Have I Been Pwned goes open source, bags help from FBI • The Register

In brief The creator of the Have I Been Pwned (HIBP) website, which alerts you if it turns out your credentials have been swiped and leaked from an account database, has open sourced the project’s internals.

Troy Hunt set up HIBP in 2013, and the dot-com is now said to be getting a billion requests a month. Last year, the man Down Under announced plans to make key portions of the system open source for others to pick up, use, and improve. Now the Pwned Passwords code base is available from GitHub under a BSD three-clause license.

Hunt also said the FBI has offered to feed known compromised passwords into HIBP.

“Their goal here is perfectly aligned with mine and, I dare say, with the goals of most people reading this: to protect people from account takeovers by proactively warning them when their password has been compromised,” he said.

In addition to the code, there’s also a 3D print schematic of the HIBP logo if that interests you.
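To make the "warn people when their password has been compromised" idea concrete, here is an added example that is not part of The Register's article nor HIBP's own code: a registration-form check that mirrors the public Pwned Passwords range-query scheme (SHA-1 the password, send only the first five hex characters, match the remaining 35 characters locally against the returned suffix list). The range response below is constructed sample data embedded inline so the snippet runs offline; the breach count attached to the known suffix is made up, and the other suffixes are filler.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Constructed sample data for this example (not a real HIBP response).
# The live service answers a five-character prefix with every matching
# 35-character suffix and how many times it was seen, one per line.
SAMPLE_RANGES: Dict[str, str] = {
    # SHA-1("password") = 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\r\n"  # count is constructed
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"         # constructed filler
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:1\r\n"         # constructed filler
    ),
}


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix sent to the
    service and the 35-char suffix that never leaves this process."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse SUFFIX:COUNT lines into a dict; tolerate CRLF and blank lines."""
    matches: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        matches[suffix.upper()] = int(count)
    return matches


def fetch_range(prefix: str) -> str:
    """Stand-in for the HTTPS call; returns the constructed sample or nothing."""
    return SAMPLE_RANGES.get(prefix, "")


def pwned_count(password: str) -> int:
    """How many times the password's hash appears in the breach corpus."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def reject_if_pwned(password: str) -> Optional[str]:
    """Policy hook for a sign-up or password-change form: None means accept."""
    n = pwned_count(password)
    if n:
        return f"This password has appeared {n} times in known breaches; choose another."
    return None


if __name__ == "__main__":
    for candidate in ("password", "a-long-unique-passphrase-of-my-own"):
        print(candidate, "->", reject_if_pwned(candidate) or "accepted")
```

The point of the split in `sha1_prefix_suffix` is that the service only ever learns a prefix shared by hundreds of hashes, so it cannot tell which password was checked, while the form still gets an exact answer. The returned count is what a site can feed into policy: reject outright, or force a reset on next login for an existing account.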

New DRAM still susceptible to Rowhammer

Google’s Project Zero last week detailed Half-Double, a new Rowhammer-like technique for altering memory that application code shouldn’t otherwise be able to affect – which can lead to privilege escalation and other bad outcomes.

Rowhammer attacks usually involve repeatedly writing to one memory address to change bits in nearby RAM cells. Half-Double, developed by Salman Qazi, Yoongu Kim, Nicolas Boichat, Eric Shiu and Mattias Nissler, can, simply put, flip bits in RAM further away from the hammered row.

“Traditionally, Rowhammer was understood to operate at a distance of one row: when a DRAM row is accessed repeatedly, bit flips were found only in the two adjacent rows,” Team Google explained. “However, with Half-Double, we have observed Rowhammer effects propagating to rows beyond adjacent neighbors, albeit at a reduced strength.”

The Googlers disclosed this info because they believe “it significantly advances the understanding of the Rowhammer phenomenon, and that it will help both researchers and industry partners to work together to develop lasting solutions” to protect systems from malware and rogue users that seek to use Rowhammer effects to hijack computers.

For pity’s sake, patch Fortinet

The FBI has sent out an urgent memo pleading with Fortinet customers to patch their Fortigate installations after miscreants were spotted exploiting vulnerabilities in a firewall belonging to a local government in America. Fixes are available for the abused bugs.

“As of at least May 2021, an advanced persistent threat (APT) actor group almost certainly exploited a Fortigate appliance to access a webserver hosting the domain for a US municipal government,” the Feds warned [PDF]. “The APT actors likely created an account with the username ‘elie’ to further enable malicious activity on the network.”

Horse, meet stable gate

The US Department of Homeland Security has issued a directive regarding the computer network defenses of oil, gas, and hazardous waste pipelines, two weeks after a ransomware attack led to the shutdown of a major American fuel system and panic buying among some citizens.

According to Uncle Sam:

“The cybersecurity landscape is constantly evolving and we must adapt to address new and emerging threats,” said Secretary of Homeland Security Alejandro Mayorkas.

“The recent ransomware attack on a major petroleum pipeline demonstrates that the cybersecurity of pipeline systems is critical to our homeland security. DHS will continue to work closely with our private sector partners to support their operations and increase the resilience of our nation’s critical infrastructure.”

Malware has its finger on the Pulse

In April, Chinese snoops were fingered for exploiting Pulse Connect Secure VPN appliances. Now FireEye’s Mandiant surveillance squad has reported four families of malware abusing the Pulse vulnerabilities, for which patches are available. Intrusions appear to be automated.

“Mandiant Threat Intelligence assesses that Chinese cyber espionage activity has demonstrated a higher tolerance for risk and is less constrained by diplomatic pressures than previously characterized,” it said.

Apply patches as soon as you can. ®

The post Have I Been Pwned goes open source, bags help from FBI • The Register appeared first on SecuritNEWS.