
Twitter Hacked, More Than 250,000 User Data Compromised


The social networking giant and world-famous microblogging site Twitter has again fallen victim to a cyber attack. Last year we saw Twitter's tight security system compromised many times. Yet again this year, the San Francisco-based social media giant, which has more than 500 million registered users, failed to protect itself from hackers. Last Friday Twitter acknowledged that it had become the latest victim in a number of cyber-attacks against media companies, saying hackers may have gained access to information on 250,000 of its more than 200 million active users. The microblogging giant said in a blog post that earlier this week it detected attempts to gain access to its user data. It shut down one attack moments after it was detected. According to reports, usernames, email addresses, session tokens and encrypted/salted passwords for 250,000 users might have been accessed in what it described as a “sophisticated attack”.

“This attack was not the work of amateurs, and we do not believe it was an isolated incident,” said Bob Lord, Twitter’s director of information security. “The attackers were extremely sophisticated, and we believe other companies and organisations have also been recently similarly attacked,” Bob added.

Jim Prosser, a Twitter spokesman, would not say how hackers infiltrated Twitter’s systems, but Twitter’s blog post said hackers had broken in through a well-publicized vulnerability in Oracle’s Java software. Last month a security researcher exposed a serious vulnerability in the software; Oracle patched the security hole, but Homeland Security said the fix was not sufficient. The DHS issued a rare alert that warned users to disable Java on their computers. Prosser said Twitter was working with government and federal law enforcement to track down the source of the attacks. For now, he said, the company had reset passwords for, and notified, every compromised user. The company encouraged users to practice good password hygiene, which typically means coming up with different passwords for different sites, and using long passwords that cannot be found in the dictionary.
Twitter said it “hashed” passwords — which involves mashing up users’ passwords with a mathematical algorithm — and “salted” those, meaning it appended random digits to the end of each hashed password to make it more difficult, but not impossible, for hackers to crack. Once cracked, passwords can be valuable on auction-like black market sites where a single password can fetch $20.
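
As an added illustration (not from Twitter or the original report), the Python code below stores passwords as salted, iterated hashes and shows why that slows down cracking of a stolen table: identical passwords no longer share a digest, and a precomputed table of common-password hashes matches nothing. PBKDF2-HMAC-SHA256, the iteration count, the record format and the sample passwords are assumptions of this example; the page does not say which algorithm Twitter used.

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"   # assumed scheme for this example
ITERATIONS = 200_000          # assumed work factor; tune to your hardware
SALT_BYTES = 16
MAX_ITERATIONS = 10_000_000   # refuse absurd values from a tampered record


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'algorithm$iterations$salt_hex$digest_hex' for storage."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record
    if algorithm != ALGORITHM or not 0 < iterations <= MAX_ITERATIONS:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return hmac.compare_digest(candidate, expected)


def unsalted_digest(password):
    """The weak baseline: one fast hash, no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def precomputed_hits(stored_digests, common_passwords):
    """Count stored digests that appear in a table hashed once, in advance."""
    table = {unsalted_digest(p) for p in common_passwords}
    return sum(1 for d in stored_digests if d in table)


def compare_storage(user_passwords, common_passwords):
    """Contrast unsalted and salted storage of the same passwords."""
    unsalted = [unsalted_digest(p) for p in user_passwords]
    salted = [hash_password(p).split("$")[3] for p in user_passwords]
    return {
        "unsalted_distinct": len(set(unsalted)),
        "salted_distinct": len(set(salted)),
        "unsalted_table_hits": precomputed_hits(unsalted, common_passwords),
        "salted_table_hits": precomputed_hits(salted, common_passwords),
    }


# Constructed sample data: two users share a dictionary password.
SAMPLE_USERS = ["letmein", "letmein", "correct horse battery staple"]
COMMON_PASSWORDS = ["password", "letmein", "123456"]

if __name__ == "__main__":
    print(compare_storage(SAMPLE_USERS, COMMON_PASSWORDS))
```

Salting removes the shared-digest and precomputed-table shortcuts, but a dictionary password can still be guessed one account at a time, which is why the reset and the advice on long, unique passwords still matter.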

While talking about Twitter and cyber issues, I would like to remind you that last year Twitter faced several cyber attacks in which more than 55,000 Twitter account details were leaked. After that, in the middle of last year, the social networking giant faced a massive denial of service that interrupted its services. Later, a huge number of Twitter users across the globe received emails warning that their accounts had been compromised and their passwords had been reset; it was another security breach affecting Twitter. Big organizations such as Twitter are not at all careless about security, as was shown when they hired renowned white hat hacker Charlie Miller to boost their security. But after this latest breach, it seems that Twitter needs to think harder and put much more emphasis on making sure that its systems are good enough to prevent cyber attacks. For all the hot cyber updates and reviews, stay tuned with VOGH.





Apple Hired Kristen Paget, Renowned Hacker & Former Security Expert of Microsoft


To become the very best, and to hold that position, you need to deliver one hundred percent, sometimes even more, and the race never stops. For that, you have to gather the very best people around you. That happened again when Apple hired a renowned computer security researcher who helped Microsoft rid Windows Vista of glaring exploits. You may already have guessed who, and yes, you are right: Kristen Paget, formerly known as Chris Paget, who was part of an elite team of security experts at Microsoft, has now been hired by Apple to lend her expertise to securing the company's operating systems. Apple has slowly been trying to make inroads into the security community. This summer, an Apple engineer spoke at the Black Hat security conference for the first time, so it is fairly predictable that Apple is looking for security experts. Paget's exact charge at Apple is still somewhat of a mystery, with company representatives declining to comment on the specifics of what she'll be working on. After leaving Microsoft and prior to her move to 1 Infinite Loop, Paget was employed by security firm Recursion Ventures. According to sources, she departed this past July, stating that she wished to focus on developing security-related hardware.
According to a report by Wired - Paget’s work at Microsoft had been similarly secretive. She’d been forbidden from speaking about it for five years after her work there ended.
But in 2011, the NDA expired, and she spilled the beans on her Vista hacking at the Black Hat Las Vegas conference. In short: Microsoft’s security team had expected Vista to be pretty clean when Paget got her hands on it, but they were wrong.
“We prevented a lot of bugs from shipping on Vista,” Paget said, according to a recording of her talk. “I’m proud of the number of bugs we found and helped get fixed.” Paget and company’s bug-hunt was so successful, in fact, that it forced Microsoft to push back Vista’s ship date. When the work was done, the hackers received special T-shirts, signed by Microsoft Vice President of Windows Development Brian Valentine. They read: “I delayed Windows Vista.” 
Until this past summer, Paget had been chief hacker at Recursion Ventures, a company that specializes in hardware security. When she left in July, she said she was looking for a break from bug-finding, hoping to find a job that involved building “security-focused hardware.”
“I’ve done too much breaking of things, it’s time to create for a change,” she said on Twitter. She was hired in September as a core operating system security researcher at Apple, according to her LinkedIn profile.
Paget made headlines in 2010 when she built her own cellphone-intercepting base station at the Defcon hacker conference. Back then, Paget was known as Chris. She switched genders last year.

While talking about giant firms hiring geniuses, we would like to remind you that Apple very recently hired search guru Bill Stasior to oversee Apple's Siri voice-activated personal assistant. A few months ago, social networking giant Twitter appointed famous whitehat hacker Charlie Miller to boost its security. And in late 2011 Nicholas Allegra, the world-famous hacker known as "Comex" and creator of JailbreakMe.com, was also hired by Apple.





Vasilis Pappas Won 'Blue Hat' Security Contest & Grand Prize of $200,000 From Microsoft


Earlier last year, software giant Microsoft started the Blue Hat security contest. The BlueHat Prize, announced globally by the company at the 2011 Black Hat security conference in Las Vegas, offers a grand prize of $200,000, a runner-up purse of $50,000, and a third-place award of a one-year subscription to MSDN Universal (a developer's platform for Microsoft products) worth $10,000 to security researchers who design the most effective ways to prevent the use of memory safety vulnerabilities.
This year Microsoft rewarded a group of hackers, giving away a total of $260,000. 'Hackers' in the good sense here: the clever programmers who won its Blue Hat security contest, including a grand prize of $200,000.

The big prize was awarded to a PhD student at Columbia University, Vasilis Pappas, who was handed the check in an American Idol-style contest finale complete with loud music and confetti. The winners were announced during a party at the Black Hat hackers conference 2012 that just happened this week in Las Vegas. Two other guys took home significant prizes, too. Ivan Fratric, a researcher at the University of Zagreb in Croatia, got $50,000 and Jared DeMott, a Security Researcher for Harris Corp. won $10,000.
They all submitted ideas to help solve a really hard security problem called Return-Oriented Programming. ROP is a hacker technique that is often used to disable or circumvent a program's computer security controls. Twenty people submitted ideas in the contest. Without getting into too much technical detail, Pappas came up with something called kBouncer, which blocks anything that looks like an ROP attack from running. It's become popular these days to pay security researchers bounties. But what's cool about the Blue Hat contest is that it paid the researcher for actually coming up with a fix to a problem. Other companies, including Google, Facebook, PayPal and many more, already have "Bug Bounty" programs, where they reward researchers for simply identifying flaws in their systems. By contrast, Microsoft and Adobe don't pay bounties. Microsoft promised that this first Blue Hat prize won't be its last, so this may be a sign of a smart new approach to engaging with security researchers for the software giant.


-Source (Microsoft & Business Insider)








Black Hat 2012- Key-Card of Hotel Door Can Be Bypassed With An Open-Source Tool "Arduino"



For millions of travelers, the ubiquitous hotel key card is the primary, and essentially the only, way to access their rooms at the end of the day. So you may well be shocked to hear that the key card you use to access your private room is no longer safe. And trust me, this happened at Black Hat 2012. Security researcher Cody Brocious believes the current systems used to secure hotel doors throughout the United States and elsewhere are severely flawed. Speaking at the Black Hat security conference, Brocious demonstrated how locks from Onity, a company that sells security products to hotels and other businesses, can easily be bypassed. At the show, Brocious detailed the primary security flaws that allowed him to bypass Onity locks and gain access to rooms.
According to eWEEK, Brocious used an open-source tool known as Arduino, a portable programming platform. Arduino was used as a substitute for the commercial portable programmer that an Onity lock would typically require. Brocious explained that the Onity locks have a serial hardware connection that is easily accessible, as well. In addition to the Arduino tool, Brocious used an oscilloscope that allowed him to see what was happening in the lock whenever a key card was put in and the door opened or closed. He was able to determine through his research that the underlying firmware on the lock does not require any form of authentication to arbitrarily access the memory of the lock. This means it is possible to read out every bit of information that is on the lock, which makes it possible for anyone to gain access or make a key.
In theory, programming for the lock should go over a secure channel, rather than doing direct unencrypted memory access, said Brocious. The problem, according to his research, is that the existing Onity lock design does not easily allow for that, and there is no easy way to update the firmware. Another potential option is to actually provide physical security on the door lock. For example, the company could make the serial port harder to access. However, with 5 million of these locks in use today, Brocious said this would be an expensive and challenging way to add additional security. The actual door locks are only half the problem exposed by Brocious. The card keys are also at risk. Typical card keys in the Onity system use only 32-bit key encryption making them easy to decrypt, according to Brocious. "The system is broken at every layer," said Brocious.
The severity of the issue and its high impact is what led Brocious to choose to release his research at Black Hat. In addition to his research, he is also releasing a software tool so that others can continue or expand on his efforts. "Something needs to be done about this problem, and I didn't want to put it out there in a way that could be defeated by process," said Brocious. "No doubt, this vulnerability has been found before, and it has been in the locks for years."
Brocious added: “I'd be surprised if this hasn't been used by malicious actors in the past.” What Brocious is hoping to achieve from this disclosure is not a mass string of hackers getting unauthorized access to hotel rooms, but rather some kind of fix and industry response. "I'm saying that this is what you're vulnerable [to], so come up with a way to solve the problem," said Brocious.





FBI Used LulzSec To Track & Spy on Wikileaks Founder Julian Assange


After the inside story of former Anonymous leader Hector Xavier Monsegur, aka "Sabu", was revealed, the world came to know that Sabu had been working as an undercover agent of the FBI, which led to a series of arrests of several key members of the hacker collectives Anonymous and LulzSec. Now there is another twist, from a new book written by Parmy Olson, the London bureau chief for Forbes Magazine, which says that the FBI used an agent inside the LulzSec hacker group to track and spy on WikiLeaks founder Julian Assange. According to the book, an associate of WikiLeaks contacted LulzSec spokesman Topiary on June 16, hours after the assault on the CIA. The two would eventually converse over an Internet Relay Chat channel that was reported to be witnessed by Assange, who confirmed his identity by providing a video to the hacker in real time during their chat. For a few weeks, writes Olson, Assange and/or his associate returned to the LulzSec IRC channel “four or five more times,” during which others occasionally engaged in conversation with both sides. During at least one of those conversations, Assange’s contact at WikiLeaks offered LulzSec a spreadsheet of classified government data contained in a file named RSA 128, which she says was heavily encrypted and needed the manpower of black hat hacktivists to decode.
According to an exclusive report by RT: Aside from a few unsealed court documents, details about the now-defunct hacktivism group LulzSec remain few and far between. One journalist is saying she got inside the organization though — along with Julian Assange.
“We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency” is an upcoming book from Parmy Olson, the London bureau chief for Forbes Magazine. And although her alleged account has not yet hit the shelves, a lengthy excerpt has been leaked to the Web — and its contents suggest that the world’s once most powerful hacking collective was in correspondence with WikiLeaks founder Julian Assange after he allegedly reached out to the organization for assistance. The US government says that they had already infiltrated LulzSec by then, though, meaning that WikiLeaks’ plea to the hacking collective was actually being offered to an FBI mole.
According to Olson, the June 2011 attack on the public website of the US Central Intelligence Agency by LulzSec caught the attention of Assange, who was residing in the countryside manor of an English journalist while on house arrest. Once he saw that a LulzSec-led invasion had crippled CIA.gov, Assange allegedly sent out two tweets from the WikiLeaks Twitter account, only to delete the micromessages shortly after:
"WikiLeaks supporters, LulzSec, take down CIA . . . who has a task force into WikiLeaks," read one. "CIA finally learns the real meaning of WTF," reads the other.
Assange “didn't want to be publicly associated with what were clearly black hat hackers,” writes Olson, speaking of computer compromisers who target networks for perhaps no real intention other than mischief making. “Instead, he decided it was time to quietly reach out to the audacious new group that was grabbing the spotlight,” she says. Olson says that one of those hackers aware of the newfangled relationship was Hector Xavier Monsegur, who spearheaded LulzSec by serving as a leader of sorts under the handle Sabu. Perhaps unbeknownst to all engaged in the IRC chats, however, was that Sabu had been arrested on June 7 and, according to the federal government, began immediately working as an FBI informant.
"Since literally the day he was arrested, the defendant has been cooperating with the government proactively," Assistant US Attorney James Pastore said at a secret bail hearing on August 5 2011, according to a transcript released this March after his arrest was made public.
While details of Sabu’s escapades under the direct influence of the FBI are obviously being kept confidential, federal attorneys have said that the hacker more or less masterminded the group under their command until LulzSec dissolved on June 25; Jake Davis — Topiary — was arrested in the UK on August 1. If Olson’s allegations add up, that could mean that the FBI’s top-secret informant, Sabu, was speaking directly with America’s cyber-enemy number one: Julian Assange.
On Wednesday this week, the UK Supreme Court agreed to extradite Assange to Sweden, where he is facing a lawsuit unrelated to his involvement with WikiLeaks. Once there, however, the United States may be able to more easily fight to have him sent stateside to be charged with aiding the enemy — the crime being pegged to alleged WikiLeaks contributor Bradley Manning, who now faces life in prison for that involvement. The uncertainty of who exactly conversed with whom might be near impossible to confirm given the widespread anonymity of hacktivists tied with LulzSec and Anonymous alike, but if Olson’s account adds up, the FBI’s inside man may very well have come close to working with Assange. On his part, Topiary claims that he never received the RSA 128 file.





The 2012 Cyber Defence University Challenge (Australia's First National Cyber Security Competition)

The 2012 Cyber Defence University Challenge, Australia’s first national cyber security competition, has been announced  by The Gillard Government, in partnership with Telstra and Australian universities. The ultimate prize, sponsored by Telstra, is travel and entry to the Black Hat 2012 Conference in Las Vegas, USA, in July 2012. Black Hat conferences are much sought-after technical information security congresses and briefing seminars which bring together trainers and speakers from corporate, government and research sectors worldwide.
Minister for Broadband, Communications and the Digital Economy Senator Stephen Conroy said the Challenge would test the cyber problem-solving skills of teams of Australian undergraduates in a virtual computer network scenario. “The Challenge will raise awareness of the importance of cyber security, particularly in the university and business sectors, while also showcasing the diverse career opportunities for ICT graduates,” Senator Conroy said.
“The need for greater awareness of cyber security issues and for more high-skilled ICT graduates were two of the key themes to emerge from the public engagement process associated with the Government’s Cyber White Paper, due for release later this year. The Challenge is a positive example of the Government partnering with industry and academia to enable Australia to overcome the challenges associated with being a modern, digital economy. The Government is committed to working with industry to develop a safe and secure digital economy for Australians. We are also committed to increasing the skills and expertise necessary to protect online environments from cyber crime such as data theft.”
The Challenge will run for 24 hours on 3 – 4 April 2012. University undergraduates across Australia who are studying computer science and related degrees are encouraged to register a team in the Challenge via their university.



Trinamool Congress Official Website Hacked

Trinamool Congress Official Website Hacked By Bangladesh Black-hat Hackers
The official website of the All India Trinamool Congress has been hacked. Hackers from Bangladesh have taken responsibility for the hack. This attack on the AITMC website is yet another outcome of the ongoing cyber war between Bangladesh and India, a war that is causing a lot of damage for India. So far more than 20K Indian websites have been hacked, including 30+ Indian Govt sites, National Informatics Center (NIC), Indian Railways, Passport Dept, MIT, NDTV, Indian Stock Market and many more high-profile websites. According to party sources, the site was hacked on the evening of 14th February and later restored to its original state. The site was hosted on a US server, and its security was penetrated during this attack. A party spokesman also confirmed that the vulnerability has been fixed. MP and party cyber team head Derek O' Brien said, "It was blocked for a few hours but there was no damage to the site. We have lodged a complaint with the cyber cell of the Kolkata Police to get to the bottom of the truth."
In a statement, Bangladesh Black-hat Hackers said that Mamata Banerjee had broken her promise on sharing Teesta river water with the country, which affects Bangladesh, so they performed the attack. In short, it was a kind of revenge.
This is not the first time. Earlier, in 2011, hackers from Pakistan hacked the official websites of the All India Congress, the Bharatiya Janata Party (BJP) and so on. In another attack, a Pak hacker named KhantastiC haXor penetrated the official site of the Indian Congress and defaced the profile page of Party President Sonia Gandhi. Still, the Indian Govt is very careless about this burning issue. The rise of cyber crime is almost kissing the sky, and the state of Indian cyber security is a disaster. The outcome is in front of us. Since last week, BD hackers have been penetrating the Indian cyber fence every day, which is causing a lot of damage to the country, not only to its reputation but also economically. If such things continue, then in the very near future India will have to face a massive national security disaster, including in defense, the army, secret research areas and many other sensitive sectors.




Bangladesh Cyber Army (BCA) Hit Indian Stock Market

Bangladesh Cyber Army (BCA) Hit Indian Stock Market (Cyber-War Continues)

The cyber-war between India and Bangladesh goes on and on. But it has now become rather one-sided, with most of the attacks coming from the Bangladeshi side. Recently they released their second video, in which they vow to hit Indian stock market websites. During peak hours, three main sites of the Indian stock market were apparently down due to a massive denial of service attack from BD hackers. As expected, this DDoS attack will surely affect the financial and banking sector of India.

Targeted Sites:-

Press Release of BCA:-

The video gave as the reason the killing of another innocent Bangladeshi citizen in the Bangladesh-India border zone yesterday. In the last 3-4 days, a huge number of Indian sites fell victim to hacking attacks by the Bangladesh Cyber Army. Two other groups, Bangladesh Black Hat Hackers and 3xp1r3 Cyber Army, were also involved in the attacks. Besides, they also have support from Pakistani hackers, which we have already covered. National Informatics Center (NIC), Indian Railways, Passport Dept, MIT and NDTV all became victims of this cyber attack.

VOGH Review:-
As a media outlet, it is our duty to raise awareness. Looking at this so-called cyber-war, all we can see is that it is damaging thousands of websites. In short, hackers from both countries are just bringing ruin to their own cyber space. While attacking websites of other countries, knowingly or unknowingly they are putting their own cyber space at risk. Such a cyber-war also always creates a negative reputation for the countries engaged in it. In short, if they do not end the war, the war will end them.


Colombiaweb Server Rooted More Than 2K Websites Hacked By Teamgreyhat (TGH)


Well-known hacker group Teamgreyhat strikes again. In this attack they rooted colombiaweb's web server and thereby hacked into more than 2000 websites. TGH released a Pastebin note listing all the hacked sites along with their message. If you dig into the recent past, you will find that TGH has already built a unique reputation on the web. This black-hat group is especially expert at rooting servers. Earlier they rooted Mochahost Web Server, Guyana Server, Theexpert Server, Malaysian Web-host, Cybertek Web-Server, 5gbfree.com and many more. One of their big blows was hacking the Hotmail mail servers. This hack of 2000 sites again proves the capabilities of TGH.




Anonymous Exposed The Private Information of The Special Agent, Officers, Cyber Crime Investigators Of Department Of Justice


The hacktivists claim to have hacked into Baclagan's Gmail account and to have accessed his voicemails and SMS message logs using unspecified techniques as part of their ongoing campaign against law enforcement officials and their "allies" in the computer security industry.
The email dump, released as a torrent last Friday as part of what has become the group's regular FuckFBIFriday release, is also said to contain personal information including Baclagan's home address and phone number. The cache of emails, which according to AntiSec are from the account of Fred Baclagan, a retired special agent supervisor of the Californian Department of Justice, includes 38,000 emails detailing various computer forensic techniques and cybercrime investigation protocols.
Baclagan said that he was nobody special in the Justice Department ... which is what he would say, of course. He said that he had specialised in identity theft before he retired last year. "I'm really just a nobody," he told the Post, "just a local investigator, not involved in anything dynamic or dramatic."

In the Press Release Anon Said:-

################################################################################
#        ANTISEC LEAKS DOJ SPECIAL AGENT SUPERVISOR'S PRIVATE EMAILS,         #
#               IACIS CYBERCRIME INVESTIGATOR COMMUNICATIONS                              #
#         care of the #OCCUPYWALLST CRACKDOWN RETALIATION TASK FORCE         #       
################################################################################

Greetings Pirates, and welcome to another exciting #FuckFBIFriday release.

As part of our ongoing effort to expose and humiliate our white hat enemies, we
targeted a Special Agent Supervisor of the CA Department of Justice in charge of
computer crime investigations. We are leaking over 38,000 private emails which
contain detailed computer forensics techniques, investigation protocols as well
as highly embarrassing personal information. We are confident these gifts will 
bring smiles to the faces of our black hat brothers and sisters (especially 
those who have been targeted by these scurvy dogs) while also making a mockery 
of "security professionals" who whore their "skills" to law enforcement to 
protect tyrannical corporativism and the status quo we aim to destroy.

We hijacked two gmail accounts belonging to Fred Baclagan, who has been a cop
for 20 years, dumping his private email correspondence as well as several dozen 
voicemails and SMS text message logs. While just yesterday Fred was having a 
private BBQ with his CATCHTEAM high computer crime task force friends, we were 
reviewing their detailed internal operation plans and procedure documents. We 
also couldn't overlook the boatloads of embarrassing personal information about 
our cop friend Fred. We lulzed as we listened to angry voicemails from his 
estranged wives and ex-girlfriends while also reading his conversations with 
girls who responded to his "man seeking woman" craigslist ads. We turned on his 
google web history and watched him look up linux command line basics, golfing 
tutorials, and terrible youtube music videos. We also abused his google 
voice account, making sure Fred's friends and family knew how hard he was owned.

Possibly the most interesting content in his emails are the IACIS.com internal
email list archives (2005-2011) which detail the methods and tactics cybercrime 
units use to gather electronic evidence, conduct investigations and make 
arrests. The information in these emails will prove essential to those who want 
to protect themselves from the techniques and procedures cyber crime 
investigators use to build cases. If you have ever been busted for computer 
crimes, you should check to see if your case is being discussed here. There are 
discussions about using EnCase forensic software, attempts to crack TrueCrypt 
encrypted drives, sniffing wireless traffic in mobile surveillance vehicles, how 
to best prepare search warrants and subpoenas, and a whole lot of clueless 
people asking questions on how to use basic software like FTP. In the end, we
rickrolled the entire IACIS list, causing the administrators to panic and shut
their list and websites down.

These cybercrime investigators are supposed to be the cream of the crop, but we
reveal the totality of their ignorance of all matters related to computer
security. For months, we have owned several dozen white hat and law enforcement
targets-- getting in and out of whichever high profile government and corporate
system we please and despite all the active FBI investigations and several
billion dollars of funding, they have not been able to stop us or get anywhere
near us. Even worse, they bust a few dozen people who are allegedly part of an
"anonymous computer hacking conspiracy" but who have only used 
kindergarten-level DDOS tools-- this isn't even hacking, but a form of
electronic civil disobedience. 

We often hear these "professionals" preach about "full-disclosure," but we are
sure these people are angrily sending out DMCA takedown notices and serving
subpoenas as we speak. They call us criminals, script kiddies, and terrorists, 
but their entire livelihood depends on us, trying desperately to study our 
techniques and failing miserably at preventing future attacks. See we're cut 
from an entirely different kind of cloth. Corporate security professionals like
Thomas Ryan and Aaron Barr think they're doing something noble by "leaking" the
public email discussion lists of Occupy Wall Street and profiling the "leaders"
of Anonymous. Wannabe player haters drop shitty dox and leak partial chat logs
about other hackers, doing free work for law enforcement. Then you got people 
like Peiter "Mudge" Zatko who back in the day used to be old school l0pht/cDc 
only now to sell out to DARPA going around to hacker conventions encouraging 
others to work for the feds. Let this be a warning to aspiring white hat 
"hacker" sellouts and police collaborators: stay out the game or get owned and 
exposed. You want to keep mass arresting and brutalizing the 99%? We'll have to 
keep owning your boxes and torrenting your mail spools, plastering your personal 
information all over teh internets.

Hackers, join us and rise up against our common oppressors - the white hats, the 
1%'s 'private' police, the corrupt banks and corporations and make 2011 the year 
of leaks and revolutions! 

We are Anti-Security,
We are the 99%
We do not forgive.
We do not forget.
Expect Us!


Team Ghost Released Tax Records of Brazilian Govt, Exclusive Documents of #op-SouthAfrica & 10K SQL- Vulnerable Sites


Black Hat Ghost is back again with a boom. Previously they exposed secret documents of the DOD, NATO, NSA, DHS and many more. This time they exposed the entire tax record of the Brazilian Govt. Team Ghost also published a document containing more than 10,000 SQL-i vulnerable sites and their details.
That is not all: Team Ghost has also been running an operation named #opSouthAfrica, in which they hacked into 50+ high-profile South African websites, including government sites.


According to The Official Press Release:- 

Today I posted 3 Mediafire links
First link containing:
Tax records from www.balbinos.sp.gov.br From 2002-2011. I exposed everything they've purchased
in the last 9 years. ;)

Second link containing:

The whole contents of #opSouthAfrica, which was created by myself and involved hacking over 50 South African websites, these were the main sites I targeted, and it shows usernames, passwords, emails, postal addresses, databases, SQL dumps and so on.

The third link of tonight's raids:
Contained 10,000+ SQL-i vulnerable website links. Every one of these links was in fact vulnerable at some point in time. So if a couple don't work now, then they've patched it.
These are just a taste of what's to come.

First  link:
http://www.mediafire.com/?elm9kvaend2tk8y   <--- Tax records

Second link:
http://www.mediafire.com/?nk69n6c5ufek8yk <--- #opSouthAfrica

Third  link:

http://www.mediafire.com/?ryx7apfx6ohca7b   <--- 10k+ Vulnerable Sites
 


Serious Vulnerabilities Found By Deepanker Verma on Online Shopping Website


Serious Vulnerabilities Found By Deepanker Verma on shopping.indiatimes.com
 

Vulnerable Website:-
http://shopping.indiatimes.com/

According To the Hacker:-


"IndiaTimes shopping website has some serious XSS vulnerabilities which can lead to cookie stealing of users. And this may cause some serious loss to users. After going through some pages of the website, we (Shadab and me) have found that the website is vulnerable to XSS injections and malicious scripts can be injected on the website."

Here are some screen shots submitted by the hacker to prove the vulnerability:-


 XSS on the login Page 


JavaScript Injection Vulnerability


Vulnerability on the product page 


Cookie Stealing Vulnerability


iframe vulnerability

The screenshots above show that this website is vulnerable and has many loopholes; a black hat could inject malicious code and do serious harm.


Indian Embassy Of Kathmandu, Nepal Hacked By Ghosts


Indian Embassy Of Kathmandu, Nepal Hacked By Ghosts (A Black Hat Team). They hacked into the database of the website and exposed sensitive information like admin details and many more.

Website:-
http://www.indianembassy.org.np/

user_name:- indianembassy
password:- 147f9d55b079a76d6ec6f36b61f4cf1a
full_name:-  Administrator
        
Login Link:-
http://www.indianembassy.org.np/admin/login.php 

Ambassador Name:-   Jayant Prasad     
Amb_id :- 21 
Last Modification:- 2011-08-27    


Serious Vulnerability Found By zSecure Team On The Web-Portal of Idea


A critical SQL-i vulnerability has been found on the web portal of Ideacellular that can compromise the entire database. The vulnerability was found by the zSecure Team. As per the vulnerability analysis, a smart black hat can exploit the entire DB, perform devastating attacks and also get full access to their web server.

Vulnerable Website:-


Vulnerability Type:-
Hidden SQL Injection Vulnerability 

Database Type:-
MySql 5.0.27 

Alert Level:-
Critical 

Threats:-
Complete Database Access, Database Dump

Here are some Screen Shots  to prove the Vulnerability:-





About Idea (Company Profile):-

Idea is the 3rd largest mobile services operator in India. Idea’s strong growth in the Indian telephony market comes from its deep penetration in the non-urban and rural markets. IDEA Cellular is an Aditya Birla Group Company, India’s first truly multinational corporation. The group operates in 26 countries, and is anchored by over 130,600 employees belonging to 40 nationalities. The Group has been adjudged the ‘6th Top Company for Leaders in Asia Pacific Region’ in 2009, in a survey conducted by Hewitt Associates, in partnership with The RBL Group, and Fortune. The Group has also been rated ‘The Best Employer in India and among the Top 20 in Asia’ by the Hewitt-Economic Times and Wall Street Journal Study 2007.


-News Source (Zsecure.net)


SAP Will Patch Vulnerability Exposed at Black Hat US 2011


A reportedly serious security bug affecting the J2EE (Java 2 Platform Enterprise Edition) engine in SAP's NetWeaver middleware will be patched soon, SAP said Friday.
NetWeaver underpins SAP's range of enterprise software, including its flagship Business Suite ERP (enterprise resource planning) product. The bug was discussed by security researcher and ERPScan CTO Alexander Polyakov during a presentation at the Black Hat security conference in Las Vegas on Thursday.
The vulnerability makes it possible to crack SAP systems over the Internet by circumventing authorization checks, Polyakov wrote in a blog post before the conference. "For example, it is possible to create a user and assign him to the administrators group using two unauthorized requests to the system."
The attack is also possible on systems that are protected by two-factor authentication systems that use both a secret key and password, he added. ERPScan is making a tool that can detect the problem available at no charge.
"SAP is working closely with Alexander Polyakov on this issue," SAP spokesman Andy Kendzie said in a statement Friday. "SAP will deliver a patch to its customers shortly."
The patch will come as part of a regular security update, and not an out-of-cycle emergency fix, he added.
The news comes shortly after Oracle's release of Java SE 7. The language update shipped with bugs that Oracle engineers knew about prior to the release, a move met with serious consternation from some critics. Oracle plans to fix the bug in an update.


Apple-Based Networks Are More Vulnerable to Attack than Windows (BH 2011)


For many years, Apple enjoyed security through obscurity. The market share for Mac computers was so small that malware creators bypassed it to go after the much bigger target, Microsoft Windows. Not anymore.
Apple’s market share has been slowly rising and the popularity of the iPhone has put Apple’s products into the spotlight. Hackers are taking notice and they’re figuring out that Apple’s computers have security vulnerabilities, some of them more severe than Windows machines, according to a talk by the iSEC Partners security consulting team at the Black Hat security conference today.
Alex Stamos, Paul Youn, and B.J. Orvis of iSEC Partners said in their talk that it is possible for hackers to penetrate a network of Apple Mac computers and lurk undetected while gathering data. They concluded that there were so many vulnerabilities on the networking level that Mac machines could be considered more vulnerable than Windows machines.
Apple has not yet responded to a request for comment. At Black Hat, there will also be talks about the vulnerabilities of other operating systems, including Windows. In years past, security researchers have blamed Microsoft for producing vulnerable Windows code. And immediately following the Apple talk, security researchers had another talk about hacking Google’s Chrome operating system.
“This is all changing,” Stamos said. “If [recent hacking events] tell us anything, it’s that any computer is vulnerable to attack.”
The iSEC team said they looked at attacks on the Mac and its latest operating system, code-named Lion, or OS X version 10.7, from the perspective of Advanced Persistent Threats, or long-term security break-ins on networks of computers. They showed examples of the vulnerabilities and detailed proof that they had hacked into the operating system.
The category of Advanced Persistent Threats is a hot one because Google discovered that, under Operation Aurora, dozens of companies were compromised over a long period of time. And McAfee reported today that a similar attack, dubbed Operation Shady RAT, compromised a total of 72 governments and corporations over a five-year period.
A network of Mac computers can be compromised in the usual way, iSEC’s Stamos said. A single user can be tricked into giving up a username and password through social engineering or targeted “phishing attacks,” or attacks that use a believable ruse to get you to enter your username and password, which is then captured and compromised by the hackers.
Once inside the network, Stamos said that it is easy for the attacker to escalate the privileges he or she has on the network. That is where Apple’s operating system falls down in comparison to Windows. “Once you have access, you can compromise the networking,” Orvis said. “Network privilege escalation is where it really gets bad on the Mac.”
The security researchers said that Apple has made improvements to security in version 10.7 of OS X, such as putting applications in a “sandbox,” or isolating them so that they can run (or crash) without taking down the rest of the operating system. Still, the researchers said they had figured out a couple of different ways to compromise the security of Macs through a test program dubbed Bonjoof. They said that it’s possible to lurk on a network and cover your tracks so that intelligence can be gathered on a network over time.
“All of Apple’s major authentication protocols suffer” from some kind of weakness, Orvis said.
There are ways to deal with the vulnerabilities, but company security professionals have to know how to use security forensics technology, which can take a long time. In the meantime, attackers can detect the forensics tools and react to their usage in an attempt to hide. The security researchers said they did talk with Apple about the vulnerabilities they found and communicated a number of ideas about how to improve the security of Apple’s computers.


Google Chrome OS Has Security Hole (Black Hat 2011)


Black Hat: Google has billed its Chrome operating system as a security breakthrough that's largely immune to the threats that have plagued traditional computers for decades. With almost nothing stored on its hard drive and no native applications, there's no sensitive data that can be pilfered and it can't be commandeered when attackers exploit common software vulnerabilities.
But according to two researchers who spent the past few months analyzing the Chrome-powered Cr-48 beta released in December, the browser-based OS is vulnerable to many of the same serious attacks that afflict people surfing websites. As a result, users remain susceptible to exploits that can intercept email, documents, and passwords stored on centralized servers, many of which are maintained by Google.
“Even though they put these awesome security protections in place, we're just moving the security problems to the cloud now,” Matt Johansen, a researcher with WhiteHat Security, told The Register. “We're moving the software security problem that we've been dealing with forever to the cloud. They're doing a lot of things right, but it's not the end all and be all for security.”
Virtually all of the threats identified by Johansen and his WhiteHat colleague Kyle Osborn stem from Chrome's reliance on extensions, which are essentially web-based applications. A fair number of the extensions they analyzed contain XSS, or cross-site scripting, bugs, which have the potential to inject malicious code and content into a visitor's browser and in some cases steal credentials used to authenticate user accounts.
As they went about testing what kind of attacks various XSS vulnerabilities could allow, Johansen and Osborn noticed something curious: a bug in one extension often allowed them to hijack the communications of a second extension, even when the latter one had no identifiable security flaws. At the Black Hat security conference in Las Vegas on Wednesday, they demonstrated this weakness by exploiting an XSS hole in one extension to steal passwords from an otherwise secure account on cloud password storage service LastPass.
“If any of the other vulnerable extensions have an XSS hole, we can utilize JavaScript to hijack that communication,” Johansen said. “LastPass is doing absolutely nothing wrong here. You can have an extension that's perfectly fine, but if you have another that has a cross-site scripting error in it we can still access information in secure applications.”
The discovery has generated a quandary for the researchers.
“Whose problem is this to fix?” Johansen continued. “We don't really have an answer for that. LastPass did everything correctly. It's the other extension developers that developed an extension with a vulnerability in it.”
After being informed of the specific attack, LastPass made changes to its Chrome extension that prevented it from being carried out, so it's reasonable to assume extension makers foot some of the responsibility for preventing their apps from being compromised by others. But Johansen couldn't rule out the possibility that vulnerabilities in other apps could make LastPass vulnerable again. He said Google might be able to fix the problem by overhauling the application programming interfaces extension developers use.
The researchers also demonstrated an XSS vulnerability in Scratchpad, a text-editor extension that's bundled with Chrome. By sharing files with names containing JavaScript commands stored on Google Docs they were able to obtain the Google session cookies of anyone who used a Chromebook to view the documents. An attacker could exploit the vulnerability to read a victim's email, or to send instant messages to everyone on the victim's contact list. If any of the contacts are using Chromebooks, they could be similarly vulnerable to booby-trapped filenames stored on Google Docs.
A Google spokeswoman defended the security of Chromebooks and said the vulnerabilities enumerated by the researchers weren't unique to the cloud-based OS. In an email, she issued the following statement:
“This conversation is about the web, not Chrome OS. Chromebooks raise security protections on computing hardware to new levels. They are also better equipped to handle the web attacks that can affect browsers on any computing device, thanks in part to a carefully designed extensions model and the advanced security available through Chrome that many users and experts have embraced.”
The researchers stressed Google engineers were extremely quick to fix the Scratchpad vulnerability and awarded them a $1,000 bounty for their report. But they remain convinced that the security of Chrome OS in many cases is only as strong as its weakest extensions. They also pointed out that penetration-testing tools such as the Browser Exploitation Framework could be used to help streamline attacks in much the way Metasploit is used to manage exploits for traditional machines.
And, Johansen said, Chrome hacking through XSS may be only the beginning, since the flaws are among the easiest to find and exploit.
“Who knows what we're going to be looking for months or years from now when Google can figure out a way to thwart the cross-site scripting threat,” he said. “Why would we be trying to write buffer overflows when we can just write a simple JavaScript command?”
-News Source (The Register)
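
The Scratchpad issue described above came from file names being treated as markup when a document list was displayed. As an added example (not code from Google, the researchers or The Register), the sketch below contrasts concatenating an untrusted file name into HTML with encoding it first; the function names, the `/open?id=` URL and the sample file list are constructed for illustration.

```javascript
// Added example: encode untrusted file names before they reach markup.
// escapeHtml, renderUnsafe, renderSafe and sharedFiles are hypothetical names.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode a value for use in HTML text or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the file name is concatenated straight into markup,
// so a name containing tags or quotes becomes part of the page structure.
function renderUnsafe(files) {
  return files
    .map((f) => `<li title="${f.name}">${f.name}</li>`)
    .join('');
}

// Hardened pattern: each value is encoded for the context it lands in.
// HTML text and attribute values go through escapeHtml; the id goes
// through encodeURIComponent because it is placed in a URL query string.
// In a real extension page, assigning to element.textContent instead of
// building HTML strings avoids the problem at the source.
function renderSafe(files) {
  return files
    .map((f) => {
      const name = escapeHtml(f.name);
      const href = '/open?id=' + encodeURIComponent(f.id);
      return `<li title="${name}"><a href="${href}">${name}</a></li>`;
    })
    .join('');
}

// Constructed sample input: one ordinary name and two that carry markup.
const sharedFiles = [
  { id: 'doc-1', name: 'meeting notes.txt' },
  { id: 'doc-2', name: '<img src=x onerror="marker()">.txt' },
  { id: 'doc 3&x', name: 'a" onmouseover="marker()' },
];

console.log(renderSafe(sharedFiles));
```

Encoding on output protects the viewer even when the stored file name cannot be changed, which matters when the name comes from a shared document someone else controls.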
