Author: Oakey

Researchers playing with Twinkly IoT lights found security weaknesses that allowed them to display custom lighting effects and to remotely turn off their Christmas brilliance. They estimate that about 20,000 devices are reachable over the internet.

The LEDs in Twinkly lights can be controlled individually. Exploiting inherent security weaknesses related to authentication and the communication of commands, the researchers were able to use the curtain of lights to play Snake, the game made so popular by Nokia phones in the late 1990s.

Users can manage their Twinkly smart decoration via a mobile app that sends unencrypted communication over the local network, which makes analyzing the traffic from a man-in-the-middle position trivial.

To talk to the lights, the app discovers them by running a UDP broadcast to port 5555 and receives in return an IP address and the name of the device.

“Once the application knows the IP address of the lights, it authenticates with them, receives an authentication token and retrieves information about the device. The authentication process, although a good idea, is flawed,” said the researchers from MWR InfoSecurity, a company recently acquired by F-Secure.

After analyzing the hardware internals and the mobile app, the researchers had a clear view of how the entire communication and authentication process worked.

They identified the calls to the API endpoints and the algorithms used to create the authentication challenge-responses.

Another discovery relates to the firmware update process, which does not use signatures to check the authenticity of the files received; this allows installing an arbitrary firmware “to the device over the local network without any real authentication or authorization, making it straightforward to gain arbitrary code execution.”

Hardcoded in the firmware is a username/password, used to connect to a private broker through the Message Queuing Telemetry Transport (MQTT) protocol for exchanging messages with remote IoT boards and sensors.

MQTT allows subscribing to topics using the wildcard symbol ‘#’; subscribing with it at the root grants access to all topics and, implicitly, to the information published by the lights.

“Monitoring the root for unique mac addresses we estimate there are almost 20,000 devices out there,” MWR Labs says.
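As an added example (not MWR Labs' code or anything from the Twinkly firmware), here are the MQTT topic-filter matching rules behind that root ‘#’ subscription, together with a constructed broker ACL that contrasts the shared hardcoded account with a per-device identity; principal and topic names are assumptions.

```javascript
// Added example, not code from MWR Labs or Twinkly: MQTT topic-filter matching
// (MQTT 3.1.1, section 4.7) and a broker-side subscribe/publish ACL. It shows why
// a root '#' subscription on the shared hardcoded account sees every device and
// what a per-device rule would deny instead. Principal and topic names are constructed.

// True when a subscription filter (with '+' and '#' wildcards) matches a concrete
// topic name. '+' matches exactly one level; '#' must be the last level and matches
// the remainder, including the parent itself ('a/#' matches 'a').
function topicMatches(filter, topic) {
  const f = filter.split('/');
  const t = topic.split('/');
  for (let i = 0; i < f.length; i++) {
    if (f[i] === '#') return i === f.length - 1;
    if (i >= t.length) return false;
    if (f[i] !== '+' && f[i] !== t[i]) return false;
  }
  return f.length === t.length;
}

// True when every topic that `requested` could match is also matched by `allowed`,
// i.e. granting the requested filter does not widen access beyond the ACL entry.
function filterCovers(allowed, requested) {
  const a = allowed.split('/');
  const r = requested.split('/');
  for (let i = 0; i < a.length; i++) {
    if (a[i] === '#') return true;   // the rule covers the whole remainder
    if (i >= r.length) return false;
    if (r[i] === '#') return false;  // the request is broader than the rule
    if (a[i] === '+') continue;      // one level of any value, literal or '+'
    if (a[i] !== r[i]) return false; // literal level: '+' or another literal is not covered
  }
  return a.length === r.length;
}

// Constructed ACL. 'shared' models the single credential baked into the firmware;
// 'device-<mac>' is what a per-device identity could be limited to.
const ACL = {
  shared: ['#'],
  'device-aabbccddeeff': ['twinkly/aabbccddeeff/#'],
};

function aclAllowsSubscribe(acl, principal, requested) {
  return (acl[principal] || []).some(rule => filterCovers(rule, requested));
}

function aclAllowsPublish(acl, principal, topic) {
  return (acl[principal] || []).some(rule => topicMatches(rule, topic));
}

// Walk a few subscribe requests so the difference is visible when run directly.
const REQUESTS = [
  ['shared', '#'],
  ['device-aabbccddeeff', '#'],
  ['device-aabbccddeeff', 'twinkly/+/status'],
  ['device-aabbccddeeff', 'twinkly/aabbccddeeff/cmd'],
];
for (const [who, filter] of REQUESTS) {
  console.log(`${who} subscribe ${filter}: ${aclAllowsSubscribe(ACL, who, filter) ? 'allow' : 'deny'}`);
}
```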

Remote tampering with the lights is not difficult

Considering these security faults, it would be easy for an attacker on the network to intercept the communication between the Twinkly lights and the mobile app and use them to manipulate the LEDs into custom patterns or turn them off.

“As any MQTT node can publish to any topic, it is thus possible for anyone to issue commands to any set of lights and turn them off. We tested this remotely from AWS against the lights in the office and it worked perfectly,” MWR Labs experts note in a technical blog post.

To demonstrate remote management of the Twinkly lights across the world, the researchers turned to the DNS rebinding attack technique, known in the infosec industry for over a decade.

An attacker can use DNS rebinding to bypass the same-origin policy (SOP) in web browsers and turn them into a proxy for communicating with devices on the network. All the user would have to do for this to happen is access the wrong link.

MWR Labs created a malicious website specifically for this purpose. When the victim loads it, all the devices on the local network are enumerated. If Twinkly lights are available, they will be configured to show the message ‘Hack the Planet!’ as you can see in the video below.
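An added example, not code from Twinkly or MWR Labs, of the standard device-side mitigation for this: rejecting any request whose Host header does not name the device itself, since a browser that was rebound still sends the attacker's hostname in Host. The device addresses, the API port (80) and the sample requests are assumptions.

```javascript
// Added example, not code from Twinkly or MWR Labs: a Host-header check a
// device's HTTP API can apply against DNS rebinding. After rebinding, the
// browser still sends Host: <attacker hostname>, so a device that only answers
// requests addressed to its own IP or mDNS name refuses the proxied request.
// The device addresses, port and sample requests below are constructed.

// Parse a Host header into { host, port }. Accepts IPv4, bracketed IPv6 and
// hostnames, with an optional :port. Returns null for anything malformed.
function parseHostHeader(value) {
  if (typeof value !== 'string') return null;
  const m = /^(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(?::(\d{1,5}))?$/i.exec(value.trim());
  if (!m) return null;
  return { host: m[1].toLowerCase(), port: m[2] === undefined ? null : Number(m[2]) };
}

// True only when Host names one of the device's own addresses and, if a port
// is given, the port the API actually listens on.
function hostHeaderAllowed(value, allowedHosts, expectedPort) {
  const parsed = parseHostHeader(value);
  if (parsed === null) return false;
  if (parsed.port !== null && parsed.port !== expectedPort) return false;
  return allowedHosts.some(h => h.toLowerCase() === parsed.host);
}

// The decision a Node http handler would make: a rejected request gets
// 421 Misdirected Request plus a log line the defender can alert on.
function decide(req, allowedHosts, expectedPort) {
  const host = req.headers.host;
  if (!hostHeaderAllowed(host, allowedHosts, expectedPort)) {
    return { status: 421, log: `possible rebinding: rejected Host=${host} from ${req.remoteAddress}` };
  }
  return { status: 200, log: null };
}

// Constructed device identity: its LAN address and mDNS name, API on port 80.
const DEVICE_HOSTS = ['192.168.1.50', 'twinkly-livingroom.local'];
const API_PORT = 80;

// Constructed requests: the real app, and a browser whose DNS answer for the
// attacker's name was rebound to the device's IP.
const SAMPLE_REQUESTS = [
  { headers: { host: '192.168.1.50' }, remoteAddress: '192.168.1.20' },
  { headers: { host: 'lights.attacker.example' }, remoteAddress: '192.168.1.20' },
];
for (const req of SAMPLE_REQUESTS) {
  const d = decide(req, DEVICE_HOSTS, API_PORT);
  console.log(`${req.headers.host} -> ${d.status}${d.log ? ' (' + d.log + ')' : ''}`);
}
```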

The vulnerabilities found in Twinkly lights are not unusual in the IoT space. In this case, there is little damage an attacker can do by hacking the lights, but other targets may be more valuable, the researchers say.

Source: Bleeping Computer

A possible compromise of servers where NASA stored data on current and former employees may have given hackers access to social security numbers (SSN) and personally identifiable information (PII).

The incident occurred on or before October 23, when NASA's cybersecurity team started to look into a possible server breach. Immediate action secured the machines and the data they stored.

Gatwick Airport, the UK’s second largest airport, has just become a key example of how thoroughly today’s consumer tech can disrupt our infrastructure. The airport briefly suspended all flights again Friday, the third time in three days, due to suspected drone sightings in the area. That’s right — drones were able to shut down a major UK artery for well over 24 hours, as police and armed forces have seemingly been unable to find those responsible.

Major cryptocurrency exchange and wallet Coinbase recently made what it claims is the largest transfer of crypto on record, a company blog post reports Dec. 19.

According to the post, 5 percent of all Bitcoin (BTC), 8 percent of all Ethereum (ETH), and 25 percent of all Litecoin (LTC), along with “many other assets” were moved to new cold storage infrastructure in what the firm “believe[s] is the largest crypto migration on record.”

On Tuesday, Apple unveiled its list of the most downloaded iPhone apps of 2018. Topping the list is YouTube, followed by Instagram, Snapchat, Messenger and Facebook, respectively.
Bitmoji — a Snapchat-owned app that lets users create an emoji that looks like them — dropped to sixth place on the list. It was the most downloaded app last year.
It’s been a challenging year for some social media companies, such as Facebook, which has faced criticism over privacy issues, data misuse, misinformation and election meddling on its platform. Nevertheless, Facebook’s flagship app and two others owned by the company (Instagram and Messenger) made the top five on the most downloaded list.
Snapchat also faced challenges this year, including navigating a controversial redesign that was widely panned by users, and heightened competition from Instagram — which has copied many of its popular features.
Once again, the most popular paid app was selfie-editing tool Facetune ($3.99). Kirakira+ ($0.99), which lets you add cool effects to videos and photos, took second place.
Apple declined to say how many times the apps have been downloaded.
In gaming, it was no surprise that the immensely popular Fortnite topped the charts. The number two spot went to Helix Jump, a game in which players navigate a falling ball through a maze. That was followed by Rise Up, a game that lets players protect a balloon from obstacles.
Source: CNN

Marriott

Last Friday, Marriott sent out millions of emails warning of a massive data breach — some 500 million guest reservations had been stolen from its Starwood database.

One problem: the email sender’s domain didn’t look like it came from Marriott at all.

Marriott sent its notification email from “email-marriott.com,” which is registered to a third party firm, CSC, on behalf of the hotel chain giant. But there was little else to suggest the email was at all legitimate — the domain doesn’t load or have an identifying HTTPS certificate. In fact, there’s no easy way to check that the domain is real, except a buried note on Marriott’s data breach notification site that confirms the domain as legitimate.

But what makes matters worse is that the email is easily spoofable.

Often, after a data breach, scammers capitalize on the news cycle by tricking users into handing over their private information through their own stream of fake messages and websites. It’s more common than you think. People who think they’re at risk after a breach are more susceptible to being duped.

Companies should host any information on their own websites and verified social media pages to stop bad actors from hijacking victims for their own gain. But once you start setting up your own dedicated, off-site page with its unique domain, you have to consider the cybersquatters — those who register similar-looking domains that look almost the same.

Take “email-marriot.com.” To the untrained eye, it looks like the legitimate domain — but many wouldn’t notice the misspelling. Actually, it belongs to Jake Williams, founder of Rendition Infosec, to warn users not to trust the domain.

“I registered the domains to make sure that scammers didn’t register the domains themselves,” Williams told TechCrunch. “After the Equifax breach, it was obvious this would be an issue, so registering the domains was just a responsible move to keep them out of the hands of criminals.”

Equifax, the biggest breach of last year, made headlines not only for its eye-watering hack, but its shockingly bad response. It, too, set up a dedicated site for victims — “equifaxsecurity2017.com” — but even the company’s own Twitter staff were confused, and inadvertently sent concerned victims to “securityequifax2017.com” — a fake site set up by developer Nick Sweeting to expose the company’s vulnerable incident response.

With the Equifax breach not even a distant memory, Marriott has clearly learned nothing from the response.

Many others have sounded the alarm on Marriott’s lackluster data breach response. Security expert Troy Hunt, who founded data breach notification site Have I Been Pwned, posted a long tweet thread on the hotel chain giant’s use of the problematic domain. As it happens, the domain dates back at least to the start of this year, when Marriott used it to ask its users to update their passwords.

Williams isn’t the only one who’s resorted to defending Marriott customers from cybercriminals. Nick Carr, who works at security giant FireEye, registered the similarly named “email-mariott.com” on the day of the Marriott breach.

“Please watch where you click,” he wrote on the site. “Hopefully this is one less site used to confuse victims.” Had Marriott just sent the email from its own domain, it wouldn’t be an issue.

A spokesperson for Marriott did not respond to a request for comment.

Source: Tech Crunch

The internet is indeed an e-world of its own. As of 2012, a survey by Netcraft, a UK-based provider of cybercrime disruption services across a wide range of industries, showed that 144,000 websites were launched daily, which amounts to over 51 million annually.

As of January 2018 (6 years later), the figure stood at 1,805,260,010 (over 1.8 billion) websites. Some of these websites grow big enough to rank among the world wide web’s top 500. Sadly, the rest get almost no visitors and rank lower, not because they are that bad, but because the top can only fit so many at a time.

Below is a carefully researched, compiled and comprehensive list of 10 useful websites you wish you knew earlier.

1. The Internet Map
If not the coolest website on the internet right now, The Internet Map, designed by Ruslan Enikeev as a personal non-commercial project, is, just as the name implies, a map of the internet.


The designer claims that this website continuously archives all other sites on the internet, representing them as dots. The sizes of the dots depict the ranking of the websites according to Alexa (the website ranking algorithm by Amazon), making Google, Facebook and others distinct turquoise spheres among the rest.

2. Radio Garden
Ever been curious enough to imagine how listening to radio stations from other countries would sound? The user interface is quite intuitive, featuring a dynamic world map of live radio across the globe. It has navigation similar to Google Earth and unique features including favorite stations, history lookup, jingle mode, RDS, and mute mode, guaranteed to make you want to bookmark this website immediately.


Aside from most social media websites, Radio Garden ranks among the very few controversial sites where users get otherwise paid content for free. Radio Garden works on a similar concept to radiooooo.com, except that radiooooo lets you choose your desired year and genre of radio.

3. Internet’s first website
http://info.cern.ch/hypertext/WWW/TheProject.html, created by Tim Berners-Lee, is the home of the first website. Considering that there are over 1.8 billion websites in 2018, there were none 27 years ago. This first web page of the internet, published on August 6, 1991, was a landmark informing the world of the World Wide Web project, and it ran on a NeXT computer at the European Organization for Nuclear Research, CERN. It comprised steps on how to create web pages and explained the meaning of hypertext.


In the absence of CSS and simplified website builders such as Dreamweaver, Elementor, Divi, and Envato, prepare your mind for something ‘amazing’ before attempting to open this website.

4. Web Oasis
Most times, it gets boring staring at that static google.com home page right? How about making https://weboas.is/ your homepage instead?
Aside from the cool hacking theme, Web Oasis has prebuilt bookmarks for most websites across the internet, with clear navigation links that unveil on mouse hover, plus a fully customizable user interface and elements, and add-ons for everyday use including News, Tech, Radio, Crypto, a quick notepad editor, Weather, Finance, a secure password generator, and even an arcade game.

It also has an embedded chat room, a 2-character shortcut search engine mode, and a section on the screen’s top right corner showing your local system information. Now, this is the real Google, literally housing all of your wants on a single website.

5. Cymath
If Cymath had been available decades earlier than 2013, the internet would have been a better place, especially for students looking for a step-by-step approach to solving their mathematics problems. Cymath is every student’s dream; you can have all your assignments done, be they graphs or equations.
Its inventors believe in the ideology of open education, and that every student deserves math help that is reliable and accessible, powered by a combination of artificial intelligence and heuristics, so that it solves math problems step by step like a teacher would.

6. Konboot
The fact that this website is available on the surface web is amusing. Konboot prides itself as the world’s best remedy for forgotten passwords for a simple reason: it bypasses the authentication process of your (or probably not your) operating system without overwriting your old password or leaving a digital footprint.
Technically, this website lets you log in to any Windows or Mac operating system with full rights without prior knowledge of the machine’s password. Konboot is designed primarily for tech repairs, forensic teams, and security audits. Piotr Bania is the mastermind behind this rare tool.

7. User testing
Finally, a freebie on the internet that isn’t a hoax? Except that this isn’t free money; you earn it. User testing, or usability testing, pays between $10 and $30 for every website you test. The goal of user testing is to get a digital product in front of a customer as early as possible.
Users are asked to perform a specific task that simulates real-world usage, usually of a website. These tasks can be as easy as opening multiple pages across a selected website while voice and screen are captured, A/B tests, preference tests, and eventually taking a UI/UX review questionnaire afterward. These tests take less than 10 minutes to complete, no experience is required, and there is no cap on the number of tests a user can take per day.

8. Awwwards
Unlike Amazon’s Alexa, which ranks websites with algorithms based on web statistics, visits, relevance, and SEO optimization strategy, Awwwards typically accepts website submissions and allows users to rate these sites based on four distinct features: design, usability, creativity, and content.
Awwwards is the abode of a vast collection of mind-blowing websites across the internet, where users not only get a chance to rate them based on design, creativity, and innovation but also gather unexplored ideas for their next projects. Users are also able to query and search directories based on their respective niche, as well as hire and apply for website design positions site-wide.

9. Rhyme Zone
Are you a poet, song lyricist, essay writer, rapper, or just looking for rhythm? Then you should try out RhymeZone. RhymeZone is arguably the best and fastest way to find English words for any writing. It has been running continuously since 1996.
It is a concise guide for finding corresponding rhymes, antonyms, synonyms, descriptive words, definitions, thesaurus entries, lyrics, poems, homophones, similar-sounding words, related words, similar spellings, picture search, Shakespearean novel search, and letter matching.

10. Library Genesis
Library Genesis is a search engine for the biggest archive of free e-books on the internet, allowing free access to content that is otherwise paywalled or not digitized anywhere else on the internet.
Irrespective of the type of books you read (novels, tech, educational material, LibGen (Sci-Tech), scientific articles, fiction, comics, standards, and magazines), rest assured such books reside here.
LibGen initially used the domain name libgen.org but was forced to shut down and suspend use of the domain name due to copyright issues raised by authors in late October 2015. The LibGen website is blocked by a handful of ISPs in the UK for obvious reasons. As of 5 June 2018, Library Genesis claims its database contains over 2.7 million books and 58 million science magazine files.

Bottomline: Now that you’ve probably bookmarked these rare but real websites, spread the love by telling someone about this today.

In recent decades there has been growing familiarity with terms like Bluejacking (sending unsolicited messages over Bluetooth-enabled devices), Clickjacking (a malicious technique of tricking users into clicking something different from what they perceive), Juice jacking (a cyber attack wherein malware is installed onto, or data surreptitiously copied from, a computer device using a charging port that doubles as a data connection) and Pagejacking (illegally copying a legitimate website’s content to another website with the aim of replicating the original), plus an endless list of other “jacking” terms in computer security, but none like Formjacking.

In September 2018, Formjacking was officially announced by Symantec Corp in this article, with properly outlined records of its massive spread afterward.

Formjacking, which is the use of malicious JavaScript code to steal credit card details and other information from payment forms on the checkout web pages of e-commerce sites, has been making headlines lately.

Taking a closer look at the more technical aspects of formjacking, and at a new campaign affecting many top shopping sites, below is a typical example of a JavaScript injection used for formjacking.

[Image: formjacking script example]

The code shown collects the payment information entered by users on the website and posts it to the domain google-analyitics.org in this scenario. Such domains are usually typo-squatted versions of legitimate ones; here, google-analyitics.org mimics the legitimate Google Analytics domain, google-analytics.com, and is easily accepted as legitimate by users.

Given the increasing number of payment-information-stealing script injections appearing daily, especially from script kiddies who have little or no technical understanding of injection attacks but are skilled enough to use off-the-shelf tools, and judging by current security trends, this was no surprise.

The image below shows how the infection chain is implemented.

This attack chain is unique because it is the exact opposite of the legacy supply-chain formjacking attack, which went viral during the evolution of the e-commerce industry, where attackers compromise popular third-party script library providers. As many websites load these scripts, with one compromise the attacker manages to load their malicious code on a large number of sites all at the same time. These scripts create a script element and set a fixed .js source, which forces the browser to load malicious obfuscated JavaScript from the original website, which in turn collects the entered payment information and posts it back to the attackers’ domain.

The scripts are obfuscated to make detection difficult; they hook the forms on the website and collect all the information entered by visitors. The JavaScript also extracts the URL loaded in the browser and determines whether the checkout page of the original site is active. If it is, the script sends the collected form information, which is now the payment information, back to the attacker-controlled domain. This version of a formjacking script was used in various high-profile breaches such as Ticketmaster UK, Shopper Approved, and Feedify.
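An added example, not from the Symantec or TechCrunch reporting, that ties the typosquatted analytics domain above to the Marriott lookalikes discussed earlier: an edit-distance check against an allowlist of trusted domains, applied to the script sources in a page so a defender can spot a foreign or near-miss host before it ships. The allowlist, the sample HTML and the plain label.tld domain assumption are mine.

```javascript
// Added example, not code from the TechCrunch or Symantec reporting: flag lookalike
// domains such as "email-marriot.com" or "google-analyitics.org" by edit distance
// against an allowlist of domains the defender owns or trusts, then apply the check
// to <script src> hosts in a page. Domains are assumed to be plain "label.tld"
// (no public-suffix list), and the sample HTML and allowlist are constructed.

// Optimal string alignment distance: insertion, deletion, substitution, or a
// swap of two adjacent characters each cost 1.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// "www.email-marriot.com" -> { label: "email-marriot", tld: "com" }
function splitDomain(domain) {
  const parts = domain.toLowerCase().replace(/\.$/, '').split('.');
  const tld = parts.pop();
  return { label: parts.pop() || '', tld };
}

// 'trusted' for an exact registrable-domain match; 'lookalike' when the label is
// within two edits of a trusted label, or identical on a different TLD; else 'unrelated'.
function classifyDomain(hostname, trusted) {
  const c = splitDomain(hostname);
  let best = null;
  for (const t of trusted) {
    const tt = splitDomain(t);
    const dist = osaDistance(c.label, tt.label);
    if (dist === 0 && c.tld === tt.tld) return { verdict: 'trusted', of: t };
    if (dist <= 2 && (best === null || dist < best.dist)) best = { dist, of: t };
  }
  return best ? { verdict: 'lookalike', of: best.of } : { verdict: 'unrelated', of: null };
}

// Extract script src hosts from HTML and report every one that is not trusted.
function suspiciousScriptSources(html, trusted) {
  const re = /<script\b[^>]*\ssrc\s*=\s*["']([^"']+)["']/gi;
  const findings = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const host = new URL(m[1], 'https://shop.example/').hostname;
    const r = classifyDomain(host, trusted);
    if (r.verdict !== 'trusted') findings.push({ src: m[1], host, verdict: r.verdict, near: r.of });
  }
  return findings;
}

// Constructed allowlist and checkout page: one real analytics tag, one typosquat.
const TRUSTED = ['marriott.com', 'email-marriott.com', 'google-analytics.com'];
const SAMPLE_HTML = `<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://google-analyitics.org/ga.js"></script>`;
console.log(suspiciousScriptSources(SAMPLE_HTML, TRUSTED));
```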

Prevalence

In recent months, an uptick in formjacking attacks against high-profile websites across the globe has been noticed. Websites from security-conscious countries like the U.S., Japan, Germany, and Australia, among others, have also been injected with formjacking scripts.

Conclusion

Considering the current standpoint of this vulnerability, which allows attackers to gain unauthorized access to the checkout information of large companies’ customers by exploiting weaknesses in the smaller businesses those companies use to provide different services, the big picture of this attack points to the fact that the actual number of infected websites is bound to be higher.

Unfortunately for prospective and current victims, it is hard, if not impossible, to tell whether a formjacking attack exists or how far it extends, as their websites continue to operate as usual, because attackers are sophisticated, stealthy and take advantage of the fact that this is a much more recent vulnerability.