
Hyatt Hotels discovers card data breach at 41 properties

Hyatt Hotels Corp (H.N) said on Thursday it had discovered unauthorized access to payment card information at certain Hyatt-managed locations worldwide between March 18, 2017 and July 2, 2017.

Hyatt said the incident affected payment card information, such as cardholder name, card number, expiration date and internal verification code, from cards manually entered or swiped at the front desk of certain Hyatt-managed locations.

The owner of Andaz, Park Hyatt and Grand Hyatt chain of hotels said a total of 41 properties were affected in 11 countries, with China accounting for 18 properties, the most among impacted countries.

Seven Hyatt properties were affected at U.S. locations, including three in Hawaii, three in Puerto Rico and one in Guam.

The Chicago, Illinois-based company said its cyber security team discovered signs of the unauthorized access in July and launched an internal investigation, completed on Thursday; it said it had resolved the issue and taken steps to prevent a recurrence.

This is not the first time Hyatt has faced a card data breach at its hotels.

In late 2015 Hyatt said its payment processing system had been infected with card-stealing malware that affected about 250 hotels in some 50 countries.


via:  reuters


Microsoft’s mystery update arouses anger, suspicion among Windows 10 users

Microsoft’s update servers are pushing out a new Photos Add-on app, with no explanation of what it does. Windows 10 users aren’t taking it well.

Microsoft’s update servers began pushing out a mysterious new app recently, and the new arrival is stirring up suspicion and anger among some Windows 10 users.

The new app is called Photos Add-on, and its entry in the Windows Store offers few clues about what it is or does.


This mystery app has drawn caustic reviews from suspicious Windows 10 users.

On my test systems, the new app appeared as part of Windows updates delivered on October 10. Based on ratings and reviews in the Store, other Windows 10 users saw the update as early as October 1.

More than 70 percent of the early reviews have given the mystery add-on a 1 star rating, with reviewers adding comments like these:

  • Installed without permission
    I didn’t ask for this, I didn’t approve this, I didn’t even know you were planning on installing this. When will you get it that people don’t want YOU to decide what gets installed on MY computer. Stop it already.
  • Forced install
    Not cool, MS.
  • Don’t install without asking
    I have no idea what this even does. Why do I have it and why didn’t I have a choice?

So, what is the mystery app? The answer turns out to be relatively innocuous.

It is indeed an update for the built-in Photos app, included with every copy of Windows 10. Its official name is Photos.DLC.Main (DLC apparently stands for “downloadable content”), and it’s listed in Settings > Apps > Apps & Features. Find the Photos app, click Advanced Options, and look under the App Add-ons & Downloadable Content heading:


The Photos add-on can be uninstalled, although there’s no reason to do so.

As far as I can tell, this is the first public release of a feature that was announced 18 months ago, as part of a Windows 10 preview build delivered in April 2016:

You will also be able to manage app add-ons and downloadable content [in Settings] if the app supports this capability, as discussed at Build 2016. While there are currently no apps that support add-ons or downloadable content in the Store, please stay tuned for availability of apps that do once they are released.

The add-on model is documented in this reference page for the Universal Windows Platform API. A source with knowledge of this add-on told me that it’s part of an architectural change that will allow Microsoft to deliver new functionality and content updates to the Photos app, including 3D effects, filters, and text.

It’s also yet another example of an unforced error on Microsoft’s part. Even a tiny amount of documentation in the listing for this add-on would have tamped down the suspicion. Instead, it’s fresh fuel for conspiracy theorists.


via: zdnet


Equifax website borked again, this time to redirect to fake Flash update

In May credit reporting service Equifax’s website was breached by attackers who eventually made off with Social Security numbers, names, and a dizzying amount of other details for some 145.5 million US consumers. For several hours on Wednesday, and again early Thursday morning, the site was maliciously manipulated again, this time to deliver fraudulent Adobe Flash updates, which when clicked, infected visitors’ computers with adware that was detected by only three of 65 antivirus providers.

Randy Abrams, an independent security analyst by day, happened to visit the site Wednesday evening to contest what he said was false information he had just found on his credit report. Eventually, his browser opened up a page on the domain hxxp// that looked like this:


He was understandably incredulous. The site that previously gave up personal data for virtually every US person with a credit history was once again under the influence of attackers, this time trying to trick Equifax visitors into installing crapware Symantec calls Adware.Eorezo. Knowing a thing or two about drive-by campaigns, Abrams figured the chances were slim he’d see the download on follow-on visits. To fly under the radar, attackers frequently serve the downloads to only a select number of visitors, and then only once.

Abrams tried anyway, and to his amazement, he encountered the bogus Flash download links on at least three subsequent visits. The picture above this post is the higher-resolution screenshot he captured during one visit. He also provided the video below. It shows an Equifax page redirecting the browser to at least four domains before finally opening the Flash download at the same page.



The file that got delivered when Abrams clicked through is called MediaDownloaderIron.exe. This VirusTotal entry shows only Panda, Symantec, and Webroot detecting the file as adware. This separate malware analysis from Packet Security shows the code is highly obfuscated and takes pains to conceal itself from reverse engineering. Malwarebytes flagged the site as one that pushes malware, while both Eset and Avira provided similar malware warnings for one of the intermediate domains,



It’s not yet clear precisely how the Flash download page got displayed. The group-sourced analysis here and this independent assessment from researcher Kevin Beaumont—both submitted in the hours after this post went live—make a strong case that Equifax was working with a third-party ad network or analytics provider that’s responsible for the redirects. In that case, the breach, technically speaking, isn’t on the Equifax website. But even if that’s true, the net result is that the site is arguably compromised in some way, since administrators can’t control the pages visitors see when they’re trying to use key functions, some of which require visitors to enter Social Security numbers.

Several hours after this post went live, an Ars reader e-mailed to say he recently encountered a sketchy ad when putting a temporary fraud alert on his Equifax file. The reader wrote:

When I clicked it (from Gmail on Android) I was redirected to a spam page shortly after seeing the Equifax credit file form. I thought maybe it was an anomaly because it didn’t happen again. But after reading your article about how sometimes hacks will redirect randomly I tried the link again just now and sure enough I got a spam page again (saying I won an iPhone X). This is Chrome-in-a-tab from Gmail so I don’t believe there’s any extensions or other malware on my device that could have caused this redirect.



In the hour this post was being reported and written, Abrams was unable to reproduce the redirects leading to the malicious download, but he said they returned early Thursday morning. Shortly after that, a section of the site was taken down. In an e-mail sent mid Thursday morning, an Equifax representative wrote:

We are aware of the situation identified on the website in the credit report assistance link. Our IT and Security teams are looking into this matter, and out of an abundance of caution have temporarily taken this page offline. When it becomes available or we have more information to share, we will.

Post updated at several times on the morning of 10/12/2017 Pacific time to discuss ad networks and add details of ad served on reader. The word “hacked” was removed from the headline to reflect the possibility the redirects are the result of a third-party malvertising campaign.


via:  arstechnica


How Cybercriminals Change Tactics During Their Cyber Attacks

Here’s how online criminals use the surprise factor to spread malware.

Cyber attacks continue to rise and to hit both organizations and home users worldwide. Despite everyone’s efforts and prevention measures, these attacks keep wreaking havoc, with no sign of slowing down.

Why are these online threats still spreading? How do cyber criminals manage to change tactics during their attacks?

With these questions in mind, we will look into the threat landscape to see how malware authors have switched to more sophisticated attack vectors. They are now using more advanced and complex technology to find their next targets, infect various devices, and get access to users’ sensitive data.

Have you noticed that cyber criminals have become more ingenious during attacks, and that they rely on surprise?

This year, WannaCry was the largest global ransomware outbreak to date.

Why was this attack a success for the criminals, and what set it apart from the rest? Low detection and, above all, self-propagation: the worm exploited a vulnerability in the Windows SMBv1 implementation (patched by Microsoft in March 2017 as MS17-010) that let it move laterally within networks and infect hundreds of thousands of computers without anyone clicking anything. The exploit it used, EternalBlue, came from the NSA tooling leaked by the Shadow Brokers.

This is just one of the examples that we’ll discuss in this article, so you can understand how online criminals are changing their ways.

How cyber attacks have evolved in 2017

So far, 2017 has proved a productive year for cybercriminals, with a large number of new attacks hitting the market. From the WannaCry ransomware outbreak of “unprecedented level” to (Not)Petya, from the Equifax data breach to the recent CCleaner incident, they come in all shapes and sizes, are difficult to anticipate and cause a lot of damage.

Attacks this year seem to be arriving more frequently than in previous years while still having a high impact. Everyone has been (and is) suffering from these large-scale attacks, whether as individuals losing valuable data or as businesses being disrupted. Everyone is vulnerable, but we can always learn to become more resilient to such attacks and take cyber security more seriously.

For example, Check Point’s mid-year 2017 research found that most global regions have been hit by ransomware, which is by now a mainstream and widespread threat.

Ransomware has grown significantly this year, causing data loss and serious financial damage for organizations and home users alike. It continues to dominate the threat landscape and affects critical sectors such as hospitals, banks, universities, government, law firms and mobile users.

The financial picture is no better: the global average cost of cybercrime keeps rising. A recent “Cost of Cyber Crime” study by the Ponemon Institute, jointly developed with Accenture, found that cybercrime now costs organizations US$11.7 million a year on average, 23 percent more than last year.

Source: Accenture

Inside the mind of cybercriminals

You might wonder: what’s inside the mind of a cyber criminal? What motivates these bad guys to take malicious actions and steal other people’s sensitive information? Is it just money or are they looking to show off?


Often, technology is used against us rather than for us, as intended. The people doing it are skilled and tech-savvy and know how to operate efficiently, and they can now reach further than before into our private lives, our homes and our offices. Most of the time, we can do little about it.

Here’s how hackers approach an attack:

Source: MIT Sloan Management Review

Putting yourself in the shoes of cybercriminals gives you more insight into their behaviour and the way they think. They tend to be intelligent, creative individuals who enjoy taking risks, have a keen interest in computer science and are often labelled geeks. Good social and communication skills are also needed, since they use them to manipulate victims or to carry out other critical steps. Sometimes they operate alone, sometimes in an organized group.

Cybercriminals now change tactics during attacks

In an interconnected world, cyber attacks have become commonplace. We are more and more dependent on the smart devices and software that are meant to make our lives easier; designed to help us communicate and interact, they are also exposed to online threats.

Our devices are vulnerable because software is never 100% secure or perfect: it has flaws, and some of them fail or can be abused. Despite engineers’ efforts to cover every technical aspect, computers remain easy targets for the bad guys. What matters is to build quality software.

“Having a world with less software is not an option. The software is actually doing stuff that is helping us. So this should not be an excuse for deploying vulnerable software, but an incentive to make software better,” said Walter Belgers in an interview for DefCamp.

As expected, in many cases, cyber criminals take advantage of the vulnerable software, exploit flaws and start spreading malware. But they aim to do this in ways that are difficult to anticipate and, consequently, challenging to stop.

Cyber attacks have been happening for years, with malicious hackers focused on stealing money, financial data or intellectual property, or simply disrupting a company’s operations. What has changed is their modus operandi. They have become more skilled and use new workarounds to avoid the usual defences organizations deploy, and they seem to know which tactics will work.

The following examples are proof of the cyber criminals’ level of ingenuity.

1. Leveraging vulnerabilities that affect widely used types of software

During the massive WannaCry outbreak, criminals used the EternalBlue exploit to spread the malware quickly and infect a large number of computers. The campaign became so extensive because it exploited a vulnerability in Windows (the SMBv1 flaw patched in MS17-010) that let it move laterally within networks and infect other computers on its own.

The ransomware payload itself was ordinary; the new tactic was the delivery: exploiting an unpatched vulnerability in software deployed on a global scale. What set this outbreak apart was its self-replicating ability, which let it spread fast and hit many companies and public institutions worldwide.

2. Changing the type of malware delivered during the same cyber attack

(Not)Petya (tracked as Petya.A, Petya.D or PetrWrap) was another fast-spreading outbreak in the mould of WannaCry, but it switched the type of malware from ransomware to wiper. Unlike WannaCry it used multiple attack vectors, and it dropped a cocktail of components meant to encrypt files and harvest as much data and as many credentials from the host as possible. The purpose of a wiper is to destroy and damage; ransomware is mainly focused on making money.

Switching the type of malware mid-attack is another surprise factor. Malware cocktails also proved effective in the Cerber ransomware campaign, where injected malicious scripts drove infection rates.

In other campaigns, attackers used the GootKit and Godzilla info stealers to collect and steal victims’ financial information. Such banking Trojans are part of a more complex cocktail that can include rootkits, worms or other malware that enslaves a computer to a botnet. Criminals used these info stealers to compromise users of various online banking services.

The same low-detection, multi-component approach is what made the (Not)Petya outbreak so damaging: ransomware on the surface, a wiper underneath.

3. Changing ransomware extensions to delay strain detection

Spam campaigns are not only more frequent but larger in scale, and they use new infection vectors. Locky resurfaced, and its most recent campaign appended a new extension, .lukitus, to the files it encrypted.

Locky stands out from the pack, because of its frequent attacks, but other ransomware strains have applied the same tactic in the past years as well.

Each time a new extension pops up, victims wonder how they can retrieve their data, and it usually takes a few days, depending on the strain’s complexity, before researchers work out which family is behind it and whether a decryptor exists.
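A detector that does not care what the new extension is called, as an added example (not code from the Heimdal article). It assumes rename telemetry in a constructed tab-separated shape (timestamp, pid, process, old path, new path) standing in for Sysmon, auditd or EDR events; the process name, the threshold and the window are assumptions to tune for a real host.

```python
"""Extension-agnostic detector for a ransomware rename burst.

Added example; not code from the Heimdal article. Event lines are a
constructed tab-separated format (timestamp, pid, process, old path,
new path) standing in for Sysmon/auditd/EDR rename telemetry. No list
of ransomware extensions is used: the trigger is one process renaming
many files to the same extension nobody on this host has used before,
which catches .lukitus or whatever the next campaign picks.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

WINDOW = timedelta(seconds=60)   # sliding window per (pid, extension); assumption
THRESHOLD = 20                   # renames inside WINDOW before alerting; assumption

# Extensions this host legitimately writes (constructed; build from an inventory).
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".tmp"}


def parse_event(line):
    """Split one tab-separated event into (datetime, pid, process, old, new)."""
    ts, pid, proc, old, new = line.rstrip("\n").split("\t")
    return datetime.fromisoformat(ts), int(pid), proc, old, new


def detect_bursts(lines, known_extensions=KNOWN_EXTENSIONS):
    """Yield (pid, process, extension, count) the first time a process
    renames THRESHOLD files to the same unknown extension within WINDOW."""
    known = {e.lower() for e in known_extensions}
    recent = defaultdict(deque)          # (pid, ext) -> timestamps in window
    alerted = set()
    for line in lines:
        ts, pid, proc, old, new = parse_event(line)
        new_ext = os.path.splitext(new)[1].lower()
        old_ext = os.path.splitext(old)[1].lower()
        # Ignore renames that keep the extension or land on a known one.
        if not new_ext or new_ext == old_ext or new_ext in known:
            continue
        window = recent[(pid, new_ext)]
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()
        if len(window) >= THRESHOLD and (pid, new_ext) not in alerted:
            alerted.add((pid, new_ext))
            yield pid, proc, new_ext, len(window)


def sample_events():
    """Constructed telemetry: one process renaming 25 documents in 25 s,
    plus one benign rename by Explorer."""
    base = datetime(2017, 10, 12, 9, 0, 0)
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=i)).isoformat()
        old = f"C:\\Users\\a\\Documents\\report{i}.docx"
        lines.append(f"{ts}\t4242\tupdate.exe\t{old}\t{old}.lukitus")
    ts = (base + timedelta(seconds=30)).isoformat()
    lines.append(f"{ts}\t1000\texplorer.exe\tC:\\Users\\a\\Documents\\draft.tmp"
                 f"\tC:\\Users\\a\\Documents\\draft.docx")
    return lines


if __name__ == "__main__":
    for pid, proc, ext, n in detect_bursts(sample_events()):
        print(f"ALERT pid={pid} {proc} renamed {n} files to *{ext} within {WINDOW}")
```

The alert fires on the twentieth rename, before the process has touched most of the share; the same logic keyed on a user or a server-side session catches encryption of a network drive from a compromised workstation.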

4. Using auto-updating elements to automate new payload delivery

Attackers have also turned to auto-updating links in malicious email attachments, a fairly new tactic. What made it different was that “the file exploits a Microsoft Word feature that can make files automatically update links included in them as soon as they are opened”.

The same attack can thus be used to deliver multiple types of malware, depending on the attacker’s objectives.

We recommend keeping an eye on these malicious spam emails!

Source: Helpnet Security

5. The matrioshka social engineering attack

In the malware campaign that spread through Facebook Messenger, criminals used a slightly different form of social engineering.

What was unusual was the number of angles used in a single attack: a malicious browser extension for Chrome and Firefox, and a binary package that installed adware on victims’ computers.

Victims were tricked into believing they had received a legitimate link from a Facebook friend. The message carried a bit.ly link, presented as a video with the recipient’s name, that led to the malicious content.

Although this approach to luring victims with malicious links in social media messages is not new, it still works to the dismay of many home users.

6. Spoofing gets more difficult to identify

Spoofing attacks have changed and are harder to spot. In an email spoofing attack, the attacker sends a fake message crafted to look like a genuine one from a trusted sender; the aim is to make the recipient believe it is real, and an untrained user finds the suspicious elements hard to pick out.

In a new Locky spam campaign, attackers used these tactics to spoof Dropbox. Here is the misleading email next to the legitimate one:

As you can see, attackers are getting better and better at impersonating legitimate entities. With so many online accounts, it’s becoming increasingly difficult to identify spoofing or phishing, which leads to more users getting compromised.

Filtering these threats, and teaching users to identify them proactively, is an uphill battle that will certainly continue in the coming years.
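Header checks a mail gateway can run to catch the kind of Dropbox impersonation described above, as an added example that is not part of the original article. The brand list, the example domains (dropbox-share.example.com, mail-blast.example.net) and both sample messages are constructed; a real deployment would take its brand list and its Authentication-Results header from its own MX.

```python
"""Header-level checks for a spoofed or look-alike sender.

Added example, not code from the Heimdal article. The brand list and
both messages are constructed; the first imitates a Dropbox share
notification the way the Locky campaign above did, using made-up
domains (dropbox-share.example.com, mail-blast.example.net).
"""
import re
from email import message_from_bytes
from email.utils import parseaddr

# Brands this gateway expects to see and the domains they really send from.
# Constructed; a deployment would load its own list.
KNOWN_BRANDS = {"dropbox": {"dropbox.com", "dropboxmail.com"}}


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _auth_results(msg):
    """Pull spf=/dkim=/dmarc= verdicts out of Authentication-Results headers."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            verdicts[method.lower()] = verdict.lower()
    return verdicts


def spoof_indicators(raw):
    """Return a list of reasons the message looks like impersonation; empty means clean."""
    msg = message_from_bytes(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    findings = []

    for brand, real_domains in KNOWN_BRANDS.items():
        # 1. Display name claims a brand the sending domain does not belong to.
        if brand in name.lower() and from_domain not in real_domains:
            findings.append(f"display name '{name}' but From domain {from_domain}")
        # 2. Look-alike domain: brand word embedded in an unrelated domain.
        if brand in from_domain and from_domain not in real_domains:
            findings.append(f"look-alike sender domain {from_domain}")

    # 3. Envelope sender (Return-Path) does not match the visible From.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and _domain(return_path) != from_domain:
        findings.append(f"Return-Path domain {_domain(return_path)} != From domain {from_domain}")

    # 4. Reply-To quietly diverts replies elsewhere.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply_to)} != From domain {from_domain}")

    # 5. SPF, DKIM or DMARC failed, or the upstream MX never evaluated them.
    auth = _auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            findings.append(f"{method}={auth.get(method, 'none')}")
    return findings


SAMPLE_SPOOF = b"""\
Return-Path: <bounce@mail-blast.example.net>
Authentication-Results: mx.example.org; spf=softfail smtp.mailfrom=mail-blast.example.net; dkim=none; dmarc=fail header.from=dropbox-share.example.com
From: "Dropbox" <no-reply@dropbox-share.example.com>
Reply-To: <files@mail-blast.example.net>
To: <victim@example.org>
Subject: A file was shared with you

Please open the attached document.
"""

SAMPLE_LEGIT = b"""\
Return-Path: <no-reply@dropbox.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=dropbox.com; dkim=pass header.d=dropbox.com; dmarc=pass header.from=dropbox.com
From: "Dropbox" <no-reply@dropbox.com>
To: <victim@example.org>
Subject: A file was shared with you

Someone shared a file with you.
"""

if __name__ == "__main__":
    for reason in spoof_indicators(SAMPLE_SPOOF):
        print("suspicious:", reason)
    print("legit message:", spoof_indicators(SAMPLE_LEGIT) or "no indicators")
```

None of these checks looks at the body or the links, which is deliberate: the display-name, look-alike-domain and alignment checks are what a DMARC-enforcing receiver gets for free, and the Locky lure fails all of them at once.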

7. Proof of concept attacks targeting widespread vulnerabilities get scarier

Last month, researchers warned of a new attack vector, dubbed BlueBorne, that could let attackers spread malware through the air to any device with Bluetooth enabled. Its method of operation differed in two ways: zero human interaction, and no Internet connection needed. The result? More than 5.3 billion devices running Android, Windows, iOS or Linux were found vulnerable to BlueBorne.

These are proof-of-concept attacks, similar to the car hacking demonstrated a few years ago. We should expect such attacks to become a reality, showing how easily attackers can exploit vulnerabilities in software or hardware to compromise our devices.

Source: Google Play

8. Everyone’s data is (now) leaked

Data breaches have reached catastrophic proportions. The recent Equifax breach potentially affected 145.5 million US consumers, whose sensitive personal information may have been exposed. The attackers exploited a hole in the Apache Struts web application framework (CVE-2017-5638) that underpinned Equifax’s online dispute portal; the fix had been available since March, about two months before the intrusion began. Failing to install security updates can lead to massive business disruption and many other negative effects.

The haul gives criminals a huge amount of confidential information about potential victims that they will not shy away from using in the coming months.
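Two checks a defender would have wanted at the time, as an added example not taken from the article or from Apache: an inventory check of struts2-core jar versions against the ranges the Apache S2-045 advisory lists as affected, and a request-header check for the OGNL markers the exploit traffic carried. The jar paths, hostname and requests are constructed, and the suspicious Content-Type is only a marker shaped like an OGNL expression, not a working payload.

```python
"""Two checks for Apache Struts S2-045 (CVE-2017-5638), the bug behind the Equifax breach.

Added example, not from the Heimdal article or from Apache. The version
ranges are those in the Apache S2-045 advisory; the jar paths and the
HTTP requests are constructed, and the suspicious Content-Type is only a
marker in the shape of an OGNL expression, not a working payload.
"""
import re

# Affected per S2-045: 2.3.5 through 2.3.31 and 2.5 through 2.5.10 (2.5.10.1 fixed it).
AFFECTED = [((2, 3, 5), (2, 3, 31)), ((2, 5, 0), (2, 5, 10))]


def parse_version(text):
    """'2.3.31' -> (2, 3, 31); '2.5' -> (2, 5, 0); '2.5.10.1' -> (2, 5, 10, 1)."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple(parts + [0] * (3 - len(parts)))


def struts_core_vulnerable(jar_path):
    """True/False for a struts2-core-<version>.jar path, None for any other file."""
    m = re.search(r"struts2-core-(\d+(?:\.\d+)*)\.jar$", jar_path)
    if not m:
        return None
    v = parse_version(m.group(1))
    return any(lo <= v <= hi for lo, hi in AFFECTED)


# Headers the Jakarta multipart parser copied into an error message that was
# then evaluated as OGNL. Markers cover the expression syntax and the
# sandbox-escape identifier the public exploits carried.
OGNL_HEADERS = ("content-type", "content-disposition", "content-length")
OGNL_MARKERS = re.compile(r"%\{|\$\{|#_memberAccess|ognl", re.I)


def parse_headers(raw_request):
    """Request line is skipped; header names are lower-cased."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def s2_045_indicators(raw_request):
    """Names of the headers that carry OGNL-looking content."""
    headers = parse_headers(raw_request)
    return [h for h in OGNL_HEADERS if h in headers and OGNL_MARKERS.search(headers[h])]


# Constructed inventory and traffic.
JARS = ["WEB-INF/lib/struts2-core-2.3.31.jar", "WEB-INF/lib/struts2-core-2.5.10.1.jar",
        "WEB-INF/lib/commons-io-2.4.jar"]
SUSPICIOUS = ("POST /dispute/upload.action HTTP/1.1\r\n"
              "Host: portal.example.com\r\n"
              "Content-Type: %{(#probe='multipart/form-data')}\r\n"
              "Content-Length: 0\r\n\r\n")
NORMAL = ("POST /dispute/upload.action HTTP/1.1\r\n"
          "Host: portal.example.com\r\n"
          "Content-Type: multipart/form-data; boundary=----FormBoundary7MA4YWxk\r\n"
          "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for jar in JARS:
        print(jar, "->", struts_core_vulnerable(jar))
    print("suspicious request flags:", s2_045_indicators(SUSPICIOUS))
    print("normal request flags:", s2_045_indicators(NORMAL))
```

The inventory check is the one that actually closes the hole; the header check is a stopgap for a WAF or access-log sweep while the upgrade is scheduled, and it also tells you after the fact whether anyone knocked.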

9. Spambots on steroids

Email is still an easy target for criminals, and the recent (and so far biggest) data dump confirms it: more than 700 million email addresses, along with passwords for many of them, were found exposed on the open server of a spambot operation that sent mail en masse in the hope that recipients would click.

This massive spam operation showed us how vulnerable our inboxes are, and why attackers can easily plan a spam campaign to spread malicious code and infect as many users as possible.



10. Sophisticated supply-chain attacks with deeper geopolitical implications

Supply-chain attacks, which compromise something in the chain of suppliers an organization depends on, are not new. But the way the attackers planted a backdoor in two signed releases of CCleaner, the popular PC cleaning utility, was. Not only did they potentially affect millions of devices and their users, they also hit IT infrastructure and caused serious business disruption.

The story does not end there: the investigation is still under way, and the geopolitical implications of the attack appear to be widening.

At the recent Virus Bulletin 2017 conference, Jakub Kroustek and Jiri Bracek shared technical details of the attack and said it had more than three stages.

“This suggests it was very targeted and used only against a specific group of users,” Bracek said.

Protection guide against malware threats

Given how sophisticated modern cybercriminals are, organizations and home users alike should acknowledge the threat and understand the importance of software patching. We need to set priorities and proactively change our behavior in ways that improve our security online.

Knowing that the online landscape isn’t safe anymore, securing our valuable data should be on top of everyone’s list of priorities.

Here are some useful ways to maximize your protection against these attacks:

  • Keep all your software up to date and install the latest updates as soon as possible. A fully patched system protected with multiple layers of security is much less likely to be infected with malware.
  • Use unique, strong passwords with the help of a password manager. It is worth repeating: do not reuse one password across your email and social accounts, because once it is compromised every account that shares it is exposed.
  • Secure your data and keep at least two backups: one on an external hard drive and one in a cloud service. Also check that your backups are intact and can actually be restored.
  • When criminals launch a new attack they use a variety of tactics, and businesses with outdated infrastructure or software are the most exposed. It is essential for businesses to keep their infrastructure current and actively defend it by closing potential holes.
  • For stronger protection, use an antivirus program together with a proactive security solution.
  • Users need to drop the “it can’t happen to me” mindset and educate themselves about staying safe online. Basic security knowledge lets everyone tell the good from the bad and be safer online.

What can we learn from cyber criminals’ malicious actions so we can have the best defense against their criminal tactics? We have to keep on investigating what makes them tick and always have a proactive behavior and react to attacks in a timely manner.


via:  heimdalsecurity


Accenture left a huge trove of highly sensitive data on exposed servers

The four exposed servers had no password, but contained the “keys to the kingdom.”

Technology and cloud giant Accenture has confirmed it inadvertently left a massive store of private data across four unsecured cloud servers, exposing highly sensitive passwords and secret decryption keys that could have inflicted considerable damage on the company and its customers.

The servers, hosted on Amazon’s S3 storage service, contained hundreds of gigabytes of data for the company’s enterprise cloud offering, which the company claims provides support to the majority of the Fortune 100.

The data could be downloaded without a password by anyone who knew the servers’ web addresses.

Chris Vickery, director of cyber risk research at security firm UpGuard, found the data and privately told Accenture of the exposure in mid-September. The four servers were quietly secured the next day.

According to Vickery, the four servers contained data that amounted to the “keys to the kingdom,” he told ZDNet on a call last week.

Each server contained a range of different types of credentials, including private signing keys that could be used to impersonate the company, and passwords — some of which were stored in plaintext.

Vickery said he also found Accenture’s master keys for Amazon Web Services’ Key Management Service (KMS), which if stolen could allow an attacker full control over the company’s encrypted data stored on Amazon’s servers.

Kenneth White, a security expert, said the exposure of master keys is as “bad as it gets for a cloud service provider.”

“Whatever assets and infrastructure was being protected by this KMS master key must be assumed to be completely compromised,” said White.

One of the other servers contained a folder that stored keys and certificates that could be used to decrypt traffic between Accenture and its customers as it traveled across the internet. Vickery said he also found credentials that appear to relate to Accenture’s access to Google’s Cloud Platform and Microsoft’s Azure, which could give an attacker further access to the company’s cloud assets, as well as virtual private network keys, which could have allowed an attacker to access Accenture’s internal corporate network.

According to Vickery, the largest server contained over 137 gigabytes of data, which included large databases of credentials, some of which appeared to relate directly to Accenture customers. Vickery also found almost 40,000 passwords in one backup database — the vast majority were stored in plaintext.

When ZDNet first reached out to Accenture, the company downplayed the exposure, saying the data was less than half a percent of its cloud service, and that “none of our client’s information was involved and there was no risk to any of our clients,” citing the company’s “multi-layered security model.”

When we challenged that assertion based on the information Vickery had seen, a spokesperson later said that an investigation was ongoing.

“We closed the exposure when the Amazon Web Services S3 issue was first reported. As we continue our forensic review we may learn more but, the email and password information in the database is more than two and a half years old and for Accenture users of a decommissioned system,” the spokesperson said.

Accenture isn’t the first company to be stung by this kind of data exposure. In recent months, a spate of high-profile companies, including phone companies and voter records analytics firms, have exposed sensitive data because they allowed their Amazon cloud servers to sit open and unsecured.
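An audit of the two S3 settings that make a bucket world-readable, the bucket ACL and the bucket policy, as an added example (not code from the article, UpGuard or Accenture). It evaluates the JSON that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return, so the constructed samples below stand in for real API output; the bucket name is made up.

```python
"""Flag S3 buckets whose ACL or bucket policy lets anyone read them.

Added example, not code from the ZDNet article, UpGuard or Accenture.
It evaluates the JSON that `aws s3api get-bucket-acl` and
`aws s3api get-bucket-policy` return, so it runs offline on the
constructed samples below; feed it real output to audit an account.
The bucket name is made up.
"""
import json

# The two S3 predefined groups that make a grant public.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anyone, unauthenticated
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # anyone with any AWS account
}


def public_acl_grants(acl):
    """(grantee URI, permission) pairs that open the bucket to the world."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            hits.append((grantee["URI"], grant["Permission"]))
    return hits


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy):
    """Allow statements with a wildcard principal. A Condition block is
    reported rather than trusted, so a human decides whether it narrows access."""
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        hits.append({"Sid": stmt.get("Sid", ""),
                     "Action": [actions] if isinstance(actions, str) else actions,
                     "conditional": "Condition" in stmt})
    return hits


def audit_bucket(name, acl, policy=None):
    """Human-readable findings; an empty list means nothing world-readable was found."""
    findings = [f"{name}: ACL grants {perm} to {uri.rsplit('/', 1)[-1]}"
                for uri, perm in public_acl_grants(acl)]
    for s in public_policy_statements(policy or {}):
        note = " (has a Condition; review it)" if s["conditional"] else ""
        findings.append(f"{name}: policy '{s['Sid']}' allows {', '.join(s['Action'])} to everyone{note}")
    return findings


# Constructed samples: what the API returns for an exposed and a locked-down bucket.
EXPOSED_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
EXPOSED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-cloud-backups/*"}]
}""")
PRIVATE_ACL = {"Owner": {"ID": "owner-canonical-id"},
               "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                           "Permission": "FULL_CONTROL"}]}
PRIVATE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
                 "Action": "s3:*",
                 "Resource": ["arn:aws:s3:::example-cloud-backups", "arn:aws:s3:::example-cloud-backups/*"],
                 "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]
}""")

if __name__ == "__main__":
    for line in audit_bucket("example-cloud-backups", EXPOSED_ACL, EXPOSED_POLICY):
        print(line)
    print(audit_bucket("example-cloud-backups", PRIVATE_ACL, PRIVATE_POLICY) or "no public access found")
```

The Deny statement with `Principal: "*"` in the private sample is not a finding, which is the point of checking Effect before the principal: a wildcard principal is only a problem on an Allow. Run this over every bucket in the account, not just the ones someone remembers creating; the migration buckets Vickery describes are exactly the kind nobody remembers.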

Vickery said that Accenture was likely using the Amazon servers to migrate data from development to production. While some of the data he found included test accounts, he said many of the credentials “would have led me to plenty of client data if I had been willing to take advantage of it.”

There was no way to know for sure as doing so would fall foul of US computer hacking laws, he said.

“But if I have credentials for their production environments, it’s pretty safe to say anyone using Accenture’s Cloud Platform was at great risk,” Vickery told ZDNet.

UpGuard’s Dan O’Sullivan, who blogged about the data discovery, said hackers could have done an “untold amount of financial damage” to Accenture and any of its cloud-using customers.

When we asked if anyone else had accessed the servers, the spokesperson said its logs showed access “by only a single non-authorized IP address which we traced back to a data security consultant who contacted us about two weeks ago,” referring to Vickery.

We reached out to several companies whose credentials appeared in the data.

None of the companies would speak on the record prior to publication. But one company said when they contacted Accenture, the company told them it was “not aware” of any breach or exposure.

When asked, a spokesperson would not say if any Accenture customers had been informed of the data exposure.


via:  zdnet


Breached! 4th Major Business Entity Breached Within a Span of 30 Days

Forrester, one of the world’s leading market research companies, has confirmed a data breach of the infrastructure hosting its website.

Forrester helps clients decide whether to launch a new product or service, based on the existing and potential impact of technology.

After Equifax, Deloitte and Disqus, Forrester is the fourth business to report a breach in a span of 30 days.

The company said on Friday that the breach occurred last week and that it does not yet know who was behind it.

The attacker logged in with stolen but valid user credentials and used that access to download research reports that are made available to clients.

Steven Peltzman, Forrester’s Chief Business Technology Officer, said that: “There is no evidence that confidential client data, financial information, or confidential employee data was accessed or exposed as part of the incident.”

The company says no sensitive information was stolen, but the market research data of its clients would be very useful to a group engaged in economic espionage.

From the stolen data, attackers can work out which technologies its clients use and which products are about to launch. They could also sell the information on dark-web marketplaces.

“We recognize that hackers will attack attractive targets — in this case, our research IP. We also understand there is a tradeoff between making it easy for our clients to access our research and security measures. We feel that we have taken a common-sense approach to those two priorities; however, we will continuously look at that balance to respond to changing cybersecurity risk,” said George F. Colony, Chairman and Chief Executive Officer of Forrester.

Forrester said that the investigation is ongoing and that it has notified law enforcement.



via:  securereading


VPN logs helped unmask alleged ‘net stalker, say feds

PureVPN assisted investigation of suspect.

Virtual private network provider PureVPN helped the FBI track down an Internet stalker, by combing its logs to reveal his IP address.

The Department of Justice announced on Friday the arrest of Ryan Lin, a 24-year-old from Newtown, Massachusetts, on charges that he cyber-stalked a former room-mate.

According to the complaint [PDF] against Lin in the Massachusetts District Court, his alleged campaign against Jennifer Smith included doxxing (including posting passwords to her online accounts), posting intimate photos with the suggestion they were of Smith (though without her face), rifling her personal journal and emailing private information to her contacts, posting fake profiles of her to sites “dedicated to prostitution, sexual fetishes, and other sexual encounters”, bomb threats, tricking a friend of Smith’s into calling the police to her house, death and rape threats, and sending “images that likely constitute child pornography” to her family and friends.

The Feds allege Lin used various privacy services: logging in via Tor, to conceal his IP address; VPN services; anonymized international texting services; and offshore private email providers.

However, the complaint revealed, he made a fundamental error by using a work computer for some of his campaign, and even though he’d been terminated and the OS reinstalled on the machine, there were footprints left behind for investigators to associate Lin with the 16-month campaign against Smith.

Key details turned up by investigators included:

  • Lin’s most-visited Website was the TextNow anonymous texting service;
  • Lin had a Proton Mail account;
  • There were “artefacts” indicating he used PureVPN; and
  • Similar artefacts suggesting he’d accessed his Gmail account from the machine.

“Further, records from PureVPN show that the same email accounts – Lin’s Gmail account and the teleprtfx Gmail account – were accessed from the same WANSecurity IP address,” the document stated.

And that’s where the surprise came in – at least for those who believed a VPN is a complete protection: “Significantly, PureVPN was able to determine that their service was accessed by the same customer from two originating IP addresses,” claim the Feds (allegedly, those IP addresses were at Lin’s work and home addresses).
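The correlation the complaint describes, two mail accounts reached through one VPN egress address and one VPN customer seen from two originating addresses, is a join between two providers' logs. The following is an added example in Python and is not code from the complaint, PureVPN or The Register: the log formats, customer ids, account names and addresses are all constructed for the illustration (the IPs come from the documentation ranges), and it assumes the VPN log records a connect and disconnect event per session with the originating and assigned egress address.

```python
"""Correlate a VPN provider's session log with a mail provider's login log.

Added example; the formats and every value below are constructed for the
illustration and are not real PureVPN or Gmail records.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed VPN session log: one connect/disconnect pair per session.
VPN_LOG = """\
2017-06-01T18:02:11Z cust=C1041 origin=203.0.113.7 egress=198.51.100.23 event=connect
2017-06-01T18:47:30Z cust=C1041 origin=203.0.113.7 egress=198.51.100.23 event=disconnect
2017-06-02T09:15:02Z cust=C1041 origin=192.0.2.55 egress=198.51.100.23 event=connect
2017-06-02T09:40:00Z cust=C1041 origin=192.0.2.55 egress=198.51.100.23 event=disconnect
2017-06-02T09:20:00Z cust=C2077 origin=198.51.100.200 egress=198.51.100.24 event=connect
2017-06-02T10:00:00Z cust=C2077 origin=198.51.100.200 egress=198.51.100.24 event=disconnect
"""

# Constructed mail provider login log; the source IP is what the mail
# provider saw, i.e. the VPN egress address.
MAIL_LOG = """\
2017-06-01T18:10:45Z account=primary@example.com ip=198.51.100.23 result=success
2017-06-02T09:22:13Z account=alias@example.com ip=198.51.100.23 result=success
2017-06-02T09:30:00Z account=unrelated@example.com ip=198.51.100.24 result=success
2017-06-03T12:00:00Z account=primary@example.com ip=198.51.100.23 result=success
"""


def parse_kv(line: str):
    """Parse '<iso-timestamp> k=v k=v ...' into (aware datetime, dict)."""
    ts, *fields = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, dict(f.split("=", 1) for f in fields)


@dataclass(frozen=True)
class Session:
    customer: str
    origin_ip: str
    egress_ip: str
    start: datetime
    end: datetime


def build_sessions(vpn_log: str) -> list:
    """Pair connect/disconnect events into Session records.

    Sessions still open at the end of the log are closed at datetime.max so
    that logins after the last recorded event are not silently dropped.
    """
    events = sorted((parse_kv(l) for l in vpn_log.splitlines() if l.strip()),
                    key=lambda e: e[0])
    open_sessions, sessions = {}, []
    for when, f in events:
        key = (f["cust"], f["origin"], f["egress"])
        if f["event"] == "connect":
            open_sessions[key] = when
        elif f["event"] == "disconnect" and key in open_sessions:
            sessions.append(Session(*key, open_sessions.pop(key), when))
    never_closed = datetime.max.replace(tzinfo=timezone.utc)
    sessions.extend(Session(*k, start, never_closed) for k, start in open_sessions.items())
    return sessions


def attribute_logins(mail_log: str, sessions: list) -> list:
    """Match each login to the VPN session that held its source IP at that time.

    Returns [(account, source_ip, when, Session or None)]. A VPN egress IP is
    reused by many customers over time, so the time window is what makes the
    attribution specific; matching on IP alone would pin every login from that
    address on whichever customer was looked up.
    """
    out = []
    for raw in mail_log.splitlines():
        if not raw.strip():
            continue
        when, f = parse_kv(raw)
        hit = next((s for s in sessions
                    if s.egress_ip == f["ip"] and s.start <= when <= s.end), None)
        out.append((f["account"], f["ip"], when, hit))
    return out


def pivot(matches: list, sessions: list) -> dict:
    """Group mail accounts and originating IPs by VPN customer."""
    report = defaultdict(lambda: {"accounts": set(), "origin_ips": set()})
    for account, _ip, _when, hit in matches:
        if hit is not None:
            report[hit.customer]["accounts"].add(account)
    for s in sessions:
        if s.customer in report:
            report[s.customer]["origin_ips"].add(s.origin_ip)
    return dict(report)


def unattributed(matches: list) -> list:
    """Logins for which no VPN session was active: do not guess at these."""
    return [(a, ip, when) for a, ip, when, hit in matches if hit is None]


if __name__ == "__main__":
    sessions = build_sessions(VPN_LOG)
    matches = attribute_logins(MAIL_LOG, sessions)
    for cust, info in pivot(matches, sessions).items():
        print(cust, sorted(info["accounts"]), sorted(info["origin_ips"]))
    print("no VPN session found for:", unattributed(matches))
```

In the constructed data, customer C1041 is the only one tied to both mail accounts and is seen from two originating addresses, which is the shape of the finding in the complaint; the last login has no session covering it and is reported separately rather than attributed by IP alone. On a real provider's shared egress pool the join would also need the source port or a per-customer NAT log, since several customers can sit behind one egress address at the same moment.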

The investigators claim that tweets from Lin showed he was aware there was some risk of logging from VPN providers. As recently as June, he posted a tweet critical of provider IPVanish about its logging claims:

“There is no such thing as a VPN that doesn’t keep logs. If they can limit your connections or track bandwidth usage, they keep logs.”

If found guilty, Lin faces up to five years in prison and up to three years of supervised release.

PureVPN’s privacy policy states: “We will only share information with authorities having valid subpoenas, warrants [and] other legal documents…provided we have the record of any such activity.”


via:  theregister


Sneaky phishing attack hijacks your chats to spread malware

Organizations around the world have fallen victim to a highly-targeted phishing campaign which intercepts ongoing email threads to customize messages and spread malware.

Hackers are intercepting legitimate email conversations between individuals and hijacking them to spread malware to corporate networks by using highly-customized phishing messages designed to look as if the victim is still communicating with the person they were originally messaging.

The target still believes they’re in contact with the person they were originally messaging, but in fact they have fallen victim to a highly targeted cyber attack and may have infected their network via a malicious attachment.

Attacks using this technique have already infiltrated several networks, including those of a Middle Eastern bank, European intellectual property services firms, an international sporting organization and “individuals with indirect ties to a country in North East Asia”.

Dubbed FreeMilk – after words found in the malware’s code – by the Palo Alto Networks Unit 42 researchers who uncovered the campaign, these attacks have been active since at least May 2017.

The attack leverages CVE-2017-0199, a remote code execution vulnerability in the way Microsoft Office and WordPad parse specially crafted files. Microsoft patched it in April 2017, a month before the campaign’s earliest known activity, so the attacks succeed only against targets that have not applied the fix.

The attackers first gain control of a legitimate email account, likely through credential theft, and then step into in-progress conversations with specific targets, sending carefully crafted content that leads the target to open the malicious attachment from what appears to be a trusted source.

Upon successful execution of a FreeMilk phishing attack, two payloads will be installed on the target system – named PoohMilk and Freenki by researchers.

PoohMilk’s primary objective is to run the Freenki downloader. The purposes of Freenki malware are two-fold – the first is to collect information from the host and the second is to act as a second-stage downloader.

Information collected by the malware includes the username, computer name, Ethernet MAC addresses and running processes. Freenki can also take screenshots of the infected system, and everything is sent to a command and control server for the attackers to store and use.

Freenki is also capable of downloading further malware to the infected machine, although researchers have so far been unable to identify any additional payloads being dropped.

While the threat actors behind FreeMilk have yet to be formally identified, Unit 42 notes that the PoohMilk loader has been used in earlier attacks. In January 2016 it was distributed in a phishing campaign whose emails were disguised as a security patch.

Attackers also attempted to distribute Freenki in an August 2016 watering-hole attack on an anti-North Korean government website run by defectors in the United Kingdom.

While researchers describe the FreeMilk spear phishing campaign as limited in the number of attacks carried out, they note that it has a wide range of targets in different regions across the globe.

But by hijacking legitimate conversations and tailoring the content, the attackers have a high chance of infecting the individual they are targeting within the organization.


via:  zdnet


Google’s New Earbuds Instantly Translate 40 Languages

Your holiday wish list just got one item longer.

Google held its annual hardware event Wednesday, at which it unveiled its newest Pixel and Google Home, among other products. But, it was an item revealed late in the presentation that might have been the most mind-blowing.

Google’s Pixel Buds are essentially the company’s answer to Apple’s AirPods. They’re earbuds that connect to a smartphone–in this case, the Pixel–via Bluetooth. At $159, they’re priced exactly the same as AirPods.

But, because they pair with the Pixel smartphone, and thus Google’s software, the headphones can do something Apple’s headphones can’t do: Translate spoken language in real time.

The operation is performed using Google Translate, which is built into the Google Pixel. The wearer taps the right earbud and says something like, “Help me speak Spanish,” and Google gets to work. A person standing nearby can speak out loud in Spanish, and the earbuds will give the wearer the English translation in her ear. She can then hold down her right earbud and speak in English, and her phone will project the Spanish translation from the Pixel’s speaker. The live translation begins only a second or two after the person stops speaking.

Google demoed the technology in action on Wednesday, and the earbuds quickly translated a conversation between English and Swedish–to much applause from the audience. The platform operates in 40 different languages. That’s essentially like having a translator that can speak in 1,600 different language combinations right in your ear.

The Pixel Buds can be used with the iPhone too, but only Pixel owners will be able to use tools like Translate and the Google Assistant.

The earbuds don’t have any buttons–you can adjust the volume by swiping or change music tracks by swiping. They connect to your phone wirelessly, but the two earbuds are tethered together by a cloth-like cord.

The Pixel Buds come with a case that is also used to charge them. According to a blog post on Google’s site, they can play music for about 24 hours without needing a charge. They will be available in November, conveniently just in time for holiday shopping.



via: inc


Google Chrome is to Block autoplay Video from January 2018

Chrome 64

Google has announced a roadmap for blocking autoplaying web video in Chrome, a welcome move against one of the most irritating and bandwidth-consuming habits of the web.

Starting with Chrome 63, a new per-site option lets users block audio for a website entirely; the setting persists across browsing sessions, giving users control over when and where sound plays.

Starting with Chrome 64, autoplay will be allowed when either the media won’t play sound, or the user has indicated an interest in the media. This will allow autoplay to occur when users want media to play, and respect users’ wishes when they don’t.

Safari 11 already offers similar per-site controls, letting users mute sound or block autoplaying media entirely.

Under Chrome’s new policy, media will be allowed to autoplay only when one of the following holds:
  • The content is muted or does not include any audio (video only)
  • The user tapped or clicked somewhere on the site during the browsing session
  • On mobile, if the site has been added to the Home Screen by the user
  • On desktop, if the user has frequently played media on the site, according to the Media Engagement Index


Rollout timeline:
  • September 2017: new autoplay policies announced; site muting available in M63 Beta; Media Engagement Index (MEI) data collection begins in M62 Canary and Dev
  • October 2017: site muting available in M63 Stable; autoplay policies available in M63+ Canary and Dev
  • December 2017: autoplay policies available in M64 Beta
  • January 2018: autoplay policies available in M64 Stable

These options give users more control over media playback and also make it easier for publishers to implement autoplay where it benefits the user.


via:  gbhackers
