Sunday, August 14, 2016

Issue 77 - Week of Aug 8th


1. Data Breach - Oracle's MICROS payment systems hacked: Oracle has confirmed that its point-of-sale (MICROS) division has suffered a security breach. Hackers had infected hundreds of computers at the division, infiltrated the support portal used by customers, and potentially accessed sales registers all over the world. It is likely that the hackers installed malware on the troubleshooting portal in order to capture customers' credentials as they logged in. These usernames and passwords can be used to access customer accounts and remotely control their MICROS point-of-sale terminals. POS terminals have emerged as the favorite target for cybercriminal gangs. Two of the best-known victims to be hit by POS malware are Target and Home Depot.

2. DNC hacker leaks personal info of nearly 200 Congressional Democrats: The hacker behind the DNC hack has claimed responsibility for hacking into the Democratic Congressional Campaign Committee (DCCC) as well. Last week, to prove his claims, the hacker dumped a massive amount of personal information belonging to nearly 200 Democratic House members onto his blog. The dumped data also contains passwords to access multiple DCCC accounts. The hacker goes by the name Guccifer 2.0.

3. Pune-based Indian manufacturing company loses $175k: In a modus operandi very similar to the ONGC scam, hackers sent an email to Kinetic Electrical Company that looked as if it had originated from its Taiwan-based supplier (typosquatting). The fake email informed the company about the supplier's new bank account and asked for the next advance payment to be transferred to the new account. The Pune company's officials promptly transferred $175k (1.18 Crore) to the account and waited for the shipment. After three months, when the shipment had not arrived, they called Taiwan and realized it was a scam. Ronnie Screwvala's NGO lost $50k recently in a similar fashion. Finance and purchase departments should call the recipients of funds (suppliers or CEO) whenever there is a bank change request. This hack is also called BEC - Business Email Compromise.

4. Pakistan-based hacker defaces Canara Bank site, tries to block e-payments: According to a statement issued by Canara Bank, a Pakistani hacker defaced the bank's home page and also tried to block certain online transactions but failed to access any data or transactions. Within hours of the attack, the Reserve Bank of India alerted all banks to double-check their SWIFT payments. With the recent $81 Million hack on Bangladesh Bank, one should not take any chances.

5. United Airlines pays bug bounty in Air Miles: Two computer hackers have earned more than 1 Million frequent-flyer miles each from United Airlines for finding and reporting multiple security vulnerabilities in the airline's website. Last year, United Airlines rewarded a vulnerability researcher with 1 Million Air Miles for identifying remote code execution (RCE) vulnerabilities in its web properties. Many organizations, including Apple, Twitter, the Pentagon and Pornhub, offer bug bounties.

6. Blackhat Firm Offers $500,000 for Zero-day iOS Exploit; Double Apple's Highest Bounty: In Issue 76, we discussed Apple's $200k bug bounty reward. A blackhat company is now offering more than double Apple's maximum payout for zero-day vulnerabilities affecting the newest versions of iOS (9.3 and above). Last year, a security firm paid $1 Million to a group of hackers for an iPhone hack. The zero-day market has long been a lucrative business because governments, law enforcement, criminals, and the private sector all shop for zero-days. In recent times, we have seen the FBI pay more than $1M to hack into a terrorist's phone.

7. Over 900 Million Android phones vulnerable to new 'QuadRooter' attack: A high security alert for Android devices was issued last week. Dubbed "QuadRooter," the set of four vulnerabilities, discovered in devices running Android Marshmallow and earlier that ship with a Qualcomm chip, could allow an attacker to gain root-level access to any Qualcomm device. An attacker needs to trick a user into installing a malicious app to exploit one of the four vulnerabilities, which will give the attacker full access to the device, including its data, camera and microphone. Last year, 1 Billion Android phones were at risk due to the Stagefright vulnerability. Getting Android OS updates to users is a messy affair, as it involves Google, the device manufacturer and the telcos.

8. Linux TCP flaw allows hackers to hijack Internet traffic and inject malware remotely: Linux is used widely across the Internet, from web servers to Android smartphones, tablets, and smart TVs. Researchers have uncovered a serious Linux flaw which, if exploited, could allow attackers to terminate, or inject malware into, unencrypted communication between any two vulnerable machines on the Internet. The flaw resides in the design and implementation of Request for Comments 5961 (RFC 5961), a relatively new Internet standard that is designed to make commonly used TCP more robust against hacking attacks.

9. Car thieves can unlock 100 Million Volkswagens with a simple wireless hack: Every car that the Volkswagen group has sold since 1995 can be unlocked using a simple $40 device. The device first listens to the rolling code values used by keyless entry systems whenever the driver presses the key fob's buttons. These codes, along with the cryptographic key that was extracted from the Volkswagen network, are used to clone the key fob and gain access to the car. In the past 20 years, only four common keys have been used in all the 100 Million cars sold by Volkswagen.

10. New hack uses hard drive noise to transfer stolen data from air-gapped computers: For security reasons, many super-sensitive networks, like those of defense and research organizations, have computers that are not connected to the internet (air-gapped computers). Now, researchers have devised a new method to steal data from such air-gapped computers. The first step is to infect such computers with malware that is capable of transmitting data like passwords, cryptographic keys, etc., via covert hard drive noise. The malware manipulates the movements of the hard drive coil in a very specific way to generate acoustic noise (like Morse code) that is interpreted as binary data by a smartphone app from six feet away.
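
As a defensive illustration of item 3 (this is an added example, not part of the original newsletter): a mail-triage check that flags sender domains imitating a known supplier and any message that asks for a bank account change. The supplier domains, the character substitutions, the edit-distance threshold and the wording pattern are all assumptions chosen for the sketch.

```python
import re

# Constructed allow-list of supplier domains (hypothetical names).
KNOWN_SUPPLIERS = {"taiwan-supplier.example", "acme-parts.example"}

# Digit-for-letter swaps often used in lookalike domains (assumed set).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Wording that signals a change of payment details (assumed pattern).
BANK_CHANGE = re.compile(
    r"\b(new|changed?|updated?)\b.{0,40}\b(bank|account|iban|swift)\b",
    re.I | re.S)

def fold(domain):
    """Normalise case and common lookalike characters."""
    return domain.lower().rstrip(".").translate(HOMOGLYPHS).replace("rn", "m")

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the known supplier domain this one imitates, or None."""
    domain = domain.lower().rstrip(".")
    if domain in KNOWN_SUPPLIERS:
        return None
    for known in KNOWN_SUPPLIERS:
        if fold(domain) == fold(known) or edit_distance(domain, known) <= 2:
            return known
    return None

def triage(sender, body):
    """Classify one message; a bank change always needs a phone call."""
    imitated = lookalike_of(sender.rsplit("@", 1)[-1])
    asks_bank_change = bool(BANK_CHANGE.search(body))
    if imitated and asks_bank_change:
        return "hold: lookalike of %s requesting bank change" % imitated
    if asks_bank_change:
        return "verify by phone: bank change request"
    if imitated:
        return "warn: lookalike of %s" % imitated
    return "ok"
```

A bank change request from the genuine supplier domain is still routed to phone verification, because the supplier's own mailbox may be the compromised one.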



