27 million Mate1.com accounts hacked and sold

If you have an account on the online dating website Mate1.com, there is a very high probability that your account has been hacked.

A hacker has claimed to have accessed the account usernames, passwords and email addresses of 27 million people, in a post on the Hell forum.

According to Motherboard Vice, which first reported the hack, the hacker obtained the account details of over 27 million users and sold them to someone else through a deal brokered on the Hell forum.

The hacker told Motherboard Vice that he managed to compromise the Mate1.com server, and used command access to look at the MySQL database and then download parts of it.

He added that the online dating website has a security flaw that allows users to log on to the website without verifying their email address to complete the sign-up process, which means that you can simply create an account with an email address that belongs to you or to someone else.

The hacker revealed that Mate1 does not use any encryption technique to store passwords, so don't worry if you have forgotten your password: it will be sent to the corresponding email address in plain text.

It is not clear how much the hacker eventually sold the data for, although he was offering it 

Mozilla awarded $2,500 to security researcher

Security researcher Ashar Javed recently discovered three bugs in the Mozilla add-ons portal that had been exploited via the "Create new collection" feature.

It was discovered that malicious code could be inserted into collections of Mozilla add-ons. These collections are used to organize add-ons for business and personal purposes and can be shared on social media as well.

“Given that the Mozilla add-on site has millions of downloads, it is easily possible for the attacker to convince the victim to visit the collection page,” the expert told SecurityWeek.

Users were thereby exposed to all kinds of attacks that can be carried out via XSS flaws, the most common being cookie theft.

Websites are commonly vulnerable to XSS flaws, and add-on collections are very useful for Firefox users, so Mr Javed received $2,500 from Mozilla for discovering the issue. Two other bugs were also discovered, about which Mozilla did not reveal any information apart from their location.

This is not the first time he has received a sizeable reward: Google awarded him $3,000 for a reflected XSS in the main search bar of the YouTube Gaming website.

Guardian's Article on Cyber Crime spreads Malware

A 2011 cybercrime article titled “Cybercrime: is it out of control?” on the Guardian's website has been found to be serving up the Angler Exploit Kit.

The Angler Exploit Kit is a Web-based utility toolbelt that hackers use to test the defenses of a user's computer.

The problem was discovered on December 01 by FireEye Labs, which noticed that this instance of Angler infection did not come from a tainted ad but from visiting the Guardian’s article about cybercrime.

Visiting the page would execute an embedded script to redirect the reader's browser to an Angler Exploit Kit landing page.

This particular vulnerability enables a "God Mode" on infected PCs, giving attackers control over every facet of the user's machine.

The Angler exploit kit also scans for the Flash-based CVE-2015-5122, CVE-2015-5560, and CVE-2015-7645 vulnerabilities, which are less powerful than the Windows OLE one but dangerous nevertheless.

These vulnerabilities have been fixed by Microsoft and Adobe, and users who keep their systems up to date have nothing to fear while reading the article on the Guardian.

Meanwhile, the Guardian has given assurances that it will fix the contaminated links on its website.

This news came days after Angler was found serving malvertising to visitors of video site DailyMotion.

State-sponsored hackers spread backdoors in Middle East

A Symantec threat report revealed that two state-sponsored hacking groups have been using backdoors to spy on targets in Iran and other nations in the Middle East.

The two groups are known as ‘Cadelle’ and ‘Chafer’, and each uses its own custom-developed backdoors. Cadelle, with its five-member team, uses the backdoor ‘Cadelle’, while Chafer’s backdoors, developed by its ten-member team, are known as ‘Remexi’ and ‘Remexi B’.

Both backdoors are able to open connections and help attackers steal data from infected systems.

Symantec takes the view that the two groups, which are targeting political dissidents from Iran as well as airports and telecommunications companies in other Middle East countries, may be doing so in order to keep an eye on the movements of their targets.

Chafer has been using SQL injection attacks to compromise servers and drop the Remexi backdoor to infect its targets, but Cadelle's technique is not yet known.

Once a target is infected, the backdoors can do considerable harm. They can be used to gather and steal passwords, intercept document print commands, record audio via infected devices, take screengrabs, record webcam feeds, log keystrokes, log opened applications, and gather system and clipboard information.

Attackers using these backdoors were first spotted in 2014, but clues in each group’s code reveal that they might have used them in 2011.

Critical vulnerabilities found in Modbus

Security researchers have found various critical vulnerabilities in Modbus gateways built by Advantech, which are used to connect serial devices in industrial control environments to IP networks.

Hard-coded SSH keys were found in the Advantech EKI series of devices, along with buffer overflow and code injection flaws in the same product.

Researchers at Rapid7 have confirmed that the EKI-1322 GPRS IP gateway device is vulnerable to two critical flaws, Shellshock and Heartbleed, in the Bash shell and OpenSSL.

Patches for Shellshock and Heartbleed in the Bash shell and the OpenSSL library were released immediately, but Advantech failed to apply those patches to the device and, moreover, stayed silent on Rapid7's disclosure.

Rapid7's chief researcher voiced his concern about the vulnerabilities, saying that there had been previous, similar security bugs involving SSH keys, and yet the Shellshock bug was still not looked into after all the reverse engineering.

Rapid7 also found a security issue in the DHCP client, version 1.3.20-p10, which had a stack-based buffer overflow, but the researchers were not sure whether the vulnerability could be exploited.

After the disclosure of the hard-coded SSH keys, Advantech and ICS-CERT warned about hard-coded SSH keys in the EKI-122x product series and announced the firmware versions that contain the fix.

Hard-coded SSH keys were found in:
EKI-136* product line prior to firmware version 1.27,
EKI-132* product line prior to firmware version 1.98, and
EKI-122*-BE product line prior to firmware version 1.65.

A few more vulnerabilities were exposed when Moore looked into the SSH configuration: the keys were not being generated on the fly, while the Dropbear SSH client was being used to generate keys.
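One way an operator could check a fleet of gateways for the shared, non-generated host keys described above is to group devices by host key fingerprint. This is an added example, not code from Rapid7, Advantech or the original article; the addresses and key blobs are constructed placeholders, and the input layout (host, key type, base64 key) is the one `ssh-keyscan` prints.

```python
import base64
import binascii
import hashlib
from collections import defaultdict


def _constructed_blob(label: bytes) -> str:
    # Placeholder bytes standing in for a public key blob; not a real key.
    return base64.b64encode(b"constructed-hostkey:" + label).decode()


# Constructed scan results, documentation-range addresses. Three gateways
# present the same key, as devices shipped with a key baked into firmware would.
SAMPLE_SCAN = "\n".join([
    "# constructed inventory scan",
    f"192.0.2.11 ssh-rsa {_constructed_blob(b'factory-image')}",
    f"192.0.2.12 ssh-rsa {_constructed_blob(b'factory-image')}",
    f"192.0.2.20 ssh-rsa {_constructed_blob(b'generated-on-first-boot-a')}",
    f"192.0.2.40 ssh-rsa {_constructed_blob(b'factory-image')}",
    f"192.0.2.41 ssh-rsa {_constructed_blob(b'generated-on-first-boot-b')}",
    "192.0.2.99 ssh-rsa not*valid*base64",
    "",
])


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the form OpenSSH prints: unpadded base64 digest."""
    raw = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_host_keys(scan_text: str):
    """Return ({fingerprint: [hosts]}, [rejected line numbers]).

    Only fingerprints seen on more than one host are returned: a host key
    generated on the device is unique, so any repeat means a key came from
    the firmware image (or was cloned) and its private half is not secret.
    """
    hosts_by_fp = defaultdict(set)
    rejected = []
    for lineno, line in enumerate(scan_text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            rejected.append(lineno)
            continue
        host, _keytype, key_b64 = fields[:3]
        try:
            hosts_by_fp[fingerprint(key_b64)].add(host)
        except (binascii.Error, ValueError):
            # Truncated or corrupted key material: report it, do not guess.
            rejected.append(lineno)
    shared = {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items()
              if len(hosts) > 1}
    return shared, rejected


if __name__ == "__main__":
    shared, rejected = find_shared_host_keys(SAMPLE_SCAN)
    for fp, hosts in shared.items():
        print(f"{fp} is presented by {len(hosts)} hosts: {', '.join(hosts)}")
    print("unparseable lines:", rejected)
```

Devices flagged this way need a firmware update followed by host key regeneration, since updating alone does not replace a key already on disk.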

Chinese Cybercriminal gang uses Dropbox to Target Media outlets

A Chinese Advanced Persistent Threat (APT) gang allegedly responsible for attacks against foreign governments and ministries has shifted its focus to Hong Kong-based media companies, using Dropbox for its malware communications.

The group identified as ‘admin@338’ has been active since 2008 and uses publicly available Trojans like ‘Poison Ivy’ to attack organizations in the financial services, telecoms, government, and defense sectors.
The group is also known to use some non-public backdoors.

But this is the first instance where the group has used phishing lures in Chinese against targets. Each phishing email contained three attachments that included exploits for a patched Microsoft Office vulnerability, CVE-2012-0158, a buffer overflow in the Windows Common Control Library patched in early 2012.

On execution, the exploit triggers a backdoor dubbed ‘Lowball’ which connects to an external location on finding it. After this, Lowball syncs with the legitimate Dropbox account which is controlled by the remote attackers.

In the first stage, the attack runs many commands on the infected computer and sends the output to the Dropbox account for C&C communications. The attackers then retrieve the information and analyse it, and if the target is judged worthwhile, a second-stage backdoor called ‘Bubblewrap’ is delivered, which is used for remote control and stealing data.

The research was carried out by the network security company FireEye.

The group was also suspected of launching a phishing campaign in August against media organizations in Hong Kong. In March last year, the group leveraged the disappearance of Malaysia Airlines Flight MH370 to target a government in the Asia-Pacific region and a US-based think tank.

This isn’t the first time China has targeted media outlets, seeking out sources to stay ahead in the news cycle.
In January 2013, hackers allegedly connected to the Chinese government were blamed by Mandiant for a breach at the New York Times. The group broke into the email accounts of investigative journalists, seeking information on the corruption scandal which involved then-Chinese premier Wen Jiabao.

Hilton payment system attacked

Hilton, one of the largest US-based hotel chains, revealed that hackers had infected some of its point-of-sale computer systems with malware crafted to steal credit card information.

The company did not disclose what data was taken, but cautioned everyone who used payment cards at Hilton Worldwide hotels between November 18 and December 5 of last year or April 21 and July 27 of this year to check for any irregular activity on their debit or credit cards.

In an online post, Hilton said that the malware that infected its systems had the potential to retrieve cardholders' names, account numbers, security codes and expiration dates.

They further wrote that they are investigating the breach with the help of third-party forensics experts, law enforcement and payment card companies.

Starwood hotels, which operates the Sheraton and Westin chains, announced four days before Hilton that hackers had attacked its payment system, resulting in the leak of customer credit card data at some of its establishments.

"The malware was designed to collect certain payment card information, including cardholder name, payment card number, security code and expiration date," the group said in a statement.

Starwood and Hilton are not the only ones whose payment systems have been hacked: last month Trump hotels faced a similar cyber attack.

"We believe that there may have been unauthorised malware access to some of the computers that host our front desk terminals and payment card terminals in our restaurants, gift shops and other point-of-sale purchase locations at some hotels," Trump Hotel Collection said at a website devoted to details of the incident.

According to Trump hotels, the access could have taken place between May 19 of last year and June 2 of this year.

Brian Krebs, cyber threat blogger at KrebsOnSecurity.com, described the cyber attack on payment systems as "just the latest in a long string of credit card breaches involving hotel brands, restaurants and retail establishments."

Malware detected in Martel’s cameras used by police department

iPower Technologies, a U.S. security company and network integrator, has discovered copies of the Conficker malware in the Martel Frontline Camera with GPS. Martel is one of the largest manufacturers of police in-car video systems in America, and the product is sold and marketed as a body camera for official police department use.

The Florida-based company, which is currently working to develop a cloud-based video storage system for government agencies and police departments to store and search camera video, said that cameras it had received from the supplier Martel Electronics were loaded with 2009's baddest botware.

Conficker itself is not new: it was discovered in late 2008, when researchers found that the malware, which at that point had already infected millions of PCs, had been set to perform an unspecified update activity on April 1, 2009.

Jarrett Pavao and Charles Auchinleck, researchers from the security company, found that when the cameras were connected to a computer, they tried to execute the ‘Win32/Conficker.B!inf’ variant of the worm.

“When the camera was connected to a computer, iPower's antivirus software immediately caught the virus and quarantined it. However, if the computer did not have antivirus actively protecting the computer it would automatically run and start propagating itself through the network and internet,” iPower said in a post.

"In the iPower virtual lab environment, packet captures were also run on the infected PC to view the viruses' network activity using Wireshark. The virus, classified as a worm virus, immediately started to attempt to spread to other machines on the iPower lab network, and also attempted several phone home calls to internet sites," the post added.

After the findings, iPower said it had tried to contact Martel Frontline Camera in order to report the flaws. However, the company has yet to give any response.

A threat that encrypts data in offline mode

Researchers at Check Point Technologies have discovered an ‘offline’ ransomware that encrypts files on the infected machine without communicating with a command and control (C&C) server.

The ransomware, which mainly targets Russian users, has been in existence since around June 2014. Since then, a dozen files have been released, and the latest among them is CL, which was made available in mid-August.

Security products detect various versions of the threat as Ransomcrypt.U (Symantec), Win32.VBKryjetor.wfa (Kaspersky) and Troj/Ransom-AZT (Sophos).
After the threat infects a computer, it encrypts important files and then changes the desktop background to a message in Russian informing users that their files have been encrypted.

Victims are then asked to pay between $300 and $380, depending on how fast they pay up, to receive a decryption tool and the key needed to recover their files.

Because the malware works offline and is detached from any C&C server, it is more difficult to detect and neutralize for security solutions that identify threats based on their communications.

According to Check Point researchers, the malware is designed only to encrypt files and does not have much other functionality. However, it performs that function efficiently enough that it is impossible to recover files without paying the ransom.

“The beginning (first 30000 bytes) of each file is encrypted using two buffers of digits and letters that are randomly generated on the infected machine. The encryption process includes taking each original byte along with one byte from each of the randomly generated buffers and performing mathematical operations on them.

The remainder of each file (if it exists) is encrypted using an RSA public key (“local”) that is randomly generated on the infected machine, along with the matching local RSA private key required for decryption of the data.

The randomly generated buffers and the local RSA private key that are required for decryption are added as metadata to each encrypted file, and are then encrypted using three hardcoded RSA 768 public keys that the offender created in advance (“remote”). The matching remote RSA private keys required to unlock the metadata are located on the attacker’s side.”

Ransomware campaigns are highly profitable for cyber criminals who can make huge amounts of cash by encrypting files of Russian users. 

Marshmallow OS to get patch for two critical Android bugs

Google has patched seven code execution vulnerabilities, of which two were rated critical, four high and one moderate. This was the fourth round of Android patching since August this year.

The two flaws rated critical, both of which give attackers remote code execution, are the libutils (CVE-2015-6609) and mediaserver (CVE-2015-6608) holes. The holes can be exploited by sending crafted media files to the affected devices.

Google informed its “partners” about the patch on October 5, and the patch code is set to be available for Nexus, Samsung, and the Android Open Source Project, but it will first be available for the latest Marshmallow Android operating system.

In its advisory Google said that, "The most severe of these issues is a critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files."

"During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process. The affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media."

A privilege elevation bug was also fixed in the libstagefright library; it is separate from the Stagefright vulnerabilities reported by Zimperium researcher Joshua Drake earlier this year.

Vulnerabilities in Bluetooth (CVE-2015-6613), the mediaserver (CVE-2015-6611), the telephone app (CVE-2015-6614), and libmedia (CVE-2015-6612) were also patched.

Google says “exploitation is made harder on the security-improved Marshmallow Android platform.”

Remote Code Execution Vulnerabilities in Mediaserver
Remote Code Execution Vulnerability in libutils
Information Disclosure Vulnerabilities in Mediaserver
Elevation of Privilege Vulnerability in libstagefright
Elevation of Privilege Vulnerability in libmedia
Elevation of Privilege Vulnerability in Bluetooth
Elevation of Privilege Vulnerability in Telephony

Cyber threats may well face an insurance vacuum, firms need to look after themselves

Anecdotal evidence suggests that the global insurance industry is unwilling to play ball on writing cyber insurance policies. Companies are facing unprecedented cyber threats and thus seeking ever larger cyber insurance covers. Insurers, however, are either unwilling to write policies, or are writing limited policies at a fat cost or with significant conditionalities. Firms are looking for US $ 1 billion covers, but the insurers are not biting.

It is not hard to understand the predicament of insurers. As it stands today, cyber insurers face a situation of information asymmetry: there are no, or very limited, actuarial insights available. No insurer has a clue as to what hidden vulnerabilities exist in a company’s IT set-up: software, websites, network, data centres and processes. How can the insurers know when companies themselves do not fully understand their vulnerabilities?

The task for insurers is made even more difficult by the fact that attacks may not be aimed at a big firm directly. The recent attack on the iOS (Apple) app store suggests that hackers may have discovered another route to compromise the internet: infecting the machines of software developers writing legitimate programs and apps. Developers are a huge, globally dispersed (geopolitical risks) and logical target for hackers, and this approach may be harder to defend against.

Further, insurers also need to take into account that we live in the days of internet-linked business ecosystems, which include multiple partners and suppliers of various sorts, apart from outsourced software development. Smaller, less prepared, less equipped members of ecosystems offer hackers an easier route to sneak into the systems of the big firms.

The situation gets extremely complicated when one considers the size of cyber threats. One estimate of annual cost of cybercrime to global economy ranges from US $ 375 bn – US $ 575 bn. That’s a lot of money, and the reluctance of insurers to write out policies to protect against hugely expensive and unknown threats is unsurprising to say the least. Attackers are remotely located, face no direct/immediate physical threat and are unafraid to take risks.

Testing for vulnerabilities is a deeply technical issue. When one is faced with situations such as Advanced Persistent Threats (APT) and 0 Day vulnerabilities, it needs to be borne in mind that businesses are up against attackers who typically belong to organised criminal groups, mafia groups, Black Hat hacker groups or state-backed groups.

An APT attack happens when committed adversaries persistently utilise advanced technologies to compromise targets. Extremely hazardous 0 Day exploits (vulnerabilities found by hackers and never reported to security vendors) are found in operating systems, application software, browsers, antivirus software, firewalls, and internal application software. On average, twenty 0 Day vulnerabilities exist in any given server. 0 Days have the greatest success and damage rates and the least probability of detection by firewalls, IDS, AV and the like.

The problem is also compounded by the lack of senior management involvement in vulnerability assessment, penetration testing and similar exercises. This is a matter that cannot be left to systems administrators or developers, who are better equipped to remediate security issues than to discover vulnerabilities.

Given the reluctance of insurers to play ball, companies may have little choice but to look after themselves. The buck needs to stop at the desk of senior management and Boards need to ask difficult questions. Cyber threats are strategic in nature and as such a strategic response is called for to defend against financial and non-financial damage.

Constant vigilance, vulnerability assessments and penetration testing are essential for defence. Companies also need to utilise counter-cyber espionage and counter-intelligence techniques to protect themselves against cyber-attacks, as well as inject themselves with a healthy dose of paranoia.

Author: Prasanna J, Founder of Cyber Security and Privacy Foundation(CSPF)

Cyber Attack on America’s Thrift Stores exposes credit card numbers

A charity store chain, America’s Thrift Stores, discovered on Friday (October 09) that it had become the victim of a malware-driven security breach which originated from a third-party service provider’s software used to process credit card payments in Alabama, Georgia, Louisiana, Mississippi and Tennessee.

America’s Thrift Stores is a for-profit organization which operates 18 donations-based thrift stores throughout the southeast United States that collect used clothing and household items from local communities and sell them for a profit, which it shares with Christian charities.

The Birmingham-based company’s CEO, Kenneth Sobaski, said in a statement that no customer names, phone numbers, addresses or emails were exposed, but credit card numbers were revealed.

The hack appears to have affected transactions between September 01 and September 27.
The organization advised customers who feared that their data had been compromised to contact their card issuer or bank immediately, and to report any suspicious activity they discovered.

The malware has been removed from the stores’ computers, and purchases outside of those dates should not be at risk.

Security journalist Brian Krebs stated on his blog that there were indications that data stolen from America's Thrift Stores was already being used to create new counterfeit cards, with details obtained from several banking sources who confirmed a pattern of fraud on cards used at America’s Thrift Stores.

The company said that the U.S. Secret Service is investigating the breach.

The store chain employs over 1,000 employees and turns donated items into revenue for its non-profit partners and their causes. The store chain is estimated to pay out over $4 million annually to its partners.

This store chain is not the only charity organization whose systems have been targeted by cyber criminals.

Last year, a Goodwill Industries International system that processed payments for twenty Goodwill members, representing roughly 10 percent of all stores, was breached.

Its investigation revealed that the attackers had access to the third party vendor’s systems for a year and a half, and leveraged point-of-sale (PoS) malware to steal data which they used for fraudulent purchases.

In these breaches, the problem does not lie with the operating system; the biggest problems have to do with the various levels of access being given to third-party businesses. Organizations fail miserably at protecting that access, which is what makes these breaches possible and damaging.

The breach of America’s Thrift Stores may be a repetition of the Target breach that took place recently. Using easy passwords across the gamut of critical systems leads to such hacks. Target’s security breach should have been a huge wake-up call for businesses everywhere to adapt and evolve their IT security practices.

Danske bank fixes several vulnerabilities that could allow hackers to get into bank accounts

Most of us prefer to keep money in our bank accounts rather than at home, as we believe that banks are safer than our homes. But you may well panic once you read a blog post by Sijmen Ruwhof, a freelance IT security consultant and ethical hacker.

He has published a bank review entitled “How I could hack internet bank accounts of Danish largest bank in a few minutes” in which he revealed that any hacker could easily get into the website of Danske Bank, one of the largest banks of Denmark, and get access to users' accounts.

His in-depth technical post explains the extent to which Danske Bank is vulnerable to hacking.

He discovered the vulnerability in August, when he became intrigued by the idea of testing the bank’s security while talking with a group of Danish hackers at the Chaos Communication Camp (CCC), near Berlin.

During that conversation, security experts and white-hat hackers expressed disappointment with the terrible security implementations adopted by many Danish banks.

“I opened up the Danske Bank’s website and was curious to see how the HTML code looked like, so opened the code of the customer login screen of the banking environment. I strolled thru the code to get a grasp of the technology used,” the security researcher wrote in the blog.

Then he saw JavaScript comments that seemed to contain internal server information. Not just a few variables, but quite a lot of confidential data.

“It was in URL encoded format, so I decoded it right away. Really wondering what kind of secrets it contained,” he added. “I was shocked. Is this happening for real? In less than a minute on their web site, this is just the HTML code of the login screen, one of the most visited pages of Danske Bank’s web site.”

The researcher said that while visiting Danske Bank’s website he could see the IP address of a probable customer in the variable HTTP_CLIENTIP. Similarly, HTTP_USER_AGENT contained operating system and web browser details.

He warned that the variable HTTP_COOKIE was visible and full of information; a customer's credentials could be hijacked in very little time.

According to the researcher, Danske Bank doesn’t use a secure HTTPS connection to transport customer banking traffic, as the variable HTTPS was OFF and SERVER_PORT carried the value 80. The bank is also still using COBOL code on its backend, for CICS (Customer Information Control System) and database handling.

However, the good news is that the bank has patched all the vulnerabilities, though only after the researcher had published his findings on his blog.
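A site owner can test their own pages for the leak described above by pulling every HTML and JavaScript comment out of a response, URL-decoding it, and looking for CGI-style server variables. The following is an added example, not code from the researcher's post or from the bank; the sample page, its values and the `SERVER_NAME` entry are constructed, and the variable-name pattern is an assumption generalised from the names quoted in the article.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# CGI-style server variable names followed by "=" (HTTP_COOKIE=, HTTPS=, ...).
SERVER_VAR = re.compile(
    r"(?<![A-Za-z0-9_])"
    r"(HTTP_[A-Z0-9_]+|SERVER_[A-Z0-9_]+|REMOTE_[A-Z0-9_]+|HTTPS)\s*="
)
# JavaScript block and line comments. Deliberately naive: a "//" inside a
# string literal is matched too, which only costs a harmless extra check.
JS_COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.DOTALL)

# Constructed login page: one URL-encoded dump in a JS line comment, one in a
# JS block comment, one double-encoded in an HTML comment, one benign comment.
SAMPLE_PAGE = """<html><head><script>
// dbg HTTP_CLIENTIP%3D203.0.113.7%26HTTP_USER_AGENT%3DMozilla%2F5.0%26HTTPS%3DOFF%26SERVER_PORT%3D80
var loginForm = 1; /* HTTP_COOKIE%3Dsid%3Dconstructed-value */
</script></head>
<body><!-- build 42 --><!-- SERVER_NAME%253Dweb01 --><form></form></body></html>"""


class CommentCollector(HTMLParser):
    """Collects HTML comments and the comments inside <script> elements."""

    def __init__(self):
        super().__init__()
        self.comments = []          # list of (kind, text)
        self._in_script = False
        self._script_parts = []

    def handle_comment(self, data):
        self.comments.append(("html", data))

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script, self._script_parts = True, []

    def handle_data(self, data):
        # Script text can arrive in several chunks, so buffer until </script>.
        if self._in_script:
            self._script_parts.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            for match in JS_COMMENT.finditer("".join(self._script_parts)):
                self.comments.append(("js", match.group(0)))


def decode_layers(text, max_rounds=3):
    """URL-decode repeatedly so double-encoded dumps are still recognised."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def find_leaked_server_vars(html):
    """Return [(comment_kind, variable_name)] in order of appearance.

    Only names are reported, never values, so the report does not itself
    copy a cookie or client address into a log or ticket.
    """
    collector = CommentCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for kind, text in collector.comments:
        for name in SERVER_VAR.findall(decode_layers(text)):
            if (kind, name) not in findings:
                findings.append((kind, name))
    return findings


if __name__ == "__main__":
    for kind, name in find_leaked_server_vars(SAMPLE_PAGE):
        print(f"{kind} comment exposes {name}")
```

Run against rendered responses rather than templates, since a dump of this kind is written into the page at request time.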

Negligence of Experian puts T-Mobile’s 15 million records at stake

John Legere, CEO of T-Mobile, the third biggest mobile company in the U.S., is angry again, and for a very obvious reason: this time the highly personal records of some 15 million users have been leaked through Experian, one of the largest credit agency data brokers in the world.

The exposed information includes names, addresses, and social security, driver’s license and passport numbers of the customers. The license and passport numbers were in an encrypted field, but Experian said that the encryption may also have been compromised.

The massive security breach was first discovered on September 15, 2015, and impacted customers who registered for T-Mobile between September 01, 2013 and September 16, 2015.

Legere broke the sad news in a post on the company's website which displayed his frustration over the incident.

The post read as below:
“Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian."

Experian took immediate action upon finding the breach. It secured the server, initiated a comprehensive investigation and notified U.S. and international law enforcement.

In the way companies typically react when their security is breached, Experian too is offering those impacted by the break-in two years of free credit monitoring and identity theft resolution services.

There have been a series of high-profile hacks of businesses and other organisations in recent years impacting millions and sometimes tens of millions of records, including adultery website Ashley Madison, Sony Pictures, and retailers such as Home Depot, Target, and eBay.

The theft of personnel records from the U.S. government this year, a 2014 breach at JPMorgan Chase and a 2013 attack on Target Corp's cash register systems were also among them.

The irony is that a company which handles the personal information of many Americans was not able to protect the information of customers who applied for T-Mobile services.
It is the second massive breach linked to Experian.

An attack on the company's subsidiary happened in 2012, which exposed the Social Security numbers of 200 million Americans and prompted an investigation by at least four states, including Connecticut.
Though the security breach will adversely affect both companies, T-Mobile is trying to put all the blame on Experian.
One of its FAQs read:

“Experian has taken full responsibility for the theft of data from its server.”
Both the companies had made it clear that no credit card or banking data was exposed. Yet, the hoard of T-Mobile customer data can still be used for assembling profiles for identity theft.

If consumers can’t pressure data aggregators like Experian into securing their secrets, perhaps the consumer-facing companies who collect that information can.

Will 'Green Dispenser' Take all of your Money?

ATM malware is no myth in the cyber world, and this time is no different from the earlier ones. A team of security researchers from Proofpoint has unveiled a new piece of malware, named GreenDispenser, that gives hackers the ability to attack compromised ATMs and drain all of their cash.

This malware acts on the basic principle of a primitive DDoS action: the machine displays an 'out of service' message on the screen, but in the meantime the vault can be opened with the correct PIN, looting a lot of money with no trace of robbery at all.

Such activities were first reported in Mexico, and similar abuses have been reported in other countries ever since. GreenDispenser, unlike its predecessors Ploutus and Tyupkin, requires no physical access for the installation procedure, and hence makes it easier for the hacker to break into the machine and, subsequently, the server.

It is suspected that cyber criminal bosses now have a mobile app that provides them with a two-step encryption and creates a firewall of authorisation for malware such as GreenDispenser itself.

Proofpoint explained this encryption in another post; an extract is given below:
GreenDispenser employs authentication using a static hardcoded PIN, followed by a second layer of authentication using a dynamic PIN, which is unique for each run of the malware. The attacker derives this second PIN from a QR code displayed on the screen of the infected ATM. We suspect that the attacker has an application that can run on a mobile phone with functionality to scan the barcode and derive the second PIN – a two-factor authentication of sorts.

This kind of malware is evolving with the passage of time, making ATMs more vulnerable. With ATMs as the primary target, it is a threat to financial institutions, so the security of credit and debit card credentials should be enhanced accordingly. The question arises: how long will it take to completely secure the parameters?

Once again a malicious application found on Google Play Store

Researchers at Check Point Threat Prevention have detected a malicious application that was published twice in the Google Play Store and is said to have affected some one million people. The malware was packaged within an Android game called “Brain Test”.

According to the researchers, the malware was reported to Google Play twice. Each instance had between 100,000 and 500,000 downloads as per the Google Play statistics. Check Point reached out to Google on September 10, 2015, and the app containing the malware was removed from Google Play on September 15, 2015.

“The malware was first detected on a Nexus 5 smartphone, and although the user attempted to remove the infected app, the malware reappeared on the same device shortly thereafter. Our analysis of the malware shows it uses multiple, advanced techniques to avoid Google Play malware detection and to maintain persistency on target devices,” the researchers wrote in a blog post.

Although the researchers reported the malware to Google, and the company removed the app from the Google Play Store, it managed to bypass malware detection through several sophisticated techniques. It also installs a second application similar to itself; the two monitor each other's removal and protect each other from being removed.

The researchers suggested that, to protect yourself from the malware, you must have up-to-date anti-malware software on your mobile device. If it has already infected a phone, the owner has to re-flash it with an official ROM.

Lackadaisical VAPT leads to big hole in Cyber Security

Vulnerability analysis and penetration testing (VAPT) is the bedrock of cyber security. How can one fix problems if one does not know what the problem is? Ignorance is no bliss when it comes to cyber security: one estimate of the annual cost of cyber crime to the global economy ranges from US $ 375 billion – US $ 575 billion. That’s a lot of money.

Pity, then, that many companies undertake VAPT as an eyewash for ISO 27001, to secure a compliance certificate for themselves. IT vendors and IT consultants are usually tasked with undertaking VAPT, and these firms in turn outsource it further to so-called specialists, sometimes without the clients’ knowledge.

Vulnerability testing is a deeply technical issue. When one is faced with situations such as Advanced Persistent Threats (APT) and 0 Day vulnerabilities, it needs to be borne in mind that businesses are up against highly skilled and creative hackers. Such attackers typically belong to organized criminal groups, mafia groups, Black Hat hacker groups or state-backed groups.

An APT attack happens when committed adversaries persistently utilize advanced technologies to compromise targets. Extremely hazardous 0 Day exploits (vulnerabilities found by hackers and never reported to security vendors) are found in operating systems, application software, browsers like Chrome and Firefox, antivirus software, firewalls, and internal application software. On average, twenty 0 Day vulnerabilities exist in any given server. 0 Days have the greatest success and damage rates and the least probability of detection by firewalls, IDS, AV products and the like.

The lack of seriousness with respect to VAPT also extends to the “purchasers” of such services. Businesses are not fully equipped to understand the complexities of VAPT. One has heard of instances where a firm sought to dictate the nature of a test, the date, the time and even the server and ports to be tested. All this fussiness may be relevant when it comes to a haircut, but not in the context of a VAPT. Hackers, of course, are famous for not following any rules whatsoever and thumbing their noses even at hyperactive cyber defenses, let alone amateurish ones.

The crux of the whole problem appears to be a lack of senior management or CISO involvement in a VAPT or a similar exercise. This is a matter that cannot be left to systems administrators or developers, who are better equipped to remediate security issues than to discover vulnerabilities.

The lack of senior management attention is often seen in the nature of the testing firms recruited to undertake the assignment. Inferior manpower (tool runners abound), no post-exploitation skills, no access to ultra-critical 0 Day exploits, no APT “War Gaming” skills, no real white hat hackers on board with practical experience (only people with some theoretical knowledge), limited skills in network analysis: these are some of the downsides of the testing firms normally used.

Businesses need to address such issues by ensuring senior-level, even board-level, involvement in cyber security. Further, their cyber security vendor selection process needs to be more precise and demanding. Vendors need to have very deep domain knowledge, years of penetration testing experience, sophisticated tools and access to hundreds of 0 Day exploits, and be staffed by established and well-networked bug bounty hunters and white hat hackers.

J Prasanna
Founder, Cyber Security & Privacy Foundation

Researchers say North Korea behind attacks exploiting a Korean word processing program

Recent reports had confirmed that relations between the two Koreas (North and South), which were bad for years, showed some signs of improvement after Seoul and Pyongyang exchanged reconciliatory gestures and expressed their willingness to talk. There was even a rather high probability that the third intra-Korean summit would happen in the near future.

However, the situation might go in another direction following a PDF report by FireEye, a U.S.-based security company that provides automated threat forensics and dynamic malware protection against advanced cyber threats. The report says that North Korea is likely behind cyber-attacks that have focused on exploiting a word processing program widely used in South Korea.

Genwei Jiang and Josiah Kimble, authors of the report, identified several malicious documents in the wild that exploit a previously unknown vulnerability (CVE-2015-6585) in the Hangul Word Processor (HWP). HWP, published by a South Korean company, is a Korean word processing application.

“It is widely used in South Korea, primarily by government and public institutions. Some HWP programs are frequently used by private organizations, such as HWP Viewer. The payloads and infrastructure in the attack are linked to suspected North Korean threat actors. Hancom patched CVE-2015-6585,” the authors said in the report.

The authors have said that only a handful of attacks have been publicly attributed to the secretive nation, which is known to have well-developed cyber capabilities.

According to them, if the malicious HWP file is opened, it installs a backdoor, which FireEye nicknamed "Hangman", that is used for downloading files and probing file systems. It is similar to a backdoor FireEye calls Peachpit, which may have been developed by North Korea, the report said.

Once Hangman has collected data, it sends it to command-and-control servers over an SSL (Secure Sockets Layer) connection. The IP addresses of those servers are hard-coded into Hangman and have been linked to other suspected North Korea-related attacks.

“While not conclusive, the targeting of a South Korean proprietary word processing software strongly suggests a specific interest in South Korean targets, and based on code similarities and infrastructure overlap, FireEye Intelligence assesses that this activity may be associated with North Korea-based threat actors,” the authors added.

According to a news report published in PCWorld, one of the most prominent instances was the devastating attack in November 2014 against Sony Pictures, which lost sensitive corporate data and email and saw many of its computers rendered inoperable.

“In a rare move, the FBI blamed North Korea for the Sony hack based on an analysis of malware suspected to have been developed by the country and used in other attacks,” the news report added.

Mozilla patches severe vulnerabilities in its Bugzilla bug tracking system

Mozilla confirmed on September 4 that an attacker stole security-sensitive vulnerability information from its Bugzilla bug tracking system and thereby gained access to information about unpatched zero-day bugs.

However, Mozilla has now patched all the flaws that allowed the attacker to gain access. The company also said that it would take its own security more seriously than before.

The attacker is also said to have used that information to attack Firefox users, the maker of the open-source Firefox browser warned on Friday.

“The attacker acquired the password of a privileged Bugzilla user, who had access to security-sensitive information. Information uncovered in our investigation suggests that the user re-used their Bugzilla password with another website, and the password was revealed through a data breach at that site,” Mozilla said in an FAQ on the breach.

The one bug that was exploited in the wild was used to collect private data from Firefox users who visited a Russian news site.

The attacker accessed approximately 185 bugs that were non-public. Among them, 53 were said to be severe vulnerabilities. Mozilla claims that 43 of the severe flaws had already been patched in the Firefox browser by the time the attacker accessed the bug information. That leaves 10 bugs that the attacker had access to before they were patched, and that's where the potential risk to Firefox users lies.

“The earliest confirmed instance of unauthorized access dates to September 2014. There are some indications that the attacker may have had access since September 2013,” the company said.

The company said that during its investigation it found out that the user re-used their Bugzilla password with another website, and the password was revealed through a data breach at that site.
Firefox security lead Richard Barnes detailed what Mozilla is now doing to improve Bugzilla's security.

"We are updating Bugzilla's security practices to reduce the risk of future attacks of this type," Barnes wrote. "As an immediate first step, all users with access to security-sensitive information have been required to change their passwords and use two-factor authentication."

Ola leaks personal information of its customers, claims a girl

A girl from Chennai claimed that OlaCabs, famous as Ola, a mobile app for personal transportation in India, had sent personal information of more than 100 customers to her via SMS.

Swapnil Midha posted on Facebook that Ola, which started as an online cab aggregator in Mumbai, is now based out of Bangalore and is among the fastest growing businesses in India, leaked personal details such as users' mobile numbers and locations.

However, the company regarded it as a technical fault and confirmed that it has been fixed now.

“About three weeks ago, I booked an Ola cab for a long distance drive. After the ride I received a few garbled texts from "VM-OLACAB" that I didn't think much of and ignored. These messages were alpha-numeric with hashes and made no sense to me whatsoever. I assumed there was some system error and did not anticipate the sleep deprivation that followed,” she wrote on Facebook.

She added, “My phone beeped throughout the night. 1:06, 2:34, 2:37, 2:38, 4:05, 5:17. I couldn't get my head around why these were coming at these times. I then called their call centre the next day to explain that there was probably some sort of bug and my number had somehow gotten into their highly cryptic message transmission systems, whatever secrets they were trying to transmit.”

Although Ola assured her that it would fix the problem soon, she kept receiving SMS after SMS. She received between 300 and 400 texts.

“I received no further communication from them, no update, no email, just more garbled messages,” she explained. “I reached out to them through every channel possible. I called their call centre at least 5 times, demanded to speak to the senior managers, and had to explain my problem each time in great detail, answering the same annoying questions.”

She said that the company shared personal details of their customers throughout the day and throughout the night.

“What scares me the most, is that THIS should be their number one priority. I questioned their lack of concern for privacy and data protection. I threatened to report them to the authorities and TRAI. Nothing seemed to work which makes you think - do they even care about protecting customer information? If they are sending all this to me, who are they sending MY booking details to? Whose number is receiving all of my data? Which creepy criminal knows my full name, my mobile number, my door number, my account details, when I'm home and when I'm out?” she added.

The girl has raised a serious question, which the company needs to answer as soon as possible. If one of the most trusted companies, like Ola, is this careless, what can we expect from others?