Millions of accounts compromised in Snapchat hack

January 1, 2014 – 3:18 PM

Hackers appear to have posted account info for 4.6 million users of quickie social-sharing app Snapchat, making usernames and at least partial phone numbers available for download.

The data were posted to the website SnapchatDB.info. By late Wednesday morning, that site had been suspended.

The hack was seemingly intended to urge Snapchat to tighten its security measures. The anonymous hackers said they used an exploit created by recent changes to the app, which lets users share photos or short videos that disappear after a few seconds.

“Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does,” the hackers said in a statement to technology blog TechCrunch.

In the statement, the hackers said they blurred the last two digits of the phone numbers they posted but were still considering whether to post more with the full number visible.

Source: http://www.cnn.com/2014/01/01/tech/social-media/snapchat-hack/

Unique malware evades sandboxes

December 19, 2013 – 8:15 PM

On Wednesday, security vendor Seculert reported finding that one of five malware types used in the attack had a unique cloaking property for evading sandboxes. The company called the malware DGA.Changer.

DGA.Changer’s only purpose was to download other malware onto infected computers, Aviv Raff, chief technology officer for Seculert, said on the company’s blog. Seculert identified 6,500 compromised computers communicating with the malware’s command and control server. Almost 60 percent were in the United States.

What Seculert found unique was how the malware could receive a command from a C&C server to change the seed of the software’s domain generation algorithm. The DGA periodically generates a large number of domain names as potential communication points to the C&C server, thereby making it difficult for researchers and law enforcement to find the right domain and possibly shut down the botnet.

“What the attackers behind DGA did is basically change the algorithm on the fly, so they can tell the malware to create a new stream of domains automatically,” Raff told CSOonline.

When the malware generates the same list of domains, it can be detected in the sandbox where security technology will isolate suspicious files. However, changing the algorithm on demand means that the malware won’t be identified.

“This is a new capability that didn’t exist before,” Raff said. “This capability allows the attacker to bypass sandbox technology.”
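As an added illustration, not Seculert's analysis and not DGA.Changer's actual algorithm, the toy seeded DGA below shows why a blocklist built from the domains a sample generated in a sandbox stops matching once the operator pushes a new seed: the seed names, date and hashing scheme are all constructed for the example.

```python
import hashlib
from datetime import date

# Constructed toy DGA: each domain is derived from a seed, the current date
# and an index. Real DGAs differ in detail, but the seed-dependence is the point.
def generate_domains(seed, day, count=50, tld=".com"):
    domains = []
    for i in range(count):
        material = f"{seed}|{day.isoformat()}|{i}".encode()
        digest = hashlib.sha256(material).hexdigest()
        # Map hex digits onto letters so the label looks like a hostname.
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:12])
        domains.append(label + tld)
    return domains

def build_blocklist(seed, day, count=50):
    """What a defender can extract by running the sample in a sandbox."""
    return set(generate_domains(seed, day, count))

def observed_overlap(blocklist, observed_domains):
    """Domains seen in traffic that the sandbox-derived blocklist would catch."""
    return sorted(set(observed_domains) & blocklist)

def demo(day=date(2013, 12, 18)):
    sandbox_seed = "seed-A"          # seed baked into the analysed sample
    blocklist = build_blocklist(sandbox_seed, day)

    # Same seed in the wild: every beaconed domain is already on the list.
    same_seed_hits = observed_overlap(blocklist, generate_domains(sandbox_seed, day))

    # After a C&C "change seed" command, the stream shares nothing with the list,
    # so sandbox-derived indicators silently stop matching.
    new_seed_hits = observed_overlap(blocklist, generate_domains("seed-B", day))
    return len(same_seed_hits), len(new_seed_hits)

if __name__ == "__main__":
    hits_before, hits_after = demo()
    print(f"blocklist hits with original seed: {hits_before}")
    print(f"blocklist hits after seed change:  {hits_after}")
```

The practical takeaway is that domain indicators from a single detonation are only as durable as the seed they were generated from; behavioural signals (the seed-change command itself, bursts of NXDOMAIN responses) age better.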

Source:
http://www.pcadvisor.co.uk/news/security/3494538/unique-malware-evades-sandboxes/?olo=rss

Sources: Target Investigating Data Breach

December 18, 2013 – 5:11 PM

Nationwide retail giant Target is investigating a data breach potentially involving millions of customer credit and debit card records, multiple reliable sources tell KrebsOnSecurity. The sources said the breach appears to have begun on or around Black Friday 2013 — by far the busiest shopping day of the year.

According to sources at two different top 10 credit card issuers, the breach extends to nearly all Target locations nationwide, and involves the theft of data stored on the magnetic stripe of cards used at the stores.

Minneapolis, Minn.-based Target Brands Inc. has not responded to multiple requests for comment. Representatives from MasterCard and Visa also could not be immediately reached for comment.

Both sources said the breach was initially thought to have extended from just after Thanksgiving 2013 to Dec. 6. But over the past few days, investigators have unearthed evidence that the breach extended at least an additional week — possibly as far as Dec. 15. According to sources, the breach affected an unknown number of Target customers who shopped at the company’s main street stores during that timeframe.

“The breach window is definitely expanding,” said one anti-fraud analyst at a top ten U.S. bank card issuer who asked to remain anonymous. “We can’t say for sure that all stores were impacted, but we do see customers all over the U.S. that were victimized.”

Source:
http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/

New DDoS malware targets Linux and Windows systems

December 18, 2013 – 5:02 PM

Attackers are compromising Linux and Windows systems to install a new malware program designed for launching distributed denial-of-service (DDoS) attacks, according to researchers from the Polish Computer Emergency Response Team (CERT Polska).

The malware was found by the Polish CERT at the beginning of December and the Linux version is being deployed following successful dictionary-based password guessing attacks against the SSH (Secure Shell) service. This means only systems that allow remote SSH access from the Internet and have accounts with weak passwords are at risk of being compromised by attackers distributing this malware.

“We were able to obtain a 32-bit, statically linked, ELF file,” the Polish CERT researchers said Monday in a blog post. The executable runs in daemon mode and connects to a command-and-control (C&C) server using a hard-coded IP (Internet Protocol) address and port, they said.

When first run, the malware sends operating system information — the output of the uname command — back to the C&C server and waits for instructions.

“From the analysis we were able to determine that there are four types of attack possible, each of them a DDoS attack on the defined target,” the researchers said. “One of the possibilities is the DNS Amplification attack, in which a request, containing 256 random or previously defined queries, is sent to a DNS server. There are also other, unimplemented functions, which probably are meant to utilize the HTTP protocol in order to perform a DDoS attack.”

Source:
http://www.csoonline.com/article/744855/new-ddos-malware-targets-linux-and-windows-systems

Report accuses BT of supplying backdoors for GCHQ and NSA

December 17, 2013 – 6:04 PM

A paper released earlier this month by a group of security researchers has outlined the technical details behind a potential Computer Network Exploitation (CNE) program likely used by the U.K. Government Communications Headquarters (GCHQ) and their American counterpart, the NSA.

Moreover, the researchers say that one of the largest telecom providers in the world, BT Group (formerly British Telecom), ships hardware to the home and office with firmware that enables this secretive surveillance on a massive scale.

In a paper titled The Internet Dark Age the researchers say that BT is shipping hardware with backdoors that allow secret government access in order to make network compromise easier. “BT are directly responsible for covertly embedding secret spy equipment in millions of homes and businesses within the U.K.,” the paper states.

The authors of the paper (who stated that, while they wish to remain anonymous, they are ready to appear in a court of law and present their findings) claim to have discovered a key piece of the global surveillance puzzle, addressing several questions that have gone unanswered since documents leaked by former NSA analyst Edward Snowden started appearing this summer. The researchers said that they made their discovery in June, but held the report for an additional six months in order to do additional research and study.

Source:
http://www.networkworld.com/news/2013/121613-report-accuses-bt-of-supplying-276975.html