Twitter Suffers Data Breach; 250k Accounts Affected

Twitter has released information about a hacking attempt that led to a partial breach of around 250,000 accounts.

In a blog post, Bob Lord, Director of Information Security, states:

This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.

Twitter is notifying the affected users to reset their passwords, and their old passwords will no longer work. If you have received such an email from Twitter, change your password immediately and make sure that it is a strong one. A strong password should have at least 8 characters, should be alphanumeric, and should contain upper-case letters, lower-case letters and special characters. You can also use services like LastPass and 1Password to generate and manage passwords.

As of now, we don’t know how the attackers were able to breach Twitter’s security. Twitter says that this was not an isolated incident and that the attacks were highly sophisticated. Just two weeks ago, major newspapers such as the New York Times and the Washington Post suffered data breaches that allegedly originated from China. So far, there are no reports that these attacks are linked.

Citibank and BoA Websites DDoSed by Al-Qassam Cyber Fighters

The new year has started on a disturbing note for Citibank and Bank of America (BoA), as Al-Qassam Cyber Fighters have started a DDoS attack against them. The attack is not a surprise, as it was announced back in December last year. This is the second phase of their Operation Ababil, which began on 27 December last year. The operation seems to have one agenda only — to get the controversial anti-Islamic video removed from YouTube and to stop the organized western offensive against Islam (if there is such a thing).


The first phase of Al-Qassam’s attack took place in October, after which they took a break for Eid al-Adha. The list of targets for this second phase includes US Bancorp, JPMorgan Chase, Bank of America (BoA), PNC Financial Services Group and SunTrust. The hackers at Al-Qassam said:

In new phase, the wideness and the number of attacks will increase explicitly; and offenders and subsequently their governmental supporters will not be able to imagine and forecast the widespread and greatness of these attacks.

The hackers are extremely confident about their mission and have managed to cause temporary interruptions of service at BoA and Citibank. While Bank of America was attacked earlier, in the first phase, this is the first time Citibank has been targeted by Al-Qassam Cyber Fighters.

Citibank announced the disruption in service on its official Twitter account.

This hacker collective has no affiliation with Anonymous, and is one of a kind in that, unlike other hacker groups, it has risen to defend Islam.

Skype Password Reset Bug Allows Anyone to Hack a Skype Account

Hackers have discovered a new vulnerability in Skype that could allow practically anyone to reset the password of any Skype account, provided the email address associated with it is known.

The vulnerability, which first surfaced on Russian hacker forums, was first reported by The Next Web. The Next Web verified the vulnerability and was able to reproduce the hack twice. The hack basically involves creating a secondary Skype account using the email address associated with the target’s account. Using this secondary account, one can access the original Skype account and change the target’s password.

Microsoft has since acknowledged the issue and, for the moment, has taken down the password reset page from Skype’s website:

We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologize for the inconvenience but user experience and safety is our first priority.

This issue applies only to Skype accounts; Microsoft accounts, which can also be used to log in to Skype, are not affected by this vulnerability.
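The root of the flaw described above is that a freshly registered account could claim someone else’s email address and then be used as a foothold for resetting the original account. The following added example (not Skype’s or Microsoft’s code) models the defensive rule: an address grants password-reset rights only after ownership of it has been proven by returning a token mailed to that address. The in-memory account store, the token handling, the PBKDF2 password hashing and the sample users are all constructed for illustration.

```python
"""Why a password reset must key on a *verified* email address.

Added example, not Skype's or Microsoft's code.  The in-memory account store,
the verification and reset tokens and the sample users are constructed for
illustration; a real service would mail the tokens to the address.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional


def _hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as hex(salt)$hex(derived key)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + dk.hex()


@dataclass
class Account:
    username: str
    email: str
    password_hash: str
    email_verified: bool = False
    verify_token: Optional[str] = None   # mailed to the address at sign-up
    reset_token: Optional[str] = None    # mailed to the address on reset request


class AccountStore:
    def __init__(self) -> None:
        self._by_user: dict = {}

    def register(self, username: str, email: str, password: str) -> str:
        """Anyone may *claim* an address; the claim stays unverified until the
        token that was mailed to that address comes back."""
        if username in self._by_user:
            raise ValueError("username taken")
        acct = Account(username, email.lower(), _hash(password))
        acct.verify_token = secrets.token_urlsafe(32)
        self._by_user[username] = acct
        return acct.verify_token

    def confirm_email(self, username: str, token: str) -> bool:
        acct = self._by_user[username]
        if acct.verify_token is None or not hmac.compare_digest(acct.verify_token, token):
            return False
        acct.email_verified, acct.verify_token = True, None
        return True

    def request_reset(self, email: str) -> dict:
        """Issue reset tokens only for accounts that have *proven* ownership of
        the address.  A second, unverified account registered with the same
        address is ignored, so it cannot be used as a foothold."""
        issued = {}
        for acct in self._by_user.values():
            if acct.email == email.lower() and acct.email_verified:
                acct.reset_token = secrets.token_urlsafe(32)
                issued[acct.username] = acct.reset_token
        return issued  # would be mailed to the address, never shown to the requester

    def complete_reset(self, username: str, token: str, new_password: str) -> bool:
        acct = self._by_user[username]
        if acct.reset_token is None or not hmac.compare_digest(acct.reset_token, token):
            return False
        acct.password_hash, acct.reset_token = _hash(new_password), None
        return True

    def check_login(self, username: str, password: str) -> bool:
        acct = self._by_user.get(username)
        if acct is None:
            return False
        salt_hex, _ = acct.password_hash.split("$")
        candidate = _hash(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(acct.password_hash, candidate)
```

In this model a second account that merely claims the victim’s address never becomes `email_verified`, because the verification token goes to the victim’s inbox, so `request_reset` issues nothing for it and the attacker’s own session gives no path to the original account.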

Zero-day Adobe Reader Exploit Being Sold in the Black Market

Adobe Reader is notorious for its security flaws, and these flaws are always exploited eventually. By now, you might have lost count of the number of times exploits have been discovered for Adobe’s PDF reader. What is interesting this time, however, is that this unknown security flaw has made its way to the black market and is selling at a considerably high price. This is not a hacker group trying to get some adrenaline flowing by hacking Adobe Reader. This qualifies as organized crime, and Adobe has no clue what it can do to curb the problem.


The research on this exploit has been carried out by Group-IB. Group-IB is based in Moscow and is the country’s leading computer security company. A spokesperson for Adobe, Wiebke Lips, says:

Adobe will reach out to Group-IB. But without additional details, there is nothing we can do, unfortunately — beyond continuing to monitor the threat landscape and working with our partners in the security community, as always.

Adobe was not contacted by Group-IB about this exploit, and the exploit is rumored to be selling on the black market for $50,000. This is a significant blow for Adobe, as it introduced a sandbox in Reader X. The sandbox was supposed to hold its ground against unknown exploits. However, if this exploit really works, the sandbox has obviously failed and has provided a false sense of security until now.

The exploit works on Microsoft Windows, and is triggered only after the user closes the web browser or the Reader application. For now, it would be safer to switch to an alternative to Adobe Reader.

LG Smart World Hacked, User Information Leaked

A hacker going by the Twitter handle @Ur0b0r0x has breached LG Smart World and leaked the email addresses and password hashes of 11,316 users [please see the update below]. Smart World is LG’s official app store, providing apps for smart TVs, smartphones and home appliances. The same hacker had earlier hacked 32 websites belonging to the Government of Colombia.


The hacked data dump has already been indexed by OZ Data Centa. If you want to find out whether your information has been leaked, head over to ozdc.net and search for your email address. According to OZDC, the leaked data contains 11,203 valid email addresses, 284 of which had already been compromised in some other data breach. Thankfully, LG was not storing passwords in plain text. However, I am not sure exactly what hashing algorithm it was using. If your account has been affected, immediately change your password on Smart World as well as on all other websites where you were using the same password.
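Which hashing algorithm was used matters a great deal for a leaked table like this one. The following added example (not LG’s code; the wordlist and user records are constructed) contrasts a bare, unsalted SHA-1, where one precomputed table recovers every user who chose a wordlist entry, with per-user salted PBKDF2-HMAC-SHA256, where identical passwords produce different hashes and each guess costs a full KDF run per user.

```python
"""Why the hashing algorithm matters for a leaked password table.

Added example, not LG's code.  The four-entry wordlist and the user records
are constructed stand-ins for the lists attackers actually use.
"""
import base64
import hashlib
import hmac
import os

# Constructed wordlist standing in for the lists attackers actually use.
WORDLIST = ["password", "123456", "letmein", "welcome"]


def unsalted_sha1(password: str) -> str:
    """What a careless site stores: a bare digest, identical for identical passwords."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(leaked: dict, wordlist=WORDLIST) -> dict:
    """One table, built once, recovers every user who chose a wordlist entry."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


def hash_password(password: str, iterations: int = 200_000) -> str:
    """Per-user random salt plus a slow KDF: identical passwords hash
    differently, and every guess costs the attacker `iterations` rounds."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(dk).decode()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_b64, dk_b64 = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))
```

Note what salting does and does not buy: it removes the shared precomputed table and forces per-user work, but a password that appears in a wordlist is still recoverable, just more slowly. That is why the advice to use distinct, non-dictionary passwords still applies even when a site hashes properly.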

Nothing on the internet is truly secure, and data and privacy breaches are often inevitable. However, you can avoid being burned by being prepared for the worst-case scenario. Some elementary precautions are:

  • Using distinct, non-guessable passwords that are not dictionary words. You can use a password manager like LastPass to manage your various accounts.
  • Enabling two-step authentication on services, like Gmail, that support it.
  • Using a truly secure secret question for password reset options.

Update: An LG spokesperson reached out to us stating that LG has been unable to verify a breach. “As far as we know, no private or sensitive information has been accessed”, he added.

Facebook Glitch Exposes User Accounts

A serious flaw has been discovered that allowed anyone to log in to another user’s Facebook account without needing a password.

The flaw, which was posted on The Hacker News website, relies on a search string. When you google this search string, around 1.34 million results pointing to different Facebook profiles are returned, and when you click on some of the links, you are automatically logged in to the profile associated with that particular link.

The flawed links are the ones mailed to users to notify them of comments and other notifications. They are designed to let users respond quickly to those notifications without having to log in. Matt Jones, a Facebook engineer, said in a comment at the Hacker News that those URLs are designed to work only once:

For a search engine to come across these links, the content of the emails would need to have been posted online.

Regardless, due to some of these links being disclosed, we’ve turned the feature off until we can better ensure its security for users whose email contents are publicly visible.

Facebook has now disabled the feature to protect its users and is helping exposed users with securing their accounts. Most of the exposed users are said to be from Russia and China.
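Links that log a user in without a password are only tolerable if they are bound to one user, expire, and stop working after the first click; then a link that leaks after it was used is inert, and an unused one stops working at expiry. The following added example (not Facebook’s code) shows one way to build such links: an HMAC over the user id, a random nonce and an expiry time, plus a server-side table of unused nonces that is consumed on first redemption. The signing key, host name and user ids are constructed, and the clock is injectable so expiry can be tested.

```python
"""Single-use, expiring notification links.

Added example, not Facebook's code.  The signing key, host name and user ids
are constructed; the server-side "unused nonce" table is an in-memory dict.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit


class NotificationLinks:
    def __init__(self, key: bytes, ttl_seconds: int = 3600, now=time.time) -> None:
        self._key = key
        self._ttl = ttl_seconds
        self._now = now                # injectable clock, so expiry can be tested
        self._unused: dict = {}        # nonce -> (user_id, expires); removed on first use

    def _sign(self, user_id: str, nonce: str, expires: int) -> str:
        msg = f"{user_id}|{nonce}|{expires}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, user_id: str, path: str) -> str:
        """Mint a link for one user, valid once, for ttl_seconds."""
        nonce = secrets.token_urlsafe(16)
        expires = int(self._now()) + self._ttl
        self._unused[nonce] = (user_id, expires)
        query = urlencode({"u": user_id, "n": nonce, "e": expires,
                           "s": self._sign(user_id, nonce, expires)})
        return f"https://social.example{path}?{query}"   # constructed host name

    def redeem(self, url: str):
        """Return the user id to log in, or None if the link is malformed,
        forged, expired, or has already been used."""
        q = parse_qs(urlsplit(url).query)
        try:
            user_id, nonce, sig = q["u"][0], q["n"][0], q["s"][0]
            expires = int(q["e"][0])
        except (KeyError, ValueError):
            return None
        if not hmac.compare_digest(sig, self._sign(user_id, nonce, expires)):
            return None                                   # tampered parameters
        if self._now() > expires:
            self._unused.pop(nonce, None)                 # garbage-collect
            return None
        if self._unused.pop(nonce, None) != (user_id, expires):
            return None                                   # replayed or unknown nonce
        return user_id
```

The nonce table is what enforces single use; the HMAC only proves the parameters were minted by the server. Dropping either check reintroduces a failure: without the table a leaked link works until expiry, and without the HMAC anyone could mint a link for an arbitrary user id.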

HSBC Bank Employee Resigns and Steals Customer Information on the Way Out

Back in March 2010, HSBC had a huge and embarrassing data breach in which an employee resigned and stole details of the bank’s private operations in Switzerland. Around 24,000 accounts were compromised in that theft, and more than 15,000 of those accounts are still active. Although HSBC Bank claimed that the stolen data could not be used to access accounts, a data breach is a data breach, and the manner in which it happened suggested lax security on site. An investigation followed the incident, and HSBC Bank invested in better security at its Swiss office.


This time, HSBC Bank customers had a sense of déjà vu when the bank reported that another employee had pulled off the same stunt (resign, steal customer records and walk out), in California. The stolen information includes HSBC Bank customer account numbers, account types, phone numbers and names. HSBC Bank has also sent a letter to its customers, an excerpt from which reads:

If you find suspicious activity on your credit reports or have reason to believe your information is being misused, call or contact your local law enforcement and file a police report. Get a copy of the report; many creditors want the information it contains to absolve you of the fraudulent debts. You also should file a complaint with the FTC at www.ftc.gov/idtheft or at 1-877-ID-THEFT (877-438-4338). Your complaint will be added to the FTC’s Identity Theft Data Clearinghouse, where it will be accessible to law enforcers for their investigations.

Although the data breach took place last Saturday, HSBC Bank did not report it until this Tuesday. As a remedial measure, HSBC Bank is offering a one-year subscription to ITAC Sentinel, a credit monitoring service. But will that make existing customers feel any safer?

Trend Micro Unearths a Massive Android Adware and Data-harvesting Ploy

The world is seeing a paradigm shift from PCs to mobile solutions. While performance improvements, the availability of apps and aggressive marketing have skyrocketed Android’s popularity, one vital area has been ignored — security. Android phones run apps, which connect to the Internet the same way your browser does. But while the browser’s access to your operating system is tightly regulated by the browser vendor, an app’s access to your system is defined by the app developer at will. Some apps use ad networks for monetization, and these ad networks are notorious for gobbling up all kinds of personal information. This poses a serious security threat, and it is now being exploited.


In a report titled “Android Under Siege: Popularity Comes at a Price”, Trend Micro has released the scariest report out there for Android enthusiasts. The Android malware count has increased 600%, from about 30,000 in mid-2012 to about 175,000 now. Most of these infected apps are fake versions of popular Android apps. Others do not properly disclose their activities in their EULA.

A dangerous piece of malware called Zero Access Malware, which can patch system files, has been seen on more than 900,000 devices, and over 7,000 Android devices are infected with a dangerous adware that harvests personal data without permission. The top two countries sending out malware and hosting data-harvesting botnets are Saudi Arabia and India. These are convenient choices for running such operations, as they are not seen as conventional sources of cybersecurity threats.

Clearly, the openness and regulation-free nature of the Android platform is taking a toll on security. Android developers need to address this issue and come up with a secure platform. Failing that, Android will soon become the Windows OS of the mobile world.

Read Trend-Micro’s report here [PDF link].

Top Passwords of 2012

Halloween is fast approaching, and if you don’t want to deal with a security nightmare, it might be prudent to take another look at your passwords. Earlier in the year, I had shared with you a list of 25 Passwords and ATM PINs You Should Never Use. Now, here is another similar list. This one comes courtesy of SplashData and contains the most common passwords compiled from files containing millions of stolen passwords posted online by hackers.

[Infographic: Top Passwords of 2012]

Passwords like password, 123456, abc123 and qwerty once again top the list. There are some new entries, such as welcome, jesus, ninja, mustang and password1. However, most of the passwords in the top 25 are carried over from SplashData’s previous year’s list. The infographic above shows the top ten passwords. You can find the full list of passwords that you should never use over here. As always, if you truly want to remain secure you should avoid guessable passwords (like your birthday) and hints, and use distinct passwords. Remembering several dozen unique passwords is not an easy feat; hence, you can rely on tools like LastPass to generate and remember passwords for you.
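The password rules given in the Twitter item earlier on this page (at least 8 characters, mixed case, digits and special characters) and the common-password list above are two halves of one check, and the second half catches what the first misses: “P@ssw0rd1!” satisfies every character-class rule but is a trivial variant of the most common password of all. The following added example (not SplashData’s or the author’s code) combines both checks; it also normalizes a candidate the way a wordlist rule would before comparing it against the list. Only the entries named in the text above are included, so the blocklist is a constructed subset, not the full top 25.

```python
"""Password policy check: character-class rules plus a common-password blocklist.

Added example, not SplashData's or the author's code.  COMMON_PASSWORDS is a
constructed subset containing only the entries the article names; a real
deployment would load the full list (and preferably a much larger one).
"""
import string

COMMON_PASSWORDS = {"password", "123456", "abc123", "qwerty",
                    "welcome", "jesus", "ninja", "mustang", "password1"}

# Undo the substitutions attackers' wordlist rules try first: @->a $->s !->i 0->o 1->l 3->e 4->a
LEET = str.maketrans("@$!0134", "asiolea")


def normalize(password: str) -> str:
    """Reduce a password to the base word a wordlist rule would reach:
    lower-case, strip leading/trailing digits and symbols, undo leet-speak."""
    base = password.lower().strip(string.digits + string.punctuation)
    return base.translate(LEET)


def check_password(password: str, blocklist=COMMON_PASSWORDS, min_length: int = 8) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if password.lower() in blocklist:
        problems.append("exact match in common-password list")
    elif normalize(password) in blocklist:
        problems.append("trivial variant of a common password")
    return problems
```

The normalization step is deliberately simple; real wordlist rules are far richer, which is why a length-and-character-class policy alone is a weak defence and a generated, unique password from a manager is the better default.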

Tech Giants Come Together to Form Cyber Security Research Alliance

In the wake of the ongoing cyber-warfare, tech giants have come together to form a consortium that will focus on cyber-security. The consortium is called the Cyber Security Research Alliance (CSRA) and counts AMD, Intel, RSA, Lockheed Martin and Honeywell among its members. Problems in cyber-security are getting more complex every day, and this private alliance will create a rich knowledge pool to address the security issues of the present and the future.


The primary aim of the CSRA is to bridge the gap between government-funded R&D efforts and commercial cyber-security solutions. It will bring together the expertise of its member companies and the R&D efforts of the Government. Chuck Romine, Director of NIST’s Information Technology Laboratory, says:

Putting into practice the exciting cyber security innovations that emerge from research requires active partnerships between government and industry and also among private sector stakeholders. The emergence of CSRA can strengthen both kinds of partnerships and we look forward to working with this new organization to promote a trustworthy cyberspace for our nation and its citizens.

Most of the mega-attacks that we have seen over the last few days have been on control systems (think Flame and Stuxnet). It is good to see that cyber-security efforts for the protection of control systems have stepped up after Stuxnet. Visit the CSRA homepage to learn more.

Also, read how Kaspersky is creating a high-availability operating system for control systems that primarily addresses security.