Twitter Hacked, More Than 250,000 User Data Compromised

Twitter Hacked, More Than 250,000 User Data Compromised

The social networking giant and the world famous micro blogging site Twitter again fallen victim of cyber attack. Last year we have seen that the tight security system if twitter have been compromised many times. Yet again in this year the San Francisco based social media giant who have more than 500 million registered users failed to protect them selves from hackers. On last Friday Twitter acknowledged that it had become the latest victim in a number of cyber-attacks against media companies, saying hackers may have gained access to information on 250,000 of its more than 200 million active users. The micro blogging giant said in a blog posting that earlier this week it detected attempts to gain access to its user data. It shut down one attack moments after it was detected. According to reports usernames, email addresses, session tokens and encrypted/salted passwords for 250,000 users might have been accessed in what it described as a “sophisticated attack” 

"This attack was not the work of amateurs, and we do not believe it was an isolated incident,” said Bob Lord, Twitter’s director of information security. “The attackers were extremely sophisticated, and we believe other companies and organisations have also been recently similarly attacked” Bob added. 

Jim Prosser, a Twitter spokesman, would not say how hackers infiltrated Twitter’s systems, but Twitter’s blog post said hackers had broken in through a well-publicized vulnerability in Oracle’s Java software. Last month, after a security researcher exposed a serious vulnerability in the software, though Oracle patched the security hole, but Homeland Security said the fix was not sufficient. The DHS issued a rare alert that warned users to disable Java on their computers. Prosser said Twitter was working with government and federal law enforcement to track down the source of the attacks. For now, he said the company had reset passwords for, and notified, every compromised user. The company encouraged users to practice good password hygiene, which typically means coming up with different passwords for different sites, and using long passwords that cannot be found in the dictionary.

Twitter said it “hashed” passwords — which involves mashing up users’ passwords with a mathematical algorithm — and “salted” those, meaning it appended random digits to the end of each hashed password to make it more difficult, but not impossible, for hackers to crack. Once cracked, passwords can be valuable on auction-like black market sites where a single password can fetch $20.

While talking about Twitter and cyber issues, I would like to remind you that in last year twitter faced several cyber attacks where more than 55,000 twitter account details was leaked, after this issue in the middle of last year the social networking giant faced massive denial of service which interrupted its services. Later a huge number of Twitter users across the globe received  emails warning that their account have been compromised and their passwords had been reset, and it was another security breach which affected twitter. Such big organization are not at all careless about security, so as twitter and it has been proved when they hired renowned white hat hacker Charlie Miller to boost up their security, but after this current massacre, it seems that twitter need to think more and emphasize a lot to make sure that their system is good enough to prevent cyber attacks. For all the hot cyber updates and reviews stay tuned with VOGH.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Twitter Hacked, More Than 250,000 User Data Compromised"https://www.voiceofgreyhat.com/2013/02/Twitter-Hacked-250000-User-Data-Compromised.html</a>

Apple Hired Kristen Paget, Renowned Hacker & Former Security Expert of Microsoft

Apple Hired Kristen Paget, Renowned Hacker & Former Security Expert of Microsoft 

To become  the very best along with that to maintain and hold your position, you need to deliver your hundred percent even some times more than hundred percent, and this race continues. For that we have to gather the very best guy with as. The above fact took place again, when Apple hired a renowned computer security researcher who helped Microsoft to rid Windows Vista from glaring exploits. I think, you already started guessing, let me tell you that yes you are absolutely right. Kristen Paget formerly known as Chris Paget who was part of an elite team of security experts of Microsoft has now been hired by Apple to lend her expertise to securing the company's operating systems. Apple, slowly, has been trying to make inroads into the security community. This summer, an Apple engineer spoke at the Black Hat security conference for the first time. So it is a bit predictable that why Apple is looking for security experts. Paget's exact charge at Apple is still somewhat of a mystery, with company representatives declining to comment on the specifics of what she'll be working on. After leaving Microsoft and prior to her move to 1 Infinite Loop, Paget was employed by security firm Recursion Ventures. According to sources, this past July, she'd departed stating that she wished to focus on developing security-related hardware.  

According to a report by Wired - Paget’s work at Microsoft had been similarly secretive. She’d been forbidden from speaking about it for five years after her work there ended.

But in 2011, the NDA expired, and she spilled the beans on her Vista hacking at the Black Hat Las Vegas conference. In short: Microsoft’s security team had expected Vista to be pretty clean when Paget got her hands on it, but they were wrong.

“We prevented a lot of bugs from shipping on Vista,” Paget said, according to a recording of her talk. “I’m proud of the number of bugs we found and helped get fixed.” Paget and company’s bug-hunt was so successful, in fact, that it forced Microsoft to push back Vista’s ship date. When the work was done, the hackers received special T-shirts, signed by Microsoft Vice President of Windows Development Brian Valentine. They read: “I delayed Windows Vista.” 

Until this past summer, Paget had been chief hacker at Recursion Ventures, a company that specializes in hardware security. When she left in July, she said she was looking for a break from bug-finding, hoping to find a job that involved building “security-focused hardware.”

“I’ve done too much breaking of things, it’s time to create for a change,” she said on Twitter. She was hired in September as a core operating system security researcher at Apple, according to her Linkedin Profile. 

Paget made headlines in 2010 when she built her own cellphone-intercepting base station at the Defcon hacker conference. Back then, Paget was known as Chris. She switched genders last year.

While talking about hiring geniuses by giant firms, we would like to remind you that very recently Apple has hired search guru Bill Stasior to oversee Apple's Siri voice-activated personal assistant. Along with this, few months ago social networking giant Twitter had appointed famous whitehat hacker Charlie Miller, to boost up its security.  Also in late 2011 Nicholas Allegra, the world-famous hacker known as "Comex", creator of JailbreakMe.com comes was also hired by Apple.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Apple Hired Kristen Paget, Renowned Hacker & Former Security Expert of Microsoft"https://www.voiceofgreyhat.com/2012/12/Apple-Hired-Renowned-Hacker-Kristen-Paget.html</a>

Search Guru Bill Stasior CEO of Amazon’s A9 Unit, Hired By Apple To Oversee Siri

Search Guru Bill Stasior CEO of Amazon’s A9 Unit, Hired By Apple To Oversee Siri

To be the very best, you need to deliver your hundred percent even some times more than hundred percent, and this race continues. As a result Apple has hired 'search guru' Bill Stasior, CEO of Amazon.com’s A9 search and advertising search unit, to oversee Apple's Siri voice-activated personal assistant. Stasior, who joined Amazon in 2003 as director of search and navigation, founded A9.com in May 2004 and then became CEO of the wholly owned subsidiary in February 2006, according to his LinkedIn profile. Stasior, who holds undergraduate and graduate degrees from the Massachusetts Institute of Technology, describes A9.com as a “company with a mission to create groundbreaking technologies in search, advertising, and mobile that power customer centric, Internet businesses.” Apple confirmed his hire but didn't provide any comment. Stasior has an impressive pedigree (you can read his resume and see a really geeky binary image he posted of himself here). The MIT PhD has taught there, too, and has done stints at Oracle, Netcentives and AltaVista. 

 Siri, Apple's famous voice-activated personal assistant program, was acquired in April 2010 to launch a big stake in voice-activated search. Since Apple kicked Google Maps to the curb in iOS 6, the only remaining tie with Google is search. Will Apple eventually do its own search network? Who knows. Stasior’s background in search will certainly be of value if the time ever comes. While Siri has had a high profile in the iPhone range, Apple has lost some of the talent who created it. Adam Cheyer, who co-founded the voice recognition software, recently left the company. CEO Dag Kittlaus departed in October 2011. 

Here we want to remind you that last month Twitter hired famous whitehat hacker Charlie Miller, to boost up its security. Here its Apple who hired Stasior presumably, strengthening Apple’s search and search advertising technology in the wake of its increasing competition with Google. While talking about the news of hiring geniuses then the name of Nicholas Allegra, the world-famous hacker known as "Comex", creater of JailbreakMe.com comes. He was also hired by Apple in 2011. 

-Source (AllThingsD) 

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Search Guru Bill Stasior CEO of Amazon’s A9 Unit, Hired By Apple To Oversee Siri"https://www.voiceofgreyhat.com/2012/10/Search-Guru-Bill-Stasior-Hired-By-Apple.html</a>

Twitter Hires Renowned Apple Hacker Charlie Miller For Twitter Security Team

Twitter Hires Renowned Apple Hacker Charlie Miller For Twitter Security Team

It is almost impossible task for social networks to keep everything safe against hacks and other vulnerabilities. Hackers will constantly find their way around anything that you put in place. So they often deals with hackers & turn themselves to beef up the security level. Social networking giant Twitter exactly did the same thing. The micro-blogging network has hired the famous/infamous Apple hacker, Charlie Miller, to be a part of its security team. Charlie Miller, a popular figure among hackers, broke the news via his Twitter account, saying, “Monday I start on the security team at Twitter. Looking forward to working with a great team there!” Twitter issued a short statement noting that Miller’s title will be that of Software Engineer, but declined to discuss any further details.

Charlie Miller has a background as a Global Exploitation Analyst in the National Security Agency, and has hacked devices running on iOS, OSX, and Android. He is considered to be a white-hat hacker, which means that he hacks to expose vulnerabilities in a system in order to have those weaknesses fixed. Five year ago, Miller was said to be the first to hack the iPhone using the device’s browser, exposing the handset’s vulnerability to security attacks. Several months after this, he was likewise able to hack a MacBook Air in just two minutes. This feat allowed Miller to win the Pwn2Own hacking competition. Miller also showed a way to hijack iPhones through SMS in 2009. In 2011, he used the MacBook power adapter to implant malware on the laptop. In the same year, his license as an Apple developer got revoked because Apple found that he breached the development agreement. 

In more recent times, Miller had been working on Android devices. In June, he was able to overcome Bouncer, Google’s security program. He has furthermore experience in using Near Field Communications to control Samsung and Nokia handsets with a simple wave of another phone that is within the vicinity. 

While talking about Charlie Miller, we must have to take another name and that is Nicholas Allegra, the world-famous hacker known as "Comex", creater of JailbreakMe.com; who later has been hired by Apple itself . In case of Twitter we must have to say, apart from Miller, Twitter also hired Moxie Marlinspike, a hacker who specializes in SSL and VPN encryption.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Twitter Hires Renowned Apple Hacker Charlie Miller For Twitter Security Team"https://www.voiceofgreyhat.com/2012/09/Twitter-Hires-Renowned-Apple-Hacker-Charlie-Miller.html</a>

Android Vulnerability- Hacker Can Gains Complete Control Into Your SmartPhone

Android Vulnerability- Hacker Can Gains Complete Control Into Your SmartPhone  

 

Security experts have discovered a serious flaw in a component of the operating system of Google Inc’s widely used Android smartphone that they say hackers can exploit to gain control of the devices. Researchers at startup cyber security firm CrowdStrike said they have figured out how to use that bug to launch attacks and take control of some Android devices.
CrowdStrike, which will demonstrate its findings next week at a major computer security conference in San Francisco, said an attacker sends an email or text message that appears to be from a trusted source, like the user’s phone carrier. The message urges the recipient to click on a link, which if done infects the device. At that point, the hacker gains complete control of the phone, enabling him or her to eavesdrop on phone calls and monitor the location of the device, said Dmitri Alperovitch, chief technology officer and co-founder of CrowdStrike.
Google spokesman Jay Nancarrow declined comment on Crowdstrike’s claim. Alperovitch said the firm conducted the research to highlight how mobile devices are increasingly vulnerable to a type of attack widely carried out against PCs. In such instances, hackers find previously unknown vulnerabilities in software, then exploit those flaws with malicious software that is delivered via tainted links or attached documents. He said smartphone users need to prepare for this type of attack, which typically cannot be identified or thwarted by mobile device security software.
“With modifications and perhaps use of different exploits, this attack will work on every smartphone device and represents the biggest security threat on those devices,” said Alperovitch, who was vice president of threat research at McAfee Inc before he co-founded CrowdStrike.
Researchers at CrowdStrike were not the first to identify such a threat, though such warnings are less common than reports of malicious applications that make their way to online websites, such as Apple’s App Store or the Android Market.
In July 2009, researchers Charlie Miller and Collin Mulliner figured out a way to attack Apple’s iPhone by sending malicious code embedded in text messages that was invisible to the phone’s user. Apple repaired the bug in the software a few weeks after the pair warned it of the problem.
The method devised by CrowdStrike currently works on devices running Android 2.2, also known as Froyo. That version is installed on about 28 percent of all Android devices, according to a Google survey conducted over two weeks ending February 1. Alperovitch said he expects to have a second version of the software finished by next week that can attack phones running Android 2.3. That version, widely known as Gingerbread, is installed on another 59 percent of all Android devices, according to Google. CrowdStrike’s method of attack makes use of a previously unpublicized security flaw in a piece of software known as webkit, which is built into the Android operating system’s Web browser.

-Source (MyBoradband, Google, CrowdStrike)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Android Vulnerability- Hacker Can Gains Complete Control Into Your SmartPhone"https://www.voiceofgreyhat.com/2012/02/android-vulnerability-hacker-can-gains.html</a>

Vulnerability in Apple MacBooks Which Could ruin Batteries

One prominent security researcher has discovered a vulnerability in the batteries of Apple's MacBook line of portable computers that could allow hackers to ruin the batteries or install malware on them that could corrupt a Mac.
Charlie Miller, a renowned white-hat hacker who works for security firm Accuvant, plans to reveal and offer a fix next month for a MacBook battery vulnerability he has discovered, Forbes reports. Miller uncovered default passwords, which are used to access the microcontroller in Apple's batteries, within a firmware update from 2009 and used them to gain access to the firmware.

Apple and other laptop makers use embedded chips in their lithium ion laptop batteries to monitor its power level, stop and start charging and regulate heat.
During the course of his tests, the researcher "bricked" seven batteries, rendering them unusable by rewriting the firmware. Of more concern is the possibility that hackers could use the vulnerability to install difficult to remove malware, or, in a worst case scenario, cause the batteries to explode.

“These batteries just aren’t designed with the idea that people will mess with them,” he said. “What I’m showing is that it’s possible to use them to do something really bad.” According to him, IT few administrators would think to check the battery, providing hackers with an opportunity to hide malicious software on a battery that could repeatedly implant itself on a computer.

Miller admitted that he hasn't tried to blow up any batteries, but he did say it might be possible. "You read stories about batteries in electronic devices that blow up without any interference,” he noted. “If you have all this control, you can probably do it.”
another researcher, Barnaby Jack, who works for antivirus software maker McAfee, also looked into the battery issue a couple years ago, but said he didn't get as far as Miller did.

Miller, who is a regular winner of security contests demonstrating Mac, Safari and iPhone exploits, has notified Apple and Texas Instruments of the issue. Despite requests from several other researchers not to proceed, he plans to unveil the vulnerability, along with a fix he calls "Caulkgun," at the Black Hat security conference next month.
"Caulk Gun" will change a battery's default passwords to a random string of characters. While the fix will prevent hackers from breaking into the battery, it would also block any future firmware updates from Apple.

In spite of the battery vulnerability that he uncovered, Miller believes Mac OS X security is better than ever before. According to him, Apple engineers made few security-related changes in the jump from Leopard to Snow Leopard, but they made substantial improvements in Mac OS X 10.7 Lion, which was released on Wednesday.
"Now, they've made significant changes and it's going to be harder to exploit,” he said, as noted by The Register.
“It's a significant improvement, and the best way that I've described the level of security in Lion is that it's Windows 7, plus, plus,” said noted security consultant Dino Dai Zovi.
Apple offered security researchers, including Miller and Dai Zovi, an unprecedented early look at Lion in order to get their feedback.
According to researchers, Lion's biggest security improvement is Lion's support for Address Space Layout Randomization. ASLR randomizes the location of critical system components to reduce the risk of attack. Apple also added sandboxing security measures in Safari that will isolate potential bugs or malware. Finally, the newly revamped File Vault now allows an entire drive to be encrypted.

-News Source (Appleinsider)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Vulnerability in Apple MacBooks Which Could ruin Batteries"https://www.voiceofgreyhat.com/2011/07/vulnerability-in-apple-macbooks-which.html</a>

Security firm exploits Chrome zero-day to hack browser, escape sandbox

 French security company Vupen said today that it's figured out how to hack Google's Chrome by sidestepping not only the browser's built-in "sandbox" but also by evading Windows 7's integrated anti-exploit technologies.

Google said it was unable to confirm Vupen's claims.

"The exploit ... is one of the most sophisticated codes we have seen and created so far, as it bypasses all security features including ASLR/DEP/Sandbox," said Vupen in a blog post Monday. "It is silent (no crash after executing the payload), it relies on undisclosed ('zero-day') vulnerabilities and it works on all Windows systems."

Vupen posted a video demonstration of its exploit on YouTube.

According to Vupen, its exploit can be served from a malicious Web site. If a Chrome user surfed to such a site, the exploit executes "various payloads to ultimately download the Calculator from a remote location and launch it outside the sandbox at Medium integrity level."

Vupen used the Windows Calculator only as an example: In an actual attack, the "calc.exe" file would be replaced by a hacker-made payload.

Historically, Chrome has been the most difficult browser to hack, primarily because of its sandbox technology, which is designed to isolate Chrome from the rest of the machine to make it very difficult for a hacker to execute attack code on the PC.

For example, Chrome has escaped unscathed in the last three Pwn2Own hacking contests, an annual challenge hosted by the CanSecWest conference in Vancouver, British Columbia, and sponsored by HP TippingPoint's bug bounty program.

Last March, a team from Vupen walked away with a $15,000 cash prize afterhacking Safari, the Apple browser that, like Chrome, is built on the open-source WebKit browser engine.

But no one took on Chrome at 2011's Pwn2Own, even though Google had offered a $20,000 prize to the first researcher who hacked the browser and its sandbox.

The Vupen attack code also bypassed Windows 7's ASLR (address space layout randomization) and DEP (data execution prevention), two other security technologies meant to make hackers' jobs tougher.

Vupen said it would not publicly release details of the exploit, or the unpatched bug(s) in Chrome. "This code and the technical details of the underlying vulnerabilities will not be publicly disclosed," said Vupen. "They are shared exclusively with our Government customers as part of our vulnerability research services."

Last year, Vupen changed its vulnerability disclosure policies when it announced it would no longer report bugs to vendors, but instead would reveal its research only to paying customers.

Other security experts reacted today to the news of one or more Chrome zero-days, and to Vupen's practice of providing details only to its clients.

"I suppose that means we have a known Chrome 0-day floating around. That's fun," said Jeremiah Grossman, CTO of WhiteHat Security, in a Twitter message today.

"That also means for that the [government] is outbidding Google for bug bounties," Grossman added in a follow-up tweet.

"For now, the [government] still has more money than Google," chimed in Charlie Miller, the only researcher who has won cash prizes at four straight Pwn2Own contests.

Google, like rival browser maker Mozilla, runs a bounty program that pays independent researchers for reporting flaws in Chrome. Last month, Google paid out a record $16,500 in bounties for bugs it patched in a single update. In the first four months of 2011, Google spent more than $77,000 on bug bounties.

Google cited Vupen's policy of not reporting flaws as the reason it could not verify the French firm's assertions.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Security firm exploits Chrome zero-day to hack browser, escape sandbox"https://www.voiceofgreyhat.com/2011/05/security-firm-exploits-chrome-zero-day.html</a>

Metasploit 3.7 Takes Aim at Apple iOS

The open source Metasploit vulnerability testing framework got a major overhaul this week with the release of Metasploit 3.7.
The Metasploit 3.7 release provides an enhanced session tracking backend that is intended to improve performance. Metasploit 3.7 also provides over 35 new exploit modules for security researchers to test, including new ones designed to test Apple's iOS mobile operating system security.
The Apple iOS Backup File Extraction module however is not an attack vector for directly exploiting iOS. Rather it is what is known as a post-exploitation module.
"The post-exploitation modules (post for short) are designed to run on systems that were compromised through another vector, whether its social engineering, a guessed password, or an unpatched vulnerability," HD Moore, Rapid7 chief security officer and Metasploit chief architect told InternetNews.com. "This module requires iTunes to be installed and for a backend to be accessible that has not been encrypted."

Apple's iOS was specifically targeted during this year's pw2own hacking challenge in which security researcher Charlie Miller was able to exploit the system. Apple has since patched the pw2own flaw.
"In large corporate environments, a single domain administrator login can yield access to hundreds of desktop systems, and the Metasploit Pro product makes it easy to scavenge these iTunes backup files from the entire network at once," Moore said.
Metasploit is a popular vulnerability testing frame and is available in Express, Pro and Open Source editions. The Metasploit 3.7 release follows the Metasploit 3.6 release, which came out in March and had a focus on compliance related issues.
With Metasploit 3.7, in addition to new exploit module, there is a focus on improving performance. The improvements to the session tracking system and the associated database in Metasploit 3.7, means that Metasploit is now faster.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Metasploit 3.7 Takes Aim at Apple iOS"https://www.voiceofgreyhat.com/2011/05/metasploit-37-takes-aim-at-apple-ios.html</a>