STE WILLIAMS

Sure, you might have bought the car, but does someone else control it?

Smart cars can be pretty stupid. Thanks to the Internet of Things (IoT), they collect data about you and your driving habits with cloud-based services.

Then, they swap that data back and forth with apps that can control brakes, accelerators, radios, horns and windshield wipers, to lesser or greater degrees of “Holy mackerel, a remote hacker’s steering us into a ditch!!”

That would be à la auto hackers Charlie Miller and Chris Valasek and the car models that the security pros persist in, well, driving into a ditch.

Now, an IBM researcher has pointed out that thanks to the smart mobile apps used to unlock a car with your phone, honk the horn and find out its precise location, you can control your car years after you sell it – even if you remove your personal information from the car’s services before you sell it back to the dealership.

The researcher, Charles Henderson, heads up IBM’s penetration testing service X-Force Red. At RSA 2017 last week, Henderson gave a presentation on how the lack of IoT security through a device’s lifecycle isn’t just a smart car problem. It’s a smart everything problem.

When it comes to IoT devices designed for convenience, be it for homes or cars, long-term security is “often overlooked or ignored completely,” he said in his IoT: End of Days session.

Like gum your kid stuck under a seat, that lack of security follow-through is going to stick to an IoT device when it’s sold, Henderson said:

[It] can lead to ongoing problems such as transfer of ownership, unsupported/zombie devices, weak authentication between IoT platforms, and protocol exploits.

His recent research has shown that nobody’s really paying attention to these devices once their original owners pass them on. The manufacturers, and the security industry, have focused on the initial provisioning of the devices, but they’ve forgotten that the IoT isn’t disposable.

It’s resold, it’s transferred … [and] almost no one’s paying attention to the back end of the ownership lifecycle.

That goes for home automation and smart cars alike. CNN quotes Henderson:

The car is really smart, but it’s not smart enough to know who its owner is, so it’s not smart enough to know it’s been resold. There’s nothing on the dashboard that tells you ‘the following people have access to the car’.

Henderson declined to name the make or model of the car in question, but it might not matter all that much, given that the problem seems to be rife: he’s found that cars from four major manufacturers all have apps that allow previous owners to access them from a mobile device.

Henderson was inspired to research IoT security vis-à-vis product lifecycle when he traded in his smart car three years ago. When he traded the car back to the dealership, he thought he had wiped it clean of his personal information. He did a full factory reset on the entertainment unit to wipe his phone number and other details, for example.

The dealership made sure it had all the keys, even checking to see whether additional keys had been issued. But that’s easy: physical security was something the dealer understood.

Cybersecurity? Not so much. Henderson was able to control the car through a mobile app for years. He told CNN that was because only the dealership that originally sold the car can see who has access and manually remove someone from the app. A full factory reset won’t revoke mobile access, Henderson said. While a factory reset wipes local data off a mobile phone so it can be resold, IoT devices store information in the cloud, on servers far away that the original owner can’t get at.

It’s not that auto manufacturers can’t let users wipe the data. It’s that they don’t want to, Henderson said: they fear that users might not do it right, or that anybody – say, a valet – who gets access to the car might revoke the owner’s access.

The explanation we were given was fear of user error. But a PIN system for reset or an authentication-required reset system would be my suggestion.

Owner data can be retained in other IoT devices as well, be they refrigerators, home security systems or connected lightbulbs.

Henderson passed on a number of tips we can use to protect ourselves when we buy used smart stuff:

  • Always check who can access data through user management settings on smart devices.
  • If you buy a home with smart appliances, ask a home inspector who understands security to check them out first.
  • Always ask car dealerships to show you how mobile apps work and to confirm any previous owners are no longer on the app.

Henderson says that users who aren’t tech-savvy might want to consider just buying brand-new gadgets and staying away from the second-hand IoT market.

Only buy new?! Makes my skinflint skin crawl at the thought of it.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/byKVoDN31es/

Facebook rapped for dragging its feet on pictures stolen for ‘like-farming’

As Naked Security readers will already know, Facebook has been plagued over the years by fake content of various types. But which represents the biggest problem for users?

Most people would point to the scourge of fake news after a year when the platform has faced constant criticism for distributing made-up stories that just might even have warped the US election.

But less fashionable cons can be just as taxing, such as the tale of a British woman who this week complained to Facebook about a “like farming” scam that used stolen images to falsely claim that her young son was suffering from cancer (the malady was severe chickenpox).

The posting was only one from a Facebook account using the identity Pooran Singh that showed numerous upsetting images culled from elsewhere on the web with the message that Facebook would donate money if they liked or shared it.

Surprisingly, many did, up to 1.2m sharing this piece of content alone for an account with more than 39,000 followers. Clearly, this sort of con fools enough people enough of the time to make it worth the scammers’ effort.

This bogus content format has been a problem on Facebook for years without anyone, including at times Facebook, paying much attention. Its purpose is to attract gullible followers and appreciation, which is then exploited to promote all sorts of web frauds.

In 2014, the company launched a crackdown of sorts on like-farming, with Matt Jones of Facebook offering the following description of the initiative:

Our abuse-fighting team builds and constantly updates a combination of automated and manual systems that help us catch suspicious activity at various points of interaction on the site, including registration, friending, liking, and messaging.

And yet in 2017 the service clearly still has a problem spotting a string of obviously bogus posts farming likes on an agricultural scale. A separate issue is Facebook’s response when the post was brought to its attention.

The boy’s mother told the BBC she had reported the matter to the company several times, which suspended it hours later after the story appeared on the BBC website. The next day it had returned. Facebook has since apologised for failing to stop the account from being reinstated.

When Naked Security checked, the child cancer posting was no longer on the site, although similar ones by an account bearing the same name were still visible. As the mother said: “What’s so disgusting [is] it’s not just Jasper’s pictures but 100 of other people’s families as well.”

And the relevance of this for curbing fake news? CEO Mark Zuckerberg recently promised to hire more fact checkers to flush out the story fakers. This week’s surprisingly flat-footed response to a relatively straightforward like farming complaint suggests people shouldn’t get their hopes up.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/BcDsvYaxmwo/

News in brief: pushback on Pirate Bay ban; course in fake news; autonomous Ubers get passengers

Your daily round-up of some of the other stories in the news

ISPs push back against Pirate Bay ban

In the latest twist to the legal manoeuvres in Sweden to get ISPs to block access to the torrenting site The Pirate Bay, Swedish ISPs are pushing back against a court ruling. Sweden’s Patent and Market Court ruled last week that ISP Bredbandsbolaget must block TPB in a lawsuit brought in 2014 by Universal Music, Sony Music, Warner Music, Nordisk Film and the Swedish film industry.

Other Swedish ISPs have said they won’t be treating the ruling against Bredbandsbolaget as one they must follow: ISP Telia said that “we will not block if we are not forced to do so by a court”.

Telia’s response came after Bahnhof, another ISP, said the lawsuit signals “the death throes” of the copyright industry. TorrentFreak reported that it had hinted that it might offer some kind of workaround to its customers.

University offers lectures in fighting fake news

As the fight against “fake news” gears up, a university in the US has stepped in with a 12-week course in how to identify and refute fake news.

Two professors, Carl Bergstrom and Jevin West, will be offering lectures at Seattle’s University of Washington in “statistical traps and trickery”, as well as data visualisation, the problems of predatory publishing and scientific misconduct, and in the ethics of calling out fake news.

The course will run from next month and the professors say they hope to be able to record and share videos of their lectures.

Uber puts self-driving cars on the road for passengers

Just two months after Uber pulled its tests of self-driving cars from San Francisco and moved its fleet of autonomous vehicles to Arizona, where they were welcomed with open arms, Uber has launched a self-driving pilot scheme.

Passengers in Tempe, Arizona, who order an UberX, could find themselves passengers in a self-driving car after state governor Doug Ducey became the first passenger in the pilot scheme.

Ducey told the Phoenix News that his ride was “very safe and smooth”. Earlier he had said that “Arizona welcomes Uber self-driving cars with open arms and wide-open roads.”



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/60gZUTwRHVU/

Global spam drops by more than half – now what?

Thanks to Brett Cove of SophosLabs for his behind-the-scenes work on this article.

You might not have noticed, but the amount of spam being sent globally has fallen off dramatically recently.

We aren’t talking about phishing emails, cheap viagra pills and endless surveys where you can win an iPhone that doesn’t exist – those are still spamming inboxes the world over.

We’re talking about the sort of malicious spam that plagues you with information about missed parcel deliveries, fake CVs (resumes) and invoices for services you didn’t use in the hope of tricking you into opening malicious attachments to spread ransomware like Locky or banking Trojans like Dridex.

These attachments come in a variety of forms, such as Microsoft Word or Excel documents laced with malicious macros, or more recently JavaScript (.JS) and Windows Script Files (.WSF). The attachments usually follow a similar formula: if you run them, they call home to a server controlled by the crooks and download a malware sample to infect you with, or these days even multiple malware samples.

Something strange has happened in the world of spam, though.

Since just before Christmas 2016, spam levels have dropped by more than half. We have seen outages like this before, but this one has lasted two months now with no sign of spam levels increasing again, although we assume they will at some point.

The chart below represents the spam levels seen in the Sophos spamtrap network, plotted daily, going back to the end of November 2016:

As you can see, the spiky shape of the graph ended just before Christmas 2016 and has not been seen again. (It is also interesting to note that spam levels routinely increased during the working week, from which we assume that even cybercriminals don’t like to work at weekends.)

To rule out the possibility of this being caused by an issue with our own infrastructure, we also looked at publicly available data from CBL, the Composite Blocking List, used by Spamhaus, giving us a graph with a similar shape:

[Chart: spam volume as seen by the Spamhaus CBL]

The reason for this has not been conclusively proven, but the evidence points to a notorious botnet called Necurs going quiet.

Necurs is considered by some as the largest botnet ever, with some estimates indicating it consists of more than 6,000,000 infected computers. The majority of infected computers seem to be in India, but almost every country in the world seems to be affected by this malware, with the notable exception of Russia – the Necurs malware deliberately avoids infecting computers set up to use a Russian keyboard.

Interestingly, spam levels also dropped back in June 2016, but Necurs was back to full strength less than a month later, delivering a new version of Locky.

Why Necurs has gone quiet this time, and how long the “outage” will last, is unknown, as of course is when or if it will return to its former volume.

What we do know is that this hasn’t stopped users being targeted by Locky ransomware or other malware delivered via dodgy attachments or booby-trapped web links, despite the dramatic drop in spam volume depicted above.

We also know that the Necurs botnet isn’t completely dead, just very much quieter than it was. In other words, if your computer is part of the Necurs botnet, it’s still infected, it’s still awaiting instructions, and it could receive a command to wake up and start sending spam again in the future.

What to do?

For starters, make sure your computer isn’t helping the crooks:

  • Keep your anti-virus up-to-date.
  • Install the latest security patches promptly.
  • Be cautious about the attachments you open, the programs you install and the web links you trust.

Additionally, if you are a sysadmin looking after your organisation’s email security, be sure to turn on outbound spam scanning. (You’ll be surprised how many companies don’t bother checking outgoing email, treating spam as a purely inbound problem – even though all inbound spam rather obviously started life as outbound spam.)

If you have zombie computers on your network that are sending out spam, you want to know about it!

After all, some of that spam might be targeting your own business, thus creating a vicious circle of infection.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/YLRBZlABnpI/

Privacy concerns over gaps in eBay crypto

eBay uses HTTPS on its most critical pages, such as those where payment or address information is entered, but a lack of encryption on several sensitive pages still poses a concern for the privacy conscious.

Many pages on the site, which require user input or contain their personal info, are not HTTPS encrypted, according to security experts. The online auction house acknowledges the point but said it was in the process of making encryption ubiquitous across the site.

More specifically eBay does not currently use HTTPS on the My eBay dashboard, nor on business-to-customer message pages. A VPN can mitigate the risks that arise from the lack of HTTPS on these pages.

El Reg learnt of the issue from Mark Richards, a former eBay contractor who worked in Gumtree (eBay classifieds group) in the UK turned whistleblower, who is campaigning on the issue. Richards has documented his concerns in a series of blog posts (here and here) as well as unsuccessfully attempting to get action by approaching the internet giant through social media (here and here).

“eBay has been told repeatedly by customers that they are sending confidential information over HTTP,” Richards told El Reg.

Two independent security experts have verified Richards’ concerns.

In a statement, eBay said it was in the process of expanding the use of encryption across its site. It said secondary controls it had in place would help protect users in the meantime.

eBay protects all pages that involve sensitive information with authentication and authorization controls. All critical flows that involve sensitive data are delivered over SSL (HTTPS).

This incorporates the login flows but also further critical flows like registration, payment and critical updates to users’ profiles. Additionally, eBay has deployed a myriad of proprietary technologies to detect and prevent attempts of account misuse.

These technologies run behind the scenes to protect our users’ accounts against any illegitimate access. We are continuously investing at large scale into the security of our site. This includes the further development of our technologies to identify and prevent attempts of account misuse, as well as the expansion of SSL usage on our site, which is a key priority for eBay.

As things stand consumers need to be careful when accessing their account activity, personal information and stored messages. When customers send and receive messages from sellers, for example, their communications are not sent over a private channel.

A user would log into eBay using their details over a secure connection, but once they navigate to the “My eBay” part of the site they are no longer connected using an encrypted connection.

“The worrying thing for me is that anyone can intercept all of my buying habits or even intercept my communications to a seller,” a third-party software development expert told El Reg.

A hacker on the same network could intercept and read messages sent through eBay. The same class of trickery could be used to send messages ostensibly from a user’s account, technology comparison site Comparitech.com warns.
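The failure mode described above (a session established over HTTPS, then carried on to plain-HTTP pages) can be audited from a recorded browsing trace. This is an added example, not code from the article, from eBay or from Comparitech; the hostnames and cookie values are constructed, and the trace format is an assumption of this example.

```python
"""Audit a browsing trace for session cookies that were issued over HTTPS
and later sent over plain HTTP, the pattern described in the article:
login on an encrypted page, then an unencrypted dashboard or message page."""
from urllib.parse import urlsplit

# Constructed trace (not real traffic): each record is
# (request URL, names of cookies the client sent, Set-Cookie headers in the response).
SAMPLE_TRACE = [
    ("https://signin.example.test/login", [],
     ["sess=abc123; Path=/; HttpOnly", "pref=en; Path=/"]),
    ("https://www.example.test/home", ["sess", "pref"], []),
    ("http://my.example.test/dashboard", ["sess", "pref"], []),   # HTTP after login
    ("http://my.example.test/messages", ["sess"], []),            # HTTP after login
]


def parse_set_cookie(header: str):
    """Return (cookie name, set of lower-cased attribute names) from a Set-Cookie header."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return name, attrs


def audit_trace(trace):
    """Return findings as (kind, cookie name, URL) tuples.

    kind is 'missing-secure-flag' when a cookie is issued over HTTPS without
    the Secure attribute (so the browser is allowed to send it over HTTP), or
    'cookie-downgraded' when a cookie issued over HTTPS is actually sent over HTTP."""
    issued_over_https = {}  # cookie name -> True if it was set on an https:// response
    findings = []
    for url, sent_cookies, set_cookie_headers in trace:
        scheme = urlsplit(url).scheme.lower()
        for header in set_cookie_headers:
            name, attrs = parse_set_cookie(header)
            issued_over_https[name] = (scheme == "https")
            if scheme == "https" and "secure" not in attrs:
                findings.append(("missing-secure-flag", name, url))
        if scheme == "http":
            for name in sent_cookies:
                if issued_over_https.get(name):
                    findings.append(("cookie-downgraded", name, url))
    return findings


if __name__ == "__main__":
    for kind, name, url in audit_trace(SAMPLE_TRACE):
        print(f"{kind:20s} {name:6s} {url}")
```

A cookie carrying the Secure attribute would never appear in the `sent_cookies` list of an http:// request, so the second finding only arises when the first one is present.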

The tech site goes on to suggest that eBay’s lack of encryption on these pages could be insufficient to meet data privacy standards, including the upcoming GDPR.

El Reg expects eBay to comply with relevant data protection regulations as part of its normal business process.

Complaints have been raised alleging that eBay fails to meet current data protection regulations. El Reg understands these complaints are still under consideration and should therefore be treated as unconfirmed. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/22/ebay_crypto_privacy_concerns/

Blundering Boeing bod blabbed spreadsheet of 36,000 coworkers’ personal details in email

Global aerospace firm Boeing earlier this month sent a notification to Washington State Attorney General Bob Ferguson, as required by law, about a company employee who mistakenly emailed a spreadsheet full of employee personal data to his spouse in November, 2016.

The spreadsheet, sent to provide the employee’s spouse with a formatting template, contained the personal information of roughly 36,000 other Boeing employees, including Social Security numbers and dates of birth, in hidden columns. Some 7,288 of the affected employees resided in Washington State.

Had the company been using the data loss protection (DLP) software it makes, Boeing might not now be in the position of offering two-year subscriptions to Experian’s identity theft protection service to tens of thousands of employees.

Boeing sells a Windows-based DLP application called Cipher, through a partnership with Talisen Technology. “Proprietary or classified information can intentionally or accidentally be included in documents shared with others,” Boeing explains in the product literature. “Boeing programmers have created a superior product that can be used to ensure that hidden information is not inadvertently included in and transmitted with a file.”
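The kind of pre-send check such a tool performs (looking into columns the sender cannot see) can be written with the standard library alone, since an .xlsx file is a zip of XML parts. This is an added example, not Boeing’s Cipher product or any code from the article; the spreadsheet it scans is constructed in memory with made-up values and only contains the worksheet parts this scanner reads.

```python
"""Pre-send check for .xlsx files: report cells that look like Social Security
numbers or dates of birth, and whether they sit in a hidden column or row,
the way the 36,000-row template in the article carried its hidden data."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
DOB_RE = re.compile(r"^(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})$")


def col_index(ref: str) -> int:
    """Cell reference to 1-based column number: 'A1' -> 1, 'C2' -> 3, 'AA7' -> 27."""
    n = 0
    for ch in ref:
        if not ch.isalpha():
            break
        n = n * 26 + (ord(ch.upper()) - ord("A") + 1)
    return n


def _shared_strings(zf):
    """Shared-string table (cells with t="s" store an index into it)."""
    if "xl/sharedStrings.xml" not in zf.namelist():
        return []
    root = ET.fromstring(zf.read("xl/sharedStrings.xml"))
    return ["".join(t.text or "" for t in si.iter(f"{{{NS['m']}}}t"))
            for si in root.findall("m:si", NS)]


def _cell_text(cell, shared):
    kind = cell.get("t")
    if kind == "inlineStr":
        return "".join(t.text or "" for t in cell.iter(f"{{{NS['m']}}}t"))
    v = cell.find("m:v", NS)
    if v is None or v.text is None:
        return ""
    return shared[int(v.text)] if kind == "s" else v.text


def scan_xlsx(data: bytes):
    """Return findings as (worksheet part, cell ref, 'ssn' | 'dob', hidden?) tuples."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        shared = _shared_strings(zf)
        for part in sorted(zf.namelist()):
            if not part.startswith("xl/worksheets/sheet"):
                continue
            root = ET.fromstring(zf.read(part))
            hidden_cols = set()
            for col in root.findall("m:cols/m:col", NS):  # <col hidden="1"> ranges
                if col.get("hidden") in ("1", "true"):
                    hidden_cols.update(range(int(col.get("min")), int(col.get("max")) + 1))
            for row in root.findall("m:sheetData/m:row", NS):
                row_hidden = row.get("hidden") in ("1", "true")
                for cell in row.findall("m:c", NS):
                    text = _cell_text(cell, shared).strip()
                    kind = "ssn" if SSN_RE.match(text) else "dob" if DOB_RE.match(text) else None
                    if kind:
                        ref = cell.get("r")
                        findings.append((part, ref, kind, row_hidden or col_index(ref) in hidden_cols))
    return findings


# Constructed sample: columns C and D are hidden and hold the sensitive values.
SHEET1_XML = """<?xml version="1.0" encoding="UTF-8"?>
<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <cols><col min="3" max="4" width="0" hidden="1"/></cols>
  <sheetData>
    <row r="1">
      <c r="A1" t="inlineStr"><is><t>Name</t></is></c>
      <c r="B1" t="inlineStr"><is><t>Dept</t></is></c>
      <c r="C1" t="inlineStr"><is><t>SSN</t></is></c>
      <c r="D1" t="inlineStr"><is><t>DOB</t></is></c>
    </row>
    <row r="2">
      <c r="A2" t="inlineStr"><is><t>Example Person</t></is></c>
      <c r="B2" t="inlineStr"><is><t>Ops</t></is></c>
      <c r="C2" t="inlineStr"><is><t>123-45-6789</t></is></c>
      <c r="D2" t="inlineStr"><is><t>1980-01-02</t></is></c>
    </row>
  </sheetData>
</worksheet>"""
# Second sheet with a visible SSN-looking value, to show the hidden flag is per cell.
SHEET2_XML = ('<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
              '<sheetData><row r="1"><c r="A1" t="inlineStr"><is><t>987-65-4321</t></is></c>'
              '</row></sheetData></worksheet>')


def build_sample_xlsx() -> bytes:
    """Minimal constructed .xlsx (just the worksheet parts; not a file Excel would open)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/worksheets/sheet1.xml", SHEET1_XML)
        zf.writestr("xl/worksheets/sheet2.xml", SHEET2_XML)
    return buf.getvalue()


if __name__ == "__main__":
    for part, ref, kind, hidden in scan_xlsx(build_sample_xlsx()):
        print(f"{part} {ref}: {kind}{' (HIDDEN)' if hidden else ''}")
```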

Reached by phone and sounding rather surprised that a reporter would call her directly on the line included in the breach notification, Boeing’s deputy chief privacy officer Marie E Olson declined to answer whether the company was using its data protection software in this instance. She suggested taking the issue up with Boeing’s corporate communications department.

Not expecting much, The Register asked Boeing’s communications department whether the company ate its own security dog food. A company spokesperson said in an email, “We have notified all affected parties about the incident. We believe it is contained and the risk of harm is very low. I don’t have anything else to add.”

The Register then reached out to Gregory L Smith, a Boeing technical fellow and, as his LinkedIn profile says, “the innovator and developer behind the Cipher software application.” Smith explained in a brief phone interview that Boeing has thousands of copies of the software, but that it only mandates the product for classified work.

According to research conducted by IBM and the Ponemon Institute – presumably to incentivize the sale of security software and services – the average cost of a data breach reached $4 million in 2016 and the average cost per record came to $158. For Boeing then, the cost of that spreadsheet might be as high as $5.7 million. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/22/boeing_employee_emails_personal_info_36000_colleagues/

Border agents could be forced to get a warrant before searching devices

By pressuring travelers to hand over locked phones and the means to unlock them, US Customs Border Patrol (CBP) is “short-circuiting” well-established laws about how law enforcement is supposed to apply for warrants to get data from social media and email providers. That’s the view of Senator Ron Wyden as set out in his letter to John Kelly, secretary of homeland security.

In the letter, dated Monday, the senator said that he’s working on legislation that would require border agents to get a warrant before they can search devices. The legislation will also prohibit forcing travelers to reveal their account passcodes.

The checks and balances of the long-established warrant application process include giving an ISP or social media company the chance to ask that the terms of an overly broad warrant be narrowed, Wyden said.

As it is, the CBP’s “digital dragnets” are distracting the patrol from actual threats, he said:

These digital dragnet border search practices weaken our national and economic security. Indiscriminate digital searches distract CBP from its core mission and needlessly divert agency resources away from those who truly threaten our nation.

…as well as potentially causing businesses to cut back on nonessential employee travel, given fears that their business data may be seized when they cross the border.

That, in fact, is exactly what happened to a NASA employee recently.

As NASA engineer and US citizen Sidd Bikkannavar tells it, he flew back into the US on January 30. He claims that he was detained by CBP agents at the airport and pressured to hand over his NASA-issued phone and the PIN to get into it – even though it could have contained sensitive information relating to his employment at the space agency.

What Wyden’s after, essentially, is for the Constitution to enter border zones. As it is, border zones are commonly called “Constitution-free” in the US.

That’s not strictly true, as the ACLU notes. While Border Patrol agents don’t need a warrant – or even suspicion of wrongdoing – to conduct a routine search (say, of your car or your luggage), they still can’t pull anyone over without “reasonable suspicion” of an immigration violation or crime. Reasonable suspicion, as in, more than a hunch.

Still, search rules certainly are different from those outside these so-called ports of entry, which extend to within 100 miles of a land or coastal border and hence affect roughly two thirds of the US population.

Wyden says his legislation will guarantee that the Fourth Amendment – which protects Americans from random and arbitrary stops and searches – is respected at those border zones.

In his letter, Wyden had a series of questions for Homeland Security regarding what legal authority allows CBP to demand devices and passwords, and how often CBP has done so over the past five years.

Here’s the full list of his questions:

  1. What legal authority permits CBP to ask for or demand, as a condition of entry, that a US person disclose their social media or email account password?
  2. How is CBP use of a traveler’s password to gain access to data stored in the cloud consistent with the Computer Fraud and Abuse Act?
  3. What legal authority permits CBP to ask for or demand, as a condition of entry, that a US person turn over their device PIN or password to gain access to encrypted data? How are such demands consistent with the Fifth Amendment?
  4. How many times in each calendar year 2012-2016 did CBP personnel ask for or demand, as a condition of entry, that a US person disclose a smartphone or computer password, or otherwise provide access to a locked smartphone or computer? How many times has this occurred since January 20 2017?
  5. How many times in each calendar year 2012, 2013, 2014, 2015, and 2016 did CBP personnel ask for or demand, as a condition of entry, that a US person disclose a social media or email account password, or otherwise provide CBP personnel access to data stored in an online account? How many times has this occurred since January 20 2017?


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/0177fAGpwYw/

Google outs Windows flaw after Microsoft misses a patch deadline

Microsoft has been stung anew by Google’s Project Zero wasps after the latter’s researchers made public a Windows 10 vulnerability which has yet to be patched.

The flaw in the Windows GDI’s gdi32.dll was supposed to have been patched with last June’s MS-16-074 bulletin, but according to Project Zero researcher Mateusz Jurczyk, that fix was only partial.

Jurczyk resubmitted his vulnerability report on November 16, which gave Microsoft 90 days to issue a fix under Google’s Project Zero protocol for non-critical flaws. With no patch forthcoming by the cut-off, he felt justified in making the issue public.

Normally, this would be merely annoying for Microsoft if the date of the deadline, February 14, had not also been the day it unexpectedly pulled its regular monthly update (formerly Patch Tuesday) due to an unspecified “last-minute issue”.

Worse still, not only was dropping a patch day unprecedented in a system stretching back to 2003, but Microsoft unsettled customers by pulling it completely until March 14.

It’s not certain that a fix had been prepared for February but the long delay pushes it back by weeks unless an out-of-band patch is issued, something reserved only for serious flaws that are being exploited.

If Google embarrassing Microsoft over unpatched vulnerabilities sounds familiar, it is. Barely three months ago, the pair crossed swords after Google disclosed a zero-day flaw days in advance of a patch. As Microsoft’s Terry Myerson complained at the time:

We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.

Further back, in early 2015, barely six months after Google set it up, Project Zero was heavily criticised by Microsoft after it released details of a privilege escalation flaw in Windows 8.1 under its 90-day protocol even though a Patch Tuesday fix was due two days later.

Stung, Google revised its policy to allow for an extension of up to 14 business days where a fix was on its way.

These ongoing spats boil down to whether Google’s disclosure policy is in the interests of the public as opposed to the convenience of an affected vendor, in this case Microsoft.

Google works to three timescales: the 90-day rule applied to the latest vulnerability, which drops to 60 days if the flaw is rated critical, and seven days if it is being exploited.

As Google says in a 2015 blog, timescales are always a balancing act. The vendor must have some time but not too much or there is no incentive to issue a fix quickly.

US CERT/CC works to an even more aggressive 45-day policy, Yahoo 90 days, while TippingPoint’s old Zero Day Initiative (ZDI) assumed 120 days. Arguably, by this measure, Google is being overly generous. Google explained:

We’ve chosen a middle-of-the-road deadline timeline and feel it’s reasonably calibrated for the current state of the industry.

Microsoft has yet to respond to the latest Project Zero disclosure, but it could be that with an extraordinary one-month update delay to cope with, this is simply the least of its worries.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/96tgt0Q4Nfc/

Infosec firm NCC Group launches review over crap financials

Cybersecurity firm NCC Group has launched a strategic review after issuing a profit warning.

The company announced on Tuesday that the performance of its assurance division will be significantly lower than anticipated. This will hit its overall financial results for the full year ending 31 May, 2017.

NCC now expects that the full year adjusted EBITDA will be approximately 20 per cent below the £45.5m-47.5m range forecast on 13 December, 2016.

“The rate of sales growth and subsequent delivery in the assurance division in the third quarter to date has been lower than had been anticipated in both security consulting and software testing and web performance,” NCC said in a statement. “The reduction in expected sales and profitability in the third quarter has been seen in the UK, mainland Europe and North America.”

Sales are normally higher in the fourth quarter but any increases are highly likely to be offset by the shortfall in the rest of the year, NCC warned. Longer term NCC hopes to bring in extra sales as firms seek to achieve compliance with the General Data Protection Regulation ahead of the May 2018 deadline.

NCC’s escrow division remains on course for reaching its sales target but the deterioration in sales by the assurance division has prompted NCC to initiate a review of its operating strategy. The review will be led by the board, supported by externally appointed consultants, and expected to come out with preliminary findings before NCC announces its results in July 2017.

“NCC Group continues to firmly believe that the Assurance Division has significant growth prospects which it is determined to capture once the Group has reviewed its existing strategy and operations,” the firm concluded.

NCC shares were down a quarter from 126.50p overnight to 97p in London trading at the time of publication.

NCC Group’s chairman Paul Mitchell last month said he would be stepping down in May as the firm revealed it had been hit by the cancellation of three large contracts and the deferral of a fourth. The firm hasn’t indicated the root source of the problem. Speculation among analysts suggests it might be down to issues with renewing government contracts attached to forensics and incident response outfit Fox-IT, a November 2015 acquisition.

Last October NCC said the “lumpy nature of its product revenues and a large contract deferral allied to complex government relationships” made integrating Fox-IT into its business “challenging”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/22/ncc_trading_update/

DomainMonster mash: Hundreds of websites vandalized after Brit web host server hacked

Hundreds of websites have been defaced by hackers who hijacked a web-hosting server run by UK domain registrar DomainMonster.

The index.php pages on the attacked sites were rapidly vandalized by miscreants late on Tuesday, with 612 domains and sub-domains overwritten within seconds of each other. Among the websites hit was DomainMonster’s own blog.

The hacked server is at 109.68.38.20; this IP address belongs to Mesh Digital, which is based in Woking, England, and provides various online services to companies and brands. DomainMonster is the trading name of Mesh Digital, and sells domains and web hosting.

A group called the National Hackers Agency claimed to be behind the mass defacements. You can find a mirror of the graffitied DomainMonster blog and all the other trashed sites here – visit at your own risk as it may have nasty JavaScript on the page. All the defaced pages appear to be the same.

[Image: the DomainMonster defacement – the page that greeted pwned webmasters after Tuesday night’s hack attack]

The server or servers behind that IP address have been successfully attacked in the past, too, in 2016 and 2015. This week, it appears hacker gang BD Level 7 and NHA had a power struggle over who owns the machine, with the so-called agency winning. The first sites roughed up by the NHA appear to be porno related, and then it seems the attackers scribbled over the index pages for everything else hosted on the box – including sites belonging to small Brit businesses.

If you have anything sensitive stored on that server, such as customer information, consider it compromised. DomainMonster did not respond with comment when poked by El Reg last night. ®

Thanks to Reg reader Mike for the tip-off.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/02/22/have_a_site_with_domainmonster_not_anymore/