ITACS 5211: Introduction to Ethical Hacking

Wade Mackey

Nishit Darade

US Postal Service Left 60 Million Users Data Exposed For Over a Year

December 16, 2018 by Nishit Darade Leave a Comment

US Postal Service Left 60 Million Users Data Exposed For Over a Year
– Swati Khandelwal

News just came out that the United States Postal Service has patched a critical security vulnerability that exposed the data of more than 60 million customers to anyone with an account on the USPS.com website.

The vulnerability was tied to an authentication weakness in an application programming interface (API). According to the cybersecurity researcher, who has not disclosed his identity, the API was programmed to accept any number of “wildcard” search parameters, enabling anyone logged in to usps.com to query the system for account details belonging to any other user.

The vulnerability was reported almost a year ago, and it took outside intervention to get this serious vulnerability addressed. As of now there is no evidence that it was exploited.
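A minimal model of the weakness described above (a search endpoint that checks that the caller is logged in but never checks whose records the query may touch) beside the object-level authorization check that closes it. This is an added example, not part of the original post and not USPS code; the account table, field names and wildcard syntax are constructed assumptions.

```python
import fnmatch
from typing import Dict, List

# Constructed sample account table (assumption, not real USPS data).
ACCOUNTS = [
    {"user_id": 101, "email": "alice@example.com", "street": "1 Main St"},
    {"user_id": 102, "email": "bob@example.com", "street": "2 Oak Ave"},
    {"user_id": 103, "email": "carol@example.com", "street": "3 Elm Rd"},
]

WILDCARD_CHARS = "*?["


def lookup_vulnerable(session_user_id: int, filters: Dict[str, str]) -> List[dict]:
    """Authenticated but not authorized: the caller's search parameters,
    wildcards included, are matched against the whole table, so any
    logged-in user can read every other account (the weakness the article
    describes). session_user_id is never consulted."""
    return [
        rec for rec in ACCOUNTS
        if all(fnmatch.fnmatchcase(str(rec.get(k, "")), v) for k, v in filters.items())
    ]


def lookup_hardened(session_user_id: int, filters: Dict[str, str]) -> List[dict]:
    """Object-level authorization: results are scoped to the caller's own
    record before any user-supplied filter is applied, and wildcard
    characters are rejected instead of interpreted."""
    for value in filters.values():
        if any(ch in value for ch in WILDCARD_CHARS):
            raise ValueError("wildcard search parameters are not accepted")
    own = [rec for rec in ACCOUNTS if rec["user_id"] == session_user_id]
    return [
        rec for rec in own
        if all(str(rec.get(k, "")) == v for k, v in filters.items())
    ]


def exposure_count(session_user_id: int, filters: Dict[str, str]) -> int:
    """Number of records the vulnerable endpoint returns that do not belong
    to the caller; anything above zero is a cross-account disclosure, which
    is the condition an API audit or test case should flag."""
    return sum(1 for rec in lookup_vulnerable(session_user_id, filters)
               if rec["user_id"] != session_user_id)
```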

Reference: https://thehackernews.com/2018/11/usps-data-breach.html

Instagram Accidentally Exposed Some Users’ Passwords In Plaintext

November 30, 2018 by Nishit Darade 1 Comment

Instagram Accidentally Exposed Some Users’ Passwords In Plaintext

– Swati Khandelwal

Instagram recently patched a security issue in its website that was responsible for accidentally exposing some of its users' passwords in plain text.

The bug originated in the “Download Your Data” feature, which allows users to download a copy of the data they have shared on the social media platform. Some users who had used this feature had their passwords included in the URL in plaintext.

The company has assured users that the stored data has been deleted from its servers and that the tool has now been updated to resolve the issue, which “affected a very small number of people.”

Instagram suggests that affected users change their passwords and clear their browser history as soon as possible.

Reference: https://thehackernews.com/2018/11/instagram-password-hack.html

Congress Votes to Create Federal Cybersecurity Agency

November 14, 2018 by Nishit Darade Leave a Comment

The United States House of Representatives voted unanimously to pass legislation creating the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security (DHS).

This new agency would reorganize DHS’ National Protection and Programs Directorate (NPPD) into a new agency and prioritize its mission as the Federal leader for cyber and physical infrastructure security.

One NPPD official said that it will actually help better secure the nation’s critical infrastructure and cyber platforms.

Reference: https://www.securitymagazine.com/articles/89590-congress-votes-to-create-federal-cybersecurity-agency

Private messages from 81,000 hacked Facebook accounts for sale

November 14, 2018 by Nishit Darade Leave a Comment

The perpetrators told the BBC Russian Service that they had details from a total of 120 million accounts, which they were attempting to sell, although there are reasons to be skeptical about that figure. The hackers offered to sell access for 10 cents (8p) per account. However, their advert has since been taken offline.

The cyber-security company Digital Shadows examined the claim on behalf of the BBC and confirmed that more than 81,000 of the profiles posted online as a sample contained private messages.

Facebook still denies that it was hacked and maintains that a browser extension was compromised and that this is how the user information was obtained.

Reference: https://www.bbc.com/news/technology-46065796?intlink_from_url=https://www.bbc.com/news/topics/cz4pr2gd85qt/cyber-security&link_location=live-reporting-story

Two New Bluetooth Chip Flaws Expose Millions of Devices to Remote Attacks

November 6, 2018 by Nishit Darade Leave a Comment

Two New Bluetooth Chip Flaws Expose Millions of Devices to Remote Attacks

– Swati Khandelwal

Security researchers have unveiled details of two critical vulnerabilities in Bluetooth Low Energy (BLE) chips embedded in millions of access points and networking devices used by enterprises around the world. The vulnerabilities, collectively called BleedingBit, allow remote attackers to execute arbitrary code and take control of the devices.

The vulnerabilities affect medical devices such as insulin pumps and pacemakers, as well as point-of-sale and IoT devices. Discovered by researchers at the Israeli security firm Armis, they exist in Bluetooth Low Energy (BLE) chips made by Texas Instruments (TI) that are used by Cisco, Meraki, and Aruba in their enterprise product lines.

The two vulnerabilities are CVE-2018-16986 and CVE-2018-7080; patches have been released by the respective vendors.

Reference: http://community.mis.temple.edu/mis5206sec401fall18/2018/11/02/in-the-news/

Tumblr Patches A Flaw That Could Have Exposed Users Account Info

October 30, 2018 by Nishit Darade 1 Comment

Tumblr Patches A Flaw That Could Have Exposed Users Account Info

– Swati Khandelwal

Tumblr today published a report admitting the presence of a security vulnerability in its website that could have allowed hackers to steal login credentials and other private information for users’ accounts.

The affected information included users' email addresses, protected (hashed and salted) account passwords, self-reported location (a feature no longer available), previously used email addresses, last login IP addresses, and the names of the blogs associated with each account.

Tumblr assured that its internal investigation found no evidence of the bug being abused by an attacker.

Reference: https://thehackernews.com/2018/10/tumblr-account-hacking.html

Facebook hack victims will not get ID theft protection

October 22, 2018 by Nishit Darade 1 Comment

Facebook hack victims will not get ID theft protection
– Dave Lee

On Friday Facebook revealed that 14 million users had highly personal information stolen by hackers. It included search history, location data and information about relationships, religion and more. This information could be used by cyber criminals to run social-engineering-based theft schemes against the 14 million affected users.

Typically, companies affected by large data breaches – such as Target, in 2013 – provide access to credit protection agencies and other methods to lower the risk of identity theft. But a Facebook spokeswoman told the BBC it would not be taking this step “at this time”. Users would instead be directed to the website’s help section. The spokesperson would not say if the help pages in question had been updated since the company discovered the recent breach.

Reference: https://www.bbc.com/news/technology-45845431?intlink_from_url=https://www.bbc.com/news/topics/cz4pr2gd85qt/cyber-security&link_location=live-reporting-correspondent

Google to Encrypt Android Cloud Backups With Your Lock Screen Password

October 17, 2018 by Nishit Darade 1 Comment

Google to Encrypt Android Cloud Backups With Your Lock Screen Password

– Swati Khandelwal

In an effort to secure users’ data while maintaining privacy, Google has announced a new security measure for the Android Backup Service that now encrypts all your backup data stored on its cloud servers in such a way that even the company cannot read it.

Starting with Android Pie, Google is going to encrypt your Android device backup data in the following way:

Step 1: Your Android device will generate a random secret key (not known to Google).

Step 2: The secret key will then get encrypted using your lock screen PIN/pattern/passcode (not known to Google).

Step 3: This passcode-protected secret key will then be securely sent to a Titan security chip on Google’s servers.
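The three steps above, carried through in code as an added example that is not from the original post and is not Google's implementation. The page names no algorithms, so scrypt for stretching the PIN and an HMAC-SHA256 encrypt-then-MAC wrap are assumptions standing in for the real construction; the Titan-side handling of step 3 is not modelled, the example only shows what leaves the device.

```python
import hashlib
import hmac
import os
from typing import Optional

KEY_LEN = 32   # size of the device's random backup key (assumption)
SALT_LEN = 16


def generate_device_key() -> bytes:
    """Step 1: the device draws a random secret key that Google never sees."""
    return os.urandom(KEY_LEN)


def _derive_wrapping_keys(pin: str, salt: bytes):
    # Assumption: scrypt stretches the short lock-screen PIN into a 32-byte
    # encryption key plus a 32-byte MAC key (the page does not name a KDF).
    kek = hashlib.scrypt(pin.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=64)
    return kek[:32], kek[32:]


def wrap_key(device_key: bytes, pin: str) -> bytes:
    """Step 2: encrypt the device key under the PIN (encrypt-then-MAC).
    The one-time keystream is HMAC-SHA256(enc_key, salt), a stand-in for
    a real AEAD; the salt is fresh per wrap, so the stream is never reused."""
    assert len(device_key) == KEY_LEN
    salt = os.urandom(SALT_LEN)
    enc_key, mac_key = _derive_wrapping_keys(pin, salt)
    stream = hmac.new(enc_key, salt, hashlib.sha256).digest()
    ciphertext = bytes(a ^ b for a, b in zip(device_key, stream))
    tag = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    # Step 3: this blob is all that is sent to the server; it carries
    # neither the raw key nor the PIN, so the server cannot read the backup.
    return salt + ciphertext + tag


def unwrap_key(blob: bytes, pin: str) -> Optional[bytes]:
    """Reverse of wrap_key. Returns None on a wrong PIN or a tampered blob
    instead of handing back a garbled key (the MAC is checked first)."""
    salt = blob[:SALT_LEN]
    ciphertext = blob[SALT_LEN:SALT_LEN + KEY_LEN]
    tag = blob[SALT_LEN + KEY_LEN:]
    enc_key, mac_key = _derive_wrapping_keys(pin, salt)
    expected = hmac.new(mac_key, salt + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = hmac.new(enc_key, salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ciphertext, stream))
```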

Reference: https://thehackernews.com/2018/10/android-cloud-backup.html

New iPhone Passcode Bypass Hack Exposes Photos and Contacts

October 10, 2018 by Nishit Darade 1 Comment

New iPhone Passcode Bypass Hack Exposes Photos and Contacts

– Wang Wei

Jose Rodriguez, an iPhone enthusiast, has discovered a passcode bypass vulnerability in Apple’s new iOS version 12 that potentially allows an attacker to access photos and contacts, including phone numbers and emails, on a locked iPhone XS and other recent iPhone models.

The attacker can begin the complicated 37-step iPhone passcode bypass by tricking Siri and the iOS accessibility feature called VoiceOver into sidestepping the iPhone’s passcode, giving access to the contacts stored on the iPhone, including phone numbers and email addresses, and to the Camera Roll and other photo folders, by selecting a contact to edit and changing its image.

Until Apple comes up with a fix, you can temporarily mitigate the issue by simply disabling Siri on the lock screen.

Please refer to the video attached in the article for the iPhone passcode bypass hack.

Reference: https://thehackernews.com/2018/10/iphone-passcode-bypass-hack.html

4 Things You Should Include In Your Data Breach Response Plan

October 3, 2018 by Nishit Darade 1 Comment

4 Things You Should Include In Your Data Breach Response Plan
– By JAKE OLCOTT

Data breach response plans can be tens to hundreds of pages long, depending on the size of your organization and the criticality of your data. Following a set data breach response template isn’t advisable, because different organizations have different infrastructure and their own unique scenarios.
The following are four must-have points for a data breach response plan:

1. The type of data that constitutes a data incident.
• Incidents or breaches that involve legally protected information such as PII or PHI, which require immediate notification to affected users.
• Incidents or breaches that represent a small material loss to the company which may not require notification to stakeholders.
2. The parties responsible during a data breach.
• IT/IT Security Department
• Legal Department
• Communications Department
• HR Department
• Executives
3. The internal escalation processes:
When a data incident occurs on your network, you need a rock-solid internal escalation process established for escalating the incident up through your organization.
4. The external escalation process:
Aside from escalating a data incident inside your organization, you also need to include the external escalation process in your data breach response plan.

Reference:
1) JAKE OLCOTT, “4 Things You Should Include In Your Data Breach Response Plan,” February 16, 2017, https://www.bitsighttech.com/blog/data-breach-response-plan-4-things-include
