TeamViewer hack – PCs hijacked and bank accounts drained
TeamViewer, the remote desktop connection software that lets users share screens and allow remote access from anywhere in the world, recently went offline, allegedly due to a DoS attack. Users, however, claim that their computers were hijacked and PayPal accounts emptied during the time TeamViewer was offline. According to sources, hackers are using TeamViewer to access the computers and then accessing bank accounts using saved browser passwords, or installing forms of ransomware. TeamViewer denies it has been hacked. To protect against hackers, TeamViewer recommends that users enable two-factor authentication, which adds a layer of protection on top of just knowing your password. Some users who use two-factor authentication have still experienced malicious logins. Other tips include using strong passwords unique to TeamViewer.
LinkedIn hacked in 2012, have you been pwned?
We wrote last time about the discovery of a huge dump of data, potentially containing user details of millions of people. Since then, this data has been examined and uploaded to Troy Hunt’s ‘Have I Been Pwned’ site, making it searchable. It was soon revealed that a chunk of the data had been taken from the LinkedIn business networking site back in 2012, prompting a full password reset for all users, hundreds of millions of them, whose passwords had not been reset since the breach took place. As usual, the breach revealed that a majority of users continue to hold very weak passwords, so when resetting yours we would recommend that you use one with a good combination of upper and lower case letters, numbers and symbols to make it impossible for anyone to guess.
Encryption legislation looking unlikely
Another big story which has been doing the rounds in recent weeks is a badly drafted Senate bill which was designed to make encryption backdoors mandatory. Although the bill clearly held no water, the fact that it was even drafted added more fuel to the fire of the encryption debate, and the responsible senators were duly lambasted. Unsurprisingly, it has now been confirmed that this bill won’t be going ahead, and we now await the next stage in the encryption legal conundrum. Whether we’ll have our answer before the next US Government is put in place remains to be seen.
Australia’s TrainLink breach being investigated by police
New South Wales’ public transport company TrainLink has recently suffered a breach, which potentially could affect some credit card details. The breach affected their online reservations system and the company are currently working with police and the banks to figure out the extent of the breach. Meanwhile, they have warned customers to be extra vigilant regarding their finances and any potential fraudulent activity. The Australian Cyber Emergency Response Team have also been called in, suggesting there is a legitimate cause for concern.
Philippines bank attack may have been committed by same group as Bangladesh attack
Back in February, a US Federal Reserve account held at the Bank of Bangladesh was hit to the tune of $81m. Now that the attack has been investigated, there are claims that it may have been carried out by the same group who attempted to steal from a bank in the Philippines around the same time. They are also being credited with an attack on a bank in Ecuador, where $12m was stolen, and a failed attempt on a Vietnamese bank. These claims are said to be based on similarities in the code of the malware used in the attacks, which would also link it to a tool used in the Sony breach. We are yet to see any confirmation from the authorities that these claims are true or that any progress has been made in identifying and apprehending those responsible.
Tor network beefing up encryption ahead of next release
It will come as little surprise that the Tor project have announced an enhancement to their encryption mechanisms, due in their next release. The network had famously been infiltrated by the FBI, who have since refused to reveal their methods in court, a bold move which may have allowed a paedophile to go free due to lack of evidence. Since the FBI used its exploit to gain access to the network, users have been less confident in using the platform, so strengthening security was a necessity for the project.
Details given on the new measures include the introduction of a distributed random number generator. This would make their encryption key generation methods near-impossible to crack through analysis, thereby hopefully preventing any further exploits from the authorities. The next release is still months away and more changes are to be expected.
Google bug bounty programme finds 23 Chrome vulnerabilities
Google have just patched over 40 vulnerabilities in their Chrome browser, with 23 of them having been discovered as a result of their bug bounty programme. Nine of these were considered medium to high in severity, and in total the bounties paid out amount to $65k. The remarkable part of this is that half of this went to just one researcher, Polish bug hunter Mariusz Mlynski, who uncovered four cross-origin bypasses.
Blame for UK banking fraud may fall on victims
In a rumoured development which has so far gone under the radar of the mass media, there are moves in the UK to shift the liability for fraudulent banking activities. The Financial Times reported that those individuals and companies with poor online security could in future be ‘frozen out’ of systems allowing them to be recompensed by their bank. Naturally, any such move would be hugely controversial, with experts suggesting that it ought to be the responsibility of the banks to strengthen security and authentication processes rather than blaming customers for these incidents. As yet, this is simply rumour and no bill has been proposed.