can gain access to the system and database level and listen to recorded calls without prior authentication. Furthermore, attackers would be able to use the voice recording server as a jumphost for further attacks of the internal voice VLAN, depending on the network setup.

via .

eBay Hacked, Change Your Passwords Now

If you have an eBay account, it’s time to change your password. The company released a statement today saying their internal and customer databases were compromised earlier this year, and starting today they’ll prompt everyone to change their passwords.

Attackers made off with names, addresses, email addresses, phone numbers, birth dates, and of course, encrypted passwords. eBay explained that financial info like credit card numbers and other sensitive data (like PayPal accounts) are kept in a separate encrypted database which wasn’t compromised. They also said they’ve found no evidence of unauthorized access or activity by registered eBay users—which is code for "we don’t think anyone’s used these passwords yet." According to the statement, intruders compromised employee accounts first, and used their access to get the data they really wanted. They discovered the breach about two weeks ago, but the actual attack took place back in late February and early March.

via eBay Hacked, Change Your Passwords Now.

Samsung Galaxy Backdoor

Samsung Galaxy devices running proprietary Android versions come with a back-door that provides remote access to the data stored on the device.

In particular, the proprietary software that is in charge of handling the communications with the modem, using the Samsung IPC protocol, implements a class of requests known as RFS commands, that allows the modem to perform remote I/O operations on the phone’s storage. As the modem is running proprietary software, it is likely that it offers over-the-air remote control, that could then be used to issue the incriminated RFS messages and access the phone’s file system.

via SamsungGalaxyBackdoor – Replicant.

Which goes to show – closed, proprietary code is almost never a good thing!

China Eastern Airlines passenger uses first class ticket for free meals

The man used his first-class ticket to score free meals and drinks at a VIP airport lounge nearly every day for a year, the Kwong Wah Yit Poh reported.

He changed his flight itinerary more than 300 times within the year so he could enjoy the facilities at the Xi’an Airport in Shaanxi, China.

What’s more, he cancelled his ticket for a refund when its validity was about to expire.

via China Eastern Airlines passenger uses first class ticket for free meals | News.com.au.

Insecure healthcare.gov allowed hacker to access 70,000 records in 4 minutes

70,000 was just one of the numbers that I was able to go up to. And I stopped after that. You know, and I’m sure it’s hundreds of thousands, if not more and it was done within about a four-minute time frame. So, it’s just wide open. You can literally just open up your browser, go to this and extract all this information without actually having to hack the website itself.

via Insecure healthcare.gov allowed hacker to access 70,000 records in 4 minutes | Computerworld Blogs.

Many top-notch hackers blasted the site and its lack of any basic security. An audit originally found 17(!) vulnerabilities, and after the ‘fixes’ an extra 20+.

On Hacking MicroSD Cards

Turns out that, to correct errors, each SD card comes with a 100 MHz microcontroller which reports the size of the device and runs algorithms to block out certain errors. On at least one brand, the firmware loader is not secured. This opens up a host of possibilities, from a very cheap source of Arduino alternatives to an SMTP server that sends copies of your files to an external source, or something more complex, as SD cards tend to be trusted once inserted.

http://www.bunniestudios.com/blog/?p=3554

Our Government Has Weaponized the Internet. Here’s How They Did It | Wired Opinion | Wired.com

According to revelations about the QUANTUM program, the NSA can “shoot” (their words) an exploit at any target it desires as his or her traffic passes across the backbone. It appears that the NSA and GCHQ were the first to turn the internet backbone into a weapon; absent Snowdens of their own, other countries may do the same and then say, “It wasn’t us. And even if it was, you started it.”

via Our Government Has Weaponized the Internet. Here's How They Did It | Wired Opinion | Wired.com.

This includes a fairly detailed list of the methodologies employed.

SkyJack – autonomous drone hacking

SkyJack (available from GitHub) is primarily a perl application which runs off of a Linux machine, runs aircrack-ng in order to get its wifi card into monitor mode, detects all wireless networks and clients around, deactivates any clients connected to Parrot AR.drones, connects to the now free Parrot AR.Drone as its owner, then uses node.js with node-ar-drone to control zombie drones.

http://samy.pl/skyjack/

Hackers steal ‘FULL credit card details’ of 376,000 people from Irish loyalty programme firm

A hack attack against an Irish loyalty programme firm, Loyaltybuild, has led to the theft of the full credit card details of at least 376,000 consumers, says the country’s data protection watchdog. According to the results of a preliminary investigation by the Office of the Data Protection Commissioner (ODPC), credit card and – contrary to all payment storage rules – CVV details were held unencrypted on Loyaltybuild’s systems in the run-up to attacks in the middle of October.

http://www.theregister.co.uk/2013/11/14/irish_loyalty_card_breach/

Hacker uses bots to top music charts, earn royalties without being able to make music

A Melbourne security professional has sent ear-piercing ‘garbage’ tunes to the top of online music charts by spoofing track plays.

Despite the fact that Peter Filimore (@typhoonfilsy) has never played an instrument, in a month he accrued hundreds of thousands of plays for his tunes hosted in online music charts, trumping artists like P!nk, Nicki Minaj, Flume and the chart-topping album The Heist, and making $1000 in royalties in the process.

Hacker uses bots to top music charts, bumps P!nk, Nicki Minaj – Networks – SC Magazine Australia – Secure Business Intelligence.

Not only that, but he’s thought of a way to use his technique to bump rival artists off the services entirely as a DDoS.