This week's IT security roundup has news stories on a number of high-profile password thefts; an FBI investigation into who leaked confidential government data on cyberattacks on Iran; Android malware; and more.

Quite the week in cybersecurity land, eh? I haven’t heard this much about salting and hashing since I was a busboy. Anyway…

17.3 Million Last.fm Passwords Possibly Stolen: Social music site Last.fm on Thursday announced it is investigating a user-password leak. Analysts say they’ve known about the problem for months and are now wondering why it took the company so long to act. As many as 17.3 million unique MD5 hashes, which can be cracked to indicate unique passwords, appeared on a hacking forum in 2011, and they could be used to reveal Last.fm user passwords, according to KoreLogic. A member of the KoreLogic team posted on Reddit Thursday: “The list has been ‘out there’ for a long time. I talked about it privately at 2011 DEFCON. It was originally posted by ‘bad guys’ on password cracking websites last year. I grabbed it, but it was promptly deleted.” LinkedIn and eHarmony also reported massive password thefts this week.

FBI Investigates Leak of U.S. Cyberattack Against Iran: The FBI is trying to find out who disclosed information to the press about a classified U.S. cyberattack program aimed at Iran’s nuclear facilities. Last week details of the cyber-sabotage program were published by several media outlets. Those reports included details about the use of a computer worm called Stuxnet, which Iran says it found on its computers. The CIA reportedly ran the operation in conjunction with Idaho National Laboratory, the Israeli government and other U.S. agencies.

Google to Warn Users About Government-Sponsored Attacks: Google unveiled a warning system that will alert users if their accounts are compromised by state-sponsored attacks. After being warned, users will have the ability to lock down their accounts and prevent further access by attackers. The new warning comes after U.S. officials’ Gmail accounts were breached last year. Eric Grosse, Google vice president of security, wrote in a blog post: “You might ask how we know this activity is state-sponsored. We can’t go into the details without giving away information that would be helpful to these bad actors, but our detailed analysis—as well as victim reports—strongly suggest the involvement of states or groups that are state-sponsored.”

Researchers Sneak Malware into Google’s Android App Store: Jon Oberheide and Charlie Miller of Duo Security demonstrated that it’s possible to slip a malicious app past the Google Play store’s “Bouncer,” a program used to detect mobile malware in submitted applications. Bouncer scans apps for known malware, spyware, and Trojans, looks for suspicious behaviors and compares them to previously analyzed apps. Unlike Apple, which vets every app, Google doesn’t require pre-approval for Android apps.

Hacker Says He Hacked Mitt Romney’s Email: An anonymous person claims he has hacked the Web-based e-mail and online-storage accounts of GOP Presidential hopeful Mitt Romney. A report on Gawker.com says mittromney@hotmail.com is believed to have been broken into, though the news has not been confirmed. Why anyone would want to hack Romney’s mail is beyond this writer’s comprehension. I am sure there are more boring people in the world (Mike Dukakis, another former Massachusetts governor and presidential nominee, for example), but not many.

This Week in Facebook’s Stock Price: Nothing to do with security but I find this rather amusing.