

Despite Lackluster Efforts, Yahoo’s Mail users continue reporting hacking incidents



Yahoo is the third largest e-mail provider behind Google and Microsoft, but it is giving its users every reason to make it irrelevant. For the past few months, Yahoo Mail users have been exposed to a vulnerability that the hacker Shahin Ramezany discovered and published on YouTube in early January. Since then, Yahoo has been contacted several times, both by people whose accounts were hijacked and by reporters looking for answers. Yahoo has claimed repeatedly that the issue is fixed. The reports say otherwise. Complaints from users whose accounts had spammed every contact they ever had kept piling up, and the recipients were clicking the malicious links in those messages and spreading the compromise further. This one vulnerability has been exploited against Yahoo users for months, and Yahoo has been passive about the whole ordeal. This is not just an inconvenience; it is a serious issue. Here is an excerpt from a larger organization that had its Yahoo accounts hacked:

We were hacked at the end of January. They spammed everyone in the "contact" folder and deleted all the contacts. We just had another Yahoo account hacked yesterday. Not only did it spam the entire "contact" folder, but we are unable to send out e-mails or access our "secret question" to change the password. There was a toll-free number to call, and when we did so we spoke with people who spoke very poor English, and they asked for a one-time fee of $100 for assistance with the issue. When we refused, they hung up on us. We called the number twice; the first time we spoke with a woman and the second time we called we spoke with a man. Both times we called, when we refused the payment of $100 we were hung up on.

This is known as a ransom hack, and you would be silly to pay it, of course. It leaves users in a seemingly hopeless situation, and Yahoo should be the one doing something about it. When contacted recently, a Yahoo spokesperson said "We're committed to protecting our users and their data. We strongly urge our users to change their passwords frequently and to use unique, alphanumeric passwords for each online site they visit." Empty words will leave you with empty bank accounts, Yahoo. Source

In a "He Said She Said" Cyberworld, China Seeks New Rules

Here at the K logix Weekly, we have covered dozens of hacks, and many of them have been linked to China. Publications around the globe started linking several hacks together as part of a Chinese effort to gain information and other goodies from the West. The NYTimes, the WSJ, Twitter, Facebook, and many others had all been breached, but beyond the strong link to China, many were unsure of what was actually being done. It may have been a watchful eye from an elite group of hackers in China, waiting to gather enough information to have something meaningful, or it could have been the Chinese government itself. Either way, China is not taking all of this press kindly. Foreign Minister Yang Jiechi said "Anyone who tries to fabricate or piece together a sensational story to serve a political motive will not be able to blacken the name of others nor whitewash themselves." He is getting a little defensive, and who could blame him: if you are not going to admit to it, then deny it cold. He went on to say that the reports were built on "shaky ground" and that cyberspace should not be turned into a battlefield. It is a little late for that. It is a battlefield; the question is whether it is too late to establish rules. Source: NYTimes

Bookmark This One – "Days Since Last Known Java 0-day Exploit"

Of all the exploits you see, Java is the name that comes up most often. I've just stopped downloading any updates from them and I'm a happier person for it. Here is a little site that tracks how long Java has gone without a new exploit, and trust me, the counter doesn't get very high. It reminds me of the opener from the Simpsons when Homer is inside the nuclear power plant.

K logix Weekly 22  

Data security goodness, you know the dealio.