
Monday, October 24, 2016

Millions of Hacked IoT Devices Broke the Internet


A massive Distributed Denial of Service (DDoS) attack against Dyn, a major domain name system (DNS) provider, broke large portions of the Internet on Friday, causing a significant outage to a ton of websites and services, including Twitter, GitHub, PayPal, Amazon, Reddit, Netflix, and Spotify.

But how did the attack happen? What was the cause behind it?


Exact details of the attack remain vague, but Dyn reported a huge army of hijacked internet-connected devices could be responsible for the massive attack.

Yes, the same method recently employed by hackers to carry out record-breaking DDoS attack of over 1 Tbps against France-based hosting provider OVH.


According to security intelligence firm Flashpoint, Mirai bots were detected driving much, but not necessarily all, of the traffic in the DDoS attacks against DynDNS.


Mirai is a piece of malware that targets Internet of Things (IoT) devices such as routers, security cameras and DVRs, and enslaves vast numbers of these compromised devices into a botnet, which is then used to conduct DDoS attacks.


Since the source code of the Mirai botnet has already been made available to the public, anyone can launch DDoS attacks against targets.


This time the attackers did not target an individual site; instead they attacked Dyn, which many sites and services use as their upstream DNS provider for turning human-readable domain names into Internet Protocol (IP) addresses.

The result we all know: major sites and services including Twitter, GitHub, Reddit, PayPal, Amazon, Airbnb, Netflix, Pinterest, and so on, were among hundreds of services rendered inaccessible to millions of people worldwide for several hours on Friday.


"Flashpoint has confirmed that at least some of the devices used in the Dyn DNS attacks are DVRs, further matching the technical indicators and tactics, techniques, and procedures associated with previous known Mirai botnet attacks," Flashpoint says in a blog post.

This type of attack is notable and concerning because it largely consists of unsecured IoT devices, whose numbers are growing exponentially. These devices are built in a way that makes them hard to update, and thus nearly impossible to secure.


Manufacturers focus mainly on the performance and usability of IoT devices but ignore security measures and encryption mechanisms, which is why these devices are routinely hacked and are widely becoming part of the DDoS botnets used as weapons in cyber attacks.


An online tracker of the Mirai botnet suggests there are more than 1.2 Million Mirai-infected devices on the Internet, with over 166,000 devices active right now.


In short, IoT botnets like Mirai are growing rapidly, and there is no easy way to stop them.


According to officials speaking to Reuters, the US Department of Homeland Security (DHS) and the FBI are both investigating the massive DDoS attacks hitting DynDNS, but neither agency has yet speculated on who might be behind them.

Popular DNS Provider Dyn Hit by DDoS - Major Sites Go Offline




Cyber attacks are becoming a worse nightmare for companies by the day, and the Distributed Denial of Service (DDoS) attack is one kind of attack that can cause massive damage to any service.


Recently, the Internet witnessed a record-breaking DDoS attack of over 1 Tbps against France-based hosting provider OVH, and now the latest victim of such an attack is none other than the DNS provider Dyn.

A sudden outage of popular sites and services, including Twitter, SoundCloud, Spotify, and Shopify, for many users is causing uproar online. It is the result of a DDoS attack against the popular Domain Name System (DNS) service provider Dyn, according to a post on Y Combinator.


DNS acts as the authoritative reference for mapping domain names to IP addresses. In other words, DNS is simply the Internet's phone book, resolving human-readable web addresses, like thehackernews.com, to IP addresses.


Dyn DNS is used by many websites and services as their upstream DNS provider, including Twitter, Spotify, SaneBox, Reddit, Box, Github, Zoho CRM, PayPal, Airbnb, Freshbooks, Wired.com, Pinterest, Heroku and Vox Media properties.
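The outage illustrates a dependency that is easy to overlook: if every authoritative nameserver for a zone belongs to one operator, that operator's outage takes the zone down once resolver caches expire. The following is an added example, not code from the original post or from Dyn, that takes `dig +short NS`-style output (constructed sample output here; the names are placeholders, not the real nameservers of any site named above) and flags zones that delegate to a single provider. It approximates a nameserver's provider as the last two labels of its hostname, which is an assumption that breaks on multi-label public suffixes such as co.uk.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed `dig +short NS <zone>` output for three hypothetical zones.
# These are placeholders, not the real nameservers of any real site.
CONSTRUCTED_NS_OUTPUT = {
    "single.example": """ns1.provider-a.example.
ns2.provider-a.example.
ns3.provider-a.example.
ns4.provider-a.example.""",
    "dual.example": """ns1.provider-a.example.
ns2.provider-a.example.
ns1.provider-b.example.
ns2.provider-b.example.""",
    "self.example": """ns1.self.example.
ns2.self.example.""",
}


def provider_of(nameserver: str) -> str:
    """Registrable domain of a nameserver, approximated as its last two labels.

    Assumption: no multi-label public suffixes (co.uk, com.au, ...) in the input.
    """
    labels = nameserver.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_ns(dig_output: str) -> List[str]:
    """One nameserver per non-empty line, as `dig +short NS` prints them."""
    return [line.strip() for line in dig_output.splitlines() if line.strip()]


def assess_zone(zone: str, nameservers: List[str]) -> Dict[str, object]:
    """Group the NS set by operator and flag single-operator delegations."""
    by_provider: Dict[str, List[str]] = defaultdict(list)
    for ns in nameservers:
        by_provider[provider_of(ns)].append(ns)
    providers = sorted(by_provider)
    return {
        "zone": zone,
        "providers": providers,
        # One operator for every NS: that operator's outage is this zone's outage.
        "single_provider": len(providers) == 1,
        # All nameservers live inside the zone itself (self-hosted, no external backup).
        "in_zone_only": providers == [provider_of(zone)],
    }


def assess_all(outputs: Dict[str, str] = CONSTRUCTED_NS_OUTPUT) -> Dict[str, Dict[str, object]]:
    return {zone: assess_zone(zone, parse_ns(out)) for zone, out in outputs.items()}


if __name__ == "__main__":
    for zone, result in assess_all().items():
        flag = "SINGLE PROVIDER" if result["single_provider"] else "ok"
        print(f"{zone}: {', '.join(result['providers'])} -> {flag}")
```

Feeding real `dig +short NS` output for your own zones into `parse_ns` turns this into a quick post-incident check; a zone that reports `single_provider` is a candidate for a secondary provider.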


All of these sites and services are reportedly experiencing outages and downtime, either completely or partially.

According to Dyn DNS, the DDoS started at 11:10 UTC and is mostly affecting its customers on the East Coast of the United States, specifically Managed DNS customers.

"We are aware of the ongoing service interruption of our Managed DNS network. For more information visit our status page," Dyn tweeted.
At the time, it's not clear who is behind this DDoS attack, but the company said its engineers are working on "mitigating" the issue.


Here's the statement posted by Dyn on its website:

"This attack is mainly impacting US East and is impacting Managed DNS customers in this region. Our Engineers are continuing to work on mitigating this issue.


Starting at 11:10 UTC on Friday, October 21st, 2016 we began monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure. Some customers may experience increased DNS query latency and delayed zone propagation during this time. Updates will be posted as information becomes available.


Customers with questions or concerns are encouraged to reach out to our Technical Support Team."
What websites are down for you? Let us know in the comments below.

Wednesday, August 3, 2016

Yahoo Hacked! Hackers Selling 200 Million Records on Dark Web



Hardly a day goes by without headlines about a significant data breach. In the past few months, over 1 billion account credentials from popular social network sites, including LinkedIn, Tumblr, MySpace and VK.com, were exposed on the Internet.



Now, the same hacker who was responsible for selling the data dumps for LinkedIn, MySpace, Tumblr and VK.com is selling what is said to be the login information of 200 million Yahoo! users on the Dark Web.



200 Million Yahoo! Logins for 3 BTC


The hacker, who goes by the pseudonym "Peace" or "peace_of_mind," has put 200 million Yahoo! credentials up for sale on an underground marketplace called The Real Deal for 3 Bitcoins (US$1,824).


Yahoo! admitted the company was "aware" of the potential leak, but did not confirm the authenticity of the data.



The leaked database includes usernames, MD5-hashed passwords and dates of birth for 200 million Yahoo! users. In some cases, there are also the backup email addresses used for the account, the country of origin, and the ZIP codes of United States users.



Easily Crackable Passwords


Since the passwords are hashed with unsalted MD5, attackers could easily recover them using one of the MD5 lookup services available online, leaving Yahoo! users exposed.
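Why unsalted MD5 counts as "easily crackable", and what the alternative looks like, as an added example that is not part of the original post and uses no data from the Yahoo! dump: the accounts, passwords and wordlist below are constructed. One precomputed table answers every MD5 record at once, and two users who chose the same password get the same hash; a salted, deliberately slow scheme (PBKDF2-HMAC-SHA256 from the standard library, with a per-user random salt) gives each record a distinct value that has to be attacked on its own.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample accounts with deliberately weak passwords (not real breach data).
CONSTRUCTED_USERS = {
    "alice@example.invalid": "sunshine",
    "bob@example.invalid": "letmein",
    "carol@example.invalid": "sunshine",  # same password as alice
}

# Tiny constructed wordlist standing in for the large public MD5 lookup tables.
CONSTRUCTED_WORDLIST = ["123456", "password", "sunshine", "letmein", "qwerty"]


def md5_record(password: str) -> str:
    """Legacy scheme described in the article: unsalted MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, slow scheme: PBKDF2-HMAC-SHA256 with a fresh 16-byte salt per record.

    Iteration count is a demo value; tune it to your hardware budget in production.
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def lookup_md5(records: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """One precomputed hash->word table resolves every unsalted record in one pass."""
    table = {md5_record(word): word for word in wordlist}
    return {user: table[h] for user, h in records.items() if h in table}


def compare_schemes(users=CONSTRUCTED_USERS, wordlist=CONSTRUCTED_WORDLIST) -> Dict[str, object]:
    md5_records = {u: md5_record(p) for u, p in users.items()}
    pbkdf2_records = {u: pbkdf2_record(p) for u, p in users.items()}
    alice, carol, bob = "alice@example.invalid", "carol@example.invalid", "bob@example.invalid"
    return {
        "md5_recovered": lookup_md5(md5_records, wordlist),
        # Shared password: identical MD5, but distinct PBKDF2 records thanks to the salt.
        "md5_same_hash": md5_records[alice] == md5_records[carol],
        "pbkdf2_same_hash": pbkdf2_records[alice] == pbkdf2_records[carol],
        "pbkdf2_verifies_correct": all(pbkdf2_verify(p, pbkdf2_records[u]) for u, p in users.items()),
        "wrong_password_verifies": pbkdf2_verify("wrong", pbkdf2_records[bob]),
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
```

The point of the comparison is the salt plus the work factor: the salt removes the shared-table shortcut, and the iteration count makes each remaining guess cost the attacker roughly what it costs the legitimate login.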



In a brief description, Peace says the Yahoo! database "most likely" comes from 2012, the same year when Marissa Mayer became Yahoo's CEO.



Just last week, Verizon acquired Yahoo! for $4.8 billion. So the hacker decided to monetize the stolen user accounts before the data loses its value.



When reached out, the company said in a statement:
"We are committed to protecting the security of our users' information and we take such claims very seriously. Our security team is working to determine the facts...we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms."

Use Password Managers to Secure Your Online Accounts


Although the company has not confirmed the breach, users are still advised to change their passwords (choosing a longer and stronger one, kept in a good password manager) and enable two-factor authentication for their online accounts immediately, especially if they use the same password for multiple websites.



You can also adopt a good password manager that allows you to create complex passwords for different sites as well as remember them for you.

We have listed some of the best password managers here; the list explains why a password manager matters and helps you choose a suitable one for your requirements.

Beware! Advertisers Are Tracking You via Mobile Battery Status



Is my smartphone battery leaking details about me?


Unfortunately, YES!


Forget about supercookies, apps, and malware; your smartphone battery status is enough to monitor your online activity, according to a new report.


In 2015, researchers from Stanford University demonstrated a way to track users' locations – with up to 90 percent accuracy – by measuring the battery usage of the phone over a certain time.


The latest threat is much worse.


Two security researchers, Steve Engelhard and Arvind Narayanan, from Princeton University, have published a paper describing how a phone's battery status has already been used to track users across different websites.


The issue is due to the Battery Status API (application programming interface).


How Does Battery Status API Help Advertisers Track You?


The battery status API was first introduced in HTML5 and had already shipped in browsers including Firefox, Chrome, and Opera by August last year.


The API is intended to allow site owners to see the percentage of battery life left on a laptop, tablet, or smartphone in an effort to deliver an energy-efficient version of their sites.


However, researchers warned last year that the API could turn your battery level into a "fingerprintable" tracking identifier.

The researchers found that a combination of battery life loss in seconds and battery life as a percentage offers 14 Million different combinations, potentially providing a pseudo-unique identifier for each device that can be used to pinpoint specific devices between sites they visit.


Now, last year's research has grown into a proper threat.



Advertisers Are Tracking You via your Battery Status


One of the researchers behind last year's warning, Lukasz Olejnik, has published a blog post this week saying that companies are currently leveraging the potential of this battery status information.

"Some companies may be analyzing the possibility of monetising the access to battery levels," he writes. "When a battery is running low, people might be prone to some - otherwise different - decisions. In such circumstances, users will agree to pay more for a service."
Olejnik highlighted the latest research by Engelhard and Narayanan, who discovered two tracking scripts running at large scale on the Internet that take advantage of the Battery Status API and are currently tracking users.


The duo explains that they observed the behavior of two actual scripts and suggested that companies and other entities are perhaps leveraging this technique for their own purposes.

"These features are combined with other identifying features used to fingerprint a device," the researchers write in their paper titled, "Online Tracking: A 1-million-site measurement and analysis."
For in-depth information, you can head on to the research paper [PDF].


Here comes the worst part of this attack:


There is hardly any way to mitigate this attack. Nothing works: deleting browser cookies or using VPNs and ad blockers will not solve the problem.


The only option is to plug your smartphone into the mains.

Over two months ago, Uber's head of economic research Keith Chen said the company had been monitoring the battery life of its users, as it knows users are more likely to pay a much higher price to hire a cab when their phone's battery is close to dying.

Tuesday, July 26, 2016

Hacker Downloaded Vine's Entire Source Code



Vine is a short-form video sharing service where people can share 6-second-long looping video clips. Twitter acquired the service in October 2012.



Indian bug bounty hunter Avinash discovered a loophole in Vine that allowed him to download a Docker image containing the complete source code of Vine without any hassle.



Launched in June 2014, Docker is a new open-source container technology that makes it possible to run more apps on the same old servers and also makes programs very easy to package and ship. Companies are now adopting Docker at a remarkable rate.



However, the Docker image used by Vine, which was supposed to be private, was actually available publicly online.



While searching for vulnerabilities in Vine, Avinash used Censys.io – a new hacker's search engine similar to Shodan – which scans the whole Internet daily for vulnerable devices.



Using Censys, Avinash found over 80 Docker images, but he specifically downloaded 'vinewww', because the name of this image resembles the www folder that is generally used for the website on a web server.


After the download was complete, he ran the Docker image vinewww, and bingo!

The bug hunter was able to see the entire source code of Vine, its API keys as well as third-party keys and secrets. "Even running the image without any parameter, was letting me host a replica of VINE locally," he wrote.



The 23-year-old reported this blunder and demonstrated full exploitation to Twitter on 31 March and the company rewarded him with $10,080 Bounty award and fixed the issue within 5 minutes.



Avinash has been an active bug bounty hunter since 2015 and until now has reported 19 vulnerabilities to Twitter.


Wednesday, July 13, 2016

Warning: Millions of Xiaomi Phones Vulnerable to Remote Hacking



Millions of Xiaomi smartphones are vulnerable to a dangerous remote code execution (RCE) vulnerability that could grant attackers complete control of handsets.


The vulnerability, now patched, exists in MIUI – Xiaomi's own implementation of the Android operating system – in versions prior to MIUI Global Stable 7.2 which is based on Android 6.0.


The flaw, discovered by IBM X-Force researcher David Kaplan, potentially allows attackers with privileged network access, such as on cafe Wi-Fi, to install malware remotely on the affected devices and fully compromise them.


Researchers found an analytics package bundled in some MIUI apps that can be abused to deliver malicious ROM updates remotely through a man-in-the-middle attack.


"The vulnerability we discovered allows for a man-in-the-middle attacker to execute arbitrary code as the highly privileged Android 'system' user," researchers say.

Researchers say they discovered vulnerable analytics packages in at least four default apps provided by Xiaomi in its MIUI distributions, one of those apps being the default browser app.


The flaw allows an attacker to inject a JSON response that forces an update, replacing the download link and MD5 hash with those of a malicious Android application package, whose code is then executed at the system level.



Since there is no cryptographic verification of the update code, the analytics package (com.xiaomi.analytics) will replace itself with "the attacker-supplied version via Android's DexClassLoader mechanism."


In other words, the analytics package neither uses HTTPS to query the update server for updates, nor does it download the package over HTTPS, thus allowing attackers to modify the updates.
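The root cause described above is integrity without authenticity: the MD5 travels in the same unauthenticated response as the link, so whoever rewrites one rewrites the other. The following is an added example, not Xiaomi's code or IBM X-Force's, contrasting that pattern with an updater that verifies a signed manifest under a key pinned on the device before checking the package digest. Everything in it is constructed: the key, the URLs and the byte strings standing in for packages. A production updater would pin a vendor public key and verify an asymmetric signature; HMAC-SHA256 with a device-provisioned key stands in here so the example runs on the standard library alone.

```python
import hashlib
import hmac
import json
from typing import Any, Dict

# Constructed verification key provisioned on the device. In production this would be
# a pinned vendor public key checked with an asymmetric signature, not a shared secret.
PINNED_KEY = b"constructed-demo-verification-key"

# Constructed byte strings standing in for the vendor's update and an attacker's package.
GENUINE_PACKAGE = b"constructed bytes standing in for the vendor analytics update"
ATTACKER_PACKAGE = b"constructed bytes standing in for a malicious package"


def _canonical(body: Dict[str, str]) -> bytes:
    """Deterministic JSON encoding so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def vendor_sign_manifest(url: str, package: bytes) -> Dict[str, Any]:
    """Vendor side: the signed manifest binds the download URL to the package digest."""
    body = {"url": url, "sha256": hashlib.sha256(package).hexdigest()}
    sig = hmac.new(PINNED_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def insecure_accept(response: Dict[str, str], package: bytes) -> bool:
    """The pattern the article describes: a plaintext JSON response carries a link and
    an MD5, and the device compares the download against that MD5. An on-path attacker
    rewrites both fields, so this only ever detects accidental transfer corruption."""
    return hashlib.md5(package).hexdigest() == response["md5"]


def secure_accept(manifest: Dict[str, Any], package: bytes) -> bool:
    """Verify the manifest signature under the pinned key first, then the package
    digest named in the signed body. Nothing is loaded unless both checks pass."""
    expected = hmac.new(PINNED_KEY, _canonical(manifest["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(manifest["sig"])):
        return False
    actual = hashlib.sha256(package).hexdigest()
    return hmac.compare_digest(actual, manifest["body"]["sha256"])


def simulate() -> Dict[str, bool]:
    genuine = vendor_sign_manifest("https://updates.vendor.invalid/analytics.apk", GENUINE_PACKAGE)

    # Attacker on the network path rewrites link and MD5 in the unauthenticated response.
    tampered_legacy = {
        "url": "http://attacker.invalid/evil.apk",
        "md5": hashlib.md5(ATTACKER_PACKAGE).hexdigest(),
    }
    # Same edit against the signed manifest: the body changes but the signature cannot.
    tampered_signed = {
        "body": {"url": "http://attacker.invalid/evil.apk",
                 "sha256": hashlib.sha256(ATTACKER_PACKAGE).hexdigest()},
        "sig": genuine["sig"],
    }
    return {
        "legacy_accepts_attacker_package": insecure_accept(tampered_legacy, ATTACKER_PACKAGE),
        "signed_accepts_genuine": secure_accept(genuine, GENUINE_PACKAGE),
        "signed_rejects_edited_manifest": not secure_accept(tampered_signed, ATTACKER_PACKAGE),
        "signed_rejects_swapped_package": not secure_accept(genuine, ATTACKER_PACKAGE),
    }


if __name__ == "__main__":
    for check, outcome in simulate().items():
        print(f"{check}: {outcome}")
```

Transport security (HTTPS with a pinned certificate) and manifest signing address different failures: HTTPS stops the on-path rewrite the article describes, while the signature also protects against a compromised or misconfigured update server, which is why updaters should do both.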


The custom ROM ships on devices manufactured by Xiaomi – the world's third largest smartphone maker, with over 70 million devices shipped last year alone – and is also ported to over 340 different handsets, including Nexus, Samsung, and HTC models.


Since the company has patched the flaw and released an over-the-air update, users are strongly recommended to update their firmware to version 7.2 as soon as possible to ensure they are not vulnerable to this issue, which plagues millions of Xiaomi devices.