Sunday, July 26, 2015

The World this week..(Week of July 20th)

1.       "Life is short. Have an affair." is the slogan of Ashley Madison, a Canada-based online dating service marketed to people who are married or in a committed relationship. It has over 37 million registered users and over 124 million visits per month. Last week the website was hacked by a group called Impact Team. The hackers are blackmailing the company to shut down all its services, failing which they will publish the user information online, including names and personal profile details.

2.       The website requires registered members to pay every time they want to start a conversation with other members, and the chat sessions are also metered. Users who wish to delete their profiles, including historical data, need to pay $19. The hackers claim that the website collects the deletion fee but never deletes the full profile and retains some basic records of users; they have cited this as the reason for the hack. In light of the hack, the company is now offering the full-delete option free to any member.

3.       What could be worse than publishing user names online is that the hackers may sell the stolen data to the highest bidders on the Dark Web. These bidders may use the data to blackmail individual users for commercial exploitation or other favors. Ashley Madison's plan for a public listing on the London Stock Exchange to raise $200 million now looks unlikely, according to bankers cited by CNBC.

4.       Hackers can take over your Jeep, literally driving you off the road. This was demonstrated last week by cyber security experts, when two of them remotely hacked into a running Jeep Cherokee being driven by a third expert on a busy highway. The root of the attack was a vulnerability in the Uconnect system, a software-based connected car system used in a number of Fiat Chrysler cars. The vulnerability allowed the researchers to remotely control the vehicle through its IP address: turning the brakes on and off, interfering with the driver's visibility by switching on the windshield wipers, and shutting off the engine. Chrysler has recalled 1.4 million vehicles for a bug fix, while the researchers released a video of their demo.

5.       Cylance, the first predictive cyber security company that applies artificial intelligence to stop malware, and Raytheon|Websense announced a partnership last week that extends Cylance's next-generation security technology to Raytheon|Websense customers. Raytheon|Websense has embedded the Cylance Infinity Engine, a next-generation malware detection engine, into its SureView Threat Protection solution.

6.       Hacking Team news: a researcher has lashed out at Hacking Team after discovering that his code has been used, without notice or permission, as a springboard in the development of Android surveillance tools sold to governments and law enforcement agencies. In South Korea, the revelation that the National Intelligence Service (NIS) was a Hacking Team customer has been politically explosive. An intelligence officer who used the software was found dead over the last weekend in an apparent suicide, as controversy swirls in the country over use of the software.

7.       An IT security drill went off the tracks in Belgium. The government wanted to train its employees against phishing attacks and so set up a fake spam email confirming the employee's travel to Paris and a stay in a fancy hotel. Those who chose to cancel the trip were supposed to reply to the email within 3 days, along with their credit card number. Instead, the worried employees called the train company to complain, overwhelming the bewildered staff. The government apologized to the train company for not keeping it informed and for "being a bit overzealous."

8.       According to the Global CEO Outlook 2015 by KPMG, half of the CEOs are not fully prepared for a cyber event. Yet cyber security was named by 20 percent of respondents as one of the top five risks, right behind the related issues of third-party and supply chain risks. For technology firms, information security edged out all other risks as the most pressing threat. Most of them also believe that cyber security risk is the most unpredictable one.

And finally, the Indian connection to Ashley Madison: of the 37 million global users, 2.7 lakh are from India and may now stand to be exposed.

Sunday, July 19, 2015

The World this week..(Week of July 13th)

1. Hacking Team released a press statement stating that the recent hack and leak of information is now "obsolete because of universal ability to detect these system elements." The statement went on to say that there will be a version 10 of Hacking Team's Remote Control System, calling it "a total replacement for the existing ‘Galileo’ system, not simply an update." Six former employees of the surveillance software maker are reportedly under investigation for the breach that led to the company's corporate secrets leaking online.

2. A former intern at FireEye has been arrested for creating and selling the slick and sophisticated Dendroid malware program after being caught in a global police sting that destroyed the Darkode cybercrime forum. Prosecutors say that he was most recently working as a whitehat anti-malware professional at the company while also building and selling Dendroid, a product which the company would label its chief enemy. The alleged hacker sold the toolkit for $300 and its source code for $65k on the Darkode forum. He was arrested in the global sting along with a total of 70 administrators and members.

3. A vulnerability researcher (read: hacker) from Florida was the first recipient of the highest-level reward in United Airlines' bug bounty program, reserved for remote code execution (RCE) vulnerabilities in its web properties. He was rewarded 1 million air miles.

4. Lots of excitement is building up about the upcoming security conferences, Black Hat and Defcon. Both events are planned in Las Vegas in August. Black Hat is set to expose more than 30 zero-day flaws, while Defcon consists of several tracks of speakers on computer- and cracking-related subjects, as well as social events and contests.

5. In the past, phishing campaigns were less believable, along the lines of "you may have won a lottery" or "you may have an undelivered parcel". However, phishing emails can now be very complex, well-engineered and professionally crafted, which makes them far more difficult to detect. One of the ways to beat this is by training staff to detect a phishing email. Staff can be periodically sent benign phishing emails, and, armed with reports on who opened the emails and who clicked the links in them, staff can be (re)trained.

6. A browser called Tor (The Onion Router) delivers untraceable access to the Internet by linking all the computers into a network. By routing connections through a chain of users, the IP address of the user is kept hidden. India is estimated to have between 500,000 and 1 million daily users of this browser. Tor is intended to protect the personal privacy of users, as well as their freedom and ability to conduct confidential communication, by keeping their Internet activities from being monitored. However, it is widely used for unscrupulous and illegal activities such as trade in drugs, weapons, counterfeit currency, forged documents and other illicit and illegal goods.

7. The website of Antrix, Indian Space Research Organization’s commercial arm, was hacked last week. The URL antrix.gov.in led to a web page to buy sports merchandise and is believed to be the handiwork of Chinese hackers. This comes two days after ISRO launched five British satellites from its Polar Satellite Launch Vehicle, its heaviest commercial launch, from Andhra Pradesh, India.


Sunday, July 12, 2015

The World this week..(Week of July 6th)

1.       The irony of Hacking Team, an Italian company that sells surveillance software, being hacked last weekend is interesting, especially given Hacking Team's denials that it sold to governments with notorious human rights records. Hacking Team still insists it broke no laws and has behaved ethically. Whether Hacking Team survives remains to be seen. As of now the company has asked its clients to stop using its software for the time being and to cease operations, but when you consider the kinds of clients, from law enforcement to government agencies and intelligence units, you have to ask whether Hacking Team has enough of a reputation left to restore client trust.

2.       WikiLeaks has released 440 GB of data stolen from Hacking Team. Email exchanges indicate that top Indian security agencies were secretly negotiating with the surveillance firm to procure software for intercepting communications through remote bugging of devices. RAW, IB, NIA and NTRO did attend a PoC, and the West Bengal and Maharashtra governments were in touch with the company. Hacking Team was mostly interested in pushing its flagship product Galileo, a platform-independent, undetectable Remote Control System that takes control of targeted devices and monitors them regardless of encryption and mobility.

3.       Cybercriminals start using Flash zero-day exploit leaked from Hacking Team - It took just a day for cybercriminals to start using a new and yet-to-be-patched Flash Player exploit. The exploit was found among the stolen files. Adobe Systems confirmed the vulnerability, which received the identifier CVE-2015-5119, and is planning to release a patch for it. According to a researcher, the leaked Hacking Team exploit has already been integrated into three commercial exploit kits: Angler, Neutrino and Nuclear Pack.

4.       OPM has been hit by a second breach, leading to the theft of more than 21 million individuals' records. The figure confirmed Thursday by OPM is in addition to the previous breach, and the total figure now stands at almost 26 million individuals affected by the two breaches. The two attacks are separate, but related. It has been reported that OPM's director had no technology, cybersecurity or crisis management experience -- she quit last week.

5.       US presidential candidate Hillary Clinton has accused China of "trying to hack into everything that doesn't move in America" and stealing government information, in strongly worded comments likely to irk Beijing. Clinton, a former secretary of state, pulled no punches in remarks to Democratic supporters at a campaign event in New Hampshire.

6.       In other news, the hackers who targeted Twitter, Facebook, Apple and Microsoft developers two years ago have escalated their economic espionage efforts as they seek confidential business information and intellectual property they can profit from. The hacking group, motivated by financial gain, is thought to target companies on request, and "ought to be taken seriously by corporations," said an expert.


7.       Within a week of CEO Rahul Yadav's controversial exit from Housing.com, the online realty startup's website was allegedly hacked by an anonymous group, which put up a cheeky message demanding his reinstatement. Nobody claimed responsibility for the hack, though social media was rife with rumours that Yadav might have been behind it. But on his Facebook page, the founder and ex-CEO of Housing.com was quick to dissociate himself from the attack. "I would have designed it better," he wrote.

Sunday, July 5, 2015

The World this week..(Week of June 29th)



1.       Pitching India as the world's destination for the next big idea, Prime Minister Narendra Modi on Wednesday, launched his ambitious Digital India project. The project aims to create a digitally empowered society and knowledge economy. He also spoke of the role of Digital India in a world where cyber security is becoming increasingly important. "Everyone is worried about cyber security and cyber warfare. India should work towards giving the world a shield from the threat of cyber warfare," he said. "I dream of a Digital India where cyber security becomes an integral part of national security," he added.
2.       The Maharashtra government has roped in PwC to prepare an exclusive cyber security plan for the state. Once the plan is ready, the department aims to train at least 1,000 police personnel to crack cases of cybercrime.
3.       A data breach at Harvard University has exposed system and email passwords belonging to an unspecified number of faculty, staff, and students from numerous schools and at least one major administrative network at the university. Harvard discovered the intrusion on June 19 but publicly disclosed it only Thursday while it worked to mitigate the issue. A statement disclosing the breach said Harvard discovered an intrusion into the Faculty of Arts and Sciences (FAS) network and another one at the university Central Administration network.
4.       Trump Hotel Properties has confirmed that it is investigating reports that it suffered a data breach, leading to the theft and fraudulent use of its customers' payment card data. The company's executive vice president of development and acquisitions, Eric Trump, son of Donald Trump, confirmed the breach investigation in a statement on July 1.
5.       An overwhelming majority of infosec professionals (92%) said they have lost confidence in the ability of traditional endpoint protection solutions, such as antivirus and whitelisting, to detect unknown threats like zero-day attacks. Additionally, 78% believe antivirus is not effective against general cyber-attacks. Not so long ago, in May 2014, Symantec's SVP went on record to say that "AV is dead", and he estimated that AV can stop only about 45% of cyber-attacks.
6.       More big news on insider threats: 2 brothers working as contractors with the US government admitted during a Friday hearing that they infiltrated the department's networks in order to pilfer passport and visa information. Allegedly, the brothers were attempting to create and sell fake passports and visas on the black market. They face up to 50 years in prison, and both will be sentenced in September.
7.       A woman in the UK has been scammed out of her life savings through a simple phishing email orchestrated by cyber criminals. She was in the middle of buying a house when she received an email claiming that she needed to transfer her deposit of nearly £50,000 ($78,000), which she did. Little did she know that her email account had been hacked and was being monitored by cyber criminals. The hackers set up an account in the name of her lawyer, and the email was crafted with language similar to that used by the lawyer in previous legitimate emails.
8.       One of the biggest threats that employees need to be made aware of is phishing. Today's cyber criminals use highly sophisticated social engineering tactics, which can make phishing attempts hard to spot, especially for the untrained. The best way to begin combatting this threat is to run mock phishing attacks. This way you can get an insight into how security savvy your workforce is, and then take steps to address any issues.
9.       A day after Prime Minister Narendra Modi launched Digital India week to reform government through technology, the official website of the National Institute of Technology was hacked and defaced by a Pakistani hacker on Thursday.