Sunday, November 27, 2016

Issue 92- Week of Nov 21st


1.      Madison Square Garden admits hackers spent a year harvesting visitor credit-card data: Card-issuing banks noticed suspicious patterns and notified MSG. After an investigation, MSG revealed that for a year malware had been capturing payment-card data from a system that processes payments for several of its properties. MSG warned customers that the breach had exposed data held on the magnetic stripe of credit cards, including card numbers, cardholder names, expiration dates and internal verification codes. The exact number of victims is not known, though millions of people visit MSG every year.

2.      Hackers attack Canada Army site, redirect visitors to China: Canada's Defense Ministry has confirmed that hackers recently attacked its armed forces recruitment website and changed its configuration to redirect visitors to the Chinese government's official page instead, says a Reuters report. Canadian authorities have in the past complained that the country's official networks are frequently targeted by hackers, and in 2014 an official complaint was lodged with Beijing about Chinese hackers compromising a key network system.

3.      FBI hacked into 8,000 computers in 120 countries using a single warrant: While investigating a child pornography website, the FBI planted malware on the site to gather details of all its visitors. The FBI admitted in a court filing that it used a single warrant to hack 8,000 computers in 120 countries.

4.      Hackers are targeting ATMs and stealing wads of cash: In Issue 79 we discussed 'ATMs in Thailand hacked; 12 Million Baht stolen'. Now, according to a Russian cyber security firm, cyber crooks have remotely infected ATMs with malware in more than a dozen countries across Europe this year, forcing the machines to spit out cash. The world's two largest ATM manufacturers, Diebold Nixdorf and NCR Corp., said they were aware of the ATM attacks and had already been working with their customers to mitigate the threat.

5.      TeleCrypt ransomware cracked, free decryptor released: TeleCrypt is a fairly typical ransomware. For Russian victims the blackmail message is in Russian, and the attackers demand a ransom of 5,000 rubles ($77). Its unusual feature is that it abuses Telegram Messenger's communication protocol to send decryption keys and other communications. If the victim has an unencrypted copy of an encrypted file, researchers can use it as a sample to recover the decryption key and thus easily crack this ransomware.

6.      Locky ransomware spreading on Facebook Messenger via JPG file: Early last week it was reported that malware in the form of .SVG image files was being spread using Facebook Messenger, with compromised Facebook accounts used extensively to distribute it. Later in the week, experts discovered how the cyber criminals hide malware in image files and execute the malicious code within those images to infect social media users with Locky variants. We discussed Locky back in Issue 52; it has since become the biggest and most common ransomware.

7.      Stampado ransomware gets worm-like techniques to spread across the network: Stampado ransomware is available for sale on the dark web for $39; the seller describes it as an easy-to-manage ransomware with a lifetime license. It can also spread across the network like a worm and re-encrypt already-encrypted files. It installs itself in the %AppData% folder under the name scvhost.exe, a slight variation on the genuine Windows process name svchost.exe, and creates a registry entry to load automatically. Researchers advise victims not to pay the ransom, stating that it is possible to decrypt files encrypted by Stampado on their own.

8.      Headphones can be used to spy, even with the microphone disabled: In Issue 70 we saw the picture of Mark Zuckerberg with his laptop's webcam and microphone taped over for privacy. Researchers have now shown that even if one tapes over the camera and microphone, it is possible to turn headphones into a microphone by switching the laptop's audio output channel to accept an input signal, and thereby spy on all conversations in the background without the user's knowledge. The malware is dubbed 'Speake(a)r'.

9.      NTP DoS exploit released: A proof-of-concept (PoC) exploit for a critical vulnerability in the Network Time Protocol daemon (ntpd) has been publicly released; it could allow anyone to crash a server with a single maliciously crafted packet. The vulnerability has been patched by the Network Time Foundation with the release of NTP 4.2.8p9, which includes a total of 40 security patches, bug fixes and improvements.

PM Modi urges India to go Cashless / Less-Cash: Since the demonetization process started 3 weeks ago, there has been a great push towards a cashless society. While this is a welcome move, the experts urge caution. They say that cyber security is a clear and present danger and is here to stay. Major concerns include card cloning, malware infections, and card theft and misuse. Building awareness can help keep the crime in check. If these security issues result in declined or failed transactions, people will revert to the older ways of handling cash, slowing down the move to a cashless society.


Sunday, November 20, 2016

Issue 91- Week of Nov 14th


1.      Mobile company in UK hacked: One of the UK's biggest mobile operators, 'Three', has been hacked, exposing a massive data set containing personal information and contact details of 6 million of its customers. The company admitted the data breach last week, saying that hackers gained access to a phone upgrade database, reportedly using an employee login. Three people have been arrested. In 2015 another British carrier, TalkTalk, was hacked and suffered a loss of 60M pounds.

2.      Hacker group breaches Mega.nz servers: MEGA is a New Zealand-based website that offers cloud storage and file hosting services. A hacking group has breached the site and dumped the stolen data online. In a statement released following the dump, Mega's Chairman confirmed the incident but said no user data was compromised. The hackers stole the credentials of one of Mega's contractors and used them to gain access to the servers. The dump includes admin logins of several employees, Mega's CMS and some emails. The hackers also claimed to have stolen the source code of various Mega apps and have put it up for auction.

3.      Some Android phones secretly sent user data to China: Shanghai Adups Technology, a China-based company, developed backdoored firmware that is installed on thousands of Android-based devices. The backdoor sends all text messages, call logs, contact lists, location history and app data to China every 72 hours. It also has the capability to remotely install and update applications on a smartphone. Google issued a statement saying that it is working with all affected parties to patch the issue, though the tech giant said it does not know how widely Adups distributed its software.

4.      Three million Android smartphones infected with dangerous rootkit: Nearly 3 million Android devices worldwide are vulnerable to man-in-the-middle (MITM) attacks that could allow attackers to remotely execute arbitrary code with root privileges, turning over full control of the devices to hackers. According to a report, the issue is due to an insecure implementation of the OTA (Over-the-Air) update mechanism used by certain low-cost Android devices. The vulnerable component is associated with Chinese mobile firm Ragentek Group; it runs with root privileges and communicates over unencrypted channels, allowing a remote attacker to extract personal information from an affected device, remotely wipe the whole device, and even gain access to other systems on a corporate network and steal sensitive data.

5.      BlackNurse attack: BlackNurse is the name of a recently discovered network attack that can crash firewalls and routers via ICMP packets, known to most of us as "pings". In this attack, ICMP Type 3 packets with Code 3 are sent to cause a Denial of Service (DoS) by overloading the CPUs of certain types of firewalls. The vulnerable firewalls include some Cisco ASA models and certain SonicWall, Palo Alto and Zyxel firewalls. The BlackNurse traffic volume is very small, 40,000 to 50,000 packets per second, which is tiny compared to the recent 1.1 Tbps DDoS attack on French ISP OVH. The good news is that there are several ways to defend against it, and some of the vendors have already issued advisories.
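Because BlackNurse is a low-volume attack, a byte-count threshold will not catch it; what stands out is the rate of one specific ICMP type/code pair toward one destination. The detector below is an added example (not from the newsletter or any vendor advisory) that counts ICMP Type 3 / Code 3 packets per destination per second over a constructed, simplified packet log; the log format and the alert threshold are assumptions to tune against your own baseline.

```python
"""Rate-based detector for BlackNurse-style ICMP Type 3 / Code 3 floods.

Added example. The log format ('ts proto src dst type code') is a
constructed stand-in for whatever your sensor exports; the threshold
is an assumption, not a vendor-published figure.
"""
from collections import defaultdict

ICMP_DEST_UNREACH = 3   # ICMP Type 3: Destination Unreachable
ICMP_PORT_UNREACH = 3   # Code 3: Port Unreachable

# Assumed alert threshold in packets/second per destination. The article
# cites 40-50k pps for the attack, so anything in the thousands is already
# far above what a healthy network produces.
PPS_THRESHOLD = 1000


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, proto, src, dst, itype, code = line.split()
    return {"ts": float(ts), "proto": proto, "src": src, "dst": dst,
            "type": int(itype), "code": int(code)}


def detect_blacknurse(lines, pps_threshold=PPS_THRESHOLD):
    """Return {(dst, second): count} for every one-second bucket whose
    Type 3 / Code 3 count reaches the threshold.

    Only Type 3 / Code 3 is counted; echo requests and other ICMP are
    ignored so ordinary ping traffic never trips the alarm.
    """
    buckets = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        pkt = parse_line(line)
        if pkt["proto"] != "icmp":
            continue
        if pkt["type"] == ICMP_DEST_UNREACH and pkt["code"] == ICMP_PORT_UNREACH:
            buckets[(pkt["dst"], int(pkt["ts"]))] += 1
    return {k: v for k, v in buckets.items() if v >= pps_threshold}


def build_sample():
    """Constructed sample: 1200 port-unreachable packets within one second
    toward a firewall's outside address, plus benign ICMP that must not
    be flagged (an echo request and a single stray Code 3)."""
    lines = [f"{100 + i / 1200:.4f} icmp 198.51.100.7 203.0.113.1 3 3"
             for i in range(1200)]
    lines.append("100.5000 icmp 192.0.2.9 203.0.113.1 8 0")   # echo request
    lines.append("101.2000 icmp 192.0.2.9 203.0.113.1 3 3")   # one, benign
    return lines


if __name__ == "__main__":
    for (dst, second), pps in detect_blacknurse(build_sample()).items():
        print(f"ALERT dst={dst} second={second} type3/code3 pps={pps}")
```

The matching mitigation is the one the advisories describe in general terms: rate-limit or drop inbound ICMP Type 3 / Code 3 at the edge rather than relying on volume-based DDoS thresholds.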

6.      iPhone lock screen hack puts contacts, messages and pics at risk: A new exploit video posted on the Internet shows that hackers can bypass the passcode to access the Contacts, Pictures and Messages of a locked phone. All they need is physical access to the phone. The vulnerability exists across all current versions of Apple's software. The company is likely to patch it in its next release. As the exploit leverages Siri, one can turn off Siri until the patch is available.

7.      $5 'PoisonTap' hacks locked computers: A developer has created a $5 device that can hack into an unattended computer even when the screen is locked. The tool, called PoisonTap, can break into a password-protected computer if the user has left a web browser running in the background; the attacker can then remotely use the victim's web accounts undetected. Samy Kamkar, who built the device on a Raspberry Pi microcomputer, has made a YouTube video showing what happens when it breaks into a computer. As physical access to a machine is required, the best defense is to avoid leaving laptops and computers unattended.

8.      Gone in 70 seconds: holding the Enter key can smash through defenses: If a hacker enters a blank password 93 times, or simply holds down the 'Enter' key for roughly 70 seconds, he will gain access to a root initramfs (initial RAM file system) shell. The simple exploit, which requires physical access to the system, exists due to a bug in the Linux Unified Key Setup (LUKS) used in popular variants of Linux. Exploiting the flaw remotely is also possible. With access to an 'initramfs' shell, an attacker could then attempt to decrypt the encrypted filesystem by brute force. Fortunately, the vulnerability is easy to fix: all one needs to do is add a command that stops the boot sequence after a set number of password attempts.

9.      Password-typing fingers can leak passwords: Researchers have found a technique, dubbed 'WindTalker', that exploits a feature called CSI (Channel State Information) in the WiFi protocol. CSI carries general information about the status of the signal. When a user is typing a password (or otherwise using the keyboard), his fingers interfere with the signal in a characteristic pattern, which causes the CSI to fluctuate. By analyzing the strong correlation between CSI fluctuations and keystrokes, it is possible to infer the user's keystrokes with 68% accuracy. Randomizing the keypad layout defeats this attack. In Issue 72 we discussed how "Hackers can steal your ATM PIN from your smartwatch or fitness tracker" using related tricks.

10.   Indian cybercrime victims refuse to learn from past experience: Consumers in India may be increasingly aware of the cyber threats they face, but their online behavior is often contradictory and puts them at risk of ransomware, malware and attacks from cyber criminals. It is also estimated that there are at least 15 ransomware attacks per hour in the country and that one in three Indians falls prey to them. In another report, based on figures from the Ministry of Finance, the top 51 banks in India lost ₹485Cr ($71M) between Apr'13 and Nov'16; 56% of the money lost was due to net-banking thefts and card cloning.

Sunday, November 13, 2016

Issue 90- Week of Nov 7th


1.      Tesco Bank hacked: Tesco Bank customers have had money stolen from their accounts after the banking arm of the UK's biggest retailer fell victim to a hacking attack last week. As a result of the hack, Tesco Bank froze online transactions for a few days, allowing only the use of credit/debit cards. Tesco Bank has confirmed that a total of £2.5 million was stolen from 9,000 of its customers in the cyber-attack; the entire amount has been refunded to the customers. Further details of the attack are yet to be disclosed, and as of now all account services have returned to normal.

2.      Websites of 7 Indian embassies hacked, database leaked: Indian embassy websites in seven different countries have been hacked, and the attackers have leaked personal data, including full name, residential address, email address, passport number and phone number, of Indian citizens living abroad. The incident is extremely worrying because it involves diplomatic personnel working in the embassies, who have always been a favorite target of state-sponsored hackers running cyber espionage campaigns. Security pen-testers have claimed responsibility for the hack, apparently to force administrators to take the cyber security of their websites seriously.

3.      5 major Russian banks hit with powerful DDoS attacks: Distributed Denial of Service (DDoS) attacks have risen enormously in the past few months, and mostly they come from hacked, insecure IoT devices. Recently, a similar DDoS attack against DNS provider Dyn brought down a large chunk of the Internet. Researchers said more than half of the IoT botnet devices used in this attack were located in the United States, India, Taiwan and Israel. In a similar but separate incident, a DDoS attack through hacked IoT devices disrupted the heating systems of at least two apartments in Finland, literally leaving their residents in sub-zero weather. It is advised to change the default settings and credentials of IoT devices and always keep the devices behind a firewall.

4.      Recruitment firm hacked: Michael Page, a global recruitment consultancy, has been hacked, and a wide range of personal information on 710,000 applicants has been stolen. The company has formally admitted the attack. The leaked information includes full names, email addresses, telephone numbers, locations, sectors, job types and current positions. The company claimed in its statement that, due to the nature of the data, there is limited risk of fraudulent activity, and confirmed that no other data was compromised.

5.      Gone in 60 seconds: Google phone hacked: At the 2016 PwnFest, the brand-new Android smartphone launched by Google just a few months ago was hacked by Chinese hackers in less than a minute. The team demonstrated a proof-of-concept exploit that used a zero-day vulnerability to achieve remote code execution (RCE) on the target smartphone. They won $120K for the effort, and Google will now work to patch the vulnerability.

6.      Hackers launch targeted cyberattacks hours after Trump's win: Merely a few hours after Donald Trump declared his stunning victory, a group of hackers widely believed to be Russian, and previously involved in the breach of the DNC (Democratic National Committee), launched a wave of attacks against dozens of people working at universities, think tanks, NGOs and even inside the US government. It is very common for hackers to use major world events to spread malware.

7.      Facebook buys leaked passwords from the black market: According to Facebook's Chief Security Officer, the company buys passwords that hackers are selling on the black market and cross-references them with the encrypted passwords used on its platform. Facebook then asks the affected users to reconsider their password and change it. While password reuse is a big cause of harm on the Internet, weak passwords like '12345' or 'password' add to the problem.

8.      Russian court bans LinkedIn in Russia; Facebook and Twitter could be next: Under a new Russian data protection law, foreign tech companies are required to store the personal data of Russian citizens within the country. As LinkedIn violated this law, it will be banned in Russia. Other, bigger companies, including WhatsApp, Facebook and Twitter, could be next on the list. Some companies, including Google, Apple and Viber, have reportedly moved some of their servers to Russia. LinkedIn, which has some 5 million users in Russia, is considering arrangements that would allow it to avoid the ban; it could also appeal the court's decision.

9.      SWIFT hack: Bangladesh Bank recovers $15 million from a Philippines casino: Part of the $81 million stolen in February from Bangladesh Bank's account at the New York Federal Reserve, in the wake of the major malware attack on the SWIFT interbank transfer network, has been tracked to a casino in the Philippines and recovered.

RIP: for a short while, Facebook killed us all: Last week, Facebook declared everyone dead, including the company's CEO Mark Zuckerberg, in a massive 'remembering' memorial-profile glitch. Facebook apologized in a statement and accepted that it was a terrible error. The bug was quickly fixed. The memorial idea had been suggested as part of a recent Facebook hackathon. Facebook did not comment further on what caused the glitch.

Sunday, November 6, 2016

Issue 89- Week of Oct 31st


1.      Medical procedures cancelled after network attack: Hundreds of planned operations, outpatient appointments and diagnostic procedures have been canceled at multiple hospitals in Lincolnshire, England, after a "major" computer virus compromised the National Health Service (NHS) network last week. Some patients, including major trauma patients and high-risk women in labor, were diverted to neighboring hospitals. Although the majority of systems are now back and working, the NHS Trust has not provided any specific information about the sort of virus or malware involved, or whether it managed to breach any defenses. In Issue 52 we discussed the ransomware attack in which a hospital paid hackers $17,000 in Bitcoins.

2.      Hack attacks cut internet access in Liberia: A small African country, Liberia, has been repeatedly cut off from the Internet by hackers targeting its only link to the global network. Experts said the same group that caused world-wide disruption recently is behind this attack. The Mirai botnet was used in the attack, and vulnerable IoT devices continue to be misused to launch massive DDoS attacks. Most IoT users are unaware that a simple step like changing the default password can go a long way toward making the world far more secure than it is now. Other steps are disabling Universal Plug and Play (UPnP) and remote management through Telnet.

3.      Hacker providing DDoS-for-hire service arrested: A 19-year-old student created a tool called 'Titanium Stresser' that offers DDoS as a service. The tool was used to launch hundreds of attacks between Dec'13 and Mar'15 and earned him $385K. The hacker was arrested in 2015 and will be sentenced in Dec'16.

4.      Microsoft fires back at Google for Windows 0-day disclosure: Microsoft says Google's disclosure last week of a zero-day security vulnerability in Windows, before a patch had been issued, put users "at increased risk." Google revealed the flaw under its policy of reporting bugs after 7 days if they haven't been fixed. The bug is a local privilege-escalation flaw in the Windows kernel that can be used to bypass a security sandbox. Some hacker groups have already been spotted exploiting it.

5.      Cisco job applicants warned of potential mobile site data leak: Users of Cisco's Professional Careers mobile site, mjobs.cisco.com, have been warned of a potential leak of their data, which the networking giant attributes to an incorrect security setting. Cisco said the impact was restricted to a "limited set of job application-related information"; however, the personal data that could have been exposed included name, address, race, gender, veteran status, disability status, username, password, answers to security questions, education, professional profile, cover letter and resume text.

6.      Tracking cell phones using Wi-Fi: A controversial cell phone spying tool, known as an 'IMSI catcher', is used to track and monitor mobile users by mimicking a cell tower and tricking their devices into connecting to it. Sometimes it even intercepts calls and Internet traffic, sends fake texts and installs spyware on a victim's phone. In a presentation at BlackHat Europe, researchers demonstrated a new type of IMSI catcher attack that operates over WiFi, allowing anyone to capture a smartphone's IMSI number within a second as the user passes by. The captured IMSI would then allow attackers to track the user's movements. Mobile manufacturers have begun working to ensure the future protection of the IMSI number.

7.      MalwareMustDie spots a new IoT Linux/IRCTelnet malware: Security researchers at MalwareMustDie have discovered a new malware family designed to turn insecure Linux-based Internet of Things (IoT) devices into a botnet for massive DDoS attacks. Dubbed 'Linux/IRCTelnet', the malware is written in C++ and, just like Mirai, relies on default hard-coded passwords to infect vulnerable Linux-based IoT devices. It works by brute-forcing a device's Telnet port to infect it; the infected device then connects to a malicious IRC channel and reads commands sent from a command-and-control server.

8.      XSS flaw places millions of websites at risk: An XSS vulnerability discovered on the Wix.com platform put millions of websites and their users at risk of attack. The website hosting provider, which offers free drag-and-drop website building tools, hosts millions of websites for 87 million registered users, all of which were exposed to an XSS bug that attackers could use to create worms capable of taking over administrator accounts and, in turn, gaining full control over the websites. A spokesperson for Wix has confirmed that the issue has now been addressed.

9.      OAuth 2.0 can be hacked to hijack mobile apps: OAuth 2.0 is an open standard for authorization that allows users to sign in to third-party services by verifying their existing identity with Google, Facebook or other accounts. So, when a user wants to log into a travel app, he can ask Facebook to authenticate him. Facebook sends an 'Access Token' to the user, which is forwarded to the travel app. Researchers have now found a loophole: an attacker can download the travel app, change the username to that of the person he wants to hack, request the token from Facebook and gain access to that user's data on the travel app. The researchers presented their paper at the BlackHat Europe conference last week.
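The loophole comes down to which party the app's backend trusts for the user's identity. The snippet below is an added example (not from the article or the researchers' paper) that models a mobile-app backend with a constructed stand-in for the identity provider: the vulnerable login trusts the username sent by the client and only checks that the token is valid, while the hardened login takes the identity from the token itself and also checks that the token was issued to this app. The token values, client id and the introspection helper are all assumptions.

```python
"""OAuth 2.0 identity binding: the flaw and the server-side fix.

Added example. The IdP (Facebook in the article) issues an access token
bound to one user. The app backend receives that token from the client
and must decide which account to log the client into. IDP_TOKENS and
idp_introspect() are a constructed stand-in for the provider's real
token-validation endpoint.
"""

# Constructed IdP state: token -> the identity the IdP actually issued it for
# ('sub') and the app it was issued to ('aud').
IDP_TOKENS = {
    "tok-alice-123":   {"sub": "alice",   "aud": "travel-app"},
    "tok-mallory-999": {"sub": "mallory", "aud": "travel-app"},
    "tok-other-app":   {"sub": "alice",   "aud": "some-other-app"},
}

APP_CLIENT_ID = "travel-app"   # assumed client id registered with the IdP


def idp_introspect(token):
    """Stand-in for the provider's token validation call.
    Returns the token's claims, or None if the token is unknown."""
    return IDP_TOKENS.get(token)


def login_vulnerable(username, token):
    """The pattern the researchers broke: the backend checks only that
    the token is *valid*, then binds the session to whatever username
    the client sent alongside it."""
    if idp_introspect(token) is None:
        return None
    return username            # identity chosen by the client, not the IdP


def login_hardened(username, token):
    """Identity comes from the token, never from the client.

    Two checks close the hole:
      1. the token must have been issued to *this* app (audience), so a
         token obtained for some other app cannot be replayed here;
      2. the identity the IdP bound to the token must match the account
         the client is asking for; otherwise the request is refused.
    """
    info = idp_introspect(token)
    if info is None or info["aud"] != APP_CLIENT_ID:
        return None
    if info["sub"] != username:
        return None            # client claimed somebody else's account
    return info["sub"]


if __name__ == "__main__":
    # A token the IdP issued for 'mallory', presented with username 'alice':
    print("vulnerable ->", login_vulnerable("alice", "tok-mallory-999"))
    print("hardened   ->", login_hardened("alice", "tok-mallory-999"))
```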


10.   Jharkhand emerges as hotbed of low-tech cyber-crime: Jamtara, a predominantly tribal district in Jharkhand, is one of the biggest centers of organized cyber-crime in India. As per estimates, close to 150 gangs are running cyber fraud as a cottage industry. There are training centers in Jamtara where, for as little as ₹7000 ($100) for a four-day course, would-be fraudsters are taught to make fake phone calls, mostly in the guise of a bank employee, seeking information like the CVV or ATM PIN for "urgent account verification". This is followed by a prompt illegal transfer of money. There are also cases of card cloning and ransomware.