Cyber Security News 4th Week October 2016

  1. Indian-origin teenage hacker arrested for disrupting 911 service with a DDoS attack: An 18-year-old teen of Indian origin discovered an iOS vulnerability that could be exploited to manipulate devices, including triggering pop-ups, opening email, and abusing phone features. He posted links to his exploits on his Twitter account, which has a follower base of 12,000 people; everyone who clicked on the link had their iPhone hijacked into calling 911 non-stop. This disrupted 911 service in the state of Arizona. Authorities swung into action, traced the issue to the teen and arrested him.
  2. Hacker gets 18 months in prison for stealing celebrity nude photos: The hacker who stole nude photographs of female celebrities two years ago in a massive data breach — known as “The Fappening” or “Celebgate” scandal — has finally been sentenced to 18 months in federal prison. The hacker ran a phishing scheme between November 2012 and September 2014 and hijacked more than 100 identities using fake emails disguised as official notifications from Google and Apple, asking victims for their account credentials. Many of the compromised accounts belonged to famous female celebrities, including Jennifer Lawrence and Kim Kardashian.
  3. LinkedIn hacker also charged with Dropbox hacking: Last issue we discussed the arrest of the LinkedIn hacker in Prague. Now, US authorities have officially indicted the 29-year-old Russian national for hacking not just LinkedIn but also the online cloud storage platform Dropbox. The hacker remains in custody in Prague, Czech Republic. The FBI is waiting for a Czech court to decide on his extradition to the United States.
  4. Chinese IoT cameras used in the Dyn DDoS attack: We previously discussed the DDoS attack on DNS provider Dyn by an army of hacked IoT devices. A Chinese IoT firm has admitted its products inadvertently played a role in the massive cyber-attack against DynDNS. More such attacks are expected and will not stop until IoT manufacturers take the security of Internet-connected devices seriously. The company has rolled out patches and has advised its customers to update their products’ firmware and change the default credentials. The company also said it will recall up to 10,000 webcams.
  5. Mirai botnet that attacked Dyn is itself flawed: A botnet called Mirai was used in the Dyn DDoS attack. The author of the botnet released its source code, and a researcher found that the botnet itself contains several vulnerabilities that might be used against it to destroy the botnet’s DDoS capabilities and mitigate future attacks. The researcher has now released his exploit. The DDoS attack that hit French Internet service and hosting provider OVH with 1 Tbps of junk traffic, the largest DDoS attack known to date, also came from Mirai bots.
  6. Chinese hackers won $215k for hacking iPhone and Google Nexus at Mobile Pwn2Own: For hacking Apple’s iPhone 6S (running the latest iOS 10), the hackers exploited two iOS vulnerabilities – a use-after-free bug in the renderer and a memory corruption flaw in the sandbox – and stole pictures from the device, for which the team was awarded $52.5k. They won another $60k for installing an app on the iPhone, though it did not survive a reboot. For hacking the Nexus 6P, the hackers combined two vulnerabilities with other weaknesses in Android and managed to install a rogue application on the Google Nexus 6P phone without user interaction. They were awarded a whopping $102,500 for the Nexus 6P hack.
  7. AtomBombing is a design flaw in Windows that cannot be patched: Security researchers have discovered a new technique that could allow attackers to inject malicious code on every version of Microsoft’s Windows operating system, even Windows 10, in a manner that no existing anti-malware tools can detect. Dubbed “AtomBombing,” the technique does not exploit any vulnerability but abuses a design weakness in Windows. The AtomBombing attack abuses the system-level atom tables, a feature of Windows that allows applications to store strings, objects, and other types of data for regular access. Because this is a design issue rather than a bug, it cannot simply be patched.
  8. You can hijack nearly any drone mid-flight using this tiny gadget: A security researcher has devised a small hardware device, dubbed Icarus, that can hijack a variety of popular drones mid-flight, allowing attackers to lock the owner out and take complete control of the device. Besides drones, the gadget is capable of fully hijacking a wide variety of radio-controlled devices, including helicopters, cars, boats and other remote-control gear that run over the most popular wireless transmission control protocol, DSMx. The loophole relies on the fact that the DSMx protocol does not encrypt the ‘secret’ key that pairs a controller with the flying device.
  9. Now the iPhone can also be hacked with an image: Attackers can take over a vulnerable Apple iOS device remotely – all they have to do is trick the user into viewing a maliciously crafted JPEG graphic or PDF file, which could allow them to execute malicious code on the phone. That is a terrible flaw (CVE-2016-4673), but the good news is that Apple has released the latest version of its mobile operating system, iOS 10.1, for iPhones and iPads to address this remote-code-execution flaw, alongside an array of bug fixes. Users running older versions of iOS are advised to update their devices to iOS 10.1 as soon as possible. Last year, the Stagefright bug in Android allowed a hack via just a text message, and in the past we saw how an image could be used to hack unpatched Android devices.
  10. Big spike in cybercrime in India: The latest statistics released by the National Crime Records Bureau (NCRB) reflect a massive spike in cybercrime in India. Earlier we saw a “Pune-based Indian manufacturing company losing $175k”. Last week a few Hyderabad-based pharma companies fell victim to a typo-squatting attack when they received fake notices of a change in bank details in an email from what appeared to be their suppliers. They ended up sending huge sums of money to scammers instead of their suppliers. There are also cases where hackers compromised a company’s email servers and sent emails to its customers announcing a fake change in bank details to swindle money. These kinds of attacks are also called BEC – Business Email Compromise.
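One defensive check for the typo-squatting BEC pattern described in item 10, as an added example that is not part of the newsletter: score an inbound message on how close its sender domain is to a known supplier domain (a near-miss, not an exact match) and on whether its text announces new bank details, and hold such messages for out-of-band verification. The supplier domains and sample messages are constructed for illustration.

```python
"""Flag supplier look-alike sender domains in bank-change e-mail (added example, constructed data)."""
import re
from email.utils import parseaddr

# Constructed list of legitimate supplier domains (hypothetical names).
KNOWN_SUPPLIERS = {"acmechem.example", "pharmasupply.example"}

# Wording typical of the bank-change lure described in the newsletter.
BANK_CHANGE = re.compile(r"\b(new|changed?|updated?)\b.*\b(bank|account|beneficiary|iban|swift)\b", re.I)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def closest_supplier(domain: str) -> tuple:
    """Return (supplier, distance) for the known supplier domain nearest to domain."""
    return min(((s, edit_distance(domain, s)) for s in KNOWN_SUPPLIERS), key=lambda t: t[1])

def assess(msg: dict) -> dict:
    """Hold a message for out-of-band verification when the sender domain is a
    near-miss of a known supplier and the text announces new bank details."""
    _, addr = parseaddr(msg["from"])
    domain = addr.rsplit("@", 1)[-1].lower()
    supplier, dist = closest_supplier(domain)
    lookalike = 0 < dist <= 2  # close to a supplier domain, but not identical
    bank_change = bool(BANK_CHANGE.search(msg["subject"] + " " + msg["body"]))
    return {"domain": domain, "nearest": supplier, "distance": dist,
            "lookalike": lookalike, "bank_change": bank_change,
            "hold_for_review": lookalike and bank_change}

# Constructed sample messages (not real e-mail traffic).
SAMPLES = [
    {"from": "Accounts <ar@acmechem.example>", "subject": "Invoice 1042",
     "body": "Please find attached invoice 1042, payable in 30 days."},
    {"from": "Accounts <ar@acmechen.example>", "subject": "Updated bank details",
     "body": "We have changed our bank account; remit future payments to the new beneficiary."},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(assess(m))
```

The genuine invoice passes, while the one-character look-alike domain combined with bank-change wording is held; the distance threshold and keyword list are tuning knobs for a real mail pipeline.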