Information Security News
MacRumors user forums have been breached by hackers who may have acquired cryptographically protected passwords belonging to all 860,000 users, one of the top editors of the news website said Tuesday evening.
"In situations like this, it's best to assume that your MacRumors Forum username, e-mail address and (hashed) password is now known," Editorial Director Arnold Kim wrote in a short advisory. He went on to advise users to change their passwords for their MacRumors accounts and any other website accounts that were protected by the same passcode.
The MacRumors intrusion involved "a moderator account being logged into by the hacker who then was able to escalate their privileges with the goals of stealing user login credentials," Kim said. The company is still investigating how the attacker managed to compromise the privileged account.
Microsoft is retiring two widely used cryptographic technologies that are growing increasingly vulnerable to attacks that seemed unlikely just a decade ago.
The company's software will stop recognizing the validity of digital certificates that use the SHA1 cryptographic algorithm after 2016, officials said on Tuesday. SHA1 is widely used to underpin secure socket layer (SSL) and transport layer security (TLS) certificates that authenticate websites and encrypt traffic passing between their servers and end users. SHA1-based certificates are also used to digitally verify that specific software applications are legitimate and not imposter programs or programs that have been tampered with to include hidden backdoors.
The move comes as hardware improvements and research breakthroughs have made SHA1 and several other cryptographic hashing algorithms more susceptible to so-called collision attacks. Collisions occur when two distinct plaintext "messages" produce an identical hash or "digest." The security of an algorithm rests on it producing unique hashes for each plaintext string or file. The growing ease of producing collisions makes it possible for attackers to create digital forgeries that completely undermine the security of systems that rely on the weak algorithms.
One Sunday late last month, administrators at Orlando, Florida-based TorGuard were in high spirits. They had just successfully rebuffed the latest in a series of increasingly powerful denial-of-service attacks designed to cripple their virtual private networking service. Despite torrents of junk traffic that reached peaks as high as 15Gbps, the admins had neutralized the offensive by locking down the TorGuard servers and then moving them behind the protective services of anti-DoS service CloudFlare.
"This seemed to anger the attackers, however, because on Monday things got a bit more personal," TorGuard administrator Ben Van Pelt told Ars. "Unable to spam, DDoS, hack, or social engineer us, they employed the tactics of the '4chan party van.' Throughout the day our office received multiple unrequested deliveries from local pizza chains, Chinese food, and one large order of sushi. A handful of local electricians and plumbing services were also disappointed to be turned away. To my knowledge no fake calls have been placed to law enforcement yet, however nothing would surprise me at this point."
The two-month-long campaign of harassment and attacks, which Van Pelt suspects was carried out by a competing virtual private networking service, illustrates the lengths some people will go to goad their online adversaries. His experience provides a vivid account of what it’s like to be on the receiving end of a relentless stream of distributed denial-of-service attacks and ultimately what can be done to mitigate them.
Posted by InfoSec News on Nov 12: http://ajw.asahi.com/article/behind_news/social_affairs/AJ201311100027
Posted by InfoSec News on Nov 12: http://blogsofwar.com/2013/11/11/interview-hacker-opsec-with-the-grugq/
Posted by InfoSec News on Nov 12: http://www.ibtimes.co.uk/articles/521246/20131111/international-space-station-infected-malware-russian-astronaut.htm
Posted by InfoSec News on Nov 12: http://www.smh.com.au/federal-politics/political-news/asis-website-attacked-by-indonesian-hackers-20131111-2xbuc.html
Posted by InfoSec News on Nov 12: http://www.wired.com/threatlevel/2013/11/british-spies-hacked-telecom/