Quoted on SecurityWeek.com over the 32,8 M Twitter accounts leaked

Source: http://www.securityweek.com/32-million-twitter-credentials-emerge-dark-web
Author: Ionut Arghire, Security Week

The cybercriminal behind the claimed Twitter leak is the same hacker who was previously attempting to sell stolen data from Myspace, Tumblr and VK user accounts, namely Tessa88@exploit.im. The Twitter credentials have already made it online on paid search engine for hacked data LeakedSource, which says it received a total of 32,888,300 records, each containing user’s email address, username, possibly a second email, and a password. [..]

What is yet unclear is how old the supposedly leaked data is, since LeakedSource doesn’t provide specific details on that, although they do suggest that some credentials might be only a couple of years old. Furthermore, IT Security expert Sorin Mustaca tells SecurityWeek that the manner in which these credentials were stolen isn’t that clear either.

“Interesting enough, Leakedsource writes that they have “very strong evidence that Twitter was not hacked”, rather the users got infected with some malware which stole credentials directly from the browsers of any account, not only Twitter’s,” Mustaca says. “However, there is no clear evidence presented that this is indeed the case. Their explanation for malware stealing credentials from browser is not entirely valid.”

Although malware that targets browsers to steal user…

Quoted in SecurityWeek.com on the Myspace.com leak

Ionut Arghire of SecurityWeek wrote a very good article about the potential breach of Myspace.com: 427 Million MySpace Passwords Appear For Sale and I was quoted a lot! Thanks, Ionut!

I wrote more extensively about what I think of this leak: Myspace.com was apparently hacked, 360Mil accounts on sale and nobody knows any details

There are many things that aren’t right with this breach. Read the article above…

Another question, after reading the above article: how come that Troy Hunt didn’t get it? Maybe because it is only available for money?

The data hasn’t been tested at all and according to Troy’s article it is not valid data:

- no sql dump
- Too many yahoo.com and hotmail.com email addresses

  1  @yahoo.com    126,053,325
  2  @hotmail.com  79,747,231

  According to Troy, Gmail should be the top email provider these days (and also 3 years ago)
- Partial username, partial email address, partial password -> can it get worse than this?

More on the hype behind OpenSSH flaw that could leak crypto keys

Richard Adhikari wrote a good overview about the “OpenSSH Flaw Could Leak Crypto Keys” on the LinuxInsider.com website. I got quoted:

The flaws are not dangerous, security consultant Sorin Mustaca said.

“In order to exploit this vulnerability, an attacker must convince its target OpenSSH client to connect to a malicious server — an unlikely scenario — or compromise a trusted server and install a special build of the OpenSSH server having roaming activated,” he told LinuxInsider.

The second option “is possible but also unlikely to happen.”

If hackers compromise a server to the degree that they can replace OpenSSH, for which they need root access, “it would be better for them to insert their own private keys and have access to the server directly rather than stealing someone else’s private key,” Mustaca remarked.

Even if a private key is stolen, the thief has to figure out where else it’s being used.

“OpenSSH did very well by fixing these issues,” Mustaca observed.

This news is an example of how to create FUD – Fear Uncertainty and Doubt. The marketing department of Qualys, which is a very respected company, exaggerated the effects of the vulnerability they found. I am pretty sure that…

Quoted in Tech News World: Paris Attacks Deepen Encryption Debate

Paris Attacks Deepen Encryption Debate
By Richard Adhikari
Nov 18, 2015 5:00 AM PT

ISIS has threatened to attack the United States and continue its reign of terror elsewhere in the world, so an argument could be made that the high-tech industry would serve the greater good by agreeing to weaken encryption.

“No, it should not,” maintained security expert Sorin Mustaca. “There has to always be somebody who controls those that control everyone else. The day when security companies give in to those demands is the day there’s no privacy for everyone,” he told TechNewsWorld.

Additional comments not in the article:

Weakening encryption is not helping to fight terrorism. There is too much data out there and even if everything were plain text they would still not be able to detect discussions about a planned attack. It is like searching for an exotic fish in an ocean. The usual fish is plain text, the data you are looking for is the exotic colored fish. The fact that the exotic fish is hiding (data is encrypted) doesn’t make much of a difference, does it?

Quoted in ECommerceTimes: Gmail to Warn Users of Unencrypted Email

Gmail to Warn Users of Unencrypted Email
Author: Richard Adhikari

Quotes:

The warning “will help in cases where hackers try to perform DNS poisoning while trying to infect or phish users visiting well-established websites,” security consultant Sorin Mustaca said.

Going with TLS is not necessarily the answer because “many emails would not reach their destination if the destination servers don’t support TLS,” security consultant Mustaca told the E-Commerce Times.

Emails continue to be delivered because of opportunistic encryption. “Servers first try to establish a TLS connection and, if they don’t succeed, they continue communicating on unencrypted connections,” he explained.


ENCRYPTION IS NOT SOLVING ALL CYBERSECURITY PROBLEMS

Sorin Mustaca, CSSLP, shares his thoughts from a recent Frankfurt-based automotive show on the overreliance of the car industry on Encryption, noting “…all those lights are sensors and processors which communicate with each other via the CAN BUS (Controller Area Network). If one of them is compromised, it will send invalid data to the others and the consequences are unpredictable. The data will leave the car encrypted and will be decrypted on destination, but the information is compromised.”

What you need to know about the “Hacking Team” which was hacked (and I was quoted)

My good friend Richard Adhikari wrote a very good article about this incident yesterday. Read it here: Hacking Team’s Dingy Laundry Hung Out Online

Here is where I get quoted as founder of Sorin Mustaca IT Security Consulting:

A Black Bag Job?

“It could be that some government agency who’s a customer of Hacking Team decided to discredit them and force them to close their doors,” said Sorin Mustaca, founder of Sorin Mustaca IT Security Consulting.

“These special customers don’t like to leave traces of their acquisitions,” he told the E-Commerce Times.

Here are additional comments:

Apparently, on Sunday night many people managed to download the content from bittorrent (before it was taken down). The reports speak of confirmations of selling intrusion tools to various regimes and contract documents with some of their customers.

Here is the list of countries:

Please enjoy this list of @hackingteam's customers from their Wiki. Kazahkstan! Sudan! Russia! Saudi Arabia! pic.twitter.com/xdKGiRFV6f
— Eva (@evacide) July 6, 2015

Surprised to see Germany among the list of customers? Edward Snowden already warned of this, so this can be seen as a cross verification with other sources and not as a brand new piece of news….

Comments on Privacy for “Data Privacy Day 2015”

My comments on Data Privacy Day 2015: Top Experts Comment on Privacy Issues (+Infographic) from http://www.cloudwards.net.

Our society has become digitally connected in a very short time and consumers didn’t have the time to understand the implications of data privacy on their lives. We can be sure that every provider of an online service is doing everything legally possible to obtain maximum information about its users. This is person-related information, as well as information that the user is voluntarily (or not) sharing with others in online platforms.

Because many people don’t take their online actions seriously or don’t understand the consequences, they tend to act differently in their online life than in their offline life.

If I had to give just two pieces of advice that one should remember about privacy, they are:

- When online, don’t tell or share with anyone something that you wouldn’t also tell them out loud in a room full of people listening. It sounds scary? Think that re-sharing your comment with the entire world is usually one click away.
- Once you publish or upload something online, independent of your security and privacy settings, it doesn’t belong just to you alone anymore. It also belongs to the provider of…

Quoted in Technewsworld.com: Botnet Twists the Knife in iCloud Security

Author: Richard Adhikari
Article: Botnet Twists the Knife in iCloud Security

Reduce, Reuse, Recycle

For the record, though, “Waledac and Kelihos both send spam, and this is the reason for the confusion,” IT security expert Sorin Mustaca told TechNewsWorld. Both use email to spread but in different ways.

The same group of cybercriminals may have created the code for these worms, because “there aren’t that many cybercriminals who can create a complex piece of software,” Mustaca suggested. “This is just using the old Kelihos [worm] with a new email payload.”

Fixing the Problem

Symantec reiterated well-known practices users can follow to protect themselves: Be suspicious of messages claiming your account has been restricted or needs updating; be wary of links in emails; don’t provide personal information when replying to emails; don’t enter personal information in pop-up pages or windows; and use comprehensive security software.

“This is not Apple’s problem directly,” Mustaca said. “However, they could enforce two-factor authentication and take other steps. Usability drops when you want to make a process more secure, so they need to experiment.”
