Monthly Archives: September 2016

71,000 Minecraft World Map accounts leaked online after ‘hack’

Dumped creds have been exposed since January.

Some 71,000 user accounts and IP addresses have been leaked from Minecraft fan website Minecraft World Map.

The dumps, reported by Australian security researcher Troy Hunt, include email addresses, IP address data, usernames, and passwords for popular site Minecraft World Map.

Login passwords were salted and hashed, and further details were not disclosed.

More than half of the breached accounts were already breached and listed in Hunt’s Haveibeenpwnedbreach credential repository.

The hack, which occurred in January this year, appears to have gone unreported.

“In approximately January 2016, the Minecraft World Map site designed for sharing maps created for the game was hacked and over 71k user accounts were exposed,” Hunt wrote on the breach site.

“The data included usernames, email and IP addresses, along with salted and hashed passwords.”

The site is popular with Minecraft gamers who use the web property to share their in-game developed worlds. Users should reset affected passwords reused on other sites.

Password best practice is subject to debate. If advice from boffins at Microsoft and Google is followed, passwords should be pronounceable, rather than set to the typically-recommended jumble of numbers, special characters, and letters, which are difficult for users to recall.

It is okay for users to reuse passwords on sites they do not care for, Microsoft academics have said, provided they set strong logins for critical sites.

Britain’s GCHQ spy agency also weighed in on the password best practice debate, advising admins to stop punishing users with regular password resets, which is said to lead to weaker combinations being set over time.

Docker’s security lead, Diogo Mónica, (@diogomonica) said that debate on password choice and complexity is off the mark, and should instead focus on convincing users to run password managers to set unique jumbled credentials for all sites.

 

via:  theregister

Intel to raise $3.1bn by spinning off security business

Ending what many saw as an uncomfortable marriage, Intel is to spin off its security business as a standalone pure-play cyber security company.

Chip maker Intel is partnering with global investment firm TPG to spin off its security business to form the one of the world’s largest dedicated information security firms, valued at $4.2bn.

Intel will receive $3.1bn in cash and retain a 49% stake in the new business, to be known as McAfee and led by Intel Security chief Chris Young and his existing management team.

The move comes five years after Intel completed its $7.7bn acquisition of McAfee and just two years after rebranding it as Intel Security.

Intel justified the acquisition by outlining plans to push security to every device through building a baseline security capability into every chip.

But those plans have not come to fruition, and some of the key executives at Intel who led the acquisition and championed the concept of hardware-based security have since left the company.

Intel has also since been forced to restructure to focus on datacentres for the cloud industry and mobile and wearable technology in the face of the global slowdown in PC shipments.

In Intel’s 2016 first-quarter financial results, the security group was one of its best performers, with revenue of $537m, up 5% on the previous quarter and up 12% year-over-year.

This made the division ripe for selling, and the deal with TPG will give Intel a financial boost, in addition to the $750m it is seeking to save in 2016 by cutting 12,000 jobs.

TPG announced it is making a $1.1bn equity investment in the business to help drive growth and enhance focus as a standalone business.

In a statement, Intel and TPG said they would work together to position McAfee as a strong independent company with access to significant financial, operational and technology resources.

“With the new investment from TPG and continued strategic backing of Intel, the new entity is expected to capitalise on significant global growth opportunities through greater focus and targeted investment,” the statement said.

In 2015, Intel Security unveiled a new strategy focused on endpoint devices and cloud as security control points, as well as actionable threat intelligence, analytics and orchestration, which the company said would enable customers to detect and respond to more threats faster and with fewer resources.

“Security remains important in everything we do at Intel, and going forward we will continue to integrate industry-leading security and privacy capabilities in our products from the cloud to billions of smart, connected computing devices,” said Intel CEO Brian Krzanich.

“As we collaborate with TPG to establish McAfee as an independent company, we will also share in the future success of the business and in the market demand for top-flight security solutions, creating long-term value for McAfee’s customers, partners and employees and Intel’s shareholders. Intel will continue our collaboration with McAfee as we offer safe and secure products to our customers.”

Jim Coulter, co-founder and co-CEO of TPG, said he was confident McAfee would thrive as an independent company.

“With TPG’s investment and continued support from Intel, McAfee will sharpen its focus and become even more agile in its response to today’s rapidly evolving security sector,” he said.

The CEO of the new company, Chris Young, said in an open letter that as a company supported by these two partners, McAfee will be in a position of strength.

“With this move, we will create the ideal company structure to position McAfee for enhanced focus, innovation and growth,” he said.

The transaction is expected to close in the second quarter of 2017, subject to certain regulatory approvals and customary closing conditions.

 

via: computerweekly

Hewlett Packard Enterprise to spin off software assets in $8.8B transaction

In an $8.8 billion transaction, Hewlett Packard Enterprise, also known as HPE, will be spinning off its non-core software assets, according to a statement from company CEO Meg Whitman. The assets will be merged with Micro Focus, a British software company, to form a new combined corporation.

After separating from Hewlett-Packard last year, HPE forged a business model centered around providing both infrastructure and software to support enterprise server, cloud and network needs. The company’s hybrid approach involved so much software that the HPE website even had a dedicated “A-Z” software section with packages spanning every letter but J, X, Y and Z.

HPE will be retaining tools that support the company’s cloud and infrastructure businesses but will be spinning off tools for application delivery management, big data, enterprise security, information management, governance and IT operations management.

“I want to be crystal clear — HPE is not getting out of software,” said Whitman.

The new merged company operating these software platforms will be owned in part by HPE shareholders. Shareholders will retain a 50.1 percent stake in the company after HPE receives $2.5 billion in cash from the transaction.

image

HP Enterprise (HPE) Stock Price – 7 Days | FindTheCompany

HPE made a similar move in May of this year by spinning off and merging its enterprise services division with Computer Sciences Corporation to form a new company. HPE shareholders also retained 50 percent ownership of the combined company in that transaction. Both deals are expected to bring increased cost synergies.

In addition to HPE and Micro Focus, German open-source software company SUSE will also be getting a boost from the deal via a new commercial partnership where SUSE will provide HPE with Linux tools.

image
View image on Twitter

The deal is expected to close in Q3 of 2017 with Kevin Loosemore, executive chairman of Micro Focus, taking the helm of the combined company.

 

via:  techcrunch

Multi-process Firefox brings 400-700% improvement in responsiveness

Earlier this summer some was written about Mozilla’s efforts to rollout a multi-process architecture, codename Electrolysis, for Firefox. In the months since, Mozilla has completed its initial tests on 1 percent of its user population and the initial numbers are good, according to Asa Dotzler, director of Firefox at Mozilla.

The company is reporting a 400 percent improvement in responsiveness and a 700 percent improvement in responsiveness for loading large web pages.These numbers mean that users are far less likely to see their browser freeze, pause, lag or crash. Dotzler himself used the word “janky” to describe previous versions of the browser.

Over the next week, multi-process will be coming to 10 percent of total Firefox users. For now, users with add-ons will not be getting the new architecture. The staggered rollout is fairly industry standard to avoid shipping bugs. Having two independent groups of users allows Mozilla to benchmark metrics from the new version against unconverted users.

For now, multi-process is limited to a single content process and a single browser process. Later versions will include multiple content processes and sandboxing.

In the coming weeks, Mozilla will push multi-processing to 100 percent of their initial cohort of users. This group represents 40-50 percent of total users. Within the next six months, a majority of users can expect to have the capabilities. Here is a little cheat sheet of upcoming releases:

  • Firefox 49: Enabling for a set of add-ons that work well with multi-processing
  • Firefox 50 or 51: Sandboxing and enabling for more add ons
  • Firefox 52 or 53: Multiple content processes

Over the coming months, engineering teams will be shifting their efforts toward improving security and adding new web developer features.

Teams spent a large amount of time ensuring the new browser would be accessible to as many groups as possible. Bi-directional editing turned out to be a larger project than expected, and users that need right-to-left support will get it in Firefox 49-51.

One of the initial fears of Firefox users was that Electrolysis would be so RAM-intensive that it would severely slow the browser down.

Dotzler noted the memory reduction his teams achieved after spending the last five years on a project called MemShrink. Such a low starting point made multi-process possible. Adding a single additional process added about 20 percent overhead. There are currently no plans to dedicate a process to every single webpage. Right now teams are working to define a fixed number of processes for future rollouts. The question is whether new versions will coalesce pages randomly into a fixed number of processes or coalesce pages by domain.

“We can learn from the competition,” said Dotzler. “The way they implemented multi-process is RAM-intensive, it can get out of hand. We are learning from them and building an architecture that doesn’t eat all your RAM.”

While most may not remember, Electrolisis is not Mozilla’s first attempt to bring a multi-process architecture to Firefox. Six years ago, Project Candle brought a multi-process architecture to Firefox on mobile. The company abandoned the efforts after noticing it was creating a bottleneck on mobile, according to Dotzler.

Today the Firefox mobile browser runs as a single process but with advancements in the processing power of smartphones, it is possible that additional content processes could come to mobile again in the future.

 

via:  techcrunch

SWIFT Discloses New Cyber-Heists, Urges Banks to Boost Security Measures

SWIFT, the messaging network used by financial institutions to complete transactions, announced on Tuesday it has discovered new cyber-theft attempts against its member banks.

According to a report by Reuters, the company sent out a private letter to global clients, warning that new cyber-heists have occurred since June this year.

“Customers’ environments have been compromised, and subsequent attempts (were) made to send fraudulent payment instructions,” read a copy of the letter, which was obtained by Reuters.

“The threat is persistent, adaptive and sophisticated – and it is here to stay,” warned the Society for Worldwide Interbank Financial Telecommunication (SWIFT).

Due to its privacy agreements, the Brussels-based firm did not disclose the name of the affected banks or the amounts stolen. However, SWIFT noted the banks varied in size and location, and used different methods for accessing the financial messaging system.

According to the letter, all victims had weaknesses in their local security that attackers exploited to compromise the local networks and send fraudulent messages requesting money transfers.

The announcement comes just months after the first major heist in which the Central Bank of Bangladesh lost $81 million to cyber thieves who successfully hacked into SWIFT’s client software.

Subsequently, several other attacks surfaced, including the theft of $12 million from Ecuador’s Banco del Austro and $10 million from an unnamed Ukrainian bank.

Other reported attempts were unsuccessful, such as the case with the Vietnamese Tien Phong Bank after it spotted a fraudulent transfer of 1.2 million euros bound to a Slovenian bank.

Following the spate of attacks, SWIFT has been pushing banks to adopt enhanced security measures, including stronger systems for authenticating users and updates to its software for sending and receiving messages, said Reuters.

Furthermore, SWIFT announced it plans to suspend banks with poor security practices. In the letter, the firm notified banks they must install the latest version of its software by November 19, or they could be reported to regulators and banking partners.

The added security features in its new software include technology for verifying credentials of people accessing a bank’s SWIFT system; stronger password management rules; and better tools for identifying attempts to hack the software.

SWIFT claims its messaging services are used by more than 11,000 financial institutions in more than 200 countries and territories around the world.

 

via:  tripwire

5 Ways You Can Ensure Improved Data Security

Today, we live in a day and age where businesses are continually crippled by data breaches. From the 2014 JPMorgan Chase hack that compromised 76 million households and 7 million small businesses accounts, to the 2015 Anthem breach that exposed birthdates, social security numbers, addresses, phone numbers and employment information from the second-largest health insurer in the US. It’s evident that no organization is safe when it comes to data hacks.

However, data security within any organization can also be improved through new technologies, software defined storage, better training and common sense. It’s important to invest time and money in your data security initiatives in order to not only protect your business but also increase customer service and brand reputation.

Below are five ways organizations, both big and small, can ensure improved data security.

1. MANAGE WHO HAS ACCESS

First, as an organization, take inventory of what data every employee may or may not have access to. Determine which employees still need access and which do not in an effort to limit the amount of data access by employees/admins to a small, manageable number. In addition, have your admins determine which type of access each department/employee needs.

According to infoworld.com:

“Credential hygiene is essential to strong database security because attackers often, if not nearly always, seek to compromise privileged accounts to gain access to confidential data. Minimizing permanent privileged accounts reduces the risk that one of those accounts will be compromised and used maliciously.”

2. KNOW AND PROTECT YOUR MOST IMPORTANT DATA

If a data breach occurred in the next hour, could you quickly identify your most valuable data? As a company, it’s important to take the time to identify what you consider the most valuable data and work on protecting that first.

Commonly referred as the “crown jewels” of data, this type of data usually makes up 5-10 percent of the company’s data, and if it were compromised, would cause the most damage to the company. Once identified, work on procedures to not only secure the data but also limit the amount of employees that have access to it.

3. DEVELOP A DATA SECURITY PLAN/POLICY

Another important strategy when looking to improve data security is developing a data security policy. It’s important to have a plan in place when hacks and breaches occur and a plan that determines which employees need and have access to data, as mentioned above. Thus, these sorts of policies can keep employees in line and organized.

This policy should also be open to changes and edits as amendments will need to be made to match the growing technology innovations and new company policies. By having data access rules that are strictly enforced, the better you protect your data on a day-to-day basis.

4. DEVELOP STRONGER PASSWORDS THROUGHOUT YOUR ORGANIZATION

Employees need to have stronger and more complicated passwords. Work to help employees develop passwords that are a combination of capital letters, numbers and special characters that will make it much harder for hackers to crack.

A good rule of thumb when creating a new password is to have it be at least 12 characters and to not include a combination of dictionary words, such as “green desk.” All and all, passwords should be unique to employees and difficult for computers to guess.

5. REGULARLY BACKUP DATA

Lastly, it’s important to backup your data on a regular basis. In addition to hacks, loss of data is a serious issue, and organizations need to be prepared for the unexpected. As a business, get in the habit of either automatically or manually backing up data on a weekly or daily basis.

Also, make sure the backup data is equally secure from potential hackers. With a strong software program or IT department, it can help businesses fight off potential threats and build business values around the importance data security.

Avoid becoming the next major data breach story by taking action and initiative with your data security and protecting what’s valuable to your organization.

 

via:  tripwire

New York subway is offering free ebooks (and Wi-Fi) for your commute

In an effort to highlight its upcoming launch of more in-train Wi-Fi (not to be confused with in-train cricket attacks), the New York MTA, Transit Wireless, and publishing powerhouse Penguin Random House are getting together to release ebooks and articles timed to your commute. This project mirrors a product launched in London last year.

As The Digital Reader notes, even Governor Cuomo is in on the fun. “New York’s transportation network must continue adapting to the changing needs of its ridership and a key part of that is delivering the amenities that have become essential components of everyday life,” he said. “Bringing Wi-Fi into underground stations helps riders stay connected throughout their commute, allowing them to check in with friends or family and access news or entertainment. We’ve made tremendous progress in modernizing the system and Subway Reads is a fun way to introduce riders to the new Wi-Fi experience.”‎

Transit Wireless is giving away a few Kindle Fires and they are offering 175 short stories and chapters for riders. You can even take the stories off the train and above ground.

It’s odd that the MTA feels it needs to advertise its exciting free Wi-Fi offer in any way. Given the previous inaccessibility of the system’s eldritch tunnels I figure all you have to do is post a sign that says “Free Wi-Fi” and people would jump. However, the ebook offering is a clever way to kick things off and it’s better than the previous system of trapping and tagging subway weirdos for public exhibition.

 

via:  techcrunch

Apple adds a 2TB iCloud storage option for $19.99 per month

iCloud users can now access up to 2TB of storage, as Apple just added a new tier that provides 2TB for $19.99 per month.

As a refresher, iCloud storage can be used by Mac and iOS users to store and sync photos and videos, documents, device backups, music, emails and more between their devices.

Apple also offers a Dropbox-like service called iCloud Drive which uses also iCloud storage, and lets you sync any document between your iOS device, Mac, or PC. Since Apple is getting ready to release macOS Sierra with built-in Drive support, they probably added this new 2TB option assuming that bringing iCloud Drive to the desktop will result in some users wanting to sync more than 1TB of data.

Plus, this increased storage option may also lend credibility to the rumor that Apple may soon release a new iPhone with 256GB of storage. Before this increase to 2TB, backing up a iPhone with 256GB of storage to iCloud could have potentially forced a user to bump up against his 1TB storage limit.

This 2TB option joins iCloud’s existing 5GB free tier, 50GB tier at $0.99 per month, 200GB tier at $2.99 per month, and 1TB tier at $9.99 per month.

In terms of price, Apple’s offering is pretty on par with competing services. Google Drive also offers 1TB for $9.99 per month (but then nothing until 10TB for $99.99 per month) while Microsoft offers 1TB for $6.99 per month as part of an office 365 subscription. Dropbox also offers 1TB for $9.99 per month.

Since pricing is essentially identical across platforms, the decision really comes down to convenience for users and what platform will most easily work between all of their devices. With these increased storage options and the upcoming integration of iCloud Drive into macOS, Apple may have finally build an iCloud-based storage option that is good enough for iOS and mac users to ditch their Dropbox or Google Drive subscriptions and commit to iCloud.

 

via: techcrunch

Mac password-stealing malware haunts Transmission app… again

To have the official distribution of your Mac software hacked to include malware once may be regarded as a misfortune; to have it happen twice looks like carelessness.

(With apologies to Oscar Wilde.)

The first time it happened to popular BitTorrent client Transmission was back in March 2016.

For a short while, the Mac version of Transmission 2.90 on the official download site was a not-so-official version that had some secret sauce of its own: OS X ransomware called OSX/KeRanger-A.

This time, for less than 24 hours on 28 August 2016 and 29 August 2016, a bogus version of Transmission 2.92 was uploaded that contained malware known as OSX/PWSSync-B.

Ironically, the main feature added when 2.92 was released, and the main reason you might have updated, was to a malware removal utility for KeRanger, in case you had a leftover infection from the hacked 2.90 version:

PWS, by the way, is short for for password stealer, so you can guess the primary function of the malware; it is also known as “Keydnap”, a name that explains itself (say it out loud quickly).

The hack that was applied to the Transmission app this time is very similar to the previous attack.

The hacked Transmission program itself contains only a tiny change: a small snippet of code added at the start that loads a file called License.rtf that is packaged into the application bundle. (Last time, the sneaky extra file was General.rtf.)

Transmission’s hacked startup code loads License.rtf from the Resources subdirectory

The file License.rtf sounds innocent enough – what software doesn’t include a licensing document somewhere? – and opening it seems equally reasonable.

Except that this License isn’t what it seems.

It’s actually an OS X executable (program file) that:

  • Configures itself as an OS X LaunchAgent so that it runs automatically every time you reboot or logon.
  • Steals passwords and other credentials from your OS X Keychain, the Mac’s built-in password manager.
  • Calls home to download additional scripts to run.

As an aside, don’t forget that before ransomware grabbed the headlines, with its laser-like focus on scrambling your data quickly to provoke prompt payment, most malware included a zombie or bot component like the third item above.

So, don’t forget that even though the credential-grabbing part of OSX/PWSSync-B is bad enough on its own…

…malware that includes a “download new stuff and run it” function can, rather obviously, be updated at any time to commit any additional cybercrimes that its botmaster might decide upon.

The hacked Transmission.app package is digitally signed, so if you run it you won’t see an “unknown developer” warning, but the signature doesn’t identify the developer you’d expect for a legitimate Transmission file:

FAKE APP (AUGUST 2016):
Identifier=org.m0k.transmission
Authority=Developer ID Application: Shaderkin Igor (836QJ8VMCQ)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=Aug 28, 2016, 5:09:55 PM
TeamIdentifier=836QJ8VMCQ

REAL APP:
Identifier=org.m0k.transmission
Authority=Developer ID Application: Digital Ignition LLC
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=6 Mar 2016, 20:01:41
TeamIdentifier=5DPYRBHEAR

If you’re comfortable using a bash prompt, you can extract the details shown above, and more, from any Mac app by using the command codesign --details --verbose=4 Nameofthe.app.

Just for interest, here is the developer’s signature from the last time Transmission was hacked:

FAKE APP (MARCH 2016):
Identifier=org.m0k.transmission
Authority=Developer ID Application: POLISAN BOYA SANAYI VE TICARET ANONIM SIRKETI (Z7276PX673)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=Mar 4, 2016, 9:36:28 PM
TeamIdentifier=Z7276PX673

What to do?

If you’re a Windows user, you may stop right here: for once, you have the minor luxury of a malware attack that doesn’t apply to you!

This vector of infection only applies if you:

  • Have a Mac running OS X.
  • Downloaded the Transmission 2.92 BitTorrent client on 28 or 29 August 2016.
  • Actually ran the booby-trapped Transmission app you downloaded.

If you think you may be at risk, or if you want to check your Mac anyway, just to make sure, you can use our 100% free Sophos Home product.

Sophos detects these malware components as OSX/PWSSync-B and OSX/PWSSync-E.

 

via:  nakedsecurity

Evidence of DNS tunnelling in two-fifths of business networks

Cyber criminals are capitalizing on the failure of many businesses to examine their DNS traffic for malware insertion and data ex-filtration, according to Infoblox.

Two-fifths of business networks show evidence of DNS tunnelling, the latest security report from network control firm Infoblox reveals.

DNS tunnelling is a technique used to send and receive data packets over the domain name system (DNS) that is designed to translate domain names such as computerweekly.com into IP addresses such as 206.19.49.154, and consequently has no inherent security or monitoring capability.

DNS tunnelling activity is a significant security threat that can indicate malware or data ex-filtration within a network, according to the company’s security assessment report for the second quarter of 2016.

The report said 559 files capturing DNS traffic were uploaded to Infoblox for assessment from 248 customers across a wide range of industries and geographies. Evidence of suspicious DNS activity, such as attempting to reach known malicious internet locations, was present in 66% of the files.

Tunnelling trend

The prevalence of DNS tunnelling is one of the trends that stands out in the quarter, the report said, noting that cyber criminals know that DNS is a well-established and trusted protocol, and that many organisations do not examine their DNS traffic for malicious activity.

DNS tunnelling enables cyber criminals to insert malware or pass stolen information into DNS queries, creating a covert communication channel that bypasses most firewalls, the report said.

While there are quasi-legitimate uses of DNS tunnelling, many instances are malicious. There are several off-the-shelf tunnelling toolkits readily available on the internet that enable cyber criminals with relatively little technical expertise to mount DNS tunnelling attacks.

Cocktail ingredient

According to Infoblox, DNS tunnelling is often an element in very sophisticated attacks, including those sponsored or directly managed by nation states. For example, the recently uncovered Project Sauron – a particularly advanced threat likely to have been sponsored by a government – uses DNS tunnelling for data exfiltration.

“In the physical world, burglars will go to the back door when you’ve reinforced and locked the front door. When you then secure the back door, they’ll climb in through a window,” said Rod Rasmussen, vice president of cyber security at Infoblox.

“Cybersecurity is much the same. The widespread evidence of DNS tunnelling shows cyber criminals at all levels are fully aware of the opportunity. Organisations can’t be fully secure unless they have tools in place to discover and prevent DNS tunnelling.”

The specific security threats uncovered by Infoblox during the second quarter, ranked by percentage, include:

“While these threats are serious, DNS can also be a powerful security enforcement point within the network,” Rasmussen pointed out.

“When suspicious DNS activity is detected, network administrators and security teams can use this information to quickly identify and remediate infected devices, and can use DNS firewalling as well to prevent malware inside the network from communicating with command-and-control servers,” he said.

 

via: computerweekly