Author Archives: Vibhooti Bhatnagar

Yale alarm app debacle causes chaos, new rules to protect consumers

Web-connected security cameras are among many devices hijacked and use for cyber-attacks. There are many connected devices on the market that lack basic security measures, though, which makes them susceptible to hacking. Poorly secured devices pose a serious threat. They can put our privacy and security at risk and can even be used as part of large-scale cyber-attacks.

A system failure has caused the Yale smart security app to crash and customers have reported that app failures left them powerless to disable or enable alarms. The app aims to stop gadgets being hijacked and used to mount cyber-attacks - and stamp out designs that let cyber-thieves steal data.

On Wednesday, Yale told customers across the United Kingdom on Twitter that "unplanned network maintenance" might cause some customers to "experience connection issues."

The government has launched a new code of practice to ensure that connected products are ‘secure by design’ with security considered in the design process rather than being left as an afterthought. Makers of smart home devices are to be encouraged to make their gadgets secure against hack attacks. Tech companies HP Inc and Centrica Hive are the first to commit to making their products ‘secure by design’.

The UK has published a voluntary code of practice for manufacturers that shows how they can prove their creations against common attacks.

It’s estimated that each household in the UK owns at least 10 internet-connected devices and that there’ll be more than 420m in use across the UK within the next three years. From turning your lighting or heating on remotely to scheduling your coffee maker via an app, the ‘internet of things’ is becoming increasingly mainstream.

While Yale promised that the work would be complete within 24 hours to resolve the issue, this was later followed by a message which indicated the fix would take longer than expected.

WhatsApp booby-trap video call bug fixed

Answering a booby-trapped video call through the WhatsApp messaging service could force the app to crash and close, a security expert has found.

The bug was a “big deal” said researcher Tavis Ormandy, who is part of the team that found it. The bug made answering some video calls risky.

It was found in the messaging service’s apps used on Android and Apple smartphones.

The software loophole was discovered in late August and fixed in early October, said WhatsApp’s owner Facebook.

Natalie Silvanovich, a member of a team Google set up to hunt for vulnerabilities in widely-used software, discovered the WhatsApp weakness.

The problem exposed by Ms Silvanovich resides in the way the phone apps transport video. By changing packets of data used to do this, it was possible to make the app shut down, she discovered.

The web version of WhatsApp uses a different method for moving video, so is not vulnerable to this bug.

Facebook said it reacted “promptly” to fix the issue once it was identified.

“We routinely engage with security researchers from around the world to ensure WhatsApp remains safe and reliable,” it said.

It added that there was no evidence that the bug was widely known in the malicious hacking world or was exploited to attack WhatsApp users.

The messaging app is used by more than 1.2 billion people around the world.

Vulnerability in GitLab leaks confidential data

GitLab – a web-based repository manager – has recently patched a critical flaw in its API that posed a security threat to its services. As disclosed, a GitLab API vulnerability allegedly exposed confidential information on public projects. The glitch appeared in the events API that was leaking data for about a year.

A HackerOne researcher with the alias ngalog discovered the flaw last month. Later, he reported the matter to GitLab. He discovered a bug in the code of the GitLab Event API. (According to GitLab, they have a “track record of great engagements” with this hacker.)

After receiving the alert, GitLab began investigating the matter only to confirm the glitch. The bug reportedly appeared in June 2017, at the time of the release of GitLab 9.3. Further, explaining the impact of this vulnerability, GitLab stated in their disclosure.

“The Events API was introduced with the release of GitLab 9.3, and it enabled users to programmatically access the activity log of projects and users… Unfortunately, a bug was introduced at release time and the API would not honour the private flag of events related to numerous target types that belonged to public projects. As a result, events for said target types were exposed to potentially unauthenticated and unauthorized parties.”

As reported, the bug resulted in the exposure of private information related to projects. This includes private milestones, private merge requests, private snippets, private notes, and confidential issues. The GitLab API vulnerability affected all GitLab versions between 9.3 and 11.3, where the exposure of information happened “only through the API”. After the investigations, GitLab patched the flaw and deployed the hotfix across the GitLab infrastructure by September 24, 2018. Although GitLab did not state the exact impact of this vulnerability, they did confirm that the bug remained unexploited. “Given the wide time window during which the issue was present (more than a year), we are unable to determine with accuracy the extent of the impact… We investigated four months of retained logs, and found no evidence that unauthorized parties accessed any of your private events.”

Malicious apps found on Google Play

Android fans have been put on alert and warned about a password risk involving smartphones using the hugely popular Google mobile OS.

More than 50 malicious apps designed for kids as colouring apps or games found on Google play has no functionality other than displaying interstitial ads that cover the entire device screen.

Mobile security researcher Lukas Stefanko identified the malicious app and reported to Google Security team, now most of the apps have been removed but few are still available to download.

Another set of fake finance apps was found by Antivirus & Internet Security Solutions company ESET South Africa and finance apps.

ESET South Africa said in a statement: "The apps have impersonated six banks from New Zealand, Australia, the United Kingdom, Switzerland and Poland and the Austrian cryptocurrency exchange Bitpanda. Using bogus forms, the malicious fakes phish for credit card details and/or login credentials to the impersonated legitimate services."

Once these malicious apps installed and launched it displays error and hides from user view and continues to run the background.

The malicious fakes were uploaded to Google Play in June 2018 and were installed more than a thousand times before being taken down by Google. The apps were uploaded under different developer names, each using a different guise, however, code similarities suggest the apps are the work of a single attacker. The apps use obfuscation, which might have contributed to their slipping into the store undetected.

Android smartphone users have been put on alert about a risk affecting devices. Android is one of the most used pieces of software in the world, with over two billion devices using the Google mobile OS each and every month. These numbers are only going to be added more with the upcoming release of high-profile Android devices like the Pixel 3, Pixel 3 XL and OnePlus 6T. 

US warns of new hacking spree from China

The US government on Wednesday (October 3) warned that a hacking group widely known as cloudhopper, which Western cybersecurity firms have linked to the Chinese government, has launched attacks on technology service providers in a campaign to steal data from their clients.

The Department of Homeland issued a technical alert for cloudhopper, which it said was engaged in cyber espionage and theft of intellectual property after experts with two prominent US cybersecurity companies warned earlier this week that Chinese hacking activity has surged amid the escalating trade war between Washington and Beijing.

"These cyber threat actors are still active and we strongly encourage our partners in government and industry to work together to defend against this threat," DHS official Christopher Krebs said in a statement.

Chinese authorities have repeatedly denied claims by Western cybersecurity firms that it supports hacking.

Homeland Security released the information to support US companies in responding to attacks by the group, which is targeting information technology, energy, healthcare, communications and manufacturing firms.

The reported increase in Chinese hacking follows what cybersecurity firms have described as a lull in such attacks prompted by a 2015 agreement between Chinese President Xi Jinping and former US President Barrack Obama to curb cyber-enabled economic theft.

“I can tell you now, unfortunately, the Chinese are back,” Dmitri Alperovitch, chief technology officer of U.S. cybersecurity firm CrowdStrike, said Tuesday at a security conference in Washington, D.C.

“We’ve seen a huge pickup in activity over the past year and a half. Nowadays they are the most predominant threat actors we see threatening institutions all over this country and western Europe,” he said.

‘Admin’, ‘password’ and other weak passwords will no longer cut it

Default passwords such as ‘admin’, ‘1234’ and ‘password’ will be illegal for electronics firms to use in California from 2020 as part of a crackdown on cyber attacks. Law has been passed that requires manufacturers to give gadget unique passwords. Manufacturers often use a single password because it is easier for them. However, lots of consumers don't bother to change this password. Now, customers who have gadgets hacked could sue a company as a result.

The move has come as an effort to better protect the residents from falling victim to cyber attacks and set higher security standards for net-connected devices made or sold in the region. Before now, easy-to-guess passwords have helped some cyber-attacks spread more quickly and cause more harm. Net-connected cameras, in the past, have helped attackers stage large-scale attacks.

Default passwords often allow hackers to easily access consumer devices. Now, manufacturers will be required to give each gadget a unique, complex password and 'reasonable' security features.

The Information Privacy: Connected Devices bill requires that all electronics manufacturers equip their devices with “reasonable” security features. This means they can either use unique passwords on their products or include a start-up procedure that forces users to generate their own when setting up their device for the first time.

The bill means that customers who have their gadgets hacked could sue a company if it did not abide by these new changes.

Writing on tech news site the Register Kieren McCarthy said the law was "a step forward" but also a "massive missed opportunity". According to McCarthy, devices that can not be updated are just as big of a problem as poor passwords and California should have included a clause that required manufacturers to make their devices updatable so that they could be passed following a cyber attack.

Mozilla’s Firefox Monitor will now tell when your email was hacked

Mozilla has finally launched Firefox Monitor, a website that connects to the TroyHun’s Have I Been Pwned? (HIBP), one of the biggest breach notification databases which can be used to check in an email address for known breaches or also can be used to register for a breach notification so that if the address is detected in the future breaches are logged by HIBP.

Earlier this year, Mozilla announced Firefox Monitor, a service that tells you if your online accounts were hacked in a recent data breach. All you have to give it is your email address and it’ll use the Have I Been Pwned database to show you if you need to worry and what data was compromised. Mozilla is taking this a step further by also letting you sign up for alerts for when your accounts appear in any (known) breaches in the future.

We often get the massive data breach news where millions of accounts get compromised along with their email addresses and passwords. However, we can never know if our email addresses or any other personal details were a part of that breach or not. It is practically not possible to check for a single email address amongst the millions of email addresses compromised.

There are many advantages of using the Firefox monitor as the connection of HIBP website brand being used in conjunction with the Firefox name will allow them to grow significantly and therefore will also help to promote the breach checking. This, in turn, will help the users of HIBP as the increased notifications from many users will increase the chances of the major advanced breach detection as it helps the users know before even the company knows that it has been breached.

When it first launched, Mozilla considered Firefox Monitor an experimental service. Now, it’s being launched as an official service.

Firefox bug crashes browser

Last week, a security researcher pointed out how a CSS-based attack could crash iPhones, iPads, and Mac devices. The same researcher has now come up with another interesting finding. He demonstrates how a new Firefox bug called Browser Reaper crashes a browser allowing for a denial of service. In fact, the same bug can crash Windows PCs as well. Exploit also 'occasionally' freezes entire OS on Windows. But he gave Mozilla short notice of the flaw.

Sabri Haddouche, a software engineer and a security researcher at encrypted instant messaging app Wire, said that the bug resides in the Firefox API that prompts automatic download and it can cause Firefox to crash on all major desktop operating systems - Mac, Linux and Windows.

Haddouche created the proof-of-concept (POC) exploit and published it this week on GitHub. Haddouche previously created and released several denial-of-service POCs that cause Chrome, Firefox and Safari web browsers to crash or freeze.

As explained, upon clicking a certain web-link abusing the buggy API, the browser may freeze in an attempt to handle the repeated download attempts of a file having an extensively long name. Since Firefox cannot handle downloading files with long names, such as one having more than 26,000 characters which was used in his demonstration, it eventually crashes following a DoS.

In explaining how the exploit works, Haddouche - who has reported the bug to Mozilla - told ZDNet that “What happens is that the script generates a file (a blob) that contains an extremely long filename and prompts the user to download it every one millisecond. It, therefore, floods the IPC (Inter-Process Communication) channel between Firefox’s child and main process, making the browser at the very least freeze.”

This series of exploits is called Browser Reaper, and the latest one for Mozilla works on Firefox versions 62.0.2 and earlier. Haddouche has also created exploits that could crash an iPhone using CSS and HTML.

GrandCrab v5 released with ransom note

A new version of GandCrab ransomware released, as like the previous version it was not distributed through exploit kits. The distribution method of GandCrab v5 is currently unknown.

Gandcrab Ransomware is a widespread ransomware, nowadays it evolves with newly updated features under constant development to target various countries.

GandCrab v5 has been released with a few noticeable changes. The most noticeable changes are that the ransomware now appends a random 5 character extension on the encrypted files and creates HTML ransom note.

Security researcher nao_sec has discovered that the GandCrab v5 ransomware is currently being distributed via malvertising that redirects to sites hosting the Fallout exploit kit. As the exploit kit utilizes vulnerabilities in the visitor's software to install the software, a victim will become infected without knowing about it until they find the encrypted files and ransom note.

Like previous versions, there is no way to decrypt victims of GandCrab v5 for free. For those who wish to discuss this ransom or receive support, you can use our dedicated GandCrab Help & Support topic.

GANDCRAB V5.0 is a severe cryptovirus that belongs to the notorious ransomware family GandCrab. In case of infection with this iteration of the threat, valuable files stored on the computer will be encrypted and marked with an extension of five ransom letters. With the help of a few ransom messages ransomware creators will attempt to blackmail you into paying them a ransom of $2, 400 in DASH or Bitcoin. Your desktop wallpaper will be also changed with instructions provided by hackers.

“When I tested the ransomware it appended the .lntps extension to the encrypted file’s name, for example, test.doc has been encrypted and renamed to test.doc.lntps,” wrote Lawrence Abrams.

Victims could potentially restore encrypted files with the help of alternative data recovery tools. Victims can use Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice. This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Aadhaar face authentication feature put on hold

The telecom department has put Aadhaar-based face authentication on hold and in a letter sent to the UIDAI, the telecom department said that the Supreme Court judgement is pending on petitions challenging issuance of new mobile connections and re-verification through the use of the unique identity.

The Department of Telecom (DoT) in a letter dated September 19, 2018, to the UIDAI CEO said that the judgement on a petition filed in the apex court challenging Aadhaar based e-KYC process is expected to be delivered this month.

The mobile operators sought more time to implement the UIDAI-mandated face authentication feature, citing non-preparedness of biometric device makers.

UIDAI is expected to rollout face recognition feature as an additional mode of authentication for Aadhaar on Saturday, starting with telecom service providers.
" has been decided by the department that the instructions for implementation of face authentication in Aadhaar based e-KYC (know your customer) process including amendments in consumer application form/database formats may be issued by DoT to TSPs after procurement of final judgement on Aadhaar by Hon'ble Supreme Court after comprehensive re-look on the whole Aadhaar based e-KYC process," the letter said.

The UIDAI said the ‘live face photo’ capture and its verification with the photo obtained in eKYC will be essential in those cases where Aadhaar is used for issuance of mobile SIMs. It had proposed a monetary disincentive for telcos found slipping on the prescribed targets.

The Unique Identity Authority of India (UIDAI) in August had directed all telecom service providers (TSPs) to implement double factor authentication in their system using matching of the face of the subscriber as captured in Aadhaar from September 15, 2018, onward.

The operators under the ambit of Apex Advisory Council for Telecom in India (ACT) said that the date of implementation of face authentication should be at least two months from the date that the device ecosystem is ready, and till such time no penalty should be levied.

Malware disguised as job offers targets freelancers

According to a report from the MalwareHunterTeam, hackers are using freelancing web applications such as the Fiverr and Freelancer to distribute malware disguised as job offers which contain attachments that are pretending to be a job description but are actually installing keyloggers such as Agent Tesla or Remote Access Trojan (RATs)in victim files.

For example, an attacker can create a fake job offer with the "my details.doc" attachment and send it to multiple users. As job briefs are commonly sent as attachments, to the targets they look like legitimate job offers. When the victims open the malicious document attached to the job offers, they become infected.

If an attacker wished to gain control of a user’s mobile device they would say the document cannot be opened on a PC and instead can only be opened on a mobile device.

Not only are victims opening the attachments and getting infected, but some of them are asking for support when they have problems opening the document. Attackers are using innovative ways to distribute their malware and also going the extra mile in “helping” these victims to install their malware on the devices. For example, a user responded to the attacker stating that they were unable to open it on their mobile device and the attacker responds that they need to open it on their PC.

It is important to have updated anti-virus software and OS patches installed on your systems. If you are unsure of an attachment run it through websites such as Virustotal, also consider using a separate sandbox environment for opening attachments.

US State Department’s email breach leaks employees’ personal data

Data breaches are not unusual in this day and age. In fact, the frequency of such incidents makes them look like the norm. However, it becomes more alarming when things go wrong at government institutions. Recently, the State Department endured a speculated cyber attack on their email system, resulting in a compromise of some of its data. Specifically, the State Department email breach affected a small proportion of employees exposing their personal records.

The US State Department's classified email system was not affected by the breach, it said.

The news about the State Department email breach surfaced online after a report from Politico. Whilst sharing a copy of the official notice about the breach, the source reported that the State Department generated alerts on September 7, 2018, to inform employees of the breach. As disclosed, the breach exposed the personal data of victim employees. Nevertheless, the incident only affected 1% of staff inboxes.

"The department recently detected the activity of concern in its unclassified email system affecting less than 1% of employees inboxes," the warning read. According to the department's own records, it employs 69,000 people, of which about 600-700 were affected by the breach.

As stated in the notice, “We have determined that certain employees’ personally identifiable information (PII) may have been exposed. We have notified those employees.”

The warning established that employees' PII may have been exposed. However, it did not specify exactly what information had been accessed. The department was investigating the cause by working with partner agencies to conduct a full assessment, a State Department official said in an emailed statement.
The agency didn't suggest who might be responsible for the breach, but noted that steps have been taken to secure systems and that the affected employees will be given three years of free credit monitoring, ZDNet reported.

Windows secretly collects sensitive data via Handwriting Recognition tool

Windows has a built-in tool for improving its own handwriting recognition capability, and like many modern, smart features that increase their accuracy over time, it employs user data to do that. Windows Handwriting Recognition has been around for quite a while. Many Windows users who prefer touch-screen or stylus as input methods know the importance of this feature. However, the same, seemingly “innocent” feature is actually tracking your texts. According to a recent discovery, a Windows file named WaitList.dat secretly stores your texts with the help of Windows Search Indexer service. This includes everything from your passwords, emails, texts, and private chats.

This feature was first introduced in Windows 8 as part of its big drive toward touchscreen functionality. It automatically translates touch or stylus (these are the best ones) inputs into formatted text, improving its readability for the user, and giving other applications the ability to comprehend it. It means the secret tracking of users has been occurring for a number of years. Some are concerned that the way it stores that information could prove to be a security risk.

Digital Forensics and Incident Response (DFIR) expert Barnaby Skeggs first discovered the information about the file back in 2016 but wasn’t paid much attention. However, after a new and exclusive interview with ZDNet – it appears that the file, in fact, is reasonably dangerous.

Every touch-screen Windows PC with a handwriting recognition feature enabled maintains this file storing users text.

“Once it (handwriting recognition tool) is on, text from every document and email which is indexed by the Windows Search Indexer service is stored in WaitList.dat. Not just the files interacted via the touchscreen writing feature,” Skeggs says.

Considering how ubiquitous the Windows search indexing system is, this could mean that the content of most documents, emails, and forms ends up inside the WaitList file. The concern is that someone with access to the system — via a hack or malware attack — could find all sorts of personally identifiable information about the system’s owner. Worse yet, WaitList can store information even after the original files have been deleted, potentially opening up even greater security holes.

Students, staff may be behind many college cyber-attacks

A security analysis of cyber-attacks against universities and colleges in the UK has discovered staff or students could often be responsible, rather than organised crime or hacking groups who are often blamed for these cyber attacks.

Attributing cyber attacks is often a difficult task but Jisc, a government-funded digital support service for higher education that provides cyber-security has examined the timing of 850 attacks in 2017-18 and found that Distributed Denial of Service (DDoS) attacks against university campuses are more likely in term time and during the working day and dramatically drop when students are on holiday.

They increased from 8 or 9am and then tailed off in the early afternoon. There was a very sharp decline in attacks in the Christmas, Easter and summer breaks and during half-terms - with attacks rising again sharply when terms resumed.

Rather than criminal gangs or agents of foreign powers, the findings suggest many of the attacks on universities and colleges are more likely to have been caused by disgruntled staff or students wanting to provoke "chaos".

While the research paper notes that in many cases the reasons behind these DDoS campaigns can only be speculated about, just for fun, for the kudos and to settle grudges are cited as potential reasons.

"This pattern could indicate that attackers are students or staff, or others familiar with the academic cycle. Or perhaps the bad guys simply take holidays at the same time as the education sector," said John Chapman, head of security operations at Jisc (formerly the Joint Information Systems Committee).

In one case, a DDoS attack against a university network which took place across four nights in a row was found to be specifically targeting halls of residence. In this instance, the attacker was launching an attack in order to disadvantage a rival in online games.

"It's notoriously difficult to identify individual cyber-criminals," says Chapman.

2 arrested in Uttarakhand for whatsapp char on killing Defence minister

Two persons were arrested on Monday from Uttarakhand over an exchange of messages on WhatsApp discussing a plan to allegedly kill Indian Defence Minister Nirmala Sitharaman during her visit to the state.

The minister paid a visit to Dharchula town of Pithoragarh district in Uttarakhand on Monday to inaugurate a mega medical camp organised by the Army on the occasion of Prime Minister Narendra Modi's birthday. His birthday is being celebrated as 'Seva Diwas'.

The police were alerted to the message at 9.30pm on Sunday. It is being probed whether the duo had any criminal background or possessed any arms and ammunition.

The two have been booked under Section 506 (criminal intimidation) of the IPC and Section 66 of the Information Technology (IT) Act, Pithoragarh SP Ramchandra Rajguru said. "We were alerted to the chat (about killing the defence minister) on a WhatsApp group at 9.30 pm on Sunday. We identified two persons between whom the chat was taking place and arrested them Monday morning ahead of the defence minister's arrival here," he said.

The controversial message sent by one of the arrested duo reads as, "Main shoot karunga Sitharaman ko, kal uska akhiri din hoga. ('I will shoot Sitharaman, tomorrow will be her last day')", police said.

The credentials of the admin of the WhatsApp group are also being looked into, the SP said. While the matter is still under investigation, Rajguru said that it appeared, prima facie, that the duo was drunk while they were chatting.

Cold boot attacks can affect nearly all modern computers

Many people tend to put laptops to ‘Sleep’ instead of shutting it down. Whether you’re at home, or at your workplace, leaving desktops and laptops unattended might have become a habit. A cybersecurity firm discovered a way to access a laptop’s data even with full disk encryption. According to their findings, anyone with physical access to a high-value computer can steal sensitive data such as passwords, corporate files, and more, stored on your RAM via new cold boot attacks.

In their recent blog post, F-Secure disclosed a way to steal data stored on a laptop when left unattended. They described how an attacker can pilfer encryption keys along with all data from the laptop.

The attack only takes about five minutes to pull off, if the hacker has physical access to the computer, F-Secure principal security consultant Olle Segerdahl said in a statement Thursday. These attacks require special hardware tooling to perform, and are generally not considered a threat vector for normal users, but only for computers storing highly-sensitive information, or for high-value individuals such as government officials or businessmen. Cold boot attacks can steal data on a computer's RAM, where sensitive information is briefly stored after a forced reboot.

Earlier, attempts have been made to mitigate cold boot attacks by overwriting the RAM after power restoration. However, F-Secure security consultants, Olle Segerdahl and Pasi Saarinen, discovered a way to bypass such mitigations. Explaining their findings in the blog post, they state,

“The two experts figured out a way to disable this overwrite feature by physically manipulating the computer’s hardware. Using a simple tool, Olle and Pasi learned how to rewrite the non-volatile memory chip that contains these settings, disable memory overwriting, and enable booting from external devices. Cold boot attacks can then be carried out by booting a special program off a USB stick.”

Morgan Stanley to offer bitcoin swap trading

Another of the world’s largest investment banks is quietly building a product that will allow its clients to trade bitcoin, at least indirectly.

Morgan Stanley, the sixth-largest bank in the U.S. by assets, is joining Wall Street’s race toward an institutional-friendly bitcoin derivative, Bloomberg reported on Thursday, citing a person familiar with the matter. The financial institution is creating a proprietary derivatives product that will give traders “synthetic exposure” to the price of bitcoin. These derivatives would allow investors to indirectly invest in the market’s flagship currency, allotting them the option to buy into long or short positions through the contracts.

From the report:

“The U.S. bank will deal in contracts that give investors synthetic exposure to the performance of Bitcoin, said the person, who asked not to be identified because the information is private. Investors will be able to go long or short using the so-called price return swaps, and Morgan Stanley will charge a spread for each transaction, the person said.”

The report further indicated that Morgan Stanley, whose CEO — James Gorman — said earlier this year taking their prices from bitcoin futures, the swaps will not handle bitcoin directly through the bank. Seeing as Morgan Stanley is a regulated and established financial institution, tying the product to futures contracts is a safer bet than basing them on bitcoin’s spot price, as the Chicago Mercantile Exchange and Chicago Board of Exchange offer fully-regulated bitcoin futures from which Morgan Stanley can pool pricing data.

Bloomberg’s source claimed that the derivatives are ready for launch, but it’s waiting on an in-house approval process and sufficient investor demand before taking them to market.

However, Morgan Stanley’s spokesperson has declined to comment on the developments.

Last week, Business Insider reported that rival Goldman Sachs Group Inc was ditching plans to open a desk for trading cryptocurrencies, as the regulatory framework for crypto remains unclear.

Banking Trojan attacks increase

Check Point’s latest Global Threat Index reveals an increase in banking trojan attacks in August as organisations feel the impact of large scale Ramnit campaign, that has been converting victim’s machines into malicious proxy servers.

Ramnit's fundamental makeup positions it in the fore of malware trends, despite being based on old source code that’s been knocking around for years.

After staying dormant for few years, the Ramnit banking trojan resurfaced in July and jumped to sixth place. A wider analysis of how the banking trojan is evolving shows innovative development on the part of its authors, with an eye to broader malware trends.

“This is the second summer running where we have seen criminals increasingly using banking trojans to target victims and make a quick profit,” Maya Horowitz, Threat Intelligence Group Manager at Check Point commented. “Trends like this should not be ignored as hackers are acutely aware of which attack vectors are most likely to be successful at any given time, suggesting internet users’ browsing habits during the summer months make them more susceptible to banking trojans. This underlines that malicious hackers are tenacious and sophisticated in their attempts to extort money.”

Horowitz added: “In order to prevent exploitation by banking trojans – and other types of attacks – it is critical that enterprises employ a multi-layered cybersecurity strategy that protects against both established malware families cyber-attacks and brand new threats.”

During the period Coinhive remained the most prevalent malware, with impact on 17% of organization worldwide. Dorkbot and Andromeda were ranked in second and third place respectively, each with a global impact of 6%.

Coinhive – Crypto Miner designed to perform online mining of Monero cryptocurrency when a user visits a web page without the user’s knowledge or approval the profits with the user. The implanted JavaScript uses a great deal of the computational resources of end users’ machines to mine coins, and may crash the system.

Karnataka’s land records software hacked for the third time

In a serious security breach of Karnataka’s famed land record database, 19 acres of government wasteland in the outskirts of Bengaluru, near Devanahalli was shifted to a private individual illegally last week.

In Gobbaragunte village of Devanahalli taluk, around 40 km from Bengaluru, land value is very high due to the presence of the Kempegowda International Airport. The incident has caused ripples in the revenue department. Land sharks are believed to be behind the manipulation of records.

The breach happened in the Bhoomi software. This is the third time that the Bhoomi software has been breached. Bhoomi, introduced to digitise land records, came into being in 2002. The first breach was reported in Mangaluru a decade ago when Bhoomi software was still in its nascent stage. A failed attempt was made by certain individuals to change the mutation of a government property to a private person. Two years ago, the department discovered another case where an attempt was made to change the RTC (Record of Rights, Tenancy and Crop Information) of a nine-acre government plot in Malur taluk of Kolar district to a private individual. The department had then filed a police complaint but the investigation did not progress. “The modus operandi of Malur and Devanahalli cases are similar. In both cases, the culprit has changed the RTC of government land to a private person by manipulating the database. This has been done bypassing the mutation process,” said a source at the Bhoomi Monitoring Cell.

It is learnt that an insider could be involved in the cases to help the land mafia grab unused government land. Due to the fact that modifications made can be tracked immediately, the department has been able to identify the changes made in the database. “We soon checked the history of land records and found out that the change was done manually,” the source said. In the Devanahalli case, the owner of government land was mentioned as Huchappa bin Nanjappa, someone non-existent.

Your face to soon become your boarding pass at Bengaluru airport

At the Bengaluru airport, soon will not have to carry your boarding pass and your face will be your boarding pass. Bengaluru airport will debut facial recognition in air travel in India. The first implementation milestone of the paperless biometric self-boarding technology at the airport will be completed in the first quarter of 2019.

The move is aimed at transforming the passenger experience and creating a future-ready airport.

Aviation in India is on a big upswing in terms of passenger demand. Now, the focus is on to make the entire process of providing access to the plane as easy as possible. Bengaluru International Airport (BIAL) has partnered with Portuguese technology company Vision-Box to implement this smart project, the airport authority said in a tweet.

The deal was signed on Wednesday in Lisbon, Portugal in the presence of Portuguese Prime Minister Antonio Costa.

"Your face is your boarding pass," said BIAL's MD & CEO Hari Marar, describing the revolutionary technology that is set to transform air travel. “Vision-Box’s state-of-the art biometric technology, combined with its passenger flow platform will enable a seamless journey for our passengers, without obstacles, waiting for lines or hassles, from registration to boarding,” Marar added.

Vision-Box CEO Miguel Leitmann said that this will be the first end-to-end face recognition-based walkthrough experience in Asia. "We’re very proud to team up with Kempegowda International Airport, Bengaluru. We’re together raising the flag of a historical milestone, marking not only the significant improvement of the experience of those who travel through Bangalore but also the accomplishment of a seamless digital airport journey. This is the first end-to-end face recognition-based walkthrough experience in Asia and the largest in the world,” said Leitmann.

Vision-Box provided Automated Border Control and electronic identity solutions that use ICAO-compliant standards. Biometric technology will identify the passengers by their face as they move across the airport, avoiding stops and the repeated presentation of boarding passes, passports or other physical identity documents, the statement said.

Airlines like Air Asia, SpiceJet and Jet Airways may be among the early users of the technology.

Bitfi withdraws ‘unhackable’ claim

Bitfi, a cryptocurrency wallet backed by anti-virus software entrepreneur and POTUS candidate John McAfee, has issued a statement saying it will no longer describe its service as “unhackable”.

The announcement followed the release of evidence by a group of security researchers showing the wallet being compromised.

While this was not even the first time the $120 hardware wallet was hacked, it was enough for Bitfi to strike the “unhackable” claim from its website.

At the end of July, McAfee had announced a bounty programme: following certain rules, a hacker had to get access to Bitfi’s wallet and in return receive a bounty, which was raised by McAfee from $100 000 to $250 000. Eventually, a few hackers, including a fifteen-year-old, rooted the device which is apparently a cheap Android phone. That bounty, which many in the security community deemed a sham, specified that a hack counted only if someone got the coins off the “cut-down Android phone” wallet. Bitfi and John Mcafee, in particular, have continuously denied that the hack occurred with McAfee openly challenging the word’s definition and refused to pay researchers who did hack the device, claiming the attacks didn’t meet the bounty conditions. It wasn’t horribly surprising that Bitfi won the PwnieAward for “Lamest Vendor Response.”

Bitfi stated that the Bitcoin inside must be removed from the wallet - which was controversial among the cybersecurity community as often weaknesses are identified but not acted upon. Security researchers had argued that the terms of the bug bounty programme were too specific.

The newest hack of Bitfi, a cold boot attack, was pulled off by 15-year-old Saleem Rashid, who previously turn Bitfi into a Doom gaming console. Rashid is part of a team of security researchers going by “THCMKACGASSCO.”

Despite Bitfi having been hammered and exploited many times, Bitfi finally backed off its “unhackable” claim shortly after Rashid posted video proof of the hack on Twitter.

Now the company is even labelling their actions as “counterproductive” and has allegedly hired an experienced Security Manager to fix multiple “vulnerabilities.”

Cyber criminals are hacking emails, sending fake messages

Hackers are on the prowl, looking for your email data. From just seven cases of hacking email IDs in the city last year, the number has shot up to 13 so far this year. It turns out it doesn't take much for hackers to see what's being displayed on your computer screen.

Cybercrime police said fraudsters hack the victim’s email account and send fake emails to their contacts, stating that the victim is in dire need of money.

“After the account is hacked, emails are sent to all contacts of the victim stating the account holder’s family member is in the hospital and he or she urgently needs money. Thinking it’s true, the contacts transfer money to the given account details in the mail,” said Hyderabad additional deputy commissioner of police (cyber crime) Raghu Vir.

According to a police source, the Dark Web has become a marketplace of Gmail data. “Several fraudsters get hold of the information about accounts through Dark Web and use it to blackmail people and siphon off money,” the source added.

In a recent case, a 33-year-old businessman approached the Rachakonda Cyber crime police saying that he received a mail saying his account was hacked and his activities were being followed by the fraudsters. "The hacker claimed he knows what kind of pornography websites the victim was watching and threatened to send details to his family and friends," Rachakonda assistant commissioner of police, cybercrime, S Harinath said. "We asked him to get bank details of the hacker so that we can track him. Hyderabad police too had registered a similar case a month ago. However, the man refused to register a case due to stigma," the official added.

A team of researchers have discovered that ultrasonic sounds picked up by a webcam microphone can be analyzed using machine learning to determine what's being shown on a remote computer screen.