Search This Blog

Showing posts with label Cyber Security. Show all posts

More Than 22 Billion Records Revealed in Data Leaks in 2020

 

A new record has been set with regards to the data breach, ‘more than 22 billion records were revealed globally amid 730 publicly leaked data violations in 2020’, as stated in a report published on Friday. A major chunk of data breaches was linked to ransomware attacks which are nearly thirty-five percent.

Cyber exposure company Tenable’s Security Response Team (SRT) analyzed that 14 percent of data leaks were the outcome of email compromises in the period of January 2020 to October 2020. The main tactics used by threat actors was the dependency on unpatched susceptibilities in their strikes, meanwhile, encompassing multiple other vulnerabilities. 

While giving insights, Satnam Narang, a Staff Research Engineer at Tenable stated “every day, cybersecurity professionals in India and the rest of the world are faced with new challenges and vulnerabilities that can put their organizations at risk. The 18,358 vulnerabilities disclosed in 2020 alone reflects a new normal and a clear sign that the job of a cyber defender is only getting more difficult as they navigate the ever-expanding attack surface”. 

The growth rate of common vulnerabilities and exposures (CVEs) increased at an average of 36.6 percent from 2015 to 2020. In 2020 it shot up to 183 percent as compared to 2015; 18,358 CVES were reported in 2020 as compared to 6,487 in 2015. 

“Pre-existing vulnerabilities in virtual private network (VPN) solutions - many of which were initially disclosed in 2019 or earlier – continue to remain a favorite target for cybercriminals,” Narang told. 

Search engines such as Mozilla Firefox, Google Chrome, Microsoft Edge, and Internet Explorer resulted in 35 percent of all zero-day susceptibilities abused in wild by the threat actors. 

“In 2021, we must have the tools, awareness, and intelligence to effectively reduce and eliminate blind spots” Narang concluded. 

Security System Enhanced by Google and Mozilla

 

The development teams of Google and Mozilla shared their progression regarding the minimization of classic web security attack vectors such as cross-site request forgery (CSRF) and cross-site scripting (XSS). The latest browser security features present assurance of destroying or at least bringing down the classic web security attack vectors. 

Google elaborated in a blog post last year on how to strengthen its security mechanism and safeguard its applications from usual web susceptibilities and the features safeguarding its applications are Content Security Policy and Trusted Types - depends on script nonces, Cross-Origin Opener Policy and Fetch Metadata Request Headers. 

These security mechanisms safeguard the application from injected strikes and enhance isolation capacities. Google stated that even if the small segment of the malicious script is inserted by an attacker, “the browser will refuse to execute any injected script which doesn’t identify itself with the current nonce” and this eases down the impact of any server-side inserted susceptibilities containing reflected XSS and reflected XSS. 

The Content Security Policy (CSP) was refined by the enforcement of these developments by Google and the tech giant stated that “CSP has mitigated the exploitation of over 30 high-risk XSS flaws across Google in the past two years. Nonce-based CSP is supported in chrome, Firefox, Microsoft Edge, and other Chromium-based browsers. Partial support for this variant of CSP is also available in Safari”.

Meanwhile, Mozilla spokesperson stated to The Daily Swig that Mozilla’s security was boosted due to the injection of Project Fission last year and the Firefox security team has played a massive role in making the internet more secure for all users. He added that the primary aim for this team has been Project Fission and Mozilla’s enforcement of Site Isolation in Firefox; currently. the Project Fission can be tried out in the Nightly version of the search engine.

Project Fission along with Embedded Policy and Cross-Origin Opener is the component of Mozilla’s mitigations against Spectre-style strikes. The search engines must add the security mitigations that support today’s browsing experience. 

Santiago Diaz, who is working as an information security manager at Google stated that on the inserted side Trusted Types and CSP3 are “battle-tested mitigations that make the vast majority of DOM-based XSS unexploitable when used correctly”.

Interview with Waylay: Power of Automation to Everyone?

 

On 8th January, E-Hacking News conducted an interesting interview with Waylay. The guest speaker for the interview was Mr. Veselin Pizurica, CTO & Co-Founder, Waylay. The company helps to connect IoT solutions to IT systems, empowering them to build new applications faster and better than ever before.

Q1. Can you please tell us about “Waylay” as a company? 
Waylay is a technology company that builds automation software for the Internet of Things. Our platform is used by enterprises to develop new digital solutions with IoT, IT, and OT data in the most flexible way. We have about fifty enterprise customers from Australia, Japan, Europe to the US. We are expanding to the US with a physical presence because we’ll like to get better support for our US customers. Today we are more focused on OEM technology meaning we work as an invisible layer, where other companies can buy our software that integrates our automation technology with their solutions. 

Q2. In what industries Waylay is useful for? What type of customers may be interested? 
In the context of IoT, one has two approaches – either go for a vertical approach or being a platform-neutral player where other customers create their own solutions based on automation technology. In this regard, we are the latter case. Our customers are either in the smart buildings or HVAC connected appliances or even B2C. Our technology is used mostly in manufacturing spaces, smart buildings as well as HVAC. The reason for customers being interested in Waylay is because we are a cloud-capable platform as well. We have built a unique set of interfaces that work on top of all other cloud technology in a way that the bigger automation players can replicate the same use case in different clouds. 

Q3. Do you integrate with the existing HVAC system? What if an end customer wants to integrate into your dashboard, how do they do it? Do they need to put a specific IoT controller for this? 
What we have done is to create a kind of convergence layer that integrates to other IoT clouds or IoT systems in such a way that we put in just data for a variety of different systems. In other words, we are just saying we’ll create a bridge layer that can integrate with our system. Secondly, many of these HVACs are not connected and they will never be connected. Our technology offers the opportunity to integrate with other IoT systems. We are not enforcing our connectivity on our customers; we are rather saying whatever we have already we’ll create a layer that will enable us to get data in our systems 

Q4. Do you directly work with OEM (Original Equipment Manufacturer)? If so, do you have a development kit for OEM? What are the types of OEM you work with? 
We do actually. If you have the HVAC suppliers/manufacturers they, face a couple of different problems and none of them are actually trivial. So, basically what we offer is a sort of total automation that enables experts from both sides of the story (machine learning builders and machine learning experts) to bring them on one platform to be able to do total automation. The next thing you could do is offer new services; people are actually renting machines as a service rather than actually selling them. For instance, if you like to rent a machine as a service then your absolute interest is that the machine operates with optimum settings. 

Q5. IoT awareness is so low in many countries, will Waylay contribute positively to increase awareness in the IoT space? 
There are various angles to answer this question. First, IoT is something that people have been talking about for a long time. In a B2C context, if you buy any device, one or the other way, it is connected, it’s just that people are not aware of that. In smart home automation, it is already happening. In industries, things are much more complicated as there is a lot of different technology. Now, awareness also depends on the countries, some people are more eager to try things than others. In industries, the very first problem is connectivity, it not only depends on the use case vertical but also on the country. The thing with IoT is, it’s already happening but not at the same pace (compared to other technologies). What makes our company very confident is eventually, everything will be connected, it’s just that the pace of adoption in some countries is slower than others. 

Q.6 Your blog talked about “Waylay’s Digital Twin Revolutionizes Provisioning in Industrial IoT.” Please tell us more about it. 
When we talk about Digital Twins, we are talking about the digital representations of the objects. It can mean different things to different people. “In an ideal world, all equipment would be connected. In reality, millions of legacy machines are locked out of Industry 4.0 solutions because of the prohibitive cost of retro-fitting them.” 

Q.7 How has Waylay helped to bring a change in Digital Industry? 
Our goal is to bring the power of automation to everyone. Waylay believes that automation liberates human intelligence, cuts down costs, and increases value creation.

Hacking Group Earth Wendigo Exploits Emails via Spear-phishing Attacks


As per the cybersecurity experts, the cyberattacks are related to Earth Wendigo, a cyber criminal currently not linked to any of the hacking groups. At the start of May 2019, Trend Micro reported that multiple organizations were attacked by Earth Wendigo. The targets include research institutions, government organizations and universities. The cyberattack used spear-phishing mails to exploit its victims, which include activists and politicians based in Hong Kong, Tibet and Uyghur region. 

Trend Micro reports, "we discovered a new campaign that has been targeting several organizations — including government organizations, research institutions and universities in Taiwan — since May 2019, aiming to exfiltrate emails from targeted organizations via the injection of JavaScript backdoors to a webmail system that is widely-used in Taiwan. With no clear connection to any previous attack group, we gave this new threat actor the name “Earth Wendigo.” 

Earth Wendigo deployed spear-phishing emails that contained obfuscate Java script code, using initial attack vectors, Java script loaded corrupted scripts from remote servers controlled by attackers. The scripts were built for stealing Webmail session keys and browser cookies, spread the malicious scripts through appending code with the target's email signature, and exploiting an XSS (cross-site scripting) vulnerability in the Javascript injection Webmail server. "The Earth Wendigo threat actor will establish a WebSocket connection between the victims and their WebSocket server via a JavaScript backdoor. The WebSocket server instructs the backdoor on the victim’s browser to read emails from the webmail server and then send the content and attachments of the emails back to the WebSocket servers," says Trend Micro. 

The XSS vulnerability exploit exists in system shortcut feature of webmail, which allows the threat actor to put craft payload shortcut that replaces webmail system page's parts by corrupted JavaScript codes. "Additional investigation shows that the threat actor also sent spear-phishing emails embedded with malicious links to multiple individuals, including politicians and activists, who support movements in Tibet, the Uyghur region, or Hong Kong. However, this is a separate series of attacks from their operation in Taiwan, which this report covers," reports Trend Micro.

Mozilla Firefox Disabling Backspace Key to Prevent Data Loss

Mozilla Firefox is about to disable the browser's backspace key to help users avoid data loss. 

In 2014, Google Chrome and Microsoft Edge have already removed the ability to go back to a previous page by using the backspace key as there were possibilities of losing data entered into forms on the current page. Those who are using Google Chrome have to download an extension to use this again, whereas Microsoft Edge had offered a flag for its users to re-active it. In the same way, Mozilla Firefox is also offering its users the option to re-activate the backspace key if they wish to do so. 

"Would be useful to determine how commonly backspace is used as a "back" action shortcut, so we can figure out if we need to tweak the UX somehow to avoid accidental loss of form data due to mistyping the backspace key," Google Chrome developers stated in a 2014 bug post. 

According to the sources, seven years ago, Mozilla Firefox had set up the committee and reviewed the bug post: whether the backspace key should be disabled or not. Finally, the committee had decided not to change anything at that time. Around six years later, Mozilla finally came to the point where it has decided to remove the backspace key after realizing that except for Mozilla and Internet Explorer 11, no browsers support this keyboard shortcut. 

"To prevent user data loss when filling out forms, the Backspace key as a navigation shortcut for "Go back one page" is now disabled. To re-enable the Backspace keyboard shortcut, you can change the about: config preference browser.backspace_action to 0. You can also use the recommended Alt + Left arrow (Command + Left arrow on Mac) shortcut instead," Firefox Release Manager Pascal Chevrel added to the Firefox Nightly 86.0a1 release notes. 

According to TechDows, the first who reported about this change which is now available live on the Firefox browser for users to test and know. 
Further information is for those users who want to continue using the backspace key, you will be able to re-enable this key just follow these steps: 

1. Enter about: config in the Firefox address bar. 
2. Search for browser.backspace_action and change its value to '0'. 

Once the setting is configured, you will be able to use the backspace key to go back to the previous page in Mozilla Firefox.

NSA Issues Guidelines for Eliminating Obsolete TLS Protocols

 

The National Security Agency is a US-based agency on which America highly relies on to collect and process foreign signals, understand them and share them with US Officials, and to take any action against dubious acts. These signals are not comprehensible by common men instead a team of mathematicians, technical experts, or analysts is required to decode the encrypted signals to comprehensible format. 

The NSA has distinctly recommended replacing antiquated protocols configuration of TLS (Transport Layer Security). This has been done because of the obsolete protocols that were harming the sensitive information of those using it. With time new deleterious dimensions of the TLS authentication and configuration have been discovered by the NSA. Such flaws are not acceptable as they breach the wall of privacy between the client and the server by incapacitating the encrypted data that is easily accessible by the hackers. 

The exchange of communication between the server and the client is sensitive information and valuable data that needs protection and for this purpose, strong protection channels and electronic systems like TLS and Secure Sockets Layer (SSL) were developed. 

Considering TLS, it’s a protocol to secure communication between the client and the server. It uses encrypted signals and authentication to protect the information. Nevertheless recently some new attacks against TLS and its authentication have been discovered. Network connections employing obsolete protocols are at an elevated risk of exploitation by the opponents. For the aforementioned sitch, the NSA has issued strict guidelines that need to be enforced as soon as possible. They claimed that the obsolete and incapacitated TLS protocol implementation was being observed recently, which is a threat to the country’s intelligence. Furthermore, they stated, “nation-state of sufficiently resourced actors are able to exploit these weak communications”. 

As a solution, the NSA recommended that only TLS 1.2 and TLS 1.3 should be used and that SSL 2.O , SSL 3.0 , TLS 1.0, and YLS 1.1 should not be used. They said that all the TLS implementations should be up to date and configuration should be in accordance with the CNSS and NIST guidelines. 

NSA urged the public to follow the guidelines and implement the new TLS protocol as they are familiar with the dangerous consequences of using obsolete encryptions which includes delivering a false feeling of security because of a distorted sense of trust we have in the functioning of the system. However, updating the TLS protocols and configuration will be in our best interests as it will now provide stronger encryption and authentication. 

US Intelligence Task Force Accuses Russia Of Cyber Attack

 

Previously, US President Donald Trump had accused China of malicious security incidents; security experts and officials have suspected China to be involved in the recent cyberattacks on the US government and several other organizations in the nation but now other members of his administration are pointing out the finger at Moscow. 

In a joint statement on 5 January, the intelligence bodies said, "the attack believed to be an 'intelligence gathering' attempt, rather than cyber warfare, as touted by multiple lawmakers including President Donald Trump. Currently, it is also being observed that cyber-attack which attempted to sabotage online privacy and information has affected fewer than ten US government agencies along with several other organizations outside government”. 

 A collective report of government organizations, the UGC, also called Cyber Unified Coordination Group which has been set up to deal with the recent attack, stated that the Advance Persistence Threat (APT) actor which is responsible for the cyberattack was “likely Russian in origin”. It also said other government organizations that are collaborating for the collective report, are the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the Office of the Director of National Intelligence (ODNI), and the National Security. 

The intelligence stated that the research regarding this is still going on to understand the scope of the data compromised during cyber attacks. According to the committee, the hacking attempts were initially made in March 2019 when the updated version of the IT network management tool called Orion was compromised. 
The report says those thousands of people who had installed this hacked tool across American territory, many of whom worked in important US federal agencies. Besides non-government organizations, a major part of the US government was compromised during the recent cyber attacks such as the Treasury and Department of Commerce, and the National Telecommunications and Information Administration.

"This is a serious compromise that will require a sustained and dedicated effort to remediate. Many organizations have to scour their systems for signs that they may have been compromised. The incident sent shockwaves across the US partly because the breach was undiscovered for many months and was potentially far-reaching in terms of who it might have affected. It also suggested a degree of sophistication and stealth which was widely seen as a trademark of hackers from the SVR", Russia's foreign intelligence agency, the Intelligence committee said in a statement.

India the Internet Blackout Capital of the World

 

Cutting off the internet and its services has become a trend in a country like India. The government claims that these cut-offs are done to be on the safer side so as to cease the riots and protests that can take place through any sort of wrongful communication done via internet services. The internet is essentially shut down to prevent the smooth flow of information that in turn limits the communication within the communities. 

In the year 2019, almost 35 countries reported a huge cut-off on the internet, and in the year 2020, the number was 21. The aforementioned information was provided by the team of the Digital Rights Groups Access.  

This year, India topped the list of the 21 South Asian countries that went through internet shut down in the year 2020 which restrained the web access for its citizens. The massive shutdown of the internet cost India a loss of $ 2.8 billion. With this India contributes to about three–quarters of the sum of $ 4 billion lost worldwide. Whereas in the year 2019 the same internet shutdowns cost India a loss of $ 1.3 billion with almost 4,196 hours of cut-off time, that is almost half a year. The total hours that India saw as cut off was 8,927 hours, approximately 372 days. 

Internet blackouts are very specific and are goal-oriented and always target a particular community or are in respect of any incident. Initially, the government used to shut down the internet for the whole nation but now it focuses on a particular region where such things have become essential according to them. There is no limit on such internet shutdowns and can happen ‘n’ number of times. As in the year 2019, India faced several internet blackouts in various parts of the country almost 106 times and in the year 2020, the counting stopped on 83.

The duration of these blackouts is uncertain and can last from a few days to several months. The aforementioned situation was witnessed in an Indian state, Jammu, and Kashmir. In the year 2019, the state saw an internet blackout that started on 5th August 2019 and lasted till 15th August 2020. The government claimed to execute this blackout to cease the ingrowing riots and protests that were in reaction to the revocation of Article 370. 

Though the Indian Constitution provides freedom of expression through the internet under article 19(1)(a), still there are situations where people are still unaware of these facts and must face blackouts under the name of safety and security of the citizens. 

 Whereas the main aim behind such blackouts is to hide incidents from the citizens that need prior public attention to stay aware of what is happening.

Top VPN Provider Zyxel Hacked, Here's a Quick Look into the Security Incident

 

Technology and networking have turned out to be the need of the hour and we must also be equally qualified to operate networking devices. One such innovation-oriented and customer-focused company is Zyxel. The network equipment company offers routers, gateways, security solutions along with several other services to make communication simpler and uninterrupted. One of the company's main services also includes providing VPN services to its patrons. Recently, the aforesaid communications corp. became a swift target for hackers because of undetected flaws in the networking devices and their VPN. 

Headquartered in Hsinchu, Taiwan Zyxel is a networking hardware company, focused on providing devices with eHome Shield that is geared up by F-Secure to give lasting protection against cybercriminals worldwide and other potential threats as well. It's a wide known fact how hackers employ specialized programming to easily break through the firewall of networking devices and access the other smart home gadgets and devices running on the compromised connection – for instance, Smart TVs, Mobile Phones, Laptops, etc. 

A while ago, an association of some cybersecurity researchers of a Dutch firm named 'Eye Control' discovered a prospective damaging the security of the system and a popular VPN solution and networking agency, Zyxel, making it more vulnerable. 

Although Zyxel has produced and transported some hundred thousand highly encrypted devices with zero percent of compromising security still it malfunctioned. This vulnerability was later confirmed by the firm itself. 

Now the question that arises is what happened and how did the hackers manage to enter the encrypted system of such a big firm with ease? 

According to the cybersecurity researchers, the backdoor account of Zyxel devices and VPN uses a username and password that were completely visible in the plain text within the Zyxel system binaries, that were running firmware version 4.60, patch 0. These credentials allowed hackers to completely access the confidential information of the users of Zyxel devices. 

After further investigation, the team of researchers concluded that the hundred thousand devices that were affected by the vulnerability were because of the latest version of the firmware update 4.60, patch 0. The Zyxel devices affected by the vulnerability included the Advanced Threat Protection series of devices, the company’s NCX series of devices, its VPN of Gateways, and a few more. 

The company has already issued new patches for the Advanced Threat Protection series (ATP), Unified Security Gateway (USG), USG Flex, and VPN series. Alongside, it has also affirmed that it would release another patch for the remaining compromised devices like the WLAN access point controller, NCX series, etc., and will launch its new update around April for better fixation of devices and safety. Till then it has requested its consumers to download the available new patches with the latest updates for the devices to ensure their safety. 

Ticketmaster Fined $10 Million by Department of Justice for Unlawful Business

Ticketmaster had to pay €7.3 Million ($10M) fine compensation for intervening in a rival company's computer systems, says the US Department of Justice. Ticketmaster agreed to pay a fine amount after it faced allegations by the US DoJ that the company gained unlawful access into rival company's systems to obtain information about its business. According to DoJ, the US ticket sales and distribution company illegally used retained passwords of a former employee of a rival company to access their computer systems. Ticketmaster had done this as a scheme to wipe out the competitor's business. Responding to the action, Ticketmaster has said that it feels good now that the issue is resolved.


The DoJ in the released statement said that the unlawful activity happened in 2017. The scheme involved 2 company employees, both now dismissed. According to Ticketmaster, the employees' actions violated their company policies and conflicted with their organizational values. Federal officers alleged Ticketmaster of computer intrusion, wire fraud, and other illegal activities dating back to 2013. The federals have agreed to remove charges in 3 years if the company doesn't make any trouble as per the federal prosecution deal. The inquiry emphasized the company's (Ticketmaster) attempts to obtain information, specifically related to concert pre-sale tickets, says the court statements. 

The rival is a UK based company with headquarters in Brooklyn, New York, but the information in legal documents suggest it was Songkick. Songkick holds expertise in offerings performance artists digital widgets called "artist's toolbox," which allowed Songkick to pre-sell tickets to their events on its online websites separately from ticket blocks which were available to Ticketmaster, a company owned by Live Nation Entertainment Inc. 

Live Nation and Ticketmaster unlawfully took a former worker rival company to get details about its business operations, client details, and marketing plans. The employee gave Ticketmaster the login credentials of his former company, which Ticketmaster used several times to gain access to computer systems and get information about Songkick's pricing to develop their own competing platform. 

Bloomberg reports, "songkick sued Live Nation and Ticketmaster in Los Angeles federal court and reached a $110 million settlement in 2018 that included the sale of its ticketing assets to Live Nation. Other Songkick assets had been sold earlier to Warner Music Group."

6.15 Lakh Facebook Users' Account Compromised by Facebook Ad Phishing Campaign

 



A large scale ad phishing campaign that has compromised more than 6.15 lakh Facebook users' account was exposed by cybersecurity researchers. This ad phishing campaign is spread in at least 50 countries and reportedly the accounts are being compromised by exploiting the pages of open source repository GitHub. 
 
ThreatNix which is a Nepal-based security firm, while giving insights into the attack, said that the number of affected users is rapidly increasing, at an unusual pace of over 100 entries per minute and the situation is expected to worsen furthermore if necessary steps are not taken in due time.  
 
The researchers noted, "the phishing campaign by a sponsored Facebook post that was offering 3GB mobile data from Nepal Telecom and was redirecting to a phishing site hosted on GitHub page; the attackers created different pages imitating the legit pages from numerous entities. The attackers were using the profile picture and name of Nepal Telecom". 
 
Additionally, the cybersecurity firm claimed in a statement this week, “similar Facebook posts were used to target the Facebook users from Pakistan, Tunisia, Norway, Malaysia, Philippines, and Norway”. As per the findings of the firm, this ad phishing campaign is using localized Facebook posts and sending links inside these Facebook posts which redirected to a static GitHub page website that contained a login panel for Facebook. 
 
The cybersecurity researchers also noted that “after redirecting to a static GitHub page it forwarded the phished credentials to two endpoints one to a Firestore database and another to a domain which was owned by the phishing group”. The researchers also unearthed that nearly 500 GitHub repositories containing phishing pages are part of the identical phishing campaign. 
 
According to cybersecurity firm ThreatNix, they are working in unison with other authorities to “bring down the phishing infrastructure by reserving the information related to the domain”. The attackers were using Bitly link’s which pointed towards a benign page and when the Facebook ad was approved it was getting converted to point to the phishing domain, they used Bitly’s link because now Facebook takes all necessary steps to ensure that such phishing pages are not approved for ads.

2010-2020 Decade Roundup: 10 Most Frequently Occurred Security Vulnerabilities

 


A decade has come to an end but the security vulnerabilities of this decade in the IT sectors cannot be forgotten. In this article, we will be learning about the 10 most frequently occurred cyber vulnerabilities, which allowed threat actors to breach applications, steal user credentials, and tried to hurt millions at once. 

Understandably, this list will not be enough to enlist all vulnerabilities that strangled the IT world in the entire decade. Hence, in this article, we will be focusing on the vulnerabilities that had affected Unix, Linux, macOS, servers, and cloud computing. 

1. BlueBorne: This security attack occurred via a Bluetooth implementation in Android, iOS, Linux, and Windows. Reports showed that the blueBorne bug had affected over 8.2 billion devices worldwide. It was on 12 September 2017 when the vulnerabilities were reported by Armis, an IoT security firm, for the first time. This bug of affecting many electronic devices such as smartphones, laptops, smart cars, and wearable gadgets. 

2. Badlock: It was on 12 April 2016 when it has been discovered that a crucial security bug is affecting devices with CVE-2016-2118. The security bug that had been found in Microsoft Windows and Samba was affecting the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols supported by Windows and Samba network. 

3. DirtyCow: It was a very serious computer security vulnerability that was found in the Linux kernel. It had affected all Linux-based running devices, such as Android devices but there was an exception, this bug was only affecting those systems that were using older versions of the Linux kernel created before 2018. This bug is a local privilege escalation that exploits a race hazard in the implementation of the copy-on-write tool in the kernel's memory-management subsystem. It must be noted that those computers and devices that still use the older kernels remain vulnerable. 

4. ForShawod: This decade has crippled Modern Intel/AMD processors with many security bugs. L1 Terminal Fault or Foreshadow affects modern microprocessors. The first version discloses sensitive information from PC and cloud network, whereas, the second version targets –Hypervisors (VMM), Virtual machines (VMs), System Management Mode (SMM) memory, and the Operating systems (OS) kernel memory. 

5. Heartbleed: It was a very dangerous cyber attack in the popular OpenSSL cryptographic software library that allowed stealing sensitive information under normal conditions by SSL/TLS encryption which is used to secure the Internet. SSL/TLS provides services such as communication security and privacy over the internet for applications including email, instant messaging (IM), Web, and some virtual private networks (VPNs). After this vulnerability Google had established ‘Project Zero’, its task is to secure the Web and society. 

6. iSeeYou: It was affecting Apple laptops, hackers were leveraging the vulnerability to exploit remote access and taking photographs of a person. Apple’s laptops involved a variety of operating systems, such as macOS, Linux, and Microsoft Windows. Therefore, litigations against this attack vary depending upon the operating system. In response to the discovery of this attack, the organization released iSightDefender to reduce the attack. 

7. Lazy: This security vulnerability affects Intel CPUs. The malicious actor uses this vulnerability to leak the FPU registers’ content which belongs to another process. This vulnerability is associated with Spectre and Meltdown vulnerabilities. Patches such as OpenBSD, Linux, Xen, and others have been released to address the vulnerability. 

8. Linux.Encoder: It is also known as ELF/Filecoder.A and Trojan.Linux.Ransom.A. It is the first ransomware Trojan that targets computers, servers, cloud, and devices functioning Linux. Also, there are additional variants of this Trojan that target Unix and Unix-like systems. 

9. POODLE: This attack is also known as the man-in-the-middle that exploits Internet and security software clients’ fallback to SSL 3.0. Any software which supports a fallback to SSL 3.0 is affected. To overcome its effects people have to disable SSL 3.0 on the client-side and the network-side. Various platforms such as Microsoft, Google, Apple, OpenSSL, and others have released software patches so they can protect their platforms against the POODLE security attack. 

10. Rootpipe: Rootpipe security vulnerability had been seen in OS X that gives privilege escalation. Exploiting security vulnerabilities on a system allows a hacker to gain superuser (root) access and with other bugs on a Mac, such as an unpatched Apache web browser, hackers can take advantage of root pipe to gain complete command of the running system and Apple computers or Network. According to the researchers in November 2017, a similar attack had been seen in macOS High Sierra which was giving easy access to the hackers into the system without a password and root account.

SolarWind Cyberattack: Microsoft Admits Hackers Could View Its Source Code

While Microsoft is investigating the major SolarWinds cyberattack, according to the company, it found that Microsoft's systems were hacked "beyond just the presence of malicious SolarWinds code." Microsoft believes that the Solorigate incident can be a chance to be together and work towards essential safety steps like sharing information, strengthening security, and countering cyberattacks. As per Microsoft, the attackers could see source codes in multiple source code repositories; however, the hacked account didn't give any permission to change any systems or code. 

Currently, Microsoft hints to “a very sophisticated nation-state actor” as the attacker, cybersecurity experts, and the U.S government has alleged Russia for orchestrating the SolarWinds attack. The cyberattack also revealed a listing of susceptible companies. Besides this, today's announcement of Microsoft shows that experts may find the further impact of the cyberattack in the coming weeks and months. As of now, Microsoft said that meanwhile the hackers managed to intercept deeper than before, the company didn't find any evidence which may suggest "access to production services or customer data,” or "no indications that our systems were used to attack others." 

Besides this, the company said that it holds a common assumption that hackers may be able to intercept its source code and that Microsoft doesn't depend merely on the privacy of source codes to safeguard its products. However, Microsoft didn't disclose how much the hackers were able to view the source code and what the hackers did with it.  In December, Dan Smith, Microsoft President warned that the cyber attack is a "moment of reckoning" and alarmed about its threat. He termed it as unusual espionage, not attacking any particular targets, but disrupting critical infrastructure trust and reliability to progress a country's intelligence organization.  

"The list of vulnerable companies is much smaller than SolarWinds’ overall client list, so simply appearing on the list doesn’t mean a company has been affected. SolarWinds claims that only 33,000 companies use the Orion product, compared to its total client base of 330,000," reports Verge. "As with many companies, we plan our security with an “assume breach” philosophy and layer in defense-in-depth protections and controls to stop attackers sooner when they do gain access," says Microsoft blog.

Declaring War Against Cyber Negligence

Amidst perhaps the most widespread and impactful cyberattack in history, American businesses and government agencies alike must take a drastically different approach to cybersecurity. Unfortunately, many cybersecurity professionals have become complacent and have become far too dependent on a handful of well-marketed tools designed for yesterday’s threats that underperform against modern attacks.

It is far easier for cybersecurity manufacturers to deliver services from their own cloud. It may be less expensive for the vendor but relying on a “trusted 3rd party” for your security is a foundational vulnerability that has been proven to be disastrous for you as a customer.

We are currently in a state of cyber-warfare. Nation-states regularly use their practically limitless resources and technical sophistication to overpower companies and government agencies. Cybersecurity professionals need to shift their focus from “indicators of compromise” to data protection, which will limit how widespread these vicious digital attacks can have an impact.

Most cloud providers claim they alone provide the “best cloud protection” and brag billions spent on beefing up the many layers surrounding their server farms to reassure their clients that “everything will be alright.” But will it?

Vulnerabilities from security vendors will likely continue far into the future. While much of the industry has moved towards promoting “zero-trust” infrastructures, they often forget to remove themselves from the client’s circle of trust. Instead, everyone from individuals to multinationals should take security into their own hands. Firewalls, antivirus, and network monitoring tools indeed still have their place, but a shift must be taken to provide more independence between the owner of data and its protectors.

Active Cypher, a California-based cybersecurity startup led former-Microsoft/Cisco/U.S. intelligence with decades of experience protecting (and at times stealing data), has led the charge against what it calls “cyber-negligence”.

“IT organizations need to stay nimble, test and adopt new approaches quickly, and don’t be afraid to throw out solutions that were simply inherited,” says Active Cypher’s CEO, Mike Quinn.

Active Cypher has pioneered a unique, independent security infrastructure that provides its clients the automated tools, proprietary cryptography, and advanced anti-ransomware sensors to control their data with the utmost precision. Yet unlike the numerous SaaS applications which plague the market and create undue “man-in-the-Middle” vulnerabilities, Active Cypher deploys and operates its software directly within the client’s tenant. Cryptographic keys, the soft underbelly of security, are held not by Active Cypher, who knows well it may be a target of state actors and cybercriminals but by the client alone. Once deployed, the security solution uniquely runs alone without contact with any 3rd party home base.

While the solution Active Cypher provides is certainly not an end-all, it gives a much-needed last line of defence against increasingly menacing (and successful) threats. “We believe cybersecurity is a human right. Something that is sacrosanct and should be upheld with the highest degree. Yet, too many executives still see it as just another budget line within often ballooning IT budgets without considering what kind of impact a security breach will have on their brand, and ultimately their revenue,” explains Mike Quinn.

Based in Newport Beach, California, with partners and operations across the US and in Western Europe, Active Cypher and the rest of its industry saw an uptick in business when Covid-19 forced companies to rapidly extend its security frontier to its employee’s homes.

“It has become increasingly clear that the focus for cybersecurity needs to be on data protection. Once the perimeter is breached, and it will be, there’s nothing to stop them. We’ve built great systems to observe and record cyber theft in action but little to defend the data inside.” says Devin Jones, Active Cypher’s new Chief Product Officer and a veteran of both Cisco, Juniper Networks, and a variety of cyber-startups.

Active Cypher uncovered that many major companies had regulated the management of vital security infrastructures to the “back-office” of IT but often hadn’t evolved and updated systems, like the prolific Active Directory in years. The result was growing technical messes that left gaping holes in security. Active Cypher also encountered a level of defeatism; one company declined to expand and solidify its cybersecurity posture, choosing instead to continue to pay ransomware demands at the cost of an astounding $1million per month. In this firm’s view, it was easier to keep paying and therefore avoid the risk of negative press surrounding disclosures of data breaches.

“But thankfully, not all companies have been so lethargic. We are thrilled to be working with a variety of innovating clients ranging from state agencies, healthcare providers, and sports teams who understand that the success of their future protection should be in their own hands. Active Cypher provides them with the tools to own their own destiny,” says Devin Jones.

As IT organizations across the nation take time over the next few weeks to uncover the extent of their firm’s exposure to recent and still unfolding cyberattacks, one only hopes they seek to not simply install a short-lived patch but take a leap towards the zero-trust, zero-vendor contact future; only then can cyber-negligence be finally tackled.

URL Spoofing: Interview With Bug Bounty Hunter Narendra Bhati


On 24th December, E-Hacking News conducted an interesting interview with Mr. Narendra Bhati, a Bug Bounty Hunter/Ethical Hacker. He was recently awarded a total of $20,500 by Apple Security. Narendra also discovered an Address Bar Spoofing Vulnerability in multiple browsers.
 
Q.1 Can you please start by introducing yourself to our readers? 
My name is Narendra Bhati, I’m a Bug Bounty Hunter and Ethical Hacker. I belong to a small town called Sheoganj in Rajasthan. Currently, I’m working as a lead Pentester in Suma Soft Private Limited for the last 7 years. 

Q.2 How do organizations react when you find a bug and go to them? 
Especially Google, Apple, and Hacker One, I believe that the response time has been better than the last time. Nowadays, everyone is working from their home and they can look into the issues quickly as they do not have to go to the office, which saves time. 

Q.3 On your blog Web Security Geeks, you posted about a banking vulnerability, how did you deal with it. Did you try contacting RBI? 
Last year, I had a few bank accounts and I tested these banking apps and found that these applications were vulnerable to very basic hacking attacks. I tried to contact the bank but as these banks do not have any bug bounty program for security, I contacted their customer support service and after 2-3 months, still, no response came. The customer service couldn’t understand what I was trying to explain. But now, four out of 5 banks have fixed the issue, one still remains. In the case of RBI, I was a bit afraid that if I try contacting RBI, it might come back at me asking why did I attest any application. But in similar cases, I’ve found the same issues with the mutual funds’ apps. 

Q.4 Did these banks respond to you or just silently fixed these issues? 
I sent an email to these banks and tried to contact the higher authority via LinkedIn. I found some senior security team and contacted them. Luckily, they were able to understand me and fix the issue within seven days. So basically, it took around 6 months to close the issue. 

Q.5 Many Indian organizations are not ready for opening the Bug Bounty Program. Why do you think it’s not happening here? 
I spent around 2-3 months and found 30+ bugs. I think why the hunters are not interested in the Indian Bug Bounty Program and why it’s not doing good is because the amount of work that hunters invest in finding a bug is not equal to what they are paid. For example, in a typical scenario, an International Bounty program has a price range of $500-800, whereas in India they offer only $80-100. So, the hunters think “why should I focus on the Indian bug bounty program when they offer such low reward” and the same works for me also. 

Q.6 Please tell us more about the URL Spoofing Vulnerability in the web browser and how does it work? 
The basic idea of URL spoofing is user trust. In URL spoofing, what an attacker can do is, whenever you click a URL, you’ll see that the URL belongs to Google.com but the content is shown from the attacker’s domain, so the attacker can show any desired content using the trusted domain. 
The same problem occurred with the Jio platform; the content was being shown from the attacker’s domain. Meanwhile, the user could attest to this data thinking the content shown from Jio is real but the attacker could violate this or do a phishing attack. I think the URL spoofing impacts banking websites the most, the attacker can use any trusted banking domain in India to create a fake page and the victim will most likely attest to that. 

Q.7 What made you interested in Bug Bounty? 
It all began when I was in 8th class and my father bought a computer worth INR 18,000 which was a lot back then. Also, my cousin Karan Gehlot influenced me a lot and brought my interest in computers. After doing my BCA from a local college, I went to Ahmedabad for an Animations course and enrolled myself. The course was to start after 10 days, and in that time, I came across a cybersecurity workshop ad on Facebook. I struggled a lot with stammering and lacked self-confidence but somehow, I went to that workshop. On the 2nd day, I talked with the organizers of the workshop and asked them that “I want to do a job and get in cybersecurity.” So, I started my journey with that organization as a Head Trainer of the Ethical Hacking course and I was also learning side-by-side, I worked for two years there, and in 2014, I joined Suma Soft. 

Q.8 When you found the vulnerability in Jio Browser, did the company respond? 
I contacted Jio via Twitter and they responded immediately, I shared all the information with them but after 2-3 mails, they stopped responding to me, I don’t know why. Recently, they renamed the browser to ‘Jio Smart Pages’ from Jio Browser and fixed the issue, but they didn’t reply to me back. 

Q.9 Is that the common thing, that the companies don’t respond to but silently fix? If so, why do you think it happens? 
That’s what I’m talking about, the Indian programs, they don’t respond. They’ll sweet talk to you in the beginning but once they receive the required information, you cease to exist for them. The companies have a brand image in the market, and if they disclose any information regarding any issue, it may affect their brand value. 

Q.10 Any advice to our readers on Cybersecurity? 
I give the same advice to all my connections/friends and I’ll give the same to you, don’t stop learning. Whenever you do a Bug Bounty Program, just stick to that, don’t change your timeline, spend a good amount of time in research and you’ll surely have good results.

'Ransomware Task Force': Microsoft, McAfee and Rapid7 Coalition

 

19 tech companies, cybersecurity firms, and non-profits have collaborated with the Institute for Security and Technology (IST) to form a new group called "The Ransomware Task Force" (RTF) to tackle the increasingly destructive and prevalent threat of ransomware. The joint venture includes big names such as Microsoft, McAfee, Rapid7, Cybereason along with other cyber advocacy groups, threat intelligence, think tanks, and research groups – The Global Cyber Alliance, The Cyber Threat Alliance, and The CyberPeace Institution, to name a few. 
 
The primary focus of The Ransomware Task Force will be to provide security against Ransomware attacks by engaging various stakeholders in assessing technical solutions and identifying loopholes in already existing solutions. The idea is to work collectively on building a roadmap to address the scope of the threat based on an 'industry consensus' instead of relying upon individual suggestions.  
 
The founding members came together to combat a form of cybercrime that they believe is expansive in its scope and has led to violent consequences that go beyond economic ruination. Actively addressing the threat of ransomware while providing clear guidance will effectively diminish the varying levels of the ransomware kill chain. Other founding partners include Aspen Digital, Citrix, Resilience, SecurityScorecard, The Cybersecurity Coalition, Stratigos Security, Team Cymru, Third Way, UT Austin Stauss Center, Shadowserver Foundation. The website for The Ransomware Task Force inclusive of full membership and leadership roles will be rolled out in January 2021.  
 
While giving insights, the Institute for Security and Technology, one of the founding members, said, “The RTF’s founding members understand that ransomware is too large of a threat for any one entity to address, and have come together to provide clear recommendations for both public and private action that will significantly reduce the threat posed by this criminal enterprise,”
 
As per Sam Curry, one of the founding members of RTF and Chief Security Officer at Cybereason, "Time and time again, we see ransomware capabilities deployed early in hacking operations but not immediately detonated,"  
 
"In these cases, the ransomware is detonated only after preliminary stages of the attack are finished across all compromised endpoints to achieve maximum impact on the victim. Reducing hackers' attempts to amplify the impact of ransomware attacks will drive down ransomware costs for the victim and decrease the victim's inclination to pay ransom demands."

The Ministry of Internal Affairs of Russia is creating a cyber police

 Deputy Interior Minister Igor Zubov noted that the number of cybercrimes has increased significantly in the context of the coronavirus pandemic

The Ministry of Internal Affairs of Russia organizes cyber police in its structure, the corresponding decision has already been made by the head of the department, Vladimir Kolokoltsev.

"Today we can talk about the phenomenon of influence on the mass consciousness of young people in terms of changing their behavior in a destructive way. Therefore, this part of the work requires very serious attention. We are making serious changes directly in our structures. The Minister of Internal Affairs Kolokoltsev Vladimir made the decision on the creation of cyber police, it is a question not of one day, it will take a lot of time, demands both money, and equipment, and changes of qualification of employees" said he.

Zubov also noted that in the context of the coronavirus pandemic, the overall crime rate in Russia remained the same, but the number of cybercrimes increased significantly.

"For a number of reasons, this is the impact of digitalization of society, and the fact that people, being isolated, have more opportunities to draw on the Internet various knowledge, including criminal plan, and try themselves in this," added he.

Zubov said that once he tried to file a complaint with a district police officer about an Internet crime, but the officer did not understand anything. Accordingly, here we are talking about concentrating all competent people in one place and investigating cybercrime.

At the same time, the ex-adviser to the president doubted that the Ministry of Internal Affairs will be able to provide such specialists with decent wages since professionals in the IT-sphere are highly paid employees.

Earlier this year, it was reported that the investigative Department of the Ministry of Internal Affairs created units to combat IT crimes. This measure has become necessary, as police investigators increasingly have to investigate crimes of this kind.

Massive Cyberattack On US Government Exposes Shortcomings, Russia Named Top Suspect

Not long ago, US agencies had confirmed a massive data breach that compromised their networks. The problem persists, and US federals are still grappling to comprehend the extent of the breach. The data breach is linked to a large-scale hacking campaign that the experts have associated with Russia's operations. "The broad Russian espionage attack on the US government and private companies, underway since spring and detected only a few weeks ago, is among the most significant intelligence failures of modern times," reports The New York Times

As of now, various firms are investigating the issue, and a cybersecurity agency Fireye on Wednesday revealed that the malware has a "killswitch" that allows the software to shutdown. However, even if the malware is deactivated, the infected systems can remain susceptible to hackers' attacks. Besides this, currently, US federal agencies are under a lot of pressure to take strict action against Russia. In reality, the officials are still trying to address the exploited vulnerabilities and officially find the threat actor. 

The attack has exposed the vulnerabilities and shortcomings of the US cyber defenses. The news appears at a delicate time when the Biden administration has just taken over the office. President Joe Biden's administration is currently meeting with various agencies to look for options for dealing with this alarming threat. The Biden staff came to know about the massive intrusion on Monday, says DHS and Infrastructure Security Agency. US cybersecurity experts and officials say that the incident should be a warning to both the US government and private sector organizations because foreign actors will keep charging more damage in the future. 

"House and Senate Intelligence Committee aides received a phone briefing on the hack from administration officials on Wednesday, but the full extent of the breach remains unclear, according to sources familiar with the briefing. The Biden transition team was also briefed on the attack this week, an official from the Department of Homeland Security's cyber arm told CNN. The official declined to provide additional details about what was discussed," reports CNN.

Putin: the US State Department and the US intelligence agencies come up with fake about Russian hackers

According to the Russian President, he is counting on the experience of the President-elect of the United States, which will help solve some problems in relations between the two countries

Vladimir Putin called a provocation the question of the general producer of the RTVI channel Sergey Shnurov, who during a press conference asked why Russian hackers this time did not help Donald Trump become President of the United States and whether Russia is ready to provide asylum to the outgoing American leader.

"This is not a question, but a provocation. Hackers did not help Trump and did not interfere in the American elections. This is all speculation, an excuse to spoil relations between Russia and the United States, an excuse not to recognize the legitimacy of the US president for domestic political reasons," Putin said.

According to the Russian President, relations between Moscow and Washington have become hostages of the internal political situation in the United States: "It is their choice, let them do what they want."

Putin also expressed hope that "the elected President of the United States will understand what is happening." "He is an experienced man. We hope that some problems will be resolved under the new administration," the President said.

It is worth noting that the US authorities previously reported that hackers working for Russia obtained information from the databases of the Department of Homeland Security (DHS) and the US Treasury and Commerce Department.

During a press conference, Russian President Vladimir Putin named the real authors of the fakes about Russian hackers.

According to the President, they are the US State Department and the US intelligence agencies. He also added that it was they who in 2016 made a throw-in about the connections of hackers who hacked the mail of members of the US Democratic Party with Russian military intelligence.

"So they are the authors in fact. In any case, according to their instructions, this was done, it is quite obvious," the head of state said in a live broadcast.

On Thursday, December 17, the head of state held a large press conference. The event included a direct line with the President.

Facebook Shuts Down Fake Accounts Associated With Russia and French Military

Earlier this week, in a press conference, Facebook closed two misinformation networks related to Russia, one of which was associated with the French military. Facebook has accused these accounts of orchestrating interference campaigns in African regions. Two networks using multiple FB accounts were given to users associated with the Russian Internet Research Agency. In contrast, the third account had links to persons related to the French military, says Facebook. 

Facebook has closed all three accounts for violating the policy of foreign or government interference. These networks, according to Facebook, attacked targets in North Africa and Middle East countries. As of now, the French military has offered no comments on Facebook's allegations. The campaigns battled with each other, said Nathaniel Gleicher, Facebook's head of security policy, and David Agranovich, head of global threat disruption in a blog. 

It is the first time that Facebook found two campaigns (from France and Russia) fighting with each other, commenting on each other's accounts, claiming it is fake. These accounts used fake accounts as a central part of their operations to mislead people about who they are and what they are doing, and that was the basis for our action, says Facebook. One sample post read, "The Russian imperialists are a gangrene on Mali!" The French network accounts mainly targeted Mali and the Central African Republic. Other targets include Cote d'Ivoire, Chad, Algeria, Niger, and Burkina Faso. It involved 84 FB accounts, six pages, nine groups, and fourteen Instagram accounts that infringed a policy facing "coordinated inauthentic practice." 

In French and Arabic, some of the posts were about France's Francophone Africa systems, allegations of Russian meddling in CAR elections, supportive comments about the French military, and Russia's criticism. According to Gleicher and Agranovich, "we shared information about our findings with law enforcement and industry partners. We are making progress rooting out this abuse, but as we've said before, it's an ongoing effort, and we're committed to continually improving to stay ahead." As of now, the investigation is ongoing, and no further detail has been offered.