Sunday, October 25, 2015

Issue 35 - Week of Oct 19th

1. TalkTalk hack hits up to 4 million in unencrypted data theft: UK ISP TalkTalk says customers' credit-card and banking details may have been accessed by hackers after a "sustained cyber-attack" on its website last week. Following its second major breach in the past year, the British broadband provider has vaguely admitted it may have failed to protect customers' financial data properly. Among the details it says may have been "accessed" were customers' name, address, date of birth, email address, telephone number, account information, credit-card and bank-account details. TalkTalk customers were targeted by fraudsters earlier this year following a breach of its internal security procedures linked to its use of a third-party call center.

2. WikiLeaks posts data from CIA director's email account: Last week, hackers accessed the CIA Director's personal AOL email account using social engineering techniques. One hacker posed as a Verizon worker, called a Verizon employee and tricked him into handing over personal information, with which he reset the Director's password. The hackers were able to access sensitive government documents stored as attachments in the personal account because the spy chief had forwarded them from his work email. In 2012 another CIA director had to step down after he mishandled classified information by allegedly storing it in a Gmail drafts folder; he avoided jail by pleading guilty but was fined $100,000.

3. Government seeks to outlaw car hacking: A House committee will consider automotive safety reforms that, among other proposed changes, would make it illegal to hack vehicles, punishable by penalties of up to $100k. A group of researchers argues that hackers make cars safer and hence should not be banned from tinkering. Car hacking is not just remotely disabling a vehicle's functions; it could also be used for surveillance as well as sabotage. As discussed in the issue of 27th July, following a demonstration of such a hack, Chrysler recalled 1.4M vehicles for a bug fix while the hackers released a video of their demo.

4. Just how many websites are vulnerable because of SHA-1? Some certificate authorities are still issuing digital certificates signed with the SHA-1 hashing algorithm, despite recent research showing that the cost of undermining it is not beyond criminals' budgets. Browser makers Google, Microsoft, and Mozilla have announced plans to stop accepting SHA-1 SSL certificates by 2017. But researchers recently called for this deadline to be brought forward, after estimating that the cost of causing a SHA-1 collision is much lower than initially thought, and definitely within reach of cybercriminal budgets. It is estimated that by renting Amazon servers at an approximate cost of $75K USD, hackers can produce a SHA-1 collision.

5. Thousands of e-commerce Magento websites struck with Guruincsite malware: Websites running the Magento content management system are being infected with malware in a fresh campaign which has impacted thousands of domains in a matter of days. The attack involves injecting malicious scripts through iframes loaded from guruincsite.com (Neutrino exploit kit). Google has already blacklisted almost 8,000 infected websites; removing the malicious scripts and then resubmitting the cleaned websites to Google for review should lift the blacklisting. The Magento content management system, tailored for e-commerce, is used by over 200,000 companies worldwide.
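A store administrator cleaning up after a campaign like this first needs a list of every third-party iframe and script host a page loads. The scanner below is an added example, not code from the original post or from Magento; the sample HTML, the first-party host `www.example-store.com` and the allowed CDN host are constructed for the demo, while `guruincsite.com` is the domain named above.

```python
"""List iframe/script sources on a page whose host is neither the site nor allowed.

Added example (not from the original post). Protocol-relative ("//host/..") and
absolute URLs are resolved to a host; relative paths count as first-party.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class SourceCollector(HTMLParser):
    """Collect (tag, src) pairs for every <iframe> and <script> with a src."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append((tag, src))


def foreign_sources(html: str, own_host: str, allowed_hosts=()) -> list:
    """Return (tag, host, src) for sources not served by own_host or allowed_hosts."""
    parser = SourceCollector()
    parser.feed(html)
    allowed = {own_host.lower(), *(h.lower() for h in allowed_hosts)}
    hits = []
    for tag, src in parser.sources:
        # A relative src has no hostname; treat it as first-party.
        host = (urlparse(src).hostname or own_host).lower()
        if host not in allowed:
            hits.append((tag, host, src))
    return hits


# Constructed page from a hypothetical store; the zero-size iframe mimics the
# injected frame described above.
SAMPLE_HTML = """
<html><body>
<script src="/js/mage/checkout.js"></script>
<script src="https://cdn.example-store.com/lib.js"></script>
<iframe src="http://guruincsite.com/" width="0" height="0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for hit in foreign_sources(SAMPLE_HTML, "www.example-store.com",
                               ["cdn.example-store.com"]):
        print("foreign source:", hit)
```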

6. Computer clocks can be easily scrambled, undermining encryption and bitcoin trades: Researchers from Boston University said they've found several flaws in NTP that could undermine encrypted communications and even jam up bitcoin transactions. One of the problems they found is that it's possible for an attacker to cause an organization's servers to stop checking the time altogether. NTP has a rate-limiting mechanism, nicknamed the "Kiss O' Death" packet, that will stop a computer from repeatedly querying the time in case of a technical problem. When that packet is sent, systems may stop querying the time for days or years, according to a summary of the research. The key issue they found is that it's possible for an attacker to spoof a Kiss O' Death packet, making it appear to have come from a system experiencing trouble when it's actually fine.
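On the wire a Kiss O' Death is a server reply with stratum 0 whose reference-ID field carries a four-letter ASCII kiss code ("RATE" for rate limiting), and RFC 5905 tells a client to discard any reply whose origin timestamp does not echo the transmit timestamp of the client's own request. The parser below is an added example, not code from the original post or from the researchers; it shows that check applied to a KoD, with the timestamp values constructed for the demo.

```python
"""Parse an NTPv4 reply and decide whether a Kiss-o'-Death (KoD) should be honoured.

Added example (not from the original post). A KoD that does not echo the transmit
timestamp of our last request fails the RFC 5905 origin check and is reported as
spoofed instead of being acted on.
"""
import struct

# 48-byte NTP header, network byte order: flags, stratum, poll, precision,
# root delay, root dispersion, reference ID, then four 64-bit timestamps.
NTP_HEADER = struct.Struct("!BBBbIIIQQQQ")


def parse_ntp(pkt: bytes) -> dict:
    """Return the header fields needed for the KoD decision."""
    (flags, stratum, _poll, _prec, _delay, _disp, ref_id,
     _ref_ts, origin_ts, _recv_ts, xmit_ts) = NTP_HEADER.unpack_from(pkt)
    return {
        "mode": flags & 0x07,               # 4 = server reply
        "stratum": stratum,                 # 0 = unspecified / kiss code
        "ref_id": ref_id.to_bytes(4, "big"),  # ASCII kiss code when stratum is 0
        "origin_ts": origin_ts,
        "xmit_ts": xmit_ts,
    }


def classify_kod(reply: bytes, last_request_xmit_ts: int) -> str:
    """Classify a reply against the transmit timestamp we sent in our last request.

    Returns "not-kod", "kod:<CODE>" for a KoD that echoes our request, or
    "spoofed-kod:<CODE>" for a KoD whose origin timestamp does not match.
    """
    hdr = parse_ntp(reply)
    if hdr["mode"] != 4 or hdr["stratum"] != 0:
        return "not-kod"
    code = hdr["ref_id"].decode("ascii", errors="replace")
    if hdr["origin_ts"] != last_request_xmit_ts:
        return f"spoofed-kod:{code}"
    return f"kod:{code}"


def build_kod(code: bytes, origin_ts: int) -> bytes:
    """Construct a KoD reply (LI=0, VN=4, mode=4, stratum 0) for the demo."""
    flags = (0 << 6) | (4 << 3) | 4
    return NTP_HEADER.pack(flags, 0, 6, -20, 0, 0,
                           int.from_bytes(code, "big"), 0, origin_ts, 0, 0)


if __name__ == "__main__":
    our_xmit = 0xDEADBEEF00000001  # constructed transmit timestamp of our request
    print(classify_kod(build_kod(b"RATE", our_xmit), our_xmit))   # kod:RATE
    print(classify_kod(build_kod(b"RATE", 0x1234), our_xmit))     # spoofed-kod:RATE
```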

7. “I am stranded without any money, so I was wondering if I could get a quick loan of $1,850 from you or any amount, you can afford if not all,” read the mail from the hacked account. Hackers appear to have adopted a new modus operandi to make people transfer money to their accounts. Recently, somebody believed to be from Ukraine hacked a journalist's Yahoo mail account and created a similar ID with Microsoft's web mail service Outlook. The hacker used contacts from the hacked Yahoo ID to send mails from the newly created ID to the person’s friends and relatives asking for money. The mail typically claims that the sender is stuck in a foreign country, that his debit and credit cards are not working and that he is in dire need of money. Since the hackers used a different account, the original user didn’t know about the mails sent in his name.

8. Unbelievably simple scam costs ONGC ₹197 crore: Another classic case of typo-squatting. 'patel_dv@ongc.co.in' is a genuine ONGC address. Hackers used a parked domain to create the fake address 'patel_dv@ognc.co.in'; note the transposed letters in the fake address. ONGC was engaged in a business transaction with Saudi Arabia-based oil company Aramco. Using their fake address, the hackers began interacting with Aramco and instructed them to make the payment to a Bangkok Bank account instead of the regular State Bank of India account. A case has been registered with the cybercrime police station.

9. Cybersecurity skills gap continues to grow: Last week the Digital India Initiative of the Government appointed an ethical hacker as its new Brand Ambassador. This in a way acknowledges hacking as an acceptable activity, a legitimate career option and an honest way to earn one's livelihood. A deeper look at the colleges and institutes that offer ethical hacking courses shows that ethical hacking in India is making large strides, but there is still some distance to cover. Worldwide market indicators show the need for as many as 4.25 million security professionals by 2017, representing the potential for a 47% shortage in qualified personnel.


10. State-sponsored attack? Facebook will now tell you 'You've been hacked': Facebook has started to notify users when it suspects they've been targeted by government-sponsored hackers rather than by run-of-the-mill cybercriminals. Facebook won't be revealing how it tells when a state-sponsored hacker is targeting a particular user, although there are numerous pieces of known malware suspected to have been created by government-backed hackers, such as Stuxnet, thought to have been built by the US; Duqu; DarkSeoul, supposedly from North Korea; China's ShadyRAT; and Russia's The Dukes malware.

1 comment:

  1. You can easily remove TalkTalk spam emails; to do so, log into the new TalkTalk Mail. Now select the Menu and go to Settings in the drop-down menu. After that, tap Mail in the left panel and then Filter rules. Now choose Edit, select the delete icon to delete that email address, confirm the deletion and select Save.
    TalkTalk Mail Support Number UK.