December 22, 2014

Security Breach Roundup: Short Month, Many Breaches

For this month’s security breach roundup we once again have some big names in the news and perhaps the best headline you’ll ever read in this roundup.

A Six-Pack of Security Breaches

I love it when others make my job easier, as the fine folks at Ars Technica have with this piece under the headline, “Breaches galore as Cryptome hacked to infect visitors with malware.” (And no, that’s not the gem referenced above; that comes later.)

A breach that caused Cryptome to infect visitors with virulent malware was one of at least six attacks reported to hit high-profile sites or services in the past few days. Others affected included Ticketmaster, websites for Mexico and the state of Alabama, Dutch ISP KPN, and the Microsoft store in India.

Cryptome, a repository of leaked documents and other information concerning free speech, privacy and cryptography, was attacked by hackers who left code on its servers that attempted to infect visitors using Windows PCs with a trojan spawned by the Blackhole Toolkit, the website reported on Sunday.

Word of the compromise came as at least five other high-profile sites and services were also reported to have had their security breached. They include government websites for Mexico and the state of Alabama, the Dutch ISP KPN, the UK arm of Ticketmaster, and the Microsoft store in India. Members of the loosely organized hacker collective Anonymous reportedly took credit for a denial-of-service attack that took out US government’s CIA website and then backed away from the claim.

A Security Breach of the Sensitive Variety

Lots of people, we understand, visit…ahem…sites of the adult variety. But we’d also venture to guess that 99% of them would rather nobody know about it. So subscribers to one particular site were probably more than a little unnerved when they saw this headline from Gawker: YouPorn Security Breach Exposes Millions of Horny Users’ Emails and Passwords. (Yes, that’s the one.)

The Gawker story is amusing, but we’ll let the folks at Digital Journal tell the story:

A security breach has exposed the emails and passwords of thousands of users of the chat service of the popular pornographic site, an incident that might have caused embarrassment to some users of the site.

YouPorn in a statement has blamed a third-party chat service for “failing to secure the data.” International Business Times reports that Manwin Holding SARL, YouPorn’s parent company, said it has disabled the third-party chat service called “YP Chat.” Kate Miller, a spokesperson of Manwin, said the security breach was entirely the fault of the chat service provider and that YouPorn itself was not at fault. Miller attempted to reassure millions of its users, after the fact of leakage of their email addresses, saying, “YouPorn continues to ensure that all appropriate measures and tools are in place to maintain the security of its infrastructure, and to safeguard the privacy of its users.”

Gawker did check out some of the leaked logins and had this to say:

A brief look into the leaked logins did not reveal anyone stupid enough to register with a “.gov” email address, but it does reveal a lot of very stupid passwords—including fifteen that included the word “password.”

Apple Takes Heat over Photo Flap

Apple was also in the news this month when word got out that it’s possible for certain apps to copy photos from its devices – like, all of them. As The News Tribune reports:

The private photos on your phone may not be as private as you think.

Developers of applications for Apple’s mobile devices, along with Apple itself, came under scrutiny this month after reports that some apps were taking people’s address book information without their knowledge.

As it turns out, address books are not the only things up for grabs. Photos are also vulnerable. After a user allows an application on an iPhone, iPad or iPod Touch to have access to location information, the app can copy the user’s entire photo library without any further notification or warning, according to app developers.

It is unclear whether any apps in Apple’s App Store are illicitly copying user photos. Although Apple’s rules do not specifically forbid photo copying, Apple says it screens all apps submitted to the store, a process that should catch nefarious behavior on the part of developers.

University Exposes Thousands of Social Security Numbers

No security breach roundup would seem complete without a piece on a school. This month a university in Conn. obliges, as reported by the Hartford Courant:

A security breach in a computer at Central Connecticut State University has exposed Social Security numbers of students and of current and former employees to potential risk and misuse.

A computer in the business office became infected by a “Z-Bot” virus, which exposed 18,275 Social Security numbers, said James Estrada, the university’s chief information officer.

The university said it was matching numbers with names and addresses Thursday, and will contact each person who was exposed.

CIO Magazine Lists Worst Security Breaches of the Century

Although we’re not all that far into it, CIO magazine nonetheless took it upon itself to list the 15 worst breaches of the 21st century. Our friends at Gawker came in at no. 9 and we’re sure you’ll recognize many of the others.
