Blog Archives

Facts We Know Now About the AshleyMadison Hack, by the Numbers

Analysts are poring over the latest details to emerge from the AshleyMadison hack and the implications for the company going forward. Since the hackers released their treasure trove Monday, we’re starting to get a sense of how big this hack really was.

As Ars Technica notes, the breadth of this attack is massive. It’s too early to say if it’s on the scale of the Sony hack last winter — but this is certainly a big deal.

Here’s what we know has been taken, by the numbers:

33 million accounts with user information, including names, street addresses and phone numbers

36 million email addresses

9.6 million documented transactions

10 GB of compressed data

This data was stolen on July 11, 2015. Anyone who registered an account after this date is probably safe — but anyone who registered before July 11 should consider some or all of their information compromised.

Passwords were encrypted in a relatively secure manner. But that doesn’t mean that a user’s individual password couldn’t be cracked.

It’s also important to note — as security researcher Graham Cluley points out — that if your email address is in the AshleyMadison database, it doesn’t mean you are or were a member of the site.

AshleyMadison apparently never bothered to confirm a user’s email address. Instead of having to click on a verification link in an email, a user could just enter in any email address they wanted in order to access the site.

As a result, there are tens of thousands of email addresses that could just be false. Plenty of members were using email addresses, and similar burner accounts.

Still, by all accounts, this data is real. And it’s not just user information that was leaked; internal corporate data was shared too.

Putting aside the schadenfreude and the moral judgments, what happened has the potential to be devastating to many individuals. And the data analysis is just getting started.


Firefox Bug Could Search and Upload Your Files Secretly

Attention, Firefox users: Stop what you’re doing and update your web browser.

An exploit discovered on Wednesday could potentially search your local files and upload them to a server that appears to be in Ukraine, according to a blog post Mozilla published on Thursday. The company strongly recommends users update to Firefox 39.0.3 or Firefox ESR (Extended Support Release) 38.1.1.

An advertisement on an unnamed Russian general news website can use a security vulnerability to perform the search and upload without leaving any trace on your computer, according to the post.

The security bug affects Windows and Linux users; Mac users are reportedly safe, though “would not be immune,” according to the post by Mozilla lead security expert Daniel Veditz.

“The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer,” Veditz wrote. “Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable.”

Veditz added that users who have ad-blocking software enabled may be unaffected.

If you aren’t on the latest version of Firefox, you can find instructions on how to update it here.

Hackers are Exploiting an OS X Flaw to Install Tricky Adware

A security flaw in an operating system is dangerous, but a security flaw that’s being actively exploited in the wild, and for which there is no official fix, is much more problematic.

That’s exactly what’s happening to Apple’s latest version of OS X, according to security company Malwarebytes. An OS X security flaw detailed in July by security researcher Stefan Esser allows an attacker to install software on a user’s computer without permission or password. Now, Malwarebytes researcher Thomas Reed has encountered an exploit that takes advantage of this flaw, installing VSearch and Genieo adware as well as MacKeeper junkware — in short, software that you don’t want on your computer, ever.

The exploit takes advantage of a vulnerability in an environment variable DYLD_PRINT_TO_FILE in OS X 10.10.x, which is normally used for error logging. According to Esser, the vulnerability has been fixed in the OS X 10.11 beta versions, but is not fixed in the current version — OS X 10.10.4 — nor in the 10.10.5 beta version.

Update: According to a tweet from Esser, Apple did fix the vulnerability in OS X 10.10.5 beta 2 version.

Looks like dropping DYLD_PRINT_TO_FILE exploit resulted in Apple having fixed it in OS X 10.10.5 beta “2” – suddenly they can work “faster”

— Stefan Esser (@i0n1c) July 31, 2015

Furthermore, Apple has confirmed to Mashable that the vulnerability has indeed been fixed in a new OS X 10.10.5 beta version. There’s no word, however, on when a full version of OS X 10.10.5 will be released to the public.

Reed claims Esser’s behavior was irresponsible, as he publicly revealed the flaw without notifying Apple first. And while Esser created his own software that he claims fixes the issue, Reed advises against using it.

“There is no good way to protect yourself, short of installing Esser’s software to protect against the very flaw that he released into the hands of hackers worldwide, which introduces some serious questions about ethics and conflict of interest,” he wrote in a blog post.