Sunday, July 31, 2016

Issue 75 - Week of July 25th


1.       Hillary Clinton's Presidential campaign also hacked in attack on Democratic Party: There is a lot more to come from the DNC hack. The Associated Press confirmed last week that computer systems used by Hillary Clinton's presidential campaign were compromised as part of the recent Democratic National Committee (DNC) breach. According to the experts investigating the DNC hack, the Fancy Bear APT group (also known as APT28 and Pawn Storm) used a piece of malware called X-Tunnel to exfiltrate data from the systems without being detected.

2.       Kimpton Hotel chain investigating payment card breach: Kimpton Hotels has confirmed a possible payment card breach at around 24 of its properties across the US and says it is investigating. Kimpton alerted customers, noting: “If there are unauthorized charges, individuals should immediately notify their bank.” Over the past two years most card breaches of this kind have been carried out by remotely planting malware on point-of-sale (PoS) devices, which scrapes card data from memory before it is encrypted. Recent hotel chain victims include Hyatt Hotels, Trump Hotel Collection, Starwood Hotels, and Hilton Hotels.

3.       Using VPN in the UAE? You'll be fined if you get caught!: If you are caught using a VPN in the UAE, you could face temporary imprisonment and fines of up to $545k. Online privacy is one of the biggest challenges in today's interconnected world, and governments around the world have been found using the Internet to track people's information and conduct mass surveillance. The top two telecom companies in the UAE have also blocked VoIP and the calling features of popular messaging apps, which is exactly what many residents were using VPNs to get around. China likewise treats VPN services used to circumvent the Great Firewall as illegal.

4.       PornHub pays hackers $20,000 to find zero-day flaws in its website: Two months ago PornHub launched a bug bounty program, and last week it paid a $20,000 bounty to a team of three researchers who gained Remote Code Execution (RCE) on its servers using a zero-day vulnerability in PHP, the language the site is written in. Worth noting for anyone running a bug bounty: the flaw was not in PornHub's own code, but in the platform underneath it, which is why bounty programs tend to surface issues the site's own developers would never have looked for.

5.       Indian hacker discovers Vine’s source code; Twitter pays him $10,080 for his efforts: An Indian bug bounty hunter discovered a loophole in Vine that allowed him to download a Docker image containing the complete source code of Vine without any hassle. Vine is a video sharing service where people share 6-second video clips on Twitter. The 23-year-old reported the blunder to Twitter, which fixed the issue within five minutes and rewarded him. The lesson for anyone shipping containers: a Docker image is a full copy of your application (code, configuration and often credentials), so the registry it is pulled from needs the same access control as the source repository.

6.       LastPass bug lets hackers steal all your passwords: LastPass is a cloud password manager that automatically fills credentials for you. Last week a critical zero-day flaw was disclosed in LastPass that could allow a remote attacker to compromise an account completely. LastPass quickly patched the reported vulnerability. LastPass was in similar news in 2015 as well as in January 2016 (when a phishing demonstration against it was dubbed "LostPass").

7.       KeySniffer lets hackers steal keystrokes from wireless keyboards: Wireless keyboards from eight different hardware manufacturers have been found to use cheap non-Bluetooth transceiver chips that speak a proprietary, less secure radio protocol, and they transmit keystrokes without any encryption. This means anyone within about 100 meters of the computer with a long-range radio dongle can passively intercept every keystroke (passwords, card numbers, messages) sent between an affected keyboard and its host, with nothing on the victim's machine to notice. The vulnerability is called KeySniffer. In Issue 66 we discussed KeySweeper, a simple device that exploited the weak encryption used by Microsoft wireless keyboards; KeySniffer is worse, because there is no encryption to break at all.

8.       Possible end of SMS-based 2-Factor Authentication: SMS-based Two-Factor Authentication (2FA), used as an added layer of security on many sites, has been marked as deprecated in a draft of the US National Institute of Standards and Technology (NIST) authentication guidelines. NIST's argument is that a phone number is not bound to a specific device: it is too easy for someone to obtain a replacement SIM or phone for the victim's number, and the website operator has no way to verify that the person receiving the 2FA code is the legitimate user. Other issues include design flaws in SS7, the telecom signalling network, which allow SMS messages to be diverted to other devices, and codes leaking when they are displayed on a locked screen. In Issue 49 we saw how a duplicate SIM card was used to steal $70k from a Bangalore-based entrepreneur.

9.       QRLJacking — hacking technique to hijack QR Code based quick login system: QR codes are two-dimensional barcodes that can hold a significant amount of data, and a number of websites use them for login: the site displays a QR code tied to a fresh session, the user scans it with an already-authenticated mobile app, and the browser session becomes logged in without a username or password. Last week a researcher described how this can be turned around: the attacker requests a fresh login QR code from the real site, shows that same code on a phishing page, and waits. When the victim scans it with their app, the site authorises the session the QR code belongs to, which is the attacker's browser, not the victim's. The victim sees nothing wrong because no credentials were entered anywhere.
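The following is an added example (not code from the original post or from any real login provider) that models the flow above as a small simulation: a toy QR-login server, the QRLJacking sequence against a phone app that approves any scanned token, and the same attack against an app that first shows the user where the login request came from. The server, the `approve_blindly` / `approve_if_context_matches` policies and the IP addresses are all assumptions constructed for illustration.

```python
import secrets

# Constructed sample addresses (documentation ranges), not real hosts.
ATTACKER_IP = "203.0.113.7"
VICTIM_IP = "198.51.100.42"


class QRLoginServer:
    """Toy model of a QR-code quick-login service (constructed for illustration).

    The login page requests a token and renders it as a QR code; the user's
    already-authenticated phone app scans it and approves; the page polls
    until its token carries a session.
    """

    def __init__(self):
        self.pending = {}   # token -> context of the browser that requested it
        self.sessions = {}  # token -> username, once a phone has approved it

    def new_login_token(self, browser_ip):
        """Called by the login page; the token is what the QR code encodes."""
        token = secrets.token_urlsafe(16)
        self.pending[token] = {"browser_ip": browser_ip}
        return token

    def login_context(self, token):
        """What the phone app can show the user before approving."""
        return dict(self.pending.get(token, {}))

    def approve(self, token, user):
        """Called by the authenticated phone app after it scans a token."""
        if token not in self.pending:
            return False
        del self.pending[token]
        self.sessions[token] = user
        return True

    def poll(self, token):
        """The page polls with its own token; returns the user once approved."""
        return self.sessions.get(token)


def approve_blindly(_ctx):
    """App behaviour that makes QRLJacking work: a scan is a login."""
    return True


def approve_if_context_matches(ctx, my_ip=VICTIM_IP):
    """App shows the requesting browser's address and asks for confirmation;
    the user only approves a login for the computer they are sitting at."""
    return ctx.get("browser_ip") == my_ip


def legitimate_login(server, policy):
    """The intended flow: the victim's own browser displays the QR code."""
    token = server.new_login_token(browser_ip=VICTIM_IP)
    if policy(server.login_context(token)):
        server.approve(token, "victim")
    return server.poll(token)


def qrljacking(server, policy):
    """The attack: returns who the attacker's browser ends up logged in as."""
    # 1. The attacker's browser requests a fresh, valid login token ...
    token = server.new_login_token(browser_ip=ATTACKER_IP)
    # 2. ... and re-displays the same QR code on a phishing page. The victim
    #    scans it with their logged-in app. The token is genuine, so the only
    #    thing standing between the attacker and a session is the app's policy.
    if policy(server.login_context(token)):
        server.approve(token, "victim")
    # 3. The attacker's browser, still polling its own token, gets the session.
    return server.poll(token)


if __name__ == "__main__":
    print("blind app, attack     :", qrljacking(QRLoginServer(), approve_blindly))
    print("context-aware, attack :", qrljacking(QRLoginServer(), approve_if_context_matches))
    print("context-aware, legit  :", legitimate_login(QRLoginServer(), approve_if_context_matches))
```

The point of the simulation is that the token itself is never forged; it is the real site's own token, so server-side validation of the token cannot catch the attack. The defence has to happen at the approval step: the app must show the user something about the requesting browser (address, rough location, browser type) and require an explicit confirmation, and tokens should expire within seconds. Comparing the phone's IP to the browser's IP on the server is not a reliable substitute, because the phone is usually on a cellular network.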


10.   'No More Ransom', a new way to fight back when your data's taken hostage: Participants in a new initiative called 'No More Ransom' launched a website last week featuring tools that can help some victims decrypt their data without paying the criminals. The site offers four decryption tools, each designed to unlock data encrypted by a different strain of ransomware, typically because that strain's key management was flawed or its key servers were seized. It will not help every victim, but it offers a third option besides paying up or losing the data. Regular offline backups and a good web security solution remain the need of the hour to combat this ransomware menace.
