
38 million-plus Adobe user accounts were hacked into


October 30, 2013

Do you remember the Adobe security breach in early October that leaked the account records of some 3 million customers? Well, that number was far too low: according to news that has emerged in the last few days, the real number is at least 38.3 million and still counting.

Three weeks ago, Adobe warned of sophisticated attacks on its network in which hackers gained access to data for what was then believed to be about 2.9 million customers. That data included names, encrypted credit or debit card numbers, expiration dates, and other sensitive and personal information relating to customer orders.

Additionally, Adobe said that hackers managed to abscond with source code for numerous Adobe products as well. But in a blog post yesterday, investigative journalist Brian Krebs said that those early estimates were far too low, and that the actual list of accounts that had been compromised numbered in the tens of millions.

How does Krebs know? Because he's seen the list. Over the weekend, he says AnonNews.org posted a 3.8 GB file called "users.tar.gz" that contained more than 150 million user and password pairs that had apparently been lifted from Adobe's system.

Adobe spokeswoman Heather Edell has since confirmed the breach to Krebs, adding that the company has contacted the owners of the affected accounts and has reset the passwords for all of the Adobe IDs that it believes were involved in the security breach.

"But so far, our own investigation has confirmed that the attackers obtained access to Adobe IDs and (that were at the time valid) encrypted passwords for approximately 38 million active users," Edell said. "We are still in the process of investigating the number of inactive, invalid and test accounts involved in the incident."

Edell also said that the attackers were able to gain full access to at least some of the source code for Adobe Photoshop. Krebs was able to confirm that as well, since a second 2.56 GB file posted to AnonNews.org contained what appeared to be new Photoshop code.

Source code for Adobe Acrobat, Adobe Reader and the ColdFusion web application server software is also believed to have leaked during the incident, but at least some of this data appears to have been password protected and may not be readily accessible, or so Adobe hopes.

Adobe has offered one year's worth of free credit monitoring by Experian to any customer whose account was compromised in the attack.

But as Krebs points out, this kind of service isn't guaranteed to spot all of the forms of identity theft that might arise from such incidents, so Adobe customers are advised to place fraud alerts on their accounts and monitor their credit reports very closely. In all honesty, that sounds like good advice.

In other internet security news

Internet security researchers said today they have discovered a hidden backdoor in all wireless routers made by Chinese hardware maker Tenda.

Craig Heffner, the same security researcher who uncovered a backdoor in routers from D-Link, discovered the latest issue. He found the functionality, which ships in Tenda's products, after unpacking firmware updates and locating what he described as suspicious code early on.

Hackers can take over the router and execute commands by sending a UDP packet with a special string, The Hacker News claims.

"The backdoor only listens on the LAN, thus it is not exploitable from the WAN. But it is exploitable over the wireless network, which has WPS enabled by default with no brute force rate limiting," Heffner explains in a detailed advisory.

"My new ReaverPro box made relatively short work of cracking WPS," he claimed, "providing access to the WLAN and a subsequent root shell on the router, and that's very bad."

Heffner also says that the backdoor exists on Tenda's W302-R and W330-R router models as well as re-branded models, such as the Medialink MWN-WAPR150N.

"They all use the same 'w302r_mfg' magic packet string," he notes. Follow-up work by other internet security researchers also uncovered a more comprehensive list of potentially backdoored products.

Source code for the GoAhead web server used in Tenda products has been made available on GitHub. We've asked Tenda for its reaction but have yet to hear back from the company. We'll update this story as and when we hear more.

In other internet security news

For more than 10 years now, PayPal has enabled internet users and ecommerce sites to send and receive payments with a level of security that is usually very good. Now someone else is offering a new service that, some internet security experts suggest, does not offer the same level of security.

Not content with traditional internet shopping as we know it, a new startup service called Square has launched a peer-to-peer payment system. But it's secured only by an SMTP password...

Square – the payment firm developed by Twitter founder Jack Dorsey – has debuted the new service, Square Cash, which authorizes transactions with an email.

You just email the payment recipient, you also CC cash@square.com, and specify the amount of cash to be moved in the subject line.

The money is then deducted from your debit or credit card (which must be registered with the service, either in advance or after Square sends you instructions on how to do so) and credited to the recipient, who will in turn be asked to provide a debit card if he or she is not already registered with the service.

The catch, however, is that the security of Square Cash transactions depends entirely on email messages being impossible to forge.

Square apparently wanted to simplify the process of sending and receiving money, and thinks that email should be sufficiently secure to authorize payments totalling up to $2,500 a week.

As an SMS is sent to the payer every time money is deducted, they have plenty of time to dispute a payment during the 1-2 business days it takes to process.

Forging emails isn't as trivial as it used to be some years ago, when one could telnet into an SMTP server and spit out an email from anyone.

These days, SMTP servers commonly require a username and password and use Transport Layer Security, but you might not wish to bet your bank account on that. They are somewhat more secure now, but email communications are still widely regarded as insecure unless they are encrypted with strong SSL and backed by a valid certificate from a trusted authority.

A while back, Square tried implementing an iPhone-based magnetic-stripe card reader without any obvious security features, but if the company can get away with it in most cases, then the security is probably good enough. Or is it?

Square Cash transactions cost 2.75 percent per transaction, but the dealbreaker may be those two business days it takes for transactions to be credited to the recipient's account, while similar services offered by some banks can do the same thing in less than one business day.

In other internet security news

An internet security researcher based in Germany is asking why Google is still using the unsafe RC4 and MD5 ciphers as its first default for SSL connections.

The change went largely unnoticed: since the Android 2.3 release in December 2010, the default preference order no longer starts with the AES256-SHA1 cipher, followed by 3DES and AES128; instead it puts RC4-MD5 first and RC4-SHA1 second.

For those unfamiliar with encryption implementations, there's a long list of different cipher types available to encryption applications.

For both ends to negotiate an encrypted connection, each end needs to know which ciphers the other supports, which means stepping through a list of ciphers during the traditional handshake. The order of that list decides which cipher is chosen when several are supported by both sides.

As the researcher, Georg Lukas, notes, internet security exploits based on MD5 collisions have been known for several years and continue to appear.

The guilty party, he asserts, isn't the Android development team but rather the Java developers: the order follows an implementation recommendation first made in 2002.

As Lukas notes: "So what the Google engineers did to reduce our security was merely to copy what was in the Reference Implementation, defined by the inventors of Java!

In the Java reference implementation, the code responsible for creating the cipher list is split into two files. First, a priority-ordered set of ciphers is constructed in the CipherSuite class," he writes. "Then, all enabled ciphers with sufficient priority are added to the list for CipherSuiteList.getDefault()."

The cipher list has not changed in any relevant way since the initial import of Java 6 into Mercurial (Hg), when OpenJDK was brought to life.

In short, the cipher order on the vast majority of Android devices was defined by Sun Microsystems in 2002 and carried over into the Android project in 2010 in an attempt to improve compatibility.

RC4 has been considered problematic since 2001 (remember WEP?), and MD5 was broken in 2009. We'll keep you posted on this as well as other developments.
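An application does not have to accept whatever order the runtime's CipherSuiteList.getDefault() hands it. The following Java class is an added example, not code from the article, from Lukas's post or from the Android or OpenJDK projects: it drops every RC4- and MD5-based suite (plus NULL, export and anonymous suites) from the list a socket supports and puts the AES256, 3DES, AES128 order the article describes at the head of what remains. The class name, the isWeak policy, and the constructed list in main are this example's own choices.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLSocket;

/**
 * Re-prioritises a JSSE cipher-suite list so that RC4- and MD5-based suites are
 * never offered and the stronger suites come first. Added example code; the
 * policy below is an assumption for illustration, not a vendor recommendation.
 */
public final class CipherSuitePolicy {

    /** Suites that must never be negotiated (policy chosen for this example). */
    static boolean isWeak(String suite) {
        String s = suite.toUpperCase();
        return s.contains("RC4") || s.contains("MD5") || s.contains("NULL")
                || s.contains("EXPORT") || s.contains("ANON") || s.contains("DES40");
    }

    /** Preferred suites, highest priority first: the pre-2.3 order the article describes. */
    static final String[] PREFERRED = {
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
    };

    /**
     * Returns the suites from {@code supported} in hardened order: the PREFERRED
     * suites the runtime actually supports first, then every remaining non-weak
     * suite in its original order. Weak suites are dropped entirely.
     */
    static String[] hardenedOrder(String[] supported) {
        List<String> available = Arrays.asList(supported);
        List<String> ordered = new ArrayList<>();
        for (String p : PREFERRED) {
            if (available.contains(p)) {
                ordered.add(p);
            }
        }
        for (String s : available) {
            if (!isWeak(s) && !ordered.contains(s)) {
                ordered.add(s);
            }
        }
        return ordered.toArray(new String[0]);
    }

    /** Apply the policy to a freshly created socket, before its handshake starts. */
    static void apply(SSLSocket socket) {
        socket.setEnabledCipherSuites(hardenedOrder(socket.getSupportedCipherSuites()));
    }

    public static void main(String[] args) {
        // Constructed list mimicking the Android 2.3 default order described above:
        // the RC4 suites first, the stronger suites after them, plus a NULL suite.
        String[] androidDefault = {
            "SSL_RSA_WITH_RC4_128_MD5",
            "SSL_RSA_WITH_RC4_128_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_AES_256_CBC_SHA",
            "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
            "SSL_RSA_WITH_NULL_MD5",
        };
        for (String s : hardenedOrder(androidDefault)) {
            System.out.println(s);
        }
    }
}
```

Run against the constructed list, the two RC4 suites and the NULL suite never appear, AES256-SHA leads, and the DHE suite that the policy does not rank explicitly keeps its place after the preferred three. On Android the natural place to call apply() is inside a wrapping SSLSocketFactory whose createSocket methods hand each new socket through it before returning (an assumption about the integration point, not something the article describes); JSSE sends the enabled suites in the order given, so the server's own preference is the only thing that can still pick a lower-ranked suite.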

In other internet security news

The lack of the most basic security at Mexican banks has allowed cybercriminals to insert their own malware-ridden CDs into ATMs in order to gain control of the easily compromised cash machines.

The so-called Ploutus malware was installed after criminals acquired access to the ATM’s CD-ROM drive and inserted a new boot CD into it.

The hacking attempt was possible because many ATMs in Mexico use a simple lock that is easily picked, allowing the attackers to gain physical access to the ATMs.

Attacks involving getting malware onto ATMs are rare but far from unprecedented. Normally, a good deal of trickery is needed before a trojan can be planted on a target machine, but in Mexico it is very easy.

Malware-based ATM scams have previously relied on corrupt insiders to infect hole-in-the-wall machines. Learning how an ATM works by posing as a repair technician is also unnecessary thanks to Ploutus. And you don't need a genius security researcher to develop a fiendishly cunning ATM attack, either.

Schoolboy errors made the self-service ATM-pwning tactic all too easy for Mexican crooks. The extent of the resulting scam, either in terms of how much money was lost or how many machines were infected, still remains unclear for now.

But details of how the malware itself works are fairly well understood. Information security firm Trustwave has completed an analysis of the malware used in Mexico after obtaining samples of the malicious code.

Infected machines still carry out their normal functions of dispensing cash, but if a particular key combination is input into the compromised device, the attacker will be presented with a hidden GUI, written in Spanish, complete with drop-down menus apparently designed for a touch screen.

Once criminals input a passcode - derived from a fixed four digit PIN combined with the figures for the date and month – they obtain the ability to dispense money from the compromised ATM.

"If you are a bank or the owner/operator of ATMs in Mexico, you will want to closely examine your machines for evidence of tampering," says Josh Grunzweig, an ethical hacker in Trustwave's SpiderLabs team.

"Banks and ATM owner/operators outside of Mexico could also benefit from an inspection of their ATMs," he added.

"Examples of targeted malware like Ploutus serve as a reminder of the importance of a thorough security review of ATMs and the back-end systems connected to them," he added.

Grunzweig has put together a blog post explaining how the malware works, containing code snippets and a screenshot of the GUI cybercrooks are able to feast their eyes upon once the malware is installed on compromised cash machines.

This is ATM fraud without recourse to skimmers to harvest the card details of consumers or other more complex approaches. So far, Ploutus-based attacks were targeted against ATMs at off-premise locations, according to self-service device information security software developer SafenSoft.

"The emergence of new malware with ability to directly extract cash from ATMs is a very alarming sign for self-service device security," says Stanislav Shevchenko, chief technology officer at SafenSoft.

"Malware like this allows the cybercriminals to skip the whole process of cash withdrawal they have to take part in after using traditional ATM trojans and skimmer-like devices to steal the plastic card information.

"Additionally, by spreading malware like that criminals can easily bypass the traditional antivirus-based protection on the ATMs. If that trojan gets massively distributed, then any bank without specialized protection software on its ATMs will have a difficult time getting ahead," he added.

In other internet security news

It looks like Symantec is taking full credit for luring the powerful ZeroAccess botnet into an effective sinkhole where it can't do any more harm to internet users.

ZeroAccess has been active for the past two years already and is one of the largest known botnets in existence. It has upwards of 1.9 million infected computers and servers forming its nasty army, all remotely controlled by miscreants.

It's estimated that this group of computer robots is literally put to work generating tens of millions of dollars annually.

It's claimed that cyber criminals make money from the infected Windows machines by instructing the computers to virtually and fraudulently click on web adverts, thus ramping up income for an affiliate ad network or, to a lesser extent, mine for new Bitcoins.

By subverting the communications system the bots use to organize themselves, Symantec has sinkholed (i.e. taken control of or disabled) more than half a million bots, the company claims.

This will have made a serious dent in the number of zombie drones under the thrall of the ZeroAccess group. Symantec added that it's working with ISPs and government computer security teams such as CERT globally, in an effort to help get infected computers cleaned up as fast as possible.

ZeroAccess infects Microsoft-powered computers through drive-by downloads: booby-trapped websites attempt to exploit security holes in web surfers' machines to install the malware.

It then uses a rootkit to hide itself from the operating system and the victim, sets itself up on a hidden file system, downloads yet more bogus software, then connects to other infected systems and opens up more backdoor access.

And the whole process is repeated over and over. The ZeroAccess botnet is very sophisticated and highly resilient, using a peer-to-peer architecture to communicate in the wild.

So it seems to enjoy a high degree of redundancy and no central command-and-control server for the good guys to target. As a result, nobody is under any illusions that Symantec's action has finally put an end to the zombie network.

More details and additional information on the takedown effort can be found in a blog post on Symantec's site.


Source: Adobe Corp.

Copyright © Internet Security.ca