May 28, 2020

Ashampoo Security Breach – Names and Email Addresses Taken

At the moment there seems to be a wave of cyber crime, with attackers picking the top names on the Internet to target. Recently servers at RSA were breached and then Epsilon was attacked. Now Ashampoo, the German software company best known for Ashampoo Burning Studio and Ashampoo WinOptimizer, has been attacked.

According to an email sent to its customers today, Ashampoo detected unauthorized access to one of its server systems and customer data was exposed. However, it does want to reassure customers that billing information (e.g. credit card or banking details) was definitely not taken, as this data is not stored on its systems. As soon as the break-in was detected it was interrupted, the security gap closed and the incident reported to the police.

Ashampoo is warning its customers of possible after-effects of the theft and cites the example of PurelyGadgets, which announced that its servers were used to send bogus order confirmations. The emails carried a manipulated PDF attachment that exploited vulnerabilities in Adobe Acrobat Reader to load malicious code onto the recipients’ PCs.

If you have further questions concerning this issue, Ashampoo’s support team (security@ashampoo.com) is at hand for help and advice. Inquiries in this context are being handled with the highest priority.

WordPress.com Security Breach – Hackers Gain Low Level Access to Servers

Automattic, the company behind WordPress.com and the open source WordPress blogging platform, has revealed that it has suffered a security breach. The attackers gained root access to several of Automattic’s servers and potentially anything on those servers could have been read, copied or modified.

Automattic are reviewing the logs and records to determine the extent of the information exposed and are blocking the holes used to gain access. Most of the code on WordPress.com is open source; however Matt Mullenweg, the founding developer of WordPress, has mentioned that there are sensitive bits of code. It is assumed that these ‘sensitive bits’ are embedded passwords and the like.

Automattic’s investigation into this matter is ongoing and will take time to complete but worried customers can contact the WordPress support team.

WordPress 3.1.1 Released – Includes Security Patches

The WordPress project has released WordPress 3.1.1, a new version of the open source blogging system. Version 3.1.1 is a maintenance and security update. The release announcement says that the update fixes almost thirty issues in 3.1, including:

  • Performance improvements
  • Fixes for IIS6 support
  • Fixes for taxonomy and PATHINFO (/index.php/) permalinks
  • Fixes for various query and taxonomy edge cases that caused some plugin compatibility issues

With regards to security, V3.1.1 addresses three security issues:

  • Better cross-site request forgery (CSRF – pronounced “sea-surf”) prevention in the media uploader
  • A workaround for a PHP crash in certain environments when handling esoteric links in comments
  • A fix for a cross-site scripting (XSS) issue

The WordPress team suggest you update to 3.1.1 promptly. You can download 3.1.1 or update automatically from the Dashboard → Updates menu in your site’s admin area.

BP Lose Laptop – Data Leak Ahead?

Not every incident of confidential data getting into criminal hands is the result of a hacker breaching security; there is always the human element. BP have reported that nearly one month ago one of its employees lost a company laptop holding the personal information of 13,000 claimants who are trying to get compensation from BP after the Gulf oil spill.

Curtis Thomas, a BP spokesman, said that BP has sent letters to almost 13,000 people whose data was stored on the computer. BP is offering to pay the claimants to have their credit monitored by Equifax in case their details are being used fraudulently.

Although the laptop was password-protected, the spreadsheet of claimants’ details was not encrypted. The spreadsheet contained the claimants’ names, Social Security numbers, phone numbers and addresses.

This data is now potentially out in the wild, all because a single laptop was lost or stolen “during routine business travel”. And laptops are easy to lose: research from 2008 showed that 10,278 laptops are reported lost every week at 36 of the largest U.S. airports, and 65 percent of those laptops are never reclaimed.

According to a statement made to SecurityWeek: “The lost laptop was immediately reported to law enforcement authorities and BP security, but has not been located despite a thorough search. There is no evidence that the laptop or data was targeted or that anyone’s personal data has in fact been compromised or accessed in any way. Our Security team continues to monitor the situation very closely and we are still in touch with authorities in an attempt to recover the laptop.”

Fraudulent SSL Certificates In Wild That Could Allow Spoofing

It has been revealed that an affiliate of Comodo, a security company, was compromised, resulting in the fraudulent issuance of nine SSL certificates for existing domains including mail.google.com, www.google.com, login.yahoo.com and addons.mozilla.org. These certificates could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all web browser users.

Comodo is reporting that the compromise was detected within hours and the certificates revoked immediately. Even so, Microsoft, Google and Mozilla have updated their web browsers to ensure that these fraudulent certificates are rejected, since revocation checking alone cannot be relied upon in every client.

Mozilla has updated Firefox 4.0, 3.6, and 3.5, while Microsoft has released updates for various platforms according to Microsoft Knowledge Base Article 2524375 and is also supplying additional information in Microsoft Security Advisory 2524375. At the end of last week Google released Chrome 10.0.648.151, which “blacklists a small number of HTTPS certificates”; this is almost certainly connected to this incident.

It is worth noting that none of Comodo’s root keys, intermediate CAs or secure hardware were compromised and that Comodo quickly reported the incident to the owners of the domains affected as well as informing the major browser providers and the relevant government authorities.

It is interesting to note that the two IP addresses involved are assigned to Iranian ISPs, but this may just be the result of an attacker attempting to lay a false trail. However, government attacks against social networking sites are not new. A few months ago it was reported that the Tunisian Internet Agency was harvesting the passwords and usernames of bloggers, reporters, political activists and protesters by injecting hidden JavaScript into the login pages of many popular sites.

NIST Propose Two New SHA2 Algorithms

NIST (the National Institute of Standards and Technology), the US government department responsible for defining standard measures and, in the digital age, for defining certain technology standards, has proposed an alteration to the SHA-2 hash algorithm standard.

A hashing algorithm is a deterministic way to produce a fixed-size bit string from an arbitrary block of data in such a way that an accidental or intentional change to the data will change the hash value.

The perfect hashing algorithm has four properties:

  1. It is easy to compute the hash value for any given message.
  2. It is infeasible to find a message that has a given hash.
  3. It is infeasible to modify a message without changing the hash.
  4. It is infeasible to find two different arbitrary blocks of data with the same hash.

There are currently five SHA2 algorithms: SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. Each algorithm produces a message digest of a specific length: SHA-1 produces a digest of 160 bits, SHA-224 produces one of 224 bits, and so on.

The proposed standard would add SHA-512/224 and SHA-512/256. They are based on the SHA-512 algorithm but produce a truncated output of 224 or 256 bits, respectively. They are being added because it is thought they might be a more efficient alternative to using SHA-224 or SHA-256 on 64-bit platforms.

The proposed standard would also remove the current restriction on the padding operation in the secure hash algorithms, which could potentially allow more flexibility and efficiency.
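The four properties listed above and the truncated SHA-512 variants are easy to check empirically. The following Python script is an added example for this digest, not code from NIST or from the article; it hashes a constructed sample message with the SHA-2 members named here, confirms that each produces its fixed-size digest regardless of input length, and measures the avalanche effect behind property 3 (flipping one input bit changes roughly half of the output bits). It also carries the caveat a practitioner should know: SHA-512/256 is defined with its own initial hash values, so it is not simply the first 256 bits of a SHA-512 digest, and the script demonstrates that where the local OpenSSL build exposes `sha512_256` to `hashlib`.

```python
import hashlib

# Constructed sample message (not taken from the article).
MESSAGE = b"Ashampoo security digest, May 2020"

# The four SHA-2 members named in the article and the digest length
# (in bits) that the standard assigns to each.
SHA2_DIGEST_BITS = {
    "sha224": 224,
    "sha256": 256,
    "sha384": 384,
    "sha512": 512,
}


def digest_bits(name: str, data: bytes) -> int:
    """Hash `data` with the named algorithm and return the digest size in bits."""
    return hashlib.new(name, data).digest_size * 8


def all_digest_sizes_match(data: bytes = MESSAGE) -> bool:
    """Fixed-size output: each algorithm emits exactly its advertised digest
    length whether the input is short or 1000 times longer."""
    return all(
        digest_bits(name, data) == bits and digest_bits(name, data * 1000) == bits
        for name, bits in SHA2_DIGEST_BITS.items()
    )


def is_deterministic(name: str, data: bytes = MESSAGE) -> bool:
    """Property 1 in practice: hashing the same bytes twice yields the same digest."""
    return hashlib.new(name, data).digest() == hashlib.new(name, data).digest()


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of `data` with a single bit flipped, modelling the smallest
    possible accidental or intentional modification of a message."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def hamming_distance(a: bytes, b: bytes) -> int:
    """Count the bits that differ between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_fraction(name: str, data: bytes = MESSAGE, bit_index: int = 0) -> float:
    """Property 3 in practice: the fraction of output bits that change when one
    input bit is flipped. For a sound hash this is close to 0.5."""
    before = hashlib.new(name, data).digest()
    after = hashlib.new(name, flip_bit(data, bit_index)).digest()
    return hamming_distance(before, after) / (len(before) * 8)


def truncated_sha512_equals_sha512_256(data: bytes = MESSAGE):
    """Caveat for the proposed variants: SHA-512/256 uses its own initial hash
    values, so it is NOT the first 256 bits of SHA-512. Returns False when the
    two differ, or None if this Python/OpenSSL build lacks sha512_256."""
    if "sha512_256" not in hashlib.algorithms_available:
        return None
    naive_truncation = hashlib.sha512(data).digest()[:32]
    real_sha512_256 = hashlib.new("sha512_256", data).digest()
    return naive_truncation == real_sha512_256


if __name__ == "__main__":
    print("fixed-size digests:", all_digest_sizes_match())
    for algo in SHA2_DIGEST_BITS:
        print(f"{algo}: deterministic={is_deterministic(algo)} "
              f"avalanche={avalanche_fraction(algo):.2f}")
    print("naive SHA-512 truncation == SHA-512/256:",
          truncated_sha512_equals_sha512_256())
```

The avalanche figure is a quick sanity check rather than a proof of property 3, but it is the behaviour that makes a hash useful for integrity checking: a one-bit change in a file produces a digest that shares nothing recognisable with the original.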

ICANN Working Group Issues Domain Hijacking Recommendations

ICANN (Internet Corporation For Assigned Names and Numbers) has been working on a new set of recommendations related to the issues around domain hijacking, the urgent return of an inappropriately transferred name and a domain’s “lock status”.

The wonderfully named “GNSO Inter-Registrar Transfer Policy (IRTP) Part B Policy Development Process Working Group” (don’t you just love bureaucrats) has come up with nine recommendations to address the problem of domain hijacking.

Some of the language of the recommendations seems a bit fuzzy and at times bureaucratic… Recommendation #1 starts with “is considering recommending”. Or in other words we are thinking about making a recommendation which could then be ignored, but we won’t commit either way… But at least they are thinking… we hope…

So here are some of the recommendations in simple English.

  • Requiring registrars to provide an Emergency Action Channel when a domain is hijacked.
  • Proactive measures to prevent hijacking including measures to protect domain registrar accounts against compromise and misuse.
  • Creation of a ‘thick’ WHOIS that stores the complete WHOIS information from all the registrars. There is no standard means for the secure exchange of registrant details in the current ‘thin’ registry model.
  • Require that the Registrar of Record/Losing Registrar notify the Registered Name Holder/Registrant of a transfer.
  • Standardizing and clarifying WHOIS status messages regarding Registrar Lock status. The goal of these changes is to clarify why the Lock has been applied and how it can be changed.

The Register: Facebook bug spills name and pic for all 500 million users

A bug in Facebook’s login system allows attackers to match unknown email addresses with users’ first and last names, even when they’ve configured their accounts to make that information private.

The information leak can be exploited by social-engineering scammers, phishers, or anyone who has ever been curious about the person behind an anonymous email message. If the address belongs to any one of the 500 million active users on Facebook, the social-networking site will return the full name and picture associated with the account.

Read the full article here.

Source: [The Register]

Suricata 1.0.1 Released: Open Source IDS/IPS

The OISF development team released Suricata 1.0.1, the first maintenance release for Suricata 1.0, the Open Source Intrusion Detection and Prevention engine.

Improvements:

Download the new release here:

https://www.openinfosecfoundation.org/download/suricata-1.0.1.tar.gz

Known issues & missing features:
See https://redmine.openinfosecfoundation.org/projects/suricata/issues for an up-to-date list and to report new issues. See https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Known_issues for a discussion and timeline for the major issues.
