  1. #1
    WHT-BR Top Member
    Join Date
    Dec 2010
    Posts
    15,002

    [EN] bash: hackers break into Yahoo, WinZip and Lycos

    Hackers Exploit Shellshock Vulnerability to Gain Access to Yahoo Servers


    Romanian hackers have exploited the Shellshock vulnerability to gain access to Yahoo servers, according to Jonathan Hall of security consulting company Future South Technologies. Hall announced the hack of Yahoo, as well as Lycos and WinZip, on the Future South blog after informing the companies and the FBI.

    According to a series of blog posts, Hall discovered the vulnerabilities on Saturday night, and watched overnight as the exploit expanded. Hall claims he began attempting to alert Yahoo before 5 am CST, but that it, like the other two companies, was slow to respond.

    WinZip confirmed to Hall that they were hacked, while Lycos initially denied that it had been breached, and subsequently admitted the need for further testing. Yahoo confirmed that it had been breached midday on Sunday, and on Monday Yahoo CISO Alex Stamos posted a response to the incident to Hacker News.

    “Earlier today, we reported that we isolated a handful of servers that were detected to have been impacted by a security flaw. After investigating the situation fully, it turns out that the servers were in fact not affected by Shellshock,” Stamos said. “Regardless of the cause our course of action remained the same: to isolate the servers at risk and protect our users’ data. The affected API servers are used to provide live game streaming data to our Sports front-end and do not store user data. At this time we have found no evidence that the attackers compromised any other machines or that any user data was affected. This flaw was specific to a small number of machines and has been fixed, and we have added this pattern to our CI/CD code scanners to catch future issues.”

    Stamos also responded to allegations by Hall that Yahoo had been slow to react to the breach, saying that the affected systems had been isolated and the investigation begun within an hour of the email Hall addressed to CEO Marissa Mayer.

    Hall in turn responded to Stamos, at first accusing him of giving misleading information, and then trashing Stamos’ explanation for how the breach really occurred.

    “I’m not saying for a fact that more than what they are saying was compromised was,” said Hall. “But what I am saying for a fact is that there’s no way in hell they can be certain when they can’t even honestly provide a technical explanation of how the breach occurred in the first place.”

    The Independent notes Yahoo’s reputation for underappreciating bug bounty hunters. Yahoo gave a $25 voucher to an ethical hacker who disclosed three bugs in Yahoo servers last year.
    http://www.thewhir.com/web-hosting-n...-yahoo-servers

  2. #2
    WHT-BR Top Member
    Join Date
    Dec 2010
    Posts
    15,002
    ...

    The Yahoo! infiltration WAS from the “Shellshock” vulnerability, and it did NOT originate on the sports servers / API’s. How do I know? Because I sat there watching it happen, all the while trying to contact them during it – yielding zero results.

    ....


    I’m not convinced the problem is contained, nor am I convinced the users’ data is secure… And I am flat out accusing Stamos, and Yahoo!, of being dishonest and inaccurate in their reports of this breach, as well as being grossly negligent to their users and shareholders by releasing inaccurate and misleading information.

    ...
    http://www.futuresouth.us/wordpress/?p=25

  3. #3
    WHT-BR Top Member
    Join Date
    Nov 2010
    Posts
    1,608
    Yahoo gave 25 dollars to a hacker, is that right?

  4. #4
    Aspirante a Evangelist
    Join Date
    Jul 2012
    Posts
    352
    Quote Originally Posted by chuvadenovembro View Post
    Yahoo gave 25 dollars to a hacker, is that right?
    That's right, $8.33 per bug found.
    Must be an Indian hacker, judging by the size of the payment

  5. #5
    WHT-BR Top Member
    Join Date
    Dec 2010
    Posts
    15,002
    It can't even be called payment. It was a shopping voucher that can only be used to buy merchandise sold by Yahoo.

    Note that this payment relates to a different episode and has nothing to do with the exploitation of the bash vulnerability that allegedly made the alleged Yahoo break-in possible. In the present case, Yahoo refused to pay for the security-flaw warning it received from Future South Technologies, on the grounds that the information did not fall within the bounty program. Recalling the ridiculous US$ 25 amount was the reporter's way of reinforcing in the article that Yahoo does not give security the attention it deserves, something that is only implicit in the text.

    It was confirmed to him that its servers had been infiltrated but Yahoo refused to pay him for alerting them as it was not part of the company’s bug bounty programme.


    Yahoo is notorious for its disregard of bug bounty hunters, having last year rewarded one such hacker who identified three bugs in Yahoo's servers with a $25 voucher for company merchandise.
    http://www.independent.co.uk/life-st...t-9777753.html
    Last edited by 5ms; 09-10-2014 at 15:36.

  6. #6
    Membro
    Join Date
    Oct 2014
    Posts
    4
    Quote Originally Posted by chuvadenovembro View Post
    Yahoo gave 25 dollars to a hacker, is that right?
    It was a voucher for $25.

  7. #7
    WHT-BR Top Member
    Join Date
    Nov 2010
    Posts
    1,608
    Those $25 reminded me of the Facebook case:

    http://youpix.virgula.uol.com.br/new...-crowdfunding/