Monday, September 26, 2016

Yahoo hack hits half a billion users



Yahoo has announced that data from as many as 500 million user accounts was stolen in a breach during 2014. The breach poses many problems for Yahoo CEO Marissa Mayer as she tries to close a $4.8bn sale to Verizon Communications, which was only made aware of the leak two days ago. With the deal not set to close until early 2017, Verizon still has plenty of time to renegotiate the price or decide whether the takeover is worth it at all. But what does the biggest data breach ever made public mean for you?


“The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers,” Yahoo said in a statement posted on its Tumblr.


Yahoo suggests the hack may have been performed by a ‘state-sponsored actor’, polite jargon meaning the hacker(s) were potentially acting on behalf of a foreign government. The California-based company did not explain why it had taken so long to disclose the breach or how it reached its conclusions about the attacker.


Last month, Motherboard reported that a hacker known as “Peace” claimed to have account information belonging to 200 million Yahoo users and was trying to sell the data on the dark web. However, given the timing, the size of the leak and the suggestion of state involvement, this breach appears to be a separate and far more serious incident. Yahoo says the FBI is now involved.


An FBI Spokesperson told CNN, “the FBI is aware of the intrusion and investigating the matter. We take these types of breaches very seriously and will determine how this occurred and who is responsible. We will continue to work with the private sector and share information so they can safeguard their systems against the actions of persistent cyber criminals.”


What you need to do


  • Change your Yahoo passwords whether you believe your account has been compromised or not.

  • Check your account for ANY suspicious activity.

  • All Yahoo users should also update all security questions and answers.

  • Other steps to protect your data include changing your passwords regularly, never reusing a password across sites and generating unique passwords with a password manager. This PCMag guide compares different options.

Have a nice (malware-free) day!




Friday, September 23, 2016

Are all hackers criminals?

Not all hackers are created equal. The terms ‘hacker’ and ‘cyber criminal’ are used interchangeably in online media, which is both misleading and reductive. A cybercriminal uses online means to profit from illegal activity regardless of the cost to the victims. ‘Hacker’ is a blanket term that does not distinguish between those who hack for good and those who hack to cause harm. Many hackers hack for profit, but not all of them profit from online crime.




In the US, western films of the 1920s to 1940s contrasted heroes and villains by the colour of their hats: black for villains, white for heroes. The terminology has been adopted to describe classes of hacker. There are essentially four kinds: black hats, white hats, grey hats and hacktivists. The key to distinguishing between them is whether they have permission to hack.


Black Hats


Black-hat hackers, or simply ‘black hats’, are hackers who violate computer security for personal gain. Examples include stealing credit card numbers or harvesting personal data to sell to identity thieves. Just how lucrative this can be made headlines recently when a hacker offered over 650,000 patient records for sale on the dark web, the part of the internet that is hidden from public search engines and regular internet users. The data, stolen from several medical institutions, included names, addresses and social security numbers. The perpetrator will likely make close to US$800,000.


Black hat hackers are online criminals who hack without permission for illegal financial or personal gain. Some hack simply for revenge or to prove that they can. The term ‘black hat’ is also used in everyday tech language to describe any person or activity considered underhanded or somewhat dodgy, such as SEO black hats who drain website traffic and sell it back to the site owner.


Grey Hats


As in life, between black and white there are various shades of grey. A grey-hat hacker falls between a black hat and a white hat: grey hats do not work for personal gain or to cause damage, but their actions may technically be illegal, because they do not ask permission before hacking. If a grey hat finds a flaw, they may disclose it to the organisation privately so it can be fixed. Sometimes, however, a grey hat discloses the flaw publicly. This is not necessarily malicious, but it exposes the organisation to black hats who can and will exploit the vulnerability before it is patched.


Hacktivists


Under the same umbrella as grey hats, hacktivists hack systems as a form of political protest. Anonymous, perhaps the most notorious hacktivist collective, blurs the line between good and bad, always hacking without permission but for what its members believe is the greater good. Anonymous has gained a lot of exposure for Robin Hood style takedowns, such as hacking and shutting down child pornography sites. It went a step further, however, when it leaked the names of visitors to those sites.


When Michael Brown was shot by a police officer in Ferguson, Missouri on August 9, 2014, Anonymous intervened, collecting what it took to be evidence in order to expose the officer responsible. After collating the data, however, Anonymous reached the wrong conclusion and published the name of an innocent man.


Another attempt to seek justice saw Anonymous leak the details of thousands of Bay Area Rapid Transit (BART) users. The hack was in retaliation for BART shutting down cell service during a protest to stop activists communicating with each other. Many innocent users were caught in the crossfire and had their personal information leaked online.


Though their intentions may be good, the means hacktivists use are illegal and the outcomes are often mixed. Ultimately, the defining trait of a hacktivist is hacking without permission to further a political cause.




White Hats


White hats hack with permission, in what can be a lucrative industry for the highly skilled. They are hired to look for vulnerabilities in a company’s systems, find bugs and alert the developers or the company so the issues can be resolved. White hats often work for profit, but they do not gain from exploiting others.


HackerOne is a company founded by two twenty-five-year-old hackers who discovered a vulnerability in their university’s grading system. After the university was alerted, and the pair were paid handsomely, they founded a business on the idea that companies will pay good money to be informed of breach points before black hats find them.


Ethical hackers are certified by means of an exam involving penetration tests, in which the hacker seeks to penetrate networks and computer systems with the purpose of finding, so they can be fixed, any vulnerable access points they encounter. While unauthorised hacking, black hat hacking, is illegal, testing that is authorised by the organisation is not.


At Emsisoft, we invite ethical white hat hackers to put our software to the test. We’re keen to improve our products continuously, as we all know such a thing as perfect code doesn’t exist.


Summary


So, as you can see, not all hackers are the same. The key is whether they have permission to hack and how they gain from the vulnerabilities they find.

A grey hat does not ask for permission but has no intention of causing harm or damage, though their means may be illegal. A white hat is hired and permitted to do their work. A black hat is not.


Have a great (malware-free) day!




Thursday, September 22, 2016

How to identify your ransomware infection to find the right decrypter tool



How would you feel if you opened your computer to find it had been locked with a ransom note demanding cash immediately? Ransomware is the most common online threat of 2016, making up a huge percentage of today’s active threats, and it has turned out to be one of the easiest and highest earners for attackers. Most other malware makes its developers money indirectly (by using or selling your computer’s resources), but ransomware asks you, the victim, for cash directly, by putting you in a situation in which you feel forced to pay.


The Emsisoft team spends a lot of time looking for ways to prevent ransomware from finding its way onto your computer. But what if your system is already infected? Don’t panic. Downloading random tools in an attempt to unlock your system can make matters worse. If you have ransomware, look no further.


Emsisoft is proud to support Malware Hunter Team, a group of researchers who share our commitment to protecting you and your data.


Malware Hunter Team does a great job of raising awareness not only of online threats themselves, but also of how to deal with them if you find yourself a victim. What does this mean for you? If you are hit by ransomware, you can identify the strain you have and find out whether a decryption tool is available.


We spoke with Michael Gillespie of Malware Hunter Team, the creator of ID Ransomware, a website that helps you figure out which ransomware you have been infected with, based on identifying features of the ransom note you receive and of your encrypted files. He walked us through the process of identifying ransomware families.


Who are Malware Hunter Team and what do they/you do?


Malware Hunter Team is basically a small group of security researchers interested in tracking down malware and promoting cyber security. They do a great job of hunting phishing sites and other threats on a daily basis. I recently joined the team with my ransomware research, and have been coordinating with them on tracking and identifying new threats.


I personally coordinate with ransomware victims and try to hunt down new samples, and help with reverse engineering when I can – with the goal of trying to decrypt if at all possible of course.


So, if someone’s computer has been infected with ransomware, what is the first thing they should do?


I would say the first step is definitely quarantining the system – for an organization this may include finding the affected system. The system should be either shut down, or put in ‘hibernate’ if possible. From there, the threat needs to be identified just like any other malware infection.


And that’s where you guys come in? My understanding is you specialise in working out what type of malware a user has?


Yes. That can sometimes be the tricky part, especially lately with new strains mimicking others, or flying under the radar.


With so many families and new strains, how do you tell them apart? I saw you have hundreds that can be decrypted for free through your site.


That’s the hard part. In general, we’ll classify them by the symptoms – what extension does it use, what ransom note is left, etc. Sometimes we do have to get more technical to recognize if it is the same author based on their coding style, or certain strings left in the malware.


And for a user, for example, they have a ransom lockout screen, they go to your site, what would they need to do? What is the process?


I’ve tried to make ID Ransomware as simple as possible for the user. They simply upload a ransom note left by the malware, and one of their encrypted files (I recommend something not confidential), and the website will use several methods of trying to identify which ransomware it is. If it is a positive match, it will provide an easy status on “can it be decrypted”, since that is the #1 thought to a victim at that time. It then gives a link to more information either way so they can learn more about what hit them, and possibly find how it came in in the first place.


I use a few techniques to identify by the filename of the ransom note, certain known email addresses or Bitcoin addresses in the note, the pattern of the encrypted file’s name (e.g. a certain added extension), and even some hex patterns that some ransomware leave in the files. I also have some custom “plugins” for a few more advanced techniques, such as detecting an embedded image in one certain strain.


With the amount of work that goes into it, why do you offer the service for free?


Part of it is inspiration from other volunteers in the area. I get most of my information from sources such as victims, Twitter, and Emsisoft Malware Lab. Also, I don’t want to hold a ransom on helping someone decrypt their files – that makes me no better than the criminals in some sense. The information itself should be free to all.


It seems like the appearance of ransomware is increasing constantly. What does the future of malware look like in your opinion?


I definitely see it becoming more and more of a threat in all sectors as we are seeing with the Internet of Things, and how insecure devices are found to be from the factory. In just the past year I’ve been involved with this, I’ve seen a lot of adaptations and “creativity”. We have recent ransomware we discovered that mimics a Windows Update while it decrypts, one that also creates a backdoor to the system, one that uploads passwords, etc. Malware authors are bundling more features together into one package it seems.


How should people best protect themselves?


The best protection is definitely awareness of what you are clicking on. Having good anti-malware protection is a great step, but so is knowing how to use it, and how to not HAVE to use it. I want to bluntly say “common sense” when it comes to what you are doing online and what you are trusting to run on your computer.


I also want to say BACKUPS BACKUPS BACKUPS. (The Emsisoft Team explored this in a recent article ‘Prevent Ransomware – Backup!’)




Which ransomware families does ID Ransomware detect?


At the time of writing, the service detects 163 different ransomware families. Here is the complete list of what is currently detected:


777, 7ev3n, 7h9r, 8lock8, ACCDFISA v2.0, Alfa, Alma Locker, Alpha, AMBA, Apocalypse, Apocalypse (Unavailable), ApocalypseVM, AutoLocky, AxCrypter, BadBlock, Bandarchor, BankAccountSummary, Bart, Bart v2.0, BitCrypt, BitCrypt 2.0, BitCryptor, BitMessage, BitStak, Black Shades, Blocatto, Booyah, Brazilian Ransomware, Bucbi, BuyUnlockCode, Cerber, Cerber 2.0, Cerber 3.0, Chimera, Coin Locker, CoinVault, Coverton, Cryakl, CryFile, CrypMic, Crypren, Crypt0L0cker, Crypt38, CryptFuck, CryptInfinite, CryptoDefense, CryptoFinancial, CryptoFortress, CryptoHasYou, CryptoHitman, CryptoJoker, CryptoMix, CryptorBit, CryptoRoger, CryptoShocker, CryptoTorLocker, CryptoWall 2.0, CryptoWall 3.0, CryptoWall 4.0, CryptXXX, CryptXXX 2.0, CryptXXX 3.0, CryptXXX 4.0, CrySiS, CTB-Faker, CTB-Locker, DEDCryptor, DirtyDecrypt, DMA Locker, DMA Locker 3.0, DMA Locker 4.0, Domino, ECLR Ransomware, EduCrypt, El Polocker, Encryptor RaaS, Enigma, Fantom, GhostCrypt, Globe, Gomasom, Herbst, Hi Buddy!, HolyCrypt, HydraCrypt, Jager, Jigsaw, JobCrypter, JuicyLemon, KeRanger, KEYHolder, KimcilWare, Kozy.Jozy, KratosCrypt, Kriptovor, KryptoLocker, LeChiffre, Locky, Lortok, Magic, Maktub Locker, MirCop, MireWare, Mischa, Mobef, NanoLocker, NegozI, Nemucod, Nemucod-7z, NullByte, ODCODC, OMG! Ransomcrypt, PadCrypt, PayForNature, PClock, PowerLocky, PowerWare, Protected Ransomware, R980, RAA-SEP, Radamant, Radamant v2.1, Razy, REKTLocker, RemindMe, Rokku, Russian EDA2, SamSam, Sanction, Satana, ShinoLocker, Shujin, Simple_Encoder, Smrss32, SNSLocker, Sport, Stampado, SuperCrypt, Surprise, SZFLocker, TeslaCrypt 0.x, TeslaCrypt 2.x, TeslaCrypt 3.0, TeslaCrypt 4.0, TowerWeb, ToxCrypt, Troldesh, TrueCrypter, UCCU, UmbreCrypt, Unlock92, Unlock92 2.0, Uyari, VaultCrypt, VenusLocker, WildFire Locker, WonderCrypter, Xorist, Xort, XRTN, zCrypt, ZimbraCryptor, Zyklon


If you have been infected by ransomware head straight to the ID Ransomware site. If you want to learn more about Malware Hunter Team you can visit them at malwarehunterteam.com.


Have a great (malware-free) day!




Thursday, September 8, 2016

Fabiansomware: when hackers lose it



Cybercrime has existed for as long as the internet has. However, 2016 has well and truly been the year of ransomware. New ransomware families are popping up weekly and the Emsisoft Malware Lab battles them daily on the frontline.


As a result, our lab is often on the receiving end of hate from the authors of such ransomware. This was the case a few months ago when we were able to break the amateurish code of a ransomware family known as Apocalypse. Recently, the hate has become more personal and is directed at Fabian, our CTO and head of Emsisoft’s Malware Research Lab. Abusive comments have been embedded directly into Apocalypse’s malware, and the authors even named their most recent strain ‘Fabiansomware’ in his honour.


So, why are we being targeted?


Online, Fabian is a comical malware hunter who shares decryption tools and security advice. At Emsisoft, he is the head of our malware lab. He and his team investigate new threats, develop new protection technologies, adapt existing ones and make sure our users are protected against current and future malware.


Why it’s getting so personal


In June 2016, we published an article after the lab broke three variants of Apocalypse and shared a free decrypter to all Apocalypse victims. Since then, the lab has broken six new variants.


The malware authors keep changing their code to try to stay a step ahead of our lab and other malware hunters online. At the moment it takes us only an hour or two to break each new variant. And the insults continue.


The abuse has become so offensive we won’t share it here but it can be seen on Fabian’s twitter account.


Apocalypse’s crush on the head of our lab has got so out of control that in their newest variant the contact email address is listed as fabianwosar@mail.ru.


Essentially, their idea is to try to blame him for the most recent strain. It has been working to some degree as can be seen in this sprightly conversation between Fabian and a very unhappy victim.



So looks like the Apocalypse degenerates decided to rename their project to Fabiansomware. They fell hard for me. pic.twitter.com/pYkXp1vEap


— Fabian Wosar (@fwosar) August 29, 2016



A bit about Apocalypse


The Apocalypse ransomware was first seen on 9 May 2016. Its main attack vector is weak passwords on insecurely configured Windows servers exposing the remote desktop service. The attacker brute-forces a password, logs in over Remote Desktop and can then interact with the system as if sitting in front of it, including running the ransomware by hand. Abusing Remote Desktop in this way has become increasingly common over the last few months, especially for deploying ransomware like Apocalypse.


The earliest variants install themselves as %appdata%\windowsupdate.exe and create a run key named windows update under both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE. This variant appends the .encrypted extension to the files it encrypts. A ransom note is created for every file, named *filename*.How_To_Decrypt.txt, and lists the addresses dr.compress@us1.l.a, dr.compress@bk.ru, dr.jimbo@bk.ru and dr.decrypter@bk.ru.




On 9 June, another version of Apocalypse was discovered. This variant uses a different location, run key name and email address: the ransomware installs itself as %ProgramFiles%\windowsupdate.exe, creates a run key named windows update svc, and uses the address decryptionservice@mail.ru.


On 22 June, the newest variant was discovered, and it changed a lot more. Instead of windowsupdate it uses firefox as its name: it installs itself as %ProgramFiles%\firefox.exe and creates a run key named firefox update checker. The new extension is .SecureCrypted and the ransom note is now named *filename*.Contact_Here_To_Recover_Your_Files.txt. The email address used is recoveryhelp@bk.ru.
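
The three variants above differ in exactly the kind of symptoms Michael Gillespie describes in the interview on this page: ransom note filename, appended extension, contact address in the note, plus the autorun entry and drop path an incident responder finds on the host. The following Python is an added example, not ID Ransomware’s code or Emsisoft’s, of how such a symptom-based identifier works. Its rule set is built only from the indicators listed in this article (for the 9 June variant the extension and note name are assumed unchanged from the first variant, since the article lists only what changed; the Fabiansomware entry carries only the e-mail address named above), and the ransom notes and filenames it is run against are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Loose e-mail matcher; good enough for pulling contact addresses out of a note.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# How much each indicator class counts. E-mail, run key and drop path are
# specific to one variant; extension and note name are shared across variants.
WEIGHTS = {"email": 2, "run-key": 2, "install-path": 2, "note-name": 1, "extension": 1}


@dataclass(frozen=True)
class Signature:
    """Symptoms of one ransomware variant, compared case-insensitively."""
    name: str
    extensions: Tuple[str, ...] = ()      # appended to encrypted files
    note_suffixes: Tuple[str, ...] = ()   # endings of the ransom note filename
    emails: Tuple[str, ...] = ()          # contact addresses in the note
    run_keys: Tuple[str, ...] = ()        # autorun value names
    install_paths: Tuple[str, ...] = ()   # drop locations, env vars unexpanded


# Rule set built from the indicators in the article above.
SIGNATURES: Tuple[Signature, ...] = (
    Signature(
        name="Apocalypse (May 2016 variant)",
        extensions=(".encrypted",),
        note_suffixes=(".How_To_Decrypt.txt",),
        emails=("dr.compress@us1.l.a", "dr.compress@bk.ru", "dr.jimbo@bk.ru", "dr.decrypter@bk.ru"),
        run_keys=("windows update",),
        install_paths=(r"%appdata%\windowsupdate.exe",),
    ),
    Signature(
        name="Apocalypse (9 June 2016 variant)",
        extensions=(".encrypted",),              # assumed unchanged from May variant
        note_suffixes=(".How_To_Decrypt.txt",),  # assumed unchanged from May variant
        emails=("decryptionservice@mail.ru",),
        run_keys=("windows update svc",),
        install_paths=(r"%programfiles%\windowsupdate.exe",),
    ),
    Signature(
        name="Apocalypse (22 June 2016 variant)",
        extensions=(".SecureCrypted",),
        note_suffixes=(".Contact_Here_To_Recover_Your_Files.txt",),
        emails=("recoveryhelp@bk.ru",),
        run_keys=("firefox update checker",),
        install_paths=(r"%programfiles%\firefox.exe",),
    ),
    Signature(
        name="Fabiansomware (Apocalypse, August 2016)",
        emails=("fabianwosar@mail.ru",),          # only indicator given in the article
    ),
)


def extract_emails(note_text: str) -> List[str]:
    """Return the distinct e-mail addresses found in a ransom note, lowercased."""
    return sorted({m.lower() for m in EMAIL_RE.findall(note_text)})


def match_signature(sig: Signature, note_filename: str, note_text: str,
                    encrypted_filename: str, run_keys: Iterable[str],
                    install_path: str) -> Tuple[int, List[str]]:
    """Score one signature against the observed symptoms; returns (points, hits)."""
    hits: List[str] = []
    note_lc, enc_lc, path_lc = note_filename.lower(), encrypted_filename.lower(), install_path.lower()
    keys_lc = {k.lower() for k in run_keys}
    found = set(extract_emails(note_text))
    hits += [f"email:{e}" for e in sig.emails if e.lower() in found]
    if any(note_lc.endswith(s.lower()) for s in sig.note_suffixes):
        hits.append("note-name")
    if any(enc_lc.endswith(x.lower()) for x in sig.extensions):
        hits.append("extension")
    hits += [f"run-key:{k}" for k in sig.run_keys if k.lower() in keys_lc]
    if path_lc and path_lc in {p.lower() for p in sig.install_paths}:
        hits.append("install-path")
    points = sum(WEIGHTS[h.split(":", 1)[0]] for h in hits)
    return points, hits


def identify(note_filename: Optional[str] = None, note_text: str = "",
             encrypted_filename: Optional[str] = None, run_keys: Iterable[str] = (),
             install_path: Optional[str] = None) -> List[Tuple[str, int, List[str]]]:
    """Rank known signatures by matched indicators; an empty list means no match."""
    ranked = []
    for sig in SIGNATURES:
        points, hits = match_signature(sig, note_filename or "", note_text,
                                       encrypted_filename or "", run_keys, install_path or "")
        if points:
            ranked.append((sig.name, points, hits))
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


if __name__ == "__main__":
    # Constructed symptoms, not a real victim's data.
    for name, points, hits in identify(
        note_filename="report.xlsx.Contact_Here_To_Recover_Your_Files.txt",
        note_text="All your files are encrypted. Write to recoveryhelp@bk.ru for the decrypter.",
        encrypted_filename="report.xlsx.SecureCrypted",
        run_keys=("firefox update checker",),
        install_path=r"%ProgramFiles%\firefox.exe",
    ):
        print(f"{name}: {points} points, matched {hits}")
```

A responder would feed `identify` the note and one encrypted filename from the victim, plus the `HKCU`/`HKLM` Run value names and the path they point at. Because extension and note name are shared between the May and June variants, a note alone yields a tie; the e-mail address or the run key is what settles which variant, and therefore which decrypter, applies.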


Our lab continues to find and crack new strains.


What you can do


The most important line of defence is a proper password policy, enforced for every account that has remote access to the system. This applies just as much to rarely used accounts created for testing purposes or by applications, which are the ones attackers count on being weak.


Apocalypse and many other families spread via Remote Desktop Protocol (RDP). Whether you are a small business owner or a large company, make sure your RDP and other remote control ports are not reachable from the internet.


Better still, disable Remote Desktop or Terminal Services completely if they are not required, or at least use IP address based restrictions so that these services accept connections from trusted networks only.
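
Besides closing the door, it pays to notice someone rattling it. The brute-force attacks that deliver Apocalypse leave a trail of failed logons in the Windows Security log: event 4625 with logon type 10 (RemoteInteractive, i.e. RDP), many in a short time from one source address, sometimes followed by a 4624 success for whichever account finally gave way. The Python below is an added example, not part of the original post or of any Emsisoft product, of that detection logic. It runs over a constructed export of such events (the comma-separated format and every line in it are made up for the example; in practice the fields would come from the Security log via your log collector) and flags any source that fails more than a threshold of RDP logons inside a sliding window, recording the account that then logged in successfully.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample export (not real log data): timestamp, event ID, logon type,
# source IP, account. 4625 = failed logon, 4624 = successful logon;
# logon type 10 = RemoteInteractive (RDP), type 2 = interactive console logon.
SAMPLE_LOG = """\
2016-08-29 02:14:05,4625,10,203.0.113.7,administrator
2016-08-29 02:14:06,4625,10,203.0.113.7,admin
2016-08-29 02:14:06,4625,10,203.0.113.7,backup
2016-08-29 02:14:07,4625,10,203.0.113.7,test
2016-08-29 02:14:08,4625,10,203.0.113.7,sqlsvc
2016-08-29 02:14:09,4625,10,203.0.113.7,administrator
2016-08-29 02:14:31,4624,10,203.0.113.7,test
2016-08-29 02:20:00,4625,10,198.51.100.9,jsmith
2016-08-29 02:25:00,4625,10,198.51.100.9,jsmith
2016-08-29 02:25:10,4624,10,198.51.100.9,jsmith
2016-08-29 03:00:00,4625,2,192.0.2.10,jdoe
"""

RDP_LOGON_TYPE = 10
FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624


def parse_events(text: str) -> List[dict]:
    """Parse the constructed export into event dicts, in file order."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, logon_type, ip, account = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "source_ip": ip,
            "account": account.lower(),
        })
    return events


def detect_rdp_bruteforce(events: List[dict], threshold: int = 5,
                          window_seconds: int = 60) -> Dict[str, dict]:
    """Flag source IPs with at least `threshold` failed RDP logons inside a sliding window.

    Events must be in chronological order. For a flagged source, the first
    successful RDP logon that follows is recorded as the likely compromised account.
    """
    window = timedelta(seconds=window_seconds)
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)  # ip -> (time, account)
    alerts: Dict[str, dict] = {}
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # console and network logons are out of scope here
        ip = ev["source_ip"]
        if ev["event_id"] == FAILED_LOGON:
            q = recent[ip]
            q.append((ev["time"], ev["account"]))
            while q and ev["time"] - q[0][0] > window:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {"failures": 0, "accounts": set(),
                                               "first": q[0][0], "last": None, "compromised": None})
                alert["failures"] = max(alert["failures"], len(q))  # peak count within one window
                alert["accounts"].update(acct for _, acct in q)
                alert["last"] = ev["time"]
        elif ev["event_id"] == SUCCESSFUL_LOGON and ip in alerts and alerts[ip]["compromised"] is None:
            alerts[ip]["compromised"] = ev["account"]
    return alerts


if __name__ == "__main__":
    for ip, a in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {a['failures']} RDP failures against {sorted(a['accounts'])} "
              f"between {a['first']} and {a['last']}; logged in as {a['compromised']!r}")
```

With the defaults, the second source in the sample (two failures five minutes apart) is not flagged, because the window has expired between them; widening the window to ten minutes and lowering the threshold to two catches that slower pattern as well, at the cost of more noise from ordinary mistyped passwords. Tune both against your own baseline, and treat a flagged source followed by a 4624 as an incident, not a warning.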




Friday, September 2, 2016

Change your passwords now: Dropbox hack affects 68 million users



A Dropbox security breach that occurred in 2012 is now affecting millions of users, as email addresses and password hashes from the breach have appeared for sale online.


A roughly 5GB data dump obtained by Motherboard suggests that the details of over 60 million Dropbox accounts have been released online. A senior Dropbox employee confirmed the dump is genuine; it contains users’ email addresses and hashed passwords.


Dropbox forced password resets last week for accounts whose passwords had not been changed since 2012, but it has not confirmed how many users are affected. The company says it has no evidence of any account being accessed as a result of this breach, but urges users to change their passwords immediately as a precaution.




What you can do


  • If you are unsure whether your account has been compromised, you can check at haveibeenpwned.com, which searches a database of known breaches and tells you whether your email address appears in any of them. The site is safe to use and you only need to enter your email address.

  • Change your Dropbox password immediately. If your password is among the millions stolen, it cannot be used once it has been replaced with a new one. Even if you are not sure your details have been leaked, it does not hurt to be safe.

  • Never use the same password across multiple sites. If it is compromised on one, assume it will be tried against others such as your internet banking or email accounts.

  • Update passwords regularly.

  • Use a password generator to create a long, random string of letters, numbers and symbols. This cannot stop your details being extracted from a breached website, but it does ensure that your password cannot be guessed, and that a stolen hash is far harder to crack.
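
Both breach write-ups on this page end with the same advice: generate unique random passwords and never reuse one. Here is an added example in Python, not code from the original posts or from any password manager mentioned on them, of what “random” has to mean for that advice to hold: the password is drawn from the operating system’s cryptographic random source (`secrets`, never the `random` module, whose output is predictable), its length is chosen to reach a target number of bits of entropy rather than picked arbitrarily, and a small helper finds reuse across a vault export. The 80-bit target, the `find_reused` helper and the vault contents are this example’s own choices and constructed data.

```python
import math
import secrets
import string
from typing import Dict, List

# Character set the generator draws from: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def length_for_entropy(target_bits: float, alphabet_size: int) -> int:
    """Smallest length at which a uniformly random password reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """Generate a password with the OS CSPRNG. secrets.choice is uniform over the alphabet."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_for_entropy(target_bits: float = 80.0, alphabet: str = ALPHABET) -> str:
    """Generate a password just long enough to carry `target_bits` of entropy (80 assumed here)."""
    return generate_password(length_for_entropy(target_bits, len(alphabet)), alphabet)


def find_reused(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Map every password that appears for more than one site to the sites sharing it.

    `vault` is a {site: password} mapping such as a password manager export.
    """
    by_password: Dict[str, List[str]] = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    pw = generate_for_entropy(80)
    print(f"{pw}  ({len(pw)} chars, {entropy_bits(len(pw), len(ALPHABET)):.1f} bits)")
    # Constructed vault export, not real credentials.
    vault = {"mail": "Tr0ub4dor&3", "bank": "Tr0ub4dor&3", "shop": "correct horse battery"}
    for shared, sites in find_reused(vault).items():
        print(f"password reused on {', '.join(sites)}")
```

Two points worth noting. First, 80 bits from a 94-symbol alphabet needs 13 characters; a site that caps passwords at 8 or 10 characters is forcing you below that, which is one more reason not to reuse whatever it lets you set. Second, the entropy figure only holds for passwords generated this way; a human-chosen string of the same length is worth far less, because cracking tools try likely patterns first.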

Have a great (malware-free) day!


 


