Sunday, September 11, 2016

Issue 81 - Week of Sep 5th


1.      Russia's largest portal hacked; nearly 100 million plaintext passwords leaked: Another data breach from 2012, and this time it's Russia's biggest internet portal and email provider, Rambler.ru. The portal suffered a massive data breach in 2012 in which an unknown hacker managed to steal nearly 100 million user accounts, including their unencrypted plaintext passwords. The leaked user records in the database included usernames, email addresses, social account details and passwords. Rambler.ru is the latest victim to join the list of "Mega-Breaches" revealed in recent months, in which millions of online credentials from years-old data breaches on popular services, including LinkedIn, MySpace, VK.com, Tumblr, and Dropbox, were exposed online.

2.      MedSec sued over St. Jude pacemaker vulnerability report: We discussed this case in the last issue. Now, St. Jude Medical is taking allegations of serious security vulnerabilities in the firm's medical devices to heart with a lawsuit designed to "set the record straight." The medical device maker claimed last week that MedSec and Muddy Waters falsely issued warnings about insecure medical devices in order to intentionally drop the share value of St. Jude and profit from a short-selling scheme, in which investors sell stock in the belief that its value will soon drop -- allowing them to buy it back at a lower price and make a profit.

3.      Just an image can hack your Android phone — Patch now: Similar to last year's Stagefright bug, which allowed hackers to hijack Android devices with just a simple text message without the owners being aware of it, a bug has been discovered that Google has now patched. The bug allows attackers to deliver their hack hidden inside an innocent-looking image via social media or chat apps. In fact, there is no need for a victim to click on the malicious photo, because as soon as the image's data was parsed by the phone, it would quietly allow a remote attacker to take control of the device or simply crash it. Given the shaky history of handset manufacturers and carriers in rolling out security patches, it is not known how long the companies will take to update vulnerable Android devices.

4.      FBI arrests two hackers who hacked US Spy Chief, FBI and CIA Director: US authorities have arrested two men on charges that they were part of the notorious hacking group "Crackas With Attitude." A 16-year-old British teenager suspected of being part of the group was arrested in February. These men had hacked into the intelligence chief's and the CIA director's email accounts and phone. They also leaked the personal details of 31,000 government agents, including nearly 20,000 FBI agents, 9,000 Department of Homeland Security (DHS) officers and some number of DoJ staffers. The hacking group used social engineering to trick the victims into revealing their account numbers, passwords, and other details.

5.      US law enforcement throws online scam artists behind bars: US law enforcement has sentenced seven criminals who were part of an online fraud ring that duped victims out of their cash through romance, shopping and job opportunity scams. Scams, phishing emails and job opportunities that land in our inboxes are now commonplace. While email providers usually do a good job of keeping these schemes in our spam folders, there are still many who fall for them. All seven criminals will spend five years behind bars.

6.      USB Kill to destroy any computer within seconds: A Hong Kong-based technology manufacturer is selling a USB thumb drive called USB Kill 2.0 that can fry any unauthorized computer it's plugged into by introducing a power surge via the USB port. It costs $49.95. The company claims to have developed the USB Kill 2.0 stick for the sole purpose of allowing companies to test their devices against USB power surge attacks, but it looks like it can be misused for other purposes as well.

7.      New cross-platform malware can hack Windows, Linux and OS X computers: Cyber attackers have started creating cross-platform malware for wider exploitation. One such malware family, dubbed Mokes, has recently been discovered by researchers. It runs on all the key operating systems, including Windows, Linux, and Mac OS X. The malware can capture audio and video, obtain keystrokes, and take screenshots every 30 seconds from a victim's machine.

8.      Microsoft Windows' name resolution services abused to steal passwords: A security researcher has discovered a unique attack method that can be used to steal credentials from a locked (but logged-in) computer and that works on both Windows and Mac OS X systems. He modified the firmware code of a USB dongle in such a way that when it is plugged into an Ethernet adapter, the plug-and-play USB device installs itself and acts as the network gateway, DNS server, and Web Proxy Auto-discovery Protocol (WPAD) server for the victim's machine. The computer automatically shares Windows credentials with the connected device, as this is the default behavior of Microsoft Windows' name resolution services, which can be abused to steal authentication credentials.

9.      Another hack developed for air-gapped computers: Researchers have discovered a way to extract sensitive information from air-gapped computers using a combination of malware and a USB device. The secure air-gapped computer first needs to be infected with malware, after which, when 'any' USB device is plugged into that computer, the malware turns the USB device into an RF transmitter. This is a software-only method for short-range data exfiltration using electromagnetic emissions from a USB device. Dubbed USBee, this method can transmit data at about 80 bytes per second, which is fast enough to steal a 4096-bit decryption key in less than 10 seconds.


10.   NCRB data: India's cyber criminals are mostly business rivals: The National Crime Records Bureau's 2015 data shows a wide range of cybercriminal profiles, the most prolific among them being business rivals (20%), followed by 'neighbors, friends or relatives' (15%), hackers (13%) and students (10%). Overall, cybercrimes in 2015 witnessed an increase of 20.5 per cent since 2014. A total of 11,592 cases of cybercrime were registered across the country.
