Information Security Blog | Cyber Security Blog

others

Information Security Blog | Cyber Security Blog
others

others (95)

Read More

Over 117 million LinkedIn users have had their details sold over the Darknet, it has emerged.

A hacker by the name of 'Peace' told Motherboard that they had gained access to the site and posted 5.6 million users' passwords on a Russian hacker forum back in 2012. LinkedIn reset the accounts of those it believed it be affected.

Now Peace is selling the data on Darkweb illegal marketplaces for around 5 bitcoin or around $2000, and it turns out that the breach is much larger than first anticipated. Hacked data search engine LeakedSource said that there are 167 million accounts in the hacked database, 117 million of which include both emails and encrypted passwords.

A $5 million lawsuit was filed against the business networking giant in the wake of the 2012 hack, blaming the company for its outdated security measures, including failing to 'salt' passwords - a security measure that 'hashes' more common passwords, making them more difficult to crack.

'Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012.'

'We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.'

The company has said that since the incident in 2012 it has hashed and salted every password in its database, offering protection tools such as email challenges and dual factor authentication.

'We encourage our members to visit our safety center to learn about enabling two-step verification, and to use strong passwords in order to keep their accounts as safe as possible,' added the blog. 

But Liviu Itoafa, security researcher at Kaspersky Lab, bemoans the fact that LinkedIn are acting to improve their security only after the worst occured.

'The reports of further LinkedIn user’s passwords being sold online, following a hack four years ago, demonstrates the need for businesses to consider security procedures before a data breach forces them to - prevention is always better than cure,' says Itoafa.

'Customers that entrust their private information to an online provider should be able to rest safely in the knowledge it is kept in a secure manner; and all companies who handle private data have a duty to secure it.'

In this particular case, thanks to the email addresses and unsalted passwords leaked, cybercriminals have the opportunity to use this information to steal personal identities or more.

'Unfortunately, once a breach of this nature has occurred, there is not much that can be done about the leaked data,' said Itoafa. 'While LinkedIn has taken the precaution of invalidating the passwords of the accounts impacted, and contacting those members to reset their passwords, the chances are that many will use the same password across multiple online accounts. So it’s important that LinkedInusers take steps to change the password for other online accounts where they have used the same password.'

LinkedIn added: 'We have demanded that parties cease​ making stolen password data available​ and will evaluate potential legal action if they fail to comply. In the meantime, we are using automated tools to attempt to identify and block any suspicious activity that might occur on affected accounts.'

The website, which has 400 million members, will be letting individual members know if they need to change their password.

Read More

In 2014, as the hype and newness die down, social media is increasingly something we take for granted in our daily lives. There’s a big battle going on to keep our social attention: which of these two companies will prove dominant and win?

Twitter and Facebook: Competing or completely different?

Last week, Facebook founder & CEO Mark Zuckerberg used an earnings conference call to reaffirm Facebook’s grand vision, saying it was about “connecting everyone & improving the world through sharing."

Twitter CEO Dick Costolo also talks a lot about how he sees Twitter as “the global town square." On Twitter’s website, it states that its mission is “to give everyone the power to create and share ideas and information instantly, without barriers.”

Both visions overlap – they cater for “everyone” and are about opening up the world through sharing. However, a subtle difference in emphasis accounts for a lot of the differences in the role they play in our lives – Facebook talks about “connecting” whereas Twitter talks about “ideas and information." I think this is ultimately what makes Facebook a true social network whereas Twitter is more of an information network.

Both connection and information play valuable roles, but over time, depending on the focus of our lives, we will ultimately favor one over the other in deciding where to focus our social attention.

In the below diagram, I’ve looked at the areas where Facebook and Twitter connect and inform us, where they overlap and fulfill similar roles, and also the areas where, segment-by-segment, new competitors are challenging them both.

Read More

If you use Firefox, you should update your browser now to prevent a flaw in the software that could allow hackers to “search for and upload potentially sensitive” from your hard drive to their servers.

Mozilla isasking all Firefox users to upgrade to version 39.0.3. Most users have automatic updates turned on, however it’s important to make sure you’re running the most recent version of Firefox.

The security issue only impacts PCs because the flaw relies on an interaction between the browser’s PDF viewer and other features in the browser. Mac and Android users are not impacted.

“The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer. Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files.” — Daniel Veditz, Mozilla

People who use ad-blocking software may have been protected from this exploit depending on the software and specific filters being used.

The exploit leaves no trace it has been run on the local machine.

A Firefox user alerted Mozilla after discovering the flaw while browsing on a Russian news website.

Read More

German researchers have discovered security flaws that could let hackers, spies and criminals listen to private phone calls and intercept text messages on a potentially massive scale – even when cellular networks are using the most advanced encryption now available.
    The flaws, to be reported at a hacker conference in Hamburg this month, are the latest evidence of widespread insecurity on SS7, the global network that allows the world’s cellular carriers to route calls, texts and other services to each other. Experts say it’s increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world’s billions of cellular customers.
    The flaws discovered by the German researchers are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network.
    Those skilled at the myriad functions built into SS7 can locate callers anywhere in the world, listen to calls as they happen or record hundreds of encrypted calls and texts at a time for later decryption. There also is potential to defraud users and cellular carriers by using SS7 functions, the researchers say.
    These vulnerabilities continue to exist even as cellular carriers invest billions of dollars to upgrade to advanced 3G technology aimed, in part, at securing communications against unauthorized eavesdropping. But even as individual carriers harden their systems, they still must communicate with each other over SS7, leaving them open to any of thousands of companies worldwide with access to the network. That means that a single carrier in Congo or Kazakhstan, for example, could be used to hack into cellular networks in the United States, Europe or anywhere else.
    “It’s like you secure the front door of the house, but the back door is wide open,” said Tobias Engel, one of the German researchers.
    Engel, founder of Sternraute, and Karsten Nohl, chief scientist for Security Research Labs, separately discovered these security weaknesses as they studied SS7 networks in recent months, after The Washington Post reported the widespread marketing of surveillance systems that use SS7 networks to locate callers anywhere in the world. The Post reported that dozens of nations had bought such systems to track surveillance targets and that skilled hackers or criminals could do the same using functions built into SS7. (The term is short for Signaling System 7 and replaced previous networks called SS6, SS5, etc.)
    The researchers did not find evidence that their latest discoveries, which allow for the interception of calls and texts, have been marketed to governments on a widespread basis. But vulnerabilities publicly reported by security researchers often turn out to be tools long used by secretive intelligence services, such as the National Security Agency or Britain’s GCHQ, but not revealed to the public.
    “Many of the big intelligence agencies probably have teams that do nothing but SS7 research and exploitation,” said Christopher Soghoian, principal technologist for the ACLU and an expert on surveillance technology. “They’ve likely sat on these things and quietly exploited them.”

Read More

The co-founder of Liberty Reserve, the operator of what had been a widely-used digital currency, was sentenced to 20 years in prison on Friday for conspiring to help cyber criminals launder hundreds of millions of dollars using its services.

Arthur Budovsky, 42, was sentenced by U.S. District Judge Denise Cote in Manhattan, who said a substantial punishment was warranted for his role in running a money laundering operation that prosecutors said was of unprecedented scope.

"Sad to say, Mr. Budovsky used his enormous talents here in a way that led to widespread harm," she said.

Budovsky, who pleaded guilty in January to conspiracy to commit money laundering, was also ordered to forfeit USD122 million and fined USD500, 000. He said nothing in court as his lawyer, John Kaley, argued for less than 15 years in prison.

"Remorse has been exhibited here," he said.

But Assistant U.S. Attorney Christian Everdell sought the maximum 20-year sentence given Budovsky's role "at the helm of this sweeping enterprise."

Liberty Reserve operated a widely used digital currency, processing more than USD8 billion in financial transactions and earning Budovsky over USD25 million, prosecutors said.

Much of its business came from criminals seeking to launder proceeds from Ponzi schemes, credit card trafficking, identity thefts and computer hacking, prosecutors said.

The company was shuttered in May 2013 as Budovsky was arrested amid U.S. efforts to crack down on the use of digital currencies including bitcoin to evade law enforcement and launder money.

Four other people pleaded guilty, including Liberty Reserve co-founder Vladimir Kats, who is set to be sentenced next week.

Budovsky and Kats, who met as teenagers working as camp counsellors in Brooklyn, previously were convicted in 2006 on New York state charges for operating an earlier digital currency exchange as an unlicensed money transmitting business.

They launched Liberty Reserve in 2005, and after their arrests, moved it to Costa Rica, where Budovsky became a citizen.

Liberty Reserve users would buy and redeem its digital currency, LR, through third-party exchangers who in turn bought and sold LR in bulk from Liberty Reserve, authorities said.

Users did not have to validate their identities, prosecutors said, allowing an undercover Secret Service agent to establish an account for a "Joe Bogus" from "Completely Made Up City, New York, United States."

Of USD7.26 billion in transactions by Liberty Reserve's top 500 accounts, USD2.6 billion were for investment opportunities, mostly Ponzi schemes, prosecutors said.

The case is U.S. v. Kats et al, U.S. District Court, Southern District of New York, No. 13-00368.

Read More

In the movies, people on the run are often hunted down because of their cell phones. There are countless scenes where expensive smartphones are smashed to bits, or dropped in rivers, to evade capture by nefarious government operatives or well-equipped mobsters.

Hopefully you’re not in that situation. But if you were, do you really need to go that far? We asked the experts what information your cell phone is really broadcasting about you, how to protect yourself, and what it would take to truly go off the grid.

The simple options don’t work

If you suspected your phone were being tracked and wanted to start covering your tracks without snapping it in half, your first bet might be to simply turn on airplane mode. That won’t cut it.

“Every phone has two operating systems,” explains Gary S. Miliefsky, CEO of SnoopWall, “One that connects to cellular networks, and one that interfaces with the consumer. Airplane mode may only disable features in the consumer facing operating system, such as Android or iOS, but not in the OS used between the phone and the carrier network. A phone may be giving out a ‘ping’ and you’d never know it.”

Communicating at all with a cell tower could expose you

It doesn’t even need to be sending out GPS coordinates — communicating at all with a cell tower could expose you. By comparing the signal strength of your cell phone on multiple cell towers, someone looking for you can approximate your location with triangulation. This requires access to data from your mobile network, which should keep it out of reach for criminals, but carriers can be compelled to provide that data to law-enforcement agencies.

So how about removing the SIM card?

“Removing the SIM may work to stop most cyber criminals, but every phone has a built-in feature set of identifiers that may be detected via tools like Stingray devices now used by the police and military, as well as fake 2G cell towers put up by the NSA,” Gary explains, “Forcing a phone to 2G means no encryption and it’s easily detected and tracked.”

Stingrays are also known as cell-site simulators, or IMSI catchers. They mimic cell phone towers and send out signals that can trick your cell phone into replying with your location and data that can be used to identify you. And they’re surprisingly widely used.

The American Civil Liberties Union has a map and list of federal agencies known to use cell-site simulators, which includes the FBI, the DEA, the Secret Service, the NSA, the U.S. Army, Navy, Marshals Service, Marine Corps, National Guard, and many more. For obvious reasons, it’s not an exhaustive list.

What about Wi-Fi?

At short range, you can be tracked by Wi-Fi. Every time you turn Wi-Fi on, your phone is sending out a signal that includes your unique MAC address, which is kind of like a fingerprint for digital devices. This kind of technology is already being used by stores to track your movements. It’s not ideal for surveillance, because of the limited range, but if someone has obtained your MAC address it could be used to deduce something like when you enter or leave a specific building.

Read More

"The vulnerability was introduced when Qualcomm provided new APIs as part of the "network_manager" system service, and subsequently the "netd" daemon, that allow additional tethering capabilities, possibly among other things. I would say that there is probably a large portion of devices on the market that are vulnerable". The issue affects both flagship and non-flagship devices that use Qualcomm chips and/or Qualcomm code, meaning that hundreds of models are affected and likely millions of gadgets.

"The patch for this issue is not in AOSP. Qualcomm had modified the "netd" daemon", Mandiant said in an advisory. "People are using the code for a variety of projects, including Cyanogenmod (a fork of Android)", the researchers noted. Handset makers have to include the patch in their updates, then work with the cellular carriers to actually deliver the software to individual devices. In layman's terms, the manufacturers themselves probably don't know for sure all devices that are affected... A Google representative said Nexus devices were never affected. We are not aware of any exploitation of this vulnerability. Mandiant says it can be exploited either by a hacker physically unlocking an unprotected device, or by the user installing a malicious application.

 "Additionally, the permission required to perform this is requested by millions of applications, so it wouldn't tip the user off that something is wrong". "It's hard to believe that any antivirus would flag this threat", Mandiant wrote in a blog. Android is no stranger to being the subject of cybercrime attacks, with Google needing to continually extend and improve the security needs to ensure users stay safe. In this case, the app would be able to execute commands as the "radio" user, which means it has access to other system resources, such as Phone and Telephony Providers, and to system settings such as WRITE_SETTINGS_SECURE (change key system settings), BLUETOOTH_ADMIN (discover and pair Bluetooth devices), WRITE_APN_SETTINGS (change APN settings), DISABLE_KEYGUARD (disable lock screen).

 However, Android Gingerbread (2.3.x), Ice Cream Sandwich MR1 (4.0.3), Jellybean MR2 (4.3), KitKat (4.4), and Lollipop (5.0) are all vulnerable to some degree. This vulnerability has been identified as CVE-2016-2060 which exists in a software package maintained by Qualcomm and if exploited, can grant the attacker access to the victim's SMS database, phone history, and more. "There is no performance impact or risk of crashing the device", the report added. The vulnerability seems to affect all Android devices with Qualcomm chips and/or Qualcomm code. Fayette Advocate

Read More

The US Supreme Court has approved a change in Rule 41 of the Federal Rules of Criminal Procedure, so judges across the country now have the authority to issue warrants for remote electronic searches outside their district.

That means that a judge can grant an FBI agent in, say, New York, permission to hack into a computer in San Francisco, or potentially any city in the world, in order to further their investigation.The court documents pertaining to the matter indicate that a warrant will be granted if a suspect uses tools to hide their identity, such as Tor.

The amendment, first introduced in 2014, seems intended as a step towards keeping pace with the ever-changing world of cyber crime, but it raises privacy and security issues that tech firms like Google say require further debate.

It comes just a week after a Massachusetts judge dismissed evidence obtained by the FBI using a network investigative technique in a case involving a Dark Web site that distributed images of child sexual abuse. It was Rule 41 that rendered the FBI’s findings invalid in court.

Privacy advocates are concerned that the government is attempting to grant itself this kind of power to snoop on just about anyone while disguising it as a procedural rule. It’s a problem because, as Oregon Senator Ron Wyden, who has vowed to mobilize opposition to the update notes, “This rule change could potentially allow federal investigators to use one warrant to access millions of computers, and it would treat the victims of the hack the same as the hacker himself.”

The change is yet to come into play – Congress has until December 1 to share its thoughts on the matter. If it fails to do so, the amended rule will become law. The trouble is, both chambers of Congress have to agree on how to address it, and that seems unlikely, given the current gridlock in the legislature ahead of the presidential election.

Read More

A Cherry Hill man charged with producing child pornography will remain in custody until his trial, the Courier Post reports.

Burton Gersh, 68, is in a federal detention facility, according to the report. He was looking to be released until his trial begins on May 19, but a judge ruled that Gersh had reason to flee between the possibility of a long prison term and over $2 million in assets, according to the report.

Gersh and Les Sidweber, 73, were each charged with two counts of production of child pornography on Nov. 3.

Gersh and Sidweber face a mandatory minimum term of 15 years in prison, with a maximum possible sentence of 60 years in prison, a $500,000 fine, a period of supervised release of five years to life, and a $200 special assessment.

The two allegedly transported two minors, ages 16 and 17, from the Philadelphia area, on multiple occasions, to their homes in Cherry Hill, according to court documents.

While there, Sidweber took pictures of the teenagers engaging in sexually explicit acts at Gersh’s behest.

Gersh claims the girls told him they were 18, but federal courts have deemed suspects of child pornography are not permitted to use that as an excuse, according to the report.

Read More

In late 2014, an anonymous whistle-blower contacted the German newspaper Suddeutsche Zeitung stating that they had “more data than you have ever seen” in relation to crimes that the person wanted to make public. At this time, it is not publicly known how the whistle-blower was able to send so much data undetected over such a period of time however Bastian Obermayer, the reporter for Suddeutsche Zeitung who was contacted by the whistle-blower, stated that he “learned a lot about making the safe transfer of big files”.

Obermayer indicated that he communicated through various encrypted channels with the whistle-blower who sent the data in chunks until the 2.7 TB were amassed. Suddeutsche Zeitung contacted the ICIJ and the ICIJ created a secure portal where journalists could research the data. Over 400 journalists kept the information a secret until Sunday when over 100 news outlets published the first articles about the data leak.

Earlier, the Mossack Fonseca website told its customers that their email server suffered an unauthorized breach. The company denies any wrongdoing and has published a lengthy rebuttal to the media reports. A spokesperson has stated that the company may pursue legal action against the news agencies for using the information that was obtained illegally.

It appears that you have had unauthorized access to proprietary documents and information taken from our company and have presented and interpreted them out of context. We trust that you are fully aware that using information/documentation unlawfully obtained is a crime, and we will not hesitate to pursue all available criminal and civil remedies.

The one thing that has not been mentioned yet is the data protection liability suit that the 4th largest offshore law firm in the world may have coming in the near future. Target settled its data breach for $100 million… this one is going to be much larger.

While the Cisco CEO says that there are two types of companies, ones that have been hacked and ones that know they’ve been hacked; the cybersecurity future is not completely doom and gloom for businesses. There are some basic things that businesses can do to better protect themselves.

Use endpoint (anti-virus and anti-malware) software on all devices and keep it up-to-date

Protect the business with a firewall that inspects traffic both in and out of the business

Get a vulnerability and penetration assessment