Ex-Yahoo engineer pleads guilty to hacking 6,000 accounts

By Lisa Vaas

A former Yahoo software engineer pleaded guilty in federal court on Monday to being a lech who broke into mostly young women’s Yahoo accounts – 6,000 of them – trying to sniff out salacious photos and videos.

According to the US Attorney’s Office for the Northern District of California, in his guilty plea, Reyes Daniel Ruiz admitted to cracking Yahoo users’ passwords and using his access to internal Yahoo systems to get at accounts, including those of his personal friends and work colleagues.

After he got into his victims’ Yahoo accounts, he’d make copies of their intimate content and stash them at home. He’d also pivot from their Yahoo accounts, branching out to break into and grope through his victims’ iCloud, Facebook, Gmail, DropBox, and other online accounts for whatever other salacious content he could find.

Yahoo saw what it thought was suspicious behavior. The Department of Justice’s press release didn’t give details of how Ruiz got wind of his former boss’s suspicions – was he confronted? Did a mass email go out, telling employees to keep their paws to themselves? – but prosecutors did say that Ruiz admitted that after Yahoo got wind of his unsavory forays, he demolished the computer and hard drive that he was using to store the ripped-off imagery.

Ruiz, 34, of Tracy, California, was indicted by a federal grand jury on 4 April 2019. He was charged with one count of computer intrusion and one count of interception of a wire communication, but under the plea agreement, he just pled guilty to the computer intrusion charge.

Ruiz is now out on a $200K bond. He’s looking at a maximum sentence of five years in prison and a fine of $250,000 plus restitution, though maximum sentences are rarely handed out. He’s scheduled to be sentenced on 3 February 2020.

Just for comparison’s sake, we can look to how much prison time the celebrity e-muggers have received as payback for prying open the iCloud and Gmail accounts of Hollywood glitterati in the Celebgate mini-series – when primary scumbags preyed on celebrities and non-celebrities alike to steal their nudes, and secondary scumbags had a field day sharing the material online.

Read more at https://nakedsecurity.sophos.com/2019/10/02/yahoo-engineer-pleads-guilty-to-hacking-6000-womens-accounts/

218 million Words with Friends players lose data to hackers

By Lisa Vaas

On 12 September, Zynga released a low-key statement saying that it had been beset by an “unfortunate reality” of doing business today: PR-speak for a data breach.

Zynga – maker of addictive (and crook-tempting) online social games such as FarmVille, Mafia Wars, Café World and Zynga Poker – said at the time that it had immediately launched an investigation. The early good news: it didn’t look like any financial information had been ripped off from players of the targeted games, Words With Friends and Draw Something.

Well, that unfortunate reality has now become a lot more unfortunate: it’s 218 million account passwords worth of misfortune to the Words With Friends players whose accounts were allegedly breached.

On Sunday, Hacker News reported that it’s been in touch with the threat actor known as GnosticPlayers, who claims to be responsible for the Zynga breach.

Another GnosticPlayers feeding frenzy

He/she/they have been in the headlines for gargantuan breaches this year: in March 2019, the hacker(s) put up 26 million records for sale, stolen from six online companies. As we reported then, the first of what would turn out to be four data caches had gone up for sale in early February, when GnosticPlayers tried to sell a database of 617 million records pilfered from 16 companies for $20,000.

Days later, GnosticPlayers added 127 million records stolen from eight websites, before adding a third round on 17 February comprising another 93 million from another eight sites.

Read more at https://nakedsecurity.sophos.com/2019/10/02/218-million-words-with-friends-players-lose-data-to-hackers/

O.MG! Evil Lightning cable about to hit mass distribution

By Danny Bradbury

Remember the O.MG cable? Back in February, we covered its early development: A project by self-taught electronics hacker _MG_, it’s a malicious Lightning cable that looks just like the regular overpriced piece of wire that connects your iPhone to a computer.

Embedded in it is a tiny Wi-Fi transceiver that can operate as an access point or a wireless client. When the victim plugs it into their computer, an attacker within radio distance can connect to the cable with a mobile app and use it to manipulate the computer.

An attacker can reach the O.MG cable from 300 feet away using Wi-Fi from a regular phone, but a suitable booster antenna connected to your computer or phone could enable a connection from even further away.

@_MG_ has been steadily working on it along with a team of fellow hackers, and says that he spent over $4,000 on what is effectively a “negative profit project”. He spent months hand-milling the tiny integrated circuit boards and then painstakingly putting them inside the ends of Apple lightning cables. He gave these prototypes away at DEF CON in August 2019. Now, having perfected the performance of the cable and created a design suitable for manufacturing, he is preparing to sell them through penetration testing hardware site, Hak5.

The project has come a long way, with some extensive work on the kinds of payload it can deliver.

Read more at https://nakedsecurity.sophos.com/2019/10/02/omg-evil-lightning-cable-hits-prime-time/

Exim suffers another ‘critical’ remote code execution flaw

By John E Dunn

Remember the critical remote code execution (RCE) vulnerability in the Exim email server, CVE-2019-15846, from mid-September?

Barely two weeks later, and the software’s maintainers have issued an advisory for another potentially troublesome bug, identified as CVE-2019-16928, which has been given the same critical rating.

Affecting all Exim versions between and including 4.92 to 4.92.2, this one’s described as:

A heap-based buffer overflow in string_vformat (string.c). The currently known exploit uses an extraordinary long EHLO string to crash the Exim process that is receiving the message.

The “currently known exploit” refers to a proof of concept created by QAX A-Team, which first reported the flaw.

This could lead to at least a denial of service crash in the software but also, more worryingly, the possibility of remote code execution.

The flaw isn’t being targeted in the wild yet, but there is a risk this might be a matter of time given that it looks relatively easy to exploit.

Read more at https://nakedsecurity.sophos.com/2019/10/02/exim-suffers-another-critical-remote-code-execution-flaw/