Free Rides at San Francisco Metro

27-Nov-2016:
A hacker deployed ransomware making the metro system un-usable, and asked for $73000..!

30-Nov-2016:
The hacker gets hacked. Reminder to change those password recovery questions.

Tesco Bank Hack

About 9000 customers lost over £2.5 million. The Bank was then forced to refund the money. This is after they froze internet banking for over 20K customers.

3.2 million debit cards compromised in India

Hackers allegedly used malware to compromise the Hitachi Payment Services platform — which is used to power country's ATM, point-of-sale (PoS) machines and other financial transactions — and stole details of 3.2 Million debit cards!
Amazing

Distressed Yahoo!

Yahoo is a facing a lot of heat at the moment, with some recent events.

First, 500 million user accounts was stolen in 2014, and got dumped online recently. Then, there is news that Yahoo complied with a secret government order to search the incoming emails of all of its users. This secret initiative was not even known to its internal security team.

Verizon, who has been in talks to acquire Yahoo is now seeking a $1 Billion price cut. Hence, the timing of these revelations couldn't have come at a worse time for Yahoo. 

To make matters worse, to avoid users leaving its platform, Yahoo has disabled email-forwarding. This is totally in bad faith, which will only frustrate it's users.

Update 15-Dec-2016:
Yahoo says an additional 1 Billion users were impacted. This is insane!
More details from Krebs.

Update 14-Jun-2017:
The Verizon deal finally goes thru, and Yahoo's CEO resigns.

Update  04-Oct-2017:
Every single Yahoo account was hacked - 3 billion in all - link

Israeli Online Attack Service

A super investigation (and DOXing) done by Brian Krebs. A look at how a DDoS for hire service operates and launders money!   Link

Update 13-Sep-2106:
Krebs gets DDoS-ed for this article, by the same botnet company

China Launches 'Hack-Proof' Satellite

QUESS will send messages to ground stations using entangled photons, Xinhua reported. Such a system is theoretically impossible to hack. In addition, any attempts to eavesdrop would be picked up via an induced change in the photons' state.

Story here

Car Thieves Can Unlock 100 Million Volkswagens With A Simple Wireless Hack

Next time when you leave your car in a parking lot, make sure you don't leave your valuables in it, especially if it's a Volkswagen. What's more worrisome?

Windows Secure Boot: Insecure by design and mostly likely can't be fixed

Encryption backdoors don’t work; the latest proof of that was discovered by security researchers Slipstream and MY123. This time, the security flub-up involves “golden keys” which can unlock Windows devices allegedly protected by Secure Boot.

Fake LinkedIn Profiles

I am not sure why but I receive way too many connection requests from fake profiles. Take for instance the following request, seemingly coming from a "Gabriella Kimber" in Germany, who in fact owns a premium account with LinkedIn, and has 414 connections (at the time of writing this post).



A simple Google photo search reveals, this photo has been taken as is from the G+ profile (link) of Lika Roman, who is actually Miss Ukraine 2007 (wikipedia).



I am sure a pretty woman's photograph is put up to attract attention, but still what's their end goal here? What do they aim to gain from such fake accounts?

KickassTorrents Busted

KAT counts more than 50 million unique monthly visitors and is estimated to be the 68th most frequently visited website on the internet
Story

200M yahoo accounts for sale for $1800

The hacker, who goes by the pseudonym "Peace" or "peace_of_mind," has uploaded 200 Million Yahoo! credentials up for sale on an underground marketplace called The Real Deal for 3 Bitcoins (US$1,824).
Story

No More Ransom

Europol in collaboration with others have introduced a simple portal to provide all know antidotes to the common cryptoware out there:   https://www.nomoreransom.org/

Update 29-Jul-2016:
Victims of the Chimera ransomware were thrown a lifeline this week after a rival malware author appeared to leak the decryption keys online.
Kudos to competing hackers as well?!

UK: CyberCrime overtakes Physical Crime

The ONS estimated that there were 2.46 million cyber incidents and 2.11 million victims of cyber crime in the U.K. in 2015,” the report’s authors wrote. 

Personally I do not think cyber-crime is materially worse in UK. I think they are tracking and recording it better, and most important the awareness has improved in the country. However, still an eye opener !

Link 1 & Link 2

Forgetting to renew domain names

TP-Link, who manufactures routers, has forgotten to renew it's 2 domains names, which is widely used. This has now been jacked by someone, who is selling it for $ 2.5 M.
These domain names appear to be quite busy; estimates based on Alexa's ranking suggest that tplinklogin-dot-net sees about 4.4 million visits per month, with another 800,000 for tplinkextender-dot-net.
Seems like TP-Link is not at all interested in buying back those domains ... updating its manuals to remove the domain name references altogether.
This is an ideal way for someone to create spoof website, with a target audience of millions !

Ethereum DAO Hack

The hack makes me think about the reliability of crypto-currency. If we go with the assumption that there is no bug-free software, it is always only a matter of time (hence patching is of utmost importance), then how do we have our faith in bitcoins or any other altcoins?

How can they recover the stolen money? They can't -- at least not without destroying the entire principle of cryptocurrencies

Am very curious to see what this community decides to do now. Hack details.

A synopsis of the hack and the Robin Hood hack.

Terrorism blacklist of 2.2 M people leaked

.. came across a “terrorism blacklist” which contains the names of 2.2 million “heightened-risk individuals and organizations. The terrorism category is only a small part of the database. Other categories consist of individuals suspected of being related to money laundering, organized crime, bribery, corruption, and other unsavory activities.

Cyberspace is a New Domain for War

We have known this for a while, just good to see this is now formalized.
The North Atlantic Trade Organization (NATO) has officially declared that cyberspace is a domain for war, placing it alongside the traditional battlegrounds of land, sea and air.

A 0-day that impacts ALL Windows Versions

A Russian website is selling a 0-day, for a meager $ 90K. This impacts a potential 1.5 B Windows users !

There are 2 videos to provide a POC.

Details Here

Myspace & VK lose customer records

VK lost 100 M user records; and MySpace lost 427 M.
VK's dump is being sold for a measly 1 BTC (USD 570).

Introducing e-stonia

For tech companies wondering where to setup their HQ, Estonia seems to be a good (and fair) place to consider.

Its offering is a location-independent, hassle-free and fully digital economic and financial environment for anyone who needs it. The company is managed by its owners themselves, not nominal “directors.”
Where exactly are the taxes paid, at the end of the day? “Taxes must be paid where the value was created” 


Receive SMS - without actually owning the number

There are lots of websites which ask you for a mobile phone number, and send a sms verification. Top 10 websites which are useful to find a disposable number.

BeautifulPeople.com Leaks 1.1 M records

After Ashley Madison, another dating website hit!
BeautifulPeople.com Leak has exposed 1.1 million customer records, including 15 million private messages sent between users. It seems like the records are for sale on the shadier parts of the web and actively being traded by those who trade these kind of things.
Story

Panama Papers Leak

A data leak that showcases how miserably some of the big names try and hide their wealth from the tax authorities.
Eleven million documents were leaked from the secretive Panamanian law firm Mossack Fonseca. They show how the company has helped some clients launder money, dodge sanctions and avoid tax.

Story Here

Rigging elections via the cyber world

He knew that accounts could be faked and social media trends fabricated, all relatively cheaply ... he could manipulate the public debate as easily as moving pieces on a chessboard - or, as he puts it, “When I realized that people believe what the Internet says more than reality, I discovered that I had the power to make people believe almost anything.”
Story here.

Update 15-Jun-2016:
Related, but not the same guy, some news of stealing data on the ongoing elections, on Trump.

Update 22-Jul-2016:
Wikileaks dumps thousands of leaked emails (here) from USA's DNC party. This helps Republican nominee Trump tremendously. Some believe this is done by Russian hackers, which I am skeptical to. Anyway, if there is anyone who still believes hackers cannot help with elections, it is high time to reconsider.

Update 12-Aug-2016:
Seems like I am not the only one who believes that elections could be rigged, using the power of web.

Update 31-Dec-2016:
In case there are still some skeptics who think cyber-world cannot rig, something as allusive as elections:
  • US imposes sanctions on Russia
  • The IOC and a detailed report from DHS
  • The story of a Russian hacker - Aleksandr B Vyarya
Update 02-Jun-2017:
How are these leaks happening (and the tainted leaks)?

Update 20-Feb-2018:
So, how were the USA elections influenced, the investigation is now complete.


Learn from the hacker!

The hacker who hacked "The Hacking Team", shares his knowledge. Helps us appreciate how much time and effort goes into a successful hack.
He makes no bones about it; he’s a black hat hacker. Phineas Fisher wrote, “You used to have to sneak into offices to leak documents. You used to need a gun to rob a bank. Now you can do both from bed with a laptop in hand.”

Philippine voters' data leaked

55 million Filipino voters’ data was now out in the wild ... a ginormous data breach with extremely sensitive information and at 55M individuals, that’s also more than half the country’s population.

Dreamhost does not hash passwords!

Does anyone use DreamHost for cloud hosting? I am astonished to see they do not hash user passwords, and their support staff have the ability to view my password in plain-text. Even more astonishing is that they have no idea why this is a bad idea.
My tweet to them

Hacking Lottery via Random Num Generator

For several years, Eddie Tipton, the former security director of the US Multi-State Lottery Association, installed software code that allowed him to predict winning numbers on specific days of the year, investigators allege.
Full story!
 

50 M Turkish Citizens' Personal Data leaked Online

The leaked database (about 6.6 GB file) contains the following information:
  • First and last names
  • National identifier numbers (TC Kimlik No)
  • Gender
  • City of birth
  • Date of birth
  • Full address
  • ID registration city and district
  • User's mother and Father's first names
To prove the authenticity of the data, the group of hackers published the personal details of Turkish President Recep Tayyip Erdogan, along with his predecessor Abdullah Gul, and Prime Minister Ahmet Davutoglu.
Full Story

Bangladesh Bank hit by $1 Billion cyber heist

Four requests to transfer a total of about $81 million to the Philippines went through, but a fifth, for $20 million, to a Sri Lankan non-profit organisation got held up because the hackers misspelled the name of the NGO.
At the same time the unusually high number of payment instructions and the transfer requests to private entities ... made the Fed suspicious, which also alerted the Bangladeshis ...  The transactions that got stopped totalled between $850 million and $870 million
Story here & here.

Update 24-Apr-2016:
The bank's security was in a pitiful condition!
Bangladesh's central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 switches to network computers connected to the SWIFT

Update 27-Apr-2016:
A very sophisticated attack, which makes sense knowing the attackers targetted almost $1B from this one bank alone, and maybe others.
That apparently allowed the attackers to delete outgoing transfer requests and intercept incoming requests, as well as change recorded account balances – effectively hiding the heist from officials.
The malware even interfered with a printer to ensure that paper copies of transfer requests didn’t give the attack away.

Update 13-May-2016:
Another bank hit, by the same malware

Update 27-May-2016:
More banks are investigating a potential breach. Ecuador Bank become the third victim !

Update 28-May-2016:
Is North Korea responsible?

An interesting article with all the known facts from the Bangladesh hack.

Update 29-Jun-2016:
Ukrainian Bank loses 10 M, to a swift attack.

Update 11-Nov-2016:
$15M recovered by the Bangladesh Bank, thanks to the courts.

Update 07-Apr-2017:
Lazarus group exposed, with links to N Korea

Ukraine's Power Grid hacked

This was one of the concerns highlighted by the American government as well. Russia becomes the first in the world to suffer a power outage because of hackers.
The hackers who struck the power centers in Ukraine—the first confirmed hack to take down a power grid—weren’t opportunists who just happened upon the networks and launched an attack to test their abilities; according to new details from an extensive investigation into the hack, they were skilled and stealthy strategists who carefully planned their assault over many months, first doing reconnaissance to study the networks and siphon operator credentials, then launching a synchronized assault in a well-choreographed dance.
Update Dec-2016:
Another attack confirmed in Ukraine.

Veil Framework – Antivirus Evasion Framework

As if there weren't already enough frameworks to help the bad guys get organized.
The Veil-Framework is a collection of red team security tools that implement various attack methods focused on antivirus evasion and evading detection.
Details here.

DROWN Attack

Yet another attack on SSL. This time on ver-2!
More here.

Google's Project Shield

Google has finally launched its much touted Project Shield DDoS mitigation service, with a mission to preserve free speech by protecting news, human rights and election monitoring sites around the world.
Details here; project website here 

MouseJack: Injecting Keystrokes into Wireless Mice

Interesting hack to take over wireless mice (non-Bluetooth).
Wireless mice and keyboards commonly communicate using proprietary protocols operating in the 2.4GHz ISM band. In contrast to Bluetooth, there is no industry standard to follow, leaving each vendor to implement their own security scheme. 

Pwn2Own 2016

The annual event, which was originally hosted by HP's ZDI, will now be jointly hosted by HP and TrendMicro (post the acquisition). Details are here and here.

Highlights:

  • Exploiting Google Chrome or Microsoft Edge will earn hackers $65,000
  • Exploiting Apple Safari on Mac only $40,000. 
  • Achieving system-level access on Windows or root access on Mac OS X would add another $20,000 to the final payout.
  • Adobe Reader, Mozilla Firefox and Internet Explorer are no longer on the contest's target list. Adobe Flash remains, but only the version that comes bundled with Microsoft Edge
  • If anyone manages to escape the VMware Workstation virtual machine and achieves code execution on the host operating system, they’ll receive an additional $75,000


HSBC Under Attack

They say, it's a standard DDoS attack, with no threat to client data.... Makes me wonder if there is anything else going on, with the DDoS acting as a smoke screen.

Cybercriminal Call Centers

There is no limit to how organized the cyber-crime is getting
Crooks who make a living via identity theft schemes, dating scams and other con games often run into trouble when presented with a phone-based challenge that requires them to demonstrate mastery of a language they don’t speak fluently. Enter the criminal call center, which allows scammers to outsource those calls to multi-lingual men and women who can be hired to close the deal.

Introducing: Diskpart

Ever thought of having a virtual drive on your Windows PC? Instead of partitioning your hard-disk, how about a virtual container, which would be completely portable and can be carried to any Windows PC?

No special downloads needed: DiskPart is build into Windows. This batch file could help speed things up a bit. If security is of a concern, you could easily use Bitlocker to encrypt the entire drive.

Introducing Red Star OS

In case people think PRISM is a concern to the citizen's privacy, here is a look into the Red Star OS. It's a state sponsored (North Korea) custom version of linux:
Red Star tackles this by tagging, or watermarking, every document or media file on a computer or on any USB stick connected to it. That means that any file can be traced back to the person who had previously opened or created the file.