By Mike S
Anonymous again demonstrates the importance of strong passwords:
Along with the release of these e-mails, Anonymous also exposed the passwords of 78 accounts on the Ministry’s servers. Of the passwords revealed, 31 were “12345” and a number were minor variations on that. Some of the other passwords in the set included:
By Mike S
Pretty embarrassing for Oracle and MySQL:
By Mike S
When Pacific Northwest National Laboratory detected a cyber attack–actually two of them–against its tech infrastructure in July, the lab acted quickly to root out the exploits and secure its network. PNNL then did something few other cyber attack victims have been willing to do. It decided to talk openly about what happened.
Their seven lessons learned are well worth examining – particularly the lesson about locating and purging legacy systems, rather than simply leaving them running and available for exploit.
By Mike S
So again: Palin’s AOL account was hacked because it used publicly-known answers for password-retrieval questions, a common/known exploit exposed users on O’Reilly’s site, and password-reuse by users exposed their other personal accounts.
On September 19, 2008, hackers from the Anonymous collective attacked the website of Fox News host Bill O’Reilly. The hackers found and immediately posted e-mail addresses, passwords, and physical addresses of 205 O’Reilly site members paying $5 a month to hear Bill’s wisdom. The next day, a distributed denial of service (DDoS) attack hit the site with 5,000 packets per second. That night, another attack flooded two O’Reilly servers with 1.5GB/s of data.
The attack itself wasn’t particularly clever, but it was effective. Billoreilly.com’s administrative interface was protected by a servlet that locked down access to all back-end material, but the site administrator made one small mistake: he once created a “New premium member report” showing a list of the most recent subscribers, and he created it in such a way that it bypassed the servlet. As later FBI interview notes show, this was “just an error”—but it made the new member report available outside the secure admin structure to someone who knew the location.
The attackers took the name at the top of the list, an account registered only one hour before, and used it to log into the O’Reilly site as a check of the data’s accuracy. The information was then posted to Wikileaks and discussed on 4chan. Three O’Reilly members who had used the same password on multiple other sites experienced additional fraudulent use of that information.
The article doesn’t differentiate whether the portion of Bill’s site that was hacked contained cardholder data, so I don’t know if this will be considered a breach meriting PCI DSS penalties. But it’d be quite embarrassing for Bill if his site now has to post the “We’ve been hacked!” banner.
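The bypass described above is an authorization check bound to a URL prefix rather than to the handler, so a report generated outside the guarded prefix is served to anyone who knows its location. The following is an added example, not code from billoreilly.com: the paths, role names and sample data are constructed, and the hardened version binds the role requirement to each handler and refuses to serve anything that was not registered.

```python
from functools import wraps
from typing import Callable, Dict, Optional

Handler = Callable[[Optional[str]], str]


# --- Legacy layout, as the article describes it: one gate in front of /admin/, nothing elsewhere ---
def legacy_dispatch(path: str, role: Optional[str]) -> str:
    if path.startswith("/admin/") and role != "admin":
        return "403 forbidden"
    # The report was generated outside /admin/, so the gate never sees it (hypothetical path).
    if path == "/reports/new-premium-members":
        return "200 report: alice,bob,carol"  # constructed sample data
    return "404 not found"


# --- Hardened layout: authorization is a property of the handler, not of the URL it lives at ---
_routes: Dict[str, Handler] = {}


def route(path: str, requires: Optional[str]):
    """Register a handler; the role check is wrapped around the handler itself,
    so there is no way to expose it at a path the gate does not cover."""
    def decorator(fn: Callable[[], str]) -> Handler:
        @wraps(fn)
        def guarded(role: Optional[str]) -> str:
            if requires is not None and role != requires:
                return "403 forbidden"
            return fn()
        _routes[path] = guarded
        return guarded
    return decorator


@route("/index.html", requires=None)
def index() -> str:
    return "200 welcome"


@route("/reports/new-premium-members", requires="admin")
def new_member_report() -> str:
    return "200 report: alice,bob,carol"  # constructed sample data


def hardened_dispatch(path: str, role: Optional[str]) -> str:
    """Default deny: only registered (and therefore guarded) handlers can be served at all."""
    handler = _routes.get(path)
    return handler(role) if handler else "404 not found"
```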
By Mike S
Anonymous computer hackers broke into a BART website and revealed personal information on thousands of BART riders Sunday, part of a protest that could include a disruption of train service during the Monday afternoon commute.
Transit officials closed down the myBART website, which is run by an external vendor, and urged anyone who subscribed to the news alert service to change their passwords on other websites if they use the same password they used for myBART.
The information includes names, email addresses, myBART account passwords, and in some cases mailing addresses and phone numbers. BART officials emphasized that no financial information is stored in the affected database.
I wonder if the passwords were even encrypted.
By Mike S
One of the primary methods of creating zombies is by getting computer users to unwittingly infect their computers by opening e-mails and Web pages containing malware. “If you look at the way RSA was penetrated, it was not terribly sophisticated, nothing on the order of Stuxnet, which was probably the most sophisticated attack we’ve seen in recent memory,” says Anup Ghosh, a research professor and chief scientist at George Mason University’s Center for Secure Information Systems. “Most of these attacks are executed using conventional exploits. What’s different is they’re using these exploits in new ways.”
And, unfortunately, they are also quite successful when using the same old attacks in the same old way.
Start with a good security policy, and educate your users so that they follow it. Faced with a technological hurdle, people will work around it to get their jobs done, compromising the system in the process.
By Mike S
Here’s an exciting story from eWeek: Citigroup Credit Card Portal Breach Compromises 200,000 Customers.
Cyber-attackers have breached financial giant Citigroup’s Web portal and gained access to customer credit card information. The company said the most sensitive information remained safe.
The perpetrators broke into Citi Account Online and viewed customer names, account numbers and some contact information such as email addresses, Citigroup said in a statement June 9. Social Security numbers, birth dates, card expiration dates and the security codes generally found on the back of the credit cards were not compromised as they are stored elsewhere.
Now they know real customers’ contact info, and can phish away, if not fabricate new identities from it.
While 200,000 sounds “kind of small” when compared to what happened in recent breaches, such as Sony’s 100 million, the number of records compromised is “not the important thing here,” Anup Ghosh, founder and chief scientist of Invincea told eWEEK. “It’s the loss of faith in the institution’s ability to protect us,” Ghosh said.
Financial institutions are “principal” targets for cyber-criminals, according to Brendan Hannigan, CEO of Q1 Labs. “Security trust means more than just making sure you’re in compliance with regulations,” Hannigan told eWEEK.
I’d sincerely hope Citibank is PCI DSS compliant, but as they said, it’s a baseline, not an ultimate goal.
Citi discovered the hacking incidents in early May during routine monitoring, according to The Financial Times, which broke the story June 9. Citigroup likely had spent the time trying to “quantify what was touched and what had happened,” Ghosh said.
Watch those logs!
Citigroup global enterprise payments head Paul Galant, who previously ran the bank’s credit card unit, told Reuters in April that security breaches are a fact of life for financial institutions. However, companies need to be “thinking like hackers do,” Mark Hatton, president and CEO of Core Security, told eWEEK, noting that deploying defensive technologies and hoping they keep the bad guys out is “clearly not working.”
Businesse (sic) are relying on defense mechanisms that were “developed in the last century” and have not changed since then, while attackers are creating new threats and “evolving every day,” said Ghosh.
By Mike S
This is colossally bad for RSA and users of their SecurID tokens:
RSA Security is to replace virtually every one of the 40 million SecurID tokens currently in use as a result of the hacking attack the company disclosed back in March. The EMC subsidiary issued a letter to customers acknowledging that SecurID failed to protect defense contractor Lockheed Martin, which last month reported a hack attempt.
SecurID tokens are used in two-factor authentication systems. Each user account is linked to a token, and each token generates a pseudo-random number that changes periodically, typically every 30 or 60 seconds. To log in, the user enters a username, password, and the number shown on their token. The authentication server knows what number a particular token should be showing, and so uses this number to prove that the user is in possession of their token.
The exact sequence of numbers that a token generates is determined by a secret RSA-developed algorithm, and a seed value used to initialize the token. Each token has a different seed, and it’s this seed that is linked to each user account. If the algorithm and seed are disclosed, the token itself becomes worthless; the numbers can be calculated in just the same way that the authentication server calculates them.
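To make the "seed is the only secret" point concrete, here is an added example that is not RSA's proprietary SecurID algorithm: it uses the public RFC 4226/6238 HMAC-based one-time-password construction as a stand-in, with the RFC test-vector key as a constructed demo seed. Token and server run the same function over the same seed, so anyone holding a copy of the seed computes every future code.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> int:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return code % (10 ** digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> int:
    """Time-based variant (RFC 6238): the counter is the number of `step`-second intervals since the epoch."""
    return hotp(seed, unix_time // step, digits)


def server_verify(seed: bytes, submitted: int, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Server side: it holds the same seed, recomputes the expected code and tolerates `skew` steps of drift."""
    return any(totp(seed, unix_time + d * step, step) == submitted
               for d in range(-skew, skew + 1))


# Constructed demo seed (the RFC 4226/6238 test-vector key). A real token's seed is provisioned by the
# vendor and should exist only inside the token and on the authentication server.
DEMO_SEED = b"12345678901234567890"


def token_display(now: int) -> int:
    """What the legitimate token shows at time `now`."""
    return totp(DEMO_SEED, now)


def clone_from_leaked_seed(now: int) -> int:
    """The same computation from a leaked copy of the seed: the server cannot tell it from the real token,
    which is why a seed compromise forces token replacement rather than a password reset."""
    return totp(DEMO_SEED, now)


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = clone_from_leaked_seed(now)
    print(f"token shows {token_display(now):06d}, clone computes {code:06d}, "
          f"server accepts clone: {server_verify(DEMO_SEED, code, now)}")
```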
By Mike S
Even the mighty security firm Barracuda was hacked through the simplest, well-known, and commonly-used exploits.
Barracuda’s firewall was accidentally put into passive monitoring mode, which means it let all traffic through without any analysis or blocking; it had essentially been doing nothing since late evening April 8. This gave the attacker sufficient time to poke around with an automated script that crawled the site.
It took approximately two hours of “nonstop” probing before the intruder discovered a SQL injection flaw in a PHP script used to display customer case studies. That error allowed the attacker entry into the database used for marketing programs and sales lead development efforts. The customer case study database was on the same system as the one used for marketing programs.
Do you have a way of monitoring the status of your firewall? Are internal apps as hardened as external applications?