It was my first time attending a networking event, and I found the ISACA networking event to be really interesting. I was glad to meet several senior IT auditors and learn their perspective on auditing. I got a chance to understand some everyday audit situations and also the critical skills that employers look for in an auditor. I also got a chance to interact with Prof. Thu outside class. Although I did not talk a lot about cyber security topics, I had some interesting general conversations.
USPS Site Exposed Data on 60 Million Users
The U.S. Postal Service has just fixed a security flaw that allowed anyone with an account at usps.com to view account details for some 60 million other users. They could even modify the account details on their behalf! The problem arose from a security weakness in an API that accepted “wildcard” search parameters. This API was tied to a Postal Service initiative called “Informed Visibility,” which was designed to let businesses, advertisers and other bulk mail senders “make better business decisions by providing them with access to near real-time tracking data” about mail campaigns and packages. So, the real-time data about packages and mail being sent by USPS commercial customers was exposed. Also, any logged-in user could query the system for account details belonging to other users, such as their email addresses, usernames, account numbers, street addresses, phone numbers, etc.
Another fact that alarmed me was that the flaw had been discovered and reported to the USPS over a year ago, but they never acted on it until now.
https://krebsonsecurity.com/2018/11/usps-site-exposed-data-on-60-million-users/
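The USPS flaw above is an authorization problem rather than an authentication one: callers were logged in, but the API never checked that the account they searched for was their own, and its wildcard filter turned one request into a table dump. The following is an added example, not USPS code, that reproduces that defect in a miniature lookup service and places a hardened lookup (and a hardened update, since the report also mentions modification) beside it. Every account, identifier and field value in it is constructed sample data.

```python
# Added example (not USPS code): a miniature account-lookup API that reproduces
# the authorization defect described above (a logged-in caller supplies a
# wildcard search filter and the service returns every matching account),
# beside a hardened lookup that scopes the query to the caller's own account.
# Every account, identifier and field value below is constructed sample data.
import fnmatch
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Account:
    account_id: str
    email: str
    street: str
    phone: str


# Constructed stand-in for the account table.
ACCOUNTS = {
    "1001": Account("1001", "alice@example.com", "1 Main St", "555-0101"),
    "1002": Account("1002", "bob@example.com", "2 Elm St", "555-0102"),
    "1003": Account("1003", "carol@example.com", "3 Oak Ave", "555-0103"),
}

WILDCARD_CHARS = "*?["


class Forbidden(Exception):
    """Raised when an authenticated caller asks for another user's resource."""


def lookup_vulnerable(caller_id: str, account_filter: str) -> list[Account]:
    """Before: being logged in is the only check. The filter is passed straight
    to a glob matcher, so '*' or '100?' enumerates the whole table."""
    assert caller_id in ACCOUNTS, "caller must be authenticated"
    return [acct for acct_id, acct in ACCOUNTS.items()
            if fnmatch.fnmatchcase(acct_id, account_filter)]


def lookup_hardened(caller_id: str, account_filter: str) -> list[Account]:
    """After: wildcard syntax is rejected, and the only account a caller may read
    is the one bound to their own session. Other users' ids are refused, and the
    refusal does not reveal whether that account exists."""
    assert caller_id in ACCOUNTS, "caller must be authenticated"
    if any(ch in account_filter for ch in WILDCARD_CHARS):
        raise ValueError("wildcard characters are not permitted in account lookups")
    if account_filter != caller_id:
        raise Forbidden("callers may only read their own account")
    return [ACCOUNTS[caller_id]]


def update_phone_hardened(caller_id: str, target_id: str, new_phone: str) -> Account:
    """The same ownership rule applied to a write, since the report also noted
    that other users' details could be modified. Returns the updated record."""
    assert caller_id in ACCOUNTS, "caller must be authenticated"
    if target_id != caller_id:
        raise Forbidden("callers may only modify their own account")
    ACCOUNTS[caller_id] = replace(ACCOUNTS[caller_id], phone=new_phone)
    return ACCOUNTS[caller_id]


def exposure_count(caller_id: str, account_filter: str) -> int:
    """How many accounts a single wildcard query hands to one logged-in user."""
    return len(lookup_vulnerable(caller_id, account_filter))


if __name__ == "__main__":
    print("vulnerable '*':", exposure_count("1001", "*"))      # all 3 accounts
    print("hardened own:", lookup_hardened("1001", "1001"))
    for bad in ("*", "1002"):
        try:
            lookup_hardened("1001", bad)
        except (ValueError, Forbidden) as exc:
            print("hardened", repr(bad), "->", type(exc).__name__, exc)
```

The design point is that the resource identifier comes from the session, not from the request: once the server derives "which account" from who is logged in, there is nothing left for a wildcard to enumerate. Logging the refused requests (caller id, requested filter) is also what lets a team notice a year-old report being exploited, rather than learning about it from a journalist.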
Police crack encrypted chat service IronChat and read 258,000 messages from suspected criminals
Police in the Netherlands announced on Tuesday that they were able to break the encryption used by a cryptophone app called IronChat. IronChat was advertised as a secure encrypted messaging service available on BlackBox IronPhones. Police say that criminals mostly purchased these IronPhones and used the IronChat app to communicate among themselves, believing that they were safe. The cost of a six-month subscription was around USD 1,500. Although the police did not reveal how they managed to crack the IronChat system, for obvious reasons, it is suspected that the app had a weakness, such as its reliance on a central server.
As a result of their surveillance, law enforcement agencies have seized automatic weapons, large quantities of hard drugs (MDMA and cocaine) and 90,000 Euros in cash, and dismantled a drug lab.
Radisson Hotel Group Spills Customer Data
Radisson Hotel Group is one of the largest hotel groups in the world, with more than 1,400 hotels in 114 countries. The group disclosed that a small percentage of its loyalty club members had their personal information accessed by an unauthorized person. It seems that the attackers first gained access to staff accounts, which led them to customer data.
The breach did not appear to affect credit card or password information. However, it exposed rewards members' names, addresses, email addresses, company names, phone numbers, rewards member numbers and frequent flyer numbers. Such information can be monetized by enabling pattern analysis on particular individuals, either high-net-worth people or people with specific access to something.
Since the hotel chain has a presence all over the world, GDPR is likely to come into play. Also, the hotel group was not forthright in dealing with this breach: the breach was discovered on October 1, but the company informed its members only last week, more than a month later.
https://www.infosecurity-magazine.com/news/radisson-hotel-group-spills/
Multiple Phishing Campaigns Target Universities
According to research by Kaspersky Lab, there have been nearly 1,000 phishing attempts hitting at least 131 universities in 16 countries over the last year. Researchers say that attackers target users with fraudulent web pages that look identical to the university's official page. The only thing that distinguishes them from the original web page is a slightly different URL, which is usually hard to spot. Once a user clicks the link, they are redirected to credential-harvesting pages and asked to provide sensitive information, including university account credentials, IP addresses and location data. There were phishing pages mimicking the login pages of the University of Washington, Harvard Business School, and Stanford University.
Collecting the IP addresses would enable cyber-criminals to circumvent anti-fraud systems “by masquerading as account holders”. Moreover, personal accounts on the university site would provide access both to general information and to paid services and research results.
The University of Washington (11.6% of attack attempts), Cornell University (6.8%) and the University of Iowa (5.1%) were the three most-targeted schools.
https://www.infosecurity-magazine.com/news/multiple-phishing-campaigns-target/
Magecart Hackers Now Targeting Vulnerable Magento Extensions
Magecart is a hacker group specializing in skimming credit card information from unsecured payment forms on websites. The group previously compromised large websites including British Airways and Ticketmaster, and has now turned to vulnerable Magento extensions. As part of this, the attackers insert a small piece of JavaScript code into the compromised website to steal all of the credit card information entered into it.
The hackers conduct thorough reconnaissance and only then inject their code, since each attack is specifically tailored to the targeted site. They make sure that their code blends in with the rest of the domain's resources, making it hard to detect.
https://www.securityweek.com/magecart-hackers-now-targeting-vulnerable-magento-extensions
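Because the skimmer has to be a `<script>` that the checkout page loads, the defender's lever is an inventory of exactly which scripts that page is allowed to run. The following added example (not Magecart, Magento or any vendor's code) audits a page's script tags against an origin allowlist, reports inline scripts and allowlisted scripts that lack a Subresource Integrity hash, and emits the matching Content-Security-Policy value. The page HTML, the allowlist and the integrity value are all constructed sample data.

```python
# Added example (not Magecart or Magento code): a defender-side audit of a checkout
# page's <script> tags, the place where the injected skimmer described above
# has to live. It lists inline scripts, scripts loaded from origins outside an
# allowlist, and allowlisted scripts lacking a Subresource Integrity hash, so a
# newly appearing or altered script stands out. The page HTML, the allowlist and
# the integrity value are all constructed sample data.
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptInventory(HTMLParser):
    """Collects every <script> tag: its src (None for inline) and integrity attr."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = {k.lower(): v for k, v in attrs}
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"),
                             "inline_chars": 0}
            self.scripts.append(self._current)

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text.
        if self._current is not None:
            self._current["inline_chars"] += len(data.strip())

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._current = None


def audit_scripts(html: str, allowed_origins):
    """Return (finding, detail) pairs for scripts that a CSP/SRI policy would block."""
    inv = ScriptInventory()
    inv.feed(html)
    findings = []
    for s in inv.scripts:
        if s["src"] is None:
            findings.append(("inline-script", f"{s['inline_chars']} chars"))
            continue
        origin = urlsplit(s["src"]).netloc.lower()   # '' means same-origin/relative
        if origin and origin not in allowed_origins:
            findings.append(("unexpected-origin", s["src"]))
        elif not s["integrity"]:
            findings.append(("missing-sri", s["src"]))
    return findings


def csp_for(allowed_origins):
    """A Content-Security-Policy value that permits only the allowlisted script
    origins plus the page's own; inline scripts are not allowed at all."""
    sources = " ".join(["'self'"] + [f"https://{o}" for o in sorted(allowed_origins)])
    return f"script-src {sources}; object-src 'none'; base-uri 'self'"


# Constructed checkout page: one clean tag, one without SRI, one from a foreign
# origin (the pattern an injected skimmer takes), and one inline script.
SAMPLE_PAGE = """
<html><body>
<form id="checkout"><input name="card_number"></form>
<script src="https://cdn.shop.example/checkout.js"
        integrity="sha384-CONSTRUCTED_PLACEHOLDER_HASH" crossorigin="anonymous"></script>
<script src="https://cdn.shop.example/analytics.js"></script>
<script src="https://static-assets.example/jquery.min.js"></script>
<script>
  document.getElementById("checkout").addEventListener("submit", function () {});
</script>
</body></html>
"""

ALLOWED = {"cdn.shop.example"}

if __name__ == "__main__":
    for kind, detail in audit_scripts(SAMPLE_PAGE, ALLOWED):
        print(f"{kind:18} {detail}")
    print("Content-Security-Policy:", csp_for(ALLOWED))
```

Run on a schedule against the live checkout page, the audit turns "blends in with the rest of the domain's resources" into a diff: a script that was not in yesterday's inventory, or whose SRI hash no longer matches, is exactly the signal the article says is hard to get by eye. The CSP value is only a starting point; a real policy also needs `report-uri`/`report-to` so violations are seen.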
Innovative Phishing Tactic Makes Inroads Using Azure Blob
A new approach to phishing has become popular in which the attackers send spam with PDF attachments. The PDF documents were disguised as documents from a law firm based in Denver. The email had a download button with a link, and when users clicked on the button they were directed to an HTML page that looked like an Office 365 form, stored in the Microsoft Azure Blob storage solution. The address is a valid Blob address and the site is also marked as secure: the SSL certificate carried a signature issued by Microsoft IT TLS CA 5.
https://threatpost.com/innovative-phishing-tactic-makes-inroads-using-azure-blob/138183/
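The university campaigns and the Azure Blob lure share one lesson: neither a familiar-looking hostname nor a valid certificate and padlock tells you who operates a login page. The following is an added example, not from Kaspersky, Microsoft or the institutions named above, of a triage check for links that land on login forms. It flags hosts that merely contain or closely resemble a trusted institution's domain, and login pages served from shared cloud storage, where the certificate vouches only for the storage provider. The trusted-domain list, the similarity threshold, the two-label "registrable domain" shortcut and every URL in it are assumptions or constructed samples; `blob.core.windows.net` is the real Azure Blob hostname suffix.

```python
# Added example (not from Kaspersky, Microsoft or the universities named above):
# a small triage check for links that land on login pages. It flags the two
# patterns described in the phishing stories: a host that merely contains or
# resembles a legitimate institution's domain, and a login form served from shared
# cloud storage, where a valid certificate proves only who runs the storage.
# TRUSTED_DOMAINS, the threshold and every URL below are constructed/assumed values.
import difflib
from urllib.parse import urlsplit

# Constructed allowlist of institutions whose login pages are legitimate.
TRUSTED_DOMAINS = frozenset({"washington.edu", "hbs.edu", "stanford.edu"})

# Real Azure Blob storage hostname suffix. Any page under it belongs to whoever
# rented the storage account, not to the brand shown on the page.
SHARED_STORAGE_SUFFIXES = ("blob.core.windows.net",)

# Assumed threshold for the typo-squat similarity check.
SIMILARITY_THRESHOLD = 0.8


def registrable_domain(host: str) -> str:
    """Last two labels of the host. An assumed simplification of the Public
    Suffix List that is adequate for .edu/.com/.example sample hosts."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_login_url(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Returns one of: trusted, lookalike, shared-storage, unknown, invalid."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "invalid"
    # A padlock/valid certificate on shared storage says nothing about the brand.
    if host.endswith(SHARED_STORAGE_SUFFIXES):
        return "shared-storage"
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted"
    # Trusted name embedded in a foreign host, e.g. washington.edu.<other>.example
    for t in trusted:
        if t in host or t.split(".")[0] in host:
            return "lookalike"
    # Typo-squat: registrable domain close to a trusted one (stanfard vs stanford).
    for t in trusted:
        if difflib.SequenceMatcher(None, reg, t).ratio() >= SIMILARITY_THRESHOLD:
            return "lookalike"
    return "unknown"


def triage(urls):
    """Map each URL to its verdict; anything but 'trusted' deserves a closer look."""
    return {u: classify_login_url(u) for u in urls}


# Constructed sample links of the kind found in the lures described above.
SAMPLE_LINKS = [
    "https://login.washington.edu/idp/profile",
    "https://washington.edu.login-verify.example/idp/profile",
    "https://www.stanfard.edu/login",
    "https://contosoexample.blob.core.windows.net/office365/login.html",
    "https://example.com/login",
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:15} {url}")
```

For production use the two-label shortcut should be replaced by a Public Suffix List lookup (otherwise `ac.uk`-style registries are misjudged), and the "shared-storage" list extended to whatever object-storage and static-hosting suffixes your users actually encounter; the verdict logic stays the same.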
New Virobot Ransomware and Botnet Emerges
A new piece of malware, Virobot, has been discovered that has both ransomware and botnet capabilities in a single package. It propagates via Microsoft Outlook spam e-mails. Virobot-infected emails are sent to the victim's entire Outlook contact list; they contain a copy of the malware or a link to a payload file that is downloaded onto the target machine when the spam message is opened.
Once the malware lands on a machine, it scans the registry to identify the Product ID and GUID. It then generates an encryption and decryption key using a cryptographic random number generator. All of this gathered data is then sent to the command and control server, after which the malware starts encrypting the hard drive. Once encryption is complete, the malware displays a ransom note and a ransom screen.
Apparently, the malware's server has been taken down, and it can no longer carry out encryption unless it establishes a connection with its C&C.
This malware also includes a keylogging feature: it records everything that the target types on the machine and then shares it with its C&C server.
Although the malware's C&C server is offline, we may never know when these malicious actors will switch their operations to another command and control server.
https://www.securityweek.com/new-virobot-ransomware-and-botnet-emerges
Hackers can compromise your network just by sending a Fax
Two critical remote code execution (RCE) vulnerabilities have been identified in the communication protocols used by tens of millions of fax machines globally. Fax is still popular among many business organizations and banks, and there are more than 300 million fax numbers and 45 million fax machines in use globally. Since most fax machines these days are connected to printers, a WiFi network and a PSTN phone line, an attacker can seize control of the whole network just by sending a specially crafted image via fax. The attacker only needs the fax number, which is publicly available information. The attackers could embed malware in the image file they plan to send, including ransomware, cryptocurrency miners or surveillance tools, depending on their motives.
The attack involves buffer overflow vulnerabilities that lead to remote code execution. It was demonstrated by the Check Point Malware Research Team on HP OfficeJet Pro All-in-One fax printers, specifically the HP OfficeJet Pro 6830 all-in-one printer and the OfficeJet Pro 8720. HP quickly fixed the flaws in its all-in-one printers as soon as it learned of the findings. However, the researchers believe that the same vulnerabilities could affect most of the fax-based all-in-one printers sold by other manufacturers as well.
https://thehackernews.com/2018/08/hack-printer-fax-machine.html
Facebook Offers Rewards for Access Token Exposure Flaws
Facebook has announced an expansion of its bug bounty program to include third-party apps and websites that let people log in with their Facebook accounts. The company has declared that it will pay at least $500 to anyone who reports vulnerabilities that involve “improper exposure of Facebook user access tokens.” Access tokens allow users to log into third-party applications and websites through Facebook. One condition the company has put forth is that the bug must be discoverable by passively viewing data sent to or from a device while the affected application is in use.
https://www.securityweek.com/facebook-offers-rewards-access-token-exposure-flaws
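"Passively viewing data sent to or from a device" describes the vantage point of someone watching network traffic or server logs, so the exposures that qualify are the ones visible from there: a token sent over cleartext HTTP, a token placed in a URL query string (which proxies and web servers log), or a token carried to another site in the Referer header. The following added example (not Facebook code) walks a constructed capture of a hypothetical partner app's requests and reports each such exposure, with a redaction helper showing how the fixed client should log URLs. Every record, host name, parameter name and token value in it is constructed sample data.

```python
# Added example (not Facebook code): a check of the kind a bounty submission
# under the program described above would rest on. It walks a constructed capture
# of requests a third-party app makes while in use and reports each way a
# Facebook-style access token is exposed to a passive observer: sent over
# cleartext HTTP, placed in a URL query string (logged by proxies and servers),
# or leaked to another site through the Referer header. Every record, host name
# and token value below is constructed sample data.
from urllib.parse import parse_qs, urlsplit

# Query parameter names that commonly carry bearer tokens (assumed list).
TOKEN_PARAMS = frozenset({"access_token", "token", "fb_access_token"})


def _token_in_query(url: str) -> bool:
    return any(p in parse_qs(urlsplit(url).query) for p in TOKEN_PARAMS)


def find_token_exposures(records):
    """records: iterable of dicts with 'url' and optional 'headers'.
    Returns (reason, url) pairs; an empty list means no exposure found."""
    findings = []
    for r in records:
        url = r["url"]
        headers = {k.lower(): v for k, v in r.get("headers", {}).items()}
        parts = urlsplit(url)
        in_query = _token_in_query(url)
        carries_token = in_query or "authorization" in headers
        # Anyone on the path can read a token that travels without TLS.
        if parts.scheme == "http" and carries_token:
            findings.append(("cleartext-transport", url))
        # Query strings end up in access logs, browser history and analytics.
        if in_query:
            findings.append(("token-in-query-string", url))
        # A tokenised page URL becomes the Referer of every third-party fetch.
        referer = headers.get("referer")
        if referer and _token_in_query(referer) \
                and urlsplit(referer).netloc != parts.netloc:
            findings.append(("token-leaked-via-referer", url))
    return findings


def redact_token_params(url: str) -> str:
    """How a fixed client should log a URL: token parameters removed from the query."""
    parts = urlsplit(url)
    kept = [kv for kv in parts.query.split("&")
            if kv and kv.split("=", 1)[0] not in TOKEN_PARAMS]
    return parts._replace(query="&".join(kept)).geturl()


# Constructed capture of one session of a hypothetical partner app.
SAMPLE_CAPTURE = [
    {"url": "https://graph.example/me",                      # token in header over TLS: fine
     "headers": {"Authorization": "Bearer CONSTRUCTED_TOKEN_1"}},
    {"url": "http://api.partnerapp.example/sync?user=42&access_token=CONSTRUCTED_TOKEN_1"},
    {"url": "https://ads.thirdparty.example/pixel.gif",
     "headers": {"Referer": "https://partnerapp.example/home?access_token=CONSTRUCTED_TOKEN_1"}},
]

if __name__ == "__main__":
    for reason, url in find_token_exposures(SAMPLE_CAPTURE):
        print(f"{reason:24} {url}")
    print("redacted:", redact_token_params(SAMPLE_CAPTURE[1]["url"]))
```

The first record shows the shape that does not qualify: a token in the Authorization header over TLS is invisible to a passive observer. The remedies for the other three are the same in every framework: TLS only, tokens in headers rather than URLs, and a `Referrer-Policy` (for example `no-referrer` or `strict-origin`) on any page whose URL might still carry one.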