Category Archives: Hacker

Two Million Passwords Stolen by Hackers



On November 24, 2013, researchers at Trustwave discovered that hackers had obtained up to 2 million passwords for websites like Facebook, Google, Yahoo! and Twitter (among others). Researchers learned this after digging into source code from the Pony botnet. It appears that information about this has only been made public very recently.

Here are some quick stats about some of the domains from which the passwords were stolen:

* Facebook – 318,121 (or 57%)
* Yahoo! – 60,000
* Google Accounts – 54,437
* Twitter – 21,708
* Google.com – 16,095
* LinkedIn – 8,490
* ADP (a payroll provider) – 7,978

In total, the Pony botnet stole credentials for 1.58 million websites, 320,000 email accounts, 41,000 FTP accounts, 3,000 remote desktops, and 3,000 secure shell accounts.

According to Trustwave, around 16,000 accounts used the password “123456”, 2,221 used “password” and 1,991 used “admin”. Now is a good time to go change your passwords to something strong and secure.

Doing so won’t make it entirely impossible for hackers to crack them, but it could make it more difficult. Trustwave noted that only 5% of the 2 million stolen passwords were excellent (meaning the passwords had all four character types and were longer than 8 characters).


SIM Card Security Flaw Exposing 750 Million Cell Phones




Outdated encryption is to blame for a new risk on your cellular device. According to a report by SRLabs and research which will be presented at BlackHat on July 31st, the Subscriber Identity Module (SIM) card can be hacked in a few ways, including through SMS messages.

According to SRLabs, SIM cards use 56-bit DES encryption – a technology created in the 70s. Using what are called FPGA clusters, a SIM can be cracked. SRLabs is looking to raise awareness of these issues, then recommend better SIM card technology, an SMS firewall and SMS filtering so that simple hacking techniques cannot access SIM card data.

It is reported that over 750 million SIM cards are vulnerable to this hack. That is 1 in 8 SIM cards, according to Karsten Nohl of SRLabs. An improperly encrypted SMS message – along with use of a custom Java program – can open the SIM to malware. A hacker can do anything from changing your voicemail to accessing your personal information on the SIM card.

In some phones, most information is stored on the phone and not the SIM. In some phones, SIM data can also include bank information, passwords to websites and programs and more. However, as we move to mobile and wearable devices, more SIM cards will be used to connect people to cellular networks.


Twitter Adds Two Step Verification System



When Burger King got hacked, we all laughed at the idea McDonald’s might have bought it. When the Associated Press got hacked, we noticed. But it took The Onion getting hacked for Twitter to finally do something…

Twitter rolled out a two-step verification system to give users extra protection against would-be hackers. The verification method uses a special code that is sent to the user’s phone when they try to log in. With this extra step using a cell phone, hackers can be thwarted when trying to access an account.

This is not a new process – Facebook and Google both offer this second verification step in their security features. It’s better than a password because you don’t need to remember one. It’s also better than a “name your pet” verification because in some cases (like Sarah Palin) people know that information.

“Today we’re introducing a new security feature to better protect your Twitter account: login verification,” says Jimio from the Twitter Product Security Team on the Twitter blog. “With login verification enabled, your existing applications will continue to work without disruption. If you need to sign in to your Twitter account on other devices or apps, visit your applications page to generate a temporary password to log in and authorize that application.”

If you choose not to opt in, you run the risk of getting hacked. Of course, you also need to keep your phone number up-to-date. If it changes, you might have problems getting into your accounts.

If your Twitter Gets Hacked

First, attempt to change your password. If you still can’t log in, contact Twitter through a Support request (choosing “Hacked account” from the list of options).


LivingSocial has been Hacked



Are you using LivingSocial? At the top of their website today is an important notice for customers that says “if you haven’t already updated your LivingSocial password, please update it now”. According to CNN, the LivingSocial website, which people use to get daily deals, suffered a cyberattack on some of its servers. Data for more than 50 million users may have been accessed. LivingSocial says that credit card data was not affected by the cyberattack.

AllThingsD has posted the entire email from CEO Tim O’Shaughnessy that was sent to employees of LivingSocial. The email states:

The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords – technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text.

The same paragraph was in an email sent to users of LivingSocial, along with instructions about how to change their password. Users are encouraged to also change passwords on any other sites on which they used the same, or a similar, password as the one they were using on LivingSocial.

I am not a user of LivingSocial, but I know that it is a website that offers people daily deals on a variety of things. There are many other websites, and apps, that also offer special deals to users. When people sign up for these types of things, they are doing it because they want to save money.

Nobody thinks about the potential for their favorite deals website to get hacked. It makes me wonder if the ability to get good deals through services like LivingSocial is really worth the risk of having your personal information out there (potentially accessible to hackers).


55,000 Twitter Accounts Have Been Hacked



An anonymous source (but not the hacker group that goes by the name “Anonymous”) has hacked more than 55,000 Twitter accounts. This includes the username and password of each of the compromised Twitter accounts.

Was yours one of the thousands that were hacked? There is a huge list of the Twitter accounts that were affected that you can sort through. Someone put them onto Pastebin. There are so many of them that the list had to be split into five separate lists.

They are: Page One, Page Two, Page Three, Page Four, and Page Five. According to AirDemon.net, you can find your account by using the find feature in your browser (CTRL + F) and typing in your email ID.

At this time, it appears that Twitter has disabled many of the accounts that were hacked. A spokesperson from Twitter said:

“We’ve discovered that the list of alleged accounts and passwords found on Pastebin consists of more than 20,000 duplicates, many spam accounts that have already been suspended and many login credentials that do not appear to be linked – that is, the password and username are not actually associated with each other”.

It sounds to me like perhaps some anonymous hacker decided to take action against the plethora of spam accounts that keep popping up on Twitter (since Twitter doesn’t seem to do a whole lot to get rid of them or prevent new spammers from appearing). We are all tired of being followed by spam Twitter accounts. Perhaps the anonymous hacker is sort of acting like a modern-day “Robin Hood”, only, instead of taking money from the rich and redistributing it to the poor, he or she is taking spam accounts from Twitter, and making Twitter do something about them.

If you are concerned that your Twitter account is among the thousands that were hacked, you might want to go ahead and change your password. Those of you that connected your Twitter account to your Facebook account, or other forms of social media, might want to check to see if those connected accounts have been affected as a result of the hacked Twitter accounts.


YouTube Hackers Invade Sesame Street, Replace with Porn




Sunny Day, but the streets look different…

Visitors to the iconic children’s show “Sesame Street” on YouTube got a rude awakening on Sunday. All videos were deleted, and replaced with pornographic material. The header on the front page said “Sesame Street: It’s Where Porn Lives”. YouTube took instant action and brought down the site within the hour. At this moment, the page is still offline.

Blame has been going around: a Reddit thread points at a user named “MrEdxwx”. MrEdxwx has responded with a video stating his case that he did not hack Sesame Street.

Their Facebook Page has a public apology:

We apologize for any inconvenience our audience may have experienced today on our Sesame Street YouTube channel. Our channel was compromised and we are presently working with YouTube/Google to restore our original content. We always strive to provide age-appropriate content for our viewers and hope to resolve this problem quickly.

This article was brought to you by the letters and numbers – H4cK0r.


Sony Issues Statement About the PlayStation Network




2010 and 2011 have been rough years for Sony and for PS3 owners who use the popular PlayStation Network for online gaming.  The service has come under attack, and been taken down, on more than one occasion, and for extended time periods.  The latest attack began to hit the news yesterday, when it was learned that the service was again under attack.

Reports have ranged from a DDoS attack to user account hacking, but earlier today Sony finally set the record straight about what is going on, how extensive the attack is, and what steps they are taking to fix the problem.

According to Sony, the attack spanned three of their networks – the PlayStation Network, Sony Entertainment Network, and Sony Online Entertainment.  A total of approximately 93,000 users have been affected, and those accounts have now been locked by Sony.  It appears to have been a hacking attack – the perpetrators attempted to gain log-in access to accounts, and succeeded on 93,000 of them, which is actually a relatively small percentage.  At this time, Sony says that those users’ credit card data is still safe.

If you have a PSN account, even if you don’t think you were affected, I would still recommend changing your password. Use a long password that incorporates letters, numbers, and symbols. Although Sony says credit information wasn’t gained, it would still be prudent to monitor your account closely and report anything that seems suspicious.

Below is the full text of Sony’s announcement.

“12 October 2011

Tokyo, October 12 – Sony Network Entertainment International LLC and Sony Online Entertainment (SOE) have detected a large amount of unauthorized sign-in attempts on PlayStation®Network (PSN), Sony Entertainment Network (SEN) and Sony Online Entertainment (SOE) services. We discovered these attempts and have taken steps to mitigate the activity.

Less than one tenth of one percent of our PSN, SEN and SOE consumers may have been affected. There were approximately 93,000 accounts (PSN/SEN: approximately 60,000 accounts; SOE: approximately 33,000) where the attempts succeeded in verifying those accounts’ valid sign-in IDs and passwords, and we have temporarily locked these accounts. As a preventative measure, we will be sending email notifications to these account holders and will be requiring secure password resets or informing consumers of password reset procedures.

Credit card numbers associated with these accounts are not at risk as a result of these unauthorized attempts. Only a small fraction of these 93,000 accounts showed additional activity prior to being locked. We are continuing to investigate the extent of unauthorized activity on any of these accounts.

These attempts appear to include a large amount of data obtained from one or more compromised lists from other companies, sites or sources. These were unauthorized attempts to verify valid user accounts on our services using very large sets of sign-in IDs and passwords. Between October 7 – 10 US Pacific Daylight Time, we confirmed that these were unauthorized attempts, and took steps to thwart this activity.

For the latest updates please visit http://blog.eu.playstation.com/