Sunday, June 26, 2016

Issue 70 - Week of June 20th


1. Insider breach at T-Mobile Czech Republic: An employee of T-Mobile Czech Republic stole more than 1.5 million customer records in order to sell them for a profit. The investigation has been handed over to the Czech Police's unit for combating organized crime. The company said the breach was not due to any single failure of a system or procedure; instead, the data was stolen by a member of a "small team" that "worked with customer data", who was caught while attempting to sell the database. T-Mobile said it would inform its customers of any further developments in the investigation.

2. Uber hacked for free Uber rides: A security researcher has discovered a critical vulnerability in the Uber app that could allow an attacker to brute-force promo code values and obtain valid codes worth up to $25,000, good for more than one free ride. The "promo code brute-force" vulnerability lies in Uber's sign-up invitation link, which lets any user invite another to join the service and receive one or more free rides depending on the promotion code's value. Uber has yet to patch this flaw.

3. Air India frequent flier miles hacked: Unidentified individuals broke into at least 20 accounts in Air India's loyalty program to steal nearly $24,000 worth of frequent flier miles. The intruders created 20 email IDs to hijack the reward points earned by Air India passengers. Because a number of the phony tickets were bought using invalid IDs and were signed with the same signature, Delhi Police suspect the involvement of an insider familiar with security loopholes. The airline has suspended the fraudulent IDs and deactivated accounts holding identical user names and passwords.

4. Twitter ex-CEO got hacked: The same group of teenage hackers that hacked Facebook CEO Mark Zuckerberg's Twitter and Pinterest accounts has hacked another high-profile person. The hacker group from Saudi Arabia, dubbed OurMine, compromised the Twitter account of a former Twitter CEO on Sunday and managed to post three tweets on his timeline. The account itself was not directly hacked; instead, a third-party service that cross-posted to his Twitter account was compromised, and the attackers used this old service to post. The hackers claim their objective is simply to teach people better security.

5. Hacker breaks into Canadian political party's VC system: A critical flaw in the video conferencing software of the Quebec Liberal Party (PLQ) allowed a user to spy on and listen to the party's strategy discussions at its premises and even access the live video camera feeds. Asked how difficult the hack was, the hacker told media that it was as easy as using a commonly used password: often the default code that never gets changed. Both the party and the hacker have confirmed that the password has been changed and the security flaw fixed.

6. DDoS attacks on central banks of Indonesia and South Korea: Public websites of the central banks of both Indonesia and South Korea have been hit by cyber-attacks. Hacktivist group Anonymous had pledged last month to launch a 30-day campaign against central bank sites in what it dubbed Operation Icarus. No money was lost in the attacks, but central banks have been on high alert ever since the Bangladesh central bank lost $81 million in fraudulent money transfers in February.

7. India - 68% of Nifty 50 companies are vulnerable to cyber-attacks: Of the 50 companies in the Nifty Index, 34 (or 68%) have identified vulnerabilities in at least one of their Internet-facing properties. The PwC survey of transgressions in Indian cyberspace against these companies further found that 525 email addresses belonging to the 34 companies were compromised, meaning hackers had access to those email accounts.

8. 'Bug Poachers': A new breed of cybercriminal: Bug poachers are people who breach a company's network to steal data, but they do not sell this data on the dark web. They use it to extort their victims, telling the company it must pay to get information on how it was breached. The bug poachers argue that they are doing companies a service. A bug bounty program can go a long way toward attracting the right kind of probing into a company network.

9. Majority of SMBs would not pay ransomware attackers: A survey of US small and mid-sized business owners on ransomware attacks found that 84% would not pay cybercriminals even if it meant losing data. Only 3% would be willing to pay $10,000 or more, while 10% were okay with paying between $1 and $100. Businesses need a comprehensive cyber security strategy that includes prevention, monitoring and damage control. According to the FBI, 2,453 ransomware complaints were received in 2015, costing victims $25 million.

10. Be careful the next time you get an invitation to connect on LinkedIn: Hackers posing as recruiters request to connect, and many of us accept such requests with little hesitation. Once connected, the hackers gain access to you, your contact details, and the rest of your network. They use this to set up lures, spear-phishing, malware drops, and other nefarious activities. More often than not, hackers use this connection to compromise our machines (to steal data or deliver ransomware) or to launch attacks on other people in our LinkedIn network. In Issue 28 we discussed how people tend to expose a lot of information on LinkedIn and to headhunters.

Photo reveals even Zuckerberg tapes his Webcam and Microphone for Privacy

Sunday, June 19, 2016

Issue 69 - Week of June 13th


1. GitHub accounts hacked: Popular code repository site GitHub is warning that a number of user accounts have been compromised by unknown hackers reusing email addresses and passwords obtained from other recent data breaches. The cause is the recent widespread "mega breaches" of LinkedIn, MySpace, Tumblr, and the dating site Fling, which have dumped more than 642 million passwords over the past month. Last issue we discussed a similar 'password reuse attack', in which Mark Zuckerberg's Twitter and Pinterest accounts were hacked.

2. Acer online store hacked, a year's worth of credit cards stolen: Acer has informed the authorities that its online store was attacked by hackers. Acer admitted that an unauthorized outside party had taken a year's worth of full credit card data, names and addresses between mid-May 2015 and late April this year. The company said it has not yet found any evidence that passwords or logins were affected, but did not outright rule it out. Similar news: Canadian media giant VerticalScope admitted it had been hacked, leaking close to 45 million users' details, including email addresses and passwords.

3. 51 million accounts leaked from iMesh file sharing service: A defunct peer-to-peer file sharing service called iMesh has been hacked, and its data has been leaked by the same Russian hacker who was behind the massive breaches of some of the most popular social media sites, including LinkedIn, MySpace, Tumblr, and VK.com. It is estimated that the breach took place in Sep '13. This can potentially result in many more 'password reuse attacks'; it is high time users changed their online passwords and used different passwords for different accounts.

4. Russian hackers breach Democrats to steal data on Trump: Russian hackers have compromised the networks of the Democratic National Committee (DNC), particularly targeting "opposition research" information on GOP candidate Donald Trump. The intruders so thoroughly compromised the DNC's systems that they were also able to read all email and chat traffic. Hillary Clinton was also targeted in the attack.

5. Insider threat - US charges Chinese ex-IBM employee with espionage: US federal authorities have expanded the charges against a former IBM Corp. software developer in China for allegedly stealing valuable source code from his former employer in the US. The Chinese national was arrested by the FBI in December last year, when he was charged with a single count of theft of a trade secret. He has now been charged with six counts, including three counts of economic espionage and three counts of theft of a trade secret. If convicted, he could face up to 75 years in prison.

6. Android ransomware now targets your Smart TV: After targeting hospitals, universities, and businesses, ransomware has started popping up on Smart TV screens. A new version of the Frantic Locker (better known as FLocker) ransomware now has the ability to infect and lock down Smart TVs until the ransom is paid. After infection, the C&C server delivers the payload and an HTML file with a JavaScript (JS) interface enabled. This HTML page can initiate malware installation, take photos of the affected user through the JS interface, and display the photos taken on the ransom page.

7. For $6, buy access to a hacked government server: Experts have exposed an underground trading platform that sells access to compromised servers of governments, businesses and universities at prices starting as low as $6. The inventory on offer: 70,000 servers from 173 countries. The platform also sells add-ons such as software designed to launch denial-of-service and spam campaigns against networks, break into online or retail payment systems, and illegally mine Bitcoin.

8. Ponemon report on data breaches: The average cost of a breach has jumped past $4 million per incident, a 29% increase since 2013 and a 5% increase since last year. The study found that the average dwell time for breaches stands at 201 days, with organizations requiring another 70 days to contain a breach once it has been identified. The cost per record lost is $158 for unprepared organizations and $16 for prepared ones. A Ponemon study in Sep '15 confirmed that 3 out of 4 organizations are not 'resilient' to cyber-attacks.

9. North Korean hackers steal thousands of military files from S. Korea: Hackers aligned with North Korea have long been accused of attacking South Korean organizations, financial institutions, banks and media outlets. Recent reports indicate that North Korean hackers have broken into more than 140,000 computers at at least 160 South Korean government agencies and companies, and allegedly planted malware on the systems.

10. Indian defense forces on alert after Chinese cyber-attack: A cyber-attack on government and commercial organizations in India by the Chinese military has raised alarm bells. An alert has been issued to the Indian Army, Navy and Air Force that a Chinese Advanced Persistent Threat (APT) group called Suckfly is targeting Indian organizations, with India's defense establishment as its prime target. Sensitive information is being exfiltrated and used to undermine national security and economic capabilities. India keeps a tight vigil on Pakistani hackers as well.

Sunday, June 12, 2016

Issue 68 - Week of June 6th


1. University pays $20K to ransomware attackers: The Canadian University of Calgary paid a ransom of $20,000 to decrypt its computer systems' files and regain access to its own email system after being hit by a ransomware infection. The university fell victim last month, when the malware installed itself on computers, encrypted all documents and demanded $20,000 in Bitcoin to recover the data. In Issue 52 we discussed "Hospital pays hackers $17,000 in Bitcoins".

2. 32 million Twitter passwords available for sale: Login credentials of more than 32 million Twitter users are now being sold on a dark web marketplace for 10 Bitcoins (over $5,800). The database includes usernames, email addresses, sometimes second email addresses, and plain-text passwords for all 32 million Twitter accounts. High-profile victims include Mark Zuckerberg and Twitter co-founder Evan Williams. '123456', '123456789' and 'qwerty' are the top 3 most frequently used passwords. Twitter says it was not hacked; experts believe password-harvesting malware could have stolen the data and passwords.

3. BitTorrent forum hacked; change your password immediately: If you are a torrent lover and have registered on the BitTorrent community forum website, your personal details, along with your hashed passwords, may have been compromised. The BitTorrent team has announced that its community forums have been hacked, exposing private information of hundreds of thousands of its users. BitTorrent is currently the most used torrent client around the world, with more than 150 million monthly active users.

4. VK.com hacked! 100 million clear-text passwords leaked online: Russia's biggest social networking site, VK.com, is the latest in the line of historical data breaches of social networking websites. The same hacker who previously sold data dumps from MySpace, Tumblr, LinkedIn, and Fling.com is now selling more than 100 million VK.com records for just 1 Bitcoin (approx. US$580). Experts advise not reusing the same password on different online platforms, since one compromise can expose a user on every site.

5. Mark Zuckerberg's Twitter and Pinterest accounts hacked: Mark's Twitter and Pinterest accounts were taken over last week because he reused a password, "dadada", according to a person familiar with the matter. The password had appeared last month in a database of more than 100 million usernames and passwords stolen in 2012 from LinkedIn, the person said. Mr. Zuckerberg appears to have reused "dadada" to log into Twitter and Pinterest, allowing hackers to take over those accounts. Ironically, Facebook's first "security tip" for users is "Don't use your Facebook password anywhere else online."

6. Morgan Stanley pays $1 million fine over stolen customer data: Morgan Stanley will pay a fine of $1 million for failing to protect customer data. The banking giant reportedly violated the Safeguards Rule, which allowed a then employee to transfer client details to his home computer, which was later hacked by a third party. In January 2015, confidential details of around 900 of Morgan Stanley's 730,000 clients were briefly released online by the hackers, with an offer to sell more. The employee was soon criminally charged, ordered to pay $600,000 in restitution and sentenced to 36 months of probation.

7. Singapore to cut Internet access for government computers: Singapore will cut off Internet access on 100,000 government computers starting May next year to safeguard official data from cybercriminals. A few dedicated computers will retain Internet access, and employees will be allowed to surf the web on their mobile devices. The decision was taken after the government fell victim to a number of "very sophisticated" cyber-attacks in the past. Singapore has for years come under attack from cybercriminals, who have also hacked into websites and stolen client data from Standard Chartered Bank.

8. Karnataka police website 'hacked' by Pakistani hackers: The official website of the Karnataka police department (www.ksp.gov.in) was on Friday allegedly hacked by Pakistani hackers, who pasted a Pakistani flag on the home page. The hacker, claiming to be Faisal 1337 from Team Pak Cyber-attacker, posted the flag with a message below it reading "Pwned! Hacked, shame on your security!" Indian and Pakistani hackers routinely hack each other's weak websites.

9. Yet another car can be hacked - this time it's the Mitsubishi Outlander hybrid: Mitsubishi joins Jeep, Nissan and Tesla on the list of cars that have had vulnerabilities highlighted. A security expert has discovered vulnerabilities in the car's Wi-Fi console that could allow hackers to access the vehicle remotely and turn off the car alarm before potentially stealing it. The security key needed to break into the Wi-Fi can be recovered through a brute-force attack. Mitsubishi has recommended that Outlander owners deactivate the Wi-Fi system until further notice; a recall of the cars is likely.

Will your backups protect you against ransomware?: According to the FBI, more than $209 million in ransomware payments were made in the United States in the first three months of 2016, up from just $25 million for all of 2015. There are several examples of hospitals, police departments and universities paying up. Cyber extortionists know that backups are their number one enemy and are adapting their ransomware to look for them. On the other hand, in many cases users are not backing up all of their data, or are not backing up frequently enough. Either way the result is paying up or losing data. The best way to combat ransomware is to not get infected at all. Forcepoint protects its users against ransomware.

Sunday, June 5, 2016

Issue 67 - Week of May 30th


1. Myspace passwords leaked in major security breach: Myspace.com is a once-popular social networking website. Last week, Myspace confirmed that the company was hacked in 2013 and that the stolen Myspace username and password combinations have been put up for sale on an online hacker forum. The hacker, nicknamed Peace, who is selling the database of about 360 million Myspace accounts, is the same hacker recently in the news for leaking 167 million LinkedIn and 65 million Tumblr accounts. Many users use the same password across various sites, and hackers leverage this to break into accounts using stolen passwords.

2. 65 million passwords from Tumblr data breach being sold: Earlier this month Tumblr revealed that a third party had obtained access to a set of email addresses and passwords dating from early 2013, before Tumblr was acquired by Yahoo. At the time, Tumblr did not reveal the number of affected users, but in reality around 65 million account credentials were leaked in the 2013 Tumblr data breach.

3. Credit card breach at CiCi's Pizza: American chain CiCi's Pizza, with more than 500 stores in 35 states, appears to be the latest restaurant chain to struggle with a credit card breach. The data available so far suggests that hackers obtained access to card data at affected restaurants by posing as technical support specialists for the company's point-of-sale provider, and that multiple other retailers have been targeted by the same cybercrime gang. Also read - Wendy's data breach.

4. TeamViewer users are being hacked in bulk: According to recent reports on Reddit and Twitter, the popular TeamViewer remote-control software appears to have been hacked. In many of the cases, the online burglars reportedly drained PayPal or bank accounts. TeamViewer denies being hacked and blames users, saying the cause is password reuse, and has introduced two new security measures: Trusted Devices and Data Integrity. The Trusted Devices feature requires you to approve a new device as trusted before it can access an existing TeamViewer account for the first time. The Data Integrity feature forces a password reset when it detects unusual behavior in a user's account.

5. GhostShell hacker leaks 36 million user records in protest: The GhostShell hacker is back with a bang, leaking 36 million user records from 110 misconfigured MongoDB servers. The hacker announced the data leak on Twitter and posted a link to a PasteBin URL where he wrote that the leak was aimed at raising awareness "about what happens when you decide not to even add a username and password as root or check for open ports."
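As an added illustration (not part of the original post or of the leaked servers' actual configuration), here are the two mongod.conf settings whose absence produces exactly the exposure described above, shown as a weak configuration beside a hardened one; the 10.0.0.5 address is a placeholder for the host's own private interface.

```yaml
# Added example, two separate mongod.conf files shown as one YAML stream.
# Not taken from the original post; 10.0.0.5 is a placeholder address.

# --- WEAK: the pattern behind the exposed servers ---
# bindIp 0.0.0.0 makes mongod listen on every interface, and with the
# security section absent, authorization is off: anyone who can reach
# port 27017 can read and write every database with no username or password.
net:
  port: 27017
  bindIp: 0.0.0.0
# (no security section)

---
# --- HARDENED ---
net:
  port: 27017
  # Listen only on loopback and on the private interface the application
  # servers use, so the port is never reachable from the public Internet.
  bindIp: 127.0.0.1,10.0.0.5
security:
  # Require every client to authenticate and to hold a role that grants
  # the operation; unauthenticated connections can do nothing.
  authorization: enabled
```

Create an administrative user in the admin database before switching authorization on (MongoDB's localhost exception allows this on a fresh instance), then restart with the hardened file; a firewall rule limiting port 27017 to the same hosts is an independent second layer.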

6. Zero-day exploit of Microsoft Windows - $90,000: Researchers have uncovered a zero-day exploit on the Russian underground malware forum exploit.in. It apparently affects all versions of Microsoft Windows from Windows 2000 all the way up to a fully patched Windows 10, and is currently priced at $90k. A zero-day exploit by itself will not compromise a system, but it is the most useful piece in the overall hacking kill chain. Also read - $1M for Apple zero-day exploits.

7. Indian Govt. curbs smartphone use over hacking, data theft fears: Concern over hacking, data theft and vulnerabilities in communication systems has prompted the government to instruct bureaucrats in all central ministries and departments to use smartphones to discuss sensitive official work only as a last resort and in emergencies. Officers were told that a smartphone is a far less secure device for official work because of the risk of embedded malware or spyware downloaded along with certain applications, and that these devices are best avoided when discussing classified information.

8. Over 10,000 WordPress sites vulnerable to exploit: Security researchers have warned that over 10,000 websites powered by the WordPress content management system (CMS) are at risk of exploitation because of a plugin containing a zero-day flaw. The WP Mobile Detector plugin is the source of the issue. The zero-day can compromise a website and act as a backdoor into the CMS simply by sending a HEAD request to the backdoor URL. The developers have now patched the plugin, and users of this plugin are advised to update it.

9. Long arm of the law catches up - hackers who stole money put behind bars: Russian authorities have arrested a gang of 50 hackers suspected of stealing more than $25 million from banks and other financial institutions in the country since 2011. The same gang had also tried to steal money by issuing false payment instructions, but those were blocked. The group allegedly used a Trojan called "Lurk" to set up a network of bots on infected computers to carry out the attacks. Lurk is a "file-less" Trojan that runs in RAM and has mostly been used to collect banking credentials, especially for banks in Eastern Europe and the Russian Federation.

10. FBI alerts to rise in extortion email schemes: The FBI has issued an announcement alerting citizens to a rise in extortion email schemes related to recent high-profile data thefts, stating that the messages are sent as soon as a breach of an individual's data is reported. The agency says its Internet Crime Complaint Center (IC3) is receiving complaints about emails that threaten to release personal information unless a ransom is paid within a given deadline. The amount demanded ranges from 2 to 5 bitcoins, to be sent to a given address.