Movie Rental Site Vudu Suffers Break-in; Customer Data Stolen

The Wal-Mart-owned movie rental and purchase site Vudu has become the latest victim of a data breach. But unlike some of the previous attacks, the Vudu data breach didn’t involve any remote hacking attempts.

Thieves broke into Vudu’s office and stole a number of items, including hard drives. Unfortunately for its users, those hard drives contained usernames, passwords and the last four digits of the credit cards of some customers.

Vudu has sent out emails to all affected users urging them to reset their passwords. It has also issued a press release, which is reproduced below.

On March 24, 2013, there was a break in at the VUDU office and a number of items were stolen, including hard drives. These hard drives contained customer data including names, email addresses, mailing addresses, account activity, dates of birth, and encrypted passwords, but NO full credit card numbers. We are proactively retiring and resetting all passwords and notifying all customers. As another level of protection for customers we are also providing AllClear ID identity protection services. We reported the theft to law enforcement immediately, and are cooperating fully with their investigation.

Luckily, Vudu doesn’t store the full credit card numbers of its users, so the damage was greatly reduced. If you are a Vudu customer, we strongly recommend changing your password as soon as possible. Also, if you have used the same password for some other service (which is a very bad idea), please change those passwords as well.

Evernote Breached; Enforces Password Reset

The popular note-taking service Evernote has announced that it recently suffered a data breach. Thankfully, according to a post on the Evernote blog, the hackers were not able to access the stored notes of individual users.

However, they did get access to usernames and encrypted passwords. Evernote stores passwords only after hashing and salting them, so even if the hackers did get the encrypted passwords, there is little chance that they will be able to recover the original ones.

Nonetheless, Evernote is asking its users to reset their password to ensure maximum safety.

After signing in, you will be prompted to enter your new password. Once you have reset your password on, you will need to enter this new password in other Evernote apps that you use. We are also releasing updates to several of our apps to make the password change process easier, so please check for updates over the next several hours.

The Evernote breach comes in the wake of a series of data breaches at high-profile tech companies such as Facebook, Twitter, Microsoft and Apple. Evernote hasn’t released any details on how the actual hacking occurred, but props have to be given to the company for acting quickly to let users know about the breach and to reset their passwords as soon as possible.

Zero Day Java Vulnerability Compromises Computers of Facebook Employees

Last month, a number of major companies such as the New York Times, Washington Post and most recently, Twitter had revealed that they were targeted by hackers leading to some form of data breach.

In a recent development, Facebook has now revealed that some of its employees’ computers were hacked using a Java exploit. In a blog post penned yesterday, Facebook’s security team says:

[…] In this particular instance, we flagged a suspicious domain in our corporate DNS logs and tracked it back to an employee laptop. Upon conducting a forensic examination of that laptop, we identified a malicious file, and then searched company-wide and flagged several other compromised employee laptops.

After analyzing the compromised website where the attack originated, we found it was using a “zero-day” (previously unseen) exploit to bypass the Java sandbox (built-in protections) to install the malware.

The computers were compromised when the victims visited a mobile developer website that had itself been compromised to host a zero-day exploit, which installed malware on the victims’ PCs. Facebook contacted Oracle regarding the exploit, and Oracle released a patch for it on February 1st.

Facebook says that other companies were targeted in a similar manner and they are working with the affected companies and law enforcement officials to track the source of the attack.

And most importantly for us, there is no evidence that any kind of user data was exposed. Well, that’s a relief!

Source: Facebook

Twitter Suffers Data Breach; 250k Accounts Affected

Twitter has released information regarding a hacking attempt which has led to partial breach of around 250,000 accounts.

In a blog post, Bob Lord, director of Information Security, states:

This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.

Twitter will be notifying the affected users to reset their passwords, and their old passwords will no longer work. If you have received such an email from Twitter, change your password immediately and make sure that it is a strong one. A strong password should have at least 8 characters, should be alphanumeric and should contain upper case letters, lower case letters and special characters. You could also use services like LastPass and 1Password to generate and manage passwords.

As of now, we don’t know how they were able to breach Twitter’s security. Twitter says that it was not an isolated incident and that the attacks were highly sophisticated. Just two weeks ago, major newspapers such as New York Times and Washington Post suffered data breaches which allegedly originated from China. So far, there are no reports that these attacks are linked.

MSE Fails AV-Test Certification; Microsoft Challenges the Testing Methodology

Microsoft’s antivirus product, Microsoft Security Essentials, has once again failed AV-Test’s criteria for certification. MSE garnered a score of 10 out of a possible 18, while a score of at least 11 was needed to obtain the certification.

The area where MSE failed was detecting zero-day attacks. MSE detected only around 78% of the attacks, whereas the industry standard is 91%. The test included 24 other security solutions, of which two other products also failed to obtain the certification. While Bitdefender Internet Security, Kaspersky Internet Security and Norton Internet Security got the highest ratings, AhnLab and PC Tools Internet Security failed.

Obviously, Microsoft was not happy with the test results and challenged AV-Test’s results in a blog post,

Our review showed that 0.0033 percent of our Microsoft Security Essentials and Microsoft Forefront Endpoint Protection customers were impacted by malware samples not detected during the test. In addition, 94 percent of the malware samples not detected during the test didn’t impact our customers.

AV-Test reports on samples hit/missed by category. We report (and prioritize our work) based on customer impact.

AV-Test’s test results indicate that our products detected 72 percent of all “0-day malware” using a sample size of 100 pieces of malware. We know from telemetry from hundreds of millions of systems around the world that 99.997 percent of our customers hit with any 0-day did not encounter the malware samples tested in this test.

AV-Test’s test results indicate that our products missed 9 percent of “recent malware” using a sample size of 216,000 pieces of malware. We know from telemetry that 94 percent of these missed malware samples were never encountered by any of our customers.

You can read the full response here.

Skype Password Reset Bug Allows Anyone to Hack a Skype Account

Hackers have discovered a new vulnerability in Skype that could allow anyone to practically reset any Skype account if the email associated is known.

The vulnerability, which first surfaced on Russian hacker forums, was first reported by The Next Web. The Next Web has verified the vulnerability and was able to successfully reproduce the hack twice. The hack basically involves creating a secondary account using the target’s email ID associated with Skype. Using this secondary account, one can access the original Skype account and change the password of the target.

Microsoft has since acknowledged the issue and at the moment, they have taken down the Password reset page from Skype’s website.

We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologize for the inconvenience but user experience and safety is our first priority.

This issue applies only to Skype accounts; Microsoft accounts, which can also be used to log in to Skype, are safe from this vulnerability.

Facebook Glitch Exposes User Accounts

A serious flaw has been discovered that allowed anyone to log in to other people’s Facebook accounts without needing a password.

The flaw, which was posted on The Hacker News website, uses a search string. When you google this search string, around 1.34 million results of different Facebook profiles are obtained and when you click on some of the links, you will automatically log in to the profile associated with that particular link.

The flawed links are the ones that are mailed to users to notify them of comments or other activity. They are designed to help users respond quickly to those notifications without having to log in. Those URLs are designed in such a way that they will only work once, Matt Jones, a Facebook engineer, said in a comment made at the Hacker News.

For a search engine to come across these links, the content of the emails would need to have been posted online.

Regardless, due to some of these links being disclosed, we’ve turned the feature off until we can better ensure its security for users whose email contents are publicly visible.

Facebook has now disabled the feature to protect its users and is helping exposed users with securing their accounts. Most of the exposed users are said to be from Russia and China.
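The "works only once" property described above, as an added Python sketch (not Facebook's code): the server keeps only a hash of each emailed token, consumes it on first use and refuses it after a deadline. The class name, the one-hour lifetime and the user IDs are assumptions made for illustration.

```python
import hashlib
import secrets
import time


class OneTimeLoginLinks:
    """Issue and redeem emailed login tokens that are single-use and short-lived."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so expiry can be exercised without sleeping
        self._pending = {}           # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        # Only the digest is stored, so a copy of this table is not a list of working links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        """Return the token to embed in the notification email for user_id."""
        token = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (user_id, self._clock() + self._ttl)
        return token

    def redeem(self, token):
        """Return the user_id once; None for unknown, already used or expired tokens."""
        # pop() removes the entry before anything else happens, so a second
        # request with the same link (for example from a search result) fails.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() >= expires_at:
            return None
        return user_id


if __name__ == "__main__":
    links = OneTimeLoginLinks(ttl_seconds=3600)
    emailed = links.issue("user-1001")           # constructed user ID
    print(links.redeem(emailed))                 # the recipient's click logs them in
    print(links.redeem(emailed))                 # the same link found later is dead
```

The deadline matters for links that were never clicked: if the email is posted online unopened, the token stops working after the lifetime even though it was never consumed.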

Experiencing Windows 8: From Exasperating to Adoring

First of all, here’s some history. When Windows 8 was first shown at the ‘Allthings D’ conference last year, I was skeptical. The interface was intuitive on a touch enabled device, but for a non-touch device, I was not so sure. And with that in mind, I tried the very first release for the public, the Developer Preview or DP and as expected, I was not impressed. It didn’t feel quite that well when used with a keyboard and mouse. I went back to Windows 7 in around three days. The same was the case with the Consumer Preview. And although I downloaded the Release Preview as soon as it was released, for some reason, I didn’t even bother installing it.

Last month, I got access to the RTM version of Windows 8 via the Dreamspark subscription. Since it was the final version, I decided to give it a chance. And on September 29th, I finally installed Windows 8 on my primary system as the only OS. I was certain that if I had installed it along with Windows 7 as a dual boot setup, I would just keep on switching back and forth between the two operating systems and that wouldn’t be doing a fair assessment and would just lead to decrease in productivity. So, here’s my initial experience with Windows 8 RTM and how it has evolved over time.

Initial Setup

The installation was smooth with the need of minimal user interference. Microsoft has really worked on improving the installation experience through the years from Vista onwards. Unfortunately for me, the simplicity ended right there. I had to face some driver issues, particularly with the Wi-Fi driver. Since Windows 8 was not yet released, I couldn’t find drivers on the manufacturer’s website. And, there was no generic driver available. I tried installing Windows 7 driver, but it gave me an error. But ultimately, I was able to solve the issue by installing the same driver in compatibility mode.


The next thing to do after installing Windows was of course installing the required apps. Now I use a multitude of apps ranging from big software like Visual Studio and Photoshop to tiny applications like NetWorx. I could install all of them on the new setup without any hassle. But the big change here is the introduction of the new Modern (formerly Metro) applications. Although Windows 8 was not released, there were still around 4000+ apps in the Windows Store which I think is incredible. But how many of them were actually usable or, more importantly, whether they included the apps that I need was the real question. Windows 8 comes with a bunch of useful apps such as Mail, Messaging, Bing News and which are really nice. I was particularly fond of People Hub and Photos app. The People hub connects to various major social networks such as Twitter, Facebook and LinkedIn and shows updates and notifications. The Photos app aggregates photos from various services including your photo library to one location.

Although I couldn’t find replacement for the majority of my software, there were quite a few nice apps that I liked. Being a heavy user of various social networks, the first few apps that I downloaded were the ones for various social networks such as Twitter and Facebook.  For Twitter, I am using MetroTwit which is very good. I used to have Fliptoast for Facebook, but recently it started crashing on me, even after doing a reinstall. So I am pretty much using the Facebook web interface as of now, until there’s a good app. Another important app that I required was a good reader for fetching feeds from Google Reader. I rely on Google Reader heavily for keeping up with the latest developments on technology as well as information security. Fortunately for me, I keep some good company. Ed Bott directed me to an excellent app called Feed Reader (which is a paid app). I also discovered a free app called Flux which was really nice, but didn’t have all the features that Feed Reader had. For browser, rather than using the default IE10 as my primary browser, I installed the metro version of Chrome. The metro is just in the name and it looks just like the original Chrome window maximized with the title-bar removed. But that did the job for me as I wanted a browser that would display the tabs by default whereas with IE10, one has to right click in order to see the open tabs.

As I mentioned earlier, the majority of the software I am using are legacy desktop apps and although it is not really inconvenient to switch back and forth between desktop and start screen, when you are forced to use desktop for simple tasks like copying files, it feels like a compromise, something that Sinofsky had said you wouldn’t have to deal with.

So, what Microsoft has to do here is to maintain developer interest in the new OS and to make sure that Windows Store gets all those popular apps that people care about. How well the developers accept the new OS will have a huge impact on the market share for Windows, especially for Windows RT which will only be able to run Windows Store apps.


Once I had all the apps in order, the biggest challenge for me was to get used to the operating system itself, especially the Charms bar. For example, while using the Music app, I was foolishly looking for the volume changer while it was in the Charms bar (which had to be opened by swiping from the right edge of the screen or by hovering the mouse to the top/bottom right corner). Charms bar provides a set of commonly used commands and settings option that could change with the app that is currently open. For example, when you have a webpage open, you can share it on a social network or email it to a friend using the Charms bar. Once I got accustomed to Charms bar, it was much easier to use Windows 8. I knew exactly where to look and that made a hell lot of difference. For using general settings or for interacting between apps, use the Charms bar and for viewing the specific app settings or controls, you can right click the app or swipe down from top of the screen. Once you get hold of this, Windows 8 will be pretty much easy to use.

Then there are things that I hated first, but as I got to use it, I started loving it. The snapping of apps was one such feature. I was not a fan of the fact that you cannot snap two apps side by side like in Windows 7. One app will go into a minimized state whereas the other one will take the majority of the screen real estate. But after using Windows 8 for a few weeks, I have started loving this feature. I can read articles from Bing News or Feed Reader while the Music app or Metrotwit is snapped to the side for easy viewing of ‘Now Playing’ list or my Twitter feed. And when I need traditional multitasking, I just go to the desktop.

Some of the issues I had with Windows 8 were solved with driver updates. Previously, when I was using Windows 7, after I unplugged the HDMI cable that connected my laptop to an external display, the display would automatically reset to the default laptop panel. But that was not the case with Windows 8. I had to first change the display before unplugging the cable. This issue has since been solved after a driver update. Also the Synaptics driver for the touchpad still has some inconsistencies. Vertical scrolling is only present in desktop mode and doesn’t work with start screen for some reason. I’m hoping that this will also be fixed soon like the display driver.


It’s been a month since I started using Windows 8. And how has it affected my life? I can now safely say that it has transformed me from a web person into an app person. Previously, I just used Chrome to check my mail, Twitter, Facebook and Google Reader. I now use different apps for each of those tasks. My mornings now start with reading news using the Bing News app along with my morning coffee. I listen to my favourite albums using the Music app, surf twitter using Metrotwit and when I stumble on an article I feel like sharing, I just use the share option in the Charms bar. I use Feed Reader to keep up with the latest happening in the world of technology and when I need it, I head to desktop to use Word 2010 or Visual Studio 2012. It’s all good.

And what’s better? The performance of my computer has improved a lot from what was with Windows 7. Now my laptop takes just around 10 seconds to boot which is incredible considering the fact that Windows 7 took around a minute to boot.  The battery life has also increased but not by a great margin.

Wrapping up, I would say that Windows 8 is like a roller coaster ride. You might be a little bit afraid to get into one at first and might not feel comfortable during the initial climb, but once you get comfortable, it’s one hell of a joy ride.

It is fast, fluid and intuitive and has improved a lot from the early DP or CP stages that I had encountered earlier. Microsoft’s biggest challenge now would be to educate its user base and to make sure that they do not dump the OS before they realize how great it is. So my advice to everyone going to try Windows 8 is, give it a chance and give yourself a little bit of time to get accustomed to it. Because once you get the hang of it, there’s a very good chance that you are going to love it, just like I did.


CERT Issues Alert for Possible SCADA Vulnerability

ICS-CERT (Industrial Control Systems Cyber Emergency Response Team), under the Department of Homeland Security of the US government, has issued an alert of a possible SCADA vulnerability affecting solar power plants.

The affected product is the Sinapsi eSolar Light Photovoltaic System Monitor which is used to communicate with photovoltaic inverters, gauges, energy meters, network analysers etc. The exploit allows a hacker to “remotely connect to the server and executing remote code, possibly affecting the availability and integrity of the device,” according to the report issued at the CERT website.

According to two security researchers, Roberto Paleari and Ivan Speziale, the vulnerabilities are exploited by authenticating to the service using hard-coded credentials. The researchers identified the vulnerable system as the Schneider Electric Ezylog photovoltaic SCADA management server. It is stated to suffer from multiple vulnerabilities, including SQL injection vulnerabilities and hard-coded authorizations.

ICS-CERT has working proof-of-concept code and has contacted the vendor of the software to confirm the vulnerability and identify mitigations. This comes days after Defense Secretary Leon Panetta warned about a possible ‘cyber Pearl Harbour’ in a speech at the Intrepid Air and Space Museum. SCADA systems are the underlying control systems of important national infrastructure such as power plants, and even small cyber-attacks on them could have big repercussions for the nation as a whole.

Source: ICS-CERT (PDF)

Via: Naked Security

Microsoft Settles with Defendants in Nitol Botnet Case

Last month, we reported on an operation conducted by Microsoft to disrupt the Nitol botnet. The operation, titled Operation b70, was the result of a Microsoft study that discovered pirated copies of Windows embedded with malware. As a part of the operation, Microsoft’s Digital Crimes Unit had asked to be allowed to take control of the domain which was used to host the botnet.

Richard Domingues Boscovich, Assistant General Counsel for the Microsoft Digital Crimes Unit, has stated in a blog post that they have reached a settlement with Peng Yong, operators of domain. He states:

Today, I am pleased to announce that Microsoft has resolved the issues in the case and has dismissed the lawsuit pursuant to the agreement. As part of the settlement, the operator of, Peng Yong, has agreed to work in cooperation with Microsoft and the Chinese Computer Emergency Response Team (CN-CERT) to:

· Resume providing authoritative name services for, at a time and in a manner consistent with the terms and conditions of the settlement.

· Block all connections to any of the subdomains identified in a “block-list,” by directing them to a sinkhole computer which is designated and managed by CN-CERT.

· Add subdomains to the block-list, as new subdomains associated with malware are identified by Microsoft and CN-CERT.

· Cooperate, to the extent necessary, in all reasonable and appropriate steps to identify the owners of infected computers in China and assist those individuals in removing malware infection from their computers.

In accordance with the settlement, Peng Yong will work with Microsoft and Chinese Computer Emergency Response Team to remove all malware associated with the domain and bring to justice all those responsible for spreading the malware.
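How the block-list terms above translate into name-server behaviour, as an added Python sketch that is not code from Microsoft, CN-CERT or the domain operator: listed subdomains and anything beneath them resolve to the sinkhole, everything else in the zone keeps its normal answer, and the sinkhole hits record which clients asked. The zone name, addresses and records are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed placeholders: the page gives neither the zone nor the sinkhole address.
ZONE = "dyn.example"          # hypothetical dynamic-DNS zone
SINKHOLE_IP = "192.0.2.53"    # documentation-range address standing in for the sinkhole


def normalize(qname):
    """Lower-case a query name and drop the trailing root dot (DNS names are case-insensitive)."""
    return qname.strip().rstrip(".").lower()


@dataclass
class SinkholingResolver:
    records: dict                                        # authoritative A records: name -> IP
    blocklist: set = field(default_factory=set)          # subdomains associated with malware
    sinkhole_hits: dict = field(default_factory=dict)    # blocked name -> client IPs seen

    def block(self, subdomain):
        """Add a newly identified malicious subdomain to the block-list."""
        name = normalize(subdomain)
        if not name.endswith("." + ZONE):
            raise ValueError(f"{subdomain!r} is not a subdomain of {ZONE}")
        self.blocklist.add(name)

    def _blocked_entry(self, name):
        """Return the block-list entry covering name, comparing whole labels only."""
        labels = name.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate == ZONE:          # reached the zone apex without a match
                return None
            if candidate in self.blocklist:
                return candidate
        return None

    def resolve(self, qname, client_ip):
        """Answer one A query as an (rcode, address) pair."""
        name = normalize(qname)
        if name != ZONE and not name.endswith("." + ZONE):
            return ("REFUSED", None)       # not authoritative for this name
        entry = self._blocked_entry(name)
        if entry is not None:
            # Blocked: answer with the sinkhole and remember who asked, which is
            # the data needed to find and notify owners of infected machines.
            self.sinkhole_hits.setdefault(entry, set()).add(client_ip)
            return ("NOERROR", SINKHOLE_IP)
        address = self.records.get(name)
        return ("NOERROR", address) if address else ("NXDOMAIN", None)


if __name__ == "__main__":
    ns = SinkholingResolver(records={"shop.dyn.example": "198.51.100.7",
                                     "bad.dyn.example": "203.0.113.66"})
    ns.block("BAD.dyn.example.")
    for q in ("bad.dyn.example", "c2.bad.dyn.example", "notbad.dyn.example",
              "shop.dyn.example"):
        print(q, ns.resolve(q, "10.0.0.5"))
```

Matching on whole labels is what keeps `notbad.dyn.example` from being swept up by a block on `bad.dyn.example`, while `c2.bad.dyn.example` is still covered.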

Richard also shared some statistics regarding the blocked domains.

Of note, in 16 days since we began collecting data on the 70,000 malicious subdomains, we have been able to block more than 609 million connections from over 7,650,000 unique IP addresses to those malicious subdomains. In addition to blocking connections to the malicious domains, we have continued to provide DNS services for the unblocked subdomains. For example, on Sept. 25, we successfully processed 34,954,795 DNS requests for subdomains that were not on our block list.

The operation is a part of Microsoft’s larger MAPS program intended to provide protection to the users of its Windows operating system.

Via: Technet