Author: Dan Goodin

For more than a month, users of the remote login service TeamViewer have taken to Internet forums to report their computers have been ransacked by attackers who somehow gained access to their accounts. In many of the cases, the online burglars reportedly drained PayPal or bank accounts. No one outside of TeamViewer knows precisely how many accounts have been hacked, but there's no denying the breaches are widespread.

Over the past three days, both Reddit and Twitter have exploded with such reports, often with the unsupported claim that the intrusions are the result of a hack on TeamViewer's network. Late on Friday afternoon, an IBM security researcher became the latest to report a TeamViewer account takeover.

"In the middle of my gaming session, I lose control of my mouse and the TeamViewer window pops up in the bottom right corner of my screen," wrote Nick Bradley, a practice leader inside IBM's Threat Research Group. "As soon as I realize what is happening, I kill the application. Then it dawns on me: I have other machines running TeamViewer!"

A growing number of WordPress websites have been infected by attackers exploiting a vulnerability that remains unpatched in a widely used plugin called WP Mobile Detector, security researchers warned.

The attacks have been under way since last Friday and are mainly being used to install porn-related spamming scripts, according to a blog post published Thursday. The underlying vulnerability in WP Mobile Detector came to light on Tuesday, and the plugin has since been removed from the official WordPress plugin directory. As of Wednesday, the plugin reportedly had more than 10,000 active installations, and it appears many remained active at the time this post was being prepared.

The security flaw stems from the plugin's failure to remove malicious input submitted by website visitors. Because the WP Mobile Detector performs no security checks, an attacker can feed malicious PHP code into requests received by websites that use the plugin.

The next time you're in the market for a new Windows computer, consider this: if it comes from one of the top five manufacturers, it's vulnerable to man-in-the-middle attacks that allow hackers to install malware.

That's the take-away from a report published Tuesday by researchers from two-factor authentication service Duo Security. It found third-party updating tools installed by default threatened customers of Dell, HP, Lenovo, Acer, and Asus. The updaters frequently expose their programming interfaces, making them easy to reverse engineer. Even worse, the updaters frequently fail to use transport layer security encryption properly, if at all. As a result, PCs from all five makers are vulnerable to exploits that allow attackers to install malware.

"Hacking in practice means taking the path of least resistance, and OEM software is often a weak link in the chain," the Duo Security report stated. "All of the sexy exploit mitigations, desktop firewalls, and safe browsing enhancements can't protect you when an OEM vendor cripples them with pre-installed software."

Less than two weeks after more than 177 million LinkedIn user passwords surfaced, security researchers have discovered three more breaches involving MySpace, Tumblr, and dating website Fling that all told bring the total number of compromised accounts to more than 642 million.

"Any one of these 4 I'm going to talk about on their own would be notable, but to see a cluster of them appear together is quite intriguing," security researcher Troy Hunt observed on Monday. The cluster involves breaches known to have happened to Fling in 2011, to LinkedIn in 2012, and to Tumblr 2013. It's still not clear when the MySpace hack took place, but Hunt, operator of the Have I been pwned? breach notification service, said it surely happened sometime after 2007 and before 2012. He continued:

There are some really interesting patterns emerging here. One is obviously the age; the newest breach of this recent spate is still more than 3 years old. This data has been lying dormant (or at least out of public sight) for long periods of time.

The other is the size and these 4 breaches are all in the top 5 largest ones HIBP has ever seen. That's out of 109 breaches to date, too. Not only that, but these 4 incidents account for two thirds of all the data in the system, or least they will once MySpace turns up.

Then there's the fact that it's all appearing within a very short period of time - all just this month. There's been some catalyst that has brought these breaches to light and to see them all fit this mould and appear in such a short period of time, I can't help but wonder if they're perhaps related.

All four of the password dumps are being sold on a darkweb forum by peace_of_mind, a user with 24 positive feedback ratings, two neutral ratings, and zero negative ratings. That's an indication the unknown person isn't exaggerating the quality of the data. The megabreach trend is troubling for at least a couple of reasons. First, it demonstrates that service providers are either unable to detect breaches or are willing to keep them secret years after they're discovered. Second, it raises the unsettling question where the trend will end, and if additional breaches are in store before we get there?

FBI agents armed with an assault weapon raided the home of a security professional who discovered sensitive data for 22,000 dental patients was available on the Internet, according to a report published Friday.

Justin Shafer, who is described as a dental computer technician and software security researcher, reportedly said the raid happened on Tuesday at 6:30am as he, his wife, and three young children were sleeping. He said it started when his doorbell rang incessantly and someone banged hard on his door. According to Friday's report:

“My first thought was that my dad had died,” Shafer told Daily Dot in a phone interview, “but then as I went to the door, I saw all the flashing blue and red lights.”

With the baby crying in fear from the racket, Shafer opened the door to find what he estimated to be 12 to 15 FBI agents. One was “pointing a ‘big green’ assault weapon at me,” Shafer told Daily Dot, “and the baby’s crib was only feet from the door.”

The agents allegedly ordered Shafer to put his hands behind his back. As they handcuffed him, his 9-year-old daughter cried in terror, Shafter said, and his wife tried to tell the agents that there were three young children in the house.

Once handcuffed, Shafer was taken outside, still in his boxer shorts, still not knowing what was going on or why.

Over the next few hours, the agents seized all of Shafer’s computers and devices—“and even my Dentrix magazines,” Shafer said. “The only thing they left was my wife’s phone.” The seized property list, a copy of which was provided to Daily Dot, shows that federal agents took 29 items.

Enter Eaglesoft

A FBI agent told Shafer the raid stemmed from an incident in February, when Shafer discovered a file transfer protocol server operated by Eaglesoft, a provider of dental practice management software. The FTP server reportedly stored patient data in a way that made it easily accessible to anyone. Shafer contacted DataBreaches.net and asked for help privately notifying the software maker, and once the patient data was secured, the breach notification site published this disclosure. In a blog post of his own, Shafer later discussed the FTP lapse and a separate Eaglesoft vulnerability involving hard-coded database credentials.

As Microsoft pats itself on the back for its crackdown on easily cracked passwords, keep this in mind: a quick check shows users still have plenty of leeway to make poor choices. Like "Pa$$w0rd" (excluding the quotation marks).

As a Microsoft program manager announced earlier this week, the Microsoft Account Service used to log in to properties such as Xbox Live and OneDrive Azure has been dynamically banning commonly used passwords during the account-creation or password-change processes. Try choosing "12345678," "password," or "letmein"—as millions of people regularly do—and you'll get a prompt telling you to try again. Microsoft is in the process of adding this feature to the Azure Active Directory so enterprise customers using the service can easily stop employees from taking security shortcuts, as well.

But a quick check finds it's not hard to get around the ban. To wit: "Pa$$w0rd1" worked just fine. And in fairness to Microsoft, Google permitted the same hopelessly weak choice.

Dozens of HTTPS-protected websites belonging to financial services giant Visa are vulnerable to attacks that allow hackers to inject malicious code and forged content into the browsers of visitors, an international team of researchers has found.

In all, 184 servers—some belonging to German stock exchange Deutsche Börse and Polish banking association Zwizek Banków Polskich—were also found to be vulnerable to a decade-old exploit technique cryptographers have dubbed the "forbidden attack." An additional 70,000 webservers were found to be at risk, although the work required to successfully carry out the attack might prove to be prohibitively difficult. The data came from an Internet-wide scan performed in January. Since then, Deutsche Börse has remedied the problem, but, as of Wednesday, both Visa and Zwizek Banków Polskich have allowed the vulnerability to remain and have yet to respond to any of the researchers' private disclosures.

The vulnerability stems from implementations of the transport layer security protocol that incorrectly reuse the same cryptographic nonce when data is encrypted. TLS specifications are clear that these arbitrary pieces of data should be used only once. When the same one is used more than once, it provides an opportunity to carry out the forbidden attack, which allows hackers to generate the key material used to authenticate site content. The exploit was first described in comments submitted to the National Institute of Standards and Technology. It gets its name because nonce uniqueness is a ground rule for proper crypto.

FBI officials are warning private industry partners to be on the lookout for highly stealthy keystroke loggers that surreptitiously sniff passwords and other input typed into wireless keyboards.

The FBI's Private Industry Notification is dated April 29, more than 15 months after whitehat hacker Samy Kamkar released a KeySweeper, a proof-of-concept attack platform that covertly logged and decrypted keystrokes from many Microsoft-branded wireless keyboards and transmitted the data over cellular networks. To lower the chances that the sniffing device might be discovered by a target, Kamkar designed it to look almost identical to USB phone chargers that are nearly ubiquitous in homes and offices.

"If placed strategically in an office or other location where individuals might use wireless devices, a malicious cyber actor could potentially harvest personally identifiable information, intellectual property, trade secrets, passwords, or other sensitive information," FBI officials wrote in last month's advisory. "Since the data is intercepted prior to reaching the CPU, security managers may not have insight into how sensitive information is being stolen."

A co-leader on Google's product security team has waved a piece of red meat in front of already frothing privacy advocates by deleting part of a blog post saying he wished the Allo messenger app the company announced Wednesday would provide end-to-end encryption by default.

To critics, the deletion by Thai Duong amounted to tacit admission that his employer was willfully choosing to leave messages sent by the vast number of Allo users open to government surveillance. The critics have argued that because end-to-end encryption will be turned off by default and turned on only in an incognito mode, most users will never avail themselves of the protection.

In a blog post published shortly after Wednesday's announcement, Duong said the move would benefit people who want their messages to be processed by an artificial intelligence agent that would offer auto-replies based on the content of the messages. A built-in digital assistant, for instance, might automatically suggest nearby restaurants or available movies when parties are making plans, but only if the encryption feature is turned off. Then Duong went on to say something that he later deleted from the post:

ISPs around the world are being attacked by self-replicating malware that can take complete control of widely used wireless networking equipment, according to reports from customers and a security researcher who is following the ongoing campaign.

San Jose, California-based Ubiquity Networks confirmed on Friday that attackers are actively targeting a flaw in AirOS, the Linux-based firmware that runs the wireless routers, access points, and other gear sold by the company. The vulnerability, which allows attackers to gain access to the devices over HTTP and HTTPS connections without authenticating themselves, was patched last July, but the fix wasn't widely installed. Many customers claimed they never received notification of the threat.

Nico Waisman, a researcher at security firm Immunity, said he knows of two Argentina-based ISPs that went dark for two days after being hit by the worm. He said he's seen credible reports of ISPs in Spain and Brazil being infected by the same malware and that it's likely ISPs in the US and elsewhere were also hit, since the exploit has no geographic restrictions. Once successful, the exploit he examined replaces the password files of an infected device and then scans the network it's on for other vulnerable gear. After a certain amount of time, the worm resets infected devices to their factory default configurations, with the exception of leaving behind a backdoor account, and then disappears. Ubiquity officials have said there are at least two variations, so it's possible other strains behave differently.