Haitao Huang

Hacker takes over JavaScript library, injects malware to steal Bitcoin

November 28, 2018 by Haitao Huang Leave a Comment

An open-source code stored in a popular JavaScript library was poisoned by its latest administrator with a malicious code allowing an attacker to swipe Bitcoin from Bitpay and Copay wallets.

The attacker injected a malicious code, called Event-Stream, into a NodeJS package that is used by the Copay and BitPay apps enabling an attacker to steal a wallet’s private keys, a fact confirmed by Bitpay. Bitpay warned users to assume their private keys on affected wallets have been compromised, so any funds should be moved to new wallets immediately.

https://www.scmagazine.com/home/security-news/hacker-takes-over-javascript-library-injects-malware-to-steal-bitcoin/

The Latest in Phishing: October 2018

November 28, 2018 by Haitao Huang 1 Comment

Here are a few highlights:

Malicious phishing message volume increased 36% between Q1 and Q2 2018.
Proofpoint customers, on average, were targeted by 35 business email compromise (BEC) emails in Q2 2018. This represents a 26% increase over Q1, and a startling 87% increase over Q2 2017.
Ransomware was back on the scene in Q2, but is still lagging from a volume perspective, accounting for just a little more than 11% of total malicious messages during the measurement period.
Proofpoint researchers also detected a 30% increase in phishing links on social media.

https://www.wombatsecurity.com/blog/the-latest-in-phishing-october-2018

8 Popular Android Apps Caught Up In Million-Dollar Ad Fraud Scheme

November 28, 2018 by Haitao Huang 1 Comment

Cheetah Mobile—a prominent Chinese app company, known for its popular utility apps like Clean Master and Battery Doctor—and one of its subsidiary Kika Tech have allegedly been caught up in an Android ad fraud scheme that stole millions of dollars from advertisers.

Here’s the list of seven Cheetah Mobile apps and one Kika app, which received an investment from Cheetah Mobile in 2016, caught participating in the fraudulent ad scheme:

Clean Master (with 1 billion users)
Security Master (with 540 million users)
CM Launcher 3D (with 225 million users)
Battery Doctor (with 200 million users)
Cheetah Keyboard (with 105 million users)
CM Locker (with 105 million users)
CM File Manager (with 65 million users)
Kika Keyboard (owned by Kika Tech with 205 million users)

https://thehackernews.com/2018/11/android-click-ad-fraud.html

From PINs to Prints: Smartphone Locks and Mobile Device Security

November 28, 2018 by Haitao Huang 1 Comment

Smartphone security is one of the topics we recently explored in the 2018 User Risk Report. When we surveyed 6,000 working adults across six countries — the US, UK, France, Germany, Italy, and Australia — more than 90% of respondents said they use a smartphone, and 39% of these use their devices for both personal and business activities. In the BYOD era, that means infosec teams should be keenly aware of how individuals’ poor cybersecurity behaviors can affect their organizations’ security posture.

https://www.wombatsecurity.com/blog/from-pins-to-prints-smartphone-locks-and-mobile-device-security

Another Facebook Bug Could Have Exposed Your Private Information

November 14, 2018 by Haitao Huang 3 Comments

The security company Imperva has released new details on a Facebook vulnerability that could have exposed user data. The bug allowed websites to obtain private information about Facebook users and their friends through unauthorized access to a company API, playing off a specific behavior in the Chrome browser. The bug was disclosed to Facebook and resolved in May.

In technical terms, the attack is a cross-site request forgery, using a legitimate Facebook login in unauthorized ways. For the attack to work, a Facebook user must visit a malicious website with Chrome, and then click anywhere on the site while logged into Facebook. From there, attackers could open a new pop-up or tab to the Facebook search page and run any number of queries to extract personal information.

https://thehackernews.com/2018/11/facebook-vulnerability-hack.html

Managed Threat Hunting Bridges the Talent Gap

November 7, 2018 by Haitao Huang 2 Comments

Threat hunting is the active search for “unknown unknowns,” which describes new and novel attack behaviors that aren’t detected by current automated methods of prevention and detection. It is, by nature, a “hands-on-keyboard activity,” driven by humans. Just like hunting in nature, anyone can do it, but the right experience and tools can make you much more effective.

https://securityledger.com/2018/11/managed-threat-hunting-bridges-the-talent-gap/

User Risk Report: 44% of Workers Don’t Password-Protect Home WiFi

November 7, 2018 by Haitao Huang 4 Comments

The organization surveyed 6,000 technology users across six countries — the US, UK, France, Germany, Italy, and Australia — to determine how their personal actions could introduce cybersecurity vulnerabilities within the organizations they work for.

The results show that users’ WiFi and virtual private network (VPN) use remain suspect. Of particular concern is the fact that home WiFi networks are often left fully unprotected, opening the door for remote workers to be compromised — and for their employers to be compromised in turn.

https://www.wombatsecurity.com/blog/user-risk-report-44-of-workers-dont-password-protect-home-wifi

Flaws in Popular Self-Encrypting SSDs Let Attackers Decrypt Data

November 7, 2018 by Haitao Huang 1 Comment

Researchers at Radboud University in the Netherlands have revealed today vulnerabilities in some solid-state drives (SSDs) that allow an attacker to bypass the disk encryption feature and access the local data without knowing the user-chosen disk encryption password.

The vulnerabilities only affect SSD models that support hardware-based encryption, where the disk encryption operations are carried out via a local built-in chip, separate from the main CPU.

But in a new academic paper published today, two Radboud researchers, Carlo Meijer and Bernard van Gastel, say they’ve identified vulnerabilities in the firmware of SEDs.

The only way users would be safe was if they either changed the master password or if they ‘d configure the SED’s Master Password Capability setting to “Maximum,” which effectively disables it.

https://thehackernews.com/2018/11/self-encrypting-ssd-hacking.html

Apple’s New MacBook Disconnects Microphone “Physically” When Lid is Closed

October 31, 2018 by Haitao Huang 5 Comments

Apple introduces a new privacy feature for all new MacBooks that “at some extent” will prevent hackers and malicious applications from eavesdropping on your conversations.

Apple’s custom T2 security chip in the latest MacBooks includes a new hardware feature that physically disconnects the MacBook’s built-in microphone whenever the user closes the lid.

This feature is excellent as it makes impossible for malware to access your built-in microphone when the lid is closed, but honestly, it doesn’t help when you are most vulnerable, i.e. while working.

https://thehackernews.com/2018/10/apple-macbook-microphone.html

The Latest in Phishing: October 2018

October 24, 2018 by Haitao Huang 4 Comments

The number of fake support accounts targeting Proofpoint’s global customer base rose 37% from Q1 to Q2 2018.
More than 65% of the companies that were targeted by email fraud in Q1 had the identities of more than five employees spoofed.
The number of email fraud attacks per targeted company was 25% higher in Q2 than in Q1, with the government and retail sectors experiencing the largest increase in email fraud attempts.
Malicious phishing message volume increased 36% between Q1 and Q2 2018.
Ransomware was back on the scene in Q2 but is still lagging from a volume perspective, accounting for just a little more than 11% of total malicious messages during the measurement period.
Proofpoint researchers also detected a 30% increase in phishing links on social media.

https://www.wombatsecurity.com/blog/the-latest-in-phishing-october-2018