Hackers break into the Tesla car web browser to win a Model 3

Tesla Model 3

Well it’s certainly one way to get yourself a Model 3: hackers have successfully exploited a security hole in Tesla’s in-car browser at the Pwn2Own hacking contest, earning themselves one of the electric cars as a prize.

TechCrunch reports that Richard Zhu and Amat Cam – aka team Fluoroacetate – were able to bypass various security measures to get a message displayed on the browser.

Tesla has said it will issue a fix for the bug to prevent it being exploited in the future. Meanwhile, the Fluoroacetate team walked away from Pwn2Own with some $375,000 (about £283,700 or AU$529,100) in prize money, as well as their new car.

“We understand that this demonstration took an extraordinary amount of effort and skill, and we thank these researchers for their work to help us continue to ensure our cars are the most secure on the road today,” said Tesla in a statement.

Browser changes

It’s worth pointing out that the bug that Zhu and Cam exploited was limited to the browser – they weren’t able to take control of the car or anything like that.

At the same hacking conference, hundreds of thousands of dollars were paid out for bugs discovered in Apple Safari, Microsoft Edge, Microsoft Windows, VMware Workstation and Mozilla Firefox.

In other Tesla browser-related news, CEO Elon Musk announced on Twitter that the in-car software would soon be making the switch to Chromium – the same open source code that Google Chrome is built on.

Whether or not that makes the browser more secure remains to be seen, but as always, don’t try browsing the web and driving a car at the same time.

View Source Here

Banking Malware uses Fake reCAPTCHA page to target banking customers

A fake Google reCAPTCHA is one of the latest email campaigns to target a Polish bank. Sucuri researchers reported their discovery on Thursday via its blog.

How it works

Victims are typically targeted emotionally as hackers play on the urgent feeling a user gets when receiving an email relating to their financial affairs. They receive a fake confirmation email requesting them to confirm a recent transaction they carried out. As the hacker sends generalised emails, it is not specific to an actual transaction. This email will contain an attachment with a malicious.PHP file. PHP files are often used as web page files to generate HTML from a PHP engine running on a web server. The hacker will obfuscate their malicious content hidden within, to search the current directory of files with the same extensions. In this instance, the malicious email contains a log which takes the users login and serves a fake 404 error page to users with defined user agents

Where the Google reCAPTCHA replica page comes in

When a request goes through the user-agent filter, the PHP code loads a fake reCAPTHCA and determines which malware to put on users’ machines. It loads the fake page by using a combination of HTML elements and JavaScript. As these elements are static, the only way a user will be able to tell the page is fake is the fact that the still images remain the same. The only time it changes is if the malicious PHP file’s coding changes. Another way to spot the difference is to play the audio. With the fake page, this will not work.

When determining whether to put the .zip dropper or an .apk type malware on the users’ device, the PHP rechecks the user-agent. The .apk type malware will, for example, download it detects the users’ device runs on Android.

Upon the malware storing itself on a users’ device, it starts to intercept SMS multifactor authentication and further steals credentials.

Phishing emails continue to rise as well as the constant changes in  tactics carried out. The banking and financial sector particularly are frequent targets with the Bankbot Anubis Found Again in Google Play store, Redaman Banking Malware, Gozi and Gandcrab on the rise.

Original Source Here


Cryptocurrency Broker Had 450,000 of its Users Credentials Leaked on The Darkweb

Cryptocurrency broker, Coinmama, suffered a data breach with around 500,000 customers’ emails and password credentials compromised. Customers affected stretch back as far as 2017.

Coinmama is an online broker dealing with the exchange of Bitcoins and Etherium. It allows customers to buy e-currency easily with the option to purchase with a credit card. With over 1,250,000 customers since 2013, it boasts a large database and a great platform to steal masses of data from.

It comes at a time where a spade of large companies’ websites are experiencing the same breaches. MyFitnessPal. Houz and Coffee Meets Bagel are just a few of the affected companies. For more on these stories, check out ‘A Further 127 Million Users Records Found for Sale on the Dark Web’

Similarly, the latest bundle offered by the hacker, Gnosticplayers, include Coinmama’s 450,000 records. This will be the third round of mass data dumps. It is on offer for 0.351 Bitcoin (£1051), with 70,000 cracked passwords.

What do we know about Gnosticplayers

Hacker, Gnosticplayers is suspected of being behind mass data breaches happening across large company websites. Targeting such companies allowed the actor to get their hands on data in large amounts because of the companies’ large clientele.

Details on how the actor is stealing the data remain unclear. Researchers have noticed that one common trend with the attacks is the exploitation of the software PostgreSQL. There are suggestions that there are vulnerabilities in this open source software that the hacker was able to take advantage of. However, Postgre SQL developers disputed this fact stating that they are not aware of any vulnerabilities. The last known vulnerability was late last year. CVE-2018-16850 allowed an attacker to cause arbituary SQL statements to run with superuser privileges. PostgreSQL consequently released updates for all versions of the software. Alternatively, its surrounding applications have flaws that accessed PostgreSQL. Another tactic of Gnosticplayers is to target email addresses, username, passwords, phone numbers and IP addresses.

In a recent Interview with ZDNET, the alleged hacker claimed that he is directly behind the attacks and does not only act as a mediator. He also mentioned his intention is to sell over 1 billion stolen records and disappear shortly after. He is not far from his target as the total figure to date is just over 830 million.

Recommended steps Coinmama customers should take

It is recommended customers take this opportunity to change their passwords. These changes include their Coinmama account, their connected email account and to other accounts, they have with the same or similar passwords.

Additionally, users should take this opportunity to add multi-factor authentication to any of their user accounts that provide this for extra security.

Coinmama issued a statement via a blog updating its customers before the weekend about the breach that took place and its swift actions to remediate the breach. Despite this, the data resurfaced on the dark web for sale during the weekend.

Original Source Here

Cyberattack on VFEmail erases 18 years worth of customer details, including all backups

A hacker gained access to US VFEmail servers attacking and destroying data contained within. Their destruction affected 18 years’ worth of customer emails and included data held in all file and backup servers. One longtime user from Florida, John Senchak, had 60,000 emails going back a decade, wiped from his inbox and outbox.

The motive remains unclear as to why the hacker targeted VFEmail but the evidence so far shows it was to destroy data. VFEmail, an email service provider, primarily in the US, issued the following statement:

“This person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can,”

The attack, which occurred earlier this week targeted externally facing servers across the data centres. The hacker managed to gain access to each operating system and bypassed various authentication measures, changing it all to the same details. The unidentified hacker also attacked VFEmail’s server based in the Netherlands. VFEmail discovered the attack at this point and consequently kicked the hacker out of the system. The IP address traced back to a service provider in Bulgaria. Restoration efforts took place, and by Monday afternoon the servers were back up and running and paid customers were receiving emails.

Organisations can put measures in place to mitigate the impact of such attacks

Cases like this are a wake-up call for organisations to ensure business continuity plans are in place with set procedures for circumstances like this that can occur. Businesses should aim to both risks assess threats to the company and carry out business impact assessments to examine and put appropriate procedures in place to bring business back to the point of normality having a little impact as possible. Preserving the availability of data is crucial to maintaining the security of data assets. Process and procedures should be mapped out for both business continuity and disaster recovery. Methods such as offline backups is an example of controls organisations need to ensure are in place following assessments. This is already a standard control in place by companies to mitigate the impact of ransomware. Testing these procedures will also allow organisations to see how effective the measures are.

Original Source Here

Stay Anonymous with kali-anonsurf

Greetings all,

Its been a while since i actually wrote a tutorial. I have been lost in space but i think i am back now.

The tutorial i want to share today is in regards to a tool call “kali-anonsurf”, this is by far the best and easiest method to set your kali system to run all its services through Tor. And more importantly, the setup is fast and convenient.

Personally i happen to cross upon this while using “The Lazy Script” and found it to be really convenient. But for this tutorial, instead of using The Lazy Script, we shall manually install it.

Lets Begin:

1) Start up your kali and load up a terminal.

2) Type : git clone https://github.com/Und3rf10w/kali-anonsurf

3) Type : cd kali-anonsurf to make your way into the directory.

4) To begin installing, type : ./installer.sh

5) To launch kali-anonsurf , type : anonsurf

6) As you can see the switches are pretty straight foward. But lets go througt them.

7) To start your anonsurf, simply open a terminall and type : anonsurf start

8) In the event you would like to stop and restart your Anonsurf, simply type : anonsurf restart

9) If you feel the need to change your identity on your Tor network, simply type : anonsurf change

10)  To check if your Tor is set up successfully, type: anonsurf status

11) To check your new IP address, simply type : anonsurf myip

12)  To launch the i2p service, type : anonsurf starti2p

13) You will be presented the page shown below to adjust your settings.

14) And ofcourse to stop your i2p service, type : anonsurf stopi2p

15) Lets take a look at my current Tor enabled IP address.

16) 5 mins later, the IP successfully changes.

17)  As you can see, kali-anonsurf is successfully set up! Happy Anonymous Surfing!!

Hope that helps.

The Messiah

Vulnerability In Xiaomi Electric Scooters Allows Attackers to Take Control of the Machine

Xiaomi electric scooters

Electric scooters have proved to be a convenient form of travel for some over short distances. Security researchers have highlighted another problem. As discovered, Xiaomi electric scooters bear serious vulnerabilities. Exploiting the flaws could allow an attacker to remotely hack the scooters and execute commands, such as sudden breaks.

Security Flaw Discovered In Xiaomi Electric Scooters

A researcher Rani Idan from Zimperium has discovered a serious vulnerability in Xiaomi electric scooters. As per his findings, the vulnerability could allow an attacker to take control of the machine. A successful remote attack could then result in sudden breaking or acceleration.

Reportedly, he discovered problems with the user authentication process of the scooters. Describing the details of his findings in a blog post, Idan stated,

“During our research, we determined the password is not being used properly as part of the authentication process with the scooter and that all commands can be executed without the password.”

Precisely, the scooters keep no track of the authentication state as the password validation takes place at the app side only. As a result, it becomes easy for an attacker to exploit the bug by sending any malicious payload to execute desired commands. The attacker may be present anywhere within proximity of 100 meters from the target device.

Idan has demonstrated the exploit in the following video. It shows successful locking of the Xiaomi M365 scooters by sending crafted payload.

A Temporary Mitigation Might Help

The researcher confirmed that he has disclosed the flaw responsibly. However, Xiaomi hasn’t patched the bug yet despite knowing about the vulnerability since January 28, 2019. Even in their acknowledgment to the researcher, they confirmed their knowledge of the flaw.

Nonetheless, the researcher suggests users connect the Xiaomi app to their mobiles before riding, as a temporary mitigation.

“Once your mobile is connected and kept connected to the scooter an attacker won’t be able to remotely flash malicious firmware or lock your scooter.”

Original Source Here