Breaking News »

Latest Hacking News

OpenSSL gears up to fix high impact vulnerabilities

OpenSSL project had announced on Thursday (April 28) upcoming security fixes for several vulnerabilities affecting the crypto library.

Every OpenSSL release since the infamous Heartbleed vulnerability1 of April 2014 has been met with nervous anticipation, and that applies as much to the upcoming 1.0.2h, 1.0.1t which will be released on May 3 between 12:00 and 15:00 UTC. These releases will patch several flaws, including ones rated 'high severity'.
Issues that have a high severity rating affect less common configurations or are less likely to be exploitable. The forthcoming releases are due to be out by next Tuesday. They are not accompanied by any logo or a catchy title.

OpenSSL versions 1.0.0 and 0.9.8 are no longer supported and they will not receive any security updates. Support for version 1.0.1 will end on December 31, 2016.

These updates will be the third round in a year. In January, the project released versions 1.0.2f and 1.0.1r to address a high severity flaw that allows attackers to obtain information that can be used to decrypt secure traffic, and a low severity SSLv2 cipher issue.

The last major flare-up on this front coincided with the DROWN vulnerability, which emerged last month in March. DROWN is a serious flaw that can be exploited to crack encrypted communications. DROWN affected a quarter of the top one million HTTPS domains and one-third of all HTTPS websites at the time of disclosure.

FBI paid $1.3 million for hacking a iPhone

Apple's war with the USA over decryption of iPhone came to halt when the director of the F.B.I. revealed that they paid at least $1.3 million to an undisclosed group hackers to hack  the encrypted iPhone used by an attacker in the mass shooting in San Bernardino, Calif.

At a conference on global security in London, James B. Comey Jr., the F.B.I. chief, was asked how much they  had to pay to the group to demonstrate how to bypass the phone’s encryption.

He replied, “A lot,”, as audience members at the Aspen Institute event laughed.

He continued: “Let’s see, more than I will make in the remainder of this job, which is seven years and four months, for sure.”

The F.B.I. had refused to comment anything until Thursday about how much it paid for demonstration of the iPhone hacking.

If this price tag is true then it will be interesting to know how much other giant companies  have offered for identifying iOS vulnerabilities.

'Blackhole' exploit kit creator sentenced for 7 years

Dmitry Fedotov, a Russian national who created the infamous Blackhole exploit kit, was sentenced to 7 years in prison by a Moscow Court. Known as “Paunch” in the cybercrime world, Fedotov, along with his seven accomplices, was arrested in October 2013 for involvement in a criminal organization.

According to a Russian security firm, Paunch had more than 1,000 customers and was earning $50,000 per month from his illegal activity. The Blackhole exploit kit was rented for $500 per month if run on the seller’s server and $700 if customers wanted to run it on their own server.

Coming into existence in 2010, Blackhole exploit kit was responsible for large number of malware infections. It was stitched into malicious sites and exploited a variety of Web-browser vulnerabilities.

(pc-google images)
A few months before his arrest, Paunch teamed up with a fraudster known online as “J.P. Morgan” and announced that they had set aside $100,000 to acquire zero-day exploits. The budget for zero-days later doubled, and “J.P. Morgan” increased it to $450,000 after Fedotov’s arrest.

Russian authorities estimated that Paunch and his accomplices caused damage of 70 million rubles (approx. $2 million) at the time of his arrest.

Adobe Flash vulnerabilities more in focus for exploit kit writers: NTT reports

A study done by  NTT Group reveals that exploit kit writers are more interested in vulnerabilities in Adobe Flash rather than the Java vulnerabilities.

In 2015, the top 10 vulnerabilities targeted by exploit kits belonged to Adobe Flash. However in 2013, the scenario was different, the top 10 vulnerabilities targeted by exploit kits included one Flash and eight Java vulnerabilities.

The reason behind this shift is that the  vulnerabilities in Java have dropped drastically, while vulnerabilities in Flash has jumped by almost 312 per cent (four-fold) over 2014 levels, NTT reports.

In their latest global threat intelligence report that was published on Tuesday, states that spear phishing attacks accounted for approximately 17 per cent of incident response activities, and an 18 per cent rise in malware detected for every industry other than education.

The report consists of analysis of  threats and trends from the 1999, information from 24 security operations centers, seven R&D centers, 3.5 trillion logs, 6.2 billion attacks and nearly 8,000 security clients across six continents.

"NTT clients from the education sector tended to focus less on the more volatile student and guest networks, but malware for almost every other sector increased," a spokesman from NTT Group's Solutionary managed security service business commented.

Vulnerability »

Malware Report »

Defacements »

Spam Report »