GPGLABS : Cyber Security, Internet Security, Tips
https://blog.gopuonline.com
GPGLABS : Information Security, Hacking News, Cyber Security, Network Security with in-depth technical coverage of issues and events
Last updated: Wed, 31 Oct 2018 06:36:57 +0000

test
https://blog.gopuonline.com/index.php/2018/10/31/test/
Wed, 31 Oct 2018 06:36:57 +0000

hello

Facebook Hacked — 10 Important Updates You Need To Know About
https://blog.gopuonline.com/index.php/2018/09/30/facebook-hacked-10-important-updates-you-need-to-know-about/
Sun, 30 Sep 2018 14:17:29 +0000

If you also found yourself logged out of Facebook on Friday, you are not alone.
Facebook forced more than 90 million users to log out and back into their accounts in response to a massive data breach.
On Friday afternoon, the social media giant disclosed that some unknown hackers managed to exploit three vulnerabilities in its website and steal data from 50 million users and that as a precaution, the company reset access tokens for nearly 90 million Facebook users.
We covered a story yesterday, “Facebook Hack: 10 Important Updates You Need To Know About”, based upon the information available at that time.

However, in a conference call [Transcript 1, Transcript 2] with reporters, Facebook vice president of product Guy Rosen shared a few more details of the terrible breach, which is believed to be the most significant security blunder in Facebook’s history.

Below, we have summarized the new developments in the Facebook data breach incident that you need to know about:

1.) Facebook Detected Breach After Noticing Unusual Traffic Spike — Earlier this week, Facebook’s security team noticed an unusual traffic spike on its servers which, when investigated, revealed a massive cyber attack that had been ongoing since 16 September, aimed at stealing the data of millions of Facebook users.

2.) Hackers Exploited Total 3 Facebook Vulnerabilities — The hack was accomplished by using three distinct Facebook bugs in combination.

The first bug incorrectly offered users a video uploading option within certain posts that let people wish their friends ‘Happy Birthday,’ when those posts were accessed through the “View As” page.

The second bug was in the video uploader, which incorrectly generated an access token that had permission to log into the Facebook mobile app, something that is otherwise not allowed.

The third bug was that the generated access token was not for you, the viewer, but for the user you were looking up, giving attackers the opportunity to steal the keys to the account of the person they were simulating.

3.) Hackers Stole Secret Access Tokens for 50 Million Accounts — The attackers walked away with secret access tokens for as many as 50 million Facebook users, which could then be used to take over accounts.

Access Tokens “are the equivalent of digital keys that keep people logged in to Facebook, so they don’t need to re-enter their password every time they use the app.”

4.) Your Facebook Account Password Has Not Been Compromised, But, Wait! — The good news is that the attack did not reveal your Facebook account password, but here’s the bad news: a password isn’t even required.

An application or an attacker can use millions of secret access tokens to programmatically fetch information from each account using an API, without actually having your password or two-factor authentication code.

5.) Hackers Downloaded Users’ Private Information Using Facebook API — Although it is not clear how many accounts and what personal information was accessed by hackers before Facebook detected the incident, the year-old vulnerabilities had left all your personal information, private messages, photos and videos wide open for hackers.

“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed,” the company said.

6.) Your “Logged in as Facebook” Accounts at 3rd-Party Apps/Websites Are At Risk — Since secret tokens enabled attackers to access accounts as the account holder themselves, it could have allowed them to access other third-party apps that were using Facebook login — a feature that lets you sign up for, and log in to, other online services using your Facebook credentials.

7.) Facebook Reset Access Tokens for 90 Million Accounts — In response to the massive breach, Facebook reset access tokens for nearly 50 million affected Facebook accounts and an additional 40 million accounts, as a precaution. This means that nearly 90 Million Facebook users were logged out of their accounts on Friday.

8.) Check Active Sessions on Facebook to Find Out If Your Account Has Been Hacked — Many Facebook users have noticed unknown IP addresses from foreign locations that apparently accessed their accounts without authorization.

You can head to “Account Settings → Security and Login → Where You’re Logged In” to review the list of devices, and their locations, that have accessed your Facebook account.

If you find a suspicious session that you never logged in from, you can revoke its access in just one click.

9.) Breach Isn’t Connected to the Hacker Who Pledged to Delete Zuckerberg’s Personal Page — Earlier this week, a Taiwanese hacker, Chang Chi-Yuang, claimed that he would demonstrate a critical zero-day vulnerability in Facebook by broadcasting himself hacking Mark Zuckerberg’s Facebook page on Sunday.

However, it is not clear whether the latest Facebook breach has anything to do with Chang’s hack; at least, Facebook does not believe so.

Chang Chi-Yuang now says he has canceled the stream and reported the bug to Facebook.

10.) Facebook Faces Class-Action Lawsuit Over The Massive Hack — Just after the news of the breach went public, two residents, Carla Echavarria from California and another from Virginia, filed a class-action complaint against the social media giant in US District Court for the Northern District of California.

Both allege that Facebook failed to protect their data, and that of additional potential class members, from falling into the wrong hands due to its lack of proper security practices.

The social media giant has already been facing criticism over its handling of user data and its privacy policies in the wake of the Cambridge Analytica scandal, in which the personal data of 87 million Facebook users was sold to and misused by a data-mining firm without their consent.

Facebook has already reset account logins for tens of millions of users and is also advising affected users who had Instagram or Oculus accounts linked to their Facebook account to de-link and then re-link those accounts so that the access tokens are changed.

The vulnerabilities exploited by the hackers have been fixed, and Facebook is working with the FBI to investigate the security incident, which has impacted approximately 2.5% of its more than 2 billion users.

Since the investigation is still in the early stages, Facebook has yet to determine whether the attackers misused the stolen access tokens for 50 million accounts or if any information was accessed.
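To make the token confusion in point 2 concrete, here is a small Python model added for this write-up; it is not Facebook’s code, and every name in it (the TokenStore class, the view_as_vulnerable and view_as_fixed functions, the alice and bob accounts and their profile data) is constructed for illustration. It shows why a token minted for the wrong principal is as good as the victim’s password at the API (point 4) and why resetting tokens is the remediation (point 7).

```python
import secrets


class TokenStore:
    """Constructed in-memory store: token -> account it grants access to."""

    def __init__(self):
        self._tokens = {}
        # Constructed profile data standing in for what the API would return.
        self._profiles = {
            "alice": {"name": "Alice", "messages": ["hi bob"]},
            "bob": {"name": "Bob", "messages": ["hi alice"]},
        }

    def issue(self, account):
        """Mint a bearer token for `account`; whoever holds it is that account."""
        tok = secrets.token_urlsafe(16)
        self._tokens[tok] = account
        return tok

    def account_for(self, tok):
        return self._tokens.get(tok)

    def revoke_all(self, accounts):
        """Bulk reset (the forced logout described above): every token held
        by any of `accounts` stops working. Returns how many were revoked."""
        doomed = [t for t, a in self._tokens.items() if a in accounts]
        for t in doomed:
            del self._tokens[t]
        return len(doomed)

    def api_fetch(self, tok):
        """What a token buys at the API: profile data, no password, no 2FA."""
        account = self.account_for(tok)
        if account is None:
            raise PermissionError("token revoked or unknown")
        return self._profiles[account]


def view_as_vulnerable(store, viewer, subject):
    """Models the third bug: the preview minted a token for the profile being
    looked up (`subject`), not for the person doing the looking (`viewer`)."""
    return store.issue(subject)


def view_as_fixed(store, viewer, subject):
    """Fix: a token is only ever minted for the authenticated principal. The
    subject of a "View As" preview is data to render, never an identity."""
    return store.issue(viewer)


if __name__ == "__main__":
    store = TokenStore()
    stolen = view_as_vulnerable(store, "alice", "bob")
    print("vulnerable preview token belongs to:", store.account_for(stolen))
    print("bulk reset revoked", store.revoke_all({"bob"}), "token(s)")
```

The point of `revoke_all` is that a bearer token carries no proof of who presented it, so once tokens may have leaked the only safe move is to invalidate them server-side, which is what a forced logout does.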

Powerful Android and iOS Spyware Found Deployed in 45 Countries
https://blog.gopuonline.com/index.php/2018/09/22/powerful-android-and-ios-spyware-found-deployed-in-45-countries/
Sat, 22 Sep 2018 06:53:00 +0000

One of the world’s most dangerous Android and iPhone spyware programs has been found deployed against targets across 45 countries around the world over the last two years, a new report from Citizen Lab revealed.

The infamous spyware, dubbed Pegasus, is developed by NSO Group—an Israeli company which is mostly known for selling high-tech surveillance tools capable of remotely cracking into iPhones and Android devices to intelligence agencies around the world.

Pegasus is NSO Group’s most powerful creation that has been designed to hack iPhone, Android, and other mobile devices remotely, allowing an attacker to access an incredible amount of data on a target victim, including text messages, calendar entries, emails, WhatsApp messages, user’s location, microphone, and camera—all without the victim’s knowledge.

Pegasus has previously been used to target human rights activists and journalists, from Mexico to the United Arab Emirates.

Now, a new report released Tuesday from the University of Toronto’s Citizen Lab revealed that the Pegasus infections have victimized more countries than previously believed.

36 Pegasus Spyware Operations Found Deployed in 45 Countries

Citizen Lab last month said that it had so far counted as many as 174 publicly-reported cases of individuals worldwide “abusively targeted” with NSO spyware, but now found traces of Pegasus infections across as many as 45 countries.

According to the report, 36 Pegasus operators have been using the spyware to conduct surveillance operations in 45 countries worldwide, and at least 10 of these operators appear to be actively engaged in cross-border surveillance.

Read More: Ex-NSO Employee Caught Selling Pegasus Hacking Tool For $50 Million

The report further said that while some NSO customers may be lawfully using Pegasus, at least 6 of those countries with significant Pegasus operations were “known spyware abusers,” which means they have previously been linked to the abusive use of spyware to target civil society.

Just last month, The Hacker News reported that this nasty spyware was used against one of the staffers of Amnesty International—one of the most prominent non-profit human rights organizations in the world—earlier this year, alongside another human rights defender.

These “known spyware abusers” include Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates.

The list of countries targeted by Pegasus includes Algeria, Bahrain, Bangladesh, Brazil, Canada, Cote d’Ivoire, Egypt, France, Greece, India, Iraq, Israel, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, the Netherlands, Oman, Pakistan, Palestine, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey, the UAE, Uganda, the United Kingdom, the United States, Uzbekistan, Yemen, and Zambia.

Since Citizen Lab tracked down Pegasus infections by creating fingerprints for Pegasus infrastructure and using them to identify the IP addresses associated with the spyware system, it admitted that there could be some inaccuracies in its report, due to the possible use of VPN and satellite connections by some of its targets.

Citizen Lab is keeping those fingerprints secret for now, but found that, once fingerprinted, the Pegasus infrastructure could be detected by scanning the internet.

Spyware Creator “NSO Group” Response:

In response to the Citizen Lab report, an NSO Group spokesperson released a statement saying that the company worked in full compliance with all countries without breaking any laws, including export control regulations.

“Contrary to statements made by you, our product is licensed to government and law enforcement agencies for the sole purpose of investigating and preventing crime and terror. Our business is conducted in strict compliance with applicable export control laws,” NSO Group spokesperson Shalev Hulio told Citizen Lab.

“NSO’s Business Ethics Committee, which includes outside experts from various disciplines, including law and foreign relations, reviews and approves each transaction and is authorized to reject agreements or cancel existing agreements where there is a case of improper use.”

The NSO Group further said that there were some problems with the Citizen Lab research and that the company did not sell in many of the 45 countries listed in the report.

Twitter API Flaw Exposed Users Messages to Wrong Developers For Over a Year
https://blog.gopuonline.com/index.php/2018/09/22/twitter-api-flaw-exposed-users-messages-to-wrong-developers-for-over-a-year/
Sat, 22 Sep 2018 11:09:24 +0000

The security and privacy issues around APIs and third-party app developers are something that not just Facebook is dealing with.

A bug in Twitter’s API inadvertently exposed some users’ direct messages (DMs) and protected tweets to unauthorized third-party app developers who weren’t supposed to get them, Twitter disclosed in its Developer Blog on Friday.

What Happened?

Twitter found a bug in its Account Activity API (AAAPI), which is used by registered developers to build tools that support business communications with their customers, and the bug could have exposed those customers’ interactions.

The Twitter AAAPI bug was present for more than a year—from May 2017 until September 10—when the microblogging platform discovered the issue and patched it “within hours of discovering it.”

In other words, the bug was active on the platform for almost 16 months.

What Can Affected Users Do?

Nothing. Yes, you really can’t do anything about data that has already gone into the wrong hands.

Just as in the Cambridge Analytica scandal, in which Facebook asked the developer to delete the data, citing its privacy policy (and we all know what happened), Twitter can only require the third-party developers to comply with their obligation to delete your information; it cannot confirm that they have.

Reliance Jio Customers’ Data Allegedly Hacked – Company Denies Breach
https://blog.gopuonline.com/index.php/2017/07/10/reliance-jio-customers-data-allegedly-hacked-company-denies-breach/
Mon, 10 Jul 2017 13:10:07 +0000

Personal details of some 120 Million customers have been allegedly exposed on the Internet in probably the biggest breach of personal data ever in India.

Last night, an independent website named Magicapk.com went online, offering Reliance Jio customers a way to look up their identification data (Know Your Customer, or KYC) just by typing in their Jio number.

Reliance set up the Jio 4G network across the length and breadth of India in September last year and gained more than 50 million subscribers within a span of just 83 days. The company gave its subscribers seven months of free internet, unlimited calls and unlimited music.

Although the website that claimed to have hacked into the Jio database is no longer accessible, many users confirmed that their personal data showed up on the website, displaying their names, email addresses and, most alarmingly, in some cases, Aadhaar numbers.

Aadhaar is a 12-digit unique identification number issued by the Indian government to every resident of India. This number is also used for enrolling for a SIM.

In response to the breach, Reliance Jio released a statement, saying that the claims are unverified and that the leaked data appears to be “unauthentic.”

“We have come across the unverified and unsubstantiated claims of the website and are investigating it. Prima facie, the data appears to be unauthentic,” a spokesperson said.

“We want to assure our subscribers that their data is safe and maintained with highest security. Data is only shared with authorities as per their requirement.”

The Jio spokesperson said the company has “informed law enforcement agencies about the claims of the website and will follow through to ensure strict action is taken.”

Therefore, the data on the website seems to be authentic, but luckily some customers are spared, probably those who were issued a Jio SIM after the breach.

For obvious reasons, we are not naming the customers we tested on the website and found their identity leaked just by typing their mobile number. The leaked information includes:

  • First Name
  • Middle Name
  • Last Name
  • Mobile Number
  • Email-Id
  • Circle-Id
  • SIM Activation Date and Time
  • Aadhaar Number, in some cases

Mobile numbers for other telecom operators in India, such as Vodafone and Airtel, did not work on the website.

Hackers’ Identity Is Unknown Yet

The website was hosted by the web hosting company GoDaddy.com and was registered in May 2017, but so far it is not clear who owned the domain.

Also, it is not clear at this moment how the hackers got access to the sensitive data of Jio customers, or whether it was Jio itself that was hacked or some third-party marketing company with which Jio had shared its customers’ data.

There is very little that victims (especially those whose Aadhaar number has been exposed) can do to protect themselves from future attacks; hackers holding an Aadhaar number can impersonate its owner to carry out a range of frauds.

All Jio customers are strongly advised to be wary of unsolicited calls asking for further details or account passwords. No company asks for these details over phone calls or emails.

Victims should also be particularly alert to phishing emails, which are usually the next step for cyber criminals after a large-scale hack at any telecoms company. Phishing tricks users into giving up further personal details, like passwords.

WordPress Plugin Used by 300,000+ Sites Found Vulnerable to SQL Injection Attack
https://blog.gopuonline.com/index.php/2017/07/06/wordpress-plugin-used-300000-sites-vulnerable-sql-injection-attack/
Thu, 06 Jul 2017 07:03:43 +0000

A SQL Injection vulnerability has been discovered in one of the most popular WordPress plugins, installed on over 300,000 websites, which could be exploited by hackers to steal databases and possibly hijack the affected sites remotely.

The flaw has been discovered in the highly popular WP Statistics plugin, which allows site administrators to get detailed information about the number of users online on their sites, the number of visits and visitors, and page statistics.

Discovered by the Sucuri team, the SQL injection flaw allows a remote attacker with at least a subscriber account to steal sensitive information from the website’s database and possibly gain unauthorized access to the website.

SQL injection is a web application bug that allows hackers to inject Structured Query Language (SQL) code through web inputs, typically in order to map the structure and location of key database tables, which eventually allows the database itself to be stolen.

The SQL injection vulnerability in WP Statistics plugin resides in multiple functions, including wp_statistics_searchengine_query().

“This vulnerability is caused by the lack of sanitization in user-provided data,” researchers said. “Some attributes of the shortcode wpstatistics are being passed as parameters for important functions and this should not be a problem if those parameters were sanitized.”

“One of the vulnerable functions wp_statistics_searchengine_query() in the file ‘includes/functions/functions.php’ is accessible through WordPress’ AJAX functionality thanks to the core function wp_ajax_parse_media_shortcode().”

This function does not check for additional privileges, which allows website subscribers to execute this shortcode and inject malicious code to its attributes.

The researchers at Sucuri privately disclosed the flaw to the WP Statistics team, which has patched the vulnerability in the latest release, WP Statistics version 12.0.8.

So, if you have a vulnerable version of the plugin installed and your website allows user registration, you are definitely at risk, and you should install the latest version as soon as possible.
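The pattern Sucuri describes, an unsanitized shortcode attribute reaching a query with no capability check in front of it, can be demonstrated in a few lines. The following Python example is added here and is not code from WP Statistics or from Sucuri’s advisory; it uses a constructed shortcode parser, an in-memory SQLite table as a stand-in for the plugin’s statistics tables, and the string `manage_options` as a stand-in for a WordPress capability check. The vulnerable and hardened query functions sit side by side so the difference is visible.

```python
import re
import sqlite3

# Constructed shortcode grammar for this example: [name attr="value" ...]
SHORTCODE_RE = re.compile(r'^\[(\w+)((?:\s+\w+="[^"]*")*)\s*\]$')
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_shortcode(text):
    """Split a shortcode into (name, {attr: value}). Attribute values come
    from whoever can submit the shortcode, so they are untrusted input."""
    m = SHORTCODE_RE.match(text.strip())
    if not m:
        raise ValueError("not a shortcode: %r" % text)
    return m.group(1), dict(ATTR_RE.findall(m.group(2)))


def make_db():
    """In-memory stand-in for the plugin's statistics tables (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE search_hits (engine TEXT, hits INTEGER);
        INSERT INTO search_hits VALUES ('google', 120), ('bing', 7);
    """)
    return conn


def searchengine_total_vulnerable(conn, attrs):
    """Attribute value interpolated straight into SQL. An injected quote
    rewrites the WHERE clause, so the 'engine' attribute controls the query."""
    engine = attrs.get("engine", "google")
    sql = "SELECT COALESCE(SUM(hits), 0) FROM search_hits WHERE engine = '%s'" % engine
    return conn.execute(sql).fetchone()[0]


def searchengine_total_hardened(conn, attrs):
    """Same query with a bound parameter: the value can never become SQL syntax."""
    engine = attrs.get("engine", "google")
    sql = "SELECT COALESCE(SUM(hits), 0) FROM search_hits WHERE engine = ?"
    return conn.execute(sql, (engine,)).fetchone()[0]


def render_shortcode(conn, text, user_caps, hardened=True):
    """Entry point a shortcode-parsing AJAX handler would reach. The hardened
    path requires a capability (stand-in name 'manage_options') before any
    query runs, so a plain subscriber cannot reach the query at all; the
    vulnerable path checks nothing, as described for the plugin above."""
    name, attrs = parse_shortcode(text)
    if name != "wpstatistics":
        raise ValueError("unknown shortcode %s" % name)
    if hardened:
        if "manage_options" not in user_caps:
            raise PermissionError("insufficient privileges for this shortcode")
        return searchengine_total_hardened(conn, attrs)
    return searchengine_total_vulnerable(conn, attrs)


if __name__ == "__main__":
    db = make_db()
    injected = "[wpstatistics engine=\"x' OR '1'='1\"]"
    print("vulnerable:", render_shortcode(db, injected, set(), hardened=False))
    print("hardened:  ", render_shortcode(db, injected, {"manage_options"}))
```

With the tautology in the attribute, the vulnerable path returns the total across every engine (127) because the quote closed the string literal; the hardened path treats the whole value as one engine name, finds nothing, and returns 0. The two fixes are independent and you want both: the bound parameter removes the injection, the capability check removes the low-privilege reachability that made it exploitable by any subscriber.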

WannaCry Kill-Switch(ed)? It’s Not Over! WannaCry 2.0 Ransomware Arrives
https://blog.gopuonline.com/index.php/2017/05/15/wannacry-kill-switched-its-over-wannacry-2-0-ransomware-arrives/
Mon, 15 May 2017 07:16:06 +0000

If you are following the news, by now you might be aware that a security researcher has activated a “Kill Switch” which apparently stopped the WannaCry ransomware from spreading further.

But that’s not true, and the threat is not over yet.

The kill switch has only slowed down the infection rate.

Updated: Multiple security researchers have claimed that there are more samples of WannaCry out there, with different ‘kill-switch’ domains and without any kill-switch function, continuing to infect unpatched computers worldwide (find more details below).

So far, over 237,000 computers across 99 countries around the world have been infected, and the infection count is still rising even hours after the kill switch was triggered by the 22-year-old British security researcher behind the Twitter handle ‘MalwareTech.’

For those unaware, WannaCry is an insanely fast-spreading ransomware that leverages a Windows SMB exploit to remotely target computers running unpatched or unsupported versions of Windows.

Once it has infected a machine, WannaCry also scans for other vulnerable computers connected to the same network, as well as random hosts on the wider Internet, to spread quickly.

The SMB exploit, currently being used by WannaCry, has been identified as EternalBlue, a collection of hacking tools allegedly created by the NSA and then subsequently dumped by a hacking group calling itself “The Shadow Brokers” over a month ago.

“If NSA had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened,” NSA whistleblower Edward Snowden says.

The kill-switch domain mentioned above governs whether WannaCry propagates and spreads like a worm: as I previously explained, if the connection to this domain fails, the SMB worm proceeds to infect the system.

Fortunately, MalwareTech registered the domain in question and created a sinkhole, a tactic researchers use to redirect traffic from infected machines to a system under their own control (read his latest blog post for more details).

Updated: Matthieu Suiche, a security researcher, has confirmed that he has found a new WannaCry variant with a different domain for its kill-switch function, which he registered and redirected to a sinkhole in an effort to slow down the infections.

hxxp://ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com/

The newly discovered WannaCry variant works exactly like the previous variant that wreaked havoc across the world Friday night.

But, if you are thinking that activating the kill switch has completely stopped the infection, then you are mistaken.

The kill-switch feature was in the SMB worm, not in the ransomware module itself. “WannaCrypt ransomware was spread normally long before this and will be long after, what we stopped was the SMB worm variant,” MalwareTech told The Hacker News.

You should know that the kill-switch would not prevent your unpatched PC from getting infected in the following scenarios:

  • If you receive WannaCry via an email, a malicious torrent, or other vectors (instead of via the SMB protocol).
  • If by chance your ISP or antivirus or firewall blocks access to the sinkhole domain.
  • If the targeted system requires a proxy to access the Internet, which is a common practice in the majority of corporate networks.
  • If someone makes the sinkhole domain inaccessible for all, such as by using a large-scale DDoS attack.

MalwareTech also confirmed that some “Mirai botnet skids tried to DDoS the [sinkhole] server for lulz,” in order to make it unavailable for WannaCry SMB exploit, which triggers infection if the connection fails. But “it failed hardcore,” at least for now.

Initially, this part of the story was based on the research of a security researcher who earlier claimed to have samples of a new WannaCry ransomware that comes with no kill-switch function. But for some reason he backed off, so we have removed his references from this story for now.

However, shortly after that, Costin Raiu, the director of the global research and analysis team at Kaspersky Lab, confirmed to us that his team had seen more WannaCry samples on Friday that did not have the kill switch.

“I can confirm we’ve had versions without the kill switch domain connect since yesterday,”

Updated: WannaCry 2.0 is Someone Else’s Work

Raiu from Kaspersky shared some samples his team discovered with Suiche, who analysed them and confirmed that there is a WannaCrypt variant without a kill switch, equipped with the SMB exploit that would help it spread rapidly without disruption.

What’s even worse is that the new WannaCry variant without a kill switch is believed to have been created by someone else, and not by the hackers behind the initial WannaCry ransomware.

“The patched version matt described does attempt to spread. It’s a full set which was modified by someone with a hex editor to disable the kill switch,” Raiu told me.

Updated: Suiche has also confirmed that the modified variant with no kill switch is corrupted, but that doesn’t mean other hackers and criminals won’t come up with a working one.

“Given the high profile of the original attack, it’s going to be no surprise at all to see copycat attacks from others, and perhaps other attempts to infect even more computers from the original WannaCry gang. The message is simple: Patch your computers, harden your defences, run a decent anti-virus, and – for goodness sake – ensure that you have secure backups.” Cyber security expert Graham Cluley told The Hacker News.

Expect a new wave of ransomware attacks, by the initial attackers and by new ones, which will be difficult to stop unless and until all vulnerable systems are patched.

“The next attacks are inevitable, you can simply patch the existing samples with a hex editor and it’ll continue to spread,” Matthew Hickey, a security expert and co-founder of Hacker House told me.

“We will see a number of variants of this attack over the coming weeks and months so it’s important to patch hosts. The worm can be modified to spread other payloads not just WCry and we may see other malware campaigns piggybacking off this sample’s success.”

Even after the WannaCry attacks made headlines all over the Internet and media, there are still hundreds of thousands of unpatched systems out there that are exposed to the Internet and vulnerable to attack.

“The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host,” Microsoft says.

Believe me, the new strain of WannaCry 2.0 malware would not take much time to take over another hundred thousand vulnerable systems.
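Two of the behaviours described in this story leave traces a defender can look for: a DNS lookup of a kill-switch domain (and, from whether the answer was NXDOMAIN or NOERROR, whether the sinkhole was reachable from that host, which the proxy scenario in the list above prevents) and the SMB fan-out that Microsoft describes. The following Python detector is an added example, not code from any of the researchers quoted here; the log formats and the sample lines are constructed for this example, and the two domains are the kill-switch domains named on this page.

```python
import re
from collections import defaultdict

# The two kill-switch domains named on this page (defanged there).
KILL_SWITCH_DOMAINS = {
    "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}

# Constructed log formats for this example: one line per DNS answer and one
# per firewall connection event.
DNS_RE = re.compile(r"^(\S+) dns src=(\S+) query=(\S+) rcode=(\S+)$")
FW_RE = re.compile(r"^(\S+) fw src=(\S+) dst=(\S+) dport=(\d+) action=(\S+)$")


def analyse(lines, smb_fanout_threshold=20):
    """Return {source_host: findings} for hosts showing either indicator.

    kill_switch_lookup: the host asked for a kill-switch domain, i.e. the
        dropper ran there. sinkhole_reachable says whether the lookup got an
        answer; NXDOMAIN means the worm proceeded on that host.
    smb_fanout: distinct destinations the host touched on tcp/445, the
        "large SMB traffic from the infected host" Microsoft describes.
    """
    lookups = {}                 # src -> (domain, rcode) of first matching lookup
    smb_dsts = defaultdict(set)  # src -> distinct dst on tcp/445
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            _, src, query, rcode = m.groups()
            query = query.rstrip(".").lower()
            if query in KILL_SWITCH_DOMAINS and src not in lookups:
                lookups[src] = (query, rcode)
            continue
        m = FW_RE.match(line)
        if m and m.group(4) == "445":
            smb_dsts[m.group(2)].add(m.group(3))

    findings = {}
    for src, (domain, rcode) in lookups.items():
        findings[src] = {
            "kill_switch_lookup": domain,
            "sinkhole_reachable": rcode == "NOERROR",
        }
    for src, dsts in smb_dsts.items():
        if len(dsts) >= smb_fanout_threshold:
            findings.setdefault(src, {})["smb_fanout"] = len(dsts)
    return findings


def sample_log():
    """Constructed log lines (not real telemetry): .7 ran the dropper, could
    not reach the sinkhole and is now scanning; .9 ran the dropper but the
    sinkhole answered; .3 is a normal client."""
    lines = [
        "2017-05-12T15:02:11Z dns src=10.0.0.7 query=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com rcode=NXDOMAIN",
        "2017-05-12T15:02:11Z dns src=10.0.0.9 query=ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com rcode=NOERROR",
        "2017-05-12T15:02:12Z dns src=10.0.0.3 query=update.example.net rcode=NOERROR",
        "2017-05-12T15:02:13Z fw src=10.0.0.3 dst=10.0.1.2 dport=445 action=allow",
        "2017-05-12T15:02:13Z fw src=10.0.0.9 dst=10.0.1.2 dport=445 action=allow",
        "2017-05-12T15:02:13Z fw src=10.0.0.9 dst=10.0.1.3 dport=445 action=allow",
    ]
    for i in range(25):  # one host sweeping 25 neighbours on tcp/445 in seconds
        lines.append(f"2017-05-12T15:02:{14 + i:02d}Z fw src=10.0.0.7 "
                     f"dst=10.0.1.{100 + i} dport=445 action=allow")
    return lines


if __name__ == "__main__":
    for host, what in sorted(analyse(sample_log()).items()):
        print(host, what)
```

The absence of a kill-switch lookup is not a clean bill of health: a host behind a mandatory proxy, as in the third scenario above, never emits the DNS query at all, and the SMB fan-out check exists to catch exactly that case. The threshold of 20 distinct destinations is a constructed starting point to tune against your own network’s baseline.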

Protect Against WannaCry: Microsoft Issues Patch for Unsupported Windows
https://blog.gopuonline.com/index.php/2017/05/15/protect-wannacry-microsoft-issues-patch-unsupported-windows/
Mon, 15 May 2017 07:09:17 +0000

In the wake of the largest ransomware attack in history, which had already infected over 114,000 Windows systems worldwide in the last 24 hours, Microsoft has taken an unusual step to protect its customers with out-of-date computers.

Microsoft has just released an emergency security patch for all its unsupported versions of Windows, including Windows XP, Vista, Windows 8, and the Server 2003 and 2008 editions.

So, if your organization, for some reason, is still running on Windows XP or Vista, you are strongly advised to download and APPLY PATCH NOW!

WannaCrypt, also known as WannaCry, is new ransomware that wreaked havoc across the world last night. It spreads like a worm by leveraging a Windows SMB vulnerability (MS17-010) that Microsoft had already fixed in March.
The large number of successful WannaCry infections at such an astonishing pace suggests that either a significant number of users have not yet installed the security patch released in March (MS17-010), or they are still running an unsupported version of Windows for which Microsoft no longer releases security updates.
If you are using Windows 10, however, you are on the safe side.

“The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack,” Microsoft says.

Once infected, WannaCry locks files on the computer and requires victims to pay $300 in Bitcoin to regain control of their systems, along with a threat to double the price to $600.

But there’s no guarantee of getting your files back even after paying the ransom.

How is WannaCry Spreading?

Ransomware infections of this kind typically leverage social engineering or spam emails as the primary attack vector, tricking users into downloading and executing a malicious attachment.

WannaCry also leverages one such social engineering trick: Fox-IT researchers uncovered a variant of the ransomware that is initially distributed via an email containing a link or a PDF file carrying the payload, which, if clicked, installs WannaCry on the targeted system.

Once executed, the self-spreading WannaCry ransomware does not infect the targeted computer immediately. Malware reverse engineers found that the dropper first tries to connect to the following domain, which was initially unregistered:

hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

If the connection to the above-mentioned unregistered domain fails (which is obvious), the dropper proceeds to infect the system with the ransomware that would start encrypting files.

But if the connection is successful, the dropper does not infect the system with the WannaCry ransomware module.

A security researcher tweeting as MalwareTech registered the domain mentioned above, accidentally triggering a “kill switch” that can prevent the spread of the WannaCry ransomware, at least for now.

MalwareTech registered the domain for just £10, which makes the dropper's connection check succeed.

“In other words, blocking the domain with firewall either at ISP or enterprise network level will cause the ransomware to continue spreading and encrypting files,” Microsoft warned.

Once a machine is infected, the malware scans the entire internal network and spreads like a worm to every unpatched Windows computer it can reach, using the SMB vulnerability.

The SMB exploit has been identified as EternalBlue, part of a collection of hacking tools allegedly created by the NSA and subsequently dumped by a hacking group calling itself “The Shadow Brokers” just over a month ago.
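The worm behaviour described above, and the “large SMB traffic from the infected host” Microsoft mentions, leaves a signature a defender can look for: one source opening TCP 445 connections to many distinct hosts in a short window. The detector below is an added example, not code from the post or from Microsoft; it assumes a hypothetical “timestamp src dst dport” connection-log format, and the sample log lines are constructed.

```python
"""Flag hosts whose outbound SMB fan-out looks like worm-style scanning.
Added example, not from the post. Log format is a hypothetical "timestamp src dst dport"
line; the sample lines are constructed, not real traffic."""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445

def _constructed_log():
    lines = []
    # 10.0.0.5 (the "infected" host) sweeps 30 neighbours on TCP 445 within 30 seconds.
    for i in range(30):
        lines.append(f"2017-05-12T10:00:{i:02d} 10.0.0.5 10.0.0.{10 + i} {SMB_PORT}")
    # 10.0.0.6 hammers one file server: high volume, but a single destination.
    for i in range(40):
        lines.append(f"2017-05-12T10:00:{i:02d} 10.0.0.6 10.0.0.2 {SMB_PORT}")
    # 10.0.0.7 touches five printers on 445 and browses on TCP 80: below threshold.
    for i in range(5):
        lines.append(f"2017-05-12T10:01:{i:02d} 10.0.0.7 10.0.0.{50 + i} {SMB_PORT}")
        lines.append(f"2017-05-12T10:01:{i:02d} 10.0.0.7 192.0.2.10 80")
    return "\n".join(lines)

SAMPLE_LOG = _constructed_log()

def parse_line(line):
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def find_smb_scanners(log_text, window=timedelta(seconds=60), threshold=20):
    """Return {src: peak distinct TCP 445 destinations} for sources that reach at least
    `threshold` distinct hosts on 445 within any sliding `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport == SMB_PORT:
            events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            # Slide the window start so evs[lo:hi + 1] spans at most `window`.
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            distinct = {dst for _, dst in evs[lo:hi + 1]}
            if len(distinct) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged
```

Counting distinct destinations rather than raw connection volume is what separates the sweeping host from a busy but legitimate file-server client; tune `window` and `threshold` to the normal SMB fan-out of your own network.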

Demo of WannaCry Ransomware Infection

Meanwhile, Matthew Hickey, a security expert and co-founder of Hacker House, has provided The Hacker News with two video demonstrations showing packet traces that confirm the use of the Windows SMB vulnerability (MS17-010).

So Far, Over 114,000 Infections Detected in 99 Countries

The WannaCry ransomware attack became the largest ransomware infection in history within just a few hours.

  • A total of 16 U.K. organizations have been affected by the ongoing attack, including the National Health Service (NHS), which was forced to turn away patients, cancel operations, and reschedule appointments because of the malware infection.
  • WannaCry also hit Spanish telecom giant Telefónica, infecting some of its computers on an internal network, but did not affect clients or services.
  • Other victims of the attack include Portugal Telecom and Russia’s MegaFon.
  • Delivery company FedEx was also a victim.
  • Users from Japan, Turkey, and the Philippines were also affected.

7 Easy Steps to Protect Yourself

Currently, there is no WannaCry decryption tool or any other remedy available, so users are strongly advised to follow these prevention measures to protect themselves.
  • Keep your system up-to-date: First of all, if you are using a supported but older version of Windows, keep your system up to date, or simply upgrade to Windows 10.
  • Using an unsupported Windows OS? If you are using an unsupported version of Windows, including Windows XP, Vista, Server 2003 or 2008, apply the emergency patch released by Microsoft today.
  • Enable the firewall: Enable the firewall, and if it is already enabled, modify its configuration to block access to the SMB ports over the network or the Internet. The protocol operates on TCP ports 137, 139, and 445, and on UDP ports 137 and 138.
  • Disable SMB: Follow the steps described by Microsoft to disable Server Message Block (SMB).
  • Keep your antivirus software up-to-date: Virus definitions have already been updated to protect against this latest threat.
  • Back up regularly: To keep control of all your important files and documents, keep a good backup routine in place that copies them to an external storage device that is not permanently connected to your PC.
  • Beware of phishing: Always be suspicious of unsolicited documents sent by email, and never click on links inside those documents unless you have verified the source.

Telegram Messenger Adds AI-powered Encrypted Voice Calls https://blog.gopuonline.com/index.php/2017/03/31/telegram-messenger-adds-ai-powered-encrypted-voice-calls/ Fri, 31 Mar 2017 12:53:25 +0000 http://blog.gopuonline.com/?p=1441

The post Telegram Messenger Adds AI-powered Encrypted Voice Calls appeared first on GPGLABS : Cyber Security, Internet Security, Tips.


Joining rival chat apps WhatsApp, Viber, Facebook Messenger, and Signal, the Telegram instant messaging service has finally rolled out a much-awaited feature in the new beta versions of its Android app: Voice Calling.

And what’s interesting? Your calls will be secured by Emojis, and quality will be better using Artificial Intelligence.

No doubt the company brought the audio calling feature quite late, but that is likely because of its focus on security: voice calls on Telegram are by default based on the same end-to-end encryption methods as its Secret Chat mode, so that users can make secure calls.

Unlike Signal or WhatsApp, Telegram does not support end-to-end encryption by default; instead, it offers a ‘Secret Chat’ mode, which users have to enable manually, to completely secure their chats from prying eyes. The voice calling feature in Telegram, however, supports end-to-end encryption by default, so that no one, not even Telegram or law enforcement, can intercept your calls.

Emoji-Based Secure Key Exchange Mechanism

Telegram features an interesting key exchange mechanism to authenticate users and make sure their calls are even more secure: users just need to compare four emoji.

While making a call, you will see four emoji on your mobile screen, and so will the recipient. If the emoji on your screen match the recipient’s, your connection is secure.

“The key verification UI we came up with in 2013 to protect against man-in-the-middle attacks served well for Telegram (and for other apps that adopted it), but for Calls, we needed something easier,” Telegram said in a blog post published Thursday.

“That’s why we’ve improved the key exchange mechanism. To make sure your call is 100% secure, you and your recipient just need to compare four emoji over the phone. No lengthy codes or complicated pictures!”

Voice Calls — Encrypted, Super-Fast and AI-Powered

What’s more, Telegram assures its users that the audio quality of voice calls is kept as high as possible by using a peer-to-peer connection, the best audio codecs, and Artificial Intelligence.

The developers say the audio quality of calls is “superior to any of our competitors” thanks to an AI neural network. Each time you make a Voice Call, your Telegram app’s neural network optimizes dozens of parameters based on technical information about your device and network, such as network speed, ping times and packet loss percentage, to adjust the quality of your call and improve future calls on the given device and network.

“These parameters can also be adjusted during a conversation if there’s a change in your connection,” the company states. “Telegram will adapt and provide excellent sound quality on stable WiFi — or use less data when you walk into a refrigerator with bad reception.”

Note: The AI does not have access to the contents of the conversation, so your calls are completely secure.

Telegram Offers Complete Control & Video Compression

Unlike WhatsApp and Facebook, Telegram lets you control “who can and who can’t call you with granular precision.”

If you don’t want anyone bothering you, you can simply switch voice calls off altogether, blocking anyone and even everyone from calling you.

Telegram also offers users direct control over the quality of the videos they share over the platform. You can adjust the compression and see the quality of the video before sending it to your friends.

You can also set the video compression rate as the default setting for all your future video uploads.

Telegram version 3.18, which includes the new features such as Voice Calling, is free to download for iPhone on the App Store and for Android phones on the Google Play Store.

Websites Can Now Track You Online Across Multiple Web Browsers https://blog.gopuonline.com/index.php/2017/02/21/websites-track-online-multiple-web-browsers/ Tue, 21 Feb 2017 12:01:11 +0000 http://blog.gopuonline.com/?p=1432

The post Websites Can Now Track You Online Across Multiple Web Browsers appeared first on GPGLABS : Cyber Security, Internet Security, Tips.


You might be aware of websites, banks, retailers, and advertisers tracking your online activities using different Web “fingerprinting” techniques even in incognito/private mode, but now sites can track you anywhere online — even if you switch browsers.

A team of researchers has recently developed a cross-browser fingerprinting technique — the first reliable technique to accurately track users across multiple browsers based on information like extensions, plugins, time zone and whether or not an ad blocker is installed.

Previous fingerprinting methods usually only work across a single browser, but the new method uses operating system and hardware level features and works across multiple browsers.

This new fingerprinting technique ties the digital fingerprint left behind by a Firefox browser to the fingerprint from a Chrome or Microsoft Edge browser running on the same device.

This makes the method particularly useful to advertisers, enabling them to keep serving targeted advertisements to online users even if those users try to avoid them by switching browsers.

The new technique can be found in a research paper titled (Cross-)Browser Fingerprinting via OS and Hardware Level Features [PDF] by Lehigh University’s Yinzhi Cao and Song Li, and Washington University in St. Louis’ Erik Wijmans.

The cross-browser fingerprinting technique relies on “many novel OS and hardware features, especially computer graphics ones” that are slightly different for each computer.

For example, the technology can be used to identify the machine by performing 20 unique WebGL tasks while rendering 3D graphics in web browsers with carefully selected computer graphics parameters, such as texture, anti-aliasing, light, and transparency.

In total, 36 features are used; because they are drawn from the operating system and hardware rather than from one particular browser, they are not confined to a single web browser on the machine.

The features currently tested include time zone, number of CPU cores, GPU, hash values of GPU rendering results, plugins, fonts, audio, screen ratio and depth, WebGL, ad blocking, canvas, cookies, encoding, and language.

The researchers provided both a practical demonstration as well as open source code online on GitHub. They performed a test which involved 3,615 fingerprints and 1,903 users and found that their method successfully identified 99.2% of users.

On the other hand, a single-browser fingerprinting technique called AmIUnique had a success rate of 90.8%.

“This approach is lightweight, but we need to find all possible fingerprintable places, such as canvas and audio context: If one place is missing, the browser can still be somehow fingerprinted. We leave it as our future work to explore the correct virtualization layer,” the paper notes.

The researchers also noted that this new cross-browser fingerprinting technique is not all bad: in some cases, the method can be used as part of stronger multi-factor user authentication across multiple browsers.

For example, banks can use this technique to check whether a user logging into an online account is using the computer that has been used on every previous visit, confirming that the login is legitimate even if the user is using a different browser than usual.

The researchers plan to present their paper at the Network and Distributed System Security Symposium scheduled for February 26 through March 1 in San Diego, California.
