1.
U.S. charges three Israelis in huge cyber-fraud
targeting JPMorgan, others: U.S. Attorney Preet Bharara in a press conference last week unveiled
criminal charges against the three men accused of running a sprawling hacking
and fraud scheme that included a huge attack against JPMC and generated
hundreds of millions of dollars of illegal profit. This fraud is described as a vast, multi-year
criminal enterprise centering on hacks of at least nine big financial and
publishing firms and the theft of information on 100 million of their customers
that fueled a web of stock manipulation, credit-card fraud and illegal online
casinos. From 2012 to mid-2015, the suspects and their co-conspirators
successfully manipulated dozens of publicly traded stocks, sent misleading
pitches to clients of banks and brokerages whose e-mail addresses they’d
stolen, and profited by using trading accounts set up under fake names,
prosecutors said.
2.
Linux hit by crypto-ransomware - but
attackers botch private key: Admins are facing a variant of Linux malware (Linux.Encoder.1) that
encrypts files on infected web servers. But the good news for now is the
private key that locks down those files is predictable. The crypto-ransomware
is aimed at Linux system administrators and demands exactly one Bitcoin (~$350)
to restore access to key files. Researchers analyzed the malware and said it
was extremely similar to more widespread ransomware for Windows machines, such
as CryptoLocker and TorLocker, which have reportedly made tens of millions of
dollars for their operators.
3.
No two-factor authentication - FBI
got basic security wrong: Hackers earlier this month were able to access a US law enforcement
arrest database, and posted screenshots to Twitter. The hackers also gained
access to a police file transfer service, an instant messaging service for
police, and a real-time intelligence-sharing platform, among others. The servers were located in one centralized
location, and were accessible by a single sign-on process -- using one username
and one password. What's more surprising is that the FBI trumpets two-factor
authentication as one of the prime ways of keeping data safe. The FBI warned that
it takes this very seriously and will hold accountable those who engage in
illegal activities in cyberspace.
4.
Bug bounty programs help but researchers
need a platform to report: Many computer-security researchers think the world would be a safer
place if they could easily report bugs to software creators, so the holes could
be patched before hackers exploit them. But there's a problem: 94% of companies
don't advertise a way for users to report bugs, among them J.P. Morgan Chase, Bank
of America, Allstate Insurance and Ford Motor. The exceptions that do include
Facebook, Microsoft, Apple and Amazon. As discussed in the Week
of Aug 10th post, Oracle's CSO had equated recreating and testing the
source code behind Oracle products with 'sinning'; Oracle has since removed the
post.
5.
New Ransomware business cashing in
on CryptoLocker's name: A new service launched last week is offering a new Ransomware product
under the name CryptoLocker service to anyone willing to pay ten percent of the
collected ransom. CryptoLocker Service requires a $50 USD fee to begin with,
which customers (other hackers) pay in order to get the basic Ransomware
payload. Once the payment is done, customers will be allowed to specify the
amount of ransom money they want to receive and account details for Bitcoin
transfer. When the CryptoLocker file is executed on the victim's machine it
encrypts all files. If the victim pays the demanded ransom, the payment address
will forward the funds – less a ten percent fee – to the Bitcoin wallet
designated by the CryptoLocker Service customer. MaaS – Malware as a Service.
6.
Latest Android phones hijacked with
tidy one-stop-Chrome-pop (does not require multiple chained vulnerabilities to
work): Google's
Chrome for Android has been hacked in a single exploit that could lead to the
compromise of any Android handset. The exploit, showcased at MobilePwn2Own at
the PacSec conference in Tokyo last week, targets the JavaScript V8 engine. It
can probably hack all modern and updated Android phones if users visit a
malicious website. As soon as the phone accessed the website, the JavaScript V8
vulnerability in Chrome was used to install an arbitrary application without
any user interaction, thereby taking complete control of the phone.
7.
Apple and Google remove Instagram
password-stealing app from app stores: Google and Apple have removed a malicious third-party
Instagram app that stole passwords – but only after it had become a
top-grossing app in the App Store and gained over 100,000 users from Google
Play. iOS developers raised the alarm over the app 'Who Viewed Your Profile - InstaAgent', posting on Twitter that it
was storing Instagram usernames and passwords and sending them in clear text to a
remote server. As discussed in Issue
31, Apple had earlier discovered dozens of apps in the China App Store
laced with the XCodeGhost malware.
8.
All Windows users should patch these
two new 'critical' flaws: The software giant [Microsoft] released the patches Tuesday as part of
its monthly release of security updates. All users running Windows Vista and
later - including Windows 10 - are affected by two flaws, which could allow an
attacker to install malware on an affected machine. The patch, MS15-112,
addresses a memory corruption flaw in Internet Explorer. If exploited, an
attacker could gain access to an affected machine, gaining the same access
rights as the logged-in user, such as installing programs, and deleting data.
9.
Tax talks - Central Board of Direct
Taxes will be using email for correspondence with taxpayers: In order to improve services, CBDT
will be using email for correspondence with taxpayers for notice on scrutiny
and getting responses from them. To start with, it will be on a pilot basis in
five cities — Delhi, Mumbai, Bengaluru, Ahmedabad and Chennai. This will reduce
the need for taxpayers to personally meet the tax officers. To avoid impersonation,
authorities will only be using the '@incometax.gov.in' domain. The 'Tax notice' will
now be an eNotice and will be followed up with an SMS to ensure people read
those emails and respond. An online portal is also being mooted which will
enable all taxpayers to upload returns and communicate with CBDT directly.
10.
Japan its own enemy in push to
improve cybersecurity: Apart from rogue hackers, criminal organizations or even state-backed
cyber-warfare units, Japan's businesses and government agencies are facing a
unique cybersecurity foe: themselves. The primary reason is the widespread
corporate culture that views security breaches as a loss of face, leading to
poor disclosure of incidents or information sharing at critical moments. Rank-and-file workers fear reports of
security lapses may get them punished; the problem reflects a broad lack of
understanding of cybersecurity among the top ranks of Japanese executives. The
cybersecurity industry around the world, not just in Japan, frequently echoes
the call for greater transparency within and among organizations. In many ways,
several other countries including India suffer from such cultural barriers.