Tumblr users’ login credentials on dark web

The same seller, “peace_of_mind”, who recently offered LinkedIn users’ data for sale, has now put 65 million Tumblr user email addresses, along with their salted and hashed passwords, up for sale on the dark web.

Earlier this month, Tumblr had issued a breach warning to its users: “We recently learned that a third party had obtained access to a set of Tumblr user email addresses with salted and hashed passwords from early 2013, prior to the acquisition of Tumblr by Yahoo. As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts. As a precaution, however, we will be requiring affected Tumblr users to set a new password.”

Peace is offering the data for less than half a bitcoin, which is around $150.


Russian Hacker Puts Millions of Gmail, Yahoo, Mail.ru Accounts Up for Sale—Report

Hundreds of millions of hacked usernames and passwords for some of the world’s largest webmail providers have been discovered up for sale on the Russian Dark Web.

Alex Holden, founder and chief information security officer of Hold Security, told Reuters that the cache consists of 272.3 million stolen account credentials. These include Yahoo Mail credentials, which numbered 40 million, or 15% of the 272 million unique IDs discovered. Meanwhile, 33 million, or 12%, were Microsoft Hotmail accounts and 9%, or nearly 24 million, were Gmail, according to Holden.

Also included are a majority of users of Mail.ru, Russia’s most popular email service—totaling 57 million compromised accounts. And, thousands of other stolen username/password combinations appear to belong to employees of some of the largest US banking, manufacturing and retail companies, he said.

US Government Finally Drops Apple Backdoor Request

The US government has dropped its attempt to force Apple to create backdoor access to a terrorist’s iPhone, claiming it has found a way in by itself.

A court filing (via The Register) made with the Central District of California on Monday, states the following:

“The government has now successfully accessed the data stored on [Syed] Farook’s iPhone and therefore no longer requires the assistance from Apple Inc. mandated by Court’s Order Compelling Apple Inc. to Assist Agents in Search dated February 16, 2016.

Accordingly, the government hereby requests that the Order Compelling Apple Inc. to Assist Agents in Search dated February 16, 2016 be vacated.”

The filing confirms what many had suspected when the government filed a court document a week ago requesting that a hearing on the case be put on hold.

It is not clear how the FBI bypassed the phone’s passcode protection, or whether an outside party helped it, although Apple will likely want to know how its security mechanisms were circumvented and whether the method could be used against other devices.


Hackers Breach and Shame the KKK’s Security Company

DDoS protection firm Staminus has been breached and shamed by hackers, who released a mocking “Tips When Running a Security Company” list along with a data dump of Staminus customer information, including that for sites belonging to the Ku Klux Klan.

A crew going by the name of FTA took responsibility. The motivation was to bring to light one of Staminus’ key customers: The KKK.

“Yes, that’s right, Staminus was hosting the KKK and its affiliates,” it said. “An organization legally recognized in some regions as a terrorist collective. Not that we hold anything against the KKK. Choosing such an awful host as Staminus however is unforgiveable [sic], and consequently they had to be punished.”

Patent Showcases Cognitive Biometrics


There are plenty of opinions and theories on the best way to move past passwords and into an era of strong authentication—and biometrics are one key piece of the conversation. A new patent for technology that extracts cognitive parameters from the interaction between a user and a device shows that it’s not all about retina scans and fingerprint sensors, either.

The US Patent Office has granted BioCatch a patent entitled “Device, system, and method for detecting user identity based on motor control loop model,” which provides biometric accuracy and continuous user authentication by combining unique cognitive, motor, behavioral, physiological and anatomical parameters.

In other words, rather than requiring users to authenticate themselves to their connected devices with a username and password, BioCatch’s technology authenticates them based on their unique cognitive parameters and the way they interact with their devices.

This means that authentication incorporates physiological factors, such as press-size, hand tremor and hand-eye coordination; cognitive traits, such as usage preferences and device interaction patterns; and contextual factors, including device ID, device preference, network access and geolocation.

In theory, this overcomes one of the main objections to biometrics: that they can be mimicked. Fingerprints can be replicated in latex, as the iPhone Touch ID hacks demonstrated, and facial recognition cameras can be fooled by photographs. The BioCatch technology instead builds a multi-layered profile based on the user’s own behavior, which cannot be lost or stolen and is much harder to imitate.

“The granting of this patent highlights BioCatch’s deep commitment to providing our customers with an unmatched technology platform to protect the identities of their users and prevent fraud,” said Avi Turgeman, CTO and founder of BioCatch. “Continuing to grow our IP portfolio to offer new and innovative methods of fighting cyber-attacks is crucial to our business, and the granting of the patents is great recognition of our efforts.”

SOURCE: Tara Seals | Infosecurity Magazine

POS Hackers Caught Scanning for Simple Passwords

Researchers have unveiled yet more evidence that retail IT security admins would do well to choose strong usernames and passwords for point of sale (POS) systems, after it was revealed that opportunistic hackers scan the web for weak credentials.

Rapid7’s Project Heisenberg sees the firm collating data from a public-facing network of low-interaction honeypots to ascertain what hackers are trying to examine or exploit.

The latest results provide an interesting snapshot of exactly what attackers are scanning for in a bid to compromise internet-connected POS systems, kiosks and desktops that expose the Remote Desktop Protocol (RDP) service for remote management.

Rapid7 collected data over almost a year (334 days), recording over 221,000 log-in attempts from over 5000 IP addresses in 119 countries.

Interestingly, of the 3969 different passwords used by hackers, the most popular was not the typical “password” or “12345” but “x,” which featured over 5% of the time. Other popular passwords used by the hackers included “Zz,” “St@rt123” and “1” – while the old favorite “P@ssw0rd” also appeared in the top 10 list, alongside “admin.”

In terms of the 1806 different usernames analyzed, the most popular was a more predictable “administrator,” used 34.8% of the time.

Others in the top 10 were “user1,” “admin,” “demo,” and “pos,” according to Rapid7.

The majority of attacks appeared to come from China (39.9%), followed by the US (24.9%), South Korea (6%) and the Netherlands (4.9%). The UK was just outside the top five, accounting for 1.8% of login attempts.

The message to admins should be clear: if you have to use passwords, make sure they are long and complex, or risk becoming the “path of least resistance” for opportunistic hackers.
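To make the kind of tally described above concrete, here is an added example (not Rapid7’s Heisenberg code or data) that parses constructed honeypot login records, produces the same sort of statistics the report describes (top usernames, top passwords, share of attempts per source country, unique source IPs), and then scores a candidate credential against the attacker dictionary so an admin can see whether the username/password pair they deploy is one that opportunistic scanners actually try. The log line format and every sample record are assumptions made for the example.

```python
"""Tally honeypot login attempts and check a credential against the
resulting attacker dictionary.  Sample data below is constructed for
illustration and is not Rapid7's Project Heisenberg data."""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample records. Assumed format (one attempt per line):
#   <timestamp> <source_ip> <country> <username> <password>
# The password is the remainder of the line, so it may contain spaces.
SAMPLE_LOG = """\
2016-03-01T00:01:02Z 203.0.113.5 CN administrator x
2016-03-01T00:01:09Z 203.0.113.5 CN administrator Zz
2016-03-01T00:02:17Z 198.51.100.7 US admin P@ssw0rd
2016-03-01T00:03:44Z 198.51.100.7 US pos pos
2016-03-01T00:04:01Z 203.0.113.9 CN administrator St@rt123
2016-03-01T00:05:30Z 192.0.2.44 KR user1 1
2016-03-01T00:06:12Z 203.0.113.5 CN demo x
2016-03-01T00:07:58Z 198.51.100.9 NL administrator admin
"""

Attempt = Tuple[str, str, str, str]  # (source_ip, country, username, password)


def parse_attempts(text: str) -> List[Attempt]:
    """Parse log lines into (ip, country, user, password) tuples."""
    attempts: List[Attempt] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # maxsplit=4 keeps any spaces inside the password intact
        _ts, ip, country, user, password = line.split(" ", 4)
        attempts.append((ip, country, user, password))
    return attempts


def summarize(attempts: List[Attempt], top_n: int = 3) -> Dict:
    """Build the headline statistics: totals, most-tried names and
    passwords, and the percentage of attempts from each country."""
    total = len(attempts)
    users = Counter(a[2] for a in attempts)
    passwords = Counter(a[3] for a in attempts)
    countries = Counter(a[1] for a in attempts)
    return {
        "total_attempts": total,
        "unique_ips": len({a[0] for a in attempts}),
        "unique_usernames": len(users),
        "unique_passwords": len(passwords),
        "top_users": users.most_common(top_n),
        "top_passwords": passwords.most_common(top_n),
        # share of attempts per country, rounded to one decimal place
        "country_share": {c: round(100.0 * n / total, 1)
                          for c, n in countries.most_common()},
    }


def credential_exposure(attempts: List[Attempt],
                        username: str, password: str) -> Dict:
    """Score a credential you intend to deploy against the attacker
    dictionary harvested from the attempts.  A pair that was tried
    verbatim is the 'path of least resistance'; a username or password
    that appears on its own is still a warning sign."""
    users = Counter(a[2] for a in attempts)
    passwords = Counter(a[3] for a in attempts)
    pair_tried = any(a[2] == username and a[3] == password for a in attempts)
    return {
        "pair_tried": pair_tried,
        "username_hits": users[username],
        "password_hits": passwords[password],
    }


if __name__ == "__main__":
    data = parse_attempts(SAMPLE_LOG)
    stats = summarize(data)
    print("attempts:", stats["total_attempts"], "from", stats["unique_ips"], "IPs")
    print("top usernames:", stats["top_users"])
    print("top passwords:", stats["top_passwords"])
    print("country share:", stats["country_share"])
    print("administrator/x:", credential_exposure(data, "administrator", "x"))
    print("administrator/long passphrase:",
          credential_exposure(data, "administrator", "correct horse battery staple"))
```

Run against a real honeypot export the same function set reproduces the report’s figures (attempts, unique IPs, most common usernames and passwords, per-country share); the `credential_exposure` check is the practical use of such a dataset, turning “choose something strong” into a yes/no answer for the exact credential you are about to configure.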

“Research that combines active scanning and passive collection techniques is incredibly useful for spot checking the state of cyber hygiene, and we hope to continue this sort of research to help identify where enterprises and small businesses are faltering when it comes to their online footprint,” explained Rapid7 security research manager, Tod Beardsley.

SOURCE: Phil Muncaster | Infosecurity Magazine