Some experts have been warning that with the increased use of electronic and network-capable systems in cars produced over the last decade, security concerns could become life-threatening on a massive scale within few years. If not adequately secured, the vehicles’ internal networks could potentially be compromised, affecting brakes, locks, or power steering. While this would clearly be catastrophic, others have said it may not be as dire a situation as some describe, asserting that billions are being invested industry-wide to secure these electronic and digital components. The truth of it may lie somewhere in the middle, but only time will tell.
Commenting plugin Disqus hacked
A few days ago, it was revealed that a popular commenting system used by many websites called Disqus was breached in 2012, compromising the information of over 17.5 million users. Apparently, it went unnoticed for 5 years until this past Thursday when the incident was discovered by an independent security researcher. It is likely that the information obtained (including SHA-1 hashed passwords) could be used in social engineering attacks on certain users. Disqus has made several security upgrades in the years since, including switching to a more secure password hashing algorithm, but this story is still developing as their investigation into the incident continues.
https://thehackernews.com/2017/10/disqus-comment-system-hacked.html
VPN provider assists FBI in arrest
Recently, a Hong Kong-based VPN provider named PureVPN assisted the FBI in the arrest of a cyberstalker by releasing logs of his activity while using their service. The arrest is obviously good news, but the interesting thing is that while PureVPN explicitly states that they “do not monitor activity or keep logs,” this is clearly not the case. Most VPN providers make similar claims, but this is hard to verify from the outside. This should make VPN users take a closer look at the service they use, and be mindful that they may not be as secure as they claim.
https://thehackernews.com/2017/10/no-logs-vpn-service-security_8.html
Damages Awarded in Phone-Hacking Case Against the Mirror Publishing Group
http://www.bbc.com/news/uk-41481307
This story concerns something that happened several years ago, but was just recently resolved and I think is still very much relevant. Back in 2011, it was revealed that MPG (Mirror Publishing Group), a group of daily British newspapers, had been hacking into the phones of celebrities and prominent figures to gain personal information for stories. The original case was a broad investigation known as the Leveson Inquiry, which was closed in 2012. In October 2016, comedian Steve Coogan, among many others, brought a case of his own against the company, citing personal attacks on him by newspapers following his testimony in the Leveson case. Coogan has recently settled the case for an unspecified six-figure sum after MPG admitted to running stories on him using personal information illegally obtained by hacking into his mobile voicemail accounts. While this is not a strictly technical article, it does highlight the growing needs and concerns about mobile device security. As more and more aspects of our lives are run from our phones and mobile devices, it has become painfully clear that strong, layered protections are needed to secure our personal information, as even the smallest gap or vulnerability can be exploited.
Massive Data Breach in India, 6000 Businesses Compromised
Recently, Seqrite Labs and seQtree Infoservices in India tracked a DarkWeb advertisement for the sale of stolen data from over 6000 Indian organizations, including government agencies, private companies, and ISPs. In addition to selling information, the attacker claims to be able to take out the network of any of these breached companies, for a price. Allegedly, they can corrupt the IP allocation pool, rendering the system unable to function. If true, this is very disturbing news for all these organizations, but most of all for the Asia Pacific Network Information Center (APNIC), which investigators are all but certain has been compromised by these attacks. They have ascertained this by posing as a potential buyer online and obtaining sample e-mail lists. As for the identity of the attacker, it seems the persona being used was just created recently, a more and more common tactic used by cyber criminals. If a network damaging attack were to be performed on IRINN, an ISP identified as being breached, it could have catastrophic effects on IP allocation and therefore internet access in India.
RouteX Malware Found Exploiting Netgear Routers
Recently, a vulnerability was discovered in the remote command and execution function of Netgear routers. Malware known as RouteX has been found to be exploiting these devices to turn them into a socket secure or SOCKS proxy server which allows the attacker to anonymously launch attacks on intended targets.
RouteX is different from similar past examples of this kind of attack in that once it has compromised the device, it sets firewall rules and access restrictions to prevent other attacks from exploiting the same vulnerability and gaining control. This is indicative of the growing risks posed by unsecured machines such as routers and IoT devices.