Archive for November, 2013


Bitcoin Mining malware bundled with Potentially Unwanted Programs
The increasing public attention paid to Bitcoin has not gone unnoticed by cyber criminals, who have begun unleashing Bitcoin-mining malware.
Security researchers at Malwarebytes warned about a new threat in which Bitcoin miners are bundled with third-party potentially unwanted programs (PUPs), which in turn come bundled with legitimate applications.
The malware lets cybercriminals use the victim's computing resources for their own gain. "This type of system hijacking is just another way for advertising based software to exploit a user into getting even more cash."
The malware was found to use 'jhProtominer', a popular command-line mining program, to abuse the CPUs and GPUs of infected computers to generate Bitcoins.
Upon further investigation Malwarebytes found that the parent process of the miner was "monitor.exe", part of the YourFreeProxy application, which "beacons out constantly, waiting for commands from a remote server, eventually downloading the miner and installing it on the system."
However, the company behind the application has a specific clause (clause 3) in its EULA that mentions mathematical calculations resembling the Bitcoin mining operation. In other words, the company reserves the right to install a miner, use the system's resources to mine Bitcoins and keep the rewards for itself.
The growing presence of Bitcoin-mining malware reflects the increasing popularity of the currency. Cyber criminals are always looking for new ways to monetize their activities, and Bitcoin generation lets them do just that.
To stay safe, use a professional antivirus solution able to find and safely remove malware from your system. Safe computing habits also help prevent infection and unwanted mining: do not download and install applications from unknown sites, and read the license terms of bundled "free" software before accepting them.


via The Hacker News http://thehackernews.com/2013/11/dont-install-crap-bitcoin-mining.html

Vodafone Iceland hacked and exposed 70000 Users' Personal Information

Today Vodafone Iceland was hacked by the Turkish hacker group Maxn3y (@AgentCoOfficial), which in the past has stolen data from airport systems, electronics giants and a fast food company.

The group announced via Twitter that it had compromised a Vodafone Iceland server and defaced the official website (Vodafone.is) along with various sub-domains, including the company's mobile site.

The hackers released a 61.7 MB compressed RAR archive, protected with the password TURKISH, containing a collection of files including one titled users.sql that appears to hold some 77,000 user accounts.

The file includes user names, social security numbers, encrypted passwords and other encrypted information. The portal CyberWarNews posted the list of leaked files and described their contents.

The complete list of leaked files follows:

v2.sql

Multimedia database, nothing critical: 400K rows of user tracking and logging with user agents, referers, etc.

greind.sql

SMS history with what appears to be full text messages, to and from numbers, with timestamps, all dated 2011-08-19

SMS logger: sender id, sms id, user IP, date.

900k rows of user contact details related to an SMS plan.

users.sql

User names, ids, encrypted passwords, email addresses, social security numbers, dates, bank details (a lot is incomplete)

77,25

sso_vodafone.sql

Account manager’s details

Full names, phone numbers, email addresses.

sms_history.sql and signup.sql explained above.

XLS files

6stodvar_signup.xls

kennitala (social security numbers), dates, ticket numbers, campaign ids(unknown campaign), email addresses

Count: 23,494

100mb_pakkar.xls

id, code(unknown), msisdn, sms, timestamp(ts)

Count: 1001

aukalykill_signup.xls

Id, full name (nafn), kennitala (SSN), pnr, confirmed, date, ticket, email, senda, receiver.

Count: 4305

env_users.xls

Id, IP addresses, user name, encrypted passwords, email addresses, first name, last name, phone, fax, Reg date, last active, user level, notes

Count: 334

ev_users.xls

Id, school, login, clear text passwords, names, isadmin, active

Count: 18

gagnamaga_account.xls

Id, timestamp, IP, session id, social security numbers, email addresses

Count: 1491

registeration.xls

Id, phone, social security numbers, email addresses, ticket id, registration status, date, IP

Count: 1247

ris_site_users.xls

User names, clear text passwords, names, email addresses and permissions

Count: 12

shop_order.xls

cart_id, names, social security numbers, postal codes, email addresses, credit card names, nulled credit card numbers and dates, sale amounts.

Count: 3086

signup_buika.xls

Real names, email addresses, companies, chairman name.

Count: 31

survey_registration.xls

Id, content, date, email addresses

Count: 1929

um_clients.xls

usernames, clear text passwords, active, companies, full addresses, contact numbers, websites, nulled locations.

Count: 767

vodafonecup2010

User names, 5x full names, phone numbers, social security numbers

Count: 71

ris_world_zones.xls

Names, partner countries, to Iceland (nothing important)

Count: 10

shop_cart.xls

Session id and details encrypted, (nothing important)

Count: 49,468

shop_cart_items.xls

File name says all, nothing of importance here.

shop_cart_plan

File name says all, nothing of importance here.

The Vodafone Iceland website was quickly restored, but at the time of writing it is not reachable.


via The Hacker News http://thehackernews.com/2013/11/vodafone-iceland-hacked-and-exposed.html

Google Nexus phones vulnerable to SMS-based DOS attack
Google's Nexus smartphones are vulnerable to an SMS-based denial-of-service (DoS) attack: an attacker can force a device to restart, freeze, or lose its network connection by sending it a large number of special SMS messages.

The vulnerability was discovered by Bogdan Alecu, a system administrator at Dutch IT services company Levi9, and affects all Android 4.x firmware versions on the Galaxy Nexus, Nexus 4 and Nexus 5.

The problem lies in how the phones handle a special type of text message known as a flash SMS (a class 0 message, which is normally displayed immediately rather than stored by the system and does not trigger an audio alert). By sending around 30 flash SMS messages to a Nexus phone, an attacker can cause it to malfunction.

He presented the vulnerability on Friday at the DefCamp security conference in Bucharest, Romania. In an email exchange with me, he said: "I was testing different message types and for the class 0 messages I noticed that the popup being displayed also adds an extra layer which makes the background darker. Then my first thought was: what happens if I send more such messages? Will it make the entire background go black? If so, wouldn't this cause a memory leak? The answer is 'Yes' for both of the questions. So, basically, by sending around 30 Class 0 messages, it will make the Google device behave strangely."

According to the researcher, the overload can have several outcomes:

  • The phone reports that the Messaging application has stopped
  • The phone reboots; this is what happens in most cases
  • Only the Radio (mobile network communication) app restarts, after which the device can no longer use mobile data (it cannot connect to the APN)

Android devices offer no easy way by default for users to send flash messages, though several apps are available to do so.

Alecu says he discovered the issue more than a year ago and reported it to Google; in July he was told it would be addressed in Android 4.3, but that proved not to be the case.

Google is now aware of the situation and says it is investigating. Until a fix lands, users can install the free Class0Firewall app to block such messages.
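The following is an added example, not code from the article, from Alecu or from the Class0Firewall app: it decodes the message class from the TP-DCS octet of an SMS as defined in GSM 03.38 (class 0 is the "flash" message) and rate-limits class 0 messages per sender, which is the check a filter app has to perform before the message reaches the UI. The threshold of 30 messages per 60 seconds and the sender number are assumptions chosen for the demo.

```python
"""Added example (not from the article or Alecu's research): classify an SMS
by its GSM 03.38 TP-DCS octet and rate-limit class 0 ("flash") messages per
sender, which is what a Class0Firewall-style filter must do. The threshold
(30 messages) and window (60 seconds) are assumptions for the demo."""
from collections import defaultdict, deque

FLASH_CLASS = 0  # class 0: displayed immediately, not stored; the "flash SMS"


def sms_class(dcs: int):
    """Return the message class (0-3) encoded in a TP-DCS octet, or None.

    GSM 03.38: coding groups 00xx and 01xx carry a class only when bit 4 is
    set; group 1111 always carries a class in bits 1-0; the message-waiting
    groups (1100-1110) carry no class.
    """
    if not 0 <= dcs <= 0xFF:
        raise ValueError("TP-DCS is a single octet")
    group = dcs >> 4
    if group & 0b1000 == 0:              # 00xx / 01xx: general data coding
        return dcs & 0b11 if dcs & 0x10 else None
    if group == 0b1111:                  # data coding / message class group
        return dcs & 0b11
    return None                          # message waiting indication groups


class FlashSmsGuard:
    """Drop class 0 messages from a sender that exceeds `limit` in `window` s."""

    def __init__(self, limit=30, window=60.0):
        self.limit, self.window = limit, window
        self._seen = defaultdict(deque)  # sender -> timestamps of class 0 msgs

    def allow(self, sender: str, dcs: int, now: float) -> bool:
        if sms_class(dcs) != FLASH_CLASS:
            return True                   # ordinary SMS: never filtered here
        q = self._seen[sender]
        while q and now - q[0] > self.window:
            q.popleft()                   # expire timestamps outside the window
        if len(q) >= self.limit:
            return False                  # flood: drop before the UI sees it
        q.append(now)
        return True


def simulate_flood(count=35, dcs=0x10, limit=30):
    """Constructed burst of `count` messages with the given DCS from one
    sender within one second; returns (delivered, dropped)."""
    guard = FlashSmsGuard(limit=limit)
    delivered = sum(guard.allow("+000000000", dcs, i * 0.01) for i in range(count))
    return delivered, count - delivered


if __name__ == "__main__":
    print(sms_class(0x10), sms_class(0x00), sms_class(0xF1), sms_class(0xC0))
    print(simulate_flood())           # 30 class 0 messages delivered, 5 dropped
    print(simulate_flood(dcs=0x00))   # ordinary messages are never dropped
```

The guard looks only at the DCS octet, so a real filter would still have to parse the PDU to reach it; the point is that the class is a property of the message header the attacker controls, not of its text, which is why the flood cannot be stopped by content filtering alone.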

Mohit Kumar – Founder and Editor-in-Chief of 'The Hacker News'.

via The Hacker News http://thehackernews.com/2013/11/Flash-sms-dos-attack-Google-Nexus.html

Linux worm targeting Routers, Set-top boxes and Security Cameras with PHP vulnerability
A Symantec researcher has discovered a new Linux worm that targets machine-to-machine devices and propagates by exploiting a PHP vulnerability (CVE-2012-1823) that was patched as far back as May 2012.
The worm, dubbed Linux.Darlloz, poses a threat to devices such as home routers, set-top boxes and security cameras, and even industrial control systems. It is based on proof-of-concept code released in late October and spreads by exploiting the vulnerability in php-cgi.

"Upon execution, the worm generates IP addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability. If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target," the Symantec researchers explained.

Other than silently spreading itself and wiping a number of system files, the malware does not appear to perform any malicious activity.

So far the observed variant targets x86 systems, because the binary downloaded from the attacker's server is in ELF (Executable and Linkable Format) for Intel architectures.


However, Symantec says the attacker also hosts variants of the worm for other architectures, including ARM, PPC, MIPS and MIPSEL.

No attacks have been reported in the wild, but Symantec warned that most users would not realize they were at risk, as they would be unaware that their devices run Linux.

To protect their devices from the worm, users are advised to update their software to the latest version, choose stronger device passwords and block incoming HTTP POST requests to the /cgi-bin/php* paths. The underlying bug (CVE-2012-1823) is that php-cgi treats a query string containing no literal "=" as command-line options, so an attacker can pass switches such as -d auto_prepend_file=php://input and have the POST body executed as PHP; blocking those paths at the perimeter, or upgrading PHP, removes the entry point.
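As an added example, not Symantec's analysis code or anything from the worm itself, the detector below scans combined-format web server log lines for requests that match the CVE-2012-1823 php-cgi argument-injection pattern Linux.Darlloz relies on. The log lines are constructed for the demo (documentation IP ranges), the request shapes follow the public exploit, and the path list and classification labels are assumptions.

```python
"""Added example (not Symantec's or the worm's code): flag HTTP requests that
look like CVE-2012-1823 php-cgi argument injection, the propagation vector
Linux.Darlloz uses, in combined-format access log lines. The log lines below
are constructed for the demo; the URL patterns come from the public exploit."""
import re
from urllib.parse import unquote

# combined log format: host ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# php-cgi binary names commonly exposed under /cgi-bin (assumed list)
PHP_CGI_PATH = re.compile(r"^/cgi-bin/php(?:5|-cgi|\.cgi)?$")


def classify_request(target: str):
    """Return 'rce', 'argv-injection' or None for a request target.

    php-cgi only treats the query string as argv when the raw query contains
    no literal '=' (an RFC 3875 "indexed" query); that is why the exploit
    encodes '=' as %3d. A decoded query beginning with '-' is the tell.
    """
    path, _, raw_query = target.partition("?")
    if not PHP_CGI_PATH.match(path) or not raw_query or "=" in raw_query:
        return None
    decoded = unquote(raw_query.replace("+", " ")).strip()
    if not decoded.startswith("-"):
        return None
    if "auto_prepend_file" in decoded or "allow_url_include" in decoded:
        return "rce"              # POST body gets executed as PHP
    return "argv-injection"       # e.g. -s (source disclosure) or other switches


def scan_log(lines):
    """Return (client_ip, method, target, verdict) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue              # skip lines that are not in combined format
        ip, method, target, _status = m.groups()
        verdict = classify_request(target)
        if verdict:
            hits.append((ip, method, target, verdict))
    return hits


SAMPLE_LOG = [  # constructed lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
    '203.0.113.5 - - [27/Nov/2013:10:01:02 +0000] "POST /cgi-bin/php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp://input+-n HTTP/1.1" 200 512',
    '203.0.113.5 - - [27/Nov/2013:10:01:03 +0000] "POST /cgi-bin/php5?-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 512',
    '198.51.100.9 - - [27/Nov/2013:10:02:00 +0000] "GET /cgi-bin/php?page=home HTTP/1.1" 200 1024',
    '198.51.100.9 - - [27/Nov/2013:10:02:01 +0000] "GET /index.php?-d+foo HTTP/1.1" 200 1024',
    '203.0.113.5 - - [27/Nov/2013:10:03:00 +0000] "POST /cgi-bin/php-cgi?-s HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

The same predicate (php-cgi path, query without a literal "=", decoded query starting with "-") is what a perimeter rule should block; checking the decoded form is what catches the %3d encoding, while checking the raw form for "=" is what keeps ordinary `?page=home` requests out of the alert stream.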

Mohit Kumar – Founder and Editor-in-Chief of 'The Hacker News'.

via The Hacker News http://thehackernews.com/2013/11/Linux-ELF-malware-php-cgi-vulnerability.html

TIME magazine Twitter account hacked by Syrian Electronic Army
The hacktivist group Syrian Electronic Army (SEA) briefly took over the Twitter account of TIME Magazine today.
The hackers tweeted from TIME's account: "Syrian Electronic Army Was Here via @Official_SEA16.. Next time write a better word about the Syrian president #SEA", together with their logo.
TIME Magazine is currently hosting a vote for "Who Should Be TIME's Person of the Year?", and on its website Syrian President Bashar al-Assad is described as follows: "Syria's ruler presided over a bloody year, shrugging off international concerns over the use of chemical weapons as the death toll of his country's civil war eclipsed 100,000."
How they got into TIME's account is not yet clear; the group is known for using phishing attacks to compromise high-profile accounts.

TIME's staff deleted the tweet about 10 minutes after the hack. In a separate tweet from their own handle, the hackers said: "We think Bashar al-Assad should be @TIME's Person of the Year."


So far the Syrian president is in 7th place with only 2.7% of the votes. Stay tuned to 'The Hacker News' for more updates on the story.

Wang Wei – Security consultant, malware analyst, penetration tester and security researcher at 'The Hacker News'.

via The Hacker News http://thehackernews.com/2013/11/time-magazine-twitter-account-hacked-by.html

Skype spam leads to Zeus Malware
Skype has been targeted by cyber criminals again this week. Users are receiving a new spam email with the subject "You received a new message from the Skype voice mail service." that actually leads to Zeus malware.
Zeus is a Trojan horse that attempts to steal confidential information from the compromised computer. It specifically targets system information, online credentials and banking details, but can be customized through its toolkit to gather any sort of information.
The email is sent from a spoofed "Skype Communications" address and looks genuine: its body content resembles, and it carries the official Skype logo that accompanies, legitimate Skype voice mail alerts.

"This is an automated email, please don't reply. Voice Message Notification. You received a new message from the Skype voice mail service," the email reads. The fraudsters have also tried to make the emails look genuine by adding real links back to the Skype website.

According to MX Lab, the attached file (151 kB) is a variant of the Zeus Trojan, with a name of the form:

Skype_Voice_M_497564___random_numbers___872345.wav.exe

The double extension is the giveaway: the file is an executable (.exe) dressed up as an audio recording (.wav), and because Windows hides known file extensions by default, the victim sees only the .wav part.

If you receive one of these emails, delete it and do not open the attachment.
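Below is an added example, not code from MX Lab, Skype or the article, showing how a mail gateway can flag attachment names like the one above: it checks for an executable final extension hidden behind a decoy document or media extension, and shows what the name looks like to a user whose Explorer hides known extensions. The extension lists and sample names are assumptions constructed for the demo.

```python
"""Added example (not MX Lab's or Skype's code): flag mail attachment names
that hide an executable behind a decoy media or document extension, as the
Skype voice-mail lure does with a .wav.exe file. Extension lists and the
sample names are constructed for the demo."""

EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "jar"}
DECOY_EXT = {"wav", "mp3", "pdf", "doc", "docx", "jpg", "png", "txt", "zip"}


def displayed_name(name: str) -> str:
    """What Windows Explorer shows with 'Hide extensions for known file types'
    enabled (the default): the last extension is stripped, so 'x.wav.exe'
    appears as 'x.wav'."""
    base, dot, ext = name.rpartition(".")
    return base if dot and ext.lower() in EXECUTABLE_EXT | DECOY_EXT else name


def attachment_risk(name: str) -> str:
    """Return 'double-extension', 'executable' or 'ok' for an attachment name."""
    parts = name.strip().lower().split(".")
    if len(parts) < 2:
        return "ok"                          # no extension at all
    last = parts[-1]
    if last not in EXECUTABLE_EXT:
        return "ok"                          # not directly runnable by name
    if len(parts) >= 3 and parts[-2] in DECOY_EXT:
        return "double-extension"            # e.g. voicemail.wav.exe
    return "executable"


def triage(names):
    """Map each attachment name to (risk, name as the victim would see it)."""
    return {n: (attachment_risk(n), displayed_name(n)) for n in names}


SAMPLE_ATTACHMENTS = [  # constructed names for the demo
    "Skype_Voice_M_497564___872345.wav.exe",
    "voicemail.wav",
    "invoice.pdf.scr",
    "setup.exe",
    "README",
]

if __name__ == "__main__":
    for name, (risk, shown) in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{risk:17} shown as {shown!r:40} actual {name!r}")
```

A gateway rule built on `attachment_risk` would quarantine both "executable" and "double-extension" results; the second label exists so that the alert can explain to the recipient why a file that looked like a .wav was withheld.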

Wang Wei – Security consultant, malware analyst, penetration tester and security researcher at 'The Hacker News'.

via The Hacker News http://thehackernews.com/2013/11/warning-new-message-from-skype.html

Microsoft Windows XP and Server 2003 Privilege escalation Zero-Day exploit discovered
Researchers at FireEye have discovered a new privilege escalation vulnerability in Windows XP and Windows Server 2003.
The local privilege escalation vulnerability, CVE-2013-5065, is being used in the wild in conjunction with an Adobe Reader exploit (CVE-2013-3346) that targets an already-patched Reader vulnerability.
Microsoft has issued an advisory warning that the bug in Windows XP's NDPROXY.SYS driver could allow attackers to run code in the kernel from a standard user account.

The exploit allows a standard user account to execute code in the kernel, which may let an attacker gain privileges to do various things, including deleting or viewing data, installing programs, or creating accounts with administrative privileges.

"Our investigation of this vulnerability has verified that it does not affect customers who are using operating systems newer than Windows XP and Windows Server 2003," Microsoft advised.

Last April, Microsoft announced that it will discontinue support for Windows XP in April 2014, meaning XP users will no longer receive security updates from Microsoft.

Users are advised to update to the latest Adobe Reader, which closes the delivery vector used in the wild, and to upgrade to Windows 7 or a later version, which is not affected by the kernel bug.

Mohit Kumar – Founder and Editor-in-Chief of 'The Hacker News'.

via The Hacker News http://thehackernews.com/2013/11/CVE-2013-5065-Windows-XP-Privilege-escalation-Zero-Day-exploit.html

Thousands of websites based on Ruby on Rails vulnerable to Cookie Handling flaw
Ruby on Rails contains a design flaw that may make it easier for attackers to access applications. Websites that rely on Rails's default cookie storage mechanism, CookieStore, are at risk.

The issue was reported two months ago, but thousands of websites still run a vulnerable configuration of Ruby on Rails that lets an attacker gain unauthorized access again and again without a password, if they manage to steal a user's cookie via cross-site scripting, session sidejacking or physical access.

More than 10,000 websites are affected by the cookie storage flaw, though the attack requires the user's session cookie to be compromised in the first place.

Security researcher G.S. McNamara provided details of the vulnerability in a blog post: he analyzed nearly 90,000 sites with specialized scripts and found 1,897 sites on older versions of Ruby on Rails (version 2.0 to version 4.0) that store users' session data in the cookie unencrypted (base64-encoded and signed, but readable by anyone holding the cookie).

Another concern with the analyzed sites is the lack, or incorrect use, of SSL, which allows the session cookie to be eavesdropped in transit.

Surprisingly, large companies such as crowdsourcing site Kickstarter.com, Paper.li, Simfy, Ask.fm, Audioboo and Warner Bros. are also affected by this flaw.

Ruby on Rails encrypts session cookies by default from version 4.0. The purpose of an encrypted, signed cookie is to make sure nobody can forge a cookie to impersonate someone else, but the cookie management still leaves users exposed.

"Version 4.0 and beyond still have this problem," wrote McNamara. "The attacker could save the encrypted cookie and send it to the server to log in as the victim without having to read the contents of the cookie. The encryption does not protect against reusing the cookie after logout."

This means that even though the cookies are encrypted, an attacker who steals one can use it to log in to the vulnerable website, because the site accepts old session cookies for authorization indefinitely: logging out only tells the browser to discard the cookie, while the server keeps no record that the session has ended. The flaw is known as "Insufficient Session Expiration" and it is a serious issue for website management.

Many widely used websites and tools store the session hash on the client side, including the applications Redmine, Zendesk, and Spiceworks.

How can you discover whether a website is using an older version of Ruby on Rails with the CookieStore cookie-based storage mechanism?

According to McNamara it is quite simple: look for the string "BAh7" at the beginning of the cookie value. It is the base64 encoding of the Ruby Marshal header followed by a hash, i.e. the serialized session itself. A SHODAN search for this string reveals tens of thousands of such websites.

Leaking your cookies is like giving people a temporary password to your accounts. McNamara has asked the Rails developers to switch to a different cookie storage mechanism, for example storing session information on the server side, so that a session can actually be expired.
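The following added example, which is not McNamara's code and not Rails's own implementation, builds and checks a Rails 2/3-style CookieStore session cookie (base64 Marshal payload, "--", hex HMAC-SHA1 over the payload) to show the three points above: the "BAh7" fingerprint, that the session contents are readable without the secret, and that a correctly signed cookie replays after logout unless the server keeps state. The secret token, the hand-written Marshal blob for a one-key session hash, and the two toy server classes are assumptions constructed for the demo.

```python
"""Added example (not McNamara's code or Rails's own implementation): build and
check a Rails 2/3-style CookieStore session cookie to show the "BAh7"
fingerprint, readable contents, and replay after logout. The secret, the
session blob and the server classes are constructed for this demo."""
import base64
import hashlib
import hmac
import re

SECRET_TOKEN = b"demo-secret-token-not-a-real-one"  # constructed secret_token

# Marshal.dump({"user_id" => 42}) as Ruby 1.9+ writes it, laid out by hand:
#   \x04\x08 = Marshal 4.8, '{' = hash, \x06 = 1 pair,
#   I"\x0cuser_id\x06:\x06ET = string "user_id" with encoding ivar,
#   i\x2f = Fixnum 42
SESSION_BLOB = b"\x04\x08{\x06I\"\x0cuser_id\x06:\x06ETi\x2f"


def sign(payload_b64: str) -> str:
    """Rails 2/3 signs the base64 payload with HMAC-SHA1 under secret_token."""
    return hmac.new(SECRET_TOKEN, payload_b64.encode(), hashlib.sha1).hexdigest()


def make_cookie(blob: bytes = SESSION_BLOB) -> str:
    payload = base64.b64encode(blob).decode()
    return f"{payload}--{sign(payload)}"


def verify_cookie(cookie: str):
    """Return the decoded payload if the signature is valid, else None."""
    payload, sep, sig = cookie.rpartition("--")
    if not sep or not hmac.compare_digest(sig, sign(payload)):
        return None                 # forged or tampered: signature check holds
    return base64.b64decode(payload)


def is_plaintext_cookiestore(cookie: str) -> bool:
    """The fingerprint from the text: base64(b"\\x04\\x08{") == "BAh7" marks a
    signed-but-unencrypted CookieStore session."""
    return cookie.split("--", 1)[0].startswith("BAh7")


def readable_strings(blob: bytes, min_len: int = 4):
    """Anyone holding the cookie can read the session without the secret."""
    return [s.decode() for s in re.findall(rb"[ -~]{%d,}" % min_len, blob)]


class CookieOnlyServer:
    """Rails 2/3 behaviour: all session state lives in the cookie; logout only
    asks the browser to discard it, so a copied cookie keeps working."""

    def is_logged_in(self, cookie: str) -> bool:
        return verify_cookie(cookie) is not None

    def logout(self, cookie: str) -> None:
        pass                        # nothing to revoke on the server


class RevokingServer(CookieOnlyServer):
    """Mitigation: remember revoked cookies by signature (a stand-in for a
    server-side session store), so logout actually expires the session."""

    def __init__(self):
        self.revoked = set()

    def is_logged_in(self, cookie: str) -> bool:
        sig = cookie.rpartition("--")[2]
        return sig not in self.revoked and super().is_logged_in(cookie)

    def logout(self, cookie: str) -> None:
        self.revoked.add(cookie.rpartition("--")[2])


def replay_after_logout(server) -> bool:
    """Cookie is stolen, victim logs out, attacker replays it: True if the
    server still accepts it."""
    stolen = make_cookie()
    server.logout(stolen)
    return server.is_logged_in(stolen)


if __name__ == "__main__":
    c = make_cookie()
    print(c.startswith("BAh7"), readable_strings(verify_cookie(c)))
    print(replay_after_logout(CookieOnlyServer()), replay_after_logout(RevokingServer()))
```

Swapping the base64 payload for a ciphertext, as Rails 4 does, only changes `is_plaintext_cookiestore` and `readable_strings`; `replay_after_logout(CookieOnlyServer())` stays true, which is exactly McNamara's point about version 4.0. The revocation set is the smallest fix that demonstrates the idea; in practice it has to be shared across application servers and pruned when cookies expire, which is why a server-side session store is the usual answer.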

Pierluigi Paganini – Researcher, security evangelist and analyst; founder of 'Security Affairs' and author of The Deep Dark Web.

via The Hacker News http://thehackernews.com/2013/11/thousands-of-websites-based-on-ruby-on_29.html

Danish Bitcoin exchange BIPS hacked and 1,295 Bitcoins worth $1 Million Stolen
Breaking news: another Bitcoin exchange company has been hacked, this time BIPS (bips.me), one of the largest European Bitcoin payment processors, based in Denmark.

On Friday evening, criminals broke into the servers of the BIPS Bitcoin payment processor and emptied around 1,295 Bitcoins from people's wallets, currently worth about $1 million. More than 22,000 consumer wallets have been compromised and BIPS will be contacting the affected users.

Initially, on 15th November, attackers launched a Distributed Denial of Service (DDoS) attack on BIPS originating from Russia and neighboring countries, and then attacked again on 17th November. This time they somehow gained access to several online Bitcoin wallets, which allowed them to steal the 1,295 BTC.

As a consequence, BIPS will temporarily close down its wallet initiative to focus on its real-time merchant processing business, which does not involve storing Bitcoins, the company says.
"All existing users will be asked to transfer bitcoins to other wallet solutions," said Mr. Henriksen, BIPS founder. Even after the robbery, he told his customers that "Web Wallets are like a regular wallet that you carry cash in and not meant to keep large amounts in". One customer replied to Henriksen's post: "In fact, your website said: 'Your data is secure at BIPS.' So yeah, I felt pretty goddamn secure leaving my BTC balance there." Keeping thousands of dollars in a hosted wallet exposes it to exactly this kind of theft, so do not store your Bitcoins on the internet.

Swati Khandelwal – Senior Editor at 'The Hacker News'.

via The Hacker News http://thehackernews.com/2013/11/danish-bitcoin-exchange-bips-hacked-and_25.html

The Silk Road Founder financially linked to Bitcoin Creator Satoshi Nakamoto

Two of the most important moments in the history of Bitcoin are its creation by Satoshi Nakamoto and the bust of The Silk Road's founder Ross William Ulbricht. The Silk Road's black market ran on a Bitcoin economy.

According to a report published by two Israeli computer scientists, Ross William Ulbricht, aka Dread Pirate Roberts, may be financially linked to Satoshi Nakamoto.

Even though Bitcoin buyers and sellers remain anonymous, the transactions themselves are public, so the scientists were able to trace the interactions.

The scientists, Dorit Ron and Adi Shamir, explored the connection between the operator of Silk Road, recently arrested by the FBI for running the internet black market, and the entity that invented Bitcoin.

The Bitcoin design was published in 2008 and the network went live shortly afterwards. It has been popularly believed that the first accounts from the early days of Bitcoin belonged to Satoshi Nakamoto, who accumulated some 77,600 BTC by mining. Whoever could generate 77,600 BTC from mining in the first days of the network is very likely its creator.

The scientists discovered that a transfer of 1,000 Bitcoins was made, just a week after the network launched, from that same initial account, believed to belong to the currency's inventor, into an account controlled by Ulbricht. However, the researchers could not prove whether the account really belonged to Nakamoto.

When Silk Road operator Ross William Ulbricht was arrested in October, the site had generated more than USD 1.2 billion in sales and USD 80 million in commissions.

The researchers believe that the commissions seized by the FBI comprise only 22% of the total, while they themselves were able to track only about a third of those commissions. One possible reason the FBI has not recovered all of Ulbricht's bitcoins is that he used a second computer that has not been located.

Nakamoto's real identity has never been uncovered, despite attempts to work out who has the cryptographic and mathematical skills to create such a system.

It would be no surprise if Nakamoto and Ulbricht turned out to be the same person... just a thought.

Mohit Kumar – Founder and Editor-in-Chief of 'The Hacker News'.

via The Hacker News http://thehackernews.com/2013/11/Bitcoin-Satoshi-Nakamoto-Ross-William-Ulbricht-Silk-Road.html