All about Security, News, Events and Incidents

Discussion in 'Security and Anti-Virus Software' started by Dr. AMK, Apr 26, 2018.

  1. 6730b

    hmscott, Aroc and Dr. AMK like this.
  2. Dr. AMK

    British Airways, Another Victim of Ongoing Magecart Attacks
    https://www.securityweek.com/british-airways-another-victim-ongoing-magecart-attacks
    The data breach that British Airways said last week to have impacted 380,000 of its users was caused by an attack from Magecart, a threat group known for the use of web-based card skimmers.
    The incident, the airline revealed on September 6, resulted in cybercriminals accessing the personal and financial details of customers who made bookings between August 21 and September 5, either via the company’s website or their mobile app.
    On Friday, chief executive Alex Cruz told BBC the airline experienced “a very sophisticated, malicious, criminal attack” on their website. The breach resulted in customer names, postal addresses, email addresses and credit card information being stolen.
    British Airways says the breach of customer data spanned a total of 15 days, but the attackers likely had access to the company’s systems before that, RiskIQ reveals. A paid certificate from Comodo used in this attack was issued on August 15, suggesting the miscreants “likely had access to the British Airways site before the reported start date of the attack on August 21st,” the security firm says.
    RiskIQ, which has been tracking Magecart attacks since 2015, and which found a couple of months ago that the threat group also stole the information of Ticketmaster UK customers, said today they discovered how the data of British Airways’ customers was stolen.
    The culprit was a modified version of the Modernizr JavaScript library that was loaded from the baggage claim information page of the British Airways website. Modified on August 21, the file contained 22 lines of JavaScript, and was long enough to steal the information of 380,000 users.
    The script would extract the user's name and payment information from the payment form as soon as they hit the button to submit their payment on the compromised British Airways site. The data was sent to the attackers' server.
    “This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately. This particular skimmer is very much attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer,” RiskIQ says.
    The attackers’ infrastructure was also specifically tailored for this attack, targeting scripts that would blend in with normal payment processing to stay under the radar. The attackers set up the domain baways.com, hosted on 89.47.162.248, an IP located in Romania but part of a VPS provider based in Lithuania.
    What made it possible to target the users of British Airways’ mobile app as well, the security firm reveals, was the fact that the software loads a series of resources from the airline’s website, including the same compromised Modernizr JavaScript library. The hackers, however, also “put in the touchend callback in the skimmer to make it work for mobile visitors as well,” RiskIQ points out.
    “Magecart set up custom, targeted infrastructure to blend in with the British Airways website specifically and avoid detection for as long as possible. While we can never know how much reach the attackers had on the British Airways servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets,” RiskIQ concludes.
    Magecart is an active threat that has been continuously refining tactics and targets to maximize returns. As part of the Ticketmaster attack, they targeted third-party provider Inbenta, but switched to targeting a specific brand in the British Airways incident, specifically tailoring their attack to match the site’s functionality. The threat group is expected to continue to evolve, the security firm says.
     
    hmscott and Aroc like this.
  3. 6730b

    And now, Newegg.

    "We urge banks to issue new cards or added protection through OTP on cards they can correlate belonging to transactions that occurred on Newegg between August 14th and September 18th"

    https://www.riskiq.com/blog/labs/magecart-newegg/
     
    hmscott and Dr. AMK like this.
  4. Dr. AMK

    Governments are using games to engage citizens — but #beware before you play.

    They can be a tool for citizen participation, but raise concerns about #privacy and exclusion.

    https://apolitical.co/solution_arti...to-engage-citizens-but-beware-before-you-play

    In Suining, China, all residents aged 14 and above are graded by a complex social credit system designed to monitor and shape citizens’ behaviour. Did you take care of a sick family member? You earn 50 points. Were you convicted of drunk driving? Fifty are taken away.

    Suining served as a testing ground for a mass surveillance system China is currently rolling out nationwide. Citizen behaviour is carefully watched and ranked for “trustworthiness”: Grade-A citizens may get first priority for jobs, skip hospital queues and get discounts on energy bills. Grade-D citizens, meanwhile, can be denied public services, banned from buying plane tickets or even blocked from dating websites.

    Critics say China’s social credit system is a glimpse into a dystopian future; a place where all citizens are watched and rated by government, which doles out rewards or punishments accordingly. But at its core, China’s social credit system is one of the most widespread uses of gamification — an “underexplored approach to governance”, according to Gianluca Sgueo, a New York University professor and policy analyst for the European Parliament.

    Sgueo is the author of Games, Power and Democracies, which is one of the first books to analyse how government can use elements of games — such as points, levels, ranking and badges — to encourage civic participation and mould citizens’ behaviour. Sgueo doesn’t extol the tool as a cure-all for what’s broken in the policymaking process. In fact, he writes that in terms of improving interaction between government and the public, gamification has yet to have “any real impact”.

    But, Sgueo says, gamification has the potential to bring apathetic citizens into the policymaking process and make decision-making more participatory. Here, he discusses why governments are using gamification wrong, and how the tool can be harnessed to change how citizens interact with government.

    You open your book with a description of an episode of the TV show Black Mirror, in which every citizen has a rating that measures their social value. Do you think this is where governments’ use of gamification is heading?

    I think there are two threads. One is a good one — not like the Black Mirror episode, but something more positive: gamification as a tool to engage people in policymaking. However, I have to be honest: sometimes the risk is that government, in experimenting with gamification, invades citizens’ privacy and is too intrusive with their lives.

    One well-known case is in China. In Suining, your behaviour as a citizen is rated and it affects your social life. You can be denied a permit to go to the hospital or access to other public services if your rating is low. That’s very scary.

    The other experiment that is very intrusive is one in which citizens’ garbage and recycling habits were judged. People were rated by photos of their garbage, which were shared publicly. [BinCam, a Newcastle University project aimed at monitoring individuals’ recycling behaviour, installed a mobile phone inside garbage bins and took a photo every time they were used. People rated the photos on Facebook.] Overall, the trend is more positive, but there are some scary examples like these.

    So far, experiments have generally been confined to small subsets of a population. Do you think gamification has the power to bring citizens into decision-making on a larger scale?

    That’s the challenge. If you look at the number of people attracted by games — mobile games, video games, the numbers are crazy. The potential to attract people is there; we just need to use it to engage citizens.

    The issue is that when we play a game, there is always a moment when we get bored and abandon the game. Let’s say you’re playing a game, but struggling to go to the next level — if it’s too difficult, you abandon it. If it’s too easy, you get bored.

    The same principle is applied to gamification and public policy. If there are too many confusing game elements or citizens don’t feel sufficiently engaged after the first time, they just stop trying it.

    The example I have in mind is from London. A couple of years ago, the government was struggling with people throwing cigarettes on the ground right before entering the metro instead of throwing them away.

    They wanted people to use the bins, but they were too often in a rush. So, what they did is install two bins with [football players] Ronaldo and Messi on them. Above, it was written “Which player is better?” It worked very well for the first few months — people were throwing cigarettes away — but after a while, they got bored. If citizens don’t find the game interesting anymore, it won’t be effective in the long term.

    What are some common mistakes governments make when trying to use gamification?

    The first one is to lock in a strategy for the long term. Maybe your game is super cool, but it’s not going to last for too long. There is no game you could play forever with the same level of engagement. Think about Monopoly: I like to play it but I don’t play it every day. In a way, the same thing happens with gamification. In my opinion, the most common mistake is implementing a game that is not easily changed.

    The second common mistake is to only go digital. This goes back to the issue of digital divide and exclusion. The best examples of gamification include both offline and online elements. If you just use digital games, you’ll leave out a lot of people. My mother is 65 years old — if the Italian government was to launch a public consultation through digital games, she wouldn’t take the time to see what it’s about. And there are a lot of people like her whose opinion they would miss out on.

    Has any one government been able to overcome these challenges?

    Not yet, not entirely, and definitively not satisfactorily. The problem of inclusiveness and ethical issues are common to all initiatives of gamification. The first is a natural consequence of the digital nature of nearly all cases of gamified public policy.

    One exception to the rule is the case of Macon Money, [from Macon, Georgia] a game designed for community engagement. It’s a virtual currency distributed to residents — but the interesting thing is that to redeem the value of Macon dollars, you have to find someone who has the other half of your coin. It was posted in the local newspaper who had which half, and the two people were forced to meet and interact. They could redeem the money in local stores.

    This type of thing wouldn’t work in a city like Rome or London, but in a small city like Macon it helps neighbours socialise and stay informed on civic affairs. It’s meant to engage both the digitally illiterate and people who have no interest in community affairs.

    Finally, ethical concerns are common to every nudging initiative, including gamification. In the final chapter of the book I describe attempts from think tanks and researchers to develop ethically neutral algorithms that could be used to counterweight ethical biases in gamification. At present, however, these initiatives are in the trial phase.

    What would you say is the most successful example of a government using gamification to involve citizens in policymaking?

    The municipalities of Madrid and Barcelona have both adopted platforms for engaging people in policymaking: Decide Madrid and Decidim Barcelona, which means “We Decide” in Catalan.

    The platforms have implemented simple elements to give points to people who participate more. So if your ideas and comments aren’t successful — as in, they don’t make it into government — you still get points for participation. It’s not just about using the platform to convince the municipality to adopt your ideas; it’s about contributing and how you are rewarded with a system of points. The result is that more people are willing to participate. It’s very simple, very basic but very successful, which shows the promise of these types of platforms.

    You say that gamification alone is not a game-changer, and that it’s yet to have any real impact in terms of advancing interactions between citizens and government. Why should governments even try to use this tool?

    Because of the promise they see in it. They see an easy way to get a response from citizens. They see a low-cost way — which is not actually a reasonable way if you want to do it seriously. And they see in it probably the only escape we can find in this age where distrust for government is so spread.

    I’m not saying that gamification is useless. I’m saying in most examples that I’ve analysed while writing this book, I could spot some, let’s say, naive approaches from government. In other very few cases, I saw gamification used as part of a broader strategy. These three factors — underestimating costs; overestimation of results; and the lack of a proper strategy — are probably the reasons for which governments are using it without much of a result. — Jennifer Guay
     
    hmscott likes this.
  5. 6730b

    Last edited: Sep 28, 2018
    hmscott and Dr. AMK like this.
  6. hmscott

    With another Facebook hack on the way? Streamed Live? I wouldn't attend that BTW, or click on the link to attend it... that Live Stream might be the actual hack itself. :)

    "News of this security exploit comes just hours after a prominent Taiwanese hacker by the name of Chang Chi-yuan pledged to delete Zuckerberg’s personal page on Sunday as a way to demonstrate some type of security flaw in Facebook, Chang’s proficiency as a hacker, or both. It was not immediately clear whether the issue affecting Facebook’s View As feature is the one Chang intended to exploit, but the timing had some suspecting they could be related. Facebook said this exploit does not have anything to do with Chang’s stunt, which he was reportedly planning to stream on Facebook Live."

    I remember reading this, they were going to go without a lead Security group, and were going to let each group work out their own security, I wondered how long that was going to last, before something catastrophic happened to change it.

    "A more pressing concern for Facebook is the absence of a chief security officer, after former CSO Alex Stamos left the company last month. Following Stamos’ departure, Facebook said it would not be filling the CSO role and would instead restructure its security organization and embed specialists through its many divisions. A Facebook spokesperson said at the time that the company would “continue to evaluate what kind of structure works best” to protect users’ security."

    Right about now, I guess... :)
     
    Last edited: Sep 28, 2018
    efjay and Dr. AMK like this.
  7. hmscott

    China Used Tiny Chip in Hack That Infiltrated Amazon, Apple
    The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.
    http://forum.notebookreview.com/thr...in-hack-that-infiltrated-amazon-apple.823509/

    "In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim. In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks. The sources were granted anonymity because of the sensitive, and in some cases classified, nature of the information."
     
    Vasudev and Dr. AMK like this.
  8. Dr. AMK

  9. Vasudev

    Recently I was redirected to a bad webpage to type my debit card number for payment, and I noticed my PC wasn't responding, which was a first for me on Linux. I went to the task manager and saw the webpage was using 99% of my CPU in Firefox. I closed it and opened the same payment gateway that lands me on debit card based payment. I suspected it was a crypto miner inside some script on the server side that actually didn't show up in the uBO log at all! I closed it and went to net banking and my PC was back to normal. Sad to see this happen on a site that actually conducts PhD entrance exams.
     
    hmscott and Dr. AMK like this.
  10. Dr. AMK

    Is this related to any of my links in the post, or is this something else? I mean, if any of the links in this post is suspicious, please let me know so I can remove it.
    I'm sorry for what happened to you; you have to be more careful these days.
    Good luck with your PhD, I'll be happy to help you with anything I can do.
     
    Last edited: Oct 5, 2018
    Vasudev likes this.