E Hacking News

A Romanian cybercriminal who is six months into a 5-year sentence for supplying gadgets that conceal ATM skimmers has invented a new device that prevents ATM thefts, Reuters reported.

Valentin Boanta, 33, who was arrested in 2009, said his arrest made him happy because it helped him get rid of his Blackhat hacking addiction.

"Crime was like a drug for me. After I was caught, I was happy I escaped from this adrenaline addiction," Reuters quoted Boanta as saying. "So that the other part, in which I started to develop security solutions, started to emerge."

Secure Revolving System (SRS): The SRS device, funded by a technology firm called MB Telecom, can be installed in any existing ATM and prevents the operation of skimming devices.

Unknown hackers using the "Unlimited Hack Team (UHT)" defacement signature recently attacked the Thai PM's website and posted an insulting message about Prime Minister Yingluck Shinawatra.

Narongrit Suksarn, aka Window 98se, 29, from Nakhon Si Thammarat, a suspected hacker who met the police last week, insisted he didn't hack into the PM's site or post insulting messages on it. But he admitted he was a member of the Unlimited Hack Team.

The police said they have gathered information and are confident Narongrit and other suspects from the hacking group will be charged.

Technology Crime Suppression Division (TCSD) commander Pol Maj Gen Pisit Paoin said they believed Narongrit had hacked into the PM's site three days before the attack but didn't change anything.

The police said the suspect will be charged with a violation of Section 5 of the 2007 Computer Act for allegedly sharing the stolen data with the team members, according to a Bangkok Post report.

It appears the UHT was established by a Cambodian group. The TCSD has requested Cambodian authorities to help investigate the Cambodian hackers.

Mozilla has released Firefox 21, which closes eight security vulnerabilities, including four high-level and three critical security flaws.

Critical vulnerabilities: Memory corruption found using Address Sanitizer (MFSA 2013-48), Use-after-free with video and onresize event (MFSA 2013-46), Miscellaneous memory safety hazards (MFSA 2013-41).

High level vulnerabilities: Uninitialized functions in DOMSVGZoomEvent (MFSA 2013-47), Mozilla Updater fails to update some Windows Registry entries (MFSA 2013-45), Local privilege escalation through Mozilla Maintenance Service (MFSA 2013-44), Privileged access for content level constructor (MFSA 2013-42).

Firefox 21 introduces a new feature, the Social API, that "makes it easy for your favorite social providers to add a sidebar with your content to Firefox or notification buttons directly on the Firefox toolbar."

It also introduces the Health Report, which "logs basic health information about your browser and then give you tools to understand that information and fix any problems you encounter".

Users are advised to upgrade Firefox as soon as possible. You can check your version and update your browser by selecting Help -> About Firefox.

We are in the cyber world: here the robbers don't wear masks, use guns or threaten bank tellers; they use a laptop and the internet instead.

Alleged international cyber criminals managed to steal $45 million from thousands of ATMs in a matter of hours.

Their first operation started in India, where the hackers were able to "infiltrate the system of an unnamed Indian credit-card processing company that handles Visa and MasterCard prepaid debit cards."

In their first operation, the crews made 4,500 ATM transactions worldwide and stole $5 million, according to a New York Times report.

In the second operation, the crews made 36,000 transactions worldwide and stole about $40 million in approximately 10 hours. It included $2.4 million stolen by a team of eight people in New York City.

Seven of the eight suspected members of the New York crew have been arrested. The eighth, said to be the ringleader, was found dead on April 27 in the Dominican Republic.
 
Microsoft has issued a temporary fix for the recently uncovered Internet Explorer 8 vulnerability that was exploited in the US Department of Labor hack to serve malware.

The vulnerability affects only IE8, so users running Internet Explorer versions 6, 7, 9 and 10 do not need to take any action.

Microsoft is working on fixing the issue. In the meantime, users are urged to apply the temporary fix to protect against the attack.

To do this, visit http://support.microsoft.com/kb/2847140 and click the Fix it button or link under the Enable heading.

If you are a pentester, the technical analysis and Metasploit module can be found here:
https://community.rapid7.com/community/metasploit/blog/2013/05/05/department-of-labor-ie-0day-now-available-at-metasploit

The China Post reports that Taiwan police arrested a suspect surnamed Shih on May 1 for hacking into a popular local classic music website.

The police raided Shih's apartment and seized his computer, which was found to have been used in his hacking attempts.

The hacker admitted that he hacked into the website's customer database and made unauthorized changes to customer data by exploiting a SQL injection vulnerability.

The Criminal Investigation Bureau (CIB) stated that the investigation was launched after it received a report from the website's operator, who said the site had been hacked in March.

Earlier this year, security researchers Billy Rios and Terry McCorkle from Cylance demonstrated a newly discovered zero-day attack on an industrial control system at the Kaspersky Threatpost Security Analyst Summit.

The industrial control system is a computer-based system used to control electronic door locks, lighting systems, elevators, video surveillance cameras, electricity and boiler systems via the internet, and is used by the military, hospitals and others.

The researchers noted that the security flaw in the Tridium Niagara AX Framework allows a hacker to access a sensitive system file, "config.bog", which contains the username and password for all devices.

Their research reveals that internet giant Google, which uses Tridium Niagara for various Building Management Systems in its Google Wharf 7 building, is also affected by this zero-day vulnerability.

Although Tridium has released a patch for the system, Google failed to patch the vulnerability, which allowed the researchers to access the config.bog file of the Tridium device used by Google.

The credentials stored in the config.bog file allowed them to get into the admin panel of the device. The panel gave access to a variety of Building Management features including "Active Alarms", "Active overrides" and "Alarm console".

Researchers reported this issue to the Google Vulnerability Rewards Program (VRP).

The researchers stated that more than 25,000 buildings using the Tridium Niagara AX system that haven't patched the security hole are vulnerable to attack.

"If Google can fall victim to an ICS attack, anyone can," the researchers noted.

Security researcher Greg MacManus from iSIGHT Partners Labs discovered a critical security flaw in several recent versions of NGINX, an open source web server.

"A stack-based buffer overflow might occur in a worker process while handling a specially crafted request, potentially resulting in arbitrary code execution"

The security flaw, now identified as CVE-2013-2028, affects nginx versions 1.3.9 - 1.4.0. The NGINX developers have released a patch fixing this security vulnerability.

The problem is fixed in nginx 1.5.0, 1.4.1. The patch for the problem can be found here: http://nginx.org/download/patch.2013.chunked.txt

Last month, ESET analyzed a new sophisticated and stealthy Apache backdoor, "Linux/Cdorked.A", that drives traffic to malicious pages.

Security researchers at ESET observed more than 400 web servers infected with the "Linux/Cdorked.A" backdoor, including 50 top-ranked websites.

In their recent report, ESET noted that the Lighttpd and nginx web servers are also affected by this backdoor.

"we found it will not deliver malicious content if the victim’s IP address is in a very long list of blacklisted IP ranges, nor if the victim’s internet browser’s language is set to Japanese, Finnish, Russian and Ukrainian, Kazakh or Belarusian," the report reads.

Researchers are still not able to identify how this malicious software was deployed on the affected web servers.

The technical details are available at WeLiveSecurity


A few days ago AlienVault Labs reported that the U.S. Department of Labor website was hacked and was redirecting to a malware page. In their report, they mentioned the exploit used in the attack was CVE-2012-4792.

After further analysis, security researchers discovered that the vulnerability exploited in the cyber attack wasn't CVE-2012-4792 but a new zero-day affecting Internet Explorer 8.

The CVE identifier CVE-2013-1347 has been assigned to this new IE vulnerability. Microsoft noted that Internet Explorer 6, IE7, IE9, and IE10 are not affected by the vulnerability.

"U.S Department of Labor website wasn’t the only entity affected and we can confirm that at least 9 other websites were redirecting to the malicious server at the same time," AlienVault reports.

According to their report, the cyber attack targeted websites belonging to several non-profit groups and institutes as well as a big European company that plays in the aerospace, defence and security markets.

Invincea's founder Anup Ghosh told NextGov that the "target of the attack are [Energy Department] folks in a watering hole style attack compromising one federal department to attack another".

Facebook updated the feature that allows users to recover a hacked account with the help of three Facebook friends. In the past, Facebook sent secret codes to 3 Facebook friends you chose. Using those secret codes, you could retrieve your account.

But this feature was abused by BlackHat hackers, who compromised a victim's account by becoming friends with the victim from three different profiles.

To overcome this problem, Facebook introduced a new feature called "Trusted Contacts" that allows users to select 3 to 5 friends to receive the secret code needed to recover their account.

"It's sort of similar to giving a house key to your friends when you go on vacation--pick the friends you most trust in case you need their help," Facebook's security update reads.

Simple steps to add trusted contacts to your account:

  • Go to your Security Settings
  • Click on the Trusted Contacts section
  • Click Choose Trusted Contacts
  • Choose 3-5 friends and confirm your choices

However, there are a few risks in using this feature. If your friends decide to have fun with you, they are able to access your Facebook account.

I don't know why Facebook is not providing two-step authentication like Google does.

An Algerian man who is believed to be the creator of the infamous banking Trojan "SpyEye" was extradited from Thailand to the United States to face charges.

Hamza Bendelladj, 24, also known as Bx1, will face charges for allegedly playing a role in developing, marketing, distributing and controlling the SpyEye virus, according to an FBI report.

SpyEye is a banking Trojan (similar to the Zeus virus) that steals confidential personal data and financial information such as online banking credentials and credit card information.

He was arrested at Suvarnabhumi Airport in Bangkok, Thailand, on Jan 5, while he was in transit from Malaysia to Egypt.

If convicted, he will face a maximum sentence of up to 30 years in prison for conspiracy to commit wire and bank fraud; up to 20 years for each wire fraud count; up to five years for conspiracy to commit computer fraud; up to five or 10 years for each count of computer fraud; and fines of up to $14 million.


A software programmer who was employed at a high-voltage power manufacturing company has been arrested for hacking into the company's computer network.

According to the FBI report, Michael Meneses was employed at the victim company as a software programmer and system manager specializing in developing and customizing the software that the company used to run its business operations.

He was one of two employees who were primarily responsible for ensuring that the software that drove the company’s manufacturing business. His responsibilities gave him high-level access to the company’s computer network.

He had voiced displeasure at having been passed over for promotions and tendered his resignation in late December 2011. Then, he allegedly launched a cyber attack against the company and stole employees' security credentials. He then used those credentials to access the network remotely via VPN. The complaint says the company suffered over $90,000 in damages as a result of Meneses’s intrusions.

If convicted, he will face a statutory maximum sentence of years’ imprisonment, a $250,000 fine, and restitution.

Canonical on May 2 released a security advisory fixing ten Linux kernel vulnerabilities that affect Ubuntu 12.10.

The vulnerabilities include an information leak in the Linux kernel's UDF file system implementation (CVE-2012-6548), an information leak in the Linux kernel's ISO9660 CDROM file system driver (CVE-2012-6549), an integer overflow in the Direct Rendering Manager (DRM) subsystem for the i915 video driver in the Linux kernel (CVE-2013-0913), and a denial of service flaw in guest OS time updates in the Linux kernel's KVM (CVE-2013-1796).

The other vulnerabilities are a use-after-free error in guest OS time updates in the Linux kernel's KVM (CVE-2013-1797), a flaw in the way KVM emulated the IOAPIC (CVE-2013-1798), a privilege escalation vulnerability in the Linux kernel's ext3 filesystem (CVE-2013-1848), a buffer overflow in the Linux kernel's USB subsystem for devices reporting the cdc-wdm class (CVE-2013-1860), an information leak in the Linux kernel's dcb netlink interface (CVE-2013-2634), and a kernel stack information leak in the RTNETLINK component (CVE-2013-2635).

To patch these vulnerabilities, Ubuntu users are urged to update their systems to the following package version: linux-image-3.5.0-28-generic 3.5.0-28.48.

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

Reputation.com, an online reputation management website, lost its own reputation when a hacker invaded its website and accessed the personal data of users.

Reputation.com on Tuesday sent an email to customers disclosing the security breach. Reputation.com said in the mail that intruders had accessed personal information including names, email and physical addresses, phone numbers, dates of birth and occupational info.

On top of that, hackers had accessed the encrypted passwords of a small number of users. Reputation.com claimed that the passwords are highly encrypted (Hash+Salt) and "it was highly unlikely that these passwords could ever be decrypted".

One of EHN's users commented on the issue: "You fail at cryptology. The salt is stored with the hash. It doesn't add any strength to the individual hash's resistance to brute-force attacking, it only strengthens hashes from being attacked by pre-built rainbow tables. Even if you used bcrypt with a cost of 16 and 128-bit /dev/random salts, all an attacker has to do is iterate the 10,000 most common passwords and they'll hit 98% of internet users."

However, the company immediately reset the passwords to prevent unauthorized access.

Though the company claimed that the hacker didn't access financial information such as credit card numbers, which it doesn't store, it is offering free credit monitoring for one year.
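
The commenter's point about salts, seen from the defender's side, as an added example (not code from Reputation.com or EHN): per-user salts make identical passwords hash differently, yet an audit against a list of common passwords still flags them, so the defences are a slow key-derivation function plus rejecting common passwords at registration. PBKDF2 from the Python standard library stands in for bcrypt here; the denylist, iteration count, account names and function names are assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample denylist (assumption); real deployments load a far larger list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou"]

# Assumed work factor for this example; tune it to your own hardware.
PBKDF2_ITERATIONS = 100_000

Record = Tuple[bytes, bytes]  # (salt, derived key), stored side by side


def hash_password(password: str, salt: Optional[bytes] = None) -> Record:
    """Derive a key with PBKDF2-HMAC-SHA256 and a per-user random salt."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit salt, unique per account
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, key


def verify_password(password: str, record: Record) -> bool:
    """Recompute the key with the stored salt; compare in constant time."""
    salt, expected = record
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected)


def is_common(password: str) -> bool:
    """True if the password is on the denylist (case-insensitive)."""
    return password.lower() in COMMON_PASSWORDS


def register(store: Dict[str, Record], user: str, password: str) -> bool:
    """Refuse denylisted passwords before anything is hashed or stored."""
    if is_common(password):
        return False
    store[user] = hash_password(password)
    return True


def audit_store(store: Dict[str, Record]) -> List[str]:
    """Defender-side audit: accounts whose stored hash matches a denylisted
    password. The salt sits next to the hash, so it does not hide them."""
    flagged = [
        user
        for user, record in store.items()
        if any(verify_password(candidate, record) for candidate in COMMON_PASSWORDS)
    ]
    return sorted(flagged)


def demo() -> Tuple[bool, List[str]]:
    # Constructed legacy store created before any denylist check existed.
    legacy = {
        "alice": hash_password("password"),
        "bob": hash_password("password"),
        "carol": hash_password("Tr4il-mix/harbor-91"),
    }
    # Same password, different salts: the derived keys differ, which is what
    # defeats pre-built tables. The audit still finds both accounts.
    same_key = legacy["alice"][1] == legacy["bob"][1]
    return same_key, audit_store(legacy)


if __name__ == "__main__":
    same_key, flagged = demo()
    print("identical stored keys:", same_key)
    print("accounts needing a forced reset:", flagged)
```

Raising the iteration count slows every guess in such an audit by the same factor, while the registration check removes the passwords that any short list would find.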
1. Introduce yourself:
Hello EHN readers and everyone else from the World Wide Web Community, I’m Tushar Rajhans Kumbhare from India. Probably, your next question would be related to my work, so here goes: I am pursuing a B.E Degree in Telecommunication & Electronics.

At the moment, I am awaiting my study completion, which is going to take a while. However, what I actually do right now and something that has become my destiny as of last few weeks, is my role as a Security Analyst and Pen Tester at Defencely.Com.

Am I too chatty, aren’t I? To cut it short, Defencely is India’s number one and upcoming online cloud penetration services company. Prior to joining their team, I was independently working as a security researcher, and got several awards of recognition from:

• Microsoft
• Apple
• Adobe
• RedHat
• PayPal
• ZenDesk
• Weraki
• Avira
• iFixit
That’s about it… I guess.

2. How did you get into Information Security Field?
Yeah, that is an interesting tale. Generally speaking, I belong to the modern generation, where kids are fascinated with the idea of computers, website hacking, security intrusion, whether good or bad, and reverse engineering. I guess it kind of gives them a sense of control and purpose in life.

However, there are hardly any cases when these “kids” grow up to pursue their dreams. I, for one, loved the idea of computer and website hacking. Not that I was a hardcore hacker, I did things ethically and wanted to become part of the good guys team :P

I just got my laptop 3 years ago. Before that, I was using computers at par level. It is unbelievable, right? It took me 3 years to get better at online security penetration related stuff. As the story goes, there I was in my 2nd Semester’s Programming class. They have that mandatory C language course for everyone.

The first day when I was in C language lab, I was the only student sitting in front of a computer that wasn’t even powered on. How so? I didn’t know how to turn that “darn PC” On. The snobbish teacher walked up to me, thinking that I was just wasting her time, and said, “Why don’t I see you writing any program like the rest of the class?”

I hesitated. By then the dialogue took a wild turn when I admitted to know nothing about powering on computers. Her words: “What” and “Get out of my class, young man” still echo in my head. Besides, I was the laughing stock of the entire university for about two weeks.

My parents were very supportive of me. They spent a chunk of their savings to buy me a laptop. Since then, I have been pursuing my fascination, which is computer and website hacking. From then on, I scavenged all kinds of knowledge about Hall of Fame security acknowledgements.

Hard work and persistence took the better of me, and there I was, trying to get listed on these company pages.

3. Why did you choose to become a Security Researcher?
Curiosity is the harbinger of dreams - (I just came up with this quote myself. Dibs on that) I already said that security research always inspired something in me. Therefore, I set off to develop my “how stuff works” mentality. My long term goal was to get listed in various websites’ Hall of Fame pages. They have these pages set up for security analysts; anyone who points out a vulnerability in the system.

But it wasn’t easy. Endless nights and countless hours were spent to achieve this dream. I worked diligently and was finally able to become a part of society that believes in making the internet a better place for all.



4. How did your first vulnerability report go? How did you find it and what did it feel like at that time?
I’m very glad you asked that question. No one forgets his first encounter with a big company. For me, it was Microsoft back then. After detecting a vulnerability in their network, I reported it without any hopes of seeing my name at their website’s Hall of Fame section. Time went on, and one day I got confirmation from the guys at Microsoft. They thanked me as their company’s custom goes.

It was the most wonderful moment of my life. I was ecstatic, speechless, happy and downright surprised at myself. The incident sparked confidence in me and motivated me to pursue cloud penetration professionally.

Here I’d love to tell all aspiring security analysts that you are your own boss. The so-called “experts” will not only laugh at you, but they’ll also refuse to help you. People hardly part ways with their knowledge in this field. Therefore, you have to work hard and one day you’ll overcome your dreams.



5. What's your research that makes you especially proud?

3 months ago was a “Bug Hunting and Reporting” season for me. I’m not talking about pesticides and actual insects lurking around; it was kind of a virtual online thing. Jokes apart, it took me a lot of time to cover the gaps. No one guided me, or helped me; all upcoming security researchers know this by heart.

The crux of my research is to manually scan any online resource for security threats, and then report it to the concerned authorities. Other than computer related stuff, I also submitted a research paper on Einstein’s Theory of Relativity in 12th Standard. They thanked me and gave me a certificate. I guess this “research” factor comes to me by blood :P



6. How do you feel after being part of Defencely?

How did I feel? I can’t give words to my feelings. First of all, Defencely is the only cloud penetration services company that purely hails from India. There are others too, but most of them are headed in the U.S of A, with some team members scattered around in India.

So it was a big deal for me to be a part of a network that belongs to my country. Defencely also inspired me to chase my dreams with due diligence. Besides that, my parents were damn proud of me… at last. I was kind of a lazy bum in studies, so my dad started doubting my future. I’m going to dedicate the rest of my time and effort to Defencely and brute force ethical standard hacking.



7. What is your advice for new bug hunters?

Dear brothers, I know it is quite easy to give advice but bear with me. As an upcoming security researcher of high caliber, you have to throw yourself at it. No one is going to teach you or hold your finger.

Keep in mind the high competition factor and make the internet your new teacher. On your way, you’ll meet all kinds of people. Some of them will vow to help you but they won’t. Others, though EXTREMELY rare, will give you in depth knowledge about hacking and security assessment. That’s about it. The rest of the stuff, you’re going to have to handle it on your own.

Stay motivated and don’t lose hope, no matter what kind of field you are interested in. By the way, start immediately with OWASP standards. Move your skills across WASC classes and learn anything that any online tutorial has to churn out.

Got it? Why are you still here, then? Go and start your work!

Here’s another one of my chin up speeches for you: To be successful in this field (or any field) you must have a positive and “can do” approach in life. Don’t let haters and their negative energy take you down. You will feel like a loser every now and then – this happens, but don’t give up on anything.

As a matter of fact, you can connect with me on:


  • Facebook
  • Twitter
  • LinkedIn



8. What do you think about E Hacking News?

EHN is a great opportunity for anyone who is connected to the internet. Granted that you are contributing to someone or something and it is related to the scope of this website, talk to their super friendly admins. They will love to interview you; expose your skills to the world and help you meet fellow community members.

Already EHN has created buzz with its published content. I can only wish you guys all the best for your future endeavors.

9. Is there anything else you like to add?

I would like to add a few things here. First of all, a very special thank you note goes to Mr. Ritesh A. Sarvaiya, CEO and Founder of Defencely.Com. His character and role definitely bypasses as that of a CEO, which itself is a big responsibility these days.

Ritesh Sir (as everyone likes to call him that) has a knack for finding talent all over the world. One thing that I love about him is the fact that he is one of the very few people who would go to extremes to give your destiny a shape. As long as you have the talent to show for, and something that Ritesh Sir can work on, you’ll have it.

Atul Shedage. To me, Atul is like a brother and a great mentor. He is CTO (Chief Technology Officer) at Defencely. We have already heard a lot about him. He is the youngest Indian CTO to receive multiple awards of recognition from many online companies.

Lastly, I would like to thank Sabari Selvan; EHN website webmaster and owner. Without his unmatched support, I wouldn’t be here talking about my dreams and everything that you just read. Thanks Sabari, and good luck to you with whatever you are up against in life. A bunch of appreciation also goes to the entire Defencely and EHN panel. You guys rock.



The Australian Federal Police (AFP) has reportedly arrested a 24-year-old self-proclaimed leader of the LulzSec hacking group.

The arrest comes a few days after a LulzSec member was jailed for the SQL injection attack that gave him access to the Sony Pictures Entertainment site.

According to an ABC News report, the AFP says the investigation began less than two weeks ago when investigators found a government website had been breached.

The report didn't reveal the identity of the man, who has been charged with two counts of unauthorised modification of data to cause impairment and one count of unauthorised access to a restricted computer system.

A recent report from Symantec shows that even cyber criminals have become fans of Telugu actresses Kajal Agarwal and Samantha. Cybercriminals have started to use these actresses' names in their phishing campaigns.

A few days after Symantec spotted a phishing campaign with the title "Samantha & Kajal very hot song from Brindavanam Telugu movie", they spotted another phishing campaign that uses their names.

"the phishing site displayed a picture from a captivating musical number from the movie 'Saitan'," the Symantec report reads. "The phishing site was titled, 'Samantha & Kajal Very Hot Song' but in fact, these celebrities were not a part of this movie."

The phishing page asks visitors to log in to watch the video. When a user gives the login credentials, they are redirected to the legitimate movie website.

"If users fell victim to the phishing site by entering their login credentials, phishers would have successfully stolen their information for identity theft purposes," the researcher says.

WordPress.com, a blog hosting service provider, announced that it has enabled a two-step authentication feature to keep your blog account secure.

Two-factor authentication is a security feature that prompts you to enter a temporary secret number sent to your phone whenever you log into your account.

How to enable two-step authentication in WordPress?
To enable this feature, go to the new Security tab in your WordPress.com account settings, and go through the setup wizard.

"We know your blog is important to you, and today we’re proud to announce Two Step Authentication: an optional new feature to help you keep your WordPress.com account secure," the WordPress.com blog post reads.

HconSTF is an open source penetration testing framework based on different browser technologies, which assists any security professional in penetration testing or vulnerability scanning assessments.

Hcon is very delighted to announce that, after around 14 months, HconSTF v0.5, codename 'Prime', has been released.

Noticeable things for this version:
It is now more enhanced for:
  • Web Penetration Testing
  • Web Exploits Development
  • Web Malware Analysis
  • OSINT, Cyber Spying and Doxing!!
  • and much more, with lots of hidden features

HconSTF v0.5 in brief:
  • based on Firefox 17.0.1
  • Designed in Process based methodology
  • Less in size (40mb packed-80mb extracted), consumes less memory
  • More than 165+ search plugins
  • New IDB 0.1 release integrated
  • underlined Logging for each and every request
  • more NEW scanners for DomXSS, Reflected XSS
  • New reporting features like note taking, url logging for easy report making
  • Smart searchbox - just select and it will copy it and just change search engine to search
  • Integrated Tor, AdvoR, I2p and more proxies
  • New Grease monkey scripts (18 scripts)
More details can be found here.

Download

