Trove of Information Related to Top Spy Chief Hacked!
- Home telephone account
- Internet accounts
- Personal email accounts
- His wife's Yahoo email
According to the service administrator Vincent Canfield, "SSL keys and private keys and full mail content of all 64,500 of my users...hashed passwords, registration time, and the last seven days of logs were all confiscated and now are in the hands of German authorities."
"[This] extra quotes [in the display name] triggers a parsing bug in the Gmail app, which causes the real email to be invisible," Zhu told Motherboard.
"Filed a Gmail Android bug that lets me fake sender email address. [Google] said it's not a security issue. ¯\_(ツ)_/¯." Zhu tweeted.
"Using this as a targeted attack definitely has a high impact, but this is also the perfect type of vulnerability to turn into a worm," Wineberg wrote. "A worm could easily email all of a user’s contacts, with something enticing…and spread to every user who clicks the link."
"OWA was configured in [such] a way that [it] allowed Internet-facing access to the server," Cybereason wrote in a post published Monday. "This enabled the hackers to establish persistent control over the entire organization's environment without being detected for several months."
"The ease with which crimes such as this can be committed by those who have skills in the field," the court said, "such as the accused, require an appropriate punitive response that has a deterrent and uncompromising message."
"We believe a 'spear phishing' attack was initiated in late November 2014," Tuesday's press release stated. "It involved email messages that were crafted to appear to come from our own domain being sent to members of our staff. The attack resulted in the compromise of the email credentials of several ICANN staff members."
"Based on our investigation to date, we are not aware of any other systems that have been compromised, and we have confirmed that this attack does not impact any IANA-related systems," ICANN stated.
"As soon as we learned of it, the database dump file was removed from the server immediately, and the process that generates the dump was disabled to prevent further disclosure," Stormy Peters, director of developer relations, and Joe Stevensen, operations security manager, wrote.
"While we have not been able to detect malicious activity on that server, we cannot be sure there wasn't any such access."
“While end-to-end encryption tools like PGP and GnuPG have been around for a long time, they require a great deal of technical know-how and manual effort to use. To help make this kind of encryption a bit easier, we’re releasing code for a new Chrome extension that uses OpenPGP, an open standard supported by many existing encryption tools,” reads the blog post.
"READ_EXTERNAL_STORAGE and INTERNET are some of the most common permissions granted by users to applications upon installation," Erik Cabetas, managing director of Include Security, said.
Include Security found that the Outlook app for Android automatically downloads email attachments to the '/sdcard/attachments' folder on the file system, which can be accessed by any malicious application or by a person with physical access to the user's device. "Phones nowadays come with preinstalled apps on them that could grab those emails," he added.
“We've found that many messaging applications (stored email or IM/chat apps) store their messages in a way that makes it easy for rogue apps or 3rd parties with physical access to the mobile device to obtain access to the messages,” he said.
In this folder, the app stores a database file called 'email.db', which keeps a backup of every email in unencrypted form, i.e. once an attacker is able to grab this file, he can access all of your emails and sensitive data in plain text using the sqlite3 utility.
“If a device is stolen or compromised, a 3rd party may try to obtain access to locally cached messages (in this case emails and attachments),” said Erik Cabetas, managing director of Include Security in the blog post.
"I verified this issue by restoring an iPhone 4 (GSM) device to the most recent iOS versions (7.1 and 7.1.1) and setting up an IMAP email account, which provided me with some test emails and attachments. Afterwards, I shut down the device and accessed the file system using well-known techniques (DFU mode, custom ramdisk, SSH over usbmux). Finally, I mounted the iOS data partition and navigated to the actual email folder. Within this folder, I found all attachments accessible without any encryption/restriction," he explained in a blog post.
"Since mid-January, we have been protecting your emails from Twitter using TLS in the form of StartTLS. StartTLS encrypts emails as they transit between sender and receiver and is designed to prevent snooping. It also ensures that emails you receive from Twitter haven’t been read by other parties on the way to your inbox if your email provider supports TLS."
"The sheer volume is overwhelming," Holden told Reuters. He believes the 360 million records were obtained in separate attacks, including one that yielded some 105 million records, which would make it the largest single credential breach known to date.