Facebook Apps Harvest and Sell Private Information in the Open Market

It’s often said that if you are not paying for something then you are the product. The reckless abuse of privacy information by millions of free apps available in various repositories regularly drives home this point.

Bogomil Shopov stumbled upon a deal selling more than a million Facebook profiles, each of which accompanied with the name and email address of the user, for only five bucks. Although he didn’t specify the source, it is probably the GigBucks listing pictured below. According to the offer description, the list consists only of active Facebook users, mostly from the US, Canada, UK and Europe. The data was harvested through Facebook apps.


An opt-in list with a million verified email addresses and names would have easily fetched hundreds of dollars in the decade gone by. However, now, it’s available for just five bucks. That in itself suggests that perhaps lists like these are not all that rare or difficult to find. Social media services like Twitter and Facebook have dramatically lowered the expectations of privacy among users. Most people will think twice before signing up for a dicey looking website, but will not hesitate to sign in through Facebook to play a quiz or take an IQ test. A little bit of carelessness and a little bit breach of trust is all it takes for your name to appear in a list like this.

What is the World’s Strongest Password?

Password strength is one thing that worries everyone when choosing a password for a new account. Most web-applications we see nowadays enforce strong password policies by advising their users to enter weird combinations of letters, numbers, and special characters. However, passwords made in this manner are safe only from prying eyes. Moreover, people still end up using the names of their girlfriend/son/daughter/wife/mother in their passwords, which makes them vulnerable to social hacking. So, how do we come up with a safe password?

An important part of answering that question is to know what you are protecting your password against. Is it against prying eyes, is it against social hacking or is it against automated attacks? The answer is all of them, and there is a way to protect yourself against all of these.

The Sneak Peek


I am a big fan of LastPass and it is an absolutely wonderful application. Using LastPass has many advantages. You never have to enter your password on every website you visit, except for a single master password, which signs you into LastPass. This can potentially reduce the risk from people who like to sneak up and look at your passwords. It also offloads the responsibility of remembering a huge load of passwords to LastPass. There is one more advantage of using LastPass, which is not much touted — it protects from phishing attacks as it works only on correct URLs of websites.

Social Hacking


There is no technology that can prevent people from giving away all sorts of personal information about themselves, to someone who seems to be a friendly and harmless guy from a business where you have an account. This bit of safety can come from awareness and awareness alone. Do not give away any of your personal information to an unknown person, or even to a known person unless you are sure about the reasons why you need to give it. This includes safe behavior on social networks as well. Do not go around making Facebook friends out of people you have not met in real life, because your Facebook account is always spilling all sorts of personal information.

In addition, your mother’s maiden name is not the most exclusive information in the world, and it is a very bad choice for a security question.

Automated attacks

If you are trying to protect against brute force or a directory attack, your safest bet is a long password. This XKCD says it all. However, entropy is more mathematical than practical; for instance, a 30 character long sequence of ‘a’s has a low entropy but is a strong password for any brute-force program.

So, what is the world’s strongest password? Perhaps you can tell me.

Further reading: StackExchange and more StackExchange

Kaspersky Lab is Creating a Secure Operating System for Use in Industrial Control Systems

Recently, there have been rumor of Kaspersky Lab building an operating system for industrial machinery. Yesterday, Eugene Kaspersky finally confirmed the rumors, saying that Kaspersky Laps is indeed working on an operating system for Industrial Control Systems (ICS). Eugene Kaspersky writes on the Kaspersky blog, saying,

Today I’d like to talk about the future. About a not-so-glamorous future of mass cyber-attacks on things like nuclear power stations, energy supply and transportation control facilities, financial and telecommunications systems, and all the other installations deemed “critically important”.


The biggest problems with ICS is that these systems are required to maintain a high availability, and in case of attacks and hacks, it becomes extremely difficult to shut down an infected component without bringing down the whole system. These systems are so cohesive, that it is nearly impossible to isolate an infected node, as they were never designed considering such sophisticated attacks. Kaspersky Lab is working on a secure operating system that will be effective against nation-state funded cyber-attacks, like the ones we have seen over the last few months.

The operating system from Kaspersky Lab has security as its top priority, but it will also address issues of availability by providing hot reboot-less patches. Nonetheless, it will also proactively be checked for security exploits to stay one-step ahead of hackers. This is one operating system designed from the ground up keeping one thing in mind — security. Read more about the Kaspersky Operating System here.

CERT Issues Alert for Possible SCADA Vulnerability

ICS-CERT (Industrial Control Systems Cyber Emergency Response Team), under the Department of Homeland Security of the US government, has issued an alert of a possible SCADA vulnerability affecting solar power plants.

The affected product is the Sinapsi eSolar Light Photovoltaic System Monitor which is used to communicate with photovoltaic inverters, gauges, energy meters, network analysers etc. The exploit allows a hacker to “remotely connect to the server and executing remote code, possibly affecting the availability and integrity of the device,” according to the report issued at the CERT website.

The vulnerabilities are exploited by authenticating to the service using hard coded credentials as per two security researchers, Roberto Paleari and Ivan Speziale, who identified the vulnerable system as the Schneider Electric Ezylog photovoltaic SCADA management server. It is stated to suffer from multiple vulnerabilities including SQL injection vulnerabilities and hard coded authorizations.

ICS-CERT has a working proof of concept code and has contacted the vendor of the software to confirm the vulnerability and identify mitigations. This is days after Defense Secretary Leon Panetta had warned about possible ‘cyber Pearl Harbour’ in a speech at the Interpid Air and Space Museum. SCADA systems are the underlying control systems of important national infrastructures such as power plants and even small cyber-attacks on them could have big repercussions on the nation as a whole.

Source: ICS-CERT (PDF)

Via: Naked Security

Researcher Discovers 100k IEEE User Passwords on Public FTP

If you are a member of IEEE, it might be the time for you to change the password.

A Romanian university teaching assistant, Radu Dragusin, has discovered a publicly accessible FTP server that stored around 100,000 usernames and passwords in plain text.  The passwords where found in logs stored on the FTP server. There where around 100GBs of logs which contained 376 million HTTP requests. Out of these, 411,308 entries contained passwords.

He reported the vulnerability to the officials on September 24th and they are rectifying the issue at the moment. The FTP server which contained the information has been taken offline and they are sending password reset email to all those affected. But we are yet to see a public statement from them.

IEEE, if you are not aware, stands for Institute of Electrical and Electronic Engineers and is an international organization that promotes technology and science. Its members include high position holders from various prestigious institutions. Radu says that the logs consisted passwords of Apple, Google, IBM, Oracle and Samsung employees, as well as researchers from NASA, Stanford etc. The data is assumed to have been available online for about a month. But it is not certain whether the data has been acquired by hackers.

IEEE officials will have to answer a lot of questions in the coming days. Most importantly, why was the password stored as plain text. Secondly, why was the FTP server permissions not set correctly, when it contained massive amount of logs. Hopefully, they will rectify the issues as soon as possible and this should be a cue for others to secure the customer’s data.

Source: IEEE Log

Extremist Hacker Group Takes Down Wells Fargo Website

“Izz ad-din Al qassam” has become quite notorious over the last few days because of its series of attacks on US financial institutions. Last week, they targeted The Bank of America, The NYSE and Chase bank. Their modus operandi is a DDoS attack, and it speculated that they are being sponsored by the Government of Iran. However, they have denied any such political affiliation. Just like Anonymous and its affiliate hacker groups, they have taken to Pastebin to announce their wins.


Apparently, this is the second week of their operation Ababil, and they explain their operation as:

In the previous announcements, we stated that we will not tolerate insulting exalted character of the prophet of mercy and kindness. Due to the insult, we planned and accomplished a series of cyber operations against the insulting country’s credit and financial centers.

Insult to a prophet is not acceptable especially when it is the Last prophet Muhammad (Peace Be upon Him). So as we promised before, the attack will be continued until the removal of that sacrilegious movie from the Internet.

The hacker group has a “timetable” for this week’s attack, with Wells Fargo, the US Bank and the PNC websites scheduled for Tuesday, Wednesday and Thursday respectively. The “Izz ad-din Al qassam” group has claimed that these attacks will continue until the movie defaming Prophet Muhammad is removed from YouTube. The movie has already resulted in a lot of violence in Syria, and now this cyber-warfare against the US is taking further toll.

You can read this Pastebin paste for the complete declaration.


Flame Command & Control Server Password Cracked

Flame was arguably the next big thing in the state sponsored malware section after Stuxnet. If you are not aware, Flame is a malware that was used to infect computers in the Middle East for espionage purposes.

Flame was investigated by a joint effort of Kaspersky, Symantec, ITU-IMPACT and CERT-Bund/BSI. Symantec had earlier failed to crack the password of Flame’s Control Centre and had put out a blog post asking for help in cracking the hash, 27934e96d90d06818674b98bec7230fa. Dmitry Bestuzhev of Kaspersky cracked the hash to find the clear text password as [email protected]#. We are not yet aware of the method he used to crack the hash.

The decoding of the hash led to the researchers being able to see the Command-and-Control servers for the Flame malware. Kaspersky has posted a detailed blog post analyzing the C&C. All of the servers were running a 64-bit version of Linux called Debian. The programming languages used where PHP, Python and bash and virtualization was run under OpenVZ.

An initial look at the C&C revealed that the attackers had used a minimal interface with no terms such as bot or botnet, possibly to avoid suspicion of hosting company. There was no way to send commands to the C&C as well.

To send a command or set of commands to a victim, the attacker uploaded a specially crafted tar.gz archive, which was processed on the server. A special server script extracted the archive contents and looked for *.news and *.ad files. These files were put into corresponding directories “news” and “ads”. The C&C allows an attacker to push an update to a specific victim, or all victims at a time. It is possible to prioritize a command which allows to organize an order of commands (i.e. collect all data and only after self-removal). The priority and target client ID was transferred in an unconventional way. They were stored in the filename that the attacker uploaded to a C&C.

The researchers also discovered three protocols – SP, SPE, FL and IP which were used to communicate with different clients of which, Flame was identified as FL. This suggests that there are three more Flame like malware in the wild which have not been discovered yet.

The analysis of the C&C shows that servers were first setup on 03 December, 2006 which suggests that Flame was operational for much longer than what we had first thought. The scripts used by the operators also contained other valuable information, the nick name of the developers. Kaspersky hasn’t published their names and has only identified them as D, H, O and R in the blog post.

You can read more about the Kaspersky’s analysis of Flame’s C&C here and a whitepaper by Symantec on Flame here [PDF].

New Critical 0-day Internet Explorer Vulnerability Being Used to Deliver Poison Ivy Trojan

If you are still using Internet Explorer 9 or below, here is one more reason to upgrade to Internet Explorer 10, or perhaps take a look at one of the many excellent free alternatives. A critical zero-day vulnerability has been uncovered in Internet Explorer that could allow a remote hacker to execute arbitrary code on your system even if you simply browse to an infected page. The vulnerability is already being actively exploited in the wild. Affected versions include Internet Explorer 6, 7, 8, and 9.

Eric Romang was the first to report the vulnerability, which has since been confirmed by Microsoft. The exploit has four main components: the Exploit.html file which acts as the starting point, the Moh2010.swf flash file that is responsible for spraying the heap with the payload that will be executed, the Protect.html file that is the actual trigger for the vulnerability, and additional malicious components that are downloaded and executed on the compromised system by the payload. The payload being dropped by the flash file has been identified to be the infamous Poison Ivy trojan.

If Internet Explorer 10 is not supported on your system and you don’t want to move to an alternate browser, Microsoft is recommending that you add Internet Explorer to the Enhanced Mitigation Experience Toolkit, or set Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting. Detailed workaround instructions are available in Microsoft’s Security Advisory.

Microsoft Disrupts Nitol Botnet

In an operation named Operation b70, Microsoft was able to disrupt the Nitol botnet that was used to spread malware and launch DDoS attacks. The operation was carried out by Microsoft’s Digital Crimes Unit with the permission of U.S. District Court for the Eastern District of Virginia.

The operation was a result of a study conducted by Microsoft which discovered hackers selling pirated copies of Windows that was embedded with malware. They then got these copies into different unsecured (a distributor or reseller selling products from unconfirmed or unauthorized sources) supply chains for distribution. In the research, it was found that about 20% of pirated copies of Windows consisted of different types of malware.

These malware was used for a multitude of illegal purposes including stealing passwords, credit card information and even remotely turning on the microphone and webcam connected to the victim’s computer.

The computers that were part of the Nitol botnet was controlled by a Nitol command server. The DNS of the server was found to be provided by a rogue website called 3322.org which has been known to be a part of several targeted attacks in the past. With the successful takedown of 3322.org, Microsoft was also able to take down around 500 different strains of malware stored in 70,000 sub-domains of the rogue website.

The operation was part of Microsoft’s wider MAPS (Microsoft Active Response for Security) program which is intended to protect Windows users against malware. This is the second such action against botnets by Microsoft, which had taken down Zeus botnet earlier this year.

Via: Official Microsoft Blog

Brazilian Trojan Issued Digital Certificate; Revoked Later

Wikipedia defines a digital certificate as ‘an electronic document which uses a digital signature to bind a public key with an identity — information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual.’

In the case of software, it is used to ensure that the software is what it claims. Operating Systems use digital certificates to make sure that an application that is being installed is valid. But what if the digital certificate is obtained by giving fake information?

There have been cases in the past were malware authors used stolen digital certificates for their rogue apps. But according to a report from Kaspersky, a group of Brazilian Trojan authors was able to obtain genuine certificates from Comodo by using fake data.

The authors used a fake company name gastecnology.org for obtaining the certificate. As shown in the Securelist blog, a simple DNS lookup of that particular domain name gives use some clues as to the veracity of that company.

Firstly, the email address used to register the account is a free Yahoo Mail account and secondly, the phone number as well as the address provided was fake.

After obtaining the digital certificate, the malware authors used an extensive email campaign to spread the malware. The certificate has been revoked since then and the application is now flagged as malware.

Although the certificate was revoked, the big question here is why the certificate was allowed in the first place. Since digital certificate plays an integral part in verifying the validity of an application, signing an application should be only done after verifying the submitted data which was not the case here. Hopefully certification authorities will be more careful after this incident.