Security breach/compromise - 2013

Hetzner hacked, customer data copied

FYI...

Hetzner web hosting service hacked, customer data copied
- http://h-online.com/-1884574
7 June 2013 - "Web hosting service Hetzner has fallen victim to an attack during which hackers managed to harvest customer data. Among other things, the intruders had access to password hashes and customers' payment information. Apparently, a previously unknown server rootkit was used for the attack. In an email sent to customers on Thursday afternoon, the company said that unknown intruders had compromised several Hetzner systems. Apparently, the incident was discovered at the end of last week... although this data is encrypted asymmetrically, it can't be ruled out at this point that the private crypto keys that are required for decryption were copied as well. The attackers were also able to access customers' credit card data (the last three digits of credit card numbers, the expiry date and the card type) as well as salted SHA256 password hashes... current information suggests that the manipulated Apache instances were not used to deploy malware. It remains unclear who is behind the attack. How the hackers intruded into the server has yet to be established as well. The hosting company said that the German Federal Criminal Police Office (BKA) has been informed."

:fear::fear: :sad:
 
Facebook - potential leak of User Data

FYI...

Facebook - potential leak of User Data
- https://isc.sans.edu/diary.html?storyid=16043
Last Updated: 2013-06-22 - "Facebook recently received a report that may have allowed some user information (email or phone number) to be accessed by people who either had some contact information about that person or some connection to them. Based on their analysis, they estimate that approximately 6 million users had their email addresses or telephone numbers shared. However, they don't have any evidence this bug was exploited because they have not received any user complaints or seen strange activity related to this bug. The complete Facebook message to users is posted here*..."
* https://www.facebook.com/notes/face...facebooks-white-hat-program/10151437074840766

:fear::fear:
 
Mass-login attack hijacks accounts ...

FYI...

Mass-login attack hijacks accounts...
- http://arstechnica.com/security/201...-on-nintendo-fan-site-hijacks-24000-accounts/
July 8 2013 - "Almost 24,000 user accounts on Nintendo's main fan site have been hijacked in a sustained mass-login attack that began early last month, the company said. The wave of attacks on Club Nintendo exposed personal information associated with 23,926 compromised accounts, including users' real names, addresses, phone numbers and e-mail addresses, according to a press release Nintendo issued over the weekend. The campaign began on June 9 and attempted more than 15.5 million logins over the following month. Attackers likely relied on a list of login credentials taken from a site unrelated to Nintendo. Club Nintendo offers rewards to Nintendo customers in exchange for having them register their products, answer surveys, and provide personal data. The site operates internationally and has about four million users in Japan, the primary region of most affected users. Things came to a head on July 2, when the wave of logins crested. By Friday, July 5, Nintendo had reset passwords on the site. "There were scattered illicit attempts to log in since June 9, but we became aware of the issue after the mass attempts on July 2," company spokesman Yasuhiro Minagawa told IDG News.
Other game companies recently hit by security problems include Ubisoft, which last week warned that customer user names, e-mail addresses and cryptographically hashed passwords were illegally accessed from an account database that had been breached. More recently, the alpha launch of a new indie game called Cube World has been reportedly disrupted by denial-of-service attacks."

:fear::mad::fear:
 
NL Registrar compromise

FYI...

.NL Registrar compromise
- https://isc.sans.edu/diary.html?storyid=16138
Last Updated: 2013-07-10 20:00:51 UTC - "Based on a note on the website of SIDN [1], an SQL injection vulnerability was used to compromise the site and place malicious files in the document root. SIDN is the registrar for the .NL country level domain (Netherlands). As a result of the breach, updates to the zone file are suspended. There is no word as to any effects on the zone files, or if the attackers were able to manipulate them."

[1] Precautionary action taken to ensure security
* https://www.sidn.nl/en/news/news/article/preventieve-maatregelen-genomen-2/
10 July 2013 - "On Tuesday, it came to light that malicious files were present on a number of SIDN websites – files that should not have been there. In order to prevent abuse, SIDN immediately took a number of precautionary measures: the DRS web application was shut down and zone file publication was temporarily suspended. As a result of our precautionary action, some areas of the website that registrars use to download registrarship-related data have been unavailable since Tuesday evening. We believe that the attack began with an SQL injection on the website 25jaarvan .nl. That site is therefore inaccessible for the time being. The precise nature of the vulnerability is currently being investigated. Further information about the security alert will continue to be made available on the site you are now viewing*."

:sad: :fear:
 
Tumblr critical security update ...

FYI...

Tumblr critical security update ...
- http://staff.tumblr.com/post/55648373578/important-security-update-for-iphone-ipad-users
July 16, 2013 - "We have just released a very important security update for our iPhone and iPad apps addressing an issue that allowed passwords to be compromised in certain circumstances¹. Please download the update now*. If you’ve been using these apps, you should also update your password on Tumblr and anywhere else you may have been using the same password... Please know that we take your security very seriously and are tremendously sorry for this lapse and inconvenience."
¹ "Sniffed" in transit on certain versions of the app

* https://itunes.apple.com/us/app/tumblr/id305343404?mt=8
___

- https://secunia.com/advisories/54205/
Release Date: 2013-07-18
Where: From remote
Impact: Exposure of sensitive information
... security issue is reported in versions prior to 3.4.1.
Solution: Update to version 3.4.1.
Original Advisory:
http://staff.tumblr.com/post/55648373578/important-security-update-for-iphone-ipad-users
https://itunes.apple.com/us/app/tumblr/id305343404?mt=8

:fear::fear:
 
Network Solutions Outage...

FYI...

Network Solutions Outage...
- https://isc.sans.edu/diary.html?storyid=16180
Last Updated: 2013-07-17 15:28:23 UTC - "Network Solutions appears to be experiencing an extended outage. Based on a note posted to Facebook, the note indicates that the outage may be related to a larger compromise of customer sites.
"Network Solutions is experiencing a Distributed Denial of Service (DDOS) attack that is impacting our customers as well as the Network Solutions site. Our technology team is working to mitigate the situation... check back for updates." *
The referenced blog website is currently responding slowly as well (it redirects to a networksolutions.com site, which may be affected by the overall outage of "networksolutions.com" ). After a couple minutes, the blog post loaded for me...
"On July 15, some Network Solutions customer sites were compromised. We are investigating the cause of this situation, but our immediate priority is restoring the sites as quickly as possible. If your site has been impacted and you have questions, please call us at 1-866-391-4357."
Various web sites hosting DNS with Network Solutions appear to be down as well as a result. The outage appears to be diminishing over the last 15-30 min or so (4pm GMT) with some affected sites returning back to normal. This outage comes about 3-4 weeks after the bad DDoS mitigation incident that redirected a large number of Network Solution Hosted sites to an IP in Korea**..."

- http://blogs.cisco.com/security/network-solutions-customer-site-compromises-and-ddos/
July 17, 2013 10:03 am PST

* https://www.networksolutions.com/bl...es/?channelid=P99C425S627N0B142A1D38E0000V100
July 16, 2013

** http://blogs.cisco.com/security/hijacking-of-dns-records-from-network-solutions/
June 20, 2013

:fear::fear:
 
Ubuntu Forums - Security Breach

FYI...

Ubuntu Forums - Security Breach
- https://isc.sans.edu/diary.html?storyid=16201
Last Updated: 2013-07-21 15:28:48 UTC - "Ubuntu forums are currently down because they have been breached. According to their post, "the attackers have gotten -every- user's local username, password, and email address from the Ubuntu Forums database."* They have advised their users that if they are using the same password with other services, to change their password immediately. Other services such as Ubuntu One, Launchpad and other Ubuntu/Canonical services are not affected. Their current announcement can be read here*."
* http://ubuntuforums.org/announce.html

:fear::fear: :sad:
 
Apple Developer site Breach

FYI...

Apple Developer site Breach
- https://isc.sans.edu/diary.html?storyid=16210
Last Updated: 2013-07-22 10:24:34 UTC - "Apple closed access to its developer site after learning that it had been compromised and developers' personal information had been breached [1]. In the notice posted to the site, Apple explained that some developers' personal information like name, e-mail address and mailing address may have been accessed. The note does not mention passwords, or if password hashes were accessed. One threat often forgotten in these breaches is phishing. If an attacker has access to some personal information associated with a site, it is fairly easy to craft a reasonably convincing phishing e-mail using the fact that the site was breached to trick users to reset their password. These e-mails may be more convincing if they include the user's user name, real name or mailing address as stored with the site. A video on YouTube claims to show records obtained in the compromise [2]. The video states that 100,000 accounts were accessed to make Apple aware of the vulnerability in its site and that the data will be deleted."

[1] http://devimages.apple.com/maintenance/
[2] http://www.youtube.com/watch?v=q000_EOWy80

- https://www.sans.org/newsletters/newsbites/newsbites.php?vol=15&issue=59#sID300
July 25, 2013
___

- https://developer.apple.com/support/system-status/
Jul 29 2013 - Updated 5:13 AM PDT

:sad: :fear:
 
OVH hacked ...

FYI...

OVH hacked ...
- http://blog.dynamoo.com/2013/07/ovh-hacked.html
22 July 2013 - "A bad thing to happen, but kudos to OVH for being transparent about this issue* ...":
* http://status.ovh.net/?do=details&id=5070
"... A few days ago, we discovered that the security of our internal network at our offices in Roubaix had been compromised. After internal investigations, it appeared that a hacker was able to obtain access to an email account of one of our system administrators. With this email access, they were able to gain access to the internal VPN of another employee. Then with this VPN access, they were able to compromise the access of one of the system administrators who handles the internal backoffice...
Immediately following this hack, we changed the internal security rules:
- Passwords of all employees were regenerated for all types of access.
- We set up a new VPN in a secure PCI-DSS room with highly restricted access
- Consulting internal emails is now only possible from the office / VPN
- All those who have critical access now have 3 verification levels:
- Ip source
- Password
- Staff's USB security token (YubiKey)...
The European customer database includes personal customer information such as: surname, first name, nic, address, city, country, telephone, fax and encrypted password.
The encryption password is "Salted" and based on SHA-512, to avoid brute-force attacks. It takes a lot of technical means to find the word password clearly. But it is possible. This is why we advise you to change the password for your user name. An email will be sent today to all our customers explaining these security measures and inviting them to change their password.
No credit card information is stored at OVH. Credit card information was not viewed or copied...
Overall, in the coming months the back office will be under PCI-DSS which will allow us to ensure that the incident related to a specific hack on specific individuals will have no impact on our databases...
We also filed a criminal complaint about this to the judicial authorities. In order not to disrupt the work of investigators, we will not give other details before the final conclusions..."


- https://en.wikipedia.org/wiki/OVH
"OVH is a privately owned web hosting service company in France that provides dedicated servers, mutual hosting, domain names and VOIP telephony services..."

:sad: :fear:
 
SERT Q2-2013 Threat Report

FYI...

SERT Q2-2013 Threat Report
- http://www.darkreading.com/vulnerab...sites-we/240158750?printer_friendly=this-page
Jul 23, 2013 - "... In addition to OpUSA and PRISM investigations, the SERT Q2 Threat Report summarizes the significant increase in malicious Domain Name System (DNS) requests and denial of service (DoS) activity...
Key Findings:
· 73% of sites -compromised- during OpUSA were hosted on Microsoft IIS web servers
· 17% of the compromised OpUSA targets hosted on Microsoft IIS platforms are running IIS versions 5.0 and 5.1, which are over 10 years old and no longer supported by Microsoft
· 68% of sites compromised by OpUSA attacks were hosted -outside- of the United States
· Increased -malicious- DNS-request traffic was observed originating from global sources
· NSA PRISM has heightened concerns about privacy and data access by the United States Government ..."
* http://www.solutionary.com/research...orts/sert-threat-intelligence-report-q2-2013/

:fear::fear::fear:
 
Malware using GoogleCode for distribution

FYI...

Malware using GoogleCode for distribution
- http://research.zscaler.com/2013/07/malware-using-googlecode-for.html
July 31, 2013 - "Malware hosting sites rarely stay up for too long. After the first few instances are seen by security vendors, they are added to blacklists which, in turn, are fed into other blacklists throughout the industry. Malware writers are now turning to commercial file hosting sites to peddle their warez. If these legitimate file hosts are not scanning the content they are hosting, it may force network administrators to block the service altogether. The kicker is that this time we see that GoogleCode seems to have swallowed the bad pill.
> https://lh3.ggpht.com/-vDbU-4G4ph8/UfcFaL-iECI/AAAAAAAAAI4/4IhzD98KVoU/s1600/googlecode.png
... We also have reports of this file being downloaded via Dropbox, but it appears to have been taken down at the time of research
> https://lh3.ggpht.com/-F5u9cMXMclM/UfgKFOOYYDI/AAAAAAAAAJI/Yf7JjGXMjDY/s1600/BA.png
This incident sets a precedent that no file hosting service is beyond reproach. Blind trust of specific domains should not be tolerated from an organizational or personal perspective. So set those security privileges to kill and keep one eye open for shady files coming from even a seemingly trusted location. Other files from this location that were also flagged as malicious as noted below..."
(More detail at the zscaler URL above.)

- http://www.theinquirer.net/inquirer...ogle-code-developer-website-to-spread-malware
Aug 01 2013 - "... Fireeye said the use of developer websites by hackers to spread malware isn't anything new and it expects to see similar attacks in the very near future..."

:fear: :mad:
 
BANKER Malware hosted on Google Code

FYI...

BANKER Malware hosted on Google Code
- http://blog.trendmicro.com/trendlab...e/banker-malware-found-hosted-on-google-code/
Aug. 8, 2013 - "... we were able to capture a malware written in Java that downloads BANKER malware from a recently created project called “flashplayerwindows”. Of course, this -bogus- project has nothing to do with Adobe. The said file (detected as JAVA_DLOAD.AFJ) is a compiled file that downloads and executes the “AdobeFlashPlayer.exe”, which we have verified to be malicious (detected as TROJ_BANLOAD.JFK). Once executed, this Trojan connects to Google Code to download other files. The people behind this threat may have uploaded these files to the said Google Code page, which notably include BANKER variants. These malware are notorious for stealing banking and email account information. Typically, they perform their data stealing routine by using phishing sites spoofing banking sites to lure users into disclosing information. Once they gather these data, they can use these to initiate unauthorized transactions such as money transfers. Previously, BANKER malware were seen hosted on compromised Brazilian government sites, which affected users from Brazil, the United States, and Angola. Another fraud project containing malware was also discovered, which goes to show that similar threats might still be out there. Besides the danger of the BANKER malware, this use of a well-known site like Google Code provides a good cover-up for cybercriminals. The malware being hosted in an official Google website means that downloading the malware will be encrypted with valid SSL certificates, which can bypass traditional security technologies. Because Google is a legitimate and reputable domain, traditional reputation services may not prevent the downloading. If this threat seems familiar, it’s because this abuse of open-source project sites has been done before... legitimate cloud providers like Google Code are likely to come under attack this year.
With services like Google Code likely to increase traction among users, we can expect that similar cases will appear (and increase) in the coming days... As of this writing, the said files are no longer available on Google Code."

:mad:
 
Adobe network compromised...

FYI...

Adobe network compromised...
- http://blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html
Oct 3, 2013 - "... Very recently, Adobe’s security team discovered sophisticated attacks on our network, involving the illegal access of customer information as well as source code for numerous Adobe products. We believe these attacks may be related. Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems. We deeply regret that this incident occurred. We’re working diligently internally, as well as with external partners and law enforcement, to address the incident..."
(More detail at the Adobe URL above.)

- https://www.us-cert.gov/ncas/curren...tomer-Information-and-Source-Code-Compromises
Oct 3, 2013

- http://www.databreaches.net/adobe-warns-2-9-million-customers-of-data-breach-after-cyber-attack/
3 Oct 2013

- http://www.theguardian.com/technology/2013/oct/03/adobe-hacking-data-breach-cyber-attack
3 Oct 2013 - "... It has reset passwords on customers' accounts and recommended that customers change their passwords on any other website where they used the same code..."
___

- http://blogs.adobe.com/asset/2013/10/illegal-access-to-adobe-source-code.html
Oct 2, 2013

- https://www.trusteer.com/blog/massive-adobe-breach-puts-organizations-at-risk-of-zero-day-exploits
Oct 04, 2013 - "... The Adobe network breach puts organizations and users at significant risk. If the source code for Adobe Reader or other popular Adobe applications was stolen, it means that cyber-criminals now have the opportunity to search this code for new unknown vulnerabilities, and develop malicious code that exploits these vulnerabilities. You can expect that we will soon have a stream of new, nasty zero-day exploits..."

:fear::fear:
 
DNS hijack - leaseweb .com ...

FYI...

DNS hijack - leaseweb .com website
- http://blog.leaseweb.com/2013/10/06/statement-on-dns-hijack-of-leaseweb-com-website/
Oct 6, 2013 - "As one of the largest hosting providers in the world, with almost four percent of the entire global IP traffic under our management, LeaseWeb continuously combats cybercrime in its many forms, dealing swiftly and professionally with any detected malicious activity within its network. Last weekend the leaseweb .com website was unfortunately a direct target of cybercriminals itself. For a short period of time some visitors of leaseweb .com were redirected to another, non-LeaseWeb IP address, after the leaseweb .com DNS was -changed- at the registrar. This DNS hijack was quickly detected and rectified by LeaseWeb’s security department. Although it seems to have had only superficial effects, we seriously regret this event from happening. Our security investigation so far shows that no domains other than leaseweb.com were accessed and changed. No internal systems were compromised. One of the security measures we have in place is to store customer data separately from any publicly accessible servers; we have no indication that customer data was compromised as a result of this DNS hijack... The unauthorized name server change for leaseweb.com took place at our registrar on Saturday 5 October, around 19:00 hours CET / 1 PM EST. While the hijack was soon detected and mitigated, it took some time before our adjustments in the DNS cache were propagated across the internet. During this period the following systems and services were affected:
- Some visitors of http ://www.leaseweb .com were redirected to a non-LeaseWeb IP address
- E-mails sent to @ leaseweb .com addresses during the DNS hijack were not received by LeaseWeb
- Domain name registration and server reinstallation via our Self Service Center was disabled
... We sincerely apologize for any inconvenience this unfortunate event might have caused. Security will always be a battle between good and evil, with one trying to outsmart the other in whatever way possible. We will learn from this incident, intensively review our security systems and protocols, and adjust where necessary..."

- http://www.theinquirer.net/inquirer...ays-no-customer-data-was-harmed-in-dns-hijack
Oct 07 2013 - "... it appears that the hijackers obtained the domain administrator password and used that information to access the registrar. We will continue to investigate this incident thoroughly and take decisive action accordingly."

:fear::fear: :sad:
 
Avira homepage defaced

FYI...

Avira homepage defaced
- https://isc.sans.edu/diary.html?storyid=16754
Last Updated: 2013-10-08 12:58:56 UTC - "The home page of anti virus company Avira has been defaced, likely by altering the DNS zone for Avira .com... Once an attacker has control of the NS records, they may also change MX records and redirect e-mail, or in the case of an Antivirus company like Avira change the addresses used to download signature updates. According to domaintools.com, the last address for avira.com was 62.146.210.2 and that address still appears to host Avira's site... The domain is hosted with Network Solutions. At this point, this looks like an isolated incident and not a more wide spread issue with Network Solutions. I hope this will not be considered an "advanced sophisticated highly skilled attack", as the attackers have issues spelling "Palestine" consistently. The content of the defaced site is political and no malware has been spotted on the site so far.
Partial screenshot of the site:
> https://isc.sans.edu/diaryimages/images/wrisXzjbSsg-O4Red7i0D5ORt4NkqdOrIanEsq7RXMY.png
... a screenshot with a similar defacement of Antivirus vendor AVG (avg.com), but the site appears to be back to normal now... Instant messaging software maker Whatsapp was apparently a third victim of this attack."

- http://techblog.avira.com/2013/10/0...ecting-major-websites-including-avira-com/en/
Oct 8 2013 - "... It appears that our account used to manage the DNS records registered at Network Solutions has received a fake password-reset request which was honored by the provider. Using the new credentials the cybercriminals have been able to change the entries to point to their DNS servers. Our internal network has not been compromised in any way. As a measure of security we have shut down all exterior services until we have all DNS entries in our possession again... We are working with the ISP to receive control on the domain name and only when we have solved the problem we will restore the access to the Avira services..."
Update: October 8th 23:15 CET+2 - "The DNS settings have been restored. We will continue to restore all our services in the next hours."
___

AVG, Avira and WhatsApp - DNS hijack
- http://www.theregister.co.uk/2013/10/08/dns_hijack_attack_spree/
8 Oct 2013

- http://atlas.arbor.net/briefs/index#1211343777
Hijacking of AV firms websites may be linked to hack on Network Solutions ...
Elevated Severity
October 11, 2013 00:53
Several high profile sites, including two anti-virus vendors, were hijacked at the DNS level recently. DNS resource records are a significant target for attackers and should be carefully protected.
Analysis: While a full sense of the damage is not known by this author, the apparent defacement of a public website - and the tainting of traffic destinations - through DNS re-direction is an old trick that is still bearing fruit. In this case, it appears that credentials have been obtained via a bogus password reset phishing e-mail sent to the authoritative registrar. If this is the actual attack vector, then security awareness training needs to increase at the affected organization. Organizations that protect DNS resource records need to understand that they are a target, and that anyone can become a target. Not only will HTTP traffic redirect to the wrong location, but attackers can and have used this technique to install malware from sites that would normally be trusted and appear to be legitimate to the end user. Additionally, if other RRs such as MX records were modified, then attackers could obtain a significant amount of e-mail. The triggering of password reset functionality associated with any of those domains would then return the password reset process into the hands of the attackers. This is just one possible example of the risks inherent in such an attack. DNS providers need to ensure that security is improved and that such attacks become much more difficult to implement and that they are caught proactively.
Source: http://arstechnica.com/security/201...websites-linked-to-hack-on-network-solutions/

:mad: :sad:
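The Arbor brief above makes the defender's point: NS, A and MX records are the high-value targets in a registrar-level hijack. The following is an added example (not code from Avira, Arbor or Network Solutions) of the kind of baseline check that would catch such a change; the live lookup is replaced by constructed records so it runs offline, and in production the `observed` answer would be fetched from each authoritative server, preferably from several vantage points.

```python
"""Detecting a DNS hijack by diffing live records against a known baseline.

Added example, not Avira's, Arbor's or Network Solutions' code. The lookup
itself is stubbed with constructed records so it runs offline; in
production, `observed` would come from queries against the authoritative
servers (for example with dnspython), ideally from more than one vantage
point, because a hijack at the registrar changes the NS delegation itself.
"""

# Baseline recorded when the zone was known-good (constructed values).
BASELINE = {
    "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    "A": {"192.0.2.10"},
    "MX": {"10 mail.example.com."},
}

# Constructed "live" answer after a registrar-level NS change, as in the posts.
OBSERVED_HIJACKED = {
    "NS": {"ns1.attacker-dns.example.", "ns2.attacker-dns.example."},
    "A": {"203.0.113.66"},
    "MX": {"10 mail.attacker-dns.example."},
}

# Record types whose change lets an attacker redirect traffic, intercept
# mail or capture password-reset e-mail; the Arbor brief calls these out.
HIGH_IMPACT = ("NS", "MX", "A")


def normalise(values):
    """Lower-case and strip trailing dots so cosmetic differences don't alert."""
    return {v.lower().rstrip(".") for v in values}


def diff_records(baseline, observed):
    """Return {rtype: (missing, unexpected)} for every record type that drifted."""
    drift = {}
    for rtype in set(baseline) | set(observed):
        want = normalise(baseline.get(rtype, ()))
        got = normalise(observed.get(rtype, ()))
        if want != got:
            drift[rtype] = (want - got, got - want)
    return drift


def severity(drift):
    """'critical' if a high-impact type drifted, 'warning' for any other drift, else 'ok'."""
    if any(rtype in drift for rtype in HIGH_IMPACT):
        return "critical"
    return "warning" if drift else "ok"


if __name__ == "__main__":
    drift = diff_records(BASELINE, OBSERVED_HIJACKED)
    print("severity:", severity(drift))
    for rtype, (missing, unexpected) in sorted(drift.items()):
        print(f"{rtype}: missing={sorted(missing)} unexpected={sorted(unexpected)}")
```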
 
Compromised Turkish Gov't Web site leads to malware

FYI...

Compromised Turkish Gov't Web site leads to malware
- http://www.webroot.com/blog/2013/10/10/compromised-turkish-government-web-site-leads-malware/
Oct 10th, 2013 - "... Web server belonging to the Turkish government, where the cybercriminals behind the campaign have uploaded a malware-serving fake ‘DivX plug-in Required!’ Facebook-themed Web page. Once socially engineered users execute the malware variant, their PCs automatically join the botnet operated by the cybercriminals behind the campaign.
Sample screenshot of the fake DivX, Facebook-themed page uploaded on the compromised Web server:
> https://www.webroot.com/blog/wp-con..._Site_Compromised_Hacked_Malware-1024x682.png
Compromised URL: hxxp ://www.manisahem .gov .tr/giorgia.html
The malware’s download URL: hxxp ://hyfcst.best.volyn .ua:80/dlimage11.php – 103.246.115.238
Detection rate for the malicious variant: MD5: adc9cafbd4e2aa91e4aa75e10a948213 * Heuristic.LooksLike.Win32.Suspicious.J!89
... malicious sub-domains are also known to have responded to the same IP (103.246.115.238)
... malicious subdomains are also known to have responded to... IP (103.9.150.244)..."
* https://www.virustotal.com/en/file/...31940bddf23f8a6a2bc9e43ba5f831fe7f5/analysis/
File name: vti-rescan

- https://www.virustotal.com/en-gb/ip-address/103.246.115.238/information/

- https://www.virustotal.com/en-gb/ip-address/103.9.150.244/information/

:mad: :fear: :sad:
 
Adobe user data found on Web after breach

FYI...

Trove of Adobe user data found on Web after breach
- http://www.reuters.com/article/2013/11/07/us-adobe-cyberattack-idUSBRE9A61D220131107
Nov 7, 2013 - "A computer security firm has uncovered data it says belongs to some 152 million Adobe Systems Inc user accounts, suggesting that a breach reported a month ago is far bigger than Adobe has so far disclosed and is one of the largest on record. LastPass, a password security firm, said on Thursday that it has found email addresses, encrypted passwords and password hints stored in clear text from Adobe user accounts on an underground website frequented by cyber criminals. Adobe said last week that attackers had stolen data on more than 38 million customer accounts, on top of the theft of information on nearly 3 million accounts that it disclosed nearly a month earlier... Because the passwords were not salted, Siegrist said he was able to identify the most frequently used password in the group, which was used 1.9 million times. The database has 108 million email addresses with passwords -shared- in multiple accounts... The number of records stolen appears to be the largest taken in any publicly disclosed cyber attack to date... the attack was a strong reminder that consumers and businesses need to be vigilant about making sure they do -not- reuse passwords..."
___

- http://atlas.arbor.net/briefs/index#1886717424
7 Nov 2013 21:27:07 +0000
When it comes to protecting sensitive information, implementation is key. An improper implementation can lead to weaknesses that can result in data compromise.
Source: http://nakedsecurity.sophos.com/201...ter-adobes-giant-sized-cryptographic-blunder/

- http://atlas.arbor.net/briefs/index#124925286
Elevated Severity
7 Nov 2013 21:27:07 +0000
After becoming available, credential leaks from the Adobe breach are being analyzed. Predictably, many users' password choices are poor. Analysis and password-cracking efforts are well underway.
Source: http://www.welivesecurity.com/2013/...ords-are-still-popular-2-million-used-123456/

:fear::fear::sad:
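The Reuters piece above notes that because the Adobe passwords were not salted, identical passwords could simply be counted, and the clear-text hints then give those clusters away. This added example (not Adobe's or LastPass's code; all accounts are constructed) shows that effect on a toy dump and contrasts it with per-user salting:

```python
"""Why unsalted password storage leaks structure: a worked illustration.

Added example, not from the original posts or from Adobe/LastPass. It
simulates a breached credential dump for a handful of constructed users.
With no salt, users who chose the same password get the same stored value,
so anyone holding the dump can count duplicates and pair the clear-text
hint of one user with the password of everyone in that cluster.
"""
import hashlib
import os
from collections import defaultdict

# Constructed sample accounts: (email, password, clear-text hint).
SAMPLE_USERS = [
    ("a@example.com", "123456", "numbers"),
    ("b@example.com", "123456", "one to six"),
    ("c@example.com", "123456", ""),
    ("d@example.com", "password", "the obvious one"),
    ("e@example.com", "correct-horse", "xkcd"),
]


def store_unsalted(users):
    """Return {email: (stored_value, hint)} using plain SHA-256 and no salt."""
    return {email: (hashlib.sha256(pw.encode()).hexdigest(), hint)
            for email, pw, hint in users}


def store_salted(users, salt_bytes=16):
    """Return {email: (salt_hex, stored_value, hint)} with a random per-user salt.

    Salting alone only breaks the clustering shown here; a real deployment
    would also use a slow KDF (scrypt, bcrypt, PBKDF2) to slow down guessing.
    """
    out = {}
    for email, pw, hint in users:
        salt = os.urandom(salt_bytes)
        out[email] = (salt.hex(), hashlib.sha256(salt + pw.encode()).hexdigest(), hint)
    return out


def group_by_stored_value(store):
    """Group accounts whose stored value is byte-identical.

    Works on either store shape above: the digest is always the
    second-to-last element of the record and the hint the last.
    """
    groups = defaultdict(list)
    for email, rec in store.items():
        groups[rec[-2]].append((email, rec[-1]))
    return groups


def largest_cluster(store):
    """Return (size, [non-empty hints]) for the biggest cluster of identical values."""
    best = max(group_by_stored_value(store).values(), key=len)
    return len(best), [hint for _, hint in best if hint]


if __name__ == "__main__":
    size, hints = largest_cluster(store_unsalted(SAMPLE_USERS))
    print(f"unsalted: largest cluster = {size} accounts, leaked hints = {hints}")
    size, _ = largest_cluster(store_salted(SAMPLE_USERS))
    print(f"salted:   largest cluster = {size} account(s)")
```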
 
GitHub - Weak passwords brute forced ...

FYI...

GitHub - Weak passwords brute forced
- https://github.com/blog/1698-weak-passwords-brute-forced
Nov 19, 2013 - "Some GitHub user accounts with weak passwords were recently compromised due to a brute force password-guessing attack... We sent an email to users with compromised accounts letting them know what to do. Their passwords have been reset and personal access tokens, OAuth authorizations, and SSH keys have all been revoked. Affected users will need to create a new, strong password and review their account for any suspicious activity. This investigation is ongoing and we will notify you if at any point we discover unauthorized activity relating to source code or sensitive account information. Out of an abundance of caution, some user accounts may have been reset even if a strong password was being used. Activity on these accounts showed logins from IP addresses involved in this incident..."

- http://www.theregister.co.uk/2013/11/21/github_password_probing_reveal/
Nov 21, 2013 - "... GitHub's recent bout of probing may stem from crackers using the 38 million user details that were sucked out of Adobe recently to check for duplicate logins on other sites. Never use the same password and username combination on other sites..."
___

- https://isc.sans.edu/diary.html?storyid=17087
Last Updated: 2013-11-22 15:45:51 UTC - "... Yesterday I got an email from Evernote telling me that I had used the same password at Evernote that I had used at Adobe. The Evernote account probably got my throwaway password before I realized the value of the Evernote service. I now use Evernote nearly every day from my mobile devices; where I don't get prompted for the credentials; but never log into it over the web, so I didn't remember what the password was set to.
> https://isc.sans.edu/diaryimages/images/ev.jpg
... I quickly changed my Evernote password and enabled Evernote's two-step authentication... this was not your typical brute force employing obvious userids and incredibly inane passwords, but a targeted attack against password reuse... Guess I will be looking at all my passwords again, including the ones used by my mobile devices!"

:fear::fear: :sad:
2M Facebook, Gmail and Twitter passwords stolen in massive hack

FYI...

2 million Facebook, Gmail and Twitter passwords stolen in massive hack
- http://money.cnn.com/2013/12/04/technology/security/passwords-stolen/index.html
Dec 4, 2013 - "Hackers have stolen usernames and passwords for nearly two million accounts at Facebook, Google, Twitter, Yahoo and others, according to a report released this week. The massive data breach was a result of keylogging software maliciously installed on an untold number of computers around the world, researchers at cybersecurity firm Trustwave said. The virus was capturing log-in credentials for key websites over the past month and sending those usernames and passwords to a server controlled by the hackers. On Nov. 24, Trustwave researchers tracked that server, located in the Netherlands... Trustwave* notified these companies of the breach. They posted their findings publicly on Tuesday..."
* http://blog.spiderlabs.com/2013/12/look-what-i-found-moar-pony.html
3 Dec 2013 - "... Looking at the domains from which passwords were stolen:
> http://a7.typepad.com/6a0168e94917b4970c019b01aaed57970c-pi
As one might expect, most of the compromised web log-ins belong to popular websites and services such as Facebook, Google, Yahoo, Twitter, LinkedIn, etc...
Geo-Location Statistics:
> http://a3.typepad.com/6a0168e94917b4970c019b01f0eb9b970c-pi
... We looked at the length and complexity of the passwords to get a better idea about the rest of the passwords, and here's what we found:
> http://a0.typepad.com/6a0168e94917b4970c019b01aaee40970c-pi
... Since both the length and type of characters in a password make up its ultimate complexity, we grouped those two characteristics to get an overall impression of how strong the passwords are:
> http://a1.typepad.com/6a0168e94917b4970c019b01aaedd1970c-pi
... Unfortunately, there were more terrible passwords than excellent ones, more bad passwords than good, and the majority, as usual, is somewhere in between in the Medium category..."
(More detail at the spiderlabs URL above.)
___

JPMorgan warns 465,000 card users on data loss after cyber attack
- http://www.reuters.com/article/2013/12/05/us-jpmorgan-dataexposed-idUSBRE9B405R20131205
Dec 5, 2013 - "JPMorgan Chase & Co is warning some 465,000 holders of prepaid cash cards issued by the bank that their personal information may have been accessed by hackers who attacked its network in July. The cards were issued for corporations to pay employees and for government agencies to issue tax refunds, unemployment compensation and other benefits. JPMorgan said on Wednesday it detected that its web servers used by its site www .ucard .chase .com had been breached in the middle of September. It then fixed the issue and reported it to law enforcement. Bank spokesman Michael Fusco said that in the months since the breach was discovered the bank has been investigating to find out exactly which accounts were involved and what pieces of information could have been taken. He declined to discuss how the attackers breached the bank's network. Fusco said the bank is notifying the cardholders, who account for about 2 percent of its roughly 25 million UCard users, about the breach because it cannot rule out the possibility that their personal information was among the data removed from its servers..."

:mad: :fear::fear:
Cards Stolen in Target Breach Flood Underground Markets ...

FYI...

Cards Stolen in Target Breach Flood Underground Markets
- http://krebsonsecurity.com/2013/12/cards-stolen-in-target-breach-flood-underground-markets/
Dec 20, 2013 - "Credit and debit card accounts stolen in a recent data breach at retail giant Target have been flooding underground black markets in recent weeks, selling in batches of one million cards and going for anywhere from $20 to more than $100 per card... At least two sources at major banks said they’d heard from the credit card companies: More than a million of their cards were thought to have been compromised in the Target breach... On Dec. 19, Target would confirm that crooks had stolen 40 million debit and credit cards from stores nationwide in a breach that extended from Nov. 27 to Dec. 15..."
(More detail at the krebsonsecurity URL above.)

:fear::fear: :mad: