Roundup Let's kick-start your Monday with some juicy computer security news, beyond what we reported last week.
New round of data theft claims
Throughout last week, El Reg broke the news that more than 600 million accounts had been stolen from more than a dozen websites and were being offered for sale on the dark web by a single seller. One by one, the companies hit by the hacker confirmed their customer records had been swiped and touted online for Bitcoin.
Just before the weekend, the miscreant put more databases from more hacked websites up for sale on the dark web. The purloined data is mostly usernames or email addresses plus hashed passwords, sold on to spammers and credential stuffers to exploit. Here's the list of purported account records for sale:
- Houzz: 57 million usernames and hashed passwords. The company is aware, and informed customers in early February that it had been ransacked by a hacker.
- YouNow: 40 million usernames and IP addresses. The company is aware, and said that no passwords were involved because it uses external sites for user authentication. YouNow says it does not believe the advertised data was stolen from its systems, and that it may instead have been scraped from its website.
- ixigo: 18 million usernames and MD5-hashed passwords, which are trivially easy to crack: MD5 is fast and, if unsalted, one guess tests every account at once.
- Stronghold Kingdoms: 5 million accounts and HMAC-RIPEMD160-hashed passwords.
- Roll20.net: 4 million usernames and bcrypt-hashed passwords.
- ed: 1.8 million usernames and SHA-256-hashed passwords.
- Petflow: 1.5 million usernames and MD5-hashed passwords, again trivially easy to crack.
- CoinMama: 400,000 usernames and phpass-hashed passwords.
- Plus, in late-breaking news: 60 million accounts from piZap, 8 million from Gfycat, a combined 20 million from Storybird, Jobandtalent, Legendas.tv and OneBip, 1.5 million from ClassPass, and one million from StreetEasy.
Needless to say, if you have an account on any of these sites, you should expect to hear from them shortly.
The stolen credentials were hashed rather than stored in plaintext (hashing is a one-way transform, not encryption: there is no key that turns the digest back into the password), and the stronger, deliberately slow and salted algorithms, such as bcrypt, make it impractical to crack them en masse to hijack accounts. Fast unsalted hashes such as MD5 offer no such comfort. Either way, it's better to be safe than sorry: wait for that password reset, and change the password on any other site where you reused the same passphrase. But we know Reg readers aren't reusing passwords across multiple sites, yeah?
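To make the difference between the hash types in that list concrete, here is an added example (not code from the article or from any of the companies named) that runs a small dictionary attack against two constructed sample dumps: one storing unsalted MD5, as ixigo and Petflow reportedly did, and one storing a salted, tunable-cost hash. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt here, since bcrypt needs a third-party module; the usernames, passwords and wordlist are all made up for the demonstration. The point it shows is that with an unsalted fast hash one hash computation per candidate cracks every user at once, whereas a salt forces a full slow-hash run for every (user, candidate) pair.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from any real breach): a tiny wordlist and the
# plaintext passwords we pretend four users chose.
WORDLIST = ["123456", "password", "qwerty", "letmein", "hunter2", "dragon"]
USERS = {
    "alice": "password",
    "bob": "hunter2",
    "carol": "correct horse battery",  # not in the wordlist, so never cracked
    "dave": "letmein",
}

# Work factor for the slow hash. PBKDF2-HMAC-SHA256 is an assumed stand-in for
# bcrypt; what matters is that each run costs this many HMAC iterations.
DEFAULT_ROUNDS = 20_000


def md5_hex(password: str) -> str:
    """Unsalted MD5: one fixed digest per password, identical across all users."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, rounds: int = DEFAULT_ROUNDS) -> bytes:
    """Salted slow hash: the salt makes every user's digest unique."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def make_md5_dump(users=USERS):
    return {user: md5_hex(pw) for user, pw in users.items()}


def make_salted_dump(users=USERS, rounds=DEFAULT_ROUNDS):
    dump = {}
    for user, pw in users.items():
        salt = os.urandom(16)  # per-user salt, stored beside the digest as usual
        dump[user] = (salt, slow_hash(pw, salt, rounds))
    return dump


def crack_md5(dump, wordlist=WORDLIST):
    """Build one lookup table from the wordlist and match every user against it.
    Returns (cracked users, number of hash computations performed)."""
    table = {md5_hex(w): w for w in wordlist}
    found = {user: table[h] for user, h in dump.items() if h in table}
    return found, len(wordlist)


def crack_salted(dump, wordlist=WORDLIST, rounds=DEFAULT_ROUNDS):
    """No table is possible: each (user, candidate) pair needs its own KDF run.
    Returns (cracked users, number of KDF runs performed)."""
    found, evaluations = {}, 0
    for user, (salt, digest) in dump.items():
        for candidate in wordlist:
            evaluations += 1
            if hmac.compare_digest(slow_hash(candidate, salt, rounds), digest):
                found[user] = candidate
                break
    return found, evaluations


if __name__ == "__main__":
    cracked, n = crack_md5(make_md5_dump())
    print(f"unsalted MD5: cracked {sorted(cracked)} with {n} hash computations")
    cracked, n = crack_salted(make_salted_dump())
    print(f"salted PBKDF2: cracked {sorted(cracked)} with {n} KDF runs "
          f"of {DEFAULT_ROUNDS} rounds each")
```

Both attacks recover the same three weak passwords, but the salted run costs 17 KDF evaluations of 20,000 iterations each against six cheap MD5 calls for the whole dump, and that gap scales with the number of users: against 18 million MD5 hashes the table is still built once, while a salted dump would need 18 million times the wordlist size in slow-hash runs.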
Prosecutors claim Stone link to WikiLeaks
Friday afternoon's bad-news dump included a filing in the case against President Trump associate Roger Stone.
US prosecutors say they have copies of direct communications between Stone and WikiLeaks. If proven, that would place Stone within an alleged chain of communication running from the Guccifer 2.0 hacking operation to WikiLeaks, to Stone, and possibly on to the Trump campaign.
Stone has pleaded not guilty.
Facebook using tracking tools to watch 'threats'
Stop us if you've heard this one before: a newly uncovered practice at Facebook is raising privacy concerns.
This time, it's a report from CNBC outlining how the social network uses its own products to track users it believes pose a credible threat to Facebook offices and employees.
Dubbed "Bolo" (short for Be On the Look Out), the tool has been in use for more than a decade. When a user is added to the Bolo list, Facebook's security team gets their profile information as well as their location data and photos.
While Facebook says the list is only used to protect its employees from credible threats of harm, the report suggests that in some cases people are added to the list for minor infractions, or simply because they are a former employee or contractor.
The whole thing is a sticky situation. On one hand, Facebook can and should be able to protect its employees from any threat of harm. On the other, the social network hardly has the best track record when it comes to guarding privacy.
Hackers show off remote control tricks in Xiaomi scooters
A report by security shop Zimperium found that Xiaomi's M365 scooter model uses a potentially insecure Bluetooth control system that is managed through a smartphone app.
The flaw is not within the scooter's hardware itself, but rather in the way the techie toys communicate with controlling devices over Bluetooth.
The researchers found that the scooter assumes whoever is running the application has already been authenticated: the password check lives entirely in the app, so anyone within Bluetooth range can send the scooter commands directly and skip the check altogether.
"During our research, we determined the password is not used properly as part of the authentication process with the scooter and that all commands can be done without the password," writes researcher Rani Idan.
"The password is only validated on the application page, but the scooter itself doesn't keep track of the authentication state."
Fortunately, it does not look like this is a threat to any of the popular rent-a-scooter services popping up in cities. Of the major scooter rental outfits we talked to, only one still used the M365, and it had closed the vulnerability long before putting the scooters on the street.
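The flaw Idan describes is a classic one: the authentication decision is made on the client, and the device executes commands without ever checking who it is talking to. The following added example (illustrative Python models, not Xiaomi's firmware, the Zimperium proof of concept, or the vendor's actual fix) contrasts a scooter that trusts the app with one that keeps per-connection authentication state and only accepts privileged commands after a challenge-response proof of the password. The command names, the connection identifiers and the HMAC-SHA256 challenge-response are all assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os


class AppOnlyAuthScooter:
    """Models the reported flaw: the phone app checks the password, and the
    scooter executes whatever command arrives over Bluetooth, remembering
    nothing about whether the sender ever authenticated."""

    def __init__(self):
        self.locked = True
        self.speed_limit = 25

    def handle(self, command, arg=None):
        # No sender identity, no auth state: every command is trusted.
        if command == "unlock":
            self.locked = False
        elif command == "lock":
            self.locked = True
        elif command == "set_speed_limit":
            self.speed_limit = arg
        else:
            return "unknown"
        return "ok"


class StatefulAuthScooter:
    """Hardened variant (an assumed design, not the vendor's patch): the scooter
    tracks which connection has proven knowledge of the password, the proof is a
    one-time challenge-response so the password never crosses the air, and
    privileged commands are refused until that proof has been given."""

    PRIVILEGED = {"unlock", "lock", "set_speed_limit"}

    def __init__(self, password: str):
        # Derive a fixed-length key from the password; the scooter only ever
        # needs the key, never the password itself.
        self._key = hashlib.sha256(password.encode()).digest()
        self.locked = True
        self.speed_limit = 25
        self._challenges = {}  # connection id -> outstanding nonce
        self._authed = set()   # connection ids that completed the handshake

    def challenge(self, conn_id) -> bytes:
        nonce = os.urandom(16)
        self._challenges[conn_id] = nonce
        return nonce

    def respond(self, conn_id, tag: bytes) -> str:
        # Each nonce is consumed on first use, so a captured tag cannot be replayed.
        nonce = self._challenges.pop(conn_id, None)
        if nonce is None:
            return "no_challenge"
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            self._authed.add(conn_id)
            return "authenticated"
        return "denied"

    def disconnect(self, conn_id):
        # Auth state is per connection and dies with it.
        self._authed.discard(conn_id)
        self._challenges.pop(conn_id, None)

    def handle(self, conn_id, command, arg=None):
        if command in self.PRIVILEGED and conn_id not in self._authed:
            return "denied"
        if command == "unlock":
            self.locked = False
        elif command == "lock":
            self.locked = True
        elif command == "set_speed_limit":
            self.speed_limit = arg
        else:
            return "unknown"
        return "ok"


def client_response(password: str, nonce: bytes) -> bytes:
    """What a legitimate app computes from the password and the scooter's nonce."""
    key = hashlib.sha256(password.encode()).digest()
    return hmac.new(key, nonce, hashlib.sha256).digest()


if __name__ == "__main__":
    weak = AppOnlyAuthScooter()
    print("app-only auth, unlock from a stranger:", weak.handle("unlock"), weak.locked)
    strong = StatefulAuthScooter("s3cret")
    print("stateful auth, unlock before handshake:", strong.handle("c1", "unlock"))
    print("handshake:", strong.respond("c1", client_response("s3cret", strong.challenge("c1"))))
    print("unlock after handshake:", strong.handle("c1", "unlock"), strong.locked)
```

The important design point is the last line of `handle` in the hardened class: the check is done by the device on every privileged command, keyed on the connection, rather than once in the app. Unlocking the scooter with the real M365 app would still look the same to the rider; only the unauthenticated path is closed.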
Mac malware spreads via Windows PC apps
A new outbreak of Mac malware infections is coming from an unlikely source: a Windows .EXE file.
Researchers at Trend Micro say the infection is an installer for the popular paid-for Little Snitch macOS security tool, being spread for free on torrent sites. Within the installer is a .EXE file, a Windows executable bundled with the Mono .NET framework, which allows the executable to launch on a Mac, download adware and log system information.
Trend believes the unusual technique is intended to evade macOS's built-in Gatekeeper security tool, which would otherwise spot the malicious activity: the operating system would block a native binary that was unsigned or from an untrusted developer, but it allows the .EXE to run.
"We are aware that this particular malware can be used as an evasion technique for other attack or infection attempts to bypass some built-in safeguards such as digital certification checks since it is an unsupported binary executable in Mac systems by design," the security firm says.
"We think that the cybercriminals are still studying the development and opportunities from this malware bundled in apps and available in torrent sites, and therefore we will continue investigating how cybercriminals can use this information and routine."
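One practical takeaway is that a Windows PE executable has no business sitting inside a macOS app bundle, and that is cheap to check for. The added example below (not code from Trend Micro or from the article) walks a directory tree and flags any file with a valid PE signature: an `MZ` DOS header whose `e_lfanew` field at offset 0x3C points at the `PE\0\0` marker. It builds its own throwaway sample bundle in a temporary directory, with a minimal constructed PE file, a decoy file whose first four bytes are the 64-bit Mach-O magic and a text file that merely starts with the letters `MZ`, so the bundle layout and file contents are assumptions made for the demonstration, not the real Little Snitch installer.

```python
import os
import struct
import tempfile

PE_SIGNATURE = b"PE\0\0"
MACHO64_MAGIC = b"\xcf\xfa\xed\xfe"  # little-endian MH_MAGIC_64, used only for the decoy


def is_pe_file(path: str) -> bool:
    """True if the file carries a PE header: 'MZ' at offset 0 and 'PE\\0\\0' at
    the offset stored in the DOS header's e_lfanew field (offset 0x3C)."""
    with open(path, "rb") as f:
        dos_header = f.read(0x40)
        if len(dos_header) < 0x40 or dos_header[:2] != b"MZ":
            return False
        e_lfanew = struct.unpack_from("<I", dos_header, 0x3C)[0]
        f.seek(e_lfanew)
        return f.read(4) == PE_SIGNATURE


def find_pe_files(root: str):
    """Relative paths of every PE executable under root, sorted for stable output."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if is_pe_file(path):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def make_minimal_pe() -> bytes:
    """Constructed: a 64-byte DOS header pointing at a PE signature at 0x40.
    Not loadable, but exactly what a header check should flag."""
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)
    return bytes(dos_header) + PE_SIGNATURE + b"\0" * 20


def make_sample_bundle() -> str:
    """Constructed sample app bundle (assumed layout) in a fresh temp directory."""
    root = tempfile.mkdtemp(prefix="bundle-scan-")
    macos_dir = os.path.join(root, "Installer.app", "Contents", "MacOS")
    os.makedirs(macos_dir)
    # Decoy native binary: only the Mach-O magic, which must not be flagged.
    with open(os.path.join(macos_dir, "Installer"), "wb") as f:
        f.write(MACHO64_MAGIC + b"\0" * 60)
    # The smuggled Windows executable.
    with open(os.path.join(macos_dir, "Installer.exe"), "wb") as f:
        f.write(make_minimal_pe())
    # Text that starts with 'MZ' but has no PE signature where e_lfanew points.
    with open(os.path.join(root, "Installer.app", "Contents", "README.txt"), "w") as f:
        f.write("MZ is just two letters here".ljust(80) + "\n")
    return root


if __name__ == "__main__":
    bundle = make_sample_bundle()
    for hit in find_pe_files(bundle):
        print("PE executable inside bundle:", hit)
```

This is a header check only; it says nothing about whether the PE is malicious, and a real scanner would also want to look for a bundled Mono runtime next to it, since that is what lets the .EXE run on macOS at all. It is a useful triage signal precisely because, as Trend notes, Gatekeeper's certificate checks do not apply to this file type.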
Microsoft sacks SAC-T
Redmond wants to make it a bit easier for companies to upgrade their PCs. To that end, Microsoft says it is doing away with the SAC-T designation on some versions of Windows.
Previously, SAC-T, or Semi-Annual Channel (Targeted), had been a designation for specific versions of Windows offered through Windows Update for Business. It existed while Microsoft worked to align the Windows and Office releases on Update for Business. That work will be completed in the upcoming Windows feature update.
"Instead, you will find a single entry for each new SAC release. In addition, if you are using Windows Update for Business, you will see new UI and behavior to reflect that there is only one release date for each SAC release," writes Microsoft's John Wilcox.
"If you use System Center Configuration Manager, Windows Server Update Services (WSUS), or other management tools, there will now only be one feature update published to WSUS, and this will occur at the time of release." ®