A hacker claiming to have the login details of millions of LinkedIn users is advertising the data for sale online. The extensive list of user IDs and passwords, allegedly sourced from a cyber attack on the networking site four years ago, is on offer on the darknet, a sub-section of the internet not accessible through normal web browsers and often a platform for illegal activity. Around 6.5m details were posted online at that time, but LinkedIn's chief information security officer Cory Scott said he does not believe the extra data was gained as the result of a new security breach. "In 2012, LinkedIn was the victim of an unauthorised access and disclosure of some members' passwords. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords." News of the breach is the latest in a long line of cyber-attacks on major websites and companies, with telecoms firm TalkTalk and parental forum Mumsnet among those that have suffered security breaches in the last year.
Hong Kong companies and financial services institutions lag behind the US and Europe in cybersecurity measures because little emphasis is placed on security at board level, according to industry experts. Darren Argyle, chief information security officer of UK-based financial technology firm Markit, believes that Hong Kong banks and companies fall behind the US and Europe in beefing up cybersecurity even as the number of cyberattacks rises globally. He said the banking sector in Hong Kong had lagged in its uptake of cloud technology. He added that companies often view security as a cost of doing business, even as cyber criminals increasingly target corporations. CEOs of financial companies are now starting to ask what technology is in place to assure that they can respond adequately during a breach, he said. One way to mitigate the skills gap in Hong Kong is for the government to invest heavily in cybersecurity and related security start-ups, encouraging more Hongkongers to pursue a career in security, he said.
LinkedIn claims on its website to have over 433 million registered members. LinkedIn did not immediately respond to a request for comment. Attempts to contact the seller failed, but the administrators of LeakedSource, a data leak indexing website, claim to also have a copy of the data set and believe that the records do originate from the 2012 LinkedIn breach. "Only 117m accounts have passwords and we suspect the remaining users registered using Facebook or some similarity," they said. Hashing is a one-way operation that turns a string into a fixed-length, verifiable cryptographic digest called a hash; a stored hash can be checked against a candidate password but cannot be reversed directly, so attackers instead hash guesses and compare. When the 6.5 million LinkedIn password hashes were leaked in 2012, hackers managed to crack over 60 percent of them. LinkedIn users who haven't changed their passwords in a long time are advised to do so as soon as possible.
The vulnerability, CVE-2016-4010, is fixed in Magento version 2.0.6, issued overnight. Magento gave the flaw a 9.8 out of 10 severity score and explained that, with the fix, the platform's installation code is no longer accessible once the installation process is complete. "I recommend all Magento administrators to update their installations to the 2.0.6 patch," Rubin said. The chained attack combines smaller vulnerabilities, which Rubin has detailed in full, and relies on the REST or SOAP API being left enabled by default, which is the case in most installations. Much of the fault lies with the sizeable and dynamic API for each Magento module that customers use to run things like shopping carts. Rubin praised Magento for its code overhaul, which has seen vast re-writing, code improvements, and a bolstering of security.
The Nulled.IO board is used to trade and sell credit card and leaked identity information, hacking tools, cracks, and malware-creation kits. On May 6th, the hacker or hackers responsible for the breach dumped a 1.3 GB compressed archive online which, when expanded, is a 9.45 GB SQL file containing details of the website's cybercriminal users and their activities. According to RiskBased Security, which discovered the breach, the attack was likely possible because Nulled.IO ran the IP.Board community forum software, which has a number of known vulnerabilities. RiskBased Security said the full dump contains 536,064 user accounts, 800,593 user personal messages, 5,582 purchase records and 12,600 invoices, which could include donation records. All this information will, of course, likely be of interest to law enforcement officials, especially as it contains so much information about illegal activities. A particularly interesting discovery made by the RiskBased Security team is that there are 20 .gov email accounts in the leaked database, originating from countries such as the US, Turkey, the Philippines, Brazil, Malaysia, and Jordan.
It's no surprise to anyone that emails and social media accounts are hacked every single day. And if you cast your mind back to 2012, you might remember how millions of LinkedIn users were left vulnerable after it emerged that a Russian hacker was offloading over 6 million of their login details online. Well, he or she is back, and this time there are 117 million email addresses and passwords belonging to LinkedIn users up for grabs on an illegal dark web marketplace called The Real Deal for 5 bitcoin (approximately $2,200). Under the nickname Peace, the hacker has spoken to Motherboard and confirmed these logins come from the 2012 breach, which suggests LinkedIn did not make it known at the time just how widespread the hack was. The hacker added that while the majority of the passwords are hashed with the SHA-1 algorithm, over 90 percent have already been cracked. While you might not have your bank details saved to your LinkedIn profile, the information that could be pulled from your account is still extremely private and could potentially allow someone to steal your identity.
Robert Schifreen, the "white hat" at the centre of the 1980s controversy, compiled the archive, which details Schifreen's two-year-long legal travails following his open hack of Prestel, BT's pre-web online service. Schifreen and the late Steve Gold managed to hack into BT's Prestel Viewdata service, famously accessing the personal message box of Prince Philip in the process. Involving the Royals prompted BT into calling in the police, setting off a chain of events that led to the arrest of Schifreen and Gold in March 1985 and the subsequent prosecution of the two technology-enthusiast journalists.

Evening white hats

In presenting the archive, Robert Schifreen explained the context of 1980s hacking to an audience at TNMOC. Live systems were used for home banking, among other applications.

Bootnote

The Reg's take on how a hack on Prince Philip's Prestel account led to UK computer law, featuring interviews with Schifreen, former Detective Inspector John Austen, a senior investigating officer in the case, and Alistair Kelman, Gold's barrister throughout the case, can be found here.
LinkedIn is currently investigating the incident but appears to be uncertain about the amount of data stolen.

A hacker is attempting to sell account information, including emails and passwords, of 117 million LinkedIn users. The hacked data is reportedly from an older breach which affected LinkedIn in 2012. At the time of the hack, only 6.5 million hashed passwords were posted online. Security researcher Troy Hunt, who runs the website "Have I Been Pwned?", reportedly got in touch with several of the victims of the breach, two of whom confirmed that the passwords he shared with them were in fact the same as the ones they were using on LinkedIn at the time of the 2012 breach.

"Things about the LinkedIn breach: - Dates to 2012 - SHA1 with no salt (I believe it's changed since) - Weak passwords will be easily cracked" (Troy Hunt, @troyhunt, May 18, 2016)

LinkedIn spokesperson Hani Durzy did not confirm whether the data on sale on the dark web was legitimate but said that the firm was currently investigating the matter.
A hacker affiliated with the notorious Anonymous collective has launched a series of cyberattacks against government portals in North Carolina to protest against the so-called 'bathroom bill', which has been criticised by many as anti-LGBT. A number of businesses and high-profile celebrities have protested its advance into law, including Bruce Springsteen, Bryan Adams and Elton John. The attacks were distributed denial-of-service (DDoS) floods; this type of cyberattack sends a tidal wave of traffic towards a single web server with the aim of taking it offline and is regularly used by Anonymous as a method of protest. Following the DDoS attacks, the hacker posted a JustPaste link that purported to hold a database compromised from North Carolina State University (www.ncsu.edu). The hacking group recently became embroiled in the ongoing US election campaign after planning operations against presidential hopeful Donald Trump. The latest campaign, however, looks set to continue.
If hackers take down a bank, it could endanger the whole of society, says Barclays chairman John McFarlane. The financial sector needs to do more to protect itself against cybercriminals, as the combination of money and personal data that banks possess represents the "perfect target" for hackers, according to a new industry report. "Digital technology has radically changed every aspect of our lives and brought untold benefits. Of course, with these opportunities it's introduced a new threat which is cybercrime; not only are they after our information, they're after our money and can and will steal it from wherever they choose," said John McFarlane, chairman of Barclays and TheCityUK. TheCityUK also calls for the creation of a City-wide cyber forum "to promote collaboration across all firms" in the sector, in order to encourage best practice sharing and strengthen every organisation's cybersecurity. "There is no silver bullet to manage it, but there are practical steps the industry, and the customers we serve, can take to ensure we're well protected against attack," said Chris Cummings, chief executive of TheCityUK.
As you may or may not recall, given how much time has passed, hackers broke into LinkedIn's network back in 2012, stole some 6.5 million hashed passwords, and posted them onto a Russian hacker forum. Because the passwords were stored as unsalted SHA-1 hashes, hundreds of thousands were quickly cracked. If you're not sure whether you have changed your LinkedIn password since then, a best practice would be to change it anyway, as well as on other critical sites where you may be using that same password, such as your banking website, email, or Facebook. LinkedIn says that it has increased its security measures in the years since the breach by introducing stronger, salted password hashing, email challenges and two-factor authentication. Those measures would not necessarily protect users from hackers who had already obtained valid email and password combinations. LinkedIn's statement reads: "We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords."
CBR looks at the meanings of this broadly used term. The term 'hacking' is used very broadly, but in general refers to seeking and exploiting weaknesses in networks and databases. There are many types of hacking, including cyber crime, ethical hacking, hacktivism, and state-sponsored hacking. For example, the much-publicised Ashley Madison attack was carried out by the Impact Team, who claimed moral motives. They released a limited amount of data shortly after the hack was made public, threatening to release all of the data if the site was not shut down. There is some controversy around the usage of the term hacking, since many people in the IT industry use the term 'hacker' to refer simply to somebody with a good knowledge of computer systems.
The region is a hotspot for malware-based spying campaigns, thanks largely to the conflict between the Kiev government and rebels in the east who identify with Russia. The majority of such campaigns feature booby-trapped content themed around the current Ukrainian geopolitical situation and the war in Donbass in order to trick marks into opening malicious attachments. Whether these secondary targets are being deliberately selected or represent collateral damage remains unclear. ESET detects the malware associated with the attacks, which may have been going on since as long ago as 2008, as Prikormka. The attacks seem to have slipped under the radar for eight years, but now that one anti-virus vendor has caught onto the campaign, widespread detection by other vendors can be expected to follow within days or weeks. The security community in general is paying particularly close attention to malware-slinging in Ukraine after the BlackEnergy malware was linked to attacks that resulted in power outages last December.
Robert Schifreen has donated documentation relating to his landmark Prestel 'hacking' case, which led to the Computer Misuse Act 1990, to TNMOC. The National Museum of Computing (TNMOC) has announced the acquisition of an archive relating to a historic 'hacking' case from the 1980s, from the subject at the heart of the matter: Robert Schifreen. In the mid 80s, Robert Schifreen made a name for himself cracking into popular telecommunications service Prestel, ending up with access to mailboxes for some major public figures, up to and including Prince Philip. 'But 6pm was a significant start-time because the Prestel security staff had gone home and weren't there to deal with automated messages telling them that there had been three unsuccessful attempts at a log-on to Prestel,' Schifreen told the Museum of his exploits. The Computer Misuse Act came into existence in 1990. 'We are extremely grateful to Robert Schifreen for donating his fascinating archive to TNMOC and giving us an insight into what now seems a very strange world in which computer security was not treated very seriously,' said Museum Trustee Margaret Sale of the donation.
LinkedIn account details including names, emails and passwords were originally stolen in 2012, but reportedly remain up for sale.

LinkedIn users are being urged to change their passwords after the revelation that around 117 million account details, including email addresses and passwords, are up for sale. The data is reportedly being offered to the highest bidder by a hacker who claims he was responsible for the theft four years ago. The hacker, known as Peace, contacted technology site Motherboard this week to offer the details, which are up for sale for five Bitcoins (around £1,564) on dark web site The Real Deal. Peace claims that the data was stolen during a breach of LinkedIn back in 2012, in which around 6.5 million hashed passwords were posted online. The social network also apologised and enlisted the help of the FBI in the matter, but that did not stop a class action lawsuit, which ultimately cost LinkedIn $1.25m (£810,000) in settlements last year. "The LinkedIn breach goes to show how a single significant breach can come back to haunt a business and its customers again and again," said Rob Sobers, director at Varonis.
New obligations on providers of essential services

The European Council has adopted new cybersecurity rules to make networks and information services across the European Union safer and more secure. Member states will specifically identify who they believe fits into the essential services group through criteria listed in the directive, and those operators will be subject to stricter rules. As part of the agreement, EU member states have agreed to improve cooperation when it comes to cybersecurity. A new group will be created to make that happen, as well as a new network pulling together the national computer security incident response teams (CSIRTs). The agreement still has to be officially confirmed by member states. Once in force, member states will have 21 months to adopt the measures, with a further six months to identify essential service operators.
By Dustin Volz and Mark Hosenball

WASHINGTON (Reuters) - U.S. presidential campaigns face threats from hackers bent on espionage and other activity more nefarious than mere political mischief, the office of U.S. National Intelligence Director James Clapper said on Wednesday, but did not provide details on specific intrusions. "We're aware that campaigns and related organizations and individuals are targeted by actors with a variety of motivations, from philosophical differences to espionage, and capabilities, from defacements to intrusions," Clapper's spokesman Brian Hale said in a statement, deferring to the FBI for details on specific incidents. Earlier, Clapper said the U.S. intelligence community had already had some indications of hacking attempts against presidential campaigns. The Republican and Democratic candidates for president will begin receiving intelligence briefings after being officially nominated at party conventions this summer. Clapper said the sessions would not be used to try to persuade Trump to soften his stance about a proposed ban on Muslim immigration, which some national security professionals have said is counterproductive to fighting Islamic extremism. "We've been doing this for many years; it's not designed to shape anybody's worldview," Clapper said.
Speaking at the Financial Regulation Summit in Washington DC, SEC chair White warned the industry that their policies and procedures were not up to scratch and that without them they faced the same fate as the Bangladeshi bank that recently lost $81m through a cyber attack. "As we go out there now, we are pointing that out." The SEC is "very pro-active" in assessing how open those acting in the financial sector are to a cyberattack, she said, adding: "we can't do enough in this sector." She noted that companies are increasingly using non-GAAP (Generally Accepted Accounting Principles) measures to report their figures, an approach which enables them to keep what can be very large expenses out of public reporting. She also warned that the SEC was closely watching "fintech", startups targeting the financial markets, name-checking in particular blockchain, automated investment advice and marketplace lending. It is not known whether the new crowdfunding rules will help revive the many startups across the country, particularly in and around Silicon Valley, that are struggling to find funding through VC routes, or whether the rules will just sit on the books awaiting the next tech boom.
The huge cache of personal data comes from a hack of the website four years ago that was previously thought to have affected only a few million accounts. LinkedIn said it was trying to assess which accounts had been affected and invalidate their passwords to prevent hackers accessing users' accounts. Although hashed, the passwords had not been salted, that is, combined with a random per-user value before hashing, so identical passwords produced identical hashes and the more common ones were relatively easy to crack with precomputed tables. The data release actually contains 167 million account details including email addresses, although only 117 million passwords are included. LinkedIn said that passwords are now salted, meaning that in the event of any future breach they would be more difficult to crack.

Password advice:
- Don't rely on a single password for everything: one ultra-secure one won't be any good if someone finds it.
- While combining upper and lower case letters with numbers to alter a memorable word (M4raD0na) is often advised, such passwords are more easily cracked than you might think, because cracking tools try exactly those substitutions.
- Good advice is to make a memorable, unusual sentence: "I am a 7-foot tall metal giant" is better than "My name is John", and use the first letter of each word with punctuation: "Iaa7-ftmg".
- Alternatively, use a password manager such as 1Password, which can generate secure passwords and store them for you.
- The best way to protect yourself is to use two-factor authentication, which will send a text with a code or use an app to verify your log-in.

If your LinkedIn password has not been changed since 2012, now is probably a good time, and the same goes for any other websites where you use the same password.
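The hashing passages above (LeakedSource's description of hashing, the note that the 2012 hashes were unsalted SHA-1, and this last article's explanation of salting) describe why the dump cracked so quickly without showing the mechanism. The following Python is an added example written for this page; it is not code from LinkedIn or from any of the quoted articles. The accounts, passwords and wordlist are constructed for the demonstration, and the PBKDF2 routine at the end stands in for the stronger, salted storage LinkedIn says it adopted, whose exact scheme the articles do not specify.

```python
"""Added example: dictionary-cracking unsalted SHA-1 password hashes, as in
the 2012 LinkedIn dump, and what a per-account salt and a slow KDF change.
Everything below is constructed for the demonstration; none of it is real
leaked data.
"""
import hashlib
import secrets

# Constructed sample accounts (not real users). dave's password is not in
# the wordlist, so no dictionary attack below recovers it.
SAMPLE_PASSWORDS = {
    "alice@example.com": "linkedin",
    "bob@example.com": "Password1",
    "carol@example.com": "123456",
    "dave@example.com": "correct horse battery staple",
    "erin@example.com": "123456",
}

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "linkedin", "qwerty", "Password1", "letmein"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def make_unsalted_store(users: dict) -> dict:
    """How the 2012 LinkedIn store looked: email -> SHA1(password)."""
    return {email: sha1_hex(pw.encode()) for email, pw in users.items()}


def duplicate_hash_groups(store: dict) -> dict:
    """Unsalted storage leaks structure before any cracking: accounts with
    the same password share the same hash, so they can be grouped."""
    groups: dict = {}
    for email, h in store.items():
        groups.setdefault(h, []).append(email)
    return {h: emails for h, emails in groups.items() if len(emails) > 1}


def crack_unsalted(store: dict, wordlist: list) -> tuple:
    """Dictionary attack on unsalted hashes. Each candidate is hashed once
    and looked up against every account at the same time, so the cost is
    one hash per word no matter how many accounts leaked.
    Returns (cracked accounts, number of hashes computed)."""
    table = {sha1_hex(w.encode()): w for w in wordlist}
    cracked = {email: table[h] for email, h in store.items() if h in table}
    return cracked, len(wordlist)


def make_salted_store(users: dict) -> dict:
    """Same SHA-1, but with a random 16-byte salt per account:
    email -> (salt, SHA1(salt || password))."""
    store = {}
    for email, pw in users.items():
        salt = secrets.token_bytes(16)
        store[email] = (salt, sha1_hex(salt + pw.encode()))
    return store


def crack_salted(store: dict, wordlist: list) -> tuple:
    """With per-account salts the shared lookup table is useless: every
    word must be rehashed for every account, so work grows with
    accounts x words. Weak passwords still fall, but each one is paid for
    separately. Returns (cracked accounts, number of hashes computed)."""
    cracked = {}
    hashes_computed = 0
    for email, (salt, h) in store.items():
        for w in wordlist:
            hashes_computed += 1
            if sha1_hex(salt + w.encode()) == h:
                cracked[email] = w
                break
    return cracked, hashes_computed


def pbkdf2_record(password: str, iterations: int = 100_000) -> tuple:
    """A slow, salted password hash (PBKDF2-HMAC-SHA256 from the standard
    library). The salt defeats the shared table; the iteration count makes
    each guess cost the attacker roughly what a login costs the server."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def pbkdf2_verify(password: str, record: tuple) -> bool:
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return secrets.compare_digest(candidate, digest)


if __name__ == "__main__":
    unsalted = make_unsalted_store(SAMPLE_PASSWORDS)
    print("shared hashes:", duplicate_hash_groups(unsalted))
    print("unsalted:", crack_unsalted(unsalted, WORDLIST))
    print("salted:  ", crack_salted(make_salted_store(SAMPLE_PASSWORDS), WORDLIST))
```

The returned hash counts are the point: six SHA-1 computations recover four of the five constructed accounts when nothing is salted, and the two accounts sharing "123456" are visible as a pair before any guessing; once each account has its own salt the same wordlist costs one computation per account per guess, and PBKDF2 multiplies each of those by its iteration count.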