Sunday, December 25, 2016

Issue 96- Week of Dec 19th - Merry Christmas


1.      Gigantic ad fraud: A group of Russian hackers is believed to have built a bot farm dubbed 'Methbot' that automatically generates video ad views, earning its operators an estimated $3 to $5 million per day. To make the traffic look real, the bots spoof clicks, social network login state and mouse movements. The operators run fake websites, hosted in Dallas and Amsterdam, that serve real ads; the bots generate the fake traffic and the ad networks pay out for it.

2.      Power outage in Ukraine, hackers suspected: Last weekend, Russian hackers are suspected of having taken down a power station in Ukraine, leaving part of its capital without electricity. The station was switched to manual operation and power was restored within 75 minutes. Over the last month, attackers have been attempting to disrupt the energy and financial infrastructure of Ukraine.

3.      Alice malware makes ATMs spit cash: Crooks with physical access to an ATM can load this malware, called 'Alice', via USB. They also connect a keyboard, authenticate to the malware with a PIN and then use it to empty the cash cassettes. Issue 79 covered the Thailand ATM hack and Issue 92 the European ATM hacks.

4.      After the Russian Ambassador's killing: After the Ambassador to Turkey was shot dead by an off-duty police officer, conflicting media reports have claimed that Apple has been approached by Turkey and Russia to unlock the officer's iPhone 4s; other reports say Apple has not been approached. The FBI had approached Apple after the San Bernardino attack, resulting in the well-known Apple vs. FBI case.

5.      Android malware found in Ukraine links Russia to DNC hacks: A Ukrainian artillery officer developed an app that sped up the processing of targeting data for D-30 howitzers. A Russian hacker group known as Fancy Bear managed to insert its malware into a version of this app, compromising the location of the officers and their howitzers. The same group was held responsible for the DNC hack in the US earlier this year.

6.      Free ransomware alert tool: A free tool called 'RansomFree' has been released that alerts the user to take action just as ransomware starts to encrypt files. The tool currently works on Windows. A similar tool for Mac called 'RansomWhere?' was built by a researcher in April this year.

7.      Flaws in in-flight entertainment system detected: A researcher has found holes in the Panasonic Avionics in-flight entertainment system used by 13 major airlines. Using these vulnerabilities, attackers could spoof flight information such as map routes, speed and altitude readings, and access the credit card details of frequent fliers stored in the automatic payment system. In 2015, security researcher Chris Roberts claimed to have made an aircraft climb after accessing its systems through the in-flight entertainment network.

8.      NSA hack was an inside job: Issue 78 covered the NSA hack by 'The Shadow Brokers' group, which dumped several NSA hacking tools online. Last week an intelligence report suggested that this was an insider leak rather than an outside hack: a rogue NSA insider handed the tools over to 'The Shadow Brokers'. It is important for sensitive organizations to have controls that can monitor and block insider threats.

9.      Security and demonetization: Digital transactions are increasing sharply across India as it moves towards a 'less cash' society, and the security challenges are now being discussed and addressed at various levels. Other areas needing immediate attention are Internet speeds and bandwidth. India also tops the world in ransomware attacks, with almost no attacker convicted to date. The investigations into the recent big hacks in India, the theft of 3.2 million debit card details and Legion's attacks on Twitter accounts, have yielded no results yet.

16 Going on 17 (2017): From a cyber security perspective, 2016 was bad and it now appears that 2017 will be worse. After having supposedly influenced the US elections, hackers have apparently set their sights on the upcoming German elections. 2017 is not safe for ordinary folks either: artificial intelligence and autonomous hacking systems are being built that will actively and rapidly seek out vulnerabilities and exploit them, and human security operations risk being outpaced by them.


Sunday, December 18, 2016

Issue 95- Week of Dec 12th


1.      Yahoo admits that 1 billion accounts were hacked: Issue 83 covered Yahoo's confirmation that personal data from 500 million accounts was stolen in 2014; Yahoo has now admitted that a separate, earlier breach in 2013 exposed 1 billion accounts. It is also being reported that this data was sold in August for $300k. Dumps like this feed 'password reuse attacks', so do not use the same password across your internet accounts.

2.      Ashley Madison fined $1.66M: Infidelity website Ashley Madison was hacked in July 2015 and 36 million user records were leaked on the internet, resulting in several cases of blackmail and suicides. The investigation that followed the leak revealed that the company had created fake female profiles to lure men and had not fully deleted records even though it charged $20 for a 'full deletion'.

3.      Accidental data leak at Ameriprise: Ameriprise is a financial services company based in the US. A researcher doing routine searches on the Shodan search engine spotted an Ameriprise advisor's internet-facing, unsecured backup drive, which was set to sync with his primary backup drive at his office. This exposed investment portfolios worth millions of dollars and the personal data of 320 clients. Shodan is a search engine that indexes internet-connected devices and services, which makes open and unsecured databases and devices easy to find.

4.      Kickass Torrents bounces back to life: In Issue 74, the domain names of Kickass Torrents (KAT) were seized, the owner was arrested and the site went down. Last week a group of dedicated former KAT staffers, who had regrouped around a forum at Katcr.co, brought the torrent site back to life. The new site starts from scratch and is a clone of the original.

5.      JPMC hacker arrested: In Issue 38, the U.S. had charged three Israelis over the huge JPMC cyber-fraud. Two were arrested in Israel in 2015 and the third was arrested at JFK airport last week when he flew in from Russia to face trial. The hackers used their access to JPMC client data to push misleading stock pitches at those clients and profit from the resulting trades. Preet Bharara, the well-known US Attorney, is prosecuting the case.

6.      Ubuntu's crash report tool vulnerable: A security researcher has discovered and privately reported a critical vulnerability to the Ubuntu team. He found that a crafted crash file, when parsed by the OS's crash file handler, executes arbitrary Python code embedded in the file. This remote code execution affects Ubuntu Linux 12.10 (Quantal) and later. Ubuntu users are advised to patch their systems ASAP.
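The bug class behind this item is worth seeing in code: a parser that evaluates a field of an attacker-supplied file instead of parsing it. The block below is an added example, not Ubuntu's or its crash handler's code; the "Key: value" report format, the field names and the two sample reports are assumptions constructed for illustration. It shows the vulnerable pattern beside a hardened version that accepts only literals.

```python
# Added example, not Ubuntu's or its crash handler's code: why evaluating a
# field from an untrusted crash report is remote code execution, next to the
# safe way to turn the same field into a value. The "Key: value" report format
# and the field names below are assumptions, not the real on-disk format.
import ast

# Constructed crash reports. The attacker writes the whole file, so any field
# may hold a Python expression instead of the number the parser expects.
HOSTILE_REPORT = """\
ProblemType: Crash
Package: example-app 1.0
ExitCode: __import__('os').getpid()
"""

BENIGN_REPORT = """\
ProblemType: Crash
Package: example-app 1.0
ExitCode: 139
"""


def parse_fields(text):
    """Split 'Key: value' lines into a dict; values stay as strings."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def exit_code_vulnerable(text):
    """Vulnerable: eval() on a field the attacker controls runs whatever the
    field says. Here the payload merely calls os.getpid() to prove it ran;
    it could equally spawn a shell. Shown only to make the bug concrete."""
    return eval(parse_fields(text)["ExitCode"])


def exit_code_safe(text):
    """Hardened: ast.literal_eval accepts only Python literals, so a call
    expression raises ValueError instead of executing. For a field that must
    be an integer, int(raw) is simpler still; the isinstance check rejects
    literals of the wrong type such as a list or a string."""
    raw = parse_fields(text)["ExitCode"]
    try:
        value = ast.literal_eval(raw)
    except (ValueError, SyntaxError) as exc:
        raise ValueError(f"ExitCode is not a literal: {raw!r}") from exc
    if not isinstance(value, int) or isinstance(value, bool):
        raise ValueError("ExitCode must be an integer")
    return value


def safe_parser_rejects(text):
    """True if the hardened parser refuses the report."""
    try:
        exit_code_safe(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("benign, safe parser  :", exit_code_safe(BENIGN_REPORT))
    print("hostile, eval parser :", exit_code_vulnerable(HOSTILE_REPORT))
    print("hostile, safe parser rejects:", safe_parser_rejects(HOSTILE_REPORT))
```

Running it shows the eval-based parser returning the process id the hostile field asked for, which is the attacker's code executing, while the literal-only parser raises. The general rule: anything read from a file an untrusted party can write is data, and data is parsed, never evaluated.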

7.      macOS FileVault 2 password recovered in 30 seconds: A researcher has demonstrated that with physical access to a Mac he can recover the disk encryption password in about 30 seconds, using a $300 device dubbed 'PCILeech' that reads memory over Direct Memory Access (DMA). Two weaknesses were exploited: 1. the Mac enables its DMA protections only after the OS has booted, and 2. the FileVault password sits in memory in clear text and survives a warm reboot. The researcher rebooted the victim's Mac with the device plugged in and within 30 seconds had the password. This issue is fixed in the latest version, 10.12.2.

8.      NSA tools put on direct sale, auction abandoned: In Issue 78, the Shadow Brokers claimed to have hacked an NSA hacking group and put the stolen tools up for auction. The group is now offering the tools for direct sale, priced between 1 and 100 bitcoins. Separately, an NSA probe into how the tools were lost reportedly concluded that an agent mistakenly left them behind during an operation.

9.      DNSChanger exploit kit is back: Similar to the Stegano malvertising campaign discovered recently, researchers have found another malware campaign that spreads via malvertising, called 'DNSChanger'. The key difference is that while the exploit kit is delivered through a malicious ad in the browser, the dropper (the actual malware) attacks the home router rather than the browser. The malware changes the DNS entries in the router from the ones provided by the ISP to malicious servers controlled by the attackers. With this the attackers can redirect traffic, inject ads and install other malware. Users can reduce this risk by changing the default password on their router and keeping its firmware up to date.

Legion's exploits in India: Legion continued its attacks in India, claiming to have hacked the accounts of 74,000 chartered accountants, government emails hosted on sansad.nic.in and a server of Apollo Hospital in Chennai. Legion has said that the 'banking system' in India is deeply flawed and has been hacked several times in the past; it claims to have access to 40,000 servers in Indian banks and to be able to paralyse the system.




Sunday, December 11, 2016

Issue 94- Week of Dec 5th


1.      NDTV journalists and Vijay Mallya hacked: Days after a hacking group called Legion hacked Rahul Gandhi's and the INC's Twitter accounts, it went on to hack the Twitter account of Vijay Mallya, India's most famous loan defaulter, who has been based in London for the past nine months. This morning news broke that the official Twitter handles of senior journalists Ravish Kumar and Barkha Dutt of NDTV have also been hacked by Legion. In a tweet Legion threatened to release over 1TB of confidential data and said its next target would be Lalit Modi, another fugitive from Indian law based in London.

2.      Dailymotion hacked: 85 million accounts were compromised; email addresses, usernames and some (hashed) passwords were stolen. If you have a Dailymotion account, reset your password, and if you were using the same password across many sites it is time to reset all of them. It is safer not to reuse passwords across platforms. Dailymotion was in the news last year for serving malvertising to its visitors.

3.      'Distributed guessing attack' cracks Visa card details in 6 seconds: Researchers at Newcastle University have built a toolkit that can guess a Visa card's expiry date and CVV in about 6 seconds. Instead of hammering one site, the tool spreads its guesses across many e-commerce websites and takes the first one that confirms a guess. For example, to guess the expiry date it sends a different date to each of 60 e-commerce sites; for the CVV it spreads up to 1,000 guesses across sites in the same way. The attack works against Visa because its network does not detect repeated incorrect attempts across different merchants. MasterCard has a centralised payment network and can detect such patterns quickly.
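The difference between the two fraud models is easy to simulate. The block below is an added example, not the Newcastle toolkit or any card network's code: a toy issuer that either counts failed authorisations per merchant or per card across all merchants, and an attacker that rotates guesses across a pool of hypothetical merchants. The card number, expiry, CVV, merchant names and the 10-failure limit are all constructed.

```python
# Added example, not the Newcastle toolkit: a simulation showing why a fraud
# check that counts failed attempts per merchant misses a distributed guessing
# attack, while one that counts per card across all merchants stops it. The
# card, merchants and limits are constructed; no real payment API is involved.
import itertools

# Constructed card. Real PANs, dates and CVVs are never used here.
CARD = {"pan": "4000000000000002", "expiry": "0920", "cvv": "742"}
LIMIT = 10  # failed attempts tolerated before the card is blocked


class Issuer:
    """Toy authorisation service. With per_card=True failed attempts are
    counted per card across every merchant (the centralised model); with
    per_card=False each merchant's failures are counted on their own, so an
    attacker who rotates merchants never trips the counter."""

    def __init__(self, card, per_card, limit=LIMIT):
        self.card = card
        self.per_card = per_card
        self.limit = limit
        self.failures = {}

    def authorise(self, merchant, expiry=None, cvv=None):
        key = self.card["pan"] if self.per_card else (self.card["pan"], merchant)
        if self.failures.get(key, 0) >= self.limit:
            return "blocked"
        # Merchants differ in which fields they check; a field that is not
        # supplied is simply not verified, which is what the attack relies on.
        ok = (expiry is None or expiry == self.card["expiry"]) and \
             (cvv is None or cvv == self.card["cvv"])
        if ok:
            return "approved"
        self.failures[key] = self.failures.get(key, 0) + 1
        return "declined"


def distributed_guess(issuer, merchants, field, candidates, known=None):
    """Rotate through merchants, one guess each, until a guess is approved.
    Returns (value_or_None, attempts_made); stops early if the card is blocked."""
    known = dict(known or {})
    rotation = itertools.cycle(merchants)
    for attempts, guess in enumerate(candidates, start=1):
        result = issuer.authorise(next(rotation), **known, **{field: guess})
        if result == "approved":
            return guess, attempts
        if result == "blocked":
            return None, attempts
    return None, len(candidates)


def run_attack(per_card):
    """Guess expiry then CVV against an issuer with the given fraud model."""
    issuer = Issuer(CARD, per_card=per_card)
    merchants = [f"shop{i:03d}.example" for i in range(120)]  # hypothetical sites
    # 5 years x 12 months = 60 expiry candidates, then 1000 CVV candidates.
    expiries = [f"{m:02d}{y:02d}" for y in range(17, 22) for m in range(1, 13)]
    cvvs = [f"{n:03d}" for n in range(1000)]
    expiry, e_tries = distributed_guess(issuer, merchants, "expiry", expiries)
    known = {"expiry": expiry} if expiry else {}
    cvv, c_tries = distributed_guess(issuer, merchants, "cvv", cvvs, known)
    return {"expiry": (expiry, e_tries), "cvv": (cvv, c_tries)}


if __name__ == "__main__":
    print("per-merchant counting:", run_attack(per_card=False))
    print("per-card counting    :", run_attack(per_card=True))
```

With per-merchant counting no merchant ever sees more than a handful of failures for the card, so both fields are recovered in well under the 60 + 1000 worst-case attempts; with per-card counting the card is blocked after the tenth failure and the CVV phase never gets started. The lesson for anyone building an authorisation service is that the velocity counter must be keyed on the card, not on the merchant.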

4.      'Popcorn Time' ransomware launches a victim referral scheme: Like any other ransomware, Popcorn Time encrypts files and demands a ransom in bitcoins. The unusual aspect is that it offers victims the decryption key for free if they infect two other people who then pay the ransom. All a victim has to do is send a link supplied by the attackers to two other people; if those two get infected and pay, the victim gets the key for free.

5.      Stegano malvertising discovered: Researchers have discovered a malvertising campaign dubbed Stegano that remained undetected for nearly two years. The attackers hid the exploit code in the alpha channel of an image's pixels, packaged it as an ad and managed to get it displayed on several popular websites, potentially exposing millions of visitors. When a user's browser loads the malicious ad, the embedded script reports system information to a command and control server. Depending on the vulnerabilities present, such as an unpatched browser or Flash player, it silently redirects to a malicious site that downloads a dropper and infects the system, which can lead to ransomware or theft of local data. Spotify was hit by malvertising recently.
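To make the alpha-channel trick concrete, the block below is an added example, not the Stegano kit's code: it hides a harmless string in the least significant bit of each pixel's alpha value of a constructed cover image, reads it back the way an in-ad script would, and applies a simple statistical check that flags the tampered image. Pixels are plain (r, g, b, a) tuples so no image library is needed; the cover image, payload and detection threshold are all constructed.

```python
# Added example, not the Stegano kit's code: how a payload can ride in the
# alpha channel of an otherwise ordinary image, and one cheap statistical
# check that flags such an image. Pixels are plain (r, g, b, a) tuples built
# in code so no image library is needed; the payload is a harmless string,
# not exploit code, and the cover image is constructed.

COVER_W, COVER_H = 64, 8  # 512 pixels: room for 64 bytes at one bit per pixel


def make_cover():
    """Constructed cover: a small, fully opaque gradient (alpha == 255)."""
    return [(x * 4, y * 32, 128, 255) for y in range(COVER_H) for x in range(COVER_W)]


def embed(pixels, payload):
    """Hide a 2-byte length prefix plus the payload, one bit per pixel, in the
    least significant bit of alpha. Opaque pixels (255) become 254 for a 0 bit,
    a change no viewer shows, so the ad looks untouched."""
    data = len(payload).to_bytes(2, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload too large for cover image")
    out = list(pixels)
    for idx, bit in enumerate(bits):
        r, g, b, a = out[idx]
        out[idx] = (r, g, b, (a & 0xFE) | bit)
    return out


def extract(pixels):
    """What the in-ad script does: read alpha LSBs back into bytes."""
    def read_bytes(first_pixel, count):
        out = bytearray()
        for k in range(count):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (pixels[first_pixel + k * 8 + i][3] & 1)
            out.append(byte)
        return bytes(out)

    length = int.from_bytes(read_bytes(0, 2), "big")
    return read_bytes(16, length)


def alpha_lsb_suspicious(pixels, threshold=0.05):
    """Heuristic, not what any vendor ships: a genuine ad is either fully
    opaque or uses smooth transparency, so a large share of pixels sitting at
    254 against a 255 background points to LSB tampering.
    Returns (fraction_of_254_pixels, flagged)."""
    near_opaque = sum(1 for p in pixels if p[3] == 254)
    fraction = near_opaque / len(pixels)
    return fraction, fraction > threshold


if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, b"hello, stegano")
    print("recovered:", extract(stego))
    print("cover  :", alpha_lsb_suspicious(cover))
    print("stego  :", alpha_lsb_suspicious(stego))
```

The colour channels of the stego image are identical to the cover, which is why a visual review of the creative finds nothing; only the alpha statistics change. A real campaign would additionally need script in the ad to read the pixels back, so ad networks that forbid or sandbox JavaScript in creatives, and that scan creatives for alpha anomalies like the one above, remove both halves of the technique.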

6.      Yahoo flaw allowed access to any Yahoo inbox: Under its bug bounty program, a researcher was awarded $10k for discovering and privately reporting an XSS bug that allowed an attacker to read any Yahoo Mail inbox. The bug has since been fixed. The researcher said that finding the bug was difficult but exploiting it was easy, as it only required sending the victim a specially crafted email.

7.      Linux kernel local privilege escalation flaw discovered and patched: A critical local privilege escalation vulnerability in the Linux kernel was patched last week; the bug had been present since 2011 and allowed a local attacker to gain kernel code execution from an unprivileged process. In Issue 87 we saw a nine-year-old Linux bug called 'Dirty COW' being discovered and patched.

8.      Gamification of DDoS attacks: A hacker group in Turkey is inviting users to launch DDoS attacks on chosen targets and earn points in return. The points accumulate and can be redeemed for various hacking tools. Dubbed 'Sath-ı Müdafaa' (Surface Defence), the scheme was discovered by Forcepoint researchers.

9.      Red Star OS can be hacked: North Korea's Linux-based operating system, Red Star, can be compromised just by getting a user to open a link. Ever since a full installer of version 3.0 leaked outside North Korea, researchers have been regularly finding holes in it. The OS was designed to keep Western operating systems, which the regime finds suspicious, out of the country. Red Star's desktop is strikingly similar to Mac OS, and this severe vulnerability was found in its Firefox-derived browser, Naenara 3.5.

Uber wants to track your location 5 minutes after the ride: Earlier in the year Uber was found to be reading the battery level of users' phones; the company has said it knows a person with a low battery is more likely to accept a higher price for a ride than a person with a full battery, though it denies using that to set prices. Now, with the latest app, Uber wants to track users even after the ride is over, so that it can offer the most precise pickups and drop-offs. The latest version of the app shows a popup asking users to 'allow / don't allow' location access even when they are not using the app.

Sunday, December 4, 2016

Issue 93- Week of Nov 28th


1.      Rahul Gandhi's and the Indian National Congress' Twitter accounts hacked: Last week the Congress party, the main opposition party in India, confirmed that the official Twitter account of its vice-president Rahul Gandhi had been hacked. Within 24 hours the party's own Twitter account was also hacked and a series of offensive posts appeared on it. In the recent past several celebrities, including the CEOs of Facebook, Google and Twitter and Twitter's ex-CEO, have had their Twitter accounts hacked. Thanks to the recent big hacks and high-volume password dumps from sites like Yahoo, LinkedIn, MySpace and Tumblr, more than a billion passwords are available on the net. Coupled with the human tendency to reuse passwords, this lets attackers easily break into Twitter and other social media accounts.
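Since password dumps and reuse are the thread running through this item and the Dailymotion and Yahoo items in the issues above, here is an added example, not Twitter's, Yahoo's or Have I Been Pwned's code, of the two checks a practitioner actually runs: whether a password appears in a breach corpus, done with the k-anonymity range scheme the Pwned Passwords API uses (only the first five hex characters of the SHA-1 leave the client), and whether the same password is shared across accounts. The corpus and the range_response() "server" are constructed in-memory stand-ins; the real service is not contacted.

```python
# Added example, not Twitter's, Yahoo's or Have I Been Pwned's code: checking a
# password against a breach corpus without revealing it, using the k-anonymity
# range scheme of the Pwned Passwords API (client sends the first 5 hex chars
# of the SHA-1, server returns every matching suffix with a count). The corpus
# and the range_response() "server" are constructed stand-ins; the real service
# would be queried over HTTPS and is not contacted here.
import hashlib


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus: password -> times seen across dumps.
LEAKED = {"password123": 123456, "letmein": 99999, "linkedin2012": 42}


def range_response(prefix):
    """Stand-in for GET /range/{prefix}: one 'SUFFIX:COUNT' line per corpus
    hash whose first five hex characters equal the prefix."""
    lines = []
    for pw, count in LEAKED.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def pwned_count(password, fetch=range_response):
    """How often the password appears in the corpus, or 0. Only the 5-char
    prefix leaves the client; the 35-char suffix is compared locally, so the
    server learns neither the password nor its full hash."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def reused_sites(credentials):
    """Group sites that share a password, comparing hashes rather than
    plaintext. Input: {site: password}. Output: list of sorted site groups."""
    by_hash = {}
    for site, password in credentials.items():
        by_hash.setdefault(sha1_hex(password), []).append(site)
    return [sorted(sites) for sites in by_hash.values() if len(sites) > 1]


if __name__ == "__main__":
    for pw in ("password123", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw)} times")
    print(reused_sites({"twitter": "letmein", "yahoo": "letmein", "bank": "x9!Qz"}))
```

To use this against the live service, replace fetch with a function that performs the HTTPS GET for the prefix and returns the response body; the comparison logic stays the same, and the password itself never goes on the wire. A non-zero count is reason enough to rotate the password everywhere it is used.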

2.      San Francisco Muni system hit by ransomware, resulting in free rides: The fare system of San Francisco's Muni transit agency was hit by ransomware, and station screens across the city displayed the message: "You Hacked, ALL Data Encrypted. Contact For Key(cryptom27@yandex.com)ID:681 ,Enter." Trains themselves were not affected; the agency opened the fare gates and let passengers ride for free while the ticketing machines were down. It is not yet clear who was responsible. Local media reported a demand of 100 Bitcoin (about $73K) for the key, which the SFMTA says it did not pay, restoring its systems from backups instead. Issue 52 covered an LA hospital that paid $17K in ransom.

3.      Over 1 million Google accounts compromised by 'Gooligan' Android malware: A new Android malware dubbed 'Gooligan' has already breached more than 1 million Google accounts. The malware roots vulnerable Android devices and steals the email addresses and Google authentication tokens stored on them; armed with those tokens the attackers can hijack the user's Google account. The malware hides in legitimate-looking apps on third-party app stores, and a device is compromised when the user installs one. Once installed, the malware also generates revenue for its operators by downloading apps and writing reviews on the user's behalf.

4.      Cyber-attack knocks nearly a million routers offline: More than 900,000 broadband routers belonging to Deutsche Telekom customers in Germany were knocked offline last weekend following a suspected cyber-attack, disrupting telephony, television and internet service. The attackers used a Mirai-based botnet and targeted the remote management port and protocol meant for the ISP to administer the devices. Default passwords on any internet-facing device make such attacks far easier; experts recommend changing them and keeping remote management interfaces closed to the internet.

5.      Rule 41: FBI gets expanded power to hack any computer in the world: Hacking multiple computers across the world just got easier for United States intelligence and law enforcement agencies. The changes to Rule 41 grant the FBI much greater power to hack into multiple computers within the country, and perhaps anywhere in the world, with a single warrant authorised by any US judge. Issue 92 covered "FBI hacked into 8,000 Computers in 120 Countries using a single warrant".

6.      Hacker who exposed Steubenville rape faces longer prison term than the rapists: In 2012, players on the Steubenville (Ohio) high school football team gang-raped an unconscious teenage girl and took photographs of the assault. In December 2012, a member of the hacker collective Anonymous hacked into the Steubenville High School football fan website and leaked evidence of the rape, including a video taken and shared by the perpetrators in which they joked about the assault. The rapists, who were 16 at the time, were sentenced to 2 years. In 2013 the FBI arrested the hacker, who now faces up to 10 years in prison; sentencing is scheduled for March 2017.

7.      Anonymous-linked activist Barrett Brown released from prison: Barrett Brown was arrested in 2012 in connection with the leak of 200GB of data hacked from Stratfor, a 'geopolitical intelligence and consulting firm', by members of Anonymous; Brown's charges stemmed from sharing a link to the stolen data and threatening an FBI agent, not from the intrusion itself. The leaked data largely contained emails, credit card numbers and client lists, and the hackers used the stolen card details to make over a million dollars of donations to various charities. Brown was sentenced to five years in prison and nearly $900,000 in restitution and fines. He was released last week.

8.      Researcher shows how to bypass BitLocker: Any laptop relying on Windows BitLocker drive encryption can be compromised if an attacker with physical access holds SHIFT+F10 during a Windows 10 feature update. This opens a command prompt with SYSTEM privileges while the drive is unlocked for the upgrade, giving full access to the disk even with BitLocker enabled. Experts recommend not leaving PCs unattended during the update procedure.

9.      Firefox zero-day exploit to unmask Tor users released online: Tor (The Onion Router) is anonymity software that provides a safe haven to human rights activists, journalists and government officials, but is also where drugs, assassins for hire, child pornography and other illegal goods and services are allegedly traded. The Tor Browser is a modified version of Mozilla Firefox. A JavaScript zero-day exploit was being used in the wild to unmask Tor users via a memory corruption flaw in Firefox; Mozilla and the Tor Project have since shipped patched versions, so update both.


10.   Malware used to steal a Tesla: Last week researchers showed an easy way to steal a Tesla. When an owner logs in to the Tesla Android app for the first time, the app obtains an OAuth token and stores it in clear text in the app's data folder so that the user does not have to re-enter credentials every time. Researchers showed that if the owner's phone is infected with Android malware that steals this token, the attacker can locate, unlock and drive away the Model S. Tesla says this is not a flaw in its product but the result of common social engineering tricks used to compromise the victim's phone, root the device and then alter the app's data. Issue 83 covered "Tesla car hacked by Chinese security firm from 19km away using 'malicious' Wi-Fi hotspot".