Master Card Blog Hacked & defaced By Syrian Electronic Army

Master Card Payments Perspectives Blog Hacked & defaced By Syrian Electronic Army

It's became a very common scenario that hackers targets banks, payment gateway and other financial sectors. Sites like Paypal, Visa, Master Card were among those common victims who used to face massive round of cyber attacks. Past two years hacktivist managed to interrupt the service of those websites many times. Here also in the beginning of 2013 almost same situation took place, when the official blog of Master Card get hacked and defaced.  It was the Saturday evening when a hackers collective group named "Syrian Electronic Army" managed to breach and get access inside Master Card blog. I am sure that all our readers will be shocked after hearing the way of intrusion. In the platform of the blog, Master Card was using an older version of WordPress (Ver. 3.3.2) which has several critical vulnerabilities like XSS, file uploading, CSRF and so on. Exploiting those loopholes the hacker managed to get access inside the blog and defaced one of the page of the giant in international financial services company's blog. Though WordPress have released a security patch and also version 3.5, but it's quite unfortunate and shocking that Master Card did not even patched their older version for which their system get penetrated. It is truly unbelievable that sites like Master Card is so careless about basic security and counter measure of cyber attack. According to sources Syrian Electronic Army used  the CSRF exploit of WordPress which is said to be available on the Internet and allows an attacker to add a new administration user. This is a possible explanation of how the Syrian Electronic Army managed to hack and deface the blog. After this incident occurs Master Card immediately updated the version of WP and closed those back doors. Still the the defaced and cached version of the  blog can be viewed on Google’s Web Cache. 

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Master Card Blog Hacked & defaced By Syrian Electronic Army"https://www.voiceofgreyhat.com/2013/01/MasterCard-Blog-Hacked-By-Syrian-Electronic-Army.html</a>

Hacker Are Invited To Attack Facebook's Corporate Network

Hackers Are Invited To Attack Facebook's Corporate Network

Last year the social networking giant, Facebook introduced its bug bounty program, inviting security researchers to poke around the site, discover vulnerabilities that could compromise the integrity or privacy of Facebook user data, and then responsibly disclose them to the company. The minimal reward amount was of $500. White hats were urged to search for Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF/XSRF) and Remote Code Injection bugs. In Facebook's White Hat program the company strictly announced that they should not be bothered with spam or social engineering techniques, DoS vulnerabilities, bugs in Facebook's corporate infrastructure and vulnerabilities in third-party websites or apps. Now they changed their mind. When the social network's security team randomly receiving tips from a researcher about a vulnerability in the company's own network which would allow attackers to eavesdrop on internal communications, they made an unprecedented choice by broadened the scope of the bug bounty program and inviting researchers to search for other holes in the Corporate Network. There are quite a few bug bounty programs instituted by tech companies such as Google, Paypal but Facebook has become the first firm that gave formal permission to white hats to target its networks. Ryan McGeehan, the manager of Facebook's security-incident response unit, stated that if there’s a million-dollar bug, they will pay it out.

Given that Facebook has a strong incentive to protect the data belonging to its 900 million users, and the fact that data breaches have become a disturbingly common occurrence in the last two years or so, the step seems like a logical one. 

-Source (Net-Security)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Hacker Are Invited To Attack Facebook's Corporate Network"https://www.voiceofgreyhat.com/2012/07/HackersareInvitedToAttackFacebookCorporateNetwork.html</a>

PayPal Announced Paid “Bug Bounty” Program for Security Researchers

PayPal Announced  Paid “Bug Bounty” Program for Security Researchers

Giant in payment services provider PayPal recently announced the launch of a new paid bug bounty program where PayPal will reward security researchers who will discover vulnerabilities in its website with handsome amount of money. In the official blog PayPal's Chief Information Security Officer Michael Barrett said- "The security of our customers’ data is our number one priority" Its very obvious and clear that while enhancing more security PayPal took this step because we all know that PayPal is listed among those sites where cyber-criminals always kept their eyes. 

If you are a security researcher, and you've discovered a site or product vulnerability, please forward your details to sitesecurity@paypal.com. We also like to give you reminder that before PayPal- Facebook, Google & many other has already started this paid bug bounty program.

-:PayPal Bug Bounty Program In Details:-

• PayPal security team will determine the bounty amount and all decisions are final. 

• Bounty is awarded to the first person that discovers the previously unknown bug.

• The bug bounty program is subject to change or to cancellation at any point without notice.

• Bug bounty is valid for the following site: www.paypal.com.

• Payment is paid out through a verified PayPal account, once the bug is fixed.

• For all submissions, do not send personal information in your report and please use PayPal's PGP key to encrypt your email.

• Individuals from sanctioned countries are not allowed to participate in this program.

• eBay Inc. employees, contractors and their immediate relatives are not allowed to participate in the program.

Vulnerabilities That Are in Scope:

• XSS
• CSRF/XSRF
• SQLi
• Authentication bypass

Note: While "Logout CSRF" is a well-acknowledged issue, there are other techniques  like "cookie forcing" and "cookie bombardment" that can make it futile to defend against this attack. Also, PayPal's web sessions are relatively short lived and hence the Bug Bounty panel will not consider reports of the ability to log out users from PayPal as qualifying for the reward.

In Your Bug Submission Email, Please Include The Following:

• Your email address
• Your PayPal account (in order to receive the bounty)
• Vulnerability type (i.e., XSS, CSRF, SQLi, etc.)
• Vulnerability Scope: Domain(s), URL(s) and Parameter(s) impacted
• Steps to reproduce bug

Guidelines for Responsible Disclosure

• Share the security issue with us before making it public on message boards, mailing lists, and other forums.
• Allow us reasonable time to respond to the issue before disclosing it publicly.
• Provide full details of the security issue.

Terms for Participation :- As between eBay Inc. and the Submitter, as a condition of participation in the PayPal Bug Bounty program, the Submitter grants eBay Inc., its affiliates and customers a perpetual, irrevocable, worldwide, royalty-free and non-exclusive license to use, reproduce, adapt, modify, publish, distribute, publicly perform, create derivative work from, make, use, sell, offer for sale and import the Submission for any purpose. Submitter represents and warrants that the Submission is original to the Submitter and Submitter owns all rights, title and interest in and to the Submission. Submitter waives all other claims of any nature, including express contract, implied-in-fact contract, or quasi-contract, arising out of any disclosure of the Submission to eBay. In no event shall eBay be precluded from discussing, reviewing, developing for itself, having developed, or developing for third parties, materials which are competitive with those set forth in the Submission irrespective of their similarity to the information in the Proposal, so long as eBay complies with the terms of participation stated herein. 

For additional information click Here

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">PayPal Announced Paid “Bug Bounty” Program for Security Researchers"https://www.voiceofgreyhat.com/2012/06/paypal-announced-paid-bug-bounty.html</a>

Facebook Said - Please Hack Us & Get Bounty of $500

Facebook Said - Please Hack Us & Get Bounty of $500

Earlier through Hackers Cup, Facebook has already shown honour to hackers now social networking giant Facebook is directly encouraging hackers to try hacking its security systems to find weaknesses. Those who succeed will receive a reward of US$500 or more and have their name added to a list of helpful hackers.

The hackers have taken part in Facebook's White Hat program. Anyone who finds a way of breaching the site's networks, and owns up, can earn rewards worth thousands of dollars. As well as money, Facebook promises not to land them in trouble with the police & legal harassment if they have complied with the program's golden rules. Already one British hacker has earned more than $2400 from Facebook, and the most prolific White Hat contributors are now given their own Facebook "bug bounty" credit cards. Facebook's chief security officer, Joe Sullivan, says he would much rather the hackers worked with the company, rather than against it. In time, he hopes the hackers will be able to find legitimate ways of expressing themselves within schools and universities. "There is a real lack of practical academic programs for cyber-security not only in the US but also internationally," he said. "Cyber-security is a skill best learned by doing, and unfortunately many of the current academic programs place little emphasis on real-world practical experience such as that gained in competition or via bug-bounty programs.

According to Facebook - "If you're a security researcher, please review our responsible disclosure policy before reporting any vulnerabilities. If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you."

Eligibility:-
To qualify for a bounty, you must:

• Adhere to our Responsible Disclosure Policy:

• Be the first person to responsibly disclose the bug

• Report a bug that could compromise the integrity of Facebook user data, or circumvent the privacy protections of Facebook user data, such as:

• Cross-Site Scripting (XSS)

• Cross-Site Request Forgery (CSRF/XSRF)

• Remote Code Injection

• Broken Authentication (including Facebook OAuth bugs)

• Circumvention of our Platform permission model

• A bug that allows the viewing of private user data

• Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)

Rewards:-

• A typical bounty is $500 USD

• We may increase the reward for specific bugs

• Only 1 bounty per security bug will be awarded

Exclusions:-
The following bugs aren't eligible for a bounty (and we don't recommend testing for these):

• Security bugs in third-party applications (e.g., http://apps.facebook.com/[app_name])

• Security bugs in third-party websites that integrate with Facebook

• Security bugs in Facebook's corporate infrastructure

• Denial of Service Vulnerabilities

• Spam or Social Engineering technique

                      For detailed information click Here

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Facebook Said - Please Hack Us & Get Bounty of $500"https://www.voiceofgreyhat.com/2012/05/facebook-said-please-hack-us-get-bounty.html</a>

'The Unknowns' Claimed to Breach NASA, European Space Agency, French & Bahrain Ministry of Defense, US Air Force

'The Unknowns' Claimed to Breach NASA, European Space Agency, French & Bahrain Ministry of Defense & Many More

A new group of hacker collective group calling themselves 'The Unknowns' had claimed to breach the security system of a range of government agencies, organizations & many high profile sites. According to a PasteBin release The Unknowns said that they hacked into ten different organizations and published documents and other data alleged to have originated from the servers. Among them there are NASA - Glenn Research Center, US military, US AIR FORCE, European Space Agency, Thai Royal Navy, Harvard, Renault Company, French ministry of Defense, Bahrain Ministry of Defense and Jordanian Yellow Pages. 

NASA has confirmed that an attack did take place on 20 April, but noted that no "sensitive or controlled information" was compromised. The ESA also admitted to having suffered an attack, which it said made use of SQL injection. 

The hacker group claims that their mission is not malicious, but rather to help. "Victims, we have released some of your documents and data, we probably harmed you a bit but that's not really our goal because if it was then all of your websites would be completely defaced but we know that within a week or two," said the groups post, "the vulnerabilities we found will be patched and that’s what we're looking for."  In other word they are pretending to be 'White Hat'.

If you dig the history you will find that previously NASA was hit many times by the hackers from different part of the world Such as Spamers targeted NASA, TeaMp0isoN hacked NASA official forum, Chinese Hackers hit NASA satellites, Indian hacker minhal stole secrete  information from NASA, Code Smasher has found CSRF vulnerability in the official website of Virtual Heliospheric Observeatory NASA and so on.

 

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">'The Unknowns' Claimed to Breach NASA, European Space Agency, French & Bahrain Ministry of Defense, US Air Force"https://www.voiceofgreyhat.com/2012/05/unknowns-claimed-to-breach-nasa.html</a>

NASA Technical Reports Server, Encyclopedia Britannica & Dhaka Stock Exchange is Vulnerable

NASA Technical Reports Server, Encyclopedia Britannica & Dhaka Stock Exchange is Vulnerable

A 15 years ethical hacker from India named Akshay code name "0z0n3" find out non-persistent cross site scripting vulnerability in three very high profile websites. Those are the official website of NASA Technical Reports Server (NTRS), Encyclopedia Britannica, & Dhaka Stock Exchange. Earlier he has found out XSS vulnerability in the official website of National Geographic. The vulnerability details have already been reported to the web-masters and immediately Dhaka Stock Exchange & Encyclopedia Britannica has fixed those security holes but the vulnerability status of NASA Technical Reports Server (A Sub-domain of NASA) is unpatched. To know the vulnerable link click here.  If you dig the history you will find that previously NASA was hit many times by the hackers from different part of the world Such as Spamers targeted NASA, TeaMp0isoN hacked NASA official forum, Chinese Hackers hit NASA satellites, Indian hacker minhal stole secrete  information from NASA, Code Smasher has found CSRF vulnerability in the official website of Virtual Heliospheric Observeatory NASA and so on. Though the vulnerability in Encyclopedia Britannica & DSE is fixed, still the below screen-shots will clarify the fact.  

-:Encyclopedia Britannica:-

-:Dhaka Stock Exchange:-

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">NASA Technical Reports Server, Encyclopedia Britannica & Dhaka Stock Exchange is Vulnerable"https://www.voiceofgreyhat.com/2012/04/nasa-technical-reports-server.html</a>

NASA Sub-Domain is Vulnerable To Hackers

NASA Sub-Domain is Vulnerable To Hackers 

Virtual Heliospheric Observeatory, a sub-domain of NASA is Vulnerable. A fourteen years old ethical hacker from India named Code Smasher has found Cross-site request forgery (CSRF) vulnerability on the official website of Virtual Heliospheric Observeatory NASA. The hacker also claimed that using this vulnerability an attacker can even exploit the website and execute unauthorized commands. Click Here to know the vulnerable link. Few days ago another ethical hacker group found CSRF on wikileaks official site. If you dig the history you will find that previously NASA was hit many times by the hackers from different part of the world. Such as Spamers targeted NASA, TeaMp0isoN hacked NASA official forum, Chinese Hackers hit NASA satellites, Indian hacker minhal stole secrete  information from NASA and so on. Also we would like to give you reminder that well known hacker TinKode get busted for hacking into NASA server. So before playing with NASA be little conscious :)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">NASA Sub-Domain is Vulnerable To Hackers"https://www.voiceofgreyhat.com/2012/02/nasa-sub-domain-is-vulnerable-to.html</a>

New York State Senate Official Site Is Vulnerable

New York State Senate Official Site Is Vulnerable

Few days ago Sec Indi Security Team exposed a Cross-site request forgery (CSRF) vulnerability in wikileaks website. Again they have found SQL-i on the official website of New York State Senate. Earlier this group have also detected  SQL-i vulnerability on the official website of US Senate, also they have hacked the Admin panel of famous Indian website click India. The vulnerability on the NY State Senate is still UN-patched. They hacker group has submitted the vulnerable link to VOGH and to know that click here. According to the hackers group - an attack can easily misuse this security flaws and can gain illegal access on the database of the NY Sate Senate.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">New York State Senate Official Site Is Vulnerable"https://www.voiceofgreyhat.com/2012/01/new-york-state-senate-official-site-is.html</a>

Wikileaks.org Hacked By Sec Indi Security Team !!!

Wikileaks.org hacked By Sec Indi Security Team

Sec Indi Security Team strikes again. This time also they have maintained their class. If you dig the history you will find that this group has already made thier influence in the cyber space. Earlier they have found SQL-i vulnerability on the official website of US Senate, also they have hacked the Admin panel of famous Indian website click India. Now they have targeted Wikileaks official website. And as expected they have found a Cross-site request forgery (CSRF) vulnerability in wikileaks website. Sec Indi Security Team also submitted the vulnerable link. To know that link click Here. This not the first time, before this Wikileaks have faced cyber attack & an Anonymous member took responsibility of that Attack on Wikileaks website. That was a massive Denial of Service attack executed by newly developed tool #refref. Also that DDoS attack was recognized as one of biggest cyber attack in 2011.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Wikileaks.org Hacked By Sec Indi Security Team !!!"https://www.voiceofgreyhat.com/2012/01/wikileaksorg-hacked-by-sec-indi.html</a>

MyBB 1.6.5 Released Vulnerabilities Patched, Features Updated !!!

MyBB 1.6.5 is now available from the MyBB website. It updates feature, security, and maintenance.

In 1.6.5, there are 3 vulnerabilities and over 70 reported issues fixed. Please be aware that not all of the existing problems have been fixed in this version.

Vulnerabilities Patched :-

• Non Critical: Unparsed user avatar in the buddy list – reported by labrocca
• Non Critical: Potential XSS vulnerability validating usernames via AJAX – reported by Will G
• Low Risk: CSRF vulerability in ?language – reported by Nathan Malcolm

There are also over 10 new feature updates in 1.6.5 and they are:-

• Birthdays
• Signature Control
• Find Users
• Custom Profile Fields
• Hidden CAPTCHA
• reCAPTCHA
• Reputation
• PM Override
• Parent Forum Lightbulbs
• And so on

For more information Click Here to go to MyBB Wiki Page

To Download MyBB 1.6.5 Click Here

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">MyBB 1.6.5 Released Vulnerabilities Patched, Features Updated !!!"https://www.voiceofgreyhat.com/2011/11/mybb-165-released-vulnerabilities.html</a>

Facebook Launches Security Bug Bounty

Facebook is set to announce today a bug bounty program in which researchers will be paid for reporting security holes on the popular social-networking Web site.

Compensation, which starts at $500 and has no maximum set, will be paid only to researchers who follow Facebook's Responsible Disclosure Policy and agree not to go public with the vulnerability information until Facebook has fixed the problem.

Facebook Chief Security Officer Joe Sullivan told that "Typically, it's no longer than a day" to fix a bug,

Facebook's Whitehat page for security researchers says: 

"If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you."

The compensation program is a good way to provide an incentive and show appreciation to the research community for helping keep Facebook safe for users, according to the company's security team. Up until now, researchers received recognition on the Facebook Whitehat page, maybe some "swag," and--if they were lucky--a job.

"Some of our best engineers have come to work here after pointing out security bugs on our site," like Ryan McGeehan, manager of Facebook's security response team, said Alex Rice, product security lead at Facebook. (Facebook also recently hired famed iPhone jailbreaker and Sony PlayStation 3 hacker George Hotz, who works on security issues.)

Meanwhile, Facebook is allowing security researchers a way to create test accounts on Facebook to ensure they don't violate terms of use or impact other Facebook users, Rice and McGeehan said.

Facebook is following in the steps of Mozilla, which launched its bug bounty program in 2004, and Google, which offers a bug bounty program with payments ranging from $500 to more than $3,000 for finding Web security holes, as well as a program specifically for Chrome bugs.

Microsoft has offered bounties of $250,000 for information leading to the arrest of virus writers, but does not pay researchers who find bugs in its software. However, other companies do, like TippingPoint's Zero Day Initiative.

Researchers typically are paid more for finding bugs in desktop software, which can take much longer to fix and to update software on computers than bugs in Web-based software, which can be fixed much more quickly.

According To FACEBOOK:- 

Eligibility

To qualify for a bounty, you must:

• Adhere to our Responsible Disclosure Policy:
  

  ... give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research ...
• Be the first person to responsibly disclose the bug
• Report a bug that could compromise the integrity or privacy of Facebook user data, such as:
  

  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF/XSRF)
  • Remote Code Injection
• Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)

Our security team will assess each bug to determine if qualifies.

Rewards

• A typical bounty is $500 USD
• We may increase the reward for specific bugs
• Only 1 bounty per security bug will be awarded

Exclusions

The following bugs aren't eligible for a bounty (and we don't recommend testing for these):

• Security bugs in third-party applications (e.g., http://apps.facebook.com/[app_name])
• Security bugs in third-party websites that integrate with Facebook
• Security bugs in Facebook's corporate infrastructure
• Denial of Service Vulnerabilities
• Spam or Social Engineering techniques

                                                                                                                                                                     -News Sourec (FACEBOOK & Cnet)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Facebook Launches Security Bug Bounty"https://www.voiceofgreyhat.com/2011/07/facebook-launches-security-bug-bounty.html</a>