Reports are coming in that hackers have managed to break into a Yahoo service and steal sensitive data of more than 453,000 of its customers. According to the security firm TrustedSec, which first reported the incident, the service that was compromised was Yahoo Voice.
The affected website was only named as a subdomain of yahoo.com; however, digging through and searching for the hostname, the attacker forgot to remove the hostname “dbb1.ac.bf1.yahoo.com” (credit to Mubix for the hostname find). Looking through a variety of sources, it appears that the compromised server was likely “Yahoo! Voice”, which was formerly known as Associated Content (credit to Adam Caudill for the linkage).
The hackers have posted the database containing the email IDs and passwords as proof. According to the dump, the hackers used a method called union-based SQL injection to hack the database: a technique in which SQL fragments entered into improperly protected input fields are executed by the database as part of the application’s own query.
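As an added illustration (not code from the article or from TrustedSec) of the query-building mistake that union-based SQL injection exploits, the following shows a search function that concatenates user input into SQL beside the parameterized form that prevents it. The schema, the table names and the PROBE input are constructed for the example.

```python
import sqlite3


def build_db():
    """Constructed toy schema standing in for an article site with a
    user table (example data, not Yahoo's)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER, title TEXT);
        CREATE TABLE users (email TEXT, password TEXT);
        INSERT INTO articles VALUES (1, 'Welcome'), (2, 'Tips');
        INSERT INTO users VALUES ('alice@example.com', 'hunter2');
    """)
    return conn


def search_vulnerable(conn, term):
    # Concatenating user input into the statement lets the input rewrite
    # the query: a UNION appended to the term pulls rows from a table the
    # search was never meant to read.
    sql = "SELECT id, title FROM articles WHERE title = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_hardened(conn, term):
    # A bound parameter is always treated as a value, never as SQL, so
    # the same input simply matches no title.
    sql = "SELECT id, title FROM articles WHERE title = ?"
    return conn.execute(sql, (term,)).fetchall()


# Constructed test input of the kind a code reviewer uses to confirm the fix.
PROBE = "x' UNION SELECT email, password FROM users --"
```

The vulnerable variant returns the users row for PROBE, while the hardened variant returns an empty result for the same input.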
The scariest part, according to TrustedSec, is that the passwords were stored as plain text without any kind of encryption. If this was indeed the case, it would have been a highly irresponsible action on Yahoo’s part.
The hackers posted the following statement along with the dump,
We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.
If you are a Yahoo Voice customer, I recommend you change your password immediately and if you are using the same passwords for any other service (which is a bad practice), it is better to change that as well.
Social question and answer website Formspring has been breached, and a dump of 420,000 passwords is spreading around the interwebs. Formspring, which was founded in 2009, has more than 20 million registered users. It recently gained notoriety due to incidents of bullying leading to the deaths of teenagers.
Formspring has confirmed that an unknown attacker managed to break into one of its development servers to extract account information from a production database. Fortunately, Formspring had significantly better security practices than most other recently hacked web services. All the passwords were hashed using SHA-256 with salting. Thus, if you have a reasonably secure password, you will most probably be safe. However, users with insecure passwords still stand the risk of being exposed. As a precautionary measure, Formspring is forcing all of its users to change their password. It has also updated its authentication system to use the bcrypt hashing function, which is practically impossible to brute force.
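To make concrete the difference between the schemes discussed for Yahoo (plain text) and Formspring (salted SHA-256, then bcrypt), here is an added example, not code from the article or from either company: a salted SHA-256 store, a defender-side audit showing that salting alone still leaves weak passwords recoverable from a short dictionary, and a work-factor hash whose cost parameter is the property bcrypt provides. It assumes PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt, and the common-password list is constructed.

```python
import hashlib
import hmac
import os

# Constructed list of common passwords for the audit (example data, not from any dump).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]


def hash_sha256_salted(password, salt=None):
    """Salted SHA-256, the scheme the article credits Formspring with.
    A per-user salt defeats precomputed tables and makes every digest
    unique, but SHA-256 is fast, so a weak password still falls quickly."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt, digest


def verify_sha256_salted(password, salt, digest):
    candidate = hashlib.sha256(salt + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)


def hash_slow(password, salt=None, iterations=200_000):
    """Work-factor hash standing in for bcrypt. Assumption: PBKDF2-HMAC-SHA256
    is used because bcrypt is not in the standard library; like bcrypt's cost
    parameter, `iterations` multiplies the price of every single guess."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()
    return salt, digest, iterations


def verify_slow(password, salt, digest, iterations):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()
    return hmac.compare_digest(candidate, digest)


def audit_weak_sha256(records):
    """Defender-side audit over stored (salt, digest) pairs: count records whose
    password is in COMMON_PASSWORDS. Salting forces one SHA-256 per record per
    guess, which is still cheap; only a strong password escapes the match."""
    return sum(
        1 for salt, digest in records
        if any(verify_sha256_salted(p, salt, digest) for p in COMMON_PASSWORDS)
    )
```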
Formspring needs to be applauded for employing a fairly strong hashing mechanism and for being quick to react. However, the security breach once again reinforces the belief that no web service is truly safe. Hence, it’s always a good idea to have a unique password for every website. If you use your Formspring password on other services as well, it is advised that you change your password on those services too. Going forward, you might want to use a password manager like LastPass.
Self-styled cyber Robin Hood Glenn Mangham, who is only a year younger than Facebook CEO Mark Zuckerberg, was jailed for 8 months by a British court today. He was also given a serious crime prevention order restricting his access to the internet and forfeiting his computer equipment. He admitted infiltrating the website from his bedroom between April and May last year.
As part of his operation, he hacked into the account of a Facebook employee and managed to reset his password. He used it to access restricted internal information while the staff member was away on holiday. Though he deleted his electronic footprint, his penetration was discovered by a routine security review by Facebook. He had apparently stolen “invaluable” intellectual property that was downloaded on his external hard drive.
The self-described “ethical hacker” said that he wanted a mini project to point out vulnerabilities, and chose Facebook because of its high profile. He is no newbie at high-profile hacking. He had also hacked into Yahoo, but then his actions were looked upon by Yahoo as an opportunity for it to improve its security. In his defense, it was claimed that he had not tried to sell any of the information he obtained from Facebook or pass it on to anyone else. But prosecutor Sandip Patel rejected his claims and said, “He acted with determination, undoubted ingenuity and it was sophisticated, it was calculating.”
Judge McCreath said,
“I bear in mind you have never been in trouble before, that you’re young in physical years and maybe emotionally younger than your physical age, and I bear in mind all the aspects of your psychological and personal make-up. I acknowledge also that you never intended to pass any information you got through these criminal offences to anyone else and you never did so, and I acknowledge you never intended to make any financial gain for yourself from these offences.
You and others who are tempted to act as you did really must understand how serious this is. The creation of that risk, the extent of that risk and the cost of putting it right mean at the end of it all, I’m afraid, a prison sentence is inevitable. You accessed the very heart of the system of an international business of massive size, so this was not just fiddling about in the business records of some tiny business of no great importance.”
Facebook spent $200,000 (£126,400) dealing with Mangham’s crime. A Facebook spokesman said, “We applaud the efforts of the Metropolitan Police and the Crown Prosecution Service in this case, which did not involve any compromise of personal user data.”
Valve’s Gabe Newell issued a statement on the digital distribution giant’s news portal regarding the hacker intrusion of its systems last year. Newell, the CEO of the gaming company, stated that amongst other harmless data the intruders may have stolen logs that contain credit card numbers and other such things (encrypted, mind you) and data on all the transactions done between 2004 and 2008. He further advises everyone to monitor their credit card statements carefully and change their Steam passwords.
Recently we learned that it is probable that the intruders obtained a copy of a backup file with information about Steam transactions between 2004 and 2008. This backup file contained user names, email addresses, encrypted billing addresses and encrypted credit card information. It did not include Steam passwords.
We do not have any evidence that the encrypted credit card numbers or billing addresses have been compromised. However, as I said in November, it’s a good idea to watch your credit card activity and statements. And of course keeping Steam Guard on is a good idea as well.
Steam Guard is the secondary authentication token sent directly to your registered email ID when you sign in to Steam from a new computer. This is like Google’s authentication and provides a code that you have to enter after typing in your username and password. This ensures that unauthorized access to your Steam account is not easy.
As always, we ask our readers to remain vigilant against these threats as well as phishing scams and other things that have been talked about recently on Techie Buzz.
In the past couple of weeks, more than 300 people have been arrested in connection with the Occupy Oakland protests. Multiple incidents of violence were reported across Oakland with the police often resorting to the use of excessive force. As you might have guessed, the police clampdown didn’t sit well with Anonymous, which has retaliated in the only way it knows how. Anonymous has leaked private information of several top city officials, who may or may not have had a role to play in the reported police brutality.
Date of birth, address, private phone number, salary, social media accounts and other information of several prominent Oakland officials including the Mayor Jean Quan and her husband, City Administrator Deanna Santana, police Chief Howard Jordan, City Attorney Barbara Parker, and all City Council members, have been leaked. The only council member to be spared is Rebecca Kaplan. Anonymous thanked her for “being a true leader in the community” and revealed only her public phone number.
The hacked information is available on Pastebin, but Anonymous being Anonymous also released a dramatic video to announce their latest move. The video and its transcript are embedded below.
Anonymous has been watching. Since the inception of Occupy Oakland, We have been actively monitoring your behavior, and exposing the identities and sensitive information of Officers of the Oakland Police Department; as they have continued to act in an unprofessional and violent manner. You tear gassed Us. You shot Us with your weapons. You arrested Us. You beat Us. You also did this to Our Friends, and to Our Families. We watched as you cut budgets, cut Our jobs, closed Our schools, Our parks, and Our libraries, while leaving your own salaries alone. We laughed in disgust as Deanna Santana said she would need to speak to her attorney before discussing her pay cut. The people on this list are supposed to represent the best of what the City of Oakland has to offer. If they are the best, why is there so much trouble within the Police Department, and in the City of Oakland?
We are shocked and disgusted by your behavior. Before you commit atrocities against innocent people again, think twice.
You should have expected Us.
It looks like the SOPA war is getting bigger with another new group called UGNazi stepping in and hacking sites which support SOPA. The group has currently hacked Coach.com and Coachfactory.com to protest SOPA and are going to hack more sites in retaliation.
All three sites are currently redirecting to a site called ugnazi.com, which was created yesterday. It is not clear whether this is a new group or another form of Anonymous, who have been taking down websites like those of the FBI, CIA and more to retaliate against government control and the shutdown of sites like Megaupload.
Over the past few days, Megaupload was shut down by the FBI, and several other file sharing websites pulled the trigger on themselves, with FileSonic stopping downloads, Uploaded.to blocking U.S. users and several other file sharing websites shutting operations.
The UGNazi group had earlier hacked the UFC.com website and is against the US SOPA and Europe’s ACTA bill, which are draconian anti-piracy bills in their current form.
We understand that these websites will enevitably (sic) take back their website.
We don’t steal users data, only here to make them aware.
From SOPA/PIPA, to ACTA to just pissing us off…there is always a reason
It is unclear if the group is associated with Anonymous, but it looks like their motives are the same. SOPA, PIPA and now ACTA have definitely stirred quite a few users on the internet, and we will definitely keep seeing more such attacks in the future.
Continuing their role as a silly bunch of hackers with vague goals, assaulting easy-to-hack sites and then twisting their victims to somehow fit into their agenda, the #Antisec team of [probably] Anonymous has struck again! Now, as you can see, I have a poor opinion of these attacks. This is mostly due to their terrible handling of the previous attack on Stratfor and their misappropriation of money stolen from credit cards. Now I do not know what wrong Stratfor, or their latest target SpecialForces.com, did, but merely standing by and doing business is something these Anons cannot stand. As I have said before, we live in sad times.
The pretext that Antisec put up to attack SpecialForces.com, a security gear supply store (they stock items like knives, combat apparel and the like), is merely existing:
[W]e are announcing our next target: the online piggie supply store SpecialForces.com. Their customer base is comprised primarily of military and law enforcement affiliated individuals, who have for too long enjoyed purchasing tactical combat equipment from their slick and professional-looking website.
According to the group, which is yet to be properly identified (they just mentioned Merry LulzXmas and #Antisec in their release, and since they mentioned Stratfor, I am assuming they are Anonymous), this attack is indirectly related to the pepper-spraying cop of UC Davis fame. How very… precise, Anons.
We will have more on this as it develops.
Anonymous, being the decentralized hacker group that it is, does newsworthy works of note as well as rather asinine things that despoil its name, as well as the term ‘hacktivist’, for the rest of the world. Its recent escapade falls under the second category: Anonymous hackers broke into security company Stratfor and mined it for credit card information. Apparently this was done to misappropriate the money and use it for donations to charitable institutions for Christmas.
The Austin, Texas-based security company is already in talks with law enforcement to contain the confidential documents’ leak. With clients ranging from Apple Inc. to the U.S. Air Force, the company had better work quickly to save both its reputation and corporate and military secrets. In addition, it seems that Stratfor has pulled a Sony by not encrypting the credit card information, leading to many unauthorized transactions alleged by the victims, especially for those who were in need of the money to get home for the Holidays and the like. Terrible move there, Anonymous.
It also seems like Anonymous forgot about the chargeback fees for unauthorized transactions that have to be borne by charitable institutions like the Red Cross.
I am not sure if Anonymous wants to play Robin Hood and hide behind the veneer and motto of stealing from the rich to give to the poor, but this is not medieval England and they are not exactly stealing from the rich. Their current communiqués glorify this act of blatant stealing in the name of ‘freedom and lulz’. This is definitely not what we expected from Anonymous. It’s a sad Christmas for hacktivism.
[Photo Anonymous is Friendly? by liryon]
Japan’s top defense contractor, Mitsubishi Heavy, has confirmed that it was a victim of a cyber-attack recently. The hack attempt targeted submarine, missile and nuclear plant data stored on their computers. Reportedly, malware was found on almost 80 computers inside the company, including 45 servers and 38 PCs. This confirms that there were 80 infected computers running at 11 Mitsubishi Heavy sites for an uncertain period, nearly half of which were servers.
The attacks on Mitsubishi Heavy were spotted for the first time on August 11, and the intrusion seems to have come from a spear-phishing attack. This form of phishing involves sending spoofed emails to the recipient, crafted to look as if they come from a known email address. The day of this attack was the 80th anniversary of the Manchurian incident.
China has denied involvement with this attack. Chinese Foreign Ministry spokesperson Hong Lei says,
Such allegations are groundless. The Chinese government has always opposed Internet hacking. Chinese laws prohibit hacking and other cybercrimes. I would like to emphasize that the Chinese government is willing to cooperate with other countries to fight against cybercrimes including hacking.
The matter is still under investigation and a Mitsubishi Heavy spokesperson has said,
There is no possibility of any leakage of defense-related information at this point.
Mitsubishi Heavy is the largest and most reputed defense contractor in Japan. IHI (Ishikawajima-Harima Heavy Industries), another defense contractor in Japan, was also hit by a similar attack. While Mitsubishi Heavy specializes in submarine technology, IHI is famous for its aircraft turbochargers.
This event has occurred four months after the largest defense contractor in the US was hit by a cyber-attack. In both these cases, it is amusing to see how China is linked to every cyber-attack on defense contractors.
(Via: WSJ, Source: Al Jazeera)
You are probably aware of the shameful display of hooliganism that has ravaged several British cities including London, just a year before it is due to host the Olympics. According to reports, BlackBerry Messenger (BBM) was the primary tool used to spread and organize the riots.
The riots started on August 6, in response to the police shooting of Mark Duggan in Tottenham. A protest march by a couple of hundred people turned violent and descended into rioting, vandalism, and looting. Over the next few days, the disturbance spread to several other cities including Birmingham, Liverpool, and Nottingham. As mentioned earlier, the vandals, who were mostly youths, used BBM as their primary means of communication. UrbanMashup has dug up evidence that illustrates how BBM was used to spread information about areas that were being attacked and were vulnerable.
Reacting to the widespread allegations of misuse of BBM during the riots, the official BlackBerry UK Twitter account promised to co-operate with the police during the investigation. It issued the following brief statement on the aforementioned micro-blogging platform:
Although RIM has declined to reveal the extent of its co-operation with the police, according to The Inquirer, the Regulation of Investigatory Powers Act could be used to force Research in Motion (RIM), the Canadian manufacturer of BlackBerry, to hand over data from its encrypted BBM network.
This announcement obviously didn’t sit well with some people. A group called Team Poison defaced the official BlackBerry blog in retaliation. Team Poison has urged RIM to not cooperate with the UK police, as it believes that handing over BBM data will lead to innocent bystanders, who were at the wrong place at the wrong time, getting implicated. It also threatened to release RIM’s UK employee database to the angry rioters, if the Canadian company didn’t back down. The offending blog post has already been removed by RIM, but a screenshot provided by an HN user is embedded below.