Bitly security breach – the full story

As many of you will no doubt already know, Bitly (the popular URL shortener) suffered a data breach that it became aware of “early [on] Thursday morning”. Hashed passwords were among the data exposed, so in theory a password could be recovered, but only by guessing candidates and hashing each one until a hash matches, which for a strong password takes an impractical amount of computing power (a short or reused password is another matter). For security reasons, Bitly have disconnected all Twitter and Facebook accounts and revoked all OAuth tokens, according to their CTO, Rob Platzer.

In a statement, Bitly said “We audited the security history for our hosted source code repository that contains the credentials for access to the offsite database backup storage and discovered an unauthorized access on an employee’s account. We immediately enabled two-factor authentication for all Bitly accounts on the source code repository and began the process of securing the system against any additional vulnerabilities.”

Bitly does not say whether an insider is suspected. What the statement does say is that an employee’s account on Bitly’s hosted source code repository was accessed without authorisation, and that this repository held the credentials for the offsite database backup storage, so one compromised developer account was enough to reach the backups. Bitly says they have rotated the credentials for the backup storage, enforced two-factor authentication on all third-party services and enabled “detailed logging” on the offsite backup systems. No production systems were compromised, and there is no risk of current bit.ly links being redirected or deleted. The lesson for anyone running a similar setup: secrets such as backup storage credentials do not belong in a source repository, and every account that can read that repository needs two-factor authentication.

Source: Bitly blog


A message.

Hello visitor.

My name is Curtis Parfitt-Ford, and I am the co-founder and CEO of malwareZero. The malwareZero site has been offline now for several weeks, due to our web hosting provider ceasing to provide us with service and to personal issues on my part, and I would like to profusely apologise. Believe me, the malwareZero team have been working hard on getting the site back up whilst we were away, and have made a few additions to our team along the way. We have some exciting stuff planned, believe me!

Watch this space, and keep believing. Your PC is not a place where malware is welcome.




WiFi – risks in every wave

The availability of Wi-Fi hotspots in major cities around the world has made laptops and even smartphones truly mobile computers. People who are always on the go, such as business travellers, benefit from this because they can access their e-mail and other information from any place where these hotspots are

However, in spite of the convenience that Wi-Fi brings, there is also a risk involved in using it.

Most Wi-Fi hotspots are unsecured: they send traffic over the air unencrypted, so data sent through them can be read by anyone on the same network who has the right tools. A packet sniffer is the classic example of such a tool, and it takes no special skill to run. Even a hotspot with a password is only as private as that password; where the key is printed on the café wall, anyone who has it can decrypt the other customers’ traffic as well. Unsecured networks are also called ‘poisoned hotspots’ because of the penchant of hackers and identity thieves for stealing other people’s sensitive information on them.

The good news is that there are several things users can do to protect themselves. One is to turn off file sharing on the computer before connecting to a hotspot; this stops other users on the network from seeing what is in your shared folders and tampering with it. Another is to turn on the computer’s personal firewall, which restricts traffic to and from the computer. This is an important tool that people shouldn’t go without, and there are a number of good free firewalls available, so there’s no reason not to use one.

Finally, if you are within range of a hotspot but don’t want to connect to it, disable the wireless adapter. This prevents the computer from unwittingly sending out data that others may sniff.

Note that none of these steps hides what you send once you are connected; for that the traffic itself has to be encrypted, which in practice means sticking to HTTPS sites or running a VPN over the hotspot. There are other ways to protect yourself in Wi-Fi hotspots along with the ones mentioned above. Check them out and have a more secure hotspot
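To make the “anyone with the right tools can read it” point concrete, here is a small sniffer-style parser I have added for this post (it is not code from the original article). It walks a raw Ethernet/IPv4/TCP frame, pulls out the TCP payload and extracts anything that looks like a plaintext HTTP credential: a Basic auth header or a form field named password. The frames, addresses, hostnames and passwords are all constructed sample data; a real tool would read frames from a capture file or a wireless adapter in monitor mode instead of from `build_frame`. The TLS frame at the end yields nothing, which is the whole argument for HTTPS on an open network.

```python
import base64
import struct
from urllib.parse import unquote

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6

def build_frame(payload, dst_port=80):
    """Construct a minimal Ethernet/IPv4/TCP frame carrying `payload`.
    MAC and IP addresses and ports are sample values made up for this example."""
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("112233445566") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", 52000, dst_port, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, PROTO_TCP, 0,
                     bytes([192, 168, 1, 10]), bytes([93, 184, 216, 34]))
    return eth + ip + tcp + payload

def parse_frame(frame):
    """Walk the Ethernet, IPv4 and TCP headers; return (src_ip, dst_ip, dst_port, payload) or None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    if ip[9] != PROTO_TCP:                        # protocol field
        return None
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    dst_port = struct.unpack("!H", tcp[2:4])[0]
    data_offset = (tcp[12] >> 4) * 4              # TCP header length in bytes
    return src_ip, dst_ip, dst_port, tcp[data_offset:]

def extract_credentials(payload):
    """Pull secrets out of a plaintext HTTP request: Basic auth headers and
    form fields named password/passwd/pass. A TLS payload carries no such
    text, so it yields nothing; that is exactly why HTTPS matters on an open network."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return []
    found = []
    head, _, body = text.partition("\r\n\r\n")
    for line in head.split("\r\n"):
        if line.lower().startswith("authorization: basic "):
            token = line.split(" ", 2)[2].strip()
            found.append(("basic", base64.b64decode(token).decode("utf-8", "replace")))
    for field in body.split("&"):
        name, _, value = field.partition("=")
        if name.lower() in ("password", "passwd", "pass"):
            found.append(("form", unquote(value)))
    return found

def sniff(frames):
    """Run every captured frame through the parser; return each credential seen and where it was going."""
    seen = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_ip, dst_ip, dst_port, payload = parsed
        for kind, secret in extract_credentials(payload):
            seen.append((src_ip, dst_ip, dst_port, kind, secret))
    return seen

if __name__ == "__main__":
    # Constructed capture: a Basic-auth request, a login form, and a TLS record (unreadable).
    capture = [
        build_frame(b"GET /mail/ HTTP/1.1\r\nHost: webmail.example\r\n"
                    b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
        build_frame(b"POST /login HTTP/1.1\r\nHost: shop.example\r\n"
                    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                    b"user=bob&password=s3cret%21"),
        build_frame(b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00", 443),
    ]
    for hit in sniff(capture):
        print(hit)
```

Running it prints the two plaintext logins and nothing for the HTTPS connection. Turning off file sharing and enabling a firewall does not change this picture at all; only encrypting the traffic does.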


Hackers make genuine WordPress sites launch a DDoS

Attackers have used over 162,000 legitimate WordPress sites to flood another site with traffic, says Sucuri Security.

By default, a WordPress feature called XML-RPC (XML Remote Procedure Call) is turned on. It lets the owner manage and post to the site remotely, from a mobile app for instance, but its methods are reachable by anyone on the Internet, not just the owner, and that is what the attackers abused: each of those sites was made to send requests to the victim, which one unfortunate site learned about when it was hit with “hundreds of requests per second”.

The general public need not be concerned, as this only affects websites. If you do run a WordPress site, though, disable XML-RPC unless you have a very good reason for keeping it on (the WordPress mobile apps and Jetpack are the usual reasons), and if you keep it, watch your access logs for bursts of POSTs to xmlrpc.php. All sites should employ a WAF such as Sucuri or CloudFlare. I would specifically recommend CloudFlare because it has many other benefits apart from a WAF.
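The post does not name the XML-RPC method involved; Sucuri’s own write-up identified it as pingback.ping, and the example below assumes that. This is code I have added here, not anything from the original post or from WordPress: a log check that counts POSTs to xmlrpc.php per client address (how a site owner would notice their blog being driven as a reflector), and a decoder for the pingback body showing why the victim ends up in the sourceURI parameter. Log lines, hostnames and addresses are constructed sample data.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Apache/nginx "combined" log layout: client ident user [time] "request" status bytes ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def xmlrpc_posts_per_source(lines):
    """Count POSTs to /xmlrpc.php per client address. A site in normal use sees a
    trickle from its owner's app; a controller firing pingback requests shows up as a burst."""
    counts = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?")[0].endswith("/xmlrpc.php"):
            counts[m["ip"]] += 1
    return counts

def flag_abusers(lines, threshold):
    """Return {ip: count} for every source at or above `threshold` xmlrpc.php POSTs."""
    return {ip: n for ip, n in xmlrpc_posts_per_source(lines).items() if n >= threshold}

def pingback_victim(body):
    """Decode a pingback.ping call. WordPress fetches the *sourceURI* to verify that it links
    to targetURI, so an attacker who puts the victim's URL in sourceURI turns the blog into a
    proxy that hits the victim. Returns (source_uri, target_uri), or None for other methods."""
    root = ET.fromstring(body)
    if root.tag != "methodCall" or root.findtext("methodName") != "pingback.ping":
        return None
    params = [v.text or "" for v in root.findall("./params/param/value/string")]
    if len(params) != 2:
        return None
    return params[0], params[1]

# Constructed sample log: one source hammering xmlrpc.php, one ordinary reader.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"
203.0.113.7 - - [10/Mar/2014:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"
203.0.113.7 - - [10/Mar/2014:12:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"
198.51.100.3 - - [10/Mar/2014:12:00:02 +0000] "GET /2014/03/hello-world/ HTTP/1.1" 200 8120 "-" "-"
198.51.100.3 - - [10/Mar/2014:12:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"
""".splitlines()

# Constructed pingback body of the kind sent to each reflecting blog.
SAMPLE_PINGBACK = """<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>http://victim.example/</string></value></param>
    <param><value><string>http://blog.example/2014/03/hello-world/</string></value></param>
  </params>
</methodCall>"""

if __name__ == "__main__":
    print(flag_abusers(SAMPLE_LOG, threshold=3))
    print(pingback_victim(SAMPLE_PINGBACK))
```

On the WordPress side, the clean way to switch the interface off is the `xmlrpc_enabled` filter (returning false), or the `xmlrpc_methods` filter if you only want to drop the pingback methods and keep the rest for your mobile app.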


Flexcoin – flexing Bitcoins to their limit

No doubt everyone reading this has heard about the recent Mt. Gox hack scandal, which is hardly good press for Bitcoin. The situation has since got worse: another Bitcoin-related site, this time Flexcoin, the “world’s first Bitcoin bank”, has been hacked and forced to shut down. Their homepage now reads:

On March 2nd 2014 Flexcoin was attacked and robbed of all coins in the hot wallet. The attacker made off with 896 BTC, dividing them into these two addresses:



As Flexcoin does not have the resources, assets, or otherwise to come back from this loss, we are closing our doors immediately.
Users who put their coins into cold storage will be contacted by Flexcoin and asked to verify their identity. Once identified, cold storage coins will be transferred out free of charge. Cold storage coins were held offline and not within reach of the attacker. All other users will be directed to Flexcoin’s “Terms of service” located at “Flexcoin.com/118.html” a document which was agreed on, upon signing up with Flexcoin.

Flexcoin will attempt to work with law enforcement to trace the source of the hack.

The two addresses that received the coins (1NDkevapt4SWYFEmquCDBSf7DLMTNVggdu and 1QFcC5JitGwpFKqRDd9QNH3eGN56dCNgy6) have since been emptied, with the loot split across tens, if not hundreds, of other addresses. We’ll keep you posted as and when we get further information.

These attacks are making people seriously worried about using Bitcoin. The way Bitcoin works as a peer-to-peer network is explained in this video. Bear in mind, though, that in both cases the money was taken from services holding coins on users’ behalf, not from the network as such; a peer-to-peer design does not by itself make flaws easy to exploit. Mt. Gox, for its part, blames a bug in Bitcoin itself, stating on its site:

…illegal access through the abuse of a bug in the bitcoin system resulted in … a possibility that bitcoins had been illicitly moved through the abuse of this bug – MtGox Co.

For anyone concerned about using Bitcoin, I would recommend moving your BTC to a wallet you host yourself; then, if a wallet provider goes the way of Flexcoin and Instawallet, you will not be affected and your funds stay put. The trade-off is that you become responsible for backing up and securing that wallet file yourself.


Update (4th March):

During the investigation into stolen funds we have determined that the extent of the theft was enabled by a flaw within the front-end.

The attacker logged into the flexcoin front end from IP address under a newly created username and deposited to address 1DSD3B3uS2wGZjZAwa2dqQ7M9v7Ajw2iLy

The coins were then left to sit until they had reached 6 confirmations.

The attacker then successfully exploited a flaw in the code which allows transfers between flexcoin users. By sending thousands of simultaneous requests, the attacker was able to “move” coins from one user account to another until the sending account was overdrawn, before balances were updated.

This was then repeated through multiple accounts, snowballing the amount, until the attacker withdrew the coins.

Flexcoin has made every attempt to keep our servers as secure as possible, including regular testing. In our ~3 years of existence we have successfully repelled thousands of attacks. But in the end, this was simply not enough.

Having this be the demise of our small company, after the endless hours of work we’ve put in, was never our intent. We’ve failed our customers, our business, and ultimately the Bitcoin community.

Please direct any and all questions to [email protected] and we will reply to you as soon as possible.
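What Flexcoin describe in the update above is a textbook race condition: the transfer code read a balance, checked it, and only afterwards wrote the debit, so thousands of simultaneous requests all saw the same pre-transfer balance. The example below is mine, added for this post; it is not Flexcoin’s code, which was never published. It models their account table with an in-memory dictionary and shows the check-then-act transfer next to a version that does the check and the update as one atomic step. The account names and amounts are made up, and a barrier is used to line the requests up so that the race reproduces deterministically in Python (in a real web app the database round-trips provide the window for free).

```python
import threading

class Ledger:
    """In-memory stand-in for an exchange's account table (constructed for this example)."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.lock = threading.Lock()

def transfer_vulnerable(ledger, src, dst, amount, sync=None):
    """Check-then-act transfer, the pattern Flexcoin describes: read the balance, check it,
    then write the debit as three separate steps. Any request that reads between this
    request's read and its write sees the old, still-sufficient balance."""
    available = ledger.balances[src]              # 1. read
    if sync is not None:
        sync.wait()                               # hold until every request has read (makes the race deterministic)
    if available < amount:                        # 2. check a value that is now stale
        return False
    ledger.balances[src] = available - amount     # 3. debit computed from the stale read
    with ledger.lock:                             # the credit is serialised so only the debit race is on show
        ledger.balances[dst] += amount
    return True

def transfer_safe(ledger, src, dst, amount, sync=None):
    """Check and update as one atomic step. In SQL the same guarantee comes from a single
    conditional statement, e.g.
        UPDATE accounts SET balance = balance - :amt WHERE id = :src AND balance >= :amt
    with 'zero rows changed' treated as insufficient funds. `sync` is ignored; it only
    exists so both versions can be called the same way."""
    with ledger.lock:
        if ledger.balances[src] < amount:
            return False
        ledger.balances[src] -= amount
        ledger.balances[dst] += amount
        return True

def flood(transfer, ledger, src, dst, amount, requests, align=False):
    """Fire `requests` simultaneous transfers of `amount` from src to dst, as the attacker did.
    Returns (number of transfers the server accepted, final balances)."""
    barrier = threading.Barrier(requests) if align else None
    accepted = []
    def worker():
        accepted.append(transfer(ledger, src, dst, amount, sync=barrier))
    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(accepted), dict(ledger.balances)

if __name__ == "__main__":
    # The attacker deposits 100, then sends 10 simultaneous requests to move 60 each.
    ok, final = flood(transfer_vulnerable, Ledger({"attacker": 100, "mule": 0}),
                      "attacker", "mule", 60, 10, align=True)
    print("vulnerable:", ok, "accepted, balances", final)   # 10 accepted: 600 credited from a 100 deposit
    ok, final = flood(transfer_safe, Ledger({"attacker": 100, "mule": 0}),
                      "attacker", "mule", 60, 10)
    print("safe:      ", ok, "accepted, balances", final)   # 1 accepted
```

The vulnerable version accepts all ten transfers and credits 600 to the mule account from a 100 deposit, which is the “snowballing” Flexcoin describe; the sender’s balance never even goes negative because every request writes the same stale result. The safe version accepts exactly one. Note that “regular testing” of the kind Flexcoin mention rarely catches this, because a single request at a time always behaves correctly.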


Linksys routers infected by malware

A worm, dubbed “The Moon” by security researchers, has infected many Linksys routers (the consumer networking brand that Cisco sold to Belkin in 2013).

The worm infects routers that have the Remote Management Access feature enabled. For novice users it is hard to detect, let alone remove: some may not even know what a router is, routers don’t run antimalware software, and so far the worm doesn’t appear to do anything visible beyond spreading itself to other routers. That is no reason to be complacent, though: a network of infected routers is a botnet waiting for orders. Linksys is aware of the problem and has published a guide to prevention and removal here. Anyone with an affected model, whether or not they know it is infected, should follow the steps Linksys provides; since the worm gets in through Remote Management Access, turning that off (or restricting it to trusted addresses) is the first thing to do, and it is worth checking from outside your own network that the admin interface is no longer reachable.

This comes in the same week as a report from security firm Tripwire claiming that 80% of the top 25 routers on Amazon have security vulnerabilities as sold, which is worrying in its own right: if an operation like The Moon succeeds at scale, the resulting botnet would have enough power to pose a serious threat to the Internet.


Kickstarter kicked by hack attack

“We’re incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting.” – Yancey Strickler

This last week, Kickstarter (the online crowdfunding site) has come under fire after a portion of its customers’ data was stolen. The website, currently 566th in Alexa rank, was breached early last week, but the security flaws have been patched, says Kickstarter’s chief executive, Yancey Strickler, who wrote in a blog post: “We’re incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come. We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again.”

What was stolen?

According to Kickstarter, no credit card data was accessed; what was accessed includes usernames, email addresses, postal addresses and phone numbers. Password hashes were also taken. Kickstarter’s announcement calls the passwords “encrypted”, but what is stored is a salted hash, and a hash does not protect a weak password: anyone with the dump can guess candidates offline at whatever speed their hardware allows, so a short or common password should be treated as exposed.
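Both this post and the Bitly one above say that leaked hashed passwords “could be cracked”; this added example (my code, not Kickstarter’s or Bitly’s) shows what that actually means. It runs an offline dictionary attack against two constructed “leaked” rows with the same salt and password: one hashed with a single salted SHA-1, one with PBKDF2 at 100,000 iterations standing in for bcrypt. The wordlist, salt and usernames are made up; the point is that the attack is identical in both cases and only the cost per guess differs, which is why a slow hash and a password that is not in any wordlist are the two things that keep a leaked hash from becoming a leaked password.

```python
import hashlib

ITER = 100_000   # PBKDF2 iteration count used for the "slow" rows in this example

def fast_hash(password, salt):
    """Single salted SHA-1: cheap to compute, hence cheap to brute-force."""
    return hashlib.sha1(salt + password.encode()).hexdigest()

def slow_hash(password, salt, iterations=ITER):
    """PBKDF2-HMAC-SHA256: a deliberately slow, salted hash (stand-in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def crack(target_hex, salt, wordlist, hasher):
    """Offline dictionary attack: hash every candidate with the leaked salt and compare.
    Returns (recovered password or None, number of candidates hashed)."""
    tried = 0
    for candidate in wordlist:
        tried += 1
        if hasher(candidate, salt) == target_hex:
            return candidate, tried
    return None, tried

def cracking_cost(wordlist_size, iterations):
    """Underlying hash invocations an attacker pays per account for one full wordlist pass."""
    return wordlist_size * iterations

# Constructed wordlist and "leaked" rows of the form (username, salt, hash).
WORDLIST = ["123456", "password", "letmein", "qwerty", "hunter2", "correct horse battery staple"]
SALT = bytes.fromhex("9f1c3a7b5e2d4c60")
LEAK_FAST = ("alice", SALT, fast_hash("letmein", SALT))
LEAK_SLOW = ("bob", SALT, slow_hash("letmein", SALT))

if __name__ == "__main__":
    user, salt, digest = LEAK_FAST
    print(user, crack(digest, salt, WORDLIST, fast_hash))
    user, salt, digest = LEAK_SLOW
    print(user, crack(digest, salt, WORDLIST, slow_hash))
    print("hash invocations per account, SHA-1:", cracking_cost(len(WORDLIST), 1),
          "PBKDF2:", cracking_cost(len(WORDLIST), ITER))
```

Both rows fall on the third guess; the SHA-1 row costs three hash calls, the PBKDF2 row three hundred thousand. Scale the wordlist up to the billions of candidates a real cracking rig tries and the iteration count is the difference between hours and years per account, but no iteration count helps a password that is in the first few lines of the list.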

What should I do?

Official advice is to change your Kickstarter password and the password on any other site where you used the same one, and to use a different password for every site from now on.

Has something happened to my account?

No, except for two users, who have been made aware of the situation and “have had their accounts secured”. There was no unauthorised activity on any other accounts.