Unless you’ve been living under a rock for the past few months, you have probably heard about the dump from the 2012 LinkedIn hack being released. TrustedSec was able to acquire a copy of the list and use it for research purposes. Our friends over at Korelogic have already posted an excellent analysis of the list showing the most common words, patterns, and other statistics, so we are not going to rehash that information. The LinkedIn list offers an opportunity for us at TrustedSec to share our password recovery methodology step by step and show how we attack large password breach lists. The passwords gained from these types of breaches are very valuable to us on penetration tests because people often reuse passwords across work and social media. Our hope is that by now everyone on this list has reset their password and is no longer using the password they used for LinkedIn in 2012; however, since we cannot be sure, we have no plans to share the list, so please don’t ask.
The list we received contained 167,370,909 entries in unsalted SHA1 hash format. The list contains a large number of duplicate hashes, which is valuable for statistical analysis, but we don’t need that to go over cracking methodology. After removing all of the duplicates and blank lines we were left with 117,205,871 unique hashes to crack.
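The clean-up step described above (drop blank lines, collapse duplicates) is the part of the workflow most people get subtly wrong, because the same hash can appear in upper and lower case or with trailing whitespace and then survive a naive `sort -u`. The function below is an added illustration, not TrustedSec’s own tooling: it normalizes each line, discards anything that is not a 40-hex-character SHA1, de-duplicates while preserving first-seen order, and reports counts so the before/after numbers can be checked. The sample dump is constructed inline from `hashlib` so the block runs offline.

```python
import hashlib
import re
from collections import Counter

# A raw unsalted SHA1 is exactly 40 hex characters once lowercased.
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def normalize_hash_list(lines):
    """Turn raw dump lines into a list of unique lowercase SHA1 hashes.

    Returns (unique_hashes, stats) where stats counts total, blank,
    malformed, duplicate and unique lines so the reduction is auditable.
    """
    seen = set()
    unique = []
    stats = Counter()
    for raw in lines:
        stats["total"] += 1
        h = raw.strip().lower()          # whitespace and case are not part of the hash
        if not h:
            stats["blank"] += 1
            continue
        if not SHA1_RE.match(h):
            stats["malformed"] += 1      # e.g. a stray header or corrupted row
            continue
        if h in seen:
            stats["duplicate"] += 1
            continue
        seen.add(h)
        unique.append(h)
    stats["unique"] = len(unique)
    return unique, stats


def _sha1_hex(s):
    return hashlib.sha1(s.encode()).hexdigest()


# Constructed sample dump (not real breach data): two distinct hashes,
# one repeated in upper case, one repeated with a trailing newline,
# plus a blank line and a malformed row.
SAMPLE_DUMP = [
    _sha1_hex("password"),
    _sha1_hex("password").upper(),
    "",
    _sha1_hex("123456"),
    "not-a-hash",
    _sha1_hex("123456") + "\n",
]


def sample_result():
    """Run the normalizer over the constructed sample."""
    return normalize_hash_list(SAMPLE_DUMP)


if __name__ == "__main__":
    hashes, stats = sample_result()
    print(dict(stats))
    for h in hashes:
        print(h)
```

For a real file, pass the open file object directly (`normalize_hash_list(open("dump.txt"))`) so the list is streamed line by line; the `seen` set is what costs memory, and for a dump in the hundred-million range that is on the order of several gigabytes, which is why the counts in the stats dict are worth printing before committing to a cracking run.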
Merger Monday is back with a bang: moments ago Microsoft announced that it would buy LinkedIn for $196/share, a massive 50% premium to the Friday closing price of $131. The total deal size is $26.2 billion and, according to the press release, MSFT will finance the transaction primarily through the issuance of new debt. Indicatively, almost exactly one year ago, LNKD was trading at $300.
Microsoft, which will pay a $725 million termination fee if the deal does not go through, warns that the deal will only become accretive in 2019. This means many synergies are coming for the tech company.
Microsoft also reiterated its intention to complete its existing $40 billion share repurchase authorization by Dec. 31, 2016.
Targets included engineers at Global Roaming Exchange providers and OPEC
According to a new report (German) by Der Spiegel, the British signals intelligence spy agency has again employed a “quantum insert” technique as a way to target employees (Google Translate) of two companies that are GRX (Global Roaming Exchange) providers.
The lead author of the story in the German magazine is Laura Poitras, one of the journalists known to have access to the entire trove of documents leaked by former National Security Agency contractor Edward Snowden.
GRX is roughly analogous to an IX (Internet Exchange), and it acts as a major exchange for mobile Internet traffic while users roam around the globe. There are only around two dozen such GRX providers globally. This new attack specifically targeted administrators and engineers of Comfone and Mach (which was acquired over the summer by Syniverse), two GRX providers.
Der Spiegel suggests that the Government Communications Headquarters (GCHQ), the British sister agency to the NSA, used spoofed versions of LinkedIn and Slashdot pages to serve malware to targets. This type of attack was also used to target “nine salaried employees” of the Organization of Petroleum Exporting Countries (OPEC), the global oil cartel.
There was a time when the shadier online “element” was mostly interested in procuring credit card numbers, usually from Eastern European sources, in order to turn a quick buck. However, over time, interest in credit card fraud declined, and according to RSA the going rate for 1,000 credit card numbers has now dropped to a mere $6. What has taken the place of monetary online fraud is artificial “likability” and “popularity.” Reuters reports that with the rise of social networking, instead of obtaining credit card numbers, hackers have used their computer skills to create and sell false endorsements – such as “likes” and “followers” – that purport to come from users of Facebook, its photo-sharing app Instagram, Twitter, Google’s YouTube, LinkedIn and other popular websites. This can be seen in the prices charged by “service” providers: 1,000 Instagram “followers” can be bought for $15, while 1,000 Instagram “likes” cost $30. It is likely that the going rates for fake popularity on other online social networks, Facebook and Twitter among them, are comparable.
In other words, being “liked” and “followed” online – traditionally an indication of influence, importance and power – has become more important than having instant access to liquidity, and naturally, since there is demand for online popularity shortcuts, there is also supply.
Enter Zeus, a computer virus that was once widely used to steal credit card numbers and has now been modified to create bogus likes that can be used to generate buzz for a company or individual.
In short: marketing and self-promotion is now the most important gray market commodity on the internet.
These fake “likes” are sold in batches of 1,000 on Internet hacker forums, where cyber criminals also flog credit card numbers and other information stolen from PCs. According to RSA, 1,000 Instagram “followers” can be bought for $15 and 1,000 Instagram “likes” go for $30, whereas 1,000 credit card numbers cost as little as $6.
Earlier this year, ThinkProgress obtained 75,000 private emails from the defense contractor HBGary Federal via the hacktivist group called Anonymous. The emails led to two shocking revelations. First, that an assortment of private military firms collectively called “Team Themis” had been tapped by Bank of America to conduct a cyber war against reporters sympathetically covering the Wikileaks revelations. And second, that late in 2010, the same set of firms began work separately for the U.S. Chamber of Commerce, a Republican-aligned corporate lobbying group, to develop a similar campaign of sabotage against progressive organizations, including the SEIU and ThinkProgress.
Are you tired of living in public, sick of all the privacy theater the social networks are putting on, and just want to end it all online? Now you can wipe the slate clean with the Web 2.0 Suicide Machine. (Warning: This will really delete your online presence and is irrevocable). Just put in your credentials for Facebook, MySpace, Twitter, or LinkedIn and it will delete all your friends and messages, and change your username, password, and photo so that you cannot log back in.
The site is actually run by Moddr, a New Media Lab in Rotterdam, which executes the underlying scripts that erase your accounts. The Web 2.0 Suicide Machine is a digital Dr. Kevorkian. On Facebook, for instance, it removes all your friends one by one, removes your groups, joins you to its own “Social Network Suiciders,” and lets you leave some last words. So far 321 people have used the site to commit Facebook suicide. On Twitter, it deletes all of your Tweets and removes all the people you follow and your followers. It doesn’t actually delete these accounts; it just puts them to rest.
The Web 2.0 Suicide Machine runs a Python script which launches a browser session and automates the process of disconnecting from these social networks (here is a video showing how this works with Twitter). You can even watch the virtual suicide in progress via a Flash app which shows it as a remote desktop session. You can watch your online life pass away one message at a time. Taking over somebody else’s account via an automated script, even with permission, may very well be against the terms of service of these social networks.
From the FAQs:
If I start killing my 2.0-self, can I stop the process?
If I start killing my 2.0-self, can YOU stop the process?
What shall I do after I’ve killed myself with the web2.0 suicide machine?
Try calling some friends, take a walk in a park or buy a bottle of wine and start enjoying your real life again. Some Social Suiciders reported that their lives have improved by an approximate average of 25%. Don’t worry if you feel empty right after you committed suicide. This is a normal reaction which will slowly fade away within the first 24-72 hours.
The light-hearted video below explains the benefits of committing Web 2.0 Suicide and disconnecting from “so many people you don’t really care about.” Unplugging from your social life online will leave you more time for your real life, which you’ve probably been neglecting. With the Web 2.0 Suicide Machine, you can “sign out forever.” Not that we are recommending you do this in any way. But you may enjoy the video.