White collar hackers managed to breach the security measures built in Firefox and Safari at a hacking competition.
No piece of software is without its fair share of vulnerabilities in the world. Web browsers are the most common portal for cyber attacks, being used extensively by hackers for stealing financial credentials. While Google Chrome is one of the most preferred browsers, Firefox and Safari are also present on numerous systems around. And there’s a bad news for users of the latter — they have been detected with multiple vulnerabilities.
Both Firefox and Safari browsers have been detected with multiple vulnerabilities at a hacking competition. Richard Zhu managed to hack into Firefox with a Windows kernel Elevation of Privilege (EoP) at the Pwn2Own hacking event. The hack managed to snatch him a prize money of $50,000. Apple’s Safari was the next one on the list, hacked by Ret2 Systems Inc, who used a macOS kernel EoP to compromise the browser.
It’s to be noted that while the browsers are ridden with several vulnerabilities and issues, none of them has been made public to people with malicious intentions. The hackers helped the companies to detect the unknown issues, which will allow them to rollout a patch in subsequent updates. If you are a Firefox or Safari user, then it’s advisable to keep a tab on the latest update notifications and install them once available for download.
The company would repay the roughly 260,000 owners of NEM coins in Japanese yen, though it was still working on timing and method.
Tokyo-based cryptocurrency exchange Coincheck Inc said it would return about 46.3 billion yen ($425 million) of the virtual money it lost to hackers two days ago in one of the biggest-ever thefts of digital money.
That amounts to nearly 90 percent of the 58 billion yen worth of NEM coins the company lost in an attack that forced it to suspend withdrawals of all cryptocurrencies except bitcoin. Coincheck said in a statement it would repay the roughly 260,000 owners of NEM coins in Japanese yen, though it was still working on timing and method.
The theft underscores security and regulatory concerns about bitcoin and other virtual currencies even as a global boom in them shows little signs of fizzling. Two sources with direct knowledge of the matter said Japan’s Financial Services Agency (FSA) sent a notice to the country’s roughly 30 firms that operate virtual currency exchanges to warn of further possible cyber-attacks, urging them to step up security.
The financial watchdog is also considering administrative punishment for Coincheck under the financial settlements law, one of the sources said. Japan started to require cryptocurrency exchange operators to register with the government only in April 2017. Pre-existing operators such as Coincheck have been allowed to continue offering services while awaiting approval. Coincheck’s application, submitted in September, is still pending.
Coincheck told that its NEM coins were stored in a “hot wallet” instead of the more secure “cold wallet”, outside the internet. Asked why company President Koichiro Wada cited technical difficulties and a shortage of staff capable of dealing with them.
In 2014, Tokyo-based Mt. Gox, which once handled 80 percent of the world’s bitcoin trades, filed for bankruptcy after losing around half a billion dollars worth of bitcoins. More recently, South Korean cryptocurrency exchange Youbit last month shut down and filed for bankruptcy after being hacked twice last year.
World leaders meeting in Davos last week issued fresh warnings about the dangers of cryptocurrencies, with US Treasury Secretary Steven Mnuchin relating Washington’s concern about the money being used for illicit activity.
McAfee forecasts developments in adversarial machine learning, ransomware, serverless apps and more.
McAfee Inc. released its McAfee Labs 2018 Threats Predictions Report, which identifies five key trends to watch in 2018. This year’s report focuses on the evolution of ransomware from traditional to new applications, the cybersecurity implications of serverless apps, the consumer privacy implications of corporations monitoring consumers in their own homes, long-term implications of corporations gathering children’s user-generated content, and the emergence of a machine learning innovation race between defenders and adversaries.
“The evolution of ransomware in 2017 should remind us of how aggressively a threat can reinvent itself as attackers dramatically innovate and adjust to the successful efforts of defenders,” said Steve Grobman, Chief Technology Officer for McAfee, LLC. “We must recognise that although technologies such as machine learning, deep learning, and artificial intelligence will be cornerstones of tomorrow’s cyber defences, our adversaries are working just as furiously to implement and innovate around them. As is so often the case in cybersecurity, human intelligence amplified by technology will be the winning factor in the ‘arms race’ between attackers and defenders.”
The report reflects the informed opinions of dozens of McAfee thought leaders from McAfee Labs, McAfee Advanced Threat Research, and members of McAfee’s Office of the CTO. It examines current trends in cybercrime and IT evolution, and anticipates what the future may hold for organizations working to take advantage of new technologies to both advance their businesses and provide better security protection:
1. An adversarial machine learning “arms race” will develop between defenders and attackers.
Machine learning can process massive quantities of data and perform operations at great scale to detect and correct known vulnerabilities, suspicious behaviour, and zero-day attacks. But adversaries will certainly employ machine learning themselves to support their attacks, learning from defensive responses, seeking to disrupt detection models, and exploiting newly discovered vulnerabilities faster than defenders can patch them.
To win this arms race, organizations must effectively augment machine judgment and the speed of orchestrated responses with human strategic intellect. Only then will organizations be able to understand and anticipate the patterns of how attacks might play out, even if they have never been seen before.
2. Ransomware will pivot from traditional extortion to new targets, technologies, and objectives.
The profitability of traditional ransomware campaigns will continue to decline as vendor defences, user education, and industry strategies improve to counter them. Attackers will adjust to target less traditional, more profitable ransomware targets, including high net-worth individuals, connected devices, and businesses.
The pivot from the traditional will see ransomware technologies applied beyond the objective of extortion of individuals, to cyber sabotage and disruption of organizations. This drive among adversaries for greater damage, disruption, and the threat of greater financial impact will not only spawn new variations of cybercrime “business models,” but also begin to seriously drive the expansion of the cyber insurance market.
“While much about the motives behind WannaCry and NotPetya are still debated, the use of pseudo ransomware is likely to continue, partly due to the ease with which as-a-service providers can make such techniques available to anybody with the means to pay,” said Raj Samani, Chief Scientist and head of McAfee Advanced Threat Research. “Such attacks could be sold to parties seeking to paralyze national, political and business rivals, which raises perhaps the biggest, unavoidable ransomware question of 2017: Were WannaCry and NotPetya actually ransomware campaigns that failed in their objectives to make significant revenue? Or perhaps incredibly successful wiper campaigns?”
3. Serverless apps will save time and reduce costs, but they will also increase attack surfaces for organisations implementing them.
Serverless apps enable greater granularity, such as faster billing for services. But they are vulnerable to attacks exploiting privilege escalation and application dependencies. They are also vulnerable to attacks on data in transit across a network, and potentially to brute-force denial of service attacks, in which the serverless architecture fails to scale and incurs expensive service disruptions.
Function development and deployment processes must include the necessary security processes, scalability capabilities must be made available, and traffic must be appropriately protected by VPNs or encryption.
4. Connected home device manufacturers and service providers will seek to overcome thin profit margins by gathering more of our personal data—with or without our agreement—turning the home into a corporate storefront.
Corporate marketers will have powerful incentives to observe consumer behaviour in order to understand the buying needs and preferences of the device owners. Because customers rarely read privacy agreements, corporations will be tempted to frequently change them after the devices and services are deployed to capture more information and revenue.
McAfee believes that there will be regulatory consequences for corporations that make the calculation to break existing laws, pay fines, and continue such practices, thinking they can do so profitably.
5. Corporations collecting children’s digital content will pose long-term reputation risks.
In their pursuit of user app “stickiness,” corporations will become more aggressive in enabling and gathering user-generated content from younger users. In 2018, parents will become aware of notable corporate abuses of digital content generated by children, and consider the potential long-term implications of these practices for their own children.
McAfee believes many future adults will suffer from negative “digital baggage,” user content developed in a user-app environment where socially appropriate guidelines are not yet well defined or enforced, and where the user interface is so personally engaging that children and their parents do not consider the consequences of creating content that corporations could use andpotentialabuse in the future.
In a competitive app environment where “stickiness” easily becomes “unstuck,” the most enterprising, forward-looking apps and services will recognize the brand-building value of making themselves a partner with parents in this education effort.
In the corporate world, McAfee predicts that the May 2018 implementation of the European Union’s General Data Protection Regulation (GDPR) could play an important role in setting ground rules on the handling of both consumer data and user-generated content in the years to come. The new regulatory regime impacts companies that either has a business presence in EU countries, or process the personal data of EU residents, meaning that companies from around the world will be compelled to adjust the way in which they process, store, and protect customers’ personal data. Forward-looking businesses can leverage this to set best practices that benefit customers using consumer appliances, content-generating app platforms, and the online cloud-based services behind them.
"The year 2018 could well be remembered most for how we finally started to tackle data protection and for whether consumers truly have the right to be forgotten," said Vincent Weafer, Vice President at McAfee Labs. “The large-scale gathering of personal information and user-generated content opens consumers up to the risk of data misuse, abuse, and even compromise. Irresponsible service providers can overindulge in the gathering and monetization, allowing user privacy to be carried away by market forces, data to be compromised, and user reputations threatened years into the future. GDPR makes 2018 a critical year for establishing how responsible businesses can pre-empt these issues, respecting users' privacy, responsibly using consumer data and content to enhance services, and setting limits on how long they can hold the data.”