“On Friday, a group called the Shadow Brokers published details of several hacking tools, indicating they had been used by the US National Security Agency (NSA) to spy on money transfers.” Many suggested that Microsoft products may have been vulnerable. The company says these vulnerabilities had already been patched back in March. Microsoft has not revealed how it became aware of the flaws.
Week 11
Presentation and Wireless Capture File
Private Cyber Security Insurance
Insurance giant AIG has recently started selling “personal cyber security insurance”. Corporate cyber security insurance has been around for a while, with interesting consequences: making claims has often been difficult for customers because of the way the policies are written. This is a very interesting concept for a private individual because it will be hard to determine damages from certain attacks. Not all attacks result in the loss of money or can be directly associated with a cash theft. How do you value someone’s privacy in the case of an email breach or a social media breach?
It sounds like AIG is currently targeting only the wealthy with this product, but it will be interesting to see how it progresses in the near future as we become far more dependent on the internet; the product will have to trickle down to the mainstream.
http://fortune.com/2017/04/08/cyber-security-insurance-cybersecurity-aig-2017-tools-news/
HackerOne CEO: The tech industry has some ‘catching up to do’ on software security
This article offers one of the best approaches against cyber criminals. In fact, the “bug bounty” concept that Tech Republic’s Matt Asay explains in this piece may yet be the best answer many organizations have been waiting for. In a few words, a “bug bounty” program is an approach in which a common platform such as HackerOne works for major companies to give them access to thousands of hackers who, according to HackerOne CEO Marten Mickos, are vetted and scored. In other words, it is a strategy that gives companies immediate access to a diverse group of ethical hackers. Remember that for each vulnerability that gets fixed, the system becomes more secure. Another benefit of this program is that malicious attackers tend to stay away from systems that are much tougher to break into.
Marten also describes the traits of a highly productive bug hunter. According to the CEO, “The most important characteristic is curiosity.” After that comes creativity and the ability to write elegant reports that the receiving security team can quickly understand and assess.
This is an excellent piece of writing that I would advise even IT Security executives to read because it offers good and simple solutions against malicious hackers.
Code Running Millions of Samsung Devices Is Full of Giant, Gaping Security Holes
Researchers in Israel have found major security holes in millions of Samsung IoT devices: televisions, refrigerators, washers and dryers, and any other device running Samsung’s in-house OS, called Tizen. Tizen is Samsung’s equivalent of Android. Forty so-called zero-day vulnerabilities have been found in the OS and were reported to Samsung months ago, with no further action taken by Samsung. Those 40 flaws would allow an attacker to take over the device. Could you imagine someone taking over your stove or oven and turning it on while no one is home? The researchers stated Tizen “may be the worst code I’ve ever seen.”
Hackers Are Emptying ATMs With a Single Drilled Hole and $15 Worth of Gear
This is an interesting article on hackers combining their physical penetration skills with technical skills. Hackers were able to drill a hole the size of a golf ball next to the PIN pad and insert a wire to take command and control of the ATM and make it dispense cash. Security researchers at Kaspersky demonstrated that the technical part of the attack could easily be done with a simple Arduino controller, a breadboard, and a 9-volt battery.
These stories remind me of Terminator 2 when young John Connor was hacking the ATM machine. The ironic thing is that the ATMs that were compromised have been used since the 90s when that movie came out!
The challenge that banks will face in fixing this vulnerability is that the software update cannot be done remotely, and the researchers are also recommending additional hardware enhancements and physical security controls (e.g. surveillance cameras, physical access controls). All of this requires work to be done on premises, and these devices are apparently widely in use.
Scareware vulnerability confirmed for iOS 10.2 and Earlier
Apple recently confirmed that there was a vulnerability that allowed attackers to send an infinite loop of alert messages to the Safari application. Instead of affecting just the tab in which the website was opened, it affected the entire application, making Safari unusable. Alerts such as “Your device has been locked” were used to scare users into buying iTunes gift cards to pay the ransom. The catch is that it didn’t actually lock iOS or encrypt any files, hence the name scareware. The scammers registered domains and launched the attack from the domains they owned, such as police-pay[.com]. When a user clicks a link to one of those domains, they get an infinite loop of alert messages.
The good news is that Apple recently patched this vulnerability in iOS 10.3. If you don’t want to update, the other option is to clear Safari’s cache.
Article: http://www.securityweek.com/ios-scareware-campaign-abuses-safari-vulnerability
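As an added illustration (this is not code from the SecurityWeek article, from Apple, or from the scam pages), the following is a small model of how a browser can handle JavaScript alert() dialogs. It shows why a page that re-raises an alert every time the user dismisses it is a denial of service when dialogs are queued app-wide, as the post describes for Safari on iOS 10.2, and why scoping the dialog budget to the misbehaving tab contains the damage. The class name, method names, tab ids and the 1000-iteration bound are illustrative assumptions; the page does not describe how Apple actually implemented the iOS 10.3 fix, so this is a model of the mechanism, not Apple’s code.

```javascript
// Added example (not from the article or from Apple): a toy model of browser
// dialog handling. Names and limits here are illustrative assumptions.

class DialogManager {
  // scope: "app" (one dialog budget shared by every tab, the behaviour the
  //        post describes for iOS 10.2 Safari) or "tab" (one budget per tab).
  // maxDialogs: dialogs a scope may show before the browser refuses more;
  //        Infinity models a browser with no cap at all.
  constructor(scope, maxDialogs) {
    this.scope = scope;
    this.maxDialogs = maxDialogs;
    this.shown = new Map();   // scope key -> dialogs rendered so far
    this.blocked = new Set(); // scope keys that hit the cap
  }

  key(tabId) {
    return this.scope === "app" ? "app" : tabId;
  }

  // Called for every alert(); returns true if a modal dialog was rendered.
  alert(tabId, message) {
    const k = this.key(tabId);
    if (this.blocked.has(k)) return false; // already refused for this scope
    const n = (this.shown.get(k) || 0) + 1;
    if (n > this.maxDialogs) {
      this.blocked.add(k);                 // stop rendering dialogs here
      return false;
    }
    this.shown.set(k, n);
    return true;
  }

  // Can a tab still put a dialog in front of the user?
  canAlert(tabId) {
    return !this.blocked.has(this.key(tabId));
  }
}

// The scareware page: re-raise the alert as soon as the user dismisses it.
// A real page loops forever; `attempts` bounds the simulation so it ends.
// Returns how many modal dialogs the user actually had to dismiss.
function runScarewarePage(manager, tabId, attempts) {
  let rendered = 0;
  for (let i = 0; i < attempts; i++) {
    if (manager.alert(tabId, "Your device has been locked")) rendered++;
  }
  return rendered;
}

// Run the scareware tab, then check whether a second, legitimate tab
// ("bank") can still talk to the user.
function simulate(scope, maxDialogs) {
  const manager = new DialogManager(scope, maxDialogs);
  const dismissed = runScarewarePage(manager, "scareware", 1000);
  return {
    dismissedByUser: dismissed,            // 1000 means the user is stuck
    scarewareTabUsable: manager.canAlert("scareware"),
    otherTabUsable: manager.canAlert("bank"),
  };
}
```

With no cap (`simulate("app", Infinity)`) the user has to dismiss every one of the 1000 dialogs, which is the lock-up the post describes. An app-wide cap (`simulate("app", 2)`) ends the loop after two dialogs but also silences the bank tab, because the budget is shared. A per-tab cap (`simulate("tab", 2)`) stops the scareware tab while leaving the other tab usable, which is the property a per-tab fix gives you.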