
Microsoft Releases Patch Fixes for Windows Server and PowerPoint


Microsoft fixed bugs in the WINS name server resolution protocol and a file format vulnerability in PowerPoint for its May Patch Tuesday.

Microsoft addressed two security bulletins in May’s Patch Tuesday release. Security experts said administrators should apply the fixes immediately—because, despite their small size, they address significant threats.

Microsoft fixed a critical vulnerability affecting Windows Server and an important bug in Microsoft Office PowerPoint, according to the Patch Tuesday advisory released May 10. Microsoft also assigned separate “exploitability” scores for newer versions of the software under the “improved” exploitability index ratings.
The team fixed a critical vulnerability (MS11-035) in the WINS component in Windows Server 2003 and 2008. WINS is a name-resolution service that resolves names in the NetBIOS namespace and does not require authentication to use. While usually not available by default in Windows Server, it is commonly used in the enterprise for internal network servers. Administrators who have enabled WINS in Windows Server should apply the patch immediately as attackers could remotely cause a denial of service, according to Wolfgang Kandek, the CTO of Qualys.
“What might make the WINS vulnerability appealing to attackers is that it is a server-side issue,” Joshua Talbot, security intelligence manager, Symantec Security Response, told eWEEK.
Unlike other threats, attackers don’t have to trick a user into doing anything since it’s just a matter of finding a vulnerable server and feeding the machine “a malicious string of data,” according to Talbot. It is also a more serious issue on Windows Server 2003 than on 2008 because Windows Server 2008 has built-in protections such as DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization). However, attackers can still create exploit code to get past those security features, Talbot said.
The other “important” bulletin (MS11-036) addressed a security flaw in all versions of Microsoft Office PowerPoint except Office 2010. The bug would allow attackers to take full control of the target machine as soon as the user opens a malicious PPT file.
Both WINS and PowerPoint vulnerabilities are fairly significant, according to Tyler Reguly, technical manager of security research and development at nCircle. File-format vulnerabilities are “popular exploits” but WINS is remote code execution, so it was “difficult” to decide which was the “biggest risk today.”
Microsoft listed both vulnerabilities using the new exploitability ratings. The PowerPoint bulletin was rated a “1” (consistent exploit code likely) for older software releases, but 0 for the latest software because Office 2010 is not affected. The WINS patch was rated a “2” on both the latest and older versions because it affected all versions.
The updated rating system is intended to make it easier for IT administrators to determine their risk level, according to Microsoft.
“With massive updates such as we had in April, it’s easy to get overwhelmed. Microsoft’s new index simplifies the process, which will help IT administrators to prioritize which patches they tackle first,” said Dave Marcus, director of security research and communications at McAfee Labs.
The small release means administrators should “brace themselves for a larger update” in June, according to Kandek.
To complicate things for IT administrators, a fake Patch Tuesday update is making the rounds, according to security researchers at Websense Security Labs ThreatSeeker network. The malware is spread via a link inside an email message supposedly from “Microsoft Canada Co.” which informs users that Microsoft has issued a “Security Update for Microsoft Windows OS,” wrote Amon Sanniez, associate security researcher at Websense. Clicking on the link downloads the fake patch to the computer and infects the system with a Zeus Trojan variant, according to Sanniez.
It “ties in almost perfectly” with the real Patch Tuesday updates from Microsoft, Sanniez said.
The email looks quite legitimate and shows “some effort” went into the creation, as the message is presented in both English and French, and the display names within the headers actually say the mail originated from Microsoft Canada.
The malicious executable is currently not being detected by most major antivirus products tracked on VirusTotal, so IT managers should be careful that none of their staff members or users click on the link to get the security update. Websense said it is a low-volume threat, possibly aimed at a handful of companies. 


IU experts find flaws in US web protection plan


The White House proposed new cybersecurity legislation Thursday that aimed to protect the country against threats to the national infrastructure and the economy, but it was too small a step, according to IU cybersecurity experts.
Fred Cate, a professor in the Maurer School of Law and the director of the Center for Applied Cybersecurity Research, said cybersecurity attacks are a huge problem in today’s society.
“We live in a data-driven society — almost everything we do generates or uses digital data,” Cate said. “Yet as the president and most everyone else recognizes, those data and the systems that transmit and store them are not secure.”
The proposal focuses on the protection of American citizens, critical infrastructure, government systems and privacy and civil liberties. The legislation includes harsher penalties for cybercriminals and requires the Department of Homeland Security to work with companies in the private sector to identify and address vulnerabilities.
Von Welch, the deputy director of the CACR, thinks the new legislation was a positive step, but not a big enough one.
“My concern is that it isn’t keeping up with advances we’re seeing in cybercrime,” he said.
The administration’s cybersecurity efforts have been focused on new technologies, rather than on creating legal and economic incentives for the private sector to invest in better security, Cate said. This approach hasn’t worked, he said.
“During the past two years we have witnessed massive security breaches involving hundreds of millions of Americans, involving Sony PlayStation, the online marketing firm Epsilon, even the security powerhouse RSA,” Cate said. “According to one study, more than 2,500 companies were victims of one sophisticated cyberattack that exfiltrated proprietary corporate data, and there are thousands of other successful attacks against companies and agencies.”
Cate said that U.S. counterintelligence officials report that 140 foreign intelligence organizations are actively engaged in trying to hack into U.S. government and business networks.
“Without appropriate incentives, industry won’t invest sufficiently in good security,” he said. “It is that simple.”
Welch agrees. Much of what the legislation does is formalize practices already happening, he said.
“For example, federalizing breach notification laws have already been put in place by many states, and explicitly allowing collaboration and information exchange that is already taking place by cybersecurity practitioners.”
Cate and Welch agree that there are some positive parts to the plan. Its focus on critical infrastructure, by mandating core critical infrastructure operators, creates a plan for addressing threats. Having those plans evaluated by third parties is a good step given the importance of critical infrastructure to national security, Welch said.
What’s missing from the plan, Welch said, is a similar push for other parts of the Internet.
“As recent high-profile cases such as Sony and Epsilon have shown, and what seem to be constant problems with privacy on social networking sites, there are other companies operating on the Internet that while perhaps not critical to our national security, still impact millions of people,” he said. “There is nothing in the proposed legislation to really incentivize these companies to improve their cybersecurity and, in turn, our privacy as their users.”
Cate explained how the plan could be improved.
“The plan could include legal requirements for good information security, tax incentives, safe harbor provisions for businesses that try to enhance security even if they fail, liability provisions to allow injured consumers to recover from harms caused by bad security and new enforcement powers and resources for the Federal Trade Commission,” he said.
In addition to calling for new privacy protections, he said the President should appoint the members of the Privacy and Civil Liberties Oversight Board, which Congress created, but the administration has yet to fill.
Cate also said the administration’s plan includes no effort to curtail risky behaviors by businesses themselves.
“The recent discoveries that Google and Apple are both collecting location data on smart phone users and storing that data, unencrypted, in unsecured files suggests that some regulation may be appropriate to protect individuals as well as industry,” he said.
The bottom line? Technology is very important in security, but the administration’s focus on it is only one step towards enhancing information security.
“Technologies are like magic bullets for the government — no matter what the problem, we want to believe that technology can solve it,” Cate said. “Technology alone just isn’t enough — for security or anything else.”


NSA Refused to Disclose Obama's Secret Cyber Security Directive


The cyber security directive of United States President Barack Obama has taken a twist: the National Security Agency (NSA) has refused to release details of a secret presidential directive that would establish a broader set of standards to guide federal agencies in confronting cyber threats. Several experts presume that the directive could allow the military and intelligence agencies to operate on the networks of private companies, such as Google and Facebook. A Washington Post report last week cited several U.S. officials as saying that Obama signed off on the secret cyber security order, believed to widely expand NSA’s spying authorities, in mid-October. “The new directive is the most extensive White House effort to date to wrestle with what constitutes an “offensive” and a “defensive” action in the rapidly evolving world of cyber war and cyber terrorism,” the report states.
The Electronic Privacy and Information Center (EPIC), filed a Freedom of Information Act (FOIA) request to make the document public because it said the measure could expand NSA’s Cyber security authority. “Transparency is crucial to the public’s ability to monitor the government’s national security efforts and ensure that federal agencies respect privacy rights and comply with their obligations under the Privacy Act,” said EPIC’s request.
EPIC said that NSA denied the request on Nov. 21, arguing that it doesn’t have to release the document because it is a confidential presidential communication and contains information that is classified “Secret” and “Top Secret” by the agency. NSA said disclosure of the order could “reasonably be expected to cause exceptionally grave damage to the national security.” The agency said EPIC could appeal the denial with the NSA/Central Security Service, and EPIC said it plans to do so. The privacy group said it is litigating similar FOIA requests with NSA, including the release of NSPD 54, a 2008 presidential directive setting out the NSA’s cyber security authority. The group called NSA a “black hole for public information about cyber security” in an official statement to Congress earlier this year. National Security Agency whistleblower William Binney said in mid-July that the U.S. government is secretly gathering information “about virtually every U.S. citizen in the country”, in “a very dangerous process” that violates Americans’ privacy.
Former President George W. Bush signed a presidential order in 2002 allowing the National Security Agency (NSA) to monitor without a warrant the international (and sometimes domestic) telephone calls and e-mail messages of hundreds or thousands of citizens and legal residents inside the United States. The program eventually came to include some purely internal controls -- but no requirement that warrants be obtained from the Foreign Intelligence Surveillance Court as the 4th Amendment to the Constitution and the foreign intelligence surveillance laws require.



-Source (GSN Magazine & Press TV)






2011 "The Year of The Hack" A Brief Over View & Prediction of 2012


Every day when you open voiceofgreyhat.com you see lots of hacks, defacements, data breaches, rooted servers, hacked databases, leaked information and so on. Here is a summary covering the recent attacks. If 2011 was “the year of the hack,” as it was dubbed by Richard Clarke, former White House cyber-security czar, would 2012 be the year enterprises apply the lessons learned and stop the attacks?

Apparently not, as security experts are predicting even more sophisticated attacks for 2012.

Defense contractors, government agencies, and other public and private organizations reported network breaches where attackers stole intellectual property, financial data and other sensitive data. Hacktivist groups such as Anonymous and LulzSec demonstrated how much damage they can cause large organizations by employing fairly well-known techniques against the application layer. 

What’s the security outlook for 2012? 
It appears gloomy, as security experts warn that cyber-attackers will target applications, mobile devices and social networking sites. There will be more social engineering as attackers research victims beforehand to craft even more targeted attacks.
2011 was a year in transition, said David Koretz, CEO of Mykonos Software: the year when sophisticated Web application attacks came of age. Before, people were talking about the threat to Web applications but were unable to quantify the problem. “2011 is the year people started caring about Web security for the first time,” Koretz said.
Attackers targeted applications through SQL injection and cross-site scripting attacks to get access to sensitive data, said Lori MacVittie, senior technical marketing manager at F5 Networks. There are more kits and exploit tools released that exploit certain vulnerabilities, making it easier for even less skilled attackers to launch sophisticated attacks. There will be more of these tools in 2012, she said.
Social media has become more ubiquitous. Forrester estimated 76 percent of enterprises allow some access to social networking sites from within the corporate networks, and 41 percent allow “unfettered access” to these sites. Many of the data breach and cyber-attack headlines in 2011 were social engineering attacks that exploited email and the Web as an attack vector, according to Rick Holland, a Forrester analyst.
Attacks against social network sites accounted for only 5 percent of total social engineering attacks in Verizon’s 2011 Data Breach Investigations Report. Forrester expects this number to “increase significantly” in 2012, Holland said.
Malware for mobile platforms grabbed headlines in 2011, starting with Google removing apps infected with DroidDream malware from Android Market and then remotely removing them from user devices.
Malware developed for mobile platforms exploded in volume and sophistication, according to Juniper Networks’ Global Threat Center. Criminals released a mobile version of the Zeus Trojan designed to intercept security controls used for online banking for several mobile platforms. Many users were infected with malware that turned their smartphones into zombies participating in a botnet without their knowledge.
Mobile device adoption is on track to reach 60 million tablets and 175 million smartphones in the workforce by 2012, according to Forrester. The majority of users will not be using these devices secured within the corporate environment as they will be working from home offices, public hotspots and third-party networks.
Organizations will increasingly shift their content security operations to the cloud to better protect mobile users. Security professionals have to adapt quickly to multiple mobile form factors and evolving threats from sophisticated malware and social networks, Holland said. 




Pwn2Own 2013 Result: Chrome, Firefox, IE, Adobe Reader, Flash & Java Owned, Only Safari Survived

A couple of months ago we talked about the 'Pwn2Own 2013' hacking contest sponsored by HP TippingPoint, ZDI and Google, where the most famous and widely used browsers had to face challenges. Now the results of this long-awaited security competition are in, and they show that the entire browser security landscape can change in a single day, as browsers thought to be secure are proven to be otherwise. Of the Big Four browsers, only Apple's Safari has so far survived the onslaught of the browser-breakers, while Chrome, Internet Explorer 10 and Firefox all fell to the hackers. Not only browsers but also three other popular applications, Adobe Reader, Flash Player and yet again Java, fell victim to hackers at Pwn2Own. For Java it was a true disaster, as it fell three times, though under the contest rules only the first attacker was due to win the $20,000 prize.

Vupen, a renowned security research firm based in France, cracked both Firefox and Internet Explorer. It roughly explained the attack in a tweet: “We’ve pwned Firefox using a use-after-free and a brand new technique to bypass ASLR/DEP on Win7 without the need of any ROP.” This bug earned them $100,000 for finding a huge hole. In another tweet, Vupen explained: “We’ve pwned MS Surface Pro with two IE10 zero-days to achieve a full Windows 8 compromise with sandbox bypass.”

Lastly, U.K.-based security firm MWR Labs cracked Chrome and also gained full control of the operating system, this time Windows 7. It also “demonstrated a full sandbox bypass exploit.” The company explained in a blog post that it found a zero-day in Chrome “running on a modern Windows-based laptop.” It exploited the vulnerability by performing an attack very similar to the one that took down Facebook, Microsoft and a number of other well-known companies: it had the laptop visit a malicious website.

Now lets take look at the final score board of Pwn2Own 2013:

Wednesday:
1:30 - Java (James Forshaw) PWNED
2:30 - Java (Joshua Drake) PWNED
3:30 - IE 10 (VUPEN Security) PWNED
4:30 - Chrome (Nils & Jon) PWNED
5:30 - Firefox (VUPEN Security) PWNED
5:31 - Java (VUPEN Security) PWNED

Thursday:
12pm - Flash (VUPEN Security) PWNED
1pm - Adobe Reader (George Hotz) PWNED
2pm - Java (Ben Murphy via proxy) PWNED


The total damage to the prize fund comes out at a whopping $480k. With HP's announcement that everyone will get paid for each attack, the prize monies will be divvied up as follows:-

  1. James Forshaw: Java = $20K
  2. Joshua Drake: Java = $20k
  3. VUPEN Security: IE10 + Firefox + Java + Flash = $250k
  4. Nils & Jon: Chrome = $100k
  5. George Hotz: Adobe Reader = $70k
  6. Ben Murphy: Java = $20k
As you all know, the main motive of these contests is to make applications and software safer and more secure by uncovering hidden vulnerabilities. The security holes found by the above experts at Pwn2Own have already been submitted to and handled by the affected organizations, and the expected patches for the browsers have already been released. Those still using older versions of the above applications are requested to update their systems. So, stay tuned with VOGH and be safe on the Internet.


-Source (HP, Naked Security) 









Exclusive Threat Report on Mobile Security Breach By IBM X-FORCE TEAM

The number of mobile security exploits is on track to double year over year between 2010 and 2011. “For years, observers have been wondering when malware would become a real problem for the latest generation of mobile devices,” said Tom Cross, a manager at IBM’s X-Force security research arm. “It appears that the wait is over.”
X-Force security experts research and evaluate vulnerabilities and security issues, develop assessment and countermeasure technology and educate the public about emerging web and mobile threats. In a new report on mobile and general Internet security, X-Force researchers found that the combination of new vulnerabilities and more sophisticated phone-hacking technology has led to a huge spike in the number of security exploits on mobile phones.
Add to that the fact that more people are storing more information worth stealing on their phones — including corporate information, since more smartphones and tablets are appearing in the workplace — and you have a perfect storm for criminally focused mobile hacking. The X-Force Mid-Year Trend and Risk Report, released today, is based on data gathered through IBM’s research of public vulnerability disclosures as well as the team’s monitoring and analysis of around 12 billion security events daily since the beginning of the year.
Among the report’s findings is the fact that in 2011, mobile users will experience twice the number of mobile exploit releases than last year. Much of this is due to the fact that, as X-Force researchers observed, “many mobile phone vendors do not rapidly push out security updates for their devices.”

The report urges consumers to be cautious about downloading apps that don’t come from an official app store. Third-party app stores or off-market apps are more likely than officially sanctioned apps to contain malicious (and highly monetizable) software.


Cross gives these six tips for consumers to protect themselves from the threat of a mobile attack:-

  • Make sure you protect access to your phone with a password or PIN to keep intruders out if your phone is lost or stolen.
  • Don’t download applications from third-party application markets.
  • Make sure you install system updates as prompted.
  • Back up your data on a regular basis.
  • Have the ability to track your phone and remotely wipe all its data if it is stolen. You can easily find an app that will allow you to do so.
  • Download and run anti-malware applications.

The X-Force team said the number of critical, non-mobile security vulnerabilities has tripled in 2011, and researchers particularly noted the practice of “whaling.” As opposed to “phishing,” a technique that casts a wide net to capture sensitive information, whaling implies that the criminal or criminals behind the attack are zeroing in on a “big fish,” a high-profile target. Phishing has lately been on the decline, but whaling, which targets those positioned at high levels of an organization with access to critical data, is on the rise.


“Although we understand how to defend against many of these attacks on a technical level, organizations don’t always have the cross-company operational practices in place to protect themselves,” said Cross.

-News Source (IBM X-Force Team & Mobile Beat)




UK is Enhancing Cyber Security to fight Against Hackers

The fight against cyber crime needs a stronger common international legal framework to enable perpetrators outside the country of their victims to be tracked down and punished, a British security official said on Tuesday.
James Brokenshire, a Home Office (Interior Ministry) Minister for Crime and Security, added in remarks to reporters that governments and companies had to work much more closely together to fight the "scammers, fraudsters and hackers" who were creating a truly global problem.
"Active international partnerships are central to tackling cyber crime," he said. "There needs to be an international response including international treaties, bilateral treaties and common agreements between countries." A priority for governments is to find ways of hunting criminals across borders and ensuring they are punished, but many nations lack a common definition of cyber crime or common legal standards that would enable prosecutions of criminals operating offshore. Security experts have long said the core problem has been that nations are thinking too parochially about their online security to collaborate on crafting global cyber regulation.
High-profile online assaults in recent weeks have targeted the International Monetary Fund, the U.S. Central Intelligence Agency and the U.S. Senate, and companies such as Citigroup and Lockheed Martin Corp. The raids have raised doubts about the security of government and corporate computer systems and the ability of law enforcement to track down hackers. Saying there should be "no safe haven" for online criminals, Brokenshire added that governments had to work with the private sector to provide technical expertise to police in those countries that lacked the resources to fight cyber criminals.

He was speaking at the launch of the International Cyber Security Protection Alliance (ICSPA), a global not-for-profit organisation that aims to channel funding, expertise and help directly to law enforcement cyber crime units around the world. The venture, which will seek funding from the European Union, the governments of the United States, Canada, Australia, New Zealand and Britain, and private sector companies, plans to work in partnership with the European police agency EUROPOL.
Rik Ferguson, Director of Security Research at Trend Micro, said areas of concern to ICSPA included Brazil, which had expertise in banking malware; China, where computers were often used by criminals elsewhere to host attacks in third countries; and Russia and Ukraine. Companies supporting the venture include McAfee, Cassidian, Trend Micro, Yodel, Core Security Technologies, Visa Europe, Shop Direct group, A&R Edelman, Transactis and Article10. Cyber crime costs the British economy some 27 billion pounds ($43.5 billion) a year and appears to be "endemic", according to the first official government estimate of the issue, published in February 2011.
Brokenshire's call echoes remarks by U.S. Secretary of Homeland Security Janet Napolitano who said last week that cyber criminals were outwitting national and international legal systems that fail to embrace technological advances.


Security experts can't verify Iran's claims of new worm

 
Without a sample of the new worm that an Iranian official says attacked the country's computers, it's impossible to verify his claims, a security researcher said Monday.
Kevin Haley, the director of Symantec's security response group, said that his team has not found an example of the worm, dubbed "Stars" by the Iranian military commander responsible for investigating Stuxnet, the sophisticated malware that attacked the country's uranium enrichment facilities beginning in June 2009.
"Generally, samples [of malware] do get traded among security vendors," said Haley, explaining that when one antivirus company lacks malware it wants to analyze, it asks other firms to share their samples. "[Iran] makes this a little more difficult, because we have no direct relationships there," added Haley. "But perhaps someone else does."
Although Symantec has asked researchers in other companies if they have a sample, as of late Monday it has not been able to acquire one.
No other security vendor has stepped forward to say it has a copy of Stars.
Security experts need the malware to corroborate claims by Brigadier Gen. Gholam Reza Jalali, the head of Iran's Passive Defense Organization, the military unit that defends the country's nuclear program.
On Monday, Jalali told Iran's Mehr News Agency that the Stars worm had been detected and thwarted, but provided no information on its function or targets, or when it was discovered.
Jalali's claim came just a week after he blamed Siemens for helping U.S. and Israeli teams create Stuxnet.
Stuxnet, which targeted industrial control systems manufactured by Siemens, has been called a "groundbreaking" piece of malware because it used multiple "zero-day" vulnerabilities, hid while it wreaked havoc on Iran's uranium enrichment hardware, and required enormous resources to create.
It's possible that Stars was not a targeted attack aimed at Iran, but simply part of a more traditional broad-based assault, said Haley.
"It could be a mass attack that got through their defenses," he said. "That could have raised the alarm. They're already paranoid about attacks."
Symantec sees millions of threats every day, the vast majority of which are not targeted, Haley said.
If that's the case, trying to identify Stars would be impossible. "In the case of Stuxnet, we actually had samples, we just didn't understand the significance of the threat until later," Haley said. "Finding [Stars] in our database would be like finding a needle in a haystack" without more information from Iran.
"And even if we found something, we wouldn't know if it was the one they're talking about," said Haley.
Other antivirus vendors, including Helsinki-based F-Secure and U.K. security company Sophos, also acknowledged that they could not verify Iran's claims.
"We can't tie this case to any particular sample we might already have," admitted Mikko Hypponen, F-Secure's chief research officer, in a blog post Monday. "We don't know if Iran[ian] officials have just found some ordinary Windows worm and announced it to be a cyber war attack."
Graham Cluley, a senior security technology consultant at Sophos, also said his company had not been able to identify the malware.


Google Chrome OS Has Security Hole (Black Hat 2011)


Black Hat: Google has billed its Chrome operating system as a security breakthrough that's largely immune to the threats that have plagued traditional computers for decades. With almost nothing stored on its hard drive and no native applications, there's no sensitive data that can be pilfered, and it can't be commandeered when attackers exploit common software vulnerabilities.
But according to two researchers who spent the past few months analyzing the Chrome-powered Cr-48 beta released in December, the browser-based OS is vulnerable to many of the same serious attacks that afflict people surfing websites. As a result, users remain susceptible to exploits that can intercept email, documents, and passwords stored on centralized servers, many of which are maintained by Google.
“Even though they put these awesome security protections in place, we're just moving the security problems to the cloud now,” Matt Johansen, a researcher with WhiteHat Security, told The Register. “We're moving the software security problem that we've been dealing with forever to the cloud. They're doing a lot of things right, but it's not the end all and be all for security.”
Virtually all of the threats identified by Johansen and his WhiteHat colleague Kyle Osborn stem from Chrome's reliance on extensions, which are essentially web-based applications. A fair number of the extensions they analyzed contain XSS, or cross-site scripting, bugs, which have the potential to inject malicious code and content into a visitor's browser and in some cases steal credentials used to authenticate user accounts.
As they went about testing what kind of attacks various XSS vulnerabilities could allow, Johansen and Osborn noticed something curious: a bug in one extension often allowed them to hijack the communications of a second extension, even when the latter one had no identifiable security flaws. At the Black Hat security conference in Las Vegas on Wednesday, they demonstrated this weakness by exploiting an XSS hole in one extension to steal passwords from an otherwise secure account on cloud password storage service LastPass.
“If any of the other vulnerable extensions have an XSS hole, we can utilize JavaScript to hijack that communication,” Johansen said. “LastPass is doing absolutely nothing wrong here. You can have an extension that's perfectly fine, but if you have another that has a cross-site scripting error in it we can still access information in secure applications.”
The discovery has generated a quandary for the researchers.
“Whose problem is this to fix?” Johansen continued. “We don't really have an answer for that. LastPass did everything correctly. It's the other extension developers that developed an extension with a vulnerability in it.”
After being informed of the specific attack, LastPass made changes to its Chrome extension that prevented it from being carried out, so it's reasonable to assume extension makers bear some of the responsibility for preventing their apps from being compromised by others. But Johansen couldn't rule out the possibility that vulnerabilities in other apps could make LastPass vulnerable again. He said Google might be able to fix the problem by overhauling the application programming interfaces extension developers use.
The researchers also demonstrated an XSS vulnerability in Scratchpad, a text-editor extension that's bundled with Chrome. By sharing files with names containing JavaScript commands stored on Google Docs they were able to obtain the Google session cookies of anyone who used a Chromebook to view the documents. An attacker could exploit the vulnerability to read a victim's email, or to send instant messages to everyone on the victim's contact list. If any of the contacts are using Chromebooks, they could be similarly vulnerable to booby-trapped filenames stored on Google Docs.
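The Scratchpad finding above is an instance of one rendering bug class: a document name that came from another user is dropped into the extension's own markup unescaped, so a name that is really an HTML fragment becomes live code in the extension's origin. The following is an added example, not code from the article or from the WhiteHat researchers; the document listing, the hostile name and the `hasForeignTags` check are all constructed for this demonstration.

```javascript
// Added example, not from the original article or the WhiteHat researchers.
// Constructed sample: a shared-document listing as an extension might receive it.
const sharedDocs = [
  { name: "Q3 budget.txt", owner: "alice@example.com" },
  // Constructed hostile entry: the "filename" is really an HTML fragment.
  { name: '<img src=x onerror="alert(document.cookie)">', owner: "mallory@example.com" },
];

// Vulnerable pattern: untrusted strings concatenated straight into markup that
// the extension later assigns to element.innerHTML. The browser parses the
// hostile name as a tag and runs its onerror handler with the extension's privileges.
function renderListVulnerable(docs) {
  return "<ul>" + docs.map(d => `<li>${d.name} (${d.owner})</li>`).join("") + "</ul>";
}

// Hardened: escape the five HTML-significant characters before templating.
// (In a real extension, building nodes with createElement/textContent is simpler
// still; the string form keeps this example runnable under plain Node.)
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

function renderListHardened(docs) {
  return "<ul>" +
    docs.map(d => `<li>${escapeHtml(d.name)} (${escapeHtml(d.owner)})</li>`).join("") +
    "</ul>";
}

// Check (constructed helper): does the rendered markup contain any tag that the
// template itself did not emit? Handy as a unit test for any renderer that
// displays names chosen by other users.
function hasForeignTags(html, templateTags = ["ul", "li"]) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!templateTags.includes(m[1].toLowerCase())) return true;
  }
  return false;
}

console.log("vulnerable renderer leaks a tag:", hasForeignTags(renderListVulnerable(sharedDocs)));
console.log("hardened renderer leaks a tag:  ", hasForeignTags(renderListHardened(sharedDocs)));
```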
A Google spokeswoman defended the security of Chromebooks and said the vulnerabilities enumerated by the researchers weren't unique to the cloud-based OS. In an email, she issued the following statement:
This conversation is about the web, not Chrome OS. Chromebooks raise security protections on computing hardware to new levels. They are also better equipped to handle the web attacks that can affect browsers on any computing device, thanks in part to a carefully designed extensions model and the advanced security available through Chrome that many users and experts have embraced.
The researchers stressed Google engineers were extremely quick to fix the Scratchpad vulnerability and awarded them a $1,000 bounty for their report. But they remain convinced that the security of Chrome OS in many cases is only as strong as its weakest extensions. They also pointed out that penetration-testing tools such as the Browser Exploitation Framework could be used to help streamline attacks in much the way Metasploit is used to manage exploits for traditional machines.
And, Johansen said, Chrome hacking through XSS may be only the beginning, since the flaws are among the easiest to find and exploit.
“Who knows what we're going to be looking for months or years from now when Google can figure out a way to thwart the cross-site scripting threat,” he said. “Why would we be trying to write buffer overflows when we can just write a simple JavaScript command.” 
-News Source (The Register)

Hcon Security Testing Framework (HconSTF) v0.5 Codename 'Prime' Released

We have discussed HconSTF, a browser-based security testing framework, a couple of times before. Version 0.4 arrived last year; now, after almost 14 months, the author of Hcon, Mr. Ashish Mistry (information security researcher), has released version 0.5 of HconSTF, code-named "Prime." Hcon has already become a popular and widely used browser-based pen-testing framework, not only in the hacker community but also among security experts and infosec researchers, many of whom count it among their favourite pentesting tools: HconSTF is a flexible and handy multipurpose tool for IT security professionals, web bug bounty hunters, web developers, or anyone interested in IT security. As expected, this version comes with enhanced features and more functionality, so let's take a glance at HconSTF v0.5:

HconSTF is semi-automated, but you still need your brain to work it out. It can be used at every stage of security testing; it has tools for tasks like:
  • Web Penetration Testing
  • Web Exploit Development
  • Web Malware Analysis
  • Open Source Intelligence (Cyber Spying & Doxing)
  • and much more, with lots of hidden features

HconSTF v0.5 in Brief:
  • Based on Firefox 17.0.1
  • Designed around a process-based methodology
  • Small in size (40 MB packed, 80 MB extracted) and light on memory
  • More than 165 search plugins
  • New IDB 0.1 release integrated
  • Underlying logging for each and every request
  • New scanners for DOM XSS and reflected XSS
  • New reporting features such as note taking and URL logging for easy report writing
  • Smart search box: select text and it is copied automatically; then just change the search engine to search
  • Integrated Tor, AdvOR, I2P and more proxies
  • New Greasemonkey scripts (18 scripts)
To download HconSTF v0.5, click here [Download type: portable (no need to install; run from a USB drive or any memory card). Platform: Windows XP, Vista, 7, both x32 & x64]


Washington D.C. Online Voting System Hacked in Less Than 48 hrs

Washington D.C. Online Voting System Hacked By Researchers Of Michigan University in Less Than 48 hrs
The security functions of a pilot project for online voting in Washington D.C. were compromised. Researchers at the University of Michigan have reported that it took them only a short time to crack the security of the whole system. "Within 48 hours of the system going live, we had gained near complete control of the election server", the researchers wrote in a paper that has now been released. "We successfully changed every vote and revealed almost every secret ballot."
The hack was only discovered after about two business days – and most likely only because the intruders left a visible trail on purpose. In 2010, the developers of the municipal e-voting system that enables voters living abroad to vote via a web site, invited security experts to conduct tests. The university researchers say that the project was developed in cooperation with the Open Source Digital Voting Foundation (OSDV) and that other US states have also worked on services similar to Washington's "Digital Vote-by-Mail Service". They also praise the system's transparency as exemplary but point out that its architecture has fundamental security weaknesses and was not able to withstand a shell injection and other common hacker techniques. The security experts investigated common vulnerable points such as login fields, the virtual ballots' content and filenames, and session cookies – and found several exploitable weaknesses. Even the Linux kernel used in the project proved to have a well known vulnerability.


Most Organized Banking-Trojan Called 'Gozi Prinimalka' By Russian Hackers Targeting U.S. Banks

We are all probably aware of the massive attack that took place last month, targeting several leading banks and financial institutions in the United States. The attack came just after an 'anti-Islamic' video was posted online. US national security officials accused the Iranian government of engaging in cyber attacks against US banks, mainly Bank of America. Sooner or later the situation came under control. But the cloud of trouble over the US banking sector has not gone completely: security professionals recently revealed that a cartel of Russian hackers is planning to launch a separate attack aimed at stealing money from about 30 U.S. financial institutions, an apparent attempt to piggyback on and capitalize on the ongoing cyber attacks on U.S. banks. The emergence of Russian hackers suggests a potential shift in the motivation of the cyber attacks from ideological to financial and also points to a longer duration of the ongoing attacks. Security experts have picked up on chatter in the cyber underworld indicating Russian hackers have set their sights on about 30 U.S. financial institutions. Dubbed “Operation Blitzkrieg,” the attack is planned for this fall on 30 U.S. banks, though it’s not clear which specific institutions will be targeted. In a blog post last week, RSA said it “believes this is the making of the most substantial organized banking-Trojan operation seen to date.”

So far it’s not clear who the specific Russian hackers are, but the well-known security professional and blogger Brian Krebs pointed to a series of posts beginning in early September on Underweb forums by a Russian hacker who uses the nickname “vorVzakone,” which translates to “thief in law.” RSA said “underground chatter” indicates the gang plans to deploy a Trojan, called “Gozi Prinimalka,” in an effort to complete fraudulent wire transfers via Man-In-The-Middle (MiTM) manual session-hijacking scenarios. Herberger said MiTM is a type of attack that aims to deceive targets by violating otherwise secure communications, similar to tapping into a landline phone conversation or breaching a VPN session. “If successfully launched, the full force of this mega heist may only be felt by targeted banks in a month or two,” RSA said. The Trojan is part of a family of malware used by a crime gang that has successfully siphoned at least $5 million from banks, RSA said. The Russian hackers are also offering to pay individuals who help them carry out the attacks, indicating a desire to monetize the intrusions.

So now the vows of the hacker group named 'Izz ad-Din al Qassam Cyber Fighters' are proving to be more dangerous for the US. The group earlier said "These series of attacks will continue until the Erasing of that nasty movie from the Internet". As a reminder, this group was responsible for all the major DDoS attacks against the US financial sector. “It’s not uncommon that people who have a financial motive may try to take advantage of nefarious techniques,” said Herberger. “They will jump in because they can take advantage of the fact banks are laboring and security departments are becoming overrun and softened for a different kind of motivated attack.” The emergence of the threat from Russian groups underscores the prolonged nature of the attacks against corporations, especially in the financial industry. “Security teams are coming to terms that these attacks are long,” often measured in days and weeks, said Herberger. However, security teams often aren’t “staffed for attrition.”

-Source (FOX Business)


Live Hacking Team Release Updated Linux Distro for Penetration Testing

The Live Hacking project, led by Dr. Ali Jahangiri, is pleased to announce an updated version of its security-oriented Linux distribution, the “Live Hacking DVD”. Designed for penetration testing and ethical hacking, the new release has updated over 140 packages, including Metasploit and Firefox.
The Live Hacking Linux distribution is a ‘Live DVD’ meaning that it boots and runs directly from the DVD without needing to be installed on your hard disk. Once it starts you can use the included utilities to perform penetration tests and ethically hack on your own network to ensure that it is secure from outside intruders.
New in this release is Metasploit Framework 3.6 which can be used to test your network using the framework’s internal database of known weaknesses and exploits. New to V3.6 are post-exploitation modules that can be run on exploited systems to perform actions such as gathering additional information, pivoting to other networks and elevating system privileges. V3.6 also adds 15 new exploits making a total of 648 exploit modules, 342 auxiliary modules and 23 post modules.
“The Live Hacking Linux distribution has been a great success. It is downloaded on average 50 times per day and we have had over 4,500 downloads in the first three months of this year alone.” said Dr. Ali Jahangiri the project leader. “We are keen to keep the distro up to date and we are planning to add more features and tools in the future.”
The Live Hacking DVD is part of the Live Hacking family which includes the LiveHacking.com security and penetration testing website. LiveHacking.com is an essential resource for security professionals and those wishing to educate themselves about security. The web site has security related news, features and articles plus educational videos about using some of the security tools found on the Live Hacking DVD.

LiveHacking.com also has information about Dr. Jahangiri’s book “Live Hacking: The Ultimate Guide to Hacking Techniques & Countermeasures for Ethical Hackers & IT Security Experts”, as well as details of the Live Hacking Workshops which Dr Jahangiri runs internationally, to introduce IT professionals to the world of ethical hacking.


DARPA Implementing Biometrics With Passwords To Enhance Security For DOD


The Department of Defense (DOD) is implementing more security: a new technology that will blend in biometrics alongside passwords without adding new hardware. DARPA on Friday issued a broad agency announcement (DARPA-BAA-12-06) for the initial phase of the Active Authentication program, to develop software-based biometric approaches that verify the identities of authorized DOD computer users not only at login, but also throughout the course of a user's computer session.
Military information security experts at the U.S. Defense Advanced Research Projects Agency in Arlington are asking for industry's help in developing ways to blend biometrics into U.S. Department of Defense (DOD) military cyber security systems without installing new hardware. The intent is not only to save time and money, but also to bolster existing DOD computer security, which relies primarily on requiring users to type in long and complex passwords. The Active Authentication program seeks to shift the DOD's current cyber security focus away from user passwords and common access cards when validating identity on DOD computer systems. Instead, the program seeks to focus on software-based user biometrics that do not require installation of new cyber-security software.

Researchers Said Cars Equipped With Computers are Vulnerable to Hacking, Intel Investigating

Security researchers have revealed that cars equipped with electronic communications systems and computers are vulnerable to hacking and viruses, which could translate into crashes on the road. According to a Reuters report, a special team employed by Intel is looking into software and hardware vulnerabilities in modern cars that could allow hackers to take control of vehicles. Barnaby Jack, a director of research at security consulting firm IOActive Labs, who became famous when he announced that he could make an ATM dispense money to anyone and cause medical equipment to pump lethal doses of insulin into patients, is one of the members of the group.
Another research group demonstrated a simple method of infecting a car with malware using nothing but a CD. When the victim plays the CD, the malware is activated and jumps from the CD to the car's computer system. While infecting the car radio is not life-threatening in itself, the code executed after running the CD can gain access to other important systems of the car. Researchers also said that car viruses can be put to subtler uses. One example they mentioned was to remotely listen in on conversations inside the car. It’s a Hollywood-style trick, but one that could come in handy for government spying or corporate espionage. Modern automobiles are already considered “computers on wheels” by security experts, and it’s only a matter of time before their vulnerabilities are exploited widely. Today’s cars are filled with small computers known as electronic control units, or ECUs, which need very sophisticated code to manage interconnected systems like brakes, engines, navigation, entertainment, and lighting. They also employ technologies common to mobile devices, such as Bluetooth headsets and cell phones, making them vulnerable to remote attacks widely known among black hats, or criminal hackers.
Security experts fear that terrorists, criminals, and spies will turn their attention to embedded computers, which can be attacked using techniques similar to those used against common computers. One particular issue of concern is how to prevent the transfer of PC viruses to a car's computers when laptops and other devices are plugged into the car's entertainment system.

-Source (The Droid Guy)

Security Experts Say China Is at Risk From Cyber Attacks

A report from the U.S. Department of Homeland Security has revealed that software systems used by China to run its weapons, utilities and chemical plant systems suffer from an inherent bug, leaving them vulnerable to hackers' cyber attacks. The report, which was first disclosed to Reuters, saw the department warn China about the vulnerabilities in its software. The software was designed by Beijing-based Sunway Force Control Technology Co. According to the department, hackers could exploit the bug to mount an attack that could cause lasting damage to critical parts of the country's infrastructure.

Dillon Beresford, a researcher for NSS Labs, the private security firm that discovered the bugs, commented to Reuters, "These are vulnerabilities that hackers could leverage to cause destruction". The department's advice comes in the wake of numerous cyber attacks against several big-name companies and government departments and agencies. Sunway's products, widely used in China, are also deployed to a lesser extent in other countries including the United States, DHS's Industrial Control Systems Cyber Emergency Response Team said in its advisory. Since that advisory, Sunway has reportedly developed software patches to plug the security holes. Experts have since pointed out that even with these fixes, it will take the software's users weeks, maybe months, to install the new security fixes. In this month alone there have been reports of successful attacks on Citibank, the International Monetary Fund, the U.S. Senate and the CIA. The news comes a month after public attention turned to China when the search giant Google reported a hacking attempt on its Gmail email service. China was widely suspected of involvement in the attack after Google traced the origin of the hackers to one of the country's provinces. There is as yet no firm date for when the security fixes will be fully functional.

DARPA Is Planning Future Cyber Security Strategies


The U.S. Defense Advanced Research Projects Agency (DARPA) Information Innovation Office (I2O) in Arlington, Va., is asking companies and colleges for ideas on technologies to safeguard U.S. Department of Defense (DOD) computer systems in the event of a cyber attack.
DARPA issued a request for information (DARPA-SN-11-55) this week entitled Future Directions in Cyber Security that poses three fundamental questions related to national information security:

1. At present, attackers in cyberspace seem to have the initiative and hence the advantage. What specific technologies should DARPA develop to address the imbalance?

2. Attacks on embedded computing systems have received much attention. What specific technologies should DARPA develop to secure embedded computing systems?

3. If DARPA could only invest in one cyber-security research area, what should that be and why?

DARPA is inviting the nation's cyber security experts to offer answers to these questions, and based on their answers, DARPA experts may invite them to a meeting on 7 Nov. 2011 called the DARPA Colloquium on Future Directions in Cyber Security, at which the DARPA director will give a keynote address, and leaders from government and industry, as well as DARPA program managers, will discuss current and future cyber research directions.

Attendance at the DARPA Colloquium is by invitation only and space is limited, officials say.

To respond to DARPA questions and become candidates for the DARPA Colloquium, e-mail answers as an attachment in a commonly used format to cybercolloquium@darpa.mil no later than Friday, 9 Sept. 2011. Representatives of DARPA and DARPA support contractors will review answers they receive.

-News Source (Military Aerospace)