Showing posts with label internet security. Show all posts
Showing posts with label internet security. Show all posts

Monday, 2 November 2020

Zerologon Bug – Know the Unknown | Mono-Live

Zerologon Bug

We have recently got warnings from Microsoft about a critical vulnerability about which they told in August. We know it as the "Zerologon bug,'' CVE-2020-1472. Now, it has spread in a wide range. Due to which the attackers can hack the database of a company. And they can also remotely control a company's domain.

The bug has affected Windows 2008 and other new updated versions of windows. According to Microsoft, the attackers take the help of the Netlogon Remote Protocol for setting up a secure channel connection with a domain of a company. CISA, known as Cybersecurity and Infrastructure Security Agency, assumes that it can help the attackers to access a network with a domain controller. Zerologon flaw enables hackers to know about the whole network and all Active Directory identity services connected with them.

Recently, CISA has issued an emergency directive in which they have ordered all federal civilian agencies. The identifier of the bug is CVE-2020-1472. Researchers have found a nasty bug in Windows Server which they gave the name 'Zerologon'.

The Active Directory domain controller code has earned a complete ten rating on the CVSS scale. It stands for Common Vulnerability Scoring System. But the details of the controller can never be revealed. It means that users and I.T. administrators are unable to know how dangerous the problem is.

Importance of the Zerologon Bug for the attackers:

The attackers always have a foothold inside the network using which they can target the specific domain with ease. Now, the attackers get help from the post-compromise exploits also. The exploits have become very valuable to the attackers in recent times. 

When they have got some of the previous data, they can easily hack the domains of any company. As soon as the employees click on any links or attachments in the email, the attackers will hack their domains and steal important data.

Using the Zerologon bug, the hackers can quickly get control of the Active Directory. Moreover, you can get free rein to control it.

How Zerologon Bug works:

The Zerologon exploits uses a string of zeros. The attackers send it via the email of any targeted company. When any employee of that company clicks on it, the attackers using the Netlogon protocol to hack the servers of the company's domain. 

But it depends on various tasks like they allow the users to log in. That's why the Administrators need to be concerned about their installing updates. The network components are susceptible. So, you need to be concerned about the updates always.

It is reported that this bug is the most hazardous one comparing to the previous ones. The worth value of it is a 10/10 CVSSv3 severity score. For Microsoft, patching the bug is not so easy a job. It is scheduled in such a way so that it can be run over in two phases. For the first one, Microsoft will help you to let you know about how to fix the first phase. 

 

Microsoft has done this and made the Netlogon security features mandatory. However, if you want to get a more effective patch, then you need to wait till February. The attack made by the hackers was so quick that it only took nearly three seconds or less than that for hacking the domain of the targeted company.

Take over a domain controller with a number of zeros:

People can get in-depth knowledge about the bug from the team at Secura B.V. that is a Dutch security firm. They have published a technical report from where you can know about the CVE-2020-1472. According to this report, we come to know that the bug is precious for its 10/10 CVSSv3 severity score.

It was the Secura experts who named this bug as Zerologon. According to these professionals, it has taken the benefit of a cryptographic algorithm. The attackers used this algorithm in the Netlogon authentication process. 

They use the bug to follow the Netlogon authentication method. It can hide the identity of any computer with ease on a network. Therefore, it will become easier for them to hide their real identity against the domain controller.

By following the Netlogon authentication process, they can disable security features with ease. With the help of the Netlogon authentication process, one can change the password of a computer on the domain controller's Active Directory. Usually, a database of a computer is connected with a domain and their passwords.

The reason why it is named Zerologon is that the hackers attack the database only by adding zero characters in specific Netlogon authentication parameters.

Take over a corporate network within three seconds:

For the beginners, they must need a foothold inside a network to hack the domain. They can't hack the Windows Servers that are not included in the arena of that specific company's network Or belong to the outside of the company's network. It just takes a few seconds to hack all the databases.

The bug can quickly attack anyone's computer of the targeted company and then spread the malware to all computers.

Patches available; more to come

Nowadays, big companies like Microsoft, need to modify their devices that are connected to corporate networks. Now the Netlogon security features become mandatory for this temporary patch in which process the Zerologon got disabled. It is also vital for all Netlogon authentications.

Recently, it has been decided to reschedule the bug for February 2021. People use this name Zerologon for its broad impact, severity, and benefits for attackers. Secura did not release any proof-of-concept code for a weaponized Zerologon attack. In addition to this, the company has also released a Python script instead of the previous script that you have got earlier.

Protecting devices against Zerologon Bug

Microsoft is trying to fix this bug problem in two-phase. During this time, Microsoft has updated the FAQs in its original documentation. This documentation can help you to identify further clarity. It is because a few users are there who found the documentation very confusing.

That's why Microsoft told its users to find out those devices that make vulnerable connections. For this, they said to their employees to monitor event logs, address non-compliant devices, etc. They also said to enable enforcement mode for managing CVE-2020-1472 in their environment.

Companies use Microsoft Defender for Identity, or Microsoft 365 Defender to detect the attackers who try to use the bug against their domain controllers. Microsoft Defender for Identity was known as Azure Advanced Threat Protection. Whereas Microsoft 365 Defender was known earlier as Microsoft Threat Protection. 

Moreover, the Microsoft company is the one that has taken the help of the Cybersecurity and Infrastructure Agency (CISA). They issued some local agencies to look into this matter step by step. Any company that has the Windows Server device needs to patch it for running the server smoothly. This process helps to avoid potential attacks that can steal your database also.

Conclusion:

Microsoft has recently informed its employees to update the domain controllers. And they also told them to find out those devices that are making vulnerable connections. The main focus of the attackers was to get a connection to the domain controller so that they become the domain admin with only one click.

Friday, 20 December 2019

Juice Jacking Cyber-Attack and Some Tips to Avoid

Power Points and Juice Jacking
Before going any further, let us fathom the definition of Juice Jacking. Well, it is nothing but a cyber-attack, where the charging point is involved. During that time, your charging points works as a data connection. Most of the time, it engages with malware or access to sensitive data.

So, you can understand that it is pretty significant to avoid this situation. Or else, there is a possibility that your personal information will go in the hands of hackers.

Tips to Avoid Juice Jacking

Therefore, we will present you with some tips, which will help you to avoid juice jacking. So, here are the tips that we are talking about.

Charge your phone when you are not using it 


Make sure not to use your phone while charging. It doesn’t matter if you are at your home or your office, whenever you are charging, try to stay away from your phone. It gives hackers a chance to extract your personal information. To be precise, make it a habit as it is a safe option for you.

Make sure to carry your charger 


These days, chargers are pretty portable. Therefore, you don’t have to face any issues while carrying your charger. Also, you can opt for a power bank. It is a pretty handy device that helps you to charge your phone whenever you want. Besides, you can also charge your phone wherever you want. So, buy a power bank and enjoy the perks of it.

Make sure to lock your phone to avoid Juice Jacking 


Well, securing your phone is the most important. Almost all of us lock our phones. We don’t want to show our data to anyone else. It will protect your phone to some extent. Also, it will deter your devices to get paired with other devices. Therefore, you can see the functionality of this feature.

Power off your phone 


Another thing that you can do is to shut down your phone while charging. We can understand that you have some important calls to receive. Well, we are suggesting that if you can do that, it will be beneficial for you. When your phone is switched off, no one can get access to your data. However, some devices allow the USB circuit to get connected with the flash storage, even if you switch off the phone.

Use the USB cables that only circulates power 


Well, some of the USB is capable of power transmission. To be precise, in the case of the traditional USBs, there are two wires. One is used for power transmission, and the other one serves the purpose of data transmission. So, choose a data cable that consists of only one wire that can transmit power. To be specific, those chargers will charge your phone, but data transfer through them is impossible.

So, these are some of the things that you should keep in mind if you want to avoid the Juice jacking. We assure you that if you can follow these points, you can easily prevent the juice jacking.

Monday, 9 December 2019

Things to know about StrandHogg Vulnerability

StrandHogg Vulnerability
Promon security research has newly found a vulnerability in the Android Operating System, which could allow real-life malware to act as legit apps without the user's consent. In doing so, they could track or target any user without their knowledge. This harmful bug is known as “Strandhogg.” StrandHogg Vulnerability has successfully affected all versions of Android, including Android 10, which released in September. In a statement released by Promon states that the malware gangs have fully utilized the StrandHogg.

What is StrandHogg Vulnerability? 


StrandHogg Vulnerability can enter any Android OS and can switch its processing method according to different applications. The vulnerability makes it easy for a malicious app to ask permission while acting as a legit app. The attack is designed as a "request permission method," in such cases, the hackers portray themselves as an official app and ask for permission from the user. The user naturally thinks that they are giving consent to a legit app, but the truth is they are allowing the hacker to go through their SMS, photos, GPS, etc. They also make a similar clone of your app so that when you click to open your legit app, a malicious version pops out on your screen.

Effects of StrandHoggVulnerability. 


1. Listen through microphone

The hacker can easily hack your phone’s microphone and listen to everything you are saying. They can hear and record your private calls and know confidential things.

2. Read and send messages

Everyone receives numerous messages. Some messages are highly classified, and you should not share them with anyone. However, with the help of StrandHogg, hackers can easily read all your messages from your phone and can also send messages to whoever they want without your consent.

3. Take photos

The hackers can take permission to access your photos and files and use them how they like. They can also use your camera to take photos or record videos from it.

4. Login credentials

They quickly know your passwords, account name, and personal questions to access your social media account and hack them. They can also access your bank details, work details, and other private information just by knowing your login credentials.

5. Get location from GPS

With the help of GPS, they can track you down and spy on you. They will know your every movement.

6. Access contact list

The hacker can easily access your call logs or contact list and use it for their purpose.

StrandHogg Vulnerability: What to do? 


Google has already taken a step to control and address StrandHogg Vulnerability and has removed all the potential harmful apps from Google Play. They have also updated their security that detects and blocks malicious apps. They have also formed a separate research team, who continuously investigate in StrandHogg Vulnerability to improve and protect Google Play from further harm. However, Security researcher Sean Wright states that the threat is pretty significant, and it is actively exploited. So, it is challenging to distinguish that something is wrong with a particular app.

Conclusion


However, for now, Google has successfully removed all the malicious apps, but in the future,those similar apps may reappear because StrandHogg Vulnerability is not entirely fixed. Therefore, it is better to be very cautious before installing any app and giving it any kind of permission to access your phone. You can also read reviews or do a web search about the app you want to install. At last, always install or update your apps through Google Play only.

Friday, 22 February 2019

Rietspoof Malware on the Rise

Rietspoof Malware on the Rise
Rietspoof malware a new malware discovered by  security researchers is spreading via instant messaging sites like Facebook messenger and Skype. Researchers have said that this new form of malware develops in stages. The rietspoof malware was first discovered in August of last year but had not been taken seriously. An uptick in distribution in the last month has got the rietspoof malware back in everyone’s attention.

Rietspoof malware and its role: 


The main idea behind the rietspoof malware is to infect victims and then persist on the host victim. The malware does this so that it can download other malware onto the host device depending on orders from a central command and control server.

The rietspoof malware gains persistence by downloading an LNK file which is a shortcut file onto the host computer. This tends to be a risky area for malware as most security/ antivirus products know to look at this folder when running security scans. But rietspoof malware has all the legitimate certificates allowing the malware to bypass any security scans.

The actual rietspoof malware consists of four stages. The malware itself is dropped onto the host computer somewhere in the third stage. The last stage is the stage when a more serious malware is downloaded. The last stage malware can cause serious disruption to the computer.

Rietspoof Malware known as a “dropper” or “downloader”: 


The rietspoof malware has come to be known as the “dropper” or “downloader” by those in the tech world. This is because the malware is being used to download other more serious malware onto the computer after it itself has taken root.

Since it is only meant to download a more potent version of malware, its functionality is also reduced. The Rietspoof malware can only download, execute, upload and delete files and in a more serious scenario delete itself when in emergency. However even with this limited functionality, it can still cause serious damage.

Avast the researchers behind discovering the rietspoofmalware, say that since they have discovered the malware, the malware has changed its C&C protocol and gone through some modifications. This had led them to believe that the malware was still being developed. Avast says that they are still not sure whether they’ve got to grasps with the entirety of the malware.

Rietspoof malware not the only “dropper” on the rise: 


“Dropper” or “downloader” malware is on the rise. Rietspoof malware is not the only malware that has developed in the previous months. A malware known as Vidar has helped criminals distribute ransomware and has also obtained passwords on their behalf.

The rietspoof malware downloads itself in stages and offers no information on what hosts it picks. Since its discovery back in August, it was initially thought of to be in its early or developmental stages, since then theRietspoof malware has really begun to pick up speed.

At present the end goal of the rietspoof malware, the choice of targets and exact infection chain remain unknown.

Monday, 11 February 2019

First Clipper Malware Discovered on Google Play

Clipper malware
Android/Clipper.C impersonating MetaMask on Google Play
Clippper malware was discovered on Google Play, the official Android app store. This malicious malware was discovered in Feb 2019.

What is the clipper malware? 


Addresses of the online cryptocurrency wallets have a long string of characters that includes alphabets and numbers.These addresses are basically long for security reasons. The users generally copy and paste the addresses using the clipboard instead of taking the trouble to type them out.

The people who steal the cryptocurrency, take advantage of this lapse and replace the wallet address in the clipboard. This is the clipper malware.

The attacker intercepts the address on the clipboard and changes it to the address belonging to him.
The user then ends up with the wallet address that has been switched by the attacker.

Though the clipper malware is relatively new, where the cryptocurrency stealers alter the address, it is considered an established malware.

The origins of clipper malware


The clipper malware was first discovered in 2017 on the Windows platform.

Later it was noticed in the shady Android app stores in the summer of 2018.

In August 2018, the first Android clipper malware was discovered. It is sold on underground hacking forums and subsequently seen in shady Android app stores.

The clipper malware was also hosted on download.cnet.com. This is one of the most popular software hosting sites. This malware was discovered by ESET researchers.

In February 2019, the malware was found on Google Play, which is the official Android app store.

How does the clipper malware function? 


The clipper malware was detected on the Google Play store. This malicious malware was found out by ESET security solutions. The malware, Android/Clipper.C, impersonates a genuine service known as MetaMask.

The clipper malware basically steals the user’s credentials and private keys in order to access the user’s Ethereum funds. This malware can also change the Bitcoin or Ethereum wallet address of the user and replace it with the address of the hacker. The wallet address of the user is replaced by the wallet address of the hacker using the clipboard.

When and how was the clipper malware discovered? 


On 1st Feb 2019, the ESET security solutions discovered the clipper malware, Android/Clipper.C on Google Play, the official Android app store. This was then intimated to the Google Play security team. They immediately removed the app from the Store.

This hacking targets the users who make use of the mobile version of the MetaMask service. The MetaMask service runs Ethereum decentralized apps in the browser without any need of running a complete Ethereum node.

Currently, the MetaMask service is not offering the mobile app. They are available as add-ons for desktop browsers like Chrome and Firefox.

Previously too, malicious apps were discovered on Google Play impersonating MetaMask in order to access the victim’s cryptocurrency funds.

Security measures against clipper malware


Users should update their Android devices and use reliable mobile security solution.

Download apps from the official Google Play store.

For any Google Play search, stick to the official website of the app developer or service provider for the link to the official app.

For any sensitive transactions involving information or money, double check every step.

Friday, 28 December 2018

Computer Chip Vulnerabilities Discovered

Computer Chip Vulnerabilities

Researchers discover new Computer Chip Vulnerabilities!

We all know computer chips, software updates and their ilk are all not free from bugs and more. But now researchers at Washington State University have discovered another flaw in computer chips that could cause some serious vulnerabilities. These so called computer chip vulnerabilities were previously unknown to man and now that they are known can cause some huge problems.

These computer chip vulnerabilities can cause failures in modern high tech electronics even though they of the high performance variety. One would expect the high performance computer chips to be relatively free from such problems but the reality is something else altogether. 

Causing a deliberate Computer Chip Vulnerability: 


Researchers at Washington State University found that by deliberately adding malicious work load onto the computer chip they could affect the communication system on the chip. This communication system on the chip is important and damaging that could cause some big problems.

Talking of big problems, such a computer chip vulnerability could cause the computer chip’s life to shorten drastically.

Working to Understand Computer Chip Vulnerabilities: 


Researchers have been at work trying to understand how vulnerable computer chips really are to malicious attacks. This they do in order to identify threats and devise suitable actions to remedy such computer chip vulnerabilities.

Many tech vendors such as Samsung and Apple deliberately send software updates that intentionally slow down earlier phone models as a way to encourage people to buy newer more expensive models.
Research into computer chip vulnerabilities has earlier looked at various computer chip components like computer chip memory, circuit boards, processors and other areas for computer chip vulnerabilities. But researchers at Washington State University have discovered new threats in the most important part, which was previously not looked into – The communications system.

Not only was this vulnerability discovered in the backbone of the computer chip, it was also discovered that high performing computer chips had such vulnerability too.

“The Glue that Holds Everything Together”

The communications system in a computer chip is the glue that holds that entire processing of the chip together. Once that glue breaks down, a very powerful chip becomes useless.

High performance computer chips have a number of processors that perform large amounts of complex work. These processors communicate with each other through the communications system on the chip. This communication system also coordinates all the processes. So it is not hard to imagine a slight flaw in such area could cause some serious damage.

Researchers are at present looking for ways to incorporate such high performance chips with multiple processors onto hand held devices. This computer chip vulnerability could potentially affect our smartphones too.

Researchers at Washington State University devised a series of attacks that targeted the communications system. The results were shocking, in that the entire communications system was affected and was likely to fail because of such an attack.

Such computer chip vulnerabilities could be used by malicious persons to target a computer chip and cause it to malfunction.

Friday, 15 December 2017

Horrifying macOS Bug Lets Anyone Become Admin With No Password

macOS Bug

New bug found on macOS giving Admin Access to anyone without password input

All the users with a Mac should note that a new bug has been discovered on the latest version of macOS High Sierra. This particular bug can jeopardise your security as it allows anyone to get into the system that also as an administrator by simply typing ‘root’ in the username section. This bug is so dangerous after giving up the name as ‘root’ users are not even required to put in the password.
 

Taking the Twitter by storm

 
This dangerous bug has been found by a software engineer going by the name Lemi Orhanm Ergin. He claimed that this bug has the ability to grant admin access to anyone of any mac system within few seconds. The most horrifying thing about this bug is that it even allows anyone to login to the system just after the reboot. He described his finding in a series of tweets which were picked by a number of tech enthusiasts and soon the Twitter was flooded within huge number of users replicating the acts of the bugs.

It became apparently clear to millions of macOs High Sierra users that simply typing the ‘root’ in the username will help in bypassing the Apple security in no time. Some of the experts had stated that this bug is eerily similar to the Apple’s very own ‘root user’ login feature. It seems like this bug is actively making use of this feature which happens to enabled by default on the macOS. If you are whether your system is affected by this bug or then check your macOS by giving a click on the Apple logo present on the left top left corner of the screen. Now select the option “About this Mac” to know your device macOS version.
 

Bringing updates in quick time intervals

 
Apple has claimed that its macOS is simply the most secure operating system in the world but that doesn’t mean it is free of bugs. Apple is known to offers patches and fixes as quickly as possible which isn’t the case with other operating systems where users have to wait for months to get the incremental updates.

Just a few weeks ago Apple brought a massive supplemental update for the macOS High Sierra which helped in fixing a wide range of bugs along with improving the installer robustness and along with other issues. Some of the major issues resolved with this update include the fixing of the graphical problem associated with Adobe InDesign and issue related to addressed in the Yahoo accounts.

Apple has been quick at coming up with the fix as well this time around. Apple has even issued a statement where it stated that security is always been a top priority for every Apple product. It even clarified that the Apple engineers have found this issue in the Tuesday afternoon and they had started immediately working on patching up the security hole.

Now this big has been squashed in the macOS High Sierra for good and it shows why a huge number of are fan of the Apple products.

Monday, 16 October 2017

SWIFT Says Hackers Still Targeting Bank Messaging System

The $81 million heist that was carried out from the Bangladesh Bank in February was done by attackers who hacked into the bank’s SWIFT software. They were able to steal the money by hacking into the software to transfer the money. The attackers were also able to cover up their tracks in a very effective manner.

The attacker, based in Bangladesh, was able to develop a malware which was highly sophisticated and could interact with the local SWIFT software in his vicinity.

SWIFT is a cooperative of 3,000 organizations, based in Belgium. It provides a platform to transfer funds internationally. SWIFT is in the know, that there exists a malware that can reduce the financial institutions systems abilities that can cause various fraudulent transactions on their local systems. They are however saying that this malware is not capable of hacking into their network or causing extreme damage as far as their messaging services are concerned. This is contrary to the reports, which suggest otherwise.

In case of any hacking to the SWIFT software can cause transfer of funds from the victim’s account to the attackers account. As seen in the Bangladesh Bank case, there were 30 SWIFT transactions on FEB 5th, for a withdrawal of $ 1 billion from the US Federal Reserve in New York using the SWIFT bank code. Only $ 81 million could be transferred and the balance $ 6.9 million was still retrievable.

The malware used in the Bangladesh Bank SWIFT software was specially designed with a complete know how of the SWIFT Alliance Access software and excellent malware coding abilities.

The malware used by the attacker was not only used to change the SWIFT transactions, but also to hide any of the changes made, since all the transfers that take place are sent by the SWIFT’s software to a printer. When the transactions are printed out, the officials of banking sector can notice any fraudulent transactions and take action immediately. They can thus prevent any malafide transactions from taking place. The malware used in this case intercepted the SWIFT messages and the altered manipulated copies of such messages were printed. In this way they were able to cover up their fraudulent transactions. The malware used, seems to be a wider attack toolkit, allowing the attacker to send forged instructions for payment and also cover up his tracks. This gave the attacker ample amount of time to carry out the transactions and enabling multiple transactions without being detected.

SWIFT is coming out with a software to counteract such related attacks, including alteration in the database records. The customers on their part are encouraged to keep all their IT systems up to date in order to prevent the attackers from hacking into any loopholes in their local security systems.

A spokesperson has advised their customers to keep an eye on any anomalies seen in their local database records whereby helping the customers to keep their accounts secure. The most vital is to adopt adequate security measures and safeguard their systems.

The authorities warn that the malware and the various related tools can be a threat for SWIFT customers. They can be configured easily and likely to cause similar attacks in future. A worrying aspect is how the attackers sent these transactions, the malware used in the systems and who are the people behind this scam.

Saturday, 9 September 2017

Catching the Hackers While They Act

Catching the Hackers
How investigators trying to catch hackers work

The role of the computer expert becomes increasingly relevant to the proliferation. Nowadays, the attacks such as phishing or data hacking for ransomware purposes are the main issues. Hence, these specialists perform a thorough analysis on the affected devices to solve the issues. And also they obtain the digital evidence to get it right.
While hackers try not to leave traces, their footprints are not so easy to erase. That is why their job is to shed light on the hacking. This can be done by the reconstruction of the activity of the electronic device that has been used by the hackers. This is explained by Telam Maximiliano Bendinelli, the computer forensic expert.
A specialist works with Pablo Rodríguez Romeo in the CySI, said that last year they received a large number of queries from companies about the attack.

Virtual Hijacking of Data

Bendinelli cited virtual hacking of data for extortionate purposes known as ransomware. The hacking of data stored in a technological device to be later released in exchange for a ransom.

With their experience in the cases, the experts dealt with in the study. They found that the cost for the release of the data usually ranges from the US $ 300 to the US $ 1,500, always in Bitcoins.

These experts found sometimes interesting turns in the case of ransomware. They could even solve the situation without paying the hackers.

The hackers trick the users with some fraudulent methods that intend to direct them to some other page. If the user gets into to the page, paves the way to download some malicious codes into their computer for hacking their data.

Some reputed banks are also victims of these attacks, but they don't want to expose it. Rather, they get the experts' consultation to solve the issues.

The intervention of the computer expert becomes crucial in the field. They carry out the corresponding analysis, obtain and safeguard the digital evidence of the users. And also to implement the necessary methods to avoid invalidating the test.

The investigation of the issues arises from an audit, working with those who might be involved. And also identifying the correlation of facts and equipment.

The victims or the users never work with the original evidence. Because the users run the risk of damaging it. Hence, they proceed to preserve the evidence from a forensic copy.

The Forensic copy helps to identify the hacker


The forensic copy allows recovering all the information on the disk. Even the deleted, and also rebuilding the hacker's steps on the computer.
Currently, it is very common to use the forensic investigation software. It allows the analysis and processing of a lot of information with unmatched speed. This kind of software showed very good results. It makes technology a top-quality alternative to the old forensic computer applications.

The specialists summarized the work of the computer expert as a researcher and consultant. This is to carry out the processes, using the benefits offered by the research software and the management of various analytical tools to find hackers. This allows the identification of relevant data and cross-referencing of fundamental information.

Wednesday, 2 August 2017

How Hackers Hijacked a Bank’s Entire Online Operation

Hackers

Extraordinary Incident of Wholesale Bank Fraud Done by Hackers


Hacking a bank is not different from the out-dated means of raiding it and hackers can get in and out with the goods quite easily. However a particular enterprising team of hackers aiming a Brazilian bank seemed to take a much more inclusive and a scheming method of operation.

On a certain weekend afternoon, they had rerouted all the online customers of the bank to effortlessly reconstructed fakes of the bank’s properties wherein the marks offered over their information of the accounts. The researchers at Kapersky the security firm had defined an extraordinary incident of wholesale bank fraud, which had basically hijacked the complete internet footprint of the bank.

 Last year, on October 22 at 1 pm, the researchers had stated that the hackers had altered the Domain Name System registration of all 36 online properties of the bank, taking the desktop and mobile website domains of the bank to take users to phishing site. That meant that the hackers had the potential of stealing login credentials at the sites which had been hosted at the legitimate web addresses of the bank.

The researchers of Kaspersky were of the belief that the hackers could have also simultaneously redirected most of the transactions at ATMs or point-of-sale systems to their own servers, gathering the details of the credit card of anyone who utilised their card on that Saturday afternoon.

Malware Infecting Customers


One of the researchers of Kaspersky, Dmitry Bestuzhey, who had analysed that attack in real time on seeing malware infecting customers from what seemed to be the fully valid domain of the bank, had stated that absolutely all of the bank’s online operations had been under the control of the attackers for five to six hours.

From the point of view from the hackers, according to Bestuzhey, the DNS attack meant that `you become the bank and everything belongs to you now’. Kaspersky has not revealed the name of the bank which had been targeted in the DNS redirect attack. He has stated that it seems to be a major Brazilian financial company with hundreds of branches, operations in the US and the Cayman Islands, with 5 million customers and over $27 billion in assets.

Though Kaspersky is not aware of the full extent of the damage caused due to the takeover, it should be a warning to banks all over to consider how the insecurity of their DNS would support a nightmarish loss of control of their core digital assets. Bestuzhev had commented that they have never seen it exploited in the wild on such a big scale.

DNS – Vital Decorum Under Cover of Internet


The Domain Name System – DNS tends to serve as a vital decorum running under the cover of the internet and translates domain names in alphanumeric characters such as Google.com, to the IP addresses such as 74.125.236.195, which tends to represent the definite locations of the computers hosting websites or other services related on those machines.

 However attacking the records could take the sites down or redirect them to a destination of a hackers’ choice. For instance, in 2013, the Syrian electronic Army groups of hacker had changed the DNS registration of The New York Times in redirecting visitors to a page with their logo. Recently, the Mirai Botnet attack on the DNS provider Dyn had cracked a main portion of the web offline inclusive of Amazon, Reddit and Twitter.

However the attackers of Brazilian bank had subjugated their victim’s DNS in a much more directed and profit-driven manner. Kaspersky was of the belief that the hackers compromised the account of the bank at Registro.br which is the domain registration service of NIC.br, the registrar for the sites ending in the Brazilian .br top-level domain which is said that it also manages the DNS for the bank.

Changing Registrar – Domains of Bank


The researchers are of the opinion that with that access, the hackers had been capable of changing the registrar at the same time for all the domains of the bank, redirecting them to servers which the attackers had set up on the Cloud Platform of Google.

With the hijacking of the domain, those visiting the website URL of the bank were redirected to the duplicate sites where those sites also had valid HTTPS certificates issued in the name of the bank. Hence those visitors’ browsers portrayed a green lock together with the name of the bank like they would in the real sites. Kaspersky also observed that the certificates was provided six months earlier by Let’s Encrypt, the non-profit certificate authority which makes obtaining an HTTPS certificate easy in case of increasing HTTPS acceptance.

 Josh Aas, founder of Let’s Encrypt had stated that `if an entity had gained control of DNS and had gained effective control over a domain, there could be a possibility for that entity to get a certificate from them. Such issuance would not constitute mis-issuance on their part since the entity receiving the certificate would have been able to properly demonstrate control over the domain’.

Hoaxed Sites Infected with Malware


Eventually the hijack had been so thorough that the bank was unable to even send email. Bestuzhev stated that they could not even communicate with the customers to send them an alert and if your DNS is in control of the cybercriminals, you are basically screwed’. Besides phishing, the hoaxed sites also infected victims with malware download which had disguised itself as an update to the Trusteer browser security plug-in which the Brazilian bank provided the customers.

As per the analysis of Kaspersky the malware gathers not only banking logins from the Brazilian banks but also eight others as well as email and FTP credentials together with contact lists from Outlook and Exchange. All of these had gone to command-and-control server hosted in Canada. The Trojan also comprised of an operation intended to disable antivirus software for infected victim, and could have persisted much beyond the five hour window when the attack had taken place.

The malware had scraps of Portuguese language, implying that the attackers could have been Brazilian. Bestuzhev of Kaspersky debates that for the banks the incident could have been a clear warning to check on the security of their DNS. He notes that half of the top 20 banks ranked by total assets do not manage their DNS but tend to leave it in the hands of a potentially hackable third party and irrespective of who tends to control the DNS of a bank they can take special precautions in preventing their DNS registrations from being changed without safety checks such as `registry lock’, which some registrars tend to provide together with two-factor authentication making it difficult for hackers to change them.

Tuesday, 18 July 2017

Terrifying LeakerLocker Ransomware Can Send Your Most Embarrassing Private Photos to Friends

Ransomware

New ransomware threat found- notorious for sending embarrassing photos to all friends


Ransomware threat doesn’t seem to end any soon. Security experts have found a new one which is notoriously designed to find the private photos of the victims and send it across all their contacts present in the address book. This particular threat has been discovered by a team of experts at the renowned cyber security firm McAfee and this virus has been named as LeakerLocker. This virus has the ability to lockdown the phone and threatens the victim of sending out the private images to all the numbers or addresses present on the phone.

£39 ransom for saving ‘grace’

Like any other ransomware this also has a similar modus operand wherein victim’s phone is locked and a ransom is asked for. In this case users are threatened with sending out the embarrassing photos unless the victim is willing to pay £38 to save his or her modesty. Most of the victims are most likely to pay the token amount in order to save them from humiliation but this is resulting in attackers laughing to the bank.

Earlier ransomware threats

Just a few months back a worldwide ransomware attack was launched which was called WannaCry and this virus is also the same one. WannaCry went on to bring the NHS right to its knees while quite recently McAfee security experts found a virus on the Google Play store which doesn’t really went all the way to encrypting the files but it was still evil in its working. This virus was found in two apps present on the Google Play Store namely “Booster & Cleaner Pro” and “Wallpapers Blur HD”.

However LeakerLocker kept itself below the security experts radar by settling with a really modest ransom. However it did go ahead with making a backup of the phone’s sensitive data and threatened to leak it all to the user’s contacts unless it demands are met which was just £38.

How bad is LeakerLocker?


Any phone infected with the LeakerLocker showcases a ransom threat on the screen which states that all the data present on the device would be sent out to ever person present in the phone contact list and email contact list. Victims are required to pay a modest ransom amount of $50 if they wish to abort this action. It even suggests that there is no other way of deleting the data from the device but it can be done through paying the ransom. If any victim tries to harm the phone or power off the device then it wouldn’t mean that the threat is avoided rather attackers has very smartly backed up all the data in cloud from where it can be sent to the copies email and contact list of the victim.

Security experts at McAfee has clarified that the claims in the form of threats made by this ransomware is not completely true. This virus is not capable enough to access, read or leak every data present in the phone device. But it is banking on the fear of private photos leaking onto every known person of the victim is enough to get $50 ransom easily out of the victims.

Saturday, 6 May 2017

FalseGuide Malware Victim Count Jumps to 2 Million

1

2 Million Android Users Infected By Malware, Learn How to Protect Yourself

Check Point researchers recently reported that millions have unintentionally downloaded a malware called FalseGuide hidden in over 50 apps downloaded from Google Play Store. Attacks like this have been made through Play Store before with the use of malwares like Vikinghorde and Dresscode. The botnet malware spread through the download of guide apps for games like FIFA, Pokemon Go, Subway Surfers, GTA San Andreas, Asphalt and others. The malware quickly spread and infected over 2 million android devices, compromising their internet security. Initially, a report published on 24th April had informed that the malware has affected only 600,000 users but since then Check Point has researched that the FalseGuide malware attack is far worse. FalseGuide was uploaded onto Play Store as early as November last year and has been sitting there ever since, generating more and more downloads. Find out whether you have been a victim of this attack and learn how you can boost your internet security to protect yourself from such attacks.

How does FalseGuide operate?

Hackers behind this attack developed these simple apps as guides for games are widely popular and are downloaded by people all around the world. They don’t require much maintenance and updates which makes the hacker’s job all the more easier. This is how FalseGuide malware infects your device-

  • After the installation of the game guide, FalseGuide asks for device admin permission from the user. 
  • If you have given it administrative permission, it cannot be deleted from the device. It can then use methods to hide its activities.
  • You will then be part of a botnet without your knowledge. The hackers will control your device for adware purposes and make an income through it. 
  • Then FalseGuide registered itself on a message topic of the same name on a cross-platform messaging service called Firebase Cloud Messaging. After subscribing to this topic, the attackers can send messages containing links to more malware, download and install them to your device. 
  • After restarting, a background service will start running and display illegal pop-up ads so the hackers can make money. 
  • Highly malicious coding has been found in these modules which can actually allow the attackers to root your device, launch a DDoS attack or infiltrate private networks.

Did the attack originate from Russia?

Check Point surmised that the malicious apps containing FalseGuide malware was submitted to Play Store by two fake developers with Russian names, Sergei Vernik and Nikolai Zalupkin. Later, they updated their post with the information that 5 more of such apps had been found and these had been developed by Anatoly Khmelenko (translated from a Russian name).

What to Do If You Are a Victim?

Google has already removed the apps from the Play Store but your device might still be infected. You must perform a factory reset on your device. If it still does not work, you must take your phone to a professional.
How to Protect Yourself from Similar Attacks

  • Only download apps from trusted sources and developers. 
  • Beware of installing apps that request administrative permission. 
  • Keep an updated antivirus on your device.

Monday, 13 March 2017

iPhone Spying Bugs Revealed By Wikileaks Have Been Fixed, Apple Says

 WikiLeaks
Apple iPhone is revered as the most secure device which even government security agencies can get into. But Wikileaks has revealed a number of vulnerabilities in the iPhone which can be easily utilized by the agencies to launch ‘zero day’ attacks. Apple was quick to swing into action which resulted in fixing all the vulnerabilities before can think about using it against millions of iPhone users. Wikileaks also pointed that a number of hacking tools were exclusively developed by the GCHQ which is the infamous British spy agency.
Apple has released an statement where it confirmed to fix all the vulnerabilities present in the 8,761 pages long documentation published by the Wikileaks. These vulnerabilities were not just limited to the iPhone but also the iPad and iOS as a whole.

Some tips to secure iPhone from hackers

  • Make use of PIN or fingerprint security: This will help you in securing the smartphone against unwanted individuals getting inside your phone. 
  • Make use of longer password: Simply going to the settings followed by ‘Touch ID & Passcode’ and turn the ‘Simple Passcode’ off. Now indulge in creating a complex and longer password for your phone which consists of upper and lower case letter along with numbers & symbols. 
  • Boost your privacy settings: Carefully allot the privileges for different apps by simply turning them on/ off by going to the Settings followed by ‘Privacy’. 
  • Don’t forget to activate the self destruct: When someone tries to break into your phone then you can set it for self-destruct where all the data will be deleted instantly. This feature can be activated by simply going to the Settings followed by the enabling the ‘erase data’. This will ensure that your iPhone turns the device cleans after ten incorrect PIN guesses. 
  • Turn of the notification: One doesn’t need to unlock the device in order to read the notification and this can result in revealing too much about you than you wish.
Apple has worked towards fixing the 14 different iOS vulnerabilities and it has been found that most of it was linked to the older version of the operating system. When compared against the Google’s Android operating system Apple iPhone is always considered to be highly secured and protected device. Secondly Apple tends to offer or bring over-the-air security updates to the iPhone more quickly than Google. Android platform isn’t known to be hyper active when it comes to operating system version up-gradation and updates.

Wikileaks has given a dramatic revelation to the world wherein it stated that CIA has dedicated the whole specialized unit of the Mobile Development Branch for the iOS devices. The reason behind is pretty simple as most of the prominent figures in the field of entertainment, politics and business tend to use iPhone than the Android device. Quite incidentally Apple has been in fierce battle against FBI over creating a backdoor in it device which will help agencies get into iPhone.

Thursday, 9 March 2017

Protection Against Android Malware

Android
BGR
Some tips could always be useful irrespective of the user being new to Android who would be eager to explore new available options on the screen. Some of them could also be annoying which tends to come with the daily functions and operations. These tips could be helpful to the user since every few months there seems to be some security vulnerability in Android which could affect many users of Android smartphones, for instance in recent years, Quadrooter together with Stagefright.

 These two security vulnerabilities were considered to be different. In regular life, how secure would Android be and what would be helpful against the dangers from the internet? Numerous security holes had been exploited by Quadrooter, in Qualcomm drivers in the summer of 2016 wherein nine hundred million Android devices had been affected.

This had been presented by those who had identified the gaps. But in order to take the benefit of the Quadrooter exposure, the invader needs to be capable of installing and running an appropriate designed app on a smartphone. The Stagefright susceptibility seemed to be different which was unseen in the functions in processing of streams or media files and the issue was that when even a video would be sent as an MMS there was a tendency of it being misused.

The invader had the capability of sending a file to the user where the dangerous code could be accomplished. Beginning with Android 4.0, it seemed difficult to exploit the susceptibility owing to the system intervention, though it is not difficult. The dissimilarity between the two security breaches is evident. While Quadrooter tends to need few steps from the user, Stagefright can be exploited remotely without the need of interaction of the user. Android tends to have various means of safeguarding the security of the users. The most significant methods are:

1. Prevention of installation of unfamiliar apps 



There is said to be a setting in the Android system which enables or disables installations of apps of unfamiliar source wherein the option gets deactivated on the device in its delivery state where one can install apps only from the Play Store. Some of the companies tend to have their own app store preinstalled like in the case of Samsung, with its Galaxy Apps. The capability of limiting the option is not relevant for these and this option tends to protect the user against malware spreads through an unfamiliar app store or simple internet pages. News regarding malware in the Play Store seems to be quite rare since these disreputable apps are eradicated rapidly from the Play Store. However, unknown sources need to be activated in using app store of Amazon or perhaps for another like F-Droid.

2. Virus Scanner of Google 



The second line of defense of Google does not seem to have compatibility issue but provides security against malicious apps – virus scanning. Beginning with Android 4.2, this has been made available and is now a part of the services of Google Play. It has also been activated by default and should be left that way. The setting is said to enable apps to be scanned for likely malware before the installation. However if malware tends to be discovered, Android rejects the installation.

Quadrooter Malware 



Google had confirmed with Android Central some few days after discovering that Quadrooter malware cannot be installed while the corresponding setting had been set. Adrian Ludwig, security chief of Android had declared that it was identical to Gooligan, the malware which had hacked Google accounts in December 2016. As of April 2016, Android Security Report, in 2015 states that with this procedure, the threat landscape for users of Android could be considerably less and with this feature the malware apps does not have any chance against Google. Essentially the verification of the app tends to function by calculating the fingerprint – hash value of an APK which is compared against the database of Google comprising of likely threats. Google tends to scan apps on the Play Store, as well as APKs which are accessible through the web.

Alerts against Ensuing Manipulation



This system seems to be quite effective since around 90% of the apps connected outside the Play Store seemed to be well-known to Google which had been scanned for probable security concerns. Besides this, Google is also capable of extracting specific features from the apps subjecting them to identical process which enables Google to identify dangerous feature. Thus it warns the user if essential and also prevents the installation of such a kind of app. Google, in the meantime tends to scan the installed apps during the process and can also alert against ensuing manipulation of the app, which is already installed. In the case of extreme condition, there is also the likelihood of removing apps from the smartphone if these have been permitted by a device administrator.

Thursday, 15 December 2016

Popcorn Time Ransomware Offers to Restore Your Files for Free — If You Infect Two Friends


Popcorn Time Ransomware
Instead of luring users into clicking on the link and then asking for money hackers has come up with an innovative approach. Ransomware has been in vogue for almost a decade where modus operandi has become standardized. This has helped hackers in doing way with billions of dollars in last decade by taking way the control over the files or networks and devices leaving user’s at hacker’s wisdom. Most of the time user decides to pay upfront and get back the critical data or simply lose it by wiping up the machine. With constant campaign against such malpractices and attacks people have vigilant and the ransomware cases started to die down but didn’t went way at all.

Hackers have come up with an innovative alternative wherein the ransomware offers an opportunity to recover the files by simply making your two friends victim of the same.

New Ransomware ‘Popcorn Time’

This new ransomware has been named ‘Popcorn Time’ which offers a lucrative deal to the victims by asking them to infect two other friends in order to safeguard their own data. This ransomware is designed to find all the files present on the desktop along with the files present in My Documents folder and encrypt them using the AES-256 encryption.

Like every other ransomware this one also asks users to pay up in Bitcoin in order to salvage their files and the price is set at just 1 Bitcoin which amounts to $780. Secondly the warning screen also lays down the instruction for paying in the Bitcoins in case a user is not so familiar with this popular cyrpto currency. Even after paying the money users should understand that entering the decryption key wrongly for more than four time will result in losing all the data.

Apart from it this malware also offers an opportunity to get back the files by simply infecting any two of your friend’s system. Victims are simply required to click on the link containing the unique ID which will help in downloading the malware. Simply forward it to your friends and save your files is the modus operandi here.

Hackers living up to their bargain

Most of the promises made by the hackers are not kept but this ransomware originators are showing never seen before honor among the hackers attitude. When a user pays the ransom then he gets a decryption key which helps in restoring the files and it is old school. If ransom is unpaid then that data is lost forever. In a number of cases affected users even after paying up the ransom users were unable to get their data back.

Security analysts and firms are actively working towards finding decryption keys for some of the popular ransomware infections which will offer a free way of getting back the files to the victims. But such initiatives will become obsolete if hackers start using Popcorn Time or its enhanced variants in future which encourage towards making other infected in order to save their skins.

Saturday, 3 December 2016

Why Light Bulbs May Be the Next Hacker Target

Smarthome

Smart Light Bulbs – Wireless Fault - Hackers Take Control


Supporters debate that the Internet of Things provides several benefits like energy efficiency, technology convenience that can anticipate what one needs and also reduce congestion on the roads. However, placing a cluster of wirelessly connected devices in one spot could be tempting to hackers and would enable them to spread malicious code via air, just like a flu virus on a plane. Researchers had reported in a recent paper release that they had discovered an error in a wireless technology which is generally included in smart home devices like lights, locks, switches, thermostats and several of the components of the smart home of the future.

According to researchers at the Weizmann Institute of Science near Tel Aviv and Dalhousie University in Halifax, Canada, they focused on the Philips Hue smart light bulb and discovered that the wireless fault can permit hackers in taking control of the light bulbs. It may not sound like a great deal. But considering thousands or even hundreds of thousands of internet-connected devices in close proximity and the malware that is created by hackers could spread among the devices on compromising with just one of them.

Popular Websites Experience Outages/Interruption


Moreover they would not need to have direct access to the devices to pollute them. The researchers were capable of spreading infection in a network within a building by driving a car 70 metres away. The hackers had briefly denied access to complete chunks of the internet recently, by developing a flood of traffic which had overwhelmed the servers of a US company known as Dynthat assists in handling key components of the internet.

 Pinterest, Twitter, Reddit together with PayPal were down for most part of a day since their domain name provider, Dyn had been compelled to be offline. It had also resulted in popular Australian websites like ANZ, Coles, The Daily telegraph; Ebay, NAB, 9News and many others, to experience outages and interruption. Security experts are of the belief that the hackers discovered the horsepower essential for their attack by gaining control of a range of internet-linked devices.

Password Partially Blamed for Attack


However the hackers did not utilise the system provided in the report that had been released recently. A Chinese wireless camera company had stated that weak passwords on some of its products could be partially blamed for the attack. Although it had not been the first attempt hackers had utilised the Internet of Things to control an attack, the measure of effort against Dyn had been an eye opener to users who had not realized that the impact of internet-linked things joined in daily life would foresee new risks.

A widely respected cryptographer, Adi Shamir who assists pioneer modern encryption methods and is also one of the authors of the report, had commented that `even the best internet defense technologies would not stop such an attack.The new risk is said to come from a little-known radio protocol named ZigBee which had been developed in 1990s.

 ZigBee is a wireless standard which is used extensively in home consumer devices. Though it has been presumed to be secure, it has not been held up for scrutiny of the other safety methods utilised across the internet. The researchers had discovered that the ZigBee standard could be utilised in creating a computer worm to spread the malevolent software in devices which were internet-linked.

Wednesday, 26 October 2016

Hackers Used New Weapons to Disrupt Major Websites Across U.S.


map
Crucial sites were difficult to reach to individuals crosswise over wide swaths of the United States on Friday after an organization that oversees vital parts of the web's framework said it was under assault. Programmers unleashed a mind-boggling operation on the internet through some devices like webcams and computerized recorders and slice access to a portion of the world's best-known sites, a staggering rupture of worldwide web dependability. Clients reported sporadic issues achieving a few sites, including The New York Times, Spotify, Twitter, Reddit, Airbnb,Etsy, SoundCloud, and Netflix. The organization, Dyn, whose servers screen and reroute web activity, said it started encountering what security specialists called a dispersed dissent of-administration assault in the early morning.

Reports that numerous locales were blocked off began on the East Coast, however, spread westbound in three waves as the day wore on and into the night. Also, in an upsetting improvement, the assault seems to have depended on a huge number of web associated gadgets without their proprietors' knowledge — with programming that permits programmers to summon them to surge an objective with overpowering activity.

The assaults were not just more regular, they were greater and more advanced. The run of the mill assault dramatically increased in size. Besides, the aggressors were all the while utilizing diverse techniques to assault the organization's servers, making them harder to stop. The most successive targets were organizations that give web foundation administrations like Dyn.

The main cause and working of the gadgets-

Jason Read, the creator of the web execution checking firm CloudHarmony, possessed by Gartner Inc., said his organization followed a half-hour-long interruption early Friday influencing access to numerous destinations from the East Coast. Dyn is a New Hampshire-based supplier of administration for overseeing DNS, which goes about as switchboard associating web activity. Krebs, whose site was focused by a comparative assault in September, said the XiongMai gadgets are basically unfixable and will remain a threat to others unless they are completely expelled from the web.

These gadgets are thusly used to make a botnet, or robot system, to send a large number of messages that thumps the out casualties' PC frameworks. The source code for Mirai was discharged on the purported dull web, locales that work as a kind of online underground for programmers, toward the start of the month.

The assault comes during an era of increased open affectability and worry that the country's establishments and framework could confront huge scale hacking assaults. The latest illustration has been the arrival of messages stolen from the servers of the Democratic National Committee, which the USA knowledge sources say was the work of Russian Federation.

The theme has come up often amid the fall's hard-battled presidential crusade. The US Department of Homeland Security and Federal Bureau of Investigation both were mutually exploring the late blackout. Dyn authorities wouldn't affirm the figure amid a phone call later Friday with correspondents.

It is too soon to figure out who was behind the assaults, however, it is this kind of assault that has US authorities concerned. They are concerned that an assault could keep nationals from submitting votes.

Thursday, 6 October 2016

Have hackers turned my printer into an offensive weapon?



list
It was just last month that is in September one of the largest net attacks took place with pinpointed a renowned OVH a French hosting firm and a blogger. This single attack is believed to have comprised of over one trillion bits of data. Both of the hacking events marked a change in the methods used by hackers who survive by breaking into websites which hold widespread data add this form of attacks is known as Distributed Denial of Service attacks (DDoS). The data was sent to the targets through and other such "smart" devices which were hijacked by the hackers.

Can I tell if my webcam/DVR/printer is attacking someone? 

Well to be honest, not easily. If you are a medium of bombarding someone else, your internet speed may slow down however it may not be noticed at times of normal browsing while it may be evident when it comes to video or music streaming or games which will lag. For those who are tech savvy, they can make use of software’s which keep a tab on the flow of data packs on their home network, however this is not easy if you are unaware of what you are doing exactly.

Could I get in trouble for letting my webcam attack someone? 

In terms of legality, you can’t get into trouble with the police however it is believed through researches that a hacker can get into your internal network through a webcam hack and keep a tab on everything else. So in such a case you have an intruder which is best if gotten rid of by taking the necessary action.

Why are malicious hackers using these devices? 

That’s because it is way easier to hack in comparison to PCs or servers and these devices tend to make use of default passwords and fail to have any kind of security software in place. And to the benefit of the hackers, there are endless numbers that stay on all day long and it is a task to both update as well as secure. In modern days it is extremely easy for hackers, they are able to target vulnerable devices and put together an army of their own to create a botnet without having to rent hijacked machines like in the past.

What kind of devices are they scanning for? 

Web-associated cameras are especially prominent however outputs are likewise being completed for advanced TV recorders, home routers and printers. All these have a fundamental processor inside that can be subverted to pump out attack packets. Brian Krebs, the blogger who experienced an assault an IoT botnet, has ordered a rundown of gadgets known to have misused his webpage with information. Large portions of the login names and passwords for these gadgets are anything but difficult to-crack. On 1 October, source code for one IoT assault was freely shared, driving some to propose that numerous more malignant programmers will now begin checking for vulnerable gadgets. This guide made by security firm Symantec demonstrates where Europe's botnets are facilitated. Turkey is home to the vast majority of the commandeered devices and PCs.

How new are these types of attacks? 

The main DDoS assaults were seen on the web in 2000. The primary influx of information bombardments was gone for betting locales which were undermined with being thumped disconnected unless they paid an expense. The greater part of those coercion endeavors utilized commandeered PCs to send information. Presently the ascent of the Internet of Things that is populated with brilliant gadgets has commenced recharged enthusiasm for these sorts of assaults. Security scientists have cautioned about the perils of unreliable IoT gadgets for quite a while yet they are beginning to be utilized for critical assaults sooner than numerous individuals anticipated.

Friday, 12 August 2016

Hackers Breach the Ultra-Secure Messaging App Telegram in Iran

Telegram

Telegram Accounts Hacked – Susceptibility of SMS Text Message


According to Reuters, over a dozen Iranian Telegram accounts, like the messaging app having a focus on security have been compromised in the last year due to the susceptibility of an SMS text message.They have recognized around 15 million Iranian users’ phone numbers, which seems to be the biggest known breach of the encrypted communication systems as informed by cyber researchers to Reuters.

 According to independent cyber researcher Collin Anderson and Amnesty International technologist Claudio Guarnieri, studying Iranian hacking groups for three years has informed that the attack which had occurred this year, had not been reported earlier, has endangered the communication of activists, journalist together with several others in sensitive positions in Iran, where Telegram is said to be utilised by around 20 million users.

Telegram tends to endorses itself as an ultra-secure instant messaging system since all the data is encrypted from beginning to end which is known as end-to-end encryption. Various other messaging services comprising of Facebook Inc., WhatsApp state that they have the same proficiencies. Telegram, which is headquartered inBerlin, states that it has 100 million active subscribers and is extensively usedin Middle East, inclusive ofthe Islamic State militant group and in Central and Southeast Asia as well as Latin America.

Authorization Code –Diverted by Phone Company/Shared with Hackers


According to Anderson and Guarnieri, the susceptibility of Telegram is in its use of SMS text messages in activating new devices. When a user tends to log on to Telegram from a new phone, the company directs them with an authorization code through SMS which can be diverted by the phone company and shared with the hackers, according to the researchers.

Equipped with the codes, the hackers can now add new devices to the Telegram account of the user enabling them to read chat histories together with the new messages. Anderson had informed during an interview that they had over a dozen cases where Telegram accounts have been negotiated through ways that sound like fundamentally coordinated with the cellphone company.

According to the researchers, Telegram’s dependence on SMS verification tends to make it defenceless in any country where the cellphone companies are possessed or profoundly influenced by the government.

Iranian Hacking Group – Rocket Kitten


Telegram spokesman stated that customers could defend against these attacks by not relying on the verification of SMS. Telegram enables though it is not essential that customers create passwords which could be reset with the so-called recovery emails.

The spokesman, Markus Ra has informed that if one has a strong Telegram password and the recovery email is secure, the attackers can do nothing about it. The researchers believe that the Iranian hacking group Rocket Kitten is responsible for the Telegram breaches based on resemblances to the setup of past phishing attacks credited to the group.

There is a prevalent rumour that Rocket Kitten tends to have ties to the Iranian government. John Hultquist, managing the cyber espionage intelligence team at the security firm FireEye, of Rocket Kitten has informed that `their focus generally revolves around those with an interest in Iran and defense issues however their action is completely global. With regards to Telegram attacks, it has also been suggested by the researchers that SMS messages could have been conceded by Iranian cell phone companies, which is an industry that has prospective links with the government

Wednesday, 4 May 2016

Hackers Steal Millions of Minecraft Passwords

Minecraft

Minecraft Passwords Stolen by Hackers


Login data of more than seven million members of the Minecraft site Lifeboat has been stolen by hackers. Lifeboat is a service for determined servers and customized multiplayer games for Minecraft Pocket Edition and this data breach tends to affect customers who seem to use the service. If one has used Minecraft Pocket Edition without signing up for Lifeboat, it is ok but if one used Lifeboat, they would possibly get a message compelling them to change the password for the site in early 2015 which was because the company was aware about the hack, though it had not made the information public till recently. Lifeboat permits members to run servers for customised, multiplayer maps for smartphone edition of Minecraft.

There is confirmation that the information that is stolen comprising of email addresses and passwords is provided on site that trade in hacked data. Investigation recommends that passwords were weakly protected and hence attackers could work them out with ease. Evidence regarding the breach had been passed to Tony Hunt, independent security expert, who stated that he had received the list from someone who tends to trade in stolen identifications. Most of the people had informed him that the data had been circulating on dark net sites.

Passwords for Lifeboat Hashed – Little Security


Mr Hunt had mentioned that the data had been stolen in early 2016 though the breach had only been known, now. He said that passwords for Lifeboat accounts were hashed though the procedure utilised provided little security. Hashing is said to be a technique utilised to scramble passwords in order that they are not easily read if the data tends to get stolen or lost. According to Mr Hunt, usually a Google search for hashed password would practically provide it in an accurate plain text and people familiar in cracking tools could possibly computerize and accelerate this procedure.

He further stated that a Google search for a hashed password could quickly return the correct plain text value and well known cracking tools could automate as well as speed up this procedure. He had mentioned in a blogpost regarding the breach that a large percentage of those passwords would be reverted to plain text in a short time. He also informed that this often tends to lead to other security problems since several people re-use passwords and find out one which could lead attackers to compromise accounts on other sites. Lifeboat, in a statement provided to Motherboard, had stated that it had taken action in limiting the damage.

How to Minimise Damage to Users


It informed the news site that when this occurred in early January, they figured the best thing for their players was to quietly force password resets without letting the hackers know they had limited time to act, adding that it now used stronger hashing procedures. It also mentioned that they had not received any reports of anyone being damaged by this. Mr Hunthad been critical of the company for `quietly’ compelling the password re-set stating this policy had left him speechless.

As an alternative, he said that Lifeboat should have done more in alerting users so that they could change passwords rapidly if they used the same one on other sites. He said that the first thing which should be a priority with any company after an incident like this is `How to minimise the damage to the users’.