Largest Hack of 2016 (so far)

In the past few weeks, FriendFinder Networks has had a number of major data breaches that exposed over 412 million user accounts.

FriendFinder Networks owns AdultFriendFinder, Cams.com, Penthouse, Stripshow and iCams.com, all of which suffered breaches, but AdultFriendFinder suffered the worst, with over 300 million accounts leaked.

“Over the past several weeks, FriendFinder has received a number of reports regarding potential security vulnerabilities from a variety of sources,” Diana Ballou, FriendFinder vice president and senior counsel, told ZDNet, which is a sister site of cnet.com. “While a number of these claims proved to be false extortion attempts, we did identify and fix a vulnerability that was related to the ability to access source code through an injection vulnerability.”

The breach was the result of a local file inclusion exploit, according to LeakedSource, which also said the exposed information was not going to be made publicly available. Also according to LeakedSource, FriendFinder used a number of bad security practices, such as storing passwords in plaintext or hashing them with SHA1, which is notoriously easy to crack. They also still had account information for deleted user accounts and for sites they no longer ran, such as Penthouse.com, which is now owned by Penthouse Global Media.

This is the second time the AdultFriendFinder site has been hacked in two years, with the last breach leaking 3.5 million accounts in May of 2015, according to LeakedSource.

-Robert Arnold

Sources:

https://www.cnet.com/au/news/hack-reportedly-exposes-412m-friendfinder-networks-accounts-adult-dating-swinger/

FriendFinder Networks hack reportedly exposed over 412 million accounts

iPhone Passcode Hack

Just a few days ago, Dr Sergei Skorobogatov, who works at the University of Cambridge laboratory, was able to develop a method to crack an unknown PIN code on an iPhone 5c. He did it by removing the NAND chip, which is the main memory of the phone, studying how it communicated with the phone and successfully cloning it.

The purpose of this is to allow an unlimited number of passcode attempts, as an iPhone will usually lock up after a few incorrect tries. This directly contradicts a claim the FBI made, during the time they were attempting to access San Bernardino gunman Syed Rizwan Farook’s iPhone 5c, that this method (called NAND mirroring) would not work.

Dr Skorobogatov made a YouTube video demonstrating his method of removing and replacing the NAND chip and the successful reset of the passcode lockout counter.

Using this method, he was able to crack a 4-digit code in about 40 hours, and a 6-digit code could take hundreds of hours. In order to crack newer phones, Dr Skorobogatov said more information was needed about how Apple stored data in memory, and he would need a more sophisticated set-up to extract the memory chip.

Apple has not responded to this yet.

Link to original article: http://www.bbc.com/news/technology-37407047

Hacking the US Voter Registration System

Every election season, a new discussion sparks up surrounding the security of voting machines and the handling of voter registration information. For the 2016 election cycle, the first victims of vulnerabilities in these systems were the states of Illinois and Arizona. CNN is reporting that both states have had their registration databases breached, but they are claiming that their election systems are currently unaffected.

In Illinois, it is apparent that roughly 200,000 unique voter registrations have been accessed, but they are apparently unchanged. The attack was likely carried out in early June, but was not detected until late July. The database included voters’ names, addresses, sex and birthdays in addition to other information. The database comprises 15,000,000 records, and some contain a social security number or driver's license number. It is still unclear who is responsible for the breach, or what their intentions with the data are.

In Arizona, the attack is a little clearer, but it has been going on much longer. The Arizona voter registration system had to be taken down in May after it was discovered that a local official’s username and password had been made publicly available on an online forum. The account used to post the information is linked to a prominent Russian hacker. After taking down the system, the forensic analysts determined that it was more than likely that the official whose information had been made public was the victim of a malware attack. It is apparent that no data has been affected, but the severity of the breach is unknown.

You can read the full CNN article here.

-Max Maurin

Canadian Point of Sale company data breach

The point of sale company Lightspeed has suffered a data breach. The email that Lightspeed sent to its customers was posted on Twitter by Australian security expert Troy Hunt. The hackers had gained access to systems related to its retail offering. Lightspeed confirmed the attackers accessed a central database containing information on sales, products, and customers. The database included encrypted passwords, electronic signatures, and API keys. Even though the database was accessed by hackers, Lightspeed said there was no evidence that information was stolen.

The company said that passwords created after January of 2015 were the safest, having been stored with advanced encryption technology. They also said that the system the hackers had accessed did not hold any private information such as credit card numbers. The company has informed customers that a third-party security firm had been hired to investigate and that its systems should only be accessible by authorized users.

http://www.securityweek.com/pos-vendor-lightspeed-suffers-data-breach

-Gavin Millikan

New Rule 41 Allows FBI to Mass Hack

An amendment to Rule 41 would allow the FBI to obtain a warrant from any court to hack multiple computers rather than from one with jurisdiction over the target’s location. All the FBI would have to do in order to get the warrant would be to prove the target is obscuring their location.

Therefore, the FBI would theoretically only need one warrant from anywhere in America to hack multiple computers all over the world. This is scary to think about. Tor users should be aware of this.

Some people seem less worried, stating that the FBI would still need probable cause. They also point out the logic in the change: it is hard to get a warrant to hack a computer if you cannot determine the computer’s location.

This will go into effect starting December 1st unless Congress blocks it.

Source: https://news.bitcoin.com/update-bitcoiners-use-tor-warned

– jar311