It is unclear whether the email was the result of a compromise of Epsilon's servers (and the NYTimes private key), or whether it was accidentally sent to all subscribers instead of the intended subset
WPS (Wi-Fi Protected Setup) was created to let users set up secure wireless networks more easily
WPS offers either an 8-digit PIN or a push-button (PBC) mode on both the AP and the client device
This vulnerability is specifically in the 8-digit PIN method
An 8-digit PIN gives a nominal key space of 10^8 (100 million) PINs
However, the last digit of the PIN is actually a checksum of the first seven, intended to catch typing errors, so only 10^7 PINs are valid
The attack exploits a design flaw in the WPS protocol: the PIN is verified in two halves, and the AP's response to a failed attempt (an EAP-NACK after message M4 instead of after M6) tells the attacker whether the first 4 digits of the PIN were correct
The attacker therefore needs at most 10^4 guesses for the first half and, with the last digit derived from the checksum, at most 10^3 for the second half, which narrows the effective key space to 10^4 + 10^3 (11,000) PINs instead of 10^8
Even 11,000 attempts could be kept impractical by locking out or rate-limiting failed attempts, but it was discovered that many devices implement no lockout at all, making brute force attacks much easier and faster
Rapid brute force attempts were also observed to have a denial-of-service effect on the targeted AP, exhausting its processor time in responding to the authentication requests
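The arithmetic above, as an added example that is not code from the original page: the WPS PIN checksum, the half-by-half oracle the AP leaks, and a brute force that finishes in at most 11,000 registration attempts. The access point is a constructed stand-in (an assumption, not a real WPS stack) that only models the M4/M6 success-or-NACK behaviour, with an optional lockout so the effect of the missing rate limiting can be measured; the sample PINs are constructed.

```python
"""Added example: WPS PIN search space and the half-by-half oracle.

Not code from the original page; the 'access point' below is a constructed
stand-in that models only the oracle behaviour described in the text.
"""
from typing import Optional


def wps_checksum(first_seven: int) -> int:
    """Check digit of a WPS PIN, derived from its first seven digits.

    Algorithm from the WPS specification (hostapd's wps_pin_checksum is the
    same): digit weights 3,1,3,1,3,1,3 from the most significant digit, and
    the check digit makes the weighted sum a multiple of 10.
    """
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True if an 8-digit string is a well-formed WPS PIN (last digit = checksum)."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


class MockAccessPoint:
    """Constructed stand-in for the WPS enrollee (AP) side; an assumption, not a real stack.

    In the real exchange the attacker, acting as an external registrar, proves
    knowledge of the first PIN half in M4 and of the second half in M6; the AP
    answers M5/M7 on success and EAP-NACK on failure. Only that oracle is
    modelled, plus an optional failure lockout (absent on many devices).
    """

    def __init__(self, pin: str, lockout_after: int = 0, lockout_seconds: int = 0):
        assert is_valid_pin(pin), "AP must be configured with a valid PIN"
        self._first, self._second = pin[:4], pin[4:]
        self.lockout_after, self.lockout_seconds = lockout_after, lockout_seconds
        self.sessions = 0            # registration attempts the AP has seen
        self.wait_seconds = 0        # time the attacker spent locked out
        self._consecutive_failures = 0

    def _record(self, ok: bool) -> bool:
        self.sessions += 1
        if ok:
            self._consecutive_failures = 0
        else:
            self._consecutive_failures += 1
            if self.lockout_after and self._consecutive_failures >= self.lockout_after:
                self.wait_seconds += self.lockout_seconds
                self._consecutive_failures = 0
        return ok

    def try_first_half(self, guess: str) -> bool:
        """M4 round: True models an M5 reply (first half right), False an EAP-NACK."""
        return self._record(guess == self._first)

    def try_second_half(self, guess: str) -> bool:
        """M6 round, sent after a correct first half: True models M7 (PIN confirmed)."""
        return self._record(guess == self._second)


def brute_force_pin(ap: MockAccessPoint) -> Optional[str]:
    """Recover the PIN in at most 10^4 + 10^3 = 11,000 registration attempts."""
    first = None
    for i in range(10_000):                      # phase 1: first four digits
        guess = f"{i:04d}"
        if ap.try_first_half(guess):
            first = guess
            break
    if first is None:
        return None
    for j in range(1_000):                       # phase 2: three free digits + checksum
        three = f"{j:03d}"
        second = three + str(wps_checksum(int(first + three)))
        if ap.try_second_half(second):
            return first + second
    return None


if __name__ == "__main__":
    ap = MockAccessPoint("12345670")             # constructed sample PIN
    print(brute_force_pin(ap), "recovered after", ap.sessions, "attempts")
    slow = MockAccessPoint("99999995", lockout_after=3, lockout_seconds=60)
    brute_force_pin(slow)
    print("worst case with a 60 s lockout every 3 failures:", slow.sessions,
          "attempts,", slow.wait_seconds // 3600, "hours spent locked out")
```

Without a lockout the worst case is exactly 11,000 attempts, bounded by the AP's response time; the same run against an AP that locks out for 60 seconds after three failures adds over 60 hours of waiting, which is the difference rate limiting makes.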
Security researcher Karsten Nohl, known for his research into exploiting GSM to tap/eavesdrop on mobile phone calls, is set to present new research that he says allows an attacker to impersonate your phone, making calls and sending text messages to expensive premium services operated by the attacker
Similar toll-fraud attacks are commonly executed against corporate landline PBX systems: the attacker breaks in, places expensive per-minute calls to premium numbers they control, collects large sums of money, and disappears before the victim gets their next phone bill and notices the problem
In the days of dial-up, "dialer" malware that made the computer place similar expensive phone calls in the middle of the night was also fairly common
The vulnerability only affects the older 2G GSM network, however almost all phones still support GSM as a fallback when newer 3G networks are not available
“We can do it to hundreds of thousands of phones in a short time frame,” Nohl told Reuters
The website of US security think tank Strategic Forecasting Inc (Stratfor) was compromised by attackers under the banner of the Anonymous movement
Other members of Anonymous stated that the attack was not an official operation and that, because Stratfor is a media source, it is protected by freedom of the press, a principle the Anonymous movement values highly
The pastebin posts are only tagged #antisec and #lulzxmas, and may have been attributed to Anonymous by the media without basis
Stratfor has suspended the operation of its website and email
The attackers obtained the credit card details, passwords, and addresses of 4,000 of Stratfor's private clients
The attackers claimed to have stolen 200GB of data, including emails and research
The goal of the #lulzxmas campaign was apparently to make $1 million in donations to charities using the stolen credit cards
Other Twitter posts claim the total number of stolen credit cards was in excess of 90,000. Of these, two lists containing 3,956 and 13,191 entries respectively have been published
The data is said to include the CVV values for the credit cards. PCI DSS prohibits storing the CVV (it is sensitive authentication data) after a transaction is authorized precisely so that a database compromise does not disclose it, and online stores that require the CVV can still reject fraudulent transactions
The users' passwords also appear to have been poorly protected. The data released via pastebin had the passwords as MD5 hashes, but even if that is how they were stored in the database, unsalted MD5 is insufficient protection: it is cheap to compute, identical passwords produce identical hashes, and most of them can be recovered with a dictionary attack
Most of these fraudulent donations will likely be charged back, actually costing the charities money
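To make the password point concrete, an added example that is not code or data from the original page or from Stratfor: a constructed table of unsalted MD5 password hashes cracked with a tiny wordlist, beside the same passwords stored with a per-user salt and an iterated hash (PBKDF2-HMAC-SHA256 from the standard library). The usernames, passwords and wordlist are constructed, and the iteration count is a demonstration value, not a production recommendation.

```python
"""Added example: unsalted MD5 versus salted, iterated password hashing.

All accounts, passwords and the wordlist are constructed for illustration;
nothing here comes from the original page or the breach it describes.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed passwords for four accounts; two users chose the same password.
PASSWORDS = {
    "alice": "password1",
    "bob": "welcome1",
    "carol": "password1",
    "dave": "x9!Qm#Lp2vT",      # not in the wordlist below
}

# Constructed wordlist; a real attack uses millions of entries.
WORDLIST = ["123456", "password", "password1", "letmein", "welcome1", "qwerty"]

# What a leaked table of unsalted MD5 hashes looks like: alice and carol share a hash.
LEAKED_MD5 = {user: hashlib.md5(pw.encode()).hexdigest() for user, pw in PASSWORDS.items()}


def crack_unsalted_md5(hashes: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Dictionary attack on unsalted hashes.

    Each candidate word is hashed ONCE and matched against every account at the
    same time, so the cost is one fast MD5 per word regardless of user count.
    Returns (recovered passwords, hash computations spent).
    """
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    found = {user: lookup[h] for user, h in hashes.items() if h in lookup}
    return found, len(lookup)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Salted, iterated hash: a random 16-byte salt per user, PBKDF2-HMAC-SHA256.

    Salt and iteration count are stored with the hash so it can be verified later
    and the work factor raised over time. 100,000 iterations is a demo value.
    """
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_salted_store(passwords: Dict[str, str], iterations: int = 100_000) -> Dict[str, str]:
    return {user: hash_password(pw, iterations=iterations) for user, pw in passwords.items()}


def crack_salted(stored: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """The same dictionary attack against the salted store.

    Every (user, word) pair needs its own PBKDF2 run, each of which costs
    `iterations` HMAC computations, so weak passwords still fall but the work
    scales with users x words x iterations instead of just words.
    """
    found, ops = {}, 0
    for user, record in stored.items():
        for word in wordlist:
            ops += 1
            if verify_password(word, record):
                found[user] = word
                break
    return found, ops


if __name__ == "__main__":
    print("MD5 dump shares hashes:", LEAKED_MD5["alice"] == LEAKED_MD5["carol"])
    print("unsalted:", crack_unsalted_md5(LEAKED_MD5, WORDLIST))
    store = build_salted_store(PASSWORDS)
    print("salted hashes differ:", store["alice"] != store["carol"])
    print("salted:", crack_salted(store, WORDLIST))
```

The salted store does not rescue users who picked a wordlist password, but it removes the "crack everyone at once" property of the unsalted dump, hides which users share a password, and makes each guess cost an iterated hash rather than a single MD5.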
Stratfor describes itself as a provider of strategic intelligence for business, economic, security and geopolitical affairs
Stratfor said it was working with law enforcement to attempt to apprehend the attackers
“Stratfor’s relationship with its members and, in particular, the confidentiality of their subscriber information, are very important to Stratfor and me,” wrote Mr. Friedman (Chief Executive of Stratfor) in an email to clients
“Contrary to this assertion the disclosure was merely a list of some of the members that have purchased our publications and does not comprise a list of individuals or entities that have a relationship with Stratfor beyond their purchase of our subscription-based publications,”