A white hat hacker discovered how to break Tchap, a new secure messaging app launched by the French government for officials and politicians.
The popular French white hat hacker Robert Baptiste (aka @fs0c131y) discovered how to break into Tchap, a new secure messaging app launched by the French government for encrypted communications between officials and politicians. The app was developed by DINSIC (Interministerial Directorate of Digital and Information System and Communication of the State), as a project controlled by France’s National Cybersecurity Agency (ANSSI).
It aims at replacing popular instant messaging services like Telegram and WhatsApp for government people.
Tchap was launched on April 18 and is available on the official iOS and Android app stores, but only French government employees (using @gouv.fr or @elysee.fr email accounts) can sign up for an account.
The key point of Tchap is that encrypted communications flow through internal servers, to shield them from cyber attacks carried out by foreign nation-state actors.
The French government also published Tchap’s source code on GitHub; it is based on Riot, a well-known open-source instant messaging client-server package.
News of the day is that Robert Baptiste found a security bug that could allow anyone to sign up an account with the Tchap app and access groups and channels without using an official government email account.
The expert performed a dynamic analysis of the mobile app and discovered that it implements certificate pinning in the authentication process. After bypassing the pinning with Frida, he observed that during the registration process the app requests a token.
The expert noticed that, depending on the email address provided by the user, the app selects the “correct” id_server. The list of available servers is defined in the AndroidManifest.xml.
“I set id_server to matrix.agent.elysee.tchap.gouv.fr. For info, Elysée is the French presidential palace. As I chose this server I guessed I should have an @elysee.fr email address. So, in the requestToken request, I modified email to firstname.lastname@example.org@elysee.fr. Hum, no validation email in my inbox… Wait, maybe it is waiting for a known @elysee.fr email address. So I did a Google search “email @elysee.fr”,” wrote the expert in a blog post.
“So I did another try, and in the requestToken request I modified email to email@example.com@firstname.lastname@example.org. Bingo! I received an email from Tchap, I was able to validate my account!”
The expert demonstrated how to create an account with the service using a regular email ID by exploiting a potential email validation vulnerability in the Android version of the Tchap app.
After logging in as an Elysée employee, he was able to access the public rooms.
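To illustrate the class of weakness described above, here is an added Python example written for this page; it is not code from Tchap, Riot or the Matrix project. It places a lenient suffix check beside a strict parser that accepts only a single well-formed address whose whole domain is on a constructed allowlist, so an address with a second address embedded in front of an allowed suffix is rejected.

```python
import re

# Constructed allowlist standing in for the @gouv.fr / @elysee.fr restriction
# described in the article; the real service's configuration is not reproduced.
ALLOWED_DOMAINS = frozenset({"gouv.fr", "elysee.fr"})

# Local part: no '@' and no whitespace, so a second address cannot hide in it.
_LOCAL_PART = re.compile(r"^[A-Za-z0-9._%+-]{1,64}$")
# DNS label: 1-63 characters, letters/digits/hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def weak_is_allowed(email: str) -> bool:
    """Suffix check of the kind that is too lenient.

    Any string ending in '@<allowed domain>' passes, even when the text in
    front of that suffix is itself a complete address at another provider.
    """
    email = email.lower()
    return any(email.endswith("@" + domain) for domain in ALLOWED_DOMAINS)


def strict_parse(email: str):
    """Return (local_part, domain) if 'email' is exactly one well-formed
    address, otherwise None. Exactly one '@' is required, so an input such as
    'user@other.org@elysee.fr' is rejected before any domain comparison."""
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not _LOCAL_PART.match(local):
        return None
    domain = domain.lower()
    labels = domain.split(".")
    if len(domain) > 253 or len(labels) < 2:
        return None
    if not all(_LABEL.match(label) for label in labels):
        return None
    return local, domain


def strict_is_allowed(email: str) -> bool:
    """Registration gate: parse strictly, then compare the whole domain against
    the allowlist. This is an exact match, so subdomains are not accepted."""
    parsed = strict_parse(email)
    return parsed is not None and parsed[1] in ALLOWED_DOMAINS


def registration_decision(email: str) -> dict:
    """Side-by-side verdict of both checks for one candidate address."""
    return {
        "weak_check_accepts": weak_is_allowed(email),
        "strict_check_accepts": strict_is_allowed(email),
    }
```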
Robert reported the issue to the Matrix team, who developed the Riot client; they quickly fixed the bug and released a patch. The released patch was specific to the application developed by French intelligence.
Incidentally, last week Matrix.org warned users of a security breach: a hacker gained unauthorized access to the production databases, including unencrypted message data, access tokens, and password hashes.
According to Matrix.org, the attacker has exploited a known vulnerability in the Jenkins open source automation server to hijack credentials and gain access to the systems of the organization. Homeservers, source code and packages, identity servers, and Modular.im servers were not impacted.
Djevair Ametovski was sentenced to 90 months in prison for operating an international cybercrime marketplace named Codeshop.
Macedonian national Djevair Ametovski (32) was sentenced to 90 months in prison by US DoJ authorities for operating an international cybercrime marketplace named Codeshop.
Codeshop.su was a website that specialized in selling stolen payment card data. Ametovski acquired payment card data from hackers who had stolen it from financial institutions and individuals.
According to the investigators, the man commercialized data of 181,000 payment cards between 2010 and 2014.
Ametovski (known online as Codeshop, Sindromx, xhevo, and Sindrom) was arrested by Slovenian authorities in January 2014, at the time he was charged with aggravated identity theft, access device fraud conspiracy, and wire fraud conspiracy. The Macedonian citizen was extradited to the United States in May 2016.
The man pleaded guilty to access device fraud and aggravated identity theft; he was also ordered to forfeit $250,000 and to pay restitution in an amount to be determined later.
Codeshop customers were able to buy stolen card data searching for specific types of data based on criteria such as country, bank, and bank identification number.
“Ametovski used a network of online money exchangers and anonymous digital currencies, including Bitcoin, to reap revenues from the Codeshop website and to conceal all participants’ identities, including his own. Over the course of the scheme, Ametovski obtained and sold stolen credit and debit card data for more than 1.3 million cards,” said the Justice Department.
Lab Dookhtegan hackers leaked details about operations carried out by Iran-linked OilRig group, including source code of 6 tools.
A hacker group that goes online by the name Lab Dookhtegan has disclosed details about operations conducted by the Iran-linked cyber-espionage group tracked as OilRig, APT34, and HelixKitten.
OilRig is an Iran-linked APT group that has been around since at least 2014, it targeted mainly organizations in the financial, government, energy, telecoms and chemical sectors in the United States and Middle Eastern countries.
The Lab Dookhtegan hackers used a Telegram channel to dump information about the OilRig infrastructure, revealing details about its hacking tools, members, and operations. The hackers also disclosed IP addresses and domains involved in operations conducted by the group over the years.
It seems that the tools have been leaked since mid-March on a Telegram channel by a user with the Lab Dookhtegan pseudonym.
The dump also includes OilRig victims’ data, including login credentials to several services obtained through phishing attacks.
The entity that leaked the information aimed at disrupting the operations of the Iran-linked hacking group and is likely an opponent of the regime.
Lab Dookhtegan leaked the source code of the following six hacking tools, along with data from the compromised admin panels:
A ransomware attack knocked the Weather Channel off the air for at least 90 minutes on Thursday morning; federal law enforcement is investigating the incident.
A cyber attack hit the Weather Channel and forced it off the air for at least 90 minutes.
The broadcaster confirmed via Twitter that the incident is the result of a cyber attack, it claims that the problems were caused by “a malicious software attack on the network.”
Details are scant at the moment and a tweet from the station does not lift the haze, informing only that it was the victim of “a malicious software attack on the network.”
This morning the broadcaster aired taped programming (“Heavy Rescue”) instead of the “AMHQ” live show.
The live show started more than 90 minutes later, with the anchors informing viewers of the cyber attack. IT staff restored normal operations from backups.
Federal law enforcement immediately started an investigation into the case; at the time, The Weather Channel did not disclose technical details about the attack.
According to 11 Alive News, the attack was caused by ransomware, a circumstance confirmed by the Feds to The Wall Street Journal. The live show was interrupted by a ransomware attack, likely an attempt to extort money from the broadcaster.
Ransomware attacks continue to represent a serious threat to companies and organizations; it is essential to adopt good cyber hygiene by using defence software, keeping applications up to date and implementing an efficient backup policy.
Experts warn of security flaws in the Broadcom WiFi chipset drivers that could allow potential attackers to remotely execute arbitrary code and to trigger DoS.
According to a DHS/CISA alert and a CERT/CC vulnerability note, Broadcom WiFi chipset drivers are affected by security vulnerabilities impacting multiple operating systems. The flaws could be exploited to remotely execute arbitrary code and to trigger a denial-of-service condition.
“The CERT Coordination Center (CERT/CC) has released information on multiple vulnerabilities in Broadcom Wi-Fi chipset drivers. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.” reads the alert published by the DHS/CISA.
“The Broadcom wl driver and the open-source brcmfmac driver for Broadcom WiFi chipsets contain multiple vulnerabilities. The Broadcom wl driver is vulnerable to two heap buffer overflows, and the open-source brcmfmac driver is vulnerable to a frame validation bypass and a heap buffer overflow.” reads the security advisory published by the CERT/CC.
The flaws were discovered by Hugues Anguelkov during his internship at Quarkslab and are tracked as CVE-2019-8564, CVE-2019-9500, CVE-2019-9501, CVE-2019-9502 and CVE-2019-9503.
The heap buffer overflows could be exploited to execute arbitrary code on vulnerable systems.
“You can find these chips almost everywhere from smartphones to laptops, smart-TVs and IoT devices. You probably use one without knowing it, for example if you have a Dell laptop, you may be using a bcm43224 or a bcm4352 card. It is also likely you use a Broadcom WiFi chip if you have an iPhone, a Mac book, a Samsung phone or a Huawei phone, etc.” reads the post published by Anguelkov.
“Since these chips are so widespread they constitute a high value target to attackers and any vulnerability found in them should be considered to pose high risk.”
According to the CERT/CC, in the worst case scenario a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system by sending specially crafted WiFi packets; more typically, these vulnerabilities result in denial-of-service conditions.
Anguelkov confirmed that two of those vulnerabilities affect both the Linux kernel and the firmware of the affected Broadcom chips.
The researcher pointed out that the most common exploitation scenario leads to a remote denial of service.
“Although it is technically challenging to achieve, exploitation for remote code execution should not be discarded as the worst case scenario.” Anguelkov adds.
Below are the details of the flaws:
Vulnerabilities in the open source brcmfmac driver:
• CVE-2019-9503: If the brcmfmac driver receives the firmware event frame from the host, the appropriate handler is called. It is possible to bypass frame validation when USB is used as the bus (for instance with a WiFi dongle). In this case, firmware event frames from a remote source will be processed.
• CVE-2019-9500: a malicious event frame can be crafted to trigger a heap buffer overflow in the brcmf_wowl_nd_results function when the Wake-up on Wireless LAN functionality is configured. This flaw could be exploited by a compromised chipset to compromise the host or, when combined with the above frame validation bypass, remotely.
Vulnerabilities in the Broadcom wl driver: Two heap buffer overflows can be triggered in the client when parsing an EAPOL message 3 during the 4-way handshake from the access point (AP).
• CVE-2019-9501: supplying a vendor information element with a data length larger than 32 bytes triggers a heap buffer overflow in wlc_wpa_sup_eapol.
• CVE-2019-9502: if the vendor information element data length is larger than 164 bytes, a heap buffer overflow is triggered in wlc_wpa_plumb_gtk.
NOTE: When the wl driver is used with SoftMAC chipsets, these vulnerabilities are triggered in the host’s kernel. When a FullMAC chipset is being used, these vulnerabilities would be triggered in the chipset’s firmware.
The researcher published a timeline for the vulnerabilities that include information on patches released by some vendors.
Iran-linked APT group OilRig is heavily leveraging on DNS tunneling for its cyber espionage campaigns, Palo Alto Networks reveals.
Security researchers at Palo Alto Networks reported that the Iran-linked APT group OilRig is heavily leveraging DNS tunneling in its cyber espionage campaigns.
OilRig is an Iran-linked APT group that has been around since at least 2014, it targeted mainly organizations in the financial, government, energy, telecoms and chemical sectors in the United States and Middle Eastern countries.
Much of the malware used by the group in its attacks over the years relies on DNS tunneling to protect communications with the command and control (C&C) infrastructure.
Experts pointed out that DNS tunneling clearly represents one of the preferred communication methods of the group.
OilRig’s usage of DNS tunneling was first documented in 2016; some of the Trojans in its arsenal using it are Helminth, ISMAgent, QUADAGENT, BONDUPDATER, and ALMACommunicator.
The analysis of the tunneling protocols used by the OilRig suggests:
All subdomains contain a randomly generated value to avoid the DNS query resulting in a cached response
Most rely on an initial handshake to obtain a unique system identifier
Most rely on hardcoded IP addresses within the DNS answers to start and stop data transfer
Data upload includes a sequence number that allows the C2 to reconstruct the uploaded data in the correct order
Depending on the tool, A, AAAA, and TXT query types have been used by OilRig for tunneling
All of the DNS tunneling protocols will generate a significant number of DNS queries
“Regardless of the tool, all of the DNS tunneling protocols use DNS queries to resolve specially crafted subdomains to transmit data to the C2 and the answers to these queries to receive data from the C2.” reads the analysis published by Palo Alto Networks. “Therefore, the protocols must abide by the DNS protocol, so the specially crafted subdomains must have labels (portions of the subdomain separated by periods) must start and end with a letter or digit, contain letters, digits and hyphens and be less than 63 characters in length. Also, the entire domain queried, which includes the C2 domain and the specially crafted subdomain cannot exceed 253 characters.”
All the tools leverage DNS queries to resolve specially crafted subdomains and send data to the command and control servers. The tools use the protocol in different ways: they differ in the structure of the subdomains queried, in the data received by the Trojans, and in the subdomains used to transmit data.
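The traits listed above (a random value in every subdomain, a high query volume, A/AAAA/TXT record types, and labels that must respect DNS length and character rules) are enough to build a simple detector. The following is an added Python example for this page, not code from Palo Alto Networks or from any of the tools it describes; it profiles a constructed query log per registered domain and assumes, for simplicity, that the registered domain is the last two labels.

```python
import math
import random
import string
from collections import defaultdict


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label; the random
    nonce labels the tunnels use score high, ordinary names like 'www' low."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_valid_hostname(qname: str) -> bool:
    """The DNS limits quoted above: each label 1-63 characters of letters,
    digits and hyphens, starting and ending with a letter or digit, and the
    whole name at most 253 characters. A working tunnel must stay inside these."""
    if len(qname) > 253:
        return False
    for label in qname.split("."):
        if not 1 <= len(label) <= 63:
            return False
        if not all(ch.isalnum() or ch == "-" for ch in label):
            return False
        if label[0] == "-" or label[-1] == "-":
            return False
    return True


def registered_domain(qname: str) -> str:
    """Assumption made for this sample: the registered (C2) domain is the last
    two labels. A real deployment should use a public-suffix list instead."""
    return ".".join(qname.lower().split(".")[-2:])


def profile_domains(queries):
    """Aggregate per-domain features from (client, qname, qtype) records."""
    profiles = defaultdict(lambda: {
        "queries": 0, "names": set(), "entropy_sum": 0.0, "types": defaultdict(int)})
    for _client, qname, qtype in queries:
        if not is_valid_hostname(qname):
            continue  # a resolver would reject it, so it cannot carry tunnel data
        prof = profiles[registered_domain(qname)]
        prof["queries"] += 1
        prof["names"].add(qname.lower())
        prof["entropy_sum"] += label_entropy(qname.split(".")[0])
        prof["types"][qtype] += 1
    return profiles


def suspected_tunnels(queries, min_queries=20, min_unique_ratio=0.9, min_entropy=2.5):
    """Flag domains showing the traits described above: high query volume,
    almost every query name unique (the random value defeats caching),
    random-looking leading labels, and only A/AAAA/TXT record types."""
    flagged = []
    for domain, prof in profile_domains(queries).items():
        if prof["queries"] < min_queries:
            continue
        unique_ratio = len(prof["names"]) / prof["queries"]
        mean_entropy = prof["entropy_sum"] / prof["queries"]
        tunnel_types = sum(prof["types"][t] for t in ("A", "AAAA", "TXT"))
        if (unique_ratio >= min_unique_ratio and mean_entropy >= min_entropy
                and tunnel_types == prof["queries"]):
            flagged.append(domain)
    return sorted(flagged)


def build_sample():
    """Constructed query log: a few ordinary lookups plus forty tunnel-style
    queries to a placeholder domain, each carrying a random nonce, a sequence
    number and an encoded chunk, alternating A and TXT types."""
    rng = random.Random(7)
    alphabet = string.ascii_lowercase + string.digits
    benign = [
        ("10.0.0.5", "www.example.com", "A"),
        ("10.0.0.5", "mail.example.com", "A"),
        ("10.0.0.5", "www.example.com", "AAAA"),
    ]
    tunnel = []
    for seq in range(40):
        nonce = "".join(rng.choice(alphabet) for _ in range(10))
        chunk = "".join(rng.choice(alphabet) for _ in range(24))
        qname = f"{nonce}{seq:03d}.{chunk}.c2-placeholder.net"
        tunnel.append(("10.0.0.7", qname, "A" if seq % 2 else "TXT"))
    return benign + tunnel


if __name__ == "__main__":
    print(suspected_tunnels(build_sample()))  # ['c2-placeholder.net']
```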
Experts observed multiple variants of the Helminth backdoor over the years, all using the same DNS record type (A), but the threat actors changed the generated subdomains to avoid detection.
“There are several variants of Helminth, as the OilRig actors actively developed this Trojan during the course of their attack campaigns. The Helminth Trojan came in two forms, a portable executable version and a PowerShell version, both of which received updates to their DNS tunneling protocol over time.” continues the analysis. “The DNS tunneling protocols used in each variant operated the same way, but the developer would make changes to the generated subdomains to make them look visually different to evade detection.”
OilRig also used the ISMAgent in many campaigns, the malware uses the DnsQuery_A API function to issue DNS AAAA requests to resolve custom subdomains. Before transmitting the data, the Trojan issues a beacon to inform the server it is ready.
OilRig also leveraged two variants of the ALMA Communicator in its attacks, each using a different domain structure. The two variants sent different information to the server and formatted the data within the DNS tunneling protocol in different ways.
Palo Alto researchers also documented different variants of both the BONDUPDATER tool and QUADAGENT Trojan, the latter uses AAAA queries to transmit/receive data via DNS tunneling.
“This threat group saw the benefits of using DNS tunneling, as DNS is almost universally allowed through security devices.” Palo Alto Networks concludes. “One major drawback of using DNS tunneling is the high volume of DNS queries issued to transmit data back and forth between the tool and the C&C server, which may stand out to those monitoring DNS activity on their networks,”
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn how baby monitors may be susceptible to hacking. Also, learn about a medical flaw that enables hackers to hide malware.
According to the International Telecommunications Union’s (ITU) 2018 Global Cybersecurity Index, only half of countries around the globe had a government cybersecurity strategy in 2017, which rose to 58 percent in 2018.
A malware campaign is actively attacking Asian targets using the EternalBlue exploit and taking advantage of Living off the Land (LotL) obfuscated PowerShell-based scripts to drop Trojans and a Monero coinminer on compromised machines.
A hacker or group of hackers broke into a customer support account for Microsoft, and then used that to gain access to information related to customers’ email accounts such as the subject lines of their emails and who they’ve communicated with.
Departures of top officials at the Secret Service and Department of Homeland Security (DHS) will add to an already difficult public-private disconnect on cybersecurity, especially since Kirstjen Nielsen has a rare set of cybersecurity skills that helped the DHS protect companies in critical industries.
Microsoft has notified affected Outlook users of a security breach that allowed hackers access to email accounts from January 1 to March 28, 2019.
Do you think the leadership turnover at DHS and the Secret Service will hurt US cybersecurity plans? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
In mid-March, a suspicious Office document referencing the Ukraine elections appeared in the wild, is it related to APT28 and upcoming elections?
The uncertain attribution of the Ukrainian-themed malicious document discussed in our past article “APT28 and Upcoming Elections: Possible Interference Signals” led us to review Sofacy’s phishing techniques to confirm or deny the possible involvement of Russian state-sponsored actors in the election interference. We ended up at an old fake hotel reservation request form, containing dummy interactive text boxes used to lure the victims into enabling macro code execution.
We analyzed this sample two years ago and linked it to a Sofacy attack operation discovered by FE researchers in mid-2017, which hit several hotels in European and Middle Eastern countries.
The macro code inside the 2017 document is password protected, just like the last suspicious document we analyzed to investigate a possible Ukraine elections interference by Russian groups. Once opened, the reference sample decodes the extracted Base64 content using a custom “DecodeBase64” function:
The decoded content is actually a DLL file, which is written into “%AppData%\user.dat”. After that, it is executed through an ASR (Attack Surface Reduction) bypass technique allowing attackers to run a new child process within the Office environment. This is the same publicly available exploit previously found in the Ukrainian sample (more details in the next section).
In this reference sample, the “user.dat”’s purpose is to create two new artifacts and to set persistence through “HKCU\Environment->UserInitMprLogonScript”. The created files are:
The “mrset.bat” file is a short batch file, designed to check for the existence of “mvtband.dat” and to run it through the “rundll32.exe” system utility.
Finally, the “mvtband.dat” file, which is actually a Delphi DLL library, is a well-known malware named “GAMEFISH” (f9fd3f1d8da4ffd6a494228b934549d09e3c59d1). Russian groups used it in recon phases to steal information from the victim machine and to implant new payloads.
Despite some differences between the “Hospitality campaign” vector and the Ukraine elections one, both use similar TTPs related to the APT28 group. The link between the Hospitality malware and the “FancyBear” actor has already been established by the InfoSec community, so we can use the similarities between it and the Ukrainian elections sample to link the latter to Russian hacker groups.
Both documents under analysis use protected macro code. None of the code inside the macros is obfuscated in any way; the Hospitality document surprisingly contains code comments too. Moreover, the main macro function name is “Execute” in both documents, and the ASR trick used to create new processes from the Office workspace is substantially the same.
In both cases the real payload is encoded in Base64 and it is stored into an Office hidden section: the first sample uses a document property, the second one employs an XML resource.
The next stages are different: the Ukraine sample deploys some obfuscated PowerShell scripts, which in the end carry an Empire stager, allowing the attackers to interact directly with the victim machine; the reference sample, instead, implants the GAMEFISH malware, which automatically exfiltrates victim information while waiting for new payloads to install.
Finally, the attribution of the Ukraine elections sample (highlighted in our previous report) can be confirmed due to the strong similarities with the first stage of the Sofacy’s Hospitality malware, because:
Both use password protection.
Both have the same function name.
Both have the same macro code structure.
Both embed the real payload in a hidden document section.
The ASR trick is implemented using the same instructions.
The presence of these similarities between the droppers indicates, with high probability, that the attacker is the same and consequently suggests that APT28 is reusing some 2017 tricks and code snippets which, despite their simplicity, make their attacks effective.
Further details, including Indicators of Compromise and Yara rules, are reported in the analysis published on the Yoroi Blog. Stay Tuned.
DNS hijacking isn't new, but this seems to be an attack of unprecedented scale:
Researchers at Cisco's Talos security division on Wednesday revealed that a hacker group it's calling Sea Turtle carried out a broad campaign of espionage via DNS hijacking, hitting 40 different organizations. In the process, they went so far as to compromise multiple country-code top-level domains -- the suffixes like .co.uk or .ru that end a foreign web address -- putting all the traffic of every domain in multiple countries at risk.
The hackers' victims include telecoms, internet service providers, and domain registrars responsible for implementing the domain name system. But the majority of the victims and the ultimate targets, Cisco believes, were a collection of mostly governmental organizations, including ministries of foreign affairs, intelligence agencies, military targets, and energy-related groups, all based in the Middle East and North Africa. By corrupting the internet's directory system, hackers were able to silently use "man in the middle" attacks to intercept all internet data from email to web traffic sent to those victim organizations.
Cisco Talos said it couldn't determine the nationality of the Sea Turtle hackers, and declined to name the specific targets of their spying operations. But it did provide a list of the countries where victims were located: Albania, Armenia, Cyprus, Egypt, Iraq, Jordan, Lebanon, Libya, Syria, Turkey, and the United Arab Emirates. Cisco's Craig Williams confirmed that Armenia's .am top-level domain was one of the "handful" that were compromised, but wouldn't say which of the other countries' top-level domains were similarly hijacked.
Russian financially motivated threat actor TA505 used remote access Trojans (RATs) in attacks on financial entities in the United States and worldwide.
Security experts at CyberInt uncovered a new campaign of a Russian financially motivated threat actor tracked as TA505. The hackers used remote access Trojans (RATs) in attacks aimed at financial entities in the United States and worldwide.
“CyberInt researchers have been tracking various activities following the spear-phishing campaign targeting large US-based retailers detected in December 2018.” reads the analysis published by Cyberint. “The research focused on scenarios with the same tactics, techniques and procedures (TTP) along with the repeated nefarious use of a ‘legitimate’ remote administration tool ‘Remote Manipulator System’ (RMS), developed by a Russian-based company ‘TektonIT’.”
The TA505 group was first spotted by Proofpoint back in 2017; it has been active since at least 2015 and targets organizations in the financial and retail industries.
Tracked by the research community as TA505, the Russian threat group is known for the use of banking Trojans such as Shifu and Dridex, as well as for the massive Locky ransomware campaigns observed several years ago.
In recent attacks the experts observed the group using new backdoors, including the modular tRat and ServHelper.
In campaigns carried out between December 2018 and February 2019, the TA505 group leveraged the Remote Manipulator System (RMS) backdoor to target financial institutions in Chile, India, Italy, Malawi, Pakistan and South Korea, and retailers in the United States.
In December 2018, the group also targeted large US retailers and organizations in the food and beverage industry with spear-phishing attacks. The phishing messages used a weaponized Word document containing a Visual Basic for Applications (VBA) macro. The macro downloads a payload from the command and control (C&C) server; the last stage of the attack chain is the RMS RAT.
The investigation conducted by the researchers allowed them to uncover other campaigns conducted between December 2018 and March 2019.
Hackers hit targets in many countries worldwide, including Chile, India, Italy, Malawi, Pakistan and South Korea. Researchers believe that other attacks against targets in China, Great Britain, France and the United States could be attributed to the same threat actor.
The weaponized documents used in the attacks leverage Microsoft Windows Installer to fetch a payload from the C2 and execute it.
“This behaviour is consistent with other TA505 campaigns utilising a combination of weaponised Microsoft Office files containing either VBA macros or exploit code to spawn additional processes.” continues the analysis published by Cyberint. “Of the spreadsheet lures analysed in this campaign, four different C2 servers and payloads were identified, with each likely being unique to a specific target organization or victim cluster.”
Experts also observed the attackers using the ServHelper RAT since November 2018, it allows them to set up reverse SSH tunnels for remote access to the compromised machine via RDP.
The report states that indicators of compromise identified in the campaigns against US retailers are consistent with an attack against the Notary Chamber of Ukraine conducted by the same threat actor in December 2018.
At the time, the threat actor was delivering the RMS Trojan in spear-phishing attacks.
Further technical details on the attacks are included in the report published by Cyberint.
Electronic Arts (EA) has fixed a security issue in the Windows version of its gaming client Origin that allowed hackers to remotely execute code on an affected computer.
Electronic Arts (EA) has addressed a vulnerability in the Windows version of its gaming client Origin that allowed hackers to remotely execute code on an affected computer.
Electronic Arts already released a security patch for the remote code execution vulnerability. The Origin app on Windows is used by tens of millions of gamers. The Origin client for macOS was not affected by this flaw.
The flaw was reported by security experts Dominik Penner and Daley Bee from Underdog Security.
“We located a client-sided template injection, where we proceeded to use an AngularJS sandbox escape and achieve RCE by communicating with QtApplication’s QDesktopServices.” reads a blog post published by Underdog Security.
“To make it easier to access an individual game’s store from the web, the client has its own URL scheme that allows gamers to open the app and load a game from a web page by clicking a link with origin:// in the address.” reported Techcrunch.
The experts shared a proof-of-concept code with Techcrunch to trigger the issue.
Researchers pointed out that the code allowed any app to run at the same level of privileges as the logged-in user. In the following image, the security duo popped open the Windows calculator remotely.
“But worse, a hacker could send malicious PowerShell commands, an in-built app often used by attackers to download additional malicious components and install ransomware.” continues the post.
An attacker could craft a malicious link and send it to victims via email or embed it in a webpage; the issue could also be triggered if the malicious code was combined with a cross-site scripting exploit that ran automatically in the browser.
The flaw could also be exploited by an attacker to take over gamers’ accounts by stealing access tokens with just a single line of code.
A database belonging to the Indian local search service JustDial was left online without protection exposing personal data of over 100M users.
The archive is still leaking personally identifiable information of JustDial customers who access the service via its website, its mobile app, or even by calling the customer care number (“88888 88888”).
The news was first reported by The Hacker News that independently verified the authenticity of the story.
JustDial is the largest and oldest search engine in India that allows its users to find vendors of various products and services.
The independent researcher Rajshekhar Rajaharia discovered how an unprotected, publicly accessible API endpoint of JustDial’s database can be accessed by anyone.
The leaked data includes username, email, mobile number, address, gender, date of birth, photo, occupation, company name and more.
According to the expert, the data had been exposed since at least mid-2015 through the unprotected API; at the time, it was not clear whether anyone had accessed the huge trove of data.
Experts at THN provided Rajshekhar with a new phone number that had never been registered with the JustDial server, then used it to contact the JustDial service and request information on restaurants. The service created a profile and associated it with the number provided by THN, and Rajshekhar was able to retrieve that profile, which confirmed that the exposed DB was the one associated with production systems.
“Although the unprotected API is connected to the primary JD database, Rajshekhar revealed that it’s an old API endpoint which is not currently being used by the company but left forgotten on the server.” reads the post published by THN.
Rajshekhar discovered this unprotected end-point while conducting a penetration test on the latest APIs, which are apparently protected.
Rajshekhar also found other issues associated with the old unprotected APIs; one of them could be exploited by anyone to trigger an OTP request for any registered phone number, making it possible to spam users.
Rajshekhar attempted to report the issues to the company but without success.
In what I am sure is only a first in many similar demonstrations, researchers are able to add or remove cancer signs from CT scans. The results easily fool radiologists.
I don't think the medical device industry has thought at all about data integrity and authentication issues. In a world where sensor data of all kinds is undetectably manipulatable, they're going to have to start.
Automotive manufacturers have realized the future lies in self-driving cars. We may be taking small steps, yet we would like to be headed to an autonomous driving utopia. Here, every road is safe, smart, connected, fast, reliable.
It may be just a dream right now, but how far are we from achieving this goal?
In this article, we will walk you through the current state of autonomous vehicles, and most importantly, examine how safe driverless cars actually are from a cybersecurity perspective.
A brief history of self-driving cars
Let’s start off with a little bit of history.
You may be amazed to hear that people started working on driverless car prototypes as early as the 1920s. Back then, Francis Houdina invented a radio-controlled car, which he drove on the streets of New York without a person behind the steering wheel.
Over the years, there have been multiple attempts to develop the industry and encourage the adoption of driverless cars. You can access this resource to go through a quick timeline of self-driving cars.
Fast forward to more recent days: Waymo, formerly known as Google’s self-driving car project, is the first commercial self-driving car service and was launched in December 2018. Through an app, Waymo offers ride-hailing services to people in the Phoenix area of the United States.
Will 2019 be the year of self-driving cars?
Here are a few facts and predictions for 2019:
This year, companies such as General Motors, Uber, Volkswagen, and Intel are competing in the ride-hailing movement and are making promises regarding when their fully autonomous vehicles will be available. The general answer seems to be between 2019 and 2022.
Autonomous vehicle manufacturers promise to deliver a safe, enjoyable, and fast experience, freeing the drivers of the stress of driving, while allowing them to fulfill other tasks.
But what is the general opinion towards autonomous cars?
According to Deloitte’s 2019 Global Automotive Study, consumer perception of the safety of autonomous cars has stalled in the last year. This attitude is predominantly influenced by media reports of accidents involving self-driving cars, many of which were fatal.
Here you can read a report on this type of accident.
The concern around safety is also reinforced by Perkins Coie’s research, which shows that consumers’ perception of safety is the biggest roadblock to the development of self-driving vehicles in the next five years.
As per another study conducted by the American Automobile Association (AAA), almost 3 in 4 Americans are afraid of self-driving cars. According to the same research, only 19% would trust self-driving cars to transport their loved ones.
What’s more, there are some people who seem to despise the autonomous vehicle’s technology and even manifest violent behavior towards it. At least 21 attacks against Waymo cars have been reported. People have tried to run the vehicles off the road, thrown rocks at them, slashed the tires, or even yelled at them to leave the neighborhood. This behavior seems to be fueled by people’s concern with safety and even potential job losses.
What is the reason for that, you may be wondering, since they were created to simplify traffic movement in the first place?
The autonomous cars could be programmed to aimlessly drive on the streets, without parking, in order to avoid payments. Basically, the price for recharging an electric autonomous car would be much lower than the overall parking fee.
The concerns around data collection and privacy
The same Deloitte 2019 report shows most people are worried about biometric data being collected by self-driving car manufacturers through their connected vehicles and sent to other parties.
In truth, data does need to be collected in order to improve functionalities, but this could also cause the invasion of your privacy.
So the question is where that data ends up and how it’s actually used. Some may argue that it could be shared with the government or used for marketing purposes.
Thus, authorities need to put strict rules and regulations in place.
Solving the cybersecurity question
Without a doubt, autonomous vehicles need state-of-the-art cybersecurity.
According to a recent study which surveyed auto engineers and IT experts, 84% of respondents were concerned that car manufacturers are not keeping pace with the industry’s constantly increasing cybersecurity threats.
Since self-driving cars have been involved in numerous accidents, this means they still have flaws, which can become exploited by malicious actors. Although taking care of aspects such as having proper navigation systems and avoiding collisions are obvious priorities for manufacturers, cybersecurity should also be top of mind.
According to Skanda Vivek, a postdoctoral researcher at the Georgia Institute of Technology, if people were to hack even a small number of internet-connected self-driving cars on the roads of the United States, the flow of traffic would be completely frozen. And emergency vehicles would not even be able to pass through.
Source: Skanda Vivek/ Georgia Tech
“Compromised vehicles are unlike compromised data,” argues Vivek in the study’s press release. “Collisions caused by compromised vehicles present physical danger to the vehicle’s occupants, and these disturbances would potentially have broad implications for overall traffic flow.”
Around four years ago, researchers Charlie Miller and Chris Valasek remotely hacked a Jeep Cherokee as an experiment. They used a laptop to do it while being at a 10-mile distance and managed to take full control of the vehicle.
This was not even a self-driving vehicle, but the same scenario can be applied to one. In fact, this can even be more plausible in the case of autonomous cars due to their increased internet connectivity.
Right now, you won’t find two identical automation systems in the industry. Yet, according to the University of Michigan’s report, as systems become more generic, or even start using open-source software, one attack could spread across every car deploying the same system. That is just what happened with the WannaCry ransomware attack, which infected more than 300,000 computers in 150 countries, at an estimated cost of $4 billion.
But are things really that bad?
On a more positive note, there are cybersecurity experts who believe that in the future, fully autonomous cars will be much harder to hack than we might think. This “fully autonomous” technology (remember Level 5 we were talking about above?) will rely on multiple sensors and communication layers.
At the moment, self-driving cars are only using one or two sensors for object detection, according to Craig Smith, research director of cyber analytics group Rapid7.
In his view, since it’s already quite difficult to hack a single sensor, a malicious criminal will find it even harder to override a complex sensor system.
“If we’re having a discussion about what’s safe, it’s more likely that you’ll get into a car accident today than someone will hack into your car tomorrow”, Smith pointed out.
How can we stop self-driving cars from being hacked?
The good news is that experts are constantly working on developing better security systems.
For instance, just a few weeks ago, SK Telecom announced the launch of a solution based on Quantum Encryption.
As per SK Telecom, this is an “integrated security device that will be installed inside cars and protect various electronic units and networks in the vehicle”.
Also, the gateway, which was developed together with the controller maker GINT, will be used to secure all the vehicle systems: Vehicle-2-Everything (V2X) and Bluetooth communication systems, the car’s driver assistance, radar, and smart keys. Drivers will also be alerted of any suspicious behavior.
The gateway basically transmits the output of a quantum random number generator and a quantum key along with the vehicle’s data, which will “fundamentally prevent hacking and make the cars unhackable”, according to SK Telecom. The company also added that this move was meant to facilitate security in the 5G era.
This is not the first initiative of this kind. In another project, the cyber-security group at Coventry University’s Institute for Future Transport and Cities (FTC) teamed up with the quantum experts at cybersecurity start-up Crypta Labs and they also reportedly worked on this quantum technology that can prevent hacking.
Here’s a bonus
We stumbled upon a great video that we’d like to share with you, in which Victor Schwartz, a partner at Shook, Hardy & Bacon, talks about the potential risks of driverless cars – privacy issues and cybersecurity.
At the moment, concerns around self-driving technology clearly outweigh the benefits. It’s now crucial for manufacturers to focus on autonomous cars’ cybersecurity problems, employing dedicated staff to work on these issues. However, with proper security measures in place, hacking risks can, in time, be dramatically reduced.
Would you trust a self-driving car? What’s your opinion on the overall security of autonomous vehicles? We would love to hear your thoughts in the comments section below.
Company admits to mistake and says it has no evidence of abuse – but the risk was huge
Facebook mistakenly stored “hundreds of millions” of passwords in plaintext, unprotected by any encryption, the company has admitted.
The mistake, which led to user passwords being kept in Facebook’s internal servers in an insecure way, affects “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users”, according to the social networking site. Facebook Lite is a version of Facebook created for use in nations where mobile data is unaffordable or unavailable.
A guest article authored by Giles Kirkland Giles is a car expert and dedicated automotive writer with a great passion for electric vehicles, autonomous cars and other innovative technologies. He loves researching the future of motorisation and sharing his ideas with auto enthusiasts across the globe. You can find him on Twitter, Facebook and at Oponeo.
Automotive Technologies and Cyber Security
Surveys show that about 50% of the UK feel that driverless vehicles will make their lives much easier and are eagerly anticipating the arrival of this exciting technology. Cities expect that when driverless car technology is fully implemented, the gridlock which now plagues their streets will be relieved to a large extent. Auto-makers predict that the new technology will encourage a surge in vehicle purchases, and technology companies are lining up with the major auto manufacturers to lend their experience and knowledge to the process, hoping to earn huge profits.
Delays to Driverless Technology
While some features of autonomous technology have already been developed and have been rolled out in various new vehicles, the full technology will probably not be mature for several decades yet. One of the chief holdups is in establishing the infrastructure necessary on the roads themselves and in cities, in order to safely enable driverless operation.
The full weight of modern technology is pushing development along at a breakneck pace. Unlike safety testing of the past, where some real-life scenarios were simulated to anticipate vehicle reactions, high-powered simulators have now been set up to increase the rapidity at which vehicle software can 'learn' what to do in those real-life situations. This has enabled learning at a rate exponentially greater than any vehicle of the past, which is not surprising, since vehicles of the past were not equipped with 'brains' like autonomous cars will be.
The Cyber Security Aspect of Autonomous Vehicles
Despite the enormous gains that will come from autonomous vehicles, both socially and economically, there will inevitably be some problems which will arise, and industry experts agree that the biggest of these threats is cyber security. In 2015, there was a famous incident which dramatically illustrated the possibilities. In that year, white-hat hackers took control of a Jeep Cherokee remotely by hacking into its Uconnect Internet-enabled software, and completely cut off its connection with the Internet. This glaring shortcoming caused Chrysler to immediately recall more than one million vehicles, and provided the world with an alarming illustration of what could happen if someone with criminal intent breached the security system of a vehicle.
Cars of today have as many as 100 Electronic Control Units (ECUs), which run more than 100 million lines of code, and that presents a huge target to the criminal-minded person. Any hacker who successfully gains control of a peripheral ECU, for instance the vehicle's Bluetooth system, would theoretically be able to assume full control of other ECUs which are responsible for a whole host of safety systems. Connected cars of the future will of course have even more ECUs controlling the vehicle's operations, which will provide even more opportunities for cyber attack.
Defense against Cyber Attacks
As scary as the whole cyber situation sounds, with the frightening prospect of complete loss of control of a vehicle, there is reason for thinking that the threat can be managed effectively. There are numerous companies already involved in research and development on how to make cars immune from attacks, using a multi-tiered defense system involving several different security products, installed on different levels of the car's security system.
Individual systems and ECUs can be reinforced against attacks. Up one level from that, software protection is being developed to safeguard the vehicle's entire internal network. In the layer above that, there are already solutions in place to defend vehicles at the point where ECUs connect to external sources. This is perhaps the most critical area, since it represents the line between internal and external communications. The final layer of security comes from the cloud itself. Cyber threats can be identified and thwarted before they are ever sent to a car.
The Cyber Security Nightmare
If you ask an average person in the UK what the biggest problem associated with driverless cars is, they’d probably cite the safety issue. Industry experts, however, feel that once the technology has been worked out, there will probably be fewer highway accidents and that driving safety will actually be improved. However, the nightmare of having to deal with the threat which always exists when anything is connected to the Internet will always be one which is cause for concern.
Am I the only one? When I hear or see the word Artificial Intelligence (AI), my mind instantly defaults to images from sci-fi movies I’ve seen like I, Robot, Matrix, and Ex Machina. There’s always been a futuristic element — and self-imposed distance — between AI and myself.
But AI is anything but futuristic or distant. AI is here, and it’s now. And, we’re using it in ways we may not even realize.
AI has been woven throughout our lives for years in various expressions of technology. AI is in our homes, workplaces, and our hands every day via our smartphones.
Just a few everyday examples of AI:
Cell phones with built-in smart assistants
Toys that listen and respond to children
Social networks that determine what content you see
Social networking apps with fun filters
GPS apps that help you get where you need to go
Movie apps that predict what show you’d enjoy next
Music apps that curate playlists that echo your taste
Video games that deploy bots to play against you
Advertisers who follow you online with targeted ads
Refrigerators that alert you when food is about to expire
Home assistants that carry out voice commands
Flights you take that operate via an AI autopilot
While AI sounds a little intimidating, it’s not when you break it down. AI is technology that can be programmed to accomplish a specific set of goals without assistance. In short, it’s a computer’s ability to be predictive — to process data, evaluate it, and take action.
AI is being implemented in education, business, manufacturing, retail, transportation, and just about any other sector of industry and culture you can imagine. It’s the smarter, faster, more profitable way to accomplish manual tasks.
And there’s tons of AI-generated good going on. Instagram — the #2 most popular social network — is now using AI technology to detect and combat cyberbullying in both comments and photos.
No doubt, AI is having a significant impact on everyday life and is positioned to transform the future.
So, as quickly as this popular new technology is being applied, now is a great time to talk with your family about both the exciting potential of AI and the risks that may come with it.
Talking points for families
Fake videos, images. AI is making it easier for people to face swap within images and videos. A desktop application called FakeApp allows users to seamlessly swap faces and share fake videos and images. This has led to the rise in “deep fake” videos that appear remarkably realistic (many of which go viral). Tip: Talk to your family about the power of AI technology and the responsibility and critical thinking they must exercise as they consume and share online content.
Privacy breaches. Following the Cambridge Analytica/Facebook scandal of 2018 that allegedly used AI technology unethically to collect Facebook user data, we’re reminded of those out to gather our private (and public) information for financial or political gain. Tip: Discuss locking down privacy settings on social networks and encourage your kids to be hyper mindful about the information they share in the public feed. That information includes liking and commenting on other content — all of which AI technology can piece together into a broader digital picture for misuse.
Cybercrime. As outlined in McAfee’s 2019 Threats Prediction Report, AI technology will likely allow hackers more ease to bypass security measures on networks undetected. This can lead to data breaches, malware attacks, ransomware, and other criminal activity. Additionally, AI-generated phishing emails are scamming people into handing over sensitive data. Tip: Bogus emails can be highly personalized and trick intelligent users into clicking malicious links. Discuss the sophistication of the AI-related scams and warn your family to think about every click — even those from friends.
IoT security. With homes becoming “smarter” and equipped with AI-powered IoT products, the opportunity for hackers to get into these devices to steal sensitive data is growing. According to McAfee’s Threat Prediction Report, voice-activated assistants are especially vulnerable as a point of entry for hackers. Also at risk, say security experts, are routers, smartphones, and tablets. Tip: Be sure to keep all devices updated. Secure all of your connected devices and your home internet at its source — the network. Avoid routers that come with your ISP (Internet Service Provider) since they are often less secure. And be sure to change the default password and secure your primary network and guest network with strong passwords.
A list of Cyber and Information Security conferences to consider attending in 2019. Conferences are not only great places to learn about the evolving cyber threat landscape and proven security good practices, but also to network with industry-leading security professionals and like-minded enthusiasts, to share ideas, expand your own knowledge, and even to make good friends.
SANS Cyber Threat Intelligence Summit Monday 21st & Tuesday 22nd January 2019
Your home screen is just a matrix of numbers. Your device loses its charge quickly, or restarts suddenly. Or, you notice outgoing calls that you never dialed. Chances are your smartphone has been hacked. The sad truth is that hackers now have a multitude of ways to get into your phone, without ever touching it.
Given that our smartphones have become our new wallets, containing a treasure trove of personal and financial information, a breach can leave you at serious risk.
The intruder could log in to your accounts as you, spam your contacts with phishing attacks, or rack up expensive long-distance charges. They could also access any passwords saved on your phone, potentially opening the door to sensitive financial accounts. That’s why it’s important to be able to recognize when your smartphone has been hacked, especially since some of the signs can be subtle.
Here are some helpful clues:
Is your device operating slower, are web pages and apps harder to load, or does your battery never seem to keep a charge? What about your data plan? Are you exceeding your normal limits? These are all signs that you have malware running in the background, zapping your phone’s resources.
You may have downloaded a bad app, or clicked on a dangerous link in a text message. And malware, like Bitcoin miners, can strain computing power, sometimes causing the phone to heat up, even when you aren’t using it.
Mystery Apps or Data
If you find apps you haven’t downloaded, or calls, texts, and emails that you didn’t send, a hacker is probably in your system. They may be using your device to send premium rate calls or messages, or to spread malware to your contacts.
Pop-ups or Strange Screen Savers
Malware can also be behind spammy pop-ups, changes to your home screen, or bookmarks to suspicious websites. In fact, if you see any configuration changes you didn’t personally make, this is another big clue that your smartphone has been hacked.
What To Do
If any of these scenarios sound familiar, it’s time to take action. Start by deleting any apps or games you didn’t download, erasing risky messages, and running mobile security software, if you have it. Warn your contacts that your phone has been compromised, and to ignore any suspicious links or messages coming from you.
If the problem still doesn’t go away, consider restoring your phone to its original settings. Search online for instructions for your particular phone and operating system to learn how.
Now, let’s look at how to avoid getting hacked in the first place.
Secure Smartphone Tips
1. Use mobile security software—These days your smartphone is just as data rich as your computer. Make sure to protect your critical information, and your privacy, by using comprehensive mobile security software that not only protects you from online threats, but offers anti-theft and privacy protection.
2. Lock your device & don’t store passwords—Make sure that you are using a passcode or facial ID to lock your device when you’re not using it. This way, if you lose your phone it will be more difficult for a stranger to access your information.
Also, remember not to save password or login information for banking apps and other sensitive accounts. You don’t want a hacker to be able to automatically login as you if they do gain access to your device.
3. Avoid using public Wi-Fi—Free Wi-Fi networks, like those offered in hotels and airports, are often unsecured. This makes it easy for a hacker to potentially see the information you are sending over the network. Also, be wary of using public charging stations, unless you choose a “charging only” cable that cannot access your data.
4. Never leave your device unattended in public—While many threats exist online, you still have to be aware of real-world threats, like someone grabbing your device when you’re not looking. Keep your smartphone on you, or within view, while in public.
If you have a “phone visibility” option, turn it off. This setting allows nearby devices to see your phone and exchange data with it.
5. Stay aware—New mobile threats are emerging all the time. Keep up on the latest scams and warning signs, so you know what to look out for.
Looking for more mobile security tips and trends? Be sure to follow @McAfee Home on Twitter, and like us on Facebook.
It is not a secret that many people nowadays do not pay much attention when they surf the web at home or at work. There are new data breaches and exploits on a daily basis, and still, failing to take any precautions may result in catastrophic consequences. Even the biggest corporations are paying millions of dollars to improve their cybersecurity and remain safe. However, if you still believe in some of the cybersecurity myths, you may put your own computer or even your whole organization at huge risk. We at CyberDB have decided to bust the top 5 cyber security myths and make things clear for you.
Only the IT department is responsible for cybersecurity
It is not wrong to say that the IT department is responsible for implementing new processes and policies to keep cybersecurity in a top-notch state. However, they just don’t have a magic wand to protect all of the computers in the network. In reality, each employee should be extremely careful when receiving and opening e-mail messages from colleagues or third parties. It is dangerous because an infection can spread across all of the departments within the organization, and this may cause, for example, a further data breach.
Using just an antivirus software is enough
Antivirus software might have been enough to save your business from a potential attack 20 years ago; nowadays it is definitely not enough to protect your whole organization. Hackers find new ways to disable your antivirus and hide their attacks in the system. With ransomware gaining more popularity among hackers, getting infected and having your information locked is just a matter of seconds. So using an antivirus is not always enough; you also need to stay informed about the latest threats. Check out our database of cyber security vendors to find the best solution for your personal or business needs.
A strong password is enough
It is not a secret that having a long and complex password on your accounts is essential. However, even big tech giants like Facebook or Apple experience data breaches and are quite often a target for hackers. Every website requires you to create a strong password, but it is also good to use two-factor authentication (2FA). At first the user received an SMS with a code for 2FA, but even this can be compromised by using a cloned SIM card. So make sure you use an app like Google Authenticator, for example, to make your accounts more secure.
Threats are being spread only through the Internet
Some users may think that disconnecting from the internet will prevent the threats spreading around the network and they are completely wrong. Just imagine what happens if an employee brings an infected flash drive and plugs it in – all of the computers may become infected and your company may lose valuable information. You may have your information stolen even when you shop at a local retailer. So threats are not only online, but in our daily life and we need to be very careful and take care of our personal information.
Only certain industries experience cyber attacks
Some businesses still believe that they may be not targeted by hackers because they are a small or mid-sized business or in a specific industry. Well, they are completely wrong. Some companies also believe they do not have anything that hackers may find valuable to steal. In reality there is information like personal addresses or credit card numbers which can make every business in every industry a potential target. Here are the industries which are most vulnerable to cyber-attacks nowadays:
The assumption that software security can stay ahead of the hackers is not true because the software security industry is always reacting to threats that hackers expose. Once hackers start exploiting a flaw in an application, security companies try to block the resulting threat by providing security updates for existing software or by developing new programs. Either way, hackers will be one step ahead because the software security industry can’t predict what new threats the hackers will unleash.