Analyzing the MD5 collision in Flame

June 11, 2012 – 6:55 PM

Here is a great analysis of the MD5 collision in Flame by Alex Sotirov.

https://trailofbits.files.wordpress.com/2012/06/flame-md5.pdf

Malicious URLs in Fake Craigslist Emails

June 8, 2012 – 4:53 AM

Today, Websense® Security Labs™ ThreatSeeker™ Network has seen a barrage of malicious emails pretending to be automated notifications from Craigslist. These emails instruct the recipient to click a link to complete a Craigslist request. The URLs in these emails redirect the user to malicious web sites hosting the Blackhole Exploit Kit. So far we have seen over 150,000 of these emails in our Cloud Email Security portal. Websense Email Security and Websense Web Security protect against this kind of blended threat with ACE, our Advanced Classification Engine.

The emails have subject lines like:

POST/EDIT/DELETE : “Models for fine” (systems / network)
POST/EDIT/DELETE : “Studio4PaintWorkCatskills” (education)
POST/EDIT/DELETE : “Show Your Art” (cars+trucks)

Source:
http://community.websense.com/blogs/securitylabs/archive/2012/06/06/malicious-urls-in-fake-craigslist-emails.aspx

Millions of Last.fm passwords leaked

June 8, 2012 – 4:47 AM

A list with several million passwords belonging to users of the music community site Last.fm has been posted on the internet. The site owners have posted a statement saying that the company is investigating the leak and that all users of the service should change their passwords immediately. This is the third major compromise of a popular web site’s passwords in as many days.

The H’s associates at heise Security are in possession of a list containing approximately 2.5 million password hashes. Like the recently leaked data from LinkedIn and eHarmony, these are unsalted MD5 hashes that are trivial to crack in today’s world of fast CPU and GPU hardware and specialised techniques such as using rainbow tables. At least one million of these hashes have already been cracked and the clear text passwords have also been posted on the internet.

Users of the Last.fm service are advised to change their password immediately. Furthermore, it would be prudent for any users who have reused their passwords to change them on other web sites as well. The article Storing passwords in uncrackable form at The H Security explains how server administrators can prevent passwords from being cracked this easily.
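To make concrete why unsalted MD5 is so cheap to recover and what the "uncrackable form" the H article refers to looks like, here is an added example (not from the original post or from Last.fm): a tiny constructed wordlist is hashed once and matched against a batch of unsalted MD5 hashes, then the same passwords are stored with a per-user random salt and PBKDF2, so no precomputed table applies and equal passwords no longer share a hash.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for a cracking dictionary or
# rainbow table; no real leaked data is used here.
WORDLIST = ["password", "123456", "lastfm", "letmein", "qwerty"]
ROUNDS = 100_000  # PBKDF2 iteration count; raise as hardware gets faster


def md5_unsalted(password: str) -> str:
    """The scheme behind the leak: a single MD5 over the bare password."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(hashes, wordlist=WORDLIST):
    """Hash each candidate ONCE, then look up every leaked hash in that table.
    With no salt the cost is the same whether there is one hash or 2.5 million,
    which is exactly what a rainbow table exploits."""
    table = {md5_unsalted(w): w for w in wordlist}
    return {h: table[h] for h in hashes if h in table}


def pbkdf2_salted(password: str, salt=None, rounds=ROUNDS):
    """Store (salt, digest). A fresh 16-byte random salt per user means a
    precomputed table is useless, and the iteration count makes each guess
    thousands of times more expensive than one MD5."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes, rounds=ROUNDS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(cand, digest)


def same_password_same_hash(scheme: str, password: str = "password") -> bool:
    """Two users with the same password: identical under unsalted MD5
    (one table hit recovers both), distinct under salted PBKDF2."""
    if scheme == "md5":
        return md5_unsalted(password) == md5_unsalted(password)
    _, d1 = pbkdf2_salted(password)
    _, d2 = pbkdf2_salted(password)
    return d1 == d2


if __name__ == "__main__":
    leaked = [md5_unsalted(p) for p in ("password", "letmein", "Tr0ub4dor&3")]
    print("recovered from unsalted MD5:", crack_unsalted(leaked))
    salt, digest = pbkdf2_salted("password")
    print("salted verify ok:", verify_salted("password", salt, digest))
```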

Source:
http://www.h-online.com/security/news/item/Millions-of-Last-fm-passwords-leaked-1613641.html

LinkedIn confirms passwords were compromised

June 6, 2012 – 5:24 PM

LinkedIn said today that some passwords on a list of allegedly stolen hashed passwords belong to its members, but did not say how its site was compromised.

“We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts,” Vicente Silveira, a director at the professional social networking site, wrote in a blog post. It is unknown how many passwords have been verified by LinkedIn.

LinkedIn has disabled the passwords on those accounts, it said. Account holders will receive an e-mail from LinkedIn with instructions for resetting their passwords. The e-mails will not include any links. Phishing attacks often rely on links in e-mails that lead to fake sites designed to trick people into providing information, so the company says it will not send links in e-mails.

Affected account holders will then receive a second e-mail from LinkedIn customer support explaining why they need to change their passwords.

Source:
http://news.cnet.com/8301-1009_3-57448465-83/linkedin-confirms-passwords-were-compromised/?part=rss&subj=news&tag=2547-1_3-0-20

LinkedIn’s app transmits user data without their knowledge

June 6, 2012 – 4:47 AM

LinkedIn’s iOS app is collecting information from calendar entries, including passwords and meeting notes, and transmitting it back to the company’s servers without users’ knowledge, according to two mobile security researchers.

The business-networking giant’s app for Apple’s iPad and iPhone has an opt-in feature that allows users to view their calendar entries within the app. However, researchers Yair Amit and Adi Sharabani discovered that once enabled by the user, the app automatically transmits users’ calendar entries back to LinkedIn servers. The pair expects to present their findings at a security workshop at Tel Aviv University tomorrow.

The transmission of data, which is not revealed to users, may violate Apple’s privacy guidelines, which prohibit apps from collecting and transmitting users’ data without their express permission. Controversy erupted earlier this year when Path — a popular iOS and Android application — was found to be collecting user contact information without permission. Path issued an apology on the issue and introduced an updated version that required users to opt in to the feature.

Source:
http://news.cnet.com/8301-1009_3-57447966-83/linkedins-app-transmits-user-data-without-their-knowledge/?part=rss&subj=news&tag=2547-1_3-0-20