1. Telegram Hacked: Reuters and several media outlets are reporting that the phone numbers of 15 Million Telegram users in Iran have been compromised by Iranian hackers exploiting an SMS text message flaw. The attack targeted Telegram’s one-time SMS activation and not its end-to-end encryption. Telegram sends an SMS with a verification code to users who want to log in to the app from a new device. The SMS can be intercepted by phone companies and sold to hackers who can then access the user’s contact list and archived messages. 'SMS Interception' is not a Telegram vulnerability. Such an attack can be used against any messaging app, like WhatsApp and Viber, whose registration is based on an SMS-based verification mechanism. No wonder that many experts are predicting the possible end of SMS-based 2-Factor Authentication.
2. Bitcoin exchange 'Bitfinex' hacked: Hong Kong-based Bitcoin exchange 'Bitfinex' has posted a note on its website announcing the shutdown of its operation after discovering a security breach that allowed an attacker to steal bitcoins worth $72 Million. The cause of the security breach and the hacker behind the incident are still unclear. After the news of the hack had broken on August 2, the price of Bitcoin dropped almost 20%. Maybe it is safer to store cryptocurrency in an offline wallet instead of on any website or cryptocurrency exchange.
3. Hacker Selling 200 Million Yahoo Accounts On Dark Web: A hacker who calls himself Peace, who was responsible for selling data dumps for LinkedIn, MySpace, Tumblr and VK.com, is now selling what is said to be the login information of 200 Million Yahoo! users on the Dark Web. The leaked database includes usernames, MD5-hashed passwords and dates of birth. In some cases, there are also the backup email addresses used for the account, the country of origin, as well as the ZIP codes for US users. This can increase 'password reuse attacks'; it is high time users changed their online passwords and used different passwords for different accounts.
4. Pokémon GO creator's Twitter account hacked: After hacking the Twitter accounts of Google's CEO, Facebook's CEO, Twitter's CEO, Twitter's ex-CEO and the Oculus CEO, Ourmine last week hacked the Pokémon GO creator's Twitter account. Over 1 billion passwords are now available on the net after the high-volume dumps from Yahoo, LinkedIn, MySpace, Tumblr and VK.com. Ourmine is believed to be reusing these passwords to hack well-known people.
5. Torrentz.eu shuts down forever! End of biggest Torrent search engine: Over two weeks after the shutdown of Kickass Torrents and the arrest of its admin in Poland, the world's biggest BitTorrent meta-search engine, Torrentz.eu, has apparently shut down its operation. The surprise shutdown of Torrentz marks the end of an era. Torrentz.eu was a free, fast and powerful meta-search engine that hosted no torrents of its own, but combined results from dozens of other torrent search engine sites including The Pirate Bay, Kickass Torrents and ExtraTorrent.
6. Hack Apple & get paid up to $200k bug bounty Reward: Last week, Apple announced at the Black Hat security conference that the company would be launching a bug bounty program to pay outside security researchers and white hat hackers who privately disclose security flaws in the company's products. This decision comes in the wake of the recent Apple vs. FBI court case. Apple joins a long list of companies offering bug bounty programs; the list includes Fiat, MIT, Uber, General Motors and the Pentagon. PornHub and Twitter paid bug bounties recently.
7. Your battery status is being used to track you online: In HTML5, a feature called the Battery Status API was introduced. The API is intended to allow site owners to see the percentage of battery life left on a laptop, tablet, or smartphone in an effort to deliver an energy-efficient version of their sites. Some companies (like a famous taxi-hailing app) analyze and monetize this access by charging differently for different levels of battery life. A person with low battery is likely to accept a higher price for a ride than a person with full battery life.
8. Flaws hit HTTP/2 Protocol that could allow Hackers to disrupt servers: HTTP/2.0, which is used by nearly 10% of websites, is a major revision of the HTTP network protocol. It was originally developed by Google. It has been around for four months now, and last week at the Black Hat conference, researchers revealed four flaws in the HTTP/2 protocol. These vulnerabilities allow attackers to slow down web servers. All four vulnerabilities have already been fixed.
9. This ATM hack allows crooks to steal money from chip based cards: A team of security engineers at the Black Hat USA 2016 conference in Las Vegas demonstrated how a small and simple modification to an ATM would be enough for attackers to bypass the Chip-and-PIN protections and enable unauthorized transactions. A device called a Shimmer is added to the ATM; it can read data from the card as the ATM reads it and transmit the data to the hacker's smartphone, enabling replication of the cards. We believed chip-based EMV cards were secure, but that belief now stands shattered.
10. Ransomware attack on Delhi based Diagnostic Centre: A Diagnostic Centre in the national capital of India was recently targeted by unknown hackers, who gained illegal access to the Diagnostic Centre and encrypted its data. A ransom of $1300 was demanded. The cyber cell of the CBI has registered a case. Most of the time, ransomware gains entry when users open links in spam or phishing emails. Training users, regular backups and a good web security solution will help against such attacks. According to a leading cyber security firm, nearly 40% of enterprises were hit by ransomware last year.