Certificate problems in NetNanny expose users to attack

NetNanny, the popular content control software, has been found to use a shared private key and root certificate authority, which leaves its users open to HTTPS spoofing and interception.

“The certificate used by NetNanny is shared among all installations of NetNanny,” said Garret Wassermann, a vulnerability analyst at CERT. He added that “the private key used to generate the certificate is also shared and may be obtained in plain text directly from the software.”

An attacker can easily exploit this weakness to generate new certificates simply by extracting the key from the software. A spoofed certificate signed by the NetNanny root would appear trustworthy and could lead the user to a malicious site masquerading as a secure HTTPS site. Moreover, the attacker could intercept HTTPS traffic to carry out man-in-the-middle attacks on the affected system without any browser certificate warning being triggered.

The software, launched in 1995, is widely used by parents to filter internet services for their children. CERT has confirmed the vulnerability in one version, but other builds might be affected as well. Questions about a fix remain unanswered by ContentWatch, the developing company.

Users are strongly advised to remove NetNanny, or at least to remove the bogus certificates installed by the software, or to disable SSL filtering and manually remove the certificates from the trust store.

CSPF donates one lakh rupees to IronWASP project

Cyber Security & Privacy Foundation (CSPF), a non-profit organisation which provides solutions to tackle cyber security and privacy issues, has donated Rs. 1,00,000 (one lakh) to the Iron Web Application Advanced Security testing Platform (IronWASP) project, Asia's largest open source security project.

"We will use the donation to support the further development of the project," said Lavakumar Kuppan, the founder of IronWASP.

"It is really encouraging. We are not only getting funds but also feedbacks and comments which mean a lot to us."

According to Lavakumar, IronWASP’s main objective is to make web security easy and accessible to everyone. It is a scanner which automatically discovers security problems in web applications.

Though it is designed for security testers, others such as admins, developers and QA testers can also use the software by following the video tutorials available on the project website. Almost anyone can download IronWASP and use it for free.

"We are regularly adding new features to IronWASP" said Lavakumar. "We recently added Dynamic JavaScript vulnerability analysis capability, a feature that is unique to IronWASP. More additions are planned for future versions to make it more effective and help create a safer internet."

Hotel management company White Lodging appears to be the latest victim of a data breach

There have been three massive data breaches reported in the last two months, and they just keep coming. Now it looks like people who used their cards in a number of hotels might be at financial risk.

A new report from cybersecurity blogger Brian Krebs reveals that hotel management company White Lodging, which manages hotel franchises under nationwide brands including Hilton, Marriott, Sheraton and Westin, suffered a data breach involving customers' card information.

Krebs started the investigation after he received reports from multiple sources in the banking industry saying they had noticed a "pattern of fraud" on a number of cards that had previously been used at Marriott hotels.

White Lodging told Krebs that an investigation is in progress and it will provide additional information as soon as it is available.

Krebs said the breach only impacted Marriott guests who used their cards at White Lodging-managed gift shops and restaurants.

Krebs is the one who uncovered the massive data breaches reported in the last two months at Target, Neiman Marcus and, most recently, Michaels Stores.

Google acquires cybersecurity startup Impermium

Google has added one more startup to its acquisitions list, this time the cyber security startup "Impermium".

Impermium, founded three years ago, had raised $9 million in funding. The company offers an advanced risk-evaluation platform for detecting fraudulent registrations and risky transactions.

"By joining Google, our team will merge with some of the best abuse fighters in the world. With our combined talents we’ll be able to further our mission and help make the Internet a safer place," Mark Risher, CEO and co-founder of Impermium, said in the official statement.

The company thanked its investors in the statement, including Accel Partners, AOL Ventures, Charles River Ventures and Data Collective.

According to TechCrunch, the company is notifying its customers that it will stop its services to third-party sites, but the team will keep working on the same core problems and technology at Google. Google hasn't disclosed the value of the acquisition.

CyberTech 2014, international exhibition and conference for cyber solutions

CyberTech 2014 (cybertechisrael.com) is one of the leading international cyber security conferences. It takes place in Israel and is inaugurated by Israeli Prime Minister Benjamin Netanyahu.

Leading multi-national companies, over a hundred start-ups, private and corporate investors, experts and many more are going to participate in this event.

The keynote speakers of the event are leading cyber security experts, including Eugene Kaspersky, Chairman and CEO of Kaspersky Lab; Dr. Eviatar Matania, Head of the Israeli National Cyber Bureau; and Bryan Palma, Senior Vice President of Cisco Systems.

Cyber Security & Privacy Foundation (CSPF) is interested in taking a delegation of companies to Israel.

Indian companies that would like to tie up with Israeli hi-tech cyber start-ups can contact CSPF. If you need any assistance getting a visa to Israel for the conference, you can also contact CSPF.

Contact Details of CSPF: Founder@CySecurity.org

Vevo website hacked by Tesla Team via SQL injection vulnerability

Tesla Team, a hacker group from Serbia, has claimed to have breached the Vevo website (Vevo.com).

Vevo is a joint venture music video website owned and operated by Universal Music Group, Google, Sony Music Entertainment, and Abu Dhabi Media.

The team discovered a SQL injection vulnerability in one of the sub-domains of the Vevo website that allowed them to compromise its database.

In a pastebin leak (pastebin.com/TAjce91x), the group published the vulnerable link as well as a proof of concept that exploits the vulnerability. The database dump is claimed to contain emails and passwords of admins and other users.

It appears that someone with the username "JoinSeventh" on HackForums had already published the vulnerability details in 2012.
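The Vevo incident is the classic case of untrusted input spliced into a SQL statement. The following is an added example written for this digest, not Tesla Team's proof of concept and not code from Vevo: it puts a vulnerable lookup next to its parameterised fix on a constructed in-memory SQLite table, so the difference in behaviour (a tautology returning every row, and a legitimate apostrophe breaking the query) can be observed directly. The table, the e-mail addresses and the hash values are placeholders.

```python
import sqlite3

# Constructed sample data; the e-mail addresses and hashes are placeholders.
SAMPLE_USERS = [
    ("admin@example.invalid", "placeholder-hash-1"),
    ("alice@example.invalid", "placeholder-hash-2"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users (email, pw_hash) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Builds the statement by string concatenation, so the input is parsed as SQL."""
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterised query: the driver binds the value, which can never alter the statement."""
    return [row[0] for row in conn.execute("SELECT email FROM users WHERE email = ?", (email,))]


def run_demo() -> dict:
    """Run both lookups against a tautology string and against a legitimate apostrophe."""
    conn = make_db()
    injected = "' OR '1'='1"            # makes the WHERE clause always true in the concatenated form
    legit = "o'brien@example.invalid"   # harmless input that naive concatenation cannot handle
    results = {
        "injected_vulnerable": lookup_vulnerable(conn, injected),  # leaks every row
        "injected_safe": lookup_safe(conn, injected),              # matches nothing
        "apostrophe_safe": lookup_safe(conn, legit),               # no such user, no error
    }
    try:
        results["apostrophe_vulnerable"] = lookup_vulnerable(conn, legit)
    except sqlite3.OperationalError:
        # The unbalanced quote turns an ordinary value into broken SQL.
        results["apostrophe_vulnerable"] = "syntax error"
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The apostrophe case is the one to show developers who believe "nobody types quotes": the concatenated version fails on ordinary names, and the error message is exactly what an attacker uses to confirm the injection point, while the parameterised version simply returns no rows.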

90+ Russian malicious domains used by the Kelihos group taken down by Malware Must Die

Exclusive: Malware Must Die (MMD), a team dedicated to malware analysis research, has taken down more than 90 Russian domains which have been confirmed as malicious.

It is part of their ongoing "Operation Tango Down", an operation that deactivates malicious domains with the help of the authorities; several malware domains have already been suspended.

Today, MMD announced that they are shutting down 97 .ru domains that serve the notorious Kelihos Trojan through the Red Kit exploit kit.

Suspended Malicious .Ru domains - Image Credits: E Hacking News

According to the blog post , "the Kelihos Trojan were distributed in (mainly) East European (Ukrainian, Latvia, Belarus, Russia) and Asia servers (Japan, Korea, Taiwan and Hongkong) as the secondary layers, with also using the scattered world wide hacked machines".

You can find further details and the full list of suspended domains on their blog: http://malwaremustdie.blogspot.jp

Facebook spam abuses McAfee URL shortener and Google Translate

Yesterday we got a notification about a new Facebook spam from one of EHN's readers. What's interesting about this spam is that it abuses the McAfee URL shortener to hide the malicious URLs.

The spam post contains an adult picture with the text "Emma Watson Star of Harry Potter made a sex Tape" and "Link in the description".

Clicking the link takes the victim to the Google Translate page. Within a few seconds, the translator redirects you to another page, hosted on the free hosting service altervista.org.

As usual, the victims are asked to copy and paste a URL that contains their Facebook access token, supposedly to verify their age.

Facebook Access token stealing - Image Credits: E Hacking News

Once you click the "Activate" button, a pop-up appears saying "8 New comments". Clicking the "continue" or next button takes you to a Facebook app that asks for permission to access your public profile, friend list, email address and birthday.

The spammers aren't asking for your birthday in order to send birthday wishes :P. The collected information will be used in future spam or for other malicious purposes.

Permission to Access personal Information - Image Credits: E Hacking News

In the background, the spam post is published on your wall and in your groups on your behalf using the stolen access token. From what I observed, the spam also abuses alturl, tinyurl, linkee and other URL shortening services.

We have already warned you that Facebook is not the right place to watch porn. Please share this article and raise awareness about Facebook spam.

We got a notification from one of our readers that the same group is posting spam using the name of Twilight star Kristen Stewart.

Update 2:
Redirection flow:
URL shortener link --> Google Translate --> fiddle.jshell.net --> plgngl.info --> ngltoken.altervista.org

The whois details of plgngl.info:
  • Registrant Name: Ngl Power
  • Street : Nonteladico 23
  • City : Roma
  • Email address: ngl@live.it

Other domains registered by the same person:

The 2fun4u.info has a text saying "If you're here maybe you're trying to steal my scripts. If so good luck" with a page title "NGL's viral scripts".

The plgngl.info domain was also used in the Rihanna sex tape Facebook spam attack at the start of this year.

*Update 3 - Tracking the spammer:
My friend Janne Ahlberg and I investigated the spam and found some interesting things. Here I am sharing what we found.

We started our investigation with the domain registrant name "Ngl Power". With a few hints, we managed to find the profile of the cyber criminal on one of the top underground hacking forums.

He distributes malicious Facebook spam scripts to other cyber criminals. From our investigation, he has been distributing such scripts since 2010, and he appears to be the criminal behind several Facebook spam campaigns.

He has provided the malicious scripts for the following spam campaigns:
  • "98 Percent Of People Cant Watch This Video For More Than 15 Seconds"
  • "Busty Heart - The woman that can smash things with her br****ts!"
  • "Man accused of trying to hide stolen TV in his pants"
  • "Find Your Facebook Stalkers"
  • "Dad walks in on daughter... EMBARRASING!!!"
  • "This is what Happend to his Ex GirlFriend"
  • "John Cena died of a head injury"
  • "Justin Bieber Sex Tape"

Janne found a thread posted in the forum by another cyber criminal, "kira2503", saying "NGL's money is refunded", with a screenshot that displays the possible real name of NGL.

However, from the thread it appears that the spammer (NGL) got scammed by a scammer (kira2503), so we can't be sure whether the name shown in the screenshot is the real one.

Our investigation led to the "Facecrooks" Facebook fan page, which has warned about this Facebook spam.

One of the comments posted by a user on the page reads: "Really Angelo Tropeano?? You think with a pic of Facecrooks x'd out .. on a thread > Warning us NOT to click links Anyone is going to fall for your malware attempt?? Shameful. Reported".

Another user commented: "the troll known as angelo's link resolves to a html file on tumblr hxxx://static.tumblr.com/c5apoln/7Prmiktpx/cena.html? 93561071". Following the Tumblr link leads to hxxx://plgngl.info/tkn, the same domain used in the recent attack.

The following profiles might be associated with the spammer:

  • YouTube: hxxx://www.youtube.com/user/nglyt2
  • Blogger: hxxx://www.blogger.com/profile/11389969837864256446
  • Twitter: hxxxx://twitter.com/ngltw

We are still investigating the campaign. If we find anything interesting, we will update this post.

Hackers convince bank to send $15,000 wire transfer with the help of a hacked Gmail account

It is time to enable Google's two-step verification feature. If a website offers you an additional security feature, it is always good to use it. This story will help you understand the risk of ignoring it.

Cybercriminals hacked the Gmail account of Dubai-based Indian expatriate Anil Abraham and used the account to convince his bank to transfer $15,000 out of his account in India.

When Anil contacted the bank, the branch manager told him that the money had been transferred at his own request, made by email. The cybercriminals reportedly sent a signed document along with the email to trick the bank into making the transfer.

According to the Emirates247 report, the money was transferred to someone named Garry Albert Frazer, into a Westpac bank account in New Zealand.

Anil said that whoever hacked into his email had managed to steal financial information and used it to write to the bank with a forged signature.

I'm still wondering how the bank allowed the cyber criminal to steal the money; banks usually don't allow transfers requested by email without any personal verification. As far as I know, banks are always careful when it comes to large transfers such as $15,000 (nearly 9,00,000 rupees).

Though it is the bank's mistake, it is always good to enable security features on your side. Don't wait until your account gets hacked; enable two-step verification: http://www.google.com/landing/2step/

Hacked email IDs of a Delhi export company helped hackers trick clients into wiring money

The Delhi cyber cell has recently received a complaint from a leading export house in the city.

The complaint was that criminals gained access to the company's email IDs and tricked its clients by sending them mails on the company's behalf, obtaining $31,000 from one of the clients.

On further inspection it was found that the attack was carried out from two different places, one in Delhi and the other in London.

A case under the fraud sections and the Information Technology Act has been registered by the crime branch. "Till now, cyber criminals had been targeting individuals. But this shows that an extremely organized gang is committing crimes on an international level," a source said, the Times of India reports.

Manoj Tuli, the managing director of the company, revealed that at least three email IDs, belonging to him and his staff, were hacked by the criminals.

An officer reported: 'In the fake emails attackers deceived the clients by informing that the company's bank account could not receive payments any more and therefore, further payments must be made on their new account — 304259*** — of Nationwide bank in London.'

One of the emails, as accessed by TOI, reads: "Our bank just informed us about our account reaching its payment-receiving limit. Please use our new account details, attached alongwith, to make payments from now on." The attackers' account was in the name of Naankang Dawan.

The officers are at work tracing the fraudsters and the route of the money, but it is time to ask whether anything out here is safe now.

Is the Government really going to ban Android in India?

A few days ago, we became aware of a rumor that "Android may get banned in India by the government".

If I'm not wrong, Telecom Minister Kapil Sibal only wants to ban apps in the Play Store that serve adult content.

"I want you people to suggest how can we close it. If we want to close it, you will attack us. I want all the media to come together and tell the minister how to deal with it so that if I do something about it, you don't attack me," DNA India quoted Sibal as saying.

In response to the Telecom Minister's statement, a Google spokesperson said: "Google Play developer programme policy does not allow content that contains nudity, graphic sex acts, or sexually explicit material. Google has a zero-tolerance policy against child pornography."

Google added that if it becomes aware of adult content involving child pornography, it will report it to the authorities and remove the account that distributes the app.

So this is only about Android apps serving adult content; they are not going to ban the Android OS itself. As a matter of fact, the Aakash tablets also run Android.

Using the Internet? Then don't expect privacy, #PRISM is here!

Yes, if you are using the Internet, forget about privacy. A recent report from the Guardian is another example confirming that privacy on the internet is an illusion. Whistleblower Edward Snowden has leaked files that confirm Microsoft's collaboration with the U.S. authorities.

According to the Guardian report, Microsoft helped the NSA and FBI to access unencrypted messages sent over Outlook.com web chat, Hotmail and Skype.

Microsoft also helped the authorities to access its cloud storage service SkyDrive. Skype video and audio calls were also reportedly being collected through PRISM.

"Microsoft also worked with the FBI's Data Intercept Unit to 'understand' potential issues with a feature in Outlook.com that allows users to create email aliases," the report reads.

Secure Gmail Chrome extension to encrypt Gmail Messages

Are you worried about privacy and PRISM? Would you like to add a little security to your confidential mails? Then here is a small solution for you. SecureGmail is a Google Chrome extension that lets you encrypt your Gmail messages before sending them.

Once you install the extension, you will see a lock icon next to the Compose button in Gmail. Click the icon to send a secure mail; you get the normal Gmail compose interface with the title "Secured".

In secure mode, Gmail can't track what you are typing and won't be able to save the message as a draft.

Click the "Send Encrypted" button and you will be asked to enter a password; use a long, strong password and don't enter any hints.

The best part is that the encryption is done on your local machine, so Google won't be able to read the plain-text message.

Recipients will be able to decrypt the message only if they have the password, which you must pass to them some other way (but don't send it over the Internet).

It is an open source project, which means you can review the source code of the extension and share your ideas to improve it.
Here you can download it:

* Using the same password for all messages is not a good security measure, but unique, strong passwords are hard to remember.

You can use our comment section to share your thoughts about this extension: do you think it will provide complete protection against these privacy problems?

Fingerprints may now be needed to get new SIM cards in India

Fraudulent SIM cards circulated through small retailers pose a potential risk to national security. To end the misuse of SIM cards and reduce security issues, the Home Ministry has asked the Department of Telecommunication (DoT) to make fingerprint verification, or another biometric scan, mandatory when issuing new SIM cards.

"SIM cards are used for various authentication... if this is taken it can make sure the culprit can't claim 'I did not take the SIM'. Proving is easy if someone used a fingerprint and took the SIM," experts from the Cyber Security & Privacy Foundation (CSPF) told EHN when we asked about the new verification method.

"It makes it inconvenient for people to purchase SIM cards. People can't buy in small shops... maybe we should go to showrooms of service providers and buy it."

EHN: Do you think it will stop the people who get SIM cards with forged documents?
CSPF: It depends on how the fingerprint is done and taken. Let us say the fingerprint is taken directly on the machine which processes the application, using a fingerprint reader. If the showroom people are involved in issuing the SIM card to a criminal, they can make another guy put his fingerprint for the criminal's SIM card and issue it... if it's on paper it's even easier to do this.

"I think this system won't work if insiders are involved. Most black SIMs get sold with insider involvement," say the experts.

According to TelecomLead, the new initiative may be rejected by telecom operators, as it will be a lengthy and costly process.

Incapsula Login Protect - boost your website security with two factor authentication

Exclusive: Want to protect your admin panel, and feel that a password alone is not good enough to secure your website? Incapsula is introducing a new security feature, "Login Protect", to boost website security.

Login Protect is a flexible and easy-to-integrate Two Factor Authentication solution. Incapsula clients can use it to deploy 2 Factor Authentication (2FA) on any URL (or URL group).

With Login Protect you can:
  • Protect logins to administrative areas (e.g. WordPress or Joomla admin)
  • Protect remote access to corporate applications (e.g. employee portal, web mail)
  • Restrict access to sites or parts of a site (e.g. staging or invitation-only areas)

Unlike other 2FA services, Login Protect's integration requires no coding, no database modification and no additional hardware (such as security keys).

All Incapsula clients, free or paid, will be able to benefit from this new feature and the extra layer of protection it provides to their websites and web applications.

"By now, the need for Two Factor Authentication should be quite obvious. Still, many website owners and web developers shy away from 2FA, mostly due to the complexity of integration," Igal Zeifman, Incapsula Product Evangelist, told EHN.

"We aim to change that by providing a flexible and easy-to-use 2FA solution – a solution that anyone can use to secure their login pages, internal portals, staging areas and web applications."

Adriana Lima FuckTape! - another Facebook spam campaign uses a new trick

Here we go: E Hacking News has come across a new Facebook spam campaign titled "Adriana Lima FuckTape!". I became aware of this spam after a few Facebook friends were infected by the campaign.

According to Wikipedia, Adriana Lima is a Brazilian model and actress who is best known as a Victoria's Secret Angel since 2000. (Sorry, I didn't know about her before the cybercriminals started to use her name :P)

Unfortunately, I can't post a screenshot of the spam post as it contains adult pictures. The spam post reads: "Adriana Lima FuckTape! Watch: hxxx://xxx-videotube.com/".

At first, I thought it was a real porn website (the name made me believe so, and they didn't use any URL shorteners), so I didn't follow the link and instead asked friends how users were getting infected. Then I realized that it is the spam website ;)

I followed the link and the website greeted me with a GIF image mimicking an embedded YouTube video player. The fake player displayed an error message saying "Sorry, you must be 18+ to view this video. Click to verify".

Here comes the interesting part: the cybercriminals have implemented a new method to trick Facebook users.

Once you click the image, it asks you to "Move the favicon out of the box". I hope you know what happens when you follow the instructions: your account is compromised.

When you drag the favicon, you actually drag the URL opened in the small browser window, and that URL contains your Facebook access token. You are unwittingly handing your Facebook access token to the cybercriminals, and with the stolen token they can post from your Facebook account.

This new method is quite different from the one used by the spammers in the recent spam campaign titled "She went inclusively nuts and lost all control of the razor-sharp axe".
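Both Facebook campaigns described above (the "paste this URL to verify your age" step in the Emma Watson spam and the drag-the-favicon trick here) work because the URL the victim hands over carries a Facebook access token, which for Facebook's login redirect sits in the URL fragment after the `#`. The following is an added example written for this digest, not code from E Hacking News or from Facebook: a small Python helper that spots such credentials in a URL and redacts them before the URL is stored in a log, a support ticket or a chat, which is where these tokens otherwise leak a second time. The parameter names in `SENSITIVE_PARAMS` and the sample URLs are my own assumptions, and the token value is constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that carry bearer credentials in OAuth-style redirects.
# Assumed set for this example; extend it for the identity providers you deal with.
SENSITIVE_PARAMS = {"access_token", "oauth_token", "token", "code", "id_token"}

# Loose matcher for URLs embedded in free text (stops at whitespace and quote characters).
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def _is_credential(key: str, value: str) -> bool:
    return key.lower() in SENSITIVE_PARAMS and bool(value)


def find_credentials(url: str) -> dict:
    """Report which sensitive parameters a URL carries, split by where they sit.
    Implicit-grant tokens live in the fragment (#...), which a browser never sends to
    the server, so a page asking the user to copy such a URL is itself the warning sign."""
    parts = urlsplit(url)
    found = {}
    for where, raw in (("query", parts.query), ("fragment", parts.fragment)):
        keys = [k for k, v in parse_qsl(raw, keep_blank_values=True) if _is_credential(k, v)]
        if keys:
            found[where] = keys
    return found


def _scrub(raw: str, marker: str) -> str:
    """Rewrite one query or fragment string, touching it only if it holds a credential."""
    pairs = parse_qsl(raw, keep_blank_values=True)
    if not any(_is_credential(k, v) for k, v in pairs):
        return raw
    return urlencode([(k, marker if _is_credential(k, v) else v) for k, v in pairs])


def redact_url(url: str, marker: str = "REDACTED") -> str:
    """Return the URL with credential values replaced, safe to keep in logs or tickets."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, _scrub(p.query, marker), _scrub(p.fragment, marker)))


def scrub_log_line(line: str) -> str:
    """Redact every URL embedded in a free-text line (proxy logs, support tickets, chat)."""
    return URL_RE.sub(lambda m: redact_url(m.group(0)), line)


if __name__ == "__main__":
    # Constructed sample in the shape of an OAuth implicit-grant redirect; the token value is made up.
    sample = "https://www.facebook.com/connect/login_success.html#access_token=CONSTRUCTED0123&expires_in=3600"
    print(find_credentials(sample))   # {'fragment': ['access_token']}
    print(redact_url(sample))
    print(scrub_log_line("ticket #42: user pasted " + sample))
```

Run over a support mailbox or proxy log, `find_credentials` returning a non-empty result for a URL that came from a user is a reliable indicator that the "paste the URL" social-engineering step succeeded, and the victim's token should be invalidated by changing the password and removing the rogue app.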

Mozilla Firefox 21 closes three critical security holes

Mozilla has released Firefox 21, which closes eight security vulnerabilities, including four rated high and three rated critical.

Critical vulnerabilities: Memory corruption found using Address Sanitizer (MFSA 2013-48), Use-after-free with video and onresize event (MFSA 2013-46), Miscellaneous memory safety hazards (MFSA 2013-41).

High-severity vulnerabilities: Uninitialized functions in DOMSVGZoomEvent (MFSA 2013-47), Mozilla Updater fails to update some Windows Registry entries (MFSA 2013-45), Local privilege escalation through Mozilla Maintenance Service (MFSA 2013-44), Privileged access for content level constructor (MFSA 2013-42).

Firefox 21 introduces a new feature, the Social API, which "makes it easy for your favorite social providers to add a sidebar with your content to Firefox or notification buttons directly on the Firefox toolbar."

It also introduces the Health Report, which "logs basic health information about your browser and then give you tools to understand that information and fix any problems you encounter".

Users are advised to upgrade Firefox as soon as possible; you can check your version and update the browser via Help -> About Firefox.

Massive cyber attack shut down Knight Center's websites for two weeks

The websites of the Knight Center for Journalism in the Americas and the International Symposium for Online Journalism were hit by a massive cyber attack that left the sites down for the last two weeks.

“The malicious cyber-attack was enough to shut our websites down, but not to enough to shut us up. We rapidly created WordPress blogs to continue our regular and unique report on Journalism in the Americas,” said professor Rosental Alves, founder and director of the Knight Center for Journalism in the Americas at the University of Texas at Austin.

“We have no idea why someone would want to attack our sites,” said professor Alves.

They noticed that the cyber-attack originated from computers located in Russia.

According to the Knight Center news report, the attack took place on March 11. The affected websites are now back online.

"We had to shut down the sites while the University of Texas IT department conducted its work to clean the sites and make sure to increase their security levels. We are happy to be back with our normal presence on the Web,” said professor Alves.

China blames US for more than half of cyber attacks this year

China's National Computer Network Emergency Response Coordination Center (CNCERT), the country's top cyber security agency, reportedly identified that more than half of the cyber attacks this year targeting the nation's computer systems originated from the US.

CNCERT detected 2,196 US-based control servers controlling 1.29 million infected computers in China.

According to the Xinhua report, more than 80 websites of public institutions, government and companies were attacked from September 2012 to February 2013. CNCERT found that 39 of those websites were attacked from U.S. IP addresses.

"A large amount of facts have proven that for many years, China has been one of the primary victims of cyber attacks," an unnamed official from the China National Internet Information Office told Xinhua.

Last month, a US-based computer security company released a report accusing a Chinese military unit of conducting a series of sophisticated hacking attacks on the US. Chinese authorities denied the accusations and claimed that their own systems are targeted by the US.

India will soon have a National Cyber Security Policy

India will soon have a National Cyber Security Policy that will ensure appropriate measures to tackle cyber crime and cyber attacks, Indian Government officials said.

"We are working on a cyber security policy. We need more work to curb cyber crimes," SiliconIndia News quoted Minister for Communications and Information Technology Kapil Sibal as saying.

In a press release published today by NIC, Minister of State in the Ministry of Home Affairs Shri R.P.N. Singh stated in the Rajya Sabha that the Government is taking various measures to ensure the necessary awareness and a robust security system in all critical Government agencies.

The officials advised all Central Government ministries and departments and all State and Union Territory governments to carry out security audits of their entire IT infrastructure, including websites.

To prevent Government websites from being hacked by cyber criminals, NIC will not host websites that have not been audited for cyber security.