Bitcoin Talk forum hacked hours after making cameo in Silk Road takedown

Database of private messages and password data may be in the wild, admins warn. 

by Dan Goodin

Just hours after it played a supporting role in the takedown of the Silk Road drug empire, the Bitcointalk.org website suffered a hack that exposed users' personal messages, e-mails, and password data.

"To be safe, it is recommended that all Bitcoin Forum users consider any password used on the Bitcoin Forum in 2013 to be insecure," an e-mail sent to registered users stated. "If you used this password on a different site, change it. When the Bitcoin Forum returns, change your password."

User passwords were cryptographically protected using 7,500 rounds of the SHA256crypt hash function, Bitcoin Talk administrator Theymos said in a forum on reddit. That's a significant measure that could add decades or even centuries to the task of cracking passcodes that are at least nine characters and randomly generated. Still, the hack could be damaging to the privacy of users who stored sensitive communications on the site. Bitcoin Talk administrators are in the process of figuring out how the compromise happened and don't plan to restore service until after the security hole is plugged.

bitcointalk.org defaced

People who visited the site after it was hacked were greeted by cartoon images of missiles that appeared over Tchaikovsky's classical music opus 1812 Overture. A pop-up caption at one point read: "Hello friend, Bitcoin has been seized by the FBI for being illegal. Thanks, bye."

Bitcoin Talk was one of the sites on which alleged Silk Road kingpin Ross William Ulbricht used his real identity to post messages. Federal prosecutors cited the post, which solicited an "IT pro in the Bitcoin community" to work on a venture-backed startup, as evidence that Ulbricht was the same person who went by the handle "Dread Pirate Roberts" and ran the $1.2 billion Silk Road bazaar.

Courtesy: arstechnica

By: Unknown On 9:32 PM

Continue Reading

Adobe source code and customer data stolen in sustained network hack

Theft could give hackers a new way to exploit widely used Acrobat, ColdFusion apps. 

by Dan Goodin

Adobe said it suffered a sustained compromise of its corporate network, allowing hackers to illegally access source code for several of its widely used software applications as well as password data and other sensitive information belonging to almost three million customers.

Adobe dropped the bombshell revelation shortly after KrebsonSecurity's Brian Krebs reported that the hack began sometime in mid August and was carried out by the same criminals who breached LexisNexis and other major US data brokers. In the course of investigating the earlier intrusions, Krebs said he happened upon a 40 gigabyte trove of source code, much of it belonging to Adobe. Adobe confirmed its ColdFusion Web application software and its Acrobat document program were among those that were stolen.

A new generation of exploits

The Acrobat software family, which is intimately linked to the nearly ubiquitous Reader application, has long been a favorite target of malware developers looking for ways to sneak their malicious wares onto people's computers. The specter of hackers having full access to the raw source code of those applications is troubling, because it could make it easier to identify bugs that can be surreptitiously exploited in drive-by website attacks.

Wikipedia

"This breach poses a serious concern to countless businesses and individuals," a statement issued by Holder Security, which assisted in Krebs's investigation, warned. "While we are not aware of specific use of data from the source code, we fear that disclosure of encryption algorithms, other security schemes, and software vulnerabilities can be used to bypass protections for individual and corporate data. Effectively, this breach may have opened a gateway for a new generation of viruses, malware, and exploits."

Adobe Chief Security Officer Brad Arkin said officials aren't aware of any unpatched vulnerabilities being targeted in any of the company's products. "However, as always, we recommend customers run only supported versions of the software, apply all available security updates, and follow the advice of the Acrobat Enterprise Toolkit and the ColdFusion Lockdown Guide," he added. He thanked Krebs and Alex Holden of Hold Security for their help in responding to the intrusion.

Krebs said Adobe engineers are still in the process of checking on the integrity of its source code. The investigation includes looking for "anomalous check-in activity on its code repositories," which could indicate the intruders were able to introduce backdoors or security bugs or otherwise tamper with the underlying applications.

"We are looking at malware analysis and exploring the different digital assets we have," Arkin told Krebs. "Right now the investigation is really into the trail of breadcrumbs of where the bad guys touched."

In an advisory, Arkin said attackers removed information for 2.9 million customers from company computers. That data included customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to orders. Attackers also accessed customer IDs and "encrypted" (by which Adobe probably means cryptographically hashed) passwords. Customer passwords will be reset, and Arkin recommended customers change passwords on other sites if they matched those used in their Adobe accounts. Arkin said company employees have notified banks that process customer payments so they can work with payment card companies and card-issuing banks to protect customer accounts.

Krebs said that one of the related intrusions he uncovered—into the network of the National White Collar Crime Center—appears to have been initiated by exploiting weaknesses in Adobe's ColdFusion product. While Adobe plugged all known security holes in the product a few months ago, many networks run outdated versions that expose the users to serious hacks. "This indeed may have also been the vector that attackers used to infiltrate Adobe's own networks," Krebs said.

Courtesy: arstechnica

By: Unknown On 9:13 PM

Continue Reading

Why phishing continues to trigger cyberattacks

(Editor's note: In this guest essay, Trevor Hawthorn, Chief Technology Officer, at security training vendor ThreatSim, discusses why phishing remains at the root of many forms of cyberattacks.)

As we mark the 10th annual National Cyber Security Awareness, the most common -- and effective -- cyberattack method is spear phishing.

Some 92 percent of targeted attacks in 2012 started with spear phishing, according to research by Trend Micro.

Attackers can simply e-mail a targeted victim and entice him or her to click on a malicious link.

Phishing is a simple and consistently successful attack vector despite billions of dollars invested into technologies designed to defend against well-engineered attacks.

READ MORE: In Antarctic lake, extreme conditions lead to extreme genetics

After 20 years of technology R&D and the birth of a booming cyber security industry, 
users still represent a major security weakness.

Untrained users are in a position to escort the attackers around your expensive security technology every time they click a link or open an email attachment without any hesitation.

The simplest solution is to train people to identify and avoid phishing messages, thus creating a "human firewall." Even small changes can have a dramatic impact.

READ MORE: LA schools halt iPad program in light of student “hacks”

Better training prepares the user to think twice when presented with a suspicious e-mail. Just getting them to pause and think can lead to a dramatic decrease in compromises.

The mantra espoused and championed by National Cyber Security Awareness Month needs to be communicated more than once a year.

Awareness is achieved through continuous activity to inform and remind recipients of a message. Security awareness programs need to be designed like a good advertising campaign that delivers the right message, to the right person, at the right time.

Properly trained, users can act as the eyes and ears in the trenches and report suspicious activity, blunt a phishing attack, and become valuable sensors in the fight against cyber crime.

Courtesy: USAtoday

By: Unknown On 12:10 PM

Continue Reading

LA schools halt iPad program in light of student “hacks”

A total of 2,100 iPads are supposed to be returned—with 700 still missing. 

by Cyrus Farivar

Last week, we reported on the fact that students in Los Angeles had figured out a way to “hack” the iPads they were given by their school. (In reality, it was a simple matter of deleting profile information as students found ways around the security limits implemented by the administration.)

Now, school officials at Westchester and Roosevelt high schools are seemingly pulling the plug on the entire program. They're asking for students to return the 2,100 devices that had been distributed. For the time being, however, only about two-thirds of those iPads have actually been returned to the school, and no one knows if or when the district's iPad program will resume.

"They carted them out of every classroom in sixth period," Westchester senior Brian Young told a Los Angeles Times reporter on Monday. "There has been no word of when they'll be back."

READ MORE: In Antarctic lake, extreme conditions lead to extreme genetics

Officials from the nation’s second-largest school district “expressed some admiration for the students' ingenuity, and they discussed the possibility of enlisting students' help on an anti-hacking committee,” the Times added. (The Times' editorial board has slammed the entire program.)

A Los Angeles Unified School District (LAUSD) spokesperson told the newspaper that the district was “working with Apple to develop a solution” so that students would be allowed to take the iPads home and use them outside of the school environment. This was not previously allowed.

READ MORE: Shutdown of US government websites appears bafflingly arbitrary

The district's top official, John Deasey, is slated to appear on local television on Thursday evening to field questions about the program. An LAUSD deputy in charge of this initiative resigned last month as a result of the fiasco.

Courtesy: arstechnica

By: Unknown On 12:02 PM

Continue Reading

U.S. Says Iran Hacked Navy Computers

U.S. officials said Iran hacked unclassified Navy computers in recent weeks in an escalation of Iranian cyber intrusions that target the U.S. military.

The allegations by U.S. officials, coming as the Obama administration ramps up talks with Iran over its nuclear program, demonstrate the depth and complexity of long-standing tensions between Washington and Tehran.

Read the rest of this post on the original site »

Courtesy: allthingsd

By: Unknown On 11:38 AM

Continue Reading