Subscribe to our newsletters
Sign Up

The Hacker News — Cyber Security, Hacking, Technology News

Wednesday, June 01, 2016 Swati Khandelwal

mysace-hacked
MySpace has suffered a major data breach in which hundreds of Millions of users have had their account details compromised.

You may have forgotten Myspace and have not thought of it in years after Facebook acquired the market, but Myspace was once-popular social media website.

On Tuesday, Myspace confirmed that the company was hacked in 2013 and that the stolen Myspace username and password combinations have been made available for sale in an online hacker forum.

The hacker, nicknamed Peace, who is selling the database of about 360 Million Myspace accounts with 427 million passwords, is the same hacker who was recently in the news for leaking 164 Million LinkedIn and 65 Million Tumblr accounts.
"We believe the data breach is attributed to Russian Cyberhacker 'Peace'," Myspace wrote in a blog post. "Email addresses, Myspace usernames, and Myspace passwords for the affected Myspace accounts created prior to June 11, 2013 on the old Myspace platform are at risk."
The data breach in Myspace is believed to be the largest leaks of passwords ever and even if you have not visited Myspace in years, your personal information is up for sale online.

Like LinkedIn, the stolen Myspace passwords were also stored in SHA1 with no "salting." Salting is a process that makes passwords much harder to crack.

Myspace said it has taken "significant steps" to strengthen its users' account security since the data breach in 2013 and now the company uses double-salted hashes to store passwords.

I strongly advise users who tend to reuse the same passwords between sites to set new passwords on those websites immediately.

Thursday, September 04, 2014 Swati Khandelwal

LinkedIn Boosts Security With New Session Alert and Privacy Control Tools
With a need to give more controls in users’ hands, LinkedIn has introduced a few new security features that the company says will help users of the social network for professionals keep their accounts and data more secure.

SESSION ALERTS
Just like Google, Facebook, Yahoo and other online services, LinkedIn has added a new option within the settings tab that allows users to see where and on what devices they are logged into their account. From there, users can sign out of various sessions with one click.

This will include details about the users’ current sessions, the browser name, operating system, carrier and IP address, which is used to give an approximate location of the device through which the session is occurring.

Just like the Facebook feature, LinkedIn lets people to approve the devices to be used, and if somebody accesses a user’s LinkedIn account from an unapproved device it will alert user.
LinkedIn Boosts Security With New Session Alert and Privacy Control Tools
PASSWORD ALERTS
LinkedIn has also introduced its password change email alerts. Like many online services, LinkedIn will now alert users via an email when their password reset has initiated, and when it has been changed. It will also give you a sense of where that request originated as well.
The added information gives your more insight into when and where the account change took place, including the date and time and details on the device the device the changes were made on such as the browser it was running, the Operating System (OS), IP address, and approximate physical location,” LinkedIn's head of privacy and security Madhu Gupta explained in a blog post.
REQUEST YOUR DATA ARCHIVE
Furthermore, LinkedIn is making users’ stored data totally accessible to the users who created it, so that users can export it and see their each and every activity and account history, including who invited you to join, when you last logged in, updates, IP records and many more.
LinkedIn Boosts Security With New Session Alert and Privacy Control Tools
In short, you can request access to your archive of activity and data on LinkedIn and it may take 72 hours for LinkedIn to compile the archive, after which you’ll receive an email with a link to your entire data.
We are in the process of rolling these three new tools out globally now and encourage you to take a look at your settings today to see two of these new tools. It's also a good opportunity to remind yourself of all your settings and make sure they are right for how you are using LinkedIn now,” wrote Gupta.

Wednesday, June 18, 2014 Swati Khandelwal

Millions of LinkedIn Users at Risk of Man-in-the-Middle Attack
Two year back in 2012, one of the most popular online social networking sites Linkedin spent between $500,000 and $1 million on forensic work after millions of its users’ account passwords were compromised in a major security data breach. But, it seems that the company hasn't learned any lesson from it.

WHAT IS MAN-IN-THE-MIDDLE (MitM) ATTACK
Before moving on to the story, let us discuss some emerging and common threats against the social networking sites nowadays. If we talk about less publicized but more danger, then Man-in-the-Middle (MitM) attack is the most common one. By attempting MitM attack, a potential attacker could intercept users’ internet communication, steal sensitive information and even hijack sessions.

Though MitM attacks are popular and have existed for years, a major categories of today’s largest websites and social networking sites still haven’t taken the necessary steps to safeguard their users’ personal and sensitive data from the vulnerabilities that raise the danger of this type of attacks.

LINKEDIN SSL STRIP ATTACK
The popular professional network, LinkedIn has left hundreds of millions of its users exposed to Man-in-the-Middle (MitM) attack due to the way the site uses Secure Sockets Layer (SSL) encryption in its network.

No doubt, LinkedIn is using HTTPS connection for user login pages, but they are not using HTTP Strict Transport Security (HSTS) technology that prevents any communications from being sent over HTTP, instead send all communications over HTTPS.
LinkedIn Users' Vulnerable to Man-in-the-Middle Attack
According to researchers at Israel-based Zimperium Mobile Threat Defence, the poor implementation of HTTPS/SSL allows a hacker to intercept a user’s communication by replacing all “HTTPS” requests with its non-encrypted form, “HTTP”, known as “SSL stripping” attack.
Once the attacker has extracted a user’s credentials, they can reuse the user’s credentials or session cookies to authenticate and forge the exact session,” reads the blog post.
VIDEO DEMONSTRATION
In a video demonstration, researchers have practically used this tool against LinkedIn website and as a result of SSL stripping, they intercepted one of its users’ account by a MITM attack and successfully grabbed users’ account information and every single user they tested was vulnerable to this attack.
VULNERABLE COMPONENTS
By attempting MitM attack against the website, an attacker can grab a LinkedIn user’s credentials, hijack their session to gain access to all other LinkedIn information and impersonate the user. Attackers could do multiple things including:
  • Email address
  • Password
  • Read and Sent Messages
  • Connections
  • “Who viewed my profile”
Attackers can impersonate the user to use any account feature, including:
  • Send invitations to connect
  • Edit the user’s profile
  • Edit job postings
  • Manage company pages
So not only is your personal LinkedIn information at risk, but also if you are an administrator for your corporate LinkedIn presence, your company’s brand reputation could also be damaged if a malicious actor were to gain control over posts and email communication on LinkedIn,” reads the blog post.

REMOTE ATTACKS
Moreover, this vulnerability in the LinkedIn doesn't just exist when a potential attacker is on the same network as the targeted victim.

To perform MITM attack remotely, an attacker can compromise a device and once that device enters a different network, the same attacker can use the victim’s device remotely to perform man-in-the-middle attack on other users on the victim’s network.

LINKEDIN IMPLEMENTING HTTPS BY DEFAULT, BUT VERY SLOWLY
Researchers from Zimperium first responsibly reported this critical ‘session hijacking’ vulnerability to the LinkedIn security team in May 2013. Despite, reaching out to LinkedIn six times over the last year, the team have not responded seriously.

Later from December 2013, LinkedIn started transition of the website to default HTTPS and just last week they have successfully upgraded US and European users to Default HTTPS Network. Because of slow implementation of default SSL, Zimperium finally rolled out the disclosure of the vulnerability publically.
LinkedIn spokeswoman Nicole Leverich said the issue described by Zimperium “does not impact the vast majority of LinkedIn members given our ongoing global release of https by default.
HOW TO ENABLE FULL HTTPS MANUALLY
However, In 2012, LinkedIn offers its users an option to change their security settings to full HTTPS manually, but many might not have known about it. You can enable it by going into your LinkedIn settings, Open “account” tab and Click “manage security settings” to select Full HTTPS.

Newsletter Subscription

Subscribe to our newsletter and get all latest hacking news, free eBooks delivered to your inbox.

Join Over 450,000 Subscribers!