Month: June 2016

Zuckerberg Twitter Hack Shows Danger of Password Reuse

The Zuckerberg Twitter hack has clearly demonstrated the danger of password reuse. Zuckerberg used the same password for Twitter as he did for his Pinterest and LinkedIn accounts. In spite of the Facebook founder, chairman, and CEO’s lofty position at the top of the world’s most popular social media network, he is guilty of poor data security practices like many others.

In addition to reusing passwords, Zuckerberg also chose a password of 6 digits with no capital letters, symbols, or numbers and did not change it for at least three years. The password was revealed to be “dadada.”

Mark Zuckerberg Twitter Hack Stemmed from the LinkedIn Data Breach

A collective known as OurMine was responsible for the Mark Zuckerberg Twitter hack. The collective, which is understood to hail from Saudi Arabia, gained access to data from the LinkedIn breach. The data were listed for sale a few days previously by a hacker operating under the name of “Peace”.

The LinkedIn passwords were not stored as plaintext, so a little effort was required to reverse the hash to obtain the password. While SHA-1 was thought to be impossible to reverse, it has since been shown to be a relatively straightforward task unless the passwords are also salted. In the case of LinkedIn, they were not.

Simply enter in the SHA-1 hash of a password into one of many reverse hash calculators and the plaintext password will be revealed. A search of the keyword phrase “how to reverse a sha1 password” will reveal many online options for doing so. Once the password had been obtained, access to online accounts was possible.

The Zuckerberg Twitter hack did not appear to cause anything other than some embarrassment. The group notified Zuckerberg of the hack by tweeting him using his own account, saying “we are just testing your security.” While the tweet said that Zuckerberg’s Instagram account was compromised, it has since been confirmed that this account was secure all along, as was Zuckerberg’s Facebook account.

While it is embarrassing, it should be pointed out that Zuckerberg was not a regular Twitter user, having only sent 19 tweets from his account in the past four years. His compromised Pinterest account was similarly rarely used.

Spate of Account Hacks Reported After Major Data Leaks

Other individuals were not quite so fortunate. Since the data from the LinkedIn breach was made available online, numerous celebrity social media accounts have been compromised. The Twitter accounts of celebrities such as Keith Richards and Kylie Jenner were hacked, as was the account of Tenacious D. The latter’s account was used to send a tweet saying Jack Black had died.

While these hacks have not been confirmed as stemming from the LinkedIn breach (or the MySpace or Tumblr breaches) the spate of account hijacks suggest as much.

TeamViewer GmbH was also a victim, having had numerous accounts compromised recently. The company provides remote desktop software and a number of users claim that the hacking of GmbH employee accounts enabled attackers to compromise their computers and authorize PayPal and Amazon transactions. This was attributed to “password mismanagement” by GmbH rather than any flaws in their software.

All of these account hacks show how common the reuse of passwords is, and the danger of doing so. What should be particularly worrying for businesses, is many people use their LinkedIn passwords for work accounts, or vice versa. If that password is obtained via a data breach, malicious actors could do a considerable amount of damage.

Important Online Security Best Practices

To improve security and reduce the risk of more than one account being compromised….

  • Never reuse passwords
  • Create a complex password for each platform – use symbols, capitals, and numerals
  • Change your passwords regularly – every month or three months
  • Use 2-factor authentication if available
  • Use a password manager to help keep track of passwords
  • Don’t store your passwords in your browser
  • Regularly check your email address/username against the Have I Been Pwned? database

Ransomware Research Study Shows Profits are Low for the Average Joe

A recent ransomware research study has shown the individuals running ransomware campaigns do not actually earn that much money and the success rate of attacks is relatively low. However, the threat from attacks cannot be ignored due to the volume of individuals now running their own ransomware campaigns.

For the ransomware research study, web intelligence company Flashpoint trawled underground forums and marketplaces and monitored communications over a period of five months. The purpose of the ransomware research study was to improve understanding of how ransomware campaigns are run, to learn about the players involved, and the tactics they used to run campaigns and infect end users. It helps to know thy enemy when forming a defense strategy against attacks.

For its ransomware research study, Flashpoint investigated Russian ransomware campaigns from December 2015. The attacks were predominantly carried out on organizations and individuals in the West.

Ransomware Research Study Shows Campaigns are Not as Profitable as Many People Think

Considering the disruption caused and the money lost by victims of ransomware attacks, many people believe the criminals behind the campaigns are making big bucks, but that is not necessarily the case. In fact, even “ransomware bosses” – the individuals offering ransomware-as-a-service – are not raking in anywhere near as much money as many people think.

The majority of cybercriminals who run ransomware campaigns earn well under $10,000 a month. According to the ransomware research study report, only one in five individuals who run ransomware campaigns admitted to earning in excess of this figure. The report suggests that the average monthly earnings from this type of campaign is around $600 per month.

The typical ransom is around $300 per infected computer, although the people who run the campaigns have to give the ransomware bosses 60% of their earnings. They are allowed to keep the remaining 40%, suggesting most of the people running these campaigns only get 2-3 ransoms per month.

The ransomware research study data suggest that far from allowing criminals to obtain big money from ransomware campaigns, the attacks only yield similar returns to other forms of cybercriminal activities. The only difference being the attackers can usually get their hands on money faster. Stealing data such as credit card numbers or healthcare data requires the attacker to find a buyer for those data before any money is received.

The report suggests that the typical infection rate from a campaign is between 5% and 10%, yet few of the victims end up paying the ransom. Many ransomware victims are protected having made backup copies of important files and some are able to unlock the infections using tools from security companies. Others are willing to lose data rather than pay the ransom.

Ransomware bosses that push ransomware-as-a-service using an affiliate model can make around $7,500 per month, which equates to around $90,000 a year – approximately 30 ransom payments per month for the bosses.

Most Ransomware Campaigns are Run by Novices

While there are criminal gangs and highly skilled cybercriminals who invest a lot of time and effort into their ransomware attacks, the report suggests that the majority of attackers are novices; not skilled hackers. The report suggests that many individuals choose to run campaigns using ransomware-as-a-service in the hope that they will get lucky and get a big payout. These individuals tend to run spamming campaigns based on quantity rather than quality, and send high numbers of spam emails using botnets.

Flashpoint’s ransomware research study shows just how easy it is to start sending out ransomware campaigns. This is why so many individuals choose to give it a try. All that is needed is a very small injection of capital to get started, a lack of morals about how money is earned online, and a modicum of knowledge to allow individuals to send out mass spam emails.

Adverts for ransomware-as-a-service are easy to find with the Tor browser and advice on distribution is not difficult to find. Would-be criminals with no experience are recruited with a promise of a big payout, even though the reality is that for most people the payouts will be low.

More experienced and skilled individuals send phishing emails directing victims to websites containing exploit kits, which probe for vulnerabilities and automatically download the ransomware. Another popular method of infection is to sneak adverts containing malicious links onto legitimate advertising networks.

Only a small percentage of attackers are highly skilled. These individuals tend to send out targeted campaigns. These attackers target organizations and businesses with the aim of infecting multiple machines and infiltrating networks causing widespread disruption.

These campaigns tend to involve a considerable amount of planning, and require the attacker to research targets and design targeted emails that have a high change of eliciting the desired response. According to Flashpoint’s director of Eastern European Research and Analysis, Andrei Barysevich, “The success rate of this type of operation is significantly higher, enabling criminals to earn upwards of $10,000 a month or more.”

For organizations infected with ransomware the costs can be severe. Add up the cost of disruption to the business, the time and resources required to remove infections and restore files, and the cost of implementing more robust security measures, and the cost of a ransomware attack could be tens of thousands of dollars.

With no shortage of takers for ransomware-as-a-service, and ever more sophisticated ransomware being developed, organizations must develop a host of defenses to prevent attacks from being successful.

Jetpack Plugin Vulnerability Places a Million WordPress Websites At Risk

Security researchers have discovered a serious Jetpack plugin vulnerability that places sites at risk of attack by hackers. If you run WordPress sites for your company and you use the Jetpack website optimization plugin, you must perform an update as soon as possible to prevent the flaw from being exploited.

The Jetpack plugin vulnerability can be leveraged to inject malicious JavaScript code into websites, or to insert links, videos, documents, images, and other resources. This would place visitors to the site at risk of malware or ransomware downloads. Malicious actors could embed malicious JavaScript code in the site comments, and every time a visitor views a malicious comment it would allow JavaScript code to be run. Visitors could be redirected to other websites, the flaw could be used to steal authentication cookies and hijack administrator accounts, or to embed links to websites containing exploit kits.

The flaw can also be exploited by competitors to negatively affect search engine rankings by using SEO spamming techniques, which could have serious consequences for site ranking and traffic.

Over a Million WordPress Websites Affected by the New Jetpack Plugin Vulnerability

The Jetpack plugin vulnerability was recently discovered by researchers at Sucuri. The flaw is a stored cross-site scripting (XSS) vulnerability that was first introduced in 2012, affecting version 2.0 of the plugin. All subsequent versions of Jetpack also contain the same Shortcode Embeds Jetpack module vulnerability.

Jetpack is a popular WordPress plugin that was developed by the people behind WordPress.com – Automattic – and has been downloaded and used on more than one million websites. This is not only a problem for website owners, but for web visitors who could easily have this flaw exploited to infect their computers with ransomware or malware. Flaws such as this highlight the importance of using web filtering software that blocks redirects to malicious websites.

While many WordPress plugin vulnerabilities require a substantial skill level to exploit, the jetpack plugin vulnerability takes very little skill at all to exploit. Fortunately, Jetpack has not discovered any active exploits in the wild; however, now the vulnerability has been announced, and details provided online about how to exploit the vulnerability, it is only a matter of time before hackers and malicious actors take advantage.

The flaw can only be exploited if the Shortcode Embeds Jetpack module is enabled, although all users of the plugin are strongly advised to perform a site update as soon as possible. Jetpack has worked with WordPress to get the update pushed out via the WordPress core update system. If you have version 4.0.3 installed, you will already be protected.

Jetpack reports that even if the flaw has already been exploited, updating to the latest version of the software will remove any exploits already on the website.

MySpace Data Breach: 360 Million Login Credentials Offered for Sale

Over the past few days, rumors have been circulating about a massive MySpace data breach. Initial reports suggested that 427 million usernames and passwords had been obtained by a hacker going by the name of “Peace”. The name should sound familiar. The Russian hacker is the same individual who recently listed 117 million LinkedIn login credentials for sale on an illegal darknet marketplace. The hacker was also allegedly responsible for the 65 million-record data breach at Tumblr.

360 Million Login Credentials Stolen in MySpace Data Breach

Yesterday, Time Inc., confirmed that login credentials had been listed for sale online and that a MySpace data breach had occurred, although it would appear that the stolen data was obtained some time ago. The login credentials are for the old MySpace platform and date to before June 11, 2013. While Time Inc., did not confirm exactly how many login names and passwords had been stolen, Time confirmed that the figure of 360 million that had been reported in the press in the last couple of days was probably accurate.

Usernames, passwords, email addresses, and secondary passwords are reportedly being offered for sale. Out of the 360 million logins, Leakedsourrce.com suggests that 111,341,258 of the stolen records include a username and a password, and 68,493,651 records had a secondary password compromised. Not all of those stolen records also included a primary password.

Since 2013, data security has improved considerably and many companies have enforced the use of numerals, capital letters, and symbols when creating passwords. The stolen data reportedly includes only a small percentage of accounts with a capital letter in the password. This makes the passwords much easier to crack. The algorithm used to encrypt the passwords was also weak.

The login credentials from the MySpace data breach are reportedly being offered for sale for 5 Bitcoin – approximately $2,800.

All old users of the MySpace platform, and current users who joined the website before June 11, 2013 are potentially at risk. MySpace has responded to the breach by resetting all passwords on accounts created before June 11, 2013. When these users visit MySpace again they will be required to authenticate their account and supply a new password.

Additional security measures have been employed to identify suspicious account activity and the data theft is now being investigated. It would appear that no one at MySpace was aware that its database had been breached until the data were offered for sale just before the Memorial Day weekend.

MySpace Breach Shows Why It is Important Never to Reuse or Recycle Passwords

Since the data breach appears to have occurred some time ago, it is probable that many users will have changed their passwords on the site long ago, but the data could still be used to attack past and current users. All too often passwords are recycled and used for other online accounts, and many individuals use the same passwords for different platforms or rarely (or never) change them.

The MySpace data breach shows why it is important to use a different password for each online account and to regularly change passwords on all platforms. In the event of a breach of login credentials, users will only have to secure one account. If there is a possibility that only passwords are still in use on other platforms, MySpace account holders should update their passwords as soon as possible.

Hackers have access to tools that can check to see if account login and password combos have been used on other websites.