Databases

Yahoo Insiders Believe Hackers Could Have Stolen Over 1 Billion Accounts (businessinsider.com) 21

An anonymous reader quotes a report from Business Insider: The actual tally of stolen user accounts from the hack Yahoo experienced could be much larger than 500 million, according to a former Yahoo executive familiar with its security practices. The former Yahoo insider says the architecture of Yahoo's back-end systems is organized in such a way that the type of breach that was reported would have exposed a much larger group of user account information. To be sure, Yahoo has said that the breach affected at least 500 million users. But the former Yahoo exec estimated the number of accounts that could have potentially been stolen could be anywhere between 1 billion and 3 billion. According to this executive, all of Yahoo's products use one main user database, or UDB, to authenticate users. So people who log into products such as Yahoo Mail, Finance, or Sports all enter their usernames and passwords, which then goes to this one central place to ensure they are legitimate, allowing them access. That database is huge, the executive said. At the time of the hack in 2014, inside were credentials for roughly 700 million to 1 billion active users accessing Yahoo products every month, along with many other inactive accounts that hadn't been deleted. In late 2013, Yahoo CEO Marissa Mayer said the company had 800 million monthly active users globally. It currently has more than 1 billion.
Government

New US 'Secret' Clearance Unit Hires Firm Linked To 2014 Hacks (reuters.com) 20

An anonymous reader quotes a report from Reuters: A U.S. government bureau set up to do "secret" and "top secret" security clearance investigations has turned for help to a private company whose login credentials were used in hack attacks that looted the personal data of 22 million current and former federal employees, U.S. officials said on Friday. Their confirmation of the hiring of KeyPoint Government Solutions by the new National Background Investigations Bureau (NBIB) comes just days ahead of the bureau's official opening, scheduled for next week. Its creation was spurred, in part, by the same hacks of the Office of Personnel Management that have been linked to the credentials of KeyPoint, one of four companies hired by the bureau. The officials asked not to be named when discussing sensitive information. A spokesman for OPM said the agency in the past has said in public statements and in congressional testimony that a KeyPoint contractor's stolen credentials were used by hackers to gain access to government personnel and security investigations records in two major OPM computer breaches. Both breaches occurred in 2014, but were not discovered until April 2015, according to investigators. One U.S. official familiar with the hiring of KeyPoint said personnel records were hacked in 2014 from KeyPoint and, at some point, its login credentials were stolen. But no evidence proves, the official said, that the KeyPoint credentials used by the OPM hackers were stolen in the 2014 KeyPoint hack. OPM officials said on Thursday one aim for NBIB is to reduce processing time for "top secret" clearances to 80 days from 170 days and for "secret" clearances to 40 days from 120 days.
Security

Hack iOS 10, Get $1.5 Million 30

Reader Trailrunner7 writes: The stakes in the vulnerability acquisition and bug bounty game have just gone up several notches, with a well-known security startup now offering $1.5 million for a remote jailbreak in iOS 10. The payout was put on the table Thursday by Zerodium, a company that buys vulnerabilities and exploits for high-value target platforms and applications. The company has a set of standing prices for the information it will buy, which includes bugs and exploits for iOS, Android, Flash, Windows, and the major browsers, and the top tier of that list has been $500,000 for an iOS jailbreak. But that all changed on Thursday when Zerodium announced that the company has tripled the standing price for iOS to $1.5 million.
Businesses

Avast Not Done With Deal-Making After AVG Buy, But No Rush (reuters.com) 15

Avast Software, maker of the world's most popular computer antivirus program, will need a year to absorb its $1.3 billion buy of rival AVG but may seek further acquisitions before an expected flotation, its chief executive said in an interview, according to Reuters. From a report: Prague-based Avast closed its purchase on Friday of AVG Technologies, another software firm with Czech roots specializing in consumer security. The combined company will have over 400 million users and 40 percent of the consumer computer market outside of China. While Avast will delist AVG shares, it has its own plans to eventually offer shares, maybe as soon as 2019. Before that, it must fully integrate AVG and will then look at mid-tier acquisitions for its push into mobile and, possibly, to expand its small- and medium-sized business offering. "We have to digest AVG first and that is going to take us pretty much all of 2017 to really integrate. Then we will look at expanding the business after that," Avast CEO Vincent Steckler said.
Earth

Oscar Winners, Sports Stars and Bill Gates Are Building Lavish Bunkers (hollywoodreporter.com) 303

turkeydance quotes a report from Hollywood Reporter: Given the increased frequency of terrorist bombings and mass shootings and an underlying sense of havoc fed by divisive election politics, it's no surprise that home security is going over the top and hitting luxurious new heights. Or, rather, new lows, as the average depth of a new breed of safe haven that occupies thousands of square feet is 10 feet under or more. Those who can afford to pull out all the stops for so-called self-preservation are doing so -- in a fashion that goes way beyond the submerged corrugated metal units adopted by reality show "preppers" -- to prepare for anything from nuclear bombings to drastic climate-change events. Gary Lynch, GM at Rising S Bunkers, a Texas-based company that specializes in underground bunkers and services scores of Los Angeles residences, says that sales at the most upscale end of the market -- mainly to actors, pro athletes and politicians (who require signed NDAs) -- have increased 700 percent this year compared with 2015, and overall sales have risen 150 percent. Any time there is a turbulent political landscape, we see a spike in our sales. Given this election is as turbulent as it is, "we are gearing up for an even bigger spike," says marketing director Brad Roberson of sales of bunkers that start at $39,000 and can run $8.35 million or more (FYI, a 12-stall horse shelter is $98,500). Adds Mike Peters, owner of Utah-based Ultimate Bunker, which builds high-end versions in California, Texas and Minnesota: "People are going for luxury [to] live underground because they see the future is going to be rough. Everyone I've talked to thinks we are doomed, no matter who is elected."
Robert Vicino, founder of Del Mar, Calif.-based Vivos, which constructs upscale community bunkers in Indiana (he believes coastal flooding scenarios preclude bunkers being safely built west of the Rockies), says, "Bill Gates has huge shelters under every one of his homes, in Rancho Santa Fe and Washington. His head of security visited with us a couple years ago, and for these multibillionaires, a few million is nothing. It's really just the newest form of insurance."
Security

The Psychological Reasons Behind Risky Password Practices (helpnetsecurity.com) 191

Orome1 quotes a report from Help Net Security: Despite high-profile, large-scale data breaches dominating the news cycle -- and repeated recommendations from experts to use strong passwords -- consumers have yet to adjust their own behavior when it comes to password reuse. A global Lab42 survey, which polled consumers across the United States, Germany, France, New Zealand, Australia and the United Kingdom, highlights the psychology around why consumers develop poor password habits despite understanding the obvious risk, and suggests that there is a level of cognitive dissonance around our online habits. When it comes to online security, personality type does not inform behavior, but it does reveal how consumers rationalize poor password habits. My personal favorite: password paradox. "The survey revealed that the majority of respondents understand that their digital behavior puts them at risk, but do not make efforts to change it," reports Help Net Security. "Only five percent of respondents didn't know the characteristics of a secure password, with the majority of respondents understanding that passwords should contain uppercase and lowercase letters, numbers and symbols. Furthermore, 91 percent of respondents said that there is inherent risk associated with reusing passwords, yet 61 percent continue to use the same or similar passwords anyway, with more than half (55 percent) doing so while fully understanding the risk." The report also found that when attempting to create secure passwords, "47 percent of respondents included family names or initials," while "42 percent contain significant dates or numbers and 26 percent use the family pet."
Security

The Yahoo Hackers Weren't State-Sponsored, Security Firm Says (csoonline.com) 33

itwbennett writes from a report via CSO Online: After Yahoo raised eyebrows in the security community with its claim that state-sponsored hackers were responsible for the history-making breach, security firm InfoArmor now says it has evidence to the contrary. InfoArmor claims to have acquired some of the stolen information as part of its investigation into "Group E," a team of five professional hackers-for-hire believed to be from Eastern Europe. The database that InfoArmor has contains only "millions" of accounts, but it includes the users' login IDs, hashed passwords, mobile phone numbers and zip codes, said Andrew Komarov, InfoArmor's chief intelligence officer. Earlier this week, Chase Cunningham, director of cyber operations at security provider A10 Networks, called Yahoo's claim of state-sponsored actors a convenient, if trumped up, excuse: "If I want to cover my rear end and make it seem like I have plausible deniability, I would say 'nation-state actor' in a heartbeat." "Yahoo was compromised in 2014 by a group of professional blackhats who were hired to compromise customer databases from a variety of different targeted organizations," Scottsdale, Arizona-based InfoArmor said Wednesday in a report. "The Yahoo data leak as well as the other notable exposures, opens the door to significant opportunities for cyber-espionage and targeted attacks to occur."
Networking

Researcher Finds D-Link DWR-932 Router Is 'Chock Full of Holes' (helpnetsecurity.com) 70

Reader JustAnotherOldGuy writes: Security researcher Pierre Kim has unearthed a bucketload of vulnerabilities in the LTE router/portable wireless hotspot D-Link DWR-932. Kim found the latest available firmware has these vulnerabilities:
- Two backdoor accounts with easy-to-guess passwords that can be used to bypass the HTTP authentication used to manage the router
- A default, hardcoded Wi-Fi Protected Setup (WPS) PIN, as well as a weak WPS PIN generation algorithm
- Multiple vulnerabilities in the HTTP daemon
- Hardcoded remote Firmware Over The Air credentials
- Lowered security in Universal Plug and Play, and more.
"At best, the vulnerabilities are due to incompetence; at worst, it is a deliberate act of security sabotage from the vendor," says Kim, and advises users to stop using the device until adequate fixes are provided.

Security

Microsoft Widens Edge Browser Bug Hunt For Bounty Hunters (theregister.co.uk) 12

Microsoft said today it is expanding its program for rewarding those who find and report bugs in Edge, its latest web browser, enabling bounty hunters to claim their prize for a broader range of vulnerabilities. The Register adds: The snappily titled "Microsoft Edge Web Platform on Windows Insider Preview Bug Bounty Programme" was launched in August, and enabled anyone to report vulnerabilities they discover in Microsoft Edge in exchange for flippin' great wodges of cash. Now, the firm has expanded the programme, with a focus on vulnerabilities that lead to "violation of W3C standards that compromise privacy and integrity of important user data," or which enable remote code execution by a particular threat vector. Specifically, the bounty programme now covers the following: Same Origin Policy bypass vulnerabilities (such as universal cross-site scripting), Referrer Spoofing vulnerabilities, Remote Code Execution vulnerabilities in Microsoft Edge on Windows Insider Preview, and Vulnerabilities in open source sections of Chakra.
Facebook

Facebook at Work To Report For Duty Next Month (fortune.com) 83

The debut of the long-awaited business social network is nigh. Facebook at Work is about to report for duty. The social networking company's long-awaited foray into business applications will formally debut in London on October 10, according to tech site TechCrunch. From a report: The news site further noted this would be Facebook's first major product launch to take place outside the United States. Thus far, Facebook is seen as a fun-and-games site, not something corporate employees use to converse or track each other. But Facebook at Work, a business-minded operation, could help change that image. As has been reported, it will be a separate version of the network that can be accessed only from a company's internal IT systems, and in theory, subject to stricter corporate security and access rules. Personal accounts will be cordoned off.
Government

US Believes Hackers Are Shielded By Russia To Hide Its Role In Cyberintrusions: WSJ (newsmax.com) 108

According to a report from The Wall Street Journal (Warning: may be paywalled), U.S. officials are all but certain that the hacker Guccifer 2.0, who hacked the Democratic National Committee in June, is connected to a network of individuals and groups who are being shielded by the Russian government to mask its involvement in cyberintrusions. Even though the hacker denies working for the Russian government, the hacker is thought to be working with the hacking groups Fancy Bear and Cozy Bear, which have ties to the Russian government. The Wall Street Journal reports: Following successful breaches, the stolen data are apparently transferred to three different websites for publication, these people say. The websites -- WikiLeaks, DCLeaks.com and a blog run by Guccifer 2.0 -- have posted batches of stolen data at least 42 times from April to last week. Cybersecurity experts believe that DCLeaks.com and Guccifer 2.0 often work together and have direct ties to Russian hackers. Guccifer 2.0 said in a Twitter direct message sent to The Wall Street Journal that he wants to expose corruption in politics and shine light on how companies influence policy. The hacker said he also hopes to expose "global electronization." "I think I won't have a better opportunity to promote my ideas than this year," Guccifer 2.0 added in a long exchange with a Journal reporter. The Journal cannot verify the identity of the person sending messages on behalf of Guccifer 2.0, but the account is the same one that was used to publish personal information about Democrats. A posting on a blog run by Guccifer 2.0 says he is a man who was born in Eastern Europe, has been a hacker for years and fears for his safety. "I think u've never felt that feeling when u r crazy eager to shout: look everyone, this is me, this is me who'd done it," the hacker wrote to the Journal. "but u can't."
WikiLeaks officials didn't respond to requests for comment on whether Russia fed them the stolen files published by WikiLeaks in July. A representative for DCLeaks.com asked the Journal to submit questions via email but hasn't responded to them. Last week, U.S. intelligence chief James Clapper said it "shouldn't come as a big shock to people" that Russia is behind the hacking operation. While Russia has tried to interfere in U.S. elections since at least the 1960s by spying and funneling money to particular political groups, "I think it's more dramatic maybe because now they have the cyber tools," he said.
HP

HP To Issue 'Optional Firmware Update' Allowing 3rd-Party Ink (arstechnica.com) 79

Soon after the Electronic Frontier Foundation (EFF) issued a letter to HP, calling for them to apologize to customers for releasing firmware that prevents the use of non-HP ink cartridges and refilled HP cartridges, the company has responded with a temporary solution. HP "will issue an optional firmware update that will remove the dynamic security feature" for certain OfficeJet printers. Ars Technica reports: HP made its announcement in a blog post titled "Dedicated to the best printing experience." "We updated a cartridge authentication procedure in select models of HP office inkjet printers to ensure the best consumer experience and protect them from counterfeit and third-party ink cartridges that do not contain an original HP security chip and that infringe on our IP," the company said. The recent firmware update for HP OfficeJet Pro, and OfficeJet Pro X printers "included a dynamic security feature that prevented some untested third-party cartridges that use cloned security chips from working, even if they had previously functioned," HP said. For customers who don't wish to be protected from the ability to buy less expensive ink cartridges, HP said it "will issue an optional firmware update that will remove the dynamic security feature. We expect the update to be ready within two weeks and will provide details here." This customer-friendly move may just be a one-time thing. HP said it will continue to use security features that "protect our IP including authentication methods that may prevent some third-party supplies from working." Without the optional firmware update, printers will only be able to use third-party ink cartridges that have an "original HP security chip," the company said.
Yahoo!

Yahoo Repeatedly Didn't Invest In Security, Rejected Bare Minimum Measure To Reset All User Passwords: NYTimes 124

If it wasn't already enough that the mega breach at Yahoo affects over 500 million users, a new investigative report on The New York Times states the extent to which Yahoo didn't care about its users' security (Editor's note: the link could be paywalled; alternate source). The report says Yahoo CEO Marissa Mayer refused to fund security initiatives at the company, and instead invested money in features and new products. Despite Edward Snowden warning Yahoo that it was too easy of a target for hackers, the company took one year to hire a new chief information officer. The company hired Alex Stamos, who is widely respected in the industry. But Stamos soon left partly due to clashes with Mayer, The Times adds. And it gets worse. From the report: But when it came time to commit meaningful dollars to improve Yahoo's security infrastructure, Ms. Mayer repeatedly clashed with Mr. Stamos, according to the current and former employees. She denied Yahoo's security team financial resources and put off proactive security defenses, including intrusion-detection mechanisms for Yahoo's production systems. [...] But during his tenure, Ms. Mayer also rejected the most basic security measure of all: an automatic reset of all user passwords, a step security experts consider standard after a breach. Employees say the move was rejected by Ms. Mayer's team for fear that even something as simple as a password change would drive Yahoo's shrinking email users to other services.
Privacy

Apple Logs Your iMessage Contacts - And May Share Them With Police: The Intercept 61

The Intercept is reporting that despite what Apple claims, it does keep a log of people you are receiving messages from and shares this and other potentially sensitive metadata with law enforcement when compelled by court order. Apple insists that iMessage conversations are safe and out of reach from anyone other than you and your friends. From the report: This log also includes the date and time when you entered a number, along with your IP address -- which could, contrary to a 2013 Apple claim that "we do not store data related to customers' location," identify a customer's location. Apple is compelled to turn over such information via court orders for systems known as "pen registers" or "tap and trace devices," orders that are not particularly onerous to obtain, requiring only that government lawyers represent they are "likely" to obtain information whose "use is relevant to an ongoing criminal investigation." Apple confirmed to The Intercept that it only retains these logs for a period of 30 days, though court orders of this kind can typically be extended in additional 30-day periods, meaning a series of monthlong log snapshots from Apple could be strung together by police to create a longer list of whose numbers someone has been entering.
Blackberry

BlackBerry Says It's Done Designing and Building Its Own Phones (theverge.com) 90

BlackBerry today reported its fiscal second-quarter sales and said that it will stop making its iconic smartphones and focus on its software business. The Verge adds: BlackBerry has announced that it plans to stop making its own phones as the struggling company continues to focus on its software and security products. This is far from the end of BlackBerry devices, the production of which will be outsourced to third-party manufacturers -- as was the case with the company's recent DTEK 50, a clone of Alcatel's Idol 4 with BlackBerry branding. "The company plans to end all internal hardware development and will outsource that function to partners," said CEO John Chen in a statement. Elsewhere he stated: "We are reaching an inflection point with our strategy. Our financial foundation is strong, and our pivot to software is taking hold." This isn't surprising news considering BlackBerry's ongoing struggle in the mobile market. According to estimates from Gartner, the company claimed just 0.1 percent of the market in the second quarter, equating to sales of some 400,400 units. The last BlackBerry phone manufactured by the company was the Priv, the company's first Android-powered device, released November last year.
Microsoft

Vladimir Putin Is Replacing Microsoft Programs With Domestic Software (bloomberg.com) 276

An anonymous reader quotes a report from Bloomberg: Moscow city will replace Microsoft Corp. programs with domestic software on thousands of computers in answer to President Vladimir Putin's call for Russia's authorities to reduce dependence on foreign technology amid tensions with the U.S. and Europe. The city will initially replace Microsoft's Exchange Server and Outlook on 6,000 computers with an e-mail system installed by state-run carrier Rostelecom PJSC, Artem Yermolaev, head of information technology for Moscow, told reporters Tuesday. Moscow may expand deployment of the new software, developed by Russia's New Cloud Technologies, to as many as 600,000 computers and servers, and may also consider replacing Windows and Office, Yermolaev said. Putin is urging state entities and local companies to go domestic amid concerns over security and reliability after U.S. firms shut down paid services in Crimea following Russia's 2014 annexation. The plan poses a challenge to the likes of Microsoft, SAP SE and Oracle Corp. in the country's $3 billion software market. Adding to pressure, Putin's internet czar German Klimenko wants to raise taxes on U.S. technology companies to help Russian competitors such as Yandex NV and Mail.ru Group Ltd.
Democrats

FBI Investigating Possible Hack of Democratic Party Staffer Cell Phones (cnn.com) 107

In what may be part of the original Democratic National Committee hack, the FBI is currently investigating a possible hack involving the cell phones of a small number of Democratic Party staffers. CNN reports: The development comes on the same day Homeland Security Secretary Jeh Johnson told lawmakers that 18 states have asked for help in warding off cyberattacks on their electronic voting systems. Law enforcement officials have reached out to the staffers individually about "imaging" their phones to search for evidence of hacking, such as malware. Investigators are still probing whether this attempted hack is part of the original breach of Democratic National Committee emails -- which is widely thought to be the work of the Russian government -- or a new hacking attempt. "Our struggle with the Russian hackers that we announced in June is ongoing -- as we knew it would be -- and we are choosing not to provide general updates unless personal data or other sensitive information has been accessed or stolen," interim DNC Chairwoman Donna Brazile told CNN. Cybersecurity was a major theme at the debate last night between Republican nominee Donald Trump and Democratic nominee Hillary Clinton. While Clinton blamed the Russians for the "election-related cyberintrusions," Trump said "It could be Russia, but it could also be China. It could also be lots of other people. It could also be somebody sitting on their bed that weighs 400 pounds." We will update this story as it develops.
Network

OVH Hosting Suffers From Record 1Tbps DDoS Attack Driven By 150K Devices (hothardware.com) 115

MojoKid writes: If you thought that the massive DDoS attack earlier this month on Brian Krebs' security blog was record-breaking, take a look at what just happened to France-based hosting provider OVH. OVH was the victim of a wide-scale DDoS attack that was carried via a network of over 152,000 IoT devices. According to OVH founder and CTO Octave Klaba, the DDoS attack reached nearly 1 Tbps at its peak. Of those IoT devices participating in the DDoS attack, they were primarily comprised of CCTV cameras and DVRs. Many of these devices have improperly configured network settings, which leaves them ripe for the picking for hackers that would love to use them to carry out destructive attacks. The DDoS peaked at 990 Gbps on September 20th thanks to two concurrent attacks, and according to Klaba, the original botnet was capable of a 1.5 Tbps DDoS attack if each IP topped out at 30 Mbps. This massive DDoS campaign was directed at Minecraft servers that OVH was hosting. Octave Klaba / Oles tweeted: "Last days, we got lot of huge DDoS. Here, the list of 'bigger that 100Gbps' only. You can the simultaneous DDoS are close to 1Tbps!"
Yahoo!

Yahoo's Delay in Reporting Hack 'Unacceptable', Say Senators (zdnet.com) 72

Yahoo won't be able to get away with its mega data breach from 2014 that it only reported this month. Six senior senators have said Yahoo's two-year delay in reporting the largest known data breach in history is unacceptable. The senators have asked Yahoo CEO Marissa Mayer to explain why the massive hack of more than 500 million accounts wasn't reported two years ago when the breach occurred. From a ZDNet report: The senators said they were "disturbed" that a breach of that size wasn't noticed at the time. "That means millions of Americans' data may have been compromised for two years. This is unacceptable. This breach is the latest in a series of data breaches that have impacted the privacy of millions of American consumers in recent years, but it is by far the largest," the letter wrote. Sens. Patrick Leahy, Al Franken, Elizabeth Warren, Richard Blumenthal, Roy Wyden, and Edward Markey signed the letter, dated Tuesday. The senators also requested a briefing to senate staffers on its incident response and how it intends to protect affected users.
Security

Windows 10 Will Soon Run Edge In a Virtual Machine To Keep You Safe (arstechnica.com) 171

An anonymous reader quotes a report from Ars Technica: Microsoft has announced that the next major update to Windows 10 will run its Edge browser in a lightweight virtual machine. Running the update in a virtual machine will make exploiting the browser and attacking the operating system or compromising user data more challenging. Called Windows Defender Application Guard for Microsoft Edge, the new capability builds on the virtual machine-based security that was first introduced last summer in Windows 10. Windows 10's Virtualization Based Security (VBS) uses small virtual machines and the Hyper-V hypervisor to isolate certain critical data and processes from the rest of the system. The most important of these is Credential Guard, which stores network credentials and password hashes in an isolated virtual machine. This isolation prevents the popular MimiKatz tool from harvesting those password hashes. In turn, it also prevents a hacker from breaking into one machine and then using stolen credentials to spread to other machines on the same network. Credential Guard's virtual machine is very small and lightweight, running only a relatively simple process to manage credentials. Application Guard will go much further by running large parts of the Edge browser within a virtual machine. This virtual machine won't, however, need a full operating system running inside it -- just a minimal set of Windows features required to run the browser. Because Application Guard is running in a virtual machine it will have a much higher barrier between it and the host platform. It can't see other processes, it can't access local storage, it can't access any other installed applications, and, critically, it can't attack the kernel of the host system. In its first iteration, Application Guard will only be available for Edge. Microsoft won't provide an API or let other applications use it. 
As with other VBS features, Application Guard will also only be available to users of Windows 10 Enterprise, with administrative control through group policies. Administrators will be able to mark some sites as trusted, and those sites won't use the virtual machine. Admins will also be able to control whether untrusted sites can use the clipboard or print.
