Largest Hack of 2016 (so far)

In the past few weeks, FriendFinder Networks has had a number of major data breaches that resulted in over 412 million user accounts exposed.

FriendFinder Networks owns AdultFriendFinder, Cams.com, Penthouse, Stripshow and iCams.com all which suffered breaches but AdultFriendFinder suffered the worst with over 300 million accounts leaked. 

“Over the past several weeks, FriendFinder has received a number of reports regarding potential security vulnerabilities from a variety of sources,” Diana Ballou, FriendFinder vice president and senior counsel, told ZDNet which is a sister site of cnet.com. “While a number of these claims proved to be false extortion attempts, we did identify and fix a vulnerability that was related to the ability to access source code through an injection vulnerability.”

The breach was a result of a local file inclusion exploit according to LeakedSource who also said the exposed information was not going to be made publicly available. Also according to LeakedSource FriendFinder used a number of bad security practices such as passwords stored in plaintext or hashed using SHA1 which is notoriously easy to crack. They also still had account information for deleted user accounts and sites they no longer ran such as Penthouse.com which is now owned by Penthouse Global Media.

This is the second time the AdultFriendFinder site has been hacked in two years with the last leaking 3.5 million account in May of 2015 according to LeakedSource.

-Robert Arnold

Sources:

https://www.cnet.com/au/news/hack-reportedly-exposes-412m-friendfinder-networks-accounts-adult-dating-swinger/

FriendFinder Networks hack reportedly exposed over 412 million accounts

Tesco bank hacked, hackers attempt money transfer from around 20,000 compromised accounts

Tesco banks has recently announced that it has seen “suspicious transactions” from around 40,000 accounts over the weekend, and this has led them to actually shut down their site while they look into it.  At the moment of writing it is not known how much (if any) money was taken from the 20,000 of the aforementioned 40,000 account where withdrawals were attempted.

This has been called a much more recent and unique attack since most of the time when a bank is hacked only the larger accounts are compromised, and the attackers don’t bother with smaller accounts, in order to avoid a better chance of getting caught.  This also means that a hacked bank doesn’t have to shut down their site to investigate it, though in this instance it was so widespread the bank itself had to briefly shut down.

Apparently it is suspected that intruders found their way in via either a bug that was introduced with a website update, or through some third party connected to Tesco, as the attack was clearly done to the website, and not the core computer systems that provide most of the heavy lifting for the bank’s systems.

-jes5746

Source: http://www.bbc.com/news/business-37891742

St. Jude Medical heart devices come under attack in security lawsuit

St. Jude Medical is currently being targeted due to security vulnerabilities in implanted heart devices. Back in August, MedSec and Muddy Waters released a report about how St. Jude’s pacemakers and defibrillators were vulnerable to cyberattacks that could result in battery drain or manipulation of pacemaker beat rates. This could in turn put a patient’s life at risk.

Bishop Fox, an independent security firm, recently provided a testimony stating that the St. Jude cardiac devices ecosystem does not meet the security requirements of a system responsible for safeguarding life-sustaining equipment implanted in patients. In addition, the wireless protocol used by the devices to communicate also have vulnerabilities that allow attackers to take control of the device and deliver shocks to patients at a range up to 10 feet and possibly more with additional components.

-AJ Agena

http://www.zdnet.com/article/st-jude-heart-devices-come-under-attack-in-security-lawsuit/

Android Rooting Easier for Malware with DRAMMER attack

Last year security researchers had gotten access to Linux operating systems by using a design flaw in the memory storage to get higher kernel privileges on the system. Now for the first time with dynamic random access memory exploit called Rowhammer, which was already known about but not implemented on a mobile device, hackers will be able to gain “root” access to many android phones.

VUSec Lab at Vrije Universiteit Amsterdam was able to gain access for the first time using the Rowhammer exploit. The exploit works by “executing a malicious application that repeatedly accesses the same “row” of transistors on a memory chip in a tiny fraction of a second in a process called Hammering.” This can disturb a neighboring row causing energy to leak into more rows which causes a bit to flip. Bit flipping allows anyone to change the contents of memory in an operating system.

Drammer has no quick fix so it could become a very big problem for android phone users. They were able to gain access to many phones but none of the newer phones they only got up to the s5 for Samsung’s Galaxy model. The way they were able to access the phones was using something called ION in the android phones DRAM memory. Once the malicious app is downloaded within minutes it will have root access to your phone.

source: http://thehackernews.com/2016/10/root-android-phone-exploit.html

-Gavin Millikan

iPhone Passcode Hack

Just a few days ago, Dr Sergei Skorobogatov, who works at the University of Cambridge laboratory, was able to develop a method to crack an unknown pin code on an iPhone 5c.  He did it by removing the Nand chip, which is the main memory of the phone, studying how it communicated with the phone and successfully cloning it.

The purpose of this is to allow for an unlimited number of passcode attempts as usually an iPhone will lock up after a few incorrect tries. This directly contradicts a claim by the FBI that this method (called Name mirroring) would not work during the time they were attempting to access San Bernardino gunman Syed Rizwan Farook’s iPhone 5c.

Dr Skorobogatov made a YouTube video demonstrating his method of removing and replacing the Nand chip and the successful reset of the passcode lockout counter.

Using this method, he was able to crack a 4 digit code in about 40 hours and a 6 digit code could take hundreds of hours. In order to crack newer phones, Dr Skorobogatov said more information was needed about how Apple stored data in memory and he would need a more sophisticated set-up to extract the memory chip.

Apple has not responded to this yet.

Link to original article: http://www.bbc.com/news/technology-37407047