Bihar BJP website hacked and defaced by Pakistani Hackers

Bharatiya Janata Party's(BJP) website once again has been targeted by hackers claimed to be from Pakistan.

This time, a hacker named Muhammad Bilal from Pak Cyber Experts group breached the official Bihar Bjp website(www.biharbjp.org) and defaced the home page.

The defacement contains a picture of person standing on Narendra Modi's photo and posted some comments.  The hacker also called India as Stupid.

"I just woke up for reading Namaz. I just thought i will check BJP website :D good site it was :( then my mind changed :( i thought to write 'Pakistan Army' or 'pakistan zindabad' on the site of people who say [redacted] about Pakistan." defacement message reads(translated).

The hacker has a past history of attacking Indian websites and Modi's related websites.

This is not the first time BJP's websites being defaced by Pakistani Hackers.  Earlier this month, hacker with online handle 'Sniper Haxxx' defaced the BJP Junagadh unit's website.

It seems like the website was defaced before 14 hours. The website is still showing the defacement. You can find the mirror of the defacement here: http://zone-h.com/mirror/id/22233554

Michaels confirms security breach affecting 2.6 Million cards

After over two months of investigation, Michaels stores has finally confirmed the payment card data breach affecting approximately 2.6 million cards.

The compromised data includes Payment card information such as numbers and expiration date for the payment cards.  However, there is no evidence that other data such as names, PINs,addresses have been accessed.

The data breach occurred between May 8, 2013 and January 27, 2014.  The company said only a small percentage of cards(7%) used at Michaels stores during this period were impacted by this breach.

The company is offering one year free credit card monitoring.  After receiving limited reports of fraud,  the company is also offering one year free identity protection and fraud assistance services.

The location of affected stores and dates of exposure are listed here.

Aaron Brothers, one of the subsidiaries of Michaels stores, was also attacked by criminals.  The breach which took place between june 26,2013 and Feb 27,2014 have affected approximately 400,000 cards.

"We have now identified and fully contained the incident, and the malware no longer presents a threat while shopping at Michaels or Aaron Brothers" The retailer said they have removed the malware in question. 

Android malware iBanking helps attackers to hack Facebook account

An attacker can't hack a facebook account which has enabled two-step authentication, even if he know the username and password.  But, if you think Two-Step authentication is enough to keep your faebook account safe from hackers, Think Again!

Cyber criminals have started to use Android Banking Trojan "iBanking" to bypass Facebook's two-factor verification.

iBanking is malicious android application capable of intercepting SMS messages, forwarding incoming voice calls to any number and record victim's voice using mic.

Recently, RSA noted the release of source code for the iBanking trojan.  This source code leak helped other cyber criminals to customize this trojan according to their needs.

ESET reports that a customized iBanking malware targeting Facebook users is being delivered via a new variant of Computer Banking Trojan Qadars 

When a system is infected with Qadars Trojan, it will show a message when user is logging into Facebook telling them "Facebook introduces new extra safety protection system" and instructs them to install an android app.  This app will help cybercriminals to intercept SMS so that they can bypass the Facebook's two-factor verification.

"The way iBanking is installed on the user’s mobile is quite common, but it is the first time we have seen such a mobile application targeting Facebook users for account fraud." Researchers said.

Hacker arrested for exploiting HeartBleed vulnerability to steal information

A 19-year-old computer science student has been arrested by the Royal Canadian Mounted Police (RCMP) and accused of stealing personal data by exploiting the "HeartBleed" vulnerability.

HeartBleed, the bug that left the Internet vulnerable, is a recently uncovered security flaw in the popular open-source encryption library(OpenSSL) which allows attackers to read memory of the server running vulnerable OpenSSL - means attacker can steal sensitive information.

Stephen Arthuro Solis-Reyes from London, Ontario, accused of exploiting HeartBleed bug to steal sensitive information from servers of the Canadian Revenue Agency(CRA), according to RCMP.

During the Police raid, his computer was seized by Canadian police.  He is scheduled to appear in court in Ottawa on July 17.

The arrest came after CRA announced that someone exploited the HeartBleed bug to steal 900 Social Insurance numbers of taxpayers.  The agency had shut down its site temporarily to prevent further attacks.

"The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible." Assistant Commissioner Gilles Michaud said in a statement.

"Investigators from National Division, along with our counterparts in “O” Division have been working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorizations and liaising with our partners".

LaCie Security Breach went unnoticed for a Year


If you used a credit or debit card to purchase electronic items at LaCie's website last year, you may want to eagle-eye your card statements.

LaCie, French Computer Hardware company specializing in external hard drives, announced that it fell victim to a security breach that put customers' personal information and financial information at risk.

The company says cybercriminals used malware to infiltrate their website.  After getting notification from FBI on March regarding the breach, LaCie hired cyber forensic investigation firm.

Customers who made transactions between March 27,2013 and March 10,2014 were affected by this data breach.

According to an incident notification, customers' usernames, passwords, names, addresses, email IDs, credit and debit card information are all at risk.

Customers' passwords have been reset. e-commerce portion of the site has temporarily been disabled while the company "transition to a provider that specializes in secure payment processing services".

How researchers hack Google using XXE vulnerability !

What is most secure website? NOTHING.  Even Google is vulnerable to all sort of attacks!

Security researchers and Co-Founders of Detectify have discovered a critical security vulnerability in Google that allowed them to access Internal servers.

The vulnerability exists in the Google Toolbar button gallery.  The page allows users to customize their toolbar with buttons. It also allows users to create their own buttons by uploading XML file containing various meta data.

Researchers identified this function is vulnerable to XML External Entity vulnerability.

By sending a crafted XML file, researchers are able to gain access to internal files stored in one of Google's product server.  They have managed to read the 'etc/passwd' and 'etc/hosts' files of the server. 

By exploiting this vulnerability, researchers could have accessed any files on the Google's server, also they could have done SSRF Exploitation to access internal systems.

Google has rewarded the researchers with $10,000 for finding and reporting this vulnerability. 

GovWin IQ website hacked, credit card information of 25,000 at risk

GovWin IQ System run by an enterprise software and information solutions provider Deltek suffers a security breach that puts information of around 80,000 employees of federal contractors at risk.

GovWin  are designed specifically for Government Contractors aiming to grow their business.

The breach occurred sometime between July 3,2013 and November 2,2013.  However, the company came to know about the breach only on March 13,2014.  

The hacker exploited a security vulnerability in the GovWin IQ System and managed to access customers' data.  The information accessed by hackers includes Names, billing addresses, phone numbe,s. and business email IDs.

According to Federal News radio report, the hackers also had access to credit card information of about 25,000 of those affected customers. Those who had card information compromised are being offered free credit monitoring services.

The company says it is cooperating with law enforcement on this case.  They have also hired a cyber security forensic firm. They also claimed to have arrested the hacker believed to behind the breach.

BJP Junagadh website hacked by Pakistani hackers

Local news organizations reports that BJP Junagadh unit's website (bjpjunagadh.org) was hacked and defaced by some unknown hackers.

The hackers who defaced the website posted comments against BJP and RSS. The defacement also contains several images of people burning and standing on the Indian tricolor.

We have referred some defacement-mirror websites, the hack appears to have taken place in February.  It is unclear whether these local reports referring this incident or the website got defaced again today.

According to the defacement-mirror record(hxxp://dark-h.org/deface/id/12604), this website was defaced by a Pakistani hacker going by handle "Sniper haxXx" who is responsible for many Indian websites' hacks.

"As soon as I reached office, our IT cell employees told me that someone has hacked our website http://www.bjpjunagadh.org and uploaded photographs and comments to malign reputation of BJP, RSS and Narendra Modi,"Indian Express quoted In-charge of BJP Junagadh office Raju Jivani as saying.

A complaint has reportedly been lodged against the unknown hacker, police are trying to find the hacker who is responsible for the breach.

Meanwhile, Gujarat Pradesh Congress Committee's President Arjun Modhwadia told reporters that "This is purely an attempt to get votes by playing the communal card ahead of the election"

Wired website blocked by Google Chrome

Official website of popular American magazine Wired has been blocked by Google and Chrome.  Users who tries to access few urls of wired are getting a warning message saying "This site may harm your computer".

We tried to access wired.com from Google search result, there was no warning message for home page.  However, when i tried to access the 'wired.com/business/', i was presented with Malware warning page.

"Hey folks, we had a brief technical issue this morning, but it's fixed. Thanks to those of you who brought it to our attention." Wired tweeted regarding the issue.

It is unclear what they mean by 'technical issue' and how come Google has blocked the website.  At the time of the writing, visitors are still presented with the malware warning message.  Wired says it is waiting for Google chrome to remove the warning.

Android malware steals money from QIWI Wallets

Cyber criminals are continually finding new ways to earn money using infected devices.  We aware of SMS Trojans that earn money by sending out premium-rated messages from the infected android devices.

Experts at Kaspersky have recently spotted a new Android Trojan that not only send SMSs to premium-rate numbers but also steals money from QIWI electronic wallet.

Visa QIWI Wallet is electronic payment service can be used to pay for goods and services around the world, receive payments, and transfer money.

Once installed on a device, the malware, dubbed as 'Waller', attempts to communicate with Command and control (C& C) server located at playerhome.info and awaits further commands.

Malware is capable of checking the balance of infected phone by sending SMS to mobile network operator and intercepts the reply, send SMS, open web pages, download and install other malware.  It is also capable of updating itself and send SMS to victim's contact list.

This trojan also checks the balance in the QIWI Wallet by sending an SMS to 7494.  The response messages is intercepted by the trojan and forwarded to the cyber criminals.  If there is money in the Wallet, the malware will send message to 7494 with attacker's wallet number and the amount to be transferred.

The Trojan is being distributed via SMS spam and cybercriminal's site disguising as various applications.

Pileup flaw: Android updates can be exploited by malware to gain permissions

Upgrading an operating system patches the security holes in the previous versions.  However, researchers found a bug in upgrading process of Android itself, which can be exploited by malicious apps.

A team of researchers from Indiana University and Microsoft have published a paper explains a new critical security bugs which are referred as "Pileup flaws".  The vulnerability exists in Package Management Service (PMS) of Android.

When a user upgrades android to the latest version, a malicious app with few or no permission in the old version can exploit this vulnerability to update itself with new set of permissions.

An attacker can exploit this vulnerability to steal sensitive information from the compromised device, change security configurations and also prevent installation of critical system services.

Researchers say they have confirmed the presence of security hole on all official android versions as well as 3,000 customized android versions.

Researchers also have developed a new service called 'SecUp' which is capable of detecting the malicious apps designed to exploit PileUp vulnerabilities.

EA Games website hacked to host Apple phishing page

A webserver belonging to the EA Games has been compromised by cybercriminals and it is now hosting a phishing page attempting to steal Apple IDs.

According to Netcraft report, hackers managed to break into the sub-domain by exploiting vulnerabilities in the outdated version of web calendar application.

The Web Calendar version 1.2.0 has a critical vulnerability that allows attacker to run arbitrary code.

The phishing page tricks users into handing over their login credentials for the Apple website.  After entering the Apple ID and password, it will display second form which asks to victim to enter card details, name, birth date, phone number and few other details.  Like the usual phishing pages, once victim submit the details, he will be redirected to legitimate apple site.

Netcraft says the hacker might also have gained access to the internal servers and other information.

"In this case, the hacker has managed to install and execute arbitrary PHP scripts on the EA server, so it is likely that he can at least also view the contents of the calendar and some of the source code and other data present on the server." The blog post reads.

Full-Disclosure Security mailing List Suspended Indefinitely



Today , users subscribed to the Full disclosure security lists received a shocking email from the admin of the Full-disclosure that they are going to suspend the service.

"I'm not willing to fight this fight any longer. It's getting harder to operate an open forum in today's legal climate, let alone a security-related one. There is no honour amongst hackers any more. " the email reads.

"There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry."

" I'm suspending service indefinitely.  Thanks for playing."

Justin Bieber Twitter account hacked, malicious url tweeted


Justin Bieber official twitter account which has more than 50 million followers has been hijacked by attackers to spread spam links from the account.

The attacker posted a tweet saying "Justin Bieber Cemberut? [Malicious link] " ( Cemberut is Indonesian word, it means  'Sullen').

The shortened link provided in the tweet leads to a .tk domain 'rumahfollowers[.]tk'.  At the time of writing, we are not able to access the site.  So, we are not able to determine exactly what has been delivered to users.

More than 13k users have favorited the spam tweets and over 7,000 users have re-tweeted them.  It means thousands of users might have followed the link and affected by this spam.

It is worth to note that this is not the first time his account being hijacked by attackers.  We are not sure how this time the account get compromised by the attacker. 

His team managed to recover the account and posted saying " all good now, we handled it".

Critical Bug in GnuTLS library affects Linux and hundreds of apps


A critical bug(CVE-2014-0092) in handling the errors in the GNU Security library GnuTLS affects hundreds of software packages including RedHat, Debian and Ubuntu distros.

According to RedHat security advisory, there is a coding error in GnuTLS which fails to handle certain errors that could occur during the verification of an X.509 certificate, results in reporting 'a successful verification'.

"An attacker could use this flaw to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker." the advisory reads.

The bug exists in returning the value in the verify.c file (https://www.gitorious.org/gnutls/gnutls/commit/6aa26f78150ccbdf0aec1878a41c17c41d358a3b?diffmode=sidebyside).  It appears the uninitialized variable "result" is causing the problem.  There is also another coding error where it returns value of issuer_version when issuer_version is less than zero, instead of returning zero.  And, when result is less than zero, it goes to 'cleanup' location instead of 'fail'.

Nikos Mavrogiannopoulos from Red Hat Security Technologies Team discovered this security flaw, while doing an audit of GnuTLS for the RedHat.

Users are advised to upgrade to the latest GnuTLS version (3.2.12 or 3.1.22) or apply the patch for GnuTLS 2.12.x.

Bitcoin Exchange Poloniex website got hacked

Here comes another hacking news related to Bitcoin.  Multi crypto currency exchange Poloniex has announced today that their website suffered a cyber attack, leading to Bitcoins being stolen from their company.

On BitcoinTalk forum, the company explained how hackers stole the Bitcoins; Placing multiple withdrawls requests at the same time will result in negative balance but still the request is being processed.

"Another design flaw is that withdrawals should be queued at every step of the way. This could not have happened if withdrawals requests were processed sequentially instead of simultaneously" the forum post explaining another bug reads.

One of the forum's member gave a link to the attacker's bitcoin address "https://blockchain.info/address/1Ktq7TE3J5vZ3c99M5weqKfFcNkHQdqPrq".  It appears the loss is around $50,000(76BTC).

The owner of Poloniex said he will take the full responsibility and will repay the debt of BTC.  However, due to shortage of 12.3% in funds, the company will temporarily deduct 12.3% balance from all accounts.

"If I had the money to cover the entire debt right now, I would cover it in a heartbeat. I simply don't, and I can't just pull it out of thin air." he said.

Bitcoin Bank Flexcoin website hacked, $600,000 worth Bitcoins stolen

Bitcoin Bank "FlexCoin" website has been closed after reportedly hackers attacked the site and stole 896 bitcoins worth $600,320.

The organization claims the attack happened on March 2nd, in which attackers transferred the bitcoins to two different addresses.

"As Flexcoin does not have the resources, assets, or otherwise to come back from this loss, we are closing our doors immediately." the company posted a statement on its main page.

The bitcoins stored in cold storage were not affected by this breach, as coins were held offline.  Those users who put their coins into cold storage will be contacted by Flexcoin and asked to verify their identity.

For others, the company pointed out a link to TOS, where it says "Flexcoin Inc is not responsible for insuring any bitcoins stored in the Flexcoin system. You are entering into this agreement with Flexcoin Inc. You agree to not hold Flexcoin Inc, or Flexcoin Inc's stakeholders, or Flexcoin Inc's shareholders liable for any lost bitcoins."

The company says they are working with law enforcement and trying to find the cause of the security breach.  

Defcon Kerala Information Security Meet 2014


DEFCON KERALA chapter is pleased to announce that the second edition of DEFCON Kerala 2014 will be held on March 8th at Hotel Travancore Court, Kochi. DEFCON Kerala (DC0497) is the first DEFCON Chapter in Kerala and is a DEFCON USA Registered group for promoting and demonstrating research and development in the field of Information Security. We are a group of Information Security Enthusiasts actively interested in promoting information security.

Whether you are an information security expert, researcher or newbie in the field of information security, we have the right events to satisfy your appetite. This year DEFCON Kerala bring you a host of events which include.

KEYNOTE SESSION
N. Vinayakumaran Nair, Assistant Commissioner, Hi-Tech Cell, Kerala Police

TECHNICAL TALKS
Be there with us to hear from the experts who are at the forefront of information security research. This year we have about 12 Technical Talks that demonstrate Information Security Research in various fields.

  • WI-Hawk - Anamika Singh, Product Specialist
  • Android Security and Mobile OS Security in General - Anto Joseph, Technical Consultant
  • Compromising a DB via the XSS Vulnerability. XSS + Metasploit + Social Engineering -Fadli B. Sidek&VikneshwaranVeeran, Security Consultants
  • Security through Obscurity No More Alive - Gaurav Raj Anand, Independent Researcher
  • XMLChor-XPATH Injection exploitation - HarshalJaiprakashJamdade, Security Researcher
  • Interactive Web Security Testing with IronWASP- Lavakumar, Founder IronWASP
  • Windows 8 Forensics - Nikhalesh Singh Bhadoria, Information Security Researcher
  • DrupSnipe: Vulnerability Scanner for live Drupal powered website - Ranjeet Singh Sengar and Sukesh Reddy, Security Researchers
  • Securing the Web-Native Bridge in Hybrid Mobile Apps - Sachinraj Shetty, Application Security Manager
  • Android Forensics and Security Analysis - Santhosh Kumar, Independent Security Researcher.
  • To be announced - Francis Alexander, Security Researcher, OpenSecurity
  • HackSpace Workshop - YashinMehaboobe, Security Researcher, OpenSecurity

HACKSPACE-Free Hardware hacking workshop


HackSpace is a free and interactive hands on workshop on hardware hacking. It'll cover everything from basic microcontroller programming to hardware based attacks. Workshop will start with basic programming fundamentals. This will serve as a base for the rest of the class. Attendees will be introduced to various boards such as the Raspberry Pi, various Arduino boards as well as boards such as the MSP430 Launchpad.

The course will include fundamentals of bus protocols such as UART,I2C and SPI and how they are used. This will all be covered from an HackSpace is a free and interactive hands on workshop on hardware hacking. It'll cover everything from basic microcontroller programming to hardware based attacks. Workshop will start with basic programming fundamentals. This will serve as a base for the rest of the class. Attendees will be introduced to various boards such as the Raspberry Pi, various Arduino boards as well as boards such as the MSP430 Launchpad. The course will include fundamentals of bus protocols such as UART,I2C and SPI and how they are used. This will all be covered from an InfoSec perspective. Attendees will learn how to utilize the boards for penetration testing and security research.

DEFKTHON CTF
DEFKTHON CTF is DEFCON Kerala's trademark CTF. This is a jeopardy style CTF with challenges categorized into Recon, Reversing, Web, Crypto and Miscellaneous. The CTF is open to all and will be online on March 3rd 9.00 IST and will run till March 4th 21.00 IST. Stay tuned to http://ctf.defconkerala.com/


BEST SPEAKER AWARD

Cyber Security and Privacy Foundation(CSPF) will award the best speaker a grant of Rs.10,000. The Speakers will be judged by a Committee including Team DEFCON Kerala and an honorable member form CSPF. Delegates can contribute 50% to this selection process.

Top 5 reasons to attend DEFCON KERALA 2014
Access to cutting edge Technical Talks.
Access to Hack Space, the Hardware Hacking workshop.
Certificate of Participation.
Slides, Tools or Materials provided by the Speaker.
A niche networking platform.


Entry Pass: Rs.1100
Student Pass: Rs.800 (with discount code)
DISCOUNT CODE: STUDENT_14
Complimentary food coupons for all attendees.

Visit: www.defconkerala.com
Register Here: http://defconkerala.com/registration.html

KickStarter kicked by Hackers, username and password stolen

Online Crowdfunding website KickStarter is to be the latest high-profile website reporting security breach.  KickStarter became aware of the breach, after receiving a notification from Law enforcement.

Hackers breached their website( kickstarter.com) and gained access to the user's information including usernames, encrypted passwords, email IDs and phone numbers.  The company says there is No Credit card data compromised in this breach.  

Even though the password is encrypted one,  we aware the fact that attackers with enough computing power can easily crack those passwords.

The company informs that two accounts have been accessed by hackers so far.  All users are recommended to change their password immediately for the KickStarter website.

If you are using the same password in any other websites(most of us do), you are also advised to reset the password there also.

"We’re incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting." the company apologizes in their blog post.

Target data breach started with a Spear phishing attack targeting HVAC firm

A latest information on Target data breach published by security blogger Brian Krebs shows the power of Social Engineering attacks. 

It appears everything began from a spear phishing attack in which employees of HVAC company Fazio Mechanical Services targeted with an email containing a piece of malware.

Sources have told Krebs that the malware used in the attack is Citadel- a notorious banking trojan capable of stealing login credentials and other information.  However, Krebs isn't able to confirm the information.

The reason why the company didn't get chance to identify the malware is because it is using a free version of Malwarebytes Anti-malware to protect is internal systems.

Malwarebytes is one of good tool capable of scanning and removing threats from infected machines.  However, unlike the Pro version(just $25), it doesn't offer any real-time protection.

Furthermore, the free version is meant for individuals not for companies, also the license for free version prohibits corporate use.