1. Indian-origin teenage hacker arrested for disrupting 911 service with DDoS attack:
An 18-year-old Indian-origin teen discovered an iOS vulnerability that could be
exploited to manipulate devices, including triggering pop-ups, opening email, and
abusing phone features. He posted links to his exploits on his Twitter account,
which has a follower base of 12000 people. All those who clicked on that link had
their iPhones hacked and ended up automatically calling 911 non-stop. This resulted
in the disruption of 911 service in the state of Arizona. Authorities swung into
action, traced the issue to the teen and arrested him.
2. Hacker gets 18 months in prison for hacking celebrity nude photos: The hacker
who stole nude photographs of female celebrities two years ago in a massive data
breach, famous as "The Fappening" or "Celebgate" scandal, has finally been
sentenced to 18 months in federal prison. The hacker ran a phishing scheme between
November 2012 and September 2014 and hijacked more than 100 identities using fake
emails disguised as official notifications from Google and Apple, asking victims
for their account credentials. Many of the compromised accounts belonged to famous
female celebrities, including Jennifer Lawrence and Kim Kardashian.
3. LinkedIn hacker also charged with Dropbox hacking: In the last issue we
discussed the arrest of the LinkedIn hacker from Prague. Now, US authorities have
officially indicted the 29-year-old Russian national for hacking not just
LinkedIn, but also the online cloud storage platform Dropbox. The hacker remains
in custody in Prague, Czech Republic. The FBI is waiting for a Czech court to
decide on his extradition to the United States.
4. Chinese IoT cameras used in Dyn DDoS attack: In Issue 87 we discussed the DDoS
attack on DNS provider Dyn by an army of hacked IoT devices. A Chinese IoT firm
admitted its products inadvertently played a role in the massive cyber-attack
against DynDNS. More such attacks are expected to happen and will not stop until
IoT manufacturers take the security of these Internet-connected devices
seriously. The company has rolled out patches and has advised its customers to
update their product's firmware and change their default credentials. The company
also said it will recall up to 10,000 webcams.
5. Mirai botnet that attacked Dyn is itself flawed: A botnet called Mirai was used
in the Dyn DDoS attack. The author of the botnet released the source code, and a
researcher found that the botnet itself contains several vulnerabilities that
might be used against it in order to destroy the botnet's DDoS capabilities and
mitigate future attacks. The researcher has now released his exploit. The DDoS
attack that hit French Internet service and hosting provider OVH with 1 Tbps of
junk traffic, which is the largest DDoS attack known to date, also came from Mirai
bots.
6. Chinese hackers won $215k for hacking iPhone and Google Nexus at Mobile
Pwn2Own: For hacking Apple's iPhone 6S (with the latest iOS 10), the hackers
exploited two iOS vulnerabilities (a use-after-free bug in the renderer and a
memory corruption flaw in the sandbox) and stole pictures from the device, for
which the team was awarded $52.5k. They won another $60k for installing an app on
the iPhone, though it did not survive a reboot. For hacking the Nexus 6P, the
hackers used a combination of two vulnerabilities and other weaknesses in Android
and managed to install a rogue application on the Google Nexus 6P phone without
user interaction. They were awarded a whopping $102,500 for the Nexus 6P hack.
7. AtomBombing is a design flaw in Windows that cannot be patched: Security
researchers have discovered a new technique that could allow attackers to inject
malicious code on every version of Microsoft's Windows operating system, even
Windows 10, in a manner that no existing anti-malware tools can detect. Dubbed
"AtomBombing," the technique does not exploit any vulnerability but abuses a
design weakness in Windows. The AtomBombing attack abuses the system-level Atom
Tables, a feature of Windows that allows applications to store information on
strings, objects, and other types of data to access on a regular basis. This
issue cannot be patched as it is a design issue.
8. You can hijack nearly any drone mid-flight using this tiny gadget: A security
researcher has devised a small piece of hardware, dubbed Icarus, that can hijack a
variety of popular drones mid-flight, allowing attackers to lock the owner out and
giving them complete control over the device. Besides drones, the new gadget has
the capability of fully hijacking a wide variety of radio-controlled devices,
including helicopters, cars, boats and other remote-control gear that runs over
the most popular wireless transmission control protocol, called DSMx. The
loophole relies on the fact that the DSMx protocol does not encrypt the 'secret'
key that pairs a controller and flying device.
9. Now – iPhone can also be hacked with an image: Attackers can take over a
vulnerable Apple iOS device remotely. All they have to do is trick the user into
viewing a maliciously crafted JPEG graphic or PDF file, which could allow them to
execute malicious code on the mobile. That's a terrible flaw (CVE-2016-4673), but
the good news is that Apple has released the latest version of its mobile
operating system, iOS 10.1, for iPhones and iPads to address this remote-code
execution flaw, alongside an array of bug fixes. Users running older versions of
iOS are advised to update their mobile devices to iOS 10.1 as soon as possible.
Last year, the Stagefright bug in Android allowed a hack via just a text message,
while in Issue 81 we saw how an image can be used to hack unpatched Android
devices.
10. Big spike in cybercrimes in India: The latest statistics released by the
National Crime Records Bureau (NCRB) reflect a massive spike in cybercrimes in
India. In Issue 77 we saw "Pune based Indian Manufacturing Co. losing $175k".
Last week it was a few Hyderabad-based pharma companies that fell victim to a
typo-squatting attack when they received fake details of a change in bank in an
email, from what appeared to be their suppliers. They ended up sending huge sums
of money to scamsters instead of their suppliers. There are also cases where
hackers hacked the email servers and sent emails to the company's customers
informing them about a fake change in bank details to swindle money. These kinds
of hacks are also called BEC - Business Email Compromise.