Categories
privacy security

Online databases dropping like flies, with >10,000 falling to ransomware

The first story of ransomware in 2017. We’re likely to see more stories about ransomware given how lucrative it is – people and organizations are quite willing to pay a “small” fee to get their data back. This in turn encourages more cybercriminals to turn to ransomware. The rise of cryptocurrencies like Bitcoin also helps facilitate this, as it makes it hard to trace the perpetrators.

More than 10,000 website databases have been taken hostage in recent days by attackers who are demanding hefty ransoms for the data to be restored, a security researcher said Friday.

Source: Online databases dropping like flies, with >10,000 falling to ransomware

PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass

The fragile PHP ecosystem continues to break down with holes like this. To be fair, this is a PHPMailer vulnerability. However, it is likely to affect a large chunk of PHP sites, as “PHPMailer continues to be the world’s most popular transport class, with an estimated 9 million users worldwide”.

An independent research uncovered a critical vulnerability in PHPMailer that could potentially be used by (unauthenticated) remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application.

Source: PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass

How is NSA breaking so much crypto?

It has long been speculated that NSA is able to eavesdrop on even encrypted traffic. Researchers think they have figured out how.

The Snowden documents also hint at some extraordinary capabilities: they show that NSA has built extensive infrastructure to intercept and decrypt VPN traffic and suggest that the agency can decrypt at least some HTTPS and SSH connections on demand.

It shows that the agency’s budget is on the order of $10 billion a year, with over $1 billion dedicated to computer network exploitation, and several subprograms in the hundreds of millions a year.

Source: How is NSA breaking so much crypto?

In other words, really expensive and dedicated hardware. Something only state actors can afford.

Yahoo Says 1 Billion User Accounts Were Hacked

Haven’t I heard this before, you may ask. No, this is a different hack from the earlier one. It’s deja vu all over again.

Back in the day, Yahoo was what Google or Facebook is now. It’s hard to imagine how a company in such a superior position can end up in this state. Yahoo’s story serves as a cautionary tale for the current Internet darlings.

The company says the attack was separate from the breach that led to an earlier disclosure that 500 million accounts were hacked.

Source: Yahoo Says 1 Billion User Accounts Were Hacked

How a Grad Student Found Spyware That Could Control Anybody’s iPhone from Anywhere in the World | Vanity Fair

A long-form article on the earlier story about NSO Group’s iPhone zero-days. Pretty long but easy to follow.

Last summer, Bill Marczak stumbled across a program that could spy on your iPhone’s contact list and messages—and even record your calls. Illuminating shadowy firms that sell spyware to corrupt governments across the globe, Marczak’s story reveals the new arena of cyber-warfare.

Source: How a Grad Student Found Spyware That Could Control Anybody’s iPhone from Anywhere in the World | Vanity Fair

EXCLUSIVE-Yahoo secretly scanned customer emails for US intelligence-sources

Just when you thought things couldn’t get worse for Yahoo, which is dealing with the fallout from news of its massive hack. It is also trying to sell itself to Verizon, which is taking the opportunity to ask for a massive price cut.

YAHOO-NSA/ (EXCLUSIVE, PIX):EXCLUSIVE-Yahoo secretly scanned customer emails for US intelligence-sources

Source: EXCLUSIVE-Yahoo secretly scanned customer emails for US intelligence-sources

Hack Brief: Yahoo Breach Hits Half a Billion Users

Largest password breach so far – 500M users.

After earlier reports of a cybercriminal hack that affected 200 million users, the real breach turns out to be far more serious.

Source: Hack Brief: Yahoo Breach Hits Half a Billion Users

[2016-09-29]: Defending Against Hackers Took a Back Seat at Yahoo, Insiders Say. ‘Cos it doesn’t affect the bottom line, no?

“Yahoo is already suffering. I don’t think they’ll suffer more because of this,” said Avivah Litan, a security analyst with the research firm Gartner.
Ouch.

The Dropbox hack is real

It’s not a suspected breach. Change your Dropbox password now.

Earlier today, Motherboard reported on what had been rumoured for some time, namely that Dropbox had been hacked. Not just a little bit hacked and not in that “someone has cobbled together a list of credentials that work on Dropbox” hacked either, but proper hacked to the tune of 68

Source: The Dropbox hack is real

New air-gap jumper covertly transmits data in hard-drive sounds

Your secrets should be safe as long as your machine is not connected to any network, right? Think again. There have been extremely innovative ways of transmitting information from unplugged (or what is known as air-gapped) computers to other devices, including:

and now... via the sound that a hard drive makes.

“DiskFiltration” siphons data even when computers are disconnected from the Internet.

Source: New air-gap jumper covertly transmits data in hard-drive sounds

TeamViewer denies hack after PCs hijacked, PayPal accounts drained

TeamViewer is a very popular tool for remote access due to its ease of use and firewall-bypassing capability. It is widely used by IT support, sysadmins, appliance manufacturers, POS system makers, individuals, etc. If this hack is real, it would have huge ramifications for users of this tool.

Remote-control tool wobbles offline, blames bad passwords for compromises

Source: TeamViewer denies hack after PCs hijacked, PayPal accounts drained

Update (2016-06-04): Also reported here.