Why is a 22GB database containing 56 million US folks’ personal details sitting on the open internet using a Chinese IP address?

Exclusive: A database containing the personal details of 56.25m US residents – from names and home addresses to phone numbers and ages – has been found on the public internet, served from a computer with a Chinese IP address, bizarrely enough.

The information silo appears to belong to Florida-based CheckPeople.com, which is a typical people-finder website: for a fee, you can enter someone’s name, and it will look up their current and past addresses, phone numbers, email addresses, names of relatives, and even criminal records in some cases, all presumably gathered from public records.

However, all of this information is not only sitting in one place for spammers, miscreants, and other netizens to download in bulk, but it’s being served from an IP address associated with Alibaba’s web hosting wing in Hangzhou, east China, for reasons unknown. It’s a perfect illustration that not only is this sort of personal information in circulation, but it’s also in the hands of foreign adversaries.

Read more at https://www.theregister.co.uk/2020/01/09/checkpeoplecom_data_exposed/

CyberSecurity: Hackers can steal your card info at a gas station using card skimmers

What is a Card Skimmer?

Credit card skimming is a type of credit card theft where crooks use a small device to steal credit card information in an otherwise legitimate credit or debit card transaction. When a credit or debit card is swiped through a skimmer, the device captures and stores all the details stored in the card’s magnetic stripe.

You might be wondering how every little thing gets weaponized to steal your hard-earned money.

Gas station pumps are a different story, however. Most can easily be opened using a universal key, which isn’t hard to acquire, allowing the skimming hardware to be installed inside so it’s completely invisible to unsuspecting users.

To retrieve the data that’s collected throughout a day, like card numbers and PINs, criminals just need to pull up nearby and download it all over a wireless Bluetooth connection.

How do hackers use card skimmers?

Read more at https://www.thebalance.com/how-credit-card-skimming-works-960773

Is there any solution to this problem?

The team from the University of California San Diego, who worked with other computer scientists from the University of Illinois, developed an app called Bluetana which not only scans for and detects Bluetooth signals, but can actually differentiate those coming from legitimate devices – like sensors, smartphones, or vehicle tracking hardware – from card skimmers that are using the wireless protocol as a way to harvest stolen data.

So far, the Bluetana app has successfully identified 42 gas stations in the United States. As of now, the details of the smartphone app have not been made public, because hackers would find a way to bypass the app’s algorithm.

CyberSecurity: Hacked Pakistani bank cards for sale on the dark web again

Abstract

Hackers put the purloined details from 177,878 cards for sale on the dark web market Joker’s Stash around Nov. 13, according to Moscow-based cybersecurity company Group-IB, with 150,632 of those records appearing to come from Pakistani banks. An Oct. 27 breach led at least one bank, Karachi-based BankIslami, to shut down certain operations. Soon afterward, the cybersecurity organization PakCERT found thousands of Pakistani bank card records on the dark web.

Full story here: https://www.cyberscoop.com/hacked-pakistani-bank-cards-sale-dark-web/

CyberSecurity: Holy Shit! Hashcat tool cracks 55 Character Passwords

Holy shit! That’s exactly how I felt when I read about Hashcat, a freely available tool that also ships in the Kali Linux application set. It is a fast and reliable way to crack passwords of up to 55 characters. Tools like this always have two sides:

  1. Cybercriminals steal the data and use this tool to crack the passwords.
  2. On the other hand, companies can stress-test their users’ passwords and their password policy.

Scared & Still looking for answer? Keep reading…

You might be thinking: all security experts tell ordinary people to use a strong password, but if a tool can crack any password no matter how long it is, how strong a password can any human being set and still remember? Have passwords become useless in the face of advancing technology?

Length is still important, but rather than just a combination of words or phrases, a password should be a mix of letters, numbers and punctuation symbols, and everybody should keep each password strong and unique to a single application. Not reusing passwords is a good way to keep yourself safe.

All you can do is keep your passwords strong enough to make them harder for hackers to crack. Making their job tough is one way to buy some time before they hit you.

So, how does Hashcat break a password?

Hashcat basically needs the password hash in order to crack the password, so any criminal or penetration tester first needs to obtain that hash. There are multiple ways of obtaining hashes, such as DLL injection on Windows systems or capturing the hash in transit. Kali Linux ships the tool in its application set; you can explore it further if you are interested.
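To make the "buy some time" argument concrete, here is an added Python example (not code from the original post, and not Hashcat's) that estimates how long a brute-force search of a password's character space would take, and shows how a salted, iterated hash such as PBKDF2 multiplies that cost compared with a single fast hash. The guess rate of 10 billion per second is a constructed figure for illustration, not a measured benchmark.

```python
import hashlib
import math
import os
import secrets
import string
from typing import Optional, Tuple

# Character classes the post recommends mixing, keyed by the alphabet each contributes.
CHARSETS = {
    "lower": string.ascii_lowercase,  # 26
    "upper": string.ascii_uppercase,  # 26
    "digit": string.digits,           # 10
    "punct": string.punctuation,      # 32
}
# Constructed guess rate for a fast unsalted hash on a GPU rig: an assumption for illustration, not a benchmark.
FAST_HASH_GUESSES_PER_SECOND = 1e10
PBKDF2_ITERATIONS = 600_000

def keyspace_bits(password: str) -> float:
    """Bits of search space a brute-force attacker must cover: length * log2 of the
    combined alphabet of every character class the password actually uses."""
    alphabet = sum(len(cs) for cs in CHARSETS.values() if any(c in cs for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """On average the attacker succeeds after searching half of the keyspace."""
    return (2.0 ** bits / 2.0) / guesses_per_second

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Salted, iterated PBKDF2-HMAC-SHA256: each guess costs `iterations` HMAC calls
    instead of one hash, and the per-user salt defeats precomputed tables."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = PBKDF2_ITERATIONS) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return secrets.compare_digest(candidate, digest)  # constant-time comparison

def crack_time_years(password: str, iterations: int = 1) -> float:
    """Expected years to brute-force `password` when every guess costs `iterations`
    hash operations at the constructed rate above (iterations=1 models a fast hash)."""
    rate = FAST_HASH_GUESSES_PER_SECOND / iterations
    return expected_crack_seconds(keyspace_bits(password), rate) / (365 * 24 * 3600)

if __name__ == "__main__":
    for pw in ("summer2020", "Tr0ub4dor&3", "correct-horse-battery-staple!"):
        print(f"{pw!r}: {keyspace_bits(pw):.1f} bits, fast hash {crack_time_years(pw):.2e} y, "
              f"PBKDF2 {crack_time_years(pw, PBKDF2_ITERATIONS):.2e} y")
```

The entropy figure is an upper bound for a pure brute-force search; dictionary and rule-based attacks on predictable passwords finish far sooner, which is why uniqueness matters as much as length.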

Is a password manager a solution?

I think it’s not a bad idea to start using a password manager like KeePass. The only fear you might have is that the password manager becomes a single point of failure for all your digital accounts. Some security experts do recommend password manager software.

My personal opinion is that we should enable 2FA and biometric authentication on our digital accounts, such as Google Authenticator and other app-based 2FA. Since everything has become crackable, our objective should be: let’s make life harder for criminals.