Vulnerability in Android default browser allows attackers to hijack Sessions


A Serious vulnerability has been discovered in the Android default browser(AOSP) that allows a malicious website to bypass "Same Origin Policy(SOP)" and steal user's data from other websites opened in other tabs. AOSP browser is the default browser in Android versions older than 4.4. 

What is Same Origin Policy?
SOP plays an important role in the Web Security, restricts a website from accessing scripts and data stored by other websites.  For example, the policy restricts a site 'Y' from accessing the cookies stored by site 'X' in user's browser.

Same Origin Policy Bypass:
Rafay Baloch, a security researcher, found a security flaw in the "Same Origin Policy" system used by the AOSP browser.  The bug allows the website 'Y' to access the scripts and user's data stored by website 'Y'.

Imagine You are visiting attacker's website while your webmail is opened in another tab, the attacker is now able to steal your email data or he can steal your cookies and could use it to compromise your mail account.

Proof of Concept:
<iframe name="test" src="http://www.example.com"></iframe>
<input type=button value="test"
onclick="window.open('\u0000javascript:alert(document.domain)','test')" >


"Its because when the parser encounters the null bytes, it thinks that the string has been terminated, however it hasn't been, which in my opinion leads the rest of the statement being executed." Rafay said in his blog.

Metasploit Module:
Rafay published the poc on his blog in August.  However, it remained largely unnoticed until rapid7 released a metasploit module that exploits the vulnerability.
http://www.rapid7.com/db/modules/auxiliary/gather/android_stock_browser_uxss

This browser also known for the remote code execution vulnerability, has been discontinued by Google. But older versions of Android do come with this browser.

What you should do?
Stop using the default android browser, Use Google Chrome or Mozilla.

Malicious Ad Network "Kyle and Stan" serves Windows and Mac Malware


Cyber Criminals have been placing malicious ads on a number of popular websites including YouTube, Yahoo that serves malicious software.  The campaign also targets Mac users.

The malicious network, uncovered by Cisco Researchers comprise of over 700 domains.  They observed nearly 10,000 connections to the malicious domains.

The operation has been dubbed "Kyle and Stan" because most of the domains used in this campaign for distributing malicious software contain "kyle" and "stan" strings in the sub-domain name.

The users website who visit the websites containing malicious ad will be redirected to another website.  Users will then be redirected to another page that will serve mac or windows malware based on their user agent.

"The attackers are purely relying on social engineering techniques, in order to get the user to install the software package. No drive-by exploits are being used thus far" Armin Pelkmann, Cisco researcher, wrote in a blog post.

Hackers exploit HeartBleed vulnerability to compromise CHS


Community Health Systems (CHS) recently revealed that hackers have compromised their computer network and stolen personal information of around 4.5 million patients.


The report says the attackers have breached the CHS network in between April and July.  Mandiant, the company that did the forensic investigation found that the group responsible for the "Advanced Persistent Threat" attack is originated from China.

The compromised information includes patients names, phone numbers, Social Security Numbers and other details.

The company claims that no patient credit card, medical or clinical information has been taken.

According to TrustedSec, hackers have exploited the infamous OpenSSL "heart bleed" vulnerability to compromise the CHS network.

"Attackers were able to glean user credentials from memory on a CHS Juniper device via the heartbleed vulnerability (which was vulnerable at the time) and use them to login via a VPN." TrustedSec explained.



Security Vulnerability in Android allows any app to make phone calls

An application normally needs permission and should alert user that it needs permission to make phone call, when it is being installed.

Researchers at Security firm CureSec has discovered a security flaw in the Android system that allows malicious applications to initiate unauthorized phone calls. 

By exploiting this vulnerability, malicious apps can make phone calls to premium-rated numbers and terminate any outgoing calls.  It is also capable of sending Unstructured Supplementary Service Data (USSD) codes that can be used for enabling call forwarding, blocking your sim cards and so on.

The security bug appears to be introduced in Android Jelly bean 4.1.1  and it exits in all latest versions through Android Kitkat 4.4.2.

CureSec has also released a source code and proof-of-concept application to demonstrate the existence of vulnerability.

The bug has been fixed in the latest version of android (v4.4.4).

Bug in GnuTLS allows hackers to run malicious code in Your Linux

Another major security vulnerability has been discovered in the popular cryptographic Library 'GnuTLS' that leaves Linux vulnerable to remote code execution.

GNUTLS is a free library implementing Secure Socket Layer(SSL), Transport Layer Security (TLS) and Datagram Transport Layer Security(DTLS) protocols which are used to offer secure communications.
 
"A flaw was found in the way GnuTLS parsed session ids from Server Hello packets of the TLS/SSL handshake." an entry posted on the Red Hat Bug Tracker reads.

Flaw: The read_server_hello function checks only whether the length of the Session ID does not exceed incoming packet size but it fails to ensure it doesn't exceed maximum length of Session ID.

A malicious server could exploit this vulnerability by sending a very long Session ID value and run a malicious code in "a connecting TLS/SSL client using GnuTLS".

In March, a different vulnerability was patched in GnuTLS Library that could have allowed attackers "to create a specially crafted certificate that could be accepted by GnuTLS as valid for a site chosen by the attacker"

I've updated my Linux, Did you?

Hackers lock iPhones remotely and demanding $100 to unlock it


In recent hours, a number of users from Australia had a nightmare as cyber criminals locked their devices and demanding payment of a ransom.

The locked devices show the following message "Device Hacked by Oleg Pliss" and instructs victims to send $100 dollars to lock404@hotmail.com to unlock their devices.

The cyber attack came to light, after one user from Melbourne shared his experience in Apple support forum and asked help to fix the problem.  Following his post, several users have reported of being affected by this attack.

It appears hackers used stolen Apple IDs and passwords to access iCloud account that allowed them to lock victim's devices and display a message.

What you should do? Don't pay the Ransom !
Affected users are advised to contact Apple directly to regain access to their account.  

Once you have access to your account, change the password immediately and enable two step authentication feature for your account.

eBay hacked, Encrypted passwords and non-financial data stolen


If you have an account in eBay, it is time to change your password!

E-commerce company eBay Inc urges users to change their passwords following a security breach impacting a database containing encrypted passwords and non-financial data.

The database accessed by hackers includes customers' information such as names, encrypted passwords, email IDs, birth dates and phone number.

eBay said it had found no evidence that any financial or credit card information, which is said to be stored in separate database server in encrypted format. 

The company also said a small number of employee login credentials have been stolen in the breach, which allowed intruders to gain access to its corporate network.

The company said the breach happened between late February and early March.

eBay can sent out all the "Offer" mails to users immediately...but why it is taking long to send a security warning?! Once they know the attack has happened and details have been compromised, why wait?!

Doge Vault hacked, 121 Million Dogecoin appears to be stolen


A Popular Dogecoin online wallet service DogeVault has reportedly been infiltrated by cyber criminals, millions of Dogecoins missing from user's wallet.

A note on the front page of the website(www.dogevault.com) says DogeVault service compromised by attackers on May 11, resulting in a service disruption and tampering with wallet funds.

The website has not provide much information about how much they lost in the heist.  However,  Some users at reddit reported that coins have been transferred to a newly created mega wallet.

According to Dogechain records, this wallet (DHKM6NDUUv9kaHAGi1QU7MRBNKfQiAdP3F) has more than 121 million Dogecoins that is about $56,000 dollars.

"We are currently in the process of identifying the extent of the attack and potential impact on user's funds" The statement on the website reads.

DogeVault suggests users not to transfer any funds to Doge Vault addresses until they finish the investigation.

Syrian Electronic Army hacks 4 Wall Street Journal twitter accounts


Wall Street Journal was caught in the crossfire between the Syrian Electronic Army and Ira Winkler who is the CEO of security firm Secure Mentem.

The Syrian Electronic Army(SEA) hijacked four twitter accounts belong to WSJ : @WSJD,  WSJ Europe(@WSJPEurope), WSJ Africa(@WSJAfrica) and WSJ Vintage(@WSJVintage).

SEA posted the message "@Irawinkler is a cockroach" with a picture of Ira Winkler's head on the body of a cockroach.

The attack was carried out in response to a RSA Conference presentation in which Winkler talked about the hacking methods of the SEA and made fun of them.

In his presentation, Winkler also commented that "these people are like cockroaches of the Internet".

This is not the first attack carried out by SEA in response to this presentation.  Last month, the group also defaced the RSA Conference website and said "If there is a cockroach in the internet, it would be definitely you "

Wall Street Journal seems to have recovered the hijacked twitter accounts posted in twitter "We have secured our compromised Twitter accounts and they are now functioning normally."

BSNL website hacked by Pakistani hacker Kai-H4xOrR


Website of Indian state-owned Telecoms company Bharat Sanchar Nigam Limited is one of the highest targets of Pakistani hackers. The site has been defaced a dozens of times in the past decade.

Today, a Pakistani hacker known as Kai-H4xOrR from Pakistan Haxors Crew has managed to deface a BSNL's sub-domain for International Roaming (http://ir.bsnl.co.in/).

" Payback For Hacking Pak Sites .!! " The hacker said in the defacement.

"And Dont mess with Pakistan else you will lose both your Name and this Game Backoff Lamers from our cyber space.. Everybody Knows whose cyber space is more vulnerable You will hack 1 we will hack thousands ./Logout "

At the time of writing, the website is still defaced.  The mirror of the defacement can be found here: http://legendhacks.com/defacements/?id=7173

The same hacker defaced the BSNL's sub-domain for the Online Certificate Programme in the mid of March, 2014.

New Zero-day vulnerability affects all IE Versions from 6 to 11

A new Zero-day vulnerability in the Internet Explorer impacts all IE Versions from 6 to 11 and is being exploited in limited and targeted attacks. The worst part is there is no patch.

The zero-day exploit have been Dubbed as "Operation Clandestine Fox" by FireEye, is currently targeting only users of Internet explorer 9 through IE11.

To get infected by malware, user don't need to open a suspicious email attachments.  A simple visit to malicious webpage loaded with this IE exploit code will deliver the malware into your system.

According to FireEye report, the exploit page loads a malicious flash file(.swf) that calls javascript in IE to trigger the IE vulnerability.  The reason why attackers used the flash file is to make the attack successful bypassing the ASLR and DEP Protections.

What do you can do to protect yourself?
Microsoft didn't mention when it is going to release the patch. But, it has issued few workarounds for IE users.

One of them is to use the Enhanced Mitigation Experience Toolkit(EMET), a free software from Microsoft that will help in mitigating the exploitation of vulnerabilities by adding additional protection layers.

Micorosof also suggested few other workarounds such as disabling IE extension VGX.dll by entering the following command in cmd:
"%SystemRoot%\System32\regsvr32.exe" -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll" 

Buffer Overflow vulnerability in Acunetix scanner allows to hack the noobs who attack your website

Danor Cohen, a Security researcher who recently discovered the 'WinRAR file spoofing vulnerability', has discovered one more zero day vulnerability.  This time it is Buffer Overflow vulnerability in one of the popular web application vulnerability scanner 'Acunetix'.

There is a feature in Acunetix that allows to scan the additional domains or subdomains detected during the scan.

"It learns about the external related domains from the external sources that appear at the scanned website, for example: "<a href=http://externalSource.com/ ></a>"

Danor found that if the 'external' source url's length is larger than 268Bytes, the Acunetix vulnerability scanner will get crashed.

For Ex:
 <A href= “http://AAAAAAAAAAAAAAAAAAAAAAAAAA...........AAAAA”>

Researcher managed to exploit this vulnerability and successfully launched an executable file(calc.exe). By modifiying the code, one can infect the computers of newbies with a malware who attempt to scan their websites.

More technical details are available at his blog post.

Here is Proof of concept video:


*Update*:
Acunetix says this vulnerability affects only the illegitimate(cracked) copies of Acunetix WVS.

"The blogger seems to have managed to pull his exploit by using a cracked version of v8. The cracked version, probably required the replacement of the official executable with a vulnerable one." Acunetix says.

"Once again we want to re-assure all users of legitimate installations of Acunetix WVS that they are in no danger, and are not affected by this at all"

OpenSSL vulnerability allows hackers to read 64k of memory on target server


HeartBleed: A potentially critical security vulnerability in OpenSSL has been discovered that allows an attacker to read up to 64kilobytes of memory from the server running a vulnerable OpenSSL version.

As a normal user, you may not aware what is OpenSSL.  It is cryptographic library which is used for encrypting communication between web server and users - used by plenty of websites including Google, Yahoo, Twitter.

The bug( CVE-2014-0160), dubbed as 'HeartBleed', was independently discovered by Neel Mehta from Google Security team and Codenomicon.  The bug appropriately named HeartBleed because vulnerability is located in HeartBeat extension and it leads to memory leak.

The attacker can read only up to 64k of memory during one iteration of the attack.  However, according to Heardbleed.com, an attacker can "keep reconnecting or during an active TLS connection keep requesting arbitrary number of 64 kilobyte chunks of memory content until enough secrets are revealed".

An attacker can retrieve the private key used for encrypting the communication that will allow to read all information passed to server and user like it wasn't encrypted at all.

How to fix it?
If your server is using OpenSSL 1.0.1 and 1.0.1f, then better upgrade to 1.0.1g. If you are using 1.0.0 and 0.9.8, you are not vulnerable to this bug.  As a temporary fix, users can remove HeartBeat extension by recompiling OpenSSL with -DOPENSSL_NO_HEARTBEATS

Check whether Your server is vulnerable or not:
"http://filippo.io/Heartbleed/" allows to find whether your server is vulnerable to this bug or not.

Details about the Bug:
TLS Heartbeat extension is to ping from one end to another end - a specific message with size of it is being sent from client to server and server responds with the same message.

But, if an attacker send a small size of data(Let's say 1 kilo byte) and claims it's large size(64k), then the server(running vulnerable OpenSSL) will respond with 1 kilo byte of attacker's data + 63 kilobytes of data read from memory of the server.

Technical details of this bug can be found here .(read only if you are good in 'C' program).

Here is POC script written in Python: https://gist.github.com/ixs/10116537

*Update:
Metasploit Module :
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb

Nessus Plugin:
http://www.tenable.com/plugins/index.php?view=single&id=73404

Nmap Script(NSE):
http://nmap.org/nsedoc/scripts/ssl-heartbleed.html

One should always be careful, when using pointers in C programming ;)

Germany's biggest data theft, 18 million emails and passwords stolen


18 Million email addresses and passwords have been stolen in what is being called the biggest data theft in Germany's history.

The compromised accounts are reportedly being misused for criminal purposes such as spreading spam emails.

The authorities have determined that at least three million of compromised accounts belong to German citizens(accounts ending with '.de').  The rest had international domain extensions such as '.com'.

It is still unknown exactly how many German and people from other countries have been affected by this massive data theft. 

A spokesperson for the states prosecutor's office in Verden, Lower Saxony, Germany, told The Local that they are currently in the process of determining how hackers accessed 18 million accounts.

It is second major data theft in Germany this year.  In January, German authorities announced that hackers accessed 16 million email addresses and passwords.

Spec's breach affects 550,000 customers

Texas liquor store Spec's says it experienced a cyber attack on its network  that exposed personal and financial information of more than a half million customers.

The company issued a statement saying the breach affects fewer than 5% of its total transactions.  Those who shopped at one of the 34 their affected stores were affected by this breach.

According to the statement, the attack began on October 31,2012 and may have continued through March 20 of this year.

The exposed information includes names, credit/debit card number, expiration date and card security code or check information including Bank account number, bank routing number, birth dates, driver's license number.

Spec's spokeswoman Jenifer Sarver told the Houston Chronicle that the breach affected "an estimated fewer than 550,000" customers and Spec's employees.

Spec's says it's working with United States Secret service in ongoing criminal investigation to arrest the attackers and taking steps to prevent future attacks.

Opening an email containing RTF in Outlook hands your computer to hackers

How many of you are using Microsoft Outlook in your office? Previewing or opening an email containing .RTF file in Microsoft Outlook will open a backdoor for remote hackers to access your machine.

Microsoft warned today that attackers are exploiting a new zero-day vulnerability in Microsoft Word that allows them to run arbitrary code in the vulnerable system.

"The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word" Security advisory reads. "or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer."

The vulnerability affects Microsoft word 2003, 2007,2010,2013, word viewer and Microsoft Office for Mac 2011.  Advisory states that the exploits it has seen so far have targeted Microsoft word 2010 users.

Microsoft is in the process of creating patch for this security flaw.  In the meantime, they have released a temporary Fix it solution which prevents opening of RTF files in Microsoft word.

Other suggestion to prevent yourself from being victim are 'configuring the outlook to read email messages in plain text format', 'using Enhanced Mitigation Experience Toolkit(EMET)'.

Syrian Electronic Army gather evidence that Microsoft selling your information to FBI

A document recently leaked by Syrian Electronic Army shows that Microsoft is charging FBI secret division to legally view customer information.  The documents are said to have been taken from Microsoft.

Syrian Electronic Army(SEA) is known for hacking social media accounts and websites of top organizations including Microsoft, CNN, Daily dot and more. 

SEA allowed the Daily Dot to analyze the documents before they published in full.

The document is said to be containing emails and invoices between Microsoft's Global Criminal Compliance team and the FBI's Digital Intercept Technology Unit (DITU).

The documents shows that Microsoft charged FBI $145,100 in December 2012, broken down to $100 per request for information.  But in 2013, Microsoft allegedly doubled the amount, charged FBI $200 per request for a total of $352,200.  For the recent invoice(Nov 2013), they charged $281,000.

The information provided to FBI including Live email ID, PUID, name, address, country, IP address, Date of Registration and few other details.

Here is the screenshot of documents:





Operation Windigo: Thousands of Linux and Unix Servers hacked to deliver malware, spam

Hackers compromised thousands of Linux and Unix servers and used them for stealing SSH credentials, sending millions of spam messages and infecting visitors with malware.

The campaign has been dubbed as Operation Windigo, which was uncovered by researchers at security firm ESET.

According to the report, the operation has been ongoing since 2011 and more than 25,000 servers have been compromised in the last two years. 

Even some of high profile servers including Cpanel and Kernel.org had been affected by this campaign.

Millions of users to legitimate website hosted on affected servers are being served with malware via exploit kits and 35 Million spam messages are being sent each day from the compromised servers.

Three main components used in this operation are:

  • Linux/Ebury – an OpenSSH backdoor used to keep control of the servers and steal credentials
  • Linux/Cdorked – an HTTP backdoor used to redirect web traffic. We also detail the infrastructure deployed to redirect traffic, including a modified DNS server used to resolve arbitrary IP addresses labeled as Linux/Onimiki
  • Perl/Calfbot – a Perl script used to send spam

Detailed technical paper on "Operation Windigo" is here.

25,000 cards data compromised in Sally Beauty data breach


Earlier this month, Krebs on Security first reported that one of the largest retailers of beauty products 'Sally Beauty' had been hacked.  At the time, the Sally Beauty said there is no card data involved in the breach.

Today, the company confirmed that its network has been breached and fewer than 25,000 credits cards data may have been compromised by attackers. 

“As experience has shown in prior data security incidents at other companies, it is difficult to ascertain with certainty the scope of a data security breach/incident prior to the completion of a comprehensive forensic investigation." Sally Beauty said.

"As a result, we will not speculate as to the scope or nature of the data security incident." the company added.

The company said they will continue to work with Verizon and US secret services on this investigation.  The company is taking necessary actions and precautions.

In the meantime, an unknown hacker defaced a website selling the stolen credit card data and send a message to the admin of the site as well as to Brian Krebs.

" Hi subhumans and miscreants, your fraud site is gone now. Go away.
Also, Krebs, please dont call me a punk on Twatter: im trying to be a good person :(" The defacement page reads.

"To all the people who used this service to blackmail and threaten and "dox" people's families: fuck you especially. To the "regular" fraudsters: fuck you too but slightly less.  To Cloudflare: why in a billion 6000-degree hells is your NS TTL 80000?" 

Miley Cyrus, Taylor Swift and Britney Spears websites hacked by Ethical Spectrum

Update :
The latest tweet from the hacker shows he compromised the database containing username and password details belong to these websites "The database of #MileyCyrus, #SelenaGomez......etc with 2,5 million users and pass is for sell, anyone interested email me at my mail"

Exclusive Information:
The hacker told E Hacking News that he found multiple vulnerabilities in the Groundctrl website and gained access to the database server.

He also gained access to the CMS panel which manages the celebrities' websites.
GroundCtrl CMS Panel

Original Article:

 
A hacker going by online handle "Ethical Spectrum" has hacked into websites belong to several celebrities and defaced the sites.

The affected websites include Miley Cyrus official site(mileycyrus.com), Selena Gomez(selenagomez.com), Taylor Swift site(taylorswift.com), Britney Spears site(britneyspears.com).

We are able to confirm that these are official websites of the celebrities, as it is being linked from their twitter account.

According to hackers twitter account(@Eth_Spectrum), he hacked into the above mentioned websites on March 8th.  The website was restored after the breach.  However, hacker mentioned he once again managed to deface them.  ]

Other websites attacked by the hacker are Ground Ctrl(groundctrl.com), mypinkfriday.com, Chelsea Handler site (chelseahandler.com), Aaron Lewis(aaronlewismusic.com/), therealcocojones.com, christinagrimmieofficial.com, Kacey Musgraves(kaceymusgraves.com).

The defacement just reads "Why i hacked this site, you can ask this person greg.patterson@groundctrl.com".

Greg Patterson is the co-founder of the Groundctrl, an organization that build websites for artists.  It appears the security breach started from Groundctrl.

Other affected sites:
  • Pat Green(patgreen.com),  
  • Rob Thomas(robthomasmusic.com), 
  • Rock Mafia(rockmafia.com  ), 
  • ritawilson.com  , 
  • sum41.com
  • nickcarter.net
  • jordanknight.com
If you are not able to see the defacement, you can find the mirror here:
http://www.zone-h.org/archive/notifier=Ethical%20Spectrum

All of the affected websites are currently showing the maintenance error message except groundctrl official website.

Hacker didn't provide much information about the breach, so we are not sure how exactly he hacked into all of these websites, whether he found a zero-day exploit on the cms developed by groundctrl or all of the affected sites managed in a central place.