Category Archives: cyber victim

CyberSecurity: Fake firms who say they recover data from ransomware but not really

According to a ProPublica report, two firms identified in the U.K. market themselves as data recovery firms. They offer a solution to clients, whether organizations or individuals, who have been attacked by ransomware. In reality, they just negotiate with the hackers, make the payment on behalf of the victims, and later bill the victims, saying they have resolved the problem.

In very simple terms, ransomware is a type of sophisticated attack in which hackers encrypt and cripple someone's data and lock their systems. The hackers then threaten to destroy the data; the other option they offer is to pay money to decrypt or restore the data and let the users or organizations use their own systems and data again.

FROM 2015 TO 2018, a strain of ransomware known as SamSam paralyzed computer networks across North America and the U.K. It caused more than $30 million in damage to at least 200 entities, including the cities of Atlanta and Newark, New Jersey, the Port of San Diego and Hollywood Presbyterian Medical Center in Los Angeles. It knocked out Atlanta’s online water service requests and billing systems, prompted the Colorado Department of Transportation to call in the National Guard, and delayed medical appointments and treatments for patients nationwide whose electronic records couldn’t be retrieved. In return for restoring access to the files, the cyberattackers collected at least $6 million in ransom.

Read more in these wonderful articles:

Sting Catches Another Ransomware Firm — Red Mosquito — Negotiating With “Hackers”

The Trade Secret

CyberSecurity: EMV-enabled credit cards do not stop fraud!

State Bank of India asked its customers to get rid of conventional swipe cards and replace them with EMV-enabled chip cards. EMV chips are considered to be safer and to prevent credit/debit card fraud.

FYI: EMV stands for ‘Europay MasterCard Visa’, while PIN is an acronym for personal identification number.

Purpose of EMV

In theory, EMV should reduce fraud because every card transaction requires an encrypted connection between the chip card and the merchant’s point-of-sale terminal. EMV is meant to replace conventional swipe transactions that rely on magnetic strips, which contain data that is relatively easy for criminals to intercept and then copy on to a new card.

Reality of EMV

A new report from the research firm Gemini Advisory has found that, of more than 60 million cases of credit card theft in the last 12 months, a whopping 93% of the stolen cards had the new chip technology.

This represents a major setback for the technology, known as the EMV standard, which is named after the companies (Europay, Mastercard and Visa) that created it.

“45.8 million…records [were] likely compromised through card-sniffing and point-of-sale (POS) breaches of businesses such as Saks, Lord & Taylor, Jason’s Deli, Cheddar’s Scratch Kitchen, Forever 21, and Whole Foods. To break it down even further, 90% or 41.6 million of those records were EMV chip-enabled,” states the report.

How is fraud still possible?

While the EMV standard is supposed to ensure the card data cannot be captured, many merchants are failing to properly configure their systems. The problem is that banks and merchants are not configuring their systems properly, which leaves those systems vulnerable.

What is the use of stolen data?

There are multiple ways cybercriminals use stolen data. The first and easiest way is to sell the credit card numbers on the dark web, a market full of criminals that is not part of the public web or apps. The second method is to create replicas of these cards and use them to withdraw money.

Reference:

http://fortune.com/2018/11/05/credit-card-chips-fail-to-halt-fraud-survey-says/

CyberSecurity: How one click could make your life miserable?

Here is the story of Delaine Maria D’Costa, a blogger who happened to be the victim of a phishing attack (i.e., clicked on an unknown link). A phishing attack is a way to fool the user into logging in to a dummy site that looks the same as the original site, for example facebook.com, where the hackers would use a dummy one. Read the full story here.

https://www.grahamcluley.com/when-your-instagram-account-has-been-hacked-how-do-you-get-it-back/

After reading the above story, I was reminded that in the festival season, thousands of services like indian-choice.com are circulated in every WhatsApp group. When you click on one, it says Happy Diwali <Sender Name>. Here is the snapshot. We received such links from many friends and WhatsApp groups.

After seeing such links, I decided to evaluate these things, and found that the purpose of these services is not bad but to generate some money through advertisements, and to collect some users' personal information. It is hard to know, though, what things they track. Apart from the unknown tracking, these services have many security issues, running on simple HTTP, and are pretty hackable.

[Image: Screen Shot 2018-11-11 at 10.12.49 PM]

From a user's perspective, it is a new and interesting way to wish someone. But the problem is: what if someone is trying to trick you? What if someone has bad intentions? Is there a way these services can stop it? Not really.

Most of these links are accessed from a phone. Once you click on one, it could simply download an executable file to your phone. The person who clicks will not know or guess what this file is for or what effect it has. So most of us would ignore it, busy looking at the flashing page or in a hurry to forward the same link to others.

A downloaded file could be potential malware (i.e., a bad piece of software) which could access all your information, such as contact numbers, emails, messages, etc. In general, people don't bother much if someone has access to their messages, but what if someone can read your OTP messages, and all the information in your chats, calls, etc. is available to someone? That is pretty scary, isn't it?

One click: that's all someone needs to ruin your life or make it miserable.

Takeaway

Be aware, and think about what you are accessing and consuming. Be a good consumer of information. Open or access only services that you know or that come from a trusted source. Not all information is free. One click could cost you your entire savings and hard-earned money. The cyberworld is pretty open and almost free, with lots of services; however, nothing comes free as such. Everybody is trying to make money here.

For more suggestions and stories, post a comment or contact me directly.

Cyber Security: Lesson to be learned

Below is the reference to a paper which is one of the finest papers I have read in recent times. Here is a glimpse of the paper and the reference.

https://www.thirdway.org/report/to-catch-a-hacker-toward-a-comprehensive-strategy-to-identify-pursue-and-punish-malicious-cyber-actors

In this paper, the author argues that the United States currently lacks a comprehensive overarching strategic approach to identify, stop and punish cyberattackers.

  1. There is a burgeoning cybercrime wave: A rising and often unseen crime wave is mushrooming in America. There are approximately 300,000 reported malicious cyber incidents per year, including up to 194,000 that could credibly be called individual or system-wide breaches or attempted breaches. This is likely a vast undercount since many victims don’t report break-ins to begin with. Attacks cost the US economy anywhere from $57 billion to $109 billion annually and these costs are increasing.
  2. There is a stunning cyber enforcement gap: Our analysis of publicly available data shows that cybercriminals can operate with near impunity compared to their real-world counterparts. We estimate that cyber enforcement efforts are so scattered that less than 1% of malicious cyber incidents see an enforcement action taken against the attackers.
  3. There is no comprehensive US cyber enforcement strategy aimed at the human attacker: Despite the recent release of a National Cyber Strategy, the United States still lacks a comprehensive strategic approach to how it identifies, pursues, and punishes malicious human cyberattackers and the organizations and countries often behind them.

My takeaway & View:

Despite so many levels of effort by security experts and organizations, and millions of dollars put into security, it is a pretty scary situation. The big question that comes to my mind is: what about countries like India, Sri Lanka, Bangladesh, and many other developing countries? These countries have not realized the threats yet and do not have the infrastructure to deal with such a horrible situation. However, the cyber threat is real.

China bulldozes all its neighbours, and in the cyber world China is much more advanced than anyone else. They are capable of listening to Mr Trump's phone calls as well. If the phone of the President of the United States isn't considered safe, then what can we expect from the technology which many countries are trying to adopt? What if China starts targeting its rivals? Does India have the power to hold its own in such attacks?

Given the situation in the cyber world and technological advancement, a lesson can be learned from all of the above. I won’t say it is too late for countries like India to learn and adopt technology which could be safer to use, or to make organizations keep their services secure. Everything must now be viewed from the security perspective. Every digitalization effort must have security as its first priority.

The Indian government has been very proactive in digitalizing its services; however, there are many services/portals which are vulnerable. A lesson must be learned, otherwise it would be very damaging, and developing countries can’t afford it. Good measures, however, have been identified, but only on paper so far. For instance, GDPR.

I don’t want to sound like an expert here, but truth be told, Indian IT service companies must learn and realize the threat. Make our services more secure and deliver what could make your clients safer. Have security in mind when designing an application. Invest in training, and skill newcomers to develop more secure applications. In reality, the issue is more one of mindset than a skill gap. People never understand what information should be exposed or hidden. As long as the application works, it is considered great. Here are a few instances:

  1. A simple example is allowing users to change their password without checking the current password.
  2. Supporting changes to password, email or profile info using the GET method in a web service.
  3. If you inspect an application, the application reveals more insights. I don’t want to review any particular application, but that is how software is developed.
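
Items 1 and 2 above, shown beside a corrected handler, as an added example that is not part of the original post. The function names, status codes, 12-character minimum and in-memory user store are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash for stored credentials.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def new_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

# Constructed sample users (illustrative data, not from the post).
USERS = {"alice": new_record("old-Secret-1"), "bob": new_record("bob-Secret-1")}

def verify(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(hash_password(password, rec["salt"]), rec["hash"])

def change_password_flawed(method: str, user: str, query: dict) -> int:
    # Items 1 and 2 as described: any HTTP method is accepted, the new
    # password travels in the URL, and the current password is never checked.
    USERS[user] = new_record(query["new_password"])
    return 200

def change_password(method: str, session_user: str, query: dict, body: dict) -> int:
    # State changes go through POST only; a GET can be replayed from a link,
    # browser history or a cached page.
    if method != "POST":
        return 405
    # Secrets in the query string end up in server logs and Referer headers.
    if "current_password" in query or "new_password" in query:
        return 400
    if session_user not in USERS:
        return 401
    current = body.get("current_password", "")
    new = body.get("new_password", "")
    # Re-authenticate: holding a session alone must not allow account takeover.
    if not verify(session_user, current):
        return 403
    if len(new) < 12 or new == current:
        return 422
    USERS[session_user] = new_record(new)
    return 204
```

In a real web service the same checks sit behind the framework's routing and CSRF protection, which this sketch leaves out.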

Final words: Keep yourself aware of things which could impact you directly or indirectly.