PacketSled CEO Harrigan resigns over threats to Trump

PacketSled CEO Matt Harrigan resignation was accepted by the company.

Matthew Harrigan, CEO of PacketSled, resigned his position today after being suspended for posting threatening messages against President-Elect Trump on social media.

Packetsled’s board of directors announced it had accepted Harrigan’s resignation as president and CEO and that he will be replaced on an interim basis by company CTO Fred Wilmot.

“We want to be very clear, PacketSled does not condone the comments made by Mr. Harrigan, which do not reflect the views or opinions of the company, its employees, investors or partners,” the board wrote.

Harrigan had been placed on administrative leave by the company on Nov. 14 for making comments that he wished to kill Trump. These were initially posted on Facebook, but were then copied into a sub-Reddit thread and by Monday he was suspended.

“I’m going to kill the president. Elect,” he reportedly wrote, followed by a string of malevolent comments supporting his initial written intent.

In a statement on PacketSled’s website, the network security company said it not only removed him from his position, but reported Harrigan to law enforcement.

“PacketSled takes recent comments made by our CEO seriously. Once we were made aware of these comments, we immediately reported this information to the Secret Service and will cooperate fully with any inquiries. These comments do not reflect the views or opinions of PacketSled, its employees, investors or partners. Our CEO has been placed on administrative leave,” the company wrote.

Harrigan recanted his anti-Trump comments in a series of Tweets.

Updated with resignation announcement.

–News collected and synced by Info Security Solution Kolkata,

Are browsers using the HTTP/2 protocol vulnerable to HEIST attacks?

While the HTTP/2 protocol was designed to improve security and performance, it’s also apparently enabled threat actors to do more damage with existing attacks. At Black Hat USA 2016, Ph.D. researchers at the University of Leuven in Belgium, Tom Van Goethem and Mathy Vanhoef, disclosed a web-based attack that can steal encrypted content from HTTPS traffic using nothing more than JavaScript. Until now, attacks against secure sockets layer (SSL) and transport layer security (TLS) like CRIME and BREACH have required the attacker to be able to observe or manipulate the traffic between the victim and the website they are visiting — a man-in-the-middle attack — making it difficult for the attacker to easily carry out the exploit. This new attack, called HEIST, which stands for “HTTP encrypted information can be stolen through TCP-windows,” puts a user’s privacy at risk simply by the user visiting a compromised site controlled by the attacker, or a page running JavaScript-based ads, for example. What’s more, the HEIST attack can leverage features of the HTTP/2 protocol to make the attack even faster.

HEIST is a side-channel attack on HTTPS. It doesn’t actually break the encryption used, but by combining weaknesses and unexpected behavior in the interactions between the browser, HTTP, SSL/TLS and TCP, it can uncover enough information about the data exchanged in a cross-origin response in the browser to guess its content, even though it is encrypted and sent over HTTPS. It works by exploiting the way HTTPS responses are delivered over TCP to measure the size of an HTTPS response. JavaScript code is not allowed to know how many bytes of data are returned in a response, but the HEIST JavaScript code uses two new APIs, HTML5 Resource Timing and Fetch to generate a start time and a stop time, from which the size of an encrypted response can be inferred. Once the attacker knows the size of an encrypted response, he can then use either the BREACH or CRIME exploit techniques to brute force attack the plaintext contained inside it. Both the BREACH and the CRIME exploits are able to decrypt payloads by manipulating the file compression that sites use to reduce the amount of data transferred in order to make pages load more quickly.

If there’s a block of duplicated information on the page, the server sends that block only once. The HEIST script sends repeated requests to the website, varying each request byte by byte, trying to match a block of information on the page, such as a password or bank account number. Attempts to guess the data in a block that are wrong result in a larger file size, while if the guess matches the block there will be no appreciable increase in data size, as the compression function won’t send duplicate blocks of data. Repeating this process thousands of times and analyzing the size of each resulting response allows the script to eventually determine the plaintext contained in the encrypted webpage. This stage of the attack can take a while, but if the page is loaded using the HTTP/2 protocol, the time taken is greatly reduced as all requests are made in a single HTTP/2 connection. Also the compression format used in HTTP/2, HPACK, makes it easier to predict the length of the header frame.

HTTP/2 is the first major upgrade to the Hypertext Transfer Protocol in over 15 years. Its main goal was to improve website performance, but security may have been weakened as a result; the new features in HTTP/2 have certainly increased the attack surface that hackers can exploit. Details of four vulnerabilities and attack vectors related to the HTTP/2 protocol are discussed in Imperva’s report, “HTTP/2: In-depth analysis of the top four flaws of the next generation web protocol,” two of which were already known to have existed in implementations of HTTP/1.x. No one technology can secure sensitive data, but HTTPS is a core element of secure communications and any exploitable vulnerabilities put the entire internet at risk.

Delaying implementing the HTTP/2 protocol may be the best option for sites displaying sensitive data, at least until more research into HTTP/2 has been carried out. Those administrators pressured into upgrading to take advantage of HTTP/2’s faster page load speeds should ensure existing vulnerabilities are fixed first; most sites are still vulnerable to BREACH, and although there are no reports that BREACH has successfully been used to hijack real accounts, HEIST-enabled BREACH attacks may change that. A detailed explanation of HEIST’s attack methodology is available in Van Goethem and Vanhoef’s research paper. Online tools such as Qualys’ SSL server test can check whether a website is vulnerable to BREACH or other similar attacks.

For the HEIST attack to work, a webpage must include or reflect part of the browser’s request in its own content, and the user must have JavaScript and third-party cookies enabled. If there are reports of the HEIST attack being successfully used in the wild, users should consider turning on the private browsing mode offered by major browsers. This feature, which disables third-party cookies, would prevent the HEIST script from being able to authenticate with the HTTPS protected webpage. However, this would make many sites unusable, as would disabling JavaScript execution in the browser, the one other possible mitigation.
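A toy model of the mechanism described above, added here as an illustration (not code from the article or from the HEIST authors): a page that echoes a search string and also carries a secret token, a simplified LZ77 "compressor" that charges one unit per literal and two per back-reference, and the size oracle that recovers the token one character at a time. Beside it is the standard BREACH mitigation the article alludes to when it says sites should fix BREACH first: masking the token with a fresh random value on every response, so the plaintext never appears and response size no longer correlates with the guess. The token, page layout and cost model are constructed assumptions.

```python
"""Compression side channel (BREACH/HEIST model) and the token-masking fix.
Constructed example: the page, token and LZ77 cost model are stand-ins."""
import secrets

SECRET_TOKEN = "7f3a9c1e"      # constructed sample CSRF token (hex)
KNOWN_PREFIX = 'value="'       # text the attacker knows precedes the token
ALPHABET = "0123456789abcdef"


def lz77_cost(data: bytes, min_match: int = 3) -> int:
    """Greedy LZ77 parse; returns a rough 'compressed size': 1 unit per
    literal byte, 2 units per back-reference. This keeps the one property
    BREACH relies on: text already seen earlier in the stream is cheap."""
    i, cost = 0, 0
    while i < len(data):
        best = 0
        for j in range(i):                      # longest earlier match for data[i:]
            length = 0
            while i + length < len(data) and data[j + length] == data[i + length]:
                length += 1
            best = max(best, length)
        if best >= min_match:
            cost, i = cost + 2, i + best        # back-reference
        else:
            cost, i = cost + 1, i + 1           # literal
    return cost


def mask_token(token_hex: str) -> str:
    """Per-response masking: emit mask || (token XOR mask). The plaintext
    token never appears in the page, so nothing the attacker echoes can
    deduplicate against it."""
    raw = bytes.fromhex(token_hex)
    mask = secrets.token_bytes(len(raw))
    return mask.hex() + bytes(a ^ b for a, b in zip(raw, mask)).hex()


def unmask_token(masked_hex: str) -> str:
    """Server side: strip the mask before comparing the submitted token."""
    raw = bytes.fromhex(masked_hex)
    half = len(raw) // 2
    return bytes(a ^ b for a, b in zip(raw[half:], raw[:half])).hex()


def render_page(reflected: str, masked: bool) -> bytes:
    """A page that reflects attacker-influenced input and carries a secret:
    the precondition the article names for HEIST/BREACH."""
    token = mask_token(SECRET_TOKEN) if masked else SECRET_TOKEN
    html = (f'<html><body><p>No results for "{reflected}"</p>'
            f'<form><input type="hidden" name="csrf" value="{token}"></form>'
            f'</body></html>')
    return html.encode()


def recover_token(masked: bool, length: int = len(SECRET_TOKEN)) -> str:
    """Size oracle: at each position the candidate whose echo extends an
    existing duplicate block yields the smallest response."""
    known = ""
    for _ in range(length):
        sizes = {c: lz77_cost(render_page(KNOWN_PREFIX + known + c, masked))
                 for c in ALPHABET}
        known += min(sizes, key=sizes.get)
    return known


if __name__ == "__main__":
    print("unmasked page leaks:", recover_token(masked=False))   # 7f3a9c1e
    print("masked page yields: ", recover_token(masked=True))    # random junk
```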

This was last published in November 2016

Is it possible to get a new CISO position after being fired?

There’s always talk about executive turnover after a security incident or full scale data breach at an organization, specifically the CISO position. Even in the case of relatively minor security incidents, security executives can be fired or reassigned. What are the options for CISOs after they are forced out or asked to resign? Can they get another CISO job? Do they stay in security, or are their credibility and reputation lost after such an incident?

CISOs get fired for many reasons. The obvious are due to poor performance, illegal acts, or personal or ethical behaviors that warrant termination. Many times, CISOs become collateral damage after a security breach. Due to their visibility of personnel system activities, they are sometimes terminated because they become aware of executive indiscretions or come across highly sensitive information such as executive compensation plans. Their job can also be eliminated due to budget cuts or because they fall out of favor with management. The list goes on but regardless of the cause, a termination for the CISO can be detrimental to his ability to obtain a CISO position elsewhere.

In most states in the U.S., employers are not prohibited by law from providing truthful information about a former employee’s reason for termination to a prospective employer. Information former employers can disclose includes job performance, reasons for termination or separation, performance evaluation or opinion, knowledge, qualifications, skills or abilities, education, training or experience or professional conduct. They are not allowed to make misstatements or provide false information. The former employee has recourse in a defamation lawsuit in such cases. However, prospective employers typically will not share negative information obtained from former employers with the applicant.

In the event a CISO is terminated, he needs to decide whether or not to continue in this profession. There are many CISOs that are terminated or laid off that find another CISO position. To increase the likelihood of this, CISOs can:

  • Ask during the exit interview if the former employer would refrain from providing a negative reference. It may not be positive, but at least it won’t be negative;
  • Become a business partner for business unit managers and executives. This will allow them to more easily provide a good reference;
  • Get involved with professional organizations such as ISSA, ISACA and OWASP so that others in the cybersecurity field know him if another CISO position becomes available;
  • Engage a professional recruiter that specializes in cybersecurity. Share all the details of the termination with him and strategize as to how he will present the CISO to prospective employers;
  • Write articles or give lectures on cybersecurity to increase his worth to others outside of the company; and
  • Build and lead his staff by example in learning, technical abilities and ethics. Their references will speak volumes to prospective employers.

The key to staying employed as a CISO is communication, especially with executive management. CISOs who perform their duties in a vacuum and rarely speak to or teach executives on the elements of information security or incident handling will find their job tenure in jeopardy when a real incident occurs.

Being a CISO is a rewarding yet challenging job. Those in cybersecurity say that a five-year tenure is about average for most CISOs, although clearly there are those who hold that position for many more years. So unless a CISO’s termination was due to egregious and illegal activity, finding another CISO position elsewhere may not be that difficult.


This was last published in November 2016

Privacy stripped bare as hackers breach 412 million Adult Friend Finder accounts

Sex and dating website Adult Friend Finder Network has reportedly suffered one of the largest – and potentially compromising – data breaches in internet history.

According to notification site Leaked Source, 412 million accounts were breached last month, compromising names, email addresses as well as weakly secured passwords.

The biggest tranche was 339 million users of AdultFriendFinder.com, “the world’s largest sex and swinger community”, with a further 62 million users of webcam site cams.com, 7.1 million users of Penthouse.com, and 1.4 million users of stripshow.com also lifted.

The breach appears to affect not only current users but potentially anyone who has ever signed up to it or its associated network brands in the last two decades.

Leaked Source’s analysis suggests that 15.7 million of the Adult Friend Finder database were deleted accounts that had not been properly purged.

The most disturbing revelation surrounds the weak state of the site’s passwords security, which the site said were either plain text (125 million accounts) or had been scrambled using the weak SHA-1 algorithm, which is considered trivially easy to crack (the rest).

Leaked Source said:

The hashed passwords seem to have been changed to all lower case before storage which made them far easier to attack but means the credentials will be slightly less useful for malicious hackers to abuse in the real world.

Hashing, which is one-way and can’t be reversed, is often confused with encryption (which is two-way and reversible by design), but suffice it to say its primary function is to verify that a password entered by a user during log-on is correct.

It’s a sort of fingerprint, but a vulnerable one. If the hashing format used is weak, the attacker can just compare the hashed output against a “rainbow table”, a giant directory of billions of hashes matched to real passwords.

A further problem with SHA-1 and this breach could be the type of “salting” or “peppering” used to defend against rainbow lookups.

Leaked Source seems to have had no difficulty breaking 99% of the hashed passwords, turning up a litany of terrible plain-text choices including the usual “123456”, “password” and “qwerty”. Bizarrely, 12,159 accounts used “Liverpool” as a password, making it the 59th most common.

How did the hack happen?

There are few details at the moment, although it seems it might (or might not) be connected to a local file inclusion flaw publicised in October by a researcher called Revolver, who also reportedly posted screengrabs from Adult Friend Finder.

Worryingly, the breach is the second suffered by the site in two years after 3.5 million accounts were compromised in 2015. Unlike that incident, the new breach does not contain information on users’ sexual preferences, according to one website that saw some of the data.

Porn and sex site hacks tend to be ones that people remember.

In September, forum data for 800,000 Brazzers.com porn users came to light in an attack dated to 2012.

Biggest and worst of all was the attack on dating site Ashley Madison in 2015 which compromised 37 million accounts, most of which were later leaked.

Passwords are often a weak point, with people choosing easily guessed and easily cracked words.

BlackNurse hits big routers with low-volume denial-of-service attack

BlackNurse, the newest branded vulnerability, is a denial-of-service attack that researchers claim can take down firewalls and routers with as little as 15 to 18 Mbps of malicious ICMP packets.

The attack abuses Internet Control Message Protocol (ICMP) Type 3 Code 3 “port unreachable” messages, and has been reported to work against several Cisco routers, as well as routers and firewalls from other vendors including ZyXEL, Sonicwall and Palo Alto Networks. Security researchers Lenny Hansson and Kenneth Jørgensen, who discovered the vulnerability, claim the attack can disrupt Cisco ASA 55xx routers with as little as 4 Mbps.

“We see the Cisco ASA firewall 55xx series to have the biggest problems. Even if you deny all ICMP traffic to the firewalls, they still suffer from the [denial-of-service (DOS)] attack, with as little as 4Mbit of traffic,” the researchers wrote on the BlackNurse website.

The TDC researchers wrote that mitigating a BlackNurse attack could be simple: a whitelist “of trusted sources for which ICMP is allowed could be configured. Disabling ICMP Type 3 Code 3 on the WAN interface can mitigate the attack quite easily. This is the best mitigation we know of so far.”

The source of the problem is still unclear, though the researchers believe the vulnerability is based on how devices handle packets. “We have right now only seen this in hardware-based firewalls, where packets are sent directly to CPU,” Hansson and Jørgensen told SearchSecurity by email.

However, not everyone agrees about the threat from BlackNurse. It is still unclear why these particular ICMP packets require so much processing from the CPU, wrote Johannes Ullrich, dean of research at SANS Technology Institute, in a blog post. “In my opinion, this is likely due to the firewall attempting to perform stateful analysis of these packets. ICMP unreachable packets include as payload the first few bytes of the packet that caused the error. A firewall can use this payload to determine if the error is caused by a legit packet that left the network in the past. This analysis can take significant resources.”

“This issue is not vendor-specific, and the attack does not exploit a security vulnerability,” Cisco wrote in a statement to SearchSecurity, downplaying the threat. “In the event of an attack, the mentioned ASA devices continue to enforce the configured security policy, and there is not a compromise. For the select ASA firewalls noted in this study, protection against DoS threats is multilayered, and we work with our customers to ensure the DoS security is accounted for further upstream in the network as a best practice.”

Palo Alto Networks issued a note to its customers about the BlackNurse attack, stating “We have conducted an investigation into this issue and to date have found that Palo Alto Networks Next-Generation Firewall customers can only be affected in very specific, non-default scenarios that contravene best practices.”

Palo Alto suggested best practices for its customers to protect against BlackNurse, including configuring a DoS protection profile to protect against flooding of ICMP and ICMPv6 packets, but the company also warned that flooding attacks can use any protocol type.

“You don’t need a lot of bandwidth to carry out the attack,” Hansson and Jørgensen told SearchSecurity, noting that combining BlackNurse with a botnet, like the Mirai DDoS botnet, which devastated the Dyn DNS service last month, could spell trouble because it is practical to execute the attack from IoT devices. “We have seen as little as 4 [Mbps] to DoS a Cisco device. IoT devices from small uplinks can come into play from botnets. This means that a botnet like Mirai would be able to attack more targets at once. This can be more devastating than a single attack of 1 TBps on one target.”

As for the source of the attacks, the researchers said: “Right now we have seen this used from what we believe can be some sort of DDOS-service. This is based on the mix of attack types we see hit our customers.”
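A rate check for the traffic pattern this article describes, added as an example (not code from TDC, Cisco or SearchSecurity): it parses constructed flow records, sums ICMP Type 3 Code 3 bytes per source and per second, ignores sources on the trusted-ICMP whitelist the researchers recommend, and flags anything approaching the 4 Mbps the researchers report as enough for an ASA 55xx. The record format, addresses and threshold are assumptions.

```python
"""Detect an ICMP Type 3 Code 3 ("port unreachable") flood from flow records.
Constructed sample export; the key=value format is an assumption."""
import re
from collections import defaultdict

# Constructed sample records (not real traffic): one line per one-second flow.
# At ~90 bytes per unreachable message, ~5,600 pps is roughly 4 Mbps.
SAMPLE_FLOWS = """\
ts=1478764800 src=198.51.100.7 dst=203.0.113.1 proto=icmp type=3 code=3 pkts=5600 bytes=504000
ts=1478764801 src=198.51.100.7 dst=203.0.113.1 proto=icmp type=3 code=3 pkts=5700 bytes=513000
ts=1478764800 src=192.0.2.55 dst=203.0.113.1 proto=icmp type=3 code=3 pkts=2 bytes=180
ts=1478764800 src=192.0.2.9 dst=203.0.113.1 proto=icmp type=0 code=0 pkts=4000 bytes=4000000
ts=1478764801 src=198.51.100.7 dst=203.0.113.1 proto=tcp type=- code=- pkts=10 bytes=15000
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

# Sources allowed to send us ICMP (the whitelist mitigation from the article).
TRUSTED_ICMP_SOURCES = frozenset({"192.0.2.55"})


def parse_flow(line: str) -> dict:
    """One record -> dict of its key=value fields."""
    return dict(KV_RE.findall(line))


def unreachable_rates(text: str, trusted=TRUSTED_ICMP_SOURCES) -> dict:
    """Mbps of ICMP type 3 / code 3 traffic keyed by (src, second).
    Only that message type is counted: echo replies, TCP etc. are ignored."""
    per_src_sec = defaultdict(int)
    for line in text.splitlines():
        f = parse_flow(line)
        if (f.get("proto") == "icmp" and f.get("type") == "3"
                and f.get("code") == "3" and f["src"] not in trusted):
            per_src_sec[(f["src"], int(f["ts"]))] += int(f["bytes"])
    return {key: nbytes * 8 / 1e6 for key, nbytes in per_src_sec.items()}


def total_unreachable_mbps(text: str) -> dict:
    """Per-second total across all untrusted sources: a botnet of small
    uplinks (the Mirai scenario in the article) adds up even when no single
    source is loud."""
    per_sec = defaultdict(float)
    for (_, sec), mbps in unreachable_rates(text).items():
        per_sec[sec] += mbps
    return dict(per_sec)


def blacknurse_alerts(text: str, threshold_mbps: float = 2.0) -> list:
    """Sources whose type 3 / code 3 rate reached the threshold in any second.
    The threshold sits well below the 4 Mbps the researchers quote, since the
    goal is to notice the flood before the firewall CPU saturates."""
    offenders = {src for (src, _), mbps in unreachable_rates(text).items()
                 if mbps >= threshold_mbps}
    return sorted(offenders)


if __name__ == "__main__":
    print("offending sources:", blacknurse_alerts(SAMPLE_FLOWS))   # ['198.51.100.7']
    print("per-second totals:", total_unreachable_mbps(SAMPLE_FLOWS))
```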

How a hybrid whitelisting-blacklisting approach can help enterprises

The data speaks for itself — large scale breaches continue to occur at record levels. The AV-TEST Institute, an international, independent service provider that detects the latest malware, registers over 390,000 new strains of malicious code every day. Cyberspace has become the Wild West, where databases are being pilfered and sold on the dark web at a frequency never seen before. We can’t possibly blacklist this number of known bad threats on a daily basis. We also can’t whitelist every allowed known good application. Managed security services providers struggle to be successful in the defense against bad actors because most of the tools and techniques have been focused on known bad, which is becoming impossible to keep up with. The stark reality is that we are losing the battle. We need a new hero, and a hybrid whitelisting-blacklisting approach may be the answer.

Many of today’s security products are built on blacklisting capabilities. Blacklisting allows everything like emails, IP addresses, URLs and domain names but blocks only the items that are specified on the blacklist. The best way to think of a blacklist is as a block list. If you know something is bad, you add it to the blacklist, and it won’t execute.

The problem is, how can you block things that you don’t know are bad? Typically, malware has to infect something for it to be identified, analyzed and added to the blacklist. We also can’t out-signature the problem. Signature-based devices and software compare files and look for known bad signatures based on host or network traffic during an incident. A system’s success is only as good as its database of signatures. We can’t create signatures fast enough to keep up with the rate of new malware samples being generated daily.

Even with heuristic and behavior detection added to blacklisting capabilities, we are still losing the battle. Intellectual property continues to be vulnerable. Personal data is vulnerable. Healthcare records, financial data and voter records in the millions are vulnerable. Blacklisting is simply not enough to protect companies and their employees.

To fill the gap, organizations often add whitelisting. Whitelisting allows execution only of network or application data that is explicitly on the whitelist. Think of a whitelist as an allow list. Only the items listed in the whitelist are allowed to execute or run. The early days of application whitelisting saw the technology get a bad rap; early adopters found it cumbersome to implement and difficult to maintain. Also, the expertise required to deploy and manage the whitelisting solution caused pain points in many organizations. With old whitelisting, the risks of omitting a known good were simply too big, and whitelisting of old didn’t have the support it needed to become a viable solution to the problem. However, some of today’s products and services include sandboxing technology that helps explore malware in a controlled environment.

Companies should not solely blacklist or solely whitelist. Instead, organizations should implement both. An ideal solution is a hybrid whitelisting-blacklisting approach that combines the best of both options: whitelisting covers the known good applications, while blacklisting catches the known bad applications and code. As we see more hybrid whitelisting-blacklisting solutions come online with the maturity and the support model to be effective, we will see a change in perspective on whitelisting, and MSSPs will have an effective model with which to make a greater impact.

Whitelisting is a critical component of a stronger cybersecurity approach for the future, giving enterprises a fighting chance against what seems like an insurmountable problem. Until we can ensure the solvency of the data in our environment and allow only known good to execute, we will be fighting against the odds. A hybrid whitelisting-blacklisting approach is a good thing because if ever we needed a hero, that time is now.

About the author: Beth Musumeci is senior vice president of commercial cybersecurity and advisory services for ICF, a global consulting and technology services provider headquartered in Fairfax, Va. Prior to joining ICF, she served as general manager of Computer Sciences Corporation’s global commercial cybersecurity practice.


This was last published in November 2016

Wi-Fi shadows cast by your fingers could leak your password

Researchers in a team from Shanghai, Boston and Tampa recently published a temptingly titled paper about password stealing.

Dubbed When CSI Meets Public Wi-Fi: Inferring Your Mobile Phone Password via Wi-Fi Signals, the paper makes you think of Crime Scene Investigation, but that’s just a handy collision of acronyms.

This CSI is short for “channel state information,” a collection of readings that describes what’s happening at the lowest level of the data link between a Wi-Fi sender, such as your laptop, and a receiver, such as an access point.

If you remember the cassette tapes on which early home computer programs were stored, you’ll know that there wasn’t much CSI going on: there were typically two sound frequencies, 1200Hz and 2400Hz, and the pitch of the recording warbled between them every few milliseconds to denote zeros and ones.

In modern Wi-Fi standards, however, connections are much more complex, with each radio channel divided into many sub-channels that transmit in parallel, and multiple antennas that measure different signal paths, thus turning echoes and reflections into an advantage, not a liability.

Chopping your radio spectrum into lots of sub-channels is a bit like sending 20 bicycle couriers across town at the same time, each carrying a modest amount of correspondence, instead of stuffing the whole lot in a van and delivering it in one go.

When you have numerous independent delivery channels, your throughput copes much better with localised interference, because you haven’t got all your communication eggs in one basket.

Now imagine that you have a stream of real-time information about what route each courier is taking, and how much progress each of them has made so far.

You can build up a picture of what the traffic looks like in various parts of the city, and you can guess at what’s causing the various holdups.

After all, protesters converging on parliament cause a different pattern of disruption than a pile-up on the airport access road.

That’s the kind of approach that the researchers tried in this paper.

They used specially modified firmware downloaded into a Wi-Fi network card to create an access point that could keep track of minute variations in the underlying communication signal and correlate those changes with your typing.

They dubbed their attack WindTalker.

Their idea was that if they could get their rogue access point close enough to your phone, then the interference caused even by your fingers moving in front of the on-screen keyboard might produce detectable differences in the CSI data that they measured.

And if they could guess when you were about to start entering a PIN using just 10 widely spaced positions on the screen, rather than when you were busy with the more complicated business of navigating through a web form or typing words from the entire keyboard…

…then they could focus their attention on the moments when they had the best chance of success.

Limitations of the attack

The paper is mathematically rather technical: it helps if you are already familiar with techniques such as discrete wavelet transforms, dynamic time warping and machine learning.

But the bottom line, in brief, is that the researchers claim modest success in guessing PINs tapped in on mobile phones, based on Wi-Fi interference caused by the fingers doing the tapping.

Fortunately, the current version of the attack seems to have many limitations:

  • The attack only works with one model of Wi-Fi network card, which limits the range of Wi-Fi devices that can be modified for malicious purposes.
  • The attack relies on modified firmware code that is prone to crashing, which limits its usefulness.
  • The attack only works on unencrypted networks, because the authors haven’t yet managed to squeeze both the CSI-grabbing code and Wi-Fi decryption code into the limited firmware space available.
  • The tests were done in what looks like a rather sterile radio environment, without the levels of interference you might expect in real life.
  • The attack relies on a consistent stream of network replies from your phone (800 ping replies per second) to form the basis of the CSI measurements, a rate that we found hard to maintain when we tried in an office environment.
  • The attack doesn’t yet seem to scale from PIN entry to full-on passwords, so it isn’t applicable to all login pages you may use.
  • The attack is thwarted by two-factor authentication (2FA), because it relies on guessing a password that can be re-used indefinitely.

What to do?

You can probably guess our advice in this case.

Use 2FA whenever you can, and you will be taking a big step towards a digital lifestyle in which you greatly reduce the risk of sniffed and stolen passwords.

If the crooks can’t figure out what tomorrow’s login code is going to be, there’s no longer much point in stealing today’s.

Adult Friend Finder hacked

In a number of instances, passwords stored in clear text are visible, and in other cases passwords hashed with SHA1 were easily cracked

In what could rival the size and impact of an earlier hack of MySpace, usernames, purchasing patterns, internet addresses and passwords of more than 412 million subscribers were exposed after Adult Friend Finder was breached last month.

In a number of instances, passwords stored in clear text are visible, and in other cases passwords hashed with SHA1 were easily cracked, according to breach notification website LeakedSource.

If preliminary reports prove true, this would be the worst hack of 2016, outdoing the MySpace hack whose tally reached 360 million.

And, this is not the first time that Adult Friend Finder, a portal operating a number of so-called 18+ services, has been breached. It was the target of an attack in May 2015.

Last month’s attack hit six properties operated by FriendFinder Networks (FFN): Adultfriendfinder.com, Cams.com, Penthouse.com, Stripshow.com, iCams.com and an unknown domain. It was reported that the attackers purloined nearly 20 years of data.

Indecent exposure

Six properties operated by FriendFinder Networks (FFN) were affected by a breach:

  • Adultfriendfinder.com: 339,774,493 users
  • Cams.com: 62,668,630 users
  • Penthouse.com: 7,176,877 users
  • Stripshow.com: 1,423,192 users
  • iCams.com: 1,135,731 users
  • Unknown domain: 35,372 users
  • Total: 412,214,295 affected users

– LeakedSource

FFN has so far not confirmed the attack, but did acknowledge being made aware of “potential security vulnerabilities.” 

“FriendFinder has received a number of reports regarding potential security vulnerabilities from a variety of sources,” Diana Ballou, VP and senior counsel at FFN, told ZDnet. “While a number of these claims proved to be false extortion attempts, we did identify and fix a vulnerability that was related to the ability to access source code through an injection vulnerability.”

Additionally, FFN has brought in a partner to look into the hack, according to Ballou, and promised to update customers.

A researcher known on Twitter and other sites as 1×0123 provided evidence of a local file inclusion (LFI) vulnerability used in the breach. LFI flaws enable attackers to “include files located elsewhere on the server into the output of a given application,” according to CSO. The researcher added that the LFI was in a module embedded in the adult website’s production servers.

Most commonly, an LFI discloses the contents of files the web server can read, but it can be manipulated to perform more nefarious tasks, such as code execution. The bug is present in applications “that don’t properly validate user-supplied input, and leverage dynamic file inclusion calls in their code,” CSO explained.
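The pattern CSO describes, shown as an added example that is not code from FriendFinder or from the researcher's report: a page handler that builds a file path from a request parameter, alongside a hardened version. The throwaway "web root", the two templates and the config file one level above them are constructed in a temporary directory so the example runs offline; the function names are mine.

```python
"""Local file inclusion: a dynamic include that builds a path from user input, and a fixed one."""
import tempfile
from pathlib import Path

# Constructed fixture: a throwaway web root with two templates plus a config file one level above it.
_SANDBOX = Path(tempfile.mkdtemp())
TEMPLATE_DIR = _SANDBOX / "htdocs" / "templates"
TEMPLATE_DIR.mkdir(parents=True)
(TEMPLATE_DIR / "home.html").write_text("<h1>Home</h1>")
(TEMPLATE_DIR / "login.html").write_text("<h1>Login</h1>")
(_SANDBOX / "config.php").write_text("<?php $db_password = 'hunter2'; ?>")  # constructed secret

ALLOWED_PAGES = {"home", "login"}


def vulnerable_include(page: str) -> str:
    """User-supplied input goes straight into a dynamic file include.

    This is the equivalent of include($_GET['page']) in PHP: a value such as
    '../../config.php' walks out of the template directory and the file is served.
    """
    return (TEMPLATE_DIR / page).read_text()


def hardened_include(page: str) -> str:
    """Allowlist the logical page name, then confirm the resolved path is still inside TEMPLATE_DIR."""
    if page not in ALLOWED_PAGES:
        raise ValueError(f"unknown page {page!r}")
    path = (TEMPLATE_DIR / f"{page}.html").resolve()
    if TEMPLATE_DIR.resolve() not in path.parents:  # defence in depth against symlinks and later refactors
        raise ValueError("path escapes the template directory")
    return path.read_text()


def is_rejected(include, page: str) -> bool:
    """True if the given include function refuses the request instead of returning file contents."""
    try:
        include(page)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(vulnerable_include("../../config.php"))        # leaks the constructed secret
    print(is_rejected(hardened_include, "../../config.php"))  # True
```

The allowlist is what actually closes the hole; the containment check after `resolve()` is there so that a future change that drops the allowlist (or introduces a symlink under the template directory) still cannot read outside it.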

The exposure of passwords is troubling, LeakedSource said, as the login details can expose user identities and make it simple for cyberthieves to hijack accounts and follow up with any manner of nefarious activity, such as hitting users up with extortion demands. Nearly a million users used “123456” as their password.
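Why "hashed with SHA1" and "easily cracked" sit together in the reports above (SHA-1 is a hash function, not encryption): an unsalted, single-round hash of a password is a fixed lookup key, so one wordlist pass cracks every user who chose the same password. The following is an added example, not code from the breach or from LeakedSource, contrasting that with a salted, iterated KDF (PBKDF2-HMAC-SHA256 from the standard library). The leaked rows and the wordlist are constructed; the function names are mine.

```python
"""Unsalted SHA-1 password hashes versus a salted, iterated key-derivation function."""
import hashlib
import hmac
import secrets

# Constructed stand-in for leaked rows: username -> unsalted SHA-1 hex, as an insecure store would hold them.
LEAKED_SHA1 = {
    "alice": "7c4a8d09ca3762af61e59520943dc26494f8941b",   # sha1("123456")
    "bob":   "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",   # sha1("password")
    "carol": hashlib.sha1(b"correct horse battery staple").hexdigest(),
}
WORDLIST = ["letmein", "qwerty", "123456", "password", "iloveyou"]  # constructed, deliberately tiny


def crack_unsalted_sha1(store: dict, wordlist) -> dict:
    """One SHA-1 per candidate cracks every user who chose it: the hash doubles as a lookup key."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in store.items() if h in table}


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256; the record carries everything needed to verify it later."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_pbkdf2(store: dict, wordlist):
    """With a per-user salt there is no shared table: one full derivation per (user, candidate).

    Returns (cracked, derivations) so the work factor is visible, not just the outcome.
    """
    cracked, derivations = {}, 0
    for user, record in store.items():
        for candidate in wordlist:
            derivations += 1
            if verify_password(candidate, record):
                cracked[user] = candidate
                break
    return cracked, derivations


if __name__ == "__main__":
    print(crack_unsalted_sha1(LEAKED_SHA1, WORDLIST))   # {'alice': '123456', 'bob': 'password'}
    salted = {u: hash_password(p, iterations=20_000)
              for u, p in [("alice", "123456"), ("bob", "password")]}
    print(crack_pbkdf2(salted, WORDLIST))               # same two cracked, but one slow derivation per guess
```

Salting and iteration do not save "123456"; the wordlist still finds it. What they remove is the amortisation: with 412 million rows, an unsalted store lets one hash of "123456" crack all million users who chose it at once, whereas a salted store costs one deliberately slow derivation per user per guess.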

In this case, the fact that verification showed that some data is stored in clear text while passwords are encrypted with SHA-1 is not enough to thwart today’s adversaries, Adam Brown, manager of security solutions at Synopsys, told SC Media in an emailed statement on Monday.

“Unfortunately penetration testing or application security scanning can offer almost no insight into how data is stored or processed inside an organization’s applications and data stores,” he said. “A data-centric approach is needed. It enables organizations to see how their data is managed by systems and, more importantly, whether it is encrypted and whether that encryption level is satisfactory.”

So far, based on information currently available around the breach, it’s quite probable that a vulnerable web application was used to steal the data, Ilia Kolochenko, CEO of web security company High-Tech Bridge, told SC Media in an emailed statement on Monday. Gartner, he explained, highlighted in its Hype Cycle for Application Security 2016 that applications are the main source of data exfiltration. However, Kolochenko said that companies still tend to underestimate the risks related to web applications and consequently put their customers at huge risk. “With this breach of 400 million accounts we should expect a domino effect of smaller data breaches with password reuse and spear-phishing,” he warned. 

Some large companies, handling and processing personal data, still fail to respect and even intentionally neglect the basics of information security, Kolochenko added. “Despite numerous reports on increasing cybersecurity spending during the last few years, many companies do spend more, but aren’t becoming more secure. A holistic risk assessment, comprehensive asset inventory and continuous security monitoring are often omitted, even though they are probably the most important parts of information security strategy and management.”

This attack on AdultFriendFinder is extremely similar to the breach it suffered last year, David Kennerley, director of threat research at Webroot, told SC Media in an emailed statement on Monday. “It appears to not only have been discovered once the stolen details were leaked online, but even details of users who believed they deleted their accounts have been stolen again. It’s clear that the organization has failed to learn from its past mistakes and the result is 412 million victims that will be prime targets for blackmail, phishing attacks and other cyber fraud.”

All companies, especially those dealing with sensitive customer data, must balance their security resources against their risk tolerance and look at threat intelligence solutions that provide them with the greatest scope of protection, Kennerley wrote. “It goes without saying that systems, software and processes should be regularly reviewed as previously accepted risk levels may no longer suffice.”

Consumers, he added, need to think twice about posting anything online they may not want to show up in public. “Every day there seems to be news of another breach,” Kennerley said.

Kolochenko at High-Tech Bridge agreed that computer users should be wary of posting anything online they might not want to see made publicly available. He suggested that enforcement of the General Data Protection Regulation (GDPR) will probably help to minimize this type of incident in the future, though he did acknowledge it will take some time.

Zuckerberg pushes back on fears over fake news on Facebook

It’s a “pretty crazy idea” to think that Facebook news stories influence people, Mark Zuckerberg said last week, even as he conceded that perhaps fake news might have had the unintended effect on people some commentators have claimed.

He wasn’t speaking to Facebook advertisers, of course, though some were quick to point out that his tongue seemed to have forked:

No, he wasn’t talking to ad-buying customers. Rather, Zuck was speaking to a crowd at the Techonomy conference near San Francisco, where he dismissed the hubbub about fake news swaying voters. Said voters in the US, of course, had shocked much of the world by voting for Donald Trump in the presidential election.

The Guardian quoted Zuckerberg, who said that it’s a disservice to Trump supporters to suggest they’d fall for all the hoaxes and half-truths that were oozing around cyberspace in the run-up to the election:

Voters make decisions based on their lived experience. There is a profound lack of empathy in asserting that the only reason someone could have voted the way they did is because they saw fake news.

Funny, that’s not what Facebook thinks about potato chips.

If you scroll through its gallery of targeted marketing success stories, you’ll find that Facebook boasts about advertiser Lay’s, purveyor of crisps, having convinced more people to try new potato chip flavors through the use of video ads.

…and that the maker of an anti-blister spray for high-heel wearers convinced enough people to part with their foot-spray money to see a whopping 30X increase in sales.

Like all advertising platforms, Facebook’s full of these stories, page after page of them, all cheerfully extolling how advertisers “connected” with consumers and picked the precise kind of marketing to elicit the most response from their targets (example: high heel wearers like “raw video footage” featuring an enthusiastic foot-spray user more than they like a polished presentation).

And Facebook, again like all advertising platforms, is obviously pumped up about its power to drive decision-making. Granted, swaying voters’ decisions in a presidential election isn’t exactly the same thing as convincing them to buy Kettle Cooked Indian Tikka Masala chips.

Nonetheless, it seems that there is some cognitive dissonance at work for Facebook to flog its ability to influence consumers as an advertising platform out of one side of its face, then spin around 180 degrees, shrug its shoulders and say in effect: “Meh! We can’t influence people’s political viewpoints. We’re just a platform.”

“We are a tech company, not a media company,” Zuckerberg has said repeatedly over the last few years. It builds the tools and then steps back, insisting that it doesn’t bear any of the responsibilities of a publisher for verifying information.

Many commentators say that’s disingenuous: Facebook might not write or be responsible for commissioning phony or misleading news, but its algorithms parse how articles are shared and prioritise showing them to users according to criteria that don’t distinguish between fake news and real news.

We don’t know much about Facebook’s proprietary algorithm, but we do know that it takes into account how close you are to the poster, plus how many times a post has been liked or shared, as it parses which stories to push into the Trending panel.

During a heavy news cycle such as the bruising US presidential campaign, fake news that picked up viral-share speed (not just on Facebook, of course) included some doozies: one was a hoax about an FBI agent connected to Hillary Clinton’s email disclosures having murdered his wife and shot himself (from a purported newspaper called “The Denver Guardian” that doesn’t actually exist); or the report that President Obama and Hillary Clinton had both promised amnesty to undocumented immigrants who vote on the Democratic ticket.

Facebook already knows it’s got issues with how baloney spreads virally. From a statement it sent to media outlets last week concerning its efforts to filter the dreck out of Trending:

…we understand there’s so much more we need to do, and that is why it’s important that we keep improving our ability to detect misinformation. We’re committed to continuing to work on this issue and improve the experiences on our platform.

Unfortunately, its algorithm simply doesn’t distinguish between something that’s coming from a reputable source vs. something that’s merely pretending to be a reputable source. A good example of that is the Denver Post’s unraveling of that fake Denver Guardian article.

How phoney was that phoney newspaper? It couldn’t even pick a real address when it lied about where its newsroom is supposed to be. Instead, it listed the address of a tree in a parking lot next to a vacant bank building.

A story doesn’t have to be legit to make it into people’s newsfeeds or into the Trending panel. It just has to look legit, like the UK website Canary, which published a story claiming that US election results had been published a week before the polls closed. It fell to blogger David Landon Cole to point out how badly wrong that claim was in a blog post of his own.

Facebook’s commitment to the responsibilities of being a publisher was questioned when it axed the humans whose purpose it was to curate Trending topics and weed out such fake news. Within three days of swapping the editorial staff for an algorithm, Facebook had published a fake news story in Trending topics.

Facebook didn’t learn its lesson after that misstep, though. In the months that followed the hoax about Fox News “exposing” news anchor and so-called “traitor” Megyn Kelly and kicking her out for backing Hillary Clinton, it’s gone on to repeatedly trend fiction passed off as news.

However Facebook sees itself, it is nonetheless where many people go to get their news. According to Pew Research Center, nearly two thirds of US adults – 62% – get news on social media. And that number’s on a growth path: it’s up from 49% in 2012.

One problem that Facebook and thus its users are up against is that there are people and organizations dedicated to creating and spreading viral news in order to profit from the clicks.

One example: on Election Day, Buzzfeed identified Macedonian spammers as being the engine behind more than 100 pro-Trump websites.

The US election may well have added fuel to the fire, but that fire has been burning for a while. Last year the Guardian reported on the hundreds of bloggers paid to flood forums and social networks at home and abroad with anti-western, pro-Vladimir Putin, pro-Kremlin comments.

Not only do we have friends who can’t differentiate between good, credible information from reputable sources and dross, all of them diligently spreading that dross; we also have organized groups actively creating that dross.

It’s impossible to say how much of a part Facebook played in coloring voters’ minds and swaying the election. But more to the point, it would be a relief were Mark Zuckerberg to acknowledge the magnitude of the fake-news industry and to step up and pledge to do something about it – be it rehiring the editorial curatorial team or finding some other way to vet the sources whose nonsense it’s allowing to pollute online discourse.

In the meantime, we’re pretty much on our own. And the challenge is to learn to be more discerning about the information we choose to believe.

Learning how to parse information like that needs to start in schools, and Facebook needs to step up on enabling it by acknowledging its role as the de facto biggest publisher in the world, and thus strive to make sure that good information from reputable sources isn’t drowned out by toxic nonsense.

Image of Mark Zuckerberg courtesy of Shutterstock.com

Florida man charged in JPMorgan hacking probe

A Florida man is the ninth person to face charges related to the hefty data breach that JPMorgan disclosed in 2014.

Agents arrested Ricardo Hill, 38, last month. A criminal complaint filed in federal court in Manhattan charged him with conspiring to operate an unlicensed bitcoin exchange called Coin.mx.

Prosecutors have said that the exchange was masterminded by Gery Shalon, an Israeli accused of orchestrating a massive attack on JPMorgan and other companies, and that it was operated by another Florida man, Anthony Murgio.

FBI Special Agent Joel Decapua wrote in the complaint filed against Hill in October that Hill was aware the exchange was being used to launder the loot from ransomware schemes.

Hill began working for Coin.mx as a marketing manager and business development coordinator in January 2014.

According to the complaint, Hill discussed with the other operators how dealing with ransomware crooks could get them brought up on charges of money laundering.

Coin.mx allegedly kept processing payments on behalf of the victims of ransomware schemes, pocketing a 7.5% fee with the transactions, which were likely to be reported as fraudulent.

One of the ransomware schemes that lined the pockets of the bitcoin exchange operators was the infamous CryptoLocker: one of the best-known ransomware variants ever released, and one that’s spawned clones such as CryptoWall.

Another of its offspring was one that borrowed the CryptoLocker name and then got packaged up with a phishing email about fake speeding fines.

According to Hill’s estimates, ransomware victims made up about 40% of Coin.mx’s customers, based on the volume of calls he received from them, the complaint said.

In November 2015, the Justice Department charged Shalon, Ziv Orenstein, and an American named Joshua Samuel Aaron with computer hacking crimes against JPMorgan, as well as other financial institutions, brokerage firms and financial news reporters, including the Wall Street Journal.

Aaron was a fugitive until last month, when he turned up at a facility for illegal immigrants outside Moscow. He had failed to show police a valid passport during a midnight check at his apartment, according to court documents seen by Bloomberg.

The JPMorgan breach was initially thought to involve the theft of as many as 83 million customer records.

Altogether, the trio has been accused of ripping off the data of more than 100 million customers from JPMorgan and other companies, and then using it in schemes such as stock manipulation that generated hundreds of millions of dollars in illicit gains.

Hill was released on $75,000 bond on Thursday. Pending his trial, the court also barred him from accessing online money exchanges.
