Hacking & Security

Vulnerabilities Identified in Dolphin, Mercury Android Browsers

Threatpost - 24 August, 2015 - 21:33
Vulnerabilities exist in two fairly popular alternative browsers for Android, Dolphin and Mercury, that depending on the browser could result in either remote code execution or arbitrary read/write access.
Category: Hacking & Security

Leaked AshleyMadison Emails Suggest Execs Hacked Competitors

Krebs on Security - 24 August, 2015 - 21:16

Hacked online cheating service AshleyMadison.com is portraying itself as a victim of malicious cybercriminals, but leaked emails from the company’s CEO suggest that AshleyMadison’s top leadership hacked into a competing dating service in 2012.

AshleyMadison CEO Noel Biderman. Source: Twitter.

Late last week, the Impact Team — the hacking group that has claimed responsibility for leaking personal data on more than 30 million AshleyMadison users — released a 30-gigabyte archive that it said contained emails lifted from AshleyMadison CEO Noel Biderman.

A review of those missives shows that on at least one occasion, a former company executive hacked another dating website, exfiltrating their entire user database. On Nov. 30, 2012, Raja Bhatia, the founding chief technology officer of AshleyMadison.com, sent a message to Biderman notifying his boss of a security hole discovered in nerve.com, an American online magazine dedicated to sexual topics, relationships and culture.

At the time, nerve.com was experimenting with its own adult dating section, and Bhatia said he’d uncovered a way to download and manipulate the nerve.com user database.

“They did a very lousy job building their platform. I got their entire user base,” Bhatia told Biderman via email, including in the message a link to a Github archive with a sample of the database. “Also, I can turn any non paying user into a paying user, vice versa, compose messages between users, check unread stats, etc.”

Neither Bhatia nor Biderman could be immediately reached for comment. KrebsOnSecurity.com spoke with Bhatia last week after the Impact Team made good on its threat to release the Ashley Madison user database. At the time, Bhatia was downplaying the leak, saying that his team of investigators had found no signs that the dump of data was legitimate, and that it looked like a number of fake data dumps the company had seen in the weeks prior. Hours later, the leak had been roundly confirmed as legitimate by countless users on Twitter who were able to find their personal data in the cache of account information posted online.

The leaked Biderman emails show that a few months before Bhatia infiltrated Nerve.com, AshleyMadison’s parent firm — Avid Life Media — was approached with an offer to partner with and/or invest in the property. Email messages show that Bhatia initially was interested enough to offer at least $20 million for the company along with a second property called flirts.com, but that AshleyMadison ultimately declined to pursue a deal.

More than six months after Bhatia came to Biderman with revelations of the nerve.com security vulnerabilities, Biderman was set to meet with several representatives of the company. “Should I tell them of their security hole?” Biderman wrote to Bhatia, who doesn’t appear to have responded to that question via email.

The cache of emails leaked from Biderman run from January 2012 to July 7, 2015 — less than two weeks before the attackers publicized their break-in on July 19. According to a press conference held by the Toronto Police today, AshleyMadison employees actually discovered the breach on the morning of July 12, 2015, when they came to work and powered on their computers only to find their screens commandeered with the initial message from the Impact Team — a diatribe accompanied by the song “Thunderstruck” from rock band AC/DC playing in the background.

Interestingly, less than a month before that episode, AshleyMadison executives seemed very keen on completing a series of internal security assessments, audits and security awareness training exercises for employees.

“Given our open registration policy and recent high profile exploits, every security consultant and their extended family will be trying to trump up business,” wrote Ashley Madison Director of Security Mark Steele to Biderman in an email dated May 25, 2015. “Our codebase has many (riddled?) XSS/CSRF vulnerabilities which are relatively easy to find (for a security researcher), and somewhat difficult to exploit in the wild (requires phishing). Other vulnerabilities would be things like SQL injection/data leaks, which would be much more damaging” [links added].

As bad as this breach has been for AshleyMadison and its millions of users, it’s likely nowhere near over: Hackers who have been combing through the company’s leaked email records have just released a “selected dox” archive — a collection of documents, images and other data from Biderman’s inbox, including a 100-page movie script co-written by Biderman called “In Bed With Ashley Madison.” Also included in the archive are dozens of other sensitive documents, including a scan of the CEO’s drivers license, copies of personal checks, bank account numbers, home address, and his income statements for the last four years.

Also, the Impact Team still have not released data from the other Avid Life Media property they claim to have hacked — Establishedmen.com, a “sugar daddy” site that claims to connect wealthy men with willing young women.

Earlier today, Toronto Police announced that Avid Life Media had offered a $500,000 reward for information leading to the arrest and prosecution of the hacker or hackers responsible for the breach. But many readers took to Twitter or to the comments section on this site to denounce the bounty as an overdue or cynical ploy, with some saying the company should have offered the reward weeks ago — before the Impact Team released the company’s entire user database and caused so much irreversible damage.

Leaving aside the proliferation of sites that now allow suspicious spouses to search for their significant other’s email address in the AshleyMadison data leak, some users are finding themselves on the receiving end of online extortion attacks. Worse still, Toronto Police told reporters this morning that they have two unconfirmed reports of suicides associated with the leak of AshleyMadison customer profiles.

Category: Hacking & Security

Court Rules FTC Has Authority to Punish Wyndham Over Breaches

Threatpost - 24 August, 2015 - 20:20
In the latest installment of a long and winding court case related to multiple data breaches at Wyndham Worldwide several years ago, an appellate court has upheld the authority of the Federal Trade Commission to punish the hotel chain for lax security practices that allegedly led to the breaches.
Category: Hacking & Security

AlienSpy RAT Resurfaces as JSocket

Threatpost - 24 August, 2015 - 19:37
The dismantled AlienSpy remote access Trojan, the same malware found on the phone of dead Argentine prosecutor Alberto Nisman, has resurfaced with new crypto and a new name.
Category: Hacking & Security

Reflective satellites may be the future of high-end encryption

Ars Technica - 24 August, 2015 - 19:02

Quantum key distribution is regularly touted as the encryption of the future. While the keys are exchanged on an insecure channel, the laws of physics provide a guarantee that two parties can exchange a secret key and know if they're being overheard. This unencrypted-but-secure form of key exchange circumvents one of the potential shortcomings of some forms of public key systems.

However, quantum key distribution (QKD) has one big downside: the two parties need to have a direct link to each other. So, for instance, banks in and around Geneva use dedicated fiber links to perform QKD, but they can only do this because the link distance is less than 100 km. These fixed and short links are an expensive solution. A more flexible solution is required if QKD is going to be used for more general encryption purposes.

A group of Italian researchers have demonstrated the possibility of QKD via a satellite, which in principle (but not in practice) means that any two parties with a view of a satellite can exchange keys.


Category: Hacking & Security

Ashley Madison offers $500,000 reward amid reports of member suicides

Ars Technica - 24 August, 2015 - 18:42

An international roster of police and private investigators are vowing to vigorously pursue the people who hacked the Ashley Madison dating website for cheaters, with the cheating site offering a $500,000 reward and appealing for help from hackers around the world.

The full-court press comes amid a report of at least two suicides of people whose personal information was included in the massive dump of account data for Ashley Madison, which carried the tag line "Life is short. Have an affair." It's too early to say if the exposures were the proximate reason the individuals took their lives, but the deaths were discussed during a press conference the Toronto Police Service held early Monday morning. Bryce Evans, acting staff superintendent, said the outing of so many people in committed relationships cheating on their partners crossed a line that could destroy lives and careers of millions of people around the world.

Wakeup call

He called on hackers around the world to provide tips to law enforcement agencies working to identify the people who thoroughly rooted the servers of Ashley Madison parent company Avid Life Media. He also said the investigation was being carried out jointly by his department, the Royal Canadian Mounted Police, the US Department of Homeland Security, the FBI, and others. A Homeland Security official said the department investigates matters potentially involving the extortion of federal employees. As Ars reported last week, leaked account details showed hundreds of federal workers used Internet connections in their federal offices to pay membership fees for and use the site. Additionally, he said Avid Life Media has pledged a $500,000 reward for information leading to the identification of the people responsible for the compromise, who have dubbed themselves Impact Team.


Category: Hacking & Security

AshleyMadison: $500K Bounty for Hackers

Krebs on Security - 24 August, 2015 - 17:20

AshleyMadison.com, an online cheating service whose motto is “Life is Short, Have an Affair,” is offering a $500,000 reward for information leading to the arrest and prosecution of the individual or group of people responsible for leaking highly personal information on the company’s more than 30 million users.

A snippet of the message left behind by the Impact Team.

The bounty offer came at a press conference today by the police in Toronto — where AshleyMadison is based. At the televised and Webcast news conference, Toronto Police Staff Superintendent Bryce Evans recounted the key events in “Project Unicorn,” the code name law enforcement officials have assigned to the investigation into the attack. In relaying news of the reward offer, Evans appealed to the public and “white hat” hackers for help in bringing the attackers to justice.

“The ripple effect of the Impact Team’s actions has had and will continue to have long-term social and economic impacts, and they have already sparked spin-offs of crimes and further victimization,” Evans said. “As of this morning, we have two unconfirmed reports of suicides that are associated [with] the leak of AshleyMadison customer profiles.”

Evans did not elaborate on the suicides, saying only that his office is investigating those reports. The San Antonio Express-News reported Friday that a city worker whose information was found in the leaked AshleyMadison database took his life last Thursday, although the publication acknowledges that it’s unclear whether the worker’s death had anything to do with the leak.

Evans warned the public and concerned AshleyMadison users to be on guard against a raft of extortion scams that are already popping up and targeting the site’s customers. On Friday, KrebsOnSecurity featured an exclusive story about one such extortion scheme that threatened to alert the victim’s spouse unless the recipient paid the attacker a Bitcoin (worth slightly more than USD $250). The Toronto Police posted this image of a similar extortion attempt that they have seen making the rounds.

“Criminals have already engaged in online scams by claiming to provide access to the leaked web site,” he said. “The public needs to be aware that by clicking on these links, you are exposing your computer to adware and spyware and viruses. Also there are those offering to erase customer profiles from the list. Nobody is going to be able to erase that information.”

Evans said AshleyMadison employees first learned of the intrusion when they arrived at work on the morning of July 12, 2015. Evans said employees powered on their computers and were presented with the initial message from the Impact Team — the hacker group that has claimed responsibility for the breach — accompanied by the song “Thunderstruck” from rock band AC/DC playing in the background.

The Toronto Police Department is encouraging anyone with information about the attacker(s) to contact them via phone or Twitter. Likewise, the department is asking victims of extortion attacks tied to the data leak not to pay the ransom demands, but instead to report the crimes at the addresses and/or numbers listed below.

Toronto Police are asking anyone with information about the attacker(s) to contact them. AshleyMadison.com is offering a $500,000 reward for information leading to the arrest and prosecution of the intruders.

Category: Hacking & Security

White House Support for CISA Worries Privacy Advocates

Threatpost - 24 August, 2015 - 17:10
While Congress is enjoying its annual summer recess, privacy advocates are worried that the White House’s recent endorsement of the controversial CISA bill–which has been criticized by DHS officials, among others–will push the information-sharing bill over the goal line. The Cybersecurity Information Sharing Act is the latest incarnation of Congress’s decade-long effort to legislate some […]
Category: Hacking & Security

Proxy Chaining

InfoSec Institute Resources - 24 August, 2015 - 15:26

We live in a world where privacy has an important role in our day-to-day life. The activities we perform using the Internet can tell a lot about a person’s social and professional life. In the wrong hands, this information could result in various problems. Data collected could be used to hack bank accounts, social media […]


Category: Hacking & Security

Spotify explains its new "give us your data" policy

Sophos Naked Security - 24 August, 2015 - 15:20
Spotify confused everyone with its recent privacy policy update. CEO Daniel Ek has now said, "Sorry," and tried to explain...

Explaining how to use pirate site Popcorn Time can get you arrested

Sophos Naked Security - 24 August, 2015 - 13:51
The law is moving to crush the "Netflix for pirated movies" like so many crunchy snacks littering the floor of a crowded movie theater.

Teen nabbed after attacks on UK government and FBI sites

Sophos Naked Security - 24 August, 2015 - 13:23
His lawyers claim that their client was only on the "periphery" of the conspiracy, but that didn't stop him from boasting about it.

Mozilla Firefox Launches Web Extensions API to Support Chrome and Opera Extensions

The Hacker News - 24 August, 2015 - 13:14
Should we feel happy about it? Let's find out! What Firefox has been thinking of is, it is planning to bring in Google Chrome's web browser extensions to support the features of Mozilla Firefox. The parent company of Firefox, i.e. the Mozilla Foundation, has decided to update its add-on and extension infrastructure, making Firefox more capable and user-friendly. Ranked number three,
Category: Hacking & Security

Hack Codegen - Facebook Open-Sources Code That Writes Code

The Hacker News - 24 August, 2015 - 12:20
Good news for Open Source Lovers! Facebook has open-sourced Hack Codegen – its library for automatically generating Hack code, allowing outside developers to automate some of their routine work while developing large programs. Hack is Facebook's own programming language, designed to build complex web sites and other software quickly and without many flaws. Hack programming
Category: Hacking & Security

Monday review - the hot 24 stories of the week

Sophos Naked Security - 24 August, 2015 - 11:31
Here are the top stories from the past week so you can catch up with what you missed!

New Android Vulnerability Lets Hackers Take Over Your Phone

The Hacker News - 24 August, 2015 - 10:11
This time Everything is Affected! Yet another potentially dangerous vulnerability has reportedly been disclosed in Google's mobile operating system platform – Android. Android has been hit by a number of security flaws this month, including: the Stagefright vulnerability that affects 950 million Android devices worldwide; a critical mediaserver vulnerability that threatened to crash
Category: Hacking & Security

What part of "Prohibited" don't you understand? 60 Second Security

Sophos Naked Security - 23 August, 2015 - 23:19
Enjoy the latest episode of our weekly 1-minute video - short and sweet security!

Highway to hack: Why we’re just at the beginning of the auto-hacking era

Ars Technica - 23 August, 2015 - 17:00

Imagine it’s 1995, and you’re about to put your company’s office on the Internet. Your security has been solid in the past—you’ve banned people from bringing floppies to work with games, you’ve installed virus scanners, and you run file server backups every night. So, you set up the Internet router and give everyone TCP/IP addresses. It’s not like you’re NASA or the Pentagon or something, so what could go wrong?

That, in essence, is the security posture of many modern automobiles—a network of sensors and controllers that have been tuned to perform flawlessly under normal use, with little more than a firewall (or in some cases, not even that) protecting it from attack once connected to the big, bad Internet world. This month at three separate security conferences, five sets of researchers presented proof-of-concept attacks on vehicles from multiple manufacturers plus an add-on device that spies on drivers for insurance companies, taking advantage of always-on cellular connectivity and other wireless vehicle communications to defeat security measures, gain access to vehicles, and—in three cases—gain access to the car’s internal network in a way that could take remote control of the vehicle in frightening ways.

While the automakers and telematics vendors with targeted products were largely receptive to this work—in most cases, they deployed fixes immediately that patched the attack paths found—not everything is happy in auto land. Not all of the vehicles that might be vulnerable (including vehicles equipped with the Mobile Devices telematics dongle) can be patched easily. Fiat Chrysler suffered a dramatic stock price drop when video of a Jeep Cherokee exploit (and information that the bug could affect more than a million vehicles) triggered a large-scale recall of Jeep and Dodge vehicles.


Category: Hacking & Security

Ashley Madison hackers leave footprints that may help investigators

Ars Technica - 22 August, 2015 - 18:10

The people who leaked more than 200,000 e-mails from the Ashley Madison dating service for cheaters left behind footprints that will almost certainly be of interest to police and company officials.

The BitTorrent file containing e-mail for Noel Biderman, the CEO of Ashley Madison parent company Avid Life Media, was originally uploaded by someone using a server operated by Ecatel Ltd., an ISP headquartered in the Netherlands. A Web interface for administering the BitTorrent server was left exposed to the Internet without a password, making it possible for outsiders to access. A few hours after the BitTorrent went live, the server went dark after an outsider accessed the wide-open interface and began making changes to the server configuration. The above screenshot, published by a Twitter user calling himself Mr. Green, is just one example of such an outside access.

"Somehow, the person(s) setting up the original uploading (=seeding) of the file forgot to password protect the Web interface, or turn the feature off," Per Thorsheim, an independent security researcher in Bergen, Norway, told Ars. "I suspect [the hackers] used the Web interface to administer the various uploads of the leaks using BitTorrent."


Category: Hacking & Security

Meet Linux's New Fastest File-System – Bcachefs

The Hacker News - 22 August, 2015 - 16:31
Ex-Google engineer Kent Overstreet has announced the general availability of a new open-source file system for Linux, first announced over five years ago, called the Bcache File System (or Bcachefs). Bcachefs is a Linux kernel block layer cache that aims at offering a speedier and more advanced way of storing data on servers. Bcachefs promises to provide the same
Category: Hacking & Security