Issue 44 - Week of Dec 21st

1.       What a year in security 2015 was: The biggest security stories of 2015 include - major cyberespionage groups being uncovered, the most embarrassing data breach in history, an unbelievable Android flaw, and incredibly stupid decisions from two major PC makers. The top 10 are:

a.       Ashley Madison: Hackers were able to breach and steal sensitive data of many users of the infidelity service.

b.      VTech: Suffered a major data breach losing data records of millions of children and their parents.

c.       OPM Hack: Office Of Personnel Management lost millions of sensitive data records of federal employees.

d.      Hacking Team: Surveillance company lost 400GB data, exposed sensitive company data and exposed unknown vulnerabilities that the company was using.

e.      Super fishy security: Dell and Lenovo messed around, Dell added root certificates that help impersonation of any site while Lenovo's superfish left users vulnerable.

f.        Encrypt everything, but leave the back door open: Govt wants backdoor but that makes it possible for hackers to capitalize on. The industry v/s Govt. debate continues.

g.       Android gets stage fright: Hackers can just send a MMS to any android phone and hack it.

h.      Flash crash: When Flash vulnerabilities became public-Mozilla blocked Flash, Facebook called for flash EoL, Amazon dropped it for ads, YouTube switched its default to HTML5 video instead of Flash. Even if Adobe doesn’t kill Flash, the web will.

i.         LastPass Breach: Browser-based password manager LastPass dealt with a major breach. LastPass asked all of its users to reset their master passwords.

j.        Tor hacking: It is believed that FBI paid Carnegie Mellon researchers at least $1 million to hack users on the Tor network in order to reveal their true identities.

2.      2015 Ransonware Wrap-Up:

a.       Pacman: The most highly targeted ransomware attack, the Pacman ransomware only went after Danish chiropractors. The malware was also very difficult to remove.

b.      Tox: Tox was the first to offer ransomware as a service, it offered free toolkit but the site hosting the ransomware takes a 20 percent cut of the profits.

c.       Chimera: Chimera also a ransomware-as-a-service, takes a 50 percent cut of the profits and tries to recruit its victims as new ransomware operators.

d.      CryptoWall 2.0: Used TOR on command-and-control traffic and could execute 64-bit code from its 32-bit dropper.

e.      CryptoWall 3.0: Spread mostly through exploit kits and made $325 million in extortion payments.

f.        Cryptowall 4.0: Nuclear & Angler Exploit Kit used to spread this, steals passwords before encrypting files.

3.      Good guys hacking - 8 Coolest Hacks Of 2015:

a.       Chrysler Jeep hack: Hackers remotely controlled a car on highway by killing its ignition, Chrysler recalled 1.4 million vehicles to fix the bug.

b.      Non smart cars hackable too: Researchers inserted rogue devices in the two police vehicles to reprogram car's electronic operations & attack via mobile devices.

c.       Gun hack: A husband & wife team in August demonstrated how they were able to hack a long-range, precision-guided rifle.

d.      Car wash hack: Web interface in a popular car wash has weak passwords that allows an attacker to hijack the functions to wreak physical damage or score a free wash.

e.      Gas gauge hack: Gas tank monitoring systems at US gas stations have no password protection making them vulnerable to attacks & disrupt the fuel tank operations.

f.        Globalstar hack: A researcher was able to hack the Globalstar satellite data as it was not encrypted, Globalstar has however shot down this work.

g.       GM Onstar hack: A kit called Ownstar that makes it possible to track, remotely unlock & start the engine of GM vehicles that run the OnStar connected car system.

h.      Other cool stuff: DEF CON this year launched its first IoT Hacking Village, everything from Apple network storage, toys, blood pressure monitors, Fitbits, and fridges fell to white-hat hackers there.

4.       87 percent of employees take data they created with them when they leave the company: According to a recent survey - most employees believe they own their work, and take strategy documents or intellectual property with them as they head out of the door. The biggest driver is sense of ownership, 59 percent of them felt the data was theirs while 77% thought the information would be useful in their new job. The common methods used to take data was a Flash or external drive, personal email accounts, hard copies & Dropbox. None of the respondents believed their action will not harm the company. The Security teams have some control on data when the employee is being laid off but when employees leave voluntarily there is hardly any control. To a large extended these can be prevented by using technologies to monitor user behavior -- like behavioral analytics, data exfiltration monitoring -- and regular security awareness programs.

5.       Oracle settles with the FTC over 'deceptive' Java security promises: Oracle acquired Java in 2010 and has been aware of security issues. It promises customers  that updates would keep users' systems safe but in reality, those updates removed only the most recent prior version of the software, leaving older ones intact -- and vulnerable to attacks. Oracle will now be required to notify consumers during the Java SE update process if they have outdated versions of the software on their computer, notify them of the risk of having the older software, and give them the option to uninstall it. In addition, the company will be required to provide broad notice to consumers via social media and their website on how consumers can remove older versions of the software.

6.       Online broadcaster Livestream suffers possible database breach: Live video streaming platform Livestream has discovered that an unauthorized person may have accessed its customer accounts database. The database holds information such as a user's name, email address, an encrypted version of their password, as well as phone numbers and the customer's date of birth. Livestream has issued a warning to users to update their passwords.

7.       Millions of Hello Kitty fans' data exposed by database hack: A database used by Hello Kitty fans has reportedly been found online after servers were hit last month. As many as 3.3 million records are said to be in the database. It's not immediately clear where the database was leaked to, or if the database can be verified for authenticity. The Hello Kitty toy brand has a major sway in far eastern Asian countries, particularly Japan where it was invented. Its parent company Sanrio generates more than $7 billion in revenue from the brand alone.

8.       Yellow Alert Sounded For Juniper Vulns, Feds Called In: The infosec alert level for Juniper backdoors was bumped to yellow last week after the two crucial vulnerabilities rocked the infosec world. As the industry scrambles to fill these gaping holes in its ScreenOS platform, news continues to trickle in that FBI officials are investigating potential nation-state actions that led to the insertion of an authentication backdoor (whose password is public now)  that impacts tens of thousands of devices on the Internet. This fiasco is a major blow-up for government's backdoor rhetoric and a shining example why backdoors are bad.

9.       Yahoo now warns users if they're targets of state-sponsored hackers: The web giant is the latest firm, behind Google, Facebook, and Twitter, to warn users of state attacks. In order to prevent the hackers from learning about Yahoo's detection methods, Yahoo will not share any details publicly about these attacks.

10.   After UP, Maharashtra leads India in cybercrime: In India, the rising cases of hacking, cyber bullying, IP spoofing, credit card fraud has always kept the cyber security team on its toes. As per a recent report - 3,049 people were put behind the bars for committing cybercrime during 2010-2014. Mumbai being the financial capital has seen a 295 per cent increase in cybercrime. Credit card fraud tops the list with hackers using various methods like - Rigged ATM machines, Skimming devices at POS, Phone and email frauds & Duplicate websites. The good news is Banks are getting smarter by issuing EMV cards (Chip and PIN Credit card), Banks are also looking at contact-less credit cards with NFC (Near Field Communication) and RFID technology which do not require swiping of card thereby lowering the chance of any data leakage.