Sunday, October 4, 2015

Issue 32 - Week of Sep 28th

1. Experian leaks info of 15 million T-Mobile credit applications: Experian, one of the major credit bureaus that companies use to conduct credit checks, has exposed the personal information of T-Mobile consumers. T-Mobile has revealed that the hack exposed personal details including social security numbers, dates of birth, and various identification numbers, including passport and driver's license numbers, of its customers. Experian said the incident is "isolated" and limited to consumers who applied for T-Mobile USA services between Sept. 1, 2013, and Sept. 16, 2015.

2. T-Mobile CEO John Legere did what all CEOs should do after a hack: Promptly after the company statement was issued, Legere got on Twitter and sent out a tweet that read, “One of our vendors, Experian, experienced a data breach. See what we’re doing about it,” and included a link to the company’s initial announcement. But Legere’s engagement didn’t stop there. He then proceeded to answer questions from T-Mobile customers in replies to his tweet. These tweets address what everyone potentially affected by a massive data breach yearns for—answers, personal interaction and attention. The best thing a company can do after an attack is act like it cares. Seeing the CEO of a giant corporation get on social media and interact with customers is certainly refreshing and the way to go.

3. Every Android device is vulnerable to newly discovered bugs: With two new "Stagefright" vulnerabilities discovered, almost every Android device ever released is vulnerable to malicious hackers. More than a billion Android smartphones and tablets are at risk of being compromised by the new bugs if their owners merely preview video or audio files that have been specially crafted to exploit the vulnerability. Google has responded positively and will release a patch for these vulnerabilities by Oct 5th, but the question about the Android ecosystem remains: the update process is very slow, because phone makers are responsible for pushing software updates to customers.

4. A researcher has discovered a flaw in Apple's Gatekeeper: Gatekeeper is a feature Apple built into the Mac to help protect the system from malware and misbehaving apps downloaded from the Internet. Because only the signed app itself is checked, a signed app can load other software or components that have been replaced with malware, with no separate verification stage. In his testing, the researcher found that a signed Photoshop installer would load plug-ins from another directory that had been swapped out for malware, without any further notification. He also tested with an Apple-distributed program that he declined to disclose at Apple's request.

5. Critical WinRAR vulnerability places 500 million users at risk: An unpatched, critical remote code execution flaw in the SFX (self-extracting archive) feature of WinRAR 5.21 has been disclosed by a researcher, who posted his findings on Full Disclosure. Rated with a CVSS score of 7.4, the vulnerability could allow attackers to remotely execute code and compromise victim machines, leading to control, surveillance and potentially data theft. WinRAR's team disputes the finding.

6. Russian Developer of the Notorious "Citadel" Malware Sentenced to Prison: Dimitry Belorossov, a.k.a. Rainerfox, has been sentenced to four years and six months in prison following his guilty plea for conspiring to commit computer fraud. Belorossov distributed and installed Citadel, a sophisticated malware that infected over 11 million computers worldwide, onto victim computers using a variety of infection methods, including malicious attachments to spam emails and commercial Internet ads containing malware or links to malware. Citadel was a sophisticated form of malware known as a "banking Trojan", designed to steal online banking credentials, credit card information, personally identifiable information, and, ultimately, funds through unauthorized electronic transfers. Belorossov was arrested in Spain and extradited to the US.

7. Cookies can facilitate attacks on secure web sites: CERT has issued a new advisory warning that cookies can be used to let remote attackers bypass a secure protocol (HTTPS) and reveal private session information, and that modern browsers, including Apple's Safari, Mozilla's Firefox and Google's Chrome, currently provide no protection against this attack vector. Research indicates that secure sites as important as Google and Bank of America are vulnerable to the technique. CERT advises that HSTS (HTTP Strict Transport Security) be implemented at the server level to mitigate the vulnerability. But even with that done, it remains for browser vendors to prevent subdomains from being used by attackers to set malicious cookies.
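The CERT mitigation above is only as good as the header a site actually sends: a Strict-Transport-Security policy without includeSubDomains still leaves every subdomain reachable over plaintext HTTP, which is exactly where the cookie-setting trick lives. The following checker is an added example written for this digest, not code from CERT or any of the sites named; the sample header sets are constructed, and the six-month minimum max-age is an assumption, not a CERT requirement.

```python
# Assess a site's HSTS policy for the weaknesses that matter to the cookie attack
# described in the CERT note: no header, short max-age, and no includeSubDomains.

MIN_MAX_AGE = 180 * 24 * 3600  # assumption: six months as a minimum sensible policy lifetime

# Constructed sample responses (header name -> value); not captured from any real site.
SAMPLE_HEADERS = {
    "no-hsts": {"Content-Type": "text/html"},
    "weak": {"Strict-Transport-Security": "max-age=60"},
    "no-subdomains": {"Strict-Transport-Security": "max-age=31536000"},
    "good": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
}


def parse_hsts(value):
    """Parse an HSTS header value into (max_age, include_subdomains, preload).

    Directive names are case-insensitive; max_age is None when missing or unparsable.
    """
    max_age = None
    include_sub = False
    preload = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                max_age = None
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return max_age, include_sub, preload


def assess_hsts(headers):
    """Return a list of findings explaining why the policy is weak; an empty list means OK."""
    value = None
    for name, v in headers.items():
        if name.lower() == "strict-transport-security":
            value = v
    if value is None:
        return ["no Strict-Transport-Security header; plaintext HTTP remains reachable"]

    findings = []
    max_age, include_sub, preload = parse_hsts(value)
    if max_age is None:
        findings.append("max-age missing or unparsable; browsers ignore the whole policy")
    elif max_age < MIN_MAX_AGE:
        findings.append(f"max-age={max_age} is short; the policy expires quickly")
    if not include_sub:
        findings.append("includeSubDomains missing; subdomains stay reachable over HTTP "
                        "and can set cookies for the parent domain")
    if not preload:
        findings.append("preload not set; the first visit is unprotected until the header is seen")
    return findings


if __name__ == "__main__":
    for label, headers in SAMPLE_HEADERS.items():
        print(label, "->", assess_hsts(headers) or ["OK"])
```

The check is deliberately strict about includeSubDomains: a policy limited to the bare hostname satisfies the letter of "HSTS implemented" while leaving the subdomain cookie path open, which is the residual risk the CERT note points at.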

8. As impactful as targeted attacks can be on organizations, non-targeted automated attacks using known vulnerabilities also pose a significant threat to the enterprise: Research finds that it takes an average of between 100 and 120 days to patch a flaw once it is found. Meanwhile, the probability of a vulnerability being exploited rises to 90 percent by the time the flaw has been known for between 40 and 60 days. It is no surprise, then, that the volume of exploits has exploded in 2015.

9. Classic case of typosquatting: Mumbai cyber police arrested a school drop-out and a graphic designer for creating a fake BMC Octroi (local tax) collection website. The website was in operation from January till April, before the accused pulled it down on seeing an article in a local newspaper reporting that the BMC had detected the fraud. The accused created the fake website (www.mcgmoctroi.in), similar to that of the BMC (www.mcgmoctroi.com), with minor changes. Police are collecting information on the number of e-receipts (called PNR) the accused issued to transport companies and the total money they managed to siphon off. The accused have been booked under several sections of the IPC and the IT Act for cheating and forgery.
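The fake site above differed from the real one only in its top-level domain, which is the easiest lookalike to catch if someone is watching for it. The classifier below is an added example written for this digest, not a tool the BMC or the police used; it takes the two domains the item names as its reference and candidate, adds a few constructed lookalikes, and labels each by how it imitates the brand (TLD swap, digit-for-letter homoglyph, small edit distance, or brand name embedded in a longer label). The homoglyph table is a deliberately short assumed list, and the label/TLD split ignores public-suffix rules, so a real brand monitor would want both refined.

```python
# Flag domains that imitate a known legitimate domain, the way www.mcgmoctroi.in
# imitated www.mcgmoctroi.com. Intended for brand monitoring over new-registration
# feeds or proxy logs; the OBSERVED list below is constructed sample input.

LEGITIMATE = ["mcgmoctroi.com"]  # the genuine domain named in the report

OBSERVED = [                      # constructed sample of observed domains
    "mcgmoctroi.in",              # the actual fake from the report: same label, other TLD
    "mcgmoctroi.com",             # the real thing
    "mcgm0ctroi.com",             # constructed: zero for the letter o
    "mcgmoctroi-pay.com",         # constructed: brand name embedded in a longer label
    "mcgmoctro.com",              # constructed: one character dropped
    "example.org",                # constructed: unrelated
]

# Assumed, partial map of common character substitutions seen in lookalike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def split_domain(domain):
    """Split 'label.tld' -> (label, tld). Simplification: everything before the last dot is the label."""
    label, _, tld = domain.lower().strip().rpartition(".")
    return label, tld


def normalize(label):
    """Undo the substitutions in HOMOGLYPHS so 'mcgm0ctroi' compares equal to 'mcgmoctroi'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b)) memory-light form."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, legitimate=LEGITIMATE, max_distance=2):
    """Return (verdict, matched_legitimate_domain); verdict is 'legitimate', 'tld-swap',
    'homoglyph', 'near-miss', 'brand-embedded' or 'unrelated'."""
    c_label, c_tld = split_domain(candidate)
    for ref in legitimate:
        r_label, r_tld = split_domain(ref)
        if c_label == r_label and c_tld == r_tld:
            return "legitimate", ref
        if c_label == r_label:
            return "tld-swap", ref
        if normalize(c_label) == normalize(r_label):
            return "homoglyph", ref
        if levenshtein(c_label, r_label) <= max_distance:
            return "near-miss", ref
        if r_label in c_label:
            return "brand-embedded", ref
    return "unrelated", None


def triage(domains, legitimate=LEGITIMATE):
    """Map every observed domain to its verdict, keeping only the suspicious ones."""
    return {d: classify(d, legitimate) for d in domains if classify(d, legitimate)[0] not in ("legitimate", "unrelated")}


if __name__ == "__main__":
    for domain, (verdict, ref) in triage(OBSERVED).items():
        print(f"{domain:22} {verdict:15} imitates {ref}")
```

The ordering of the checks matters: exact match first, then TLD swap, then homoglyphs, then edit distance, then substring, so each domain gets the most specific verdict that applies rather than the loosest one.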

10. In response to the cyber-attack on the Kerala government website by Pakistan-based hackers, an anonymous Indian cyber group has retaliated by hacking into scores of official Pakistani websites. Last week the Kerala government website was taken down by Pakistani hackers, who posted an image of a burning Indian flag. The hackers left messages such as "Pakistan Zindabad", "We are Team Pak Cyber Attacker" and "Security is just an illusion". However, hours later, the Kerala-based 'Mallu Cyber Soldiers' hacked into Pakistani government websites, warning the pro-Pakistan hackers to "stay away from Indian cyber space". Like the world-famous Anonymous hacktivists, "Mallu Cyber Soldiers" is an online gathering of security experts. These vigilantes work toward protecting Indian websites from getting hacked.
