High School Teen claims he hacked CIA Director’s personal account

An American high school student says he hacked the personal email account of the Central Intelligence Agency (CIA) Director, John Brennan, and law enforcement sources have confirmed the claim.

Brennan’s private account held sensitive files, including the 47-page SF-86 application that Brennan had filled out to obtain top-secret security clearance. The files sat there until he recently learned that the account had been infiltrated.

The government uses these applications to conduct background checks. They contain a lot of sensitive data about workers seeking security clearance and about their friends, spouses and other family members. They also include criminal history, psychological records and information about past drug use, as well as potentially sensitive information about the applicant’s interactions with foreign nationals, which can be used against those nationals in their own country.

The hacker said the director had the information stored on his personal AOL account, which reportedly also held the social security numbers of more than a dozen senior American intelligence officials and a document on ‘harsh interrogation techniques’ used on terrorism suspects.

The high school student who hacked into Brennan’s account has not given his name or where he lives, but according to his social media posts he said he was motivated to go after the CIA director because he is opposed to US foreign policy and supports Palestine. Even though he says he is not Muslim, his Twitter page reportedly quotes the Quran and refers to Allah as the one true God.

He also said that he and his classmate would tweet “CWA owns John Brennan of the CIA” as a means of verifying his control over the @phphax Twitter account.

CWA stands for “Crackas with Attitude”.

Not only did he break into Brennan’s account, he also posted some of the stolen documents and a portion of Brennan’s contact list on Twitter.

The teen claimed he has repeatedly prank-called America’s top spy since August, once reciting Brennan’s Social Security number to him.

The teen first told the New York Post that he used social engineering to hack the account. He posed as a Verizon worker to trick another employee into handing over the CIA director’s personal information, then used it to dupe AOL into resetting his password.

The hacker did not work alone; other unidentified people were involved with him. Their team first did a reverse lookup of Brennan’s mobile number to discover that he was a Verizon customer, after which one of them posed as a Verizon technician and called the company asking for details about Brennan’s account.

Brennan’s account was disabled as of Friday.

In a statement, the CIA said: “We are aware of the reports that have surfaced on social media and have referred the matter to the appropriate authorities.”

The Federal Bureau of Investigation (FBI) and other federal agencies have started investigating the hacker, and he may face criminal charges.

Apart from Brennan’s account, the hackers also broke into the Comcast account of Homeland Security Secretary, Jeh Johnson.

The news of the breach comes in the midst of another email scandal involving Hillary Clinton who has been under fire for months over a private server and email account she maintained to do official work.

If the director of the CIA kept a secret database of information in his personal account, it is a violation of US federal law, which requires people in possession of top-secret information to keep it only in a secure government venue. Breaking that law is a felony.

Cyber threats may well face an insurance vacuum; firms need to look after themselves

Anecdotal evidence suggests that the global insurance industry is unwilling to play ball on writing cyber insurance policies. Companies are facing unprecedented cyber threats and thus seeking ever larger cyber insurance cover. Insurers, however, are either unwilling to write policies, or are writing limited policies at a steep price or with significant conditions. Firms are looking for US$1 billion cover, but the insurers are not biting.

It is not hard to understand the predicament of insurers. As things stand today, cyber insurers face information asymmetry: little or no actuarial insight is available. No insurer has a clue what hidden vulnerabilities exist in a company’s IT set-up (software, websites, network, data centres and processes). How can the insurers know when companies themselves do not fully understand their vulnerabilities?

The task for insurers is made even more difficult by the fact that attacks may not be aimed at a big firm directly. The recent attack on the Apple iOS App Store suggests that hackers may have discovered another route to compromise the internet: infecting the machines of software developers who write legitimate programs and apps. Developers are a huge, globally dispersed (and therefore geopolitically exposed) and logical target for hackers, and this approach may be harder to defend against.

Further, insurers also need to take into account that businesses now operate in internet-linked ecosystems which include multiple partners and suppliers of various sorts, apart from outsourced software development. Smaller, less prepared, less equipped members of these ecosystems offer hackers an easier route to sneak into the systems of the big firms.

The situation gets extremely complicated when one considers the size of cyber threats. One estimate of the annual cost of cybercrime to the global economy ranges from US$375 bn to US$575 bn. That’s a lot of money, and the reluctance of insurers to write policies against hugely expensive and unknown threats is unsurprising, to say the least. Attackers are remotely located, face no direct or immediate physical threat and are unafraid to take risks.

Testing for vulnerabilities is a deeply technical issue. When faced with Advanced Persistent Threats (APT) and zero-day vulnerabilities, it needs to be borne in mind that businesses are up against attackers who typically belong to organised criminal groups, mafia groups, black-hat hacker groups or state-backed groups.

An APT attack happens when committed adversaries persistently utilise advanced technologies to compromise targets. Extremely hazardous zero-day exploits (vulnerabilities found by hackers and never reported to security vendors) are found in operating systems, application software, browsers, antivirus software, firewalls and internal application software. On average, twenty zero-day vulnerabilities exist in any given server. Zero-days have the highest success and damage rates and the lowest probability of detection by firewalls, IDS, AV and similar tools.

The problem is also compounded by a lack of senior management involvement in vulnerability assessment, penetration testing and similar exercises. This is a matter that cannot be left to systems administrators or developers, who are better equipped to remediate security issues than to discover vulnerabilities.

Given the reluctance of insurers to play ball, companies may have little choice but to look after themselves. The buck needs to stop at the desk of senior management, and Boards need to ask difficult questions. Cyber threats are strategic in nature, and as such a strategic response is called for to defend against financial and non-financial damage.

Constant vigilance, vulnerability assessments and penetration testing are essential for defence. Companies also need to utilise counter-cyber-espionage and counter-intelligence techniques to protect themselves against cyber-attacks, as well as inject themselves with a healthy dose of paranoia.

Author: Prasanna J, Founder of Cyber Security and Privacy Foundation(CSPF)

Turn off macros in Microsoft Office applications to protect yourself from an active malware spam campaign

[Figure: email samples]

Think twice before opening an attachment from an unsolicited email, especially if you are in Japan, as you might be the target of a malware-ridden spam attack. To protect yourself, turn off macros in Microsoft Office applications; this prevents macro-based threats from executing.

The problem came to light on October 8, when employees of various corporations in Japan started to receive suspicious-looking emails which turned out to carry malicious attachments.

Researchers from Symantec, who discovered the malware, confirmed that those emails were part of a wave of malware-ridden spam attacks currently active in Japan.

The emails carried Microsoft Word document attachments containing a malicious macro.

The researchers said that the macro attempted to download the same executable file (65g3f4.exe) from multiple remote locations. The multiple downloads were probably a redundancy measure in case some sources were taken down.

“We have observed download attempts from the following domains: Leelazarow[.]com, Rockron[.]com, www[.]profes-decin[.]kvalitne[.]cz,” they said in a blog post.

“There are two variations of the emails: one is an order confirmation from a Japanese equipment supplier and the other pretends to come from a local printing company,” the researchers added.

Symantec detects the malicious Word document as W97M.Downloader, a known vehicle for other threats such as Trojan.Cryptodefense and Trojan.Cridex.

In the process, the document also downloads a banking Trojan which Symantec detects as Infostealer.Shiz. The researchers said that installing such a Trojan on corporate computers could give the attackers a foothold on the network from which they can spread and find other items of value.

The malware also appears to be designed specifically for Japan, as 98 percent of detections of it are located in the country.

“Our telemetry shows that this particular variant of Infostealer.Shiz is being distributed almost exclusively in Japan, as 98 percent of the detections are located in this region. There are currently no indications that specific industries or companies are targeted,” the researchers concluded.

Encryption Law Outrage forces Indian Government to Retreat

The ruling Bharatiya Janata Party (BJP) withdrew the contentious draft encryption policy on Tuesday (September 22) after a massive public uproar over the proposed measures.

The government said it would place it in public domain again after reworking some of the “expressions” that had given rise to “misgivings”.

The draft policy, drawn up by an "expert group" under the Department of Electronics and Information Technology (DeitY), which comes under the union ministry of communications and information technology, sparked outrage on social media, as most messaging services use some form of encryption.

The policy was introduced under Section 84 A of the Information Technology Act (2000). It was proposed to enhance information security in India.

It was released on Monday (September 21) and proposed to make it mandatory for every citizen, including businesses, telecoms and internet companies, to save all digital communications, including emails and chats, in plain text for a period of 90 days and to present them to law enforcement agencies whenever asked. Failing to do so would mean legal action under the laws of the country.

Later in the day, the government sought to address the issue by releasing an addendum to the draft which clarified that web-based applications and social media sites such as WhatsApp, Facebook and Twitter were exempt. Payment gateways, e-commerce and password-based transactions were also excluded, as transaction details passing through payment gateways could be vulnerable to hackers.

But the next morning the Union Minister for Communications and Information Technology (IT), Ravi Shankar Prasad, directed the withdrawal of the draft.

At a news conference, Prasad stressed that users would not come under the ambit of the encryption policy which the government is in the process of framing.

The minister also said that the government completely supported freedom on social media. But the regulation of encryption technologies was the need of the hour.

With the regular stream of terrorist attacks and cyber attacks from across international borders, freedom has become very vital. Though it is a basic right, citizens also need safety, security and the assurance that their lives will continue to be safe.

Most experts called the policy impractical, as end consumers have no idea about encryption; in most cases it is done by applications, and users cannot decrypt the data, only the application providers can.

Meanwhile, the Opposition parties too attacked the government on the issue with the Congress saying that the Centre’s intent stood “exposed,” while the Communist Party of India (Marxist) (CPI(M)) tagged it ‘Gujarat Snooping Model.’

In 2010, the United Progressive Alliance (UPA) government said it would ban Blackberry Messenger Service (BBM) in India unless the company gave security agencies access to snoop on emails. The two eventually reached an arrangement that allowed the government to intercept messages sent on Blackberry's platform.

WordPress Team releases version 4.3.1, fixes two vulnerabilities

The WordPress security team has released version 4.3.1, which is now available for download. This release fixes three issues, including two cross-site scripting vulnerabilities and a potential privilege escalation. The vulnerabilities were reported by Check Point researchers Shahar Tal and Netanel Rubin.

The first vulnerability, CVE-2015-5714, is a cross-site scripting issue present in WordPress versions 4.3 and earlier. Those versions were vulnerable while processing shortcode tags.

Most users are well acquainted with shortcodes, which are a valuable asset for WordPress developers. The Check Point researchers found a fault in the way shortcodes are handled. In general, "KSES filtering is performed prior to the insertion of data into the DB, and shortcode parsing is performed when printing it to responses."

The researchers then came up with a method that mixed HTML code with the shortcode’s content, and they were able to leave an HTML anchor tag open to perform persistent attacks. This was possible because HTML validation and shortcode parsing took place at different times.

The second vulnerability, CVE-2015-5714, is a privilege escalation bug that allows users to publish private posts and even make them sticky on a site. This vulnerability could have a greater impact on WordPress websites that use the CMS’ built-in user management features to build a community around the site.

Besides this, WordPress has also fixed 26 bugs in this new version.

G Data releases new secure chat app for Android users

G Data, a Germany-based internet security firm, has released its secure messaging application, SECURE CHAT, for Android users on its 30th anniversary.

Secure Chat uses the Axolotl secure, multiply-encrypted asynchronous chat protocol, which is internationally considered practically impossible to hack. The app guarantees the secure exchange of photos, videos and other media, protecting the user’s privacy from hackers and cyber eavesdropping.

"In today's world, the privacy of the individual as well as businesses is in constant peril with the growing ability of hackers to tap into and steal data," said Andy Hayter, security evangelist, G DATA. "We created the SECURE CHAT app with the strongest encryption protocol possible, to offer users the ability to easily communicate with each other without having to worry about the security of their conversations and data."

When you install G Data Secure Chat, it asks you to verify your mobile number, which it uses to identify you if you wish to install it on another device. It first sends an SMS to your mobile number, but if that doesn't verify correctly (it didn't like my Google Voice number) you have the option to verify over a voice call.

Among the most prominent features of G Data Secure Chat are a timer that auto-deletes messages at both ends (sender’s and receiver’s), filters for incoming and outgoing messages and SMS, and the ability to hide SMS messages from specific contacts.

G DATA SECURE CHAT is now available for free in the Google Play store.

Security Bug allows Hackers to take Control of Curiosity Rover's OS

A serious security flaw has been discovered in VxWorks, a real-time operating system made since 1987 by Wind River of Alameda, California, US. The OS is used in everything from network routers to critical systems such as NASA's Curiosity Rover on Mars and the Boeing 787 Dreamliner.

Canadian researcher Yannick Formaggio presented the details of a significant flaw in VxWorks at 44Con, an information security conference in London. He said, "VxWorks is the world's most widely used real-time operating system deployed in embedded systems. Its market reach spans across all safety critical fields, including the Mars Curiosity rover, Boeing 787 Dreamliner, network routers to name a few." Formaggio added, "In this age of IoT, the issue will have a widespread impact."

The researcher discovered the flaw after an Istuary client asked for help understanding the critical infrastructure industry.

The flaw allowed Formaggio “to target a specific part of the operating system and write to memory on the machine running VxWorks. From there, it was possible to set up a backdoor account and control functions of the operating system."

Another major finding of his research was that the “FTP server is susceptible to ring buffer overflow when accessed at a high speed” and crashes when sent a “specially crafted username and password”.

The current version of VxWorks is 7; version 653 has the problem, which may affect many millions of devices that need to be patched. Wind River has acknowledged the flaw and is in the process of providing patches.

Security researchers, stay alert as fake recruiters send you invitations on LinkedIn

[Figure: a fake invitation on LinkedIn]
A report published in Security Week confirms that the LinkedIn accounts of security researchers across the globe have recently been flooded with recruitment requests from a series of fake accounts, in what appears to be an attempt to map their networks.

Sabari Selvan, Senior Researcher at Cyber Security and Privacy Foundation, has received a fake LinkedIn invitation from Jannine Viray who asked him to send his updated resume to jannine.viray[at]v-key.com as her company needed a mobile security researcher.

The targeted security professionals reportedly received multiple recruitment invitations per day from Talent Sources’ supposed employees over the course of several days, and they would do well to steer clear of them.

The fake recruiters use an attractive woman’s picture on the profile to draw people in. Soon afterwards the account details and the picture are changed, if the profile does not disappear entirely.

There are other red flags: the company’s logo was copied from a real business, its Twitter account hasn’t been updated since January, it still uses the default egg avatar and has only ever posted two tweets, and some of the LinkedIn accounts in question have already disappeared.

According to the news report, Fox-IT’s Yonathan Klijnsma raised a flag on this activity a few weeks back and explained the manner in which the so-called “recruitment” works, but could not offer specific details on the purpose of this type of activity.

F-Secure's Sean Sullivan took a closer look at these accounts and discovered that they were all for people supposedly working for Talent Src (Talent Sources) and that each was seemingly focused on a particular type of specialist.

“The profile pictures of some of these so called recruiters were found to be flipped copies of images on Instagram and on some legitimate LinkedIn accounts, while their specialties and areas of interest were revealed to be at least questionable,” the report added.

In May 2014, cyber intelligence firm iSIGHT Partners outed a group of Iranian threat actors, who were found using more than a dozen fake personas on popular social networking sites to run a wide-spanning cyber espionage operation since 2011.

“These credible personas then connected, linked, followed, and “friended” target victims, giving them access to information on location, activities, and relationships from updates and other common content,” iSIGHT Partners said.

Global XMPP Android ransomware campaign hits tens of thousands of devices

Check Point’s malware research team has detected a new variant of mobile ransomware that encrypts the content of Android smartphones and puts a new spin on both how it communicates with its masters and how it spurs its victims into action.

“We estimate that tens of thousands of devices have been infected. We have evidence that users have already paid hundreds of thousands of dollars to get their files unencrypted, and the actual infection rate may be much higher,” the research team posted in its blog.

The updated version of Simplocker masquerades on app stores and download pages as a legitimate application, and uses an open instant messaging protocol to connect to command and control servers.

The phone owner then sees a message holding his data hostage. The message, which looks like an official text, is not a new ruse either: the “NSA” allegedly accuses the phone’s owner of wrongdoing such as browsing pornographic sites on his phone, or violating copyright law by holding or using protected content such as video and music. To regain access to his device, he will have to pay a “fine.”

“The victim seems to have no alternative. The app can’t be removed by a regular user. Even if he were somehow able to remove it, his files would still remain encrypted. The ransom payment, however, will probably not reach the NSA but rather make its way to the hands of a cyber-criminal,” the team added.

According to the team, while posing as a legal or governmental authority to intimidate the victim into paying up is not new, the use of the Extensible Messaging and Presence Protocol (XMPP), the instant messaging protocol used by Jabber and previously by GTalk, is a shift in tactics to evade detection by anti-malware tools.

XMPP communication makes it more difficult for security and anti-malware tools to catch the ransomware before it can communicate with its command and control network because it conceals the communication in a form that looks like normal instant message communications.

Most previous ransomware packages have communicated with a website over HTTPS to obtain encryption keys; those websites can generally be identified by their URLs, IP addresses, or the signature of their Web requests and then blocked.

An application making a secure HTTP request to a suspicious destination would be a good sign that something bad was afoot. But the XMPP communications channel used by the new Simplocker variant uses an external Android library to communicate with the command and control network through a legitimate messaging relay server. And these messages can be encrypted using Transport Layer Security (TLS). The messages were pulled from the command and control network by the operators of the scheme via Tor.

The XMPP channel allows a number of other commands to be launched remotely by the malware operators, including sending SMS messages and placing phone calls, as well as re-setting the configuration of the malware's communications (and the Bitcoin account to be used to submit victims' payments).

The team observed that ~10% of the users paid between $200 and $500 in ransom to decrypt their files. This means that for every 10k infections, the malware authors raked in $200k-$500k. They say the actual infection rate is probably much higher.

Security vulnerabilities fixed in latest Drupal versions

After addressing several vulnerabilities, Drupal has asked users to upgrade their existing Drupal 7 and 6 sites.

An XSS vulnerability was found in the autocomplete functionality of forms, where the requested URL was not sanitized properly; it affected both Drupal 6 and 7. The flaw could allow an attacker to upload files to vulnerable websites under another user’s account.

“For security reasons, the autocomplete system now makes Ajax requests to non-clean URLs only, although protection is also in place for custom code that does so using clean URLs,” Drupal explained.

Drupal, which is used by more than 1.1 million websites, published a security advisory on August 19 confirming that it had patched several vulnerabilities in versions 7.39 and 6.37.

It revealed that the version 7 was affected by a cross-site scripting (XSS) vulnerability that could allow an attacker to launch attacks by invoking Drupal.ajax() on a whitelisted HTML element.

Drupal developers warn that version 7 of the CMS is plagued by a SQL injection vulnerability that allows an attacker with elevated privileges to inject malicious code in SQL comments. The flaw, found in the SQL comment filtering system, can only be exploited on one contributed module.

“When form API token validation fails (for example, when a cross-site request forgery attempt is detected, or a user tries to submit a form after having logged out and back in again in the meantime), the form API now skips calling form element value callbacks, except for a select list of callbacks provided by Drupal core that are known to be safe. In rare cases, this could lead to data loss when a user submits a form and receives a token validation error, but the overall effect is expected to be minor,” Drupal said in the advisory.

The last vulnerability patched in Drupal 6 and 7 is an information disclosure issue related to menu links.

“Users without the ‘access content’ permission can see the titles of nodes that they do not have access to, if the nodes are added to a menu on the site that the users have access to,” reads Drupal’s advisory.

The vulnerabilities affect Drupal core 6.x versions prior to 6.37 and Drupal core 7.x versions prior to 7.39. CVE identifiers have yet to be assigned to these vulnerabilities.

Fourth Android vulnerability detected; is it safe to use?

One vulnerability after another in Android has raised questions about its safety, and Android users are now wondering whether it is safe to use at all.

Researchers from Trend Micro, a security firm, have uncovered yet another Android mediaserver vulnerability, in versions 2.3 to 5.1.1, which they say could allow attackers to run their code with the same permissions that the mediaserver program already has as part of its normal routines. Google has since patched the vulnerability via the Android Open Source Project (AOSP).

According to the researchers, the vulnerability lies in AudioEffect, a component of the mediaserver program. It uses an unchecked variable that comes from the client, which is usually an app. To attack, the attacker must convince the victim to install an app that doesn’t request any permissions, giving them a false sense of security.

“Since the mediaserver component deals with a lot of media-related tasks including taking pictures, reading MP4 files, and recording videos, the privacy of the victim may be at risk. Devices with customized versions of Android but with no modification made to the mediaserver component are also affected,” they said.

To block the threat, the researchers suggest that Android users download Trend Micro Mobile Security (TMMS), which can detect threats that try to use this vulnerability and run any of the scenarios presented. Users can also reboot their device in safe mode to uninstall the malicious app.

“We also recommend that device manufacturers patch their devices regularly to prevent their users from suffering from attacks that use this vulnerability,” they explained.

The new flaw is said to be quite similar to three other major vulnerabilities in Android’s mediaserver component that were detected recently. CVE-2015-3823 could allow attackers to trap phones in endless reboots, and ANDROID-21296336 may render devices silent. Lastly, CVE-2015-3824, dubbed Stagefright, can be used to install malware through a multimedia message.

Facebook rewards Researchers for Vulnerability Discovery Tool

Facebook has awarded a prize of $100,000 to a team of security researchers in Georgia for finding a new class of vulnerabilities in browser-based C++ programs.

The “Internet Defense Prize” was awarded at the 24th USENIX Security Symposium in Washington D.C. for projects that encourage internet safety. The payout of $100,000 was double what was awarded last year to German researchers Johannes Dahse and Thorsten Holz, who won the prize for their paper, “Static Detection of Second-Order Vulnerabilities in Web Applications.”

This year’s prize winners, PhD students Byoungyoung Lee and Chengyu Song along with Professors Taesoo Kim and Wenke Lee, revealed a new class of C++ vulnerabilities and introduced CaVeR, a runtime bad-casting detection tool.

CaVeR performs instrumentation at compile time and uses a new runtime type tracing mechanism—the type hierarchy table—to overcome the limitation of existing approaches and efficiently verify type casting dynamically. The researchers claim to have applied CAVER to the code of the Chromium and Firefox browsers and discovered 11 previously unknown security vulnerabilities: nine in GNU libstdc++ and two in Firefox.

Facebook Security Engineering Manager Ioannis Papagiannis explains, “C++ supports two major different types of casting operators to convert one type of data into another: static and dynamic casts. Dynamic casts are checked at runtime for correctness, but they also incur a performance overhead. People typically prefer to use static casts because they avoid that overhead, but if you cast to the wrong type using a static cast, the program may end up creating a pointer that can point past the memory allocated to a particular object. That pointer can then be used to corrupt the memory of the process."

Papagiannis said that CAVER makes it possible to have the best of both worlds: using static type casting to improve performance, but identifying type casting vulnerabilities that can then be addressed.
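The static-versus-dynamic cast distinction described above, as an added C++ example that is not CaVeR's or Facebook's code; the node types, the Kind tag and the helper names are constructed for illustration, and the tag check only stands in for the idea of verifying a cast against a type table:

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>

// Added example (not CaVeR's or Facebook's code): a small class hierarchy with
// subtypes of different sizes, and three ways to downcast a base pointer.
enum class Kind : std::uint8_t { Node, Text, Image };

struct Node {
    virtual ~Node() = default;   // polymorphic, so dynamic_cast (RTTI) is available
    Kind kind = Kind::Node;      // hand-rolled type tag, a stand-in for a type table
};

struct TextNode : Node {
    static constexpr Kind static_kind = Kind::Text;
    TextNode() { kind = static_kind; }
    char text[8] = "hello";
};

struct ImageNode : Node {
    static constexpr Kind static_kind = Kind::Image;
    ImageNode() { kind = static_kind; }
    char alt[8] = "alt";
    std::uint32_t width = 640;   // these two fields lie past the end of a TextNode,
    std::uint32_t height = 480;  // so a TextNode mis-cast to ImageNode reaches out of bounds
};

// 1. Unchecked: exactly what static_cast does. No runtime check, so it "succeeds"
//    even when *n is really a TextNode (the standard calls this undefined behaviour).
ImageNode* unchecked_downcast(Node* n) { return static_cast<ImageNode*>(n); }

// 2. RTTI-checked: dynamic_cast consults the vtable and yields nullptr on a bad cast,
//    at the runtime cost the article mentions.
template <class To> To* rtti_downcast(Node* n) { return dynamic_cast<To*>(n); }

// 3. Tag-checked: verify the cast against the object's recorded kind before trusting
//    it; the same idea as checking a type table instead of the caller's assumption.
template <class To> To* tagged_downcast(Node* n) {
    if (n == nullptr || n->kind != To::static_kind) return nullptr;
    return static_cast<To*>(n);
}

bool unchecked_cast_is_silent() {
    TextNode t;
    ImageNode* wrong = unchecked_downcast(&t);  // compiles and is non-null
    return wrong != nullptr;                    // deliberately never dereferenced
}

bool rtti_cast_rejects_bad_cast() {
    TextNode t;
    return rtti_downcast<ImageNode>(&t) == nullptr;
}

bool rtti_cast_accepts_good_cast() {
    ImageNode img;
    ImageNode* ok = rtti_downcast<ImageNode>(&img);
    return ok != nullptr && ok->width == 640;
}

bool tagged_cast_rejects_bad_cast() {
    TextNode t;
    return tagged_downcast<ImageNode>(&t) == nullptr;
}

bool tagged_cast_accepts_good_cast() {
    ImageNode img;
    ImageNode* ok = tagged_downcast<ImageNode>(&img);
    return ok != nullptr && ok->height == 480;
}

// Bytes beyond the real TextNode allocation that the unchecked cast exposes.
std::size_t overreach_bytes() { return sizeof(ImageNode) - sizeof(TextNode); }

int main() {
    std::cout << "static_cast silent on bad cast: " << unchecked_cast_is_silent() << '\n'
              << "dynamic_cast rejects bad cast:  " << rtti_cast_rejects_bad_cast() << '\n'
              << "tag check rejects bad cast:     " << tagged_cast_rejects_bad_cast() << '\n'
              << "bytes reachable out of bounds:  " << overreach_bytes() << '\n';
    return 0;
}
```

The tag check costs a single byte compare per cast, which is the trade-off CaVeR's authors describe: keep the static cast's speed while still rejecting casts the object's real type does not support.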

He added, “We all benefit from this kind of work. A large part of why Facebook has been successful in serving nearly 1.5 billion people is because we have been quick to introduce and adopt categories of systems and frameworks that prevent whole classes of vulnerabilities at once. As an industry, we need to invest in those kinds of solutions that scale.”

34-year-old woman receives vulgar images on phone via Apple's Airdrop sharing function

It was a normal day. As always, Lorraine Crighton-Smith took the train to work. But something unusual happened that left her shocked and violated.

The 34-year-old was holding her phone on the train, about to send a message, when two messages arrived back to back via Apple's Airdrop sharing function. They contained pictures of an unknown man's penis.

Crighton-Smith told BBC, "I had Airdrop switched on because I had been using it previously to send photos to another iPhone user, and a picture appeared on the screen of a man's penis, which I was quite shocked by.”

Soon after that, she reported it to the British Transport Police (BTP).

As per the report published in BBC, the police are now investigating a "new" crime of cyber-flashing after the incident.

Since Crighton-Smith declined the message, the BTP said there was no technological evidence for them to work with, and recorded the incident as intelligence.

"I declined the image, instinctively, and another image appeared, at which [point] I realised someone nearby must be sending them, and that concerned me. I felt violated, it was a very unpleasant thing to have forced upon my screen. I was also worried about who else might have been a recipient, it might have been a child, someone more vulnerable than me,” she told BBC.

According to the report, Supt Gill Murray said this particular crime was new to her force and urged people to report any other incidents.

Murray said the force had dealt with cases involving Bluetooth but an incident via Airdrop was "new to us".

"We have a dedicated Cyber Crime Unit who can analyze mobile phones and track data transfers back to suspects' devices. By linking this to physical evidence, such as CCTV footage or witness statements, we can catch offenders and bring them to justice through the courts,” Murray added.

Air-gapped PCs not safe anymore

Researchers have shown that even air-gapped computers are not safe anymore: they can be attacked using devices as simple as a cell phone.

The Israel-based researchers achieved this feat using nothing more than GSM frequencies, electromagnetic emissions and a simple mobile phone.

The researchers wrote in a paper, “Unlike some other recent work in this field, [this attack] exploits components that are virtually guaranteed to be present on any desktop/server computer and cellular phone."

They have called on companies that work with sensitive information to raise their security standards so that they do not fall prey to this kind of attack.

Creepy Voice that you heard from Your Baby Monitor is not of a Ghost

Beware of Internet-connected cameras, security cameras and monitoring systems: they can be hacked with little effort. Camera hacking has become a serious issue because of the potential for unauthorized people to watch and record video.

The Ontario Provincial Police (OPP) issued a warning on Wednesday reminding people that these systems can be susceptible to hackers because many ship with remote access enabled by default. The warning followed a July 7 incident in which a family from southwestern Ontario watched the baby monitor pointed at their young child suddenly start playing music while a voice said they were being watched.

According to OPP Const. Liz Melvin, the child was about to go to sleep in the nursery when the camera was remotely activated.

“The camera played some eerie music and a voice could be heard indicating the parent and child were being watched,” Melvin told National Post. “Obviously it’s going to be disturbing.”

She said the family's Internet service provider confirmed the router had been hacked, and that the source of the hack could be anywhere in the world.

Although baby-monitor hacking cases are reported regularly elsewhere, Melvin said no other incidents had been reported locally, and she was not aware of any past investigations into this type of camera hacking in the area.

She said there are no suspects in the case and the investigation is ongoing.

To protect themselves, people should password-protect both their Internet connection and the monitoring system itself, change any default credentials, disable remote access if it is not needed, buy cameras from trusted sources, and cover cameras when they are not in use.

Google protests against proposed US export rules under the "Wassenaar Arrangement"

Google has objected to proposed US export-control rules, implementing changes to the "Wassenaar Arrangement", that would let the US government control the export of security research and technologies.

Neil Martin of Google's legal team and Tim Willis, "Hacker Philanthropist" on the Chrome Security Team, opposed the proposal in a blog post, saying "it will hurt general web users".

The post emphasized how the proposed changes would directly affect security research: “The time and effort it takes to uncover bugs is significant, and the marketplace for these vulnerabilities is competitive. That’s why we provide cash rewards for quality security research that identifies problems in our own products or proactive improvements to open-source products. We’ve paid more than $4 million to researchers from all around the world - our current Hall of Fame includes researchers from Germany, the U.S., Japan, Brazil, and more than 30 other countries.”

According to the blog post, the proposed rules would apply Wassenaar Arrangement controls to software and tools, which would hamper companies that hire hackers to find vulnerabilities in their networks and products.

If the proposed changes are approved, companies operating in the US would need a license to export their security technologies, or information about newly discovered vulnerabilities, anywhere other than Canada.

Google submitted their comments on the proposed rules to the United States Commerce Department’s Bureau of Industry and Security (BIS).

GarrettCom releases new firmware versions to tackle Magnum vulnerabilities

US-based GarrettCom has released new firmware versions to mitigate vulnerabilities in its Magnum 6K and Magnum 10K product lines. Authentication, denial-of-service and cross-site scripting vulnerabilities were found; all versions of both product lines prior to 4.5.6 are affected.

Successful exploitation could allow a remote attacker to execute arbitrary code on the target device.

The impact on an individual organization depends on its operational environment, architecture and product implementation.

Researchers have found multiple XSS (cross-site scripting) vulnerabilities in the web server present on the device, which can be exploited by an unauthenticated attacker.

CVE-2015-3960 has been assigned to the vulnerabilities involving hard-coded credentials. The firmware contains hard-coded RSA private keys and certificate files that the device uses for SSH and HTTPS connections, as well as a hard-coded password for a high-privilege user account reachable over the serial console.
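A triage check a practitioner would run against firmware like this, as an added example (not GarrettCom or ICS-CERT code): scan an image for PEM blocks, fingerprint each private key, and flag any key that appears in more than one image or device, which is what "hard-coded" means in practice. The images, key bodies and function names below are constructed placeholders, not real GarrettCom firmware or keys.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <set>
#include <string>
#include <vector>

struct PemBlock {
    std::string label;     // e.g. "RSA PRIVATE KEY" or "CERTIFICATE"
    size_t offset;         // byte offset of the "-----BEGIN" marker in the image
    uint64_t fingerprint;  // hash of the whitespace-stripped base64 body
};

// 64-bit FNV-1a: a stable identifier for comparing bodies across images,
// not a cryptographic hash.
uint64_t fnv1a(const std::string& s) {
    uint64_t h = 1469598103934665603ULL;
    for (unsigned char c : s) { h ^= c; h *= 1099511628211ULL; }
    return h;
}

// Walk a raw image (arbitrary binary, NUL bytes included) and return every
// well-formed PEM block: "-----BEGIN X-----" ... "-----END X-----".
std::vector<PemBlock> find_pem_blocks(const std::string& image) {
    static const std::string kBegin = "-----BEGIN ";
    std::vector<PemBlock> found;
    size_t pos = 0;
    while ((pos = image.find(kBegin, pos)) != std::string::npos) {
        size_t label_start = pos + kBegin.size();
        size_t label_end = image.find("-----", label_start);
        if (label_end == std::string::npos) break;
        std::string label = image.substr(label_start, label_end - label_start);
        std::string end_marker = "-----END " + label + "-----";
        size_t body_start = label_end + 5;
        size_t end_pos = image.find(end_marker, body_start);
        if (end_pos == std::string::npos) { pos = body_start; continue; }
        std::string body;  // strip line wrapping so identical keys hash alike
        for (size_t i = body_start; i < end_pos; ++i) {
            char c = image[i];
            if (c != '\n' && c != '\r' && c != ' ' && c != '\t') body += c;
        }
        found.push_back({label, pos, fnv1a(body)});
        pos = end_pos + end_marker.size();
    }
    return found;
}

bool is_private_key(const PemBlock& b) {
    return b.label.find("PRIVATE KEY") != std::string::npos;
}

// Fingerprints of private keys present in more than one image. A key shared by
// every unit of a product line is exactly the hard-coded-credential case.
std::vector<uint64_t> shared_private_keys(const std::vector<std::string>& images) {
    std::map<uint64_t, int> images_per_key;
    for (const std::string& img : images) {
        std::set<uint64_t> seen_in_this_image;
        for (const PemBlock& b : find_pem_blocks(img))
            if (is_private_key(b) && seen_in_this_image.insert(b.fingerprint).second)
                ++images_per_key[b.fingerprint];
    }
    std::vector<uint64_t> shared;
    for (const auto& kv : images_per_key)
        if (kv.second > 1) shared.push_back(kv.first);
    return shared;
}

// Constructed sample images. The PEM bodies are placeholders, not real keys,
// and the surrounding bytes stand in for the binary parts of a firmware image.
static const std::string kJunk("\x7f" "ELF\x02\x01\x01\x00\x00\xff", 10);
static const std::string kKeyOne =
    "-----BEGIN RSA PRIVATE KEY-----\nUExBQ0VIT0xERVIt\nTk9ULUEtUkVBTC1LRVk=\n-----END RSA PRIVATE KEY-----\n";
static const std::string kKeyOneRewrapped =  // same body, different line wrapping
    "-----BEGIN RSA PRIVATE KEY-----\nUExBQ0VIT0xERVItTk9ULUEtUkVBTC1LRVk=\n-----END RSA PRIVATE KEY-----\n";
static const std::string kKeyTwo =
    "-----BEGIN RSA PRIVATE KEY-----\nREVWSUNFLVNQRUNJRklDLUtFWQ==\n-----END RSA PRIVATE KEY-----\n";
static const std::string kCert =
    "-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVItQ0VSVA==\n-----END CERTIFICATE-----\n";

std::string demo_image_a() { return kJunk + kKeyOne + kJunk + kCert + kJunk; }
std::string demo_image_b() { return kJunk + kKeyOneRewrapped + kJunk; }  // shares image A's key
std::string demo_image_c() { return kJunk + kKeyTwo + kJunk; }           // unique key

int main() {
    for (const PemBlock& b : find_pem_blocks(demo_image_a()))
        std::printf("offset %zu: %s fingerprint %016llx\n", b.offset, b.label.c_str(),
                    static_cast<unsigned long long>(b.fingerprint));
    std::printf("private keys shared across images: %zu\n",
                shared_private_keys({demo_image_a(), demo_image_b(), demo_image_c()}).size());
    return 0;
}
```

On a real assessment, feed the function the raw firmware file read into a std::string (and any filesystem extracted from it), then compare the fingerprints against the key the device actually presents over SSH and HTTPS; a match on a factory image means every unit shipped with the same private key.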

Memory can be corrupted by sending a specially crafted URL to the device's web server.

These vulnerabilities can be exploited remotely; no known public exploits specifically target them.

According to ICS-CERT, the latest versions of the GarrettCom Magnum 6K and Magnum 10K software fix these vulnerabilities. Version 4.5.5 was released in December 2014 and Version 4.5.6 in January 2015. Users can download the latest software version and release notes from GarrettCom's web site.

ICS-CERT recommends that users perform access-control checks to limit who can reach the affected features, use an application firewall to detect XSS attacks, minimize network exposure for all control system devices and systems, and ensure that they are not accessible from the Internet.

Airtel injecting scripts into browsers? Will it affect your privacy and security?

After heavy criticism of its Airtel Zero plan, Bharti Airtel, an Indian multinational telecommunications company, is now accused of secretly injecting JavaScript and iframes into customers' web browsing sessions, altering the pages they see.

Thejesh GN, an info-activist and programmer, published his findings on GitHub, showing that Airtel was inserting JavaScript into users' browsing sessions.

He said the iframe tries to insert a toolbar into the page, and that the parent URL of both the iframe and the JavaScript belongs to Bharti Airtel Bangalore.

He shared the injected script on GitHub. The script tries to inject an iframe pointing to the URL "hxxp://".

Airtel, however, released a statement clarifying that it is building a tool to let broadband users see how much data they have used.

The company said it developed the tool because non-mobile customers had asked for an easy way to track data usage while browsing the web.

“Our customers have frequently asked us for ways of easily keeping a track of their data consumption specifically dongle and broadband users, who unlike mobile users, cannot receive real-time alerts on their usage,” Airtel said in a statement to NextBigWhat.

Critics say it is highly unethical for an ISP to inject content into customers' traffic, but no remedy has been offered so far. Injection of this kind is only possible on plain HTTP: an ISP sitting on the path cannot rewrite a page served over HTTPS without breaking the TLS connection, which is one more reason for sites to serve everything over HTTPS.

In a reddit post, one user accused Vodafone of doing the same.

A month earlier, another user had reported the same issue on reddit.

Astoria - Researchers develop a new Tor client which aims to beat NSA

With the aim of beating powerful intelligence agencies like the NSA, researchers have developed Astoria, a new Tor client which is said to protect users' privacy even from such agencies.

A team of security researchers from the United States and Israel came up with the new Tor client, which is designed to make spying harder for the world's most capable intelligence agencies.

According to the research paper, Tor, a popular anonymity system, is used by people who wish to access the Internet anonymously or circumvent censorship, to keep their activity from being tracked at a time when anonymity on the Internet is becoming harder to establish.

However, Tor is not as safe from powerful intelligence agencies as it was assumed to be.

So the researchers developed Astoria, which focuses on defeating adversaries at the autonomous-system (AS) level: networks positioned to observe traffic at both ends of a Tor circuit and correlate it.

“In our experiments, we find that 58% of all circuits created by Tor are vulnerable to attacks by timing correlation and colluding sibling ASes. We find that in some regions (notably, China) there exist a number of cases where it is not possible for Tor to construct a circuit that is safe from these correlation attacks,” the researchers wrote in the paper.

They added, “To mitigate the threat of such attacks, we build Astoria, an AS-aware Tor client. Astoria leverages recent developments in network measurement to perform path prediction and intelligent relay selection. It not only reduces the number of vulnerable circuits to 5.8%, but also considers how circuits should be created when there are no safe possibilities. It performs load balancing across the Tor network, so as to not overload low capacity relays. Moreover, it provides reasonable performance even in its most secure configuration.”

Astoria is designed to:
• Deal with asymmetric attackers.
• Deal with the possibility of colluding attackers.
• Consider the worst case possibility.
• Minimize performance impact.
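The relay-selection idea behind Astoria, as an added C++ example that is not the Astoria or Tor code: given predicted AS-level paths from the client to each guard and from each exit to the destination, count the observers (with sibling ASes merged into one) that see both ends of a circuit, prefer circuits with none, balance by capacity among those, and fall back to the least-observed circuit when no safe one exists. Relay names, AS numbers, bandwidths and the sibling relationship are constructed for illustration; a real client would obtain the paths from BGP-based path prediction.

```cpp
#include <algorithm>
#include <cstdint>
#include <map>
#include <set>
#include <string>
#include <vector>

// AS-level path, e.g. {client AS, transit AS, guard AS}.
using AsPath = std::vector<uint32_t>;

struct Relay {
    std::string name;
    double bandwidth;   // consensus weight, used for load balancing among safe choices
    AsPath path;        // client -> guard for guards, exit -> destination for exits
};

// Sibling ASes (run by one operator) collapse to one canonical id, so that an
// organisation seeing the entry side via AS A and the exit side via AS B is
// still counted as a single colluding observer.
using SiblingMap = std::map<uint32_t, uint32_t>;

uint32_t canonical(uint32_t as, const SiblingMap& siblings) {
    auto it = siblings.find(as);
    return it == siblings.end() ? as : it->second;
}

// Number of distinct observers present on both the entry and exit sides of a
// circuit. Any such observer can run a timing-correlation attack.
size_t shared_observers(const AsPath& entry_path, const AsPath& exit_path, const SiblingMap& siblings) {
    std::set<uint32_t> on_entry;
    for (uint32_t as : entry_path) on_entry.insert(canonical(as, siblings));
    std::set<uint32_t> both;
    for (uint32_t as : exit_path) {
        uint32_t c = canonical(as, siblings);
        if (on_entry.count(c)) both.insert(c);
    }
    return both.size();
}

struct Choice {
    std::string guard_name, exit_name;
    size_t shared;   // 0 means no AS or sibling group sees both ends
};

// Astoria-style selection: prefer (guard, exit) pairs with zero shared
// observers and, among those, favour capacity so low-bandwidth relays are not
// overloaded; if every pair is observable, degrade to the least-observed one.
Choice select_circuit(const std::vector<Relay>& guards, const std::vector<Relay>& exits, const SiblingMap& siblings) {
    Choice best{"", "", SIZE_MAX};
    double best_capacity = -1.0;
    for (const Relay& g : guards) {
        for (const Relay& e : exits) {
            size_t shared = shared_observers(g.path, e.path, siblings);
            double capacity = std::min(g.bandwidth, e.bandwidth);  // circuit is bound by its weakest relay
            if (shared < best.shared || (shared == best.shared && capacity > best_capacity)) {
                best = {g.name, e.name, shared};
                best_capacity = capacity;
            }
        }
    }
    return best;
}

// Constructed scenario (not measured data): client in AS 100 reaching a
// destination in AS 500. AS 251 is a sibling of AS 250.
Choice demo_selection() {
    std::vector<Relay> guards = {
        {"guardA", 50.0, {100, 200, 300}},
        {"guardB", 80.0, {100, 250, 310}},
    };
    std::vector<Relay> exits = {
        {"exitX", 90.0, {300, 400, 500}},   // AS 300 also sits on guardA's path
        {"exitY", 30.0, {320, 400, 500}},
        {"exitZ", 70.0, {251, 450, 500}},   // sibling of AS 250 on guardB's path
    };
    SiblingMap siblings = {{251, 250}};
    return select_circuit(guards, exits, siblings);   // guardB + exitX, shared = 0
}

// Worst case: the only candidate pair is observed by transit AS 777.
Choice demo_no_safe_circuit() {
    std::vector<Relay> guards = {{"guardA", 50.0, {100, 777, 300}}};
    std::vector<Relay> exits  = {{"exitX", 90.0, {330, 777, 500}}};
    return select_circuit(guards, exits, {});   // shared = 1, chosen anyway
}
```

In demo_selection, four of the six pairs are safe; the selection lands on guardB + exitX because it is the safe pair with the most capacity, while guardB + exitZ is rejected even though no single AS appears on both paths, because AS 250 and AS 251 belong to the same operator. demo_no_safe_circuit shows the degraded mode the paper describes for regions where no safe circuit exists.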

An American researcher admits taking control of a plane's engine mid-air: FBI

A security researcher told the Federal Bureau of Investigation (FBI) he had hacked an airplane’s engine with his laptop.

Chris Roberts admitted in February to having taken control of a plane mid-flight by way of its entertainment system, causing the aircraft to fly sideways.

According to a search-warrant application written in April by FBI agent Mark Hurley and posted by Wired on Friday, Roberts said that during one of these flights he commanded one of the airplane's engines to climb, resulting in a lateral, or sideways, movement of the plane.

He was questioned last month after being escorted off a United Airlines flight on which he had posted a tweet, meant as a joke, hinting that he could access the aircraft's crew alerting system and make the passenger oxygen masks drop.

After that, his computers were also seized by the FBI.

According to the application, Roberts said in interviews in February and March that he had hacked in-flight entertainment systems on 15 to 20 flights between 2011 and 2014. Each time he pried open the cover of the electronics box located under the passenger seat and connected his laptop to the system with an Ethernet cable. He checked the system for security flaws and monitored communications from the cockpit.

“We found that the electronics box under the seat in front of Roberts' showed signs of tampering,” Hurley wrote in the document.

On the same day, Roberts was removed from the flight.

Around the same time, the U.S. Government Accountability Office (GAO) released a report warning that hackers could bring down a plane by way of its onboard Wi-Fi systems.

Ken Westin, a security analyst at Tripwire, was quoted in the Sydney Morning Herald as saying:

“Connecting your laptop to an in-flight media system or anything on an actual plane with people on it is not the way to conduct security research."

"To also tweet a 'joke' about hacking a plane using specific technical details is also incredibly irresponsible I think," he added.