Linkedin, eHarmony and HACKED ‘HULK’ attack a form of ‘DoS’ attack

LinkedIn, eHarmony and all got hacked and had user passwords stolen. Millions of members from the business network and the dating site had their passwords published online, while users were also getting spammed, indicating emails may have been taken too.

LinkedIn came off the worst in the hacks, as its users’ passwords were published in hashed form, when many security experts recommend salting as well as hashing for encrypting data.

One annoyed member told The Reg:

When you have an enforced connectivity regardless model pushed to the master revenue plan added to antiquated security systems and zip due diligence like LinkedIn – that’s a FUBAR train wreck waiting to happen.

Both LinkedIn and eHarmony were also less than forthcoming about whether or not other information could have been stolen when the hackers were creeping about in their system. Despite the fact that members were reporting being inundated with spam and phishing emails, the sites were staying mum.

A spammed eHarmony user said:

Not surprisingly, eHarmony haven’t answered my requests for more information.

Data breaches continue to be taken more and more seriously in the UK, as the Information Commissioner’s Office handed out its biggest cash smackdown yet, to an NHS trust.

The Brighton and Sussex University Hospitals NHS Trust was fined £325,000 for leaving data on patients and staff on hard drives that ended up on eBay instead of being destroyed.

However, the Trust is ticked off with the size of the whopping penalty and disagrees that it was “reckless” in protecting data, which needs to be proved for the ICO to release the hounds.

The Trust said it was appealing the ruling, adding:

It is a matter of frank surprise that we still do not know why they have imposed such an extraordinary fine despite repeated attempts to find out, including a freedom of information request which they interestingly refused on the basis that it would ‘prejudice the monetary penalty process’.

Meanwhile, a security researcher accidentally handed over big, green ammunition to the bad guys when he shared his new HULK attack tool on his blog.

The malware you wouldn’t like when it’s angry is a denial of service tool, but it’s not distributed, it comes from one computer.

Neal Quinn, COO at DoS defence business Prolexic worried:

What makes HULK dangerous is the fact that a single malicious actor with a single computer could feasibly take down a small, unhardened web server in minutes.

But he didn’t stay concerned for long as incredibly, HULK is not difficult to smash. Although the tool is difficult to spot in regular traffic, once you know about it, you can take down the HULK.

Fortunately, this is not a very complex DoS tool. It is fairly simple to stop HULK attacks and neutralise this vulnerability with the proper configuration settings and rules.

From one guy in his garage to nation states, whose online exploits were big in the news this week when it was reported that none other than US President Barack Obama had ordered the deployment of the Stuxnet virus to try to set back Iran’s nuclear programme.

Now that what everyone already knew – that countries do indeed cyber-spy on each other – is public, it’s time to figure out how the coding minds behind such viruses can declare their genius on their CVs.

Anton Chuvakin, a research director in Gartner’s IT1 Security and Risk Management group said:

‘Malware’ … is now a legitimate occupation that you can put on your resume.

And suggested the upfront approach to CV updating:

2006-2007: Developed ‘attack software’ for XYZ government

Given that the coders in question probably had to sign one of those pesky NDAs though, perhaps the following from Peter Acheson of recruitment firm Peoplebank would be more suitable:

2009–11 – Department of Defence – Israel Project Director – Strategic Defence project. Worked on the development of strategic defence software for Department of Defence. Project had defence classification XYZ 123. Responsible for all aspects of overseeing development of the strategic software including management of 200 people.

But it wasn’t all security this week, the tech world also saw Oracle not announcing new cloud offerings. The software giant had led everyone to believe that it would be “rounding out” its cloudy services, but instead it just kind of said more about what Oracle Cloud is and does.

Oh, and of course, the “announcement” gave CEO Larry Ellison the chance to diss some of his cloud rivals. First up for some caustic wit was nemesis SAP, which is expecting to have ERP software ready for the atmosphere in 2020.

Ellison quipped:

20/20, excellent vision. 20/20, a great news programme. 2020, a terrible time to get to the cloud.

And he also had a totally unveiled thrust at Workday as well for using a Flash-based UI and an object store instead of a relational database:

They have made some fundamental architectural decisions that are flat wrong, and I think calamitous.

And finally, the Motion Picture Ass. of America has said it won’t stop legitimate users of Megaupload from getting their data back – as long as someone makes sure that data isn’t pirated.

The judge has asked the Crown lawyer John Pike to start handing back data that isn’t relevant to the trial, but he reckons there could be a problem there:

Police, to put it bluntly, would not have a clue what is relevant and what is not relevant. How could they? ®

About Author