Jump to content

Search the Community

Showing results for tags 'users'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Biography


Location


Interests


Occupation

  1. Summary: If you are looking for a web conferencing solution that is simple enough to use but complex enough to cope with commercial or educational web conferences (whether they are webinars, training sessions, live seminars, etc.) that is easy to use, accessible and affordable, have a look at a hidden, highly-underrated gem from Adobe: Adobe Connect (AC). Having dozens, perhaps hundreds of competitors, Adobe Connect (AC) stands out through its details that give the solution a flavour hard to resist. Context: Have been using Adobe Connect for a variety of purposes (teaching, learning, commercial, meetings) since 2012 when I carried out a little bit of research to see what solution would tick all (or most of) the boxes for my job at the time. Currently working and using it in an educational setting. Not employed nor paid/incentivized by Adobe. Description: AC is a web conferencing platform hosted by Adobe (with options for internal deployment for institutions) which allows users to participate in an online meeting without installing anything on local machines. It simply requires Flash Player (which most computers already have) or a free mobile app for tables and mobile phones. To join a meeting, a user can simply click on the invitation link, type their name and join. For those with poor internet connection, AC has an additional option of audio telephony (at extra cost) where the user can dial a landline number or a toll-free 0800 number and use that instead of the PC headset for listening and communicating. The platform is extremely flexible and caters for most needs and scenarios of usage. Whether one wishes to use AC for discussion, collaboration, separate classrooms, desktop sharing and remote control, presentation with Q&A, webinar, etc. they can do so by selecting from the menu what they want to use it for. All such meetings can be recorded and made available to specific users or public straight after the recording has finished. There is also a small editor for such recordings and hosts can edit out the recordings before releasing them. The main platform is very powerful customisation-wise: users can drag and move the interaction blocks (pods) and also new customised pods can be added freely (some are premium, paid). For example if one has a Flash application (game, countdown timer, etc.) they can add it to the platform. In the past I have used such Flash applications to embed YouTube video within it, add visitors lounge with countdown timer for next session and background music (while waiting), messages, voting apps, etc. Furthermore, participants can have a complete experience whilst using Adobe Connect. If there is a need for a teaching environment, a whiteboard facility is available and the presenter can make available for students files to download, PowerPoint with annotations, other notes, polls, live chat. If there is a formal meeting environment needed, participants can use a live interactive agenda, notes, webcams, etc. The whole experience from access to netiquette is taken care of. Finally, content can be uploaded and set-up in advance so that when the presenter (or guest speaker) joins, everything is ready to run. This saves the last-minute problems and delays and gives the opportunity for presenters to prepare in a timely fashion and test everything before the live event. In my current workplace, Adobe Connect is being used by Human Resources department for interviewing remote candidates unable to be here physically, it is being used to deliver online postgraduate courses and it also supports and facilitates blended learning programmes. We are using the on-cloud solution, hosted with Adobe. At the moment, as a negative point, it seems that their servers are quite overloaded and there hasn’t been much investment recently towards a) infrastructure and codecs and audio processing so that sound is as clear as some of the other competitors (Google, Skype, etc.) Also, on the same negative note, the maximum video resolution supported is 480p. It is understandable to have limits on video (for bandwidth and quality) for large groups of participants but on a small number of participants it would be good to have a higher resolution for video, given the current market trends. If one were to deploy the hosted version of Adobe Connect, they can adjust and with some hard work “hack” some parts of the product to improve call and video quality. However, the pricing for hosted solutions is quite prohibitive and its maintenance may become a burden in the long run. However, what makes Adobe Connect so attractive and better than its competitors? (The likes of Google, Skype, WebEx, Lync, Blackboard Collaborate, etc.) It’s pricing of about £27.50/month/license (based on annual subscription) or £600 for 5 licenses per year, excluding set-up fees, audio telephony (if applicable) and VAT. Users don’t need to install anything to join. Simply click on the URL and join Meetings can be recorded and made available Flexible layouts, small features and functionality that helps any host run smooth meetings Free mobile app versions which allows users to attend meetings on the go 24/7/365 support via phone, live chat or email in multiple languages Overall good value for money for an easy to use system that delivers. Verdict: A web conferencing platform that can be used in a variety of ways to facilitate communication, learning and collaborative work. It bridges certain gaps and their support is fantastic. They do need some investment in audio and video quality and perhaps more customer interaction with a clear and good marketing strategy in providing roadmap, truly listening to feedback and engaging users but overall, it is an excellent solution for a low-budget good-quality web conference set-up. 8.5/10
  2. Snapchat has deployed two factor authentication as part of its push to increase security across the popular selfie slinging app. The sexting swap shop allows users to set up SMS log-in verification that makes en-masse account hijacking more difficult, and better protects Snapchat's Snapcash money transfer system. The additional security measures are welcome, but devoted targeted attackers can still break into accounts by exploiting telecommunications providers' weak security identity checks to port phone numbers. Users of Snapchat version 9.9 will be able to activate the Login Verification feature on Android and iOS platforms. The extra security features are the latest efforts in a push to increase the platform's security chops which includes the launch of a HackerOne bug bounty, a regular transparency report, and the hiring of former Google social network security boss Jad Boutros as infosec head. Boutros has already said he aimsto build a "culture of security" at the company. The push follows Snapchat's legal trouble with the Federal Trade Commission stemming from incorrect claims photos and videos would "disappear forever" when it had remained on devices. The company also ran into trouble when some 4.6 million names and email addresses were breached in December 2013 after it dismissed that attack vector as theoretical. Source
  3. Apple iOS 9 users will be required to use six-digit passwords instead of four-digit codes when logging in to a device. The tech giant also announced it would be using two-factor authentication for users signing into Apple services from a new device or browser. The updates will apply to all Apple devices enabled with TouchID. With the new authentication process, users will receive a verification code sent to their device after submitting their password. They will then have to enter the code in the new device or browser in order to gain access to apps and services. Apple unveiled the new features on Monday at its 2015 World Wide Developers Conference in San Francisco. The company also introduced new features including: Apple Music, Apple Car Play, Wallet and a public transit option in Apple Maps, available later this year. Source
  4. Today anywhere you go, you will come across Free or Public WiFi hotspots -- it makes our travel easier when we stuck without a data connection. Isn’t it? But, I think you’ll agree with me when I say: This Free WiFi hotspot service could bring you in trouble, as it could be a bait set up by hackers or cyber criminals to get access to devices that connects to the free network. This is why mobile device manufacturers provide an option in their phone settings so that the device do not automatically connects to any unknown hotspot and asks the owner for approval every time it comes across a compatible WiFi. Hackers can grab your Credit Card Data. Here’s How? Recently, security researchers from mobile security company 'Wandera' have alerted Apple users about a potential security flaw in iOS mobile operating system that could be exploited by hackers to set up a rogue WiFi spot and then fool users into giving up their personal information, including credit card details. The loophole leverages the weakness in the default behaviour of iOS devices, including iPhones, iPads and iPods, with WiFi turned on, Ars reported. This could let attackers create their malicious wireless hotspots and inject a fake "captive portal" page mimicking the genuine Apple Pay interface asking users to enter their credit card details. A hacker nearby a customer connecting an Apple Pay transaction could launch an attack in an attempt to force the victim’s mobile to connect to evil hotspot and then display a popup portal page which is designed in such a way that users could be fooled into believing Apple Pay itself is requesting to re-enter their Credit Card details. According to the researchers, spoofers can loaf around a point-of-sale (POS) machine with an Apple Pay terminal and could continuously launch the attack in order to victimize more people. However, the attack may not trick a large number of people because the fake captive portal page imitating Apple Pay interface is displayed under a fairly prominent "Log In" title bar, the report says. The simple and easiest workaround to prevent such attacks is to turn your device's Wi-Fi simply OFF if you are not intentionally connecting to a known Wireless network. Security researchers have warned Apple about the loophole and meanwhile recommended that Apple and Google should "consider adopting a secure warning when displaying captive portal pages to users so that users exercise caution." Source
  5. Today everybody wants to know — Who visited my Facebook profile?, Who unfriended me from the Facebook Friend list?, Who saw my Facebook posts?, and many other features that isn't provided by Facebook by default. So most Facebook users try to find out a software and fall victim to one that promises to accomplish their desired task. Hackers make use of this weakness and often design malicious programs in order to victimize broad audience. Following I am going to disclose the realities behind one such software designed cleverly to trick Facebook users to make them believe it is genuine. UnfriendAlert, a free application that notifies you whenever someone removes you from the Facebook friend list, has been found collecting its users' Facebook credentials. UnfriendAlert Stealing your Facebook Credentials: Security researchers at Malwarebytes have warned users of the UnfriendAlert app saying that the notorious app asks users to login with their Facebook credentials to activate unfriends monitoring and alert service for your Facebook profile. Facebook has provided API OAuth login system for third party applications, where users don't need to provide their Facebook credentials to them. So you should never submit your Facebook password to any third party service or desktop software in any case. Once you enter your login credentials, UnfriendAlert will send it to the website "yougotunfriended.com" owned by attackers. Late last month, UnfriendAlert was also classified as potentially unwanted program (PUP) which often displays unwanted advertisements and deceptively installs other malicious software and free apps when visiting some web pages in your Chrome, Firefox, and Internet Explorer, making you fail to block them. Uninstall UnfriendAlert and Change your Password Now! So users are recommended to uninstall UnfriendAlert App from your computer, and besides removing this, you are also advised to change your Facebook password as soon as possible. You can do this under "Settings —> Password —> Edit." Always do some research before installing any third party application as your one single mistake could compromise your online security and privacy in various ways. Source
  6. GitHub has revoked an unknown number of cryptographic keys used to access accounts after a developer found they contained a catastrophic weakness that came to light some seven years ago. The keys, which allow authorized users to log into public repository accounts belonging to the likes of Spotify, Yandex, and UK government developers, were generated using a buggy pseudo random number generator originally contained in the Debian distribution of Linux. During a 20-month span from 2006 to 2008, the pool of numbers available was so small that it made cracking the secret keys trivial. Almost seven years after Debian maintainers patched the bug and implored users to revoke old keys and regenerate new ones, London-based developer Ben Cartwright-Cox said he discovered the weakness still resided in a statistically significant number of keys used to gain secure shell (SSH) access to GitHub accounts. "If you have just/as of late gotten an email about your keys being revoked, this is because of me, and if you have, you should really go through and make sure that no one has done anything terrible to you, since you have opened yourself to people doing very mean things to you for what is most likely a very long time," Cartwright-Cox wrote in a blog post published Monday. "It would be safe to assume that due to the low barrier of entry for this, that the users that have bad keys in their accounts should be assumed to be compromised and anything that allowed that key entry may have been hit by an attacker." Cartwright-Cox told Ars that he found about 94 keys on GitHub that contained the Debian-derived weakness. He said that after he reported his finding to GitHub officials in March he learned the actual number of site users was much higher. GitHub revoked the keys early last month, he said. GitHub officials didn't respond to a request to comment. Separately, the UK developer said he found nine GitHub SSH keys that contained woefully insufficient numbers of bits. Two of them had only 256 bits, making it possible for him to factor them and clone the private key in less than an hour. The remaining seven had only have 512 bits. During the time the Debian bug was active, the pool of bits available when generating OpenSSH keys was so limited that there were only 32,767 possible outcomes for a given architecture, key size, and key type. Cartwright-Cox said attackers could have used the same methods he employed to find weak keys and then used several techniques to gain unauthorized access to the accounts the keys protected. The task would have been aided by obtaining the list of insecure Debian SSH keys off one or more public sites, such as this one. In an e-mail, he elaborated: If I wanted to be more noisy I could have just done what I said [in the blog post] and looped though the keys, that may or may not have set off alarms at Github itself (I'd give it a 25% chance that it would). So the breakdown of how this could have been done is the following: Grab the bad key list. It contains the public and private parts of all the SSH keys that would have been made if the user had a version of OpenSSH that had Debian RNG bug, then get each private key on the list, and try to log into GitHub's ssh with them. Depending on what key you succeed with it will tell you what user name it matches up with, in the example I provided since my key is loaded it tells me "Hi benjojo! You've successfully authenticated, but GitHub does not provide shell access." but if I was to try with a weak key that matched up with another user it would say "Hi {user}! You've successfully authenticated, but GitHub does not provide shell access." and then I know what user I can compromise with that. Technically, attackers don't even need the private key to see if a site accepts authentication from a user, HD Moore, chief research officer at Rapid7 and co-founder of the Metasploit hacking framework, told Ars. Just the public key and this Metasploit module will do. "This trick can also be used to see what internet-facing servers allow logins from what public keys, even if the private key is not available, which is a neat reconnaissance/opsec technique," Moore said. The randomness bug was introduced in late 2006, when Debian maintainers removed two lines of code in the OpenSSL code base in an attempt to fix warnings received by some users. In the process, the maintainers wiped out almost all of the entropy that OpenSSL relied on for its randomness engine. The epic mistake, which eventually migrated to the Ubuntu distribution of Linux as well, wasn't diagnosed for 20 months, and by that time an untold number of cryptographic keys had been generated. The bug was unusual in that installing a patch was only the beginning of the healing process. To fully recover, users had to revoke any keys made during that 20-month period and generate new ones using the updated OS. The discovery that GitHub users continued to rely on these hopelessly weak keys eight years after they came to light is testament to just how monumental the Debian debacle was and how hard it is for users to mop up after the mess it created. Source
  7. Virtual private network Hola has downplayed concerns that its 47 million users could become part of a botnet. A botnet is a network of hijacked computers that can be used for criminal activity without the knowledge of their owners. Hola says it has always been open about sending other data via users' devices when they are not in use. However, in a blog post chief executive Ofer Vilenski acknowledged the firm had "made some mistakes". The Israeli company offers a free service but on the condition it can use customers' bandwidth "securely". Mr Vilenski said he had wrongly assumed that describing the network as "peer-to-peer" had made that clear. It also operates a commercial network called Luminati, which can be used to "route data through any of our millions of IPs [computer addresses] that are located in every city around the world", according to its website. The website goes on to say the Luminati network consists of "personal PCs, laptops and mobile devices of participating users". They are the private devices of Hola users, it has been claimed. "The concern with Hola is that it appears to operate like a botnet, and one that is potentially insecure at that," said cybersecurity expert Prof Alan Woodward, from Surrey University. "There is mounting anecdotal evidence that the network is being used as a real botnet. "I haven't seen that in practice but the way in which the service can use your machine appears to have the potential to do something like that." People often use virtual private networks to access internet content that is unavailable in their home country - such as video streaming services Netflix and the BBC iPlayer - but most VPNs are not free. Ofer Vilenski said in his blog post that Hola generated revenue by offering the VPN for "legitimate commercial purposes" only. "We have a record of the real identification and traffic of the Luminati users, such that if a crime is committed, we can report this to the authorities, and thus the criminal is immediately identified," he wrote. Last week, the founder of message board 8Chan said the site had suffered a distributed denial of service (DDOS) attack - when a website is overwhelmed by false requests from computers - that could be traced back to the Luminati network. Mr Vilenski accepted that a spammer had "passed through our filters" to use the service but added that the account had been terminated and "necessary measures" put in place. He said that the firm would shortly begin a "bug bounty programme" offering rewards for people who identified security weaknesses in Hola and Luminati products. Prior to the blog post hundreds of people had already posted on community site Reddit, calling for users to uninstall the network over fears that their devices could unintentionally be used for criminal activity, and Android users have been leaving warning messages in the review section of the app on Google's Play Store. In the FAQ section on its website, updated on 29 May, Hola explains how its "peer-to-peer" model works. "When your device is not in use, other packets of information from other people may be routed through your device," it says. "Hola does this securely, not allowing any access to any of your information. Your device is used only as a router." It also says that users of its premium service, for a monthly fee of $4.99 (£2.28), are not part of the network. Source
  8. Document Title: =============== Facebook #26 - Filter Bypass & Exception Handling Redirect Web Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1483 http://www.vulnerability-lab.com/get_content.php?id=1484 Video View: https://www.youtube.com/watch?v=I65zFWF-pMg Release Date: ============= 2015-05-09 Vulnerability Laboratory ID (VL-ID): ==================================== 1483 Common Vulnerability Scoring System: ==================================== 5.1 Product & Service Introduction: =============================== Facebook is an online social networking service, whose name stems from the colloquial name for the book given to students at the start of the academic year by some university administrations in the United States to help students get to know each other. It was founded in February 2004 by Mark Zuckerberg with his college roommates and fellow Harvard University students Eduardo Saverin, Andrew McCollum, Dustin Moskovitz and Chris Hughes. The website`s membership was initially limited by the founders to Harvard students, but was expanded to other colleges in the Boston area, the Ivy League, and Stanford University. It gradually added support for students at various other universities before opening to high school students, and eventually to anyone aged 13 and over. Facebook now allows any users who declare themselves to be at least 13 years old to become registered users of the site. Users must register before using the site, after which they may create a personal profile, add other users as friends, and exchange messages, including automatic notifications when they update their profile. Additionally, users may join common-interest user groups, organized by workplace, school or college, or other characteristics, and categorize their friends into lists such as `People From Work` or `Close Friends`. As of September 2012, Facebook has over one billion active users, of which 8.7% are fake. According to a May 2011 Consumer Reports survey, there are 7.5 million children under 13 with accounts and 5 million under 10, violating the site`s terms of service. In May 2005, Accel partners invested $12.7 million in Facebook, and Jim Breyer added $1 million of his own money to the pot. A January 2009 Compete.com study ranked Facebook as the most used social networking service by worldwide monthly active users. Entertainment Weekly included the site on its end-of-the-decade `best-of` list, saying, `How on earth did we stalk our exes, remember our co-workers` birthdays, bug our friends, and play a rousing game of Scrabulous before Facebook?` Facebook eventually filed for an initial public offering on February 1, 2012, and was headquartered in Menlo Park, California. Facebook Inc. began selling stock to the public and trading on the NASDAQ on May 18, 2012. Based on its 2012 income of USD 5.1 Billion, Facebook joined the Fortune 500 list for the first time, being placed at position of 462 on the list published in 2013. (Copy of the Homepage: http://en.wikipedia.org/wiki/Facebook ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Core Research Team discovered a filter bypass and open redirect web vulnerability in the official Facebook online-service framework. Vulnerability Disclosure Timeline: ================================== 2015-05-01: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH) 2015-05-09: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Facebook Product: Framework - Content Management System 2015 Q2 Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ A filter validation issue is existant in the exception-handling that normally redirects to the original facebook source. Ever if an error comes up the website will show the context in the secure exception and redirects on okey click to the original valid source. In case of terminating the string (%00%00_%3F) with extended <_ it is possible to bypass the exception-handling filter exception to redirect invalid source to an external target. The video demonstrates how to bypass the filter validation by confusing the context copying with the non encoded url that invalid. By generating a payload that is ahead in the display value and atleast in the url ref the target exception redirect can be manipulated. Proof of Concept (PoC): ======================= https://www.facebook.com/dialog/send?app_id=102628213125203&display=F%00%2F%00%00%3C%uFFFD/%uFFFD%uFFFD%3C_popup&link=http%3A%2F%2Fwww.ebay.com%2Fcln%2F%00%2F%00%00%3C_&{alert%28%27XSS%27%29}%3B%3E%3%00%3C_&{alert%28%27XSS%27%29}%3B%3E%3Froken%3DcUgayN&description=%00%40eBayF%00%2F%00%00%3C%uFFFD/%uFFFD%uFFFD%3C_&redirect_uri=http%3A%2F%2F%EF%BF%BD/%EF%BF%BD%EF%BF%BD%3C%uFFFD/%uFFFD%uFFFD%3C_popup%2Fsoc%2Fshareclose&__mref=F%00%2F%00%00%3C%uFFFD/%uFFFD%uFFFD%3C_message_bubble https://www.facebook.com/dialog/send?app_id=102628213125203&display=F%00%2F%00%00%3C%uFFFD/%uFFFD%uFFFD%3C_popup&link=http%3A%2F%2Fwww.ebay.com%2Fcln%2F%00%2F%00%00%3C_&{alert%28%27XSS%27%29}%3B%3E%3%00%3C_&{alert%28%27XSS%27%29}%3B%3E%3Froken%3DcUgayN&description=%00%40eBayF%00%2F%00%00%3C%uFFFD/%uFFFD%uFFFD%3C_&redirect_uri=http%3A%2F%2F%EF%BF%BD/%EF%BF%BD%EF%BF%BD%3C%uFFFD/%uFFFD%uFFFD%3C_popup%2Fsoc%2Fshareclose&__mref=F%00%2F%00%00%3C%uFFFD/%uFFFD%uFFFD%3C_message_bubble Payload: 3A%2F%2F%EF%BF%BD/%EF%BF%BD%EF%BF%BD%3C%uFFFD/%uFFFD%uFFFD%3C_ F%00%2F%00%00%3C%uFFFD/%uFFFD%uFFFD%3C_message_bubble F%00%2F%00%00%3C%uFFFD/%uFFFD%uFFFD%3C_message_bubble<_ PoC Video(s): The video demonstrates how to evade the filter validation of the message context that is delivered by a url link. The researcher demonstrates how to bypass the basic encoding by preparing a valid exception with unauthorized redirect. Security Risk: ============== The security risk of the filter bypass and exception redirect web vulnerability is estimated as medium. (CVSS 5.1) The same payload to evade the filter validation can be used to other sections and exceptions that redirect the ref with the same conditions. Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt Source
  9. Security researchers are warning PC users in Australia to beware of new Breaking Bad-themed ransomware demanding up to $1000 AUD ($796 USD) to decrypt essential computer files. The attacks typically arrive in the form of a malicious zip archive which takes the name of a famous delivery firm as its file name, according to Symantec. The AV giant continued in a blog post: “This zip archive contains a malicious file called ‘PENALTY.VBS’ (VBS.Downloader.Trojan) which when executed, downloads the crypto ransomware onto the victim’s computer. The threat also downloads and opens a legitimate .pdf file to trick users into thinking that the initial zip archive was not a malicious file. Based on our initial analysis, the threat appears to be using components or similar techniques to an open-source penetration-testing project, which uses Microsoft PowerShell modules. This allows the attackers to run their own PowerShell script on the compromised computer to operate the crypto ransomware.” The ransom demand message that flashes up to victims uses the Los Pollos Hermanos brand, as seen in Breaking Bad – demanding they pay $450 within a specified time or else the charge will rise to $1000. The email provided for “support-related enquiries” also references lead character Walter White’s description of himself in season four as “the one who knocks.” The victim’s images, videos, documents and other important files are encrypted using a random AES key which is in turn encrypted with an RSA public key. This requires them to obtain the corresponding private key from the attackers to effectively get their files back. Also included is a handy video tutorial on how to buy bitcoins – in order to help victims pay the ransom. Symantec said its customers were protected from Trojan.Cryptolocker.S and referred worried netizens to its dedicated blog on ransomware. Cyber-criminals are increasingly turning to ransomware as an easy way to make a fast buck – sometimes with tragic results. In January it was reported that a 17-year-old student from Windsor committed suicide after receiving messages that he’d visited illegal sites and that indecent images had been found on his computer. Source
  10. Google has been obliged to revise its Password Alert anti-phishing protection just hours after releasing it when security researchers showed how the technology was easily circumvented. Security consultant Paul Moore (@Paul_Reviews) has published a proof-of-concept JavaScript exploit that skirted the defensive technology with just seven lines of code. The Password Alert for Chrome browser plug-in is meant to trigger alerts for users in cases when they are induced to hand over their password to counterfeit sites impersonating Google (other online services aren't covered). The extension only kicks into action after users have signed into their Google account; thereafter it puts up warnings to reset Gmail passwords in cases where users are taken in by a phish. The problem is these alerts can be shut down with minimum effort and a few lines of JavaScript planted on counterfeit sites. More specifically, Moore's script looks for a warning banner every five milliseconds before removing anything it detects. Other approaches aimed at preventing humans actually seeing a warning – effectively killing off alerts kill as soon as they are generated – might also have been possible. Moore posted a short video on YouTube to highlight his concerns. Bypassing Google's Password Alert "Protection" Chris Boyd, a malware intelligence analyst at security software firm Malwarebytes, backed up worries about how easily Password Alert might be bypassed in a blog post that explains the issue in greater depth here. To its credit, Google responded promptly to the issue, updating its technology hours after El Reg flagged up the problem and requested a comment. "[The] issue is now fixed and the current version of Password Alert includes the patch," a spokesman told El Reg by email on Friday morning. Google's anti-phishing tech was only released on Wednesday so early teething troubles are arguably to be expected. Relying on Password Alert is, in any case, maybe not enough and users should consider turning on two-step authentication and/or using a full fat password manager such as LastPass to protect them from phishing attacks. Google researchers and a team from University of California, San Diego recently warned (PDF) that the most effective phishing attacks can succeed 45 per cent of the time. Source
  11. Keeping personal information secure and protected remains a top priority for computer users who now rely heavily on information systems to manage a large part of their personal and business lives. One of the ways to make sure only authorized users have access to information is the use of encryption, a process that transforms data from “cleartext to ciphertext” and back as a means to keep it secret from others. This is done through a combination of hardware- and software-based encryption. The scope is always the prevention of unintended data leakage. The wide variety of types of encryption available (e.g., symmetric- and asymmetric encryption, hardware-based or software-based) can make a person uncertain on which one is best to suit their needs. Each of the cryptographic systems addresses specific aspects of keeping systems secure, so it is important to identify which one is the most appropriate for the situation. This article surveys how to gain cryptographic data protection with a variety of methods and mechanisms for the sake of digital privacy as well as solutions for data-at rest and data-in-motion. It also discusses new encryption techniques. The Need of Encryption for Data Protection Encryption is a necessity for organizations and users that handle sensitive data. Data ought to be secured for the entire duration of their lifecycle (at-rest, in-transit and in-use). Whether they are at rest in storage and databases on site or backed up in a cloud, whether they are sent to end users within organizations or remotely accessed through mobile devices, all data need proper protection and ad-hoc solutions. The growing use of mobile devices to access sensitive data and corporate applications along with the use of cloud solutions for software, storage, hardware and services has opened a new world of security problems. Data loss prevention, security practices and strategies employed (firewalls, IDS, coupled with authentication and access controls) in addition to encryption tools are more important than ever as information are no longer being stored and processed in the safety of companies’ on-site servers and behind firewalls, but are actually being manipulated and transferred through a variety of communication channels. Data protection is nothing new, but it remains a significant challenge for organizations and businesses needing to find better ways to protect user data from unauthorized use. Be it corporate-, personal-, customer- or transaction-data, the risk of theft or loss throughout the lifecycle is massive. With data theft caused by employees and external parties on the rise, businesses risk their reputation, lack of regulatory compliance, and, ultimately, loss of clients. Lack of Encryption Why encrypting? Since a complex password by itself is no longer good enough as a means to protect corporate or personal data, by encrypting the data exchanged between the client and server, any sensitive information can be sent over a network, such as the Internet, with less risk of being intercepted during transit. Plaintext can be easily intercepted by prying eyes and eavesdroppers when transiting in data streams; information can be stolen or altered. Encryption is an effective way of making sure data remain secure. Data, however, is not just vulnerable when in transit. Some of the worst data security breaches noted in the 21st century and pertaining to lack of encryption go far back as 2005 when CardSystems Solutions’ system was hacked and was victim of an SQL Trojan attack; hackers gained access to names and accounts numbers of more than 40 million card holders. Security reports noted that the company never encrypted the data, thus exposing personal info on all its clients. Another noteworthy incident occurred in 2006 with a group of hackers taking advantage of a weak data encryption system at TJX Companies Inc. Poor security on the company’s wireless networks had resulted in massive data theft, and 94 million credit cards were exposed. Another instance that shows the human element being the weakest link in the security chain is the case of the U.S. Department of Veterans Affairs’ unencrypted national database theft. Names, social security numbers and other sensible information were found on a laptop and external hard drive that were both stolen. This episode, also in 2006, affected some 26.5 million veterans, whose personal data was taken in a burglary from a VA analyst’s Maryland home. A more recent event involved Sony’s PlayStation Network that had 12 million unencrypted credit card numbers hacked. In 2012, a NASA laptop was stolen; it contained records of sensitive personal identifiable information of employees and contractors. Lately, news has reported of an unencrypted, password-protected laptop that was stolen at the Community Technology Alliance containing social security numbers and names of 1,177 people. Another device containing data for 2,800 patients was stolen from Northwestern Memorial Health Care. Encryption Solutions As the need for encryption is clear to attempt ensuring the integrity and confidentiality of data, the first decision security professionals need to make is between software-based or hardware-based encryption. Both have pros and cons to be considered and can definitely be applied in a combination of ways to ensure maximum protection according to the users’ needs. Software-based encryption can be extended to all data, devices, and users in an organization. It works well to secure e-mails, instant messaging, data in transit and web sites. These solutions are normally cheaper and easy to customize and update. Common drawbacks are performance degradation and vulnerabilities linked to those of the operating systems in which they operate. Risks are linked also to the ease of being turned off by users. Hardware-based solutions are specific to the device they protect. Full drive encryption (FDE) or solutions like self-encrypted drives (SEDs) are an effective approach that simplifies the deployment of security for data at rest and makes it easier for organizations to manage security of data when stored. The advantage of hardware-based solutions is that they bypass many of the typical drawbacks of software-based solutions like performance degradation or vulnerability to attacks aimed at the encryption key stored in memory. Being encryption available at drive-level, this hardware solution also is perfectly independent by any software or operating system used, and usually cannot be turned off by users. Drawbacks are obvious. Hardware solutions are specific to the devices they protect, and updates can normally be performed only by substituting the device. The Encryption Process & Protecting Data Today One of the basic concepts of encryption is the need for keys to encrypt and decrypt the message. The process of encryption is done with two individual keys – a private key and a public key; this is referred to as asymmetric encryption, while symmetric encryption requires using one key for both steps. Encryption simply acts as a form of digital lock that prevents unauthorized users from accessing data. In addition, by adding a signature with a private key, a person can prove his or her own identity and make tampering with the message more difficult. Just like sensitive messages, the key must also be adequately protected, secured and kept hidden from unauthorized users. A number of encryption methods can be employed to secure data especially when in transit, since that is when they are more vulnerable. The content can be intercepted through some effort of wiretapping or eavesdropping by an intruder. In link-to-link encryption, for example, the message is decrypted at each host as it travels so it is vulnerable if any of the hosts is not secure. This method works well within an organization, for internal use, where all communication nodes security is well known, but might not be the safest method when the message is out in the open. Lately, much attention has been given to end-to-end encryption. This system allows safety of data by ensuring that only the people that are communicating are able to read the message. No one except the sender and the receiver is able to decrypt the message (not even the Internet provider) which is passed from host to host still encrypted. A renowned German e-mail provider, for example, has implemented the use of this methodology for all its users in an attempt to secure their communication from eavesdropping and intrusion. As securing information in a datacenter that requires protection for a multi-vendor infrastructure or the cloud is becoming a widespread need, new solutions and techniques had to be developed to render the transmission of data more secure. In most cases, solutions are needed to be deployed simultaneously on network shares, file services, application and web servers as well as database servers. Techniques like tokenization have been deployed to make sure that data exchanged from different servers and sent to onsite, cloud and mobile end users are still safely handled. In the case of tokenization, for example, data are safely stored and replaced by tokens that are used within an organization to process the information, trigger action and perform tasks. The data never leave their safe storage place and cannot be compromised even if the token is intercepted. This method is extremely helpful when dealing with credit card numbers and financial info in general. Honey encryption, instead, is a technique that can provide additional security when passwords are used as keys. This is particularly effective against conventional brute-force attacks. The concept is simple; in normal circumstances, when intruders intercept a message and attempt to guess the key that encrypts it, all they can get is a manifestly non-usable response. The result is that the malicious hacker continues to attempt until successful. Honey encryption, devised by Juels and Ristenpart, produces a ciphertext that when decrypted with a number of wrong keys gives a “honey message”, a fake plaintext that satisfies the attacker but does not relinquish any real data. Although effective, honey encryption, obviously, is not helpful when the attacker already has a few of the puzzle pieces (for example the public key associated with the private key) and therefore is useless in the protection of HTTPS certificate keys. The method is, however, effective when protecting, for example, password vaults, collections of passwords protected by one master key. An interesting technique for the handling of sensitive data in a cloud environment has been designed by Craig Gentry, a researcher from IBM: Homomorphic encryption. This form of encryption allows users to store data in a cloud encrypted while still being able to analyze and mine data. In fact, computations can be performed on the encrypted data in the cloud server, and only the results are decrypted by the end user. This can be used for any data, including, for example, entire collections of e-mails and messages that could be securely worked on without exposing the messages contained within. Although homomorphic encryption has been explored for 30 years, it is thanks to the work of Gentry (since 2008) that finally the system is being perfected and getting close to having practical applications. Although still too slow and requiring a larger-than-practical number of computations, this type of encryption could soon be applied. DNA Cryptography is another method being explored; it can be defined as hiding data as a DNA Sequence. This technique is based on DNA computing designed by the work of Leonard Max Adleman (the A in RSA) beginning in the year 1994. This modus operandi is still in the initial phases of development, but results are promising. One more is for Quantum Cryptographic tasks and, in particular, QKD (Quantum Key Distribution). Secure communication is ensured by a random key shared by sender and receiver. The advantage of this method is that, as for all quantum systems, a third party that enters it creates a disturbance that can be noted by the sender and receiver. An eavesdropper would cause the communication to be aborted, as the key would not be shared. Conclusion According to data collected by BreachLevelIndex, more than 2 million records per day were breached in the year 2014. It is clear that more and more attention needs to be given to the security of data both at rest and in transit. Coupled with users’ access control, encryption is an effective means of securing sensitive information. Multiple techniques of cryptography are important to ensure data integrity in the three components of the CIA (Confidentiality, Integrity, Availability). Encryption is not just for companies and organizations. Individual users also should consider protecting their own data. With mobile devices now allowing users’ access to all their sensitive information (personal, financial, even medical) and with the growing use of cloud solutions, it is paramount that encryption is adopted and new techniques developed. Currently, many encryption products are available on the market, some are free, and can suit everyone’s needs. With today’s encryption technologies constantly being developed to deliver enhanced security across a range of channels for private communication and storage, there is no reason why this protective measure should not be applied to safeguard data from hackers who continue to develop sophisticated techniques in the attempt to steal information. Whatever the data are and wherever they reside, they ought to be safeguarded: password protected and encrypted. Business data needs to be safe and placed in a secure environment. Failure to apply authentication and end-to-end encryption for limited access to data could lead to possible exposure by intruders. Whatever protection may be necessary depends on the assets that are being protected. Often, businesses requirements and regulatory considerations will dictate what approach is best. Users need to analyze their needs and apply the right products to prevent unauthorized access to information and opt to utilize software and hardware technologies to facilitate the encryption of computer, mobile devices and media. References Allen, L. (2012, August 3). Securing Data on a Moving Target: Self-Encrypting Drives Deliver Top Security, Performance and Manageability. Retrieved from Securing Data on a Moving Target: Self-Encrypting Drives Deliver Top Security, Performance and Manageability | StorageReview.com - Storage Reviews Juels, A. (2014, January 29). Honey Encryption: Security Beyond the Brute-force Bound. Retrieved from http://pages.cs.wisc.edu/~rist/papers/HoneyEncryptionpre.pdf Naone, E. (2011, May/June). Homomorphic Encryption – Making cloud computing more secure. Retrieved from Homomorphic Encryption - MIT Technology Review Olzak, T. (2010, May 7). Choose Encryption Wisely. Retrieved from What is Encryption and When Should You Use it to Protect Data and Computers Paganini, P. (2015, February 20). The Future of Data Security: DNA Cryptography and Cryptosystems. Retrieved from The Future of Data Security: DNA CryptographySecurity Affairs Schneier, B. (2010, June 30). Data at Rest vs. Data in Motion. Retrieved from https://www.schneier.com/blog/archives/2010/06/data_at_rest_vs.html Simonite, T. (2014, January 29). “Honey Encryption” Will Bamboozle Attackers with Fake Secrets. Retrieved from http://www.technologyreview.com/news/523746/honey-encryption-will-bamboozle-attackers-with-fake-secrets/ Source
  12. With the increasing use of smartphones, QR codes are becoming popular. Recently, WhatsApp launched its web version, which needs QR code scanning to access the web version of WhatsApp. So, many people now know what QR code is, but still more are unaware. It is very similar to a bar code we see in products, but it does not need a different reader. Our smartphone camera can easily read it with the help of a QR code scanner app. Due to fast readability, it is now widely accepted. And the use of QR codes is increasing. With the scan of a QR code, we can perform various tasks which would otherwise need a lot more effort. For example, scan a QR code and save the business card details in your smartphone. This is why people like to use QR code scanning for general tasks. But most users are not aware that QR codes can also be malicious. This is why scammers are now using malicious QR codes for tricking users. In this article, I will discuss QR codes in details. I will also try to cover all the potential security issues related to QR codes. QR Codes QR code (or Quick Response code) is a matrix bar code which can be read by an imaging device (camera) and then processed to read its data. It was initially developed for the automotive industry in Japan, but now it is being used by many companies. You will be surprised to know that the QR code was invented back in 1994 by Denso Wave. Nowadays QR codes are being used to display text to users, to save a vCard contact information to the user’s smartphone, to open a website URL, to code payments, for website login (ex: WhatsApp web login) or to compose an e-mail or text message just by scanning a QR code. QR codes are really useful and help us to complete tasks faster in smartphones. You can quickly open a website just by scanning a QR code and you do not need to manually type the URL in your smartphone. This is why many websites’ poster ads now contain QR code. Another popular use is on a business card. Now people also include QR code in their business cards. So, other persons can simply scan the QR code to save the contact details in their smartphone. See the sample QR code below. This is for opening a website. QR code for: IT Security Training & Resources by InfoSec Institute Scanning the above QR code will open IT Security Training & Resources by InfoSec Institute. How to Generate QR Codes There are various tools available for this. If you want to generate a QR code with specific information, you can use these tools, which let you create QR code for URL, text, vCard, SMS, call, geo-location, event, email and login. Different tools have different abilities. A few good QR code generator tools are: https://www.the-qrcode-generator.com/ QR Code Generator – create QR codes for free (Logo, T-Shirt, vCard, EPS) QR Code Generator - Create QR codes here http://www.qrstuff.com/ https://scan.me/qr-code-generator You can use any of the above tools to generate your own QR code. Lifespan of QR codes This is a question about QR code people generally ask. QR code does not need any platform for redirection, but it has data within it. Once a QR code is generated, it can be used anytime, anywhere. The lifespan of the QR codes is unlimited, so you do not need to worry about lifespan. Generate and then use. Can QR codes be hacked? A QR code is the square matrix with small black square dots arrangement. Hacking a QR code means manipulation of the action without modifying the QR code. This is not possible. QR codes can be malicious and can trigger malicious action. But that QR code will not be the same as the legitimate QR code. Two QR codes with different actions will never be the same. You will certainly see different patterns in both QR codes. So, QR codes cannot be hacked. But It can be malicious and hackers can use a QR code for various malicious purposes. And there are various reports in which we have seen the malicious acts. Security Risks Involved with Use of QR Codes As I already discussed, QR codes can be malicious. So, there are various security risks involved with QR codes. In this section, I will discuss all the security risks involved with QR codes. Phishing Phishing is a popular way of hacking web accounts. Attackers send a fake web login page which pretends to be the original login page of the website it’s claiming to be. When an innocent user use this fake page to login, his/her login information is sent to the attacker. And now, his/her password is in the hands of the attacker. Phishing is the main security issue involved with QR codes. It is also described as QRishing by some security researchers. QR codes are generally scanned by a smartphone camera to visit a website. Now, many website ads put QR code along with a URL so users can quickly scan QR code to visit the website. This is where scammers try to trick users. As I already told you, QR codes cannot be hacked. So, hackers or scammers try to change the QR code added in the poster. They can also print the similar kind of fake posters and put in public places. Innocent customers will scan these fake QR codes to visit the websites but they will be redirected to phishing websites. Most people judge a website by its look and feel, and phishing pages look exactly similar to legitimate websites. In mobile devices, it is hard to check the full address in the browsers. Due to limited space, browsers do not show the full address in the URL field. And most people never try to check the full address. This makes users more vulnerable. When they use this phishing page to login, their passwords are compromised. Although this phishing trick has limited scope, it is most effective. There are various case studies which clearly confirm that people generally trust QR codes and become the victim of QRishing at public places. Malicious software distribution Scammers generally use malicious websites to distribute malware via drive by download attack. Nowadays, most of the drive by download attacks are being done against Android users. Drive by download attacks are attacks in which a website forcefully downloads software in your device when you visit the website. It does not need any action from the user’s side. Visiting the website is enough to trigger the download action. Scammers try to install malicious apps and then exploit that device. These infected devices can join an existing botnet or can send SMS to premium numbers. It can also leak your data. By using QR codes to point to this kind of malicious websites, we can easily trick users. Users cannot see the URL, so there is no point of doubt. In QR codes, there is no need to enter the URL manually, users only scan QR code. And they only know what you will write about the QR code. In Russia, a malicious QR code on scanning sent SMS to premium numbers costing $5 USD per SMS. Most of these kinds of attacks have been seen against Android devices. Pointing to potentially harmful websites This is similar to what we learned in the previous point, but it is not about serving malware. Sometimes websites have browser exploits which can do lot more harm. Browser exploits can enable microphone/camera access, access browser data, send emails or join a botnet to perform a DDOS attack on any legit website. All these actions occur in the background, so users never know about this. They will only see a website, but they are being tricked. How to Protect Yourself from Malicious QR Codes Malicious QR codes have limited scope, but may be harmful. So, you need to be protective and always take care of your security while using QR codes. If you are going to use it from banners at public places, you need to be selective. There are few things which you can do to protect yourself from malicious QR codes and its attacks. Observe before use: If you find a QR code in any banner advertisement in a public place, look at it closely. Most of the times, scammers stick their fake QR code above the legitimate QR code in a legitimate poster. So try to see if it is real or not. You can check by touching the poster. If it does not look like it’s actually printed on the poster, do not use it. Follow this guideline for QR codes in public places. Your observation can save you from attacks. If you are not sure, never scan that QR code. Be suspicious and never giver personal or login info: Always be suspicious of the page you land on via QR code. Never share your personal information on these pages. Only do this if the QR code is from a very trusted source and you trust the website. And yes, avoid entering your login information. It may be a phishing page. So for login, always enter the URL manually on the browser’s address bar. Entering login information on the pages you land on via QR code means putting yourself in big trouble. So, why take the risk just to avoid a little extra effort? Open a browser, type the address and login directly on the website. Look at URL before proceeding: A few QR code scanners also show the actual URL before proceeding and ask to confirm whether you want to visit the URL. You can use these QR code scanners to know what URL the QR code will send you. This will help you to know if the QR code is malicious or not. Looking at the QR code does not confirm whether it is malicious or not. So, I recommend use of safe QR code scanners. Norton Snap is a nice QR code scanner app with built-in security features. This app is available for both Android and iOS platforms. You can use this QR code scanner app to prevent any malicious activity in your smartphone. It not only shows the URLs but also checks the URLs within its database of malicious links. If it finds any malicious URLs within the QR code, it will warn you. Conclusion Although QR codes are not new, their use is still very limited. With the increasing use of smartphones, we have seen sudden a rise in the use of QR codes. Now various websites and apps let users use a QR code to login or complete other tasks. But there are still very few users who use QR codes. This is the reason why there is little reporting on malicious QR codes. Nobody wants to waste time on things which have low impact. But this will change very soon. With the launch of WhatsApp for web, now many users know how to use QR codes. So, we can expect another sudden rise in the use of QR codes. And when it is used by a greater number of users, attackers will surely find new ways to exploit its weaknesses. As of now, QR code risks have limited scope, but when there are more users, there will surely become a bigger risk. In the near future, we will also see the use of QR codes for payments and money transfer. At that time, it will be very important to follow security rules. As of now, we only need to use a good and secure QR code scanner app and then relax. Having a good anti-virus and Internet security app is also recommended. This will warn if a website is a phishing website or trying to install a dangerous app in your smartphone. I hope you have found this article interesting. If you use QR code, do not forget to be safe. References http://usa.kaspersky.com/about-us/press-center/press-blog/malicious-qr-codes-attack-methods-techniques-infographic https://www.andrew.cmu.edu/user/nicolasc/publications/Vidas-USEC13.pdf http://en.wikipedia.org/wiki/QR_code Source
  13. Google is preparing to release new research on the prevalence of ad injectors, the often-unwanted browser extensions that inject ads onto Web pages, and the numbers will show just how widespread and problematic the software is. Ad injectors belong to that great, amorphous pile of applications that aren’t necessarily classed as malware but exhibit behavior that is unwanted by users. They’re designed to push ads onto the pages that users visit and they typically come in the form of browser extensions. Users sometimes install them purposely, but often ad injectors come bundled with other applications and can be difficult to remove. Google has been adjusting the way that it handles deceptive and unwanted software and its Chrome browser will display a warning when a user is going to download an ad injector from the Chrome Web store. The company doesn’t ban all ad injectors across the board, but will remove deceptive apps from the Web store. Google said that it has received more than 100,000 complaints from Chrome users about ad injectors in just the past three months. In a few weeks, Google plans to release some joint research on ad injectors it did with the University of California at Berkeley. Some of the findings that came out of the research make it clear that ad injectors represent a fairly large-scale problem for users: Ad injectors were detected on all operating systems (Mac and Windows), and web browsers (Chrome, Firefox, IE) that were included in our test. More than 5% of people visiting Google sites have at least one ad injector installed. Within that group, half have at least two injectors installed and nearly one-third have at least four installed. Thirty-four percent of Chrome extensions injecting ads were classified as outright malware. Google’s Nav Jagpal said in a blog post that the research found nearly 200 deceptive extensions in the Chrome Web store, which have been disabled. Jagpal said Google plans to release the full results of the research on May 1. Source
  14. Facebook is in violation of EU data laws owing to its overly complex privacy policies and persistent tracking of users, even if they have opted out of such systems. This was the key claim in a report by researchers at the University of Leuven and the Free University of Brussels on behalf of the Belgian Privacy Commission. “Our analysis indicates [that] Facebook is acting in violation of European law,” the report said. Specifically, the researchers are concerned that almost all data tracking and monitoring done by Facebook, such as for advertising purposes or gathering location data, is done without giving users adequate control over their privacy. “Its current default settings with regards to behavioural profiling and advertising (essentially 'opt-out') remain problematic,” the report said. “According to the Article 29 Working Party, consent cannot be inferred from the data subject’s inaction with regard to behavioural marketing. “As a result, Facebook’s opt-out system for advertising does not meet the requirements for legally valid consent. In addition, opt-outs for 'Sponsored Stories' or collection of location data are simply not provided.” The way Facebook combines data from its other services, specifically Instagram and WhatsApp, to build a more complete picture of a user was also cited as another way in which Facebook does not adhere to EU privacy and data laws. “Facebook only offers an opt-out system for its users in relation to profiling for third-party advertising purposes. The current practice does not meet the requirements for legally valid consent,” the report said. The report also criticised Facebook for “leveraging its dominant position” in the social networking market to effectively force users to accept its conditions. “The choices Facebook offers to its users are limited. For many data uses, the only choice for users is to simply 'take it or leave it'. If they do not accept, they can no longer use Facebook and may miss out on content exclusively shared on this platform,” the researchers said. Another interesting area raised in the report relates to the rights, or lack of, that Facebook provides to delete an account and have all data removed from the firm's databases. "Facebook fails to provide (sufficient) granularity in exercising data subject’s rights. For example, the right to erasure can only be exercised with regard to the user’s profile and only relates to self-posted content," it said. V3 contacted Facebook for its response to the report but had received no reply at the time of publication. The damning allegations come just a few months after Facebook updated its terms and conditions in an effort to make it easier for people to "take charge" of how their data is used on the site. Source
  15. Google is continuing to refine its Safe Browsing API and now is giving users warnings about not just malicious software on sites they’re attempting to visit, but also about unwanted software. Google’s Safe Browsing API is designed to help protect users from a variety of threats on pages across the Internet. The functionality is built into Chrome, as well as Firefox and other browsers, and when a users tries to visit a page that Google’s crawlers or other users have reported to be hosting malware, phishing links or other types of threats it will throw up a warning dialog. Depending upon the type of threat found on the target page, the browser will give the user various types of information and options. Google started showing Chrome users warnings about deceptive or unwanted software last month, but now that information will be fed into the Safe Browsing API so that other browser vendors, as well as app developers, can pull it into their offerings. “In addition to our constantly-updated malware and phishing data, our unwanted software data is now publicly available for developers to integrate into their own security measures. For example, any app that wants to save its users from winding up on sites that lead to deceptive software could use our API to do precisely that,” Emily Schechter, safe browsing program manager at Google, said in a blog post. “We continue to integrate Safe Browsing technology across Google—in Chrome, Google Analytics, and more—to protect users.” Deceptive, or unwanted, software is a fairly broad category of applications that includes things such as browser extensions that change your home page or modify the settings in your browser. These applications sometimes are bundled with other software or downloaded in the background, sometimes without a user’s knowledge. They can also include spyware or adware that collect users’ data and pretend to be something other than what they really are. Google defines deceptive software broadly as “programs disguised as a helpful download that actually make unexpected changes to your computer”. Image from Flickr photos of Parkesmj. Source
  16. When a company is breached, the typical reaction is to increase security across the board. But Twitch, the Amazon-owned game streaming company, has decided to reduce the minimum number of characters in user passwords, thereby allowing users to have less secure logins, in response to customer complaints. The attack was announced yesterday on a company blog, whilst emails were also sent to concerned users. There’s little detail on the extent of the attack; Twitch simply said all user passwords were to be reset after it detected possible unauthorized access to some Twitch user account information. According to the email sent to users, some cryptographic protections were used on passwords, but it wasn’t clear how strong they were. And it said it was possible passwords could have been captured in plain text by malicious code when users logged into the site on 3 March. Various kinds of data could have been compromised, including credit card information, in particular card type, a truncated card number and the expiration date. Usernames and associated email addresses, passwords, the last IP address users logged in from, phone number, address and date of birth were also potentially stolen. With all that information, a hacker would have a good chance of stealing a victim’s identity. Users started to complain en masse across Twitch’s social networks, however. Some said they couldn’t remember their password, others said when they tried to change their passwords to anything less than 20 characters they weren’t allowed, due to the site’s restrictions. Texan Twitch customer Corbin Ellis told the company on their Facebook page that “if users want to use bad passwords, that’s their problem, not yours”. Twitch caved to customer demands, announcing it would reduce the limit on minimum password length to eight characters minimum. Web security expert Troy Hunt told FORBES more than eight was surprisingly restrictive. “But what’s disheartening about this is that users have apparently baulked at creating passwords longer than eight characters so are clearly not getting the message on what constitutes a strong ‘secret’.” Authentication expert Per Thorsheim said it didn’t make sense to lower the length requirement after a breach. “I’d say on the contrary in many cases. In this specific case they have dramatically lowered their requirements. From a security perspective this could be justified by new and better ways of sending, [encrypting] and storing your passwords.” If any more evidence was needed that the username-password paradigm is a flawed form of authentication, the Twitch breach has provided. sursa: Amazon's Twitch Hacked, Caves To Angry User Demands For Less Secure Passwords - Forbes si-au cam luat la mumu twitch...
  17. A cross-site request forgery (CSRF) vulnerability in the website of hotel chain Hilton Worldwide could have inadvertently compromised much of its users’ personal information. Ironically the since-fixed issue stemmed from a promotion the chain was offering to users if they changed their passwords on a benefits service it runs. As part of the offer, users who changed passwords associated with their Hilton Honors account before April 1 would be given 1,000 free awards points. According to Krebs on Security, until Hilton fixed a loophole in its system, the same promotion could have let anyone hijack the account of someone who switched his or her password as long as the attacker could guess their nine-digit account number correctly. By reconfiguring the site’s HTML and reloading the page, attackers could have gleaned additional information, like the customers’ email address, physical address, and the last four digits of any credit card number they may have had on file. Attackers basically would have had complete access to the person’s account. They could have changed the password associated with it, viewed upcoming and past trips, and allowed them to use the victim’s points to book future trips. The vulnerability could have even let the attackers liquidate the user’s account and funnel their points into prepaid debit cards or into another user’s account. Researchers Brandon Potter and JB Snyder at the security firm Bancsec logged into Krebs’ Hilton account and forwarded him screenshots as proof they had found a vulnerability. It was only after Krebs contacted the hotel company that it stopped allowing users to reset their passwords and fixed the issue. “Hilton Worldwide recently confirmed a vulnerability on a section of our Hilton Honors website, and we took immediate action to remediate the vulnerability,” Hilton said in statement, according to Krebs. On top of the CSRF vulnerability, apparently Hilton didn’t enforce users to re-enter their current passwords when changing to a new one. Its site even told users whether each nine-digit number they entered was valid, according to Krebs, something which could have compounded the issue further. Attackers could have rigged the PIN reset page checker to determine users’ PINs, Snyder told Krebs. “There are a billion combinations but this… could be easily automated,” Snyder said. Hilton Hotels did fix the issue and now forbids users from using a PIN as their password. Instead users are prompted to pick a password that consists of at least eight characters, one uppercase, and a number or special character. Users can apparently still change their password without entering their current password however. Source
  18. When it comes to search on mobile devices, users should get the most relevant and timely results, no matter if the information lives on mobile-friendly web pages or apps. As more people use mobile devices to access the internet, our algorithms have to adapt to these usage patterns. In the past, we’ve made updates to ensure a site is configured properly and viewable on modern devices. We’ve made it easier for users to find mobile-friendly web pages and we’ve introduced App Indexing to surface useful content from apps. Today, we’re announcing two important changes to help users discover more mobile-friendly content: 1. More mobile-friendly websites in search results Starting April 21, we will be expanding our use of mobile-friendliness as a ranking signal. This change will affect mobile searches in all languages worldwide and will have a significant impact in our search results. Consequently, users will find it easier to get relevant, high quality search results that are optimized for their devices. To get help with making a mobile-friendly site, check out our guide to mobile-friendly sites. If you’re a webmaster, you can get ready for this change by using the following tools to see how Googlebot views your pages: If you want to test a few pages, you can use the Mobile-Friendly Test. If you have a site, you can use your Webmaster Tools account to get a full list of mobile usability issues across your site using the Mobile Usability Report. 2. More relevant app content in search results Starting today, we will begin to use information from indexed apps as a factor in ranking for signed-in users who have the app installed. As a result, we may now surface content from indexed apps more prominently in search. To find out how to implement App Indexing, which allows us to surface this information in search results, have a look at our step-by-step guide on the developer site. source: Google Webmaster
  19. Following up on a promise it made during last summer’s Black Hat, Yahoo on Sunday said it’s on track to deliver end-to-end encryption for its email users this year. And to that end, it released the early source code for the Yahoo encryption browser extension to GitHub. Chief information security officer Alex Stamos made the announcement at the South by Southwest Festival, where he said he hopes the security community will pore over the code and submit any vulnerabilities to Yahoo’s Bug Bounty program. He also said that he hopes other email providers will build compatible solutions. “Just a few years ago, e2e encryption was not widely discussed, nor widely understood. Today, our users are much more conscious of the need to stay secure online,” Stamos wrote on Yahoo’s Tumblr. He said that Yahoo’s extension will satisfy users’ needs to share sensitive information securely. “Wherever you land on the spectrum, we’ve heard you loud and clear: We’re building the best products to ensure a more secure user experience and overall digital ecosystem.” Yahoo also released a video, below, demonstrating the ease with which its encryption is deployed compared to GPG, a free and open source encryption implementation. Stamos hopes the solution, which he called “intuitive” would be available by the end of the year. “Anybody who has the ability to write an email should have no problem using our email encryption,” he said to AFP. Yahoo has made huge strides with its efforts to encrypt its web-based services beyond email, turning on HTTPS by default in January 2014 and four months later, encrypting traffic sent between its data centers. This was a weak spot known to be exploited by the National Security Agency, which was copying data from Yahoo and Google’s fiber-optic cables outside the United States. Last August during Black Hat, Stamos announced that Yahoo had partnered with Google on its efforts to encrypt email end to end in a fashion that would be transparent to users. Stamos said Yahoo would use the browser extension Google released in June that enables end-to-end encryption of all data leaving the browser. Stamos said at the time that Yahoo was working to ensure that its system works well with Google’s so that encrypted communications between Yahoo Mail and Gmail users will be simple. “I think anybody who uses email in the center of our life needs encryption,” Stamos said to AFP. “If you send emails to your spouse or your lawyer or family members, you want to have these messages be confidential.” Yahoo is also carrying over that same type of simplicity and intuitiveness to authentication. In addition on Sunday, it also announced a plan to ease the pain associated with passwords with the introduction of on-demand passwords. Director of product management Chris Stoner said in making the announcement that Yahoo users would no longer need to remember complex passwords to access their Yahoo accounts. Instead, once a user opts in to the on-demand password service, a verification code will be sent to the user’s mobile device that can be used to access their account. “It’s important for our products to be safe as used by normal people,” said Stamos. “Our users face a very diverse set of threats. The biggest threat is probably someone stealing their password, and their account taken over.” This article was corrected, correcting references of a plug-in to a browser extension. Source
  20. The administrators of one of the darknet’s most popular markets for drugs and bespoke carjacking services may have just scammed its customers out of untold sums of money. Evolution, the site in question, rose to prominence after the fall of Silk ?Road and its unassuming founder, Ross U?lbricht, with a promise of less fra?ud and greater trust due to its centralized “escrow” system. It was exactly this system that allowed the site’s owners to make off with its users’ bitcoin. The escrow system means that Evolution’s administrators must sign off on transactions before they go through, and the funds are held in escrow before they do. According to a post on the r/darknets? subreddit made by a user named NSWGreat who claimed to have access to the site’s back end, Evolution’s administrators—Verto and Kimble—have shut down the market and taken everyone’s funds stored in the market’s “escrow” vaults. This is a version of the “exit sca?m,” a known darknet scam that involves a seller collecting a user’s Bitcoin without mailing their packages and then disappearing without a trace. "This may fuck my business pretty good” If the Evolution administrators did scam the site's users, posts on Agora and Reddit indicate that the amount could be in the millions, with users having tens of thousands of dollars worth of bitcoin in escrow. “I am so sorry, but Verto and Kimble have fucked us all. I have over $20,000 in escrow myself from sales,” wrote NSWGreat. “I can't fucking believe it, absolute scum. I am giving this warning to you all as soon as I possibly could of.” A similar sc?am was carried out at another one of Silk Road’s successors, a market called Sheep, in 2013. Sheep administrators announced that the site had been robbed of bitcoin by a vendor, and shut itself down. Of course, there was no way of telling whether the site was really taken advantage of, or if the administrators hadn’t taken off with the bitcoin themselves. Although Evolution’s forums are currently down—along with the site, lending weight to NSWGreat’s claims—on the forum of Evolution’s competitor market, Agora, users were upset. One vendor, TheRealNurseJoy, posted that they were “enthusiastically accepting donations since Evolution just stole a shite load of money” from them. Another vendor, Trust-In-Us, wrote, “Looks like I am out a good amount of money. This may fuck my business pretty good.” The responses from redditors ranged from shock and awe to bitter desperation. One user who claimed to have 50 bitcoin in escrow on Evolution, the equivalent of roughly $14,000, commented, “I OWE MONEY AND CANT PAY IF THIS IS TRUE. MY LIFES IN DANGER. PLEASE DONT BE TRUE PLEASE.” Some users were more skeptical, however, despite vendors claiming to be out Bitcoin and everyone having a general meltdown. The only solid proof, some redditors noted, was NSWGreat’s word. When several users asked for screenshots or suggested that they would be nice to have, NSWGreat responded by saying they “don’t take screenshots anyway.” Who you believe depends on who you trust, and on the darknet, trust matters more than you’d think. Topics: evolution, market, darknet, scam, exit scam, reddit, Agora Original Article: One of the Darknet’s Biggest Markets May Have Just Stolen All Its Users' Bitcoin | Motherboard
  21. Are you aware of everything that your users are accessing from your environment? While most of the time, non-work-related Internet browsing is harmless (looking at pictures of cats, online shopping, social media, etc.) there are some instances where you could be an unknowing and unwilling participant in criminal activity. That is, when users hide that activity via the Tor network, or the Dark Net. The Onion Router, better known as "Tor", an open source project, launched in 2002, is designed to allow a user to browse the Internet anonymously via a volunteer network of more than 5000 relays. It doesn't share your identifying information like your IP address and physical location with websites or service providers. A user that navigate Internet using Tor, it's quite difficult to trace its activities ensuring his online privacy. There are arguably legitimate uses for this technology, such as providing Internet access in repressively regulated countries. Tor has been a favorite target of intelligence agencies. NSA targeted the Tor users, using a zero-day vulnerability in Firefox browser, bundled with Tor, that allowed them to get the real IP address of the anonymous Tor users. Using same techniques, FBI was also able to track the Owner of 'Freedom Hosting', the biggest service provider for sites on the encrypted Tor network, hosted many child pornography sites. However, Mozilla has then fixed that Firefox flaw exploited by government law enforcement officials. Moreover, Tor is often associated with illicit activity (child pornography, selling controlled substances, identity theft, money laundering, and so on). Most admins will want to prohibit their users from using the Tor network due to its association with nefarious activity. Since the point of origin is nearly impossible to determine with conventional means, many bad actors leverage the Tor network to hide the location of Command & Control servers, machines taking ransomware payments, etc. This makes identifying these them and their malware that much harder. Users browsing the Tor network (for illicit purposes or not) from your environment can open you up to hosting malicious/illegal content, Ransomware infection, or unknowingly participating in other malicious activity. Therefore it is also known as DeepNet or Deep Web. To know more detail about the Deep Web you can read our detailed article, "What is the Deep Web? A first trip into the abyss". WHAT I CAN DO ABOUT TOR? AlienVault Unified Security ManagementTM (USM) can help. USM provides asset discovery, vulnerability assessment, threat detection (IDS), behavioral monitoring and SIEM in a single console, plus weekly threat intelligence updates developed by the AlienVault Labs threat research team. The correlation directives and IDS signatures in AlienVault Unified Security Management (USM) can detect when a system is attempting to resolve a Tor domain, and allow you to take corrective action. Plus, new & updated correlation directives developed by the experts at AlienVault Labs are pushed to USM weekly, enabling detection of emerging threats. Learn more about AlienVault USM: Download a free 30-day trial Watch a demo on-demand Play with USM in our product sandbox (no download required) Source
  22. Google is prepping a fix for Android users that addresses a meddlesome memory leakage issue that’s plagued some device users since the end of last year. The issue, present in versions 5.0.1 and 5.1 of the mobile operating system code-named Lollipop, has been causing irregular application activity on several Nexus devices for weeks. In some instances, users have apparently experienced issues launching apps and seen apps randomly restarting, often without opening or changing any application. The most prevalent issue users have witnessed has been a massive surge in memory usage. On an issue tracker for the for the bug on Android’s Open Source Project (AOSP) late last week some users reported seeing their RAM bloat to over 1 gigabyte and leave as little as 150 megabytes free, before their phones ultimately crashed. Users claim they’ve seen their phone’s system memory swell, usually after opening a game, then dismissing it. Even if apps are closed however, the phone will go on to gobble up memory until there’s no more space and the device stops responding. The issue – mostly seen in Nexus 5 devices – has lingered since December 2014, when Google pushed 5.0.1 to Nexus devices, but resurfaced in 5.1, which was rolled out last week. “Memory leak not fixed,” one user wrote on AOSP last week, “I’ve had system RAM bloated over 1GB, processes restarting and launcher redraws.” The issue was closed at Android’s Issue Tracker on Friday when a Google project member acknowledged the issue had been “fixed internally,” but added that the company did not have a timetable for public release. The bug’s status was also changed from “New” to “FutureRelease” on Friday, suggesting a fix is forthcoming, perhaps in 5.1.1, but emails to Google inquiring exactly when that fix would come were not immediately replied to on Monday Android’s security team has been busy over the past several months addressing issues that have popped up in Lollipop. In November it fixed a vulnerability that could have allowed an attacker to bypass ASLR and run arbitrary code on a target device under certain circumstances. In January the company took some heat for not fixing a bug in the WebView component of the OS on Jelly Bean 4.3, or older. Security engineers for Android later clarified that the issue would really be best fixed by OEMs and that it’s not practical for Google to push patches for older vulnerabilities. Source
  23. Yahoo has launched an on-demand password service that lets forgetful customers tie their account security to their mobile phone. Yahoo director of product management Chris Stoner announced the service, which US users can opt into now. The 'On-demand passwords' feature can be activated in the security section of Yahoo accounts' settings menu. Once activated, the user will be instructed to enter their mobile phone number. From this point on, whenever the customer attempts to open their account Yahoo will send a custom unlock code to their phone, removing the need for them to remember a password. Stoner said the service is part of Yahoo's ongoing efforts to make account security easier for users. "We've all been there. You're logging into your email and you panic because you've forgotten your password. After racking your brain for what feels like hours, it finally comes to you. Phew," he said. "Today, we're hoping to make that process less anxiety-inducing by introducing on-demand passwords, which are texted to your mobile phone when you need them. You no longer have to memorise a difficult password to sign in to your account - what a relief." The service is available to US users now. There is no confirmed UK release date and at the time of publishing Yahoo had not responded to V3's request for comment on when it will roll out the service in Europe. The release follows reports that many users are still failing to take even basic cyber defence measures to protect their personal data. Yahoo CEO Marissa Mayer controversially revealed she does not lock her smartphone with a password or gesture, as it made unlocking the device "too time-consuming". Yahoo is one of many companies to experiment with alternative password security services. Apple and Samsung added biometric fingerprint scanners to their latest iPhone 6 and Galaxy S6 smartphones. Source
  24. While WhatsApp is very reserved to its new calling feature, cyber scammers are targeting WhatsApp users across the world by circulating fake messages inviting users to activate the new 'WhatsApp calling feature for Android' that infects their smartphones with malicious apps. If you receive an invitation message from any of your friend saying, "Hey, I’m inviting you to try WhatsApp Free Voice Calling feature, click here to activate now —> http://WhatsappCalling.com", BEWARE! It is a Scam. The popular messaging app has begun rolling out its much-awaited Free Voice Calling feature — similar to other instant messaging apps like Skype and Viber — to Android users which allows users to make voice calls using Internet. However, for now, the free WhatsApp calling feature is invite-only and only appears to work for people running the latest version of WhatsApp app for Android on a Google Nexus 5 phone running the latest Android 5.0.1 Lollipop. HOW TO ENABLE WHATSAPP CALLING FEATURE Company has not announced the WhatsApp calling feature officially, but some users claim to have used it. The report broke two months ago, when a Reddit user (pradnesh07) from India reported that the WhatsApp calling feature was activated on his Android device after he received a WhatsApp voice call from a friend. The user also posted its image on the discussion forum. Because it’s invite only, what we all believe, Millions of users across the world are eagerly waiting to access the free voice calling feature on WhatsApp and searching over the Internet that How to enable WhatsApp calling feature for Android or iOS, and this is what scammers are taking advantage of. Cyber scammers have allegedly started circulating fake invitations containing malicious links through Social Media, phishing emails, WhatsApp messages and Scam websites in order to spread creepy malware and adware apps. Once users click on the link, they land to another website where they are asked to take a survey on behalf of WhatsApp. The survey forces users to download unknown applications and software that might contain malware. With more than 70 million users, WhatsApp is the widely popular and preferred chat service worldwide, both for us as well as scammers. LEARN HOW TO PROTECT YOURSELF In order to protect yourself from 'WhatsApp calling feature' scam, you need to learn that at time of writing: WhatsApp calling feature feature is currently available for Android Lollipop 5.0 version and was successfully accessible via the new version 2.11.508 of the WhatsApp. WhatsApp calling feature feature is still in the beta version. WhatsApp calling feature is not available through Google Play Store, but can be downloaded only from the official WhatsApp website on INVITE. Source
×
×
  • Create New...