27-Nov-2016:
A hacker deployed ransomware, making the metro system unusable, and asked for $73000!
30-Nov-2016:
The hacker gets hacked. Reminder to change those password recovery questions.
2016-11-30
2016-11-14
Tesco Bank Hack
2016-10-20
3.2 million debit cards compromised in India
Hackers allegedly used malware to compromise the Hitachi Payment Services platform — which is used to power country's ATM, point-of-sale (PoS) machines and other financial transactions — and stole details of 3.2 Million debit cards!
Amazing
2016-10-12
Distressed Yahoo!
Yahoo is facing a lot of heat at the moment, with some recent events.
First, 500 million user accounts were stolen in 2014, and got dumped online recently. Then, there is news that Yahoo complied with a secret government order to search the incoming emails of all of its users. This secret initiative was not even known to its internal security team.
Verizon, which has been in talks to acquire Yahoo, is now seeking a $1 Billion price cut. Hence, these revelations couldn't have come at a worse time for Yahoo.
To make matters worse, to avoid users leaving its platform, Yahoo has disabled email-forwarding. This is totally in bad faith, which will only frustrate its users.
Update 15-Dec-2016:
Yahoo says an additional 1 Billion users were impacted. This is insane!
More details from Krebs.
Update 14-Jun-2017:
The Verizon deal finally goes through, and Yahoo's CEO resigns.
Update 04-Oct-2017:
Every single Yahoo account was hacked - 3 billion in all - link
2016-09-10
Israeli Online Attack Service
A super investigation (and doxing) done by Brian Krebs. A look at how a DDoS-for-hire service operates and launders money! Link
Update 13-Sep-2016:
Krebs gets DDoS-ed for this article, by the same botnet company.
2016-09-08
2016-08-21
China Launches 'Hack-Proof' Satellite
QUESS will send messages to ground stations using entangled photons, Xinhua reported. Such a system is theoretically impossible to hack. In addition, any attempts to eavesdrop would be picked up via an induced change in the photons' state.
Story here
2016-08-13
Car Thieves Can Unlock 100 Million Volkswagens With A Simple Wireless Hack
Next time when you leave your car in a parking lot, make sure you don't leave your valuables in it, especially if it's a Volkswagen. What's more worrisome?
Windows Secure Boot: Insecure by design and most likely can't be fixed
Encryption backdoors don’t work; the latest proof of that was discovered by security researchers Slipstream and MY123. This time, the security flub-up involves “golden keys” which can unlock Windows devices allegedly protected by Secure Boot.
2016-08-09
Fake LinkedIn Profiles
I am not sure why but I receive way too many connection requests from fake profiles. Take for instance the following request, seemingly coming from a "Gabriella Kimber" in Germany, who in fact owns a premium account with LinkedIn, and has 414 connections (at the time of writing this post).
A simple Google photo search reveals that this photo has been taken as is from the G+ profile (link) of Lika Roman, who is actually Miss Ukraine 2007 (wikipedia).
I am sure a pretty woman's photograph is put up to attract attention, but still what's their end goal here? What do they aim to gain from such fake accounts?
2016-08-08
KickassTorrents Busted
KAT counts more than 50 million unique monthly visitors and is estimated to be the 68th most frequently visited website on the internet.
Story
2016-08-02
200M Yahoo accounts for sale for $1800
The hacker, who goes by the pseudonym "Peace" or "peace_of_mind," has uploaded 200 Million Yahoo! credentials up for sale on an underground marketplace called The Real Deal for 3 Bitcoins (US$1,824).
Story
2016-07-28
No More Ransom
Europol, in collaboration with others, has introduced a simple portal to provide all known antidotes to the common cryptoware out there: https://www.nomoreransom.org/
Update 29-Jul-2016:
Victims of the Chimera ransomware were thrown a lifeline this week after a rival malware author appeared to leak the decryption keys online.
Kudos to competing hackers as well?!
2016-07-22
UK: CyberCrime overtakes Physical Crime
“The ONS estimated that there were 2.46 million cyber incidents and 2.11 million victims of cyber crime in the U.K. in 2015,” the report’s authors wrote.
Personally I do not think cyber-crime is materially worse in the UK. I think they are tracking and recording it better, and most important, the awareness has improved in the country. However, still an eye opener!
Link 1 & Link 2
2016-07-08
Forgetting to renew domain names
TP-Link, which manufactures routers, has forgotten to renew its 2 domain names, which are widely used. These have now been jacked by someone, who is selling them for $2.5 M.
These domain names appear to be quite busy; estimates based on Alexa's ranking suggest that tplinklogin-dot-net sees about 4.4 million visits per month, with another 800,000 for tplinkextender-dot-net.
This is an ideal way for someone to create a spoof website, with a target audience of millions!
Seems like TP-Link is not at all interested in buying back those domains ... updating its manuals to remove the domain name references altogether.
2016-07-02
Ethereum DAO Hack
The hack makes me think about the reliability of crypto-currency. If we go with the assumption that there is no bug-free software, it is always only a matter of time (hence patching is of utmost importance), then how do we have our faith in bitcoins or any other altcoins?
Am very curious to see what this community decides to do now. Hack details.
A synopsis of the hack and the Robin Hood hack.
How can they recover the stolen money? They can't -- at least not without destroying the entire principle of cryptocurrencies
2016-06-29
Terrorism blacklist of 2.2 M people leaked
... came across a “terrorism blacklist” which contains the names of 2.2 million “heightened-risk individuals and organizations.” The terrorism category is only a small part of the database. Other categories consist of individuals suspected of being related to money laundering, organized crime, bribery, corruption, and other unsavory activities.
2016-06-16
Cyberspace is a New Domain for War
We have known this for a while, just good to see this is now formalized.
The North Atlantic Trade Organization (NATO) has officially declared that cyberspace is a domain for war, placing it alongside the traditional battlegrounds of land, sea and air.
2016-06-07
A 0-day that impacts ALL Windows Versions
A Russian website is selling a 0-day, for a meager $90K. This impacts a potential 1.5 B Windows users!
There are 2 videos to provide a POC.
Details Here
Myspace & VK lose customer records
2016-05-28
Introducing e-stonia
For tech companies wondering where to set up their HQ, Estonia seems to be a good (and fair) place to consider.
Its offering is a location-independent, hassle-free and fully digital economic and financial environment for anyone who needs it. The company is managed by its owners themselves, not nominal “directors.”
Where exactly are the taxes paid, at the end of the day? “Taxes must be paid where the value was created”
2016-05-17
Receive SMS - without actually owning the number
There are lots of websites which ask you for a mobile phone number, and send an SMS verification. Top 10 websites which are useful to find a disposable number.
2016-05-03
BeautifulPeople.com Leaks 1.1 M records
After Ashley Madison, another dating website hit!
BeautifulPeople.com Leak has exposed 1.1 million customer records, including 15 million private messages sent between users. It seems like the records are for sale on the shadier parts of the web and actively being traded by those who trade these kind of things.
Story
2016-04-30
Panama Papers Leak
A data leak that showcases how miserably some of the big names try and hide their wealth from the tax authorities.
Story Here
Eleven million documents were leaked from the secretive Panamanian law firm Mossack Fonseca. They show how the company has helped some clients launder money, dodge sanctions and avoid tax.
2016-04-27
2016-04-21
Rigging elections via the cyber world
He knew that accounts could be faked and social media trends fabricated, all relatively cheaply ... he could manipulate the public debate as easily as moving pieces on a chessboard - or, as he puts it, “When I realized that people believe what the Internet says more than reality, I discovered that I had the power to make people believe almost anything.”
Story here.
Update 15-Jun-2016:
Related, but not the same guy, some news of stealing data on the ongoing elections, on Trump.
Update 22-Jul-2016:
Wikileaks dumps thousands of leaked emails (here) from USA's DNC party. This helps Republican nominee Trump tremendously. Some believe this is done by Russian hackers, which I am skeptical of. Anyway, if there is anyone who still believes hackers cannot help with elections, it is high time to reconsider.
Update 12-Aug-2016:
Seems like I am not the only one who believes that elections could be rigged, using the power of the web.
Update 31-Dec-2016:
In case there are still some skeptics who think the cyber-world cannot rig something as elusive as elections:
- US imposes sanctions on Russia
- The IOC and a detailed report from DHS
- The story of a Russian hacker - Aleksandr B Vyarya
Update 02-Jun-2017:
How are these leaks happening (and the tainted leaks)?
2016-04-18
Learn from the hacker!
The hacker who hacked "The Hacking Team" shares his knowledge. Helps us appreciate how much time and effort goes into a successful hack.
He makes no bones about it; he’s a black hat hacker. Phineas Fisher wrote, “You used to have to sneak into offices to leak documents. You used to need a gun to rob a bank. Now you can do both from bed with a laptop in hand.”
2016-04-17
Philippine voters' data leaked
55 million Filipino voters’ data was now out in the wild ... a ginormous data breach with extremely sensitive information and at 55M individuals, that’s also more than half the country’s population.
2016-04-16
Dreamhost does not hash passwords!
Does anyone use DreamHost for cloud hosting? I am astonished to see they do not hash user passwords, and their support staff have the ability to view my password in plain-text. Even more astonishing is that they have no idea why this is a bad idea.
My tweet to them
2016-04-13
Hacking Lottery via Random Num Generator
For several years, Eddie Tipton, the former security director of the US Multi-State Lottery Association, installed software code that allowed him to predict winning numbers on specific days of the year, investigators allege.
Full story!
2016-04-06
50 M Turkish Citizens' Personal Data leaked Online
The leaked database (about 6.6 GB file) contains the following information:
- First and last names
- National identifier numbers (TC Kimlik No)
- Gender
- City of birth
- Date of birth
- Full address
- ID registration city and district
- User's mother and father's first names
To prove the authenticity of the data, the group of hackers published the personal details of Turkish President Recep Tayyip Erdogan, along with his predecessor Abdullah Gul, and Prime Minister Ahmet Davutoglu.
Full Story
2016-03-20
Bangladesh Bank hit by $1 Billion cyber heist
Four requests to transfer a total of about $81 million to the Philippines went through, but a fifth, for $20 million, to a Sri Lankan non-profit organisation got held up because the hackers misspelled the name of the NGO.
Story here & here.
At the same time the unusually high number of payment instructions and the transfer requests to private entities ... made the Fed suspicious, which also alerted the Bangladeshis ... The transactions that got stopped totalled between $850 million and $870 million
Update 24-Apr-2016:
The bank's security was in a pitiful condition!
Bangladesh's central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 switches to network computers connected to the SWIFT
Update 27-Apr-2016:
A very sophisticated attack, which makes sense knowing the attackers targeted almost $1B from this one bank alone, and maybe others.
That apparently allowed the attackers to delete outgoing transfer requests and intercept incoming requests, as well as change recorded account balances – effectively hiding the heist from officials.
The malware even interfered with a printer to ensure that paper copies of transfer requests didn’t give the attack away.
Update 13-May-2016:
Another bank hit, by the same malware
Update 27-May-2016:
More banks are investigating a potential breach. Ecuador Bank becomes the third victim!
Update 28-May-2016:
Is North Korea responsible?
An interesting article with all the known facts from the Bangladesh hack.
Update 29-Jun-2016:
Ukrainian Bank loses 10 M to a SWIFT attack.
Update 11-Nov-2016:
$15M recovered by the Bangladesh Bank, thanks to the courts.
Update 07-Apr-2017:
Lazarus group exposed, with links to N Korea
2016-03-11
Ukraine's Power Grid hacked
This was one of the concerns highlighted by the American government as well. Russia becomes the first in the world to suffer a power outage because of hackers.
The hackers who struck the power centers in Ukraine—the first confirmed hack to take down a power grid—weren’t opportunists who just happened upon the networks and launched an attack to test their abilities; according to new details from an extensive investigation into the hack, they were skilled and stealthy strategists who carefully planned their assault over many months, first doing reconnaissance to study the networks and siphon operator credentials, then launching a synchronized assault in a well-choreographed dance.
2016-03-06
Veil Framework – Antivirus Evasion Framework
As if there weren't already enough frameworks to help the bad guys get organized.
The Veil-Framework is a collection of red team security tools that implement various attack methods focused on antivirus evasion and evading detection.
Details here.
2016-02-27
Google's Project Shield
MouseJack: Injecting Keystrokes into Wireless Mice
Interesting hack to take over wireless mice (non-Bluetooth).
Wireless mice and keyboards commonly communicate using proprietary protocols operating in the 2.4GHz ISM band. In contrast to Bluetooth, there is no industry standard to follow, leaving each vendor to implement their own security scheme.
2016-02-14
Pwn2Own 2016
The annual event, which was originally hosted by HP's ZDI, will now be jointly hosted by HP and TrendMicro (post the acquisition). Details are here and here.
Highlights:
- Exploiting Google Chrome or Microsoft Edge will earn hackers $65,000
- Exploiting Apple Safari on Mac only $40,000.
- Achieving system-level access on Windows or root access on Mac OS X would add another $20,000 to the final payout.
- Adobe Reader, Mozilla Firefox and Internet Explorer are no longer on the contest's target list. Adobe Flash remains, but only the version that comes bundled with Microsoft Edge
- If anyone manages to escape the VMware Workstation virtual machine and achieves code execution on the host operating system, they’ll receive an additional $75,000
2016-02-06
Introducing GoPhish
Gophish – Open-Source Phishing Framework
Making it even easier to create phishing campaigns.
2016-01-30
HSBC Under Attack
They say, it's a standard DDoS attack, with no threat to client data.... Makes me wonder if there is anything else going on, with the DDoS acting as a smoke screen.
2016-01-16
Cybercriminal Call Centers
There is no limit to how organized cyber-crime is getting.
Crooks who make a living via identity theft schemes, dating scams and other con games often run into trouble when presented with a phone-based challenge that requires them to demonstrate mastery of a language they don’t speak fluently. Enter the criminal call center, which allows scammers to outsource those calls to multi-lingual men and women who can be hired to close the deal.
2016-01-09
Introducing: Diskpart
Ever thought of having a virtual drive on your Windows PC? Instead of partitioning your hard-disk, how about a virtual container, which would be completely portable and can be carried to any Windows PC?
No special downloads needed: DiskPart is built into Windows. This batch file could help speed things up a bit. If security is a concern, you could easily use BitLocker to encrypt the entire drive.
2016-01-03
Introducing Red Star OS
In case people think PRISM is a concern to citizens' privacy, here is a look into the Red Star OS. It's a state-sponsored (North Korea) custom version of Linux:
Red Star tackles this by tagging, or watermarking, every document or media file on a computer or on any USB stick connected to it. That means that any file can be traced back to the person who had previously opened or created the file.