Sunday, March 13, 2016

Issue 55 - Week of Mar 7th

1. Phishermen target sensitive data, again: These incidents follow the lines of the recent Snapchat attack, in which a scammer impersonating the CEO tricked the payroll department into emailing the payroll information of current and former Snapchat employees to the attacker. Last week, it was reported that Alaskan telecom GCI was tricked into handing over employee W-2 forms by a phisher posing as the company's CFO, while a Seagate employee was also fooled into sending thousands of employee W-2s by email to a phisher posing as the company CEO. A W-2 (Form 16 in India) contains virtually all of the data one would need to fraudulently file someone's taxes and request a large refund in their name. Last year, hackers stole this data directly from the IRS website. A data security solution prevents accidental data leaks.

2. Cancer clinic warns 2.2 million patients of data breach: Cyber-attackers accessed a key database of the clinic in early October. They were able to access and steal data including patients' names, Social Security numbers, physicians' names, diagnosis and treatment information, as well as insurance records. The FBI had requested that the announcement and patient notification be delayed until last week while it was investigating. There is a growing trend of core services being struck by cyber-attacks. Recently, a hospital in Germany was held to ransom by cyber-attackers but did not pay up, while an LA hospital that went through a similar attack paid $17k.

3. ISIS data breach: A defector has allegedly leaked what appears to be a USB drive's worth of ISIS's secret data, including the personal information of 22,000 ISIS fighters. The leaked ISIS information could be an unexpected gift for security agencies and prosecutors trying to track ISIS members and prevent more recruits from joining. The names of three Paris attackers were found in the list.

4. Restaurant recommendation site 'Burrp' serves EKs, TeslaCrypt: Researchers spotted the Indian restaurant recommendation site "Burrp" redirecting visitors to a website that was serving the Angler exploit kit (EK), which ultimately led to the delivery of TeslaCrypt ransomware. The Burrp website was first compromised, and malicious code injected into its JavaScript redirected users. Last week another popular website, www[.]missmalini[.]com, was compromised. Hackers routinely monitor sites with high traffic, and whenever they spot an opportunity they launch their attacks.

5. Obama on Apple v/s FBI: Answering a question on this subject, the president said that one can't take an absolutist view. He spoke at length on encryption, and his position favored the American government's current position in this case. He favored strong encryption with secure keys, accessible to a small set of people for a subset of important issues. He repeatedly reassured the audience that the agencies are pretty scrupulous and trustworthy. Meanwhile, responding to the Justice Dept.'s arguments, Apple slammed them as a "cheap shot" and will next appear in court in California on March 22, a day after an expected product announcement.

6. Spelling mistake saves $1 Billion: Attackers successfully breached Bangladesh Bank's systems and stole its credentials for payment transfers. They then bombarded the Federal Reserve Bank of New York with nearly three dozen requests to move money (total value $1B) from the Bangladesh Bank's account there to entities in the Philippines and Sri Lanka. The first four transfers, totaling about $81 million, went through, but for the fifth transfer the hackers misspelled "foundation" in the NGO's name as "fandation," prompting a routing bank, Deutsche Bank, to seek clarification from the Bangladesh central bank, which stopped the transactions.

7. Automakers in the hot seat for vehicle cybersecurity: Most new cars today are equipped with internet connectivity and run third-party apps on board, making them vulnerable to hackers. Recently, researchers demonstrated hacks on the Nissan Leaf and the Chrysler Jeep. Car owners hold car makers responsible for security, though many components of this system are not owned by car makers, such as infotainment, connectivity, OS and apps. General Motors now has a bug bounty program underway as well as a product security officer position. Someday in the near future, we will have endpoint agents running in our cars the way they run on our laptops.

8. First Fully Functional Mac Ransomware: The first fully functional ransomware for Mac OS X has been discovered in the wild, but was contained before it did damage. The new ransomware is called 'KeRanger' and it bypasses Apple's Gatekeeper -- the tool that prevents unsigned code from running on Mac operating systems -- by piggy-backing on an infected version of Transmission, an open-source BitTorrent client, which is signed with a valid Mac application developer's certificate. Apple responded quickly to the announcement, revoking the abused certificate and updating XProtect signatures.

9. Researchers can unlock some Android phones with inkjet-printed fingerprints: Researchers demonstrated a method in which they first took a high-resolution image of the victim's fingerprints, then printed it on a special kind of glossy paper. The printed fingerprints could fool the Android device into believing it was human. Way back in 2013, Apple's TouchID was hacked, and more recently hackers showed ways to harvest fingerprint data from Android phones.

10. The Bounty Hunter: A 22-year-old employee of an e-commerce company in Bangalore earned ₹13 million ($200K) just by reporting bugs for Facebook, Twitter and a host of other US-based companies. He recently found a simple vulnerability on Facebook that could have been used to hack into any user's account to get access to credit or debit card details, personal pictures, and messages without any user interaction. For this, he was awarded $15K (₹1 million). A bug bounty is a highly recommended strategy for finding new bugs, especially for high-traffic websites.




