Author Archives: Vibhooti Bhatnagar

Google’s Nest Secure had a built-in microphone no one knew about

After the hacking fiasco a few weeks ago, Nest users have been more on edge about their security devices than ever before. The recent discovery of a built-in, hidden microphone on the Nest Guard, part of the Nest Secure security system, has only served to further exacerbate those concerns.

Alphabet Inc's Google said on February 20 it had made an "error" in not disclosing that its Nest Secure home security system had a built-in microphone in its devices.

Consumers might never have known the microphone existed had Google not announced support for Google Assistant on the Nest Secure. This sounds like a great addition, except for one little problem: users didn’t know their Nest Secure had a microphone. None of the product documentation disclosed the existence of the microphone, nor did any of the packaging.

Earlier this month, Google said Nest Secure would be getting an update and users could now enable its virtual assistant technology Google Assistant on Nest Guard.

A microphone built into its Nest Guard alarm/motion sensor/keypad wasn't supposed to be a secret, Google said after announcing Google Assistant support for the Nest Secure system, but the revelation that Google Assistant could be used with its Nest home security and alarm system was a surprise.

“The on-device microphone was never intended to be a secret and should have been listed in the tech specs. That was an error on our part. The microphone has never been on and is only activated when users specifically enable the option,” Google said.

Google’s updated product page now mentions the existence of the microphone.

If your first thought on hearing this news is that Google was spying on you or doing something equally sinister, you aren’t alone. Ray Walsh, a digital privacy expert at, said “Nest’s failure to disclose the on-board microphone included in its secure home security system is a massive oversight. Nest’s parent company Google claims that the feature was only made available to consumers who activated the feature manually. Presumably, nobody did this; because the feature wasn’t advertised.

Indian hackers hack over 200 Pakistani websites

Just days after the dastardly attack on CRPF convoy in Pulwama, more than 200 Pakistani websites have reportedly been hacked by an Indian hacker group - 'Team I Crew', as a sign of protest.
On Saturday, the official website of Pakistan's Ministry of Foreign Affairs was also reportedly hacked.

Pakistan foreign ministry spokesperson Mohammad Faisal had said complaints were received about the site being inaccessible by users from several countries.

According to a report in Times Now, the Indian hacker group shared the list of hacked websites on various social media platforms. The hackers also claimed that this is one of the biggest cyber attacks launched by Indian hackers on Pakistan.

"Pakistan has faced its worst cyber attack in history, in last 72 hours," reads the message.
Messages like “We will never forget #14/02/2019,” "Dedicated to the martyrs sacrificed their lives in #PulwamaTerrorAttack,” appear on some of the websites along with a condolence note for the families of the CRPF jawans killed in the attack.

On February 14, an explosives-laden SUV rammed into a convoy carrying CRPF personnel in Pulwama. The attack killed 40 CRPF soldiers. The Pakistan-based terror group Jaish-e-Mohammad claimed responsibility for the attack.

The attack, which is being considered one of the deadliest terrorist strikes on Indian forces, has drawn criticism from various quarters, with several countries coming out in support of India and condemning the barbaric attack. India also withdrew the Most Favoured Nation (MFN) status accorded to Pakistan following the terror strike.

The list of Pakistani websites hacked include:

Mobile networks call for 5G security test

Europe is on the cusp of the next industrial revolution: the 5G era.

The mobile network industry has called for a new European security testing scheme to check the safety of 5G equipment before it is deployed without having to resort to the disruptive step of excluding vendors from the market.

The initiative by the GSMA, which represents 800 operators worldwide, comes as the US steps up pressure on its allies to ban China’s Huawei Technologies and ZTE on national security grounds.

Several countries have stopped individual companies supplying equipment for their next-generation networks, citing security concerns.

The GSMA said a testing scheme would reduce the need to ban suppliers.

5G will transform the way that European citizens live and work. 5G, working together with and built as an add-on to existing 4G networks, will connect people and things faster than ever before. It will drive efficiency and productivity and help us all use finite resources more effectively, particularly for industrial applications. In addition to the huge benefits for business and the economy, it will offer important breakthroughs in the provision of health care, skills and education.

As with 4G, robust competition amongst network infrastructure suppliers is essential to European operators’ ability to deliver innovative services to European citizens and businesses at competitive and affordable prices. By 2025, mobile operators are expected to invest between €300 billion and €500 billion on the rollout of 5G across Europe, and as an industry will generate over 4 per cent of GDP.

Operators warn that such a step would disrupt the supply of equipment, increase costs to them and their customers, delay the rollout of next-generation 5G services by years, and potentially hobble existing networks.

To safeguard this investment, retain competitiveness and data affordability, as well as maintain consumer trust, mobile operators have always prioritised network integrity, will never compromise on security and already have a proven track record of deploying secure 4G networks. 5G is, in essence, an evolution of the 4G standard, with enhanced features in terms of latency, speed and security.

Bomb hoax suspect arrested in US

Multiple charges have been laid thanks to the efforts of multiple departments spanning two countries, stemming from 10 bomb threats, including one in a school, late last week.

The man at the centre of recent bomb threats in Taber, Alta, has made his first appearance in a U.S. courtroom. It's not the first time the 36-year-old suspect has been arrested for allegedly making threats.

Justin Bagley of Elkville, Illinois has been charged with 11 counts of felony disorderly conduct in connection to a series of bomb threats made in the Town of Taber that spanned over three days. Class 3/4 disorderly conduct felonies can carry sentences ranging from one to five years in prison in the state of Illinois on each charge.

Timothy Dalton Vaughn is suspected of being part of the Apophis Squad hacker group that was allegedly behind the pranking spree. LA's airport was one target for the Apophis hacker group.

On Friday, police said three schools in Taber received anonymous bomb threats via phone calls from an unknown individual. Investigations found there was no threat at any of the schools, according to police.

In a news release issued on Monday, the Jackson County state’s attorney in Illinois said Bagley has now been charged with “11 separate disorderly conduct counts of making false bomb threats.”

A joint investigation got underway on Saturday when police in Taber contacted the Jackson County Sheriff’s office in Illinois.

The Taber Police Service, Medicine Hat Police Service, Jackson County police and United States Department of Homeland Security all participated in the investigation.

One member of Apophis, Briton George Duke-Cohan, is serving a three-year jail sentence for aiding the attacks.

The Jackson County Sheriff’s office noted that investigators were able to track the phone number used to call the targets in Taber, leading to the arrest of Bagley. All told, an international suspect was arrested within 72 hours of the first bomb threat, which was received on Thursday night at Wal-Mart in Taber.

14.8 million 500px users’ data stolen

500px, an online photography community, has suffered a massive data breach in which cybercriminals leaked the personal information of 14.8 million users.

500px is a global network for photographers, and the platform manages around 16 million users who get paid for their work and skills.

Security experts learned of this security incident in July 2018, when an unauthorized party broke into the 500px systems and gained access to users' personal information.

In this case, the intruder accessed users' sensitive information, including first and last name, username, email address, hashed password, date of birth, city, state/province, country, and gender.

The 500px engineering team has already been deployed to mitigate this incident, and the company believes that there is “no indication of unauthorized access” to user accounts, adding that information like credit card numbers was not affected since these data aren’t saved on a company server.

The company said that users who opted in prior to July 5, 2018, are potential victims of this data breach, and the company is notifying all users via email as well as onsite and with mobile notifications, however, given the volume of users affected.

According to 500px, the following steps are being taken to protect its customers from future attacks.

▬ Given the nature of the personal data involved, we have already forced a reset of all MD5-encrypted passwords, and a system-wide password reset is underway.

▬ We have vetted access to our servers, databases, and other sensitive data-storage services.

▬ We have and are continuing to monitor our source code, both public-facing and internal, to protect against security issues.

▬ We are partnering with leading experts in cybersecurity to further secure our website, mobile apps, internal systems, and security processes.

▬ We are modifying our internal software development process.

▬ We are continuing to upgrade our network infrastructure.

The company also states that it has alerted law enforcement and has retained a private security firm to investigate the issue.

E Hacking News – Latest Hacker News and IT Security News 2019-02-14 05:22:00

In a fresh case of internet fraud, the salary account of BJP leader and Karnataka MP Shobha Karandlaje was hacked. More than Rs 15 lakh was withdrawn in the past two months from her salary account in State Bank of India's Parliament House branch.

Hailing from Puttur in Coastal Karnataka, BJP MP Shobha Karandlaje represents the Udupi-Chickmagalur constituency.

The hack was confirmed by Shobha who claimed that she did not receive an SMS prompt for any transaction.

The incident came to light when she went to the bank for some transactions on Monday and when she obtained her bank account statement, she found that Rs 15.62 lakh was withdrawn without her knowledge.

Karandlaje approached Parliament Street Police Station on Monday after she came to know about the withdrawal of money. The complaint was filed at North Avenue police station in the national capital. The State Bank of India account was frozen after the complaint was lodged.

“We have registered a case into the matter at North Avenue police station under relevant sections of Indian Penal Code. It will be transferred to the cyber cell for detailed investigation. We are getting the details of the transactions from the bank to find out whether the transactions were done in the country or from outside the country,” said a police officer speaking to The Hindu.

“The police are also probing whether any of the bank staff compromised the bank account details of the MP since she claimed that she did not receive the SMS alert,” a senior police officer said.

Bank details of Bernard Matthews employees stolen

A suspected cyber-attack "potentially compromised" the bank account details of 200 workers at Bernard Matthews.

The turkey producer has made staff aware of the suspected hack.

The Norfolk-based company said it was alerted by its bank on 22 January, as first reported in the EDP.

A spokesman said: “After being first alerted by our bank, we reported the incident to the relevant authorities and put in place extra security measures, as well as offering additional security advice to those affected.” "We continue to monitor the situation but we are not aware colleagues have been affected any further," he added.

The person or group behind the hack is unknown.

Bernard Matthews employs 3,000 people across East Anglia. The company is a major employer in Norfolk and Suffolk, including at its plant at Holton, near Halesworth, and its headquarters at Great Witchingham.
The business has been through a difficult time in recent years, coming close to collapse in 2013.

Last year, it was one of two interested parties bidding to take over Banham Poultry, in Attleborough, which was eventually sold to Chesterfield Poultry.

In 2016 the Boparan Private Office, owned by food tycoon and 2 Sisters Food Group entrepreneur Ranjit Boparan, known as the “Chicken King”, bought the firm in a pre-pack deal from Rutland Partners, saving 2,000 jobs after the firm posted pre-tax losses of £5.2m.

Crypto CEO dies holding only password to unlock customer coins

Quadriga CX can’t retrieve about $145 million in Bitcoin, Litecoin, Ether and other digital tokens held for its customers. The sudden death of its CEO Gerald Cotten has left a huge stash of cryptocurrencies locked off from the people who own them.

The company’s inability to release its clients’ money has created an uproar among angry — and highly suspicious — investors.

The company said in court filings on January 31 in Halifax, Nova Scotia that the CEO was the only person who knew the security keys and passwords needed to access the funds.

Many of the digital currencies held by Quadriga are stored offline in accounts known as "cold wallets," a way of protecting them from hackers. Cotten was the only person with access to the wallets, according to the company.

In its Facebook post on January 14, the company said that 30-year-old Cotten died of complications arising from Crohn's disease while he was travelling to India to open an orphanage. The note said Cotten, 30, had died December 9.

This case again highlights the unregulated world of cryptocurrencies.

The Supreme Court of Nova Scotia on Tuesday approved the company’s request for protection against creditors for 30 days and the appointment of accounting firm Ernst & Young to sort out Quadriga’s finances and explore a possible sale.

Vulnerability found in digital signage system

A swathe of severe vulnerabilities was found in Tightrope Media Systems’ digital signage system.

A researcher has uncovered severe vulnerabilities in digital signage software developed by Tightrope Media Systems (TRMS) thanks to the use of a default password.

The findings were made during a recent penetration test of the Carousel system conducted by cybersecurity researcher Drew Green.

Green's client was making use of the software on an appliance provided by TRMS which the researcher describes as "essentially an x86 Windows 10 PC."

The researcher decided to explore further. TRMS's Carousel system allows users to upload "bulletins" which are the items displayed on digital signs.

The interface accepts .ZIP files for uploads, and during testing, Green was not only able to export existing, legitimate bulletins, but was also able to upload a .ZIP file containing two malicious files to Carousel.

However, the researcher came across a stumbling block when he attempted to travel to the URL of the malicious files.

"It appeared that when inserting files into this ZIP archive, the path separator for files and directories was being set to the forward-slash character ("/") rather than the backslash character ("\")," Green said. "This caused the files I added to be discarded by the server upon upload. I was eventually able to see this clearly by opening the file in a hex editor."

In order to overcome this barrier, all it took was for the researcher to manually change the characters in question. Green was then able to execute commands on the system via a web shell.

With access assured, the researcher uploaded a PowerShell file which connected a remote shell back to his system -- granting Green the ability to upload arbitrary files and remotely execute code.

Another vulnerability, CVE-2018-18931, was uncovered which allowed the researcher to bump up privileges on a user account to a local administrator, and while exploiting the bug required a system restart -- something basic accounts cannot do -- he was able to send a command to force a reboot and trigger the exploit.
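The upload step described above turns on how the server treats ZIP entry names and which file types it accepts. One server-side check a defender could run before extracting an uploaded archive is sketched below as an added example (it is not Tightrope's code and not from Green's write-up): it treats both path separators the same, rejects traversal and Windows-specific name tricks, and allows only expected extensions. The function names, limits and the extension allowlist are assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Hypothetical allowlist: file types a bulletin archive is expected to hold.
ALLOWED_EXTENSIONS = {".xml", ".png", ".jpg", ".jpeg", ".gif", ".mp4"}
MAX_ENTRIES = 500                      # assumed limit
MAX_TOTAL_BYTES = 200 * 1024 * 1024    # assumed limit on uncompressed size


def check_entry_name(raw_name):
    """Return (ok, reason) for a single archive entry name."""
    # Treat "\" and "/" identically so the verdict does not depend on which
    # separator the archive tool (or a hex editor) wrote into the name.
    name = raw_name.replace("\\", "/")
    if not name or "\x00" in name:
        return False, "empty name or NUL byte"
    if ":" in name:
        return False, "colon (drive letter or alternate data stream)"
    if name.startswith("/"):
        return False, "absolute path"
    is_dir = name.endswith("/")
    parts = name.rstrip("/").split("/")
    if any(p in ("", ".", "..") for p in parts):
        return False, "traversal or empty path component"
    # Windows strips trailing dots and spaces, so "x.png." lands as "x.png"
    # and "x.ps1." as "x.ps1"; refuse such names instead of guessing.
    if any(p.endswith((".", " ")) for p in parts):
        return False, "trailing dot or space"
    if is_dir:
        return True, "directory"
    suffix = PurePosixPath(parts[-1]).suffix.lower()
    if suffix not in ALLOWED_EXTENSIONS:
        return False, f"extension {suffix or '(none)'} not allowed"
    return True, "ok"


def validate_upload(data):
    """Return a list of (entry_name, reason) rejections; empty means accept."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a ZIP file")]
    with archive:
        infos = archive.infolist()
        if len(infos) > MAX_ENTRIES:
            return [("<archive>", "too many entries")]
        if sum(i.file_size for i in infos) > MAX_TOTAL_BYTES:
            return [("<archive>", "uncompressed size over limit")]
        rejected = []
        for info in infos:
            ok, reason = check_entry_name(info.filename)
            if not ok:
                rejected.append((info.filename, reason))
        return rejected


def build_sample(names):
    """Build an in-memory ZIP with the given entry names (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"constructed sample content")
    return buf.getvalue()


# Constructed entry names: two expected files and three that must be refused.
SAMPLE_NAMES = [
    "bulletin/page1.xml",
    "bulletin\\media\\logo.png",
    "bulletin\\upload.ps1",
    "..\\..\\outside.png",
    "bulletin/pic.png.",
]

if __name__ == "__main__":
    for entry, why in validate_upload(build_sample(SAMPLE_NAMES)):
        print(f"REJECT {entry!r}: {why}")
```

Rejecting the whole upload when any entry fails is the safer policy here, since silently dropping individual entries hides the attempt from whoever reviews the logs.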

29 camera apps removed from Play Store for stealing users’ info

Google has banned around 29 beauty camera apps on the Play Store as it was discovered that these apps were sending users pornographic content, redirecting users to phishing websites and also stealing their private pictures.

Some of these Android apps have been downloaded millions of times and a large number of the download counts originated from Asia -- particularly in India.

Most of the 29 removed apps went out of their way to disguise their malicious nature.

An investigation carried out by security researchers at US-based cyber security firm Trend Micro found these apps displaying full-screen pop-up ads that linked to explicit content, while some went to the length of downloading a paid media player and redirected users to websites that collected their phone numbers and addresses.

The apps also used tactics to ensure that they cannot be analysed.

As per the blog post, one of the tactics used by apps promising to let users edit and “beautify” their photos involved having them upload their photos to a server, and then responding with a fake prompt about needing to update. Instead of actually returning edited photos, the developers were able to collect users' photos for other purposes.

First, several of these beauty camera apps were “accessing remote ad configuration servers that can be used for malicious purposes,” says the security firm. The analysis shared by Trend Micro shows that most users would not realise that something was wrong with the apps until they wanted to delete the app.

All 29 apps removed claimed to be camera or photo-editing related, with the top three — Pro Camera Beauty, Cartoon Art Photo, and Emoji Camera, each getting over 1 million downloads. Other popular apps that were removed include, Artistic Effect Filter, Selfie Camera Pro and Horizon Beauty Camera, with each over 1,00,000 downloads.

The apps have now been removed by Google from the Play Store.

Sensitive data of Airbus employees stolen

European aeroplane maker Airbus has admitted that IDs and contacts of some of its Europe-based employees were compromised in a massive hack. The company is rushing to reinforce its security measures.

Airbus European Aeronautic Defence and Space Company manufactures and sells civil and military aerospace products worldwide with more than 129,000 employees.

Experts learned of the cyber incident in Airbus's “Commercial Aircraft business” information systems, but it does not affect Airbus's commercial operations.

The company said in a brief statement published late last night that the breach is "being thoroughly investigated by Airbus' experts". The company has its own infosec business unit, Stormguard.

The firm didn’t elaborate on the nature of the hack but said that “investigations are ongoing to understand if any specific data was targeted,” according to a press release.

Also, experts have taken immediate and appropriate actions to reinforce existing security measures and to mitigate its potential impact, as well as determining its origins.

Airbus authorities are in contact with the "relevant regulatory authorities", which for Airbus is France's CNIL data protection watchdog. We understand no customer data was accessed.

The plane manufacturer instructed its employees to “take all necessary precautions going forward.”

Cyber crime victims lose £190,000 every day

Hacking of social media and email accounts continues to be the most prolific means of scamming people online, contributing to more than 5,000 cases out of the 13,357 cyber crimes reported in the six months between April and September 2018. It is estimated such hacking has cost victims £14.8 million.

People falling prey to cybercrime have reported losing £34.6 million, the latest numbers from Action Fraud show, which is a 24% increase on the previous six months. More than £190,000 a day is lost in the UK by victims of cyber-crime, police statistics show.

“Cybercrime is a growing trend with the total losses increasing by 24%,” said Commander Karen Baxter of the City of London Police. “In particular criminals are targeting social media users and online account holders in a bid to make money and steal personal details. This leaves victims out of pocket and at risk of identity theft,” added Baxter.

The figures show 13,357 people in the UK reported cyber crimes over six months.

The City of London Police, which runs Action Fraud, has warned people to keep separate passwords for online accounts. They are advising people to step up their online security measures by ensuring their password is strong and to be careful of unsolicited requests for personal data.

“To avoid falling victim, it’s important that people keep a strong, separate password for their email accounts,” Commander Baxter continued.

“They should also use the latest software and app updates. Always be suspicious of unsolicited requests for your personal or financial information and never call numbers or follow links provided in unsolicited texts or emails; contact the company directly using a verified and trusted email or phone number. If you or someone you know believes they have fallen victim to cybercrime, please report it to Action Fraud.”

Commander Karen Baxter said cybercriminals were targeting people's social media accounts "in a bid to make money and steal personal details", adding it could leave victims "at risk of identity theft".

Fake GPS navigation apps detected on Google Play Store

The more Google works towards making apps on its Play Store secure and less intrusive for users, the more skeletons seem to be tumbling out of the cupboard as it were.
Despite Google's screening process to detect fake apps on the Play Store, 15 GPS and navigation apps that have been found to be fake were spotted on the virtual store. Put together, the apps reportedly have over 50 million installations.

Prominent malware expert at ESET, Lukas Stefanko unearthed the malicious navigation apps, which just open Google Maps or use their API to only display ads.

The purpose of these fake GPS apps is to earn easy money by duping users into downloading their app and then forcing them to pay up to remove the ads. Some other apps also asked for access to the Android device’s dialer and other permissions that a navigation app would generally not need and that could very well pose a security risk for the user.

These apps, which include the likes of GPS Route Finder, GPS Live Street Maps and Maps GPS Navigation among others, as Stefanko pointed out in a series of tweets, don't provide any additional service of their own to the users.

Earlier this month, Google removed 85 malicious apps from its Play Store. These adware apps were disguised in the form of gaming and remote control simulator apps and had been downloaded over 9 million times from Google's app store. And now, less than a month later, a new set of apps have been spotted violating the company's Play Store guidelines.

Google, however, quickly reacted and moved in to do damage control. Many of the apps identified by Stefanko have since been removed from the Play Store. This time, a majority of them are in the GPS and navigational systems areas. And these apps have already been downloaded and are used by over 50 million users worldwide. These people would not have known that what they are using are not official Google apps but mere fake ones. Some have been seen just popping up ads on the mobile phone screens of the users. Google has a nice policy for these things in place but the app operators have been exploiting the weakness in the Google ecosystem that lets them pass through and operate with impunity.

Anatova ransomware is targeting gamers

A new ransomware called Anatova has been discovered in a private peer to peer network which is believed to be a very serious threat.

This code is prepared for a modular extension that also checks for connected network-shares and will encrypt the files on the identified shares too.

Anatova uses the icon of a game or application to try and fool the user into downloading it. It has a display to request admin rights.

The goal of Anatova, as with other ransomware families, is to encrypt all or many files on an infected system and insist on payment to unlock them. The actor(s) demand a ransom payment in cryptocurrency of 10 DASH – currently valued at around $700 USD, a quite high amount compared to other ransomware families.

McAfee tested and analyzed Anatova’s operation as follows:

Anatova retrieves the username of the logged-in and/or active user and compares it with an encrypted list of names. If one of those names is detected, it goes to the cleaning flow procedure and exits.

These usernames are by default used by some analysts or virtual machines/sandboxes in their setup, meaning that the ransomware will not work on these machines/sandboxes.

After user-check, Anatova checks for the first installed language on the system to ensure that a user cannot install one of the blacklisted languages to avoid encryption of the files.

Anatova looks for a flag value of 0, but if this flag would change to the value of 1, it will load two DLLs with the names (after decryption) of “extra1.dll” and “extra2.dll”. This might indicate that Anatova is prepared to be modular in the near future.

The malware enumerates all the processes in the system and compares them with a large list including “steam.exe” and “sqlserver.exe”, which will then be opened and terminated. This action is typical of ransomware that attempts to unlock files that later will be encrypted, such as database files, game files, Office-related files, etc.

Survey finds Chinese apps are being nosy

Chinese digital applications that are widely used in India are seeking excessive information from consumers, according to an independent study by an information security firm, stoking privacy concerns among experts.

At least six of the ten most popular Chinese apps, including Helo and Shareit as well as browsers such as UC Browser, ask users to provide access to camera and microphones on their smartphones even when such access is not required, the study found.

“This is 45% more than the number of permissions requested by the top 50 global apps,” said Sandeep Rao, co-founder of Pune-based Arrka Consulting, which studied the privacy controls of ten of the most popular Chinese apps in India across different categories like entertainment, news and shopping.

The apps that were reviewed include Helo, Shareit, TikTok, UC Browser, Vigo Video, Beauty Plus, ClubFactory Everything, News-Dog, UC News and VMate.

The study, commissioned by The Economic Times in the second week of January, reviewed the permissions sought and data shared by these apps among themselves or with third parties outside India. It also covered the various permissions sought by the apps to access features on users’ phones such as contacts, camera, microphone, sensors, location and text messages.

Given the proliferation of Chinese apps in India, the study focused specifically on the privacy aspects of mobile apps – the so-called “dangerous permissions” being taken by the apps and the data being shared with external parties. Social platform TikTok, and UC Browser — owned by Chinese e-commerce giant Alibaba — have hundreds of millions of users accessing these apps every day. UC Browser has over 130 million of its global 430 million users in India, according to the company.

The study found that on an average, these apps transfer data to around seven outside agencies, with 69% of the data being transferred to the US. TikTok sends data to China Telecom; Vigo Video to Tencent; BeautyPlus to Meitu; and QQ and UC Browser to its parent owned by Alibaba.

Customer data of lending firm breached

New age data-driven technology companies are always prone to attack on their data storage facilities, more so if they are in the fintech domain.

Last week, early-stage lending startup RupeeRedee discovered vulnerabilities in its data stack stored on the Amazon cloud. A data security enthusiast who goes by the name of Gareth on Twitter pointed out that RupeeRedee was ‘leaking’ customer details because of some vulnerability in its cloud storage facilities. What could be accessed were scanned copies of customers' Aadhaar or PAN cards, which are usually submitted by applicants during KYC.

On being pointed out by ET, after some redacted files were put out in the public domain, the company swiftly got the leak sealed with help of professionals by late Friday.

“A potential isolated vulnerability in one of our data storage block (Amazon) was brought to our attention by a data surveillance enthusiast. Thankfully the vulnerability was recognized and fixed within a few hours thereby preventing any compromise of our systems or customer data. It is noteworthy that we have been audited by Certified Information Systems Auditor (CISA) in the recent past and continue to be committed to maintaining highest standards in data security and privacy,” said Jitin Bhasin, director, RupeeRedee in an official comment to ET.

RupeeRedee is a subsidiary of Digital Finance International, which serves millions of customers across 16 countries. It is a digital platform, headquartered in Haryana, India. It enhances its services through technology to provide short-term lending, aiming to do so easily and efficiently.

iPhone users get nude photos while travelling on public transport

Increasingly people are being sent nude photos from strangers without their consent. It’s called cyber-flashing.

Graphic images are sent to people's phones via features like Bluetooth, and AirDrop on iPhones.

Police in London say it’s a growing problem.

Anyone in a public space, even kids, could have a photo like that pop up on their phone if they have features like AirDrop switched on. People around the world have reported it happening to them on public transport like planes and trains.

When people receive these graphic images and don’t know who they’re from or what their motives are, only that they’re nearby, it can cause serious distress.

Some people are saying that Apple needs to remove its photo preview feature.

Apple, however, told BBC that users who are facing issues can just change their privacy settings.

Meanwhile, campaigners want a new law to tackle cyber-flashing. But for now, according to Apple, if you face issues, you just have to change your privacy settings so that you cannot get the photos you don’t want to see.

Police have also asked people to report this form of harassment.

FBI records, Social Security numbers leaked

Cybersecurity researchers with UpGuard said a massive data leak has been discovered at the Oklahoma Securities Commission, in which millions of records have been exposed including confidential government data, files related to sensitive FBI investigations over the last seven years, emails dating back 17 years and thousands of Social Security numbers.

An Oklahoma Department of Securities (ODS) server allowed anyone to download the government files. ODS is a US government department which deals with securities cases and complaints.

"The data was exposed via an unsecured rsync service at an IP address registered to the Oklahoma Office of Management and Enterprise Services (OMES), allowing any user from any IP address to download all the files stored on the server," the researchers say.

Last December, millions of files and thousands of Social Security numbers were left unprotected and accessible to anyone with an internet connection, cybersecurity researchers found. The breach was uncovered last month by Greg Pollock, a cybersecurity researcher at UpGuard, who claims the millions of files were publicly available on an online server and didn’t require any password to access them. UpGuard, an Australian cybersecurity startup, was founded in 2012.

“It represents a compromise of the entire integrity of the Oklahoma Department of Securities’ network,” UpGuard’s Chris Vickery told Forbes, the first outlet that reported the breach. “It affects an entire state level agency. … It’s massively noteworthy.”

The database was found through the Shodan search engine, which registered the system as publicly accessible on 30 November 2018. The UpGuard team stumbled across the database on 7 December and notified the department a day later after verifying what they were working with.

UpGuard said, "public access was removed that day, preventing any further downloads by the means used by the UpGuard analysts." UpGuard said the data was "generated over decades", with the oldest data being from 1986. The most recently modified information was from 2016.

Truecaller starts storing Indian user data locally

Sweden-headquartered phone directory app Truecaller announced on Wednesday that it is storing its Indian users' data locally to ensure transparency and provide faster and more reliable services. The company becomes one of the first international technology companies to proactively take this step.

"Truecaller is one of the first international tech companies to proactively take the step of storing its Indian users' data locally in India. This is a user-centric move that is aimed at safeguarding personal data and encouraging more transparency in the ecosystem," Truecaller said in a statement. With locally stored data, and significant investments in its Indian infrastructure, Truecaller has also doubled the search result speed for its core services like caller ID and spam detection, it added.

It said for the overseas part of the transaction, the data may be stored in a foreign country.

The draft of Personal Data Protection Bill, 2018 -- drafted by a high-level panel headed by Justice B N Srikrishna -- also restricts and imposes conditions on the cross-border transfer of personal data.

The central bank’s data localisation policy had elicited a mixed response from the payment services industry.

The RBI, in April last year, had issued a circular instructing all payments system providers in the country to ensure that data relating to systems operated by them is stored only in India and had set a deadline of October 15, 2018. “All system providers shall ensure that the entire data relating to payment systems operated by them are stored in a system only in India. This data should include the full end-to-end transaction details/information collected/carried/processed as part of the message/payment instruction,” RBI said in its 6 April 2018 circular.

Truecaller pointed out that it was already storing payments data of its Indian users, who use its unified payment interface (UPI)-based payment service in India.

BSNL, UBI told to pay Rs 10 lakh to sim swap fraud victim

The Bengaluru Urban Second Additional District Disputes Redressal Forum has ordered BSNL Bengaluru and the Union Bank of India (UBI) to jointly pay Rs 9.62 lakh with interest at the rate of 8% per annum and Rs 10,000 litigation cost to a businessman from SP Road after fraudsters syphoned off money from his bank account in what was described as a sim swap fraud.

The national telecom provider was pulled up for issuing a duplicate sim to fraudsters without adhering to Know Your Customer (KYC) norms and the bank for not alerting the customer on time.

Nagarathpet resident Ramesh Kumar has been using a mobile phone with a BSNL sim card for many years and had linked it to his account at Union Bank of India’s BVK Iyengar Road branch.

The forum, comprising president T Shobhadevi and members Balakrishna V Masali and V Anuradha, held BSNL responsible for issuing a duplicate SIM to an unidentified fraudster in the name of the businessman Ramesh Kumar (52), residing at Nagarathpet in the city, without verifying documents. This resulted in Ramesh Kumar being robbed of Rs 9.62 lakh by the fraudster who gained access to his account as a beneficiary using mobile banking, transferred the money and withdrew it.

On September 22, 2015, Kumar checked his email to find that an unknown beneficiary had been added to his online bank account. By the time he could alert bank authorities about the breach, the fraudsters managed to transfer Rs 9,62,700 from his account. The sim card on his cellphone that was supposed to receive a one-time password (OTP) mysteriously remained de-activated all the while.

Union Bank was held responsible for not blocking the account despite the customer informing it about some unknown beneficiary being added to his firm’s account, due to which the accused was able to draw the money.

However, UBI said the password of the complainant was blocked within 30 minutes of receiving a call from him.

Man accused of hacking Pippa Middleton’s iCloud account wanted in US

A stay-at-home father once accused of hacking into the iCloud account of the Duchess of Cambridge's sister, Pippa Middleton, is now wanted by U.S. authorities for allegedly blackmailing healthcare companies.

Nathan Wyatt was accused of stealing more than 3,000 pictures which were then hawked to several newspapers in the following weeks, according to The Sun. Middleton asked for an order barring publication of any photos or material leaked from her iCloud account. Wyatt was, however, cleared of hacking Middleton's iCloud account in 2016 after she and her husband took the case to the High Court. But during the probe police found he had hacked a US law firm, and he was jailed.

Wyatt, 37, was arrested upon release from prison over similar charges in the US. He is now fighting extradition over blackmail claims on firms in Missouri.

Wyatt allegedly used the name The Dark Overlords to demand ransoms for data he stole from four companies.

Wyatt has already served 3 years for blackmailing a law firm in the U.K. and for unrelated credit card fraud charges.

Wyatt is now facing extradition to the U.S. at Westminster magistrates’ court later this month. The prosecuting attorney Daniel Sternburg said Wyatt set up multiple accounts to extort the companies and is being charged in the conspiracy.

Amazon India fixes glitch that disclosed sellers’ details

E-commerce giant Amazon India reported the cybersecurity lapse only a month after it 'inadvertently disclosed' email addresses of its users. The tech giant has reported a data breach that spooked e-commerce users.

The technical glitch had accidentally disclosed the financial information of some sellers while others tried to download reports pertaining to merchant tax. Amazon India said the error has been addressed.

"On Sunday, some sellers who attempted to download merchant tax reports for the month of December 2018 experienced a technical issue. Our teams identified the issue and resolved it on priority and sellers were soon able to download the correct reports," Amazon India said.

Some merchants who were downloading their monthly sales report, which includes details of sales through Amazon, were instead provided with financial data of other sellers.

The tech giant, while confirming the security lapse on its part, said that the sellers are now able to download their own tax reports for the month of December 2018.

Amazon India, however, did not disclose the number of sellers who were affected by the data breach, according to Business Standard.

Lack of personal information

The cybersecurity lapse occurred only a month after the Washington-headquartered e-commerce giant leaked personal information such as names and email addresses of its users. Although Amazon admitted to an "inadvertent data leak", it didn't disclose the names and numbers of the users who were affected.

While compromised personal data such as email addresses, phone numbers and addresses are often illegally used by hackers in phishing scams, the leak of sellers' and traders' business data is even more detrimental.

Not only does the information breach sow distrust among sellers and users, but such a security lapse could also affect a merchant's business by providing its sales and business data to rivals.

In India, there is no law in place that holds the e-commerce giants accountable for data leaks. However, a bill is likely to be tabled in Parliament soon aiming to strengthen cybersecurity laws and penalise tech giants responsible for such lapses.

NSFAS students warned of online scams

The National Student Financial Aid Scheme (NSFAS) has advised students to use the My NSFAS Online Self-Service Portal to view their application status or any other information related to funding, as it has stopped communicating with students via SMSes due to fraudulent activities that aim to access their personal information.

Malicious cyber attackers have recently tried to gain access to students’ financial aid at multiple tertiary institutions in a scheme that involves sending fraudulent emails and SMSes to students.

Students who apply for NSFAS do so free of charge and are not required to pay for the application.

NSFAS spokesperson Kagisho Mamabolo said that over the past two weeks returning and continuing students had, for the first time, been targeted by the phishing mails.

Other scams identified by the scheme include fraudsters luring students into providing confidential information via a link or a site controlled by the suspects. The email or text message scam is designed to look like an official message issued by the scheme’s contact centre. Students receive mails requesting them to update their account information by clicking on a link. The scheme is warning all students to take extra care when sharing personal information online or on their cellphones.

NSFAS said it would never ask applicants for their account details, password, Pin or OTP over the phone or via email.

“Unidentified attackers are posing as NSFAS representatives and sending out emails requesting applicants and progressing students to update their account information by clicking on an embedded link. We would like to warn all the applicants, students and parents to be aware of these fraudsters and take extra care when dealing with their personal information online or over the phone,” read the NSFAS notice.

Students should use the myNSFAS self-service at

More malware apps removed from Play Store, downloaded 2 million times

When it comes to online security, no news is good news. Sure, online threats are constantly evolving and we need to hear about new dangers and how to deal with them, but you don’t want to keep hearing about security issues relating to a single product. This is why it’s disappointing to hear about another bunch of malware apps that have been removed from the Google Play Store. There have been so many problems lately and towards the end of 2018 that the whole thing became pretty disturbing. What’s worse, before they were removed from the Play Store, they’d been downloaded over 2 million times.

Google forced to pull even more malware-filled apps from the Play Store

A report from the security company Sophos says that Google removed 22 apps from the Google Play Store that included backdoor malware. Unsuspecting users who downloaded the apps unleashed a plethora of problems onto their devices and created backdoors for hackers to then secretly download files from their own servers. reported that the issues for users who downloaded any of these 22 apps grew more severe.

The apps click on fraudulent ads and drain battery power in the process. They also continue to run in the background, even after they’ve been closed, draining both battery power and mobile data. Although the apps have been removed from the Play Store, there is a chance some users still have the apps on their phones. Below is a full list of the apps:

The problematic apps

Sparkle FlashLight, Snake Attack, Math Solver, ShapeSorter, Tak A Trip, Magnifeye, Join Up, Zombie Killer, Space Rocket, Neon Pong, Just Flashlight, Table Soccer, Cliff Diver, Box Stack, Jelly Slice, AK Blackjack, Color Tiles, Animal Match, Roulette Mania, HexaFall, HexaBlocks and PairZap.

If you have any of these apps on your phone, delete them right away.

Cyber researcher cancels public talk on hacking Apple’s Face ID

Cyber security researcher Wish Wu canceled a hacking conference briefing on how he said he could crack biometric facial recognition on Apple iPhones, at the request of his employer, which called the work “misleading.”

Apple's facial recognition uses a combination of cameras and special sensors to capture a three-dimensional scan of a face that allows it to identify spoofs with photographs or determine if the user is asleep or otherwise not looking at the phone.

The prospect that Face ID could be defeated is troubling because it is used to lock down functions on tens of millions of iPhones from banking and healthcare apps to emails, text messages and photos.

There is a one in 1 million chance that a random person could unlock Face ID, versus a one in 50,000 chance that this would happen with the iPhone’s fingerprint sensor, according to Apple.

Face ID has proven more secure than its predecessor, Touch ID, which uses fingerprint sensors to unlock iPhones. Touch ID was defeated within a few days of its 2013 launch.

China-based researcher Wish Wu was scheduled to present a talk entitled “Bypass Strong Face ID: Everyone Can Deceive Depth and IR Camera and Algorithms” at the Black Hat Asia hacking conference in Singapore in March.

Wu told Reuters that his employer, Ant Financial, asked him to withdraw the talk from Black Hat, one of the largest and most prestigious organizers of hacking conferences.

Ant Financial’s Alipay payment system is compatible with facial recognition technologies including Face ID. Nobody has publicly released details on a successful Face ID hack that others have been able to replicate since Apple introduced the feature in 2017 with the iPhone X, according to biometric security experts. The company has introduced three other Face ID phones: iPhone XS, XS Max and XR.

Wu told Reuters that he agreed with the decision to withdraw his talk, saying he was only able to reproduce hacks on iPhone X under certain conditions, but that they did not work with iPhone XS and XS Max.