Amazon Recommends Users Change Their Passwords

Who doesn’t have an Amazon account? If you do, it may be worth changing your password: Amazon is recommending that users take the precaution after it discovered that credentials for some Amazon accounts could be found online.

Amazon discovered the leaked passwords in a password list posted online. While the list is not specific to Amazon services, Amazon has recommended that users change their passwords, even more so if they use the same password on several sites. If your account’s email address was found on any of the lists, Amazon has taken the precaution of forcing a password reset on your account.

While many recommend against it, it’s common practice for people to use the same password and email combinations on several sites, thus increasing the chance that if one account is hacked, others will be compromised alongside.

While it’s recommended by some that we get rid of passwords altogether, alternative methods like biometric scanners for your fingerprints have been seen as easily bypassed and companies are even looking at using videos or selfies to access your accounts, a technique that has been met with mixed views. Would you prefer to access your account with a selfie or video of yourself or do you believe that the password still has a while to go if used correctly?

UPDATE: We were asked to remove the image, so one of our own, Robert Ainsworth, provided us with a copy of the email he received.

Wireless Passwords Could Be a Thing of the Past Thanks to MIT Research


A new wireless technology in development by MIT’s Computer Science and Artificial Intelligence Lab could allow us to finally say goodbye to the Wi-Fi password.

The technology, currently named Chronos, is capable of allowing a single wireless access point to detect the location of networked users to tens of centimetres in accuracy. This immediately has a number of possible applications, one of which could allow wi-fi networks to be limited in access to only those within the building, as well as smart home applications such as tracking people’s movement and adjusting temperature and lighting as they move.

Chronos works by computing the “time of flight” of a wireless signal with an average error of just 0.47 nanoseconds according to MIT, which when multiplied by the speed of light allows Chronos to accurately determine not only the angle at which a user sits relative to the access point, but also their distance from it. By comparison, existing wi-fi devices lack the bandwidth to accurately measure the time of flight of a signal, so in order to detect the locations of users, multiple access points were required for triangulation.

It was discovered after MIT Ph.D. student Deepak Vasisht observed that the signals travel through the air at a different frequency than within a Wi-Fi device that is being detected. He and his team were then able to exploit this difference in signals, testing their new algorithm in a two-bedroom apartment containing four people, where Chronos could accurately detect the room a user was in 94% of the time. When tested in a cafe, the detection rate of in-store customers compared to out-of-store hijackers was 97% accurate, which could allow wireless passwords to be rendered redundant in such cases, as only those in the store can connect to the network.

Whether this will truly be the end of the wireless password is unlikely, as there will always be a call for a higher level of security on many networks. For lightly restricted public networks, though, this technology could be a godsend, without requiring businesses set up a complex multi-access-point solution. A paper summarizing the study of the technology was presented last month by Vasisht at the USENIX Symposium on Networked Systems Design and Implementation.

Suspect In The UK Told To Decrypt His Devices For The US

Apple vs the FBI may be over, but that doesn’t mean the question of decryption and the law is settled. In the most recent case to catch our ears, a suspect from the UK is being asked to decrypt his devices for the US authorities.

Lauri Love is a British computer scientist, who is a suspect in the breach of US government networks, which are claimed to have caused “millions of dollars in damage”. After being initially arrested in 2013, and then released, Love was re-arrested back in 2015 and is facing extradition to the US for the suspected crime. While he has not been charged with any crimes, Love has been asked as part of a Section 49 RIPA notice (doesn’t sound that bad does it?) to decrypt his devices by providing them with the passwords and keys required to unlock his devices.

With his devices confiscated, something that Love is now contesting with a countersuit in civil court, the authorities want to access the data on his devices, which include a Samsung laptop, a Fujitsu Siemens laptop, a Compaq computer tower, an SD card and a Western Digital hard drive. Alongside this, the National Crime Authority, the UK body that has demanded the devices be decrypted, is interested in files located on the SD card and external drive that are encrypted using TrueCrypt.

What is most worrying is that if Love were to provide the keys, and this evidence were used against him in the US, it would breach his Fifth Amendment rights there. The Fifth Amendment can be described as protecting someone from being made to present evidence against themselves, meaning that you can’t be forced to prove your own guilt, by unlocking a computer for example.

In his argument, Love states that “the NCA are effectively arguing that any information that cannot be read and comprehended by the police has a presumption of guilt”. An argument that if extended to other circumstances, could be seen as worrying for any groups that share information and protect journalists, whistleblowers and anyone within the legal profession.

Amazon Patents Selfie-Pose Authentication Technology

Amazon is known for its increasing use of technology. Keen to use drones in its delivery process and even leasing a new fleet of jets in order to speed up deliveries, the company seems to be stopping at nothing to control the delivery market. The next step may be something a little closer to home, though: a pay-by-selfie technique that introduces selfie-pose authentication.

The new patent filed by the company reveals a process in which shoppers would be able to forgo the use of their password to instead have them take a photo or video of themselves. The technology would use a similar system to the MasterCard selfie system which means that you would be prompted to perform an action, such as blink or pose in order to confirm that it isn’t just a photo being held up by someone else.

Can you see yourself buying a product and then paying by blinking at the camera on your phone? While it stops you from having to remember your password, or from letting your phone and laptop save it, am I the only one who suddenly sees people in public winking at their phones every five minutes in order to purchase that new DVD they’ve wanted to see for so long?

Hacker Found Way into Any Facebook Account

An Indian hacker has found a remarkably simple way to access any Facebook user account. Thankfully, Anand Prakash, a security engineer from Bangalore, is a “white hat” hacker and immediately contacted Facebook about the loophole, granting him a $15,000 reward.

In a blog post – with the provocative title “How I could have hacked all Facebook accounts” – Prakash explained the process he used, including a proof-of-concept video. Effectively, he brute-forced the password reset code – a six-digit number which is sent to the user’s phone or e-mail – on the beta version of Facebook, which allowed him unlimited input attempts without locking him out. He was then able to set his own password, with which he could fraudulently access other users’ accounts.

“Whenever a user Forgets his password on Facebook, he has an option to reset the password by entering his phone number/ email address on https://www.facebook.com/login/identify?ctx=recover&lwv=110, Facebook will then send a 6 digit code on his phone number/email address which user has to enter in order to set a new password,” Prakash wrote. “I tried to brute the 6 digit code on www.facebook.com and was blocked after 10-12 invalid attempts.”

“Then I looked out for the same issue on beta.facebook.com and mbasic.beta.facebook.com and interestingly rate limiting was missing on forgot password endpoints,” he added. “I tried to takeover my account (as per Facebook’s policy you should not do any harm on any other users account) and was successful in setting new password for my account. I could then use the same password to login in the account.”

According to his blog, Prakash discovered the vulnerability on 22nd February, and received his $15,000 reward from Facebook on 2nd March. Facebook is yet to confirm the veracity of Prakash’s blog post.
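The defect Prakash describes is a reset endpoint with no attempt limit, which turns a six-digit code into a million-guess search. The following is an added example (not Facebook’s code) of how a reset-code store can bound that search: each issued code dies after an assumed ten wrong guesses, after an assumed ten-minute lifetime, or after one successful use, and the comparison is constant-time.

```python
import hmac
import secrets
import time

# Constructed example: limits below are assumptions, chosen to mirror the
# "blocked after 10-12 invalid attempts" behaviour of the production endpoint.
MAX_ATTEMPTS = 10        # wrong guesses allowed before the code is invalidated
CODE_TTL_SECONDS = 600   # a code is only valid for ten minutes
CODE_DIGITS = 6


class ResetCodeStore:
    """Issues one-time numeric reset codes and verifies submissions.

    Each account has at most one live code.  With these limits an attacker
    gets at most MAX_ATTEMPTS guesses out of 10**CODE_DIGITS per issued code,
    i.e. a success chance of about one in a hundred thousand, instead of the
    unlimited tries the beta endpoints allowed.
    """

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable clock so expiry can be tested
        self._live = {}       # account -> {"code", "expires", "attempts"}

    def issue(self, account):
        """Generate and store a fresh code; any previous code is replaced.

        Note: issuing resets the attempt counter, so the issue endpoint itself
        must be rate-limited too, or an attacker simply re-requests codes.
        """
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._live[account] = {
            "code": code,
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # in a real system this is sent to the user's phone/e-mail

    def verify(self, account, submitted):
        """Return True only if `submitted` is the live, unexpired code for `account`."""
        entry = self._live.get(account)
        if entry is None:
            return False                   # nothing issued, or already consumed
        if self._clock() > entry["expires"]:
            del self._live[account]        # expired: user must request a new code
            return False
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._live[account]        # budget spent: burn the code entirely
            return False
        entry["attempts"] += 1
        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(entry["code"], str(submitted)):
            del self._live[account]        # single use
            return True
        return False

    def attempts_left(self, account):
        """Remaining guesses for the account's live code (0 if none is live)."""
        entry = self._live.get(account)
        return 0 if entry is None else MAX_ATTEMPTS - entry["attempts"]
```

Once the budget is spent even the correct code is rejected, which is the property that makes the six-digit space adequate.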

DOJ Appealing Order Found in Favor of Apple

Apple is everywhere in the news these days. From the rumoured features of their next generation of phones to the courtrooms. In a case that recently came to light in New York, the judge ruled that Apple could not be forced to unlock an iPhone by the All Writs Act. This didn’t sit well with the DOJ who are now appealing the order.

The case in New York features another iPhone, again locked by a passcode. Repeatedly trying different passcodes risks the data on the phone, thanks to a security measure that erases the phone after 10 failed passcode entries. With so many combinations, the FBI are looking to enlist Apple’s help to enter passcodes through software, without the data being erased.

I say looking to enlist, but the act used (the All Writs Act) has been described by some as an order from a judge where no legal precedent exists for the request. A judge in New York recently ruled that Apple couldn’t be forced to remove these settings or extract the data by use of the All Writs Act.

The DOJ don’t seem happy with this ruling, though, and are asking the court to review the Magistrate Judge’s decision, in the hope that they can get the iPhone unlocked and the case continued in a similar fashion to the one currently taking place in California.

Child Tracking Firm uKnowKids Accuses Security Researcher of Hacking

Digital security is important in this day and age: with your information reachable from across the world, you are not the only one who can access it. Big companies like TalkTalk have found out the hard way that even a single breach can do a company untold harm to both its image and its credibility. The issue is only made worse when the information relates to the young.

VTech found out the hard way when it was revealed that their hacked data included photos and chat logs. This time up it’s the software firm known as uKnowKids. uKnowKids is a subscription-based service designed to help parents track their children’s online activity. The supposed hack is the work of none other than security researcher Chris Vickery. Vickery states that all he did was use the search engine Shodan and he managed to locate millions of text messages and images, amongst the data was around 1,700 “detailed child profiles”.

The information was apparently obtained from a database which hadn’t been password protected, meaning that it was freely accessible from the web. uKnowKids disagrees and says that the “vulnerability” was patched within 90 minutes of Vickery notifying them. The worst part is that they claim they haven’t been able to identify him as a “white hat” security researcher, someone who will identify a vulnerability, report it and help fix the issues they find.

Steve Woda is the chief executive of uKnowKids and posted a blog stating that one of their databases “was breached by a hacker” and that “Twelve minutes after the final breach… and after taking screenshots of our intellectual property, business data, and customer data, Mr Vickery notified uKnow of his breach of our private systems”.

uKnowKids tracks youngsters’ online activity, from text messages to social media, letting parents keep close tabs on their activity and be aware of any alarming content that could be upsetting or dangerous. It comes as no surprise, then, that the BBC reports the data included a family photo, usernames and email addresses.

Vickery was surprised when they responded in such an aggressive way, saying that other firms would thank you for alerting them to these issues or even hire you to help fix and make sure their security was up to date.

Iris Scanners Allow Access to Bank Accounts Without Pin or Card

We all hear about how we need to keep our accounts safe, but who remembers all their passwords to all their different accounts? Who can say that they haven’t used the same password for several websites before? Even with password managers apparently making passwords redundant according to GCHQ, we still use them for everything from logging into your phone to filing your bank returns. So what about when it comes to your money? A four digit pin? Why not use an iris scanner to access your bank account.

Jordan is the first country to deploy iris scanning technology, with help from the United Nations Refugee Agency (UNHCR), to help users access their bank accounts, with the system being used to help refugees access their bank accounts without a bank card or pin. With around 23,000 families using the system to receive aid, the system is working well.

By removing the need for a person to check details before handing out the cash the UNHCR feels like this is a step in the right direction, giving both the refugees and the UNHCR a feeling of control and freedom. With the hopes that the system could be deployed to all of UNHCR’s current cash assistance programmes, you have to wonder how long before typing in a password becomes a thing you’ll tell your grandchildren about.

Video Surveillance DVRs Exposed by Hard Coded Password

The security of devices that are internet accessible has become more and more critical in recent years. Recently, cheap unsecured webcams have come under fire after many such devices were exposed by the Shodan search engine. Now as many as 46,000 users of digital video recorders (DVRs) manufactured by Zhuhai RaySharp Technology may actually be making their property less secure, as it has come to light that the Chinese manufacturer has been using hard-coded, unchangeable passwords for the highest user privileges in its software.

The vulnerability was discovered by security researchers from vulnerability intelligence firm Risk Based Security (RBS), who examined the software that the DVRs’ interface runs on. RaySharp’s DVR products have a web interface through which a user can view the camera feeds, manage settings and recordings and operate any pan or zoom features on the cameras. These web interfaces all run on Linux-based firmware; on examining the CGI scripts that manage the web interface’s user authentication, the researchers found a routine that checks whether the user-supplied username is “root” and the password is “519070”. Using these credentials to log into the web interface would provide full system access.

Using hard-coded passwords for small-scale systems used to be an accepted practice, where physical access to the system would generally be required regardless. Such things are now considered unacceptable by most, with many vendors developing secure systems and working to ensure vulnerabilities that do pop up are patched. That RaySharp still uses hard-coded root passwords would be bad enough, but the Chinese firm also manufactures DVR products and provides firmware for a number of other companies worldwide, with RBS researchers finding that at least some of the DVR products from König, Swann Communications, COP-USA, KGUARD Security, Defender and LOREX Technology contain the same hard-coded root password. Another CGI script found in RaySharp firmware listed 55 vendors that apparently use the same firmware, so the impact could be much greater.

For those in possession of a DVR system from Raysharp or one of the other affected firms, RBS researchers chose to release information on the vulnerability, so that they can check for themselves whether their system possesses the issue. They recommend that any DVR that uses the username and password combination of root and 519070 should not be accessible on the internet and if access is required, it should be done by first logging into a VPN.

With the recent revelation that many webcams had been unwittingly exposed publicly online, it is likely that the same may occur for these DVRs. Hopefully, those with vulnerable DVR systems will discover the issue and take precautionary steps to avoid unwittingly sabotaging their own efforts to make their property or possessions safer.

Worst Passwords of 2015 Revealed

Security provider SplashData has released its annual “Worst Password List” for 2015, and the results are as depressing – and predictable – as ever. While last year’s entries boast some of the longest bad passwords ever featured during SplashData’s five years of compiling its worst password lists, they are certainly no more secure.

The top-25 worst passwords have not changed much in the last 12 months, though the revised list – which has lost “batman” and “superman”, but gained “starwars”, “solo”, and “princess”, which could delight J.J. Abrams at the expense of Zack Snyder – does offer an interesting glimpse into the cultural zeitgeist. “trustno1” has faded from view since last year, though, which is surprising considering the recent revival of The X-Files.

The reigning champions, in first and second place, respectively, are “123456” and “password”, retaining their positions from 2014, while new, terrible entries include “welcome”, “1qaz2wsx” (the first two lines of keyboard characters, vertically), and “login”. While “dragon” has dropped 7 places, it remains curiously popular.

Rank Password Change from 2014
1 123456 Unchanged
2 password Unchanged
3 12345678 Up 1
4 qwerty Up 1
5 12345 Down 2
6 123456789 Unchanged
7 football Up 3
8 1234 Down 1
9 1234567 Up 2
10 baseball Down 2
11 welcome New
12 1234567890 New
13 abc123 Up 1
14 111111 Up 1
15 1qaz2wsx New
16 dragon Down 7
17 master Up 2
18 monkey Down 6
19 letmein Down 6
20 Login New
21 princess New
22 qwertyuiop New
23 Solo New
24 passw0rd New
25 starwars New

“We have seen an effort by many people to be more secure by adding characters to passwords, but if these longer passwords are based on simple patterns they will put you in just as much risk of having your identity stolen by hackers,” Morgan Slain, CEO of SplashData, said. “As we see on the list, using common sports and pop culture terms is also a bad idea. We hope that with more publicity about how risky it is to use weak passwords, more people will take steps to strengthen their passwords and, most importantly, use different passwords for different websites.”

Image courtesy of Wired.

Bohemia Interactive Confirms DayZ Forum Hacked

DayZ sees players fight off and survive in a harsh apocalyptic world where zombies are the second most dangerous thing, only after the other players that want all your stuff. It seems someone took that one step further and has taken people’s login details for the DayZ forums.

With reports that it was hacked as early as last week, Bohemia Interactive (the creators of the standalone game, based on the popular mod) have sent an email round to their forum members stating the extent of the hack and the details that were obtained during the hack.

Greetings,

A security incident occurred on forums.dayzgame.com recently. According to our investigation all usernames, emails and passwords from forums.dayzgame.com were accessed and downloaded by hackers.

While the passwords were not stored in plain text, but in a more secure form, it is highly recommended that if you have used the same password elsewhere you change it immediately on all applicable websites and services.

We would like to apologize for the inconvenience caused, and share with you one of the major changes planned in order to mitigate similar risks in the future. We will be replacing the IPBoards login system with Bohemia Account within the next two weeks. As Bohemia Account is a separate custom-built service currently used by Bohemia Interactive Forums and Store, it offers much better security and its use should prevent similar incidents going forward.

We ask for your patience over the next few days and weeks as we implement this and other security overhauls, as there are likely to be service interruptions and forum unavailability from time to time. In particular, the forums will be down until migration to the Bohemia Account is complete. We will keep you up to date on vital info and scheduled down-time on the site itself and via our Twitter.

Yours sincerely,

Bohemia Interactive

While everything from usernames to emails was taken, the passwords were luckily not stored in plain text. We highly recommend that you change your password for the DayZ forum and for any other sites or services where you use that password (and that every account gets a unique password in future, which helps prevent breaches like this from affecting other accounts).

While hacks are becoming more and more common, sites like these need to respond quicker and alert their users as soon as they detect the hack, a whole week is a lot of time to have access to people’s emails and social media accounts (all of which could be done using your email and potentially your password).

Amazon Passwords Could Have Been Leaked

It’s that time of the year again, when everyone goes crazy and starts buying ready for all the events and gift giving to come over the next few months (some even preparing so far ahead as to order for next year). Black Friday, one of the busiest shopping days of the year, is upon us, and with it a lot of people are watching online stores waiting for that juicy one-time deal they can quickly scoop up before it all goes. To no surprise, Amazon is one of these online stores, so what does it mean when people start receiving emails asking them to change their passwords? That’s right, another potential breach.

As reported by ZDNet, a selection of their readers received emails asking them to reset their password (the email was also sent via Amazon’s message centre, confirming that it came from a legitimate source). The reason given was that your password could have been stored on your device or transmitted in a way that exposed it to third parties.

Amazon continued to state they had corrected the issue, but that temporary passwords were being issued as a sign of caution.

Given recent hacks and breaches, it’s not surprising that Amazon is erring on the side of caution when it comes to people’s accounts, especially around this time of year.

New Firefox Testing Feature Warns Of Insecure Website Password Submission

Consumers are exposed to a myriad of cyber threats intent upon harvesting as much information as possible, from bogus emails offering state cash refunds to spoofed pages which purport to be from a genuine vendor but are in fact aiming to collect sensitive consumer details. The well-known and popular browser Mozilla Firefox has recognised the importance of alerting consumers to the security of password submission by offering a simple yet important safeguard within the latest Firefox Nightly build.

The security measure in question takes the form of a faded, crossed-out padlock icon within the address bar of the browser; thankfully it’s more useful than simply a new icon. The aim of this new feature is to warn consumers if a password field is not submitted over HTTPS and is thus regarded as insecure. If a consumer clicks on the icon, it will provide further details as to why a particular site is considered insecure; below is an image to convey the change. This feature is currently “only in testing as part of Firefox 44 Nightly”.

This new yet simple feature is a good way of informing consumers of the risks of submitting a password over an insecure channel; cyber security is a hot topic and the more every individual knows, the better. It will be interesting to note the rollout timescale of this feature once Firefox confirms it for its finished builds. On a side note, let’s hope consumers actually update their browsers in order to benefit from the latest security fixes; I bet many a reader knows someone who is running a version of Firefox at least 10 versions behind the current release.

Image courtesy of technodyan

Wifatch: The Vigilante Malware

Malware. That one word seems to inspire fear and dread in everybody who hears it, even more so when you’ve experienced it first hand on one of your many devices. Malicious software, or malware for short, is often used to spread itself over the internet or even WiFi in the hope of creating openings for other malicious software, from a program that redirects you when you browse the web to one that encrypts your hard drive until you pay hundreds of pounds so that (if they are true to their word) they will release your files. The world has changed since those dark days; there is a new piece of software in the world: Wifatch is here.

Wifatch was found in late 2015 by Symantec and focuses on the bugs and security issues normally involved in routers (a piece of hardware we all use but rarely update). This malware doesn’t just infect your router and use it to spread to others, it closes off potentially dangerous loopholes and bugs on your router. That’s right, this malware, a piece of software that by its very nature breaches your security and trust, is trying to help stop you from being affected by … malware?

Not only does it block common points of danger for routers but it also tries to disinfect infected systems, even going so far as to reboot systems in the hopes of stopping any malware that is currently running.

The developer even left a funny message in its source code for those brave enough to browse it.

Is this the kind of software that we need? What do you think about this vigilante malware?

Thank you Symantec and the BBC for the information.

Images courtesy of Symantec.

Android Lollipop Lock Screen Can be Bypassed Using Really Long Password

Any Android Lollipop device that is not using the latest build of the mobile operating system is vulnerable to having its lock screen bypassed by inputting a long string of characters as password. The bypass was discovered by researchers from the University of Texas this week and can be applied to any Android 5 device that does not have the latest security updates, released last week.

“A vulnerability exists in Android 5.x <= 5.1.1 (before build LMY48M) that allows an attacker to crash the lockscreen and gain full access to a locked device, even if encryption is enabled on the device,” the researchers wrote on the University of Texas blog. “By manipulating a sufficiently large string in the password field when the camera app is active, an attacker is able to destabilize the lockscreen, causing it to crash to the home screen.”

The Texas researchers also included a proof-of-concept video, tested using a Nexus 4 with an Android 5.1.1 factory image:

Google has patched the flaw, but in the meantime it is advised that Android Lollipop users that do not have the latest updates use either a PIN or pattern lock, since neither are vulnerable to the above exploit.

Thank you The Register for providing us with this information.

GCHQ Claims Longer Passwords Are Unnecessary

GCHQ is a government body which monitors communication in the UK and protects the security of its citizens. While the organization remains fairly aloof, it has come under a great deal of scrutiny in light of the Edward Snowden revelations. GCHQ and the Centre for the Protection of National Infrastructure compiled a report entitled “Password guidance: simplifying your approach”. This piece of documentation recommends that users opt for a password manager instead of long and overly complicated passwords:

“Complex passwords do not usually frustrate attackers, yet they make daily life much harder for users.”

Although, as the report cautions, password managers can themselves be attacked:

“like any piece of security software, they are not impregnable and are an attractive target”.

Nigel Hawthorn from security company Skyhigh Networks argued:

“The security industry is awash with password advice, but much of it is contradictory or simply not suited to modern working. The result – passwords still puzzle many. GCHQ’s latest advice is refreshingly to the point and covers some of the most pressing issues facing UK businesses and employees today.”

The question is, do you trust GCHQ’s advice given their less-than-admirable behaviour in recent years? Ideally, you should set a different password for each service to avoid every aspect of your being disrupted during a hack. Although, it can be quite difficult to remember passwords as various sites set specific stipulations for the characters used. Hopefully, fingerprint recognition and other methods will replace passwords in the near future.

Thank you The Guardian for providing us with this information.

MIT Ranks Worst In IT Security Assessment

The Massachusetts Institute of Technology (known as MIT) is known throughout the world for its technological prowess and skills. Producing proud graduates, it is known for being at the forefront of the information technology that we as a world use on an everyday basis. Once again it has scored first; this time, however, this is not good news.

Conducted by Security Scorecard, an information security assessment company, the assessment covered several high-value universities and nearly gave MIT a failing grade. MIT scored low in several areas, including hacker chatter (the number of times the school was mentioned in online forums used by hackers, and the amount of user details revealed on those forums), patching cadence (how quickly patches were applied to deal with the vulnerabilities reported during the scan period) and IP reputation (the amount of malware communication coming from IPs registered to the school).

MIT did score high in several areas, though, such as its web application security, the health of its DNS records and the quality of its endpoint security. As with all things, security is not something that can be considered fixed and left alone; it should always be reconsidered and updated.

Thank you Ars Technica for the information. 

Image courtesy of Wikipedia.

Cracking Millions Of Ashley Madison Passwords In Quadruple Quick Time

Signing up to a dating site which offers a platform for affairs while expecting all your data to remain safe looks rather stupid after the many revelations which have been exposed concerning the Ashley Madison website. If the owners thought it could not be embarrassed any further, a cracking team by the name of Cynosure Prime, not affiliated with Amazon’s video service, has cracked roughly 11 million passwords in just 10 days.

They managed this with help from an error made by Ashley Madison themselves: it involved breaking passwords which were secured using MD5 (Message Digest Algorithm), a fast hashing algorithm that is far less secure for this purpose than others. Using the second leak of data as a study group, Cynosure Prime attacked the MD5 tokens. The passwords themselves were hashed with bcrypt, which is much more secure and therefore should have been far harder to crack. The problem is that Cynosure Prime found the code had been changed in commit 1c833ec7 on 14th June 2012, which meant accounts created prior to this date could be cracked via “simple salted MD5”.
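The lesson of the 2012 switch is that changing the hashing scheme for new accounts does nothing for records already stored under the old one. The following is an added example, not Ashley Madison’s code, of a password store that verifies both a legacy salted-MD5 record and a slow-hash record and upgrades the legacy one the moment its owner next logs in successfully. The record formats are assumptions, and PBKDF2-SHA256 from the standard library stands in for bcrypt so the block runs without extra packages.

```python
import hashlib
import hmac
import os

# Constructed example.  Assumed record formats:
#   legacy: "md5$<salt-hex>$<digest-hex>"
#   strong: "pbkdf2$<iterations>$<salt-hex>$<digest-hex>"
PBKDF2_ITERATIONS = 100_000   # assumption; tune so one check costs ~100 ms on the server


def legacy_md5_record(password, salt=None):
    """The fast scheme: one MD5 over salt+password.  Cheap for a cracker too,
    so it is kept only so old records can be verified and then replaced."""
    salt = salt if salt is not None else os.urandom(8)
    digest = hashlib.md5(salt + password.encode("utf-8")).hexdigest()
    return f"md5${salt.hex()}${digest}"


def strong_record(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Slow, salted, iterated hash: every guess costs the attacker `iterations` HMAC rounds."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()
    return f"pbkdf2${iterations}${salt.hex()}${digest}"


def verify(record, password):
    """Check `password` against a record of either scheme, comparing in constant time."""
    scheme, *fields = record.split("$")
    pw = password.encode("utf-8")
    if scheme == "md5":
        salt_hex, digest = fields
        candidate = hashlib.md5(bytes.fromhex(salt_hex) + pw).hexdigest()
    elif scheme == "pbkdf2":
        iterations, salt_hex, digest = fields
        candidate = hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(salt_hex), int(iterations)).hex()
    else:
        raise ValueError(f"unknown hash scheme: {scheme!r}")
    return hmac.compare_digest(candidate, digest)


def is_legacy(record):
    return record.startswith("md5$")


def login(store, username, password):
    """Authenticate and, on success, upgrade a legacy MD5 record in place.

    A correct login is the only moment the server holds the plaintext and can
    re-hash it under the slow scheme.  Accounts that never log in again stay on
    MD5, which is the situation the article describes for pre-June-2012
    accounts; those need a forced reset (or wrapping the old hash in the new
    scheme) rather than waiting for a login that may never come.
    """
    record = store.get(username)
    if record is None or not verify(record, password):
        return False
    if is_legacy(record):
        store[username] = strong_record(password)
    return True


def legacy_count(store):
    """How many accounts are still protected only by salted MD5."""
    return sum(1 for record in store.values() if is_legacy(record))
```

`legacy_count` is the number an operator should be tracking after a scheme change; if it is not falling, the migration is not happening.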

What was expected to take years to solve only took 10 days to expose such naïve security protocols within Ashley Madison’s tech structure. The era of basic security has long since ended and businesses need to understand the scale of threats which are targeting their valuable data, Mrs Madison won’t be the last to experience such data loss. This should also be yet another warning against the crusade to ban effective encryption which is an essential tool to protect consumers from web-based data theft.

If you have a spare few minutes then by all means take a look at the full detailed explanation of the techniques used to crack the passwords; it’s worth a read.

Thank you cynosureprime for providing us with this information.

Image courtesy of winknews

Data from Hacked Bug Database used to Target Firefox Users

Using data and information obtained through another hack, hackers were able to target Mozilla Firefox users through vulnerabilities in the popular browser. What is most interesting about this whole debacle, however, was that the attackers first hacked Bugzilla, Mozilla’s bug and vulnerability tracking system to find working exploits.

Bug trackers and vulnerability databases serve important roles in maintaining secure software. As researchers and whitehats discover bugs and vulnerabilities, they report them either to a third party or directly to the vendor; in this case, through Bugzilla to Mozilla. This provides a common platform to share the information required to demonstrate and fix the bug. Even where there is no outward-facing infrastructure for reporting bugs, most developers probably have their own internal system for keeping up with, detailing and cataloguing them. For widely popular software, an attacker may not need to spend time researching their own zero-days. Instead, they can simply hit one of these bug repositories, grab a whole host of vulnerabilities and use them as needed before they are patched.

In this case, Bugzilla got hit because a privileged user account had the same password for Bugzilla as on another site that got hacked. As a result, attackers were able to operate inside Bugzilla undetected for at least a year. They managed to get away with 185 non-public vulnerabilities, of which 10 were unpatched at the time. Given how many users tend not to patch, and that Mozilla is unsure when the attackers first got in, it’s possible many users were vulnerable. In fact, one of the vulnerabilities was exploited widely for a while. In response, Mozilla is implementing steps to shore up security, such as restricting access and requiring two-factor authentication.

Once again, it shows that security can be pretty hard and even systems introduced to better protect users can severely backfire. Given the wealth of information stored within bug repositories on various vulnerabilities, they can become a juicy target for blackhats. Just like major retailers and the recent US government data breaches, the sensitive information means these systems are guaranteed to be attacked at some point. Another major lesson is that if you want good security, not reusing passwords, keeping patched and using two-factor authentication is key.