Myspace hack puts at least 360 million users at risk

By | TechSpot

Time Inc., which recently acquired pioneering social network Myspace, has confirmed reports that the site was hacked. Like the Tumblr breach that we reported on yesterday, the compromised Myspace data dates back several years.

Time said earlier today that it first became aware shortly before Memorial Day weekend that stolen Myspace credentials were being made available in an online hacker forum. The data, which consists of usernames, passwords and e-mail addresses, was apparently swiped from the old Myspace platform – or in other words, prior to June 11, 2013, when the site was relaunched with strengthened security.

As of writing, Time says it doesn’t appear as though any financial data was compromised. What’s more, the breach does not impact any of Time’s other systems or subscribers.

Myspace is in the process of notifying affected users and is working with law enforcement in hopes of figuring out who was behind the attack. The site has also wiped all of the passwords of impacted users so at the very least, the data can’t be used to log into Myspace.

This is the second major security breach to surface this week in which the theft of data took place years earlier. Dated breaches like this may seem like less of a concern given their age but in fact, they present some unique challenges.

With data this old, it’s entirely possible that it has already been picked through before being made available on the black market. Furthermore, people weren’t quite as concerned with security and privacy in early 2013 as they are today, meaning passwords were probably a bit less complex on average. Using the same password across multiple sites was also more common back then, and it’s entirely possible that some haven’t gone back and changed passwords for older accounts they might not use as often these days, like Myspace.

The only real silver lining here is that yes, the data is old and is less likely to be up-to-date.

In a post on Myspace’s blog, the site says it suspects Russian hacker “Peace” is responsible for the attack, the same person that recently posted LinkedIn and Tumblr data on the underground market.

Neither Time nor Myspace would say how many accounts were compromised although a report from LeakedSource says the data set contains a whopping 360,213,024 records. Each “record” may contain a username, e-mail address, password and in some cases, a second password. The site notes that more than 68 million records had a second password attached.

The publication further reports that passwords were hashed with SHA-1 and stored without salting. As you may know, a salt is a per-user random value mixed into the hash before it is stored; without one, identical passwords produce identical hashes and a single precomputed table can be reused against every account, which makes cracking far easier. Worse yet, LeakedSource reports that very few passwords were over 10 characters in length and nearly none of them contained an upper case letter, making them even easier to crack.
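To make the salting point concrete, the following is an added example (not code from the article or from Myspace) that contrasts the legacy scheme the report describes, a single unsalted SHA-1 over the password, with a salted, deliberately slow hash from the Python standard library. The credential set is constructed for the demonstration; the password strings, user names and iteration count are assumptions, not data from the breach.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credential set (not breach data). Two users share a password.
SAMPLE_PASSWORDS = {
    "alice": "summer2013",
    "bob": "summer2013",
    "carol": "Tr0ub4dor&3",
}


def sha1_unsalted(password: str) -> str:
    """Legacy scheme described in the article: one SHA-1 over the password alone."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def shared_hash_groups(records: dict) -> dict:
    """Group users whose unsalted digests collide.

    With no salt, equal passwords give equal hashes, so anyone holding the dump can
    see which accounts share a password and crack all of them with one guess.
    """
    groups: dict = {}
    for user, pw in records.items():
        groups.setdefault(sha1_unsalted(pw), []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def pbkdf2_salted(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> tuple:
    """Hardened form: a random per-user salt plus a slow key-derivation function
    (PBKDF2-HMAC-SHA256). Returns (salt, digest); both are stored with the record."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_salted(password: str, salt: bytes, expected: bytes,
                  iterations: int = 200_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = pbkdf2_salted(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    print("users sharing an unsalted hash:", shared_hash_groups(SAMPLE_PASSWORDS))
    salt, digest = pbkdf2_salted("summer2013")
    print("salted verify:", verify_salted("summer2013", salt, digest))
```

Hashing the same password twice with `pbkdf2_salted` yields two different digests because each call draws a fresh salt, which is exactly the property the unsalted SHA-1 scheme lacks.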

Report: New hack lets an attacker bypass password-locked Android home screens

If no one has been able to convince you to take your device’s security seriously, perhaps this hack will do it.

A video uncovered by Ars Technica shows someone able to use the emergency call access to gain entry to a locked phone, even though it’s protected with a password.

The individual in the video types a large string of characters into the call window and copies them to the device’s clipboard. The hacker is then able to open the camera from the locked device, access the options menu, and paste several characters into the password prompt. The phone then unlocks.

The vulnerability was introduced in Android 5.0 and was fixed in the LMY48M Android 5.1.1 build released to Nexus devices (you can always grab it yourself from the Nexus Factory Images page). However, the vast majority of Android handsets aren’t of the Nexus variety, which means you’re vulnerable to this hack until your device is updated. Fortunately, the attack only works if you use a password to unlock your device; you can use a PIN or pattern unlock to protect yourself. If you use a fingerprint unlock, you would need to have a PIN or pattern as the backup to fully stay secure.

Why this matters: It hasn’t been a great year for Android security, as this minor hack comes after the big scare of Stagefright. It demonstrates that Google and device manufacturers all need to step up their game so everyone can enjoy better security and not worry about a new hack every week.

Source: Report: New hack lets an attacker bypass password-locked Android home screens | PCWorld

Just-released WordPress 0day makes it easy to hijack millions of websites [Updated]

Our blog was not affected…NCCT

Update: About two hours after this post went live, WordPress released a critical security update that fixes the 0day vulnerability described below.

The WordPress content management system used by millions of websites is vulnerable to two newly discovered threats that allow attackers to take full control of the Web server. Attack code has been released that targets one of the latest versions of WordPress, making it a zero-day exploit that could touch off a series of site hijackings throughout the Internet.

Both vulnerabilities are known as stored, or persistent, cross-site scripting (XSS) bugs. They allow an attacker to inject code into the HTML content received by administrators who maintain the website. Both attacks work by embedding malicious code into the comments section that appears by default at the bottom of a WordPress blog or article post. From there, attackers can change passwords, add new administrators, or take just about any other action legitimate admins can perform. The more serious of the two vulnerabilities affects WordPress version 4.2 because, as of press time, there is no patch.

“If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors,” Jouko Pynnönen, a researcher with Finland-based security firm Klikki Oy, wrote in a blog post published Sunday evening. “Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.”

The exploit works by posting some simple JavaScript code as a comment and then adding a massive amount of text—about 66,000 characters or more than 64 kilobytes worth. Once the comment is processed by someone logged in with WordPress administrator rights to the site, the malicious code will be executed with no outward indication that an attack is under way. By default, WordPress doesn’t automatically publish comments to a post unless the user has already been approved by an administrator. Attackers can work around this limitation by posting a benign comment that gets approved. By default, subsequent comments from that person will be automatically approved and published to the same post.

Here’s a video of the proof-of-concept attack in progress:

The attack is similar to one disclosed last week by researcher Cedric Van Bockhaven. That attack also embedded malicious code into comments that was executed when viewed by admins. The underlying vulnerability was fixed with last week’s release of WordPress 4.2. A swarm of WordPress plugins were also recently updated to kill XSS vulnerabilities. At the moment, there’s no fix for the most recently disclosed bug. Once a patch is available, WordPress admins should install it right away. In the meantime, they should consider disabling comments or installing a comment plugin such as Akismet to mitigate exploits.

via Just-released WordPress 0day makes it easy to hijack millions of websites [Updated] | Ars Technica.
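The defensive side of a stored-XSS bug in comments comes down to two things: output-encode every untrusted comment before it reaches an administrator's browser, and give moderators a way to spot the suspicious ones. The block below is an added example in Python (not WordPress code, which is PHP, and not the researcher's proof of concept); the sample comments are constructed, and the 64 KB threshold is taken from the size the article cites for the exploit comment.

```python
import html
import re

# The article describes an exploit comment of roughly 64 kilobytes; treat anything
# that large as worth a moderator's attention.
MAX_COMMENT_BYTES = 64 * 1024

# Constructed sample comments for the demonstration (not the published exploit).
SAMPLE_COMMENTS = [
    "Great post, thanks!",
    '<script>document.title="x"</script>' + "A" * (MAX_COMMENT_BYTES + 100),
    '<a href="https://example.com" onmouseover="x()">link</a>',
]

# Script tags and inline event handlers are the markup a moderator cares about most.
SCRIPT_OR_HANDLER = re.compile(r"<\s*script\b|\son[a-z]+\s*=", re.IGNORECASE)


def render_comment(body: str) -> str:
    """Output-encode an untrusted comment body for display.

    Every character with meaning in HTML (<, >, &, quotes) becomes an entity, so
    stored markup is shown as text rather than interpreted by the admin's browser.
    """
    return html.escape(body, quote=True)


def triage_comment(body: str) -> list:
    """Moderation/detection side: return the reasons a comment looks suspicious."""
    findings = []
    if len(body.encode("utf-8")) > MAX_COMMENT_BYTES:
        findings.append("oversized")
    if SCRIPT_OR_HANDLER.search(body):
        findings.append("script-or-handler")
    return findings


if __name__ == "__main__":
    for comment in SAMPLE_COMMENTS:
        print(triage_comment(comment), render_comment(comment)[:60])
```

Encoding at render time is the fix; the triage function only helps a moderator prioritise, and must never be relied on instead of encoding, since a pattern list is easy to miss with.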

Google wrangles with Mississippi attorney general after Sony leaks

The recent data breach at Sony Pictures Entertainment has prompted a war of words between Google and the U.S. movie industry, with the Internet giant accusing a state attorney general of collaborating with movie studios in a copyright enforcement campaign against it.

The dispute has spilled over into the U.S. court system. On Monday, Judge Henry Wingate of the U.S. District Court for the Southern District of Mississippi gave Google an additional two months to respond to a 79-page subpoena filed in October by Mississippi Attorney General Jim Hood, according to an Associated Press report. Hood had originally given Google until Jan. 5 to respond.

Google on Friday asked the court to throw out the subpoena, days after the company accused Hood of using Motion Picture Association of America lawyers to draft a letter accusing Google of profiting from online piracy and illegal drug sales.

The movie studios have long accused Google of not doing enough to stop online distribution of pirated films. But the latest tiff started after emails released by Sony hackers showed the MPAA, Sony and five other large movie studios working together to attack a company code-named Goliath, widely believed to be Google.

The multi-year campaign by the studios would “rebut Goliath’s public advocacy” and “amplify negative Goliath news,” the Verge reported in mid-December. The campaign included an effort to work with state attorneys general and major ISPs to control the flow of data online, the Verge reported.

News reports about the MPAA’s Goliath campaign prompted Google general counsel Kent Walker, in a blog post last Thursday, to accuse the MPAA and Hood of trying to revive the controversial Stop Online Piracy Act [SOPA], the antipiracy bill killed in the U.S. Congress in early 2012 after massive online protests.

In the Friday filing asking the Mississippi court to kill Hood’s subpoena, Google’s lawyers argue that Hood’s investigation of Google is trumped by federal laws, including legal protections in the Communications Decency Act for Web-based services that publish third-party content.

“For the last 18 months, the Mississippi attorney general has threatened to prosecute, sue or investigate Google unless it agrees to block from its search engine, YouTube video-sharing site, and advertising systems third-party content … that the attorney general deems objectionable,” Google’s lawyers wrote. “When Google did not agree to his demands, the attorney general retaliated, issuing an enormously burdensome subpoena and asserting he now has ‘reasonable grounds to believe’ that Google has engaged in ‘deceptive’ or ‘unfair’ trade practice.”

A spokeswoman for Hood didn’t respond to a request for comment on the Google court filing, but Hood on Friday reportedly called for a “time out” in his dispute with Google.

The MPAA, however, has not backed down. “Google’s effort to position itself as a defender of free speech is shameful,” MPAA spokeswoman Kate Bedingfield said by email. “Freedom of speech should never be used as a shield for unlawful activities and the internet is not a license to steal.”

Google’s blog post last week was a “transparent attempt to deflect focus from its own conduct and to shift attention from legitimate and important ongoing investigations by state attorneys general into the role of Google search in enabling and facilitating illegal conduct,” she added.

Bedingfield, responding to the accusations that MPAA lawyers have assisted Hood’s investigation, pointed to a Public Citizen blog post defending the practice of state attorneys general getting assistance from outside lawyers.

“Hiring outside counsel to do consumer protection work that many AG offices are understaffed to handle expands the enforcement power of those offices,” wrote Scott Michelman of Public Citizen’s Litigation Group. “The state can better enforce its laws, protect its citizens, and potentially reap financial benefits by recovering money it wouldn’t have otherwise.”

via Google wrangles with Mississippi attorney general after Sony leaks | PCWorld.

Popular websites still vulnerable to OpenSSL hijacking attack

Some of the Internet’s most visited websites that encrypt data with the SSL protocol are still susceptible to a recently announced vulnerability that could allow attackers to intercept and decrypt connections.

On June 5, developers of the widely used OpenSSL crypto library released emergency security patches to address several vulnerabilities, including one tracked as CVE-2014-0224 that could allow attackers to spy on encrypted connections if certain conditions are met.

Until a few years ago, full-session encryption via HTTPS (HTTP with SSL) was mainly used by financial, e-commerce, and other sites dealing with sensitive information. However, the increasing use of mobile devices that often connect over insecure wireless networks, coupled with the past year’s revelations of upstream bulk data collection by spy agencies, led to a large number of sites adding support for it.

OpenSSL is the most popular cryptographic library for implementing SSL/TLS support on Web servers.

In order to exploit CVE-2014-0224 to decrypt and modify SSL traffic, attackers would need to have a “man-in-the-middle” position between a client and a server that both use OpenSSL. Furthermore, the server would need to run an OpenSSL version from the 1.0.1 branch.

According to scans performed Thursday by Ivan Ristic, who runs the SSL Labs at security vendor Qualys, about 14 percent of sites monitored by the SSL Pulse project run a version of OpenSSL that allows exploiting the CVE-2014-0224 flaw.

The SSL Pulse project monitors the strength of SSL implementations on HTTPS-enabled sites from the list of top 1 million most visited sites as published by Internet statistics firm Alexa—154,406 sites as of June 2nd.

An additional 36 percent of websites from the SSL Pulse data set run OpenSSL versions from the 0.9.x or 1.0.0 branches that also contain the flaw, but against which the exploit known so far doesn’t work.

Those servers should be upgraded too because it’s possible that there are other yet-to-be-discovered ways to exploit the problem, Ristic said in a blog post Friday.

The patching rate for CVE-2014-0224 does not appear to be as high as the one for Heartbleed, a more serious vulnerability revealed at the beginning of April that also affected OpenSSL clients and servers.

“The good news is that most browsers don’t rely on OpenSSL, which means that most browser users won’t be affected,” Ristic said. “However, Android browsers do use OpenSSL and are vulnerable to this attack. Additionally, many command-line and similar programmatic tools use OpenSSL. A particularly interesting target will be various VPN products, provided they are based on OpenSSL (like, for example, OpenVPN).”

Website administrators who want to check if their servers are vulnerable to CVE-2014-0224 can use a free online testing tool developed by Qualys SSL Labs.

via Popular websites still vulnerable to OpenSSL hijacking attack | PCWorld.
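The article's exposure picture depends on which OpenSSL branch a server runs: 1.0.1 is where the published attack works, 0.9.x and 1.0.0 carry the flaw without a known exploit, and anything at or above the fixed release on its branch is patched. The following added example (not Qualys's tool or OpenSSL code) turns that into a triage function over the output of `openssl version`. The fixed release letters (0.9.8za, 1.0.0m, 1.0.1h) come from the June 5 OpenSSL advisory and are not on the page; the banners in the test are constructed.

```python
import re
from typing import Optional

# First fixed release on each branch, per the OpenSSL advisory of June 5, 2014.
# These version strings are not stated in the article above.
FIXED = {
    (0, 9, 8): "za",
    (1, 0, 0): "m",
    (1, 0, 1): "h",
}

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner: str) -> Optional[tuple]:
    """Parse 'OpenSSL 1.0.1g 7 Apr 2014'-style output into ((major, minor, patch), letters)."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def letters_key(letters: str) -> tuple:
    """OpenSSL patch letters order as a < ... < z < za < zb: shorter suffixes sort first."""
    return (len(letters), letters)


def triage(banner: str) -> str:
    """Classify a server's OpenSSL build for CVE-2014-0224 using the article's branch rules."""
    parsed = parse_version(banner)
    if parsed is None:
        return "unknown"
    branch, letters = parsed
    fixed = FIXED.get(branch)
    if fixed is not None and letters_key(letters) >= letters_key(fixed):
        return "patched"
    if branch == (1, 0, 1):
        return "vulnerable-known-exploit"      # the published attack works against servers here
    if branch[:2] == (0, 9) or branch == (1, 0, 0):
        return "vulnerable-no-known-exploit"   # flaw present; upgrade anyway, as Ristic advises
    return "outside-advisory-scope"


if __name__ == "__main__":
    for b in ("OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 1.0.1h 5 Jun 2014", "OpenSSL 0.9.8y 5 Feb 2013"):
        print(b, "->", triage(b))
```

This checks the library version a host reports about itself, which is the right test for an administrator with shell access; the SSL Labs tool mentioned in the article probes the server's TLS behaviour from outside, which also catches builds whose banner has been patched by a distribution without changing the letter.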

Critical Windows USB exploit allows flash drives to grant root access, patch issued

Microsoft’s Patch Tuesday yielded an interesting security fix for a glaring vulnerability in how the Windows kernel handles USB device enumeration. The critical vulnerability allowed potential hackers with physical access to a Windows PC to run arbitrary code with system user privileges — even while Windows was locked and users logged off.

Would-be hackers could exploit the security hole by merely inserting a specially-formatted USB flash drive with a custom device descriptor. During device detection, the Windows kernel would parse this information and execute malicious code found on such a USB drive, irrespective of autorun or AutoPlay settings. The code would run with elevated system privileges.

Microsoft’s researchers admit this attack may indicate other, similar “avenues of exploitation” — but perhaps where physical access to the host system is not required.

The vulnerability (MS13-027) is found across all versions of Windows ranging from Windows 8 to as far back as Windows XP SP2, including Windows Server variants.

Because the hack requires no user interaction and exploits how Windows kernel-mode drivers handle memory-resident objects, the security snafu could be exploited even without a logged on user or while a Windows system is locked.

Having physical access to a computer can make rooting a standard Windows box relatively straightforward; however, exploits which require only brief casual access can be dangerous, particularly in office and educational settings — a user’s privacy and security can be compromised in a matter of seconds.

Microsoft addressed this security issue in yesterday’s round of updates. Windows Update is the simplest way to install the patch, but it can also be downloaded and installed manually.

via Critical Windows USB exploit allows flash drives to grant root access, patch issued – TechSpot.
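The article says the kernel parsed a device-supplied descriptor during enumeration but not what the parsing defect was. What makes descriptor parsing hazardous in general is that every length field (bLength on each descriptor, wTotalLength on the configuration descriptor) arrives from the device and must be checked against the bytes actually received before it steers a read. The block below is an added example, not Windows code and not a reconstruction of MS13-027: a bounds-checked walk over a constructed USB configuration descriptor blob, with two malformed blobs that a trusting parser would read past.

```python
import struct

DESCRIPTOR_NAMES = {1: "device", 2: "configuration", 4: "interface", 5: "endpoint"}


class DescriptorError(ValueError):
    """Raised for any device-supplied length that does not fit the received data."""


def walk_descriptors(blob: bytes) -> list:
    """Walk concatenated USB descriptors, returning (bDescriptorType, bLength) per entry.

    Each descriptor starts with bLength and bDescriptorType. Both the header and the
    full bLength span are checked against the buffer before anything is read.
    """
    out = []
    off = 0
    while off < len(blob):
        if len(blob) - off < 2:
            raise DescriptorError(f"truncated descriptor header at offset {off}")
        blen, btype = blob[off], blob[off + 1]
        if blen < 2:
            # A zero or one-byte bLength would also stall the loop forever.
            raise DescriptorError(f"bLength {blen} < 2 at offset {off}")
        if off + blen > len(blob):
            raise DescriptorError(f"bLength {blen} at offset {off} runs past {len(blob)}-byte buffer")
        out.append((btype, blen))
        off += blen
    return out


def parse_configuration(blob: bytes) -> dict:
    """Parse a configuration descriptor and the descriptors it claims to contain."""
    if len(blob) < 9 or blob[0] != 9 or blob[1] != 2:
        raise DescriptorError("not a configuration descriptor")
    w_total = struct.unpack_from("<H", blob, 2)[0]
    if w_total > len(blob):
        raise DescriptorError(f"wTotalLength {w_total} exceeds received {len(blob)} bytes")
    descs = walk_descriptors(blob[:w_total])
    return {"total_length": w_total,
            "descriptors": [DESCRIPTOR_NAMES.get(t, f"type{t}") for t, _ in descs]}


def is_well_formed(blob: bytes) -> bool:
    try:
        parse_configuration(blob)
        return True
    except DescriptorError:
        return False


# Constructed blobs (not captured from any device).
# Well-formed mass-storage style layout: configuration(9) + interface(9) + endpoint(7) = 25 bytes.
_CONFIG = bytes([9, 2, 25, 0, 1, 1, 0, 0x80, 50])
_IFACE = bytes([9, 4, 0, 0, 1, 8, 6, 0x50, 0])
_ENDPT = bytes([7, 5, 0x81, 2, 0, 2, 0])
GOOD = _CONFIG + _IFACE + _ENDPT
# Interface descriptor claims bLength 0xFF: a trusting parser reads 255 bytes from a 25-byte buffer.
BAD_LENGTH = _CONFIG + bytes([0xFF]) + _IFACE[1:] + _ENDPT
# wTotalLength 0x7FFF while only the 9-byte configuration header was received.
BAD_TOTAL = bytes([9, 2, 0xFF, 0x7F, 1, 1, 0, 0x80, 50])


if __name__ == "__main__":
    print(parse_configuration(GOOD))
    for name, blob in (("BAD_LENGTH", BAD_LENGTH), ("BAD_TOTAL", BAD_TOTAL)):
        print(name, "well-formed:", is_well_formed(blob))
```

The same two checks, header fits and claimed span fits, are what any enumeration code should apply before dereferencing a descriptor, whatever the specific bug behind this patch turned out to be.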