April 23, 2018

Evernote hacked, forces 50 million users to reset password

evernote(LiveHacking.Com) – Over the weekend Evernote, the cloud based information storage company, revealed that it had discovered suspicious activity on its servers by hackers trying to access secure areas where user’s “notes” and files are kept. During the follow up investigation, Evernote discovered that the hackers had gained access to user information, which includes usernames, email addresses, and encrypted passwords. Therefore, as a precaution, the company has implemented a forced password reset for each of its 50 million users.

One good bit of news is that the passwords are encrypted and use a salt, something that LinkedIn failed to do. Evernote is confident that its password encryption is robust, but is forcing the password reset to ensure that users’ personal data remains secure.

“As recent events with other large services have demonstrated, this type of activity is becoming more common. We take our responsibility to keep your data safe very seriously, and we’re constantly enhancing the security of our service infrastructure to protect Evernote and your content,” said Evernote is a statement.

As part of the notification email, which Evernote sent to its users, the company gave some general tips for passwords including:

  • Avoid using simple passwords based on dictionary words
  • Never use the same password on multiple sites or services
  • Never click on ‘reset password’ requests in emails – instead go directly to the service

Although the last bit of advise is generally sound (because so many phishing emails use password resets as link bait), Sophos has pointed out that the notification email itself contained links for resetting a user’s password. However in fairness to Evernote the links do take the user to the evernote.com site and not a password reset page. However the problem is that the link uses a click tracking system and goes via a domain called links.evernote.mkt5371.com, which could look like a phishing attack! The mkt5371.com domain is owned by Silverpop, an email communications firm who Evernote is using to send out the 50 million emails!


GPS more vulnerable than previously thought

(LiveHacking.Com) –  The Global Positioning System (GPS) has grown from its simple beginnings to a ubiquitous and trusted source for positioning, navigation, and timing data. GPS chips are built into everything from Sat Nav systems to mobile phones and from vehicle tracking systems to digital cameras. It has always been possible to jam and spoof GPS signals, since they are just radio transmissions from the orbiting satellites, but now new research has been published which shows that when treated as a complete computer system, GPS is more vulnerable than previously thought.

The research paper, which has been published by Carnegie Mellon University and Coherent Navigation, shows that a 45 second GPS message can disable over 30% of the Continually Operating Reference Station (CORS) network. CORS, which is used for many safety and life-critical applications, provides Global Navigation Satellite System (GNSS) data which is used by surveyors, GIS users, engineers, scientists to improve the precision of their positions.

The new, larger attack surface for GPS now includes the following three areas:

  1. GPS Data Level Attacks – Producing good, bad, and wrong data at higher-levels such as the navigation message in real time with the valid GPS signal. These data-level attacks can cause more damage than simple spoofing including the ability to remotely crash a high-end professional receiver.
  2. GPS Receiver Software Attacks – The GPS software stack in a receiver can be compromised, in some cases remotely.The danger is that if the GPS receivers is treated as a device, rather than a computer system, the vulnerabilities could remain unpatched.
  3. GPS Dependent System Attacks – Most systems which use GPS data implicitly trust the data. Since there is no validation of the data it is possible to affect system which depend on GPS data but are’t themselves GPS receivers. The researchers have shown that it is possible to permanently de-synchronize the date of Phasor Measurement Units (PMUs) used in the smart grid.

To carry out the “attacks” the researchers designed a GPS phase-coherent signal synthesizer (PCSS). Like a hybrid receiver and satellite in a box, the PCSS has an input antenna that receives live GPS signals, and outputs malicious signals. It also allows full programmatic control over the GPS signals in real time. The total hardware cost of the PCSS is about the same as a high-end laptop – around $2,500.

“Until GPS is secured, life and safety-critical applications that depend upon it are likely vulnerable to attack,” wrote the paper’s authors.

These new attacks highlight the possibility of causing serious damage using only a few thousand dollars worth of hardware. As a result the researchers are recommending  the use of an Electronic GPS Attack Detection Systems (EGADS). An EGADS is similar in spirit to a network or host IDS system, but designed to detect GPS attacks.

36 million euros stolen from banking customers across Europe using mobile malware

(LiveHacking.Com) –  A sophisticated and complex attack has been used to systemically steal millions from banking customers, both corporate and private, across Europe. By using a combination of malware for the PC and malware for mobile, the attackers have been able to  intercept SMS messages used by banks as part of their two-factor authentication process. First the attackers would infect the victim’s PC and then  infected their mobile. Once the two-factor authentication was bypassed, the criminals used the corresponding transaction authentication number (TAN), to automatically transfers of funds from the victims’ accounts. The sums varied in size from €500 to €250,000.

According to Check Point, the firewall maker, an estimated €36+ million has been stolen from more than 30,000 corporate and private bank accounts. This attack campaign has been named “Eurograbber” by Versafe and Check Point Software Technologies who have released a case study about the criminals activities. By using a variation of the Zeus-In-The-Mobile Trojan the  victim’s online banking sessions were completely monitored and manipulated by the attackers. The mobile part of the attack used malware developed for both the Blackberry and Android platforms.

“Cyberattacks are constantly evolving to take advantage of the latest trends. As online and mobile banking continue to grow, we will see more targeted attacks in this area, and Eurograbber is a prime example,” said Gabi Reish, Head of Product Management at Check Point Software Technologies. “The best way to prevent these attacks is with a multi-layered security solution that spans network, data, and endpoints, powered by real time threat intelligence.”

In the on-going battle between cyber-criminals and IT infrastructure designers, cyberattacks have become more sophisticated. The Eurograbber attack has found the weakest link in the chain, the banking customers and their devices. In this case by unwittingly installing malware on their PC and phone the victims allowed the attackers to launch and automate their attacks and avoid traceability.

Checkpoint has notified the banks involved and it is actively working with law enforcement  agencies to halt any current or future attacks. The report ends by reminding  individual users that they must be steadfast in ensuring all of their desktops, laptops and tablets have all possible security layers enabled and that they are kept current with software and security updates to ensure the best protection possible.

Tumblr attacked with viral worm that posts hate messages

(LiveHacking.Com) –  The GNAA, an “anti-blogging” group, is claiming responsibility for a worm which hit Tumblr this week. The worm posted unpleasant posts on victim’s accounts and spread when others viewed the post. The text posted on victim’s blogs starts with “Dearest Tumblr users,” but it quickly turns into a bewildering rant about the “self-indulgent” and “decadent” ways of Tumblr bloggers.

The GNAA, whose acronym is intentionally inflammatory and isn’t worth repeating here, has attacked other major sites in the past including CNN, President Obama’s re-election campaign and Wikipedia.  As another “prank” the group pretended to be looters on Twitter in the aftermath of hurricane Sandy. In an interview, a spokesman for the group claims they told Tumblr weeks ago about the potential security vulnerability but they were ignored.

During the attack Tumblr posted the following status message: “There is a viral post circulating on Tumblr which begins “Dearest ‘Tumblr’ users”. If you have viewed this post, please log out of all browsers that may be using Tumblr immediately. Our engineers are working to resolve the issue as swiftly as possible. Thank you.”

An analysis of the worm by Sophos shows that “the worm took advantage of Tumblr’s reblogging feature, meaning that anyone who was logged into Tumblr would automatically reblog the infectious post if they visited one of the offending pages.” The contents of the post contained a base64 string of encoded JavaScript, which itself was hidden inside an iFrame. The Javascript then downloaded more from a subdomain of strangled.net.

“It shouldn’t have been possible for someone to post such malicious JavaScript into a Tumblr post – our assumption is that the attackers managed to skirt around Tumblr’s defences by disguising their code through Base 64 encoding and embedding it in a data URI,” wrote Graham Cluley of Sophos.

According to SCMagazine, Tumblr has fixed the security issue which allowed the worm to spread. The worm did not do any other damage other than spreading the inflammatory spam message. According to Tumblr, users’ accounts were not compromised.

The fix was confirmed by the blogging platform, “Tumblr engineers have resolved the issue of the viral post attack that affected a few thousand Tumblr blogs. Thanks for your patience.”


Egyptian hacker selling Yahoo! Mail exploit for $700

(LiveHacking.Com) – An Egyptian hacker is selling a zero-day exploit for Yahoo! Mail that lets an attacker hijack email accounts. The hacker is offering the exploit for $700 on a hacking related black market website. The exploit uses a  cross-site scripting  (XSS) vulnerability in yahoo.com that allows an attacker to steal cookies. Once the cookie has been stolen the attacker can send or read email from the victim’s account.

The hacker created a video for potential buyers on the Darkode cybercrime forum. In the video a method for accessing the victim’s account is demonstrated. For the exploit to work the attacker must trick the user into clicking on a specially-crafted link. Brain Krebs has got hold of the video and posted it to YouTube.

As part of the sales pitch the hacker wrote, “I’m selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers. And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss. Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don’t want it to be patched soon!” Notice how his uses his entrepreneurial skills to drop the price to just $700.

Brain Krebs has informed Yahoo! of the problem. According to Ramses Martinez, director of security at Yahoo!, the problem for the engineers is to work out exactly which URL is susceptible as it isn’t clear from the video. Once found it should be easy enough to fix.

XSS attacks are unfortunately all too common. The site Xssed.com hosts an archive of reported XSS vulnerabilities  including several examples of other XSS flaws in yahoo.com CSS attacks work by getting an unsuspecting user to click on a  malicious link. Once clicked a script is executed, and can access cookies, session tokens or other sensitive information stored by the victim’s browser. This information can then be stolen by the attacker.

Two machines attacked within the FreeBSD.org cluster

(LiveHacking.Com) – Just over a week ago the FreeBSD team detected an intrusion on two of its machines in the FreeBSD.org cluster. As a result the affected machines were taken offline while they investigated.  Also as a precaution, most of the remaining infrastructure machines were also taken offline. The investigation has revealed that the compromise occurred due to a leaked SSH key. No vulnerability or code exploit within FreeBSD was found. However the most alarming thing is that the attack and subsequent  compromise may have occurred as early as the 19th September 2012.

FreeBSD is divided into two segments: the “base” which includes the kernel; the system libraries; the compiler; and the core command-line tools and daemons, and the “packages” which are the third-party components distributed as part of the overall FreeBSD system. According to the security advisory published by the FreeBSD team, “no part of the base FreeBSD system has been put at risk. At no point has the intruder modified any part of the FreeBSD base system software in any way. However, the attacker had access sufficient to potentially allow the compromise of third-party packages.”

The investigation has concluded that although the attacker had sufficient access to compromise the third-party packages, no evidence has been found that any packages were modified. But the FreeBSD team is taking an extremely conservative view and is working on the assumption that packages generated and distributed between the 19th September and 11th November 2012 could theoretically have been modified.

Who’s affected?

You have no reason to worry if:

  • you are running a system that has had no third-party packages installed or updated on it between the 19th September and 11th November 2012.
  • you reply in the Source, Ports and Documentation Subversion repositories to make updates.
  • you use the freebsd-update binary upgrade mechanism (it uses an entirely separate infrastructure).

However for everyone else the FreeBSD project cannot cannot guarantee the integrity of any packages available for installation between 19th September 2012 and 11th November 2012, or of any ports compiled from trees obtained via any means other than through svn.freebsd.org or one of its mirrors. Those affect should re-install any machines from scratch, using trusted sources.

The package set built for the upcoming 9.1-RELEASE has been deleted, and will be rebuilt from source before 9.1 is released. With regards to the cluster machines, all suspect machines are being either reinstalled, retired, or thoroughly audited before being brought back online.

In brief: Callcentric hit by malicious series of DDoS attack

(LiveHacking.Com) – Callcentric, a VoIP Internet phone service, has sent an email to its subscribers telling them about a malicious series of DDoS attacks which have been launched against the service. The company are treating the attacks as a Direct Criminal Act with clear malicious intent. This is based on the persistent, aggressive, and evolving nature of attacks. The company has been in direct contact with the FBI and FCC to report the matter and to prompt and an investigation.

According to the email, the attacks are targeting Callcentric’s SIP Servers:

  • As a result of these attacks, users may experience drops in system registration, which can ultimately lead to inconsistent inbound/outbound calling results.
  • Customer’s using “Call Forwarding” to temporarily route their inbound calls to a 3rd party number (SIP URI, Cellphone, PSTN line, etc.) should not experience difficulty in receiving calls.

“We can appreciate and share in everyone’s frustration regarding these malicious attacks and we continue to work around the clock to deploy software\hardware updates and upgrades in effort to mitigate against them,” said Callcentric. “At Callcentric we have always been and remain committed to providing great value, reliable service, and putting our customer’s first. Once this matter has been fully resolved our corporate management team will be performing a complete review and we will work to provide a fair resolution to address any inconvenience that our customers’ have experienced resulting from these attacks.”

Chinese hackers reportedly breached White House systems used for nuclear commands

(LiveHacking.Com) – The Washington Free Beacon is reporting that hackers with connections to the Chinese government have breached one of the U.S. government’s computer systems used for nuclear commands. The hack, which is said to have taken place earlier this month, used servers in China to access the computer network used by the White House Military Office (WHMO).

The WHMO is the president’s military office which handles not only presidential communications and inter-government teleconferences, but also communications relating to strategic nuclear commands. The so-called “nuclear football” is the nuclear command and control suitcase used by the president which enables him to be in constant communication with the USA’s strategic nuclear forces.

According to an unidentified national security official the instant the attack was identified, the system was isolated, and there are no indications that any data was copied. It is thought that since the WHMO handles such important communications it is likely the work of Chinese military cyber warfare specialists under the direction of a unit called the 4th Department of General Staff of the People’s Liberation Army, or 4PLA.

“The White House network would be the crown jewel of that campaign so it is hardly surprising that they would try their hardest to compromise it,” said Former McAffee cyber threat researcher Dmitri Alperovitc who now works for Crowdstrike.

The revelation of the attack comes only days after Rear Admiral Samuel Cox, The U.S. Cyber Command’s top intelligence officer, accused China of persistent efforts to pierce Pentagon computer networks. He also said a proposal was moving forward to boost the cyber command in the U.S. military hierarchy.

The White House have so far given no comment on the cyber attack, or on whether President Obama was notified of the incident.

However, there are questions being raised over the validity of the claims made by The Washington Free Beacon. In the original report an Obama administration national security official is reported to have said “This was a spear phishing attack against an unclassified network.” This is interesting for two reasons:

  1. A spear phishing attack isn’t really a hack, but rather a targeted email which tries to solicit information from the recipient.
  2. The unclassified network mentioned means a normal non-secret network rather than a classified or “high side” encrypted network.



SourceForge distributes phpMyAdmin with backdoor after mirror hacked

(LiveHacking.Com) – SourceForge has stopped using one of its mirrors in Korea after the popular open source website was alerted to a corrupted copy of phpMyAdmin being served from that site. The ‘cdnetworks-kr-1′ mirror in Korea was immediately removed from rotation when it was discovered that the mirror had been hacked (via a yet as unknown vector) and started serving a modified copy of phpMyAdmin- with a built-in backdoor which allowed the execution of arbitrary commands.

According to an advisory posted on the phpMyAdmin  website, the backdoor is located in file server_sync.php and allows an attacker to remotely execute PHP code. Another file, js/cross_framing_protection.js, has also been modified.

SourceForge has examined its logs and has identified around 400 users who downloaded the hacked file. Where possible SourceForge has send emails to those users if they were able to identify them through the logs.

SourceForge is currently conducting additional validation to confirm that only one file was modified on the ‘cdnetworks-kr-1′ mirror and they will post an update once this process is complete. For the moment the mirror remains out of rotation.

Anyone concerned that they may have downloaded a corrupt version of the popular MySQL administration software should check the phpMyAdmin distribution and download it again from a trusted mirror if it contains the file server_sync.php.


In brief: GoDaddy outage was not due to hacking

(LiveHacking.Com) – As reported yesterday, GoDaddy suffered an interruption to its services on Monday starting shortly after 10 a.m. PDT. The company, which is one of the world’s biggest domain registrars and web hosts,  managed to restore full services by by 4 p.m. PDT. It was thought that the down time was due to a denial of service attack when a user on Twitter, who claimed to be an official member of the hacking group Anonymous,  took sole responsibility for the alleged attack, stating, “was only me not the Anonymous [collective]“.

However GoDaddy has now completed its investigation and is reporting that the incident was not related to a “hack”.

“The service outage was not caused by external influences. It was not a ‘hack’ and it was not a denial of service attack (DDoS). We have determined the service outage was due to a series of internal network events that corrupted router data tables. Once the issues were identified, we took corrective actions to restore services for our customers and GoDaddy.com. We have implemented measures to prevent this from occurring again,” said Scott Wagner CEO of GoDaddy in a statement.