
Yahoo Mail Hit By XSS Exploit Putting 400 Million Users At Risk


Mistrust is growing once again among Yahoo's many users, as the company has repeatedly failed to protect its customers from cyber attacks. Late last year, two major Yahoo services were compromised, affecting millions of registered users across the globe. First it was Yahoo Voice, which was hacked, putting 450K users at high risk. Then it was Yahoo Mail, where a few Egyptian hackers found serious XSS vulnerabilities in the Yahoo Mail service that let attackers steal cookies from Yahoo Webmail users. Cyber criminals later turned those loopholes into a product: the exploit was offered at a high price in underground markets and forums. As expected, Yahoo immediately patched these loopholes, but it now seems the company did not learn its lesson from the recent past.
You may be wondering what happened. Yahoo's security has once again fallen victim to hackers. Shahin Ramezany, a hacker and independent security researcher, has found a DOM-based XSS vulnerability in Yahoo Mail that is exploitable in all major browsers. Ramezany tweeted about the issue with a link to a YouTube video in which he demonstrated the hack. He also claimed that the exploit has put more than 400 million Yahoo users at risk.


As soon as the story was spotted, Yahoo responded. In an official release, a Yahoo spokesman said, "We’ve been looking into it and the US have now confirmed that they are investigating too. They will be in touch if there is a comment – otherwise I recommend that if users are concerned then they should change their passwords immediately."

Later Yahoo said that it had plugged the security hole. In the statement the spokesperson added, “At Yahoo! we take security very seriously and invest heavily in measures to protect our users and their data. We were recently informed of an online video that demonstrated a vulnerability. We confirm that the vulnerability has been fixed. In addition, we are investigating recent reports of increased abusive traffic and will work diligently to fix any vulnerabilities that are found. Concerned users are encouraged to change their passwords to a safe password that combines letters, numbers, and symbols.”

But the issue was not completely resolved: immediately after Yahoo released the fix, Shahin Ramezany said that the fix is not good enough and that the Yahoo Mail exploit is still active. On Twitter he said the fix is "not effective enough and users are still [at] risk," since the proof-of-concept code can be easily tweaked to continue attacks.







Twitter & Yahoo Tightening Their Security to Prevent Eavesdropping of NSA & Other Govt Agencies 
Last month a sensational, previously untold story came to light when whistleblower Edward Snowden unveiled one of the NSA's top-secret programs, called “Muscular”. Snowden, a former NSA contractor, disclosed that the National Security Agency has secretly broken into the main communications links that connect Yahoo and Google data centers around the world in order to collect and snoop on the private data of millions of internet users. NSA’s acquisitions directorate sends millions of records every day from internal Yahoo and Google networks to data warehouses at the agency’s headquarters at Fort Meade, Md. In the preceding 30 days, the report said, field collectors had processed and sent back 181,280,466 new records including “metadata,” which would indicate who sent or received e-mails and when, as well as content such as text, audio and video. Both Yahoo and Google said that they had never given any government agency access to their data centers. A Yahoo spokeswoman said, “We have strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or to any other government agency.” Google’s chief legal officer, David Drummond, said, “We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform.”

The fact remains that the NSA has indeed sniffed the personal and private communications of millions of internet users of tech giants like Yahoo and Google. To prevent this kind of privacy breach, the tech giants that hold the personal records and credentials of the masses are now tightening and enhancing their existing security systems. According to Marissa Mayer, CEO of Yahoo, "We’ve worked hard over the years to earn our users’ trust and we fight hard to preserve it." Yahoo also says it will encrypt all information moving between its data centers by the end of the first quarter, and it will work on getting international partners to enable HTTPS encryption in Yahoo-branded Mail services. Yahoo says it will give users an option to encrypt all data flow to and from Yahoo. "Yahoo has never given access to our data centers to the NSA or to any other government agency ever. There is nothing more important to us than protecting our users’ privacy. To that end, we recently announced that we will make Yahoo Mail even more secure by introducing https (SSL - Secure Sockets Layer) encryption with a 2048-bit key across our network by January 8, 2014," added Marissa Mayer.

Yahoo is not alone. The social networking giant Twitter, which has almost 550 million registered users and 250 million active users across the globe, also took immediate steps after this story of NSA spying came into the spotlight. Twitter is implementing new security measures that should make it much more difficult for anyone to eavesdrop on communications between its servers and users. The whole mechanism is intended to tighten the data privacy of its users. According to a Twitter blog post, the company has implemented "perfect forward secrecy" on its Web and mobile platforms, which makes eavesdropping almost impossible. "As part of our continuing effort to keep our users’ information as secure as possible, we’re happy to announce that we recently enabled forward secrecy for traffic on twitter.com, api.twitter.com, and mobile.twitter.com. On top of the usual confidentiality and integrity properties of HTTPS, forward secrecy adds a new property. If an adversary is currently recording all Twitter users’ encrypted traffic, and they later crack or steal Twitter’s private keys, they should not be able to use those keys to decrypt the recorded traffic," said the blog post.
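Whether recorded traffic stays protected after a private key is stolen depends on the key exchange the server actually negotiates with each client. The following is an added example, not Twitter's or Yahoo's code: it audits a server's cipher-suite preference list for forward secrecy, and the server lists, client lists and function names are constructed for illustration.

```python
"""Audit a TLS cipher-suite preference list for forward secrecy (added example)."""

EPHEMERAL = {"ECDHE", "DHE", "EDH"}   # ephemeral Diffie-Hellman key exchanges
STATIC_DH = {"ECDH", "DH"}            # fixed DH keys: no forward secrecy


def key_exchange(suite):
    """Return (key-exchange label, forward_secret) for an OpenSSL or IANA name."""
    name = suite.strip().upper()
    if name.startswith("TLS_") and "_WITH_" not in name:
        # TLS 1.3 names (TLS_AES_128_GCM_SHA256) omit the key exchange,
        # which is always ephemeral (EC)DHE in that protocol version.
        return ("TLS 1.3 (EC)DHE", True)
    if name.startswith("TLS_"):
        first = name[4:].split("_WITH_")[0].split("_")[0]   # IANA style
    else:
        first = name.split("-")[0]                           # OpenSSL style
    if first in EPHEMERAL:
        return (first, True)
    if first in STATIC_DH:
        return ("static " + first, False)
    if first == "PSK":
        return ("PSK", False)
    # OpenSSL names that begin with the cipher (AES128-SHA) and IANA
    # TLS_RSA_WITH_* names both mean RSA key transport: the session key is
    # encrypted to the server's long-term key, so a stolen key decrypts
    # recorded sessions. Rare exchanges such as SRP also land here and are
    # conservatively reported as not forward secret.
    return ("RSA", False)


def non_fs_suites(server_prefs):
    """Suites in the server list that would expose recorded traffic."""
    return [s for s in server_prefs if not key_exchange(s)[1]]


def negotiate(server_prefs, client_offers):
    """Server-preference selection: first server suite the client also offers."""
    offered = {c.upper() for c in client_offers}
    for suite in server_prefs:
        if suite.upper() in offered:
            return suite
    return None


def audit(server_prefs, clients):
    """Map each client profile to (negotiated suite, forward_secret)."""
    report = {}
    for label, offers in clients.items():
        chosen = negotiate(server_prefs, offers)
        report[label] = (chosen, key_exchange(chosen)[1] if chosen else None)
    return report


# Constructed sample data (not taken from any real server scan).
SERVER_BEFORE = ["AES128-GCM-SHA256", "AES256-SHA",
                 "ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA"]
SERVER_AFTER = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA",
                "AES128-GCM-SHA256"]
CLIENTS = {
    "modern": ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-GCM-SHA256"],
    "legacy": ["AES128-GCM-SHA256", "AES256-SHA"],
}

if __name__ == "__main__":
    for title, prefs in (("before", SERVER_BEFORE), ("after", SERVER_AFTER)):
        print(title, "non-FS suites still offered:", non_fs_suites(prefs))
        for client, (suite, fs) in audit(prefs, CLIENTS).items():
            print(f"  {client:7s} -> {suite} forward_secret={fs}")
```

In the constructed "before" list the server prefers RSA key transport, so even a client that supports ECDHE gets a session that a later key theft can decrypt; in the "after" list only the legacy client, which offers no ephemeral suite, remains exposed.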

While on the subject of the NSA's Muscular program, we would also like to remind you that a couple of weeks ago we learned about 'Royal Concierge', another secret GCHQ and NSA program, uncovered by Edward Snowden, for spying on foreign diplomats through hotel bookings.

-Source (CIO & PC World) 



Yahoo! Voice Compromised, 450K Login Credentials Stolen & Posted In Plain Text


After LinkedIn, eHarmony and Formspring, here comes another big fish. Guess who? It is one of the most widely used web search engines: Yahoo! A list of over 453,491 email addresses and plain-text passwords, in a document named "Owned and Exposed" and apparently from users of a Yahoo! service, is in circulation on the internet. According to well-known security expert and former hacker Kevin Mitnick, the passwords belong to the little-known VoIP service Yahoo! Voice. The information is contained in a 17MB text file and has been released by a group of hackers calling themselves the D33DS Company. Access to the original information is said to have been achieved through an SQL injection vulnerability, where databases are accessed through inadequately filtered parameters passing through the web front end. It is unclear whether the passwords were originally stored as plain text in the database or whether the hackers had already cracked hashed passwords to produce the file.

The original D33ds site that posted the login credentials (d33ds.co) was down as of early Thursday morning; however, the text file is available through torrents and sites such as Media Fire.
“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat,” the D33ds group said in the text file containing the leaked credentials. The group said it did not reveal which Yahoo service the hacked credentials came from “to avoid further damage.”
Yahoo confirmed it was hacked and provided the following statement:
“An older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 450,000 Yahoo! and other company users names and passwords was compromised yesterday. Of these, less than 5% of the Yahoo! accounts had valid passwords. We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised. We apologize to all affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com.”

Given the current situation, we strongly advise you to change your Yahoo! passwords immediately and to set a strong alphanumeric password. Enjoy reading Voice of Greyhat, and stay safe and happy on the Internet.
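The two weaknesses named in this report, a query built from an inadequately filtered parameter and passwords that may have been stored as plain text, are shown below beside their hardened forms. This is an added example, not Yahoo's code: the table layout, function names, accounts and the hostile parameter are constructed for illustration, and the PBKDF2 work factor is an assumption of the example.

```python
"""Unfiltered vs. parameterized lookup, with salted password hashes (added example)."""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 600_000  # assumption: work factor chosen for this example


def hash_password(password, salt=None):
    """Return (salt, digest); only these values are ever written to the table."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def build_db(accounts):
    """Create a hypothetical in-memory users table holding no plain-text passwords."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for email, password in accounts:
        salt, digest = hash_password(password)
        db.execute("INSERT INTO users VALUES (?, ?, ?)", (email, salt, digest))
    return db


def find_user_unfiltered(db, email):
    """'Before' form: the parameter is pasted into the SQL text, so a quote
    character in it changes the structure of the query."""
    query = "SELECT email, salt, pw_hash FROM users WHERE email = '" + email + "'"
    return db.execute(query).fetchall()


def find_user_parameterized(db, email):
    """Hardened form: the value is bound as data and never parsed as SQL."""
    return db.execute(
        "SELECT email, salt, pw_hash FROM users WHERE email = ?", (email,)
    ).fetchall()


def login(db, email, password):
    rows = find_user_parameterized(db, email)
    return len(rows) == 1 and verify_password(password, rows[0][1], rows[0][2])


# Constructed sample data.
SAMPLE_ACCOUNTS = [
    ("alice@example.com", "correct horse battery"),
    ("bob@example.com", "tr0ub4dor&3"),
]
HOSTILE_PARAMETER = "nobody@example.com' OR '1'='1"

if __name__ == "__main__":
    db = build_db(SAMPLE_ACCOUNTS)
    print("unfiltered lookup returned rows:",
          len(find_user_unfiltered(db, HOSTILE_PARAMETER)))
    print("parameterized lookup returned rows:",
          len(find_user_parameterized(db, HOSTILE_PARAMETER)))
    print("valid login:", login(db, "alice@example.com", "correct horse battery"))
```

Even the unfiltered lookup can only return a salt and a slow hash per account here, which is the difference between the "plain text in the database" and "cracked hashes" possibilities the report leaves open.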






Egyptian Hackers Selling Zero-day Exploit of Yahoo Mail For $700


Those who wander through underground hacker communities know very well that unethical wares such as botnets, zero-day exploits, the Blackhole exploit kit, malware, undisclosed vulnerabilities and so on are sold there at various prices. These products are generally priced between $5 and $500, but today I will talk about an expensive product that has listed itself at the top of the black market: a new cross-site scripting exploit that enables attackers to steal cookies and access Yahoo email accounts. According to the Krebs on Security blog post: A zero-day vulnerability in yahoo.com that lets attackers hijack Yahoo! email accounts and redirect users to malicious Web sites offers a fascinating glimpse into the underground market for large-scale exploits. The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a “cross-site scripting” (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! Webmail users. Such a flaw would let attackers send or read email from the victim’s account. In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page. The hacker posted a video to demonstrate the exploit for potential buyers.


“I’m selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers,” wrote the vendor of this exploit, using the hacker handle ‘TheHell.’ “And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss. Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don’t want it to be patched soon!” -said the hacker.  
In response Ramses Martinez, director of security at Yahoo!, said the challenge now is working out the exact yahoo.com URL that triggers the exploit, which is difficult to discern from watching the video. “Fixing it is easy, most XSS are corrected by simple code change,” Martinez said. “Once we figure out the offending URL we can have new code deployed in a few hours at most.”






Yahoo Joins Linux Foundation As Silver-Level Member



Yahoo confirmed its decision to join the Linux Foundation and to provide improved service to the Linux community.

According to Yahoo, this move is a part of its effort to maximise its investment in Linux; the company has become a silver-level member of the Linux Foundation.

As a silver member of the foundation, Yahoo will pay a fee of somewhere between $5,000 and $20,000 every year. 

Yahoo will also contribute to the foundation by assisting its existing teams and initiatives who are working on improved virtualisation, legal issues surrounding Linux and the cloud computing market. Yahoo is also expected to actively participate in all the events organised by the Foundation such as the Linux Foundation End User Summit and others.

Raymie Stata, Yahoo’s chief technology officer said in a recent statement as reported on eweek, “The Linux Foundation is host to a variety of very important Linux projects as well as resources, tools and events that allow us to maximize our investment in the platform.”

He added, “Yahoo is excited to collaborate with The Linux Foundation and its peers to advance technologies that will help Linux achieve its promise.”
The primary goal of the Linux Foundation is to protect the patents used by Linux that provide an open source operating system that anyone may use for free.



Yahoo Blocked Occupywallstreet.org & Protest Campaign


Yahoo blocked e-mail about Occupywallstreet.org and the protest campaign: people using its e-mail service were prevented from sending messages about anti-Wall Street demonstrations over the weekend.
The company said that an external spam filter had blocked the messages but maintained that it was inadvertent. It said that the problem has since been resolved, though there may be some residual issues.
After typing into the text field a message suggesting a visit to the Occupywallstreet.org Web site for more on the protests, the system kicked back the following message:

Your message was not sent
Suspicious activity has been detected on your account. To protect your account and our users, your message has not been sent.
If this error continues, please contact Yahoo! Customer Care for further help.
We apologize for the inconvenience.
Later Yahoo apologized and a spokeswoman for Yahoo said that the company had not purposely blocked the messages. She said Yahoo initially became aware on Sunday "that some folks sending e-mail were getting the weird bounceback" but that Yahoo has since taken steps to resolve the problem.




0-Day Vulnerability in Yahoo Messenger, An Attacker Can Change The Status Update Remotely


A zero-day exploit has been found in Yahoo Messenger that allows attackers to change a user's status message remotely. Version 11.x of the Messenger client (including the freshly released 11.5.0.152-us) is affected by this 0-day vulnerability. The status message change occurs when an attacker simulates sending a file to a user. This action manipulates the $InlineAction parameter (responsible for the way the Messenger form displays the option to accept or deny the transfer) in order to load an iFrame which, when loaded, swaps the status message for the attacker's custom text, including a potentially "dubious" link, as Bitdefender describes it. The iFrame is sent as a regular message and comes from another Yahoo Instant Messenger user, even if that user is not in the victim’s contact list.

  • Why is it so dangerous?
Status messages are highly efficient in terms of click-through rate, as they address a small group of friends. Chances are that, once displayed, they will be clicked by most contacts who see them. One scenario: the victim's status message is swapped with an attention-getting text that points to a page hosting a zero-day exploit targeting the IE browser, the locally installed Java or Flash environments or even a PDF bug, to mention only a few. Whenever a contact clicks on the victim’s status message, chances are they get infected without even knowing it. All this time, the victim is unaware that their status message has been hijacked.
Another lucrative approach to changed status messages is affiliate marketing (ie: sites that pay affiliates for visits or purchases through a custom link). Someone can easily set up an affiliate account, generate custom links for products in campaign, then massively target vulnerable YIM victims to change their status with the affiliate link. Then, they just wait for the contact-generated traffic to kick in. There are actually a couple of services that pay YIM users to change their status with custom links as part of their business.


  • Who is safe?
You are safe if you are running a Bitdefender security solution (Bitdefender Antivirus Plus, Bitdefender Internet Security or Bitdefender Total Security). We detect this threat via the HTTP scanner and block it before it reaches the Messenger application.
You are also safe if you have Yahoo Messenger set to “ignore anyone who is not in your Yahoo! Contacts” (which is off by default).



Microsoft adCenter Dragged Yahoo Revenue Down


Yahoo's quarterly revenue suffered for the second straight quarter at the hands of Microsoft's adCenter technology, the system for buying and delivering online ads.
The Web giant today posted second-quarter revenue excluding traffic acquisition costs of $1.08 billion. That was a bit below analyst expectations of $1.11 billion. It's also a 5 percent decrease from the second quarter of 2010. Yahoo blamed its search agreement with Microsoft. The agreement with Microsoft also led Yahoo to post revenue below expectations in the first quarter.
Display advertising also came in light, something Yahoo Chief Executive Carol Bartz also blamed on a recent management shuffle.
"We experienced softness in display revenue in the second half of the quarter due to comprehensive changes we have made in our sales organization to position ourselves for more rapid display growth in the future," Bartz said in a statement.
Net earnings at Yahoo hit $237 million, up 11 percent from the year-ago period.

-News Source (CNET)


Spear phishing attacks spread to Hotmail and Yahoo Mail



Security researchers have uncovered a new set of targeted phishing attacks on users of the Microsoft Hotmail and Yahoo Mail services.
Trend Micro is reporting a set of targeted attacks which the company believes are part of a larger campaign to compromise systems and access user data. The company said that the attacks included both malicious file attachments, as well as attempts to exploit flaws in the webmail services themselves to harvest user credentials. Trend Micro senior threat researcher Nart Villeneuve told V3.co.uk that the attackers attempted to exploit cross-site scripting (CSS) flaws in both platforms, as well as use specially-crafted Word documents containing malware. In the case of Yahoo Mail, however, things did not go quite as planned.
"They were trying to exploit a CSS vulnerability in Yahoo Webmail to steal the cookies, so they could have access to that session, but their code didn't actually work," he explained.
Trend's report comes just days after Google reported a series of attacks on its Gmail service, which targeted the accounts of both government officials and political activist groups.
Villeneuve said that while there was similarity in the attacks, the company could not find evidence directly linking the Hotmail and Yahoo Mail operations to the Gmail incident.
In a statement provided to V3.co.uk, Microsoft safety services general manager John Scarrow said that the company did not find any evidence that Hotmail was being targeted by the operation.
"Microsoft is not aware of any Hotmail customers being targeted by the specific phishing attacks that occurred earlier this week," Scarrow said.
"However, phishing attacks and other forms of abuse are a persistent industry challenge."
At the time of publication, Yahoo had yet to respond to a request for comment on the report.
To help prevent users from falling victim to targeted attacks, Villeneuve suggested that users keep a careful eye on emails which claim to be from colleagues. He noted that clues such as grammatical errors and unusual data requests will often give away a phishing attempt.
"Once users are aware that these attacks do happen they can look for things that don't exactly make sense," he said.
"Little tricks like that can help users initially decide to treat an email with a little bit of suspicion."


Google, Yahoo, Microsoft & AOL Jointly Enhancing Agari Anti-Phishing Service


Google, Microsoft, Yahoo and AOL are jointly enhancing the Agari anti-phishing service. The four companies are providing metadata from messages delivered to their customers to Palo Alto, Calif.-based Agari so it can be used to look for patterns that indicate phishing attacks. Agari collects data from about 1.5 billion messages a day and analyzes them in a cloud-based infrastructure, according to Agari CEO Patrick Peterson.
The company aggregates and analyzes the data and provides it to about 50 e-commerce, financial services and social network customers, including Facebook and YouSendIt, who can then push out authentication policies to the e-mail providers when they see an attack is happening. "Facebook can go into the Agari console and see charts and graphs of all the activity going on in their e-mail channel (on their domains and third-party solutions) and see when an attack is going on in a bar chart of spam hitting Yahoo," for instance, Daniel Raskin, vice president of marketing for Agari, told the media in an interview. "They receive a real-time alert and they can construct a policy to push out to carriers (that says) when you see this thing happening don't deliver it, reject it."
Agari doesn't collect the actual messages, he said. Some e-mail providers will take a message that is failing authentication and provide the malicious URLs in it to Agari to pass on to the company whose name is being used in the phishing messages, Raskin said. "Other than that we don't want to see the content," he said.
Google expects Gmail users to benefit as more mail senders authenticate their messages and implement block policies. "Since 2004 Gmail has supported several authentication standards and developed features to help combat e-mail phishing and fraud," Google Product Manager Adam Dawes said in a statement to. "Proper coordination between senders and receivers is the best way to cut down on the transmission of unauthorized mail, and AGARI's approach helps simplify this process."
Agari, which has been operating in stealth mode since October 2009, rejected more than 1 billion messages across its e-mail partners' networks in a year, according to Peterson, who was with the original management team of e-mail security firm IronPort. IronPort got acquired by Cisco in 2007.  




Indian Govt. Asked Social Networks (Facebook, Google, Yahoo & Microsoft) To Screen Contents From India


The Indian government has told social networking giants Facebook, Google, Yahoo and Microsoft to remove material that might "offend Indian sensibilities". Top officials from the Indian units of Google, Microsoft, Yahoo and Facebook are meeting with Kapil Sibal, India’s acting telecommunications minister, on Monday afternoon to discuss the issue, say two executives of Internet companies. The executives asked not to be identified because they are not authorized to speak to the media on the issue.
Mr. Sibal’s office confirmed that he would meet with Internet service providers Monday but did not provide more information about the content of the meeting. About six weeks ago, Mr. Sibal called legal representatives from the top Internet service providers and Facebook into his New Delhi office, said one of the executives who was briefed on the meeting. At the meeting, Mr. Sibal showed attendees a Facebook page that maligned the Congress Party’s president, Sonia Gandhi.  “This is unacceptable,” he told attendees, the executive said, and he asked them to find a way to monitor what is posted on their sites.
In the second meeting with the same executives in late November, Mr. Sibal told them that he expected them to use human beings to screen content, not technology, the executive said. The three executives said Mr. Sibal has told these companies that he expects them to set up a proactive prescreening system, with staffers looking for objectionable content and deleting it before it is posted. The executives said representatives from these companies will tell Mr. Sibal at the meeting on Monday that his demand is impossible, given the volume of user-generated content coming from India, and that they cannot be responsible for determining what is and isn’t defamatory or disparaging.
“If there’s a law and there’s a court order, we can follow up on it,” said an executive from one of the companies attending the meeting. But these companies can’t be in the business of deciding what is and isn’t legal to post, he said. 
Yahoo, Facebook and Microsoft did not respond immediately to calls for comment, and a Google spokeswoman said the company had no comment on the issue. Facebook said earlier this year it has more than 25 million users in India. Google has over 100 million Internet users in India. The demand is the Indian government’s latest attempt to monitor and control electronic information. In April, the ministry issued rules demanding Internet service providers delete information posted on Web sites that officials or private citizens deemed disparaging or harassing. 
The Indian government also plans to set up its own unit to monitor information posted on Web sites and social media sites, executives said, which will report to Gulshan Rai, the director general of India’s cyber-security monitor. 
Some Indian cities like Mumbai have already set up special units to monitor Internet sites like Facebook and Orkut, the social networking site operated by Google, for content considered disparaging or obscene.
Now let's see what these social network authorities do in this case.



-News Source (The Guardian & New York Times) 




Webmail gets hacked, corporate passwords exposed


This week, one of our C-level executives suffered a personal security incident that spilled over to the workplace. Here's what happened.
The executive's Yahoo email password was compromised, which she learned after hearing from friends who told her that they had received messages from her requesting money to deal with a crisis. You've probably heard similar stories, but whoever hacked the executive's email was a bit more clever than the average cybercrook. One friend was suspicious of the request and asked for verification of the executive's identity. Most email hijackers would probably give up and move on to another victim at that point, but this hacker had sifted through the executive's emails and learned enough about her family, vacations and health issues to trick the friend and dupe her into wiring the money.
Naturally, the executive had used her Yahoo Mail account for a variety of activities, including setting up accounts with her bank, her brokerage, an airline and various shopping sites. The Yahoo account had received emails containing clear-text passwords when she had forgotten them. Worse, she often used the same password for multiple accounts.
I advised her to abandon the email account and to contact all of her friends and let them know that they should disregard any mail from that address. But that action, or simply changing the password, probably wouldn't be enough to stem the damage. Most identity thieves will download all the email from a compromised account, as well as data such as calendars and contact lists, to a local computer. This is quite simple, since many webmail clients allow customers to use more feature-rich email clients such as Microsoft Outlook to download email. So even if the account were shut down or the password changed, the hacker would probably still have all of its contents.
Because the compromised content could not be safeguarded, I also told her to file a police report; contact all banks, credit card companies, brokerages and other organizations with which she had done business online; file a fraud alert with the major credit agencies; sign up for a credit-monitoring service; and obtain a new email address and update all of her accounts with that address. I also warned her to refrain from using any PCs, including her home PC, until we could verify their integrity, since we still didn't know how her password had been compromised.

Dangerous Habit

In the course of our conversation, I learned that this incident had implications for the company. You see, we have increased our use of software as a service to the point that we now use more SaaS offerings than on-premises applications. Some might see this as an achievement. I see it as a security nightmare.
As I've explained in past articles, most SaaS vendors have focused more on functionality and accessibility than on security. This incident is a perfect example of how that approach can lead to problems. The executive had a habit of forgetting her passwords for SaaS applications, and she gave me a list of seven SaaS apps that had sent password reset notices to her hacked email account -- in clear, unencrypted text!
Fortunately, none of the data used with these particular apps was extremely sensitive. But she had used her domain password for all of the applications. This meant we had to change her domain password and then log in to all the other applications -- about 15 altogether -- that were not synchronized with Active Directory or configured for single sign-on.
Needless to say, this was not a good day for this executive. But on a positive note, I did get a sponsor for my security awareness and training program.




Statistics Say: Bing Beats Google


A new search-engine study has identified Microsoft’s Bing as more effective than Google, judging by the number of results users actually click on. The study, by web tracking firm Experian Hitwise, found that some 80 per cent of Bing searches led to a visit to one of the web sites identified in the results, compared to just 67 per cent of Google searches.

The study said that the relatively high percentage of searches that did not result in a visit to a website indicated that both the leading search engines had significant opportunities to improve their results.
The study found that Google’s share of the US search market dropped 2 per cent in July to 66.05 per cent as Bing-powered searches increased by 1 per cent to 28.05 per cent. Yahoo, which uses Bing for all searches on Yahoo sites, increased its market share by 4 per cent to 15 per cent, while searches on bing.com itself dropped 2 per cent to 13 per cent.

-News Source (Timeslive)


Facebook is the most appalling spy machine that has ever been invented, said Wikileaks


Despite awaiting extradition to Sweden on sexual assault charges, Wikileaks founder Julian Assange is still the subject of much media interest.
Russia Today (RT) interviewed Assange, getting his viewpoint on political unrest in Egypt and Libya, particularly probing what the Wikileaks founder makes of social media’s roles in the recent revolutions in both countries. In his interview, Assange focuses particularly on Facebook calling it the “most appalling spy machine that has ever been invented”.
Explaining in more detail, Assange affirms:
“Here we have the world’s most comprehensive database about people, their relationships, their names, their addresses, their locations, their communications with each other, and their relatives, all sitting within the United States, all accessible to US Intelligence.”
According to Assange, it doesn’t stop with Facebook. He believes the social network is joined by Google, Yahoo and other major US organisations that have “built in interfaces for US Intelligence”:
“It’s not a matter of serving a subpoena, they have an interface they have developed for US Intelligence to use. Now, is it the case that Facebook is run by US Intelligence? No, it’s not like that. It’s simply that US Intelligence is able to bring to bear legal and political pressure to them.
It’s costly for them to hand out individual records, one by one, so they have automated the process.”
The Wikileaks founder then warns Facebook users, stating that if a user adds their friend to Facebook, they are “doing free work for US Intelligence agencies, in building this electronic database for them”.
The full video has been embedded below; Assange’s thoughts on Facebook, Google and Yahoo begin around the two minute mark.
Assange says his website’s revelations are “just the tip of the iceberg”, adding that it’s only a matter of time before more damaging information becomes known.


Google, Microsoft & Yahoo are looking to buy Hulu


Elisa Schreiber, a spokeswoman for Hulu, was contacted and asked to comment on the potential sale. She declined to reveal any information regarding the transaction. The spokesmen for the potential buyers, Microsoft, Google and Yahoo!, would not comment on the matter either. Experts say that if Hulu were to be bought by any of the mentioned companies it would be improved. A new owner could equip it with a better monetary foundation.
Hulu was founded on March 12, 2008 and has its headquarters in Los Angeles, California. Its services cover the United States and its overseas territories. It distributes video on its own website but also on other websites. It also allows its users to embed its videos in their websites. Hulu’s content includes programs from TV channels such as NBC, ABC, FOX, MSNBC, CNBC, MTV, VH1, Nickelodeon and National Geographic Channel, as well as a large number of movies. Since November 2009, Hulu has also been distributing music. It signed partnerships with record labels in order to host music videos and concerts. Among the partners are EMI (since November 2009) and Warner Music Group (December 2009). Hulu can be followed on TV, on computers, on tablets or on smart phones.




End of Windows Live Messenger: Microsoft Replacing Live Messenger With Skype


In 2011 the Redmond-based software giant Microsoft acquired Skype Communications for US$8.5 billion. Since then we have seen several ups and downs, along with compliments and criticism of the acquisition. But we have to remember that it is Microsoft Corporation, which has always done its very best to make its products successful. In the case of Skype the same thing happened. Microsoft announced Tuesday that it is retiring the Windows Live Messenger chat tool and replacing it with Skype's messaging tool. Microsoft said Windows Live Messenger (WLM) would be turned off by March 2013 worldwide, with the exception of China. This move will allow consumers to use Skype's features such as chat on all platforms including iPad and Android tablets; send instant messages; make video calls; share their screen; join a group chat; and call contacts on their mobile or land lines. The announcement is made in an effort to make Skype the company's main instant messaging software. It reflects the firm's determination to focus its efforts on Skype.
For the information of VOGH readers, WLM launched in 1999, when it was known as MSN Messenger. According to a survey, MSN had more than 330 million active users worldwide. According to internet analysis firm Comscore, Windows Live Messenger (WLM) still had more than double the number of users of Skype's instant messenger facility at the start of this year in the US, and was second only in popularity to Yahoo Messenger. But the report suggested WLM's US audience had fallen to 8.3 million unique users, representing a 48% drop year-on-year. By contrast, the number of people using Skype to instant message each other grew over the period. Microsoft highlighted the fact that WLM was still more popular than Yahoo's product in most other territories, but nevertheless decided to call time on the service. To ease the changeover, Microsoft is offering a tool to migrate WLM contacts over. In order to transition over to Skype, just download the latest version, then select the option to sign in with your Microsoft account on the sign-in screen. You will then be asked if you’re already using Skype or are a new user. If you use Skype and Messenger already, you can merge your Skype and Messenger account into your Microsoft account. Skype says it will assist users over the coming months to smoothly transition over from Windows Live Messenger. The move is nothing too surprising; it seemed obvious that Microsoft wanted to take advantage of its acquisition of the popular IM and video chat client. So far, it looks like Microsoft is on the right track to do that.




-Source (Skype, BBC)






Android & NVIDIA Forum Hacked, Millions of User Credentials Stolen


After the massacre of Formspring & Yahoo! Voice, yet another security breach has affected the NVIDIA & Phandroid forums. Hackers have gained illegal access and stolen millions of usernames & password hashes from those forums.
NVIDIA has temporarily shut down its online developer forum after it fell victim to cyber criminals who may have gained access to members' hashed passwords. NVIDIA says that it took the site down last week to investigate intrusions into its systems by unauthorised third parties. The intruders reportedly gained access to private user data, including usernames, email addresses, and hashed passwords with random salt values. Data in users' "About Me" profiles, such as age, birthdate, gender and location, was also accessed in the breach; however, this information was already publicly accessible on the site.

In the security notice, NVIDIA said that it is currently "employing additional security measures to minimize the impact of future attacks", adding that it hopes to restore the Forums as soon as possible. Once restored, the company says that it will reset all user passwords and send an email to users with a temporary password and instructions on how to change it.

Phandroid, a popular Android news site & online community for fans of Android smartphones, also faced a cyber attack. Phandroid has confirmed that its Android Forums was compromised using "a known exploit", and data including usernames, hashed passwords and so forth were accessed. According to Phandroid's notice about the security breach, the user table of Android Forums' database was accessed by unknown intruders.
The database in question contains a variety of information on forum users, including usernames, email addresses, hashed and salted passwords, registration IP addresses; also other forum-related data, such as last time online and post date as well as post count. Based on current information, the site's community manager says that they cannot confirm if the data was in fact downloaded, adding that they believe the attack was "most likely an e-mail harvesting attempt". Additional steps to further harden server security and "extra 'just in case' actions" have also reportedly been taken.

As per reports, more than 1 million users of the Phandroid forum are potentially affected by the security breach. The site's administrators advise all users to change their passwords as soon as possible through the User Control Panel (UserCP) or by using the "Forgot your password?" function.
We would like to remind you that other sites hit in recent weeks by hackers who stole user information include Yahoo Voices, Formspring, eHarmony and LinkedIn. There, too, we saw the same scenario, where hackers stole millions of user credentials from those sites.


 -Source (NVIDIA, Phandroid, The-H)







Permanent Internet Ban in Iran, Govt Launching National Intranet Service


The Iranian government has announced its plans to establish a National Intranet within five months. As a result, millions of Internet users in Iran will be permanently denied access to the World Wide Web (WWW) and cut off from popular social networking sites, email services and so on. The government is set to roll out the first phase of the project in May, following which Google, Hotmail and Yahoo services will be blocked and replaced with government Intranet services like Iran Mail and Iran Search Engine. At this stage, however, the World Wide Web, apart from the aforementioned sites, will still be accessible. The government has already started the registration procedure for procuring an Iran Mail ID, which mandates authentic information pertaining to a person's identity, including national ID, address and full name. Registration will be approved only after verifying it against the government data on the particular applicant. The second and final stage of the national Intranet will be launched in August, which will permanently deny Iranians access to the Internet. "All Internet Service Providers (ISP) should only present National Internet by August," Taghipour said in the statement. Iranian ISPs already face heavy penalties if they fail to comply with the government filter list. By establishing the Intranet, government control is set to become stricter. Foreign sites can still be accessed over the Intranet provided they are mentioned in a "white list" set up by the government. The government is also believed to be planning for better control of proxy servers, which allow users to access banned sites. In his statement, Reza Taghipour, the Iranian minister for Information and Communications Technology, announced the setting up of a national Intranet and the effective blockage of services like Google, Gmail, Google Plus, Yahoo and Hotmail, in line with Iran's plan for a "clean Internet."

-Source (IB Times)



Microsoft Updates Hotmail with more Signature Options & Keyboard Shortcuts



It's not as titillating as the time Microsoft added conversation view to Hotmail, but the outfit did just freshen up its email service with a handful of helpful tweaks. Topping the list is an assortment of shortcuts, including the ability to right click a message to reply, reply all, or forward (you could already do this for other things, like marking something as unread). Hotmail also now responds to some additional Gmail- and Yahoo Mail-specific keyboard shortcuts, such as "#" for deleting messages -- a Gmail trick. And the company is none too subtle about admitting it wants the service to be user-friendly for folks if -- or when -- they switch from Google or Yahoo. Rounding out the batch of improvements, you get an easy way to recover deleted emails, an improved back button, HTML5-fueled speed improvements, and the option of changing your default font signature -- something we can't believe Hotmail has been missing until now. Hit the source link for the full spill, and find a short demo video after the break.


CAPTCHA System Penetrated, Cyber Security Have to Face a New Challenge






Researchers crack Microsoft, eBay, Yahoo, Digg audio captchas 


Researchers have figured out how to crack captchas, making it possible to launch automated attacks against sites such as Microsoft, eBay and Digg where opening phony accounts could be turned into cash. Software written by researchers at Stanford University and Tulane University can interpret human speech well enough to crack audio captchas between 1.5% and 89% of the time - often enough to make sites that use them vulnerable to the setting up of false user accounts, the researchers say. Called Decaptcha, the program was able to decode Microsoft's audio captchas about half the time. It cracked the toughest audio captcha from reCAPTCHA just 1.5% of the time and Authorize.com's audio captchas 89% of the time. It solved eBay audio captchas 82% of the time, Microsoft 48.9% of the time, Yahoo 45.5% of the time and 42% of the time for Digg, say the researchers, headed up by Elie Bursztein, a post-doctoral researcher at Stanford.

According to the research group, the compromised captchas are:
  • The math captcha
  • The geometric captcha
  • The drag and drop captcha
  • The sexy captcha
  • The cute captcha
  • The Audio Captcha

