Sunday, June 26, 2016

Issue 70 - Week of June 20th


1. Insider breach at T-Mobile Czech Republic: One of T-Mobile's employees in the Czech Republic stole more than 1.5 million customer records in order to sell them on for a profit. The investigation has been handed over to the Czech Police's unit for combating organized crime. The company said the breach was not due to a signal failure or to a failure of its systems or procedures; instead, the data was stolen by an employee who was part of a "small team" that "worked with customer data" and who was caught while attempting to sell the database. T-Mobile said it would inform its customers of any further developments in the investigation.

2. Uber hacked for free Uber rides: A security researcher discovered a critical vulnerability in the Uber app that could allow an attacker to brute-force Uber promo code values and obtain valid codes worth up to $25,000, good for more than one free ride. The "promo code brute-force attack" vulnerability lies in Uber's sign-up invitation link, which lets any user invite another user to join the service and receive one or more free rides depending on the promotion code's value. Uber has yet to patch this flaw.

3. Air India frequent flier miles hacked: Unidentified individuals hacked into the loyalty program of at least 20 accounts at Air India to steal nearly $24,000 worth of frequent flier miles. The intruders created 20 email IDs to hijack the reward points earned by Air India passengers. Because a number of the phony tickets were bought using invalid IDs and were signed with the same signature, Delhi Police suspect the involvement of an insider familiar with the security loopholes. The airline has suspended the fraudulent IDs and deactivated accounts holding identical user names and passwords.

4. Twitter ex-CEO got hacked: The same group of teenage hackers that hacked Facebook CEO Mark Zuckerberg's Twitter and Pinterest accounts has hacked another high-profile person. The hacker group from Saudi Arabia, dubbed OurMine, compromised the Twitter account of a former Twitter CEO on Sunday and managed to post three tweets on his timeline. The account itself was not hacked directly; instead, a third-party service that cross-posted to his Twitter account was compromised, and the attackers used this old, still-authorized service to post. The hackers claim their objective is simply to teach people better security.

5. Hacker breaks into Canadian political party's VC system: A critical flaw in the video conferencing software of the Quebec Liberal Party (PLQ) allowed a user to spy on and listen to the party's strategy discussions at its premises and even access the live video camera feeds. When asked how difficult it was to hack, the hacker told the media that it was as easy as using a commonly used password, namely the default code that never gets changed. Both the party and the hacker have confirmed that the password has been changed and the security flaw fixed.

6. DDoS attacks on central banks of Indonesia and South Korea: The public websites of the central banks of both Indonesia and South Korea have been hit by cyber-attacks. The hacktivist group Anonymous had pledged last month to launch a 30-day campaign against central bank sites in what it dubbed Operation Icarus. No money was lost in the attacks, but central banks have been on high alert ever since the Bangladesh central bank lost $81 million in fraudulent money transfers in February.

7. India - 68% of Nifty 50 companies are vulnerable to cyber-attacks: Of the 50 companies in the Nifty index, 34 (68%) have identified vulnerabilities in at least one of their Internet-facing properties. The PwC survey of transgressions in Indian cyberspace further found that 525 email addresses belonging to the 34 companies were compromised, meaning hackers had access to those email accounts.

8. ‘Bug Poachers:’ A new breed of cybercriminal: Bug poachers are people who breach a company's network to steal data, but they do not sell this data on the dark web. They use it to extort their victims, telling the company it must pay to learn how it was breached. The bug poachers argue that they are doing companies a service. A bug bounty program can go a long way toward attracting the right kind of probing of a company's network.

9. Majority of SMBs would not pay ransomware attackers: A survey of US small and mid-sized business owners on ransomware attacks found that 84% would not pay cybercriminals even if it meant losing their data. Only 3% would be willing to pay $10,000 or more, while 10% were okay with paying between $1 and $100. Businesses need a comprehensive cyber security strategy that includes prevention, monitoring and damage control. According to the FBI, 2,453 ransomware complaints were received in 2015, costing victims $25 million.

10. Be careful the next time you get an invitation to connect on LinkedIn: Hackers posing as recruiters request to connect, and many of us accept such requests with little hesitation. Once connected, the hackers gain access to you, your contact details, and the rest of your network. They use this to set up lures, spear-phishing, malware drops, and other nefarious activities. More often than not, hackers use this connection to compromise our machines (to steal data or deploy ransomware) or to launch attacks on other people in our LinkedIn network. In Issue 28, we discussed how people tend to expose a lot of information on LinkedIn and to headhunters.

Photo reveals even Zuckerberg tapes his Webcam and Microphone for Privacy