Friday, 31 January 2014

Yahoo Mail hacked; Change your account password immediately

Hack Reports
31 January 2014

A really bad year for the world's second-largest email service provider, Yahoo Mail! The company announced today, 'we identified a coordinated effort to gain unauthorized access to Yahoo Mail accounts', user names and passwords of its email customers have been stolen and are used to access multiple accounts.

Yahoo did not say how many accounts have been affected, and neither they are sure about the source of the leaked users' credentials. It appears to have come from a third party database being compromised, and not an infiltration of Yahoo's own servers.

"We have no evidence that they were obtained directly from Yahoo’s systems. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack seems to be names and email addresses from the affected accounts’ most recent sent emails."

For now, Yahoo is taking proactive actions to protect their affected users, "We are resetting passwords on impacted accounts and we are using second sign-in verification to allow users to re-secure their accounts. Impacted users will be prompted (if not, already) to change their password and may receive an email notification or an SMS text if they have added a mobile number to their account."

People frequently use the same passwords on multiple accounts, so possibly hackers are brute-forcing Yahoo accounts with the user credentials stolen from other data breaches.

Yahoo users can prevent account hijacks by using a strong and unique password. You can use 'Random strong password generator' feature of DuckDuckGo search engine to get a unique & strong password.

Users are also recommended to enable two-factor authentication, which requires a code texted to the legitimate user's mobile phone whenever a login attempt is made from a new computer.

Yahoo! was hacked in July 2012, with attackers stealing 450,000 email addresses and passwords from a Yahoo! contributor network.


Tuesday, 28 January 2014

FBI hits 'hackers-for-hire' websites

BBC News
January 27, 2014

The FBI has arrested five people in connection with what it says are several hacking-for-hire websites.

Two men have been charged with running and three others with being customers of websites that allegedly offered to obtain access to email accounts.

The swoop against the sites was co-ordinated with police forces in Romania, India and China.

Six other alleged administrators of such sites were arrested as part of the overseas element of the operation.

Mark Anthony Townsend and Joshua Alan Tabor, both of Arkansas, have been charged with operating the website that, according the FBI, charged people to find passwords for about 6,000 email accounts.

If the two are found guilty they face up to five years in jail for computer fraud offences.

The other three people have been charged with paying, between them, more than $23,000 (£14,000) to similar hacker-for-hire websites outside the US to find passwords for a wide variety of email accounts.

Paying a hacker to act on your behalf is a "misdemeanour offense" and if found guilty each defendant could go to a federal jail for 12 months.

In a statement, the FBI said it expected all five defendants to plead guilty.

Four people in Romania, one person in India and one in China were also arrested in connection with websites that allegedly offered to obtain a password for any email account for between $100 (£60) and $500 (£300).

BBC © 2014

FBI hits 'hackers-for-hire' websites

Wednesday, 22 January 2014

Millions of German passwords stolen

BBC News
January 21, 2014 7:13 PM

The passwords and other details of 16 million email users in Germany have been stolen, the country's security agency has revealed.

The Federal Office for Security said criminals had infected computers with software which allowed them to gather email addresses and account passwords.

The agency has not commented on what progress it has made in tracking down the hackers.

It has set up a website for people to check whether they have been victims.

The agency learnt that the online criminals had managed to infect millions of computers with a program that would enrol them on to a network from where data could be stolen.

It believes most of those targeted are in Germany as many of the email addresses end in .de which is the identifier for German web addresses.

The scale of the attack is the equivalent of almost a fifth of the German population being at risk.

The BBC's correspondent in Germany, Steve Evans, said that so many people were anxious to check if they were victims of this hack that they overwhelmed the official security website causing it to crash.

BBC © 2014

Millions of German passwords stolen

Huge data theft hits South Korea

BBC News

Huge data theft hits South Korea
January 20, 2014

Credit card details from almost half of all South Koreans have been stolen and sold to marketing firms.

The data was stolen by a computer contractor working for a company called the Korea Credit Bureau that produces credit scores.

The names, social security numbers and credit card details of 20 million South Koreans were copied by the IT worker.

The scale of the theft became apparent after the contractor at the centre of the breach was arrested.

Unprotected data

Managers at the marketing firms which allegedly bought the data were also arrested.

Early reports suggest that the contractor got hold of the giant trove of data thanks to the access Korea Credit Bureau enjoys to databases run by three big South Korean credit card firms. The contractor stole the data by copying it to a USB stick.

Regulators are now looking into security measures at the three firms - KB Kookmin Card, Lotte Card, and NH Nonghyup Card - to ensure data stays safe. A task force has been set up to investigate the impact of the theft.

The three bosses of the credit card firms involved made a public apology for the breach.

In a statement the Financial Services Commission, Korea's national financial regulator, said: "The credit card firms will cover any financial losses caused to their customers due to the latest accident."

Another official at the FSC said the data was easy to steal because it was unencrypted and the credit card firms did not know it had been copied until investigators told them about the theft.

This theft of consumer data is just the latest to hit South Korea. In 2012, two hackers were arrested for getting hold of the details of 8.7 million subscribers to KT Mobile. Also, in 2011, details of more than 35 million accounts of South Korean social network Cyworld were exposed in an attack.

BBC © 2014

Huge data theft hits South Korea

Sunday, 12 January 2014

Yahoo malware creates Bitcoin botnet

BBC News
January 9, 2014

Adverts on Yahoo's homepage were infected with malware designed to mine the Bitcoin virtual currency, according to security experts.

Yahoo confirmed that for a four-day period in January, malware was served in ads on its homepage.

Experts estimate that as many as two million European users could have been hit.

Security firm Light Cyber said the malware was intended to create a huge network of Bitcoin mining machines.

"The malware writers put a lot of effort into making it as efficient as possible to utilise the computing power in the best way," Light Cyber's founder Giora Engel told the BBC.

Lucrative market

Bitcoin mining malware is designed to steal computing power to make it easier for criminals to accumulate the virtual currency with little effort on their part.

"Generating bitcoins is basically guessing numbers," said Amichai Shulman, chief technology office of security firm Imperva.

"The first one to guess the right number gets 25 bitcoins and if you have a large volume of computers guessing in a co-ordinated way then you have a more efficient way of making money," he added.

Other than a computer running slower, victims will be unaware that their machine is being used in what could become known as a "bitnet".

It is a variation on the traditional botnet, networks of malware-infected computers used to churn out spam or bombard websites with requests in order to knock them offline.

Some experts estimate that such networks could be generating as much as $100,000 (£60,000) each day.

Since bitcoins have risen in value - at its peak one bitcoin was worth $1,000 - making it a lucrative market for online criminals.

"Bitcoin mining malware is the new frontier as criminal gangs look for new ways to make money," said Mr Engel.

Easy target

Yahoo acknowledged the attack in a statement earlier this week.

"From December 31 to January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines - specifically, they spread malware," the statement read.

It went on to say that users in America, Asia and Latin America weren't affected but did not specify how many European users were victims.

Fox IT, the Dutch cybersecurity firm which revealed the malware attack, estimates that there were around 27,000 infections every hour the malware was live on the site.

Over the period of the attack that could mean as many as two million machines were infected.

Such attacks may be hard to avoid, said Mr Shulman.

"For an ad platform it is virtually impossible to guarantee 100% malware free ads."

"There are many independent stakeholders involved in the process of web advertising, so from time to time any ad platform is bound to deliver malware."

BBC © 2014

Yahoo malware creates Bitcoin botnet

'World first' Bitcoin insured vault

BBC News
January 10, 2014

A Bitcoin storage service that insures deposits of the digital currency against loss and theft has launched in London.

Elliptic Vault uses "deep cold storage", where private encrypted keys to bitcoins are stored on offline servers and in a secure location.

The facility's founders say they are the "first in the world" to offer insurance for Bitcoin owners.

Stolen bitcoins cannot be recovered as all transactions are irreversible.

Online wallets used to store bitcoins have been subject to a number of cyber-attacks and some users have also suffered from accidental loss.

James Howells lost about £4.6m when he threw away his hard drive, forgetting that he had bitcoins stored on it.

Elliptic co-founder Tom Robinson says the service addresses a "deep concern" among Bitcoin users
Unlike money stored in a conventional bank, bitcoins are not insured and there is no way of retrieving them once they are gone.

'Obvious step'

"One of the main concerns people have with Bitcoin is that it's quite difficult to store securely," Elliptic co-founder Tom Robinson told the BBC.

"Offering people insurance seemed an obvious step."

But convincing an insurance firm to trust the nascent currency was not an easy task.

"It was very difficult to find an insurer," said Mr Robinson, an Oxford graduate with a PhD in physics who started the company with two friends.

"The industry is very conservative and they did not understand Bitcoin.

"They were also influenced by the negative publicity Bitcoin received, although this has improved since Silk Road [an online marketplace] was taken down and stopped dominating the Bitcoin agenda."

Layers of security

The company is underwritten by Lloyd's of London, which will give people "more faith in the Bitcoin system", according to Emily Spaven, managing editor of CoinDesk, a digital currency news site.

Insurance payouts will be calculated using the Bitcoin to US dollar exchange rate at the time a claim is made.

Elliptic's focus is on storing bitcoins as securely as possible, using what Mr Robinson calls "deep cold storage" techniques.

Bitcoin keys are encrypted and stored offline. There are multiple copies, protected by layers of cryptographic and physical security.

The copies are accessible only via a quorum of Elliptic's directors.

Illicit financing

Elliptic's launch comes as Bitcoin has been making news around the world, with governments deciding how to legislate for the currency.

Singapore has become one of the first countries to issue guidance on taxation for Bitcoin businesses, although it also said it was monitoring transactions to detect illicit financing by criminals and terrorists.

Bitcoin was less fortunate in China, where the largest online marketplace, Alibaba Group's Taobao, said it would ban virtual currencies.

In December, the country's central bank ordered financial institutions to halt Bitcoin-related services and products.

There was a breakthrough for the currency in the US, however, where became one of the first major online retailers to accept Bitcoin on Thursday.

BBC © 2014
'World first' Bitcoin insured vault

Target data theft hit 70 million

BBC News
January 10, 2014

US retail giant Target says up to 70 million customers had payment card and personal data stolen from the company's databases in December - 30 million more that it first thought.

Target said the thieves took credit card numbers, names, postal addresses, phone numbers and email addresses.

The data breach began on or around 29 November, known as Black Friday, one of the busiest shopping days of the year.

The company said customers would have "zero liability" for any fraud losses.

But this hasn't stopped some customers suing Target, claiming that Target failed to notify them of the breach before it was first reported and did not "maintain reasonable security procedures" to prevent the attack.

"I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this," said Gregg Steinhafel, Target's chairman, president and chief executive officer.

Target is offering one year of free credit monitoring and identity theft protection to all its US customers.

Data-stealing code

Security researcher Brian Krebs, writing about the breach in December, said sources at credit card payment processing firms had told him the thieves had installed data-stealing code on to card-swipe machines at tills in all 1,797 Target stores.

The thieves stole data between Thanksgiving and 15 December, said Target. This data is often sold on to criminals via underground marketplaces.

The largest ever credit card breach at a US retailer took place in 2007 when cyber-thieves managed to steal information related to almost 46 million credit and debit cards from TJ Maxx and Marshalls.

The thieves amassed the huge cache of data over an 18-month period after penetrating the retailers' computer network.

BBC © 2014

Target data theft hit 70 million

Saturday, 4 January 2014

This Credit Card Startup Has A Way To Thwart Target-Style Hacking

Look into the future a moment and imagine Christmas shopping 2014. Target offers a great deal on a perfect gift. At the register, you recall that someone stole 40 million credit card numbers from the retailer in late 2013.  Then, you as flick your fingerprint across the front of the biometric reader of your new credit card, you smile, relaxed that your number will work just a single time and thus would be useless to steal from Target’s computer system.

That’s the new technology in development at Epic One, a Houston startup that will introduce its pilot credit cards with fingerprint reader and microprocessor inside later this year. It works, in essence, by offering a type of dual factor authentication, a second piece of information that confirms that you are who you claim to be before approving the transaction. The Epic One card never exposes your Visa, MasterCard, Amex or other cards to the network where most of the data hijacking occurs.

When a shopper uses an Epic One card, his fingerprint scan on the card generates a green light on top that signals to the merchant it’s okay to swipe the card. Then the transaction is relayed to the card’s issuing bank and to Epic One. The only data Target sees is your Epic One card number plus the one-time use code. Even if someone hacks into the credit card processing system subsequently, the Epic One card number will not work a second time because the thief can’t generate a valid code to use it.

“The root cause of fraud is the exposure of this information,” says William Gomez Jr., the co-founder and CEO. “The Epic One card does not hold any details of any credit cards. Neither does the Epic One application that runs on your smartphone. None of these devices hold any of your credit card information. The Epic One card grants you temporary access to your cloud wallet that is stored within Epic One’s back-end systems.”

For details:

Snapchat Responds To Massive Hack – ReadWrite

After hackers compromised an estimated 4.6 million Snapchat accounts, the Venice, California-based messaging startup is finally admitting it has a problem—but it's making no apologies. Over the holidays, a whitehat hacker collective published what it claimed was Snapchat's API and two security ex...

U.S. spy court: NSA to keep collecting phone records

The Foreign Intelligence Surveillance Court has renewed NSA's phone-collection program, allowing the agency to continue collecting every American's telephone records every day. WASHINGTON (AP) — A secretive U.S. spy court has ruled again that the National Security Agency can keep collecting every...

Cyber security firms agree $1bn deal

BBC News
January 3, 2014

Cyber security company FireEye has acquired Mandiant, a firm known for responses to network breaches, in a deal worth more than $1bn (£608m).

Mandiant rose to prominence last year after it alleged that a secretive branch of China's military had stolen data from more than 100 global firms.

The deal, one of the largest ones in the sector recently, comes amid increased worries over cyber security.

FireEye shares rose 24% in after hours trading in New York on the deal.

The companies said they had agreed the deal on 30 December, but only made it public on Thursday after close of US markets.

FireEye and Mandiant had entered into a technology development agreement in 2013.

"Organizations today are faced with knitting together a patchwork of point products and services to protect their assets from advanced threats," David DeWalt, chief executive of FireEye, said in a statement.

"Together, the size and global reach of FireEye and Mandiant will enable us to innovate faster, create a more comprehensive solution, and deliver it to organizations around the world at a pace that is unmatched by other security vendors."

Kevin Mandia, Mandiant's founder and chief executive officer prior to the acquisition, has been appointed as the chief operating officer of FireEye.

BBC © 2014

Cyber security firms agree $1bn deal

NSA 'developing quantum computer'

BBC News
January 3, 2014

The US National Security Agency is building a quantum computer to break the encryption that keeps messages secure, reports the Washington Post.

The NSA project came to light in documents passed to the newspaper by whistle-blower Edward Snowden.

The spying agency hopes to harness the special qualities of quantum computers to speed up its code-cracking efforts.

The NSA is believed to have spent about $80m (£49m) on the project but it has yet to produce a working machine.

If the NSA managed to develop a working quantum computer it would be put to work breaking encryption systems used online and by foreign governments to keep official messages secure, suggest the documents excerpted in the Post.

The quantum computer is being developed under a research programme called Penetrating Hard Targets and is believed to be conducted out of a lab in Maryland.

For details:
NSA 'developing quantum computer'