'Scribd' World's Largest Document Sharing Website Admits Security Breach

'Scribd' World's Largest Document Sharing Website Admits Security Breach 

Scribd- San Francisco-based document sharing site have fallen victim of cyber attack. Such kind of massacre is no doubt very much shameful for one of the world largest document sharing website which have more than 100 million of registered user. Like other largest companies, Scribd acknowledged the attack. In their official security announcement the company said that the operations team of Scribd have discovered and blocked suspicious activity on Scribd's network that appears to have been a deliberate attempt to access the email addresses and passwords of registered Scribd users. But the matter of relief is that only the 1% of its registered users have been affected during the hack. Immediately after this intrusion get spotted Scribd security team have emailed every user whose password was potentially compromised with details of the situation and instructions for resetting their password.  So, if you are a Scribd user and you did not receive such email from Scribd, then you are most likely unaffected.  If you still wish to check, you can use this web tool to determine if your account was among those affected. From the official announcement of Scribd, we came to know that the inertial investigation have already take place, which indicates that no content, payment and sales-related data, or other information were accessed or compromised. It has been  believed that the information accessed by the hackers was limited to general user information, which includes usernames, emails, and encrypted passwords.  Even though this information was accessed, the passwords stored by Scribd are encrypted (in technical terms, they are salted and hashed). Most of the users were therefore unaffected by this; however, the analysis shows that a small percentage may have had their passwords compromised. In an abundance of caution, it has been highly recommended for those affected users to reset their password and to change their password on any other services they might have used it on. 

At conclusion of the note, Scribd team did serious apology to its users while saying -"we would like to sincerely apologize for our failure to live up to our users' expectations in this instance. We’re incredibly disappointed that this happened and are committed to doing everything we can to prevent this from happening again. We will work harder than ever to ensure that we deserve the trust that our users place in us." 

While talking about big cyber attacks against large companies we would like to remind you in the last year we have been a slew of attacks against the following sites: Guild Wars 2, Gamigo, Blizzard, Yahoo, LinkedIn, eHarmony, Formspring, Android Forums, Gamigo,  Nvidia,Blizzard, Philips, Zynga, VMWare, Adobe,  Twitter  New York Times, Apple and so on. 

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">'Scribd' World's Largest Document Sharing Website Admits Security Breach"https://www.voiceofgreyhat.com/2013/04/Scribd-Admits-Security-Breach.html</a>

Hackers Exploiting Old Ruby on Rails Vulnerability To Compromise Web Servers & Create Botnet

Hackers Exploiting Old Ruby on Rails Vulnerability (CVE-2013-0156) To Compromise Web Servers & Create IRC Botnet

A critical vulnerability on Ruby on Rails spotted in January this year which was deemed “critical” at the same time yet again found in the wild. The vulnerability known as CVE-2013-0156 that affected versions 3.0.20 and 2.3.16 again rises it's hand. Though a security patch was released by the Rails developers. But as we all know that many server administrator used to be unaware of these events have not patched their systems. As a result hackers and cyber criminals are actively exploiting a critical vulnerability in the Ruby on Rails Web application development framework in order to compromise Web servers and create a dangerous botnet. This major security issue was first discovered by a security consultant Mr. Jeff Jarmoc of research firm Matasano Security. In his blog Jarmoc said "It’s pretty surprising that it’s taken this long to surface in the wild, but less surprising that people are still running vulnerable installations of Rails. It also appears to be affecting some web hosts." According to his blog post -the exploit that's currently being used by attackers adds a custom cron job -- a scheduled task on Linux machines that executes a sequence of commands. Those commands download a malicious C source file from a remote server, compile it locally and execute it. The resulting malware is a bot that connects to an IRC (Internet Relay Chat) server and joins a predefined channel where it waits for commands from the attackers. A pre-compiled version of the malware is also downloaded in case the compilation procedure fails on the compromised systems.

"Functionality is limited, but includes the ability to download and execute files as commanded, as well as changing servers," Jarmoc said. "There's no authentication performed, so an enterprising individual could hijack these bots fairly easily by joining the IRC server and issuing the appropriate commands." But the matter of relief is that Jarmoc concluded while saying "this is a pretty straightforward skiddy exploit of a vulnerability that has been publicly known, and warned about, for months."

But still administrators who have not yet patched their Rails version should immediately should update the Ruby on Rails installations on their servers to at least versions 3.2.11, 3.1.10, 3.0.19 or 2.3.15 which contain the patch for this vulnerability. However, the best course of action is probably to update to the latest available Rails versions, depending on the branch used, since other critical vulnerabilities have been addressed since then. 

Brief About RoR:- Ruby on Rails is a popular framework for developing Web applications based on the Ruby programming language and is used by major websites including Hulu, GroupOn, GitHub and Scribd.

-Source (Network World)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Hackers Exploiting Old Ruby on Rails Vulnerability To Compromise Web Servers & Create Botnet"https://www.voiceofgreyhat.com/2013/06/RoR-Vulnerability-Turning-Servers-into-Botnet.html</a>

Drupal.org Hacked ! More Than 967,000 Registered User Details Compromised

Drupal.org Hacked ! More Than 967,000 Registered User Details Compromised 

Drupal, one of the most famous and widely used open-source content management framework have fallen victim to cyber criminals. The Drupal Security Team and Infrastructure Team has discovered unauthorized access to account information on the official Drupal website and another site called groups.drupal.org. This security breach has exposed user names, country, and email addresses along with hashed passwords of more than 967,000 registered users on the Drupal.org. But still a matter of relief is that the breach failed to infiltrate the credit card details which was stored on the same server. According to security release unauthorized access was made via third-party software installed on the Drupal.org server infrastructure, and was not the result of a vulnerability within Drupal itself. Drupal team have worked with the vendor to confirm it is a known vulnerability and has been publicly disclosed. They are still investigating and will share more detail when it is appropriate. Upon discovering the files during a security audit, the security team has already shut down the association.drupal.org website to mitigate any possible ongoing security issues related to the files. The Drupal Security Team then began forensic evaluations and discovered that user account information had been accessed via this vulnerability. The suspicious files may have exposed profile information like username, email address, hashed password, and country. In addition to resetting your password on Drupal.org, it is also recommending a number of measures (below) for further protection of your information, including, among others, changing or resetting passwords on other sites where you may use similar passwords. 

As a precautionary measure of the said security breach, Drupal Security Team has reset all Drupal.org account holder passwords and are requiring users to reset their passwords at their next login attempt. A user password can be changed at any time by taking the following steps. 

1. Go to https://drupal.org/user/password 
2. Enter your username or email address. 
3. Check your email and follow the link to enter a new password. It can take up to 15 minutes for the password reset email to arrive. If you do not receive the e-mail within 15 minutes, make sure to check your spam folder as well.

Counter Measures that Drupal has Taken to avoid such mishap is something followed- as attacks on high-profile sites (regardless of the software they are running) are common, Drupal strive to continuously improve the security of all Drupal.org sites. To that end, Drupal have taken the following steps to secure the Drupal.org infrastructure:

• Staff at the OSU Open Source Lab (where Drupal.org is hosted) and the Drupal.org infrastructure teams rebuilt production, staging, and development webheads and GRSEC secure kernels were added to most servers
• Drupal is scanning and have not found any additional malicious or dangerous files and making scanning a routine job in their process
• There are many subsites on Drupal.org including older sites for specific events. Drupal created static archives of those sites.

This security breach of Drupal which affected more than 967,000 users is giving us a remind of the decent history of breach where we have seen a slew of attacks against the following sites: Scribd, Guild Wars 2, Gamigo, Blizzard, Yahoo, LinkedIn, eHarmony, Formspring, Android Forums, Gamigo,  Nvidia,Blizzard, Philips, Zynga, VMWare, Adobe,  Twitter  New York Times, Apple and so on. 

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Drupal.org Hacked ! More Than 967,000 Registered User Details Compromised "https://www.voiceofgreyhat.com/2013/06/Drupal.org-Hacked-967000-User-at-Risk.html</a>

Cupid Media Network Breach Exposes 42 Million Passwords in Plain Text

Cupid Media Network Breach Exposes 42 Million Passwords in Plain Text (Uunencrypted)

Cupid Media one of the leading niche online dating network that have more than 35 large online dating website, faced a massive intrusion that effects more than 42 million of its registered users. From an exclusive report of Kerbs On Security we came to know that the breach was taken earlier in this year. Where the hackers managed to gain access into the crucial servers belongings to Cupid Media network. According to the managing director of Cupid Media, Mr Andrew Bolton - "In January we detected suspicious activity on our network and based upon the information that we had available at the time, we took what we believed to be appropriate actions to notify affected customers and reset passwords for a particular group of user accounts.” After a preliminary investigation it has been found that the purloined database of Australia-based niche dating service Cupid Media was found on the same server where hackers had amassed tens of millions of records stolen from Adobe. More than 42 million peoples' unencrypted names, dates of birth, email addresses and passwords have been found from the pinched database. I am very much wearied to see that a high value site like Cupid is unconcerned about the basic security counter measure. Even their confidential tables remained unencrypted which allows the hacker to gain the personal information in plain text. Like the Cupid Media security team, the registered users also found very much inadvertent and unaware of basic security measures. I am saying this because of the leaked passwords, almost two million picked "123456", and over 1.2 million chose "111111". "iloveyou" and "lovely" both beat out "password", and while 40,000 chose "qwerty", 20,000 chose the bottom row of the keyboard instead - yielding the password "zxcvbnm". 

Jason Hart of famous data protection firm Safenet said "The true impact of the breach is likely to be huge. Yet, if this data had been encrypted in the first place then all hackers would have found is scrambled information, rendering the theft pointless."

This security breach of Cupid Media reminds us  the decent history of breach where we have seen a slew of attacks against the following sites: Drupal.org  Scribd, Guild Wars 2, Gamigo, Blizzard, Yahoo, LinkedIn, eHarmony, Formspring, Android Forums, Gamigo,  Nvidia,Blizzard, Philips, Zynga, VMWare, Adobe,  Twitter,  New York Times, Apple and so on. While covering this story on behalf of VOGH, I am warning our readers across the globe to use strong alphanumeric passwords to avoid such disaster. Also the webmasters and security administrator are highly recommended to use salted encryption in their database to prevent fortuitousness cyber attack. 

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Cupid Media Network Breach Exposes 42 Million Passwords in Plain Text "https://www.voiceofgreyhat.com/2013/11/cupid-media-breach-exposes-42million-plaintext-passwords.html</a>

Supercookies Of MSN Has Been Disabled By Microsoft

Microsoft has eliminated controversial "supercookies" that were present on MSN.com, in response to research that detailed the user-tracking technique. Unlike regular cookies, or even newer Flash cookies, the latest generation of tracking technologies can't be disabled by browser users, even with privacy add-ons. That revelation surfaced late last month, in two separate research papers.
The first paper, "Tracking the Trackers: Microsoft Advertising (cache and ETag supercookies)," written by Stanford University graduate student Jonathan R. Mayer, highlighted new, persistent-cookie techniques being used by Microsoft on its MSN.com site.
In response to that paper, released in July, Microsoft on Thursday disclosed that it had immediately investigated Mayer's assertions, identified the code in question, and disabled it. 

"We determined that the cookie behavior he observed was occurring under certain circumstances as a result of older code that was used only on our own sites, and was already scheduled to be discontinued," said Mike Hintze, associate general counsel for regulatory affairs at Microsoft, in a blog post.
"We accelerated this process and quickly disabled this code. At no time did this functionality cause Microsoft cookie identifiers or data associated with those identifiers to be shared outside of Microsoft," he said. "We are committed to providing choice when it comes to the collection and use of customer information, and we have no plans to develop or deploy any such 'supercookie' mechanisms."

Interestingly, the use of ETag supercookies that Mayer discovered wasn't limited to Microsoft. In fact, a separate group of researchers found similar techniques at use in a wide range of websites, as detailed in their paper, "Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning," released late last month.
That report's co-author, Ashkan Soltani, an independent privacy researcher, said in a blog post that the team discovered the new tracking techniques when recreating their 2009 study,  

"which found that websites were circumventing user choice by deliberately restoring previously deleted HTTP cookies using persistent storage outside of the control of the browser (a practice we dubbed 'respawning')." The technique is often used by online advertisers and their affiliates to track online behavior.
In the course of the new research, the team identified 5,600 HTTP cookies used on popular sites, 88% of them from third parties. Google-run cookies were present on 97 of the top 100 websites--including government websites--and Flash cookies were also present on 37 of the top 100 websites. In addition, 17 sites used HTML5, with seven also used "HTML5 local storage and HTTP cookies with matching values," said Soltani.
In addition,  

"we found two sites that were respawning cookies, including one site--hulu.com--where both Flash and cache cookies were employed to make identifiers more persistent," he said. "The cache cookie method used ETags, and is capable of unique tracking even where all cookies are blocked by the user and 'Private Browsing Mode' is enabled."
 

Exactly what are ETags? According to the report, "ETags are tokens presented by a user's browser to a remote webserver in order to determine whether a given resource (such as an image) has changed since the last time it was fetched. Rather than simply using it for version control, we found KISSmetrics returning ETag values that reliably matched the unique values in their 'km_ai' user cookies."

Wired first reported those findings, which led television streaming website Hulu.com to sever ties with one of the supercookie-using tracking firms detailed in the report, startup KISSmetrics. Spotify also suspended its relationship with the company, pending an investigation.
In a blog post, Hiten Shah, CEO of KISSmetrics, slammed the report for inaccuracies, arguing that it "significantly distorts our technology and business practices." Namely, he said, while his company employs a unique identifier for every person it tracks, even across websites, "internally, these identifiers are instantly translated into unique identifiers for each customer, and KISSmetrics has gone to extensive lengths to avoid linking any information from different customers, including segregating each customer's data in a completely separate database."
According to Shah, the same day the report was released, the first of two related lawsuits were filed against his company.
Hulu's move to sever ties over controversial marketing practices isn't surprising, considering it had been named in a previous class action lawsuit that resulted from Soltani's original respawning study, released in 2009. The result of that lawsuit was a $2.4 million settlement in December 2010, and a promise by Clearspring and Quantcast to discontinue using the technology.
Meanwhile, other defendants in the suit--ABC, ESPN, Hulu, JibJab Media, MTV Networks, NBC Universal, and Scribd--agreed to warn user if Flash was being used to track them, and to detail in their website privacy policies how to block the practice.
How can users stop supercookies? While do not track capabilities in browsers have attracted much attention lately as a way to block persistent tracking, supercookies can't currently be stopped from within the browser. Accordingly, blocking supercookies might require some type of privacy legislation that compels U.S. businesses to respect users' "do not track" intentions, as well as to disclose their tracking techniques. 

-News Source (Information Week)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Supercookies Of MSN Has Been Disabled By Microsoft"https://www.voiceofgreyhat.com/2011/08/supercookies-of-msn-has-been-disabled.html</a>