Sunday, July 31, 2016

Issue 75 - Week of July 25th


1. Hillary Clinton's presidential campaign also hacked in attack on Democratic Party: There's a lot more to come from the DNC hack. The Associated Press confirmed last week that the computer systems used by Hillary Clinton's presidential campaign were hacked as part of the recent Democratic National Convention (DNC) hack. According to experts investigating the DNC hack, the Fancy Bear APT group (also known as APT28 and Pawn Storm) used a piece of malware called X-Tunnel to exfiltrate data from the systems without being detected.

2. Kimpton hotel chain investigating payment card breach: Kimpton Hotels has confirmed a possible payment card breach at around 24 of its properties across the US and says it is investigating the matter. Kimpton alerted customers, noting: “If there are unauthorized charges, individuals should immediately notify their bank.” In the past 2 years, most credit card breaches have been carried out by remotely planting malicious software on point-of-sale (PoS) devices. Recent hotel chain victims include Hyatt Hotels, Trump Hotel Collection, Starwood Hotels and Hilton Hotels.

3. Using a VPN in the UAE? You'll be fined if you get caught!: If you are caught using a VPN in the UAE, you could face temporary imprisonment and fines of up to $545k. Online privacy is one of the biggest challenges in today's interconnected world. Governments across the world have been found to be using the Internet to track people’s information and conduct mass surveillance. The top two telecom companies in the UAE have also banned VoIP and the phone calling features in popular apps. In China, too, VPN services used to circumvent the Great Firewall are illegal.

4. PornHub pays hackers $20,000 for finding zero-day flaws in its website: Two months ago, PornHub launched a bug bounty program, and last week it paid a $20,000 bounty to a team of three researchers who gained Remote Code Execution (RCE) on its servers using a zero-day vulnerability in PHP, the programming language that powers the website.

5. Indian hacker discovers Vine’s source code; Twitter pays him $10,080 for his efforts: An Indian bug bounty hunter discovered a loophole in Vine that allowed him to download a Docker image containing the complete source code of Vine without any hassle. Vine is a video sharing service where people can share 6-second-long video clips on Twitter. The 23-year-old reported this blunder to Twitter; the company rewarded him and fixed the issue within 5 minutes.

6. LastPass bug lets hackers steal all your passwords: LastPass is a cloud password manager that automatically fills in credentials for you. Last week, a critical zero-day flaw was discovered in LastPass that could allow a remote attacker to compromise an account completely. LastPass quickly patched the reported vulnerability. LastPass was in similar news in 2015 as well as in January 2016 (when it was mocked as LostPass).

7. KeySniffer lets hackers steal keystrokes from wireless keyboards: Wireless keyboards from eight different hardware manufacturers have been found to use cheap non-Bluetooth transceiver chips, which rely on a less secure, proprietary radio protocol, and to transmit keystrokes over the air unencrypted. This means anyone within a 100 meter range of the computer with a long-range radio dongle can intercept the communications between affected wireless keyboards and the computer. The vulnerability is called KeySniffer. In Issue 66 we discussed KeySweeper, a simple device that exploited the weak encryption used by Microsoft wireless keyboards.

8. Possible end of SMS-based two-factor authentication: SMS-based Two-Factor Authentication (2FA), used as an added layer of security, has been declared insecure by the US National Institute of Standards and Technology (NIST). NIST argues it's too easy for anyone to obtain a (replacement) phone, and the website operator has no way to verify whether the person who receives the 2FA code is even the correct recipient. Other issues include design flaws in SS7 that allow SMS messages to be diverted to other devices, and the possible leak of the code when it is displayed on a locked screen. In Issue 49 we saw how a duplicate SIM card was used to steal $70k from a Bangalore-based entrepreneur.

9. QRLJacking — a hacking technique to hijack QR-code-based quick login systems: QR codes are two-dimensional barcodes that can hold a significant amount of information, and many websites use them in place of usernames and passwords for authentication. Last week, an expert revealed a method in which a cloned QR login code on a phishing site could capture a victim's login and allow the hacker to hijack the session.


10. 'No More Ransomware', a new way to fight back when your data's taken hostage: Participants in a new initiative called 'No More Ransomware' launched a website last week featuring tools that can help some victims decrypt their data without paying off the criminals. The site offers four decryption tools, each designed to unlock data encrypted by a different strain of ransomware. Though this will not be able to help all victims, it definitely offers another option besides paying up or losing data. Regular data backups and a good web security solution are the need of the hour to combat this ransomware menace.

Sunday, July 24, 2016

Issue 74 - Week of July 18th


1. KickassTorrents — domain names seized! owner arrested! website goes down!: Last week, federal authorities arrested the alleged mastermind behind the world's largest BitTorrent distribution site, KickassTorrents (KAT). After The Pirate Bay suffered copyright infringement hardship, KickassTorrents (KAT) became the biggest and most-used pirate site on the Internet, attracting millions of daily unique visitors. How was he caught? Authorities went undercover to buy ad slots on the site, which gave them access to an email address; the authorities then managed to access the entire mailbox to figure out IP addresses and his physical location.

2. WikiLeaks releases 20,000 DNC emails: In Issue 69 we discussed the Democratic National Committee (DNC) compromise, in which the hacker had been able to read all email and chat traffic. Last week, the whistleblowing website WikiLeaks published more than 19,000 DNC e-mails with 8,000 attachments. Hillary Clinton was also targeted in the attack, and the hackers announced that a "series" about Hillary Clinton is coming soon.

3. Hacker steals 1.6 million accounts from top mobile game's forum: A hacker has targeted the official forum of the popular mobile game "Clash of Kings," making off with close to 1.6 million accounts. The stolen database contains usernames, email addresses and IP addresses. The hacker exploited a known weakness in the forum's software, which had not been updated or patched for a long time. Last week it was the Ubuntu Linux forum that was hacked for similar reasons.

4. Cybersecurity company executives plead guilty to hacking rival firm: Five employees of the UK-based cybersecurity reseller Quadsys have admitted to hacking into a rival company's servers, allegedly to steal customer data and pricing information. They have been arrested and are due to be sentenced in September; this could lead to up to 12 months in prison or fines.

5. Ex-Cardinal exec jailed for hacking Astros: In Issue 46, we discussed the misuse of a shared password by an employee who was switching jobs between two basketball clubs, the Cardinals and the Astros. Last week, the ex-Cardinal exec was sentenced to 46 months in prison and a fine of $278K.

6. Beware! Your iPhone can be hacked remotely with just a message: Last year, Android phones were at risk due to the Stagefright vulnerability. Last week, a similar bug was discovered in the iPhone as well. Just one specially-crafted message can expose personal information, including authentication credentials stored in the iPhone's memory. The critical bug resides in ImageIO, an API used to handle image data, and works across all widely-used Apple operating systems. The attack could also be delivered through the Safari web browser; for this, the attacker needs to trick the victim into visiting a website that contains the malicious payload. Apple has patched this critical issue in iOS version 9.3.3.

7. Hidden 'backdoor' in Dell security software gives hackers full access: Security researchers are warning admins of Dell's security management software (GMS) to patch their systems after finding six high-risk vulnerabilities. One of the highest-rated "critical" flaws involves a hidden default account with an easily-guessable password. Dell acknowledged that the flaws affect the most recent versions of the GMS software and has issued patches to fix the bugs.

8. Police unlock dead man's phone by 3D-printing his fingerprint: Police in Michigan are considering 3D-printing a dead man’s fingers so they can unlock his smartphone through its biometric sensor in a crime investigation. Police had this murder victim's fingerprints on file from a previous crime, and these prints were used to 3D-print the fingers. This has the potential to be misused in the future: if criminals obtain high-resolution pictures of a person's hand, they could unlock his or her devices by 3D-printing fingers.

9. Your favorite website is under attack: Websites and web-based services are increasingly under attack. A recent report suggests that the largest number of web application attacks originate in the US. Ironically, the US is also the target of the largest number of attacks. Along with the US, the UK, Brazil, India, China and the Netherlands appear both in the top 10 list of attack source countries and in the top 10 list of victim countries. In terms of the sectors being targeted by hackers and malware, the retail industry tops the list, followed by hotel and travel, all of which involve a lot of transactions.

10. Spoof emails used to steal $50k from Indian media company CEO's NGO: Ronnie Screwvala, CEO of UTV, runs an NGO as well. A top finance official of the NGO received an email that appeared to be from Ronnie, asking for $50k to be transferred to a bank account, and she followed the instructions. A few days later, she received another such transfer request. This time Ronnie happened to be in the NGO office, so the finance official got suspicious and walked up to him to confirm. This is when they realized that they had been scammed. They were quick to file a complaint, and the police have recovered 60% of the money so far. ONGC had lost ₹197 crore ($30M) in a similar, unbelievably simple scam.


Sunday, July 17, 2016

Issue 73 - Week of July 11th


1. Ubuntu Linux forum hacked: A silly mistake of not installing a patch for a known bug caused the exposure of users' personal data on the Ubuntu online forums. The vulnerability is one of the oldest, but most powerful and most dangerous flaws that can affect any website or web application backed by an SQL database. The bug allows an SQL injection attack, in which malicious SQL commands/payloads are injected through the client into the application in order to breach the database and get access to users' personal data. The hack did not affect the Ubuntu operating system, nor was it due to a vulnerability or weakness in the OS.

2. Downloading the Pokémon GO game for Android? Beware! It could be malicious: "Pokémon Go" has become the hottest iPhone and Android game on the market, with enormous popularity and massive social impact. The app has taken the world by storm since its launch last week. The location-based augmented reality game allows players to catch Pokémon in real life using their device's camera and is currently only officially available in the United States, New Zealand, the UK and Australia. In other countries, users are side-loading the app from untrusted sources, which requires modifying core security settings. This allows such apps to install a backdoor on phones, enabling hackers to compromise a user's device completely.

3. For iOS, Pokémon GO doesn't intend to, but has the power to look inside: The iOS version of the official Pokémon GO app is a "huge security risk" because the game, for some reason, grants itself "full account access" to your Google account when you sign into the app via Google on an iPhone or iPad. This allows the app to read/send email, access Google Drive documents, look at search history as well as Maps navigation history, and a whole lot more. The game developer has acknowledged this and said the company is actively working on a fix to downgrade the permission.

4. Chinese hacker who stole information on US military jets jailed: A 51-year-old Chinese national and aviation specialist has been thrown behind bars after admitting his part in a year-long conspiracy to steal valuable technical data belonging to military and defense contractors in the United States. He pleaded guilty to one count of conspiring to gain unauthorized access to a protected computer and to violate the Arms Export Control Act by exporting defense articles on the US Munitions List.

5. Microsoft wins! Govt. can't force tech companies to hand over data stored overseas: Last week, a court ruled that the United States government cannot force tech companies to give the FBI or other federal authorities access to their non-US customers' data stored on servers located in other countries. The US government can't go beyond its borders to collect data. The case was an international drug trafficking case, in which the FBI wanted data from the US and Ireland data centers.

6. The world's first all-machine hacking tournament: Today's approach to cybersecurity depends on computer security experts to identify new flaws and threats and remediate them manually. This process takes time, and critical systems may already have been breached by then. DARPA wants to address this and is conducting a tournament called the 'Cyber Grand Challenge', in which the participants build a smart artificial intelligence system that automatically detects and even patches security flaws. The tournament will be held in Las Vegas on Aug 4th; the winning team gets $2M and the runner-up gets $1M. If successful, the speed of autonomy could someday blunt the advantages hackers enjoy in cyber offense.

7. 3 popular Drupal modules found vulnerable, patches released: Three popular Drupal modules (RESTful Web Services, Coder and Webform Multiple File Upload) have been found to be vulnerable. The Drupal Security Team released critical patches to address these security issues. If you own a Drupal website, you are advised to carefully review the list of affected modules and apply the security patches as soon as possible. The Panama Papers leak was largely due to unpatched Drupal and WordPress systems.

8. Fiat Chrysler debuts bug bounty program: A year ago, IT security researchers hacked the onboard computer in Fiat Chrysler's Jeep Cherokee, which led to the recall of 1.4 million vehicles. Now, the company is launching its first public bug bounty program. The program will award researchers up to $1,500 per vulnerability that is responsibly disclosed to Chrysler. Other recent bug bounty programs: MIT, Uber, General Motors, the Pentagon.

9. State-sponsored SCADA malware targeting European energy companies: Security researchers have discovered a new campaign targeting energy companies in Western Europe with sophisticated malware that goes to great lengths to remain undetected. The malware, dubbed 'SFG', features a vast arsenal of tools rarely seen in ordinary malware samples. It provides its masters with a backdoor, which could then be used to install other malware on systems to extract data or potentially shut down the energy grid.


10. Are you prepared for ransomware?: Ransomware is no longer just a consumer threat; it has begun affecting government and enterprise. The decision "to pay or not to pay" must take a balanced view into account. The FBI had initially suggested that victims should not pay; later it suggested that paying the hackers was an option. The Hollywood hospital is one of the victims that paid $17K. For as long as ransomware remains profitable, attackers will continue to frustrate and damage organizations around the world. Ultimately, advanced content security protection and a good backup strategy are the safety net that underpins the mitigation strategy against ransomware.



https://twitter.com/ootyajay
https://www.linkedin.com/in/ootyajay

Sunday, July 10, 2016

Issue 72 - Week of July 4th


1. Indian-origin engineer guilty of revenge cyber-attack: An Indian-origin network engineer based in the US has pleaded guilty to a revenge cyberattack on a network security company and its clients after he was fired. He admitted in court to hacking his former employer's computer to delete vital information, resulting in $137,000 in damages. He has offered to compensate his victims; he will be sentenced on September 28 and could face up to 10 years in prison and a $250,000 fine. A classic case of a disgruntled employee.

2. 1,025 Wendy's outlets affected by hack: Wendy's said hackers were able to steal customers' credit and debit card information at 1,025 of its U.S. restaurants, far more than it originally thought. The malware had been installed on point-of-sale (PoS) systems in the affected restaurants. We discussed the breach in Issue 49 - Week of Jan 25th. The company went public in May and initially thought fewer than 300 outlets had been impacted. According to experts, Wendy's breach losses may exceed those of the Target and Home Depot incidents.

3. Microsoft Office 365 hit with massive Cerber ransomware attack: Millions of Microsoft Office 365 users were potentially exposed to a massive zero-day Cerber ransomware attack last month that not only included a ransom note, but also an audio warning informing victims that their files were encrypted. To bypass defenses, the malware is delivered as an encrypted email attachment. When executed, that code uses a technique to call a ‘.JPG’ file, but only to retrieve additional executable code to complete the attack. The good news is… Forcepoint customers were safe!

4. Hackers took down WikiLeaks over a spat with Anonymous: OurMine, the hacker group that previously broke into the social media accounts of tech heavyweights like Google's CEO and Facebook's founder, has now taken down the WikiLeaks site in a DDoS attack. The reason? A spat with Anonymous, the global hacker group known for taking down ISIS social media accounts, publishing the names of KKK members and attacking the Greek central bank’s website to protest the global financial system.

5. Indian businesses lost $1mn from data loss in one year: According to a recent survey, Indian businesses lost over $1 million from data loss and downtime in the last 12 months. 46 per cent of organisations suffered unplanned system downtime and/or data loss due to an external or internal security breach, the study found. Ransomware is dramatically raising the stakes when it comes to cyber security. Regular backups and advanced web security solutions are the best ways to combat ransomware.

6. New anti-terrorism law in Russia asks telcos to record all phone calls: Last week, the Russian President signed into law a controversial package of counterterrorism measures, including tougher sentences for extremism and heightened electronic surveillance of Russian citizens, which has provoked condemnation from rights activists. Several of the amendments require telecom companies to store recordings of their customers’ phone calls and text messages for six months, and order messaging services such as Facebook and Telegram to provide decryption keys to Russia’s Federal Security Service.

7. Hackers can steal your ATM PIN from your smartwatch or fitness tracker: When you enter your PIN at an ATM, your hand moves in a particular pattern. If you happen to be wearing a smartwatch, the accelerometers, gyroscopes and magnetometers inside the watch record this movement. Researchers have developed an algorithm that can guess your PIN based on these hand movements. Best practice: always enter your PINs with the hand that is not wearing a device.

8. BMW web portal vulnerabilities pose car hack risk: Two unpatched vulnerabilities in BMW's ConnectedDrive web portal create a mechanism to manipulate car settings, a security researcher warns. The first vulnerability creates a means for a hacker to access another driver’s Vehicle Identification Number (VIN) and then change in-car settings. The second issue is a reflected cross-site scripting bug on the password reset page of BMW’s ConnectedDrive portal. BMW joins Mitsubishi, Jeep, Nissan and Tesla on the list of car makers that have had vulnerabilities highlighted.

9. Cyber spies are still using old Windows flaws to target their victims: Hackers using only the most basic forms of cyberattack have successfully stolen files from high-profile governmental and diplomatic targets. Researchers suggest that the attacks originate in India and are carried out using old exploits, low-budget malware tools and basic social engineering methods. The simple but effective threat actor has been dubbed 'Dropping Elephant'.


10. Keydnap malware goes after your Mac password treasure trove: Researchers have discovered a new kind of Mac malware, dubbed Keydnap, which burrows its way into machines to steal passwords and install a permanent backdoor into the victim's system. The researchers are not sure how victims become exposed to the malware, but it may be through phishing campaigns, malicious email attachments or downloads from suspicious websites. Gatekeeper is a security feature of Apple's OS; if Gatekeeper is active on the target machine, the malware will not execute and a warning is displayed to the user.





Sunday, July 3, 2016

Issue 71 - Week of June 27th


1. Global terrorism database leaked: A massive database of terrorists and "heightened-risk individuals and entities" containing more than 2.2 million records has reportedly leaked online. The leaked database contains records of people with suspected links to terrorism, organized crime, money laundering, bribery, corruption and other unsavory activities. The database is called World-Check and is run by Thomson Reuters; it is used by banks, governments and intelligence agencies worldwide. The researcher who discovered this leak had in April discovered the leak of a 90 million-record Mexican voter database.

2. Google CEO's Quora account hacked: Nobody is immune to being hacked! After hacking Mark Zuckerberg’s Twitter and Pinterest accounts, the hacking group OurMine successfully found a vulnerability in Quora to hack the account of Google's CEO and then cross-post to his Twitter account, as the two are linked. The group behind OurMine claims it is "testing security" of accounts and teaching people to secure their online accounts better, for a fee of up to $5,000 for a scan. Fear distracts, and sometimes it sells, but it is not the best way forward. Move forward without fear.

3. Oculus CEO's Twitter gets hacked; hacker declares himself new CEO: The Twitter account of another high-profile executive has been hacked! This time, it is the CEO of Facebook-owned virtual reality company Oculus who had his Twitter account hacked last week. He is the latest in the list of technology chief executives to have had their social media accounts hacked in recent weeks. Recently, Google's CEO, Twitter's ex-CEO and Facebook's CEO have all fallen victim to similar hacks; in most cases these are 'password reuse attacks'.

4. IoT botnet — CCTV cameras hacked to launch DDoS attack: IoT devices pose a great threat due to their insecure implementations: these Internet-connected embedded devices, including smart TVs, refrigerators, microwaves, set-top boxes, security cameras and printers, are routinely being hacked and used as weapons in cyber-attacks. Cyber crooks are hacking CCTV cameras to form a massive botnet that can blow large websites off the Internet by launching Distributed Denial-of-Service (DDoS) attacks. Last week, hackers used 25,000 CCTV cameras from 103 different countries to launch a DDoS attack on a commercial website to bring it down.

5. More than 150,000 Android phones hacked in India: A notorious mobile Trojan called Hummer stealthily installs malicious apps, games or even porn apps onto victims' phones and yields its creators huge sums of money via pop-up ads. The Trojan roots the phone to gain admin privileges and is extremely difficult, if not impossible, to get rid of, even after a factory reset. Hummer spreads itself using a number of different domain names and third-party app stores, tricking users into downloading malicious apps or fake versions of popular apps like Facebook or Twitter. Indonesia, Turkey, China and Mexico are the other four of the top five countries where Hummer has claimed most of its victims, but the Trojan is also infecting Android users in the U.S. and Europe.

6. Another banking heist - $10 million stolen from Ukraine bank: An unidentified bank in Ukraine was allegedly hacked and $10 million stolen via the SWIFT network. The country’s ISACA branch, which is part of the probe, said several banks in Ukraine and Russia have been compromised and hundreds of millions of dollars stolen from them. Unconfirmed local media reports say the theft was via the SWIFT messaging system, akin to the February $81 million Bangladesh Bank cyber heist. However, SWIFT has repeatedly rejected allegations that its system was compromised in the bank thefts and has now warned that institutions with weak internal security may be suspended from its network.

7. Noodles & Co reports possible data security incident: Fast-casual restaurant chain operator Noodles & Co said last week that a recent data security incident may have compromised the payment information of some of its customers who used debit or credit cards at some of its locations between Jan. 31 and June 2. Wendy's had reported a similar cyber-attack in January.

8. How to see everything Google knows about you: It's no secret that Google knows a lot about its users. The tech giant collects tons of data about you, including your search history, location and voice searches, which help improve Google's services and provide relevant ads. Last week the company rolled out a new tool called "My Activity" that shows you almost everything you do online related to your Google account. From a security perspective, with millions of credentials available on the dark web due to big hacks like Myspace and LinkedIn, hackers could access your "My Activity" and misuse it. Time to change your passwords to avoid such password reuse attacks.

9. Free Wi-Fi connections are very risky: While travelling abroad it is indeed tempting, and many a time necessary, to connect to any free Wi-Fi connection. A survey showed that of every 10 travelers, 8 connected to free unsecured networks and 3 were hit by cyber-crime. The reality is that there is a lack of understanding of the cybersecurity risks of unsecured public Wi-Fi networks and a fundamental lack of options for making secure connections. Enforcing the use of VPNs and taking other security precautions definitely helps.


10. Nasty ransomware returns: After a huge decline in activity, instances of Locky, one of the most prolific forms of malicious software, have bounced back. The CryptXXX family of ransomware has also been discovered in the wild; this is a particularly nasty form of ransomware that not only encrypts files on the infected PC but also attacks any files on connected storage devices. Ransomware is working, and the cyber-crooks know it. The success of ransomware means more and more cybercriminals are attempting to get in on the action. PPT approach to stop ransomware: trained People, Processes and cutting-edge Technology.
