Tag Archives: hack

10Fold – Security Never Sleeps – 87

Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.

Big items to consider: Vanguard Cybersecurity owner David Michael Levin was charged with three counts of unauthorized access to a computer, network, or electronic device of a Florida county and released on $15,000 bond; the charges stem from his use of pilfered credentials belonging to the county’s supervisor of elections to demonstrate security weaknesses in the county’s elections website. Researchers at security firm Check Point discovered new Android malware that automatically joins the infected smartphone to a botnet, which then generates money by faking ad clicks. An FBI investigation has found evidence that at least one employee of Bangladesh’s central bank was involved in the theft of $81 million from the bank. However, bank officials still partly blame the SWIFT financial network, which they allege left loopholes for hackers.

How a security pro’s ill-advised hack of a Florida elections site backfired – Publication: Ars Technica – Reporter name: Dan Goodin

A Florida man has been slapped with felony criminal hacking charges after gaining unauthorized access to poorly secured computer systems belonging to a Florida county elections supervisor.

New Android malware poses as popular game, but enlists phones into botnet – Publication: ZDNet – Reporter name: Zack Whittaker

Tens of thousands of Android users are thought to have fallen victim to a newly-discovered malware, which enlists devices as part of a hacker-controlled botnet. The malware is dubbed “Viking Horde,” after one of the popular apps it poses as. The sophisticated malware campaign consists of a number of games and apps that are readily available through Google Play, the app store for Android devices.

Bangladesh central bank hack may be an insider job, says FBI – Publication: ComputerWorld – Reporter name: John Ribeiro

The U.S. Federal Bureau of Investigation has found evidence that at least one employee of Bangladesh’s central bank was involved in the theft of $81 million from the bank through a complex hack, according to a newspaper report.

10Fold – Security Never Sleeps – 86


Big items to consider: Starting today, Google will send notifications to employees about a data breach that occurred at a third-party company it uses for benefits management services. Babycare retailer Kiddicare has warned customers that personal data shared with the store has been stolen by hackers. The Cyber Security Breaches Survey 2016 reveals that, of those hit by cyberattacks, a quarter experience a repeat breach at least once a month. Experts are skeptical of the alleged 272 million credentials that were discovered last week: both Google and a Russia-based e-mail service published analyses that call into question the validity of the security firm’s entire report.

Google suffers data breach via benefits provider – Publication: CSO – Reporter name: Dave Lewis

In the Google case, the whoops factor was curtailed and the damage was limited. There were names and Social Insurance Numbers in the document in question, but those didn’t leak beyond the immediate parties, according to the breach notification letter which is due out today. Even though the issue was contained, Google is providing credit monitoring for affected parties.

Babycare e-tailer Kiddicare admits customer data breach – Publication: The Register – Reporter name: John Leyden

The compromised data is restricted to name, delivery address, telephone number and email address, according to Kiddicare, which is keen to stress that customer payment details or credit/debit card information has not been accessed.

Two thirds of large businesses have suffered a data breach in the past year – Publication: ZDNet – Reporter name: Danny Palmer

The proportion of businesses that have suffered a breach declines as the organization gets smaller: 51 percent of medium firms said they’d been the victim of an attack, compared to 33 percent of small firms, while just 17 percent of micro firms say they’d suffered a data breach. This could be because smaller firms are less attractive targets to hackers, or perhaps because they lack the skills to recognize a breach has taken place.

Garbage in, garbage out: Why Ars ignored this week’s massive password breach – Publication: Ars Technica – Reporter name: Dan Goodin

What has been clear all along to anyone paying attention is that the plaintext credentials recovered by Hold Security almost certainly didn’t come from hacks on the e-mail providers. Instead, they most likely were collected by hackers who hit dozens, hundreds or thousands of third-party Web services over the years and dumped the account databases into a single list.

10Fold – Security Never Sleeps – 85


Big items to consider: Cybersecurity professionals warn that anyone with a personal email account might want to change their passwords following revelations that a massive cache of stolen usernames and passwords is being offered for sale on the Internet. Fiat Chrysler Automobiles Chief Executive Sergio Marchionne said Friday that FCA and Alphabet Inc’s Google have yet to determine who will own data collected in their collaboration on testing self-driving vehicles. Hackers disrupted a Locky campaign after they breached one of the attackers’ servers and replaced the real ransomware with a harmless file containing the string “Stupid Locky.” For the past five years, a vulnerability in many Android phones has left users’ text messages, call histories, and possibly other sensitive data open to snooping, security researchers said Thursday.

Cyber Experts: Change Passwords After Massive Hack – Publication: NBC News – Reporter name: Tom Costello

The thefts involved some of the biggest email providers in the world such as Google, Yahoo, Hotmail and Microsoft. The bulk of the stolen accounts—some 272.3 million—include Russia’s Mail.ru users, according to Alex Holden, founder and chief information security officer of Hold Security who discovered the theft. “We know he’s a young man in central Russia who collected this information from multiple sources,” Holden told NBC News. “We don’t know the way he did it or the reason why he did it.” The user names and passwords were being offered for sale on the so-called “dark web” where hackers hock their goods.

Fiat Chrysler CEO: Data ownership unclear in working with Google – Publication: Reuters – Reporter name: Bernie Woodall

Earlier this week, FCA and Google announced that they would align to fit 100 of the Pacifica minivans made at Windsor for Google’s self-driving test fleet. Marchionne said there are many aspects of the project with Google that have yet to be determined, such as whether the two will develop an open-source software platform that could be shared with others. Marchionne said that what has been agreed so far with Google is limited, but he suggested that the alliance could evolve.

Hackers Disrupt Locky Ransomware Campaign – Publication: SecurityWeek – Reporter name: Eduard Kovacs

According to Avira researcher Sven Carlsen, the attack started with a spam email designed to trick recipients into opening an attachment by informing them of an unpaid fine. The attached file is actually a malware downloader configured to fetch the Locky ransomware from a server whose location is determined based on a domain generation algorithm (DGA). The downloader then executes the file. However, in the attack analyzed by Avira, the downloader did not fetch Locky and instead it downloaded a 12Kb executable containing the message “STUPID LOCKY.” Since the file did not have a valid structure, the downloader failed to execute it, resulting in an error message being displayed.

Critical Qualcomm security bug leaves many phones open to attack – Publication: Ars Technica – Reporter name: Dan Goodin

The flaw, which is most severe in Android versions 4.3 and earlier, allows low-privileged apps to access sensitive data that’s supposed to be off-limits, according to a blog post published by security firm FireEye. But instead, the data is available by invoking permissions that are already requested by millions of apps available in Google Play. Company researchers said the vulnerability can also be exploited by adversaries who gain physical access to an unlocked handset. Indexed as CVE-2016-2060, the bug was first introduced when mobile chipmaker Qualcomm released a set of programming interfaces for a system service known as the “network_manager” and later the “netd” daemon.

10Fold – Security Never Sleeps – 82


Big items to consider: Computer scientists have discovered vulnerabilities in Samsung’s Smart Home automation system that allowed them to carry out a host of remote attacks, including digitally picking connected door locks from anywhere in the world. In March 2016, more than 2.5 million patient records were put at risk due to stolen laptops, unauthorized access, and hacking, according to data from the U.S. Department of Health and Human Services. Europe’s police agency Europol has been given enhanced cyber powers to track down terrorists and other criminals. Last week, a security researcher discovered a vulnerability that exposed all 866 million account credentials harvested by pwnedlist.com, a service designed to help companies track public password breaches that may create security problems for their users.

Samsung Smart Home flaws let hackers make keys to front door – Publication: Ars Technica – Reporter name: Dan Goodin

The attack, one of several proof-of-concept exploits devised by researchers from the University of Michigan, worked against Samsung’s SmartThings, one of the leading Internet of Things (IoT) platforms for connecting electronic locks, thermostats, ovens, and security systems in homes. The researchers said the attacks were made possible by two intrinsic design flaws in the SmartThings framework that aren’t easily fixed. They went on to say that consumers should think twice before using the system to connect door locks and other security-critical components.

What to ask your doctor, lawyer, and accountant about protecting your personal data – Publication: PCWorld – Reporter name: Robert Lemos

The issues underscore that one of the greatest benefits of the Internet economy—the ability to conduct transactions without needing to be face-to-face—is also a great weakness. As not-present transactions have become the norm, the information that can be used as a digital identity—known as “fullz” in the underground community—has become more valuable. Experts say that a little due diligence can go a long way. Here are some basic steps that consumers can take to make sure that their accountants, doctors and lawyers protect their information.

Eurocops get new cyber powers to hunt down terrorists, criminals – Publication: Ars Technica – Reporter name: Jennifer Baker

The new governance rules were approved by the European Parliament’s civil liberties committee on Thursday by a massive majority. MEPs claimed that the new powers come with strong data protection safeguards and democratic oversight. It means that Europol will be able to more easily set up specialized units to respond immediately to emerging threats, in particular cross-border crimes and terrorist threats.

How the Pwnedlist Got Pwned – Publication: Krebs on Security – Reporter name: Brian Krebs

Pwnedlist is run by Scottsdale, Ariz. based InfoArmor, and is marketed as a repository of usernames and passwords that have been publicly leaked online for any period of time at Pastebin, online chat channels and other free data dump sites. The service until quite recently was free to all comers, but it makes money by allowing companies to get a live feed of usernames and passwords exposed in third-party breaches which might create security problems going forward for the subscriber organization and its employees. The vulnerability has since been fixed, but this simple security flaw may have inadvertently exacerbated countless breaches by preserving the data lost in them and then providing free access to one of the Internet’s largest collections of compromised credentials.

10Fold – Security Never Sleeps – 80


Big items to consider: Yesterday, research surfaced showing how Waze, the Google-owned driving assistance app, has a vulnerability that would let hackers track users’ whereabouts without their knowledge. Mobile and IoT devices are still not a factor in real-world data attacks, according to Verizon’s 2016 Data Breach Investigations Report (DBIR). Conficker and Ramnit malware found in a German nuclear power plant was deemed ‘harmless’ since the affected systems were not connected to the Internet. The Philippine central bank has foiled attempts to hack its website, its governor said on Thursday, amid a warning from global financial network SWIFT about recent multiple cyber fraud incidents targeting its system.

Google’s Waze says, ‘Nope, hackers can’t stalk you on our app’ – Publication: Re/Code – Reporter name: Mark Bergen

The Google unit released a statement addressing what it calls “severe misconceptions” about the study, released by researchers at University of California Santa Barbara, and an unnamed “news article.” In its response, Waze notes that faux car icons are the norm — a way to make users feel like they’re not so alone in places where Waze is new. And it insisted that “a stranger cannot” find or follow you while using the app. Plus, there’s a hitch here, Waze countered: Hill wanted to be found. “The reporter in the article gave her location and username to the research team,” the post reads, “which greatly simplified the process of deducing sections of her route after the fact by using a system of ghost riders.”

Mobile, IoT yet to become data breach targets – Publication: Business Insider – Reporter name: STAFF

The annual report, which looks at emerging trends and patterns in global data breaches, found a similar story in 2015 to that of 2014. While web attacks surged and financial gain and espionage remained prominent motives, mobile and IoT devices are still a low priority for attacks by malicious actors. Verizon drew from over 100,000 security incidents (more than 3,100 of which were actual data breaches), and included third-party data from around 65 global organizations, including the US Department of Homeland Security and security vendors.

German Nuclear Power Plant Infected With Malware – Publication: Dark Reading – Reporter name: STAFF

A German nuclear power plant near Munich reportedly was found infected with malware. RWE, the German utility that runs the facility, has confirmed that since the plant is cut off from the Internet, the malware infection did not affect or harm operations, according to Reuters. Conficker and W32.Ramnit malware was discovered in unit B of the Gundremmingen plant on the computer system that operates the tools that move nuclear fuel rods. Conficker is a worm that can spread quickly through networks, while W32.Ramnit steals files from computers and is spread through USB sticks, for instance.

Philippine central bank says foiled attempts to hack its website – Publication: Reuters – Reporter name: Karen Lema

SWIFT’s disclosure came as law enforcement authorities in Bangladesh and elsewhere investigated the February cyber theft of $81 million from the Bangladesh central bank account at the New York Federal Reserve Bank. “There were attempts, and I think this is a fact of life, but we have been able to turn them back,” Amando Tetangco told reporters. “Attempts are always there.” Tetangco stressed that the hacking only involved its website and that the bank has been updating its cyber security systems. He did not say when the hacking attempts occurred.

10Fold – Security Never Sleeps – 79


Big items to consider: Netcraft researchers have discovered an extremely convincing Facebook phishing attack: the fraudsters made the fake “Facebook Page Verification” form that victims are asked to fill in and submit look legitimate, because the page serving it is on a Facebook subdomain. One cyber underground group saw a golden opportunity and created Ran$umBin, a Dark Web service that acts as a one-stop shop for monetizing ransomware. As the Republican presidential contenders, Sen. Ted Cruz and Gov. John Kasich, battle over who can best protect America, at least two candidates are having trouble protecting potential voters’ personal information on their campaign apps. Hacking group “PLATINUM” used Windows’ own patching system against it; the previously unknown group has been attacking targets in South East Asia since at least 2009, with Malaysia its biggest victim at just over half the attacks and Indonesia in second place.

Facebook made to serve phishing forms to users – Publication: Help Net Security – Reporter name: Zeljka Zorz

The phishers have registered Facebook apps and have managed to load the form inside them via iframes. The form is hosted on the crooks’ own servers, which also use HTTPS, so no warnings about insecure connections will pop up. Another trick up the fraudsters’ sleeve is that they made the form return an “incorrect credentials” notification the first time the user submits them (whether they are correct or not). This trick is used to convince the most suspicious users, who might have entered incorrect credentials on purpose, that the form works as it should and is legitimate.

Crowdsourcing The Dark Web: A One-Stop Ran$om Shop – Publication: Dark Reading – Reporter name: STAFF

The website is dedicated to criminals and victims alike: it lets criminals upload stolen data (embarrassing information, user credentials, credit data, stolen identities, and any other kind of cyber-loot), and lets victims pay for the removal of said stolen data from the Dark Web, where it could be bought by any cybercriminal who’s willing to pay. Ran$umBin has been active for under two months; it is very user-friendly and its business model is simple: hackers can upload stolen data and either sell it to other criminals or extort the data’s owner – while the site takes commission. The site’s cut is based on who the data owner is: criminals who want to buy data belonging to a pedophile would pay $100 and the site would take a 30% commission; if a criminal is looking for data belonging to a celebrity or a law enforcement representative, the price could be double and the commission would climb to 40%. Alternatively, the hacker who uploads the data can choose their own ransom demand and simply send their victim instructions on how to log in to Ran$umBin and pay. I’ve seen several Dox markets, but this one truly stands out: it’s a platform where any criminal can use what other criminals have stolen, like a cyber-ransom Uber or AirBnB.

Cruz, Kasich campaign apps under scrutiny over security issues – Publication: Fox News – Reporter name: STAFF

The official apps for GOP candidates Sen. Ted Cruz and Gov. John Kasich have come under scrutiny after a Monday report from cybersecurity firm Symantec found users’ data was improperly secured and vulnerable to hackers. Symantec’s analysis used a test that collects unencrypted personal data being transmitted from phones running the campaigns’ apps. “The data may be going to a legitimate destination, but it could be intercepted by someone intercepting the traffic,” Symantec engineer Shaun Aimoto said. Cruz data director Chris Wilson on Monday denied the campaign’s app leaks data.

Hacking group “PLATINUM” used Windows’ own patching system against it – Publication: Ars Technica – Reporter name: Peter Bright

Microsoft’s Windows Defender Advanced Threat Hunting team works to track down and identify hacking groups that perpetrate attacks. The focus is on the groups that are the most selective about their targets and that work the hardest to stay undetected. Almost half of the attacks were aimed at government organizations of some kind, including intelligence and defense agencies, and a further quarter of the attacks were aimed at ISPs. The goal of these attacks does not appear to have been immediate financial gain—these hackers weren’t after credit cards and banking details—but rather broader economic espionage using stolen information.

10Fold – Security Never Sleeps – 76


Big items to consider: New information surfacing around the Bangladesh Bank heist leads police to believe that the bank had no firewall. Australia has pumped $230m into its cyber security efforts and claims to be able to hack its enemies “if necessary.” New research into the “Rowhammer” bug that resides in certain types of DDR memory chips raises a troubling new prospect: attacks that use Web applications or booby-trapped videos and documents to trigger so-called bitflipping exploits that allow hackers to take control of vulnerable computers. IT security stocks have soared after the seven big data breaches made public over the past three years, according to the Bessemer Venture Partners Cyber Index released Tuesday.

Bangladesh Bank exposed to hackers by cheap switches, no firewall: police – Publication: Reuters – Reporter name: Serajul Quadir

Bangladesh’s central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 switches to network computers connected to the SWIFT global payment network, an investigator into one of the world’s biggest cyber heists said. The shortcomings made it easier for hackers to break into the system earlier this year and attempt to siphon off nearly $1 billion using the bank’s SWIFT credentials, said Mohammad Shah Alam, head of the Forensic Training Institute of the Bangladesh police’s criminal investigation department.

Australia says it can hack enemies as it invests $230 million in cyber security – Publication: Mashable – Reporter name: Jenni Ryall

The Australian government is watching and has the means to launch a cyber attack. On Thursday, Prime Minister Malcolm Turnbull introduced a massive A$230 million cash injection to arm the country for cyber security issues and deal with online threats it is facing, including cyber war and internal whistleblowers. Within the new Internet strategy, pushed down to page 28, the government also makes clear it has the capabilities to launch a cyber attack if necessary. “Australia’s defensive and offensive cyber capabilities enable us to deter and respond to the threat of cyber attack,” the report reads. “Any measure used by Australia in deterring and responding to malicious cyber activities would be consistent with our support for the international rules based order and our obligations under international law.”

DRAM bitflipping exploits that hijack computers just got easier – Publication: Ars Technica – Reporter name: Dan Goodin

The scenario is based on a finding that the Rowhammer vulnerability can be triggered by what’s known as non-temporal code instructions. That opens vulnerable machines to several types of exploits that haven’t been discussed in previous research papers. For instance, malicious Web applications could use non-temporal code to break out of browser security sandboxes and access sensitive parts of an operating system. Another example: attackers could take advantage of media players, file readers, file compression utilities, or other apps already installed on Rowhammer-susceptible machines and cause the apps to trigger the attacks.

Huge data breaches have been good for security stocks – Publication: CNBC – Reporter name: Harriet Taylor

IT security stocks have soared after the seven big data breaches made public over the past three years, according to the Bessemer Venture Partners Cyber Index released Tuesday. The BVP Cyber Index tracked the capital-weighted performance since Jan. 1, 2011, of 29 public companies whose primary business is cybersecurity. Almost half of those companies are valued at more than a billion dollars. The public IT security sector outperformed the stock market by more than two times during that time, and outperformed the market by about five times the month after those breaches were made public.

10Fold – Security Never Sleeps – 74


Big items to consider: A new strain of malware called GozNym is targeting business accounts at banks rather than the banks themselves. A new artificial intelligence platform offers 3x the detection capability with 5x fewer false positives: dubbed AI2, the technology has shown three times more predictive capability and drastically fewer false positives than today’s analytics methods. Real-life whaling attempts show the intricate changes perpetrators make to trick a CEO. “60 Minutes” highlights an iPhone vulnerability by showcasing how hackers tapped into a congressman’s calls.

New “Double-Headed” Malware Has Stolen $4 Million From U.S. and Canadian Banks – Publication: Fortune – Reporter name: Clay Dillow

Meet GozNym, the hybrid malware robbing your business account. A new breed of malicious software has stolen roughly $4 million from 24 U.S. and Canadian banks over the first several days of April, IBM cybersecurity researchers report. The malware—known by the portmanteau GozNym—is a hybrid of two strains of known malware “that takes the best of both,” according to a blog post by IBM’s X-Force, part of IBM’s security division. The program is largely targeting business accounts, mostly in the U.S., and mostly via credit unions and “popular e-commerce platforms.” IBM didn’t name the specific institutions but says they have been notified.

MIT AI Researchers Make Breakthrough on Threat Detection – Publication: DarkReading – Reporter name: Ericka Chickowski

CSAIL gave a sneak peek into AI2 in a presentation to the academic community last week at the IEEE International Conference on Big Data Security, which detailed the specifics of a paper released to the public this morning. The driving force behind AI2 is its blending of artificial intelligence with what researchers at CSAIL call “analyst intuition,” essentially finding an effective way to continuously model data with unsupervised machine learning while layering in periodic human feedback from skilled analysts to inform a supervised learning model.

10 whaling emails that could get by an unsuspecting CEO – Publication: NetworkWorld – Reporter name: Ryan Francis

Whaling threats, or CEO fraud, continue to grow, with 70 percent of firms seeing an increase in these email-based attacks designed to extort money. There has been an uptick of activity lately as fraudsters spend the first few months of the year taking advantage of tax season, targeting finance departments with emails that look like they are coming from a company’s senior executive. Cases in point are Snapchat and Seagate, companies that inadvertently gave up employees’ personal information. Email security company Mimecast has shared a handful of real-life examples of fraud attempts targeted at the person in the corner office.

Hackers Track Your Phone No Matter What Security Measures You Take – Publication: Fortune – Reporter name: Aaron Pressman

“60 Minutes” taps congressman’s calls in demo. A flaw in one part of the global cellphone network allows hackers to track phone locations and listen in on calls and text messages, 60 Minutes reported Sunday. Hackers in Germany used the weakness in Signaling System Seven, or SS7, which carriers use to exchange billing information for roaming customers, in a demonstration to track and tap the calls of U.S. Rep. Ted Lieu (D-Calif.). 60 Minutes arranged the demonstration, and Lieu knew hackers would be trying to tap his iPhone.

10Fold – Security Never Sleeps – 71


Big items to consider: The British government will now allow immigration officials to hack refugees’ phones. A botnet took control of 4,000 Linux computers and forced them to blast spam for over a year before the whole operation was shut down. An analysis of Dridex infrastructure shows dangerous changes and potentially new operators.

Immigration officials allowed to hack phones of refugees and asylum seekers – Publication: BetaNews – Reporter name: Mark Wilson

The British government secretly rolled out powers that permitted the immigration officials to hack the mobile phones of asylum seekers and refugees, the Observer reveals. The Home Office has confirmed the hacking powers which have sparked outrage from privacy and human rights groups. In a statement about the powers afforded immigration officials, immigration minister James Brokenshire said: “They may only use the power to investigate and prevent serious crime which relates to an immigration or nationality offence, and have done so since 2013”.

Researchers help shut down spam botnet that enslaved 4,000 Linux machines – Publication: Ars Technica – Reporter name: Dan Goodin

A botnet that enslaved about 4,000 Linux computers and caused them to blast the Internet with spam for more than a year has finally been shut down. Known as Mumblehard, the botnet was the product of highly skilled developers. It used a custom “packer” to conceal the Perl-based source code that made it run, a backdoor that gave attackers persistent access, and a mail daemon that was able to send large volumes of spam. Command servers that coordinated the compromised machines’ operations could also send messages to Spamhaus requesting the delisting of any Mumblehard-based IP addresses that sneaked into the real-time composite blocking list, or CBL, maintained by the anti-spam service.

FBI Cyber Warning: Ignore Your CEO’s E-Mail And Phone Her Back — Or Your Company May Pay For It – Publication: Forbes – Reporter name: Steve Morgan

The FBI is warning people about a business email scheme which has resulted in huge losses to companies in Phoenix and other U.S. cities. A CEO seemingly emails an employee — typically in a finance or administrative role — instructing them to perform a wire transfer. The employee follows directions and executes the wire. Money is successfully transferred from the CEO’s company to another party. Turns out the CEO didn’t send the email. The CEO’s email identity was spoofed by a cybercriminal who sent the email. E-Mail spoofing is a widespread hacker practice involving the forgery of an e-mail header.

Dridex Malware Now Used For Stealing Payment Card Data – Publication: Dark Reading – Reporter name: Jai Vijayan

New analysis of the command and control panel and attack mechanisms of the Dridex banking Trojan shows the malware is being used in a wider range of malicious campaigns — and likely by a different set of threat actors than before. Spain-based security vendor buguroo says it recently was able to leverage a surprisingly easy-to-exploit weakness in the C&C infrastructure of Dridex to gain unprecedented visibility into how exactly the malware is being used. The analysis shows that Dridex is no longer being used just to hijack online banking sessions in order to transfer money from a victim’s account to fraudulent accounts, says Pablo de la Riva Ferrezuelo, chief technology officer and co-founder of buguroo.

10Fold – Security Never Sleeps – 68

Big items to consider: The entire Turkish citizen database has been leaked online, and the hack appears to be politically motivated. Microsoft released a 64-bit version of Windows 10 IoT Core Pro that is specifically designed for small internet-connected devices. Today Toyota announced a partnership with Microsoft to further develop connected cars and in-car systems that personalize themselves to every driver. Lastly, in an interesting blog post, a security researcher explained how he hacked the Domino’s pizza app to bypass the payment page and get free pizza, highlighting the vulnerabilities found in company apps.

The entire Turkish citizenship database has allegedly been leaked online – Publication: Business Insider – Reporter name: Lianna Brinded

The entire Turkish citizenship database has allegedly been hacked and leaked online. A website with purportedly leaked details of 49,611,709 Turkish citizens is online and allegedly gives the following details of each citizen — including the Turkish President Tayyip Erdogan: National Identifier (TC Kimlik No), First Name, Last Name, Mother’s First Name, Father’s First Name, Gender, City of Birth, Date of Birth, ID Registration City and District, Full Address. The apparent hack seems to be politically motivated. The website reads: “Who would have imagined that backwards ideologies, cronyism and rising religious extremism in Turkey would lead to a crumbling and vulnerable technical infrastructure?”

Microsoft releases a 64-bit version of Windows 10 IoT Core Pro – Publication: VentureBeat – Reporter name: Jordan Novet

Microsoft today announced that it’s releasing a 64-bit (x64) version of Windows 10 IoT Core Pro. This is a special flavor of the edition of Windows 10 designed for small Internet-connected devices that’s exclusively available to original equipment manufacturers (OEM). “This will enable OEM/ODMs (original design manufacturers) to move between Windows 10 IoT Core and Windows 10 IoT Enterprise without the need to maintain a separate firmware image for their devices,” Brett Bentsen, partner group program manager for Windows IoT at Microsoft, wrote in a blog post. “Additionally, we’re making the Board Support Package for the Raspberry Pi open source (except for the UEFI parts) to help OEM/ODMs provide a customized board experience.”

Toyota teams with Microsoft on connected cars – Publication: USA Today – Reporter name: Nathan Bomey & Chris Woodyard

Toyota announced an enhanced relationship with Microsoft on Monday aimed at delivering “connected car” services to drivers in ways they probably never could have imagined. Already, drivers ask the infotainment system in their cars for restaurant recommendations, but many locations often would require that a driver turn around. But with Toyota Connected, the system might be modified to only recommend restaurants on the highway ahead — and then only the kinds of food that the driver usually prefers.

This Hacker Found a Way to Get Free Domino’s Pizza for Life – Publication: Fortune – Reporter name: Robert Hackett

Paul Price, a computer security researcher based in the United Kingdom, three years ago hit the pizza jackpot. He found a computer bug affecting a Domino’s mobile app on Google Android that allowed him to place orders free of charge. All Price had to do to hack the system was to input some obviously fake debit card information (Visa number: 4111111111111111), intercept the traffic between his phone and Domino’s computer servers, and tweak the data that typically turns up an error message, he says. Literally, he rewrote some code to read “accepted” instead of “declined,” which green-lit the order.
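The bug described above is a server trusting the client's report of the card processor's verdict. The following added example (constructed here, not Domino's or Price's code) contrasts an order endpoint that accepts the relayed status string with one that verifies a processor-signed receipt server-side; the processor stand-in, shared secret and card numbers other than the 4111… placeholder quoted in the article are assumptions.

```python
"""Constructed example: trusting a client-relayed payment verdict vs verifying it."""
import hashlib
import hmac
import json

# Constructed shared secret between the merchant backend and the card processor.
PROCESSOR_SECRET = b"constructed-merchant-processor-secret"
TEST_CARD = "4111111111111111"  # placeholder card number quoted in the article


def processor_charge(card_number: str, amount_cents: int, order_id: str) -> dict:
    """Stand-in for the card processor: declines the placeholder test card and
    signs its verdict (order id, amount, status) with the shared secret."""
    status = "declined" if card_number == TEST_CARD else "accepted"
    payload = json.dumps({"order_id": order_id, "amount": amount_cents,
                          "status": status}, sort_keys=True)
    sig = hmac.new(PROCESSOR_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def tamper(receipt: dict) -> dict:
    """Simulate the intercept-and-rewrite step from the article: the status
    field in the relayed reply is flipped, the signature is left untouched."""
    return {"payload": receipt["payload"].replace('"declined"', '"accepted"'),
            "sig": receipt["sig"]}


def vulnerable_place_order(receipt: dict) -> str:
    """'Before': the server reads the status the app relayed and never checks
    who produced it, so a rewritten 'accepted' is enough to place the order."""
    verdict = json.loads(receipt["payload"])
    return "order placed" if verdict["status"] == "accepted" else "order refused"


def hardened_place_order(order_id: str, amount_cents: int, receipt: dict) -> str:
    """'After': the server recomputes the processor's HMAC over the payload and
    binds the verdict to this order and amount before fulfilling anything."""
    expected = hmac.new(PROCESSOR_SECRET, receipt["payload"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, receipt["sig"]):
        return "order refused: bad signature"
    verdict = json.loads(receipt["payload"])
    if verdict["order_id"] != order_id or verdict["amount"] != amount_cents:
        return "order refused: receipt does not match order"
    return "order placed" if verdict["status"] == "accepted" else "order refused"
```

A processor-to-backend callback that never passes through the client removes the relay step entirely; the signed receipt shown here is the minimum check when the reply must transit the app.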