Google stored G Suite passwords in plaintext, apologises


Google says a small number of its enterprise customers mistakenly had their passwords stored on its systems in plaintext.

If you have a Google account, Google's core sign-in system is designed not to know your password.
The search giant disclosed the exposure Tuesday but declined to say exactly how many enterprise customers were affected. “We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed,” said Google vice president of engineering Suzanne Frey.

The company said that only G Suite enterprise customers were impacted, but not regular Gmail accounts.

The tech giant said it had notified G Suite administrators to change the impacted passwords.

Google on Wednesday extended an apology to its G Suite customers.

"We apologise to our users and will do better," she added.

Most G Suite customers are companies that signed-up for enterprise versions of Gmail, Google Docs, Google Sites, Google Drive, and Google's various other services.

No consumer Gmail accounts were affected by the security lapse, said Frey.

Storing passwords without cryptographic hashes expose them to hacking risk as they become readable.

Passwords are typically scrambled using a hashing algorithm to prevent them from being read by humans. G Suite administrators are able to manually upload, set and recover new user passwords for company users, which helps in situations where new employees are on-boarded. But Google said it discovered in April that the way it implemented password setting and recovery for its enterprise offering in 2005 was faulty and improperly stored a copy of the password in plaintext.

Google has since removed the feature.

Google said the bug at the heart of this security breach was an old tool it developed back in the 2000s.

"The tool (located in the admin console) allowed administrators to upload or manually set user passwords for their company's users," the company said today.


Bitcoin hacker steals money and passwords from Dark Web users, jailed

Blockchain and cryptocurrency related crimes are something heard about in a very scarce quantity. But this week, a 37 year-old man in the US has been sentenced to one year and one day in prison for fraud in connection with a Bitcoin $BTC▲2.4% phishing scheme designed to rob victims of their cryptocurrency.

Michael Richo was allegedly running an elaborate bitcoin phishing scheme, all with the purpose of stealing confidential information from unaware victims, including various sums of cryptocurrency which they held.

Richo, of New Haven, was also ordered to forfeit $352,000 in cash, various computers and electronic devices, such as digital and hardware-based wallets, which contained a vast array of different precious metals and virtual coins that he purchased with the proceeds of his offense.

It was during the trial that evidence, such as court documents from the trial in question, as well as supplementary statements, illustrate just where Richo was going in order to target individuals for his Phishing attacks – The Dark Web.

Per court documents associated with Richo’s case, he will be subject to three years of supervised release once he’s out of prison. His operation involved targeting individuals on the dark web using marketplaces.

He did so by posting fake links to online marketplaces on dark web forums. Once users clicked on them, these links would then direct users to fake login pages that resembled the real login pages for various dark web marketplaces. Once the victim entered his credentials, the hacker would steal them. He would then monitor the individual’s Bitcoin balance at the real marketplace and would withdraw the coins once the person deposited the funds. He would then either deposit the funds directly to his bitcoin wallet, or sell them on cryptocurrency exchanges for US dollars. The US dollars obtained as a result were deposited into bank accounts under his control or provided to him through Green Dot Cards, Western Union transfers, and MoneyGram transfers.

The dangers of default passwords : Routers use default 'password'


A hacker with twitter handle SuperSl1nk has discovered a security flaw in the Router's web admin interface. The famous organization left their router password as default one.  The worst part is that the default password is 'password'

"The dangers of default passwords is a critical vulnerability that unfortunately touches a lot of school, business, government and other ... The developpers are not aware of the danger or repercussion that this may have on the entire system." The hacker said in the leak.

"I can publish a little of my results. Only for Lesson ! :p"

The list of affected network includes BellSouth.net (U.S.A), Imagination (U.S.A),
Hotwire Communications (U.S.A), Capital Market Stragies L (U.S.A), University of Maryland Baltimore County (UMBC U.S.A), U.S. Network (U.S.A), LG DACOM Corporation (Korea).

Other affected networks : Harano Telecom (Korea),SK Broadband Co Ltd (Korea) ,Korea Telecom (Korea) , Infrastructure EM (Denmark) , Bahnhof Internet AB (Sweden), Intelligente Office (Canada), Wightman Telecom (Canada).

"@EHackerNews I've seen much worse, but I did not publish everything, I have access to ISP, Telecom, Gov, Military, Big Company... " In a tweet hacker replied to EHN.

All of the affected network has the same password to sign in to the interface .  Yes it is 'password' .  

http://pasteit.com/19643

Browser Event Hijacking allows hacker to steal your password

Browser Event Hijacking

Be careful what you type on your web browser.  Hacker can hijack search command in browser and steal your password or any other sensitive data by social engineering attack.

The hacking method has been possible for years , but now two POCs has been published that demonstrate how an attacker can lure victims to give their password.

Browser Event Hijacking:

The hacker can hijack the browser event by using 'preventDefault' method on JavaScript, that cancels an operation while allowing all remaining handlers for the event to be executed. For Eg: if you press Ctrl+F , hackers can display their own search box instead of the browser search box.

The hack was initially posted here:
http://labs.neohapsis.com/2012/11/14/browser-event-hijacking/

A simple code that hijacks the browser event and steal password :
$(window).keydown(function(evt){
                if((evt.which == "70" && (evt.metaKey || evt.ctrlKey))){
                        console.log("STRG+F");
                        evt.preventDefault();
                        /* display fake search */
                        $("#searchbox").slideDown(110);
                        $('#search').focus();



Then another researcher rebuild the POC with a fake list of leaked passwords. So someone just presses CTRL+F in his browser and types his password to look if it is leaked ,become victim.

The POC :
http://h43z.koding.com/blog/leaked.html

If you search for any keywords in the page, it will lure you to believe there is password with your search string.