Top secret Saudi documents hacked and released to public

A group of hackers from Yemen have put out a message saying that they have hacked the servers of Saudi Arabia's Interior, Defense and Foreign and gained access to thousands of top secret documents.

"We have gained access to the Saudi Ministry of Foreign Affairs (MOFA) network and have full control over more than 3000 computers and servers, and thousands of users. We also have access to the emails, personal and secret information of hundreds of thousands of their staff and diplomats in different missions around the world," the Yemen Cyber Army (the hackers) said in a statement which has been published on many hacking related websites.

The group has published some of the documents online and have threatened the Saudi government that they would inflict greater damage on them by releasing more documents, archived since the 1980s.

The group has said that it will wipe the servers of the Foreign Ministry of Saudi Arabia at midnight on Wednesday.

The Yemen Cyber Army has been previously known for hacking AlHayat.com.

Bettys Tea Rooms firm’s website hacked


The Bettys Tea Rooms  firm’s website was hacked on Wednesday, affecting more than 120,000 customers.

In a statement released by the company, they apologized, and blamed "industry-wide software weakness" for the data breach.

The hackers gained access to the firm’s website database, and stole the personal details of the customers which includes their names, email addresses, postal addresses, encrypted passwords and telephone numbers.

"We would like to stress that your credit or debit card details have not been copied as this information is stored on a completely separate system managed by a certified third party. Bettys takes customer confidentiality extremely seriously and, whilst customer passwords were encrypted, it is important that you change your password as soon as possible by clicking this link or entering www.bettys.co.uk into your browser," Bettys said.

They also advised their customers to not to respond to any of the phone or email communication regarding their personal and financial information.

"To be clear, Bettys will never contact you and ask you to share any personal financial information," the tea shop chain said.

Gang of old ladies named 'Northern N00bz' is suspected to be behind the data breach. To take revenge for some disservice, they acquired  some coding skills. A full investigation is going on.

Distributed Denial of Service(DDOS) attacks

A well-known Indian security news portal was targeted on May 21st morning by a DDOS attack. 2 hours before the attack the company tweeted "NSA planned to hijack Google App Store and plant malware on all Android Apps" and provided a news link. Whether the DDoS attack and this tweet are connected is an interesting speculation.

But the larger and more critical question is the vulnerability of digital assets. One would naturally assume that they had a robust defensive strategy in place. But, the DDoS attack which has brought down the portal suggests otherwise.

There has been series of hack and DDOS attacks on major corporate, Telecommunication and net banking portals.

“Today the digital assets of a knowledge or service based company has more value than its tangible physical assets. It’s imperative that they think beyond ready made security tools from the market and move towards employing security professionals who can provide customized security audit. “ says J.Prasanna of Cyber Security and Privacy Foundation.

"Even going to the police will be of not much help since these attacks are sophisticated and originate from different geographies. Very few have the forensics capability to make a credible case in a court." says SreeRam, the Police KravMaga instructor who is also part of a singapore based security company.

Both agree that … “with India's increasing clout in world trade and balance of power tilting gradually towards Asia, asymmetric warfare tactics like cyber terrorism will be relied more frequently to dent the credibility of the nation. As on date, India does not seem to have the aggressive posture as a deterrent.”

Telstra reveals security breach in Pacnet's IT network

Australia’s biggest telecoms company Telstra revealed that the corporate IT network of Pacnet, the company acquired by it  on April 16 this year, has been hacked.

This breach came into light shortly after it finished the acquisition of Pacnet Limited, a Singapore and Hong Kong based telecommunications provider that offers data center services to multinational companies and governments in Asia-Pacific Region.


The telecom company cited that the investigations have revealed that a third party had accessed  Pacnet’s corporate network through a SQL vulnerability and led to the hacking of admin and user testimonials.

 “We immediately addressed the security vulnerability that allowed access to the network, removed all known malicious software and put in place additional monitoring and incident response capabilities that we routinely apply to all our networks.”, Mike Burgess, Chief Information Security Officer, Corporate Security and Investigations of Telstra quoted in an announcement.

It was also clarified by Telstra that the Pacnet corporate IT network is not connected to it and there has been no proof of any activity on Telstra’s network.

"We have had no contact from the perpetrators so we don't know the reason behind it or who was involved,”,quoted Burgess.

The telecom company has stated that it will now talk to its customers to make them aware of what has exactly happened in the breach and how is the company responding to it.

FBI investigating e-billboard hacking

The FBI has been called into action after an electronic billboard was hacked on Peachtree road in Atlanta, according to local report.

While driving down the road on Saturday, commuters saw the image of a man exposing himself, on the billboard. One of the drivers was so disgusted that she called 911 to report the matter.

The owner of the billboard cut the power to it as a temporary measure to bring down the image. Security experts told Channel 2 that hacking into electronic billboards is often as easy as learning a password and does not require too much effort.

The FBI is currently looking into all the servers that could have been used to hack the billboard.

EllisLab urges its users to change their password after hack

EllisLab, a software development company, has urged all its users to change their password after hackers managed to gain unauthorized access to its servers on March 24 this year.

According to the company’s statement, in a bid to be safe from the hackers who might have stolen its members’, who are registered at EllisLab, personal information, it has asked people to change their EllisLab.com password.

The company said that the new users can also remove their account from the site. It is must, if anyone has sent his/her password via plaintext email instead of using the company’s secure form.

As the company form encrypts the passwords and removes them after 30 days, it is believed that those encrypted passwords would only be available to the hackers if anyone submitted it after February 24, 2015.

Similarly, if people have used their EllisLab.com’s password on other sites, they should change those too.

The company asked people to change the passwords periodically, and enable two-factor authentication whenever available. It also recommends tools which simplify the creation and use of unique passwords.

It is said that the hackers used a Super Admin’s stolen password to log in to the company’s site. The hacker then uploaded a common PHP backdoor script (a WSO Web Shell variant) that allowed them to control the company’s server. 

The company wrote that the Nexcess hosting prevented the "privilege escalation" attempt.  After getting alerts about the malicious activity, the unauthorized access had been shut down at the firewall level.

The company also thanks the Nexcess for their alertness and speed on their blog post.
Then the officials started dissecting the server logs to retrace hacker’s steps and learn how they got the access. They wrote that they had gone through all their files to remove what they added. 

The attackers had access to the server for three hours. Although the evidence does not show any stealing the database, the company prefers to be cautious and assume the hackers had access to everything.

After hack, Costa Coffee temporarily disabled its online Club Card accounts

 
Photo Courtesy: Costa Coffee website.

Costa Coffee, which runs a chain of coffee shop, has removed the ability to access Coffee Club Card accounts online after an unusual activity detected on its Coffee Club card’s members accounts.

Costa Coffee informed its Coffee Club Card members via E-mail that its loyalty scheme, under which people get 5 p of credit for spending every pound in the store and unlimited free Wi-Fi, got hacked.

It said that unusual activity was noticed on about 1 in every 5000 accounts (0.02%).

According to the E-mail, Costa Coffee had conducted a full security review and temporarily disabled its online Club Card account. As a result, people cannot change their password as of now.

The E-mail said that the company has already contacted those customers whose accounts have been affected. Along with that, the officials are resetting account passwords of every Coffee Club member as an additional precaution.

The account password will be reset in the next few days. They will confirm via email once the procedure gets completed.

Moreover, Costa Coffee is all set to introduce a new format for password to further optimise security and protect public Coffee Club points.

The E-mail said, “We apologise for any inconvenience this causes but it’s very important to us that your points and registration details remain safe. We thank you for your patience.”

While opening an account on Costa Coffee Club, it will ask for name, email, birthday, phone number, physical address and password.

The officials suggested that the password must be between 8 and 15 characters and include at least 1 uppercase letter, 1 lowercase letter, and 1 number. They suggested that people should avoid common words while choosing passwords.

SendGrid urges its customers to change their password

SendGrid, an email service used by billions of companies, including Bitcoin exchange Coinbase, has urged its customers to change their passwords after attackers compromised one of its employee’s account in order to steal the usernames, email addresses and (hashed) passwords of customer and employee accounts.

Moreover, it has asked people to take advantage of multi-factor authentication offering, provided by the company, to ensure safety.

SendGrid said it is adding more authentication methods for its two-factor security. It is working to expedite the release of API keys, which will allow the customers to use keys instead of passwords while sending emails.

The company announced about the hacking case several weeks after it made sure that only one account was hacked.

According to a report of The New York Times on April 9, Coinbase had its Sendgrid credentials compromised. The hackers were using the access to launch phishing attacks against Bitcoin’s businesses.

“The story has now been updated in order to show that a single SendGrid customer account was compromised,” SendGrid wrote on a blog post.

According to David Campbell, SendGrid’s chief security officer, the company carried out investigation collaborating with law enforcement and FireEye’s (Mandiant) Incident Response Team. They got to know about a SendGrid employee whose account had been compromised by a cyber criminal and was used to access several of the company’s internal systems on three separate dates in February and March 2015.

He added that these systems contained usernames, email addresses, and passwords for SendGrid customer and employee accounts. The investigation suggested that the cyber criminal accessed servers that contained some of their customers’ recipient email lists/addresses and customer contact information.

“We have not found any forensic evidence that customer lists or customer contact information was stolen. However, we are implementing a system-wide password reset as a precaution. Because SendGrid does not store customer payment cards and we know that payment card information was not involved,” he wrote on the blog post.

As SendGrid manages emails of thousands of companies, including some big brand names, like Pinterest, Spotify and Uber, it has become a major target of spammers.

Millions of ID’s and Password’s stolen to access online shopping website

The Metropolitan Police Department have found  IDs and passwords of 5.06 million people on computer servers, that it seized in connection with unauthorized access through proxy server by a Chinese group,reports the Japan news.

While investigating MPD found that Chinese fraud group obtained the personal information of about 60,000 people was used to log into online shopping sites. The server contained three kinds of hacking tools.

The proxy servers contains the computer code that automatically attempts unauthorized access to online shopping sites to check whether the IDs and passwords can be used.

There has been no report of financial damage from the illegal use of the IDs and passwords, they  have asked the companies to check whether there is any purchases were made using stolen user information.

A LINE official said: “It is greatly regrettable that our customer information was leaked illegally and could be used inappropriately. We'd like to implement safety measures and make efforts to improve our services.”

Pro-ISIS hackers targeting vulnerable WordPress websites, FBI warns

The Federal Bureau of Investigation (FBI) has issued a public service announcement concerning the continuous WordPress website attacks, which are being carried out by individuals sympathetic to the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and al-Shams (ISIS) through a vulnerability in the WordPress content management system.

According to the researchers, an attacker could install malicious software; manipulate data; or create new accounts with full user privileges by  exploiting the vulnerabilities resulting in an attacker gaining unauthorized access, injecting scripts, bypassing security restrictions, and stealing cookies from computer systems or network servers.

The attackers didn’t targeted Web sites by name or business type. They used common WordPress plug-in vulnerabilities, which can be easily exploited by common hacking tools.

These are the following steps recommended by FBI, if your web
site has been targeted.

1)Review and follow WordPress guidelines:
 http://codex.wordpress.org/Hardening_WordPress

2)Identify WordPress vulnerabilities using free available tools such as
 http://www.securityfocus.com/bid
 http://cve.mitre.org/index.html
  https://www.us-cert.gov/

3)Update WordPress by patching vulnerable plugins:
  https://wordpress.org/plugins/tags/patch

4)Run all software as a non-privileged user, without administrative privileges, to diminish the effects of a successful attack

5)Confirm that the operating system and all applications are running the most updated versions

Personal data exposed as Linux Australia server hacked


Linux Australia, an organization of open-source and free software user group, revealed that one of their server was hacked. The personal details of conference attendees might have been accessed.

According to the organization only the personal data including the names, street, phone numbers and email addresses of delegates for Linux Australia conferences and PyCon have been exposed in a server breach. No financial data have been exposed because they use a third party payment system.

A server had been attacked on March 22, but the Linux Australia discovered the breach on March 24,after conference management software Zookeepr started sending a large number of error reporting emails.

The hackers utilized an unknown vulnerability to trigger a remote buffer overflow and obtain full control of the server hosting the information by installing  a remote access tool and then botnet command and control software.

Joshua Hesketh, Linux Australia’s president wrote “It is the assessment of Linux Australia that the individual utilised a currently unknown vulnerability to trigger a remote buffer overflow and gain root level access to the server. A remote access tool was installed, and the server was rebooted to load this software into memory. A botnet command and control was subsequently installed and started. During the period the individual had access to the Zookeepr server, a number of Linux Australia’s automated backup processes ran, which included the dumping of conference databases to disk.”

Immediately  responding to the incident, Linux Australia has decommissioned the infected server, and announced improvements to its architecture and security.

Hackers target Executive club members of British Airways

Being an executive customer at British Airways (BA) does not guarantee any better security from hackers. Thousands of executive customers found this out to their peril as BA confirmed the hacking of the accounts.

According to the company, it was not a direct attack on the central database; the attack was carried out on some account holders using information on the users available elsewhere on the internet. Also, the company maintained that only “a small number of frequent flyer Executive Club accounts” had been affected and though there has been some unauthorized activity, no sensitive information had been leaked.

Though the company said that the hackers had not gained any access to any subsequent information pages like travel histories or payment card details within accounts, BA Executive Club (BAEC) account holder have registered complaints on the forums saying that their Avios points have been stolen. Avios points are accumulated through frequent travel can be used for other flights or upgrades. Tier points have not been affected due to this hack.

One user wrote, “My Avios balance, which was 46,418 yesterday, is suddenly zero,” Another said, “217,000 taken from my account this morning. 30 minute hold on the silver line.”
Other people are also reporting they are unable to access their accounts at all, with their BAEC number not being recognized at all.The company responded saying that the accounts have been locked down from access as a response to the breach and all the points would be subsequently reinstated.

Some members of BAEC affected by the issue have received emails requesting change of passwords, for those who have not but still are locked out of the accounts can place a call to the customer care.

For customers wanting to book flights now, bookings as redemption of points might not be available pending resolution of the matter but still can be checked for availability.

Alternatively, one might, if the options are available try to book through Avios.com which has not been affected.

However, with so many cases, it is best to wait for a few days till the situation becomes clearer.

Banking Trojan Vawtrak

Banking Trojan Vawtrak (aka Neverquest or Snifula) which additionally uses the Pony module to steal wide range of log-in credentials has been proliferating rapidly over the last few months

 USA, Germany, UK, Czech Republic are the  top  affected countries this year.

While Trojans like this are not new, what makes it remarkable is the  the multi-layered concealing processes and wide range of functions it can execute.

The Vawtrak Trojkan spreads via drive-by download – in the form of spam email attachments or links to compromised sites or  through malware downloaders such as Zemot or Chaintor or through exploit kits like Angler.

Tracking the Trojan  Vawtrak, AVG has revealed a detailed analysis of its installation and functionality.

Installation
The trojan was delivered through a spam email from Amazon which contained link to a zip archive stored on a compromised Wordpress site. The delivered file which actually was a executable tried to simultaneously look as  a pdf and a screen saver. It then installed itself into the system and ensured persistence by enabling auto-execution  Windows start-up. Without causing visible changes in the system, it then dropped the DLL into the program folder and deleted its original version.

This shorter second DLL decrypts its payload, which looks like  a normal Windows exe file but is a compressed file. The decompressed file replaces the second DLL and extracts the final module in a compressed format which further contains another two DLL files. The appropriate DLL then executes Vawtrak's main functionality.

Functionality
Once executed, Vawtrak disables antivirus protection of almost all known anti-viruses, steals multiple passwords from browsers (even obscure browsers such as K-Meleon or Flock) or applications, steals browser history, modifies browser settings, logs keystrokes, takes screenshots or records user actions on desktop, enables remote access to victim's system.

Further it communicates with remote Control & Command servers, executing commands from a remote server, sending stolen information, downloading new versions of itself and web-injection frameworks.
One fascinating feature is that it can connect to the update servers  hosted on the Tor hidden Web services via a Tor2web proxy without installing any special software such as Tor browser. Moreover, the communication with the remote server is done over SSL, which adds further encryption. Due to the use of steganography, the user remains totally ignorant of the working and updation of the Trojan.

Vawtrak is not as advanced as some others but its actions are too aggressive and they may cause stability or performance issues in the infected machines.

Staying vigilant about online phishing and scams is the most efficient way of avoiding Vawtrak but as it may still find its way, even without a user's direct interaction. So having an efficient and updated antivirus solution is of utmost importance.

For full analysis of the Trojan, read the complete report by AVG.

UK based gaming company Multiplay reports unauthorised access of servers, sounds warning bell

Multiplay, a gaming event company recently bought by GAME has alerted its users of a potential breach of its network.

The alert was sounded by Multiplay, by sending an email to its users, encouraging them to change their passwords due to an unauthorized access detected by the company on its systems. Multiplay has assured users that no payment information has been leaked as such information is not stored on its servers.

The email was confirmed by Multiplay on its twitter handle also and asked users to follow the instructions in the email.

Speculations are going around that the breach of the company's servers is the work of some gamers not happy with the recent acquisition of Multiplay, by retailer GAME.

The step has been seen as action to undermine this years gaming festival, Insomnia, hosted by Multiplay.

Hackers won $317,500 on day one of Pwn2Own 2015

Hackers have been awarded a total of $317,500 USD, for finding three bugs in Adobe Flash, three bugs in Adobe Reader, three bugs in the Windows operating system, two bugs in Internet Explorer, and two bugs in Mozilla Firefox, on the first day of Pwn2Own 2015, sponsored by HP’s Zero Day Initiative (ZDI) and Google’s Project Zero at the CanSecWest security conference in Vancouver, Canada.

Peter, Jihui Lu, and Zeguang Zhao of Team509, and wushi of KeenTeam were awarded $60,000 for exploiting flash by a heap overflow remote code execution vulnerability, and won additional of $25,000 for achieving system-level code execution by leveraging a local privilege escalation in the Windows kernel through TrueType fonts.

Nicolas Joly used a use-after-free (UAF) remote code execution vulnerability and sandbox escape directory traversal vulnerability in the Flash broker, and won $30,000.

Nicolas won another $60,000 for his exploitation of Adobe Reader through a stack buffer overflow, which lead to info leak and remote code execution.

Peter, Jihui Lu, Wen Xu, wushi (KeenTeam), and Jun Mao (Tencent PCMgr) earned $30,000 for targeting Adobe Reader with an integer overflow and achieved pool corruption through a different TTF bug, and $25,000 bonus for the SYSTEM escalation.

Mariusz Mlynski knocked out Mozilla Firefox through a cross-origin vulnerability, and execute a logical flaw to escalate to SYSTEM in Windows. Awarded $30,000 USD for the Firefox bug and an additional $25,000 bonus for the privilege escalation. 360VulcanTeam won $32,500 USD for exploiting 64-bit Microsoft Internet Explorer 11 for medium-integrity code through an uninitialized memory vulnerability.

Data Breach at Sacred Heart Health Systems


A security breach at one of the third-party vendors of Sacred Heart Health Systems has resulted in the exposure of health and personal information of approximately 14,000 patients.

Hackers were able to access patients’ names, dates of service, dates of birth, diagnoses and procedures, total charges, and physicians’ names, and 40 of the patients Social Security numbers were also compromised, through phishing attack by gaining access to the email account of an employee of the billing vendor.

The incident was first discovered on Dec. 3, 2014, and username and password of the employee was immediately shut down. On Feb 2,2015, Sacred Heart was notified of the attack.

 They immediately launched an internal investigation by engaging computer forensics experts, to conduct and analyze the incident and help to accurately identify affected ones, and they sent letters to all affected patients informing them about the hacking attack. The hacker has not been identified.

Data breach of Advantage Dental


An intruder had accessed internal membership information of more than 151,000 patients of an Advantage Dental, a Redmond-based provider that serves low-income patients at more than 30 clinics in Oregon, in late February, announced on Monday.

According to the Advantage Dental, there is unauthorized access to patients’ names, social security numbers, home addresses, phone numbers, and dates of birth, but treatment details, payment or other financial data were not accessed.

A malware obtained a username and password of Advantage employee’s computer that allows access to the membership database, which is separate from the database that contains financial and treatment information.

An intruder accessed the information continuously for three days from 23 Feb to 26 Feb. Internal IT specialists of Advantage Dental terminated the illegal access immediately upon discovery. Computers equipped with anti-virus software fails to detect new variations of a virus.

No patients have complained about the data being used for criminal activity. Advantage has made necessary security changes in all its clinics, and headquarters in Redmond to avoid further data breach.

Limited portion of ASML's IT System hacked


An unnamed hacker broke into a limited portion of an  IT system of a semiconductor supplier company called ASML on Sunday. In their initial investigation, ASML revealed that only a limited amount of data has been accessed.

According to  ASML, there has not been any evidence of  valuable files, both  from their or customers and suppliers side, has been compromised. Their IT staff quickly got to know about the break-in the IT system and took immediate step.

ASML is a multinational Dutch company, with its presence  felt in more than 16 countries in over 70 different locations. They make photolithography machines for the production of integrated circuits such as CPUs and memory chips, that improve the quality of life.

In recent times, many large companies have been targeted by hackers, but they  are constantly working to improve their defenses against hacking attempts and their detection capabilities.

ASML is listed in Euronext Amsterdam and NASDAQ under the symbol ASML.

Three suspects arrested in china for spreading WireLurker malware


Now a days, any mention of malware and Macs in the same setting generally conjures up images of WireLurker. It was notable as a new family of malware specifically targeting iOS devices via USB and is able to penetrate the iPhone's strict software controls.

WireLurker has been in action in China for the past six months, first infecting Macs by inserting Trojan software through repackaged OS X apps, then moving on to iOS devices. The firm claims that it is the first to automate generation of malicious iOS apps by implementing a binary file replacement attack.

Security experts at Palo Alto Networks traced WireLurker in a research paper saying "It is the biggest in scale we have ever seen! “. WireLurker can jump from a Mac onto an iPhone running a vanilla version of Apple's operating system by leveraging Apple's enterprise provisioning assets.

The WireLurker attackers "probably aren't people who do this often," says Ryan Olson, intelligence director of Palo Alto Networks' Unit 42. They are "clearly very skilled MacOS or iOS developers," but they definitely are not very experienced in writing malware.

With Apple's global smart phone market share continues to rise, so do the number of attempts to surreptitiously harvest data from unsuspecting consumers. As for who created WireLurker, Palo Alto's best guess is that this is one individual or a small group of individuals operating within China, independently of any nation-state. They could be a startup malware house in the new financially motivated, politically independent cybercrime underground growing behind the Great Wall.

Taking advantage of an app provisioning vulnerability, WireLurker lays dormant on a user's computer in an infected OS X app. The malware monitors for new iOS devices and installs malicious apps downloaded from an off-site server or generated autonomously on-device. From there, the program can access user information like contacts, read iMessages and perform other functions determined by the command-and-control server.

So far, 467 OS X apps have been infected and distributed through China's third-party Maiyadi App Store, with downloads totaling over 356,104 possibly impacting "hundreds of thousands of users."

While many publications have dubbed WireLurker “a new brand of threat,” it seems that the majority of users have nothing to worry about. It’s relies on a USB connection for delivery—a practice that has gone by the wayside for most folks in recent years.

On November 14, the Beijing Municipal Public Security Bureau announced it had arrested three people in connection with the WireLurker malware which brought a sense of relief among Apple users of China.

The police received a tip from the Chinese technology company Qihoo 360 and subsequently arrested three individuals, respectively surnamed Chen, Li, and Wang.

The third-party app store that had been serving WireLurker, Maiyadi, was also shut down. Apple has already taken steps to block infected programs but the rest of the work rests on users.

Author:
Medha Anand

Cape May-Lewes Ferry Confirms Credit Card Data Breach


The Cape May – Lewes Ferry has confirmed its payment data systems were infiltrated by hackers who took payment card data on certain systems at the Cape May-Lewes Ferry’s terminals and vessels.

Delaware River and Bay Authority(DRBA) that operates the Cape May – Lewes Ferry learned of a possible data breach on July 30 - The same day Jimmy John's learned of the data breach.

The organization with the help of third-party cyber forensic experts has determined that its card processing systems relating to food, beverage , and retail sales only were compromised.

Credit and Debit card data of individuals who have made purchases from September 20, 2013 through August 7, 2014 at the Cape May – Lewes Ferry ’s terminals and vessels at risk.

The malware planted by the cyber criminals has been eliminated.  The card data accessed by the malware includes card numbers, cardholder's names and/or card expiration dates.

DRBA is offering free identity protection services, including credit monitoring to affected customers.