Category Archives: News and Events

Article: Hacked Yahoo Data Is for Sale on Dark Web

“Some time around August 2013, hackers penetrated the email system of Yahoo, one of the world’s largest and oldest providers of free email services. The attackers quietly scooped up the records of more than 1 billion users, including names, birth dates, phone numbers and passwords that were encrypted with an easily broken form of security.

The intruders also obtained the security questions and backup email addresses used to reset lost passwords — valuable information for someone trying to break into other accounts owned by the same user, and particularly useful to a hacker seeking to break into government computers around the world: Several million of the backup addresses belonged to military and civilian government employees from dozens of nations, including more than 150,000 Americans.

No one knows what happened to the data during the next three years. But last August, a geographically dispersed hacking collective based in Eastern Europe quietly began offering the whole database for sale, according to Andrew Komarov, chief intelligence officer at InfoArmor, an Arizona cybersecurity firm, who monitors the dark corners of the internet inhabited by criminals, spies and spammers. Three buyers — two known spammers and an entity that appeared more interested in espionage — paid about $300,000 each for a complete copy of the database, he said.

The attack, which Yahoo disclosed on Wednesday, is the largest known data breach of a company. And neither Yahoo nor the public had any idea it had occurred until a month ago, when law enforcement authorities came to the company with samples of the hacked data from an undisclosed source.

Yahoo still does not know who broke into its systems in 2013, how they got in or what they did with the data, the company said Wednesday. It has made more progress tracking down a separate hacking episode in 2014, which compromised 500 million email accounts and was disclosed in September. The company has said it believes the 2014 attack was sponsored by a government entity but has not identified it.

The Federal Bureau of Investigation said in a statement that it was investigating the Yahoo breach. Attorney General Eric T. Schneiderman of New York also said his office was in touch with Yahoo to examine the circumstances of the data breach.

Security experts and former government officials warned that the real danger of the Yahoo attack was not that hackers gained access to Yahoo users’ email accounts, but that they obtained the credentials to hunt down more lucrative information about their targets wherever it resided across the web.

“This wasn’t an attack against Yahoo, but rather reconnaissance to launch other campaigns,” said Oren Falkowitz, a former analyst at the National Security Agency who now runs Area 1, a Silicon Valley security start-up.

“Inactive or not, a billion user accounts and hashes means attackers have a golden key for new phishing attacks,” he said. In a phishing attack, a hacker often poses as a trusted contact and tries to induce the recipient of an email to click on a malicious link or share sensitive information.

Users routinely ignore advice to use different passwords for their different accounts across the web, which means a stolen Yahoo user name and password could open the door to more sensitive information in online-banking, corporate or government email accounts.

Mr. Komarov said the group that hacked Yahoo in 2013, which he calls Group E, appeared to be motivated by money, not politics. It is believed to have broken into the systems of major American internet companies like LinkedIn, Myspace, Dropbox and Tumblr, as well as foreign-owned services like VKontakte, a Russian social network similar to Facebook.

Group E sometimes sells complete copies of the data, Mr. Komarov said. It also combines information from different hacking forays into a master database. Like a corporate marketer, it peddles chunks of the data to spammers seeking to reach specific audiences, like middle-aged women who live in certain ZIP codes. It sometimes operates through intermediaries.

That database of 1 billion Yahoo accounts, Mr. Komarov said, is still for sale, although current bids are coming in at $20,000 to $50,000 since the data is much less valuable now that Yahoo has changed the passwords.”


Article: 1 Billion Yahoo Accounts Stolen

“Yahoo has suffered another hack.

The company disclosed today that it has discovered a breach of more than one billion user accounts that occurred in August 2013. The breach is believed to be separate and distinct from the theft of data from 500 million accounts that Yahoo reported this September.

Troublingly, Yahoo’s chief information security officer Bob Lord says that the company hasn’t been able to determine how the data from the one billion accounts was stolen. ‘We have not been able to identify the intrusion associated with this theft,’ Lord wrote in a post announcing the hack.

‘The stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers,’ Lord added.

Yahoo was alerted to the massive breach by law enforcement and has examined the data with the help of outside forensic experts. The data does not appear to include payment details or plaintext passwords, but it’s still bad news for Yahoo account holders. The hashing algorithm MD5 is no longer considered secure and MD5 hashes can easily be looked up online to discover the passwords they hide.

Yahoo says it is notifying the account holders affected in the breach. Affected users will be required to change their passwords.

Yahoo also announced today that its proprietary code had been accessed by a hacker, who used the code to forge cookies that could be used to access accounts without a password. ‘The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. We are notifying the affected account holders, and have invalidated the forged cookies,’ Lord said, adding that he believed the attack was launched by a state-sponsored actor.

Today’s revelations add to Yahoo’s long string of security problems. Yahoo employees reportedly knew of the intrusion that led to the theft of data from 500 million users as early as 2014, but the company did not announce the breach until this September. What Yahoo executives knew about the breach, and when they knew it, have been crucial questions in Verizon’s ongoing acquisition of Yahoo. Yahoo did not disclose the first breach until several months after the deal was announced.”

“What can users do to protect their account?

  • Change your passwords and security questions and answers for any other accounts on which you used the same or similar information used for your Yahoo account;
  • Review all of your accounts for suspicious activity;
  • Be cautious of any unsolicited communications that ask for your personal information or refer you to a web page asking for personal information;
  • Avoid clicking on links or downloading attachments from suspicious emails; and
  • Consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password on Yahoo altogether.”


Article: How to protect yourself while online shopping for the holidays

A recent article from Mashable provides research geared towards protecting yourself online while shopping for the holidays:


With many retailers offering internet-only promotions to go along with their in-store doorbusters, more Americans than ever seem to be choosing to stay home to take advantage of the best deals of the season.

Research from Visa projects an 18 percent increase in online holiday spending this year, which follows 16 percent growth over the 2015 season from the year before. That uptick in 2015 resulted in about $11 billion of online sales over the five-day Thanksgiving weekend period (Thanksgiving Day through Cyber Monday). That’s why it’s essential that shoppers protect themselves and their personal information more than ever in 2016. Especially since “25 percent of all security breaches [are] taking place in the retail sector,” said Experts Exchange COO Gene Richardson in a statement to Mashable.

As a former head of the data security teams of IBM, Charles Schwab and Motorola, Richardson has extensive experience advising companies and consumers alike on how to avoid fraud and protect their identities online.

With that in mind, he’s assembled a set of helpful online shopping safety tips:

1. Ensure that the website address is secure and has a valid encryption certificate. It will usually display a “locked, green” indicator in front of the website name. If it doesn’t have that, it does not have a higher level of security that has been guaranteed by a known entity like Verisign, Symantec and others.

2. Ensure your system has the most recent recommended system and security patches.

3. Always use a credit card that is not tied directly to your personal bank account(s), even if you are using PayPal, Bitcoin or some other payment method.

4. Never give anything other than name, address and phone number. You should not need to answer security or privacy questions when making a purchase or checking out. If they ask, see if you can check out as a “guest” instead.

5. Monitor your credit through a third party for identity theft and have SMS and email alerts sent to you immediately.

6. Set up alerts with your credit card company that send both SMS and emails when any purchases are made and the credit card was not scanned (meaning, it wasn’t in someone’s hand when the charge was made). Set them as low as $25 per purchase. Also, set up alerts for total purchases over $500 in a billing period to protect against multiple $24.99 purchases. And if possible, set a maximum amount of purchases allowed in a billing period, such as $1500, before the card will get declined.

7. Ensure that you have a reputable Antivirus program running on your computer and that your browser has an Ad blocking plug-in.

8. Ensure that the network your computer/device is on is secure and you know who has access to your network. This is usually done with your router. You want to lock down your router so that traffic can be initiated from the inside-out but you do not want traffic to be initiated from the outside-in. If you are using a WiFi connection, make sure that network is also secure and requires a password to join. If it is a public WiFi network that doesn’t require a password, then the traffic coming from your device can be monitored and stolen.

9. Any passwords that you use should be strong, hard to guess ones. Or, even better, hard to guess, but easy to remember.

10. Don’t click on unfamiliar links to sites advertising sales, coupons, etc.

11. Use two-factor authentication/verification, if it is offered.
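The alert thresholds in tip 6 can be read as a small set of detection rules. The following is an added example, not code from the Mashable article or from any card issuer; it applies those three rules ($25 per card-not-present charge, $500 cumulative, decline past $1,500) to a constructed billing period and shows why the cumulative rule matters when each charge is $24.99.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Thresholds taken from tip 6 above (dollars converted to cents); a real
# issuer configures these in its own tooling, so treat them as assumptions.
PER_PURCHASE_ALERT_CENTS = 2_500      # alert on each card-not-present charge of $25 or more
PERIOD_TOTAL_ALERT_CENTS = 50_000     # alert once the billing period's total passes $500
PERIOD_DECLINE_LIMIT_CENTS = 150_000  # decline anything that would push the period past $1,500


@dataclass
class Transaction:
    day: str            # ISO date; constructed sample data
    amount_cents: int
    merchant: str
    card_present: bool  # True when the physical card was swiped, inserted or tapped


def evaluate_period(transactions: List[Transaction]) -> Tuple[List[Tuple[str, Transaction]], int]:
    """Apply the three alert rules to one billing period of transactions.

    Transactions are assumed to be in chronological order. Returns the list of
    (rule, transaction) alerts that would go out by SMS/email and the total in
    cents that was actually approved.
    """
    alerts: List[Tuple[str, Transaction]] = []
    approved_total = 0
    period_alert_sent = False

    for tx in transactions:
        # Hard limit: the charge is refused and the holder is told why.
        if approved_total + tx.amount_cents > PERIOD_DECLINE_LIMIT_CENTS:
            alerts.append(("declined_over_period_limit", tx))
            continue

        approved_total += tx.amount_cents

        # Rule 1: any remote (card-not-present) charge at or above $25.
        if not tx.card_present and tx.amount_cents >= PER_PURCHASE_ALERT_CENTS:
            alerts.append(("card_not_present_purchase", tx))

        # Rule 2: cumulative spend in the period. Fires once, and is what catches
        # a string of $24.99 charges that each slip under rule 1.
        if approved_total > PERIOD_TOTAL_ALERT_CENTS and not period_alert_sent:
            alerts.append(("period_total_exceeded", tx))
            period_alert_sent = True

    return alerts, approved_total


def sample_period() -> List[Transaction]:
    """Constructed transactions for one billing period (not real data)."""
    txs = [
        Transaction("2016-11-25", 1_999, "Corner Grocery", card_present=True),
        Transaction("2016-11-25", 8_999, "Online Electronics", card_present=False),
    ]
    # Twenty-one $24.99 card-not-present charges: each is below the per-purchase
    # threshold, but together they exceed $500.
    txs += [Transaction("2016-11-26", 2_499, "Streaming Add-on", card_present=False)
            for _ in range(21)]
    txs.append(Transaction("2016-11-28", 120_000, "Luxury Goods Online", card_present=False))
    txs.append(Transaction("2016-11-28", 3_000, "Bookshop Online", card_present=False))
    return txs


def alert_counts(alerts: List[Tuple[str, Transaction]]) -> Dict[str, int]:
    """Tally alerts by rule name."""
    counts: Dict[str, int] = {}
    for rule, _ in alerts:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    alerts, total = evaluate_period(sample_period())
    for rule, tx in alerts:
        print(f"{tx.day} {tx.merchant:<22} ${tx.amount_cents / 100:>9.2f}  -> {rule}")
    print(f"approved total: ${total / 100:.2f}")
```

Running it shows the $89.99 and $30.00 remote charges alerting individually, the cumulative alert firing on the sixteenth $24.99 charge, and the $1,200 charge being declined.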

Mobile Concerns

To stay safe while shopping on your phone or tablet, be sure to follow these tips, according to RiskIQ:

1. Only download apps from official app marketplaces like Google Play or Apple’s App Store.

2. Be wary of applications that ask for suspicious permissions, like access to contacts, text messages, administrative features, stored passwords, or credit card info.

3. Check out the background of an app before downloading. Research the developer and be cognizant of the spelling of brand names.

4. Make sure to take a deep look at each app. New developers, or developers that leverage free email services (e.g., @gmail) for their developer contact, can be enormous red flags — threat actors often use these services to produce mass amounts of malicious apps in a short period. Also, poor grammar in the description highlights the haste of development and the lack of marketing professionalism that are hallmarks of mobile malware campaigns.

Common Sense

Just like any other time of the year, a deal found online over Thanksgiving weekend that seems too good to be true might be just that.

In addition to Richardson’s first tip about web page encryption certificates, always check website addresses after following links on Twitter, Facebook or even Google to be sure you haven’t been redirected. Legitimate retailers will almost always be determined by the “S” in HTTPS at retail sites.

Finally, keep your personal and financial information close at hand. Never provide anything until you’ve done your homework on a site or app, and even then never input anything until you’ve selected your purchase and are checking out.

With a measured approach to online shopping, you can dodge the in-store lines and the security risks this holiday season.


Article: Post-Election Spear Phishing Campaigns

A recent article warns of election-related spear-phishing and malware-infected emails.


In the wake of the 2016 United States Presidential Election, not even six hours after Donald Trump became the nation’s President-Elect, an advanced persistent threat (APT) group launched a series of coordinated and well-planned spear phishing campaigns.

These e-mails came from a mix of attacker-created Google Gmail accounts and what appear to be compromised e-mail accounts at Harvard’s Faculty of Arts and Sciences (FAS). These e-mails were sent in large quantities to different individuals across many organizations, focusing on national security, defense, international affairs, public policy, and European and Asian studies. Two of the attacks purported to be messages forwarded on from the Clinton Foundation giving insight and perhaps a postmortem analysis into the elections. Two of the other attacks purported to be eFax links or documents pertaining to the election’s outcome being revised or rigged. The last attack claimed to be a link to a PDF download on “Why American Elections Are Flawed.”

The post-election attacks launched by the Dukes on November 9 were very similar to previous attacks seen from the Dukes in both 2015 and 2016. The PowerDuke malware, first seen in August 2016, was once again used in these most recent attacks. Three of the five attack waves contained links to download files from domains that the attackers appear to control. The other two attacks contained documents with malicious macros embedded within them. Each of these attack waves was slightly different from the others, and they are detailed below.

Attack Wave 1: eFax – The “Shocking” Truth About Election Rigging
Attack Wave 2: eFax – Elections Outcome Could Be revised [Facts of Elections Fraud]
Attack Wave 3: Why American Elections Are Flawed


More information can be found at:

Article: Free Tools to Remove Ransomware Infections From Your PC

“Ransomware, a variety of malware which encrypts user files and demands payment in return for a key, has become a major threat to businesses and the average user alike.

Coming in a variety of forms, ransomware most often compromises PCs through phishing campaigns and fraudulent emails. Once a PC is infected, the malware will encrypt, move, and potentially delete files, before throwing up a landing page demanding a ransom in Bitcoin.

Demands for payment can range from a few to thousands of dollars. However, giving in and paying the fee not only further funds the development and use of this malware, but there is no guarantee any decryption keys given in return will work.

It is estimated that ransomware attacks cost more than $1 billion per year.

The No More Ransom Project, launched by the National High Tech Crime Unit of the Netherlands’ police, Europol, Kaspersky, and Intel Security, is a hub for victims to find out how to remove infections — and how to prevent themselves becoming infected in the future.

Unfortunately, not every type of ransomware has been cracked by research teams. Time and vulnerabilities which can be exploited by cybersecurity experts are required, and so some ransomware families do not have a solution beyond wiping your system clean and using backup data.

However, researchers are cracking more types of ransomware every month and there are a number of tools available which give victims some hope to retrieve their files.

The No More Ransom Project offers a quick way to find out what sort of ransomware is on your PC. Alternatively, the Malware Hunter Team runs the ID Ransomware online service which can also be used to identify infections.”

You can find a range of tools and software made available by researchers to scour your PC clean of the most common types of infection, as well as links to the No More Ransom Project and Malware Hunter Team’s ID Ransomware online service, in the article.


Cyber Security Awareness Month LearnIT Sessions

Cyber Security is a growing area of concern to many organizations as well as individuals. With the growing number of cyber-based attacks, it is imperative as members of the Fordham community that we identify some possible threats and understand the simple steps we can take daily to protect ourselves as well as our university.

To share our knowledge on the subject and to discuss certain topics, we will be holding two LearnIT sessions. One will be October 13th at 1:00 p.m. at Lincoln Center in room LL304 and the other will be on October 14th at 2:00 p.m. at Rose Hill in the Walsh Library within Flom Auditorium. Topics we will be discussing include phishing (the process in which a malicious actor attempts to trick you into sharing sensitive information with them), compromises and what to do about them, password safety tips, ransomware (the process in which a malicious actor locks your data or device and demands payment for the keys), mobile device safety and much more.

Article: 500 Million Yahoo Accounts Stolen

“Yahoo confirmed on Thursday data “associated with at least 500 million user accounts” have been stolen in what may be one of the largest cybersecurity breaches ever.

The company said it believes a “state-sponsored actor” was behind the data breach, meaning an individual acting on behalf of a government. The breach is said to have occurred in late 2014.

“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers,” Yahoo said in a statement.

Yahoo urges users to change their password and security questions and to review their accounts for suspicious activity.

The silver lining for users — if there is one — is that sensitive financial data like bank account numbers and credit card data are not believed to be included in the stolen information, according to Yahoo.

Yahoo is working with law enforcement to learn more about the breach.

“The FBI is aware of the intrusion and investigating the matter,” an FBI spokesperson said. “We take these types of breaches very seriously and will determine how this occurred and who is responsible. We will continue to work with the private sector and share information so they can safeguard their systems against the actions of persistent cyber criminals.”

A large-scale data breach was first rumored in August when a hacker who goes by the name of “Peace” claimed to be selling data from 200 million Yahoo users online. The same hacker has previously claimed to sell stolen accounts from LinkedIn and MySpace.

Yahoo originally said it was “aware of a claim” and was investigating the situation. Nearly two months later, it turns out the situation is even worse.

“This is massive,” said cybersecurity expert Per Thorsheim on the scale of the hack. “It will cause ripples online for years to come.”

U.S. Sen. Richard Blumenthal called for tougher legislation to “make sure companies are properly and promptly notifying consumers when their data has been compromised.”

“If Yahoo knew about the hack as early as August, and failed to coordinate with law enforcement, taking this long to confirm the breach is a blatant betrayal of their users’ trust,” he said in a statement.

Here are steps to take to secure your online accounts.

Change passwords often

Yahoo is asking anyone who hasn’t changed their password since 2014 to update it. This is good advice for everyone: Passwords should be changed often. You won’t always get a timely notice from a company that an account was compromised — and sometimes it might not even know about a hack until much later. In this case, it took two years for the company to confirm the breach.

Never use the same password twice

Never use the same password twice. If hackers get the password for one of your online accounts, they can try to use it to access your other accounts that take the same credentials.

Pick better passwords

Consider using a phrase instead of single words that are more easily guessed. Don’t go for common phrases like cliches: Pick a combination of words that don’t go together — i.e. rather than “herecomesthesun,” go for something like “wombatbootsparade”.

Avoid using common passwords like 1-2-3-4-5-6 or p-a-s-s-w-o-r-d, and include a mixture of numbers, letters and characters.

Update those security questions

If you forget a password, using security questions is an easy way to gain access back into your own account — it’s not like you’ll ever forget your mom’s maiden name. But some Yahoo security answers and questions were a part of the breach. The company has already disabled any unencrypted security answers on its accounts.

If you frequently use the same security questions and answers for other online accounts, you’ll want to change those, as well. Attackers could use the information taken from Yahoo to obtain access to other online accounts that contain even more sensitive information.

Avoid choosing the obvious questions and don’t provide answers that are easy to find online through Google searches, social media sites or old Live Journal entries.

Be alert

The company is urging users to look through their Yahoo accounts (email, calendar, groups, etc.) for any signs of suspicious activity. Although it doesn’t say what to look for, start by checking outgoing emails.

Be extra careful about clicking on links or opening downloads from unknown email addresses. If anyone emails asking for your password, it’s a red flag — even if it looks like it’s coming from a legitimate place like Yahoo or a bank. Never share any account information or passwords over email.”
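The 2013 Yahoo records described earlier on this page were unsalted MD5 hashes, while the 2014 records were mostly bcrypt. The following is an added example, not code from either article or from Yahoo, showing why that distinction matters and how a service can upgrade legacy records the next time a user logs in. It uses the standard library’s PBKDF2-HMAC-SHA256 as a stand-in for bcrypt (a third-party package); the user table, usernames and passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# bcrypt is a third-party package; PBKDF2-HMAC-SHA256 from the standard library
# stands in for it here. Both are salted and deliberately slow, which is the point.
PBKDF2_ITERATIONS = 200_000


def legacy_md5_hash(password: str) -> str:
    """Unsalted MD5, the scheme the 2013 Yahoo records used.

    No salt and no work factor: every user with the same password gets the same
    hash, so one precomputed table answers every record in a leaked database.
    """
    return "md5$" + hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash; a fresh 16-byte salt per record unless one is supplied."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Check a password against a stored record of either scheme (constant-time compare)."""
    scheme, rest = stored.split("$", 1)
    if scheme == "md5":
        return hmac.compare_digest(legacy_md5_hash(password), stored)
    if scheme == "pbkdf2":
        iterations, salt_hex, _digest = rest.split("$")
        recomputed = salted_hash(password, bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(recomputed, stored)
    raise ValueError(f"unknown password hash scheme: {scheme}")


def needs_rehash(stored: str) -> bool:
    """Legacy MD5 records should be upgraded the next time the user logs in."""
    return stored.startswith("md5$")


def login(db: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate against an in-memory user table; upgrade MD5 records on success."""
    stored = db.get(username)
    if stored is None or not verify(password, stored):
        return False
    if needs_rehash(stored):
        # The plaintext is only available at login, so this is the one moment
        # a legacy record can be migrated without a forced reset.
        db[username] = salted_hash(password)
    return True


if __name__ == "__main__":
    # Constructed user table: two users who chose the same password, stored with MD5.
    users = {"alice": legacy_md5_hash("wombatbootsparade"),
             "bob": legacy_md5_hash("wombatbootsparade")}
    print("identical MD5 records:", users["alice"] == users["bob"])     # True
    login(users, "alice", "wombatbootsparade")
    login(users, "bob", "wombatbootsparade")
    print("identical after upgrade:", users["alice"] == users["bob"])   # False
```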



Article: Fake-Game: The Emergence of a Phishing-as-a-Service Platform

“Malware-as-a-Service (MaaS) business models continue to thrive in the cyber underground. It has allowed cyber crooks to generate renewable income through renting malware rather than selling their tool for a one-time payment. As a result, the business model has been adopted in various underground commodities such as exploit kits and remote access trojans. Recently, we saw the emergence of Ransomware-as-a-Service (RaaS) platforms.

During our monitoring, we discovered that this same business model is also being used in phishing schemes in the form of a Russian website called “Fake-Game.” Appearing in (at least) July 2015, Fake-Game offers a Phishing-as-a-Service (PHaaS) platform to anyone who signs up on their website:

Once a user has logged in, a tutorial window pops up (the rest of the images in this post have been translated from Russian to English to allow our general readers to understand them):

The site then asks the user to choose which type of credential it wishes to steal:

To see how it works, we tried to simulate the platform’s Gmail phishing tool. Upon choosing the Google option from the dropdown menu above, a link containing the subdomain “gmail” was generated:

The link is appended by an affiliate ID which, in this case, is our subscriber’s ID. This allows the website to track which stolen accounts belong to which subscriber.

A subscriber can then spread the phishing site to prospective victims. Once a victim enters a credential into the subscriber’s phishing link, a prompt showing the stolen information appears:

In order to assist novice cyber criminals using the platform, the above prompt provides a hyperlink to another Russian site where subscribers can sell the credentials they have stolen. The stolen credentials can be sold from $0.015 USD up to $15.39 USD at current exchange rates.

A summary of stolen credentials appears on the subscriber’s profile:

How Does the Phishing Webpage Work?

The Gmail phishing page looks like the legitimate Gmail log in page:

The Fake-Game platform has a feature that verifies the validity of credentials. If an entered credential is valid, it replies with a compressed string that translates to “good” once decompressed:

The phishing page’s code then checks to see if Fake-Game responded with the required value. If not, it displays an error and re-loads the phishing page:

The Fake-Game Phishing-as-a-Service (PHaaS) Business Model

Fake-Game earns money by offering VIP subscriptions for relatively low prices. The VIP account also offers subscribers extra privileges (listed below) that are not available for normal one-time users. The prices for such an account are $3.50 USD for a month, $5.70 USD for two months and $7.12 USD for three months:

Like legitimate businesses, Fake-Game has a real-time chat support feature available on its website:

Users are also given the privilege to chat with each other after reaching a rating of over 50 on the website:

User ratings are achieved by purchasing VIP accounts. Higher VIP package purchases reward users with higher ratings.

In addition, referral programs are available in order to attract more users to use the PHaaS platform:

As of this writing, the Fake-Game website shows that there are currently 61,269 subscribers using the platform. Furthermore, a total of 679,511 credentials were stolen based on their current statistics:


With the thriving malware-as-a-service business model, it is unsurprising to see the emergence of a Phishing-as-a-Service platform such as Fake-Game. However, it is important to be aware of these services and understand their implications. In this case, an effective business model such as this has the capability to amplify phishing attacks in the wild by making malicious services available and convenient to just about anyone.

While Fake-Game caters specifically to Russian cyber criminals, we believe that similar services will be available to other regions soon, if they are not already happening.

We want to reemphasize that it is always a good idea to make sure that the website link on your browser address bar is legitimate before entering online credentials. If you are unsure, manually typing in the correct website URL can help prevent phishing attacks. Furthermore, remember that unsolicited requests for credentials arriving through email or social media are typically fraudulent, and are best avoided.”


Article: Update OS X Right Now or You Could Get Some Nasty Spyware


“Apple has issued an urgent security update for OS X El Capitan, OS X Yosemite and Safari to protect against the same security vulnerability that hit iOS last week.

To update on OS X, go to App Store > Updates and then install the Security Update 2016-001 (for El Capitan) or 2016-005 (for Yosemite). For users on OS X Mavericks, a Safari update is available as well.

Oh and while you’re at it, you should update iOS as well. (Just go to Settings > General > Software Update on your device, and follow the instructions.) The urgent OS X patch comes a week after Lookout Security and Citizen Lab discovered a nasty strain of spyware that could hijack an iPhone with a simple text message. Lookout Security’s Mike Murray called it “one of the most sophisticated pieces of cyberespionage software we’ve ever seen.”

The malware was used to target human rights activist Ahmed Mansoor. Mansoor noticed a strange text message on his phone, and rather than clicking the link, he turned his phone over to experts. It’s a good thing he did. That malware could have been used to read text messages, emails, and track calls and contacts.

Because OS X and iOS share a lot of the same code, it makes sense that a vulnerability in iOS would also exist in OS X. It isn’t clear exactly how the exploit would be used on OS X—on iOS users would be hit with a rogue SMS message—but don’t take any chances. Update!”

Article: Dropbox hack ‘affected 68 million users’
“A Dropbox security breach in 2012 has affected more than 68 million account holders, according to security experts.

Last week, Dropbox reset all passwords that had remained unchanged since mid-2012 “as a preventive measure”.

In 2012, Dropbox had said hacks on “other websites” had affected customers who used their Dropbox password on other sites too.

But now what purports to be the details of 68.6 million Dropbox accounts have emerged on hacker trading sites.

The 5GB document has been acquired by a Motherboard reporter, who also said it had been verified as genuine by a “senior Dropbox employee” speaking on the condition of anonymity.

The data includes email addresses and hashed passwords.

But security researcher Troy Hunt, who has also seen the document, said the hashing algorithm that obscured the passwords was “very resilient to cracking”.

“Frankly, all but the worst possible password choices are going to remain secure even with the breach now out in the public,” he said.

Mr Hunt said he had managed to independently verify the hack by finding the password of his wife within the cache.

He told BBC News the document contained a “very unique, 20-character, completely random password” used by his wife to log in to Dropbox.

It had been created by a password manager, he said, making the chance of it having been correctly guessed “infinitely small”.

Mr Hunt wrote on his blog: “There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords – you simply can’t fabricate this sort of thing.”

Security researcher Ken Munro also said the hack appeared to be genuine and to have “taken place in 2012”.

In a statement sent to the BBC, Dropbox said: “This is not a new security incident.”

And there was “no indication” Dropbox user accounts had been improperly accessed.

“Our analysis confirms that the credentials are user email addresses with hashed and salted passwords that were obtained prior to mid-2012,” said the statement.

“We can confirm that the scope of the password reset we completed last week did protect all impacted users.

“Even if these passwords are cracked, the password reset means they can’t be used to access Dropbox accounts.”

Meanwhile, on Tuesday the password management service OneLogin – of which Dropbox is a client – revealed that a user gained access to one of its systems used for log storage and analytics.

Alvaro Hoyos, chief information security officer at OneLogin, has said that this incident is not connected to the Dropbox hack.

“We have no indication that OneLogin’s August 2016 incident is connected to any further incidents currently in the news,” Mr Hoyos told the BBC.

“To reiterate what our recent blog post stated, the impacted system is a standalone system and there are no signs of suspicious activity in any of our other systems.

“The security of our customers is of the utmost importance and we are carrying out an extensive investigation in partnership with a third-party cybersecurity firm. We are advising impacted customers as soon as any additional information becomes available as a result of the investigation.””