The ‘Worst Week’ award goes to James Howells, who this week realized he threw away a hard drive with 7,500 Bitcoins worth over $7.5 million in current BTC value. Read about his million dollar fumble, the still-unfolding Vodafone breach, new NSA snooping and more in this week’s edition of The Week in AppSec.
Microsoft Takes Extra Anti-Snooping Measures
In this week’s NSA drama, the agency has royally pissed off Microsoft after new documents got out suggesting that the agency could have tapped into the company’s fiber optic cables and collected data. The company is stepping up its encryption practices in response.
An email from Britain’s Global Communications Headquarters (GCHQ) to the NSA suggested that Microsoft may have been spied on with the same programs that accessed Yahoo and Google’s internet traffic. While it’s not known for sure if the NSA did tap in or not, it would come as no surprise. Details of the NSA’s MUSCULAR program previously revealed that the agency, with GCHQ help, gained access to the powerful and private networks of Yahoo and Google by intercepting the Web connections and traffic that link their data centers.
The new revelations are a slap in the face to Yahoo and Google, and now possibly Microsoft, all of which were previously revealed to have been assisting the NSA by providing volumes of photo, video, communications and more data. NSA has refuted the claim that they snooped, saying they would never pick up communications “that are not of bonafide foreign intelligence interest to the U.S. government.”
Major tech companies have responded to the NSA leaks by unifying under the umbrella of the USA Freedom Act, a piece of legislation that would curtail NSA surveillance and demand more transparency of intelligence programs.
Read more: http://www.washingtonpost.com/business/technology/microsoft-suspecting-nsa-spying-to-ramp-up-efforts-to-encrypt-its-internet-traffic/2013/11/26/44236b48-56a9-11e3-8304-caf30787c0a9_story.html
Data Breach in Iceland Exposed Personal Data of Over 77,000
The last day of the month saw yet another major data breach, this time affecting the Iceland branch of the phone company Vodafone.
User names, the Icelandic equivalent to social security numbers, encrypted passwords and other encoded data were placed in a 61.7MB RAR file. The file has a number of different lists offering different data, including a few with the nulled data of credit card numbers.
The site was infiltrated by a group of Turkish hackers who call themselves Maxn3y. The hackers, who go by the name @AgentCoOfficial on Twitter, tweeted their find on November 30th, and have seemingly been running their own PR campaign by re-tweeting all the articles about their hacking success.
IT Pro Threw Out $7.5 Million in Bitcoins
An IT professional was kicking himself hard this week after realizing he threw out a hard drive holding over 7,500 Bitcoins. James Howells, who tossed the hard drive after cleaning house this summer, realized that it held a digital wallet from 2009.
Bitcoin values passed $1,000 this week for the first time, making his stash worth over $7.5 million. The hard drive contained the cryptographic key Howells needs to access and spend the cryptocurrency. He had been mining Bitcoins using a program, and within one week had accumulated at least 7,500 that would have been worth about $7,500 when first mined nearly 5 years ago.
Howells told The Guardian that he stopped mining when his girlfriend complained that the laptop was too noisy and hot when the mining program was running. After the laptop later broke, he dismantled it into usable parts and threw the hard drive in a drawer. That hard drive is now believed to be in a Wales landfill, and though Howells has visited the fill, he does not think he’ll be able to recover it.
“I’m at the point where it’s either laugh about it or cry about it,” Howells told the newspaper.
Ruby on Rails Exploit Discoverer Warns of Thousands of Vulnerable Sites
A white-hat hacker found that at least 2,000 websites are vulnerable to an Insufficient Session Expiration exploit – and that number is just out of the 90,000 he tested personally.
The vulnerability is a byproduct of Ruby on Rails never fully ending a user session and storing the user’s session cookies indefinitely on the client side. It is especially problematic when the same computer is used by lots of different people, such as in internet cafés and libraries. Another big issue is that the data isn’t well encrypted, which makes for an easy XSS attack.
Some recognizable sites include Fivrr.com, Kickstarter.com, Jango.com, and many more. G.S. McNamara suggests switching to a different cookie storage tool and upgrading to newer versions of Ruby on Rails, which at least encrypt the user data.
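To make the difference between the two storage designs concrete, here is an added example (not code from Rails or from McNamara's research) that models a session held entirely in a signed cookie next to one held on the server, and checks whether a cookie value copied before logout is still accepted afterwards. The module and class names, the secret and the `user_id` value are all constructed for illustration.

```ruby
require "openssl"
require "json"
require "securerandom"

SECRET = "constructed-demo-secret" # constructed value, not a real key

# Simplified client-side session: all state lives in an HMAC-signed cookie.
module SignedCookieSession
  def self.sign(payload)
    OpenSSL::HMAC.hexdigest("SHA256", SECRET, payload)
  end

  def self.issue(data)
    payload = [JSON.generate(data)].pack("m0") # base64, no newlines
    "#{payload}--#{sign(payload)}"
  end

  # Returns the session hash when the signature verifies, otherwise nil.
  def self.load(cookie)
    payload, sig = cookie.to_s.split("--", 2)
    return nil unless payload && sig && sig.bytesize == 64
    diff = sign(payload).bytes.zip(sig.bytes).reduce(0) { |a, (x, y)| a | (x ^ y) }
    diff.zero? ? JSON.parse(payload.unpack1("m0")) : nil
  end
end

# Server-side session: the cookie carries only a random id; state stays on the server.
class ServerSideSessions
  def initialize
    @store = {}
  end

  def issue(data)
    SecureRandom.hex(16).tap { |sid| @store[sid] = data }
  end

  def load(sid)
    @store[sid]
  end

  def logout(sid)
    @store.delete(sid)
  end
end

# Checks a cookie value copied before logout against both designs.
def replay_after_logout
  captured = SignedCookieSession.issue("user_id" => 42)
  # Logout here can only ask the browser to drop its copy; the server has nothing to revoke.
  sessions = ServerSideSessions.new
  captured_sid = sessions.issue("user_id" => 42)
  sessions.logout(captured_sid) # the server forgets the id
  { client_side: SignedCookieSession.load(captured), server_side: sessions.load(captured_sid) }
end
```

The signed cookie still loads as a valid session after logout because its signature never stops verifying, while the server-side id resolves to nothing once the server has deleted it.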