Security researchers have uncovered a recent distributed denial-of-service (DDoS) attack that used at least 162,000 WordPress-powered websites to knock another site offline.
The technique made it possible for an attacker with modest resources to greatly amplify the bandwidth at its disposal. By sending spoofed Web requests crafted to appear to come from the target site, the attacker tricked the WordPress servers into bombarding the target with more traffic than it could handle. Besides causing such a large number of unsuspecting sites to attack another one, the attack is notable for targeting XML-RPC, a protocol that sites running WordPress and other Web applications use to provide services such as pingbacks, trackbacks, and remote access for some users.
Researchers from security firm Sucuri recently counted more than 162,000 legitimate WordPress sites hitting a single customer website. They suspect they would have seen more if they hadn't ended the attack by blocking the requests.
Security researchers have developed a password storage system that uses inexpensive hardware to prevent the cracking of passwords—even the most common and weak ones such as "123456," "password," and "letmein."
The S-CRIB Scrambler adds a layer of protection on top of the methods many websites already use to prevent mass account compromises when a password database is exposed during a site breach, according to a post published Friday on the University of Cambridge's Light Blue Touchpaper blog. Rather than relying solely on a one-way cryptographic hash to represent plaintext passwords, the small dongle performs an additional operation, a hash-based message authentication code (HMAC). The secret 10-character key used to generate the HMAC resides solely on the dongle. Because it is not included in the password tables stored on servers, the key can remain secret even in the event of a major security breach.
The new method comes amid twin epidemics of website security breaches that spill password databases and a large percentage of end users who use "princess," "123abc," and other easily guessed passcodes to safeguard their accounts. Like a similar approach unveiled last year that uses a hardware security module to encrypt hashed passwords, it is designed to make it much harder for attackers to guess the plaintext corresponding to the hashes in a leaked database. Even if a hacker gains access to hashes protecting "123456" or other extremely weak passwords, there is no way to crack them.
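The HMAC layer described above, as an added Python illustration that is not the S-CRIB project's own code: the dongle is simulated by a function holding a constructed key, and the same weak-password list is run against a conventional salted-hash record and against an HMAC-protected one, with and without the key.

```python
import hashlib
import hmac

# Constructed stand-in for the dongle's 10-character secret; in the real design
# the key never leaves the hardware. Hypothetical value for this example only.
DONGLE_KEY = b"Kq7!zR2#pL"

WEAK_PASSWORDS = ["123456", "password", "letmein", "princess", "123abc"]


def dongle_hmac(password, key):
    """The dongle step: HMAC-SHA256 of the password under the hardware-held key."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()


def store_plain(password, salt):
    """Conventional salted hash, the kind found in a leaked password table."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def store_with_dongle(password, salt, key=DONGLE_KEY):
    """Salted hash of the dongle's HMAC output; the key itself is never stored."""
    return hashlib.sha256(salt + dongle_hmac(password, key)).hexdigest()


def verify_with_dongle(password, salt, stored, key=DONGLE_KEY):
    """Login check: recompute through the dongle and compare in constant time."""
    return hmac.compare_digest(store_with_dongle(password, salt, key), stored)


def crack_plain(stored, salt, wordlist):
    """Offline guessing against a plain salted hash needs only the leaked salt."""
    for guess in wordlist:
        if store_plain(guess, salt) == stored:
            return guess
    return None


def crack_with_guessed_key(stored, salt, wordlist, key_guess):
    """Same guessing against the dongle scheme: the attacker must also supply
    the key, which is absent from the leak, so a wrong key matches nothing."""
    for guess in wordlist:
        if store_with_dongle(guess, salt, key_guess) == stored:
            return guess
    return None
```

The key becomes a single point of failure in the other direction as well: losing it invalidates every stored record, so it needs its own backup and protection.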
Following the MtGox Bitcoin exchange losing millions to a hack and filing for bankruptcy, anonymous attackers took over the personal blog and reddit account of MtGox CEO Mark Karpeles on Sunday. After seizing control, the hackers posted a message (on Pastebin) to the two spaces detailing their findings and the reasoning behind the attack.
"It’s time that MTGOX got the bitcoin communities [sic] wrath instead of Bitcoin Community getting Goxed," the message reads. "This release would have been sooner, but in spirit of responsible disclosure and making sure all of ducks were in a row, it took a few days longer than would have liked to verify the data... Included in this download you will find relevant database dumps, csv exports, specialized tools, and some highlighted summaries compiled from data. Keeping in line with fucking Gox alone, no user database dumps have been included."
Forbes reports the 716 megabyte file placed on Karpeles' site included items like his home address, CV, and an Excel spreadsheet that seems to document more than a million trades. But the most interesting piece of information shared is a summary of 18 different currency balances—with 951,116 bitcoins listed. In light of the 850,000 bitcoins supposedly lost in the recent attack, the hackers concluded this figure demonstrates fraud. The footnote reads, "That fat fuck has been lying!!"