Astoria - Researchers develop a new Tor client which aims to beat NSA


With an aim to beat powerful intelligence: like NSA, researchers have developed Astoria, a new Tor client which is said to be capable of protecting user’s privacy, even from such powerful intelligence agencies.

A cyber security researcher team from America and Israel come up with a new Tor client which is designed to make spying more difficult for the world's most capable intelligence agencies.

According to the research paper, people have used Tor, a popular anonymity system for users who wish to access the Internet anonymously or circumvent censorship, to prevent their activity from being tracked as Internet anonymity becoming difficult to establish.

However, Tor is not as safe as it was supposed to be, from the powerful intelligence agencies.

As a result the researchers have developed Astoria, which particularly focuses on defeating autonomous systems that has set up to intrude into Tor’s anonymity.

“In our experiments, we find that 58% of all circuits created by Tor are vulnerable to attacks by timing correlation and colluding sibling ASes. We find that in some regions (notably, China) there exist a number of cases where it is not possible for Tor to construct a circuit that is safe from these correlation attacks,” said in the research paper.

It added, “To mitigate the threat of such attacks, we build Astoria, an AS-aware Tor client. Astoria uses leverages recent developments in network measurement to perform pathprediction and intelligent relay selection. It not only reduces the number of vulnerable circuits to 5.8%, but also considers how circuits should be created when there are no safe possibilities. It performs load balancing across the Tor network, so as to not overload low capacity relays. Moreover, it provides reasonable performance even in its most secure configuration.”

The Astoria is aimed to do a list of things:
• Deal with asymmetric attackers.
• Deal with the possibility of colluding attackers.
• Consider the worst case possibility.
• Minimize performance impact.

Google launches 'Password Alert' to protect its users from phishing attacks


Google on April 29 launched a new extension, ‘Password Alert’, which warns people whenever they type in their Google password on any site that is not a Google sign-in page.

Drew Hintz, security engineer and Justin Kosslyn, Google Ideas, posted on the Google’s Online Security Blog, that the Password Alert, which is now available on the Chrome Web Store, is aimed to prevent phishing attacks. However, it also aims to minimize the over use of Google password.

They wrote that it is designed to alert people while they use their Google password on those sites which are not operated by Google.

According to them, if anyone enters his/her password on a website that’s imitating accounts.google.com and aims to get personal details, he/she will receive a warning. It also provides people time to change their password before it gets misused.

It works by checking the HTML of the page to identify whether it’s a legitimate Google sign-in page or not.

According to Google, the password hacking is known as “phishing” which represents two percent of all Gmail messages.

The new tool is believed to be an additional attempt of security for Google’s users. The Password Alert sits among a number of tools which are aimed to safeguard user accounts. Other methods include two-step authentication and security key.

Colombian hacker gets 10 years in jail for spying



A Colombian court sentenced hacker Andres Sepúlveda to 10 years in prison after he admitted to various crimes, including spying on the government’s peace talks with the Revolutionary Armed Forces of Colombia (FARC). He admitted to spying on representatives of both the government and the FARC guerilla during peace negotiations.

The Internet pirate was arrested in May 2014 after being traced to secret offices that hacked confidential information and messages, including one whose objective was to sabotage the peace process.
 
According to the sentence handed down by the 22nd Presiding Court of Bogota, he was judged guilty of five crimes including, espionage, illegal wire-tapping, malicious use of software, breaching communications, and unauthorized access to classified information. He must also pay a fine of his current monthly minimum salaries as part of the agreement.
Sepulveda intercepted the communications of top-ranking FARC Commander Rodrigo “Timochenko” Londono and former Senator Piedad Cordooba.

According to the investigation, then-presidential candidate Óscar Iván Zuluaga hired Sepúlveda to carry out a smear campaign against President Juan Manuel Santos during the 2014 presidential campaign. The hacker told authorities that former President Álvaro Uribe was aware of his operations, and that Zuluaga paid him to undermine the peace process.

Sepúlveda has accepted the prosecution's offer of a reduced penalty in exchange for his cooperation. He cut a deal with the prosecutors in February that limited his prison term to 10 years in exchange for providing information that could help Colombian authorities.

Bulgarian hacker who hacked Bill Gate’s account undergoes legal proceeding

Photo Courtesy: GMA News
A Bulgarian man, who was arrested for withdrawing money with the fake ATM cards including the account of the Microsoft co-founder Bill Gates during a sting operation in Quezon City, faced legal proceedings on Friday, authorities said.

The sting operation was jointly launched by Presidential Anti-Organized Crime Commission (PAOCC) and PNP Criminal Investigation and Detection Group's (CIDG) Anti-Fraud.

While addressing the medias on Friday, Police Supt. Milo Bella Pagtalunan, chief of the CIDG Anti-Fraud and Commercial Crime Unit (CCU), said Konstantin Simeonov Kavrakov, who was arrested on Thursday while he was withdrawing money using different fake bank cards at the ATM booth of the PS Bank branch along Quezon Avenue, was charged for violating the Access Device Regulations Act (ADRA) for using and producing fake access devices.  

Kavrakov was arrested in Paraguay back in 2011 for hacking bank accounts and commercial fraud, he added.

According to the PAOCC, they are investigating on how Kavrakov got released in Paraguay. They are also checking the date he landed in Philippines.

According to the executive director of the PAOCC Reginald Villasanta, seven assorted credit cards credit cards including a Citi Visa, Standard Chartered MasterCard, Citibank MasterCard, Citi MasterCard, Citibank Visa, East-west Bank Vice and a blank Gold card, nine ATM receipts, a mobile phone, and a bag containing cash amounting to P76,570 have been recovered. He is currently detained at the office of the CIDG's Anti-Fraud and the CCU.

Yahoo to the rescue of forgetful users with "on-demand password"

Passwords are not meant to be remembered. It is meant to be generated fresh, every time you forget it.

This is what Yahoo seems to think as the company just introduced an on-demand password system.

The system works like this: After signing into the Yahoo account one has to select Account security from the account information page and opt-in for “On-demand passwords”. Then one has to enter the phone number where Yahoo sends the verification code and after entering this code one never has to worry about memorizing passwords ever again.

It can be argued that the move away from default passwords is welcome as password theft is very common now a days but some feel that the privacy is being sacrificed because anybody with access to the phone for even a few seconds has the potential to read through all your communication.

But the fact remains that peril of default passwords had been dealt well with the two step authentication process; whereby if one logs in from a new device, in addition to the password one is asked for a code that has been sent to the associated mobile number. A move to completely eliminated the first step seems to be inclining towards laxer cyber-security norms.

At a time when Google tries to put one in panic mode by notifying what happens if you forget your password and repeated reports of security breaches makes one paranoid, the move from Yahoo to eliminate passwords has invited mixed reactions.

Presently, it is available only to US users.

While the effort is in the right direction to deal with password security issues by closely connecting the virtual and real identities, the approach adapted seems to be fallacious.

Web users exposed to "FREAK" attack

SSL/TLS breached

Newly discovered security vulnerability in the SSL/TLS protocol, dubbed as “FREAK” poses potential risks for millions of people surfing the web on Apple, Google and Microsoft browsers.

A whole range of browsers including Internet Explorer, chrome for Mac OS and Android , Apple browsers and about 12% of popular websites like  Bloomberg.com, kohls.com, mit.edu have been found to be vulnerable.

The flaw would allow a “man in the middle” attack which can downgrade security of connections between vulnerable clients/servers by tricking them into using low strength “export grade RSA” , thus rendering TLS security useless.

This 512 bit export grade mode of cryptography can then be easily cracked to compromise the privacy of users, by stealing passwords and other personal information. Larger attacks on the Web sites could be launched as well.

Computing power worth 100 dollars and seven hours is all that is required for a skilled code breaker to crack it.

The flaw was exposed by a team of researchers at INRIA and Microsoft Research who named it as “FREAK” for Factoring attack on RSA-EXPORT Keys.

The “export grade” RSA ciphers resulted from the 1980s policy of the US government which required US software makers to use weaker security in encryption programs which were shipped to other countries. It was meant to facilitate internet eavesdropping for intelligence agencies to monitor foreign traffic. These restrictions were lifted in the late 1990s, but the weaker encryption got wired into widely used software that percolated throughout the world and back into US.

Christopher Soghoian, principal technologist for the American Civil Liberties Union said, “You cannot have a secure and an insecure mode at the same time… What we’ve seen is that those flaws will ultimately impact all users.”

This reveals that a weaker crypto-policy ultimately exposes all parties to hackers and serves a strong argument against the recent requests of the US and European politicians to enable new set of backdoors in established systems.

Apple said its fix for both mobiles and computers will be available next week and Google said it has provided an update to device makers and wireless carriers.

For web server providers , the way ahead entails disabling support for all export cipher and known insecure ciphers.

A full list of vulnerable sites is available here.

Wired website blocked by Google Chrome

Official website of popular American magazine Wired has been blocked by Google and Chrome.  Users who tries to access few urls of wired are getting a warning message saying "This site may harm your computer".

We tried to access wired.com from Google search result, there was no warning message for home page.  However, when i tried to access the 'wired.com/business/', i was presented with Malware warning page.

"Hey folks, we had a brief technical issue this morning, but it's fixed. Thanks to those of you who brought it to our attention." Wired tweeted regarding the issue.

It is unclear what they mean by 'technical issue' and how come Google has blocked the website.  At the time of the writing, visitors are still presented with the malware warning message.  Wired says it is waiting for Google chrome to remove the warning.

Users targeted with large number of Spam mails containing Banking Trojan

 
A new massive spam campaign has been spotted by security researchers at AppRiver which sends large amount of spam mails to data centers in an effort to evade Email-filtering engines.

AppRiver's data centers received 10 to 12 times normal traffic.  Even though AppRiver managed to block the spam mails, tremendous volume of traffic caused some of its customers delays in sending and receiving emails.

CyberCriminals are targeting users with large amount of emails with varying premise.  One of the spam mails is targeting Bank of America customers.  A fake alert message pretending to be from Bank of America contains a Bredo malware.

Researchers say the malware is capable of recording the keystrokes and steal financial information.  It has also capabilities to do download additional malware on the victim's machine.  The spam mails reportedly detected only by 11 out of 51 antiviruses.

Another mail analyzed by AppRiver is pretending to be from "VISA/MasterCard" and informs recipients that their account has been blocked due to unusual activity.

Some of the malicious attached files have pointed to Andromeda botnet and some other pointing to Bredo Botnet.  This botnet activity being referred as TidalWave/TidalBotnet by AppRiver.

One of the largest Botnet "Sirefef" disrupted by Microsoft


Microsoft teamed up with law enforcement agencies and A10 Networks has disrupted one of the world's largest Botnet "ZeroAccess" that defrauded online advertisers.

ZeroAccess also known as Sirefef is a notorious malware which makes money for cyber criminals through Click fraud - Hijacking victim's search results and generating fake clicks on ads. It also installs Bitcoin miners in the infected machines.

Victims usually get infected by the ZeroAccess through drive by download attacks.

The malware has reportedly infected more than two million computers. It costs online advertisers around $2.7 million per month.

David Finn, executive director and associate general counsel of the Microsoft Digital Crimes Unit said the disruption "will stop victims’ computers from being used for fraud and help us identify the computers that need to be cleaned of the infection"

Microsoft said the action will not "fully eliminate the ZeroAccess botnet due to the complexity of the threat". However, it will significantly disrupt the botnet's operation and will bring loss of revenue for the cyber criminals who behind the ZeroAccess.

Used memory sticks being sold online contains sensitive Government data


Selling an used memory sticks often pose an information security risk-  We might be thinking that we completely erased the data from it, but it is possible to recover the files that are not properly deleted with the help of some tools.

A recent study found that "old memory sticks" being sold online contain sensitive Australian Government data.

The research paper which is to be presented at a cyber security conference in Perth reveals how researchers discovered the confidential Government data while they are researching the used memory sticks, The Australian news reports.

The study found that sellers are sending memory cards without properly erasing the data. The recovered data not only contains a personal info but also appears to be information belong to Australian government.

"It is evident that actions must be taken by second hand auction sites, and the media to raise awareness and educate end-users on how to dispose of data in an appropriate manner," the study says.

AutoCAD malware opens gateway for cybercriminals

Security Researchers at Trend Micro have discovered a new and rare type of malware which is disguised as a legitimate Autocad component with '.FAS' extension.

The malware opens up infected machines to exploits. It first creates user account with admin privileges and then creates network shares for all drives in the victim's machine.

It also opens the ports 137 to 139 (ports known for NetBIOS service) and 445 is used for Microsoft-DS SMB file sharing service that provides access to files, printers, serial ports .

The open ports can be abused by cybercriminals for exploiting old SMB based vulnerabilities.

It appears the attacker created admin account for the sake of making his "access" to the system is easy so that he doesn't need to crack password for existing accounts or remotely create one.  

The attacker can now easily steal all files from the infected machines.  He can also infect the target machine with any other data stealing malware.

Cyber Society of India wants to Ban Ethical Hacking course in India- Compares hackers to rapists


I was totally shocked when i heard the words came out from the President of Cyber Society of India(cysi.in) on local channel "Puthiya Thalaimurai'. The local channel covered a story about Ethical Hacking.

He told in the Puthiya Thalaimurai's interview that "Ethical hacking" is like ethical rape.  He asked "how one can claim it is legal by adding 'Ethical' word in front of Hacking".

He also added that "We are not doing rape in order to prevent rapes. Then, why we should do ethical hacking to prevent hacking?". 
  
It is ridiculous to compare ethical hackers with rapists. 

Here is Puthiya Thalaimurai's video covering Ethical Hacking (Tamil):


"I will say ban Internet, no Internet no Hacking we all will be safe. Even Pollution is increasing so shall we stop breathing????? " One hacker commented . " What I understand from my side is you should increase Cyber Forensics Courses so that we get good investigators."

"If you have good Cyber Forensics Investigators the crime rate will go down, and only those people will get enrolled to even Ethical Hacking Course who have good ethics as they know that if thet go wrong they will be arrested."

Yes, i agree with what hacker said.  An Ethical Hacking course with a cyber laws always produce a good ethical hackers.  We can't just simply ban ethical hacking course as India need more Ethical Hackers/PenTesters.  We just need to teach them cyber laws as well.

 "This is one of the most ridiculous discussions I have ever seen. Now guys will come and say don’t teach programming they will write virus" One cyber security expert comment.

"There is a great demand for “ethical” hackers all over the world and they are required to make cyber world secure. As its said in movie Spiderman “with great powers come great responsibilities” and should make kids understand the responsibilities associated with this great art."

India to prepare Army of Reverse Engineers to Counter Cyber Attacks

National Security Database, an initiative of Information Sharing and Analysis Center (ISAC) in association with Ground Zero Summit 2013,  organized a Seminar on Reverse Engineering in New Delhi. The Seminar was organized to identify and create the need for the most credible and valuable Information Security professionals in India, especially in Reverse Engineering, to protect the National Critical Infrastructure and economy of the country.


The Seminar touched upon the growing need of Reverse Engineers in the country to counter cyber attacks and piracy. As the $100 billion information technology industry seeks to chart a new course by fostering software product companies, Reverse Engineering to become a promising field for jobs in the IT and software development sector.

According to NSD, there are less than 5,000 Reverse Engineering experts currently in India. NSD in collaboration with various Academic Institutions across India aims to increase the number of Reverse Engineering professionals in the country to 1 lakh by 2015, through training and awareness.


National Security Database has joined hands with Ground Zero Summit (G0S) 2013 and is promoting Asia’s largest Information Security Summit (G0S) scheduled to take place from 7-10 November, 2013 at The Ashok, New Delhi.


Speaking at the Seminar, Mr. Rajshekar Murthy, Director, National Security Database, said “Hacking has become a growing threat to Indian IT industry. Some recent data theft cases by hackers has made India's $100 billion IT industry a primary target. The acute shortage of Reverse Engineering professionals will further hit the IT industry and the economic loss will grow exponentially due to piracy and insecure coding.”


“Today, reversing techniques are used for 'studying' viruses and malwares to help catch the criminals, create 'patches' to clean the viruses from computers and mobiles and also test closed systems and technologies for quality assurance and security vulnerabilities. Reverse engineering experts are immensely useful in the intelligence and defence sector for offensive research such as exploit development and embedded systems security. Companies can also hire reverse engineering experts to oversee security aspects during product design stage and protect their software from being copied or have security issues”, further added Murthy.

National Security Database has developed Intensive and in-depth Reverse Engineering Boot-camps offered by Information Sharing and Analysis Center (ISAC) approved partners. The program helps engineers to understand different aspects of application security, learn anti-cracking techniques and to create secure code for internal use that cannot be easily hacked. Through these programs the engineers also learn different approaches for Reverse Engineering and Application to get a strong foundation in dealing with new Malwares and gain expertise to analyze it.

Grab Your tickets Now! Defcon Bangalore Information Security Meet 2013


We invite you to the Defcon Bangalore 2013 Meet.  Defcon Bangalore is information security meet that you should not miss- The place where top Indian security researchers gather to share their knowledge.

The meet is going to be organized on coming Saturday, August 17th 2013 - The day that will give a chance for you to meet the WhiteHat hackers.

The reason why we mentioned this meet shouldn't be missed is that there are hackers from Brazil going to give a talk on "SCADA Exploitation".

Final list of Speakers:
  • Himanshu Sharma – Planning to rob someone? Here is an easier way
  • Ajin Abraham – Pwning with XSS reverse Shell
  • Dr. Daniel Singh – Tracing the Ghosts of Cyber World
  • Manas Prathim Sharma – IUTM
  • Francis Alexander – Abusing LFI-RFI with a twist
  • Aditya Gupta and Subho Halder – Droid Exploitation
Don't Miss the Training sessions.  Security researchers are going to give a training on several interesting topics on Information Security.

Training Track Sessions By
  • Aditya Gupta and Subho Halder on Droid Exploitation
  •  Bitcoins – Suriya Prakash
  • Deep Web – The TOR network – Nikhil P Kulkarni
  • Sabari Selvan on Exploit code writing
  • Hacking Hardwares with Raspberry Pi – Yashin Mehboobe
Book your tickets at:  http://www.meraevents.com/event/defcon-bangalore

You can find more details at http://defcon.cysecurity.org/

    Twitter finally introduces Two-step authentication to prevent account hacks

    Here we go, Twitter finally introduced the most anticipated security feature "Two-Step authentication" that prevents hackers getting access to your twitter accounts.

    The recent cyberattacks from Syrian Electronic army(SEA) forced the twitter to enable the 2-step verification feature.

    The SEA is the syrian hacker group who recently hijacked the high profile twitter accounts including accounts of Guardian , Telegraph, FT, AP and more via Social engineering attack(Phishing).

    Once i said, the only feature that can stop the Syrian Electronic army is 2-step verification :


    Thank you twitter for enabling this feature.

    What is exactly 2-step Authentication?
     Though i have already explained about this in my previous articles, i would like to explain one more time in this article.

    "2-step authentication is a security feature that prompts you to enter a temporary password sent to your phone whenever you log into your account."


    So how to enable this security feature?

    • Go to https://twitter.com/settings/account page
    • Scroll to the bottom of the page , there you can find the "Account security" option.  
    • Select the option and follow the instructions 

    Dorkbot malware spy on Facebook users' browser activities

    Security researchers from Bitdefender Labs have spotted a new variant of the Dorkbot malware that targets Facebook users , spreading through the social network's internal chat.

    Dorkbot is a IRC based worm that spreads via instant message programs, social networks that can steal login credentials and blocks security updates.

    The malware has been uploaded with '.JPG' extension in file sharing website mediafire. Once the malware compromised the victim's system, it sent links to the malware to the victim's friends via chat service, according to Computer world report.

    Researchers said the malware is capable of spying on users’ browsing activities and stealing their personal details.Bitdefender discovered links to the malware circulating in the United States, India, Portugal, the UK, Germany, Turkey and Romania.

    Alleged leader of LulzSec hacking group arrested by Australian Police



    The Australian Federal Police(AFP) has reportedly arrested a 24-year-old self-proclaimed leader of LulzSec hacking group.

    The arrest comes few days after the LulzSec member was jailed for the SQL Injection attack that allowed him access to the Sony Pictures Entertainment site.

    According to the ABC news report,the AFP says the investigation began less than two weeks ago when investigators found a government website had been breached.

    The report didn't reveal the man's identity who has been charged with the two counts of unauthorised modification of data to cause impairment and one count of unauthorised access to a restricted computer system.

    Another OAuth Vulnerability allowed to hack facebook accounts

    Just a few weeks ago Nir Goldshlager released a OAuth vulnerability on Facebook. A security researcher Amine Cherrai has also found similar vulnerability on facebook that allowed hackers to get the access_token and full permissions of any account on facebook.

    "As you may know, last month Facebook has closed many bugs leading to security reinforcement of  'redirect_uri' parameter and prevent hijacking attacks. One of these reinforcement were rejecting all   'redirect_uri' that has '#' or  '#!'." Researcher wrote in his blog.

    "While I was looking in the Facebook Javascript SDK I found something strange, I found that it uses http://static.ak.facebook.com/connect/xd_arbiter.php?version=21#channel=f876ddf24&origin=http://localhost&channel_path=/oauth/PoC_js/?fb_xd_fragment#xd_sig=f3adf0e04c&” as  aredirect_uri and it’s not rejected… So I said let’s use it too!!!"

    Amine successfully generated a poc that redirects to another facebook page with the access token.  But he faced some problem while redirecting to external website.

    Nir Goldshlager helped Amine by suggesting to redirect to an application in facebook then the application redirects to an external website instead of redirecting directly to an external website. After following the instructions from Nir Goldshlager, he successfully manged to generate a final redirect_uri.


    POC video



    Facebook has learnt from its previous lessons and is now fixing vulnerabilities as soon as somebody reports them,this Vulnerability has already been fixed.

    WordPress.com boosts security with Two Step authentication


    WordPress.com , a blog web hosting service provided, announced that they have enabled Two-step authentication feature to keep your blogger account secure.

    Two factor authentication is a security feature that prompts you to enter a temporary secret number sent to your phone whenever you log into your account.

    How to enable Two step authentication in Wordpress?
    To enable this feature, go to the new Security tab in your WordPress.com account settings, and go through the setup wizard.

    "We know your blog is important to you, and today we’re proud to announce Two Step Authentication: an optional new feature to help you keep your WordPress.com account secure." Wordpress.com blog post reads.

    Failure To Restrict Url Vulnerability in Adobe exposes Internal data


    Information Security Researchers Parveen Yadav and Mayank Bhatodra have identified a critical security flaw in Adobe website that exposes the sensitive internal data of Adobe Systems Inc.

    Adobe uses an application called P4web which provides convenient access to versioned files through popular web browsers. Files can be viewed as icons or thumbnails and all standard operations can be performed in the browser.

    Unfortunately,  the Adobe fails to restrict the Perforce P4web web client being accessed by users , it results in exposing the internal data.

    For a security reasons, we are not providing the vulnerable link here.  The URL allows us to read the internal data including email IDs of Employees, Full Name. It also exposes the Internal system directory and computer names, Source codes.


    "An application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly." Researcher said.

    The researcher notified Adobe before few months but they failed to respond to them.  We have also notified Adobe about the vulnerability but there is no response from their side.