In case you missed our coverage this week in ThreatWatch, Nextgov’s regularly updated index of cyber breaches:
A hacker grabbed a hoard of credentials and profiles from the specialty dating site Muslim Match and posted the data online, along with more than half a million private messages between users.
In addition, technologist Thomas White, otherwise known as TheCthulhu, has released the full dataset publicly, for anyone to download.
Launched in 2000, Muslim Match is a free site aimed at people looking for companionship or marriage.
The attacker may have used SQL injection, an old but still commonly effective website attack, to obtain the data, judging by the format of the leaked files.
“I feel disappointed but the site didn't seem to be secure in the first place. They never used https,” Zaheer, a Muslim Match user, said in an email, referring to the protocol that encrypts web traffic, including the login pages where passwords are submitted.
Using information within the dataset, Motherboard was able to link private messages with specific users. By cross-referencing the different files, it was possible to find out the username of the person who sent the message, as well as their logged network address and their password, protected only by the weak MD5 hash, which is easily cracked.
The data includes whether each user is a convert or not, their employment, living and marital status, and whether they would consider polygamy.
One file also contains around 790,000 private messages sent between users, which deal with everything from religious discussion and small talk to marriage proposals.
Judging by network addresses, the victims are based all over the world, including the U.K., Pakistan and United States.
The lesson here: A site let its users down by not taking security very seriously (the lack of HTTPS stands out). Users should scrutinize a service they intend to use before registering: Does it use encryption on login screens? Is it a forum based on a vulnerable piece of software like IP.Board?
Criminals are using a massive network of hacked CCTV security cameras to crash computers around the world.
The 25,000-strong botnet may be the largest found yet. Security firm Sucuri discovered the extent of the evil web while investigating an online "distributed denial of service," or DDoS, assault against an ordinary jewelry store.
Around a quarter of the zombie cameras were located in Taiwan, with another 12 percent in the United States and just under 10 percent in Indonesia. In all, infected systems in 105 countries were used in the attacks.
An early analysis of how the cameras were hacked points the blame at a security hole in DVR boxes used by many CCTV cameras. The vulnerability was discovered in March. But CCTVs are not high on the patching priority list of most people.
The jewelry shop's website was knocked offline after drowning in tens of thousands of HTTP requests per second.
As Sucuri attempted to thwart the network tsunami, the botnet stepped up its output and fired even more requests per second at the store's website.
When Sucuri dug into the source of the bogus network traffic, it found the requests were all coming from internet-connected CCTV cameras – devices that had been remotely hacked by miscreants to attack other systems.
"It is not new that attackers have been using [internet of things] devices to start their DDoS campaigns, however, we have not analyzed one that leveraged only CCTV devices and was still able to generate this quantity of requests for so long," said Daniel Cid, an executive at Sucuri.
The Hard Rock Hotel & Casino in Vegas disclosed June 27 that malware placed on the resort’s payment-card system resulted in the compromise of customer data.
The rock ‘n’ roll-themed casino said the unauthorized intrusions were identified in May after the company received reports of cards being used fraudulently.
The company said the card-scraping malware accessed data including cardholder name, card number, expiration date and internal verification code, in some cases.
The number of potential cards impacted wasn’t immediately disclosed.
Google chief Sundar Pichai appears to have fallen victim to OurMine, which broke into Facebook boss Mark Zuckerberg’s Twitter and Pinterest accounts last month.
The three-man hacker outfit has been posting messages on question-and-answer site Quora through Pichai’s account; it’s also connected to his Twitter account and as a result, OurMine was able to publicize the hack to all 508,000 of Pichai’s followers.
It isn’t clear how the group is gaining access to the accounts of its targets, who largely are tech execs.
The group claims it uses various exploits to pull passwords from celebrities’ browsers.
"OurMine is attempting to rebrand itself as a ‘security firm’ and offering its support to those it targets so that these incidents don’t occur again. It’s probably not the best way to garner your potential customers’ trust, but that’s the way OurMine seems to enjoy doing business," The Next Web reports.
OurMine later said it was only conducting a test: “We are just testing people security (sic), we never change their passwords, we did it because there is other hackers can hack them and change everything.”
The group also noted it managed to slip into Pichai’s account by exploiting a vulnerability in Quora’s platform – one it claims to have reported to the company, to no avail.
Quora said in a statement it doesn’t believe a weakness in its platform led to the breach:
"We are confident that Sundar Pichai’s account was not accessed via a vulnerability in Quora’s systems. This is consistent with past reports where OurMine exploited previous password leaks on other services to gain access to accounts on Twitter or Facebook. We also have no record of a report by OurMine pointing to a vulnerability. We recommend that people use unique passwords for accounts on different services, so that a security breach on one service does not lead to attackers gaining access to accounts on other services. Safeguarding our users is very important to us, which makes security at Quora one of our highest priorities."
(Image via Flickr user Mark Richardson)