Chinese Network Security Laboratory Offering Bounty for Cyber Attacks



A 24-hour online testbed known as Network Endogens Security Testbed (NEST) is proposed by a Chinese network security laboratory for the purpose of testing the security measures provided by various organizations. It's a globally accessible testbed which would welcome cyber attacks from people and organizations across the world.

As per the Purple Mountain Laboratory for Network Communication and Security, the testbed would accept public tests with a reward money of 1.5 million yuan ($2,18,000).

Authorized users are likely to receive corresponding bounties on the basis of their test outcomes, according to the Nanjing-based laboratory.

Justifying the purpose of the proposal, Wu, the proposer of Cyber Mimic Defence Theory, said that improved "autoimmunity" should be made a priority for the upcoming generation information technology.

Wu Jiangxing, an academician of the Chinese Academy of Engineering, compared the present day network security measures which are patches for the flaws and the antiviruses to taking medicine after catching the disease.

“Whether the network is safe or not, hackers have a say. They are also welcomed to challenge it,” he added.

NEST is designed to subdue security threats that arise due to unknown flaws, vulnerabilities or Trojans, Wu told that NEST could effectively put an end to such network security threats without having to rely upon an external safeguarding measure.




A new type of fraud was discovered in WhatsApp


The Russian edition Cnews reported that ESET experts warned users of WhatsApp messenger about a new type of fraud.

At this time, users began to receive a message with a special offer on the occasion of the tenth anniversary of the messenger. The attackers promise 1 TB of free Internet traffic, moreover, this traffic can be used without Wi-Fi.

Users must follow simple steps to get a huge amount of free traffic: follow a special link, answer a number of questions, and send the same survey to his 30 contacts.

ESET experts believe that the ultimate goal of attackers is to distribute intrusive advertising without the consent of users. It turned out that this scheme really works; users who want to get a gift are playing a game of the scammers.

Analysts of the anti-virus company conducted an investigation, during which they managed to find the site of cybercriminals, which was used for several phishing campaigns. This is a type of fraud aimed at obtaining personal data of users. Fraudsters launched more than 66 phishing services from the same domain. All fake promotions were sent to subscribers under the guise of well-known brands – Adidas, Rolex, etc.

An interesting fact is that the scammers have already used such schemes to deceive WhatsApp users. In early May, it became known that the victims received a letter with an offer to get a premium account in the Spotify service. The attached link led to a phishing site similar to the official music platform portal.

It should be noted that WhatsApp posted on its website a publication in which it announced that WhatsApp will sue the organizers of mass mailings starting from December 7, 2019. Also, WhatsApp prohibits the use of the application for non-personal purposes. The messenger warns that it will collect evidence of illegal activity not only on its own platform. Moreover, in the fight against violators will be used technical means.

Hackers attacked Russian Prime Minister Dmitry Medvedev's Twitter


Source: RT
Unknown hacked the page of Russian Prime Minister Dmitry Medvedev on Twitter. They posted on the Twitter page meaningless letters and words in response to the message of the Iraqi Ambassador in Moscow.

The hacking of the Russian Prime Minister's Twitter page was recorded on 12 June. The Press Service of the Cabinet of Ministers said that currently control over the account is restored.

We are talking about the English version of the account @MedvedevRussiaE. Mysterious messages on Medvedev's Twitter appeared in response to the message of the Ambassador of Iraq in Moscow Haidar Mansur Hadi. He posted few photos from the ceremonial reception of Heads of diplomatic missions in the Kremlin on the occasion of Day of Russia. The answer to him was an incomprehensible phrase written in Latin letters, from which only one word “cucumber” is understandable.

Some users of social networks suggested that in such an unusual way Dmitry Medvedev decided to congratulate the Ambassador on Russia's holiday. However, the second phrase was no less mysterious “Hop cc very very hubby cheers cheers her very vav chi hi”. After this comment, users decided that the English-language Twitter account of the Prime Minister was attacked by hackers. Shortly after publication, both messages were deleted.

Currently, on June 12, the account @MedvedevRussiaE contains congratulation on the Day of Russia.

Earlier, Medvedev's Twitter was hacked in August 2014. Then, in the Twitter account of Dmitry Medvedev, there were ports of his resignation, as well as criticism of colleagues in the Government. The motive for the resignation was based on the fact that the Prime Minister was allegedly ashamed of the Government's actions. In a short time, records on behalf of the Prime Minister scored thousands of retweets, and the Media began to publish screenshots of the hacked page. Subsequently, the Press Service of the Government reported that the account was hacked.

It should be noted that Medvedev started a Twitter account long ago when he was the President of Russia. During a trip to the United States in 2010, Medvedev visited Apple Headquarters and received an iPhone 4 from Steve Jobs as a gift. He also visited Twitter Headquarters, where he created an account and wrote his first tweet. The Russian-language Twitter account of Medvedev has 4.84 million subscribers, the English version has 1.04 million.

Hackers made Bank clients debtors - Large-scale data breach occurred in Russia



On June 8-9, Alfa-Bank was attacked for several hours, as a result of which the stolen funds appeared on the accounts of random customers of the credit institution.

Some clients of the Bank received amounts from 10 to 15 thousand rubles ($ 155-235). Many of them quickly spent this easy money.

However, immediately after the payment, Alfa-Bank clients were charged amounts two to three times more than the fraudsters sent. They formed an overdraft or a short-term loan.

Alfa-Bank solved the problem with hacking within a few hours, and clients of Bank are obliged to return the money that came from hackers in full amount. However, there were no official comments from Alfa-Bank.

Experts said that such a fraud can be done only with access to the Bank's system. Therefore, the security service is looking for fraud among its employees.

It is worth noting that on June 9, the Russian newspaper Kommersant reported the leakage of personal data of 900 thousand clients of Alfa-Bank, OTP Bank and Home Credit Bank in Russia. According to the published material, the names, phone numbers (mobile, home and work), address and place of works, passport data of almost 900 thousand Russians including 55 thousand customers of Alfa-Bank were publicly available on the Internet, as well as balances on the accounts of clients of Alfa-Bank limited to a range of 130-160 thousand rubles.

The company DevicеLock found the leaks. They occurred at the end of May, the data were collected a few years ago, but a significant part of the information is still relevant. Moreover, DeviceLock discovered two customer databases of Alfa-Bank: one contains data on more than 55 thousand customers from 2014-2015, the second contains 504 records from 2018-2019.

An interesting fact is that one of the databases of clients of Alfa-Bank contains data on about 500 employees of the Ministry of Internal Affairs and about 40 people from the FSB (the Federal Security Service).

The Press Service of Alfa Bank said that at the moment they are checking the accuracy and relevance of information.


Gmail's Confidential Mode for G-Suite to be Launched on June 25




In an attempt to mature its email services, Google rolled out a privacy-centric feature called as ‘confidential mode’ which according to the announcements made by the company will be available for all the G suite users in the month of June. Reportedly, in 2018, a beta version of the feature has been launched in the month of August.
The feature is well-built to serve the users and their sensitive information; once available, the mode is configured to “be set to default ON for all domains with Gmail enabled, unless you choose to disable this feature" as per the Google announcements.
With the newly added Confidential Mode turned on, users are aided with inbuilt information rights management controls which allow them to set a specific expiration date for emails that will delete them automatically after the set deadline and they can also, revoke sent emails.
This groundbreaking feature of Gmail will also allow users to send self-destructing emails that will restrict forwarding and block printing to other users. 
As the officials further explained, “Because a sender can require additional authentication via text message to view an email, it’s also possible to protect data even if a recipient’s email account has been hijacked while the message is active."

How to use confidential mode

First of all, ensure that you are using the new version of Gmail which can be activated from the gear icon at the top.
Now open Gmail and click on compose, at the bottom of the mailbox will appear a tiny clock icon, click on that icon to configure the settings of that mail.  
You will have to go through this procedure for each mail you wish to use the feature with as the mode is configured on a per-email basis.



Sberbank lists the major trends in cybercrime

Stanislav Kuznetsov, the Deputy Chairman of Sberbank, said that now there are three main trends in the field of cybercrime. The first trend is DDoS attacks, the number of which continues to increase. The second trend is data leakage. "The whole market is developing in this direction," Kuznetsov added.

According to the representative of Sberbank, the third trend called fraud associated with the methods of social engineering. Kuznetsov explained that criminals often play on the trust of citizens.

"Russia is a unique country, the level of public confidence is very high in everything that is done by state institutions, corporations. This is good, but the scammers use this uniqueness of the Russian population, especially the elderly," says Kuznetsov.

For example, a serious threat is phishing (theft of confidential data through e-mail on behalf of financial and government agencies). According to the Deputy Chairman, about 27-30% of office workers in Russia in different corporations can now safely open such phishing emails. And this is a great indicator.

The representative of Sberbank admitted that he does not see the factors that would help to stop the growth of crimes using the methods of social engineering. According to him, the situation can be changed only with the help of educational activities.

Kuznetsov said that the economic damage caused to the country by hackers in 2018 could reach 1.3 trillion rubles (20 million $). Since the beginning of 2019, Sberbank stopped more than 40 intense DDoS attacks, but the financial structure did not finish its activities for a second.

Thus, cybercriminals often use DDoS attacks, social engineering fraud and data leaks. According to Kuznetsov, information security specialists will try to prevent such violations.

It is important to note that from 2020 the Central Bank may begin to conduct stress tests of credit institutions for resistance to cyber threats.


Canadian Investigation Found Facebook to be Violating Privacy Laws



On Thursday, Canadian officials said that owing to its assailable security algorithms, Facebook exposed sensitive information of millions of its users. It has been counted as a critical failure on the company’s part which it did admit to letting happen but denied to fix.

Facebook has violated local as well as national laws when it gave access to private data of millions of its users to third parties, according to an investigation conducted by the information and privacy commissioner of British Columbia and the privacy commissioner for Canada.

The company CEO, Mark Zuckerberg put forth an apology for the major breach of trust that happened in the political scandal associated with Cambridge Analytica, however, they did not take into consideration the issued recommendations regarding the prevention of further exploitation of user data.

Putting the same into perspective, at a news conference, Daniel Therrien, head at federal privacy watchdog, said, “There’s a significant gap between what they say and what they do,”

As the regulators decided to push Facebook to a Canadian federal court which is likely to impose fines on the company, Mr. Therrien told that, “historically there have been very small penalties — in the tens of thousands of dollars.”

Facebook told the investigators that it does not agree with their findings, in response, Mr. Therrien said, “I find that absolutely untenable that a company can tell a regulator that it does not respect its findings.”

Furthermore, he asserted the need to have more authorities for the inspection of companies and even strict privacy laws in the North American country, Canada.

Reportedly, Facebook has denied audits of its privacy procedures and said that it has taken necessary measures against the problems raised by the investigators.

Referenced from the statements given by Facebook on the account, “there’s no evidence that Canadians’ data was shared with Cambridge Analytica, and we’ve made dramatic improvements to our platform to protect people’s personal information.”

“After many months of good-faith cooperation and lengthy negotiations, we are disappointed” that regulators consider the issues raised in this report unresolved,” the company added.




Hackers stole 150 thousand rubles from the accounts of Belarusian enterprises through the Client Bank

At the beginning of April 2019, the police received a statement from an employee of one of a metropolitan organization, who reported that an unknown person had made unauthorized access to the computer of the organization, which uses the Client Bank software.

As it became known, the hacker not only made unauthorized access to the organization's computer, but also infected it with malware, which allowed him to make illegal payments to a certain account.

It turned out that the scammer had used RTM malware (Redaman) and sent it by e-mail.

During the investigation, it was found that the attacker made three money transfers to the account of another Bank. The amount of damage was about 30 thousand rubles (470 $). The account to which the amounts were transferred was opened in the name of the foreigner.

The investigators found out that the hacker gained access to the Bank account via a USB key, which the chief accountant had left inside the computer after the end of the working day. This allowed remote access to the system and illegally transfer money.

It was established that such a malicious program was sent by e-mail to more than 90 business entities, the total damage amounted to more than 150 thousand rubles (2 350 $).




Facebook 'unintentionally' uploaded the email addresses of 1.5 million users without their knowledge


On Wednesday, Facebook admitted that it happened to upload email addresses of 1.5 million users without their consent. However, the contacts were not distributed to anyone and the company said that all the users whose email addresses were uploaded will be sent a notification stating the same.

While the company is in the process of deleting the imported contacts, it said that it had no intentions of uploading these user contacts and will delete them soon.
In the recent years, Facebook fall prey to various security-related problems, including the major Cambridge Analytica political scandal which revealed that the personal data of millions of users has been harvested from their Facebook profiles by Cambridge Analytica to be used for political purposes; another major hit that the company took was a glitch which put to risk the passwords of millions of people.
Facebook has been battling public relation issues for the management of its users’ personal data which it shared with app developers who paid handsomely for advertisements and those who were friends with the company CEO, Mark Zuckerberg.
This month, sensitive documents dealing with internal deliberations over personal data of users were leaked. The documents, which comprised of presentations, emails, meeting summaries and spreadsheets, were shared by a British journalist to various media outlets, as per by NBC News.
Reportedly, the documents indicated deliberations over the selling of users’ data to third-party app developers and seemingly, Facebook decided against it. However, they opt to share the data with CEO Mark Zuckerberg’s friends who in-turn provided their valuable data or spend a huge amount of money on Facebook advertisements.  
A report indicated that Facebook finalized deals of sharing their user data with developers of Sony, Microsoft, Tinder, and Amazon, whereas access to the same information to others was restricted by Facebook.
Referencing from the statements given by Facebook VP and Deputy General Counsel Paul Grewald, 'The documents were selectively leaked as part of what the court found was evidence of a crime or fraud to publish some, but not all, of the internal discussions at Facebook at the time of our platform changes. But the facts are clear: we've never sold people's data,
'The set of documents, by design, tells only one side of the story and omits important context,' he added.  





Half of the online Banks in Russia does not have enough security

More than half of the Internet applications of Russian Banks were not sufficiently protected. According to the research of Positive Technologies, attackers can view some programs and also edit the information in them.

Cybersecurity Experts analyzed dozens of applications. In their opinion, 61 percent of programs have extremely low or low levels of protection.

It turned out that every second online Bank (54 percent) allows attackers to make fraudulent transactions and theft of money. For example, scammers can spoil the number to which the auto payment is set up or steal the victim's card number.

In addition, according to researchers, almost 80 percent of Banks carry out many operations without additional protection. You can transfer funds or disable the sending of one-time passwords without confirmation by SMS.

Earlier it became known that 85 percent of all ATMs are vulnerable to attacks aimed at stealing money. It turned out that Banks prefer not to update the ATM software, as it requires additional costs.

Information security Experts note that radical measures are needed to correct the situation.

Voice messages of social network Vkontakte were in the open access

Part of the voice messages of users of the Russian popular social network Vkontakte (Vk) was in the open access.

On Monday, users of the social network reported that they can find personal voice messages of other users in the "Documents" section. It was noted that messages could be found on the search request “audiocomment.3gp”.

Representatives of the social network stressed that it is not a vulnerability in the mechanism of the site, as all voice messages in the Vk application protected and only participants can access the correspondence materials.

According to the Vk Press Service, audio records could get into open access if users downloaded them through third-party unofficial applications.

The Vk administration also added that the social network does not use the audio format audiocomment.3g. The company recommended using official Vk applications to avoid such leaks. At the moment, the Vk Team quickly removed from public access about two thousand audio messages.


Lipetsk hacker made transport cards to be unlimited

Since 2017, the citizens of the city of Lipetsk can pay for travel in transport using special electronic travel cards, the balance of which must be regularly replenished.

However, the 22-year-old hacker managed to bypass the system and recorded the transport cards to unlimited.

The young man managed to create a virtual card account, which was recognized by the bus validators and accepted as a real payment. He sold unlimited cards to four residents for a thousand rubles ($ 16) each.

According to owners of unlimited cards, they didn't suspect that the young man carried out illegal manipulations.

The truth came out when one of the buyers appealed to the transport company with complaints about the failure, the validator stopped reading the card. Managers found that the card did not appear in the database, the balance was not replenished for a long time, but at the same time, the owner of the card actively traveled in public transport. After that, the employees of the transport company appealed to the police.

It is worth noting that the transport company lost about 11 thousand rubles.

The criminal case was opened under two articles: fraud and illegal access to computer information.

Kaspersky Lab found a serious vulnerability in Windows

A team of specialists from Kaspersky Lab, an anti-virus company headquartered in Russia, discovered a 0-day vulnerability in Windows systems. Cybercriminals were actively exploiting this security problem in real targeted attacks.

According to Kaspersky Lab experts, they found a previously unknown vulnerability in Windows that was allegedly used to carry out targeted attacks by at least two cyber groups — FruityArmor and the recently discovered SandCat.

Using this vulnerability, an attacker could infiltrate the victim's network or device by attacking Windows 8 and 10. As a result of a successful attack, the cybercriminal got full control over the vulnerable system.

Kaspersky lab promptly notified Microsoft of the problem, which allowed the developers to release a patch that is already available to users.

"The discovery of this exploit shows that such expensive and rare tools are still of great interest to hacker groups. Organizations need to find solutions that can protect against such threats," says Anton Ivanov, Kaspersky Lab anti-virus expert.

The First-Ever Millionaire Hacker on HackerOne




At a tender age of 19, Santiago Lopez is earning a handsome sum of money via bug bounty program HackerOne and discovering security flaws through vulnerability coordination. He is said to be the first one to make more than USD 1 million through the aforementioned channels and he ranks second on HackerOne.
Lopez is self-taught on how to quash layers of security protections as he resorted to tutorial videos and content on the internet for his hacking and information security classes which he started taking in 2015 at the age of 16.
He has worked and reported vulnerabilities for renowned organizations such as Twitter, Automattic, Verizon, HackerOne among others. As of now, he has successfully reported 1676 different vulnerabilities for online assets. Additionally, he has worked for the US government and other private organizations.
It was a year later when he was awarded a $50 pay for a CSRF vulnerability, the inflow of rewards began; the largest bounty being $9,000, which he received for a SSRF.
Santiago invested his initial bug bounty earnings on a brand new PC and as the money multiplied, the young IT enthusiast considered buying cars.
At HackerOne, the goal of their program is to touch the mark of $100 million by the end of 2020 and on the way of realizing this goal, in 2018, the security researchers at HackerOne have made more than $19 million in bounties which is significantly larger than over $24 million paid in the past five years.
It has been reported that the majority of the hackers dedicate around 10 hours per week searching for bugs, while one-fourth of them are found to be working 10-20 hours every week.
Referencing from a survey, the security researchers with extensive experience in the corresponding field forms the smallest percentage, whereas the majority which is 72.3% carries experiences ranging from one to five years.
It is the joys of accumulating money and dealing with challenges which are among the top driving factors for the researchers to submit bugs through HackerOne.





Sberbank created a phishing website for flowers delivery

The biggest Russian bank "Sberbank" created a phishing web site for ordering flower delivery to demonstrate how mobile device infection working when visiting a fake website created by cyber criminals.

Stanislav Kuznetsov, deputy Chairman of the Board of Sberbank, showed how such web sites are working on the conference in Sochi.

According to Stanislav, phishing is one of the most difficult types of fraud.  The fake website exactly copies the website you are used to seeing.  The fake site will claim it will provide free prize and tricks victims into providing the financial information including card number, PIN number.

Sometimes, the website also infects the victims devices with malicious software.  The Bank representative explained that in this way fraudsters have successfully accessed  to data on mobile devices, including personal messages.

Moreover, Stanislav Kuznetsov gave a lecture at the XIX World festival of youth and students, entitled "Cyber security — how to protect yourself in the world of cyber threats". According to him, the loss of the Russian companies and citizens from cyber attacks in two years will grow 4 times and will surpass the 1.5 trillion rubles (26 million $ or 1,7 trillion Rupee). Therefore, Sberbank developed for protecting against cyber threats a unique system of fraud monitoring, based on an artificial intelligence. With this technology, Sberbank detects 96-97% of fraudulent transactions.

- Christina


Are enough safeguards built within BHIM?

About BHIM:
BHIM (Bharat Interface for Money - Bhim App) is a Mobile App developed by National Payments Corporation of India (NPCI), based on the Unified Payment Interface (UPI). It was launched by Narendra Modi, the Prime Minister of India, at a Digi Dhan programme at Talkatora Stadium in New Delhi on 30 December 2016. (source:Wikipedia)

Issues:

The BHIM application has an option to create a payment address(Virtual ID). It auto suggests a persons name+(value) as a many of the typical Indian Names are already taken.


Example if a person called Vijay Kumar R is trying to create a personal payment address he will be suggested "vijaykumarr" . This is the primary identifier and during transfer it does not do any further checking. A simple mistake in the name might cause a catastrophe for the sender.

If a person by mistake types in "vijaykumart" (instead of "vijaykumarr") the application will show the proper full name as "Vijay Kumar" and it is highly probable that a person would send the money to the wrong person as the name is matching. Since the BHIM application is mostly targeted towards "New Adopters" mostly from rural locations they might not be able to find the difference or spot a mistake on what they are typing.

The application should ask for a secondary detail (Eg:Mobile Number,Bank Name etc) about a person and cross check it with the database and only process it if the details are matching.

When it comes to NEFT and IMPS it has multilayer verification , even if the user gives a wrong inputs it will not send the amount if any of the details are incorrect.


BHIMNEFT/IMPS
Checks Full NameNoYes
Checks Bank AddressNoYes
Checks Account NumberNoYes

There is an option to refund the money back to the senders only on the receivers end. It does not have any option to raise a complaint on the senders side. Many of the banks are unable to get the money back if it is wrongly sent to another person. There is no option in the UPI ecosystem for such cases. How can this be ? Why did they not think about this?

The same issue was faced by us when we sent about 9200 to the wrong ID.  The bank (Axis) that we used could not get our money back, even though we made a compliant within few minutes.  It was also not possible for us to track who it was sent to and request them to send it back.

We recommend that people stick to the traditional NEFT and IMPS for any high value transactions as there is no support in the UPI system for raising issues during transactions.

Be careful with whom you share your Jio Hotspot!

If you are sharing your Jio internet with others via mobile hotspot, you should know what is the risk that you are taking.  Our research shows that sharing your Jio with others puts your sensitive information in their hands.

The person who is using your Jio Internet can easily log into your Jio account. All they have to do is download the MyJio app and click "SIGN IN WITH SIM". 

Steps to replicate:
Step 1:
    You should have two phones - one with Jio Sim and another one with non-Jio SIM(make sure you have not installed Jio app in the second phone yet).

Step 2:
    Turn on Wi-Fi hotspot in the Jio phone and connect from your non-Jio phone

Step 3:
    Install Jio app from playstore and open.  When it is asking for authentication, click "SIGN IN WITH SIM". Now you will be able to access the Jio account from your non-Jio mobile.

View/Modify Details:
After logging in, it is possible to view sensitive information including name, date of birth, mobile number, alternate contact work, address, photo, usage details.  Also, some of the details can be edited.



Once you are logged in, the session is getting maintained even if you are disconnected from the Jio network.

Account lockout:
If you mistakenly log out from the Jio-phone when it is logged in the non-Jio phone, you won't be able to log in to your Jio app unless the other person logs out from the app.

If the victim has installed Jio Security app, it is possible for an attacker to track the current location or see the last location details.

Let's say that you are in public place and a stranger(attacker) asking for Internet connection to check his email.  If you share the Internet, it is enough for the attacker to steal your sensitive information.

The issue can be resolved by adding OTP Check when doing authentication.

We thank Suriya Prakash from Cyber Security & Privacy Foundation(CSPF) for helping us with this research.


DROWN attack risks millions of popular websites

An international team of researchers warned that more than 11 million websites and e-mail services protected by the transport layer security protocol are vulnerable to a new, low-cost attack that decrypts sensitive communications in few hours.

The cybersecurity experts from universities in Israel, Germany and the US as well as a member of Google's security team found that more than 81,000 of top one million popular websites are vulnerable.
The researchers said many popular sites - including ones belonging to Samsung, Yahoo and a leading Indian bank - appeared to be vulnerable.

The DROWN attack works against TLS-protected communications that rely on the RSA cryptosystem when the key is exposed even indirectly through short for secure sockets layer version 2 (SSLv2).

The vulnerability allows everyone on the internet to browse the web, use e-mail, shop online and send instant messages without third-parties being able to read the communication.  It allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data. Under some common scenarios, an attacker can also impersonate a secure website and intercept or change the content the user sees.

While many security experts believed the removal of SSLv2 support from browser and e-mail clients prevented abuse of the legacy protocol, some misconfigured TLS implementations still tacitly support the legacy protocol when an end-user computer specifically requests its use.

Websites, mail servers, and other TLS-dependent services are at risk for this attack, and many popular sites are affected.

In practice, older email servers would be more likely to have this problem than the newer computers typically used to power websites.

In addition, because many of the servers vulnerable to Drown were also affected by a separate bug, a successful attack could be carried out using a home computer.

Though a fix has been issued but it will take time for many of the website administrators to protect their systems.

The researchers have released a tool that identifies websites that appear to be vulnerable.

The SSLv2 protocol was weakened because, at the time of its creation, the US government wanted to try to restrict the availability of tough encryption standards to other countries.

It has since eased its export limits, but the effects live on.

5,200 affected after unauthorized access of Neiman Marcus Group's websites

Neiman Marcus Group (NMG) has reported an unauthorized access to their online customer accounts on the websites  Neiman Marcus, Bergdorf Goodman, Last Call, and CUSP.

According to the public notice released on Jan. 29, 2016  by the company,  approximately 5,200 accounts has been affected. Information compromised includes Usernames, passwords, names, mailing addresses, phone numbers, last four digits of payment cards, and purchase histories.

No sensitive information like Social security number, date of birth, financial account number, or PIN number is visible through online accounts.

The  websites has been breached on or around Dec. 26, 2015, when an unauthorized individual gained access by using automated attacks to attempt various login and password combinations. As a result the hacker was able to make purchases on approximately 70 of these accounts.

Company's senior vice president Lindy Rawlinson,  said in a letter to the customers that the company's fraud team “has detected these unauthorized purchases, and Neiman Marcus has credited the affected customers for the full amount of the unauthorized purchase.”

The company has taken steps to limit the ability of the threat actors to access customer accounts, and has initiated a comprehensive response and investigation to understand the scope of the incident.

However the company has requested its customers to change their passwords on all NMG websites and any other site that uses the same username password combination. 

Irked train hackers talk derailment flaws, drop SCADA password list

A report published in The Register says that Russian hackers claimed to have found out flaws in rail networks which allow crooks to hijack and derailment.

The flaws reportedly affect various systems including mobile communication and interlocking platforms that control braking and help prevent collisions.

“Industrial control specialist hackers Sergey Gordeychik, Aleksandr Timorin, and Gleb Gritsai did not describe the bugs in detail, since that would allow others to replicate the attacks nor reveal the names of the affected rail operators,” the report reads.

According to the report, "If somebody can attack the modem, the modem can attack the automatic train control system, and they can control the train," Gordeychik says

So, there is a danger as the flaws expose physical systems like power grids, dams, and trains to unauthorized external modification in ways largely unknown to those outside of the security industry.

It is said that human programming errors were responsible for various remote code execution holes which could affect interlocking systems.

“We are releasing the list to force vendors to not use hardcoded and default passwords," an irritated Gordeychik says.
 
The Register report says that the attack vectors against computer-based interlocking include attacks against workstation, attacks against networking gateways that connect interlocking to the rest of the world, and communications between CPU and object controllers and wayside devices.