Yahoo’s 2013 hack impacted all 3 billion accounts

Last year Yahoo (now part of Oath along with AOL after its acquisition by Verizon) announced that back in 2013, hackers had stolen info covering over one billion of its accounts. Today, the combined company announced that further investigation reveals the 2013 hack affected all of its accounts that existed at the time — about three billion. The information taken “may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.” For users being notified of the hack now, the notification is that their information is included. At the time the breach was first announced, Yahoo required everyone who had not reset their passwords since the breach to do so. According to the FAQ posted, it doesn’t appear there’s any new action being taken. The announcement isn’t very specific about why or how it determined the breach was so much larger — or how it was missed in the original forensic analysis, or how this happened in the first place — likely due to pending lawsuits over the issue. Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft. While this is not a new security issue, Yahoo is sending email notifications to the additional affected user accounts. The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information. The company is continuing to work closely with law enforcement. Source: Oath, Yahoo FAQ

IRS hands fraud prevention contract to Equifax despite massive hack

You’d think that government agencies would be reticent to work with Equifax given that it just exposed the private info of more than 145 million people through a preventable hack, but a massive data breach apparently isn’t enough of a deterrent. The Internal Revenue Service recently awarded Equifax a fraud prevention contract that will have it verifying taxpayer identities. And crucially, it was a no-bid, “sole source” contract — Equifax was deemed the only company capable of fulfilling demand. In practice, officials didn’t have much of a choice. Credit reporting in the US is dominated by three large companies (Equifax, Experian and TransUnion), and Equifax is arguably the powerhouse of the bunch. However, that only underscores the problem here: the IRS had to trust a crucial anti-fraud system to a company that not only had sloppy online security practices, but has been reluctant to take full responsibility for its mistakes. There’s a real chance that the hack will get Equifax to clean up its act in time to improve its handling of IRS data. We wouldn’t count on it, though, and there’s always the possibility that the IRS will fall afoul of the kind of data breach that prompted this anti-fraud contract in the first place. Via: Politico Source: FedBizOpps.gov

Leaked memo says hackers may have compromised UK power plants

State-sponsored hackers have “probably compromised” the UK’s energy industry. A leaked memo from the National Cybersecurity Centre (NCSC) identifies links “from multiple UK IP addresses to infrastructure associated with advanced state-sponsored hostile threat actors.” These threats are “known to target the energy and manufacturing sectors,” the document says. The memo, obtained by Motherboard and verified by a number of sources, goes on to say that as a result of these connections, “a number of industrial control system engineering and services organisations are likely to have been compromised.” The NCSC has neither confirmed nor denied the authenticity of the memo. However, in a statement given to the BBC it said: “We are aware of reports of malicious cyber-activity targeting the energy sector around the globe … We are liaising with our counterparts to better understand the threat and continue to manage any risks to the UK.” The leaked memo follows claims that Russian hackers have tried to infiltrate America’s nuclear power industry via phishing emails, as well as allegations that Ireland’s Electricity Supply Board has been targeted by groups with links to the Kremlin. These reports appear to be connected, suggesting there may be a large-scale effort brewing to identify vulnerabilities in the global energy industry. It appears that despite the hack no actual damage has been done, but we’ve seen the consequences of cyberattacks on critical infrastructure — this development will no doubt call into question the effectiveness of national security once again. Via: The Guardian Source: Motherboard

Researchers Find New Version Of WanaDecrypt0r Ransomware Without A Kill Switch

Remember that “kill switch” which shut down the WannaCry ransomware? An anonymous reader quotes Motherboard: Over Friday and Saturday, samples of the malware emerged without that debilitating feature, meaning that attackers may be able to resume spreading ransomware even though a security researcher cut off the original wave. “I can confirm we’ve had versions without the kill switch domain connect since yesterday,” Costin Raiu, director of global research and analysis team at Kaspersky Lab told Motherboard on Saturday… Another researcher confirmed they have seen samples of the malware without the killswitch.

How did Yahoo get breached? Employee got spear phished, FBI suggests

Dmitry Dokuchaev, Igor Sushchin, Alexsey Belan, and Karim Baratov—the four indicted by the US in the Yahoo hacking case.

SAN FRANCISCO—The indictment unsealed Wednesday by US authorities against two agents of the Russian Federal Security Service, or FSB, (Dmitry Dokuchaev and Igor Sushchin) and two hackers (Alexsey Belan and Karim Baratov) provides some details of how Yahoo was pillaged of user data and its own technology over a period of over two years. But at a follow-up briefing at the FBI office here today, officials gave fresh insight into how they think the hack began—with a “spear phishing” e-mail to a Yahoo employee early in 2014. Malcolm Palmore, the FBI special agent in charge of the bureau’s Silicon Valley office, told Ars in an interview that the initial breach that led to the exposure of half a million Yahoo accounts likely started with the targeting of a “semi-privileged” Yahoo employee and not top executives. He said social engineering or spear phishing “was the likely avenue of infiltration” used to gain the credentials of an “unsuspecting employee” at Yahoo. Palmore declined Ars’ request to elaborate during a brief interview inside the San Francisco FBI office, and he would not say whether the government or Yahoo discovered the breach. He also would not say how long the intrusion lasted before it was cut off.

Hack knocks out a fifth of the Dark Web

The Dark Web is having a rough time right now… although the victims in this case won’t earn too much sympathy. An Anonymous-linked hacker speaking to Motherboard brought down about a fifth of the Tor network’s ‘secret’ websites (over 10,000 of them) in a claimed vigilante move. The intruder decided to attack a Dark Web hosting service, Freedom Hosting II, after discovering that it was managing child porn sites it had to be aware of — they were using gigabytes of data each when the host officially allows no more than 256MB. Each site had its usual pages replaced with a message that not only chastised FH2, but offered a data dump (minus user info) and explained the nature of the hack. Reportedly, the attack wasn’t difficult. The hacker only needed to have control over a site (new or existing) to get started. After that, it was mostly a matter of modifying a configuration file, triggering a password reset and getting root access. From early indications, the perpetrator is handling the data relatively responsibly. It’s going to a security researcher who’ll hand it over to law enforcement, which might just use it to bust the porn peddlers. Investigators may be as frustrated as they are happy, though. When the FBI infiltrated Dark Web porn sites, it used location-tracking malware to help identify individual users. Well, it probably can’t do that now — investigators might pinpoint the site operators, but the clients will have scattered to the four winds. While this is still a blow to the internet’s criminal underbelly, it’s not as big a victory as it could have been.

Looks like Freedom Hosting II got pwned. They hosted close to 20% of all dark web sites (previous @OnionScan report) https://t.co/JOLXFJQXiH — Sarah Jamie Lewis (@SarahJamieLewis) February 3, 2017

Source: Motherboard, Sarah Jamie Lewis (Twitter)

Netflix project lets you mind-control its interface

Netflix’s developers are at it again, using the company’s annual Hack Day to come up with clever, if sometimes wild, ideas on how to improve the streaming service. This year’s crop of hacks mostly focuses on intriguing Stranger Things integrations, but the most interesting result is one named MindFlix, which lets you navigate and control Netflix with your mind. In a video demonstrating MindFlix, the team showed how you can, with a Muse EEG-detecting headband strapped on, move your head up and down or side to side to scroll vertically and horizontally through Netflix’s interface. Then, when you’ve landed on a title you like, just think of the word or action “Play.” This worked in the clip, with the test subject happily proclaiming that he never had to move again. Of course, whether it works as well in real life can’t be determined, but if it does, it could make Netflix binging far more enjoyable. Other Hack Day Winter 2017 projects run the gamut from noble to somewhat sinister. Netflix For Good lets viewers donate to related or well-known charity organizations after watching a socially conscious video, while Picture-in-Picture lets you monitor what other profiles in your account are watching at the same time. There don’t appear to be plans to make these implementations widely available. In fact, Netflix states in a blog post that “they may never become part of the Netflix product, internal infrastructure, or otherwise be used beyond Hack Day.” Still, though, we can always hope that Netflix puts out the instructions on how to make these real, as it did for the sleep-detecting socks that pause your videos for you. Via: Variety Source: Netflix

Hacker Steals 900 GB of Cellebrite Data

An anonymous reader shares a Motherboard report: Motherboard has obtained 900 GB of data related to Cellebrite, one of the most popular companies in the mobile phone hacking industry. The cache includes customer information, databases, and a vast amount of technical data regarding Cellebrite’s products. The breach is the latest chapter in a growing trend of hackers taking matters into their own hands, and stealing information from companies that specialize in surveillance or hacking technologies. Cellebrite is an Israeli company whose main product, a typically laptop-sized device called the Universal Forensic Extraction Device (UFED), can rip data from thousands of different models of mobile phones. That data can include SMS messages, emails, call logs, and much more, as long as the UFED user is in physical possession of the phone.

Dailymotion Hack Exposes Millions of Accounts

Millions of accounts associated with video sharing site Dailymotion, one of the biggest video platforms in the world, have been stolen. From a ZDNet report: A hacker extracted 85.2 million unique email addresses and usernames from the company’s systems, but about one-in-five accounts — roughly 18.3 million — had associated passwords, which were scrambled with the bcrypt hashing function, making the passwords difficult to crack. The hack is believed to have been carried out on October 20 by a hacker, whose identity isn’t known, according to LeakedSource, a breach notification service, which obtained the data. Dailymotion launched in 2005, and is currently the 113th most visited website in the world, according to Alexa rankings.
