Archive for November, 2014

Mozilla, Tor join forces to improve online privacy

Mozilla, the developer of the internet browser Firefox, has teamed up with the Center for Democracy & Technology (CDT) and the Tor Project (The Onion Router) to provide internet users with greater privacy through their new initiative, Polaris, according to the company’s privacy blog. Polaris, launched two days ago, is focused on anti-censorship technology, anonymity and cross-site tracking protection. It is “designed to allow us to collaborate more effectively, more explicitly and more directly to bring more privacy features into our products,” says Mozilla. It will have many privacy features, including ones the company has already introduced, such as the Do Not Track preference; Private and Guest Browsing; high levels of encryption with Firefox Sync; an individual approach to app permissions; and a Forget button.

The company is currently evaluating the Tor Project’s changes to Firefox’s codebase to see the effectiveness of Tor, which works by bouncing traffic randomly around servers manned by volunteers globally. This makes it difficult for surveillance companies to track a user’s activities online. Its only drawback is its speed, which can be pretty annoying if the connection is less than ideal. The two companies plan to integrate the best features of both: Mozilla’s speed and Tor’s security. Mozilla is also working towards providing a feature that can protect its users from invasive tracking without penalizing the advertisers and content sites that respect users’ preferences. It has taken a cue from the 2014 Harris Poll, which concluded that people are concerned about the reduced privacy of their personal information on the web. The company also wants to change the perception of internet privacy as something too complex for a layman to understand. It said on its website

 

November 13th, 2014

A Bug in Bug Tracker called Bugzilla exposes Private Bugs

A critical vulnerability in the popular web-based Bug tracking tool “Bugzilla” allows hackers to view the details of any undisclosed vulnerabilities.

Bugzilla is an open source bug tracking program developed by Mozilla and used by many large organizations and projects, including Red Hat, the Linux kernel, GNOME and Apache.

Vulnerability researchers at Check Point Software Technologies reported to Mozilla a bug that allows anyone to register with an email address at the targeted domain (for example, admin@mozilla.com) and bypass email validation.

The researchers exploited the vulnerability and managed to create administrator accounts for Mozilla.org, Mozilla.com and Bugzilla.org. See more at: http://www.ehackingnews.com/2014/10/http-parameter-pollution-bugzilla-vulnerability.html

 

November 13th, 2014

Apple iPhone iOS weakness allows hackers to replace iPhone apps

A new iOS attack that works even on non-jailbroken iPhones allows hackers to replace apps with their own versions.

A weakness in newer versions of iOS lets hackers install apps on iPhones or iPads by sending users an email or text message. The attack can be used to steal personal information, eavesdrop on communications or potentially track the user’s physical location with the GPS chip in the Apple devices. Discovered by security researchers FireEye, who named it “Masque”, the attack takes advantage of similar enterprise-focused tools to WireLurker, a previous iOS bug that let an attacker use a compromised Mac to install software on an iPhone.

Before they can be infected, the user must be tricked into clicking a link in a text or email, and then accepting a prompt to install an app. Typically, an app installed this way requires a security certificate signed by Apple to work on iPhones that have not been modified to install unofficial apps, and so malware cannot get past the gate.

However, Masque uses a vulnerability that lets an iOS app with the same file name replace a real one, regardless of developer. Users might think they are installing the new Flappy Bird, but in reality they are downloading an app that silently replaces their Gmail app with a fake one. Their iPhone does not prevent this happening because it does not realise the Gmail app has been replaced.

FireEye says that Masque is an application of the same principle used in the WireLurker attack, but on a much grander scale. “After looking into WireLurker, we found that it started to utilise a limited form of Masque attacks to attack iOS devices through USB. Masque attacks can pose much bigger threats than WireLurker,” according to the company’s researchers Hui Xue, Tao Wei and Yulong Zhang.

“Masque attacks can replace authentic apps, such as banking and email apps, using attacker’s malware through the internet. That means the attacker can steal a user’s banking credentials by replacing an authentic banking app with a malware that has identical user interface.

“Surprisingly, the malware can even access the original app’s local data, which wasn’t removed when the original app was replaced. These data may contain cached emails, or even login-tokens which the malware can use to log into the user’s account directly.”

Users can avoid infection if they do not install apps from third-party sources other than the official App Store or their own company. Yet the existence of the flaw still poses risks if users can be tricked into accepting the installation anyway.

FireEye notes that there are several mitigating factors: “An attacker would have to obtain an enterprise provisioning profile or steal one, neither of which are trivial. There would also always be a warning to the user, which should look suspicious because it’s not something you would normally see in iOS. As long as you select ‘don’t install’, you will be protected from this vulnerability.”

In the long run, the vulnerability looks more likely to be employed as a “spear phishing” attack: highly focused attacks aimed at stealing the personal data of a specific target. Such attacks have been the basis of many wider hacking successes, such as those carried out by the Syrian Electronic Army.

November 13th, 2014

USA weather system hacked, affecting the satellites

The National Oceanic and Atmospheric Administration, NOAA, said that four of its websites were hacked in recent weeks. To block the attackers, government officials were forced to shut down some of its services.
This explains why satellite data was mysteriously cut off in October, as well as why the National Ice Center website and others were down for more than a week. During that time, federal officials merely stated a need for “unscheduled maintenance.” Still, NOAA spokesman Scott Smullen insisted that the aftermath of the attack “did not prevent us from delivering forecasts to the public.”
Little more is publicly known about the attack, which was first revealed by The Washington Post. It’s unclear what damage, if any, was caused by the hack. But hackers managed to penetrate what’s considered one of the most vital aspects of the U.S. government. The nation’s military, businesses and local governments all rely on nonstop reports from the U.S. weather service. The impact of the hack was real: Scientists at Atmospheric and Environmental Research in Lexington, Massachusetts were unable to send a preliminary report about weather patterns to traders and investors earlier this year.
“We were shut out entirely. That’s our one source of data,” said Rutgers climatologist David Robinson, whose global snow lab also relies on the satellite data. The cyberattack on the U.S. weather system is only the latest one on the United States. The White House was hacked last month. Shortly before that, hackers breached USIS, a federal contractor that knows who has top security clearances for the U.S. government, because it provides background checks.
Typically, cybersecurity experts blame Russia for hacks on the nation’s infrastructure or sometimes other countries.

November 13th, 2014

Ground Zero Summit, 13-14 Nov 2014

Ground Zero Summit 2014
Asia’s Foremost Information Security Summit

Ground Zero Summit is the largest collaborative platform in Asia for Cyber security experts and researchers to address emerging cyber security challenges and demonstrate cutting-edge technologies. Ground Zero Summit is the exclusive platform in the region providing opportunities to establish and strengthen relationships between corporate, public sector undertakings (PSUs), government departments, security and defense establishments.

Following on from the huge successes of Ground Zero Summit 2013, New Delhi and Ground Zero Summit 2014, Colombo, Ground Zero Summit 2014, New Delhi promises to bring hackers and information security experts from all over Asia under one roof. It will showcase indigenous products and ingenious brains working in the field of information security to the world.

Ground Zero Summit (G0S) is being organised by the Indian Infosec Consortium (IIC), which is an independent not-for-profit organisation formed by leading cyber experts.

Who will attend?

Ground Zero Summit 2014 will be attended by security experts, practitioners, thought leaders, hackers, cyber security taskforce members, scientists, CTOs, IT managers, senior VPs, CISOs, and aspiring information security professionals and students. Be a part of the initiative, pushing Information Security to the next level. The largest Information Security gathering in India is on its way – Witness, Participate & Deliver.

Summit Highlights

  • Keynote by top dignitaries of India
  • 1,500 + delegates from India and around the globe
  • Active support from the government of India and its Information Security Establishment
  • 36 talks from renowned hackers and cyber security researchers
  • Cyber Chankya – Panel discussion on India’s Cyber Security and Foreign Policy
  • Large number of executives from global corporations and federal agencies will attend
  • Hack – A- Goal – Robo Football Hacking Competition

G0S Partners 2014: Innefu, the gold sponsor


INNEFU is a research oriented Information Security consulting group specializing in meeting the Information Security needs of the consumer via specialized products and services. We believe in innovating and creating the latest technologies to combat the rapidly growing menace of hacking and reduce dependency on human factors. We offer a complete gamut of Information Security services under one roof which includes our patented and patent pending products like 99% Secure – Cyber Cafe Surveillance, Tactical Internet interception, Multi Factor Authentication, Link analysis and Pattern Matching and services like complete corporate security process management, web application security and managed security services.

Venue:

The Ashok Hotel, Niti Marg, Chanakyapuri, New Delhi, DL 110021.

November 13th, 2014

