Information Security Blog | Cyber Security Blog

Sreejith C


Linkedin Passwords for sale

Friday, 20 May 2016 05:30

Over 117 million LinkedIn users have had their details sold over the Darknet, it has emerged.

A hacker by the name of 'Peace' told Motherboard that they had gained access to the site and posted 5.6 million users' passwords on a Russian hacker forum back in 2012. LinkedIn reset the accounts of those it believed to be affected.

Now Peace is selling the data on Darkweb illegal marketplaces for around 5 bitcoin or around $2000, and it turns out that the breach is much larger than first anticipated. Hacked data search engine LeakedSource said that there are 167 million accounts in the hacked database, 117 million of which include both emails and encrypted passwords.

A $5 million lawsuit was filed against the business networking giant in the wake of the 2012 hack, blaming the company for its outdated security measures, including failing to 'salt' passwords. A salt is a random value, generated per user, that is combined with the password before it is hashed. Without it, two users with the same password end up with the same stored hash, and an attacker can crack an entire database in one pass by comparing it against a single precomputed table of hashes for common passwords; with a salt, each account has to be attacked separately.
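The following Python script is an added example, not part of the original article, showing the difference in bulk cracking cost that the salting point above describes. It assumes, purely for illustration, that the leaked database stored unsalted SHA-1 hex digests and that the salted variant stores the salt next to the digest; the users, passwords and wordlist are constructed sample data, not anything taken from the breach.

```python
"""Added example: bulk cracking of unsalted vs. salted password hashes.

Assumptions (not from the article): stored digests are SHA-1 hex strings;
the salted scheme stores "salthex$digest". All users, passwords and the
wordlist below are constructed sample data.
"""
import hashlib
import os
from typing import Dict, Iterable, List, Tuple

# Constructed wordlist an attacker might try first (sample data).
WORDLIST = ["password", "linkedin", "123456", "letmein", "Summer2012!"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def unsalted_store(password: str) -> str:
    """The weak scheme: hash(password) only. Same password -> same digest."""
    return sha1_hex(password.encode())


def salted_store(password: str, salt: bytes = b"") -> str:
    """Per-user random salt, stored beside the digest as 'salthex$digest'."""
    if not salt:
        salt = os.urandom(16)
    return salt.hex() + "$" + sha1_hex(salt + password.encode())


def duplicate_groups(leaked: Dict[str, str]) -> Dict[str, List[str]]:
    """Accounts whose stored values are identical. With unsalted hashes,
    cracking one member of a group cracks every member."""
    groups: Dict[str, List[str]] = {}
    for user, stored in leaked.items():
        groups.setdefault(stored, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def crack_unsalted(leaked: Dict[str, str],
                   wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """One precomputed table (one hash per word) is matched against every
    account by dictionary lookup; hashing cost does not grow with user count."""
    table = {unsalted_store(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in leaked.items() if h in table}
    return cracked, len(table)


def crack_salted(leaked: Dict[str, str],
                 wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Every account has its own salt, so the wordlist is re-hashed per
    account. Returns the cracked accounts and the number of hashes computed."""
    words = list(wordlist)
    cracked: Dict[str, str] = {}
    work = 0
    for user, stored in leaked.items():
        salt_hex, digest = stored.split("$", 1)
        salt = bytes.fromhex(salt_hex)
        for w in words:
            work += 1
            if sha1_hex(salt + w.encode()) == digest:
                cracked[user] = w
                break
    return cracked, work


def demo() -> dict:
    """Run both schemes over the same three constructed accounts."""
    plaintext = {"alice": "password", "bob": "password", "carol": "hunter2"}
    unsalted_db = {u: unsalted_store(p) for u, p in plaintext.items()}
    # Fixed salts only so the demo is reproducible; use os.urandom in practice.
    salts = {"alice": b"\x00" * 16, "bob": b"\x01" * 16, "carol": b"\x02" * 16}
    salted_db = {u: salted_store(p, salts[u]) for u, p in plaintext.items()}

    u_cracked, u_work = crack_unsalted(unsalted_db, WORDLIST)
    s_cracked, s_work = crack_salted(salted_db, WORDLIST)
    return {
        "unsalted_duplicates": duplicate_groups(unsalted_db),
        "salted_duplicates": duplicate_groups(salted_db),
        "unsalted_cracked": u_cracked, "unsalted_hashes": u_work,
        "salted_cracked": s_cracked, "salted_hashes": s_work,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With three accounts the difference in hash count is small, but it scales differently: the unsalted table costs one hash per wordlist entry however many accounts are in the dump, whereas the salted attack costs up to one hash per word per account, and identical passwords no longer reveal themselves as identical hashes. A salt alone does not make a fast hash such as SHA-1 adequate; current practice (beyond what the article covers) is a deliberately slow salted construction such as bcrypt, scrypt or Argon2.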

'Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012.'

'We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.'

The company has said that since the incident in 2012 it has hashed and salted every password in its database, offering protection tools such as email challenges and dual factor authentication.

'We encourage our members to visit our safety center to learn about enabling two-step verification, and to use strong passwords in order to keep their accounts as safe as possible,' added the blog. 

But Liviu Itoafa, security researcher at Kaspersky Lab, bemoans the fact that LinkedIn is acting to improve its security only after the worst occurred.

'The reports of further LinkedIn users' passwords being sold online, following a hack four years ago, demonstrates the need for businesses to consider security procedures before a data breach forces them to - prevention is always better than cure,' says Itoafa.

'Customers that entrust their private information to an online provider should be able to rest safely in the knowledge it is kept in a secure manner; and all companies who handle private data have a duty to secure it.'

In this particular case, thanks to the email addresses and unsalted passwords leaked, cybercriminals have the opportunity to use this information to steal personal identities or more.

'Unfortunately, once a breach of this nature has occurred, there is not much that can be done about the leaked data,' said Itoafa. 'While LinkedIn has taken the precaution of invalidating the passwords of the accounts impacted, and contacting those members to reset their passwords, the chances are that many will use the same password across multiple online accounts. So it's important that LinkedIn users take steps to change the password for other online accounts where they have used the same password.'

LinkedIn added: 'We have demanded that parties cease making stolen password data available and will evaluate potential legal action if they fail to comply. In the meantime, we are using automated tools to attempt to identify and block any suspicious activity that might occur on affected accounts.'

The website, which has 400 million members, will be letting individual members know if they need to change their password.


Facebook VS Twitter: Race continues

Tuesday, 17 May 2016 05:30

In 2014, as the hype and newness die down, social media is increasingly something we take for granted in our daily lives. There’s a big battle going on to keep our social attention: which of these two companies will prove dominant and win?

Twitter and Facebook: Competing or completely different?

Last week, Facebook founder & CEO Mark Zuckerberg used an earnings conference call to reaffirm Facebook’s grand vision, saying it was about “connecting everyone & improving the world through sharing."

Twitter CEO Dick Costolo also talks a lot about how he sees Twitter as “the global town square." On Twitter’s website, it states that its mission is “to give everyone the power to create and share ideas and information instantly, without barriers.”

Both visions overlap – they cater for "everyone" and are about opening up the world through sharing. However, a subtle difference in emphasis accounts for a lot of the differences in the role they play in our lives – Facebook talks about "connecting" whereas Twitter talks about "ideas and information." I think this is ultimately what makes Facebook a true social network whereas Twitter is more of an information network.

Both connection and information play valuable roles, but over time, depending on the focus of our lives, we will ultimately favor one over the other in deciding where to focus our social attention.

In the below diagram, I’ve looked at the areas where Facebook and Twitter connect and inform us, where they overlap and fulfill similar roles, and also the areas where, segment-by-segment, new competitors are challenging them both.


If you use Firefox, you should update your browser now to fix a flaw that could allow attackers to "search for and upload potentially sensitive" files from your hard drive to their servers.

Mozilla is asking all Firefox users to upgrade to version 39.0.3. Most users have automatic updates turned on; even so, it is worth checking that you are running the most recent version of Firefox.

The flaw lies in the interaction between Firefox's built-in PDF Viewer and the browser's same-origin policy, so it affects Firefox builds that ship the PDF Viewer. Firefox for Android does not include the PDF Viewer and is not affected.

“The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer. Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files.” — Daniel Veditz, Mozilla

People who use ad-blocking software may have been protected from this exploit depending on the software and specific filters being used.

The exploit leaves no trace it has been run on the local machine.

A Firefox user alerted Mozilla after discovering the flaw while browsing on a Russian news website.


German researchers have discovered security flaws that could let hackers, spies and criminals listen to private phone calls and intercept text messages on a potentially massive scale – even when cellular networks are using the most advanced encryption now available.
The flaws, to be reported at a hacker conference in Hamburg this month, are the latest evidence of widespread insecurity on SS7, the global network that allows the world's cellular carriers to route calls, texts and other services to each other. Experts say it's increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world's billions of cellular customers.

The flaws discovered by the German researchers are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network.

Those skilled at the myriad functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption. There also is potential to defraud users and cellular carriers by using SS7 functions, the researchers say.

These vulnerabilities continue to exist even as cellular carriers invest billions of dollars to upgrade to advanced 3G technology aimed, in part, at securing communications against unauthorized eavesdropping. But even as individual carriers harden their systems, they still must communicate with each other over SS7, leaving them open to any of thousands of companies worldwide with access to the network. That means that a single carrier in Congo or Kazakhstan, for example, could be used to hack into cellular networks in the United States, Europe or anywhere else.

"It's like you secure the front door of the house, but the back door is wide open," said Tobias Engel, one of the German researchers.

Engel, founder of Sternraute, and Karsten Nohl, chief scientist for Security Research Labs, separately discovered these security weaknesses as they studied SS7 networks in recent months, after The Washington Post reported the widespread marketing of surveillance systems that use SS7 networks to locate callers anywhere in the world. The Post reported that dozens of nations had bought such systems to track surveillance targets and that skilled hackers or criminals could do the same using functions built into SS7. (The term is short for Signaling System 7 and replaced previous networks called SS6, SS5, etc.)

The researchers did not find evidence that their latest discoveries, which allow for the interception of calls and texts, have been marketed to governments on a widespread basis. But vulnerabilities publicly reported by security researchers often turn out to be tools long used by secretive intelligence services, such as the National Security Agency or Britain's GCHQ, but not revealed to the public.

"Many of the big intelligence agencies probably have teams that do nothing but SS7 research and exploitation," said Christopher Soghoian, principal technologist for the ACLU and an expert on surveillance technology. "They've likely sat on these things and quietly exploited them."