$61 million stolen from accounts at Bitcoin exchange Bitfinex

The Verge writes:

Hackers have compromised the Bitcoin exchange Bitfinex, the company announced today, withdrawing roughly $61 million from various consumer accounts. The causes of the breach are still unclear, but the attackers appear to have bypassed Bitfinex’s mandated limits on withdrawals.

“The theft is being reported to — and we are co-operating with — law enforcement,” the statement reads. “We ask for the community’s patience as we unravel the causes and consequences of this breach.”

You really shouldn’t be surprised. Online criminals are modern-day Willie Suttons. They go where the money is.

If you had a Bitcoin wallet with Bitfinex, I imagine you would be quite worried right now.

In fact, if you had a Bitcoin wallet anywhere else you probably shouldn’t be feeling too smug. Security Week reports that the value of Bitcoin has dropped by more than 20% since the incident.

200 million Yahoo passwords being sold on the dark web?

Joseph Cox at Motherboard writes:

A notorious cybercriminal is advertising 200 million of alleged Yahoo user credentials on the dark web, and the company has said it is “aware” of the hacker’s claims, but has not confirmed nor denied the legitimacy of the data.

On Monday, the hacker known as Peace, who has previously sold dumps of Myspace and LinkedIn, listed supposed credentials of Yahoo users on The Real Deal marketplace. Peace told Motherboard that he has been trading the data privately for some time, but only now decided to sell it openly.

When a hacker advertises a huge hoard of login details for sale there are often more questions than answers:

  • How many (if any) of the credentials are legitimate? There may be 200 million or so being sold, but that doesn’t mean you’ll be able to break into 200 million accounts.
  • What is the origin of the data? Has the data been collected through phishing attacks? Or has the data been collated from the mega breach of another online service (like LinkedIn or MySpace), and is it just evidence that yet again folks have made the mistake of reusing passwords?
  • Are the credentials for current accounts or for old, stale accounts that may have been closed down or had their passwords changed long ago?
  • Is there any evidence of a security breach at Yahoo that could have resulted in login credentials spilling out? (This would be most worrying, but thankfully seems least likely.)

Not all of these questions are necessarily easy to answer with absolute certainty.

But what is clear is that your Yahoo account will be a lot safer if you have enabled two-step verification and have learnt to never reuse passwords.

If you’re not being sensible about your online security, take appropriate steps now to harden your Yahoo account. Because even if this current scare ends up not impacting your account, there is always the danger that you could become a victim in the future.

Advertisers could be tracking you via your battery status

A legitimate reason to poll your battery’s status is to stop intensive operations from executing if you’re running low on juice.
But it’s also open to exploitation by those who want to track your online activity, writes Lukasz Olejnik:
The information …

Secure email service GhostMail shutting down, in fear of being abused

GhostMail, a site that offered “military encrypted and self-destructing email accounts”, has announced that it is closing down:

GhostMail in its current form will be closed down as of 1 September 2016.

Since we started our project, the world has changed for the worse and we do not want to take the risk of supplying our extremely secure service to the wrong people – it’s simply not worth the risk.

In general, we believe strongly in the right to privacy, but we have taken a strategic decision to only supply our platform and services to the enterprise segment.

We hope you understand this decision and we refer to other free services available, as an alternative to our platform i.e. Protonmail.

PRO users will be refunded and contacted directly.

If we take GhostMail’s statement at face value, one assumes that GhostMail is concerned that criminals and terrorists might abuse its services to hide their communications. As GhostMail has no way of perusing its customers’ encrypted conversations it wouldn’t know who would be up to no good, and who wouldn’t.

So, bad news for regular folks who were using GhostMail for their secure, private webmail (switching to an alternative like Switzerland-based Protonmail sounds like a natural next step), though the company might be able to offer a more focused service to enterprise customers.

If you are a GhostMail user make sure to download any messages from its servers that you wish to keep before 1st September.

Sorry, your Motorola Android isn’t going to get monthly security updates

Well, this sucks if you’ve spent good money on a Motorola smartphone.
The firm has confirmed to Ars Technica that it isn’t going to commit to monthly security updates, even though Google will have released patches for the Android operating system.
Here…

LastPass security hole could have seen hackers steal your passwords

Mathias Karlsson, a security researcher at Detectify Labs, writes:

Stealing all your passwords by just visiting a webpage. Sounds too bad to be true? That’s what I thought too before I decided to check out the security of the LastPass browser extension.

In his article, Karlsson explains how, because of a bug in the LastPass password manager’s autofill functionality, he was able to trick LastPass into believing that it was on the real Twitter website and so cough up the user’s credentials.

The same technique could have been used to steal passwords associated with other websites.

Yeuch!

The good news is that Karlsson believes in responsible disclosure, and so informed LastPass of the problem. In more good news, LastPass fixed the issue in less than a day (and awarded Karlsson a $1,000 bug bounty for his efforts).

Karlsson recommends that LastPass users disable the autofill functionality and enable multi-factor authentication for better security.

Although his discovery is troubling, I agree with Karlsson when he points out that using a password manager is still better than reusing passwords on different websites.

PS. Well-known vulnerability researcher Tavis Ormandy tweeted overnight that he too has found a flaw in LastPass. Details have not yet been made public, and LastPass is reportedly working with him on resolving the issue.

PPS. Readers with good memories will recall that LastPass was acquired by LogMeIn last year to the concern of some. Overnight it has been announced that LogMeIn is itself being acquired by Citrix.

Happy ending for Pornhub after vulnerability researchers gain access to entire user database

The Register reports:

A trio of hackers have gained remote code execution powers on servers used by adult entertainment outlet Pornhub, using a complex hack that revealed twin zero day flaws in PHP.

Google software intern and security boffin Ruslan Habalov (@evonide) detailed the Return Orientated Programming hack in a detailed debriefing explaining how he and fellow hackers @_cutz and Dario Weißer @haxonaut gained access to the entire Pornhub database including sensitive user information.

Regular readers will recall that earlier this year Pornhub announced its bug bounty program, asking vulnerability researchers to help harden its security.

The researcher threesome rose to the challenge, and earned themselves a tasty US $20,000 from Pornhub for their efforts. The Internet Bug Bounty threw an extra US $2,000 into the mix for the discovery of the PHP zero-day vulnerabilities.

In the wrong hands, vulnerabilities like these could have caused enormous damage to the X-rated website and its many clandestine users, as well as potentially other sites too.

So, a happy ending all round.

When the people selling you IT security solutions hack into their rival’s database…

The Register reports:
Five men working at UK-based IT security reseller Quadsys confessed today to hacking into a rival’s database.
Owner Paul Streeter, managing director Paul Cox, director Alistair Barnard, account manager Steve Davies and security co…