Who Has Been Hacked This Week?

I’m thinking of changing the name of this blog to Who Has Been Hacked This Week?  Perhaps we’ll take a poll and place bets, the winner gets to change all their passwords (again) for a few days – until the next major security breach.
In the past week alone we’ve heard about NVIDIA, Yahoo!, Billabong, Formspring, Android Forums, PBS, WHO, Exxon, BP, Shell, Gazprom, Rosneff, Asus and ISPdirectory.co.z.

A hacker posted to Pastebin a list of what he called NVIDIA Admin Hashes, as part of  The Apollo Project. The 800 leaked accounts included numerous nvidia.com email addresses, plus Hotmail and Gmail Webmail accounts, as well as corporate accounts at ARM, Bloomberg, Fibertek, Givex, Honda, Patriot Memory, and many other companies. Apparently the list was only a “partial dump” of purloined data. In addition, the post also warned that NVIDIA’s online store had been hacked. That led NVIDIA to also suspend operations for the NVIDIA Gear Store.

Yahoo! confirmed that over 450,000 usernames and passwords were stolen and published in PLAINTEXT by group D33D Company as a warning for Yahoo! to step up their security.  Which can’t be all bad, right?

A little over 21,400 passwords were leaked from Australian company Billabong.  The WikiBoat collective, as part of WikiBoatWednesday, wanted to highlight the firm’s fragile security measures – which they’ve achieved, as Billabong protected their passwords with nothing (plaintext, for all to see and understand…)

Formspring, a social question and answer site, had around 420,000 usernames and passwords compromised.  But in this case the passwords were all hashed and salted (much better security practices than Yahoo! and Billabong), and Formspring were very upfront about the hack and have reset all passwords as a precaution.

Exxon, BP, Shell, Gazprom and Rosneff, were all targets as part of an operation similar to OpSaveTheArctic, the targets were breached and the employee accounts used to sign the petition at http://www.savethearctic.org.  This is, in my opinion, is “hacktivism” at its best, good luck to le4ky and Anonymous cohorts.

The World Health Organisation (WHO) was allegedly hacked by NullCrew because of pathetic health-care, “our Health-Care system has never been what it should be. Thousands of people are dying just because of this. Either waiting in the waiting room for too long, or not being able to pay the extreme amounts to be cared for.”

NullCrew have also taken credit for the Public Broadcasting Service, in which close to 1,000 email addresses and clear-text passwords were published.  ”We hacked PBS.org, for reason of broadcasting false information, and misleading the public.”

NullCrew have also claimed responsibility for posting 23 administrator usernames and passwords from ASUS, publishing them on Pastebin and urging everyone to try them out.

South Africa’s leading ISP directory site, http://www.ispd.co.z was hacked, also by NullCrew (who is very busy) and over 400 usernames, domains and passwords pasted on pasteBay in plaintext format.  I’m not sure why though, as all the other attacks had specific reasoning.

I’m sure that there have been more that I’m not immediately aware off, let me know in the comments.  And let me know who you think is next!

Microsoft Sidebar a Serious Security Vulnerability

Microsoft has released a security advisory detailing the vulnerabilities in the windows Sidebar that could potentially be a gateway for remote arbitrary code execution when running insecure Gadgets.  The Sidebar is an application on computers that run Vista and some versions of Windows7 and can show realtime updates of news, weather, RSS feeds and more, but also included games and puzzles and even dashboards to show how your computer is running – all according to which widget you download or purchase to customize the sidebar.   Apparently if the current user is logged on with administrative user rights, an attacker could take complete control of the affected system.  Programs could be installed; data viewed, changed, or deleted; and new accounts created with full user rights.

Microsoft, in response, has issued a quick deactivation for the sidebar and has removed the ‘Desktop Gadgets‘ application.  According to the old gadgets page “gadgets installed from untrusted sources can harm your computer and can access your computer’s files, show you objectionable content, or change their behavior at any time”.

Microsoft has been in the spotlight a lot recently in regards to ignoring best security practices and leaving a lot of vulnerabilities.  The most notable of these is the Flame Malware.  Attackers decrypted the Message-Digest Algorithm (MD5), (proven vulnerable since at least 1996 and now obsolete) that Microsoft was using, to forge Microsoft Certificates and plant the malware as security updates.  Quite a large security oversight.

If you have a Windows Sidebar please visit this page and click on the relevant “Fix it” link.  If you have had any security issues due to your Sidebar or Gadgets, or have any thing else to add, then please post a comment.

How Safe Is Your Password?

In the last few weeks there have been a LOT of password hacks on some pretty huge websites.  This is a list of the ones I can think of without Googling:

WHMCS – massive breach with over 1.7G of User, password and credit card information taken and posted online for anyone to decrypt.

Linkedin – over 6 million passwords stolen

eHarmony – around 1.5 million passwords stolen

Last.fm – around 17.3 million passwords stolen

Twitter – in May around 55,000 passwords and usernames leaked.

The Department of Homeland Security and the U.S. Navy – these database hacks include usernames, passwords, email IDs, security questions and answers for all their users.

And just this morning I got an email from techradar.com stating that their user registration database has been compromised and user details including username, email address, date-of-birth and encrypted passwords have been stolen in the process.

The problem with websites that ask for a password is the best practices used to ensure that your password is safe from decryption if the website is hacked.  Most ask for alpha-numeric, at least 8 characters long with at least 2 digits.  This is not going to help you if the website is using MD5 or SHA-1 hash algorithms to keep your password secure.  Hackers can use ‘guesses’ to find passwords; for example if they try ‘password21′ or ‘mydogbob’ then they will be able to see a list of usernames that will go with those passwords.  And this isn’t just some gob sitting at a keyboard trying to come up with word and number combinations, there are programs to do this for them.  Any word in any language, as well as short random letters and digits, can be checked at thousands per second.

The only way to ensure that you’re not part of the breach statistics is to have an ‘un-guessable’ password.

Here is a cartoon that’s been making the rounds for a while that explains what I’m talking about

If the site you’re entering a password into has one of those “you can not use dictionary words” warnings then there is still something you can do.  Find a passage in a book or a line from your favorite poem and use the first letter from each word – with some symbols thrown in for good measure: CTROBCTMO&BHW (that’s the first few lines of ‘The Emperor of Ice-Cream’ by Wallace Stevens) then add a few letters to describe the site you’re logging onto, so this one would be CTROBCTMO&BHW*WordP.  No one is going to guess that.

The lesson in all these password hacks is that if the companies you are logging onto are not going to use best security practices for information or the manner that the information is encrypted, then it falls on you to have best security practices of your own.

UPDATE: I just learned that Tuts+ Premium was hacked and all user details were stored in CLEARTEXT which means no encryption at all. If that happens then I’m afraid that all your best password practices won’t help you.  Change your password.