Oracle Released Java 7 update 10 With Security Enhancements & Bug Fixes


This is the third time this year that Oracle has updated the standard edition of the Java platform. The release includes new security controls in addition to a bug fix and updated timezone data, and it is now certified for Mac OS X 10.8 and Windows 8. The security enhancements include the ability to disable any Java application from running in the browser and the ability to set a desired level of security for unsigned applets, Java Web Start applications, and embedded JavaFX applications. With Java's recent security problems in mind, Oracle's release notes for this update state: "if the JRE is deemed expired or insecure, additional security warnings are displayed. In most of these dialogs, the user has the option to block running the app, to continue running the app, or to go to java.com to download the latest release."

Security Feature Enhancements

The JDK 7u10 release includes the following enhancements:
  • The ability to disable any Java application from running in the browser. This mode can be set in the Java Control Panel or (on Microsoft Windows platform only) using a command-line install argument.
  • The ability to select the desired level of security for unsigned applets, Java Web Start applications, and embedded JavaFX applications that run in a browser. Four levels of security are supported. This feature can be set in the Java Control Panel or (on Microsoft Windows platform only) using a command-line install argument.
  • New dialogs to warn you when the JRE is insecure (either expired or below the security baseline) and needs to be updated.
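As an added example (not from the article or from Oracle's release notes), the PowerShell below applies both of the new browser controls to a Windows machine during a silent install and then pins the same choices system-wide so users cannot lower them in the Java Control Panel. It assumes the 7u10 installer arguments WEB_JAVA and WEB_JAVA_SECURITY_LEVEL, the deployment.webjava.enabled and deployment.security.level property keys, and the deployment.config location from Oracle's deployment documentation; the installer path is a placeholder.

```powershell
# Added example: apply and lock the Java 7u10 browser security controls.
# Installer arguments and deployment.* keys are taken from Oracle's 7u10
# deployment documentation (assumption; check them against your JRE version).
param(
    [string]$Installer = "C:\installers\jre-7u10-windows-i586.exe",  # placeholder path
    [ValidateSet("VH", "H", "M", "L")][string]$Level = "VH",          # VH = Very High
    [switch]$DisableWebJava                                           # WEB_JAVA=0
)

# 1. Silent install. WEB_JAVA=0 disables Java in all browsers on this machine;
#    WEB_JAVA_SECURITY_LEVEL sets the default level for unsigned applets,
#    Web Start applications and embedded JavaFX applications.
$webJava     = if ($DisableWebJava) { 0 } else { 1 }
$installArgs = "/s WEB_JAVA=$webJava WEB_JAVA_SECURITY_LEVEL=$Level"
Start-Process -FilePath $Installer -ArgumentList $installArgs -Wait -NoNewWindow

# 2. Write a system-level deployment.properties carrying the same settings.
#    A key suffixed with ".locked" (no value) greys the option out in the
#    Java Control Panel so a user cannot relax it.
$deployDir = Join-Path $env:WINDIR "Sun\Java\Deployment"
New-Item -ItemType Directory -Force -Path $deployDir | Out-Null

$levelName      = @{ VH = "VERY_HIGH"; H = "HIGH"; M = "MEDIUM"; L = "LOW" }[$Level]
$webJavaEnabled = if ($DisableWebJava) { "false" } else { "true" }
$props = @(
    "deployment.webjava.enabled=$webJavaEnabled",
    "deployment.webjava.enabled.locked",
    "deployment.security.level=$levelName",
    "deployment.security.level.locked"
)
$propsPath = Join-Path $deployDir "deployment.properties"
Set-Content -Path $propsPath -Value $props -Encoding Ascii

# 3. Point deployment.config at that file and make it mandatory, so the JRE
#    refuses to start Web Java if the system file is missing. The path is a
#    Java properties value: forward slashes, and each ':' escaped as '\:'.
$escapedPath = ($propsPath -replace '\\', '/') -replace ':', '\:'
@(
    "deployment.system.config=file\:$escapedPath",
    "deployment.system.config.mandatory=true"
) | Set-Content -Path (Join-Path $deployDir "deployment.config") -Encoding Ascii

Write-Host "Java browser policy applied: webjava=$webJavaEnabled level=$levelName"
```

Run it from an elevated prompt; the deployment.config under %WINDIR% is only honoured when it is readable by every user and the properties path inside it resolves on that machine.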

Bug Fixes

Notable Bug Fixes in JDK 7u10

The following are some of the notable bug fixes included in JDK 7u10.
Area: java command

Description: Wildcard expansion for single entry classpath does not work on Windows platforms.

The Java command and Setting the classpath documents describe how the wildcard character (*) can be used in a classpath element to expand into a list of the .jar files in the associated directory, separated by the classpath separator (;).
This wildcard expansion does not work in a Windows command shell for a single element classpath due to the Microsoft bug described in Wildcard Handling is Broken.
See 7146424.
For a list of other bug fixes included in this release, see the JDK 7u10 Bug Fixes page.

The updated Java Development Kit and Java Runtime Environment are available to download from the Oracle site. 


Hollywood Celebrities Nude Photo Hacker Sentenced to 10 Years in Prison


The photo hacking case involving Hollywood celebrities has taken another turn: Christopher Chaney, who pleaded guilty to hacking into the e-mail accounts of Scarlett Johansson and other celebrities including Mila Kunis, Christina Aguilera and a few others, has been sentenced to 10 years in prison by a federal judge in Los Angeles. Chaney was arrested last year as part of a year-long FBI investigation dubbed Operation Hackerazzi. At a hearing on Monday, U.S. District Court judge S. James Otero said that Chaney's conduct demonstrated a "callous disregard to the victims," some 50 in total, including two non-celebrities who the judge noted were stalked by Chaney for more than 10 years. The prison term was accompanied by an order to pay $66,179 in restitution. Chaney pleaded guilty to nine offences, including illegal wire-tapping and unauthorized access to computers. In his guilty plea, Chaney admitted to having repeatedly hacked email accounts over a period of at least eleven months. He got into the accounts by abusing the "forgotten password" feature of webmail interfaces and answering the security questions with publicly available information.
Chaney admitted that as his hacking scheme became more extensive, he began using a proxy service called “Hide My IP” because he wanted to “cover his tracks” and not be discovered by law enforcement agents. Even after his home computers were seized by law enforcement, Chaney used another computer to hack into another victim’s e-mail account. As a result of his hacking scheme, Chaney obtained private photographs and confidential documents, including business contracts, scripts, letters, driver’s license information, and Social Security information. On several occasions, after hacking into victims’ accounts, Chaney sent e-mails from the hacked accounts, fraudulently posing as the victims and requesting more private photographs. Chaney e-mailed many of the stolen photographs to others, including another hacker and two gossip websites. As a result, some of the stolen photographs were posted on the Internet.
"I don't know what else to say other than I'm sorry," Chaney said. "I could be sentenced to never use a computer again and I wouldn't care."

Samsung Galaxy S III, S II & Note II Vulnerable to Inject Malicious Code Directly into Kernel


A serious security hole has been discovered in Samsung smartphones. According to a member of the XDA-Developers forum named 'alephzain', the vulnerability exists in the Samsung Galaxy S III, Galaxy S II and Galaxy Note II, along with several other Samsung devices. Sources describe the vulnerability as "severe". It could give remotely downloaded apps a way to read user data, brick phones and perform other malicious activities. In other words, this hole could allow a malicious app free rein over your smartphone's memory and, essentially, complete control of your device. Prepare tin foil hats. Another XDA-Developers user, supercurio, says Samsung has been notified of the security hole but had not yet acknowledged the issue. That changed this morning, when Samsung told Android Central that it is "currently in the process of conducting an internal review" of the security hole. Supercurio says millions of devices could potentially be in harm's way, especially those with Exynos 4210 and 4412 processors that use Samsung code. Another XDA user, Entropy512, adds: "this exploit changes things — there is a no root exploit that can be used by an app straight from the market, in the background, with little to no user intervention."
While on the subject of security holes in Samsung phones, we would remind you that a few months ago researchers revealed that several Android-based handsets, including the Samsung Galaxy S3 and S2, were vulnerable to a 'remote wipe' hack.

NASA & UFO Hacker Gary McKinnon Will Not Face Prosecution in UK


Infamous NASA hacker Gary McKinnon, who broke into US government computer systems while hunting for evidence of UFOs and fought a long battle against extradition, has been told that he will not face prosecution in the UK. After discussing the case with the US Department of Justice and the police, the Crown Prosecution Service (CPS) has decided that the appropriate jurisdiction for the McKinnon case is the US. According to Karen Todner, McKinnon's solicitor, Friday's decision is an "interesting" one given that he was first arrested and questioned by UK police.

The reasons for that decision were:
  1. The harm occurred in the US - the activity was directed against the military infrastructure of the US;
  2. An investigation had already been launched in the US;
  3. There were a large number of witnesses, most of whom were located in the US;
  4. All of the physical evidence (with the exception of Mr McKinnon's computer) was located in the US;
  5. The US prosecutors were able to bring a case that reflected the full extent of Mr McKinnon's alleged criminality; and
  6. The bulk of the unused material was located in the US. Given the nature of the offences, this inevitably included highly sensitive information and the US courts were best placed to deal with any issues arising in relation to this material.

In a statement, the CPS's Director of Public Prosecutions (DPP), Keir Starmer QC, and Mark Rowley, Assistant Commissioner of the Metropolitan Police Service, said that they had convened a joint panel to discuss the issue and decide whether a new criminal investigation should take place. They decided that the original reasoning for the trial being held in the US still held, and looked into the possibility of holding the trial in the UK. This would have involved transferring witnesses and sensitive physical evidence to the UK. The panel consulted the US Department of Justice as to whether this would be possible, given that they believed that "the prospects of a conviction against Mr McKinnon, which reflects the full extent of his alleged criminality, are not high".
According to the statement, the US authorities "indicated to us that they would be willing to co-operate with a prosecution in England and Wales if that would serve the interests of justice." However, the US authorities did not feel that transferring all the witnesses and evidence to the UK would be in that interest, given the panel's representations. The statement goes on to say: "That is a decision the US authorities are fully entitled to reach and we respect their decision." On that basis, the panel concluded that a new criminal investigation should not be started and the Assistant Commissioner accepted that advice.

Internet Explorer Vulnerability Allowing Hackers to Track Your Mouse Cursor


Yet again Microsoft Internet Explorer has fallen victim to hackers. Spider.io, a website analytics firm, has discovered a security vulnerability in all current versions of Internet Explorer that allows attackers to trace mouse cursors anywhere on users' screens, even if the Internet Explorer window is minimized. Spider.io said: "The vulnerability is notable because it compromises the security of virtual keyboards and virtual keypads.
As a user of Internet Explorer, your mouse movements can be recorded by an attacker even if you are security conscious and you never install any untoward software. An attacker can get access to your mouse movements simply by buying a display ad slot on any webpage you visit. This is not restricted to lowbrow porn and file-sharing sites. Through today’s ad exchanges, any site from YouTube to the New York Times is a possible attack vector. Indeed, the vulnerability is already being exploited by at least two display ad analytics companies across billions of webpage impressions each month. As long as the page with the exploitative advertiser’s ad stays open—even if you push the page to a background tab or, indeed, even if you minimize Internet Explorer—your mouse cursor can be tracked across your entire display.


Vulnerability Disclosure
Package: Microsoft Internet Explorer
Affected: Tested on versions 6–10
BugTraq Link: seclists.org/bugtraq/2012/Dec/81


Spider.io has set up a demo page demonstrating the vulnerability. According to sources, the Microsoft Security Response Center has acknowledged the vulnerability, but Microsoft is in no hurry to patch it in existing versions of its popular browser: "There are no immediate plans to patch this vulnerability in existing versions of the browser," said MSRC.

Two Nigerians Arrested For Hacking into Mail Servers of Ghana Armed Force & Stealing $13,978


Two middle-aged Nigerians have been arrested for hacking into the mail server of the Ghana Armed Forces (GAF). The suspects, Peter Okechukwu, 32, and Emmanuel Ifedi, 31, were arrested by officials of the Criminal Investigations Department (CID) of the Ghana Police Service at a branch of the United Bank of Africa (UBA). According to a Ghana Business News report, the two cyber criminals were caught in Accra while attempting to divert $13,978 belonging to Ghanaian peacekeepers after they had succeeded in hacking into the e-mails of the GAF. According to the Director-General of the CID, Commissioner of Police Mr Prosper Agblor, in November this year the two suspects managed to get into the e-mails of Continental African Trading Limited (CATAL) and the United Nations Interim Force in Lebanon (UNIFIL) GHANBATT 76 and intercepted all electronic communications between the two parties. CATAL, an international organisation, had been supplying home appliances to Ghanaian peacekeeping troops on various missions at different locations around the world.
Recently, CATAL was contacted, as usual, by the GAF to supply home appliances to UNIFIL GHANBATT 76 peacekeeping troops in Lebanon. Mr Agblor said there was correspondence concerning the supply of the items between CATAL and the military through the Internet. Along the line, he said, the e-mails between the GAF and CATAL were hacked into by the two Nigerians, who intercepted all mails from both ends and replied them as if the replies were coming from the rightful receivers of the e-mails. 
He said the two suspects, using the identity of CATAL, sent an e-mail to the GAF instructing it to pay $13,978 into a UBA account number 01011651102235 as part payment for the supply of the goods. Upon receipt of the information, the GAF transferred $13,978 into the account as instructed by the two suspects.
Mr Agblor said CATAL realized that the GAF had suddenly stopped communicating with the company on matters relating to the transfer of the money and so it followed up with a phone call and detected that the GAF had paid $13,978 into an account number supplied by CATAL. 
He said it was at that stage that the two organisations realised that someone had hacked into their e-mails and quickly reported the issue to the Documentation and Visa Fraud Unit of the CID. Mr Agblor said the Business Development Manager of CATAL reported the case to the police and checks at the bank revealed that the money had not yet been cashed by the suspects. The police quickly mounted surveillance at the bank, awaiting the arrival of the suspects to cash the money. 
According to the CID boss, on November 11, 2012, Okechukwu, who happened to be the owner of the said account, was arrested when he turned up at the bank to cash the amount. Upon interrogation, the police said, Okechukwu admitted to the offence but mentioned Ifedi as the master brain behind the whole deal and led the police to Ifedi's house at Ashaley Botwe, an Accra suburb. Mr Agblor said investigations were still ongoing, after which the two would be put before court.

#ProjectWhiteFox -Team GhostShell Hacked 1.6 Million Accounts of NASA, ESA, Pentagon & FBI


After the devastating "Project Blackstar", the hacktivist group calling themselves "Team GhostShell" has announced another big hack targeting several large organizations. This round of attacks went under the banner of #ProjectWhiteFox, in which GhostShell has posted log-in details for 1.6 million accounts they claim were taken from a series of attacks on organizations including NASA, the FBI, the European Space Agency and the Pentagon, as well as many companies that partner with these organizations. The Anonymous-affiliated group posted the details on Pastebin, describing the aim of the hack as part of their #ProjectWhiteFox campaign to promote hacktivism and freedom of information on the internet. The group claimed that the leaked information contained log-in names, passwords, email addresses, CVs and other sensitive information. In their release GhostShell said: "For those two factors we have prepared a juicy release of 1.6 million accounts/records from fields such as aerospace, nanotechnology, banking, law, education, government, military, all kinds of wacky companies & corporations working for the department of defense, airlines and more."
GhostShell members also said that they have messaged security bosses about the insecurity of a number of organizations they targeted during attacks throughout 2012, describing it as "an early Christmas present."
In a Pastebin file, GhostShell features a list of 37 organizations and companies, including The European Space Agency, NASA’s Engineers: Center for Advanced Engineering, and a Defense Contractor for the Pentagon. GhostShell sets itself apart from other hacktivist groups by targeting more than just one company or organization, and then releasing the results of its attack all at once. This set of hacks is spread out across 456 links, many of which simply contain raw dump files uploaded to GitHub and mirrored on paste sites Slexy.org and PasteSite.com.
The uploaded files contain what appears to be user data that looks to have been obtained from the servers of the various firms (likely via SQL injection). The entries include IP addresses, names, logins, email addresses, passwords, phone numbers, and even home addresses. Email accounts include the big three (Gmail, Hotmail, and Yahoo), as well as many .gov accounts. There are also various documents and material related to partnerships between companies and government bodies, as well as sensitive information for the aforementioned industries. 
Furthermore, the group says it has sent an email to the ICS-CERT Security Operations Center, Homeland Security Information Network (HSIN), Lessons Learned and Information Sharing (LLIS), the FBI’s Washington Division and Seattle location, Flashpoint Intel Partners, Raytheon, and NASA. In it, they say to have detailed “another 150 vulnerable servers from the Pentagon, NASA, DHS, Federal Reserve, Intelligence firms, L-3 CyberSecurity, JAXA, etc.”





-Source (TNW)