Intro-to-Ethical-Hacking-Week-12 Updated
https://capture.fox.temple.edu/Mediasite/Play/48f351a58ac7498b867296ddbb531f2d1d
ITACS 5211: Introduction to Ethical Hacking
Wade Mackey
http://archive.icann.org/en/announcements/hijacking-report-12jul05.pdf
Article: Domain Theft Strands Thousands of Web Sites
After I read this article I searched some related keywords on Google. I found a report which was published by the ICANN Security and Stability Advisory Committee. In general, this report describes domain hijacking. You can all find some useful information regarding the following:
– Risk and threats associated with domain hijacking
– Vulnerabilities observed from domain hijackings
– Recovery mechanism
– Security measures to protect domain names
According to the survey, there were more than 5,000 reported data breaches worldwide, and more than 1,500 in the U.S. alone. Therefore, a data breach response plan is important for every organization. The article lists several questions from an interview with Michael Bruemmer to help organizations prepare their data breach response plans.
https://www.securitymagazine.com/articles/89607-is-your-data-breach-response-plan-ready
Open-source code in a popular JavaScript library was poisoned by its latest administrator with malicious code allowing an attacker to swipe Bitcoin from Bitpay and Copay wallets.
The attacker injected malicious code, called Event-Stream, into a NodeJS package that is used by the Copay and BitPay apps, enabling an attacker to steal a wallet’s private keys, a fact confirmed by Bitpay. Bitpay warned users to assume their private keys on affected wallets have been compromised, so any funds should be moved to new wallets immediately.
Hacker takes over JavaScript library, injects malware to steal Bitcoin
Here are a few highlights:
https://www.wombatsecurity.com/blog/the-latest-in-phishing-october-2018
Cheetah Mobile—a prominent Chinese app company, known for its popular utility apps like Clean Master and Battery Doctor—and one of its subsidiaries, Kika Tech, have allegedly been caught up in an Android ad fraud scheme that stole millions of dollars from advertisers.
Here’s the list of seven Cheetah Mobile apps and one Kika app, which received an investment from Cheetah Mobile in 2016, caught participating in the fraudulent ad scheme:
https://thehackernews.com/2018/11/android-click-ad-fraud.html
Smartphone security is one of the topics we recently explored in the 2018 User Risk Report. When we surveyed 6,000 working adults across six countries — the US, UK, France, Germany, Italy, and Australia — more than 90% of respondents said they use a smartphone, and 39% of these use their devices for both personal and business activities. In the BYOD era, that means infosec teams should be keenly aware of how individuals’ poor cybersecurity behaviors can affect their organizations’ security posture.
https://www.wombatsecurity.com/blog/from-pins-to-prints-smartphone-locks-and-mobile-device-security
https://thehackernews.com/2018/11/usps-data-breach.html
US Postal Service Left 60 Million Users Data Exposed For Over a Year
Even our postal service is susceptible to weak APIs…? Yeah, even the government has weaknesses. What might make this worse is that the cyber security researcher notified USPS of the vulnerability over a year ago and nothing was done. 60 million USPS users’ data was exposed for over a year. USPS did finally do something about it, and when they went into action it only took them two days. Two. Those 48 hours before they fixed it only began once a journalist contacted USPS on behalf of the researcher to initiate a response. OH, and what a silly response it is:
“We currently have no information that this vulnerability was leveraged to exploit customer records.”
“Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.”
In other words, “we’re good” because we don’t know of any breaches.
NICE!
Instagram has recently patched a security issue in its website that might have accidentally exposed some of its users’ passwords in plain text.
The U.S. Postal Service just fixed a security flaw that allowed anyone who has an account at usps.com to view account details for some 60 million other users. They could even modify the account details on their behalf! The problem arose out of a security weakness in the API. The API accepted “wildcard” search parameters. This API was tied to a Postal Service initiative called “Informed Visibility,” which was designed to let businesses, advertisers and other bulk mail senders “make better business decisions by providing them with access to near real-time tracking data” about mail campaigns and packages. So, the real-time data about packages and mail being sent by USPS commercial customers was being exposed. Also, any logged-in user could query the system for account details belonging to other users, such as their email addresses, usernames, account numbers, street addresses, phone numbers, etc.
Another fact that alarmed me was that the flaw was discovered and reported to the USPS over a year ago, but they never acted on it until now.
https://krebsonsecurity.com/2018/11/usps-site-exposed-data-on-60-million-users/
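The wildcard-parameter weakness described in the post above, shown as an added illustration (this is not USPS code and not from the article): a constructed in-memory account store, a lookup that matches a caller-supplied wildcard pattern across every record, the same lookup with object-level authorization, and a small access-log check that flags wildcard values in the account parameter. All names and the log format are assumptions.

```python
import fnmatch
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass(frozen=True)
class Account:
    account_id: str
    owner: str   # the logged-in user entitled to see this record
    email: str
    street: str


# Constructed sample data standing in for a bulk-mail customer account store.
ACCOUNTS = [
    Account("100-001", "alice", "alice@example.com", "1 Main St"),
    Account("100-002", "bob", "bob@example.com", "2 Oak Ave"),
    Account("200-003", "carol", "carol@example.com", "3 Elm Rd"),
]

WILDCARD_CHARS = set("*?[")


def contains_wildcard(value: str) -> bool:
    return any(c in WILDCARD_CHARS for c in value)


def vulnerable_lookup(caller: str, account_pattern: str) -> list[Account]:
    """Mirrors the reported weakness: the search parameter is treated as a
    wildcard pattern over all records and the caller is never compared to
    the record owner, so a logged-in user can enumerate everyone's details."""
    return [a for a in ACCOUNTS if fnmatch.fnmatchcase(a.account_id, account_pattern)]


def hardened_lookup(caller: str, account_id: str) -> list[Account]:
    """Object-level authorization: the parameter must be an exact identifier
    (wildcards are rejected) and only records owned by the caller come back."""
    if contains_wildcard(account_id):
        raise ValueError("wildcard search parameters are not permitted")
    return [a for a in ACCOUNTS if a.account_id == account_id and a.owner == caller]


def wildcard_requests(log_lines: list[str]) -> list[str]:
    """Detection aid: return access-log lines (assumed format 'user METHOD path?query')
    whose 'account' parameter carries a wildcard, after URL-decoding the value."""
    flagged = []
    for line in log_lines:
        _, _, query = line.partition("?")
        values = parse_qs(query).get("account", [])
        if any(contains_wildcard(v) for v in values):
            flagged.append(line)
    return flagged
```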
The company recently started notifying affected users of a security bug that resides in a newly offered feature called “Download Your Data” that allows users to download a copy of their data shared on the social media platform, including photos, comments, posts, and other information that they have shared on the platform.
According to Instagram, the plain-text passwords for some users who had used the Download Your Data feature were included in the URL and also stored on Facebook’s servers due to a security bug that was discovered by the Instagram internal team.
The company said the stored data has been deleted from the servers owned by Facebook, Instagram’s parent company, and the tool has now been updated to resolve the issue, which “affected a very small number of people.”
https://thehackernews.com/2018/11/instagram-password-hack.html