That Adobe breach we told you about? It’s about 10x worse than originally reported, we’ll share the details.
Plus PHP.net gets compromised, howto future proof your storage, and much much more!
On this week’s TechSNAP!
Adobe breach worse than originally thought, number of impacted customers now at least 38 million
- Adobe is continuing its flurry of password resets, which now extend to more than 38 million customers
- Adobe has also revised its original list of applications for which the source code was leaked to include the entire Photoshop family of programs
- “This past weekend, AnonNews.org posted a huge file called ‘users.tar.gz’ that appears to include more than 150 million username and hashed password pairs taken from Adobe” – This number apparently includes inactive and test accounts; the 38 million figure mentioned earlier covers only the accounts considered ‘active’
- A company spokesperson said Adobe has no indication that there has been any unauthorized activity on any Adobe ID involved in the incident
- As part of its resolution of the breach, Adobe is offering customers a year’s worth of free credit monitoring… from Experian (see last week’s story about how Experian was caught selling personal data to identity thieves)
- Additional Coverage
PHP.net compromised, serves malware and is blocked by Google Safe Browsing
- On 24 Oct 2013 06:15:39 +0000 Google started saying www.php.net was hosting malware. The Google Webmaster Tools were initially quite delayed in showing the reason why, and when they did it looked a lot like a false positive, because we had some minified/obfuscated JavaScript being dynamically injected into userprefs.js.
- To summarise, the situation right now is that:
- JavaScript malware was served to a small percentage of php.net users from the 22nd to the 24th of October 2013.
- Neither the source tarball downloads nor the Git repository were modified or compromised.
- Two php.net servers were compromised, and have been removed from service. All services have been migrated to new, secure servers.
- SSL access to php.net Web sites is temporarily unavailable until a new SSL certificate is issued and installed on the servers that need it.
- Over the next few days: php.net users will have their passwords reset. Note that users of PHP are unaffected by this: this is solely for people committing code to projects hosted on svn.php.net or git.php.net.
- As part of this, the php.net systems team have audited every server operated by php.net, and have found that two servers were compromised: the server which hosted the www.php.net, static.php.net and git.php.net domains, and was previously suspected based on the JavaScript malware, and the server hosting bugs.php.net.
- All affected services have been migrated off those servers. We have verified that our Git repository was not compromised, and it remains in read only mode as services are brought back up in full.
- As it’s possible that the attackers may have accessed the private key of the php.net SSL certificate, we have revoked it immediately.
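The php.net compromise was first visible as obfuscated JavaScript dynamically injected into a static file. One defender-side check that surfaces that kind of change is to compare each served asset against a known-good baseline and inspect whatever was added for obfuscation markers or minified blobs. This is an added example, not php.net’s own tooling; the baseline file content, the injected line and the “legitimate edit” are all constructed stand-ins.

```python
import difflib
import hashlib
import re

# Constructed known-good copy of a static asset, standing in for userprefs.js.
BASELINE_JS = """var userprefs = {lang: "en", theme: "light"};
function savePrefs(p) { localStorage.setItem("prefs", JSON.stringify(p)); }
"""

# Constructed served copy with an obfuscated one-liner appended, the shape of
# the php.net injection. The blob is inert filler; nothing here executes it.
INJECTED_JS = BASELINE_JS + (
    "eval(unescape('%66%69%6c%6c%65%72')+String.fromCharCode(70,73,76,76));\n"
)

# Constructed legitimate edit: a readable change that must not be flagged.
EDITED_JS = BASELINE_JS.replace('"light"', '"dark"')

# Constructs commonly seen in obfuscated JavaScript droppers.
MARKERS = re.compile(
    r"\beval\s*\(|\bunescape\s*\(|String\.fromCharCode|document\.write\s*\(|\\x[0-9a-fA-F]{2}"
)
MINIFIED_LINE_LEN = 300  # hand-written source rarely has lines this long

def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

def added_lines(baseline: str, served: str) -> list:
    """Lines present in the served copy but not in the baseline."""
    diff = difflib.unified_diff(baseline.splitlines(), served.splitlines(),
                                lineterm="", n=0)
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]

def check_asset(baseline: str, served: str) -> dict:
    """Classify a served asset as clean, modified (review) or suspicious."""
    if sha256_hex(baseline) == sha256_hex(served):
        return {"verdict": "clean", "markers": [], "longest_added_line": 0}
    added = added_lines(baseline, served)
    markers = sorted(set(MARKERS.findall("\n".join(added))))
    longest = max((len(l) for l in added), default=0)
    verdict = "suspicious" if markers or longest > MINIFIED_LINE_LEN else "modified"
    return {"verdict": verdict, "markers": markers, "longest_added_line": longest}

if __name__ == "__main__":
    for name, served in (("baseline", BASELINE_JS), ("injected", INJECTED_JS),
                         ("edited", EDITED_JS)):
        print(name, check_asset(BASELINE_JS, served))
```

A real deployment would keep the baseline hashes outside the web server (since here the server itself was compromised) and fetch the assets the way a visitor does, so that content injected only at serve time is caught.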
Researchers at Vicarious software claim to be able to defeat 90% of Captchas
- “Vicarious is developing machine learning software based on the computational principles of the human brain. Our first technology is a visual perception system that interprets the contents of photographs and videos in a manner similar to humans.”
- They claim that, using this technology, they can defeat 90% of the common anti-bot technology used to defend websites against automated usage
- While no paper or code has been shared, they provide a demonstration video that appears fairly compelling
- If their claim is true, this could be a huge setback for the internet
- Captchas are often used to prevent automated signups for services, to defend login systems from brute force attempts, and to moderate spam in online discussion and comment forums
- CAPTCHA creator Luis von Ahn of Carnegie Mellon University says “This is the 50th time somebody claims this. I don’t really get how they think this is news :)”
- The writer from ScienceMag jumped on a Skype call with the company and sent them 4 sample CAPTCHAs: a reCAPTCHA and a PayPal CAPTCHA were both solved, however another containing Cyrillic characters was not (the company says they have not trained their system on non-Latin characters yet), and one containing a checkerboard pattern was also not solved immediately.
- If this research got into the wrong hands, it could be used to defeat protection systems across the internet, flooding websites with spam, evading brute force protection systems and otherwise wreaking havoc
Feedback:
Round Up:
- Announcing The Dark Mail Alliance – Founded by Silent Circle & Lavabit
- Keynote: Tradeoffs in Cyber Security – Cyber Security Symposium, University of North Carolina
- NSA infiltrates links to Yahoo, Google data centers worldwide, Snowden documents say
- ShellCheck – a “Static” analyzer for shell script, finds many common flaws and mistakes
- How the NSA is infiltrating private networks
- Researcher exposes issues with online music charts like Spotify, how to make money with fake music + amazon EC2 instances, and how to get your rival’s account suspended
- Why you shouldn’t interrupt a programmer
- FAA develops new guidelines for the use of Personal Electronic Devices during all phases of flight – Airlines must test each airframe and pass a safety approval process
- Bluecoat security blog Roundup of recent news
- HP sues seven optical drive manufacturers over alleged price fixing
- De-anonymizing users of French political forums
- Cyber Dialog 2013 – Canada Centre for Global Security Studies, University of Toronto
- Doing Strong Cryptography in the Browser