Menu
The Tech News Blog

February 16, 2014

Kickstarter Hacked, Credit Card Data Safe

Kickstarter example

The group funding site Kickstarter was recently the target of a hack by an unknown individual or group of individuals. Yes, some of the data that the service stores about you – if you're a user – was tapped into. However, there's a bit of a silver lining: Credit card data and passwords appear relatively safe, with a caveat.

Kickstarter officially notified the world about the hack yesterday via a blog post from company CEO Yancey Strickler, although the attack itself happened this past Wednesday. According to Strickler, Kickstarter was tipped off about the unauthorized access by "law enforcement officials" that evening. Once notified, Kickstarter "immediately closed the security breach and began strengthening security measures throughout the Kickstarter system," according to the related Kickstarter blog post.

Following an investigation – hence the reason why users were notified Saturday instead of, say, Thursday — Kickstarter was able to determine that its users' credit card data remained safe from pilfering. However, that doesn't mean that the attacker(s) left empty-handed:

"While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one," reads Strickler's blog post.



February 10, 2014

Snapchat Flaw Lets Attackers DDoS Your Phone

Snapchat

Popular picture-messaging app Snapchat can be used to launch a denial-of-service attack against a user's iPhone, a security researcher said.

Pocket DDOS
Attackers can flood a Snapchat user's account with thousands of messages in a matter of seconds, causing the app to freeze and the entire device to crash, Jaime Sanchez, a security consultant for Spanish telecommunications company Telefonica, wrote on a post on seguridadofensiva.com. Users may need to perform a hard reset on their iPhones to recover.

Sanchez demonstrated the weakness by sending 1,000 messages within five seconds to the Los Angeles Times reporter Salvador Rodriguez's Snapchat account, causing his device to shut down and restart, the Times reported. The attack won't crash Android devices, although they will become slow and the app will be impossible to use, Sanchez said.

Snapchat's privacy-conscious app lets users send photo and video messages which disappear shortly after the recipient has viewed them. When a user sends a message, the app generates a new token to verify the user. Unfortunately, it appears that old tokens can also be reused to send additional messages, Sanchez found.



February 8, 2014

HVAC Vendor Confirms Link to Target Data Breach

Target Dog

Almost two months after Target reported a massive data breach that put the personal data of up to 70 million shoppers at risk, more details have emerged about how the hackers gained access to the retailer's systems.

As first reported by security blogger Brian Krebs, hackers broke into Target's network using credentials stolen from a third-party vendor—Sharpsburg, Penn.-based Fazio Mechanical Services.

On Friday, owner and president Ross E. Fazio confirmed that his company, a refrigeration and HVAC systems maker, was "a victim of a sophisticated cyber attack operation."

"Our data connection with Target was exclusively for electronic billing, contract submission and project management, and Target is the only customer for whom we manage these processes on a remote basis," Fazio wrote in a statement. "No other customers have been affected by the breach."

Fazio denied conducting any remote monitoring or control of Target's heating, cooling, and refrigeration systems, and said that its "IT system and security measures are in full compliance with industry practices."



January 21, 2014

16M Online Accounts Compromised, German Authorities Warn

Security Password Hack

Another day, another massive data breach.

Germany's Federal Office for Information Security, or BSI, said Tuesday that the online accounts of some 16 million Internet users have been compromised by hackers. The theft of email addresses and passwords was discovered as part of an analysis by research institutions and law enforcement agencies into botnets, or networks of compromised computers that cybercriminals use to carry out attacks, the organization said.

BSI warned that affected individuals may be at risk of identity theft as a result of the data heist. The organization has set up a webpage where people can check if their information has been compromised.

Those affected by the breach should check their computer for malware, and change all their passwords for social-networking sites, online stores, email accounts, and other online services.

The incident is just the latest in a string of high-profile breaches both in the U.S. and abroad.



January 20, 2014

You’re Still Using Terrible Passwords

Security Password Hack

You can't teach an old dog new tricks. Or passwords, it seems.

Despite all the warnings about the need for secure passwords, some Web users still use very obvious codes, according to SplashData's annual list of the most commonly used passwords on the Web.

The good news is that "password" is no longer the most popular password, slipping to No. 2. But it has been replaced by the equally dumb "12346."

SplashData's 2013 list was influenced by last year's huge Adobe hack, which saw the release of encrypted passwords for approximately 38 million active users.

"Seeing passwords like 'adobe123' and 'photoshop' on this list offers a good reminder not to base your password on the name of the website or application you are accessing," Morgan Slain, CEO of SplashData, said in a statement.

Other passwords in the top 10 were the oh-so clever "12345678," as well as "qwerty", "abc123," and "iloveyou," as well as various, easily guessed number combinations ("111111").



January 10, 2014

Target Hack Affected Up to 70M Shoppers

Target Black Friday

Target on Friday revealed some more details about the recent mega hack of encrypted customer payment card data.

In addition to nabbing 40 million credit and debit card numbers, as was previously disclosed, the hackers managed to steal the personal information of up to 70 million individuals, Target said. That includes customers' names, mailing addresses, phone numbers, and email addresses.

Target said much of the stolen data is "partial in nature," but promised it will attempt to contact everyone whose email address has been compromised. The company said it will provide tips to guard against scams, and warned that it will not ask guests to provide any personal information as part of its communication, so be on the lookout for phishing emails.

"I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this," Gregg Steinhafel, chairman, president, and CEO of Target, said in a statement. "I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team."



January 7, 2014

Intel Ditching McAfee Brand for Security Products

McAfee Deep Defender

Intel is rebranding its McAfee security products as Intel Security going forward, the company revealed late on Monday during CEO Brian Krzanich's keynote presentation at the Consumer Electronics Show.

The transition away from the McAfee brand, rendered somewhat toxic in recent years due to the bizarre antics of company founder John McAfee, will play out over the next 12 months, according to Intel.

The chip giant acquired McAfee in 2010 for $7.68 billion and began integrating the computer security firm's technology into Intel hardware products while continuing to sell McAfee software solutions for PCs.

"For McAfee, the initial announcement is that as new products are introduced, the McAfee brand name will be phased out and branded Intel Security," an Intel spokesperson told PCMag on Tuesday. "The shield—which represents the core values of security and protection—will remain. The rebranding will begin immediately, but the transition will take up to a year before it is complete. McAfee will continue to operate as a wholly owned subsidiary."



January 5, 2014

Bad Ads on Yahoo Infected Thousands of Users With Malware

Yahoo

Thousands of users who visited Yahoo's Web site over the past week were infected with malware, researchers have found. The malware was delivered via malicious advertisements that appeared on the site.

Yahoo confirmed the infection, but said it has already been removed. "At Yahoo, we take the safety and privacy of our users seriously. We recently identified an ad designed to spread malware to some of our users. We immediately removed it and will continue to monitor and block any ads being used for this activity," the company said in an email.

Attackers had inserted malvertisements, or malicious advertisements, into the servers used by ads.yahoo.com, Fox-IT, a Dutch security firm, wrote in a blog post Saturday. These ads redirected users to a page hosting the "Magnitude" exploit kit, which targets various Java vulnerabilities. The exploit kit installed "a host of different malware" on to vulnerable computers, such as the Zeus Trojan, Andromeda, Dorkbot/Ngrbot, ad-clicking malware, Tinba/Zusy and Necurs, Fox-IT said. The researchers believe the servers have been showing malvertisements since Dec. 30, but did not rule out the possibility that the attacks were occurring even earlier.

The infection has also been confirmed on Twitter by Mark Loman, a Dutch malware analyst with antivirus outfit Surfright.

"It is unclear which specific group is behind this attack, but the attackers are clearly financially motivated," Fox IT said. The attackers may be selling the ability to control these infected machines to other cyber-criminals, perhaps as part of a botnet.



January 3, 2014

After Leak, Snapchat Promises to Fix Bug Via App Update

Snapchat

Snapchat on Thursday acknowledged a recent leak of 4.6 million usernames and phone numbers, and said an updated version of the app will let users opt out of participating in the compromised feature.

The company stopped short of apologizing for the leak, and seemed to blame Gibson Security for "publicly document[ing] our API, making it easier for individuals to abuse our service and violate our Terms of Use."

At issue is Snapchat's Find Friends feature, which lets Snapchatters enter their phone number so friends can find their username. "This means that if you enter your phone number into Find Friends, someone who has your phone number in his or her address book can find your username," according to Snapchat.

In August, Gibson Security published a report about vulnerabilities within Find Friends. The firm said it tried but "failed" to contact Snapchat about these problems prior to the report's publication.

"The only contact we've received from Snapchat was one email from Micah Schaffer (Snapchat's Director of Operations) on 28/12/2013," Gibson said on its website.



January 1, 2014

4.6M Snapchat Usernames, Phone Numbers Leaked Online

Snapchat

The usernames and phone numbers for 4.6 million Snapchat accounts were temporarily posted online by hackers who took advantage of a previously disclosed vulnerability within the chat service.

SnapchatDB.info went live last night and allowed visitors to download the database of Snapchat user info, though the last two digits of the phone numbers were censored "in order to minimize spam and abuse."

The site has since been pulled offline (because the hosting provider was "intimidated by the overwhelming attention," SnapchatDB told The Verge), but a cached version is still available.

"You are downloading 4.6 million users' phone number information, along with their usernames," those behind SnapchatDB.info wrote. "People tend to use the same username around the web so you can use this information to find phone number information associated with Facebook and Twitter accounts, or simply to figure out the phone numbers of people you wish to get in touch with."

The move comes after Gibson Security last week revealed several vulnerabilities within the Snapchat app. One of those bugs could allow "someone to easily create a database of the usernames and phone numbers of users of the Snapchat application, in a small timeframe, using phone numbers automatically provided to the app," Gibson said.