Sunday, August 2, 2015

The World this week..(Week of July 27th)

1.       Android phones can be hacked with a text, over 1 Billion devices at risk. A Critical flaw resides in the 'Stagefright' component of Android OS, which is used by  Android to process, record and play multimedia files. To improve user experience any video file that is received by the OS is automatically downloaded and kept ready for play back to the user, this feature makes this vulnerability even more dangerous as hackers can hack any Android device without depending on any action on part of the user. They have to just send a text and hack the device. Researchers have discovered a method of hosting this exploit on a webpage and infecting the visitors. Google has delivered a patch for Stagefright attack but given the shaky history of handset manufacturers and carriers rolling out security patches, it is not known how long the companies will take to update vulnerable Android devices. Till then, the users can protect themselves by turning off MMS auto-retrieval and using 3rd party patched apps to view MMS.

2.       Update on Auto hack - Chrysler has recalled 1.4 Million jeeps to fix the software issues, the company is being criticized for providing an option to send USB sticks to customers that will fix the issue. There is always a possibility of customer not doing it the right way or the sticks getting infected with new bugs during transit by malicious actors. Another Security researcher revealed a kit last week that makes it possible to track, remotely unlock and start the engine of GM vehicles that run the OnStar connected car system. He calls his kit - OwnStar.

3.       Massachusetts General Hospital recently notified 648 patients that their names, lab results and Social Security numbers may have been exposed in May 2015 when an  employee sent an email containing the data to the wrong email address by mistake. To help prevent this from happening again, the hospital will need to update their processes, re-educate their workforce and invest in a world class Data Theft Prevention technology.

4.       Last week witnessed Windows 10 being released, followed by overblown FUD reports of Wi-Fi Sense being a potential security concern and finally the week ended with reports that Wi-Fi Sense not being a security risk. The option to allow Internet sharing is enabled by default but only for networks that the user chooses (like Outlook contacts, Skype contacts, Facebook friends). If any one of these networks are selected then the Wi-Fi Sense only shares Internet access. It doesn't allow any access to local resources or personal files.

5.       Hackers and malicious actors are increasingly targeting online ad networks as a means to infect users, more than half of these "malvertising" (Malware + Advertising) attacks originate from news and entertainment sites that inadvertently display infected online ads. Attackers buy ads from online advertising companies and insert Exploit Kits in these ads, which in turn help the hackers profile the victim’s machine and launch the malware payload (Dropper file). The hosting websites cannot be blamed completely as Ads are their key revenue model and it is impossible for them to check all the ads, though they try to limit third party code running on their sites.

6.       "National defense is too important to leave to the military", is a famous quote - this also applies to Cybersecurity. The IT team manages data on the frontlines but the impact of a data theft is very severe most of the times and it is advisable for the Board to get involved from the scratch. For many in the Board, cybersecurity is very formidable and the best way to overcome is by investing in a "Right Cybersecurity partner".

7.       White hat hackers are usually rejected and sometimes even threatened by Indian firms, this is now gradually changing. After the recent hacks of Ola cabs, Zomato and Ganna.com, where hackers publicly pointed to flaws, some Indian firms are finally following in the footsteps of US bigges by allowing ethical hackers to test their security systems for bugs. At stake are cash rewards and career boosts. Ola now pays minimum of  ₹ 1000 for bugs with no upper limit for complex bugs, Indians identified the largest number of valid bugs in the last two years for Facebook, which paid an average of $1343 per bug in 2014.

8.       Indian companies are increasingly suffering huge losses due to rising cyber-attacks that leads to interruption of business and loss of customer data. However, with only 100-150 policies covering 'cybercrime liability insurance' being sold in the country, majority companies are inadequately protected against the growing menace. A typical cybercrime policy can take care of monetary loss arising out of the loss of financial data, hacking leading to business interruption, loss of customer data, bank data and patient data. BPOs and the software companies are the top buyers and mostly at the insistence of their foreign clients.


9.       On the dark web’s marketplaces, the full set of someone’s personal information—identification number, address, birthdate, etc.—are known as “Fullz.” Each Fullz has a market price ranging from $1 to $450, The median price for someone’s identity is $21.35. Fullz are generally used to make fraudulent Credit card transactions, Online transfers, Phone banking, Fake insurance claims, etc. The below screen shot is from the Dark web:

No comments:

Post a Comment