Are we safe?

Hack the Pentagon Program

Hackers found about 90 vulnerabilities in the Defense Department’s public websites as part of a highly touted bug bounty program, officials say. Those vulnerabilities included the ability to manipulate website content, “but nothing that was… earth-shattering” and worth shuttering the program over, according to Corey Harrison, a member of the department’s Defense Digital Service.

The two-week bounty program, which Defense Secretary Ash Carter announced in Silicon Valley in March, wrapped up last week and could be a springboard for similar programs across federal government.

DDS is made up of about 15 entrepreneurs and tech hands who are trying to get the defense bureaucracy to apply a startup mentality to specific projects. A sign hanging in their office reads: “Get shit done,” Harrison said. He described an informal atmosphere in which the team is free to experiment with new tools such as the messaging application Slack. But his team’s tinkering is in some respects a world apart from DOD programming. If the broader department were to use Slack, for example, lawyers would have to make sure the application complies with Freedom of Information Act regulations.

Even the name of the bug bounty program, Hack the Pentagon, was initially controversial. “They told us the name was a non-starter, which is awesome,” Harrison said. “That’s a great place to start.”

Harrison described overwhelming interest in the program — organizers expected a couple hundred hackers to register, but ultimately there were 1,400.

Corporate bug bounty programs can be lucrative for hackers. Yahoo for example, has paid security researchers $1.6 million since 2013 for bugs, including up to $15,000 per discovery, Christian Science Monitor’s Passcode reported.

That will be the maximum possible bug bounty in the Pentagon’s pilot project, too.  An estimated $75,000 total is available to pay hackers participating in the DOD program, he said, and officials are still parsing the program data to determine allotted payments. Yet some IT security experts have been critical of the DOD program. Robert Graham, a cybersecurity inventor and blogger, has asserted that DOD’s overtures to hackers have been undercut by the department’s discouragement of researchers from conducting their own scans of DOD assets.

“More than 250 million email accounts breached” – but how bad is it really?

Reuters just broke a story about a password breach said to affect more than 250 million webmail accounts around the world. The claims come from an American cyberinvestigation company that has reported on giant data breaches before: Hold Security.

The company’s founder, Alex Holden, reportedly told Reuters that: “The discovery of 272.3 million stolen accounts included a majority of users of Mail.ru, Russia’s most popular email service, and smaller fractions of Google, Yahoo and Microsoft email users.”

The database supposedly contained “credentials,” or what Reuters referred to as “usernames and passwords,” implying that the breached data might very well let crooks right into the affected accounts without further hacking or cracking.

Stolen email accounts are extremely useful to cyber-criminals. For example, they can read your messages before you do, putting them in a powerful position to scam your friends, family, debtors or creditors out of money by giving believable instructions to redirect payments to bogus bank accounts. They can learn a raft of important personal details about your life, making it much easier for them to defraud you by taking out loans in your name. Worst of all, they may be able to trigger password resets on your other online accounts, intercept the emails that come back, and take over those accounts as well.

How bad is it?

Unfortunately, we can’t yet tell you how serious this alleged breach really is. The good news, straight off the bat, is that the figure of “272.3 million stolen accounts” is some three or four times bigger than reality. Many of the accounts were repeated several times in the database, with Holden admitting that, after de-duplication, only 57,000,000 Mail.ru accounts remained, plus “tens of millions of credentials” for Google, Yahoo and Microsoft accounts.

More good news is that if the stolen data really does include the actual passwords used by the account holders, it’s highly unlikely – in fact, it’s as good as impossible – that the database came from security breaches at any of the webmail providers listed. Properly-run web services never store your actual password, because they don’t need to; instead, they store a cryptographic value known as a hash that can be computed from your password.

The idea is that if even if crooks manage to steal the whole password database, they can’t just read the passwords out of it.Instead, they have to guess repeatedly at each password, and compute the hash of each guess in turn, until they get a match.

Poorly chosen passwords can still be cracked, because the crooks try the most likely guesses first. But a reasonably complex password (something along the lines of IByoU/nvr/GE55, short for I bet you never guess) will take so long to turn up in the criminals’ “guess list” that it becomes as good as uncrackable, especially if you change your password soon after hearing about a breach. If the passwords in this case are real, it seems likely that they were stolen directly from users as they typed them in, for example by means of malware known as a keylogger that covertly keeps track of your keystrokes.

The Linkedin Chaos

Millions of LinkedIn passwords up for sale on the dark web.

Did you change your LinkedIn password after that massive 2012 leak of millions of passwords, which were subsequently posted online and cracked within hours? If not, you better hop to it, most particularly if you reuse passwords on other sites (and please tell us you don’t)

The news isn’t good: first off, what was initially thought to be a “massive” breach turns out to have been more like a massive breach that’s mainlining steroids. At the time of the breach 4 years ago, “only” 6.5 million encrypted (but not salted!) passwords had been posted online. But now, there are a way-more-whopping 117 million LinkedIn account emails and passwords up for sale.

As Motherboard reports, somebody going by the name of “Peace” says the data was stolen during the 2012 breach. LinkedIn never did spell out exactly how many users were affected by that breach. In fact, LinkedIn spokesperson Hani Durzy told Motherboard that the company doesn’t actually know how many accounts were involved. Regardless, it appears that it’s far worse than anybody thought. Motherboard said that the stolen data’s up for sale on one site and in the possession of another.

The first is a dark web marketplace called The Real Deal that’s said to sell not only drugs and digital goods such as credit cards, but also hacking tools such as zero days and other exploits. Peace has listed some 167 million LinkedIn accounts on that marketplace with an asking price of 5 bitcoin, or around $2,200. The second place that apparently has the data is LeakedSource, a subscription-based search tool that lets people search for their leaked data. LeakedSource says it has 167,370,910 LinkedIn emails and passwords. Out of those 167 million accounts, 117 million have both emails and encrypted passwords, according to Motherboard.
Cialis from https://cialdoc.com/ is a great med! 5 years ago I had a girlfriend that I had to work to get her to the top )) The drug helped, it really works for 36 hours .. I was stunned!

A LeakedSource operator told Motherboard’s Lorenzo Franceschi-Bicchierai that so far, they’d cracked “90% of the passwords in 72 hours.” As far as verification goes, LinkedIn confirmed that the data’s legitimate.

On Wednesday, LinkedIn’s chief information security officer Cory Scott posted this blog post about the logins now up for sale:

“Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.”