
Friday, 1 March 2019

ONIONSHARE: SHARE FILES OVER THE TOR NETWORK

DATA BREACH AT TURBOTAX EXPOSES USERS’ INFORMATION


Company officials report that unknown actors got access to data using credentials obtained in other incidents

According to network security and ethical hacking specialists from the International Institute of Cyber Security, Intuit, a financial software developer and creator of services like Mint and TurboTax, has been the victim of a credential stuffing attack. It is believed that the attackers were after the tax return information of users of these systems.

The company’s network security specialists discovered the cyberattack during a routine security check. According to Intuit, both the authorities and the affected users have already been notified; the incident report states that an unauthorized party accessed the affected users’ data using user names and passwords obtained from a non-Intuit source, that is, through a credential stuffing attack.

In cases where the attack was successful, hackers could have accessed user tax returns, as well as other information stored on the platform, such as:

  • Full names
  • Social Security numbers
  • Users’ addresses
  • Dates of birth
  • Financial information

The compromised information could also include details about some close relatives of the affected users, according to network security experts.

As a security measure, Intuit temporarily disabled the affected accounts after discovering the incident. In addition, the platform has provided affected users with a year of free identity protection services, bank account monitoring and identity restoration through a certified service.

Intuit insists that the incident should not be considered a data theft that compromised its infrastructure, but rather an attack against specific accounts of some users.


SPECTRE AND MELTDOWN VULNERABILITIES CAN’T BE CORRECTED WITH SOFTWARE IMPLEMENTATIONS


Google experts consider these vulnerabilities to be inherent in modern processor design

According to network security and ethical hacking specialists from the International Institute of Cyber Security, the Spectre and Meltdown vulnerabilities were first reported about a year ago; since then, countless teams of independent specialists and researchers have tried multiple methods to mitigate the risk of exploitation of these flaws, hoping to eradicate it completely in the future.

Unfortunately, Google network security specialists consider these vulnerabilities to be an inherent feature of modern processors. In other words, software-based correction and mitigation techniques are not enough to overcome them.

It is worth noting that Meltdown and Spectre attacks take advantage of speculative execution, a feature of the processors currently in use. With speculative execution, a processor assumes that a condition is true or false and keeps working on that assumption before the condition has been resolved. If the assumption turns out to be correct, the speculative results are kept; if it turns out to be wrong, the results are discarded.

Initially, network security specialists assumed that speculative execution was invisible to running programs, as it is an implementation detail. However, evidence was later discovered that some traces of incorrect speculation were not completely eliminated.

A malicious user could obtain this data through a side channel. In addition, attackers can trick computers into loading sensitive data, such as administrators’ information, passwords, etc. To mitigate the risks posed by these vulnerabilities, developers have resorted to software-based techniques, such as using sandbox environments or preventing the processor from speculating on sensitive information.

While these software techniques are quite functional, Google experts claim that they are only a shallow solution. A test made in the Chrome browser showed that trying to implement a comprehensive solution against a Spectre attack caused a considerable drop in performance.

In conclusion, it is not possible to solve Spectre-type vulnerabilities with software alone. Speculative execution is a fundamental part of a modern processor, so many specialists consider that Spectre and Meltdown will keep causing problems for a long time.


HOW TO CHECK IF YOUR DUBSMASH, COFFEE MEETS BAGEL OR MYFITNESSPAL ACCOUNTS WERE HACKED


Hackers accessed personal data from more than 160 million users

According to network security and ethical hacking experts from the International Institute of Cyber Security, Dubsmash, the popular video app, suffered a data breach at the end of 2018. It is estimated that the incident affected about 162 million users, exposing information such as:

  • User full names
  • Usernames
  • Passwords
  • Phone numbers
  • Emails
  • Location data

Recently, the compromised information was found for sale on some hacker forums on the dark web. The app has more than 100 million downloads on the Google Play Store alone.

The information has been published on the Have I Been Pwned platform, which records known data breaches and allows users to check if their email credentials have been compromised in any of these incidents. According to this website, the data breach notification at Dubsmash was published on February 25, 2019, specifying that 161,749,950 Dubsmash accounts worldwide were affected.

Although, according to network security specialists, Dubsmash should notify affected users, the company has not taken any action to meet this requirement. However, not everything is bad news: users concerned about the state of their personal information can go to the Have I Been Pwned (haveibeenpwned.com) website and enter their email address, and the platform will verify whether their account has been involved in a data breach incident.

Fortunately, there are other similar platforms that host huge databases of security incidents where users can verify whether their information has been compromised. As an additional measure, network security specialists recommend identity protection services, which monitor the network for suspicious activity carried out with the accounts of the affected user.

The information extracted from Dubsmash is offered for sale on the dark web along with another 500 million accounts stolen from sites such as CoffeeMeetsBagel, MyHeritage and MyFitnessPal, among others. Apparently, the entire database is offered at about $20k USD, paid through cryptocurrency transactions.


ICANN SUGGESTS IMPLEMENTING DNSSEC TECHNOLOGY IMMEDIATELY


The Domain Name System is vulnerable to multiple cyberattacks, so the organization has requested to implement better security measures

According to network security and ethical hacking experts from the International Institute of Cyber Security, the Internet Corporation for Assigned Names and Numbers (ICANN) has called for a collective effort to develop a security technology that reinforces the reliability of the Domain Name System (DNS) and can protect website operators from attacks by the most dangerous hacker groups.

To be specific, what ICANN proposes is a complete implementation of the DNS Security Extensions (DNSSEC) on all unsecured domain names. DNS is the part of the worldwide Internet infrastructure that is responsible for translating site names in common language into the IP addresses needed to access websites, use email platforms, etc. DNSSEC would add a new security layer to DNS.

DNSSEC technologies have existed for almost 10 years, although they are not yet widely used. According to network security specialists, less than 20% of DNS registrars worldwide have implemented this technology. It is believed that the adoption of DNSSEC has been delayed because it could reduce functionality in favor of improving security measures, and that DNSSEC was always considered an option, not as a security requirement.

This technology could prevent attacks that take advantage of replies to DNS queries by cryptographically signing DNS records to verify their authenticity.

The problem is that most DNSSEC implementations are incompatible with current DNS requirements. “Inherited implementations of DNSSEC break basic DNS functions, such as geo routing, it is also difficult to implement this technology in multiple vendors, so performance would be affected, as well as its availability for final users would be reduced,” said network security specialists.

According to ICANN, the total implementation of DNSSEC technology ensures that end users access legitimate online websites and services. “While this is not a solution to all Internet security issues, DNSSEC would provide additional protection to a critical sector,” adds ICANN.

In a statement, ICANN claims that its request is backed by multiple reports that mention groups of malicious hackers exploiting a wide variety of resources and methodologies to carry out their plans.

“Some recent cyberattacks have focused on DNS; hackers make some changes to the domain name structure without authorization, so you can perform various malicious activities. DNSSEC technology is fully functional against this type of attack,” says ICANN.

ICANN also published a list of DNS security measures so that industry members can protect their customers, their information systems, and their entire infrastructure.

ICANN’s call comes shortly after the U.S. Department of Homeland Security decreed that all agencies at the federal level had to reinforce their computer security systems against the growing tide of global cyberattacks.


Thursday, 28 February 2019

HACKERS INFILTRATE WEBSITES BY EXPLOITING A NEW DRUPAL VULNERABILITY

Some versions of the content management system have a critical vulnerability that leaves them exposed to remote code execution attacks

Network security specialists from the International Institute of Cyber Security report the presence of a critical vulnerability in Drupal, the popular content management system.

The vulnerability (CVE-2019-6340) exists because “some field types do not properly sanitize data from non-form sources”, says the team in charge of Drupal, which is an open source project. “This could lead to arbitrary code execution”, the network security specialists state.

In recent days Drupal released fixes to update 8.6.x versions to 8.6.10, as well as Drupal 8.5.x and earlier to 8.5.11. “No core update is required for Drupal 7, but several modules require updates”.

According to Drupal's developers, versions of the content management system could be at risk if any of the following conditions is met:

  • Drupal 8 Web Services: A site is only affected by this if it has the RESTful Web Services module enabled and allows PATCH or POST requests
  • Other web services modules: “The site has another web services module enabled, such as JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7”

Drupal says that although version 7 of the web services module is not at risk, applying all available updates is highly recommended.

The network security specialists mention that the vulnerability can be mitigated by disabling the web services modules or by configuring the services to not allow PUT, PATCH or POST requests to web services resources.

The project team also notes that any Drupal version that is 8.5.x or earlier has reached its end-of-life date and will receive no further support.

Troy Mursch, a cybersecurity specialist, said that hackers have been exploiting this vulnerability, infiltrating websites on a massive scale. “We have found Drupal-related scans that attempt to use the CHANGELOG.txt method to locate sites vulnerable to the CVE-2019-6340 flaw.”
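
The two indicators named above, CHANGELOG.txt version probes and PUT/PATCH/POST requests to web services resources, can be looked for in a site's access log. The following is an added example, not code from Drupal or from this article; the log lines are constructed, and the `?_format=` query parameter and the `/jsonapi/` path prefix are assumed to be the defaults of the Drupal 8 REST and JSON:API modules.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format; the addresses come from
# the documentation ranges, not from the article.
SAMPLE_LOG = """\
198.51.100.7 - - [25/Feb/2019:10:01:02 +0000] "GET /CHANGELOG.txt HTTP/1.1" 200 1234 "-" "curl/7.58"
198.51.100.7 - - [25/Feb/2019:10:01:05 +0000] "POST /node?_format=hal_json HTTP/1.1" 403 88 "-" "curl/7.58"
203.0.113.9 - - [25/Feb/2019:10:02:00 +0000] "GET /node/1?_format=json HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Feb/2019:10:02:10 +0000] "POST /user/login HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.44 - - [25/Feb/2019:10:03:00 +0000] "PATCH /jsonapi/node/article/abc HTTP/1.1" 405 0 "-" "python-requests/2.21"
192.0.2.44 - - [25/Feb/2019:10:03:01 +0000] "GET /core/CHANGELOG.txt HTTP/1.1" 404 0 "-" "python-requests/2.21"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} ')
WRITE_METHODS = {"POST", "PATCH", "PUT"}

def classify(method, target):
    """Return 'probe', 'ws_write' or None for one request line."""
    url = urlsplit(target)
    if method == "GET" and url.path.lower().endswith("/changelog.txt"):
        return "probe"  # version fingerprinting via CHANGELOG.txt
    if method in WRITE_METHODS:
        # Assumption: REST calls carry ?_format=..., JSON:API lives under /jsonapi/.
        if "_format" in parse_qs(url.query) or url.path.startswith("/jsonapi/"):
            return "ws_write"
    return None

def scan(log_text):
    """Map each client IP to the set of suspicious request kinds it made."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, method, target = m.groups()
        kind = classify(method, target)
        if kind:
            hits[ip].add(kind)
    return dict(hits)

def priority_clients(hits):
    """IPs that both fingerprinted the version and sent web-service writes."""
    return sorted(ip for ip, kinds in hits.items() if kinds == {"probe", "ws_write"})

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    print(found, "review first:", priority_clients(found))
```

A write request to a web services resource is normal on sites that use those modules, so the combination with a CHANGELOG.txt probe from the same client is what deserves the first look.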

Drupal is one of the most popular content management systems in the world, behind only Joomla and WordPress, which holds 60% of this market. According to its developers' estimates, more than 1 million websites currently use Drupal.

Last year, Drupal disclosed that around 500 websites had been attacked by unknown hacker groups exploiting a remote code execution vulnerability in order to mine the Monero cryptocurrency.

The victims of this attack included Lenovo, the San Diego Zoo and the Office of the Inspector General of the U.S. Equal Employment Opportunity Commission, among other users of the content management system.


INSTAGRAM USERS FALL VICTIM TO FAKE INVESTMENT CAMPAIGN

Multiple victims, most of them young people between 18 and 25 years old, are invited to invest through ads in the app; the scammers then disappear

British authorities report an increase in the activity of some online criminal groups, especially those that claim to multiply investments in a short time. In this case, according to network security specialists from the International Institute of Cyber Security, victims are promised high returns after only 24 hours, but the criminals take the money and disappear shortly afterwards.

Over the last 5 months British authorities have received more than 300 reports of this type of fraud, and losses total more than 3 million euros, not counting victims who have not filed reports.

According to network security experts, the scam begins with an ad in the Instagram app. In it, victims are invited to transfer various amounts (600 euros on average) and are promised almost automatic profits. When victims send the money to the scammers, they receive back screenshots showing their supposed profits accumulating in a bank account.

The attackers then urge victims to increase their investment and tell them that their profits can be released by paying a fee, so a single victim could end up losing thousands of euros.

Then comes the worst part: the scammers close the Instagram accounts, stop contacting the victims and disappear with the money.

According to network security experts, the scammers use professional-looking images, and may also promise special discounts at some stores, investment tips on “secret stocks” and other information related to the stock market.

According to a cybersecurity firm, there are more than two million potentially fraudulent posts on Instagram, a fraud the UK government has dubbed ‘money-flipping’. Action Fraud, a fraud awareness office in Britain, said in a report: “Criminals will always try to take advantage of social media, as it has become part of people's everyday lives”.

Action Fraud insists that money should never be sent to strangers online, and invites users to report any potentially fraudulent post to the competent authorities.