1. Daily Motion served Angler exploit kit to visitors, over
128 million users placed at risk: Popular
streaming website Daily Motion has become the latest victim of malicious
advertisements (Malvertising) and has delivered malware payloads to potentially
millions of visitors. The hacker bought ad space on the Daily Motion website
and placed a decoy ad that initiates a series of redirections and ultimately
loads the Angler exploit kit. The bogus advertiser used a combination of SSL
encryption, IP blacklisting and JavaScript obfuscation. In addition, Angler
Exploit Kit also fingerprints potential victims before launching its exploits
to ensure the user is not a security researcher, honeypot or web crawler. This
case is a reminder that any legitimate website can become an attack vector, as
Yahoo did in the past.
2. Business E-Mail Compromise (BEC) - An Emerging Global
Threat: The accountant for a U.S.
company recently received an e-mail from her CEO, who was on vacation,
requesting a transfer of funds on a time-sensitive acquisition that
required quick completion. It was not unusual for the accountant to
receive such emails from the CEO, so she went ahead and made the transfer of
$737,000 to a bank in China. The next day, when the CEO happened to call, he
was shocked to learn about the transfer and alleged acquisition. Earlier this
year the FBI reported that such scams cost victims more than $750 million and
impacted more than 7,000 people between Oct 2013 and Aug 2015, and these
scams are still ongoing.
3. Content Theft Websites Delivering More Than Just Content: In the dark reaches of the Internet are thousands of
sites that offer users stolen entertainment content for free. This content is
used as bait to lure users, with malware delivery being the objective. The
malware may or may not require user interaction. The malware need not rely on
high-end zero-day exploits; it could use known exploits against unpatched systems.
Such sites are paid by malware advertising agencies at the rate of about 10-20
cents per malware install. No free meals indeed!
4. Spy Banker Trojan Being Hosted On Google Cloud: The Trojan is spreading through Brazil via malicious
links posted on social networks. The hackers are using Google Cloud Servers to
host the initial Spy Banker Downloader Trojan, which in turn installs the
payload (Dropper file). The lures used in social media range from coupon
vouchers to free AV software applications. The Trojan has some stealthy
capabilities: while it is designed to steal banking passwords, one of the first
things it does is check a machine for the presence of a virtual environment.
5. Hello Barbie toy security issues disclosed and fixed
quickly: With the
recent VTech breach exposing millions of parents and children to risk,
there is increased sensitivity and awareness around the security of Internet-connected
toys this holiday season. Last week, researchers revealed flaws in the Hello
Barbie connected toy manufactured by ToyTalk. The good news, though, is that
the issues were responsibly disclosed and ToyTalk acted quickly to remediate
them. ToyTalk now also has a bug-bounty program. Hello Barbie is an interactive
device that makes use of WiFi to listen and respond to a child's voice.
6. .Cyber and .Criminal are Coming for Your .Money and
.Computer: We are all accustomed to the
old Internet of .com, .co.in, .edu, .gov, .net, .org, and .info. With the
implementation of expanded new generic top level domains (gTLD) by ICANN, we
will now need to get accustomed to many new URLs ending in .club, .xyz, .guru,
etc. This will only increase in frequency, because as of November 2015, the
number of new gTLDs available is over 800. A quick look at the newly approved and
delegated TLDs provided by ICANN reveals both big brands used by everyday
consumers, like .Tatamotors and .bmw, and common words (including .car, .wine,
.mom, .family). Attackers are often early adopters of new opportunities and
will rapidly colonize new avenues of attack, including new domains.
7. Microsoft warns of possible attacks after Xbox
certificate leaked: The private keys for
xboxlive.com were "inadvertently disclosed," Microsoft said, and
could be used to impersonate the Xbox Live website and carry out so-called
"man-in-the-middle" attacks, which allow the attacker to intercept
the website's secure connection. This could trick Xbox users into handing over
their username and password, potentially leading to further attacks on the
user. The company has revoked trust in the certificate, which more often than
not is an automatic process for all supported versions of Windows, and users do
not have to take any action.
8. Cyber Insurance Moves Toward “Must Have” and “Evidence
Based”: 2015 was a tough year for
breaches and the trend for 2016 looks to be no better. Against this backdrop is
the gradual realization within corporations that the value of their company’s
data is a large part of corporate assets, and a huge potential cost during a
cyber-event. Indeed, for some information-centric companies, a data breach can
be the largest single risk for business continuity, especially when considering
the potential of downstream liability from loss of PII. Such losses comprise
not only data related to customers, but also data related to employees. Over time,
cyber insurance will drive improvements in company security posture to better
handle threats.
9. FBI Tweaks Stance On Encryption BackDoors, Admits To
Using 0-Day Exploits: It seems the
Bureau has backed off the idea of a "government
backdoor" per se, as long as technology companies themselves can still
access customers' data (and thus surrender it to law enforcement when legally
subpoenaed). The FBI also admitted to using 0-day exploits for public safety. In
India, the government's draft encryption policy, unveiled in September, was booed
off stage because it sought to weaken standards rather than boost them. It had
heavy-handed specifications on encryption algorithms, mandatory registration of
encryption products, and the retention of unencrypted user information for 90
days. Now, as the government reworks its stand on encryption, it can include
global opinion, learn from others' mistakes and keep in mind that undermining
security standards just leaves everyone vulnerable.
10. 49% of CIOs feel budget hampers Information Security operations: 49% of CIOs feel a budget constraint is the main
obstacle challenging Information Security operations, followed by
lack of skilled labor, says EY's Global Information Security Survey
2015, titled 'Creating trust in the digital world'. 65% of the respondents from
more than 200 Indian organizations believe their information security structure
does not fully meet the organization's needs.