Certificate problems in NetNanny expose users to attack

NetNanny, the popular content-control software, has been found to use a shared private key and root certificate authority, which leaves its users open to HTTPS spoofing and interception.

“The certificate used by NetNanny is shared among all installations of NetNanny,” said Garret Wassermann, a vulnerability analyst at CERT. He added that “the private key used to generate the certificate is also shared and may be obtained in plain text directly from the software.”

An attacker can easily exploit this weakness to generate new certificates just by accessing the software. A spoofed certificate signed by NetNanny would appear trustworthy and might lead the user to a malicious site posing as a secure HTTPS site. Moreover, the attacker could intercept HTTPS traffic to carry out man-in-the-middle attacks on the affected system without triggering browser certificate warnings.

The software, launched in 1995, is widely used by parents to filter internet services for their children. At present, version 7.2.4.2 has been found to be vulnerable, as warned by CERT, but other builds might be affected as well. Questions about a fix for the issue remain unanswered by ContentWatch, the developing company.

Users are strongly advised to remove NetNanny, or at least to remove the bogus certificates created by the service, or to disable SSL filtering and manually remove the certificates.

"No iOS Zone" - DoS vulnerability in iOS Devices

Skycure, a mobile threat defense solutions company, witnessed the sudden crash of an iOS app while setting up a router in a specific configuration and connecting devices to it.

Elisha and Roy, members of the research team, started to analyze the crashes further and identified the source of the problem. They found that by generating a specially crafted SSL certificate, attackers can trigger a bug and cause apps that perform SSL communication to crash at will. They then created a script that exploits the bug over a network interface.

The SSL certificate parsing vulnerability affects the underlying iOS operating system, and with heavy use of devices exposed to the vulnerability, the operating system crashes. Under certain conditions, the devices can be put into a repeated reboot cycle, rendering them useless.

For most people, an iOS app crash is simply a quality issue. They just install a different firmware and move on.

But the victim’s device is in an unusable state for as long as the attack affects it. Even if victims understand that the attack comes from a Wi-Fi network, they can’t disable the Wi-Fi interface in the repeated restart state, as shown in the video.

The issues have been reported to Apple. To avoid exploitation of this vulnerability, users may take the following steps.

1) Users should disconnect from the bad Wi-Fi network or change their location if they experience continuous crashing or rebooting.
2) The latest iOS 8.3 update might have fixed a few of the mentioned threats; users are highly advised to upgrade to the latest version.
3) In general, users should avoid connecting to any suspicious “FREE” Wi-Fi network.

Taipei City govt plans to install more monitoring equipment

The Taipei city government is planning to install more monitoring equipment and to protect its use of the messaging application Line after a huge amount of information was leaked in a hacking breach of city computers, according to a Taipei Times report.

In a bid to avoid further breaches, officials have decided to install additional monitoring equipment to identify unusual activity on city systems.

Taipei Mayor Ko Wen-je said that secretariat computers were breached last week, which had revealed “troublesome” information.

Taipei Department of Information Technology (TDoIT) Commissioner Lee Wei-bin said that in the breach, numbers of city department heads, along with their confidential information, had been compromised.

He said that the hacks could allow the hackers to predict the names of secretaries in order to “friend” commissioners and their staff. In order to identify all of the members, the management would take special caution. However, any new member would join the group.

He added that the existing antivirus software on the city secretariat’s computer, which got infected, could not detect the unauthorised access. The management would review the existing divisions between computer systems among the city’s departments, secretariat and the mayoral office.

Although Taipei city councilors criticised the city government's heavy use of Line groups for messaging, which creates risk, Lee said there was an implicit tradeoff between perfect security and administrative efficiency.

He said that they could not switch to another messaging application that is domestically designed and hosted, because it would be more costly and time-consuming.

Moreover, Mayor Wen-je, who is used to Line software, has already introduced it extensively within every department.

He added, however, that the department was imposing clearer standards for Line usage. Line groups must have designated members who take responsibility for policing membership lists.

He said that the city government’s decisions would be recorded in official documents which would be made available to councilors. However, Line conversations would be as confidential as telephone calls or private discussions within the city government.

Beware of emails with resume attachments as Phishers still use JavaScript attachments


Beware of emails with an attached resume from a job applicant, because some hackers are still using old-style JavaScript attachments to deliver CryptoWall, which could leave people in great trouble.

In an article posted on SpiderLabs Blog (Trustwave SEG Cloud), Brian Bebeau mentioned that a spam run of emails containing an attached resume from a job applicant had recently been noticed. The attachment, with the file extension ‘.js’, was in plain text and consisted of JavaScript.

After some days, a second spam run was noticed which looked more serious and zipped the attachment. The hackers tried to give the attachment a MIME type of "image/png" so that it would appear to people as an image.

If anyone retrieves the picture, it will turn out to be a Windows executable.

Bebeau wrote that after analysing the file, they found that it is a CryptoWall ransomware variant. So, if anyone opens the attachment to look at a resume or picture, he/she could end up with his/her entire system in trouble.

He added that some groups of spammers also use JavaScript to hide their phishing attachments. Instead of a resume, they use that old standby, the common account phish.

Bebeau wrote that people can verify an email by looking at the header addresses before opening the attachments.

Subject lines include:

- Un-authorized User
- Verification Required
- Must verify your account
- Validate account

He said that the messages claim that the recipient’s account has been limited or disabled, and that to restore the account, they must follow some steps in the attachment.

Here, the attachment is an HTML file with a JavaScript section, and it instructs people to turn on JavaScript. If they view the attachment in a JavaScript-enabled browser, it creates a form which asks for their personal information.

The form asks for people’s social security number and credit card number along with their name and address. If anyone fills it in and clicks the submit button, all of his/her data goes to a server in Russia.

According to Bebeau, if an attachment is examined carefully, it can be useful to pull out JavaScript code for content blocking.

He wrote that Trustwave SEG Cloud blocked around 200 of these phishing messages within three days. People should not turn on JavaScript even if an email asks them to do so.
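
The attachment traits described in this article (script files sent directly or inside a zip, a Windows executable sent under an image MIME type, and HTML attachments carrying script) can be checked mechanically before a message reaches a user. The Python code below is an added example, not code from Bebeau's article or from Trustwave; the extension blocklist, file names and sample message are constructed assumptions.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

SCRIPT_EXTS = (".js", ".jse", ".vbs", ".wsf")  # assumed blocklist of script types


def inspect_message(raw):
    """Return (attachment, reason) findings for one raw e-mail message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        declared = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        members = [name]
        if payload.startswith(b"PK\x03\x04"):  # ZIP: also look at the members
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as z:
                    members += [m.lower() for m in z.namelist()]
            except zipfile.BadZipFile:
                findings.append((name, "malformed zip"))
        for m in members:
            if m.endswith(SCRIPT_EXTS):
                findings.append((name, f"script file {m}"))
        # "MZ" opens every Windows PE file; a real PNG starts with \x89PNG.
        if payload.startswith(b"MZ"):
            findings.append((name, f"Windows executable declared as {declared}"))
        if declared == "text/html" and b"<script" in payload.lower():
            findings.append((name, "HTML attachment containing script"))
    return findings


def build_sample():
    """Constructed message: header bytes only, no real malware."""
    msg = EmailMessage()
    msg["Subject"] = "Validate account"
    msg["From"] = "applicant@example.com"
    msg["To"] = "hr@example.com"
    msg.set_content("Please see the attached resume.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("resume.js", "var a = 1;")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="resume.zip")
    msg.add_attachment(b"MZ\x90\x00" + bytes(16), maintype="image",
                       subtype="png", filename="photo.png")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + bytes(16), maintype="image",
                       subtype="png", filename="logo.png")
    msg.add_attachment("<html><script>document.forms</script></html>",
                       subtype="html", filename="verify.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in inspect_message(build_sample()):
        print(f"{name}: {reason}")
```

The genuine PNG in the sample (logo.png) produces no finding, which shows the check keys on content rather than on the declared type alone.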

Hacker's tweet led FBI to issue warning for airlines in US

In response to the claims and reports of the recent United Airlines incident, the US Federal Bureau of Investigation has issued a warning to all airlines to be on the lookout for hackers. It follows an onboard tweet from Chris Roberts, a professional hacker and the founder of One World Labs.

Roberts, a researcher specializing in the security of commercial airplanes, was detained by FBI (Federal Bureau of Investigation) agents while deplaning his United Airlines flight from Denver to Syracuse, New York. This action was taken after he tweeted a joke about taking control of the plane’s engine-indicating and crew-alerting system, which provides flight crews with information in real-time about an aircraft’s functions, including temperatures of various equipment, fuel flow and quantity, and oil-pressure.

The computer expert tweeted: “Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? 'PASS OXYGEN ON' Anyone ? :)”. This apparently caught the attention of federal authorities, who confiscated Roberts’ iPad, MacBook Pro, and storage devices after questioning him for four hours.


Roberts stated that he was perturbed by the actions of US law enforcement, as he has been demonstrating vulnerabilities in the avionics systems used on modern airplanes and had told CNN that he could connect a computer under his seat to view data from the aircraft’s engines, fuel and flight-management systems. He is not the only one: according to an article by Forbes, Thomas Lim, head of security consultancy Cose Inc, has repeatedly been checked going through airports in recent years. On a flight from New York to Taipei, all his belongings were searched at the airport in Anchorage.

United Airlines has now banned Chris Roberts from all its flights.

Moreover, in a notification reported by Wired magazine, the FBI advised airlines to report any suspicious activity, i.e. passengers connecting unknown wires and cables, or tampering with or forcibly removing covers to network connection ports. It also asked them to report any evidence of suspicious behaviour concerning aviation wireless signals, including social media messages with threatening references to onboard network systems, automatic dependent surveillance systems (ADS-B), aircraft communications addressing and reporting systems (ACARS) and air traffic control networks.

WordPress 4.1.2 version released, fixes critical security bugs


WordPress 4.1.2 is the latest version of WordPress to be released to the public. A critical security release for all previous versions, WordPress 4.1.2 fixes as many as four other security issues.

Earlier versions of WordPress, including version 4.1.1, were affected by a critical cross-site scripting vulnerability which could enable anonymous users to compromise a site. This was reported by Cedric Van Bockhaven and fixed by Gary Pendergast, Mike Adams and Andrew Nacin of the WordPress security team.

In version 4.1 and higher, files with invalid or unsafe names could be uploaded. This was discovered by Michael Kapfer and Sebastian Kraemer of HSASec.

In WordPress 3.9 and higher, a very limited cross-site scripting vulnerability could be used as a part of a social engineering attack. It was discovered by Jakub Zoczek.  

Some plugins were vulnerable to SQL injection. Four hardening changes, including better validation of post titles within the Dashboard, were discovered by J.D. Grimes, Divyesh Prajapati, Allan Collins, Marc-Alexandre Montpas and Jeff Bowen.

To get WordPress 4.1.2, update from the Dashboard by simply clicking “Update Now”. Sites that support automatic background updates are already updating to WordPress 4.1.2.

Researchers discover fingerprint flaw on Samsung Galaxy S5


Despite the various efforts made by Android phone makers to secure biometric information on the Samsung Galaxy S5, hackers can still take copies of the fingerprint used to unlock the phone, researchers said.

Tao Wei and Yulong Zhang, researchers at FireEye, a security firm, said that even though there is a separate secure enclave for the information on the phone, it is possible to grab the biometric data before it reaches that safe area which allows hackers to copy people’s fingerprints for further attacks.

Wei and Zhang, who conducted research on the Galaxy S5 and other unnamed Android devices, will be presenting their findings at the RSA conference on April 24.

The researchers said that in order to clone the fingerprints, the hackers don’t have to break the protected zone where the data is stored. They just have to collect data from the device’s fingerprint sensor.

According to them, any hacker can easily clone fingerprints from the phones. They have to get user-level access and run a program as root. They wouldn’t need to go deeper on the Samsung Galaxy S5, because the malware needs only system-level access.

Once the hackers break the operating system of the phone, they can easily read the fingerprint sensor. The hackers then get the data from which they can generate an image of the fingerprint. After that, they can do whatever they want.

After finding the flaw on the phone, the researchers contacted Samsung. However, they did not get any updates or measures to fix the vulnerability from the company.

They said that it is best to update the Android version in order to be protected from this vulnerability, because it is not present on Android 5.0 or later versions.

“Samsung takes consumer privacy and data security very seriously. We are currently investigating FireEye’s claims,” said a spokesperson for Samsung via email to Forbes.

Although there are various security concerns about biometrics, they are going to be the primary form of authentication on mobile phones.

It is said that Microsoft is testing out a range of biometric options for its upcoming Windows 10 operating system. 

However, Wei and Zhang said they only tested Android devices as of now.

They said that not all Android phones below 5.0 with fingerprint authentication were affected, but this vulnerability is likely to extend to other phone makers' devices as well, such as the HTC One Max, Motorola Atrix, Samsung Galaxy Note 4 and Edge, Galaxy S6, and Huawei Ascend Mate 7.

“We only tested a limited number of devices. While we expect the issue is more widespread, we are not sure,” the FireEye spokesperson said in an email to Forbes.

GTA V user accounts have not been hacked, but change passwords to ensure safety


In a response to a number of reports from Grand Theft Auto V (GTA V) users who said their Social Club accounts have been hacked and even modified, Rockstar Games Social Club (RGSC), a hub for GTA V and other games, has confirmed that the accounts have not been hacked.

However, users can change their passwords in order to prevent their accounts from being hacked in the future.

After receiving a number of complaints about hacking, which left users unable to log in to their accounts or play games, the company sent a statement to Kotaku Australia via Twitter.

According to the statement, the accounts have not been hacked. It seems that some unknown users or websites tried to access other users’ accounts using email and password combinations. However, the company is in the process of restoring the affected accounts to their original state. It also advised users not to use their Social Club account username and password on multiple other websites. They should keep different passwords and usernames for their different accounts.

“We are responding to customers, whose accounts got affected, to reinstate full user access within 24 hours of contacting Customer Support. Please keep looking at the Rockstar Support website for more information and updates,” the statement said.

Earlier, it was said that more than 2500 GTA V user accounts had been hacked. People were also facing problems with drivers, download speeds from Steam, and FPS hiccups while playing games.

Similarly, many users complained that the RGSC took a long time to take any initiative.

A GTA V user wrote on the Rockstar Support page, “I purchased the game before it got released and got my pre-order bonus. Everything was great until Wednesday night, when I received an email saying that my email address and password on social account has been changed.”

He added that he immediately emailed Rockstar Support. When he did not get any reply, he called the support team. They gave him a ticket number 3579087 and said it was escalated. Since then, he hasn’t received any information on how long it will take to get his account back.

Hackers get to Prince's Facebook page

Prince's Facebook page made a quick re-appearance on the social media site on Saturday for a few hours before it was taken down for having been hacked.

Prince, who has been in the music industry for about forty years, had avoided social media until last year. In an era where getting close to the audience has been the aim of most musicians, Prince chose to avoid the buzz of online socializing. It was only in October 2014 that he opened a Facebook page and hosted a fan Q&A, but he replied to only one question before taking the page down in November.

He even shut his Twitter account and deleted videos from the official YouTube account. The page was activated with promises of new music, but then it started being self-deprecating and rude, with messages like "My name is Prince and I don't care about my fans, I put my hit and run pause on tour so I can be the true asshole I am." Some were funny as well, with one saying, “Bring omelets to my next show, free entry.”

The surge of insulting and absurd messages pointed towards a hack and the page was promptly taken down by the site.

The AirDroid Lesson: Don't let apps take over your life

The popular Android app AirDroid, which lets users organize their lives by providing the remote ability to send text messages, edit files, manage other apps and perform GPS tracking, suffers from a serious authentication flaw which allows attackers to take control over the user's activities.

The flaw can be exploited to take photos of the victim via the phone’s camera, track the victim via GPS or harass the victim’s friends and family via contacts. Anything that the app has permission to access can be accessed by the remote attacker.

The mode of attack is very simple: the attacker sends an innocent-looking link to the user which, if clicked, leads to the attacker's webpage. The attacker thus assumes control over the user's phone and can activate the phone's camera to take photos of the user and taunt the user.

This bug has now been fixed, but the security risk it posed raises questions about how much an app should be permitted to know.

Often, for the sake of convenience, we offer personal information to apps, thus compromising our security. The long list of permissions that an app asks for is also cumbersome for many users to scan through, and they just hit agree. One never knows how many vulnerabilities are lurking in the apps we freely download and use, or how those vulnerabilities can be exploited to take over our daily activities. One must be careful about what one agrees to during installation.

Constant vigilance is the key.