GitHub Resets Users' Passwords Following Brute Force Attack
The web hosting development site GitHub reset a number of users' passwords and revoked a slew of user security authorizations this week following a wave of brute-force attacks.
According to a blog entry by GitHub's Security Manager Shawn Davenport yesterday, the incident involved login attempts from almost 40,000 distinct IP addresses and was a slow, concerted effort to break into user accounts using multiple passwords.
It's not known exactly how many accounts were compromised, but users with weak passwords, and even in some cases those with stronger passwords, had their passwords reset and all of their tokens, OAuth authorizations and SSH keys revoked. Affected users were sent an email yesterday requesting they create a stronger password, examine their account for "suspicious activity" and urging them to set up two-factor authentication.
Continued: http://threatpost.com/github-resets-users-passwords-following-brute-force-attack/102983
GitHub users with weak passwords - you have been warned!
GitHub accounts hacked in ongoing brute force attack
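The post describes a slow, distributed brute force: each of roughly 40,000 addresses made only a handful of attempts, which is exactly what a per-IP lockout rule cannot see. The following is an added illustration (not code from GitHub or from the article) that runs a conventional per-IP rule and an account-centric rule over constructed login events; the thresholds, the event format and the sample data are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events, not real GitHub data. Each tuple is
# (timestamp, account, source IP, result). Forty distinct addresses each try
# "alice" once, five minutes apart; "bob" mistypes his own password three
# times from one address and then signs in.
_T0 = datetime(2013, 11, 19, 10, 0)
EVENTS = [
    (_T0 + timedelta(minutes=5 * i), "alice", f"203.0.113.{i}", "FAIL")
    for i in range(40)
] + [
    (_T0 + timedelta(minutes=m), "bob", "198.51.100.7", r)
    for m, r in ((1, "FAIL"), (2, "FAIL"), (3, "FAIL"), (4, "OK"))
]

def _windows(records, window):
    """For each record (sorted by time), yield the run of records that
    ends at it and fits inside `window`."""
    records = sorted(records)
    j = 0
    for i in range(len(records)):
        while records[i][0] - records[j][0] >= window:
            j += 1
        yield records[j:i + 1]

def per_ip_offenders(events, window=timedelta(hours=1), threshold=5):
    """Conventional rule: one source IP with many failures in a short window.
    An attack spread thinly over thousands of IPs never trips it."""
    fails = defaultdict(list)
    for ts, _, ip, result in events:
        if result == "FAIL":
            fails[ip].append((ts,))
    return {ip for ip, recs in fails.items()
            if any(len(w) >= threshold for w in _windows(recs, window))}

def distributed_bruteforce_targets(events, window=timedelta(hours=24),
                                   min_failures=10, min_distinct_ips=10):
    """Pivot on the account instead: many failures against one login, each
    from a different source address, is the pattern the post describes."""
    fails = defaultdict(list)
    for ts, account, ip, result in events:
        if result == "FAIL":
            fails[account].append((ts, ip))
    return {acct for acct, recs in fails.items()
            if any(len(w) >= min_failures
                   and len({ip for _, ip in w}) >= min_distinct_ips
                   for w in _windows(recs, window))}
```

On the sample data the per-IP rule flags nothing, while the account-centric rule flags "alice" and leaves bob's three typos alone.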
CryptoLocker: Please Kindly Find Our New PO
F-Secure Antivirus Research Weblog:
Yesterday's CryptoLocker post mentioned that it's spreading via spam. It's actually a spam campaign that installs an intermediary, and then CryptoLocker is installed. But in any case, the first link in the chain that results in a CryptoLocker infection is spam.
And here's a fresh example of the message being used: "Please kindly find our new PO per attachment. Could you provide your PI for confirmation. Our Order file is password protected and can be opened/accessed with password: TRADING" [Screenshot]
The company from which the message claims to be from (blurred in the example above) is of course an innocent bystander whose good name is being abused as part of this scheme.
Note that the attachments are password protected. This allows the threat to bypass gateway security measures. If you're an information security manager, don't take it for granted that the people in your organization know not to open attachments.
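A gateway cannot inspect the password-protected archive, but it can see the body that hands the recipient the password, as the quoted lure does with "password: TRADING". Below is an added mail-gateway heuristic (not F-Secure's code or anything from the original post) that pairs an archive attachment with a password disclosure in the body; the regex, extensions, addresses and the sample message are constructed for this example, and the attachment is a placeholder blob rather than a real archive.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Body phrasing that hands the recipient the archive password, modelled on
# the quoted lure ("can be opened/accessed with password: TRADING").
PASSWORD_HINT = re.compile(r"\bpassword\s*(?:is|:)\s*(\S+)", re.IGNORECASE)
ARCHIVE_EXT = (".zip", ".rar", ".7z")

def classify(raw: bytes) -> dict:
    """Gateway heuristic: an archive the scanner cannot open plus a body that
    supplies its password is the combination a content filter would miss."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    hint = PASSWORD_HINT.search(text)
    archives = [
        (part.get_filename() or "").lower()
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(ARCHIVE_EXT)
    ]
    return {
        "password_in_body": hint.group(1) if hint else None,
        "archives": archives,
        "quarantine": bool(hint) and bool(archives),
    }

def build_sample(with_password: bool) -> bytes:
    """Constructed message mimicking the PO lure (example data only); the
    attachment is an opaque placeholder blob, not a real ZIP file."""
    msg = EmailMessage()
    msg["From"] = "purchasing@example.com"
    msg["To"] = "sales@example.net"
    msg["Subject"] = "Please Kindly Find Our New PO"
    text = ("Please kindly find our new PO per attachment. "
            "Could you provide your PI for confirmation.")
    if with_password:
        text += (" Our Order file is password protected and can be "
                 "opened/accessed with password: TRADING")
    msg.set_content(text)
    msg.add_attachment(b"\x00" * 64, maintype="application",
                       subtype="zip", filename="PO-2013-11.zip")
    return msg.as_bytes()
```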
Don't Like Spam? Complain About It.
Cynical security experts often dismiss anti-spam activists as grumpy idealists with a singular, Sisyphean obsession. The cynics question whether it's really worth all that time and effort to complain to ISPs and hosting providers about customers that are sending junk email. Well, according to at least one underground service designed for spammers seeking to avoid anti-spam activists, the answer is a resounding "yes!"
Until recently, this reporter was injected into one of the most active and private underground spam forums (the forum no longer exists; for better or worse, the administrator shuttered it in response to this story). Members of this spam forum sold and traded many types of services catering to the junk email industry, including comment spam tools, spam bots, malware, and "installs" — the practice of paying for the privilege of uploading your malware to machines that someone else has already infected.
Feds Charge Cybercriminals as 21st Century Racketeers
With his angular face and hooded eyes, Andrew Duncan is a federal prosecutor right out of Central Casting. But his message on the opening day of the trial of an alleged cybercriminal yesterday was anything but old fashioned.
"Television and the movies have always portrayed organized criminal enterprises in a certain way," he says — mafia hoodlums plotting in a smoky backroom, "Vinnie the Bull" guarding the door.
Things have changed. "Flash forward to the 21st century," he says, raising his voice and shouting out the domain name of a website, www.Carder.su. He pauses between each of the W's so they ring like gunshots through the courtroom.
Until it closed two years ago, Carder.su was an online cybercrime forum used by some 7,900 fraudsters around the world. It was essentially a criminal eBay. Carefully screened "vendors" sold a wealth of products: counterfeiting gear, stolen identity information, skimmed or stolen credit card magstripe data, hacker tools, botnets for rent, and online banking credentials. Forum administrators and moderators kept the system purring, and ordinary members could post reviews of the products they'd bought.
How your LG Smart TV can spy on you
There's a fascinating blog post by "DoctorBeet", which anyone who owns an LG Smart TV should probably read.
It turns out that your LG Smart TV might be silently logging what channels you watch, and when you switch channel - sending the data back to the South Korean company so it can target you with advertisements.
And, surprise surprise, the data is sent in an unencrypted format.
DoctorBeet, a UK computer enthusiast, stumbled across the "feature" while fiddling with the settings on his LG Smart TV.
Astonishingly, DoctorBeet subsequently discovered by examining network traffic that his TV was reporting information about his viewing habits back to LG *regardless* of whether he had the system option "Collection of watching info" enabled or not. [Screenshot]
Here is the reply that DoctorBeet got back from LG's helpdesk when he asked them to comment on the enforced data collection and profiling of customers:
Continued: http://grahamcluley.com/2013/11/lg-smart-tv-can-spy/
Related: Smart TV from LG phones home with user's viewing habits, USB file names
LG smart TV snooping extends to home networks, 2nd blogger
A second blogger has published evidence that his LG-manufactured smart television is sharing sensitive user data with the Korea-based company in a post that offers support for the theory that the snooping isn't isolated behavior that affects a small number of sets.
In addition to transmitting a list of shows being watched and the names of files contained on USB drives, the Internet-connected TV also sent the names of files shared on home or office networks, the blogger reported. He made the discovery after plugging the Wireshark packet-sniffing program into his home network and noticing that an LG TV—model number 42ls570, purchased in April—was transmitting file names that sounded vaguely familiar even though there was no USB drive plugged in.
"It turns out it was pulling filenames from my shared folders over the network and broadcasting those instead," he wrote in a blog post published Thursday. "I moved all the media out of the folder and put a few duds in named 'GiantPorn,' turned the TV off and on and it was still broadcasting the old filenames. The TV couldn't see those files whilst browsing manually so I'd hazard a guess it's caching some of these locally."
Continued: http://arstechnica.com/security/2013/11/lg-smart-tv-snooping-extends-to-home-networks-second-blogger-says/
Cryptolocker infects cop PC: Mass plod fork out Bitcoin ..
"Police learn about crypto-currency and AES256 crypto the hard way"
Massachusetts cops have admitted paying a ransom to get their data back on an official police computer infected with the devilish Cryptolocker ransomware.
Cryptolocker is a rather unpleasant strain of malware, first spotted in August, that encrypts documents on the infiltrated Windows PC and will throw away the decryption key unless a ransom is paid before a time limit. The sophisticated software, which uses virtually unbreakable 256-bit AES and 2048-bit RSA encryption, even offers a payment plan for victims who have trouble forking out the two Bitcoins (right now $1,200) required to recover the obfuscated data.
On November 6, a police computer in the town of Swansea, Massachusetts, was infected by the malware, and the cops called in the FBI to investigate. However, in order to get access to the system the baffled coppers decided that it would be easier to pay the ransom of 2 BTC, then worth around $750, and received the private key to unlock the computer's data on November 10.
"It was an education for [those who] had to deal with it," Swansea police lieutenant Gregory Ryan told the Herald News. "The virus is so complicated and successful that you have to buy these Bitcoins, which we had never heard of."
Bitcoin Boom Leads to Malware Badness
ThreatTrack Security Blog:
If you're not already sitting on top of a mountain of cash thanks to the Bitcoin boom, you may be tempted to mine some Bitcoins via the art of downloading random files from the internet (you may also be tempted to do this. Don't do this, it won't end well).
There are certainly more than enough options to choose from; YouTube videos, promo sites, Pastebin posts - you name it, they're all out there and they're all clamouring for your attention.
Just keep in mind that you never really know what you're signing up to when playing the random download game, and big winnings on Bitcoin are a tasty proposition for anybody wanting to make a little money.
Scammers are promoting "no survey Bitcoin generators", which come with surveys attached regardless. [Screenshot]
Related: Bogus "free Bitcoin generator" offer leads to malware
Most iOS Apps Are Vulnerable to Hackers, Study Shows
Some 90 percent of iOS mobile applications have at least one security vulnerability, according to HP research quoted by ZDNet. The company's enterprise security team, HP Fortify, tested 2,107 mobile apps from the Forbes Global 2000, published by more than 600 developers.
The research showed that 86 percent of iOS apps that accessed private data, such as address books or Bluetooth connections, had insufficient security measures in place to prevent hacking.
Most applications tested lacked binary hardening protection that should prevent problems such as buffer overflows, path disclosure and jailbreak detection.
Mike Armistead, HP Fortify vice president and general manager for Enterprise Security Products, told ZDNet that 71 percent of the vulnerabilities found were actually problems on the server end of the app, usually common vulnerabilities such as SQL injection and cross-site scripting bugs.
Moving From Do Not Track to Can Not Track
The movement in the security and privacy communities to push the Do Not Track standard as an answer to the problem of pervasive online tracking by ad companies and other entities has resulted in the major browser vendors including DNT as an option for users, giving them a method for telling advertisers and Web sites their preferences on tracking. But DNT may well have outlived its usefulness and needs to be replaced by something that's more effective and efficient, security experts say.
DNT was conceived as a way for users to communicate their preferences on Web and ad tracking to the sites that they visit. The major browsers, including Internet Explorer, Firefox and Chrome, all have an option that allows users to enable DNT, which essentially sends an HTTP header to sites the users visit telling them whether the users consent to tracking. Advertisers and Web site owners rely on tracking to help them determine user preferences and behaviors and see where users are coming from and going to after leaving their sites. The Federal Trade Commission has pushed DNT as a privacy protecting technology and something that helps consumers defend against unwanted tracking of their online activities.