Sunday, November 15, 2015

Issue 38 - Week of Nov 9th

1. U.S. charges three Israelis in huge cyber-fraud targeting JPMorgan, others: U.S. Attorney Preet Bharara, in a press conference last week, unveiled criminal charges against the three men accused of running a sprawling hacking and fraud scheme that included a huge attack against JPMC and generated hundreds of millions of dollars in illegal profit. The fraud is described as a vast, multi-year criminal enterprise centering on hacks of at least nine big financial and publishing firms and the theft of information on 100 million of their customers, which fueled a web of stock manipulation, credit-card fraud and illegal online casinos. From 2012 to mid-2015, the suspects and their co-conspirators successfully manipulated dozens of publicly traded stocks, sent misleading pitches to clients of banks and brokerages whose e-mail addresses they had stolen, and profited by using trading accounts set up under fake names, prosecutors said.

2. Linux hit by crypto-ransomware - but attackers botch private key: Admins are facing a variant of Linux malware (Linux.Encoder.1) that encrypts files on infected web servers. The good news, for now, is that the private key that locks down those files is predictable. The crypto-ransomware is aimed at Linux system administrators and demands exactly one Bitcoin (~$350) to restore access to key files. Researchers analyzed the malware and said it was extremely similar to more widespread ransomware for Windows machines, such as CryptoLocker and TorLocker, which have reportedly made tens of millions of dollars for their operators.

3. No two-factor authentication - FBI got basic security wrong: Hackers earlier this month were able to access a US law enforcement arrest database and posted screenshots to Twitter. The hackers also gained access to a police file transfer service, an instant messaging service for police and a real-time intelligence-sharing platform, among others. All servers were located in one centralized location and were accessible by a single sign-on process -- using one username and one password. What's more surprising is that the FBI trumpets two-factor authentication as one of the prime ways of keeping data safe. The FBI warned that it takes this very seriously and will hold accountable those who engage in illegal activities in cyberspace.

4. Bug bounty programs help, but researchers need a platform to report: Many computer-security researchers think the world would be a safer place if they could easily report bugs to software creators, so the holes could be patched before hackers exploit them. But there's a problem: 94% of companies don't advertise a way for users to report bugs, among them J.P. Morgan Chase, Bank of America, Allstate Insurance, Ford Motor, etc. The exceptions that do include Facebook, Microsoft, Apple, Amazon, etc. As discussed in the Week of Aug 10th post, Oracle's CSO had equated recreating and testing the source code behind Oracle products with 'sinning'; Oracle has since removed the post.

5. New ransomware business cashing in on CryptoLocker's name: A new service launched last week is offering a new ransomware product under the name CryptoLocker Service to anyone willing to pay ten percent of the collected ransom. CryptoLocker Service requires a $50 USD fee to begin with, which customers (other hackers) pay in order to get the basic ransomware payload. Once the payment is made, customers are allowed to specify the amount of ransom money they want to receive and the account details for the Bitcoin transfer. When the CryptoLocker file is executed on the victim's machine, it encrypts all files. If the victim pays the demanded ransom, the payment address forwards the funds – less a ten percent fee – to the Bitcoin wallet designated by the CryptoLocker Service customer. MaaS – Malware as a Service.

6. Latest Android phones hijacked with tidy one-stop-Chrome-pop (does not require multiple chained vulnerabilities to work): Google's Chrome for Android has been hacked with a single exploit that could lead to the compromise of any Android handset. The exploit, showcased at MobilePwn2Own at the PacSec conference in Tokyo last week, targets the JavaScript V8 engine. It can probably compromise all modern and updated Android phones if users visit a malicious website. As soon as the phone accessed the website, the V8 vulnerability in Chrome was used to install an arbitrary application without any user interaction, thereby taking complete control of the phone.

7. Apple and Google remove Instagram password-stealing app from app stores: Google and Apple have removed a malicious third-party Instagram app that stole passwords – but only after it had become a top-grossing app in the App Store and gained over 100,000 users from Google Play. iOS developers raised the alarm over the app 'Who Viewed Your Profile - InstaAgent', posting on Twitter that it was storing Instagram usernames and passwords and sending them in clear text to a remote server. As discussed in Issue 31, Apple had earlier discovered dozens of apps in the China App Store laced with the XcodeGhost malware.

8. All Windows users should patch these two new 'critical' flaws: The software giant [Microsoft] released the patches on Tuesday as part of its monthly release of security updates. All users running Windows Vista and later - including Windows 10 - are affected by two flaws, which could allow an attacker to install malware on an affected machine. The patch MS15-112 addresses a memory corruption flaw in Internet Explorer. If exploited, an attacker could gain access to an affected machine with the same access rights as the logged-in user, such as installing programs and deleting data.

9. Tax talks - Central Board of Direct Taxes will be using email for correspondence with taxpayers: In order to improve services, CBDT will be using email for correspondence with taxpayers, for sending notices on scrutiny and getting responses from them. To start with, it will be on a pilot basis in five cities — Delhi, Mumbai, Bengaluru, Ahmedabad and Chennai. This will reduce the need for taxpayers to personally meet tax officers. To avoid impersonation, the authorities will only be using the '@incometax.gov.in' domain. The 'tax notice' will now be an eNotice and will be followed up with an SMS to ensure people read those emails and respond. An online portal is also being mooted which will enable all taxpayers to upload returns and communicate with CBDT directly.
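As an added example (not from the post or from CBDT), a small Python check for the rule above: only an exact match on the '@incometax.gov.in' sender domain counts as official, while headers that merely mention or embed that name in the display name, a subdomain or a separator-swapped spelling are flagged as lookalikes. The sample From: headers are constructed for the demo.

```python
import re

# The only legitimate sender domain named in the CBDT announcement.
OFFICIAL_DOMAIN = "incometax.gov.in"

def extract_address(from_header: str) -> str:
    """Address part of a From: header: the text inside the last <...> pair
    if present ("Name <addr>"), otherwise the whole header."""
    m = re.search(r"<([^<>]*)>\s*$", from_header.strip())
    return (m.group(1) if m else from_header).strip()

def sender_domain(address: str) -> str:
    """Lowercase domain of an address, or '' unless it has exactly one '@'."""
    if address.count("@") != 1:
        return ""
    return address.rsplit("@", 1)[1].strip().lower().rstrip(".")

def _flat(s: str) -> str:
    """Drop separators so 'incometax-gov.in' compares equal to 'incometax.gov.in'."""
    return re.sub(r"[^a-z0-9]", "", s)

def classify_sender(from_header: str) -> str:
    """'official'  : address domain is exactly OFFICIAL_DOMAIN
    'lookalike' : official name shown in the display name, used as a
                  subdomain, or written with separators changed
    'other'     : no resemblance to the official domain"""
    header = from_header.lower()
    domain = sender_domain(extract_address(header))
    if domain == OFFICIAL_DOMAIN:
        return "official"
    if OFFICIAL_DOMAIN in header or _flat(OFFICIAL_DOMAIN) in _flat(domain):
        return "lookalike"
    return "other"

# Constructed sample From: headers (not real messages), one per case.
SAMPLE_FROM_HEADERS = [
    "CBDT Scrutiny <notice@IncomeTax.gov.in>",                # official
    "Income Tax Dept <notice@incometax.gov.in.example.com>",  # subdomain trick
    "notice@incometax.gov.in <refund@example.com>",           # name carries address
    "Income Tax <notice@incometax-gov.in>",                   # separator swapped
    "A Friend <friend@example.com>",                          # unrelated
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(f"{classify_sender(header):9s} {header}")
```

A matching domain string is necessary but not sufficient, since header fields can be forged; treat this as a first-pass filter, not proof of origin.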


10. Japan its own enemy in push to improve cybersecurity: Apart from rogue hackers, criminal organizations or even state-backed cyber-warfare units, Japan's businesses and government agencies are facing a unique cybersecurity foe: themselves. The primary reason is a widespread corporate culture that views security breaches as a loss of face, leading to poor disclosure of incidents and poor information sharing at critical moments. Rank-and-file workers fear that reports of security lapses may get them punished, and the problem reflects a broad lack of understanding of cybersecurity among the top ranks of Japanese executives. The cybersecurity industry around the world, not just in Japan, frequently echoes the call for greater transparency within and among organizations. In many ways, several other countries, including India, suffer from similar cultural barriers.
