Yahoo revamps security to protect users' data from NSA


Yahoo says it has introduced a few improvements to the encryption of users' data in an attempt to prevent cyber attacks and government surveillance.

Alex Stamos, who recently joined Yahoo as Chief Information Security Officer, said that traffic moving between Yahoo's data centers has been fully encrypted as of March 31.

The move came after whistleblower Edward Snowden leaked documents alleging that traffic between Google and Yahoo data centers was being intercepted by the NSA.

Yahoo has also enabled encryption of mail in transit between its servers and other mail providers. Search requests made from the Yahoo homepage are now automatically encrypted as well.

Yahoo is promising to release a new, encrypted version of Yahoo Messenger within the next few months.

"In addition to moving all of our properties to encryption by default, we will be implementing additional security measures such as HSTS, Perfect Forward Secrecy and Certificate Transparency over the coming months. This isn’t a project where we’ll ever check a box and be 'finished,'" Stamos wrote in the blog post.

"Our fight to protect our users and their data is an on-going and critical effort. We will continue to work hard to deploy the best possible technology to combat attacks and surveillance that violate our users’ privacy," he added.

Cyber Defence Course Level 1 in Anna University, Chennai

Most of us, from beginners to advanced users, use mobile phones, laptops and desktops, but we don't know how to secure them from the hackers, viruses and spies who want our information. Here is a short course on securing your computer, mobile phone and laptop against even advanced cyber espionage actors.

Who should learn this:

a. Corporate users: marketing, sales, CEOs and CFOs who are targeted by corporate espionage

b. Women and children who want to secure their phones, email and social media

c. Lawyers and doctors who may be targeted for information on their clientele

d. The common man: anyone who uses computers, young or old, and wants to secure their own machines/laptops and protect their loved ones

e. College students

Content:

Computer:

  • Security in general.
  • Online security and safe browsing practices.
  • Using live CD for banking.
  • Social Media privacy settings (FB, Twitter, Gmail, 2-factor auth)
  • What can malware do?
  • Firewall.
  • Check for malware without AV (find undetectable virus).
  • Removing malware manually.
  • Checking USB for malware also disabling autorun.inf type virus.
  • Anti Keylogger.
  • Sandbox.
  • Recover Files.
  • Secure Wipe Files.
  • Encrypt files.
  • Encrypted Email
  • Encrypted Chat

Phone:

Secure Chat, Phone, Messaging on windows, android & others.


Certificate:

The Cyber Security & Privacy Foundation will issue a certificate.

Register here

Venue:
Anna University, Chennai

Bug in Twitter could allow anyone to read tweets from protected accounts

Twitter has fixed a bug in its website that could have allowed non-approved followers to read tweets from protected Twitter accounts.

Normally, tweets from protected accounts can't be seen by the public; one must get approval from the account holder to view them.

This bug could allow anyone to view those hidden tweets by receiving SMS or push notifications from the protected accounts.

The microblogging firm said a member of the white hat security community helped it discover and diagnose the bug. According to its blog post, the bug had existed since November 2013.

"As part of the bug fix, we’ve removed all of these unapproved follows, and taken steps to protect against this kind of bug in the future."

The bug affected around 93,788 protected accounts. Twitter has emailed all affected users to inform them about the bug and apologize.

Nullcon international security conference 2014

Recently we all witnessed this season of NULLCON unfold. NULLCON, India’s biggest security conference, happens in Goa every year; this year it was held on the 14th of February, with the tagline "Spread Love, Not Malware".

This year’s Nullcon International Conference was filled with speakers from across the globe presenting various interesting papers. This year’s Nullcon also saw some of the upcoming talents of the Indian cyber space.

The event started off with a bang with the Night Talks on the night of the 13th, followed by a grand party. The evening talks also had a "Black Shield Award" segment in which eminent personalities were presented with the Black Shield Award. The achievers list of Black Shield is as follows:


The day talks started on the morning of the 14th and went on till the evening of the 15th. This year’s Nullcon talks featured various well-known security researchers such as Rahul Sasi, Alexander Polyakov, LavaKumar Kuppan, Vivek Ramachandran, Saumil Shah and many more. And as Nullcon always tries to bring out budding talent from India, this time we did have upcoming talents from the Indian infosec community such as Yahin Mehboobe, Ankita Gupta, Abhay Rana and many more.

One of the major attention grabbers this time was the ultra-geeky nullcon2014 hardware badge, developed by Indian researchers Amay Gat and Umesh Jawalikar.

One of the new things seen this time at Nullcon was NULLCON AMMO, which showcased some of the coolest, geekiest open-source tools developed by young Indian researchers and developers.

The tools found at Nullcon Ammo were:
  • OWTF (The Offensive Web Testing Framework) – by Abraham Aranguren & Bhardwaj Machhiraju.
  • NoSQL Exploitation Framework – by Francis Alexander.
  • XML Chor – by Harshal Jamdade.
  • Drup Snipe – by Sukesh Reddy and Ranjeet Senger.
  • OWASP Xenotix XSS Exploitation Framework – by Ajin Abraham.
And there were plenty of other tools that got featured this time at the Nullcon Ammo event.

Overall, this season of Nullcon was filled with more geekiness, fun, parties and an awesome feast of information and knowledge for infosec enthusiasts. It was even more exciting than the previous season. The experience the hackers had this time was the best. For a hacker, you can’t ask for anything better than Nullcon.

Android SMS malware hosted on Google Play infects 1.2 Million users


Experts often suggest downloading Android apps only from Google Play to avoid malware infection. But that doesn't mean we can trust all of the apps hosted on Google Play.

Security researchers from Panda Security have found more than five malicious apps being hosted on Google Play.

The apps in question appear to target users in Spain, and they carry Spanish names: “Peinados Fáciles” (Easy Hairdos), “Dietas para Reducir el Abdomen” (Abs Diets), “Rutinas Ejercicios para el Gym” (Workout Routines) and “Cupcakes Recetas” (Cupcake Recipes).

The apps obtain the phone number of the infected device from WhatsApp and use it to sign the victim up to premium-rate SMS subscription services.

Researchers say each of these apps has been downloaded by between 50k and 100k users, which means that between 300k and 1.2 million users might have been affected by this malware.

“The truth is that fraudsters are making insane amounts of money from these premium services. A conservative estimate of, let’s say, €20 paid by each user would result in a huge sum of 6 to 24 million euros stolen from victims”, said Luis Corrons, Technical Director of PandaLabs.

Gmail now automatically displays images, helping attackers know when you open the mail


Google yesterday announced that Gmail will display embedded images in emails by default, something that was previously disabled.

By enabling this feature, Google has made a mistake: a sender is now able to track whether the user has opened the mail or not.

An attacker with a unique image link (e.g. www.breakthesecurity.com/123456.jpg) can easily determine when the recipient opened the mail.

"Turning those images on means we’ll be more accurate when tracking unique opens," MailChimp, a bulk mail service, said in a blog post.

"GMail's new image caching doesn't occur until the user views the message, still provides read tracking," security researcher HD Moore commented on the new feature in a tweet.

You can disable this feature by choosing the option "Ask before showing" in the "Images" section under the General tab in Settings. However, it remains to be seen how many users will disable it; most don't bother.
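A defensive check that follows from the above, as an added example (not code from the article, Google or MailChimp): a scanner that flags remote images in an HTML mail body that look like open-tracking beacons. The sample message is constructed, and the heuristics (an opaque per-recipient token in the URL, a declared 1x1 size, CSS hiding) are our own.

```python
"""Flag <img> tags in an HTML email that look like open-tracking beacons.

Added example, not from the article. The message body below is constructed
and the heuristics are our own: a remote image is flagged when its URL
carries an opaque token, when it is declared 1x1, or when it is hidden
with CSS. Images loaded by cid:/data: never contact a server and are skipped.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a normal logo, an inline photo and a 1x1 beacon.
SAMPLE_EMAIL_HTML = """
<html><body>
<img src="https://example.com/static/logo.png" width="120" height="40" alt="logo">
<p>Hello, here is your newsletter.</p>
<img src="https://track.example.net/o/5f2a9c1b7e3d4a6b8c0d.gif?u=12345"
     width="1" height="1" style="display:none" alt="">
<img src="cid:inline-photo" width="300" height="200">
</body></html>
"""

# Path/query segments that look like opaque identifiers: long hex runs,
# long base64/url-safe runs, or all-digit ids (like the article's 123456.jpg).
TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9])(?:[0-9a-fA-F]{12,}|[A-Za-z0-9_-]{20,}|\d{6,})(?![A-Za-z0-9])"
)


class _ImgCollector(HTMLParser):
    """Collects the attribute dict of every <img> in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def classify_image(attrs):
    """Return a finding dict for a remote image, or None for cid:/data: images."""
    src = attrs.get("src", "").strip()
    parsed = urlparse(src)
    if parsed.scheme not in ("http", "https"):
        return None
    reasons = []
    locator = parsed.path + ("?" + parsed.query if parsed.query else "")
    if TOKEN_RE.search(locator):
        reasons.append("opaque token in URL")
    width, height = attrs.get("width", "").strip(), attrs.get("height", "").strip()
    if width in ("0", "1") and height in ("0", "1"):
        reasons.append("1x1 pixel")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden via CSS")
    return {"src": src, "host": parsed.hostname or "", "reasons": reasons}


def find_tracking_images(html):
    """All remote images in `html` that show at least one beacon indicator."""
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.images:
        info = classify_image(attrs)
        if info and info["reasons"]:
            findings.append(info)
    return findings


if __name__ == "__main__":
    for finding in find_tracking_images(SAMPLE_EMAIL_HTML):
        print(f"{finding['host']}: {', '.join(finding['reasons'])}")
```

A mail client or gateway that applies this logic can keep "display images" on for ordinary content while proxying or blocking only the flagged ones.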

Stolen laptop of Poker Player mysteriously returned with Remote Administration Tool


Jens Kyllönen, a professional poker player from Finland, was shocked when his laptop, apparently stolen from his hotel room while he was playing in a tournament, mysteriously reappeared in the same place he had left it.

Jens complained about the incident to the hotel, but the staff were not helpful. They told him the cameras were not working properly, so they could not find out how it had happened.

Interestingly, the laptop was stolen again while he was getting help from the staff, and this time it turned up in the hotel lobby. Whoever had accessed the laptop had managed to remove the password protection.

He then decided to take the laptop to F-Secure Labs for a forensic investigation to find out what had happened.

According to F-Secure Labs, the laptop was in fact infected with a Java-based Remote Administration Tool (RAT). Based on the timestamps, the malware was installed during the period the laptop had gone missing.

He is not the only victim of this attack: another professional player, Henri Jaakkola, who stayed in the same room at the event, had the exact same trojan installed on his laptop.

Those who carry laptops with sensitive information are advised to keep them in a safe when unattended and to encrypt their disks (and to power the machine off rather than leave it suspended, so the encryption keys are not left sitting in memory).

ANZ inadvertently sent customers' bank statements to 2-year-old kid


Privacy Breach:

The Australia and New Zealand (ANZ) Bank has inadvertently sent the bank statements of customers holding hundreds of dollars to a two-year-old kid.

The kid, Joel Morrison, who has his own savings account of about $200, received the statements in the mail after his mom Stacey Morrison requested details of her own spending.

ANZ asked Stacey to return the statements. However, she first informed the account holders in question, all of whom were disappointed by the incident.

An ANZ spokesperson told TVNZ that the bank has launched an investigation into how it happened. He said their "inquiries point to it being a handling error at a printer".

To clients who asked what could have happened if the details had fallen into the wrong hands, the bank replied that the statements didn't contain any sensitive data that would put their accounts at risk.

FBI uses Spear Phishing technique to plant malware in Suspect's system


It's not surprising that the FBI uses malware to track the activities and location of suspects. A new article published by the Washington Post covers how the FBI uses malware for surveillance to track a suspect's movements.

The FBI team works much like other hackers: it targets suspects with spear phishing that attempts to exploit a vulnerability in the target's machine and install malware. The malware then collects information from the infected machine and sends it back to the FBI's server. The malware is also capable of covertly activating webcams.

In a bank fraud case in April, Judge Stephen Smith rejected an FBI request to install spyware on a suspect's system.

Smith pointed out that using such technologies ran the risk of accidentally capturing information about others who were not involved in any illegal activity.

In another case, in December 2012, a different judge approved the FBI's request. The malware successfully gathered enough information from the suspect's system to help in arresting him.

In yet another case, in July 2012, an unknown person calling himself "Mo", operating from an unknown location, made a series of threats to detonate bombs at various locations. He wanted the release of a man who had been arrested for killing 12 people in a movie theater in the Denver suburb of Aurora, Colo.

After investigation, they found that Mo was using Google Voice to make calls to the sheriff, and that he also used a proxy to hide his real IP address.

On further investigation, the FBI found that Mo had used an IP address located in Tehran when he signed up for the email account in 2009.

In December 2012, a judge approved an FBI request to send an email containing surveillance software to the suspect's email address. However, the malware failed to perform as intended. But Mo's computer did send a request for information to the FBI's server from two different IP addresses, both of which suggested he was still in Tehran.

WordPress plugin containing backdoor distributed via phishing emails

What would you do if, as a WordPress user, you received an email offering the Pro version of a WordPress plugin for free? Don't be tempted by such emails; they also give away malicious code for free!

Sucuri reported phishing emails asking its clients to download the Pro version of the "All in One SEO Pack" WordPress plugin. The email claims the plugin is worth $79.00 and is being given away for free.

"You have been chosen by WordPress to take part in our Customer Rewarding Program. You are the 23rd from 100 uniques winners," the phishing email reads.

Credit: Sucuri

The download link in the email does not point to the WordPress plugin repository; it points to a zip file hosted on a compromised website.

Security researchers at Sucuri analyzed the plugin and found that it had been modified with a backdoor giving attackers full access to the server.

The malicious code in the plugin replaces the site's index.php file with code retrieved from the attacker's server. So when users visit the site, they are either redirected to spam sites or to exploit kits that infect the visitor's system.

Scientists develop malware capable of sending data using mic and speakers


How can malware steal data from an infected system that has no internet connection? You might think it is impossible. Computer scientists say it is possible.

German researchers at the Fraunhofer Institute for Communication, Information Processing and Ergonomics say that malware can transmit data using inaudible sounds.

It can exfiltrate confidential data or keystrokes using nothing more than ordinary speakers and microphones, without any internet connection.


Security researchers often suggest not connecting systems that hold sensitive data to the Internet, so that cyber criminals can't reach them. But now data can be stolen over audio without a network connection. So what now?! Remove the audio devices, then.

The researchers say it can be prevented by switching off audio I/O devices. When audio devices are needed, the inaudible communication can still be prevented "by application of a software-defined lowpass filter".

The researchers describe their idea in their paper entitled "On Covert Acoustical Mesh Networks in Air". You can find the research paper here.

(h/t: Ars Technica)
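The software-defined lowpass filter the researchers propose as a mitigation, as an added example (not code from the Fraunhofer paper): a windowed-sinc FIR lowpass run over a constructed signal that mixes an audible 1 kHz tone with an 18.5 kHz "covert" carrier, measuring how much of each survives. The 48 kHz sample rate and 15 kHz cutoff are assumed values.

```python
"""Software-defined lowpass filter against near-ultrasonic covert channels.

Added example, not code from the Fraunhofer paper. It designs a windowed-sinc
FIR lowpass, feeds it a constructed signal (an audible 1 kHz tone plus an
18.5 kHz "covert" tone) and measures how much of each tone survives. The
48 kHz rate and 15 kHz cutoff are assumed values. Pure Python, no numpy.
"""
import math

SAMPLE_RATE = 48_000   # Hz, assumed sound-card rate
CUTOFF_HZ = 15_000     # assumed: above speech/music, below the near-ultrasonic band
NUM_TAPS = 255         # odd count keeps the FIR symmetric (linear phase)
AUDIBLE_HZ = 1_000     # legitimate audio that must pass
COVERT_HZ = 18_500     # constructed covert carrier that must be suppressed


def design_lowpass(cutoff_hz=CUTOFF_HZ, sample_rate=SAMPLE_RATE, num_taps=NUM_TAPS):
    """Windowed-sinc FIR lowpass (Blackman window), normalised to unity DC gain."""
    fc = cutoff_hz / sample_rate      # normalised cutoff, cycles per sample
    m = num_taps - 1
    taps = []
    for n in range(num_taps):
        k = n - m / 2
        # ideal (sinc) lowpass impulse response, centred on the middle tap
        h = 2 * fc if k == 0 else math.sin(2 * math.pi * fc * k) / (math.pi * k)
        # Blackman window: a wider transition band in exchange for ~74 dB stopband
        w = 0.42 - 0.5 * math.cos(2 * math.pi * n / m) + 0.08 * math.cos(4 * math.pi * n / m)
        taps.append(h * w)
    gain = sum(taps)
    return [t / gain for t in taps]


def apply_fir(signal, taps):
    """Direct-form convolution; the output has the same length as the input."""
    out = []
    for i in range(len(signal)):
        acc = 0.0
        for j in range(min(i + 1, len(taps))):
            acc += taps[j] * signal[i - j]
        out.append(acc)
    return out


def tone(freq_hz, amplitude, num_samples, sample_rate=SAMPLE_RATE):
    """A pure sine tone, used to construct the test signal."""
    return [amplitude * math.sin(2 * math.pi * freq_hz * n / sample_rate)
            for n in range(num_samples)]


def amplitude_at(signal, freq_hz, sample_rate=SAMPLE_RATE):
    """Peak amplitude of one frequency (single-bin DFT scaled by 2/N).
    Exact when freq_hz spans an integer number of cycles over len(signal)."""
    n = len(signal)
    re = sum(s * math.cos(2 * math.pi * freq_hz * i / sample_rate) for i, s in enumerate(signal))
    im = sum(s * math.sin(2 * math.pi * freq_hz * i / sample_rate) for i, s in enumerate(signal))
    return 2 * math.hypot(re, im) / n


def filter_demo(num_samples=2048, skip=512):
    """Mix the two tones, filter, and report each tone's amplitude before/after.

    The first `skip` samples (>= NUM_TAPS) are dropped so the filter's warm-up
    transient does not distort the measurement; the remaining 1536 samples at
    48 kHz hold an integer number of cycles of both tones, so the bin
    measurement is exact."""
    assert skip >= NUM_TAPS
    mixed = [a + c for a, c in zip(tone(AUDIBLE_HZ, 1.0, num_samples),
                                   tone(COVERT_HZ, 0.5, num_samples))]
    filtered = apply_fir(mixed, design_lowpass())
    before, after = mixed[skip:], filtered[skip:]
    return {
        "audible_before": amplitude_at(before, AUDIBLE_HZ),
        "audible_after": amplitude_at(after, AUDIBLE_HZ),
        "covert_before": amplitude_at(before, COVERT_HZ),
        "covert_after": amplitude_at(after, COVERT_HZ),
    }


if __name__ == "__main__":
    r = filter_demo()
    for key, value in r.items():
        print(f"{key:15s} {value:.5f}")
    print(f"covert suppression: {20 * math.log10(r['covert_after'] / r['covert_before']):.1f} dB")
```

In a real deployment the same filter would sit in the audio driver or mixer path on both the capture and playback sides, since the channel needs a speaker on one host and a microphone on another.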

Antivirus that will alert about Criminal and Illegal content for $500

Isn't the title interesting?! There is no such antivirus that alerts you about criminal and illegal content. It is being advertised by a recently discovered ransomware.

Ransomware usually locks the victim's system or browser and displays a warning message pretending to be from the FBI or another authority. It informs victims that their system has been locked because of their illegal activities and asks them to pay money to unlock it.

A new ransomware spotted by the Malwarebytes team interestingly informs victims that "Your criminal records have been deleted".


The malware also suggests that victims buy an antivirus for $500 from the criminals in order to unlock the system and avoid other legal consequences.

Those who fall for this scam end up paying around $1200. As I said earlier, no such antivirus exists. After paying the ransom, you just receive a message saying "your browser will be unlocked within 12 hours", and nothing else.

Used memory sticks being sold online contain sensitive Government data


Selling used memory sticks often poses an information security risk: we may think we have completely erased the data, but files that were not properly deleted can be recovered with the help of some tools.

A recent study found that "old memory sticks" being sold online contain sensitive Australian Government data.

The research paper, which is to be presented at a cyber security conference in Perth, reveals how researchers discovered the confidential government data while studying used memory sticks, The Australian reports.

The study found that sellers are shipping memory sticks without properly erasing the data. The recovered data contained not only personal information but also information that appears to belong to the Australian government.

"It is evident that actions must be taken by second hand auction sites, and the media to raise awareness and educate end-users on how to dispose of data in an appropriate manner," the study says.

Larry Clinton addresses at an event held by CSPF and Anna University


Mr. Larry Clinton, President & CEO of the Internet Security Alliance, gave an informative speech at the recent event held by the Cyber Security Privacy Foundation (CSPF) and Anna University.

The event was inaugurated by Mr. Ramamurthy, Chairman, Cyber Security and Privacy Foundation, followed by Dr. Chellappan, Dean, Anna University.


Speaking on "The Evolving Cyber Threats, and How to Address Them", Larry Clinton said that in 95% of companies the Chief Financial Officer (CFO) is not directly involved in information security.

He suggested that CFOs "appoint an enterprise wide cyber risk team and Develop an enterprise wide cyber risk management plan" in order to improve the information security of an organization.


Clinton also praised CSPF's Tech Core, which is headed by J Prasanna, for pre-empting cyber threats.


"First of all, let me thank the Cyber Security and Privacy Foundation for all your efforts in putting together the interactive session with Mr. Larry Clinton at Anna University on November 21," the US Consulate said in an email sent to CSPF. "My colleagues and I were very pleased with the level of participation and engagement."


"Mr. Clinton was particularly happy to have had such a well-informed audience and their enthusiastic participation in the discussions."

Cybercriminals embed Banking Trojan inside RTF file

If you are expecting a bank receipt via email and live in Brazil, be careful. Kaspersky security researchers have spotted a spam mail in which Brazilian cyber criminals use a new and interesting trick to infect recipients.

The attack starts with a spam mail carrying a "Comprovante_Internet_Banking.rtf" ("Receipt from Internet Banking.rtf") file as an attachment.

Usually the attachment is an executable file masquerading as a PDF, or an exploit file. Interestingly, in this case it is just an RTF file, not an exploit. But that doesn't mean the file is innocuous.

When a user opens the RTF file, the document shows an image thumbnail with the message "Click to see in a larger size". You may wonder what happens when you click an image thumbnail in an RTF file: you are presented with a prompt saying that a CPL file is about to be executed.


Yes, it is malware. Kaspersky detects it as "Trojan.Win32.ChePro", a Brazilian banking trojan written in Delphi.

How did the cybercriminals insert malware inside a document?! The RTF format (and a few other document formats) allows file objects, even executables, to be embedded inside a document. The attackers embedded the malware file using this feature.
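A defensive counterpart to the trick described above, as an added example (not Kaspersky's code): a scanner that parses the `\objdata` of embedded objects in an RTF file and flags Packager objects that carry an executable file name or an MZ header. The sample RTF and its payload are constructed; the OLE 1.0 header layout follows MS-OLEDS, while the native-data body is a simplified stand-in for the real Packager stream.

```python
"""Scan an RTF document for embedded OLE objects that carry a file payload.

Added example, not Kaspersky's or the article's code. RTF stores an embedded
object as {\object\objemb{\*\objclass X}{\*\objdata HEX}}, where HEX is an
OLE 1.0 EmbeddedObject stream (MS-OLEDS: OLEVersion, FormatID, three
length-prefixed strings, then NativeDataSize + NativeData). The sample RTF
below is constructed: its "payload" is a fake MZ stub and its native data is
a simplified stand-in (NUL-terminated file name, then the bytes) for the
real Packager stream, which carries more fields but the same header.
"""
import re
import struct

OBJCLASS_RE = re.compile(r"\{\\\*\\objclass\s+([^}]*)\}")
OBJDATA_RE = re.compile(r"\{\\\*\\objdata\s*([0-9A-Fa-f\s]*)\}")
# NUL-terminated file names with executable extensions inside the native data
EXEC_NAME_RE = re.compile(rb"([\w\-. ]+\.(?:cpl|exe|scr|com|bat|cmd|js|vbs|ps1))\x00", re.I)


def _lpstr(s: bytes) -> bytes:
    """MS-OLEDS LengthPrefixedAnsiString: u32 length (incl. NUL) + bytes + NUL, or length 0."""
    return (struct.pack("<I", len(s) + 1) + s + b"\x00") if s else struct.pack("<I", 0)


def constructed_objdata_hex(file_name: str, payload: bytes) -> str:
    """Hex blob for a constructed 'Package' object (test fixture only)."""
    native = file_name.encode("latin-1") + b"\x00" + payload
    header = struct.pack("<II", 0x00000501, 2)              # OLEVersion, FormatID 2 = embedded
    header += _lpstr(b"Package") + _lpstr(b"") + _lpstr(b"")  # ClassName, TopicName, ItemName
    return (header + struct.pack("<I", len(native)) + native).hex()


SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0 Comprovante\par"
    r"{\object\objemb\objw1440\objh1440{\*\objclass Package}"
    r"{\*\objdata "
    + constructed_objdata_hex("comprovante.cpl", b"MZ" + b"\x90" * 16 + b"fake-cpl-body")
    + r"}}\par Click to see in a larger size.\par}"
)


def parse_ole1_embedded(blob: bytes):
    """Parse an OLE 1.0 EmbeddedObject; None if truncated or not an embedded object."""
    off = 0

    def u32():
        nonlocal off
        (value,) = struct.unpack_from("<I", blob, off)
        off += 4
        return value

    def lpstr():
        nonlocal off
        n = u32()
        s = blob[off:off + n]
        off += n
        return s.rstrip(b"\x00").decode("latin-1")

    try:
        version, format_id = u32(), u32()
        class_name, _topic, _item = lpstr(), lpstr(), lpstr()
        if format_id != 2:          # 1 = linked object, which carries no native data
            return None
        size = u32()
        native = blob[off:off + size]
    except struct.error:
        return None
    return {"version": version, "class_name": class_name, "native": native}


def scan_rtf(text: str):
    """One finding per \objdata group, with the reasons it looks dangerous."""
    classes = [(m.start(), m.group(1).strip()) for m in OBJCLASS_RE.finditer(text)]
    findings = []
    for m in OBJDATA_RE.finditer(text):
        try:
            blob = bytes.fromhex(re.sub(r"\s+", "", m.group(1)))
        except ValueError:
            blob = b""
        earlier = [c for pos, c in classes if pos < m.start()]
        finding = {"rtf_class": earlier[-1] if earlier else "", "class_name": "",
                   "embedded_name": "", "reasons": []}
        ole = parse_ole1_embedded(blob)
        if ole is None:
            finding["reasons"].append("objdata is not a parseable OLE 1.0 embedded object")
        else:
            finding["class_name"] = ole["class_name"]
            if "Package" in (ole["class_name"], finding["rtf_class"]):
                finding["reasons"].append("Packager object: an arbitrary file dropped and run on click")
            name = EXEC_NAME_RE.search(ole["native"])
            if name:
                finding["embedded_name"] = name.group(1).decode("latin-1")
                finding["reasons"].append("executable file name in native data")
            if b"MZ" in ole["native"]:   # coarse: MZ can also occur by chance in binary data
                finding["reasons"].append("PE (MZ) header inside native data")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_rtf(SAMPLE_RTF):
        print(f"{f['class_name'] or f['rtf_class']} {f['embedded_name']!r}: {'; '.join(f['reasons'])}")
```

A mail gateway can reject or quarantine any RTF attachment for which `scan_rtf` returns a Packager finding, since legitimate receipts have no reason to carry an embedded executable.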

Ground Zero Summit 2013 - Asia’s largest Information Security Summit Kicks off in New Delhi

New Delhi, November 07, 2013: In an attempt to generate information security awareness and combat sophisticated threats that the country is facing in cyber security domain, the “Information Security Consortium” - an independent apex body and an outcome of an alliance between industry and Government of India kicked off Ground Zero Summit 2013 at Hotel Ashok, New Delhi today.


The inauguration speech was given by Dr. Rajagopala Chidambaram, Principal Scientific Advisor to the Govt. of India, and the special address was made by Mr. Pratyush Kumar, Chairman, National Council on Cyber Security, ASSOCHAM. Special keynotes were given by Dr. S.K. Nanda, Additional Chief Secretary, Home, Government of Gujarat; Dr. Gulshan Rai, National Cyber Security Coordinator and Director General, CERT-In, Government of India; and Mr. Muktesh Chander, IPS, Joint CP, Delhi Police. Shantanu Ghosh, VP and MD, India Product Operations, Symantec Corporation, delivered an executive keynote on cyber readiness challenges. A special note was given by Chief Guest H.E. Shekhar Dutt, Governor of Chhattisgarh.

Day 2 will witness Keynote by Dr. Nirmalijeet Singh Kalsi, IAS, Joint Secretary (Police) – II, Ministry of Home Affairs, Government of India; Capt. P Raghu Raman, CEO, NATGRID and John McAfee, Original founder, McAfee.

The two day conference will take a holistic view of the Information Security landscape in Asia and will examine various issues related to it. It also focuses on the Information Security challenges emerging on the horizon and looks at finding ways in which enterprises, service providers and government can overcome challenges. The vision of the Summit is to guide the development of next generation cyber security policies and technology, to bring about changes in the current process, involve all affected industries and form the largest PPP in this domain.


Ground Zero Summit is a result of collaboration between different security conferences in the country that have joined hands to create a massive platform for cyber security research, technology showcase and policy creation and amendments. Ground Zero Summit in its debut year has emerged as the largest collaborative platform in Asia for this. It has proved to be Asia’s largest Information Security gathering for industry experts converging private and government players, to bring across issues in information/cyber security space, which is being presented, debated and deliberated over four days - two days of technical conference, followed by two days of hands-on technical workshops on information security. G0S will be a triple track conference with papers, demos and presentations focusing on the key areas concerning Information Security.

Some of the key focus areas at the event were:

  • Cyber readiness challenges
  • Cloud Security: Enabling continuous, scalable security for today’s hyper connected world
  • Exploring accuracy and correctness of modern network defence products
  • Towards a next generation secure Internet
  • Evolution of network security around Software Defined Networking (SDN) – The intelligent network
  • Internet – Transforming terrorism
  • Surveillance, privacy and cyber espionage, in the aftermath of PRISM

The summit is a result of an industry - government alliance in this domain, and a collaborative effort between the four major cyber security conferences in the region viz. ClubHack, c0c0n, Malcon, nullcon and InfoSec research firm INNEFU. The summit will be executed by UBM India Pvt Ltd, a leading player in the live media space and the largest trade exhibition organizer in India responsible for over 20 large scale exhibitions.

India to prepare Army of Reverse Engineers to Counter Cyber Attacks

National Security Database, an initiative of Information Sharing and Analysis Center (ISAC) in association with Ground Zero Summit 2013,  organized a Seminar on Reverse Engineering in New Delhi. The Seminar was organized to identify and create the need for the most credible and valuable Information Security professionals in India, especially in Reverse Engineering, to protect the National Critical Infrastructure and economy of the country.


The Seminar touched upon the growing need for reverse engineers in the country to counter cyber attacks and piracy. As the $100 billion information technology industry seeks to chart a new course by fostering software product companies, reverse engineering is set to become a promising field for jobs in the IT and software development sector.

According to NSD, there are less than 5,000 Reverse Engineering experts currently in India. NSD in collaboration with various Academic Institutions across India aims to increase the number of Reverse Engineering professionals in the country to 1 lakh by 2015, through training and awareness.


National Security Database has joined hands with Ground Zero Summit (G0S) 2013 and is promoting Asia’s largest Information Security Summit (G0S) scheduled to take place from 7-10 November, 2013 at The Ashok, New Delhi.


Speaking at the Seminar, Mr. Rajshekar Murthy, Director, National Security Database, said “Hacking has become a growing threat to Indian IT industry. Some recent data theft cases by hackers has made India's $100 billion IT industry a primary target. The acute shortage of Reverse Engineering professionals will further hit the IT industry and the economic loss will grow exponentially due to piracy and insecure coding.”


“Today, reversing techniques are used for 'studying' viruses and malwares to help catch the criminals, create 'patches' to clean the viruses from computers and mobiles and also test closed systems and technologies for quality assurance and security vulnerabilities. Reverse engineering experts are immensely useful in the intelligence and defence sector for offensive research such as exploit development and embedded systems security. Companies can also hire reverse engineering experts to oversee security aspects during product design stage and protect their software from being copied or have security issues”, further added Murthy.

National Security Database has developed intensive and in-depth Reverse Engineering boot-camps, offered by Information Sharing and Analysis Center (ISAC) approved partners. The program helps engineers understand different aspects of application security, learn anti-cracking techniques and create secure code for internal use that cannot be easily hacked. Through these programs the engineers also learn different approaches to reverse engineering and application security, gaining a strong foundation for dealing with new malware and the expertise to analyze it.

Want to be a World Record Holder? Come to E-Hack


Ever had a dream of becoming a World Record Holder? We are giving you an opportunity of a lifetime; Be a part of it and don’t repent later! All you need to do to become a world record holder is to be part of the largest information security workshop E-HACK.

E-HACK is an information security workshop organized by infySEC. The workshop aims at creating awareness about INFORMATION SECURITY by showing all the ways in which information or data can be stolen. Meddle in cyber-warfare, battle with our machine mastermind who will throw challenges on web application security, network security, algorithms, reverse engineering and decryption. The team which cracks the final level will attain the glory of being Winner at our E-HACK Guinness record attempt, with tons of prizes waiting. "Be simple but not simpler" is the famous quote by Einstein, and that’s the secret of success for E-HACK.

Heard of CTF (Capture the Flag)? We are going to have an online CTF where you will have to showcase your skills in bypassing security systems to claim top honors. The only way to know how to protect our information is by knowing the ways in which it can be stolen. So we’ll be having a wide range of discussions on all the ways a HACKer can get his hands on your information and all the ways you can thwart him.

Capture the Flag (CTF) is a real time scenario game. You’ll be given a scenario which will require you to HACK into a server/site. There will be multiple levels and you have to progress through each level by HACKing through it. For instance the first level will need a password to enter, so you’ll have to identify the password and progress to the next level. It’s not going to be straight forward like this, it’s just an example. With a total of 50 levels, the team/person which cracks the maximum number of levels within the time limit, will be announced the winner.

The first couple of levels are bound to be easier because of the training provided throughout day 1, but in the later levels you’ll be facing things which you might’ve never faced before like a combination of HACKs for instance. There will be a live leader board which will be reflecting the performance of each and every team. That will heat up the contest more. Amidst all this, social engineering is totally allowed and please do have fights but only online! Use of fists not allowed!!

Be prepared for a jaw dropping, entertaining and educative learning experience. This is a great networking opportunity for the security enthusiasts and ethical HACKers across the country to have intense knowledge sharing sessions. Apart from that, live demonstration, hands on experience on the latest tools, capture-the-flag competition and various other technologies will enable you to discover and contribute to make the world a secure place to live in.

E-HACK is a 2 day event. Starts on 27th July 2013(Saturday) and ends on 28th July 2013(Sunday) at Velammal Engineering College, surapet, Chennai. The first day will begin with the registration at 08.00 followed by breakfast for all. After breakfast, the keynote of the event will delivered and the instructions, rules and regulation of the event will be explained. Then the Record Clock will be officially setup at 09.59 and after that the training begins. The participants will be trained in the various aspects of HACKing by industrial experts. The training ends after lunch at 19.30. The registration for the event will be closed and the registration for the CTF will start after dinner at 20.00. Overnight CTF starts around 21.00 with live scoreboard which will constantly track which team is leading. The entire night will be activity filled.


The game will continue into the second day and will end by 09.00 (Don’t even think about sleep!! We bet you can’t!). After this point the CTF can’t be attempted. The experts will give CTF demos after it ends and explain all the levels. The clock stops at 10.30, with which E-HACK comes to an end. After 10.30 every single person in that room will be a record holder. Ain’t that cool? After the CTF closes, the experts and our eminent speakers will address the gathering on information security. Results of the CTF are announced at 10.50 and grand prizes are distributed. The entire event comes to an end at 11.00.

The event is going to be graced with the presence of various eminent personalities and industrial experts who will share their views and thoughts about information security. We are going to have Mr. Shiva Ayyadurai, Inventor of Email Technology; Mr. Patrick Martinent from the Google Development team, India; Dr. Prateep Phillips, ADGP of the Cyber Crime Branch Division, Chennai; Dr. Santhosh Babu, IAS, Commissioner, Indian Medicine; Mr. Santhosh Srinivasan, Ex-Director of Symantec; and Mr. Karthikeyan, Business Consultant and Innovation Expert, as speakers for this 2 day extravaganza.

As far as the eligibility for the event is concerned, if you have been to high school and have huge interest to showcase your skills or interested in learning new things, you can be a part of E-HACK. Just bring a laptop with a decent internet connection.

Can’t come down to Chennai to be a part of the event but have a huge group of enthusiasts? No worries, physical barriers are no excuse for not being a part of the event. Collect the group, contact us and be an Organiser of E-HACK Xtended in your own locality. You can have a live webinar and, what’s more, you can also be a part of the CTF and a part of history.

This event, E-HACK, is going to be the largest ever workshop on information security in 2013. Along the way, we are also attempting some records. MICROSOFT holds the record for the most participants in a software development marathon in a single location, with a head count of 2567 participants. We are going to beat that record by having 3000+ participants in a single venue.

This event is going to be an attempt at a record, in The Indian Book of Records, The Asian Book of Records and The Guinness Book of World Records, as the event with the largest number of participants in an information security workshop. Don’t be a part of History; Create History, with us!

The event also aims at helping people grow along with us. Any company that wants to have a product launch or expand their business can become an event sponsor and have a huge reach. The brand value and image of the sponsors can be easily boosted, as they have a chance to publicize themselves among the 3000+ students participating in the event. Apart from this, we also have a huge online following, so your brand can have viral publicity. Imagine a reach of a 3000+ target audience overnight! That’s what we are offering you!

REGISTRATION FOR THE EVENT IS FREE

P.S: World renowned web security experts will be watching you at E-HACK; who knows, you might end up working for them. Prove your potential.

Do you wish to organize E-HACK Xtended at your institute? Then

Contact: enquiry@infysec.com

Contact Numbers:
Chetan (+91) 44 26202634
Gary (+91) 44 26202637
Gary (+91) 9952054575
S. Prabhu Ebenezer (+91) 7305633561
Murali Ramakrishnan (+91) 8056205286

Disclosing Security vulnerabilities in India


Security researchers usually disclose vulnerabilities openly on the internet, as in full disclosure. But most often the researchers don’t realise that this is illegal, can be punished by law under the IT Act and other IPC sections, and can have fatal consequences.

When a researcher detects a vulnerability, he often reports it to the company, but most often the companies don’t reply to his message. If the company is not interested in taking action, the researcher feels that disclosure is in the greater interest of national security/public security.

He can send the vulnerability report again to the company and send a copy to CERT-In (central emergency response team). Most often CERT-In responds to the hacker/researcher, and they also contact the company and advise them to fix it. There is no proper format for reporting; it would be nice if the government could come up with a framework that allows a proper vulnerability disclosure policy.

If the company does not fix it, the researcher can wait for a month’s time before disclosing it fully to the community through media (online and offline), also offering proof that he communicated enough with the company and with CERT-In before releasing it.

However, does this protect the researcher from prosecution? If the victim company decides to go the legal route, the researcher can be prosecuted for publishing the vulnerability.

Some incidents have been seen where hackers work for a company and, because of various problems they had with the company, get involved in revenge hacking. If a crime has premeditation or pre-planning, the crime is considered serious under any law. Such actions are totally illegal.

Many companies like FB and Google offer bounties to hackers, and bugs can be reported to these companies. However, if the companies don’t act on these vulnerabilities, they can be reported to CERT-In and then publicly.

The law does not protect the reporter of the vulnerability. It becomes the responsibility of the hacker/researcher to prove that he did it for the greater social good (which could mean a lot of headache with the law). If the government does not come up with a proper framework, it is going to drive hackers to report vulnerabilities anonymously, fearing prosecution by the police (with the victim company complaining).

What happens to hackers who publish the vulnerability openly without going to CERT-In and the companies? They do it, of course, to get fame, or they really did not want it fixed. Most companies will view these hackers as someone who is not reliable due to their poor full-disclosure practice and won’t hire them for anything important. They lose the opportunity.

It is recommended that proper reporting is followed: first to the company that is the victim, followed by reporting to CERT-In, giving them enough time to fix. Only if the vulnerability can affect the public at large and no action was taken should the other option of full disclosure be considered.

Author: J Prasanna, Founder, Cyber Security & Privacy Foundation

Yahoo! Blind SQL Injection could lead to data leakage


It seems that 2013 is the "Data Leakage Year"! A lot of customer information and confidential data has been published on the internet, coming from government institutions, famous vendors and companies.

Ebrahim Hegazy (@Zigoo0), an Egyptian information security advisor who found a high severity vulnerability in the "Avira license daemon" days ago, is in the news again, this time for finding and reporting a Blind SQL Injection vulnerability in one of Yahoo!’s e-marketing applications. SQL Injection vulnerabilities are ranked as critical because, if used by attackers, they cause a database breach that leads to confidential information leakage.

A time-based blind SQL Injection web vulnerability was detected in the official Yahoo! TW YSM Marketing Application Service. The vulnerability allows remote attackers to inject their own SQL commands to breach the database of the vulnerable application and get access to the users’ data.

The SQL Injection vulnerability is located in the index.php file of the soeasy module when processing requests with a manipulated scId parameter. By manipulating the scId parameter, attackers can inject their own SQL commands to compromise the web server application’s DBMS.

The vulnerability can be exploited by remote attackers without a privileged application user account and without user interaction. Successful exploitation of the SQL injection vulnerability results in compromise of the application and the application service DBMS.
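The defect class above (a request parameter such as scId spliced into SQL text) and its fix are easier to see side by side. The following is an added example written for this page, not code from Yahoo!'s application (which was PHP); it models the pattern in Python with an in-memory SQLite table, and the table, rows, and access-log lines are constructed sample data. SQLite has no sleep function, so the timing channel of a time-based blind injection is not reproduced; the example instead shows that concatenated input changes the query's meaning, that parameter binding plus type validation prevents it, and how a defender can flag requests whose scId is not a plain integer in web server logs (assuming, as is plausible for an id parameter, that scId is meant to be numeric).

```python
"""Vulnerable vs. hardened handling of a numeric request parameter (scId).

Added example for this article, modelled in Python/SQLite; the real
application was PHP. The schema, rows and log lines are constructed.
"""
import sqlite3
from urllib.parse import parse_qs, urlsplit


def make_db() -> sqlite3.Connection:
    """Build an in-memory table standing in for the application's data (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE campaigns (scId INTEGER PRIMARY KEY, owner TEXT, budget INTEGER)"
    )
    conn.executemany(
        "INSERT INTO campaigns VALUES (?, ?, ?)",
        [(1, "alice@example.test", 500),
         (2, "bob@example.test", 900),
         (3, "carol@example.test", 120)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, sc_id: str):
    """The defect: the raw parameter becomes part of the SQL text.

    Any input containing SQL syntax changes the query the database sees;
    that is what makes boolean- and time-based blind injection possible.
    """
    sql = "SELECT scId, owner FROM campaigns WHERE scId = " + sc_id  # concatenation: bug
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, sc_id: str):
    """The fix: validate the parameter's type, then bind it as a query parameter.

    The value is never interpreted as SQL, so it cannot alter the query.
    """
    if not sc_id.isdigit():
        raise ValueError("scId must be a positive integer")
    return conn.execute(
        "SELECT scId, owner FROM campaigns WHERE scId = ?", (int(sc_id),)
    ).fetchall()


def demo() -> dict:
    """Run both lookups on a normal and a tampered value (constructed inputs)."""
    conn = make_db()
    normal = "2"
    tampered = "2 OR 1=1"  # changes the WHERE clause when concatenated
    results = {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_tampered": lookup_vulnerable(conn, tampered),  # returns every row
        "hard_normal": lookup_hardened(conn, normal),
    }
    try:
        lookup_hardened(conn, tampered)
        results["hard_tampered"] = "accepted"
    except ValueError:
        results["hard_tampered"] = "rejected"
    return results


# Constructed access-log lines in a common-log-like shape (not real Yahoo! logs).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Mar/2013:10:00:01 +0000] "GET /soeasy/index.php?scId=12 HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Mar/2013:10:00:02 +0000] "GET /soeasy/index.php?scId=12%20OR%201%3D1 HTTP/1.1" 200 9120',
    '198.51.100.7 - - [01/Mar/2013:10:00:03 +0000] "GET /soeasy/index.php?scId=7 HTTP/1.1" 200 500',
]


def flag_requests(log_lines) -> list:
    """Detection angle: return request paths whose scId is not a plain integer.

    Assumes scId is meant to be numeric; anything else is worth a closer look.
    """
    flagged = []
    for line in log_lines:
        try:
            request = line.split('"')[1]  # text between the first pair of quotes
            path = request.split()[1]     # "GET <path> HTTP/1.1" -> <path>
        except IndexError:
            continue                      # malformed line, skip it
        params = parse_qs(urlsplit(path).query)  # percent-decodes the values
        for value in params.get("scId", []):
            if not value.isdigit():
                flagged.append(path)
    return flagged


if __name__ == "__main__":
    print(demo())
    print(flag_requests(SAMPLE_LOG))
```

The hardened lookup rejects anything that is not digits before the query is even built, and the bound parameter would keep the query intact even if that check were loosened; the log check gives a SOC a cheap first-pass signal for the same parameter.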

But Ebrahim is a white hat hacker, so he reported the vulnerability to the Yahoo! security team with recommendations on how to patch the vulnerability.

According to Ebrahim, the time line of the vulnerability was:
================
2013-02-24:    Researcher Notification & Coordination
2013-02-25:    Vendor Notification
2013-03-01:    Vendor Response/Feedback
2013-04-01:    Vendor Fix/Patch by check
================

More details about the vulnerability could be found here:
http://www.resecure.me/public/Yahoo-TW-YSM-BSQLI.txt

As most readers know, Yahoo! does not have a bug bounty program or a Hall of Fame, so as a reward to researchers who find vulnerabilities in Yahoo! applications, Yahoo! sends them T-shirts with the Yahoo! logo and some other tokens. The researcher told us that he received a package from Yahoo! containing 2 T-shirts and a big cup as a reward.