The Data Breach Thread

[Carpet_pissr]

Thankfully for me, that was one of the ones I used LastPass to generate a random password for.

Although at this point, it just feels like spitting in the ocean. I'm just about to give up on any kind of silly security measures when seemingly everybody gets hacked eventually.

[Carpet_pissr]

DISQUS:

https://blog.disqus.com/security-alert-user-info-breach

Security Alert: User Info Breach
Posted by Jason Yan on October 06, 2017

Yesterday, on October 5th, we were alerted to a security breach that impacted a database from 2012. While we are still investigating the incident, we believe that it is best to share what we know now. We know that a snapshot of our user database from 2012, including information dating back to 2007, was exposed. The snapshot includes email addresses, Disqus user names, sign-up dates, and last login dates in plain text for 17.5mm users. Additionally, passwords (hashed using SHA1 with a salt; not in plain text) for about one-third of users are included.

We sincerely apologize to all of our users who were affected by this breach. Our intention is to be as transparent as possible about what happened, when we found out, what the potential consequences may be, and what we are doing about it.

2012 and just now finding out about it?! Wow.

[Lorini]

I wish everyone would move to authenticators and call it a day.

[Zaxxon]

Trump's DOJ Tries to Rebrand Weakened Encryption at Responsible Encryption.

This will end well.

[Moliere]

Equifax website borked again, this time to redirect to fake Flash update

For several hours on Wednesday, and again early Thursday morning, the site was maliciously manipulated again, this time to deliver fraudulent Adobe Flash updates, which when clicked, infected visitors' computers with adware that was detected by only three of 65 antivirus providers.

[stessier]

Reading the whole article, it looks like a 3rd party adserver was the source, rather than a direct hack of Equifax.

[gilraen]

Reading the whole article, it looks like a 3rd party adserver was the source, rather than a direct hack of Equifax.

Yeah, those are fairly common since the website owners will contract with an ad-aggregator who may or may not be vetting their ad providers properly. Now, while I'm not surprised when Wowhead or Buzzfeed do it, but I'd think that any company at the level of Equifax will be a little more discerning when slapping an ad-spinning blackbox on their page.

[Jeff V]

After Wannacry, my company has been diligently scanning our network for vulnerabilities. The vast majority of them have been vendor-owned devices that are not being patched by the vendors. Some of these had to be removed entirely when the vendor was unwilling or unable to comply.

[Blackhawk]

Reading the whole article, it looks like a 3rd party adserver was the source, rather than a direct hack of Equifax.

Again, this is the reason why even if I trust your website, I will not whitelist you in my ad blocker.

[Zaxxon]

Reading the whole article, it looks like a 3rd party adserver was the source, rather than a direct hack of Equifax.

Again, this is the reason why even if I trust your website, I will not whitelist you in my ad blocker.

Indeed. The fact that sites disclaim responsibility for content served to their visitors is... not cool.

[Carpet_pissr]

"WPA2 security flaw puts almost every Wi-Fi device at risk of hijack, eavesdropping"

Yeesh.

http://www.zdnet.com/article/wpa2-secur ... fi-device/

http://www.zdnet.com/article/wpa2-secur ... fi-device/

Hey, lookey there, we don't need tags when posting links anymore! Woot

[Moliere]

Equifax: Last Week Tonight with John Oliver

[Pyperkub]

Microsoft:

The company did not disclose the extent of the attack to the public or its customers after its discovery in 2013, but the five former employees described it to Reuters in separate interviews. Microsoft declined to discuss the incident.

The database contained descriptions of critical and unfixed vulnerabilities in some of the most widely used software in the world, including the Windows operating system. Spies for governments around the globe and other hackers covet such information because it shows them how to create tools for electronic break-ins.

The Microsoft flaws were fixed likely within months of the hack, according to the former employees. Yet speaking out for the first time, these former employees as well as U.S. officials informed of the breach by Reuters said it alarmed them because the hackers could have used the data at the time to mount attacks elsewhere, spreading their reach into government and corporate networks.

[Max Peck]

All your basic utilities are belong to us!

The Department of Homeland Security and Federal Bureau of Investigation warned in a report distributed via email late on Friday that the nuclear, energy, aviation, water and critical manufacturing industries have been targeted along with government entities in attacks dating back to at least May.

The agencies warned that hackers had succeeded in compromising some targeted networks, but did not identify specific victims or describe any cases of sabotage.

The objective of the attackers is to compromise organizational networks with malicious emails and tainted websites to obtain credentials for accessing computer networks of their targets, the report said.

U.S. authorities have been monitoring the activity for months, which they initially detailed in a confidential June report first reported by Reuters. That document, which was privately distributed to firms at risk of attacks, described a narrower set of activity focusing on the nuclear, energy and critical manufacturing sectors.

[Moliere]

Intel chips

SECURITY RESEARCHERS HAVE raised the alarm for years about the Intel remote administration feature known as the Management Engine. The platform has a lot of useful features for IT managers, but it requires deep system access that offers a tempting target for attackers; compromising the Management Engine could lead to full control of a given computer. Now, after several research groups have uncovered ME bugs, Intel has confirmed that those worst-case fears may be possible.

On Monday, the chipmaker released a security advisory that lists new vulnerabilities in ME, as well as bugs in the remote server management tool Server Platform Services, and Intel’s hardware authentication tool Trusted Execution Engine. Intel found the vulnerabilities after conducting a security audit spurred by recent research. It has also published a Detection Tool so Windows and Linux administrators can check their systems to see if they're exposed.

[LordMortis]

Whew. For reasons I can't explain, perhaps paranoia, Trusted Execution Engine., looked like TPM, as in the Trusted Platform Module behind chip level encryption and I thought I was truly fubar.

[Zaxxon]

TPM was last month.

No, really.

[LordMortis]

TPM was last month.

No, really.

https://thehackernews.com/2017/10/rsa-e ... -keys.html

Thanx... Sigh...

[Carpet_pissr]

Uber.

"Uber Discloses Data Breach, Kept Secret for a Year, Affecting 57 Million Accounts"

NYT if you have access...

[Zarathud]

Inexcusable.

[Zaxxon]

Uber did something shady? Excuse me while I fetch the fainting couch and pearls.

[Carpet_pissr]

Heh

[Carpet_pissr]

Imgur
https://gizmodo.com/welp-looks-like-img ... 1820739397

[Max Peck]

This is sort of breachesque...

“Suspicious” event routes traffic for big-name sites through Russia

Traffic sent to and from Google, Facebook, Apple, and Microsoft was briefly routed through a previously unknown Russian Internet provider Wednesday under circumstances researchers said was suspicious and intentional.

The unexplained incident involving the Internet's Border Gateway Protocol is the latest to raise troubling questions about the trust and reliability of communications sent over the global network. BGP routes large-scale amounts of traffic among Internet backbones, ISPs, and other large networks. But despite the sensitivity and amount of data it controls, BGP's security is often based on trust and word of mouth. Wednesday's event comes eight months after large chunks of network traffic belonging to MasterCard, Visa, and more than two dozen other financial services were briefly routed through a Russian government-controlled telecom, also under suspicious circumstances.

According to a blog post published Wednesday by Internet monitoring service BGPMon, the hijack lasted a total of six minutes and affected 80 separate address blocks. It started at 4:43 UTC and continued for three minutes. A second hijacking occurred at 7:07 UTC and also lasted three minutes. Meanwhile, a second monitoring service, Qrator Labs, said the event lasted for two hours, although the number of hijacked address blocks varied from 40 to 80 during that time.

[Moliere]

Today's CPU vulnerability: what you need to know

Last year, Google’s Project Zero team discovered serious security flaws caused by “speculative execution,” a technique used by most modern processors (CPUs) to optimize performance.

The Project Zero researcher, Jann Horn, demonstrated that malicious actors could take advantage of speculative execution to read system memory that should have been inaccessible. For example, an unauthorized party may read sensitive information in the system’s memory such as passwords, encryption keys, or sensitive information open in applications. Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host.

These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running on them.

[tiny ogre]

This one (well, these two) is really ridiculously bad. I read the paper they put out for one of them.
In a nutshell, they've demonstrated reading arbitrary memory from the host browser process from Javascript. This means that a random website you visit can get your passwords for other sites, for example.

One of the exploits (Meltdown) seemingly only affects Intel processors so far, but the other one (Spectre) affects everything.

Keep everything updated. OS, browser, applications, everything. On every device you own. There'll be patches for every computing device you own in the next few days or weeks and you should get them. Or better still, throw it all in a ditch, light it on fire, salt it and bury it, and wait about 3 years for completely new CPU designs to buy any new ones.

[Lorini]

On Reddit they said MS has already updated Win 10.

[tiny ogre]

Yes and no. They have patched it. Linux kernels have been patched as well. But these are mitigations, not fixes. It’s not yet clear that it’s even possible to completely fix Spectre in software. It may need whole new CPU architectures, which will take years.

It’s not just the OS you need to worry about! Chrome is vulnerable to malicious websites stealing data and has not been patched yet. I don’t believe Firefox or any other browser is immune, but if you want to be extra careful, you should use the least popular browser you can find.

[Zaxxon]

Indeed--you'll need the Windows patches, plus app patches, plus Intel/AMD firmware updates, plus in some cases Windows registry changes.

This one is a big pile o dung.

[Blackhawk]

I'm fairly computer literate, and I barely know where to start. I can't imagine Joe User is going to have a shot in hell.

[Carpet_pissr]

I don’t believe Firefox or any other browser is immune, but if you want to be extra careful, you should use the least popular browser you can find.

I knew all those AOL CD's I've been storing for years would come in handy one day. It's back to the stone age of computing, bitches!

[Jaymann]

Yes and no. They have patched it. Linux kernels have been patched as well. But these are mitigations, not fixes. It’s not yet clear that it’s even possible to completely fix Spectre in software. It may need whole new CPU architectures, which will take years.

It’s not just the OS you need to worry about! Chrome is vulnerable to malicious websites stealing data and has not been patched yet. I don’t believe Firefox or any other browser is immune, but if you want to be extra careful, you should use the least popular browser you can find.

Which is the least popular? Vivaldi? Maxthon? UC Browser?

[Moliere]

Yes and no. They have patched it. Linux kernels have been patched as well. But these are mitigations, not fixes. It’s not yet clear that it’s even possible to completely fix Spectre in software. It may need whole new CPU architectures, which will take years.

It’s not just the OS you need to worry about! Chrome is vulnerable to malicious websites stealing data and has not been patched yet. I don’t believe Firefox or any other browser is immune, but if you want to be extra careful, you should use the least popular browser you can find.

Which is the least popular? Vivaldi? Maxthon? UC Browser?

Implement Chrome's site isolation.

[Carpet_pissr]

Implement Chrome's site isolation.

Ooof!
"Site isolation will increase Chrome's memory use by approximately 10–20%"

[Moliere]

Implement Chrome's site isolation.

Ooof!
"Site isolation will increase Chrome's memory use by approximately 10–20%"

Security ain't free.

[Carpet_pissr]

Implement Chrome's site isolation.

Ooof!
"Site isolation will increase Chrome's memory use by approximately 10–20%"

Security ain't free.

Yeah, or convenient, usually. I think that point is being driven home to mainstream users these past couple of years, more and more, with 2 factor authent. etc being implemented more and more commonly (suggested/required by many vendors).

[Jaymann]

I am now logged in with QupZIlla, about the most obscure browser I could find, and uninstalled google chrome.

[Pyperkub]

Disable javascript in addition to running an adblocker. Every proof of concept I've seen uses javascript, so at least use a toggle.

[Moliere]

[coopasonic]

hover text:

New zero-day vulnerability: In addition to rowhammer, it turns out lots of servers are vulnerable to regular hammers, too.