
ICANN breached, members' encrypted passwords stolen

News roundup: ICANN confirmed its members' credentials were stolen Wednesday, forcing the nonprofit to enforce a site-wide password reset. Plus: VPN provider being used for APTs; Thunderstrike strikes again; Windows 10 security in its first week.

ICANN is requiring its website members to change their passwords following a data breach.

The Internet Corporation for Assigned Names and Numbers (ICANN) is responsible for mission-critical Internet systems, including IP address space allocation, protocol parameter assignment and root server system management functions. Its Internet Assigned Numbers Authority (IANA) manages the domain name system.

The nonprofit organization informed its users via its website Wednesday that ICANN.org public website member profile data was "obtained by an unauthorized person" sometime within the last week, "as a result of unauthorized access to an external service provider."

Usernames/email addresses and encrypted passwords, as well as other data -- including public bios, interests and newsletters -- were pilfered.

While the stolen passwords were encrypted, ICANN still requires a password reset.

"These encrypted passwords (hashes) are not easy to reverse," the website reads, "but as a precaution, we are requiring that all users reset their passwords.

"Most importantly, if you have the same password on other websites or services, you should change it immediately … as a general matter, you should avoid reusing passwords across multiple sites."

An ICANN representative told SearchSecurity no data has been seen in the wild. ICANN also noted there was no evidence of the profile accounts being used maliciously, nor evidence of internal ICANN systems being accessed. In addition, no operational data, financial data or IANA systems were involved in the incident.

Further details of the breach were not disclosed.

ICANN has experienced other notable security incidents over the last year. In March, the organization experienced an issue involving top-level domain applications; new applicants in certain circumstances were able to view the data of other applicants. In December, some ICANN employees' passwords were compromised after a spear-phishing attack.

An ICANN representative told SearchSecurity the latest incident is not related to either prior issue.

The announcement of the breach occurred days after ICANN published a 199-page public report detailing how it plans to pass IANA functionality from the U.S. Department of Commerce to ICANN and a group of interested parties in order to reduce U.S. government oversight.

In other news:

  • RSA Security researchers published a report Tuesday detailing how advanced threat actors are using a VPN provider to obfuscate and anonymize attacks. Dubbed "Terracotta" by RSA researchers, the VPN provider -- which sells commercial services under multiple brands in China -- is being used as an "active launch platform" for APT actors, such as Shell_Crew or Deep Panda. According to the report, Terracotta -- which also houses legitimate users -- is operating more than 1,500 end nodes around the world, at least 30 of which are compromised Windows servers "harvested" from unwitting victims. While most of the victims are small businesses with little or no IT staff, large organizations' Windows servers have also been compromised, including a Fortune 500 hotel chain, a U.S. state university, a unified communications as a service provider and a Windows enterprise management application developer. RSA researchers confirmed all of the harvested systems were Windows servers. Because the harvested systems belong to legitimate organizations, researchers said, malicious actors can route their attacks through legitimate IP addresses to disguise the true source. Since the malicious actors are not using sophisticated methods to harvest the nodes, researchers said the attacks are "readily preventable" by blocking port 135, renaming admin accounts on Windows systems to unique identifiers, and using strong passwords.
  • Researchers have illustrated how known vulnerabilities affecting PC firmware can also affect Apple's Mac firmware, which is often considered to be more secure. At Black Hat Thursday, Xeno Kovah and Corey Kallenberg of LegbaCore and Trammell Hudson of Two Sigma Investments LLC discussed their proof-of-concept "firmworm," a threat that, after a local root privilege exploit, writes to the motherboard bootflash, infects Thunderbolt option ROMs, hooks to the S3 resume script or SMM, and then repeats the process to infect bootflash chips on other machines. Thunderstrike 2, which follows the Thunderstrike threat disclosed in January, cannot be removed from the firmware unless the chip is manually re-flashed. It also cannot be detected by existing security software. Unlike its predecessor, Thunderstrike 2 does not require physical access to infect a MacBook; initial infection is generally achieved through a malicious email or website. The worm then infects peripheral devices which, when removed, can infect other devices they connect to. However, Rich Mogull, analyst and CEO at Securosis LLC, said the threat may be overblown. "The research itself is excellent and fascinating work from Trammell Hudson and Xeno Kovah. And, as always, we hope Apple patches all the flaws quickly, but this isn't something most Apple users need to lose any sleep over," Mogull said. "It only works on Thunderbolt devices, and affects only vulnerable Macs." Mogull also said that "OS X 10.10.4 Yosemite breaks the proof-of-concept demonstration. That doesn't mean Macs are immune from firmware attacks, but it does mean the current attack demonstration won't work on Macs running the latest version of Yosemite." He also noted USB devices do not transmit the worm -- only Thunderbolt devices do. It also cannot automatically jump air gaps, as many outlets have suggested. While Mogull does not dismiss the idea of similar attacks, he said it is unlikely such an attack will be used at scale against consumers.
  • One of the most highly debated new features of Windows 10 is its "rolling update" approach -- Forbes reported last week that upset users said a forced Nvidia graphics card update was causing their systems to crash. Yet the company has held its ground, releasing its first three Windows 10 updates on July 29. While the patches were not new ones -- MS15-073, MS15-074 and a Flash update had already gone out during July's Patch Tuesday release -- they had been published after Windows 10 went to manufacturing and before it was released, so they were pushed to new installations on day one.
  • Another controversial Windows 10 topic over the past week was its password-sharing feature, Wi-Fi Sense. The enabled-by-default option sends a user's encrypted Wi-Fi password to his or her contacts on Skype, Outlook and Facebook. While the contacts do not see the password, it has caused a stir. However, an article on ZDNet noted that users must take an additional step to allow access to their Wi-Fi network: they must make it available for sharing -- so the issue may not be as bad as some are making it out to be. "You have to very consciously enable sharing for a network. It's not something you'll do by accident," the article said.
  • Privacy and Windows 10 have been mentioned together a lot lately -- namely because many default security settings are not considered privacy friendly. To address concerns, a guide has been published to help users find and adjust privacy controls. And soon after the Windows 10 release, a new open source app was released to help users regain privacy control on the OS. However, it is important to note that many Windows 10 security features should be leveraged, so caution should be exercised before making drastic privacy changes.
