JD Wetherspoon's website hacked, 650,000 people affected

Hackers breached the website of JD Wetherspoon, a major pub chain operating in the UK and Ireland, in mid-June 2015.

The company sent an email to all its customers last week informing them about the breach; the company itself only learned of the breach on December 1.

According to the company, “the attackers gained access to a customer database linked to the firm’s old website, which had been hosted by a third party. At some point after the breach, the website was replaced and taken over by a new service provider that is not connected to the incident.”

The compromised database holds the personal details of 656,723 people who signed up for newsletters, registered as Wi-Fi users, bought online vouchers between January 2009 and August 2014, or used the contact form on the company’s website.

For customers who bought online vouchers, the last four digits of their payment card numbers were also accessed. The company says the website never stored the rest of the card number or the security code, so the exposed digits cannot be used on their own for fraud.

JD Wetherspoon says “there is no evidence of fraudulent activity involving the exposed data, but customers have been advised to beware of emails asking for personal and financial information, or ones that instruct recipients to click on links or install software.”


The investigation is ongoing, and the Information Commissioner’s Office (ICO) in the UK has been notified.

Critical vulnerabilities found in Advantech Modbus gateways

Security researchers have found several critical vulnerabilities in Modbus gateways built by Advantech, devices used to connect serial equipment in industrial control environments to IP networks.

The Advantech EKI series of devices contained hard-coded SSH keys, as well as buffer overflow and code injection flaws in the same product line.

Rapid7 researchers confirmed that the EKI-1322 GPRS IP gateway is also vulnerable to two well-known critical flaws: Shellshock in the bash shell and Heartbleed in the OpenSSL library.

Patches for Shellshock and Heartbleed were released for bash and OpenSSL immediately after those bugs were disclosed, but Advantech did not apply them to the device firmware, and it did not respond to Rapid7's disclosure.

Rapid7's chief research officer, HD Moore, voiced concern that the Shellshock bug had gone unnoticed even though the firmware had already been reverse engineered once, after the earlier hard-coded SSH key findings.

Rapid7 also found a stack-based buffer overflow in the device's DHCP client, version 1.3.20-p10, but the researchers were not certain that this flaw is exploitable.

After the disclosure of the hard-coded SSH keys, Advantech and ICS-CERT issued warnings about hard-coded SSH keys in the EKI-122x series and named the firmware versions that contain the fix.

Hard-coded SSH keys were found in:
EKI-136* product line prior to firmware version 1.27,
EKI-132* product line prior to firmware version 1.98, and
EKI-122*-BE product line prior to firmware version 1.65.

Moore uncovered further problems while examining the SSH configuration: although the devices run Dropbear SSH, host keys were not generated on the device itself (for example at first boot), which is why every unit shipped with the same key.
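A hard-coded host key is easy to spot once you compare keys across devices: two gateways that present the same SSH host key fingerprint are, by construction, sharing a secret that an attacker can extract from any one of them (or from the firmware image) and use to impersonate the rest. The following fleet check is an added example written for this post; it is not Rapid7's or Advantech's code, and the inventory, addresses and key bytes in it are constructed sample data rather than real devices or real keys.

```python
"""Flag SSH host keys shared across devices (a sign of a hard-coded factory key)."""
import base64
import hashlib
import struct
from collections import defaultdict


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey(raw32: bytes) -> str:
    """Build an OpenSSH 'ssh-ed25519' public key line from 32 raw key bytes.

    Used only to construct sample data for this example; the bytes are not a real key.
    """
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def fingerprint(pubkey_line: str) -> str:
    """Return the key's SHA256 fingerprint in OpenSSH's 'SHA256:<unpadded base64>' form."""
    keytype, b64, *_ = pubkey_line.split()
    blob = base64.b64decode(b64)
    # The wire blob starts with the key type; make sure it matches the advertised one.
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("key type mismatch for %s" % keytype)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_keys(host_keys: dict) -> dict:
    """Map fingerprint -> sorted hosts presenting it, for keys seen on more than one host."""
    by_fp = defaultdict(list)
    for host, line in host_keys.items():
        by_fp[fingerprint(line)].append(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}


# Constructed sample inventory (assumed addresses, not real devices): three gateways
# ship the same factory key, one has a per-device key.
FACTORY_KEY = make_ed25519_pubkey(bytes(range(32)))
UNIQUE_KEY = make_ed25519_pubkey(bytes(range(100, 132)))
SAMPLE_INVENTORY = {
    "10.0.0.11": FACTORY_KEY,
    "10.0.0.12": FACTORY_KEY,
    "10.0.0.13": FACTORY_KEY,
    "10.0.0.14": UNIQUE_KEY,
}

if __name__ == "__main__":
    for fp, hosts in shared_keys(SAMPLE_INVENTORY).items():
        print(f"{fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

In practice the inventory comes from `ssh-keyscan -t ed25519,rsa <host>` run against each device; the script then only has to group the collected lines. A duplicate fingerprint is a finding regardless of vendor, and the fix is a firmware that generates the host key on the device rather than one baked into the image.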

FireEye Patches Critical Flaw Found by Google Researchers

FireEye has rushed to patch a serious vulnerability identified in its products by researchers at Google’s Project Zero.

Project Zero researchers Tavis Ormandy and Natalie Silvanovich announced on Friday evening that they had developed a reliable exploit for a remote code execution (RCE) vulnerability affecting FireEye’s Malware Protection System (MPS). The researchers have not published technical details, but Ormandy noted on Twitter that the bug likely affected “every version ever shipped.”

FireEye told SecurityWeek that the RCE vulnerability affected the company’s Network Security (NX), Email Security (EX), Malware Analysis (AX), and File Content Security (FX) products.

“FireEye had been engaged with and was supporting the Google Project Zero team prior to this discovery around the testing of our products. Due to the severity of the vulnerability discovered, we released an automated remediation to customers just 6 hours after notification, mitigating any customer exposure by Saturday morning,” FireEye spokesman Kyrksen Storer said in an emailed statement.

“We are thankful for the opportunity to support the Google team in this process, will continue to support their efforts, and fully support the broader security research community’s efforts to test and improve our products,” Storer added.

This was not the first time researchers reported finding vulnerabilities in FireEye products. In September, FireEye patched several vulnerabilities discovered by Kristian Erik Hermansen and Ron Perris. Hermansen disclosed the details of a flaw before the security firm could release a fix, claiming that he had reported the issue 18 months prior to its public disclosure.

In September, FireEye also resolved five vulnerabilities reported by German security firm ERNW. The issues – which included command injection, code execution, privilege escalation and memory corruption vulnerabilities – affected NX, EX, AX, FX, HX (Endpoint Security) and CM (Central Management) products.

FireEye’s support site currently lists nearly a dozen advisories describing vulnerabilities affecting the company’s products. The list does not include an advisory for the latest flaw reported by Ormandy.

FireEye is not the only security company whose products have been analyzed by the Google researcher. In September, Ormandy reported serious vulnerabilities in products from Kaspersky Lab.

source: Security Week

Smart devices at risk with three-year-old vulnerability

A total of 6.1 million smart TVs, routers and phones are at risk because of a three-year-old vulnerability that many vendors have still not patched.

The problem is a flaw in the Portable SDK for UPnP Devices (libupnp): a buffer overrun that lets an attacker run arbitrary code on an affected device and so take control of it.

Devices that lack defences such as data execution prevention (DEP) and address space layout randomization (ASLR) are the most exposed, because nothing stands between the overrun and reliable code execution.

The library is used to implement media playback (DLNA) and NAT traversal (UPnP IGD). Apps on a smartphone use these features to play media files or to connect to other devices on a user’s home network.


Although a patch for the component was issued in December 2012, security software company Trend Micro found 547 apps still using an older, unpatched version of it. 326 of those are available on the Google Play store, including high-profile apps such as Netflix and Tencent QQMusic.

The vulnerable library is also widely found in 3G and 4G cellular USB modems and routers.
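Routers and modems that embed libupnp usually announce it: the library puts "Portable SDK for UPnP devices/<version>" in the SERVER header of its SSDP and HTTP responses, so a first triage pass over a network is to collect SSDP replies and compare the advertised version against the fixed release. The script below is an added example for this post, not Trend Micro's tooling; it assumes 1.6.18 (the December 2012 release that fixed the SSDP overruns) as the minimum safe version, and the responses and addresses in it are constructed sample data.

```python
"""Triage SSDP responses for devices advertising a libupnp build older than the fix."""
import re

# Assumed baseline: libupnp 1.6.18 is the December 2012 release containing the fix.
# Adjust if you track a different minimum.
MIN_SAFE_VERSION = (1, 6, 18)
_LIBUPNP_RE = re.compile(r"Portable SDK for UPnP devices/(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """'1.6.6' -> (1, 6, 6); tuples compare component-wise, so (1, 6, 6) < (1, 6, 18)."""
    return tuple(int(p) for p in text.split("."))


def libupnp_version(message: str):
    """Return the libupnp version tuple from a response's SERVER header, or None
    when the device does not advertise libupnp at all."""
    for line in message.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            match = _LIBUPNP_RE.search(value)
            if match:
                return parse_version(match.group(1))
    return None


def is_vulnerable_banner(message: str) -> bool:
    """True only when a libupnp version is advertised and it predates the fix."""
    version = libupnp_version(message)
    return version is not None and version < MIN_SAFE_VERSION


def triage(responses: dict) -> list:
    """Given {source_ip: raw SSDP response}, list the hosts running an old libupnp."""
    return sorted(ip for ip, msg in responses.items() if is_vulnerable_banner(msg))


# Constructed sample replies to an M-SEARCH (assumed addresses, not real devices).
SAMPLE_RESPONSES = {
    "192.168.1.1": (
        "HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
        "SERVER: Linux/2.6.30 UPnP/1.0 Portable SDK for UPnP devices/1.6.6\r\n"
        "ST: upnp:rootdevice\r\n\r\n"
    ),
    "192.168.1.20": (
        "HTTP/1.1 200 OK\r\n"
        "SERVER: Linux/3.10 UPnP/1.0 Portable SDK for UPnP devices/1.6.19\r\n"
        "ST: upnp:rootdevice\r\n\r\n"
    ),
    "192.168.1.30": "HTTP/1.1 200 OK\r\nSERVER: Windows/10.0 UPnP/1.0 Custom/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for ip in triage(SAMPLE_RESPONSES):
        print(f"{ip}: libupnp {'.'.join(map(str, libupnp_version(SAMPLE_RESPONSES[ip])))} predates the fix")
```

To gather real responses, send an SSDP M-SEARCH to the multicast group 239.255.255.250 on UDP port 1900 and record each reply with its source address. Treat the result as a starting point only: a vendor can rewrite the banner, and a device that advertises nothing is not thereby proven safe.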


Concern is growing over how manufacturers of devices such as routers and smart TVs handle security vulnerabilities that emerge in their products.

Android and iOS developers need to keep an eye out for security fixes in the third-party C/C++ libraries they bundle, and update their apps accordingly.

Data hacked at UK pub chain JD Wetherspoon

The latest firm to be hit by a cyber attack is UK pub chain JD Wetherspoon. The website of one of Britain’s biggest pub companies has been hacked, exposing customers’ personal details.

The attack leaked the names, email addresses and birth dates of 650,000 customers, as well as partial card details of 100 others.

The company statement said: “These credit or debit card details cannot be used on their own for fraudulent purposes, because the first 12 digits and the security number on the reverse of the card were not stored on the database.”

Wetherspoon said the breach occurred in June but was only discovered recently.
The company has alerted customers by email and informed the Information Commissioner’s Office in the UK.

In a letter to customers, Chief Executive John Hutson said the company has taken all necessary measures to make the website secure again. A forensic investigation into the breach is continuing.

Customers have been advised to remain vigilant for unexpected emails asking for personal information, and for messages asking them to click on links or download files.

Hutson added, "We apologize wholeheartedly to customers and staff who have been affected. Unfortunately, hacking is becoming more and more sophisticated and widespread. We are determined to respond to this by increasing our efforts and investment in security and will be doing everything possible to prevent a recurrence.”


CERT – In empanelment norms may be suboptimal for national cyber security

“IT security compliance is a mandatory requirement for critical sector organisations. Due to a Government directive or prevailing legal/regulatory provisions, only CERT-In empanelled IT security auditing organisations are eligible to carry out such IT security audits.” (Guidelines for applying to CERT-In for Empanelment of IT Security Auditing Organisations)

The Indian Computer Emergency Response Team (CERT-In) no doubt had the best intentions in mind when it issued its guidelines. But as they say, the best laid plans sometimes go awry, and such a result may arise as a consequence of some of the technical qualifications specified in the guidelines.

Why should CERT-In be in the business of empanelling organisations or pre-qualifying the security industry? Neither in the US nor in the UK, for example, do the respective CERTs get involved in such issues. Does a CERT-In empanelment guarantee anything, or is it part of a bureaucratic checklist? Such practices also fly in the face of the Government’s commitment to Less Government and More Governance. The empanelment norms may also result in regulatory capture.

Pre-qualification criteria such as a minimum number of technical staff, formal qualifications, formal experience and a number of formal audits in a specified time frame may be acceptable for financial audits, medical audits, bridge inspection and the like, but they do not make sense in the area of cyber security.

The best in cyber security in India, indeed the world over, are freelancers: young kids/hackers who are on the halls of fame of companies such as Google, Facebook and Microsoft for having discovered vulnerabilities that bypassed the expert eyes of hundreds of highly qualified and experienced domain experts in those organisations. These freelancers and individuals have no certifications, no formal qualifications, no formal audit experience and will never work formally with any organisation.

Countries like the US have realised this. Instead of concentrating on a few empanelled entities, organisations there are more focused on 0-day exploit finders and bug bounty hunters. These countries realise that the main threat comes from hundreds of highly motivated (if maliciously so), highly skilled, highly unconventional individuals working alone or in informal partnerships. Cyber risks are asymmetrical, unconventional and global, and as such need an appropriate response.

Empanelment can also breed complacency, a false sense of security. In contrast, what effective cyber security needs is a degree of paranoia. Will anyone get fired for ineffective cyber security if the security audit has been done by a firm empanelled by CERT-In? Will CERT-In formally certify an organisation’s cyber security preparedness if the security audit is done by an empanelled firm? Will CERT-In and the empanelled firms provide financial guarantees to back up cyber audits?

It is commonly known that ISO 27001, as implemented in India by auditors, concentrates more on process than on ferreting out vulnerabilities. Out of the 25 organisations that CSPF has done security consulting with, 21 suffered a hacker attack despite being certified by auditors. The certification did not prevent hackers from gaining access to data in these organisations. All 25 organisations had ISO 27001 certification and were conducting vulnerability assessments and penetration testing every 3 months, as is mandatory under ISO 27001. When CSPF did an APT assessment post incident, it found that their websites even had simple vulnerabilities like CSRF and SQL injection (almost 3 of the 10 OWASP Top 10 vulnerabilities). In over 50% of cases, formal discovery of APT attacks or cyber espionage was made only 7-8 months after the actual event.

0-day exploits, or unknown vulnerabilities in software, are amongst the most potent tools used by black hat hackers for cyber attacks. How many cases does one know of black hats revealing their 0-day secrets, especially to security auditors? They would make more money selling them to national security agencies or governments for use as espionage tools.

To counter black hats, one needs equally motivated, unconventional and highly skilled white hats, who are more often than not lone wolves. Some of the best white hats this writer knows of have not even passed Std 10, but are on the Google hall of fame. This is the talent India needs to leverage, and talent that India cannot afford to waste.

Critical infrastructure organisations and businesses in India need to look beyond CERT-In empanelled security auditors. Formal rules and norms apart, organisations need to set up liberal bug bounty programs and invite independent bug bounty hunters to take a crack. This alone will separate the men from the boys.

J Prasanna, Founder, Cyber Security & Privacy Foundation

Critical vulnerabilities in Zen Cart patched

Swiss security firm High-Tech Bridge reported a critical security issue in Zen Cart, a popular open source shopping cart used by a large number of websites. The issue was reported on November 25, and Zen Cart patched it within 24 hours.

The vulnerability was a PHP file inclusion flaw in the /ajax.php script. By exploiting it, a remote attacker could execute arbitrary PHP code and gain full access to the application's files and database. According to High-Tech Bridge CEO Ilia Kolochenko, the vulnerability was very easy to exploit, and exploitation was possible even on hardened web servers.

Only the most recent version, Zen Cart 1.5.4, had the flaw, as earlier versions did not ship the vulnerable script; the fix was simply to replace /ajax.php with the patched version.
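The post does not give the details of the Zen Cart bug, so the following is an added illustration of the vulnerability class rather than Zen Cart's code: a request parameter is spliced into the path of a file the application then loads, which lets an attacker walk out of the intended directory. In PHP the loaded file is executed by `include`/`require`, which is what turns this into remote code execution; the Python below only reads the file, so it shows the path problem and the fix (an allowlist plus a resolved-path containment check) without running anything. The directory layout, handler names and the "secret" file are constructed for the example.

```python
"""Untrusted-parameter file loading: the inclusion bug pattern beside a hardened dispatcher."""
import os
import tempfile


def setup_sandbox() -> str:
    """Create a throwaway tree: <root>/handlers/*.php plus a config file outside it.

    Constructed data for the example; nothing here is a real application."""
    root = tempfile.mkdtemp()
    handler_dir = os.path.join(root, "handlers")
    os.mkdir(handler_dir)
    for name in ("cart", "checkout"):
        with open(os.path.join(handler_dir, name + ".php"), "w") as f:
            f.write(f"<?php // {name} handler\n")
    with open(os.path.join(root, "configure.php"), "w") as f:
        f.write("<?php $db_password = 'hunter2';\n")
    return root


def load_vulnerable(root: str, act: str) -> str:
    """The bug pattern: the untrusted 'act' value is spliced straight into the path.

    act='../configure' resolves to <root>/configure.php, outside the handler directory."""
    path = os.path.join(root, "handlers", act + ".php")
    with open(path) as f:
        return f.read()


ALLOWED_HANDLERS = {"cart", "checkout"}  # assumed handler names for the example


def load_hardened(root: str, act: str) -> str:
    """Dispatch only to known handlers, and verify the resolved path stays inside the directory."""
    if act not in ALLOWED_HANDLERS:  # primary control: exact-match allowlist
        raise ValueError(f"unknown handler: {act!r}")
    handler_dir = os.path.realpath(os.path.join(root, "handlers"))
    path = os.path.realpath(os.path.join(handler_dir, act + ".php"))
    # Defence in depth: even if the allowlist is later loosened, refuse anything
    # whose canonical path (symlinks resolved) is not under the handler directory.
    if os.path.commonpath([handler_dir, path]) != handler_dir:
        raise ValueError("path escapes handler directory")
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    root = setup_sandbox()
    print("vulnerable:", load_vulnerable(root, "../configure").strip())
    try:
        load_hardened(root, "../configure")
    except ValueError as exc:
        print("hardened:", exc)
```

The allowlist is the control that matters; the realpath check is there so that a future change to the allowlist (or a symlink dropped into the handler directory) does not silently reopen the hole. Replacing a single script with a patched copy, as Zen Cart did, is the right emergency fix, but the durable one is never to build a load path from request data in the first place.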

Zen Cart also released patches for medium- and low-severity vulnerabilities. The medium-severity issue was a cross-site scripting (XSS) flaw in the "order comments" field; it was reported by Trustwave and affected Zen Cart 1.5.4 and earlier versions. A low-severity fix addressed an incorrect password being retained in an input field, which caused invalid login attempts.

Trustwave also disclosed further XSS vulnerabilities for which patches have not yet been released. These have been classified as low severity because they cannot be exploited without an admin login, so a third party cannot use them to cause harm.

Microsoft offers potentially unwanted applications protection

Microsoft has decided to keep potentially unwanted applications (PUAs) off its users' Windows systems, and has started offering PUA protection in its anti-malware products for enterprise customers.

Microsoft is helping administrators block these unwanted apps with a new feature in Microsoft System Center 2012 Configuration Manager.

Microsoft Malware Protection Center (MMPC) staff, in a Nov. 26 announcement, stated: "If you are an enterprise user, and you are running System Center Endpoint Protection (SCEP), or Forefront Endpoint Protection (FEP), it's good to know that your infrastructure can be protected from PUA installations when you opt-in to the PUA protection feature.”

Potentially unwanted applications increase the risk to a network: they can bring malware with them, waste help desk time, put data at risk and impose an additional burden on IT personnel.

The PUA protection feature acts much like antivirus software. In the MMPC announcement, Microsoft stated: "PUA protection updates are included as part of the existing definition updates and cloud protection for Microsoft's enterprise customers. No additional configuration is required besides opting into PUA protection. When enabled, client systems will begin detecting and blocking PUAs after the next system restart or signature update. Blocked PUAs can be viewed in SCEP's history tab.”


Before enabling PUA protection, however, companies are advised to first create a clear corporate policy and inform users of the updated policy or guidance, so that they are aware that potentially unwanted applications are not allowed in the corporate environment.

Chinese Cybercriminal gang uses Dropbox to Target Media outlets

A Chinese Advanced Persistent Threat (APT) group allegedly responsible for attacks against foreign governments and ministries has shifted its focus to Hong Kong-based media companies, and is using Dropbox as the command-and-control channel for its malware.

The group, tracked as ‘admin@338’, has been active since 2008 and uses publicly available Trojans such as ‘Poison Ivy’ to attack organizations in the financial services, telecoms, government and defense sectors. The group is also known to use some non-public backdoors.

This is the first instance, however, in which the group has used phishing lures written in Chinese. Each phishing email carried three attachments containing exploits for CVE-2012-0158, a patched buffer overflow in the Windows Common Controls library that Microsoft fixed in early 2012.

On execution, the exploit drops a backdoor dubbed ‘Lowball’, which syncs with a legitimate Dropbox account controlled by the attackers and uses it as its command channel.

In the first stage, Lowball runs a number of commands on the infected computer and uploads their output to the Dropbox account. The attackers retrieve and analyse that information and, if the target is judged worthwhile, deliver a second-stage backdoor called ‘Bubblewrap’, which is used for remote control and data theft.

This research was published by network security company FireEye.
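Because the C2 channel is a legitimate cloud service, blocking by destination is not an option for most organisations; what you can do is look for hosts that talk to the Dropbox API in a way the real client does not. The detector below is an added example for this post (not FireEye's code or indicators) and runs over constructed proxy log lines with assumed hosts, addresses and user agents; the two signals it combines, a non-Dropbox user agent on Dropbox API traffic and requests at a near-fixed interval, are the author's choice of heuristics, not behaviour the report attributes to Lowball.

```python
"""Spot hosts that look like they are using the Dropbox API as a command channel."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log, one request per line:
# "<ISO timestamp> <client_ip> <method> <host> <bytes_sent> <user_agent>".
# Hosts, addresses and user agents are assumed for illustration only.
SAMPLE_LOG = """\
2015-11-20T09:00:00 10.1.1.5 POST api-content.dropbox.com 812 Mozilla/4.0
2015-11-20T09:05:01 10.1.1.5 POST api-content.dropbox.com 790 Mozilla/4.0
2015-11-20T09:10:00 10.1.1.5 POST api-content.dropbox.com 843 Mozilla/4.0
2015-11-20T09:15:02 10.1.1.5 POST api-content.dropbox.com 801 Mozilla/4.0
2015-11-20T09:20:00 10.1.1.5 POST api-content.dropbox.com 822 Mozilla/4.0
2015-11-20T09:03:12 10.1.1.9 POST api-content.dropbox.com 5242880 DropboxDesktopClient/3.10
2015-11-20T11:47:55 10.1.1.9 POST api-content.dropbox.com 1048576 DropboxDesktopClient/3.10
2015-11-20T09:01:00 10.1.1.7 GET www.example.com 0 Mozilla/5.0
"""

# Assumed API hostnames to watch; extend from your own proxy data.
DROPBOX_API_HOSTS = {"api.dropbox.com", "api-content.dropbox.com", "content.dropboxapi.com"}


def parse_log(text: str) -> list:
    """Turn the space-separated log format above into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, host, nbytes, ua = line.split(maxsplit=5)
        records.append({"ts": datetime.fromisoformat(ts), "ip": ip, "method": method,
                        "host": host, "bytes": int(nbytes), "ua": ua})
    return records


def beacon_score(timestamps: list) -> tuple:
    """Return (request count, coefficient of variation of the gaps between requests).

    A CV near zero means the requests arrive on a fixed schedule, which is how a
    backdoor polls for tasking; human or sync-client traffic is far burstier."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return len(ts), None
    return len(ts), statistics.pstdev(gaps) / statistics.mean(gaps)


def suspicious_hosts(records: list, min_requests: int = 4, max_cv: float = 0.05) -> dict:
    """Return {client_ip: [reasons]} for clients that reach the Dropbox API with a
    non-Dropbox user agent *and* on a near-fixed interval (both signals required)."""
    per_ip = defaultdict(list)
    for r in records:
        if r["host"] in DROPBOX_API_HOSTS:
            per_ip[r["ip"]].append(r)
    findings = {}
    for ip, rs in per_ip.items():
        reasons = []
        if not any("dropbox" in r["ua"].lower() for r in rs):
            reasons.append("Dropbox API traffic with a non-Dropbox user agent")
        count, cv = beacon_score([r["ts"] for r in rs])
        if count >= min_requests and cv is not None and cv <= max_cv:
            reasons.append(f"{count} requests at a near-fixed interval (cv={cv:.3f})")
        if len(reasons) == 2:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in suspicious_hosts(parse_log(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(reasons))
```

Requiring both signals keeps the genuine desktop client (large, irregular uploads with its own user agent) out of the results. The thresholds are deliberately tight; widen `max_cv` once you have measured how regular your own fleet's legitimate API traffic is, and feed any hit into a host-level check for an Office document spawning the process that made the requests.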

The same group was suspected of launching a phishing campaign against media organizations in Hong Kong in August. In March last year it leveraged the disappearance of Malaysia Airlines Flight MH370 to target a government in the Asia-Pacific region and a US-based think tank.

This is not the first time Chinese attackers have targeted media outlets in search of sources, in order to stay ahead of the news cycle.
In January 2013, Mandiant blamed hackers allegedly connected to the Chinese government for a breach at the New York Times. The intruders broke into the email accounts of investigative journalists seeking information on a corruption scandal involving then-Chinese premier Wen Jiabao.


Jakub escapes punishment after his video reaches 200,000 views


A 30-year-old convicted software pirate has escaped a cash penalty after a video he made reached 200,000 views on YouTube.

A Czech court had ordered that Jakub F could produce 200,000 views of a public service announcement (PSA) as an alternative to paying what the aggrieved copyright holders had calculated as their financial loss from his piracy.

The video, entitled “The Story of my Piracy”, is a faithful depiction of how Jakub initially enjoyed pirating software before being tracked down and receiving a visit from the police.

Had he failed to reach the target, he would have had to pay around $373,000, with Microsoft alone claiming $223,000.

It all started when the firms, which included Microsoft, HBO Europe, Sony Music and 20th Century Fox, estimated that their combined losses ran to hundreds of thousands of pounds, with Microsoft alone valuing its losses at 5.7m Czech crowns (£148,000).

But, Business Software Alliance (BSA), which represented Microsoft, acknowledged that Jakub could not pay that sum.

After that, the companies said they would be happy to receive only a small payment and his co-operation in the production of the video.

They put a condition that the video would have to be viewed at least 200,000 times within two months.


A spokesman for the BSA told the BBC that the stipulation was there to ensure Jakub would help share the video as widely as possible. Had he not managed it, the firms would have had grounds to bring a civil case for damages.

Vtech hacked, customers’ information accessed by intruders

Children’s toys are proving a recurring target for hackers, whether because they are easy to break into or simply because of the data behind them.

VTech, a Hong Kong-based global supplier of electronic learning products for infants through preschoolers and the world's largest manufacturer of cordless phones, has disclosed that its app store database was hit by “unauthorized access”.

Customers use that app store to download games, e-books and other content onto their VTech devices.

The company made the breach public in a post on November 27, stating that the names, home and email addresses, security questions and answers and other information of millions of families had been taken from the toymaker's database on November 14.

“An unauthorized party accessed VTech customer data housed on our Learning Lodge app store database on November 14, 2015 HKT. Learning Lodge allows our customers to download apps, learning games, e-books and other educational content to their VTech products,” the firm wrote in the post.

The firm has not, however, given an exact number of victims.

After discovering the unauthorized access, the company started an investigation, which included a comprehensive check of the affected site and the implementation of measures to defend against further attacks.

“Our customer database contains general user profile information including name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history,” it added.

The company has clarified that the database does not contain any customer credit card information.

“VTech does not process nor store any customer credit card data on the Learning Lodge website. To complete the payment or check-out process of any downloads made on the Learning Lodge website, our customers are directed to a secure, third party payment gateway,” the post read.

Furthermore, the customer database does not contain any personal identification data, such as ID card numbers, Social Security numbers or driving licence numbers.

The investigation is still under way, and the firm is looking for additional ways to strengthen the security of the Learning Lodge database.