Hackers in China attempted to gain access to over 20 million active accounts on Alibaba Group Holding Ltd’s Taobao e-commerce website using Alibaba’s own cloud computing service, according to a state media report posted on the Internet regulator’s website.
An Alibaba spokesman said the company detected the attack in “the first instance”, reminded users to change passwords, and worked closely with the police investigation.
Chinese companies are grappling with a sharp rise in the number of cyber attacks, and cyber security experts say firms have a long way to go before defenses catch up to U.S. counterparts.
In the latest case, hackers obtained a database of 99 million usernames and passwords from a number of websites, according to a separate report on a website managed by the Ministry of Public Security.
The hackers then used Alibaba’s cloud computing platform to input the details into Taobao. Of the 99 million usernames, they found 20.59 million were also being used for Taobao accounts, the ministry website said.
The hackers started inputting the details into Taobao in mid-October and were discovered in November, at which time Alibaba immediately reported the case to police, the ministry website said. The hackers have since been caught, it said.
Alibaba’s systems discovered and blocked the vast majority of log-in attempts, according to the ministry website.
The hackers used compromised accounts to fake orders on Taobao, a practice known as “brushing” in China and used to raise sellers’ rankings, the newspaper said. The hackers also sold accounts to be used for fraud, it said.
Alibaba’s spokesman said the hackers rented the cloud computing service, but declined to comment on security measures designed to stop the system being used for the attack. He said they could have used any such service, and that the attack was not aided by any possible loopholes in Alibaba’s platform.
“Alibaba’s system was never breached,” the spokesman said.
The number of accounts, 20.59 million, represents about 1 out of every 20 annual active buyers on Alibaba’s China retail marketplaces.
Slapdash developers have been advised not to use the open source JSPatch method of updating their wares because it is as vulnerable as a soft boiled egg, for various reasons.
It’s FireEye that is giving JSPatch the stink eye and providing the warning that it has rendered over 1,000 applications open to copy and paste theft of photos and other information. And it doesn’t end there.
FireEye’s report said that Remote Hot Patching may sound like a good idea at the time, but it really isn’t. It is so widely used that it has opened up a hole in the security of 1,220 iOS applications used by Apple customers. A better option, according to the security firm, is to stick with the Apple method, which should provide adequate and timely protection.
“Within the realm of Apple-provided technologies, the way to remediate this situation is to rebuild the application with updated code to fix the bug and submit the newly built app to the App Store for approval,” said FireEye.
“While the review process for updated apps often takes less time than the initial submission review, the process can still be time-consuming and unpredictable, and can cause loss of business if app fixes are not delivered in a timely and controlled manner.
Let’s not all make this JSPatch’s problem, because presumably it’s developers who are lacking.
FireEye spoke up for the open source security gear while looking down its nose at hackers. “JSPatch is a boon to iOS developers. In the right hands, it can be used to quickly and effectively deploy patches and code updates. But in a non-utopian world like ours, we need to assume that bad actors will leverage this technology for unintended purposes,” the firm said.
Teenage hackers are making merry with the online world of CIA director of national intelligence James Clapper.
This is the second bout of attacks from the group of technology tearaways, according to Motherboard, which reports on the Clapper problem and its connection to a group known as Crackas With Attitude.
A member of the group, a young chap called Cracka, told Motherboard that access to a range of Clapper accounts had been seized, and that Clapper and the CIA haven’t a clue what’s going on.
“I’m pretty sure they don’t even know they’ve been hacked. You asked why I did it. I just wanted the gov to know people aren’t fucking around, people know what they’re doing and people don’t agree #FreePalestine,” he said.
The claims were supported by the Office of the Director of National Intelligence, which confirmed that something has happened and that the authorities are looking into it.
“We’re aware of the matter and we reported it to the appropriate authorities,” said spokesman Brian Hale, before going mute.
Cracka, representing himself on Twitter as @dickreject, is less quiet. He has tweeted a number of confirmatory and celebratory messages that are not particularly flattering about the CIA and its abilities.
This is the group’s second bite at the CIA cherry. The teenagers walked into the personal email account of CIA director John Brennan last year and had a good look around. Some of the impact of this was washed away when it was discovered that Brennan used an AOL account for his communications.
“A hacker, who describes himself as an American high school student, has breached the CIA boss’s AOL email account and found a host of sensitive government files that one assumes a government official shouldn’t be sending to his personal email address,” said security comment kingpin Graham Cluley at the time.
“I’m not sure what’s more embarrassing. Being hacked or having an AOL email account.”
Thousands of small businesses continue to suffer intermittent outages of their websites in the crucial lead up to Christmas, after their provider Moonfruit took all sites offline yesterday.
A statement from the company at 1pm today said: “Our operations team is continuing to work on resolving the service issue. We are making progress but unable to provide specific details at this time. Once again, we’re really sorry for the disruption. Your patience and understanding is very much appreciated.”
A further update was scheduled for 3pm but had not materialized at the time of publication.
The identikit website creator made the unusual decision after facing a prolonged DDoS attack against its servers last Thursday from a hacking group calling itself Armada DDoS. The company is believed to have had renewed threats of further attacks and is still suffering a significant degradation of service.
The motives for the attack are currently unknown.
Moonfruit began restoring service this morning, but at 1pm many customers were still having problems, and the main Moonfruit site was offline.
Moonfruit is one of the oldest sites of its type, dating back to 2000. The British company was initially advertising-based and free before moving to a subscription model when the last bubble burst.
The whole system was based on Adobe Flash until recently, but has been adapted for HTML5, which represents an important step in its survival as more browsers stop rendering the ageing platform.
However, the company announced earlier today that it is taking all its sites offline for 12 hours after a sustained distributed denial-of-service (DDoS) attack on its servers.
Moonfruit Update, 14/12/2015: https://t.co/5xkHAshFT9 and your sites will be offline today. Please read: https://t.co/w2CvVG1xqQ
— Moonfruit (@moonfruit) December 14, 2015
Dave Larson, chief operating officer at Corero Network Security, said: “Unfortunately, the sheer size and scale of hosting or data centre operator network infrastructures and their massive customer base presents an incredibly attractive attack surface due to the multiple entry points and significant aggregate bandwidth that acts as a conduit for a damaging and disruptive DDoS attack.
“As enterprises of all sizes increasingly rely on hosted critical infrastructure or services, they are placing themselves at even greater risk from these devastating DDoS attacks, even as an indirect target.”
DDoS attacks grew by a third in just the past quarter. A Swedish bank was brought down last month, while GitHub was taken offline earlier in the year by an attack thought to have originated in China.
Moonfruit customers have expressed their anger at the short notice and timing of the outage. Many are obviously concerned about potential loss of sales in the run up to Christmas, but Moonfruit maintained that the downtime is necessary to make “infrastructure changes”.
“We have been working with law enforcement agencies regarding this matter and have spared no time or expense in ensuring we complete the work as quickly as possible,” said the company’s director, Matt Casey, in a statement posted to the Moonfruit Facebook page.
The Moonfruit site, which is built on its own platform, is back up and running. A further statement from Moonfruit last night said: “We know how painful this has been for you and your business. We have used the time well and our defenses have improved substantially. Thank you for your patience and support throughout this crisis. We are nearly there and hope to fully restore service by early evening.
As always, we care about the Moonfruit Community and will keep you informed. You have no idea how much the messages of support have meant as we’ve burned the midnight oil over the weekend to put things right, and to better position you for the future.”
The service set up by WordPress to better support WordPress has failed users by suffering a security breach and behaving just like the rest of the internet.
WordPress, and its themes, are often shone with the dark light of the security vulnerability, but we do not hear of WP Engine often. Regardless of that, it seems to do good business and is reaching out to those that it does business with to tell them what went wrong and what they need to do about it.
A reasonable amount of threat mitigation is required, and if you are affected by the issue you are going to have to change your password – again, and probably keep a cautious eye on the comings and goings of your email and financial accounts.
“At WP Engine we are committed to providing robust security. We are writing today to let you know that we learned of an exposure involving some of our customers’ credentials. Out of an abundance of caution, we are proactively taking security measures across our entire customer base,” says the firm in an urgent missive on its web pages.
“We have begun an investigation, however there is immediate action we are taking. Additionally, there is action that requires your immediate attention.”
That action is probably to panic in the short term, and then to change your password and cancel out any instances of its re-use across the internet. You know the drill; this is a daily thing, right? Judging by the WordPress statement, we are in the early days of internal investigation.
“While we have no evidence that the information was used inappropriately, as a precaution, we are invalidating the following five passwords associated with your WP Engine account,” explains WordPress as it reveals the scale of its – actually, your – problem. “This means you will need to reset each of them.”
Have fun with that.
The notice said there was no indication the hackers obtained sensitive information from what it said were a “small group of accounts” targeted.
It did not provide additional information about the attack or possible suspects in its investigation.
Twitter’s notice is the latest amid concern about cyber attacks by state-sponsored organizations. Government agencies, businesses and media have all been hacked.
Motherboard, a tech news site, and the Financial Times earlier reported on Twitter’s warning.
One organization that said it received the notice, a Winnipeg-based nonprofit called Coldhak, said the warning from Twitter came on Friday. The notice said the attackers may have been trying to obtain information such as “email addresses, IP addresses, and/or phone numbers”.
Coldhak’s Twitter account, @coldhakca, retweeted reports from a number of other users who said they received the notice. Coldhak and the other users did not indicate why they may have been singled out.
Colin Childs, one of the founding directors of Coldhak, told Reuters his organization has seen “no noticeable impact of this attack”.
Google and Facebook have also started issuing warnings to users possibly targeted by state-sponsored attacks.
Symantec has warned that the hacker threat to Apple users has reached unprecedented levels.
The firm reckons that Apple is a victim of its success, becoming a bigger target as its user base grows. To be fair to Apple most of the problem relates to jailbroken devices, which is not a thing that the firm recommends. We have seen incidents recently that make the most of this. The threat applies to mobile software and the desktop.
“A growing number of attackers have begun to target Apple operating systems, with the amount of infections and new malware threats increasing over the past two years,” said Symantec.
“The number of new Mac OS X threats rose by 15 percent in 2014, while the number of iOS threats discovered this year has more than doubled, from three in 2014 to seven so far in 2015.
“Jailbroken devices are the focus of the majority of threats and, of the 13 iOS threats documented by Symantec to date, nine can only infect jailbroken devices. While the total number of threats targeting Apple devices remains quite low compared to Windows in the desktop space and Android in the mobile sector, Apple users cannot be complacent. Should Apple platforms continue to increase in popularity, the number of cybersecurity threats facing Apple users will likely grow in parallel.”
Symantec warns that Apple users face threats from a growing range of attackers.
“These threats span from ordinary cybercrime gangs branching out and porting their threats to Apple platforms, right up to high-level attacker groups developing custom Mac OS X and iOS malware,” it added.
“Examples of the latter include the Butterfly corporate espionage group infecting OS X computers in targeted organisations and the Operation Pawnstorm APT group creating malware capable of infecting iOS devices.”
Symantec said that a “significant” amount of the threats hitting iOS X are what it calls Grayware. Grayware, says Symantec, includes “adware, potentially unwanted or misleading applications”.
Members of the European Parliament have reached a milestone by signing off the first cyber security rules for the European Union in the form of the Network and Information Security Directive.
The rules ask much of firms like Amazon and Google and will encourage them to be more open about security problems, data breaches and the like. The European Parliament reckons the rules will help protect the EU’s essential infrastructure, such as air and road traffic control systems and the electricity grid, from cyber attack as well as safeguard digital services, with the likes of eBay and Amazon specifically mentioned in the legislation.
“Today, a milestone has been achieved [told you]: we have agreed on the first ever EU-wide cyber-security rules, which the Parliament has advocated for years,” said a clearly delighted Parliament rapporteur Andreas Schwab.
“Parliament has pushed hard for a harmonised identification of critical operators in energy, transport, health or banking fields, which will have to fulfill security measures and notify significant cyber incidents. Member states will have to cooperate more on cybersecurity – which is even more important in light of the current security situation in Europe.”
That worrying “security situation” extends beyond Europe to the US, and in the past couple of days we have seen both President Obama and President of Alphabet Eric Schmidt urge the tech community to do more to help combat cyber baddies.
The European Parliament has long pressed for cloud services to be included in the legislation, pointed out Schwab. “Moreover, this directive marks the beginning of platform regulation,” he said.
“Whilst the Commission’s consultation on online platforms is still on-going, the new rules already foresee concrete definitions – a request that Parliament had made since the beginning in order to give its consent to the inclusion of digital services.”
As a directive, these rules cannot be imposed on EU member states but rather will have to be reflected by new or amended legislation passed by individual EU national parliaments.
Hacking a major corporation is so easy that even an elderly grannie could do it, according to technology industry character John McAfee.
McAfee said that looking at the world’s worst hacks you can see a common pattern – they were not accomplished using the most sophisticated hacking tools.
Writing in IBTimes, McAfee said that the worst attack was the 2012 attack on Saudi Aramco, one of the world’s largest oil companies. Within hours, nearly 35,000 distinct computer systems had their functionality crippled or destroyed, causing a massive disruption to the world’s oil supply chain. It was made possible by an employee who was fooled into clicking a bogus link sent in an email.
He said 90 per cent of hacking was social engineering, and it is the human elements in your organization that are going to determine how difficult, or how easy, it will be to hack you.
The user is the weakest link in the chain of computing trust, imperfect by nature. And all of the security software and hardware in the world will not keep a door shut if an authorized user can be convinced to open it, he said.
“Experienced hackers don’t concern themselves with firewalls, anti-spyware software, anti-virus software, encryption technology. Instead they want to know whether your management personnel are frequently shuffled; whether your employees are dissatisfied; whether nepotism is tolerated; whether your IT managers have stagnated in their training and self-improvement.”
Much of this information can be picked up on the dark web and the internet underground, he added.
“Are you prepared for a world where grandma or anyone else can quickly obtain, on the wide open web, all of the necessary information for a social engineering hack? Is your organization prepared?” he said.
IBM has claimed that sophisticated criminals are responsible for 80 percent of cyber attacks, and that there are probably a lot of kids and amateurs accounting for the remaining 20 percent.
The IBM X-Force Threat Intelligence Quarterly 4Q 2015 (PDF) described this 20 percent as “script kiddies”, claiming that the attacks reveal their amateurishness. However, when people are not messing about they are able to carry out some catastrophic and expensive hacktrocities.
“The script kiddies scour the internet for ‘low hanging fruit’, the servers that can be compromised quickly and easily, and they use them for a limited time to send spam and scan other servers on the internet,” said the report.
“Or they deface the website and move on to other targets once they are discovered. These script kiddies give little thought to covering their tracks.
“In contrast, stealthy attackers might gain access to a system by exploiting the same vulnerability as the script kiddies, but they use a far more sophisticated combination of commercial tools, malware/rootkits and backdoors to increase their access level on the client’s network and compromise additional systems over several weeks of expansion.”
There is plenty to worry about, naturally, and IBM has plenty of things to spook us with. The report starts with saying that 2015 has been the year of ransomware. The FBI has already reported that such exploits have bagged attackers $18m over the period, and that it expects the problem to extend into 2016.
Take a look around your office before you read alert number two. This is the insider danger. The report said that this trend has played out since 2014, and that 55 percent of all attacks in 2015 were down to insiders, or at least people with inside information.
Perhaps as a result of this – we are not data analysts – IBM has also seen an increase in boardroom involvement and spending. Some 88 percent of respondents to a survey said that their relevant budgets had increased over the period.
Swiss bank Swedbank has had its website taken offline by hackers after suffering a distributed denial of service (DDoS) attack on Friday.
Details remain thin on the ground, but the attack means that customers are unable to carry out online transactions or contact the bank through its website.
The site is still down, and the bank admitted to CBR that, while it probably knows who is behind the attack, “our method to cope with it hasn’t really succeeded yet”.
There’s no word as to when the website will be back up and running, but the bank has confirmed that its mobile applications are still working.
This isn’t the first time that Swedbank has fallen victim to hackers. The company admitted in a statement given to Reuters that this was the second attack in as many months, and – clearly not very confident in its own security – that it will probably happen again.
“The website was also hit by a hacker attack in October. It is not the first time and it will probably not be the last,” a spokesperson said.
News of the attack on Swedbank, which also operates in Estonia, Latvia and Lithuania, comes just hours after encrypted email company ProtonMail admitted that it had also been struck by a major DDoS attack.
ProtonMail said that, in a bid to get back to business, the company “grudgingly agreed” to pay 15 bitcoins, or $6,000, to the hackers in a bid to get them to stop the attack.
However, after handing over the cash, ProtonMail said that the DDoS attack, which was “unprecedented in size and scope”, continued, although it appears to have now stopped.
ProtonMail warned that the costs involved in avoiding another such attack are crippling and could put the firm out of business.
The attackers had potentially gained access to the victims’ bank sort codes and the last four numbers of their bank accounts, along with their names and mobile telephone numbers, a Vodafone spokesman said.
“This incident was driven by criminals using email addresses and passwords acquired from an unknown source external to Vodafone,” he added in a statement.
Only a handful of those affected in the Thursday morning attack had seen any attempts to use their data for fraudulent activity on their Vodafone accounts.
“No credit or debit card numbers or details were obtained. However, this information does leave these 1,827 customers open to fraud and might also leave them open to phishing attempts,” the spokesman said.
The company was contacting all those involved, and other customers need not be concerned, he said.
Last week broadband, TV, mobile and fixed-line service provider TalkTalk said it had been hacked, potentially putting the private details of its 4 million customers into the hands of criminals.
Fewer than 21,000 unique bank account numbers and sort codes had been accessed. Two teenagers have been arrested in connection with that attack.
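Both the Taobao and the Vodafone incidents above are credential stuffing: passwords leaked from other sites replayed against a login form, with most attempts failing and a minority landing. What that looks like from the defender’s side is one origin trying many distinct usernames, quickly, with a low success rate, which is quite different from an office NAT (many users, nearly all succeed) or one person mistyping a password. The detector below is an added example, not code from any of the companies named here; the log format, IP addresses, thresholds and sample lines are all constructed for illustration.

```python
"""Flag credential-stuffing sources in a web application's login log.

Constructed log format (one event per line):
    <ISO-8601 time> <source IP> <username> <SUCCESS|FAIL>
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Optional, Set


@dataclass
class SourceStats:
    usernames: Set[str] = field(default_factory=set)
    attempts: int = 0
    successes: int = 0
    first: Optional[datetime] = None
    last: Optional[datetime] = None


def parse_line(line: str):
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user, result == "SUCCESS"


def aggregate(lines) -> Dict[str, SourceStats]:
    """Roll login events up per source IP."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in lines:
        if not line.strip():
            continue
        ts, src, user, ok = parse_line(line)
        s = stats[src]
        s.usernames.add(user)
        s.attempts += 1
        s.successes += 1 if ok else 0
        s.first = ts if s.first is None else min(s.first, ts)
        s.last = ts if s.last is None else max(s.last, ts)
    return stats


def flag_stuffing(stats, min_users=5, max_success_rate=0.5, min_per_minute=3.0):
    """Return sources that try many distinct users, fast, and mostly fail.

    Thresholds are illustrative; tune them against your own baseline traffic.
    A shared office egress also shows many users, but its success rate is
    high, which is why the success-rate ceiling is part of the rule.
    """
    flagged = {}
    for src, s in stats.items():
        if len(s.usernames) < min_users:
            continue
        span_min = max((s.last - s.first).total_seconds() / 60.0, 1 / 60.0)
        per_minute = s.attempts / span_min
        success_rate = s.successes / s.attempts
        if success_rate <= max_success_rate and per_minute >= min_per_minute:
            flagged[src] = {
                "distinct_users": len(s.usernames),
                "attempts": s.attempts,
                "successes": s.successes,
                "success_rate": round(success_rate, 3),
                "per_minute": round(per_minute, 1),
            }
    return flagged


# Constructed sample: a rented cloud host replaying a leaked list (12 users in
# 11 seconds, 2 hits), an office NAT (6 users, all succeed, over 25 minutes)
# and one person mistyping a password before getting in.
SAMPLE_LOG = [
    *[f"2015-11-03T10:00:{i:02d} 203.0.113.7 user{i:03d} "
      f"{'SUCCESS' if i in (2, 9) else 'FAIL'}" for i in range(12)],
    *[f"2015-11-03T09:{5 * i:02d}:00 198.51.100.20 staff{i} SUCCESS"
      for i in range(6)],
    "2015-11-03T08:00:00 192.0.2.5 alice FAIL",
    "2015-11-03T08:00:20 192.0.2.5 alice FAIL",
    "2015-11-03T08:00:45 192.0.2.5 alice SUCCESS",
]

if __name__ == "__main__":
    for src, info in flag_stuffing(aggregate(SAMPLE_LOG)).items():
        print(src, info)
```

Once a source is flagged, the useful follow-up is to force a password reset for the accounts it logged into successfully, not only to block the IP, since the leaked credentials remain valid from any other host.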
A spate of hacking attacks on U.S. companies over the past two years has caused insurers to massively increase cyber premiums for some companies, leaving firms that are perceived to be a high risk scrambling for cover.
On top of rate hikes, insurers are raising deductibles and in some cases limiting the amount of coverage to $100 million, leaving many potentially exposed to big losses from hacks that can cost more than twice that.
“Some companies are struggling to find the money to buy the coverage they want,” said Tom Reagan, a cyber insurance executive with Marsh & McLennan Co’s Marsh broker unit.
The price of cyber coverage – which helps cover costs like forensic investigations, credit monitoring, legal fees and settlements – varies widely, depending on the strength of a company’s security. But the overall trend is sharply up.
Retailers and health insurers have been especially hard hit by the squeeze after high-profile breaches at Home Depot Inc, Target Corp, Anthem Inc and Premera Blue Cross.
Health insurers who suffered hacks are facing the most extreme increases, with some premiums tripling at renewal time, said Bob Wice, a leader of Beazley Plc’s cyber insurance practice.
Average rates for retailers surged 32 percent in the first half of this year, after staying flat in 2014, according to previously unreported figures from Marsh.
Higher deductibles are also now common for retailers and health insurers. And even the biggest insurers will not write policies for more than $100 million for risky customers. That leaves companies like Target, which says its big 2013 data breach has cost $264 million, paying out of pocket.
No. 2 U.S. health insurer Anthem ran into difficulties renewing its coverage after an attack early this year that compromised some 79 million customer records, according to testimony from Anthem General Counsel Thomas Zielinski at an August hearing of the National Association of Insurance Commissioners.
Renewal rates were “prohibitively expensive,” according to minutes of that session seen by Reuters. The company managed to get $100 million in coverage, Zielinski said, but only after agreeing to pay the first $25 million in costs for any future attacks. The company would not say what that figure was before, but it was likely much smaller.
Eight months after admitting a major data breach, ride service Uber is focusing its legal efforts on obtaining more information about an internet address that it has persuaded a court could lead to identifying the hacker. That address, two sources familiar with the matter say, can be traced to the chief of technology at its main U.S. rival, Lyft.
In February, Uber revealed that as many as 50,000 of its drivers’ names and license numbers had been improperly downloaded, and the company filed a lawsuit in San Francisco federal court in an attempt to unmask the perpetrator.
Uber’s court papers claim that an unidentified person using a Comcast IP address had access to a security key used in the breach. The two sources said the address was assigned to Lyft’s technology chief, Chris Lambert.
The court papers draw no direct connection between the Comcast IP address and the hacker. In fact, the IP address was not the one from which the data breach was launched.
However, U.S. Magistrate Judge Laurel Beeler ruled that the information sought by Uber in a subpoena of Comcast records was “reasonably likely” to help reveal the “bad actor” responsible for the hack.
On Monday, Lyft spokesman Brandon McCormick said the company had investigated the matter “long ago” and concluded “there is no evidence that any Lyft employee, including Chris, downloaded the Uber driver information or database, or had anything to do with Uber’s May 2014 data breach.”
McCormick declined to comment on whether the Comcast IP address belongs to Lambert. He also declined to describe the scope of Lyft’s internal investigation or say who directed it.
Lambert declined to comment in person or over email.
Data hacked from Experian is already on sale on the dark web and is available for grabbing by bad actors, phishers, malware writers and ID thieves.
Security firm Trustev is credited with the dark web discovery, although it is very possible that the underworld got to it first. Trustev and the internet are calling the dump a fullz, which means that it contains a lot of personal information.
T-Mobile customers make up a chunk of the potentially affected 15 million victims. The firm’s CEO, John Legere, went ballistic about what happened.
“We have been notified by Experian, a vendor that processes our credit applications, that they have experienced a data breach,” he said in a statement.
“Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian, but right now my top concern and first focus is assisting any and all consumers affected. I take our customer and prospective customer privacy very seriously.”
Experian has also gone public on this with a statement on its website, and has, perhaps ironically, offered to help victims sort their credit lives out.
“Experian North America today announced that one of its business units, notably not its consumer credit bureau, experienced an unauthorised acquisition of information from a server that contained data on behalf of one of its clients, T-Mobile USA,” the statement said.
“The data included some personally identifiable information for approximately 15 million consumers in the US, including those who applied for T-Mobile USA postpaid services or device financing from 1 September 2013 through 16 September 2015, based on Experian’s investigation to date. This incident did not impact Experian’s consumer credit database.”
The agency said that it acted quickly to fix the problem once it was discovered, and immediately told the authorities and began an investigation into the hows and the whys.
It is the crown jewels of data that has been lost. Experian fessed up to a breach of “names, dates of birth, addresses and Social Security numbers and/or an alternative form of ID like a driver’s licence number, as well as additional information used in T-Mobile’s own credit assessment”.
Experian added that no payment card or banking information was lost to the hackers.
Affected punters are being contacted and will be offered credit services, including two years of credit monitoring (although this may have lost some of its shine), and some identity protection services through its own ProtectMyID service.
Experian recommended that these services are embraced. “Although there is no evidence to-date that the data has been used inappropriately, Experian strongly encourages affected consumers to enroll in the complimentary identity resolution services,” the firm said.
Craig Boundy, CEO of Experian North America, took the opportunity to apologise and remind people that the company takes privacy very seriously.