Issue 54 - Week of Feb 29th

1.       Snapchat apologizes to its employees: On its blog Snapchat says it is "impossibly sorry" after being duped by a cyber-attacker who impersonated the CEO and was able to elicit employee payroll information from the firm.  The phishing email wasn’t recognized and payroll information about some current and former employees was disclosed externally. No internal systems were breached, and no user information was accessed. Snapchat did all the right things post the attack, it owned the mistake, reported to the authorities, contacted the affected employees and also offered them two years of free identity-theft insurance and monitoring, and is planning to redouble the training programs around privacy and security in the coming weeks.

2.       Sea Pirates hack shipping company to figure the cargo to steal: With very little knowledge & effort, pirates were able to cause some serious damage to a shipping firm whose basic security protection was not in place. Using very basic hacking techniques, the pirates uploaded a malicious shell script on the shipping firm's Content Management System (CMS) that ran the custom platform for managing stock and cargo data. Through this they could download the cargo reports, which helped them to board the right vessel, locate by bar code- specific crates containing valuables, steal the contents of that crate and then depart the vessel without further incident. It's becoming more and more critical for companies in every industry, whether it be shipping, health or technology, to ramp up their cybersecurity efforts.

3.       Hack the Pentagon and get paid: The US Defense Department is inviting vetted white-hat hackers to hunt for vulnerabilities in its public web pages under a pilot bug bounty program. Bug bounty is gradually getting accepted in the corporate world, it is surprising but welcome for a defense entity to run such a program.

4.       ABCD - AnyBody Can DDoS: If you do not like any website and want it to be down for few hours or days or weeks- just rent the 'Booter' service from Russian hackers for as low as $13-$60 a day. These hackers have infected computers under their control, which they  use to mount 400Gbps attacks towards the target to keep it offline. Another player who goes by the name 'Forceful' also advertises and offers free five to ten minute DDos test. BBC was a recent victim of DDoS.

5.       University of California Berkeley hacked: The University of California, Berkeley, has admitted to a second data breach which may have exposed the data of 80,000 people to misuse. Current and former students, faculty members and vendors linked to the university are among those who have been warned about the incident, which took place through financial management software which contained a security flaw, allowing an attacker -- or group -- to access internal services. UC Berkeley was last hit with a cyber-attack in December, 2014.

6.       Malvertisers remain one step ahead: Malvertising is the use of ad networks to serve unwitting visitors malware and exploit kits, including Angler and Neutrino. Many legitimate websites rely on advertising to generate revenue, and unfortunately, malware may slip through the net. To avoid detection and being monitored by security researchers and other honey pots - Malvertisers are using a new technique called Fingerprinting - through which they will deliver payloads only to legitimate victims. Using Web-security solutions and regular updates can keep Malvertisers at bay.

7.       Amazon is going against the grain: Amazon has removed device encryption from its tablets and phones, a day after the company filed a brief supporting Apple in its fight against the FBI over encryption. In a statement Amazon said it removed device encryption from its Fire OS 5 because the company "found customers weren't using it." In other words, Amazon will continue to encrypt your data in transit, but it won't scramble the contents of its customers' Fire tablets or phones. That means thieves and law enforcement will have an easier time grabbing user data from these devices without too much effort. The timing is striking, given the tense moments the industry is going through with the Apple and FBI faceoff.

8.       RSA conference 2016 - Lessons Learned From Real World CISOs: The annual RSA conference was held last week in SFO, the theme this year was 'Connect to Protect'. Some of the lessons learned from experts and CISOs are: (i) Organizations are particularly interested in being able to safely adopt new technology, things like IoT and cloud. (ii) Don’t care what comes in, worry about what leaves the network (iii) Reducing complexity & Protect the sensitive data regardless of where it’s located.

9.       RSA conference 2016 - 7 Attack Trends Making Security Pros Sweat: A look at the most dangerous threats and what to expect for the rest of 2016. (i)Weaponization of Windows PowerShell (ii) Stagefright-Like Mobile Vulnerabilities (iii) Developer Environment Vulnerability Like Xcode Ghost (iv) ICS (infrastructure control systems) Attacks (v) Targeting Insecure Third-Party Software Components (vi) Internet of (Evil) Things (vii) Changing Malware Economics Presses Ransomware Push.

And the Oscars goes to...: It was Oscars season last week and hackers compromised India's leading "Bollywood news & celebrity gossip website" - www.missmalini[.]com. The website had been injected with JavaScript that automatically and silently redirects visitors to a malicious web site in the background. Depending on the browser and user's IP address, the website silently launches Angler Exploit Kit. Anglers scans and exploits existing vulnerabilities (for eg: Adobe Flash) to drop and execute TeslaCrypt on the system. Angler EK shows no signs of relenting and is still very prevalent. Hackers are aware of world events and continue to compromise websites of currently significant popularity. The use of crypto-ransomware also continues to persist, providing criminals with quick and easy financial gain.