
Russian hackers collect 1.2 billion usernames and passwords, and while questions remain the details are compelling.
Plus simply working around two-factor authentication, crypto-malware that targets NAS Boxes, your questions, our answers and much more!
— Show Notes: —
Reportedly 1.2 billion username and password combinations found in Russian cybercrime stash
- The data was apparently stolen from 420,000 different websites using SQL injection and other common techniques
- Original post at Hold Security
- “So far, the criminals have not sold many of the records online. Instead, they appear to be using the stolen information to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work.”
- The Russian cybercrime group (called CyberVor by Hold Security) appears to have used a large botnet to scan most of the internet looking for vulnerable sites and software and collecting as much data as possible
- “Criminals were able to collect 4.5 billion records — each a user name and password — though many overlapped. After sorting through the data, Hold Security found that 1.2 billion of those records were unique”
- Because of the varied sources of the data, the passwords are likely a mix of plain text, simple hashes (md5, sha1, sha256), esoteric constructions like md5(salt.password.salt) or md5(salt.md5(password)), and proper cryptographic password hashes
- Original Coverage from 6 months ago
- Alex Holden was the researcher who originally discovered the Adobe breach late last year, and tracked the trafficking of the stolen Target data
- Krebs has a Q&A on the subject, based on his past work with Alex Holden of Hold Security
- There has been a bit of backlash against Hold Security, because they are charging $120/year for their “Breach Notification Service” (BNS) to be alerted if your website was one of the ones compromised
- Sophos and others still have questions about the data from CyberVor
- While still under construction, there is an individual version of the service that will allow you to find out if your electronic identity was found in the possession of the CyberVor gang; it will be provided free for the first 30 days
- This service will take a SHA512 hash of your password(s), and then compare that to the passwords in the data dump, notifying you which of your passwords may have been compromised
- The problem with this approach is that if a compromised site used proper cryptographic hashes, the only way to compare them against your password without knowing it in plain text is to brute-force the hash back to plain text. If Hold Security had your plain text password, they could compare it to the database much more quickly and accurately, but that would make them a bigger security threat than the exposure of the hashed passwords
- Additional Coverage: Forbes
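To make the comparison problem above concrete, here is an added example (written for these notes, not code from Hold Security or its service) that models a dump in which one password was stored four different ways, and shows what a SHA512-only submission can and cannot be checked against versus what holding the plain text allows. All values and site names are constructed.

```python
import hashlib
import hmac

def hexdigest(alg, text):
    return hashlib.new(alg, text.encode()).hexdigest()

def pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()

# Constructed sample (all values made up): one leaked credential as four breached
# sites stored it. "recovered" is the plain text the dump holder already has:
# set for plain-text stores and reversible unsalted hashes, None for the rest.
PASSWORD, SALT = "correct horse", "x9q2"
DUMP = [
    {"site": "a.example", "scheme": "plain", "value": PASSWORD, "recovered": PASSWORD},
    {"site": "b.example", "scheme": "md5", "value": hexdigest("md5", PASSWORD), "recovered": PASSWORD},
    {"site": "c.example", "scheme": "md5(salt.password.salt)", "salt": SALT,
     "value": hexdigest("md5", SALT + PASSWORD + SALT), "recovered": None},
    {"site": "d.example", "scheme": "pbkdf2-sha256", "salt": SALT,
     "value": pbkdf2(PASSWORD, SALT), "recovered": None},
]

def recompute(rec, password):
    """Re-derive a record's stored value from a candidate plain text."""
    if rec["scheme"] == "plain":
        return password
    if rec["scheme"] == "md5":
        return hexdigest("md5", password)
    if rec["scheme"] == "md5(salt.password.salt)":
        return hexdigest("md5", rec["salt"] + password + rec["salt"])
    if rec["scheme"] == "pbkdf2-sha256":
        return pbkdf2(password, rec["salt"])
    raise ValueError(rec["scheme"])

def same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())

def check_with_fingerprint(sha512_of_password, dump):
    """SHA512-only submission: a record can be compared only if the dump holder
    already has its plain text; properly hashed records stay unknown."""
    return {rec["site"]: "unknown" if rec["recovered"] is None
            else "exposed" if same(hexdigest("sha512", rec["recovered"]), sha512_of_password)
            else "clear" for rec in dump}

def check_with_plaintext(password, dump):
    """Plain-text submission: every scheme, salted or not, can be re-derived and
    compared, which is also why holding the plain text is the riskier design."""
    return {rec["site"]: "exposed" if same(recompute(rec, password), rec["value"])
            else "clear" for rec in dump}
```

Running both checks on the same dump shows the trade-off from the notes: the fingerprint check reports "unknown" for the salted records, while the plain-text check resolves all four.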
PayPal 2 factor authentication contained simple bypass used for linking eBay account
- While investigating the usefulness of the PayPal 2 Factor Authentication system, a security researcher (Joshua Rogers) was astonished to find a simple bypass
- PayPal (owned by eBay) has a system to link your eBay account to your PayPal account to facilitate sending and receiving payments in connection with auctions
- This system works by sending an additional HTTP GET parameter when directing the user to the PayPal login or signup page
- By using “cmd=_integrated-registration” in the request, PayPal skips asking for any two factor authentication, allowing an attacker that knows your username and password to access your account without requiring the second factor
- The exploit can be used without needing to have an affiliated eBay account
- The issue was reported to PayPal on June 5th 2014, who replied on June 27th and July 4th
- After two months the issue has not been resolved, so the researcher released his findings
- It is not clear if the issue was reported via the PayPal Bug Bounty program, but if it was, publicly disclosing the vulnerability voids the researcher's eligibility for the bug bounty reward
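The bug class above is a second-factor decision that depends on a request parameter. The following is an added example (written for these notes, not PayPal's code) modelling a two-step login: the vulnerable variant lets the "cmd" flag skip the challenge, the hardened variant derives the policy only from the account's enrolment state. The account store, session class and function names are constructed for the example.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed account store (not real data): one user enrolled in a one-time code.
USERS = {"alice": {"password": "pw-alice", "totp_enrolled": True, "otp": "493021"}}

@dataclass
class Session:
    user: Optional[str] = None
    password_ok: bool = False
    second_factor_ok: bool = False

def _eq(a, b):
    return hmac.compare_digest(a.encode(), b.encode())

def _password_step(session, params):
    """Step 1, shared by both variants: verify the password and record it in the session."""
    acct = USERS.get(params.get("user", ""))
    if acct is None or not _eq(acct["password"], params.get("password", "")):
        return None
    session.user, session.password_ok = params["user"], True
    return acct

def login_vulnerable(session, params):
    """Models the reported flaw: a client-supplied 'cmd' meant to select the
    account-linking flow also decides whether the second factor is required."""
    acct = _password_step(session, params)
    if acct is None:
        return "denied"
    if acct["totp_enrolled"] and params.get("cmd") != "_integrated-registration":
        return "need_second_factor"
    session.second_factor_ok = True   # granted on the strength of a request flag
    return "authenticated"

def login_hardened(session, params):
    """Policy comes only from the account's enrolment state; 'cmd' may pick the
    post-login destination but never whether the challenge happens."""
    acct = _password_step(session, params)
    if acct is None:
        return "denied"
    if acct["totp_enrolled"]:
        return "need_second_factor"
    session.second_factor_ok = True
    return "authenticated"

def submit_second_factor(session, code):
    """Step 2: valid only in a session whose password step already succeeded."""
    if not session.password_ok or not _eq(USERS[session.user]["otp"], code):
        return "denied"
    session.second_factor_ok = True
    return "authenticated"
```

A regression test for this class of bug is simply to replay the full login with every known flow-selection parameter set and assert that an enrolled account still receives "need_second_factor".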
SynoLocker malware targets Synology NAS appliances, encrypts files and demands ransom
- New malware has surfaced that targets Synology NAS appliances exposed to the Internet
- Users are greeted by a screen telling them that the files on their NAS have been encrypted, and directing them to use Tor to visit a website and pay a 0.6 Bitcoin (~$350) ransom to get the decryption keys to regain access to their files
- It was not immediately clear how the NAS devices were being compromised
- Synology reports: “Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0”
- Users are encouraged to upgrade to the latest DSM 5.0 or:
  - For DSM 4.3, please install DSM 4.3-3827 or later
  - For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later
  - For DSM 4.0, please install DSM 4.0-2259 or later
- If you suspect you have been affected by this, Synology recommends following these steps:
  - Shutdown the Synology NAS to prevent any more files being encrypted
  - Contact the Synology support team at security@synology.com or fill out the support form
- Users whose files have already been encrypted may not be out of luck: yesterday a new service launched that can decrypt files locked by CryptoLocker, similar malware that targeted Windows
Feedback:
Round Up:
- P.F. Chang's posts an update about its security breach
- Microsoft blocks older versions of Skype, leaving customers using older versions of OS X without a version they can install. Linux users also need to upgrade to 4.3.0 or higher in order to connect
- Mozilla accidentally discloses the email addresses of 76,000 members of the Mozilla Developer Network, as well as 4,000 hashed passwords. The email and password columns were supposed to be sanitized from the database before it was published, but for a period of approximately 30 days this was not happening correctly
- Dan Geer @ Blackhat – Cybersecurity as Realpolitik
- CIA infosec guru: US govt must buy all zero-days and set them free
- US State Department Passport database (largest known Oracle database in the world) suffers outage, “crashed shortly after maintenance was performed. We believe the root cause of the problem was a combination of software optimization and hardware compatibility issues.”
- David Litchfield @ Blackhat: Oracle Database Redaction service is trivial to bypass
- Catherine Pearce and Patrick Thomas @ Blackhat: Multipath TCP may leave security appliances blind to new types of attacks
- The FinFisher spyware used by governments cannot intercept calls from the Metro version of Skype
- Docker does not provide security, stop assuming it does