November 21, 2018
Dark Web hosting provider hacked, 6,500 sites erased
By Lisa Vaas
One of the most popular Dark Web hosting services – Daniel’s Hosting – was slaughtered last week when attackers hosed it clean of about 6,500 hidden services. The admin says they’re gone for good: he hasn’t even figured out where the vulnerability is yet.
The administrator at Daniel’s Hosting is a German software developer named Daniel Winzen, who acknowledged the attack on the hosting provider’s portal. Winzen said that it happened on Thursday night, a day after a PHP zero-day exploit was leaked.
The service will likely be back in December, he said, but even the “root” account has been deleted, and all the data on those 6,500 sites are toast:
There is no way to recover from this breach, all data is gone. I will re-enable the service once the vulnerability has been found, but right now I first need to find it.
Backups? Forget it. This is the Dark Web. Winzen told ZDNet that there ain’t no such thing as backups on Daniel’s Hosting, by design:
Unfortunately, all data is lost and per design, there are no backups.
As of last week, Winzen said his priority was to do a full analysis of the log files. He had determined that the attacker(s) had gained administrative database rights, but it’s looking like they didn’t get full system access. Some accounts and files that weren’t part of the hosting setup were left “untouched,” he said.
Other than the root account, no accounts unrelated to the hosting were touched and unrelated files in /home/ weren’t touched either. As of now there is no indication of further system access and I would classify this as a “database only” breach, with no direct access to the system. From the logs it is evident that both adminer and phpmyadmin have been used to run queries on the database.
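The breach was reconstructed from log entries showing adminer and phpMyAdmin being used to run queries. The Python script below is an added example for this digest, not code from the original article or from Daniel’s Hosting. It shows the kind of check a host admin can run over web-server access logs to surface requests to database admin tools, broken down by source address and by whether they were POSTs (the requests that typically carry the SQL to execute). The log lines are constructed, and the tool paths (/adminer.php, /phpmyadmin/) are assumed defaults rather than anything taken from the breached server.

```python
"""Flag web-server requests aimed at database admin tools (adminer, phpMyAdmin).

Added example for this digest, not code from the original article or from
Daniel's Hosting. The log lines are constructed in Apache/nginx 'combined'
format; the tool paths are assumed defaults, not taken from the breached host.
"""
import re

# Constructed sample access-log lines (combined log format), not from the incident.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Nov/2018:22:01:13 +0100] "GET /index.php HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Nov/2018:22:03:40 +0100] "GET /adminer.php HTTP/1.1" 200 5121 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Nov/2018:22:03:52 +0100] "POST /adminer.php?username=root HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Nov/2018:22:05:01 +0100] "POST /adminer.php?username=root&db=hosting&sql= HTTP/1.1" 200 940 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Nov/2018:22:06:30 +0100] "GET /phpmyadmin/index.php HTTP/1.1" 200 7100 "-" "curl/7.61"
10.0.0.7 - - [15/Nov/2018:22:07:12 +0100] "POST /phpmyadmin/sql.php HTTP/1.1" 200 3300 "-" "curl/7.61"
10.0.0.5 - - [15/Nov/2018:22:08:00 +0100] "GET /about.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# The fields of a combined-format line that the check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumed default locations of the two tools; adjust to the monitored deployment.
ADMIN_TOOL_RE = re.compile(
    r'(?:^|/)(adminer(?:-[\w.]+)?\.php|phpmyadmin)(?:/|$)', re.IGNORECASE
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def tool_for_path(path):
    """Return 'adminer' or 'phpmyadmin' if the path targets one of them, else None."""
    m = ADMIN_TOOL_RE.search(path.split("?", 1)[0])  # ignore the query string
    if not m:
        return None
    return "phpmyadmin" if m.group(1).lower() == "phpmyadmin" else "adminer"


def find_admin_tool_requests(log_text):
    """Return every parsed request whose path targets a DB admin tool."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tool = tool_for_path(entry["path"])
        if tool:
            entry["tool"] = tool
            hits.append(entry)
    return hits


def summarize(hits):
    """Count admin-tool requests per (source IP, tool) and how many were POSTs.

    POSTs to these tools are the requests that normally carry SQL to run.
    """
    summary = {}
    for h in hits:
        counts = summary.setdefault((h["ip"], h["tool"]), {"requests": 0, "posts": 0})
        counts["requests"] += 1
        if h["method"] == "POST":
            counts["posts"] += 1
    return summary


if __name__ == "__main__":
    hits = find_admin_tool_requests(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]:10} {h["method"]:4} {h["tool"]:10} {h["path"]}')
    for (ip, tool), c in summarize(hits).items():
        print(f"{ip} used {tool}: {c['requests']} requests, {c['posts']} POSTs")
```

The follow-up to a report like this is to compare the flagged sources against the addresses the admin actually uses and, where such panels are needed at all, to keep them off the public web tier (an allowlist or a separately authenticated channel), so that a bug in the hosted PHP cannot reach the database with administrative rights.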
Who cares?
According to Dark Owl, when the attacker(s) took out Daniel’s Hosting, they erased over 30% of the operational and active hidden services across Tor and the Invisible Internet Project (I2P) – an anonymous network layer that allows for censorship-resistant, peer-to-peer communication. ZDNet’s Catalin Cimpanu tweeted on Monday night that this pretty much matched his own calculations.
Read more at https://nakedsecurity.sophos.com/2018/11/21/dark-web-hosting-provider-hacked-6500-sites-erased/
Drone owner fined for putting police helicopter crew ‘in danger’
By Lisa Vaas
The owner of an iPad-controlled, £900 (USD $1,150) drone who flew it into the path of a police search helicopter has become the first person to be prosecuted under UK drone laws.
At Peterborough Magistrates’ Court on Friday, 37-year-old Sergej Miaun was ordered to pay fines and court costs amounting to £464 (USD $593) and to give up his drone, according to The Independent.
The BBC reports that he was found guilty of failing to maintain direct, unaided visual contact with a drone and flying it without being “reasonably satisfied” that he could do so safely.
Prosecutors told the court that Miaun’s amateurish flight could have caused “catastrophic” consequences, similar to the helicopter crash that left five people dead in Leicester City. The cause of that deadly crash hasn’t yet been determined, but aviation experts have suggested that the helicopter’s loss of power to the tail rotor could have been caused by a large bird or a large drone.
With regard to the UK’s first-ever conviction on unsafe drone flying, on 9 December, a police search helicopter had been out looking for a missing woman near a river in Cambridgeshire when the pilot was forced to take evasive action to avoid a drone that narrowly passed beneath it. Police followed the drone back to a home in Guyhirn – a town in Cambridgeshire – and searched until they found the Phantom 4 drone hidden in a loft hatch above the bath in Miaun’s home.
Read more at https://nakedsecurity.sophos.com/2018/11/21/drone-owner-fined-for-putting-police-helicopter-crew-in-danger/
Patch Skype for Business now or risk DoS via emoji kittens!
By Lisa Vaas
For the second time in three years, there’s a vulnerability in Microsoft Skype that could get communications tangled up in bouncy little kitten emojis (or any other kind of animated emojis, for that matter).
SEC Consult reported last week that it had discovered that launching 100 animated emojis (the security firm chose to focus on kittens, because, we assume, KITTENS) at Skype for Business caused it to flutter, triggering a short lag in the application.
Throwing 800 animated emojis at the app turned the emoji marauders into the forces of darkness in a denial of service (DoS) attack, causing Skype to keel…
…well, for a few seconds, anyway. Even so, if your business depends on Skype to hold staff conferences, client calls or any other form of communication, you should hop on the patch installation. Microsoft issued a patch for the vulnerability – CVE-2018-8546 – which affects Office 365 ProPlus, Microsoft Office, Microsoft Lync, and Skype.
It’s a good idea to install that patch. You don’t want some jerk – like, say, a disgruntled ex-employee – to lob gobs of nonstop kittens at your operation. If such a jerk were to keep it up, a business would be up a creek without a paddle, says SEC Consult:
When receiving about 800 kittens at once, your Skype for Business client will stop responding for a few seconds. If a sender continues sending emojis your Skype for Business client will not be usable until the attack ends.
This has happened before: in 2015, Skype for Business had the same kind of emoji-overload vulnerability. As SEC Consult put it, multiple animated emoticons would “cause a client’s CPU usage to go through the roof.”
Read more at https://nakedsecurity.sophos.com/2018/11/20/patch-skype-for-business-now-or-risk-dos-via-emoji-kittens/
Update now! Dangerous AMP for WordPress plugin fixed
By John E Dunn
If you’re one of the 100,000+ users of AMP for WP, good news – the popular plugin for implementing Accelerated Mobile Pages returned to WordPress.org last week.
AMP is a Google technology through which users of publishing partners such as WordPress can create pages that will load faster on mobile devices. Doing that requires a plugin, which is where AMP for WP comes in.
The plugin’s hiatus, which began when it abruptly disappeared on 21 October, was starting to look a little unusual.
According to a note from the developer, the reason for the disappearance was an ominous-sounding security flaw that “could be exploited by non-admins of the site.”
It also said that existing users could continue using the plugin in the meantime, which wouldn’t have sounded terribly reassuring to anyone using it in its vulnerable state as the days turned into weeks.
We’ve got a report from WordPress that they found a security vulnerability in our plugin which could be exploited by non-admins of the site, so to prevent the exploitation they temporarily withdrew our plugin from further download. But the existing users will be able to use the plugin like always.
The day after AMP for WP reappeared on WordPress.org on 14 November, WebARX, the company that discovered the security problems, finally explained the weakness.
Read more at https://nakedsecurity.sophos.com/2018/11/20/update-now-dangerous-amp-for-wordpress-plugin-fixed/
Instagram accidentally reveals plaintext passwords in URLs
By Lisa Vaas
In April, with the GDPR deadline and its requirement for data portability looming, Instagram released the long-anticipated download your data tool. The feature gave users the ability to download images, posts and comments.
Unfortunately, Instagram turned the task of downloading your data into an exercise in exposing people’s passwords in plain text. Thankfully, the bug in the “download your data” tool only affected a handful of users, it said.
As The Information reported last week, Instagram told affected users on Thursday night that if they’d used the “download your data” feature, their passwords were showing up in plaintext in the URL of their browsers.
That might not be a big deal to a user at home on an unshared computer, but as Facebook, which owns Instagram, said in the notice to users, it means that anybody who used the tool on a public computer – say, in a library – had their password exposed in the URL: an unfortunate gift to any shoulder surfers who may have been around.
It also means, the user notice said, that Instagram passwords were stored on Facebook’s servers, in plaintext rather than encrypted.
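As the notice describes, a password that ends up in a URL is copied into browser history, proxy and server logs and Referer headers, which is why credentials belong in a POST body over HTTPS and never in a query string. The Python below is an added example for this digest, not code from Instagram or Facebook. It shows the defensive backstop a logging layer can apply: detect credential-like parameters in a URL’s query string or fragment and redact their values before the URL is recorded. The parameter names, the URLs and the endpoint shape are assumptions constructed for the example, not the real “download your data” endpoint.

```python
"""Detect and redact credential-bearing query parameters before URLs are logged.

Added example for this digest, not code from Instagram or Facebook. The
parameter names and URL shapes are assumptions, not the real
'download your data' endpoint.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed names that must never travel in a URL; extend for the application at hand.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "pass", "token", "access_token", "secret"}
REDACTED = "REDACTED"

# Constructed URLs as they might appear in browser history or an access log.
SAMPLE_URLS = [
    "https://example.test/download?username=alice&password=hunter2&format=zip",
    "https://example.test/download?username=bob&format=json",
    "https://app.example.test/callback#access_token=abc123&state=xyz",
]


def sensitive_params_in_url(url):
    """Names of sensitive parameters found in the query string or the fragment.

    The fragment is checked too because some flows put tokens after '#',
    and that part also lands in browser history.
    """
    parts = urlsplit(url)
    found = []
    for section in (parts.query, parts.fragment):
        for name, _value in parse_qsl(section, keep_blank_values=True):
            if name.lower() in SENSITIVE_PARAMS:
                found.append(name)
    return found


def _clean(section):
    """Re-encode one query-like section with sensitive values replaced."""
    pairs = parse_qsl(section, keep_blank_values=True)
    if not pairs:
        return section
    return urlencode(
        [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    )


def redact_url(url):
    """Return the URL with sensitive parameter values replaced, safe to write to a log."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, _clean(p.query), _clean(p.fragment)))


def audit_urls(urls):
    """Map each offending URL to the names of the parameters it leaks."""
    report = {}
    for u in urls:
        names = sensitive_params_in_url(u)
        if names:
            report[u] = names
    return report


if __name__ == "__main__":
    for url, names in audit_urls(SAMPLE_URLS).items():
        print(f"leaks {names}: {redact_url(url)}")
```

Redaction at the logging layer is a backstop, not a fix: the audit report is what tells you which endpoint still accepts credentials via GET so that the form or API can be changed to submit them in the request body.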
Read more at https://nakedsecurity.sophos.com/2018/11/20/instagram-accidentally-reveals-plaintext-passwords-in-urls/