Yahoo Mail Hit By XSS Exploit Putting 400 Million Users At Risk

Mistrust is growing yet again among Yahoo's large user base, as the company has repeatedly failed to protect its customers from cyber attack. Late last year two major Yahoo services were compromised, affecting millions of registered users across the globe. First Yahoo Voice was hacked, putting about 450,000 users at high risk. Then it was Yahoo Mail's turn, when Egyptian hackers found serious XSS vulnerabilities in the webmail service that let attackers steal cookies from Yahoo Webmail users. Cyber criminals later turned those loopholes into a product, the so-called exploit, which was offered at a high price on underground markets and forums. As expected, Yahoo promptly patched the holes, but it now seems the company did not learn the lesson of the recent past.
You may be wondering what happened. Once again Yahoo's security has fallen to hackers. Shahin Ramezany, a hacker and independent security researcher, has found a DOM-based XSS vulnerability in Yahoo Mail that is exploitable in all major browsers. (In a DOM-based XSS the payload is executed by the page's own client-side script, for instance from a URL fragment, rather than being echoed by the server, so server-side output filtering alone may never see it.) Ramezany tweeted about the issue with a link to a YouTube video in which he demonstrated the hack, and claimed that the exploit puts more than 400 million Yahoo users at risk.


As soon as the story was spotted, Yahoo responded. In an official release a Yahoo spokesman said: "We’ve been looking into it and the US have now confirmed that they are investigating too. They will be in touch if there is a comment – otherwise I recommend that if users are concerned then they should change their passwords immediately."

Later Yahoo said that they had plugged the security hole. In a further statement the spokesperson added: “At Yahoo! we take security very seriously and invest heavily in measures to protect our users and their data. We were recently informed of an online video that demonstrated a vulnerability. We confirm that the vulnerability has been fixed. In addition, we are investigating recent reports of increased abusive traffic and will work diligently to fix any vulnerabilities that are found. Concerned users are encouraged to change their passwords to a safe password that combines letters, numbers, and symbols.”

But the issue was not completely resolved: immediately after Yahoo released its fix, Shahin Ramezany said the fix was not good enough and the Yahoo Mail exploit was still active. On Twitter he called the fix "not effective enough and users are still [at] risk," since the proof-of-concept code can easily be tweaked to continue the attacks.

EU Opens The Door of European Cybercrime Centre (EC3) To Protect Europe From Cyber Threat

We are all aware of the FBI's Internet Crime Complaint Center, IC3, which protects U.S. citizens from cyber criminals and attacks. But the cyber world is not limited to the U.S., and neither are cyber criminals, so every country needs organizations like IC3 to keep its digital fence safe and secure. Developing and developed countries across the globe are rushing to ensure maximum digital and cyber security, and the same rush applies to the countries of Europe, with a visible result: the fight against cyber crime in Europe has a new home. The European Cybercrime Centre (EC3) officially opened its doors on 11 January at the European Police Office, Europol, in The Hague. In the middle of last year the European Commission announced that it was preparing a cybercrime centre to fight cyber threats, and after six months of effort it is now live for the people of Europe. Such an organization will surely enhance the cyber security of European countries. In its official press release EUROPA said "EC3 will be up and running to help protect European citizens and businesses from cyber-crime."

EC3 officially commenced its activities on 1 January 2013 with a mandate to tackle the following areas of cybercrime: 
  • That committed by organised groups to generate large criminal profits such as online fraud
  • That which causes serious harm to the victim such as online child sexual exploitation
  • That which affects critical infrastructure and information systems in the European Union

According to the European Commission's press release: "The Cybercrime Centre will give a strong boost to the EU's capacity to fight cybercrime and defend an internet that is free, open and secure. Cybercriminals are smart and quick in using new technologies for criminal purposes; the EC3 will help us become even smarter and quicker to help prevent and fight their crimes", said Commissioner Malmström.
"In combatting cybercrime, with its borderless nature and huge ability for the criminals to hide, we need a flexible and adequate response. The European Cybercrime Centre is designed to deliver this expertise as a fusion centre, as a centre for operational investigative and forensic support, but also through its ability to mobilise all relevant resources in EU Member States to mitigate and reduce the threat from cybercriminals wherever they operate from", said Troels Oerting, Head of the European Cybercrime Centre
Investigations into online fraud, child abuse online and other cybercrimes regularly involve hundreds of victims at a time, and suspects in many different parts of the world. Operations of this magnitude cannot be successfully concluded by national police forces alone.
The opening of the European Cybercrime Centre (EC3) marks a significant shift in how the EU has been addressing cybercrime so far. Above all, the approach of the EC3 will be more forward-thinking and inclusive. It will pool expertise and information, support criminal investigations and promote EU-wide solutions.
The EC3 will focus on illegal online activities carried out by organised crime groups, especially attacks targeting e-banking and other online financial activities, online child sexual exploitation and those crimes that affect the critical infrastructure and information systems in the EU.
The Centre will also facilitate research and development and ensure capacity building among law enforcement, judges and prosecutors and will produce threat assessments, including trend analyses, forecasts and early warnings. In order to dismantle more cybercrime networks and prosecute more suspects, the EC3 will gather and process cybercrime related data and will provide a Cybercrime Help desk for EU countries' law enforcement units. It will offer operational support to EU countries (e.g. against intrusion, fraud, online child sexual abuse, etc.) and deliver high-level technical, analytical and forensic expertise in EU joint investigations. 

For detailed information, please visit the official website of Europol's EC3.

FBI Wanted Cyber Criminal Hamza Bendelladj Arrested in Thailand

Another FBI-listed cyber criminal has been nabbed. The suspect, 24-year-old Hamza Bendelladj, was arrested late on Sunday night during a layover at Thailand’s international airport while travelling from Malaysia to Egypt. According to officials, Bendelladj is an Algerian national wanted by the United States Federal Bureau of Investigation (FBI) for allegedly making tens of millions of dollars from cyber crime. Police confiscated two laptops, a tablet computer, a satellite phone and a number of external hard drives from him. Officials said the FBI had been pursuing Bendelladj for nearly three years. U.S. authorities believe the suspect hacked private accounts at more than 217 banks and financial companies worldwide, causing about $10 million in losses per transaction. Following the arrest he will be extradited to the U.S. state of Georgia, where a district court has issued an arrest warrant. In an exclusive report the Bangkok Post said that a smiling Bendelladj, who was present at the press conference, denied claims by the Thai authorities that he was on the FBI's top-10 most wanted list. "I'm not in the top 10, maybe just 20th or 50th," the Algerian suspect said with a laugh. "I am not a terrorist."

Official Website of Senator Vicente C. Sotto III Hacked By Anonymous Philippines

The Philippine rampage of the hacktivist collective Anonymous continues, as the group has struck again, taking down the official website of Senator Vicente C. Sotto III. The attack was carried out under the banner of 'OccupyPhilippines': the group broke into the server hosting Senator Tito Sotto's site and defaced its index page. According to the hackers, the attack was a stand against the controversial Cybercrime Prevention Act of the Philippines, widely known as Republic Act No. 10175, which they believe will restrict freedom of speech in cyberspace unless it is revised. During the attack the hackers left the following message for the Senator:

"It's been a long time, Tito Sen! Deny us our freedom of speech and of expression through R.A. 10175 
and we will deny you your cyberspace. You cannot shut us up, you cannot shut us down. 
And you shall not see us rest until R.A. 10175 is revised.
We are all waiting, we are all ready.
We are Anonymous, we are legion.
We do not forgive and we do not forget.
Expect Us
Protect our Right to Freedom of Expression!..."

The attack took place yesterday evening; as soon as the intrusion was spotted the site was taken offline for a period. This morning the whole site was restored and is back in its normal form.

SQL Injection Vulnerability Affects All Versions of Ruby on Rails (CVE-2012-5664)

The developers of Ruby on Rails are warning users about an SQL injection flaw that affects every current version of the Ruby on Rails web framework. By exploiting the vulnerability an attacker can inject, and have the database execute, arbitrary SQL from a crafted web request. "Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL," explained the framework's developers. As soon as the vulnerability was disclosed, the Rails maintainers released new versions that address the flaw: 3.2.10, 3.1.9 and 3.0.18. In their advisory the Ruby on Rails team recommends that users running affected versions, which is essentially anyone using Ruby on Rails, upgrade immediately to one of those fixed versions. "We're sorry to drop a release like this so close to the holidays but regrettably the exploit has already been publicly disclosed and we don't feel we can delay the release," the Rails developers concluded.
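The mechanism quoted above, as an added example in Ruby that is neither Rails' own code nor the Phenoelit proof of concept: a toy finder that copies the old convention of treating a trailing Hash argument as finder options, the query it builds when the supposed value is an attacker-supplied Hash, and a hardened finder that accepts only a scalar. The `users` table, the `persistence_token` column, the `quote` helper and the shape of the malicious parameter are assumptions made for this demonstration.

```ruby
# Added illustration (not Rails' own code): a toy model of the CVE-2012-5664 bug class.
# Before Rails 3.2.10 / 3.1.9 / 3.0.18, an Active Record dynamic finder such as
# User.find_by_persistence_token(value) treated a trailing Hash argument as finder
# options (:select, :conditions, ...). If an attacker could deliver a Hash where a
# plain String was expected, those options were spliced straight into the SQL.
# Table and column names and the quoting helper below are assumptions for the demo.

# Minimal literal quoting, standing in for the database adapter's quote method.
def quote(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Vulnerable finder: mirrors the old "last argument is an options Hash" convention.
# With a single Hash argument the Hash becomes the options and the looked-up value
# silently becomes nil, so the attacker now controls the SELECT clause.
def vulnerable_find_by(attribute, *args)
  options = args.last.is_a?(Hash) ? args.pop : {}
  value   = args.first
  select  = options[:select] || options["select"] || "*"
  where   = ["#{attribute} = #{quote(value)}"]
  extra   = options[:conditions] || options["conditions"]
  where << extra if extra
  "SELECT #{select} FROM users WHERE #{where.join(' AND ')} LIMIT 1"
end

# Hardened finder: exactly one scalar value, never an options Hash. This is the
# same idea as coercing untrusted parameters to a String or Integer before they
# reach a finder, so that a smuggled Hash can never be read as options.
def hardened_find_by(attribute, value)
  unless value.is_a?(String) || value.is_a?(Integer)
    raise ArgumentError, "#{attribute} must be a String or Integer, got #{value.class}"
  end
  "SELECT * FROM users WHERE #{attribute} = #{quote(value)} LIMIT 1"
end

# Constructed attacker input: the shape of Hash a crafted request could smuggle
# into a parameter that the application expected to be an opaque token string.
MALICIOUS_PARAM = { "select" => "* FROM users WHERE login = 'admin' --" }.freeze

# Runs the four cases and returns the generated SQL (or the raised error class).
def demo
  {
    legit:    vulnerable_find_by("persistence_token", "abc123"),
    injected: vulnerable_find_by("persistence_token", MALICIOUS_PARAM),
    coerced:  vulnerable_find_by("persistence_token", MALICIOUS_PARAM.to_s),
    hardened: begin
                hardened_find_by("persistence_token", MALICIOUS_PARAM)
              rescue ArgumentError => e
                e.class
              end
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |label, sql| puts "#{label}: #{sql}" }
end
```

Running the file prints the four queries. The `injected` case shows the SELECT clause replaced by attacker text, which is the "method parameter mistakenly used as a scope" the advisory describes; the `coerced` case shows that turning the same input into a String before the finder sees it leaves only a harmless quoted literal. The model is deliberately simplified (real Active Record assembles its query through Arel and the adapter), but the essential mistake, honouring an options Hash that arrived from an untrusted parameter, is the same.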

The original problem was disclosed on the Phenoelit blog in late December, where the author applied the technique to extract user credentials from a Ruby on Rails system, circumventing the Authlogic authentication framework. This is not the first time Rails has been in the spotlight: earlier in 2012 the Russian security researcher Egor Homakov showed that GitHub was exposed through a mass-assignment weakness in Ruby on Rails, which let an ordinary user add his own public key to the Rails project's repository on GitHub and thereby gain commit access to it.

Brief about Ruby on Rails: Ruby on Rails, often shortened to Rails, is an open-source full-stack web application framework for the Ruby programming language. It runs on the general-purpose language Ruby, which predates it by more than a decade. Being full-stack means that it gives the web developer the ability to gather information from the web server, talk to or query the database, and render templates out of the box; accordingly, Rails has a routing system that is independent of the web server. Ruby on Rails emphasizes well-known software engineering patterns and principles such as the Active Record pattern, Convention over Configuration, Don't Repeat Yourself and Model-View-Controller.

Citibank & Bank of America Sent Offline After Massive DDoS Attack (Operation Ababil)

Late last year we reported that major banking and financial institutions in America faced massive cyber attacks, which came just after an anti-Islamic video was posted online. At the time the hacker group calling itself 'Izz ad-Din al-Qassam Cyber Fighters' said "these series of attacks will continue until the Erasing of that nasty movie from the Internet". Now it seems the group's earlier declaration was hollow, as it has again launched denial-of-service attacks against the banking sector, with Citibank and Bank of America falling victim. Several websites of those banks were reported offline for a period of time. "Just moments ago Izz ad-Din al-Qassam Cyber Fighters attacked CitiBank and made all the parts out of reach. This was the 2nd attack this day. Banks could not stop al-Qassam Cyber fighters this week," the group said on its blog. On the Hilf-ol-Fozoul blog the group reports that on Thursday several Citibank domains, including citicards.com, citibank.com and citi.com, were inaccessible during peak hours. "In the 3rd week from Operation Ababil, Bank of America faced technical difficulties due to heavy traffic made by al - Qassam Cyber Fighters and users can no more reach the site," the hackers said.
Citibank's representatives acknowledged the attack on Twitter: “Currently we are aware & are working on technical issues with Citi websites. We will let you know when service is fully restored. We apologize for the inconvenience. Please call the number on the back of your card if you need immediate assistance.” Bank of America's representatives have not issued any statement on the matter.