Kaspersky Lab found a serious vulnerability in Windows

A team of specialists from Kaspersky Lab, an anti-virus company headquartered in Russia, discovered a 0-day vulnerability in Windows systems. Cybercriminals were actively exploiting this security problem in real targeted attacks.

According to Kaspersky Lab experts, they found a previously unknown vulnerability in Windows that was allegedly used to carry out targeted attacks by at least two cyber groups — FruityArmor and the recently discovered SandCat.

Using this vulnerability, an attacker could infiltrate the victim's network or device by attacking Windows 8 and 10. As a result of a successful attack, the cybercriminal got full control over the vulnerable system.

Kaspersky Lab promptly notified Microsoft of the problem, which allowed the developers to release a patch that is already available to users.

"The discovery of this exploit shows that such expensive and rare tools are still of great interest to hacker groups. Organizations need to find solutions that can protect against such threats," says Anton Ivanov, Kaspersky Lab anti-virus expert.

The First-Ever Millionaire Hacker on HackerOne

At the tender age of 19, Santiago Lopez is earning a handsome sum of money via the bug bounty program HackerOne, discovering security flaws through vulnerability coordination. He is said to be the first to make more than USD 1 million through these channels, and he ranks second on HackerOne.
Lopez is self-taught: he learned how to get past layers of security protections from tutorial videos and other content on the internet, which served as his hacking and information security classes starting in 2015, at the age of 16.
He has worked with and reported vulnerabilities to renowned organizations such as Twitter, Automattic, Verizon and HackerOne, among others. As of now, he has successfully reported 1676 different vulnerabilities in online assets. Additionally, he has worked for the US government and other private organizations.
It was a year later, when he was awarded $50 for a CSRF vulnerability, that the inflow of rewards began; the largest bounty was $9,000, which he received for an SSRF.
Santiago invested his initial bug bounty earnings in a brand new PC and, as the money multiplied, the young IT enthusiast considered buying cars.
At HackerOne, the goal of the program is to reach the mark of $100 million by the end of 2020. On the way to that goal, in 2018, the security researchers at HackerOne made more than $19 million in bounties, which is significantly larger than the over $24 million paid in the past five years.
It has been reported that the majority of the hackers dedicate around 10 hours per week to searching for bugs, while one-fourth of them work 10-20 hours every week.
According to a survey, security researchers with extensive experience in the field form the smallest percentage, whereas the majority, 72.3%, have between one and five years of experience.
The joy of earning money and of dealing with challenges is among the top driving factors for researchers to submit bugs through HackerOne.

Sberbank created a phishing website for flowers delivery

The biggest Russian bank, Sberbank, created a phishing website for ordering flower delivery to demonstrate how a mobile device gets infected when visiting a fake website created by cybercriminals.

Stanislav Kuznetsov, Deputy Chairman of the Board of Sberbank, showed how such websites work at a conference in Sochi.

According to Stanislav, phishing is one of the most difficult types of fraud. The fake website exactly copies the website you are used to seeing. The fake site claims it will provide a free prize and tricks victims into providing financial information, including card number and PIN.

Sometimes, the website also infects the victims' devices with malicious software. The bank representative explained that in this way fraudsters have successfully gained access to data on mobile devices, including personal messages.

Moreover, Stanislav Kuznetsov gave a lecture at the XIX World Festival of Youth and Students, entitled "Cyber security — how to protect yourself in the world of cyber threats". According to him, the losses of Russian companies and citizens from cyber attacks will grow 4 times in two years and will surpass 1.5 trillion rubles (26 million $ or 1,7 trillion Rupee). Therefore, Sberbank developed a unique fraud-monitoring system, based on artificial intelligence, to protect against cyber threats. With this technology, Sberbank detects 96-97% of fraudulent transactions.

- Christina

Are enough safeguards built within BHIM?

About BHIM:
BHIM (Bharat Interface for Money - Bhim App) is a mobile app developed by the National Payments Corporation of India (NPCI), based on the Unified Payment Interface (UPI). It was launched by Narendra Modi, the Prime Minister of India, at a Digi Dhan programme at Talkatora Stadium in New Delhi on 30 December 2016. (source: Wikipedia)


The BHIM application has an option to create a payment address (Virtual ID). It auto-suggests a person's name+(value), as many of the typical Indian names are already taken.

For example, if a person called Vijay Kumar R is trying to create a personal payment address, he will be suggested "vijaykumarr". This is the primary identifier, and during a transfer the application does not do any further checking. A simple mistake in the name might cause a catastrophe for the sender.

If a person by mistake types in "vijaykumart" (instead of "vijaykumarr"), the application will show the proper full name as "Vijay Kumar", and it is highly probable that the person would send the money to the wrong recipient because the name matches. Since the BHIM application is mostly targeted at "New Adopters", mostly from rural locations, they might not be able to find the difference or spot a mistake in what they are typing.

The application should ask for a secondary detail (e.g. mobile number, bank name, etc.) about the recipient, cross-check it with the database, and only process the transfer if the details match.

NEFT and IMPS, by contrast, have multilayer verification: even if the user gives a wrong input, the amount will not be sent if any of the details are incorrect.

Check | BHIM (UPI) | NEFT / IMPS
Checks Full Name | No | Yes
Checks Bank Address | No | Yes
Checks Account Number | No | Yes
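The secondary-detail cross-check recommended above could look like the following. This is an added example, not NPCI's or BHIM's code; the directory contents, the field names (`mobile_last4`, `bank`) and the function names are assumptions made for illustration.

```python
# Constructed directory of registered payment addresses (all values made up).
DIRECTORY = {
    "vijaykumarr": {"name": "Vijay Kumar", "mobile_last4": "4321", "bank": "Bank A"},
    "vijaykumart": {"name": "Vijay Kumar", "mobile_last4": "9876", "bank": "Bank B"},
    "anitasharma": {"name": "Anita Sharma", "mobile_last4": "5555", "bank": "Bank A"},
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to find addresses one typo away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def lookalikes(directory, address, max_distance=1):
    """Other registered addresses that differ by a typo and show the same name."""
    payee = directory.get(address)
    if payee is None:
        return []
    return sorted(
        other for other, rec in directory.items()
        if other != address
        and rec["name"].casefold() == payee["name"].casefold()
        and edit_distance(other, address) <= max_distance
    )


def check_transfer(directory, address, mobile_last4, bank):
    """Decide whether a transfer may proceed.

    The sender supplies what they know about the intended recipient. The
    transfer is blocked unless every secondary detail matches the record
    behind the typed address, so a matching display name is never enough.
    Only the names of mismatching fields are reported, never their values.
    """
    payee = directory.get(address)
    if payee is None:
        return {"decision": "block", "reason": "unknown payment address",
                "lookalikes": []}
    supplied = {"mobile_last4": mobile_last4, "bank": bank}
    mismatched = sorted(
        field for field, value in supplied.items()
        if value.strip().casefold() != payee[field].casefold()
    )
    similar = lookalikes(directory, address)
    if mismatched:
        return {"decision": "block",
                "reason": "mismatch: " + ", ".join(mismatched),
                "lookalikes": similar}
    return {"decision": "allow", "reason": "secondary details match",
            "lookalikes": similar}


if __name__ == "__main__":
    # The sender means "vijaykumarr" but types "vijaykumart"; the name looks right.
    print(check_transfer(DIRECTORY, "vijaykumart", "4321", "Bank A"))
    print(check_transfer(DIRECTORY, "vijaykumarr", "4321", "Bank A"))
```

The `lookalikes` list lets the client show an extra confirmation prompt whenever another registered address with the same display name is one keystroke away.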

The option to refund the money to the sender exists only on the receiver's end. There is no option to raise a complaint on the sender's side. Many of the banks are unable to get the money back if it is wrongly sent to another person. There is no option in the UPI ecosystem for such cases. How can this be? Why did they not think about this?

The same issue was faced by us when we sent about 9200 to the wrong ID. The bank (Axis) that we used could not get our money back, even though we made a complaint within a few minutes. It was also not possible for us to track who it was sent to and request them to send it back.

We recommend that people stick to the traditional NEFT and IMPS for any high value transactions as there is no support in the UPI system for raising issues during transactions.

Be careful with whom you share your Jio Hotspot!

If you are sharing your Jio internet with others via mobile hotspot, you should know the risk that you are taking. Our research shows that sharing your Jio connection with others puts your sensitive information in their hands.

The person who is using your Jio Internet can easily log into your Jio account. All they have to do is download the MyJio app and click "SIGN IN WITH SIM". 

Steps to replicate:
Step 1:
    You should have two phones - one with a Jio SIM and another one with a non-Jio SIM (make sure you have not installed the Jio app on the second phone yet).

Step 2:
    Turn on Wi-Fi hotspot in the Jio phone and connect from your non-Jio phone

Step 3:
    Install the Jio app from the Play Store and open it. When it asks for authentication, click "SIGN IN WITH SIM". Now you will be able to access the Jio account from your non-Jio mobile.

View/Modify Details:
After logging in, it is possible to view sensitive information including name, date of birth, mobile number, alternate contact work, address, photo, usage details.  Also, some of the details can be edited.

Once you are logged in, the session is maintained even if you are disconnected from the Jio network.

Account lockout:
If you mistakenly log out from the Jio-phone when it is logged in the non-Jio phone, you won't be able to log in to your Jio app unless the other person logs out from the app.

If the victim has installed the Jio Security app, it is possible for an attacker to track the current location or see the last location details.

Let's say that you are in a public place and a stranger (the attacker) asks for an Internet connection to check his email. If you share the Internet, it is enough for the attacker to steal your sensitive information.

The issue can be resolved by adding an OTP check during authentication.
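The OTP check proposed above, next to the connection-only sign-in the steps describe, as an added example that is not Jio's code. It assumes the service learns the subscriber number from the mobile connection the request arrives on; the class, method names and sample number are hypothetical.

```python
import hmac
import secrets
import time


class SimSignIn:
    """Sign-in service keyed by the subscriber number (MSISDN) of the connection."""

    OTP_TTL = 120      # seconds an OTP stays valid
    MAX_TRIES = 3      # wrong guesses allowed per challenge

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms      # callable(msisdn, text): delivers to the SIM
        self.clock = clock
        self.pending = {}             # challenge id -> challenge state

    def sign_in_by_network_only(self, network_msisdn):
        """Behaviour described on the page: the connection alone is the proof,
        so every device behind the subscriber's hotspot passes this check."""
        return network_msisdn

    def start(self, network_msisdn):
        """Hardened step 1: the network number only selects where the OTP goes."""
        challenge_id = secrets.token_urlsafe(16)
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[challenge_id] = {
            "msisdn": network_msisdn,
            "otp": otp,
            "expires": self.clock() + self.OTP_TTL,
            "tries": 0,
        }
        # The SMS reaches the phone holding the SIM, not the tethered device.
        self.send_sms(network_msisdn, otp)
        return challenge_id

    def finish(self, challenge_id, otp):
        """Hardened step 2: returns the MSISDN on success, None otherwise."""
        ch = self.pending.get(challenge_id)
        if ch is None:
            return None
        if self.clock() > ch["expires"]:
            del self.pending[challenge_id]
            return None
        ch["tries"] += 1
        ok = hmac.compare_digest(ch["otp"].encode(), str(otp).encode())
        if ok or ch["tries"] >= self.MAX_TRIES:
            del self.pending[challenge_id]     # single use, bounded guessing
        return ch["msisdn"] if ok else None


def demo():
    """Hotspot guest vs. SIM owner, using a constructed number and SMS inbox."""
    inbox = {}                                  # stands in for SMS delivery
    svc = SimSignIn(lambda msisdn, text: inbox.__setitem__(msisdn, text))
    owner = "+910000000001"                     # constructed subscriber number
    guest_challenge = svc.start(owner)          # guest connects via the hotspot
    guest_result = svc.finish(guest_challenge, "not-the-otp")
    owner_challenge = svc.start(owner)
    owner_result = svc.finish(owner_challenge, inbox[owner])
    return guest_result, owner_result


if __name__ == "__main__":
    print(demo())
```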

We thank Suriya Prakash from Cyber Security & Privacy Foundation (CSPF) for helping us with this research.

DROWN attack risks millions of popular websites

An international team of researchers warned that more than 11 million websites and e-mail services protected by the transport layer security protocol are vulnerable to a new, low-cost attack that decrypts sensitive communications in a few hours.

The cybersecurity experts from universities in Israel, Germany and the US as well as a member of Google's security team found that more than 81,000 of top one million popular websites are vulnerable.
The researchers said many popular sites - including ones belonging to Samsung, Yahoo and a leading Indian bank - appeared to be vulnerable.

The DROWN attack works against TLS-protected communications that rely on the RSA cryptosystem when the key is exposed, even indirectly, through SSLv2, short for secure sockets layer version 2.

TLS allows everyone on the internet to browse the web, use e-mail, shop online and send instant messages without third parties being able to read the communication. The vulnerability allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data. Under some common scenarios, an attacker can also impersonate a secure website and intercept or change the content the user sees.

While many security experts believed the removal of SSLv2 support from browser and e-mail clients prevented abuse of the legacy protocol, some misconfigured TLS implementations still tacitly support the legacy protocol when an end-user computer specifically requests its use.
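The "even indirectly" case above means a TLS-only server is exposed when any other service accepts SSLv2 with the same RSA key. The following inventory check flags both cases; it is an added example, not the researchers' tool, and the CSV layout, hostnames and key labels are constructed placeholders.

```python
import csv
import io
from collections import defaultdict

# Constructed scan inventory: one row per TLS endpoint. Hostnames and key
# fingerprints are placeholders, not real measurements.
INVENTORY_CSV = """host,port,protocols,key_type,key_fingerprint
www.example.test,443,TLSv1.2,RSA,KEY-A
mail.example.test,25,SSLv2 TLSv1.0,RSA,KEY-A
shop.example.test,443,TLSv1.2,RSA,KEY-B
legacy.example.test,443,SSLv2 TLSv1.0,RSA,KEY-C
api.example.test,443,TLSv1.2,ECDSA,KEY-D
"""


def load_inventory(text):
    """Parse the CSV into one dict per endpoint."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "endpoint": f"{row['host']}:{row['port']}",
            "protocols": set(row["protocols"].split()),
            "key_type": row["key_type"].upper(),
            "key": row["key_fingerprint"],
        })
    return rows


def drown_exposure(rows):
    """Map each exposed endpoint to the reason it is exposed.

    direct   -> the endpoint itself accepts SSLv2
    indirect -> it is TLS-only, but another endpoint accepts SSLv2 with the
                same RSA key
    """
    # Index every RSA key that is reachable through an SSLv2-enabled service.
    sslv2_by_key = defaultdict(list)
    for r in rows:
        if r["key_type"] == "RSA" and "SSLv2" in r["protocols"]:
            sslv2_by_key[r["key"]].append(r["endpoint"])

    findings = {}
    for r in rows:
        if r["key_type"] != "RSA":
            continue                      # the attack targets RSA keys
        sources = sslv2_by_key.get(r["key"], [])
        if not sources:
            continue
        direct = r["endpoint"] in sources
        findings[r["endpoint"]] = {
            "exposure": "direct" if direct else "indirect",
            "sslv2_endpoints": sorted(sources),
        }
    return findings


if __name__ == "__main__":
    for endpoint, info in sorted(drown_exposure(load_inventory(INVENTORY_CSV)).items()):
        print(endpoint, info["exposure"], "via", ", ".join(info["sslv2_endpoints"]))
```

An "indirect" finding is cleared by disabling SSLv2 on every listed endpoint that shares the key, not by changing the TLS-only server.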

Websites, mail servers, and other TLS-dependent services are at risk for this attack, and many popular sites are affected.

In practice, older email servers would be more likely to have this problem than the newer computers typically used to power websites.

In addition, because many of the servers vulnerable to Drown were also affected by a separate bug, a successful attack could be carried out using a home computer.

Though a fix has been issued, it will take time for many website administrators to protect their systems.

The researchers have released a tool that identifies websites that appear to be vulnerable.

The SSLv2 protocol was weakened because, at the time of its creation, the US government wanted to try to restrict the availability of tough encryption standards to other countries.

It has since eased its export limits, but the effects live on.

5,200 affected after unauthorized access of Neiman Marcus Group's websites

Neiman Marcus Group (NMG) has reported unauthorized access to its online customer accounts on the websites Neiman Marcus, Bergdorf Goodman, Last Call, and CUSP.

According to the public notice released on Jan. 29, 2016 by the company, approximately 5,200 accounts have been affected. Information compromised includes usernames, passwords, names, mailing addresses, phone numbers, last four digits of payment cards, and purchase histories.

No sensitive information like Social security number, date of birth, financial account number, or PIN number is visible through online accounts.

The websites were breached on or around Dec. 26, 2015, when an unauthorized individual gained access by using automated attacks to attempt various login and password combinations. As a result, the hacker was able to make purchases on approximately 70 of these accounts.

The company's senior vice president, Lindy Rawlinson, said in a letter to the customers that the company's fraud team “has detected these unauthorized purchases, and Neiman Marcus has credited the affected customers for the full amount of the unauthorized purchase.”

The company has taken steps to limit the ability of the threat actors to access customer accounts, and has initiated a comprehensive response and investigation to understand the scope of the incident.

However, the company has requested its customers to change their passwords on all NMG websites and on any other site that uses the same username and password combination.

Irked train hackers talk derailment flaws, drop SCADA password list

A report published in The Register says that Russian hackers claim to have found flaws in rail networks which allow crooks to hijack and derail trains.

The flaws reportedly affect various systems including mobile communication and interlocking platforms that control braking and help prevent collisions.

“Industrial control specialist hackers Sergey Gordeychik, Aleksandr Timorin, and Gleb Gritsai did not describe the bugs in detail, since that would allow others to replicate the attacks nor reveal the names of the affected rail operators,” the report reads.

According to the report, "If somebody can attack the modem, the modem can attack the automatic train control system, and they can control the train," Gordeychik says.

So, there is a danger as the flaws expose physical systems like power grids, dams, and trains to unauthorized external modification in ways largely unknown to those outside of the security industry.

It is said that human programming errors were responsible for various remote code execution holes which could affect interlocking systems.

“We are releasing the list to force vendors to not use hardcoded and default passwords,” an irritated Gordeychik says.
The Register report says that the attack vectors against computer-based interlocking include attacks against workstation, attacks against networking gateways that connect interlocking to the rest of the world, and communications between CPU and object controllers and wayside devices.

UOB first in Asia Pacific to roll out Visa Token Service

United Overseas Bank has implemented the Visa Token Service, and it is the first bank to do so in Asia Pacific.

“The Visa Token Service is a new security technology that replaces sensitive payment account information found on payment cards, such as the 16-digit account number, expiration date and security code, with a unique digital identifier or “tokens” that can be used to process payments without exposing actual account details,” Visa reports.

All Visa cardholders can now make contactless payments through the UOB Mighty app that will be available on NFC-enabled Android smartphones. With this, you can make payments in the country and overseas: you just have to open the app, select the “Pay” function, enter a PIN, and tap to pay at all NFC-enabled terminals.

The report notes that this payment method is much more secure than other methods because the tokens do not carry the customer’s primary account number. The tokens can be instantly re-issued if you lose your phone or it is stolen, without changing the primary account.

The tokens are based on existing ISO standards, and they can be processed the same way as traditional card payments.

Facebook’s notification to alert people about suspected cyber attack

Sample of the newly launched notification.
Don’t ignore a notification from Facebook which warns users that their accounts have been targeted or compromised by an attacker suspected of working on behalf of a nation-state.

Along with other emotions, Facebook has recently launched the notification which warns the user if it finds his/her Facebook account has been targeted by an attacker working on behalf of a nation-state.

“Starting today, we will notify you if we believe your account has been targeted or compromised by an attacker suspected of working on behalf of a nation-state,” Alex Stamos, chief security officer at Facebook, said on October 17.

He added, “While we have always taken steps to secure accounts that we believe to have been compromised, we decided to show this additional warning if we have a strong suspicion that an attack could be government-sponsored. We do this because these types of attacks tend to be more advanced and dangerous than others, and we strongly encourage affected people to take the actions necessary to secure all of their online accounts.”

The company has also clarified that the warning is not related to any compromise of Facebook's platform or systems, and that having an account compromised in this manner may indicate that users’ computers or mobile devices have been infected with malware.

“Ideally, people who see this message should take care to rebuild or replace these systems if possible,” the security officer said.

However, at this point, Facebook is still not able to explain how it attributes certain attacks to suspected attackers, in order to protect the integrity of its methods and processes.

“We plan to use this warning only in situations where the evidence strongly supports our conclusion. We hope that these warnings will assist those people in need of protection, and we will continue to improve our ability to prevent and detect attacks of all kinds against people on Facebook,” he added.

New Xerox PARC Processor capable of Self-destructing

Some may find it good news and some may find it a bit risky: researchers from Xerox PARC have now come up with a new type of cryptographic processor, dubbed the Xerox PARC processor, which is capable of self-destructing when ordered to do so.

The researchers have created the cryptographic processor under a DARPA-funded security push which aims to create ways of safeguarding top secret information that are less susceptible to hacking if they fall into the wrong hands.

The chip was built on a Corning Gorilla Glass substrate.

“The applications we are interested in are data security and things like that,” Gregory Whiting, a senior scientist at PARC in Palo Alto, California, told Extreme Tech. “We really wanted to come up with a system that was very rapid and compatible with commercial electronics.”

“We take the glass and we ion-exchange temper it to build in stress,” said Whiting. “What you get is glass that, because it’s heavily stressed, breaks it fragments into tiny little pieces.”

According to a news report published in Extreme Tech, creating a chip that can store cryptography keys and self-destruct if it falls into the wrong hands could solve a problem that’s as old as cryptography itself: how do you ensure that the right recipient can read your messages, while still protecting the data from unauthorized recipients?

However, quantum computing could offer a potential solution to this in the long run as attempting to read the data being transferred between two quantum computers will inevitably change the data-state and alert the users that they are being spied on. Since quantum computing remains a long way off, however, other solutions for data security are needed.

So, in order to address this issue, the researchers came up with the Xerox PARC processor.
Many people expressed their opinion regarding the Xerox PARC processor.
SH4ZB0T commented, “It reminds me of the MIPS-X instruction hsc (that I believe was a joke).”
Whereas, Darkstar36 said, “Now hackers really can make your computer explode! What a time to be alive.”

Mikemol said, “Anyone else amused at the thermal limits this places on a device? You're not going to want to leave it in your car on a hot day. (So, for things like DRM device keys in mobile devices, this might not be the best solution...”

Uber Hires Security Analysts For Enhancing Car Safety

When it comes to vehicle security, Uber has taken a step ahead in making its vehicles safer. Officials have confirmed that the company has hired two top-notch security analysts to advance its goal of building self-driving car technology. Joining Uber are Charlie Miller and Chris Valasek, who have been working for Twitter Inc. and security firm IOActive respectively.

Uber’s Advanced Technologies Centre, a research laboratory set up by the company in Pittsburgh in February has already hired dozens of vehicle experts from Carnegie Mellon University, and now will be joined by Miller and Valasek.

Their appointment was confirmed by a welcome tweet from Raffi Krikorian, head of Uber ATC. Both started in their new roles on Tuesday.

Uber is at the moment deeply committed to developing or adapting self-driving car technology, and Miller and Valasek are joining the company to make the vehicles more secure. The technology can help the company reduce the manpower it has in the form of the thousands of contract drivers it has hired.

In order to develop this technology, the company has also partnered with the University of Arizona, providing students with grants to research and help develop the technology.

In March, Uber bought digital mapping firm deCarta, a San Jose, California-based company whose technology offers search and turn-by-turn directions.

FCA USA LLC recalled 1.4 million vehicles to install software intended to prevent hackers from emulating the experiment, which used the cellular network to enter the entertainment system and then win control of the engine, brakes and steering.

Facebook to bring “Video Matching Technology” to control Piracy

Here comes good news for video creators who are fed up with video piracy, especially on social networking sites: Facebook is planning to launch a “Video Matching Technology” which will inform the real video owners when their videos are uploaded by others.

A news report published in ReCode, confirms that in order to control the video piracy on Facebook, the company has decided to come up with the technology.

“We’ve heard from some of our content partners that third parties too frequently misuse their content on Facebook,” Facebook posted in its blog. “It’s not fair to those who work hard to create amazing videos. We want creators to get credit for the videos that they own.”

It is said that the company and its partners have started testing the new technology, which requires content owners to upload the clips they want to protect into Facebook’s system.

“It is the first step to creating the equivalent of YouTube’s Content ID system, which the video giant built up over years as a response to its own copyright/piracy problems. After years of ignoring video, Facebook is now a major player, so this kind of effort was obvious and overdue,” the news report reads.

“Facebook’s response comes after video makers and distributors have grown increasingly vocal about pirated videos, which by one estimate accounted for more than 70 percent of Facebook’s most popular videos. In May, Jukin Media, a video licensing agency best known for “Fail” clips, described Facebook’s copyright problems as “massive.” In June, Fullscreen CEO George Strompolos, who runs one of the biggest YouTube video networks, tweeted that he was “getting very tired of seeing our videos ripped there with no way to monitor or monetize,” the news report reads.

Now Facebook says Jukin and Fullscreen are two of its initial launch partners for the new technology, along with Zefr, a service company that helps content owners track their clips on YouTube. Facebook says it is also working with major media companies on the effort, but won’t identify them.

Researchers come up with Sound-proof which may protect your online accounts

Swiss researchers from the Institute of Information Security at ETH Zurich have come up with a two-factor authentication mechanism based on ambient sound. The researchers claim that it does not require any user interaction, which should help speed adoption of strong security.

Researchers, Nikolaos Karapanos, Claudio Marforio, Claudio Soriente, and Srdjan Capkun, have presented a paper about their research at the recent Usenix conference in Washington, DC.

The researchers have proposed Sound-Proof, a usable and deployable two-factor authentication mechanism.

“Sound-Proof does not require interaction between the user and his phone,” they said.

In Sound-Proof, the second authentication factor is the proximity of the user's phone to the device being used to log in. The proximity of the two devices is verified by comparing the ambient noise recorded by their microphones.

As the audio recording and comparison are transparent to the user, the user experience is similar to the one of password-only authentication.

It can be easily deployed as it works with current phones and major browsers without plugins.

“Two-factor authentication protects online accounts even if passwords are leaked. Most users, however, prefer password-only authentication. One reason why two-factor authentication is so unpopular is the extra steps that the user must complete in order to log in,” the researchers said in the paper.

According to the researchers, currently deployed two-factor authentication mechanisms require the user to interact with his/her phone to, for example, copy a verification code to the browser. Two-factor authentication schemes that eliminate user-phone interaction exist, but require additional software to be deployed.

“We build a prototype for both Android and iOS. We provide empirical evidence that ambient noise is a robust discriminant to determine the proximity of two devices both indoors and outdoors, and even if the phone is in a pocket or purse. We conduct a user study designed to compare the perceived usability of Sound-Proof with Google 2-Step Verification,” the researchers added.

The researchers claim that many people like Sound-Proof and are willing to use it for scenarios in which two-factor authentication is optional.

Soft Tokens : Low cost mass market 2-Factor Authentication for e-banking, e-commerce and e-governance

Many banks in India use an SMS OTP system for customer authentication. However, a recent incident of fraud in a bank showed that the SMS OTP token was not fully effective. In this incident, hackers modified the customer’s mobile number in the bank’s database and redirected the OTP to the modified mobile number that they controlled.

Problems arising due to misdirected creativity of Black Hat hackers apart, most bank officials also privately complain about high costs of the SMS method of authentication. Banks apart, the customer also incurs monthly SMS charges.

Some time back, in a customized Zeus MITM malware attack, a researcher showed how such customized malware could easily intercept communication between a net banking portal and a desktop.

The demo clearly demonstrated money ending up in a hacker’s account after a customer concluded a transaction. This vulnerability was exposed in a MNC bank’s Indian operation. Checking further, the researcher discovered that this particular vulnerability could be exploited in other bank's net banking systems as well.

It is widely accepted that the only real security is offered by use of a hardware token. Such a token generates time-based token numbers on the customer side, and net banking, e-commerce and payment wallet systems can undertake token verification on the server side. However, while effective, the hardware token method is accompanied by significant costs.

An elegant solution to the cost conundrum is to use the ubiquitous mobile phone as a soft token dispenser, and completely do away with the costs and hassles of using a separate hardware token.
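Time-based token generation on the customer side and verification on the server side, as described above, shown with the standard TOTP construction (RFC 6238 over RFC 4226). This is an added example, not CSPF's system, and the page does not say which algorithm that system uses; the `TokenVerifier` class and the customer ids are hypothetical.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time password for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """What the soft token on the phone displays at time `now` (Unix seconds)."""
    return hotp(secret, int(now) // step, digits)


class TokenVerifier:
    """Server-side check with clock-drift tolerance and replay rejection."""

    def __init__(self, step: int = 30, window: int = 1, digits: int = 6):
        self.step = step
        self.window = window          # time steps accepted either side of now
        self.digits = digits
        self.last_used = {}           # customer id -> last accepted counter

    def verify(self, customer_id: str, secret: bytes, code: str, now: float) -> bool:
        current = int(now) // self.step
        floor = self.last_used.get(customer_id, -1)
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= floor:
                continue              # already used or older: no replays
            expected = hotp(secret, counter, self.digits)
            if hmac.compare_digest(expected.encode(), str(code).encode()):
                self.last_used[customer_id] = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC test secret, not for production
    verifier = TokenVerifier()
    code = totp(secret, 59)
    print(code, verifier.verify("customer-1", secret, code, 59))   # accepted
    print(code, verifier.verify("customer-1", secret, code, 59))   # replay rejected
```

The per-customer secret must be provisioned to the phone over a protected channel and stored server-side as carefully as a password database; the scheme is only as strong as that secret.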

But the soft token model is only being offered by some major MNC security technology firms and comes accompanied by MNC prices and price structure that Banks find discomforting. These vendors insist on levying a fee on the bank on a per customer basis and the sum adds up to a significant amount when a bank or an enterprise deals with many millions of customers.

One possible solution for a Bank or other enterprises is to implement a 2 factor soft token authentication program by developing their own system. They could develop a system on their own with a 6 month R&D effort. It took us, Cyber Security and Privacy Foundation (CSPF), less than 3 months R&D to develop a 2FA system which can be implemented in banks and other enterprises and institutions.

Our research suggests that it can be both practical and economical to implement net banking with soft tokens given to all customers and thus prevent a lot of frauds.

The authentication server can be placed on a bank’s premises and soft tokens can be integrated with net banking. On an indicative basis, we envisage a first year license fee of US $ 50,000 for up to 100000 customers (something like half a dollar per customer for the first year).

We further envisage an annual recurring license fee of US $ 10,000 per 100000 customers to be levied Year 2 onwards. The price per customer could be reduced further to just 25 cents for a 500000 user base.

Convenience, cost, comfort and security all suggest that it is now time to look beyond the SMS OTP and the hardware token and adopt an in-sourced soft token 2 Factor authentication model. Banks, e-commerce players and wallet providers should all seriously evaluate this option.

Database breach occurs at Hanesbrands Inc.

Hanesbrands Inc. has reported that a database of theirs containing 900 thousand contact details about their various customers has been breached.

The hacker gained access to the database by posing as a guest on the brand's website while checking out something.

The hacker got access to addresses, phone numbers and last four digits of a credit or debit card of customers according to Hanesbrands Inc.

The breach happened in the last month of June according to Hanesbrands spokesman Matt Hall and does not affect the retail stores of the brand.

The brand had themselves been contacted by the hacker to inform them of the breach.

Astoria - Researchers develop a new Tor client which aims to beat NSA

With the aim of beating powerful intelligence agencies like the NSA, researchers have developed Astoria, a new Tor client which is said to be capable of protecting users’ privacy even from such powerful intelligence agencies.

A team of cyber security researchers from America and Israel has come up with a new Tor client which is designed to make spying more difficult for the world's most capable intelligence agencies.

According to the research paper, people have used Tor, a popular anonymity system for users who wish to access the Internet anonymously or circumvent censorship, to prevent their activity from being tracked as Internet anonymity becomes difficult to establish.

However, Tor is not as safe from the powerful intelligence agencies as it was supposed to be.

As a result, the researchers have developed Astoria, which particularly focuses on defeating autonomous systems that have been set up to intrude on Tor’s anonymity.

“In our experiments, we find that 58% of all circuits created by Tor are vulnerable to attacks by timing correlation and colluding sibling ASes. We find that in some regions (notably, China) there exist a number of cases where it is not possible for Tor to construct a circuit that is safe from these correlation attacks,” the research paper says.

It added, “To mitigate the threat of such attacks, we build Astoria, an AS-aware Tor client. Astoria leverages recent developments in network measurement to perform path-prediction and intelligent relay selection. It not only reduces the number of vulnerable circuits to 5.8%, but also considers how circuits should be created when there are no safe possibilities. It performs load balancing across the Tor network, so as to not overload low capacity relays. Moreover, it provides reasonable performance even in its most secure configuration.”

Astoria aims to do the following:
• Deal with asymmetric attackers.
• Deal with the possibility of colluding attackers.
• Consider the worst case possibility.
• Minimize performance impact.
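
The AS-aware selection idea described above can be sketched as follows. This is an added, simplified example, not Astoria's code or the paper's algorithm; the relay names, AS numbers, predicted paths, sibling grouping and the fallback rule (fewest shared observers) are constructed assumptions.

```python
import random

# Constructed sample data: relay names are made up and AS numbers come from
# reserved documentation/private-use ranges. Paths are assumed predictions.
SIBLINGS = [{64501, 64502}]  # ASes assumed to be run by one organisation
ENTRY_PATHS = {  # client <-> guard, forward and reverse AS paths may differ
    "guardA": {"fwd": [64500, 64501, 64510], "rev": [64510, 64503, 64500]},
    "guardB": {"fwd": [64500, 64504, 64511], "rev": [64511, 64504, 64500]},
}
EXIT_PATHS = {  # exit <-> destination
    "exitX": {"fwd": [64520, 64502, 64530], "rev": [64530, 64505, 64520]},
    "exitY": {"fwd": [64521, 64506, 64530], "rev": [64530, 64503, 64521]},
}
BANDWIDTH = {"guardA": 50, "guardB": 20, "exitX": 80, "exitY": 40}


def org(asn):
    """Collapse sibling ASes into one observer so collusion is counted."""
    for i, group in enumerate(SIBLINGS):
        if asn in group:
            return ("siblings", i)
    return ("as", asn)


def observers(paths):
    """Organisations on either direction of a segment (asymmetric routing)."""
    return {org(asn) for direction in ("fwd", "rev") for asn in paths[direction]}


def common_observers(guard, exit_relay):
    """Organisations that see both ends and could correlate timing."""
    return observers(ENTRY_PATHS[guard]) & observers(EXIT_PATHS[exit_relay])


def choose_circuit(guards, exits, rng=random):
    """Return ((guard, exit), is_safe)."""
    pairs = [(g, e) for g in guards for e in exits]
    safe = [p for p in pairs if not common_observers(*p)]
    if safe:
        # Spread load: weight each safe pair by its slower relay's bandwidth.
        weights = [min(BANDWIDTH[g], BANDWIDTH[e]) for g, e in safe]
        return rng.choices(safe, weights=weights)[0], True
    # Worst case, nothing is safe: expose the circuit to the fewest observers.
    return min(pairs, key=lambda p: len(common_observers(*p))), False


if __name__ == "__main__":
    print(choose_circuit(list(ENTRY_PATHS), list(EXIT_PATHS)))
    print(choose_circuit(["guardA"], list(EXIT_PATHS)))
```

In the sample data, guardA paired with exitX is rejected only because of the sibling grouping, and guardA paired with exitY only because the reverse paths are checked, which is why both directions and sibling relationships are part of the test.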

Google launches 'Password Alert' to protect its users from phishing attacks

Google on April 29 launched a new extension, ‘Password Alert’, which warns people whenever they type in their Google password on any site that is not a Google sign-in page.

Drew Hintz, security engineer, and Justin Kosslyn of Google Ideas posted on Google's Online Security Blog that Password Alert, which is now available on the Chrome Web Store, is aimed at preventing phishing attacks. However, it also aims to minimize the overuse of the Google password.

They wrote that it is designed to alert people when they use their Google password on sites which are not operated by Google.

According to them, if anyone enters his/her password on a website that's imitating accounts.google.com and aims to get personal details, he/she will receive a warning. It also gives people time to change their password before it gets misused.

It works by checking the HTML of the page to identify whether it’s a legitimate Google sign-in page or not.

According to Google, this kind of password theft is known as “phishing”, and it represents two percent of all Gmail messages.

The new tool is believed to be an additional security measure for Google's users. Password Alert sits among a number of tools which are aimed at safeguarding user accounts. Other methods include two-step authentication and security key.

Colombian hacker gets 10 years in jail for spying

A Colombian court sentenced hacker Andres Sepúlveda to 10 years in prison after he admitted to various crimes, including spying on the government's peace talks with the Revolutionary Armed Forces of Colombia (FARC). He admitted to spying on representatives of both the government and the FARC guerrillas during peace negotiations.

The Internet pirate was arrested in May 2014 after being traced to secret offices that hacked confidential information and messages, including one whose objective was to sabotage the peace process.
According to the sentence handed down by the 22nd Presiding Court of Bogota, he was judged guilty of five crimes, including espionage, illegal wire-tapping, malicious use of software, breaching communications, and unauthorized access to classified information. He must also pay a fine of his current monthly minimum salaries as part of the agreement.
Sepúlveda intercepted the communications of top-ranking FARC Commander Rodrigo “Timochenko” Londoño and former Senator Piedad Córdoba.

According to the investigation, then-presidential candidate Óscar Iván Zuluaga hired Sepúlveda to carry out a smear campaign against President Juan Manuel Santos during the 2014 presidential campaign. The hacker told authorities that former President Álvaro Uribe was aware of his operations, and that Zuluaga paid him to undermine the peace process.

Sepúlveda has accepted the prosecution's offer of a reduced penalty in exchange for his cooperation. He cut a deal with the prosecutors in February that limited his prison term to 10 years in exchange for providing information that could help Colombian authorities.

Bulgarian hacker who hacked Bill Gates' account undergoes legal proceedings

A Bulgarian man, who was arrested during a sting operation in Quezon City for withdrawing money with fake ATM cards, including from the account of Microsoft co-founder Bill Gates, faced legal proceedings on Friday, authorities said.

The sting operation was jointly launched by the Presidential Anti-Organized Crime Commission (PAOCC) and the PNP Criminal Investigation and Detection Group's (CIDG) Anti-Fraud.

While addressing the media on Friday, Police Supt. Milo Bella Pagtalunan, chief of the CIDG Anti-Fraud and Commercial Crime Unit (CCU), said Konstantin Simeonov Kavrakov, who was arrested on Thursday while he was withdrawing money using different fake bank cards at the ATM booth of the PS Bank branch along Quezon Avenue, was charged with violating the Access Device Regulations Act (ADRA) for using and producing fake access devices.

Kavrakov was arrested in Paraguay back in 2011 for hacking bank accounts and commercial fraud, he added.

According to the PAOCC, they are investigating how Kavrakov was released in Paraguay. They are also checking the date he landed in the Philippines.

According to the executive director of the PAOCC, Reginald Villasanta, seven assorted credit cards, including a Citi Visa, Standard Chartered MasterCard, Citibank MasterCard, Citi MasterCard, Citibank Visa, East-West Bank Visa and a blank Gold card, as well as nine ATM receipts, a mobile phone, and a bag containing cash amounting to P76,570, have been recovered. Kavrakov is currently detained at the office of the CIDG's Anti-Fraud and the CCU.