Sunday, 26 February 2017

Microsoft opens Cybersecurity Engagement Center in Mexico

Microsoft has announced the opening of what it calls a Cybersecurity Engagement Center in Mexico. This will join the Transparency and Cybersecurity Center for Asia-Pacific, as well as the one in India, and its Redmond Cybercrime Center.
The complex, based in the country's capital city, will serve Mexico as well as other Latin American countries, in an effort to use technology, experience, and services to protect citizens and companies from an array of cyber threats.
As highlighted in the post, some of the main objectives of this facility are:
  • Taking advantage of Microsoft’s proactive role in matters of fighting cybercrime, particularly in the dismantling of criminal organizations that operate through Botnet schemes
  • Allowing cybersecurity experts from Mexico and elsewhere in Latin America to work with Microsoft specialists to fight cybercrime together
  • Acting as a headquarters for the development of training activities in order to support the building and strengthening of technical capabilities; these activities are geared toward authorities and the public sector
According to Jean-Philippe Courtois, Executive VP and President, Microsoft Global Sales, Marketing and Operations, this newly opened complex will work in tandem with the software giant's Redmond-based Cybercrime Center opened back in 2013. The Cybercrime Center was unveiled after the merger of the digital crimes and software piracy teams, which employed 30 staff at the time, collaborating with over 70 individuals worldwide to locate and fight hacker threats and malware.
Microsoft stated it is committed to invest in Latin America, by bringing over its cybersecurity capabilities to help governments identify "current threats that affect the economy’s prosperity". To make good on its promise, the company will use its "robust and trustworthy cloud computing" platform to fight cyber threats, as it has done in the past.
In concert with the opening of the facility, a Government Security Program was signed between the Redmond giant and the Federal Police (representing the Mexican government) to promote IT security. What this does is it gives participating authorities "access to the source code for current versions of Windows and Windows service packs, Windows Embedded CE, and Microsoft Office".
It is not the first time Microsoft has collaborated with authorities on this issue, as the company helped bring down the ZeroAccess botnet in conjunction with the FBI and Europol a few years ago.

63 Universities and US Government agencies breached by hacker

A “Russian-speaking and notorious financially-motivated” hacker, Rasputin has reportedly hacked the computer systems of various universities and government agencies of US and sold the stolen data on the dark web.

According to the cyber security research firm,  Recorded Future, the hackers gained access to computer systems of more than 63 universities and federal, state, and local U.S. government agencies. The prominent universities include Cornell and New York University.

The firm claimed that the victims are “intentional targets of choice based on the organization’s perceived investment in security controls and the respective compromised data value. Additionally, these databases are likely to contain significant quantities of users and potentially associated personally identifiable information (PII).”

The list of the Rasputin's targets are quite long and it does extend to the 10 U.K university and one Indian University in Delhi as well. All the hacked agencies and universities have been informed about the hack by the Recorded Future's researchers.

The victims include 16 U.S state government, 6 U.S. cities and four federal agencies, Child Welfare Information Gateway, which is operated by the U.S. Department of Health and Human Services, and   Fermi National Accelerator Laboratory, America’s premier particle physics lab. The severity of the breaches are unclear

The List of U.S University victims: Cornell University, University of the Cumberlands, VirginiaTech, Oregon College of Oriental Medicine, University of Maryland, Baltimore County, Humboldt State University, University of Pittsburgh, The University of North Carolina at Greensboro, New York University, University of Mount Olive, Rice University, Michigan State University, University of California, Los Angeles, Rochester Institute of Technology, Eden Theological Seminary, University of Tennessee, Arizona State University, St. Cloud State University, NC State University, University of Arizona, Purdue University, University at Buffalo, Atlantic Cape Community College, University of Washington.

The list of U.K University Victims: University of Cambridge, Coleg Gwent, University of Oxford, University of the Highlands and Islands, Architectural Association School of Architecture, University of Glasglow, University of Chester, the University of the West of England, University of Leeds, The University of Edinburgh.

And one Indian University: Delhi University.

Hackers could easily bypass SBI's OTP security

One Time Password (OTP) has become the new security feature on most of the websites, including the banks. This feature allows a user to make online transactions after the identity of the customer is verified by putting the OTP password sent to the registered mobile number from the bank. But who knew this security feature could be easily bypassed and lead to huge loss of money.

A white-hat hacker, bug bounty hunter and web application security researcher, Neeraj Edwards shared his research on how he could easily bypass the OTP of one of the most popular bank, State Bank of India (SBI) and could make the transaction with any amount.

While making a transaction, the last page of SBI’s website shows a One Time Password screen where there is a parameter called ‘smartotpflag is set to Y i.e. smartotpflag=Y’.

Smartotpflag parameter is used to generate OTP, and Y represents ‘yes’ to send the code to the registered mobile. However, the risk factor arises if someone changes ‘Y’ to ‘N’ which means ‘No’. The transaction then will be completed without entering the OTP.

Though after Edwards discovery, the vulnerability was patched but it was highly disappointing that the person who could have easily benefited from this vulnerability, but choose not to, was neither rewarded nor acknowledged for his work.

The press too could not make this important news to the papers, thus keeping the public in dark and keeping the discoverer from any achievement.

Spies Hack Israeli Soldiers' Android Phones

More than 100 soldiers from the Israel Defense Forces (IDF) have become the target of a cyberespionage group when information from their mobile devices was stolen using malicious Android applications.

ViperRAT, the clandestine hacking collective was found actively hijacking soldiers’ Android-based smartphones to remotely siphon images and audio directly from the devices.

Highly sophisticated malware allowed the attackers to control each phone’s microphone and camera. In effect, the hackers could eavesdrop on soldiers’ conversations and peer into live camera footage — wherever an affected smartphone’s camera would be pointed, that vantage point could have also been viewable to the hackers.

A list of installed apps on the infected mobile device is also sent out by the dropper. Some variants will pretend to be chat apps, another variant will pretend to be a YouTube layer, depending on what's already installed on the device.

Other Android smartphone applications common to Israeli citizens and available in the Google Play store — including a billiards game, an Israeli Love Songs player, and a Move To iOS app — where found to contain hidden ViperRat malware.

While the malicious actors behind ViperRAT have yet to be explicitly identified, their activity patterns suggest that the cyberespionage is being carried out by a group operating out of the Middle East.

Google looks to hire Australian hackers

Google is searching for Australia’s best and brightest hackers to employ them for hard-to-fill cyber security positions at the search giant’s own business. The tech giant's Australian hiring raid may likely exacerbate the IT skills shortage in government agencies.

This step has been taken by the Google because of a difficulty in finding the right mix of people to take up cyber security positions. Despite the various specialised courses offered by Australian universities, not many appear to be interested in taking up the courses. The number of people taking up information and communications technology degrees has halved over the last decade according to the Government's Cyber Security Strategy.

Moreover, “it’s difficult to find such people who have the skills of hacking into a system but ultimately want to make it more secure and not use those skills negatively and are also willing to work in a big software company,” said Google Chrome’s security head, Parisa Tabriz.

The shortage can also be felt by Google which is now looking to hire as many quality cyber security positions in Australia as it can.

But Google’s gain could be government’s loss. The federal government expects demand for cyber security services and related jobs — such as legal services, insurance and risk management — will grow by at least 21% over the next five years.

The government services though have been competing with private firms on salaries. It is a common problem for governments across the globe when attempting to attract people for jobs, to fall short of being able to provide the kind of salaries and perks that private firms serve up to prospective employees.

Two weeks ago, the giant US-based telco Verizon announced it has strengthened its armoury in the fight against cyber adversaries with its investment in next-generation security capabilities at its Asia-Pacific Advanced Security Operations Centre in Canberra.

The opening of the new security centre followed Verizon’s appointment last December to the federal government’s new whole of government telecommunications services panel which provides coordinated telecommunications services.