Hack

Zappos hack exposes personal information

by certifiedbug on January 16, 2012

in Internet Security

Beta News
By Ed Oswald

Data on up to 24 million customers of online shoe retailer Zappos was compromised according to an email sent by its CEO Tony Hsieh on Sunday. While Hsieh says that full credit card information is safe, hackers may have the last four digits of the cards.

Hackers accessed names, email addresses, physical addresses, and phone numbers. Passwords were also compromised, however in encrypted form. As a result, the company sent out an email to all its customers, advising them to change their passwords as a protective measure. Zappos is also asking customers to reset their passwords elsewhere where it may be the same.

http://betanews.com/2012/01/16/zappos-hack-exposes-personal-information-of-24-million-customers/


DigiNotar SSL Certificate Hack

by certifiedbug on September 1, 2011

in Internet Security

Microsoft Security Advisory (2607712)
Fraudulent Digital Certificates Could Allow Spoofing
Published: August 29, 2011 | Updated: August 29, 2011

Microsoft is aware of at least one fraudulent digital certificate issued by DigiNotar, a certification authority present in the Trusted Root Certification Authorities Store, on all supported releases of Microsoft Windows. Although this is not a vulnerability in a Microsoft product, Microsoft is taking action to protect customers.

Microsoft has been able to confirm that one digital certificate affects all subdomains of google.com and may be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against all Web browser users including users of Internet Explorer. Microsoft is continuing to investigate how many more certificates have been fraudulently issued. As a precautionary measure, Microsoft has removed the DigiNotar root certificate from the Microsoft Certificate Trust List.

All supported editions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 use the Microsoft Certificate Trust List to validate the trust of a certification authority. Users of these operating systems will be presented with an invalid certificate error when they browse to a Web site or try to install programs signed by the DigiNotar root certificate. In those cases users should follow the instructions in the message. Microsoft will release a future update to address this issue for all supported editions of Windows XP and Windows Server 2003.

Microsoft is continuing to investigate this issue and may release future updates to help protect customers.

http://www.microsoft.com/technet/security/advisory/2607712.mspx

Edit: V3.0 (September 6, 2011): Revised to announce the release of an update that addresses this issue.

Computerworld

Hackers may have obtained more than 200 digital certificates from a Dutch company after breaking into its network, including ones for Mozilla, Yahoo and the Tor project, a security researcher reported today.

The count is considerably higher than DigiNotar has acknowledged. Earlier this week, a company spokesman said that “several dozen” certificates had been acquired by the attackers.

http://www.computerworld.com/s/article/9219663/Hackers_may_have_stolen_over_200_SSL_certificates

Mac OS X can’t properly revoke dodgy digital certificates
http://www.computerworld.com/s/article/9219669/Mac_OS_X_can_t_properly_revoke_dodgy_digital_certificates

Firefox and Thunderbird 6.0.1 released after the Mozilla team removed DigiNotar from their root program to protect users.


WordPress warns of trojaned plugins

by certifiedbug on June 23, 2011

in Internet Security

WordPress News
June 21, 2011

Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory.

We’re still investigating what happened, but as a prophylactic measure we’ve decided to force-reset all passwords on WordPress.org. To use the forums, trac, or commit to a plugin or theme, you’ll need to reset your password to a new one. (Same for bbPress.org and BuddyPress.org.)

http://wordpress.org/news/2011/06/passwords-reset/


iTunes hack

by certifiedbug on June 9, 2011

in Internet Security

Betanews

iTunes hack goes global, new affected games identified

With Apple all but silent on the issue, it has been difficult to determine what may be the source of the problem. However, with the quantity of reports received now numbering over three dozen, a pattern has emerged: every game targeted is a free download, and the fraudulent charges are all due to in-app purchases.

For this reason, Betanews now has reason to believe that this particular hack affecting iTunes is likely sourced to an exploit existing in Apple’s in-app purchasing mechanism. It is the only similarity between every report received.

http://www.betanews.com/article/iTunes-hack-goes-global-new-affected-games-identified/1307564070?

iTunes hack widespread, and Apple appears to know about it

From the reports a pattern is emerging. Nearly every victim had a gift card balance on their account, and some have reported that their credit card and/or payment information had been removed from their account. This indicates that Apple likely is aware of the attacks, and is actively trying to protect its users.

http://www.betanews.com/article/iTunes-hack-widespread-and-Apple-appears-to-know-about-it/1307390216


Epsilon Breach

April 5, 2011

No April Fools’ Day joke: on Friday, Dallas-based online marketing firm Epsilon said that its system had been breached.

Epsilon Notifies Clients of Unauthorized Entry into Email System
IRVING, TEXAS – April 1, 2011 – On March 30th, an incident was detected where a subset* of Epsilon clients’ customer data were exposed by an [...]


Play.com confirms breach

March 22, 2011

March 21, 2011
http://certifiedbug.com/blog/2011/03/21/play-com-customer-emails-leaked/

A message sent out to customers by Play.com:

Dear Customer,
Email Security Message
We are emailing all our customers to let you know that a company that handles part of our marketing communications has had a security breach. Unfortunately this has meant that some customer names and email addresses may have [...]


More LUSH websites hacked

February 17, 2011

http://nakedsecurity.sophos.com/2011/02/15/lush-customers-check-credit-card-statements-more-websites-hacked/
http://certifiedbug.com/blog/2011/01/21/lush-website-hacked/


Zuckerberg’s Facebook fan-page reportedly hacked

January 25, 2011

According to Tech Crunch, Facebook CEO Mark Zuckerberg’s fan page was hacked and defaced. By this message, apparently:

The Raw Story
Within hours of the comment’s appearance, Zuckerberg’s fan page disappeared completely from the Facebook network. (Another page, not updated since December, is still online.) The security breach has some Facebook users wondering how well [...]


Lush website hacked

January 21, 2011

UK specific notice:

Happy Monday Dancing Lemmings
From: Lushcosmetics | January 20, 2011 | 6,364 views
We thought we would try to brighten up your day (even if it isn’t blue monday) with this uplifting video of our lovely lemmings turning frowns upside down at this depressing time of year! Enjoy.
http://www.youtube.com/lushcosmetics#p/a/u/0/tmPgKe0E7-k

I doubt victims [...]


Hackers gained access to computers of over 50 pop stars

December 3, 2010

The Telegraph
Happy with their success, the duo allegedly bragged on internet forums about their ability to hack into the computers of A-list celebrities. But prosecutors believe their main goal was unreleased musical material, which can fetch high prices on the internet. They sold some of the music they had obtained. Sven Kilthau-Lander, Universal Music’s [...]
