Month: September 2015

It’s an Indo-Pak Cyberspace WAR!

image

On Sunday morning, India’s southern Kerala state woke up to the news of the state government’s official website (www.Keralagov.in) being hacked by Pakistani hackers, who posted image of a burning Indian flag.
The hackers had left messages such as “Pakistan Zindabad”, “We are Team Pak Cyber Attacker” and “Security is just an illusion”. The page also carried the identity of the hacker; “hacked” by Faisal 1337”. The Home Page also contained the website address www(dot)Faisal1337(dot)com.

However, preliminary reports suggested the hackers were could not get past the home page and into the server hosting this website.

This news spread like fire over social media and the issue instead of being a government website being hacked turned into being an attack on India by the neighbouring country. But few expected that within a span of few hours an Indian hacking group with the name of “The Mallu Cyber Soldiers” will payback the favour.
The Indian hacking group had hacked over 100 official websites of Pakistani government and posted message on their websites- “Better stay away from Indian Cyber Space”.

They also posted a message on their facebook page.

” !!Message to Script Kiddies of Pakistan ….Do not touch Indian Websites !!! Now your 46 Pakistan government websites got crashed and 4 educational websites got defaced This is a small payback for hacking kerala.gov.in ”

They also posted a list of websites which were crashed. Few included Pakistan’s government website Pakistan.gov.pk, president.gov.pk and cabinet.gov.pk.

But the war did not cyber war did not there. In the same message, the group ‘Hell Shield Hackers’ stated that the motive behind this attack was to retaliate against the attack on the Kerala government’s website.
Often gunfire exchanges across the border seem to take place. During the cricket matches also between the two countries, the rivalry of the two nations are frequently seen but now a full-blown hacking and defacement war seems to have simultaneously erupted in cyber space.

This is not the first time that the hacking has taken place between the two nations.

In October 2014, a Malayali actor and producer, Mohanlal Viswanathan Nair’s  website was hacked by a group known as Cyber Warriors, who had posted several “Free Kashmir slogans” and warned Indian Army about their activities in the Kashmir valley.

The Government from both the nations have nothing to do with it.

Hacking the government sites exposes the vulnerability of official websites.

Though it was just a defacement and officials told that the server of Kerala Government’s website is safe. Yet, the incident calls for a better cyber security mechanism.

The Indian public sees this retaliation as ‘revenge’. However, it’s an issue much more than patriotism.
 Hackers mostly target large organisations, government or community websites which store personal information of thousands or millions of users.

While the Modi government talks about digitizing India, incidents like these highlight the importance for improved cyber security which comes foremost and is a much important issue before the digitization of the country.

While the USA and China are entering into a cyber security agreement, the Indo Pak cyber hack games continue unabated which exposes the weak cyber security of both the nations.

——–myabhya——–
(Perfect Training Center)

Advertisements

5.6 million fingerprints stolen, but the reason is still unknown

image

Some people are blaming Office of Personnel Management (OPM), which serves as a sort of human resources department for the federal government,  some are saying unchangeable biometrics and others are blaming Chinese hackers behind the massive breach in U.S of the OPM’s servers during which fingerprints of 5.6 million people were stolen.

No matter, what was the reason but the tension is about those millions people whose fingerprints have been stolen. What would be the consequence? Or there is nothing to worry about?

The authority concerned needs to come up with some program to address the issue.

Now, the U.S. officials have blamed Chinese government hackers without any evidence. China has also denied to have any involvement in the breach.

The OPM has said that the federal experts believe there is low chance of fingerprints being misused. However, there is a possibility that future technologies could take advantage of this information.

The OPM had earlier confirmed that the number of people was 1.1 million only. However, the number has now increased to 5.6 million.

“The fact that the number [of fingerprints breached] just increased by a factor of five is pretty mind-boggling,” Joseph Lorenzo Hall, the chief technologist at the Center for Democracy & Technology, told Boing Boing. “I’m surprised they didn’t have structures in place to determine the number of fingerprints compromised earlier during the investigation.”

Not only the fingerprints, it is said that about 21.5 million individuals had their Social Security Numbers and other sensitive information affected by the hack.

As per the OPM, now, Department of Homeland Security and Defense Department representatives are planning to review the implications of the stolen fingerprint data.

——–myabhya——–
(Perfect Training Center)

Starbucks fixes critical flaws that could allow an attacker to steal users’ credit-cards

image

Mohamed M. Fouad, an Information Security Consultant from SecureMisr, has discovered a critical flaw in Starbucks that allowed an attacker to steal users’ credit-cards and perform Remote Code Execution.

“I discovered a lot of critical security vulnerabilities at (Starbucks) that can lead to very harmful impact on all users by forcing them to change their passwords, add alternative emails or change anything in their store profile settings and steal users’ stored credit-cards. It can also perform phishing attack on users and remote code execution on Starbucks servers,” the Egyptian researcher said in a blog post.

According to the researcher, Remote File Inclusion Vulnerability occurs when a file from any location can be injected into the attacked page and included as source code for parsing and execution. It allowed me to able to perform:

         –  Code execution on the web server.

          – Code execution on the client-side such as JavaScript which can lead to other    attacks   such as cross site scripting (XSS).

         –  Data theft/manipulation via phishing attack to steal users accounts that contain Credit cards and payment orders information.

The researcher started his research a year ago when there was a Zero-Day for Starbucks about iOS Mobile Application and “Insecure Data Storage” vulnerability was detected.

While he was searching about Starbucks hacking news he found another vulnerability two months ago which allowed the attackers to steal Starbucks users gift cards and duplicate funds on Starbucks gift cards.

“I noticed 2 months ago that Starbucks joined bug bounty programs. So my passion lead me to take a look on Starbucks  looking for a vulnerabilities in Starbucks until I found two major vulnerabilities which allow an attacker to perform Remote Code Execution on Starbucks server also phishing attacks via Remote File Inclusion Vulnerability and another one it was critical also about CSRF store account take over by just one-click. Starbucks store account contains payment history,” he added.

However, Starbucks confirmed that it has fixed the vulnerabilities.

——–myabhya——–
(Perfect Training Center)

WordPress Team releases version 4.3.1, fixes two vulnerabilities

image

The WordPress security team has released version 4.3.1 which is now available for download. This release fixes three issues including two cross-site scripting vulnerabilities and a potential privilege escalation. The vulnerabilities were revealed by Check Point researchers Shahar Tal and Netanel Rubin.

The first vulnerability CVE-2015-5714, a cross-scripting issue was present in all WordPress versions 4.3 and earlier. The earlier versions were vulnerable to this issue while processing shortcode tags.

Most users are very well-acquainted with shortcodes and it is a valuable asset for WordPress developers. The Check Point researchers have found a fault in the way shortcodes are handled. In general, a “KSES filtering is performed prior to the insertion of data into the DB, and shortcode parsing is performed when printing it to responses.”

The researchers, then, came up with a method that tangled HTML code with the shortcode’s content, and they were able to leave an HTML anchor tag open to perform persistent attacks. This as the HTML and shortcode validations took place at different times.

The second vulnerability CVE-2015-5714, a privilege escalation bug, grants the users to publish private posts and even make them sticky on a site. This last vulnerability could have a greater impact on WordPress websites that use the CMS’ built-in user management features to build a community around the site.

——–myabhya——–
(Perfect Training Center)

Facebook’s ‘Dislike Button’ scam

image

Few days after Facebook CEO Mark Zuckerberg, on September 2015, in a Q&A session announced that the long awaited Facebook ‘Dislike Button’ will be implemented soon, scammers seized upon this opportunity in spreading phishing attacks and malware.

Soon after this, many users got the link inviting them to download the Facebook’s ‘ Dislike Button’, it says that it is “invite-only feature”. One of the most popular dislike button scam is titled as “Get newly introduced Facebook dislike button on your profile”. Once clicking on these links leads the victims to a malicious websites.

The ultimate goal of the scammer  is to encourage users to share the link on their Facebook page. Once it is  spread on Facebook, they asks you for your personal information and account credentials, or sometimes it  downloads the malicious software causing further damage to the computer.

Zuckerberg,  the co-founder and CEO said that, “We are working on it, and are very close to shipping a test of it.”

Computer security expert Graham Cluley  showed this concern over this on his blog.  “Scams like this trick you into liking pages, and sharing the link with your friends, using the bait of something alluring…in some cases they will even lead you to pricey premium rate mobile phone subscriptions, online surveys that generate the scammers income, or trick you into downloading malicious code onto your PC.”

And advised that, “Don’t be duped. If you’re a Facebook crack-addict then try to resist the urge of falling for the latest scam, and wait for Facebook to properly roll-out new features as and when they choose.”

——–myabhya——–
(Perfect Training Center)

Apple cleaning up iOS App Store after first major attack

image

A news report published in Reuters confirmed that after several cyber security firms reported a malicious iPhone and iPad program that attack on the popular mobile software outlet and was embedded in hundreds of legitimate apps, Apple Inc APPL.O on Sunday said it was cleaning up its iOS App Store to remove the malicious program dubbed XcodeGhost.

According to cyber security firm Palo Alto Networks Inc (PANW.N), it is the first reported case of large numbers of malicious software programs making their way past Apple’s stringent app review process. Prior to this attack, only five malicious apps had ever been found in the App Store.

Then, the malicious code was embedded in the apps by convincing developers of legitimate software to use a tainted, counterfeit version of Apple’s software for creating iOS and Mac apps, which is known as Xcode.

Researchers said infected apps included Tencent Holdings Ltd’s (0700.HK) popular mobile chat app WeChat, car-hailing app Didi Kuaidi and a music app from Internet portal NetEase Inc.

Tencent said on its official WeChat blog that the security flaw affects WeChat 6.2.5, an old version of its popular chatting app, and that newer versions were unaffected. A preliminary investigation showed there had been no data theft or leakage of user information, the company said.

Chinese security firm Qihoo360 Technology Co (QIHU.N) said on its blog that it had uncovered 344 apps tainted with XcodeGhost.

“We’ve removed the apps from the App Store that we know have been created with this counterfeit software,” Apple spokeswoman Christine Monaghan said in an email. “We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps.”
However, it was not clear that what steps iPhone and iPad users could take to determine whether their devices were infected.

Ryan Olson, director of threat intelligence at Palo Alto Networks, told Reuters that the malware had limited functionality and his firm had uncovered no examples of data theft or other harm as a result of the attack.

——–myabhya——–
(Perfect Training Center)

G Data releases new secure chat app for Android users

image

G Data, a Germany based internet security firm has released its highly secure messaging chat application, SECURE CHAT, on its 30 Anniversary for Android users.

Secure Chat has opted for the secure multiple-encrypted asynchronous chat protocol, Axolotl, which is internationally considered to be practically impossible to hack. The app guarantees the secure exchange of photos, videos and other media. It protects the privacy of the user from the hackers and cyber eavesdropping.

“In today’s world, the privacy of the individual as well as businesses is in constant peril with the growing ability of hackers to tap into and steal data,” said Andy Hayter, security evangelist, G DATA. “We created the SECURE CHAT app with the strongest encryption protocol possible, to offer users the ability to easily communicate with each other without having to worry about the security of their conversations and data.”

While installing G Data Secure Chat, it will ask you to verify your mobile number, it will use this number to identify you if you wish to install it on another device. It first sends SMS on your mobile  number, but if it doesn’t verify correctly — it didn’t like my Google Voice number — you have the option to verify over a voice call.

One of the most prominent feature of G Data Secure Chat is to set timer for messages to auto delete from both ends, senders as well as receivers, filter for incoming and outgoing messages and SMS, and its ability to  hide SMS messages from specific contacts.

G DATA SECURE CHAT is now available for free in the Google Play store.

——–myabhya——–
(Perfect Training Center)

Security experts detects Odlanor malware that cheats at poker

image

Security experts from at ESET have discovered a malware that targets Pokerstars’ users and Full Tilt Poker and that lets competitors (crooks) cheat their way to winning games by leaking their information about their cards to their competitors. It affects people who have accounts on PokerStars and Full Tilt Poker.

Researchers have said that the hackers have been using the malware dubbed Odlanor to sneak a look at a player’s virtual poker hand on popular gambling sites. They are then signing into the same game and betting against their victim to up the stakes and steal their money.

It is said that the malware is a successor to the Zynga-targeting Pokeragent Facebook worm, which was discovered two years ago.

According to the researchers, once the Odlanor executed, it will be used to create screenshots of the window of the two targeted poker clients PokerStars or Full Tilt Poker, if the victim is running either of them. The screenshots are then sent to the attacker’s remote computer.

Then, the cheating attackers can retrieve the screenshots. They reveal not only the hands of the infected opponent but also the player ID. Both of the targeted poker sites allow searching for players by their player IDs, hence the attacker can easily connect to the tables on which they’re playing.

—myabhya—

Apple claims to have fully fixed a critical iOS Airdrop vulnerability, which researcher says it doesn’t

image

Some days ago, Mark Dowd, a security researcher, discovered a critical flaw in iOS 9 that allows an attacker within Bluetooth range of an iPhone to install malicious apps using the Airdrop filesharing feature.

A report published in Ars Technica confirms that after that, the researcher privately reported it to Apple.

Then, Apple released a press statement on Wednesday informing that the vulnerability has been mitigated in iOS 9.

However, the researcher did not stop his research and revealed that the bug still hasn’t been fixed.

The mitigations available in Wednesday’s release of iOS 9 are one more benefit that security-conscious iPhone users should consider when deciding whether to install the update.

The researcher exploited a directory traversal flaw that allows attackers to write and overwrite files of their choice to just about any file location they want.

The researcher used an enterprise certificate that Apple makes available to developers so large organizations can install custom apps on large fleets of iPhones.

During his research, his technique installs did not generate a dialog that warns the end user that the app is signed by a third party and asking for approval to proceed.

“Another method for bypassing iOS code-signing restrictions would be to combine my Airdrop hack with jailbreak exploit, such as the TaiG jailbreak that Apple recently patched with version 8.4 of iOS,” he said.

He posted a video to show how thw bug allows attackers who briefly have physical access to a vulnerable iPhone or who are within Bluetooth range of it, to install an app that the device will trust without prompting the user with a warning dialog.

—myabhya—

Lackadaisical VAPT leads to big hole in Cyber Security

image

Vulnerability analysis and penetration testing (VAPT) is the bedrock for cyber security. How can one fix problems if one does not know what the problem is? Ignorance is no bliss when it comes to cyber security – one estimate of annual cost of cyber crime to global economy ranges from US $ 375 billion – US $ 575 billion. That’s a lot of money.

Pity then that many companies undertake VAPT as an eye wash for ISO 270001, to secure for themselves a compliance certificate. IT vendors/IT Consultants are usually tasked with undertaking VAPT, and these firms in turn outsource it further to so called specialists, sometimes without the clients’ knowledge.

Vulnerability testing is deeply technical issue. When one is faced with situations such as Advanced Persistent Threats (APT) and 0 Day Vulnerabilities, it needs to be borne in mind that businesses are up against highly skilled and creative hackers. Such attackers typically belong to organized criminal groups, mafia groups, Black Hat hacker groups or state backed groups.

APT attack happens when committed adversaries persistently utilize advanced technologies to compromise targets. Extremely hazardous 0 Day exploits (vulnerabilities found by hackers and never reported to security vendors) are found in Operating Systems, Application Software, Browsers’ like Chrome, Firefox, Antivirus Software, Firewall, and Internal Application Software. On an average, twenty 0 Day vulnerabilities exist in any given server. O Days have the greatest amount of success and damage rates and least probability of detection by firewalls/IDS/AV’s etc.

The lack of seriousness with respect to VAPT also extends to the “purchasers” of such services. Businesses are not fully equipped to understand the complexities of VAPT. One has heard of instances where a firm sought to dictate the nature of a Test, the date, time and even the server and port/s to be tested. All this fussiness may be relevant when it comes to a haircut, but not in the context of a VAPT. Hackers, of course, are famous for not following any rules whatsoever and thumbing their noses even at hyperactive cyber defenses, leave alone amateurish ones.

The crux of the whole problem appears to lack of senior management or CISO involvement in a VAPT or a similar exercise. This is a matter that cannot be left to systems administrators or developers who are better equipped to remediate the security issues than discovering vulnerabilities.

The lack of senior management attention is often seen in the nature of testing firms recruited to undertake the assignment. Inferior manpower (tool runners abound), no post exploitation skills, – no access to ultra critical 0 Day exploits, no APT “War Gaming” skills, no real white hat hackers on board with practical experience (only people with some theoretical knowledge), limited skills on network analysis – these are some of the downsides of testing firms normally used.

Businesses need to address such issues by ensuring senior level, even board level involvement in cyber security. Further their cyber security vendor selection process needs to be more precise and demanding. Vendors need to have very deep domain knowledge, years of penetration testing experience, sophisticated tools, access of hundreds of 0 Day exploits, and staffed by established and well networked bug bounty hunters and white hat hackers.

—myabhya—