Sunday, March 27, 2016

Issue 57 - Week of Mar 21st


1.       Think twice before using USB drives: Security researchers have discovered a new data-stealing Trojan called USB Thief that can attack air-gapped (non-internet-connected) computers without leaving any trace of activity on the compromised systems. The malware resides as a plug-in/DLL and executes from the USB drive itself; it is bound to that specific drive, which makes it hard to replicate or reverse engineer. To stay safe: never use USB storage devices from untrustworthy sources, turn off AutoRun and back up your data regularly.

2.       Anti-hacker unit of Verizon hacked: Records for more than 1.5 million customers of Verizon's computer security wing appeared for sale earlier last week. This division aids large corporations when they have been the victims of a hack; ironically, the division itself has now been breached. The entire database was offered up for $100k on a cybercrime forum, or in increments of 100,000 records for $10k apiece. The company has since fixed the security vulnerability and confirmed that the attacker only obtained basic contact information and that no customer proprietary network information (CPNI) was accessed.

3.       Uber launches bug-bounty program: The new bug bounty program is designed for white-hat hackers to identify flaws in Uber's codebase; critical bugs could yield up to $10,000 in rewards, the company said. Uber's first reward program will run for 90 days, starting on May 1st. Uber says it will publicly share the "highest-quality" vulnerability discoveries if the winners who found them agree to the disclosure.

4.       Cybersecurity expert assisting with Bangladesh bank heist probe goes missing: A cybersecurity expert was reportedly abducted last week, according to his family, after commenting on an attempted $1 billion cyber-attack on Bangladesh's central bank. Before disappearing, he met the special police force appointed by the central bank. He also addressed the media, where he talked about the three user IDs used for the heist. Police are yet to comment on his disappearance. Meanwhile, the police are seeking both technical and human assistance from the FBI and have confirmed that criminals from multiple countries were involved. $100 million of the stolen funds has been traced to Sri Lanka and the Philippines.

5.       Apple v/s FBI: Last week the court suspended the proceedings of this case, at least until next month, after the FBI told the federal judge that it needs some time to test a possible method for unlocking the shooter's iPhone, for which it has hired an "outside party". Some reports have pointed to a forensic firm assisting the Justice Dept. in opening the iPhone.

6.       Stop 'rewarding' victims of online fraud with refunds: A top cop has said that banks should stop automatically reimbursing victims of online financial fraud, since it rewards their bad security habits. He believes consumers would learn to take computer security more seriously if full refunds are stopped. He suggests banks could refund only a portion of the funds lost to online fraud if the victim is running outdated software. Malware takes advantage of unpatched flaws in browsers and plugins such as Adobe Flash, Java, etc. Experts advise keeping all software updated and running anti-malware software.

7.       Phishing attacks continue to target W-2 data: Playing on fear and basic human nature in order to succeed, scammers continue to impersonate the CEO/CFO/senior people to request W-2 (Form 16 in India) data from mid- and lower-rung employees. Attackers play on the trust relationships that exist within the company and exploit the fact that most employees often cannot say 'No' to their bosses. In the first three months of 2016, 41 large and small organizations have reported such data loss; these include names like Snapchat, Seagate, Polycom, Netcracker Technology...

8.       Iranians charged with cyber-attacks on US banks, New York dam: The Justice Dept. has charged seven Iranian nationals with computer hacking offences against US banks and a dam in New York. They are said to have carried out numerous distributed denial-of-service (DDoS) attacks, disabling bank websites and preventing customers from gaining access to their online accounts. One of the attackers gained unauthorized access to the Bowman dam's industrial automation and control (SCADA) system, through which he could have remotely operated and manipulated the dam's sluice gate. The attackers face up to 10 years in prison. Iran has brushed aside the charges.

9.       Malvertising campaign strikes top websites worldwide: Hackers continue to have a free run with malvertising. Popular websites, including The New York Times, BBC, AOL, MSN, Lenovo and many others across the world, fell prey to a malicious advertising campaign which sent unwitting visitors to the Angler exploit kit, which serves TeslaCrypt ransomware. Hackers identify sites with high traffic and leverage third-party ad networks to slip in fraudulent and fake adverts. A mere visit to such a site is enough for Angler to run on the victim's machine; it is not necessary to click the ads.


10.   Badlock - another branded bug trying to make money?: Samba is a re-implementation of the SMB/CIFS networking protocol; it facilitates file and printer sharing among Linux and Windows systems as an alternative to NFS. Stefan Metzmacher, a contributor to Samba's development, last week announced a bug in Samba on a newly created website and indicated it will be patched on April 12th, coinciding with the next Patch Tuesday. InfoSec professionals across the world panned this move, as it gives a heads-up to criminals who can look for and exploit this bug before the fix ships.

Sunday, March 20, 2016

Issue 56 - Week of Mar 14th


1.       US warns against Android apps that secretly listen in on your TV habits: An Indian firm called SilverPush uses a technology called 'Audio Beacon Technology', which uses inaudible audio waves in TV ads to track TV habits and link them with the mobile user and his/her social-media activity. This technology is available as an SDK, which Android app developers embed in their apps. The US has told 12 Android app developers to declare their use of this technology, as failing to let customers know violates the FTC Act. The technology runs silently in the background whether or not the app is active.

2.       Bangladesh Bank chief throws in the towel after cyber-attack: The head of the Bangladeshi central bank has resigned following the devastating cyber-attack in which a group of hackers managed to steal at least $80 million from Bangladesh's New York-based Federal Reserve account. The criminals infected the Bangladesh Bank's computer systems with surveillance-based malware, and after watching transactions and learning how the bank operated for a few weeks, decided to strike. It was only thanks to a spelling mistake in one of the requests that bank officials became suspicious, querying the transfers and blocking the others in the list. If no one had noticed, the criminals could have gotten away with up to $1 billion.

3.       Lenovo start page pushed Angler: Another webpage (startpage[.]lenovo[.]com) joins the long list of pages/sites that have been compromised to silently redirect traffic to pages that install the infamous Angler exploit kit, which subsequently leads to delivery of TeslaCrypt ransomware. Last week it was Burrp[.]com and the week before it was www[.]missmalini[.]com.

4.       Pwn2Own 2016 - Chrome, Edge, and Safari hacked: Pwn2Own is a computer hacking contest held annually in which contestants are challenged to exploit widely used software and mobile devices with previously unknown vulnerabilities. Winners of the contest receive a cash prize and other goodies. This year too, the major browsers fell: security flaws in Google Chrome, Microsoft Edge, and Apple Safari were all successfully exploited. A total of $460,000 was awarded for 21 vulnerabilities across the three browsers as well as Windows, OS X, and Flash. Last year's total was $557,500.

5.       Apple fires back at FBI court order: In a legal brief filed last week, Apple said the US founding fathers "would be appalled" by the Department of Justice (DOJ)'s order last month that Apple help bypass the security protections built into the iPhone. The two sides will meet before a magistrate judge this Tuesday (March 22). Look for the ruling to be appealed, possibly all the way to the Supreme Court.

6.       Anonymous says it's hacking Trump: The 'hacktivist' collective Anonymous claimed to have leaked personal details of the controversial US presidential candidate Donald Trump, including his mobile phone number and Social Security Number (SSN). The group posted a video condemning Trump. In response, a Trump representative sought the arrest of the people responsible for attempting to illegally hack accounts and telephone information.

7.       Android Trojan infiltrates mobile firmware: An Android Trojan which displays unwanted ads and installs nuisance software on mobile devices has been discovered in the firmware of smartphones and in popular Android applications. The adware, dubbed Gmobi, has infected the firmware of at least 40 low-end smartphone models and is present in a number of applications provided by well-known companies. Gmobi is packaged as a tailored program in software development kits (SDKs) for Google's Android platform and is able to "remotely update the operating system, collect information, display notifications (including advertising ones), and make mobile payments."

8.       Hackers can silently install malware on non-jailbroken iOS devices: A new strain of malware designed for the iPhone and iPad poses a major risk to hundreds of millions of devices, because it can infect non-jailbroken devices without the user's knowledge. The Trojan, dubbed AceDeceiver, installs itself on iOS devices without enterprise certificates and exploits design flaws in Apple's digital rights management (DRM) protection mechanism called FairPlay. Attackers purchase an app from the App Store, then intercept and save the authorization code. They then developed a fake iTunes client which tricks iOS devices into believing the app was purchased by the victim, and thus installs potentially malicious apps without the user's knowledge.

9.       3 reasons why tax refund fraud thrives: A popular scam, in which criminals file fake income-tax returns to collect fraudulent refunds, is on the rise in 2016 as well. It largely thrives because (1) almost all tax returns are now filed online, (2) there is widespread leakage of personal information, and (3) there is a low risk of getting caught or being prosecuted for the crime. Storage firm Seagate Technologies and social media firm Snapchat are among the companies that recently announced that their employees had inadvertently given fraudsters the W-2 (Form 16) information of their workers.

10.   Flipkart CEO Binny Bansal's email 'spoofed', attempt to steal $80,000: The email account of Binny Bansal, CEO of e-commerce giant Flipkart, has reportedly been 'spoofed' and an attempt made to steal $80,000 using his email address. The incident took place two weeks back, when a seemingly official mail, sent from a typosquatted lookalike address, appeared to come from Bansal and asked the company's CFO Sanjay Baweja to transfer $80,000. The crime-in-progress was stopped after Baweja, noting the oddity of the request, checked with Bansal in person. Flipkart said an official complaint has been lodged with the police. Police sources said that the spoof mails originated from Hong Kong and Canada using a server in Russia.



Sunday, March 13, 2016

Issue 55 - Week of Mar 7th

1.       Phishermen target sensitive data - again: This follows the lines of the recent Snapchat attack, in which a scammer impersonating their CEO tricked the payroll department into emailing the attacker the payroll information of current and former Snapchat employees. Last week, it was reported that Alaskan telecom GCI was tricked into handing over employee W-2 forms by a phisher posing as the company's CFO, while a Seagate employee was also fooled into sending thousands of employee W-2s by email to a phisher posing as the company CEO. The W-2 (Form 16 in India) contains virtually all of the data one would need to fraudulently file someone's taxes and request a large refund in their name. Last year, hackers stole this data directly from the IRS website. A data security solution can help prevent such accidental data leaks.

2.       Cancer clinic warns 2.2 million patients of data breach: Cyber-attackers accessed a key database of the clinic in early October. They were able to access and steal data including patients' names, Social Security numbers, physicians' names, diagnosis and treatment information, as well as insurance records. The FBI had requested that the announcement and patient notification be delayed until last week while it investigated. There is a growing trend of core services being struck by cyber-attacks. Recently, a hospital in Germany was held to ransom by cyber-attackers but did not pay up, while an LA hospital that went through a similar attack paid $17k.

3.       ISIS data breach: A defector has allegedly leaked what appears to be a USB drive's worth of ISIS's secret data, including the personal information of 22,000 ISIS fighters. The leaked ISIS information could be an unexpected gift for security agencies and prosecutors trying to track ISIS members and prevent more recruits from joining. The names of three Paris attackers were found in the list.

4.       Restaurant recommendation site 'Burrp' serves EKs, TeslaCrypt: Researchers spotted the Indian restaurant recommendation site "Burrp" redirecting visitors to a website that was serving the Angler exploit kit (EK), which ultimately led to the delivery of TeslaCrypt ransomware. To begin with, the Burrp website was compromised and malicious code was injected into its JavaScript, which redirects users. Last week another popular website, www[.]missmalini[.]com, was compromised. Hackers routinely monitor sites with high traffic and whenever they spot an opportunity, they launch their attacks.

5.       Obama on Apple v/s FBI: The president, answering a question on this subject, said that one can't take an absolutist view. He spoke at length on encryption and his position favored the American government's current position in this case. He favored strong encryption with secure keys, accessible to a small set of people for a subset of important issues. He repeatedly reassured the audience that the agencies are pretty scrupulous and trustworthy. Meanwhile, responding to the Justice Dept.'s arguments, Apple slammed them as a "cheap shot" and will next appear in court in California on March 22, a day after an expected product announcement.

6.       Spelling mistake saves $1 billion: Attackers successfully breached Bangladesh Bank's systems and stole its credentials for payment transfers; they then "bombarded the Federal Reserve Bank of New York with nearly three dozen requests to move money" (total value $1B) from the Bangladesh Bank's account there to entities in the Philippines and Sri Lanka. The first four transfers, totaling about $81 million, went through, but for the fifth transfer the hackers misspelled "foundation" in the NGO's name as "fandation," prompting a routing bank, Deutsche Bank, to seek clarification from the Bangladesh central bank, which stopped the transactions.

7.       Automakers in the hot seat for vehicle cybersecurity: Most new cars today are equipped with internet connectivity and third-party apps running on board, making them vulnerable to hackers. Recently, researchers demonstrated hacks on the Nissan Leaf and the Chrysler Jeep. Car owners hold car makers responsible for security, though many components of this system are not owned by the car makers, such as infotainment, connectivity, the OS and apps. General Motors now has a bug bounty program underway as well as a product security officer position. Someday in the near future, we will have endpoint agents running in our cars the way they run on our laptops.

8.       First fully functional Mac ransomware: The first fully functional ransomware for Mac OS X has been discovered in the wild, but was contained before it did damage. The new ransomware is called 'KeRanger' and it bypasses Apple's Gatekeeper (the tool that prevents unsigned code from running on Mac operating systems) by piggy-backing on an infected version of Transmission, an open-source BitTorrent client, which is signed with a valid Mac application developer's certificate. Apple responded quickly to the announcement, revoking the abused certificate and updating XProtect signatures.

9.       Researchers can unlock some Android phones with inkjet-printed fingerprints: Researchers demonstrated a method in which they first took a high-resolution image of the victim's fingerprint, then printed it on a special kind of glossy paper. The printed fingerprint could fool the Android device into believing it was a real finger. Way back in 2013, Apple's TouchID was hacked, and more recently hackers showed ways to harvest fingerprint data from Android phones.

10.   The Bounty Hunter: A 22-year-old employee of an e-commerce company in Bangalore earned ₹13 million ($200K) just by reporting bugs to Facebook, Twitter and a host of other US-based companies. He recently found a simple vulnerability in Facebook that could have been used to hack into any user's account to get access to credit or debit card details, personal pictures, and messages without any user interaction. For this, he was awarded $15K (₹1 million). A bug bounty is a highly recommended strategy to find new bugs, especially for high-traffic websites.





Sunday, March 6, 2016

Issue 54 - Week of Feb 29th


1.       Snapchat apologizes to its employees: On its blog Snapchat says it is "impossibly sorry" after being duped by a cyber-attacker who impersonated the CEO and was able to elicit employee payroll information from the firm. The phishing email wasn't recognized and payroll information about some current and former employees was disclosed externally. No internal systems were breached, and no user information was accessed. Snapchat did all the right things after the attack: it owned the mistake, reported it to the authorities, contacted the affected employees, offered them two years of free identity-theft insurance and monitoring, and is planning to redouble its training programs around privacy and security in the coming weeks.
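The CEO/CFO impersonation pattern behind the Snapchat and GCI/Seagate W-2 phishes above, and the typosquatted Flipkart mail in issue 56, is something a mail gateway can score for before the message reaches payroll. The following is an added example, not code from the newsletter or from any product it mentions; the company domain, executive list and the three sample messages are constructed for illustration, and the check assumes that SPF/DKIM for the genuine domain have already been verified upstream.

```python
"""Score an inbound message for business-email-compromise (BEC) indicators.

Added example. Checks: homoglyph/typosquat lookalikes of the organisation's
domain, an executive's display name on an external address, a Reply-To that
differs from From, and urgent requests for payroll/W-2/wire-transfer data.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation values (constructed, not from the newsletter).
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"binny bansal", "sanjay baweja"}  # names from the Flipkart item; domain is made up

# Single characters attackers swap for visually similar ones, and multi-character swaps.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
MULTI_CHAR = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalize(domain: str) -> str:
    """Fold look-alike substitutions so 'examp1e-c0rp.com' compares equal to the real domain."""
    d = domain.lower().strip().translate(HOMOGLYPHS)
    for src, dst in MULTI_CHAR:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance from the real domain signals a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Crude registrable-domain extraction: keep the last two labels (no public-suffix list here)."""
    parts = domain.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain


def classify(raw: str) -> list:
    """Return the list of BEC indicators found in one RFC 822 message; an empty list means none."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    if domain != COMPANY_DOMAIN:  # internal mail is assumed to be authenticated upstream
        norm = normalize(registrable(domain))
        if norm == normalize(COMPANY_DOMAIN):
            reasons.append(f"homoglyph lookalike of {COMPANY_DOMAIN}: {domain}")
        elif levenshtein(norm, normalize(COMPANY_DOMAIN)) <= 2:
            reasons.append(f"typosquat within 2 edits of {COMPANY_DOMAIN}: {domain}")
        if name.strip().lower() in EXECUTIVES:
            reasons.append(f"executive display name '{name}' on external address {addr}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append(f"Reply-To ({reply_to}) differs from From ({addr})")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if re.search(r"\b(w-?2|wire transfer|payroll)\b", text) and \
            re.search(r"\b(urgent|asap|immediately|today)\b", text):
        reasons.append("urgent request for payroll/W-2/wire-transfer data")
    return reasons


# Constructed sample messages modelled on the incidents in the newsletter.
SAMPLE_MESSAGES = {
    "lookalike": """From: Binny Bansal <binny.bansal@examp1e-corp.com>
To: cfo@example-corp.com
Subject: Urgent wire transfer

Sanjay, I need you to process a wire transfer of $80,000 today. Will explain later.
""",
    "legit": """From: Binny Bansal <binny.bansal@example-corp.com>
To: cfo@example-corp.com
Subject: Lunch?

Free at 1pm?
""",
    "payroll_bait": """From: Binny Bansal <ceo.office@webmail-example.net>
Reply-To: ceo.office@webmail-example.net
To: payroll@example-corp.com
Subject: W-2 forms needed ASAP

Please send the W-2 forms for all employees as PDF.
""",
}

if __name__ == "__main__":
    for label, raw in SAMPLE_MESSAGES.items():
        print(label, "->", classify(raw) or "clean")
```

The legitimate internal mail scores nothing, the homoglyph domain trips three indicators, and the freemail "CEO" asking for W-2s trips two. In production the domain comparison would use a public-suffix list rather than the last two labels, and the score would feed a quarantine or a banner rather than a hard block, since the Flipkart case shows the decisive control was the CFO confirming in person.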

2.       Sea pirates hack shipping company to figure out which cargo to steal: With very little knowledge and effort, pirates were able to cause some serious damage to a shipping firm whose basic security protection was not in place. Using very basic hacking techniques, the pirates uploaded a malicious shell script to the shipping firm's Content Management System (CMS), which ran the custom platform for managing stock and cargo data. Through this they could download the cargo reports, which helped them to board the right vessel, locate by bar code the specific crates containing valuables, steal the contents of those crates and then depart the vessel without further incident. It is becoming more and more critical for companies in every industry, whether shipping, health or technology, to ramp up their cybersecurity efforts.

3.       Hack the Pentagon and get paid: The US Defense Department is inviting vetted white-hat hackers to hunt for vulnerabilities in its public web pages under a pilot bug bounty program. Bug bounties are gradually gaining acceptance in the corporate world; it is surprising but welcome for a defense entity to run such a program.

4.       ABCD - AnyBody Can DDoS: If you do not like a website and want it to be down for a few hours, days or weeks, just rent a 'booter' service from Russian hackers for as low as $13-$60 a day. These hackers have infected computers under their control, which they use to mount 400Gbps attacks towards the target to keep it offline. Another player who goes by the name 'Forceful' also advertises and offers a free five- to ten-minute DDoS test. The BBC was a recent victim of DDoS.

5.       University of California Berkeley hacked: The University of California, Berkeley, has admitted to a second data breach which may have exposed the data of 80,000 people to misuse. Current and former students, faculty members and vendors linked to the university are among those who have been warned about the incident, which took place through financial management software that contained a security flaw, allowing an attacker, or group, to access internal services. UC Berkeley was last hit by a cyber-attack in December 2014.

6.       Malvertisers remain one step ahead: Malvertising is the use of ad networks to serve unwitting visitors malware and exploit kits, including Angler and Neutrino. Many legitimate websites rely on advertising to generate revenue, and unfortunately, malware may slip through the net. To avoid detection and monitoring by security researchers and honeypots, malvertisers are using a technique called fingerprinting, through which they deliver payloads only to victims that look like real users. Using web security solutions and applying regular updates can keep malvertisers at bay.

7.       Amazon is going against the grain: Amazon has removed device encryption from its tablets and phones, a day after the company filed a brief supporting Apple in its fight against the FBI over encryption. In a statement Amazon said it removed device encryption from Fire OS 5 because the company "found customers weren't using it." In other words, Amazon will continue to encrypt your data in transit, but it won't scramble the contents of its customers' Fire tablets or phones. That means thieves and law enforcement will have an easier time grabbing user data from these devices without much effort. The timing is striking, given the tense moments the industry is going through with the Apple and FBI faceoff.

8.       RSA conference 2016 - Lessons learned from real-world CISOs: The annual RSA conference was held last week in San Francisco; the theme this year was 'Connect to Protect'. Some of the lessons learned from experts and CISOs are: (i) organizations are particularly interested in being able to safely adopt new technology, things like IoT and cloud; (ii) don't care what comes in, worry about what leaves the network; (iii) reduce complexity and protect the sensitive data regardless of where it is located.

9.       RSA conference 2016 - 7 attack trends making security pros sweat: A look at the most dangerous threats and what to expect for the rest of 2016: (i) weaponization of Windows PowerShell; (ii) Stagefright-like mobile vulnerabilities; (iii) developer environment vulnerabilities like XcodeGhost; (iv) ICS (industrial control system) attacks; (v) targeting of insecure third-party software components; (vi) the Internet of (Evil) Things; (vii) changing malware economics pushing ransomware.

10.   And the Oscar goes to...: It was Oscars season last week and hackers compromised India's leading "Bollywood news & celebrity gossip website", www.missmalini[.]com. The website had been injected with JavaScript that automatically and silently redirects visitors to a malicious website in the background. Depending on the browser and the user's IP address, the website silently launches the Angler Exploit Kit. Angler scans for and exploits existing vulnerabilities (e.g. in Adobe Flash) to drop and execute TeslaCrypt on the system. Angler EK shows no signs of relenting and is still very prevalent. Hackers are aware of world events and continue to compromise websites of current popularity. The use of crypto-ransomware also continues to persist, providing criminals with quick and easy financial gain.