Ukrainian CyberPolice arrest the Hacker accused of spreading "Petya.A" virus



Ukrainian cyber police officers have arrested a 51-year-old resident of Nikopol (Dnipropetrovsk region, Ukraine) who is suspected of spreading the "Petya.A" computer virus.

Petya is ransomware that infects the Master Boot Record (MBR). If the malware successfully infects the MBR, it encrypts the whole hard drive; otherwise, it encrypts all files.

According to the local news report, the suspect published an online tutorial video explaining how to use the "Petya.A" malware to infect victims' computers. In the comments section, he also shared a link to a social network account on which he had uploaded and distributed the malware.

The police conducted a search at the suspect's residence. They seized his computer equipment and found malicious software similar to "Petya.A".

The malware is said to have infected more than 400 computers. A number of companies also intentionally used this virus to conceal criminal activity and to evade payment of penalties to the state.

In June 2017, ESET reported that a large number of infections had occurred in Ukraine. The affected Ukrainian industries include the financial and energy sectors.

- Christina

Russia to create a National Internet filtering system that allows only WhiteListed sites


By 2020 Russia will launch a national web-filtering system intended to protect children from negative and dangerous content.

Denis Davydov, the head of the Secure Internet League, said that there are two versions of the project:

1. Traffic filtering in educational institutions.

2. Traffic filtering by default for all users.

With the second option, users will still be able to access unfiltered content if they submit a written request to their provider or untick the checkbox in their account settings.

The Secure Internet League currently maintains a "white list" of websites with more than 1 million resources.

Igor Ashmanov, an IT businessman, thinks that the idea of website "white lists" is not viable. According to the expert, a system of "smart" operational filtering that blocks prohibited content is what is important and necessary.

"We support the idea of restricting children's access to unwanted content and have been working in this direction for a long time," said Julia Dorokhina, the official representative of "MegaFon".

- Christina

Telegram founder agrees to register in Russia but won't share user data



Telegram founder Pavel Durov has agreed to register the company in Russia after pressure from the local authorities.

A few days ago, the Russian communications regulator Roskomnadzor demanded that Telegram provide information about the messaging app and company details. The authorities also said the encrypted messaging app is being used by terrorists to plan attacks.

The authorities asked for access to decrypt messages in order to catch terrorists, and threatened to ban Telegram if the company failed to comply.

At first, Durov did not agree to the demands. Now he has agreed to register the company with the Russian government.

"If Telegram is banned in Russia, it will not be because we refused to provide details about our company," Durov said on the social network VK.

Roman Jelud, a professor at Voronezh State University, told Regnum that the news about the "Telegram ban" is itself a PR stunt that will only help Telegram gain more users. A few days earlier, Roman had said that Durov was using this for his own PR and would eventually agree to provide the required five points of information.

Although Durov says that they are only registering the company in Russia and will not share users' secret data with the government, it will be hard to know whether that is true.

Russia is not the only government interested in the Telegram messenger. Last week, Durov stated that US federal officers wanted to add a backdoor to the app.

- Christina

Security Vulnerability in McDonald's India allows hackers to access Customer data

 
If you are in India and have ordered a burger from McDonald's, your personal details are at risk.

Security researchers from Fallible found a serious vulnerability in the McDonald's India application that allows hackers to access the data of millions of customers.

There is no authentication or authorization check in the API used by the application. Sending a request to "http://services.mcdelivery.co.in/ProcessUser.svc/GetUserProfile" with a customer id in the header returns that customer's details.

The customer id is a sequential number, so all an attacker needs to do is write a script that increments the number to dump all customer data.
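As an added illustration, not code from the article or from Fallible or McDonald's, the snippet below contrasts a profile lookup that trusts a client-supplied customer id, the pattern described above, with one that authenticates the caller and only returns the caller's own record. The customer records, session tokens, header names and helper functions are all constructed for the example.

```python
import hmac
import secrets

# Constructed sample data for the example (not real customer data).
CUSTOMERS = {
    "u_7f3a9c": {"name": "Asha Rao", "phone": "+91-9000000001"},
    "u_b21e4d": {"name": "Ravi Menon", "phone": "+91-9000000002"},
}

# Constructed session store: bearer token -> customer id it was issued for.
SESSIONS = {
    "tok-asha": "u_7f3a9c",
    "tok-ravi": "u_b21e4d",
}


def get_user_profile_vulnerable(headers):
    """The pattern described in the article: the customer id from the request
    header is trusted as-is, with no check of who is asking."""
    return CUSTOMERS.get(headers.get("customer-id"))


def _authenticate(token):
    """Map a bearer token to its customer id. Every known token is compared in
    constant time so that lookup timing reveals nothing about valid tokens."""
    subject = None
    for known, customer_id in SESSIONS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            subject = customer_id
    return subject


def get_user_profile_hardened(headers):
    """Authenticate first, then authorize: the profile returned is always the
    authenticated caller's own, and a mismatching customer id is refused."""
    subject = _authenticate(headers.get("authorization", ""))
    if subject is None:
        return {"status": 401, "error": "unauthorized"}
    requested = headers.get("customer-id", subject)
    if requested != subject:
        return {"status": 403, "error": "forbidden"}
    return CUSTOMERS[subject]


def new_customer_id():
    """Opaque random ids remove the sequential numbering that made bulk
    enumeration cheap; the authorization check above remains the real fix."""
    return "u_" + secrets.token_hex(3)
```

The authorization check is the control that matters: random ids only raise the cost of guessing, while the hardened handler makes the supplied id irrelevant to what is returned.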

"The lack of strong data protection and privacy laws or penalties in India, unlike the European Union, United States or Singapore, has led to companies ignoring user data protection," the researchers said.

"We have in the past discovered more than 50 instances of data leaks in several Indian organizations," the researchers said.

The vulnerability allows attackers to obtain customers' names, addresses, email addresses, phone numbers, dates of birth, GPS coordinates and social profile details.

The researchers reported the issue to McDelivery on 4 February 2017. A few days later (13 February), they received an acknowledgement from the McDelivery IT manager. From 7 March, Fallible tried to contact McDelivery to learn the status, but received no response. At the time of writing, the bug is still not fixed.

In January 2017, researcher Tijme Gommers found two critical bugs in McDonald's: an insecure cryptographic storage vulnerability and an XSS.

Are enough safeguards built within BHIM?

About BHIM:
BHIM (Bharat Interface for Money - Bhim App) is a Mobile App developed by National Payments Corporation of India (NPCI), based on the Unified Payment Interface (UPI). It was launched by Narendra Modi, the Prime Minister of India, at a Digi Dhan programme at Talkatora Stadium in New Delhi on 30 December 2016. (source:Wikipedia)

Issues:

The BHIM application has an option to create a payment address (Virtual ID). It auto-suggests the person's name plus a suffix value, since many typical Indian names are already taken.


For example, if a person called Vijay Kumar R tries to create a personal payment address, he will be suggested "vijaykumarr". This is the primary identifier, and during a transfer the app does no further checking. A simple mistake in the name might cause a catastrophe for the sender.

If a person mistakenly types "vijaykumart" (instead of "vijaykumarr"), the application will show a proper full name such as "Vijay Kumar", and it is highly probable that the person will send the money to the wrong recipient because the name matches. Since BHIM is mostly targeted at "new adopters", largely from rural locations, they may not be able to spot the difference or notice a mistake in what they are typing.

The application should ask for a secondary detail about the recipient (e.g. mobile number, bank name), cross-check it against the database and only process the transfer if the details match.

NEFT and IMPS, by contrast, have multi-layer verification: even if the user gives wrong input, the amount is not sent if any of the details are incorrect.


                         BHIM   NEFT/IMPS
Checks Full Name         No     Yes
Checks Bank Address      No     Yes
Checks Account Number    No     Yes
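As an added example, not part of the original post and not the BHIM app's own code, the snippet below models the secondary-detail cross-check recommended above. The payment address directory, names and numbers are constructed to reproduce the "vijaykumart"/"vijaykumarr" typo scenario, and `resolve_name` stands in for the name-only lookup the app performs today.

```python
import re

# Constructed UPI-style directory: payment address -> registered details.
# The two near-identical addresses reproduce the typo scenario above.
DIRECTORY = {
    "vijaykumarr": {"name": "Vijay Kumar", "mobile": "9100000001", "bank": "Bank A"},
    "vijaykumart": {"name": "Vijay Kumar", "mobile": "9100000002", "bank": "Bank B"},
}


def resolve_name(address):
    """What the app shows today: only the display name behind an address."""
    entry = DIRECTORY.get(address.strip().lower())
    return entry["name"] if entry else None


def _normalize(field, value):
    """Compare mobile numbers digit-by-digit and bank names case-insensitively,
    so formatting differences in the sender's input do not cause false rejections."""
    if field == "mobile":
        digits = re.sub(r"\D", "", value)
        return digits[-10:]  # drop a country code, keep the 10-digit number
    return value.strip().lower()


def transfer(address, amount, mobile=None, bank=None):
    """Process a transfer only if the address exists and every secondary detail
    the sender supplies matches the registered record; a name match alone is
    not enough, which is exactly the gap in the typo scenario."""
    entry = DIRECTORY.get(address.strip().lower())
    if entry is None:
        return {"status": "rejected", "reason": "unknown payment address"}
    supplied = {k: v for k, v in {"mobile": mobile, "bank": bank}.items() if v}
    if not supplied:
        return {"status": "rejected", "reason": "secondary detail required"}
    for field, value in supplied.items():
        if _normalize(field, value) != _normalize(field, entry[field]):
            return {"status": "rejected", "reason": f"{field} does not match"}
    return {"status": "sent", "to": address, "name": entry["name"], "amount": amount}
```

With the typo, `resolve_name("vijaykumart")` still displays "Vijay Kumar", which is what misleads the sender; `transfer` with the intended recipient's mobile number rejects the same payment because the registered number behind the wrong address does not match.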

There is an option to refund the money only on the receiver's end; there is no option to raise a complaint on the sender's side. Many banks are unable to recover money that is wrongly sent to another person, and there is no provision in the UPI ecosystem for such cases. How can this be? Why was this not thought about?

The same issue was faced by us when we sent about 9200 to the wrong ID. The bank (Axis) that we used could not get our money back, even though we made a complaint within a few minutes. It was also not possible for us to track who it was sent to and request them to send it back.

We recommend that people stick to the traditional NEFT and IMPS for any high-value transactions, as there is no support in the UPI system for raising issues during transactions.

Making Indian Cyberspace Secure!


At a time when cyber attacks are increasing with every passing day, the Indian government on Tuesday (February 21) launched the Cyber Swachhta Kendra (Botnet Cleaning and Malware Analysis Centre), a desktop and mobile security solution for maintaining a secure cyberspace in the country.

India's IT and Electronics Minister, Ravi Shankar Prasad, through the Indian Computer Emergency Response Team (CERT-In), launched the M-Kavach tool in New Delhi, which offers a comprehensive mobile device security solution for Android devices addressing threats related to mobile phones. The new solution will notify end users, enable cleaning and secure their systems to prevent further infections.

"Launched 'Cyber Swachhta Kendra' (Botnet Cleaning and Malware Analysis Centre), an imp milestone in various initiatives taken on Cyber Security," tweeted Prasad. A botnet is fundamentally an automated program running on computing devices, which can be any IoT or smart device; attacks carried out using botnets include Distributed Denial of Service (DDoS).

* Botnet Cleaning and Malware Analysis Centre (Cyber Swachhta Kendra) -

India has been ranked 3rd in botnet distribution. It is a good move by the Indian government to clean infected computers. CERT-In has chosen an Indian product for this.

Research by CSPF (a non-profit organization) found that the free versions of Malwarebytes and Avast anti-virus are more effective at removing viruses/bots.

The free product chosen by CERT-In also advertises that the botnet cleaning tool is not a replacement for anti-virus. "The vendor is trying to sell his other anti-virus solutions, which is totally unacceptable," according to a US-based anti-virus company.

"Antivirus and botnet cleaners should be constantly maintained. Who is going to do this, CERT-In or the Indian vendor?" asks the US-based anti-virus company.

According to CSPF, "some samples of botnet were missed by this tool"; the tool should have a facility to report malware that it missed.

"Launched USB Pratirodh, which will control the unauthorized usage of removable USB storage media devices like pen drives and external hard drives. Launched App Samvid, to protect desktops by preventing suspicious applications from running," the minister added.

USB Pratirodh is a desktop security solution that controls the usage of removable storage media like pen drives, external hard drives and other USB-supported mass storage devices.

AppSamvid is a desktop solution that protects systems by allowing only genuine, whitelisted applications to be installed. This helps prevent threats from malicious applications.

According to the Cyber Security & Privacy Foundation, "Some of these tools developed by CDAC, including the white listing tool, are far more complex than a normal user can understand. The white listing tool does not detect .msi files and other extensions."
Executable blocking/allowing has to be done manually. Most end users don't understand white listing; they don't know what to allow or block when there is an issue, and users should not end up locking their own computers. The auto white listing available in some well-known anti-virus products should be included.
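Added example, not CDAC's AppSamvid code: a minimal allow-list that gates installers and executables by file hash rather than by file name, so an .msi package is covered exactly like an .exe, together with an "auto white listing" step that records a package an administrator has approved. The gated extension set, file contents and hashes are constructed for the example, and the weaker name-and-extension policy is included only to show the gap the CSPF quote describes.

```python
import hashlib
import os

# Constructed policy: extensions treated as executable content. Gating only
# ".exe" would leave ".msi" installers unchecked, the gap noted above.
GATED_EXTENSIONS = {".exe", ".msi", ".bat", ".ps1"}


def sha256_hex(data):
    """Content hash used as the allow-list key (independent of file name)."""
    return hashlib.sha256(data).hexdigest()


class AllowList:
    """Allow-list keyed on file hashes, so renaming a file changes nothing."""

    def __init__(self, approved_hashes=()):
        self.approved = set(approved_hashes)

    def approve(self, data, approved_by):
        """'Auto white listing' hook: when an administrator installs a package,
        record its hash so later runs are allowed without a manual decision."""
        digest = sha256_hex(data)
        self.approved.add(digest)
        return {"hash": digest, "approved_by": approved_by}

    def decide(self, filename, data):
        """Return 'allow', 'block' or 'ignore' (non-executable file types)."""
        ext = os.path.splitext(filename)[1].lower()
        if ext not in GATED_EXTENSIONS:
            return "ignore"
        return "allow" if sha256_hex(data) in self.approved else "block"


def extension_only_policy(filename, approved_names):
    """The weaker policy: decides by name, and only for .exe files, so an .msi
    package is never examined at all."""
    ext = os.path.splitext(filename)[1].lower()
    if ext != ".exe":
        return "ignore"
    return "allow" if os.path.basename(filename).lower() in approved_names else "block"


# Constructed sample files (byte strings stand in for real binaries).
VENDOR_INSTALLER = b"constructed vendor installer bytes"
UNKNOWN_PACKAGE = b"constructed unknown package bytes"
```

Because the decision is keyed on content, the same approved installer is allowed whether it is named `setup.msi` or renamed to `.exe`, while an unknown `.msi` is blocked instead of silently ignored.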
 
The reason cyber security is an issue for the common man is that the common man does not understand anything technical. "If using the tool is more complex than the actual problem, how are we going to solve the problem?" says a college student.

He also suggests that "a video should be released by CDAC showing what the tool is about and how to install and run it" in multiple languages.

During the launch, Prasad said that 13 banks and Internet service providers are presently using this government facility, and that the government will coordinate with other ISPs and product/anti-virus companies to spread its usage for a safer online space.

Prasad said that this Kendra will also enhance awareness among citizens regarding botnet and malware infection along with measures to be taken to secure their devices.

The minister also announced that the National Cyber Coordination Centre will be operational by June 2017 and that CERT-In units will be set up at the state level as well.

"The government will set up 10 more STQC (Standardization Testing and Quality Certification) testing Facilities. Testing fee for any start-up that comes up with a digital technology in the quest of cyber security will be reduced by 50 per cent. We will also empower designated forensic labs to work as the certified authority to establish cyber crime," Prasad noted.

The move comes at a time when over 50,300 cyber-security incidents like phishing, website intrusions and defacements, virus and DDoS attacks have been observed in the country during 2016.

As per the information reported to and tracked by CERT-In, a total number of 44,679, 49,455 and 50,362 cyber-security incidents were observed during the years 2014, 2015 and 2016, respectively.

The Cyber Swachhta Kendra is part of the government of India’s Digital India initiative under the Ministry of Electronics and Information Technology (MeitY). The Cyber Swachhta Kendra complies with the objectives of the National Cyber Security Policy which aims at creating a secure cyber Eco-system in the country.

The botnet and malware cleaning analysis centre was announced in 2015 with an outlay of Rs. 100 crores.

Industry experts wonder how the 100 crore outlay will be used: for building anti-virus/botnet cleaning software, honeypots to track bots, or taking down botnets.

The threat to cyber security has become more serious and visible in the past few years in the country. There is a need to collaborate and come forward with more solutions like the Cyber Swachhta Kendra. It was a much-needed move by the government, but it should be effective and not just another public relations exercise.

You can download the tools from here:
http://www.cyberswachhtakendra.gov.in/security-tools.html

Indians Behind supplying cyber weapons to Islamic Republic of Mauritania

After Edward Snowden's revelations about the National Security Agency (NSA), every country rushed to expand its spying. An Indian coder, Manish Kumar, promised the President of Mauritania to help build a mini-NSA-like electronic spying apparatus.

Kumar, who owns a spying company, Wolf Intelligence, met Ahmed Bah dit Hmeida, an official with the innocuous-sounding title of counselor to the president, and made a deal to develop sophisticated technology. The total contract was worth $2.5 million, and Mauritania transferred half a million dollars into the BVI account of Wolf Intelligence (Manish Kumar) as a down payment.

Mauritania is perhaps one of the few countries in the world where slavery still exists, and it is known for spying on journalists, activists and political opponents. Since 1960, it has seen 10 coups.



Mauritania expected Wolf to develop software that would allow it to attack and spy on multiple targets at a time over a large network, mainly a nationwide mobile phone provider. Wolf's promotional literature promised a silent SMS attack technique that allows full control of someone's smartphone without requiring the target to click on a link or otherwise interact. Mauritania's targets are individuals accused of terrorism, but occasionally they are journalists or protesters, too.

For this, Wolf needed a special team of coders capable of circumventing security measures on Apple smartphones. Kumar knew that hackers in Israel had developed such a capability, but it cost $1 million, which would only be possible once Mauritania delivered its next payment.

Bah had warned Kumar that if Wolf's system wasn't fully functional by the end of the visit, neither Kumar nor the technician he had brought with him would be leaving the country. Unsure whether Bah was serious, Kumar joked that he would need a vegetarian meal in jail.

“One small mistake and everything’s gone—money, life, everything”

Kumar tried his best to explain that he didn't have the silent SMS exploit yet, but Bah didn't believe him. Bah then prevented Kumar and his colleague Nafees Ahmed from leaving Mauritania, but Kumar managed to fly to Europe.

According to Kumar, Mauritania agreed to pay the remaining balance of $2 million if he would send someone to the country until the software was operational.

An Israeli acquaintance helped  Kumar by putting him in touch with Tel Aviv-based exploit broker named David “Dudi” Sternberg, who said he could provide what Kumar needed.

The deal did not go through, and Kumar could not deliver the exploit. He had Nafees Ahmed leave the country claiming he was sick, and replaced him with an Italian bodyguard, Cristian Provvisionato, fooling the officials into believing that he was part of the company. Provvisionato had only been hired to come to the country as a bodyguard and was not told what he was getting himself into. Finally Kumar escaped the country, leaving Provvisionato behind. The officials arrested Provvisionato and charged him with cheating the government; he has been in jail for the last 14 months, whereas Kumar and Ahmed roam free. They have completely abandoned him.

Key points:

- Cyber weapons are banned from sale. The Islamic Republic of Mauritania has a poor human rights record and slavery still exists there; these tools will be misused.
- Wolf Intelligence is registered in Germany (Munich); its CEO is a Swiss national named Martin Wyss. The German and Swiss governments should introspect on whether their soil is being used for selling cyber surveillance/weapon technology to the Islamic Republic of Mauritania.
- The US Wassenaar Arrangement rules prevent the sale of surveillance/monitoring technology to such countries.
- India should investigate, because both Nafees Ahmed and Manish Kumar are Indian citizens who received 9.75 crore into a BVI shell company. They are Indian citizens with Indian passports (with German visas and German-registered companies). They can be investigated by Income Tax/DRI/CBI for money laundering and moving money to tax havens from the sale of cyber weapons.
- The silent SMS exploit Kumar talks about selling to the Islamic Republic of Mauritania comes from an Israeli exploit broker. It is interesting to observe that Mauritania has severed all diplomatic ties with Israel.
- The imprisonment of the Italian national Cristian Provvisionato due to the actions of Kumar should be investigated.

Original article: https://www.bloomberg.com/news/features/2017-01-18/the-post-snowden-cyber-arms-hustle

DROWN attack risks millions of popular websites

An international team of researchers warned that more than 11 million websites and e-mail services protected by the transport layer security protocol are vulnerable to a new, low-cost attack that decrypts sensitive communications in a few hours.

The cybersecurity experts from universities in Israel, Germany and the US as well as a member of Google's security team found that more than 81,000 of top one million popular websites are vulnerable.
The researchers said many popular sites - including ones belonging to Samsung, Yahoo and a leading Indian bank - appeared to be vulnerable.

The DROWN attack works against TLS-protected communications that rely on the RSA cryptosystem when the server's key is exposed, even indirectly, through the obsolete Secure Sockets Layer version 2 (SSLv2) protocol.

TLS is what allows everyone on the internet to browse the web, use e-mail, shop online and send instant messages without third parties being able to read the communication. DROWN allows attackers to break that encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets or financial data. Under some common scenarios, an attacker can also impersonate a secure website and intercept or change the content the user sees.

While many security experts believed the removal of SSLv2 support from browser and e-mail clients prevented abuse of the legacy protocol, some misconfigured TLS implementations still tacitly support the legacy protocol when an end-user computer specifically requests its use.

Websites, mail servers, and other TLS-dependent services are at risk for this attack, and many popular sites are affected.

In practice, older email servers would be more likely to have this problem than the newer computers typically used to power websites.
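An added example, not the researchers' own scanner or any project's code, showing why a TLS-only web server can still be exposed through the "indirect" path mentioned above: the check walks an inventory of endpoints and flags every host whose RSA key is either offered over SSLv2 directly or shared with an endpoint that is (the typical case being an old mail server using the same certificate key). The inventory, hostnames, ports and key fingerprints are constructed placeholders.

```python
# Constructed inventory of one organisation's TLS/SSL endpoints. 'key_fp' is a
# placeholder fingerprint of the RSA key each endpoint presents; in practice it
# would come from the certificate's public key.
INVENTORY = [
    {"host": "www.example.test", "port": 443, "protocols": {"TLSv1.2"}, "key_fp": "KEY-A"},
    {"host": "mail.example.test", "port": 25, "protocols": {"SSLv2", "TLSv1.0"}, "key_fp": "KEY-A"},
    {"host": "shop.example.test", "port": 443, "protocols": {"TLSv1.2"}, "key_fp": "KEY-B"},
]


def drown_exposed(inventory):
    """Return (endpoint, reason) pairs for every endpoint whose RSA key is
    reachable through SSLv2, directly or via another endpoint using the same key."""
    sslv2_keys = {r["key_fp"] for r in inventory if "SSLv2" in r["protocols"]}
    findings = []
    for r in inventory:
        if r["key_fp"] not in sslv2_keys:
            continue  # key never offered over SSLv2 anywhere: not exposed
        if "SSLv2" in r["protocols"]:
            reason = "accepts SSLv2"
        else:
            sharers = sorted(
                o["host"] for o in inventory
                if o is not r and o["key_fp"] == r["key_fp"] and "SSLv2" in o["protocols"]
            )
            reason = "shares RSA key with SSLv2 endpoint " + ", ".join(sharers)
        findings.append((f"{r['host']}:{r['port']}", reason))
    return findings


def remediation_plan(inventory):
    """Disabling SSLv2 on the offending endpoint is the fix. For a host that is
    only exposed through key sharing, a fresh key also removes the exposure even
    if the legacy host cannot be reconfigured immediately."""
    plan = {}
    for endpoint, reason in drown_exposed(inventory):
        if reason == "accepts SSLv2":
            plan[endpoint] = "disable SSLv2"
        else:
            plan[endpoint] = "rotate RSA key or disable SSLv2 on the sharing host"
    return plan
```

In the constructed inventory the web server never speaks SSLv2 itself, yet it is flagged because the mail server on port 25 offers the same key over SSLv2; the shop server, with its own key, is not.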

In addition, because many of the servers vulnerable to Drown were also affected by a separate bug, a successful attack could be carried out using a home computer.

Though a fix has been issued, it will take time for many website administrators to protect their systems.

The researchers have released a tool that identifies websites that appear to be vulnerable.

The SSLv2 protocol was weakened because, at the time of its creation, the US government wanted to try to restrict the availability of tough encryption standards to other countries.

It has since eased its export limits, but the effects live on.

JD Wetherspoon's website hacked, 650,000 people affected

Hackers breached the website of JD Wetherspoon, a major pub chain operating in the UK and Ireland, in mid-June 2015.

The company sent an email to all its customers last week informing them about the breach; the company itself only learned of the breach on December 1.

According to the company, "the attackers gained access to a customer database linked to the firm's old website, which had been hosted by a third party. At some point after the breach, the website was replaced and taken over by a new service provider that is not connected to the incident."

The compromised database includes the personal details of 656,723 people who signed up for newsletters, registered as Wi-Fi users, bought online vouchers between January 2009 and August 2014, or used the contact form on the company's website.

For customers who bought online vouchers, the last four digits of their payment card numbers had also been accessed, although the company says the website never stored sensitive card information.

JD Wetherspoon says “there is no evidence of fraudulent activity involving the exposed data, but customers have been advised to beware of emails asking for personal and financial information, or ones that instruct recipients to click on links or install software.”


The investigation is ongoing, and the Information Commissioner's Office (ICO) in the UK has been notified.

Security Flaw in VPNs can expose your IP address

Researchers from the virtual private network (VPN) provider Perfect Privacy discovered a gaping hole that can easily expose the real IP address of VPN users.

The flaw, dubbed "Port Fail," affects VPN providers that offer port forwarding and have no protection against IP leaks, including those used by BitTorrent users.

The issue, which affects all VPN protocols and operating systems, was disclosed after several affected competitors were alerted to the threat before it was made public.

For the past several years there has been wider interest in using VPNs to bypass censorship in countries with stringent internet access controls and to gain anonymity while browsing, especially after the Snowden revelations. VPNs are used across the world by privacy-conscious people and to circumvent geolocation-based content restrictions by disguising a person's true location.

The aim of using a VPN is to hide the ISP-assigned IP address, but the discovery showed that this can easily be bypassed on some providers by using a port forwarding trick: if the attacker uses the same VPN as the user, the user's IP address can be exposed.

Perfect Privacy tested the vulnerability with nine VPN providers that offer port forwarding. Among them, five were vulnerable, including Private Internet Access (PIA), Ovpn.to and VPN, which were notified before public disclosure and have fixed the issue.

PIA awarded Perfect Privacy $5,000 for the disclosure.

ATMs of Sparkasse Bank not only give you Money but also Sensitive Information


Security researcher Benjamin Kunz-Mejri discovered that ATMs of the German savings bank Sparkasse can leak sensitive information during software updates.

Mejri, CEO and founder of the Germany-based security firm Vulnerability Lab, was using a Sparkasse ATM when the machine suddenly ejected his card and changed its status to "temporarily not available." The machine then showed details of an update process on the screen, at which point Mejri realised that the terminal had become temporarily unavailable because it was performing a software update.

For this attack, Mejri coined the term “timing attack”.

Software updates are normally conducted in the background, but Mejri discovered that the progress and details of the update process can be made visible by interacting with the device as he did.

The researcher found that a lot of sensitive data, such as the bank's main system and branch usernames, serial numbers, firewall settings, network information, device IDs, ATM settings and two system passwords, was exposed to attackers.

During the whole process, the card reader remained available and usable for other operations.

The ATM’s keyboard was also not disabled and the attacker could execute system commands via the available command prompt.

The ATMs analysed were manufactured by Wincor Nixdorf, a German company that manufactures, sells, installs and services retail and banking hardware and software. The affected ATMs and self-service terminals were running the Windows 7 and Windows XP operating systems.

According to the experts, a large-scale attack could be coordinated by a criminal ring because of this vulnerability. An attacker with physical access to the bank network could use the information disclosed during the update process to run a man-in-the-middle (MitM) attack on the targeted bank's local network.

The attacker could push a bogus update to reconfigure the ATMs.

The attacker could conduct fraudulent transactions by forcing the ATM to crash and corrupting the logging or debugging mechanism.

If fraudsters can determine the time and date of update schedules, they can conduct a larger, coordinated attack targeting multiple ATMs and self-service terminals as it takes 17 minutes to record all the information displayed on the screen.

There is a possibility that apart from Sparkasse, other banks who use Wincor Nixdorf ATMs and self-service terminals might also be affected.

The bank has already pushed out updates that fix the issue to a limited number of ATMs in German city of Kassel as a pilot project. The update will be installed in other regions after the test of new configuration becomes successful.

It is the first time that a German bank has admitted a security vulnerability in an ATM and rewarded the researcher with an undisclosed amount of money.

Just last week, Berlin police announced that they were looking for a man who illegally withdrew cash from two ATMs using a USB stick that he connected to the devices after unscrewing their front panels.

Zerodium offers $1 million for iOS 9 jailbreak


A time has come when companies are offering money to hackers who can provide a way of infecting individuals' iPhones and iPads.

Zerodium, a company that acquires exploits, has announced that it will pay $1 million USD to those who can provide a good enough iOS 9 jailbreak.

The company launched "The Million Dollar iOS 9 Bug Bounty" program, which aims to buy an "exclusive, browser-based, and untethered jailbreak" for Apple's latest mobile operating system.

The company explained the reason behind the program in a blog, “Apple iOS, like all operating system, is often affected by critical security vulnerabilities, however due to the increasing number of security improvements and the effectiveness of exploit mitigations in place, Apple's iOS is currently the most secure mobile OS. But don't be fooled, secure does not mean unbreakable, it just means that iOS has currently the highest cost and complexity of vulnerability exploitation and here's where the Million Dollar iOS 9 Bug Bounty comes into play.”

According to the post, the Million Dollar iOS 9 Bug Bounty is tailored for experienced security researchers, reverse engineers, and jailbreak developers, and is an offer made by ZERODIUM to pay out a total of three million U.S. dollars ($3,000,000.00) in rewards for iOS exploits/jailbreaks.

“ZERODIUM will pay out one million U.S. dollars ($1,000,000.00) to each individual or team who creates and submits to ZERODIUM an exclusive, browser-based, and untethered jailbreak for the latest Apple iOS 9 operating system and devices,” the company added.

The company has set out some rules that a hacker needs to follow: the jailbreak must be reliable, silent, and must not require any action by the user other than visiting a web page or reading a text/MMS message. It must also work on a wide range of Apple hardware, including the iPhone 6S and 6S Plus. The pair of phones does not go on sale until September 25, while the bounty program expires on October 31, giving people a little over a month to get their potential exploits working on the new phones.

“Partial or incomplete exploits/jailbreaks will not be eligible for the Million Dollar iOS 9 Bug Bounty. ZERODIUM may, at its sole discretion, make a distinct offer to acquire such partial exploits. All submissions must be made exclusively to ZERODIUM and must include the fully functioning exploit and its source code (if any), and a detailed whitepaper describing all the zero-day vulnerabilities and techniques used in the jailbreak,” the post added.

New Android Ransomware locks Victim's Phone Permanently

Security researchers at ESET have discovered the first malware that could allow an attacker to reset the PIN of anyone’s phone to permanently lock them out of their own device.

“This ransomware also uses a nasty trick to obtain and preserve Device Administrator privileges so as to prevent uninstallation. This is the first case in which we have observed this aggressive method in Android malware,” the researchers said in a blogpost.



The malware, dubbed LockerPin, spreads via an adult entertainment app called Porn Droid. It changes the infected device's lock screen PIN code and leaves victims with a locked screen, demanding a $500 ransom.

Researchers said that there was no effective way to regain access to infected devices without losing personal data. Rebooting the device in Safe Mode, uninstalling the offending application and using Android Debug Bridge (ADB) could not solve the problem.

The only way to unlock the device is to perform a factory reset, which wipes out all the personal data and apps stored on the device.

According to the researchers, because the lock screen PIN is reset randomly, paying the ransom will not give users back access to their device: even the attackers do not know the randomly changed PIN code. This is a novelty among ransomware, which usually does everything possible to unlock the device, up to and including live tech support.

If the ransomware gets installed on a smartphone, the app first tricks the user into granting it device administrator rights by disguising itself as an "Update patch installation" window. After gaining control of the phone, the malicious app changes the user's lock screen PIN code to a randomly generated number. Though the majority of infected devices have been detected in the United States, the researchers have spotted infections worldwide.


To protect your smartphone from this ransomware, the researchers suggest not installing apps from outside the Google Play Store and not granting administrator privileges to apps unless you truly trust them.

Wassenaar Cybersecurity Rules – How India Must Respond


In December 2013, the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (“Wassenaar Arrangement”) extended its reach to the cyber world. The extension seemed to signal a broad attack on export of many categories of cyber security software including commercially available penetration testing and network monitoring products, zero days and other computer exploits. Interestingly, these changes have emerged after media reports of U.S. government purchases of zero day computer exploits or vulnerabilities, i.e., security vulnerabilities previously unknown, by the US National Security Agency (NSA) for use by its hacking team.

Cyber security experts around the world and large companies like Google have raised a banner of revolt against the Wassenaar changes and the U.S. Department of Commerce’s Bureau of Industry and Security (BIS)’s proposals for implementing them. They have expressed serious concerns about the impact of these changes on the discovery of new vulnerabilities that could pose a threat to the internet globally.
If anything, the general impression is that Wassenaar Changes and its implementation by the signatory countries would actually make the internet more dangerous to users around the world. Google has been quoted as saying that the rules “are dangerously broad and vague and would have a significant, negative impact on the open security research community. They would also hamper our ability to defend ourselves, our users and make the Web safer. It would be a disastrous outcome if an export regulation intended to make people more secure resulted in billions of users across the globe becoming persistently less secure."
The fierce criticism and loud, public protest has had a temporary impact. The US Department of Commerce has now committed to drafting new rules to replace/amend the earlier draft.
It would be pertinent to note here that in response to the Wassenaar changes, VUPEN, a well known zero-day exploit firm (and also a supplier of exploits to the NSA), announced its decision to restrict exploit sales to approved government agencies in approved countries only.
So what does all this mean for India? While the Wassenaar Arrangement might have worked in the physical world, will it work in the borderless cyber world? Will a country like Russia, a leading global supplier of cyber security software and tools implement rules to accommodate the Wassenaar changes, especially at a time when it is facing economic headwinds and under sanctions from the US and the EU? It does not seem to be in Russia’s interest at all, given its enormous strengths in the cyber security area and huge market for such products.
But India cannot afford to speculate on which way the wind will blow. The ongoing transformation of India into a Digital Economy implies the need for strong cyber security defences. Imagine a situation where commercial or defence software is found to have vulnerabilities, whether accidental or deliberate, and the country lacks the tools to test for and mitigate them. What if such vulnerabilities are discovered in software used in sectors such as Critical Infrastructure, Public Utilities, Financial Services or Health Information Systems? What if vulnerabilities are found in the SCADA (industrial automation control) systems used by major industries and the energy sector?
Clearly, India needs to build its own cyber security defences and do it fast. Some expertise is available in the country, and needs to be complemented with global talent. 
The Government, leading software companies, defence companies and major users need to invest liberally in funding and supporting talented cyber security professionals. The Government should support some aggression in sourcing relevant tools, technology and talent from wherever required in the world. Israel’s export of cyber security software now exceeds that of physical weapons systems, and there’s a lesson for India here in the form of a Military/Industrial/Cyber Security Professionals complex to meet India’s needs.
As is known, India has faced serious problems in the past with respect to imports of critical technologies in the areas of defence, space and the nuclear sector. In the context of cyber security, we now have advance warning about problems that are around the corner. It makes no sense to run into a wall all over again and as such, a proactive and immediate national response is called for.
Author: Prasanna J, Founder of Cyber Security and Privacy Foundation.

iOS malware steals over 225,000 Apple accounts to create free App Utopia


Researchers from Palo Alto Networks, a computer security firm, have found that hackers targeting jailbroken iPhones have raided more than 225,000 Apple accounts, using them for app-buying sprees or to hold phones for ransom.

Jailbreaking lets iPhone owners install additional tweaks available through the alternative Cydia store, and lets some of them pirate software by installing ripped-off apps for free.

“In cooperation with WeipTech, we have identified 92 samples of a new iOS malware family in the wild. We have analyzed the samples to determine the author’s ultimate goal and have named this malware “KeyRaider”. We believe this to be the largest known Apple account theft caused by malware,” the researchers posted in a blog.

Claud Xiao, a researcher, said that the KeyRaider malware, hidden in jailbreaking utilities, harvests login credentials and device GUIDs from the user's iTunes traffic and siphons them off to remote servers.

"We believe this to be the largest known Apple account theft caused by malware," Xiao said. "The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device.”

He confirmed that the purpose of the attack was to make it possible for users of two iOS jailbreak tweaks to download applications from the official App Store and make in-app purchases without actually paying.

China was reportedly the worst affected, but victims were also reported from 17 other countries, including France, Russia, Japan, the United Kingdom, the United States, Canada, Germany, Australia, Israel, Italy, Spain, Singapore and South Korea.

Similarly, some people said that they were being locked out of phones and forced to pay ransoms.


According to the researchers, the attack was discovered by a Yangzhou University student known as i_82, who worked with Xiao alongside a group. They exploited an SQL injection vulnerability on the attacker's server to learn about the attack, and had siphoned about half of the stolen accounts before the VXer became savvy and locked the white hats out. They have now set up a website for users to check whether they are affected.

Your Android phones can be hacked with a single MMS message

Image Credits: Zimperium
Researchers from Zimperium Mobile Security, a security firm, have discovered a bug dubbed Stagefright in the Android mobile operating system, which they describe as the “worst Android vulnerabilities” to date.

Though Google has patched the problem, millions of devices still need to be updated. The flaw affects nearly a billion devices.

“These issues in Stagefright code critically expose 95% of Android devices, an estimated 950 million devices. Drake’s research, to be presented at Black Hat USA on August 5 and DEF CON 23 on August 7, found multiple remote code execution vulnerabilities that can be exploited using various methods, the worst of which requires no user-interaction,” the company wrote in a blog post.

The flaw can be exploited by sending a photo or video message to a person's smartphone, without any action by the receiver.

“Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS. A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited,” the researchers wrote.

After Stagefright had been invoked, which required no action from the victim, other data and apps on the handset could be accessed by the malicious code.

Once the researchers had discovered the flaw, they reported it to Google, which produced a patch to fix the problem.

According to a BBC report, Google said in a statement that the vulnerability was identified in a laboratory setting on older Android devices, and that as far as it knows, no one has been affected.

"As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we'll be releasing it in open source when the details are made public by the researcher at Black Hat," the report read.

Your life is in the hands of the hackers, they can remotely hijack your Jeep


Image Credits: Wired
When we hear the term ‘hacking’, computers, bank accounts and websites are what come to mind; one barely thinks of hacked vehicles. However, a recent case in which a car was hijacked by hackers has shown that nothing in our lives is out of their reach.

According to a report published on Wired, a zero-day exploit for Chrysler vehicles allows hackers to control everything from the engine to the air-conditioning over the Internet, overriding the driver at the dashboard.

The vulnerable component is the Uconnect software, which manages the vehicle’s entertainment and navigation systems, provides a Wi-Fi hotspot, and allows drivers to make phone calls. Reportedly, anyone who knows the car's IP address can hijack it.

In the report, Andy Greenberg, senior writer, explained that he signed up to be a guinea pig for security researchers Charlie Miller and Chris Valasek. He was strapped into a Jeep and directed to head onto the highway. From 10 miles away, Miller and Valasek proceeded to hack into his car's software, toggling the windshield wipers, blasting the radio, and, eventually, cutting the transmission.

“Immediately my accelerator stopped working. As I frantically pressed the pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed to a crawl. This occurred just as I reached a long overpass, with no shoulder to offer an escape. The experiment had ceased to be fun,” Greenberg said.

After that, the hackers took control of the Jeep’s brakes, and as a result it went into a ditch.

“Miller and Valasek’s full arsenal includes functions that at lower speeds fully kill the engine, abruptly engage the brakes, or disable them altogether. The most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch. The researchers say they’re working on perfecting their steering control—for now they can only hijack the wheel when the Jeep is in reverse. Their hack enables surveillance too: They can track a targeted Jeep’s GPS coordinates, measure its speed, and even drop pins on a map to trace its route,” he explained.

According to the news report, on Tuesday Senators Ed Markey (D-Massachusetts) and Richard Blumenthal (D-Connecticut) announced legislation that would require automobile companies to meet privacy and security measures protecting against cyber attacks.

Miller and Valasek reported the flaw to the company concerned months ago, so that it could be fixed before being disclosed.

Chrysler has released an updated version of the software; however, owners have to manually download it and update their cars themselves via a USB drive.

Credit card data breach at Online Photo service, customers of CVS, Walmart Canada and others affected


Consumer Value Stores (CVS), which is the second largest pharmacy chain after Walgreens in the United States with more than 7,600 stores, has temporarily taken down its online photo center CVSphoto.com after a hacking attack.


“We have been made aware that customer credit card information collected by the independent vendor who manages and hosts CVSPhoto.com may have been compromised,” the company posted on its website’s homepage.


Brian Krebs pointed out on his blog that other companies had already reported a similar data breach and taken down the web pages for their online photo services.

Those online photo services have been maintained by a company called PNI Digital Media.

Companies including Costco, Walmart Canada and Rite Aid displayed a message on their photo sites informing customers about the security breach.

A notice displayed on Rite Aid's photo site says that information including names, addresses, phone numbers, email addresses, photo account passwords and credit card data was affected.

However, Rite Aid said "PNI does not process credit card information on Rite Aid’s behalf and PNI has limited access to this information."

CVS said financial transactions made on its main website, CVS.com, and in-store are not affected.

Disable Java in your browsers, if installed as researchers spotted new Java based Zero-day Exploit


Researchers from Trend Micro have found suspicious URLs hosting a newly discovered zero-day exploit in Java. A zero-day refers to a hole in software that is exploited by hackers before the vendor becomes aware of it.

Brooks Li, a threat analyst and Feike Hacquebord, a senior threat researcher, who spotted this exploit, said that this was the first time in nearly two years that a new Java zero-day vulnerability was reported.

The researchers came to know about this exploit after receiving feedback from their Smart Protection Network.

According to the report, this new Java zero-day exploit is being used in spear-phishing attacks targeting the armed forces of a certain NATO country and a US defence organization.
The zero-day bug affects only the latest Java version, 1.8.0.45, and not the older versions, Java 1.6 and 1.7.
The vulnerability has still not been patched by the company concerned.

According to the report, the URLs hosting the new Java zero-day exploit are similar to the URLs seen in the attack launched by the threat actors behind Pawn Storm, which targeted North Atlantic Treaty Organization (NATO) members and the White House in April 2015.

The researchers have asked users to disable Java in their browsers if it is installed, even where it was installed because some application required it.

An unidentified group stole 400 GB data from Hacking Team


An unidentified group of hackers stole 400 GB worth of confidential data from Hacking Team, a company that describes itself as providing effective, easy-to-use offensive technology to the worldwide law enforcement and intelligence communities.

According to a report published on Welivesecurity, the attack started late at night on July 6. Weak passwords are said to be a possible reason behind the leak.

“Passwords are also contained in the leaked documents, including the login for the company’s official Twitter account which was used by the attackers to publish confidential information. The attackers posted private emails from company employees to Twitter, as well as a link from where anybody can download the 400GB file,” the report read.

The company’s officials came to know about the attack only the next morning.

Christian Pozzi, a security engineer at the company, confirmed the breach on July 7, stating: “We are awake. The people responsible for this will be arrested. We are working with the police at the moment.”

The researchers have suggested that the company's business of developing surveillance tools and selling them to organizations across the world might be the reason it was targeted.

J. Prasanna, Founder of Cyber Security & Privacy Foundation, said Hacking Team has been accused of selling software to hack into people's devices for the last few years. They seem to have supplied countries with dictatorship regimes (where people are targeted by the government).

“Maybe an activist group would have hacked into the servers of hacking team,” opined Prasanna.
“Companies can make such tools, but they should be sold responsibly to democratic regimes, and such monitoring activity should be subject to a court warrant. They should never be sold to countries which commit human rights violations,” he added.

He added that there is always a weak element in security.

“There may have been zero-day vulnerabilities which hackers could have used to exploit,” he said.

Regarding the impact of the attack, Prasanna said that the many countries and governments who dealt with the company and bought this software would be exposed.

“Today, many governments and companies are hungry for information on people/corporations/governments. So they hire hackers or software that does hacking,” Prasanna concluded.