Team GhostShell are back with a bang

 
They are back again after almost three years! Team GhostShell, a well-known hacking group, has returned with hacks and database leaks.

The hacking group claims to have leaked data from various websites within 24 hours.

On June 29, the team posted on twitter links to a number of Korean and Japanese websites, educational portals, university websites and travel websites which they claim to have hacked.

The posted websites and services do not appear to follow a particular trend or pattern so it is believed that the sites have been hacked.

Lee J, a security researcher, posted on Cyber War News that when he contacted TeamGhostShell, they had explained that not all data is going to be leaked from targeted sites and as an example of this got shown an exclusive set of data from an Australian cloud provider (redacted for now) which contains 1,500+ full banking information such as full names, home addresses, mobile contact numbers, contract dates and probably worst of all Tax file number (TFN). The provider has been contacted at time of publishing.

According to him, till the date, 444 different databases have been dumped from various sites and sub-domains mostly being education and government based.

“A basic scan of these sites has shown that there is a heap of accounts leaks, over 17,700 have email and password combinations as well as many other user name and password combinations as well,” he added.

“I have been told in a conversation with TeamGhostShell that they plan to leak data until they are caught,” he said.

He said that the team has added pastebin.com account with a paste titled “Dark Hacktivism- Information is everything”.

It is said that this is not the end. There are a lot more data to come over in coming days or weeks.

Don’t click every link to read sensational stories on social networking site

Credits: Symantec

Sensational stories! Wow, the only one thing common which we all love. Especially on social medias, we do not think even hesitate before clicking any sites or email to read such stories.

However, researchers say that we need to be vigilant and skeptical when reading sensational stories on social media sites or in emails.

People should visit trusted news sources for information instead of clicking on random links online, go directly to your trusted news source because few days ago, a Brazilian singer and songwriter Cristiano Ara├║jo lost his life in a car accident.

After his death, Symantec started to observe malicious spam email using the news as a lure. Some of the spam emails attempt to entice users into downloading video footage of the accident. If users click on the Google Drive URL found in the email, they will end up downloading malware. The malware is detected as "Download.Bancos", a well-known banking malware that has been plaguing South America for a while now.

Once the initial malware, a downloader, infects the computer, it will download Infostealer.

Security researchers from Symantec Security Response wrote in the blog that their telemetry on the malware distributed by this spam campaign shows it targeting users in Brazil and Venezuela.

“Symantec advises users to be cautious when it comes to emails crafted around popular news stories such as the one discussed in this blog as they may be malicious. This type of social engineering is not limited to email and users should also be careful on social media sites as similar tactics can also be used,” the researcher added.

The researchers strongly suggest that never install applications or do surveys in order to view gated content. It's a trick to put money in the pockets of scammers and anyone’s computer or device is at risk to malware.

“Report suspicious content. Do your part by reporting this type of content as spam,” the blog read.

Airtel injecting Scripts into browsers? Will it Affect Your Privacy and Security?


After receiving huge criticism by its Airtel Zero plan, Bharti Airtel, an Indian multinational telecommunications services company, is now being accused of secretly injecting Javascripts, and iframes into the web browser in order to alter the browsing experience.

Thejesh GN, an info-activist and a programmer, published his findings on GitHub according to which Airtel is inserting Javascripts into user browsing sessions.

He said that the iframe tries to insert a toolbar into the browsing experience and that the parent URL of both the iframe and Javascript belongs to Bharti Airtel Bangalore.

He shared the injected script in Github.  The script is trying to inject an iframe pointing to this url "hxxp://223.224.131.144:80/l8/Layer8Servlet". 

However, Airtel has released a statement clarifying that it is building a tool to allow broadband users to get information about the amount of data they have used.

The company said that it developed new tool as non-mobile consumers demanded for easily tracking data usage while using surfing the web.

“Our customers have frequently asked us for ways of easily keeping a track of their data consumption specifically dongle and broadband users, who unlike mobile users, cannot receive real-time alerts on their usage,” Airtel said in a statement to NextBigWhat.

It is said that for an ISP, it is highly unethical to carry out such programs. However, no one has come up with any solution or anything.

In a reddit post, one of the users accused Vodafone of doing the same.

Just a month ago, a user posted the same issue in reddit.

Will Cyber Security Companies shift their Headquarters out of US?


Until now nuclear, radiological, chemical and biological weapons considered to be a Weapon of Mass Destruction(WMD).

The Bureau of Industry and Security (BIS), an agency of the United States Department of Commerce that deals with issues involving national security and high technology, is proposing to classify cyber security tools as weapons of War in an attempt to control the distribution.

The tools used for extraction of data or information, from a computer or network-capable device, or the modification of system or user data, will come under this law and is being classified as Intrusion software. Also, the tools designed to avoid detection by 'monitoring tools'( Antivirus, IDS/IPS,End point security products) will be considered as a weapon.

Any penetration testing products designed to identify security Vulnerabilities of computers and network-capable devices fall under this category.

"The proposal is not beneficial. Most vulnerability scanners and penetration testing products come under it. The proposal means tools from US companies which have been used to do assessments and audits in corporate will need to go through the clearance. It could also lead to corporate getting tracked" says J.Prasanna, founder of Cyber Security and Privacy Foundation(CSPF).

Most of these Cyber Security firms either should convince their world wide clients to go through the process or shift their head quarter out of USA.

Prasanna pointed out that US government tried to stop the export of cryptography in the past. But, Russian, European and Israeli companies got advantage by the cryptography restriction.

He said that the new proposal is a bad news for the cyber security researchers. If it becomes a law, it will force them to find a new way to beat the Cyber Criminals.

"Hackers are already may steps ahead of us. Some tools like canvas and Metasploit Pro are important tool for penetration testing" said Prasanna.

Thomas Dullien, Google Researcher, said "addition of exploits to the Wassenaar arrangement is an egregious mistake for anyone that cares about a more secure and less surveilled Internet" in his personal blog.


Rapid7, a Boston-based cybersecurity firm, well known for its Metasploit Pentesting framework, said that they are investigating implications of Wassenaar for Metasploit and security research, and working on comments for the consultation.

According to the proposal, the governments of Australia, Canada, New Zealand or the UK will get favorable treatment for license applications, as they have partnered with the US on Cyber Security Policy and issues.

The BIS is seeking comments before 20th July 2015 on the proposed rule. You can submit the comments here.

Adult dating site hacked to leak intimate secrets of 4 million users

Hackers have targeted one of the largest online dating sites of the world, Adult Friend Finder to leak personal data of four million users.

The stolen data includes the sexual orientation of the users, their sexual preferences, and might even potentially reveal who are the ones seeking extramarital affairs. The data also includes email addresses, usernames, dates of birth, postal codes and unique internet addresses of users' computers.

The hack is estimated to have affected 4 million users, including users who have requested the site for a deletion of their accounts.The leaked information contain addresses linked to dozens of government and armed services personnel and members of the British Army.

Channel 4 news, who have been actively tracking such incidents of hacking and information release to the Deep web have found a secretive forum in which a hacker nicknamed ROR[RG] posted the details of users of Adult Friend Finder.

Shaun Harper is among those whose details have been published. Harper, who had requested his account to be deleted stated that, "The site seemed OK, but when I got into it I realized it wasn't really for me, I was looking for something longer term. But by that time I'd already given my information. You couldn't get into the site without handing over information. He added, "I thought the information had gone. These sites are meant to be secure."

Mr. Harper has been targeted with a spate of spam emails ever since his information was leaked. Experts are of the opinion that hackers will further sift through the leaked data to zero down on potential blackmailing targets.

FriendFinder Networks Inc, the owner of Adult FriendFinder have already started working with law enforcement to investigate the matter and have assured customers of strong action in case they are affected.

Venom Vulnerability allows hackers to escape from VM and hack Host Machine

 
CrowdStrike’s senior security researcher Jason Geffner disclosed the vulnerability in the virtual Floppy Drive Code used by many computer virtualization platforms.

Vulnerability VENOM, CVE-2015-3456, attacker can easily escape from the confines of virtual machine guest and exploit the code-execution access to the host. This may result in  elevated access to the host’s local network and adjacent systems.

By exploiting  the VENOM vulnerability one can get access to corporate intellectual property (IP), sensitive and personally identifiable information (PII), which will potentially affect thousands of organizations and millions of end user’s connectivity, storage, security, and privacy.

According to the researcher, the bug is in QEMU’s virtual Floppy Disk Controller (FDC), notably used in  Xen, KVM, and the native QEMU client. Whereas VMware, Microsoft Hyper-V, and Bochs hypervisors are not impacted by this vulnerability.

“The VENOM vulnerability has existed since 2004, when the virtual Floppy Disk Controller was first added to the QEMU codebase“ wrote Jason Geffner in his blog post.

Major vulnerability in medical equipment poses security risk


The Internet enabled PCA3 drug infusion pump manufactured by Hospira suffers from authorization vulnerabilities that can allow unauthenticated users to remotely access and modify pump configurations, drug libraries and software updates.

The Hospira Life care infusion pump, version 5.0 and prior runs "SW ver 412". It does not require authentication for Telnet sessions, which allows remote attackers to gain root privileges via TCP port 23. By attaching any device to the pump via Ethernet, one can easily extract the wireless encryption keys stored in plain text on the device and thus gain access to the keys Life critical network.

The attacker can then impact the pump configurations or medical libraries by conducting firmware updates, command execution, and drug library updates.  However, Hospira maintained that the Operation of the Life Care PCA Infusion pump required the physical presence of a clinician to manually program the dosage into the pump for administration.

Even if credentials are implemented on the Telnet port there are still web services which allow a remote attacker to carry out the remote modifications. Even if that was made secure there are additional services like FTP that are open with hard coded accounts. 

Billy Rios, the independent researcher who discovered these vulnerabilities has been co-ordinating with Hospira since May 2014. A new version has been developed by Hospira which mitigates these vulnerabilities and is under U.S. Food and Drug Administration (FDA) review.

In defense, ICS-CERT  has advised organizations to ensure closure of unused ports, use of VPN, detaching of the pump from insecure networks and use of good design practices with network segmentation.

Impact of the vulnerability varies depending on each organization, so individual organizations need to evaluate and secure themselves based on their operational environment.

Google fixes comment cloning vulnerability in Youtube


Google has fixed a flaw in Youtube, which was discovered by an Egyptian security researcher. The vulnerability allowed anyone to move or copy comments from one video to another without any user-interaction.

On April 15, Ahmed Aboul-Ela wrote on his blog that he and his friend, Ibrahim Mosaad, discovered the flaw that allowed them to duplicate or copy any comments from one video on YouTube to other.

Aboul-Ela wrote, while they were testing the features of reviewing comments, they found it.
These two researchers mainly focused on the setting which allows the user to hold the comments for review before they get published. They found that if that feature is enabled, then the comments will be listed in a control panel labeled “held for review.”

If anyone comments on a Youtube video, it shows the comment_id and video_id in the post parameters. Now, if anyone changes the video_id to any other video id, he/she will get an error. However, if he/she does not touch the video_id and change only the comment_id to any other comment-id on any Youtube video, the request will get accepted and that comment will be copied and appear on his/her own video.

“The author of the comment does not get notified that his comment is copied onto another video nor the original comment from the original video doesn’t get removed,” Aboul-Ela wrote.

According to him, the flaw could be used to make a good video unpopular. And it could have been used to copy any celebrity or public figure’s comment and paste it on their videos.

Aboul-Ela wrote that Google decided to give $3,133.7 reward which is the maximum payment for disclosing vulnerabilities in normal Google applications.

HSBC Finance confirms data breach of mortgaged customers


In a breach notification letter sent to the New Hampshire Attorney General, HSBC Finance Corporation has revealed that sensitive mortgage information of customers of a number of its subsidiaries has been potentially compromised.

The company says that personal information of 685 New Hampshire residents, about mortgage accounts, such as customers’ names, Social Security numbers, account numbers and possibly telephone numbers, were “inadvertently made accessible via the Internet.”

HSBC said that the notice was sent by HSBC Finance Corporation on behalf of its subsidiaries regarding a breach that it learned about on March 27th.

Its subsidiaries include Beneficial Financial I Inc., Beneficial Consumer Discount Company, Beneficial Homeowner Service Corporation, Beneficial Maine, Inc., Beneficial Massachusetts, Inc., Beneficial New Hampshire, Inc., Household Finance Corporation II, Household Finance Corporation of Alabama, Household Financial Center, Inc., and Household Realty Corporation.

HSBC said that it takes the issue seriously, and deeply regrets it happening. “We are conducting a thorough review of the potentially affected records and have implemented additional security measures designed to prevent a recurrence of such an incident,” it said. “We have ensured that the information is no longer accessible publicly. The company has notified law enforcement and the credit reporting agencies of the incident, and no delay in advising you has been caused by law enforcement notification.”


HSBC said it has ensured that the information is no longer publicly available. It began notifying affected customers on April 9 by letter and it's offered customers a free one-year subscription to Identity Guard, a credit monitoring and identity theft protection service.

Personal data exposed as Linux Australia server hacked


Linux Australia, an organization of open-source and free software user group, revealed that one of their server was hacked. The personal details of conference attendees might have been accessed.

According to the organization only the personal data including the names, street, phone numbers and email addresses of delegates for Linux Australia conferences and PyCon have been exposed in a server breach. No financial data have been exposed because they use a third party payment system.

A server had been attacked on March 22, but the Linux Australia discovered the breach on March 24,after conference management software Zookeepr started sending a large number of error reporting emails.

The hackers utilized an unknown vulnerability to trigger a remote buffer overflow and obtain full control of the server hosting the information by installing  a remote access tool and then botnet command and control software.

Joshua Hesketh, Linux Australia’s president wrote “It is the assessment of Linux Australia that the individual utilised a currently unknown vulnerability to trigger a remote buffer overflow and gain root level access to the server. A remote access tool was installed, and the server was rebooted to load this software into memory. A botnet command and control was subsequently installed and started. During the period the individual had access to the Zookeepr server, a number of Linux Australia’s automated backup processes ran, which included the dumping of conference databases to disk.”

Immediately  responding to the incident, Linux Australia has decommissioned the infected server, and announced improvements to its architecture and security.

Slack hacked, over 100k users data compromised


Slack, a team communication tool, has suffered suffered a security breach on its central user database, potentially leaving user's login credentials in the hands of hackers.

Slack was launched in 2013 and its android application has been downloaded by more than 100,000 users so far(according to Google Play store).

The company confirmed the breach in a company blog post. The unauthorized access took place for about 4 days in February.

The database accessed by the intruders included usernames, email IDs, and  passwords(hashed). It also contained optional data added by users such as phone numbers, Skype IDs.

On the bright side, Slack didn't store the passwords in a plain-text format. The passwords have been hashed with a bcrypt and a randomly generated salt.  It does not mean this will thwart hackers from accessing your account, it will just slow down the process and give you a time to take action. And, NO Financial or payment data compromised in this attack.

In the wake of security breach, the company strengths its security for the authentication.  One of them is "2 step authentication" - a verification code in addition to your normal password whenever you sign in to Slack. Let's hope the company also fixes any other vulnerabilities in their website.

Hackers won $317,500 on day one of Pwn2Own 2015

Hackers have been awarded a total of $317,500 USD, for finding three bugs in Adobe Flash, three bugs in Adobe Reader, three bugs in the Windows operating system, two bugs in Internet Explorer, and two bugs in Mozilla Firefox, on the first day of Pwn2Own 2015, sponsored by HP’s Zero Day Initiative (ZDI) and Google’s Project Zero at the CanSecWest security conference in Vancouver, Canada.

Peter, Jihui Lu, and Zeguang Zhao of Team509, and wushi of KeenTeam were awarded $60,000 for exploiting flash by a heap overflow remote code execution vulnerability, and won additional of $25,000 for achieving system-level code execution by leveraging a local privilege escalation in the Windows kernel through TrueType fonts.

Nicolas Joly used a use-after-free (UAF) remote code execution vulnerability and sandbox escape directory traversal vulnerability in the Flash broker, and won $30,000.

Nicolas won another $60,000 for his exploitation of Adobe Reader through a stack buffer overflow, which lead to info leak and remote code execution.

Peter, Jihui Lu, Wen Xu, wushi (KeenTeam), and Jun Mao (Tencent PCMgr) earned $30,000 for targeting Adobe Reader with an integer overflow and achieved pool corruption through a different TTF bug, and $25,000 bonus for the SYSTEM escalation.

Mariusz Mlynski knocked out Mozilla Firefox through a cross-origin vulnerability, and execute a logical flaw to escalate to SYSTEM in Windows. Awarded $30,000 USD for the Firefox bug and an additional $25,000 bonus for the privilege escalation. 360VulcanTeam won $32,500 USD for exploiting 64-bit Microsoft Internet Explorer 11 for medium-integrity code through an uninitialized memory vulnerability.

Yahoo to the rescue of forgetful users with "on-demand password"

Passwords are not meant to be remembered. It is meant to be generated fresh, every time you forget it.

This is what Yahoo seems to think as the company just introduced an on-demand password system.

The system works like this: After signing into the Yahoo account one has to select Account security from the account information page and opt-in for “On-demand passwords”. Then one has to enter the phone number where Yahoo sends the verification code and after entering this code one never has to worry about memorizing passwords ever again.

It can be argued that the move away from default passwords is welcome as password theft is very common now a days but some feel that the privacy is being sacrificed because anybody with access to the phone for even a few seconds has the potential to read through all your communication.

But the fact remains that peril of default passwords had been dealt well with the two step authentication process; whereby if one logs in from a new device, in addition to the password one is asked for a code that has been sent to the associated mobile number. A move to completely eliminated the first step seems to be inclining towards laxer cyber-security norms.

At a time when Google tries to put one in panic mode by notifying what happens if you forget your password and repeated reports of security breaches makes one paranoid, the move from Yahoo to eliminate passwords has invited mixed reactions.

Presently, it is available only to US users.

While the effort is in the right direction to deal with password security issues by closely connecting the virtual and real identities, the approach adapted seems to be fallacious.

Everything you need to know about Bash Bug "ShellShock"


A new critical security vulnerability in the BASH shell, the command-line shell used in many Unix and Linux operating systems, leaves a large number of systems at security risk. The bug also affects Mac OS X.

CVE Number: CVE-2014-6271

Technical Details: 

Here is technical details of the vulnerability, posted by Florian Weimer in Seclists:

"Bash supports exporting not just shell variables, but also shell functions to other bash instances, via the process environment to (indirect) child processes.  Current bash versions use an environment variable named by the function name, and a function definition starting with “() {” in the variable value to propagate function definitions through the environment.

The vulnerability occurs because bash does not stop after processing the function definition; it continues to parse and execute shell commands following the function definition.  For example, an environment variable setting of

  VAR=() { ignored; }; /bin/id

will execute /bin/id when the environment is imported into the bash process. (The process is in a slightly undefined state at this point. The PATH variable may not have been set up yet, and bash could crash after executing /bin/id, but the damage has already happened at this point.) "

Proof of Concept:
env e='() { Ignored; }; echo Vulnerable' bash -c "echo Hello"

Running the above command in Linux Terminal prints "vulnerable" and "Hello".So what exactly is happening here.

The 'env' command used to either print a list of environment variables or run another utility in an altered environment without having to modify the currently existing environment.

Here, the utility is 'bash' that executes the 'echo hello' command - and the environment variable 'e' is imported into the 'bash' process.

The bash shell process the function definition "() { Ignored; };"and then executes the "echo vulnerable" command.

* You can use the above POC code to test whether your system is vulnerable or not.

Real world Attack Scenario:

CGI stores the HTTP headers in environment variables. Let's say the example.com is running a CGI application written in Bash script.

We can modify the HTTP headers such that it will exploit the shellshock vulnerability in the target server and executes our code.

POC:

curl -k http://example.com/cgi-bin/test -H "User-Agent: () { :;}; echo Hacked > /tmp/Hacked.txt"
Here, the curl is sending request to the target website with the User-Agent containing the exploit code.  This code will create a file "Hacked.txt" in the "/tmp" directory of the server.

Who should be worried?
An attacker needs to send a malicious environment variable to an application that interacting with the Internet and this application should have either written in Bash or execute bash script within the app. So, Normal Desktop users are likely not affected by this bug.

However, if you are admin of a website and running CGI app written in BASH or using Bash script, You should be worried.

Metasploit Module:

A Metasploit Module has been released that exploits a code injection in specially crafted environment variables in Bash, specifically targeting Apache mod_cgi scripts through the HTTP_USER_AGENT variable.

You can find the module here.

Malware:
Cyber Criminals are already started to exploit this vulnerability for the malicious purpose.  A malware(ELF format) named as 'Linux/Bash0day', found by @yinettesys.

"Cybercriminals exploit bash 0day to get the ELF malware into web servers. ELF scans routers IP and sends exploit busybox to hack routers and doing DDoS." Malware Must Die who analyzed the malware told EHN.

"If exploit busybox hits the target, they will try to gain shell /bin/sh & brute the default login/passwords commonly used by routers"


Strings contained in the Malware sample

At the time of writing, the detection ratio in Virustotal is 0/55.

You can find the malware sample and more details of the malware at KernelMode website.

Wormable:
Robert Graham of Errata Security says the bug is wormable.  He wrote a script that scans the Internet and finds the vulnerable machines. So far, he found nearly 3,000 vulnerable systems on port 80.

"Consequently, even though my light scan found only 3000 results, this thing is clearly wormable, and can easily worm past firewalls and infect lots of systems." Graham wrote in his blog post.

DHCP RCE Proof of Concept:
https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/


ModSecurity Rules:
RedHat has posted several mod_security rules that helps to prevent the attack:

Request Header values:

SecRule REQUEST_HEADERS "^\(\) {" "phase:1,deny,id:1000000,t:urlDecode,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

SERVER_PROTOCOL values:

SecRule REQUEST_LINE "\(\) {" "phase:1,deny,id:1000001,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

GET/POST names:

SecRule ARGS_NAMES "^\(\) {" "phase:2,deny,id:1000002,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

GET/POST values:

SecRule ARGS "^\(\) {" "phase:2,deny,id:1000003,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271 - Bash Attack'"

File names for uploads:

SecRule  FILES_NAMES "^\(\) {"  "phase:2,deny,id:1000004,t:urlDecode,t:urlDecodeUni,status:400,log,msg:'CVE-2014-6271  - Bash Attack'" 
Patch:
A Patch has been released which ensures that no code is allowed after the end of a Bash function.  If you try to run the exploit code after applying the patch, you will get the following error message:



Unfortunately, the patch is incomplete, it still can be bypassed.  There is a workaround here, but it is not advisable. "CVE-2014-7169" has been assigned for the incomplete fix.

If you think we missed any information, feel free to comment here, we will add it to the article.

---------------------------------

Additional details:
This details isn't for you if you already know how export functions,'env' commands work :

Bash Export function-definition feature: 



Defining a function in Bash script:

       hello(){ echo "Hello World";}

Calling function in Bash script:
   hello

Create a child bash process and call our user-defined function:
bash -c hello

It won't work, because the child bash process doesn't aware that there is user-defined function called "hello". So, what to do?! Let us add the 'hello' function to the environment variable with Export command:

export -f hello

This will export the 'hello' function to the child process.  Let's try to create the child bash process again:

bash -c hello

Now the function is called without a problem.


We can achieve the samething in a single line with 'env' command. Let me first explain what 'env' command does.



'env':


The 'env' command used to either print a list of environment variables or run another utility in an altered environment without having to modify the currently existing environment.

Let's try to print environment variables with bash(creating child process):

bash -c printenv



The above command will print environment variables. Using 'env' command, you can pass a temporary environment variables to the child process:

env e="hello" bash -c printenv


Now, If you check the printed environment variables, you can find the "e='hello" in the result :)

Function passing with env command:

env hello='() { echo Hello World;};' bash -c hello

Data Breach at TripAdvisor's Viator affects 1.4 million customers, card information stolen

The travel site Viator, a subsidiary of TripAdvisor, has suffered a data breach that has compromised customer's information which includes payment card information.

The company is in the process of notifying nearly 1.4 million customers about the breach.  Of that number, approximately 880,000 people had their payment card data compromised(credit/debit card number, expiration date, name, billing address, email address).

A further 560,000 customers had their account information including email IDs, hashed passwords and nickname accessed by the attackers.

The company said that at this time they have no reason to believe customer's card security codes had been compromised.  They company also said that they don't collect debit PIN numbers, so it could not be compromised.

Viator became aware of the breach after receiving a notification from its payment card service provider that unauthorized charges occurred on a number of our customers' credit cards.

The company said it hired forensic experts to investigate the incident and to identify how their systems may have been impacted.

It is also offering a free identity protection services and credit card monitoring services for those affected individuals.



Vulnerability in Android default browser allows attackers to hijack Sessions


A Serious vulnerability has been discovered in the Android default browser(AOSP) that allows a malicious website to bypass "Same Origin Policy(SOP)" and steal user's data from other websites opened in other tabs. AOSP browser is the default browser in Android versions older than 4.4. 

What is Same Origin Policy?
SOP plays an important role in the Web Security, restricts a website from accessing scripts and data stored by other websites.  For example, the policy restricts a site 'Y' from accessing the cookies stored by site 'X' in user's browser.

Same Origin Policy Bypass:
Rafay Baloch, a security researcher, found a security flaw in the "Same Origin Policy" system used by the AOSP browser.  The bug allows the website 'Y' to access the scripts and user's data stored by website 'Y'.

Imagine You are visiting attacker's website while your webmail is opened in another tab, the attacker is now able to steal your email data or he can steal your cookies and could use it to compromise your mail account.

Proof of Concept:
<iframe name="test" src="http://www.example.com"></iframe>
<input type=button value="test"
onclick="window.open('\u0000javascript:alert(document.domain)','test')" >


"Its because when the parser encounters the null bytes, it thinks that the string has been terminated, however it hasn't been, which in my opinion leads the rest of the statement being executed." Rafay said in his blog.

Metasploit Module:
Rafay published the poc on his blog in August.  However, it remained largely unnoticed until rapid7 released a metasploit module that exploits the vulnerability.
http://www.rapid7.com/db/modules/auxiliary/gather/android_stock_browser_uxss

This browser also known for the remote code execution vulnerability, has been discontinued by Google. But older versions of Android do come with this browser.

What you should do?
Stop using the default android browser, Use Google Chrome or Mozilla.

Malicious Ad Network "Kyle and Stan" serves Windows and Mac Malware


Cyber Criminals have been placing malicious ads on a number of popular websites including YouTube, Yahoo that serves malicious software.  The campaign also targets Mac users.

The malicious network, uncovered by Cisco Researchers comprise of over 700 domains.  They observed nearly 10,000 connections to the malicious domains.

The operation has been dubbed "Kyle and Stan" because most of the domains used in this campaign for distributing malicious software contain "kyle" and "stan" strings in the sub-domain name.

The users website who visit the websites containing malicious ad will be redirected to another website.  Users will then be redirected to another page that will serve mac or windows malware based on their user agent.

"The attackers are purely relying on social engineering techniques, in order to get the user to install the software package. No drive-by exploits are being used thus far" Armin Pelkmann, Cisco researcher, wrote in a blog post.

Hackers exploit HeartBleed vulnerability to compromise CHS


Community Health Systems (CHS) recently revealed that hackers have compromised their computer network and stolen personal information of around 4.5 million patients.


The report says the attackers have breached the CHS network in between April and July.  Mandiant, the company that did the forensic investigation found that the group responsible for the "Advanced Persistent Threat" attack is originated from China.

The compromised information includes patients names, phone numbers, Social Security Numbers and other details.

The company claims that no patient credit card, medical or clinical information has been taken.

According to TrustedSec, hackers have exploited the infamous OpenSSL "heart bleed" vulnerability to compromise the CHS network.

"Attackers were able to glean user credentials from memory on a CHS Juniper device via the heartbleed vulnerability (which was vulnerable at the time) and use them to login via a VPN." TrustedSec explained.



Security Vulnerability in Android allows any app to make phone calls

An application normally needs permission and should alert user that it needs permission to make phone call, when it is being installed.

Researchers at Security firm CureSec has discovered a security flaw in the Android system that allows malicious applications to initiate unauthorized phone calls. 

By exploiting this vulnerability, malicious apps can make phone calls to premium-rated numbers and terminate any outgoing calls.  It is also capable of sending Unstructured Supplementary Service Data (USSD) codes that can be used for enabling call forwarding, blocking your sim cards and so on.

The security bug appears to be introduced in Android Jelly bean 4.1.1  and it exits in all latest versions through Android Kitkat 4.4.2.

CureSec has also released a source code and proof-of-concept application to demonstrate the existence of vulnerability.

The bug has been fixed in the latest version of android (v4.4.4).

Bug in GnuTLS allows hackers to run malicious code in Your Linux

Another major security vulnerability has been discovered in the popular cryptographic Library 'GnuTLS' that leaves Linux vulnerable to remote code execution.

GNUTLS is a free library implementing Secure Socket Layer(SSL), Transport Layer Security (TLS) and Datagram Transport Layer Security(DTLS) protocols which are used to offer secure communications.
 
"A flaw was found in the way GnuTLS parsed session ids from Server Hello packets of the TLS/SSL handshake." an entry posted on the Red Hat Bug Tracker reads.

Flaw: The read_server_hello function checks only whether the length of the Session ID does not exceed incoming packet size but it fails to ensure it doesn't exceed maximum length of Session ID.

A malicious server could exploit this vulnerability by sending a very long Session ID value and run a malicious code in "a connecting TLS/SSL client using GnuTLS".

In March, a different vulnerability was patched in GnuTLS Library that could have allowed attackers "to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker"

I've updated my Linux, Did you?