- Dropbox hacked: Hackers have obtained credentials for more than 68 million accounts of the online cloud storage platform Dropbox from a known 2012 data breach. Last week, Dropbox sent out emails alerting its users that a large chunk of user credentials obtained in the 2012 data breach may soon be seen on the Dark Web marketplace, prompting them to change their passwords if they hadn’t done so since mid-2012. Dropbox is the latest to join the list of “Mega-Breaches,” which includes LinkedIn, MySpace, VK.com and Tumblr.
- Kimpton Hotels hit by Point-of-Sale breach: Kimpton Hotels & Restaurants is alerting customers to a payment card breach at more than 60 of its hotels and restaurants that occurred between February 16 and July 7 of this year. The hotel chain said in a message on its website that it first got word of unauthorized charges on guests’ payment cards in mid-July. An ensuing investigation uncovered malware on PoS servers at the front desks and restaurants of some of its hotels. “The malware searched for track data read from the magnetic stripe of a payment card and routed it through the affected server.” Kimpton’s PoS woes follow those of Eddie Bauer and HEI Hotels & Resorts, which operates Marriott, Hyatt, Sheraton and Westin hotels.
- Music website hacked: The UK-based music website Last.fm was hacked in March 2012, and three months after the breach the company admitted to the incident and issued a warning encouraging its users to change their passwords. Now, four years later, the stolen data has surfaced in public. The leaked records include usernames, hashed passwords, email addresses, the date when a user signed up to the website, and ad-related data. Last.fm stored its users’ passwords using MD5 hashing, which was considered outdated even before 2012, and without any salt. (A salt is a random string added to each password before hashing, which makes the resulting hashes more difficult for hackers to crack.)
- St. Jude says Muddy Waters, MedSec video shows security feature, not flaw: St. Jude Medical is a medical device company that makes pacemakers. MedSec is a cyber security firm that specializes in security flaws in medical devices. Muddy Waters Research is a due-diligence-based investment firm. After a year of research, MedSec found that St. Jude’s products had severe issues. MedSec did not responsibly disclose its findings to St. Jude but instead joined hands with Muddy Waters to profit in the stock market from this information. St. Jude has refuted the allegations and issued a statement saying the supposed “flaw” was actually a “security feature.” If attacked, the pacemakers place themselves into a ‘safe’ mode to ensure the device continues to work.
- Double Whammy – Ransomware steals data before encrypting: Betabot is the first known weaponized password-stealing malware that also infects victims with ransomware in a second stage of attack. In many instances it is still able to evade detection. It uses the Neutrino exploit kit, which uses infected documents disguised as CVs to ask the victim to enable macros. If they do, the malware is able to steal login data and passwords from web browsers. The Trojan then downloads and installs the Cerber ransomware onto the victim’s computer, demanding that the user pay up in order to regain access to the compromised machine.
- ‘Guccifer’ gets 52-month jail term: Romanian hacker “Guccifer,” who pleaded guilty in May this year to hacking and identity theft involving around 100 high-profile Americans, has been sentenced to 52 months in prison by a US court. Guccifer hacked the email and social media accounts of his victims between October 2012 and January 2014 and made public confidential emails, photographs and private medical and financial data. He is not to be confused with Guccifer 2.0, the hacker behind the DNC hack.
- Suspect arrested for 2011 Linux Kernel Organization breach: In September 2011, the kernel.org site, which hosts the core development infrastructure behind the Linux kernel, was breached. For the last five years, few details about the attack were revealed and the attacker remained at large, until he was picked up during a traffic stop in Miami last week. The hacker had managed to steal the login credentials of one of the Linux Kernel Organization’s system administrators in 2011 and used them to install a hard-to-detect malware backdoor, dubbed Phalanx, on servers belonging to the organization. Using this backdoor, he installed malware on various Linux installations. He faces a possible sentence of 40 years in prison as well as $2 million in fines. Threat protection for Linux can help in such situations.
- California may soon treat ransomware as extortion: Ransomware may soon be regarded as a form of extortion in California once the legislation is approved by the governor. The bill, if passed, could land culprits in jail for two to four years. The move has received widespread support from different quarters that want ransomware attacks to be treated as a felony. The state’s law enforcement unit and the tech sector both support the legislation.
- SWIFT reveals new hacking attempts on member banks: SWIFT has revealed new hacking attempts on several member banks following its June disclosure of the $81-million Bangladesh Bank heist and is pushing members to comply with new safety features. “The threat is persistent, adaptive and sophisticated – and it is here to stay,” SWIFT told the banks. SWIFT members have been warned that failure to meet a November 19 deadline for installing the latest security software would be reported to banking regulatory bodies and partners.
- India registers 350 percent rise in cybercrime in last three years: According to a study, India saw a surge of approximately 350% in cybercrime cases registered under the Information Technology (IT) Act from 2011 to 2014. The Indian Computer Emergency Response Team (CERT-In) has also reported a surge in the number of incidents it handles, with close to 50,000 security incidents in 2015. Bangalore leads in the number of cybercrime cases: the city recorded 1,041 cybercrime cases in 2015, the highest among the country’s 53 mega cities and a 42% increase over the 2014 figures. State-wise data shows the worst states to be Maharashtra (2,195 cases) and Uttar Pradesh (2,208). Most cases relate to credit card fraud, email hacking and online cheating, including fake lottery scams. Use of technology and building awareness can reduce cybercrime.