YVRGeek shares a report from IT World Canada: A security vendor has discovered a huge list of easily searchable stolen credentials in cleartext on the dark web, which it fears could lead to a new wave of cyber attacks. Julio Casal, co-founder of identity threat intelligence provider 4iQ, which has offices in California and Spain, said in a Dec. 8 blog his firm found the database of 1.4 billion username and password pairs while scanning the dark web for stolen, leaked or lost data. He said the company has verified at least a group of credentials are legitimate. What is alarming is the file is what he calls “an aggregated, interactive database that allows for fast (one second response) searches and new breach imports.” For example, searching for “admin, ” “administrator” and “root” returned 226, 631 passwords of admin users in a few seconds. As a result, the database can help attackers automate account hijacking or account takeover. The dump file was 41GB in size and was found on December 5th in an underground community forum. The total amount of credentials is 1, 400, 553, 869. Read more of this story at Slashdot.
Original post:
Searchable Database of 1.4 Billion Stolen Credentials Found On Dark Web
An anonymous reader writes: Samsung cellphones used to have a stock app called S Suggest. The company apparently discontinued the app recently, and then forgot to renew a domain that was used to control it. This snafu left millions of smartphone users vulnerable to hackers who could’ve registered the domain and installed malicious apps on the phones. Read more of this story at Slashdot. 
After a North Korean system administrator misconfigured its nameserver allowing anyone to query it and get the list of the domains that exist for .kp, it was revealed that the secretive country only has 28 websites. That’s 28 websites for a country with nearly 25 million people. Naturally, the story was published all across the web, including on Reddit, which resulted in a high number of users visiting North Korea’s websites. Mirror.co.uk reports: When a list of North Korea’s available websites was posted on Reddit, the surge of visitors to the reclusive state’s online offering overloaded the servers. North Korea runs a completely locked-down version of the internet that consists of only 28 “websites” that the population is allowed to view. However, a technical slip-up allowed a GitHub user to work their way into the country’s computer network and view the websites from the outside. As the GitHub user puts it: “One of North Korea’s top level name servers was accidentally configured to allow global [Domain Name System] transfers. This allows anyone who performs [a zone transfer request] to the country’s ns2.kptc.kp name server to get a copy of the nation’s top level DNS data.” Pretty soon, links to all the websites were posted on Reddit, where thousands of visitors took the opportunity to see what the web looks like from Pyongyang. Reddit’s surge of traffic isn’t the first time North Korea’s internet has been knocked out. In 2014, the country suffered a distributed denial of service (DDoS) attack that was believed to have originated from the U.S. Redditor BaconBakin points out that while North Korea has 28 websites, GTA V has 83 websites. They added, “I think it’s safe to say that San Andreas is more technologically advanced than North Korea.” Read more of this story at Slashdot. 
An anonymous reader writes: The X.Org domain predates the X.Org Foundation. It was used in the ’90s as a destination by The Open Group around the X Window System. While many are expecting Mir and Wayland to eventually succeed the X.Org Server, it seems the X.Org/X11 Server may outlive the valuable domain. Thanks to poor management by the X.Org Foundation, they risk losing access to their one-letter domain. Procrastination, paired with not transferring the domain when forming the non-profit foundation, has led to a last-minute mess. They left the domain registered for years to a person who is no longer involved with X.Org — and doesn’t want to relinquish it. In the few days until the domain expires, they are hoping for a “Hail Mary.” Let this be a lesson for open-source projects to better manage their assets. Read more of this story at Slashdot. 
jfruh writes While several U.S. judges have refused overly broad warrants that sought to grant police access to a suspects complete Gmail account, a federal judge in New York State OK’d such an order this week. Judge Gabriel W. Gorenstein argued that a search of this type was no more invasive than the long-established practice of granting a warrant to copy and search the entire contents of a hard drive, and that alternatives, like asking Google employees to locate messages based on narrowly tailored criteria, risked excluding information that trained investigators could locate. Read more of this story at Slashdot. 
