Monday 19 December 2016

Russian hacker Rasputin allegedly stole logins from the US election agency EAC

According to the security firm Recorded Future, a Russian-speaking hacker was offering for sale stolen login credentials for the U.S. Election Assistance Commission (EAC), the U.S. agency that tests and certifies voting equipment.

The EAC was formed in 2002 and is tasked with certifying voting systems and developing best practices for administering elections.
More than 100 allegedly compromised U.S. Election Assistance Commission login credentials were offered for sale by a hacker that uses the Rasputin online moniker.

“On December 1, 2016, Recorded Future threat intelligence technology identified chatter related to a suspected breach of the U.S. Election Assistance Commission (EAC).” Recorded Future said in a Thursday blog post.

“Further research identified a Russian hacker (Recorded Future refers to this actor as Rasputin) soliciting a buyer for EAC database access credentials.”

Researchers discovered that some of these credentials carried the highest administrative privileges, which an attacker could use to steal sensitive information from the U.S. Election Assistance Commission, or to plant an exploit kit on the site and compromise visitors in a watering hole attack.

Recorded Future shared multiple screenshots that demonstrate the hacker had access to the system at the U.S. Election Assistance Commission.

Election and software systems test reports (image provided by Rasputin).

The Rasputin hacker claimed to have broken into the system via an unpatched SQL injection (SQLi) vulnerability.

The U.S. Election Assistance Commission (EAC) investigated the incident with authorities and has terminated access to the vulnerable application.

“The U.S. Election Assistance Commission (EAC) has become aware of a potential intrusion into an EAC web-facing application. The EAC is currently working with Federal law enforcement agencies to investigate the potential breach and its effects.” reads a statement issued by the Agency.

The Election Assistance Commission clarified that it does not administer elections.

“The EAC does not maintain voter databases. The EAC does not tabulate or store vote totals,” added the commission.

The discovery of this new data breach adds to the debate around possible interference with the 2016 Presidential election. The US Government has blamed Russia for attempting to influence the U.S. election through several high-profile cyber attacks.

SQL Injection Attack is Tied to Election Commission Breach


Just as cybersecurity concerns over the U.S. presidential election reach a fevered pitch, the U.S. agency responsible for certifying that voting machines work properly says it may have been hacked. That’s after independent researchers say they uncovered evidence that hackers have infiltrated the agency in question – the U.S. Election Assistance Commission. On Thursday security firm Recorded Future reported that a hacker offered to sell knowledge of an unpatched SQL injection vulnerability on the Dark Web. The vulnerability would have given an attacker access to the Election Assistance Commission (EAC) website and backend systems. In addition to knowledge of the vulnerability, the seller also included 100 potentially compromised access credentials for the system, including some with administrative privileges.

“This vulnerability would have given an adversary access to the EAC database, allowed them to plant malware on the site or effectively stage a watering hole attack,” said Levi Gundert, VP of intelligence and strategy at Recorded Future. EAC is an independent bipartisan commission that develops voting guidelines and provides information on administering elections. The commission is also responsible for testing and certifying voting equipment and systems to ensure they meet security standards, according to the agency’s website. Gundert said access to EAC’s systems by an attacker would be invaluable for future attacks, helping them glean sensitive information about existing electronic voting systems as well as those coming online.

 The Election Assistance Commission acknowledged the vulnerability and released the following statement: “EAC has become aware of a potential intrusion into an EAC web-facing application. The EAC is currently working with Federal law enforcement agencies to investigate the potential breach and its effects… Upon detecting the intrusion, the EAC terminated access to the application and began working with federal law enforcement agencies to determine the source of this criminal activity. The FBI is currently conducting an ongoing criminal investigation.” Little is known about the hacker selling the SQL injection flaw. According to a report by Recorded Future the seller’s native language is Russian and goes by the online handle “Rasputin.” Researchers said they spotted Rasputin advertising the flaw on the Dark Web for between $2,000 and $5,000 on Dec. 1 and alerted authorities the next day. “Based on Rasputin’s historical criminal forum activity, Recorded Future believes it’s unlikely that Rasputin is sponsored by a foreign government,” Recorded Future said. SQL injections are among the most common techniques employed by hackers to steal valuable information from corporate databases. Recorded Future declined to share technical specifics of the SQL injection vulnerability or EAC’s compromised platform.
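Recorded Future did not publish the details of the EAC flaw, so the following is an added illustration, not code from the EAC application or from Recorded Future: a toy login and user-lookup handler built by string formatting beside the parameterized version. It runs against an in-memory SQLite table with constructed rows (the schema, the `users` table and the two accounts are assumptions for the demo). The point it makes is the one in the article: the same unpatched query lets an attacker both bypass authentication and pull the whole credential table, and the fix is to let the driver bind the values rather than splicing them into SQL.

```python
import sqlite3


def build_db():
    """Constructed sample data: two accounts in a plain users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [
            ("admin", "correct horse battery staple", "admin"),
            ("tester", "lab-pass-2016", "tester"),
        ],
    )
    return conn


# --- vulnerable: user input is spliced into the SQL text -------------------

def vulnerable_login(conn, username, password):
    """Returns (username, role) on success. A quote in the input rewrites
    the WHERE clause; 'admin\' --' comments out the password check."""
    query = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchone()


def vulnerable_lookup(conn, username):
    """Directory lookup with the same defect. A UNION payload appends the
    password column to the result set, dumping every stored credential."""
    query = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


# --- fixed: values are bound as parameters, never parsed as SQL ------------

def safe_login(conn, username, password):
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def safe_lookup(conn, username):
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    bypass = "admin' --"
    dump = "x' UNION SELECT username, password FROM users --"
    print("vulnerable login :", vulnerable_login(db, bypass, "wrong"))
    print("safe login       :", safe_login(db, bypass, "wrong"))
    print("vulnerable lookup:", vulnerable_lookup(db, dump))
    print("safe lookup      :", safe_lookup(db, dump))
```

Two caveats worth noting: `sqlite3` refuses stacked statements in `execute()`, so `'; DROP TABLE` style payloads fail here but would succeed on drivers that allow them, and parameter binding only covers values. Table and column names chosen by the user still need an allow-list. The plaintext passwords in the sample table are there to make the UNION dump legible; a real schema would store a salted, slow hash.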

 This past U.S. presidential election has seen an unprecedented amount of concern over hackers attempting to sway election results. In August, the Federal Bureau of Investigation’s Cyber Division warned election officials nationwide to fortify voter registration data systems in the wake of two breaches it was able to detect earlier this summer. Earlier this week, President Barack Obama said the U.S. intelligence community has concluded Russian cyberattacks were part of an effort to influence the 2016 presidential election. Gundert doesn’t believe the sale of the unpatched SQL injection vulnerability is tied to past election attacks. However, he said, stolen credentials and earlier attacks that may have taken advantage of the SQL injection vulnerability could fuel more serious cyberattacks in the future. “It’s unclear how long the EAC vulnerability has been active; however, it could have been potentially discovered and accessed by several parties independently,” Recorded Future said.

See more at: SQL Injection Attack is Tied to Election Commission Breach https://wp.me/p3AjUX-vSX

Hack attack fear scares Canadian exam board away from online tests

Every year Ontario's Education Quality and Accountability Office (EQAO) tests secondary school students on their literacy skills. This year it rolled out online tests and the results weren't good.
In October the online pilot test of the Ontario Secondary School Literacy Test (OSSLT) was deployed and quickly fell over with its legs in the air mimicking a dead parrot. The failure was the result of what it called an "intentional, malicious and sustained distributed denial-of-service attack," against the testing system.
The attack was successful despite earlier testing of the online system against the possibility of just such an online assault. Forensic examiners are still investigating where the attack came from – El Reg suggests they look for a computer-savvy kid who doesn't study English much.
The original plan was for the OSSLT to be run for real in March, with students and teachers being able to choose whether to do the tests online or in the old-fashioned way. But because the source of the attack is still unknown, the EQAO is dropping all online testing for the time being.
"While we are pressing 'pause' on EQAO's move toward online assessments, we are by no means hitting 'stop,'" said Richard Jones, interim CEO of EQAO.
"In the days following the cyberattack in October, we heard from hundreds of members of Ontario's education community about the online OSSLT and we will take the time required to continue those discussions, so that we can integrate feedback into our system design. The intent is to come back with a system that better addresses needs in terms of usability, accessibility and security."

NAB sent details of 60,000 customers to wrong email address

The National Australia Bank (NAB) has taken "full responsibility" and apologised for the sending of personal data of 60,000 customers to an "incorrect email address".
The email contained each customer's name, address, email address, branch and account number, as well as an NAB identification number for some customers. Those impacted were customers who had their accounts created by the bank's migrant banking team while they were overseas.
"This error does not impact customers who set up an account in Australia," the bank said in a statement on Friday afternoon. "We take the privacy and the protection of our customers' personal information extremely seriously.
"The error was caused by human error and identified following our own internal checks and as soon as we realised what had happened we took action."
NAB said it had not seen any unusual activity on the affected accounts, and 40 percent of those customers had either closed their accounts or not used them in 2016. The bank said 19,000 accounts contained less than AU$2.
"We are sorry for this error and we will continue to work hard to improve and strengthen our processes," the bank said.
NAB said it had notified the Office of the Australian Information Commissioner and the Australian Securities and Investments Commission.
In October, NAB posted a AU$352 million statutory net profit for the 2016 financial year and praised its reduction in "technology incidents".

LinkedIn's training arm resets 55,000 members' passwords, warns 9.5m


Lynda.com, the training arm of LinkedIn, on Saturday issued email notices to about 55,000 members whose data it says has been perused by an “unauthorized third party.”
The letter sent to members, two of whom thoughtfully forwarded it to El Reg, reads as follows:
We recently became aware that an unauthorized third party breached a database that included some of your Lynda​.com learning data, such as contact information and courses viewed. We are informing you of this issue out of an abundance of caution. Please know that we have no evidence that this data included your password. And while we have no evidence that your specific account was accessed or that any data has been made publicly available, ​we wanted to notify you as a precautionary measure.
The Register asked LinkedIn when the breach was detected, when it occurred and how many people were impacted.
The company offered a statement penned by an un-named spokesperson, re-stating news of the breach and offering the following.
As a precautionary measure, we reset passwords for the less than 55,000 Lynda.com users affected and are notifying them of the issue. We’re also working to notify approximately 9.5 million Lynda.com users who had learner data, but no protected password information, in the database. We have no evidence that any of this data has been made publicly available and we have taken additional steps to secure Lynda.com accounts.
LinkedIn has form when it comes to breaches: earlier this year the company downplayed the sale of 117m user records. Which is a trivial number compared to the billion user records Yahoo! last week admitted it had lost, probably as a result of management fearing a costly and complex encryption re-tooling effort.

PayAsUGym breach exposes passwords


Fitness website PayAsUGym has been breached in a hack that may have exposed up to 400K emails and passwords.
In a breach notice to users, the firm admitted one of its servers was hacked after “underground researchers” posted screenshots purporting to show PayAsUGym’s hacked database via Twitter. The 1x0123 hacker crew later claimed that they planned to sell off the compromised database through underground markets.
PayAsUGym apparently used the obsolete MD5 hashing technology, making it straightforward to work out the corresponding passwords using a brute force attack and dictionary lookups.
Troy Hunt, the security researcher behind the haveibeenpwned breach notification website, warned over the weekend that PayAsUGym data appears to be circulating, with “more than 400k unique emails in there for UK customers”.
Hunt reposted a notice that admitted email addresses and passwords might have been breached. PayAsUGym, which says that it doesn’t store credit card numbers, has reset user passwords.
Password reuse is always a bad idea. Those users who reused their PayAsUGym password at other sites are particularly exposed to so-called credential-stuffing attacks, where hackers try passwords exposed at one site against other sites.
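The article says PayAsUGym used unsalted MD5 and that this made the passwords "straightforward to work out". The following is an added example, not PayAsUGym's code, showing why: a constructed dump of three accounts is reversed with one precomputed lookup table, and two users who share a password are exposed as such by their identical hashes. Beside it is a per-user-salted PBKDF2 scheme (standard library only; the storage format `pbkdf2_sha256$iterations$salt$hash` and the wordlist are assumptions for the demo) in which the same dump gives no shared table, so each record costs a full wordlist run of slow hashes.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a real dictionary.
WORDLIST = ["password", "123456", "letmein", "gym2016", "qwerty"]


def md5_hex(password):
    """The scheme the article describes: one unsalted MD5 per password."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5_dump(dump, wordlist):
    """dump maps email -> md5 hex. One table built from the wordlist
    reverses every record in a single pass, and identical hashes reveal
    shared passwords before any cracking happens at all."""
    table = {md5_hex(word): word for word in wordlist}
    return {email: table[h] for email, h in dump.items() if h in table}


def shared_password_groups(dump):
    """Emails whose hashes collide, i.e. users with the same password."""
    by_hash = {}
    for email, h in dump.items():
        by_hash.setdefault(h, []).append(email)
    return [emails for emails in by_hash.values() if len(emails) > 1]


def hash_password(password, salt=None, iterations=100_000):
    """Per-user random salt plus a deliberately slow KDF."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time compare


def crack_salted_dump(dump, wordlist):
    """No shared table is possible: every (record, word) pair is a separate
    KDF run. Returns the recovered passwords and the number of guesses."""
    found, guesses = {}, 0
    for email, stored in dump.items():
        for word in wordlist:
            guesses += 1
            if verify_password(word, stored):
                found[email] = word
                break
    return found, guesses


def make_md5_dump():
    """Constructed leak: two weak, reused passwords and one strong one."""
    return {
        "alice@example.test": md5_hex("gym2016"),
        "bob@example.test": md5_hex("gym2016"),
        "carol@example.test": md5_hex("Tr0ub4dor&3-not-in-list"),
    }


def make_salted_dump():
    return {email: hash_password(pw) for email, pw in [
        ("alice@example.test", "gym2016"),
        ("bob@example.test", "gym2016"),
    ]}


if __name__ == "__main__":
    md5_dump = make_md5_dump()
    print("md5 cracked   :", crack_md5_dump(md5_dump, WORDLIST))
    print("shared groups :", shared_password_groups(md5_dump))
    salted = make_salted_dump()
    print("salted cracked:", crack_salted_dump(salted, WORDLIST))
```

Salting does not rescue a password that is in the wordlist; "gym2016" still falls in the salted run. What changes is the economics: the MD5 dump is reversed with five hashes total, while the salted dump costs a full PBKDF2 run per guess per user, and the two users sharing a password are no longer linkable from the hashes alone. That is also why a credential-stuffing defender should treat an unsalted MD5 leak as plaintext.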
Luke Brown, VP and GM EMEA at Digital Guardian, said: “It’s easy to think that breaches from consumer sites like PayAsUGym do not affect businesses, but it’s certainly possible that some customers have used their business email address to sign up to these services. Using the compromised login details, hackers can attempt to hijack the email accounts, steal more data, and target the victims’ friends, family and place of work in advanced social engineering attacks.
“This highlights why it’s so important for businesses to make sure that employees can’t use the same password for their personal and professional accounts. Implementing a good password policy will ensure that these increasingly common login ‘dumps’ can’t be used to access or steal sensitive corporate information,” he added.
PayAsUGym offers flexible access to day passes, fitness classes and no-contract membership at over 2,200 UK gyms. The firm is yet to respond to a request from El Reg to confirm the number of breached records.