Facebook hacked, Java disabled

Facebook has been hacked and has disabled Java in its environment.

Facebook announced in a blog post that it was hacked after some of its employees visited an infected mobile developer website in January. It assures users that user data hasn’t been compromised in the security breach.

“They gained limited visibility into our systems,” Fred Wolens, a spokesperson for Facebook, said in an interview. “We’ve accelerated our program to disable Java in our environment.”

“The company explained in the blog post that the laptops that were infected were “fully patched” and ran the most up-to-date antivirus software prior to the infection. It is currently working with law enforcement to dig into the hack’s details. The malware came through another issue with Java, the programming language that Oracle recently patched to fix a number of other issues. The Department of Homeland Security even recommended that people uninstall Java since hackers were finding new holes often.”

“After analyzing the compromised website where the attack originated, we found it was using a ‘zero-day,’ previously unseen exploit to bypass the Java sandbox (built-in protections) to install the malware,” said Facebook in the blog post. “We immediately reported the exploit to Oracle, and they confirmed our findings and provided a patch on February 1, 2013, that addresses this vulnerability.”

Facebook has not specified who the attackers are, and it very well may not know. The company does, however, say that it was “not alone in this attack” and that it wanted to tell the world about this hack quickly so that others can start their own remediation.


Blowfish12@2013 blowfish12.tk Author: Sudharsun. P. R.


MyTalk network security breached

“Jambox wireless speaker creator Jawbone is singing the blues today. It alerted users early this morning to a hack on its MyTalk network that left names, email addresses, and encrypted passwords compromised.”

The MyTalk network is a platform where users can update, find and download apps for Jawbone devices. A customer has voluntarily reported that he received this message on Twitter. It reads: “Based on our investigation to date, we do not believe there has been any unauthorized use of login information or unauthorized access to information in your account.”

Jawbone says that the password that was taken was encrypted and none of “the actual letters and numbers in your password” were revealed, but hackers have ways to decrypt information.


Blowfish13@2013 blowfish12.tk Author: Sudharsun. P. R.

Was YOUR Yahoo password hacked? Here’s how to find out

Last night the news broke that Yahoo had a security breach and 435,000 usernames and passwords had been hacked. Particularly troubling? The login credentials are in plaintext, not even encrypted. The biggest question users have when this happens: have MY username and password been released?

A number of services can answer that. One is Should I Change My Password, which has two great features that differentiate it from some others.

One is the ability to check anonymously based on email address, which many people have as their username for online services. This is helpful, because you don’t have to enter your password into the service (which you don’t know if you can trust or not) to check if your password has, indeed, been compromised. Secondly, you can sign up to receive notifications in the future if your email address is ever involved in another hacking incident.

Simply go to Should I Change My Password and enter your email address.

The site automatically checks you against millions of emails and passwords leaked in numerous security breaches. If your email address is among those that have been hacked and released, this is what you’ll see. (I checked it myself with an old email address that I knew had been previously compromised.)

While investigating the breach and writing my story last night, I personally downloaded a few hundred thousand of the usernames and passwords and tried (unsuccessfully) to log into a number of Yahoo accounts.  This service can give you some confidence that others won’t be trying the same with your private accounts.


Blowfish12@2012 blowfish12.tk Author: Sudharsun. P. R.

Hackers post 450K credentials apparently pilfered from Yahoo

Credentials posted in plain text appear to have originated from the Web company’s Yahoo Voices platform. The hackers say they intended the data dump as a “wake-up call.”

Yahoo appears to have been the victim of a security breach that yielded hundreds of thousands of login credentials stored in plain text. The hacked data, posted to the hacker site D33D Company, contained more than 453,000 login credentials and appears to have originated from the Web pioneer’s network. The hackers, who said they used a union-based SQL injection technique to penetrate the Yahoo subdomain, intended the data dump to be a “wake-up call.”

“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat,” the hackers said in a comment at the bottom of the data. “There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”

The hacked subdomain appears to belong to Yahoo Voices, according to a TrustedSec report. Hackers apparently neglected to remove the host name from the data. That host name — dbb1.ac.bf1.yahoo.com — appears to be associated with the Yahoo Voices platform, which was formerly known as Associated Content.

Because the data is quite sensitive and displayed in plain text, Blowfish12 has elected not to link to the page, although it is not hard to find. However, the page size is very large and takes a while to load.

The disclosure comes at a time of heightened awareness over password security. Recent high-profile password thefts at LinkedIn, eHarmony, and Last.fm contributed to approximately 8 million passwords posted in two separate lists to hacker sites in early June. Yesterday, Formspring announced it had disabled the passwords of its entire user base after discovering about 420,000 hashed passwords that appeared to come from the question-and-answer site were posted to a security forum.


Blowfish12@2012 blowfish12.tk Author: Sudharsun. P. R.