Author Archives: Sandhya Chauhan

Cybersecurity Audit Discovered Vulnerabilities in U.S. Ballistic Missile Defense Systems





A US DOD cybersecurity audit of US missile defense systems outlined the failure in the implementation of basic cybersecurity controls like data encryption and multifactor authentication.

The report which was released last Friday, also revealed how officials are employing substandard cybersecurity practices to fortify the United States' ballistic missile defense systems (BMDS). 

The findings were compiled in the report after DOD IG investigators inspected five places where BMDS ballistic missiles were stationed by the Missile Defense Agency (MDA). BMDS is a DOD program made with an objective to protect US territories by launching ballistic missiles to intercept incoming nuclear rockets.

The audit deduced that the networks and systems that store, process and transmit BMDS technical information were not protected by the US Army, Navy, and MDA. The information that was left unfortified by the US officials is of highly sensitive nature and could have been exploited to incite security threats.

"The disclosure of technical details could allow U.S. adversaries to circumvent BMDS capabilities, leaving the United States vulnerable to deadly missile attacks." the heavily redacted report reads.
 
“Inadequate security controls that result in unauthorized access to or disclosure of BMDS technical information may allow U.S. adversaries to circumvent BMDS capabilities, leaving the United States vulnerable to missile attacks that threaten the safety of U.S. citizens and critical infrastructure,” 

"Although the [redacted] did not require data stored on removable media to be encrypted, system owners and Information System Security Officers have a responsibility to implement and enforce Federal and DoD cybersecurity policies and procedures for encrypting data stored on removable media. In May 2018, the [redacted] directed [redacted] to begin encrypting data stored on removable media using Federal Information Processing Standard 140-2 certified methods by October 9, 2018, as a condition to operate on the [redacted]." stated the DoD report. 

Along with the computer and data security issues, the presence of physical security issues was also noted. Officials discovered mismanagement at data center managers at BMDS facilities, they found instances of server racks not being locked.

“The National Security Agency publishes capabilities packages that provide architecture and configuration requirements that allow organizations to implement secure solutions to protect data at rest using commercial off-the-shelf products,” states the report.

Unfortunately, the draft report attracted no response from Chief Information Officers of various facilities. Now, the Director, Commanding General, Commander, and Chief Information Officers are asked by the Inspector General's office to comment on the findings of the final report latest by 8th of January, 2019. 

The last decade witnessed a dramatic rise in cyber attacks both in terms of variety as well as quantity and global IT infrastructures are recorded to be the most preferable preys of the attackers.


Samsung fixed three vulnerabilities that allowed hackers to take control of users’ accounts.



A Cross-Site Request Forgery (CSRF) vulnerability in Samsung's account management system has been taken care of by the company. The vulnerability which was identified by Artem Moskowsky, a Ukrainian bug bounty hunter, allowed hackers to take over any Samsung account by exploiting the users' gullibility and make them access an infected link.

What is CSRF?  

The vulnerability is classified as a CSRF as it allows fraudsters to manipulate user consciousness and make hidden commands operational on other websites the users are currently logged into while they are browsing the hacker's site.

Notably, three CSRF issues were found in Samsung's account management system.
While the first one allowed a hacker to make alterations in the profile details, the second one led them to disable two-factor authentication (in case of being enabled) and the last and the most disastrous one permitted attackers to change an account's security question and answer.

Once exploited, the vulnerability could have been misused by the hackers to log into the victim's account by creating a new password via password recovery. 

That further would have allowed the attacker to exercise authority over the user's inter-connected smart devices, access to personal notes, health-related data and to keep an eye on the victim's movements through the feature ’Find My Device'. 

There's no clarity on whether the vulnerabilities were taken advantage of or not. Meanwhile, for the discovery of the three aforementioned vulnerabilities, Samsung rewarded $13,300 to the security researcher. 

Google+ hit by second bug, exposes data of 52 million users


Google has announced that it would now shut down the consumer version of Google+ from April 2019 instead of the initial deadline of August 2019. The decision came in the wake of another massive data breach which compromised the data of 52.5 million users.
The data that was configured to stay on private was exposed to developers of apps requesting permission to access the user data; it entailed information such as names, email addresses, gender and age of the customers.
It is reported as to be an additional bug in the Google+ People application programming interface (API) that triggered the data exploit, Google identified the vulnerability and rectified it by 13th November which means that the illicit data exposure lasted for a total of six days.
Though Google confirmed that no evidence of data being misused or being compromised by a third party was found, it still is advancing the shutting down of the service from the month of April 2019 itself. In addition to that, the access to Google+ APIs will be cut off in 90 days.
Google has no evidence, "that the app developers that inadvertently had this access for six days were aware of it or misused it in any way"  is how David Thacker, VP of Product Management for G Suite puts it.
"Our testing revealed that a Google+ API was not operating as intended. We fixed the bug promptly and began an investigation into the issue," David mentioned in a blog post. "We have begun the process of notifying consumer users and enterprise customers that were impacted by this bug. ... We want to give users ample opportunity to transition off of consumer Google+. "
The vulnerability did not expose passwords and more sensitive user information pertaining to financial and social security matters but some profile data exchanged privately between users that weren't supposed to be the in public domain was put to risk.
"Issues like these, which have direct security implications, reflect the world we live in today with agile development. The whole goal is to get the code and features out to customers faster, but with that comes the risk of exposure and introducing something like this." says David Kennedy, CEO of the penetration testing and incident response consultancy TrustedSec.

Google, at its best, is notifying the users about the breach and is trying to configure a mechanism that could barricade other apps from illegitimately drawing their user data for nefarious gains. 

UPI apps hijacked, victims lost ₹12 lakh



In Kerala, the bank accounts of at least three customers were wiped clean wherein the sum that was lost totaled around ₹12 lakh.

All the three victims used a United Payments Interface (UPI) smartphone application for "account to account" electronic cash transfer and this element of commonality account for the roots of the fraud.

Referenced from the statements ISP, chief, Kerala Police Cyberdome, Manoj Abraham gave to The Hindu; the fraud was “ingenious”. The fraudsters have attacked the accounts in an elaborate and technically advanced manner.

What transpired?

The hijackers, in order to execute the fraud, downloaded the UPI application on their smartphones and then configured the phishing messages to appear to be coming from the bank.

Once the application was successfully installed, the con men advanced towards the activation of the UPI app on their mobile via the account details and phone numbers of the victims. 

Then the “hijacked app” was exploited to smoothly extract the money out of the accounts of the victims who were oblivious to the attack.  

However, the pattern they resorted to while deciding their potential targets remains to be in question.
The hijackers manipulated their targets just enough to acquire their bank IDs, OTPs, card numbers, and passwords.

According to the police, the con men moved the money from the owners’ accounts to some of their own accounts based in rural Jharkhand.

The mobile numbers that were used to carry out the fraud had been traced by The Cyberdome.
“We have their numbers, not their real-world identity. Officers in Jharkhand are on their scent,” an investigator commented.

Investigators noted that some payment applications which smoothens the process of account to account transfer didn’t always alert customers of the digital transactions.

Preventive measures

Reserve Bank of India (RBI) has been approached via a written complaint by the police and UPI services are urged to strengthen the security, they were requested to use more anti-fraud protections like two-way passcode authentication.


Quora Reports Data Breach, 100 Million Users Affected




The knowledge sharing platform, Quora announced on Monday that its users fall prey to an unauthorized access as hackers may have stolen account information of around 100 million Quora users.
The information which was compromised in the data breach includes email addresses, private direct messages, encrypted passwords, imported data from other linked networking sites and the questions and answers that were written on the platform by Quorans. The Q&A website said that the information pertaining to the users’ location and contacts was also being compromised.  
"The overwhelming majority of the content accessed was already public on Quora, but the compromise of account and other private information is serious,"  Quora CEO, Adam D'Angelo, wrote in an associated blog post. Meanwhile, he noted, the questions and answers that were posted anonymously were spared by the massive data breach; anonymous content remained unaffected.
The website which was founded by two former Facebook employees, D’Angelo and Charlie Cheever, said that it is engaged with security experts and law enforcement officials to probe into the matter and devise effective solutions. Notably, additional preventive measures have been taken by the company to strengthen the security and retain the trust that is invested by millions of users across the globe.
Aside from that, the company said that it is logging out all of its affected users in order to prevent further injury. Additionally, victims have been notified timely via an email, they are advised to not continue with the initial passwords and set up a new one.
"It is our responsibility to make sure things like this don't happen, and we failed to meet that responsibility. We recognize that in order to maintain user trust, we need to work very hard to make sure this does not happen again," said D'Angelo, gracefully acknowledging his duties, in the blog. 

Hackers are Still Using NSA Leaks to Attack Unpatched Systems




A year ago, NSA’s most competent hacking tools were abused by the attackers, and though, patches were released to keep the exploit in check, hundreds of thousands of systems were still left unarmed against the attacks. 

Now, the vulnerable configurations of the computers are taken advantage of by the hackers. As per the reports, hackers, equipped with even more advanced methods of attacking, compromised more than 45,000 internet routers.

With NSA’s hacking tools leaked online, it was quite evident that the agency has cemented its place in the arena of developing intelligent hacking tools which can be the detective for all kinds of networked hardware across the globe. 

However, there’s something else that came along with the leak  the advantage that hackers could take and needless to say, they did.

Initially, hackers exploited the vulnerabilities to spread ransomware followed by cryptocurrency mining attacks. Now, researchers suggest that the leaked tools are used by hackers to create an even bigger malicious proxy network.

Cloud service provider, Akamai Technologies evinced that the first spotted UPnProxy vulnerability, which threatened the common Universal Plug and Play network protocol, can now attack unpatched systems behind the router’s firewall.

Referenced from the findings of Akamai on the subject, out of 277,000 vulnerable systems, around 45,000 have already been attacked.

Out of 3.5 million devices that were examined, approximately 80% cent carry a vulnerable version of UPnP, said Akamai.

The hack exposes ports 139 and 445 which open up around 2 million PCs, smartphones, speakers, tabs, robot vacuum cleaners and various other devices linked to the aforementioned routers.

"Victims of this attack will be at the mercy of the attackers, because they'll have machines existing on the internet that were previously segmented, and they'll have no idea this is happening," Akamai mentioned. "Moreover, machines within the network that had a low priority when it came to patches will become easy pickings.”

Now the question which arises is what happens to the infected devices? Well, that is for us to speculate. A first healthy step would be to update your router firmware.

Meanwhile, victims can also try doing a factory reset. However, those who reckon that disabling UPnP is the quick-fix, Seaman argues, “it’s the equivalent of plugging the hole in the boat, but it does nothing to address the water that has made it into your sinking ship.”



Dell Urges Customers to Reset Passwords Following a Potential Data Breach



American multinational computer technology, Dell, on Wednesday, detected and prevented a data breach attempt. 

The company announced that hackers infiltrated its network and tried to steal their customers' personal information which included the names, email addresses and hashed passwords.

The company said that the perpetrators somehow got hold of the information stored on its server; however, it simultaneously expressed a possibility of none being extracted. 

It is on the basis of the initial investigations carried out by the experts, the officials at Dell confirmed that the attackers were not able to obtain any of the information. 

Aside from that, the security experts at Dell drew some relieved conclusions implying that the more sensitive customer data like credit card information were not targeted and the company confirmed the same in a press release statement. 

It said, "These include the hashing of our customers’ passwords and a mandatory Dell.com password reset. Credit card and other sensitive customer information were not targeted. The incident did not impact any Dell products or services."



In an attempt to take appropriate remedial measures, Dell has associated itself with a digital forensics firm to carry out an independent investigation and has also approached legal aids. 

Alongside, in an effort to minimize the potential threat, the Texas-based company has requested its users to change their passwords and also reset it for other accounts if it's the same. 

On being enquired about the number of customers that were affected by the breach, Dell rationally denied to actualize the statistics and justified its denial in a statement it gave to Digital Trends, it said “Since this is a voluntary disclosure, and there is no conclusive evidence that customer account information was extracted, it would not be prudent to publish potential numbers when there may be none.”

Uber Fined Over £900,000 for 2016 Data Breach



Data regulation authorities in the UK and the Netherlands on Tuesday fined ride-hailing service Uber Technologies Inc for failing to protect its users' data during a 2016 hack attack which affected over 50 million of Uber users across the globe. 

Labeling the incident as a “series of avoidable data security flaws” which invited hackers to obtain the sensitive information, the Information Commissioner’s Office (ICO) imposed a fine of £385,000 ($490,759.50) on the enterprise. On the other hand, the Dutch Data Protection Authority penalized the firm with a fine of €600,000 ($678,780.00). 

The breach which affected 174,000 people in the Netherlands and 2.7 million people in the UK in 2016 was reportedly kept a secret until 2017. 

Instead of immediately informing the regulators about the attack and the customers about their data being compromised, reports say that Uber paid the attackers to destroy the hacked information. 

ICO Imposed Fines on Uber

Steve Eckersley, ICO Director of Investigations corroborated the reported account in a statement, he said, “This was not only a serious failure of data security on Uber’s part but a complete disregard for the customers and drivers whose personal information was stolen. At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.”

“Paying the attackers and then keeping quiet about it afterward was not, in our view, an appropriate response to the cyber attack.”


Uber's take 

Referenced from an Uber Spokesperson's response, "We're pleased to close this chapter on the data incident from 2016. As we shared with European authorities during their investigations, we've made a number of technical improvements to the security of our systems both in the immediate wake of the incident as well as in the years since.

"We've also made significant changes in leadership to ensure proper transparency with regulators and customers moving forward. Earlier this year we hired our first chief privacy officer, data protection officer, and a new chief trust and security officer. We learn from our mistakes and continue our commitment to earn the trust of our users every day."

$63 Billion Deleted From Crypto in 7 Days, Ethereum Drops Under $100


The past week saw a lot of movement in the crypto market as Ripple, capitalizing on its financial institution's flexibility in terms of acceptance continued to make headlines overhauling all other cryptocurrencies every now and then to secure a bronze tier and the most powerful cryptocurrencies — Bitcoin and Ethereum, including others, experienced a steep double-digit fall. 

The entire market recorded a drop of more than $63 billion as the price of BTC declined to $3,456 on fiat-to-cryptocurrency exchanges like Coinbase and Kraken.

While, Bitcoin (BTC), the currency which rules the roost, dropped by 12 percent (from $4.300 to $3,800) setting a new yearly low, Ethereum (ETH) fall to $98. However, it’s currently exhibiting a daily volume which outperforms Ripple (XRP) and Bitcoin Cash (BCH) combined at $2.2 billion.

Charting the performances — Bitcoin at $3,456 and Ethereum at $98, reveals an oscillator that has reached a low extreme. Though the recovery has been rough for all the digital assets, BTC recovered comparatively faster from a low of $3,400 to a recovered high of $3,700 within few hours.

Initially, the price of BTC declined to $4,000, in the wake of which a lot of investors predicted a possibility of further fall below the mark of $4,000 given that at $4,000, BTC was experiencing a drop which is 79% low from its all-time high.

As soon as the BTC’s expected drop came into sight, investors and traders got a comfort zone to find a short-term bottom in the BTC’s price trend.

To exemplify, here’s what Alex Krüger, a cryptocurrency trader and economist, said -

“Think that was it. Impossible to know if a bottom is a short or long-term bottom. Possible to sense once a major bottom may be in by looking at high-frequency price bars and volume i.e. when the elastic is ready to snap back. If it swings 15-30% off the lows, that’s a major bottom in % terms.”

Meanwhile, Hsaka, a technical analyst, was recorded to be bent towards the opinion that it’s too early to call a short-term bottom for Ethereum. He took into consideration the steeper fall Ethereum underwent in comparison to BTC.

“Really stumped here. That wick could be chalked up to cascading liquidations and thin books. Looking for a HL on any retrace to confirm a daily bottom,” said Hsaka.



Over 6,500 Sites Down as Hackers Wiped Out Database





Daniel's Hosting, one of the most popular and largest hosting services providers for the 'Dark Web' Tor network was heavily targeted by cybercriminals, the hack attack wiped the server clean of 6,500 websites. Though the attack and the statistics have been confirmed by the service, the administrator still does not know where the vulnerability exactly is. 

Apparently, the websites have been forced to go offline but there's more to the injury. 

Acknowledging the hack attack, Daniel Winzen who is a German software developer and the hosting administrator stated on the hosting provider's website that the attack was instigated on Thursday i.e., 15th of November which is a day after a PHP zero-day exploit was leaked. 
  
Referenced from Winzen's writings, “The account “root” has been deleted,” 

“To this day around 6500 Hidden Services were hosted on the server and there is no way to recover from this breach, all data is gone.”

“I might re-enable the service once the vulnerability has been found, but right now I first need to find it,” said Winzen having ambiguous thoughts on the 'type' of vulnerability. 

According to him, the attackers worked their way to gain root access via phpMyAdmin and subsequently had all the data erased from the server. 

Quite oddly, Winzen noted that the attackers somehow did not get access to the full system. 

Putting that into perspective, he explained, "Other than the root account, no accounts unrelated to the hosting were touched and unrelated files in /home/ weren’t touched either. As of now, there is no indication of further system access and I would classify this as a “database only” breach, with no direct access to the system. From the logs, it is evident that both, adminer and phpmyadmin have been used to run queries on the database." 

As the culprit remains to be unidentified along with the reason why Daniel's Hosting was particularly targeted, Winzen quite reasonably is seeking IT security researchers and ethical hackers to get him through the crisis by identifying the vulnerability. 

Microsoft PowerPoint Susceptible to Malware Attacks



In the nefarious domain of malware attacks, researcher Marco Ramilli has discovered a slight glitch which can exploit Microsoft Office tools, specifically, the Excel, Word, and PowerPoint for malware attacks.
The feature exploit can possibly lead to malware drops and repeated cyber attacks including Phishing. MS office becomes an easy prey due to its rising ranks of popularity among digital enthusiasts.
Sharing a striking resemblance to phishing, the execution of the attack involves the malicious file directing the victim to a link having the payload.
While the technical details of the exploit have been elucidated by the researcher in his blog post, here is a summarized step by step execution of the same.
As the attack unfolds, the infected file in its execution falsely appears to have a blank page, but stealthily secures a connection to a malicious link which is the first stage of the attack. 
In the second stage, the researcher examined the slide structure and an external OLEobject caught his eye which he further analyzed to conclude that the target device was already infected by the file downloaded on the system, i.e., wraeop.sct.

Moving further towards the stage 3 of the attack, it witnesses the utilization of an internal image to execute additional code which then leads to the final stage i.e., the payload execution.

After detailed traffic analysis, Ramilli has drawn conclusions suspecting the malware to be AzoRult.  


MS Office exploits: not a bizarre discovery


In the past year, cybercriminals ran a massive malware campaign which involved malicious PowerPoint email attachments. Therefore, one can easily conclude that the present discovery though peculiar lacks novelty as the exploit for dropping malware is not the first of its kind. 

However, these findings need to be treated with consideration as Ramilli cautioned us that we, the MS office users are susceptible to the attack at the moment. Potentially speaking, the exploit can lead to an eruption of cyber attacks if preventive measures are not timely devised.

 “Microsoft should probably take care of this and try to filter or to ask permissions before include external contents, but still this will not be a complete solution (on my personal point of view). A more deep and invasive action would be needed to check the remote content.” Ramilla said in his blog post.


Virologist Tricked for Virus Attack on Debit Card, Loses Over Rs 1 Lakh


Debit card attacks made headlines again as a veteran virologist fall prey to one losing a sum of Rs 1,08,988 from his Citibank account. It was a week ago, the victim who was tricked over a call sought cybercrime police to file a complaint and an investigation was instigated, it was done as part of the bank’s probe into the cheating. 

Referenced from the police statements, the fraudster identified himself as a staffer with the associated Citibank by the name of Rajkumar Verma. He proceeded to say, “Your debit card attacked by a virus,” and had the Banglore based doctor fooled and consequently convinced after providing some personal details of the mildly popular octogenarian in the city. In the sphere of pathology, the doctor has an international participation in various top medical forums. 

Reportedly, the attacker alarmed the doctor by saying that his bank card was vulnerable and could be attacked by a virus and hence needs urgent fixing in order to ensure safety against fraudsters. 
Falling for the trap, an alarmed doctor let his guard down and gave away his card details along with the OTPs that followed and the vishing scam got successfully executed as attacker made multiple transactions from his Citibank account. 

The realization of the fraud hit the doctor a bit too late to avoid. By the time he fully discerned the fact that he has been subjected to a fraud, the money was gone. 

Commenting on the matter, Na. Vijayashankar, a cyber-security consultant said, “Banks should be held completely responsible in such cases,” he implied that the systems and mechanisms used by the banks to manage digital technology are insecure. He also said, “One needs to question how a fraudster obtained confidential details of the customer, which the fraudster used to target him.” 

According to him, mainly it's the victim who is blamed and labeled ignorant and banks shy away from taking the responsibilities and owning up to security flaws. 


Authentication Flaw in DJI Drone Web App Let Attackers Gain Control


Researchers have found a critical authentication flaw in the DJI drone web app which poses a serious threat to the security of business giants and to the solo clan as well. Once exploited, the vulnerabilities discovered were reported to trigger remote hacks gaining access to DJI's web store, synced cloud server data, and FlightHub
Security Vulnerability Found in the DJI Drone Web App

As discovered by the researchers at Check Point Research, a critical authentication flaw has existed in the DJI drone web app which when exploited allowed attackers to access targeted user’s DJI account without any alarm going off.

The security vulnerability was nestled in the authentication process of DJI which allowed the attacker to sneak around protections and get access to the victim’s account in the manner as follows – referenced from Check Point Reports
DJI uses a cookie that the attacker can obtain to identify a user and create tokens, or tickets, to access their platforms. Through the use of this cookie, an attacker is able to simply hijack any user's account and take complete control over any of the user's DJI Mobile Apps, Web Account or DJI FlightHub account."
How the exploit unfolds?

To set the execution of the attack in motion is far from a complex mechanism, simply clicking on an infectious link that the attacker publishes on the DJI forum will have your account held hostage. 

The attack type is known to be a cross-site scripting attack which provides unethical access to the victim’s account from where the attackers can sneak sensitive data such as multimedia captured by the drone, its flight logs, camera view, profile information, and live map.


DJI’s take on the security crisis

A DJI which has battled with security issues lately, this time welcomed the findings by the researchers with open arms as DJI's Mario Rebello, vice president, and the country manager was recorded saying, "We applaud the expertise Check Point researchers demonstrated through the responsible disclosure of a potentially critical vulnerability,” in a statement. He said, “This is exactly the reason DJI established our bug bounty program in the first place."
Appropriately responding to the findings by the Check Point Reports, DJI acknowledged the escalated risk factor of the bug but also attributed low probability to the flaw easing the concerns of the users. Alongside, they also confirmed that the flaw remained unexploited. 


Hackers Advancing Towards Memory Steal And Spy




The global village that internet is called nestles hacking and various other cyber threats which are notably expanding with the heightened exploitation capabilities of the cybercriminals. Initially, the threats ranged from stealing account data to scams for monetary gains. But with the strengthening of their attack arsenal, cybercriminals may soon be in a configuration to alter or control human memories and it will be made executable by exploiting memory implants to steal, spy on and to gain command over human brain.

In Netflix’s dystopian near-future series, Black Mirror, there’s an episode which revolves around an implanted chip allowing users to record and play whatever they see and hear- the perplexing enigma in the series makes the audience wonder whether the technology is powerful enough to manipulate the human brain or even to fiddle the memories.

Quite similar correlations between the human mind and the technology can be drawn from Michel Gondry’s science fiction,Eternal Sunshine of the Spotless Mind”. However, moving beyond the fiction scene, we have neuroscientists at the Riken-MIT Center for Neural Circuit Genetics at the Massachusetts Institute of Technology (MIT) who almost five years ago demonstrated how they could plant deceptive memories in the brain of mice. 

Instinctively, one can conclude the positive applications of the aforementioned demonstration – which is to delete the painful and hurt causing memories but as that’s just a side of this coin, the fraudsters could exploit the terrific technology to brainwash an entire population by implanting misleading and vicious memories.

Referenced from a report by Kaspersky Lab researchers and the University of Oxford Functional Neurosurgery Group - though, the most radical of all threats may be several decades away, the fundamental technical requirements already exist disguised as implantable deep brain stimulation devices.
The research categorizes the ability of cybercriminals to exploit memory implants as a growing concern with the advancements in the technological sphere; it joined the ‘coming soon’ list along with the robotic prosthetic limbs, motorized wheelchairs, and digital avatars.

Addressing the vulnerabilities and the potential threats that lie ahead the detailed study of memory implant and the intricacies of human memories - its creation and restoration is deemed essential by the scientists involved in the research. Against the vulnerabilities in the hardware and the software, they cautioned, “these need to be addressed if we are to be ready for the threats that lie ahead”. They further added, “Manipulation could result in changed settings causing pain, paralysis or the theft of private and confidential personal data,”
Experts take on memory falsification
The disorders associated with the implantable devices are ‘Parkinson’s diseases’, ‘obsessive-compulsive disorder’, ‘major depression’ and ‘essential tremor’. They are triggered by electrical impulses sent to the specific targets in the brain.  
“Current vulnerabilities matter because the technology that exists today is the foundation for what will exist in the future”, said Dimitry Galoy, a junior security researcher at Kaspersky Lab.
“Memory prostheses are only a question of time. Collaborating to understand and address emerging risks and vulnerabilities, and doing so while this technology is still relatively new, will pay off in the future”, corroborated Laurie Pycroft, a doctoral researcher at the University of Oxford Functional Neurosurgery Group.
According to the researchers and the scientists, in five years from now, it is expected that they will be technologically and cognitively equipped to record the brain signals which build memories and then rewrite them before placing them back into the brain. The advancements will allow for extensive control over memories, the extent of which goes as farther as uploading a human mind into a machine with all the necessary consents.
However, the vulnerabilities that will emerge and consequently be exploited by hackers not only minimize the beauty of this terrific technology but also inflate the concerns.

.



HSBC Online Banking Customers’ Data Compromised: Confirms the Bank



HSBC Bank USA, an American subsidiary of UK based HSBC has partially confirmed that the perpetrators may have made off with personal information – names, addresses, and DOBs along with the more sensitive information like the account numbers, transaction histories, payee details and balances of thousands of its online banking customers.

In the paperwork [PDF] HSBC submitted to the California Attorney General's office, it says that it came to know about the unauthorized access between October 4 and 14. Refraining from providing the exact number of online accounts affected by the hack, the bank summarized the attack statistics as follows, “less than 1 percent” of its U.S. customers.

Given the bank’s U.S. client base which estimates around 1.2 million customers, 12,000 customers possibly fall prey to the data breach. They had their personal details and bank specifics compromised.

HSBC Bank USA: In Response to the Security Incident

Responding to the incident, HSBC bank USA immediately suspended the online access and strengthened the authentication process, the aforementioned steps ensured that no further damage can be done to the accounts; meanwhile the bank took care of the victimized accounts.

Further preventive measures include, the bank offering a subscription to credit monitoring and identity theft protection services.  

Expressing regret, the bank said, "HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously,"

"We have notified those customers whose accounts may have experienced unauthorized access, and are offering them one year of credit monitoring and identify theft protection service."

"We are reminding our customers to protect access to their banking accounts by regularly changing their passwords, and by using unique passwords they are not using elsewhere, including on any social media accounts," the bank’s spokesperson told The Register.

Preventive Measures

The client base of HSBC is advised to update their passwords and to add additional security measures.
The bank recommended the victimized customers to monitor their account transactions and place fraud alerts on their accounts.