Plaintext passwords galore in huge AdultFriendFinder hack


AdultFriendFinder was hacked (again) in October 2016. According to LeakedSource, which acquired a copy of the dataset, this amounts to more than 400m accounts, many with plaintext passwords, from AdultFriendFinder and associated websites.

The site was compromised with a local file inclusion exploit, which means the website's code allowed access to files on the server that aren't supposed to be public.

Nearly a million accounts have the password "123456". More than 100,000 have the password "password".

The non-plaintext passwords were easily cracked anyway, apparently due to some roll-your-own encryption that involved lowercasing everything, SHA1ing it and going back to bed. The longest passwords were "pussy.passwordLimitExceeded:07/1" and "gladiatoreetjaimelesexetjaimefum", with a Blackadder fan in #3 with "antidisestablishmentarianism" and a sybarite who reads XKCD in #4 with "pussypussymoneymoneyweedweed."

Hotmail was the most common email provider, followed by Yahoo and Gmail. These three accounted for the vast majority of registered addresses, with AOL and Live an order of magnitude down.

LeakedSource isn't making the data set publicly available; but if they have it, others might too.

China electronics maker will recall some devices sold in U.S. after massive IoT hack


A China-based maker of surveillance cameras said Monday it will recall some products sold in the United States after a massive "Internet of Things" malware attack took down a major DNS provider in a DDoS attack. The stunningly broad attack brought much internet activity to a halt last Friday.


St. Jude heart implant devices can be hacked, security researchers say

Security experts hired by the short-selling firm Muddy Waters said in a legal brief filed today that cardiac implants made by St. Jude Medical can be hacked. If hackers can pwn your heart device, the researchers say, they can kill you--from as far away as 100 feet.


NSA contractor Harold Thomas Martin to face espionage charges over 50TB of "stolen code"


A former Booz Allen Hamilton contractor who worked with the National Security Agency will face charges of espionage in a case involving 50 terabytes or more of highly sensitive NSA data the government says were stolen.


Michelle Obama's passport leaked in new hack blamed on Russia


An image identified as a scanned copy of U.S. first lady Michelle Obama’s passport was published online today by "DC Leaks," along with personal emails associated with a man identified as a “low-level White House staffer who worked with Hillary Clinton’s presidential campaign.”


Yahoo says at least 500 million accounts hacked, blames "state-sponsored actor"


Yahoo today confirmed that it suffered a massive data breach that exposed information for at least 500 million user accounts in 2014. If you have a Yahoo account, the company says you should review all your online accounts for any suspicious activity.


Nightwork: the extraordinary, exuberant history of rulebreaking at MIT

MIT has a complicated relationship with disobedience. On the one hand, the university has spent more than a century cultivating and celebrating a "hacker culture" that involves huge, ambitious, thoughtful and delightful pranks undertaken with the tacit approval of the university. On the other hand -- well, on the other hand: Star Simpson, Bunnie Huang, and Aaron Swartz. In Nightwork, first published in 2003 and updated in 2011, MIT historian T. F. Peterson explores this contradictory relationship and celebrates the very best, while suggesting a path for getting rid of the very worst.

DCCC hack: FBI probes Democratic congressional group intrusion; Links to DNC hack and Russia investigated

Congressional candidates that are running for office and being supported by the Democratic Congressional Campaign Committee watch a video while standing onstage at the Democratic National Convention in Philadelphia, Pennsylvania, U.S. July 27, 2016. REUTERS

Yet another U.S. Democratic Party group has been hacked, the FBI said today. This latest cyberattack against the Democratic Congressional Campaign Committee (or DCCC) could be related to an earlier hack against the Democratic National Committee, Reuters reported, citing unnamed sources on the FBI investigation.


FBI paid at least $1.3 million to hack into the San Bernardino iPhone

iPhone parts in a NY repair store, February 17, 2016. REUTERS

The Wall Street Journal (paywall) reports that the FBI paid more than $1m to get into the San Bernardino terrorist's iPhone after Apple refused to create software to bypass its encryption. The Washington Post reports that a one-off $1.3m price tag was admitted, obliquely, by FBI Director James Comey by comparison with his own salary.

Federal authorities have not publicly revealed who helped the FBI unlock the San Bernardino iPhone, which was at the center of an extended fight between the government and Apple. The Justice Department had maintained that only Apple could help it access the phone without erasing all of its data before abruptly saying it had gotten help from an outside party and no longer needed Apple’s assistance.

According to people familiar with the issue, the FBI cracked the phone with the help of professional hackers who were paid a one-time flat fee. Law enforcement officials have said recently that the FBI has found no links to foreign terrorists on the phone, though they are still hoping that geolocation data on the device could help reveal what the attackers did during an 18-minute period after the shooting.

The FBI's attempts to compel Apple's cooperation backfired after CEO Tim Cook publicly accused the Bureau of exploiting the case to try and gain backdoor access to iPhones in general. The phone ultimately yielded no useful information.

“But it was, in my view, worth it,” the FBI director said of what it cost to access the phone’s data.

Amazing Mario glitch allows game to be turned into Flappy Bird


A bizarre glitch in Super Mario World, and an incredible amount of patience, and the SNES classic is transformed into Flappy Bird.

It's incredible to watch SethBling in action. Once the glitch (triggered by giving Mario too many power-ups) is active, machine code can be arbitrarily rewritten in memory by carefully moving Mario around. This code can, ultimately, be executed. The process takes an hour of careful pixel-perfect actions in the game world, which becomes stranger and more nightmarish as Mario's universe-editing rituals proceed.

Welcome to the weirdest, most painful, most existentially-nightmarish IDE—and a reminder that our own reality is probably an abandoned simulation waiting for someone to take too many power-ups and turn it all into a sadistic casual game.

FBI investigating ‘teen stoner hack’ of CIA Director John Brennan

John Brennan. Photo: Reuters

A pair of self-described teen stoner hackers say they breached an AOL account used by CIA Director John Brennan, the New York Post reported today.


Ashley Madison leak 2.0: new dump is twice as large, and includes CEO's emails

Self-proclaimed Ashley Madison hackers the Impact Team today released what looks like another 20 gigabytes of ill-gotten data. The just-dropped “other shoe” includes emails from the cheater-dating website's CEO.


Love cheats' hookup site hacked, user data purloined


Ashley Madison is a social network for people who want to cheat on their spouses. It's been hacked and "large caches of user data posted online," reports Krebs on Security.

The privacy of some 37 million account-holders is at stake, though the bulk of the dataset is apparently being withheld and its contents remain uncharted territory.

The social network's boss, bless his stupid nylon socks, thinks that he'll be able to take their "intellectual property" off the 'net.

Reached by KrebsOnSecurity late Sunday evening, ALM Chief Executive Noel Biderman confirmed the hack, and said the company was “working diligently and feverishly” to take down ALM’s intellectual property. Indeed, in the short span of 30 minutes between that brief interview and the publication of this story, several of the Impact Team’s Web links were no longer responding.

“We’re not denying this happened,” Biderman said. “Like us or not, this is still a criminal act.”

The claimed hackers say they were motivated by the site's hypocrisy. Ashley Madison apparently had a "remove your data from our servers for a fee" wheeze going on—a practice unnervingly reminiscent of some revenge porn operators.

The Next Web's Abhimanyu Ghoshal reports:

The Impact Team said that the ‘full delete’ feature didn’t actually wipe profiles as advertised and that it brought ALM $1.7 million in revenue last year.

The hackers said:

Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.


United rewards security researchers with air miles


The BBC reports that after two "hackers" spotted security holes in its website, United rewarded them with a million miles each.

One security expert said the scheme was a big step forward for online security.

"Schemes like this reward hackers for finding and disclosing problems in the right way. That makes the internet safer for all of us," said security consultant Dr Jessica Barker.

"Bug bounties are common in tech companies as they tend to understand online security a bit more, but other industries are catching up," said Dr Barker.


Accused Turkish cybercriminal extradited to U.S. to face charges of hacking ATMs worldwide

Never a good look, at least not to prosecutors.

The so-called unlimited cash out operations used hacked debit cards with withdrawal limits removed to make ATMs spew money.

LastPass hacked, but says user data's safe


The password management service was hacked last week, but its layers of security prevented a serious breach. Here's what users should do to make sure they're unaffected.

TL;DR: change your master password.

LastPass says in its blog entry, “Encrypted user vaults were not compromised.” This is a critical fact because changing your master password will immediately make the stolen password information useless. If crackers had stolen vaults, they would be able to churn on them forever, or return to them in the future and crack them with more advanced or powerful technology. Since people often don’t change passwords for years at a time, or ever, that could have still been a risk.

LastPass also advises changing your password at any other account for which you use the identical password.

Photo: Shutterstock.

How the hell did they get 1024 colors out of a 1981 PC?

If technical descriptions of how they achieved the amazing graphical feat flew over your head, this pictorial explanation makes clearer just how insane this thing is.

The idea that such multi-color trickery was possible came to me some time ago, as I was looking at reenigne's code for patching up composite CGA emulation in DOSBox; messing with that patch during development gave me a much better picture of composite CGA's inner workings. When I had ironed out the basic concept for this hack, I divulged it to reenigne for 'peer review' and for testing on real hardware. Soon enough, we had an improved recipe:

Take two familiar (though officially undocumented) tweaks. Blend to an even mixture producing a new effect. Add one crucial new trick – an ingredient of reenigne's devising. Test and calibrate until blue in the face.

It's also a great look at the workings of CGA for the interested but nontechnical layman.

Released at the Revision 2015 demo party, 8088 MPH is a vision of previously undiscovered possibility (a perfect entrypoint to the 19A0s!)—there's even MOD music, including digital samples, at 6:40m, like it's just no big deal at all to do that with 1981 hardware.
