Tech News
A smart dishwasher has reportedly been found connected to an unsecured web server, giving experts more ammunition to warn about the dangers of IoT devices. A bug report by a security expert alleges that Miele, the manufacturer of the smart dishwasher, ignored the security issue despite having been notified of it, indicating that the smart device may have been left exposed through an unsecured server for months. According to Jens Regel of Schneider & Wulf, Miele's Professional PG 8528 PST10 devices were found to be prone to a directory traversal attack; an unauthenticated attacker may therefore be able to exploit this issue to access sensitive information to aid in subsequent attacks. According to Regel, he was able to get his hands on the embedded system's shadow file, which in turn provided him access to all files on the system. "We are not aware of an actual fix," Regel said. According to Miele's product description page, the Ethernet connection is used to extract text reports from the dishwasher. "The Ethernet interface is the universal solution for data exchange," the description states. "In comparison with other interfaces the user is offered a particularly high level of functionality." However, security experts have reportedly bemoaned such situations, warning about the potential dangers such security flaws could pose, and the IoT security situation is unlikely to get any better any time soon. The price of turning a dumb device into a smart device will be about 10 cents. It is going to be so cheap that vendors will put the chip in anything electronic they produce, even if the benefits are only very small. But those benefits will not be benefits to you, the consumer; they will be benefits for the manufacturers, because they want to collect analytics, and you will probably not even know that it is an IoT device.
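The report above describes the vulnerability class (directory traversal on an embedded web server) but not what the fix or the detection looks like. The following is an added example, not code from the report, from Miele or from the researcher: a path resolver that confines requested files to a web root, rejecting the `..` escapes and percent-encoded variants that traversal relies on, plus a small scanner that flags such requests in access-log lines. The web root `/srv/www` and the log lines are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# A ".." path segment anywhere in the decoded path.
TRAVERSAL_PATTERN = re.compile(r"(^|/)\.\.(/|$)")


def fully_decode(path, rounds=3):
    """Undo percent-encoding repeatedly so that double-encoded
    sequences such as %252e%252e are also reduced to '..'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def safe_resolve(web_root, request_path):
    """Map a URL path onto a file below web_root.

    Returns the normalized absolute path, or None when the request
    would escape the root (traversal), or carries an embedded NUL.
    """
    decoded = fully_decode(request_path).replace("\\", "/")
    if "\x00" in decoded:
        return None  # NUL truncation tricks against C filesystem APIs
    root = posixpath.normpath(web_root)
    prefix = root if root.endswith("/") else root + "/"
    # normpath collapses "a/../b" and leading ".." segments, so the
    # containment check below is done on the fully normalized result.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(prefix):
        return None
    return candidate


# Constructed access-log lines in common log format (not real traffic).
LOG_LINES = [
    '10.0.0.5 - - [27/Mar/2017:10:01:12 +0000] "GET /reports/cycle-42.txt HTTP/1.1" 200 512',
    '10.0.0.9 - - [27/Mar/2017:10:02:30 +0000] "GET /../../../../etc/shadow HTTP/1.1" 200 1034',
    '10.0.0.9 - - [27/Mar/2017:10:02:31 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 2048',
    '10.0.0.7 - - [27/Mar/2017:10:03:00 +0000] "GET /status HTTP/1.1" 200 88',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
IP_RE = re.compile(r"^(\S+) ")


def flag_traversal(log_lines):
    """Return (client_ip, raw_request_path) for every request whose
    decoded path contains a '..' segment."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        raw = match.group(1)
        path = fully_decode(raw).replace("\\", "/")
        if TRAVERSAL_PATTERN.search(path):
            hits.append((IP_RE.match(line).group(1), raw))
    return hits


if __name__ == "__main__":
    for req in ("/reports/cycle-42.txt", "/../../../../etc/shadow", "/%2e%2e/%2e%2e/etc/passwd"):
        print(req, "->", safe_resolve("/srv/www", req))
    for ip, raw in flag_traversal(LOG_LINES):
        print("traversal attempt from", ip, ":", raw)
```

The containment check is done on the normalized path rather than by searching the raw request for `..`, because normalization is what the filesystem will effectively do; a request such as `/reports/../status` stays inside the root and is allowed, while anything that resolves above the root is refused regardless of how it was encoded.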
The dark web has been flooded with millions of accounts from recently compromised vBulletin forums. A hacker using the name Cfnt claimed to have hacked 25 web forums, which were running on outdated versions of the vBulletin software. Among the compromised forums are subagames.com, rappers.in, forums.spybot.info, cashcrate.com, codingforums.com, dcemu.co.uk, asia-team.net, dbforums.com and forums.3dtotal.com. Around 38 million accounts from the 25 hacked forums are now up for sale on a popular dark web marketplace. The hacked forums were all running on vBulletin 4.x, which is vulnerable to SQL injection. The security issue with this version was reported in June 2016, according to vBulletin support forums. A warning to those using older vBulletin versions last year reads: "A security issue was reported to us that affects vBulletin 4. We have released security patches for vBulletin 4.2.2 & 4.2.3 to account for this vulnerability. The issue could potentially allow attackers to perform SQL Injection attacks via the included Forumrunner add-on. It is recommended that all users update as soon as possible. If you are using a version of vBulletin 4 older than 4.2.2, it is recommended that you upgrade to the latest version as soon as possible." Lists of accounts from each of the forums are being sold for around $150. It is highly recommended that users with accounts on such vBulletin forums change their passwords now.
Police in Minnesota want to solve a crime by combing through Google search history. Officers in Edina, a city of around 50,000 people, got a warrant compelling Google to divulge information about people who searched for the name of a financial fraud victim between Dec. 1, 2016 and Jan. 7, 2017. Someone convinced a credit union to wire $28,500 from an Edina man's account by creating a fake passport using the man's name alongside a photo of someone else. In their warrant application, police stated that the fake photo came up when googling the victim's name, but did not come up in other search engines. The warrant for the five-week period compels Google to hand over information regarding anyone who searched the victim's name, including email addresses, Social Security numbers, birthdates, IP addresses and information related to the content the user is viewing or using.
"Disclosure is not currently an option." Rather than share the now-classified technological means that investigators used to locate a child porn suspect, federal prosecutors in Washington state have dropped all charges against a man accused of accessing Playpen, a notorious and now-shuttered website. The case, United States v. Jay Michaud, is one of nearly 200 cases nationwide that have raised new questions about the appropriate limitations on the government's ability to hack criminal suspects. Michaud marks just the second time that prosecutors have asked that a case be dismissed. "The government must now choose between disclosure of classified information and dismissal of its indictment," Annette Hayes, a federal prosecutor, wrote in a court filing on Friday. "Disclosure is not currently an option. Dismissal without prejudice leaves open the possibility that the government could bring new charges should there come a time within the statute of limitations when the government is in a position to provide the requested discovery." The Department of Justice is currently prosecuting over 135 people nationwide whom they believe accessed the illegal website. However, in order to find those people, federal authorities seized and operated the site for 13 days before closing it down. During that period, the FBI deployed a Tor exploit that allowed them to find out those users' real IP addresses. The use of Tor, which obscures and anonymizes IP addresses and browser user agents, makes it significantly more difficult for individuals to be tracked online. With the exploit, it became extremely easy for suspects to be identified and located. The DOJ has called this exploit a "network investigative technique" (NIT), while most security experts have labelled it as malware.
A dark web vendor is reportedly selling over 1 million decrypted Gmail and Yahoo accounts on an underground marketplace. The accounts listed for sale allegedly contain usernames, emails and plaintext passwords. The cybercriminal allegedly selling the accounts is believed to be using the handle SunTzu583. The dark web vendor is allegedly selling 100,000 Yahoo accounts, from the 2012 Last.fm data breach, for 0.0079 bitcoins ($10.75). Another 145,000 Yahoo accounts from the 2013 Adobe breach and the 2008 MySpace hack were also reportedly found listed for sale, for 0.0102 bitcoins. SunTzu583 is also reportedly selling 500,000 Gmail accounts for 0.0219 bitcoins. The accounts allegedly come from the 2008 MySpace hack, the 2013 Tumblr breach and the 2014 Bitcoin Security Forum breach, according to a report by HackRead. Yet another 450,000 Gmail accounts were also listed for sale by the same vendor for 0.0199 bitcoins, from various other data breaches that took place between 2010 and 2016, including Dropbox, Adobe and other big-name hacks. The data has allegedly been checked by matching it against data on popular data breach notification platforms such as HaveIBeenPwned. However, the data listed for sale has not been independently verified as being valid. It has become increasingly commonplace for hackers to sell user accounts from older data breaches on underground marketplaces as a way to make a quick buck. These hacked and stolen accounts are used by cybercriminals to perpetrate other crimes such as identity theft. It is highly advisable that users adopt safe security practices and change their account passwords in the event that their accounts are found to be part of any massive data breach.
LeakedSource, a legally and ethically questionable website that sold access to a database of more than 3.1 billion compromised account passwords, has disappeared amid an unconfirmed report that its operator was raided by law enforcement officers. "Leakedsource is down forever and will not be coming back," a person using the handle LTD wrote Thursday in an online forum. "Owner raided early this morning. Was not arrested, but all [solid state drives] got taken, and Leakedsource servers got subpoenaed and placed under federal investigation. If somehow he recovers from this and launches LS again, then I will be wrong. But I am not wrong." Attempts to reach LeakedSource operators for comment were not successful.