Asaan Social Shopping Network Compromised, 9.9 GB of Data Affecting +10 Million Customers Stolen

On January 3rd 2019, a hacker going by the name of “Take Down Root” announced the hack of Asaan, a high end online shopping web portal. While the hackers did not disclose all of the information obtained to the public, they did release a sample of between 295-300 emails compromised by the breach through Pastebin to serve as proof of the hack. They also released several screenshots of the hack and of the breached databases as they browsed through them, posted to their Minds.com account.

For those of you unfamiliar with the web service, as was explained by the hackers themselves, “Asaan is an online social shopping network that enables shoppers to discover and buy the best products in United States, United Kingdom, India, United Arab Emirates, Saudi Arabia curated by a community with great taste.” All told, approximately 9.9 Gigabytes of data was stolen across 10 databases hosted by Amazon Web Services in Ashburn, Virginia, exposing the identification numbers, email addresses and passwords of more than 10 million customers – presumably granting the hackers access to their order histories, shipping addresses and payment information as well.

At the time of this article, January 7th 2019, Rogue Media Labs has been unable to make contact with Take Down Root for comment on the matter.

Website: hxxps://www.asaan.com/
Location: ec2-34-237-83-126.compute-1.amazonaws.com
Server IP Address: 34.237.83.126
Data Leak: https://pastebin.com/27en6Frz

Screenshots from Hacked Databases: [3 images, no descriptions available]

Data/Telecommunications Firm Digitel Brasil Hacked, Hundreds of Restricted Access Account Owners’ Emails & Passwords Dumped Online

Earlier today, December 6th 2018, Digitel Brasil, a Brazilian based tech firm specializing in enterprise data and telecommunications solutions, was hacked by “SHIZEN” – a member of the Brazilian based hacking group Pryzraky. In a press release made available to the public via his Twitter page, SHIZEN explains how he was able to breach a Microsoft-IIS/6.0 web server tied to the IP Address of 192.252.46.52 through an SQL Injection vulnerability tied to the site’s back-end, exposing 3 databases, 26 tables and hundreds of email accounts along with their passwords. To be more exact, approximately 255 registered account owners with restricted access to digitel.com.br had their login email addresses and passwords compromised by the data breach.

When asked whether the accounts exposed belonged to Digitel Brasil customers or corporate employees, SHIZEN simply responded “Yes!” – indicating that the leak was a mixture of both. At this time Digitel Brasil has yet to release a statement on the matter, and it remains unclear if they are even aware of the breach in the first place.

Website Affected: hxxp://digitel.com.br
Raw Data Leak: https://pastebin.com/beYvDSDE

https://twitter.com/zglobal_/status/1070561436710199296

Over 3,000 Spotify Accounts Leaked Online

Approximately 3,164 customer accounts belonging to Spotify were hacked and leaked online between November 5th and November 7th 2018. “Argentina GhostHack” and a hacker going by the name of “Grinch Vyse” have claimed responsibility for the breaches, posting email addresses and login credentials tied to Spotify customer accounts online earlier this week. It should be noted that Argentina GhostHack is responsible for the majority of accounts exposed this week, releasing 2,867 (91%) of the leaked material online.

To confirm the legitimacy of the leaks, Rogue Security Labs reached out to Spotify for comment and was told that “We’ve passed this on to the right folks to take a closer look backstage” – while thanking me for bringing the leak to their attention. It is unknown if the accounts breached were tied to the October 2018 Facebook hack which affected over 50 million Facebook users worldwide, incidentally compromising other 3rd party services attached to the social network – such as Spotify, Tinder and Instagram. Investigations are still ongoing.

For the time being, if you are a customer of Spotify you are advised to update/change your account password immediately. Additionally, if you use the same root password for your Spotify account as you do your personal email, you are advised to change this as well.

** Due to the number of civilian customers exposed in the breach, Rogue Security Labs has declined to share the leaks publicly **

370 NordVPN Accounts Hacked/Leaked Online

Rogue Security Labs has managed to uncover the email addresses and login passwords to approximately 370 paid/premium accounts allegedly attached to the NordVPN service. The hacked accounts were compiled from a string of 4 different leaks, from 3 different hackers across Syria, Japan, and Denmark over the course of October 26th to November 6th 2018. In addition to releasing customer login information, hackers also released a new ‘hack’ used to exploit different functions of PayPal through faked email addresses in order to trick companies like Nord into providing them with free VPN service. To uncover more about the incident, as well as how/where the hackers got the information in the first place, Rogue Security Labs has attempted to make contact with each of the parties responsible for the leaks, but all parties have declined comment. Upon further investigation however, there appear to be no known ties between the individuals involved.

As of November 8th 2018, NordVPN has been notified of the leaks and in a statement to Rogue Security Labs made it clear that their company and service has “never been breached” and that “any accounts available online are not leaked from our servers, but matched from other databases available online.” Research into the breach is still ongoing. If you are worried that your account might have been compromised, you are advised to reach out to NordVPN customer support for more information. The problem can also be mitigated by simply changing the login password to your account. Additionally, if you use the same root password for your Nord account as you do your email or any other service, you are advised to change this as well.

** Due to the number of civilian customers/accounts involved, Rogue Security Labs has declined to share the original leaks with the general public. **

McAfee Exposes Critical Website Vulnerabilities In 20 Important US Swing States

Over the course of the last several weeks and months leading up to the November 2018 Mid-Term Elections, McAfee, a US based anti-virus software provider, has been analyzing various Government websites in several important “Swing States” and state counties across the country. More specifically, “McAfee surveyed the security measures of county websites in 20 states.” What researchers have found is that there is an alarmingly large number of Government run websites that remain unprotected by even some of the most basic and fundamental security measures, presenting an easy target for hackers ahead of important election dates.

Due to these critical vulnerabilities, in a blog post publishing their findings earlier this week, McAfee researchers were primarily concerned with 2 major issues. First, the spamming of unprotected email subscriber/voter registration lists tied to state owned websites, allowing for phishing attacks to spread; and second, the spoofing of websites, domain names and/or vulnerability to DNS poisoning attacks, leading potential voters to fake or spoofed versions of state/election/Government websites.

Full Release from McAfee: https://securingtomorrow.mcafee.com/executive-perspectives/state-county-authorities-fail-at-midterm-election-internet-security/

To their surprise, what McAfee uncovered is that there is an unusually large number of US Government websites not running on .gov Top Level Domains (TLD), instead using .com or .net. This is important to understand because .com domains are far less secure and much easier to obtain than .gov TLDs, which require far more authentication/investigation to register. However, because of this, McAfee concludes that state employed website administrators simply didn’t want to go through the “hassle” or “red tape” to obtain .gov TLDs – deliberately choosing to make their websites less secure for the sake of convenience. Moreover, according to McAfee’s press release, “Our findings essentially revealed that there is no official U.S. governing body validating whether the majority of county websites are legitimately owned by actual legitimate county entities” – therefore making it easier for malicious actors to spoof or set up fake election web pages to fool the voting public.

For some perspective on this, McAfee notes how “Minnesota and Texas had the largest percentage of non-.gov domain names with 95.4% and 95% respectively.” Adding that “They were followed by Michigan (91.2%), New Hampshire (90%), Mississippi (86.6%) and Ohio (85.9%).” On the other end, “Arizona had the largest percentage of .gov domain names, but even this state could only confirm 66.7% of county sites as using the validated addresses.”

On top of this, McAfee discovered that several state owned websites didn’t even utilize some of the simplest, most basic and easy to install security measures – such as SSL. This means that there are Government owned websites across different states that actively refuse to protect/encrypt any information their constituents enter onto them – something which is absolutely unacceptable in 2018, especially given all the state-wide voter registration data dumps throughout 2015/2016. For example, the study found that “Maine had the highest number of county websites protected by SSL,” but even then only 56.2% of them utilized one. On the other end of the spectrum, “West Virginia had the greatest number of websites lacking SSL security,” with approximately 92.6% of their sites lacking SSL certificates. This was followed by Texas (91%), Montana (90%), Mississippi (85.1%) and New Jersey (81%). Highlighting just how pathetic this is, most SSL certificates can be obtained for $2-$5 and come standard, for free, on most website hosting platforms.

“Influencing the electorate through false communications is more practical, efficient and simpler than attempting to successfully hack into hundreds of thousands of voting machines. Such a scenario is much easier to execute than tampering with voting machines themselves,” notes McAfee CTO Steve Grobman. “Given how important the democratic process of voting is to our society and way of life, we must work to better secure these critical information systems.”

Safe & Secure Voting Registration Websites To Utilize for November:

  1. Alabama
  2. Alaska
  3. Arizona
  4. Arkansas
  5. California
  6. Colorado
  7. Connecticut
  8. DC
  9. Delaware
  10. Florida
  11. Georgia
  12. Hawaii
  13. Idaho
  14. Illinois
  15. Indiana
  16. Iowa
  17. Kansas
  18. Kentucky
  19. Louisiana
  20. Maine
  21. Maryland
  22. Massachusetts
  23. Michigan
  24. Minnesota
  25. Missouri
  26. Montana
  27. Nebraska
  28. Nevada
  29. New Hampshire
  30. New Jersey
  31. New Mexico
  32. New York
  33. North Carolina
  34. North Dakota
  35. Ohio
  36. Oklahoma
  37. Oregon
  38. Pennsylvania
  39. Rhode Island
  40. South Carolina
  41. South Dakota
  42. Tennessee
  43. Texas
  44. Utah
  45. Vermont
  46. Virginia
  47. Washington
  48. West Virginia
  49. Wisconsin
  50. Wyoming

Tech Review: Mailfence Encrypted Email

In my line of work, secure, private and encrypted emails are becoming an everyday necessity, especially these days. While the major players in the game remain ProtonMail and Tutanota, earlier this year I learned of a new up and coming provider operating out of Belgium – Mailfence – and decided to test the service out for myself. Here’s what I learned, and why I now run my business through their servers.

Customer Service

The first thing to catch my attention about Mailfence was their responsiveness to customer service inquiries, even on social media and when dealing with free account holders. For example, even whilst hosting a free account on their service I received messages back from customer support within 24 hours’ time. Not only this, but their social media channels remain open to the public and are very responsive to messages. By comparison, other email service providers do not have any open lines of communication through social media, and most will only provide support to paying customers.

Accounts & Plans

Mailfence offers a wide range of account services, including free, entry, pro and business level plans. If you would like to learn more about each individual plan, as well as the added costs/benefits between them, please utilize the following link.

View All Plans Here: https://mailfence.com/#register

Even though the company operates out of Belgium, they do accept payments through foreign currency, including the American dollar, and perform the currency exchange on their end. This is important to understand because not every European based company is willing to do this. For example, in 2014 I was unable to register for Perfect Privacy VPN out of the Netherlands due to their reluctance to accept anything other than Euros. Perhaps most notably, even after submitting my debit card for payment, Mailfence enacted a delay on processing the payment in order to review my account/purchase – clearly indicating that the company isn’t just after some quick cash grab, but instead has a set of moral standards in place governing what they do and who they do business with. I know, imagine that – right?

Additionally, each Mailfence email address comes with built in data storage, acting as a de facto Cloud storage account for all your important documents. Personally, I keep all of my most important documentation backed up through Mailfence. By comparison, I refuse to keep this sort of information stored on any other data hosting platform – especially Google.

Data Servers & Security

Mailfence’s largest claim to fame, and what separates them from their competition, is the fact that the company hosts their data servers in and operates their business out of Belgium, which is known to have literally THE strictest privacy laws of any country in the world. Not only this, but Mailfence also goes out of its way to protect its website using TLS and SSL certificates which ensure that “no American certification authority is involved in the certification chain” – something I have personally never even seen before. Their site also enforces HSTS security headers and features state of the art encryption on all messages – more on that later on.

Data servers and country of origin are important to understand. As I have pointed out in a previous article on this subject, different countries have different laws when it comes to data storage and business/customer confidentiality. Moreover, while countries like Switzerland would have you believe they hold the most secured privacy laws due to their world-renowned banking system, this just simply isn’t the case when it comes to cyber security. For example, ProtonMail tries to bank on Switzerland’s historic reputation, but ProtonMail was developed in part by researchers at the Massachusetts Institute of Technology (MIT) and their relationship to/with the NSA and US Government is more than just rumor at this point. The fact of the matter is that, at the present moment in time, Belgium does more to protect customer privacy and data confidentiality than any other country in the world – period, end of story.

Encryption Measures are Second To None

While there is a lot of competition out there on the encrypted email market these days, I have not seen one company offer more options to encrypt individual emails than Mailfence now does. For example, not only does Mailfence offer end to end encryption for all of its users, but the service also allows its users to create digital signatures, and implements Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) – preventing email forging and ensuring all emails attached to your domain/account are exclusively sent via Mailfence servers. These are options which simply do not exist on other encrypted mail service platforms.

On top of this, Mailfence also implements two-factor authentication for all account holders using something known as “Time-based One-time Password” algorithms – also something I had never seen before. This technology ties a unique bar-code to an individual device or cell phone, ensuring that only that one device can have the means of generating a secondary code necessary for login. Combining their sign in methods with the site’s security, along with their email encryption options, from login to transit, no email company I’ve ever seen does more to protect data/privacy than Mailfence now does.

Belgium Is The Future – IMO

While Mailfence is a relatively new and upcoming name, they have already sold me and I am happy to make the investment in the future. Moreover, reading international security headlines for a living such as I do, I am noticing an increasing trend in the exploitation of encrypted email services for illegal means. For example, Tutanota accounts are behind nearly every single major ransomware related incident over the course of the last two years, and it is a general fact that all of the world’s most famous hackers and hacking groups operate through ProtonMail accounts.

Not all publicity is good publicity. The fact that nearly all major hacking and hacking related incidents are being conducted through ProtonMail and Tutanota servers is not a good look for business, and the longer this behavior continues the more likely it is that international authorities are going to compromise these services in one way or another – if they haven’t already quietly done so. As I have already pointed out, Mailfence is careful to choose who they do business with and whom they do not, and given that they are a relatively new service globally, ensures that their reputation has not been tarnished. As a new business owner myself, I feel much more comfortable attaching my name to Mailfence than I am any of its competitors.

Lastly, with the Netherlands essentially out of the privacy/security game and the pressure slowly mounting on all of these Swiss based companies, I see Belgium as the future leader of cyber security over the course of the next 5-10 years. Not only is Belgium at the literal center of the European Union, which enacted revolutionary new data privacy laws in 2018, but some of the world’s most innovative security companies are starting to emerge there. This is true of services like Mailfence and DNSBelgium, which is leading the charge towards blockchain DNS, which has the possibility of changing the course of internet history. Given the way the country structures its laws, I see several major computer or cyber security based companies either starting up in or moving to Belgium in the years to come.

Email Security Strategies

Before we begin, you can have the most advanced cyber security practices and anti-virus in place but if you do not have a strong enough password to secure your devices or online accounts, all your security measures might as well be useless. As I have already explained in a previous tutorial, more people are hacked as a result of weak passwords than any other single factor. With that established, the 2nd most common way to hack someone is through their email inboxes or accounts – just ask Hillary Clinton, John Podesta, John Brennan and the DNC about that. Make no mistake, if some of the world’s most powerful people can have their personal emails hacked, so can you. This is also why learning how to practice better email habits should be of the utmost importance for you heading into the future.

What To Avoid & How Email Hacks are Pulled Off:

While browsing through your email account(s), never open a single email or click on any link(s) from a sender you do not know personally. It might seem harmless, but the simple act of curiously opening an email or clicking on a link within an email can open Malware or register and transmit the IP Address of the device you are using to the sender of that email or link.

When a hacker sends compromising emails or links to your personal inbox it is a technique known as “Phishing,” and it is perhaps the most common form of cyber-attack you will ever encounter. I am willing to bet that everyone who has ever owned an email account has seen a phishing scheme at one point or another in their lifetime, whether they were even aware of it or not. This is also why it is important to not just leave your email out in the open for all the world to see, or blindly pass it around to so many pages across the internet – especially if you have something to lose.

Believe it or not, there are even free and public services which allow any person to secretly attach a program to any given link or email they send, which automatically transmits data such as your IP Address as soon as you open it. This type of program also reveals things like the time of day you clicked the link, the type of browser you were using and how long you kept the window open. This is also what is referred to as a “trap-link.” The most common of which comes in the form of an “IP-logger,” which automatically registers the data of any device that clicks on it. While this might sound extremely complicated or foreign to you, again, regardless of the legality of it all, there are actually multiple free services, platforms and tools available on the internet for people to do just this.

Needless to say, always use caution and judgement when clicking on any links in your inbox, online chat, message or social media network alike – especially from people/sources/senders you do not know or have never done business with directly.
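
One way to check a message before clicking anything in it, as an added example rather than code from the original article: it lists links whose visible text names a different host than the real destination, and remote images that contact a server as soon as the mail is opened. The sample body and its `example.*` hostnames are constructed, and treating a 0/1-pixel remote image as a tracker is a heuristic assumed here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message body; all hostnames are placeholders.
SAMPLE_HTML = """
<html><body>
<p>Your invoice is ready:
  <a href="http://track.example.net/r?id=abc123">https://billing.example.com/invoice</a></p>
<p><a href="https://www.example.org/help">Help centre</a></p>
<img src="https://track.example.net/open.gif?u=abc123" width="1" height="1">
<img src="cid:logo@local">
</body></html>
"""

# Matches a hostname (optionally preceded by a scheme) in visible link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class MailInspector(HTMLParser):
    """Collects (kind, detail) findings from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # visible text collected inside that <a>

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "a" and attr.get("href"):
            self._href, self._text = attr["href"], []
        elif tag == "img":
            src = urlsplit(attr.get("src") or "")
            # Only http(s) images cause a network request on open;
            # cid: and data: images are carried inside the message.
            if src.scheme in ("http", "https"):
                tiny = (attr.get("width") in ("0", "1")
                        and attr.get("height") in ("0", "1"))
                kind = "tracking-pixel" if tiny else "remote-image"
                self.findings.append((kind, src.hostname))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            real = urlsplit(self._href).hostname
            shown = HOST_IN_TEXT.search("".join(self._text).strip())
            if real and shown and shown.group(1).lower() != real:
                detail = f"{shown.group(1).lower()} -> {real}"
                self.findings.append(("mismatched-link", detail))
            self._href = None


def inspect_html(body):
    """Return the list of findings for one HTML mail body."""
    parser = MailInspector()
    parser.feed(body)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, detail in inspect_html(SAMPLE_HTML):
        print(f"{kind:16} {detail}")
```

Disabling automatic remote-image loading in the mail client removes the open-time request entirely, which leaves only the click-through case for the reader to judge.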

Separate Your Inboxes:

A good practice is to also use separate accounts for different purposes. For example, use a separate email account for your online banking and/or business than you would use for family, friends, or subscribing to magazines. This ensures that if one account is ever breached or compromised, not every aspect of your life gets compromised along with it. Additionally, use separate passwords for separate accounts and always reserve your strongest passwords for your most important accounts. You should also utilize two-factor authentication whenever and wherever possible.

If you are a website domain owner, or own multiple email accounts, you can also secure your personal or business inbox behind a mail forwarding service through your domain’s DNS settings or an alternative service provider. Selecting this option will allow you to pass out an email address without actually revealing the true end destination where those emails will be sent, essentially turning the mail forwarding address into an “alias” or “proxy” for your real account.

If you would like to learn more about alternative/encrypted email service providers, as well as why you should consider making the switch to them, please utilize the following link: https://roguesecuritylabs.ltd/making-the-switch-to-encrypted-emails/

If you need help learning how to read, write and remember stronger passwords to secure your online accounts, please utilize the following link: https://roguesecuritylabs.ltd/how-to-write-un-hackable-passwords/

Making The Switch To Encrypted Emails

This past February a US judge ordered Microsoft, an American based tech company, to honor the search warrants of American law enforcement agencies requiring the company to hand over any/all data, emails and the like which the company stores on servers located overseas. The ruling came in direct contradiction to a previous ruling from a Federal Appeals Court in August of 2016, which upheld a US Circuit court ruling from July 2016, prohibiting the US Government from seizing data stored on servers located outside of US borders.

The principle behind this case is very simple to understand: does the United States Government have the right to demand foreign businesses located outside of the United States hand over their records to the United States Government if that company happens to do business with a US citizen? In other words, are foreign nations forced to abide by US law and comply with all US based legal requests? Well, according to the most recent ruling, as of February 2017, at least as far as US courts are concerned, the answer is “yes.”

What Other “Authority” Does The US Government Have?

Let’s use the world’s most popular email service provider as a quick example – Gmail. Quite literally, everything you do on your Gmail account is accessible by Google at any given moment in time. After-all, you are using their service. If the US Government ever wants to see your account or any of the information on it, then all they have to do is pull up the file of a generic document, insert your name on top of it, print it out and just like that they magically have a “subpoena” to obtain all of your information from Google.

Despite how simple of a process this is, it is all groundbreaking stuff too. Believe it or not, it was not until May 2016 that the US government even needed to get a warrant or legal document of any kind to search through all of your personal emails. Don’t believe me?

Read More – Email Privacy Act of 2016: https://www.congress.gov/bill/114th-congress/house-bill/699

For you international folk out there, the news isn’t much better. You see, the US Government has its own private court known as a FISC court which, historically speaking, blindly grants “99.96%” of all warrant requests brought in front of it – but who’s counting, right?

With that out of the way, all of the information above only goes to show how easy it is for the US Government to go about obtaining all your data “legally.” But as I think we are all aware by now, agencies like the NSA or CIA do not necessarily care about US law and have the very real authority to act outside of it – #PatriotAct. To be fair, this does not necessarily mean that someone working for the US Government is literally watching/reading every single email you write every minute of the day, but they theoretically could be if/whenever they wanted to.

To that very point, early in 2016 Google came out with a press release addressing how “state-sponsored hackers” had breached over 1 million Gmail accounts over the course of that year. This was also not an isolated incident and it’s not just Google which has been targeted by these types of breaches. Literally hundreds of millions of Yahoo and Hotmail accounts have also been exposed over the years.

Read More – 3 Billion Yahoo User Accounts Hacked, Including 500 Million Email Addresses: http://money.cnn.com/2017/10/03/technology/business/yahoo-breach-3-billion-accounts/index.html

So far I have only addressed how easy it is for the US Government and/or law enforcement agencies to access all of your personal accounts/information. This does not even account for all of the non-Government organizations or hackers out there, or oppressive regimes located in countries all over the world. In fact, I am willing to bet that at least 95% of all hackers worldwide are non-Government affiliated. Moreover, Hillary Clinton, the DNC, CIA, John Brennan and John Podesta should all serve as evidence for just how easy it can be for hackers to compromise anyone’s email account if they really want to – even some of the most powerful people in society.

Quite frankly, there is a reason why politicians and members of the Armed Forces are told never to use their own personal or private email accounts, because none of these services are properly protected or encrypted! While members of the Government and Armed Forces use their own private versions of encrypted email services which are NOT open or available to the public sector, thankfully, there are a number of free and paid email encryption services out there open to the general public.

For Example:

Mailfence

Mailfence is a relatively new company globally, but one which I have already placed at the top of all encrypted email service providers. Mailfence operates their servers out of Belgium, a country internationally renowned for having some of the strongest and most resolute privacy laws in the world. Unlike the United States, every surveillance request or request for information inside Belgium, including on Mailfence’s servers, must be legally brought in front of a Belgian judge and proven in court as legitimate. In this way Belgium protects user data and business confidentiality in a way that no other country in the world does.

Sign Up/Create an Account Here: https://mailfence.com

ProtonMail

This email service provider offers free end to end encryption and hosts its servers in Switzerland, outside of US jurisdiction – theoretically. When signing up, at no point in time are you asked for any personal information and you do not need to attach any other email accounts or phone numbers in order to register. This service also utilizes 2-factor authentication to log in, preventing hacking attempts. ProtonMail has also partnered with humanitarian organizations around the world, such as Amnesty International, in order to help fight back against Government surveillance and cyber censorship in developing countries around the world.

On a lighter note, if you are a fan of the Television drama “Mr. Robot” this is Elliot’s email provider of choice on the show.

Sign Up/Create an Account Here: https://protonmail.com/

Tutanota

This is another free encrypted email service that has become quite popular in recent times. In fact, earlier in 2016 Tutanota officially surpassed 1 million accounts – becoming the world’s largest encrypted email service provider. In 2017, Tutanota then went on to surpass 2 million accounts, furthering the country’s rock solid reputation as an industry leader.

What makes Tutanota unique is that the company makes their source code “open source,” meaning that security researchers can investigate for themselves the level of encryption they are receiving. For all you n00bs out there, making your source code public record and still not having it hacked proves just how good the code really is.

Sign Up/Create an Account Here: https://tutanota.com/