ITACS 5211: Introduction to Ethical Hacking

Wade Mackey

Week 12: Web Services

Domain Name Hijacking: Incidents, Threats, Risks and Remedial Actions

by Leave a Comment

http://archive.icann.org/en/announcements/hijacking-report-12jul05.pdf

Article: Domain Theft Strands Thousands of Web Sites

After I read this article I searched some related keywords from Google. I found a report which was published by ICANN Security and Stability Advisory Committee. In general, this report is describing domain hijacking. You all can find some useful information regarding following:

– Risk and threats associated with domain hijacking
– Vulnerabilities observed from domain hijackings
– Recovery mechanism
– Security measures to protect domain names

Is Your Data Breach Response Plan Ready?

by Leave a Comment

According to the survey, there were more than 5,000 reported data breaches worldwide, and there were more than 1,500 in the U.S. alone. There for data breach response plan is important for every organization. The article lists several questions on an interview of  Michael Bruemmer for organizations to help them prepare for the data breach response plan.

  1. How have typical responses to data breaches changed over the past five years?
  2. What still needs to occur to improve enterprises’ data breach response protocols and practices?
  3. When auditing their data breach response plan, what in particular should security leaders be looking for?
  4. What are the top three issues business security leaders should plan for next year?
  5. Are there any key tools or strategies security leaders can use to better engage with the C-Suite?
  6. The cybersecurity talent gap continues to be a real struggle for many security leaders. How can security professionals recruit the appropriate stakeholders and staff?
  7. Regarding response exercises and drills, what suggestions do you have for security leaders looking to involve multiple departments? What after-action steps are necessary to get the most out of these exercises?

 

https://www.securitymagazine.com/articles/89607-is-your-data-breach-response-plan-ready

Hacker takes over JavaScript library, injects malware to steal Bitcoin

by Leave a Comment

An open-source code stored in a popular JavaScript library was poisoned by its latest administrator with a malicious code allowing an attacker to swipe Bitcoin from Bitpay and Copay wallets.

The attacker injected a malicious code, called Event-Stream, into a NodeJS package that is used by the Copay and BitPay apps enabling an attacker to steal a wallet’s private keys, a fact confirmed by Bitpay. Bitpay warned users to assume their private keys on affected wallets have been compromised, so any funds should be moved to new wallets immediately.

https://www.scmagazine.com/home/security-news/hacker-takes-over-javascript-library-injects-malware-to-steal-bitcoin/

 

 

The Latest in Phishing: October 2018

by 1 Comment

Here are a few highlights:

  • Malicious phishing message volume increased 36% between Q1 and Q2 2018.
  • Proofpoint customers, on average, were targeted by 35 business email compromise (BEC) emails in Q2 2018. This represents a 26% increase over Q1, and a startling 87% increase over Q2 2017.
  • Ransomware was back on the scene in Q2, but is still lagging from a volume perspective, accounting for just a little more than 11% of total malicious messages during the measurement period.
  • Proofpoint researchers also detected a 30% increase in phishing links on social media.

 

https://www.wombatsecurity.com/blog/the-latest-in-phishing-october-2018

 

8 Popular Android Apps Caught Up In Million-Dollar Ad Fraud Scheme

by 1 Comment

Cheetah Mobile—a prominent Chinese app company, known for its popular utility apps like Clean Master and Battery Doctor—and one of its subsidiary Kika Tech have allegedly been caught up in an Android ad fraud scheme that stole millions of dollars from advertisers.

Here’s the list of seven Cheetah Mobile apps and one Kika app, which received an investment from Cheetah Mobile in 2016, caught participating in the fraudulent ad scheme:

  • Clean Master (with 1 billion users)
  • Security Master (with 540 million users)
  • CM Launcher 3D (with 225 million users)
  • Battery Doctor (with 200 million users)
  • Cheetah Keyboard (with 105 million users)
  • CM Locker (with 105 million users)
  • CM File Manager (with 65 million users)
  • Kika Keyboard (owned by Kika Tech with 205 million users)

https://thehackernews.com/2018/11/android-click-ad-fraud.html

 

From PINs to Prints: Smartphone Locks and Mobile Device Security

by 1 Comment

Smartphone security is one of the topics we recently explored in the 2018 User Risk Report. When we surveyed 6,000 working adults across six countries — the US, UK, France, Germany, Italy, and Australia — more than 90% of respondents said they use a smartphone, and 39% of these use their devices for both personal and business activities. In the BYOD era, that means infosec teams should be keenly aware of how individuals’ poor cybersecurity behaviors can affect their organizations’ security posture.

https://www.wombatsecurity.com/blog/from-pins-to-prints-smartphone-locks-and-mobile-device-security

 

US Postal Service Left 60 Million Users Data Exposed For Over a Year

by 1 Comment

https://thehackernews.com/2018/11/usps-data-breach.html

US Postal Service Left 60 Million Users Data Exposed For Over a Year

Even our postal service is susceptible to weak APIs…? Yeah even the government has weaknesses. What might make this worse is the cyber security researcher notified USPS of the vulnerability over a year ago and nothing was done. 60 Million USPS users data was exposed for over a year. USPS did finally do something about it and when they went to action it only took them two days. Two. 48 hours before they fixed it required a journalist contacting USPS on behalf of the researcher to initiate a response. OH, and what a silly response it is:

“We currently have no information that this vulnerability was leveraged to exploit customer records.”
“Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.”

in other words, “we’re good” because we don’t know of any breaches.

NICE!

Instagram Accidentally Exposed Some Users’ Passwords In Plaintext

by Leave a Comment

Instagram has recently patched a security issue in its website that might have accidentally exposed some of its users’ passwords in plain text.

The company recently started notifying affected users of a security bug that resides in a newly offered feature called “Download Your Data” that allows users to download a copy of their data shared on the social media platform, including photos, comments, posts, and other information that they have shared on the platform.

According to Instagram, the plain-text passwords for some users who had used the Download Your Data feature were included in the URL and also stored on Facebook’s servers due to a security bug that was discovered by the Instagram internal team.
The company said the stored data has been deleted from the servers owned by Facebook, Instagram’s parent company and the tool has now been updated to resolve the issue, which “affected a very small number of people.”

https://thehackernews.com/2018/11/instagram-password-hack.html

USPS Site Exposed Data on 60 Million Users

by 1 Comment

U.S. Postal Service just fixed a security flaw that allowed anyone who has an account at usps.com to view account details for some 60 million other users. They could even modify the account details on their behalf! The problem arose out of a security weakness in the API. The API accepted “wildcard” search parameters. This API was tied to a Postal Service initiative called “Informed Visibility,” which was designed to let businesses, advertisers and other bulk mail senders “make better business decisions by providing them with access to near real-time tracking data” about mail campaigns and packages. So, the real time data about packages and mail being sent by USPS commercial customers was being exposed. Also, any logged-in user could query the system for account details belonging to other users, such as their email addresses, usernames, account number, street address, phone number, etc.

Another fact that alarmed me was that the flaw was discovered and reported to the USPS over a year ago, but they never acted on it until now.

https://krebsonsecurity.com/2018/11/usps-site-exposed-data-on-60-million-users/