Sunday, August 31, 2014
Banks Hacked- News gets more and more interesting
Apparently it is 7 banks now
Some had their records deleted
The link below has more information:-
http://www.cnet.com/news/jpmorgan-hackers-altered-deleted-bank-records-says-report/
Thursday, August 28, 2014
DLP function now available for SharePoint (Office 365)
We know it is available for Exchange now it is extended to SharePoint
From the Article
Microsoft has extended the data loss prevention features in Office 365 so that they are available not only for its email tools but also for data in SharePoint Online and OneDrive for Business.
Administrators will be able to search for content across SharePoint Online and OneDrive for Business, zeroing in on 51 predefined sensitive information types, like credit card numbers, passport data, and Social Security information. If they identify policy breaches, they'll be able to export a report and take the appropriate action. DLP tasks are managed from Office 365's eDiscovery Center console.
Follow this link for additional details:
Friday, August 22, 2014
New member to the list of credit card hacked companies - it is UPS now
News might be new but
It started infiltration started in January and attacks in March
And...........
We only know now
Customers’ credit and debit card information at 51 franchises in 24 states may have been compromised.
Follow this link for additional details:
http://time.com/3151681/ups-hack/
How to steal encryption keys - Just by touching the computer !!!
I did not know that we are born with embedded hacking tools (I am excluding the Brain here).
From the Article
There are flaws and weaknesses in human flesh and bones that make it easier than it should be to force someone to offer up the key to decrypt something.
This research is a side-channel attack. The metal parts of a laptop, such as the shielding around USB ports, and heat sink fins, are notionally all at a common ground level. However, this level undergoes tiny fluctuations due to the electric fields within the laptop. These variations can be measured, and this can be used to leak information about encryption keys.
the researchers also experimented with using a smartphone connected to Ethernet shielding via its headphone port, and found that this was sufficient to perform some attacks.
Robust protection is hard to do, because
- The side-channel is largely a feature of the hardware.
- Faraday cages can protect against electromagnetic side channels,
- insulation can protect against this kind of "touching metal parts" attack,
- optical fibres can protect against measuring fluctuations in Ethernet connections
but all these drive up costs and are of limited practicality.
Follow this link for additional details:
Wednesday, August 20, 2014
Hacking Traffic Lights Is Apparently Really Easy
It is not the headline that bothered me.
What shocked me is what makes it easy
The Michigan team identified three main weaknesses in traffic control systems in the U.S.:
- use of un-encrypted wireless communication signals
- default usernames and passwords,
- use of a traffic controller—the machine that interprets sensor data and controls lights and walk signs, etc.—that is vulnerable to known hacks.
Follow this link for additional details:
NUKE REGULATOR HACKED BY SUSPECTED FOREIGN POWERS
Not once but, THRICE.
The methods adopted by the hackers is really interesting
- Malware in the cloud
- Email from legitimate account
From the Article
Nuclear Regulatory Commission computers within the past three years were successfully hacked by foreigners twice and also by an unidentifiable individual,
One incident involved emails sent to about 215 NRC employees in "a logon-credential harvesting attempt,"
A dozen NRC personnel took the bait and clicked the link.
hackers also attacked commission employees with targeted spearphishing emails that linked to malicious software. A URL embedded in the emails connected to "a cloud-based Microsoft Skydrive storage site," which housed the malware,
In another case, intruders broke into the personal email account of an NRC employee and sent malware to 16 other personnel in the employee's contact list. A PDF attachment in the email contained a JavaScript security vulnerability. One of the employees who received the message became infected by opening the attachment, McIntyre said.
Follow this link for additional details:
Sunday, August 17, 2014
70 Percent of World's Critical Utilities Breached
78 percent of the senior security officials responded that a successful attack is at least somewhat likely within the next 24 months
The link below has more information:-
http://www.darkreading.com/attacks-breaches/infographic-70-percent-of-worlds-critical-utilities-breached/a/d-id/1298006
Thursday, August 14, 2014
iPhone vulnerable? - Yes when connected to a computer
Apple seems to have too much trust in USB
From the Article
The beauty of their attack is that it doesn't rely on iOS software vulnerabilities, the customary way that hackers commandeer computers. It simply takes advantage of design issues in iOS, working around Apple's layered protections to accomplish a sinister goal.
Their attack requires the victim's computer to have malware installed
Wang and the researchers developed a man-in-the-middle attack that can trick an Apple device that's connected to a computer into authorizing the download of an application using someone else's Apple ID.
Wang's team found they could sneak a developer provisioning file onto an iOS device when it was connected via USB to a computer. A victim doesn't see a warning.
That would allow for a self-signed malicious application to be installed. Legitimate applications could also be removed and substituted for look-alike malicious ones.
"The whole process can be done without the user's knowledge," Wang said
The host computer has access to a device not only through iTunes but also via a protocol called Apple File Connection, which is used for accessing images or music files
The researchers recovered login cookies, including those for Facebook and Google's Gmail.
Follow this link for additional details:
Monday, August 11, 2014
Complex Passwords - Are not really safe anymore
I am more or less 100% in agreement with the author.
Summary
pinning your security on an insanely complex password is a fool’s wager.
From the Article
According to Alex Holden, Hold Security’s founder, the “vast majority” of the passwords he uncovered had been stored in plain text on company servers.
says Donna Dodson NIST’s chief cyber security advisor. “Putting the burden of security on the end-user and making it more complex just doesn’t work,” she says. “The security has to be usable for the end-user. Otherwise they’re going to find workarounds.”
The cracking software that’s out there has known about all of these tricks for more than a decade,” says Herley.
What’s more, system administrators need to spend more time securing the passwords they store. If sysadmins had been taking care of business before the Russian hack—locking down their websites and protecting their users passwords with cryptography instead of storing them in plain text—users would be a lot better off.
Follow this link for additional details:
Saturday, August 9, 2014
Chip-n-Pin may be better than swipe card but still vulnerable
(From the article)
His team found that several devices were not, in fact, made to the security specifications they claimed to follow. With a minimum of effort, he said they could wiretap the devices and extract the PIN during a sale.
Scammers installed their evil wares into card readers before they were even delievered to merchants.
In order to get European merchants to switch, the banks promised merchants that they would be responsible for fraudulent charges. With swipe cards, a fraudulent charge is simply reversed to the merchant.
The victims of fraud were frequently blamed by the banks, who accused them of exposing their PINs somehow. In other cases, the banks simply changed their minds and reversed charges to the merchants. In extreme cases, banks and credit card companies declined to press charges against known scammers, apparently out of embarrassment.
The link below has more information:-
Creative hacking - Hackers use Google to steal data
(From the article)
What was unique about the attackers was how they disguised traffic between the malware and command-and-control servers using Google Developers and the public Domain Name System (DNS) service of Fremont, Calif.-based, Hurricane Electric.
In both cases, the services were used as a kind of switching station to redirect traffic that appeared to be headed toward legitimate domains, such as adobe.com, update.adobe.com and outlook.com.
The link below has more information:-
http://www.csoonline.com/article/2462409/data-protection/how-hackers-used-google-in-stealing-corporate-data.html
Thursday, August 7, 2014
Wednesday, August 6, 2014
XML Vulnerability that can take down an entire website or server almost instantly.
(From the article)
Impacts the popular website platforms WordPress and Drupal.
The vulnerability uses a well-known XML Quadratic Blowup Attack — and when executed, it can take down an entire website or server almost instantly.
This is a big deal because WordPress and Drupal are used by millions of websites. The latest statistics from the World Wide Web Consortium (WC3) show WordPress alone powers nearly 23% of the web.
The XML vulnerability Goldshlager discovered affects WordPress versions 3.5 to 3.9 (the current version) and works on the default installation. It affects Drupal versions 6.x to 7.x (the latest version) and also works on the default installation.
When the vulnerability is exploited, the results can basically render a website or web server unusable. The vulnerability can cause 100% CPU and RAM usage, cause the server to become unavailable and also create a Denial of Service attack on the MySQL database program
The good news is that both WordPress and Drupal have released patches for their applications.
The link below has more information:-
http://mashable.com/2014/08/06/wordpress-xml-blowup-dos/
Monday, August 4, 2014
Interesting - Malware that fully resides in Registry
We always knew someone would do it so, finally it is done.
http://www.darknet.org.uk/2014/08/windows-registry-infecting-malware-files/
AV Zero day detection - Does anyone still believe it?
This should not come as a surprise
(From the article)
Kyle Adams wrote what he describes as "ridiculously obvious" malware that most major antivirus products ultimately failed to detect.
His research shows that code emulation and sandboxing aren't really working anymore.
What can AV vendors do to beef up their code emulation? For one thing, "they should start penetration-testing their own AV software."
The link below has more information:-
If you own Synology's NAS devices , you might want to disconnect it.
This advise is coming from the he vendor.
To avoid being affected by ransomware that uses strong encryption to lock files on the brand’s machines and demands US$350 for the decryption key.
The SynoLocker “service” asks for 0.6 Bitcoins to unlock the encrypted files, which at today’s exchange rate is around USD$350
The link below has more information:-
Sunday, August 3, 2014
Can you or your computer detect a compromised USB device? - NO !!!
DOn't believe me. read further.........
(From the article)
The infection can travel both from computer to USB and vice versa. Any time a USB stick is plugged into a computer, its firmware could be reprogrammed by malware on that PC, with no easy way for the USB device’s owner to detect it.
he malware they created, called BadUSB, can be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic. Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden long after the contents of the device’s memory would appear to the average user to be deleted. And the two researchers say there’s no easy fix: The kind of compromise they’re demonstrating is nearly impossible to counter without banning the sharing of USB devices or filling your port with superglue.
“These problems can’t be patched,” says Nohl,
‘IN THIS NEW WAY OF THINKING, YOU HAVE TO CONSIDER A USB INFECTED AND THROW IT AWAY AS SOON AS IT TOUCHES A NON-TRUSTED COMPUTER.’
It can even impersonate a USB keyboard to suddenly start typing commands. “It can do whatever you can do with a keyboard, which is basically everything a computer does,” says Nohl.
The malware can silently hijack internet traffic too, changing a computer’s DNS settings to siphon traffic to any servers it pleases. Or if the code is planted on a phone or another device with an internet connection, it can act as a man-in-the-middle, secretly spying on communications as it relays them from the victim’s machine.
The link below has more information:-
76,000 email addresses + 4000 passwords exposed, How? - bad script!!!!
C'mon mozilla , It is a shame
(From the article)
he breach was caused by a bad script that on July 23 was found to have inadvertently published the records online over the previous month.
"As soon as we learned of it, the database dump file was removed from the server immediately, and the process that generates the dump was disabled to prevent further disclosure," they said.
The exposed passwords were salted hashes but further technical details have not been revealed
The link below has more information:-
MPTCP - New concern for security folks? ;
I guess the security tools have a lot to catch up
(From the article)
If any of your security decisions, tools, thought-processes, manual processes, if they rely on any of... these four things, then something in those is going to break," he says.
- If you expect to see all app layer data within a TCP stream;
- if you expect to differentiate clients from servers based on the connection direction;
- if you expect to tamper with or close bad connections midstream;
- if attempt to associate logical connections to IP addresses.
If you make any security decisions based on any of those, then those security mechanisms are going to break in the face of MPTCP.
The link below has more information:-
Friday, August 1, 2014
Apple scammed 42 time - by a 24 Year old:-
Simple but brilliant..............
From the article)
Parrish allegedly tricked Apple Store employees in 16 states starting around December 2012 into accepting fake authorization codes to purchase $309,768 worth of Apple goods.
Here’s how it works: Parrish allegedly visited Apple Stores and tried to buy products with four different debit cards, which were all closed by his respective financial institutions. When his debit card was inevitably declined by the Apple Store, he would protest and offer to call his bank — except, he wasn’t really calling his bank.
he would offer the Apple Store employees a fake authorization code with a certain number of digits, which is normally provided by credit card issuers to create a record of the credit or debit override
“It does not actually matter what code the merchant types into the terminal,” the U.S. Attorney’s Office in New Jersey said publicly after a similar case occurred there in February. “Any combination of digits will override the denial.”
The link below has more information:-
http://www.businessinsider.com/sharron-laverne-parrish-jr-charged-with-apple-credit-card-scam-2014-7
Subscribe to:
Posts (Atom)