Mozilla, Tor join forces to improve online privacy

Mozilla, the developer of the Firefox browser, has teamed up with the Center for Democracy & Technology (CDT) and the Tor Project (The Onion Router) to give internet users greater privacy through a new initiative, Polaris, according to the company’s privacy blog. Polaris, launched two days ago, focuses on anti-censorship technology, anonymity and cross-site tracking protection. It is “designed to allow us to collaborate more effectively, more explicitly and more directly to bring more privacy features into our products,” the Mozilla post says. It builds on privacy features the company has already introduced, such as the Do Not Track preference; Private and Guest Browsing; high levels of encryption with Firefox Sync; an individual approach to app permissions; and a Forget button.

The company is currently evaluating the Tor Project’s changes to Firefox’s codebase to see how effective Tor is. Tor works by bouncing traffic randomly through servers run by volunteers around the world, which makes it difficult for surveillance companies to track a user’s online activity. Its only drawback is speed, which can be quite annoying when the connection is less than ideal. The two organisations plan to combine the best of both: Mozilla’s speed and Tor’s security. Mozilla is also working on a feature that protects users from invasive tracking without penalising advertisers and content sites that respect users’ preferences. It has taken its cue from the 2014 Harris Poll, which concluded that people are concerned about the reduced privacy of their personal information on the web. The company also wants to change the perception that internet privacy is too complex for a layperson to understand. It said on its website

 

November 13th, 2014

A bug in the Bugzilla bug tracker exposes private bugs

A critical vulnerability in the popular web-based bug tracking tool “Bugzilla” allows hackers to view the details of any undisclosed vulnerabilities.

Bugzilla is an open source bug tracking program developed by Mozilla and used by many large organisations, including Red Hat, the Linux kernel, GNOME and Apache.

Vulnerability researchers at Check Point Software Technologies reported to Mozilla a bug that allows anyone to register with an email address of the targeted domain (for example, admin@mozilla.com) and bypass email validation.

The researchers exploited the vulnerability and managed to create administrator accounts for Mozilla.org, Mozilla.com and Bugzilla.org. Source: http://www.ehackingnews.com/2014/10/http-parameter-pollution-bugzilla-vulnerability.html
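The source link names the defect class as HTTP parameter pollution (HPP). The following is an added example, not Bugzilla’s code and not a reproduction of the exact bug Check Point reported: it shows the generic HPP pattern, a registration handler that validates one copy of a repeated parameter but stores another, beside a hardened handler that rejects repeated parameters. The field name `login` and the handler names are assumptions.

```python
"""Illustrative HTTP parameter pollution (HPP) pattern.

Constructed for this page: this is not Bugzilla's code and does not claim to
reproduce the exact defect Check Point reported. It shows the generic defect
class named in the source URL (HPP): a registration handler that validates one
copy of a repeated parameter but stores another. The field name 'login' and
the handler names are assumptions.
"""
from urllib.parse import parse_qs


def register_vulnerable(body: str) -> dict:
    """HPP-prone handler (constructed).

    The confirmation mail goes to the first 'login' value, but the account is
    created with the value read last. With a repeated parameter those differ,
    so the address that gets confirmed is not the address stored on the
    account.
    """
    fields = parse_qs(body, keep_blank_values=True)
    logins = fields.get("login", [])
    if not logins:
        raise ValueError("login is required")
    confirmed_to = logins[0]   # validation path reads the first copy
    stored = logins[-1]        # persistence path reads the last copy
    return {"confirmation_sent_to": confirmed_to, "account_email": stored}


def register_hardened(body: str) -> dict:
    """Hardened handler: a repeated parameter is an error, and the single
    value that is validated is the same value that is stored."""
    fields = parse_qs(body, keep_blank_values=True)
    logins = fields.get("login", [])
    if len(logins) != 1:
        raise ValueError("login must be supplied exactly once")
    email = logins[0].strip().lower()
    local, sep, domain = email.rpartition("@")
    if not sep or not local or "." not in domain:
        raise ValueError("malformed email address")
    return {"confirmation_sent_to": email, "account_email": email}


def hpp_mismatch(result: dict) -> bool:
    """True when the confirmed address and the stored address differ, i.e.
    the validation step was bypassed."""
    return result["confirmation_sent_to"] != result["account_email"]


if __name__ == "__main__":
    polluted = "login=attacker%40example.org&login=admin%40mozilla.com"
    print("vulnerable handler:", register_vulnerable(polluted))
    try:
        register_hardened(polluted)
    except ValueError as exc:
        print("hardened handler rejected request:", exc)
```

The defensive rule the hardened version applies is the general one: parse the request once, treat a repeated security-relevant parameter as an error rather than silently picking the first or last copy, and make the validated value and the persisted value the same object.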

 

November 13th, 2014

Apple iPhone iOS weakness allows hackers to replace iPhone apps

A new iOS attack that works even on non-jailbroken iPhones allows hackers to replace apps with their own versions. Masque attacks can replace installed apps, letting hackers steal personal data. A weakness in newer versions of iOS lets hackers install apps on iPhones or iPads by sending users an email or text message. The attack can be used to steal personal information, eavesdrop on communications or potentially track the user’s physical location with the GPS chip in Apple devices. Discovered by security researchers at FireEye, who named it “Masque”, the attack takes advantage of enterprise-focused tools similar to those used by WireLurker, a previous iOS bug that let an attacker use a compromised Mac to install software on an iPhone.

Before a device can be infected, the user must be tricked into clicking a link in a text or email and then accepting a prompt to install an app. Typically, an app installed this way requires a security certificate signed by Apple to work on iPhones that have not been modified to install unofficial apps, so malware cannot get past the gate. However, Masque uses a vulnerability that lets an iOS app with the same file name replace a real one, regardless of developer. Users might think they are installing the new Flappy Bird, but in reality they are downloading an app that silently replaces their Gmail app with a fake one. Their iPhone does not prevent this because it does not realise the Gmail app has been replaced. FireEye says that Masque applies the same principle used in the WireLurker attack, but on a much grander scale. “After looking into WireLurker, we found that it started to utilise a limited form of Masque attacks to attack iOS devices through USB. Masque attacks can pose much bigger threats than WireLurker,” according to the company’s researchers Hui Xue, Tao Wei and Yulong Zhang.

“Masque attacks can replace authentic apps, such as banking and email apps, using attacker’s malware through the internet. That means the attacker can steal a user’s banking credentials by replacing an authentic banking app with malware that has an identical user interface.

“Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user’s account directly.”

Users can avoid infection if they do not install apps from third-party sources other than the official App Store or their own company. Yet the existence of the flaw still poses risks if users can be tricked into accepting the installation anyway.

FireEye notes that there are several mitigating factors: “An attacker would have to obtain an enterprise provisioning profile or steal one, neither of which are trivial. There would also always be a warning to the user, which should look suspicious because it’s not something you would normally see in iOS. As long as you select ‘don’t install’, you will be protected from this vulnerability.”

In the long run, the vulnerability looks more likely to be employed in “spear phishing”: highly focused attacks aimed at stealing the personal data of a specific target. Such attacks have been the basis of many wider hacking successes, such as those carried out by the Syrian Electronic Army.

November 13th, 2014

US weather system hacked, affecting satellites

The National Oceanic and Atmospheric Administration (NOAA) said that four of its websites were hacked in recent weeks. To block the attackers, government officials were forced to shut down some of its services.

This explains why satellite data was mysteriously cut off in October, and why the National Ice Center website and others were down for more than a week. During that time, federal officials merely cited a need for “unscheduled maintenance.” Still, NOAA spokesman Scott Smullen insisted that the aftermath of the attack “did not prevent us from delivering forecasts to the public.”

Little more is publicly known about the attack, which was first revealed by The Washington Post, and it is unclear what damage, if any, the hack caused. But the hackers managed to penetrate what is considered one of the most vital parts of the U.S. government: the nation’s military, businesses and local governments all rely on nonstop reports from the U.S. weather service. The impact of the hack was real. Scientists at Atmospheric and Environmental Research in Lexington, Massachusetts were unable to send a preliminary report about weather patterns to traders and investors earlier this year.

“We were shut out entirely. That’s our one source of data,” said Rutgers climatologist David Robinson, whose global snow lab also relies on the satellite data. The cyberattack on the U.S. weather system is only the latest against the United States. The White House was hacked last month. Shortly before that, hackers breached USIS, a federal contractor that knows who holds top security clearances for the U.S. government, because it provides the background checks.

Typically, cybersecurity experts blame Russia, or sometimes other countries, for hacks on the nation’s infrastructure.

November 13th, 2014

Ground Zero Summit, 13-14 November 2014

Ground Zero Summit 2014
Asia’s Foremost Information Security Summit

Ground Zero Summit is the largest collaborative platform in Asia for Cyber security experts and researchers to address emerging cyber security challenges and demonstrate cutting-edge technologies. Ground Zero Summit is the exclusive platform in the region providing opportunities to establish and strengthen relationships between corporate, public sector undertakings (PSUs), government departments, security and defense establishments.

Building on the huge successes of Ground Zero Summit 2013, New Delhi and Ground Zero Summit 2014, Colombo, Ground Zero Summit 2014, New Delhi promises to bring hackers and information security experts from all over Asia under one roof. It will showcase indigenous products and ingenious minds working in the field of information security to the world.

Ground Zero Summit (G0S) is organised by the Indian Infosec Consortium (IIC), an independent not-for-profit organisation formed by leading cyber experts.

Who will attend?

Ground Zero Summit 2014 will be attended by security experts, practitioners, thought leaders, hackers, cyber security taskforce members, scientists, CTOs, IT managers, senior VPs, CISOs, aspiring information security professionals and students. Be a part of the initiative pushing information security to the next level. The largest information security gathering in India is on its way: witness, participate and deliver.

Summit Highlights

  • Keynote by top dignitaries of India
  • 1,500 + delegates from India and around the globe
  • Active support from the government of India and its Information Security Establishment
  • 36 talks from renowned hackers and cyber security researchers
  • Cyber Chankya – Panel discussion on India’s Cyber Security and Foreign Policy
  • Large number of executives from global corporations and federal agencies will attend
  • Hack-A-Goal – Robo Football Hacking Competition

G0S Partners 2014: Innefu, the gold sponsor


INNEFU is a research oriented Information Security consulting group specializing in meeting the Information Security needs of the consumer via specialized products and services. We believe in innovating and creating the latest technologies to combat the rapidly growing menace of hacking and reduce dependency on human factors. We offer a complete gamut of Information Security services under one roof which includes our patented and patent pending products like 99% Secure – Cyber Cafe Surveillance, Tactical Internet interception, Multi Factor Authentication, Link analysis and Pattern Matching and services like complete corporate security process management, web application security and managed security services.

Venue:

The Ashok Hotel, Niti Marg, Chanakyapuri, New Delhi, DL 110021.

November 13th, 2014

Backdoor found in Netis or Netcore Routers, Check for yours NOW!


If you are using a router made by the Chinese company Netcore, known as Netis outside China, then you are using the device this post is about, and you should beware from now on: your network can be hacked by an attacker at any time.

Routers manufactured by Netcore/Netis contain a backdoor through which arbitrary code can easily be run on the device, rendering it useless as a security device.

According to Trend Micro, after gaining access to the router through the backdoor, an attacker can easily run malicious code on it and change its settings.

As for the company itself, it is best known for wireless routers offering transfer speeds of up to 300 Mbps, aimed at better performance for online gaming, video streaming and VoIP calling.

In simple terms, the vulnerability is an open UDP port, 53413, on which the router listens. This port is accessible from the WAN side of the router, so if the router has an externally reachable IP address (which is the case for almost all residential and SMB users), an attacker anywhere on the Internet can reach the backdoor:

On further research, Trend Micro found that the backdoor is “protected” by a single hard-coded password stored in the router’s firmware. The password is the same on every router, and, worse, users cannot change it or disable the backdoor.
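Since the backdoor cannot be disabled on the router itself, the practical defence is to watch for and block WAN-side traffic to UDP port 53413 at whatever firewall sits in front of the router. The following is an added example, not Trend Micro’s or Netcore’s code: it scans netfilter-style log lines (the sample lines are constructed) and counts, per external source, UDP datagrams arriving on the WAN interface for that port. The WAN interface name `eth0` and the log format are assumptions.

```python
"""Spot WAN-side traffic to the Netis/Netcore backdoor port in firewall logs.

Added example, not Trend Micro's or the vendor's code. It reads netfilter-style
log lines (the sample below is constructed) and counts, per external source,
UDP datagrams arriving on the WAN interface for destination port 53413, the
port named in the report. The WAN interface name and the log format are
assumptions; adjust them to the firewall in front of the router.
"""
import ipaddress
import re
from collections import Counter

BACKDOOR_PORT = "53413"

# Ranges expected to talk to the router's LAN side. Listed explicitly rather
# than via ipaddress.is_global so that the documentation range used in the
# constructed sample (203.0.113.0/24) counts as external, as real Internet
# sources would.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

_KV = re.compile(r"(\w+)=(\S*)")

# Constructed sample: two probes from one external host, one LAN-side packet,
# one TCP packet to the same port, and one unrelated DNS datagram.
SAMPLE_LOG = [
    "Oct 13 02:14:07 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=UDP SPT=41234 DPT=53413 LEN=20",
    "Oct 13 02:14:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=UDP SPT=41234 DPT=53413 LEN=44",
    "Oct 13 02:15:00 gw kernel: IN=br0 OUT= SRC=192.168.1.20 DST=192.168.1.1 PROTO=UDP SPT=5353 DPT=53413 LEN=32",
    "Oct 13 02:16:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=50000 DPT=53413 LEN=60",
    "Oct 13 02:17:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=UDP SPT=50000 DPT=53 LEN=60",
]


def parse_netfilter_line(line: str) -> dict:
    """Collect the KEY=VALUE pairs of a netfilter log line into a dict."""
    return dict(_KV.findall(line))


def is_internal(addr: str) -> bool:
    """True for addresses in the LAN-side ranges listed above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def backdoor_probes(lines, wan_iface="eth0") -> Counter:
    """Count external sources sending UDP/53413 to the WAN interface."""
    hits = Counter()
    for line in lines:
        f = parse_netfilter_line(line)
        if f.get("IN") != wan_iface or f.get("PROTO") != "UDP":
            continue
        if f.get("DPT") != BACKDOOR_PORT:
            continue
        src = f.get("SRC")
        if not src or is_internal(src):
            continue
        hits[src] += 1
    return hits


if __name__ == "__main__":
    for src, n in backdoor_probes(SAMPLE_LOG).most_common():
        print(f"{src}: {n} UDP/{BACKDOOR_PORT} datagram(s) on the WAN side")
```

Any non-zero count is a sign that the port is being probed from the Internet. Because the router itself offers no way to close the port, the only remedies are dropping inbound UDP/53413 on an upstream firewall or replacing the router.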

October 13th, 2014

Police spent $2.5 MILLION on hacking software to track phones and computers

This is not the old story that “the NSA is spending lots of money on software that spies on people”; here is a new example of it: documents leaked by WikiLeaks reveal that police have spent $2.5 MILLION on advanced spyware and hacking software to track phones and computers.

WikiLeaks named the New South Wales Police Force, which uses advanced hacking software to keep an eye on users during investigations, according to the documents published on Monday.

The documents show that the police spent $2.5 MILLION on software that can spy on a user’s machine and, once installed, log keystrokes and take screenshots.


Some versions of the software are also said to be able to remotely capture Skype and instant-messenger conversations and to access the microphone and webcam.

NSW Police have held nine licences for different kinds of software, including FinSpy and FinFly, over the past three years, according to the documents.

Five of the nine licences remain valid.

A police spokesperson declined to comment on the issue. For general information, NSW Police are able to remotely monitor the victim’s computer under warrant.


No other security agencies are named in the documents. It is believed that the documents are the result of a hacking attack in August.

The software has previously been criticised for enabling oppressive regimes to spy on dissidents.

October 13th, 2014

Shellshock: A ‘Bash’ Bug which leaves almost every user on Internet vulnerable

This bug is said to be much bigger than the earlier Heartbleed flaw, which left SSL-protected systems vulnerable; this time a bug has been found that can compromise your system and then run commands or execute malicious programs on your computer or device.

The harmful bug has been dubbed ‘Shellshock’. As said above, it is a superbug, and here is why:

  • Shellshock is a bug in Bash and can be used to exploit any operating system running it.
  • The bug lets an attacker send commands to the exploited system through code.
  • The area through which the system is exploited is normally blocked, but Bash opens every door to the system.
  • Apple Mac OS X users can run it from their terminal, as can users of Linux operating systems.
  • In simple terms, the flaw is in ‘Bash’, a piece of software used by operating systems and web servers.

At this time, security researchers have not found any critical update or other remedy to protect millions of users online, and the UK and US governments have issued national alerts in response to the bug, warning that it may compromise organisations responsible for “critical national infrastructure”, such as power stations, if it is not dealt with rapidly.

Statement issued by the Information Commissioner’s Office (ICO):

The Shellshock flaw “could be allowing criminals to access personal data held on computers or other devices”, which “should be ringing real alarm bells” for British businesses, which are legally obliged to keep their customers’ details secure.
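Because the flaw lives in Bash itself, the first thing an administrator wants to know is whether the Bash on a given host is still affected. The following is an added example, not part of the original post: it wraps the widely published diagnostic (start Bash with an environment variable whose value looks like a function definition followed by an extra command; an unpatched Bash runs the extra command while importing the environment, a patched one does not) so it can be run from a fleet-management script. The Bash binary is located via `PATH` unless a path is passed in.

```python
"""Self-check for the Shellshock Bash bug on the local host.

Added example, not from the original post. It runs the widely published
diagnostic: export a variable whose value looks like a function definition
followed by an extra command, then start bash. An unpatched Bash executes the
trailing command while importing the environment; a patched Bash ignores it.
Nothing but 'echo' is ever executed, so the probe is harmless either way.
"""
import shutil
import subprocess

# Function-looking value with a trailing command; only an unpatched Bash
# runs the part after the closing brace.
PROBE_VAR = "() { :;}; echo vulnerable"


def classify_output(stdout: str) -> str:
    """Decision rule, kept separate so it can be tested without running bash."""
    return "vulnerable" if "vulnerable" in stdout else "patched"


def shellshock_check(bash_path=None) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' (no bash / cannot run it).

    bash_path: explicit path to the Bash binary to test; defaults to the first
    'bash' on PATH.
    """
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return "unknown"
    # Minimal environment: PATH for the child plus the probe variable.
    env = {"PATH": "/usr/bin:/bin", "x": PROBE_VAR}
    try:
        proc = subprocess.run(
            [bash, "-c", "echo test"],
            env=env, capture_output=True, text=True, timeout=10,
        )
    except (OSError, subprocess.SubprocessError):
        return "unknown"
    return classify_output(proc.stdout)


if __name__ == "__main__":
    print("shellshock:", shellshock_check())
```

A result of `vulnerable` means the host needs the Bash update from its distribution; `unknown` means there is no Bash on the path (or it could not be started) and the host should be checked by other means. The same probe string is what the vendor advisories publish, so the script’s verdict should agree with theirs.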

October 13th, 2014

Google may be fined $100 Million for not removing celebrities nude images

Last month, a series of “The Fappening” releases appeared in several versions, containing nude images of some high-profile actresses.

The event, which media outlets and Internet users referred to under names such as “Celebgate” and “The Fappening”, was met with a varied reaction from the media and fellow celebrities.

Nude images of actresses including Jennifer Lawrence, Kate Upton, Amber Heard, Rihanna, Ariana Grande, Selena Gomez and Cara Delevingne are being distributed online on various sites, including some torrent sites.

Lawyers for the celebrities are threatening to sue Google for $100 million for allegedly failing to remove the images and “making millions from the victimization of women,” The New York Post reports.

It all started with Apple iCloud security, but after its investigation Apple stated that there was no iCloud hack as such: the nude and personal pictures of the celebrities were obtained in targeted attacks on the victims.

Hollywood lawyer Marty Singer, who represents the actresses whose nude images were hacked, wrote a letter to Google founders Larry Page and Sergey Brin, as well as Eric Schmidt and Google’s lawyers, accusing them of “blatantly unethical behavior” and comparing their alleged lack of action to the NFL leadership’s handling of the Ray Rice affair.

The lawyer also claims that instead of removing the images from its search engine, Google is profiting from them, as Reddit recently did.

In just six days, Reddit earned enough money from the nude pics scandal to power its servers for roughly a month, says John Menese, the 33-year-old creator of a Reddit sub-forum.

According to the letter, Google has failed, “to act expeditiously, and responsibly to remove the images, but in knowingly accommodating, facilitating, and perpetuating the unlawful conduct. Google is making millions and profiting from the victimization of women.”

 

October 13th, 2014

Flaw allows to Loot cash from ATMs without Cards

I have reported on various ATM hacks, in which hackers use cloned or stolen cards at the door and loot the cash easily, but this time hackers have found something different: they are now able to loot cash without any ATM card.

The Moscow-based security firm Kaspersky Lab reported this new ATM flaw on its blog, explaining that ATM scams are on the rise worldwide.

Russia is No. 1 in this ATM scam, with the United States second.

How are hackers cracking the machines?
Hackers get inside the ATM by unlocking its enclosure (using the default master key) and then infect the machine from a CD containing malware known as Backdoor.MSIL.Tyupkin. Some days later the attacker returns to the ATM and uses Tyupkin to dispense up to 40 bills without any verification.

Which ATMs are infected?
You cannot find out yourself, but the ATM’s administrator can, as the virus infects machines running a 32-bit Windows operating system. Furthermore, Tyupkin accepts commands only in the dead of night on certain days of the week, keeping the exploit hidden most of the time.

To run the program successfully, the attacker needs a special PIN generated by an algorithm unique to the malware. After that, they can withdraw 40 bills at a time directly from the ATM; no user account is required.

Are you affected by this attack on ATMs?
No, this is not possible: it is the ATM that is vulnerable, not your account, so users who use the machines daily need not worry about this hack.

October 13th, 2014
