Category Archives: Hacking

Hacker broke into super secure French Government’s Messaging App Tchap hours after release

A white hat hacker discovered how to break Tchap, a new secure messaging app launched by the French government for officials and politicians.

The popular French white hat hacker Robert Baptiste (aka @fs0c131y) discovered how to break into Tchap, a new secure messaging app launched by the French government for encrypted communications between officials and politicians.
The app was developed by DINSIC (Interministerial Directorate of Digital and Information System and Communication of the State), as a project controlled by France’s National Cybersecurity Agency (ANSSI).

It aims at replacing popular instant messaging services like Telegram and WhatsApp for government people.

Tchap was launched on April 18 and is available on the official iOS and Android app stores, but only French government employees (using @gouv.fr or @elysee.fr email accounts) can sign up for an account.

The key point of Tchap is that encrypted communications flow through internal servers to prevent cyber attacks carried out by foreign nation-state actors.

The French government published Tchap’s source code on GitHub. It is based on Riot, a well-known open-source instant messaging client-server package.

News of the day is that Robert Baptiste found a security bug that could allow anyone to sign up for an account with the Tchap app and access groups and channels without using an official government email account.

The expert performed a dynamic analysis of the mobile app and discovered that it implements certificate pinning in the authentication process. After he disabled it with Frida, he saw that the app requests a token during the registration process.

The expert noticed that, depending on the email address provided by the user, the app will refer to the “correct” id_server. The list of available servers is defined in the AndroidManifest.xml.

“I set id_server to matrix.agent.elysee.tchap.gouv.fr. For info, Elysée is the French presidential palace. As I choose this server I guessed I should have an @elysee.fr email address. So, in the requestToken request, I modified email to fs0c131y@protonmail.com@elysee.fr. Hum, no validation email in my inbox… Wait, maybe it is waiting a known @elysee.fr email address. So I did a Google search “email @elysee.fr”” wrote the expert in a blog post.

“So I did another try and, in the requestToken request, I modified email to fs0c131y@protonmail.com@presidence@elysee.fr. Bingo! I received an email from Tchap, I was able to validate my account!”

The expert demonstrated how to create an account with the service using a regular email ID by exploiting a potential email validation vulnerability in the Android version of the Tchap app.
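The class of flaw described above, sketched as an added example (it is not Tchap, Riot or Matrix code, and the page does not show the server-side logic): a hypothetical suffix-only domain check accepts both addresses from the researcher's requests, while a strict check that requires exactly one "@" and an allow-listed domain rejects them. The function names, the allowlist and the acceptance of subdomains are assumptions made for the illustration.

```python
import re

# Assumed allowlist for this example, built from the domains the article names.
ALLOWED_DOMAINS = ("gouv.fr", "elysee.fr")

# Plain dot-atom local part: no quoting, no comments, no '@'.
_LOCAL_RE = re.compile(
    r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
)
_LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


class InvalidAddress(ValueError):
    """Raised when the input is not a single, plain e-mail address."""


def _domain_allowed(domain):
    # Exact match or a subdomain of an allowed domain (assumption).
    return any(domain == d or domain.endswith("." + d) for d in ALLOWED_DOMAINS)


def naive_is_allowed(address):
    """Hypothetical weak check: trusts whatever follows the last '@'."""
    return _domain_allowed(address.rsplit("@", 1)[-1].lower())


def canonicalize(address):
    """Return (local, domain) for one plain address or raise InvalidAddress."""
    if len(address) > 254:
        raise InvalidAddress("address too long")
    if any(ord(c) < 0x21 or ord(c) > 0x7E for c in address):
        raise InvalidAddress("space, control or non-ASCII character")
    if address.count("@") != 1:
        raise InvalidAddress("address must contain exactly one '@'")
    local, domain = address.split("@")
    if len(local) > 64 or not _LOCAL_RE.fullmatch(local):
        raise InvalidAddress("local part is not a plain dot-atom")
    labels = domain.lower().split(".")
    if len(labels) < 2 or not all(_LABEL_RE.fullmatch(label) for label in labels):
        raise InvalidAddress("malformed domain")
    return local, ".".join(labels)


def strict_is_allowed(address):
    """Policy decision made on the canonical form only."""
    try:
        _, domain = canonicalize(address)
    except InvalidAddress:
        return False
    return _domain_allowed(domain)


def address_for_delivery(address):
    """The mailer must send to the same canonical value the policy checked."""
    local, domain = canonicalize(address)
    return f"{local}@{domain}"


# The first two strings are the ones quoted in the article; the rest are constructed.
SAMPLES = [
    "fs0c131y@protonmail.com@elysee.fr",
    "fs0c131y@protonmail.com@presidence@elysee.fr",
    "agent@elysee.fr",
    "agent@interieur.gouv.fr",
    "agent@notgouv.fr",
]


def compare_checks(samples=SAMPLES):
    """Return {address: (naive_result, strict_result)} for each sample."""
    return {s: (naive_is_allowed(s), strict_is_allowed(s)) for s in samples}


if __name__ == "__main__":
    for addr, (naive, strict) in compare_checks().items():
        print(f"{addr:50} naive={naive!s:5} strict={strict}")
```

The design point is that the policy check and the mail delivery both consume the output of `canonicalize`, so two components can never disagree about which mailbox an input refers to.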

After he logged in as an Elysée employee, he was able to access the public rooms.

Robert reported the issue to the Matrix team, which developed the Riot client; the team quickly fixed the bug and released a patch. The released patch was specific only to the application developed by French intelligence.

As a side note, last week Matrix.org warned users of a security breach: a hacker gained unauthorized access to the production databases, including unencrypted message data, access tokens, and also password hashes.

According to Matrix.org, the attacker exploited a known vulnerability in the Jenkins open source automation server to hijack credentials and gain access to the systems of the organization. Homeservers, source code and packages, identity servers, and Modular.im servers were not impacted.

Pierluigi Paganini

(SecurityAffairs – hacking, Tchap app)

The post Hacker broke into super secure French Government’s Messaging App Tchap hours after release appeared first on Security Affairs.

Operator of Codeshop Cybercrime Marketplace Sentenced to 90 months in prison

Djevair Ametovski was sentenced to 90 months in prison for operating an international cybercrime marketplace named Codeshop.

Macedonian national Djevair Ametovski (32) was sentenced to 90 months in prison by US DoJ authorities for operating an international cybercrime marketplace named Codeshop.

Codeshop.su was a website that specialized in selling stolen payment card data. Ametovski acquired payment card data from hackers who had stolen it from financial institutions and individuals.

According to the investigators, the man commercialized data of 181,000 payment cards between 2010 and 2014.

Ametovski (known online as Codeshop, Sindromx, xhevo, and Sindrom) was arrested by Slovenian authorities in January 2014; at the time, he was charged with aggravated identity theft, access device fraud conspiracy, and wire fraud conspiracy. The Macedonian citizen was extradited to the United States in May 2016.

The man pleaded guilty to access device fraud and aggravated identity theft. He was also ordered to forfeit $250,000 and pay restitution that will be determined later.

Codeshop customers were able to buy stolen card data by searching for specific types of data based on criteria such as country, bank, and bank identification number.

“The stolen data could then be used to make online purchases and to encode plastic cards to withdraw cash at ATMs.” reads the press release from the Justice Department.

“Ametovski used a network of online money exchangers and anonymous digital currencies, including Bitcoin, to reap revenues from the Codeshop website and to conceal all participants’ identities, including his own. Over the course of the scheme, Ametovski obtained and sold stolen credit and debit card data for more than 1.3 million cards,” said the Justice Department.

Pierluigi Paganini

(SecurityAffairs – Codeshop, carding)

The post Operator of Codeshop Cybercrime Marketplace Sentenced to 90 months in prison appeared first on Security Affairs.

Source code of tools used by OilRig APT leaked on Telegram

Lab Dookhtegan hackers leaked details about operations carried out by Iran-linked OilRig group, including source code of 6 tools.

A hacker group that goes online with the name Lab Dookhtegan has disclosed details about operations conducted by the Iran-linked cyber-espionage group tracked as OilRig, APT34, and HelixKitten.

OilRig is an Iran-linked APT group that has been around since at least 2014. It has mainly targeted organizations in the financial, government, energy, telecoms and chemical sectors in the United States and Middle Eastern countries.

The Lab Dookhtegan hackers used a Telegram channel to dump information about the OilRig infrastructure, revealing details about its hacking tools, members, and operations. The hackers also disclosed IP addresses and domains involved in operations conducted by the group over the years.

[Image: OilRig dump (source: ZDNet)]

It seems that the tools have been leaked since mid-March on a Telegram channel by a user with the Lab Dookhtegan pseudonym.

The dump also includes OilRig victims’ data, including login credentials to several services obtained through phishing attacks.

The entity that leaked the information aimed at disrupting the operations of the Iran-linked hacking groups; it is likely an opponent of the Regime.

Lab Dookhtegan leaked the source code of the following six hacking tools, along with related data contained in the compromised admin panels:

  • Glimpse (aka BondUpdater), the latest version of the PowerShell-based trojan;
  • PoisonFrog, an older version of BondUpdater;
  • HyperShell web shell (aka TwoFace);
  • HighShell web shell;
  • Fox Panel phishing tool;
  • Webmask, the main tool behind DNSpionage;

According to Chronicle, Dookhtegan leaked data from 66 victims in private industry and Government organizations, most from the Middle East, Africa, East Asia, and Europe.

The list of victims includes Etihad Airways and Emirates National Oil. The hackers hit individuals in many industries, including energy, transportation, and financial.

Lab Dookhtegan also doxxed Iranian Ministry of Intelligence officers; the leak shared phone numbers, images, social media profiles, and names of officers involved with APT34 operations.

“We have more secret information about the crimes of the Iranian Ministry of Intelligence and its managers and we are determined to continue to expose them,” Dookhtegan said in a Telegram.

No doubt, the leak will have a severe impact on the future operations of the OilRig group.

Pierluigi Paganini

(SecurityAffairs – hacking, OilRig)

The post Source code of tools used by OilRig APT leaked on Telegram appeared first on Security Affairs.

Ransomware attack knocks Weather Channel off the Air

A ransomware attack knocked the Weather Channel off the air for at least 90 minutes Thursday morning; federal law enforcement is investigating the incident.

A cyber attack hit the Weather Channel and forced it off the air for at least 90 minutes.

The broadcaster confirmed via Twitter that the incident is the result of a cyber attack; it claims that the problems were caused by “a malicious software attack on the network.”

Details are scant at the moment and a tweet from the station does not lift the haze, informing only that it was the victim of “a malicious software attack on the network.”

This morning the broadcaster aired the taped programming “Heavy Rescue” instead of the “AMHQ” live show.

The live show started more than 90 minutes later, with the anchors informing viewers of the cyber attack. IT staff restored normal operations using the backups.

Federal law enforcement immediately started an investigation into the case. At the time, The Weather Channel did not disclose technical details about the attack.

According to 11 Alive News, the attack was caused by ransomware, a circumstance confirmed by Feds to The Wall Street Journal. The live show was interrupted due to a ransomware attack, likely an attempt to extort money from the broadcaster.

Ransomware attacks continue to represent a serious threat for companies and organizations. It is essential to adopt good cyber hygiene by using defence software, keeping applications up to date and implementing an efficient backup policy.

Pierluigi Paganini

(SecurityAffairs – ransomware, Weather Channel)

The post Ransomware attack knocks Weather Channel off the Air appeared first on Security Affairs.

Broadcom WiFi Driver bugs expose devices to hack

Experts warn of security flaws in the Broadcom WiFi chipset drivers that could allow potential attackers to remotely execute arbitrary code and to trigger DoS.

According to a DHS/CISA alert and a CERT/CC vulnerability note, Broadcom WiFi chipset drivers are affected by security vulnerabilities impacting multiple operating systems. The flaws could be exploited to remotely execute arbitrary code and to trigger a denial-of-service condition.

“The CERT Coordination Center (CERT/CC) has released information on multiple vulnerabilities in Broadcom Wi-Fi chipset drivers. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.” reads the alert published by the DHS/CISA.

“The Broadcom wl driver and the open-source brcmfmac driver for Broadcom WiFi chipsets contain multiple vulnerabilities. The Broadcom wl driver is vulnerable to two heap buffer overflows, and the open-source brcmfmac driver is vulnerable to a frame validation bypass and a heap buffer overflow.” reads the security advisory published by the CERT/CC.

The CERT/CC vulnerability note includes a list of all vendors potentially impacted by the flaws in Broadcom WiFi chipsets.

The flaws, discovered by Hugues Anguelkov during his internship at Quarkslab, are tracked as CVE-2019-8564, CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, CVE-2019-9503.

The heap buffer overflows could be exploited to execute arbitrary code on vulnerable systems.

“You can find these chips almost everywhere from smartphones to laptops, smart-TVs and IoT devices. You probably use one without knowing it, for example if you have a Dell laptop, you may be using a bcm43224 or a bcm4352 card. It is also likely you use a Broadcom WiFi chip if you have an iPhone, a Mac book, a Samsung phone or a Huawei phone, etc.” reads the post published by Anguelkov.

“Since these chips are so widespread they constitute a high value target to attackers and any vulnerability found in them should be considered to pose high risk.”

According to the CERT/CC, remote and unauthenticated attackers could exploit the flaws in the Broadcom WiFi chipset drivers by sending maliciously crafted WiFi packets to execute arbitrary code on vulnerable systems:

“In the worst case scenario, by sending specially-crafted WiFi packets, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. More typically, these vulnerabilities will result in denial-of-service attacks.”

Anguelkov confirmed that two of those vulnerabilities affect both the Linux kernel and the firmware of affected Broadcom chips.

The researcher pointed out that the most common exploitation scenario leads to a remote denial of service.

“Although it is technically challenging to achieve, exploitation for remote code execution should not be discarded as the worst case scenario.” Anguelkov adds.

Below are the details of the flaws:

Vulnerabilities in the open source brcmfmac driver:

  • CVE-2019-9503: If the brcmfmac driver receives the firmware event frame from the host, the appropriate handler is called. It is possible to bypass frame validation by using USB as a bus (for instance, with a WiFi dongle). In this case, firmware event frames from a remote source will be processed.
  • CVE-2019-9500: A malicious event frame can be crafted to trigger a heap buffer overflow in the brcmf_wowl_nd_results function when the Wake-up on Wireless LAN functionality is configured. This flaw could be exploited by compromised chipsets to compromise the host, or, when used in combination with the above frame validation bypass, can be used remotely.

Vulnerabilities in the Broadcom wl driver:

Two heap buffer overflows can be triggered in the client when parsing an EAPOL message 3 during the 4-way handshake from the access point (AP).

  • CVE-2019-9501: By supplying a vendor information element with a data length larger than 32 bytes, a heap buffer overflow is triggered in wlc_wpa_sup_eapol.
  • CVE-2019-9502: If the vendor information element data length is larger than 164 bytes, a heap buffer overflow is triggered in wlc_wpa_plumb_gtk.

NOTE: When the wl driver is used with SoftMAC chipsets, these vulnerabilities are triggered in the host’s kernel. When a FullMAC chipset is being used, these vulnerabilities would be triggered in the chipset’s firmware.

The researcher published a timeline for the vulnerabilities that includes information on patches released by some vendors.

Pierluigi Paganini

(SecurityAffairs – hacking, Broadcom WiFi chipset)

The post Broadcom WiFi Driver bugs expose devices to hack appeared first on Security Affairs.

Analyzing OilRig’s malware that uses DNS Tunneling

Iran-linked APT group OilRig is heavily leveraging DNS tunneling for its cyber espionage campaigns, Palo Alto Networks reveals.

Security researchers at Palo Alto Networks reported that the Iran-linked APT group OilRig is heavily leveraging DNS tunneling for its cyber espionage campaigns.

OilRig is an Iran-linked APT group that has been around since at least 2014. It has mainly targeted organizations in the financial, government, energy, telecoms and chemical sectors in the United States and Middle Eastern countries.

Many of the malware families used by the group in its attacks over the years use DNS tunneling to protect communications with the command and control (C&C) infrastructure.

Experts pointed out that DNS tunneling clearly represents one of the preferred communication methods of the group.

OilRig’s usage of DNS tunneling was first documented in 2016. Some of the Trojans in its arsenal that use it are Helminth, ISMAgent, QUADAGENT, BONDUPDATER, and ALMACommunicator.

The analysis of the tunneling protocols used by OilRig suggests:

  • All subdomains contain a randomly generated value to avoid the DNS query resulting in a cached response
  • Most rely on an initial handshake to obtain a unique system identifier
  • Most rely on hardcoded IP addresses within the DNS answers to start and stop data transfer
  • Data upload includes a sequence number that allows the C2 to reconstruct the uploaded data in the correct order
  • Depending on the tool, A, AAAA, and TXT query types have been used by OilRig for tunneling
  • All of the DNS tunneling protocols will generate a significant number of DNS queries

“Regardless of the tool, all of the DNS tunneling protocols use DNS queries to resolve specially crafted subdomains to transmit data to the C2 and the answers to these queries to receive data from the C2.” reads the analysis published by Palo Alto Networks. “Therefore, the protocols must abide by the DNS protocol, so the specially crafted subdomains must have labels (portions of the subdomain separated by periods) must start and end with a letter or digit, contain letters, digits and hyphens and be less than 63 characters in length. Also, the entire domain queried, which includes the C2 domain and the specially crafted subdomain cannot exceed 253 characters.”

All the tools leverage DNS queries to resolve specially crafted subdomains and send data to the command and control servers. The tools use the protocol in different ways: they differ in the structure of the subdomains queried, in the data received by the Trojans, and in the subdomains used to transmit data.

Experts observed multiple variants of the Helminth backdoor over the years, all using the same DNS type A queries, but the threat actors are able to change the generated subdomains to avoid detection.

“There are several variants of Helminth, as the OilRig actors actively developed this Trojan during the course of their attack campaigns. The Helminth Trojan came in two forms, a portable executable version and a PowerShell version, both of which received updates to their DNS tunneling protocol over time.” continues the analysis. “The DNS tunneling protocols used in each variant operated the same way, but the developer would make changes to the generated subdomains to make them look visually different to evade detection.”

OilRig also used ISMAgent in many campaigns. The malware uses the DnsQuery_A API function to issue DNS AAAA requests to resolve custom subdomains. Before transmitting the data, the Trojan issues a beacon to inform the server it is ready.

OilRig also leveraged two variants of the ALMA Communicator in its attacks, each of them using a different domain structure. The two variants sent different information to the server and formatted the data within the DNS tunneling protocol in different ways.

Palo Alto researchers also documented different variants of both the BONDUPDATER tool and the QUADAGENT Trojan; the latter uses AAAA queries to transmit and receive data via DNS tunneling.

“This threat group saw the benefits of using DNS tunneling, as DNS is almost universally allowed through security devices.” Palo Alto Networks concludes. “One major drawback of using DNS tunneling is the high volume of DNS queries issued to transmit data back and forth between the tool and the C&C server, which may stand out to those monitoring DNS activity on their networks.”
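One way to turn the traits listed above (a fresh random value in every subdomain, a high query volume, A/AAAA/TXT query types) into a detection heuristic, as an added example that does not come from Palo Alto Networks or the original post. The log format, thresholds, client addresses and domains are constructed assumptions, and the registered domain is approximated by the last two labels.

```python
import random
from collections import defaultdict

TUNNEL_QTYPES = {"A", "AAAA", "TXT"}  # query types the article lists


def registered_domain(qname):
    """Approximate the registered domain as the last two labels.
    Assumption for this example; production code should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    """Parse one 'epoch client qtype qname' record (constructed log format)."""
    ts, client, qtype, qname = line.split()
    return float(ts), client, qtype.upper(), qname.rstrip(".").lower()


def score_dns_log(lines, window=300, min_queries=50,
                  min_unique_ratio=0.9, min_sub_len=12):
    """Flag (client, domain) pairs whose queries in one time window look like tunneling:
    many queries, almost no repeated names (cache-busting random values),
    long subdomains, and only A/AAAA/TXT query types."""
    buckets = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, client, qtype, qname = parse_line(line)
        key = (client, registered_domain(qname), int(ts // window))
        buckets[key].append((qtype, qname))

    findings = []
    for (client, domain, _win), queries in sorted(buckets.items()):
        names = [name for _, name in queries]
        # Text to the left of the registered domain, e.g. "0001ab...cd.ab12".
        subs = [n[: -len(domain) - 1] for n in names if n != domain]
        total = len(queries)
        unique_ratio = len(set(names)) / total
        avg_len = sum(len(s) for s in subs) / len(subs) if subs else 0.0
        qtypes = {t for t, _ in queries}
        if (total >= min_queries and unique_ratio >= min_unique_ratio
                and avg_len >= min_sub_len and qtypes <= TUNNEL_QTYPES):
            findings.append({
                "client": client,
                "domain": domain,
                "queries": total,
                "unique_ratio": round(unique_ratio, 2),
                "avg_subdomain_len": round(avg_len, 1),
                "qtypes": sorted(qtypes),
            })
    return findings


def build_sample_log(seed=7):
    """Constructed sample data: one ordinary workstation and one tunnel-like host."""
    rng = random.Random(seed)
    lines = []
    # Benign: 120 lookups spread over four names that repeat constantly.
    for i in range(120):
        host = rng.choice(["www", "mail", "cdn", "api"])
        lines.append(f"{1200 + i * 2} 10.0.0.5 A {host}.example.com")
    # Tunnel-like: each name carries a sequence number plus a random value,
    # so no two queries are alike and none can be answered from cache.
    for seq in range(80):
        rand = "".join(rng.choice("0123456789abcdef") for _ in range(16))
        lines.append(f"{1200 + seq * 3} 10.0.0.9 AAAA {seq:04d}{rand}.ab12.example.net")
    return lines


if __name__ == "__main__":
    for finding in score_dns_log(build_sample_log()):
        print(finding)
```

Thresholds like these need tuning against a baseline of normal resolver traffic, since some CDNs and telemetry services also generate many unique hostnames.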

Pierluigi Paganini

(SecurityAffairs – hacking, OilRig)

The post Analyzing OilRig’s malware that uses DNS Tunneling appeared first on Security Affairs.

This Week in Security News: Medical Malware and Monitor Hacks

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn how baby monitors may be susceptible to hacking. Also, learn about a medical flaw that enables hackers to hide malware.

Read on:

Is Your Baby Monitor Susceptible to Hacking?

In a number of high-profile cases, home surveillance cameras have been easily compromised and disturbing reports of hacked baby monitors are in the news.

Global Governments Demonstrate Rising Commitment to Cybersecurity

According to the International Telecommunications Union’s (ITU) 2018 Global Cybersecurity Index, only half of countries around the globe had a government cybersecurity strategy in 2017, which rose to 58 percent in 2018.

What Did We Learn from the Global GPS Collapse?

The problem highlights the pervasive disconnect between the worlds of IT and OT.

Malware Creates Cryptominer Botnet Using EternalBlue and Mimikatz

A malware campaign is actively attacking Asian targets using the EternalBlue exploit and taking advantage of Living off the Land (LotL) obfuscated PowerShell-based scripts to drop Trojans and a Monero coinminer on compromised machines.

Medical Format Flaw Can Let Attackers Hide Malware in Medical Images

Research into DICOM has revealed that the medical file format in medical images has a flaw that can give threat actors a new way to spread malicious code through these images.

Hackers Could Read Your Hotmail, MSN, and Outlook Emails by Abusing Microsoft Support

A hacker or group of hackers broke into a customer support account for Microsoft, and then used that to gain access to information related to customers’ email accounts such as the subject lines of their emails and who they’ve communicated with.

New Business Email Compromise Scheme Reroutes Paycheck by Direct Deposit

A new business email compromise (BEC) scheme, where the attacker tricks the recipients into rerouting paychecks by direct deposit, has emerged.

Leadership Turnover at DHS and Secret Service Could Hurt US Cybersecurity Plans

Departures of top officials at the Secret Service and Department of Homeland Security (DHS) will add to an already difficult public-private disconnect on cybersecurity, especially since Kirstjen Nielsen has a rare set of cybersecurity skills that helped the DHS protect companies in critical industries.

Microsoft Disclosed Security Breach From Compromised Support Agent’s Credentials

Microsoft has notified affected Outlook users of a security breach that allowed hackers access to email accounts from January 1 to March 28, 2019.

Do you think the leadership turnover at DHS and the Secret Service will hurt US cybersecurity plans? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Medical Malware and Monitor Hacks appeared first on .

APT28 and Upcoming Elections: evidence of possible interference (Part II)

In mid-March, a suspicious Office document referencing the Ukraine elections appeared in the wild. Is it related to APT28 and the upcoming elections?

Introduction

The uncertain attribution of the Ukrainian-themed malicious document discussed in our past article “APT28 and Upcoming Elections: Possible Interference Signals” led us to review Sofacy’s phishing techniques to confirm or deny the possible involvement of Russian state-sponsored actors in the election interference. We ended up at an old fake hotel reservation request form, containing dummy interactive text boxes used to lure the victims into enabling the macro code execution.

We analyzed this sample two years ago and we linked it to a Sofacy attack operation discovered by FE researchers in mid-2017, which hit several hotels in European and Middle Eastern countries.

Technical Analysis

Sha256: a4a455db9f297e2b9fe99d63c9d31e827efb2cda65be445625fa64f4fce7f797
Threat: APT28 GAMEFISH
Brief Description: GAMEFISH document dropper (reference sample, 2017)
Ssdeep: 1536:009J0E4v13p/gL7Jj4P9bvzKGXpIiUvh23oKRO/HhcKmFoR:fb4v13pYL7J49bvr5Iias32Jc5FoR

The macro code inside the 2017 document is password protected, just like the last suspicious document we analyzed to investigate a possible Ukraine elections interference by Russian groups. After its opening, the reference sample decodes the extracted Base64 content using a custom “DecodeBase64” function:

Figure 1: Custom Base64 decryption routine

The decoded content is actually a DLL file which is written into “%AppData%\user.dat”. After that, it is executed through an ASR (Attack Surface Reduction) bypass technique that allows attackers to run a new child process within the Office environment. This is the same publicly available exploit previously found in the Ukrainian sample (more details in the next section).

Figure 2: Technique used to bypass Microsoft ASR protection

In this reference sample, the purpose of “user.dat” is to create two new artifacts and to set persistence through “HKCU\Environment->UserInitMprLogonScript”. The created files are:

  • %AppData%\mrset.bat
  • %AppData%\mvtband.dat

Figure 3: Persistence setting and artifacts creation by “user.dat” file

The “mrset.bat” file is a short batch file, designed to check for the existence of “mvtband.dat” and to run it through the “rundll32.exe” system utility.

Figure 4: “mrset.bat” file code

Finally, the “mvtband.dat” file, which is actually a Delphi DLL library, is a well-known malware named “GAMEFISH” (f9fd3f1d8da4ffd6a494228b934549d09e3c59d1). Russian groups used it in reconnaissance phases to steal information from the victim machine and to implant new payloads.

Figure 5: Information retrieved by mvtband.dll

Comparison with Ukrainian Elections Sample

Sha256: a4a455db9f297e2b9fe99d63c9d31e827efb2cda65be445625fa64f4fce7f797
Threat: APT28 GAMEFISH
Brief Description: GAMEFISH document dropper (reference sample, 2017)
Ssdeep: 1536:009J0E4v13p/gL7Jj4P9bvzKGXpIiUvh23oKRO/HhcKmFoR:fb4v13pYL7J49bvr5Iias32Jc5FoR

Despite some differences between the “Hospitality campaign” vector and the Ukraine elections one, both use similar TTPs related to the APT28 group. The link between the Hospitality malware and the “FancyBear” actor has already been examined by the InfoSec community. So, we can exploit the similarities between it and the Ukrainian elections sample to link the latter to Russian hacker groups.

Both documents under analysis use protected macro code. None of the code inside the macro is obfuscated in any way; the Hospitality document surprisingly contains code comments too. Moreover, the main macro function name is “Execute” for both documents and the ASR trick used to create new processes from the Office work-space is substantially the same.

Figure 6. The Ukraine elections macro on the left; Hospitality’s one on the right.

In both cases the real payload is encoded in Base64 and it is stored into an Office hidden section: the first sample uses a document property, the second one employs an XML resource. 

The next stages are different: the Ukraine sample deploys some obfuscated PowerShell scripts, which at the end carry an Empire stager, allowing the attackers to directly interact with the victim machine; the reference sample, instead, implants the GAMEFISH malware, which automatically exfiltrates victim information while waiting for new payloads to install.

Conclusion

Finally, the attribution of the Ukraine elections sample (highlighted in our previous report) can be confirmed due to the strong similarities with the first stage of Sofacy’s Hospitality malware, because:

  • Both use password protection.
  • Both have the same function name.
  • Both have the same macro code structure.
  • Both embed the real payload in a hidden document section.
  • The ASR trick is implemented using the same instructions.

The presence of these similarities between the droppers indicates, with high probability, that the attacker is the same, and consequently suggests APT28 is reusing some 2017 tricks and code snippets which, despite their simplicity, make their attacks effective.

Further details, including Indicators of Compromise and Yara rules, are reported in the analysis published on the Yoroi Blog.
Stay Tuned.  

Pierluigi Paganini

(SecurityAffairs – Ukraine, APT28)

The post APT28 and Upcoming Elections: evidence of possible interference (Part II) appeared first on Security Affairs.

New DNS Hijacking Attacks

DNS hijacking isn't new, but this seems to be an attack of unprecedented scale:

Researchers at Cisco's Talos security division on Wednesday revealed that a hacker group it's calling Sea Turtle carried out a broad campaign of espionage via DNS hijacking, hitting 40 different organizations. In the process, they went so far as to compromise multiple country-code top-level domains -- the suffixes like .co.uk or .ru that end a foreign web address -- putting all the traffic of every domain in multiple countries at risk.

The hackers' victims include telecoms, internet service providers, and domain registrars responsible for implementing the domain name system. But the majority of the victims and the ultimate targets, Cisco believes, were a collection of mostly governmental organizations, including ministries of foreign affairs, intelligence agencies, military targets, and energy-related groups, all based in the Middle East and North Africa. By corrupting the internet's directory system, hackers were able to silently use "man in the middle" attacks to intercept all internet data from email to web traffic sent to those victim organizations.

[...]

Cisco Talos said it couldn't determine the nationality of the Sea Turtle hackers, and declined to name the specific targets of their spying operations. But it did provide a list of the countries where victims were located: Albania, Armenia, Cyprus, Egypt, Iraq, Jordan, Lebanon, Libya, Syria, Turkey, and the United Arab Emirates. Cisco's Craig Williams confirmed that Armenia's .am top-level domain was one of the "handful" that were compromised, but wouldn't say which of the other countries' top-level domains were similarly hijacked.

Another news article.

Russian TA505 threat actor target financial entities worldwide

Russian financially motivated threat actor TA505 used remote access Trojans (RATs) in attacks on financial entities in the United States and worldwide.

Security experts at CyberInt uncovered a new campaign of a Russian financially motivated threat actor tracked as TA505. The hackers used remote access Trojans (RATs) in attacks aimed at financial entities in the United States and worldwide.

“CyberInt researchers have been tracking various activities following the spear-phishing campaign targeting large US-based retailers detected in December 2018.” reads the analysis published by Cyberint. “The research focused on scenarios with the same tactics, techniques and procedures (TTP) along with the repeated nefarious use of a ‘legitimate’ remote administration tool ‘Remote Manipulator System’ (RMS), developed by a Russian-based company ‘TektonIT’.”

The TA505 group was first spotted by Proofpoint back in 2017; it has been active since at least 2015 and targets organizations in the financial and retail industries.

The group carried out a large number of campaigns using weaponized Office and PDF documents to deliver notorious malware, including the Dridex banking trojan, tRAT RAT, FlawedAmmy RAT, Philadelphia ransomware, GlobeImposter and Locky ransomware.

Tracked by the research community as TA505, the Russian threat group is known for the use of banking Trojans such as Shifu and Dridex, as well as for the massive Locky ransomware campaigns observed several years ago.

In recent attacks the experts observed the group using new backdoors, including the modular tRat and ServHelper.

In campaigns carried out between December 2018 and February 2019, the TA505 group leveraged the Remote Manipulator System (RMS) backdoor to target financial institutions in Chile, India, Italy, Malawi, Pakistan and South Korea, and retailers in the United States.

In December 2018 the group also targeted large US retailers and organizations in the food and beverage industry with spear-phishing attacks. The phishing messages used a weaponized Word document containing a Visual Basic for Applications (VBA) macro. The macro downloads a payload from the command and control (C&C) server; the last stage of the attack chain is the RMS RAT.

The investigation conducted by the researchers allowed them to uncover other campaigns conducted between December 2018 and March 2019.

Hackers hit targets in many countries worldwide, including Chile, India, Italy, Malawi, Pakistan and South Korea. Researchers believe that other attacks against targets in China, Great Britain, France and the United States could be attributed to the same threat actor.

The weaponized documents used in the attacks leverage Microsoft Windows Installer to fetch a payload from the C2 and execute it.

“This behaviour is consistent with other TA505 campaigns utilising a combination of weaponised Microsoft Office files containing either VBA macros or exploit code to spawn additional processes.” continues the analysis published by Cyberint. “Of the spreadsheet lures analysed in this campaign, four different C2 servers and payloads were identified, with each likely being unique to a specific target organization or victim cluster.”

Experts have also observed the attackers using the ServHelper RAT since November 2018; it allows them to set up reverse SSH tunnels for remote access to the compromised machine via RDP.


The report states that the indicators of compromise identified in the campaign against US retailers are consistent with an attack against the Notary Chamber of Ukraine conducted by the same threat actor in December 2018.

At the time, the threat actor was delivering the RMS Trojan in spear-phishing attacks.

Further technical details on the attacks are included in the report published by Cyberint.

Pierluigi Paganini

(SecurityAffairs – hacking, VSDC)

The post Russian TA505 threat actor target financial entities worldwide appeared first on Security Affairs.

RCE flaw in Electronic Arts Origin client exposes gamers to hack

Electronic Arts (EA) has fixed a security issue in the Windows version of its gaming client Origin that allowed hackers to remotely execute code on an affected computer.

Electronic Arts (EA) has addressed a vulnerability in the Windows version of its gaming client Origin that allowed hackers to remotely execute code on an affected computer.

Electronic Arts already released a security patch for the remote code execution vulnerability. The Origin app on Windows is used by tens of millions of gamers. The Origin client for macOS was not affected by this flaw.

The flaw was reported by security experts Dominik Penner and Daley Bee from Underdog Security.

“We located a client-sided template injection, where we proceeded to use an AngularJS sandbox escape and achieve RCE by communicating with QtApplication’s QDesktopServices.” reads a blog post published by Underdog Security.

“To make it easier to access an individual game’s store from the web, the client has its own URL scheme that allows gamers to open the app and load a game from a web page by clicking a link with origin:// in the address.” reported Techcrunch.

“But two security researchers, Daley Bee and Dominik Penner of Underdog Security, found that the app could be tricked into running any app on the victim’s computer.”

The experts shared a proof-of-concept code with Techcrunch to trigger the issue.

Researchers pointed out that the code allowed any app to run at the same level of privileges as the logged-in user. In the following image, the security duo popped open the Windows calculator remotely.


“But worse, a hacker could send malicious PowerShell commands, an in-built app often used by attackers to download additional malicious components and install ransomware.” continues the post.

An attacker could craft a malicious link and send it via email to the victims or include it on a webpage. The issue could also be triggered if the malicious code was combined with a cross-site scripting exploit that ran automatically in the browser.

The flaw can also be exploited by an attacker to take over gamers’ accounts by stealing an access token with just a single line of code.

Pierluigi Paganini

(SecurityAffairs – hacking, Electronic Arts)

The post RCE flaw in Electronic Arts Origin client exposes gamers to hack appeared first on Security Affairs.

Code execution – Evernote

A local file path traversal issue exists in Evernote 7.9 for macOS which allows an attacker to execute arbitrary programs.

Technical observation:
A crafted URI can be used in a note to perform this attack using file:/// as an argument or by traversing to any directory like (../../../../something.app).

Since Evernote also has a feature of sharing notes, in such a case an attacker could leverage this vulnerability and send crafted notes (.enex) to the victim to perform further attacks.
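For defenders who receive shared notes, the check below scans an .enex export for the two link forms described above (file: URIs and ../ traversal) before the note is opened. It is an added example, not code from the researcher's post; the function names, the scheme allow-list and the sample note are assumptions constructed for illustration.

```python
"""Flag risky links in an Evernote export (.enex) before it is opened."""
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Assumed policy: schemes a shared note has a plausible reason to link to.
ALLOWED_SCHEMES = {"http", "https", "mailto", "evernote"}


class _LinkCollector(HTMLParser):
    """Collect href/src attribute values from a note's ENML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value.strip())


def classify_link(link):
    """Return a reason string if the link is risky, else None."""
    decoded = link
    for _ in range(3):  # undo single and double percent-encoding
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    normalized = decoded.replace("\\", "/")
    try:
        scheme = urlsplit(normalized).scheme.lower()
    except ValueError:
        return "unparseable link"
    if scheme == "file":
        return "file: scheme points at the local filesystem"
    if scheme in ALLOWED_SCHEMES:
        return None
    if ".." in normalized.split("/"):
        return "path traversal segment (..)"
    if scheme:
        return f"unexpected scheme '{scheme}'"
    return None


def scan_enex(enex_text):
    """Return [(note title, link, reason)] for every risky link in the export."""
    findings = []
    # Stdlib parser; for files from untrusted senders defusedxml is the safer choice.
    root = ET.fromstring(enex_text)
    for note in root.iter("note"):
        title = note.findtext("title", default="(untitled)")
        collector = _LinkCollector()
        collector.feed(note.findtext("content", default=""))
        collector.close()
        for link in collector.links:
            reason = classify_link(link)
            if reason:
                findings.append((title, link, reason))
    return findings


# Constructed sample export: one harmless link and the two forms from the advisory.
SAMPLE_ENEX = """<en-export export-date="20190401T000000Z" application="Evernote">
  <note>
    <title>Quarterly report (constructed sample)</title>
    <content><![CDATA[<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE en-note SYSTEM "http://xml.evernote.com/pub/enml2.dtd">
<en-note>
  <a href="https://example.com/report">report</a>
  <a href="file:///Applications/Example.app">open</a>
  <a href="..%2F..%2F..%2F../something.app">details</a>
</en-note>]]></content>
  </note>
</en-export>"""

if __name__ == "__main__":
    for title, link, reason in scan_enex(SAMPLE_ENEX):
        print(f"{title}: {link} -> {reason}")
```
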


Patch: 
A patch for this issue was released in Evernote 7.10 Beta 1 and 7.9.1 GA for macOS [MACOSNOTE-28840]. CVE-2019-10038 was assigned to this issue.

About the Author: Security Researcher Dhiraj Mishra (@mishradhiraj_)

Original post at:

https://www.inputzero.io/2019/04/evernote-cve-2019-10038.html

Pierluigi Paganini

(Security Affairs – Evernote, hacking)

The post Code execution – Evernote appeared first on Security Affairs.

Justdial is leaking personal details of all customers real-time

A database belonging to the Indian local search service JustDial was left online without protection exposing personal data of over 100M users.

The archive is still leaking personally identifiable information of more than JustDial customers that are accessing the service via its website, mobile app, or even by calling on the customer care number (“88888 88888”).

The news was first reported by The Hacker News that independently verified the authenticity of the story.

JustDial is the largest and oldest search engine in India that allows its users to find vendors of various products and services.

The independent researcher Rajshekhar Rajaharia discovered how an unprotected, publicly accessible API endpoint of JustDial’s database can be accessed by anyone.

The leaked data includes username, email, mobile number, address, gender, date of birth, photo, occupation, company name and more.

According to the expert, the data has remained exposed since at least mid-2015 through the unprotected API; at this time it is not clear whether anyone has accessed the huge trove of data.


Experts at THN provided Rajshekhar with a new phone number that had never before been registered with the JustDial server, then used it to contact the JustDial service and request information on restaurants. The service created a profile and associated it with the number provided by THN. Rajshekhar was able to access the profile, which confirmed that the exposed database was the one associated with production systems.

“Although the unprotected API is connected to the primary JD database, Rajshekhar revealed that it’s an old API endpoint which is not currently being used by the company but left forgotten on the server.” reads the post published by THN.

Rajshekhar discovered this unprotected end-point while conducting a penetration test on the latest APIs, which are apparently protected.

Rajshekhar also found other issues associated with old unprotected APIs; one of them could be exploited by anyone to trigger an OTP request for any registered phone number, making it possible to spam users.

Rajshekhar attempted to report the issues to the company but without success.

Pierluigi Paganini

(SecurityAffairs – hacking, JustDial)

The post Justdial is leaking personal details of all customers real-time appeared first on Security Affairs.

Maliciously Tampering with Medical Imagery

In what I am sure is only a first in many similar demonstrations, researchers are able to add or remove cancer signs from CT scans. The results easily fool radiologists.

I don't think the medical device industry has thought at all about data integrity and authentication issues. In a world where sensor data of all kinds is undetectably manipulatable, they're going to have to start.

Research paper. Slashdot thread.

UK hacker jailed for six years for blackmailing pornography site users

Zain Qaiser targeted millions of computers with ransomware demanding large sums

A hacker who blackmailed users of pornography websites in what investigators say is the UK’s most serious cybercrime case has been jailed for six years and five months.

Zain Qaiser targeted millions of computers with malicious browser-locking software that demanded payment of up to $1,000 (£765) to unfreeze screens, Kingston crown court heard.


Are Hackers Threatening the Adoption of Self-Driving Cars?

Automotive manufacturers have realized the future lies in self-driving cars. We may be taking small steps, yet we would like to be headed to an autonomous driving utopia. Here, every road is safe, smart, connected, fast, reliable.

It may be just a dream right now, but how far are we from achieving this goal?

In this article, we will walk you through the current state of autonomous vehicles, and most importantly, examine how safe driverless cars actually are from a cybersecurity perspective.

A brief history of self-driving cars

Let’s start off with a little bit of history.

You may be amazed to hear that people started working on driverless car prototypes in the 1920s. Back then, Francis Houdina invented a radio-controlled car, which he drove through the streets of New York without a person behind the steering wheel.

Impressive, right?

Throughout time, there have been multiple attempts to develop the industry and encourage driverless cars’ adoption. You can access this resource to go through a quick timeline of self-driving cars.

Fast forward to more recent days: Waymo, formerly known as Google’s self-driving car project, is the first commercial self-driving car and was launched in December 2018. Through an app, Waymo offers ride-hailing services to people in the Phoenix area of the United States.

Will 2019 be the year of self-driving cars?

Here are a few facts and predictions for 2019:

  • This year, companies such as General Motors, Uber, Volkswagen, and Intel are competing in the ride-hailing movement and are making promises regarding when their fully autonomous vehicles will be available. The general answer seems to be between 2019 and 2022.
  • Elon Musk, CEO of Tesla, is expecting to see Tesla’s self-driving feature fully available by 2020.
  • The UK government has announced its commitment to having completely autonomous vehicles on the roads by 2021.
  • 2019 will be the year of Level 4 autonomous vehicles.

Did you know a car can have six automation levels?

In the image below you can see exactly what Level 0 to Level 5 actually mean.


How do people view self-driving cars?

Autonomous vehicle manufacturers promise to deliver a safe, enjoyable, and fast experience, freeing the drivers of the stress of driving, while allowing them to fulfill other tasks.

But what is the general opinion towards autonomous cars?

According to Deloitte’s 2019 Global Automotive Study, consumer perception of the safety of autonomous cars has stalled in the last year. This attitude is predominantly influenced by media reports of accidents involving self-driving cars, many of which were fatal.

Here you can read a report on this type of accident.

Source: Deloitte

The concern around safety is also reinforced by Perkincoie’s research, which shows that consumers’ perception of safety is the biggest roadblock to the development of self-driving vehicles in the next five years.

As per another study conducted by the American Automobile Association (AAA), almost 3 in 4 Americans are afraid of self-driving cars. According to the same research, only 19% would trust self-driving cars to transport their loved ones.

What’s more, there are some people who seem to despise the autonomous vehicle’s technology and even manifest violent behavior towards it. At least 21 attacks against Waymo cars have been reported. People have tried to run the vehicles off the road, thrown rocks at them, slashed the tires, or even yelled at them to leave the neighborhood. This behavior seems to be fueled by people’s concern with safety and even potential job losses.

Some also believe self-driving cars will most likely cause traffic congestion.

You may be wondering why, since they were created to simplify traffic movement in the first place.

The autonomous cars could be programmed to aimlessly drive on the streets, without parking, in order to avoid payments. Basically, the price for recharging an electric autonomous car would be much lower than the overall parking fee.

The concerns around data collection and privacy

The same Deloitte 2019 report shows most people are worried about biometric data being collected by self-driving car manufacturers through their connected vehicles and sent to other parties.

Source: Deloitte

In truth, data does need to be collected in order to improve functionalities, but this could also cause the invasion of your privacy.

So the question is where that data ends up and how it’s actually used. Some may argue that it could be shared with the government or used for marketing purposes.

Thus, authorities need to put strict rules and regulations in place.

Solving the cybersecurity question

Without a doubt, autonomous vehicles need state-of-the-art cybersecurity.

According to a recent study which surveyed auto engineers and IT experts, 84% of respondents were concerned that car manufacturers are not keeping pace with the industry’s constantly increasing cybersecurity threats.

Since self-driving cars have been involved in numerous accidents, this means they still have flaws, which can be exploited by malicious actors. Although taking care of aspects such as having proper navigation systems and avoiding collisions are obvious priorities for manufacturers, cybersecurity should also be top of mind.

According to Skanda Vivek, a postdoctoral researcher at the Georgia Institute of Technology, if people were to hack even a small number of internet-connected self-driving cars on the roads of the United States, the flow of traffic would be completely frozen. And emergency vehicles would not even be able to pass through.


Source: Skanda Vivek/ Georgia Tech

“Compromised vehicles are unlike compromised data,” argues Vivek in the study’s press release. “Collisions caused by compromised vehicles present physical danger to the vehicle’s occupants, and these disturbances would potentially have broad implications for overall traffic flow.”

Around four years ago, researchers Charlie Miller and Chris Valasek remotely hacked a Jeep Cherokee as an experiment. They used a laptop to do it while being at a 10-mile distance and managed to take full control of the vehicle.


This was not even a self-driving vehicle, but the same scenario can be applied to one. In fact, this can even be more plausible in the case of autonomous cars due to their increased internet connectivity.

Right now, you won’t find two identical automation systems in the industry. Yet, according to the University of Michigan’s report, as systems become more generic, or even use open-source software, one attack could spread across every car deploying the same system, just as happened with the WannaCry ransomware attack, which infected more than 300,000 computers in 150 countries, at an estimated cost of $4 billion.

But are things really that bad?

On a more positive note, there are cybersecurity experts who believe that, in the future, fully autonomous cars will be much harder to hack than we might think. This “fully-autonomous” technology (remember Level 5 we were talking about above?) will rely on multiple sensors and communication layers.

At the moment, self-driving cars are only using one or two sensors for object detection, according to Craig Smith, research director of cyber analytics group Rapid7.

In his view, since it’s already quite difficult to hack a single sensor, a malicious criminal will find it even harder to override a complex sensor system.

“If we’re having a discussion about what’s safe, it’s more likely that you’ll get into a car accident today than someone will hack into your car tomorrow”, Smith pointed out.

How can we stop self-driving cars from being hacked?

The good news is that experts are constantly working on developing better security systems.

For instance, just a few weeks ago, SK Telecom announced the launch of a solution based on Quantum Encryption.


How does it work?

As per SK Telecom, this is an “integrated security device that will be installed inside cars and protect various electronic units and networks in the vehicle”.

Also, the gateway, which was developed together with the controller maker GINT, will be used to secure all the vehicle systems: Vehicle-2-Everything (V2X) and Bluetooth communication systems, the car’s driver assistance, radar, and smart keys. Drivers will also be alerted to any suspicious behavior.

The gateway basically transfers a quantum random number generator and Quantum Key along with the vehicle’s data that will “fundamentally prevent hacking and make the cars unhackable”, according to SK Telecom. The company also added that this move was to facilitate security in the 5G era.

This is not the first initiative of this kind. In another project, the cyber-security group at Coventry University’s Institute for Future Transport and Cities (FTC) teamed up with the quantum experts at cybersecurity start-up Crypta Labs and they also reportedly worked on this quantum technology that can prevent hacking.

Here’s a bonus

We stumbled upon a great video that we’d like to share with you, in which Victor Schwartz, a partner at Shook, Hardy & Bacon, talks about the potential risks of driverless cars – privacy issues and cybersecurity.


Conclusion

At the moment, concerns around self-driving technology clearly outweigh the benefits. It’s now crucial for manufacturers to focus on autonomous cars’ cybersecurity problems, employing dedicated staff to work on these issues. However, with proper security measures in place, hacking risks can, in time, be dramatically reduced.

Would you trust a self-driving car? What’s your opinion on the overall security of autonomous vehicles? We would love to hear your thoughts in the comments section below.

The post Are Hackers Threatening the Adoption of Self-Driving Cars? appeared first on Heimdal Security Blog.

Scan WordPress websites for vulnerabilities WPScan Kali Linux

WPScan is a black box vulnerability scanner for WordPress websites. WPScan comes pre-installed in Kali Linux. Kali Linux is a popular Linux distribution built on Debian. Kali Linux comes with many of the best ethical hacking tools pre-installed. If you’re not using Kali Linux and you […]

The post Scan WordPress websites for vulnerabilities WPScan Kali Linux appeared first on HackingVision.

DMitry Deepmagic information Gathering Tool Kali Linux

DMitry (Deepmagic Information Gathering Tool) is an open source Linux CLI tool developed by James Greig and coded in C. DMitry is a powerful information gathering tool that aims to gather as much information about a host as possible. Features include subdomains search, email addresses, uptime information, […]

The post DMitry Deepmagic information Gathering Tool Kali Linux appeared first on HackingVision.

Facebook stored hundreds of millions of passwords unprotected

Company admits to mistake and says it has no evidence of abuse – but the risk was huge

Facebook mistakenly stored “hundreds of millions” of passwords in plaintext, unprotected by any encryption, the company has admitted.

The mistake, which led to user passwords being kept in Facebook’s internal servers in an insecure way, affects “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users”, according to the social networking site. Facebook Lite is a version of Facebook created for use in nations where mobile data is unaffordable or unavailable.


Kali Linux Micro Hacking Station Raspberry Pi

Raspberry Pi is a small, pocket-sized, low-cost computer. Today we will be setting up Kali Linux on Raspberry Pi. We can use Kali Linux on Raspberry Pi to hack WiFi passwords, launch various social engineering attacks, set up rogue access points and a wide range […]

The post Kali Linux Micro Hacking Station Raspberry Pi appeared first on HackingVision.

Create Metasploit Payload in Kali Linux MSFvenom Payload Creator

MSFvenom Payload Creator (MSFPC). Disclaimer: Any actions and/or activities related to the material contained within this website are solely your responsibility. The misuse of the information in this website can result in criminal charges brought against the persons in question. The authors of Hackingvision.com will not be […]

The post Create Metasploit Payload in Kali Linux MSFvenom Payload Creator appeared first on HackingVision.

This Is How Easy It Is To Get Hacked – Vice News – HackingVision

Vice News talks about how easy it is to get hacked. VICE News went to Moscow to see the country’s expert hackers in action. “If someone wants to hack you, they’re gonna be able to,” former NSA hacker Patrick Wardle told VICE News. And if a […]

The post This Is How Easy It Is To Get Hacked – Vice News – HackingVision appeared first on HackingVision.

Google Dorks List 2019 SQLi Dorks – HackingVision

Google Dorks List 2019 is a list of dorks to find SQL injectable websites. A Google dork query, sometimes just referred to as a dork, is a search […]

The post Google Dorks List 2019 SQLi Dorks – HackingVision appeared first on HackingVision.

25 Free eBooks to learn Python 2019 – HackingVision

A list of free Python programming eBooks to learn Python programming. Download eBooks in PDF and EPUB. List curated by Hackingvision.com. Disclaimer: The contributor(s) cannot be held responsible for any misuse of the data. This repository is just a collection of URLs to download eBooks for free. Download the eBooks at your […]

The post 25 Free eBooks to learn Python 2019 – HackingVision appeared first on HackingVision.

DorkMe – Google Dorks Tool Search For Vulnrabilities

DorkMe is a tool designed to make it easier to search for vulnerabilities with Google Dorks, such as SQL Injection vulnerabilities. Dependencies: pip install -r requirements.txt. It is highly recommended to add more dorks for an effective search; keep reading to see how. Usage […]

The post DorkMe – Google Dorks Tool Search For Vulnrabilities appeared first on HackingVision.

Automotive Technologies and Cyber Security

A guest article authored by Giles Kirkland
Giles is a car expert and dedicated automotive writer with a great passion for electric vehicles, autonomous cars and other innovative technologies. He loves researching the future of motorisation and sharing his ideas with auto enthusiasts across the globe. You can find him on Twitter, Facebook and at Oponeo.


Surveys show that about 50% of the UK feel that driverless vehicles will make their lives much easier and are eagerly anticipating the arrival of this exciting technology. Cities expect that when driverless car technology is fully implemented, the gridlock which now plagues their streets will be relieved to a large extent. Auto-makers predict that the new technology will encourage a surge in vehicle purchases, and technology companies are lining up with the major auto manufacturers to lend their experience and knowledge to the process, hoping to earn huge profits.



Delays to Driverless Technology
While some features of autonomous technology have already been developed and have been rolled out in various new vehicles, the full technology will probably not be mature for several decades yet. One of the chief holdups is in establishing the infrastructure necessary on the roads themselves and in cities, in order to safely enable driverless operation.

The full weight of modern technology is pushing development along at a breakneck pace. Unlike safety testing of the past, where some real-life scenarios were simulated to anticipate vehicle reactions, high-powered simulators have now been setup to increase the rapidity at which vehicle software can 'learn' what to do in those real-life situations. This has enabled learning at a rate exponentially greater than any vehicle of the past, which is not surprising, since vehicles of the past were not equipped with 'brains' like autonomous cars will be.

The Cyber Security aspect of Autonomous Vehicles
Despite the enormous gains that will come from autonomous vehicles, both socially and economically, there will inevitably be some problems which will arise, and industry experts agree that the biggest of these threats is cyber security. In 2015, there was a famous incident which dramatically illustrated the possibilities. In that year, white-collar hackers took control of a Jeep Cherokee remotely by hacking into its Uconnect Internet-enabled software, and completely cut off its connection with the Internet. This glaring shortcoming caused Chrysler to immediately recall more than one million vehicles, and provided the world with an alarming illustration of what could happen if someone with criminal intent breached the security system of a vehicle.

Cars of today have as many as 100 Electronic Control Units (ECUs), which run more than 100 million lines of code, and that presents a huge target to the criminal-minded person. Any hacker who successfully gains control of a peripheral ECU, for instance the vehicle's Bluetooth system, would theoretically be able to assume full control of other ECUs which are responsible for a whole host of safety systems. Connected cars of the future will of course have even more ECUs controlling the vehicle's operations, which will provide even more opportunities for cyber attack.


Defense against Cyber Attacks
As scary as the whole cyber situation sounds, with the frightening prospect of complete loss of control of a vehicle, there is reason for thinking that the threat can be managed effectively. There are numerous companies already involved in research and development on how to make cars immune from attacks, using a multi-tiered defense system involving several different security products, installed on different levels of the car's security system.

Individual systems and ECUs can be reinforced against attacks. Up one level from that, software protection is being developed to safeguard the vehicle's entire internal network. In the layer above that, there are already solutions in place to defend vehicles at the point where ECUs connect to external sources. This is perhaps the most critical area, since it represents the line between internal and external communications. The final layer of security comes from the cloud itself. Cyber threats can be identified and thwarted before they are ever sent to a car.

The Cyber Security Nightmare
If you ask an average person in the UK what the biggest problem associated with driverless cars is, they’d probably cite the safety issue. Industry experts, however, feel that once the technology has been worked out, there will probably be fewer highway accidents and that driving safety will actually be improved. Still, the threat that exists whenever anything is connected to the Internet will always be a cause for concern.

AI & Your Family: The Wows and Potential Risks

Am I the only one? When I hear or see the words Artificial Intelligence (AI), my mind instantly defaults to images from sci-fi movies I’ve seen like I, Robot, Matrix, and Ex Machina. There’s always been a futuristic element — and self-imposed distance — between AI and myself.

But AI is anything but futuristic or distant. AI is here, and it’s now. And, we’re using it in ways we may not even realize.

AI has been woven throughout our lives for years in various expressions of technology. AI is in our homes, workplaces, and our hands every day via our smartphones.

Just a few everyday examples of AI:

  • Cell phones with built-in smart assistants
  • Toys that listen and respond to children
  • Social networks that determine what content you see
  • Social networking apps with fun filters
  • GPS apps that help you get where you need to go
  • Movie apps that predict what show you’d enjoy next
  • Music apps that curate playlists that echo your taste
  • Video games that deploy bots to play against you
  • Advertisers who follow you online with targeted ads
  • Refrigerators that alert you when food is about to expire
  • Home assistants that carry out voice commands
  • Flights you take that operate via an AI autopilot

The Technology

While AI sounds a little intimidating, it’s not when you break it down. AI is technology that can be programmed to accomplish a specific set of goals without assistance. In short, it’s a computer’s ability to be predictive — to process data, evaluate it, and take action.

AI is being implemented in education, business, manufacturing, retail, transportation, and just about any other sector of industry and culture you can imagine. It’s the smarter, faster, more profitable way to accomplish manual tasks.

And there’s tons of AI-generated good going on. Instagram — the #2 most popular social network — is now using AI technology to detect and combat cyberbullying in both comments and photos.

No doubt, AI is having a significant impact on everyday life and is positioned to transform the future.

Still, there are concerns. The self-driving cars. The robots that malfunction. The potential jobs lost to AI robots.

So, as quickly as this popular new technology is being applied, now is a great time to talk with your family about both the exciting potential of AI and the risks that may come with it.

Talking points for families

Fake videos, images. AI is making it easier for people to face swap within images and videos. A desktop application called FakeApp allows users to seamlessly swap faces and share fake videos and images. This has led to the rise in “deep fake” videos that appear remarkably realistic (many of which go viral). Tip: Talk to your family about the power of AI technology and the responsibility and critical thinking they must exercise as they consume and share online content.

Privacy breaches. Following the Cambridge Analytica/Facebook scandal of 2018 that allegedly used AI technology unethically to collect Facebook user data, we’re reminded of those out to gather our private (and public) information for financial or political gain. Tip: Discuss locking down privacy settings on social networks and encourage your kids to be hyper mindful about the information they share in the public feed. That information includes liking and commenting on other content — all of which AI technology can piece together into a broader digital picture for misuse.

Cybercrime. As outlined in McAfee’s 2019 Threats Prediction Report, AI technology will likely make it easier for hackers to bypass security measures on networks undetected. This can lead to data breaches, malware attacks, ransomware, and other criminal activity. Additionally, AI-generated phishing emails are scamming people into handing over sensitive data. Tip: Bogus emails can be highly personalized and trick intelligent users into clicking malicious links. Discuss the sophistication of AI-related scams and warn your family to think about every click — even those from friends.

IoT security. With homes becoming “smarter” and equipped with AI-powered IoT products, the opportunity for hackers to get into these devices to steal sensitive data is growing. According to McAfee’s Threat Prediction Report, voice-activated assistants are especially vulnerable as a point-of-entry for hackers. Also at risk, say security experts, are routers, smartphones, and tablets. Tip: Be sure to keep all devices updated. Secure all of your connected devices and your home internet at its source — the network. Avoid routers that come with your ISP (Internet Service Provider) since they are often less secure. And, be sure to change the default password and secure your primary network and guest network with strong passwords.

The post AI & Your Family: The Wows and Potential Risks appeared first on McAfee Blogs.

Cyber Security Conferences to Attend in 2019

A list of Cyber and Information Security conferences to consider attending in 2019. Conferences are not only great places to learn about the evolving cyber threat landscape and proven security good practices, but also to network with industry-leading security professionals and like-minded enthusiasts, to share ideas, expand your own knowledge, and even to make good friends.

JANUARY 2019

SANS Cyber Threat Intelligence Summit
Monday 21st & Tuesday 22nd January 2019
Renaissance Arlington Capital View Hotel, VA, USA
https://www.sans.org/event/cyber-threat-intelligence-summit-2018


AppSec California 2019 (OWASP)
Tuesday 22nd & Wednesday 23rd January 2019
Annenberg Community Beach House, Santa Monica, USA
https://2019.appseccalifornia.org/


PCI London
Thursday 24th January 2019
Park Plaza Victoria Hotel, London, UK
https://akjassociates.com/event/pcilondon

The Future of Cyber Security Manchester
Thursday 24th January 2019
Bridgewater Hall, Manchester, UK
https://cybermanchester.events/

BSides Leeds
Friday 25th January 2019
Cloth Hall Court, Leeds, UK

FEBRUARY 2019

Cyber Security for Industrial Control Systems
Thursday 7th & Friday 8th February 2019
Savoy Place, London, UK
https://events.theiet.org/cyber-ics/index.cfm

NOORD InfoSec Dialogue UK
Tuesday 26th & Wednesday 27th February 2019
The Bull-Gerrards Cross, Buckinghamshire, UK

MARCH 2019

RSA Conference
Monday 4th to Friday 8th March 2019
Moscone Center, San Francisco, USA
https://www.rsaconference.com/events/us19

17th Annual e-Crime & Cybersecurity Congress
Tuesday 5th & Wednesday 6th March 2019
Park Plaza Victoria

Security & Counter Terror Expo
Tuesday 5th & Wednesday 6th March 2019
Olympia, London, UK
https://www.counterterrorexpo.com/


ISF UK Spring Conference
Wednesday 6th & Thursday 7th March 2019
Regent Park, London, UK
https://www.securityforum.org/events/chapter-meetings/uk-spring-conference-london/


BSidesSF
Sunday 3rd and Monday 4th March 2019
City View at Metreon, San Francisco, USA
https://bsidessf.org/

Cloud and Cyber Security Expo
Tuesday 12th to Wednesday 13th March 2019
ExCel, London, UK
https://www.cloudsecurityexpo.com/

APRIL 2019

(ISC)2 Secure Summit EMEA
Monday 15th & Tuesday 16th April 2019
World Forum, The Hague, Netherlands
https://web.cvent.com/event/df893e22-97be-4b33-8d9e-63dadf28e58c/summary

Cyber Security Manchester
Wednesday 3rd & Thursday 4th April 2019
Manchester Central, Manchester, UK
https://cybermanchester.events/

BSides Scotland 2019
Tuesday 23rd April 2019
Royal College of Physicians, Edinburgh, UK
https://www.contextis.com/en/events/bsides-scotland-2019


CyberUK 2019
Wednesday 24th & Thursday 25th April 2019
Scottish Event Campus, Glasgow, UK
https://www.ncsc.gov.uk/information/cyberuk-2019

Cyber Security & Cloud Expo Global 2019
Thursday 25th and Friday 29th April 2019
Olympia, London, UK
https://www.cybersecuritycloudexpo.com/global/


JUNE 2019

Infosecurity Europe 2019
Tuesday 4th to Thursday 6th June 2019
Olympia, London, UK
https://www.infosecurityeurope.com/

BSides London
Thursday 6th June 2019
ILEC Conference Centre, London, UK
https://www.securitybsides.org.uk/

Blockchain International Show
Thursday 6th and Friday 7th June 2019
ExCel Exhibition & Conference Centre, London, UK
https://bisshow.com/

Hack in Paris 2019
Sunday 16th to Friday 20th June 2019
Maison de la Chimie, Paris, France
https://hackinparis.com/

UK CISO Executive Summit
Wednesday 19th June 2019
Hilton Park Lane, London, UK
https://www.evanta.com/ciso/summits/uk#overview

Cyber Security & Cloud Expo Europe 2019
Thursday 19th and Friday 20th June 2019
RIA, Amsterdam, Netherlands
https://cybersecuritycloudexpo.com/europe/

Gartner Security and Risk Management Summit
Monday 17th to Thursday 20th June 2019
National Harbor, MD, USA
https://www.gartner.com/en/conferences/na/security-risk-management-us

European Maritime Cyber Risk Management Summit
Tuesday 25th June 2019
Norton Rose Fulbright, London, UK


AUGUST 2019

Black Hat USA
Saturday 3rd to Thursday 8th August 2019
Mandalay Bay, Las Vegas, NV, USA
https://www.blackhat.com/upcoming.html

DEF CON 27
Thursday 8th to Sunday 11th August 2019
Paris, Ballys & Planet Hollywood, Las Vegas, NV, USA
https://www.defcon.org/


SEPTEMBER 2019

44Con
Wednesday 11th to Friday 13th September 2019
ILEC Conference Centre, London, UK
https://44con.com/

2019 PCI SSC North America Community Meeting
Tuesday 17th to Thursday 19th September 2019
Vancouver, BC, Canada
https://www.pcisecuritystandards.org/about_us/events

OCTOBER 2019

Hacker Halted
Thursday 10th & Friday 11th October 2019
Atlanta, Georgia, USA
https://www.hackerhalted.com/

BruCON
Thursday 10th & Friday 11th October 2019
Aula, Gent, Belgium
https://www.brucon.org/2019/

EuroCACS/CSX (ISACA) 2019
Wednesday 16th to Friday 19th October 2019
Palexpo Convention Centre, Geneva, Switzerland
https://conferences.isaca.org/euro-cacs-csx-2019

6th Annual Industrial Control Cyber Security Europe Conference
Tuesday 29th and Wednesday 30th October 2019
Copthorne Tara, Kensington, London, UK
https://www.cybersenate.com/new-events/2018/11/13/6th-annual-industrial-control-cyber-security-europe-conference

2019 PCI SSC Europe Community Meeting
Tuesday 22nd to Thursday 24th October 2019
Dublin, Ireland
https://www.pcisecuritystandards.org/about_us/events

ISF 30th Annual World Congress
Saturday 26th to Tuesday 29th October 2019
Convention Centre Dublin, Dublin, Ireland



NOVEMBER 2019

Cyber Security & Cloud Expo North America 2019
Wednesday 13th and Thursday 14th November 2019
Santa Clara Convention Centre, Silicon Valley, USA
https://www.cybersecuritycloudexpo.com/northamerica/

DevSecCon London 
Thursday 14th & Friday 15th November 2019
CodeNode, London, UK


Cyber Security Summit 2019
Wednesday 20th November 2019
QEII Centre, London, UK
https://cybersecuritysummit.co.uk/

2019 PCI SSC Asia-Pacific Community Meeting
Wednesday 20th and Thursday 21st November 2019
Melbourne, Australia
https://www.pcisecuritystandards.org/about_us/events

DeepSec
Thursday 20th to Saturday 30th November 2019
The Imperial Riding School Vienna, Austria
https://deepsec.net/

Post in the comments about any cyber & information security themed conferences or events you recommend.

How To Tell If Your Smartphone Has Been Hacked

Your home screen is just a matrix of numbers. Your device loses its charge quickly, or restarts suddenly. Or, you notice outgoing calls that you never dialed. Chances are your smartphone has been hacked. The sad truth is that hackers now have a multitude of ways to get into your phone, without ever touching it.

Given that our smartphones have become our new wallets, containing a treasure trove of personal and financial information, a breach can leave you at serious risk.

The intruder could log in to your accounts as you, spam your contacts with phishing attacks, or rack up expensive long-distance charges. They could also access any passwords saved on your phone, potentially opening the door to sensitive financial accounts. That’s why it’s important to be able to recognize when your smartphone has been hacked, especially since some of the signs can be subtle.

Here are some helpful clues:

Performance Differences

Is your device operating slower, are web pages and apps harder to load, or does your battery never seem to keep a charge? What about your data plan? Are you exceeding your normal limits? These are all signs that you have malware running in the background, zapping your phone’s resources.

You may have downloaded a bad app, or clicked on a dangerous link in a text message. And malware, like Bitcoin miners, can strain computing power, sometimes causing the phone to heat up, even when you aren’t using it.

Mystery Apps or Data

If you find apps you haven’t downloaded, or calls, texts, and emails that you didn’t send, a hacker is probably in your system. They may be using your device to send premium rate calls or messages, or to spread malware to your contacts.

Pop-ups or Strange Screen Savers

Malware can also be behind spammy pop-ups, changes to your home screen, or bookmarks to suspicious websites. In fact, if you see any configuration changes you didn’t personally make, this is another big clue that your smartphone has been hacked.

What To Do

If any of these scenarios sound familiar, it’s time to take action. Start by deleting any apps or games you didn’t download, erasing risky messages, and running mobile security software, if you have it. Warn your contacts that your phone has been compromised, and to ignore any suspicious links or messages coming from you.

If the problem still doesn’t go away, consider restoring your phone to its original settings. Search online for instructions for your particular phone and operating system to learn how.

Now, let’s look at how to avoid getting hacked in the first place.

Secure Smartphone Tips

1. Use mobile security software—These days your smartphone is just as data rich as your computer. Make sure to protect your critical information, and your privacy, by using comprehensive mobile security software that not only protects you from online threats, but offers anti-theft and privacy protection.

2. Lock your device & don’t store passwords—Make sure that you are using a passcode or facial ID to lock your device when you’re not using it. This way, if you lose your phone it will be more difficult for a stranger to access your information.

Also, remember not to save passwords or login information for banking apps and other sensitive accounts. You don’t want a hacker to be able to automatically log in as you if they do gain access to your device.

3. Avoid using public Wi-Fi—Free Wi-Fi networks, like those offered in hotels and airports, are often unsecured. This makes it easy for a hacker to potentially see the information you are sending over the network. Also, be wary of using public charging stations, unless you choose a “charging only” cable that cannot access your data.

4. Never leave your device unattended in public—While many threats exist online, you still have to be aware of real-world threats, like someone grabbing your device when you’re not looking. Keep your smartphone on you, or within view, while in public.

If you have a “phone visibility” option, turn it off. This setting allows nearby devices to see your phone and exchange data with it.

5. Stay aware—New mobile threats are emerging all the time. Keep up on the latest scams and warning signs, so you know what to look out for.

Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.

The post How To Tell If Your Smartphone Has Been Hacked appeared first on McAfee Blogs.

Busting 5 Cybersecurity Myths

It is no secret that many people nowadays do not pay much attention when they surf the web at home or at work. New data breaches and exploits appear daily, and failing to take any precautions may still result in catastrophic consequences. Even the biggest corporations are paying millions of dollars to improve their cybersecurity and remain safe. However, if you still believe in some of the cybersecurity myths, you may put your own computer or even your whole organization at huge risk. We at CyberDB have decided to bust the top 5 cyber security myths and make things clear for you.

Only the IT department is responsible for cybersecurity

It is not wrong to say that the IT department is responsible for implementing new processes and policies to keep cybersecurity in top-notch shape. However, they don’t have a magic wand to protect all of the computers in the network. In reality, each employee should be extremely careful when receiving and opening e-mail messages from colleagues or third parties. This matters because an infection can spread across all of the departments within the organization and may, for example, lead to a data breach.

Using just an antivirus software is enough

Antivirus software might have been enough to protect your business from potential attacks 20 years ago; nowadays it is definitely not enough to protect your whole organization. Hackers find new ways to disable your antivirus and hide their attacks in the system. With ransomware gaining popularity among hackers, getting infected and having your information locked is a matter of seconds. So using an antivirus is not always enough; you also need to stay informed about the latest threats. Check out our database of cyber security vendors to find the best solution for your personal or business needs.

A strong password is enough

It is no secret that having a long and complex password on your accounts is essential. However, even big tech giants like Facebook or Apple experience data breaches and are often a target for hackers. Every website requires you to create a strong password, but it is also good to use two-factor authentication (2FA). At first, users received an SMS with a code for 2FA, but even this can be compromised by using a cloned SIM card. So make sure you have an app like Google Authenticator, for example, to make your accounts more secure.

Threats are being spread only through the Internet

Some users may think that disconnecting from the internet will prevent the threats spreading around the network and they are completely wrong. Just imagine what happens if an employee brings an infected flash drive and plugs it in – all of the computers may become infected and your company may lose valuable information. You may have your information stolen even when you shop at a local retailer. So threats are not only online, but in our daily life and we need to be very careful and take care of our personal information.

Only certain industries experience cyber attacks

Some businesses still believe that they may not be targeted by hackers because they are a small or mid-sized business or in a specific industry. Well, they are completely wrong. Some companies also believe they do not have anything that hackers may find valuable to steal. In reality, there is information like personal addresses or credit card numbers which can make every business in every industry a potential target. Here are the industries which are most vulnerable to cyber-attacks nowadays:

 Top 10 Sectors Breached

The post Busting 5 Cybersecurity Myths appeared first on CyberDB.

The Myth of “Staying One Step Ahead of the Hackers”

 

The assumption that software security can stay ahead of the hackers is not true because the software security industry is always reacting to threats that hackers expose. Once hackers start exploiting a flaw in an application, security companies try to block the resulting threat by providing security updates for existing software or by developing new programs. Either way, hackers will be one step ahead because the software security industry can’t predict what new threats the hackers will unleash.