Sunday, September 25, 2016

Issue 83- Week of Sep 19th


1.      Yahoo confirms 'state-sponsored' hackers stole personal data from 500m accounts: Hackers stole the personal data associated with at least 500m Yahoo accounts, the company confirmed last week. Details including names, passwords, email addresses, phone numbers and security questions were taken from the company’s network in late 2014 by what was believed to be a state-sponsored hacking group. The company is investigating the breach with law enforcement but currently believes that credit card or bank details were not included in the stolen data. To avoid a password-reuse attack, do not use the same password across accounts. "Mega-Breaches" revealed in recent months include LinkedIn, MySpace, VK.com, Tumblr, and Dropbox.

2.      Hacker who helped ISIS to build 'Hit List' of US military personnel jailed for 20 years: A computer hacker who allegedly helped the terrorist organization ISIS by handing over data on 1,351 US government and military personnel has been sentenced to 20 years in a U.S. prison. The 21-year-old ISIS-linked hacker obtained the data by hacking into a US web hosting company's servers in 2015. The stolen data contains personally identifiable information (PII), including names, email addresses, passwords, locations and phone numbers of US military service members and government workers.

3.      Tesla car hacked by Chinese security firm from 19km away using 'malicious' wi-fi hotspot: A Chinese security team has hacked into a Tesla car driving on autopilot from a distance of 19km (12 miles). The team was able to remotely control the vehicle's brakes, dashboard computer, side mirrors and door locks in both "parking and driving mode". In a video posted to YouTube, the hackers demonstrate the remote operation of the car in a car park at low speeds "for safety". Tesla has confirmed the hack and has already deployed an over-the-air software update that addresses the potential security issues. Last year, there was a similar demonstration with the Jeep hack.

4.      Beware — Someone is dropping Malware-infected USB Sticks into People's Letterbox: Australia's Victoria Police Force has issued a warning about unmarked USB flash drives containing harmful malware being dropped into random people's letterboxes in a Melbourne suburb. It seems to be one of the latest tactics of cyber criminals: dropping malware-laden USB sticks into mailboxes in the hope that unsuspecting users will plug the infected devices into their personal or home computers. So, next time you find a USB drive or receive one in the post, be cautious and do not plug it into your laptop or computer.

5.      iPhone 7 and iOS 10 jailbreak is possible: It has only been a few days since the launch of Apple's brand new iPhone 7 and iPhone 7 Plus, but it appears that the new iPhone has already been jailbroken. Jailbreaking a smartphone removes certain restrictions put on the device by its manufacturer, giving root access to the depths of the iOS system itself. This then allows the user to download and install apps, extensions and themes that are not typically available through the iOS App Store. Apple is already beta testing the patch to address this issue in iOS 10.1.

6.      Apple weakens iOS 10 backup encryption: Apple has downgraded the hashing algorithm for iOS 10, potentially allowing attackers to brute-force the password using a standard desktop computer processor. The weakness is centered on local password-protected iTunes backups. With iOS 10, it's possible for an attacker to brute-force the password for a user’s local backup 2,500 times faster than was possible on iOS 9, using a computer with an Intel Core i5 CPU. An obvious limitation of this attack, however, is that it can't be performed remotely.

7.      Critical DoS flaw found in OpenSSL: OpenSSL is widely used by websites and other secure services. Over a dozen vulnerabilities in its cryptographic code library, including a high-severity bug that can be exploited for denial-of-service (DoS) attacks, have been found. The vulnerabilities exist in OpenSSL versions 1.0.1, 1.0.2 and 1.1.0. The OpenSSL Foundation has patched all of them. If you are using these versions on your website, it is time to patch. In Issue 63, we discussed “High-severity OpenSSL vulnerability allows hackers to decrypt HTTPS traffic.”

8.      Probe of leaked U.S. NSA hacking tools examines operative's 'mistake': In Issue 78, we discussed the NSA's hacking group getting hacked. Last week, a U.S. investigation found that the NSA itself was not directly hacked; rather, a former NSA employee carelessly left those hacking tools on a remote server three years ago after an operation, and a group of hackers found them. The leaked tools, which enable hackers to exploit vulnerabilities in systems from big vendors like Cisco Systems, Juniper, and Fortinet, were dumped publicly online. The vendors confirmed the authenticity of these exploits and patched the vulnerabilities.

9.      RBI says banks must report all cyber-attacks: The Reserve Bank of India has issued an ultimatum to Indian banks on cybercrimes, asking them to immediately report any breach of security so that the overall network is not compromised. The tough stance follows the reluctance of some banks to report such frauds in order to avoid negative publicity. The banking regulator has set a deadline of March 31, 2017, for banks to put in place a mechanism to report cyber-attacks immediately.

10.   Hackers publish apparent scan of Michelle Obama's passport: The White House says it is investigating a "cyber breach" after what appeared to be a scan of Michelle Obama's passport was published online. The scan appeared to have been taken from a Gmail account belonging to a White House employee, a spokesman said. Other confidential information was published online, including travel details, names, social security numbers and birth dates of members of staff. The White House said it had not yet verified the documents. DCLeaks[.]com, a hacker group which last week published personal emails from an account belonging to former US Secretary of State Colin Powell, claimed responsibility for the hack.

Image courtesy: DCleaks[.]com


Sunday, September 18, 2016

Issue 82- Week of Sep 12th


1.      About 100 FreeCharge clients lose money after cyber-attack: FreeCharge is an e-wallet payment app based in India. Last week, nearly 100 FreeCharge customers across the country, in cities like Chennai, Mumbai, Hyderabad and Delhi, lost Rs.10,000 ($150) each after the e-wallet's system met with a phishing attack; the money was restored later. The attacks happened between June and August 2016. The hackers used the e-wallet for online shopping and transferred the money to various bank accounts.

2.      Online Ad service ClixSense hacked; 6M plain-text passwords leaked: ClixSense, a website that claims to pay users for viewing advertisements and completing online surveys, is the latest victim to join the list of "Mega-Breaches" revealed in recent months, including LinkedIn, MySpace, VK.com, Tumblr, and Dropbox. In addition to 6.6M passwords and email addresses, the dumped database includes first and last names, dates of birth, sex, home addresses, IP addresses, payment histories, and other banking details of millions of users. ClixSense admitted the data breach and said unknown hackers were able to access its main database through an old server which the firm was no longer using but which, at the time, was still networked to its main database server.

3.      Olympic Athletes' medical data compromised by Russian Hackers: Last week, the World Anti-Doping Agency (WADA) revealed that its Anti-Doping Administration and Management System database was recently hacked, allegedly by the Russian hacker group Fancy Bear. Confidential data of athletes was stolen and some of it released publicly. The International Olympic Committee called the leaks an "outrageous" breach of confidentiality and has offered to assist WADA in communicating with Russian authorities over the matter. In total, 40 athletes have now had their TUE history disclosed. A TUE (Therapeutic Use Exemption) is a certificate which allows an athlete to take an otherwise banned substance.

4.      Mystery surrounds possible BlueSnap data breach: Around 324,000 users have likely had their payment records stolen either from the payment gateway BlueSnap or from its customer Regpack; however, neither company has admitted a data breach. Whoever is responsible for this breach is also in line for a serious fine, because they also stored CVV numbers, an action prohibited by financial authorities and credit card companies.
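As an added example (not code from the original post or from either company), the following Python shows the data-handling rule this item turns on: the CVV is never written to storage, the full card number is replaced by a token plus its last four digits, and an audit check flags any record that still carries a verification code or an unmasked, Luhn-valid card number before it is persisted. The checkout payload, the vault key and the HMAC-based tokenization are constructed stand-ins for illustration; a real deployment would use a PCI-certified tokenization vault.

```python
import base64
import hashlib
import hmac
import re
from typing import Dict, List

# Field names that must never be written to storage after authorization
# (card verification codes, full track data, PIN data). Constructed list for
# this example; the underlying rule is the card-brand one the item refers to.
FORBIDDEN_AFTER_AUTH = {"cvv", "cvv2", "cvc", "cid", "track1", "track2", "pin"}

# 13 to 19 digits, optionally separated by spaces or dashes, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed stand-in for a vault key; a real deployment keeps this in an HSM or vault.
VAULT_KEY = b"constructed-demo-key-not-for-production"

# Constructed checkout payload as received from the client (a well-known test PAN).
RAW_CHECKOUT: Dict[str, str] = {
    "order_id": "ord-1001",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cvv": "123",
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tokenize_pan(pan: str, vault_key: bytes) -> str:
    """Stand-in for a tokenization service: a keyed HMAC gives a stable token per
    card that cannot be turned back into the PAN without the key (assumption:
    production systems use a PCI-certified vault rather than this)."""
    mac = hmac.new(vault_key, pan.encode("ascii"), hashlib.sha256).digest()
    return "tok_" + base64.urlsafe_b64encode(mac).decode("ascii")[:24]


def to_storable_record(checkout: Dict[str, str], vault_key: bytes) -> Dict[str, str]:
    """Keep only what post-authorization processing needs: a token, last four, expiry.
    The CVV is dropped and the full PAN never reaches storage."""
    pan = re.sub(r"[ -]", "", checkout["pan"])
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
        raise ValueError("invalid card number")
    return {
        "order_id": checkout["order_id"],
        "card_token": tokenize_pan(pan, vault_key),
        "last4": pan[-4:],
        "expiry": checkout["expiry"],
    }


def audit_stored_record(record: Dict[str, str]) -> List[str]:
    """Detection gate before persistence: report forbidden fields and any
    unmasked, Luhn-valid card number hiding in a value."""
    findings: List[str] = []
    for key, value in record.items():
        if key.lower() in FORBIDDEN_AFTER_AUTH:
            findings.append(f"forbidden field stored: {key}")
        for match in PAN_RE.finditer(str(value)):
            if luhn_valid(re.sub(r"[ -]", "", match.group(0))):
                findings.append(f"unmasked PAN-like value in field: {key}")
                break
    return findings


if __name__ == "__main__":
    print("raw checkout:", audit_stored_record(RAW_CHECKOUT))
    safe = to_storable_record(RAW_CHECKOUT, VAULT_KEY)
    print("storable:", safe, audit_stored_record(safe))
```

The audit runs on whatever is about to be written, not on the original request, so it also catches a CVV or PAN that drifted into a free-text field; wiring it in as a pre-write check in the persistence layer is what turns the policy into something enforceable.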

5.      British Hacktivist 'Lauri Love' to be extradited to USA: British citizen and alleged hacker Lauri Love will be extradited to the United States to face allegations of hacking into US government computer systems, including those of the FBI, NASA and the US Army. Love was involved in an online protest linked to the untimely death of another activist, who committed suicide in 2013 while under federal charges for data theft. He has few legal options left before he can be extradited, but if it happens, he will face 99 years in prison.

6.      Xiaomi can silently install any App on Android Phone using a backdoor: Xiaomi has in the past been criticized for spreading malware, shipping handsets with pre-loaded spyware/adware and secretly stealing users' data. Now, a researcher has found that the smartphone runs a pre-installed app called AnalyticsCore.apk, which runs 24x7 in the background and reappears even if it is deleted. The app sends phone data, including the IMEI number, to the company's server every 24 hours to check for updates, which are then installed silently and automatically. The worry is that the handset maker can remotely and silently install any application on the device just by renaming it to "Analytics.apk" and hosting it on the server. Hackers could also exploit this backdoor.

7.      Using the 'Signal' app? Install the patch: Two researchers have discovered a couple of vulnerabilities in Signal, the popular end-to-end encrypted messaging app. One of those vulnerabilities could allow attackers to add random data to the attachments of encrypted messages sent by Android users, while another bug could allow hackers to remotely crash vulnerable devices. The vulnerabilities have just been patched and the updated version is available on GitHub but not yet on Google Play.

8.      Google’s Project Zero is offering up to $200,000 to find vulnerabilities in Android: Google’s security analyst team, Project Zero (which works on finding vulnerabilities in the Android system), has announced the launch of a hacking contest to discover flaws in the mobile ecosystem. The goal is to find a bug chain that can give remote access to multiple Android devices by knowing only their email addresses or phone numbers. The first prize in the competition is $200,000; the second prize is $100,000 and the third prize is $50,000. There will be additional awards for winning entries that find flaws in Google’s operating system.

9.      Instead of spending $1.3 million, FBI could have hacked iPhone for just $100: The infamous encryption fight of Apple v/s FBI, where Apple paid $1.3M to hack the phone and got nothing useful out of it, could have been done for just $100. A researcher has shown a technique called NAND mirroring, in which he physically removes the NAND memory chip from the iPhone, copies the data and brute-forces the passcode. A 4-digit passcode takes a few hours, while a 6-digit passcode takes a few weeks. The big problem the FBI faced with the iPhone was that the 11th attempt to open the phone with a wrong passcode would have deleted all its contents, hence they had to hack the phone.


10.   FBI Director says you should cover your Webcam with tape: In Issue 70, we saw a photo that revealed that even Zuckerberg tapes his webcam and microphone for privacy. Last week, the FBI director confirmed at a conference that he too tapes his webcam. He said that just as we lock our cars and lock our doors at night, we should also tape the camera on our laptops for privacy. In reality, taping the camera solves only a small issue; the bigger issue is IoT devices like security cameras. Due to their insecure implementation, hackers routinely hijack security cameras and use them as weapons in cyber-attacks.


Sunday, September 11, 2016

Issue 81- Week of Sep 5th


1.      Russia's largest portal hacked; nearly 100 million plaintext passwords leaked: Another data breach from 2012, and this time it's Russia's biggest internet portal and email provider, Rambler.ru. The portal suffered a massive data breach in 2012 in which an unknown hacker managed to steal nearly 100 million user accounts, including their unencrypted plaintext passwords. The leaked user records included usernames, email addresses, social account details and passwords. Rambler.ru is the latest victim to join the list of "Mega-Breaches" revealed in recent months, in which millions of online credentials from years-old data breaches on popular services, including LinkedIn, MySpace, VK.com, Tumblr, and Dropbox, were exposed online.

2.      MedSec sued over St. Jude pacemaker vulnerability report: Last issue, we discussed this case. Now, St. Jude Medical is taking allegations of serious security vulnerabilities in the firm's medical devices to heart with a lawsuit designed to "set the record straight." The medical device maker claimed last week that MedSec and Muddy Waters falsely issued warnings about insecure medical devices in order to intentionally drop the share value of St. Jude and profit from a short-selling scheme, in which investors sell stock in the belief that its value will soon drop, allowing them to buy it back at a lower price and make a profit.

3.      Just an Image can hack your Android phone — Patch now: Similar to last year's Stagefright bug, which allowed hackers to hijack Android devices with just a simple text message without the owners being aware of it, a bug has been discovered that Google has now patched. The bug allows attackers to deliver their exploit hidden inside an innocent-looking image via social media or chat apps. In fact, there is no need for a victim to click on the malicious photo: as soon as the image’s data is parsed by the phone, it quietly allows a remote attacker to take control of the device or simply crash it. Given the shaky history of handset manufacturers and carriers rolling out security patches, it is not known how long the companies will take to update vulnerable Android devices.

4.      FBI arrests two hackers who hacked US Spy Chief, FBI and CIA Director: US authorities have arrested two men on charges that they were part of the notorious hacking group "Crackas With Attitude." A 16-year-old British teenager suspected of being part of the group was arrested in February. These men had hacked into the intelligence chief's and the CIA director's email accounts and phone. They also leaked the personal details of 31,000 government agents: nearly 20,000 FBI agents, 9,000 Department of Homeland Security (DHS) officers and a number of DoJ staffers. The hacking group used social engineering to trick the victims into revealing their account numbers, passwords, and other details.

5.      US law enforcement throws online scam artists behind bars: US law enforcement has sentenced seven criminals who were part of an online fraud ring which duped victims out of their cash through romance, shopping and job-opportunity scams. Scams, phishing emails and job offers which land in our inboxes are now commonplace. While email providers usually do a good job of keeping these schemes in our spam folder, there are still many who fall for them. All seven criminals will spend five years behind bars.

6.      USB Kill to destroy any computer within seconds: A Hong Kong-based technology manufacturer is selling a USB thumb drive called USB Kill 2.0 that can fry any unauthorized computer it's plugged into by introducing a power surge via the USB port. It costs $49.95. The company claims to have developed the USB Kill 2.0 stick for the sole purpose of allowing companies to test their devices against USB power-surge attacks, but it looks like it can be misused for other purposes as well.

7.      New cross-platform Malware can hack Windows, Linux and OS X Computers: Cyber attackers have started creating cross-platform malware for wider exploitation. One such malware family, dubbed Mokes, has recently been discovered by researchers; it runs on all the key operating systems, including Windows, Linux, and Mac OS X. The malware can capture audio and video, log keystrokes and take screenshots every 30 seconds from a victim’s machine.

8.      Microsoft Windows' name resolution services abused to steal passwords: A security researcher has discovered a unique attack method that can be used to steal credentials from a locked (but logged-in) computer and works on both Windows and Mac OS X systems. He modified the firmware of a USB Ethernet dongle so that, when it is plugged in, the plug-and-play device installs itself and acts as the network gateway, DNS server, and Web Proxy Auto-Discovery Protocol (WPAD) server for the victim's machine. The computer automatically shares Windows credentials with the connected device, as that is the default behavior of Microsoft Windows' name resolution services, which can be abused to steal authentication credentials.

9.      Another hack developed for air-gapped computers: Researchers have discovered a way to extract sensitive information from air-gapped computers using a combination of malware and a USB device. The secure air-gapped computer first needs to be infected with the malware; after that, when 'any' USB device is plugged into that computer, the malware turns it into an RF transmitter. This is a software-only method for short-range data exfiltration using electromagnetic emissions from a USB device. Dubbed USBee, this method can transmit data at about 80 bytes per second, which is fast enough to steal a 4096-bit decryption key in less than 10 seconds.


10.   NCRB data: India’s cyber criminals are mostly business rivals: The National Crime Records Bureau’s 2015 data shows a wide range of profiles making up the cybercriminal, the most prolific among them being business rivals (20%), followed by 'neighbors, friends or relatives' (15%), hackers (13%) and students (10%). Overall, cybercrimes in 2015 witnessed an increase of 20.5 per cent over 2014. A total of 11,592 cases of cybercrime were registered across the country.

Sunday, September 4, 2016

Issue 80- Week of Aug 29th

1.      Dropbox hacked: Hackers have obtained credentials for more than 68 million accounts of the online cloud storage platform Dropbox from a known 2012 data breach. Last week, Dropbox sent out emails alerting its users that a large chunk of its users’ credentials obtained in the 2012 data breach may soon be seen on Dark Web marketplaces, prompting them to change their password if they hadn't changed it since mid-2012. Dropbox is the latest to join the list of "Mega-Breaches," which includes LinkedIn, MySpace, VK.com and Tumblr.

2.      Kimpton Hotels hit by Point-of-Sale breach: Kimpton Hotels & Restaurants is alerting payment card customers of a payment card breach at more than 60 of its hotels and restaurants that occurred between February 16 and July 7 of this year. The hotel chain said in a message on its website that it first got word of unauthorized charges on guests' payment cards in mid-July. An ensuing investigation uncovered malware on PoS servers at the front desks and restaurants of some of its hotels. "The malware searched for track data read from the magnetic stripe of a payment card and routed it through the affected server." Kimpton's PoS woes follow those of Eddie Bauer and HEI Hotels & Resorts, which operates Marriott, Hyatt, Sheraton and Westin hotels.

3.      Music website hacked: The UK-based music website Last.fm was hacked in March 2012, and three months after the breach the company admitted to the incident and issued a warning encouraging its users to change their passwords. Now, four years later, the stolen data has surfaced publicly. The leaked records include usernames, hashed passwords, email addresses, the date when a user signed up to the website, and ad-related data. Last.fm stored its users’ passwords using MD5 hashing, which was considered outdated even before 2012, and that too without any salt. (A salt is a random string added to each password before hashing; it makes the hashed passwords much harder for hackers to crack.)
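To make concrete why an unsalted, fast hash such as Last.fm's MD5 is a liability, and why the iteration count of a password-derivation function matters (the work factor that item 6 of Issue 83 describes Apple lowering for iOS 10 backups), here is an added Python example that is not code from the original post or from Last.fm: it stores the same constructed user records once with unsalted MD5 and once with salted, iterated PBKDF2-HMAC-SHA256, shows what an unsalted table gives away, and shows an on-login migration from the old scheme to the new one. The user names, passwords and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample accounts for illustration only (not real Last.fm records).
SAMPLE_USERS: Dict[str, str] = {
    "alice": "sunshine1",
    "bob": "sunshine1",        # same password as alice, deliberately
    "carol": "correct horse battery",
}

# Work factor of the slow KDF. Each login check costs this many HMAC rounds,
# and so does each attacker guess; cutting it is the kind of downgrade the
# iOS 10 backup item describes, where the same check became ~2,500x cheaper.
PBKDF2_ITERATIONS = 100_000


def md5_unsalted(password: str) -> str:
    """The Last.fm scheme: one fast MD5 digest, no salt, no work factor."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash stored as 'iterations$salt_hex$hash_hex'."""
    if salt is None:
        salt = os.urandom(16)  # a fresh random salt for every record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def legacy_store(users: Dict[str, str]) -> Dict[str, str]:
    return {u: md5_unsalted(p) for u, p in users.items()}


def salted_store(users: Dict[str, str]) -> Dict[str, str]:
    return {u: pbkdf2_record(p) for u, p in users.items()}


def distinct_hashes(store: Dict[str, str]) -> int:
    """Without salt, users who share a password share a hash, so a leaked
    table reveals password reuse and one cracked hash opens every such account."""
    return len(set(store.values()))


def login_and_migrate(store: Dict[str, str], user: str, password: str) -> bool:
    """Check a login; on success, replace a legacy MD5 entry with a PBKDF2 record.
    This is how a site can retire an unsalted store without a forced reset."""
    stored = store.get(user)
    if stored is None:
        return False
    if "$" in stored:                       # already migrated
        return pbkdf2_verify(password, stored)
    if hmac.compare_digest(stored, md5_unsalted(password)):
        store[user] = pbkdf2_record(password)
        return True
    return False


if __name__ == "__main__":
    old = legacy_store(SAMPLE_USERS)
    print("unsalted MD5 distinct hashes:", distinct_hashes(old), "of", len(old))
    login_and_migrate(old, "alice", "sunshine1")
    print("alice after migration:", old["alice"][:40], "...")
```

Two of the three unsalted entries are identical because alice and bob chose the same password, which is exactly what a leaked unsalted table exposes; the salted store gives three different records, and the iteration count is the dial that decides how expensive each guess against them is.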

4.      St. Jude says Muddy Waters, MedSec video shows security feature, not flaw: St. Jude Medical is a medical device company which makes pacemakers. MedSec is a cyber security firm that specializes in security flaws in medical devices. Muddy Waters Research is a due-diligence-based investment firm. After a year-long research effort by MedSec, it was found that St. Jude's products had severe issues. MedSec did not responsibly disclose its findings to St. Jude but instead joined hands with Muddy Waters to profit in the stock market from this information. St. Jude has refuted the allegations and has issued a statement saying the supposed “flaw” was actually a “security feature”: if attacked, the pacemakers place themselves into a 'safe' mode to ensure the device continues to work.

5.      Double Whammy - Ransomware steals data before Encrypting: Betabot is the first known weaponized password-stealing malware that also infects victims with ransomware in a second stage of attack. In many instances it is still able to evade detection. It uses the Neutrino exploit kit, which uses infected documents disguised as CVs to ask the victim to enable macros. If they do, the malware is able to steal login data and passwords from web browsers. The Trojan then downloads and installs the Cerber ransomware onto the victim's computer, demanding that the user pay up in order to regain access to their compromised machine.

6.      ‘Guccifer’ gets 52-month Jail term: Romanian hacker “Guccifer,” who pleaded guilty in May this year to hacking and identity theft involving around 100 high-profile Americans, has been sentenced to 52 months in prison by a US court. Guccifer hacked the email and social media accounts of his victims between October 2012 and January 2014 and made public confidential emails, photographs and private medical and financial data. Not to be confused with Guccifer 2.0, the hacker behind the DNC hack.

7.      Suspect arrested for 2011 Linux Kernel Organization breach: In September 2011, kernel.org, the site that hosts the core development infrastructure behind the Linux kernel, was breached. For the last five years, not many details about the attack were revealed and the attacker remained at large, that is, until he was picked up during a traffic stop in Miami last week. The hacker had managed to steal the login credentials of one of the Linux Kernel Organization's system administrators in 2011 and used them to install a hard-to-detect malware backdoor, dubbed Phalanx, on servers belonging to the organization. Using this backdoor, he installed malware on various Linux installations. He faces a possible sentence of 40 years in prison as well as $2 million in fines. Threat protection for Linux can help in such situations.

8.      California may soon treat Ransomware as extortion: Ransomware may soon be regarded as a form of extortion in California once legislation is approved by the governor. The bill, if passed, could land culprits in jail for two to four years. The move has received widespread support from different quarters that want ransomware attacks to be treated as a felony. The state’s law enforcement agencies and the tech sector all support the legislation.

9.      SWIFT reveals new hacking attempts on member Banks: SWIFT has revealed new hacking attempts on several member banks following its June disclosure of the $81-million Bangladesh Bank heist and is pushing members to comply with new safety features. "The threat is persistent, adaptive and sophisticated - and it is here to stay," SWIFT told the banks. SWIFT members have been warned that failure to meet a November 19 deadline for installing the latest security software would be reported to banking regulatory bodies and partners.


10.   India registers 350 percent rise in cybercrime in last three years: According to a study, India has seen a surge of approximately 350% in cybercrime cases registered under the Information Technology (IT) Act from 2011 to 2014. The Indian Computer Emergency Response Team (CERT-In) has also reported a surge in the number of incidents handled by it, with close to 50,000 security incidents in 2015. Bangalore leads in the number of cybercrime cases: the city recorded 1,041 cybercrime cases in 2015, the highest among the country's 53 mega cities and a 42% increase over the 2014 figures. State-wise data shows the worst states to be Maharashtra (2,195 cases) and Uttar Pradesh (2,208). Most cases relate to credit card fraud, email hacking and online cheating, including fake lottery scams. Use of technology and building awareness can reduce cybercrime.
Image source: Times of India