Bug in the GitHub Extension for Visual Studio Makes Developer Lose $6,500


Carlo van Wyk, a South African web developer, said that he lost $6,500 (£4,250) in just a few hours because a flaw in a tool for using Microsoft's Visual Studio IDE with the code-sharing site GitHub inadvertently exposed his sensitive data.

He used the GitHub Extension for Visual Studio 2015 to commit one of his local Git code repositories to a private repository on GitHub. However, a bug in the extension, which is developed and maintained by GitHub itself and which was unknown to him at the time, caused his code to be committed to a public GitHub repository rather than the private one he intended.

Once he reported the bug, the companies concerned fixed it.

According to a report published in The Register, within around ten minutes after publishing his code, he received a notification from Amazon Web Services telling him his account had been compromised. He had included an AWS access key in the code that he had committed to GitHub.

Although he immediately changed his AWS root password, revoked all of his access keys and created new ones, within hours the crooks had managed to sign him up for AWS's Elastic Compute Cloud and fire off more than 20 instances in each EC2 region.

By then his AWS account had racked up a bill of $6,484.99.

AWS was not available for comment, according to The Register. GitHub, however, has apologized for the error in its code, calling it "inexcusable."
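The damage above followed from a long-term AWS key sitting in committed code. As an added example (not code from GitHub, Microsoft or the developer involved), the Python script below scans the lines staged for commit for AWS access key IDs and, when they sit next to a telling variable name, secret access keys, and refuses the commit if it finds one. It assumes it runs inside a Git working tree as a pre-commit hook; the sample config it checks is constructed and uses the placeholder key from AWS's own documentation.

```python
import re
import subprocess
import sys

# AWS access key IDs are 20 characters: "AKIA" (long-term user keys) or
# "ASIA" (temporary STS keys) followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Secret access keys are 40 characters of base64-style text. Alone that pattern
# is noisy, so flag one only when it follows an "aws_secret_access_key"-style name.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_\-]?secret(?:[_\-]?access)?[_\-]?key\W{0,5}"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def find_aws_credentials(text):
    """Return (line_number, kind, value) for every credential found in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "secret_access_key", m.group(1)))
    return findings


def staged_additions():
    """Return the added ('+') lines of the staged diff as one text blob."""
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0"],
                          capture_output=True, text=True, check=True).stdout
    added = [l[1:] for l in diff.splitlines()
             if l.startswith("+") and not l.startswith("+++")]
    return "\n".join(added)


# Constructed sample resembling a credentials file that must never be committed.
# The key ID is the placeholder AWS uses in its own documentation.
SAMPLE_CONFIG = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    # Pass "--stdin" to scan arbitrary text; otherwise scan the staged diff.
    text = sys.stdin.read() if "--stdin" in sys.argv else staged_additions()
    hits = find_aws_credentials(text)
    for lineno, kind, value in hits:
        print(f"line {lineno}: {kind} {value[:4]}... looks like an AWS credential")
    sys.exit(1 if hits else 0)  # non-zero exit makes git abort the commit
```

Install it as `.git/hooks/pre-commit`; a rotated key is still worth revoking, but a commit that never reaches a public repository gives no ten-minute window at all.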

Lizard Squad disrupt National Crime Agency website

The website of the National Crime Agency (NCA), the UK national law enforcement agency that replaced the Serious Organised Crime Agency, was temporarily taken down by attackers on Tuesday morning.

According to a news report published in The Guardian, the attackers did this as revenge for arrests made last week. Four days before the attack, six teenagers arrested on suspicion of using the hacking group Lizard Squad’s cyber-attack tool to target websites and services had been released on bail.

The arrests were made in an operation codenamed Vivarium, coordinated by the NCA and involving officers from several police forces.

Those arrested last week were an 18-year-old from Huddersfield, an 18-year-old from Manchester, a 16-year-old from Northampton and a 15-year-old from Stockport; two other suspects, both 17, were arrested earlier this year, one from Cardiff and the other from Northolt, north-west London.

However, all of them have been bailed, while a further two 18-year-olds – one from Manchester and one from Milton Keynes – were interviewed under caution.

“The six suspects are accused of using Lizard Stresser, a tool that bombards websites and services with bogus traffic, to attack a national newspaper, a school, gaming companies and a number of online retailers,” the report reads.

An NCA spokesperson told The Guardian that the NCA website is an attractive target and that attacks on it are a fact of life. “DDoS is a blunt form of attack which takes volume and not skill. It isn’t a security breach, and it doesn’t affect our operational capability,” the spokesperson said.

“At worst it is a temporary inconvenience to users of our website. We have a duty to balance the value of keeping our website accessible with the cost of doing so, especially in the face of a threat which can scale up endlessly. The measures we have in place at present mean that our site is generally up and running again within 30 minutes, though occasionally it can take longer. We think that’s proportionate,” he added.


iOS malware steals over 225,000 Apple accounts to create free App Utopia


Researchers from Palo Alto Networks, a computer security firm, have found that hackers targeting jailbroken iPhones have raided more than 225,000 Apple accounts, using them for app-buying sprees or to hold phones for ransom.

Jailbreaking lets iPhone users install additional tweaks available through the alternative Cydia store and, for some, pirate software by installing ripped-off apps for free.

“In cooperation with WeipTech, we have identified 92 samples of a new iOS malware family in the wild. We have analyzed the samples to determine the author’s ultimate goal and have named this malware ‘KeyRaider’. We believe this to be the largest known Apple account theft caused by malware,” the researchers posted in a blog.

Claud Xiao, a researcher, said that the KeyRaider malware, hidden in jailbreaking utilities, slurps login credentials and GUIDs from the user's iTunes data and siphons them off to remote servers.

"We believe this to be the largest known Apple account theft caused by malware," Xiao said. "The malware hooks system processes through MobileSubstrate, and steals Apple account usernames, passwords and device GUID by intercepting iTunes traffic on the device."

He confirmed that the purpose of the attack was to make it possible for users of two iOS jailbreak tweaks to download applications from the official App Store and make in-app purchases without actually paying.

Most of those affected are said to be in China, but victims also hail from 17 other countries, including France, Russia, Japan, the United Kingdom, the United States, Canada, Germany, Australia, Israel, Italy, Spain, Singapore and South Korea.

Some users also reported being locked out of their phones and forced to pay ransoms.


According to the researchers, the attack was discovered by a Yangzhou University student known as i_82, who worked alongside Xiao and a group. They exploited an SQL injection vulnerability on the attacker's server to learn about the attack, and recovered about half of the stolen accounts before the malware author caught on and locked the white hats out. They have now set up a website where users can check whether they are affected.

Six teenagers arrested for using Lizard Squad's DDoS service


Six teenagers were recently arrested, and later bailed, for using tools from the hacking group Lizard Squad to attack software and websites, including those of gaming companies, school servers and even newspapers.


The teenagers, all male and aged between 15 and 18, were arrested during a UK police operation targeting users of the Lizard Stresser tool, which floods a target system with bogus traffic to carry out a distributed denial of service (DDoS) attack, making the website unavailable to genuine visitors.

In the past, such DDoS attacks have caused reputational and financial damage to everything from the services of large businesses such as Sony to government websites, disrupting normal operation for anywhere from a few hours to weeks.

Lizard Squad used this tool in December 2014 to disrupt the online gaming services of Microsoft’s Xbox Live and Sony’s PlayStation Network. The tool is openly sold, and anyone who acquires it can pick targets at will.

The UK police, working with the National Crime Agency (NCA), arrested the teenagers, who had tried to pay anonymously for the tool using Bitcoin. However, none of the six has been confirmed to be a member of Lizard Squad.

Tony Adams of the NCA’s cybercrime unit explained that for a small sum a person can acquire Lizard Stresser, which can cripple big businesses and cut the public off from information. He added that the arrests were made under an operation named ‘Vivarium’ and that the teenagers were operating from across the UK.


A member of Lizard Squad was arrested in Twickenham in December for involvement in cyber attacks, and a further member was arrested in May for pranking armed police. However, the group’s tool remains available, despite its site having been hacked and its customers’ details exposed.

Uber Hires Security Analysts For Enhancing Car Safety

When it comes to vehicle security, Uber has taken a step towards making its vehicles safer. Officials have confirmed that the company has hired two top security researchers to support its push into self-driving car technology: Charlie Miller and Chris Valasek, who previously worked for Twitter Inc. and security firm IOActive respectively.

Uber’s Advanced Technologies Centre, a research laboratory set up by the company in Pittsburgh in February, has already hired dozens of vehicle experts from Carnegie Mellon University and will now be joined by Miller and Valasek.

Their appointment was confirmed by a welcome tweet from Raffi Krikorian, head of Uber ATC. Both started in their new roles on Tuesday.

Uber is currently deep into developing or adopting self-driving car technology, and Miller and Valasek are joining the company to make those vehicles more secure. The technology could help the company reduce its reliance on the thousands of contract drivers it has hired.

To develop this technology, the company has also partnered with the University of Arizona, providing grants for students to research and help develop it.

In March, Uber bought digital mapping firm deCarta, a San Jose, California-based company whose technology offers search and turn-by-turn directions.

FCA US LLC recalled 1.4 million vehicles to install software intended to prevent hackers from replicating the researchers' experiment, which used the cellular network to enter a vehicle's entertainment system and then take control of the engine, brakes and steering.

Man jailed for 18 months for hacking into 900 Aviva phones

Richard Neele (40) has been sentenced to 18 months in prison for hacking into 900 phones of insurance company Aviva.

Neele deleted the data on all 900 smartphones, costing the company £500,000 of business.

Neele was a director at Esselar, a company which had been contracted by Aviva to manage its security network.

Neele has said that he carried out the attacks because of a falling out with his colleagues.

He hacked Aviva's system in May 2014, while Esselar was giving a security demonstration to Aviva.

Teenager who hacked US and British government website faces jail

A British teenage hacker has been warned by Birmingham Crown Court that he faces possible jail time for bringing down the FBI's and the Home Office's websites.

Charlton Floate (19) has pleaded guilty to three counts under the Computer Misuse Act and three charges of possessing prohibited images.

Floate's lawyers argued that their client was only on the fringes of the conspiracy and not deeply involved, but the court rejected that argument, saying that Floate is a very intelligent man and an expert in computer marketing.

The judge said at the hearing, "A successful attack on the FBI.gov website is regarded by hackers as the Holy Grail of hacking. It was this which he attempted and, indeed, achieved. He was the person who instituted such attacks and assembled the tools and personnel for doing so."

The FBI site was down for about five hours, whereas the Home Office site crashed for 83 minutes.

Ola leaks personal information of its customers, claims a girl

A girl from Chennai claimed that OlaCabs, famous as Ola, a mobile app for personal transportation in India, had sent personal information of more than 100 customers to her via SMS.

Swapnil Midha posted on Facebook that Ola, which started as an online cab aggregator in Mumbai, is now based in Bangalore and is among the fastest-growing businesses in India, had leaked personal details such as users' mobile numbers and locations.

However, the company described it as a technical fault and confirmed that it has now been fixed.

“About three weeks ago, I booked an Ola cab for a long distance drive. After the ride I received a few garbled texts from "VM-OLACAB" that I didn't think much of and ignored. These messages were alpha-numeric with hashes and made no sense to me whatsoever. I assumed there was some system error and did not anticipate the sleep deprivation that followed,” she wrote on Facebook.

She added, “My phone beeped throughout the night. 1:06, 2:34, 2:37, 2:38, 4:05, 5:17. I couldn't get my head around why these were coming at these times. I then called their call centre the next day to explain that there was probably some sort of bug and my number had somehow gotten into their highly cryptic message transmission systems, whatever secrets they were trying to transmit.”

Although Ola assured her that the problem would be fixed soon, she kept receiving SMS after SMS, between 300 and 400 texts in total.

“I received no further communication from them, no update, no email, just more garbled messages,” she explained. “I reached out to them through every channel possible. I called their call centre at least 5 times, demanded to speak to the senior managers, and had to explain my problem each time in great detail, answering the same annoying questions.”

She said that the company was sharing its customers' personal details throughout the day and throughout the night.

“What scares me the most, is that THIS should be their number one priority. I questioned their lack of concern for privacy and data protection. I threatened to report them to the authorities and TRAI. Nothing seemed to work which makes you think - do they even care about protecting customer information? If they are sending all this to me, who are they sending MY booking details to? Whose number is receiving all of my data? Which creepy criminal knows my full name, my mobile number, my door number, my account details, when I'm home and when I'm out?” she added.

She has raised a serious question which the company concerned needs to answer as soon as possible. If one of the most trusted companies, such as Ola, is this careless, what can we expect from others?

PayPal fixes serious vulnerability in its domain

Photo Courtesy: Security Down

A serious flaw in a domain of PayPal Holdings Inc., an American company which operates a worldwide online payments system, has been patched. The flaw could have allowed an attacker to trick users into handing over their personal and financial details.

The flaw, which was detected by Ebrahim Hegazy, was a stored cross-site scripting (XSS) bug in the SecurePayments.PayPal.com domain, which is used for PayPal’s hosted solution that enables buyers to pay with a payment card or their PayPal account, eliminating the need to capture or store sensitive payment information.

“I’ve found a Stored XSS vulnerability that affects the SecurePayment page directly which allowed me to alter the page HTML and rewrite the page content. An attacker can provide his own HTML forms to the user to fulfil and send the users data back to attacker’s server in clear text format, and then use this information to purchase anything on behalf of users or even transfer the users fund to his own account,” the researcher posted in his blog.

According to the Egypt-based researcher, a malicious actor could have set up a rogue shopping site or hijacked a legitimate website, and altered the “Checkout” button with a URL designed to exploit the XSS vulnerability.

The flaw could allow the attacker to change the contents of the SecurePayments page and display a phishing page where the victim is instructed to enter personal and financial information. The collected data is then sent back to a server controlled by the attacker, the researcher explained.

The researcher, who had found a serious flaw in a Yahoo domain last year, reported the vulnerability to PayPal on June 19. The payment processor confirmed patching the flaw on August 25.


PayPal then awarded Hegazy $750 for his findings, which is said to be the maximum bug bounty payout for XSS vulnerabilities.

Facebook to bring “Video Matching Technology” to control Piracy


Here is good news for video creators who are fed up with video piracy, especially on social networking sites: Facebook is planning to launch a “Video Matching Technology” that will tell the real owners of videos when those videos are uploaded by others.

A news report published in ReCode confirms that the company has decided to develop the technology in order to control video piracy on Facebook.

“We’ve heard from some of our content partners that third parties too frequently misuse their content on Facebook,” Facebook posted in its blog. “It’s not fair to those who work hard to create amazing videos. We want creators to get credit for the videos that they own.”

It is said that the company and its partners have started testing the new technology, which requires content owners to upload the clips they want to protect into Facebook’s system.

“It is the first step to creating the equivalent of YouTube’s Content ID system, which the video giant built up over years as a response to its own copyright/piracy problems. After years of ignoring video, Facebook is now a major player, so this kind of effort was obvious and overdue,” the news report reads.

“Facebook’s response comes after video makers and distributors have grown increasingly vocal about pirated videos, which by one estimate accounted for more than 70 percent of Facebook’s most popular videos. In May, Jukin Media, a video licensing agency best known for ‘Fail’ clips, described Facebook’s copyright problems as ‘massive.’ In June, Fullscreen CEO George Strompolos, who runs one of the biggest YouTube video networks, tweeted that he was ‘getting very tired of seeing our videos ripped there with no way to monitor or monetize,’” the news report reads.

Now Facebook says Jukin and Fullscreen are two of its initial launch partners for the new technology, along with Zefr, a service company that helps content owners track their clips on YouTube. Facebook says it is also working with major media companies on the effort, but won’t identify them.