1. TalkTalk hack hits up to 4 million in unencrypted data theft: UK ISP TalkTalk says customers' credit-card and banking details may have been accessed by attackers after a "sustained cyber-attack" on its website last week. This is its second major breach in the past year, and the British broadband provider has admitted, without giving much detail, that it may not have adequately protected customers' financial data. Among the details it says may have been "accessed" are customers' names, addresses, dates of birth, email addresses, telephone numbers, account information, and credit-card and bank-account details. TalkTalk customers were also targeted by fraudsters earlier this year, following a breach of its internal security procedures linked to its use of a third-party call centre.
2. WikiLeaks posts data from CIA director's email account: Last week, hackers gained access to the CIA Director's personal AOL email account using social engineering. One of them posed as a Verizon employee, phoned Verizon and tricked a worker into handing over personal information about the Director, then used that information to reset the account password. The attackers were able to read sensitive government documents stored as attachments in the personal account because the spy chief had forwarded them there from his work email. In 2012 another CIA director had to step down after mishandling classified information, allegedly by storing it in a Gmail drafts folder; he avoided jail by pleading guilty but was fined $100,000.
3. Government seeks to outlaw car hacking: A House committee will consider automotive safety reforms that, among other proposed changes, would make it illegal to hack vehicles, with penalties of up to $100K. A group of researchers argues that hackers make cars safer and should therefore not be banned from tinkering. Car hacking is not just about remotely disabling a vehicle's functions; the same access can be used for surveillance as well as sabotage. As discussed in the issue of 27th July, Chrysler recalled 1.4M vehicles for a bug fix following a demonstrated hack, and the researchers released a video of their demo.
4. Just how many websites are vulnerable because of SHA-1: Some certificate authorities are still issuing digital certificates signed with the SHA-1 hash algorithm, despite recent research showing that the cost of undermining it is within criminals' budgets. Browser makers Google, Microsoft and Mozilla have announced plans to stop accepting SHA-1 SSL/TLS certificates by 2017, but researchers have called for that deadline to be brought forward after estimating that a SHA-1 collision is much cheaper to compute than initially thought, and well within reach of cybercriminal budgets. Renting Amazon servers for approximately $75K USD is estimated to be enough to produce a SHA-1 collision. Note that SHA-1 is a hash function, not an encryption algorithm: the danger is that an attacker who can craft two inputs with the same SHA-1 digest could have a CA sign a benign certificate whose signature also validates a forged one, which is why SHA-1-signed certificates still in use need to be found and replaced before the deadline.
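Finding the SHA-1-signed certificates in an estate means reading the signatureAlgorithm field of each certificate. The following is an added example, not code from the newsletter or from any browser or CA: a minimal DER walker, standard library only, that extracts the outer Certificate.signatureAlgorithm OID and flags the SHA-1 variants. The certificate it runs on is a constructed stub with a placeholder body, so only the signature-algorithm field is meaningful; the helper for PEM input uses ssl.PEM_cert_to_DER_cert from the standard library.

```python
"""Added example (not from the newsletter): flag certificates whose signature
algorithm is SHA-1 based by reading the signatureAlgorithm OID from DER.
Standard library only; the certificate built below is a constructed stub."""
import ssl

# Signature algorithm OIDs that rely on SHA-1 (RFC 3279), plus one for contrast.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
SHA256_RSA_OID = "1.2.840.113549.1.1.11"   # sha256WithRSAEncryption


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Turn OID content bytes into dotted notation (first byte packs two arcs)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der):
    """Return the dotted OID of Certificate.signatureAlgorithm, i.e. the outer
    field a verifier checks the signatureValue against."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)               # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)           # AlgorithmIdentifier SEQUENCE
    oid_tag, oid_body, _ = _read_tlv(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return _decode_oid(oid_body)


def is_sha1_signed(cert_der):
    return signature_algorithm(cert_der) in SHA1_SIGNATURE_OIDS


def is_sha1_signed_pem(pem_text):
    """Same check for PEM input, e.g. the string ssl.get_server_certificate() returns."""
    return is_sha1_signed(ssl.PEM_cert_to_DER_cert(pem_text))


# --- constructed stub certificate so the demo runs offline --------------------
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _der(0x06, bytes(out))


def build_stub_cert(sig_oid):
    """Constructed Certificate with a placeholder tbsCertificate and signature;
    only signatureAlgorithm is meaningful. Not a real, verifiable certificate."""
    tbs = _der(0x30, _der(0x02, b"\x01"))               # stand-in body
    alg = _der(0x30, _oid(sig_oid) + _der(0x05, b""))   # OID + NULL parameters
    sig = _der(0x03, b"\x00" * 9)                       # BIT STRING placeholder
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in list(SHA1_SIGNATURE_OIDS) + [SHA256_RSA_OID]:
        print(oid, "SHA-1 signed" if is_sha1_signed(build_stub_cert(oid)) else "ok")
```

Two caveats when using this on a real chain: RFC 5280 requires the inner tbsCertificate.signature field to match the outer signatureAlgorithm, so a mismatch is itself a malformed certificate; and a root CA's self-signature is not verified by browsers, so only SHA-1 on leaf and intermediate certificates needs replacing.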
5. Thousands of e-commerce Magento websites struck with Guruincsite malware: Websites running the Magento content management system are being infected with malware in a fresh campaign that has hit thousands of domains in a matter of days. The attack injects malicious scripts through iframes pointing at guruincsite.com, which in turn sends visitors to the Neutrino exploit kit. Google has already blacklisted almost 8,000 infected websites; removing the malicious scripts and resubmitting the cleaned site to Google for review should lift the blacklisting, but unless the entry point used to inject the scripts is also closed, the site will simply be reinfected. Magento, tailored for e-commerce, is used by over 200,000 companies worldwide.
6. Computer clocks can be easily scrambled, undermining encryption and bitcoin trades: Researchers from Boston University say they have found several flaws in NTP that could undermine encrypted communications (a client whose clock is shifted far enough will accept expired certificates or reject valid ones) and even jam up bitcoin transactions. One of the problems they found is that an attacker can make an organisation's servers stop checking the time altogether. NTP has a rate-limiting mechanism, the "Kiss-o'-Death" (KoD) packet, which tells a client to stop querying a server repeatedly when the server is in trouble; the packet carries a poll interval, and a client that honours it may stop querying for days or even years, according to a summary of the research. The big issue is that an attacker can spoof a KoD packet so that it appears to come from a server experiencing trouble when the server is actually fine. The usual mitigation is for the client to accept a KoD only when its origin timestamp matches a request the client actually sent, and to cap how far a KoD can push out the poll interval.
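The exchange described above, as an added example that is not code from the newsletter or from the Boston University paper: a toy NTP client in Python, standard library only, that builds its own request, and then accepts a Kiss-o'-Death reply only if the reply's origin timestamp echoes the random transmit timestamp of that request, capping the poll back-off at an assumed maxpoll of 2^10 seconds. The spoofed, genuine and replayed packets are constructed in memory; nothing is sent on the network.

```python
"""Added example (not from the newsletter or the research paper): an NTP client
that honours a Kiss-o'-Death packet only when its origin timestamp matches a
request the client really sent, and caps the poll back-off. Packets are built
in memory; nothing is transmitted."""
import os
import struct
import time

# LI/VN/mode, stratum, poll, precision, root delay, root dispersion, refid,
# then reference/origin/receive/transmit timestamps: 48 bytes in total.
NTP_FORMAT = "!BBbbII4sQQQQ"
NTP_LEN = struct.calcsize(NTP_FORMAT)
NTP_UNIX_OFFSET = 2208988800        # seconds from the 1900 NTP epoch to 1970
MAX_POLL_EXP = 10                   # assumed cap: 2**10 = 1024 s, a common maxpoll


def fresh_transmit_timestamp():
    """64-bit NTP timestamp whose fraction bits are random, so it acts as a nonce."""
    secs = int(time.time()) + NTP_UNIX_OFFSET
    frac = int.from_bytes(os.urandom(4), "big")
    return ((secs & 0xFFFFFFFF) << 32) | frac


def build_client_request(transmit_ts):
    # 0x23 = LI 0, version 4, mode 3 (client)
    return struct.pack(NTP_FORMAT, 0x23, 0, 6, -20, 0, 0, b"\0\0\0\0", 0, 0, 0, transmit_ts)


def build_server_reply(origin_ts):
    """Ordinary mode-4 reply that echoes the client's transmit timestamp as origin."""
    now = fresh_transmit_timestamp()
    return struct.pack(NTP_FORMAT, 0x24, 1, 6, -20, 0, 0, b"GPS\0", now, origin_ts, now, now)


def build_kod(origin_ts, poll_exp, code=b"RATE"):
    """Kiss-o'-Death: 0xE4 = LI 3 (unsynchronised), version 4, mode 4; stratum 0
    with the kiss code in the reference-id field; poll is an exponent of two."""
    return struct.pack(NTP_FORMAT, 0xE4, 0, poll_exp, -20, 0, 0, code, 0, origin_ts, 0, 0)


def parse_packet(packet):
    f = struct.unpack(NTP_FORMAT, packet[:NTP_LEN])
    return {"li": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
            "stratum": f[1], "poll": f[2], "refid": f[6],
            "origin": f[8], "transmit": f[10]}


class NtpClient:
    def __init__(self, poll_exp=6):
        self.poll_exp = poll_exp        # next query in 2**poll_exp seconds
        self.pending = None             # transmit timestamp of the outstanding request

    def send_request(self):
        self.pending = fresh_transmit_timestamp()
        return build_client_request(self.pending)

    def handle_response(self, packet):
        p = parse_packet(packet)
        if p["mode"] != 4:
            return "dropped: not a server reply"
        # The check a spoofer cannot pass: an unsolicited packet does not know
        # the random transmit timestamp of our outstanding request.
        if self.pending is None or p["origin"] != self.pending:
            return "dropped: origin timestamp does not match our request"
        self.pending = None             # consumed; a replay is now rejected too
        if p["stratum"] == 0:           # Kiss-o'-Death
            if p["refid"] == b"RATE":
                # back off as asked, but never beyond our own maxpoll
                self.poll_exp = max(self.poll_exp, min(p["poll"], MAX_POLL_EXP))
                return "kod: poll interval now %d s" % (1 << self.poll_exp)
            return "kod: %s" % p["refid"].decode("ascii", "replace")
        return "accepted"


def demo_exchange():
    """Spoofed KoD (origin guessed as 0), genuine KoD, replayed KoD, normal reply."""
    client = NtpClient()
    client.send_request()
    nonce = client.pending
    outcomes = [
        client.handle_response(build_kod(0, 17)),       # attacker asks for 2**17 s ~ 36 h
        client.handle_response(build_kod(nonce, 17)),   # origin matches: honoured, capped
        client.handle_response(build_kod(nonce, 17)),   # request already answered
    ]
    client.send_request()
    outcomes.append(client.handle_response(build_server_reply(client.pending)))
    return outcomes, client.poll_exp


if __name__ == "__main__":
    for line in demo_exchange()[0]:
        print(line)
```

The poll field is a signed 8-bit exponent, so a single unchecked KoD could request 2^127 seconds of silence, which is where the "days or years" in the summary comes from; the cap on MAX_POLL_EXP is what keeps even a genuine KoD from taking the client offline indefinitely.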
7. "I am stranded without any money, so I was wondering if I could get a quick loan of $1,850 from you, or any amount you can afford if not all," read the mail from the hacked account. Hackers appear to have adopted a new modus operandi to make people transfer money to their accounts. Recently, somebody believed to be in Ukraine hacked the Yahoo mail account of a journalist and created a similar-looking address on Microsoft's Outlook web mail service. The hacker used the contacts from the hacked Yahoo account to send mails to the victim's friends and relatives from the newly created address, asking for money. The mail typically claims that the sender is stuck in a foreign country, that his debit and credit cards are not working, and that he is in dire need of money. Because the hacker sent from a different account, the original user did not know about the mails sent in his name.
8. Unbelievably simple scam cost ONGC ₹197 Crore: Another classic case of typo-squatting. 'patel_dv@ongc.co.in' is a genuine ONGC address. The fraudsters used a look-alike domain to create the fake address 'patel_dv@ognc.co.in'; note the two transposed letters. ONGC was engaged in a business transaction with the Saudi Arabia-based oil company Aramco. Using the fake address, the fraudsters corresponded with Aramco and instructed it to make payment to a Bangkok bank instead of the usual State Bank of India account. A case has been registered with the cybercrime police station.
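A mail gateway can catch the ognc/ongc trick mechanically. The block below is an added example, not code from the newsletter or from ONGC or Aramco: it folds common look-alike characters, then flags any sender domain within one edit (insertion, deletion, substitution or adjacent transposition) of a trusted partner domain. The trusted-domain list, including aramco.com, is constructed for the demo.

```python
"""Added example (not from the newsletter): flag sender domains that are a
one-edit look-alike of a trusted partner domain, as in ongc.co.in vs
ognc.co.in. The trusted-domain list is constructed for this demo."""

TRUSTED_DOMAINS = {"ongc.co.in", "aramco.com"}      # constructed; aramco.com assumed

# Characters routinely swapped for visually similar ones; folded before comparing.
CONFUSABLES = {"0": "o", "1": "l", "5": "s", "rn": "m", "vv": "w", "cl": "d"}


def fold_confusables(s):
    for bad, good in CONFUSABLES.items():
        s = s.replace(bad, good)
    return s


def osa_distance(a, b):
    """Optimal string alignment distance: insertion, deletion, substitution and
    adjacent transposition each cost 1, so 'ognc' -> 'ongc' is 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def sender_domain(address):
    """Domain part of 'user@domain' or 'Name <user@domain>', lower-cased."""
    return address.rsplit("@", 1)[-1].strip().rstrip(">").lower()


def lookalike_of(address, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return the trusted domain this sender imitates, or None if it is either
    the genuine domain or nothing like any trusted one."""
    domain = sender_domain(address)
    if domain in trusted:
        return None
    folded = fold_confusables(domain)
    for t in sorted(trusted):
        if osa_distance(folded, fold_confusables(t)) <= max_distance:
            return t
    return None


def screen_senders(senders, trusted=TRUSTED_DOMAINS):
    """Return [(sender, impersonated_domain)] for every sender worth holding."""
    flagged = []
    for sender in senders:
        hit = lookalike_of(sender, trusted)
        if hit:
            flagged.append((sender, hit))
    return flagged


if __name__ == "__main__":
    # constructed sample senders
    sample = ["patel_dv@ongc.co.in", "patel_dv@ognc.co.in",
              "Accounts <ap@0ngc.co.in>", "someone@example.org"]
    for sender, hit in screen_senders(sample):
        print("HOLD:", sender, "looks like", hit)
```

The distance check only compares whole domains, so it is a filter, not a control: a change of beneficiary bank account, which is what the fraud actually needed, should always be confirmed over a channel that the email thread did not supply, such as a phone number already on file.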
9. Cybersecurity skills gap continues to grow: Last week the Government's Digital India initiative appointed an ethical hacker as its new brand ambassador. This in a way acknowledges hacking as an acceptable activity, a legitimate career option and an honest way to earn one's livelihood. A closer look at the colleges and institutes that offer ethical hacking courses shows that ethical hacking in India is making large strides, but there is still some distance to cover. Worldwide market indicators show a need for as many as 4.25 million security professionals by 2017, with a potential 47% shortage of qualified personnel.
10. State-sponsored attack? Facebook will now tell you 'You've been hacked': Facebook has started to notify users when it suspects they have been targeted by government-sponsored hackers rather than by run-of-the-mill cybercriminals. Facebook will not reveal how it decides that a state-sponsored attacker is targeting a particular user, although there are numerous known malware families suspected of having been created by government-backed hackers, such as Stuxnet (thought to have been built by the US), Duqu, DarkSeoul (supposedly from North Korea), China's ShadyRAT and Russia's The Dukes.