hackersteam.net & s3curity.net Hacked By Shadow008

Posted by Avik Sarkar On 8/06/2011 05:18:00 pm

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Black Swan Entertainment Hacked by ZHC Dropper.Gen

Posted by Avik Sarkar On 8/06/2011 01:36:00 am

 
Black Swan Entertainment Pvt. Ltd.  Hacked by ZHC Dropper.Gen
 
 

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Apple’s Based Networks are More Vulnerable to Attack than Windows (BH 2011)

Posted by Avik Sarkar On 8/05/2011 10:01:00 pm


For many years, Apple enjoyed security through obscurity. The market share for Mac computers was so small that malware creators bypassed it to go after the much bigger target, Microsoft Windows. Not anymore.
Apple’s market share has been slowly rising and the popularity of the iPhone has put Apple’s products into the spotlight. Hackers are taking notice and they’re figuring out that Apple’s computers have security vulnerabilities, some of them more severe than Windows machines, according to a talk by the iSEC Partners security consulting team at the Black Hat security conference today.
Alex Stamos (pictured), Paul Youn, and B.J. Orvis of iSEC Partners said in their talk that it is possible for hackers to penetrate a network of Apple Mac computers and lurk undetected while gathering data. They concluded that there were so many vulnerabilities on the networking level that Mac machines could be considered more vulnerable than Windows machines.
Apple has not yet responded to a request for comment. At Black Hat, there will also be talks about the vulnerabilities of other operating systems, including Windows. In years past, security researchers have blamed Microsoft for producing vulnerable Windows code. And immediately following the Apple talk, security researchers had another talk about hacking Google’s Chrome operating system.
“This is all changing,” Stamos said. “If [recent hacking events] tell us anything, it’s that any computer is vulnerable to attack.”
The iSEC team said they looked at attacks on the Mac and its latest operating system, code-named Lion, or OS X version 10.7, from the perspective of Advanced Persistent Threats, or long-term security break-ins on networks of computers. They showed examples of the vulnerabilities and detailed proof that they had hacked into the operating system.
The category of Advanced Persistent Threats is a hot one because Google discovered that, under Operation Aurora, dozens of companies were compromised over a long period of time. And McAfee reported today that a similar attacked, dubbed Operation Shady RAT, compromised a total of 72 governments and corporations over a five-year period.
A network of Mac computers can be compromised in the usual way, iSEC’s Stamos said. A single user can be tricked out of giving up a username and password through social engineering or targeted “phishing attacks,” or attacks that use a believable ruse to get you to enter your username and password, which is then captured and compromised by the hackers.
Once inside the network, Stamos said that it is easy for the attacker to escalate the privileges he or she has on the network. That is where Apple’s operating system falls down in comparison to Windows. ”Once you have access, you can compromise the networking,” Orvis said. “Network privilege escalation is where it really gets bad on the Mac.”
The security researchers said that Apple has made improvements to security in version 10.7 of OS X, such as putting applications in a “sandbox,” or isolating them so that they can run (or crash) without taking down the rest of the operating system. Still, the researchers said they had figured out a couple of different ways to compromise the security of Macs through a test program dubbed Bonjoof. They said that it’s possible to lurk on a network and cover your tracks so that intelligence can be gathered on a network over time.
“All of Apple’s major authentication protocols suffer” from some kind of weakness, Orvis said.
There are ways to deal with the vulnerabilities, but company security professionals have to know how to use security forensics technology, which can take a long time. In the meantime, attackers can detect the forensics tools and react to their usage in an attempt to hide. The security researchers said they did talk with Apple about the vulnerabilities they found and communicated a number of ideas about how to improve the security of Apple’s computers.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Google Chrome OS Has Security Hole (Black Hat 2011)

Posted by Avik Sarkar On 8/05/2011 07:20:00 pm


Black Hat Google has billed its Chrome operating system as a security breakthrough that's largely immune to the threats that have plagued traditional computers for decades. With almost nothing stored on its hard drive and no native applications, there's no sensitive data that can pilfered and it can't be commandeered when attackers exploit common software vulnerabilities.
But according to two researchers who spent the past few months analyzing the Chrome-powered Cr-48 beta released in December, the browser-based OS is vulnerable to many of the same serious attacks that afflict people surfing websites. As a result, users remain susceptible to exploits that can intercept email, documents, and passwords stored on centralized servers, many of which are maintained by Google.
“Even though they put these awesome security protections in place, we're just moving the security problems to the cloud now,” Matt Johansen, a researcher with WhiteHat Security, told The Register. “We're moving the software security problem that we've been dealing with forever to the cloud. They're doing a lot of things right, but it's not the end all and be all for security.”
Virtually all of the threats identified by Johansen and his WhiteHat colleague Kyle Osborn stem from Chrome's reliance on extensions, which are essentially web-based applications. A fair number of the extensions they analyzed contain XSS, or cross-site scripting, bugs, which have the potential to inject malicious code and content into a visitor's browser and in some cases steal credentials used to authenticate user accounts.
As they went about testing what kind of attacks various XSS vulnerabilities could allow, Johansen and Osborn noticed something curious: a bug in one extension often allowed them to hijack the communications of a second extension, even when the latter one had no identifiable security flaws. At the Black Hat security conference in Las Vegas on Wednesday, they demonstrated this weakness by exploiting an XSS hole in one extension to steal passwords from an otherwise secure account on cloud password storage service LastPass.
“If any of the other vulnerable extensions have an XSS hole, we can utilize JavaScript to hijack that communication,” Johansen said. “LastPass is doing absolutely nothing wrong here. You can have an extension that's perfectly fine, but if you have another that has a cross-site scripting error in it we can still access information in secure applications.”
The discovery has generated a quandary for the researchers.
“Whose problem is this to fix?” Johansen continued. “We don't really have an answer for that. LastPass did everything correctly. It's the other extension developers that developed an extension with a vulnerability in it.”
After being informed of the specific attack, LastPass made changes to its Chrome extension that prevented it from being carried out, so it's reasonable to assume extension makers foot some of the responsibility for preventing their apps from being compromised by others. But Johansen couldn't rule out the possibility that vulnerabilities and other apps could probably make LastPass vulnerable again. He said Google might be able to fix the problem by overhauling the application programming interfaces extension developers use.
The researchers also demonstrated an XSS vulnerability in Scratchpad, a text-editor extension that's bundled with Chrome. By sharing files with names containing JavaScript commands stored on Google Docs they were able to obtain the Google session cookies of anyone who used a Chromebook to view the documents. An attacker could exploit the vulnerability to read a victim's email, or to send instant messages to everyone on the victim's contact list. If any of the contacts are using Chromebooks, they could be similarly vulnerable to booby-trapped filenames stored on Google Docs.
A Google spokeswoman defended the security of Chromebooks and said the vulnerabilities enumerated by the researchers weren't unique to the cloud-based OS. In an email, she issued the following statement:
This conversation is about the web, not Chrome OS. Chromebooks raise security protections on computing hardware to new levels. They are also better equipped to handle the web attacks that can affect browsers on any computing device, thanks in part to a carefully designed extensions model and the advanced security available through Chrome that many users and experts have embraced.
The researchers stressed Google engineers were extremely quick to fix the Scratchpad vulnerability and awarded them a $1,000 bounty for their report. But they remain convinced that the security of Chrome OS in many cases is only as strong as its' weakest extensions. They also pointed out that penetration-testing tools such as the Browser Exploitation Framework could be used to help streamline attacks in much the way Metasploit is used to manage exploits for traditional machines.
And, Johansen said, Chrome hacking through XSS may be only the beginning, since the flaws are among the easiest to find and exploit.
“Who knows what we're going to be looking for months or years from now when Google can figure out a way to thwart the cross-site scripting threat,” he said. “Why would we be trying to write buffer overflows when we can just write a simple JavaScript command.” 
-News Source (The Register)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

DARPA Launched Cyber Fast Track (Fund To Innovate Military)

Posted by Avik Sarkar On 8/05/2011 06:27:00 pm



The Defense Advanced Research Projects Agency on Thursday launched Cyber Fast Track, an effort to fund innovative cybersecurity efforts by groups and people who don't usually do work for the government, including hobbyists, boutique security labs, and other small groups of hackers, DARPA project manager Peiter "Mudge" Zatko announced at Black Hat, a UBM TechWeb event, in Las Vegas.
The Cyber Fast Track program, first announced at the annual ShmooCon cybersecurity conference in January, will fund between 20 and 100 projects a year, Zatko said. The short, fixed-price contracts will be awarded with little turnaround time--about 10 days from the receipt of proposals--based on a simple proposal template so as to lower the barrier to entry. Projects will be carried out over no more than a few months. 
Cyber Fast Track will fund experimental projects, including commodity high-end computing, open software tools, and others, that might help the military. For example, Zatko raised possibilities like cheap unmanned aerial vehicles and an automated war-dialer that could repeatedly ring phones in a given area to discourage bomb-makers from building improvised explosive devices. Cyber Fast Track may also fund community efforts, possibly including a bug hunting exercise.
In addition to funding fast, cheap innovation that can later be leveraged by the Department of Defense, Zatko sees Cyber Fast Track as a way to link hackers up with government. "The way government is set up, it's almost impossible for the small businesses, the researchers, the hackers, to get money for research without giving up intellectual property or being purchased and having their company gutted," Zatko said. "I want to make it easier."
While some hackers may be reticent of the federal government, Zatko comes with impeccable hacker credentials. He was a member of the L0pht hacker group, created a famous password-cracking tool, and in 1998 testified before Congress that hackers could shut down the Internet in a half hour.
Zatko said that it is difficult for organizations like the L0pht to parse the legalese and government-talk in government contracts, and challenging for them to put together proposals. It takes too long and too much money for venture-backed companies, meanwhile, to justify crafting proposals.
When research is complete, researchers will be able to keep commercial rights to whatever they create, but the government will get government purpose rights that allow it to use, modify, repurpose, or release technical data on the projects in question. They may also be asked to present their efforts to a forum of undergraduate students at a U.S. military service academy, and will be encouraged to continue to update DARPA on the status of their projects once the contract has ended.
In his time at DARPA, Zatko has also been responsible for CINDER, a project that was initially reported by the government to be about insider threats, but which Zatko says is more about combating attacks like Stuxnet and next-generation advanced persistent threats. 

-News Source (Information Week)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Android Browser Injection Vulnerability Found By IBM Researchers

Posted by Avik Sarkar On 8/05/2011 06:27:00 pm


Researchers with IBM have discovered what could be a very serious flaw in the Android operating system. The flaw is billed as allowing hackers to intercept web browser operations by injecting JavaScript code into the system.
According to Roee Hay and Yair Amit of IBM's Rational Application Security Research Group, this means that a malicious, non-privileged application could break into the browser URL loading process and its allied sandbox to inject JavaScript.
This is potentially very serious, Infosecurity notes, as the sandbox element of the browser environment seen on Android is supposed to defend the smartphone/tablet platform against this type of attack.

The researchers note that the vulnerability "has the same implications as global XSS, albeit from an installed application rather than another website."
The IBM security researchers go on to say that Android 2.3.5 and 3.2 have been released and which incorporate a fix for this bug.
Patches are also available for Android 2.2 and will, they note, be released at a later date.

The Researchers have also posted a video about this vulnerability:-


For more information Click Here

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

hidilli.com Hacked By c7 King h3x0r

Posted by Avik Sarkar On 8/05/2011 04:35:00 pm


One of Indian Bollywood related site hacked by c7 King h3x0r

Hacked Site:-  
http://hidilli.com/c7.htm


Mirror Link:-

http://www.zone-h.com/mirror/i​d/14560445

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-

Related Posts Plugin for WordPress, Blogger...

Site search