Astoria - Researchers develop a new Tor client which aims to beat NSA


With an aim to beat powerful intelligence: like NSA, researchers have developed Astoria, a new Tor client which is said to be capable of protecting user’s privacy, even from such powerful intelligence agencies.

A cyber security researcher team from America and Israel come up with a new Tor client which is designed to make spying more difficult for the world's most capable intelligence agencies.

According to the research paper, people have used Tor, a popular anonymity system for users who wish to access the Internet anonymously or circumvent censorship, to prevent their activity from being tracked as Internet anonymity becoming difficult to establish.

However, Tor is not as safe as it was supposed to be, from the powerful intelligence agencies.

As a result the researchers have developed Astoria, which particularly focuses on defeating autonomous systems that has set up to intrude into Tor’s anonymity.

“In our experiments, we find that 58% of all circuits created by Tor are vulnerable to attacks by timing correlation and colluding sibling ASes. We find that in some regions (notably, China) there exist a number of cases where it is not possible for Tor to construct a circuit that is safe from these correlation attacks,” said in the research paper.

It added, “To mitigate the threat of such attacks, we build Astoria, an AS-aware Tor client. Astoria uses leverages recent developments in network measurement to perform pathprediction and intelligent relay selection. It not only reduces the number of vulnerable circuits to 5.8%, but also considers how circuits should be created when there are no safe possibilities. It performs load balancing across the Tor network, so as to not overload low capacity relays. Moreover, it provides reasonable performance even in its most secure configuration.”

The Astoria is aimed to do a list of things:
• Deal with asymmetric attackers.
• Deal with the possibility of colluding attackers.
• Consider the worst case possibility.
• Minimize performance impact.

Hack In Paris 5th edition - The French Cyber Security Conference

 Sysdream, a French company which provides auditing skills and training from an attacker’s perspective to those companies which require a high level of security for their information systems, is organizing 5th edition of Hack in Paris (HIP) from 15th June to 19th this year in France.

The HIP, which is said to be the most awaited event for security professionals, includes training and conferences sessions.

According to an announcement, the event, which will be entirely in English, brings IT security professionals like: information system directors, managers and security officers together with hacking experts.

The announcement said for the first three days, the participants will be given 13 training classes by international experts like: Aditya Gupta, founder of Attify, Peter Van Eeckhoutte, founder of Corelan Team, Richard Hollis, Chief Executive Officer of Risk Factory Limited, Mario Heiderich, security researcher, Nikhil Mittal, researcher, Gnesa Gianni, security research and professional trainer at Ptrace Security and many others.

The training will be given on various topics like: ANDROID/IOS EXPLOITATION, CORELAN “ADVANCED”, CORELAN “FOUNDATIONS”, DESIGNING AN EFFECTIVE 27001 ISMS, HACKING WEB APPLICATIONS – CASE STUDIES OF AWARD-WINNING BUGS IN GOOGLE, YAHOO, MOZILLA AND MORe, HARDWARE HACKING LABORATORY FOR SOFTWARE PENTESTERS, IOS APPLICATION EXPLOITATION, MASTERING BURP SUITE PRO - 100% HANDS-ON and among others.

The training session will be held at Sysdream, 14 Place Marie-Jeanne Bassot,92300 Levallois-Perret France.

More details available about the training at: https://www.hackinparis.com/trainings-2015

On the remaining two days of the HIP, there will be 16 talks, including two keynote addresses and one debate with world-renowned speakers like: Winn Schwartau, Jose Lopes Esteves, Chaouki Kasmi, Mario Heiderich and others.
The conference will be held at Académie Fratellini, 1-9 rue des Cheminots 93210 La Plaine Saint Denis France.

More details available about the conferences at: https://www.hackinparis.com/talks-2015

‘India should learn from Russia and China agreement’ says security expert

India should learn from the recent cyber-security agreement between Russia and China where both of the countries have agreed to not launch cyber-security attack against each other said an Indian cyber-security expert on Thursday.

J. Prasanna, cyber-security expert and one of the founders of Cyber Security and Privacy Foundation (CSPF), an organization which solves the cyber security problems, said that India should join such initiatives as it provides a chance to share information among law enforcements of different countries.  

“The agreement is good for China and Russia,” he said.

“However, such agreements are only possible when both of the sides (countries) have equal capabilities,” said Prasanna. “Similarly, they should have advanced cyber capabilities.”

According to the agreement, which was signed on May 8 and provided by The Wall Street Journal, Russia and China agreed to share information between law enforcement agencies, share technologies and ensure security of information infrastructure.

Similarly, these countries have agreed to not “destabilize the internal political and socio-economic atmosphere," or "interfere with the internal affairs of the state".

The agreement is said to be the result of the revelations about US and Western nation hacking and surveillance operations by former US National Security Agency contractor, Edward Snowden. After the revelations, Russian lawmakers had demanded for tighter control over the Internet.

It is also believed that the agreement shows that Beijing and Moscow support changes to global Internet governance that would reduce the traditional role of the U.S.

Last year, Russian Communication Minister Nikolai Nikiforov said Russia was preparing an action plan as a backup plan in case the segment of the Internet was shut down from outside.

“For Russia the agreement with China to cooperate on cyber security is an important step in terms of pivoting to the East,” Oleg Demidov, a cyber-security consultant at the PIR Center, an independent think tank focusing on international security, told to The Wall Street Journal. “The level of cooperation between Russian and China will set a precedent for two global cyber security powers,” Mr. Demidov said.

Telstra reveals security breach in Pacnet's IT network

Australia’s biggest telecoms company Telstra revealed that the corporate IT network of Pacnet, the company acquired by it  on April 16 this year, has been hacked.

This breach came into light shortly after it finished the acquisition of Pacnet Limited, a Singapore and Hong Kong based telecommunications provider that offers data center services to multinational companies and governments in Asia-Pacific Region.


The telecom company cited that the investigations have revealed that a third party had accessed  Pacnet’s corporate network through a SQL vulnerability and led to the hacking of admin and user testimonials.

 “We immediately addressed the security vulnerability that allowed access to the network, removed all known malicious software and put in place additional monitoring and incident response capabilities that we routinely apply to all our networks.”, Mike Burgess, Chief Information Security Officer, Corporate Security and Investigations of Telstra quoted in an announcement.

It was also clarified by Telstra that the Pacnet corporate IT network is not connected to it and there has been no proof of any activity on Telstra’s network.

"We have had no contact from the perpetrators so we don't know the reason behind it or who was involved,”,quoted Burgess.

The telecom company has stated that it will now talk to its customers to make them aware of what has exactly happened in the breach and how is the company responding to it.

Penn State College of Engineering disables its network after two cyber attacks


The Penn State College of Engineering’s computer network has been temporarily disconnected from the Internet after its system was targeted by two cyber-attacks which were said to be advanced persistent threat and one of which was carried out by a threat actor based in China, using advanced malware.


“This was an advanced attack against our College of Engineering by very sophisticated threat actors,” said Eric J. Barron, President of the Penn State, wrote in a message on May 15.

“University leadership announced that our College of Engineering has been the target of two highly sophisticated cyberattacks. So, as a response, the college’s computer network has been disconnected from the Internet. Our experts expect the network to be back up and running in several days,” he 
added.

The Penn State officials announced on May 15 that FireEye Cybersecurity Forensic Unit Mandian, which was hired by the college, discovered the breach and confirmed that at least one of the two attacks to the college system was from China.

Now, the system has been disabled by the college to securely recover.

“In order to protect the college’s network infrastructure as well as critical research data from a malicious attack, it was important that the attackers remained unaware of our efforts to investigate and prepare for a full-scale remediation,” said Nicholas P. Jones, Executive Vice-President and Provost at the Penn State. “Any abnormal action by individual users could have induced additional unwelcome activity, potentially making the situation even worse.”

The college wrote that it has taken up plans to allow engineering faculty, staff and students to their and to upgrade affected computer hardware and fortify the network against future attack. The outage is expected to last for several days, and the effects of the recovery will largely be limited to the College of Engineering.

 “I encourage all College of Engineering faculty, staff and students to visit http://SecurePennState.psu.edu/ for the latest information about steps they will need to take as the college recovers from the attack. This website also includes general information for all members of the Penn State community, including steps that all can take to safeguard their critical information, above and beyond the protections that already are in place,” Barron wrote.

According to the announcement, the FBI on 21 Nov, 2014 informed the Penn State about the cyberattack of unknown origin and scope on the College of Engineering network by an outside entity.

Soon after, the security experts from Penn State started working on a task to identify the nature of the possible attack and to take appropriate action, including the enlistment of third-party experts, chief of the Mandiant.

An investigation was carried out in every computer networks of the college.

Similarly, the University leadership reached out selectively to key administrators, academic leaders and IT professionals in the college. The IT officials also have taken steps to preserve critical data.

“Penn State should be commended for acting quickly to address these breaches, immediately launching a comprehensive internal investigation into the FBI’s report and retaining leading third-party computer forensic experts to assist in the investigation,” said Nick Bennett, senior manager of Mandiant. “These types of advanced attacks are difficult to detect and often linked to international threat actors which are ‘the new normal.”

According to the announcement, the researchers are yet to find any evidence to suggest that research data or any personal information such as social security or credit card numbers have been stolen. 

However, they have evidence that a number of College of Engineering-issued usernames and passwords have been compromised.

In order to ensure the safety of College of Engineering faculty and staff at University Park and students at all Penn State campuses who recently have taken at least one engineering course, the college has requested them to choose new passwords for their Penn State access accounts.

Hackers try to attack German parliament Bundestag


The officials of Bundestag, lower house of German parliament, on May 15 confirmed that its IT system has been attacked by hackers.  

Ernst Hebeker, spokesperson at the Bundestag, said in Berlin, that the hackers targeted on the IT systems of the parliament.

He added that the experts, associated with Bundestag administration and the government office for Information Technology Security (BSI) are working to fend off the hackers.

According to Spiegel Online, the IT specialists from the parliament noticed several days ago that someone was trying to gain access to the Bundestag’s internal network in a serious attack.

However, there is no information about, whether any computers containing sensitive information were penetrated or not.

MPs and their assistants from several parties, who were already warned about the attack on Friday morning, were told that the network would be shut down in the afternoon (May 15).

The Bundestag’s computers were temporarily switched off, including systems containing information on the inquiry into spying by the U.S. National Security Agency (NSA) in Germany.

Earlier in January, the Bundestag and Chancellery were attacked from hackers which resulting both institutions paralysed for several hours.

According to the officials, a pro-Russian hacker group in Ukraine claimed responsibility.

Details of 400,000 users leaked as mSpy is hacked


The mobile spying software service, mSpy has been allegedly hacked and personal data of about 400,000 customers released in the Deep Web.

mSpy, a software as a service product claims to help about 2 million people by helping them track the mobile activities of their partners or kids. The hacking of their servers came to light after KrebsOnSecurity received an anonymous tip with a link to a Tor-based site.

The site contained data about Apple IDs and passwords, tracking data, payment details on some 145,000 successful transactions, pictures, calendar data, corporate email threads, and very private conversations. Also included are emails from the people who have requested services of mSpy.

Sites like these are difficult to be suspended as they are hosted in the deep web, away from the indexing and registration in the regular search engines and can be accessed only via Tor.

While the unknown hackers claim to have data about 400,000 users, the company has not responded to repeated requests for an official confirmation.

It is not clear where the company is based but it seems to be tied to a presently defunct company called MTechnology Ltd. The founders are self-styled programmers Aleksey Fedorchuk and Pavel Daletski. The brand is involved in a trademark dispute with an US based company called Retina X studios that makes a similar product called MobileSpy.

The US courts are generally strict with companies like these, as has been indicated by past incidents and maintain that “Advertising and selling spyware technology is a criminal offense, and such conduct will be aggressively pursued by this office and our law enforcement partners”

While law takes a firm stand on such techniques, what is paradoxical is how the interested users of mSpy, who are mostly concerned parents of kids, have in a bid to keep their children secure ended up exposing their personal details to a world full of predators and bullies.

BitTorrent releases Bleep for iOS, introduces new feature 'Whisper'

In the era of communication, instant messaging apps are what making news every day. A new entrant in this world of apps is “Bleep”. It is a fun and easy to use mobile messaging app for iOS released by BitTorrent, in order to keep the user information private.

BitTorrent, that bought an alpha version of Bleep last September, enables the first non-alpha release to sign up without an account and allowing all the messages to be encrypted with local keys, so that no one has access to the other’s data.

With Bleep, one can chat via text, make free voice calls, or use the newly admitted feature, Whisper. 

A message or photo can be sent to any of your contacts as a Whisper, and it will disappear 25 seconds after it's viewed. 

Whisper messages also have additional screenshot protection that blurs out the important stuff.

To register, all that is required is a nickname. The email addresses and mobile numbers with Bleep can be verified optionally, which means more anonymity on the app.

Bleep offers a peer-to-peer connection in which one’s data isn't stored in the cloud where it could be hacked into remotely. Data sent via Bleep is stored on the device until it is delivered, through an encrypted connection, to the recipient’s device.

Adding friends is easy via the device’s address book, their email, mobile number or Bleep key. Voice calls can be connected directly (no cloud) to your contacts with end-to-end encryption.

In addition to its availability on iOS, it has significant updates on Android and is also available for Mac and Windows desktop. 

Upgrade your SOHO routers firmware to the latest version


A recent study has uncovered that a huge number of Small Office / Home Office (SOHO) routers, who neglect basic security practices, were recently targeted by attackers.


The study conducted by Incapsula security team was published on its blog by researchers Ofer Gayer, Ronen Atias, Igal Zeifman.  

It has urged router owners to disable all remote access to their router management interfaces. In order to verify that their own router is not open to remote access, they can use YouGetSignal to scan for the following ports: SSH (22), Telnet (23) and HTTP/HTTPS (80/443).

Along with that, it has recommended all router owners to change the default login credentials, if they haven’t done so already.

And those whose routers are already compromised, they can upgrade their routers’ firmware to the latest version provided by the manufacturer.

It is said that the flaw was the result of negligent, with ISPs, vendors, and users sharing a long tradition of disregarding basic security practices. As a result hundreds of thousands routers likely to be controlled by hacker which are used to attack the Internet ecosystem and interconnected networks.

The study revealed that major companies involved in the issue.

The study’s main target is to share attack details in an attempt to raise awareness about the dangers posed by under-secured, connected devices.

Although the study has been published, many botnet devices are still attacking the users and other websites.

According to the study, the researchers first identified these attacks on December 30, 2014 and have been mitigating them ever since. In the last 30 days, they saw that the number of attacking IPs had been increasing.

The rapid growth compelled the Incapsula security team to further investigate the case. The team revealed that this wave of attacks is a part of a much larger DDoS assault targeting hundreds of other domains outside of the Incapsula network, and includes other attack vectors and  network layer barrages.

After the research, Incapsula contacted the vendor of the routers and the ISPs whose routers and networks, it found to be most open to abuse.

After inspecting a sample of 13,000 malware files, they found out that on average, each compromised router held four variants of MrBlack malware, as well as additional malware files, including Dofloo and Mayday, which are also used for DDoS attacks.

EllisLab urges its users to change their password after hack

EllisLab, a software development company, has urged all its users to change their password after hackers managed to gain unauthorized access to its servers on March 24 this year.

According to the company’s statement, in a bid to be safe from the hackers who might have stolen its members’, who are registered at EllisLab, personal information, it has asked people to change their EllisLab.com password.

The company said that the new users can also remove their account from the site. It is must, if anyone has sent his/her password via plaintext email instead of using the company’s secure form.

As the company form encrypts the passwords and removes them after 30 days, it is believed that those encrypted passwords would only be available to the hackers if anyone submitted it after February 24, 2015.

Similarly, if people have used their EllisLab.com’s password on other sites, they should change those too.

The company asked people to change the passwords periodically, and enable two-factor authentication whenever available. It also recommends tools which simplify the creation and use of unique passwords.

It is said that the hackers used a Super Admin’s stolen password to log in to the company’s site. The hacker then uploaded a common PHP backdoor script (a WSO Web Shell variant) that allowed them to control the company’s server. 

The company wrote that the Nexcess hosting prevented the "privilege escalation" attempt.  After getting alerts about the malicious activity, the unauthorized access had been shut down at the firewall level.

The company also thanks the Nexcess for their alertness and speed on their blog post.
Then the officials started dissecting the server logs to retrace hacker’s steps and learn how they got the access. They wrote that they had gone through all their files to remove what they added. 

The attackers had access to the server for three hours. Although the evidence does not show any stealing the database, the company prefers to be cautious and assume the hackers had access to everything.

Harbortouch discloses a breach caused by malicious software


Harbortouch, which supplies point-of-sale (POS) systems to thousands of businesses across United States, disclosed a breach in which some of its restaurant and bar customers were impacted by a malware. The malware allowed hackers to get customer card data from the affected merchants.

A card issuer recently reported to KrebsOnSecurity about the concerned authority is ignoring the dangerousness of the breach. And the ignorance of the company would affect more than 4,200 Harbortouch customers nationwide.

Before the Harbortouch had revealed, many sources involved in financial industry suspected that there was a possibility of a breach at a credit card processing company.

According to an article published on  KrebsOnSecurity, the suspicion increased whenever banks realized card fraud that they could not easily trace back to one specific merchant.

Some banks wanted to know about the unrevealed fraud as stolen cards were used to buy goods at big box stores. They made some changes in the way they processed debit card transactions.  

United Bank recently issued a notice saying that in a bid to protect its customers after learning of a spike in fraudulent transactions in grocery stores and similar stores such as WalMart and Target, it has started a block in which customers will now be required to select ‘Debit’ and enter their ‘PIN’ for transactions at these stores while using their United Bank debit card.

Harbortouch issued a statement last week, in which the company said it has identified and contained an incident that affected a small percentage of its merchants. It also confirmed the involvement of malware installation on the POS systems. The advanced malware was designed in such a way that the antivirus program running on the POS System could not detect.

The Harbortouch however, removed the malware from affected systems shortly when the problem was detected.

Mandiant, a forensic investigator, helped the company in its investigation.

The company explained in the statement that it does not directly process or store card holder data and only a small percentage of their merchants got affected for a short period of time. 

Currently, the company’s officials are working with the parties concerned to notify the card issuing banks that were impacted. After that the banks can conduct heightened monitoring of transactions to detect and prevent unauthorized charges.

However, the sources at a top 10 card-issuing bank in the United States that shared voluminous fraud data with an author of KrebsOnSecurity on condition of anonymity, the breach extended to at least 4,200 stores that run Harbortouch’s the POS software.

Nate Hirshberg, marketing director at Harbortouch, said the statements are not true.

Google launches 'Password Alert' to protect its users from phishing attacks


Google on April 29 launched a new extension, ‘Password Alert’, which warns people whenever they type in their Google password on any site that is not a Google sign-in page.

Drew Hintz, security engineer and Justin Kosslyn, Google Ideas, posted on the Google’s Online Security Blog, that the Password Alert, which is now available on the Chrome Web Store, is aimed to prevent phishing attacks. However, it also aims to minimize the over use of Google password.

They wrote that it is designed to alert people while they use their Google password on those sites which are not operated by Google.

According to them, if anyone enters his/her password on a website that’s imitating accounts.google.com and aims to get personal details, he/she will receive a warning. It also provides people time to change their password before it gets misused.

It works by checking the HTML of the page to identify whether it’s a legitimate Google sign-in page or not.

According to Google, the password hacking is known as “phishing” which represents two percent of all Gmail messages.

The new tool is believed to be an additional attempt of security for Google’s users. The Password Alert sits among a number of tools which are aimed to safeguard user accounts. Other methods include two-step authentication and security key.

WordPress patches Stored XSS bug, Many versions affected

(PC- google images)
WordPress has issued a critical security update - WordPress Security Release 4.2.1, announced in an advisory by consultant Gary Pendergast, after millions of websites were at risk of a bug that allows attackers to take control of a system.

Pendergast read, “A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability which could enable commenter to compromise a site”. He added, "This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately. [It] has begun to roll out as an automatic background update, for sites that support those."

Discovered by Jouko Pynnönen of Finnish security company Klikki ; the critical, unpatched zero-day vulnerability, affecting WordPress’ comment mechanisms, is a stored cross-scripting (XSS) bug that allows a hacker to take over an entire website running the WordPress platform.

In a blog post, Klikki explained that if triggered by a logged-in administrator, under default settings, the attacker can leverage the vulnerability to execute arbitrary code on the server via the plug-in and theme editors. Alternately the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.

The vulnerability is exploited by injecting JavaScript in the WordPress comment section, and then adding 64Kb of the text.

"If the comment text is long enough, it will be truncated when inserted in the database. The MySQL TEXT type size limit is 64kilobytes, so the comment has to be long”, Pynnönen said.

 "The truncation results in malformed HTML generated on the page.The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two recently published stored XSS vulnerabilities affecting the WordPress core”, added he. 

WordPress versions 3.9.3, 4.1.1, 4.1.2, and the latest version 4.2 are affected.

Similar to the one reported by Cedric Van Bockhaven in 2014, the only difference in this version is the use of excessively long comment for the same effect.  In both the cases, the injected JavaScript can’t be triggered in the administrative Dashboard so these exploits require getting around comment moderation e.g. by posting one harmless comment first.

Hackers hijack Tesla automaker's website, Twitter account

(PC- Google images)
The website and Twitter account of high-tech automaker Tesla were hacked over the weekend as part of a prank by angry rival hackers. Tesla CEO Elon Musk’s personal twitter account was also hacked around Saturday night (US Standard Time).

The first sign of hijacking was noticed around 1:52 p.m., when the company’s Twitter account had a tweet that declared it being under the control of attackers and the name changed from “Tesla Motors” to  “#RIPPRGANG”. The tweet posted on the carmaker’s account said, “This Twitter is now run [sic] by Henry Blair Strater [sic] from Oswego Illinois, call me at [number redacted]”. 


A few minutes later, the account began promising free Teslas to those who followed certain accounts or to those who called a certain phone number. The number belonged to a repair shop in Illinois which was flooded with calls.

Nearly at that time, Tesla’s website was hacked by the same attackers. Visitors were redirected to a website with ISIS in the URL, a Laden-ranting video and a picture of a man resembling Osama Bin Laden.
(PC-google images)

The Twitter account war restored around 2:45 p.m., an hour after it was uncompromised and the website was back to its usual state at around 6:30 p.m.

Elon Musk’s Twitter account was hijacked by miscreants who claimed to be from the infamous Lizard Squad Hacking crew, known as Autismsquad.

Hackers get to Prince's facebook page

Prince's Facebook page made a quick re-appearance on the social media site on Saturday for few hours before being it was taken down for being a hacked one.

Prince, who has been in the music industry for about forty years had avoided social media until last year. In an era where reaching close to the audience has been the aim of most musicians, Prince chose to avoid the buzz of online socializing. It was only in 2014 October that he opened a Facebook page and hosted a fan Q&A but  replied to only one question before taking the page down in November.

He even shut his Twitter account and deleted videos from the official You Tube account. The page was activated with promises of new music, but then it started being self-deprecating and rude with messages like " My name is Prince and I don't care about my fans, I put my hit and run pause on tour so I can be the true asshole I am." Some were funny as well, with one saying, “Bring omelets to my next show, free entry.”

The surge of insulting and absurd messages pointed towards a hack and the page was promptly taken down by the site.

Interpol coordinated to take down Simda botnet

The Simda botnet has been taken down on April 9 in a collaborative effort between international law enforcement bodies and private security and technology companies coordinated by Interpol's Global Complex for Innovation.

The botnet, known for spreading banking malware and establishing backdoor for many malware, has exploited more than 770,000 computers in 190 countries. The take down has resulted in seizure of 14 command-and-control servers in the Netherlands, United States, Poland, Luxembourg, and Russia.

According to the researchers, Simda is a mysterious botnet used by cyber criminals for distributing several types of unwanted and malicious software. Due to constant functionality and security updates, it rarely appears on the KSN radars despite a large number of hosts every day.

It uses hardcoded IP addresses to notify the keeper about the various stages of execution. It can modify the system hosts file by downloading and running additional components from its own updated servers, and to point to malicious IP’s, it adds unexpected records for google-analytics.com and connect.facebook.net.

The Kaspersky Lab report says that, “This criminal business model opens up the possibility of exclusive malware distribution. This means that the distributors can guarantee that only the client’s malware is installed on infected machines. And that becomes the case when Simda interprets a response from the C&C server – it can deactivate itself by preventing the bot to start after next reboot, instantly exiting. This deactivation coincides with the modification of the system hosts file. As a farewell touch, Simda replaces the original hosts file with a new one from its own body.”

To analyse the spread of the infection the Digital Crime Centre (IDCC) in Singapore worked with Microsoft, Trend Micro, Kaspersky Lab, and Japan's Cyber Defense. The researcher team also involved officers from the Dutch National High Tech Crime Unit in the Netherlands, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, the Federal Bureau of Investigation in the US, and the Russian Ministry of the Interior's Cybercrime Department "K".

Sanjay Virmani, Director of the INTERPOL Digital Crime Centre, said “This successful operation highlights the value of, and need for partnerships involving national and international law enforcement and private industry in the fight against the global threat of cyber crime. The operation has dealt a crippling blow to the Simda botnet. INTERPOL will continue its work to assist member countries in protecting their citizens from cybercriminals and to identify other emerging threats.”

White lodging confirms second data breach at 10 hotels

White Lodging Services Corporation (WLSC), an independent company which manages more than 160 hotels in 21 states of America, has confirmed a second data breach on its credit card systems at 10 locations.

In a press release issued on April 8, the WLSC said that the suspected breach of point-of-sale systems at food and beverage outlets, such as restaurants and lounges, from July 3, 2014 to February 6, 2015 at 10 hotels.

While it is believed that some of the breached locations were the last year’s breached locations only, the Indiana-based company clarified that the second was a separate breach.

According to KrebsOnSecurity news report published on April 15, in February 2015 it reported for the second time within a year that multiple financial institutions were complaining about the fraud on customer’s credit and debit cards that were all recently used at a string of hotel properties run by the WLSC.

However, the company said it had no evidence of a new breach at that time, but last week only, it confirmed the suspected breach of point-of-sale systems at 10 locations.

Banking sources back in February 2015 said that the credit cards compromised in this most recent incident looked like they were stolen from many of the same WLSC locations implicated in the 2014 breach, including hotels in Austin, Texas, Bedford Park, Ill., Denver, Indianapolis, and Louisville, Kentucky.

“After suffering a malware incident in 2014, we took various actions to prevent a recurrence, including engaging a third party security firm to provide security and managed services,” said (in the press release) Dave Sibley, Chief Executive Officer (CEO) of the WLSC.

“However, these security measures failed to stop the malware occurrence on point-of-sale systems at those 10 hotels. We will continue our investigation as it is necessary to protect the personal information entrusted to us by our valuable guests. We deeply regret and apologize for this situation,” he added.

According the WLSC, the stolen data includes names printed on customers’ credit or debit cards, credit or debit card numbers, and the security code and card expiration dates.

The company is offering a year’s worth of credit protection services for customers impacted by the breach, from Experian.

Database hacked at Biggby Coffee, personal information of customers at risk


Security breach at Biggby Coffee has potentially exposed personal information of some of its customers and job applicants.

Biggby Coffee, a leading coffee franchise business based out of Michigan stores information like customer or applicant’s name, date of birth, email address, address, telephone number, Social Security number, driver's license record, employment history.

However the company maintains that no sensitive data like financial information has been leaked, only details like name, contact details and employment history might have been subjected to the breach.

A spokeswoman for the company added that less than 20 % of Biggby's customer data was affected and only information submitted via the website had been compromised. Also, the information accessed had nothing to do with the cash registers or point of sale systems in the stores,

The attack on the company's systems was discovered on the last week of March, when its web developer and hosting company Traction revealed that a criminal has forced its way into the system and accessed the consumer database.

The data breach has been reported to the police and FBI.

International operation mounted to counter Beebone Botnet

A multinational task-force comprising of European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT), the FBI and led by Dutch National High Tech Crime Unit was recently set up to target the Beebone (AAEH) botnet, a downloader virus that cripples a computers defenses by downloading various malwares on a PC.

Private players Intel Security, Kaspersky and Shadowserver were also present to consult on destroying the polymorphic downloader that according to sources, has affected 12000 computers till date.

The operation 'sinkholed' the botnet by recognizing the domain names and addresses of the affected parties and then rerouting traffic.

Emergency teams around the world have been put into motion to get into touch with the victims of the botnet. The number of affected parties is less in this case, but the botnet has been deemed to be very sophisticated.

The operation was successfully carried out after which Europol’s Deputy Director of Operations, Wil van Gemert, said "This successful operation shows the importance of international law enforcement working together with private industry to fight the global threat of cybercrime."

"We will continue our efforts to take down botnets and disrupt the core infrastructures used by cybercriminals to carry out a variety of crimes. Together with the EU Member States and partners around the globe, our aim is to protect people worldwide against these criminal activities."

Arris / Motorola Modems have multiple vulnerabilities and backdoor accounts


Security Researcher Joe Vennix has discovered multiple vulnerabilities in the 'ARRIS / Motorola SURFboard SBG6580' series Wi-Fi Cable Modem that could allow hackers to take control of the Web Interface.

One of the flaws(CVE-2015-0964) is a stored cross site scripting vulnerability in the firewall configuration page could allow an authenticated attacker to inject javascript code capable of performing any action available in the web interface.

The other vulnerability allows to perform a login action "on behalf of the victim's browser by an arbitrary website, without the user's knowledge."

And on top of this, it has pre-installed backdoor accounts.  Devices tested by the researcher had an account called "technician" with the password "yZgO8Bvj".

"Other accounts may be present as installed by service providers and resellers." Rapid7 post reads.  

Rapid7 has published a metasploit module that "takes advantage of all three vulnerabilities to place an arbitrary internal endpoint in the DMZ of the affected network, thus exposing all running services to direct Internet access.

The module also capable of stealing the information of all registered DHCP clients including IPs, hostnames and MAC addresses.