Wednesday 26 April 2017

Fraudsters attack from almost everywhere. Have you been to any of these hotels?

Have you ever given a second thought to swiping your card at a hotel front desk? Most of us never do... but perhaps we should.

That is exactly what happened recently at InterContinental Hotels Group (IHG). IHG did not say how many properties were at risk, but a look at the state-by-state lookup tool it published online shows the number to be more than 1,170.

In recent years many hotel chains, including Hyatt, Omni, Hilton Hotels, Starwood Hotels and Trump Hotels, have been targeted by criminals using malware to steal payment card data. The problem has become serious enough that you might wonder whether it is safer to pay at hotels with cash, or at least with a card that has a low spending limit.

The investigation found signs of malware designed to capture payment card data from cards used at the front desks of certain IHG-branded franchise hotels between September 29, 2016 and December 29, 2016. Although there is no evidence of unauthorized access to card data after December 29, 2016, confirmation that the malware had been eradicated did not come until the properties were investigated in February and March 2017. Before the incident began, many IHG-branded franchise hotels had already implemented IHG's Secure Payment Solution (SPS), a point-to-point encryption (P2PE) payment acceptance solution. With SPS in place the card data is encrypted at the terminal and never passes through the hotel server in clear text, so the malware had nothing to find; cards used at those locations after SPS implementation were not affected.

The malware searched for track data (the contents of the card's magnetic stripe: card number, expiration date and the internal verification code, sometimes with the cardholder name as well) as it was routed through the affected hotel server. There is no indication that other guest information was affected.
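The pattern such memory-scraping malware hunts for is well defined, which means defenders can hunt for it too. The following script is an added example, not code from the IHG report or from this post: it scans a byte buffer (for instance a process memory dump or a packet payload taken from a front-desk server) for ISO 7813 Track 1 and Track 2 records, Luhn-checks the card number to weed out random digit runs, and reports masked results. The sample buffer is constructed; the card numbers in it are standard test numbers, not real cards.

```python
import re

# ISO 7813 Track 2: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(rb';(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<rest>\d{3}[^?]*)\?')
# ISO 7813 Track 1, format code B: '%B' PAN '^' NAME '^' YYMM service-code discretionary-data '?'
TRACK1_RE = re.compile(rb'%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<rest>[^?]*)\?')


def luhn_ok(pan: str) -> bool:
    """Luhn (mod 10) check: real PANs pass it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN and last four (what a PCI-safe report may show), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(buf: bytes) -> list:
    """Return one dict per Luhn-valid track record found in buf, with the PAN masked."""
    findings = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan").decode("ascii")
            if not luhn_ok(pan):
                continue        # digits that merely look like a record
            findings.append({
                "track": track,
                "offset": m.start(),
                "pan": mask_pan(pan),
                "exp": m.group("exp").decode("ascii"),   # YYMM as encoded on the stripe
                "name": m.group("name").decode("ascii") if track == 1 else None,
            })
    return findings


# Constructed stand-in for a memory dump: two valid records plus one decoy whose
# PAN fails the Luhn check. 4111111111111111 is a well-known test number.
SAMPLE_MEMORY = (
    b"\x00\x00POS-TXN-LOG\x00"
    b";4111111111111111=2512101123456789?\x00\x00"
    b"%B4111111111111111^DOE/JOHN^25121011234500000?\x00"
    b";4111111111111112=2512101?\x00"
)

if __name__ == "__main__":
    for hit in scan_for_track_data(SAMPLE_MEMORY):
        print(hit)
```

Run it against a real dump and any hit is a finding in its own right: track data should never be sitting unencrypted in a server process, which is exactly what P2PE is meant to guarantee.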

It is always advisable to stay vigilant against fraud by reviewing your payment card statements for unauthorized activity. Report any unauthorized charge to your card issuer immediately: payment card rules generally provide that cardholders are not liable for unauthorized charges reported in a timely manner. The number to call is usually on the back of your card.


Be aware, Be safe !

Tuesday 25 April 2017

Mastercard Unveils Next Generation Biometric Card

If you have read the heading, you may be wondering how putting an ordinary fingerprint sensor on a debit card changes the banking experience. Think back to cash withdrawals during India's 2016 "demonetization" period: entering your PIN while shielding the ATM keypad from the crowd pressing in behind you was an awkward exercise.

Take keypad PIN entry out of the picture and there is no PIN for a bystander to shoulder-surf; only your bank knows it. The same applies to card payments at restaurants or shopping malls, which would become a lot more secure.



However, not all fingerprint sensors are alike. Mastercard's implementation involves a trip to "an enrollment center", where the user stores one or two of their own prints on the card. An encrypted digital template of the fingerprint is stored on the card's EMV chip. The card authenticates when a matching fingerprint is supplied after the card has been inserted into a chip-and-PIN terminal (not swiped). The sensor cannot be used in an ATM that ingests the card.

Mastercard is keen to embed this technology across its line-up of credit and debit cards to improve user security. Security is not the only benefit: biometric authentication also makes payments faster, much as unlocking a smartphone is a single tap compared with the elaborate pattern locks many people used (and still use).

The demo cards are currently being tested in South Africa, and Mastercard plans a worldwide roll-out by the end of 2017. The cards look no different from the credit or debit card already in your wallet; the basic architecture is the same, and the only visible difference is a matte-coloured sensor patch in the corner of the card.

The card is no thicker than a regular credit card. The fingerprint sensor is a small, thumbnail-sized rectangle at the top right corner, positioned so that it is easy to reach while the card sits in a payment terminal.

When the terminal asks you to insert the card, it sends the bank information such as your identity (the card details) and the transaction amount. It then verifies your identity by asking for your fingerprint. The sensor reads your finger and passes the reading to the card's chip, which compares it with the template stored on the chip and decides whether you are the owner; the template itself never leaves the card, and neither the terminal nor the bank ever sees it. If the match succeeds, the card returns a "Yes" or "Authorized" result and the bank lets the payment go through.

Merchants do not need to upgrade any hardware, unless they are still using a magnetic-stripe swipe terminal at the billing desk.

While Mastercard is planning a global roll-out of the fingerprint-enabled card, expect it to take a few years: banks and financial institutions need time to get management approval for the new technology.

Android Spyware SMSVova found on Google Play Store

Millions of users were tricked into downloading Android spyware disguised as a system update from the Play Store. The app, which claimed to give users access to the latest Android updates, went undetected in the Play Store for three years and was downloaded between one and five million times.

Researchers at Zscaler found that the bogus app posed as a legitimate application called "System Update" and claimed to give users the latest Android software release.

The fake application hiding the SMSVova spyware is estimated to have been uploaded to Google Play in 2014 and downloaded between 1,000,000 and 5,000,000 times.

The researchers reported the discovery to Google, which promptly removed the app from the store.

SMSVova was built to track the physical location of its victims, and it was controlled by the attackers via SMS messages.

“In our ongoing effort to hunt malware, the Zscaler ThreatLabz team came across a highly suspicious app on the U.S. Google Play Store that has been downloaded between one and five million times since 2014,” reads the analysis published by Zscaler. “Upon analysis, we found it to be an SMS-based Spyware, which can steal and relay a victim’s location to an attacker in real time.”

According to Zscaler, once the app was installed and the user tried to open it, it displayed the message:

‘Unfortunately, Update Service has stopped.’


The app then hides its icon from the launcher and starts its own MyLocationService, which collects location data and stores it in the app's Shared Preferences on the device.

Despite the error message, the spyware sets up an Android service and a broadcast receiver:
  • MyLocationService: fetches the last known location
  • IncomingSMS (receiver): scans incoming SMS messages
SMSVova watches incoming SMS messages for specific characteristics: messages longer than 23 characters that contain the strings “vova-” and “get faq”. A matching message is treated as a command from the attacker, and the location gathered by MyLocationService is sent back to the sender by SMS.
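Because the trigger is so specific, an incident responder can sweep a device's SMS store for it. The following script is an added example, not Zscaler's code or the malware's: it takes an exported SMS log (constructed here as a list of dicts; a real export from adb or a forensic tool would need its own parser) and flags inbound messages that satisfy SMSVova's command filter (length over 23, containing “vova-” and “get faq”), then reports the sender numbers, which are the attacker's control numbers. Pairing each command with the next outbound message to the same number, as the exfiltrated location, is an assumption made for the example.

```python
from datetime import datetime, timedelta


def is_smsvova_command(body: str) -> bool:
    """SMSVova's own filter as described by Zscaler: >23 chars and both markers present."""
    return len(body) > 23 and "vova-" in body and "get faq" in body


def triage_sms_log(records, reply_window=timedelta(minutes=5)):
    """Return ({controller_number: [command timestamps]}, [(number, reply body)]).

    records: iterable of dicts with keys 'ts' (ISO 8601 string), 'dir' ('in' or 'out'),
    'number' and 'body'. Assumption for this example: the stolen location goes out as
    an SMS to the controlling number within reply_window of the command.
    """
    parsed = sorted(({**r, "ts": datetime.fromisoformat(r["ts"])} for r in records),
                    key=lambda r: r["ts"])
    controllers = {}
    paired_replies = []
    for i, r in enumerate(parsed):
        if r["dir"] != "in" or not is_smsvova_command(r["body"]):
            continue
        controllers.setdefault(r["number"], []).append(r["ts"].isoformat())
        for later in parsed[i + 1:]:
            if later["ts"] - r["ts"] > reply_window:
                break
            if later["dir"] == "out" and later["number"] == r["number"]:
                paired_replies.append((r["number"], later["body"]))
                break
    return controllers, paired_replies


# Constructed SMS export: ordinary traffic plus one SMSVova command and its reply.
SAMPLE_SMS = [
    {"ts": "2017-04-20T09:00:00", "dir": "in",  "number": "+15550001111", "body": "running late, see you at 10"},
    {"ts": "2017-04-20T09:02:10", "dir": "in",  "number": "+15559998888", "body": "vova-get faq please now 12345"},
    {"ts": "2017-04-20T09:02:14", "dir": "out", "number": "+15559998888", "body": "51.5074,-0.1278 acc=12m"},
    {"ts": "2017-04-20T09:05:00", "dir": "out", "number": "+15550001111", "body": "ok"},
    {"ts": "2017-04-20T09:10:00", "dir": "in",  "number": "+15550002222", "body": "vova-"},  # too short to trigger
]

if __name__ == "__main__":
    controllers, replies = triage_sms_log(SAMPLE_SMS)
    print("controller numbers:", controllers)
    print("likely location exfil:", replies)
```

The controller numbers are the useful artefact here: they can be blocked at the carrier, searched for across other devices in the organisation, and handed to the app's reviewers as evidence.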

Curiously, according to Google's recent Android Security 2016 Year in Review report, fewer than 0.05 percent of devices that installed apps only from Google Play had a potentially harmful application installed in 2016.

“There are many apps on the Google Play store that act as a spyware; for example, those that spy on the SMS messages of one’s spouse or fetch the location of children for concerned parents. But those apps explicitly state their purpose, which is not the case with the app we analyzed for this report,” concluded the analysis.

It is unclear why the malware focused on location alone. The app had not been updated since December 2014, yet people kept downloading it. Google removed it from the store after being alerted, but it had gone undetected since it first appeared in 2014. We are yet to hear from Google why the app stayed live in the Play Store for three years.

Monday 24 April 2017

IOT security and Mobile application security trends

Let's take a look at the latest mobile application and IoT security trends. Below is a summary of a mobile and IoT application security study; CIOs, CISOs, CTOs, CROs and COOs were surveyed at organizations in financial services, health and pharmaceuticals, the public sector, retail, technology and services, and several other industries.


58% - Organizations are concerned that they could be hacked through an IoT application.
53% - Organizations are concerned that they could be hacked through a mobile device.

84% - Organizations are concerned about the threat of malware to mobile apps.
66% - Organizations are concerned about the threat of malware to IoT apps.


79% - Respondents believe that the use of mobile apps increases risk.
75% - Respondents believe that the use of IoT apps increases risk.

15% - Respondents say the CISO is responsible for the security of mobile applications.
31% - Respondents say the head of applications is responsible for the security of IoT apps.

54% - Respondents believe that only a serious hacking incident would lead the organization to increase the security budget.
46% - Respondents believe that new regulations would also lead the organization to increase the budget.

Application security assessment frequency

42% - Organizations consider securing their IoT apps urgent.
32% - Organizations consider securing their mobile apps urgent.

48% - Organizations do not test their IoT apps at all.
18% - Organizations test their mobile apps whenever there is a code change.

Difficulty levels in fixing OWASP vulnerabilities

57% - Respondents say pentesting is the primary means of securing mobile apps.
30% - Respondents say security testing throughout the SDLC is the primary means of securing mobile apps.

69% - Respondents believe that pressure on the development team to release quickly leaves the code vulnerable.
40% - Respondents believe that a lack of testing procedures leaves the code vulnerable.

32% - Mobile applications are tested in the development environment.
26% - IoT apps are tested in the development environment.

Credits: Ponemon Institute.

Saturday 22 April 2017

Is Bose secretly collecting personal data through your headphones??

Audio electronics giant Bose faces a data-mining class action over accusations that it has been covertly collecting its customers' personal information, including their tastes in music and podcasts, and sharing it with a San Francisco-based data aggregator.

According to the suit's lead plaintiff, Kyle Zak, who invites fellow Bose customers to join the case, the Bose Connect app asks for the user's phone number, name, email address and headphone serial number in exchange for the app's extra features. Per the suit, the app builds detailed profiles of listening history and habits, and sending that information to a third party without the user's express consent violates the federal Wiretap Act.

The suit says the company collects and records the details of the music and audio files customers listen to through the Bose Connect app, then transmits that data, along with the customers' personal identifiers, to third parties, including data miners, without consumers having any idea that it happens.

Can funny videos be a malicious Trojan?

Most of us enjoy watching funny videos online in our spare time. But a "funny videos" app can also put your mobile banking credentials at risk.

Security researchers analyzed a Funny Videos app with 1,000 to 5,000 installs and found that, while it behaves like any regular video app on the Play Store, in the background it runs a brand new variant of a notorious mobile banking Trojan. The same Trojan hides in apps under entirely different names and targets customers of banks around the world.

The newly discovered Android Trojan works like several other banking malware families, but two things set it apart: its ability to target the customers of specific banks, and its use of the DexProtector tool to obfuscate the app's code.

Dubbed BankBot, the Trojan targets customers of more than 420 banks worldwide, including Citibank, ING and several Dutch banks such as ABN, Rabobank, ASN, Regiobank and Binck, among many others.

Tuesday 18 April 2017

Linkedin Job Applicants : Beware of this !!

There have recently been reports of email attacks designed to trick job seekers into sharing their personal details. Scammers send fake job opportunities dressed up as communications from LinkedIn, claiming that a company is “urgently seeking” people with your experience in “your region”.

Before acting on such an email, check whether:

1) It comes from a real LinkedIn email address. Look at the actual sender domain, not just the display name.

2) It addresses you by name and says which qualification and location the employer is looking for. Generic wording is a red flag.

3) It is written in poor English, another red flag.

These emails redirect the user to a website where they are asked to upload their CV, which makes the theft easy: you hand over your full name, date of birth, work and home email addresses, and work and home telephone numbers to the attacker without hesitation.

Such attacks feed targeted spam campaigns and phone calls, including attempts to compromise the corporate email accounts of CXOs.

Your smartphone PINs could be stolen by a malicious advertisement on a website

How secure do you think your smartphone PIN is?

Ever thought about how difficult it would be for attackers to steal your PIN?

What if it could be stolen very easily? Your privacy would be completely at stake...

Let's see how...

Researchers at Newcastle University have demonstrated an attack that stealthily collects sensor data from your smartphone. By reading the accelerometer and gyroscope, JavaScript on a web page can measure even small changes in the phone's angle, rotation and speed of movement. That data reveals sensitive information about the phone and its user, including the precise start and end of each phone call and whether the person is stationary, walking, running, or on a bus, in a car or on a train (from the speed of movement). Used as a keylogger, the attack guessed 4-digit PINs correctly 74% of the time on the first attempt and 94% of the time within three attempts.


The attack requires no malicious app to be installed. The victim only needs to open a malicious web page and type characters while it is open. The risk grows sharply when you visit websites that host malicious advertisements (malvertisements) on your mobile, because the keystroke data can be captured by standard JavaScript that reads the motion and orientation sensors built into virtually all iOS and Android devices.

The browser from Baidu gave the widest access to sensors: on loading a malicious page it gave away all the sensor information, and the data stayed accessible whether the page was loaded directly in an active tab or as an iframe, even when the device screen was locked.

Chrome on iOS gave away all the sensor information when a malicious ad was loaded on a website or a malicious site was loaded in an iframe. Chrome on Android gave away all the sensor information only when the malicious site was loaded in a tab or an iframe. The Google browser on iOS blocked all access to sensor information. Firefox for Android and Safari for iOS gave away all the sensor data in every case: a malicious ad, an otherwise harmless website, or a malicious site in a tab or an iframe.

Sunday 16 April 2017

Securing IoT devices from malware

Many consumer IoT devices sit behind a gateway such as a router, so they are not directly addressable from the public internet. Even so, the following precautions are recommended:
  • Disable Telnet access to the device.
  • Change the device's factory default credentials.
  • Use network behavioural analysis to detect anomalies in traffic, combined with automatic signature generation for protection.
  • Configure intrusion prevention systems to block Telnet logins with default credentials, or to reset Telnet connections outright.
  • Use a signature to detect the known malicious command sequences.
  • Control system devices should never directly face the Internet; minimize network exposure for all control system devices.
  • Place control system networks and devices behind firewalls and isolate them from the business network.
  • Remove, disable, or rename any default system accounts wherever possible.
  • Monitor the creation of administrator-level accounts by third-party vendors.
  • If remote access is required, use secure methods such as Virtual Private Networks (VPNs), recognizing that a VPN is only as secure as the devices connected to it.
  • Implement policies requiring the use of strong passwords.
  • Perform a proper impact analysis and risk assessment before taking defensive measures.

BrickerBot - Batman of IoT

There's a new kind of malware on the block. It doesn't want to spy on you or hold your data to ransom; it wants to corrupt your device's storage and leave the hardware dead. It's called BrickerBot, and what it does is a Permanent Denial of Service (PDoS).

Now what is BrickerBot?
BrickerBot is malware discovered by a researcher at the cyber-security company Radware. It works in a similar fashion to Mirai: both exploit the tendency of users never to change the factory default username and password that ships on IoT devices.

BrickerBot, as its name implies, exploits hard-coded and default passwords on IoT devices and then kills the devices, causing a permanent denial of service: it overwrites the device's software or corrupts its storage so that the device cannot be recovered without an expert physically restoring it, and the technique is becoming increasingly common. Radware's honeypot recorded 1,895 PDoS attempts by BrickerBot from several locations around the world over four days.

This malware tries to make your devices about as useful as a brick, hence the name. The attacks were first identified last month and are still going on.

Which devices are vulnerable to this type of attack?
BrickerBot goes after IoT devices that are directly connected to the internet, meaning they have publicly reachable IP addresses. It also targets devices running embedded versions of Linux, such as routers, IP cameras and digital video recorders.

Let's look at the details more closely:
The attack is designed to render a connected device useless by leaving it in a PDoS, or "bricked", state. BrickerBot.1 and BrickerBot.2 exploit hard-coded passwords and brute-force Telnet or an exposed SSH service on port 22. According to open-source reporting, the following details about the two variants are available:
  • BrickerBot.1 targets devices running BusyBox with an exposed SSH command window and an older version of the Dropbear SSH server. Most of these devices were identified as Ubiquiti network devices, some of them access points or bridges with beam directivity.
  • BrickerBot.2 targets Linux-based devices that may or may not run BusyBox or the Dropbear SSH server. However, BrickerBot.2 can only reach devices that expose a Telnet service protected by default or hard-coded passwords.
What could be the motive behind building a bot that destroys devices?
Honestly, nobody has established the real motive, but there are a couple of plausible theories:
  • Someone who builds botnets of hundreds of thousands or millions of IoT devices and sells access to them for profit may be bricking devices so that rival botnets cannot recruit them.
  • Or someone who is angry at device manufacturers for not fixing security issues as basic as guessable or default passwords may be bricking devices to force the point.

Saturday 15 April 2017

270,000 customers' bank details hit by possible data breach

Personal details from hundreds of thousands of accounts may have been accessed illegally, the payday lender admits. Wonga is investigating "illegal and unauthorised access" to data that could affect around 245,000 customers in the UK and a further 25,000 in Poland.

The firm discovered the possible breach on Friday and began informing affected customers on Saturday; the majority have now been contacted. The matter has also been reported to the Information Commissioner's Office and the police. Wonga says the data accessed by the unknown parties “may have included one or more of the following: name, e-mail address, home address, phone number, the last four digits of your card number (but not the whole number) and/or your bank account number and sort code.”


What to do if you're affected:
Wonga account passwords were not accessed during the suspected breach, so it is not necessary to change them, although you can still do so if you are concerned. Customers whose data may have been accessed are advised to alert their bank and ask it to watch for any suspicious activity.

Wonga sent a letter to affected customers with the following advice:
"Exercise vigilance: Beware of scammers or unusual online activity. Be cautious of anyone who calls you and asks you to disclose any personal information regardless of where they say they are from. If this happens, we recommend that you hang up."
Wonga has also set up a help page on its website for customers and a phone line for further enquiries.

Does a talking doll pose a cyber security risk?

German authorities recently banned the talking doll Cayla because the software inside it could be hacked, posing a security risk and allowing personal data to be revealed. The government watchdog warned parents to destroy the internet-connected doll, but what threat does it actually pose?

The Federal Network Agency (Bundesnetzagentur), which oversees telecommunications, issued the warning after security investigators showed that an attacker could connect to the doll's insecure Bluetooth component to listen to and speak with its owner. The doll's software was created by an American company, Genesis Toys, and lets a child hold a conversation with the doll while playing. The agency said the doll carried a risk of spying and could intrude on privacy.

"In a test, I was able to hack the toy even through several walls. It lacks any security features," researcher Stefan Hessel told the German website Netzpolitik.org. The toy has been discontinued for now.

Is the Amazon cloud safe from hackers?

Amazon accounts of several third-party sellers were breached using stolen credentials obtained on the dark web, then used to post fake deals and steal cash.

The attackers reportedly changed the bank-deposit information on the compromised accounts to divert tens of thousands of dollars from sellers and advertisers. They also took over accounts that had not been used recently and listed non-existent merchandise at steep discounts in an attempt to pocket the payments. It is still not clear how many accounts were compromised; the hack appears to have stemmed from email and password credentials stolen in earlier breaches.

“Amazon has cultivated one of the largest and most impressive third-party ecosystems in the history of global business with more than two million sellers on the site,” said Fred Kneip, chief executive officer (CEO) at CyberGRX. “With so many potential weak links, it's no surprise that hackers have found a way to exploit the network for financial gain. “The reality today is that the security and perceived integrity of a network or business extends to the security of the third parties using it. Companies need to more proactively ensure the security of their partners, or risk real damage to their reputation and their brand.”

Cyber-thieves nearly stole $170 million from Union Bank of India

Hackers launched an attack against the Union Bank of India that closely resembled the Bangladesh central bank heist that netted millions last year.

The attempt started when a bank employee opened an email attachment that appeared to come from the Reserve Bank of India (RBI) but actually contained malware that let the hackers steal the state-run bank's data. They then used Union Bank's access codes for SWIFT to order a transfer of funds to a bank account at Citigroup in New York.

The attempt closely resembled last year's theft of more than $81 million from the Bangladesh central bank's account at the New York Federal Reserve. Opening the attachment, which looked as if it had come from India's central bank, launched the malware the hackers used to steal Union Bank's access codes for the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network, the system lenders use for international transfers. The codes were used to send transfer instructions for about $170 million to a Union Bank account at Citigroup Inc in New York. Union Bank traced the fraud and blocked the movement of the funds.

Friday 14 April 2017

Which are the latest Exploit kits used by hackers ?

Exploit kits are malicious toolkits used to exploit security holes in software applications (such as Adobe Flash, Java and Silverlight) in order to spread malware. They contain code that targets users running insecure or outdated software on their computers. These days the attackers behind the kits mostly tweak existing code and look for fresh exploits to add. Some of the well-known exploit kits on the rise are:

1) RIG Exploit kit

RIG continues to drop ransomware payloads such as CryptoShield, Cerber and Locky. Attackers who use RIG typically inject a malicious script into compromised websites; when a visitor loads the site, the script, which is usually obfuscated, loads the exploit. Recently RIG has mainly used an exploit for the Adobe Flash vulnerability CVE-2015-8651, which runs a JavaScript file that in turn downloads an encrypted PE file.

2) Sundown Exploit kit

The attackers behind Sundown keep changing its URI patterns and are adopting new techniques such as steganography. The kit uses .xyz domains as its primary choice for hosting landing pages, and registers domains under many other generic top-level domains in the names of well-known organizations.

3) Magnitude Exploit kit

Magnitude's modus operandi is distribution through malicious ads served via pop-up and pop-under ad networks, attempting to install the Cerber ransomware.

4) Terror Exploit kit

RIG and Terror have both been tracked delivering a wide variety of threats, from ransomware and banking Trojans to spambots and Bitcoin miners. Terror is the more customized of the two, and its targeting is much more specific.

5) GongDa and KaiXin

GongDa is an older exploit kit that still uses Java exploits, although it has also been seen delivering Flash and VBScript exploits. KaiXin checks the targeted PC's filesystem for security products before continuing execution. The KaiXin campaign carries exploits for Java, Flash and Silverlight and, if successful, installs various Chinese adware packages.

Sysadmin crashes employer's Oracle database with logic bomb !!

For 14 years, a Massachusetts system administrator worked at semiconductor maker Allegro MicroSystems, with particular responsibility for administering Allegro's Oracle financial database module.

The administrator is said to have resigned on January 8, yet his admin rights to the database were not revoked after he left. The company also did not collect one of his two laptops, since only he had the expertise to keep the database running and the company wanted that to continue until it found a replacement.

Because that laptop also held other employees' credentials, he used it to connect to the network as another employee and planted a logic bomb on January 31. The logic bomb was set to trigger on April 1 and delete key financial data headers and pointers from the Oracle files, rendering the module useless.

Sure enough, on April 1 the accounts team found critical files missing. The forensic investigation established that the only other employee with the skills to write code for the Oracle database had left long before the administrator's departure, so he alone had the specific skills to do this; Allegro also says he logged into the network using his subordinate's ID before he quit.

He now faces charges under the Computer Fraud and Abuse Act, as well as trespass and conversion (using other people's property for a crime) for booby-trapping his former employer's servers. The company says the incident cost it over $100,000 and is seeking to recover those costs from him; the court could impose further penalties if he is found guilty.

Lessons learnt:

1) Change administrator and shared passwords before the admin leaves.

2) Revoke logical access to the organization's assets, including database accounts and remote access, on the day an employee leaves, not after.

3) Ensure that the employee has returned all company assets, laptops included, before their last day.

4) Alert on privileged logins from unexpected hosts or under another person's credentials; a subordinate's ID being used from a departed employee's laptop should have stood out.

Is this a genuine or a phishing mail ?


Thursday 13 April 2017

What you're watching on Netflix is no more a secret!

The problem is that the information in TCP/IP headers alone is enough to leak what you are watching. An infosec educator from the United States Military Academy at West Point took a look at Netflix's HTTPS implementation and reckons that all he needs to learn which programs you like is a bit of passive traffic capture.

The TCP/IP headers of a Netflix HTTPS stream provide a 99.5 per cent content fingerprint. HTTPS is meant to provide privacy, but variable bitrate (VBR) encoding yields predictable behaviour: the byte ranges requested in the HTTP GET commands align exactly with individual video segment boundaries, so the size of each segment can be read off the traffic without decrypting anything. With a database that indexes content metadata (harvested by setting up a server to automatically "watch" videos) against these fingerprints, it is straightforward to capture the fingerprint on someone else's connection and use it to look up the video.

The server used in the work was hardly a monster: a decade-old box with two quad-core Xeon processors at 2 GHz, running Linux Mint 17.3 MATE. Even that kit loaded the 184 million fingerprints in 15 minutes, and 99.9989 percent of the "windows" turned out to be unique. On average the algorithm identified a video within 3 minutes 55 seconds, and more than half were identified before 2:30.
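To make the mechanism concrete, here is an added example of the fingerprinting loop; it is not the West Point code. It derives per-segment byte counts from a captured flow using only packet direction and payload length (no decryption), indexes a catalogue of titles by windows of consecutive segment sizes, and identifies a captured stream as soon as a window maps to a single title. The catalogue and the capture are constructed with a seeded generator, and the window length and exact-match lookup are simplifications chosen for the example, not the paper's parameters.

```python
import random
from collections import defaultdict

WINDOW = 4  # consecutive segment sizes per fingerprint window (chosen for this example)


def segment_sizes_from_flow(packets):
    """packets: list of (direction, payload_len) read from a pcap; direction is 'c2s' or 's2c'.

    Each client packet with payload (a TLS record carrying the HTTP GET for a byte range)
    starts a new segment; every server byte until the next request belongs to that segment.
    Nothing here needs the plaintext.
    """
    sizes, current = [], 0
    for direction, length in packets:
        if direction == "c2s" and length > 0:
            if current:
                sizes.append(current)
            current = 0
        elif direction == "s2c":
            current += length
    if current:
        sizes.append(current)
    return sizes


def make_catalog(titles, n_segments=300, seed=7):
    """Constructed stand-in for the crawl: a list of VBR segment sizes per title."""
    rng = random.Random(seed)
    return {t: [rng.randint(20_000, 600_000) for _ in range(n_segments)] for t in titles}


def build_index(catalog, window=WINDOW):
    """Map every window of consecutive segment sizes to the titles that contain it."""
    index = defaultdict(set)
    for title, sizes in catalog.items():
        for i in range(len(sizes) - window + 1):
            index[tuple(sizes[i:i + window])].add(title)
    return index


def identify(observed, index, window=WINDOW):
    """Return (title, segments_needed) at the first window unique to one title,
    or (None, len(observed)) if nothing matched."""
    for i in range(len(observed) - window + 1):
        hits = index.get(tuple(observed[i:i + window]))
        if hits and len(hits) == 1:
            return next(iter(hits)), i + window
    return None, len(observed)


def flow_from_sizes(sizes, mss=1400):
    """Constructed capture: one GET per segment, server data split into MSS-sized packets,
    plus a bare client ACK after each segment (payload 0, so it starts no new segment)."""
    packets = []
    for s in sizes:
        packets.append(("c2s", 300))
        full, rem = divmod(s, mss)
        packets += [("s2c", mss)] * full + ([("s2c", rem)] if rem else [])
        packets.append(("c2s", 0))
    return packets


CATALOG = make_catalog(["title_a", "title_b", "title_c"])
INDEX = build_index(CATALOG)
# A viewer joins title_b forty segments in; the eavesdropper only sees the packets.
CAPTURE = flow_from_sizes(CATALOG["title_b"][40:60])

if __name__ == "__main__":
    sizes = segment_sizes_from_flow(CAPTURE)
    print(identify(sizes, INDEX))
```

With random sizes a window of four segments is already unique across three titles; the real work needed a much larger window and a tolerant lookup to cope with the 184 million fingerprints of a full catalogue and with retransmissions in live captures, but the leak is the same: segment sizes survive encryption.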

Wednesday 12 April 2017

How does malware still succeed in exfiltrating your data once the attacker's server IP is blocked?

We all know there has been (and still is) a lot of malware lurking around the Internet. It is quite usual today that once victims get infected, the malware calls back to a command and control (C&C) server, which is controlled by the attacker. The attacker can then contact the malware program installed on the victim's machine through the C&C server.

Once a C&C server is identified and reported by a forensic professional, it is added to the list of blacklisted IP addresses. Hence the attacker needs to move to the next C&C server. So, instead of relying on a static list of preconfigured domain names corresponding to the locations of the C&C servers, the malware uses an algorithm to calculate candidate domain names, and then tries reaching out to a handful of the candidates in an attempt to locate an active C&C server.

Now let's see what exactly this Domain Generation Algorithm (DGA) is.

Domain Generation Algorithms (DGAs) are used in malware to generate a large number of domain names that can be used in communications to the malware’s command and control servers.

What exactly are its uses?

The DGA technique is in use because malware that depends on a fixed domain or IP address is quickly blocked, which then hinders operations. So, rather than bringing out a new version of the malware or setting everything up again at a new server, the malware switches to a new domain at regular intervals.

An example of DGA in practice is C&C servers for botnets and ransomware. If we were able to block these or take them down, we would cut the link between the victims and the threat actor. Bots would no longer be able to fetch new instructions and machines infected with ransomware would be unable to request encryption keys and send user data.

How does it work?

To better understand how these algorithms work, let’s look at the requirements they have to fulfill:
  • The routines have to generate domains that are predictable to both sides of the communication chain.
  • The routines have to be as unpredictable for security researchers as possible.
  • The domain registration fee has to be low, given the huge amounts of domains that will be used.
  • The need for speed can be enormous.
  • The registration process has to be anonymous or at least untraceable.
To achieve predictability, yet remain hard to research, the DGA routines use a few building blocks:
  • Seed, the base element: the seed can be a phrase or a number, practically anything that the threat actor can change at will (e.g. when they switch to a new version) and that can be used in an algorithm. The seed and the time-based element are combined in an algorithm to create the domain name, and this “body” is then combined with one of the available TLDs.
  • Time element: a time-based element need not be something like the date and time. It can be anything else that varies with time, for example the trending topic on Twitter in a certain country at the moment of the connection. Something that is difficult to predict is actually preferred, as this makes it harder for researchers to register certain domains ahead of time and intercept traffic or do a takeover.
  • Top Level Domains (TLDs): one way to throw off countermeasures is to use only some of the domains the algorithm produces rather than all of them. This drastically increases the number of domains researchers would need to register if they plan to intercept the traffic.

Summary:

Domain Generating Algorithms are used by cybercriminals to prevent their servers from being blacklisted or taken down. The algorithm produces random-looking domain names. Basically the idea is that two machines using the same algorithm will contact the same domain at a given time, so they will be able to exchange information or fetch instructions.
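
The three building blocks listed above (seed, time element, TLD choice) and the summary's point that two machines running the same routine agree on the same domain can be shown in a few lines. This is an added example written for this post, not any real malware family's algorithm: the seed string, the TLD pool, the SHA-256-based construction and the DNS log line format are all assumptions. It is written from the defender's side as well: the same predictability that lets a bot find its operator lets an analyst who has recovered the seed precompute the coming days' candidates for sinkholing or blocking, and match them against DNS query logs.

```python
"""Toy DGA plus the defender's use of its predictability. Added example;
every constant here is a made-up assumption, not a real family's value."""
import datetime as dt
import hashlib

TLDS = ["com", "net", "org", "info"]          # hypothetical TLD pool
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def generate(seed: str, day_iso: str, count: int = 8, length: int = 12) -> list:
    """Derive the day's candidate domains from (seed, date, index).
    A bot and its operator both run this function, so they agree on the
    list without ever exchanging it. day_iso is 'YYYY-MM-DD'."""
    names = []
    for i in range(count):
        material = f"{seed}|{day_iso}|{i}".encode()
        digest = hashlib.sha256(material).digest()
        label = "".join(ALPHABET[b % 26] for b in digest[:length])
        tld = TLDS[digest[-1] % len(TLDS)]       # per-candidate TLD choice
        names.append(f"{label}.{tld}")
    return names


def upcoming_blocklist(seed: str, start_iso: str, days: int) -> set:
    """Defender who recovered the seed (e.g. from a sample) precomputes every
    candidate for the next `days` days, ready for sinkholing or blocking."""
    start = dt.date.fromisoformat(start_iso)
    out = set()
    for d in range(days):
        out.update(generate(seed, (start + dt.timedelta(days=d)).isoformat()))
    return out


def flag_queries(log_lines, blocklist) -> list:
    """Match DNS query log lines against the precomputed list.
    Assumed line format: '<timestamp> <client_ip> <qname>'.
    Returns (client_ip, qname) pairs that hit a known candidate."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue                              # skip malformed lines
        _ts, client, qname = parts
        qname = qname.rstrip(".").lower()         # normalise trailing dot / case
        if qname in blocklist:
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    seed = "sample-family-v2"                     # hypothetical recovered seed
    today = generate(seed, "2017-04-12")
    print("today's candidates:", today)
    week = upcoming_blocklist(seed, "2017-04-12", 7)
    print("candidates for the coming week:", len(week))
    # constructed DNS log: two ordinary lookups and one bot reaching a candidate
    log = ["2017-04-12T10:00:01 10.0.0.5 www.example.com",
           f"2017-04-12T10:00:02 10.0.0.9 {today[3]}.",
           "2017-04-12T10:00:03 10.0.0.5 mail.example.com"]
    print("flagged:", flag_queries(log, week))
```

Note what the time element does here: because the date is part of the hashed material, yesterday's blocklist is useless tomorrow, which is why analysts have to recover the seed rather than just collect observed domains. A variant using an unpredictable time element such as a trending topic, as the post suggests, would also defeat the precomputation in upcoming_blocklist.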

SBI ATM spits out cash!! Is your money safe?

State Bank of India has arranged a forensic audit into an automated teller machine in Odisha that dispensed cash without any card being swiped. It is also said that similar behaviour has been identified at about 10 cash dispensers of various banks around the country, and this one recently behaved in the same manner.

"Around 10 ATMs have been affected as per preliminary information," said Navroze Dastur, managing director of India and South Asia operations at NCR Corporation, which sells and maintains ATMs.

It was suspected that these are localized hacks on machines running outdated software and do not involve any wider network infection. Experts pointed out that a number of machines are running the obsolete Windows XP, which Microsoft has stopped updating.

A top executive at an ATM deployment conveyed that "Banks mostly do not service and update these machines on time, which makes them vulnerable to highly sophisticated attacks as fraudsters use the most advanced technology available."

"A forensic audit is currently underway and we are trying to understand whether a software malfunction caused the glitch in its systems. Typically, an audit takes around four to six weeks to be completed; we should get the report by the end of this month," said a senior State Bank of India official.

Let's see how the ATM was infected:

ATMs may have been subjected to a 'physical' malware attack that involves plugging a device — say a laptop or phone — into the dispenser's USB port to transfer an infected file or virus that causes the machine to behave unpredictably. Initial reports also suggested that the criminals target machines in remote locations that are usually left unguarded, allowing them to open the outer casing to access the USB port. Once infected, the machine can be remotely controlled by a virtual keyboard and instructed to spew out cash. Experts said that there are keys available which allow an ATM to be opened by unauthorized persons as well and then it needs to be connected to a system through a cord to transfer the virus.

Monday 10 April 2017

Did Microsoft Windows track your location? Did Cortana send your voice clips to Microsoft?

In an effort to be more transparent, Microsoft revealed more about what data the Windows 10 Creators Update will collect from users' PCs and clarified what the privacy settings mean. The company had never said precisely what data it collects behind these options, which raised huge concerns among privacy-conscious users.

The Windows 10 Creators Update, which will be available from April 11 for users to download for free, comes with a revamped Privacy settings section.

During the process of upgrading to the Creators Update, you will be shown a new Privacy Settings screen that asks you to toggle the following features:
  • Location – Allow Windows and apps to request your location and share that data with Microsoft.
  • Speech Recognition – Allow Cortana and Windows Store apps to recognize your voice and send that data to Microsoft to improve speech recognition.
  • Tailored experiences with diagnostic data – Allow Microsoft to use diagnostic data from your computer to offer tips and recommendations.
  • Relevant ads – Allow apps to use advertising IDs to show ads more interesting to you based on your app usage.
Until now there have been three options (Basic, Enhanced, Full) for Windows 10 users to select from under the diagnostics data collection section, with no option to opt out of sending data to Microsoft.

Microsoft published a massive list of the diagnostics data collected at both the Basic and Full levels:
  • Basic – The Basic level collects a limited set of data that is critical for understanding the device and its configuration. This data includes basic device information, quality-related information, app compatibility and Windows Store.
  • Full – The Full level collects data for the following nine categories: common data, software setup and inventory data, product and service usage data, browsing, search and query data, content consumption data, linking, typing, and speech utterance data and licensing and purchase data.
Windows 10 Mobile users will see a similar privacy dashboard, though phones have a cellular data toggle and no tailored experiences option.

With Windows 10’s focus on Windows as a service and built-in cloud-based features like Cortana, the company has stirred a lot of privacy concerns. This new transparency gives users a better sense of what information is being collected—and why. The new privacy dashboards also put in one place most of the personal information the operating system wants to use on a regular basis.

5,00,000 IoT Devices are Infected with Mirai IoT Malware

With the release of the Mirai source code on the Internet, there are increased risks of more botnets being generated. Both Mirai and Bashlite can exploit the numerous IoT devices that still use default passwords and are easily compromised. Such botnet attacks could severely disrupt an organization’s communications or cause significant financial harm.

Reports claim that the Mirai IoT malware has now infected almost half a million IoT devices, more than doubling the size of the original Mirai botnet. Since the source code was released in late 2016, criminals have used it to create their own versions of the malware, which are infecting new devices. One Mirai-derived variant actively scanned TCP port 7547 on broadband routers susceptible to a Simple Object Access Protocol (SOAP) vulnerability. Compromised devices can then be used remotely in DDoS attacks, which points towards hardening networks against the possibility of a DDoS attack.
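The port 7547 scanning described above leaves a recognisable pattern in edge firewall logs, both inbound (many sources probing the port) and outbound (an already infected device on the LAN sweeping other addresses). The following detection sketch is an added example, not code from any of the reports: the log line format, the address ranges and the thresholds are constructed assumptions, chosen only so the logic can run offline on the embedded sample.

```python
"""Spot Mirai-style TCP/7547 probing in constructed firewall logs.
Added example; the log format and thresholds are assumptions."""
import re
from collections import defaultdict

# Assumed line format: "<ts> ALLOW|DROP <proto> <src_ip>:<sport> -> <dst_ip>:<dport>"
LINE_RE = re.compile(r"^(\S+) (ALLOW|DROP) (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
WATCH_PORT = 7547          # TR-064/SOAP management port named in the reports

# Constructed sample: three outside sources probe our WAN address on 7547
# (one over UDP, which is not the TCP service in question), and one LAN
# host sweeps three external addresses on the same port.
SAMPLE_LOG = """
2017-04-12T03:14:01Z DROP TCP 203.0.113.7:51234 -> 198.51.100.2:7547
2017-04-12T03:14:02Z DROP TCP 203.0.113.9:40001 -> 198.51.100.2:7547
2017-04-12T03:14:03Z DROP TCP 203.0.113.7:51235 -> 198.51.100.2:7547
2017-04-12T03:14:05Z DROP TCP 198.51.100.77:33333 -> 198.51.100.2:7547
2017-04-12T03:14:06Z ALLOW TCP 203.0.113.7:51236 -> 198.51.100.2:443
2017-04-12T03:14:07Z ALLOW UDP 203.0.113.9:5353 -> 198.51.100.2:7547
2017-04-12T03:15:00Z ALLOW TCP 192.168.1.20:6000 -> 203.0.113.50:7547
2017-04-12T03:15:01Z ALLOW TCP 192.168.1.20:6001 -> 203.0.113.51:7547
2017-04-12T03:15:02Z ALLOW TCP 192.168.1.20:6002 -> 203.0.113.52:7547
2017-04-12T03:15:03Z ALLOW TCP 192.168.1.30:6003 -> 203.0.113.60:443
"""


def parse(line):
    """One log line to a dict, or None when it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, proto, src, _sport, dst, dport = m.groups()
    return {"ts": ts, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": int(dport)}


def inbound_probe_sources(lines, our_ip, port=WATCH_PORT):
    """Distinct outside sources that tried TCP/<port> on our address, with
    attempt counts. Dropped attempts count too: the probe itself is the signal."""
    per_src = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec and rec["proto"] == "TCP" and rec["dport"] == port and rec["dst"] == our_ip:
            per_src[rec["src"]] += 1
    return dict(per_src)


def outbound_scanners(lines, port=WATCH_PORT, internal_prefix="192.168.", min_targets=3):
    """LAN hosts that contacted at least `min_targets` distinct external
    addresses on TCP/<port>: the behaviour of a device that is itself infected."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if (rec and rec["proto"] == "TCP" and rec["dport"] == port
                and rec["src"].startswith(internal_prefix)):
            targets[rec["src"]].add(rec["dst"])
    return sorted(src for src, dsts in targets.items() if len(dsts) >= min_targets)


if __name__ == "__main__":
    lines = SAMPLE_LOG.strip().splitlines()
    print("inbound 7547 probes by source:", inbound_probe_sources(lines, "198.51.100.2"))
    print("LAN hosts sweeping 7547:", outbound_scanners(lines))
```

The outbound check is the more valuable of the two for an operator: inbound probes on 7547 are background noise on any broadband address, but a customer device that starts sweeping the port is a compromise in progress and a candidate for isolation.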

Don't Hug These Internet-Connected Stuffed Toys

Spiral Toys, which manufactures the CloudPets range of Bluetooth-enabled "smart toys," is under privacy fire for exposing 821,000 user records online, as well as links to 2.2 million parent and child voice recordings captured by its interactive toys and related apps.

Copies of the data are in wide circulation and appear to be the focus of multiple attempted ransom shakedowns. It was also reported that attackers downloaded and then deleted some of the databases, including one containing 821,000 user records, and left at least three different ransom notices for Spiral Toys. While Spiral Toys stored passwords using the bcrypt password-hashing algorithm, which is good, it failed to enforce a stronger password policy. As a result, short passwords such as "qwe", or overused ones, could be picked, meaning that many passwords could be cracked easily.
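The last point deserves numbers: a slow hash raises the cost per guess, but it cannot help a password whose entire candidate space is tiny. The following added example (not Spiral Toys' code) puts a minimal policy check in front of the hash and then measures how many guesses a three-letter lowercase password such as "qwe" survives. hashlib.pbkdf2_hmac from the standard library stands in for bcrypt so the block runs without extra packages; the minimum length, the tiny denylist and the iteration count are assumptions.

```python
"""Password policy in front of a slow hash, and the arithmetic of why a
three-character password is lost regardless of the hash. Added example;
pbkdf2_hmac is a stand-in for bcrypt and all constants are assumptions."""
import hashlib
import hmac
import itertools
import os
import string

MIN_LENGTH = 12                                           # assumed policy
COMMON = {"password", "123456", "qwerty", "qwe", "letmein"}   # tiny constructed denylist
ITERATIONS = 200   # deliberately low stand-in for bcrypt cost so the demo runs in seconds


def policy_violation(pw: str):
    """Return a reason string if the password must be rejected, else None."""
    if len(pw) < MIN_LENGTH:
        return "too short"
    if pw.lower() in COMMON:
        return "common password"
    return None


def hash_password(pw: str, salt: bytes = None):
    """Salted slow hash; returns (salt, digest). A real deployment would use
    bcrypt with its own cost parameter instead of pbkdf2_hmac."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)


def verify(pw: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of candidates an exhaustive search has to try."""
    return alphabet_size ** length


def search_short(salt: bytes, digest: bytes, max_len: int = 3,
                 alphabet: str = string.ascii_lowercase):
    """Exhaustively try every password of 1..max_len characters from
    `alphabet` against one stored hash. Returns (password_or_None, guesses)."""
    guesses = 0
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            guesses += 1
            cand = "".join(chars)
            if verify(cand, salt, digest):
                return cand, guesses
    return None, guesses


if __name__ == "__main__":
    for pw in ("qwe", "correct horse battery staple"):
        print(f"{pw!r}: policy says {policy_violation(pw) or 'ok'}")
    salt, digest = hash_password("qwe", b"0123456789abcdef")   # fixed salt for the demo
    found, guesses = search_short(salt, digest)
    print(f"recovered {found!r} after {guesses} guesses")
    # Even at a realistic 100 ms per bcrypt guess, the whole 3-letter space is
    # 17,576 candidates, i.e. under half an hour: 17576 * 0.1 s = 1757.6 s.
    print("3-letter lowercase keyspace:", keyspace(3, 26))
```

Rejecting short and common passwords before hashing is what limits the keyspace an attacker has to cover; the slow hash then makes each of the remaining guesses expensive. Either control alone leaves the gap the breach report describes.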

Saturday 8 April 2017

"Aadhaar data has been leaked", admits Indian Government.

If you have an Aadhaar Card and if your bank accounts and other sensitive information are linked to it, chances are that your data is no longer secure.

The unique identification number issued by the government, Aadhaar, has grown to become an integral part of our day-to-day life. From getting children admitted to schools to paying our annual income tax, the Aadhaar card has become mandatory for every process in India. However, the downside of storing this biometric data has been unveiled, which brings back people's fear of the dark web. According to a Ministry of Electronics and Information Technology letter that has been leaked online, Aadhaar has been hacked, and the data of various Aadhaar card holders has been leaked online.

A letter written by the Ministry of Electronics and Information Technology confirms that the data, which the government has been cautiously guarding, has been leaked online.

For the first time, the Modi government has officially acknowledged that the personal identity of individuals, including Aadhaar number and demographic information and other sensitive personal data such as bank account details etc. collected by various Ministries/Departments... has reportedly been published online and is accessible through an easy online search, i.e. it has been leaked into the public domain.

The government, in the recent past, had ignored all warnings and criticisms about the UID data being sensitive and has been aggressively pushing for its adoption across services and platforms.

The main argument against the Aadhaar has been that it infringes upon the citizen’s right to privacy, which flows from Article 21 that talks about the fundamental right to life. A petition filed in the Supreme Court in January said that citizens were required to give their biometric information – iris and fingerprint scans – when there is no system that assures them that this data is safe and would not be misused by the private agencies collecting the data.

Largest data breach in the healthcare sector reported!!

The largest reported data breach in the healthcare sector for 2016 was Banner Health, with 3.62 million individuals impacted by a cyber-security attack that occurred over the summer.

Banner Health discovered the issue on July 13, 2016, but a third-party forensics investigation found that the initial attack occurred on June 17, 2016.

There were “a limited number of Banner Health computer servers as well as the computer systems that process payment card data at certain Banner Health food and beverage outlets” affected in the attack, according to Banner.

Patients, members and beneficiaries, and food and beverage outlet customers may have all had certain information exposed.

The food and beverage outlet breach was discovered on July 7, 2016, while payment cards used at 27 different Banner Health locations from June 23, 2016 to July 7, 2016 may have been affected. Arkansas, Arizona, Colorado, and Wyoming are the possibly affected locations.

“The attackers targeted payment card data, including cardholder name, card number, expiration date and internal verification code, as the data was being routed through affected payment processing systems,” explained Banner.

6 lakh medical records exposed

South Carolina's Bon Secours Health System, Inc. reported that 6,51,971 patients were likely affected by a data breach stemming from a vendor error.

The vendor, R-C Healthcare Management, inadvertently made patient files available online as it attempted to adjust its computer network settings from April 18, 2016 to April 21, 2016.

While medical records were not made accessible, patients’ names, health insurers’ names, health insurance identification numbers, limited clinical information, Social Security numbers and in some instances, bank account information may have been exposed.

“To help prevent something like this from happening in the future, we are reinforcing standards with our vendors to ensure our patients’ information is securely maintained,” Bon Secours said in a statement.

Wednesday 5 April 2017

85% Of Smart TVs Can Be Hacked Remotely

The Internet-connected devices are growing at an exponential rate, and so are threats to them.

Due to insecure implementations, a majority of Internet-connected embedded devices, including smart TVs, refrigerators, microwaves, security cameras, and printers, are routinely being hacked and used as weapons in cyber attacks.

Now, a security researcher is warning of another IoT threat involving Smart TVs that could allow hackers to take complete control of a wide range of Smart TVs at once without having any physical access to any of them.

“Disappearing Malware” Allowed Hackers Steal $800,000 Cash From Russian ATMs

Some Russian banks are having sleepless nights because of a series of robberies that happened in the strangest way possible. The banks were completely unaware of how the attackers performed the robberies, as all of this was done without even touching the machines. They didn't find any trace of malware on their back-end network or the ATMs. The only digital traces of the attack were two log files which the attackers might have left by mistake. The events that occurred on the machines were recorded in those log files. The command, "Take the money bitch," appeared in the log file, and possibly on the ATM's screen as well, to signal the money mule to grab the bills and go.

Monday 3 April 2017

Did you hear that? A hack proof satellite system

Japan plans to develop a hack-proof satellite system to protect transmissions between satellites and ground stations with dynamic encryption of the data. Cyber-attacks represent a serious threat to satellite communications: satellites have a crucial role in our digital society and almost every industry benefits from their services, which is why their security is a pillar of the cyber security strategy of governments worldwide.

Satellites communicate with terrestrial base stations using radio waves, which hackers can intercept, with unpredictable consequences. Hackers who can decode the encrypted data can steal information, manipulate it or take control of the satellite. In August, the Chinese government launched the world's first quantum satellite, which will help it establish “hack-proof” communications between space and the ground.

Connecting dots: Moonlight Maze cyber espionage campaigns to the Turla APT group


Moonlight Maze is the code name assigned to one of the first detected cyber espionage campaigns that targeted a number of critical U.S. government agencies, including the Pentagon, NASA and the Department of Energy. Threat actors behind the Moonlight Maze were focused on UNIX systems such as Sun Solaris, while the Turla APT is more specialized in attacks on Windows systems.

Guerrero-Saade explained that of the 45 Moonlight Maze binaries detected by experts at Kaspersky, nine were examples of the LOKI2 backdoor. This discovery is remarkable because it demonstrates that a 20-year-old hacking tool is still effective against high-value targets.

Biggest security threat to an organization still remains the same!

Despite an increase in spending and investment in deterrence tactics and detection tools, insider threats continue to cause harm to all types of organizations.

Using crowd-based research in partnership with the 300,000-plus members of the Information Security Community on LinkedIn, the report found nearly three-quarters (74 percent) of organizations feel vulnerable to insider threats, a significant seven-percent increase over last year.

Most survey respondents (67 percent) indicate that because insiders already have credentialed access to their networks and services, they are much more difficult to detect and deter than external threats. But only 42 percent of organizations say they are regularly monitoring user behavior while 21 percent do none at all.