Analecta Cyber Company Blog: November 2015


Joomla 3.4.5 patches Critical SQL Injection Vulnerability

A content management system, or CMS, is a computer application that allows publishing, modifying, organizing, deleting and even maintaining online content from a central interface.

Joomla is one of the most popular open source CMS software packages. It was recently reported that three critical vulnerabilities in its software have been patched.


New malware holding websites hostage

Cyber criminals recently used a variety of methods to send ransomware to unsuspecting users on Windows computers, in some cases even hitting smartphones and tablets.

A new form of ransomware has been identified that targets web sites and the servers hosting them. This ransomware is encrypting the entire content of websites and insisting the site operator purchase the encryption key to regain use of the site.


Remote listening possible on some Galaxy phones

The Samsung Galaxy series of phones, specifically the S6, S6 Edge and Note 4, are vulnerable to remote phone call interception by hackers, according to new reports.

A man-in-the-middle attack that exploits the low-level cellular baseband software has been discovered. It allows attackers to intercept and record telephone calls on these Galaxy phones.
Researchers Daniel Komaromy and Nico Golde demonstrated the attack method at a recent Cyber Security conference in Tokyo, Japan. The man-in-the-middle attack is executed by creating a false cellular station that these phones then connect to, believing they are connected to an authorized tower of the cell phone company.

The fake cell station is able to change the behavior of the baseband chip used in cellular communications. The modification to the baseband mode of operation occurs without the victim being able to identify a change. The attack allows a hacker to proxy telephone calls so the attacker is able to essentially wiretap the phone calls.


Emergency Patch released for Latest Flash Zero-Day Vulnerability

Just as the last quarter of the year had started, reports came out about the zero-day vulnerability in the newly patched Adobe Flash Player.

Pawn Storm, a well-known group of Russian hackers, exploited the vulnerability and targeted several foreign affairs ministries around the world. The flaw allowed intruders to remotely execute arbitrary code via a crafted SWF (Small Web Format) file in the Adobe Flash File format.


Android devices vulnerable to new Chrome browser zero-day

Hackers have identified a new zero-day vulnerability in the fully updated Google Chrome web browser for Android phones. The vulnerability lies in the JavaScript engine used in Chrome. It allows a hacker to gain full administrative access on an Android-based device. A researcher at Guang Gong discovered the security hole, which affects all versions of the Android OS.


Report: German ATMs vulnerable to hackers

With several credit card hacking incidents regularly reported all around the globe, it appears that the only thing people can do to avoid becoming a victim of these malicious attacks is to use cash for all of their transactions. But it seems even that idea isn’t that safe anymore.


Backdoor in Android devices puts 100 million at risk

A Google-like search engine in China called Baidu may have put more than 100 million Android users in danger. That’s because of the software development kit (SDK) called Moplus that’s often offered to Android users.


Microsoft will automatically offer upgrade to Windows 10

Not long ago, the company “unintentionally” pushed through the Windows operating system update to Windows 7 and Windows 8/8.1 users. The company has also made it no secret that it plans to automatically deliver its Windows 10 system to Windows 7 and 8 users before next year.


Team claims $1 million prize for remotely jailbreaking iOS 9.1 and 9.2

Back in September, the startup company Zerodium, which calls itself the top “zero-day vulnerability and exploit acquisition program,” offered a huge prize for anyone who could create and submit to them an exclusive, browser-based and untethered jailbreak for the latest Apple iOS 9 (iOS 9.1 and the 9.2 beta) operating system and devices. The potential haul: $1 million.

The company’s founder recently confirmed that an anonymous team has claimed that million-dollar bounty just hours before the contest deadline.

The task was made exceedingly complicated by the requirement that the hack go through the Safari or Chrome web browsers, or through an SMS or MMS message. To do this, someone has to find a new string of bugs never used before.

Details of technique not released

Zerodium refused to present any information as to how the winning team was able to break the software but said it was through a combination of Chrome and iOS vulnerabilities.

It was reported that the U.S. National Security Agency is one of the parties looking to acquire the winning technique. And if the NSA gets a hold of that process, that could mean the agency will be able to get around the security protection of Apple’s latest devices and interfere with a device at will.

However, it is expected that Apple, whose mobile operating system is currently the most secure and the most complex when it comes to system protection, will immediately patch the system’s vulnerabilities.


Man and woman recorded using stolen credit card in Virginia Beach

The Virginia Beach Police Department is searching for a woman and a man believed to have used a stolen credit card on Oct. 11 at several shops near the Birdneck Shopping Center.

The card was reported stolen from a vehicle the previous day, police said.

Police described the woman as having long black hair and a large tattoo on her back.
Anyone with information should call Virginia Beach Crime Solvers at 1-888-562-5887.


Police tell customers to monitor accounts after two men arrested for skimming ATM

Chesterfield Police arrested two men who they believe skimmed from ATMs in Chesterfield on October 29.

Officers arrested Kirill Korotkov, 21, and Andrei Turski, 27, with a skimmer and credit and debit cards at the Bank of America on Buford.

Police have notified customers that they should check their accounts for any unauthorized activity.
“It’s instantaneous, it picks it right up,” Special Agent Doug Mease said.

Annual losses from card skimming in the U.S. are more than $1 billion, according to the Secret Service. Skimmers attach devices to ATMs that read card numbers. Video then records people entering PINs.

Agent offers tips

Mease said customers should cover their hand when using the card.

A spokesman for Bank of America said: “Bank of America is committed to the safety and security of our customers’ accounts and financial information. We have a variety of security measures in place to protect customers and clients, including our free $0 Liability Guarantee, which protects customers from unauthorized transactions using their credit cards or ATM/Debit cards if reported in a timely manner.”


Chinese hackers crack into 226,000 iPhones

Hackers have reportedly broken into something like 226,000 iPhones and accessed sensitive customer information.

It’s estimated that the hackers were able to infiltrate iPhones in the United States and 17 other countries, including China, France, Russia, Japan, United Kingdom, Canada, Germany, Australia, Israel, Italy, Spain, Singapore and South Korea.

A Chinese student at Yangzhou University who is also a member of an amateur hacking group called Weiptech is getting credit for the discovery.


Police seek woman they say used stolen credit cards in Hanover

Anne Arundel County Police are hoping the public can help the department locate a woman they say used stolen credit cards in Hanover, Maryland.

The department shared a photograph of the woman on Facebook, noting that even though it is not a clear picture, somebody may still be able to identify the woman.

Anyone with information is asked to call Det. Redman in the Western Division at (410)222-6155.

Hacker, 16, arrested over TalkTalk hack

A London teenager has become the fourth person arrested in connection to the high-profile hack on British telecommunications company TalkTalk.

Officers with the Metropolitan Police Cyber Crime Unit arrested the 16-year-old boy at his Norwich home on suspicion of violating the Computer Misuse Act.

TalkTalk was hit with a large and lengthy attack on its website two weeks ago, putting the personal data of its 4 million customers at risk.

Some 1.2 million affected

As many as 1.2 million customer names, email addresses and phone numbers, plus 21,000 bank account numbers were potentially released in the attack, according to the company.

But any stolen credit card information was incomplete and could therefore not be used to make unauthorized transactions, according to TalkTalk representatives.

Still, the company said customers should keep a close watch on account activity.

In addition to the latest arrest, law enforcement agents have arrested a 20-year-old man from Staffordshire and two other teenagers.

Any connection between the four individuals is not yet clear.


Arkansas and Maryland Health Providers Notify Patients of Data Breaches

Another addition has been reported to the growing list of health data breaches. The latest breaches happened in Arkansas and Maryland.
Neither breach included billing information or other sensitive data like Social Security numbers, but they both resulted in notification letters going out to patients because of potential privacy violations.


Banking Group Marks Cyber Security Month by Disclosing Hack

The American Bankers Association, a Washington, DC-based trade association for the U.S. banking industry, is pushing for laws that force retailers in all industries across the U.S. to improve their data protection. And as the ABA observes National Cybersecurity Awareness Month, association officials are announcing that hackers were able to break into their own system.