Las Vegas Sands Casino Websites Restored a Week After Hacking

 

Las Vegas Sands Corp. has restored its websites a week after hackers defaced them.

Casino giant Las Vegas Sands Corp. has restored its websites a week after they were hacked.

The Las Vegas-based company pulled down its sites Feb. 13 after hackers defaced them with images condemning comments CEO Sheldon Adelson had made about using nuclear weapons on Iran.

Sands restored the websites Monday afternoon. Spokesman Ron Reese says the company first became aware of the hacking on Feb. 12, when company email went down.

The hacking affected Sands' corporate website, as well as the sites for casinos in China, Singapore, Bethlehem, Pa., and the Italian-themed Venetian and Palazzo on the Las Vegas Strip. Sands owns the world's largest casino, in the Chinese gambling enclave of Macau.

The company's net income was $2.31 billion last year.

Reese didn't say whether internal systems were also operating again.

2014 – The year of the hacker?

The dramatic increase in the number of security attacks and the sophistication of the cyber criminals masterminding them means there is a critical need for businesses to take a more radical approach to their information security.
2013 saw a surge in high-profile security attacks and data breaches – with the likes of Facebook, Twitter, Microsoft and Apple all suffering at the hands of cyber criminals.
Indeed, research commissioned by the Department for Business, Innovation and Skills last year found that 93 per cent of large businesses in the UK suffered a computer security breach in the previous 12 months, while 87 per cent of small businesses also suffered attacks.
This should be a massive cause for concern for any security professional, but the more worrying problem is that 70 per cent of these security breaches often go undetected for between two and 12 months. Furthermore, attackers typically sit in a network for three to four months before they extract data – by which time, they may know the systems better than even the company itself.

Raising awareness

With this in mind, it is absolutely vital that companies rigorously test their systems and closely monitor their networks. A large percentage of data breaches can be avoided through improved education of employees, users and customers yet less than one per cent of security budgets goes on education.
Using ethical hackers and network testing experts will help companies to discover existing flaws within their systems, while also detecting human-made errors.

Ethical hacking

This ethical hacking approach helps businesses gain invaluable insight into security holes that may exist in their defences today.
Penetration tests and network security testing can simulate threats from both internal and external sources to identify flaws exposed through internet gateways, servers and firewalls, and evaluate the security behaviour of interactive websites and web applications.
Many businesses may look at the names involved in high-profile attacks and the staggering stats surrounding the growing rate of cybercrime and think 'if those guys are getting hacked, then it's inevitable that we will too.' But the good news is that this doesn't have to be the case.
To get a head start in minimising the impact of cybercrime it is imperative that businesses test their systems from the perspective of the hacker.
With the number of threats increasing by the day and the sophistication of hacker's methods, it is more critical than ever that organisations take a different approach to protecting their users, their systems and their data.

• Simon Godfrey is Sales Director, Security Practice at MTI with over 15 years experience in the EMEA security market helping organisations implement effective information security, risk and compliance programmes.

Kickstarter hacked, user data stolen

Hackers hit crowd-funding site Kickstarter and made off with user information, the site said Saturday.
Though no credit card information was taken, the site said, attackers made off with usernames, e-mail addresses, mailing addresses, phone numbers, and encrypted passwords.
"Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one," the site said in a blog post, adding that "as a precaution, we strongly recommend that you create a new password for your Kickstarter account, and other accounts where you use this password."
The site said law enforcement told Kickstarter of the breach on Wednesday night and that the company "immediately closed the security breach and began strengthening security measures throughout the Kickstarter system." The site also said "no credit card data of any kind was accessed by hackers" and that "there is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts."
You can read additional information about resetting a password here. We've contacted Kickstarter for more info on the attacks and will update this post when we hear back.

Two students held for hacking, Rs 8 lakh fraud

JAIPUR: After carrying out a two-and-a-half months-long technical investigation, the cyber crime police station arrested two Information Technology (IT) students from Shimla for hacking Data Infosys e-processing system and fraudulently recharging BSNL's pre-paid mobile phones worth Rs 8 lakh. The students used a cyber cafe to hack into the Data Infosys's website.

The youths, Kulshrestha Varma and Hardik Sud, both 19-years-old, are second year students of APG University's IT department in Shimla, police said. They suspect involvement of several other people in the crime.

DySP, cyber crime, Rajendra Sharma told TOI that one Yogesh Gupta, a representative of Data Infosys, lodged an FIR on December 3 in this connection. "Gupta said Data Infosys runs an e-commerce set-up to recharge pre-paid mobile connections of BSNL," said Sharma.

In November, the company found during an audit that someone hacked into its website and fraudulently recharged prepaid mobile phones. The several recharges were worth nearly 8 lakh. The police said that more then 500 mobiles were recharged.

"We registered an FIR and began investigating the case. It came up that the hacking had taken place from a cyber cafe. A team went to Shimla to investigate the matter and seized records from the cycer cafe. The involvement of several people including these two students came up. We have arrested the duo and brought them to Jaipur on a transit remand," said the officer.

The officer said that it took the police almost 75 days to crack the case as a lot of technical investigation was involved. "It came up that the two students obliged several people besides recharging mobiles of other on discounted rates," said the officer.

Second Android signature attack disclosed

 

Chinese security bloggers have disclosed an alternative to Bluebox's Android signature attack. Although the attack is different in its execution, it does the same basic trick of fooling Android's APK-reading routines into thinking an APK has been properly signed by using a copy of correctly signed data in one location but tricking the system into running an unsigned modified version of that data stored in another location. The Bluebox approach exploited a flaw that allowed two copies of the same file to be present in a ZIP archive.
The new Chinese attack works instead by modifying the classes.dex file which contains an application's compiled code within the APK file. That file's header includes a variable-sized space between the header, which includes the file name with a .dex extension and the class files for an "extra field". It is into the last three characters of the file name and the extra field that the original class files are copied, with the length of the extra field set to 0xFFFD.


After this, padding is added and then the attackers' own class files can be included. When validating, a bug in the reading code means that 0xFFFD is converted to -3 and the validation takes places starting at the "dex" part of the file name extension which also happens to be the opening header of the dex file format. When being loaded though, the reading code follows 0xFFFD correctly and reads the modified code.
The flaw exploits a confusion between short and int types and has been given the bug id 9695860. The nature of the problem does mean, though, that it only works for classes.dex files that are less than 64K in size. The problem has been corrected with a patch which simply forces all values to be unsigned.
The patch, along with the fix for the Bluebox flaw, has already been deployed in the latest versions of CyanogenMod 10.1.2 and the team are looking at addressing the same problems in CM7 and CM9. For Google, though, the problem is the same as with the Bluebox issue; how to get phone manufacturers to ship out firmware updates that will correct both issues, not only in new editions of Android but in older versions, as these problems date back to early Android versions, as far back as Android 1.6.

Neighbor banned from Web after naked man shows up at woman's house

Jason Willis, prankster. (Credit: TMJ4 screenshot by Chris Matyszczyk/CNET)

He thought it was funny.
He was alone in that.
Back in 2012, Jason Willis of Racine County, Wisconsin, thought it would be funny to take out personal ads on Craigslist in his neighbor's name. Now he's going to find it hard to place a Craigslist ad to sell his furniture.
His neighbor is a woman. The ads were sex solicitations. Men came to her door, one dressed as nature intended.
The woman wasn't amused. Under the pseudonym "Dawn," she told TMJ4-TV: "His idea of a joke is much different than other people's idea of a joke."
"Dawn" had no idea that this was a joke at all, until one of the men who appeared at her door, unannounced, told her that he'd got her particulars from a Craigslist ad.
He'd seen her picture. Now here he was, clad only in a trench coat.
This Craigslist-based "joke" has been around for a while. A number of people, seeking merely humor or a twisted form of revenge, have run ads purporting to be from neighbors or friends.
In one Connecticut case, the ad was headlined: "Sex partner wanted."

In the Wisconsin case, Willis was charged with felony identity theft but pleaded guilty to misappropriating identity information to harm someone's reputation, according to Racine's Journal Times. He was sentenced to 18 months in prison and then another 18 months of extended supervision, the Journal Times reported, but the judge said the prison time won't kick in unless he violates the terms, which include a ban on using the Internet during that time.
Racine County Circuit Court Judge Allan "Pat" Torhorst told TMJ4: "If you want to drive drunk, you're not allowed to drive. To me, a public availability of the Internet -- to use it the way he did -- is unconscionable. Everybody knows it's wrong. He knew it was wrong. He admitted it."
It's hard to imagine how this might be enforced. He can surely use a friend's computer, go to an Internet cafe, or even use someone's phone. Cutting someone from the Web isn't so simple.
And what of "Dawn"? She told TMJ4 she would have felt safer if Willis had gone to jail.
Willis has 30 days to disconnect from the Web. If not, off to prison he'll go.
He might not find that funny at all. Prisons are known for the proliferation of unwelcome gentleman callers.

Hackers hit Tesco as over 2,200 accounts compromised

A Tesco virtual store in a South Korea subway station.

Tesco, an international supermarket chain, has been forced to deactivate online customer accounts after hackers took aim at its systems.
The company confirmed to The Guardian on Friday that over 2,200 of its accounts were compromised. Interestingly, it's believed that the hackers didn't actually break into its systems, but instead used data collected from other hacks to see if they could get any hits. The affected accounts used the same username and password combination as those in previous hacks, allowing the hackers to break in.
Rather than snoop around, however, the hackers posted the compromised accounts online, giving both personal details and usernames and passwords.
The Tesco hacks comes just a couple of months after a massive data breach at Target left up to 110 million people with personal information open to hackers. Target is still investigating that breach and has closed down the gaps that allowed the hackers in. Still, it's possible that the data leaked to the Web by those hackers is being used in a fashion similar to the way Tesco data was stolen.
According to Tesco, it has contacted the affected customers. The company has not said when the online accounts will be reactivated.

Syrian Electronic Army slurps a MILLION reader passwords from Forbes

Forbes.com has become the latest media outlet to fall to an attack by the Syrian Electronic Army (SEA) with the account records of more than a million people swiped.
A database containing email address and password combinations for 1,071,963 accounts was dumped online by the hacktivisits – including the records for Forbes contributors.

<SCRIPT language='JavaScript1.1' SRC="https://ad-ace.doubleclick.net/adj/N5716.290927.AFFIPERF.COM52/B8022822.4;sz=300x250;u=2865928195956654476;ord=2865928195956654476;click=http://pixel.mathtag.com/click/img?mt_aid=2865928195956654476&mt_id=674491&mt_adid=117400&mt_sid=350153&mt_uuid=5301f956-692c-9777-e06e-2826647bf324&mt_3pck=http%3A//beacon-us-east.rubiconproject.com/beacon/t/3e6bf26f-f9b0-4899-bea0-fcff77342aac/&redirect="></SCRIPT><NOSCRIPT><A HREF="http://pixel.mathtag.com/click/img?mt_aid=2865928195956654476&mt_id=674491&mt_adid=117400&mt_sid=350153&mt_uuid=5301f956-692c-9777-e06e-2826647bf324&mt_3pck=http%3A//beacon-us-east.rubiconproject.com/beacon/t/3e6bf26f-f9b0-4899-bea0-fcff77342aac/&redirect=https://ad-ace.doubleclick.net/jump/N5716.290927.AFFIPERF.COM52/B8022822.4;sz=300x250;u=2865928195956654476;ord=2865928195956654476?"><IMG SRC="https://ad-ace.doubleclick.net/ad/N5716.290927.AFFIPERF.COM52/B8022822.4;sz=300x250;u=2865928195956654476;ord=2865928195956654476?" BORDER=0 WIDTH=300 HEIGHT=250 ALT="Advertisement"></A></NOSCRIPT>

Although the passwords were one-way encrypted, the publisher strongly urged its readers to change their login secrets. The team added:

The email address for anyone registered with Forbes.com has been exposed. Please be wary of emails that purport to come from Forbes, as the list of email addresses may be used in phishing attacks. We have notified law enforcement. We take this matter very seriously and apologize to the members of our community for this breach.

Just how exactly did Forbes protect its punters' passwords? After looking through the data, Sophos reckoned the site stored the information in the PHPass Portable format: each password and a random 6-byte salt were together run through the MD5 algorithm to generate a hash, and 8,192 iterations of MD5 were performed on the hash and the password. The final result was saved to the database.
Users with particularly trivial passwords will be vulnerable to a dictionary attack; although the use of salt will slow down a miscreant, MD5 is hopelessly weak. The attackers can, say, combine the password “123456” with a particular user's salt and quickly generate a hash to check against that user's database entry. If it matches, the password is revealed; if not, try again with another similarly crap password.
Now that the data is out there, people who used their Forbes.com email address and password combination to log into various other websites are at risk of losing control of multiple web accounts.
"It took about an hour, using one core of a vanilla laptop, to crack close to one-quarter of the passwords of the 500 or so Forbes employees in the database," said Sophos' Paul Ducklin.
"Astonishingly, 73 Forbes staffers (more than one-eighth of the list) had chosen a password consisting of their company's name, Forbes, followed by zero to four digits. 1 and 123 were the most common suffixes.”
Three online articles were defaced by the SEA as proof it carried out the database raid, and at the time of writing, Forbes' blog sites remain out of action.

Google buys sound authentication firm SlickLogin

SlickLogin showcased its technology at the TechCrunch Disrupt event last year. Google has acquired SlickLogin - an Israeli start-up behind the technology that allows websites to verify a user's identity by using sound waves.

It works by playing a uniquely generated, nearly-silent sound through computer speakers, which is picked up by an app on the user's smartphone.
The app analyses the sound and sends a signal back to confirm the identity.
The technology can be used either as a replacement for a password or as an additional security layer.
SlickLogin confirmed the acquisition on its website but did not provide any financial details of the deal.
"Today we`re announcing that the SlickLogin team is joining Google, a company that shares our core beliefs that logging in should be easy instead of frustrating, and authentication should be effective without getting in the way," the firm said in a statement.
"Google was the first company to offer two-step verification to everyone, for free - and they're working on some great ideas that will make the internet safer for everyone."

Secure logins

Many firms, especially those in sectors such as financial services, have been adopting a two-step verification for users.

The steps include matching the user name and the password plus a second layer of verification.
In some cases, such as online payments, companies message the user a one-time Pin on the mobile phone number associated with their account. The user then enters the Pin within a stipulated period of time to verify his or her identity.
Some other companies, like banks, issue special gadgets that generate unique codes. Users need to enter these codes to authenticate their login.
Analysts said that while these methods has been working, firms were keen to use even more secure ways to protect their users against any data theft.
"The more uniquely a technology identifies the user, the safer the system would be against any potential hacks," Sharat Sinha, a vice president with Palo Alto Networks, a firm specialising in enterprise security told the BBC.
"The problem with one-time Pins is that if someone hacks into your account, they can change the mobile number associated with it.
"Meanwhile, specialised hardware devices provided to users are something they need to carry with them all the time," he said.
Mr Sinha added that firms were looking for technology that is not only unique and highly secure, but also convenient to use.
"And anything that uses smartphones makes life easier for the users."