How to Guess Visa Card Details in 6 Seconds*:
- If you shop online, you know that retailers ask for extra card information, such as the security code, to reduce the risk of fraud.
- In the case of Visa, it turns out there’s a way for hackers to guess that card information in mere seconds.
- The trick described in a new academic paper may have been responsible for the hack of thousands of Tesco customers in the U.K.
- The attackers use bots to submit guesses of the missing card details to hundreds of retailers' websites at once; because each site sees only a few attempts, the guessing is spread thin enough that no single retailer notices it.
- Online retailers are also part of the problem, the report suggests, since many of them allow the same card details to be submitted over and over again with no limit on attempts.
- To avoid this weakness, Visa could adopt a similar approach to MasterCard and shut down a card when someone tries to guess card details multiple times in rapid succession.
- There have been no confirmed cases of hackers carrying out the attack described in the paper but some security experts believe it has indeed been used including in a major security breach last month at Tesco.
*Source: Fortune, December 05, 2016
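The distributed guessing described above defeats a retailer-side attempt counter because no single retailer sees enough declines to trip it; the MasterCard-style defence the digest mentions works because the issuer counts declines per card across every merchant. The following added example (not code from the paper, Visa, MasterCard or any retailer) simulates both counting strategies on the same constructed traffic: 60 wrong security-code guesses for one card spread across 60 hypothetical merchant sites in six seconds. Merchant ids, the PAN and the thresholds are assumptions.

```python
from collections import defaultdict, deque


def distributed_guesses(n_guesses, n_merchants, duration_s, pan="4111111111111111"):
    """Constructed attacker traffic as an issuer would see it: n_guesses wrong
    security-code guesses for one card, spread round-robin across n_merchants
    sites within duration_s seconds. Merchant ids and the PAN are hypothetical."""
    return [
        {
            "t": i * duration_s / n_guesses,
            "merchant": f"merchant-{i % n_merchants:03d}",
            "pan": pan,
            "cvv": f"{i:03d}",
            "approved": False,  # every guess is wrong in this constructed sample
        }
        for i in range(n_guesses)
    ]


class FailureVelocityLimiter:
    """Refuses further authorizations for a key once more than max_failures
    declined attempts land inside a sliding window of window_s seconds."""

    def __init__(self, key_fn, max_failures, window_s):
        self.key_fn = key_fn
        self.max_failures = max_failures
        self.window_s = window_s
        self.failures = defaultdict(deque)  # key -> timestamps of recent declines
        self.blocked = set()

    def observe(self, attempt):
        """Return True if the attempt should be refused."""
        key = self.key_fn(attempt)
        if key in self.blocked:
            return True
        if attempt["approved"]:
            return False
        recent = self.failures[key]
        recent.append(attempt["t"])
        # drop declines that fell out of the sliding window
        while recent and attempt["t"] - recent[0] > self.window_s:
            recent.popleft()
        if len(recent) > self.max_failures:
            self.blocked.add(key)
            return True
        return False


def refused_count(attempts, limiter):
    """Feed attempts in time order and count how many the limiter refuses."""
    return sum(limiter.observe(a) for a in sorted(attempts, key=lambda a: a["t"]))


def compare_strategies(n_guesses=60, n_merchants=60, duration_s=6.0,
                       max_failures=3, window_s=60):
    """Same traffic, two counting strategies: per (merchant, card) versus per card."""
    attempts = distributed_guesses(n_guesses, n_merchants, duration_s)
    per_merchant = FailureVelocityLimiter(lambda a: (a["merchant"], a["pan"]),
                                          max_failures, window_s)
    per_card = FailureVelocityLimiter(lambda a: a["pan"], max_failures, window_s)
    return {
        "refused_per_merchant": refused_count(attempts, per_merchant),
        "refused_per_card": refused_count(attempts, per_card),
    }


if __name__ == "__main__":
    print(compare_strategies())
```

With the default parameters the per-merchant limiter refuses nothing, since each site sees exactly one decline, while the per-card limiter refuses everything after the third decline. The same code run with a single merchant shows the two strategies agreeing, which is why a retailer-only defence looks adequate until the attacker spreads the traffic.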
Researchers Found ‘Fatal’ Flaws in 10 Medical Devices*:
- Researchers at the University of Birmingham in the U.K. and the University of Leuven in Belgium discovered vulnerabilities in the software and signals that communicate with implant devices.
- The software is used to update the devices or gather data readings on a patient.
- The device manufacturer's name has not been disclosed, but the researchers said the bugs were patched by the maker before the research paper was made public.
- The remote software for medical devices like pacemakers helps doctors manage a patient’s condition and make sure they are working properly.
- According to the paper, the reverse engineering an attacker would need to perform on the devices was carried out using “inexpensive Commercial Off-The-Shelf (COTS) equipment.”
- An attacker could collect sensitive data readings about the patient and send commands to a device such as a pacemaker to disable certain functions or deliver an unneeded shock, which could be fatal.
- In another attack, the researchers were able to keep an Implantable Cardioverter Defibrillator (ICD) turned on despite “standby mode” being selected, which would drain the battery and put the patient at risk.
- Earlier in the year, hackers showed how it was possible to break into insulin pumps and alter the dosage.
*Source: Business Insider, December 03, 2016
Where Are We on Encryption?*:
- The debate over encryption and government access to secured communications dates decades back.
- For Americans, it grabbed their attention early in 2016 as law enforcement was looking for leads on the San Bernardino shooter’s iPhone.
- The FBI obtained a court order demanding that Apple write special software to defeat the security feature that would otherwise erase the phone's contents if the passcode were brute-forced.
- The conversation about encrypted devices quickly merged with the one about encrypted communications.
- The FBI then paid a mysterious third party and unlocked the phone without Apple's help; over the following months, several bills appeared and faded in the outgoing Congress.
- Since the Apple-FBI standoff, the push for stronger encryption has been marching on.
- Google, despite its struggle to push updated software to the fragmented market of various Android devices, is also promoting default encryption.
- WhatsApp, the most popular messaging platform, has doubled-down on encryption and has even introduced secured video chat.
- Christopher Soghoian, principal technologist at the ACLU said, “I don’t see a situation where the government … is going to force Apple to roll back encryption of the iPhone.”
*Source: NPR, December 03, 2016
Where Cybercriminals Go to Buy Your Stolen Data*:
- With nothing more than a standard Web browser, cybercriminals can find personal, private information all over the public Internet.
- It isn’t just legitimate services that can be exploited for nefarious purposes; openly malicious criminal activities are also happening on the public Internet.
- It’s true that much of the cybercrime underground consists of private and established communities that don't appear in a normal search engine and are not accessible by regular users without special authorization.
- However, there are different levels of cybercriminal resources - and not all are so tightly protected.
- The quality and quantity of the more easily accessible forums are still high, and anyone can access content like stolen credit cards and even advanced malware.
- Data sold on criminal marketplaces ages quickly, meaning that once information is stolen it has to be used for fraud soon afterwards.
- Companies should have these marketplaces monitored, looking for trends in data breaches and attacks as well as to see if any of their data has been compromised.
- Researching and absorbing this information requires significant training and experience, and it’s more than any one IT person can handle.
- Even large US banks that have dedicated security staff are not able to do some of the research and analysis that specialized reconnaissance teams can perform.
*Source: Dark Reading, December 2016
A Hacker’s Tips for Protecting Your Digital Privacy*:
- Protecting individual privacy from government intrusion is older than American democracy.
- In 1604, the attorney general of England, Sir Edward Coke, ruled that a man’s house is his castle – this was the official declaration that a homeowner could protect himself and his privacy from the king’s agents.
- Malicious hackers and governments can monitor the most private communications, browsing habits, and other data breadcrumbs of anyone who owns a smartphone, tablet, laptop, or personal computer.
- President-elect Donald Trump’s criticism of encryption technology and interest in expanding government surveillance have technologists and civil libertarians deeply concerned.
- People who think like hackers have some really good ideas about how to protect digital privacy during turbulent times.
- Here are the tips for protecting our digital privacy:
- When you communicate with people, you want to be sure that only you and they can read what is being said, so you need “end-to-end encryption”.
- Avoid being tracked online by installing a free tracker-blocking “browser extension”.
- A virtual private network (VPN) can encrypt your online activity.
- Use DuckDuckGo or F-Secure Safe Search if you don’t want anyone to know what you’re searching for online.
- Add security to your email and social media accounts by enabling two-factor authentication.
*Source: Fast Company, December 09, 2016
Germany Sees Rise in Russian Propaganda, Cyber Attacks*:
- Germany's domestic intelligence agency reported a striking increase in Russian propaganda and disinformation campaigns aimed at destabilizing German society, and targeted cyber-attacks against political parties.
- The goal was to spread uncertainty, strengthen extremist groups and parties, complicate the work of the federal government and "weaken or destabilize the Federal Republic of Germany".
- The agency said it had seen a “striking increase” in spear-phishing attacks attributed to a Russian hacking group; the attacks were directed against German parties and lawmakers and were carried out by government bodies posing as "hacktivists".
- German officials have accused Moscow of trying to manipulate German media to fan popular angst over issues like the migrant crisis, weaken voter trust and breed dissent within the European Union so that it drops sanctions against Moscow.
- Russian officials have denied all accusations of manipulation and interference intended to weaken the European Union or to affect the U.S. presidential election.
*Source: Reuters, December 08, 2016