Hack an iPhone, win $1 million


Apple has massively increased the amount it’s offering hackers for finding vulnerabilities in iPhones and Macs, up to $1 million. It’s by far the highest bug bounty on offer from any major tech company.

That’s up from $200,000, and in the fall the program will be open to all researchers. Previously only those on the company’s invite-only bug bounty program were eligible to receive rewards.

As Forbes reported on Monday, Apple is also launching a Mac bug bounty, which was confirmed Thursday, but it's also extending it to watchOS and its Apple TV operating system. The announcements came in Las Vegas at the Black Hat conference, where Apple’s head of security engineering Ivan Krstić gave a talk on iOS and macOS security.

Forbes also revealed on Monday that Apple was to give bug bounty participants “developer devices”—iPhones that let hackers dive further into iOS. They can, for instance, pause the processor to look at what’s happening with data in memory. Krstić confirmed the iOS Security Research Device program would be by application only. It will arrive next year.

$1 million for an iPhone hack

The full $1 million will go to researchers who can find a hack of the kernel—the core of iOS—with zero clicks required by the iPhone owner. Another $500,000 will be given to those who can find a “network attack requiring no user interaction.” There’s also a 50% bonus for hackers who can find weaknesses in software before it's released.

Apple is increasing those rewards in the face of an increasingly profitable private market where hackers sell the same information to governments for vast sums.

As Maor Shwartz told Forbes, the cost of a single exploit (a program that uses vulnerabilities, typically to take control of a computer or phone) can fetch as much as $1.5 million. An exploit targeting WhatsApp where no clicks are required from the user, for instance, can be sold to a government agency for that much, though such tools are rare. Only one or two a year will be sold, from a pool of around 400 researchers who focus on such high-end hacking. “It’s really hard to research them and produce a working exploit,” he said.

XSS in Photobucket fixed

Recently a 15-year-old tech blogger and security researcher named Indrajeet Bhuyan found and helped fix an XSS vulnerability in Photobucket.

He had previously found vulnerabilities in Samsung, Disqus, NDTV, Jabong, IIT Bombay and many others. 

Editor's Note: It is good to see that such young hackers are acting responsibly and reporting vulnerabilities instead of simply defacing the site or using the vulnerabilities for malicious motives. I hope that Mr. Indrajeet Bhuyan continues this.

Self Proclaimed Ethical Hacker Trishneet Arora website hacked by Team Cyber-Rog


Last night, the official website of self-proclaimed ethical hacker Trishneet Arora (trishneetarora.in) was breached and defaced by a hacker group called "Team Cyber-Rog".

Trishneet is the author of the book "The Hacking Era" and claims to have been awarded the titles of India's best ethical hacker, Punjab's No. 1 Cyber Crime Consultant and World's 2nd Youngest Author of Ethical Hacking Books. Trishneet is known on the internet as the founder of TAC Security Solutions, a cyber security company.

Wikipedia has deleted the page he created about himself (http://en.wikipedia.org/wiki/Trishneet_Arora) three times in the past, for the following reasons:

"12:29, 20 October 2012 Bwilkins (talk | contribs) deleted page Trishneet Arora (G4: Recreation of a page that was deleted per a deletion discussion (CSDH))
18:01, 18 October 2012 MBisanz (talk | contribs) deleted page Trishneet Arora (Wikipedia:Articles for deletion/Trishneet Arora)
13:13, 2 September 2012 Boing! said Zebedee (talk | contribs) deleted page Trishneet Arora (G11: Unambiguous advertising or promotion)"

After numerous restore attempts by him, the defaced page is still up, exposing his true face. According to the hackers, Trishneet conducts so-called ethical hacking workshops around the country. A lot of people have informed us that this guy has absolutely zero knowledge in this field and yet goes around acting as a "professional IT security expert". All his websites are on free hosting, and last night another one of his domains was hacked.

http://pastebin.com/2L3VVyrf

"You have disappointed us, we will continue to own and expose people like Trishneet. Learn to secure yourself before you teach others. Trishneet, stop making fake accounts of girls and conducting fake workshops for money/profit. We are watching you, Expect Us!" reads the message from the Cyber-Rog team. "oh and good luck with your book sales now :P"

The defaced page: http://trishneetarora.in/index.html


We came to know about this hack when security researcher Vedachala reported an XSS flaw in Trishneet's website.

The PoC URL provided by Vedachala for the reflected XSS:
http://trishneetarora.in/assets/';alert(String.fromCharCode(80,79,79,82,32,78,48,111,98,44,40,86,51,68,64,67,72,52,76,65,32,72,51,114,101,41,46,32,83,51,99,117,114,101,32,121,111,117,114,32,97,36,36,32,102,105,114,115,116,46,46))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(80,79,79,82,32,78,48,111,98,44,40,86,51,68,64,67,72,52,76,65,32,72,51,114,101,41,46,32,83,51,99,117,114,101,32,121,111,117,114,32,97,36,36,32,102,105,114,115,116,46,46))//";alert(String.fromCharCode(80,79,79,82,32,78,48,111,98,44,40,86,51,68,64,67,72,52,76,65,32,72,51,114,101,41,46,32,83,51,99,117,114,101,32,121,111,117,114,32,97,36,36,32,102,105,114,115,116,46,46))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(80,79,79,82,32,78,48,111,98,44,86,51,68,64,67,72,52,76,65,32,72,51,114,101,46,32,83,51,99,117,114,101,32,121,111,117,32,97,36,36,32,102,105,114,115,116,46,46))</SCRIPT>
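As an added illustration (not part of the guest post and not Vedachala's PoC), the JavaScript below models the two injection contexts a polyglot of this shape targets, a JS string literal and an HTML attribute, and shows how context-aware encoding neutralises it. The page template and the shortened sample path are assumptions; the real site's markup is not shown in the post.

```javascript
// Added example, not code from the guest post or from Vedachala's PoC.
// Assumed page template: the request path is reflected into an inline
// <script> string literal and into an <img alt> attribute.

// Constructed sample with the same shape as the PoC: close the JS string
// literal, inject a call, comment out the remainder, close the script
// element, break out of the attribute, then open a fresh <SCRIPT>.
const SAMPLE_PATH = `';alert(1)//</SCRIPT>">'><SCRIPT>alert(2)</SCRIPT>`;

// Vulnerable pattern: raw concatenation into both contexts.
function renderVulnerable(path) {
  return `<script>var asset = '${path}';</script>\n` +
         `<img alt="${path}" src="/missing.png">`;
}

// JS string context: JSON.stringify yields a valid literal with quotes and
// backslashes escaped; "<" is additionally escaped so a literal "</script>"
// inside the value cannot terminate the enclosing script element.
function jsStringLiteral(value) {
  return JSON.stringify(value).replace(/</g, '\\u003c');
}

// HTML attribute context: escape the characters that can end the attribute
// value or introduce new markup.
function htmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return value.replace(/[&<>"']/g, c => map[c]);
}

// Hardened pattern: one encoder per output context.
function renderHardened(path) {
  return `<script>var asset = ${jsStringLiteral(path)};</script>\n` +
         `<img alt="${htmlAttr(path)}" src="/missing.png">`;
}

// Defender-side check: the template legitimately emits exactly one <script>
// start tag; any further one came from the reflected value.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Round-trip: the hardened literal still decodes to the original path, so
// the fix does not mangle legitimate values.
function decodesToOriginal(path) {
  return JSON.parse(jsStringLiteral(path)) === path;
}
```

The vulnerable render yields three script start tags for the sample path (the template's own plus one per context), the hardened render exactly one.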

*Note: This is a guest post submitted by one of our readers.

List of Bug Bounty program for PenTesters and Ethical Hackers


"The best way to improve network security is hiring hackers." Unfortunately, companies can't hire all the best hackers, so they have chosen another way to improve their system security: bug bounty programs.

A bug bounty program is a place where security researchers and ethical hackers find vulnerabilities in a target website or app and get rewarded for their findings.

Here is a list of bug bounty programs that reward security researchers who find vulnerabilities.

Google:
If you find a vulnerability in Google, you will get a reward and your name will be listed on the Google Hall of Fame page.

Details about Vulnerability Reward Program: http://www.google.com/about/appsecurity/reward-program/

Hall of fame: http://www.google.com/about/appsecurity/hall-of-fame/

The following table outlines the usual rewards for the anticipated classes of bugs:
Vulnerability type | accounts.google.com | Other highly sensitive services [1] | Normal Google applications | Non-integrated acquisitions and other lower priority sites [2]
Remote code execution | $20,000 | $20,000 | $20,000 | $5,000
SQL injection or equivalent | $10,000 | $10,000 | $10,000 | $5,000
Significant authentication bypass or information leak | $10,000 | $5,000 | $1,337 | $500
Typical XSS | $3,133.7 | $1,337 | $500 | $100
XSRF, XSSI and other common web flaws | $500 - $3,133.7 (depending on impact) | $500 - $1,337 (depending on impact) | $500 | $100


Security Bug Bounty from Facebook:
Minimum reward is $500 USD.
The reward will be increased for severe or creative bugs.
Only one bounty per security bug will be awarded.

https://www.facebook.com/whitehat/bounty

Mozilla Bug Bounty program:


The Mozilla Security Bug Bounty Program is designed to encourage security research in Mozilla software and to reward those who help us create the safest Internet clients in existence.

For valid web application or service related security bugs, the bounty starts at $500 (US) for high severity and, in some cases, may go up to $3000 (US) for extraordinary or critical vulnerabilities. A Mozilla T-shirt is also included.

http://www.mozilla.org/security/bug-bounty.html

Paypal Bug Bounty Program For Professional Researchers

https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues

Secunia Vulnerability Coordination Reward Program (SVCRP)
SVCRP – a reward program incentive offered by Secunia to researchers who have discovered a vulnerability and would like a third party to confirm their findings and handle the coordination process with the vendor on their behalf: http://secunia.com/community/research/svcrp/

Etsy:
Etsy will pay a minimum of $500 for qualifying vulnerabilities, subject to a few conditions and with qualification determined by the Etsy Security Team.

http://codeascraft.etsy.com/2012/09/11/announcing-the-etsy-security-bug-bounty-program/

Barracuda Networks
www.barracudalabs.com/bugbounty

Companies that acknowledge researchers by name on their site but don't pay bounties:

Adobe Systems Incorporated:
Details: http://www.adobe.com/support/security/alertus.html
Security Acknowledgments: http://www.adobe.com/support/security/bulletins/securityacknowledgments.html

Twitter:

https://twitter.com/about/security

EBay:
http://pages.ebay.com/securitycenter/ResearchersAcknowledgement.html

Microsoft
http://technet.microsoft.com/en-us/security/ff852094.aspx
http://technet.microsoft.com/en-us/security/cc308589
http://technet.microsoft.com/en-us/security/cc308575
http://technet.microsoft.com/en-us/security/cc261624
http://www.microsoft.com/security/msrc/default.aspx

Apple
http://support.apple.com/kb/HT1318
https://ssl.apple.com/support/security/

Dropbox
https://www.dropbox.com/security
https://www.dropbox.com/special_thanks

Reddit
http://code.reddit.com/wiki/help/whitehat

Github
https://help.github.com/articles/responsible-disclosure-of-security-vulnerabilities

Ifixit
http://www.ifixit.com/Info/responsible_disclosure

37 Signals
http://37signals.com/security-response

Twilio
http://www.twilio.com/blog/2012/03/reporting-security-vulnerabilities.html

Constant Contact
http://www.constantcontact.com/about-constant-contact/security/report-vulnerability.jsp

Engine Yard
http://www.engineyard.com/legal/responsible-disclosure-policy

Lastpass
https://lastpass.com/support_security.php

RedHat
https://access.redhat.com/knowledge/articles/66234

Acquia
https://www.acquia.com/how-report-security-issue

Zynga
http://company.zynga.com/security/whitehats

Owncloud
http://owncloud.org/security/policy
http://owncloud.org/security/hall-of-fame

Tuenti
http://corporate.tuenti.com/en/dev/hall-of-fame

SoundCloud:
http://help.soundcloud.com/customer/portal/articles/439715-responsible-disclosure

Nokia Siemens Networks
http://www.nokiasiemensnetworks.com/about-us/responsible-disclosure


Yandex Bug Bounty:

http://company.yandex.com/security/hall-of-fame.xml


List of Ethical Hacker Conferences & computer security conferences

Security and Hacker conferences

The best way to learn new things and get into the InfoSec world is attending security and hacker conferences. You can meet a lot of security experts and black hat hackers.

Here is a list of international IT security and hacker conferences, each with a short description.

DEFCON Hacking Conference:

DEF CON, one of the world's largest and longest running hacking conferences, celebrates its 20th year with an energetic and appropriately themed compilation, entitled "XX". Founder and head of the conference Jeff Moss, also known as Dark Tangent, tasked DEF CON "goon" and Muti Music artist Great Scott with curating the talent-filled track selections, acknowledging that music can be pure hacker fuel.
www.defcon.org

*EHN is the official media partner of DefCon India

www.defcon.co.in

Black Hat hacker conference:

The Black Hat Briefings are a series of highly technical information security conferences that bring together thought leaders from all facets of the infosec world - from the corporate and government sectors to academic and even underground researchers. The environment is strictly vendor-neutral and focused on the sharing of practical insights and timely, actionable knowledge. Black Hat remains the best and biggest event of its kind, unique in its ability to define tomorrow's information security landscape.

https://www.blackhat.com/

Nullcon :

The nullcon conference is a unique platform for security companies/evangelists to showcase their research and technology. Nullcon hosts Prototype, Exhibition, Trainings, Free Workshops, null Job Fair at the conference. It is an integrated and structured platform which caters to the needs of IT Security industry at large in a comprehensive way.

*E Hacking News (EHN) is the official media partner of Nullcon

http://www.nullcon.net/


ClubHack:

ClubHack is a NOT-FOR-PROFIT initiative to bring security awareness in common people who use computers and internet in their daily life. It’s a member driven open community to make cyber security a common sense. The phenomenal growth of the Internet economy has led to a sharp increase in computer crimes and hacking incidents. ClubHack aims at making technology users aware of the risks associated with cyber transactions as well as the security measures.


*E Hacking News (EHN) is the official media partner of ClubHack


http://www.clubhack.com/

C0C0N :

c0c0n, previously known as Cyber Safe, is an annual event conducted as part of the International Information Security Day.

c0c0n is aimed at providing a platform to discuss, showcase, educate, understand and spread awareness on the latest trends in information, cyber and hi-tech crimes. It also aims to provide a hand-shaking platform for various corporate, government organizations including the various investigation agencies, academia, research organizations and other industry leaders and players for better co-ordination in making the cyber world a better and safe place to be. It will also serve as a platform to devise strategies to prevent cyber crimes against women.

http://is-ra.org/c0c0n/

X.25 Ethical Hacking Conference :

The X.25 Ethical Hacking Conference is held every year in Mexico and is one of the busiest in terms of computer security topics.


www.x25.org.mx

Intelligence-Sec

Intelligence-Sec is a fully integrated Conferences and Exhibitions Company managing and producing topical events for the security industry. All our global events are well researched and discussed with industry experts. Intelligence-Sec's main objective is to ensure that all attendees gain the best value for money when they participate in one of our events.

http://www.intelligence-sec.com/


Hacker Halted

The Hacker Halted APAC event annually gathers around 500 individuals; this consists of everyone, from ethical hackers to key C-level executives from corporates, government bodies and solution seekers.

The event is aimed at providing the opportunity to CEOs, COOs, CIOs, CFOs, Senior IT Professionals and all other decision makers to assess the best practices in acquiring, implementing, managing and measuring information security.

http://hackerhaltedapac.org

OWASP AppSec Conference

OWASP AppSec conferences bring together industry, government, security researchers, and practitioners to discuss the state of the art in application security. This series was launched in the United States in 2004 and Europe in 2005. Global AppSec conferences are held annually in North America, Latin America, Europe, and Asia Pacific. Additionally, regional events are held in locations such as Brazil, China, India, Ireland, Israel, and Washington D.C. Presentations and videos are generally posted several months after each conference.

ISWec

Infosecurity World is an annual exhibition and conference dedicated to Asia Pacific information security marketplace. The event showcases latest innovation, products and services from established to emerging brands.

http://infosecurityworld.net/


ShmooCon

ShmooCon is an annual east coast hacker convention hell-bent on offering three days of an interesting atmosphere for demonstrating technology exploitation, inventive software and hardware solutions, and open discussions of critical infosec issues. The first day is a single track of speed talks called One Track Mind. The next two days bring three tracks: Build It, Belay It and Bring It On.

http://www.shmoocon.org/

Hackinthebox:

Asia’s largest network security conference held annually in Kuala Lumpur, Malaysia and more recently the Middle East.
http://conference.hackinthebox.org

NOTACON

Not quite sure what hacker cons are really about? Do you like building and creating stuff? Are you tired of infosec focused conferences? Do you want to have fun while actively learning about cool stuff and meeting awesome people? NOTACON is the conference for you! No degree in computer science, nor job in IT is required to have a great time at Notacon. In fact, we believe some of the best hacks occur in areas outside of technology altogether.
http://www.notacon.org/

CONFidence


CONFidence is an annual IT security conference that will take place on 23-24th May, 2012 in Krakow, Poland for the 10th time! The best speakers, latest issues, laid-back atmosphere and Krakow crazy night life – that is why CONFidence has become a meeting point of hackers’ community in Europe.

http://confidence.org.pl/

BruCON

BruCON is an annual security and hacker(*) conference providing two days of an interesting atmosphere for open discussions of critical infosec issues, privacy, information technology and its cultural/technical implications on society. Organized in Belgium, BruCON offers a high quality line up of speakers, security challenges and interesting workshops. BruCON is a conference by and for the security and hacker(*) community.

brucon.org

MalCon

MALCON is a premier international technology security conference focusing exclusively on proactive malware research and analysis. MalCon is a part of Information Sharing and Analysis Center, in support with the Government of India.

http://www.malcon.org/

AthCon

AthCon is an annual, European two-day conference targeting particular areas of information security. Its aim: to bring leading information security experts together. Attacking techniques of exploitation and various forms of penetration testing have become an important component of any organisation. This conference aims to provide a venue for understanding the ever evolving changes as well as new threats.
http://www.athcon.org/


DerbyCon :

This is the place where security professionals from all over the world come to hang out. DerbyCon 3.0 will be held September 25-29th, 2013. DerbyCon 2012 pulled in over 1,100 people with an amazing speaker lineup and a family-like feel. We’ve listened to your feedback and plan on making this conference even better. Our goal is to keep it around the same size and maintain a close-knit conference where we all come together to learn and share ideas.
http://www.derbycon.com/

ekoparty

ekoparty (Electronic Knock Out Party) Security Conference is an annual computer security conference which, for its unique features and its particular style, has become a benchmark for all of Latin America.
http://www.ekoparty.org

GrrCON

GrrCON is an information security and hacking conference being held in the Midwest. This conference was put together to provide the Midwest regional information security community with a venue to come together and share ideas, information, solutions, forge relationships, and most importantly engage with like minded people in a fun atmosphere. Whether you are a Fortune 500 executive, security researcher, security industry professional, student, or a hacker of “flexible” morals you will find something for you at GrrCON.
http://grrcon.org/

T2 Infosec conference


t2 was born at a time when there was a need for a conference that was “from hacker to hacker” when there was not one single independent, technically oriented, information security conference in Finland in existence.

The mission of t2 has remained the same from its commencement, to be an annual conference dedicated to those who are interested in the technical aspects of information security. t2 offers the opportunity to publish new research and ideas as well as networking, the latter an elemental part of its ideology.

http://t2.fi/

DefCamp

DefCamp is a national initiative dedicated to developing the skills of young people passionate about computer security, by creating a stimulating offline environment which allows offline and online exchange of knowledge between underground security specialists, academic and corporate entities in Romania. DefCamp focuses on presenting technical information related to the security and insecurity of both virtual and real environments.

The idea of DefCamp came out in March 2011, after some informal discussions between several computer security addicts from Romania, passionate about various INFOSEC topics.

http://defcamp.com

Root CON
ROOTCON is an annual hacker conference and information security gathering held in the Philippines; it was founded by Dax Labrador a.k.a. semprix. The conference aims to share best practices and technologies through talks by qualified speakers and demos of exciting stuff (hacks, tools, tips, disclosures, cyber warfare, cyber espionage, etc). ROOTCON is open to everyone; previous participants have included InfoSec personnel, developers, programmers, engineers, hackers, businessmen, students, lawyers, feds, and the like.
www.rootcon.org

ACSAC(Annual Computer Security Applications Conference):

ACSAC has a tradition of bringing together security professionals from academia, government and industry who are interested in applied security. It is an internationally recognized forum where practitioners, researchers, and developers in information system security meet to learn and to exchange practical ideas and experiences. Started in 1984, the conference has grown over the years to achieve worldwide attendance and recognition for the high quality of its presentations, discussions, and interactions.

http://www.acsac.org


Blue Hat Microsoft Hacker Conference:


An event that is intended to open communication between Microsoft engineers and hackers is called Blue Hat Microsoft Hacker Conference. The event has led to both mutual understanding as well as the occasional confrontation.

www.bluehatsecurity.com


DeepSec

The DeepSec IDSC is an annual European two-day in-depth conference on computer, network, and application security.

https://deepsec.net/

CarolinaCon

CarolinaCon is an annual conference in North Carolina that is dedicated to sharing knowledge about technology, security and information rights. CarolinaCon also serves to enhance the local and international awareness of current technology related issues and developments. CarolinaCon also strives to mix in enough entertainment and side contests/challenges to make for a truly fun event.
http://www.carolinacon.org/

GreHack


GreHack is a non profit Security Conference (during day) and an Ethical Hacking Contest - aka CTF - (during night).
http://grehack.org/en/

Hack.lu

Hack.lu is an open convention/conference where people can discuss computer security, privacy, information technology and its cultural/technical implications on society.

http://hack.lu

CanSecWest
The world's most advanced conference focusing on applied digital security, it is about bringing the industry luminaries together in a relaxed environment which promotes collaboration and social networking.

http://cansecwest.com/

RSA Conference

RSA Conference is helping drive the information security agenda worldwide with annual industry events in the U.S., Europe and Asia.
http://www.rsaconference.com/

SOURCE Conference:
SOURCE is a computer security conference in Boston, Seattle, and Barcelona that offers education in both the business and technical aspects of the security industry.

http://www.sourceconference.com

TROOPERS IT Security Conference:
Annual international IT security event with workshops, held in Heidelberg.
https://www.troopers.de

The HackMiami Conference

The HackMiami Hackers Conference seeks to bring together the brightest minds within the information security industry and the digital underground.
http://hackmiami.com

If you think we have missed a great one, feel free to contact me with details.