Cyber Security Training from QA

Cyber Pulse: Edition 26

Read the latest edition of Cyber Pulse, our roundup of Cyber news.


2 August 2018

Reddit hit by data breach after hackers hijack SMS login system

Global online forum Reddit has revealed that a hacker broke into a few of its systems and accessed user data between 14 and 18 June. According to an announcement issued on 2 August, current email addresses and a 2007 database back-up containing old salted and hashed passwords have been accessed.

“On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers,” according to Reddit. “Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”

According to Webroot senior threat research analyst Tyler Moffitt, the phone number is the weakest link in this type of attack. “Cyber criminals can steal a victim’s phone number by transferring it to a different SIM card with relative ease, thereby getting access to text messages and SMS-based authentication,” Moffitt said.

Reddit said that the hacker did not gain write access to its systems, only read-only access to some systems that contained back-up data, source code and other logs. A complete copy of an old database backup containing early Reddit user data, from the site’s launch in 2005 through May 2007, was accessed. According to Reddit, the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then. Also accessed were logs containing the email digests Reddit sent between 3 and 17 June 2018.

Dixons denies data-loss fraud

The electricals and mobile phone retailer had wrongly estimated in June that last year's attack involved 1.2 million personal records as well as an attempt to hack nearly six million bank card details. It said some data may have left its systems but not payment card or bank account details and there is no evidence that any fraud has resulted. Its investigation is nearly complete.

Chief executive, Alex Baldock, said: “We've been working around the clock to put it right. We're contacting all our customers to apologise. We're disappointed in having fallen short here.

“That's included closing off the unauthorised access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we're updating on today.

“Again, we're disappointed in having fallen short here, and very sorry for any distress we've caused our customers. I want to assure them that we remain fully committed to making their personal data safe with us.”

Alex Neill, from consumer lobby group Which?, said: “Dixons Carphone customers will be alarmed to hear about this massive data breach and will be asking why it has taken so long for the company to uncover the extent of its security failure.

“It is now critical that the company moves quickly to ensure those affected get clear information about what has happened and what steps they should take to protect themselves.

“Anyone concerned they could be at risk of fraud should consider changing their online passwords, monitor bank and other online accounts and be wary of emails regarding the breach as scammers may try and take advantage of it.”

Amnesty employee targeted with Israel spyware

An employee of global human rights group Amnesty International was targeted with Israeli-made surveillance software, the organisation revealed today. According to AP’s report, the disclosure adds “to a growing number of examples of Israeli technology being used to spy on human rights workers and opposition figures in the Middle East and beyond.”

In its report, Amnesty described how “a hacker tried to break into an unidentified staff member’s smartphone in early June by baiting the employee with a WhatsApp message about a protest in front of the Saudi Embassy in Washington.”

As reported by AP, Amnesty “said it traced the malicious link in the message to a network of sites tied to the NSO Group, an Israeli surveillance company implicated in a series of digital break-in attempts, including a campaign to compromise proponents of a soda tax in Mexico and an effort to hack into the phone of an Arab dissident that prompted an update to Apple’s operating system.”

“This is the new normal for human rights defenders,” said Joshua Franco, Amnesty’s head of technology and human rights.

Hackers took over a digital parking lot kiosk and connected to adult content websites

As Internet of Things (IoT) devices become more prevalent, so do the ways that hackers exploit them, according to the Darktrace 2018 Threat Report. In one instance, hackers took over a digital parking payment kiosk and connected it to websites featuring adult content. In another instance, hackers connected to industrial blenders, slicers and other connected devices on a food assembly line in an attempt to access the greater network.

In a recent incident, hackers took control of a digital parking kiosk and connected it to websites featuring adult content, according to researchers at the cybersecurity company Darktrace. The kiosk didn't actually display the content, which makes the stunt more confusing: If it wasn't for a weird prank, then why even bother? "It’s unknown what the attacker’s motive might have been," says Darktrace.

But it points to a worrisome trend, as Darktrace will reveal in its annual Threat Report, to be released on Wednesday, which highlights bizarre and unexpected ways that so-called black hat hackers attempt to subvert and infiltrate networks. The key takeaway is that if there's a flaw, hackers will find and exploit it.

"The incident exemplifies the vulnerabilities that IoT devices can pose and the need for comprehensive cyber defense across the entire digital infrastructure," the report says. Darktrace uses AI to identify unusual activity on a network, particularly involving unconventional connected devices.

Binary Options Firm blamed hackers for lost cash

A dodgy financial company that claimed to trade in binary options blamed hackers when money disappeared from customer accounts. But insolvency investigators discovered Eclipse Finance really offered customers unrealistically high returns with false and misleading claims, and found no evidence of binary options trading.

Binary options trading is a form of fixed-odds betting on the movements of financial markets – with a pay-out for guessing correctly and nothing for getting the call wrong. Eclipse was a scam set up in a London ‘virtual office’ that lied about the chances of winning to attract online customers from all over the world.

Insolvency Service investigators spoke to investors and found none won, but all had losses averaging £50,000 each. Total losses reported to fraud detectives added up to more than £600,000.

The High Court was told by insolvency investigators that “potential investors were subject to high pressure sales tactics with misrepresentations being made as to the returns that would be made on investments.

“Trading was then apparently carried out with investor funds without authorisation and monies were removed from investor accounts without authorisation.”

The company blamed the losses on hackers – twice. However, the investigating team could find no evidence of computer system intrusion. Other investors complained that their accounts were drained of cash without their permission, that no one at the company would explain why, and that most attempts to contact the firm went unanswered.

Student arrested in US for US$5 million crypto theft via SIM jacking

California police have arrested a college student who is suspected of having stolen US$5 million in bitcoin and other cryptocurrencies through a hacking technique known as ‘SIM jacking’. Tech news website Motherboard reported, citing court documents it obtained, that Joel Ortiz, a 20-year-old college student from Boston, has been accused of hijacking more than 40 phone numbers with the help of some accomplices.

Ortiz and his associates targeted people involved in the cryptocurrency and blockchain field, allegedly hacking several crypto investors, including some people who attended the blockchain conference Consensus in New York City this May. Ortiz was arrested at the Los Angeles International Airport while he was on his way to Europe, according to the report. He now faces 28 charges including 13 counts of identity theft, 13 counts of hacking, and two counts of grand theft.

Motherboard claimed that it is the first reported case against someone who allegedly used the so-called SIM swapping or SIM hijacking technique, which has been used to steal virtual currency. According to the publication, the attack consists of tricking a phone carrier’s security system into swapping the target’s phone number to a SIM card controlled by the criminal. The fraudsters then use the phone numbers to reset the victims’ passwords and break into their online accounts, of which cryptocurrency accounts are commonly targeted. In some cases, fraudsters can bypass the target account’s true two-factor authentication systems.

According to the Motherboard report, one of the attendees of the Consensus conference had more than US$1.5 million stolen. “According to court documents, Ortiz took control of the entrepreneur’s cell phone number, reset his Gmail password and then gained access to his cryptocurrency account,” the publication wrote.

 


 

Edited and compiled by

 

James Aguilan


Cyber Security Specialist

James Aguilan currently works as a Cybersecurity Researcher. He has provided upskilling and development to government agencies, national critical infrastructures and large corporations through the simulation of cyber-attacks and forensic investigation workshops. In the past, James worked as a Data Consultant, where he advised high-profile clients on how to handle their data in a civil litigation or criminal investigation. Notably, this includes the largest merger between two US powerhouse conglomerates, a deal worth $87 billion. He has also served as a Cybersecurity Consultant, where he would respond to incidents and perform full forensic investigations. James holds a first-class honours degree in Computer Forensics and is actively working towards a Masters in Network Security and Penetration Testing.