Security Alerts & News
by Tymoteusz A. Góral

History
#1514 As we speak, teen social site is leaking millions of plaintext passwords
A social hangout website for teenage girls has sprung a leak that's exposing plaintext passwords protecting as many as 5.5 million user accounts. As this post went live, all attempts to get the leak plugged had failed.

Operators of i-Dressup didn't respond to messages sent by Ars informing them that a hacker has already downloaded more than 2.2 million of the improperly stored account credentials. The hacker said it took him about three weeks to obtain the cache and that there's nothing stopping him or others from downloading the entire database of slightly more than 5.5 million entries. The hacker said he acquired the e-mail addresses and passwords by using a SQL injection attack that exploited vulnerabilities in the i-Dressup website.
#1513 Sofacy APT targeting OSX machines with Komplex trojan
The prolific APT gang allegedly behind the DNC hack and other targeted attacks against Western military and political targets is using a new Trojan called Komplex to infect OS X machines used in the aerospace industry.

The gang, known as Sofacy, APT28, Fancy Bear, Sednit and Pawn Storm, is spreading the malware via phishing emails promising insight into the future of Russia’s space program, researchers at Palo Alto Networks said on Monday.

“Apple does a great job at defending OS X. The only thing being exploited here is the user. But it’s important to remember, people are still a target no matter what OS you use,” said Ryan Olson, intelligence director at Unit 42 of Palo Alto Networks.
#1512 How Dropbox securely stores your passwords
It’s universally acknowledged that it’s a bad idea to store plain-text passwords. If a database containing plain-text passwords is compromised, user accounts are in immediate danger. For this reason, as early as 1976, the industry standardized on storing passwords using secure, one-way hashing mechanisms (starting with Unix Crypt). Unfortunately, while this prevents the direct reading of passwords in case of a compromise, all hashing mechanisms necessarily allow attackers to brute force the hash offline, by going through lists of possible passwords, hashing them, and comparing the result. In this context, secure hashing functions like SHA have a critical flaw for password hashing: they are designed to be fast. A modern commodity CPU can generate millions of SHA256 hashes per second. Specialized GPU clusters allow for calculating hashes at a rate of billions per second.

Over the years, we’ve quietly upgraded our password hashing approach multiple times in an ongoing effort to stay ahead of the bad guys. In this post, we want to share more details of our current password storage mechanism and our reasoning behind it. Our password storage scheme relies on three different layers of cryptographic protections, as the figure below illustrates. For ease of elucidation, in the figure and below we omit any mention of binary encoding (base64).
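The gap the post describes between a fast hash and a deliberately slow one is easy to measure. The following is an added example, not Dropbox's code and not a reproduction of their layered scheme: it stores one password under unsalted SHA-256 and under salted PBKDF2-HMAC-SHA256 (used here as a stand-in for any slow password hash; the iteration count is an assumed work factor), runs the same offline dictionary attack against both, and reports how many guesses per second a single CPU core manages in each case. The wordlist is constructed for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional, Tuple

# Constructed sample wordlist standing in for an attacker's password list.
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon", "hunter2", "trustno1"]

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the slow scheme


def fast_hash(password: str) -> str:
    """Unsalted SHA-256: the fast, general-purpose hash the post warns against."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256: every guess costs `iterations` HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def new_slow_record(password: str) -> Tuple[bytes, bytes]:
    """What a database row would hold for the slow scheme: a random per-user salt and the hash."""
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)


def crack_fast(target_hex: str, wordlist) -> Optional[str]:
    """Offline dictionary attack against an unsalted SHA-256 hash."""
    for candidate in wordlist:
        if hmac.compare_digest(fast_hash(candidate), target_hex):
            return candidate
    return None


def crack_slow(salt: bytes, target: bytes, wordlist,
               iterations: int = PBKDF2_ITERATIONS) -> Optional[str]:
    """The same attack against a salted PBKDF2 record; the salt must be attacked per user."""
    for candidate in wordlist:
        if hmac.compare_digest(slow_hash(candidate, salt, iterations), target):
            return candidate
    return None


def guesses_per_second(guess_fn: Callable[[str], object], seconds: float = 0.2) -> float:
    """Measure how many guesses one CPU core makes with the given hash in `seconds`."""
    count = 0
    start = time.perf_counter()
    deadline = start + seconds
    while time.perf_counter() < deadline:  # always runs at least once
        guess_fn("guess%d" % count)
        count += 1
    return count / (time.perf_counter() - start)


def compare_schemes() -> dict:
    """Return the measured single-core attacker guess rate for both schemes."""
    salt = os.urandom(16)
    return {
        "sha256_per_s": guesses_per_second(fast_hash),
        "pbkdf2_per_s": guesses_per_second(lambda pw: slow_hash(pw, salt)),
    }


if __name__ == "__main__":
    stolen_fast = fast_hash("hunter2")
    print("fast scheme cracked:", crack_fast(stolen_fast, WORDLIST))
    salt, stolen_slow = new_slow_record("hunter2")
    print("slow scheme cracked:", crack_slow(salt, stolen_slow, WORDLIST))
    rates = compare_schemes()
    print(f"SHA-256 guesses/s: {rates['sha256_per_s']:,.0f}")
    print(f"PBKDF2 guesses/s:  {rates['pbkdf2_per_s']:,.1f}")
```

Both attacks recover a weak password that is on the list; the difference is cost. The unsalted SHA-256 table also lets an attacker spot every user who shares a password (identical digests) and reuse precomputed tables, while the per-user salt forces each record to be attacked separately. Note that this toy runs in pure Python on one core; the post's point is that the same ratio holds, with far higher absolute numbers, on GPU clusters.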
#1511 Drupal patches multiple security flaws in core engine
Drupal has issued a security update which resolves three security flaws, two of which are deemed critical.

Earlier this week, the open-source website content management system (CMS) released a security advisory detailing the latest security issues which have been both discovered and fixed.

The three vulnerabilities, assigned as SA-CORE-2016-004, affect versions 8.x of the CMS and users are now advised to upgrade to Drupal 8.1.10.

The first bug, considered the least dangerous of the three, allows users without admin rights to set comment visibility on nodes they have rights to edit. By default, these user accounts should not be able to make these changes.
#1510 MarsJoke ransomware mimics CTB-Locker
Ransomware in its various forms continues to make headlines as much for high-profile network disruptions as for the ubiquity of attacks among consumers. We recently noted the non-linear growth of ransomware variants and now a new type has emerged, dubbed MarsJoke.

Proofpoint researchers originally spotted the MarsJoke ransomware in late August [1] by trawling through our repository of unknown malware. However, beginning on September 22, 2016, we detected the first large-scale email campaign distributing MarsJoke. This ongoing campaign appears to target primarily state and local government agencies and educational institutions in the United States.

The targeting of state and local government agencies as well as the distribution methods are very similar to a CryptFile2 campaign we described in August [2]. Gary Warner's blog also reported on this and similar campaigns, indicating that a well-known botnet, Kelihos, is responsible for distributing this spam.