Indian Cyber Army (Indishell) Facebook Page Hacked and defaced By Albanian Cyber Army


Indian Cyber Army (Indishell) Official Facebook Page Hacked and defaced By Albanian Cyber Army. 


Microsoftestore.com Hacked By Innocent_Hacker from Team TEAM PAKLEETS


Microsoftestore.com Hacked by Innocent_Hacker from team TEAM PAKLEETS


Image-Based Zero-day Vulnerability in WordPress


Bilocating technology blogger Mark Maunder - he claims to live in Seattle and Cape Town concurrently, though I suspect he means consecutively, and I'll wager he wisely avoids winter in both of them - recently wrote about an intrusion to his WordPress site.
It turns out the backdoor was a previously-unexploited, or at least a previously-undocumented, flaw in a useful little WordPress addon, shared by many WordPress themes, called timthumb.
Timthumb is an 864-line PHP script which assists with automatic image resizing, thumbnailing and so forth. (It doesn't squeeze the image manipulation code into those 864 lines, but uses the third-party GD library.)
If you run WordPress and you have a file named timthumb.php, sometimes renamed to thumb.php, in your installation, you may be at risk.
Tracking down the mechanism behind his intrusion, Maunder identified three main problems with timthumb.php: poor default settings; poor verification of input data; and poor choice of file permissions for temporary files.
By default, the vulnerable version of timthumb allowed images from external sites to be accessed from your server. The default list is probably unsurprising: 

// external domains that are allowed to be displayed on your website
$allowedSites = array (
    'flickr.com',
    'picasa.com',
    'img.youtube.com',
    'upload.wikimedia.org',
);

But a better default would be an empty list, so that users who want to allow external files to be sourced by their own servers need to take steps to enable that capability.
If you use WordPress and timthumb and you don't need this capability, Maunder suggests simply editing the timthumb.php code to say $allowedSites = array(); in order to prevent remote file trickery.
Secondly, timthumb.php checked the sanity of remote URLs - to verify they really were in the list of allowed sites - by looking for the permitted domains somewhere in the hostname part of the URL, rather than making sure they were the hostname part:

$isAllowedSite = false;
foreach ($allowedSites as $site) {
        if (strpos (strtolower ($url_info['host']), $site) !== false) {
                $isAllowedSite = true;
        }
}

This code meant that a dodgy website name such as picasa.com.badsite.example would pass the test, simply because it contains the string picasa.com. Clearly, that is not what was intended.
Lastly, timthumb.php stored the files it generated in a cache directory which is inside the PHP directory tree. This is bad, because files generated from untrusted external content - files only ever intended to be displayed - needlessly became executable.
So if the cached file isn't an innocent image, but a remote access PHP Trojan (in Maunder's case, the attacker used a malicious remote console tool called Alucar), you're owned.


If you are a web developer:

* Don't trust externally-sourced content by default. Force your users to think about what they really want.
* Check, test, check, test, check and test again your URL sanitisation code. Build a decent test suite and verify your code against it every time you release an update.
* Keep files which are only ever supposed to be used as data - especially remotely-sourced files - outside the directory tree where your server-side executable code lives.

If you run a WordPress installation:

Check if any of the blogs you host use timthumb.php, and upgrade to the latest version. The dodgy strpos above has been replaced with a tighter match based on a regular expression, like this:

$isAllowedSite = false;
foreach ($allowedSites as $site) {
    if (preg_match ('/(?:^|\.)' . $site . '$/i', $url_info['host'])) {
        $isAllowedSite = true;
    }
}

This doesn't fix all of the issues Maunder describes, but it's better than having a known hole in your site.
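
The two host checks quoted above, run side by side against constructed hostnames, as an added example that is not part of the original article or of timthumb. The function names and the stricter third check are hypothetical; the last sample shows that the quoted regular expression inserts $site unescaped, so each dot in an allowed name matches any character.

```php
<?php
// Added example: the article's two host checks plus a stricter variant.
// All hostnames in $samples are constructed for illustration.
$allowedSites = array('flickr.com', 'picasa.com', 'img.youtube.com', 'upload.wikimedia.org');

// Original check: substring match anywhere in the hostname.
function check_strpos($host, $allowedSites) {
    foreach ($allowedSites as $site) {
        if (strpos(strtolower($host), $site) !== false) {
            return true;
        }
    }
    return false;
}
// Updated check as quoted: anchored at the end of the host, but $site is
// not escaped, so "." in an allowed name acts as a regex wildcard.
function check_regex($host, $allowedSites) {
    foreach ($allowedSites as $site) {
        if (preg_match('/(?:^|\.)' . $site . '$/i', $host)) {
            return true;
        }
    }
    return false;
}
// Stricter variant (hypothetical helper, not timthumb code): the host must
// equal an allowed site or end in "." plus that site, compared as strings.
function check_strict($host, $allowedSites) {
    $host = strtolower(rtrim($host, '.'));
    foreach ($allowedSites as $site) {
        $suffix = '.' . $site;
        if ($host === $site || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

$samples = array(
    'picasa.com',                  // allowed site itself
    'farm1.flickr.com',            // subdomain of an allowed site
    'picasa.com.badsite.example',  // allowed name embedded at the front
    'notflickr.com',               // allowed name without a label boundary
    'imgxyoutube.com',             // passes only if "." is a wildcard
);
foreach ($samples as $host) {
    printf("%-28s strpos=%d regex=%d strict=%d\n", $host, check_strpos($host, $allowedSites),
        check_regex($host, $allowedSites), check_strict($host, $allowedSites));
}
```

A table like this doubles as the seed of the regression suite recommended above: each row is a hostname with the verdict the check is expected to give.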
Many thanks to Mr Maunder for turning an attack on his site into a training tool to help the rest of us avoid a similar problem!

-News Source (NS)


Operation Shady RAT (The Biggest Cyber-Attack Ever)



Researchers from security software concern McAfee say they have discovered the biggest series of computer intrusions ever, covering some 72 organizations and governments around the world, including the U.S., Taiwan, Vietnam, South Korea, Canada and India — some of them dating back as far as 2006. (See the map of targets, courtesy of McAfee, below.)
And these aren’t the kind of cyber attacks carried out by bumbling troublemakers like the LulzSec gang, which make headlines but really only cause a nuisance for companies like Sony. In these cases, networks were compromised by remote access tools — or RATs, as they’re known in the industry. These tools — and they are tools, because they have legitimate uses for system administrators — give someone the ability to access a computer from across the country or around the world. In this case, however, they were secretly placed on the target systems, hidden from the eyes of day-to-day users and administrators, and were used to rifle through confidential files for useful information. It’s not for nothing that McAfee is calling this Operation Shady RAT.
McAfee says the attacker was a “state actor,” though it declined to name it. I’ll give you three guesses who the leading candidate is, though you’ll probably need only one: China.
Dmitri Alperovitch, McAfee’s Vice President, Threat Research, makes a statement in his blog entry on the discovery that should give everyone minding a corporate or government network pause: “I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact.” He further divides the worldwide corporate landscape into two camps: Those who have been compromised and know it, and those who simply don’t know it yet.
This has been a particularly nasty year on the cyber security front. (I hate to say it, but I told you so.) Prior to this, the big attack whose full impact has not yet been fully sized up was the one against the RSA SecurID system, which uses popular keychain devices that create a constantly changing series of numbers that in turn create a second password for access to system resources. They’re widely used in government and military circles and among defense contractors. Google has been a regular target in recent years.
The RSA attack and Operation Shady RAT are examples, Alperovitch says, of an “Advanced Persistent Threat.” The phrase has come to be a buzzword that, loosely translated into English, means the worst kind of cyber attack you can imagine. Unlike the denial-of-service attacks and network intrusions carried out by LulzSec and its ilk, which require only minimal skill and marginal understanding of how networks and servers work, an APT is carried out by someone of very high skill who picks his targets carefully and sneaks inside them in a way that is difficult to detect, which allows access to the target system on an ongoing basis that may persist for years.
How did these attacks happen? It’s very simple: Someone at the target organization received an email that looked legitimate, but which contained an attachment that wasn’t. This is called “spear phishing,” and it has become the weapon of choice for sophisticated cyber attackers. The attachments are not what they appear to be — Word documents or spreadsheets or other routine things — and contain programs that piggyback on the targeted user’s level of access to the network. These programs then download malware which gives the attackers further access. This all happens in an automated way, but soon after, live attackers log in to the system to dig through what they can find, copy what they can, and make a getaway — though they often leave the doors unlocked so they can come back for repeat visits.
Alperovitch notes — correctly, to my mind — that the phrase has been picked up and overused by the marketing departments of numerous security companies. His larger point is that too often those attacked in this way refuse to come forward and disclose what they’ve learned, thereby allowing the danger to continue for everyone else.
Alperovitch says that the data taken in Operation Shady RAT adds up to several petabytes worth of information. It’s not clear how it has been used. But, as he says, “If even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team’s playbook), the loss represents a massive economic threat not just to individual companies and industries but to entire countries that face the prospect of decreased economic growth.” It’s also bad for a target’s national security, because defense contractors dealing in sensitive military matters are often the targets. The best thing that can happen is that victims start talking about their attacks and sharing information with each other so that everyone can be ready for the next one, which is surely coming.


Watcher v1.5.3


Watcher is a run-time passive-analysis tool for HTTP-based Web applications. Being passive means it won’t damage production systems; it’s completely safe to use in Cloud computing, shared hosting, and dedicated hosting environments. Watcher detects Web-application security issues as well as operational configuration issues. Watcher provides pen-testers hot-spot detection for vulnerabilities, developers quick sanity checks, and auditors PCI compliance auditing. It looks for issues related to mashups, user-controlled payloads (potential XSS), cookies, comments, HTTP headers, SSL, Flash, Silverlight, referrer leaks, information disclosure, Unicode, and more.

This is The Official Change Log:-


X-Frame-Options check now checks every page, unique to path, ignoring query.
So, this release improves the performance of the X-Frame-Options HTTP response header check.

To download Watcher v1.5.3 (WatcherSetup.exe)
here


NSA (National Security Agency) is Searching For Good Hackers

 
The National Security Agency has a challenge for hackers who think they’re hot stuff: Prove it by working on the “hardest problems on Earth.”
Computer hacker skills are in great demand in the U.S. government to fight the cyberwars that pose a growing national security threat — and they are in short supply.

For that reason an alphabet soup of federal agencies — DOD, DHS, NASA, NSA — are descending on Las Vegas this week for Defcon, an annual hacker convention where the $150 entrance fee is cash only — no registration, no credit cards, no names taken. Attendance is expected to top 10,000.
The NSA is among the keen suitors. The spy agency plays offence and defence in the cyberwars. It conducts electronic eavesdropping on adversaries, and it protects U.S. computer networks that hold super-secret material — a prime target for America’s enemies.

“Today it’s cyberwarriors that we’re looking for, not rocket scientists,” said Richard “Dickie” George, technical director of the NSA’s Information Assurance Directorate, the agency’s cyber-defense side.

“That’s the race that we’re in today. And we need the best and brightest to be ready to take on this cyberwarrior status,” he told Reuters in an interview.
The NSA is hiring about 1,500 people in the fiscal year, which ends Sept. 30, and another 1,500 next year, most of them cybersecurity experts. With a workforce of about 30,000, the Fort Meade-based NSA dwarfs other intelligence agencies, including the CIA.
It also engages in cyber-spying and other offensive operations, something it rarely, if ever, discusses publicly.
But at Defcon, the NSA and other “Feds” will be competing with corporations looking for hacking talent.
The NSA needs cybersecurity experts to harden networks, defend them with updates, do “penetration testing” to find security holes and watch for signs of cyberattacks.
The NSA is expanding its fold of hackers, but George said there is a shortage of those skills. “We are straining to hire the people that we need.”


It might seem to be an odd-couple fit — strait-laced government types with their rules and missions trying to recruit hackers who by definition want to defy authorities.
George said the NSA is an environment where the hacker mind-set fits with “a critical mass of people that are just like them.”
But what about culture rifts?
“When I walk down the hall there are people that I see every day and I never know what color their hair’s going to be,” George said. “And it’s a bonus if they’re wearing shoes. We’ve been in some sense a collection of geeks for a long, long time.”
The agency has long been known for its brilliant, but sometimes eccentric, mathematicians and linguists.
Jeff Moss, a hacker known as Dark Tangent, knows something about bridging the two worlds. He founded Defcon and the companion Black Hat conference for security professionals and is now a member of the Department of Homeland Security’s Advisory Council, which advises the government on cybersecurity.
“They need people with the hacker skill set, hacker mind-set. It’s not like you go to a hacker university and get blessed with a badge that says you’re a hacker. It’s a self-appointed label — you think like one or you don’t,” Moss told Reuters.

-News Source (Washington Post)


Personal Details of Sun Newspaper Readers Hacked

 
Personal details of Sun newspaper readers - including Miss Scotland applicants - have been stolen by hackers in the latest online security breach.
Britain's biggest selling daily has sent out e-mails warning that information, including addresses, dates of birth and phone numbers, has been accessed. But it added: "No financial or password information was compromised."
News Group Newspapers, which also published the News of the World until it closed last month, said the breach took place on 18 to 19 July, at about the time hackers created a link from the Sun's website to a spoof page that said company owner Rupert Murdoch had been found dead in his garden.
Hacking group LulzSec claimed to be behind that breach but has been silent since alleged spokesman Jake Davis, 18, from Shetland, was arrested on 28 July. Davis faces a string of charges relating to the hacking of organizations such as Sony, the CIA and the UK's Serious Organised Crime Agency, allegedly carried out by LulzSec and another group, Anonymous.
However, a Twitter user, Batteye, has claimed responsibility for taking the Sun readers' details, denied being part of either LulzSec or Anonymous and said the theft took place before 18 July.
Some of the information, including a Scottish students' poll and biographies of Miss Scotland applicants, then appeared on the website Pastebin.
One Miss Scotland entrant said: "I'm not happy at all. I'm kind of worried - because that's everything about me.

"[This data] should have been locked up. This was last year's, so they didn't need to keep my details."
The Batteye post said it was an attempt to expose those who could not be trusted with personal information.

The statement on Pastebin said: "We will begin today by presenting to you various files obtained from the Sun, a company within the News Corp group.
"We will continue, then, by exposing the world for what it is; a less than perfect place where we cannot trust those who we ask to protect our information."
 
On Twitter, Batteye posted a message saying: "OK - Anon and @lulzsec may have carried out their own attack, with defacements, emails, and whatnot. This is different."

The hacking of the Sun's website follows hacking by sister newspaper the News of the World of celebrities, politicians, war widows and victims of crime, including murdered schoolgirl Milly Dowler.
The so-called "hacktivist" code deployed by the likes of LulzSec combines mischief-making or irony with the aggressive targeting of corporations or large organizations they believe are guilty of wrongdoing.

-News Source (Scotsman)
