Friday, June 29, 2018

Free - Windows Forensics Analysis Poster

For Pentesters - SMB Relay Demystified

Here is a SCAM of which anyone (in the USA) could become the next victim. If you happen to go to the emergency room of a hospital, you can be charged a “trauma fee”. Charges ranged from $1,112.00 at a hospital in Missouri to $50,659.00 at a hospital in California.



At San Francisco General Hospital, the $30,206 higher-level trauma response fee, which increased by about $2,000 last year, was approved by the San Francisco Board of Supervisors.

Example:
The hospital charged Sulvetta a $15,666 trauma response fee, a hefty chunk of her $113,336 bill. Her insurance decided that the hospital fees for the one-day stay were too high, and — after negotiations — agreed to pay only a charge it deemed reasonable. The hospital then went after Sulvetta for $31,250.

Trauma centers argue that these fees are necessary to train and maintain a full roster of trauma doctors, from surgeons to anesthesiologists, keeping them on-call and able to respond to medical emergencies at all times.
Zuckerberg San Francisco General Hospital spokesperson Brent Andrew defended the hospital’s fee of over $15,000, even though Jeong-whan didn’t require those services.
“We are the trauma center for a very large, very densely populated area. We deal with so many traumas in this city — car accidents, mass shootings, multiple vehicle collisions,” Andrew said. “It’s expensive to prepare for that.”

https://www.vox.com/2018/6/28/17506232/emergency-room-bill-fees-health-insurance-baby

If you get "vished", your bank account might get "washed" (out) - Voice + Phishing = VISHING




A type of fraud that uses the telephone system and social engineering techniques to obtain private or confidential information from people — often financial information. 

Vishing can be used to scam individual consumers or as part of more sophisticated attacks against organizations.


Many vishing calls begin with the scammer impersonating a bank employee, telling the victim that there’s been suspicious activity or another problem with his or her bank account. To resolve this issue, they’ll need to call a toll-free number and speak to a representative. This call will be directed to the scammer, who will take down the victim’s account information and later use it to transfer money out of the account. The scammers may even persuade the victims themselves to transfer the funds.

https://www.wombatsecurity.com/blog/vishing-attacks-whos-really-on-the-line

Thursday, June 28, 2018

If I avoid using the Web to manage the various accounts tied to my personal and financial data, then I will be safe - WRONG!!!



Scammers can create online accounts in someone’s name at the Internal Revenue Service, the U.S. Postal Service or the Social Security Administration.

Kerskie said she recently had a client who had almost a quarter of a million dollars taken from his bank account precisely because he declined to link his bank account to an online identity.

Plant your flag online or — as Kerskie puts it — “mark your territory” — before fraudsters do it for you. 

“The bad guy can contact your vendor/service provider, provide his personal details, and establish an online account.” Once they do that, they will be able to do anything.



https://krebsonsecurity.com/2018/06/plant-your-flag-mark-your-territory/

You think your confidential info is collected and stored only by companies that you work with - You are wrong!!! - A company that you almost certainly never heard of exposed (2TB of) detailed personal information on 230 million consumers (you could be one of them) and 110 million business contacts.


Including phone numbers, addresses, dates of birth, estimated income, number of children, age and gender of children, education level, credit rating, interests and more.
In short, “pretty much every U.S. citizen” is included in the database.

The company is Florida-based Exactis, a marketing and data aggregation firm that you almost certainly never heard of before the story made headlines courtesy of security researcher Vinny Troia.



Just ask Equifax, another company you probably never realised you had any relationship with, and yet it knew an awful lot about you.


https://www.tripwire.com/state-of-security/security-data-protection/hitherto-unknown-marketing-firm-exposed-hundreds-of-millions-of-americans-data/

Ever heard of "Privacy Intrusive Defaults"? (Hint: Facebook, Google, Microsoft) and "FREE SOFTWARE/SERVICE"



Facebook and Google have privacy intrusive defaults, where users who want the privacy friendly option have to go through a significantly longer process.


Before we cry wolf, we should remember there is no such thing as a "free service", so we have to trade something to get something "free".


The popups from Facebook, Google and Windows 10 have design, symbols and wording that nudge users away from the privacy friendly choices. Choices are worded to compel users to make certain choices, while key information is omitted or downplayed. None of them lets the user freely postpone decisions.

Also, Facebook and Google threaten users with loss of functionality or deletion of the user account if the user does not choose the privacy intrusive option.



Full Report Here:
https://fil.forbrukerradet.no/wp-content/uploads/2018/06/2018-06-27-deceived-by-design-final.pdf

If your home security camera sends (captured) video to an unknown person, would that be a bug, a feature or something funny/nice?

The BBC first learned of the (Swann home security camera) problem on Saturday, when a member of its staff began receiving motion-triggered video clips from an unknown family's kitchen.
The BBC discovered there had been a report of a similar incident in May.
Swann says that "human error" had caused two cameras to be manufactured that shared the same "bank-grade security key - which secures all communications with its owner".

One cyber-security expert has raised concern.
"I can kind of see how the duplicate security key happened, but the second scenario seemed very unlikely," Prof Alan Woodward from the University of Surrey explained.
"I'm dubious that two users unrelated other than by geographic area would choose the same username and password combination enabling one to see the live video feed of the other. 
"When both incidents are combined it does make you wonder if there are others who have had similar issues, and whether there is more at work here than has been so far explained." 

Wednesday, June 27, 2018

Firefox Monitor - A new security tool from Mozilla


Similar to the existing function of HIBP (Have I Been Pwned), Firefox Monitor allows users to enter their email addresses to check if they’re part of hacker databases that have been publicly released.


Firefox Monitor users can see the details on sites and other sources of breaches and the types of personal data exposed in each breach, and receive recommendations on what to do in the case of a data breach.

Mozilla said it is also considering a service to notify people when new breaches include their personal data

Mozilla said currently it is testing initial designs of the Firefox Monitor tool – but beginning next week, the company will invite approximately 250,000 users, mainly U.S.-based, to try it out.

https://threatpost.com/mozilla-announces-firefox-monitor-tool-testing-firefox-61/133087/

If you are serious about securing container apps, then here is an 8-Point Security Checklist.



Organizations need to think about security through the application stack both before deploying a container and throughout its life cycle. "While containers inherit many of the security features of Linux, there are some specific issues that need to be considered when it comes to the model."



  1. Secrets Management
  2. Image Provenances
  3. Visibility Into Container Workflow
  4. Standardized Configuration and Deployment
  5. Discovery and Monitoring 
  6. Container-Specific Host OS
  7. Container Risk-Prioritization
  8. Group Containers


https://www.darkreading.com/cloud/containerized-apps-an-8-point-security-checklist/d/d-id/1332045

Tuesday, June 26, 2018

Serverless apps are becoming common. Now, how do we secure them when traditional security tools/thinking do not apply?

Card skimming at the pump is easy on older pumps, but how can you differentiate between old and new pumps?



Newer pumps - Include not only custom keys for each pump, but also tamper protections that physically shut down a pump if the machine is improperly accessed. They feature a horizontal card acceptance slot along with a raised metallic keypad — much like a traditional payphone keypad and referred to in the fuel industry as a “full travel” keypad.



Older pumps - Are secured via a master key that opens not only all pumps at a given station, but in many cases all pumps of a given model made by the same manufacturer. They have a vertical card reader and a flat, membrane-based keypad.


In virtually all cases investigated by the SAPD, the incidents occurred at filling stations using older-model pumps that have not yet been upgraded with physical and digital security features which make it far more difficult for skimmer thieves to tamper with fuel pumps and siphon customer card data (and PINs from debit card users).

https://krebsonsecurity.com/2018/06/how-to-avoid-card-skimmers-at-the-pump/

Simple security flaws can steer ships off course - It all stems from simple security issues, including the failure to change default passwords (which ironically are published by the manufacturers on their own websites) or segment networks.



Researcher Ken Munro, with Pen Test Partners, on Monday showed how the attack could work and how it’s possible to manipulate a ship’s steering, propulsion, ballast and navigation data.

The weaknesses Munro found stem from several vulnerable IP network devices on ships – which are used in business systems, crew mail and web browsing.

For the proof of concept, researchers focused on serial-IP converters, including those made by Moxa and Perle Systems, which are used to send serial data over IP/Ethernet networks’ cabling. Researchers were able to use a hacker box to look at the data running through the serial-to-IP converters.

These converters have an array of security issues if not updated, he said. The web interface for configuration generally has default credentials – which ironically are published by the manufacturers on their own websites, the researcher said.

“Once you’ve got the password, you can administrate the converter,” wrote Munro. “That means complete compromise and control of the serial data it is sending to the ships engine, steering gear, ballast pumps or whatever.”

https://threatpost.com/simple-security-flaws-could-steer-ships-off-course/133071/

Monday, June 25, 2018

Can someone write a book with a title that is something like "Cloud Security for Developers"?

Researchers from mobile security firm Appthority discovered that many app developers fail to properly secure their back-end Firebase endpoints with firewalls and authentication, leaving hundreds of gigabytes of their customers' sensitive data (over 100 million data records, including plain text passwords, user IDs, location, and in some cases financial records such as banking and cryptocurrency transactions) publicly accessible to anyone.


They scanned over 2.7 million apps and found that more than 3,000 apps—2,446 Android and 600 iOS apps—were leaking a whole 2,300 databases with more than 100 million records, making it a giant breach of over 113 gigabytes of data.

https://thehackernews.com/2018/06/mobile-security-firebase-hosting.html

Build your own BOT (and sell it, if needed) for $50



Kardon is still in beta, but it promises to let customers open their own botshop, allowing the purchaser to rebuild the bot and sell access to others, creating their own clientele.

Kardon appears to be a rebrand of the ZeroCool botnet, which was previously developed by the same actor.

“Pretty much every element of cyber-crime is now part of a broader ecosystem, with hackers specializing in certain areas and then selling those skills or capabilities on the dark web to others who can then use that for a broader cyber-crime campaign.”


https://www.scmagazine.com/50-kardon-beta-malware-allows-customers-to-build-own-botnets/article/776002/

Friday, June 15, 2018

Interesting Thought (Highly recommended Article) - Modern cars are computers we put our bodies in, whereas hearing aids and pacemakers are computers we put in our bodies. This means that all of our sociopolitical problems in the future will have a computer inside them, too.



This is a very long and well-thought-out article.
I have extracted a few important points (and this itself is long).



Whether you want to be free—or want to enslave—you need control. And for that, you need this knowledge.

If your world is made of computers, then designing computers to override their owners' decisions has significant human rights implications.

Human rights and property rights both demand that computers not be designed for remote control by governments, corporations, or other outside institutions. Both ensure that owners be allowed to specify what software they're going to run.


Users of computers don't always have the same interests as the owners of computers— and, increasingly, we will be users of computers that we don't own.

It's not a good security approach: if vehicular security models depend on all the other vehicles being well-behaved and the unexpected never arising, we are dead meat.

Self-driving cars must be conservative in their approach to their own conduct, and liberal in their expectations of others' conduct.

DRM and its cousins are deployed by people who believe you can't and shouldn't be trusted to set policy on the computer you own. Likewise, IT systems are deployed by computer owners who believe that computer users can't be trusted to set policy on the computers they use.

When the computer says yes, you might need to still say no.
This is the idea that owners possess local situational awareness that can't be perfectly captured by a series of nested if/then statements.

Soul of Hayekism — we're smarter at the edge than we are in the middle.

It's easy to consider the possibility that there are going to be people — potentially a lot of people — who are "users" of computers that they don't own, and where those computers are part of their bodies.

Consider some of the following scenarios:

  • You are a minor child and your deeply religious parents pay for your cochlear implants, and ask for the software that makes it impossible for you to hear blasphemy.
  • You are broke, and a commercial company wants to sell you ad-supported implants that listen in on your conversations and insert "discussions about the brands you love".
  • Your government is willing to install cochlear implants, but they will archive everything you hear and review it without your knowledge or consent.

Far-fetched? The Canadian border agency was just forced to abandon a plan to fill the nation's airports with hidden high-sensitivity mics that were intended to record everyone's conversations.
Will the Iranian government, or Chinese government, take advantage of this if they get the chance?

Here are four major customers for the existing censorware/spyware/lockware industry: 

  1. repressive governments
  2. large corporations 
  3. schools
  4. paranoid parents.


I'm an attorney, doctor, corporate executive, or merely a human who doesn't like the idea of his private stuff being available to anyone who is friends with a dirty cop.

  • So, at this point, I give the three-finger salute with the F-keys. This drops the computer into a minimal bootloader shell, one that invites me to give the net-address of an alternative OS, or to insert my own thumb-drive and boot into an operating system there instead.
  • The cafe owner's OS is parked and I can't see inside it. But the bootloader can assure me that it is dormant and not spying on me as my OS fires up. When it's done, all my working files are trashed, and the minimal bootloader confirms it.
This keeps the computer's owner from spying on me, and keeps me from leaving malware on the computer to attack its owner.

Fundamentally, this is the difference between freedom and openness — between free software and open source.

The potential for abuse in a world made of computers is much greater: 

  • Your car drives itself to the repo yard. 
  • Your high-rise apartment building switches off its elevators and climate systems, stranding thousands of people until a disputed license payment is settled.

Sounds fanciful? This has already happened with multi-level parking garages.
Back in 2006, a 314-car Robotic Parking model RPS1000 garage in Hoboken, New Jersey, took all the cars in its guts hostage, locking down the software until the garage's owners paid a licensing bill that they disputed.

https://boingboing.net/2012/08/23/civilwar.html
Thursday, June 14, 2018

Is this Funny - Former FBI Director James Comey, who led the investigation into Hillary Clinton's use of personal email while secretary of state, also used his personal email to conduct official business.



In three of the five examples, investigators said Comey sent drafts he had written from his FBI email to his personal account.

In one instance, he sent a "proposed post-election message for all FBI employees that was entitled 'Midyear thoughts,'" the report states. In another instance, Comey again "sent multiple drafts of a proposed year-end message to FBI employees" from his FBI account to his personal email account.

In other instances, Comey sent himself an email of "proposed responses to two requests for information from the Office of Special Counsel" that contained two attachments. One attachment was "a certification for Comey to sign" and the other was "a list of FBI employees" that included "their titles, office, appointment status, contact information, and duty hours."

https://www.buzzfeed.com/talalansari/james-comey-personal-email-use

Remember the term "Snake oil salesman" - Canadian company Tapplock sells a product that claims “unbreakable design” (Unbreakable for less than 2 seconds).


Tapplock claims that unlocking takes just 0.8 seconds; unfortunately, it takes only 2 seconds to break in.
Additionally, they found that the protocol used to grant multiple users access couldn’t handle revocation.

That’s a fancy way of saying that the unlock code transmitted to the lock was identical for every user, which is like having the same password for every account on a server – if one person goes rogue, you can’t lock them out without locking everyone else out, too.

Free Utility to disable risky features in Windows OS, MS Office and in Adobe.




Generic Windows Features

  • Disables Windows Script Host.
  • Disables AutoRun and AutoPlay.
  • Disables powershell.exe, powershell_ise.exe and cmd.exe execution via Windows Explorer.
  • Sets User Account Control (UAC) to always ask for permission.
  • Disables file extensions mainly used for malicious purposes: the ".hta", ".js", ".JSE", ".WSH", ".WSF", ".scf", ".scr", ".vbs", ".vbe" and ".pif" file extensions.



Microsoft Office

  • Disables Macros.
  • Disables OLE object execution.
  • Disables ActiveX.
  • Disables DDE.




Acrobat Reader

  • Disable JavaScript in PDF documents.
  • Disable execution of objects embedded in PDF documents.
  • Switch on the Protected Mode
  • Switch on Enhanced Security


https://github.com/securitywithoutborders/hardentools

Wednesday, June 13, 2018

Blockchain - Security information is limited to the integrity of the ledger and the tech supporting it. There is little talk about associated threats like phishing, malware, implementation exploits, and tech vulnerabilities.


McAfee's team broke blockchain threats into four groups:

  1. Phishing - To obtain cryptocurrencies
  2. Malware - Like Cryptojacking
  3. Implementation exploits - When the implementer / user doesn't understand the tech
  4. Tech vulnerabilities - When best practices are ignored



https://www.darkreading.com/vulnerabilities---threats/blockchain-all-the-rage-but-comes-with-numerous-risks/d/d-id/1332038

Why steal data when admins can expose it for you? Check "Misconfig" below.


Did you know that Cortana could allow hackers to break into a locked Windows 10 system and execute malicious commands with the user's privileges? MS has released a patch for this vulnerability. Now it is your responsibility to apply the patch.


"An Elevation of Privilege vulnerability exists when Cortana retrieves data from user input services without consideration for status," Microsoft explains. "An attacker who successfully exploited the vulnerability could execute commands with elevated permissions."

Microsoft has classified the flaw as "important" because exploitation of this vulnerability requires an attacker to have physical or console access to the targeted system and the targeted system also needs to have Cortana enabled.

In the worst-case scenario, hackers could also compromise the system completely if the user has elevated privileges on the targeted system.

https://thehackernews.com/2018/06/cortana-hack-windows-password.html

Tuesday, June 12, 2018

"Frequency Hopping" Transmitter (MIT Invention) could secure, among other products, "medical devices, such as insulin pumps and pacemakers, that could be attacked if a hacker wants to harm someone."



Traditional frequency hopping breaks data down into large packets, but the process is just slow enough for adept hackers to still attack them. However, the new transmitter hops each individual "1" or "0" bit to a unique, random frequency every microsecond. Attackers simply cannot keep up with such a frenetic pace, the release explains.

The transmitter works by leveraging bulk acoustic wave (BAW) resonators, which can quickly shift between RF channel frequencies. Although BAW resonators typically only span four to five megahertz of frequency channels, the researchers were able to divide their resonator's frequencies into about 80 channels, thereby making the technology viable.


https://www.scmagazine.com/mit-researchers-develop-frequency-hopping-transmitter-that-fends-off-attackers/article/772638/

Three important pieces of advice (Patch, Patch and Patch) - June 2018 MS Patch Tuesday: 11 Critical and 39 Important Security Updates

New security features in upcoming iOS 12



  • USB Restricted Mode - kills off two iPhone unlocking tools used by police forces around the world.
  • End-to-end encryption for group calls.
  • Privacy enhancement to prevent tracking



https://arstechnica.com/information-technology/2018/06/a-host-of-new-security-enhancements-is-coming-to-ios-and-macos/

Another (in)security admin error - By not properly protecting the administration console, Weight Watchers provided all the keys and information needed to gain full root access to their entire cluster. It was too easy.


A critical server for popular weight-loss service Weight Watchers was left unprotected, allowing researchers to take a bite out of dozens of exposed S3 buckets containing company data and AWS access keys.

Researchers at Kromtech Security said that they discovered a Weight Watchers Kubernetes administration console earlier this month that was accessible over the Internet – without any password protection.





https://threatpost.com/unprotected-server-exposes-weight-watchers-internal-it-infrastructure/132713/

Remember, good technology is no match for BAD implementation - a flaw in how third-party security tools use Apple's code-signing API could make it easier for malicious programs to bypass the security check, potentially leaving millions of Apple users vulnerable to hackers.


NOTE - This is NOT a vulnerability in macOS itself but a flaw in how third-party security tools implemented Apple's code-signing API.

The code-signing mechanism is a vital weapon in the fight against malware: it helps users identify who has signed an app and also provides reasonable proof that it has not been altered.


However, Pitts found that the mechanism used by most products to check digital signatures is trivial to bypass, allowing malicious files bundled with legitimate Apple-signed code to effectively make the malware look like it has been signed by Apple.


https://thehackernews.com/2018/06/apple-mac-code-signing.html

Monday, June 11, 2018

In the computer world the word "Debug" generally means something "temporary" that is meant for troubleshooting. Unfortunately, countless Android devices, including DVRs, mobile telephones, Android smart TVs, and even tankers, are open to attack after being shipped with a debug port (TCP 5555) left unsecured, which lets attackers silently install software and execute malicious code, without any need for a password.

Android Debug Bridge (ADB) is a feature that allows developers to communicate with an Android device remotely, executing commands, and – if necessary – taking full remote control.

A network worm called ADB.Miner has been seen scanning across the internet to see where TCP port 5555 used by ADB has been left open, in an attempt to create a cryptomining botnet.

https://hotforsecurity.bitdefender.com/blog/tens-of-thousands-of-android-devices-are-leaving-their-debug-port-exposed-20012.html

Security Awareness


How to defend against a homoglyph attack (recently happened to WhatsApp users)


Chrome:
Install Phish.ai's extension - It helps by showing a big red window every time the user is attempting to access a domain containing Unicode characters.

Firefox:
Firefox users can enable homograph attack detection by enabling "IDN_show_punycode" inside about:config.
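Both defences above work the same way: the Chrome extension flags any host that contains Unicode characters, and the Firefox preference (its full name is network.IDN_show_punycode) makes the browser display the punycode form instead of the look-alike letters. The script below is an added example, not code from the post, Phish.ai or Mozilla. It applies the same two checks to a URL in Python: it decodes punycode, reports the punycode form of any Unicode host, and rates a host whose letters come from more than one script (the classic homoglyph case, such as a Cyrillic "а" inside an otherwise Latin name) as high risk. All hostnames used with it here are constructed.

```python
import unicodedata
from urllib.parse import urlsplit


def _script_of(ch):
    # Approximate a character's script by the first word of its Unicode name,
    # e.g. "LATIN SMALL LETTER A" -> "LATIN", "CYRILLIC SMALL LETTER A" -> "CYRILLIC".
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def analyze_host(host):
    """Describe the homoglyph risk of a hostname given in Unicode or punycode form."""
    malformed = False
    unicode_labels = []
    for label in host.rstrip(".").lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                malformed = True  # punycode that does not decode cleanly is itself suspicious
        unicode_labels.append(label)
    unicode_host = ".".join(unicode_labels)

    try:
        punycode_host = unicode_host.encode("idna").decode("ascii")
    except UnicodeError:
        malformed = True
        punycode_host = host

    # Which scripts do the letters of the host come from? Digits and hyphens are ignored.
    scripts = sorted({_script_of(c) for c in unicode_host if c.isalpha()})
    non_ascii = any(ord(c) > 127 for c in unicode_host)

    if malformed or len(scripts) > 1:
        risk = "high"      # mixed scripts: the look-alike pattern used by homoglyph domains
    elif non_ascii:
        risk = "medium"    # a single non-Latin script: show the punycode so the user sees it
    else:
        risk = "none"

    return {"unicode": unicode_host, "punycode": punycode_host, "scripts": scripts, "risk": risk}


def check_url(url):
    """Verdict for the host part of a URL, or None when the URL carries no host."""
    host = urlsplit(url).hostname
    return analyze_host(host) if host else None


if __name__ == "__main__":
    # Constructed sample: a Latin name with one Cyrillic letter swapped in.
    for sample in ("https://www.whatsapp.com/", "https://wh\u0430tsapp.com/free-tickets"):
        print(sample, check_url(sample))
```

A browser extension would block or warn on anything rated "medium" or "high"; a mail gateway or proxy log review can run the same function over every host it sees and keep only the flagged ones.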

https://www.tripwire.com/state-of-security/featured/whatsapp-users-targeted-by-homoglyph-attack-peddling-free-tickets-to-theme-park/

Friday, June 8, 2018

Don't forget to patch your Adobe Flash player - Adobe has patched two critical and two important vulnerabilities in its Flash Player on Thursday, including one that is being exploited in the wild in targeted attacks against Windows users.

Another example that confirms that your business partner's or vendor's security issues can hurt your business



Cybercriminals recently launched a phishing campaign targeting Booking.com customers whose information was illegally obtained, possibly by breaching certain partner hotels.

According to a June 3 report from The Sun, users have received WhatsApp and text messages warning them to change their passwords following a supposed security breach. By clicking on the accompanying malicious link, victims are unknowingly giving the adversaries access to their bookings.

Booking.com reportedly told the Sun that the information was likely obtained by breaching certain hotels that it works with via a portal website separate from the travel company's main systems.

https://www.scmagazine.com/cybercriminals-phish-bookingcom-customers-after-possibly-breaching-partner-hotels/article/771091/

A Facebook bug switched 14 million members' posts from private to public.



The social media giant revealed Thursday that it recently found a bug that automatically updated the default audience setting for 14 million users' Facebook posts to "Public," even if they had intended to share them just with their friends, or a smaller group of people only.

The bug, which was introduced while the company was testing a new feature, was live for a period of 4 days between May 18 and May 22.

https://thehackernews.com/2018/06/facebook-privacy-setting.html

New free Cyberwarranty - For Ransomware offered by SentinelOne to its customers



SentinelOne, the company transforming endpoint security by delivering real-time protection powered by machine learning and intelligent automation, today announced a cyber threat protection warranty to provide customers with financial protection in the event of ransomware attacks on their networks.

SentinelOne’s cyber threat protection warranty program provides its customers with financial support of $1,000 per endpoint, or up to $1 million per company.

https://www.sentinelone.com/press/sentinelone-establishes-1-million-cyber-threat-protection-guarantee/

Thursday, June 7, 2018

Wednesday, June 6, 2018

Where would you like to spend your Cyber Awareness training dollars? - Hint - Employees who engage in the riskiest cyber behavior tend to be sales and marketing professionals, high-level executives and, most surprisingly, millennials.



This comes from Ahold, which operates 21 food chains across 11 countries and collectively employs more than 375,000 associates. It conducts periodic internal phishing simulation campaigns to identify workers who fall for such scams, and uses analytics to interpret the results.

Schreiber said sales and marketing professionals tend to be cyber-risk-prone because they're "very focused on the customer and just less focused on data protection." Millennials, on the other hand, tend to be more cyber aware, yet still engage in risky behavior, perhaps because they are too comfortable with the digital lifestyle.


https://www.scmagazine.com/supermarket-retailer-ciso-identifies-millennials-sales-and-marketing-pros-as-riskiest-employees/article/769950/

CIS Critical Security Controls version 7 has been available since March. It now has three broad categories and has been modified to align with the latest cyber threat data and reflect today’s current threat environment.

You can download the PDF and the EXCEL sheet here (needs email registration)

https://learn.cisecurity.org/20-controls-download


I am sure you know this - the point of an end-to-end encrypted messaging app like WhatsApp is that the messages are unreadable to anyone who intercepts them. But are you aware of this (read below)?

 If you keep those messages on your device, or worse, you back them up unencrypted to the cloud—be it iCloud or Google Drive—you open the door for authorities to obtain them with court orders, effectively making the original encryption pointless.


Check this incident:
https://motherboard.vice.com/en_us/article/zm8q43/paul-manafort-icloud-whatsapp-bad-opsec-witness-tampering

Do you use Trello? - It is time to check if your admin or your vendor's admins have "misconfigured" it to expose credentials.



Examples:
Seceon is a Westford, Mass. cybersecurity firm that touts the ability to detect and stop data breaches in real time. But until a few weeks ago the Trello page for Seceon featured multiple usernames and passwords, including credentials to log in to the company’s WordPress blog and iPage domain hosting.

A senior software engineer working for Red Hat Linux in October 2017 posted administrative credentials to two different servers.

Maricopa County Department of Public Health (MCDPH) in California used public Trello boards to document a host of internal resources that are typically found behind corporate intranets, such as a board that aggregated information for new hires (including information about how to navigate the MCDPH’s payroll system).

A public Trello page maintained by HealthIT.gov — the official Web site of the National Coordinator for Health Information Technology, a component of the U.S. Department of Health and Human Services (HHS) — was leaking credentials.


https://krebsonsecurity.com/2018/06/further-down-the-trello-rabbit-hole/

Tuesday, June 5, 2018

Monday, June 4, 2018

Why is "misconfiguration" becoming a common theme for data exposure? New story: sysadmins have left thousands of Redis instances exposed on the Internet without setting authentication. (Here is the bad news: Redis is designed to be accessed inside trusted environments, so it should not be exposed on the Internet at all.)



Redis, or REmote DIctionary Server, is an open source, widely popular data structure tool that can be used as an in-memory distributed database, message broker or cache. Since it is designed to be accessed inside trusted environments, it should not be exposed on the Internet.

A massive malware campaign designed to target open Redis servers, about which researchers warned almost two months ago, has now grown and already hijacked at least 75% of the total servers running publicly accessible Redis instances.

Out of the total compromised servers, 68 percent of systems were found infected using similar keys, named "backup1, backup2, backup3," which were attacked from a medium-sized botnet located in China (86% of IPs), according to the data Imperva collected.

Moreover, the attackers have now been found using the compromised servers as a proxy to scan for and find vulnerabilities, including SQL injection, cross-site scripting, malicious file uploads, and remote code execution, in other websites.



https://thehackernews.com/2018/06/redis-server-hacking.html
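The Redis exposure described above comes down to a handful of configuration directives. The following audit script is an added example (not from the original post, Imperva, or the Redis project): it parses a `redis.conf`, flags the settings that turn a trusted-network service into an Internet-reachable unauthenticated one, and contrasts a constructed "exposed" sample with a constructed hardened one. The directive names (`bind`, `protected-mode`, `requirepass`, `rename-command`) are real Redis directives; both sample configs and the password placeholder are constructed for illustration.

```python
"""Audit a redis.conf for the exposure pattern discussed above (added example).

The two sample configs below are constructed for illustration; they are not
taken from any real server.
"""
from typing import Dict, List

# Constructed sample: the kind of config that ends up exposed on the Internet.
EXPOSED_CONF = """
# redis.conf (constructed sample, NOT a real server's file)
bind 0.0.0.0
protected-mode no
port 6379
# requirepass left commented out
"""

# Constructed sample: the same server limited to loopback, with auth and
# dangerous admin commands disabled. The password is a placeholder.
HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass CHANGE-ME-long-random-secret
rename-command CONFIG ""
rename-command FLUSHALL ""
"""

# Addresses that make Redis listen on every interface.
WILDCARD_BINDS = {"0.0.0.0", "::", "*"}


def parse_redis_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to a list of argument lists, skipping comments.

    Redis allows some directives (e.g. rename-command) to repeat, so every
    occurrence is kept in order.
    """
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def audit_redis_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means no check fired."""
    conf = parse_redis_conf(text)
    findings: List[str] = []

    # 1. Reachability: with no 'bind' at all Redis listens on all interfaces.
    binds = conf.get("bind")
    if not binds:
        findings.append("no 'bind' directive: Redis listens on all interfaces")
    else:
        addrs = {a for args in binds for a in args}
        if addrs & WILDCARD_BINDS:
            findings.append("bind includes a wildcard address: reachable from any network")

    # 2. protected-mode refuses non-loopback clients when no bind/password is
    #    configured; switching it off removes that safety net.
    pm = conf.get("protected-mode")
    if pm and pm[-1] and pm[-1][0].lower() == "no":
        findings.append("protected-mode is 'no'")

    # 3. Authentication: absent or empty requirepass means anyone who can
    #    reach the port can run any command (including CONFIG SET dir/dbfilename).
    rp = conf.get("requirepass")
    if not rp or not rp[-1] or rp[-1][0].strip("\"'") == "":
        findings.append("no 'requirepass': unauthenticated access")

    # 4. Admin commands left under their default names.
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    for cmd in ("CONFIG", "FLUSHALL"):
        if cmd not in renamed:
            findings.append(f"{cmd} command not renamed/disabled")
    return findings


if __name__ == "__main__":
    for name, sample in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_redis_conf(sample) or 'no findings'}")
```

Run it against your own `redis.conf` by passing the file contents to `audit_redis_conf`; the config-level checks complement, but do not replace, a network-level check that port 6379 is not reachable from the Internet.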

Having a Twitter account for your company is good, but ensure that it does not get compromised. Here is a story about Buffalo Wild Wings.



Around 7:30 pm ET an unknown hacker managed to send six tweets from the company's verified account including one referencing Wendy's and a bigoted attack toward media personality Tariq Nasheed using a racial slur, before either dropping the account or losing access.

The tweets were up for about 20 minutes before they were deleted.

https://www.scmagazine.com/buffalo-wild-wings-apologizes-after-racist-tirade-from-hacked-account/article/770919/

Interesting dual-purpose SCAM: steal from the victims and also use them to create fake testimonials on YouTube.



Remote-access scammers trick their victims into handing over big money — as well as control of their computers — in return for fake fixes for technical problems that never existed.

The scammers then post the videos to their YouTube page, using them as testimonials to convince future targets that their services are legitimate.


http://www.abc.net.au/news/2018-06-03/australian-web-cams-hacked-to-make-secret-recordings-online/9807960

Friday, June 1, 2018

Along with the "Weakest link", do not forget the "high-risk link" (your cloud app admin) in your security chain. Example - Misconfigured Google Groups can leak sensitive info.



Google Groups are private by default. Many businesses have this configured to "Public on the Internet." As a result, Google Groups can leak emails and expose passwords, financial data, and employee names, addresses, and email addresses.

More than 9,600 institutions - including hospitals, universities, media companies, government agencies, and Fortune 500 organizations - have public Google Groups settings. Of these, researchers found 3,000 are currently leaking some form of sensitive email.

It's not just customer data at risk. Google Groups configured to Public can also leave corporate data and internal resources open to the Internet. Kenna's investigation unearthed real emails with GitHub credentials, password recovery, invoices, and suspension documents.

https://www.darkreading.com/cloud/google-groups-misconfiguration-exposes-corporate-data/d/d-id/1331951

Old but Useful - If you are a victim of Identity theft - What should you do next?

A 12-point checklist for victims of identity theft:


  1. Change all account passwords
  2. Notify affected creditors or bank
  3. Put a fraud alert on your credit report
  4. Check your credit reports
  5. Consider putting a credit freeze on your reports
  6. Contact the FTC - https://www.identitytheft.gov/
  7. Go to the police
  8. Send creditors a copy of your ID theft report
  9. Contact credit reporting agencies
  10. Contact the Social Security fraud hot line - 1-800-269-0271 / https://www.socialsecurity.gov/fraudreport/oig/public_fraud_reporting/form.htm
  11. Get a new driver’s license
  12. Contact your telephone and utility companies




https://www.bankrate.com/finance/credit/steps-for-victims-of-identity-fraud.aspx

Blockchain and smart contracts - 6 Common Misconceptions




  1. THE MAIN BENEFICIARIES OF BLOCKCHAIN TECHNOLOGY ARE CRIMINALS
  2. BLOCKCHAIN IS UNHACKABLE AND UNMODIFIABLE
  3. A BLOCKCHAIN NETWORK CAN BE SHUT DOWN BY THE GOVERNMENT
  4. SMART CONTRACTS ARE LEGALLY BINDING CONTRACTS
  5. SMART CONTRACTS OPERATE WITH COMPLETE AUTONOMY
  6. ALL SMART CONTRACTS HAVE THE SAME FEATURES



https://www.tripwire.com/state-of-security/risk-based-security-for-executives/connecting-security-to-the-business/6-common-misconceptions-about-the-security-of-blockchain-technology-and-smart-contract/

You worry about the "weakest link in the security chain"; how about the "high-risk link", your cloud app admin? Need evidence?



(1) A Universal Music Group contractor neglected to protect an Apache Airflow server.

(2) A Honda affiliate in India left two Amazon S3 buckets misconfigured for more than a year.


The Honda mistake affects 50,000 users of the Honda Connect App, which is used to manage automobile service and maintenance. It can also pair with the car to offer vehicle health monitoring, “find my car” capability, trip analysis and an SOS function for emergencies.

A cybercriminal could know “where someone’s car is currently located, where they went, where they typically drive, how they drive, and where they start and stop.”


https://threatpost.com/honda-universal-music-group-expose-sensitive-data-in-misconfig-blunders/132451/