Author Archives: Luana PASCU

Winter Olympics ceremony allegedly hacked by Russia; no comment from IOC

Hackers attacked the opening ceremony of the Pyeongchang Winter Olympics in South Korea, organizers confirmed. The attacks were allegedly carried out by Russia following a doping ban, but the organizers made no comments, writes the Guardian. Soon after the event started on Friday, the official website went offline for 12 hours, and the stadium’s Wi-Fi stopped working, along with television and network connections in the press center.

“There was a cyberattack and the server was updated yesterday during the day and we have the cause of the problem,” said Sung Baik-you, a spokesperson for the Olympics. “They know what happened and this is a usual thing during the Olympic Games.”

“We are not going to reveal the source,” he said. “We are taking secure operations and, in line with best practice, we’re not going to comment on the issue because it is an issue that we are dealing with. We wouldn’t start giving you the details of an investigation before it is coming to an end, particularly if it was on security which, at these games, is incredibly important.”

International Olympic Committee (IOC) spokesman Mark Adams has not yet commented on the source of the attack but he assured users that their systems are secure.

When asked about accusations that Russia is behind the cyberattack, Russia’s foreign ministry said there was no evidence to present. The ministry added that it knew “that Western media are planning pseudo-investigations on the theme of ‘Russian fingerprints’ in hacking attacks on information resources related to the hosting of the Winter Olympic Games in the Republic of Korea.”

Russia appealed the ban, arguing they had been unjustly eliminated from the competition, decimating their Olympics team. Their appeal was rejected at the last minute and resulted in the exclusion of around 47 coaches and athletes, including Viktor Ahn, a six-time Olympic gold medalist.

The Pyeongchang Winter Olympics take place some 80 km from the North Korean border, in a complicated political context: the two states are on hostile terms, and the South maintains close ties to the US.

WhatsApp tests viability of digital payment feature in India

After working on its development since last year, WhatsApp has introduced a beta version of its digital payment feature on Android and iOS in India. The network’s peer-to-peer payment specification will be available to an exclusive group of testers and, if all goes well, it will be released for wide adoption in India. The company hasn’t said whether it will expand the feature to Europe or North America.

In India, WhatsApp is the preferred communication network, with some 200 million daily users.

“Over 80% of small businesses in India and Brazil say WhatsApp helps them both communicate with customers and grow their business today,” says the company’s blog, so no wonder India is an important test market for digital payments.

More and more organizations are switching to digital payments to make their products and services more available to a larger audience. WhatsApp is not the only tech company developing payments via the government-backed UPI (Unified Payment Interface) standard; Amazon India is now also accepting such payments.

Samsung, Zomato and Google are also looking to integrate the interface. A significant number of banks, including the State Bank of India, HDFC Bank and ICICI Bank, have agreed to take part in the digital payment initiative, a major step forward as financial institutions deal with a historic disruption of how payments flow.

The growing interest in and transition towards digital payments in the consumer sector is raising concerns about the security efforts required to sustain the proper flow of transactions. Soon enough, innovative technologies such as the Internet of Things will also be assimilated to make payments even more accessible. But, looking at their current infrastructures, quite a large number of institutions are not fully prepared to handle this drastic transformation, which will expose fintech to a number of risks.

Hackers made $5,000 a night off crypto users by impersonating Elon Musk and Bill Gates

While “Nigerian princes” abound on the internet in some of the oldest known scams, there has been only one Bill Gates and one Elon Musk. Until now. Hundreds of crypto users looking to make a quick buck were scammed by criminals impersonating the two billionaires and popular cryptocurrency traders like Vitalik Buterin, discovered BleepingComputer.

How? People just don’t pay attention to minor changes such as extra or missing letters in the name. For the past two weeks at least, a dozen fake accounts such as @WarrenBuffert, @Billgavtes, @SatoshiLitev, @elonnmuusk, @VittaliBuuteri and @officialmcafee tweeted they were giving away free cryptocurrency. If users wanted some, they had to also donate ethereum to the address in the tweet. The fake profiles had similar messages; only the amounts varied. The most profitable accounts were those impersonating John McAfee, Elon Musk and Vitalik Buterin.

The scam made about $5,000 in a single night from gullible crypto users hoping to become rich quick through a crypto giveaway. Since cryptocurrency is anonymous by nature, the money is lost and the scammers can’t be detected. Because they are violating its user agreement, Twitter will most likely block the accounts, but that doesn’t mean hackers won’t create new ones.

It’s recommended users pay close attention to whom they engage with on social media. Before sending money, double check that the address, campaign or person involved are legitimate to reduce the risk of phishing. Avoid clicking on links that seem fake or if there are any doubts about the domain’s validity, especially when purchasing wallets. Most importantly, never give away personal information, passwords or private keys, and beware of deals that are too good to be true.

India bans cryptocurrencies, but will further explore blockchain

The Indian government doesn’t recognize bitcoin as legal tender and is fully committed to eliminating cryptocurrency payments from its system, Bloomberg writes. Government officials have repeatedly called cryptocurrency payments mere ‘Ponzi schemes’ and sent out thousands of tax notices to cryptocurrency investors.

Despite banning the purchase and sale of cryptocurrency, the Indian government wants to further explore blockchain technology (on which bitcoin is based).

“The government does not consider cryptocurrencies legal tender or coin and will take all measures to eliminate use of these crypto-assets in financing illegitimate activities or as part of the payment system,” Finance Minister Arun Jaitley told lawmakers in New Delhi on Thursday. “The government will explore use of blockchain technology proactively for ushering in digital economy.”

India is not the only country taking measures affecting cryptocurrencies; South Korea and China also announced recently they would regulate cryptocurrencies.

Generally, countries have different policies regarding cryptocurrencies and are looking into either banning them or legalizing cryptocurrency payments by enforcing the same taxes and reporting obligations as for traditional currency.

Social media giant Facebook announced this week that it will ban ads promoting “financial products and services that are frequently associated with misleading or deceptive promotional practices, such as binary options, initial coin offerings and cryptocurrency.”

Following Jaitley’s announcement that India will ban cryptocurrencies, bitcoin, ripple and ethereum prices dropped dramatically.

Patch released to fix Firefox arbitrary code execution vulnerability

Mozilla released an update to patch its open-source Firefox web browser after developer Johann Hofmann detected a critical HTML flaw that could allow hackers to exploit the browser remotely. The vulnerability only affected the desktop version of Firefox, not the iOS, Android and Amazon Fire TV versions.

The vulnerability was the result of “insufficient sanitization of HTML fragments in chrome-privileged documents by the affected software,” according to a detailed advisory released by Cisco on Tuesday.

To infiltrate the system, the hacker would use either misleading language or instructions to convince the user to click on a link or open a file that seems legitimate. After the user follows instructions, the attacker gets admin privileges and can remotely corrupt the vulnerable software.

The critical HTML hijack vulnerability exploited Firefox’s Chrome User Interface design elements (no relation to Google Chrome) such as “menu bars, progress bars, window title bars, toolbars, or UI elements created by add-ons,” explains BleepingComputer.

Firefox 58.0.1 is the first update to the new Firefox Quantum browser, just a week after the browser was officially launched. Firefox users are advised to update their browser immediately and not to open any emails or click on links that appear suspicious or are sent by unknown contacts. If there are any doubts regarding the source of a link, file or email, it’s safer not to click, download or open.

When asked about its plans for 2018, Mozilla wants to expand into the mobile ecosystem by launching an improvement similar to Quantum and heavily focus on Focus, the iOS and Android Firefox version.

“Mobile will be huge for Mozilla in 2018 and we will see how much of that we want to include in Firefox, Focus or even other apps,” Barbara Bermes, product manager for Firefox Mobile told Neowin in an interview. “As it relates in particular to Focus, we want to be the trusted browser providing the most privacy by design and by default. The idea is to include smart defaults that address privacy concerns while not sacrificing performance or convenience.”

Google used machine learning to remove over 700,000 malicious apps from its store in 2017

Google is working hard at stopping malware from sneaking into its Play Store to abuse billions of Android users. The number of malicious apps removed from the store rose more than 70 percent in 2017 from 2016 to 700,000, thanks to an improved machine learning detection algorithm for malicious and abusive techniques, according to the company’s end-of-year report.

Besides malicious programs, Google engineers also removed more than 100,000 developer accounts linked to cybercriminals abusing the store.

“In 2017, we took down more than 700,000 apps that violated the Google Play policies, 70% more than the apps taken down in 2016. Not only did we remove more bad apps, we were able to identify and action against them earlier,” writes Andrew Ahn, Product Manager, Google Play.

“In fact, 99% of apps with abusive contents were identified and rejected before anyone could install them. This was possible through significant improvements in our ability to detect abuse – such as impersonation, inappropriate content, or malware – through new machine learning models and techniques.”

The deleted applications fall under three categories, Ahn explains. The first is copycat applications impersonating popular titles. The second, and most pervasive, category is applications with content related to pornography, hate and extreme violence. The third is dubbed Potentially Harmful Applications (PHAs), meaning apps that are malicious and could be used for SMS fraud, act as Trojans or carry out phishing attempts.

“The annual PHA installs rates on Google Play was reduced by 50 percent year over year,” according to Ahn, whereas the second category is still extremely widespread. Although Google regularly improves its detection capabilities, the tech giant admits that some malicious apps could bypass security layers, so users should remain vigilant.

Major security flaw in Lenovo’s ThinkPad Manager allows hackers access into your laptop

A critical encryption vulnerability in Lenovo’s ThinkPad Manager Pro software on laptops running Windows 7, 8 and 8.1 could allow hackers access into a user’s computer by bypassing fingerprint recognition, the company confirmed last week in a security advisory.

“A vulnerability has been identified in Lenovo Fingerprint Manager Pro. Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in,” reads the statement.

Devices running Windows 10 were not affected because they use the fingerprint reader support from Microsoft.

To exploit the vulnerability, hackers had to do it in person, as local access was required.

A patch for the Fingerprint Manager Pro application was released on Jan. 25. Users with vulnerable models are encouraged to download and install version 8.01.87.

The vulnerable machines are:

ThinkPad L560
ThinkPad P40 Yoga, P50s
ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
ThinkPad W540, W541, W550s
ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
ThinkPad X240, X240s, X250, X260
ThinkPad Yoga 14 (20FY), Yoga 460
ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
ThinkStation E32, P300, P500, P700, P900

Hacker uses malware to steal, resell gas in major Russian fraud scheme

Russian Federal Security Service (FSB) agents arrested a Russian national in Stavropol on Sunday for launching a large malware campaign targeting gas stations in southern Russia, reports Russian news outlet Rosbalt.

According to the investigation, Denis Zayev created a malicious program that he sold to dozens of gas station employees to inject into the pumps’ software and cash registers. In some schemes he was also a partner, getting a share of the money from the stolen fuel.

The scam was simple: after the malware was installed on the IT systems, a gas tank would be left empty on purpose so some of the fuel that customers bought would be diverted to the empty tank. Customers would get less fuel than they paid for, while employees resold the fuel collected in the empty tank.

Zayev and his partners stole between 3% and 7% of the fuel for some “hundreds of millions of rubles.” The malicious program was undetectable, and they fully covered their tracks by showing fake data and deleting any information about the resale operation.

Zayev’s scheme covered the Russian territories of Stavropol, Adygea, Krasnodar, Kalmykia and a number of regions in North Caucasus, in what sources in law enforcement have named the largest scam of its kind.

FSB agents did not say how they detected the crime, but they confirmed it was almost impossible to identify since the malware corrupted the pumps, cash registers and back-end systems.

“In the past, scammers used special ‘bugs’ for theft at the gas station, then they were replaced by viruses,” said a law enforcement source for Rosbalt.

“However, they could still be found. Zayev also created a unique product. His malicious programs could not be detected either by the specialists of the control service of oil companies, who constantly conduct inspections at the filling stations, or the employees of the Ministry of Internal Affairs. And we managed to establish all this in an operative way.”

New ransomware dubbed MoneroPay targets crypto-fans, impersonates wallet

Crypto-fans are now being targeted by MoneroPay, a new ransomware released in a thread discussing altcoin on the popular crypto forum BitcoinTalk on Jan. 6. Because it posed as a wallet for the SpriteCoin cryptocurrency, enthusiasts rushed to download it in the hope of making a lot of money fast.

The authors of the ransomware took advantage of the surge in interest in cryptocurrency to target some tech-savvy users. Such wallets are often flagged by security solutions, so many users have made a habit of disabling their security software to avoid false positives.

The hackers behind MoneroPay exploited this practice and created the malware to perfectly impersonate a regular installation. Once MoneroPay was installed on their devices, it started collecting user data and passwords saved in Firefox and Chrome. The data is sent to a C2 server.

The victims figured out they were dealing with ransomware after full sync with the blockchain was completed and an announcement appeared that their data is encrypted.

According to BleepingComputer, the ransomware encrypts files with dozens of extensions, including programming-language and document formats such as txt, doc, rtf, cpp, tcl, html, ppt, docx, xls, xlsx, pptx, key, pem, psd, mkv, mp4, ogv, zip, jpg, jpeg, work, pyw, hpp, cgi, rar, lua, img, iso, webm, jar, java, class, one, htm, css, vbs, eps, psf, png, apk, ps1 and wallet.dat. MoneroPay adds the .encrypted extension to the affected files.

Even though crypto-fans are usually tech savvy, malware developers collect insights from multiple threads on the forum, and elsewhere, to take advantage of their weaknesses. This is precisely why they need to take extra security measures such as keeping regular backups of their data so it can be restored if encrypted or lost, and using a virtual machine to scan files before download to ensure they’re not malware.

Twitter accused of breaking privacy claims by conservative media group

Social media giant Twitter is in the midst of a scandal following accusations of breaking privacy claims. Pro-Trump group Project Veritas released three videos in which Clay Haynes, a senior engineer at Twitter, is recorded without his consent in a bar making various statements about the company’s policy on disclosing sensitive tweets and DMs.

Speaking in what he thinks is a casual, possibly romantic meeting, he says Twitter has developed a machine learning algorithm that analyzes tweets and DMs, yet the video is selectively edited to fit Project Veritas’ story that actual employees monitor this information. Twitter is not the only social network to aggressively monitor its content to eliminate pornography, spam and deviant behavior.

“We do not proactively review DMs. Period. A limited number of employees have access to such information, for legitimate work purposes, and we enforce strict access protocols for those employees,” Twitter said.

What’s more, the man expresses a negative opinion about US President Donald Trump and said Twitter would voluntarily hand over the president’s deleted tweets and DMs to the US Department of Justice.

“We’re more than happy to help the Department of Justice in their little investigation,” Haynes says. “Giving them every single tweet that he’s posted, even the ones he’s deleted, any direct messages, any mentions.”

“The individual depicted in this video was speaking in a personal capacity and does not represent or speak for Twitter,” a company spokesperson said.

“Twitter only responds to valid legal requests and does not share any user information with law enforcement without such a request… Twitter is committed to enforcing our rules without bias and empowering every voice on our platform, in accordance with the Twitter Rules. We deplore the deceptive and underhanded tactics by which this footage was obtained and selectively edited to fit a pre-determined narrative.”

Project Veritas is a controversial media group known for unethical investigations and fake news; in the past it tried to get the Washington Post to publish a fake story in order to undermine the paper’s credibility among readers.

Hackers can execute malicious code through vulnerability in Transmission BitTorrent client

If you download content through the popular Transmission BitTorrent client, take a closer look at its security settings: a critical vulnerability has been detected by Google’s Project Zero reporting team.

According to the report published Tuesday, the flaw lets hackers execute malicious code and gain remote control of user PCs through their web browsers.

Forty days after the report, with the developers in charge of fixing the flaw having not yet applied the patch proposed by Google researcher Tavis Ormandy, Ormandy posted a proof-of-concept attack based on a technique called DNS rebinding.

“I’m finding it frustrating that the transmission developers are not responding on their private security list, I suggested moving this into the open so that distributions can apply the patch independently. I suspect they won’t reply, but let’s see,” Ormandy’s report says.

Ormandy wrote:

“The attack works like this:

  1. A user visits http://attacker.com.
  2. attacker.com has an <iframe> to attack.attacker.com, and have configured their DNS server to respond alternately with 127.0.0.1 and 123.123.123.123 (an address they control) with a very low TTL.
  3. When the browser resolves to 123.123.123.123, they serve HTML that waits for the DNS entry to expire, then they XMLHttpRequest to attack.attacker.com and have permission to read and set headers.”

The app is based on a client-server architecture. To download content, users install a daemon service locally and then control it through a web-based interface.

“I regularly encounter users who do not accept that websites can access services on localhost or their intranet,” Ormandy wrote.

“These users understand that services bound to localhost are only accessible to software running on the local machine and that their browser is running on the local machine—but somehow believe that accessing a website “transfers” execution somewhere else. It does not work like that, but this is a common source of confusion.”

Ormandy tested his demo on Chrome and Firefox on Windows and Linux, but believes other platforms and browsers are vulnerable.
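The description above turns on one detail: after the attacker’s DNS name flips to 127.0.0.1, the browser connects to the local daemon but still sends a Host header of attack.attacker.com. A loopback-bound service can therefore refuse any request whose Host header is not a loopback name it expects. The following is an added example written for this article, not Transmission’s code or Ormandy’s patch; the listen port 9091, the sample Host values and the `extra_names` parameter are assumptions for illustration.

```python
"""Host-header allowlisting for a localhost-bound HTTP daemon (DNS-rebinding defence)."""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

LISTEN_PORT = 9091  # assumed sample port for the local daemon


def split_host_port(host_header):
    """Return (host_lowercased, port_or_None) from a Host header.

    Handles bracketed IPv6 literals ("[::1]:9091") and rejects malformed
    values (unbracketed IPv6, non-numeric port) with ValueError.
    """
    value = host_header.strip()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal")
        host, rest = value[: end + 1], value[end + 1 :]
    else:
        host, sep, rest = value.partition(":")
        rest = sep + rest
    port = None
    if rest:
        if not rest.startswith(":") or not rest[1:].isdigit():
            raise ValueError("malformed port")
        port = int(rest[1:])
    return host.lower(), port


def host_header_allowed(host_header, listen_port=LISTEN_PORT, extra_names=()):
    """True only if Host names loopback (or an operator-configured name) and our port.

    A rebinding page reaches us with Host set to the attacker's domain, which
    fails every branch below, so the daemon never acts on that request.
    """
    if host_header is None:
        return False  # HTTP/1.1 requires Host; treat its absence as hostile
    try:
        host, port = split_host_port(host_header)
    except ValueError:
        return False
    if port is not None and port != listen_port:
        return False  # right name but not our listener
    if host in {name.lower() for name in extra_names}:
        return True  # hypothetical operator allowlist, e.g. a LAN hostname
    if host in ("localhost", "localhost."):
        return True
    # Bare IP literal: accept only loopback addresses (127.0.0.0/8, ::1).
    literal = host[1:-1] if host.startswith("[") and host.endswith("]") else host
    try:
        return ipaddress.ip_address(literal).is_loopback
    except ValueError:
        return False  # any other DNS name (attack.attacker.com, ...) is refused


class RebindingAwareHandler(BaseHTTPRequestHandler):
    """Minimal handler that enforces the Host check before doing any work."""

    def do_GET(self):
        if not host_header_allowed(self.headers.get("Host"), self.server.server_port):
            self.send_error(421, "Misdirected Request: unexpected Host header")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok\n")


def serve(port=LISTEN_PORT):
    # Binding to 127.0.0.1 keeps the network out; the Host check keeps out the
    # browser tab that a rebinding page turned into a local client.
    HTTPServer(("127.0.0.1", port), RebindingAwareHandler).serve_forever()


# Constructed sample Host headers: what a genuine loopback tab sends versus
# what a rebinding page sends once attack.attacker.com resolves to 127.0.0.1.
SAMPLE_HOSTS = {
    "localhost:9091": True,
    "127.0.0.1:9091": True,
    "[::1]:9091": True,
    "attack.attacker.com:9091": False,  # the rebinding case from the write-up
    "attack.attacker.com": False,
    "localhost:8080": False,  # right name, wrong port
    "127.0.0.1.attacker.com": False,  # looks like an IP, is a DNS name
    None: False,  # request without a Host header
}


def check_samples():
    """Evaluate every constructed sample; returns {header: allowed}."""
    return {header: host_header_allowed(header) for header in SAMPLE_HOSTS}


if __name__ == "__main__":
    for header, verdict in check_samples().items():
        print(f"{str(header):28} -> {'allow' if verdict else 'refuse'}")
```

Call `serve()` to run the daemon locally; the check must sit in front of every RPC route, not only the one shown.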

Canadian behind leaked credentials website appears in court

The Canadian arrested for running a leaked-credentials site and allegedly selling billions of passwords from major data breaches appeared in his first court hearing on Monday. The man is accused of trafficking in identity information, unauthorized use of computer (s. 342.1 of the Criminal Code), mischief to data and possession of property obtained by crime, announced the Royal Canadian Mounted Police (RCMP).

27-year-old Jordan Evan Bloom from Ontario was identified as the man behind Leakedsource.com, a site hosted on servers in Quebec that collected a database of some 3 million identity records and passwords. Bloom was arrested on Dec. 22 in the Project “Adoration” criminal investigation. According to the RCMP, he made approximately $198,000 from selling identity information.

“This investigation is related to claims about a website operator alleged to have made hundreds of thousands of dollars selling personal information,” said Inspector Rafael Alvarado, Officer in Charge of the RCMP Cybercrime Investigative Team at National Division. “The RCMP will continue to work diligently with our domestic and international law enforcement partners to prosecute online criminality.”

Leakedsource.com appeared in 2015 and it was the largest collection of stolen credentials from major high-profile data breaches such as Ashley Madison, Last.fm, Yahoo, LinkedIn and Myspace. The site was used as a resource by a number of journalists investigating data breaches and leaked records. Although it was taken down, currently the same domain is live but hosted in Russia.

The arrest was part of an international effort between the RCMP’s National Division Cybercrime Investigative Team, Dutch National Police and the FBI.

Chinese toy company VTech violated US child privacy laws; fined $650,000 by FTC

An educational toy manufacturer from China has settled with the FTC to pay $650,000 in fines over an older data breach that exposed data illegally collected from approximately 5 million parents and children, the FTC announced. The FTC discovered the illegal data collection in 2015 while investigating a cyberattack detected by a journalist.

“As connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data,” said Acting FTC Chairman Maureen K. Ohlhausen. “Unfortunately, VTech fell short in both of these areas.”

Not only did VTech fail to ensure data “confidentiality, security and integrity” by encrypting it, but it also broke the US Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children under 13 and their parents without the parents’ verifiable consent and without informing children about it.

In response to the FTC, VTech “does not admit any violations of law or liability.”

Through Kid Connect, available for download on the Learning Lodge Navigator online platform, and gaming and chat platform Planet VTech, the manufacturer collected parents’ personal information, such as names, email addresses, passwords, IPs, download history, kids’ names, dates of birth and gender, among others. The Kid Connect app is used with most of its toys.

In the 2015 data breach, a hacker infiltrated the company network and gained access to the personal information of some 2.25 million parents and 3 million children. The hacker also had access to photos and audio files uploaded by parents and their children on the platform.

“We are pleased to settle this two-year-old investigation by the FTC,” said Allan Wong, Chairman and Group CEO of VTech Holdings Limited. “Following the cyberattack incident, we updated our data security policy and adopted rigorous measures to strengthen the protection of our customers’ data. We also took steps to address the technical notice and consent issues under COPPA.”

VTech is the largest manufacturer of cordless phones, and its products are meant for children from infancy to preschool. Despite the issue with the FTC, the company’s Kidizoom Smartwatch, designed for ages 4 and up, received last week the 2018 KAPi (Kids at Play Interactive) Award for innovation and design excellence.

Malware-infected beauty shop hadn’t backed up data in 2 years

Not having a backup and recovery strategy has drastic business implications, as an online vendor of makeup sponges from California found out. Known online as ‘beautyblender,’ Rea.deeming Beauty, Inc. sent a notification to California’s Office of the Attorney General informing the department that their online shop had been infected with malware that stole payment data at checkout.

Because the vendor hadn’t backed up data daily, they couldn’t determine who had fallen victim or what the exact implications of the breach were, writes BleepingComputer. As a result, the company is reaching out to all its 3,673 customers residing in California, because it cannot tell which of them were affected.

Beautyblender started a forensic investigation and informed its web host after two customers reported fraudulent transactions made with credit cards used on the website. The malware was detected by the web host in October 2017. Third-party investigators confirmed it in November, and reported that the website was infected sometime in July. Hackers had unauthorized access to customer names, addresses, phone numbers, emails and credit or debit card information.

“The forensic investigator then began efforts to determine when the malware was placed on the website,” Beautyblender says. “Unfortunately, due to the lack of backups of the website that were available from the website hosting company, beautyblender has been unable to confirm the date that the malware was placed on the website.”

The company had last backed up its data in April 2015, leaving it extremely vulnerable. Not only were its customers exposed to data theft and fraud, but Beautyblender can’t rebuild data that consisted of years of valuable business information. Failure to keep regular, multiple backups is one of the most common mistakes companies make, because in case of natural disasters, system failure or cyberattacks, the company could face permanent data loss.

In the notification email sent to customers, Beautyblender confirms the infected code has been removed from the website, but thorough monitoring of credit card statements is still recommended.

“We have removed the infected code that led to the vulnerability and implemented additional security measures to reduce the likelihood of a similar incident from happening in the future,” reads the email signed by Catherine Bailey, President and COO. “We are providing notice of this incident to those who may have been impacted so that they can take steps to prevent against possible fraud, should they feel it is necessary to do so. We will also notify any required state regulators and the credit reporting agencies about this incident.”

The company has not made a public statement.

Bitcoin loses ground; hackers opt for other encrypted digital currencies

Bitcoin’s popularity is waning as alternatives such as Stellar, ZCash or monero climb the cybercriminals’ preferred list. Hackers are switching to other cryptocurrencies that law enforcement may be less familiar with, so the chances of detecting crime- or money-laundering-related transactions decrease. ZCash and monero, for example, allegedly bring better encryption and privacy features to the table.

“The two most well-known cryptocurrencies are considered too expensive for most new entrants. Despite being able to purchase a fraction of each, there is a real psychological barrier around owning something in its entirety,” Dave Chapman, managing director at trading house Octagon Strategy, told CNBC.

Of a cryptocurrency market with a total value of more than $750 billion, bitcoin accounts for 36 percent, leaving plenty of room for others like litecoin, ethereum, ripple, dash and monero to grow in market capitalization. Bitcoin’s market share dropped from last month’s 56 percent, while ethereum’s share has tripled.

“With the Ethereum blockchain reaching 1 million transactions per day, and both Ethereum and other blockchain projects frequently reaching their full transaction capacity, the need for scaling progress is becoming more and more clear and urgent,” announced ethereum founder Vitalik Buterin.

As a result, “two experimental subsidy schemes” will be started to “tie into and improve Ethereum’s scalability.”

Even Dogecoin, a new cryptocurrency created as a joke, has grown in popularity, reaching a market cap of over $1 billion in January.

According to Bloomberg, analytic firms are paying more attention to transactions and are improving techniques to detect illicit activity and transactions.

“The altcoins today, in large part, are not trying to be bitcoin competitors,” said Lex Sokolin, global director of fintech strategy at Autonomous Research LLP in London. “They are doing something else entirely — ethereum as a smart-contracts platform, iota as a machine-economy token, ripple for interbank payments, and so on.” Their use “should become increasingly relevant as the novelty of crypto wears off.”

DHS breach exposes data of almost 247,000 employees, subjects, witnesses, complainants

Philip Kaplan, chief privacy officer of the US Department of Homeland Security, has confirmed in a statement that a 2014 security breach exposed personally identifiable information of more than 240,000 people who worked for the department in the previous 12 years, as well as subjects, witnesses and complainants in investigations.

An unauthorized copy of the database was found during a criminal investigation on the home server of a former employee.

“From May through November 2017, DHS conducted a thorough privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals, and comprehensive technical evaluations of the data elements exposed,” reads the press release.

“These steps required close collaboration with law enforcement investigating bodies to ensure the investigation was not compromised.”

Although the data was leaked in 2014, the leak was detected in May 2017 and reported by media outlets in November. A number of DHS employees have been informed via email that their personal data may have been exposed, including Social Security Numbers, dates of birth, addresses, phone numbers, positions, grades, and duty stations. The leaked database contained no information about family members.

“This message is to inform you of a privacy incident involving a database used by the Department of Homeland Security’s (DHS) Office of the Inspector General (OIG),” wrote the Office of the Inspector General (OIG).

“You may have been impacted by this privacy incident if you were employed by DHS in 2014, or if you were associated with a DHS OIG investigation from 2002 through 2014.”

DHS will take further precautions to strengthen its security system. People affected will receive free identity protection services for 18 months.

“The privacy incident did not stem from a cyber-attack by external actors, and the evidence indicates that affected individuals’ personal information was not the primary target of the unauthorized transfer of data.”

According to the New York Times reporting in November, the inside job was run by three employees who had stolen the computer system in order to alter the software used in investigations and then sell it to other offices in the federal government.

The IRS, the NSA and other agencies have also dealt with similar privacy incidents in the past.

Iranian officials suspend Telegram for ‘encouraging hateful conduct’; Trump reacts

In an attempt to quell mass protests across the country, Iranian officials have since Dec. 31 blocked access to Telegram, an application that activists use to arrange anti-government rallies because of its end-to-end encryption functionality.

“Iranian authorities are blocking access to Telegram for the majority of Iranians after our public refusal to shut down … peacefully protesting channels,” Telegram CEO Pavel Durov wrote on Twitter.

Iranian officials claim the situation is only temporary and that Telegram was suspended because it was “encouraging hateful conduct, use of Molotov cocktails, armed uprising, and social unrest,” Mohammad-Javad Azari Jahromi, Iran’s Minister of Information and Communications Technology, tweeted on Saturday.

“The rumors about the permanent closure of the social networks do not correspond to the reality. It seems that they seek to create social discontent and pessimism,” the minister wrote on his Twitter account, according to Tehran Times.

US President Donald Trump commented on Twitter that Iran “closed down the internet so that peaceful demonstrators cannot communicate. Not good!”

“Big protests in Iran. The people are finally wise as to how their money and wealth is being stolen and squandered on terrorism,” Trump wrote. “Looks like they will not take it any longer. The USA is watching very closely for human rights violations!”

Following an increase in internet censorship in recent years and the implementation of content control software, Facebook and Twitter have been blocked since 2009, and access is now restricted for YouTube and most of the top 500 websites as well. Despite Iran’s aggressive censorship, people have found ways to reach the restricted websites. For example, Iranian President Hassan Rouhani has a Facebook account. The number of Tor users has also increased to 10,000.

With over 40 million accounts in Iran alone, Telegram has been repeatedly criticized by US and European governments, which demanded access to user data to intercept communication between terrorists.

‘starwars’ joins the top 100 worst passwords list in 2017

2017 will be remembered for some of the worst hacks and data leaks. Equifax, WannaCry, Goldeneye and Uber’s concealment of the leak of 57 million user records have apparently taught the average internet user nothing about security. Users still haven’t understood the importance of strong unique passwords, password management provider SplashData concluded after analyzing over 5 million leaked credentials.

According to the company’s list of the 100 worst passwords of 2017, ‘123456’ and ‘password’ are still the most used passwords. Amid intense promotion of the Star Wars movies this year, ‘starwars’ has made the list as one of the most used passwords in 2017.

“Unfortunately, while the newest episode may be a fantastic addition to the Star Wars franchise, ‘starwars’ is a dangerous password to use,” said Morgan Slain, CEO of SplashData, Inc. “Hackers are using common terms from pop culture and sports to break into accounts online because they know many people are using those easy-to-remember words.”

Other passwords include sports terms such as ‘baseball,’ ‘football,’ ‘Lakers,’ ‘jordan23,’ car brands such as ‘ferrari’ and ‘corvette,’ and words such as ‘welcome,’ ‘monkey,’ ‘cheese,’ and ‘trustno1.’ According to the list, many users choose first names as passwords, including ‘Robert,’ ‘Joshua,’ ‘Maggie’ and ‘Phoenix.’

“Hackers know your tricks, and merely tweaking an easily guessable password does not make it secure,” says Slain. “Our hope is that our Worst Passwords of the Year list will cause people to take steps to protect themselves online.”

With some users thinking that replacing the letter ‘o’ with the number ‘0’ makes an insecure password safe, 2017 ends on a sad note for computer security. Users still lack interest in online security and protecting their data from identity theft.
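To illustrate Slain’s point that merely tweaking a guessable word does not make it secure, here is an added example (not SplashData’s own tooling) of a denylist check that undoes such tweaks before matching; the list embedded in it is a constructed sample of the entries named above, not the full 100-entry list.

```python
"""Password denylist check that undoes the common "tweaks" the article
describes (leet substitutions, appended digits or symbols) before matching.

Added example, not SplashData's own tooling. WORST_PASSWORDS is a
constructed sample of entries the article names, not the full list."""
from __future__ import annotations
import re

# Constructed sample of the article's named entries (lower-cased).
WORST_PASSWORDS = frozenset({
    "123456", "password", "starwars", "baseball", "football", "lakers",
    "jordan23", "ferrari", "corvette", "welcome", "monkey", "cheese",
    "trustno1", "robert", "joshua", "maggie", "phoenix",
})

# Substitutions users apply to "strengthen" a word. '1' is ambiguous
# ('i' or 'l'), so two tables are tried.
_BASE = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t",
         "@": "a", "$": "s", "!": "i"}
LEET_TABLES = (
    str.maketrans({**_BASE, "1": "i"}),
    str.maketrans({**_BASE, "1": "l"}),
)

# Trailing run of digits, punctuation or underscores ('starwars2017!').
_SUFFIX = re.compile(r"[\d\W_]+$")


def candidate_forms(password: str) -> set[str]:
    """Return the lower-cased password plus the base words a wordlist
    rule set would recover from it."""
    lowered = password.lower()
    bases = {lowered, _SUFFIX.sub("", lowered)}
    forms = set(bases)
    for base in bases:
        for table in LEET_TABLES:
            forms.add(base.translate(table))
    return {f for f in forms if f}


def is_denylisted(password: str, denylist=WORST_PASSWORDS) -> bool:
    """True if the password, or any base word it was tweaked from,
    appears in the denylist."""
    return any(form in denylist for form in candidate_forms(password))


if __name__ == "__main__":
    for pw in ("Starwars2017!", "passw0rd", "f00tba11", "Tr0ub4dor&3"):
        print(f"{pw!r}: {'rejected' if is_denylisted(pw) else 'accepted'}")
```

A real deployment would load the full breached-password corpus rather than this sample, but the normalization step is what catches ‘passw0rd’ and ‘Starwars2017!’ that a plain string match misses.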

Nissan Canada Finance waits 10 days to inform 1.13 million customers of data breach

Nissan Canada Finance was breached, and the personal information of 1.13 million customers in Canada may have been leaked, possibly including customer name, address, vehicle make and model, vehicle identification number (VIN), credit score, loan amount and monthly payment, reads a company statement released on Thursday.

The automaker waited 10 days before announcing it had fallen victim to a cyberattack. On Dec. 11, it detected the breach that “may have involved unauthorized person(s) gaining access to the personal information of some customers that have financed their vehicles through Nissan Canada Finance and INFINITI Financial Services Canada.”

For now, the company is investigating the breach and has reached out to Canadian privacy regulators, law enforcement and data security specialists for help. An exact number of affected customers has not been released, but all customers are being contacted as a precaution. It is believed customers outside of Canada were not affected. Nissan Canada Finance assures customers that neither payment card information nor other personal banking details were leaked.

“We sincerely apologize to the customers whose personal information may have been illegally accessed and for any frustration or inconvenience that this may cause,” said company president Alain Ballu. “We are focused on supporting our customers and ensuring the security of our systems.”

As hackers may attempt to exploit the stolen information for illicit purposes, Nissan Canada Finance said affected customers will receive free credit monitoring for one year through TransUnion.