Sunday, August 30, 2015

Issue 27 - Week of Aug 24th


1.       Ashley Madison aftermath - the CEO stepped down last Friday. Lawsuits have been filed against the company in both Canada and the US. Some users reported receiving extortion emails demanding 1.05 bitcoin (about $250) to keep their information from being shared with their significant other. On August 24 the Toronto Police Department spoke of "two unconfirmed reports of suicides" associated with the leak of customer profiles and the extortion attempts that followed. The company is offering $500K for information leading to the arrest of the hackers. According to John McAfee, the hack was an insider job by a female employee.

2.       More than 80% of healthcare IT leaders say their systems have been compromised - "Eighty-one percent of healthcare executives say their organizations have been compromised by at least one malware, botnet or other kind of cyberattack during the past two years, according to a survey by KPMG. The KPMG report also states that only half of those executives feel that they are adequately prepared to prevent future attacks. The attacks place sensitive patient data at risk of exposure, KPMG said." 13% of survey respondents said they are targeted by external hack attempts about once a day, and another 12% see two or more attacks per week. "More concerning, 16% of healthcare organizations said they cannot detect in real-time if their systems are compromised," the report said.

3.       IBM says that Tor-based attacks are steadily increasing and that spikes in Tor traffic can be tied directly to the activity of malicious botnets; companies, IBM argues, have "little choice" but to block Tor-based communications. What is Tor? Tor (The Onion Router) is an anonymity network, not just a browser: a client's traffic is encrypted in layers and relayed through a chain of volunteer-run nodes, so no single relay sees both the user's IP address and the destination. (The Tor Browser is simply a browser bundled with the Tor client.) Tor grew out of US Naval Research Laboratory work and was intended to protect users' privacy; it is, however, also widely used for illegal activity. Note that blocking Tor at the perimeter means blocking the published relay and exit-node addresses, which change over time, so the block list has to be refreshed regularly.

4.       Pentagon unveils data breach rules for defense contractors: "The Pentagon is rolling out long-awaited rules governing how the defense industry should report cybersecurity incidents. The regulations, published in the Federal Register on Wednesday, require contractors and subcontractors to report "cyber incidents that result in an actual or potentially adverse effect" on either the contractor's information system and data, or its ability to "provide operationally critical support."" Reporting the incident and having a response plan in place is a good lesson for corporates in general as well.

5.       BitTorrent tracker blocks Windows 10 users "Some BitTorrent sites don't trust Windows 10 at all. So, at least one BitTorrent tracker, iTS, has blocked Windows 10 users from accessing torrents from their site. Others are considering banning Windows 10 users. In a YouTube video, iTS proclaimed that "Windows 10 is nothing more than a spy tool that will keep track of every action, email, conversation, video, picture, or anything else that you do on your computer."

6.       Keyless cars - convenience, but it always seems to come at a cost. News emerged last week that the Megamos Crypto transponder, the electronic vehicle immobilizer used by Audi, Fiat, Honda, Volvo and Volkswagen in over 100 car models, has a security flaw that Volkswagen had kept out of publication for two years by obtaining a court injunction against the researchers. Deploying security updates in cars is always challenging: doing it OTA (over the air) is easier, but needing a recall to update is costly and time consuming, with no guarantee that every car gets fixed. Four out of ten car thefts in London last year were due to electronic hacking. Experts recommend keeping your smart key in an RF-shielded pouch.

7.       The development of legislative mechanisms and criminal law provisions is the need of the hour to tackle the menace of cybercrime, India's Minister of State for Home Kiren Rijiju said last week. Addressing a seminar on cyber and network security, Rijiju said that to ensure cyber security, the agencies concerned must have the necessary training, tools and know-how to take on new-age cybercrimes.

8.       India ranks as the 9th most affected country for ransomware, with the US, Japan, the UK, Italy and Germany topping the charts. Ransomware locks computers or encrypts files and then demands payment to restore them. Among the many tips for protecting your business against cyber extortion, the most important is: back it up, back it up, and back it up again - and keep at least one copy offline or otherwise out of reach of the infected machine, since ransomware that can reach a connected backup drive or network share will encrypt that too.


9.       Things keep getting worse on the cyber front. From the US government to Ashley Madison to Ola to Gaana.com, no company, organization or person is safe from cyber-attacks. 80% of non-state attacks are by organized crime, and these gangs collaborate with each other. Not every attack can be stopped, but one can certainly prepare to prevent them and put in place a process and team to handle the aftermath. The first step in preparing is to understand how an attacker works - in other words, understand the kill chain (reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives) and put controls in place to break each link in the chain. For post-attack preparation, set up an emergency response team and process that will respond in the event of an attack.

Sunday, August 23, 2015

Issue 26 - Week of Aug 17th

1.       The Ashley Madison hackers released two data dumps last week. The first covered details of the registered members and the second focused on private internal company information. The data was leaked on various sites, but it is not easily searchable by people unfamiliar with raw database files. However, several sites have since popped up that allow anyone to search by email address to find out whether it had an account at AshleyMadison.com. One caveat: the site never verified email addresses at signup, so an address appearing in the dump does not prove that its owner created the account. In Canada, where Ashley Madison is based, a class-action lawsuit has been lodged against the firm, seeking damages of up to $760 million on behalf of Canadians whose data has been leaked online. In a spoof, the company's original slogan 'Life is Short. Have an Affair' became 'Life is short. Hire an Attorney.' Indeed, divorce lawyers may be the only ones laughing all the way to the bank.

2.       Retail giant Target suffered one of the biggest breaches of 2013. Last week Visa and Target reached an agreement that will reportedly reimburse card issuers up to $67 million in total for fraud losses and other expenses. The breach exposed an estimated 40 million credit and debit cards. On Feb. 25, Target reported that the card breach had cost the retailer $252 million, $162 million of which was not covered by insurance. As reported in this blog on May 31st, a proposed $19 million settlement between Target and MasterCard fell apart.

3.       Microsoft issues emergency patch for all versions of Windows: "Microsoft has released an emergency out-of-band patch for a "critical"-rated security vulnerability, affecting all supported versions of Windows. The software giant said in an advisory Tuesday that users visiting a specially-crafted website can lead to remote code execution on an affected machine." The zero-day (CVE-2015-2502) is a memory-corruption flaw in how Internet Explorer handles objects in memory. If successfully exploited, an attacker could "gain the same user rights as the current user," the advisory said. Those running administrator accounts are particularly at risk, it said - which is the usual argument for browsing from a standard user account, so that a drive-by exploit gets only that user's rights.

4.       IRS breach claims 220,000 additional US taxpayers: "The United States Internal Revenue Service (IRS) has revealed that in excess of 220,000 taxpayers may have had their personal information accessed, in addition to the 100,000 originally reported, as a result of a data breach." Thieves used the IRS's "Get Transcript" system to clear a multi-step authentication process, including several personal verification questions that are supposedly known only to the taxpayer, to access individuals' tax information. That such questions could be answered at this scale shows how much of that supposedly private information is already available to criminals from earlier breaches and public records.

5.       After Stagefright, Google is patching another 'high severity' bug in Android, affecting versions 2.3 to 5.1.1, which experts say could be used to violate device owners' privacy. The bug, likely to be fixed in Google's next monthly security update for Nexus devices, could allow attackers to abuse Android's mediaserver process to spy on device owners. Unlike Stagefright, which could be exploited simply by sending a malicious media file to an affected device, in this case an attacker would need to trick the victim into installing a malicious app.

6.       A hacking group suspected of operating from China has been successfully stealing information from mostly Indian targets, often relating to border disputes and trade issues. The gang mostly uses spear phishing: genuine-looking emails from seemingly known senders to selected targets. If the target opens the email and clicks the link, their machine is compromised. Some of the latest spear-phishing emails carry a Microsoft Word document containing an exploit for a long-patched vulnerability in Word. The vulnerability is "really ancient", but it is still effective in organizations that haven't patched their systems. Once in, the attackers use Windows Management Instrumentation (WMI) to explore the compromised computer and the network. That is worth remembering when hunting: WMI is a legitimate administration tool, so its use by an unexpected account or from an unexpected host is the signal, not WMI itself.

7.       Major findings for H1 2015: Adobe Flash vulnerabilities are on the rise; Angler dominates the exploit kit market; emboldened by the success ransomware has had, its operators are investing more in developing newer and deadlier variants; criminals increasingly use Tor and I2P (Invisible Internet Project) to avoid detection; Microsoft Office macros are once again being used to deliver malware; some exploit kit authors are inserting text from Jane Austen's classic Sense and Sensibility into the landing pages that host their exploit kits, since antivirus and other security products are more likely to classify such pages as legitimate after "reading" the text; malware increasingly evades sandboxes by refusing to detonate when it detects that it is running in one; spam volume is up; and exploits involving Java declined in the first half of 2015.

8.       A white-hat hacker claims that the websites of several leading universities, including DAVV Indore and Mumbai University, can be hacked. He said that sensitive information such as students' names, roll numbers and marks can be altered. The hacker shared screenshots of these databases and also showed how the data can be altered. He also said that he had contacted the universities but has not received any positive response from them yet.


9.       The website of the Karnataka State Higher Education Council was hacked on Thursday by a group calling itself Clinkz48. The homepage of the website (http://kshec.ac.in/) showed an image of a man laughing and holding a wine bottle, captioned "Cyber Team Rocks", and the message "Hacked by Clinkz48." The hackers also wrote: "Your data belongs to me. F*** Your System India :P Noob!! its lol `"


Sunday, August 16, 2015

The World this week..(Week of Aug 10th)

1.       Oracle controversy - Mary Ann Davidson, Oracle's CSO, took to the corporate blog to pen her thoughts on security in a post titled "No, You Really Can't". The post sharply admonished enterprise customers for reverse engineering, or hiring consultants to reverse engineer, the company's proprietary software with the aim of finding as-yet-unfixed security vulnerabilities. The post was deleted a few hours later, but social media continues to roll its eyes, shout in outrage or just laugh at it.

2.       Marketwired, PR Newswire and Business Wire, which distribute press releases for major publicly traded companies, had their systems penetrated by Ukraine-based hackers who stole market-moving press releases before publication and passed them to a ring of traders, who used the information to pocket about $100 million in profits.

3.       Cyber thieves broke into the IT systems of Carphone Warehouse, a large mobile phone retailer in the UK, and may have stolen personal and bank data of up to 2.4 million customers and the encrypted credit card details of up to 90,000 customers. Specifically, the division that was attacked operates the OneStopPhoneShop.com, e2save.com and Mobiles.co.uk websites, the company said in an emailed statement.

4.       Update on Android's Stagefright vulnerability: Google's initial four-line patch turned out to be incomplete and can be bypassed. This highlights the shoddiness of the Android ecosystem's update process, with three parties involved: Google, the device manufacturer and the carrier. An expert, responding on Twitter to Samsung's and HTC's plan to ship monthly patches to carriers, said: "I am giving a steak to my dog, to deliver to you. I'm sure it'll arrive." The Stagefright vulnerability allows an attacker to compromise an Android device just by sending it a text message.

5.       June was "the worst month of malvertising ever", and Flash zero-day vulnerabilities are partly to blame, say experts. In the first six months of 2015 malvertising was one of the biggest threats to endpoint security, causing an estimated $525 million in damages. Malware + advertising = malvertising. The malware dropped on the endpoint was mostly ransomware, banking trojans, or bot code that abuses the endpoint for click-fraud campaigns. As you may recall from last week's blog, Yahoo's ad network was recently misused to deliver malvertising.

6.       The Darkhotel cyber-espionage crew keeps adding to its bag of tricks: new evidence shows that the group has latched on to some of the zero-day vulnerabilities exposed by last month's Hacking Team data dump. Best known for breaking into the Wi-Fi networks of luxury hotels to target very high-profile corporate and government executives, the group has long depended on zero-days to strike its targets. Darkhotel has gone through half a dozen or more zero-days targeting Adobe Flash Player in the past year, investing considerable funds to build a quiver meant to hit the proverbial bullseye. The Darkhotel APT relentlessly spear-phishes specific targets in order to compromise their systems.

7.       Australians are paying thousands of dollars to overseas criminals to rid their computers of ransomware of the Cryptolocker family, whose encryption cannot be broken. There has been a rise in the number of people falling victim to the latest version, which hijacks computer files and demands a ransom to restore them. The ransomware infects computers through downloaded programs and credible-looking emails, taking files and photographs hostage. It can arrive in an email disguised as an installer for the new operating system, packed in a zip file.

8.       Hackers' arsenal was beefed up last week with a drone armed with software weapons to break into wireless networks at close range, whether in skyscrapers or walled compounds. The drone carries the software tools used for the kind of "penetration testing" done by attackers and by security professionals looking for vulnerabilities in networks, and is simply flown past the target's physical defenses.


9.       India is among the countries worst affected by Black Vine, a formidable, highly resourced attack group equipped to conduct cyber espionage against targeted organizations. Black Vine typically conducts watering-hole attacks against websites relevant to its targets' interests and uses zero-day exploits to compromise computers (recon, lure, exploit kit). If an exploit succeeds, it drops a variant of Black Vine's custom-developed malware (dropper file). These threats open a back door on the compromised computer and let the attackers steal information (call home and data theft).


Sunday, August 9, 2015

The World this week..(Week of Aug 3rd)

1.       iPhones are generally considered safer than Android phones, but the data leaked from the Hacking Team network shows that the company had sophisticated, remotely controllable exploits for all major mobile platforms, including iOS, Android, Windows Phone, BlackBerry and Symbian. For iOS, the Hacking Team tool is disguised as an innocuous newsstand app with a transparent icon that conceals its presence on the device. The attack takes advantage of a now-patched flaw in multiple versions of iOS that allowed attackers to replace a legitimately installed application with a malicious one, so long as both apps used the same bundle identifier.

2.       OPM wins Pwnie for Most Epic Fail at the Black Hat awards show: one of the many categories at the Pwnie Awards is Most Epic Fail, with this year's nominees including the Ashley Madison and U.S. Office of Personnel Management (OPM) hacks. OPM came away with this year's award, as the hack of its systems put 25.7 million Americans at risk. The name Pwnie Award is based on the word "pwn", hacker slang meaning "to compromise" or "to control", derived from the word "own" (and pronounced similarly).

3.       Starting from July 28th and for seven days, hackers used Yahoo's ad network to infect millions of computers. The group bought ads across the Internet giant's sports, news and finance sites; when a Windows computer visited a Yahoo page carrying one of those ads, the ad silently pulled in malware. Victims were either held to ransom or had their browsers discreetly redirected to websites that paid the hackers for traffic. Yahoo acknowledged the attack but said its scale was grossly misrepresented.

4.       Named after China's life-size terracotta soldiers, Terracotta is a commercial VPN service in China, illegal there, used to circumvent the Great Firewall. It has over 1,500 nodes outside the country, obtained mainly by compromising vulnerable Windows servers belonging to legitimate organizations. Terracotta also masks its users' identity, which can be invaluable to activists in a country where they are not popular with the ruling party. Attack groups have begun launching attacks through these VPN nodes, so the traffic appears to come from an innocent victim organization and is very hard to attribute.


5.       The Sri Lankan prime minister Ranil Wickremesinghe’s  office website was hacked by a hacktivist. The hacker going with the handle of Dr.MwNs, hacked and defaced the official website of Prime Minister’s Office in Sri Lanka last Thursday.

6.       Researchers at Black Hat USA released details of the "Man in the Cloud" attack. It does not depend on exploiting a vulnerability or on stealing the victim's password; instead it abuses the synchronization token that file-sync clients (Dropbox, Google Drive, OneDrive and the like) store on the endpoint to authenticate the user and sync files. The attacker social-engineers the victim into running a small piece of code that swaps in a token tied to the attacker's cloud account and sends the victim's original token to the attacker. From then on, everything the victim syncs is uploaded to the attacker's account, and the attacker can use the stolen token to read the victim's account directly, without ever entering a password.

7.       A classic case of a look-alike (typosquatted) domain: cybercriminals got into the email conversations between a pharmaceutical firm in Marine Lines, Mumbai, and a US company, used the information in the mails to create a similar address, and duped the Mumbai firm of ₹5 lakh. From the emails the accused had learned that the Mumbai company had ordered medical equipment. They created the fake address by changing just one letter of the US company's domain.

8.       Some more news from Black Hat USA: researchers have shown how fingerprints can be stolen from Android devices and misused by attackers for the rest of the victim's lifetime. This "fingerprint sensor spying attack" can "remotely harvest fingerprints in a large scale". Many Android phones use a fingerprint sensor to log the user into the phone; an attacker who gets control of the device can read the image from the sensor and misuse it in a variety of ways, as fingerprints are used for mobile payments, unlocking devices, identity, immigration and criminal records. Unlike a password, a fingerprint cannot be changed once it has leaked. Apple phones are unaffected because Apple encrypts the sensor image.


9.       A new ransomware variant has surfaced in Australia; it doubles the ransom for decryption after a deadline of five days. The malware encrypts text, image, data, web, database, video, backup and other file formats. Once done, it deletes traces of itself from the machine and leaves only the .ZIP file in the Temporary Internet Files folder and some HTML warnings. In one case, because the business owner did not engage with the criminals, the company lost thousands of valuable files, including business-related databases.
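Returning to item 7 above (the look-alike address used to dupe the Mumbai firm): the check a mail gateway or an accounts-payable team can run is to compare every sender domain against the domains of known partners and flag anything that is one edit away. The following is an added example, not code from the original post or from any vendor; the partner domain example-medsupply.com and the sample From: headers are constructed, and the homoglyph list is a small hand-picked set. It goes slightly beyond the single changed letter in the story: it also catches swapped letters and look-alike character runs such as "rn" for "m".

```python
"""Flag look-alike sender domains: one edit, one swapped pair or one
homoglyph away from a domain we actually do business with."""
# Added example, not from the original post. The partner domain and the
# sample sender addresses are constructed for illustration.

# Domains of parties we legitimately exchange email with (hypothetical).
TRUSTED_DOMAINS = {"example-medsupply.com"}

# Character runs that look alike in common fonts; both sides are folded
# before comparison so "exarnple" and "example" collide.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def normalize(domain: str) -> str:
    """Lower-case and fold visually confusable sequences."""
    d = domain.lower()
    for look, real in HOMOGLYPHS:
        d = d.replace(look, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: an insertion, deletion,
    substitution or adjacent transposition each costs 1."""
    m, n = len(a), len(b)
    d = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = i
    for j in range(n + 1):
        d[0][j] = j
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[m][n]


def sender_domain(header_value: str) -> str:
    """Extract the domain from a From: value such as 'Name <user@host>'."""
    return header_value.strip().rstrip(">").rsplit("@", 1)[-1].lower()


def check_sender(header_value: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1):
    """Return (verdict, trusted domain it resembles or None).
    verdict is 'trusted', 'lookalike' or 'unknown'."""
    domain = sender_domain(header_value)
    if domain in trusted:
        return "trusted", domain
    folded = normalize(domain)
    for t in trusted:
        if edit_distance(folded, normalize(t)) <= max_distance:
            return "lookalike", t
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample From: headers, one per trick.
    for sample in ["Orders <orders@example-medsupply.com>",
                   "orders@example-medsuply.com",    # dropped letter
                   "orders@exmaple-medsupply.com",   # swapped letters
                   "orders@exarnple-medsupply.com",  # rn for m
                   "orders@examp1e-medsupply.com",   # digit one for l
                   "news@unrelated-example.net"]:
        print(f"{sample:45} -> {check_sender(sample)}")
```

A "lookalike" verdict is not proof of fraud, but it is exactly the case in which a change of bank details or a payment instruction should be confirmed out of band, by phone to a number already on file rather than one taken from the suspicious email.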

Sunday, August 2, 2015

The World this week..(Week of July 27th)

1.       Android phones can be hacked with a text message, with over 1 billion devices at risk. A critical flaw resides in the 'Stagefright' component of Android, the media library used to process, record and play multimedia files. To improve the user experience, any video received by MMS is automatically downloaded and prepared for playback; this makes the vulnerability even more dangerous, because an attacker can compromise a device without any action on the part of the user, just by sending a text. Researchers have also found a way to host the exploit on a web page and infect visitors. Google has delivered a patch, but given the shaky history of handset manufacturers and carriers in rolling out security patches, it is not known how long vulnerable devices will wait for it. Until then, users can protect themselves by turning off MMS auto-retrieval in their messaging app and, where available, using a third-party messaging app that has been patched.

2.       Update on the auto hack: Chrysler has recalled 1.4 million vehicles to fix the software issue, and the company is being criticized for offering to mail customers USB sticks that apply the fix. There is always the possibility of a customer not applying it correctly, or of the sticks being tampered with in transit by malicious actors, and it trains customers to plug USB sticks that arrived in the post into their cars. Another security researcher revealed a kit last week that makes it possible to track, remotely unlock and start the engine of GM vehicles running the OnStar connected-car system. He calls the kit OwnStar.

3.       Massachusetts General Hospital recently notified 648 patients that their names, lab results and Social Security numbers may have been exposed in May 2015 when an employee mistakenly sent an email containing the data to the wrong address. To prevent a recurrence, the hospital will need to update its processes, re-educate its workforce and invest in data loss prevention (DLP) technology that can catch sensitive data leaving by email.

4.       Last week saw the release of Windows 10, followed by overblown FUD about Wi-Fi Sense being a security concern, and the week ended with reports that Wi-Fi Sense is not a security risk. Sharing is enabled by default, but a network is shared only if the user chooses to share that particular network, and only with the contact groups the user selects (Outlook.com contacts, Skype contacts, Facebook friends). Those contacts get Internet access through the shared network only; the feature does not give them access to local resources or personal files, and the network password itself is never displayed to them.

5.       Hackers and other malicious actors are increasingly targeting online ad networks as a means to infect users; more than half of these "malvertising" (malware + advertising) attacks originate from news and entertainment sites that inadvertently display infected ads. Attackers buy ads from online advertising companies and embed exploit-kit redirects in them; the exploit kit profiles the victim's browser and plug-ins and launches the malware payload (dropper file). The hosting websites cannot be blamed entirely: ads are their key revenue model and it is impossible for them to check every ad, though they try to limit third-party code running on their sites.

6.       "National defense is too important to leave to the military" is a famous quote, and it applies to cybersecurity as well. The IT team manages data on the front lines, but the impact of a data theft is usually severe, and it is advisable for the Board to be involved from the start. For many Board members cybersecurity is formidable, and the best way to overcome that is by investing in the right cybersecurity partner.

7.       White-hat hackers are usually rebuffed and sometimes even threatened by Indian firms, but this is gradually changing. After the recent hacks of Ola cabs, Zomato and Gaana.com, where hackers publicly pointed to the flaws, some Indian firms are finally following in the footsteps of large US companies by allowing ethical hackers to test their systems for bugs. At stake are cash rewards and career boosts. Ola now pays a minimum of ₹1,000 per bug with no upper limit for complex ones; Indians identified the largest number of valid bugs in the last two years for Facebook, which paid an average of $1,343 per bug in 2014.

8.       Indian companies are increasingly suffering huge losses from cyber-attacks that interrupt business and expose customer data. However, with only 100-150 'cybercrime liability insurance' policies sold in the country, the majority of companies are inadequately protected against the growing menace. A typical cybercrime policy covers monetary loss arising from the loss of financial data, hacking that leads to business interruption, and loss of customer, bank and patient data. BPOs and software companies are the top buyers, mostly at the insistence of their foreign clients.


9.       On the dark web's marketplaces, the full set of someone's personal information (identification number, address, birthdate and so on) is known as "Fullz". Each Fullz has a market price ranging from $1 to $450; the median price for someone's identity is $21.35. Fullz are generally used for fraudulent credit card transactions, online transfers, phone banking, fake insurance claims and the like. (The original post included a screenshot of such a listing from the dark web.)
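Returning to item 1 of this week (Stagefright): the Stagefright bugs were integer overflows in libstagefright's parsing of media files, where a size field read from the file was added to an offset and the sum compared against the buffer length; with a large enough size the 32-bit sum wraps and the check passes. The following is an added example, not Android or libstagefright code: it shows the flawed check beside the correct one on a toy length-prefixed chunk format (4-byte big-endian size, then a 4-byte tag, the same layout as MP4 boxes) with a constructed two-chunk buffer, emulating 32-bit arithmetic in Python so that the wraparound is visible.

```python
"""Bounds-checking a declared chunk size: the integer-overflow pattern behind
the Stagefright bugs, shown on a toy length-prefixed format."""
# Added example, not Android or libstagefright code. The chunk layout
# (4-byte big-endian size, then a 4-byte type tag, as in MP4 boxes) and the
# sample buffers are constructed for illustration.

import struct

U32_MAX = 0xFFFFFFFF
HEADER = 8  # size field + tag


def check_unsafe(off: int, size: int, buflen: int) -> bool:
    """The flawed check as 32-bit C would evaluate `off + size <= buflen`:
    a huge `size` wraps the sum around to a small number and passes."""
    return ((off + size) & U32_MAX) <= buflen


def check_safe(off: int, size: int, buflen: int) -> bool:
    """Compare the declared size against the space actually left; nothing
    is added to the offset, so nothing can wrap. Sizes smaller than the
    header are rejected so the parser cannot loop on the same chunk."""
    return HEADER <= size <= buflen - off


def scan(buf: bytes, check) -> list:
    """Walk the chunks using the given check. Returns (tag, size, verdict)
    per chunk; a C parser that 'accepted' an oversized chunk would go on to
    copy `size` bytes out of a buffer that holds far fewer."""
    out, off = [], 0
    while off + HEADER <= len(buf):
        size, tag = struct.unpack_from(">I4s", buf, off)
        verdict = "accepted" if check(off, size, len(buf)) else "rejected"
        out.append((tag.decode("ascii"), size, verdict))
        if verdict == "rejected" or size < HEADER:
            break
        off += size
    return out


def chunk(tag: bytes, payload: bytes, declared_size: int = None) -> bytes:
    """Build one chunk; `declared_size` lets the test file lie about length."""
    size = HEADER + len(payload) if declared_size is None else declared_size
    return struct.pack(">I4s", size, tag) + payload


# Constructed sample: a sane 16-byte chunk followed by one whose declared
# size is chosen so that 16 + 0xFFFFFFF0 wraps to exactly 0 in 32 bits.
SAMPLE = chunk(b"ftyp", b"isom\x00\x00\x00\x01") + \
         chunk(b"mdat", b"\x00" * 8, declared_size=0xFFFFFFF0)


if __name__ == "__main__":
    print("unsafe:", scan(SAMPLE, check_unsafe))
    print("safe:  ", scan(SAMPLE, check_safe))
```

With the unsafe check the second chunk, which declares roughly 4 GB of payload inside a 32-byte buffer, is accepted because the wrapped sum is 0; the safe check rejects it because 0xFFFFFFF0 is larger than the 16 bytes remaining. When reviewing any parser, look for the `offset + size` form and rewrite it as `size <= remaining`; feeding declared sizes near 2^32 is the quickest way to shake the unsafe form out of real code.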