Geek News: Latest Technology, Product Reviews, Gadgets and Tech Podcast News for Geeks


Two Million Passwords Stolen by Hackers

Posted by JenThorpe at 6:36 PM on December 4, 2013

On November 24, 2013, researchers at Trustwave discovered that hackers have obtained up to 2 million passwords for websites like Facebook, Google, Yahoo!, Twitter and others. Researchers learned this after digging into source code from the Pony botnet. It appears that information about this has only been made public very recently.

Here are some quick stats on some of the domains from which the passwords were stolen:

* Facebook – 318,121 (or 57%)
* Yahoo! – 60,000
* Google Accounts – 54,437
* Twitter – 21,708
* Google.com – 16,095
* LinkedIn – 8,490
* ADP (a payroll provider) – 7,978

In total, the Pony botnet stole credentials for 1.58 million websites, 320,000 email accounts, 41,000 FTP accounts, 3,000 remote desktops, and 3,000 secure shell accounts.

According to Trustwave, around 16,000 accounts used the password “123456”, 2,221 used “password” and 1,991 used “admin”. Now is a good time to go change your passwords into something strong and secure.

Doing so won’t make it impossible for hackers to crack your password, but it could make it more difficult. Trustwave noted that only 5% of the 2 million stolen passwords rated as excellent (meaning they contained all four character types and were longer than 8 characters).
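As an added example (not from the original post or from Trustwave), the Python below applies Trustwave's stated "excellent" criterion, all four character types and more than 8 characters, to a constructed password dump and reports the tier counts, the excellent share and the most reused passwords, the same figures the stats above are built from. The lower tiers are an assumed scheme, not Trustwave's published scale.

```python
import re
from collections import Counter

# "excellent" is Trustwave's stated criterion: all four character types and
# length over 8. The lower tiers are an assumed scheme for illustration.
CHARACTER_CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def character_classes(password):
    """Return the set of character classes present in the password."""
    return {name for name, rx in CHARACTER_CLASSES.items() if rx.search(password)}


def rate(password):
    """Place a password in one of four tiers."""
    n_classes = len(character_classes(password))
    if n_classes == 4 and len(password) > 8:
        return "excellent"
    if n_classes >= 3 and len(password) >= 8:
        return "good"
    if n_classes >= 2 and len(password) >= 6:
        return "medium"
    return "weak"


def audit(passwords):
    """Summarise a dump the way the stats above do: tier counts, the share
    rated excellent, and the most reused passwords."""
    tiers = Counter(rate(p) for p in passwords)
    reuse = Counter(passwords)
    return {
        "tiers": dict(tiers),
        "excellent_share": tiers["excellent"] / len(passwords) if passwords else 0.0,
        "most_common": reuse.most_common(3),
    }


# Constructed sample standing in for a recovered credential dump; the values
# are illustrative and not taken from the Pony data.
SAMPLE_DUMP = (
    ["123456"] * 4 + ["password"] * 2 + ["admin"]
    + ["Password1", "Tr0ub4dor&3", "abc123"]
)

if __name__ == "__main__":
    for key, value in audit(SAMPLE_DUMP).items():
        print(key, value)
```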

SIM Card Security Flaw Exposing 750 Million Cell Phones

Posted by J Powers at 8:54 AM on July 22, 2013

Outdated encryption is to blame for a new risk on your cellular device. According to a report by SRLabs and research which will be presented at BlackHat on July 31st, the Subscriber Identity Module (SIM) card can be hacked in a few ways, including through SMS messages.

According to SRLabs, SIM cards use 56-bit DES encryption, a technology created in the 70s. Using what are called FPGA clusters, the SIM’s encryption can be cracked. SRLabs is looking to raise awareness of these issues and then recommend better SIM card technology, an SMS firewall and SMS filtering so that simple hacking techniques cannot access SIM card data.

It is reported that over 750 million SIM cards are vulnerable to this hack; that is 1 in 8 SIM cards, according to Karsten Nohl of SRLabs. An improperly encrypted SMS message, along with the use of a custom Java program, can open the SIM to malware. A hacker could do anything from changing your voicemail to accessing the personal information on the SIM card.

In some phones, most information is stored on the phone and not on the SIM. In others, SIM data can also include bank information, passwords to websites and programs, and more. However, as we move to mobile and wearable devices, more SIM cards will be used to connect people to cellular networks.


Twitter Adds Two Step Verification System

Posted by J Powers at 10:50 AM on May 23, 2013

When Burger King got hacked, we all laughed at the idea that McDonald’s might have bought it. When the Associated Press got hacked, we noticed. But it took the Onion getting hacked for Twitter to finally do something…

Twitter rolled out a two-step verification system to give users extra protection against would-be hackers. The verification method involves a special code that is sent to the user’s phone when they try to log in. With this extra step requiring a cell phone, hackers can be thwarted in trying to access an account.

This is not a new process; Facebook and Google both offer this second verification step among their security features. It’s better than a password because you don’t need to remember one. It’s also better than a “name your pet” verification because in some cases (like Sarah Palin’s) people know that information.

“Today we’re introducing a new security feature to better protect your Twitter account: login verification,” says Jimio from the Twitter Product Security Team on the Twitter blog. “With login verification enabled, your existing applications will continue to work without disruption. If you need to sign in to your Twitter account on other devices or apps, visit your applications page to generate a temporary password to log in and authorize that application.”

If you choose not to opt in, you run the risk of getting hacked. Of course, you also need to keep your phone number up to date. If it changes, you might have problems getting into your account.
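As an added example, not Twitter’s own code, here is the server side of the flow described above: a one-time code delivered out of band after the password check, plus single-use temporary passwords for applications that cannot take the SMS step. The `send_sms` callback, the 300-second code lifetime and the five-guess cap are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

CODE_TTL = 300      # seconds a delivered code stays valid (assumed value)
MAX_ATTEMPTS = 5    # guesses allowed before the code is discarded (assumed)


def _digest(value: str) -> str:
    # Stored in place of the clear code so a leaked session table does not
    # expose live codes; the attempt cap, not the hash, is what limits guessing.
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class PendingLogin:
    code_hash: str
    expires_at: float
    attempts: int = 0


@dataclass
class Account:
    phone: str
    login_verification: bool = False
    pending: Optional[PendingLogin] = None
    app_passwords: Dict[str, str] = field(default_factory=dict)  # hash -> app label


class LoginVerifier:
    """Server side of the second step. send_sms is a hypothetical delivery
    callback so the example runs offline; clock is injectable for expiry."""
    def __init__(self, send_sms: Callable[[str, str], None], clock=time.time):
        self.send_sms, self.clock = send_sms, clock

    def begin(self, acct: Account) -> bool:
        """Call after the password check passes. True means the login is
        complete; False means the user must now submit the code sent by SMS."""
        if not acct.login_verification:
            return True
        code = f"{secrets.randbelow(10**6):06d}"
        acct.pending = PendingLogin(_digest(code), self.clock() + CODE_TTL)
        self.send_sms(acct.phone, f"Your login code is {code}")
        return False

    def complete(self, acct: Account, submitted: str) -> bool:
        p = acct.pending
        if p is None or self.clock() > p.expires_at:
            acct.pending = None
            return False
        p.attempts += 1
        ok = hmac.compare_digest(p.code_hash, _digest(submitted))
        if ok or p.attempts >= MAX_ATTEMPTS:
            acct.pending = None  # single use, and discarded after too many guesses
        return ok

    def issue_app_password(self, acct: Account, app: str) -> str:
        """Temporary password for a device or app that cannot take the SMS step."""
        token = secrets.token_urlsafe(12)
        acct.app_passwords[_digest(token)] = app
        return token

    def authorize_app(self, acct: Account, token: str) -> Optional[str]:
        """Consume the temporary password; returns the app it was issued for."""
        return acct.app_passwords.pop(_digest(token), None)
```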

If Your Twitter Gets Hacked

First, attempt to change your password. If you still can’t log in, contact Twitter through a support request (choosing “Hacked account” from the list of options).

LivingSocial has been Hacked

Posted by JenThorpe at 4:26 PM on April 26, 2013

Are you using LivingSocial? At the top of their website today is an important notice for customers that says “if you haven’t already updated your LivingSocial password, please update it now”. According to CNN, the LivingSocial website, which people use to get daily deals, suffered a cyberattack on some of its servers. Data for more than 50 million users may have been accessed. LivingSocial says that credit card data was not affected by the cyberattack.

AllThingsD has posted the entire email from CEO Tim O’Shaughnessy that was sent to employees of LivingSocial. The email states:

The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords – technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text.

The same paragraph was in an email sent to users of LivingSocial, along with instructions about how to change their password. Users are encouraged to also change passwords on any other sites in which they used the same, or similar, password as the one they were using on LivingSocial.

I am not a user of LivingSocial, but I know that it is a website that offers people daily deals on a variety of things. There are many other websites, and apps, that also offer special deals to users. When people sign up for these types of things, they are doing it because they want to save money.

Nobody thinks about the potential for their favorite deals website to get hacked. It makes me wonder if the ability to get good deals through services like LivingSocial is really worth the risk of having your personal information out there (potentially accessible to hackers).

55,000 Twitter Accounts Have Been Hacked

Posted by JenThorpe at 6:02 PM on May 8, 2012

An anonymous source (but not the hacker group that goes by the name “Anonymous”) has hacked more than 55,000 Twitter accounts. The leak includes the username and password of each of the compromised Twitter accounts.

Was yours one of the thousands that were hacked? There is a huge list of the Twitter accounts that were affected that you can sort through. Someone put them onto Pastebin. There are so many of them that the list had to be split into five separate lists.

They are: Page One, Page Two, Page Three, Page Four, and Page Five. According to AirDemon.net, you can find your account by using the find feature in your browser (CTRL + F) and typing in your email ID.

At this time, it appears that Twitter has disabled many of the accounts that were hacked. A spokesperson from Twitter said:

“We’ve discovered that the list of alleged accounts and passwords found on Pastebin consists of more than 20,000 duplicates, many spam accounts that have already been suspended and many login credentials that do not appear to be linked – that is, the password and username are not actually associated with each other”.

It sounds to me like perhaps some anonymous hacker decided to take action against the plethora of spam accounts that keep popping up on Twitter (since Twitter doesn’t seem to do a whole lot to get rid of them or prevent new spammers from appearing). We are all tired of being followed by spam Twitter accounts. Perhaps the anonymous hacker is sort of acting like a modern-day “Robin Hood”, only, instead of taking money from the rich and redistributing it to the poor, he or she is taking spam accounts from Twitter and making Twitter do something about them.

If you are concerned that your Twitter account is among the thousands that were hacked, you might want to go ahead and change your password. Those of you that connected your Twitter account to your Facebook account, or other forms of social media, might want to check to see if those connected accounts have been affected as a result of the hacked Twitter accounts.

YouTube Hackers Invade Sesame Street, Replace with Porn

Posted by J Powers at 7:34 AM on October 17, 2011

Sunny Day, but the streets look different…

Visitors to the iconic children’s show “Sesame Street” on YouTube got a rude awakening on Sunday. All videos were deleted, and replaced with pornographic material. The header on the front page said “Sesame Street: It’s Where Porn Lives”. YouTube took instant action and brought down the site within the hour. At this moment, the page is still offline.

Blame has been flying around; a Reddit thread blames a person going by “MrEdxwx”. MrEdxwx has responded with a video stating his case that he did not hack Sesame Street.

Their Facebook page has a public apology:

We apologize for any inconvenience our audience may have experienced today on our Sesame Street YouTube channel. Our channel was compromised and we are presently working with YouTube/Google to restore our original content. We always strive to provide age-appropriate content for our viewers and hope to resolve this problem quickly.

This article was brought to you by the letters and numbers – H4cK0r.


Sony Issues Statement About the PlayStation Network

Posted by Alan at 3:27 PM on October 12, 2011

2010 and 2011 have been rough years for Sony and for PS3 owners who use the popular PlayStation Network for online gaming.  The service has come under attack, and been taken down, on more than one occasion, and for extended time periods.  The latest attack began to hit the news yesterday, when it was learned that the service was again under attack.

Reports have ranged from a DDoS attack to user account hacking, but earlier today Sony finally set the record straight about what is going on, how extensive the attack is, and what steps they are taking to fix the problem.

According to Sony, the attack spanned three of their networks – the PlayStation Network, Sony Entertainment Network, and Sony Online Entertainment.  A total of approximately 93,000 users have been affected, and those accounts have now been locked by Sony.  It appears to have been a hacking attack – the perpetrators attempted to gain log-in access to accounts, and succeeded on 93,000 of them, which is actually a relatively small percentage.  At this time, Sony says that those users’ credit card data is still safe.

If you have a PSN account, even if you don’t think you were affected, I would still recommend changing your password. Use a long password that incorporates letters, numbers, and symbols. Although Sony says credit card information wasn’t obtained, it would still be prudent to monitor your account closely and report anything that seems suspicious.

Below is the full text of Sony’s announcement.

“12 October 2011

Tokyo, October 12 – Sony Network Entertainment International LLC and Sony Online Entertainment (SOE) have detected a large amount of unauthorized sign-in attempts on PlayStation®Network (PSN), Sony Entertainment Network (SEN) and Sony Online Entertainment (SOE) services. We discovered these attempts and have taken steps to mitigate the activity.

Less than one tenth of one percent of our PSN, SEN and SOE consumers may have been affected. There were approximately 93,000 accounts (PSN/SEN: approximately 60,000 accounts; SOE: approximately 33,000) where the attempts succeeded in verifying those accounts’ valid sign-in IDs and passwords, and we have temporarily locked these accounts. As a preventative measure, we will be sending email notifications to these account holders and will be requiring secure password resets or informing consumers of password reset procedures.

Credit card numbers associated with these accounts are not at risk as a result of these unauthorized attempts. Only a small fraction of these 93,000 accounts showed additional activity prior to being locked. We are continuing to investigate the extent of unauthorized activity on any of these accounts.

These attempts appear to include a large amount of data obtained from one or more compromised lists from other companies, sites or sources. These were unauthorized attempts to verify valid user accounts on our services using very large sets of sign-in IDs and passwords. Between October 7 – 10 US Pacific Daylight Time, we confirmed that these were unauthorized attempts, and took steps to thwart this activity.

For the latest updates please visit http://blog.eu.playstation.com/”
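Sony’s description of the attack (sign-in attempts using very large sets of IDs and passwords obtained from lists compromised elsewhere) is what defenders now call credential stuffing. As an added example, not Sony’s own tooling, the Python below runs a simple detector over a constructed sign-in log: a source that sweeps many distinct IDs with a low success rate is flagged, and the accounts it did manage to verify are the ones to lock and force through a password reset. The log format and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sign-in log using RFC 5737 documentation addresses: the
# first source sweeps a list bought elsewhere; the other two are ordinary
# users, one of whom mistyped a password once.
SAMPLE_LOG = """\
2011-10-08T02:14:07Z src=203.0.113.7 user=alice result=FAIL
2011-10-08T02:14:08Z src=203.0.113.7 user=bob result=FAIL
2011-10-08T02:14:09Z src=203.0.113.7 user=carol result=OK
2011-10-08T02:14:10Z src=203.0.113.7 user=dave result=FAIL
2011-10-08T02:14:11Z src=203.0.113.7 user=erin result=FAIL
2011-10-08T02:14:12Z src=203.0.113.7 user=frank result=FAIL
2011-10-08T02:14:13Z src=203.0.113.7 user=grace result=FAIL
2011-10-08T02:14:14Z src=203.0.113.7 user=heidi result=FAIL
2011-10-08T02:15:00Z src=198.51.100.20 user=ivan result=FAIL
2011-10-08T02:15:20Z src=198.51.100.20 user=ivan result=OK
2011-10-08T02:16:00Z src=192.0.2.5 user=judy result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def detect_stuffing(events, min_distinct_users=5, max_success_rate=0.25):
    """Flag sources that try many different sign-in IDs with mostly failures,
    the signature of testing credentials stolen elsewhere. Thresholds are
    assumed starting values, to be tuned per service."""
    per_src = defaultdict(lambda: {"users": set(), "ok_users": set(), "ok": 0, "fail": 0})
    for e in events:
        s = per_src[e["src"]]
        s["users"].add(e["user"])
        if e["result"] == "OK":
            s["ok"] += 1
            s["ok_users"].add(e["user"])
        else:
            s["fail"] += 1
    flagged = {}
    for src, s in per_src.items():
        total = s["ok"] + s["fail"]
        success_rate = s["ok"] / total
        if len(s["users"]) >= min_distinct_users and success_rate <= max_success_rate:
            flagged[src] = {
                "distinct_users": len(s["users"]),
                "attempts": total,
                "success_rate": success_rate,
                "compromised": sorted(s["ok_users"]),
            }
    return flagged


def accounts_to_lock(flagged):
    """Accounts whose password was verified from a flagged source: lock them
    and require a password reset, the response Sony describes above."""
    return {u for info in flagged.values() for u in info["compromised"]}
```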

How To Hack Mobile Phone Voicemail

Posted by Andrew at 2:44 PM on July 11, 2011

As the fall-out from the News of the World scandal continues, many sources continue to inaccurately refer to “mobile phone hacking”. The truth (as far as is known) was that it was the voicemail of the mobile phone that was hacked rather than the phone itself. There are two ways to do this – the first is to simply guess the PIN of the voicemail and the second is to use Caller ID spoofing.

In the mid-2000s, most mobile phone voicemail systems were poorly protected as they typically came with a default PIN which was often easily guessed and only varied according to the mobile phone company. Most users didn’t bother to change the PIN. Say the phone was on Orange, then the default PIN was 1234. If it was Vodafone, then 0000. Typically, the villain then makes two simultaneous calls to the victim. One will be picked up, the other will go to voicemail. By then pressing “*” or “#” while listening to the voicemail prompts, the individual can gain access to the voicemail system using the default PIN. Computeractive has an article covering this scenario and how, in theory, it would be harder (but not impossible) to take this approach today.

As for Caller ID spoofing, this technique makes a call look like it’s coming from a different number than it actually is. It can be used legally to make someone calling from a mobile to actually appear to be coming from a company office, so that the person’s mobile number is not divulged. However, in some instances it has been used to gain access to voicemail boxes as many voicemail systems do not ask for further identification if the system recognises the inbound Caller ID as one of its own. PC Mag and c|net have short articles on how this is done and worryingly, this is still a threat. The Wall Street Journal covered the problem in 2010 before the current scandal broke.

It would appear that the best protection to both these attacks is (a) to change your PIN on your voicemail and (b) require your PIN even when calling from your own mobile phone. That way, even if your Caller ID is spoofed, the caller can’t get in without knowing your PIN.

“News of the World” Phone Hacking Scandal

Posted by Andrew at 3:45 AM on July 7, 2011

News International today announced that this Sunday’s edition of the News of the World newspaper would be the last edition and that the newspaper was closing down. Ostensibly the reason is that a phone hacking scandal had irretrievably stained the name of the newspaper, but the suspicion is that there’s far more to the closure.

For non-UK residents, it’s an astonishing story that involves several alleged crimes and some disgraceful behaviour. First of all, News of the World (NOTW) is one of the biggest selling Sunday newspapers with around 40% of the market and 2.8 million readers. It’s been going for 168 years and while considered a tabloid paper, it has been instrumental in revealing other scandals involving politicians and other well-known figures.

The scandal itself is that around six years ago, a private investigator used by the newspaper is alleged to have hacked into the voice mailboxes of over 4,000 people, including royal aides, sports stars, celebrities and politicians. Even worse, it is further alleged that the mailboxes of soldiers killed in Iraq and murder victims were hacked into. In particular, the alleged deletion of messages on Milly Dowler’s phone is suggested to have given hope to her parents that she was still alive when she had been killed.

Rumours of the hacking arose when the newspaper published stories that could only have been discovered from personal messages. The private investigator and the journalist involved were sent to prison back in 2007 and at the time, a police investigation suggested that the two individuals involved acted alone. In 2009, the Guardian newspaper claimed that thousands of mailboxes had been hacked and that the practice was well known and routine. The Metropolitan Police refused to re-open the investigation. It has also now been alleged that NOTW made payments to the police in return for information. The hacking of the mobile phone’s voice mail was not sophisticated. The private investigator simply relied on the fact that most people did not bother changing the default PIN on their voice mailbox.

Over the past week, as the revelations of the alleged hacking continued, public opinion turned against NOTW. Major advertisers in the paper withdrew their contracts, unwilling to be associated with the unfolding scandal. It was perhaps inevitable that the NOTW would have to close but it seems harsh to punish the current staff for the activities of their predecessors.

The intrigue continues as the parent company, News International, is keen to buy out the remaining shares in BSkyB. However, this has raised concerns that one single company would own too much of the UK media; News International owns The Times too. The suggestion has been made that closing one newspaper, NOTW, will reassure the regulatory authorities, but there are also now questions about whether News International is fit and proper to take over BSkyB. It is rumoured that News International will launch a Sunday edition of a sister newspaper, The Sun. The domains “TheSunOnSunday.co.uk” and “TheSunOnSunday.com” were registered two days ago, though it’s not clear who registered them.

It’s an amazing scandal and totally despicable; some of the stuff you couldn’t make up. If there’s one thing to be learnt from the scandal, it’s to make sure you change the default PIN on your mobile phone’s voice mailbox.


Is it the Browser, or the People Using the Browser?

Posted by susabelle at 5:39 PM on June 2, 2011

Another breach of security, at another big name. Or is it? The recently announced breach of email and personal information comes to us from Google and those with Gmail accounts. The “attacks” have come from China, and affected “top U.S. officials.” But reading the fine print in all of the articles out there about this latest “breach” brings up the same cause:

“targeted attacks…duped victims into revealing their Gmail passwords through e-mails that pose as people or companies known to end user.”

In other words, phishing.  The users themselves were to blame for letting the hackers into their accounts.

If I leave my car unlocked and full of things like GPS devices, iPods, digital cameras, backpacks, the purchases we just made at Macy’s and the Apple Store, we can’t complain that someone stole our stuff.  If you let the crook into your living room, you can’t complain that he stole your television!

The fact is, there are always going to be people trying to rip us off.  That’s the way the world is, whether we like it or not.  We lock our cars, and the doors to our houses, because that’s the best way to keep out the bad guys.  It’s not fool proof, of course, but it reduces the chances of a theft by a whole bunch.

The same needs to be the case for us when it comes to our computers. By taking an extra 30 seconds to check the legitimacy of an email from someone, and by being suspicious of anyone asking for my username or password, I have successfully avoided getting a virus, a trojan, malware, or, worse yet, losing my personal information. In other words, I’ve never been hacked.

I’m not smarter than anyone else, I’m sure of that.  What I am is skeptical, and cautious.  I still only read email in text form (not html).  I know what my friends sound like when they write to me in an email, and I will recognize when they don’t sound like themselves.  I use strong passwords, and answer my “challenge questions” with false information that I will easily remember but that no one else can figure out.

I don’t consider this recent “attack” as a hack, as much as it is a crook taking advantage of people who have left themselves open to theft.  That crook is always looking for a way to get what is yours.  It is up to me to make sure he doesn’t have an open door to walk through.  “Top government officials” should know enough not to be phished.  And if they don’t know enough, then why aren’t they being trained to be more cautious?

This alone amazes me. It’s not that hard to be cautious, to keep a suspicious mind, and to take a few extra minutes to verify that where you’re clicking, and what information you are entering, is really something you should be doing.

Is Google supposed to take responsibility for this recent attack?  I sure don’t think so.  Place the blame where it belongs:  on the user.