Rs 500, 10 minutes, and you have access to billion Aadhaar details
It was only last November that the UIDAI asserted that “Aadhaar data is fully safe and secure and there has been no data leak or breach at UIDAI.” Today, The Tribune “purchased” a service being offered by anonymous sellers over WhatsApp that provided unrestricted access to details for any of the more than 1 billion Aadhaar numbers created in India thus far. Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI (Unique Identification Authority of India), including name, address, postal code (PIN), photo, phone number and email. What is more, The Tribune team paid another Rs 300, for which the agent provided “software” that could facilitate the printing of the Aadhaar card after entering the Aadhaar number of any individual. The hackers seemed to have gained access to the website of the Government of Rajasthan, as the “software” provided access to “aadhaar. in”, through which one could access and print Aadhaar cards of any Indian citizen.

These groups targeted over 3 lakh village-level enterprise (VLE) operators hired by the Ministry of Electronics and Information Technology (ME&IT) under the Common Service Centres Scheme (CSCS) across India, offering them access to UIDAI data. CSCS operators, who were initially entrusted with the task of making Aadhaar cards across India, were rendered idle after the job was withdrawn from them. Spotting an opportunity to make a quick buck, more than one lakh VLEs are now suspected to have gained this illegal access to UIDAI data to provide “Aadhaar services” to common people for a charge, including the printing of Aadhaar cards. However, in the wrong hands, this access could provide an opportunity for gross misuse of the data.
Hackers can figure out your phone’s PIN code using just its sensor data
Researchers have found a way that hackers could exploit phone sensors to crack its PIN code (iStock)

Security researchers have discovered a brand new method that hackers can potentially use to unlock and compromise a user’s smartphone using just the device’s sensors. According to researchers at Nanyang Technological University (NTU) in Singapore, information gathered from six different sensors in smartphones, paired with machine learning and deep learning algorithms, could be used to unlock Android smartphones within only three tries. The researchers used six sensors to identify a smartphone’s 4-digit number sequence, including the magnetometer, accelerometer, ambient light sensor, gyroscope, proximity sensor and barometer. “When you hold your phone and key in the PIN, the way the phone moves when you press 1, 5, or 9, is very different.”

Hackers could potentially install a malicious app that may not get it right on the first try, but could eventually guess a user’s PIN code using machine learning. “While a malicious application may not be able to correctly guess a PIN immediately after installation, using machine learning, it could collect data from thousands of users over time from each of their phones to learn their PIN entry pattern and then launch an attack later when the success rate is much higher,” researchers noted. For example, sensors that are accessible without user permissions, so-called zero-permission sensors, may be exploited by an attacker without the knowledge of the user. “Along with the potential for leaking passwords, we are concerned that access to phone sensor information could reveal far too much about a user’s behaviour.” Researchers have called for the mobile OS to restrict access to the six vulnerable sensors in the future and give users the ability to choose to give permissions to trusted apps that require them.
Popular Chrome extension with over 105,000 users found secretly mining cryptocurrency
The Archive Poster extension was found secretly mining Monero via the Chrome browser (File photo: Dado Ruvic/Reuters)

The year 2017 has been a watershed one for cryptocurrency as its value, interest and acceptance continued to surge in recent months, both for legitimate and nefarious actors. Looking to tap into the growing market, several websites have been caught hijacking users’ computer resources to secretly mine digital currency without their knowledge or permission. Now, a popular Chrome extension with over 105,000 users has been found running the in-browser cryptocurrency miner Coinhive, which covertly hijacks visitors’ CPU processing power to mine Monero.

According to Bleeping Computer, Archive Poster — an extension that allows Tumblr users to reblog or report from other websites — was found running Coinhive, with a number of users reporting significant spikes in their CPU usage. Extension users reported observing the change around the beginning of December and have bombarded the Chrome web store with bad reviews. “In the meantime we have alerted the users to use a safe version of the extension on a different link.”

Over the past few months, The Pirate Bay, Showtime, Starbucks, Politifact and UFC’s website were found running cryptocurrency miners such as Coinhive without users’ express consent. He recently reported that telecom firm Movistar’s official website was found hosting Coinhive as well. Besides PCs and websites, hackers have also targeted Android apps and Facebook Messenger to generate cryptocurrency. Coinhive was also targeted by hackers in October, who hijacked its server, tweaked its settings and briefly redirected generated cryptocurrency to a third-party server.
Forever 21 hack: Customers’ payment card details left exposed to hackers throughout most of 2017
Forever 21 said a number of PoS devices at some of its stores in the US were infected with malware (Dimitrios Kambouris/Getty Images for Forever 21)

Fashion retailer Forever 21 has confirmed that customers’ payment card information may have been stolen over seven months this year after its point-of-sale terminals in numerous stores across the US were breached by hackers. In an updated notification to customers, the company recently said hackers managed to install malicious software on some PoS devices at some of its stores at varying times between 3 April and 18 November. “The malware searched only for track data read from a payment card as it was being routed through the POS device,” the firm said. “In most instances, the malware only found track data that did not have cardholder name – only card number, expiration date, and internal verification code – but occasionally the cardholder name was found.”

Forever 21 did not specify how many stores were affected by the attack and only said that not all terminals in every affected store were infected with malware. “Each Forever 21 store has multiple POS devices, and in most instances, only one or a few of the POS devices were involved,” the company said. The company added that malware was also installed on these log devices in some affected stores to steal customers’ payment card data. “If encryption was off on a POS device prior to April 3, 2017, and that data was still present in the log file at one of these stores, the malware could have found that data.”

“Forever 21 stores outside of the US have different payment processing systems, and our investigation is ongoing to determine if any of these stores are involved,” the company said, noting that payment cards used on Forever 21’s website were not affected in the breach.
Exmo hack: UK Bitcoin exchange hit with DDoS attack days after lead analyst was kidnapped
The Bitcoin exchange was hacked just days after one of Exmo’s leading analysts, a blockchain expert named Pavel Lerner, was kidnapped in Kiev while he was leaving his office (iStock)

A UK-based Bitcoin exchange called Exmo was hit by hackers with what appears to be a targeted DDoS attack on 28 December (Thursday). The hack, which Exmo confirmed in a post on Twitter, briefly shut down the exchange’s site. “EXMO is under the DDoS attack.” At the time of writing, Exmo’s site was back up online, indicating that the DDoS attack has likely been mitigated.

The Bitcoin exchange was hacked just days after one of Exmo’s leading analysts, a blockchain expert named Pavel Lerner, was kidnapped in Kiev while he was leaving his office, according to local reports. Exmo’s official statement on Lerner’s kidnapping says that a group of unknown masked men snatched Lerner off the street on 26 December. Exmo says that it had no contact with Lerner until he was finally found on 29 December. “Nevertheless, Pavel is currently in a state of major stress, therefore, he will not provide any official comments in the coming days,” Exmo said in a statement. Exmo said Lerner’s kidnapping is currently being investigated by the authorities. It is still unclear if the DDoS attack launched against the firm has any connection to the kidnapping.
Homeland Security data breach: Sensitive information of over 240,000 employees and case witnesses exposed
The US Department of Homeland Security has suffered a data breach exposing sensitive, personally identifiable information of more than 240,000 former and current employees. The breach affected 247,167 people employed by the DHS in 2014, along with subjects, witnesses, and complainants associated with DHS OIG investigations from 2002 through 2014, the department said. In May 2017, the department discovered, in the course of an ongoing criminal investigation, that an unauthorised copy of the files was in the possession of a former DHS OIG employee. The DHS emphasised that the incident was not the result of a cyber attack by nefarious threat actors and that the affected individuals’ personal information was not the primary target of the breach.

For affected individuals associated with DHS OIG investigations, names, Social Security numbers, alien registration numbers, dates of birth, email addresses, phone numbers, addresses and other personal information provided in interviews with DHS agents were compromised. “This file did not include any information about employees’ spouses, children, family members and/or close associates,” the DHS said. It has asked people involved in DHS OIG investigations between 2002 and 2014 to reach out to the department. However, the department is unable to directly notify other individuals affected by the breach due to “technological limitations”. “The investigation was complex given its close connection to an ongoing criminal investigation,” the DHS said in a statement.

“The Department of Homeland Security takes very seriously the obligation to serve the Department’s employees and is committed to protecting the information in which they are entrusted,” DHS Chief Privacy Officer Phillip Kaplan said.
Hundreds of Android apps found covertly using your phone’s microphone to track your TV habits
Some smartphone games have been found using software that uses your device’s microphone to track users’ TV watching habits and collect data for advertisers. According to a recent New York Times report, more than 250 games on the Google Play Store use software from a company called Alphonso that uses the smartphone’s mic to listen for audio signals in TV ads and shows.

Dream Run app on the Google Play Store was found integrating the Alphonso software (Google Play)

A simple search for “Alphonso software” and “Alphonso automated” on the Play Store yields numerous apps that integrate the software. One game called “Dream Run” by Dumadu Games – which has been downloaded and installed by about 5000 to 10,000 users – discloses under a “Read More” button that it is integrated with Alphonso Automated Content Recognition (ACR) software. “With your permission provided at the time of downloading the app, the ACR software receives short duration audio samples from the microphone on your device,” the disclosure reads. “Access to the microphone is allowed only with your consent, and the audio samples do not leave your device but are instead hashed into digital ‘audio signatures.’”

Both Apple and Google require apps to get explicit permission from users in order to access certain phone features such as the camera, microphone, location, photo gallery and more. Although the software’s activities are creepy, some of the apps do disclose its tracking of “TV viewership details” in their descriptions under the “read more” button and software use policies. However, most users don’t usually read the disclosure and are often unaware they have agreed to let the app access their phone’s microphone. He added that the firm does not approve of its software being used in apps targeting children.

The revelation does seem to echo the years-long conspiracy theory that apps by major tech giants such as Facebook tap into users’ smartphone mics to secretly listen in on conversations and offer up relevant ads.
MacOS zero-day: 15-year-old Apple root access bug was publicly released on the last day of 2017
A 15-year-old unpatched MacOS vulnerability was publicly released on New Year’s Eve by a security researcher. The zero-day flaw allows hackers root access to targeted Macs and can be easily exploited, according to a security researcher going by the pseudonym Siguza, who posted the Apple bug on Twitter on 31 December. The bug can also affect Apple’s security programs such as the System Integrity Protection (SIP) and Apple Mobile File Integrity (AMFI), allowing hackers to disable both programs. “Full system compromise,” the security researcher wrote. Since Siguza did not alert Apple prior to releasing the bug, it remains unpatched at the moment.

2017 saw multiple instances of security researchers publicly releasing Apple bugs, which are considered to be rare in the infosec community and often fetch a substantial sum of money if sold to third parties. When a Twitter user asked Siguza why he chose to publicly release the MacOS bug instead of selling it, Siguza responded: “My primary goal was to get the write-up out for people to read. I would’ve submitted to Apple if their bug bounty included macOS, or if the vuln was remotely exploitable. But if I wanted to watch the world burn, I would be writing 0-day ransomware rather than write-ups. Happy New Year, everyone,” Siguza wrote, posting a GitHub link to the proof-of-concept code.
Hackers have posted the malware code behind Satori botnet for free on Pastebin
Hackers have publicly posted the working code that exploits a zero-day vulnerability in a Huawei router model for free on Pastebin, security researchers have discovered. According to NewSky Security, the malware targets CVE-2017-17215, which is a vulnerability in Huawei HG532 devices and has already been weaponised in two botnet attacks, including Satori and Brickerbot. Huawei has already released a security patch to protect its devices against the remote code execution vulnerability.

“The proof of concept code was not made public to prevent attackers from abusing it,” Ankit Anubhav, principal researcher at NewSky Security, wrote in a blog post. “However, with the release of the full code now by the threat actor, we expect its usage in more cases by script kiddies and copy-paste botnet masters.” The security firm added that it found the usage of the same exploit when analysing snippets of the Brickerbot source code in December, implying that the code has been in the hands of nefarious threat actors for a while now. Prior to the Huawei bug, NewSky Security had already observed the leakage of a NetGear router exploit (aka NbotLoader), which led to that code being integrated in the well-known botnet Qbot.

NewSky Security further warned, “When an IoT exploit becomes freely available, it hardly takes much time for threat actors to up their arsenal and implement the exploit as one of the attack vectors in their botnet code.” NewSky Security has not shared the link to the leaked working code to prevent it from being misused by threat actors. Researchers have warned that the public release of the code will soon see other cybercriminals taking advantage of the exploit to carry out crippling distributed denial-of-service (DDoS) attacks in the future.
Watch out for this new Android malware that poses as Uber to steal passwords
Android users should be on alert for a new malware variant which is posing as popular ride-hailing app Uber in an attempt to steal passwords, security researchers warn. Experts from Symantec, a US-based cybersecurity company, said in a blog post published Wednesday (3 January) that they had discovered a new strain of the “FakeApp” malware, which was recently observed using a “quite novel and different monetisation technique”.

“To avoid alarming the user, the malware displays a screen of the legitimate app that shows the user’s current location, which would not normally arouse suspicion because that’s what’s expected of the actual app,” explained Symantec threat expert Dinesh Venkatesan. “To show the said screen, the malware uses the deep link URL of the legitimate app that starts the app’s Ride Request activity, with the current location of the victim preloaded as the pickup point.” “This case again demonstrates malware authors’ neverending quest for finding new social engineering techniques to trick and steal from unwitting users,” Venkatesan wrote. According to Venkatesan, the FakeApp malware should now be “of particular concern to Uber users”.

On the dark web, an underground internet which is used by hackers to sell stolen credentials, login details are commonplace – and as a result, cheap. In an email to The Daily Beast, an Uber spokesperson said: “We recommend only downloading apps from trusted sources.” The public relations contact said that systems were already in place to help users “detect and block” unauthorised login attempts using hijacked passwords.

Symantec said there are a number of steps Android users can take to stay protected:
- Keep software up to date
- Refrain from downloading apps from unfamiliar sites
- Pay close attention to the permissions requested by apps
- Make frequent backups of important data