Monday, December 26, 2016

Bitcoin Leaded Data

Searching through our platform we are seeing bitcoin transactions including full credit card numbers. Here is a redacted list of what we are seeing. These appear to be foreign but still interesting.

Avro,Ahmed,,035325325,"2 BTC","1255.32 USD",Visa,"Avro Ahmed",4364************,CVV,,,,,,
Seems like this is an all too common occurrence lately. 

IBM of Brazil Credential Exposure

Looking through the Jigsaw Analytics Platform (from Jigsaw Security) we noted today that there was an account being leaked at the domain.

As 2016 comes to a close we have decided that instead of ignoring these issues we will be posting more and more. In fact we will be exposing these issues in 2017.


Thursday, December 8, 2016

More Retail Breach Details

We are about to release some details on another retail breach. It seems it just keeps getting worse and worse. We are trying to contact these folks but if they don't respond we will just post the information here.

Wednesday, October 26, 2016

What are we tracking today?

Just a little over 20000 infected camera's, routers, Unix embedded operating systems.

It's not looking good for the Interwebs at the moment. This list keeps growing and growing...

Hopefully we don't see a repeat of what we saw last week!

Tuesday, September 20, 2016

We Told You So!

I just read a post on that talks about the issues at WakeMed. Remember this is not the first time they have popped up on this blog. We contacted them and received no response. If they were smart they would talk to us because we provided other information and to date they have done nothing about it.

The response I received was that they didn't care because it was end users accounts that were affected. Just goes to show that all of this could have been prevented but their response to us was not what we would have expected.


Previous Warnings:

Tuesday, September 6, 2016

DNC Hacked Over a Year Ago

What they are not telling you in the news is that the DNC was hacked at least as early as December 2015. Looking back through our data we noted the DNC FTP server information was publicly known and was obtained through the PONY malware attacks that dominated part of 2015.

During forensics of a server in December of 2015 we noted that there were political information in the data set but did not really see the significance until recently when reviewing the forensics information.

Thursday, August 25, 2016

Represenative Wagner Pennsylvania - Just a quick note

So we started seeing some references to Representative Wagner in PA in dumps today. It was his username and obvious password. Tried to contact them and let them know and was greeted with this:

<>: host[] said: 550 #5.1.0
    Address rejected. (in reply to RCPT TO command)
Now what if I was trying to email my state representative? I guess I would be screwed because Cisco decided that I can't email them right? 
Well you can thank Cisco Ironport. Apparently Cisco has us on their blocklist and hasn't removed us. Maybe because we make them look stupid by posting their passwords such as this one...
August 24th 2016, 20:00:00.000

August 24th 2016, 20:00:00.000|Gold*****
Don't you just love it when these companies rely on a useless piece of technology like the Ironport devices?

Monday, June 20, 2016

Deep Diving xDedic Marketplace

First off I would like to thank SecureList for posting the full unredacted IP address information on the servers posted to Pastebin in their recent article. Upon seeing the file I decided to have our analyst take a look and see what servers were affected and figure out who owns those server (The companies affected).

Using our Intelligence Platform to process the 70000+ entries and to perform analytic modeling on the data we came up with the following.

Ingest Time: 35 seconds
Total Records Ingested: 176,076
DNS Enrichment: 5 minutes 25 seconds

So now we have the data in our big data platform and we want to see exactly what the IP's resolve to. Our goal is to figure out what companies are affected by this and breached without them being aware of it and notify them.

More information will be posted shortly...

Monday, June 6, 2016

UPDATED: A look at Guardzilla - They have eyes even when you don't!

Look familiar? Well this device started showing up in all the big box retailers last year so we decided to give one a try. Hooking the device up to a EVDO hotspot on Verizon was interesting at best. During our testing we discovered that the device streams continuously back to Guardzilla (even if you don't subscribe to their monitoring) all the time. So this "security" device has some serious "privacy" issues. The way most camera's work is that you access the camera and it streams the images to you directly but Guardzilla is not setup that way. When you setup the device it ALWAYS streams the video back to Guardzilla even if you don't subscribe to that service.

This is troubling for a number of reasons as now Guardzilla get's a sneak peek into your "secure" area without your consent.

The Guardzilla Privacy Policy:
Practecol takes reasonable efforts to ensure that your personal information is protected while you use the Services.

Oh and theres this line:
Also, video, audio, and other information received or recorded by your Guardzilla device may be stored on our servers or the servers of third parties.

I wonder who these third parties are because they are not disclosed anywhere in the privacy policy or terms of use.

Wait what?! So let me get this straight the information is protected while you use the services but not when your not using the services. So if I'm watching the video I'm now being protected by reasonable efforts to ensure that my information is protected but when I stop using the services they are not protected any longer? This is quite confusing honestly. So while your in bed sleeping your information is not protected because your not actively using the services?

Here's the problem. Even when you don't subscribe to the recording and playback features offered by Guardzilla the devices still stream to Guardzilla and we assume that the video is being stored otherwise why would you send it? What tipped us off was the fact that the device uses nearly 1GB of bandwidth per day even when your not viewing the camera. So basically your allowing Guardzilla to see into your protected space and to hear everything that goes on in this space because these devices are constantly streaming even when you are not using them.

We thought you might like to know. I can tell you this. Our Guardzilla test unit is about to be smashed in the parking lot never to be seen or heard from again.... Ever...

UPDATE: So Guardzilla reached out to me via email and specifically stated that this is how the product works. I definitely would NOT recommend the purchase of these devices under any circumstances since the terms of service basically says they can do what they want with your videos, and the fact that it will use 30GB of data per month which is ridiculous. Best to purchase a camera that only sends the information to you and only when requested.

Saturday, June 4, 2016

University of Berkely In Trouble AGAIN

Started seeing reports from the University of Berkeley again this evening. Specifically which has been observed trying to run shellcode against a rash of servers the last 2 weeks. The activity is very high today. Maybe the "Office of the President" at Berkeley can hire somebody to secure their network. Not that they have ever been breached or anything.

We have a history with reporting on activity at Berkeley. Search our archives for more information. 

Tuesday, May 24, 2016

Russia gets the jump with DMA Locker

Over the course of the last few days we have been monitoring the malware known as DMA locker. It appears as though Russia is building some really good capabilities for infecting workstations with zero detection currently in any of the antivirus products that we have tested.

In addition there is only 1 sample on Virustotal and none of the other vendors except MalwareBytes is even taking a look at this one.

As you can see below our analytics products are pointing squarely at Russia on this one. Keep your eyes out and check out our threat intelligence for more information.

Screenshot Courtesy of Jigsaw Security ( 

Keep an eye on this one!

Thursday, February 25, 2016

Cornell University looks the other way

As part of a new initiative to notify users of leaked credentials Jigsaw Security a member of SLC Security notified Cornell of a security issue. The response from Tom McMahon was interesting.

"Stop scaring our users."

The interesting thing is that Cornell has been hacked numerous times as evidenced by the following:

We could go on and on but we can certainly understand their reluctance to respond to notifications. Hopefully the end users are more concerned about these disclosures than the administration. 

Saturday, February 20, 2016

American Museum of Natural History

Looks to us like information from this site has been pulled down by hackers. We are notifying the affected users...

Tuesday, January 19, 2016

Large Numbers of MIT Email accounts leaked

We have noted a large amount of MIT related email accounts showing up on Darknet forums and in leaks posted to Paste sites.

The information posted includes 98 accounts and additional information. The information is verified as we have been able to get confirmation from several students and staff.

Sunday, January 17, 2016

Credit Suisse accounts start appearing online

We started noticing credit-suisse accounts showing up online this evening. Our system that collects information on compromised accounts started alerting to accounts at the firm. It is not known if the accounts detected are end user accounts or corporate accounts.

Wednesday, January 13, 2016

State of Virginia DHRM fails to respond to notification

On 1-7-2016 a researcher that assist Jigsaw Security noted some issues with documents posted on the DHRM website. A PDF posted by this organization contained information that was obfuscated by blocks but was a layered image so if you edit the document the blocks can be removed and the original content is then visible.

The Jigsaw Security Operations Center sent a standard notification advising them of the issue but they have failed to respond to the request.

As of the posting of this article the document remains on the website and there has been no response for the contact Nancy Tobin identified as the documents author. Our email was not returned as undeliverable.

We can't show you the actual email because it would expose the actual issue but we did what we could to notify them of the issue. 

We we notified them and followed up but no response. 

So basically they tried to do the right thing by blocking out personally identifiable information in these documents but the method used was inadequate. 

It is unknown of the individuals affected by this issue are still employed by the State of Virginia as we have not received any response to our inquiry. 

Hopefully bringing this information to light will prevent this type of information disclosure in the future but the lack of response is troubling. 

As of 14 January, 2016 a response was received indicating that the issue is being corrected.

"DHRM takes any possible data breach very seriously, and we wanted to notify you that measures are being taken to address the issue:

·         Removal of the referenced documents and links from DHRM’s servers so that data is no longer exposed that might impact employee privacy and security;
·         Software that has proper redacting capability supplied to users;
·         Staff training introduced to ensure that no lapses will occur in the future.

Thank you for bringing this matter to our attention."

Friday, January 8, 2016

2 Big Stories Next Week

We are currently reviewing 2 issues both of which are confirmed issues of PII and/or PHI data that we uncovered in the course of reading user submissions this week. Both involve some high profile entities of which neither has replied to our request for comments.

We have provided evidence of the issues to both and are awaiting any response.