
The sad story of the bitcoin exchange MtGox

That, in English, is the title of a post I wrote about bitcoin and MtGox on my new English-language blog, https://anders.io. MtGox went from being a trading site for Magic: The Gathering cards to being a trading site for bitcoin, and fairly soon an exchange with big problems.

If you want to know more about MtGox, and perhaps also get a somewhat deeper insight into how bitcoin works, I think you should work your way through the post, with the caveat that it is fairly long. 🙂

Huge leak of Apple device unique IDs and APNS tokens

Recently, I saw a post on pastebin regarding leaked Apple device IDs. The hackers said they got the file from a laptop belonging to an FBI employee:

During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team, was breached using the AtomicReferenceArray vulnerability in Java. During the shell session some files were downloaded from his Desktop folder; one of them, with the name ”NCFTA_iOS_devices_intel.csv”, turned out to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UUID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. The personal details fields referring to people appear many times empty, leaving the whole list incomplete in many parts. No other file in the same folder makes mention of this list or its purpose.

The file ”NCFTA_iOS_devices_intel.csv” is said to contain over 12 million unique device identifiers and user data for iOS devices; the file that was actually released contains 1 million records. What the pastebin calls a UUID is Apple's UDID (Unique Device Identifier), a 40-character hexadecimal string assigned to each device. It is used for identifying the device, and many app developers use it to identify the device/user.

The list looks something like this:

That in itself doesn't contain much ”dangerous” information; however, the interesting thing is where the hackers, or the FBI/NCFTA (National Cyber-Forensics & Training Alliance), got it. I'd generally say that this information could have been fetched from some hacked app developer, since they usually store that kind of info on their servers. Perhaps they got it from some hacker they arrested? Or some developer handed it over?

Security expert Peter Kruse reported on Twitter that the data is genuine: he found three of his own devices in the list.

The list also contains APNS (Apple Push Notification Service) tokens, which are used for push notifications on iOS devices. I am uncertain if it's enough to have the device ID and the APNS token in order to read the push notifications for any device. If any reader knows, please let me know!

Looking at the data, there seem to be some interesting device names; however, keep in mind that anyone can name their device whatever they like:

carlos.ferreira@govcv.gov.cv
mbarth@utah.gov
USAEO-Aaron.Price@usdoj.gov
Government Official’s iPod
Governor’s iPad
Governor’s iPad
Forensic3GiPad
Forensic iPad
Forensic iPhone
Forensics
TACTICAL FORENSIC SOLUTIONS
A. Castillo Law Office
Chief Excecutive Officer’s iPad
Law Offices of Jannette Mooney’s iPad
Port Moresby Duty Officer iPad
Riot Officer’s iPad
The Law Office of Yariv Katz, P.C.’s iPad

Without more info, it's very hard to tell where the list originally came from, or what its purpose is. Time will tell, and hopefully we'll get some more info soon. Also, keep in mind that the people who leaked this also said the original list contained much more info (addresses, phone numbers, etc.).

Some report that the data might have been acquired in a raid on Instapaper servers.

There seem to be quite a few devices from Asia in the list. The top 10 device names are:

1140 – PdaTX.Net
1196 – Administrator’s iPhone
1309 – Administrator’s iPad
1414 – 이지윤의 iPhone
1453 – iPhone
1534 – Owner’s iPad
2202 – “Administrator”的 iPhone
3136 – “Administrator”的 iPad
5141 – iPod touch
42790 – iPhone

Since the list also contains the device type, here is how it’s distributed:

iPod touch: 6%
iPhone: 35%
iPad: 59%

So, if this list comes from an app developer, it sure seems like the app is most popular on the iPad.
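The device-type and device-name counts above are easy to reproduce from a CSV like this one, and it is also worth validating the identifier columns before trusting a dump at all: a real UDID is 40 hex characters and an APNS device token is 32 bytes (64 hex characters), so rows that don't fit are noise. The following Python script is an added example, not code from the original post; the column order and header names are an assumption (the pastebin only lists the fields), and every row in the sample is constructed and corresponds to no real device.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample. The pastebin lists UDID, APNS token, device name and
# device type as fields; the real column order and header are not visible
# in the post, so this layout is an assumption. Every value below is made up
# and corresponds to no real device.
_SAMPLE_DEVICES = [
    ("iPhone", "iPhone"), ("iPhone", "iPhone"),
    ("Governor's iPad", "iPad"), ("Administrator's iPad", "iPad"),
    ("Administrator's iPad", "iPad"), ("Forensic iPad", "iPad"),
    ("someone@example.gov", "iPad"), ("Owner's iPad", "iPad"),
    ("iPod touch", "iPod touch"),
]

def build_sample_csv():
    lines = ["udid,apns_token,device_name,device_type"]
    for i, (name, dtype) in enumerate(_SAMPLE_DEVICES, start=1):
        # zero-padded hex of the right width stands in for real identifiers
        lines.append(f"{i:040x},{i:064x},{name},{dtype}")
    # one deliberately malformed row: the UDID is far too short
    lines.append(f"deadbeef,{99:064x},Broken row,iPhone")
    return "\n".join(lines) + "\n"

UDID_RE = re.compile(r"^[0-9a-f]{40}$")  # Apple UDID: 40 hex characters
APNS_RE = re.compile(r"^[0-9a-f]{64}$")  # APNS device token: 32 bytes, hex-encoded

def parse_records(text):
    """Return (well-formed rows, rejected rows). Rows whose UDID or APNS token
    does not have the expected shape are kept aside rather than counted."""
    good, bad = [], []
    for row in csv.DictReader(io.StringIO(text)):
        udid = (row.get("udid") or "").strip().lower()
        token = (row.get("apns_token") or "").strip().lower()
        if UDID_RE.match(udid) and APNS_RE.match(token):
            good.append({**row, "udid": udid, "apns_token": token})
        else:
            bad.append(row)
    return good, bad

def device_type_share(records):
    """Percentage of each device type, rounded to whole percent."""
    counts = Counter(r["device_type"] for r in records)
    total = sum(counts.values())
    return {k: round(100 * v / total) for k, v in counts.items()}

def top_device_names(records, n=10):
    return Counter(r["device_name"] for r in records).most_common(n)

def email_like_names(records):
    """Device names that look like e-mail addresses (worth a second look,
    but remember anyone can name a device anything)."""
    return [r["device_name"] for r in records if "@" in r["device_name"]]

if __name__ == "__main__":
    good, bad = parse_records(build_sample_csv())
    print(len(good), "valid rows,", len(bad), "rejected")
    print(device_type_share(good))
    print(top_device_names(good, 3))
    print(email_like_names(good))
```

Run against the real file the same three functions give the distribution and top-10 list quoted above; the rejected-row count is a quick sanity check on whether a dump has been tampered with or padded.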

Update: They say they got the list from using a Java exploit in March, and as ErrataRob points out, this coincides with that exploit being used, and a possible targeted attack on a leaked list of agents and agencies trying to track hackers.

55,000 hacked Twitter accounts leaked… or?

Recently, Prabakaran Santhanam reported that 55,000 Twitter accounts had been leaked from a hack.

Update: I checked some accounts, and the e-mail-based ones seem to originate from the June 2011 leak by Lulzsec.
When looking at the spam accounts, Google suggested this site as a possible original source for at least a bunch of them… ;P

For updates on this, and other programming/security stuff, follow me on Twitter: @nilssonanders

I took a look at the files, and gathered some statistics!

There are 58,973 lines in total across all of the files (including blank lines).

If we remove all the duplicate accounts, we end up with 34,062 unique accounts, a handful of which are obviously incorrect judging by the data.

There are two kinds of accounts in the list: ones with a user name (e.g. ”Hayleyjsvze”) and ones with an e-mail address (e.g. ”something@hotmail.com”). On Twitter you can log in with either your user name or your e-mail, so that could be the reason there are two different kinds… or?

Of the 34,062 unique accounts, 25,068 seem to be e-mail addresses. Those accounts look ”real”: they all seem to have ”regular” passwords (simple words, numbers). The rest, the ones that aren't based on an e-mail address, all seem to be spam accounts. They have few, if any, posts, follow many others, but have very few followers of their own. And they all have random 8-character passwords…

Now, looking back to the real accounts, here are some statistics from the e-mails used for the accounts:

Total number of accounts: 34,062
Total number of e-mails: 25,068 (where a few are incorrect, or contain typos)
Domain "hotmail.com": 15,777
Domain "gmail.com": 2,193
Total NOT using ".com": 6,046 (but a handful of invalid e-mails in there too)
Total using ".com.br": 5,736

So, almost 95% of the country-specific e-mails are from Brazil (.com.br)! And of the ”55,000” accounts, about 9,000 seem to be Twitter spam accounts…

I think this is probably the result of either a leak from a big hacked Brazilian website, or Brazil-targeted phishing, combined with 9,000 Twitter spam accounts.

I haven't verified any of the accounts (of course!), so it IS possible that the e-mail/password pairs are valid for the e-mail accounts themselves rather than for Twitter…
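The sorting done above (dedupe, split e-mail accounts from user-name accounts, count domains and country-specific TLDs, and flag the user-name accounts whose passwords look machine-generated) is the sort of thing you want scripted so it can be rerun when more files surface. This Python script is an added example and not the script used for the numbers above; the dump lines in it are constructed and contain the same kinds of noise (a duplicate, a blank line, a line with no password, a malformed address) that real leak files tend to have. The ”generated password” heuristic (exactly 8 alphanumerics with upper, lower and digit mixed) is my own assumption about what a bulk account creator emits.

```python
import re
from collections import Counter

# Constructed sample in the "account:password" shape of the dump; every entry
# is made up. It deliberately contains a duplicate, a blank line, a line with
# no password and a malformed e-mail, since the real files had such noise.
SAMPLE_LINES = """\
joao.silva@hotmail.com:123456
maria@hotmail.com.br:amor2010
carlos@bol.com.br:102030
ana@gmail.com:123456789
joao.silva@hotmail.com:123456
pedro@terra.com.br:brasil
Hayleyjsvze:Xk7pQ2mZ
Brandonqwzx:aR9tLp3W
not-an-email:
user@@broken:pw

Tomqzpx:Qw8rTy2U
""".splitlines()

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def looks_generated(pw):
    """Heuristic (an assumption, not from the post) for the spam accounts:
    exactly 8 alphanumerics with upper, lower and digit mixed."""
    return (re.fullmatch(r"[A-Za-z0-9]{8}", pw) is not None
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))

def analyse_dump(lines):
    creds, invalid = {}, []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        account, sep, password = line.partition(":")
        if not sep or not account or not password:
            invalid.append(line)
            continue
        creds.setdefault(account.lower(), password)  # first occurrence wins
    emails = {a: p for a, p in creds.items() if EMAIL_RE.match(a)}
    malformed = [a for a in creds if "@" in a and a not in emails]
    usernames = {a: p for a, p in creds.items()
                 if a not in emails and a not in malformed}
    domains = Counter(a.rsplit("@", 1)[1] for a in emails)
    return {
        "total_lines": len(lines),
        "invalid_lines": len(invalid),
        "unique_accounts": len(creds),
        "email_accounts": len(emails),
        "malformed_emails": len(malformed),
        "username_accounts": len(usernames),
        "generated_passwords": sum(looks_generated(p) for p in usernames.values()),
        "top_domains": domains.most_common(3),
        "not_dot_com": sum(n for d, n in domains.items() if not d.endswith(".com")),
        "dot_com_br": sum(n for d, n in domains.items() if d.endswith(".com.br")),
    }

if __name__ == "__main__":
    for key, value in analyse_dump(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Note that a hotmail.com.br address is counted as country-specific and not as ”.com”, which is the split used in the figures above; change the two `endswith` checks if you want a different breakdown.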

Now… looking back at the spam accounts… many of them have already been suspended by Twitter, but here are some that are currently working:

Notice how they all have a generic profile image, screen name and full name. Also, they all follow a big bunch of people and have a few followers of their own… and… they all retweeted the @Swagstro account…

Also, looking at their followers:

They follow roughly the same accounts (at least some random ones), with the top account always being @Cyberopz.

There's definitely something more to this leak than just a generic hacked website… weird that they combined spam accounts and regular ones… We'll see what else there is to find out about this. 🙂

Update:

I also did a quick Pipal run of the e-mail based accounts:

Total entries = 37058
Total unique entries = 21215

Top 10 passwords
123456 = 688 (1.86%)
123456789 = 258 (0.7%)
102030 = 92 (0.25%)
123 = 86 (0.23%)
12345 = 74 (0.2%)
1234 = 67 (0.18%)
242424 = 41 (0.11%)
101010 = 40 (0.11%)
12345678 = 38 (0.1%)
010203 = 35 (0.09%)

Top 10 base words
bruno = 47 (0.13%)
junior = 44 (0.12%)
carlos = 43 (0.12%)
brasil = 38 (0.1%)
sexo = 38 (0.1%)
amor = 36 (0.1%)
daniel = 36 (0.1%)
alex = 36 (0.1%)
rafa = 33 (0.09%)
jesus = 33 (0.09%)

(full statistics available here)

The top base words also really suggest that this leak originated in Brazil.

Update: As I reported yesterday, it seems like this list consists of old hacked accounts from last summer, and some spam-accounts with random passwords.

Thousands of hacked Twitter accounts spamming malware-links

Today at 08:49 CET, over 1,600 Twitter accounts started spreading spam links, and the numbers are still increasing.

When they started, they first linked to Viagra spam. After a while, the server they linked to stopped serving pages. Now they have started linking to an exploit page instead (at tw1.su first, but it has since changed again).

The spam tweets consist of a random word, a link, and some antivirus-related search term: ”excellent anti-virus”, ”check for viruses 2012”, or, as in the picture below, ”proven antivirus”:

At the time of writing, I have seen 45,810 tweets from 1,997 unique Twitter accounts, and the count is still increasing. It's rather common for hacked accounts, be it Facebook, Twitter or e-mail, to be used for spamming, but when it's done like this it's not really sophisticated, just mass spamming. The content makes it rather obvious that it's not sent by the real account holder. The number of accounts involved, though, is really interesting!

It's always important to make sure you don't ”lose” the password to your e-mail and social media accounts. This applies to everyone, not just ”important” people with lots of followers. Your account is a part of your life and lifestyle, and it's a bridge to other people. Trust is important, and there's always a risk that you or someone else will get hurt, even if a bunch of spam tweets doesn't seem so bad.

Update 14:49 CET: Currently the statistics are up to 57,860 tweets and 2,179 unique Twitter accounts.

Update April 20th, 2012 at 12:23 CET: I just rechecked my statistics after all of this, and I've seen 77,232 tweets from 2,306 users.
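The signature described above (a link plus one of a handful of antivirus search phrases) is specific enough to count the wave from a tweet stream without false positives from people genuinely talking about antivirus software. The Python script below is an added example, not the tooling behind the figures above; the tweet timeline in it is constructed (tw1.su is the domain named in the post, the accounts and texts are made up), and the `until` argument reproduces the ”update” style running tallies.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Search phrases seen in the spam tweets described above
AV_PHRASES = ("excellent anti-virus", "check for viruses 2012", "proven antivirus")
URL_RE = re.compile(r"https?://\S+")

def is_spam_tweet(text):
    """Matches the signature described above: a link plus one of the
    antivirus search phrases (the random leading word is ignored)."""
    lowered = text.lower()
    return bool(URL_RE.search(lowered)) and any(p in lowered for p in AV_PHRASES)

# Constructed sample timeline: (timestamp, account, tweet text). tw1.su is the
# domain named in the post; the accounts and texts are made up.
SAMPLE_TWEETS = [
    ("2012-04-19 08:49:02", "alice_real", "blossom http://tw1.su/abc excellent anti-virus"),
    ("2012-04-19 08:49:10", "bob_r", "garden http://tw1.su/xyz proven antivirus"),
    ("2012-04-19 08:50:00", "carol", "good morning everyone, coffee time"),
    ("2012-04-19 08:50:30", "alice_real", "river http://tw1.su/def check for viruses 2012"),
    ("2012-04-19 09:01:00", "dave", "wrote about antivirus benchmarks http://example.org/post"),
    ("2012-04-19 14:30:00", "erin", "pebble http://example.net/r proven antivirus"),
]

def summarize(tweets, until=None):
    """Running tally of the wave: matching tweets, distinct accounts and the
    link domains, optionally only up to a timestamp (ISO strings sort lexically)."""
    matched = [(ts, acct, txt) for ts, acct, txt in tweets
               if is_spam_tweet(txt) and (until is None or ts <= until)]
    domains = Counter(urlparse(m.group(0)).netloc
                      for _, _, txt in matched
                      for m in URL_RE.finditer(txt.lower()))
    return {
        "tweets": len(matched),
        "accounts": len({acct for _, acct, _ in matched}),
        "per_account": Counter(acct for _, acct, _ in matched),
        "domains": domains,
        "first_seen": matched[0][0] if matched else None,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_TWEETS, until="2012-04-19 09:00:00"))
    print(summarize(SAMPLE_TWEETS))
```

The domain counter is the part worth watching when the spammers rotate hosts, as they did here: a new domain appearing under the same phrase set is the cue to re-check what the link serves.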

 

Linode administrator account hacked – Massive amount of stolen online BitCoin currency

 

I recently saw a blog post by Marek Palatinus reporting that a Linode administrator account had been hacked and that their internal customer support interface was used by the hacker to access customer accounts.

We were alerted to the suspicious activity and have identified and corrected the issue. Our investigation has revealed a customer support interface was used to access your account. The compromised credentials have been restricted and we are discussing policy changes to prevent this from recurring.

According to this forum thread, other accounts on Linode were also targeted and had bitcoin wallets worth several thousand dollars stolen.

If these reports are correct, it would probably mean that the attacker had essentially unlimited access to most Linode customers' data through that support interface.

Update: Linode has confirmed the breach and said that 8 accounts dealing with bitcoins were specifically targeted.

YouPorn chat leak infographics


Related:

Blog: YouPorn chat leaks millions of accounts
Podcast: The YouPorn Chat Scandal

I decided to create some infographics from the YouPorn chat leak. Please note that, because the source log files were somewhat harder than average to parse (and I had zero time available), the data used for this might not be one hundred percent correct. However, given the large sample size, I don't expect the exact numbers to differ much, if at all.

>> Follow me on Twitter for more IT-security news and fun stuff <<

Please feel free to use and abuse these infographics in any way you want, as long as you credit me, preferably with a link to my Twitter account.

(also available as .PDF)

Password statistics for leaked YouPorn passwords

Here are some interesting statistics for the leaked YouPorn passwords. Please note that the passwords were filtered VERY quickly, so there might be some duplicate/weird data in the set, but the top lists should be fine at least… 😉

 

YouPorn password statistics (@nilssonanders)

Total entries = 3026016
Total unique entries = 838255

Top 10 passwords
123456 = 72915 (2.41%)
123456789 = 18996 (0.63%)
12345 = 13018 (0.43%)
1234 = 9269 (0.31%)
password = 8380 (0.28%)
qwerty = 6192 (0.2%)
12345678 = 5976 (0.2%)
1234567 = 5393 (0.18%)
123 = 5103 (0.17%)
111111 = 4615 (0.15%)

Top 10 base words
password = 11733 (0.39%)
qwerty = 8338 (0.28%)
youporn = 5162 (0.17%)
pussy = 3542 (0.12%)
ficken = 3144 (0.1%)
fuckyou = 2769 (0.09%)
hallo = 2632 (0.09%)
liverpool = 2585 (0.09%)
sexy = 2482 (0.08%)
love = 2415 (0.08%)

Full Pipal statistics available here.
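The two tables above (and the Twitter ones earlier on this page) are the ”top passwords” and ”top base words” sections of Pipal's report. The Python script below is an added example that reproduces those two sections, not Pipal itself and not the script used for the numbers above. The base-word rule is my approximation of Pipal's (lower-case, strip leading and trailing digits and symbols, ignore anything shorter than three letters), and the account:password lines it runs on are constructed, not taken from either leak.

```python
import re
from collections import Counter

def base_word(password):
    """Approximation of Pipal's base word: lower-case the password and strip
    leading/trailing digits and symbols; anything shorter than 3 letters is
    dropped (pure numbers such as 123456 therefore have no base word)."""
    word = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return word if len(word) >= 3 else None

def password_stats(passwords, top=10):
    """Totals, unique count and the two Pipal-style top lists, each entry as
    (value, count, percentage of all entries)."""
    total = len(passwords)
    counts = Counter(passwords)
    bases = Counter(b for b in map(base_word, passwords) if b)
    def table(counter):
        return [(w, n, round(100 * n / total, 2)) for w, n in counter.most_common(top)]
    return {"total": total, "unique": len(counts),
            "top_passwords": table(counts), "top_base_words": table(bases)}

def passwords_from_dump(lines):
    """Pull the password out of account:password lines; lines with no
    password (or no separator) are skipped rather than counted as empty."""
    out = []
    for line in lines:
        _, sep, pw = line.strip().partition(":")
        if sep and pw:
            out.append(pw)
    return out

SAMPLE_DUMP = [  # constructed, not from either leak
    "a@example.com:123456", "b@example.com:123456", "c@example.com.br:123456",
    "d@example.com:123456789", "e@example.com.br:bruno123", "f@example.com:Bruno2011",
    "g@example.com.br:amor", "h@example.com:amor1", "i@example.com.br:jesus2010",
    "j@example.com:102030", "k@example.com:qwerty", "broken line without password:",
]

if __name__ == "__main__":
    stats = password_stats(passwords_from_dump(SAMPLE_DUMP), top=5)
    print("Total entries =", stats["total"])
    print("Total unique entries =", stats["unique"])
    for section in ("top_passwords", "top_base_words"):
        print("\n" + section.replace("_", " ").capitalize())
        for value, n, pct in stats[section]:
            print(f"{value} = {n} ({pct}%)")
```

Percentages are of all entries, not of unique ones, which is how Pipal reports them; that is why ”123456” at 2.41% of three million YouPorn entries is a much bigger number than it first looks.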


Porn site coders expose user info of millions

 

Related:
Infographics: YouPorn Chat Statistics
Podcast: The YouPorn Chat Scandal

 

I was contacted by Alltid Nyheter, from Swedish public service radio, regarding a thread on Flashback.org, Sweden's largest web forum. User info for well over a million registered users was openly accessible on YouPorn's chat site until the server was taken down yesterday.

 

The exposed information consists of e-mail addresses and passwords. This information can be used to identify porn consumers, but for some users more than their reputation is at stake.

It is common knowledge that even today a surprisingly large portion of Internet users use the same passwords for many (or all) of the services they use on the Internet, whether it is e-mail accounts, Facebook, PayPal, or other services.

For a security professional it is baffling how coders working on a website with such sensitive content can make mistakes of this magnitude. Allegedly, hundreds of megabytes of data have been secured by people with unknown goals. Cyber criminals can easily go through these e-mail addresses, match them with the passwords and gain access to e-mail accounts. Once in, they can obtain even more sensitive information to use in phishing attacks, theft or fraud.

It is difficult not to compare this case with the hacking of porn site Brazzers earlier this year, even though in this case the site wasn’t hacked.

Looking at the data, it seems a careless programmer accidentally(?!) left debug logging enabled, writing to a publicly accessible URL, as early as November 2007, and it has been storing every registration (e-mail address and password in clear text) ever since.

Yesterday it was found, probably by ”accident”, by someone sweeping websites for publicly accessible but non-linked (”hidden”) folders, looking for either porn or sensitive material like this, and they struck gold.
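Two separate mistakes combine here: the log lives under the web root, where a static-file handler serves it to anyone who guesses the path (no link needed), and it records the password itself. The Python below is an added example of both the mistake and the fix and is not YouPorn's code; the paths, the credentials and the ”static handler” are all constructed for the demonstration. The hardened variant writes its log outside the document root, redacts the secret, and stores only a salted PBKDF2 hash, so that even a leaked log or user table does not hand out reusable passwords.

```python
import hashlib
import os
import secrets
import tempfile
from datetime import datetime, timezone

def serve_static(docroot, url_path):
    """Stand-in for a web server's static handler: any file under docroot is
    served whether or not something links to it, which is exactly why a log
    written there is public. Paths escaping docroot are refused."""
    root = os.path.realpath(docroot)
    full = os.path.realpath(os.path.join(root, url_path.lstrip("/")))
    if not full.startswith(root + os.sep) or not os.path.isfile(full):
        return None
    with open(full) as fh:
        return fh.read()

def _stamp():
    return datetime.now(timezone.utc).isoformat()

# The mistake: registration debug output appended to a file inside the web
# root, with the credentials in clear text. (Hypothetical path; the real
# URL is not given in the post.)
def register_vulnerable(docroot, email, password):
    os.makedirs(os.path.join(docroot, "chat"), exist_ok=True)
    with open(os.path.join(docroot, "chat", "debug.log"), "a") as log:
        log.write(f"{_stamp()} register email={email} password={password}\n")
    return {"email": email, "password": password}  # stored as-is too

# The fix: log outside the document root, never log the secret, and store
# only a salted PBKDF2 hash so a future leak still does not yield passwords.
PBKDF2_ROUNDS = 200_000

def register_hardened(logdir, email, password):
    os.makedirs(logdir, exist_ok=True)
    with open(os.path.join(logdir, "register.log"), "a") as log:
        log.write(f"{_stamp()} register email={email} password=[redacted]\n")
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"email": email, "salt": salt.hex(), "hash": digest.hex()}

def verify_hardened(record, password):
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return secrets.compare_digest(digest.hex(), record["hash"])

def demo():
    """Run both variants in a scratch directory and report what a visitor
    to the site could fetch. Sample credentials are made up."""
    base = tempfile.mkdtemp()
    docroot, logdir = os.path.join(base, "htdocs"), os.path.join(base, "logs")
    os.makedirs(docroot)
    register_vulnerable(docroot, "user@example.com", "hunter2")
    record = register_hardened(logdir, "user@example.com", "hunter2")
    with open(os.path.join(logdir, "register.log")) as fh:
        safe_log = fh.read()
    return {
        "exposed_log": serve_static(docroot, "/chat/debug.log"),
        "traversal_blocked": serve_static(docroot, "/../logs/register.log") is None,
        "password_in_safe_log": "hunter2" in safe_log,
        "verify_ok": verify_hardened(record, "hunter2"),
        "verify_wrong": verify_hardened(record, "hunter3"),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The realpath check in `serve_static` is there to show that keeping the log outside the web root only helps if the handler also refuses `..` traversal; both halves are needed. The hash step matters for the reuse problem described above: with a slow salted hash, a leaked table no longer doubles as a list of working e-mail and Facebook credentials.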

Hackers have already started going through the lists, checking which users use the same password for e-mail or Facebook, and have posted intimate pictures found in some users' sent/received e-mail.