Snapchat: In ‘theory’ you could hack… Oh CRAP is that 4.6 MILLION users’ details?

Hackers claim to have lifted millions of Snapchat usernames and phone numbers, apparently taking advantage of a vulnerability that the messaging service last week dismissed as mostly theoretical.

A partially redacted database of 4.6 million usernames and phone numbers (minus the last two digits) – purportedly of Snapchat users – has been released by the miscreants through a site called SnapchatDB.

The Snapchat app is designed to allow users to send photos that are only supposed to be viewable for a few seconds before they are automatically deleted. A flaw in a feature of the photo-sharing app, originally designed to allow users to locate their friends on Snapchat through their name and phone number, emerged last week.

As previously reported, Australian security outfit Gibson Security explained how to access any phone number and username from the smartphone photo-sharing service to underline its concerns.

There was no limit on how many lookups someone could carry out each minute, a shortcoming that made it possible to mount a brute-force enumeration of phone numbers. In response, Snapchat put out an advisory dismissing the lack of rate-limiting as no great concern:

Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse.

Describing a vulnerability as “theoretical” is the net security equivalent of waving a red flag at a bull. Sure enough, hackers picked up the implied challenge to prove Snapchat wrong. The “additional counter-measures” and “safeguards” came too late to prevent third-party hackers from lifting the usernames and numbers of millions of users of the smartphone app. Snapchat has yet to confirm the leak, but the contents of the database look authentic, so caution is advised.
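The missing control described above is a per-client limit on how often the find-friends lookup may be called. The following is an added illustration of that mitigation; it is not Snapchat's code, and the endpoint name `find_friend`, the client identifier, the sample directory and the `FakeClock` are all constructed for the example. It shows a sliding-window limiter in front of a phone-number-to-username lookup, and a simulated bulk scan to demonstrate how few lookups a single client can complete once the limit is enforced.

```python
import time
from collections import defaultdict, deque

# Constructed sample directory (phone number -> username); not real data.
SAMPLE_DIRECTORY = {
    "+15550100": "alice_snaps",
    "+15550101": "bob.pics",
    "+15550102": "carol_c",
}


class FakeClock:
    """Deterministic clock so the example runs the same way every time."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class SlidingWindowLimiter:
    """Allow at most `limit` calls per `window` seconds for each client key."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits = defaultdict(deque)  # client_id -> timestamps of recent calls

    def allow(self, client_id):
        now = self.clock()
        hits = self._hits[client_id]
        # Discard timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False  # over budget: reject without touching the directory
        hits.append(now)
        return True


class RateLimited(Exception):
    """Raised when a client exceeds its lookup budget."""


def find_friend(client_id, phone, limiter, directory=SAMPLE_DIRECTORY):
    """Hypothetical lookup endpoint: phone number -> username, rate limited per client."""
    if not limiter.allow(client_id):
        raise RateLimited(f"client {client_id} exceeded {limiter.limit} lookups "
                          f"per {limiter.window:.0f}s")
    return directory.get(phone)


def simulate_enumeration(numbers, limit=5, window=60.0, seconds_per_attempt=0.1):
    """Run a constructed bulk scan by one client and count what the limiter lets through."""
    clock = FakeClock()
    limiter = SlidingWindowLimiter(limit, window, clock=clock)
    stats = {"allowed": 0, "blocked": 0, "matched": 0}
    for phone in numbers:
        try:
            if find_friend("scanner", phone, limiter) is not None:
                stats["matched"] += 1
            stats["allowed"] += 1
        except RateLimited:
            stats["blocked"] += 1
        clock.advance(seconds_per_attempt)
    return stats


if __name__ == "__main__":
    # A constructed sweep of 100 consecutive numbers at 10 lookups per second.
    sweep = [f"+1555{n:04d}" for n in range(100, 200)]
    print(simulate_enumeration(sweep))
```

Keying the limiter on the calling account (or device) rather than only on source IP matters here, since a scanner can spread requests across addresses; a second layer that caps lookups per account per day and alerts on accounts approaching that cap would make a sweep of a whole area code visible long before it completes.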

Gibson Security only went public with its discovery last week, months after it first found the problem in August 2013, having grown increasingly frustrated by Snapchat’s perceived lack of action on the security hole. The third-party hackers behind the breach are offering to share full details of the leak under unspecified conditions:

This database contains username and phone number pairs of a vast majority of the Snapchat users. This information was acquired through the recently patched Snapchat exploit and is being shared with the public to raise awareness on the issue. The company was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it. For now, we have censored the last two digits of the phone numbers in order to minimize spam and abuse. Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it.

Commentary on the security implications of the incident can be found in blog posts by Graham Cluley (here) and Paul Ducklin on the Sophos Naked Security blog here.

[Source: The Register]

Palo Alto Networks Discovers Another New Internet Explorer Vulnerability

Following his discovery of 3 critical vulnerabilities in Microsoft Internet Explorer (IE) last month, Palo Alto Networks Researcher Bo Qu has identified another new vulnerability (CVE-2013-5052) in Internet Explorer, documented in Microsoft Security Bulletin MS13-97. This new critical vulnerability impacts IE version 7, potentially exposing a large population of users without the Microsoft patches or other protections released today.

Think of this vulnerability as a silent and effective method of delivering malware with a simple click on a link, or a visit to a webpage. Gone are the days when users had to click “Download” or “Accept” to install software; when exploited, vulnerabilities like this can deliver an attacker’s malware of choice to take control of systems and infiltrate networks. The delivery methods usually center around “drive-by” downloads or integration with sophisticated web attack toolkits.

What can you do to protect yourself or your organization? Today, Palo Alto Networks released an IPS Vulnerability Protection update that ensures our customers are safe from the potentially thousands of exploits against this vulnerability, even without downloading the Microsoft patch. Palo Alto Networks has also released protections against 6 other critical vulnerabilities covered in the December 2013 Security Bulletin from Microsoft.

These vulnerabilities were disclosed to Microsoft as part of Palo Alto Networks’ commitment to responsible disclosure guidelines. Furthermore, we participate in the Microsoft Active Protections Program (MAPP), which ensures the timely, responsible disclosure of new vulnerabilities and allows security vendors to create protections for them, so that customers are protected as soon as the vulnerabilities are announced publicly.

[Source: Palo Alto Networks Research Center]

G-20 Hacked by “Chinese” hackers with naked pictures of Carla Bruni social engineering attack

Security researchers have discovered that Chinese computer hackers dangled the promise of nude photos of former French first lady Carla Bruni as bait to lure in targeted foreign ministries during a Group of 20 economic summit in Paris in 2011. And the scheme worked, for the most part.

According to a report published by computer security firm FireEye on Tuesday, cyberattackers homed in on the annual G-20 meeting of central bank governors and foreign ministries and breached senior officials’ high-priority computer networks via an email with the subject line “French First Lady nude photos!” The report also said the attack was not isolated and the hackers have been active since 2010.

The email contained malware code hidden in the link to the alleged photos. Once opened, the email was forwarded along to others.

“Almost everybody who received the email took the bait,” a government source in Paris told Australia’s The Daily Telegraph.

An anonymous source close to the investigation told The New York Times that five of the ministries attacked were from the Czech Republic, Portugal, Bulgaria, Latvia and Hungary.

However, investigators could not confirm the identity of the hackers or which specific files were breached.

“Beyond the fact they are Chinese, we don’t know who the attackers are or what their motivations might be,” Nart Villeneuve, a researcher for the FireEye report, told the Times.

If only the easily swayed foreign ministries had known nude photos of the former super model and songwriter have been circling the Web for years from past photo shoots. Sigh.

This isn’t the first instance of alleged hacking at a G-20 gathering. Just last month former National Security Agency contractor Edward Snowden leaked NSA documents accusing the U.S. and Canada of spying on top leaders during both the G-20 and G-8 summits in Toronto in 2010.

Additional Information:

Source: http://www.huffingtonpost.com/2013/12/12/carla-bruni-nude-photos-hack_n_4433764.html

VMware patches vulnerability with Windows XP, 2003 guests

Summary: When running under VMware Workstation, Fusion, ESX or ESXi hypervisors, old versions of Windows are vulnerable to privilege escalation.

VMware has issued an update for several of their hypervisor products to address a privilege escalation vulnerability when running Windows XP, Windows Server 2003 and older versions of Windows as a guest operating system.

The products are VMware Workstation, VMware Fusion, and VMware ESXi and ESX. The vector for the attack is a VMware device driver, LGTOSYNC.SYS. The file properties for this driver describe it as “VMware/Legato Sync Driver.”

The hypervisor itself is not exploitable through this vulnerability, but an unprivileged Windows process could elevate privilege under Windows. Presumably it could attain the privileges under which LGTOSYNC.SYS runs, but the advisory does not specify what level this is.

Updated versions may be downloaded at these pages:

About 

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years.

[Source: ZDNet]

Technology Controls Against APTs ‘Not Working’: Study

As IT security practitioners struggle to defend against APTs (Advanced Persistent Threats), a new study by the Ponemon Institute finds malware installed via zero-day exploits presents the biggest threat to corporate data.

After surveying 755 IT security professionals who are involved in protecting organizations from targeted attacks, the Ponemon Institute found that current technology controls against APTs “are not working” and warned that the average cost to restore a company’s reputation following an APT attack is in the range of $9.4 million.

Not surprisingly, the Institute found that malware is almost always used as the source of an APT attack. More than half of the respondents (68%) say zero-day attacks that look to bypass firewalls, intrusion detection systems, and anti-malware programs are the greatest threats to an organization.

The security pros say third-party software from Oracle (Java) and Adobe (Reader) poses the most risk because these are the applications for which it is hardest to ensure that all security patches have been fully applied in a timely fashion.

According to the study, the security practitioners also complained about difficulties in managing security patches from Microsoft (Windows) and Adobe (Reader and Flash).

Despite these risks, 75% of those surveyed acknowledged that their company continued to use Java and Reader in the production environment knowing that vulnerabilities exist and a viable security patch is unavailable.

The security professionals explained that the company could not afford the cost of downtime waiting for the patch to be implemented; or they simply did not have the professional staff available to implement a security patch.

In the case of Oracle Java, the survey found that Java vulnerabilities are very difficult to fix (patch) or resolve. Sixty-one percent of respondents say that a realistic timeframe for patching Java in their organization is once per month or quarter. Despite the risk posed by Java, 55% of respondents say it is nearly impossible to replace it with a less risky alternative.

Although the main approaches to detecting APTs are intrusion detection systems (IDS), anti-malware software and intrusion prevention systems (IPS), more than half of the respondents say they discovered an APT by accident.

On average, it took about 225 days to detect APTs launched against an organization, according to the study.

Ryan is the host of the podcast series “Security Conversations – a podcast with Ryan Naraine”. He is the head of Kaspersky Lab’s Global Research & Analysis team in the USA and has extensive experience in computer security user education, specializing in operating system and third-party application vulnerabilities, zero-day attacks, social engineering and social networking threats. Prior to joining Kaspersky Lab, he monitored security and hacker attack trends for over 10 years, writing for eWEEK magazine and the ZDNet Zero Day blog. Follow Ryan on Twitter @ryanaraine.

[Source: SecurityWeek]