
Tinder Vulnerability Lets Anyone Snoop Over Users Swipe, Match and Photos

Israeli security firm Checkmarx has found two critical vulnerabilities in the popular dating app Tinder that let an attacker watch a user's every move in the app.

The firm has released a report entitled “Are You on Tinder? Someone May Be Watching You Swipe.” It covers two distinct and potentially troubling flaws. The first concerns Tinder's unsecured protocol: anyone connected to the same WiFi network as you can potentially snoop on your Tinder photos and see the matches you have made.

The first flaw, CVE-2018-6017, takes advantage of the fact that the app does not use secure HTTPS connections to fetch users' profile pictures. An attacker monitoring the network traffic can therefore see which device is looking at which profiles.

Erez Yalon, Checkmarx’s manager of application security research, said: “We can simulate exactly what the user sees on his or her screen. You know everything: What they’re doing, what their sexual preferences are, a lot of information.”

The second flaw, CVE-2018-6018, concerns the swipes and likes themselves, which do travel over HTTPS. Each action, however, produces a different amount of data: rejections require 278 bytes, approvals require 374 bytes and likes require 581 bytes. By writing code that measures the size of each encrypted response and combining this with the first flaw, an attacker could easily discover which profiles you are accepting and rejecting.
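As an added illustration (not Checkmarx's Tinderdrift tool or any Tinder code), the following Python models the length side channel using the three sizes above and shows why padding every response up to a common block size removes it; the capture list is constructed, not real traffic.

```python
"""Added example: response-length side channel over TLS (as described
for CVE-2018-6018) and the fixed-size padding that closes it.
All sizes and the capture are constructed from the article's figures."""
from collections import Counter

# Encrypted response size per swipe action, as reported in the article.
ACTION_SIZES = {"reject": 278, "approve": 374, "like": 581}

# Constructed list of ciphertext lengths as a passive observer on the same
# network would see them; TLS hides the content, not the length.
CAPTURE = [278, 374, 581, 278, 278, 581, 374, 278]


def classify_by_length(length, size_table=ACTION_SIZES):
    """Return the action whose known size matches an observed length, or
    'ambiguous' when no action or more than one action has that size."""
    matches = [a for a, s in size_table.items() if s == length]
    return matches[0] if len(matches) == 1 else "ambiguous"


def recover_actions(capture, size_table=ACTION_SIZES):
    """Apply the classifier to every observed length in a capture."""
    return [classify_by_length(n, size_table) for n in capture]


def leaked_actions(size_table):
    """Actions whose length is unique in the table: an observer can
    identify these from size alone, so they still leak."""
    counts = Counter(size_table.values())
    return sorted(a for a, s in size_table.items() if counts[s] == 1)


def pad_to_block(length, block):
    """Mitigation: round a response up to a multiple of `block` bytes
    (ceiling division) so differently sized responses collide."""
    return -(-length // block) * block


def padded_sizes(block=1024, size_table=ACTION_SIZES):
    """Size table the observer would see if the server padded responses."""
    return {a: pad_to_block(s, block) for a, s in size_table.items()}


if __name__ == "__main__":
    print("recovered from unpadded capture:", recover_actions(CAPTURE))
    for block in (256, 512, 1024):
        table = padded_sizes(block)
        print(f"block={block}: sizes={table} still leaks={leaked_actions(table)}")
```

A block of 512 bytes still leaves "like" identifiable (it alone rounds to 1024), so the padding size must be chosen against the largest response, at some bandwidth cost.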

The security firm created a simple program called Tinderdrift to demonstrate the two vulnerabilities in the dating app.

“We take the security and privacy of our users very seriously. We employ a network of tools and systems to protect the integrity of our global platform,” said a Tinder representative. "That said, it’s important to note that Tinder is a free global platform, and the images that we serve are profile images, which are available to anyone swiping on the app.”

In response to these flaws, the company also issued a statement which reads, “We are working towards encrypting images on our app experience as well. However, we do not go into any further detail on the specific security tools we use, or enhancements we may implement to avoid tipping off would-be hackers.”

Will the next cold war be fueled by AI?

It is easy to confuse the current geopolitical situation with that of the 1980s. The United States and Russia each accuse the other of interfering in domestic affairs. Russia has annexed territory over U.S. objections, raising concerns about military conflict.

As during the Cold War after World War II, nations are developing and building weapons based on advanced technology. During the Cold War, the weapon of choice was nuclear missiles; today it is software, whether it is used for attacking computer systems or targets in the real world.

As tensions between the US and Russia escalate, both sides are developing technological capabilities, including artificial intelligence that could be used in the conflict. Artificial intelligence has increasingly been integrated into the weapons systems of the world's leading militaries, and at least one expert has said the futuristic technology may soon be the subject of a new Cold War.
In a piece published Tuesday by The Conversation, North Dakota State University assistant professor Jeremy Straub argued that unlike the nuclear weapons that dominated much of the 21st century arms race between the U.S. and the Soviet Union, the use of cyberweapons and artificial intelligence largely remained "fair game," even as tensions again flared between the rivals. Both countries have invested heavily in developing new tools to wage war on this new front, but Russia particularly has sought to use it as an opportunity to upstage the more conventionally powerful U.S.

Russian rhetoric about the importance of artificial intelligence is picking up – and with good reason: As artificial intelligence software develops, it will be able to make decisions based on more data, and more quickly, than humans can handle.

Just like the Cold War in the 1940s and 1950s, each side has reason to fear its opponent gaining a technological upper hand. In a recent meeting at the Strategic Missile Academy near Moscow, Russian President Vladimir Putin suggested that AI may be the way Russia can rebalance the power shift created by the US outspending Russia nearly 10-to-1 on defence each year. Russia’s state-sponsored RT media reported AI was “key to Russia beating [the] US in defence.”

There is therefore grave cause for worry that the world is entering, or is perhaps already in, another cold war, this time fuelled by AI.

Smell of doubt in Bitcoins online


Cybersecurity experts claim to have unearthed a scam in which ransomware authors and their victims are both cheated, even when the payment is made in Bitcoin. A hefty sum sent through this innovative payment network can end up with an anonymous third party instead.

Ordinarily, when a victim pays the ransom in Bitcoin online, the entire amount goes straight into the hackers' pockets, since they are the ones holding the encrypted files hostage.

A victim caught by ransomware is told to pay via a Tor .onion site on the dark web, and that is the moment at which the payment can be hijacked within this nefarious network.

Many victims, even after being hit, have no idea how to install the Tor browser. In a state of utter confusion, they fall back on a Tor proxy. Instead of providing relief, this puts the payer in further danger: whoever runs such a service can turn it into a man-in-the-middle, because the proxy is what lets anyone reach a .onion address from an ordinary website.

According to the cybersecurity experts, they have found one such Tor proxy tampering with ransomware payments, so that both the ransomware's authors and its victims are cheated.

The experts say that when ransomware payment pages are visited via the Onion.top Tor-to-web proxy, the page is altered so that a different Bitcoin address is displayed.

Then what is the way out? The experts have an answer: the only sure way to keep this scam at bay is to avoid ransomware infecting personal computers or smartphones in the first place.



Security Flaw in Oracle POS systems discovered

Researchers at ERPScan have discovered a new security flaw in the Oracle Micros Point-of-Sale (POS) systems that has left over 300,000 systems vulnerable to attack from hackers.

It was discovered in September 2017 by Dmitry Chastuhin, a security researcher, and was named “CVE-2018-2636”.

Oracle already issued updates for this issue earlier in the month, but because companies fear unstable patches and the losses they can cause, it is suspected that it may take months for the patch to reach affected systems.

According to Chastuhin, the flaw enables hackers to collect configuration files from the POS systems and gain access to the server.

Hackers can also exploit the flaw remotely using carefully crafted HTTP requests. Many of the vulnerable systems are misconfigured to allow such access and are reachable online, so they could easily be exploited if the patches aren’t applied soon.

Patches for the flaw were made available in January 2018 in Oracle’s Critical Patch Update (CPU).

GPS jammers - an emerging cause of worry

The annual Red Flag war exercise by the US Air Force will cause disruptions to the GPS and navigation systems of many commercial flights in the region, according to Foxtrot Alpha. In some cases electronics may be jammed completely.

Red Flag is the Air Force’s top air war training exercise, bringing together USAF fighter, bomber, tanker, and ISR squadrons with select allies for coordinated training over the 5,000 square-mile Nevada Test and Training Range (NTTR). For Red Flag 2018, which kicked off last week and will run through February 16, the Air Force will black out GPS, forcing aircrews to execute strike missions without their familiar satellite-based guide.

Training exercises are limited to 8-11 pm PST, but that will be enough to cause some major disruptions.

Critical infrastructure and emergency services need a satellite back-up.

The UK must reduce the dependency of its critical infrastructure and emergency services on GPS technology to mitigate against the potentially disastrous impact of signal jamming, a government report has warned.

In a foreword to the long-awaited document from the Government Office of Science, Cabinet Office minister Oliver Dowden said global navigation satellite systems (GNSS) are often described as an “invisible utility.” He said: “It is in our national interest, as this report makes clear, that we recognise the precise nature and extent of our dependence on GNSS.

"We must take steps to increase the resilience of our critical services in the event of GNSS disruption, including by adopting potential back-up systems where necessary," he wrote in the Satellite-derived Time and Position: A Study of Critical Dependencies report (PDF).

Even the US military is worryingly dependent on GPS. The global positioning satellites tell planes where they are, provide targeting info for smart weapons, and support communication and navigation systems. But in a war with a tech-advanced adversary—think China, Russia, or Iran—GPS could become a big liability because it could be jammed, spoofed, or outright destroyed.

According to Flying Magazine, the National Business Aviation Association (NBAA) issued a warning to expect delays.

So how does the U.S. Air Force train for such a scenario? Simple—just turn it off.

Researchers discover Malware Samples Designed to Exploit CPU Vulnerabilities

Researchers have recently found more than 130 malware samples designed to exploit the recently disclosed Spectre and Meltdown CPU vulnerabilities, which allow malicious applications to bypass memory isolation mechanisms and gain access to passwords, photographs, documents, emails and other sensitive data.

Experts cautioned that remote attacks could follow soon after Spectre and Meltdown were disclosed on January 3, and on top of that a JavaScript-based proof-of-concept (PoC) exploit for Spectre was also made publicly available.

On Wednesday, January 17, the antivirus testing firm AV-TEST announced that it had obtained 139 samples from various sources, including researchers, analysts and antivirus companies, and had also observed 77 malware samples apparently related to the CPU vulnerabilities, with that number rising to 119 by January 23. The experts believe, however, that the existing malware samples are still in the "research phase" and that attackers are most likely looking for ways to extract more information from computers, especially via web browsers.



“Most appear to be recompiled/extended versions of the PoCs - interestingly, for various platforms like Windows, Linux and MacOS,” says Andreas Marx, CEO of AV-TEST, adding: “We also found the first JavaScript PoC codes for web browsers like IE, Chrome or Firefox in our database now.”

Fortinet, which has also analysed a significant number of the samples, confirmed that most of them were based on publicly available PoC code.

Processor and operating system vendors have been working on microcode and software mitigations for the Meltdown and Spectre attacks, but the patches have frequently caused problems, prompting organisations to halt updates and disable the mitigations until those problems are resolved.


In addition to installing operating system and BIOS updates, Marx proposed a couple of further measures that have a good chance of reducing the attacks: turning off the PC when it is not needed for over an hour, and closing web browsers during work breaks. He is confident that adopting these habits would shrink the attack surface considerably and also save quite some energy.

Digital security certificates are no more safe


Digital security certificates assure regular users that the websites they visit are trusted and free from malicious code. But what if these certificates are themselves compromised?

Modern digital security certificates provide confidential, encrypted communication between users and website owners; a message can be decrypted only with the private key held by the website owner. As a result, hackers or data miners without the certificate cannot intercept or gain access to confidential information exchanged between the user and the owner.

Modern antivirus services can immediately block websites or software that are not secured by such certificates, making it difficult for anyone to inject malicious code into devices via compromised websites.

According to Haydn Johnson, senior consultant at KPMG, modern digital certificates are trusted because "they require payment and proof of identity to tie the code, document, or application to the legitimate organization. They verify that the Certificate actually belongs to the person, organization, or entity that is noted in the certificate. This approach prevents cyber-criminals from masquerading malware as legitimate software or website."


"With a certificate, the malware is allowed to run in a trusted state. Bypassing these technologies can save a cyber-criminal organization considerable development time and money," Johnson adds.

Fitness app published exercise routes of Soldiers


A fitness tracking app has published the exercise routes of US military personnel at bases around the world.

The app, Strava, was criticised by security experts for releasing a "heatmap" showing the paths that users log as they run or cycle.

The California-based company defended itself by describing itself as a "social network for athletes" whose mobile apps and website connect millions of people every day.

The heatmap traced the outlines of foreign military bases in countries such as Syria and Afghanistan as soldiers moved around them. The US military said it was investigating the heatmap.

"Recent data releases emphasize the need for situational awareness when members of the military share personal information," Pentagon spokesman Major Adrian J.T.

Strava has more than 27 million users around the world.

Strava's Heat Map was first noticed by Nathan Ruser, a university student who studies the Middle East and security issues in Sydney, Australia. He tweeted about Strava's global Heat Map, "It looks very pretty, but not amazing for Op-Sec. U.S. bases are clearly identifiable and mappable."

"I thought the best way to deal with it is to make the vulnerabilities known so they can be fixed. Someone would have noticed it at some point. I just happened to be the person who made the connection."

Rankine-Galloway of the Pentagon said, "We take matters like these very seriously and are reviewing the situation to determine if any additional training or guidance is required and if any additional policy must be developed to ensure the continued safety of DoD personnel at home and abroad.‎"

Dutch Tax Authority and Banks Face DDoS Attacks

The national tax office in the Netherlands and several of the country’s largest banks were hit by a distributed denial-of-service (DDoS) attack on Monday.

The tax office said that its website had gone down for 5-10 minutes after the attack.

ABN Amro, ING and Rabobank are among the major banks affected by the DDoS attack, which disrupted online and mobile banking services over the weekend.

The attacks led to banks’ services being down for hours at a time.

"We are now working on an alternative access route to the site, it is not yet possible to say how long this will take," Rabobank said.

"Since the big DDoS attack on ING in 2013, everything seemed to be in order. There is now clearly something we need to respond to, and we are discussing this with the banks," said a spokesperson for the Dutch central bank, DNB.

André Karels, spokesperson for the Tax Authority, said that no data had been leaked and that the attack is under investigation by the National Cybersecurity Services.

DDoS attacks bring down websites by directing a flood of traffic at one server at the same time. While such attacks by themselves cannot breach a network or leak data, they are often used as distractions by hackers trying to penetrate a network.

Coincheck hackers try to move stolen cryptocurrency, company promises refund

Hackers who stole around $534 million worth of cryptocurrency from the Tokyo-based Coincheck exchange last week, one of the biggest such heists ever, are trying to move the stolen "XEM" coins, a move believed to be an attempt to make the stolen currency harder to trace, the foundation behind the digital currency said on Tuesday.

The company suspended trading after detecting "unauthorised access" to its digital exchange. The NEM Foundation, creators of the XEM cryptocurrency, has traced the stolen coins to an unidentified account, and the account owner has begun trying to move the coins onto six different exchanges where they could then be sold, Jeff McDonald said.

"He is trying to spend them on multiple exchanges. We are contacting those exchanges," said McDonald. He also told Reuters that he couldn't yet determine how much of the stolen coins had already been spent. The location of the hackers' account is also not known.
As many as 10,000 businesses in Japan are said to accept crypto-currencies.

Coincheck, one of Japan's largest digital currency exchanges, has said it will refund more than 46 billion yen of the virtual assets to its 260,000 customers using its own capital.

The heist has raised fresh questions about security and regulatory protection in the booming market.

UK Government to Fine Infrastructure Organisations up to £17m for Lax Cybersecurity

Organisations running critical infrastructure in the UK will face fines of up to £17 million ($24 million) if they fail to put strong cybersecurity measures in place as required by the NIS Directive.

The NIS Directive covers network and information security and must be implemented by 9 May 2018; the UK government announced the measures on Sunday.

The affected industries include transport, water, energy, and health businesses.

The fines are described as a “last resort”, to be applied only if one of the above-mentioned businesses fails to follow the cybersecurity guidelines required of such industries across the EU member states.

The government warned that a regulator will be able to assess the cybersecurity infrastructure of the country's critical industries and will have the power to issue legally-binding instructions to make sure the security is up to its mark — including imposing fines.

The Directive’s objectives are to manage security risk, ensure protection against cyber attacks, detect cybersecurity events, and minimise the impact of cybersecurity incidents.

"We want our essential services and infrastructure to be primed and ready to tackle cyber attacks and be resilient against major disruption to services. I encourage all public and private operators in these essential sectors to take action now and consult NCSC's advice on how they can improve their cybersecurity,” said Margot James, Minister for Digital and Creative Industries.

According to the government, it is working on a “simple, straightforward reporting system” through which cyber breaches and IT failures can easily be reported, so that they can be quickly identified and acted upon.

The National Cyber Security Centre (NCSC) website states that the first iteration of the Cyber Assessment Framework (CAF) will be available by the end of April 2018.