Yahoo revamps security to protect users' data from NSA


Yahoo says it has introduced several improvements to the encryption of users' data in an attempt to prevent cyber attacks and government surveillance.

Alex Stamos, who recently joined Yahoo as Chief Information Security Officer, said that traffic moving between Yahoo's data centers has been fully encrypted since March 31.

The move came after whistleblower Edward Snowden leaked documents alleging that traffic between Google and Yahoo data centers was being intercepted by the NSA.

Yahoo has enabled encryption of mail between its servers and other mail providers. Search requests made from the Yahoo homepage are now automatically encrypted as well.

Yahoo is promising to release a new, encrypted version of Yahoo Messenger within the next few months.

"In addition to moving all of our properties to encryption by default, we will be implementing additional security measures such as HSTS, Perfect Forward Secrecy and Certificate Transparency over the coming months. This isn’t a project where we’ll ever check a box and be 'finished.'" Stamos wrote in the blog post.

"Our fight to protect our users and their data is an on-going and critical effort. We will continue to work hard to deploy the best possible technology to combat attacks and surveillance that violate our users’ privacy," he added.

Fake Google apps found in Windows Phone store


Both Android and iOS have official apps from Google, but Windows Phone users are not so lucky: the only official Google app for Windows Phone is the Google Search app.

Recently, a number of "Google" apps, including Google Hangouts, Google Voice, Google+, Google Maps and Gmail, appeared in the Windows Phone store with a price tag of $1.99.

While the legitimate Google Search app for Windows Phone is published under the developer name 'Google Inc', all of these apps were published by "Google, Inc".

The clear intention was to fool Windows Phone users into believing these were official apps from Google. The fake apps were first spotted by WinBeta.

Microsoft removed the apps from its store after The Next Web contacted it about the issue.

“We removed a series of apps for violating our policies concerning the use of misleading information,” a Microsoft spokesperson told TNW. "The apps attempted to misrepresent the identity of the publisher."

Full-Disclosure Security Mailing List Suspended Indefinitely



Today, subscribers to the Full-Disclosure security mailing list received a shocking email from the list's admin announcing that the service is being suspended.

"I'm not willing to fight this fight any longer. It's getting harder to operate an open forum in today's legal climate, let alone a security-related one. There is no honour amongst hackers any more," the email reads.

"There is no real community. There is precious little skill. The entire security game is becoming more and more regulated. This is all a sign of things to come, and a reflection on the sad state of an industry that should never have become an industry."

"I'm suspending service indefinitely. Thanks for playing."

Nullcon international security conference 2014

We recently witnessed another season of NULLCON unfold. NULLCON, India’s biggest security conference, takes place in Goa every year; this year it was held on the 14th of February, with the tagline "Spread Love, Not Malware".

This year’s Nullcon International Conference featured speakers from across the globe presenting a range of interesting papers, and it also showcased some of the upcoming talent of the Indian cyber space.

The event started off with a bang with the Night Talks on the night of the 13th, followed by a grand party. The evening talks also included the "Black Shield Award" segment, in which eminent personalities were presented with the Black Shield Award. The list of Black Shield achievers is as follows:


The day talks started on the morning of the 14th and went on till the evening of the 15th. This year’s Nullcon talks featured well-known security researchers such as Rahul Sasi, Alexander Polyakov, LavaKumar Kuppan, Vivek Ramachandran, Saumil Shah and many more. And as Nullcon always tries to bring out budding talent from India, this time we had upcoming talent from the Indian infosec community such as Yahin Mehboobe, Ankita Gupta, Abhay Rana and many more.

One of the major attention grabbers this time was the ultra-geeky nullcon2014 hardware badge, developed by Indian researchers Amay Gat and Umesh Jawalikar.

One of the new things seen at Nullcon this time was NULLCON AMMO, which showcased some of the coolest, geekiest open-source tools developed by young Indian researchers and developers.

The tools featured at Nullcon Ammo were:
  • OWTF (The Offensive Web Testing Framework) – By: Abraham Aranguren & Bharadwaj Machiraju.
  • NoSQL Exploitation Framework – By: Francis Alexander.
  • XML Chor – By: Harshal Jamdade.
  • Drup Snipe – By: Sukesh Reddy and Ranjeet Senger.
  • OWASP Xenotix XSS Exploitation Framework – By: Ajin Abraham.
And plenty of other tools were featured at the Nullcon Ammo event as well.

Overall, this season of Nullcon was filled with more geekiness, fun and partying, and was an awesome feast of information and knowledge for infosec enthusiasts. It was even more exciting than the previous season of Nullcon, and the hackers' experience this time was the best yet. For a hacker, you can’t ask for anything better than Nullcon.

Bug Bounty Programs: GitHub now offers $100 to $5000 for security vulnerabilities

GitHub is the latest organization to join the list of those offering bounties to security researchers who find and report vulnerabilities.

GitHub previously listed the names of those who reported vulnerabilities on its 'Hall of Fame' page; it now offers bounties ranging from $100 to $5,000.

The exact bounty amount for each vulnerability is determined by GitHub based on the actual risk and potential impact to its users.

Say you find a non-persistent XSS vulnerability that only works in the Opera browser (affecting only 2% of its users); that will earn a small bounty. If you manage to find a persistent (stored) XSS that works in Chrome (affecting 60% of its users), it will earn you a larger reward.

The bounty program currently covers the GitHub API, GitHub Gist and GitHub.com. GitHub says its other applications are not part of the open bounty, but researchers may still receive a bounty at its discretion.

So far, two researchers have received 1000 points each for reporting 'Broken Authentication or Session Management' and 'Missing Function Level Access Control' issues.

Hackers reportedly used stolen vendor credentials to hack Target's systems


Target Corporation told the Wall Street Journal that the massive data breach it suffered last month happened after cyber criminals compromised a vendor's credentials and used them to break into Target's systems.

The company didn't provide much information. It didn't say how the hackers stole the credentials, nor which portal they logged into.

Cyber security blogger Brian Krebs, who brought the Target breach to light, said in his blog that the malware used in the breach had used the username 'Best1_user' and password 'BackupU$r' to access a shared drive. Krebs highlighted the fact that the username is the same as the default one used in IT management software developed by BMC Software.

"According to BMC’s documentation, this account is normally restricted, but the attackers may have usurped control to facilitate lateral movement within the network," said a Dell SecureWorks report pointed out by Krebs.

The report also revealed that a malware component installed a service called "BladeLogic", apparently mimicking the name of another BMC product.

A trusted source told Krebs that BMC's software is used by many major retailers. He believes Target also uses it.

Krebs also confirmed that cyber criminals known as Rescator are selling millions of cards stolen in the Target data breach.
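The two indicators Krebs reported (the 'Best1_user' account and a service named 'BladeLogic') are the kind of thing a defender would hunt for in endpoint logs. The following is an added example, not code from Krebs, Dell SecureWorks or BMC; the log lines, host names and IP addresses are constructed, and the event shapes are loosely modelled on Windows logon (4624) and service-install (7045) events.

```python
"""Hunt for the Target-breach indicators named in the article: logons by the
BMC default account 'Best1_user' and installation of a service called
'BladeLogic'. Added example; every log line below is constructed."""
import json
from collections import defaultdict

WATCHED_ACCOUNTS = {"best1_user"}   # compared case-insensitively
WATCHED_SERVICES = {"bladelogic"}

# Constructed sample events, one JSON object per line (not real Target data).
SAMPLE_LOG = r"""
{"event_id": 4624, "host": "POS-0117", "user": "Best1_user", "src_ip": "10.20.4.9", "logon_type": 3}
{"event_id": 4624, "host": "POS-0117", "user": "cashier12", "src_ip": "10.20.4.9", "logon_type": 2}
{"event_id": 7045, "host": "POS-0117", "service_name": "BladeLogic", "image_path": "C:\\Windows\\Temp\\svc.exe"}
{"event_id": 7045, "host": "FS-02", "service_name": "Spooler", "image_path": "C:\\Windows\\System32\\spoolsv.exe"}
{"event_id": 4624, "host": "FS-02", "user": "BEST1_USER", "src_ip": "10.20.4.9", "logon_type": 3}
{"event_id": 4624, "host": "FS-03", "user": "best1_user", "src_ip": "10.20.4.9", "logon_type": 3}
"""


def parse_events(text):
    """Parse one JSON event per non-empty line; skip lines that are not JSON."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_indicators(events):
    """Return one alert per event that matches a watched account or service."""
    alerts = []
    for ev in events:
        if ev.get("event_id") == 4624 and (ev.get("user") or "").lower() in WATCHED_ACCOUNTS:
            alerts.append({"host": ev["host"], "kind": "account_logon",
                           "src_ip": ev.get("src_ip"), "user": ev["user"]})
        elif ev.get("event_id") == 7045 and (ev.get("service_name") or "").lower() in WATCHED_SERVICES:
            alerts.append({"host": ev["host"], "kind": "service_install",
                           "image_path": ev.get("image_path")})
    return alerts


def hosts_with_both_indicators(alerts):
    """Hosts where the account logon and the service install both appear."""
    kinds = defaultdict(set)
    for a in alerts:
        kinds[a["host"]].add(a["kind"])
    return {h for h, k in kinds.items() if {"account_logon", "service_install"} <= k}


def lateral_movement_sources(alerts, min_hosts=2):
    """Source IPs that used a watched account on at least min_hosts hosts,
    the pattern the SecureWorks report describes as lateral movement."""
    hosts_by_src = defaultdict(set)
    for a in alerts:
        if a["kind"] == "account_logon" and a["src_ip"]:
            hosts_by_src[a["src_ip"]].add(a["host"])
    return {src for src, hosts in hosts_by_src.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    found = find_indicators(parse_events(SAMPLE_LOG))
    for alert in found:
        print(alert)
    print("hosts with both indicators:", hosts_with_both_indicators(found))
    print("sources touching several hosts:", lateral_movement_sources(found))
```
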

Southwest General notifies patients of privacy breach

Southwest General Health Center is notifying over 480 patients who were part of an obstetrics study that a binder containing their private information is missing, according to a local news report.

The binder, which has been missing since December 5, contains information gathered between April and October 2013.

It includes patient names, dates of birth, medical record numbers and clinical information. Southwest General said no Social Security numbers or financial information were involved in this privacy breach.

The hospital tried to find the missing binder but has not been able to locate it.

It also apologized to its patients and said it has implemented procedures to prevent this type of incident from recurring in future.

New service will protect Hong Kong domains (.hk) from DNS hijacking


We have recently seen several DNS hijacking attacks, in which hackers defaced several high-profile domains including Google and Facebook.

Hackers normally attempt to obtain login details for the domain admin panel through various methods, including social engineering attacks. If they succeed, they change the DNS records for the websites.

By modifying DNS records, a hacker can deface the website or redirect it to any other malicious website.

To put an end to such attacks, a new "registry lock" service has been launched by the Hong Kong domain registrar.

"We are putting back the human factor in the verification process," South China Morning Post quoted the Internet Registration Corporation head Jonathan Shea Tat-on as saying.

The new service requires telephone verification before any change to existing DNS records can be made. Only up to three persons can be authorized to modify the records, and the records are unlocked for just 15 minutes at a time. These measures are intended to close the existing loopholes in the automated process.

Google acquires cybersecurity startup Impermium

Google has added one more startup to its acquisitions list, this time the cyber security startup "Impermium".

Impermium, founded three years ago, had raised $9 million in funding. The company offers an advanced risk-evaluation platform for detecting fraudulent registrations and risky transactions.

"By joining Google, our team will merge with some of the best abuse fighters in the world. With our combined talents we’ll be able to further our mission and help make the Internet a safer place," Mark Risher, CEO and co-founder of Impermium, said in the official statement.

In its statement the company thanked its investors, including Accel Partners, AOL Ventures, Charles River Ventures and Data Collective.

According to TechCrunch, the company is notifying its customers that it will stop providing services to third-party sites, but the team will keep working on the same core problems and technology at Google. Google hasn't disclosed the value of the acquisition.

McAfee Antivirus will be rebranded as Intel Security

Intel has decided to say goodbye to the McAfee brand name for its security software: McAfee Security will be renamed "Intel Security".

The rebranding will begin immediately, but the company estimates it will take a year to complete. The red McAfee shield logo will remain.

Along with the rebranding, Intel is offering the mobile version of McAfee's security solutions free of charge on iOS and Android devices.

The controversial founder of McAfee, John McAfee, told the BBC that he was elated by the name change.

"I am now everlastingly grateful to Intel for freeing me from this terrible association with the worst software on the planet. These are not my words, but the words of millions of irate users," he said.

NETRA - An Internet spy system to be launched by the Indian Government


Think twice before using words like "bomb", "blast", "kill" or "attack" in your emails, blogs, tweets, Facebook status or any other social network status update.

Using such words could put you under surveillance by Indian security agencies.

"NETRA" is an Internet spy system developed by the Centre for Artificial Intelligence and Robotics (CAIR), a lab under the Defence Research and Development Organisation (DRDO), which is capable of detecting mala fide messages, reports the Times of India.

Besides status updates on social networks, NETRA is reportedly capable of capturing any dubious voice traffic passing through VoIP services such as Skype or Google Talk.

"When Netra is operationalized, security agencies will get a big handle on monitoring activities of dubious people and organizations which use Internet to carry out their nefarious designs," a government official said.

Indian Election Commission-Google tie-up may impact national security


Thanks to the Indian Election Commission's tie-up with the "US-based" Internet giant Google, the NSA can now easily get the info of every Indian citizen.

According to the Times of India, Google and the Election Commission have entered into an agreement under which Google will help the EC manage online registration of new voters and facilitation services ahead of the 2014 elections.

The registered voters can check the address at which they are registered and get directions to the nearest polling station.

Cyber security experts say the EC's move will impact national security and democracy itself.

"It is shocking that in a country like India which is called world's software superpower, Election Commission, instead of an Indian company, has chosen a foreign company like Google, which has colluded with American intelligence agencies like NSA (National Security Agency) for global cyberspying, to provide electoral registration and facilitation services by providing them the whole database of registered voters in India," TOI quoted the Indian Infosec Consortium as saying.

The group said it poses a potential risk to India, as the data could be misused by Google and US agencies for cyber espionage.

Rajsekhar Murthy, another member of the consortium, said the poll panel should have spoken to Indian companies such as Infosys or TCS before jumping into such a decision. "Cost wise it is not much," he said.

NSA paid $10 million to RSA to make flawed algorithm that weakens encryption


The US National Security Agency (NSA) secretly paid $10 million to RSA, one of the major and most respected security firms, to make a flawed algorithm in order to weaken encryption, according to an exclusive report from Reuters.

In September, the New York Times reported, based on documents leaked by former NSA contractor Edward Snowden, that the NSA had created a flawed formula for generating random numbers in order to create a "backdoor" in encryption software.

Reuters later reported that RSA became the lead distributor of the formula by using it in an encryption tool known as BSafe, which software developers use to improve security in their products.

Two sources disclosed new information to Reuters: RSA had received the money in exchange for making the NSA's formula the default method for number generation in the BSafe software.

In a statement to Reuters, RSA denied the allegations saying "RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products. Decisions about the features and functionality of RSA products are our own."

Source: Reuters

DSHS mistakenly sent clients' personal info to incorrect addresses

The Washington State Department of Social and Health Services (DSHS) mistakenly mailed letters containing clients' personal info to previous or incorrect addresses.

According to the Seattle Times, the private data of at least 2,600 and possibly up to 7,000 clients is at risk. A coding error is said to be the reason for the breach.

The letters in question contained the client's name, address and ID, and possibly Social Security numbers, contact info, birth dates, medical information, phone numbers and other information.

The letters were sent in envelopes marked 'Return Service Requested,' requiring the Postal Service to return them to Economic Services Administration (ESA) if the person named no longer lived at that address. It is unknown precisely how many letters were returned.

ESA said it is unknown whether the letters have been accessed or the info used for identity theft. It is notifying all affected clients.

Cyber Security Awareness: How a Grandma got phished by a Hacker

Christmas is getting closer, and children are expecting gifts from Santa Claus. I'm not sure whether Santa is going to send gifts to your children, but cyber criminals are definitely interested in sending phishing emails to you.

You should now be extremely cautious about emails claiming to offer special Christmas deals or free Christmas gifts.

University IT at the University of Rochester has uploaded a funny video to YouTube called "Grandma Got Phished by a Hacker" to raise awareness of cyber security.




The video conveys the warning about phishing mails in a funny way.

The University also has launched a new service called "Proofpoint Targeted Attack Protection", which is designed to improve the protection of University mail systems against phishing attacks.

University of North Carolina notifies 6,000 individuals affected by data breach

University of North Carolina is investigating a data breach in which files containing more than 6,000 people's personal information inadvertently became accessible on the Internet.

The exposed information, including Social Security numbers, addresses, birth dates and tax IDs, belongs to current and former University employees, students and vendors.

The university learned of the incident on Nov. 11 and immediately started a forensic investigation.

According to the investigation, the safeguards protecting the files from public access were accidentally disabled during maintenance of one computer on July 30.

The university also learned that Google had indexed the link to the file, so it asked Google to remove it from the index. On Nov. 23, Google removed the link from its database.

On Dec. 13, the university began notifying the individuals affected by the breach.

Gmail now automatically displays images, helping attackers know when you open mail


Google yesterday announced that it will automatically display images embedded in emails by default, something Google had previously disabled.

By enabling this feature, Google made a mistake: the sender is now able to track whether the user has opened the mail or not.

An attacker with a unique image link (e.g. www.breakthesecurity.com/123456.jpg) can easily determine when the recipient opened the mail.

"Turning those images on means we’ll be more accurate when tracking unique opens," MailChimp, a bulk mail service, said in its blog post.

"GMail's new image caching doesn't occur until the user views the message, still provides read tracking," security researcher HD Moore commented on the new feature in a tweet.

You can disable this feature by choosing the option "Ask before showing" in the "image" section under the General tab in Settings. However, it remains to be seen how many users will disable it; most don't bother.
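To make the tracking mechanism concrete from the receiving side, here is an added example (not code from Google, MailChimp or the original post) that scans an HTML email body for remote images with the traits of a read beacon: a per-recipient unique token in the URL, as in the 123456.jpg link above, or a 1x1 pixel size. The message body, domains and tokens are constructed for the example, and the last function models the effect of the "Ask before showing" setting.

```python
"""Flag remote images in an HTML email that look like read-tracking beacons.
Added example; the sample message and all URLs in it are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body (not from any real mailing).
SAMPLE_HTML = """
<html><body>
<p>Merry Christmas! Claim your <a href="https://example.com/offer">gift</a>.</p>
<img src="https://example.com/images/logo.png" width="200" height="60">
<img src="https://track.example.net/open/3f9a2c1b7e4d.gif" width="1" height="1">
<img src="https://www.example.com/u/123456.jpg?rcpt=7e9c0b">
<img src="cid:inline-banner@example.com">
</body></html>
"""

# A long hex or numeric run in the path/query is the usual per-recipient id.
TOKEN_RE = re.compile(r"[0-9a-f]{6,}|\d{5,}", re.I)


class ImageCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))


def classify_image(attrs):
    """Return the beacon traits of one <img>: [] for inline/cid images,
    ["remote"] for a plain hosted image, plus "1x1" and/or "unique_token"."""
    src = attrs.get("src") or ""
    parsed = urlparse(src)
    if parsed.scheme not in ("http", "https"):
        return []                       # cid:/data: images never phone home
    reasons = ["remote"]
    if attrs.get("width") == "1" and attrs.get("height") == "1":
        reasons.append("1x1")
    if TOKEN_RE.search(parsed.path) or TOKEN_RE.search(parsed.query):
        reasons.append("unique_token")
    return reasons


def find_beacons(html):
    """Remote images with at least one beacon trait beyond being remote."""
    collector = ImageCollector()
    collector.feed(html)
    found = []
    for attrs in collector.images:
        reasons = classify_image(attrs)
        if len(reasons) > 1:
            found.append((attrs.get("src"), reasons))
    return found


def images_fetched_on_open(html, ask_before_showing):
    """URLs a mail client fetches automatically on open: all remote images
    when images display by default, none once "Ask before showing" is set."""
    if ask_before_showing:
        return []
    collector = ImageCollector()
    collector.feed(html)
    return [a.get("src") for a in collector.images if "remote" in classify_image(a)]


if __name__ == "__main__":
    for src, why in find_beacons(SAMPLE_HTML):
        print(src, why)
    print("fetched on open (default):", images_fetched_on_open(SAMPLE_HTML, False))
```
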

Stolen laptop of poker player mysteriously returned with Remote Administration Tool


Jens Kyllönen, a professional poker player from Finland, was shocked when his laptop, apparently stolen from his hotel room while he was playing in a tournament, mysteriously returned to the same place where he had left it.

Jens complained about the incident to the hotel, but the staff were not helpful. They told him the cameras were not working properly, so they could not find out how it had happened.

Interestingly, the laptop was stolen again while he was getting help from the staff, and later turned up in the hotel lobby. Whoever accessed his laptop had managed to remove the password protection.

He then decided to take his laptop to F-Secure Labs for a forensic investigation to find out what had happened.

According to F-Secure Labs, the laptop was in fact infected with a Java-based Remote Administration Tool (RAT). Based on the timestamps, the malware was introduced while the laptop was missing.

He is not the only victim of this attack: another professional player, Henri Jaakkola, who stayed in the same room at the event, had the exact same trojan installed on his laptop.

Those who have laptops with sensitive information are advised to put them in a safe when not around, and to encrypt their disks.

ANZ inadvertently sent customers' bank statements to 2-year-old kid


Privacy Breach:

The Australia and New Zealand (ANZ) Bank has inadvertently sent the bank statements of customers holding hundreds of dollars to a two-year-old kid.

The kid, Joel Morrison, who has his own savings account of about $200, received the statements in the mail after his mom Stacey Morrison requested details of her own spending.

ANZ asked Stacey to return the statements. However, she first informed the account holders in question, all of whom are disappointed with the incident.

An ANZ spokesperson told TVNZ that the bank has launched an investigation into how it happened. He said their "inquiries point to it being a handling error at a printer".

To clients who asked what could have happened if the details had fallen into the wrong hands, the bank replied that the statements didn't contain any sensitive data that would put their accounts at risk.

One of the largest botnets, "Sirefef", disrupted by Microsoft


Microsoft, together with law enforcement agencies and A10 Networks, has disrupted one of the world's largest botnets, "ZeroAccess", which defrauded online advertisers.

ZeroAccess, also known as Sirefef, is notorious malware that makes money for cyber criminals through click fraud: hijacking victims' search results and generating fake clicks on ads. It also installs Bitcoin miners on infected machines.

Victims are usually infected by ZeroAccess through drive-by download attacks.

The malware has reportedly infected more than two million computers and costs online advertisers around $2.7 million per month.

David Finn, executive director and associate general counsel of the Microsoft Digital Crimes Unit, said the disruption "will stop victims’ computers from being used for fraud and help us identify the computers that need to be cleaned of the infection".

Microsoft said the action will not "fully eliminate the ZeroAccess botnet due to the complexity of the threat". However, it will significantly disrupt the botnet's operation and cause a loss of revenue for the cyber criminals behind ZeroAccess.