Sunday, September 27, 2015

Issue 31 - Week of Sep 20th

1.       A diesel whodunit: How software let VW cheat on emissions. According to the U.S. Environmental Protection Agency, Volkswagen was able to cheat emission tests for half a million of its U.S.-sold cars. Diesel cars from Volkswagen and Audi cheated on clean air rules by including software, likely a single line of code, that made the vehicles' emissions look cleaner than they actually were. As a result, VW cars met emissions standards in the lab or at the testing station, but during normal operation on the road they emitted 40 times more nitrogen oxides.

2.       Morgan Stanley employee pleads guilty in data breach case. A Morgan Stanley employee who was fired in connection with a data breach at the company pleaded guilty last week to downloading hundreds of thousands of confidential customer account records. Names, addresses, account numbers, and investment information are among the sensitive data of the 730,000 accounts (10% of the Wealth division's clients) taken by him, according to the prosecution. They also claim that he was speaking to other companies about a possible new job when the data was taken; sentencing is scheduled for December.

3.       Uber hacked again. "@Uber I had a great ride in China this morning! Except, weird, I wasn't in China this morning." A number of Twitter users worldwide are complaining that their Uber accounts have been hacked and are being used to book rides in China without their consent or knowledge. Once accounts have been hacked, they eventually turn up for sale on the dark web: identities can be purchased for as little as $1, as can compromised eBay, PayPal, Facebook, Netflix, Amazon and Uber accounts.

4.       The OPM breach deepens: 5.6 million federal employees' fingerprints stolen. It took weeks before the Office of Personnel Management (OPM) admitted that almost 22-million federal employee personnel and security records had been cracked in two separate attacks. Months later, the OPM and Department of Defense (DoD) confessed that of the 21.5 million individuals whose Social Security Numbers and other sensitive information were impacted by the breach, the subset of individuals whose fingerprints have been stolen has increased from a total of approximately 1.1 million to approximately 5.6 million.

5.       Russia's plan to crack TOR crumbles. The Russian government was willing to pay 3.9 million rubles ($59,000) to anyone able to crack Tor, a popular tool for communicating anonymously over the Internet. Now the company that won the government contract expects to spend more than twice that amount to abandon the project. As discussed in Issue 27 of this blog, TOR (The Onion Router) is a browser that delivers untraceable access to the Internet by linking all the computers onto a network, and it is mostly used for unscrupulous and illegal activities.

6.       Security spending will reach $75.4b worldwide: Gartner. Worldwide security spending will reach $75.4 billion this year, a 4.7 percent increase over last year, according to the latest forecast from technology research firm Gartner. "Interest in security technologies is increasingly driven by elements of digital business, particularly cloud, mobile computing, and now also the Internet of Things, as well as by the sophisticated and high-impact nature of advanced targeted attacks."

7.       Cybersecurity firm offers $1 million for Apple hack. A computer security firm last week offered a $1 million bounty to hackers who can find a way to breach Apple's latest iOS 9 mobile operating system. To win the money, hackers must use a web page or text message to remotely bypass the iOS 9 security and discreetly install an application on the iPhone or iPad by October 31, the company said in an online statement.

8.       Healthcare organizations twice as likely to experience data theft as other industries. Last week, Raytheon|Websense announced the publication of the 2015 Industry Drill-Down Report – Healthcare. In it, Websense explains why healthcare has experienced a surge in attacks in recent years: the rapid digitization of the healthcare industry, combined with the value of the data at hand, has led to a massive increase in the number of targeted attacks against the sector. While the finance and retail sectors have long honed their cyber defenses, the research illustrates that healthcare organizations must quickly advance their security posture to meet the challenges inherent in the digital economy, before the sector becomes the primary source of stolen personal information.

9.       Cyber security very important for Digital India: The Digital India program envisions the creation of a digitally empowered economy, e-governance and services on demand to improve citizens' access to information and resources. The Aadhaar (UID) initiative now stores biometric data of over 730 million citizens. India currently has 319 million internet users and 213 million mobile internet users, and 41% of e-commerce sales happen on mobile; it is anticipated that the majority of Digital India users will also be using mobiles. Now consider these statistics in the light of a recent report that discussed how Android phones can be hacked with a single text message. Any security breach will raise major concerns about the privacy and security of confidential data.


10.   Apple on Thursday shared a list of the top 25 iOS apps infected with malware as a result of XcodeGhost. As previously noted, most of the titles are from China-based developers, since that's where programmers installed a modified version of Apple's Xcode IDE in lieu of the official version. Apple has pointed out that WeChat topped the list of 25 apps, which includes games, utilities and other software, including an Angry Birds 2 clone. The infected apps:

Sunday, September 20, 2015

Issue 30 - Week of Sep 14th

1.       Target's legal woes continue to mount over its now-infamous data breach in 2013. Last week, a District Court judge in Minnesota ruled that Target was negligent in its credit card data security and is therefore liable to a class-action suit brought by banks affected by the hack. Following the initial hack and disclosure in 2013, Target came under scrutiny from the Justice Department and had its CEO step down in disgrace. The company has already paid Visa $67 million for the trouble and attempted to give MasterCard another $19 million, though that latter offering fell through.

2.       Former AT&T employees sued for fraudulently unlocking phones. In many markets across the world, service providers offer mobile handsets with a software lock installed that prevents the user from switching to competing networks. A US-based company run by Prashant Vira bribed three AT&T employees and installed malware on their computers, through which it could unlock any AT&T phone. AT&T says "hundreds of thousands" of phones were unlocked as a result of this malware. AT&T's charges include computer fraud, breach of loyalty and civil conspiracy.

3.       Raytheon|Websense* has been recognized by research and global advisory firm Forrester Research, Inc. as a leader for TRITON AP-WEB with Web Cloud Module in the "Forrester Wave™: SaaS Web Content Security, Q2 2015" report. Forrester's independent, 26-criteria evaluation ranked Websense among the highest scores for threat detection, automated malware analysis, and endpoint support, as well as the top score among all vendors in the reporting category. Websense also received among the highest scores in the "Data loss prevention — discovery and analysis", authentication and administration categories.

4.       AirDrop, Apple’s method for wirelessly transmitting data quickly, has a serious bug, according to one security researcher. The problem relates to security certificates: when a business wants to deploy apps outside of the App Store, it ‘signs’ that software with an enterprise certificate. As of now, bad actors can trick the device into accepting a fake certificate, even if you never open an AirDropped file, and this gives them root-level access to the device. For now, it’s a good idea to restrict AirDrop to contacts only (or turn it off), and update to iOS 9 as soon as possible.

5.       The head of China's Cyberspace Administration is holding a summit with US technology companies. He's expected to further press US technology companies operating in China to sign off on a pledge that they will comply with Chinese information security policies, potentially giving Chinese authorities direct access to user data. The New York Times reports that the terms of the pledge require companies to “promise they would not harm China’s national security and would store Chinese user data within the country." The pledge also goes further, pressing for systems to be “secure and controllable”, suggesting that companies may have to provide direct backdoors to systems for surveillance and provide the Chinese government with source code to their applications.

6.       Unpatched Android Lollipop devices open to lockscreen bypass bug. "There's an easy way to bypass the lockscreen in devices running Android 5.0 Lollipop - at least those which have not yet received the latest security update. Now that Google has released its September patch for Android Lollipop, which contained a fix for a lockscreen bypass, a security researcher at the University of Texas has detailed how to exploit the bug. The hack involves overloading the password field after opening the camera app from the lockscreen."

7.       3 out of 4 organizations admit they aren't 'resilient' to cyberattacks. The survey, conducted by the Ponemon Institute, asked more than 600 IT pros about their organizations’ “cyber resilience” (the capacity of an enterprise to maintain its core purpose and integrity in the face of cyberattacks). A mere 25% of respondents rated their organizations as highly resilient, and two-thirds rated their organization’s ability to prevent a cyberattack as not high. An even greater share, 68%, graded their ability to recover from cyberattacks as not high. In the face of cyberattacks on companies such as Sony Pictures, Hacking Team, Ashley Madison and countless others, the self-assuredness of security teams seems to be slipping.

8.       Why is cybercrime spreading rapidly? According to experts, one of the main reasons is the ease with which hackers can launch an attack, given the availability of MaaS (Malware as a Service). Cyberattacks used to be the exclusive domain of seasoned professional cyber-criminals, but now MaaS allows non-professional hackers to buy or subcontract portions of the complex and highly evasive multi-stage attacks needed to build and distribute malware. This changes the baseline of security: what was advanced last year is now basic. IT managers need to constantly enhance a company’s security posture to counter the continuously growing and evolving world of threats. Adopting a security posture that protects your data across the kill chain is essential; businesses need to move with the times and effectively protect the assets that keep them running and reputable.

9.       Idiot box no more an idiot for the Indian Army: the idiot box could be spying on you. The emergence of smart televisions and their rapid adoption in the army have sounded alarm bells, as the army fears that these sets can be a threat to cyber security and can leak data from sensitive locations. The Cyber Security Division has also listed some measures to mitigate the threat: disable built-in cameras and microphones, disable the location setting, and avoid web browsing through the smart TV.


10.   Darknet is full of criminals. A darknet is an overlay network that can only be accessed with specific software, configurations, or authorization, often using non-standard communication protocols and ports. Two typical darknet types are peer-to-peer networks and anonymity networks such as TOR, which works via an anonymized series of connections. The Darknet is also a platform for new and innovative ways to commit crime. Empowered by the Darknet’s global reach and emboldened by the anonymity it offers, the gamification and crowdfunding of crimes like murder and human trafficking represent an increasingly grim aspect of the Darknet.

Sunday, September 13, 2015

Issue 29 - Week of Sep 7th

1.       Data breach exposes 10M health records from New York insurer. "More than 10 million records were exposed in a data breach of health insurer Excellus BlueCross BlueShield and a partner company. Excellus revealed the breach on Wednesday, telling customers they would receive identity-monitoring services and that the FBI is investigating the crime. The records included Social Security numbers and other identifying information, as well as claims members made to pay for medical care." That's only a fraction of the size of a similar hack earlier this year, but it raises the question, "Again?" This blog's issue for the week of May 18th had reported that breach of 1.1M records.

2.       Britain’s Largest Bank And Insurer Admit to Massive Data Theft. The website of RSA (Royal Insurance and Sun Alliance) carried the following update: "A storage device that contained information about some of our customers is missing and has been reported as stolen. The privacy and security of our customers’ personal information is a top priority for RSA. We value the trust our customers place in us to keep their personal information secure and we regret the concern that this loss may cause. We’re making available two years of identity protection to anyone affected by this incident as well as providing more information on this site on how to protect your personal information."

3.       When hackers swiped an estimated 37 million accounts associated with AshleyMadison.com, a site which helps married people cheat on their partners, there was a rush to find out what had been stolen. A month after the breach was reported, hackers released the first cache of stolen data and the list of the worst passwords in the Ashley Madison breach just got longer -- and a lot more depressing. '123456', '12345', 'password', 'default', '123456789' are the top five passwords.

4.       Researcher discloses zero-day vulnerability in FireEye. "Last week, Kristian Erik Hermansen of the German firm ERNW disclosed a zero-day vulnerability in FireEye's core product, which if exploited, results in unauthorized file disclosure. As proof, he also posted a brief example of how to trigger the vulnerability and a copy of the /etc/passwd file. What's more, he claimed to have had three other vulnerabilities, and said they were for sale." FireEye responded by releasing patches for all the vulnerabilities, but not before obtaining an injunction against the researcher restraining him from going public, and in the process faced significant wrath from the internet community for stifling not only free speech but the ability to warn and educate its customers.

5.       Websense Security Labs identified a rising trend in bold, well-researched, targeted fraud attacks using typo-squatting and false headers as their primary gambit. Since then, these fraudulent attacks have continued, logging immense gains in both volume and success: the FBI’s Internet Crime Complaint Center (IC3) reports a 270% increase in identified victims and dollar losses since January. Typo-squatting is a technique in which the hacker registers a fake domain that differs from the target domain by only one character or features transposed characters. Most often hackers exploit these domains within hours of registration, and according to the IC3, the money trail takes several hops around the world but primarily ends up in Asian banks (specifically in mainland China and Hong Kong).
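As an added example (not code from the blog, Websense or the IC3), the following Python triages the From: header of inbound mail against a watchlist of an organization's own sending domains. It flags the two typo-squat patterns the item describes, a single-character difference and transposed characters, by computing an optimal-string-alignment edit distance of 1, and goes a little beyond the text by also catching a trusted domain embedded inside a longer one and a "false header" whose display name borrows a trusted brand while the address domain is untrusted. The watchlist and the mail headers are constructed sample data.

```python
"""Triage mail From: headers for typo-squatted and spoofed sender domains.

Added example; not code from the blog, Websense or the IC3. The watchlist
and the headers below are constructed sample data, not real indicators.
"""
from email.utils import parseaddr

# Constructed watchlist: domains the organization and its partners send from.
WATCHLIST = ["example-corp.com", "examplebank.com"]

# Constructed sample From: headers as they would appear in a mail gateway log.
SAMPLE_HEADERS = [
    "Accounts Payable <ap@example-corp.com>",
    "CFO <cfo@exmaple-corp.com>",                        # transposed characters
    "Treasury <wire@examplebank.co>",                    # one character dropped
    "IT Helpdesk <help@example-corp.com.evil.net>",      # trusted domain embedded
    "Example Corp Billing <billing@mail-service.net>",   # brand in display name only
    "News <news@weekly-digest.net>",
]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein edits plus one adjacent
    transposition, so 'exmaple' is distance 1 from 'example'."""
    n, m = len(a), len(b)
    d = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        d[i][0] = i
    for j in range(m + 1):
        d[0][j] = j
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[n][m]


def classify_domain(domain: str, watchlist=WATCHLIST):
    """Return (verdict, matched_watchlist_domain) for a sender domain."""
    d = domain.lower().rstrip(".")
    for legit in watchlist:
        if d == legit or d.endswith("." + legit):
            return ("trusted", legit)          # the domain itself or a real subdomain
    for legit in watchlist:
        if legit in d:
            return ("lookalike", legit)        # trusted name buried in a longer domain
        if osa_distance(d, legit) == 1:
            return ("lookalike", legit)        # one edit or one swap away
    return ("unknown", None)


def triage_from_header(header_value: str, watchlist=WATCHLIST):
    """Classify one From: header; also catch brand names used only in the display name."""
    name, addr = parseaddr(header_value)
    domain = addr.rpartition("@")[2]
    verdict, matched = classify_domain(domain, watchlist)
    if verdict == "unknown" and name:
        shown = name.lower().replace("-", " ")
        for legit in watchlist:
            brand = legit.split(".")[0].replace("-", " ")   # "example-corp" -> "example corp"
            if brand in shown:
                return ("display-name-spoof", legit)
    return (verdict, matched)


def triage_all(headers=SAMPLE_HEADERS, watchlist=WATCHLIST):
    """Return [(header, verdict, matched)] for every header that is not trusted."""
    results = []
    for h in headers:
        verdict, matched = triage_from_header(h, watchlist)
        if verdict != "trusted":
            results.append((h, verdict, matched))
    return results


if __name__ == "__main__":
    for header, verdict, matched in triage_all():
        print(f"{verdict:20s} {header}  (watchlist: {matched})")
```

The distance check is deliberately limited to exactly one edit: a threshold of two or more starts matching unrelated short domains, so a gateway rule would normally pair it with a registration-age lookup for the domain, which the item notes is usually hours old when abused.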

6.       Mozilla admitted last week that its Bugzilla bug tracking system was breached by an attacker, who was then able to get access to information about unpatched zero-day bugs. According to Mozilla, the attacker was able to breach a user's account that had privileged access to Bugzilla, including the non-public zero-day flaw information. As far as Mozilla has been able to determine at this time, the attacker accessed approximately 185 bugs that were non-public. Of those bugs, Mozilla considered 53 to be severe vulnerabilities.

7.       DOE Hacked 159 Times From 2010 To 2014, Report Says. It's no surprise that the US Department of Energy (DOE) is a major target for cyber-attacks, but new data shows just how often the agency gets hit: the agency recorded 1,131 attack attempts during a 48-month period, of which 159 were "successful," the publication reports.

8.       Over two months after Italian surveillance software maker Hacking Team had its internal data leaked by hackers, vendors are apparently still fixing zero-day exploits from the company's arsenal. On Tuesday (Patch Tuesday), Microsoft published 12 security bulletins covering 56 vulnerabilities in the new Edge browser, Internet Explorer, Windows, Office, Skype for Business, .NET Framework and some of its other software products.

9.       "The New York Times on Monday reported that Apple was served a court order by the Justice Department this summer over an investigation involving drug and gun crime, demanding it provide real time access to text messages sent between suspects using iPhones. Apple reportedly said its iMessage system was encrypted and, as a result, it couldn't comply with the order. Consequently, the company can't provide the same interception capabilities to law enforcement officials under US wiretap laws as telecoms operators can."


10.   Digital India and ‘Make in India’ are two initiatives launched by the Government of India. According to Avinash Kadam (Advisor, ISACA India), these initiatives will succeed only if industries and enterprises prosper, and industries and enterprises will prosper only if they take care of the 4 Ms of manufacturing (Man, Machine, Material and Method) and now, most importantly, cyber security.

2014 – 783 Breaches – 80 Million records.
2015 (till 8th Sep 2015) – 541 Breaches – 140 Million records.

Sunday, September 6, 2015

Issue 28 - Week of Aug 31st

1.       People tend to expose a lot of information on LinkedIn and to headhunters about their work environments, colleagues, the company's infrastructure and even internal projects. There are multiple cases where attackers have used fake LinkedIn profiles to gather sensitive information about organizations and their employees. Such reconnaissance reveals who manages a particular department in a company or who is a member of the organization's IT staff, which can be very useful in planning targeted attacks. Armed with this recon information, hackers launch the next step of their attacks with the ultimate objective of stealing data.

2.       An Anonymous group called GhostSec has launched an online battle against members of the Islamic State group. The hacktivists are targeting and attacking the online network of supporters and suspected websites of the IS, including social media accounts. So far 60,000 Twitter accounts of jihadists have been shut down, and GhostSec has also used DDoS attacks, brute-force attacks and SQL injection to halt the IS communication network. The group's mission is to eliminate the online presence of Islamic extremist groups to stymie their recruitment and limit their ability to organize international terrorist efforts.

3.       A new kind of malware targeting jailbroken iPhones and iPads is able to steal security certificates, usernames and passwords, and other private account data. The malware, dubbed KeyRaider, intercepts iTunes traffic on the device, stealing usernames, passwords, and unique device identifiers, which are then uploaded to the malware owner's server. More than 225,000 users from 18 countries are thought to be affected by the malware. The malware is also known to have locked devices, holding them for ransom, an increasingly popular method of generating potentially vast sums of money for attackers.

4.       24 Chinese Android Smartphone Models Come with Pre-Installed Malware. Chinese middlemen are suspected of adding malware to smartphones before they are shipped to customers. The middlemen not only make margins selling the device; they try to make extra bucks by using stolen user data and enforced advertising. The malware is hidden as an add-on in legitimate Android apps and cannot be uninstalled, as it is part of the firmware. The malware is of poor quality, and it can easily be targeted and misused by other attackers to launch different attacks.

5.       Fraudsters increasingly rely on legitimate administrator tools instead of malware to successfully breach systems and steal data. They first use social engineering techniques and/or spear phishing to trick legitimate users into sharing their credentials. Once they have the credentials, they use legitimate tools like RDP, FTP, PowerShell, etc. With access to the systems, they move laterally within the network to steal IP and other credentials. These types of attacks are very difficult to stop because they use legitimate tools; the only way to stop them is to know what is considered normal behavior for a user or a system admin and to raise an alert when an admin logs into a server at an unusual time or uses RDP from a different system. User education against phishing and unwarranted credential sharing is another acceptable method to stop this menace.
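As an added example (not code from the blog), here is the behavioural check the item describes, in Python: build a per-account baseline of which source hosts an administrator normally connects from and at what hours, then raise an alert on later logons that come from an unseen host or at an hour outside that baseline. The log lines and their column layout (timestamp, account, source host, tool, target server) are constructed for the example and do not follow any product's real event format.

```python
"""Baseline-and-deviation detection for administrator logons.

Added example; not code from the blog. The log lines below are constructed,
and their column layout (timestamp, account, source host, tool, target) is
an assumption for the example, not any product's real event format.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history of normal admin activity used to learn the baseline.
BASELINE_LOG = """\
2015-08-24T09:05:00 admin.jdoe jump01  RDP        srv-db01
2015-08-24T14:20:00 admin.jdoe jump01  RDP        srv-web01
2015-08-25T10:12:00 admin.jdoe jump01  RDP        srv-db01
2015-08-26T11:45:00 admin.jdoe jump02  RDP        srv-db01
2015-08-27T09:30:00 admin.jdoe jump01  PowerShell srv-web01
"""

# Constructed later events to evaluate against that baseline.
NEW_EVENTS = """\
2015-08-31T10:02:00 admin.jdoe jump01  RDP        srv-db01
2015-08-31T03:17:00 admin.jdoe jump01  RDP        srv-db01
2015-08-31T10:40:00 admin.jdoe ws-hr17 RDP        srv-db01
2015-09-01T02:55:00 admin.jdoe ws-hr17 PowerShell srv-fs01
2015-09-01T02:58:00 svc.backup ws-hr17 RDP        srv-fs01
"""


def parse_events(text: str):
    """Split whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, tool, target = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "tool": tool, "target": target})
    return events


def build_baseline(events):
    """Per account: the source hosts and hours of day seen in the history."""
    base = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for e in events:
        base[e["user"]]["hosts"].add(e["src"])
        base[e["user"]]["hours"].add(e["ts"].hour)
    return base


def hour_is_usual(hour: int, usual_hours, slack: int = 1) -> bool:
    """True if the hour is within `slack` hours of any baseline hour (wrapping at midnight)."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= slack for h in usual_hours)


def score_event(e, base, slack: int = 1):
    """Return the reasons an event deviates from its account's baseline ([] if none)."""
    profile = base.get(e["user"])
    if profile is None:
        return ["account has no admin-logon history"]
    reasons = []
    if e["src"] not in profile["hosts"]:
        reasons.append(f"new source host {e['src']}")
    if not hour_is_usual(e["ts"].hour, profile["hours"], slack):
        reasons.append(f"unusual hour {e['ts'].hour:02d}:00")
    return reasons


def detect(baseline_text: str = BASELINE_LOG, new_text: str = NEW_EVENTS):
    """Return [(timestamp, user, src, tool, target, reasons)] for deviating events."""
    base = build_baseline(parse_events(baseline_text))
    alerts = []
    for e in parse_events(new_text):
        reasons = score_event(e, base)
        if reasons:
            alerts.append((e["ts"].isoformat(), e["user"], e["src"],
                           e["tool"], e["target"], reasons))
    return alerts


if __name__ == "__main__":
    for ts, user, src, tool, target, reasons in detect():
        print(f"ALERT {ts} {user} {src} -> {target} via {tool}: {'; '.join(reasons)}")
```

A set of observed hours with a one-hour slack is the simplest possible model; in practice the baseline would be learned over weeks and keyed additionally on the target server and the tool. The svc.backup line shows why an account with no admin history deserves its own alert reason rather than silently passing the check.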

6.       Sony Pictures Entertainment sidestepped a class action suit by reaching a settlement with former employees whose information was exposed in a high-profile breach. On the cusp of a hearing to determine whether a lawsuit against Sony Pictures Entertainment should be turned into a class action suit, the company has reached a settlement with nearly 50,000 former employees after a breach exposed their personal information online. A data leak or hack can haunt a company for many months, draining its valuable time and financial resources; Sony was hacked in Nov '14.

7.       Fallout of OPM Hack: China and Russia are using leaked OPM data to target U.S. spies, especially those based in their countries. They are aggressively aggregating and cross-indexing the databases, which include security clearance applications, airline records and medical insurance forms, to identify U.S. intelligence officers and agents based on their soil. At least one clandestine network of American engineers and scientists who provide technical assistance to U.S. undercover operatives and agents overseas has been compromised as a result, according to two U.S. officials.

8.       US Feds putting teeth into requirements for corporate cybersecurity: poor corporate cybersecurity is no longer an option. Businesses in the USA that fail to protect their customers’ sensitive information will now face even greater federal penalties. A US appeals court is allowing the Federal Trade Commission to sue global hotel chain Wyndham over breaches the company experienced in 2008-2009. Insufficient security practices that led to significant losses of customer data will be considered “unfair and deceptive trade practices.”


9.       Cybersecurity poses the biggest challenge, and it is high time India took the lead on the world stage in addressing this issue, BJP MP Tarun Vijay has said. "The biggest challenge before India will not be as much of oil crisis or water or the military expansionism of the neighbors, it will be cybersecurity. No other factor is going to match this challenge of cybersecurity," he said. Other cybersecurity news to grab the Indian media's attention was that of Amitabh Bachchan’s Twitter account getting hacked. He later tweeted: "WHOA !..My Twitter handle hacked ! Sex sites planted as 'following' ! Whoever did this, try someone else, buddy, I don't need this !".