(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

(credit: @amlolzz)

Hackers have published almost 15 gigabytes worth of password data, donation records, and source code taken during the recent hack of the Patreon funding website.

The data has been circulating in various online locations and was reposted here by someone who said it wasn't immediately possible to confirm the authenticity of the data. Security researcher Troy Hunt has since downloaded the archive file, inspected its contents, and concluded that they almost certainly came from Patreon servers. He said the amount and type of data posted by the hackers suggest the breach was more extensive and potentially damaging to users than he previously assumed.

"The fact that source code exists ... is interesting [and] suggests much more than just a typical SQL injection attack and points to a broader compromise," he told Ars. Referring to the inclusion of a 13.7-gigabyte database, he added: "At the very least, it means mapping individuals with the Patreon campaigns they supported. There's more data. I'll look closer once the restore is complete."



Hackers broke into a server and made off with names, driver license numbers, and other personal information belonging to more than 15 million US consumers who applied for cellular service from T-Mobile.

The breach was the result of an attack on a database maintained by credit-reporting service Experian, which was contracted to process credit applications for T-Mobile customers, T-Mobile CEO John Legere said in a statement posted online. The investigation into the hack has yet to be completed, but so far the compromise is known to affect people who applied for T-Mobile service from September 1, 2013 through September 16 of this year. It's at least the third data breach to affect Experian disclosed since March 2013.

"Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected," Legere wrote. "I take our customer and prospective customer privacy VERY seriously. This is no small issue for us. I do want to assure our customers that neither T-Mobile’s systems nor network were part of this intrusion and this did not involve any payment card numbers or bank account information."


[security bulletin] HPSBPV03516 rev.1 - HP VAN SDN Controller, Multiple Vulnerabilities

(credit: Patreon)

Patreon, the website that allows people to maintain regular donations to a website, an artist, or project, announced late Wednesday that it had sustained a security breach.

The site said some registered names, e-mail addresses, and mailing addresses were accessed after someone managed to access a “debug version of our website” that at the time was accessible to the public.

Jack Conte, the co-founder and CEO, wrote in a statement:



Defense One

DOD's Current InfoSec Strategy Is 'Patch and Pray'. October 1, 2015. By Mohana Ravindranath, Nextgov. But DARPA Director Arati Prabhakar says that her agency is working to make computing 'mathematically, provably secure.' Research & Development.


(credit: Ron Amadeo)

There's a new round of Stagefright vulnerabilities that allows attackers to execute malicious code on more than one billion phones running ancient as well as much more recent versions of Google's Android operating system.

Stagefright 2.0, as it's being dubbed by researchers from security firm Zimperium, is a set of two bugs that are triggered when processing specially designed MP3 audio or MP4 video files. The first flaw, which is found in the libutils library and is indexed as CVE-2015-6602, resides in every Android version since 1.0, which was released in 2008. The vulnerability can be exploited even on newer devices with beefed up defenses by exploiting a second vulnerability in libstagefright, a code library Android uses to process media files. Google still hasn't issued a CVE index number for this second bug.

When combined, the flaws allow attackers to use booby-trapped audio or video files to execute malicious code on phones running Android 5.0 or later. Devices running 5.0 or earlier can be similarly exploited when they use the vulnerable function inside libutils, a condition that depends on what third-party apps are installed and what functionality came preloaded on the phone. In a blog post published Thursday, Zimperium researchers wrote:


[security bulletin] HPSBGN03424 rev.1 - HP Cloud Service Automation, Remote Authentication Bypass
[SYSS-2015-001] Kaspersky Endpoint Security - Authentication Bypass
[SYSS-2015-003] Kaspersky Small Office Security - Authentication Bypass
[SYSS-2015-002] Kaspersky Endpoint Security - Use of One-Way Hash without a Salt
[SYSS-2015-010] Kaspersky Anti-Virus - Use of One-Way Hash without a Salt
[SYSS-2015-009] Kaspersky Anti-Virus - Authentication Bypass
[SYSS-2015-008] Kaspersky Internet Security - Use of One-Way Hash without a Salt
[SYSS-2015-007] Kaspersky Internet Security - Authentication Bypass