Thursday, December 28, 2017
From Scammer to Slammer (Talk about insider theft)
Ajay Garg, an assistant programmer at the Central Bureau of Investigation (CBI), has been arrested by his own agency for developing a software that exploits the vulnerabilities of the IRCTC railway ticketing system to book over 1000 Tatkal tickets at a time.
Rather than reporting the vulnerabilities found by him, Garg instead used them for his own gain and amassed a huge wealth by making his software available to travel agents through his accomplice Anil Gupta, who can then easily book Tatkal tickets for clients for a fee using the software.
For More:
http://www.ehackingnews.com/2017/12/tatkal-ticket-scam-uncovered-cbi.html
Wednesday, December 27, 2017
Watchout - since November 2017 spoofed emails are being sent to unsuspecting users for infecting the computers. These emails are supposed to be sent by commonly used printer and scanner brands.
The emails contain very regular and normal looking subject lines such as Scanned from HO, Scanned from Canon or Scanned from Epson, etc. Cybercrooks have modified extension and file names and hidden the malicious coding in such a way that email antivirus software cannot detect them.
For More
https://www.hackread.com/spoofed-emails-from-printer-vendors-install-backdoor
How to avoid a data breach - Just a few well known ideas which Sr. security folks tend to ignore for various reasons.
This one is sure to repeat more often - Business Email Compromise (BEC) - attacks are when a cyber criminal adopts the identity of a senior executive and sends emails to staff members in an attempt to trick them into doing something that they shouldn’t.
- Don’t overlook the vulnerability of executives
- Reduce your data holdings
- Take a company-wide approach
- Test yourself on your response plan
For More:
http://www.telegraph.co.uk/connect/better-business/cyber-security/how-to-avoid-a-data-breach/
Android malware that can pose as not a hundred or two but nearly 2,200 banks to steal passwords and carry out fraud
2017 seems to be the year for Andriod Malware - Here is another one "Catelites Android Malware"
The malware can get installed on an android device in more than one ways such as via fake, malicious applications available at third-party app stores or phishing websites. It may also get installed with malicious malware. Catelites can intercept texts, lock the mobile phone, delete device data, access phone numbers, modify speaker volume, spy on message conversations and force password unlocks.
More Here
https://www.hackread.com/catelites-android-malware-poses-as-2200-bank-apps/
Thursday, December 21, 2017
Facebook messenger users may want to read this - You might be victimized by a mining bot called Digmine
Facebook Messenger is the launching pad for a new Monero-cryptocurrency mining bot called Digmine
Once downloaded onto a computer, Digmine's first operation is to install an autostart mechanism and launch Chrome with a malicious extension. It then starts mining and finally connects with the Facebook account's friend list via Messenger and begins to spread.
In order to keep the victim unaware, a video file is streamed from a website that is controlled by the cybercriminal and contains additional components for the malware.
For More:
https://www.scmagazine.com/digmine-cryptocurrency-botnet-spreading-through-facebook-messenger/article/720451/
Remember "He who is well prepared has half won the battle" - Are you prepared to deal with "Fileless malware" in 2018
Fileless malware attacks using PowerShell or Windows Management Instrumentation (WMI) tools accounted for 52% of all attacks this year (2017)
Fileless malware attacks, also known as non-malware attacks, allow cybercriminals to skip steps that are needed to deploy malware-based attacks, such as creating payloads with malware to drop onto users' systems. Instead, attackers use trusted programs native to the operating system and native operating system tools like PowerShell and WMI to exploit in-memory access, as well as Web browsers and Office applications
For More:
https://www.darkreading.com/perimeter/fileless-malware-attacks-hit-milestone-in-2017/d/d-id/1330691
Is your Apple iPhone slow - No worries, it is a feature Apple added without bothering to notify users
Apple has finally admitted that it does indeed intentionally slow down older iPhone models
Apple says it is a feature—implemented on the iPhone 6, 6S and SE last year during a software update, and on the iPhone 7 in December with the release of iOS 11.2—to protect against unexpectedly shutting down of older iPhones due to aging batteries and prolong their lifespan.
The above statement by Apple came in response to a blog post published earlier this week by Toronto-based firm Geekbench developer John Poole, who analyzed the performance of iPhone 6S and iPhone 7 over time.
For More
https://thehackernews.com/2017/12/old-iphone-slow.html
Wednesday, December 20, 2017
300,000 active WordPress sites could have a hidden backdoor. Hope, your site is not one of them. Hope, your site is not one of them.
BestWebSoft sold a popular Captcha WordPress plugin to an undisclosed buyer, who then modified the plugin to download and install a hidden backdoor.
While reviewing the source code of the Captcha plugin, WordFence folks found a severe backdoor that could allow the plugin author or attackers to remotely gain administrative access to WordPress websites without requiring any authentication.
For More:
https://thehackernews.com/2017/12/wordpress-security-plugin.html
Tuesday, December 19, 2017
Cyber Threat Intelligence (CTI) - Types and use?
Tactical CTI:
This form of CTI answers the "what" of a cyber incident and consists largely of bad IP addresses, URLs, file hashes, known malicious domain names, etc.
Operational CTI:
This form of intelligence analyzes and profiles threat actors and adversaries: the "who" behind the attacks. While still fairly short-term in nature, operational CTI requires human analysis
Strategic CTI:
Strategic CTI is long-term and takes a geopolitical view that analyzes risk factors such as global events, foreign policy factors, and other local and international movements and agendas that can affect your organization's safety. It is the most difficult type of intelligence to generate
For More:
https://www.darkreading.com/attacks-breaches/comprehensive-endpoint-protection-requires-the-right-cyber-threat-intelligence/a/d-id/1330623
What is the market for stolen passwords?
Just the first seven months of 2017, a botmaster sold approximately 35,000 credential pairs earning him more than $288,000 and almost 9,000 different customers chose to purchase one or more of his username and password pairs.
For More:
https://krebsonsecurity.com/2017/12/the-market-for-stolen-account-credentials/
Monday, December 18, 2017
Friday, December 15, 2017
What more can I say - More than nine in 10 Americans (94%) in a new survey have heard news stories about security breaches but, 43% have not changed their online habits at all.
37% of respondents said they think it’s likely their personal information will be stolen
(it gets better , read below)
However,
- 43% have not changed their online habits at all.
- 25% have implemented two-factor authentication
- 56% of Americans have used a password to lock their computer
- 45% use a PIN to lock their mobile devices.
- 19% of Americans reported use of Biometrics
For More:
Thursday, December 14, 2017
Are you using Azure AD Connect ? if so, you need to know this
A permissions flaw in Microsoft’s Azure AD Connect software could allow a rogue admin to escalate account privileges and gain unauthorized universal access within a company’s internal network.
The flaw allows trusted users with limited or temporary privileges within a domain, such as the ability to change passwords or add users to administrative groups, to escalate privileges,
Microsoft didn’t release a patch to fix the bug, rather it made available a PowerShell script.
For More:
https://threatpost.com/permissions-flaw-found-azure-ad-connect/129170/
Have you enabled MFA for your account? - Because, someone found 1.4 billion usernames and passwords in clear text
The collective database contains plain text credentials leaked from Bitcoin, Pastebin, LinkedIn, MySpace, Netflix, YouPorn, Last.FM, Zoosk, Badoo, RedBox, games like Minecraft and Runescape, and credential lists like Anti Public, Exploit.in.
"None of the passwords are encrypted, and what's scary is that we've tested a subset of these passwords and most of the have been verified to be true," Casal said
For More:
https://thehackernews.com/2017/12/data-breach-password-list.html
ROBOT attack? - Not the Isaac Asimov Kind, its around Encryption
ROBOT - Return of Bleichenbacher’s Oracle Attack
Bleichenbacher’s attack was first discovered in 1998
Studies uncover that probably the most well-known sites on the Internet, including Facebook and Paypal, are influenced by the ROBOT attack.
For More:
http://www.hackersnewsbulletin.com/2017/12/robot-attacks-rediscovered.html
Friday, December 8, 2017
Is it Cayla doll or should we call it Creepy doll?
It turns out that anybody located within nine meters of the toys, outside a building, can wirelessly pair a mobile phone to the toys through Bluetooth, without having to log in. It can be done without inputting a PIN code, and you don’t have to press any kind of button on the toy
Apparently, if you then make a call to the phone that’s sneakily paired with the toy, what you say into the calling phone will be relayed to the toy by the called phone, which effectively gives two-way conversation.
For More:
https://nakedsecurity.sophos.com/2017/12/06/cayla-doll-too-eavesdroppy-to-put-under-the-christmas-tree-says-france/
Thursday, December 7, 2017
What the security folks always feared - Memory based Malware (No Files) - Process Doppelgänging (poc)
Process Doppelgänging - Works on All Windows Versions
Attack works on all modern versions of Microsoft Windows operating system, starting from Windows Vista to the latest version of Windows 10.
According to the researcher, Process Doppelgänging is a fileless attack and works in four major steps as mentioned below:
- Transact—process a legitimate executable into the NTFS transaction and then overwrite it with a malicious file.
- Load—create a memory section from the modified (malicious) file.
- Rollback—rollback the transaction (deliberately failing the transaction), resulting in the removal of all the changes in the legitimate executable in a way they never existed.
- Animate—bring the doppelganger to life. Use the older implementation of Windows process loader to create a process with the previously created memory section (in step 2), which is actually malicious and never saved to disk, "making it invisible to most recording tools such as modern EDRs."
For More:
https://thehackernews.com/2017/12/malware-process-doppelganging.html
Bank Of America, HSBC or TunnelBear customers may want to take a look at this
Researchers from the UK have uncovered a serious vulnerability in the way nine banking and VPN apps handle encrypted communication that puts tens of millions of users at risk of man-in-the-middle (MitM) attacks
"Our tests find that apps from some of the world's largest banks contain the flaw, which if exploited, could enable an attacker to decrypt, view and modify traffic - including log-in credentials - from the users of the app," write Chris Mcmahon Stone, Tom Chothia, and Flavio Garcia of University of Birmingham
For More:
https://www.darkreading.com/mobile/man-in-the-middle-flaw-in-major-banking-vpn-apps-exposes-millions/d/d-id/1330586?_mc
Wednesday, December 6, 2017
Tuesday, December 5, 2017
5 computer security facts that surprise most people (including some IT Security Folks)
- Every company is hacked
- Most companies don’t know the way they are successfully attacked the most
- A criticality gulf exists between real and perceived threats
- Firewalls and antivirus software aren’t that important
- Two problems are almost 100 percent of the risk (unpatched software or a social engineering)
Remember: Most risks can be reduced with the following
- Patch regularly
- Use non-admin / root accounts for regular activities
- Think before you CLICK
- Never give away sensitive information over email or phone (unless you get it from reliable Search engines)
For More:
https://www.csoonline.com/article/3239644/data-breach/5-computer-security-facts-that-surprise-most-people.html#tk.twt_cso
Are you using one of the 33 eMail clients that could be exploited by MailSploit?
German security researcher Sabri Haddouche has discovered a set of vulnerabilities that he collectively refers to as Mailsploit, and which allow an attacker to spoof email identities, and in some cases, run malicious code on the user's computer
The real issue is the email spoofing attack that circumvents all modern anti-spoofing protection mechanisms such as DMARC (DKIM/SPF) or various spam filters.
The full list is given here:
https://docs.google.com/spreadsheets/d/1jkb_ZybbAoUA43K902lL-sB7c1HMQ78-fhQ8nowJCQk/htmlview?sle=true
For More:
https://blog.knowbe4.com/mailsploit-bypasses-dmarc-and-lets-attackers-send-spoofed-phishing-emails-on-over-33-email-clients
Could this be true or is it scaremongering - 100,000-strong botnet built on router 0-day could strike at any time
What sets this latest variant apart is its ability to exploit a recently discovered zeroday vulnerability to infect two widely used lines of home and small-office routers even when they're secured with strong passwords or have remote administration turned off altogether.
More Here:
https://arstechnica.com/information-technology/2017/12/100000-strong-botnet-built-on-router-0-day-could-strike-at-any-time
Monday, December 4, 2017
Malware (called Troubleshooter) can now perform (fake) Tech support functions.
It presents a fake BSOD (Blue Screen of Death) that appears to lock out the user. Then, a “troubleshooting wizard” pops up, masquerading as a Windows utility. It detects “issues” on the PC, and then recommends that the victim pony up $25 via PayPal to buy a package called Windows Defender Essentials to take care of them.
Malwarebytes said that it’s spreading via a cracked software installer that loads various files, including the malware. Troubleshooter then registers itself as a Windows service.
If a victim pays the $25, they are redirected to a “thank you” webpage and the malware is terminated
For More
https://www.infosecurity-magazine.com/news/tech-support-scam-malware-fake?utm_source=twitterfeed&utm_medium=twitter
Friday, December 1, 2017
STATS for RISK based security - IT professionals listed sysadmins as the biggest threat (42%) followed by C-level executives (16%).
While these executives typically have limited IT skills, their credentials are worth more to hackers than any other group.
Other targets:
For More:
https://www.infosecurity-magazine.com/news/it-staff-blame-themselves-for/
Other targets:
- Social engineering - HR and finance departments are the easiest targets.
- Insider risk - IT staff.
For More:
https://www.infosecurity-magazine.com/news/it-staff-blame-themselves-for/
Could you be one of those 40,000 consumer whose sensitive data was exposed (NOT Stolen)
Some 111GB of highly sensitive information including consumer credit histories has been exposed by the National Credit Federation as the result of yet another misconfigured Amazon Web Services (AWS) S3 cloud storage bucket.
Although the leak affected only around 40,000 consumers, the data concerned is highly sensitive, including credit reports from the big three agencies — Equifax, Experian and TransUnion.
What is the most common response by organization- Add additional data/alert feed, Don't spend time filtering/prioritizing them, eventually ignore them (did it resolve the issue?).
More Here
https://www.infosecurity-magazine.com/news/100gb-secret-consumer-credit-data
Subscribe to:
Posts (Atom)