Yahoo to the rescue of forgetful users with "on-demand password"

Passwords are not meant to be remembered. It is meant to be generated fresh, every time you forget it.

This is what Yahoo seems to think as the company just introduced an on-demand password system.

The system works like this: After signing into the Yahoo account one has to select Account security from the account information page and opt-in for “On-demand passwords”. Then one has to enter the phone number where Yahoo sends the verification code and after entering this code one never has to worry about memorizing passwords ever again.

It can be argued that the move away from default passwords is welcome as password theft is very common now a days but some feel that the privacy is being sacrificed because anybody with access to the phone for even a few seconds has the potential to read through all your communication.

But the fact remains that peril of default passwords had been dealt well with the two step authentication process; whereby if one logs in from a new device, in addition to the password one is asked for a code that has been sent to the associated mobile number. A move to completely eliminated the first step seems to be inclining towards laxer cyber-security norms.

At a time when Google tries to put one in panic mode by notifying what happens if you forget your password and repeated reports of security breaches makes one paranoid, the move from Yahoo to eliminate passwords has invited mixed reactions.

Presently, it is available only to US users.

While the effort is in the right direction to deal with password security issues by closely connecting the virtual and real identities, the approach adapted seems to be fallacious.

Web users exposed to "FREAK" attack

SSL/TLS breached

Newly discovered security vulnerability in the SSL/TLS protocol, dubbed as “FREAK” poses potential risks for millions of people surfing the web on Apple, Google and Microsoft browsers.

A whole range of browsers including Internet Explorer, chrome for Mac OS and Android , Apple browsers and about 12% of popular websites like,, have been found to be vulnerable.

The flaw would allow a “man in the middle” attack which can downgrade security of connections between vulnerable clients/servers by tricking them into using low strength “export grade RSA” , thus rendering TLS security useless.

This 512 bit export grade mode of cryptography can then be easily cracked to compromise the privacy of users, by stealing passwords and other personal information. Larger attacks on the Web sites could be launched as well.

Computing power worth 100 dollars and seven hours is all that is required for a skilled code breaker to crack it.

The flaw was exposed by a team of researchers at INRIA and Microsoft Research who named it as “FREAK” for Factoring attack on RSA-EXPORT Keys.

The “export grade” RSA ciphers resulted from the 1980s policy of the US government which required US software makers to use weaker security in encryption programs which were shipped to other countries. It was meant to facilitate internet eavesdropping for intelligence agencies to monitor foreign traffic. These restrictions were lifted in the late 1990s, but the weaker encryption got wired into widely used software that percolated throughout the world and back into US.

Christopher Soghoian, principal technologist for the American Civil Liberties Union said, “You cannot have a secure and an insecure mode at the same time… What we’ve seen is that those flaws will ultimately impact all users.”

This reveals that a weaker crypto-policy ultimately exposes all parties to hackers and serves a strong argument against the recent requests of the US and European politicians to enable new set of backdoors in established systems.

Apple said its fix for both mobiles and computers will be available next week and Google said it has provided an update to device makers and wireless carriers.

For web server providers , the way ahead entails disabling support for all export cipher and known insecure ciphers.

A full list of vulnerable sites is available here.

Wired website blocked by Google Chrome

Official website of popular American magazine Wired has been blocked by Google and Chrome.  Users who tries to access few urls of wired are getting a warning message saying "This site may harm your computer".

We tried to access from Google search result, there was no warning message for home page.  However, when i tried to access the '', i was presented with Malware warning page.

"Hey folks, we had a brief technical issue this morning, but it's fixed. Thanks to those of you who brought it to our attention." Wired tweeted regarding the issue.

It is unclear what they mean by 'technical issue' and how come Google has blocked the website.  At the time of the writing, visitors are still presented with the malware warning message.  Wired says it is waiting for Google chrome to remove the warning.

Users targeted with large number of Spam mails containing Banking Trojan

A new massive spam campaign has been spotted by security researchers at AppRiver which sends large amount of spam mails to data centers in an effort to evade Email-filtering engines.

AppRiver's data centers received 10 to 12 times normal traffic.  Even though AppRiver managed to block the spam mails, tremendous volume of traffic caused some of its customers delays in sending and receiving emails.

CyberCriminals are targeting users with large amount of emails with varying premise.  One of the spam mails is targeting Bank of America customers.  A fake alert message pretending to be from Bank of America contains a Bredo malware.

Researchers say the malware is capable of recording the keystrokes and steal financial information.  It has also capabilities to do download additional malware on the victim's machine.  The spam mails reportedly detected only by 11 out of 51 antiviruses.

Another mail analyzed by AppRiver is pretending to be from "VISA/MasterCard" and informs recipients that their account has been blocked due to unusual activity.

Some of the malicious attached files have pointed to Andromeda botnet and some other pointing to Bredo Botnet.  This botnet activity being referred as TidalWave/TidalBotnet by AppRiver.

One of the largest Botnet "Sirefef" disrupted by Microsoft

Microsoft teamed up with law enforcement agencies and A10 Networks has disrupted one of the world's largest Botnet "ZeroAccess" that defrauded online advertisers.

ZeroAccess also known as Sirefef is a notorious malware which makes money for cyber criminals through Click fraud - Hijacking victim's search results and generating fake clicks on ads. It also installs Bitcoin miners in the infected machines.

Victims usually get infected by the ZeroAccess through drive by download attacks.

The malware has reportedly infected more than two million computers. It costs online advertisers around $2.7 million per month.

David Finn, executive director and associate general counsel of the Microsoft Digital Crimes Unit said the disruption "will stop victims’ computers from being used for fraud and help us identify the computers that need to be cleaned of the infection"

Microsoft said the action will not "fully eliminate the ZeroAccess botnet due to the complexity of the threat". However, it will significantly disrupt the botnet's operation and will bring loss of revenue for the cyber criminals who behind the ZeroAccess.

Used memory sticks being sold online contains sensitive Government data

Selling an used memory sticks often pose an information security risk-  We might be thinking that we completely erased the data from it, but it is possible to recover the files that are not properly deleted with the help of some tools.

A recent study found that "old memory sticks" being sold online contain sensitive Australian Government data.

The research paper which is to be presented at a cyber security conference in Perth reveals how researchers discovered the confidential Government data while they are researching the used memory sticks, The Australian news reports.

The study found that sellers are sending memory cards without properly erasing the data. The recovered data not only contains a personal info but also appears to be information belong to Australian government.

"It is evident that actions must be taken by second hand auction sites, and the media to raise awareness and educate end-users on how to dispose of data in an appropriate manner," the study says.

AutoCAD malware opens gateway for cybercriminals

Security Researchers at Trend Micro have discovered a new and rare type of malware which is disguised as a legitimate Autocad component with '.FAS' extension.

The malware opens up infected machines to exploits. It first creates user account with admin privileges and then creates network shares for all drives in the victim's machine.

It also opens the ports 137 to 139 (ports known for NetBIOS service) and 445 is used for Microsoft-DS SMB file sharing service that provides access to files, printers, serial ports .

The open ports can be abused by cybercriminals for exploiting old SMB based vulnerabilities.

It appears the attacker created admin account for the sake of making his "access" to the system is easy so that he doesn't need to crack password for existing accounts or remotely create one.  

The attacker can now easily steal all files from the infected machines.  He can also infect the target machine with any other data stealing malware.

Cyber Society of India wants to Ban Ethical Hacking course in India- Compares hackers to rapists

I was totally shocked when i heard the words came out from the President of Cyber Society of India( on local channel "Puthiya Thalaimurai'. The local channel covered a story about Ethical Hacking.

He told in the Puthiya Thalaimurai's interview that "Ethical hacking" is like ethical rape.  He asked "how one can claim it is legal by adding 'Ethical' word in front of Hacking".

He also added that "We are not doing rape in order to prevent rapes. Then, why we should do ethical hacking to prevent hacking?". 
It is ridiculous to compare ethical hackers with rapists. 

Here is Puthiya Thalaimurai's video covering Ethical Hacking (Tamil):

"I will say ban Internet, no Internet no Hacking we all will be safe. Even Pollution is increasing so shall we stop breathing????? " One hacker commented . " What I understand from my side is you should increase Cyber Forensics Courses so that we get good investigators."

"If you have good Cyber Forensics Investigators the crime rate will go down, and only those people will get enrolled to even Ethical Hacking Course who have good ethics as they know that if thet go wrong they will be arrested."

Yes, i agree with what hacker said.  An Ethical Hacking course with a cyber laws always produce a good ethical hackers.  We can't just simply ban ethical hacking course as India need more Ethical Hackers/PenTesters.  We just need to teach them cyber laws as well.

 "This is one of the most ridiculous discussions I have ever seen. Now guys will come and say don’t teach programming they will write virus" One cyber security expert comment.

"There is a great demand for “ethical” hackers all over the world and they are required to make cyber world secure. As its said in movie Spiderman “with great powers come great responsibilities” and should make kids understand the responsibilities associated with this great art."

India to prepare Army of Reverse Engineers to Counter Cyber Attacks

National Security Database, an initiative of Information Sharing and Analysis Center (ISAC) in association with Ground Zero Summit 2013,  organized a Seminar on Reverse Engineering in New Delhi. The Seminar was organized to identify and create the need for the most credible and valuable Information Security professionals in India, especially in Reverse Engineering, to protect the National Critical Infrastructure and economy of the country.

The Seminar touched upon the growing need of Reverse Engineers in the country to counter cyber attacks and piracy. As the $100 billion information technology industry seeks to chart a new course by fostering software product companies, Reverse Engineering to become a promising field for jobs in the IT and software development sector.

According to NSD, there are less than 5,000 Reverse Engineering experts currently in India. NSD in collaboration with various Academic Institutions across India aims to increase the number of Reverse Engineering professionals in the country to 1 lakh by 2015, through training and awareness.

National Security Database has joined hands with Ground Zero Summit (G0S) 2013 and is promoting Asia’s largest Information Security Summit (G0S) scheduled to take place from 7-10 November, 2013 at The Ashok, New Delhi.

Speaking at the Seminar, Mr. Rajshekar Murthy, Director, National Security Database, said “Hacking has become a growing threat to Indian IT industry. Some recent data theft cases by hackers has made India's $100 billion IT industry a primary target. The acute shortage of Reverse Engineering professionals will further hit the IT industry and the economic loss will grow exponentially due to piracy and insecure coding.”

“Today, reversing techniques are used for 'studying' viruses and malwares to help catch the criminals, create 'patches' to clean the viruses from computers and mobiles and also test closed systems and technologies for quality assurance and security vulnerabilities. Reverse engineering experts are immensely useful in the intelligence and defence sector for offensive research such as exploit development and embedded systems security. Companies can also hire reverse engineering experts to oversee security aspects during product design stage and protect their software from being copied or have security issues”, further added Murthy.

National Security Database has developed Intensive and in-depth Reverse Engineering Boot-camps offered by Information Sharing and Analysis Center (ISAC) approved partners. The program helps engineers to understand different aspects of application security, learn anti-cracking techniques and to create secure code for internal use that cannot be easily hacked. Through these programs the engineers also learn different approaches for Reverse Engineering and Application to get a strong foundation in dealing with new Malwares and gain expertise to analyze it.

Grab Your tickets Now! Defcon Bangalore Information Security Meet 2013

We invite you to the Defcon Bangalore 2013 Meet.  Defcon Bangalore is information security meet that you should not miss- The place where top Indian security researchers gather to share their knowledge.

The meet is going to be organized on coming Saturday, August 17th 2013 - The day that will give a chance for you to meet the WhiteHat hackers.

The reason why we mentioned this meet shouldn't be missed is that there are hackers from Brazil going to give a talk on "SCADA Exploitation".

Final list of Speakers:
  • Himanshu Sharma – Planning to rob someone? Here is an easier way
  • Ajin Abraham – Pwning with XSS reverse Shell
  • Dr. Daniel Singh – Tracing the Ghosts of Cyber World
  • Manas Prathim Sharma – IUTM
  • Francis Alexander – Abusing LFI-RFI with a twist
  • Aditya Gupta and Subho Halder – Droid Exploitation
Don't Miss the Training sessions.  Security researchers are going to give a training on several interesting topics on Information Security.

Training Track Sessions By
  • Aditya Gupta and Subho Halder on Droid Exploitation
  •  Bitcoins – Suriya Prakash
  • Deep Web – The TOR network – Nikhil P Kulkarni
  • Sabari Selvan on Exploit code writing
  • Hacking Hardwares with Raspberry Pi – Yashin Mehboobe
Book your tickets at:

You can find more details at

    Twitter finally introduces Two-step authentication to prevent account hacks

    Here we go, Twitter finally introduced the most anticipated security feature "Two-Step authentication" that prevents hackers getting access to your twitter accounts.

    The recent cyberattacks from Syrian Electronic army(SEA) forced the twitter to enable the 2-step verification feature.

    The SEA is the syrian hacker group who recently hijacked the high profile twitter accounts including accounts of Guardian , Telegraph, FT, AP and more via Social engineering attack(Phishing).

    Once i said, the only feature that can stop the Syrian Electronic army is 2-step verification :

    Thank you twitter for enabling this feature.

    What is exactly 2-step Authentication?
     Though i have already explained about this in my previous articles, i would like to explain one more time in this article.

    "2-step authentication is a security feature that prompts you to enter a temporary password sent to your phone whenever you log into your account."

    So how to enable this security feature?

    • Go to page
    • Scroll to the bottom of the page , there you can find the "Account security" option.  
    • Select the option and follow the instructions 

    Dorkbot malware spy on Facebook users' browser activities

    Security researchers from Bitdefender Labs have spotted a new variant of the Dorkbot malware that targets Facebook users , spreading through the social network's internal chat.

    Dorkbot is a IRC based worm that spreads via instant message programs, social networks that can steal login credentials and blocks security updates.

    The malware has been uploaded with '.JPG' extension in file sharing website mediafire. Once the malware compromised the victim's system, it sent links to the malware to the victim's friends via chat service, according to Computer world report.

    Researchers said the malware is capable of spying on users’ browsing activities and stealing their personal details.Bitdefender discovered links to the malware circulating in the United States, India, Portugal, the UK, Germany, Turkey and Romania.

    Alleged leader of LulzSec hacking group arrested by Australian Police

    The Australian Federal Police(AFP) has reportedly arrested a 24-year-old self-proclaimed leader of LulzSec hacking group.

    The arrest comes few days after the LulzSec member was jailed for the SQL Injection attack that allowed him access to the Sony Pictures Entertainment site.

    According to the ABC news report,the AFP says the investigation began less than two weeks ago when investigators found a government website had been breached.

    The report didn't reveal the man's identity who has been charged with the two counts of unauthorised modification of data to cause impairment and one count of unauthorised access to a restricted computer system.

    Another OAuth Vulnerability allowed to hack facebook accounts

    Just a few weeks ago Nir Goldshlager released a OAuth vulnerability on Facebook. A security researcher Amine Cherrai has also found similar vulnerability on facebook that allowed hackers to get the access_token and full permissions of any account on facebook.

    "As you may know, last month Facebook has closed many bugs leading to security reinforcement of  'redirect_uri' parameter and prevent hijacking attacks. One of these reinforcement were rejecting all   'redirect_uri' that has '#' or  '#!'." Researcher wrote in his blog.

    "While I was looking in the Facebook Javascript SDK I found something strange, I found that it uses” as  aredirect_uri and it’s not rejected… So I said let’s use it too!!!"

    Amine successfully generated a poc that redirects to another facebook page with the access token.  But he faced some problem while redirecting to external website.

    Nir Goldshlager helped Amine by suggesting to redirect to an application in facebook then the application redirects to an external website instead of redirecting directly to an external website. After following the instructions from Nir Goldshlager, he successfully manged to generate a final redirect_uri.

    POC video

    Facebook has learnt from its previous lessons and is now fixing vulnerabilities as soon as somebody reports them,this Vulnerability has already been fixed. boosts security with Two Step authentication , a blog web hosting service provided, announced that they have enabled Two-step authentication feature to keep your blogger account secure.

    Two factor authentication is a security feature that prompts you to enter a temporary secret number sent to your phone whenever you log into your account.

    How to enable Two step authentication in Wordpress?
    To enable this feature, go to the new Security tab in your account settings, and go through the setup wizard.

    "We know your blog is important to you, and today we’re proud to announce Two Step Authentication: an optional new feature to help you keep your account secure." blog post reads.

    Failure To Restrict Url Vulnerability in Adobe exposes Internal data

    Information Security Researchers Parveen Yadav and Mayank Bhatodra have identified a critical security flaw in Adobe website that exposes the sensitive internal data of Adobe Systems Inc.

    Adobe uses an application called P4web which provides convenient access to versioned files through popular web browsers. Files can be viewed as icons or thumbnails and all standard operations can be performed in the browser.

    Unfortunately,  the Adobe fails to restrict the Perforce P4web web client being accessed by users , it results in exposing the internal data.

    For a security reasons, we are not providing the vulnerable link here.  The URL allows us to read the internal data including email IDs of Employees, Full Name. It also exposes the Internal system directory and computer names, Source codes.

    "An application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly." Researcher said.

    The researcher notified Adobe before few months but they failed to respond to them.  We have also notified Adobe about the vulnerability but there is no response from their side.

    Australia Central Bank infected by virus developed in China

    The Reserve Bank of Australia has been infected by a piece of malicious software that allegedly developed in China, Reuters report says.

    The bank was targeted by a suspicious emails purporting to be send from a senior bank staff member regarding "Strategic Planning FY2012 on November, 2011, according to Documents released by RBA.

    The cyber criminals embedded a link to virus payload instead of attaching the malware in the email. The link leads to a zip file that contains a Trojan , the antivirus used by the Bank fails to detect this malware.

    To Bypass the existing security controls, the cybercrimanl included a legitimate signature, plausible subject &content and had no attachments in the email.

    "It was also found that six users had clicked on malicious link , potentially compromising their workstations". the report noted.

    The Bank said the affected PCs didn't have local admin rights, this prevented the virus from spreading around the network.  Bank spokesperson told Reuters that nothing was stolen.

    Time Now Tv & Shiksha Official Websites Vulnerable To XSS Security Flaw

    An 21 Years Old Information Security Expert, Narendra Bhati(R00t Sh3ll The Untracable) From Sheoganj Rajasthan ,Who Recently Acknowledge By and also find Many Persistent XSS And One SQL Injection In A Bank Website has discovered a non-persistent XSS security flaw in the official website of,Times Of India, News Bullet Sub Domain Of Start News Channel.

    Narendra Says- Kailash Bhayya ,Ravi Sir & Sabari Sir This Is For You :-) is part of the group-Indias No.1 job portal. Other portals owned by our parent company Info Edge are,, and

    TIMES NOW( is a Leading 24-hour English News channel that provides the Urbane viewers the complete picture of the news that is relevant, presented in a vivid and insightful manner, which enables them to widen their horizons & stay ahead.

    In all these websites search fields are found to be vulnerable to the XSS injection.

    POC code for Times Of India Tv:"/><iframe+src=""+width="1000px"+height="1000px"></iframe>&srchcombo=1&x=0&y=0

    POC FOR :"/><iframe+src=""+width=1000+height=1000></iframe>&start=0&institute_rows=-1&content_rows=-1&country_id=&city_id=&zone_id=&locality_id=&course_level=&course_type=&min_duration=&max_duration=&search_type=&search_data_type=&sort_type=&utm_campaign=site_search&utm_medium=internal&utm_source=shiksha&from_page=homepage&autosuggestor_suggestion_shown=5
     Narendra also found that is also vulnerable to CSRF that allow attacker to change mobile no. of victim by a malicious web page .

    Narendra also claimed that he try a lot to contact these all website by email,facebook page etc. But they not replied him from 1 month. After this he decided to disclose this vulnerability and reported to EHN. 

    Paypal running out of Money in its Bug Bounty budget

    It seems like Paypal is running out of Money in its Bug Bounty budget.  Bug Hunters started to report that the Paypal stopped to give Bounties. 

    Recently, a security Researcher Mahadev Subedi discovered two xss vulnerabilities in one of the Paypal domain( and sent notification to PayPal.

    But Paypal responded "we have determined that these bugs are not eligible for payment based on the fact the website is in the process of being decommissioned and will be shut down in the near future."

    XSS vulnerability in Paypal-marketing
    Mahadev discovered Post-based Cross site scripting in the Two pages of Paypal-Marketing domain : 1.,  POCs for these vulnerabilities can be found here.

    Researchers say that Paypal is stopped to give bug bounty because they have paid a lot to low priority bugs.

     Bug Hunter Harsha Vardhan Boppana asked PayPal about this issue and they responded with this mail:

    Our second party hosted sites (www.paypal-*.com) are mainly marketing based sites that are not part of the core Paypal domains (* and are managed by hosting vendor companies. They do not retain as long a life cycle as the core domains and can have a more volatile timeline as many are tied to projects and regional initiatives. For your own reference, I have provided you a list of sites currently in process of being decommissioned and therefore not eligible for Bug Bounty processing.

    Sites to be decommissioned in coming months:

    Click based XSS vulnerability in Yahoo

    Today, Information Security Researcher QuisterTow come with interesting vulnerability finding in one of Top Search Engine website, Yahoo.

    There is a cross site scripting vulnerability resides in the domain.  The vulnerability is click based xss .  When i click the flash, it will display the xss code.

    Poc code: E Hacking News /);

    The above finding is really interesting one.  Just load the url and click in the flash content and it results in the code being executed.

    At the time of writing, the vulnerability is still there .