Russian Hacker pleads guilty for role in creating Ebury Malware

The Russian hacker who helped create the Ebury malware has pleaded guilty to the charges brought against him.

Maxim Senach, a 41-year-old Russian man from Great Novgorod, was arrested in Finland in 2015 and extradited to the United States in January 2016. The U.S. Department of Justice now reports that Senach has pleaded guilty, confirming that he was involved in developing the Ebury malware and controlled the well-known botnet.

The Ebury malware appeared in 2011 and targeted UNIX-like systems (Linux, FreeBSD, Solaris). It was installed on poorly protected servers and combined a rootkit component with a backdoor that gave the attackers remote access to the server at any time. Ebury was also used to steal SSH credentials and private keys, which the attackers then used to infect further servers.



This malware became well known after "Ryan Austin" (unrelated) used it to infect kernel.org servers. It took the administrators months to clean up the infection, as kernel.org is the main distribution channel for the Linux source code.


Servers infected by Ebury were joined into a botnet that cyber criminals used to send spam, commit click fraud and divert traffic to malicious sites or to sites that paid for "advertising". In total, Ebury infected more than 500,000 computers and 25,000 servers. The botnet could send out 35,000,000 spam emails daily and divert more than 500,000 people to malicious sites. According to law enforcement, the botnet's operators made millions of dollars.

As stated above, Senach pleaded guilty to all charges and now faces 30 years in prison. The sentence will be announced on 3 August 2017.

No app can stop CIA from reading your messages, says Pavel Durov



In an article titled "What does the "Year Zero" and "Vault 7" stuff from Wikileaks mean?", Pavel Durov, founder of the social network Vkontakte and the Telegram messenger, explained how the CIA can read your messages even if you use a secure messaging application.

Durov said that the hackers do not need to hack the targeted applications directly. Instead, they can exploit vulnerabilities in the mobile operating systems to get at sensitive information and messages.

"To put 'Year Zero' into familiar terms, imagine a castle on a mountainside. That castle is a secure messaging app. The device and its OS are the mountain. Your castle can be strong, but if the mountain below is an active volcano, there's little your engineers can do," he explained. "So in the case of 'Year Zero', it doesn't matter which messenger you use."

He explained that the hackers can gain access to your keyboard, which lets them see which keys you press.

"No app can hide what shows up on your screen from the system. And none of this is an issue of the app," said Durov.

The founder of Telegram urged the main developers of operating systems and devices, such as Apple, Google and Samsung, to start fixing their vulnerabilities immediately.

He said that normal users do not need to worry about this. But if the CIA is after you, it doesn't matter which messaging app you use as long as your device runs iOS or Android.

Be careful with whom you share your Jio Hotspot!

If you share your Jio internet connection with others via mobile hotspot, you should know the risk you are taking. Our research shows that sharing your Jio connection puts your sensitive information in their hands.

The person using your Jio internet can easily log into your Jio account. All they have to do is download the MyJio app and tap "SIGN IN WITH SIM".

Steps to replicate:
Step 1:
    You need two phones: one with a Jio SIM and one with a non-Jio SIM (make sure the Jio app is not yet installed on the second phone).

Step 2:
    Turn on the Wi-Fi hotspot on the Jio phone and connect to it from the non-Jio phone.

Step 3:
    Install the Jio app from the Play Store and open it. When it asks for authentication, tap "SIGN IN WITH SIM". You can now access the Jio account from the non-Jio phone.

View/Modify Details:
After logging in, it is possible to view sensitive information including name, date of birth, mobile number, alternate contact, work address, photo and usage details. Some of these details can also be edited.



Once you are logged in, the session is maintained even after you disconnect from the Jio network.

Account lockout:
If you log out from the Jio phone by mistake while the account is logged in on the non-Jio phone, you will not be able to log in to your Jio app until the other person logs out of the app.

If the victim has installed the Jio Security app, an attacker can track their current location or see their last known location.

Say you are in a public place and a stranger (the attacker) asks for an internet connection to check his email. Sharing your connection is enough for the attacker to steal your sensitive information.

The issue can be resolved by adding an OTP check during authentication.

We thank Suriya Prakash from the Cyber Security & Privacy Foundation (CSPF) for helping us with this research.

Hackers could easily bypass SBI's OTP security

The One Time Password (OTP) has become the standard security feature on most websites, including those of banks. It lets a user complete an online transaction only after their identity has been verified by entering the OTP that the bank sends to the registered mobile number. But who knew this security feature could be easily bypassed, leading to huge losses of money.

Neeraj Edwards, a white-hat hacker, bug bounty hunter and web application security researcher, shared his research on how he could easily bypass the OTP of one of the most popular banks, State Bank of India (SBI), and make a transaction of any amount.



While making a transaction, the last page of SBI's website shows a One Time Password screen where a parameter called 'smartotpflag' is set to Y, i.e. smartotpflag=Y.


The smartotpflag parameter is used to generate the OTP, and Y represents 'yes': send the code to the registered mobile. The risk arises if someone changes 'Y' to 'N', meaning 'No': the transaction is then completed without entering the OTP.


Although the vulnerability was patched after Edwards' discovery, it was highly disappointing that the person who could easily have benefited from this vulnerability, but chose not to, was neither rewarded nor acknowledged for his work.

The press did not carry this important news either, keeping the public in the dark and the discoverer without any recognition.

The POC Video:
https://www.youtube.com/watch?v=2kYm1G2jBcM
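Both the Jio item above (which proposes an OTP check as the fix) and the SBI flaw come down to the same server-side rule: the server, not the client, decides whether a second factor is required, and it verifies that factor itself. The example below is added here and is not SBI's or Jio's code; the OtpService class, the 180-second validity window and the 3-attempt limit are assumptions, and the "vulnerable" flow simply mirrors the smartotpflag behaviour described in the article.

```python
import hashlib
import hmac
import secrets
import time

# Illustrative server-side OTP handling (added example; not SBI's or Jio's code).
# The OTP is never stored in clear: only an HMAC of (transaction id, OTP) is kept,
# together with an expiry time and an attempt counter.


class OtpService:
    TTL_SECONDS = 180      # OTP validity window (assumed value)
    MAX_ATTEMPTS = 3       # wrong guesses allowed before the challenge is voided

    def __init__(self, server_secret, now=time.time):
        self._secret = server_secret
        self._now = now            # injectable clock, so expiry can be tested
        self._pending = {}         # txn_id -> challenge record

    def _mac(self, txn_id, otp):
        msg = f"{txn_id}:{otp}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, txn_id):
        """Create a fresh 6-digit OTP for a transaction. The returned code is
        what the bank would send by SMS to the registered mobile number."""
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[txn_id] = {
            "mac": self._mac(txn_id, otp),
            "expires": self._now() + self.TTL_SECONDS,
            "attempts": 0,
        }
        return otp

    def verify(self, txn_id, otp):
        """Return True only for the correct, unexpired, unused OTP."""
        challenge = self._pending.get(txn_id)
        if challenge is None:
            return False                      # no challenge was ever issued
        if self._now() > challenge["expires"]:
            del self._pending[txn_id]         # expired: caller must issue() again
            return False
        challenge["attempts"] += 1
        if challenge["attempts"] > self.MAX_ATTEMPTS:
            del self._pending[txn_id]         # too many guesses: void the challenge
            return False
        if hmac.compare_digest(challenge["mac"], self._mac(txn_id, str(otp))):
            del self._pending[txn_id]         # single use
            return True
        return False


def complete_transaction_vulnerable(form, otp_service):
    """Mirrors the flaw described in the article: the client-supplied
    smartotpflag decides whether the OTP is checked at all."""
    if form.get("smartotpflag") == "Y":
        if not otp_service.verify(form["txn_id"], form.get("otp", "")):
            return "rejected: otp"
    return "completed"


def complete_transaction_hardened(form, otp_service):
    """The server enforces its own policy (here: every transaction needs an
    OTP) and ignores any flag the client sends."""
    if not otp_service.verify(form["txn_id"], form.get("otp", "")):
        return "rejected: otp"
    return "completed"


if __name__ == "__main__":
    svc = OtpService(b"constructed-server-secret")
    svc.issue("txn-1")
    # Client sets smartotpflag=N: the vulnerable flow skips the OTP entirely.
    print(complete_transaction_vulnerable(
        {"txn_id": "txn-1", "smartotpflag": "N"}, svc))      # completed
    svc.issue("txn-2")
    print(complete_transaction_hardened(
        {"txn_id": "txn-2", "smartotpflag": "N"}, svc))      # rejected: otp
```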

nullcon Information Security Conference 8Bit, Goa 2017




nullcon was founded in 2010 with the idea of providing an integrated platform for exchanging information on the latest attack vectors, zero-day vulnerabilities and unknown threats. Our motto, "The neXt security thing!", drives the objective of the conference: to discuss and showcase the future of information security and the next generation of offensive and defensive security technology. The idea started as a gathering for researchers and organizations to brainstorm and demonstrate why current technology is not sufficient and what the focus for the coming years should be in information security. In addition to security, one section of the conference, called Desi Jugaad (Hindi for "Local Hack"), is dedicated to hacking, where we invite researchers who come up with innovative security, tech or non-tech solutions for real-life challenges or who take up new initiatives.

The nullcon conference is a unique platform for security companies and evangelists to showcase their research and technology. nullcon hosts Prototype, Exhibition, Trainings, Free Workshops and the null Job Fair at the conference. It is an integrated and structured platform that caters to the needs of the IT security industry at large in a comprehensive way.

The event consists of 25 talks and 11 training sessions, which cover all major topics of the IT security industry. The conference is created for security companies and enthusiasts so they can showcase the most up-to-date research and technology on the topic. The shared knowledge is usually put to use afterwards within the organizations. Moreover, we host the Exhibition, Free Workshops, CTF hacking competitions, the Job Fair, the BlackShield Awards and other events at the conference.

The keynote will be delivered by Joshua Pennell, Founder & President of IOActive, followed by talks from various international security researchers on topics such as ATM hacking, drone hijacking, telecom protocol security, blockchain issues, cloud security, bug hunting, social engineering, botnets and lots more.

With the nullcon 8-bit edition we have made a lot of changes, bringing the conference to the next level:
  • We expect 1000 attendees,
  • An additional DevOps Security track,
  • New trainings on Cloud Security, IoT, Infrastructure and Hardware Security,
  • A new CXO panel session,
  • A larger exhibition vendor area, and more.

Nullcon Goa 2017 Dates:
  • Training - 28th Feb to 2nd March 2017
  • Conference - 3rd to 4th March 2017

New Venue:
Holiday Inn Resort, Mobor Beach, Cavelossim, Salcette, Goa - India.
Registration is still open! Get your pass here: http://nullcon.net/website/register-goa.php

We are happy to announce a 10% discount on a conference pass for E Hacking News readers! Don't miss your chance to visit Asia's leading information security conference!

Visit our website for more information: http://nullcon.net/website/
We are looking forward to seeing you at the conference!

27 million Mate1.com accounts hacked and sold

If you have an account on the online dating website Mate1.com, there is a very high probability that your account has been hacked.

A hacker has claimed to have accessed the usernames, passwords and email addresses of 27 million people, announcing it in a post on the Hell forum.

According to Motherboard (Vice), which first reported the hack, the hacker obtained the account details of over 27 million users and sold them to someone else through a deal brokered on the Hell forum.

The hacker told Motherboard that he managed to compromise the Mate1.com server and used command access to look at the MySQL database and download parts of it.

He added that the dating website has a lax security flaw that allows users to log onto the website without verifying their email address to complete the sign-up process, which means you can simply create an account with an email address that belongs to you or to someone else.

The hacker revealed that Mate1 does not use any encryption to store passwords: if you have forgotten your password, don't worry, it will be sent to the corresponding email address in plain text.

It is not clear how much the hacker eventually sold the data for, although he was offering it 

Mozilla awarded $2,500 to security researcher

Security researcher Ashar Javed recently discovered three bugs in the Mozilla Add-ons portal that could be exploited via the "Create new collection" feature.

He found that malicious code could be inserted into a Mozilla Add-ons collection. Collections are used to organize add-ons for business and personal purposes and can be shared on social media as well.

“Given that the Mozilla add-on site has millions of downloads, it is easily possible for the attacker to convince the victim to visit the collection page,” the expert told SecurityWeek.

Users were thereby exposed to all kinds of attacks that can be carried out via XSS flaws, the most common being cookie theft.

Websites are generally vulnerable to XSS flaws, and add-on collections are very useful for Firefox users, so for discovering the issue Mr Javed received $2,500 from Mozilla. Two other bugs were also discovered, about which Mozilla did not reveal any information apart from their location.

This is not the first time he has received a sizeable award: Google awarded him $3,000 for a reflected XSS in the main search bar of the YouTube Gaming website.

Guardian's Article on Cyber Crime spreads Malware

A 2011 article titled "Cybercrime: is it out of control?" on the Guardian's website has been found to be serving up the Angler Exploit Kit.

The Angler Exploit Kit is a web-based toolkit that attackers use to probe the defences of a visitor's computer.

The problem was discovered by FireEye Labs on December 01, which noticed that this instance of the Angler infection did not come from a tainted ad but from visiting the Guardian's article about cybercrime.

Visiting the page would execute an embedded script to redirect the reader's browser to an Angler Exploit Kit landing page.

The Windows OLE vulnerability the kit exploits enables a "God Mode" on infected PCs, giving attackers control over every facet of the user's machine.

The Angler Exploit Kit also scans for the Flash-based CVE-2015-5122, CVE-2015-5560 and CVE-2015-7645 vulnerabilities, which are less powerful than the Windows OLE one but dangerous nevertheless.

These vulnerabilities have been fixed by Microsoft and Adobe, and users who keep their systems up to date have nothing to fear while reading the article on the Guardian.

Meanwhile, the Guardian has promised to fix the contaminated links on its website.

This news came days after Angler was found serving malvertising to visitors of video site DailyMotion.

State-sponsored hackers spread backdoors in Middle East

Symantec's threat report revealed that two state-sponsored hacking groups have been using backdoors to spy on targets in Iran and other nations in the Middle East.

The two groups are known as 'Cadelle' and 'Chafer', and each uses its own custom-developed backdoors. Cadelle, with its five-member team, uses the backdoor 'Cadelle', while Chafer's backdoors, known as 'Remexi' and 'Remexi B', were developed by its ten-member team.

Both backdoors can open connections and help the attackers steal data from infected systems.

Symantec believes that the two groups, which target political dissidents from Iran as well as airports and telecommunications companies in other Middle East countries, may be doing so with the intention of keeping an eye on the movements of their targets.

Chafer has been using SQL injection attacks to compromise servers and drop Backdoor.Remexi onto its targets, but Cadelle's technique is not yet known.

Once installed, the backdoors can do a great deal of harm. They can be used to gather and steal passwords, intercept document print commands, record audio via the infected device, take screengrabs, record webcam feeds, log keystrokes, log opened applications, and gather system and clipboard information.

Attackers using these backdoors were first spotted in 2014, but clues in each group's code suggest they may have been in use since 2011.

Critical vulnerabilities found in Modbus gateways

Security researchers have found several critical vulnerabilities in Modbus gateways built by Advantech, which are used to connect serial devices in industrial control environments to IP networks.

The Advantech EKI series of devices shipped with hard-coded SSH keys, and buffer overflow and code injection flaws were found in the same product.

Researchers at Rapid7 have confirmed that the EKI-1322 GPRS IP gateway is vulnerable to two critical flaws, Shellshock in the Bash shell and Heartbleed in OpenSSL.

Patches for Shellshock and Heartbleed were released for Bash and the OpenSSL library immediately, but Advantech failed to apply them to the device and, moreover, kept silent on Rapid7's disclosure.

Rapid7's chief researcher voiced his concern about the vulnerabilities, noting that there had been similar security bugs involving SSH keys before, and that the Shellshock bug had still not been addressed after all the reverse engineering.

Rapid7 also found a stack-based buffer overflow in the device's DHCP client, version 1.3.20-p10, but was not sure whether that vulnerability is exploitable.

After the disclosure of the hard-coded SSH keys, Advantech and ICS-CERT warned about hard-coded SSH keys in the EKI-122x series and announced the firmware versions containing the fix.

Hard-coded SSH keys were found in:
EKI-136* product line prior to firmware version 1.27,
EKI-132* product line prior to firmware version 1.98, and
EKI-122*-BE product line prior to firmware version 1.65.

A few more vulnerabilities were exposed when Moore looked into the SSH configuration: the keys were not being generated on the fly on the device, even though the Dropbear SSH software in use is capable of generating them.
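A hard-coded host key shows up in a fleet as the same key presented by many devices, so one practical check for the situation described above is to scan the gateway inventory and group hosts by host-key fingerprint. The example below is added here and is not Rapid7's or Advantech's code; the key blobs and addresses are constructed placeholders, and the input format assumed is that of ssh-keyscan output (host, key type, base64 key).

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample in ssh-keyscan output format (host, key type, base64 blob).
# The blobs are fabricated placeholders, not real device keys; in practice this
# text comes from running ssh-keyscan against the list of gateways.
SHARED_BLOB = base64.b64encode(b"constructed-blob-shipped-in-firmware").decode()
UNIQUE_BLOB = base64.b64encode(b"constructed-blob-generated-on-device").decode()

SAMPLE_KEYSCAN = "\n".join([
    "# 10.0.0.11:22 SSH-2.0-dropbear",          # banner comment, ignored
    f"10.0.0.11 ssh-rsa {SHARED_BLOB}",
    f"10.0.0.12 ssh-rsa {SHARED_BLOB}",         # same key on three gateways
    f"10.0.0.13 ssh-rsa {SHARED_BLOB}",
    f"10.0.0.13 ssh-rsa {SHARED_BLOB}",         # duplicate line for one host
    f"10.0.0.20 ssh-rsa {UNIQUE_BLOB}",         # per-device key: fine
    "",
])


def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text):
    """Yield (host, key_type, fingerprint) per key line; comments, blank and
    malformed lines are skipped rather than aborting the whole scan."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        host, key_type, blob = parts[0], parts[1], parts[2]
        try:
            yield host, key_type, fingerprint(blob)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue


def shared_host_keys(text):
    """Map every host key seen on more than one host to the sorted list of
    hosts presenting it. A non-empty result means those devices share a key
    that was not generated on the device, as described for the EKI series."""
    hosts_by_key = defaultdict(set)
    for host, key_type, fp in parse_keyscan(text):
        hosts_by_key[(key_type, fp)].add(host)
    return {
        f"{key_type} {fp}": sorted(hosts)
        for (key_type, fp), hosts in hosts_by_key.items()
        if len(hosts) > 1
    }


if __name__ == "__main__":
    for key, hosts in shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"{key} is shared by {len(hosts)} hosts: {', '.join(hosts)}")
```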

Chinese Cybercriminal gang uses Dropbox to Target Media outlets

A Chinese Advanced Persistent Threat (APT) group allegedly responsible for attacks against foreign governments and ministries has shifted its focus to Hong Kong based media companies, using Dropbox for its malware's communications.

The group, identified as 'admin@338', has been active since 2008 and uses publicly available Trojans such as 'Poison Ivy' to attack organizations in the financial services, telecoms, government and defense sectors. It is also known to use some non-public backdoors.

But this is the first instance of the group using phishing lures in Chinese against its targets. Each phishing email carried three attachments containing exploits for a patched Microsoft Office vulnerability, CVE-2012-0158, a buffer overflow in the Windows Common Control Library patched in early 2012.

On execution, the exploit drops a backdoor dubbed 'Lowball', which connects to an external location. Lowball then syncs with a legitimate Dropbox account controlled by the remote attackers.

In the first stage, the attack runs a number of commands on the infected computer and uploads the output to the Dropbox account, which serves as the C&C channel. The attackers retrieve and analyse the information and, if the target is deemed worthy, deliver a second-stage backdoor called 'Bubblewrap', which is used for remote control and data theft.

The research was published by network security company FireEye.

The group was also suspected of launching a phishing campaign against media organizations in Hong Kong in August. In March last year, the group leveraged the disappearance of Malaysia Airlines Flight MH370 to target a government in the Asia-Pacific region and a US-based think tank.

This isn't the first time China has targeted media outlets to seek out sources and stay ahead of the news cycle.
In January 2013, hackers allegedly connected to the Chinese government were blamed by Mandiant for a breach at the New York Times. The group broke into the email accounts of investigative journalists seeking information on a corruption scandal involving then-Chinese premier Wen Jiabao.


Hilton payment system attacked

Hilton, one of the largest US-based hotel chains, revealed that hackers had infected some of its point-of-sale systems with malware crafted to steal credit card information.

It did not disclose what data was taken, but advised everyone who used payment cards at Hilton Worldwide hotels between November 18 and December 5 of last year, or between April 21 and July 27 of this year, to check their debit or credit cards for irregular activity.

In an online post Hilton said that the malware that infected its systems had the potential to retrieve cardholders' names, account numbers, security codes and expiration dates.

It added that it is investigating the breach with the help of third-party forensics experts, law enforcement and payment card companies.

Starwood Hotels, which operates the Sheraton and Westin chains, announced four days before Hilton that hackers had attacked its payment system, leaking customer credit card data at some of its establishments.

"The malware was designed to collect certain payment card information, including cardholder name, payment card number, security code and expiration date," the group said in a statement.

Starwood and Hilton are not the only ones whose payment systems have been hacked; last month Trump Hotels faced a similar cyber attack.

"We believe that there may have been unauthorised malware access to some of the computers that host our front desk terminals and payment card terminals in our restaurants, gift shops and other point-of-sale purchase locations at some hotels," Trump Hotel Collection said at a website devoted to details of the incident.

According to Trump Hotels, the access could have taken place between May 19 of last year and June 2 of this year.

Brian Krebs, the security blogger behind KrebsOnSecurity.com, described the attack on payment systems as "just the latest in a long string of credit card breaches involving hotel brands, restaurants and retail establishments."



Malware detected in Martel cameras used by police departments


iPower Technologies, a US security company and network integrator, has discovered copies of the Conficker malware in the Martel Frontline Camera with GPS. Martel is one of the largest manufacturers of police in-car video systems in America, and the product is sold and marketed as a body camera for police departments.


The Florida-based company, which is currently developing a cloud-based video storage system that lets government agencies and police departments store and search camera video, said that cameras it received from the supplier Martel Electronics were loaded with 2009's most notorious botnet malware.

Conficker is not new: it was discovered in late 2008, when researchers found that the malware, which at that point had already infected millions of PCs, was set to perform an unspecified update activity on April 1, 2009.

Jarrett Pavao and Charles Auchinleck, researchers at the company, found that when the cameras were connected to a computer, they tried to execute the worm variant 'Win32/Conficker.B!inf'.

"When the camera was connected to a computer, iPower's antivirus software immediately caught the virus and quarantined it. However, if the computer did not have antivirus actively protecting the computer it would automatically run and start propagating itself through the network and internet," iPower said in a post.

"In the iPower virtual lab environment, packet captures were also run on the infected PC to view the viruses' network activity using Wireshark. The virus, classified as a worm virus, immediately started to attempt to spread to other machines on the iPower lab network, and also attempted several phone home calls to internet sites," the post added.


After the findings, iPower said it had tried to contact Martel Frontline Camera to report the issue, but the company has yet to respond.

A threat that encrypts data in offline mode

Researchers at Check Point Technologies have discovered an 'offline' ransomware that encrypts files on the infected machine without ever communicating with a command and control (C&C) server.

The ransomware, which mainly targets Russian users, has existed since around June 2014. Since then a dozen versions have been released; the latest, CL 1.1.0.0, appeared in mid-August.

Security products detect various versions of the threat as Ransomcrypt.U (Symantec), Win32.VBKryjetor.wfa (Kaspersky) and Troj/Ransom-AZT (Sophos).
After infecting a computer, the threat encrypts important files and then changes the desktop background to a message in Russian informing the user that their files have been encrypted.

Victims are then asked to pay between $300 and $380, depending on how fast they pay up, to receive a decryption tool and the key needed to recover their files.

Because it works offline and never contacts a C&C server, security solutions that identify threats by their network communications have a harder time detecting and neutralizing the malware.

According to Check Point's researchers, the malware is designed only to encrypt files and has little other functionality. However, it performs that one function well enough that recovering the files without paying the ransom is impossible.

The beginning (first 30000 bytes) of each file is encrypted using two buffers of digits and letters that are randomly generated on the infected machine: each original byte is combined with one byte from each of the two random buffers through mathematical operations.

The remainder of each file (if any) is encrypted using an RSA public key ("local") that is randomly generated on the infected machine, together with the matching local RSA private key required to decrypt the data.

The randomly generated buffers and the local RSA private key that are required for decryption are added as metadata to each encrypted file, and that metadata is then encrypted using three hard-coded RSA-768 public keys that the offender created in advance ("remote"). The matching remote RSA private keys required to unlock the metadata are held on the attacker's side.

Ransomware campaigns are highly profitable for cyber criminals, who can make huge amounts of money by encrypting the files of Russian users.

Marshmallow OS to get patch for two critical Android bugs

Google has patched seven vulnerabilities in Android, two of which were rated critical, four high and one moderate. This was the fourth round of Android patching since August this year.

The two flaws rated critical, both of which give attackers remote code execution, are in libutils (CVE-2015-6609) and mediaserver (CVE-2015-6608). They can be exploited by sending crafted media files to affected devices.

Google informed its partners about the patch on October 5. The patch code is set to be available for Nexus, Samsung and the Android Open Source Project, but it will first ship for the latest Android release, Marshmallow.

In its advisory Google said that, "The most severe of these issues is a critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files."

"During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process. The affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media."

A privilege elevation bug was also fixed in the libstagefright library; it is separate from the Stagefright vulnerabilities reported by Zimperium researcher Joshua Drake earlier this year.

Vulnerabilities in Bluetooth (CVE-2015-6613), mediaserver (CVE-2015-6611), the telephony app (CVE-2015-6614) and libmedia (CVE-2015-6612) were also patched.

Google says "exploitation is made harder on the security-improved Marshmallow Android platform."

| Issue | CVE | Severity |
| --- | --- | --- |
| Remote Code Execution Vulnerabilities in Mediaserver | CVE-2015-6608 | Critical |
| Remote Code Execution Vulnerability in libutils | CVE-2015-6609 | Critical |
| Information Disclosure Vulnerabilities in Mediaserver | CVE-2015-6611 | High |
| Elevation of Privilege Vulnerability in libstagefright | CVE-2015-6610 | High |
| Elevation of Privilege Vulnerability in libmedia | CVE-2015-6612 | High |
| Elevation of Privilege Vulnerability in Bluetooth | CVE-2015-6613 | High |
| Elevation of Privilege Vulnerability in Telephony | CVE-2015-6614 | Moderate |


Cyber threats may well face an insurance vacuum; firms need to look after themselves

Anecdotal evidence suggests that the global insurance industry is unwilling to play ball on writing cyber insurance policies. Companies face unprecedented cyber threats and are therefore seeking ever larger cyber insurance covers. Insurers, however, are either unwilling to write policies, or are writing limited policies at a fat cost or with significant conditions attached. Firms are looking for US $1 billion covers, but the insurers are not biting.

It is not hard to understand the predicament of insurers. As things stand today, cyber insurers face information asymmetry: there is little or no actuarial insight available. No insurer has a clue as to what hidden vulnerabilities exist in a company's IT set-up (software, websites, network, data centres and processes). How can the insurers know when companies themselves do not fully understand their vulnerabilities?

The task for insurers is made even more difficult by the fact that attacks may not be aimed at a big firm directly. The recent attack on Apple's iOS App Store suggests that hackers have discovered another route to compromise the internet: infecting the machines of software developers who write legitimate programs and apps. Developers are a huge, globally dispersed (with the geopolitical risks that implies) and logical target for hackers, and this approach may be harder to defend against.

Further, insurers also need to take into account that we live in the days of internet-linked business ecosystems, which include multiple partners and suppliers of various sorts, apart from outsourced software development. Smaller, less prepared, less equipped members of those ecosystems offer hackers an easier route into the systems of the big firms.

The situation gets extremely complicated when one considers the size of cyber threats. One estimate of the annual cost of cybercrime to the global economy ranges from US $375 bn to US $575 bn. That is a lot of money, and the reluctance of insurers to write policies against hugely expensive and unknown threats is unsurprising to say the least. Attackers are remotely located, face no direct or immediate physical threat and are unafraid to take risks.

Testing for vulnerabilities is a deeply technical issue. When faced with Advanced Persistent Threats (APT) and 0-day vulnerabilities, it needs to be borne in mind that businesses are up against attackers who typically belong to organised criminal groups, mafia groups, black-hat hacker groups or state-backed groups.

An APT attack happens when committed adversaries persistently use advanced technologies to compromise targets. Extremely hazardous 0-day exploits (vulnerabilities found by hackers and never reported to security vendors) are found in operating systems, application software, browsers, antivirus software, firewalls and internal application software. On average, twenty 0-day vulnerabilities exist in any given server. 0-days have the greatest success and damage rates and the least probability of detection by firewalls, IDS, antivirus and the like.

The problem is compounded by the lack of senior management involvement in vulnerability assessment and penetration testing exercises. This is a matter that cannot be left to systems administrators or developers, who are better equipped to remediate security issues than to discover vulnerabilities.

Given the reluctance of insurers to play ball, companies may have little choice but to look after themselves. The buck needs to stop at the desk of senior management, and boards need to ask difficult questions. Cyber threats are strategic in nature, and as such a strategic response is called for to defend against financial and non-financial damage.

Constant vigilance, vulnerability assessments and penetration testing are essential for defence. Companies also need to use counter-cyber-espionage and counter-intelligence techniques to protect themselves against cyber attacks, as well as inject themselves with a healthy dose of paranoia.

Author: Prasanna J, Founder of Cyber Security and Privacy Foundation (CSPF)

Cyber Attack on America’s Thrift Stores exposes credit card numbers

A charity store chain, America’s Thrift Stores, discovered on Friday (October 09) that it had become the victim of a malware-driven security breach that originated in the software a third-party service provider used to process credit card payments in Alabama, Georgia, Louisiana, Mississippi and Tennessee.

America’s Thrift Stores is a for-profit organization that operates 18 donation-based thrift stores throughout the southeastern United States; it collects used clothing and household items from local communities and sells them for a profit, which it shares with Christian charities.

The Birmingham-based company’s CEO, Kenneth Sobaski, said in a statement that no customer names, phone numbers, addresses or emails were exposed, but credit card numbers were.

The hack appears to have affected transactions between September 01 and September 27.
The organization advised customers who feared their data had been compromised to contact their card issuer or bank immediately and to report any suspicious activity.

The malware has been removed from the stores’ computers, and purchases outside of those dates should not be at risk.

Security journalist Brian Krebs stated on his blog that there were indications the data stolen from America's Thrift Stores was already being used to create counterfeit cards, citing several banking sources who confirmed a pattern of fraud on cards used at America’s Thrift Stores.

The company said that the U.S. Secret Service is investigating the breach.

The store chain has over 1,000 employees and turns donated items into revenue for its non-profit partners and their causes. It is estimated to pay out over $4 million annually to those partners.

This store chain is not the only charity organization whose systems have been targeted by cyber criminals.

Last year, a system that processed payments for twenty Goodwill Industries International members, representing roughly 10 percent of all stores, was breached.

Its investigation revealed that the attackers had access to the third-party vendor’s systems for a year and a half, and used point-of-sale (PoS) malware to steal data that they then used for fraudulent purchases.

In these breaches the problem does not lie with the operating system; the biggest problems have to do with the various levels of access granted to third-party businesses. Organizations fail to protect that access, and that is what makes these breaches possible and damaging.

The breach of America’s Thrift Stores may be a repeat of the recent Target breach. Using weak passwords across the gamut of critical systems leads to such hacks. The Target breach should have been a huge wake-up call for businesses everywhere to adapt and evolve their IT security practices.

Danske bank fixes several vulnerabilities that could allow hackers to get into bank accounts

Most of us prefer to keep money in our bank accounts rather than at home, because we believe banks are safer than our homes. But you may well panic once you read a blog post by Sijmen Ruwhof, freelance IT security consultant and ethical hacker.

He published a write-up entitled “How I could hack internet bank accounts of Danish largest bank in a few minutes” in which he revealed that a hacker could easily get into the website of Danske Bank, one of the largest banks in Denmark, and gain access to users’ accounts.

His in-depth technical post explains the extent to which Danske Bank is vulnerable to hacking.

He discovered the vulnerability in August, when he became intrigued by the idea of testing the bank’s security while talking with a group of Danish hackers at the Chaos Communication Camp (CCC) near Berlin.

During those conversations, security experts and white-hat hackers expressed disappointment with the poor security implementations adopted by many Danish banks.

“I opened up Danske Bank’s website and was curious to see what the HTML code looked like, so I opened the code of the customer login screen of the banking environment. I strolled through the code to get a grasp of the technology used,” the security researcher wrote in the blog.

Then he saw JavaScript comments that seemed to contain internal server information. Not just a few variables, but quite a lot of confidential data.

“It was in URL encoded format, so I decoded it right away, really wondering what kind of secrets it contained,” he added. “I was shocked. Is this happening for real? In less than a minute on their web site, this is just the HTML code of the login screen, one of the most visited pages of Danske Bank’s web site.”

The researcher said that he could see the IP address of a probable customer in the variable HTTP_CLIENTIP while visiting Danske Bank’s website. Similarly, HTTP_USER_AGENT contained operating system and web browser details.

He warned that the variable HTTP_COOKIE was visible and full of information; a customer’s credentials could be hijacked in very little time.

According to the researcher, Danske Bank did not use a secure HTTPS connection to transport customer banking traffic, as the variable HTTPS was OFF and SERVER_PORT carried the value 80. The bank was still using COBOL code on its backend for CICS (Customer Information Control System) and database handling.

The good news is that the bank patched all the vulnerabilities, though only after the researcher had published his findings on his blog.
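As an added defensive example (not code from the researcher or the bank), the following Python script scans a page’s HTML and JavaScript comments for URL-encoded server variables like the ones named above and reports what they expose; the sample page, the variable list and the assessment rules are constructed for illustration.

```python
import re
from urllib.parse import unquote

# CGI-style server variables that should never appear in client-visible
# markup; the first five are the names reported in the Danske Bank post.
SENSITIVE_VARS = {"HTTP_CLIENTIP", "HTTP_USER_AGENT", "HTTP_COOKIE",
                  "HTTPS", "SERVER_PORT", "REMOTE_ADDR", "SERVER_NAME"}

# NAME=value or NAME:value pairs inside a decoded comment body.
PAIR_RE = re.compile(r"([A-Z][A-Z0-9_]{2,})\s*[=:]\s*([^&;\s\"']*)")

# Constructed sample page: a debug dump left in an HTML comment, URL-encoded
# the way the post describes (hypothetical, not the bank's real markup).
SAMPLE_HTML = """<html><body>
<!-- debug: HTTP_CLIENTIP%3D203.0.113.5%26HTTP_USER_AGENT%3DMozilla%2F5.0%26HTTP_COOKIE%3DSESSIONID%3Dabc123%26HTTPS%3DOFF%26SERVER_PORT%3D80 -->
<form action="/login">...</form></body></html>"""

def extract_comments(html: str) -> list[str]:
    """Return the bodies of HTML comments and JavaScript block/line comments."""
    comments = re.findall(r"<!--(.*?)-->", html, re.S)
    comments += re.findall(r"/\*(.*?)\*/", html, re.S)
    comments += re.findall(r"^[ \t]*//(.*)$", html, re.M)
    return comments

def find_leaked_vars(html: str) -> dict[str, str]:
    """Map each sensitive server variable found in a comment to its decoded value."""
    leaks = {}
    for comment in extract_comments(html):
        decoded = unquote(comment)  # the post says the dump was URL-encoded
        for name, value in PAIR_RE.findall(decoded):
            if name in SENSITIVE_VARS:
                leaks[name] = value
    return leaks

def assess(leaks: dict[str, str]) -> list[str]:
    """Turn leaked variables into the findings a reviewer would report."""
    findings = []
    if "HTTP_COOKIE" in leaks:
        findings.append("visitor's session cookie exposed in page source")
    if leaks.get("HTTPS", "").upper() == "OFF" or leaks.get("SERVER_PORT") == "80":
        findings.append("login page served over plain HTTP (HTTPS off / port 80)")
    for name in ("HTTP_CLIENTIP", "HTTP_USER_AGENT"):
        if name in leaks:
            findings.append(f"{name} reveals visitor details")
    return findings

if __name__ == "__main__":
    for finding in assess(find_leaked_vars(SAMPLE_HTML)):
        print("FINDING:", finding)
```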

Negligence of Experian puts T mobile’s 15 million records at stake

John Legere, CEO of T-Mobile, the third biggest mobile company in the U.S., is angry again, and for a very obvious reason: this time the highly personal records of some 15 million users have been leaked through Experian, one of the largest credit agency data brokers in the world.

The exposed information included customers’ names, addresses, Social Security numbers, and driver’s license and passport numbers. The license and passport numbers were in an encrypted field, but Experian said that the encryption may also have been compromised.

The massive security breach was first discovered on September 15, 2015, and impacted customers who registered for T-Mobile between September 01, 2013 and September 16, 2015.

Legere broke the sad news in a post on the company's website that displayed his frustration over the incident.

The post read as below:
“Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian."

Experian took immediate action upon finding the breach. It secured the server, initiated a comprehensive investigation and notified U.S. and international law enforcement.

In the now-standard manner in which companies react to a breach, Experian is offering those impacted by the break-in two years of free credit monitoring and identity theft resolution services.

There have been a series of high-profile hacks of businesses and other organisations in recent years impacting millions and sometimes tens of millions of records, including adultery website Ashley Madison, Sony Pictures, and retailers such as Home Depot, Target, and eBay.

The theft of personnel records from the U.S. government this year, a 2014 breach at JPMorgan Chase and a 2013 attack on Target Corp's cash register systems were among them.

The irony is that a company that handles the personal information of many Americans was not able to protect the information of customers who applied for T-Mobile services.
It is the second massive breach linked to Experian.

A 2012 attack on a subsidiary of the company exposed the Social Security numbers of 200 million Americans and prompted an investigation by at least four states, including Connecticut.
Though the security breach will adversely affect both companies, T-Mobile is trying to put all the blame on Experian.
One of its FAQ entries reads:

“Experian has taken full responsibility for the theft of data from its server.”
Both companies have made it clear that no credit card or banking data was exposed. Yet the hoard of T-Mobile customer data can still be used to assemble profiles for identity theft.

If consumers can’t pressure data aggregators like Experian into securing their secrets, perhaps the consumer-facing companies who collect that information can.

Will 'GreenDispenser' Take off with all your Money?

ATM malware is no myth in the cyber world, and this time is no different from earlier ones. A team of security researchers from Proofpoint has unveiled a new malware, named GreenDispenser, that gives hackers the capability to attack compromised ATMs and drain all of their cash.

This malware works on the basic principle of a primitive DDoS action: the machine displays an 'out of service' message on the screen, but in the meantime the attacker can open the bank vault with the correct PIN, looting a lot of money with no trace of robbery at all.

Such activity was first reported in Mexico, and similar abuses have been reported in other countries since. GreenDispenser, unlike its predecessors Ploutus and Tyupkin, requires no physical access for installation and hence makes it easier for the hacker to break into the machine and subsequently the server.

It is suspected that cyber criminal bosses now have a mobile app that provides two-step authentication and acts as an authorisation gate for malware such as GreenDispenser itself.

Proofpoint, in another post, explained this mechanism; an extract is given below:
GreenDispenser employs authentication using a static hardcoded PIN, followed by a second layer of authentication using a dynamic PIN, which is unique for each run of the malware. The attacker derives this second PIN from a QR code displayed on the screen of the infected ATM. We suspect that the attacker has an application that can run on a mobile phone with functionality to scan the barcode and derive the second PIN – a two-factor authentication of sorts.

This malware is evolving over time, making ATMs more vulnerable. With ATMs as the primary target, the threat extends to the financial institutions behind them. Thus, the security of credit and debit card credentials should also be enhanced accordingly. The question arises: how long will it take to completely secure the parameters?