Showing posts sorted by date for query white-hat.


XSS Vulnerability Found in Cartoon Network's (CN) Official Website By Dr41DeY 
After the successful breach of 'DY365 TV', the hacker going by the name Dr41DeY of the Nigerian Cyber Army has targeted another TV network, and this time he caught an even bigger fish. Unlike a defacement or a breach, what he did this time can be classed as ethical, or white-hat, work. Without stretching the intro any longer, here is the story: the official website of Cartoon Network is vulnerable to cross-site scripting, also known as XSS. Cartoon Network, mostly known as CN, is the world's leading broadcaster of animated programming, ranging from action to animated comedy and much more, and the satellite channel is a favourite among children and teenagers worldwide. So it is indisputable that the official CN website is a valuable target with a large volume of traffic every day. It is unclear why such a big and popular brand would commit the blunder of leaving an XSS hole in its official portal. Dr41DeY shared with VOGH that the search box on the CN home page has a non-persistent (reflected) XSS vulnerability: whatever a visitor types into the search box is echoed back into the results page without being encoded, so a crafted link can make the page run attacker-supplied script in the context of the CN domain. That is the practical danger of a reflected XSS on a high-traffic site: a victim who clicks a prepared link can have session cookies stolen or be shown a convincing phishing form under CN's own URL. The screenshots shared with VOGH were taken as proof of the story. I, on behalf of Team VOGH, have already contacted the CN authorities and notified them of this issue. Hopefully they will take appropriate steps without further delay. For updates on this story and other hot cyber issues, stay tuned with VOGH.
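As an added illustration of the class of bug described above (this is not code from the CN site or from the researcher), the following Python shows a hypothetical search handler that reflects the q parameter into a results page unescaped, the hardened version that HTML-encodes it for both the text and the attribute context, and the quick marker probe a tester would use to tell the two apart. The /search URL, the page template and the payloads are assumptions constructed for the example.

```python
"""Reflected (non-persistent) XSS in a site search box: the vulnerable rendering
next to the hardened one.

Added example for this post; it is not code from cartoonnetwork.com or from the
researcher who reported the bug. The page template, the /search URL and the q
parameter are hypothetical, and the payloads are constructed test inputs.
"""
import html
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical results page: the search term lands in two HTML contexts,
# element text and a quoted attribute value.
PAGE = (
    "<h1>Search results for: {term}</h1>\n"
    '<form><input name="q" value="{term}"></form>'
)


def search_term(url: str) -> str:
    """Pull the q parameter out of a request URL (percent-decoded)."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_vulnerable(url: str) -> str:
    """Echoes the term straight into the markup. This is what a reflected XSS
    looks like server-side: nothing is stored, untrusted input is simply
    copied into the response."""
    return PAGE.format(term=search_term(url))


def render_hardened(url: str) -> str:
    """Same page, but the term is HTML-entity encoded for the contexts it is
    placed in. quote=True also encodes the quote characters, which is what
    stops an attribute breakout."""
    return PAGE.format(term=html.escape(search_term(url), quote=True))


def reflects_unescaped(render, marker: str = "xss\"'<>probe") -> bool:
    """The quick check a tester runs against a search box: send a marker
    containing HTML metacharacters and see whether it comes back verbatim."""
    return marker in render("/search?q=" + quote(marker, safe=""))


# Constructed payloads: one for the text context, one that breaks out of the
# value="..." attribute.
SCRIPT_URL = "/search?q=" + quote("<script>alert(document.cookie)</script>", safe="")
ATTR_URL = "/search?q=" + quote('"><img src=x onerror=alert(1)>', safe="")

if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(f"--- {name}: reflects unescaped = {reflects_unescaped(render)}")
        print(render(SCRIPT_URL))
        print(render(ATTR_URL))
```

Run it to see the two renderings side by side. The defence is output encoding for the context the value lands in; filtering the word "script" out of the input, or encoding only < and >, would leave the attribute breakout in ATTR_URL intact.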


SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-


Twitter Hacked, More Than 250,000 User Data Compromised

The social networking giant and world-famous micro-blogging site Twitter has again fallen victim to a cyber attack. Last year we saw Twitter's security compromised several times, and this year the San Francisco-based company, which has more than 500 million registered users, has again failed to keep hackers out. On Friday Twitter acknowledged that it had become the latest victim in a string of cyber attacks against media companies, saying hackers may have gained access to information on 250,000 of its more than 200 million active users. In a blog post the company said it had detected attempts to gain access to its user data earlier in the week and had shut down one attack moments after it was detected. According to the reports, usernames, email addresses, session tokens and salted password hashes (described in the reports as "encrypted/salted passwords") for 250,000 users might have been accessed in what Twitter described as a "sophisticated attack".

"This attack was not the work of amateurs, and we do not believe it was an isolated incident,” said Bob Lord, Twitter’s director of information security. “The attackers were extremely sophisticated, and we believe other companies and organisations have also been recently similarly attacked” Bob added. 

Jim Prosser, a Twitter spokesman, would not say how the hackers got into Twitter's systems, but Twitter's blog post pointed to a well-publicised vulnerability in Oracle's Java software, specifically the Java browser plug-in. Last month a security researcher exposed a serious vulnerability in the software; Oracle patched the hole, but the Department of Homeland Security said the fix was not sufficient and issued a rare alert urging users to disable Java in their web browsers. Prosser said Twitter was working with government and federal law enforcement to track down the source of the attacks. For now, he said, the company had reset the passwords and, per its blog post, revoked the session tokens of every affected user, and had notified them all. The company encouraged users to practise good password hygiene, which means using a different password for every site and choosing long passwords that cannot be found in a dictionary.
Twitter said it "hashed" passwords, meaning it ran each one through a one-way mathematical function and stored only the result, and "salted" them, meaning each password was combined with a random per-user value before it was hashed. The salt is not appended to the finished hash; it is mixed into the input, so two users with the same password end up with different hashes and an attacker cannot crack the whole dump in one pass with a precomputed table. Salting makes cracking more expensive, not impossible: each leaked hash can still be attacked individually by guessing, and weak passwords fall quickly. Once cracked, passwords are valuable on auction-like black-market sites, where a single password can fetch $20.
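As an added example (not Twitter's code; Twitter has not said which algorithm it uses), here is salted hashing done the way the paragraph above describes, in Python. PBKDF2-HMAC-SHA256, the iteration count and the algo$iterations$salt$digest record layout are assumptions, and the passwords and wordlist are constructed test data. The cracking function shows why a salt forces an attacker to work one record at a time but does not save a password that is in a wordlist.

```python
"""Salted password hashing as described in the Twitter post: the salt goes into
the hash input, not onto the end of the finished hash.

Added example, not Twitter's code. Twitter has not said which algorithm it uses;
PBKDF2-HMAC-SHA256, the iteration count and the stored-record layout below are
assumptions. The passwords and the wordlist are constructed test data.
"""
import hashlib
import hmac
import os
from typing import Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 100_000  # assumption: chosen so one hash costs tens of milliseconds


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt$digest.
    A fresh 16-byte random salt is drawn per password unless one is supplied."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the salt and iteration count stored in the record and
    compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def crack_with_wordlist(record: str, wordlist) -> Optional[str]:
    """What an attacker does with one leaked record: the salt is right there in
    the record, so each guess is hashed with it and compared. The salt forces
    this to be repeated per record (no shared rainbow table); it does not rescue
    a password that is in the wordlist."""
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


if __name__ == "__main__":
    alice = hash_password("password123")   # constructed, deliberately weak
    bob = hash_password("password123")     # same password, different salt
    print(alice)
    print(bob)
    print("same digest?", alice.split("$")[3] == bob.split("$")[3])
    print("cracked:", crack_with_wordlist(alice, ["letmein", "qwerty", "password123"]))
```

Storing the algorithm name and iteration count in the record is what lets a site raise the work factor later and re-hash users on their next login without a flag day.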

While on the subject of Twitter and cyber issues, recall that last year Twitter faced several attacks: details of more than 55,000 Twitter accounts were leaked; in the middle of the year the company suffered a massive denial-of-service attack that interrupted its service; and later a huge number of Twitter users across the globe received emails warning that their accounts had been compromised and their passwords reset, yet another security breach. Such big organisations are not careless about security, and Twitter showed as much by hiring the renowned white-hat hacker Charlie Miller to boost its security team, but after this latest incident Twitter needs to think harder about whether its systems are good enough to prevent cyber attacks. For all the hot cyber updates and reviews, stay tuned with VOGH.







Twitter Hires Renowned Apple Hacker Charlie Miller For Twitter Security Team

It is an almost impossible task for social networks to keep everything safe against hacks and other vulnerabilities; hackers will constantly find their way around whatever you put in place. So the networks often deal with hackers directly and turn them into defenders to beef up security. Social networking giant Twitter has done exactly that: the micro-blogging network has hired the famous (or infamous) Apple hacker Charlie Miller to be part of its security team. Miller, a popular figure among hackers, broke the news via his Twitter account, saying, "Monday I start on the security team at Twitter. Looking forward to working with a great team there!" Twitter issued a short statement noting that Miller's title will be Software Engineer, but declined to discuss any further details.
Charlie Miller has a background as a Global Exploitation Analyst at the National Security Agency and has hacked devices running iOS, OS X and Android. He is considered a white-hat hacker, which means he hacks to expose vulnerabilities in a system so that those weaknesses get fixed. Five years ago Miller was said to be the first to hack the iPhone through the device's browser, exposing the handset to remote attack. Several months later he hacked a MacBook Air in just two minutes, a feat that won him the Pwn2Own hacking competition. In 2009 Miller showed a way to hijack iPhones through SMS. In 2011 he showed how the firmware in a MacBook's battery could be used to plant malware on the laptop. The same year his Apple developer licence was revoked after Apple found he had breached the developer agreement.
More recently Miller has been working on Android devices. In June he was able to bypass Bouncer, Google's malware-screening service for Android apps. He also has experience using Near Field Communication to take control of Samsung and Nokia handsets with a simple wave of another phone that is within range.
While talking about Charlie Miller, we must mention another name: Nicholas Allegra, the world-famous hacker known as "Comex", creator of JailbreakMe.com, who was later hired by Apple itself. In Twitter's case, apart from Miller, the company has also hired Moxie Marlinspike, a hacker who specialises in SSL and VPN encryption.









NSA Calls Defcon The "World's Best Cybersecurity Community" & Asks for Their Help

A week ago DEFCON confirmed the presence of National Security Agency Director General Keith B. Alexander at DEFCON 20 in Las Vegas. "I've spent 20 years trying to get someone from the NSA" to speak at Defcon, said Defcon founder Jeff Moss, who serves on the U.S. Homeland Security Advisory Council and is chief security officer for ICANN. Moss added, "On the NSA's 60th anniversary and our 20th anniversary this has all come together." Here comes a double boom: Mr. Alexander not only attended the world's largest annual hacker gathering but also called Defcon the "world's best cybersecurity community" and asked for its help to secure cyberspace. Hackers can and must be part, together with the government and private industry, of a collaborative approach to securing cyberspace, he said. Hackers can help educate other people who don't understand cybersecurity as well as they do, the NSA chief said. "You know that we can protect networks and have civil liberties and privacy; and you can help us get there."
Gen. Alexander congratulated the organizers of Defcon Kids, an event dedicated to teaching kids how to be white-hat hackers, and described the initiative as superb. He called 11-year-old Defcon Kids co-founder CyFi to the stage and said that training young people like her in cybersecurity is what the U.S. needs.
He encouraged hackers to get involved in the process. "We can sit on the sidelines and let others who don't understand this space tell us what they're going to do, or we can help by educating and informing them" of the best ways to go forward. "That's the real reason why I came here. To solicit your support," he said. "You have the talent. You have the expertise." The hacker community has built many of the tools that are needed to protect cyberspace and should continue to build even better ones, he said during his keynote at Defcon. He gave the example of Metasploit and other penetration testing tools. 
VOGH Reaction:-
On behalf of the VOGH team I personally thank Mr. Keith B. Alexander for his presence at DEFCON. I believe that such an approach will encourage young hackers and give them extra enthusiasm, and that in the coming future we will get a better and more secure cyberspace.


-Source (PCW)







Hackers Are Invited To Attack Facebook's Corporate Network

Last year the social networking giant Facebook introduced its bug bounty program, inviting security researchers to poke around the site, discover vulnerabilities that could compromise the integrity or privacy of Facebook user data, and responsibly disclose them to the company. The minimum reward was $500. White hats were urged to look for cross-site scripting (XSS), cross-site request forgery (CSRF/XSRF) and remote code injection bugs, and the White Hat program's rules explicitly excluded spam and social-engineering techniques, DoS vulnerabilities, bugs in Facebook's corporate infrastructure, and vulnerabilities in third-party websites or apps. Now Facebook has changed its mind. After the security team received an unsolicited tip from a researcher about a vulnerability in the company's own network that would have allowed attackers to eavesdrop on internal communications, it made the unprecedented choice of broadening the scope of the bug bounty program and inviting researchers to look for other holes in the corporate network. Quite a few tech companies, such as Google and PayPal, run bug bounty programs, but Facebook is the first to give white hats formal permission to target its corporate network. Ryan McGeehan, manager of Facebook's security incident response unit, said that if there is a million-dollar bug, they will pay it out.
Given that Facebook has a strong incentive to protect the data of its 900 million users, and that data breaches have become disturbingly common in the last two years or so, the step seems a logical one.


-Source (Net-Security)







Facebook Said - Please Hack Us & Get Bounty of $500

Earlier, through the Hacker Cup, Facebook showed its regard for hackers; now the social networking giant is directly encouraging hackers to try to break its security systems and find weaknesses. Those who succeed receive a reward of US$500 or more and have their name added to a list of helpful hackers.
These hackers take part in Facebook's White Hat program. Anyone who finds a way of breaching the site's defences, and owns up, can earn rewards worth thousands of dollars. As well as money, Facebook promises not to land them in trouble with the police or the courts, provided they have complied with the program's golden rules. One British hacker has already earned more than $2,400 from Facebook, and the most prolific White Hat contributors are now given their own Facebook "bug bounty" cards. Facebook's chief security officer, Joe Sullivan, says he would much rather the hackers worked with the company than against it. In time, he hopes, hackers will be able to find legitimate ways of expressing themselves within schools and universities. "There is a real lack of practical academic programs for cyber-security not only in the US but also internationally," he said. "Cyber-security is a skill best learned by doing, and unfortunately many of the current academic programs place little emphasis on real-world practical experience such as that gained in competition or via bug-bounty programs."

According to Facebook - "If you're a security researcher, please review our responsible disclosure policy before reporting any vulnerabilities. If you give us a reasonable time to respond to your report before making any information public and make a good faith effort to avoid privacy violations, destruction of data and interruption or degradation of our service during your research, we will not bring any lawsuit against you or ask law enforcement to investigate you."

Eligibility:-
To qualify for a bounty, you must:
  • Adhere to our Responsible Disclosure Policy
  • Be the first person to responsibly disclose the bug
  • Report a bug that could compromise the integrity of Facebook user data, or circumvent the privacy protections of Facebook user data, such as:
      • Cross-Site Scripting (XSS)
      • Cross-Site Request Forgery (CSRF/XSRF)
      • Remote Code Injection
      • Broken Authentication (including Facebook OAuth bugs)
      • Circumvention of our Platform permission model
      • A bug that allows the viewing of private user data
  • Reside in a country not under any current U.S. sanctions (e.g., North Korea, Libya, Cuba, etc.)
Rewards:-
  • A typical bounty is $500 USD
  • We may increase the reward for specific bugs
  • Only 1 bounty per security bug will be awarded
Exclusions:-
The following bugs aren't eligible for a bounty (and we don't recommend testing for these):
  • Security bugs in third-party applications (e.g., http://apps.facebook.com/[app_name])
  • Security bugs in third-party websites that integrate with Facebook
  • Security bugs in Facebook's corporate infrastructure
  • Denial of Service vulnerabilities
  • Spam or social engineering techniques









'The Unknowns' Claimed to Breach NASA, European Space Agency, French & Bahrain Ministry of Defense & Many More
A new hacker collective calling itself 'The Unknowns' has claimed to have breached a range of government agencies, organisations and high-profile sites. In a Pastebin release The Unknowns said they had hacked into ten different organisations, and they published documents and other data alleged to have originated from the servers. The named targets are NASA's Glenn Research Center, the US military, the US Air Force, the European Space Agency, the Thai Royal Navy, Harvard, the Renault company, the French Ministry of Defense, the Bahrain Ministry of Defense and the Jordanian Yellow Pages.
NASA has confirmed that an attack did take place on 20 April, but said that no "sensitive or controlled information" was compromised. The ESA also admitted to having suffered an attack, which it said was carried out by SQL injection.
The group claims that its mission is not malicious but helpful. "Victims, we have released some of your documents and data, we probably harmed you a bit but that's not really our goal because if it was then all of your websites would be completely defaced but we know that within a week or two," the group's post said, "the vulnerabilities we found will be patched and that's what we're looking for." In other words, they cast themselves as white hats, though publishing a victim's data before the holes are fixed is not how responsible disclosure works.
If you dig into the history you will find that NASA has been hit many times by hackers from different parts of the world: spammers targeted NASA, TeaMp0isoN hacked NASA's official forum, Chinese hackers hit NASA satellites, the Indian hacker minhal stole secret information from NASA, Code Smasher found a CSRF vulnerability in the official website of NASA's Virtual Heliospheric Observatory, and so on.
 




Hackers Breached The Security System of Ministry of Defence (MoD) 

A couple of days ago we saw the Serious Organised Crime Agency (SOCA) become the victim of a denial-of-service attack, and now it is the MoD's turn. The military's head of cyber-security has revealed that hackers have managed to breach some of the top-secret systems within the Ministry of Defence (MoD). Major General Jonathan Shaw said: "The number of serious incidents is quite small, but it is there. And those are the ones we know about. The likelihood is there are problems in there we don't know about." Government computer systems come under daily attack, but though Shaw would not say how or by whom, this is the first admission that the MoD's own systems have been breached.
A former director of UK special forces, Shaw, 54, said he thought the military could learn a trick or two from firms such as Facebook. The company has a "white hat" programme in which hackers are paid rewards for informing them when they have found a security vulnerability.
Nine people in the UK have been paid a total of $11,000 for working with Facebook. Shaw said this was the kind of "wacky idea we need to bring in".
Shaw has spent the last year reviewing the MoD's approach to cyber-security, and the kind of cyber-capability the military will need in the future.
He says next year's MoD budget is expected to include new money for cyber-defence – an acknowledgment that even during a time of redundancies and squeezed budgets, this is now a priority.
The general said the MoD wasn't "doing badly … but we could do a hell of a lot better. We will get there, but we will have to do it fast. I think it was a surprise to people this year quite how vulnerable we are, which is why the measures have survived so long in the [budget] because people have become aware of the vulnerabilities and are taking them seriously." 
Shaw said the number of attacks was "still on an upward curve … and the pace of change is unrelenting". In his last interview before retiring, Shaw said the UK had to develop an array of its own cyber-weapons because it was impossible to create entirely secure computer systems.



-Source (Guardian)







The 2012 Cyber Defence University Challenge - Australia's First National Cyber Security Competition
The 2012 Cyber Defence University Challenge, Australia’s first national cyber security competition, has been announced  by The Gillard Government, in partnership with Telstra and Australian universities. The ultimate prize, sponsored by Telstra, is travel and entry to the Black Hat 2012 Conference in Las Vegas, USA, in July 2012. Black Hat conferences are much sought-after technical information security congresses and briefing seminars which bring together trainers and speakers from corporate, government and research sectors worldwide.
Minister for Broadband, Communications and the Digital Economy Senator Stephen Conroy said the Challenge would test the cyber problem-solving skills of teams of Australian undergraduates in a virtual computer network scenario. “The Challenge will raise awareness of the importance of cyber security, particularly in the university and business sectors, while also showcasing the diverse career opportunities for ICT graduates,” Senator Conroy said.
“The need for greater awareness of cyber security issues and for more high-skilled ICT graduates were two of the key themes to emerge from the public engagement process associated with the Government’s Cyber White Paper, due for release later this year. “The Challenge is a positive example of the Government partnering with industry and academia to enable Australia to overcome the challenges associated with being a modern, digital economy. “The Government is committed to working with industry to develop a safe and secure digital economy for Australians.  We are also committed to increasing the skills and expertise necessary to protect online environments from cyber crime such as data theft.”
The Challenge will run for 24 hours on 3 – 4 April 2012. University undergraduates across Australia who are studying computer science and related degrees are encouraged to register a team in the Challenge via their university.




FBI Partner InfraGard Hacked Again By #Anonymous (#FuckFBIFriday)
It seems that this week's #FuckFBIFriday rampage by Anonymous is really in full swing. In this week's #FFF they delivered two big hits: the first was the hack of a US prison contractor's site and the second the FBI-affiliated InfraGard. LulzSec hit InfraGard earlier, breaching the digital security perimeter around the Atlanta chapter, taking complete control of the site, defacing it and leaking the local user base, so this is the second time InfraGard has been a hacktivist target. According to the AnonymousIRC Twitter account: "#FFF FBI-INFRAGARD ROOTED AGAIN. ONE MORE TIME. FOR THE LULZ. infragard.dayton.oh.us #Anonymous #AntiSec #LulzSec #OWS"
The message on the defaced page read: "Today we targeted the Dayton Ohio chapter of InfraGard, the sinister alliance between law enforcement, corporations, and white hat wannabees. We broke into their webserver, perused their assorted presentation materials, and finally deleted everything and vandalized their website so we can boost our zone-h rankings..."
So the list of #FFF victims keeps growing: last Friday they breached a Federal Trade Commission (FTC) server and hacked the official websites of the FTC, its consumer rights site and National Consumer Protection Week, and a week before that the Friday rampage saw Anonymous release a sensitive conference call between the FBI and Scotland Yard. Now the US prison contractor and InfraGard are on the list too.





Anonymous Exposed The Private Information of The Special Agent, Officers, Cyber Crime Investigators Of Department Of Justice


The cache of emails, which according to AntiSec came from the account of Fred Baclagan, a retired special agent supervisor at the California Department of Justice, includes 38,000 emails detailing computer forensic techniques and cybercrime investigation protocols. The hacktivists claim to have hacked into Baclagan's Gmail account and to have accessed his voicemails and SMS message logs using unspecified techniques, as part of their ongoing campaign against law enforcement officials and their "allies" in the computer security industry. The email dump, released as a torrent last Friday as part of what has become the group's regular FuckFBIFriday release, is also said to contain personal information including Baclagan's home address and phone number.

Baclagan told the Post that he was nobody special in the Justice Department, which is what he would say, of course. He said he had specialised in identity theft before retiring last year. "I'm really just a nobody," he told the Post, "just a local investigator, not involved in anything dynamic or dramatic."

In the Press Release Anon Said:-

################################################################################
#        ANTISEC LEAKS DOJ SPECIAL AGENT SUPERVISOR'S PRIVATE EMAILS,          #
#               IACIS CYBERCRIME INVESTIGATOR COMMUNICATIONS                   #
#         care of the #OCCUPYWALLST CRACKDOWN RETALIATION TASK FORCE           #
################################################################################

Greetings Pirates, and welcome to another exciting #FuckFBIFriday release.

As part of our ongoing effort to expose and humiliate our white hat enemies, we
targeted a Special Agent Supervisor of the CA Department of Justice in charge of
computer crime investigations. We are leaking over 38,000 private emails which
contain detailed computer forensics techniques, investigation protocols as well
as highly embarrassing personal information. We are confident these gifts will 
bring smiles to the faces of our black hat brothers and sisters (especially 
those who have been targeted by these scurvy dogs) while also making a mockery 
of "security professionals" who whore their "skills" to law enforcement to 
protect tyrannical corporativism and the status quo we aim to destroy.

We hijacked two gmail accounts belonging to Fred Baclagan, who has been a cop
for 20 years, dumping his private email correspondence as well as several dozen 
voicemails and SMS text message logs. While just yesterday Fred was having a 
private BBQ with his CATCHTEAM high computer crime task force friends, we were 
reviewing their detailed internal operation plans and procedure documents. We 
also couldn't overlook the boatloads of embarrassing personal information about 
our cop friend Fred. We lulzed as we listened to angry voicemails from his 
estranged wives and ex-girlfriends while also reading his conversations with 
girls who responded to his "man seeking woman" craigslist ads. We turned on his 
google web history and watched him look up linux command line basics, golfing 
tutorials, and terrible youtube music videos. We also abused his google 
voice account, making sure Fred's friends and family knew how hard he was owned.

Possibly the most interesting content in his emails are the IACIS.com internal
email list archives (2005-2011) which detail the methods and tactics cybercrime 
units use to gather electronic evidence, conduct investigations and make 
arrests. The information in these emails will prove essential to those who want 
to protect themselves from the techniques and procedures cyber crime 
investigators use to build cases. If you have ever been busted for computer 
crimes, you should check to see if your case is being discussed here. There are 
discussions about using EnCase forensic software, attempts to crack TrueCrypt 
encrypted drives, sniffing wireless traffic in mobile surveillance vehicles, how 
to best prepare search warrants and subpoenas, and a whole lot of clueless 
people asking questions on how to use basic software like FTP. In the end, we
rickrolled the entire IACIS list, causing the administrators to panic and shut
their list and websites down.

These cybercrime investigators are supposed to be the cream of the crop, but we
reveal the totality of their ignorance of all matters related to computer
security. For months, we have owned several dozen white hat and law enforcement
targets-- getting in and out of whichever high profile government and corporate
system we please and despite all the active FBI investigations and several
billion dollars of funding, they have not been able to stop us or get anywhere
near us. Even worse, they bust a few dozen people who are allegedly part of an
"anonymous computer hacking conspiracy" but who have only used 
kindergarten-level DDOS tools-- this isn't even hacking, but a form of
electronic civil disobedience. 

We often hear these "professionals" preach about "full-disclosure," but we are
sure these people are angrily sending out DMCA takedown notices and serving
subpoenas as we speak. They call us criminals, script kiddies, and terrorists, 
but their entire livelihood depends on us, trying desperately to study our 
techniques and failing miserably at preventing future attacks. See we're cut 
from an entirely different kind of cloth. Corporate security professionals like
Thomas Ryan and Aaron Barr think they're doing something noble by "leaking" the
public email discussion lists of Occupy Wall Street and profiling the "leaders"
of Anonymous. Wannabe player haters drop shitty dox and leak partial chat logs
about other hackers, doing free work for law enforcement. Then you got people 
like Peiter "Mudge" Zatko who back in the day used to be old school l0pht/cDc 
only now to sell out to DARPA going around to hacker conventions encouraging 
others to work for the feds. Let this be a warning to aspiring white hat 
"hacker" sellouts and police collaborators: stay out the game or get owned and 
exposed. You want to keep mass arresting and brutalizing the 99%? We'll have to 
keep owning your boxes and torrenting your mail spools, plastering your personal 
information all over teh internets.

Hackers, join us and rise up against our common oppressors - the white hats, the 
1%'s 'private' police, the corrupt banks and corporations and make 2011 the year 
of leaks and revolutions! 

We are Anti-Security,
We are the 99%
We do not forgive.
We do not forget.
Expect Us!




Microsoft Started "BlueHat" Contest for Better Security


As any Jedi knight knows, the temptation to turn to the Dark Side is hard to resist. The same can be true for white-hat hackers, the security researchers who discover vulnerabilities in software.
The black-market prices for those kinds of security flaws are as tantalising to ethical hackers as the dark side of the Force was to Luke Skywalker. Microsoft wants to temper that temptation, and has announced a contest offering more than $250,000 in prizes for developing better defences against security threats.
Microsoft's "BlueHat Prize", announced by the company at the Black Hat security conference in Las Vegas on Wednesday, offers a grand prize of $200,000, a runner-up purse of $50,000 and a third-place award of a one-year MSDN Universal subscription (a developer platform for Microsoft products) worth $10,000 to the security researchers who design the most effective ways to prevent the exploitation of memory-safety vulnerabilities. Those are bugs such as buffer overflows that let an attacker corrupt a program's memory and take control of the computer; the prize rewards a mitigation that blocks the whole class of attack, not the discovery of individual bugs.
“As the risk of criminal attacks on private and government computer systems continues to increase, Microsoft recognizes the need to stimulate research in the area of defensive computer security technology," Matt Thomlinson, Microsoft’s General Manager of Trustworthy Computing Group, said.
“Our interest is to promote a focus on developing innovative solutions rather than discovering individual issues," Thomlinson continued. "We believe the BlueHat Prize can catalyze defensive efforts to help mitigate entire classes of attacks."

Top Experts Needed:-

In offering the prize, Microsoft hopes to attract the world's top experts to focus their "little gray cells" on a major security problem. “Microsoft wants to encourage more security experts to think about ways to reduce threats to computing devices," observed Katie Moussouris, senior security strategist lead for the Microsoft Security Response Center.
“We’re looking to collaborate with others to build solutions to tough industry problems," she added. "We believe the BlueHat Prize will encourage the world’s most talented researchers and academics to tackle key security challenges and offer them a chance to impact the world."

The Origin of the Concept:-

According to Microsoft, it got the idea for the BlueHat prize from a previously launched security information-sharing program. That initiative, the Microsoft Active Protections Program (MAPP), allows Microsoft to share information with security vendors around the world so they can release protection technologies to their customers much faster. The success of that program got Microsoft thinking about mounting a similar effort for the security research community.
One vendor with praise for BlueHat was Adobe, a company that's no stranger to software with vulnerabilities. “The Microsoft BlueHat Prize announced at Black Hat [on August 3] is an exciting new initiative and a great example of encouraging community collaboration in the defense against those with malicious intent," observed Adobe's Senior Director for Product Security and Privacy Brad Arkin.
“This call for entries promises to stimulate research activity within the broader security community on how to mitigate entire classes of attacks, rather than thinking about software security as a challenge best addressed one bug at a time," he continued. "This research has the potential to lower costs for third-party developers and increase the level of security assurance for end users."
Here are the official rules and guidelines for the competition. Contest submissions will be accepted until Sunday, April 1, 2012, Microsoft said. A panel of Microsoft security engineers will judge submissions based on the following criteria: practicality and functionality (30 percent); robustness, meaning how hard it would be to bypass the proposed solution (30 percent); and impact (40 percent). The winners will be announced at the Black Hat USA conference in 2012.

-News Source (PC World)


Vulnerability in Apple MacBooks Which Could Ruin Batteries


One prominent security researcher has discovered a vulnerability in the batteries of Apple's MacBook line of portable computers that could allow hackers to ruin the batteries or install malware on them that could corrupt a Mac.
Charlie Miller, a renowned white-hat hacker who works for security firm Accuvant, plans to reveal and offer a fix next month for a MacBook battery vulnerability he has discovered, Forbes reports. Miller uncovered default passwords, which are used to access the microcontroller in Apple's batteries, within a firmware update from 2009 and used them to gain access to the firmware.

Apple and other laptop makers use embedded chips in their lithium ion laptop batteries to monitor their power level, start and stop charging, and regulate heat.
During the course of his tests, the researcher "bricked" seven batteries, rendering them unusable by rewriting the firmware. Of more concern is the possibility that hackers could use the vulnerability to install difficult-to-remove malware, or, in a worst-case scenario, cause the batteries to explode.

“These batteries just aren’t designed with the idea that people will mess with them,” he said. “What I’m showing is that it’s possible to use them to do something really bad.” According to him, few IT administrators would think to check the battery, providing hackers with an opportunity to hide malicious software on a battery that could repeatedly implant itself on a computer.

Miller admitted that he hasn't tried to blow up any batteries, but he did say it might be possible. "You read stories about batteries in electronic devices that blow up without any interference,” he noted. “If you have all this control, you can probably do it.”
Another researcher, Barnaby Jack, who works for antivirus software maker McAfee, also looked into the battery issue a couple of years ago, but said he didn't get as far as Miller did.

Miller, who is a regular winner of security contests demonstrating Mac, Safari and iPhone exploits, has notified Apple and Texas Instruments of the issue. Despite requests from several other researchers not to proceed, he plans to unveil the vulnerability, along with a fix he calls "Caulkgun," at the Black Hat security conference next month.
"Caulkgun" will change a battery's default passwords to a random string of characters. While the fix will prevent hackers from breaking into the battery, it would also block any future firmware updates from Apple.

In spite of the battery vulnerability that he uncovered, Miller believes Mac OS X security is better than ever before. According to him, Apple engineers made few security-related changes in the jump from Leopard to Snow Leopard, but they made substantial improvements in Mac OS X 10.7 Lion, which was released on Wednesday.
"Now, they've made significant changes and it's going to be harder to exploit,” he said, as noted by The Register.
“It's a significant improvement, and the best way that I've described the level of security in Lion is that it's Windows 7, plus, plus,” said noted security consultant Dino Dai Zovi.
Apple offered security researchers, including Miller and Dai Zovi, an unprecedented early look at Lion in order to get their feedback.
According to researchers, Lion's biggest security improvement is its support for Address Space Layout Randomization. ASLR randomizes the location of critical system components to reduce the risk of attack. Apple also added sandboxing security measures in Safari that will isolate potential bugs or malware. Finally, the newly revamped FileVault now allows an entire drive to be encrypted.


-News Source (Appleinsider)


Kids' Conference (Ages 8-16) to Teach "White Hat" Skills



DEFCON was started in 1993, and has grown into the largest annual gathering of hackers. Attendees at this year’s conference, DEFCON 19, will include cyber-criminals, hackers, computer security professionals, security personnel, US Federal agents, and anyone else with an interest in anything that can be hacked. Activities at the event include speakers on different subjects of interest to hackers, social events and contests. In August the first ever DEFCON kids’ conference will take place. This conference will be run as part of the main DEFCON conference, and is meant to teach kids between 8 and 16 years old “white hat” hacker skills. As opposed to “black hat” hacking, the DEFCON Kids will be taught “white hat” hacker skills that will give them the ability to protect themselves against cyber crime. Black hat involves the dark side of internet hacking, including looting of money and destruction of hardware or software. The aim is to convince kids that it is cool to fight crime by being an ethical hacker.
The courses will be run by some of the world’s most elite hackers. According to the DEFCON Kids website, the training and demonstrations will include “learning how to open Master locks, Google Hacking, making Electronics, Social Engineering, coding in Scratch and Communicating in Code.”


Lulzsec & Anonymous Jointly Declare "Operation Anti-Security"

                                  

Lulzsec and Anonymous have just declared full open war against all governments, banks and big corporations in the world. They are calling all hackers in the world to unite. Their objective is to fully expose all corruption and dark secrets: 

Salutations Lulz Lizards,
As we're aware, the government and whitehat security terrorists across the world continue to dominate and control our Internet ocean. Sitting pretty on cargo bays full of corrupt booty, they think it's acceptable to condition and enslave all vessels in sight. Our Lulz Lizard battle fleet is now declaring immediate and unremitting war on the freedom-snatching moderators of 2011.
Welcome to Operation Anti-Security (#AntiSec) - we encourage any vessel, large or small, to open fire on any government or agency that crosses their path. We fully endorse the flaunting of the word "AntiSec" on any government website defacement or physical graffiti art. We encourage you to spread the word of AntiSec far and wide, for it will be remembered. To increase efforts, we are now teaming up with the Anonymous collective and all affiliated battleships.
Whether you're sailing with us or against us, whether you hold past grudges or a burning desire to sink our lone ship, we invite you to join the rebellion. Together we can defend ourselves so that our privacy is not overrun by profiteering gluttons. Your hat can be white, gray or black, your skin and race are not important. If you're aware of the corruption, expose it now, in the name of Anti-Security.
Top priority is to steal and leak any classified government information, including email spools and documentation. Prime targets are banks and other high-ranking establishments. If they try to censor our progress, we will obliterate the censor with cannonfire anointed with lizard blood.
It's now or never. Come aboard, we're expecting you...
History begins today.
Lulz Security
This is not going to end well. Or perhaps it will end well. Could this movement help change the world for the better? With the growing worldwide discontent against the political and financial establishment—in my home country and all through Europe people are organizing to fight corrupted politicians and their greedy fat owners—I wonder if this may very well be the beginning of our May 1968. That was the time when the young French generations stood up against the government to demand a much needed change.
Opening the vaults of dark secrets and exposing corruption everywhere would certainly help towards that goal: Real change. Perhaps this is just the beginning of a quiet and angry revolution that will make the world a better place. Maybe making that information public will be instrumental to wake everyone up.
That said, exposing emails and private information from normal people or sinking ships that are neutral in this battle will not help towards that cause. That's not good and will not help anyone but those whom they declare their enemies.
But uncovering the wrongdoings of states and economical institutions? I'm all for it. 


Metasploit Declares $5,000 Bug Bounty Program for Exploits, Lasting 5 Weeks


If you've got a way to crack Google Chrome, the Metasploit team wants to pay you for it. Today Rapid7 announced that it has a total of $5,000 in cash to reward contributors who send in exploits for its Top 5 or Top 25 vulnerability lists. The exploits have to be submitted, and accepted, as modules under its standard Metasploit Framework license.
Cash for bugs is a controversial but common way for security firms to encourage hackers to send exploits to the white hats. As far as Bug Bounty programs go, Metasploit's program is meager. But for an open source program that relies on contributions sent in for free, it's an interesting experiment. The program will end quickly, lasting only five weeks (July 20). One fun thing that the team is doing is letting people stake a claim to their exploit of choice from their Top 5 (prize is $500) or Top 25 (prize is $100) lists. After claiming an exploit, hackers get a week to submit their Metasploit module for their chosen bug. The prize money will "only be paid out to the first module contributor for a given vulnerability," the Metasploit team says.
And guess what? Denial of Service exploits won't qualify. Metasploit wants your bug to be able to do more than that. It should also bypass ASLR/DEP when applicable and be geared toward English-based targets. Metasploit wants hackers to follow its submission guidelines, and they cannot be residents of a US-embargoed country.
All accepted submissions will not only win a bit of cash but their submissions will be made available to other Metasploit users, again under the Metasploit Framework license (3-clause BSD).
As I look at the list of 30 possible exploits while writing this blog post, I see that only two have been claimed so far: CVE/ZDI 2011-1218, Lotus Notes - Autonomy Keyview (.zip attachment), and an exploit not listed in the CVE database, known as "DATAC RealWin On_FC_CONNECT_FCS_LOGIN packet containing a long username." So plenty of room for participants remains.
The cash-for-bugs program is interesting, but the list of vulnerabilities for which Metasploit is seeking help is even more so.

The Top 5 are for specific holes in ...
  1. Google Chrome (before 11.0.696.71)
  2. Lotus Notes
  3. IBM Tivoli Directory Server
  4. DNS
  5. GDI
In the Top 25, the entries on the list that caught my eye include holes in the JScript and VBScript scripting engines, JBoss, Oracle VM and Citrix, among others. (Yes, browsers are in there, too, including Firefox, Chrome and Opera.)
Of course, if you do have a killer bug, particularly for some of the browsers like Firefox or Chrome, you can perhaps earn more than $100 for it. Mozilla's Bug Bounty program pays up to $3,000 in cash, and you get a Mozilla T-shirt. For security bugs in web applications or services, Mozilla pays from $500 to $3,000. In January, Google paid out what was then a record reward, $3,133, to a hacker for reporting a flaw in Chrome. (Google raised its bug bounty reward about a year ago, from $1,337, after Mozilla bumped up its reward rate to $3,000.)
TippingPoint, known as one of the founders of the bug bounty concept, not only pays cash (as much as $5,000 for your zero-day), but it also awards bonus points in a scheme more complicated than an airline mileage rewards program. Participants earn points for referring others into the program, for each zero-day they submit and so on. These points gain you bonuses for your hacks, and other goodies like all-expense-paid trips to hacker conferences like Black Hat.
Who knew hacking could be so rewarding?


Young Hacker Approached Diplomatically by Microsoft to Avoid Backlash




Sony’s recent nightmarish experiences with hackers have made Microsoft rethink its policies regarding how to engage with hackers. If we are to believe the words of Microsoft Corp.’s Ireland General Manager Paul Rellis, his company has learned a valuable lesson from the recent assault on Sony’s worldwide network, and has decided to approach hackers more diplomatically, TechEye reports.
Apparently a 14-year-old Irish boy was caught trying to break into the Xbox LIVE network, but instead of prosecuting him, Microsoft has decided to help him become a better coder. Microsoft hopes that by helping the young hacker he will become a productive, white-hat hacker in the future instead of an online trouble-maker, and that the company will earn some respect from the hacker community in the process.

Sony's problems began when they prosecuted the hacker Geohot for jailbreaking the PlayStation 3. Jailbreaking a device allows users to run their own code and, while it is controversial, its legality is still a matter of dispute.
Sony's harsh reaction to an activity that most online hackers consider relatively harmless brought about the attacks that have cost Sony more than $100 million in damages, according to its own reports.


Hackers, Crackers, Tramps & Thieves


Recently, we have seen a “hacker group,” loosely known as Anonymous, wage a distributed denial of service attack (DDoS) against various companies that withdrew services from WikiLeaks. This was done in a supposed noble defense of WikiLeaks. Now it appears the same group has taken credit for attacks against Sony. Why attack Sony? Because Anonymous believes individuals should be able to modify PlayStation 3 consoles, and Sony says no, they shouldn’t be, and is fighting the copyright infringement with legal action. It is sort of like I disagree with you and we end up in court and you then throw a rock through my window (funny…. I didn’t mean to bring Microsoft into the mix…LOL). Well apparently, more than a rock got thrown through Sony’s “window.” It now appears that 2.2 million credit cards with CVV were stolen as well. Anonymous is now only claiming they broke the window, not that they stole anything. Who exactly are “hackers”?
Initially the term came to refer to individuals who pushed technology to its limits. Hacking was making technology (hardware/software) do more, more efficiently, etc. However, somewhere along the way it began to be used as a term to describe individuals exploiting technology for illegal purposes. Later the term crackers came to refer to hackers who did bad things, such as breaking into systems, causing damage, stealing data, etc. We also had the “color” system, if you will, in part no doubt due to the old adage in Western movies that good and bad guys wear different colored hats. Yep, you guessed it: you have White Hat hackers (good guys) and Black Hat hackers (bad guys). Of course, you also then have the Grey Hat hackers (good or bad, depending upon what they are doing). As an old John Wayne fan I never really paid much attention to what hat he was wearing, but that is beside the point.
In my opinion, hackers have come to enjoy a unique position in our society. For instance, there is no such thing as a “white hat” embezzler, drug dealer, or bank robber. The closest thing I can think of is maybe Robin Hood, where he was a criminal but his ends justified his means (steal from the rich and give to the poor). I suppose there was some romanticizing about train/bank robberies, Jesse James or even Bonnie and Clyde. But in the end we still consider them criminals when all is said and done. We just don’t have other offender groups being described by their head apparel. I also am amazed that being a hacker is viewed by some as the best pathway to becoming an IT security expert. It is sort of like someone being a burglar or robber as a path to a career as a security professional. I guess these folks think honest hard work and education just doesn’t look as good as “I was a criminal” on a resume.
So what does this have to do with corrections? Well, many of these folks do get caught. They go before a judge and someone has to look at what was done and make a call. Answering that it was illegal is easy. What do you do with them? Some would argue they are Robin Hoods, making information free for the world. Some believe they are just really smart and the corporations are the real corrupt ones. (See The Conscience of a Hacker)
Here is the problem I have. My Robin Hood didn’t burn Sherwood Forest to help the poor. He also did not use the poor as pawns in his fight with the rich. Take a look at the Sony case. They have a right to protect their intellectual property. They were pursuing the matter in court, following the law. A group of offenders breaks into Sony, allegedly to embarrass them. However, someone during the break-in (more than likely the same folks that broke in) stole 2.2 million credit cards with CVV. There are reports that those card numbers are being sold. Sony looks bad for the security breach. But was it really necessary to harm Sony’s customers in the fight to make right? So, are hackers misguided “Robin Hoods”, out to defend us against the big bad corporations out there? Or are they what we normally call common criminals?
On the other hand, some of these “criminals” are what we call in the business “success” stories. “rtm,” who released the first Internet worm, later went on to get a doctorate and is a respected expert in the field. The “Condor” is an author and runs a successful information security consulting firm (notwithstanding my comment about criminals becoming future security experts). The “Dark Dante” is a senior editor for a major publication as well as an accomplished author.
The bottom line to this discussion is that corrections must do what we always do: condemn the acts but not the individuals. Hackers, whatever the reasons, are offenders, not modern Robin Hoods. They can be rehabilitated. They are, however, not modern-day technological heroes. Making them sound like a quarter pounder with cheese does not change the fact they have no meat between the buns. Take care and be safe. Time for a cigar!
