Information Security News
A Wisconsin security firm claims that a Russian criminal group has accumulated the largest known collection of stolen online usernames and passwords via SQL injections, according to a new report in The New York Times on Tuesday.
Hold Security, which did not immediately respond to Ars’ request for comment, apparently has 1.2 billion usernames and passwords across 420,000 sites. It declined to tell The Times which companies were affected, nor name the group specifically.
In February 2014, Hold Security also discovered 360 million compromised login credentials for sale in underground crime forums. The haul, which included an additional 1.25 billion records containing only e-mail addresses, came from multiple breaches. In October 2013, the same firm discovered the circulation of 153 million user names and passwords stolen during a massive breach of Adobe's corporate network. A month later, the security firm uncovered 42 million plaintext passwords taken during a hack on niche dating service Cupid Media.
Open source threat visualization engine for infosec pros
Help Net Security
OpenDNS has released OpenGraphiti, an interactive open source data visualization engine that enables security analysts, researchers and data scientists to pair visualization and Big Data to create 3D representations of threats.
A teenage whitehat hacker said he has found a simple way that attackers can bypass the two-factor authentication system PayPal uses to protect user accounts.
The circumvention requires little more than spoofing a browser cookie set when users link their eBay and PayPal accounts, according to Joshua Rogers, a 17-year-old living in Melbourne, Australia. Once the cookie—which is tied to a function PayPal identifies as "=_integrated-registration"—is active in a user's browsing session, the two-factor authentication is circumvented, Rogers reported. That means attackers who somehow acquire someone else's login credentials would be able to log in without having to enter the one-time passcode sent to the account holder's mobile phone.
Rogers said he reported the vulnerability privately to PayPal on June 5. He said he went public two months later after receiving no response. He went on to write:
One current threat causing a lot of sleepless nights to victims is "Cryptolocker" like malware. Various variations of this type of malware are still haunting small businesses and home users by encrypting files and asking for ransom to obtain the decryption key. Your best defense against this type of malware is a good backup. Shadow volume copies may help, but aren't always available and complete.
In particular for small businesses, various simple NAS systems have become popular over the recent years. Different manufacturers offer a set of Linux based devices that are essentially "plug and play" and offer high performance RAID protected storage that is easily shared on the network. One of these vendors, Synology, has recently been somewhat in the cross hairs of many attacks we have seen. In particular vulnerabilities int he web based admin interface of the device have led to numerous exploits we have discussed before.Â
The most recent manifestation of this is "Synolocker", malware that infects Synology disk storage devices and encrypts all files, similar to the original cryptolocker. Submissions to the Synology support forum describe some of the results .
The malware will also replace the admin console index web page with a ransom message, notifying the user of the exploit. It appears however that this is done before the encryption finishes. Some users where lucky to notice the message in time and were able to save some files from encryption.
It appears that the best way to deal with this malware if found is to immediatly shut down the system and remove all drives. Then reinstall the latest firmware (may require a sacrificial drive to be inserted into the system) before re-inserting the partially encrypted drives.
To protect your disk station from infection, your best bet is:
It is important to note that while Synology has been hit the hardest with these exploits, other devices from other manufacturers had vulnerabilities as well and the same security advice applies (but typically, they listen on ports other then 5000).Â
Yesterday, I spotted the following tweet mentioning me:
Needless to say, I got intrigued, and luckily the sender of the tweet was willing to share a sample.
The sample turned out to be simple legal threat malware e-mail written in German. The e-mail claimed that the recipient downloaded a copyrighted movie and it asked for legal fees. The invoice for the legal fees was supposed to be included in the attached ".cab" file.
From: "Johannes Ullrich" Â
2014Â wurde von Ihrem Rechner mit der IP-Addresse 192.0.2.1Â um 12:13:01 der Film "Need for Speed" geladen. Nach Â§19a UrhG ist dies eine kriminelle Handlung. Unsere Anwaltskanzlei Â muss dies ans zustÃ¤ndige Amtsgericht melden, auÃer Sie Zahlen ein auÃergerichtliches Strafgeld in HÃ¶he von 436.43 EuroÂ an uns.
Die Rechnung "1234.cab" entnehmen Sie dem Anhang.
The attached .cab file runs a typical trojan downloader that could download various pieces of malware. A quick search shows a number of other reports of this email, with different "From:" names. It looks like it picks plausible German names, maybe from the contact list of infected systems. My names isn't that terrible unusual, so I don't think this is targeted at all. Sometimes it is just an odd coincidence, and they aren't really after you.
In the case above, the "From" e-mail address is not related to me. However, if an attacker sends spam using your e-mail address, it is very useful to have DMARC configured for your domain. With DMARC, you give the receiving mail server the option to report any e-mail that fails the DKIM or SPF tests to you. Only a few mail servers do so, but some of them are major public web mail systems. For example, here a quick report I just received for a domain I own:
The attachment does include a report with details why the e-mail was found to be suspect (of course, you should still be careful with attachments. These reports can be faked too!) ;-).
Infosecurity Magazine Home » Webinars » Does certification matter in infosec?
To watch this webinar you'll need an Infosecurity Magazine account. Log in or sign up for your's below. Log In. Email Address. Password Forgotten your password? Or. Sign Up. Get up-to-the-minute news and opinions, plus access to a wide assortment of ...