Skip links

GuardNet Info

Your Private Guard

Main navigation

Trump Hotels Hit By 3rd Card Breach in 2 Years

by 2 Comments

A carding shop that sells stolen credit cards and invokes 45's likeness and name. No word yet on whether this cybercriminal store actually sold any cards stolen from Trump Hotel properties.

Maybe some of you missed this amid all the breach news recently (I know I did), but Trump International Hotels Management LLC last week announced its third credit-card data breach in the past two years. I thought it might be useful to see these events plotted on a timeline, because it suggests that virtually anyone who used a credit card at a Trump property in the past two years likely has had their card data stolen and put on sale in the cybercrime underground as a result.

Sabre Corp.experienced a significant breach of its payment and customer data tied to bookings processed through a reservations system that serves more than 32,000 hotels and other lodging establishments. Last week, Trump International Hotels disclosed the SABRE breach impacted at least 13 Trump Hotel properties between August 2016 and March 2017. Trump Hotels said it was first notified of the breach on June 5.

NukeBot banking trojan

by Leave a Comment

New “operational” samples of the NukeBot banking trojan have emerged months after its original creator published its source code.

NukeBot’s source code leak, which occurred in late March 2017, apparently attracted the attention of malware developers seeking to push out their own threats.

Kaspersky Lab’s Sergey Yunakovsky spotted some of those new samples in the wild. A few are “active,” but most of them only in a limited form. As Yunakovsky explains:

“We managed to get our hands on a number of compiled samples of the Trojan. Most of them were of no interest, as they stated local subnet addresses or localhost/127.0.0.1 as the C&C address. Far fewer samples had ‘genuine’ addresses and were ‘operational’. The main functionality of this banking Trojan is to make web injections into specific pages to steal user data, but even from operational servers we only received ‘test’ injections that were included in the source code as examples.”

Test injections from the NukeBot source code.

Test injections from the NukeBot source code.

Most of the versions detected by Yunakovsky and his colleagues come with either plaintext or encrypted strings. From that data, Kaspersky Lab extracted NukeBot’s command and control (C&C) addresses. These assets send the malware a RC4 key for decrypting injections after the trojan has successfully established contact.

The web injections conducted by some of NukeBot’s “combat versions” reveal that the malware is mainly going after French and U.S. users’ banking credentials.

Fortunately, at most five percent of the samples detected by Kaspersky were combat-ready. But that doesn’t mean there could be more in the future. As Yunakovsky rightly notes:

“It is still unclear if these versions were created by a few motivated cybercriminals and the use of NukeBot will taper off soon, or if the source code has fallen into the hands of an organized group (or groups) and the number of combat-grade samples is set to grow.”

To guard their banking credentials against threats like NukeBot, it’s important that users install an anti-virus solution on their computers and exercise caution around suspicious links and email attachments.

You should also enable two-factor authentication (2FA) if it is available on your bank account. Some trojans can bypass this security feature, but doing so considerably raises the stakes of an attack beyond the interest or capabilities of ordinary computer criminals.

Adobe, Microsoft Push Critical Security Fixes

by Leave a Comment

The updates from Microsoft concern many of the usual program groups that seem to need monthly security fixes, including Windows, Internet Explorer, Edge, Office, .NET Framework and Exchange.

According to security firm Qualys, the Windows update that is most urgent for enterprises tackles a critical bug in the Windows Search Service that could be exploited remotely via the SMB file-sharing service built into both Windows workstations and servers.

Qualys says the issue affects Windows Server 2016, 2012, 2008 R2, 2008 as well as desktop systems like Windows 10, 7 and 8.1.

“While this vulnerability can leverage SMB as an attack vector, this is not a vulnerability in SMB itself, and is not related to the recent SMB vulnerabilities leveraged by EternalBlue, WannaCry, and Petya.” Qualys notes, referring to the recent rash of ransomware attacks which leveraged similar vulnerabilities.

8tracks data leak exposed 18 million user accounts

by Leave a Comment

The Music streaming service 8tracks suffered a major data leak, 18 million user accounts have been exposed and is available online.

Music streaming service 8tracks has been affected by a major data leak that exposed ‘millions’ of customer details.

The leak seems to have been caused by a staffer that erroneously exposed 18 million user accounts. The employee left some markers on his GitHub account that breached by hackers.

The lack of security for the GitHub repository seems to be the root cause of the breach, the employee wasn’t using two-factor authentication. The staffer was keeping backups of database tables in his repository.

“We received credible reports today that a copy of our user database has been leaked, including the email addresses and encrypted passwords of only those 8tracks users who signed up using email. If you signed up via Google or Facebook authentication, then your password is not affected by this leak. 8tracks does not store passwords in a plain text format, but rather uses one-way hashes to ensure they remain difficult to access. These password hashes can only be decrypted using brute force attacks, which are expensive and time-consuming, even for one password.” states the breach notification published by the company,

“We have found what we believe to be the method of the attack and taken precautions to ensure our databases are secure. 8tracks does not store sensitive customer data such as credit card numbers, phone numbers, or street addresses.”

According to the post published by the Music streaming service, 8tracks passwords hashed and salted, users that signed up to 8Tracks via Google or Facebook aren’t affected.

8Tracks confirmed to have identified an unauthorised attempt at a password change and investigation is still ongoing.

“We do not believe this breach involved access to database or production servers, which are secured bypublic/private SSH-key pairs. However, it did allow access to a system containing a backup of database tables, including this user data.” continues the company.”We have secured the account in question, changed passwords for our storage systems, and added access logging to our backup system. We are auditing all our security practices and have already taken steps to enforce 2-step authentication on Github, to limit access to repositories, and to improve our password encryption.”

As usual, let me recommend to change your password on 8tracks and any websites on which you used the same login credentials.

Company fired an employee, he shut down water utility providers’ networks in 5 cities

by Leave a Comment

A former employee was sentenced to one year and one day in prison for damaging the IT networks of several water utility providers across the US East Coast.

Adam Flanagan (42) of Bala Cynwyd, PA was sentenced to one year and one day in prison by a Pennsylvania court for damaging the IT networks of several water utility providers across the US East Coast.

The news was reported by Bleeping Computer, the man worked between November 2007 and November 2013 as engineer for an unnamed company that manufactured smart water, electric, and gas readers.

Among the Flanagan’s tasks, there was the set up of Tower Gateway Basestations (TGB) for the customers, which were mainly water utility networks.
The Tower Gateway Basestations are essential components for water facility networks composed of smart meters installed at people’s homes that exchange data with water facility operators’ systems.

These networks allow water facility operators to collect consumption data and check the status of the installs at the customers’ homes.

On November 16, 2013, the company fired Flanagan for undisclosed reasons, then the man decided to punish the company by shutting down the TGB stations paralyzing the water facility networks of the company customers. Flanagan also changed passwords on some TGBs, using offensive words.

The utility providers had to send out employees at customer homes to collect monthly readings about their consumption.

“According to court documents, the FBI tracked down Flanagan’s actions to six incidents in five cities across the US East Coast: Aliquippa (Pennsylvania), Egg Harbor (New Jersey), Kennebec (Maine), New Kensington (Pennsylvania), and Spotswood (New Jersey).”reported  from Bleepingcomputer.

The investigators were able to identify the former employee as the responsible of the incidents, then the US authorities filed charges on November 22, 2016. Flanagan faced a maximum sentence of 90 years in prison, plus a $3 million fine. He pleaded guilty on March 7, 2017, before receiving his sentence on June 14, 2017.

Flanagan faced a maximum sentence of 90 years in prison, plus a $3 million fine. He pleaded guilty on March 7, 2017 and on June 14, 2017 he was sentenced to one year in the jail, let me say that judges were clement.

UK politicians’ login credentials up for sale in the dark web

by Leave a Comment

Russians hackers are offering for sale on the dark web login credentials of thousands of top UK politicians, top officials, and diplomats.

According to The Times, Russians hackers are selling on the dark web login credentials of thousands of top UK politicians, top officials, and diplomats.

Journalists at the British newspaper have found two huge lists of stolen credentials that were available for sale on Russian-speaking hacking sites. The huge trove of credentials included the log-in details of 1,000 British MPs and parliamentary staff, 7,000 police employees and over 1,000 Foreign Office officials.

“Passwords belonging to British cabinet ministers, ambassadors, and senior police officers have been traded online by Russian hackers, an investigation by The Times has found.” reads The Times. “Two huge lists of stolen data reveal private log-in details of 1,000 British MPs and parliamentary staff, 7,000 police employees and more than 1,000 Foreign Office officials, an analysis shows — including the department’s own head of IT.”

According to experts that analyzed the lists speculate they are composed of old credentials. The list appears as composed starting from data coming from old data breaches such as LinkedIn and MySpace.

“They include passwords used by the former ambassador to Israel and the director-general of the Department for Exiting the European Union.” continues The Times.

The main risk is related to the possibility that victim used the same credentials to access other sensitive systems and networks.

It is interesting to note that despite official guidance advising the use of strong passwords, the data leak shows that many politicians were using easy to guess passwords.

“Peter Jones, the Foreign Office’s chief operating officer, who has overall responsibility for IT, appears to have used a highly insecure password which occurred more than 3,700 times in one of the lists.” continues the newspaper.

Many victims re-used insecure passwords on multiple websites. such as the former Cabinet Office minister Brooks Newmark,