Tag: Hack

Microsoft’s internal bug database was hacked in 2013

Over four years ago, Microsoft's internal database for bug tracking was apparently breached by hackers. It was discovered in 2013 but never disclosed to the public, according to five former employees of the company who spoke with Reuters.

This is a serious issue because of what exactly was hacked. Microsoft's internal database of bugs contains secret security flaws and possible exploits within its widely used software that need to be fixed. With this information, hackers and foreign governments had a road map on how to breach vulnerable systems.

Microsoft was able to patch the vulnerabilities described in the stolen data within a few months after the breach was detected. The company also checked whether the leaked information had been used in other breaches around that same time, before the patches shipped, but was unable to link its internal breach to any other incident.

According to the former employees, Microsoft has since put more of an emphasis on internal security. Still, the fact that Microsoft didn't disclose that the breach occurred isn't a great move. It's not hard to follow their line of thinking -- that bringing publicity to it might encourage the group responsible to exploit these vulnerabilities more quickly because they knew the breach had been noticed and an eventual fix for these issues was coming. But the fact remains that computer systems around the world were even more vulnerable than usual because of a security breach. Had it been public, the organizations could have taken preventative measures to ensure their security.

Source: Reuters

The encryption many major companies rely on has a serious flaw

Researchers at Masaryk University in the Czech Republic uncovered a major security vulnerability in RSA keys generated by Infineon Technologies-produced chips. These chips are used in products manufactured by Acer, ASUS, Fujitsu, HP, Lenovo, LG, Samsung, Toshiba and Chromebook vendors, reports Bleeping Computer. The RSA keys generated by Infineon's chips are used in government-issued identity documents, during software signing, in authentication tokens, with message protection like PGP, in programmable smartcards and during secure browsing.

The researchers say that 1024-bit and 2048-bit keys can be recovered with little effort using only the public portion of the key. "A remote attacker can compute an RSA private key from the value of a public key. The private key can be misused for impersonation of a legitimate owner, decryption of sensitive messages, forgery of signatures (such as for software releases) and other related attacks," they said in a report. "The vulnerability does NOT depend on a weak or a faulty random number generator - all RSA keys generated by a vulnerable chip are impacted. The attack was practically verified for several randomly selected 1024-bit RSA keys and for several selected 2048-bit keys." The affected RSA library has been generating weak keys since 2012. "The currently confirmed number of vulnerable keys found is about 760,000 but possibly up to two to three magnitudes more are vulnerable," said the researchers. As Ars Technica reports, the vulnerable keys include those used in Estonian government-issued documents like e-residency cards.

The vulnerability was discovered and reported to Infineon in February and, as per the agreed-upon delay before public disclosure, the researchers will release their full report on November 2nd at the ACM Conference on Computer and Communications Security. The delay is meant to give people time to replace affected keys before the details of how the vulnerability works are published. It has also allowed vendors like Microsoft, Google, HP, Lenovo and Fujitsu to release software updates that mitigate the impact of the flaw.

The researchers have released a blog post about the vulnerability, which includes tools for testing whether existing RSA keys are secure or vulnerable. It also provides advice on what to do if you find your RSA key is compromised.
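As an added illustration (this is not the researchers' tool and not code from this page), the check below applies the public-modulus fingerprint the researchers later published: affected keys are built from primes of the form k*M + (65537^a mod M), where M is a product of small primes, so the residue of n = p*q modulo each of those small primes always lies in the subgroup generated by 65537. It assumes the first 38 odd primes as the small-prime set and takes the modulus as a Python integer; the sample inputs are constructed, not real keys.

```python
"""Fingerprint check for RSA moduli with the Infineon RSALib key structure.

Added example, not the CRoCS researchers' own tool. Affected primes have the
form k*M + (65537**a mod M), with M a product of small primes, so for n = p*q
the residue n mod r lies in the subgroup generated by 65537 modulo every small
prime r dividing M. A key that breaks this for any r is not affected; a key
that satisfies it for all of them almost certainly is (a random modulus passes
every check with only negligible probability).
"""
from functools import reduce
from typing import List, Optional

# Assumption: the first 38 odd primes (3..167) separate affected keys from
# ordinary ones at every key size; larger primorials are used for bigger keys.
SMALL_PRIMES: List[int] = [
    3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71,
    73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151,
    157, 163, 167,
]
GENERATOR = 65537  # the affected library derives its primes from powers of this


def subgroup_mask(prime: int) -> int:
    """Bitmask of the cyclic subgroup generated by 65537 modulo `prime`.

    Bit i is set iff i == 65537**a (mod prime) for some a. Bit 0 is never set,
    so a modulus divisible by `prime` fails the check for that prime.
    """
    mask, x = 0, 1
    while True:
        mask |= 1 << x
        x = (x * GENERATOR) % prime
        if x == 1:
            return mask


MASKS: List[int] = [subgroup_mask(r) for r in SMALL_PRIMES]


def has_roca_fingerprint(modulus: int) -> bool:
    """True if every residue (modulus mod r) lies in <65537> mod r."""
    return all((mask >> (modulus % r)) & 1 for r, mask in zip(SMALL_PRIMES, MASKS))


def failing_prime(modulus: int) -> Optional[int]:
    """The first small prime whose residue rules the key out, or None."""
    for r, mask in zip(SMALL_PRIMES, MASKS):
        if not (mask >> (modulus % r)) & 1:
            return r
    return None


def constructed_sample(exponent: int = 7, k: int = 3) -> int:
    """Constructed integer with the affected residue structure. Not a real key:
    it is not a product of two primes, it only reproduces n mod M."""
    m = reduce(lambda a, b: a * b, SMALL_PRIMES, 1)
    return k * m + pow(GENERATOR, exponent, m)


if __name__ == "__main__":
    ordinary = 2**1023 + 12345  # constructed 1024-bit odd integer, no structure
    print(has_roca_fingerprint(ordinary), failing_prime(ordinary))  # False 11
    print(has_roca_fingerprint(constructed_sample()))  # True
```

To check a real certificate or key, extract its modulus as an integer (for example from the PEM with any ASN.1 library) and pass it to has_roca_fingerprint; a True result means the key should be replaced.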

Via: Ars Technica, Bleeping Computer

Source: CRoCS

Iran blamed for cyberattack on UK parliament

When hackers attacked UK parliament email accounts in June, it was tempting to blame Russia. After all, it's been rather busy lately. However, it looks like people were pointing their fingers in the wrong direction. The Times has learned that British intelligence has pinned the campaign on Iran -- it'd be the country's first cyberattack against the UK, in fact. While the actual damage was relatively limited (about 30 Members of Parliament were compromised out of roughly 9,000 total accounts), the intrusion supports beliefs that Iran has become a serious player in cyberwarfare after years of being little more than a target. Officials aren't commenting on the attack, but there are a few theories as to why Iran would take this risk.

One theory suggests that this was really an exploratory mission: Iran may have been looking for data that could compromise the UK's interests or force it to make concessions. Iran may have been looking for an advantage in trade, too. There's even the possibility that factions in Iran's Revolutionary Guard were trying to undermine the country's anti-nuclear proliferation deal in a bid to cancel it, giving officials the excuse they needed to resume full nuclear technology research.

It's that last part which has politicians worried. Reportedly, officials said the link between Iran and the cyberattack has "complicated" Prime Minister Theresa May's attempts to protect the nuclear deal. They didn't believe it changed the argument in favor of the deal (if anything, it shows why Iran must be contained), but it's no longer as simple as claiming that Iran has turned a corner.

Via: Reuters

Source: The Times

Facebook locks down key data as researchers analyze Russian influence

The truth behind Facebook's involvement in Russian voter hacks continues to get more complicated. The social media company apparently knew about Russian meddling even before last year's US election. Mark Zuckerberg's company reported that 10 million people saw Russian political ads, and has handed over Russia-linked ads to Congress. According to a report in The Washington Post, however, Facebook recently scrubbed the internet of thousands of posts related to social media analyst Jonathan Albright's research, which apparently concluded that at least twice as many people had seen the ads as Facebook reported.

Needless to say, the researcher is upset. "This is public interest data," Albright told the Post. "This data allowed us to at least reconstruct some of the pieces of the puzzle. Not everything, but it allowed us to make sense of some of this thing."

Facebook confirmed to The Washington Post that while the posts had been removed, it was due to a bug in its analytics tool CrowdTangle. According to the company, Albright should never have been able to see this information. When the "bug" was quashed, Facebook told the Post, advertisers (and analysts like Albright) could no longer see information from "cached" posts that had already been taken down on Facebook (and Instagram). "We identified and fixed a bug in CrowdTangle that allowed users to see cached information from inactive Facebook Pages," Facebook spokesman Andy Stone told the Post. "Across all our platforms we have privacy commitments to make inactive content that is no longer available, inaccessible."

It's hard not to see this as a convenient excuse to hide tens of millions of potentially damning data points, of course, especially as COO Sheryl Sandberg has committed the company to transparency around the fake Russian ads. Social media analysis has become a large part of figuring out what happens in our society, and blocking access to even "taken down" posts can seem alarming. We've reached out to Facebook for comment on this matter and will update the post when we hear back.

Source: The Washington Post

Equifax may have been hacked again

When Equifax's interim CEO penned a letter of apology in The Wall Street Journal, he admitted that it will take a lot of effort to regain people's trust. Unfortunately, the company still seems to be lacking when it comes to security, because according to Ars Technica, it's been hacked yet again. Independent security analyst Randy Abrams told Ars that he was redirected to hxxp:centerbluray.info and was met with a Flash download when he went to equifax.com to contest false info on his credit report.

The fake Flash installer apparently tricks people into downloading what Symantec identifies as Adware.Eorezo, an adware that inundates Internet Explorer with advertisements. Unfortunately, we can't replicate the problem, but Abrams said he encountered the issue on three separate visits and captured one of them on video:

We reached out to Equifax to ask whether the company has already cleaned up the adware downloader. To be safe, though, don't click on any random Flash installer that pops up when you visit the agency's website in the near future.

Source: Ars Technica

Equifax breach included 10 million US driving licenses

10.9 million US driver's licenses were stolen in the massive breach that Equifax suffered in mid-May, according to a new report by The Wall Street Journal. In addition, WSJ has revealed that the attackers got a hold of 15.2 million UK customers' records, though only 693,665 among them had enough info in the system for the breach to be a real threat to their privacy. Affected customers provided most of the driver's licenses on file to verify their identities when they disputed their credit-report information through an Equifax web page. That page was one of the entry points the attackers used to gain entry into the credit reporting agency's system.

While leaked SSNs and bank details are definitely worse, driver's licenses contain some info that could make it easier to steal someone's identity, including people's height and eye color. A bad actor could use the name, address and physical characteristics in those stolen licenses as verification for someone else's identity or to carry out scams in someone else's name. If you verified your identity using your license through Equifax's website in the past and want to ensure your security, it's probably best to get a new license number.

In case you're in the UK and are more worried about the stolen UK consumer info, though, Equifax said it will contact the 693,665 affected individuals. The rest of the records only contain people's names and birthdates, which aren't considered sensitive information.

Source: The Wall Street Journal

Israel warned the US about Kaspersky after hacking its network

Kaspersky is in hot water...again. The US government recently prohibited federal agencies from using the company's products, and the FBI is reportedly convincing private entities to do the same. Its latest headache is linked to the NSA cyberattacks allegedly carried out by Russian hackers, who made off with official cyber defense material in 2015. The US intelligence agency claimed it noticed the stolen files using Kaspersky software. Little else was revealed about the incident (news of which broke last week) until now. It seems Israeli officials tipped off the US about the Russian intrusion, having hacked into Kaspersky's network, according to The New York Times.

So, to sum things up: Israel-linked hackers were watching Russian hackers breach an NSA contractor's computer in real-time using a popular anti-virus tool. It all spins an espionage web worthy of a John le Carré novel. As for Kaspersky, its response is the same boilerplate. The company claims it was "not involved in" nor "does it possess any knowledge of, the situation in question."

But, according to multiple people in the know, the Russian operation turned Kaspersky's software (to borrow the Times' phrasing) into a "Google search for sensitive information." This classified data was then extracted back to Russian intelligence systems. The NSA, however, has always restricted its analysts from installing Kaspersky's apps (which may explain why the hackers went after an agency contractor).

Kaspersky detailed the attack on its systems back in June 2015. Although it didn't pin the blame directly on Israel, it did drop a significant hint by referring to the attack as "Duqu 2.0" (in reference to the Duqu malware, which is closely related to the Stuxnet virus). The latter was a joint Israeli-American cyberweapon that inflicted considerable damage on Iran's nuclear program, in particular on its Natanz facility. But the virus didn't stop there. It ended up accidentally spreading to Indonesia, India and Azerbaijan, among other regions. Kaspersky noted that the breach, which lasted for several months, used the same algorithm as Duqu. The attack's other victims reportedly matched Israeli targets, several of which were located in the US, ruling out American collusion.

The Times reports that Israeli officials handed over screenshots and documentation of the hack to their American counterparts. The findings led, in part, to the US government's decision to block federal agencies from using the anti-virus tool -- although, Kaspersky's alleged ties to the Kremlin didn't exactly help its cause either.

Still, this doesn't necessarily mean Kaspersky Lab founder Eugene V. Kaspersky was complicit in the breach. Theoretically speaking, there's always the chance the software could have been exploited without his consent, or the consent of his staff. Nonetheless, it will do little to free Kaspersky from the maelstrom it's caught up in.

Source: The New York Times

North Korean hackers allegedly stole South Korean and US war plans 

According to a report, North Korean hackers acquired military intel last year from South Korea that included a plan to 'decapitate' North Korean leadership. According to a South Korean lawmaker, the 235 GB of data stolen from South Korea contained detailed plans drawn up in collaboration with the US, as well as contingencies and infrastructure information.

South Korean news service Yonhap reported that a lawmaking member of the country's ruling political party claimed North Korea's cyber infiltrators successfully acquired military documents. According to the service, the Pentagon didn't confirm the nature of a breach as it is a matter of intelligence, but its spokesman Army Col. Rob Manning said: "I can assure you that we are confident in the security of our operations plans and our ability to deal with any threat from North Korea."

The lawmaker, Rep. Rhee Cheol-hee, cited defense officials when claiming that North Korea stole 235 GB of data, 80 percent of which hasn't been identified. But among the known documents stolen were contingency plans for South Korea's special forces, reports to the country's allies and info on military facilities and power plants.

According to the BBC, the hack took place in September 2016. Back in May, South Korea noted that a large amount of data had been taken, and that North Korea may have been the culprit, but gave no details as to when the hack took place.

Whenever the hack occurred, its news comes at a fraught time. Weeks ago, North Korean leader Kim Jong-Un stated that Trump's incendiary tweets were equivalent to declarations of war on his country. Over a week ago, reports surfaced that the US had been participating in an extended campaign to cripple the North Korean spy department's internet access by overwhelming it with traffic. The country may have found a way to mitigate that attack vector anyway by securing a second internet connection through Russia, leaving it potentially more able to spy and hack.

Via: TechCrunch

Source: Yonhap

China denies carrying out cyberattacks against US-based activist

China claims it wasn't behind the hacking of a US think tank that was set to host exiled Chinese tycoon-turned-activist Guo Wengui. The Hudson Institute abruptly canceled its event with Guo last week, claiming it had detected a Shanghai-based attack aimed at crippling its website. The incident was raised by US Attorney General Jeff Sessions in his meeting with Chinese government officials on Wednesday, according to The Wall Street Journal. Guo himself also claimed that the law firm representing his US political asylum bid backed out after it was targeted by Chinese hackers. In a statement, China's Ministry of Public Security told Reuters it had found "no evidence" of government involvement in the alleged cyberattacks.

Guo, who left China in 2014, is an outspoken critic of the country's Communist Party. The New York-based tycoon's unsubstantiated accusations against top-tier Chinese officials on Twitter and YouTube have garnered him quite the social media following. For its part, China has issued a global "red notice" through Interpol for Guo's arrest. Although the exact charges against him remain unclear, the country's state-run media has previously accused him of bribing a vice-minister. And, in August, Chinese police opened a new investigation against the billionaire on rape charges. Guo is also facing a series of defamation lawsuits in the US from various Chinese individuals and companies. He denies all the allegations against him.

China is no stranger to charges of state-sponsored hacking. Last year, the Federal Deposit Insurance Corporation pointed the finger at the Chinese military for a spate of cyberattacks launched against it since 2010. And, in August, the FBI said it had arrested a Chinese national linked to the massive data breach that struck the Office of Personnel Management back in 2014 to 2015.

Source: Reuters

Disqus reveals it suffered a security breach in 2012

Another day, another security breach (and another, and another...). This time it's Disqus, which revealed that in 2012 -- around the time when Engadget used Disqus for comments -- hackers made off with some of its data, covering a snapshot of usernames and associated email addresses dating back to 2007, as well as "sign-up dates, and last login dates in plain text for 17.5mm users." More distressing is news that it also coughed up passwords for a third of those accounts, which were in hashed (SHA1) form, but it's possible the attackers could have cracked them.

According to Disqus, it learned of the leak Thursday evening after Troy Hunt of Have I Been Pwned obtained a copy of the site's information and informed the company. Within about 24 hours, it disclosed the breach, started contacting users and forced password resets for affected accounts.

Within the last day, Hunt has also added databases for breaches from Bit.ly and Kickstarter to his site, and he says he has three more to go. HIBP is a free service that collects the databases of account information stolen by hackers and will let you know if your information is among those affected -- signing up is probably a good idea.

If you have an account with one of the services that have been pwned, then besides needing to reset your password there, you could have a problem if that password is shared across accounts on other websites. If you've reused a password elsewhere, then it's time to change it everywhere, which is why a password manager (like LastPass or 1Password) to create and manage unique passwords is a good idea, as is enabling two-factor authentication wherever you can.

Source: Disqus, HIBP