Now, Microsoft says goodbye to common passwords




After the LinkedIn debacle, Microsoft says it will stop users from choosing easily guessable passwords in a bid to prevent a repeat of the former’s recently resurfaced fiasco. 

Microsoft’s Alex Simons said that his firm will try to avoid the same thing happening to it by preventing users from making lazy choices in passwords. 

Following last week's leak of 117 million LinkedIn customer email credentials, Microsoft has detailed how it's using the leaked list and others like it to prevent Microsoft Account users from picking passwords that appear frequently in stolen data.

Microsoft will soon launch a new Azure Active Directory (AD) feature that will let admins stop users from picking easily-guessed passwords. Microsoft will roll out the feature to over 10 million Azure AD tenants in coming months. 

IT admins will have the ability to lock down corporate email accounts automatically if the username and password for those accounts match credentials in a newly-leaked list.

Microsoft runs the list of compromised credentials through a system that compares hashes of the passwords with those stored with live accounts. If it identifies an at-risk account, Microsoft locks it and prompts the user to verify their identity and reset their password. This capability will be available to Azure AD users.
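An added sketch (not Microsoft's code) of the two checks described above: rejecting passwords that appear frequently in a leaked list, and locking live accounts whose stored hash matches a leaked credential. The salted PBKDF2 storage, the normalization rule, the `min_count` threshold and all sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 100_000  # assumed work factor, not a value from the article

def normalize(password):
    # Assumed folding rule: lower-case and undo common character swaps.
    return password.lower().translate(str.maketrans("@0$1!3", "aosiie"))

def build_banned(leaked_passwords, min_count=2):
    # Ban every password that shows up at least min_count times in the dump.
    counts = Counter(normalize(p) for p in leaked_passwords)
    return {p for p, n in counts.items() if n >= min_count}

def is_banned(candidate, banned):
    return normalize(candidate) in banned

def hash_password(password, salt):
    # Salted PBKDF2 stands in for whatever hash the service really stores.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_account(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "locked": False}

def lock_at_risk(accounts, leaked_pairs):
    # Re-hash each leaked password under the account's own salt; a match
    # means the live password is in the dump, so lock and force a reset.
    locked = []
    for username, leaked_password in leaked_pairs:
        account = accounts.get(username.lower())
        if account is None:
            continue
        candidate = hash_password(leaked_password, account["salt"])
        if hmac.compare_digest(candidate, account["hash"]):
            account["locked"] = True
            locked.append(username.lower())
    return locked

# Constructed sample dump: (username, plaintext password) pairs.
LEAKED = [
    ("alice@example.com", "Summer2016"),
    ("bob@example.com", "password"),
    ("carol@example.com", "Password"),
    ("dave@example.com", "p@ssw0rd"),
]

def demo():
    accounts = {
        "alice@example.com": make_account("Summer2016"),         # reused
        "bob@example.com": make_account("tr0ub4dor-unrelated"),  # changed
    }
    banned = build_banned(p for _, p in LEAKED)
    return lock_at_risk(accounts, LEAKED), accounts, banned
```

Because each account has its own salt, the leaked password has to be re-hashed per account; a single precomputed hash of the dump cannot be compared across users.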

Andrew Tang, service director of security at MTI said that there is very little risk with the initiative.
“We are trusting Microsoft to store and secure that password, as it will need to be checked every time it's used. Like all other systems, it's just an algorithm to check how the password is structured.”







1.4 billion yen stolen in Japan ATM heist

In Japan an international credit card fraud has come to light in which about 1.44 billion yen or more than $13 million was illegally withdrawn with forged credit cards from 1,400 automated teller machines in convenience stores around the country.

The cash was withdrawn between 5 am and 8 am on May 15 by more than 100 burglars. The time chosen helped the criminals avoid immediate detection.

The thieves apparently went to ATMs like those found in 7-11s across Japan and swiped 1,600 counterfeit South African credit cards, created using information from cards issued by South Africa's Standard Bank. Since the money machines would only let them take about $900 at a time, the hackers made thousands of withdrawals.

Suspecting the involvement of an international criminal organization, the police are planning to cooperate with overseas investigative organizations.

According to Reuters Africa, Standard Bank is estimating its total losses at 300 million rand ($19 million). The bank said none of its customers will suffer the losses from the international fraud scheme.

The ATMs are in Tokyo, Kanagawa, Aichi, Osaka, Fukuoka and other prefectures.

Police intend to identify the suspects by analyzing the images recorded by security cameras. They also plan to examine how the credit card data was leaked, in cooperation with the South African authorities via Interpol.

The fraud came to light following a report from a bank that installed some of the ATMs.

The heist comes as credit card networks like Visa and MasterCard are trying to move world markets toward uniform acceptance of chip-based cards, which are considered less vulnerable to fraud than magnetic stripe cards.

TeslaCrypt releases master key as it shuts down

TeslaCrypt has shut down, and ransomware researchers have created a tool that can decrypt files affected by recent versions of the malicious program.
Over the past few weeks, an analyst for ESET had noticed that the developers of TeslaCrypt have been slowly closing their doors, while their previous distributors have been switching over to distributing the CryptXXX ransomware. 
The ESET researcher used the support chat on the TeslaCrypt payment site to ask whether they would release the master TeslaCrypt decryption key. To his surprise and pleasure, they agreed to do so and posted it on their now defunct payment site with an apology for their acts.
“Project closed, master key for decrypt XXX…XXX, we are sorry.”
It is hard to believe that the crooks really were sorry, but it seems that the master key was genuine. The decision appears to kill off the net menace.
TeslaCrypt, which first appeared in early 2015 and often targeted gamers, landed on systems through malicious downloads, web domains that load exploit kits, and phishing campaigns. As ransomware, TeslaCrypt infected systems and encrypted user files, putting up a landing page and removing access to the PC until a ransom was paid, usually in the virtual currency Bitcoin.
What made TeslaCrypt a particularly severe case is that the developers behind the malware were very active, and researchers found it difficult to crack the software before new, even more sophisticated versions were released into the wild.
The program had some moderate success in the beginning, earning its creators $76,522 in less than two months. However, in April 2015, researchers from Cisco Systems discovered a flaw in the ransomware program that allowed them to create a decryption tool for some of its variants.
The number of TeslaCrypt attacks spiked in December and starting with version 3.0.1 of the program, which appeared in March, all encryption flaws were fixed and the existing decryption tools were rendered ineffective. That lasted until Wednesday.
A TeslaCrypt expert has been able to use the master key to update the TeslaDecoder decryption software so that it unlocks files from all versions of the ransomware that encrypt files with the .xxx, .ttt, .micro or .mp3 extensions, or leave them extensionless, without giving in to the malware's demands for payment.
With the release of the master decryption key for TeslaCrypt, victims can now download TeslaDecoder to decrypt files encrypted by TeslaCrypt.
Each computer, or more commonly each file, uses a unique, randomly chosen key that is never saved on disk, so it can’t be recovered directly.
Instead, the file encryption key is itself encrypted using a public key for which only the crooks have the corresponding private key.
It is all-but-unheard-of for ransomware authors to release a master key capable of decrypting all infected files.



Adobe Patches Flash Zero-day Vulnerability



Adobe has released a patch to fix several security-related problems with its Adobe Flash Player. Adobe released its monthly security patch that included fixes for 25 security issues, including the zero-day. It has updated Flash Player for Windows, Mac and Linux to address the vulnerabilities.


The company made an announcement to draw attention to the zero-day exploit (CVE-2016-4117) discovered by security researcher Genwei Jiang from FireEye.


While Adobe’s pre-notification advisory only mentioned CVE-2016-4117, an advisory published by Microsoft for Flash library updates for Internet Explorer and Edge showed that a total of 25 flaws would be fixed.

Adobe has also released updates for Reader, Acrobat and ColdFusion to fix nearly 100 vulnerabilities.


Last month, Adobe had pre-announced and patched a similar Flash zero-day that allowed attackers to deliver the Cerber and Locky ransomware families.


Updates for Flash running on Windows, Mac and Linux have been released and are available for download. The latest Adobe Flash Player version numbers are 21.0.0.242 for Windows and Mac, and 11.2.202.621 for Linux distros.

FBI, India and iPhone Hacking

There have been talks that India and the FBI should join hands on important investigations that involve hacking iPhones, as India can easily jailbreak iPhones and decrypt all the encrypted data.

According to the Indian government, it has been actively working to keep its electronic devices and forensic tools up to date. According to New Indian Express, Ravi Shankar Prasad, India's Communications minister, said, "A tool for mobile forensics has been developed, which handles smart phones including Apple phones."

But it has not been specified which versions of iOS are susceptible to India's forensic tools. There has been a tug of war between Apple and the FBI over encryption and privacy.

The FBI obtained a court order demanding Apple create a version of iOS that didn't include the safeguards preventing brute force attacks on lockscreen passcodes. Apple resisted and said the government didn't have the authority to force companies to make tools that defeated their product's security features.

In one case, FBI agents were trying to gain access to the iPhone 5C of San Bernardino mass shooter Syed Farook, who was killed in a police shootout; only he had the passcode for his phone. Later, the FBI found a third party to hack into the phone and dropped the case.

According to the FBI, there should be easy access to encrypted and private data, or else criminals and terrorists can go "dark", while technology companies refuse to grant access to private data and security features because that access could be exploited by others and would not be in consumers' interests.

Both the Indian government and the FBI believe in easy access to encrypted data, but the Indian government is not in favour of backdoors to get at private data, while the FBI is pushing hard for them, so for now it seems the two can't team up after all.

Hackers infiltrate another SWIFT bank

Cyber hackers infiltrated an unnamed bank on Thursday (May 12) using malware to target a PDF reader which allowed them to transfer money and tamper with bank documents, global bank transfer co-operative SWIFT said.

SWIFT, the Society for Worldwide Interbank Financial Telecommunication, is based in Belgium. More than 11,000 global banks securely transfer billions of dollars every year through the society.

SWIFT spokeswoman Natasha de Teran said that one of its members was attacked by cybercriminals in a way similar to the attack that led to February’s $81 million cyber heist at the Bangladesh central bank.

It was not immediately clear how much money, if any, was stolen in the second attack.

Though Teran declined to reveal the name of the bank, a UK-based security firm, BAE Systems, said in a blog post that it believes the second victim is a commercial bank in Vietnam.

BAE isn't directly involved in the investigation, but analysed malware samples uploaded to public repositories from locations in both Bangladesh and Vietnam and found a match. BAE said details in the code from the Bangladesh and Vietnam hacks also match a third breach, the devastating 2014 attack on Sony Pictures, which US officials attributed to North Korea. BAE said the match indicates that the same hackers may be behind all three attacks.

Confirmation of a second attack on a bank will likely increase scrutiny on the security of a network that is a linchpin of the global financial system.

SWIFT said in a statement that the attackers exhibited a "deep and sophisticated knowledge of specific operational controls" at targeted banks and may have been aided by "malicious insiders or cyber attacks, or a combination of both."

SWIFT said that hackers managed to steal enough information from a member bank that allowed them to transfer funds via SWIFT's network because the transaction would have looked legitimate and had the right credentials.

SWIFT has acknowledged that the scheme involved altering SWIFT software to hide evidence of fraudulent transfers, but said that the messaging system it controls was not compromised.

SWIFT's network is believed to be among the most secure ways in the world of transferring money, but two major breaches in the span of as many months is a concerning development for the people who run the communications network that underpins the world's financial system.

In its warning, SWIFT said customers using PDF reader applications to check confirmation messages should take particular care.

The attempted theft of almost $1 billion has prompted central banks around the globe to review defenses against hackers, along with calls by US government officials to beef up security.


Fast-food Chain Wendy's Admits POS Security Breach




North American fast-food chain Wendy’s confirmed that a recent data breach has hit around 300 of the burger chain’s 5,500 franchised stores, or about five per cent of all its restaurants in North America.

Wendy’s issued the confirmation five months after reports of a possible data breach. In January, reports emerged about a possible point-of-sale (POS) data breach at an undisclosed number of locations affiliated with Wendy's and its chain of quick-serve restaurants. On May 11, in its fiscal 2016 first-quarter financial report, the company officially confirmed that some of its locations were the victim of a POS data breach.

In its press release, Wendy's noted that the Aloha point of sale system installed in all company-operated restaurants and most franchise-operated restaurants was not impacted by the malicious activity.

"The company has worked aggressively with its investigator to identify the source of the malware and quantify the extent of the malicious cyber-attacks, and has disabled and eradicated the malware in affected restaurants," Wendy's stated. "The Company continues to work through a defined process with the payment card brands, its investigator and federal law enforcement authorities to complete the investigation."

Tod Beardsley, security research manager at cybersecurity specialist Rapid7, believes the breach illustrates a number of recurring themes with point-of-sale system-based financial crime. “The length of time the compromise went undetected, then unmitigated, is troubling news for any retailer that depends on a third-party POS vendor for security.”

Hacker finds vulnerability in Mr. Robot’s website


A white hat hacker going by the name Zemnmez found the flaw on the new promotional website for upcoming season 2 of Mr. Robot.

Mr. Robot was the biggest 'Hacking Drama' television show of 2015 and its second season will return to American TV screens on July 13, 2016.

The vulnerability could have given Zemnmez an easy way to pwn fans of the show, tricking them into giving over much of their Facebook information. But shortly after a quick note to Mr. Robot’s writer Sam Esmail, the vulnerability was closed off.

The vulnerability, known as cross-site scripting (XSS), was discovered on the day the show launched its promo for the second series. During the launch ceremony, a clip was shown of President Obama condemning a destructive attack launched on the US financial system at the end of the first series, along with a website, whoismrrobot.com, mimicking a mix of Linux command line and IRC chat. The series had already received praise for its relatively accurate portrayal of hacking, something other shows and films have failed at miserably.

USA Network’s owner NBC Universal confirmed that the website was patched late Tuesday (May 10) night, hours after Zemnmez reported the flaw.

XSS bugs are widespread. It’s the most common vulnerability class on the web.

Had the reporter been a malicious hacker, he’d have abused it to steal users’ Facebook information. In particular, he’d have targeted a section of the website that contains a quiz, whoismrrobot.com/fsociety, which requested access to players’ Facebook data. FSociety is the hacktivist collective that central character Elliot Alderson, played by Rami Malek, joins early in series one.


The flaw could also be exploited using a simple social engineering technique like phishing to get site visitors to click on a malicious link that executes the JavaScript code.

Qatar Bank Hack Leaks Royal Family, Al Jazeera Data




A massive hack attack on Qatar National Bank has taken the Gulf country by storm, leaking the names, bank passwords and other sensitive data of Qatari royal family members, alleged intelligence agents and Al Jazeera staff.

Qatar National Bank said it was investigating 'an alleged data breach' after a file that appears to contain account information began circulating online.

The 1.4GB file contained names, phone numbers, bank accounts and passwords, payment card data, PINs and other sensitive information of customers of the bank.

The data dump had nine main folders named “Al Jazeera”, “Al-Qardawi”, “Al-Thani”, “Banks, corporations”, “Defence and etc”, “Gov”, “Mukhabarat”, “Police, Security” and “Spy, Intelligence”.

The “Spy, Intelligence” folder included an array of records listed as Ministry of Defense, MI6 (the British intelligence agency) and Qatar's State Security Bureau, known as Mukhabarat.

The newspaper said the MI6 file is found next to similar files relating to Polish and French intelligence and contains in-depth reports on alleged agents, including the names of close relatives, phone numbers, credit card information and social media accounts.

A number of Al Jazeera staff said that the data found in their section of the leak is mostly accurate. Al Jazeera reporter Bernard Smith said, “The details they had for me were mostly correct – I had changed my credit cards just a few months ago after losing them, but other information such as my passwords and contact details were all accurate. I was very shocked to see my details online.”

The Qatar National Bank has released a statement saying that the leak had no financial impact on their clients or the bank, and that they are investigating the matter “in coordination with all concerned parties.”