Skype is Still Vulnerable

An Armenian hacker is claiming that Skype has failed to learn from prior security lessons, falling victim to a cross-site scripting (XSS) vulnerability similar to one it patched in May, which would allow users to redirect victims to unwanted websites or run arbitrary code. The May vulnerability allowed users to fool the Mac client of Skype into running arbitrary code, as the client didn't check, or sanitise, instant messages to ensure they were free of malicious code.

While Skype issued a low-priority patch at the time, a 28-year-old Armenia-based security engineer, Levent "noptrix" Kayan, claimed on Wednesday night that a similar XSS vulnerability existed elsewhere in Skype's software. He said that the failure to sanitise certain user information, or the output rendered in Skype clients, could still allow code to be executed.

In particular, Kayan claimed that he could see remote users' session information, which he said a malicious user could utilise to masquerade as the remote user and make calls on their account. He also said it could be used to take advantage of other holes, possibly allowing full control over the PC. The latest versions of both the Windows and Mac clients are affected.

He said: "An attacker would need to [submit] malicious code. The victim doesn't have to do anything. He will be attacked when he just logs into his account."
Skype said the vulnerability was considered a minor issue and that it had developed a fix for it, which would be deployed next week.

Skype's head of information security, Adrian Asher, said that in order to exploit this, a person would have to be a validated contact of yours and one of the people you are most frequently in contact with, and that it was therefore very unlikely to cause any issues in the real world. Nevertheless, he said the vulnerability shouldn't have existed and it would be fixed.

Additionally, Skype said that the session information that Kayan had been able to access related to web session IDs and not Skype IDs, suggesting that the attacker couldn't make calls using the exploit. It did, however, concede that it was possible for a victim's contacts to redirect them to any website using the web browser built into the Skype client, but stressed that only validated contacts would be able to do so. In the meantime, it said users should not authorise people they do not know and/or do not want to talk to.

HackLabs director Chris Gatford said that it was common to come across these sorts of vulnerabilities in the penetration testing work his company does on client systems.
"I would suggest that 80 per cent, perhaps even 90 per cent of the time, cross-site scripting vulnerabilities are present," he said.
Gatford mentioned the previous XSS vulnerability in the Skype client and said it was surprising that Skype had not patched all of its input validation problems when they were previously brought to its attention. "This would be a simple fix for them. To be honest, I'm kind of surprised they didn't learn their lesson the first time and extend the fix system-wide then."

-News Source (ZDNet)




New Hacking Alert System Introduced By Hotmail



Microsoft on Thursday introduced a hacking alert system to its Windows Live Hotmail email service, alongside banning common passwords. "When someone's account gets hijacked, their friends often find out before they do, because the hijacker uses their account to send spam or phishing email to all their contacts," said Microsoft in a blog post.

The new security feature adds a "My friend's been hacked!" option in the "mark as" menu in Hotmail and also enables users to report hacked accounts via the junk mail filing screen. An alert is then sent to Microsoft, which will "make sure the account can no longer be used by spammers and activates an account recovery process to allow the owner to take back control of the accounts." Users can report any email account as compromised, and Hotmail will provide the information to other email providers like Yahoo! and Gmail, said the blog. Meanwhile, Microsoft said Hotmail will roll out a feature to prevent users from choosing commonly used and weak passwords, such as "123456," "ilovecats" and "gogiants." Users who currently use a weak password will be asked to change to a stronger one in the future.
Hotmail, first launched in July 1996, was one of the first free email providers and was acquired by Microsoft in 1997 for an estimated 400 million U.S. dollars. According to statistics released by comScore last August, Hotmail was then the world's largest web-based email service with around 364 million users, followed by Yahoo! Mail (280 million) and Gmail (191 million).


Jawahar Knowledge Centre (Indian Government) Database Hacked By PCA


The Indian Government's Jawahar Knowledge Centre database has been hacked by Shak (Pak Cyber Army). The attackers exposed the useremail, password, surname, name, designation, address, phone, college-code, dateofreg, gender, districtid, hallticketno, question, answer and alteremail fields, along with other confidential data.


According to the official press release of PCA:

INDIAN GOVERNMENT HACKED BY <=Shak=>

DATABASE LEAK: 100%

>_ Words To Kidi V0iD:

Get a Life Kid , This is Payback from Pak Cyber Army .

---------------------------------------------------------------------------------------------

http://ieg.gov.in/ = 0Wn3D

Here are the password, surname, name, designation, address, phone, useremail, collegecode, dateofreg, gender, districtid, hallticketno, question, answer, alteremail
| Still need something else

ALL PASSWORDS ARE CRACKED





VODAFONE UK Network Compromised

The Hacker's Choice (http://www.thc.org) announced a security problem with Vodafone's mobile phone network today. An attacker can listen to UK Vodafone mobile phone calls.

An attacker can exploit a vulnerability in 3G/UMTS/WCDMA, the latest and most secure mobile phone standard in use today. The technical details are available at http://wiki.thc.org/vodafone.

THC was not immediately available for comment, but an associated member of the group commented that 'the problem lies within Vodafone's Sure Signal / Femto equipment'. A femtocell is a small home device that boosts the 3G phone signal. It is available from the Vodafone Store to any customer for 160 GBP.

THC managed to reverse engineer the equipment (a process of revealing its inner workings). THC is now able to turn this femtocell into a full-blown 3G/UMTS/WCDMA interception device.
-News Source (THC)


2 Hackers Forum Hacked By Shadow008


Nowadays it has become a very common scenario for hackers' own sites to get hacked. The same thing has happened again: this time the victims are thehackingcrew.net and hackk.net, forums hacked by the well-known Pakistani hacker Shadow008.


A Man Has Been Jailed for 18 Years for Hacking into His Neighbours' Wi-Fi


A man has been jailed for 18 years following a prolonged campaign of hacking his neighbours' Wi-Fi in an attempt to frame them for child pornography and threats against the US Vice President.

Minnesota resident Barry Ardolf was sentenced to a lengthy prison term following an astonishing campaign of revenge against his neighbours, apparently motivated by the neighbours reporting Ardolf to the police after he kissed their 4-year-old son.

The FBI, having become involved following the death threats against Vice President Joe Biden, discovered documents stolen from the man's neighbours as well as detailed revenge plans against his neighbours Matt and Bethany Kostolnik. While the Kostolniks' Wi-Fi network was encrypted, Ardolf reportedly used password cracking software to discover the router's password, whereupon he would access the Kostolniks' home network and set up fake MySpace and Yahoo email accounts posing as his neighbours. In a court document from the prosecution prior to sentencing, Ardolf was described as a "dangerous man" who "uses his technical skills both to inflict harm and to avoid getting caught."

-News Source (PCR)


US & Russia "reset" their Cybersecurity Relationship


The United States and Russia have for several years been engaged in a high-level diplomatic "reset" of their relationship, complete with a physical "reset" button; now, that "reset" has been extended to the Internet.

The current goal of a better working relationship with Russia is much like the goal pursued by the US during the Cold War: making sure that the two countries do not misinterpret each other's actions in such a way as to start an unnecessary conflict. While such relationships used to be about understanding troop movements or missile positioning, the two countries are now just as concerned with actions on the Internet.

"Both the US and Russia are committed to tackling common cybersecurity threats while at the same time reducing the chances a misunderstood incident could negatively affect our relationship," said Howard Schmidt, US Cybersecurity Coordinator, in a statement yesterday.

"We're actively working on doing so in numerous ways: through regular exchanges of information on technical threats to both sides like botnets; by better understanding each other's military views on operating in cyberspace; and by establishing 24/7 systems allowing us to communicate about cybersecurity issues via our existing and highly successful crisis prevention communications links between our two capitals. We plan to have all three mechanisms established by year's end."

Such measures are increasingly important. The recent "International Strategy for Cyberspace," released by the US back in May, made clear that American officials would treat things like cyberattacks and Internet espionage the same way they would any offline threat. Indeed, an electronic attack could even bring the US military into action on behalf of an allied country.

"When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country," said the document. "All states possess an inherent right to self-defence, and we recognize that certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners. We reserve the right to use all necessary means—diplomatic, informational, military, and economic—as appropriate and consistent with applicable international law, in order to defend our Nation, our allies, our partners, and our interests."

Given the difficulty of definitively identifying bad actors on the Internet and determining whether they are freelancers, organized crime, or foreign government agents, the possibilities for suspicion and misunderstanding remain high. The newest element of the US/Russian "reset" is meant to create some level of trust between officials on both sides.

To see the White House statement, click HERE.
To download the PDF of the International Strategy for Cyberspace, click HERE.


-News Source (ars, white-house)
