Bank Details of Indians up For Sale For Rupees 500*:
- The credit and debit card details, phone numbers, details of the bank account a card is linked to, CVV number, and email IDs are up for sale on the dark web for Rs500.
- The police discovered that the details of Indians were being sold online after busting an international gang led by a Pakistani national.
- The gang was busted after a detective, posing as a customer, bought debit card details of an Indore-based woman in exchange for Bitcoins.
- An investigation was initiated after a banking professional filed a complaint that Rs 72,401 was debited from his credit card in August.
- The international gangs used international websites which do not require a One Time Password.
*Source: India, October 17, 2017
Wi-Fi Security Has Been Breached*:
- Researchers revealed details of a new exploit called KRACK that takes advantage of vulnerabilities in Wi-Fi security to let attackers eavesdrop on traffic between computers and wireless access points.
- It takes advantage of several key management vulnerabilities in the WPA2 security protocol, the popular authentication scheme used to protect personal and enterprise Wi-Fi networks.
- The United States Computer Emergency Readiness Team issued the following warning in response to the exploit:
- US-CERT has become aware of several key management vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access II (WPA2) security protocol.
- The impact of exploiting these vulnerabilities includes decryption, packet replay, TCP connection hijacking, HTTP content injection, and others.
- Note that as protocol-level issues, most or all correct implementations of the standard will be affected.
- All Wi-Fi devices are to some degree susceptible to the vulnerabilities making them ripe for data theft or ransomware code injection from any malicious attacker within range.
- The researchers recommend patching all Wi-Fi clients and access points when the fixes are available and to continue using WPA2 until then.
*Source: The Verge, October 16, 2017
Microsoft Has Already Fixed the Wi-Fi Attack Vulnerability*:
- Technology companies are starting to respond to a new Wi-Fi exploit affecting all modern Wi-Fi networks using WPA or WPA 2 encryption.
- The security vulnerabilities allow attackers to read Wi-Fi traffic between devices and wireless access points, and in some cases even modify it to inject malware into websites.
- Security researchers claim devices running macOS, Windows, iOS, Android, and Linux will be affected by the vulnerabilities.
- Microsoft says it has already fixed the problem for customers running support versions of Windows.
- Microsoft says the Windows updates released on October 10th protect customers.
- It looks like Android and Linux devices are affected by the worst part of the vulnerabilities, allowing attackers to manipulate websites, and Google has promised a fix for affected devices “in the coming weeks.”
- Some researchers claim 41 percent of Android devices are vulnerable to an “exceptionally devastating” variant of the Wi-Fi attack that involves manipulating traffic.
- The Wi-Fi Alliance has responded to the disclosure of the vulnerabilities, saying “this issue can be resolved through straightforward software updates, and the Wi-Fi industry has already started deploying patches to Wi-Fi users.”
- Apple also confirmed that the vulnerability is patched in a beta version of the current operating systems, and the fix should go public in a few weeks.
- AirPort hardware, including the Time Machine, AirPort Extreme base station, and AirPort Express do not have a patch.
*Source: The Verge, October 16, 2017
There’s No Good Decision in the Next Big Data Privacy Case*:
- In 2013, the United States agents served a warrant on Microsoft seeking the emails of a suspect in a drug case.
- Microsoft balked at the request, saying that the data was stored on a server in Ireland and out of the reach of United States law enforcement.
- To access the data, the United States would need to make a request to the Irish government through diplomatic channels a slow and burdensome process.
- The Supreme Court agreed to hear the case this term, and its decision will determine the extent to which United States law enforcement can access data held abroad.
- Microsoft will argue that the data is outside domestic law enforcement’s direct reach.
- The government will make the case that its warrant authority covers data held anywhere, so long as it can be accessed by a company operating from within the United States.
- At issue in the case is the interpretation of a 30-year old statute, the Stored Communications Act – the statute was written before there even was a global internet and it governs when and how law enforcement can demand an internet service provider turn over data needed for a criminal investigation.
- If the Supreme Court backs Microsoft, law enforcement access to data will be limited based on the arbitrary fact of where the data happens to be stored.
- Prosecutors will have to use diplomatic channels to seek enforcement of their warrants overseas, and would put the United States law enforcement investigations under the control of foreign governments, some of which have no interest in cooperating.
- A ruling in favor of Microsoft would provide a blueprint for malicious actors to evade the reach of American law enforcement, ad incentivizes costly data localization mandates.
- This would undermine the growth potential of the internet and potentially price small start-ups out of the international market.
- A government win would have its own costs – it would broadcast to the world that United States law enforcement can access data held by a domestically based company anywhere.
- It would set a dangerous precedent, allowing governments to reach data across borders without regard to the sovereign interests of other states.
- It would make it that much harder for the United States to protect our own citizens and residents from the reach of foreign law enforcement asserting the same authority.
- There’s a middle ground – legislation already pending in Congress would permit the United States to access, pursuant to a warrant, data needed for the investigation of criminal activity, regardless of where that data happens to be.
- It would also require courts to take a second look if the data belongs to a foreign national outside the United States, when certain conditions are met.
- Such a shift makes sense because people have connections to the place that they live, not where their data happens to be stored. Such a system preserves democratic accountability.
- How this issue is resolved will shape privacy, security, the economy, and the very future of the internet for years to come.
*Source: New York Times, October 18, 2017
Ships Are Basically Big Floating Security Nightmares*:
- A researcher for UK-based Pen Test Partners has been exploring maritime satellite communication systems used to keep ships connected while at sea.
- He describes ships as floating industrial control systems that were traditionally isolated but are now always connected to the internet.
- Industrial control systems (ICS), which evolved without much thought for network-based attacks, have struggled for decades to adapt to the constant state of siege on the internet.
- There have been plenty of ship security incidents reported.
- The researcher used a search engine for finding devices on the internet, and looked for several popular brands of maritime satcom systems, including Cobham, Inmarsat, and Telenor kit.
- Pulling up an actual CommBox login page, he found the connection was poorly secured with no HTTPS protection.
- The system presented a link to a queryable user database and it revealed network configuration data merely by mousing over the UI.
- If he had ties to ship-hijacking pirates, he could provide the vessel’s location, alongside crew data, via the automatic identification system (AIS) used to track ships.
- Satcom boxes need to implement TLS, password complexity must be enforced for user accounts, and comms hardware needs secure firmware; start with securing the sitcom boxes, then move on to securing other ship systems.
*Source: The Register, October 13, 2017
This Bug Let a Researcher Bypass GoDaddy's Site Security Tool*:
- A widely used security tool owned by web hosting provider GoDaddy, designed to prevent websites from being hacked, was easily bypassed, putting websites at risk of data theft.
- The company’s website application firewall (WAF) protects websites against a range of attacks by adding an extra layer of security to a website to protect against cross-site scripting and SQL injection techniques.
- It protects websites against a range of attacks by adding an extra layer of security to a website to protect against cross-site scripting and SQL injection techniques.
- A researcher found that the firewall would let through some commands, allowing him to gain access to vulnerable databases behind the scenes.
- SQL injection attacks can be launched from the web browser's address bar. If the attack is successful it will display a list of database tables on the website itself.
- GoDaddy said it patched the bug within a day of the security researcher's private disclosure to the company.
- The company is "not aware of other customers" impacted by the bypass, but wouldn't say how many websites were at risk of the bypass technique.
- A digital forensics and incident response specialist, explained that web application firewalls mimic the behavior of antivirus products rather than a traditional firewall.
- Web traffic filtering relies more on blacklisting bad stuff using signatures than whitelisting slews of unneeded ports and protocols like traditional firewalls.
- Web application firewalls block attacks on sites running web applications that are already vulnerable to attacks, like out-of-date content management systems, like WordPress or Joomla.
- It’s a great move to add another layer of defense to sites, but it should never be mistaken for a replacement for secure coding.
*Source: ZDnet, October 13, 2017
British Intelligence Agencies May Have Been Collecting And Sharing Your Social Media Data*:
- British intelligence agency Government Communications Headquarters (GCHQ) may have been collecting personal social media data of people as part of their mass surveillance efforts.
- According to some reports, the GCHQ has been collecting such information over years, even decades, and has been sharing this information with foreign intelligence and other law enforcement agencies.
- The Investigatory Powers Commissioner's Office (IPCO), the body that oversees the activities of the GCHQ, has also been reportedly left out of the loop with regards to this.
- It is still not clear to what extent the data is being collected and what it is being used for; what kind of data is getting collected is also yet to be revealed.
- The data has been categorised into biographical data, financial activities, travel, and more.
- Privacy International (PI), a privacy watchdog, was reported to have documents that support these claims.
- PI is apparently questioning the British government's overreach in using its investigatory powers to gather mass surveillance data and then share it.
- An investigation was conducted in August and September and an audit of the data was made on all the files held by intelligence agencies like the MI5, MI6 and GCHQ.
- The audit, it was reported, found that they had "sensitive medical data or financial details" apart from social media information.
*Source: IB Times, October 18, 2017