Sunday, December 27, 2015

Issue 44 - Week of Dec 21st


1.       What a year in security 2015 was: The biggest security stories of 2015 include - major cyberespionage groups being uncovered, the most embarrassing data breach in history, an unbelievable Android flaw, and incredibly stupid decisions from two major PC makers. The top 10 are:
a.       Ashley Madison: Hackers were able to breach and steal sensitive data of many users of the infidelity service.
b.      VTech: Suffered a major data breach losing data records of millions of children and their parents.
c.       OPM Hack: Office Of Personnel Management lost millions of sensitive data records of federal employees.
d.      Hacking Team: The surveillance vendor had 400GB of internal data leaked, exposing sensitive company information and the previously undisclosed (zero-day) vulnerabilities the company had been using in its products.
e.      Super fishy security: Dell and Lenovo both shipped PCs with a self-signed root certificate whose private key was present on every machine, so anyone holding that key could impersonate any HTTPS site to those users. Lenovo's preinstalled Superfish adware did it first, in February; Dell's eDellRoot certificate followed in November.
f.        Encrypt everything, but leave the back door open: Governments want backdoors into encryption, but any backdoor is a weakness that attackers can also find and use. The industry vs. government debate continues.
g.       Android gets Stagefright: A flaw in Android's media library meant a crafted MMS could compromise a phone, in some cases before the user even opened the message.
h.      Flash crash: When a run of Flash zero-days became public, Mozilla temporarily blocked Flash by default in Firefox, Facebook's security chief called for a Flash end-of-life date, Amazon dropped it for ads, and YouTube had already switched its default to HTML5 video. Even if Adobe doesn't kill Flash, the web will.
i.         LastPass Breach: Browser-based password manager LastPass dealt with a major breach. LastPass asked all of its users to reset their master passwords.
j.        Tor hacking: It is believed that FBI paid Carnegie Mellon researchers at least $1 million to hack users on the Tor network in order to reveal their true identities.

2.      2015 Ransomware Wrap-Up:
a.       Pacman: The most narrowly targeted ransomware of the year, Pacman went only after Danish chiropractors; the malware was also very difficult to remove.
b.      Tox: The first ransomware-as-a-service offering. The toolkit was free, but the site hosting it took a 20 percent cut of the ransoms.
c.       Chimera: Also ransomware-as-a-service, taking a 50 percent cut and trying to recruit its victims as new ransomware operators.
d.      CryptoWall 2.0: Routed its command-and-control traffic over Tor and could execute 64-bit code from its 32-bit dropper.
e.      CryptoWall 3.0: Spread mostly through exploit kits and is estimated to have extorted $325 million.
f.        CryptoWall 4.0: Delivered by the Nuclear and Angler exploit kits; harvests passwords before encrypting files.

3.      Good guys hacking - 8 Coolest Hacks Of 2015:
a.       Chrysler Jeep hack: Researchers remotely took control of a Jeep Cherokee on a highway, cutting its transmission; Chrysler recalled 1.4 million vehicles to fix the bug.
b.      Non-smart cars hackable too: Researchers inserted rogue devices into two police vehicles, letting them reprogram the cars' electronics and attack them from mobile devices.
c.       Gun hack: In August a husband-and-wife team demonstrated how they could hack a long-range, precision-guided rifle.
d.      Car wash hack: The web interface of a popular car wash system uses weak passwords, letting an attacker hijack its functions to cause physical damage or score a free wash.
e.      Gas gauge hack: Tank-monitoring systems at US gas stations are reachable online with no password protection, leaving them open to attacks that disrupt fuel tank operations.
f.        Globalstar hack: A researcher was able to intercept Globalstar satellite data because it is not encrypted; Globalstar, however, disputed the findings.
g.       GM OnStar hack: A device called OwnStar makes it possible to track, remotely unlock and start the engine of GM vehicles running the OnStar connected-car system.
h.      Other cool stuff: DEF CON this year launched its first IoT Hacking Village, where everything from Apple network storage, toys, blood pressure monitors and Fitbits to fridges fell to white-hat hackers.

4.       87 percent of employees take data they created with them when they leave the company: According to a recent survey, most employees believe they own their work and take strategy documents or intellectual property with them as they head out the door. The biggest driver is a sense of ownership: 59 percent felt the data was theirs, while 77 percent thought the information would be useful in their new job. The common ways of taking it were a USB flash or external drive, personal email accounts, hard copies and Dropbox. None of the respondents believed their actions would harm the company. Security teams have some control over data when an employee is being laid off, but when employees leave voluntarily there is hardly any control. To a large extent this can be prevented with technology that monitors user behavior, such as behavioral analytics and data-exfiltration monitoring, combined with regular security awareness programs.

5.       Oracle settles with the FTC over 'deceptive' Java security promises: Oracle has owned Java since acquiring Sun in 2010 and has been aware of its security issues. It promised customers that updates would keep their systems safe, but in reality an update removed only the most recent prior version of the software, leaving older versions installed and still vulnerable to attack. Oracle will now be required to notify consumers during the Java SE update process if they have outdated versions on their computer, explain the risk of keeping the older software, and give them the option to uninstall it. In addition, the company must provide broad notice to consumers via social media and its website on how to remove older versions.

6.       Online broadcaster Livestream suffers possible database breach: Live video streaming platform Livestream has discovered that an unauthorized person may have accessed its customer accounts database. The database holds users' names, email addresses, an encrypted version of their passwords, phone numbers and dates of birth. Livestream has warned users to change their passwords.

7.       Millions of Hello Kitty fans' data exposed by database hack: A database of Hello Kitty fan-site accounts has reportedly been found online after servers were hit last month. As many as 3.3 million records are said to be in it. It is not immediately clear where the database was leaked to, or whether it can be verified as authentic. The Hello Kitty brand has major sway in East Asian countries, particularly Japan where it was created, and its parent company Sanrio generates more than $7 billion in revenue from the brand alone.

8.       Yellow Alert Sounded For Juniper Vulns, Feds Called In: The infosec alert level for the Juniper backdoors was bumped to yellow last week after two critical ScreenOS vulnerabilities rocked the infosec world: unauthorized code that grants remote administrative access over SSH or telnet with a hardcoded password, and a separate flaw that allows VPN traffic to be decrypted. As the industry scrambles to patch these gaping holes, news continues to trickle in that FBI officials are investigating potential nation-state involvement in inserting the authentication backdoor, whose password is now public and which affects tens of thousands of Internet-facing devices. This fiasco is a major blow to the government's backdoor rhetoric and a shining example of why backdoors are bad: a backdoor built for one party is available to whoever finds it.
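The authentication backdoor above is, at bottom, a second comparison hidden in the login path. The following is an added Python example, not Juniper's code and not the ScreenOS password, contrasting that pattern with a login routine that has exactly one way to succeed. The master-password string, user names and passwords are constructed placeholders.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Placeholder standing in for a vendor-planted master password. It is NOT the
# ScreenOS string; the shape (an odd literal sitting in the auth path) is the point.
HIDDEN_MASTER = "<<< placeholder master password >>>"
PBKDF2_ITERATIONS = 100_000

CredentialStore = Dict[str, Tuple[bytes, bytes]]   # username -> (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 of a password; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def make_store(users: Dict[str, str]) -> CredentialStore:
    """Build a credential store from {username: plaintext} (constructed test data only)."""
    return {name: hash_password(pw) for name, pw in users.items()}


def login_backdoored(username: str, password: str, store: CredentialStore) -> bool:
    """Vulnerable pattern: a second, undocumented way to succeed that ignores the username."""
    if password == HIDDEN_MASTER:          # the backdoor branch
        return True
    entry = store.get(username)
    if entry is None:
        return False
    salt, digest = entry
    return hash_password(password, salt)[1] == digest   # also not constant-time


def login_hardened(username: str, password: str, store: CredentialStore) -> bool:
    """Hardened: one path to success, compared in constant time against stored data only."""
    entry = store.get(username)
    if entry is None:
        hash_password(password, b"\x00" * 16)   # burn the same time for unknown users
        return False
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


if __name__ == "__main__":
    store = make_store({"netadmin": "correct horse battery staple"})
    print(login_backdoored("nobody", HIDDEN_MASTER, store))   # True: the backdoor works
    print(login_hardened("nobody", HIDDEN_MASTER, store))     # False
    print(login_hardened("netadmin", "correct horse battery staple", store))  # True
```

The point of `login_hardened` is structural: no constant in the binary can substitute for a stored credential, and `hmac.compare_digest` keeps the comparison constant-time. When auditing a code base or firmware image for this class of problem, look for string literals compared against user-supplied secrets and for any alternative branch in an authentication function that returns success without consulting the credential store.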

9.       Yahoo now warns users if they're targets of state-sponsored hackers: The web giant is the latest firm, after Google, Facebook and Twitter, to warn users of state-sponsored attacks. To keep the attackers from learning about its detection methods, Yahoo will not publicly share any details of these attacks.

10.   After UP, Maharashtra leads India in cybercrime: In India, rising cases of hacking, cyber-bullying, IP spoofing and credit card fraud keep security teams on their toes. As per a recent report, 3,049 people were arrested for cybercrime during 2010-2014, and Mumbai, the financial capital, has seen a 295 percent increase in cybercrime. Credit card fraud tops the list, with criminals using rigged ATMs, skimming devices at POS terminals, phone and email fraud, and duplicate websites. The good news is that banks are getting smarter: they are issuing EMV (chip-and-PIN) cards and looking at contactless cards using NFC and RFID, which avoid the magnetic-stripe swipe that skimmers target.



Sunday, December 20, 2015

Issue 43 - Week of Dec 14th

1.       J.P. Morgan, Bank of America, Citibank And Wells Fargo Spending $1.5 Billion To Battle Cyber Crime: There is a showdown under way between a global network of cyber criminals and the world's largest corporations, governments and cybersecurity companies. Insurance companies estimate the annual cost of cyber-attacks at more than $500 billion. The BFSI (banking, financial services and insurance) sector has been the prime target of cyber criminals over the last five years, followed by IT/telecom, defense, and oil and gas. JPMC expects its cybersecurity spending to be around $500 million in 2016, while Bank of America will spend $400 million, Citibank $300 million and Wells Fargo $250 million, roughly $1.5 billion between the four. The U.S. financial services cybersecurity market is $9.5 billion, making it the largest non-government cybersecurity market in the world; worldwide, the financial services security market is estimated at $16 billion.

2.       Chinese hacker steals $170,000 by hacking airline website and offering ticket booking: A 19-year-old man in Dalian, China has been arrested after he was caught hacking into an airline's website, stealing booking information from 1.6 million ticket orders and ripping off hundreds of travelers. Using that information he made hundreds of fraudulent transactions and pocketed $170,000. It took the airline three weeks to notice the breach. A police officer said the attack exploited a loophole in the airline's computer system and was not highly sophisticated.

3.       Xbox Live downed after threats; hacker group takes responsibility: Hackers from the Phantom Squad are said to have launched a distributed denial-of-service (DDoS) attack against the Microsoft gaming network. In a tweet, the group said Xbox maker Microsoft and rival Sony-owned gaming network PSN don't "bother working on security" despite their "millions of dollars." Last year the infamous Lizard Squad launched a series of attacks against Xbox Live and Sony's PSN that were so ferocious and long-lasting that gamers over the Christmas holidays were unable to log in for hours or even days at a time, drawing ire from the international gaming community.

4.       The Ghosts of Technologies Past will Come Back to Haunt Us: Just as it takes continual effort to keep the Golden Gate Bridge in its famous hue or the Taj Mahal gleaming, maintaining the broader IT infrastructure is an ongoing task that requires continual vigilance and effort. Unlike a bridge or monument, however, IT infrastructure keeps growing in depth and criticality, requiring ever more resources just to maintain the status quo. In essence, with every passing day IT managers have to work harder just to stay in the same place, and that is a problem. As our infrastructure ages, the challenges posed by connected technology that has become obsolete will grow; for example, once-robust hash algorithms such as MD5 and SHA-1 are now vulnerable to collision attacks and should no longer be relied on for signatures or certificates.

5.       Over 650 terabytes of data up for grabs due to publicly exposed MongoDB databases: There are at least 35,000 publicly accessible and insecure MongoDB databases on the Internet, and their number appears to be growing. Combined they expose 684.8 terabytes of data to potential theft, according to a scan performed over the past few days. Millions of user accounts from various apps and services, including 13 million users of the controversial OS X optimization program MacKeeper, stand exposed. Most of these instances are simply mongod listening on every interface with no authentication configured: older MongoDB releases bound to all interfaces by default and shipped with access control turned off, so a default install reachable through the firewall was readable by anyone.
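As an added illustration (not from the scan above or from MongoDB's own tooling), the Python below flattens the two settings in a mongod.conf that decide whether an instance lands in that 35,000 and flags the exposed combination. Both config fragments are constructed, and `parse_mongod_conf` handles only the plain two-level layout, not arbitrary YAML.

```python
from typing import Dict, List

# Constructed mongod.conf fragments; neither is from a real deployment.
WEAK_MONGOD_CONF = """\
# listens on every interface and never asks for credentials
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_MONGOD_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

ALL_INTERFACES = ("0.0.0.0", "::")


def parse_mongod_conf(text: str) -> Dict[str, str]:
    """Flatten mongod.conf's 'section:' / '  key: value' layout into {'net.bindIp': ...}.
    Deliberately minimal: handles the two-level form only, not arbitrary YAML."""
    settings: Dict[str, str] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # strip comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if indent == 0:
            section = key
            if value:
                settings[key] = value
        else:
            settings[f"{section}.{key}"] = value
    return settings


def audit_mongod_conf(text: str) -> List[str]:
    """Return findings; an empty list means neither exposure condition is present."""
    cfg = parse_mongod_conf(text)
    findings: List[str] = []

    # Releases before 3.6 listened on all interfaces when bindIp was absent.
    bind_ips = [ip.strip() for ip in cfg.get("net.bindIp", "0.0.0.0").split(",")]
    bind_all = cfg.get("net.bindIpAll", "false").lower() == "true"
    if bind_all or any(ip in ALL_INTERFACES for ip in bind_ips):
        findings.append("net.bindIp: mongod listens on all interfaces")

    # Access control is off unless security.authorization is explicitly enabled.
    if cfg.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization: not enabled, any client gets full access")

    if len(findings) == 2:
        findings.append("EXPOSED: reachable from any network with no credentials required")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_MONGOD_CONF), ("hardened", HARDENED_MONGOD_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```

Binding to localhost and enabling authorization are the two settings the audit checks; a host firewall rule on 27017 is the third layer, and none of the three substitutes for the others.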

6.       Torrent websites infect 12 million users a month with malware: If you visit torrent search websites to pirate software, the risk is not only legal but also malware. Almost a third of the 800 main torrent search websites online today regularly serve their visitors malware, most of it through malvertising. Malware is also found in the torrented content itself: in one example, a pirated copy of the game Fallout 4 infected a gamer and led to the theft of bitcoin savings worth approximately $2,000. Exploits, Remote Access Trojans (RATs), adware, ransomware and botnet clients were all discovered, any of which can lead to the theft of sensitive data or surveillance of the system.

7.       Russian hacking group sharpens its skills: The APT28 group targets political figures, telecom and aerospace companies, and has developed new ways of attacking, according to researchers. Its primary targets are in countries such as Ukraine, Spain, Russia, Romania, the US and Canada. It relies on three main infection vectors: spear-phishing emails with crafted Word and Excel attachments, phishing websites hosted on typosquatted domains, and malicious iframes leading to Java and Flash zero-day exploits. The group also keeps using exploits for newly disclosed vulnerabilities well after patches are available, relying on the fact that not everyone installs security updates as soon as they are published.

8.       Data Theft Prevention (DTP) Crosses the Chasm: Chances are, data about you was leaked or stolen in 2015. The variety of industries targeted by attackers in 2015 is unprecedented: 177 million data records were stolen in 750 reported breaches. Because data has value to criminals, they spread their attacks far more widely than ever before, from retail pharmacies and the broader healthcare and insurance industries, to university systems and financial services companies, and even to prominent security companies. Data is money to attackers, and in 2015 they made a lot of money from stolen data. The assumption "we are already compromised" is beginning to pervade the profession, and the prediction is that DTP adoption will increase dramatically in mainstream companies.

9.       NASSCOM task force considering corporate cyberattack disclosure: The technology industry in India is working on a comprehensive cybersecurity plan, which includes asking companies to share information about online breaches and the methods used to deal with them, to help the larger community make better decisions about investing resources in defending against cyber-attacks. Most corporates do not want to disclose that they have been hacked, but at least a disclosure of the actions companies have taken to protect themselves, in terms of staffing, funding and action, will help stop similar issues recurring elsewhere. A similar decision was taken in 2012 but never saw the light of day. Last week NASSCOM also discussed the need for India to become self-reliant in cybersecurity technologies and to have more trained cybersecurity professionals in the country.

10.   Comcast customers targeted in sophisticated malvertising scheme: Comcast ISP customers need to watch out for a new malvertising campaign designed to install ransomware on their machines or hook them with fake tech support. The ad in question is for a review site called SatTvPro[.]com (now down), which appeared on Comcast Xfinity's search page and quietly loads the Nuclear exploit kit. Daily Motion, Daily Mail and Yahoo are other recent victims of the same tactic. Some Comcast customers would also see a phishing page designed to look like the Xfinity portal, warning that their system may have been breached. The message reads: "Comcast's security plugin has detected some suspicious activity from your IP address. Some Spyware may have caused a security breach at your network location. Call Toll Free 1-866-319-7176 for technical assistance." If visitors call the number, the scammers try to persuade them to hand over their account details.

Sunday, December 13, 2015

Issue 42 - Week of Dec 7th

1.       Daily Motion served Angler exploit kit to visitors, over 128 million users placed at risk: Popular streaming website Daily Motion has become the latest victim of malicious advertising (malvertising) and has delivered malware payloads to potentially millions of visitors. The attackers bought ad space on the Daily Motion website and placed a decoy ad that initiates a series of redirections and ultimately loads the Angler exploit kit. The bogus advertiser used a combination of SSL encryption, IP blacklisting and JavaScript obfuscation to evade detection, and Angler itself fingerprints potential victims before launching its exploits to make sure the visitor is not a security researcher, honeypot or web crawler. This case is a reminder that any legitimate website can become an attack vector, as Yahoo did in the past.

2.       Business E-Mail Compromise (BEC): An Emerging Global Threat: The accountant for a U.S. company recently received an e-mail from her CEO, who was on vacation, requesting a transfer of funds for a time-sensitive acquisition that had to be completed quickly. It was not unusual for the accountant to receive such emails from the CEO, so she went ahead and transferred $737,000 to a bank in China. The next day, when the CEO happened to call, he was shocked to learn about the transfer and the supposed acquisition. Earlier this year the FBI reported that such scams cost victims more than $750 million and hit more than 7,000 people between October 2013 and August 2015, and they are still ongoing.
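The BEC lure above and the typosquatted phishing domains in the APT28 item of Issue 43 share the same tells: a sender domain one character off the real one, a Reply-To that quietly diverts the conversation, an executive's name on an outside address, and pressure language. The Python below is an added example, not from the FBI report or any vendor; the company domain, both messages and the indicator thresholds are constructed assumptions.

```python
import email
import re
from email.message import Message
from email.utils import parseaddr
from typing import List

# Assumed victim domain; the two messages below are constructed, not from any incident.
COMPANY_DOMAIN = "example-corp.com"

SAMPLE_BEC_EMAIL = """\
From: "Jane Doe, CEO" <jane.doe@example-c0rp.com>
Reply-To: jane.doe@mail-exarnple.net
To: accounts@example-corp.com
Subject: Urgent wire - confidential acquisition
Date: Tue, 08 Dec 2015 09:12:00 +0000

Please wire USD 737,000 today to the account below. I am travelling, do not call.
"""

SAMPLE_BENIGN_EMAIL = """\
From: "Bob" <bob@example-corp.com>
To: accounts@example-corp.com
Subject: lunch

See you at noon.
"""

EXEC_TITLE = re.compile(r"\b(ceo|cfo|coo|president|chief)\b", re.IGNORECASE)
PRESSURE_PHRASES = ("urgent", "wire", "confidential", "time-sensitive", "do not call")
LOOKALIKE_MAX_DISTANCE = 2   # assumed threshold for "one or two characters off"


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (used to spot look-alike domains)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Lower-cased domain part of a From/Reply-To header value ('' if absent)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(
        p.get_payload(decode=True).decode("utf-8", "replace")
        for p in parts if p.get_content_type() == "text/plain"
    )


def bec_indicators(raw_message: str, company_domain: str = COMPANY_DOMAIN) -> List[str]:
    """Return the BEC tells found in a raw RFC 5322 message (empty list = none)."""
    msg = email.message_from_string(raw_message)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", "")) or from_domain
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    hits: List[str] = []

    if from_domain != company_domain:
        distance = levenshtein(from_domain, company_domain)
        if distance <= LOOKALIKE_MAX_DISTANCE:
            hits.append(f"look-alike sender domain {from_domain} "
                        f"(edit distance {distance} from {company_domain})")
        if EXEC_TITLE.search(display_name):
            hits.append(f"executive title in display name but sender is outside {company_domain}")
    if reply_domain != from_domain:
        hits.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    found = [p for p in PRESSURE_PHRASES if p in text]
    if found:
        hits.append("pressure language: " + ", ".join(found))
    return hits


if __name__ == "__main__":
    for line in bec_indicators(SAMPLE_BEC_EMAIL):
        print("-", line)
    print("benign:", bec_indicators(SAMPLE_BENIGN_EMAIL))
```

A message that spoofs the exact company domain will not trip the look-alike check; that case has to be caught at the gateway with SPF/DKIM/DMARC (or by reading the Authentication-Results header), which this example deliberately leaves out. The durable control against BEC remains procedural: out-of-band confirmation of any wire request, regardless of who appears to have sent it.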

3.       Content Theft Websites Delivering More Than Just Content: In the dark reaches of the Internet are thousands of sites that offer users stolen entertainment content for free. The content is bait; delivering malware is the objective. The malware may or may not require user interaction, and it need not be high-end zero-day exploitation: known exploits against unpatched systems do the job. Such sites are paid by malware advertising networks at a rate of about 10-20 cents per install. No free meals indeed!

4.       Spy Banker Trojan Being Hosted On Google Cloud: The Trojan is spreading through Brazil via malicious links posted on social networks. The attackers are using Google Cloud servers to host the initial Spy Banker downloader, which in turn fetches and installs the banking Trojan payload. The lures used on social media range from coupon vouchers to free antivirus software. The Trojan has some stealth capabilities: although it is designed to steal banking passwords, one of the first things it does is check whether the machine is a virtual environment, so that it can avoid running under analysis.

5.       Hello Barbie toy security issues disclosed and fixed quickly: With the recent VTech breach exposing millions of parents and children to risk, there is increased sensitivity and awareness around the security of Internet-connected toys this holiday season. Last week researchers revealed flaws in the Hello Barbie connected toy, whose voice service is built by ToyTalk. The good news is that the issues were responsibly disclosed and ToyTalk acted quickly to remediate them; ToyTalk now also runs a bug-bounty program. Hello Barbie is an interactive doll that uses WiFi to listen and respond to a child's voice.

6.       .Cyber and .Criminal are Coming for Your .Money and .Computer: We are all accustomed to the old Internet of .com, .co.in, .edu, .gov, .net, .org and .info. With ICANN's rollout of new generic top-level domains (gTLDs), we now need to get used to URLs ending in .club, .xyz, .guru and so on, and the list keeps growing: as of November 2015 more than 800 new gTLDs are available. A quick look at ICANN's list of approved and delegated TLDs reveals both big brands (.Tatamotors, .bmw) and common words (.car, .wine, .mom, .family). Attackers are often early adopters of new opportunities and will rapidly colonize new avenues of attack, including registering look-alike names under these new domains.

7.       Microsoft warns of possible attacks after Xbox certificate leaked: The private key for an SSL/TLS certificate for xboxlive.com was "inadvertently disclosed," Microsoft said. It could be used to impersonate the Xbox Live website and carry out man-in-the-middle attacks, intercepting the site's secure connections and tricking Xbox users into handing over their username and password, potentially leading to further attacks on the user. Microsoft has revoked trust in the certificate; on supported versions of Windows the updated certificate trust list is in most cases delivered automatically, so users do not have to take any action.

8.       Cyber Insurance Moves Toward "Must Have" and "Evidence Based": 2015 was a tough year for breaches and the trend for 2016 looks no better. Against this backdrop is the gradual realization within corporations that the value of their data is a large part of corporate assets, and a huge potential cost during a cyber-event. Indeed, for some information-centric companies a data breach can be the single largest risk to business continuity, especially considering the potential downstream liability from loss of PII, which covers employees' data as well as customers'. Over time, cyber insurance will drive improvements in company security posture, as insurers demand evidence of controls before they price a policy.

9.       FBI Tweaks Stance On Encryption Backdoors, Admits To Using 0-Day Exploits: The Bureau seems to have backed off the idea of a "government backdoor" per se, as long as technology companies themselves can still access customers' data (and thus surrender it to law enforcement when legally compelled). The FBI also admitted to using 0-day exploits in the name of public safety. In India, the government's draft encryption policy, unveiled in September, was booed off stage because it sought to weaken standards rather than strengthen them: it had heavy-handed specifications on encryption algorithms, mandatory registration of encryption products, and retention of unencrypted user data for 90 days. Now, as the government reworks its stand on encryption, it can take global opinion into account, learn from others' mistakes, and keep in mind that undermining security standards just leaves everyone vulnerable.


10.   49% of CIOs feel budget hampers Information Security operations: 49% of CIOs say budget constraints are the main obstacle to their information security operations, followed by a lack of skilled staff, according to EY's Global Information Security Survey 2015, 'Creating trust in the digital world'. 65% of responses from more than 200 Indian organizations say their information security structure does not fully meet the organization's needs.

 

Sunday, December 6, 2015

Issue 41 - Week of Nov 30th

1.       Chennai Rains: Attackers frequently see large events as an opportunity to launch cyber-attacks on a curious population, using the event as a lure. People turn to social media for information and have to wade through rumors, and attackers exploit that. In the past, criminals have used major crises to spread malware, as they did after the Boston Marathon bombing in 2013. The Chennai rains offer a ripe opportunity, so take care before opening any email or clicking any URL about them. The US elections are another such event that attackers may exploit!

2.       VTech hack: Hong Kong-based children's toy company VTech announced last week that it had been hacked: 6.4 million children's accounts and 4.9 million parent accounts were accessed. The hack exposed general profile information including name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history. The company confirmed on its website that no credit card or personal identification data was lost. The intrusion occurred on 14th Nov 2015; the company discovered it 10 days later, on 24th Nov, after being contacted by a journalist, and informed customers on 27th Nov.

3.       Hacker leaks customer data after UAE bank fails to pay ransom: A hacker who broke into a large bank in the United Arab Emirates made good on his threat to release customer data after the bank refused to pay a bitcoin ransom worth about $3 million. The hacker, who calls himself Hacker Buba, breached the network of a bank in Sharjah last month and began releasing customer account and transaction records via Twitter. Although Twitter closed the account, the hacker opened a new one and released the account statements.

4.       Gambling darling Paysafe confirms 7.8 million customers hit in hacks: The newly-branded Paysafe Group confirmed in a London Stock Exchange announcement that information on 3.6 million Neteller accounts and 4.2 million Skrill users was leaked. Paysafe Group describes itself as a British online payments company, with Neteller and Skrill as its subsidiaries. The Neteller attack exploited a vulnerability in the Joomla content management system, whilst in the Skrill breach a VPN designed to provide secure access to the firm's network was compromised and a transaction database accessed.

5.       New Windows ransomware steals passwords before encrypting files: Several badly secured websites are being used to redirect visitors to sites hosting the notorious Angler exploit kit. A mere visit to such a site runs the exploit kit without the user's knowledge, and the kit then delivers the payload (CryptoWall 4) to the system. Before CryptoWall encrypts the machine, it systematically harvests every usable username and password from the infected system and sends them to servers controlled by the attackers. This gives them working logins for websites, e-commerce sites and even corporate applications, from which they can steal further data. We discussed CryptoWall 4 last week.

6.       JD Wetherspoon loses data of over 650,000 customers in cyber-attack: In an email to customers sent last week, the food and drink chain said its website had been hacked between 15th and 17th June this year, resulting in the potential loss of customer data including names, dates of birth, email addresses and phone numbers, as well as a small number of credit card records. It is commendable that the company went public with the news quickly after it was told about the breach on 1st December.

7.       Pickpocketing the Mobile Wallet: Mobile wallets and new payment technologies will introduce additional opportunities for credit card theft and fraud. Attacks targeting mobile devices and new payment methods will affect payment security more than EMV (chip-and-PIN cards) does. The increase in non-traditional payment methods on mobile devices, via beacons (which let retailers detect a mobile app user's presence in the store) and smart carts will open the door to a new wave of retail data breaches.

8.       Anonymous leaks Paris climate summit officials' private data: Hackers have leaked the login details of 1,415 officials at the UN climate talks in Paris in an apparent protest against arrests of activists in the city. They hacked the website of the summit organizers, the UN Framework Convention on Climate Change (UNFCCC), and posted names, phone numbers, usernames, email addresses, and secret questions and answers to an anonymous publishing site. The damage is likely to be limited and can be mitigated by changing the passwords on any other accounts of the officials that use the same or similar passwords, and by treating the exposed secret answers as burned wherever they are reused.

9.       Over 50,000 cyber security incidents reported in India this fiscal: As many as 54,483 cyber security incidents such as phishing, spam and malicious code have been reported in the current financial year, Parliament was informed last week by the Communications and IT Minister. These incidents were reported to the Indian Computer Emergency Response Team (CERT-In) by various Indian organizations, individuals and agencies from other countries.


10.   Chimera Ransomware tries to turn malware victims into cybercriminals: Chimera ransomware holds victims' files hostage, then tries to recruit the victims into the criminal team. Compared with other ransom messages, Chimera's is brief, straightforward and polite: it says 'please' twice and invites victims with the message 'Take advantage of our affiliate program!'. The operators are building a ransomware-as-a-service (RaaS) business and offer a 50% commission for spreading and infecting other victims. The malware first appeared in September with a unique tactic: threatening to publish the victim's files online if payment is not received. In Issue 38 we discussed a similar model from CryptoLocker.