Disqus discovers its comments tool was hacked in 2012. 17.5m accounts involved, two-thirds without passwords.

Disqus has confirmed its web commenting system was hacked.

The company, which builds and provides a web-based comment plugin for news websites, said Friday that hackers stole more than 17.5 million email addresses in a data breach in July 2012.

About a third of those accounts contained passwords, salted and hashed using the weak SHA-1 algorithm, which has largely been deprecated in recent years in favor of stronger password scramblers. The data also contained sign-up dates and the date of the last login.

Some of the exposed user information dates back to 2007.

Many of the accounts don’t have passwords because they signed up to the commenting tool using a third-party service, like Facebook or Google.

The theft was only discovered this week after the database was sent to Troy Hunt, who runs data breach notification service Have I Been Pwned, who then informed Disqus of the breach.

The company said in a blog post, posted less than a day after Hunt’s private disclosure, that although there was no evidence of unauthorized logins, affected users will be emailed about the breach.

Users whose passwords were exposed will have their passwords force-reset.

The company warned users who have used their Disqus password on other sites to change the password on those accounts.

Source: Disqus reveals its comments tool was hacked

These guys obviously have a well thought out CERT in place. Unlike many others.
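The Disqus story turns on two details: a third of the records held salted SHA-1 hashes, and the remedy was a forced reset. The added example below (my own code, not Disqus's) shows the defensive pattern a site can apply before a leak: verify the legacy salted-SHA-1 record, then transparently re-hash with PBKDF2-HMAC-SHA256 on the next successful login, and list which accounts would still need a forced reset. The `sha1$<salt>$<hex>` record layout is an assumption for illustration.

```python
# Added example, not Disqus's code: verify a legacy salted-SHA-1 password
# record and transparently re-hash it with PBKDF2-HMAC-SHA256 the next time
# the user logs in successfully. The "sha1$<salt>$<hex>" record layout is an
# assumption made for illustration.
import hashlib
import hmac
import os

# Work factor: OWASP's password-storage cheat sheet recommends 600,000
# iterations for PBKDF2-HMAC-SHA256 (2023 figure).
PBKDF2_ITERATIONS = 600_000


def legacy_sha1_hash(password: str, salt: str) -> str:
    """The weak scheme: one fast SHA-1 over salt+password. A GPU tries
    billions of these per second, so the salt only stops precomputation."""
    digest = hashlib.sha1((salt + password).encode()).hexdigest()
    return f"sha1${salt}${digest}"


def pbkdf2_hash(password: str, salt=None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """The replacement: a deliberately slow, salted, iterated key derivation."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Check a password against either record format with a constant-time compare."""
    algo, *parts = stored.split("$")
    if algo == "sha1":
        salt, digest = parts
        candidate = hashlib.sha1((salt + password).encode()).hexdigest()
        return hmac.compare_digest(candidate, digest)
    if algo == "pbkdf2_sha256":
        iterations, salt_hex, digest = parts
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(dk.hex(), digest)
    raise ValueError(f"unknown password record format: {algo}")


def needs_rehash(stored: str) -> bool:
    """True for SHA-1 records and for PBKDF2 records below the current work factor."""
    algo, *parts = stored.split("$")
    return algo != "pbkdf2_sha256" or int(parts[0]) < PBKDF2_ITERATIONS


def login(users: dict, username: str, password: str) -> bool:
    """Authenticate and, on success, upgrade a weak record in place.
    The plaintext is only available at login, so this is the only moment
    the migration can happen without a forced reset."""
    stored = users.get(username)
    if stored is None or not verify(password, stored):
        return False
    if needs_rehash(stored):
        users[username] = pbkdf2_hash(password)
    return True


def weak_records(users: dict) -> list:
    """Inventory: accounts still holding a hash that would need a forced
    reset if the database leaked before the user logged in again."""
    return sorted(u for u, rec in users.items() if needs_rehash(rec))
```

Accounts that never log in again never get upgraded, which is why a leak of an old database still ends in a forced reset for the SHA-1 records.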

BLE is weak and can be used to map and hack sex toys, hearing aids. The rise of screwdriving

Using your favourite BLE sniffing hardware (we used a Bluefruit but an Ubertooth is just as great) you can visualise the BLE packets in Wireshark.

In this case we can see the app has caused the Hush to start vibrating when the handle 0x000e has “Vibrate:5” written to it.

We can also start to replay commands from within Kali, so no smartphone app is required.

BLE devices also advertise themselves for discovery, which anyone can find, in this case the Hush calls itself LVS-Z001 – this is the same across all Hush devices we’ve looked at, so it’s like a unique fingerprint.

Note that there is no PIN or password protection, or the PIN is static and generic (0000 / 1234 etc) on these devices. This isn’t a problem just with the Hush, we’ve found the same problem in the following:

Kiiroo Fleshlight
Lelo
Lovense Nora and Max

In fact, we’ve found this issue in every Bluetooth adult toy we’ve looked at!

The challenge is the lack of a UI to enter a classic Bluetooth pairing PIN. Where do you put a UI on a butt plug, after all?

The only protection you have is that BLE devices will generally only pair with one device at a time, but range is limited and if the user walks out of range of their smartphone or the phone battery dies, the adult toy will become available for others to connect to without any authentication.

[…]
It’s important at this point to say that we’ve not set out to kink-shame anyone for their use of these devices: adult toys appeal to a huge spectrum of people and their ubiquity allows people to enjoy a sex-positive life, however we think that these same people should be able to use them without fear of compromise or injury. Talking about these issues will hopefully lead the industry to improve the security of its toys.

Having an adult toy unexpectedly start vibrating could cause a great deal of embarrassment.
[…]
I managed to find them [hearing aids] broadcasting whilst we were having lunch one day. They have BLE in them to allow you to play back music, but also control and adjust their settings (like if you’re in a noisy restaurant or a concert hall). These things cost £3500 and need to be programmed by an audiologist so not only could an attacker damage or deprive someone of their hearing, but it’s going to cost them to get it fixed.

Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy ‘login details leaked’

Yes, that’s Gartner’s security consultancy of the year
[…]
On Tuesday, what seemed to be a collection of Deloitte’s corporate VPN passwords, user names, and operational details were found lurking within a public-facing GitHub-hosted repository. These have since been removed in the past hour or so. In addition, it appears that a Deloitte employee uploaded company proxy login credentials to his public Google+ page. The information was up there for over six months – and was removed in the past few minutes.
[…]
On top of these potential leaks of corporate login details, Deloitte has loads of internal and potentially critical systems unnecessarily facing the public internet with remote-desktop access enabled. All of this gear should be behind a firewall and/or with two-factor authentication as per industry best practices. And likely the best practices Deloitte recommends to its clients, ironically.

“Just in the last day I’ve found 7,000 to 12,000 open hosts for the firm spread across the globe,” security researcher Dan Tentler, founder of Phobos Group, told The Register today. “We’re talking dozens of business units around the planet with dozens of IT departments showing very different aptitude levels. The phrase ‘truly exploitable’ comes to mind.”

For example, he found a Deloitte-owned Windows Server 2012 R2 box in South Africa with RDP wide open, acting as what appears to be an Active Directory server – a crucial apex of a Microsoft-powered network – and with, worryingly, security updates still pending installation. Other cases show IT departments using outdated software, and numerous other security failings.

Source: Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy ‘login details leaked’

Ouch

BlueBorne: Turn off your bluetooth

Armis Labs revealed a new attack vector endangering major mobile, desktop, and IoT operating systems, including Android, iOS, Windows, and Linux, and the devices using them. The new vector is dubbed “BlueBorne”, as it spread through the air (airborne) and attacks devices via Bluetooth. Armis has also disclosed eight related zero-day vulnerabilities, four of which are classified as critical. BlueBorne allows attackers to take control of devices, access corporate data and networks, penetrate secure “air-gapped” networks, and spread malware laterally to adjacent devices. Armis reported these vulnerabilities to the responsible actors, and is working with them as patches are being identified and released.
[…]
BlueBorne is an attack vector by which hackers can leverage Bluetooth connections to penetrate and take complete control over targeted devices. BlueBorne affects ordinary computers, mobile phones, and the expanding realm of IoT devices. The attack does not require the targeted device to be paired to the attacker’s device, or even to be set on discoverable mode. Armis Labs has identified eight zero-day vulnerabilities so far, which indicate the existence and potential of the attack vector. Armis believes many more vulnerabilities await discovery in the various platforms using Bluetooth. These vulnerabilities are fully operational, and can be successfully exploited, as demonstrated in our research. The BlueBorne attack vector can be used to conduct a large range of offenses, including remote code execution as well as Man-in-The-Middle attacks.

Source: BlueBorne Information from the Research Team – Armis Labs

Outlook.com looking more like an outage outbreak for Europe

Microsoft’s email services got hit with not one but two bugs today: in addition to an earlier blip with Exchange Online, Microsoft confirmed it is now probing “issues” with “some” Outlook.com users in Europe.

According to downdetector.com, more than a thousand users have reported problems such as trouble receiving messages and logging in to their webmail accounts (Outlook used to be Hotmail and Windows Live Hotmail) since around 9.00am.

The site, which provides a handy snapshot of partial and total service eclipses map, revealed most of the reports are coming from western Europe.

Source: Outlook.com looking more like an outage outbreak for Europe

Clouds!

Deloitte hit by cyber-attack revealing clients’ secret emails

One of the world’s “big four” accountancy firms has been targeted by a sophisticated hack that compromised the confidential emails and plans of some of its blue-chip clients, the Guardian can reveal.
[…]
One of the largest private firms in the US, which reported a record $37bn (£27.3bn) revenue last year, Deloitte provides auditing, tax consultancy and high-end cybersecurity advice to some of the world’s biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies.

The Guardian understands Deloitte clients across all of these sectors had material in the company email system that was breached. The companies include household names as well as US government departments.

So far, six of Deloitte’s clients have been told their information was “impacted” by the hack. Deloitte’s internal review into the incident is ongoing.

The Guardian understands Deloitte discovered the hack in March this year, but it is believed the attackers may have had access to its systems since October or November 2016.

The hacker compromised the firm’s global email server through an “administrator’s account” that, in theory, gave them privileged, unrestricted “access to all areas”.

The account required only a single password and did not have “two-step” verification, sources said.

Emails to and from Deloitte’s 244,000 staff were stored in the Azure cloud service, which was provided by Microsoft. This is Microsoft’s equivalent to Amazon Web Service and Google’s Cloud Platform.

Source: Deloitte hit by cyber-attack revealing clients’ secret emails

SVR Tracking leaks info for hundreds of thousands of vehicles. Turns out they have been tracking you even when your car wasn’t stolen.

Researchers discovered a misconfigured Amazon AWS S3 bucket that was left publicly available. The breach has exposed information about their customers and re-seller network and also the physical device that is attached to the cars.

The repository contained over half a million records with logins / passwords, emails, VIN (vehicle identification number), IMEI numbers of GPS devices and other data that is collected on their devices, customers and auto dealerships. Interestingly, the exposed database also contained information about where exactly in the car the tracking unit was hidden.

The “SVR” stands for “stolen vehicle records”.
[…]
The software monitors everywhere the car has been back as far as 120 days, including a terrifying feature that pinpoints on the map all of the places a driver has visited. There is even an option that will show anyone with login credentials the top stops or locations where the vehicle has been. There is a “recovery mode” that can pinpoint every 2 min or create zone notifications. They claim to have a 99% success rate on recovery but what about when the customer logins and passwords for thousands of unsuspecting drivers are leaked online?
Source: MacKeeper Security: Auto Tracking Company Leaks Hundreds of Thousands of Records Online

Equifax fooled again! Blundering credit biz directs hack attack victims to parody site

When news of the hack was published on September 7, over a month after its scale had been discovered, Equifax set up a website for worried customers to check if they had been affected – equifaxsecurity2017.com – rather than setting it up on the equifax.com domain.

As a bit of fun security researcher Nick Sweeting set up securityequifax2017.com with a familiar look and feel, just like phishers do every day. To make that point the headline on the website was “Cybersecurity Incident & Important Consumer Information which is Totally Fake, why did Equifax use a domain that’s so easily impersonated by phishing sites?”

Turns out he had a point, since the site fooled Equifax itself. Shortly after setting up the site, Equifax’s official Twitter feed started to link to Sweeting’s fake page and in a series of posts dating from September 9 Tim on Equifax’s social media team began tweeting out the wrong URL to customers concerned about their data.

Seriously, Tim?

The tweets (now removed by red-faced Equifax staff) continued until Sept 18 before they were spotted by stanleyspadowski on imgur and @aaronkkruse on Twitter. It’s not known how many people were directed to the site, and it has since been blocked by Google.

Source: Equifax fooled again! Blundering credit biz directs hack attack victims to parody site

Popular GO Android alternate Keyboard is spying on millions of Android users

Security researchers from Adguard have issued a warning that the popular GO Keyboard app is spying on users. Produced by Chinese developers GOMO Dev Team, GO Keyboard was found to be transmitting personal information about users back to remote servers, as well as “using a prohibited technique to download dangerous executable code.”

Adguard made the discovery while conducting research into the traffic consumption and unwanted behavior of various Android keyboards. The AdGuard for Android app makes it possible to see exactly what traffic an app is generating, and it showed that GO Keyboard was making worrying connections, making use of trackers, and sharing personal information.

Adguard notes that there are two versions of the keyboard in Google Play which it claims have more than 200 million users in total.

Source: Security researchers warn that GO Keyboard is spying on millions of Android users

Equifax another breach: had ‘admin’ as login and password in Argentina

Cyber-crime blogger Brian Krebs said that an online employee tool used in the country could be accessed by typing “admin” as both a login and password.

He added that this gave access to records that included thousands of customers’ national identity numbers.

Last week, the firm revealed a separate attack affecting millions in the US.

Source: Equifax suffers fresh data breach

These guys don’t seem to take privacy very seriously, and there is almost no legislation to punish these guys.

Moneyback leaks 500k tourists to Mexico customer records: passports, credit cards, IDs.

Have you been to Mexico in the last year as a tourist and applied for a tax refund on the money you spent while shopping there? If you have, chances are your passport, credit card, or other identification might have been leaked online. The Kromtech Security Research Center has discovered a misconfigured database with nearly half a million customer files that were left publicly accessible. These tourists traveled from around the world to enjoy Mexico’s beaches, warm weather, historical sites, or cities and had their private data exposed in the process.

The database appears to be connected with MoneyBack, a leading provider of tax refund (value-added tax refund or sales tax refund) services for international travelers in Mexico.
[…]
Researchers identified passports from all over the world who used MoneyBack’s services. Among the top passports identified were citizens of the US, Canada, Argentina, Colombia, Italy, and many more. It appears to be every client that has used their services between 2016 and 2017.

Over 300 GB+ database in size

455,038 Scanned Documents (Passports, IDs, Credit Cards, Travel Tickets & More)

88,623 unique passport numbers registered or scanned

Source: Mexican Tourist Tax Refund Company Leaks Customer Records

Equifax loses 143 million US, UK and Canadian customer records in data breach.

September 7, 2017 — Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. As part of its investigation of this application vulnerability, Equifax also identified unauthorized access to limited personal information for certain UK and Canadian residents. Equifax will work with UK and Canadian regulators to determine appropriate next steps. The company has found no evidence that personal information of consumers in any other country has been impacted.

Source: Cybersecurity Incident & Important Consumer Information | Equifax

Apache REST / Struts easily exploitable through browser

Servers and data stored by dozens of Fortune 100 companies are at risk, including airlines, banks and financial institutions, and social media sites.

A critical security vulnerability in open-source server software enables hackers to easily take control of an affected server — putting sensitive corporate data at risk.

The vulnerability allows an attacker to remotely run code on servers that run applications using the REST plugin, built with Apache Struts, according to security researchers who discovered the vulnerability.

All versions of Struts since 2008 are affected, said the researchers.

[…]
Mo said that all a hacker needs “is a web browser.”

“I can’t stress enough how incredibly easy this is to exploit,” said Bas van Schaik, product manager at Semmle, a company whose analytical software was used to discover the vulnerability.

“If you know what request to send, you can start any process on the web server running a vulnerable application,” he said.

Source: ZDNet

Get patching!

Yet another AWS config fumble: Time Warner Cable exposes 4 million subscriber records

Researchers with security company Kromtech said freelancers who handled web applications for TWC and other companies had left one of its AWS S3 storage bins containing seven years’ worth of subscriber data wide open on the ‘net. That data included addresses and contact numbers, information about their home gateways, and account settings.

Just before the weekend, Kromtech said the vulnerable AWS instance was operated by BroadSoft, a cloud service provider that had been using the S3 silos to hold the SQL database information that included customer records.

When Kromtech spotted the repository in late August, it realized that databases had been set to allow public access, rather than limit access to administrators or authorized users.

Source: Yet another AWS config fumble: Time Warner Cable exposes 4 million subscriber records

Oh dear, is AWS so hard to configure then?!

After years of IBAN, only 1 NL bank has just figured out how to check the name with an account.

The Rabobank has started warning users when the name doesn’t match an IBAN account. A trivial function that used to work before IBAN but apparently was so hard to implement that users have had to wait for years to get. If you put in the wrong number – then sorry, you were screwed! Now for the rest of banking Netherlands, please?

Source: ‘Banken moeten Rabo snel volgen met naam-nummercontrole’ (‘Banks must quickly follow Rabo with the name-number check’) – Emerce
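What the Rabobank check amounts to, as an added example (my own code, not Rabobank's implementation): validate the IBAN's mod-97 check digits first, then compare the beneficiary name the payer typed against the name registered for that account and return a verdict the warning can be built from. The account registry, the name normalisation rules and the "close match" threshold are constructed assumptions.

```python
# Added example, not Rabobank's implementation: validate an IBAN's mod-97
# check digits, then compare the name the payer typed with the name registered
# for that account. The account registry, the normalisation rules and the
# "close match" threshold are constructed assumptions.
import re
import unicodedata
from difflib import SequenceMatcher

CLOSE_MATCH_THRESHOLD = 0.8  # assumption; a real scheme tunes this per country
LEGAL_FORM_NOISE = {"bv", "nv", "vof"}  # Dutch legal-form suffixes ignored when comparing


def clean_iban(iban: str) -> str:
    return re.sub(r"\s+", "", iban).upper()


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, expand
    letters to two digits (A=10 .. Z=35); the number must be 1 mod 97."""
    iban = clean_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", iban):
        return False
    rearranged = iban[4:] + iban[:4]
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(numeric) % 97 == 1


def normalize_name(name: str) -> str:
    """Fold diacritics, case, punctuation, token order and legal-form suffixes,
    so 'Jansen, J.' and 'J. Jansen' compare equal."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", ascii_name.lower().replace(".", ""))
    return " ".join(sorted(t for t in tokens if t not in LEGAL_FORM_NOISE))


def name_check(iban: str, supplied_name: str, registry: dict) -> str:
    """Return 'invalid_iban', 'unknown_account', 'match', 'close_match' or
    'no_match'. Only 'match' should let a transfer through silently; the
    other verdicts are what the user-facing warning is built from."""
    iban = clean_iban(iban)
    if not iban_is_valid(iban):
        return "invalid_iban"
    registered = registry.get(iban)
    if registered is None:
        return "unknown_account"
    a, b = normalize_name(supplied_name), normalize_name(registered)
    if a == b:
        return "match"
    ratio = SequenceMatcher(None, a, b).ratio()
    return "close_match" if ratio >= CLOSE_MATCH_THRESHOLD else "no_match"


# Constructed registry: both IBANs carry valid check digits but are sample values.
REGISTRY = {
    "NL91ABNA0417164300": "J. Jansen",
    "NL20INGB0001234567": "Jansen B.V.",
}
```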

Data Breach Exposes Thousands of Job Seeker CVs Citing Top Secret Government Work

Thousands of files containing the personal information and expertise of Americans with classified and up to Top Secret security clearances have been exposed by an unsecured Amazon server, potentially for most of the year.

The files have been traced back to TigerSwan, a North Carolina-based private security firm. But in a statement on Saturday, TigerSwan implicated TalentPen, a third-party vendor apparently used by the firm to process new job applicants.
[…]
Found on an insecure Amazon S3 bucket without the protection of a password, the cache of roughly 9,400 documents reveal extraordinary details about thousands of individuals who were formerly and may be currently employed by the US Department of Defense and within the US intelligence community.

Other documents reveal sensitive and personal details about Iraqi and Afghan nationals who have cooperated and worked alongside US military forces in their home countries, according to the security firm who discovered and reviewed the documents. Between 15 and 20 applicants reportedly meet this criteria.
[…]
Many of the files are timestamped and indicate that they were uploaded to the server in mid-February. Gizmodo has yet to confirm for how long the data was left publicly accessible, information only accessible to Amazon and the server’s owner.

“A cursory examination of some of the exposed resumes indicates not merely the varied and elite caliber of many of the applicants as experienced intelligence and military figures, but sensitive, identifying personal details,” UpGuard said in a statement.

Source: Data Breach Exposes Thousands of Job Seekers Citing Top Secret Government Work [Updated]

Millions of Time Warner Cable Customer Records Exposed in Third-Party Data Leak

Roughly four million records containing the personal details of Time Warner Cable (TWC) customers were discovered stored on an Amazon server without a password late last month.

The files, more than 600GB in size, were discovered on August 24 by the Kromtech Security Center while its researchers were investigating an unrelated data breach at World Wrestling Entertainment. Two Amazon S3 buckets were eventually found and linked to BroadSoft, a global communications company that partners with service providers, including AT&T and TWC.
[…]
The leaked data included usernames, email addresses, MAC addresses, device serial numbers, and financial transaction information.
[…]
Other databases revealed billing addresses, phone numbers, and other contact info for at least hundreds of thousands of TWC subscribers. The servers also contained a slew of internal company records, including SQL database dumps, internal emails, and code containing the credentials to an unknown number of external systems.
[…]
CCTV footage, presumably of BroadSoft’s workers in Bengaluru, India—where the breach is believed to have originated—was also discovered on the Amazon bucket.

Source: Millions of Time Warner Cable Customer Records Exposed in Third-Party Data Leak

Ouch!
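Three of the stories above (SVR Tracking, TigerSwan/TalentPen and this BroadSoft/TWC leak) come down to one S3 bucket readable by the world. The added example below (my own code, not Kromtech's, BroadSoft's or AWS's) is the check a defender runs over a bucket's ACL and bucket policy to catch that: it flags grants to the AllUsers and AuthenticatedUsers groups and Allow statements with a wildcard principal. The inputs follow the shapes that boto3's `get_bucket_acl()` and `get_bucket_policy()` return; the sample buckets and the account ID are constructed.

```python
# Added example, not Kromtech's, BroadSoft's or AWS's code: flag an S3 bucket
# whose ACL or bucket policy lets everyone (or every AWS account) read it.
# The inputs follow the shapes that boto3's get_bucket_acl() and
# get_bucket_policy() return; the sample buckets below are constructed.
import json

# The two ACL groups that make a bucket world-accessible.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    # "Authenticated" means any AWS account in the world, not just yours.
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def public_acl_grants(acl: dict) -> list:
    """Return one finding per ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_ACL_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and group:
            findings.append(f"ACL grants {grant['Permission']} to {group}")
    return findings


def is_wildcard_principal(principal) -> bool:
    """Principal "*" or {"AWS": "*"} (or a list containing "*") is anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json: str) -> list:
    """Return one finding per Allow statement that any principal can use."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not is_wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A wildcard principal narrowed by a Condition (e.g. to one VPC) needs
            # human review rather than an automatic verdict; skipped here by assumption.
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        findings.append(f"policy statement {stmt.get('Sid', '<no Sid>')} allows {', '.join(actions)} to everyone")
    return findings


def audit_bucket(name: str, acl: dict, policy_json=None) -> list:
    """Combine both checks; an empty list means nothing public was found."""
    findings = public_acl_grants(acl)
    if policy_json:
        findings += public_policy_statements(policy_json)
    return [f"{name}: {f}" for f in findings]


# Constructed samples. Only the owner's FULL_CONTROL grant is normal.
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}
PRIVATE_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [OWNER_GRANT]}
OPEN_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [OWNER_GRANT,
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-subscriber-db/*"}]})
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OneAccountOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},  # constructed account id
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-subscriber-db", "arn:aws:s3:::example-subscriber-db/*"]}]})


def demo() -> dict:
    """Run the audit over the constructed buckets, keyed by bucket name."""
    return {
        "example-subscriber-db": audit_bucket("example-subscriber-db", OPEN_ACL, OPEN_POLICY),
        "example-private": audit_bucket("example-private", PRIVATE_ACL, SCOPED_POLICY),
    }
```

In practice the account-level S3 Block Public Access setting (available since late 2018) stops both kinds of grant being applied at all, so this check is for inventorying what is already exposed.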

Intel ME controller chip can be disabled after all – for governments

Security researchers at Moscow-based Positive Technologies have identified an undocumented configuration setting that disables Intel Management Engine 11, a CPU control mechanism that has been described as a security risk.

Intel’s ME consists of a microcontroller that works with the Platform Controller Hub chip, in conjunction with integrated peripherals. It handles much of the data travelling between the processor and external devices, and thus has access to most of the data on the host computer.

If compromised, it becomes a backdoor, giving an attacker control over the affected device.

Source: Intel ME controller chip has secret kill switch

Inside the Massive 711 Million Record Onliner Spambot Dump

Last week I was contacted by someone alerting me to the presence of a spam list. A big one. That’s a bit of a relative term though because whilst I’ve loaded “big” spam lists into Have I been pwned (HIBP) before, the largest to date has been a mere 393m records and belonged to River City Media. The one I’m writing about today is 711m records which makes it the largest single set of data I’ve ever loaded into HIBP. Just for a sense of scale, that’s almost one address for every single man, woman and child in all of Europe. This blog post explains everything I know about it.

Source: Inside the Massive 711 Million Record Onliner Spambot Dump

Bitcoin-accepting sites leave cookie trail that crumbles anonymity

Of the 130 sites the researchers checked:

In total, 107 sites leaked some kind of transaction information;
31 allowed third-party scripts to access users’ Bitcoin addresses;
104 shared the non-BTC denominated price of a transaction; and
30 shared the transaction price in Bitcoin.

It doesn’t help that even for someone running tracking protection, a substantial amount of personal information was passed around by the sites examined in the study.
Information type   With tracking protection   Without protection
E-mail             32                         25
First name         27                         20
Last name          25                         19
User ID            15                         12
Address            13                          9
Full name          11                          4
Phone              10                          4
Company             5                          4

A total of 49 merchants shared users’ identifying information, and 38 shared that even if the user tries to stop them with tracking protection.

Users have very little protection against all this, the paper says: the danger is created by pervasive tracking, and it’s down to merchants to give users better privacy.

Source: Bitcoin-accepting sites leave cookie trail that crumbles anonymity

UK Home Secretary calls people who use encryption not ‘real’ and Daesh sympathisers

In an article in the Daily Telegraph timed to coincide with Rudd’s appearance at a closed event in San Francisco, Rudd argued: “Real people often prefer ease of use and a multitude of features to perfect, unbreakable security.”

She continued: “Who uses WhatsApp because it is end-to-end encrypted, rather than because it is an incredibly user-friendly and cheap way of staying in touch with friends and family? Companies are constantly making trade-offs between security and ‘usability,’ and it is here where our experts believe opportunities may lie.”

The reference to “real people” struck a nerve with a host of security experts, sysadmins, privacy advocates and tech-savvy consumers who took to Twitter to point out that they were real people, and not ISIS sympathizers – as Rudd implied in her piece. Rudd essentially declared that people who use strong encryption are not normal, not real people, which is a rather dangerous sentiment.

Source: ‘Real’ people want govts to spy on them, argues UK Home Secretary

What the actual fuck?

US Congress dreams of IoT and gets it right! Except it won’t protect consumers, only gov.

The Internet of Things Cybersecurity Improvement Act would require that IoT devices purchased by the American government must not have any known security vulnerabilities, must have the ability to be patched, and may not have hardcoded passwords built in. It mandates that every government department inventory all IoT devices on their networks.
[…]
The bill also directs Homeland Security to come up with a vulnerability disclosure program so that departments can get patched and updated. Another requirement says the Office of Management and Budget must come up with reasonable standards as to what IoT security should actually entail.
[…]
A key element of the proposed legislation is that it would make it legal for security researchers to tear these devices apart and search for security bugs. Currently a broad interpretation of the Digital Millennium Copyright Act means that a company could prosecute a researcher who looks into the firmware for breaking the terms and conditions of its use.

Source: No vulns. No hardwired passwords. Patchable. Congress dreams of IoT: Impossible Online Tech

DNA Testing Data Is Disturbingly Vulnerable to Hackers

In a new study that will be presented next week at the 26th USENIX Security Symposium in Vancouver, University of Washington researchers analyzed the security practices of common, open-source DNA processing programs and found that they were, in general, lacking. That means all that super-sensitive information those programs are processing is potentially vulnerable to hackers. If you think social security fraud is bad, imagine someone hacking your genetic code.

“You can imagine someone altering the DNA at a crime scene, or making it unreadable. Or an attacker stealing data or modifying it in a certain way to make it seem like someone has a disease someone doesn’t actually have,” Peter Ney, a co-author of the peer-reviewed study and Ph.D. student at the school’s Computer Security and Privacy Research Lab, told Gizmodo.

Source: DNA Testing Data Is Disturbingly Vulnerable to Hackers

Crooks Reused Passwords on Hansa and Dream, so Dutch Police Hijacked Their Accounts after running Hansa for a month

Currently, the infosec community and former Hansa vendors themselves have spotted two ways in which Dutch authorities are going after former Hansa vendors.

Police gain access to Dream accounts via password reuse

In the first, Dutch investigators have taken the passwords of vendors who have the same usernames on both the old Hansa Market and the Dream Market — today’s top Dark Web marketplace after the seizure of the Hansa and AlphaBay marketplaces.

If vendors reused passwords and they didn’t activate 2FA for their Dream Market accounts, authorities take over the profiles, change passwords, and lock the vendors out of their shops.
[…]
The second method of operation spotted by the Dark Web community involves so-called “locktime” files that were downloaded from the Hansa Market before Dutch authorities shut it down on July 20.

Under normal circumstances a locktime file is a simple log of a vendor’s market transaction, containing details about the sold product, the buyer, the time of the sale, the price, and Hansa’s signature. The files are used as authentication by vendors to request the release of Bitcoin funds after a sale’s conclusion, or if the market was down due to technical reasons.

According to people familiar with Hansa’s inner workings who shared their knowledge with Bleeping Computer, Hansa locktime files were usually just a simple text file.

Source: Crooks Reused Passwords on the Dark Web, so Dutch Police Hijacked Their Accounts

It took DEF CON hackers minutes to pwn these US voting machines

This year at the DEF CON hacking conference in Las Vegas, 30 computer-powered ballot boxes used in American elections were set up in a simulated national White House race – and hackers got to work physically breaking the gear open to find out what was hidden inside.

In less than 90 minutes, the first cracks in the systems’ defenses started appearing, revealing an embarrassingly low level of security. Then one was hacked wirelessly.
[…]
The machines – from Diebolds to Sequoia and Winvote equipment – were bought on eBay or from government auctions, and an analysis of them at the DEF CON Voting Village revealed a sorry state of affairs. Some were running very outdated and exploitable software – such as unpatched versions of OpenSSL and Windows XP and CE. Some had physical ports open that could be used to install malicious software to tamper with votes.

Source: It took DEF CON hackers minutes to pwn these US voting machines