Issue 68 - Week of June 6th

1.       University pays $20K to Ransomware attackers: Canadian based - University of Calgary, paid a ransom of $20,000 to decrypt their computer systems' files and regain access to its own email system after getting hit by a ransomware infection. The University fell victim to ransomware last month, when the malware installed itself on computers, encrypted all documents and demanded $20,000 in Bitcoins to recover the data. Issue 52 – we discussed –“Hospital pays hackers $17,000 in Bitcoins”.

2.       32Million Twitter passwords available for sale: Login credentials of more than 32 Million Twitter users are now being sold on the dark web marketplace for 10 Bitcoins (over $5,800). The database includes usernames, email addresses, sometimes second email addresses, and plain-text passwords for all the 32 Million Twitter accounts. Some of the high profile victims include Mark Zuckerberg and Twitter co-founder Evan Williams. "123456', '123456789', 'qwerty' are the top 3 frequently used passwords. Twitter says it was not hacked, experts believe it could have been a password harvesting malware that stole data and passwords.

3.       BitTorrent forum hacked; change your password immediately: If you are a torrent lover and have registered on BitTorrent community forum website, then you may have had your personal details compromised, along with your hashed passwords.  The BitTorrent team has announced that its community forums have been hacked, which exposed private information of hundreds of thousands of its users. As of now, BitTorrent is the most visited torrent client around the world with more than 150 Million monthly active users.

4.       VK.com hacked! 100 Million clear text passwords leaked online: Russia's biggest social networking site VK.com is the latest in the line of historical data breaches targeting social networking websites. The same hacker who previously sold data dumps from MySpace, Tumblr, LinkedIn, and Fling.com, is now selling more than 100 Million VK.com records for just 1 Bitcoin (approx. US$580).  Experts’ advice not to re-use the same password in different online platforms, one compromise can expose users in all websites.

5.       Mark Zuckerberg’s Twitter and Pinterest accounts hacked: Mark's Twitter and Pinterest accounts were taken over last week because he reused a password: “dadada,” according to a person familiar with the matter. The password had appeared last month in a database of more than 100 million usernames and passwords stolen in 2012 from LinkedIn, the person said. Mr. Zuckerberg appears to have reused “dadada” to log into Twitter and Pinterest, allowing hackers to take over those accounts. Ironically, Facebook's first “security tip” for users is, “Don’t use your Facebook password anywhere else online.”

6.       Morgan Stanley pays $1 million fine over stolen customer data: Morgan Stanley will pay a fine of $1 million for failing to protect customer data. The banking giant reportedly violated the Safeguards Rule, which allowed a then employee to transfer client details to his home computer, which was later hacked by a third party. In January 2015, confidential details of around 900 of Morgan Stanley’s 730,000 clients were released online by the hackers briefly with an offer to sell more. The employee was soon criminally charged and ordered to pay $600,000 in restitution and sentenced to 36 months of probation.

7.       Singapore to cut Internet access for Government computers: Singapore will cut Internet off from 100,000 government computers starting May next year to safeguard official data from cybercriminals. However, there will be a few dedicated computers with Internet access and employees will be allowed to  surf the web on their mobile devices. This decision was taken after the government became victim to a number of “very sophisticated” cyber-attacks in the past. Singapore has for years come under attack from cybercriminals who have also hacked into websites and stolen clients data from Standard Chartered Bank.

8.       Karnataka police website ‘hacked’ by Pakistani hackers: The official website of the Karnataka police department (www.ksp.gov.in) was on Friday allegedly hacked by Pakistani hackers, who pasted a Pakistani flag on the home page. The hacker, claiming to be Faisal 1337 from Team Pak Cyber-attacker, posted a Pakistani flag on the home page with a message below it, which read “Pwned! Hacked, shame on your security!”  Indian and Pakistani hackers routinely hack each other’s weak websites.

9.       Yet another car can be hacked – this time it's the Mitsubishi Outlander hybrid: Mitsubishi joins Jeep, Nissan and Tesla on the list of cars that have had vulnerabilities highlighted. A security expert has discovered these vulnerabilities in the car's Wi-Fi console that could allow hackers to access the vehicle remotely and turn off car alarms before potentially stealing it. The security key needed to break the Wi-Fi can be cracked through a brute force attack. Mitsubishi has recommended that Outlander owners deactivate the wifi system until further notice; a recall of the cars is likely.

Will your backups protect you against ransomware?: According to the FBI, more than $209 million in ransomware payments have been paid in the United States in the first three months of 2016 -- up from just $25 million for all of 2015. There are several examples of Hospitals, Police departments, Universities paying up. Cyber extortionists know that backups are their number one enemy and are adapting their ransomware to look for them. On the other hand - in many cases - users are not backing up all data or not frequently backing up. All of these result in either paying up or losing data. The best way to combat Ransomware is to not get infected at all.  Forcepoint protects its users against Ransomware.