Snapchat hacked. Millions of Accounts Compromised

(CNN) — Hackers appear to have posted account info for 4.6 million users of quickie social-sharing app Snapchat, making usernames and at least partial phone numbers available for download.

The data were posted to the website SnapchatDB.info. By late Wednesday morning, that site had been suspended.

The hack was seemingly intended to urge Snapchat to tighten its security measures. The anonymous hackers said they used an exploit created by recent changes to the app, which lets users share photos or short videos that disappear after a few seconds.

“Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. It is understandable that tech startups have limited resources but security and privacy should not be a secondary goal. Security matters as much as user experience does,” the hackers said in a statement to technology blog TechCrunch.

http://www.cnn.com/2014/01/01/tech/social-media/snapchat-hack/index.html

Hacking your cell phone calls, texts, browser

An increasingly popular technology for extending cell-phone coverage ranges had a major security hole that went undetected for years, through which an attacker could eavesdrop on everything a target did on their phone, according to new research released on Monday.
The research brings to light previously unknown vulnerabilities in some models of femtocells, devices that mobile network operators use to bring wireless service to low-coverage zones. The compact boxes, which are typically as small as a standard cable modem, can be deployed in hard-to-reach spots like the top of an apartment building or a home in the mountains. Femtocells are also referred to as “network extenders,” and analysts project that as many as 50 million of them will be in use by 2014.

In a demonstration for CNNMoney, researchers at iSEC Partners, who discovered the security hole, covertly recorded one of our phone conversations and played it back for us. They were also able to record our browsing history, text messages, and even view pictures we sent from one smartphone to another by hacking the network extender.

“We see everything that your phone would send to a cell phone tower: phone calls, text messages, picture messages, mobile Web surfing,” said iSEC Partners senior security consultant Tom Ritter.

ISEC discovered the security flaw a year ago and contacted the affected vendors, who quickly began working on a fix. Though iSEC focused its research on femtocells operating on Verizon’s 3G CDMA network, the company believes similar holes could exist on other network extenders.

http://money.cnn.com/2013/07/15/technology/security/femtocell-phone-hack/

 

Alert from Hacker News: Some Outdated WordPress Blogs Used in DDOS Attacks

In the past we have reported about many such cyber attacks, where attackers hacked into the WordPress blogs using password brute-force attack or they used the PINGBACK vulnerability in older versions of WordPress without compromising the server.

WordPress has a built in functionality called Pingback, which allows anyone to initiate a request from WordPress to an arbitrary site and it can be used for a single machine to originate millions of requests from multiple locations.

We have seen more than 100,000 IP addresses involved in the recent DDOS attack and the victim’s Forum website received more than 40,000 requests in 7 minutes from different WordPress blogs and IP addresses.

http://thehackernews.com/2013/12/ddos-attacks-originated-from-thousands.html

Christmas Came Early For Hackers: 2 Million Social Media Accounts Hacked, Big U.S. Bank Data Stolen

Hackers Stole 2M Facebook, Google Passwords: How to Protect Your Accounts

Dec. 5, 2013

Any time you logged into Facebook, Google, Twitter, or a host of other popular web services the past month, there may have been a hacker peering over your digital shoulder, sneaking a peek at your password.

The information security company Trustwave has revealed that the passwords to 2 million different accounts have been compromised. The malware program Pony forwarded the vast majority of the passwords to a central server in the Netherlands.

John Miller, security research manager at Trustwave, said that the hack wasn’t due to a flaw in any of those company’s servers. “It was the individual users’ computers that had the malware installed on their machine,” he told ABC News. He adds that the unnamed hackers were most likely motivated by profit. “These passwords were never publicly posted. We can’t say for sure, but [the hackers] were probably going to sell them.”

http://abcnews.go.com/Technology/hacker-group-stole-million-stolen-facebook-google-passwords/story?id=21109910

 

JP Morgan Chase Hacked: 465,000 Card  Users’ Data Gone

JPMorgan Chase, one of the world’s biggest Banks has recently announced that it was the victim of a cyber attack and warned round 465,000 of its holders of prepaid cash cards on the possible exposure of their personal information.

In the Security Breach that took place on the bank’s website www.ucard.chase.com in July, around 465,000 accounts are compromised i.e. 2% of the overall 25 million UCard users. JPMorgan confirmed that there is no risk for holders of debit cards, credit cards or prepaid Liquid cards.
 
They informed the law enforcement in September, and till now no information on how attackers have conducted the attack has been disclosed.

http://thehackernews.com/2013/12/JPMorgan-Chase-bank-card-hacked_5.html 

FBI Threatened Lavabi to Turn Over SSL Keys to ALL User Email Accounts

Lavabit owner Ladar Levison told RT that he had no choice but to close his email service because the FBI, in pursuit of NSA whistleblower Edward Snowden, forced him into an ethical dilemma by demanding he hand over customers’ personal data.

RT: The FBI demanded you hand over encryption  codes to collect data from a specific account that is not named  in the documents. What was your initial response

Ladar Levison: That’s actually not correct. What they  demanded were the SSL keys that were protecting all the data  coming in and out of my network for all of my users, and that’s  what I had an issue with. I’ve said before that I took the stance  that I did not to try and protect a single person but because I  was concerned about the invasion and the sacrificing of  everyone’s privacy rights that were accessing my system. 

RT: We were led to believe that you had been  threatened to be charged with criminal content if you did not  comply. Do you feel those threats would have eventually become  reality if you didn’t follow suit? 

LL: Oh, I know they would. In fact they went on to  charge me $5,000 a day for every day that I didn’t turn over  those keys, which is why I was eventually forced to hand them  over. Given the difficult choice of remaining silent about what I  thought was a grave injustice or taking, like you said, the  lesser of two evils and shutting down the service. I just wasn’t  comfortable knowing that they were examining all the data that  was coming in and out of my network without any kind of  transparency or auditing by myself to ensure that they were only  collecting the information they were legally authorized to and  continuing to run the service with that knowledge. So I made the  only decision I felt was appropriate. In terms of being arrested,  I think the only reason they didn’t is because if they had the  system would have had nobody to maintain it. That’s one of the  advantages of being a small business owner, you wear many  hats. 

 

http://rt.com/usa/govt-implications-internet-control-lavabit-752/

Sen. Feinstein’s NSA Alleged Reform Bill To Add Surveillance Authority

A bipartisan group of US senators is trying to ban the NSA’s blanket surveillance program in a radical bill proposed to the Senate Intelligence Committee. But a milder bill from chairwoman Diane Feinstein would sanction more snooping on US citizens.

Thursday’s Committee hearing on reforming the Foreign Intelligence Surveillance Act (FISA) reviewed the two rival bills in an effort to find a balance between security and privacy. The Committee is expected to have further lively debate on the proposed legislation next week, before the bill is sent for consideration by the full Senate.

 Feinstein’s bill would also seek to expand the US government’s spying capabilities by authorizing the monitoring of terror suspects the NSA is tracking overseas when they arrive in the US. 

Currently, when a suspected terrorist arrives in America, the NSA has to halt its surveillance, creating a legal loophole.

“I call it the terrorist lottery loophole,” said Republican Senator Mike Rogers, the chairman of the House Intelligence Committee. “If you can find your way from a foreign country where we have reasonable suspicion that you are … a terrorist … and get to the United States, under a current rule, they need to turn it off and do a complicated handoff to   the FBI,” Rogers said.

The new bill would allow the NSA to legally continue eavesdropping on a person for seven days after arriving to the US without asking for authorization from a court.

Democratic Senator Wyden, who has been for years working with classified data as a member of the Senate Intelligence Committee, also derided the NSA’s complaints about the damage to US national security caused by the recent leaks.

“You talk about the damage that has been done by disclosures, but any government official who thought this would never be disclosed was ignoring history. The truth always manages to come out,” he said.

http://rt.com/usa/nsa-snooping-senators-feinstein-439/

Senate Intelligence Committee Hearing: The NSA Wants Unlimited Citizen and Business Data in National Database

[NSA Director Keith] Alexander acknowledged that the NSA is interested in compiling the largest national database possible, and that there is no limit to the number of records that can be gathered. The storehouse holds billions of records, former officials have told The Washington Post.

Is it the goal of the NSA to collect the phone records of all Americans?” Udall asked.

I believe it is in the nation’s best interests to put all the phone records into a lockbox that we could search when the nation needs to do it, yes,” Alexander said.

 

The government has claimed the authority to gather the data under Section 215 of the USA Patriot Act, also known as the “business records” provision of the Foreign Intelligence Surveillance Act. The FISA court in 2006 agreed that the government could use that statute to order phone companies to hand over “all call detail records” daily to the NSA.

 

Asked by Udall if that statute gave NSA the authority to collect other data — such as utility bills — Deputy Attorney General James M. Cole offered a qualified answer. “It’s given them the authority to collect other bulk records if they can show that it is necessary to find something relevant to a foreign intelligence investigation of particular types. . . . It’s not just all bulk records. But it’s also not no business records. It’s all dependent on the purpose.”

 

 

[Sen. Ron Wyden (D-Oregon)], Udall and other lawmakers have introduced reform legislation that would, among other things, end the phone records collection, while allowing for a more limited program.

On Thursday, Wyden accused U.S. officials of not being more forthcoming about intelligence-collection programs.

“The leadership of your agencies built an intelligence-collection system that repeatedly deceived the American people,” he said. “Time and time again, the American people were told one thing about domestic surveillance in public forums while government agencies did something else in private.”

 

http://www.washingtonpost.com/world/national-security/nsa-leaks-extremely-damaging-national-intelligence-director-tells-senate-hearing/2013/09/26/a01b4e08-26d3-11e3-b75d-5b7f66349852_story.html

 

Wyden infamously showed down with Clapper earlier this year when he asked the lawmaker if the intelligence community collects information on millions of Americans. Clapper responded “not wittingly,” then later apologized to Committe Chairwoman Dianne Feinstein (D-California) for his “clearly erroneous” remark after Snowden’s leaks suggested otherwise only weeks later.

So that he would be prepared to answer, I sent the question to Director Clapper’s office a day in advance. After the hearing was over, my staff and I gave his office a chance to amend his answer,” Wyden told the Washington Post after the March meeting. “Now public hearings are needed to address the recent disclosures, and the American people have the right to expect straight answers from the intelligence leadership to the questions asked by their representatives.”

On Thursday, Alexander phrased questioning directed at Gen. Alexander in an attempt to determine if the NSA collected information from cell phone towers that could be used to locate customers. Alexander decline to provide a straight answer during an unclassified hearing.

 

If you’re responding to my question by not answering it because you think thats a classified matter, that is certainly your right,” said Wyden. “ We will continue to explore that because I believe that is something the American people deserve to know.”

 

http://rt.com/usa/fisa-hearing-nsa-surveillance-410/