10Fold – Security Never Sleeps – 90

Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.

Big items to consider: Another data set from the 2012 LinkedIn hack, which contains over 100 million LinkedIn members’ emails and passwords, has now been released. Washington US District Judge Robert Bryan has thrown out Mozilla’s request for the security flaw’s details. Cybercriminals can call on an extensive network of specialists for “business” expertise, including people who train and recruit, launder money, and provide escrow services, according to HPE. RunKeeper announced Tuesday that it had found a bug in its Android code that resulted in the leaking of users’ location data to an unnamed third-party advertising service.

117 million LinkedIn emails and passwords from a 2012 hack just got posted online – Publication: TechCrunch- Reporter name: Sarah Perez

As you may or may not recall, given how much time has passed, hackers broke into LinkedIn’s network back in 2012, stole some 6.5 million encrypted passwords, and posted them onto a Russian hacker forum. Because the passwords were stored as unsalted SHA-1 hashes, hundreds of thousands were quickly cracked. Now, according to a new report from Motherboard, a hacker going by the name of “Peace” is trying to sell the emails and passwords of 117 million LinkedIn members on a dark web illegal marketplace for around $2,200, payable in bitcoin. In total, the data set includes 167 million accounts, but of those, only 117 million or so have both emails and encrypted passwords.


Mozilla fails to get the details on the FBI’s malware hack – Publication: Engadget – Reporter name: Mariella Moon

If you’ll recall, the FBI seized the server of a child porn website on the Tor network called Playpen in early 2015. They then used a flaw in the Tor browser, which is based on Mozilla Firefox, to install malware that pointed agents to users’ locations. They nabbed over a hundred people from that sting, including a defendant in one of Bryan’s cases. Mozilla asked for the vulnerability’s details when Bryan ordered prosecutors to disclose the flaw to that defendant’s lawyers.


Cybercriminals are launching their own HR departments – Publication: PC World- Reporter name: Grant Gross

Cybercriminals are increasingly taking a business-based approach toward their activities, with some organizations developing in-house training, disaster recovery, and other business functions, and others contracting for those services in the underground marketplace, said Shogo Cottrell, a security strategist with HPE Security. Cybercrime is maturing as a business model, he added. Some criminal hacking businesses offer 24-by-seven telephone support, others offer money-back guarantees on their products, Cottrell said.


RunKeeper acknowledges location data leak to ad service, pushes updates – Publication: Ars Technica – Reporter name: Cyrus Farivar

Like other Android apps, when the Runkeeper app is in the background, it can be awakened by the device when certain events occur (like when the device receives a Runkeeper push notification). When such events awakened the app, the bug inadvertently caused the app to send location data to the third-party service.