Wired website blocked by Google Chrome

The official website of the popular American magazine Wired has been blocked by Google and Chrome. Users who try to access a few URLs on wired.com are getting a warning message saying "This site may harm your computer".

We tried to access wired.com from a Google search result, and there was no warning message for the home page. However, when I tried to access 'wired.com/business/', I was presented with the malware warning page.

"Hey folks, we had a brief technical issue this morning, but it's fixed. Thanks to those of you who brought it to our attention," Wired tweeted regarding the issue.

It is unclear what they mean by 'technical issue' and why Google has blocked the website. At the time of writing, visitors are still presented with the malware warning message. Wired says it is waiting for Google Chrome to remove the warning.

Users targeted with a large number of spam mails containing a banking Trojan

A new massive spam campaign has been spotted by security researchers at AppRiver; it sends a large volume of spam mails to data centers in an effort to evade email-filtering engines.

AppRiver's data centers received 10 to 12 times their normal traffic. Even though AppRiver managed to block the spam mails, the tremendous volume of traffic caused delays in sending and receiving emails for some of its customers.

Cybercriminals are targeting users with a large number of emails with varying premises. One of the spam mails targets Bank of America customers: a fake alert message pretending to be from Bank of America carries the Bredo malware.

Researchers say the malware is capable of recording keystrokes and stealing financial information. It is also able to download additional malware onto the victim's machine. The spam mails were reportedly detected by only 11 out of 51 antivirus engines.

Another mail analyzed by AppRiver pretends to be from "VISA/MasterCard" and informs recipients that their account has been blocked due to unusual activity.

Some of the malicious attached files pointed to the Andromeda botnet and others to the Bredo botnet. This botnet activity is being referred to as TidalWave/TidalBotnet by AppRiver.

One of the largest botnets, "Sirefef", disrupted by Microsoft

Microsoft, teaming up with law enforcement agencies and A10 Networks, has disrupted one of the world's largest botnets, "ZeroAccess", which defrauded online advertisers.

ZeroAccess, also known as Sirefef, is a notorious malware which makes money for cyber criminals through click fraud: hijacking victims' search results and generating fake clicks on ads. It also installs Bitcoin miners on the infected machines.

Victims usually get infected with ZeroAccess through drive-by download attacks.

The malware has reportedly infected more than two million computers and costs online advertisers around $2.7 million per month.

David Finn, executive director and associate general counsel of the Microsoft Digital Crimes Unit, said the disruption "will stop victims' computers from being used for fraud and help us identify the computers that need to be cleaned of the infection".

Microsoft said the action will not "fully eliminate the ZeroAccess botnet due to the complexity of the threat". However, it will significantly disrupt the botnet's operation and cause a loss of revenue for the cyber criminals who are behind ZeroAccess.

Used memory sticks being sold online contain sensitive government data

Selling used memory sticks often poses an information security risk: we might think that we have completely erased the data, but files that were not properly deleted can be recovered with the help of some tools.

A recent study found that "old memory sticks" being sold online contain sensitive Australian Government data.

The research paper, which is to be presented at a cyber security conference in Perth, reveals how researchers discovered the confidential government data while researching used memory sticks, The Australian reports.

The study found that sellers are sending memory cards without properly erasing the data. The recovered data not only contains personal info but also appears to include information belonging to the Australian government.

"It is evident that actions must be taken by second hand auction sites, and the media to raise awareness and educate end-users on how to dispose of data in an appropriate manner," the study says.

AutoCAD malware opens gateway for cybercriminals

Security researchers at Trend Micro have discovered a new and rare type of malware which is disguised as a legitimate AutoCAD component with a '.FAS' extension.

The malware opens up infected machines to exploits. It first creates a user account with admin privileges and then creates network shares for all drives on the victim's machine.

It also opens ports 137 to 139 (the ports used by the NetBIOS service) and port 445, which is used by the Microsoft-DS SMB file sharing service that provides access to files, printers and serial ports.

The open ports can be abused by cybercriminals to exploit old SMB-based vulnerabilities.

It appears the attacker created the admin account to make his "access" to the system easy, so that he does not need to crack the passwords of existing accounts or create one remotely.

The attacker can now easily steal all files from the infected machines. He can also infect the target machine with any other data-stealing malware.
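A defender-side check for the behaviour described above, written as an added example (not Trend Micro's or this page's code): it correlates Windows Security events for a newly created local account (event 4720), its addition to a privileged local group (4732) and the creation of several network shares (5142) on the same host within a short window. The event records and hostnames are constructed sample data; the three event IDs are standard Windows Security log IDs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a flattened form (time, host, event_id, fields).
# Event IDs: 4720 = user account created, 4732 = member added to a
# security-enabled local group, 5142 = network share object added.
SAMPLE_EVENTS = [
    {"time": "2013-06-24T09:14:02", "host": "CAD-WS01", "id": 4720,
     "target": "svc_cadhelper", "subject": "jdoe"},
    {"time": "2013-06-24T09:14:03", "host": "CAD-WS01", "id": 4732,
     "target": "svc_cadhelper", "group": "Administrators", "subject": "jdoe"},
    {"time": "2013-06-24T09:14:05", "host": "CAD-WS01", "id": 5142,
     "share": r"\\*\C$", "path": "C:\\", "subject": "jdoe"},
    {"time": "2013-06-24T09:14:05", "host": "CAD-WS01", "id": 5142,
     "share": r"\\*\D$", "path": "D:\\", "subject": "jdoe"},
    # Benign: helpdesk creates an account and a share hours apart, no admin add.
    {"time": "2013-06-24T11:00:00", "host": "FS02", "id": 4720,
     "target": "intern01", "subject": "helpdesk"},
    {"time": "2013-06-24T15:30:00", "host": "FS02", "id": 5142,
     "share": r"\\*\Projects", "path": "E:\\Projects", "subject": "helpdesk"},
]

PRIVILEGED_GROUPS = {"Administrators"}
WINDOW = timedelta(minutes=10)


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%S")


def find_suspicious_hosts(events, window=WINDOW, min_shares=2):
    """Return {host: details} for hosts where an account was created, the same
    account was added to a privileged group, and at least `min_shares` shares
    appeared, all within `window` of the account creation."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    hits = {}
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        for created in (e for e in evs if e["id"] == 4720):
            start, end = _ts(created), _ts(created) + window
            # Same account granted privileged group membership in the window.
            admin_add = [e for e in evs if e["id"] == 4732
                         and e.get("target") == created["target"]
                         and e.get("group") in PRIVILEGED_GROUPS
                         and start <= _ts(e) <= end]
            shares = [e["share"] for e in evs if e["id"] == 5142
                      and start <= _ts(e) <= end]
            if admin_add and len(shares) >= min_shares:
                hits[host] = {"account": created["target"], "shares": shares,
                              "created_by": created.get("subject")}
    return hits


if __name__ == "__main__":
    for host, info in find_suspicious_hosts(SAMPLE_EVENTS).items():
        print(f"[ALERT] {host}: new admin {info['account']} created by "
              f"{info['created_by']}, shares {info['shares']}")
```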

Cyber Society of India wants to ban Ethical Hacking course in India, compares hackers to rapists

I was totally shocked when I heard the words that came out of the President of the Cyber Society of India (cysi.in) on the local channel "Puthiya Thalaimurai". The local channel covered a story about ethical hacking.

He said in the Puthiya Thalaimurai interview that "ethical hacking" is like ethical rape. He asked "how one can claim it is legal by adding the word 'Ethical' in front of Hacking".

He also added: "We are not doing rape in order to prevent rapes. Then why should we do ethical hacking to prevent hacking?"
It is ridiculous to compare ethical hackers with rapists.

Here is Puthiya Thalaimurai's video covering Ethical Hacking (Tamil):

"I will say ban Internet, no Internet no Hacking we all will be safe. Even Pollution is increasing so shall we stop breathing?????" one hacker commented. "What I understand from my side is you should increase Cyber Forensics Courses so that we get good investigators."

"If you have good Cyber Forensics Investigators the crime rate will go down, and only those people will get enrolled to even Ethical Hacking Course who have good ethics as they know that if they go wrong they will be arrested."

Yes, I agree with what the hacker said. An ethical hacking course together with cyber laws always produces good ethical hackers. We can't simply ban ethical hacking courses, as India needs more ethical hackers/pentesters. We just need to teach them cyber laws as well.

"This is one of the most ridiculous discussions I have ever seen. Now guys will come and say don't teach programming, they will write viruses," one cyber security expert commented.

"There is a great demand for "ethical" hackers all over the world and they are required to make the cyber world secure. As it's said in the movie Spiderman, "with great powers come great responsibilities", and we should make kids understand the responsibilities associated with this great art."

India to prepare Army of Reverse Engineers to Counter Cyber Attacks

National Security Database, an initiative of the Information Sharing and Analysis Center (ISAC), in association with Ground Zero Summit 2013, organized a seminar on reverse engineering in New Delhi. The seminar was organized to identify and create the need for the most credible and valuable information security professionals in India, especially in reverse engineering, to protect the national critical infrastructure and economy of the country.

The seminar touched upon the growing need for reverse engineers in the country to counter cyber attacks and piracy. As the $100 billion information technology industry seeks to chart a new course by fostering software product companies, reverse engineering is set to become a promising field for jobs in the IT and software development sector.

According to NSD, there are fewer than 5,000 reverse engineering experts currently in India. NSD, in collaboration with various academic institutions across India, aims to increase the number of reverse engineering professionals in the country to 1 lakh (100,000) by 2015 through training and awareness.

National Security Database has joined hands with Ground Zero Summit (G0S) 2013 and is promoting Asia's largest information security summit (G0S), scheduled to take place from 7-10 November 2013 at The Ashok, New Delhi.

Speaking at the seminar, Mr. Rajshekar Murthy, Director, National Security Database, said "Hacking has become a growing threat to the Indian IT industry. Some recent data theft cases by hackers have made India's $100 billion IT industry a primary target. The acute shortage of reverse engineering professionals will further hit the IT industry and the economic loss will grow exponentially due to piracy and insecure coding."

"Today, reversing techniques are used for 'studying' viruses and malware to help catch the criminals, create 'patches' to clean the viruses from computers and mobiles, and also test closed systems and technologies for quality assurance and security vulnerabilities. Reverse engineering experts are immensely useful in the intelligence and defence sector for offensive research such as exploit development and embedded systems security. Companies can also hire reverse engineering experts to oversee security aspects during the product design stage and protect their software from being copied or having security issues," Murthy further added.

National Security Database has developed intensive and in-depth reverse engineering boot-camps offered by Information Sharing and Analysis Center (ISAC) approved partners. The program helps engineers understand different aspects of application security, learn anti-cracking techniques and create secure code for internal use that cannot be easily hacked. Through these programs the engineers also learn different approaches to reverse engineering and application analysis, gaining a strong foundation in dealing with new malware and the expertise to analyze it.

Grab your tickets now! Defcon Bangalore Information Security Meet 2013

We invite you to the Defcon Bangalore 2013 Meet. Defcon Bangalore is an information security meet that you should not miss: the place where top Indian security researchers gather to share their knowledge.

The meet is going to be held on the coming Saturday, August 17th 2013, a day that will give you a chance to meet white-hat hackers.

The reason we say this meet shouldn't be missed is that hackers from Brazil are going to give a talk on "SCADA Exploitation".

Final list of Speakers:
  • Himanshu Sharma – Planning to rob someone? Here is an easier way
  • Ajin Abraham – Pwning with XSS reverse Shell
  • Dr. Daniel Singh – Tracing the Ghosts of Cyber World
  • Manas Prathim Sharma – IUTM
  • Francis Alexander – Abusing LFI-RFI with a twist
  • Aditya Gupta and Subho Halder – Droid Exploitation
Don't miss the training sessions. Security researchers are going to give training on several interesting topics in information security.

Training track sessions:
  • Droid Exploitation – Aditya Gupta and Subho Halder
  • Bitcoins – Suriya Prakash
  • Deep Web – The TOR network – Nikhil P Kulkarni
  • Exploit code writing – Sabari Selvan
  • Hacking Hardwares with Raspberry Pi – Yashin Mehboobe
Book your tickets at: http://www.meraevents.com/event/defcon-bangalore

You can find more details at http://defcon.cysecurity.org/

Twitter finally introduces two-step authentication to prevent account hacks

Here we go: Twitter has finally introduced the most anticipated security feature, "two-step authentication", which prevents hackers from getting access to your Twitter account.

The recent cyberattacks by the Syrian Electronic Army (SEA) forced Twitter to enable the two-step verification feature.

The SEA is the Syrian hacker group that recently hijacked high-profile Twitter accounts, including those of the Guardian, the Telegraph, the FT, the AP and more, via social engineering attacks (phishing).

Once I said that the only feature that can stop the Syrian Electronic Army is two-step verification:

Thank you, Twitter, for enabling this feature.

What exactly is two-step authentication?
Though I have already explained this in my previous articles, I would like to explain it one more time in this article.

"Two-step authentication is a security feature that prompts you to enter a temporary password sent to your phone whenever you log into your account."

So how do you enable this security feature?

• Go to the https://twitter.com/settings/account page
• Scroll to the bottom of the page, where you can find the "Account security" option.
• Select the option and follow the instructions.

Dorkbot malware spies on Facebook users' browser activities

Security researchers from Bitdefender Labs have spotted a new variant of the Dorkbot malware that targets Facebook users, spreading through the social network's internal chat.

Dorkbot is an IRC-based worm that spreads via instant messaging programs and social networks; it can steal login credentials and blocks security updates.

The malware has been uploaded with a '.JPG' extension to the file sharing website MediaFire. Once the malware has compromised the victim's system, it sends links to the malware to the victim's friends via the chat service, according to a Computerworld report.

Researchers said the malware is capable of spying on users' browsing activities and stealing their personal details. Bitdefender discovered links to the malware circulating in the United States, India, Portugal, the UK, Germany, Turkey and Romania.

Alleged leader of LulzSec hacking group arrested by Australian police

The Australian Federal Police (AFP) has reportedly arrested a 24-year-old self-proclaimed leader of the LulzSec hacking group.

The arrest comes a few days after the LulzSec member was jailed for the SQL injection attack that gave him access to the Sony Pictures Entertainment site.

According to the ABC news report, the AFP says the investigation began less than two weeks ago when investigators found that a government website had been breached.

The report did not reveal the identity of the man, who has been charged with two counts of unauthorised modification of data to cause impairment and one count of unauthorised access to a restricted computer system.

Another OAuth vulnerability allowed Facebook accounts to be hacked

Just a few weeks ago Nir Goldshlager released an OAuth vulnerability in Facebook. Security researcher Amine Cherrai has also found a similar vulnerability in Facebook that allowed hackers to obtain the access_token, with full permissions, of any Facebook account.

"As you may know, last month Facebook closed many bugs, leading to security reinforcement of the 'redirect_uri' parameter to prevent hijacking attacks. One of these reinforcements was rejecting all 'redirect_uri' values that have '#' or '#!'," the researcher wrote in his blog.

"While I was looking in the Facebook JavaScript SDK I found something strange: I found that it uses http://static.ak.facebook.com/connect/xd_arbiter.php?version=21#channel=f876ddf24&origin=http://localhost&channel_path=/oauth/PoC_js/?fb_xd_fragment#xd_sig=f3adf0e04c& as a redirect_uri and it's not rejected... So I said let's use it too!!!"

Amine successfully generated a PoC that redirects to another Facebook page with the access token, but he faced some problems while redirecting to an external website.

Nir Goldshlager helped Amine by suggesting that he redirect to an application on Facebook, which then redirects to an external website, instead of redirecting directly to an external website. After following Nir Goldshlager's instructions, he successfully managed to generate a final redirect_uri.

PoC video

Facebook has learnt from its previous lessons and is now fixing vulnerabilities as soon as somebody reports them; this vulnerability has already been fixed.
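The defensive side of the redirect_uri problem described above, as an added example that is not Facebook's code: an authorization server should compare the supplied redirect_uri with the client's registered URIs by exact scheme, host, port and path, and refuse any fragment or userinfo wherever it appears, instead of blacklisting particular '#' patterns. The client id and registered URIs are constructed; the rejected sample is the SDK URL quoted from the researcher's post.

```python
from urllib.parse import urlsplit

# Constructed registration: the redirect URIs a hypothetical client may use.
REGISTERED_REDIRECTS = {
    "app_poc_js": {
        "https://example-app.test/oauth/callback",
        "https://example-app.test/oauth/callback2",
    },
}

# The SDK URL quoted in the article, used here only as an input to reject.
SDK_ARBITER_URI = ("http://static.ak.facebook.com/connect/xd_arbiter.php?version=21"
                   "#channel=f876ddf24&origin=http://localhost"
                   "&channel_path=/oauth/PoC_js/?fb_xd_fragment#xd_sig=f3adf0e04c&")


def _normalize(uri):
    """Reduce a URI to (scheme, host, port, path) for exact comparison.
    Raises ValueError for anything a redirect_uri must never carry."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in ("https", "http"):
        raise ValueError("scheme must be http or https")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo not allowed in redirect_uri")
    if "#" in uri:
        raise ValueError("fragment not allowed in redirect_uri")
    if not parts.hostname:
        raise ValueError("host missing")
    port = parts.port or (443 if scheme == "https" else 80)  # ValueError on bad port
    return (scheme, parts.hostname.lower(), port, parts.path or "/")


def validate_redirect_uri(client_id, candidate):
    """True only if `candidate` exactly matches one URI registered for
    `client_id`: no prefix, substring or pattern matching, no query string."""
    registered = REGISTERED_REDIRECTS.get(client_id, set())
    try:
        cand = _normalize(candidate)
    except ValueError:
        return False
    if urlsplit(candidate).query:
        return False  # registered URIs carry no query; reject rather than compare loosely
    return any(_normalize(r) == cand for r in registered)
```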

WordPress.com boosts security with two-step authentication

WordPress.com, a blog web hosting service provider, announced that it has enabled a two-step authentication feature to keep your blogging account secure.

Two-factor authentication is a security feature that prompts you to enter a temporary secret number sent to your phone whenever you log into your account.

How to enable two-step authentication in WordPress?
To enable this feature, go to the new Security tab in your WordPress.com account settings and go through the setup wizard.

"We know your blog is important to you, and today we're proud to announce Two Step Authentication: an optional new feature to help you keep your WordPress.com account secure," the WordPress.com blog post reads.

Failure-to-restrict-URL vulnerability in Adobe exposes internal data

Information security researchers Parveen Yadav and Mayank Bhatodra have identified a critical security flaw in the Adobe website that exposes sensitive internal data of Adobe Systems Inc.

Adobe uses an application called P4Web which provides convenient access to versioned files through popular web browsers. Files can be viewed as icons or thumbnails and all standard operations can be performed in the browser.

Unfortunately, Adobe fails to restrict which users can access the Perforce P4Web web client, and this results in internal data being exposed.

For security reasons, we are not providing the vulnerable link here. The URL allows us to read internal data including employees' email IDs and full names. It also exposes internal system directory and computer names, and source code.

"An application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly," the researcher said.

The researchers notified Adobe a few months ago but Adobe failed to respond to them. We have also notified Adobe about the vulnerability but there is no response from their side.

Australian central bank infected by virus developed in China

The Reserve Bank of Australia has been infected by a piece of malicious software that was allegedly developed in China, a Reuters report says.

The bank was targeted by suspicious emails purporting to be sent from a senior bank staff member regarding "Strategic Planning FY2012" in November 2011, according to documents released by the RBA.

The cyber criminals embedded a link to the virus payload instead of attaching the malware to the email. The link led to a zip file containing a Trojan that the antivirus used by the bank failed to detect.

To bypass the existing security controls, the cybercriminals included a legitimate signature, a plausible subject and content, and no attachments in the email.

"It was also found that six users had clicked on the malicious link, potentially compromising their workstations," the report noted.

The bank said the affected PCs did not have local admin rights, which prevented the virus from spreading around the network. A bank spokesperson told Reuters that nothing was stolen.

Times Now TV & Shiksha official websites vulnerable to XSS security flaw

A 21-year-old information security expert, Narendra Bhati (R00t Sh3ll The Untracable) from Sheoganj, Rajasthan, who was recently acknowledged by Acquia.com and has also found many persistent XSS flaws and one SQL injection flaw in a bank website, has discovered a non-persistent XSS security flaw in the official websites of Shiksha.com and Times Of India, as well as the News Bullet subdomain of Start News Channel.

Narendra says: Kailash Bhayya, Ravi Sir & Sabari Sir, this is for you :-)

Shiksha.com is part of the naukri.com group, India's No. 1 job portal. Other portals owned by its parent company Info Edge are 99acres.com, JeevanSathi.com, Brijj.com and AskNaukri.com.

TIMES NOW (timesnow.tv) is a leading 24-hour English news channel that provides urbane viewers the complete picture of the news that is relevant, presented in a vivid and insightful manner, which enables them to widen their horizons & stay ahead.

On all these websites, the search fields were found to be vulnerable to XSS injection.

POC code for Times Of India TV:

POC for Shiksha.com:
Narendra also found that shiksha.com is vulnerable to CSRF, which allows an attacker to change a victim's mobile number via a malicious web page.

Narendra also claimed that he tried hard to contact all these websites by email, Facebook page etc., but they did not reply to him for a month. After this he decided to disclose the vulnerability and reported it to EHN.

PayPal running out of money in its bug bounty budget

It seems like PayPal is running out of money in its bug bounty budget. Bug hunters have started to report that PayPal has stopped giving bounties.

Recently, security researcher Mahadev Subedi discovered two XSS vulnerabilities in one of the PayPal domains (paypal-marketing.com.hk) and sent a notification to PayPal.

But PayPal responded: "we have determined that these bugs are not eligible for payment based on the fact the website is in the process of being decommissioned and will be shut down in the near future."

XSS vulnerability in Paypal-marketing
Mahadev discovered POST-based cross-site scripting in two pages of the Paypal-Marketing domain: 1. paypal-marketing.com.hk/merchant-enquiries/index.php, 2. paypal-marketing.com.hk/merchant-enquiries/index-zh.php. POCs for these vulnerabilities can be found here.

Researchers say that PayPal has stopped giving bug bounties because it has paid a lot for low-priority bugs.

Bug hunter Harsha Vardhan Boppana asked PayPal about this issue and they responded with this mail:

Our second party hosted sites (www.paypal-*.com) are mainly marketing based sites that are not part of the core Paypal domains (*paypal.com) and are managed by hosting vendor companies. They do not retain as long a life cycle as the core domains and can have a more volatile timeline as many are tied to projects and regional initiatives. For your own reference, I have provided you a list of sites currently in process of being decommissioned and therefore not eligible for Bug Bounty processing.

Sites to be decommissioned in coming months:
• paypal-deutschland.de
• paypal-danmark.dk
• paypal-promo.es
• paypal-europe.com
• paypal-france.fr
• paypal-nederland.nl
• paypal-norge.no
• paypal-marketing.pl
• paypal-sverige.se
• paypal-turkiye.com
• paypal-business.co.uk
• paypal-marketing.co.uk
• paypal-shopping.co.uk
• paypal-australia.com.au
• paypal-biz.com
• paypal-business.com.hk
• paypal-marketing.com.hk
• paypal-offers.com.hk
• paypal-shopasia.com
• paypal-japan.com
• paypal-apac.com
• paypal-plaza.com
• thepaypalblog.com
• www.paypal-brasil.com.br
• paypal-marketing.ca

Click-based XSS vulnerability in Yahoo

Today, information security researcher QuisterTow came up with an interesting vulnerability finding in one of the top search engine websites, Yahoo.

There is a cross-site scripting vulnerability in the hk.promotions.yahoo.com domain. The vulnerability is click-based XSS: when I click the Flash content, it displays the XSS code.

PoC code:
http://hk.promotions.yahoo.com/wedding2010/home_banner.swf?clickTAG=javascript:alert(/ E Hacking News /);

The above finding is a really interesting one. Just load the URL and click on the Flash content, and the code is executed.

At the time of writing, the vulnerability is still there.
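An added example, not Yahoo's code, of the check a banner's click-through handler should make before handing clickTAG to the browser: accept only absolute http(s) URLs to known hosts, so a value like the javascript: URI in the PoC above falls back to a harmless default. The allowed-host list is a constructed assumption; in a Flash banner the same logic would live in the SWF's own code, but the validation rule is identical.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed allow-list of hosts the banner is permitted to link to.
ALLOWED_CLICK_HOSTS = {"hk.promotions.yahoo.com", "hk.yahoo.com"}


def safe_click_target(raw, allowed_hosts=ALLOWED_CLICK_HOSTS, fallback="/"):
    """Return `raw` if it is an absolute http(s) URL to an allowed host,
    otherwise `fallback`. Fails closed on anything unusual."""
    if not isinstance(raw, str) or not raw:
        return fallback
    # Browsers ignore some whitespace/control characters while parsing a
    # scheme, so reject them outright instead of trying to normalise them.
    if any(ch.isspace() or not ch.isprintable() for ch in raw):
        return fallback
    parts = urlsplit(raw)
    if parts.scheme.lower() not in ("http", "https"):
        return fallback  # drops javascript:, data:, vbscript:, and relative URLs
    if (parts.hostname or "").lower() not in allowed_hosts:
        return fallback
    return raw


def click_target_from_query(query_string):
    """Extract the clickTAG parameter from a banner's query string (as in the
    PoC URL) and validate it; returns the URL the click should navigate to."""
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("clickTAG", [])
    return safe_click_target(values[0] if values else "")
```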

D-Link router vulnerability allows hackers to redirect your Internet traffic to a target server

Security researcher Michael Messner has identified multiple vulnerabilities in D-Link DIR-600 and DIR-300 routers that allow hackers to execute arbitrary shell commands.

According to the researcher's blog post, the vulnerability is caused by missing access restrictions and missing input validation in the cmd parameter.

The OS command injection vulnerability allows an attacker to start telnetd to compromise the device.

CSRF vulnerability: when changing the password, the current password is not requested. So a hacker can change the password without knowing the current one by sending the victim a malicious script that submits a password-change request.

The researcher also identified that no password hashing is implemented and the root password is saved in plain text in the var/passwd file.

According to an H-online report, a hacker can exploit the vulnerability to redirect a router's entire Internet traffic to a third-party server.

Messner sent notification of the vulnerabilities to D-Link, but they responded that the issue is browser-related and they will not provide a fix.
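An added example, not D-Link's firmware code, of a password-change handler hardened against the three findings above: it requires the current password, ties a CSRF token to the session, and stores a salted PBKDF2 hash instead of the plain-text value. The weak variant is shown beside it for contrast; the session and form structures are constructed assumptions.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, returned as 'salt$hexdigest' so nothing
    reversible to the password is ever written to the password file."""
    salt = salt or secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt), PBKDF2_ROUNDS)
    return f"{salt}${digest.hex()}"


def verify_password(password, stored):
    salt, _ = stored.split("$", 1)
    return hmac.compare_digest(hash_password(password, salt), stored)


def new_session(username):
    """Constructed session: logged-in user plus a per-session CSRF token."""
    return {"user": username, "csrf": secrets.token_urlsafe(32)}


def change_password_vulnerable(store, session, form):
    """The weak pattern described in the article: no current-password check,
    no CSRF token, and the new value is stored in plain text."""
    store[session["user"]] = form["new_password"]
    return True


def change_password_hardened(store, session, form):
    """Accepts the change only if the CSRF token matches the session and the
    caller proves knowledge of the current password; stores a salted hash."""
    token = form.get("csrf", "")
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return False  # cross-site form posts cannot read the session token
    stored = store.get(session["user"])
    if stored is None or not verify_password(form.get("current_password", ""), stored):
        return False
    new = form.get("new_password", "")
    if len(new) < 12 or new == form.get("current_password"):
        return False
    store[session["user"]] = hash_password(new)
    session["csrf"] = secrets.token_urlsafe(32)  # rotate token after a state change
    return True
```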

Multiple cross-site scripting vulnerabilities in Airtel website

Security researcher Vedachala, who has been acknowledged by PayPal, Zynga and more sites, has discovered a reflected cross-site scripting vulnerability in the website of India's leading telecommunications services provider, Airtel (airtel.com).

The researcher found that the Username and Password fields on the page "ebpp.airtelworld.com/myaccount" are vulnerable to XSS. This vulnerability is POST-request-based XSS.

When you enter this code in the username field with any password, it results in XSS:


The researcher has claimed to have found XSS on BSNL, Tata Docomo and 000webhost. He also claimed that he reported the vulnerability to Airtel but they failed to respond.

Recently, I (Sabari Selvan aka BreakTheSec) discovered an XSS vulnerability in the Airtel website and reported it to them. It seems like they neither reply nor patch the vulnerability, so it is better to publish my finding in this same post.

The POC code for my finding: