Hackers steal 1 billion dollars over 2 years in greatest heist ever

By learning about the habits of co-workers in over 100 financial institutions, mainly in Russia, the hackers infected computers using spear phishing techniques. They upped the balance of accounts and transferred away the excess money. They also programmed cash machines (ATMs) to spit out money at specified times.
Hackers steal 1 billion dollars in 'biggest bank robbery ever' – UPDATE 2 – Webwereld.

BMW finally fixes half-year-old flaw that lets anyone open windows and doors

Luxury car manufacturer BMW has rolled out a patch for a security flaw that could have allowed hackers to open the doors of some 2.2 million vehicles.

The issue affects BMW, Mini and Rolls Royce models that come equipped with ConnectedDrive – a technology that allows car owners to access internet, navigation and other services via a SIM card installed directly into vehicles.

As Reuters explains, security researchers were able to create a fake cellphone base station to intercept network traffic from the car, and use th

http://grahamcluley.com/2015/02/bmw-security-patch/

Anthem, America’s second biggest health insurer, HACKED: Millions hit by breach • The Register

Anthem, the US’s second biggest health insurer with about 70 million people on its books across the country, admitted late on Wednesday, Pacific time, that it has been comprehensively ransacked by criminals. Tens of millions of records are likely to have been obtained illegally as a result of the hack, Anthem warned.

http://www.theregister.co.uk/2015/02/05/anthem_hacked/

Air-gap attack from 6 metres away by reading your CPU's electromagnetic signals

All CPUs emit electromagnetic signals when they are performing tasks, and the first thing these researchers discovered was that binary ones and zeroes emit different levels. The second thing they discovered is that electromagnetic radiation is also emitted by the voltage fluctuations and that it can be read from up to six meters away. These signals, by the way, are known as side-channels, and they are well-documented in the cryptography field.

via An Airgap Won't Secure Your Computer Anymore | Hacked.

KeySweeper – a DIY usb wall charger that logs keystrokes from MS wireless keyboards

KeySweeper is a stealthy Arduino-based device, camouflaged as a functioning USB wall charger, that wirelessly and passively sniffs, decrypts, logs and reports back all keystrokes from any Microsoft wireless keyboards (which use a proprietary 2.4GHz RF protocol) in the area.

Keystrokes are sent back to the KeySweeper operator over the Internet via an optional GSM chip, or can be stored on a flash chip and delivered wirelessly when a secondary KeySweeper device comes within wireless range of the target KeySweeper. A web based tool allows live keystroke monitoring.

via KeySweeper.

Staples: Breach may have affected 1.16 million customers’ cards

Staples believes that point-of-sale systems at 115 Staples locations were infected with malware that thieves may have used to steal customers’ names, payment card numbers, expiration dates and card verification codes, Staples said on Friday. At all but two of those stores, the malware would have had access to customer data for purchases made between August 10 and September 16 of this year. At the remaining two stores, the malware was active from July 20 through September 16.

via Staples: Breach may have affected 1.16 million customers' cards – Fortune.

Sony Data Breach gets worse and worse

The data dump, which was reviewed extensively by BuzzFeed News, includes employee criminal background checks, salary negotiations, and doctors’ letters explaining the medical rationale for leaves of absence. There are spreadsheets containing the salaries of 6,800 global employees, along with Social Security numbers for 3,500 U.S. staff. And there is extensive documentation of the company’s operations, ranging from the script for an unreleased pilot written by Breaking Bad creator Vince Gilligan to the results of sales meetings with local TV executives.

The documents made public this weekend, covering the company’s human resources, sales, and marketing teams, among others, are just a fraction of approximately 100TB of data the hackers claim to have taken from Sony. They say it will all be made freely available online, once they figure out how to distribute such an enormous amount of information.

via A Look Through The Sony Pictures Data Hack: This Is As Bad As It Gets – BuzzFeed News.

The Newest Sony Data Breach Exposes Thousands Of Passwords

Excel and Word documents plainly expose thousands of computer log-in, financial, and web services passwords, including the Facebook, Twitter, YouTube, and MySpace passwords for hundreds of major motion picture accounts.

via It Gets Worse: The Newest Sony Data Breach Exposes Thousands Of Passwords – BuzzFeed News.

Oh dear, Sony is really hammering themselves on this one

Hackers own 80% of all South Korean ID data

The South Korean government is considering a complete overhaul of its national identity number computer system – after hackers comprehensively ransacked it and now hold the ID codes for as much as 80 per cent of the population.

Each South Korean citizen is issued with a lifetime unique ID number. This number is used in all transactions, and the system has been in place since the late 1960s.

A public hearing into the database raid heard that hackers have now stolen the vast majority of these numbers, sparking an online crimewave that has hit everyone, from the highest to the lowest.

South Korea faces $1bn bill after hackers raid national ID database • The Register.

Bash broken – ShellShock

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

via NVD – Detail.
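As an added example (not from the NVD entry or this blog), here is a small Python check for the ShellShock marker in Apache access logs, since mod_cgi hands header values such as User-Agent and Referer to bash through the environment and the `() {` prefix is what bash parses as a function definition. The log lines and addresses are constructed for the example.

```python
import re

# The function-definition prefix bash looks for in environment values,
# allowing the whitespace variants seen in the wild: "() {", "(){", "( ) {".
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache "combined" log format. Quoted fields may contain \" escapes,
# so each field is matched as a run of non-quote chars or escaped chars.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>(?:[^"\\]|\\.)*)" '
    r'"(?P<agent>(?:[^"\\]|\\.)*)"$'
)


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_shellshock(lines):
    """Return (line_no, ip, field, value) for every field carrying the marker."""
    hits = []
    for no, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as hits
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append((no, rec["ip"], field, rec[field]))
    return hits


# Constructed sample log lines (documentation addresses, not a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"',
    '198.51.100.7 - - [25/Sep/2014:10:01:15 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() {:;}; echo probe" "curl/7.35"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for no, ip, field, value in find_shellshock(SAMPLE_LOG):
        print(f"line {no}: {ip} sent marker in {field}: {value!r}")
```

A hit only shows that the marker reached the web server; whether it did anything depends on the bash version behind the CGI script, so pair this with patching to a fixed bash rather than treating it as proof of compromise.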

The hacker's toolbox | Workshop Security en Privacy

Security is a craft; hackers have often spent their whole lives testing systems and applications, but just as with a good IT administrator, a defining trait of a hacker is the preference for automating (scripting) routine tasks.
In the early days of the web, hackers mostly kept their own collections of scripts, and these scripts were often exchanged among each other via bulletin boards or forums.
It soon turned out, however, to be far more efficient to bundle these scripts, and out of that grew full-blown hacking frameworks; among the best known of these are Metasploit and OpenVAS.

The hacker's toolbox | Workshop Security en Privacy.

The Police Tool That Pervs Use to Steal Nude Pics From Apple’s iCloud

The software first brute-forces an iCloud username/password, then tricks iCloud into thinking your device is the target device and finally performs a full restore to your device.
This software is supposed to be for law enforcement, but can be bought and downloaded by anyone. There are also illegal copies to be found.

The Police Tool That Pervs Use to Steal Nude Pics From Apple’s iCloud | Threat Level | WIRED.

Researchers find security flaws in backscatter X-ray scanners

In laboratory tests, the team was able to successfully conceal firearms and plastic explosive simulants from the Rapiscan Secure 1000 scanner. The team was also able to modify the scanner operating software so it presents an “all-clear” image to the operator even when contraband was detected.

via Researchers find security flaws in backscatter X-ray scanners – ScienceBlog.com.

This was demonstrated on German TV in 2009, but better late than never guys!

UPS: We’ve Been Hacked – Credit Card data compromised since January

The United Parcel Service announced Wednesday that customers’ credit and debit card information at 51 franchises in 24 states may have been compromised. There are 4,470 franchised center locations throughout the U.S., according to UPS.

via UPS: We’ve Been Hacked – TIME.

So you don’t know when UPS found out about the hack, but if it’s been fighting the fight since January 20, it’s been a bit long in handing over customer data to the hackers.

It’s very easy to hack traffic lights

The lights use a wireless radio at 900MHz or 5.8GHz to transmit data to each other. They are all on the same subnet. Entering the network doesn’t require a password and the data is unencrypted. The controller for a network has a debug port opened by default. It’s thus easy to get into the controller and send your own commands. Then you can change lights and control cameras!

Researchers find it’s terrifyingly easy to hack traffic lights | Ars Technica.

Use a video of a bag of crisps to hear what is said in the room

Researchers at MIT, Microsoft, and Adobe have developed an algorithm that can reconstruct an audio signal by analyzing minute vibrations of objects depicted in video. In one set of experiments, they were able to recover intelligible speech from the vibrations of a potato-chip bag photographed from 15 feet away through soundproof glass.

via Extracting audio from visual information | MIT News Office.

Ciscos need upgrading – routing tables are up for grabs!

Multiple Cisco products are affected by a vulnerability involving the Open Shortest Path First (OSPF) Routing Protocol Link State Advertisement (LSA) database. This vulnerability could allow an unauthenticated attacker to take full control of the OSPF Autonomous System (AS) domain routing table, blackhole traffic, and intercept traffic.

via Cisco Security Advisory: OSPF LSA Manipulation Vulnerability in Multiple Cisco Products.