Cyber Pulse: Edition 42

Read the latest edition of Cyber Pulse, our roundup of Cyber news.


23 November 2018

Amazon Inadvertently Leaked Customer Information

A technical error on Amazon inadvertently revealed the names and email addresses of customers, according to an email sent to affected users in the US and UK on Tuesday. While Amazon said the exposure was not a breach of the website or any of its systems, the company did not reveal how many customers were affected or share details on what the technical error was. The scope of the security lapse and who obtained the data remain unknown, so it is a very good idea to secure your Amazon account immediately. “Disclosure of email addresses alone exposes consumers to increased risk of brute-force hacking attempts, and targeted phishing attacks,” said Travis Jarae, CEO of data research firm One World Identity. Jarae also advised that consumers still change their passwords, and “remember to avoid using the same password across multiple websites, and to never enter account password information into links opened directly from emails.” An email Amazon sent to customers said, “The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.” In a statement to BuzzFeed News, an Amazon spokesperson confirmed the leak and wrote, “We have fixed the issue and informed customers who may have been impacted.” The full details aren’t known, and it’s a good idea to secure your Amazon account anyway — Amazon account hacking is more common than you might think.

Top tips to secure your account:

  • Amazon recommends users change their password every one to two months.
  • Set up a password manager app on your phone.
  • Next, use the password manager app to generate a strong password for your Amazon account.
  • Then, download an authenticator app, which you’ll need for the next step.
  • On Amazon, enable two-factor authentication.

3 New Code Execution Flaws Discovered in Atlantis Word Processor

Cybersecurity researchers at Cisco Talos have once again discovered multiple critical security vulnerabilities in the Atlantis Word Processor that allow remote attackers to execute arbitrary code and take over affected computers. An alternative to Microsoft Word, Atlantis Word Processor is a fast-loading word processor application that allows users to create, read and edit Word documents effortlessly. Just 50 days after disclosing 8 code execution vulnerabilities in previous versions of Atlantis Word Processor, the Talos team today revealed details and proof-of-concept exploits for 3 more remote code execution vulnerabilities in the application. All three vulnerabilities allow attackers to corrupt the application's memory and execute arbitrary code in the context of the application. They affect Atlantis Word Processor versions 3.2.7.1 and 3.2.7.2, and can be exploited by convincing a victim to open a specially crafted, booby-trapped document. Talos researchers responsibly reported all the vulnerabilities to the developers of the affected software, who have now released an updated version, 3.2.10.1, that addresses the issues. The easiest way to avoid becoming a victim of attacks leveraging such vulnerabilities is never to open any document attached to an email from unknown or untrusted sources.

York council app exposes personal details of nearly 6,000 residents

An app made by York council to inform residents about bin collections has exposed the personal details of nearly 6,000 residents. The One Planet York app, which also gives advice about local recycling, revealed the names, addresses and passwords of residents who use the app. City of York Council said on Monday that it was not sure what the hackers had done with the personal data, but said that it was "deeply" sorry for the breach taking place. The council said a hacker contacted them in November to say they had found a way to access the personal data of the app’s users. A letter from the council to app users reads: "We value your privacy and deeply regret this incident occurred. We have conducted a thorough review of the One Planet York app, we have deleted all links with the app and as a result, will no longer support it going forward. We have deleted it from our website and asked for it to be removed from the app stores and ask that you now delete it from your device." The council suggested the hacker was “someone who looks for data vulnerabilities in the public interest”. The incident has been reported to the Information Commissioner's Office (ICO), the UK’s data watchdog, which will now carry out an investigation into the breach. There were 5,994 data records on the app, all of which could have been accessed by the hacker, said the council. The issue was investigated by Appware, the developers of the app, and within three hours of being notified of the vulnerability, the app and its servers were taken down to prevent a further breach. Ian Floyd, City of York Council deputy chief executive, said: “The council immediately undertook a controlled investigation to fully understand the nature of the breached data. As a result of this investigation, a decision was taken not to reinstate the app and the council wrote to all the app users asking them to remove the app from their devices and check passwords in line with good practice.”

More Than 6,500 Dark Web Sites Erased By Hackers

One of the largest hosting services for the ‘Dark Web’ Tor network has had its entire roster of more than 6,500 sites erased in an attack, the service has confirmed. Daniel’s Hosting, operated by German Daniel Winzen, hosted a wide variety of Onion websites, which operate on the Tor, or The Onion Router, network. Tor is designed to protect the anonymity of web users, and the services on Daniel’s Hosting ranged from fan fiction to malware, web marketplaces and drop sites for whistleblowers. The wide range of sites may mean an equally diverse selection of possible culprits. As yet Winzen said he has not determined the source of the attack or how it was carried out. He said an unknown user logged into the hosting server on Thursday, 15 November and deleted all accounts. “There is no way to recover from this breach, all data is gone,” Winzen wrote in a message on the service’s main portal. He said he is planning to re-enable the hosting service once the vulnerability has been found and patched, possibly next month. Winzen’s service is thought to be one of the largest on the Tor network, if not the largest. It took over the top spot after the previous largest provider, Freedom Hosting II, was taken offline by the Anonymous hacker collective in February of last year. Thus far there has been no indication that Anonymous was behind last week’s attack. Winzen said he had identified a flaw in the service’s underlying code related to a newly discovered and as-yet unpatched PHP flaw. The flaw came to wider notice last Wednesday, a day before Daniel’s Hosting was taken offline. But Winzen said the way the service was configured shouldn’t have allowed that flaw to have such a broad effect. As such, he said, he isn’t convinced the PHP flaw was the primary vulnerability used in the attack. “Commands run by this vulnerability shouldn’t have had the necessary permissions,” he told ZDNet. He said the attack could be an opportunity to “improve some bad design choices of the past and start with an all new and improved setup”. In the past, Tor has become known for its use by websites selling contraband ranging from illegal drugs to firearms, with the Silk Road marketplace being the most famous example.

Electric scooters potentially unsafe to ride as they suffer from poor security

Matthew Garrett, who works for Google, showed how easily e-scooters, such as those operated by Lime, can be unlocked without authorisation and their riders tracked, at the Kiwicon IT security conference in Wellington. Garrett found much of the information he needed for this in the Java-based Android apps that users run on their smartphones to rent scooters from multiple vendors. He was also able to query the servers the apps connected to over the internet for further information, without access restrictions. In the process, Garrett discovered that the same six-digit unlock code works for all scooters of a particular brand. With this knowledge, anyone with moderate technical skills can use the scooters without paying. Since the Global Positioning System (GPS) tracking device on e-scooters is independent of their digital management systems, all that the rental company would see remotely are two-wheelers zooming around supposedly without any riders on them. Unauthorised access to the management system on e-scooters could also be abused to switch them off while riders use them, or to manipulate the accelerators, with potentially disastrous consequences. There are privacy impacts as well from the poor security of the e-scooters' management system. Renters' rides can be silently tracked in real time, as the servers can be queried for, and will reveal, the GPS-reported location of e-scooters to anyone. This can be done at scale as well: Garrett was able to issue over a million queries to the servers for e-scooter information before the servers limited the number of requests. Tracking and mapping riders can be done globally, in all the countries a company is active in.

Real Identity of Hacker Who Sold LinkedIn, Dropbox Databases Revealed

The real identity of Tessa88, the notorious hacker tied to several high-profile cyber attacks including the LinkedIn, Dropbox and MySpace mega breaches, has been revealed as Maksim Vladimirovich Donakov, a resident of Penza, Russian Federation. In early 2016, a hacker with the pseudonym Tessa88 emerged online offering stolen databases from some of the biggest social media websites in the world for sale in various underground hacking forums. The stolen data, taken years earlier from several social media sites, included more than half a billion username and password combinations, which were then used in phishing, account takeover, and other cyber attacks. Though Tessa88's profile was active for only a few months between February and May 2016, OPSEC analysis revealed that the same person had been involved in various cybercriminal activities since as early as 2012 under different aliases, including Paranoy777, tarakan72511, stervasgoa, janer93 and Daykalif. Researchers with US-based threat intelligence firm Recorded Future's Insikt Group used a combination of their own data, dark web activity, and multiple chats and email accounts associated with Tessa88 to find a connection between his other online aliases, and collected information from publicly available sources to unveil his true identity. After exploring several confidential sources, Penza records, and a Russian crime database, researchers identified Tessa88 as Maksim Vladimirovich Donakov, whose persona matches the YouTube username 'Donakov', a Mitsubishi Lancer, and the person shown in an Imgur picture.

Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.

Edited and compiled by

James Aguilan

Cyber Security Specialist

James Aguilan currently works as a Cybersecurity Researcher. He has provided upskilling and development to government agencies, national critical infrastructure operators and large corporations through cyber-attack simulation and forensic investigation workshops. In the past, James worked as a Data Consultant, where he advised high-profile clients on how to handle their data in a civil litigation or criminal investigation. Notably, this includes the largest merger between two US powerhouse conglomerates, a deal worth $87 billion. Additionally, he has also served as a Cybersecurity Consultant, responding to incidents and performing full forensic investigations. James holds a first-class honours degree in Computer Forensics and is actively working towards a Masters in Network Security and Penetration Testing.