‘India should learn from the Russia-China agreement,’ says security expert

India should learn from the recent cyber-security agreement between Russia and China, under which both countries agreed not to launch cyber attacks against each other, an Indian cyber-security expert said on Thursday.

J. Prasanna, cyber-security expert and a co-founder of the Cyber Security and Privacy Foundation (CSPF), an organization that works on cyber-security problems, said India should join such initiatives because they provide a channel for sharing information between the law-enforcement agencies of different countries.

“The agreement is good for China and Russia,” he said.

“However, such agreements are only possible when both sides (countries) have equal capabilities,” said Prasanna. “Similarly, they should have advanced cyber capabilities.”

According to the agreement, which was signed on May 8 and reported by The Wall Street Journal, Russia and China agreed to share information between law-enforcement agencies, share technologies and ensure the security of information infrastructure.

The two countries also agreed not to “destabilize the internal political and socio-economic atmosphere” or “interfere with the internal affairs of the state”.

The agreement is believed to be a result of the revelations about US and Western hacking and surveillance operations made by former US National Security Agency contractor Edward Snowden. After the revelations, Russian lawmakers demanded tighter control over the Internet.

The agreement is also seen as a sign that Beijing and Moscow support changes to global Internet governance that would reduce the traditional role of the US.

Last year, Russian Communications Minister Nikolai Nikiforov said Russia was preparing a backup action plan in case the Russian segment of the Internet was cut off from outside.

“For Russia the agreement with China to cooperate on cyber security is an important step in terms of pivoting to the East,” Oleg Demidov, a cyber-security consultant at the PIR Center, an independent think tank focusing on international security, told The Wall Street Journal. “The level of cooperation between Russia and China will set a precedent for two global cyber security powers,” Mr. Demidov said.

Couple has important message for other parents

Recently, a couple in Washington issued a warning to other parents after discovering that their baby monitor had been hacked.

A couple in Minnesota whose baby monitor had been hacked earlier had also been in the news before.

“We don’t know if they could hear but we know that they were watching, for sure,” said a parent.

The couple had been using the monitor to keep an eye on their three-year-old, who complained that somebody had been talking to him over the monitor at night.

On investigation they found that the baby monitor had been compromised and was being controlled remotely by the attackers.

“It got me worried that they’ve seen things maybe they shouldn’t see that are private, our privacy’s been hacked,” said the parent.

GTA V user accounts have not been hacked, but change your password to be safe

Responding to a number of reports from Grand Theft Auto V (GTA V) players who said their Social Club accounts had been hacked and even modified, Rockstar Games Social Club (RGSC), the hub for GTA V and other Rockstar games, has confirmed that the accounts were not hacked.

Users are nevertheless advised to change their password to protect their account in the future.

After receiving numerous complaints via Twitter about hijacked accounts that prevented users from logging in and playing, the company sent a statement to Kotaku Australia.

According to the statement, the accounts were not hacked. Rather, unknown parties or websites attempted to access other users’ accounts using email and password combinations obtained elsewhere, the pattern known as credential stuffing, which only works where the same password has been reused. The company is in the process of restoring affected accounts to their original state. It also advised users not to reuse their Social Club username and password on other websites and to keep different usernames and passwords for their different accounts.

“We are responding to customers whose accounts were affected to reinstate full user access within 24 hours of contacting Customer Support. Please keep checking the Rockstar Support website for more information and updates,” the statement said.

Earlier, it was reported that more than 2,500 GTA V user accounts had been hacked. Players were also facing driver problems, slow download speeds from Steam and FPS hiccups while playing.

Many users also complained that RGSC took a long time to take any action.

A GTA V user wrote on the Rockstar Support page, “I purchased the game before it got released and got my pre-order bonus. Everything was great until Wednesday night, when I received an email saying that my email address and password on my Social Club account had been changed.”

He added that he immediately emailed Rockstar Support. When he did not get a reply, he called the support team. They gave him a ticket number, 3579087, and said it had been escalated. Since then, he has received no information on how long it will take to get his account back.

Flaw in the Photo Sync feature of the Facebook mobile app

A security researcher has found a flaw in Facebook that allowed any malicious application to view a user’s synced mobile photos.

The Photo Sync feature lets users sync their mobile photos to their Facebook account, where they remain private until published. The feature is turned on by default on many mobile phones.

Laxman Muthiyah found that the "vaultimages" endpoint of the Facebook Graph API, which handles these synced photos, was vulnerable.

The Facebook app retrieves the synced photos by making an HTTP GET request to that endpoint with a top-level access token. Because the endpoint did not restrict which application could present a token for the user, a malicious third-party app holding a token for the victim’s account could read all of the victim’s private synced photos in seconds.

Muthiyah reported the flaw to the Facebook security team, which pushed a fix in less than 30 minutes and rewarded him $10,000 under its bug bounty program.
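The bug class here is a private resource bound to the user but not to the application presenting the token. The following is an added illustration of that check, not Facebook’s code: the token layout, the `FIRST_PARTY_APPS` allow-list, the `user_photos` scope name and the photo store are all assumptions made for the example.

```python
"""Illustrative authorization check for a Graph-API-style endpoint that
serves private ("vault") photos.  Added example; not Facebook's code.
Token shape, app identifiers, scope name and photo store are assumptions."""
from dataclasses import dataclass, field


# Assumption: a token records the user it was issued for, the app it was
# issued to, and the permissions the user granted that app.
@dataclass(frozen=True)
class AccessToken:
    user_id: str
    app_id: str
    scopes: frozenset = field(default_factory=frozenset)


class Forbidden(Exception):
    pass


# Constructed sample store: owner -> unpublished synced photos.
VAULT = {"user1": ["IMG_001.jpg", "IMG_002.jpg"], "user2": ["IMG_900.jpg"]}

# Assumption: only the first-party mobile app may read unpublished photos.
FIRST_PARTY_APPS = frozenset({"official-mobile-app"})


def vault_images_vulnerable(token, owner_id):
    """Pattern described in the article: the endpoint checks only that the
    token belongs to the owner, not which application is presenting it."""
    if token.user_id != owner_id:
        raise Forbidden("token is for a different user")
    return list(VAULT.get(owner_id, []))


def vault_images_fixed(token, owner_id):
    """Hardened: bind the private resource to the owner AND the issuing app,
    and require the scope the feature actually needs."""
    if token.user_id != owner_id:
        raise Forbidden("token is for a different user")
    if token.app_id not in FIRST_PARTY_APPS:
        raise Forbidden("private synced photos are not exposed to third-party apps")
    if "user_photos" not in token.scopes:
        raise Forbidden("missing user_photos scope")
    return list(VAULT.get(owner_id, []))


def demo():
    """A third-party app holding a token the victim granted it for other
    purposes: the old check leaks the vault, the new one refuses."""
    rogue = AccessToken("user1", "some-game-app", frozenset({"user_photos"}))
    leaked = vault_images_vulnerable(rogue, "user1")
    try:
        vault_images_fixed(rogue, "user1")
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The point of the second check is that a user-scoped token is not enough for a resource the product treats as first-party only; the endpoint must also verify the caller’s identity (the app), not just the subject’s.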

PHP fixes several vulnerabilities, including one allowing remote code execution

The PHP development team has released new versions to fix three security vulnerabilities, one of which is rated critical and can lead to remote code execution.

The vulnerability, CVE-2014-3669, is an integer overflow triggered when unserialize() parses specially crafted serialized data. It affects only 32-bit builds, but it is dangerous because serialized data frequently arrives over user-controlled channels such as cookies, form fields and cached session data.

The updates also fix a null-byte injection issue in the cURL extension, heap memory corruption when exif_thumbnail() processes crafted image data (CVE-2014-3670), and a buffer overflow in the mkgmtime() function of the XMLRPC extension (CVE-2014-3668).

These vulnerabilities were discovered by the research lab of IT security company High-Tech Bridge.

The new versions 5.6.2, 5.5.18 and 5.4.34 address these three vulnerabilities. Regardless of version, applications should not call unserialize() on untrusted input at all; json_decode() is the safer choice for data that crosses a trust boundary.
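The reason a 32-bit-only integer overflow in a deserializer matters is easy to see in a toy bounds check. The block below is an added illustration of that bug class, not PHP’s source: the record format is PHP’s `s:<len>:"…";` string syntax, but the checker and the 32-bit wraparound model are simplified for the example.

```python
"""Why an attacker-controlled length field is dangerous on 32-bit: a toy
bounds check modelled on the unserialize() bug class described above.
Added illustration, not PHP's code; the format and check are simplified."""
import re

UINT32 = 0xFFFFFFFF


def wrap32(n):
    """Model C's unsigned 32-bit arithmetic: the sum wraps instead of growing."""
    return n & UINT32


# PHP's serialized string record: s:<len>:"<payload>";
RECORD = re.compile(rb's:(\d+):"')


def bounds_check_vulnerable(cursor, declared_len, buf_len):
    """Classic flawed check: compute (cursor + len) in 32-bit and compare.
    A huge len wraps the sum back below buf_len, the check passes, and the
    parser later reads or copies far past the end of the buffer."""
    end = wrap32(cursor + declared_len)
    return end <= buf_len  # True means "looks in bounds"


def bounds_check_fixed(cursor, declared_len, buf_len):
    """Rearranged so no addition can overflow: compare len against the
    remaining space instead of adding it to the cursor."""
    if cursor > buf_len:
        return False
    return declared_len <= buf_len - cursor


def parse_declared_length(data, offset=0):
    """Pull the attacker-controlled length out of a string record.
    Returns (cursor_after_header, declared_len) or None if malformed."""
    m = RECORD.match(data, offset)
    if not m:
        return None
    return m.end(), int(m.group(1))


def check(data, checker):
    """Run a bounds checker over the first record in `data`."""
    parsed = parse_declared_length(data)
    if parsed is None:
        return False
    cursor, declared = parsed
    return checker(cursor, declared, len(data))


# Constructed inputs.  The header of WRAPPING is 14 bytes, and
# 14 + 4294967285 == 2**32 + 3, which wraps to 3 on a 32-bit build.
BENIGN = b's:5:"hello";'
WRAPPING = b's:4294967285:"AAAA";'
OVERSIZED = b's:100:"x";'  # too long, but does not wrap: both checks catch it

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("wrapping", WRAPPING), ("oversized", OVERSIZED)):
        print(label, check(blob, bounds_check_vulnerable), check(blob, bounds_check_fixed))
```

On a 64-bit build the same sum would not wrap, which is why the advisory limits the issue to 32-bit systems; the fixed form is correct on both.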

Pakistan targets Indian Officials with FinFisher malware

WikiLeaks last month released a set of documents and copies of ‘weaponized malware’ developed by the company FinFisher, which is said to be used by governments around the world to spy on journalists, political dissidents and others.

The Cyber Security & Privacy Foundation (CSPF) has recently published a report offering a few details that shed an “Indian perspective” on the leaked information.

CSPF noted that a screenshot of a Pakistani customer’s target list contains 16 Indian IP addresses and only 2 Pakistani IP addresses, suggesting limited “domestic” use.

"One of the EXEs leaked by WikiLeaks, 'finfisher.2.zip' (MD5: 074919f13d07cd6ce92bb0738971afc7), when opened shows an image of the 'Khushab nuclear reactor' in Pakistan," the report reads.

"This might have been used to target Indian officers, as they might be tempted to click on it and view the image."

You can find the full report here:

Antivirus Test conducted by Cyber Security & Privacy Foundation

The Cyber Security & Privacy Foundation (CSPF) has members with more than 30 man-years of combined experience in the antivirus industry. Recently, at the request of its members, CSPF decided to test popular antivirus products.

From the various antivirus products available, CSPF chose Avast and ESET NOD32 for testing.

Of the products tested, CSPF found ESET NOD32 best suited to the Indian environment. ESET NOD32 has also shown consistent results in international tests over the last few years.

To access the test report, you can follow the link :

New Android malware 'Samsapo' spreads via Text Messages

If you got an SMS from a friend asking "is this your photo?" with a link, would you open it? Honestly, most people would click.

If you do, your device might be infected by a new type of Android worm.

Malware analysts from security firm ESET have discovered an interesting piece of malware, called "Android/Samsapo.A", that spreads via text messages.

So far the malware appears to target Russian users. Once a device is infected, the worm sends an SMS containing the malware link to everyone in the contact list in an attempt to infect the victim’s friends.

The criminals use an old social-engineering trick to lure users into installing the malware: a message reading "is this your photo?" in Russian (Это твои фото?) with a link to an Android application package (APK).

The malware can download additional malicious files and steal phone numbers, text messages, personal data and device information from the infected device. It does not stop at spying: it also registers the victim’s number with premium-rate services, so victims lose money.

BJP website blocked for Pakistan over repeated hacking attacks

Repeated hacking attacks against Bharatiya Janata Party (BJP) websites have led the party to block access to its official website from Pakistan.

"The owner of this website (bjp.org) has banned your IP address on the country or region you are accessing it from." This is the error currently displayed when someone tries to access bjp.org from Pakistan.

At the time of writing, the website of the BJP’s prime-ministerial candidate Narendra Modi (narendramodi.in) was also blocked for Pakistan and showed an error message.

The move comes after Pakistani hackers targeted BJP-related websites, defacing BJP leader LK Advani’s website and Bihar BJP websites in the last two days.

The sites can still be reached from Pakistan through proxies that mask the visitor’s IP address. If a website is secured against the attacks themselves, there is no need for such broad country-level IP blocks, except in DDoS cases, and even then only the offending IP addresses usually need to be blocked.

Arvind Gupta, head of the BJP IT Cell, told NewsWeek that the site had been blocked in Pakistan "automatically" as a security measure and that they had asked CERT-India to unblock the sites.

31 Security bugs fixed in Google Chrome 34

Google has announced the stable release of Chrome 34, an update bringing a number of fixes, functionality improvements and security updates.

In total, 31 security vulnerabilities were patched in version 34.0.1847.116, ranging from medium to high severity.

The high-severity bugs include a UXSS in V8, an out-of-bounds access in V8, an integer overflow in the compositor, use-after-free bugs in web workers, the DOM, rendering and speech, memory corruption in V8, and URL confusion with RTL characters.

The medium-severity bugs include a use-after-free in speech, an out-of-bounds read with a window property and a use-after-free in forms.

A total of $29,500 has been awarded to researchers who reported the above security vulnerabilities.

Indian Election Commission-Google tie up may impact National Security

Thanks to the Indian Election Commission’s tie-up with the US-based Internet giant Google, the NSA can now easily obtain information on every Indian citizen.

According to the Times of India, Google and the Election Commission have entered into an agreement under which Google will help the EC manage online registration of new voters and voter facilitation services ahead of the 2014 elections.

The registered voters can check the address at which they are registered and get directions to the nearest polling station.

Cyber-security experts say the EC’s move will affect national security and democracy itself.

"It is shocking that in a country like India which is called world's software superpower, Election Commission, instead of an Indian company, has chosen a foreign company like Google, which has colluded with American intelligence agencies like NSA (National Security Agency) for global cyberspying, to provide electoral registration and facilitation services by providing them the whole database of registered voters in India," TOI quoted the Indian Infosec Consortium as saying.

The group said it poses a potential risk to India, as the data could be misused by Google and US agencies for cyber espionage.

Rajsekhar Murthy, another member of the consortium, said the poll panel should have spoken to Indian companies such as Infosys or TCS before jumping into such a decision. "Cost wise it is not much," he said.

WoW players targeted with Fake version of Curse Client containing malware

Blizzard yesterday warned World of Warcraft (WoW) players about new malware disguised as the Curse client that attempts to hijack victims’ accounts.

The fake client is served from a fake copy of the Curse website, which appears in the results when users search for the Curse client on major search engines.

If you believe you are a victim, or want to make sure, you can download the updated Malwarebytes software, which currently detects and removes the malware in question.

Technically inclined users can also follow the manual removal method posted by a user in Blizzard’s support forum.

On VirusTotal, 20 of 48 antivirus engines detect the malware; several major antivirus products fail to detect it.

Users are always advised to download software from the official website or from trustworthy third-party sites such as Softpedia or CNET, and, since this campaign relied on poisoned search results, to check the domain in the address bar before downloading rather than trusting the search listing.

Exclusive: Most malware exploit kits run on vulnerable nginx servers

Bad guys constantly exploit vulnerabilities in victims’ systems to infect them with malware. Now it is our turn: let us hack them back and break into their boxes.

The Malware Must Die (MMD) team has found that most malware exploit-kit servers, malware redirection servers and malicious proxy servers run vulnerable versions of nginx.

The team has released PoC code "that was coded & released in Full Disclosure by KingCope" that helps break into these malicious servers and gain access to them by exploiting the known vulnerabilities.

It can be found here: http://pastebin.com/eX69Db7B

The vulnerability allows security researchers to take control of the server and obtain the infection source code. In some cases, it also helps track the cyber criminals. Note that breaking into a server you do not own, even a criminal’s, is unauthorised access under most computer-misuse laws, so this is a matter for law enforcement or researchers acting with legal cover rather than a general recommendation.

Hackers penetrated into website of anti-abortion group "Youth Defence"

(Image: defaced page)

An unknown hacker has broken into the website of the Irish anti-abortion organization "Youth Defence".

The hacker replaced the homepage with an article titled "This is not the hate-filled truth-distorting website you’re looking for".

"Youth Defence is not what you think it is. Youth Defence is an extremist group who actively hide their links to shady right-wing connections and where their funding comes from. Let's blow the lid," the defacement message reads.

The hacker also posted a link to a file containing more than 5,600 email addresses, said to be those of the organization’s newsletter subscribers. No individual or group has claimed responsibility for the breach.

Following the breach, Youth Defence made a complaint to the Garda Síochána, as reported by the Irish Times.

Hacking the hackers: Carberp panel vulnerable to remote code execution

The recent Carberp source-code leak gave researchers an opportunity to investigate the bootkit and other components of the Trojan. While most were looking at the source of the malicious components, one security researcher took an interest in the control panel’s source code.

Steven K, a French security researcher who runs the Xylibox blog, discovered two security vulnerabilities in the Carberp panel: IP spoofing and remote code execution.

Remote code execution is a critical class of bug that allows an attacker to inject and execute commands on the vulnerable server.

(Image: vulnerable code)

The researcher found that the "data" parameter of a POST request was vulnerable to remote code execution, and wrote proof-of-concept code to exploit it.

He successfully exploited the bug and recovered the database username, password and auth key. The bug also allows running "wget" on the panel server to download a backdoor.

The code suggests that the cybercriminals behind the Carberp Trojan are far weaker at secure web-application coding than at writing malware.

Gamarue malware abuses SourceForge to host malicious files

SourceForge, one of the leading source-code repositories, has been abused by cybercriminals to host malicious files that are later fetched by the Gamarue malware.

In their malware analysis report, Trend Micro researchers said they found a new variant that downloads malicious components from the SourceForge website.

The report says the malicious files were hosted under a SourceForge project called "tradingfiles". The cybercriminal who created that project also created two other projects used to host Gamarue components: ldjfdkladf and stanteam.

Once it infects a machine, the malware lets the cybercriminals control the system and use it to launch attacks on other victims. It is also designed to steal information.

The malware gets onto a victim’s system through infected USB drives or through infected web pages that serve an exploit kit.

Handheld Malware Scanner made with Raspberry Pi

We learned earlier this year that systems at a US power plant were infected with malware after an employee used an infected USB drive to update software. Last year, the notorious Stuxnet worm was reported to have been delivered to an Iranian nuclear facility on a USB stick.

We also learned last year that cybercriminals tried to infiltrate the multinational chemicals firm DSM by leaving malware-laden USB sticks in the company car park.

Targeted malware such as Stuxnet and Flame contained code to propagate via USB flash drives. A single employee inadvertently using an infected USB drive puts the entire network at risk.

To help close this gap, Icarus Labs, a private research lab under the Cyber Security & Privacy Foundation, has created a program that turns the Raspberry Pi, a small computer running Linux, into a handheld malware scanner.

Users plug in the USB drive to be scanned. The Pi scans every file on the drive and "checks the signatures of 44 different antivirus providers to see if the file is malicious or not".

"This device can be deployed at entry points where it will be used to scan the USBs that are allowed in. This will prevent malicious software from getting in."

Once the program is started, no further maintenance is said to be required, and the device is designed so that even non-technical staff such as security guards can operate it. One caveat applies to any signature-based gate of this kind: it catches only samples the signature sources already know, so it is a useful first filter but not a defence against novel, targeted malware, which is exactly what Stuxnet and Flame were when first deployed.
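The core of such a scanner is a hash-and-lookup over every file on the mounted drive. The following is an added example, not Icarus Labs’ code: where the real device consults the signatures of 44 antivirus providers, this version looks hashes up in a small local blocklist (constructed for the example), which is what an offline device would cache; the sample drive contents are constructed too.

```python
"""Added example: the core of a signature-lookup USB scanner like the one
described above.  Not Icarus Labs' code.  The real device queries 44 AV
vendors' signatures; here the lookup is a local set of known-bad SHA-256
hashes (constructed), which is what such a device would cache offline."""
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 16

# Constructed blocklist: SHA-256 of two made-up "malicious" file contents.
KNOWN_BAD = {
    hashlib.sha256(b"MZ\x90\x00fake-dropper-payload").hexdigest(): "Trojan.Dropper.Sample",
    hashlib.sha256(b"#!/bin/sh\nrm -rf / # constructed").hexdigest(): "Trojan.Shell.Sample",
}


def sha256_file(path):
    """Stream the file so large drives do not exhaust the Pi's RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def scan_mount(mount_point, blocklist=KNOWN_BAD):
    """Walk every file under the mounted drive (without following symlinks,
    so a hostile drive cannot point the scanner at the Pi's own filesystem)
    and return {relative_path: verdict} for every hash in the blocklist."""
    root = Path(mount_point)
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            verdict = blocklist.get(sha256_file(p))
            if verdict:
                hits[str(p.relative_to(root))] = verdict
    return hits


def gate_decision(hits):
    """Policy for the entry-point use case: any hit means the drive stays out."""
    return "ALLOW" if not hits else "DENY"


def build_sample_drive():
    """Create a constructed 'USB drive' in a temp dir: two clean files plus
    one blocklisted file.  Returns the directory path."""
    d = tempfile.mkdtemp(prefix="usb_")
    (Path(d) / "report.txt").write_bytes(b"quarterly numbers")
    (Path(d) / "tools").mkdir()
    (Path(d) / "tools" / "readme.md").write_bytes(b"# notes")
    (Path(d) / "tools" / "update.exe").write_bytes(b"MZ\x90\x00fake-dropper-payload")
    return d


if __name__ == "__main__":
    drive = build_sample_drive()
    found = scan_mount(drive)
    print(found, gate_decision(found))
```

A deployed version would mount the drive read-only and `noexec` before scanning, and refresh the hash list from its signature sources on a schedule; neither changes the scan loop above.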

New backdoor abuses Encrypting File System to Prevent Forensic Analysis

New malware spotted by Symantec uses a novel technique that abuses the Windows Encrypting File System (EFS) to prevent security researchers from accessing the contents of its malicious files.

EFS is a Windows feature that lets files or folders be stored in encrypted form. It was designed to protect confidential data from attackers, but cybercriminals have found it a convenient way to protect their own data.

According to Symantec’s report, the malware creates a folder in the temp directory, calls the EncryptFileW API to encrypt the folder and its contents, and then copies itself into it as wow.dll.

Because the files are encrypted with EFS under the key of the account that ran the malware, a researcher cannot read wow.dll simply by mounting the disk from another OS, such as a Linux system booted from removable media; without that account’s EFS key material the file is opaque. The encryption is tied to the infected account, though, so the contents remain recoverable by logging in as that account or by observing the sample as it runs.

That is what the researchers did: they executed the threat manually on a test computer and gathered the contents of the malicious files.

The malware, detected by Symantec antivirus as Backdoor.Tranwos, is capable of downloading more malware onto the victim’s system.
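For detection, the useful signal is the technique itself: EFS-encrypted files appearing in a temp directory are rare in legitimate use. The block below is an added example, not from Symantec’s report; it triages a directory listing by the Win32 `FILE_ATTRIBUTE_ENCRYPTED` bit. The temp-directory heuristic, the ranking and the sample listing are this example’s assumptions.

```python
"""Added example (not from Symantec's report): flag EFS-encrypted files in
locations where EFS is rarely legitimate, the pattern Backdoor.Tranwos uses.
The attribute bit is the documented Win32 FILE_ATTRIBUTE_ENCRYPTED; the
temp-directory heuristic and the sample listing are assumptions."""
import os
import sys
from pathlib import PureWindowsPath

FILE_ATTRIBUTE_ENCRYPTED = 0x4000  # Win32 file attribute set by EFS

# Assumption: path components under which a fresh EFS-encrypted DLL is odd.
SUSPICIOUS_DIRS = {"temp", "tmp"}


def is_efs_encrypted(attributes):
    """True when the Win32 attribute word carries FILE_ATTRIBUTE_ENCRYPTED."""
    return bool(attributes & FILE_ATTRIBUTE_ENCRYPTED)


def in_temp_location(path):
    """Heuristic: any directory component of the path is a temp directory."""
    parts = [p.lower() for p in PureWindowsPath(path).parts[:-1]]
    return any(p in SUSPICIOUS_DIRS for p in parts)


def triage(entries):
    """entries: iterable of (path, win32_attributes).  Returns the paths that
    are both EFS-encrypted and in a temp location, most suspicious first
    (DLLs and EXEs before other files, then alphabetical)."""
    hits = [p for p, attrs in entries
            if is_efs_encrypted(attrs) and in_temp_location(p)]
    return sorted(hits, key=lambda p: (not p.lower().endswith((".dll", ".exe")), p.lower()))


def collect_live(root):
    """On Windows, read real attribute words via os.stat (st_file_attributes
    exists only there).  Elsewhere return an empty list so the module still
    imports and the pure functions above can be used on exported listings."""
    if sys.platform != "win32":
        return []
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            try:
                entries.append((p, os.stat(p).st_file_attributes))
            except OSError:
                continue
    return entries


# Constructed sample listing: attribute words as a Windows listing reports them.
SAMPLE = [
    (r"C:\Users\alice\AppData\Local\Temp\tmp1\wow.dll", 0x4020),  # encrypted + archive
    (r"C:\Users\alice\AppData\Local\Temp\tmp1\cfg.dat", 0x4020),  # encrypted + archive
    (r"C:\Users\alice\Documents\secret.docx", 0x4020),            # EFS, normal location
    (r"C:\Windows\Temp\setup.log", 0x0020),                       # temp, not encrypted
]

if __name__ == "__main__":
    listing = collect_live(os.environ.get("TEMP", "")) or SAMPLE
    for hit in triage(listing):
        print("suspicious EFS-encrypted file:", hit)
```

On a live Windows host `collect_live` feeds real attribute words to the same `triage` function; on an analysis box the function can be run over an exported listing instead, which is the use the sample models.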

New Android Trojan undermines SMS-based two-step authentication

Two-step authentication that delivers codes by SMS becomes insecure when your Android device is infected with new malware capable of intercepting your messages and forwarding them to cybercriminals.

The Trojan, discovered by the Russian antivirus company Dr.Web, spreads as a "security certificate" that tricks users into thinking it must be installed on their device.

Once installed, the malware does nothing visible other than display a message stating "Certificate installed successfully and your device is protected now."

In the background, however, the malware collects phone information including the device’s serial number, IMEI, model, carrier, phone number and OS version, and sends it to a remote server.

After sending the data, the malware awaits instructions from its operator, who can command it to intercept and forward SMS from specified numbers, send USSD requests, display messages, and more.

This defeats SMS-based two-step authentication because the Trojan can read the one-time codes that a bank or any other site sends to the phone. Authenticator apps and hardware tokens, which never send the code over SMS, are not exposed through this interception path.

ATM Hacker Boanta invents "Secure Revolving System(SRS)" to prevent ATM thefts

"The only person who knows how to secure your system is the person who knows how to break it: the hacker." BreakTheSec.

A Romanian cybercriminal who is six months into a five-year sentence for supplying gadgets that conceal ATM skimmers has invented a new device that prevents ATM thefts, Reuters reported.

Valentin Boanta, 33, who was arrested in 2009, said his arrest made him happy because it helped him break his black-hat hacking addiction.

"Crime was like a drug for me. After I was caught, I was happy I escaped from this adrenaline addiction," Reuters quoted Boanta as saying. "So that the other part, in which I started to develop security solutions, started to emerge."

Secure Revolving System (SRS): the SRS device, funded by a technology firm called MB Telecom, can be installed in any existing ATM and prevents skimming devices from operating.