Multiple power plant workstations slammed by malware

According to the Homeland Security Department, multiple power plants in the United States were affected by malware during the beginning of October 2012. While details are relatively scarce, it was revealed that one of the power plants had been infected via a USB flash drive. The infection happened during a software update.


The power plant infected by the USB drive ended up staying offline for three weeks while the issue was fixed. The malware, an identity theft trojan, had been introduced via the USB drive of an outside technician who was performing software updates. It managed to infect approximately 10 computers.

A second power plant that was also infected had malware on multiple computers, some of which were involved with the plant’s operations. Unlike the other plant, no information was provided on how this malware made its way onto the workstations. The first power plant did not have properly updated antivirus software.

The Industrial Control Systems Cyber Emergency Response Team said this in a report. “ICS-CERT’s onsite discussions with company personnel revealed a handful of machines that likely had contact with the tainted USB drive. These machines were examined immediately and drive images were taken for in-depth analysis. ICS-CERT also…discovered signs of the sophisticated malware on two engineering workstations, both critical to the operation of the control environment.”

[via USA Today]


Multiple power plant workstations slammed by malware is written by Brittany Hillen & originally posted on SlashGear.
© 2005 – 2012, SlashGear. All rights reserved.

Java tipped in Red October – may be Homeland Security’s hang-up

Over the past several days, the US Department of Homeland Security has issued warnings against using Java due to newly discovered security weaknesses – today it’s been tipped that the Red October cyberespionage attacks may have had their own Java iterations. The two have not been explicitly connected by the Israeli IT security firm Seculert, the group that today suggests Red October was implemented not just via email downloads and USB sticks, but through web-based Java exploits as well. Could that finding and Homeland Security’s warning really arrive at the same time without any relation to one another?


Coincidences like this don’t just happen every day. According to Kaspersky Lab, the antivirus group that let loose the info on Red October earlier this week, it was mainly through Word and Excel documents that the security exploit was delivered, either via an email download or possibly through USB sticks plugged into host computers. Security researchers from Seculert assigned to analyze the command and control servers used in the Red October campaign have found a malicious Java applet made to exploit a Java vulnerability they say was patched all the way back in October of 2011.


What this means is that their targets were not computers that were brand new, patched and up to date, but older machines that for one reason or another hadn’t gotten with the program. Another fabulous reason to keep your computer up to date, that’s what this is. According to the Seculert blog where the Java connection announcement was made, “the JAR file of the Java exploit was compiled in February 2012, even though the patch for the vulnerability was available as of October 2011.”

These exploits appear to have been included in pages with the title “We Can Find All News!” The terms “news theme” and “NewsForYou” were also included in the code, leading the team to believe that the malicious applet was delivered through a series of harmless-seeming websites full of “fake” news blasts. While it would seem strange that the US Department of Homeland Security would wait many, many months to deliver a warning against an attack like this, it is possible that, like the rest of us, they only found out about it here in 2013 – and they’ve not confirmed that this is the same attack, of course, but we shall see!


Java tipped in Red October – may be Homeland Security’s hang-up is written by Chris Burns & originally posted on SlashGear.

Decoding PIN Codes Is Easier Than You Think It Is, Says Report

Decoding ATM PIN codes might be easier than you think. According to data scientist Nick Berry, an estimated 26.83 percent of all PIN codes could be guessed by using 20 combinations of four-digit numbers. Berry, the founder of the Seattle-based technology consultancy firm Data Genetics, analyzed passwords from security breaches and discovered that there are 10,000 possible combinations that the digits 0 to 9 can have in order to form a four-digit code. Berry also found out that roughly 11 percent of the 3.4 million passwords he analyzed were 1234, while 6 percent of them were 1111.

By Ubergizmo.

Google bug grants access to revoked Analytics and Webmaster Tools users

A fairly problematic bug is affecting Google accounts, granting revoked users access to the Webmaster Tools and Google Analytics they originally had access to. For example, a business that fired an employee and revoked his or her access rights may find itself in the uncomfortable position of that embittered ex-employee regaining access to the tools. As you’d expect, angry tweets and forum posts are lighting up the Internet.

The folks over at The Next Web talked with eBay’s former Director of SEO Dennis Goedegebuure, who stated that he has regained access to eBay’s Webmaster Tools after having not worked for the company in over a year. A quick search for “Webmaster Tools” on Twitter reveals a host of tweets, many of which are angry, stating that they have either regained access or have had users added to Webmaster Tools who were previously revoked.

Just how much havoc could someone wreak with access to Webmaster Tools and Analytics? To start with, he or she could remove webmaster user access, followed by bumping pages off the index and purging sitemaps. This is on top of the massive amounts of data that will be accessible via Analytics, which include a variety of records and site reports.

Some users are reporting that old Gmail Talk contacts are also reappearing, suggesting that other services may be compromised as well. Google is no doubt frantically working to correct this issue. While we wait to see what damage is done, here’s a bit of random Twitter advice from @Skitzzo: “Never screw your SEO… you never know when Google will do something stupid like let them back into your Webmaster Tools account.”

[via TNW]


Google bug grants access to revoked Analytics and Webmaster Tools users is written by Brittany Hillen & originally posted on SlashGear.


Hacker selling $700 Yahoo! email exploit

Hacker “TheHell” is selling an exploit that allows individuals to hijack a Yahoo! email account. The method is shown off in a video that was posted on Darkode, where the exploit is being sold for $700, and then reposted on YouTube. Yahoo! has been notified and is looking for the security hole, which it says can be fixed in a few hours once discovered.

The zero-day exploit takes advantage of a cross-site scripting vulnerability, allowing the hacker to steal a Yahoo! user’s cookies and take control of the account. In order to work, the victim must click on a malicious link. Upon doing so, the user’s cookies will be stolen and he or she will be redirected back to the Yahoo! email home page.

Said TheHell: “I’m selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers. And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss. Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don’t want it to be patched soon!”

Yahoo stated that while fixing the issue will be simple enough, that can’t happen until they actually find “the offending URL.” This isn’t the first time an XSS attack has been directed at Yahoo!, however, with some recent examples of vulnerable links including surveylink.yahoo.com and order.store.yahoo.com. You can see a full list of XSS vulnerabilities and whether they’ve been fixed over at XSSed.com.

[via Sophos]


Hacker selling $700 Yahoo! email exploit is written by Brittany Hillen & originally posted on SlashGear.


NASA updates on data breach, says 10,000 users compromised

Earlier today, we reported that NASA had suffered a serious security breach when one of its employees’ laptops was stolen from his vehicle. Later today, NASA stated that it was implementing new security rules to prevent having data compromised like this again. Now the agency has released stats on the contents of the laptop, saying that about 10,000 users have been compromised.

A NASA spokesperson told Computer World that “at least” 10,000 employees and contractors are at risk due to the information contained on the laptop. The system was password protected, but the actual data on the hard drive was not encrypted, making it exceptionally vulnerable. NASA waited two weeks before informing employees of the theft, stating that it worked with law enforcement during that time.

The agency’s spokesperson Allard Beutel offered this statement. “NASA immediately began working with local law enforcement after the laptop was stolen, with the goal of recovering the computer and protecting the sensitive data. At the same time, NASA IT specialists and security officials began performing an exhaustive automated and manual analysis of the data to make sure everyone with information on the stolen laptop is notified.”

Employees were informed via an email sent out from the Associate Deputy Administrator at NASA, Richard Keegan Jr. The email stated that a laptop had been stolen that contained personal information. Workers were warned that while the system was password protected, the data was not encrypted, and thus it could be accessed by the thief.

[via Computer World]


NASA updates on data breach, says 10,000 users compromised is written by Brittany Hillen & originally posted on SlashGear.


NASA now requiring encrypted laptops to avoid future breaches

Earlier today, we heard the news that NASA had suffered a major security breach when the laptop of an associate deputy administrator was stolen out of his car. The laptop contained the personal information of a number of NASA employees, including social security numbers. Naturally, this is a pretty big problem for NASA, so now it’s no surprise that we’re seeing the organization take measures to make sure that nothing on this scale happens again.


The problem with the stolen laptop was that it wasn’t properly protected. The information was stored away behind a password, but just protecting vital information like that with a password never means that it’s 100% secure. Had the information on the laptop been encrypted, this whole mess could have been avoided, despite the fact that the laptop was stolen.

NetworkWorld reports that NASA is now requiring full disk encryption on its laptops. The organization wants this implemented on the “maximum possible number of laptops,” by the time November 21 rolls around next week, with each and every laptop NASA owns required to have encryption capabilities by December 21. Once we’re past that date – provided we all survive the apocalypse – no unencrypted computer will be allowed to leave NASA’s buildings.

So, at least NASA is doing something to prevent unprotected computers from falling into the wrong hands. That won’t be much consolation to the folks whose information might be floating around in the wild at the moment, but NASA is offering to pay for credit tracking and insurance in the event that their identity is stolen. Keep it tuned to SlashGear, as we’ll update you on this breach if any new information becomes available.


NASA now requiring encrypted laptops to avoid future breaches is written by Eric Abent & originally posted on SlashGear.


Blizzard hit with lawsuit over Battle.net security

To many, securing your Battle.net account with one of the authenticators Blizzard offers is just the way the game is played. Folks have been using authenticators to secure their Battle.net accounts for years now, but one player has decided he’s had enough. His name is Benjamin Bell, and he’s the leading plaintiff in a new class action lawsuit brought against Blizzard.


According to IGN, Bell claims that Blizzard is “deceptively and unfairly” charging players extra for authenticators to secure their accounts, and he’d also like to see Blizzard stop requiring that players sign into Battle.net to play the studio’s games. Blizzard has required a Battle.net sign up for quite some time now, though Battle.net was around for years before it was turned into a required part of Blizzard’s games.

The suit also claims that Blizzard hasn’t done its part in making sure that Battle.net is secure. We can see the problems players have with physical authenticators – after all, Blizzard charges $6.50 for each one – but there’s also a smartphone authenticator app that’s free to use. In any case, Blizzard is going to fight this lawsuit, telling IGN, “This suit is without merit and filled with patently false information, and we will vigorously defend ourselves through the appropriate legal channels.”

We’re not really sure how this lawsuit is going to go, but we’re almost positive that if Bell comes out on top, the amount of money Blizzard players get will be negligible. Then again, it’s clear that this suit is more about getting Blizzard to change the way it operates Battle.net than it is about money. Keep it tuned here to SlashGear, as we’ll have more details for you once they surface.


Blizzard hit with lawsuit over Battle.net security is written by Eric Abent & originally posted on SlashGear.


Anonymous celebrates Guy Fawkes Day with reported PayPal hack [UPDATE]

In case you don’t remember, today is Guy Fawkes Day. Anonymous is trying to make sure that you remember the fifth of November, taking to Twitter today to announce that it has hacked PayPal and made off with nearly 28,000 passwords. According to The Next Web, Anonymous posted these passwords (along with usernames and telephone numbers in some cases) to Private Paste, though at the time of this writing the page linked to by the AnonymousPress Twitter account has been taken down. [UPDATE: PayPal responds below.]


PayPal says that it is currently investigating the claims of a breach, but so far the company hasn’t found any evidence that it has been hacked. SEE: quote below. That isn’t all Anonymous has been up to though, as the BBC reports that Symantec is looking into claims that it has been hacked as well. Over the weekend, sites belonging to NBC, Lady Gaga, and the Australian government were compromised in an apparent protest for Guy Fawkes Day.

“It appears that the exploit was not directed at PayPal after all, it was directed at a company called ZPanel. The original story that started this and was retweeted by some of the Anonymous Twitter handles has now been updated.” – PayPal Spokesperson

Guy Fawkes, who attempted to blow up the House of Lords in an effort to kill King James I back in 1605, has become something of a legend within Anonymous, thanks to 2005’s V for Vendetta. “Members” of the group often wear Guy Fawkes masks that were used in the movie when they appear publicly, and indeed, a few of the websites displayed the famous Gunpowder Treason rhyme after being compromised. “Remember, remember the fifth of November, the Gunpowder Treason and Plot,” the rhyme commands. “I know of no reason why the Gunpowder Treason should ever be forgot.”

A number of the sites that were reportedly compromised in this Guy Fawkes protest are now back to normal, but you can bet that Anonymous is pleased with the attention it has received this fifth of November. Even though PayPal hasn’t confirmed that it was hacked, it might not be a bad idea to switch up your password if you happen to be a customer. Knowing Anonymous, this won’t be the last we hear of the hacktivist group today, so keep it tuned here to SlashGear for more details.


Anonymous celebrates Guy Fawkes Day with reported PayPal hack [UPDATE] is written by Eric Abent & originally posted on SlashGear.


Jesus makes an appearance in SplashData’s 25 worst passwords list

He may be considered a savior by many people around the world, but today SplashData is showing us that Jesus won’t do much when it comes to protecting you from having your online identities hijacked. The company has released its list of the 25 worst passwords for 2012, and aside from an appearance by one of the most important figures in the Christian religion, there are few new entries on the annual list. Of course, things like “password” and “123456” rank at the top yet again, so if you’re still using those passwords to secure your online accounts, stop it already.


Every year, SplashData compiles a ton of information on the most common passwords by picking through the millions of passwords hackers post to the Internet. In every list, we see the same culprits rank at the top, though 2012’s list has a number of newcomers. As we mentioned earlier, “jesus” is one of these new passwords on the list, as are “ninja,” “mustang,” and “welcome.”

Have a look at the full list of worst passwords below, including their rank for 2012 and any change from last year’s list. It kind of goes without saying, but if you use any of the passwords listed, it’s definitely a good idea to change them as soon as humanly possible.

1. password (Unchanged)
2. 123456 (Unchanged)
3. 12345678 (Unchanged)
4. abc123 (Up 1)
5. qwerty (Down 1)
6. monkey (Unchanged)
7. letmein (Up 1)
8. dragon (Up 2)
9. 111111 (Up 3)
10. baseball (Up 1)
11. iloveyou (Up 2)
12. trustno1 (Down 3)
13. 1234567 (Down 6)
14. sunshine (Up 1)
15. master (Down 1)
16. 123123 (Up 4)
17. welcome (New)
18. shadow (Up 1)
19. ashley (Down 3)
20. football (Up 5)
21. jesus (New)
22. michael (Up 2)
23. ninja (New)
24. mustang (New)
25. password1 (New)

The temptation to go with an easy-to-remember password is there for all of us, but unfortunately that leads to an increased risk of having your online accounts breached – not a good thing if you have a lot of important data (like banking information) you need to keep safe behind these passwords. Also, it’s never a good idea to use the same password across multiple accounts, so start thinking of unique passwords for all of your online identities if you haven’t already. Are you surprised by any of the changes or new additions to this list?


Jesus makes an appearance in SplashData’s 25 worst passwords list is written by Eric Abent & originally posted on SlashGear.