
Tuesday, 11 February 2020

App Used by Israel's Ruling Party Leaked Personal Data of All 6.5 Million Voters

By Mohit Kumar, 11/02/20, on the site The Hacker News


An election campaigning website operated by Likud, the ruling political party of Israeli Prime Minister Benjamin Netanyahu, inadvertently exposed the personal information of all 6.5 million eligible Israeli voters on the Internet, just three weeks before the country holds a legislative election.

In Israel, all political parties receive the personal details of voters before an election. They may not share this data with any third party, are responsible for protecting the privacy of citizens, and must erase it once the election is over.

Reportedly, Likud shared the entire voter registry with Feed-b, a software development company, which then uploaded it to a website (elector.co.il) designed to promote a voting management app called 'Elector.'

According to Ran Bar-Zik, the web security researcher who disclosed the issue, the voters' data was not leaked through any security vulnerability in the Elector app itself. Instead, the incident was caused by negligence on the part of the software company, which exposed the username and password for the administrative panel through an unprotected API endpoint that was referenced in the publicly viewable source code of its homepage.


"Someone visiting the Elector website on a standard browser like Google's Chrome could right-click their mouse on the page and select 'View page source.' The revealed source code for the website contained a link to the 'get-admins-users' page, which the prospective hacker simply had to visit in order to find, out in the open, the passwords of "admin" users — those with authorization to manage the database." Israeli media explained.
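As an added illustration, not code from the article or from the Elector app, the following Node.js handlers contrast the weak pattern described above (an unauthenticated endpoint that serialises whole admin records) with a hardened version that requires a valid admin session and returns only an allow-listed set of fields. Every route, name, token and record below is constructed.

```javascript
// Added example (not from the article or the Elector app): the weak
// pattern described above beside a hardened one. Every route, name and
// record here is constructed for illustration.

// Constructed admin records standing in for the database. Storing
// passwords in plaintext is itself a defect; it is kept here only to
// mirror what the exposed endpoint returned.
const ADMIN_USERS = [
  { username: 'alice', password: 'constructed-secret-1', role: 'admin' },
  { username: 'bob',   password: 'constructed-secret-2', role: 'admin' },
];

// Constructed session store: session token -> logged-in username.
const SESSIONS = new Map([['tok-valid-123', 'alice']]);

// WEAK: reachable by any visitor and returns whole records, password
// included. Anyone who spots the route name in the page source can fetch
// every admin credential, which is the failure described in the article.
function getAdminUsersWeak(req) {
  return { status: 200, body: ADMIN_USERS };
}

// HARDENED: the same endpoint behind two controls.
//  1. Authentication and authorisation: a valid session token that maps
//     to an admin user, otherwise 401/403.
//  2. Data minimisation: an explicit allow-list of fields, so password
//     (or any column added later) never leaves the server.
function getAdminUsersHardened(req) {
  const token = req.headers && req.headers['x-session-token'];
  const sessionUser = token ? SESSIONS.get(token) : undefined;
  if (!sessionUser) {
    return { status: 401, body: { error: 'authentication required' } };
  }
  const caller = ADMIN_USERS.find((u) => u.username === sessionUser);
  if (!caller || caller.role !== 'admin') {
    return { status: 403, body: { error: 'forbidden' } };
  }
  const safe = ADMIN_USERS.map(({ username, role }) => ({ username, role }));
  return { status: 200, body: safe };
}

// Review check: does a response body serialise any secret-looking field?
// Useful as an automated test over every endpoint before it ships.
function leaksSecret(body) {
  return /"(password|passwordHash|secret|apiKey)"\s*:/i.test(JSON.stringify(body));
}
```

The `leaksSecret` check is the kind of response-shape test that would have flagged the 'get-admins-users' endpoint regardless of whether the route was ever linked from the page source.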

The exposed database includes the full names, identity card numbers, addresses, and gender of 6,453,254 voters in Israel, as well as the phone numbers, father's name, mother's name, and other personal details of some of them.

Though the affected Elector website is down for many users at the time of writing, some media reports confirm that the software company has now patched the issue; it cannot determine, however, how many people had already downloaded the voters' database by then.

The Israeli Justice Ministry's Privacy Protection Authority (PPA) said it was investigating the incident.

Thursday, 28 December 2017

Ancestry.com's RootsWeb breach: 300,000 plaintext accounts leaked


Another day another data breach, this time it is Ancestry.com, the United States-based genealogy company operating a large network of genetic, historical and genealogical websites with over 2 million paying subscribers.

Ancestry And RootsWeb

One of Ancestry's services is RootsWeb, an online community of forums, mailing lists and similar tools that helps people explore the history of their family tree. The bad news for RootsWeb users is that the community suffered a data breach in which the usernames, email addresses and passwords of 300,000 registered users were stolen and leaked online in clear text.

The data was discovered by Troy Hunt, founder of the data breach notification website Have I Been Pwned. Hunt analysed the leaked data and reported that the breach took place in 2015, yet Ancestry.com had been unaware of the incident. The company has since confirmed the breach and written an in-depth blog post explaining what happened.

Ancestry’s Acknowledgment

“As a result of that analysis, we determined that the file was legitimate, although the majority of the information was old. Though the file contained 300,000 email/usernames and passwords, through our analysis we were able to determine that only approximately 55,000 of these were used both on RootsWeb and one of the Ancestry sites, and the vast majority of those were from the free trial or currently unused accounts. Additionally, we found that about 7,000 of those password and email address combinations matched credentials for active Ancestry customers. As part of our investigation, our team also uncovered other usernames that were present on the RootsWeb server that, though not on the file shared with us, we reasonably believe could have been exposed externally,” the blog post explained.
New breach: Ancestry service "RootsWeb" had almost 300k email addresses and plain text passwords compromised in 2015. 57% were already in @haveibeenpwned. Read more: 
https:// 12/23/rootsweb-security-update/ 

The Plan

To tackle the situation, the company has taken RootsWeb offline and plans to bring it back with additional security measures to ensure user data remains secure. Those affected by the breach have already been informed and urged to change their passwords.
Furthermore, accounts of 55,000 customers who used the same credentials at RootsWeb’s surname list and Ancestry have been locked and require them to create a new password upon their next login.

RootsWeb Data Available For Download

On December 4th, 2017, the RootsWeb data was posted on a hacking forum for anyone to download; it contained email addresses and their plaintext passwords. The data is still available on the hacker forum, which means customers should change their passwords without further delay.

Screenshot from the data available on a hacking forum

A look at the data indicates that the hackers stole it from the following domain:
rsl.rootsweb.ancestry.com

Not For The First Time

This is not the first time Ancestry has come under cyber attack. In June 2014, the company said its servers crashed due to a series of distributed denial of service (DDoS) attacks. However, no customer data was stolen back then.

Tuesday, 14 November 2017

Vault 8: WikiLeaks Releases Source Code For Hive - CIA's Malware Control System

By Swati Khandelwal, 09/11/2017, on the site The Hacker News

Almost two months after releasing details of 23 different secret CIA hacking tool projects under the Vault 7 series, WikiLeaks today announced a new Vault 8 series that will reveal source code and information about the backend infrastructure developed by CIA hackers.

Beyond the announcement, the whistleblower organisation has also published the first batch of the Vault 8 leak, releasing the source code and development logs of Project Hive, a significant backend component the agency used to covertly control its malware from afar.


In April this year, WikiLeaks disclosed brief information about Project Hive, revealing that the project is an advanced command-and-control server (malware control system) that communicates with malware to send commands for executing specific tasks on targets and to receive information exfiltrated from the target machines.

Hive is a multi-user all-in-one system that can be used by multiple CIA operators to remotely control multiple malware implants used in different operations.

Hive's infrastructure has been specially designed to prevent attribution: it includes a public-facing fake website and multi-stage communication over a Virtual Private Network (VPN).

"Using Hive even if an implant is discovered on a target computer, attributing it to the CIA is difficult by just looking at the communication of the malware with other servers on the internet," WikiLeaks says.
As shown in the diagram, the malware implants communicate directly with a fake website, running on a commercial VPS (Virtual Private Server), which looks innocent when opened directly in a web browser.

However, in the background, after authentication, the malware implant can communicate with the web server hosting the fake website, which then forwards malware-related traffic to a "hidden" CIA server called 'Blot' over a secure VPN connection.


The Blot server then forwards the traffic to an implant operator management gateway called 'Honeycomb.'

In order to evade detection by network administrators, the malware implants use fake digital certificates purporting to belong to Kaspersky Lab.

"Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities," WikiLeaks says. 
"The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town."
The whistleblowing organisation has released the source code for Project Hive, which is now available for anyone, including investigative journalists and forensic experts, to download and examine.


The source code published in the Vault 8 series contains only software designed to run on servers controlled by the CIA; WikiLeaks assures that the organisation will not release any zero-day or similar security vulnerabilities that could be abused by others.

Thursday, 2 November 2017

46.2 Million Mobile Numbers Leaked Online after Malaysian Data Breach

By David Bisson, 01/11/2017, on the site The State of Security

46.2 million mobile numbers have appeared online following a data breach that affected several Malaysian telecommunication companies.

The incident involves 15 Malaysian telcos and mobile virtual network operators (MVNOs). Included in the leak are customers' mobile numbers along with their personal and device information. Of note, the exposed details contain customers' IMEI and IMSI numbers, which can help identify a device based on its SIM card.

A screenshot of one of the affected telco's customer database. (Source: Lowyat.net)

Malaysian Internet forum and technology magazine website Lowyat.net first learned of the breach in mid-October 2017, when it received a tip that someone was attempting to sell several large databases of personal information on its forums. It subsequently decided to review the databases. This analysis revealed the telco customer database along with three databases belonging to the Malaysian Medical Council (MMC), the Malaysian Medical Association (MMA) and the Malaysian Dental Association (MDA).

Lowyat.net notified the Malaysian Communications and Multimedia Commission (MCMC) at the time of publication. A day later, the MCMC requested that the technology magazine website take down the original article. But a day after that, on 20 October, the Commission published a statement on Facebook confirming an ongoing investigation into a data breach involving several telcos. Lowyat.net's original article reappeared that same day.

In a subsequent post, Lowyat.net reveals the breach likely occurred back in May and July 2014. It is therefore difficult to determine how long the data has been available for sale on the web or how long the hackers maintained access to the affected companies' systems. Those responsible for the attack might have spent years gathering all that information.

Dr. Mazlan Ismail, the chief operating officer of the MCMC, said the Commission is currently working with all Malaysian telecommunication companies to determine how the data breach occurred. As he told Malay Mail Online:

“This is to ensure that they understand what is happening now, especially when the police, through the Commercial Crime Investigation Department, visit them to investigate. Communications services cannot escape the security aspects, [service providers] must work together, and safety features are important to gain the trust of consumers.”

Meanwhile, Lowyat.net is asking all telco companies implicated in the breach to begin replacing affected customers' SIM cards.

With a population of 32 million, it is possible the breach affected the entire country of Malaysia along with foreigners who might have received a pre-paid number while travelling there.

Tuesday, 18 July 2017

Expert confirms leak of passwords and usernames from Brazilian e-commerce sites

On 17/07/2017


Since Sunday the 15th, cybercriminals have been publishing files containing hundreds of passwords and usernames from Brazilian e-commerce sites on the text-publishing service Pastebin. According to information security expert Paulo Brito, who first identified the leak on Sunday, the number of passwords and usernames had passed 800 as of Monday the 17th. The list of sites includes Magazine Luiza, Extra, Ponto Frio, PagSeguro and Ingresso.com.

"On Sunday morning I found a large leak of logins, passwords, names and CPF numbers of customers of Magazine Luiza, Ponto Frio, PagSeguro and Extra on Pastebin. From Magazine Luiza alone there were more than 500 passwords, and from Ponto Frio another 194," Brito explained. The expert says he tested the passwords, verified that they were genuine and contacted Magazine Luiza, GPA and UOL. "The Magazine Luiza people asked Pastebin to take the file down. I don't know what the other two did," he says.

The leak, according to Brito, looked recent, "less than 24 hours", "but it could also have been copied from something older". This morning, 16/07, Paulo Brito found a few more batches of PagSeguro passwords.

"If you have a login at one of these places, go there and change your password right away. If you can't log in, it's because your password was changed by someone else. In that case, use the 'I forgot my password' option, the phone line or any other channel, because the problem could be serious. Hurry before the crooks also find the list," warns Brito.

The expert explains that publishing batches of passwords on Pastebin is a kind of bait to attract people interested in buying the larger batches the cybercriminal has on hand. "What happens is that the crooks keep collecting, assembling the lists, and every now and then they publish part of them so that others will buy: it's advertising. Whoever buys takes this data, changes the delivery address for the goods, changes the e-mail (so the account owner isn't notified of anything), takes a stolen card and makes the purchase.