Tens of millions more web accounts for sale after more sites hacked, Mac malware spreads via Windows.exe, and more
Standby for a 'we woz haxx0ed' email from one of these sites this week...
Roundup Let's kickstart your Monday with some lovely juicy computer security and screwups news, beyond what we reported last week.
New round of data theft claims
Throughout last week, El Reg broke the news that more than 600 million accounts details had been stolen from more than a dozen websites, and were being offered for sale on the dark web by a single seller. One by one, the companies hit by the hacker confirmed their customer records had been swiped and touted online for Bitcoin.
Just before the weekend, the miscreant put more databases up for sale on the dark web from more hacked websites. The purloined data is mostly usernames or email addresses as well as hashed passwords, sold to spammers and credential stuffers to exploit. Here's the list of account records purportedly for sale:
- Houzz: 57 million usernames and hashed passwords. The company is aware, and notified customers and law enforcement around early February that it had been ransacked by a hacker.
- YouNow: 40 million usernames and IP addresses. The company is aware, and said that no passwords were involved as it uses external sites for user authentication. YouNow says it does not believe the advertised data was stolen from its systems, and may have been scraped from its website – although that doesn't explain the IP addresses.
- ixgo: 18 million usernames and MD5 hashed passwords, which could be trivially easy to break.
- Stronghold Kingdoms: 5 million accounts and HMAC-RIPEMD160 hashed passwords.
- Roll20.net: 4 million usernames and bcrypt hashed passwords.
- ge.tt: 1.8 million usernames and sha256 hashed passwords.
- Petflow: 1.5 million usernames and MD5 hashed passwords, which could be trivially easy to break.
- CoinMama: 400,000 usernames and PHPASS hashed passwords.
- Plus, in late-breaking news: 60 million accounts from Pizap, 8 million from Gfycat, 20 million accounts from Storybird, Jobandtalent, Legendas.tv, and OneBip, 1.5 million from ClassPass, and one million from StreetEasy.
Needless to say, if you have an account on any of these sites, you should expect to hear from them shortly.
The stolen credentials were hashed, aka one-way encrypted, and some of the more secure algorithms, such as bcrypt, make it highly unlikely they could be solved to steal accounts, but it's better to be safe than sorry: wait for that password reset, and change the password on other sites where you've reused your passphrase. But we know Reg readers aren't reusing passwords across multiple sites, yeah?
Prosecutors claim Stone link to WikiLeaks
Friday afternoon's bad news dump contained a new allegation in the case against President Trump associate Roger Stone.
US prosecutors say they have copies of direct communications between Stone and Wikileaks. If proven, that would place Stone within an alleged chain of communication that went from the Guccifer 2.0 hacking operation to WikiLeaks, to Stone, and possibly to the Trump campaign.
Stone has pleaded not guilty.
In brief... Duo Security has been probing around Apple's T2 security coprocessor. A facial recognition database he Chinese government uses to track Uyghur Muslims in the Xinjiang area has been facing the public internet for months. Also, it appears Twitter keeps hold of direct messages for years, even for deleted or suspended accounts.
Facebook using tracking tools to watch 'threats'
Stop us if you've heard this one before: a newly-uncovered practice at Facebook is raising possible privacy concerns.
This time, it's a report from CNBC outlining how the social network uses its products to track users who they believe pose a credible threat to Facebook offices and employees.
Dubbed "Bolo" (short for Be On Look Out) the tool has reportedly been in use for more than a decade. When a user is added to the Bolo list, Facebook's security team gets their information as well as their location information and photos.
While Facebook maintains that the list is only used to protect its employees from credible threats of harm, the report suggests that in some cases people are added to the list for minor infractions, or because they were a former employee or contractor.
The whole thing is a sticky situation. On one hand, Facebook can and should be able to protect its employees from any threat of harm. On the other, the social network doesn't exactly have the best track record when it comes to guarding privacy.
Hackers show off remote-control tricks in Xiaomi scooters
A report by security shop at Zimperium found that Xiaomi's M365 scooter model uses a potentially insecure Bluetooth control system that can be managed through a smartphone.
The flaw is not within the scooter's hardware itself, but rather in the way the techie toys communicate with administrator devices over Bluetooth.
The problem arises in the way that Bluetooth communication occurs. The hackers found that by default the scooter assumes the person running the application has already been authenticated.
"During our research, we determined the password is not being used properly as part of the authentication process with the scooter and that all commands can be executed without the password," writes researcher Rani Idan.
"The password is only validated on the application side, but the scooter itself doesn’t keep track of the authentication state."
Fortunately, it does not look like this is a threat for any of the popular rent-a-scooter services popping up in cities. Of the major scooter carriers we talked to, only one still used the M365, and they had closed the described vulnerability long before putting the scooters on the street.
Mac malware spreads via Windows PC apps
A new outbreak of Mac malware infections is coming from an unlikely source: a Windows .EXE file.
Within the installer is a .EXE file, a Windows executable packed with the Mono .NET framework, which allows the executable to launch on a Mac and begin downloading adware and logging system information.
Trend believes the unusual behavior is done to evade macOS's built-in security Gatekeeper tool that would otherwise spot the malicious activity: in other words, the operating system would stop the malware as an unsigned binary, or from an untrusted developer, but allows the .EXE to run.
"We suspect that this specific malware can be used as an evasion technique for other attack or infection attempts to bypass some built-in safeguards such as digital certification checks since it is an unsupported binary executable in Mac systems by design," the security firm says.
"We think that the cybercriminals are still studying the development and opportunities from this malware bundled in apps and available in torrent sites, and therefore we will continue investigating how cybercriminals can use this information and routine."
Microsoft sacks SAC-T
Redmond wants to make it a bit easier for companies to upgrade their PCs. To do that, Microsoft says it is doing away with the SAC-T designation on some versions of Windows.
Previously, SAC-T, or Semi-Annual Channel (Targetted) had been designated for specific versions of Windows offered on Windows Update for Business. This was done as Microsoft was working to get the Windows and Office releases aligned on Update for Business. That work will be done in the upcoming Windows feature update.
"Instead, you will find a single entry for each new SAC release. In addition, if you are using Windows Update for Business, you will see new UI and behavior to reflect that there is only one release date for each SAC release," writes Microsoft's John Wilcox.
"If you use System Center Configuration Manager, Windows Server Update Services (WSUS), or other management tools, there will now only be one feature update published to WSUS, and this will occur at the time of release." ®
Sponsored: Becoming a Pragmatic Security Leader