Twitter Hacked: About 250,000 User Accounts Possibly Compromised

Seems to be the week for large media attacks. The NY Times and WSJ were hacked earlier this week and Twitter announced earlier today that they had a security breach and the credentials for about 250,000 accounts could have been compromised.

“This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.

As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts. If your account was one of them, you will have recently received (or will shortly) an email from us at the address associated with your Twitter account notifying you that you will need to create a new password. Your old password will not work when you try to log in to Twitter.”

Apparently the culprit of the breach was, drum roll please, a Java vulnerability. Twitter recommends disabling Java if it is not necessary, using a different password for each site, and changing any weak passwords now!

“Make sure you use a strong password – at least 10 (but more is better) characters and a mixture of upper- and lowercase letters, numbers, and symbols – that you are not using for any other accounts or sites. Using the same password for multiple online accounts significantly increases your odds of being compromised.”

Apparently Twitter was able to catch the hacker in progress and shut him out. They are working with law enforcement agencies to track the attackers and shut them down.

No source has been named as to who the hackers were or where they were from. There was a lot of finger pointing at China earlier this week over the NY Times and WSJ attacks; I'm not sure I buy into that at this point. China (at least the military-backed hackers) is usually more interested in cyber espionage and targets of strategic importance.


Newspaper that Posted Map of NY Gun Owners Hacked – Database Dumped

Gun Permit Map

In one of the most controversial moves in recent journalism history, Lower Hudson Journal News (lohud.com) posted a map of NY pistol permit owners in two counties. Apparently that wasn’t enough and they tried to obtain gun owner information for additional counties. Well, allegedly the lohud site was hacked and their entire user database has been dumped and publicly released.

After the school shooting in Connecticut, it would seem that lohud.com wanted to take the gun control issue into their own hands and publicly released three interactive Google maps with the names and addresses of LEGAL pistol permit owners in the Lower Hudson NY area. Just scrolling over the map would reveal permit owners' names and addresses.

This sparked nationwide outrage, as these were not criminals, but people who went through New York's very strict procedures to legally obtain a NYS pistol permit.

“You have judges, policemen, retired policemen, FBI agents — they have permits. Once you allow the public to see where they live, that puts them in harm’s way,” said Rockland County Clerk Paul Piperato.

“Do you fools realize that you also made a map for criminals to use to find homes to rob that have no guns in them to protect themselves? What a bunch of liberal boobs you all are,” wrote Rob Seubert on the newspaper’s website.

In response, numerous bloggers have released the names, addresses, phone numbers and social media sites of several members of the Journal News editorial staff.

In a move that some see as hypocritical, the newspaper apparently hired gun-toting armed guards to protect the Journal News office building after it received threatening e-mails.

Oddly enough, Journal News recently tried to obtain gun permit information for other counties, but were turned down by permit clerks.

Apparently, this was the straw that broke the camel’s back, as hacktivists allegedly hacked the lohud website and publicly dumped the newspaper’s entire database. A Pastebin post by the user “Guest” lists a sample of the dump and includes links to download the entire list.

lohud pastebin

The dumped database seems to include over ten thousand user accounts, including names, addresses, phone numbers, and account credentials. Password hashes are also present, and it appears that some had already been cracked.

The account e-mails listed included numerous public e-mail addresses, but also many company addresses. This is really bad, as users often use the same password on numerous sites. If you have an account at lohud.com, change your password now! And if you re-use your passwords, make sure to change the passwords for all of your accounts.

Hackers Grab 12 Million Apple IDs from FBI

The hacker group Anonymous claims that they have stolen 12 million Apple Unique Device Identifier numbers (UDID), releasing 1 million publicly as “proof”. Though this in itself would be cause for concern, it doesn’t stop there. They claim that the information was stolen from an FBI agent’s laptop!

The ID breach was made public through a tweet from AnonymousIRC that linked to a Pastebin post. The post is a compilation of hacktivism rants, including Russian loans to Syria, a list of hackers that were supposedly killed or mistreated by the government, and their philosophy of life.

It does include an interesting message to NSA leader General Keith Alexander:

In July 2012 NSA’s General Keith Alexander (alias the Bilderberg Biddy) spoke at Defcon, the hacker conference in Las Vegas, wearing jeans and a cool EFF t-shirt (LOL. Wtf was that?). He was trying to seduce hackers into improving Internet security and colonoscopy systems, and to recruit them, ofc, for his future cyberwars. It was an amusing hypocritical attempt made by the system to flatter hackers into becoming tools for the state…

Well…We got the message. We decided we’d help out Internet security by auditing FBI first.

The hacker group claims the Apple ID list was stolen from FBI Special Agent Christopher Stangl’s computer. Apparently they hacked the agent’s laptop using the Atomic Reference Array Java vulnerability (CVE-2012-0507):

“During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of ‘NCFTA_iOS_devices_intel.csv’ turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.

Several questions come to mind. First of all, is the information legit? Second, if so, why would an FBI agent have a list of twelve million Apple IDs (which apparently in some cases can be used to access information just as a password would)? And lastly, how did the hacker group exploit this particular agent’s laptop and recover information from it?

Several important questions, not a lot of answers right now.

But at least one site has already popped up offering “Check to see if your Apple ID was stolen in the hack” services. As always, be very wary of these sites unless they are created by or referred from the manufacturer.

For the latest Computer Security News, follow us on Twitter @cyberarms

Analysis of Passwords Dumped from LinkedIn

I love taking a look at dumped passwords and analyzing them with Pipal by DigiNinja. Pipal is a great analytical program that takes a password dump and looks for patterns, including password lengths and complexities. I have always liked statistics and you can learn a lot from running passwords through Pipal.

I took a quick look at Pastebin and found that Stefan Venken (@StefanVenken) had already taken almost a million and a half of the LinkedIn passwords and analyzed them with Pipal. Here are some of the more interesting results:

Password length (length ordered)

  1. 6 = 281193 (20.75%)
  2. 7 = 211946 (15.64%)
  3. 8 = 444338 (32.79%)

From this portion of the cracked passwords, 8-character passwords were the most common: 444,338 users chose passwords that were exactly 8 characters long.

In fact, a whopping 69% of the passwords that were cracked were 8 characters, or less…

30% of the cracked passwords used only lowercase letters, while 45% contained just lowercase letters and numbers. And from the statistics, it looks like almost all of these were in the format of lowercase letters followed by one or more numbers, with the numbers always at the end.

Overall, only 1% of the users used passwords that were made up of mixed case letters, numbers and symbols…

And according to an article on Ars Technica, all of the usual bad passwords were present, including:

  • 123456
  • 1234567
  • 12345678
  • password
  • strongpassword
  • And of course, linkedin

People put a lot of personal information out on LinkedIn. Many do so while looking for a new job or business opportunities. Users post their education and job experience along with the groups they belong to, which is a treasure trove of information for social engineers. You would think that, of all the online social sites, users would choose a long, complex password to secure their LinkedIn account.

But as every one of the top bad passwords of 2011 was found in the dump, it truly makes one wonder: what in the world is people’s fascination with the password “monkey”???