Information Security, SSAE 16, ISO 27001, CISA, Cert-IN
When Yahoo said on Thursday that data from at least 500 million user accounts had been hacked, it wasn’t just admitting to a huge failing in data security — it was admitting to the biggest hack the world has ever seen. Until Thursday, the previous largest known hack was the 2008 breach that hit almost 360 million MySpace accounts, according to a ranking by the "Have I been pwned" website.
via https://ift.tt/2deEZ58
Yahoo says it was the victim of state-sponsored hackers who stole information associated with 500 million accounts.
Yahoo CISO Bob Lord said the attack happened on the company’s network in late 2014; he did not name the country responsible.
“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers,” Lord said in a statement. “The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.”
Yahoo, which said law enforcement is investigating the breach, believes the attackers are no longer on its network. The confirmation of the attack comes as Verizon continues its $4.83 billion acquisition of Yahoo’s core business. It’s unknown how the news of the attack will impact the deal going forward.
Affected users are going to be notified via email and Yahoo will force a password reset and also urge the use of multifactor authentication, including its Yahoo Account Key. Yahoo has also invalidated unencrypted security questions and answers for affected accounts, and recommends that all users change their passwords if they haven’t done so since 2014.
“An increasingly connected world has come with increasingly sophisticated threats. Industry, government and users are constantly in the crosshairs of adversaries,” Lord said. “Through strategic proactive detection initiatives and active response to unauthorized access of accounts, Yahoo will continue to strive to stay ahead of these ever-evolving online threats and to keep our users and our platforms secure.”
Yahoo’s confirmation comes after an Aug. 1 report that said a cache of 200 million Yahoo user credentials were put up for sale on a dark web site called The Read Deal by a hacker who goes by the handle “Peace” or “peace_of_mind.” The asking price was 3 Bitcoin, or about $1,800 USD.
Initially, it was believed that the data stolen in the attack dated back to 2012. Given that users will reuse passwords over and over for different accounts online, the stolen credentials can give the attackers access to multiple accounts belonging to the same victim.
Already this year, a number of high-profile websites have had user account information and credentials dumped online. Most of those leaks, however, have been data accumulated from a number of locations online stolen in a number of older breaches.
The Yahoo breach represents the largest number of stolen credentials to date this year (a collection of 470,000 MySpace credentials was put online earlier this year).
LeakedSource, an subscriber-based aggregator of personal data found online, told Threatpost that two files containing Yahoo credentials have been available for years, including a sample text file containing 5,000 credentials, and an encrypted file containing 40 text files claiming to be from Yahoo. “We have both of them as well as the decryption key for the 40 text files which we determined to be fake,” LeakedSource said. “The 5,000 sample however may be real and provide enough evidence for Yahoo to begin resetting passwords.”
via https://ift.tt/2cGuSRh
If you’re a user of Microsoft PowerPoint, here’s a great add-in which makes it really easy to create timeline slides.
You mean you don’t know what a timeline is? It’s a line across the slide which represents a period of time. You then put little pieces of text or icons along that line to indicate events that will, might, did, or didn’t happen. Timelines are great for project planning, documenting a child’s progress, and loads of other things too.
The add-in you need is called Office Timeline, which you’ll find at https://ift.tt/Jcex5j as a free download of around 12 MB. The file is malware-free according to VirusTotal and Web of Trust. You install it just like any other software, after which you’ll find an Office Timeline menu available in PowerPoint, and some demo presentations also installed to help you understand how it works.
The Pro version of Office Timeline, at around $50 per year, includes some additional templates, but the free version is still very useful and usable. If you already use PowerPoint, give it a try.
via https://ift.tt/2cD7shB
A site that’s been warning the public about data breaches might actually be doing more harm than good.
Enter LeakedSource, a giant repository online that can potentially make hacking easier. Your email address and the associated Internet accounts — including the passwords — is probably in it.
via https://ift.tt/2cngOjv
Just when we thought ransomware’s evolution had peaked, a new strain has been discovered that forgoes the encryption of individual files, and instead encrypts a machine’s hard drive.
The malware, called Mamba, has been found on machines in Brazil, the United States and India, according to researchers at Morphus Labs in Brazil. It was discovered by the company in response to an infection at a customer in the energy sector in Brazil with subsidiaries in the U.S. and India.
Renato Marinho, a researcher with Morphus Labs, told Threatpost that the ransomware is likely being spread via phishing emails. Once it infects a machine, it overwrites the existing Master Boot Record with a custom MBR, and from there, encrypts the hard drive.
“Mamba encrypts the whole partitions of the disk,” Marinho said. “It uses a disk-level cryptography and not a traditional strategy of other ransomware that encrypts individual files.”
The malware is a Windows threat, and it prevents the infected computer’s operating system from booting up with out a password, which is the decryption key.
The victims are presented with a ransom note demanding one Bitcoin per infected host in exchange for the decryption key and it also includes an ID number for the compromised computer, and an email address where to request the key.
Mamba joins Petya as ransomware targeting computers at the disk level. Petya encrypted the Master File Table on machines it infected. Mamba, however, uses an open source disk encryption tool called DiskCryptor to lock up the compromised hard drives.
Petya was a game-changer among ransomware families. It spread initially among German companies targeting human resources offices. Emails were sent that contained a link to a Dropbox file that installed the ransomware. The malware showed the victim a phony CHKDSK process while it encrypted the Master File Table in the background.
Researchers quickly analyzed Petya’s inner workings and by understanding its behavior, were able to build a decryptor shortly after the first infections were disclosed.
More than a month after Petya surfaced, a variant was found that included a new installer. If the installer failed to install Petya on the compromised machine, it installed a less troublesome ransomware strain known as Mischa. Petya included an executable requesting admin privileges that caused Windows to flash a UAC prompt; if the victim declined at the prompt, the malware would install Mischa instead of Petya.
Mischa behaves like most of the ransomware many are familiar with. Once the victim executes link sent in a spam or phishing email, the malware encrypts local files and demands a ransom of 1.93 Bitcoin, or about $875 to recover the scrambled files.
via https://ift.tt/2cFo7RQ
Data breaches increased 15% in the first six months of 2016 compared to the last six months of 2015, according to Gemalto.
Worldwide, there were 974 reported data breaches and more than 554 million compromised data records in the first half of 2016, compared to 844 data breaches and 424 million compromised data records in the previous six months. In addition, 52% percent of the data breaches in the first half of this year did not disclose the number of compromised records at the time they were reported.
The Breach Level Index is a global database that tracks data breaches and measures their severity based on multiple dimensions, including the number of records compromised, the type of data, the source of the breach, how the data was used, and whether or not the data was encrypted. By assigning a severity score to each breach, the Breach Level Index provides a comparative list of breaches, distinguishing data breaches that are a not serious versus those that are truly impactful.
According to the Breach Level Index, more than 4.8 billion data records have been exposed since 2013 when the index began benchmarking publicly disclosed data breaches. For the first six months of 2016, identity theft was the leading type of data breach, accounting for 64% of all data breaches, up from 53% in the previous six months. Malicious outsiders were the leading source of data breaches, accounting for 69% of breaches, up from 56% in the previous six months.
“Over the past twelve months hackers have continued to go after both low hanging fruit and unprotected sensitive personal data that can be used to steal identities,” said Jason Hart, VP and CTO for Data Protection at Gemalto. “The theft of user names and account affiliation may be irritating for consumers, but the failure of organizations to protect sensitive personal information and identities is a growing problem that will have implications for consumer confidence in the digital services and companies they entrust with their personal data.”
Across industries, the healthcare industry accounted for 27% of data breaches and saw its number of data breaches increase 25% compared to the previous six months. However, healthcare represented just 5% of compromised data records versus 12% in the previous six months.
Government accounted for 14% of all data breaches, which was the same as the previous six months, but represented 57% of compromised records.
Financial services companies accounted for 12% of all data breaches, a 4% decline compared to previous six months, but accounted for just 2% of compromised data records.
Retail accounted for 11% of data breaches, and declined 6% versus the previous six months, and accounted for 3% of compromised data records.
Education accounted for 11% of data breaches and represented less than one percent of all compromised records. All other industries represented 16% of data breaches and 16% of compromised data records.
In terms of top three geographic regions for reported data breaches, 79% were in North America, 9% were in Europe, and 8% were in Asia-Pacific.
As data breaches continue to grow in frequency and size, it is becoming more difficult for consumers, government regulatory agencies and companies to distinguish between nuisance data breaches and truly impactful mega breaches,” said Jason Hart, VP and CTO for Data Protection at Gemalto. “News reports fail to make these distinctions, but they are important to understand because each have different consequences. A breach involving 100 million user names is not as severe as a breach of one million accounts with social security numbers and other personally identifiable information that are used for financial gain.”
“In this increasingly digital world, companies, organizations and governments are storing greater and greater amounts of data that has varying levels of sensitivity. At the same time, it is clear that data breaches are going to happen and that companies need to shift from a total reliance on breach prevention to strategies that help them secure the breach. That is why more focus needs to be understanding what really constitutes sensitive data, where it is stored, and using the best means to defend it. At the end of the day, the best way to protect data is to kill it. That means ensuring user credentials are secured with strong authentication and sensitive data is protected with encryption so it is useless to the thieves.”
via https://ift.tt/2cqENwH
Tesla car owners are urged to update their car’s firmware to the latest version available, as it fixes security vulnerabilities that can be exploited remotely to take control of the car’s brakes and other, less critical components.
The vulnerabilities were discovered by researchers from Tencent’s Keen Security Lab, and responsibly disclosed to Tesla. The company’s Product Security Team confirmed them, and implemented fixes in the latest version of the firmware.
Tencent’s researchers understandably didn’t reveal details about the flaws, but have provided a video demonstration of the attacks:
VIDEO
They have managed to remotely open various Tesla cars’ sunroof, turn on the blinkers, move the car seat, and open doors, all while the cars were in parking mode. But they have also managed to control windshield wipers, fold the side rearview mirrors, open the trunk, and manipulate the brakes from 12 miles away.
“As far as we know, this is the first case of remote attack which compromises CAN Bus to achieve remote controls on Tesla cars. We have verified the attack vector on multiple varieties of Tesla Model S. It is reasonable to assume that other Tesla models are affected,” they noted.
“The issue demonstrated is only triggered when the web browser is used (web browser functionality not enabled in Australia). Our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly,” a Tesla spokesperson told ZDNet.
The software update fixing the flaws has already been deployed over-the-air, so details about them should soon be revealed.
via https://ift.tt/2cro7F6
BBQSQL is a blind SQL injection framework written in Python. It is extremely useful when attacking tricky SQL injection vulnerabilities. BBQSQL is also a semi-automatic tool, allowing quite a bit of customization for those hard to trigger SQL injection findings. The tool is built to be database agnostic and is extremely versatile. It also has an intuitive UI to make setting up attacks much easier. Python gevent is also implemented, making BBQSQL extremely fast.
Blind SQL injection can be a pain to exploit. When the available tools work they work well, but when they don’t you have to write something custom. This is time-consuming and tedious. BBQSQL can help you address those issues.
The most important thing to note about BBQSQL is that it doesn’t care about the data or database, whilst most SQL Injection tools are built with specific databases or languages in mind.
Similar to other SQL Injection tools you must provide certain request information for the tool to work, for BBSQL this is:
Then specify where the injection is going and what syntax we are injecting.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 |
root@darknet:~# bbqsql _______ _______ ______ ______ ______ __ | \ | \ / \ / \ / \ | \ | $$$$$$$\| $$$$$$$\| $$$$$$\| $$$$$$\| $$$$$$\| $$ | $$__/ $$| $$__/ $$| $$ | $$| $$___\$$| $$ | $$| $$ | $$ $$| $$ $$| $$ | $$ \$$ \ | $$ | $$| $$ | $$$$$$$\| $$$$$$$\| $$ _| $$ _\$$$$$$\| $$ _| $$| $$ | $$__/ $$| $$__/ $$| $$/ \ $$| \__| $$| $$/ \ $$| $$_____ | $$ $$| $$ $$ \$$ $$ $$ \$$ $$ \$$ $$ $$| $$ \ \$$$$$$$ \$$$$$$$ \$$$$$$\ \$$$$$$ \$$$$$$\ \$$$$$$$$ \$$$ \$$$
_.(–)._ .‘ ‘. / ‘or ‘1‘=’1 \ |‘-…___…-‘| \ ‘=’ / `‘._____.’` / | \ /.—‘|’—.\ []/‘-.__|__.-‘\[] | []
BBQSQL injection toolkit (bbqsql) Lead Development: Ben Toews(mastahyeti) Development: Scott Behrens(arbit) Menu modified from code for Social Engineering Toolkit (SET) by: David Kennedy (ReL1K) SET is located at: https://https://ift.tt/2d5nDTV Version: 1.0
The 5 S‘s of BBQ: Sauce, Spice, Smoke, Sizzle, and SQLi
Select from the menu:
1) Setup HTTP Parameters 2) Setup BBQSQL Options 3) Export Config 4) Import Config 5) Run Exploit 6) Help, Credits, and About
99) Exit the bbqsql injection toolkit
bbqsql> |
BBQSQL has many https parameters you can configure when setting up your attack. At a minimum you must provide the URL, where you want the injection query to run, and the method. The following options can be set:
You specify where you want the injection query to be inserted by using the template ${injection}. Without the injection template the tool wont know where to insert the query.
You can download BBQSQL here:
Or read more here.
via https://ift.tt/2d5meg6
Around 324,000 users have likely had their payment records stolen either from payment processor
BlueSnap
or its customer
Regpack
; however, neither of the company has admitted a data breach.
BlueSnap is a payment provider which allows websites to take payments from customers by offering merchant facilities, whereas RegPack is a global online enrollment platform that uses BlueSnap to process the financial transactions for its online enrollments.
The data breach was initially reported on July 10, when a hacker published a link on Twitter, pointing to a file containing roughly 324,000 records allegedly stolen from Waltham, Massachusetts-based BlueSnap.
The tweet has since been deleted, but Australian security expert Troy Hunt took a copy of it for later review to analyze the data and after analyzing, he discovered that the leaked payment records are most likely legitimate.
The data contains users’ details registred between 10 March 2014 to 20 May 2016 and includes names, email addresses, physical addresses, phone numbers, IP addresses, last four digits of credit card numbers, even CVV codes, and invoice data containing details of purchases.
According to Hunt, who owns ‘
Have I Been Pwned
‘ breach notification service, some evidence like file names containing ‘BlueSnap’ and ‘Plimus’ in it suggests that the data comes from BlueSnap.
Plimus is the original name of BlueSnap, which was rebranded after private equity firm Great Hill Partners acquired it for $115Million in 2011.
However, since April 2013, Regpack has been using BlueSnap’s payment platform, it could be possible that the stolen data has come from Regpack.
“We have got 899 totally separate consumers of the Regpack service…who send their data direct to Regpack who pass payment data onto BlueSnap for processing,” Hunt explained in a blog post.
“Unless I am missing a fundamental piece of the workflow… it looks like accountability almost certainly lies with one of these two parties.”
Whatever the source is, but the primary concern here is that more than 320,000 stolen users financial information is floating around the web.
Although the payment data does not contain full credit card numbers, as Hunt stressed, cyber criminals can still misuse the compromised information, particularly the CVV codes that are highly valuable payment data, which can be used to conduct “card not present” transactions.
Also, the last four digit of any user’s credit card number can also be used for identity verification that’s very useful in conducting social engineering attacks.
Hunt contacted BlueSnap as well as Regpack, but they both denied suffering a data breach. He has also loaded as many as 105,000 email addresses into
, so you can search for your address on the site to check whether you are impacted by the breach.
via https://ift.tt/2cTuPXt
PunkSPIDER is a global-reaching web vulnerability search engine aimed at web applications. The goal is to allow the user to determine vulnerabilities in websites across the Internet quickly, easily, and intuitively. Please use PunkSPIDER responsibly.
In simple terms, that means the authors have created a security scanner and the required architecture that can execute a large number of web application vulnerability scans: all at the same time. The tool, or rather arsenal, works off an Apache Hadoop cluster and can handle tens of thousands of scans.
Searching for a specific website is easy! If you know the URL of your site you can simply type the URL in the search box (without https or https) and find your website. Once there you will be presented with the number of vulnerabilities present on the site.
Let’s try an example together, let’s say you’re looking to check if our the New York Times website https://www.nytimes.com is vulnerable. You could type in www.nytimes.com in the search bar, and you should receive a result back that looks like the following:
|
www.nytimes.com Scanned: 2014–05–18T12:30:55.000055Z bsqli:0 | sqli:0 | xss:0 | trav:0 | mxi:0 | osci:0 | xpathi:0 | Overall Risk:0 |
The first line gives you the domain of the result. The timestamp field on line 2 is the time that the site was added to our system. Below that is the interesting part, the total number of vulnerabilities found on the website. If you’re non-technical, you can ignore almost every part of that and just look at the Overall Risk field – this will tell you the risk of visiting a website.
As a rule of thumb anything with an Overall Risk of 1 should make you very wary, anything with an Overall Risk of greater than 1 you should stay away from entirely.
Check it out here:
via https://ift.tt/2c7q5fF