Elsevier exposes users’ emails and passwords online

By Lisa Vaas

Elsevier – publisher of scientific journals such as The Lancet – has left its users’ passwords and email addresses lying around online.

What Motherboard described as a “rolling list of passwords,” along with password reset links produced when a user requested a change to their login credentials was discovered by cybersecurity company SpiderSilk. It’s unclear how many records were exposed and for how long.

Mossab Hussein, SpiderSilk chief security officer, said that most of the exposed accounts are related to educational institutions, and hence belong to either students or teachers.

To paraphrase a Twitter wit… What could go wrong besides hackers making sure all their journal submissions get accepted?

For one thing, those email addresses/passwords could be used on other, sensitive sites, as Hussein pointed out. With the depressing ubiquity of password reuse, some of them undoubtedly are sprinkled around elsewhere online.

Read more at https://nakedsecurity.sophos.com/2019/03/20/elsevier-exposes-users-emails-and-passwords-online/

New scam accuses you of child abuse, offers to remove evidence

By Paul Ducklin

Here’s a new twist to sextortion, the cybercrime that gets its name because it melds sex with extortion.

Usually, the approach is to send you an email saying, “We infected your computer with malware, we snooped via your webcam, we monitored your browsing…

…and we recorded you on a porn site, so send us money or we’ll send the recording to your friends and family.”

To reinforce the claim to have remote control over your computer, the crooks often add some personalized content into the email they send you.

For example, the crooks may include a password from one of your accounts, list your phone number, or set the From: line in the email to make it look as though they sent the message directly from your own email account.

Don’t panic if you see “personal” data in one of these spams. The passwords and phone numbers almost certainly come from a data breach – in fact, you might recognise the password as an old one you had to change because the service provider got hacked. And the From: header in an email is essentially part of the mail message itself – the sender can set it to anything they like.)

Read more at https://nakedsecurity.sophos.com/2019/03/19/cia-bribery-scam-crooks-offer-to-erase-child-abuse-evidence-for-10000/

Microsoft won’t patch Windows registry warning problem

By Danny Bradbury

A security researcher has found a way to tinker with Windows’ core settings while persuading users to accept the changes, it emerged this week – and Microsoft has no intention of patching the issue.

The attack was discovered by John Page, who goes by the name hyp3rlinkx. It focuses on the Windows registry, which is a database of configuration settings for software programs, hardware devices, user preferences and the operating system itself.

Users can make changes to the registry using the Registry Editor program that ships with Windows, but this isn’t something that non-power users would normally do. Messing with the registry can cripple your machine or introduce security risks.

In most cases, when a Windows user really must make changes to the registry, they’ll do it by clicking on a file with a .reg extension. These files, provided by a trusted third party, alter the registry without the user having to enter anything.

This is why a dialog box appears when opening a .reg file, asking users if they trust the source and if they want to continue. It will then offer a ‘yes’ or ‘no’ choice.

Page’s attack changes that. In a document describing the process, he explains:

…we can inject our own messages thru the filename to direct the user to wrongly click “Yes”, as the expected “Are you sure you want to continue?” dialog box message is under our control.

Read more at https://nakedsecurity.sophos.com/2019/03/19/microsoft-wont-patch-windows-registry-warning-problem/

Gargantuan Gnosticplayers breach swells to 863 million records

By John E Dunn

A hacker using the identity ‘Gnosticplayers’ has topped up one of the largest data breaches ever publicized by offering for sale 26 million records stolen from another six online companies.

The first of four data caches came to light in early February when The Register got wind that a database of 617 million records pilfered from 16 companies had been put up for sale on the Dark Web for $20,000.

Days later, Gnosticplayers added another 127 million records from a further eight websites, before adding a third round on 17 February comprising another 93 million from a further eight sites.

Round 4

The fourth round, posted to Dark Web market Dream Marketplace last weekend brings the total number of hacked records to 863 million from 38 sites.

The data at risk varies by site but reportedly includes email address, usernames, IP addresses, and in some cases, personal details, settings and in one case, phone numbers.

Passwords are also at risk with a variety of hashing algorithms used to secure them, including SHA1 (with and without salting), SHA256, SHA512 (with salting), and in the case of LifeBear, MD5.

Naked Security was unable to independently confirm the victims, but ZDNet has named the sites in the latest round as Bukalapak (13 million records) GameSalad (1.5 million), Estante Virtual (5.4 million), Coubic (1.5 million), LifeBear (3.8 million), Youthmanual.com (1.1 million).

Read more at https://nakedsecurity.sophos.com/2019/03/19/gargantuan-gnosticplayers-breach-swells-to-863-million-records/

Court: Embarrassing leaks of internal Facebook emails are fishy

By Lisa Vaas

Remember when app company CEO Ted Kramer was “spooked” into handing over confidential internal Facebook emails to MP Damian Collins during the UK’s fake-news inquiry?

Well now a California court agrees with Facebook that the “I panicked” explanation from Six4Three’s Kramer could stand a bit of scrutiny.

After all, Kramer handed over highly confidential documents, which he was explicitly told not to do during the company’s legal battle with Facebook. The whole thing looks more like a plot to leak confidential data than a flustered moment in an MP’s office, the court says.

Judge V. Raymond Swope, of the ­superior court of California, ruled that there was prima facie evidence that Six4Three had plotted to “commit a crime or fraud” by leaking the emails in violation of an earlier court order. Prima facie evidence is that which is sufficient to establish a fact or raise a presumption unless disproved or rebutted.

Six4Three’s legal team had been trying to hide the developer’s conversations with British MPs, claiming that they should be protected under attorney-client privilege. But given that prima facie evidence points to Six4Three having potentially leaked the emails, the court has ordered the developer to hand over all such records.

Read more at https://nakedsecurity.sophos.com/2019/03/19/court-embarrassing-leaks-of-internal-facebook-emails-are-fishy/

Epic in hot water over Steam-scraping code

By Danny Bradbury

Epic Games, the company behind online gaming phenomenon Fortnite, is at the centre of a privacy storm after players noticed that it was gathering data from their Steam accounts and storing it on their computers without permission.

Fortnite has been a gaming sensation. The game, which pits players against each other in an online world, is downloadable directly from Epic, which launched its own online Epic Games Store in December.

Last week, players found it gathering information about their accounts on rival online gaming service Steam, and Reddit was up in arms.

Reddit user notte_m_portent alerted Fortnite users to alleged suspicious activity in the Epic Game Launcher, which controls the Fortnite software. They claimed that it was watching other processes on the machine, reading root certificates, and storing hardware information in the registry, among other things.

Crayten, another Reddit user, also claimed to have found EGL creating an encrypted copy of the user’s localconfig.vdf file, which contains all friends on Steam and their name histories.

Epic VP of engineering Dan Vogel explained to concerned Redditors that tracking JavaScript feeds information to the company’s Support-a-Creator program, enabling it to pay creators. Epic describes these as “active video makers, streamers, storytellers, artists, cosplayers, musicians, and community builders” supporting its products.

Read more at https://nakedsecurity.sophos.com/2019/03/19/epic-in-hot-water-over-steam-scraping-code/