Monthly Archives: October 2014

Microsoft Windows Hit By New Zero-Day Attack

Microsoft has disclosed that a new zero-day vulnerability is present in Windows, and is exploited via Microsoft Office files. According to Microsoft Security Advisory 3010060, the vulnerability is present in all supported versions of Windows except Windows Server 2003.

The vulnerability (designated as CVE-2014-6352) is triggered by an attacker sending a specially crafted Microsoft Office file to the user. Currently, attacks using PowerPoint files are known to exist, but all Office file types can be used to carry out this attack.

The specially crafted files contain a malicious Object Linking and Embedding (OLE) object. OLE is the Windows technology used to share data between applications, and the vulnerability lies in that component. Exploiting it allows malicious code to run with the privileges of the current user; gaining administrator access would require a separate exploit. In addition, under default settings a User Account Control (UAC) prompt is displayed, which may alert the user that something unusual is going on.

Currently, Microsoft has not indicated whether a patch to solve this issue will be sent outside of the regular Patch Tuesday cycle. Until more definitive information becomes available, we advise users to be careful about opening Office documents that they have been sent, particularly if they come from parties that have not sent you documents beforehand. The Microsoft bulletin also includes several workarounds and temporary fixes, including settings for users of the Enhanced Mitigation Experience Toolkit (EMET) utility.


Via: trendmicro


Staples confirms data breach investigation

In a statement, company stresses that they’re working to resolve the situation.

Monday evening, investigative journalist Brian Krebs reported that multiple banking sources were seeing a pattern of credit and debit card fraud. The common thread between the cases was purchases made at Staples Inc. stores in the Northeastern U.S.

There isn’t a lot to go on yet, if in fact the latest retailer to be breached is Framingham, Mass.-based Staples Inc.

What’s known for sure comes from the sources that spoke on background to Krebs. They said the fraudulent transactions were traced to cards that made purchases at Staples stores in Pennsylvania, New York City, and New Jersey.

In a statement to Salted Hash, Mark Cautela, Senior Public Relations Manager for Staples Inc., said that the company is investigating a potential issue involving credit and debit card data, and that law enforcement has been contacted.

When asked for additional details, Cautela declined further comment.

“Staples is in the process of investigating a potential issue involving credit card data and has contacted law enforcement. We take the protection of customer information very seriously, and are working to resolve the situation. If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis.” – Mark Cautela, Senior Public Relations Manager, Staples

Given the pattern in recent months, it’s possible that Staples has fallen victim to Backoff, a malware family that targets POS systems, or a similar variant.

Backoff entered the public eye earlier this summer, after the U.S. Secret Service issued a warning to retailers. The attackers installed Backoff after locating poorly protected instances of remote management software, such as LogMeIn, or similar services from Microsoft, Apple, or Chrome.

At the time, some 600 businesses were victimized by the malicious code, but that number was expected to increase.

Since then, Home Depot, Target, Dairy Queen, Kmart, and others have been victimized by POS malware, including Backoff, BlackPOS, vSkimmer, or TriForce.


Via: csoonline

Obama signs Executive Order to bolster federal credit card security

Banks and retailers in the public sector are urged to follow suit.

On Friday, at the headquarters of the Consumer Financial Protection Bureau, President Obama signed an Executive Order that will add chip-and-PIN protections (EMV) to federal credit cards starting in January. The President encouraged the financial and retail sectors to follow suit.

The signing of the Executive Order comes after a string of high profile breaches including those at Home Depot, Target, and JP Morgan Chase.

According to the White House, Wal-Mart, as well as Target and Home Depot, are just a few of the larger retail outlets that will be transitioning to chip-and-PIN in 2015. Furthermore, American Express is expected to launch a $10 million program geared towards helping small businesses upgrade their payment processing.

For years, the United States has lagged behind the rest of the world when it comes to card protections. The Executive Order, as well as the financial and retail push for chip-and-PIN, means that after fifty years, the nation will finally leave behind swipe-and-sign processing.

“While some institutions recently have shifted to the new chips, progress has been at a snail’s pace,” Warner Johnston, Head of Association of Chartered Certified Accountants (AACA), USA, said in a statement.

“We are heartened to hear our President urge banks and retailers to follow his action to improve measures for federal credit and debit cards by equipping them with microchips and PIN numbers (sic). Until this transition takes place, it appears that the odds are not in the consumer’s favor in the U.S. As larger household brands and major banking institutions routinely come under attack, the risk of being victimized is greater than ever. The transition to chip-and-signature boils down to cold cash and common sense.”

Outside of the more visible problems caused by swipe-and-sign card processing, data breaches and insider theft, there’s another issue that chip-and-PIN implementations will address: card skimming.

A lack of chip-and-PIN in the United States has created a boon for criminals looking to operate skimming scams. This in turn has led to a sort of skimming arms race, as criminals devise novel ways to steal. Their efforts have resulted in skimming devices that are smaller and more sophisticated in terms of power, memory, communication and encryption.

According to a report from the AACA earlier this year, ATM and gas pump skimmers are the most common tools, because the United States has more ATMs than any other country and it isn’t EMV compliant. After ATMs, handheld skimmers are the second most popular.

“Handheld skimmers are not an issue in other countries as much as in the U.S. For example, at U.S. restaurants, a waiter takes a credit or debit card and returns later with a receipt. At European restaurants, a card remains in sight at all times, and a waiter brings a terminal to the table,” the AACA report explained.

Earlier this year, the Manhattan District Attorney announced an indictment that charged 13 people with operating a multi-million dollar fraud ring. The indictment says that the ring used Bluetooth-enabled skimmers at gas station pumps, which enabled them to retrieve the data collected by the skimmers wirelessly.


Via: csoonline

FBI director warns of Apple and Google device encryption implications

FBI director James B. Comey issued another firm warning to tech companies, specifically Apple and Google, that implementing default encryption on their new operating systems could hamper law enforcement in the pursuit of crimes.

Comey said in a speech at the Brookings Institution that the two companies’ steps to remove themselves from the data interception equation were leading Americans to a place that, “we shouldn’t go to without careful thought and debate as a country.”

Taking a stance in particular against Apple’s decision, Comey mentioned that although the company said law enforcement can access information through the cloud, not all users will opt into cloud backup, especially “bad guys.”

“It is people most worried about what’s on the phone who will be most likely to avoid the cloud and to make sure that law enforcement cannot access incriminating data,” he said.


Via: scmagazine

HBO Go Will Be Available Without A Cable Subscription In 2015

HBO is finally getting its online streaming game on, after Chairman and CEO Richard Plepler revealed that the broadcaster will launch a standalone streaming service next year.

“That is a large and growing opportunity that should no longer be left untapped. It is time to remove all barriers to those who want HBO,” Plepler told a Time Warner investor meeting today.

Plepler confirmed that a service will launch with HBO’s “current partners” in the US market next year, although he did not provide details of how much it will cost, and whether the company will use its own technology or work with existing players. The HBO Chairman believes that an online service could complement the firm’s existing offerings and help it reach new audiences.

“All in, there are 80 million homes that do not have HBO and we will use all means at our disposal to go after them,” he said.

HBO has watched Netflix rise from a young startup into a service that has more paying subscribers in the US, not to mention an overseas business that has been aggressively expanding in Europe.

The beauty of Netflix is that the programming is available without the need to buy a core cable package. That takes away a lot of the complication behind becoming an HBO subscriber. Yet, the bulk of HBO’s marketing comes from its alliance with cable companies, so going standalone on the Web removes some of that advantage. Thus, it would make sense for the company to offer a slightly different selection of programming online, so as not to cannibalise its primary business.

While Netflix’s growth demonstrates a market for ‘cord cutters’, it is by no means clear that this market is large enough to replace HBO’s cable-based customer base.

Another challenge is that HBO is also relatively late to the game. Netflix is far from the only challenger when it comes to online video streaming. Both Hulu and Amazon Prime Instant Video are established in the US, the latter in particular continues to beef up its catalog with original programming and licensed content — all of which also feeds back into the Prime subscription for Amazon’s e-commerce empire.

There are a lot of questions at this point, but HBO and Plepler have made the first step by confirming this move, which the company has previously admitted it was thinking about.


Via: techcrunch

UK ranks third in right to be forgotten requests to Google

The UK has made the third-highest number of requests for links to be removed from search results under Europe’s right to be forgotten ruling, says Google.

The search firm has received more than 146,000 takedown requests since the European Court of Justice (ECJ) supported the controversial right to be forgotten in a landmark ruling in May 2014.

The case was brought by Mario Gonzalez of Spain, who complained that an auction notice of his repossessed home on Google’s search results infringed his privacy.

Takedown requests were reportedly submitted within a day of the ECJ ruling an individual could demand that “irrelevant or outdated” information be deleted from results.

Google scrambled to introduce an online application form within 13 days of the ruling for Europeans who want personal data to be removed from online search results.

Since then, citizens of France have made the greatest number of takedown requests (29,140), followed by those in Germany with 25,206 requests, and the UK with 18,486 requests relating to more than 63,000 web pages.

Since May 2014, Google has received 146,357 takedown requests relating to 498,737 web pages, according to the search firm’s latest transparency report.

But only 41.8% of web pages relating to all the takedown requests have been removed from search results, which equates to 35% of web pages relating to UK requests.

It said it had turned down a request from a UK public official who wanted a link to a student organisation’s petition demanding his removal taken down.

Among the UK requests rejected by Google was one from a former clergyman who asked for two links to articles about an investigation into sexual abuse accusations against him to be removed, the BBC reported.

Google also rejected a request from a UK “media professional” relating to four links to articles reporting on “embarrassing content he posted to the internet”.

A UK doctor requested more than 50 links to newspaper articles about a botched procedure be removed, but Google removed only links to three pages that contained personal information about the doctor.

Links to a news summary of a man who was convicted at a magistrates’ court were also removed because his conviction had been spent under the UK Rehabilitation of Offenders Act.

The ECJ ruling requires all online service providers to comply with takedown requests unless they have legitimate reasons not to.

Among the service providers most affected after Google have been Facebook, which has removed 3,353 links, and YouTube, which has deleted 2,392 links.

Criticism of the right to be forgotten ruling

The ECJ ruling has come under strong criticism from online entrepreneurs, who argue such rules will hamper innovation.

In July 2014, a House of Lords European Union (EU) sub-committee said Google and other search engines should not decide what links to remove from search results.

A right to be forgotten is “wrong in principle” and “unworkable” in practice, the committee’s report said, because search engines should not be made responsible for the content of the internet.

The committee said the ECJ judgment relied on the EU’s 1995 data protection directive, which was drafted three years before Google was founded.

Committee chair Usha Prashar said it was clear neither the 1995 directive, nor the ECJ’s interpretation of it, reflects the “incredible advancement in technology” in the past 20 years.

The committee said in the proposed new European data protection laws, search engines should not be classed as data controllers, and therefore not liable as owners of the information they are linking to.

The committee also believes people should not have the right to remove links to accurate and lawfully available information about them because they do not like what is said.

EU regulators have called for feedback from search engine operators on their implementation of the ECJ ruling.

This feedback from tech firms will be incorporated in a set of guidelines to be drafted by regulators to help them decide which links to remove and to deal with complaints from unsuccessful applicants.

EU regulators want a coherent approach that fits with EU data protection principles and plan to publish a set of guidelines before the end of 2014.


Via: computerweekly

FBI warns of cyberattacks linked to China

The U.S. Federal Bureau of Investigation issued a warning to companies and organizations on Wednesday of cyberattacks by people linked with the Chinese government.

The advisory, issued privately, contains “information they can use to help determine whether their systems have been compromised by these actors and provides steps they can take to mitigate any continuing threats,” according to an FBI statement.

The warning comes a day after security companies said they’ve been working closely together to enable their products to detect several hacking tools used by a China-based group against U.S. and other companies over several years.

“The FBI has recently observed online intrusions that we attribute to Chinese government affiliated actors,” according to the FBI statement. “Private sector security firms have also identified similar intrusions and have released defensive information related to those intrusions.”

The U.S. government has continued to be vocal about cyberattacks and has directly called on China for greater cooperation. China has maintained that it does not coordinate cyberattacks against U.S. companies and organizations, and that it is a victim of such attacks as well.

On Tuesday, security companies Cisco, FireEye, F-Secure, iSIGHT Partners, Microsoft, Tenable, ThreatConnect, ThreatTrack Security, Volexity, Novetta and Symantec said they conducted their first joint effort aimed at stopping hackers affiliated with “Operation Aurora,” which struck 20 companies in 2009, including Google.

The group is also referred to as Axiom by Novetta and shares similarities with other groups and cyberattacks that have been named Hidden Lynx, Elderwood, Voho, DeputyDog, Ephemeral Hydra and ShellCrew by various security vendors.


From Symantec:

A coordinated operation involving Symantec and a number of other security companies has delivered a blow against Backdoor.Hikit and a number of other malware tools used by the Chinese-based cyberespionage group Hidden Lynx. Dubbed Operation SMN, this cross-industry collaboration has seen major security vendors share intelligence and resources, resulting in the creation of comprehensive, multi-vendor protection which may significantly blunt the effectiveness of this malware. The organizations involved in this operation include Cisco, FireEye, F-Secure, iSIGHT Partners, Microsoft, Symantec, ThreatConnect, Tenable, ThreatTrack Security, Novetta, and Volexity.

The Hikit back door has been used in cyberespionage attacks against a range of targets in the US, Japan, Taiwan, South Korea, and other regions. Attackers using Hikit have focused their energies against organizations associated with the government, technology, research, defense, and aerospace sectors among other targets.

Operation SMN is the first time a cross-industry group has come together to disrupt an advanced persistent threat (APT) group. Previous collaborations, such as operations against the gangs behind the Gameover Zeus and Shylock Trojans, have usually been focused on cybercriminal gangs.

Coordinated by security firm Novetta under Microsoft’s new Coordinated Malware Eradication program, Operation SMN has resulted in a significant amount of intelligence being shared among vendors, leading to the rollout of more effective protection against Hikit and a number of other associated pieces of malware, including one previously unknown malware tool.

Hikit
The main target for this operation was Backdoor.Hikit, a sophisticated and stealthy remote access Trojan (RAT) which has been used in high profile attacks since 2011. Hikit provides the attackers with a back door on the victim’s computer. It enables them to download information from the infected computer and upload commands and other malware.

Network-tunneling capabilities allow the threat to create proxies, while an ad-hoc network generation feature allows it to connect multiple compromised computers to create a secondary network. Hikit comes in 32-bit and 64-bit versions, which are deployed depending on the target’s infrastructure.

Hikit has been used by at least two Chinese-based APT groups to launch cyberespionage attacks: Hidden Lynx and Pupa (also known as Deep Panda). Whether the groups are related in some way or whether they simply have access to the same malware tools is currently unknown.


Figure 1. Hikit infections by region

Hidden Lynx
Hidden Lynx, also known in the industry as Aurora, is a highly capable and well-resourced group of attackers that is based in China. The group has a track record of mounting relentless and persistent attacks against a broad range of targets.

Symantec has carried out extensive research on Hidden Lynx and has concluded that the group has between 50 and 100 operatives at its disposal and is capable of carrying out hundreds of simultaneous attacks against diverse targets. Given its broad focus, the group appears to operate as a “hackers for hire”-type operation, mounting attacks on demand as directed by its paymasters.

Hidden Lynx is regarded as one of the pioneers of the “watering-hole” attack method and it appears to have early access to zero-day vulnerabilities. If it cannot mount direct attacks against a target, Hidden Lynx has the capabilities and the patience to work its way up through the supply chain, compromising the security at companies that are suppliers to the target organization and using them as a stepping stone towards the ultimate goal.

Hidden Lynx used Hikit during its compromise of Bit9’s trusted file-signing infrastructure in 2012. This attack was then leveraged to mount the VOHO campaign in July 2012 using Bit9-signed malware. The ultimate target of this campaign was US companies whose computers were protected by Bit9. Hikit once again played a key role in this attack campaign.

Since then, Hidden Lynx has continued to use Hikit in its attacks against organizations predominantly in Taiwan, the US, Japan, and South Korea. In 2013, Hidden Lynx underwent a significant re-tooling effort, introducing two new malware tools, Backdoor.Fexel and Backdoor.Gresim, which it continues to use in conjunction with Hikit. Backdoor.Gresim was undiscovered prior to this collaboration effort.

This is the first time that a significant effort to disrupt the activities of an APT has been made. Symantec welcomes the work between industry partners to share intelligence and coordinate efforts to provide the maximum impact against APT groups. Through effective collaboration, we can help ensure that any organization likely to be targeted by these groups will be better protected in the future.

Symantec protection
Symantec has the following detections in place for the malware used in these attacks:

AV

IPS


Via: csoonline , symantec

Microsoft patches 3 zero-days including Sandworm on Patch Tuesday

Microsoft released eight security patches this month, including fixes for three zero-days. Once you have added the Oracle and Adobe patches and protected all machines under your care, it’s time to treat yourself to whatever makes you happy.

Ladies and gentlemen, for this National Cyber Security Awareness month, prepare yourself for a monster load of patches and restarts. Microsoft released nine Security Bulletins, but only eight security patches. Although there are five patches for remote code execution vulnerabilities, Microsoft rated only three of those as “Critical.” Since RCE-flavored vulnerabilities can allow an attacker to take control and execute code on your PC, it seems wise to patch all RCE bugs ASAP as if they were all rated Critical. Three of these RCE fixes are for zero-days being exploited in the wild.

Sandworm

You’ll want to patch CVE-2014-4114 with MS14-060, as a vulnerability in the OLE package manager can be exploited to remotely execute arbitrary code in Microsoft Windows versions Vista SP2 to Windows 8.1 and in Server 2008 and 2012. iSight, working in “close collaboration with Microsoft” since before September’s Patch Tuesday, has tracked and monitored exploitation of the vulnerability in the wild. A Russian cyber-espionage campaign dubbed “Sandworm” used it against targets including a U.S. academic organization, NATO, Ukrainian and Western European government organizations, European telecommunication firms and energy sector firms in Poland.


iSight added:

The vulnerability exists because Windows allows the OLE packager (packager.dll) to download and execute INF files. In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packager allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources.

This will cause the referenced files to be downloaded and, in the case of INF files, to be executed with specific commands. An attacker can exploit this vulnerability to execute arbitrary code but will need a specifically crafted file and use social engineering methods (observed in this campaign) to convince a user to open it.

Let that be a lesson to highlight one more reason never to use PowerPoint again... just kidding. However, patching the vulnerability is no joke.

Despite the name, Sandworm “is not a ‘worm’ in the sense of computer virus that can self-propagate.” (It’s a hat tip to killer worms in the movie Dune.) Ross Barrett, senior manager of security engineering at Rapid7, added, “The average system administrator or home users should not panic about Sandworm.…This is a local file format exploit” and “not a remote.” Nevertheless, Microsoft’s deployment chart shows it as an “Important” fix for an RCE.
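Both the CVE-2014-6352 advisory at the top of this page and the iSight description of CVE-2014-4114 above come down to the same defender-side question: does an Office file carry an OLE Package object that points outside the document? The following triage helper is an added example, not code from Microsoft, iSight or the article's author. It walks an Office Open XML package (.pptx/.docx/.xlsx are zip files), lists embedded OLE payloads under `embeddings/`, and flags relationship entries whose OLE target is external or whose remote target ends in an executable-looking extension. The relationship namespace and the `oleObject` relationship type are the real OOXML URIs; the list of extensions beyond INF, the `example.invalid` share name, and the two fixture packages are constructed for the demonstration.

```python
"""Triage helper for Office Open XML files (.pptx/.docx/.xlsx): list the
embedded OLE objects and flag OLE relationships whose target lies outside the
package, e.g. an INF file on a remote share, as described for CVE-2014-4114.
Added example; the fixtures below are constructed and are not real samples."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Real OOXML namespace and relationship-type URIs.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
# Targets starting like this resolve outside the package (UNC paths, URLs).
REMOTE_PREFIXES = ("\\\\", "//", "file:", "http:", "https:", "smb:")
# INF comes from the article; the other extensions are an assumed,
# non-exhaustive list of types the shell would execute rather than display.
SUSPICIOUS_EXT = re.compile(r"\.(inf|exe|scr|bat|cmd|js|vbs|hta)$", re.IGNORECASE)


def triage(data: bytes) -> dict:
    """Inspect an OOXML package given as bytes and return a summary dict."""
    embedded, external = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # Embedded OLE payloads live under */embeddings/ inside the package.
            if "/embeddings/" in name and not name.endswith("/"):
                embedded.append(name)
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                mode = rel.get("TargetMode", "Internal")
                is_ole = rel.get("Type") == OLE_REL_TYPE
                remote = target.startswith(REMOTE_PREFIXES)
                # An OLE object should never be linked externally; any remote
                # executable-looking target is suspicious whatever its type.
                if (is_ole and mode == "External") or (remote and SUSPICIOUS_EXT.search(target)):
                    external.append((name, target))
    return {"embedded_objects": sorted(embedded), "external_ole": external}


def verdict(data: bytes) -> str:
    """'suspicious' if any externally linked OLE/executable target was found."""
    return "suspicious" if triage(data)["external_ole"] else "clean"


def _package(files: dict) -> bytes:
    """Build a minimal zip package from {name: content} (constructed fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


RELS_HEAD = f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'


def build_sample_pptx() -> bytes:
    """Constructed fixture: a slide whose OLE relationship points at an INF on
    a UNC share (the host name is a placeholder). Not a working exploit."""
    rels = (RELS_HEAD
            + f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="../embeddings/oleObject1.bin"/>'
            + f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="\\\\example.invalid\\share\\slide1.inf" TargetMode="External"/>'
            + "</Relationships>")
    return _package({
        "[Content_Types].xml": "<Types/>",
        "ppt/slides/slide1.xml": "<slide/>",
        "ppt/slides/_rels/slide1.xml.rels": rels,
        "ppt/embeddings/oleObject1.bin": b"\x00" * 16,
    })


def build_benign_docx() -> bytes:
    """Constructed fixture: a document with only an internal OLE embedding."""
    rels = (RELS_HEAD
            + f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="../embeddings/oleObject1.bin"/>'
            + "</Relationships>")
    return _package({
        "[Content_Types].xml": "<Types/>",
        "word/document.xml": "<document/>",
        "word/_rels/document.xml.rels": rels,
        "word/embeddings/oleObject1.bin": b"\x00" * 16,
    })


if __name__ == "__main__":
    for label, blob in (("sample.pptx", build_sample_pptx()), ("benign.docx", build_benign_docx())):
        print(label, verdict(blob), triage(blob)["external_ole"])
```

Run it on a real file by passing `open(path, "rb").read()` to `triage()`. The check is deliberately structural: it does not try to parse the OLE binary, only the package's relationship graph, which is where an externally referenced Package object has to be declared. A hit is a reason to detonate the file in a sandbox or block it at the mail gateway, not proof of exploitation on its own.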



3 Critical RCE vulnerability patches

Microsoft’s deployment schedule shows three zero-days, yet only two of those are rated Critical and suggested to be deployed first.

MS14-056 closes 14 privately reported RCE bugs in Internet Explorer. It’s listed as a top priority for deployment, with an exploitability index of zero, meaning exploitation has been seen in the wild. It’s rated Critical for IE 6–11 on Windows clients and Moderate for IE 6–11 on Windows Server 2008 and 2012.

MS14-058 fixes two privately reported RCE flaws in Microsoft Windows kernel-mode driver. It is rated as Critical and affects all supported versions of Windows. It is the second zero-day Microsoft patched this month.

MS14-057 resolves three privately reported RCE vulnerabilities in Microsoft’s .Net framework. Rated Critical, it has an exploitability index of one.

5 patches for vulnerabilities rated as Important

The two RCE fixes rated as Important are MS14-060 and MS14-061. MS14-060 addresses the zero-day OLE “Sandworm” vulnerability revealed by iSight. MS14-061 patches one privately reported flaw in Microsoft Office, specifically “Microsoft Word 2007, Microsoft Office 2007, Microsoft Word 2010, Microsoft Office 2010, Microsoft Office for Mac 2011, Microsoft Office Compatibility Pack, Word Automation Services, and Microsoft Office Web Apps Server 2010.” Microsoft recommends deploying these two patches second.

MS14-062 and MS14-063 are the fixes for elevation of privilege flaws. MS14-062 addresses a publicly disclosed hole in Microsoft Windows Message Queuing Service and is rated as “Important” with an exploitability index of one for all supported editions of Windows Server 2003. “Successful exploitation of this vulnerability could lead to full access to the affected system.”

Rated as Important for all supported editions of Windows Server 2003, Windows Vista, and Windows Server 2008, MS14-063 resolves one privately reported EoP bug “in the way the Windows FASTFAT system driver interacts with FAT32 disk partitions.” Microsoft rates it as a two on its exploitability index.

MS14-059 fixes one publicly disclosed security feature bypass bug in ASP.NET MVC, specifically ASP.NET MVC 2, ASP.NET MVC 3, ASP.NET MVC 4, ASP.NET MVC 5, and ASP.NET MVC 5.1. It’s recommended as one of three patches to be deployed third, but is the only one this month with an exploitability index of three.

Microsoft “revised Security Bulletin MS14-042: Vulnerability in Microsoft Service Bus Could Allow Denial of Service (2972621) and Security Advisory 2755801: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer.” Tracey Pretorius, Director of Microsoft’s Response Communications, added:

Microsoft also announced upcoming updates to the out-of-date ActiveX control blocking feature. Beginning November 11, 2014, the out-of-date ActiveX control blocking feature will automatically be expanded to block outdated versions of Silverlight, in addition to outdated versions of Java. It is also being expanded to support Internet Explorer 9 on Windows Vista SP2 and Windows Server 2008 SP2.

You can grab Adobe’s patch for Flash Player here and hotfixes for ColdFusion here. Adobe promised it will soon release a patch for the privacy hole in Digital Editions 4.

But wait, there’s more! Lucky you, Oracle rolled out its quarterly critical patch update which includes 155 security fixes “across ‘hundreds’ of Oracle products.”

After you’ve protected all machines under your care from any nasty tricks, then it’s time to treat yourself to chocolate and a beer (or whatever makes you happy). Happy patching!


Via: networkworld

Mark Zuckerberg And Wife Priscilla Donate $25M To Fight Ebola

Facebook CEO Mark Zuckerberg has just announced on Facebook that he and his wife Priscilla Chan have made a grant of $25 million to the Centers for Disease Control Foundation in support of fighting Ebola — the deadly, viral disease that started in Africa, has infected over 8,000 people, and is spreading fast.

Zuckerberg announced the donation in a post on Facebook, along with a call for more people to donate — although at the time of writing the page seems to be down.

“The Ebola epidemic is at a critical turning point. It has infected 8,400 people so far, but it is spreading very quickly and projections suggest it could infect 1 million people or more over the next several months if not addressed,” he wrote. “We need to get Ebola under control in the near term so that it doesn’t spread further and become a long term global health crisis that we end up fighting for decades at large scale, like HIV or polio.

“We believe our grant is the quickest way to empower the CDC and the experts in this field to prevent this outcome.

Grants like this directly help the frontline responders in their heroic work. These people are on the ground setting up care centers, training local staff, identifying Ebola cases and much more.”

Zuckerberg and Chan have donated to other charitable causes — namely in the area of education, where their Startup:Education organization has backed companies building innovative educational platforms and services. They also donated $120 million to Bay Area schools earlier this year.

With events like the Ice Bucket Challenge demonstrating that viral internet memes can extend beyond sneezing pandas and biting infants, it will be interesting to see whether another urgent cause that threatens to become an even bigger health crisis than it is already will get people buzzing.


Via: techcrunch

Snapsaved Takes Responsibility For Latest Snapchat Leak

Last week, news spread that some 200,000 Snapchat photos had leaked after a third-party app (used to save people’s snaps) was hacked. It was referred to as the Snappening.

Snapchat was quick to respond to the situation by saying that the photos had been stolen from a third-party application, but that Snapchat’s servers were never compromised. Turns out, Snapsaved.com is stepping forward and taking responsibility for the leak.

In an update posted to the company’s Facebook page, Snapsaved claims full responsibility and also gives a bit more clarity about what was hacked and what information was made available.

According to the statement, the hackers never had access to any personal information such as usernames, though they did access 500MB of images, “as far as [Snapsaved] can tell.”

The company also responded to accusations that it might have purposefully provided hackers with access to the image database, saying that it immediately shut down the entire Snapsaved website and database as soon as they detected the breach.

The majority of affected users are Swedish, Norwegian and American, says the statement.

You can read the full explanation below:

I would like to elaborate on the recent events regarding Snapsaved.com.
Snapsaved.com was a website used to save SnapChats, precisely as the app snapsave.
In response to recent media events and the statement made by http://pastebin.com/cJcTbNz8, I would like to inform the public that snapsaved.com was hacked; the dictionary index the poster is referring to was never publicly available. We had a misconfiguration in our Apache server.
SnapChat has not been hacked, and these images do not originate from their database.
Snapsaved has always tried to fight child pornography; we have even gone as far as to report some of our users to the Swedish and Norwegian authorities.
As soon as we discovered the breach in our systems, we immediately deleted the entire website and the database associated with it. As far as we can tell, the breach has affected 500MB of images, and 0 personal information from the database.
The recent rumors about the snappening are a hoax. The hacker does not have sufficient information to live up to his claims of creating a searchable database.
Our users had to consent to all the content they received via SnapSaved.com; as we mentioned, we tried to cleanse the database of inappropriate images as often as possible.
The majority of our users are Swedish, Norwegian and American.
I sincerely apologize on behalf of snapsaved.com; we never wished for this to happen. We did not wish to cause SnapChat or their users any harm, we only wished to provide a unique service.
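The statement above only says that an index “was never publicly available” and that the Apache server was misconfigured; it does not say which directive was wrong. Read as an auto-generated directory listing, the kind of misconfiguration that exposes a store of uploaded images looks like the first block below, and the fix like the second. This is an added illustration, not Snapsaved’s configuration; the `/var/www/snaps` path is a placeholder and the assumption that directory indexing was the issue is mine.

```apache
# Added example, not the site's real configuration. Path is a placeholder.

# Weak: "Indexes" makes Apache generate a listing of every file in a
# directory that has no index document, so anyone who reaches the path
# can enumerate and download all stored images.
<Directory "/var/www/snaps">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Hardened: no auto-generated listings, no symlink traversal, and the
# upload store is not served by Apache at all. Files are instead streamed
# by the application after it has checked that the requester owns them.
<Directory "/var/www/snaps">
    Options -Indexes -FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>
```

Only one of the two blocks belongs in a live configuration. After changing it, `apachectl -t` validates the syntax, and a request for the bare directory URL should return 403 rather than an HTML listing; a periodic check for `Options` lines containing `Indexes` across all vhosts catches the setting if it is reintroduced later.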


via The Guardian , techcrunch