Hacker arrested for exploiting HeartBleed vulnerability to steal information

A 19-year-old computer science student has been arrested by the Royal Canadian Mounted Police (RCMP) and accused of stealing personal data by exploiting the "HeartBleed" vulnerability.

HeartBleed, the bug that left the Internet vulnerable, is a recently uncovered security flaw in the popular open-source encryption library(OpenSSL) which allows attackers to read memory of the server running vulnerable OpenSSL - means attacker can steal sensitive information.

Stephen Arthuro Solis-Reyes from London, Ontario, accused of exploiting HeartBleed bug to steal sensitive information from servers of the Canadian Revenue Agency(CRA), according to RCMP.

During the Police raid, his computer was seized by Canadian police.  He is scheduled to appear in court in Ottawa on July 17.

The arrest came after CRA announced that someone exploited the HeartBleed bug to steal 900 Social Insurance numbers of taxpayers.  The agency had shut down its site temporarily to prevent further attacks.

"The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible." Assistant Commissioner Gilles Michaud said in a statement.

"Investigators from National Division, along with our counterparts in “O” Division have been working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorizations and liaising with our partners".

LaCie Security Breach went unnoticed for a Year

If you used a credit or debit card to purchase electronic items at LaCie's website last year, you may want to eagle-eye your card statements.

LaCie, French Computer Hardware company specializing in external hard drives, announced that it fell victim to a security breach that put customers' personal information and financial information at risk.

The company says cybercriminals used malware to infiltrate their website.  After getting notification from FBI on March regarding the breach, LaCie hired cyber forensic investigation firm.

Customers who made transactions between March 27,2013 and March 10,2014 were affected by this data breach.

According to an incident notification, customers' usernames, passwords, names, addresses, email IDs, credit and debit card information are all at risk.

Customers' passwords have been reset. e-commerce portion of the site has temporarily been disabled while the company "transition to a provider that specializes in secure payment processing services".

9 charged for stealing millions of dollars with Zeus Malware

The Zeus malware is one of the most damaging pieces of financial malware that has helped the culprits to infect thousands of business computers and capture passwords, account numbers and other information necessary to log into online banking accounts.

U.S. Department of Justice unsealed charges against nine alleged cyber criminals for distributing notorious Zeus malware to steal millions of dollars from bank accounts.

Vyachesla V Igorevich Penchukov, Ivan Viktorvich Klepikov, Alexey Dmitrievich Bron, Alexey Tikonov, Yevhen Kulibaba, Yuriy Konov Alenko, And John Does are charged to devise and execute a scheme and artifice to defraud Bank Of America, First Federal Savings Bank, First National Bank Of Omaha, Key Bank, Salisbury Bank & Trust, Union Bank And Trust, And United Bankshares Corporation, all of which were depository institutions insured by the Federal Deposit Insurance Corporation.

They are also accused to use Zeus, or Zbot, computer intrusion, malicious software, and fraud to steal or attempt to steal millions of dollars from several bank accounts in the United States, and elsewhere.

It has also been reported that defendants and their co-conspirators infected thousands of business computers with software that captured passwords, account numbers, and other information necessary to log into online banking accounts, and then used the captured information to steal millions of dollars from account-holding victims' bank accounts.

Account holding victims include Bullitt County Fiscal Court, Doll Distributing, Franciscan Sisters Of Chicago, Husker Ag, Llc, Parago, Inc., Town Of Egremont, And United Dairy...

They have also been given notice by the United States of America, that upon conviction of any defendant, a money judgment may be imposed on that defendant equal to the total value of the property subject to forfeiture, which is at least $70,000,000.00.

The United States of America has also requested that trial of the case be held at Lincoln, Nebraska, pursuant to the rules of this Court. The Metropolitan Police Service in the U.K., the National Police of the Netherlands’ National High Tech Crime Unit and the Security Service of Ukraine are assisting the investigation.

31 Security bugs fixed in Google Chrome 34

Google has announced the stable release of Chrome 34, an update brining number of fixes, functionality improvements and security updates.

In total, 31 security vulnerabilities have been patched in this latest version 34.0.1847.116 which includes medium to high severity bugs.

The list of high severity bugs are UXSS in V8, OOB access in V8, Integer overflow in compositor, Use-after-free in web workers, Use-after-free in DOM, Memory corruption in V8, Use-after-free in rendering, Url confusion with RTL characters and Use-after-free in speech.

The medium severity bugs include Use-after-free in speech, OOB read with window property and Use-after-free in forms.

A total of $29,500 has been awarded to researchers who reported the above security vulnerabilities.

Syrian Electronic Army gather evidence that Microsoft selling your information to FBI

A document recently leaked by Syrian Electronic Army shows that Microsoft is charging FBI secret division to legally view customer information.  The documents are said to have been taken from Microsoft.

Syrian Electronic Army(SEA) is known for hacking social media accounts and websites of top organizations including Microsoft, CNN, Daily dot and more. 

SEA allowed the Daily Dot to analyze the documents before they published in full.

The document is said to be containing emails and invoices between Microsoft's Global Criminal Compliance team and the FBI's Digital Intercept Technology Unit (DITU).

The documents shows that Microsoft charged FBI $145,100 in December 2012, broken down to $100 per request for information.  But in 2013, Microsoft allegedly doubled the amount, charged FBI $200 per request for a total of $352,200.  For the recent invoice(Nov 2013), they charged $281,000.

The information provided to FBI including Live email ID, PUID, name, address, country, IP address, Date of Registration and few other details.

Here is the screenshot of documents:

Critical SSRF vulnerability in Paypal's subsidiary allows to access Internal Network

Shubham Shah, a web application pentester from Australia, has discovered a critical Server Side Request Forgery(SSRF) vulnerability in the Bill Me Later website, a subsidiary of Paypal. The vulnerability exists in the subdomain(merchants.billmelater.com).

"The vulnerability itself was found within a test bed for BillMeLater’s SOAP API, which allowed for queries to be made to any given host URL." researcher explained in his blog post.

An attacker is able to send request to any internal network through the API and get the response.  Some internal admin pages allowed him to query internal databases without asking any login credentials.

Researcher says that a successful exploitation may result in compromising the customers data.

The bug was reported to Paypal on October 2013 and he got reward from them on Jan. 2014.

Paypal has partially fixed the bug by restricting the SOAP API to access the internal servers.  However, researcher says that it still act as proxy to view other hosts.

If you would like to know more details about SSRF vulnerability and how it can be exploited for port scanning or internal network finding, you can refer the Riyaz Waliker blog post and this document.

Syrian National Coalition website and US Central Command hacked by Syrian Electronic Army

The official website of the National Coalition for Syrian Revolutionary and Opposition Forces(etilaf.org) and few other websites have been hacked and defaced by Syrian Electronic Army.

In addition to Syrian National Coalition hack, the group also hacked into Masarat Syria (masaratsyria.com) and the City Council of Daraya (darayacouncil.org).

The hacked websites went offline at the time of writing, A mirror of the defacement can be found here:
  • http://www.zone-h.org/mirror/id/22015751
  • http://www.zone-h.org/mirror/id/22015787
  • http://www.zone-h.org/mirror/id/22015855
Recently, the group also announced that they have successfully breached the US Central Command(CENTCOM) and accessed hundreds of documents.

In the meantime, the Syrian Electronic army also posted a tweet "How much does @Microsoft charge @FBIPressOffice ever month to spy on your emails? Stay tuned for their leaked documents. #SEA #PRISM".

Miley Cyrus, Taylor Swift and Britney Spears websites hacked by Ethical Spectrum

Update :
The latest tweet from the hacker shows he compromised the database containing username and password details belong to these websites "The database of #MileyCyrus, #SelenaGomez......etc with 2,5 million users and pass is for sell, anyone interested email me at my mail"

Exclusive Information:
The hacker told E Hacking News that he found multiple vulnerabilities in the Groundctrl website and gained access to the database server.

He also gained access to the CMS panel which manages the celebrities' websites.
GroundCtrl CMS Panel

Original Article:

A hacker going by online handle "Ethical Spectrum" has hacked into websites belong to several celebrities and defaced the sites.

The affected websites include Miley Cyrus official site(mileycyrus.com), Selena Gomez(selenagomez.com), Taylor Swift site(taylorswift.com), Britney Spears site(britneyspears.com).

We are able to confirm that these are official websites of the celebrities, as it is being linked from their twitter account.

According to hackers twitter account(@Eth_Spectrum), he hacked into the above mentioned websites on March 8th.  The website was restored after the breach.  However, hacker mentioned he once again managed to deface them.  ]

Other websites attacked by the hacker are Ground Ctrl(groundctrl.com), mypinkfriday.com, Chelsea Handler site (chelseahandler.com), Aaron Lewis(aaronlewismusic.com/), therealcocojones.com, christinagrimmieofficial.com, Kacey Musgraves(kaceymusgraves.com).

The defacement just reads "Why i hacked this site, you can ask this person greg.patterson@groundctrl.com".

Greg Patterson is the co-founder of the Groundctrl, an organization that build websites for artists.  It appears the security breach started from Groundctrl.

Other affected sites:
  • Pat Green(patgreen.com),  
  • Rob Thomas(robthomasmusic.com), 
  • Rock Mafia(rockmafia.com  ), 
  • ritawilson.com  , 
  • sum41.com
  • nickcarter.net
  • jordanknight.com
If you are not able to see the defacement, you can find the mirror here:

All of the affected websites are currently showing the maintenance error message except groundctrl official website.

Hacker didn't provide much information about the breach, so we are not sure how exactly he hacked into all of these websites, whether he found a zero-day exploit on the cms developed by groundctrl or all of the affected sites managed in a central place. 

Hacker breaches Johns Hopkins University website

A hacker claiming to be part of the Anonymous hackers group has breached the Johns Hopkins University website and leaked the data compromised from the database server.

The database server contains information of current and former biomedical engineering students.  The stolen information includes name, phone number and email id of students.

The University says no information such as Social Security numbers and credit card numbers that would make identity theft a concert, is not involved in the breach.

According to the Baltimore Sun, the so-called anonymous hacker attempted to extort the university for further access to its database server, threatening to leak the stolen data unless university handed over the server password.

The breach reportedly occurred in last November, the vulnerability responsible for the breach has been patched.  The University is currently working with FBI and trying to remove the leaked data from online. 

Hackers compromised 300k personal records from University of Maryland

Hackers breached University of Maryland's computer and compromised data belong to more than 300,000 people affiliated with the school on its College Park and Shady Grove campuses.

Details of students, staffs have been compromised in this security breach.  The accessed information includes Social Security numbers, names, birth dates and university ids, reports TwinCities.com

On Tuesday, 4 a.m, an Intruder gained access to a database containing information dating to 1998.  Other than stealing the data, the hacker didn't do any damage for the server.

University President Wallace D. Loh. said school officials are investigating the security breach and trying their best to prevent such kind of attacks in future.

Loh said they are also working with Law enforcements authorities. Computer forensics experts are examining the logs to determine how intruders gained access.

University plans to offer one year free credit card monitoring service to those who affected by this breach. 

400Gbps NTP-based DDOS attack hits CloudFlare - largest DDOS attack in History

Until a week ago, it was believed that Distributed denial-of-service(DDOS) attack against Spamhaus is the largest one in the history.  Now, an even bigger DDOS attack has been recorded by the Content delivery Network CloudFlare.

Matthew Prince, CloudFlare CEO, said in twitter that very big NTP reflection attack was hitting them and appears to be bigger than the Spamhaus attack from last year.

According to Matthew, the attack reached 400Gbps which is 100Gbps higher than the ddos attack targeting Spamhaus. 

CloudFlare said all websites have returned to production.

Founder of a French hosting firm OVH also said their network received more than 350Gbps traffic, but it is not clear whether it is related or not.

Last month, CloudFlare also wrote an article detailing about the Network Time protocol(NTP) based DDOS attacks that caused trouble for some gaming web sites and service providers.

NTP protocol is UDP-based protocol runs on port 123 which is used by Internet connected computers to set clocks accurately.  A system will synchronize with the server and receives the current time.

Experts says this protocol is prone to amplification attacks because it will response to the packets with spoofed source IP address "and because at least one of its built in commands will send a long reply to a short request. That makes it ideal as a DDoS tool."

List of open NTP servers on the Internet allows attackers to launch Denial of attack against any target network. 

Dubai Police's Twitter and other Social media accounts hacked by @TheHorsemenLulz

A hacker identified as @TheHorsemenLulz attacked Dubai Police's official Social media accounts including verified Twitter account with 258k followers.

"Dubai Police is spying on you, Isn’t it fair that we the people do the same back? hacked by @TheHorsemenLulz," message posted in the hijacked twitter account reads.

Hacker posted a number of screenshots in his twitter account, it shows that he also hijacked other social media accounts : Pinterest, Linkedin and Tumblr.

Dubai Police have regained access to their twitter account and the tweets posted by hacker have been removed from the feeds.

It appears the hacker has ddosed several websites including Central Bank of the United Arab Emirates, UAE Computer Emergency Response Team and Emirates Integrated Telecommunications Company.

Facebook almost got hacked by Syrian Electronic Army, MarkMonitor website Hacked

Earlier today the Syrian Electronic Army posted a tweet with screenshots which suggested they had hijacked the Facebook's domain and changed the Registrant details and name server.

"Happy Birthday Mark! http://Facebook.com  owned by #SEA http://whois.domaintools.com/facebook.com" Hackers said in a tweet.

How hackers take control of Facebook Domain?
The next tweet confirmed that the hacker group took control of the MarkMonitor website - a website that manages Top Level domains including Facebook, Google, Yahoo and more.

The group managed to gain the admin panel of the Mark Monitor website that allowed them to access records of all domains hosted.

After learning about the breach, the Markmonitor immediately took down the Management portal.

It seems like facebook is lucky this time.  Even though the group changed the nameserver of the domain, it didn't reflect.  It's failed attempt to compromise domain's DNS records.  If they had managed to change the records successfully, it could have affected millions of facebook users.

Few other screenshots provided by Syrian Electronic Army shows that the group had access to Google, Yahoo and Amazon domains.

RedHack claimed to have hacked ISP TTNET, Vodafone and Turkcell

The Turkish hacktivist collective RedHack claims to have breached systems of Turkish ISP TTNet(www.ttnet.com.tr), vodafone and leading Turkish mobile operator TurckCell(turkcell.com.tr).

"Customer data of ISP TTNET, mobile operator Vodafone and Turkcell infiltrated and vast amount of data collected from the systems. +"  Hackers announced the hack earlier today.

Hackers claimed to have compromised millions of records from the servers.

"If we are able to reach these info on their systems with our limited resources imagine what can foreign intelligence agency do. These companies have 90% of the population's data on their systems and they can't protect them." Hackers said.

The have dumped(http://justpaste.it/eaml) some of data compromised from TTNet.  The dump only contains the membership details of Ministries, National Intelligence Agency(MIT),and Security Directorate.  Hackers didn't publish the data belong to general public, "as a matter of principle".

The leak contains information such as names, phone numbers, addresses, email IDs and other information.

Hackers said the reason for these breaches is to prove the fact that no one and no system is 100% secure.

"In the coming days we'll continue with those exploiting the country. No public information will be shared. Our people can be at ease." The group said that they will continue the operation.

Indian Public Health Engineering Department website hacked by Pakistan Hackers

West Bengal Branch of Indian Public Health Engineering Department website(www.wbphed.gov.in) has been breached by a hacker from Pakistan.

A hacker with handle H4$N4!N H4XOR from Pakistan Haxors CREW has has uploaded a defacement page in the "Uploads" directory of the site (http://www.wbphed.gov.in/applications/GO/uploads/index.html).

When we asked about the vulnerability responsible for the breach, the hacker said that the website is vulnerable to SQL Injection vulnerability.

"Security Breach!Free Kashmir. Free Syria. Stop Spying On US. Stop Killing Muslims. We Have All Your Data. Don't Try To Catch Us" The defacement message reads.

The hackers said the defacement is revenge for hacking Pakistan websites.  He also claimed to have compromised the database from the server.

In the last two days, the group hacked into Indian Railways website and Official website of Assam Rifles.

Third-party database compromise leads to Yahoo mail account hack

Yahoo has acknowledged a number of yahoo mail accounts have been accessed by hackers.  Yahoo says the unauthorized access came after hackers compromise a third-party database.

Yahoo didn't specify the name of the third-party and didn't disclose number of affected users.  After learned about the unauthorized access, Yahoo is sending password reset mail to all impacted accounts.

The company also said in its official statement that they have found no evidence that the credentials were compromised directly from its server.  Their investigation revealed a malicious software is using the login credentials to access Yahoo mail accounts.

The company said that it is now working with federal law enforcement to find the cause of the unauthorized access.  Additional measures also implemented to secure its server.

Yahoo says if your account is affected by this breach, you will get a notification through your yahoo email or SMS if a phone number is linked to your account.

Guccifer, the hacker responsible for several high-profile hacks arrested in Romania

Marcel Lazăr Lehel, 40-year-old, from Romania suspected of being the notorious hacker Guccifer has been arrested by Romanian Authorities, at his home in Arad county.

"Guccifer", is the hacker who responsible for a number of high-profile account hacks.  In Feb. 2013, he hacked into 6 separate email accounts including AOL email account of Dorothy Bush Koch, daughter of former president George H.W. Bush and exposed emails, photos & personal information.

Other persons targeted by "Guccifer" includes George Maior(The head of the Romanian Intelligence Service (SRI)), Colin Powell, U.S. Senator Lisa Murkowski, comedian Steve Martin, actress Mariel Hemingway, editor Tina Brown and many others.

This is not the first time Lazăr Lehel has been arrested for hacking.  In Feb. 2012, he received a three year suspended sentence.

Thousands of websites infected via Vulnerability in WordPress OptimizePress Theme

A file upload vulnerability in the OptimizePress theme allowed attackers to infect thousands of Wordpress websites, reports Sucuri.

The vulnerability in question is at "lib/admin/media-upload.php" location that allows anyone to upload any kind of files to the "wp-content/uploads/optpress/images_comingsoon" folder.

Sucuri Team has detected that more than 2,000 websites using the Optimizepress theme have been compromised.  All of the compromised sites have been injected with iFrame to same malicious domain.

Almost 75% infected websites have already been blacklisted in Google Safe browsing.

If you are using the above theme, you are urged to immediately upgrade to the latest version.  Otherwise, you will soon find yourself victim to malware infection. 

Fake Minecraft Android App sold at cheap price contains virus code

A fake version of Android app "Minecraft - Pocket Edition" is found to be hosted on third-party marketplaces which contains a malware code.

These kind of fake and malicious version of apps are usually available for free.  However, cyber criminals made some exception for this app which is being sold for half of the actual price of the original app.

PC Magazine reports that F-Secure researchers have discovered a trojanized version of the Minecraft PE asking users to pay 2.50 Euros- the original app costs5.49 Euros.

The cyber criminals didn't stop by just scamming with fake version, they also added malicious code.  It will send SMS to premium rated phone numbers and sign up victims to expensive services.

Researchers have noticed that this malicious app is using a hacking tool called "Smalihook" to bypass "an authentication routine that causes it to fail to run if it does a certificate verification check and doesn't find the correct certificate". 

The good news is that it is only hosted in some third-party app stores but not in the official Google Play store.  This is one more example why you should never trust third party app stores, always download apps from Google Play.

The Official Microsoft Blog also hacked and defaced by Syrian Electronic Army

It appears new year starts with bad luck for the Microsoft.  Microsoft has found itself under the radar of Syrian Electronic Army, one of the popular syrian hacker group known for high profile website hacks.

Few hours after we yesterday reported that Microsoft official twitter account hijacked,  their blog also got hacked by the Syrian Electronic Army(SEA).

The group managed to create an articled entitled "Hacked by Syrian Electronic Army" in the Microsoft official Technet blog(" blogs.technet.com/b/microsoft_blog/‎").

It appears the group still have access to the email accounts of Microsoft.  They also published emails sent from one employee to another employee regarding the security breach.

Now, the Technet blog is back up and functioning normally. The attack just came after the hijack of Microsoft Xbox twitter account and official twitter account of Skype.  The group also defaced the Skype's blog.

Stay Tuned at +E Hacking News to get more Exclusive information about the hack.