LinkedIn Passwords Stolen and Posted Online

Numerous security sites are abuzz about an estimated 6.5 million LinkedIn passwords that have allegedly been stolen. According to reports, about 300,000 have been cracked and were posted in clear text on Russian forums.

Earlier today, LinkedIn confirmed in a blog post that some of the passwords did in fact correspond to LinkedIn accounts. They also provided information on how they are handling the data breach:

  1. Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.
  2. These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in this email. Once you follow this step and request password assistance, then you will receive an email from LinkedIn with a password reset link.
  3. These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.

LinkedIn is continuing to investigate the breach. Until then, the best bet is to immediately change your password. LinkedIn’s recommendations for strong passwords can be found here.

AT&T Hackers Funded Pakistan Terrorist Group that Struck India

Four hackers who funded a terrorist group possibly linked to the deadly 2008 terrorist attacks in Mumbai, India, have been arrested in the Philippines. According to a Fox News article, the Philippine Criminal Investigation and Detection Group (CIDG), working with the FBI, arrested the 4 suspects late Thursday. The suspects allegedly stole 2 million from AT&T, according to the CIDG.

“The hackers were working on commission for a terrorist group linked to Muhammad Zamir, according to the Philippine police. Zamir, a Pakistani, was arrested in Italy in 2007, where he was running a call center and allegedly buying information from Filipino hackers.”

Though not mentioned by name, the group that allegedly was to receive the stolen funds was the Pakistani militant group Lashkar-e-Taiba.

A later article today on states that AT&T denies that it was hacked and that it only assisted law enforcement with the investigation:

“AT&T, the No. 2 U.S. mobile provider, said it “ended up writing off some fraudulent charges that appeared on customer bills” but did not comment on the $2 million figure.

“AT&T and its network were neither targeted nor breached by the hackers,” AT&T spokeswoman Jan Rasmussen said. “AT&T only assisted law enforcement in the investigation that led to the arrest of a group of hackers.”

It is alarming how many times Pakistan’s name comes up when terrorism is involved. Not too long ago, Osama Bin Laden was taken out by American special forces in his hideout that was near a Pakistan military base. One has to wonder just how strong an ally they really are in the war against terror.

Water Utilities Hacked, End of the World Imminent

By now you have probably heard about the Water Utilities that have reportedly been hacked. But is this the advanced uber world ending SCADA cyber attack that we have all been warned of? You know, the one that ends life as we know it and sends us back to the stone age? No, hate to disappoint, but it is not.

Then, what is it?

“This was barely a hack. A child who knows how the HMI that comes with Simatic works could have accomplished this. I’m sorry this ain’t a tale of advanced persistent threats and stuff, but frankly most compromises I’ve seen have been a result of gross stupidity, not incredible technical skill on the part of the attacker. Sorry to disappoint.”

Says hacker “Pr0f” in an e-mail interview with Threat Post. Pr0f allegedly hacked into a South Houston Water plant after becoming frustrated with reports that surfaced after the Illinois Water Plant was attacked:

“My eyes were drawn, nay, pulled, to a particular quote:

‘In an email sent several hours after this article was first published, DHS spokesman Peter Boogaard wrote: “DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield Illinois. At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”’

This was stupid. You know. Insanely stupid. I dislike, immensely, how the DHS tend to downplay how absolutely F***** the state of national infrastructure is. I’ve also seen various people doubt the possibility an attack like this could be done.”

Pr0f said in a post on Pastebin that included pictures allegedly from the South Houston Water Plant (one, as posted on The Register, is used as the graphic for this post).

In the Threat Post article, Pr0f claims to have used a “scanner that looks for the online fingerprints of SCADA systems.” Shodan, dubbed the “Google for Hackers,” comes to mind. Just surf to Shodan’s website and you are greeted with, “Expose Online Devices. Webcams. Routers. Power Plants. iPhones. Wind Turbines. Refrigerators. VoIP Phones.”

Power Plants? That is kind of unnerving. But anyone who has used Shodan knows that with the right keyword search many unsecured or lightly secured systems can be found. Pr0f claims that the South Houston site was protected by a three-letter password!

This brings up numerous questions that must be asked and answered:

  • Why can public utility systems that are completely unprotected or only lightly protected be found through simple online searches? Especially after years of warnings of possible hacker attacks?
  • Why haven’t Federal agencies used the same search engines to look for open utilities and locked them down? Does the Federal Government even have a “Red Team” to do this?
  • Why would utilities themselves (again after several years of warnings) use a three character or easily guessable password to secure systems available online? Aren’t there rules set for password length and complexity for public utilities?

The press seems to be making this out as the missing link of cyber attacks: the proof needed that an “End of the World” attack is not only possible, but imminent. But so far, the proof available seems to show that this is nothing of the sort.

The closest call that I have ever heard of had nothing to do with hackers. Working in the Oil & Gas sector for a while I heard a nuclear power plant executive engineer tell a harrowing story.

A while ago, an engineer was looking for a gas leak near a Nuclear Power plant control room. He was in an area that has ALL the wires running through it that enter into the control room. He caught the room on fire, but they were able to put it out in time before any wires or controls were damaged.

How did he do this? He was using his lighter as a light to find the gas leak!

Our infrastructure will be much safer if and when utility providers are held to secure their systems, are checked and tested for security regularly and all lighters are banned from vulnerable areas!

Steam Announces Skyrim is Available Today, and they were Hacked…

Anxious to download the Elder Scrolls saga’s latest amazing looking installment?

And who isn’t?

Just change your password first.

Steam announced yesterday through the “Latest News” section of the Steam client that they were compromised on November 6th. At first Steam thought only the forums were defaced, but after doing a thorough investigation they found that their database holding user account information and encrypted credit cards was compromised.

So if you have a Steam account, keep an eye on your credit card statement and change your Steam passwords.

Hopefully this will not lead to an extended game network outage like Sony users have experienced.