Category Archives: News Bites

Short news items

Hacks, Hacks, Everywhere A Hack

Back in 2012, LinkedIn told its users that it had been hacked, to the tune of 6.5 million accounts.  Well, it turns out that was a tad shy of the truth.  The real number was 117 million email and password combinations, roughly 18 times the number LinkedIn had admitted to.  LinkedIn told the 6.5 million users to change their passwords, but not the other 110+ million.  The Fortune article has links to other sources if you want more information, but my recommendation is that you change your LinkedIn password now, and change it anywhere else you used the same one.

Tumblr says that it just discovered that hackers stole 65 million user email/password combinations in 2013.  That is a long time to figure that out.  I assume they found out because the hackers are now trying to sell those passwords.  Since people reuse passwords on other sites and don’t change their passwords, it is likely that many of those passwords still work somewhere.  The good news is that the passwords were hashed and salted.  Salting means every user’s password has to be cracked separately: an attacker cannot hash a wordlist once and look up all 65 million records in a precomputed table, so cracking the dump is a LOT of work, but not impossible, especially for weak or reused passwords.  This is a perfect example of companies being hacked and not even knowing about it.  The only reason they found out is that someone is trying to sell the data.
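To make the salting point concrete, here is an added example (my own illustration, not code from any of the breached sites or from the articles linked below).  It stores the same made-up accounts two ways, plain SHA-1 and SHA-1 with a random per-user salt, then cracks both with a six-word dictionary and counts how many hash computations the attacker needs.  The wordlist, the accounts and their passwords are all constructed for the example.

```python
import hashlib
import os

# Constructed data for the example: a tiny cracker's wordlist and a handful of
# made-up accounts. Nothing here comes from the Tumblr or LinkedIn dumps.
WORDLIST = ["123456", "password", "linkedin", "qwerty", "letmein", "sunshine"]
USERS = {
    "alice@example.com": "password",
    "bob@example.com": "correct horse battery staple",
    "carol@example.com": "linkedin",
    "dave@example.com": "sunshine",
}


def unsalted_hash(password: str) -> str:
    """Plain SHA-1 of the password, the way the 2012 LinkedIn dump was stored."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """SHA-1 over a per-user random salt plus the password (salted, but not stretched)."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def leak_unsalted(users):
    """What the attacker gets from a site that stored unsalted hashes."""
    return {email: unsalted_hash(pw) for email, pw in users.items()}


def leak_salted(users):
    """What the attacker gets from a site that stored (salt, hash) per user."""
    leaked = {}
    for email, pw in users.items():
        salt = os.urandom(16)          # fresh random salt for every account
        leaked[email] = (salt, salted_hash(pw, salt))
    return leaked


def crack_unsalted(leaked, wordlist):
    """Hash the wordlist once, then crack every user by table lookup.
    Returns (cracked {email: password}, number of hash computations)."""
    table = {unsalted_hash(w): w for w in wordlist}
    cracked = {email: table[h] for email, h in leaked.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(leaked, wordlist):
    """Each user's salt is different, so the wordlist must be re-hashed for every
    user and no precomputed table helps. Returns (cracked, hash computations)."""
    cracked = {}
    work = 0
    for email, (salt, h) in leaked.items():
        for w in wordlist:
            work += 1
            if salted_hash(w, salt) == h:
                cracked[email] = w
                break
    return cracked, work


if __name__ == "__main__":
    c1, w1 = crack_unsalted(leak_unsalted(USERS), WORDLIST)
    c2, w2 = crack_salted(leak_salted(USERS), WORDLIST)
    print(f"unsalted: cracked {sorted(c1)} with {w1} hash computations")
    print(f"salted:   cracked {sorted(c2)} with {w2} hash computations")
```

With four toy accounts the difference is 6 hash computations versus 17; with 65 million accounts the salted case multiplies the attacker’s work by the number of users, and a deliberately slow hash such as bcrypt or PBKDF2 multiplies it again for every single guess.  Note that the same three weak passwords fall either way: salting buys time, it does not rescue "password".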

On the lighter side, Katy Perry’s Twitter account was apparently hacked, or else she was having a REALLY bad day.  Her 89 million followers were treated to a series of inappropriate tweets.  This reminds me of the recent (a couple of years ago) hack of the DoD’s Central Command Twitter account.  The point is that protecting a Twitter account, or any other account, with just a password is not secure; turn on two-factor authentication wherever it is offered.

On the “Gees, that is a big hack” side, Myspace (remember them?) data is now coming up for sale.  The dataset includes 360 million records, but only 111 million of them had user names.  However, many had email addresses (which may also be the user name on another site) and passwords; the total number of passwords in the dataset was 427 million.  While I doubt anyone still uses Myspace, if that email/password combination is used elsewhere …..

What is the take away from this?

  • Even though it is tempting, do not reuse passwords on any account that you care about, even in the least (from Amazon to Twitter, banking to email).
  • Use two-factor authentication on important accounts (such as banking, or any account that stores your credit card and lets it be charged).
  • Change your passwords periodically.  Notice that most of the news above is about old hacks where the data is being resold now.  If people changed passwords regularly (at least annually), that years-old data would be useless.

There is a web site called HaveIBeenPwned.com that lets you enter JUST an email address to see whether it comes up in their database of over half a billion breach records.  It is safe to use because all you enter is your email address; you never give it a password.

Information for the LinkedIn hack came from Fortune.

Information for the Tumblr hack came from Motherboard.

Information for the Katy Perry Twitter hack came from Techcrunch.

Information for the Myspace hack came from Fortune.

Maybe Oracle Doesn’t Like Other People To Find Security Holes

Oracle has a love-hate relationship with security researchers.  Actually, mostly hate.  Given that Oracle finds enough of its own bugs (it released 193 security fixes in its July Critical Patch Update), maybe it doesn’t want people to find any more.

This all started when Oracle Chief Security Officer Mary Ann Davidson wrote a rather long-winded rant on her company blog saying that people should stop reverse engineering Oracle’s code because it violates the license agreement and they never find anything worthwhile; they just waste Oracle’s time.

While the company has axed her blog post, the Internet never forgets, so her post is still available on the Internet Archive.

While she does make some good points, the bad will from the tone of the post overshadows them.

What she could have said in far fewer words is:

1. The first thing you should do is make sure that the software is configured in the most secure manner reasonable for what your business needs to do.

2. Make sure that you are running the current release and have installed all the patches (it is amazing how many Oracle customers fail this test).

3. Use the tools that Oracle provides to make sure you are not missing any secure configuration issues.

4. Don’t bother to run a static or dynamic code analyzer against our software, because 99+% of what it reports will be false positives and it takes way too much time to sort the one potentially valid issue out of the thousand false ones.

And a note to Ms. Davidson: don’t worry that the reverse engineering some analysis tools do is a violation of the license agreement.  Anyone who wants to steal your code will ignore the license agreement anyway, so what good does it do to beat up the customers who pay your salary?

She also said that Oracle would not give credit to researchers who find security holes.  What that does is push researchers to publish first; we see a lot of that at Black Hat and USENIX Security for just that reason.  The media will give them credit.  Then Oracle has to figure out how to do damage control.  Not a great move.

There.  I think I did that in far fewer words and likely annoyed a whole lot fewer Oracle customers in the process.

Hopefully, someone took Ms. Davidson to the break room and explained corporate branding 101 to her.  If not, the media certainly has.

That being said, as you consider a vendor, quietly assessing that vendor’s posture toward security researchers might be useful.  The good vendors embrace reputable researchers because they often find things the vendor’s own people missed, and you don’t have to pay them.  Even with a bug bounty program, you only pay for bugs you have not already found.  More than anything, it is about attitude.

Information for this post came from Wired.

Google Search Rules Changed Last Week

For those of you who depend on Google search engine position for your business, the world changed last week.

As of April 21st, 2015, Google is using mobile friendliness as a criterion in search rankings.  This affects mobile search (not desktop search) in all languages, worldwide.

Google has been saying that mobile friendliness is important for several years.  Now they are sort of “emphasizing” that point.

If your web site is not mobile friendly according to their criteria, your ranking in mobile search will drop like a rock (see Google changes ranking criteria).

Google has even created a mobile friendliness test to see if your web site passes muster.  I just checked my site and it passes.  WHEW!

The good news is that this is all fixable, and once you fix whatever needs fixing, your position will return to normal.

Check things out.  See where you are.  Fix things if you have to.  Otherwise, consider that you are likely to “disappear” from Google.

News Bites For April 14, 2015

I wrote about an attack on hotel routers a few weeks ago (see post).  Today, I heard more details on the attack.  The ANTlabs InnGate gateway, used by many hotel chains (see advisory), was configured incorrectly.  This configuration error allowed anyone who could reach the device to read or write any file on it, thereby easily owning the gateway and doing whatever they wanted to its guests.

This means the attacker could push software to a guest’s device, sniff traffic, or inject traffic that would appear to come from the guest’s device.  Pretty ugly.

###############

According to several sources that seem to have picked up the same article, Google and eBay have begun moving the data of Russian users into Russian data centers, ahead of a law requiring that which takes effect on September 1, 2015.  The alternative would seem to be closing down Russian operations, which probably did not look attractive to either organization.

How or whether they will protect Russian users’ data is unclear.  With their servers within physical reach of the FSB (the KGB’s successor), that may be difficult.

Update:  Google is denying that it is doing that, but is not saying anything about what it is doing, so things remain unclear.  They should become clearer by September 1.

###############

News Bites For April 7, 2015

Researchers from the University of Virginia and Perrone Robotics recently completed testing of an anti-hacking sensor for automobiles from startup Mission Secure, Inc.  The sensor was able to detect several attempts to take over the braking, acceleration and collision avoidance systems of cars on a test track.

This article says the tests went well, but challenges remain like convincing car makers to use something they did not invent, adapting it for different cars and getting the cost down.  Hopefully, car makers will do something before there is a flashy and possibly bloody demonstration of the problem.

###############

Although people love to beat up Android phones as not very secure, Google’s just-released Android security year in review says that the number of potentially harmful Android application installs was cut nearly in half from Q1 to Q4 of 2014 (see report).

Google found that less than 1% of Android devices had a potentially harmful app installed, and that number dropped to 0.15% for devices that installed apps only from Google Play.

###############

Dark Reading is reporting that 3 out of 4 Global 2000 companies are still vulnerable to the Heartbleed SSL bug a year after its public disclosure (see article).  Security software provider Venafi found 580,000 hosts (such as web servers) that had not completely fixed the Heartbleed problem.  Gartner called these companies “lazy”: they patched the bug but did not replace the potentially compromised private keys, reissue the certificates, or revoke the old ones.  The article offers a number of possible reasons, such as lack of knowledge and not knowing where all their keys and certificates reside.

As a reminder, Heartbleed is a bug in the very popular open source SSL/TLS library OpenSSL; it has a catchy name, a cute logo (a heart dripping blood) and a footprint of millions of affected computers.  The bug affects both clients and servers running a vulnerable OpenSSL and lets an attacker read chunks of the process’s memory, which can contain the server’s private key (giving the attacker the ability to masquerade as the server) or a user’s password (giving the attacker the ability to, for example, empty your bank account).

Part of the problem is that whether a particular system uses OpenSSL is not obvious to the user, the way a bug in Excel 2013 would be.
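Here is an added example of the kind of check the Venafi survey implies, written for this post rather than taken from the Dark Reading article or from Venafi.  It takes an inventory of hosts with their `openssl version` banner and the certificate’s notBefore date (as printed by `openssl x509 -noout -startdate`) and flags two conditions: hosts still running a vulnerable 1.0.1 build, and hosts that were patched but are still serving a certificate issued before the April 7, 2014 disclosure, which means the private key was never rotated.  The hostnames, versions and dates are made up, and the rule assumes the same key was in service on each host before it was patched.

```python
import re
from datetime import datetime, timezone

# Heartbleed (CVE-2014-0160) was disclosed on 7 April 2014. A private key that was
# in service on a host running vulnerable OpenSSL before the patch went on must be
# assumed stolen, so a certificate issued before that date is a red flag even when
# the code itself has been patched.
DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Constructed inventory (hostnames, versions and dates are made up). Each row holds
# the output of `openssl version` on the host and the `notBefore=` line printed by
# `openssl x509 -noout -startdate -in server.pem`.
INVENTORY = [
    ("www.example.com",    "OpenSSL 1.0.1g 7 Apr 2014",  "notBefore=Feb 13 09:12:44 2013 GMT"),
    ("api.example.com",    "OpenSSL 1.0.1g 7 Apr 2014",  "notBefore=Apr 10 18:00:01 2014 GMT"),
    ("legacy.example.com", "OpenSSL 1.0.1e 11 Feb 2013", "notBefore=Jun  1 00:00:00 2013 GMT"),
    ("old.example.com",    "OpenSSL 0.9.8y 5 Feb 2013",  "notBefore=Mar  3 12:00:00 2012 GMT"),
]

UNPATCHED = "unpatched"
KEY_NOT_ROTATED = "patched-but-key-not-rotated"
OK = "ok"

# Upstream 1.0.1 through 1.0.1f carry the bug; 1.0.1g and later are fixed.
# 1.0.0 and 0.9.8 never had the heartbeat code at all. (1.0.2-beta, which was
# also affected, is not modelled here.)
VULNERABLE_RE = re.compile(r"^OpenSSL 1\.0\.1([a-f]?)\b")


def version_vulnerable(banner: str) -> bool:
    """True for an upstream 1.0.1 .. 1.0.1f banner.
    Caveat: distro backports (Debian and Red Hat shipped a patched 1.0.1e) keep the
    old letter while being fixed, so on a real fleet confirm with the package
    changelog or a heartbeat probe rather than trusting the banner alone."""
    return VULNERABLE_RE.match(banner) is not None


def branch_had_heartbeat(banner: str) -> bool:
    """Only the 1.0.1 branch shipped the TLS heartbeat extension, so only keys that
    lived on those hosts could have been read out of process memory."""
    return banner.startswith("OpenSSL 1.0.1")


def parse_not_before(line: str) -> datetime:
    """Parse `notBefore=Mar  3 12:00:00 2012 GMT` exactly as openssl x509 prints it."""
    value = line.split("=", 1)[1].strip()
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def assess(banner: str, not_before_line: str) -> str:
    """Classify one host. Assumes the same key/cert was in service on this host
    before the patch was applied (true for the usual patch-in-place upgrade)."""
    if version_vulnerable(banner):
        return UNPATCHED
    if branch_had_heartbeat(banner) and parse_not_before(not_before_line) < DISCLOSURE:
        return KEY_NOT_ROTATED
    return OK


def audit(inventory):
    """Map each host to its status; anything but OK needs action: patch, or
    reissue the certificate on a fresh key and revoke the old one."""
    return {host: assess(banner, nb) for host, banner, nb in inventory}


if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:22} {status}")
```

The interesting row is www.example.com: it runs a fixed 1.0.1g, so a version scanner calls it clean, yet its certificate was issued in 2013 and the key it sits on spent a year on a vulnerable build.  That is the “patched but lazy” case Gartner describes, and it is invisible unless you track certificate issue dates against the patch date.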

###############

Apparently, the U.S. government has been tracking international phone calls far longer than Snowden told us about.  USA Today is reporting that the DEA was collecting records of international calls as far back as 1992 under President George H.W. Bush, approved by, at the least, then Attorney General William Barr.  The collection continued under Presidents Clinton, Bush II and Obama until it was killed in 2013 after the Snowden leaks.

The DEA was getting so much call data that it had to get help from the DoD to program computers to analyze it.  The DEA claims the call records have led to finding some big players, but could not name names.

The DEA used an “expansive interpretation” of administrative subpoenas, asserting that the data was relevant to federal drug investigations.  A former DEA official said they knew they were stretching the definition.

Now the DEA sends subpoenas to the phone companies to get the data.  It reportedly sends as many as a thousand subpoenas a day; however, that likely covers a much smaller share of the call traffic than the bulk collection did before 2013.

###############

News Bites

In case you were wondering, Siri is not being faithful.  Apple, Microsoft and other tech companies are sharing your voice with third parties.  But before you go ballistic, they are not selling the data.  Third parties such as Walk N’ Talk get your speech from these companies so that they can validate the quality of the speech transcription.  And yes, it is a human being whose job is to listen to you and score Siri (see details).  And yes, people do tell Siri some strange and naughty things.  I wrote about Samsung doing something similar a few weeks ago.

CERT at Carnegie Mellon is reporting an mDNS amplification DDoS (distributed denial of service) attack.  DDoS attacks take a web site down by overwhelming its servers in a variety of ways.  The effect, no matter the method, is that legitimate users cannot use the web site.  Banks are often attacked this way.  Amplification attacks are ones where the attacker sends a small number of bytes and the reply is much bigger.  In this case, for each 1 byte of bandwidth the attacker spends to initiate the attack, he gets about 10 bytes of attack traffic delivered to the web site he is trying to take down.  In this mDNS attack, the attacker sends a request to a poorly configured mDNS responder with a spoofed source address (the victim’s), and the responder sends its large reply to the site being attacked.

In theory, mDNS responders should only answer requests from their own local network, but researchers found at least 100,000 misconfigured hosts that would answer anyone.  This means an attacker could send a 100-byte request to each of 100,000 hosts (10 megabytes of traffic on his side) and, at 10x amplification, deluge a target with 100 megabytes of trash.  Do this enough times per second and you will take down the target.

Since the traffic appears to come from 100,000 hosts all over the Internet rather than from the attacker, these attacks are much harder to block.
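An added example, not taken from the CERT note: it builds the 46-byte mDNS service-enumeration query that these attacks use, constructs the reply a chatty host would send, computes the amplification factor, and then models the responder’s decision with and without the source-address check that RFC 6762 requires.  The advertised service list and the 192.168.1.0/24 local link are assumptions for the example, and nothing is sent on the network.

```python
import ipaddress
import struct
from typing import Optional

# The query abused in the wild: "list every service you offer".
SERVICE_ENUM = "_services._dns-sd._udp.local"
PTR, IN_CLASS = 12, 1

# Constructed answer set: what a chatty workstation or printer might advertise.
# Every rdata added here comes back in every reply, so it drives the amplification.
ADVERTISED = [
    "_workstation._tcp.local", "_ssh._tcp.local", "_http._tcp.local",
    "_printer._tcp.local", "_airplay._tcp.local", "_smb._tcp.local",
    "_ipp._tcp.local", "_afpovertcp._tcp.local",
]

# Constructed network: the link the responder lives on (an assumption for the example).
LOCAL_LINK = ipaddress.ip_network("192.168.1.0/24")


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ending in a zero byte (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str = SERVICE_ENUM) -> bytes:
    """A one-question mDNS query: 12-byte header, QNAME, QTYPE=PTR, QCLASS=IN."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)   # id, flags, qd, an, ns, ar counts
    return header + encode_name(name) + struct.pack("!HH", PTR, IN_CLASS)


def build_response(name: str, targets) -> bytes:
    """The reply: QR|AA flags, the question echoed, one PTR record per advertised service."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 1, len(targets), 0, 0)
    body = encode_name(name) + struct.pack("!HH", PTR, IN_CLASS)
    for target in targets:
        rdata = encode_name(target)
        # name, type, class, TTL (4500 s is the usual mDNS PTR TTL), rdlength, rdata
        body += encode_name(name) + struct.pack("!HHIH", PTR, IN_CLASS, 4500, len(rdata)) + rdata
    return header + body


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the victim receives per byte the attacker has to send."""
    return len(response) / len(query)


def responder(query: bytes, src_ip: str, check_source: bool) -> Optional[bytes]:
    """Model the responder's decision for a query that arrived from src_ip.

    RFC 6762 section 11 requires an mDNS responder to verify that a query's source
    address is on the local link and silently ignore it otherwise. check_source=False
    models the ~100,000 hosts in the CERT note that answered anyone, including a
    packet whose source address the attacker forged to be the victim's;
    check_source=True drops that packet and there is nothing to amplify.
    Parsing is deliberately minimal: the query is assumed to be well-formed."""
    if check_source and ipaddress.ip_address(src_ip) not in LOCAL_LINK:
        return None
    return build_response(SERVICE_ENUM, ADVERTISED)


if __name__ == "__main__":
    q = build_query()
    r = build_response(SERVICE_ENUM, ADVERTISED)
    print(f"query {len(q)} bytes, response {len(r)} bytes, amplification x{amplification_factor(q, r):.1f}")
    spoofed_src = "203.0.113.9"   # the victim's address, written into the attacker's packet
    print("open responder answers spoofed query: ", responder(q, spoofed_src, check_source=False) is not None)
    print("fixed responder answers spoofed query:", responder(q, spoofed_src, check_source=True) is not None)
```

The same source check belongs on the network border too: there is no legitimate reason for UDP/5353 traffic to arrive from the Internet, so a firewall rule that drops it closes the hole for hosts whose firmware you cannot fix.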

Uber is a disruptive business model and disruptive business models are messy.  Wired is reporting new trouble Uber is having.  Besides the regulatory challenges, the lawsuits over drivers soliciting customers and worse, and district attorneys suing them for conducting bogus background checks, there is a new problem.  Uber’s new security chief Joe Sullivan, hired away from Facebook, has to deal with claims that a Denver Uber driver tried to break into a customer’s house after taking the customer to the airport.

Think about that for a minute.  Talk about an affiliated business arrangement.  The driver takes you to the airport, chatting you up on the way.  He finds out where you are going, how long you will be gone and whether anyone will be home.  He then uses that information to break into your house, or sells those leads to other burglars for cash.  Now that is a synergistic business model.