June 27, 2019

Hacker threw Molotov cocktail, dropped USB drive of his DDoS deeds

By Lisa Vaas

If you’re going to go around DDoSing businesses, it’s probably not the slickest idea to carry a thumb drive full of evidence in your pocket while you’re hurling a Molotov cocktail at one of their brick-and-mortars.

A now-35-year-old Belgian man who was already sentenced to prison for hurling that bomb has had his sentence extended by 18 months because of what investigators found on a USB drive that the man dropped during or after his 2014 attack on a Crelan Bank in the town of Rumbeke, Belgium, according to Belgian news site Het Laatste Nieuws (HLN).

HLN reported last week that the USB held evidence showing that the man, identified in court documents only as Brecht S., was a member of the hacker groups that brand themselves as Anonymous Belgium and Cyber Crew.

It also implicated the man in launching a distributed denial of service (DDoS) attack against Crelan Bank that took it offline for hours, and in extorting a pizza shop, DDoS-ing it several times until the pizzeria paid him to call off the attacks.

Investigators who searched Brecht’s devices and history reportedly found evidence that Brecht had participated in large-scale international cyber-attacks, including attacks launched against the Fédération Internationale de Football Association (FIFA), world soccer’s governing body.

FIFA has been hacked multiple times: The first time, in 2017, led to the publishing of footballers’ failed drug tests. At the time, the attack was attributed to the Russian hacking group Fancy Bear, also known as APT28.

Read more at https://nakedsecurity.sophos.com/2019/06/26/hacker-threw-molotov-cocktail-dropped-usb-drive-of-his-ddos-deeds/

Social engineering forum hacked; user data dumped on rival site

By Lisa Vaas

Social Engineered, a forum that bills itself as dedicated to the “Art of Human Hacking,” may have been given a dose of its own medicine: in mid-June, its user data was leaked and dumped on a rival forum.

On Thursday, the founder of Social Engineered, who goes by the username Snow101, confirmed the breach, blaming a MyBB vulnerability:

Mybb had a vulnerability yet again and the site got breached along other websites using Mybb. We moved over to xenforo i suggest changing your passwords immediately [sic].

MyBB is open-source, free software used to create and run online forums.

Snow101 said that Social Engineered has now moved over to the XenForo platform to try to avoid a repeat of the data breach. The forum owner is also looking for contributions: Snow101 asked members to voluntarily chip in to help in the shift from a free, open-source project to a commercial forum.

According to Bleeping Computer, whoever’s behind the leak posted that they had “uploaded the full database and root directory of this website.”

MyBB’s MyBad month

MyBB has had a shaky month. It was one of the many CMSs (content management systems) that researchers recently found weren’t storing passwords securely. They found that MyBB, along with a dozen others, was using the now obsolete MD5 hashing function.

Weak password hashing couldn’t have caused the breach at Social Engineered, but it might make the consequences of the breach much worse as hackers make light work of cracking the site’s exposed password database.

Read more at https://nakedsecurity.sophos.com/2019/06/26/social-engineering-forum-hacked-user-data-dumped-on-rival-site/

VLC media player gets biggest security update ever

By John E Dunn

Earlier this month, VideoLAN – the maintainers of the world’s most popular open source media player, VLC – issued the biggest single set of security fixes in the program’s history.

Numbering 33 in all, this included two marked critical, 21 mediums and 10 rated low, bringing VLC to 3.0.7.

But perhaps the most interesting part of the story is less the flaws themselves than the process through which they were found.

The most serious flaws

The first of the criticals, CVE-2019-12874, discovered and documented in detail by Symeon Paraschoudis of Pen Test Partners, is an out-of-bounds write flaw in the FAAD2 MPEG-4 and MPEG-2 AAC decoder library used by VLC 3.0.6 and earlier.

The second is CVE-2019-5439, a stack buffer overflow in version 4.0.0 beta’s Reliable Internet Stream Transport (RIST), potentially allowing remote code execution (RCE) at the user’s privilege level, if the user can be persuaded to run a malicious AVI or MKV video file.

The mediums, meanwhile, are described by VideoLAN’s Jean-Baptiste Kempf as “mostly out-of-band reads, heap overflows, NULL-dereference and use-after-free security issues,” which could crash VLC.

Read more at https://nakedsecurity.sophos.com/2019/06/26/vlc-media-player-gets-biggest-security-update-ever/

Google creates educational tools to help kids spot fake news

By Danny Bradbury

Google is on a mission to teach kids how to spot fake news. The company has expanded its internet safety guide for children with techniques and games to help them be more information literate online.

The expansion is part of its Be Internet Awesome (Be Internet Legends in the UK) initiative, aimed at families, educators, and children to help young people be better online citizens and protect themselves.

The initiative, which aligns with educational standards from the International Society for Technology in Education (ISTE) and the American Association of School Librarians (AASL), features an ‘Internet Code of Awesome’ supported by lesson plans that include ‘Share with Care’, ‘Secure your Secrets’, ‘It’s Cool to be Kind’, and ‘When in Doubt, Talk It Out’.

Don’t Fall for Fake

The new activities are listed under another item in the Code: ‘Don’t Fall for Fake’. Google developed them in conjunction with Anne Collier, executive director of The Net Safety Collaborative, and Faith Rogow, PhD, co-author of The Teacher’s Guide to Media Literacy and a co-founder of the National Association for Media Literacy Education.

Read more at https://nakedsecurity.sophos.com/2019/06/26/google-launches-educational-tools-to-help-kids-spot-fake-news/

Serious Security: Rambleed attacks blunted – the OpenSSH way

By Paul Ducklin

We all know that you’re not supposed to save raw passwords to disk these days.

The reason is obvious: disk storage is generally supposed to be both permanent and shared.

Once you’ve written something to disk unencrypted, there’s always a chance that someone else might be able to get it back later, especially if they know it’s there and it’s worth looking for.

At worst, they could shut down the computer your program is running on, remove the disk (or desolder the chips that make up a solid-state storage device) and try to extract the data elsewhere at their leisure.

As we like to say at Naked Security, Dance like no one’s watching. Encrypt like everyone is.

Of course, blunders happen – even companies that pride themselves on being leaders in secure coding practices have recently admitted to saving plaintext passwords by mistake.

Facebook let plaintext passwords escape into logfiles for about seven years before noticing the error; rivals Google made a similar mistake in a sysadmin toolkit for an astonishing 14 years, admitting in May 2019 that “we made an error when implementing this functionality back in 2005.”

Read more at https://nakedsecurity.sophos.com/2019/06/25/serious-security-rambleed-attacks-blunted-the-openssh-way/

WeTransfer sends user file links to wrong people

By Danny Bradbury

Popular file transfer service WeTransfer faces embarrassment this week after admitting that it has mailed file links to the wrong users.

Founded in 2009, WeTransfer enables users to transfer large files between each other for free. It’s an alternative to email services, which typically place limitations on file size. It has 50 million users sending a billion files each month, amounting to a Petabyte (1,000 Terabytes) of data.

The service, which became profitable in 2013, provides its free version through an advertising model. It also offers a paid ‘Plus’ service that lets users password protect their files.

On 21 June 2019 WeTransfer posted a security notice warning of an incident it had discovered five days earlier on Monday 17 June 2019.

The issue began on 16 June 2019, the notice said, adding:

e-mails supporting our services were sent to unintended e-mail addresses. We are currently informing potentially affected users and have informed the relevant authorities.

WeTransfer had blocked the links and logged users out of their accounts, it said.

Read more at https://nakedsecurity.sophos.com/2019/06/25/wetransfer-sends-user-file-links-to-wrong-people/

Presidential text alerts are open to spoofing attacks, warn researchers

By John E Dunn

Researchers have shown that it’s technically possible for hackers to target the US presidential alerts system to send fake messages on a localized basis.

For anyone who can’t remember what these are, the Federal Emergency Management Agency (FEMA), which manages the system, sent a message to 200 million US mobile users designed to test the Wireless Emergency Alerts (WEA) system at 2:18 pm (ET) on 3 October 2018. It read:

Presidential Alert. THIS IS A TEST of the National Wireless Emergency Alert System. No action is needed.

Judging from Twitter responses and a legal challenge, not all Americans were pleased at the idea of being sent a text message of up to 90 characters by the US President that they can’t opt out of or block, but it did achieve its purpose of publicizing an unfamiliar element of the system.

Launched in 2006, there are in fact three types of Integrated Public Alert and Warnings System (IPAWS) alerts, the other two being Imminent Threat Alerts (usually weather or fire-related) and Amber Alerts used to tell people about missing or abducted children.

Emergency alerts also have the potential to go badly wrong, as millions of Hawaii residents discovered on 13 January 2018, when they received the following terrifying message at 8:07 am:

Emergency alert. Ballistic missile inbound to Hawaii. Seek immediate shelter. This is not a drill.

As people crawled under café tables in fear, it took 38 minutes for the authorities to confirm that the message was a false alarm caused by human error.

Read more at https://nakedsecurity.sophos.com/2019/06/25/presidential-text-alerts-are-open-to-spoofing-attacks-warn-researchers/

