Archive for December, 2013


Happy Holidays and Merry Christmas from 'The Hacker News'

The Christmas spirit has finally arrived. It’s Christmas Day, a time for family and friends.

We have had another wonderful year here at ‘The Hacker News’, so we not only want to wish you a Happy Holiday and Merry Christmas, but also thank you for reading our articles, commenting, sending tips and joining us in spreading cyber awareness.

We really appreciate your support and engagement with THN. With the same goal as always, i.e. to provide the most up-to-date information on a wide variety of topics that relate to hackers and security experts worldwide, we will return with new ideas, gifts and stories from 1st January, 2014.

Merry Christmas and a Blessed and Happy New Year to you and yours.


via The Hacker News http://thehackernews.com/2013/12/The-Hacker-News-Christmas-Thanks.html

RSA denied accusation of inserting secret backdoors for the NSA
According to media reports in September, documents released by whistleblower Edward Snowden confirmed the existence of a backdoor in some RSA technologies.
Last Friday, the Reuters news agency accused the security firm RSA of taking a $10 million ‘bribe’ from the National Security Agency (NSA) in order to promote a flawed encryption algorithm by including it in its BSAFE product, thereby facilitating NSA spying.
Today, in a blog post, RSA categorically denied the accusation of any secret partnership with the National Security Agency to insert a backdoor.

“Recent press coverage has asserted that RSA entered into a “secret contract” with the NSA to incorporate a known flawed random number generator into its BSAFE encryption libraries. We categorically deny this allegation.

We have never entered into any contract or engaged in any project with the intention of weakening RSA’s products,” the company said.

The company gave the following reasons for choosing and promoting the flawed Dual EC DRBG:

“We made the decision to use Dual EC DRBG as the default in the BSAFE tool-kit in 2004, in the context of an industry-wide effort to develop newer, stronger methods of encryption. At that time, the NSA had a trusted role in the community-wide effort to strengthen, not weaken, encryption.”

However, a backdoor was discovered in the algorithm in 2007, as detailed by security expert Bruce Schneier, which weakened the strength of any encryption that relied on it.

“The Dual EC DRBG was one of several different random number generators available and customers were free to choose whichever one best suited their needs,” RSA said.

Finally, in 2013, on the recommendation of the National Institute of Standards and Technology (NIST), RSA warned its customers not to use the algorithm at all.

Although RSA’s argument appears solid, it is important to note that RSA does not comment on whether it accepted any money from the NSA for promoting the algorithm, nor does it explain why it continued to use the flawed algorithm as the default in BSAFE until 2013 rather than removing it completely.


via The Hacker News http://thehackernews.com/2013/12/rsa-denied-accusation-of-inserting.html

More than 1,400 Financial institutions targeted by Banking Trojan in 2013

As the year draws to a close, we have seen a number of emerging threats: advanced phishing attacks from the Syrian Electronic Army, financial malware and exploit kits, CryptoLocker ransomware, bitcoin theft, extensive privacy breaches by the NSA and many more.

Financial malware was the most popular threat this year. Money is always a perfect motivation for attackers and cyber criminals, who continually target financial institutions.

On Tuesday, antivirus firm Symantec released a threat report called “The State of Financial Trojans: 2013”, which revealed that over 1,400 financial institutions have been targeted, millions of computers around the globe have been compromised, and the most targeted banks are in the US, accounting for 71.5% of all analyzed Trojans.

Financial institutions have been fighting malware for the last ten years to protect their customers and online transactions from threats. Over time the attackers adapted to these countermeasures and sophisticated banking Trojans began to emerge.

According to the report, the number of infections by the most common financial Trojans grew by 337 percent in the first nine months of 2013. Nearly 1,500 institutions in 88 countries were potential targets during 2013.


The financial fraud marketplace is also increasingly organized, and cyber criminals are using advanced Trojans to commit large-scale attacks.

Attackers of all skill levels can enter the arena of financial fraud, as the underground marketplace is a service industry that provides an abundance of resources. Those who lack expertise can simply purchase what they need. For as little as $100, an attacker can obtain a leaked Zeus or SpyEye kit equipped with Web-injects.

The modern financial Trojan is extremely flexible, supporting a range of functionality designed to facilitate fraudulent transactions across a variety of services.

Two dominant attack strategies are:

  • Focused attack: This approach suits attackers with limited resources but also scales well to larger operations. If the distribution is accurate and the target institution has a sizeable client base, a focused attack can provide an adequate supply of targets. Shylock, Bebloh and Tilon all use this approach exclusively.
  • Broad strokes: In this attack strategy, Trojans are set to target large numbers of institutions. Tilon, Cridex, and Gameover adopt these tactics and Zeus also uses this approach in its default configuration.

According to Symantec, the main reason for the surge is weak authentication practices:

Unfortunately, in many situations, security implementations adopted by financial institutions are inadequate to defend against the modern financial Trojan. Institutions are starting to adopt strong security measures like chipTAN, but the adoption rate is slow. Institutions that persist with weaker security measures will continue to be exploited by attackers.

They need to maintain constant vigilance, apply software updates, maintain an awareness of new threats and deploy complementary security solutions that can defend against evolving malware attacks.

via The Hacker News http://thehackernews.com/2013/12/more-than-1400-financial-institutions.html

iOS 7 Untethered Jailbreak released for iPhone, iPad and iPod devices
If you love the iPhone, you are surely going to love this news. iOS 7 was released three months ago, and today the evad3rs team has finally released an untethered jailbreak for iPhone, iPad and iPod devices running iOS 7.0 through iOS 7.0.4.
The evasi0n installer is compatible with Windows, Mac OS X and Linux, so no matter what operating system you’re on, you should be able to jailbreak your device.

Jailbreaking is the procedure of modifying the iOS of your iPhone to remove the limitations imposed by Apple. This allows a user to access and install a lot of new applications, software and other similar content which otherwise are not made available to iPhone users through the Apple Store.

The process is very simple, and within five minutes you can jailbreak your device. According to the instructions, iTunes must be installed if you’re running Windows and the only prerequisite is that the device should be running iOS 7.0.4.

The team advises users to back up device data before using the evasi0n tool. If something breaks, you’ll always be able to recover your data.

FAQ: “Is jailbreaking legal or not?” Yes, it is legal, at least in the US: a rule passed in July 2010 by the US government made it legal, so whatever you are doing with your iPhone is completely legal.

Download Evasi0n for Windows

Once the installation is complete, Cydia will appear on the home screen.


via The Hacker News http://thehackernews.com/2013/12/ios-7-untethered-jailbreak-released-for.html

Hacker threatens to sell data of Millions Israeli Banking users, demanding extortion money in Bitcoin
Data breaches and security incidents are a constant in the headlines these days. Hackers and cyber criminals are motivated by status or money, and are finding new, more innovative and creative attacks to achieve this.

One of them is digital bank robbery, where the thieves don’t need masks and guns to pull off the job; all they need are hacking skills, a computer and the Internet. Another is cyber extortion: the threat of an attack against an enterprise or a bank, coupled with a demand for money to avert or stop the attack.

According to Haaretz news, a hacker who operates one of the biggest botnet malware networks in Israel has threatened three major Israeli banks: Israel Discount Bank, Bank Yahav and the First International Bank of Israel.

The banks received an e-mail message threatening that unless they handed over a certain sum in Bitcoins by the end of next week, a list of customers’ details would be given to hostile elements.

The banks’ databases, networks and websites were not breached in this case; rather, the hacker claimed that he controls a huge financial Trojan botnet in Israel that has already infected millions of systems across the nation and collected a massive dump of stolen personal information, passwords, banking information and credit card numbers of 3.7 million users.
The hacker has demanded the payoff in Bitcoin, an untraceable virtual currency, perfect for blackmailers and cyber criminals. Bitcoin is not backed by any central bank or government and can be transferred “peer to peer” between any two people anywhere.

The banks declined to comment on the report and immediately reported the threat to the Israel Police. According to the source, some of them do not see the threat as serious. The Bank of Israel held a meeting on Tuesday on the issue; we will update you soon on their next step in a new article.

Cyber attacks are becoming more and more advanced and sophisticated, more or less any company in the world is on the list of targets to rob. You should keep updating your knowledge about the cyber world to Stay Safe from all threats.


via The Hacker News http://thehackernews.com/2013/12/hacker-Israeli-Bank-botnet-malware-extortion-bitcoin.html

NSA paid 10 Million bribe to RSA Security for Keeping Encryption Weak
If you own a world-renowned security product or service, the National Security Agency (NSA) is ready to pay you $10 million or more in bribes to keep an intentional backdoor in it for them.
According to an exclusive report published by Reuters, there was a secret deal between the NSA and the respected encryption company RSA to implement a flawed security standard as the default in its products.
Earlier Edward Snowden leaks had revealed that the NSA created a flawed random number generator, Dual Elliptic Curve (Dual_EC_DRBG), which RSA used in its BSAFE security toolkit; now Snowden has revealed that RSA received $10 million from the NSA for keeping encryption weak.

So anyone who knows the right numbers used in the random number generator can easily decipher the resulting ciphertext.
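That sentence is the whole mechanism in one line, and it is also what the RSA denial article earlier on this page turns on. To make it concrete, here is an added illustration, not code from the article, from RSA or from any real Dual EC implementation: a toy Dual-EC-style generator over a small elliptic curve, with an observer who knows the secret relation P = d·Q between the generator’s two public constants. The curve, the base point Q, the trapdoor d and the seeds are all constructed for this example. The real generator runs on a 256-bit NIST curve and drops a few bits of each output, which makes state recovery slightly more work but does not change the principle: one output is enough to recover the next internal state and predict everything after it.

```python
# Added illustration (constructed; not from the article, RSA or NIST): a
# toy Dual-EC-style generator over a tiny curve, and an observer who knows
# the trapdoor relation P = d*Q between its two public constants.
P_MOD = 107            # small prime modulus, chosen only for readability
A, B = 2, 3            # curve y^2 = x^3 + 2x + 3 over F_107 (discriminant non-zero)
INF = None             # the point at infinity (group identity)

def ec_add(p1, p2):
    """Affine point addition on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # P + (-P)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def x_of(pt):
    """x-coordinate as an integer; the identity maps to 0 in this toy."""
    return 0 if pt is INF else pt[0]

# Public constants of the generator. Q is an ordinary base point; P was
# derived from Q with a secret scalar d. Users of the generator see only P and Q.
Q = (3, 6)             # 6^2 = 36 = 3^3 + 2*3 + 3 (mod 107), so Q is on the curve
TRAPDOOR_D = 29        # constructed secret: whoever chose P knows it, users do not
P = ec_mul(TRAPDOOR_D, Q)

def next_state(s):
    """s_{i+1} = x(s_i * P)"""
    return x_of(ec_mul(s, P))

def output_of(s):
    """r_i = x(s_i * Q)  (the real generator also drops a few top bits)"""
    return x_of(ec_mul(s, Q))

def generate(seed, n):
    """Honest use: advance n times from seed and return the n outputs."""
    outputs, s = [], seed
    for _ in range(n):
        s = next_state(s)
        outputs.append(output_of(s))
    return outputs

def lift_x(x):
    """Find a curve point with the given x by brute force (fine at toy size)."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    for y in range(P_MOD):
        if (y * y) % P_MOD == rhs:
            return (x, y)
    return None

def predict_after(r, d, n):
    """Observer with the trapdoor: from ONE output r, recover the generator's
    next state and predict the following n outputs. This works because
    x(d * R) = x(d * s * Q) = x(s * P), which is exactly the next state;
    the sign ambiguity of R does not matter since +/-R share an x."""
    R = lift_x(r)
    if R is None:
        return None
    s = x_of(ec_mul(d, R))
    return [output_of(s)] + generate(s, n - 1)

if __name__ == "__main__":
    real = generate(17, 6)
    guess = predict_after(real[0], TRAPDOOR_D, 5)
    print("real outputs      :", real)
    print("predicted from r_1:", guess, "(matches tail:", guess == real[1:], ")")
```

The defensive reading is the one NIST eventually drew: a generator whose security rests on nobody knowing a relation between its published constants is only as trustworthy as the process that chose those constants, and no amount of later auditing of the code can recover that trust. Replacing the default with a generator that has no such structure (as RSA's 2013 advice amounts to) removes the problem entirely.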

Recommending a bad cryptographic standard is one thing, but accepting $10 million to deliberately implement it is shameful for a respected security company.

The new revelation is important, cryptographer and security expert Bruce Schneier said, because it confirms more of the tactics the NSA is suspected of employing. “You think they only bribed one company in the history of their operations? What’s at play here is that we don’t know who’s involved,” he said.

RSA, now owned by computer storage firm EMC Corp, has maintained that it did not collude with the NSA to compromise the security of its products: “RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any back doors in our products.”

Neither the NSA nor RSA has directly acknowledged the deal. But after the Snowden revelations, what credibility is left for RSA, or for other American software and networking companies?


via The Hacker News http://thehackernews.com/2013/12/nsa-paid-10-million-bribe-to-rsa.html

'The Washington Post' networks compromised 3rd time in the last 3 years
Security experts at the intelligence firm Mandiant have discovered a new intrusion into the network of The Washington Post, the third in the last three years. At the time of writing, the extent of the attack is still unclear, as is any estimate of the losses.

Mandiant reported the incident to The Washington Post this week, confirming that the exposed data include hashes of employees’ credentials.

“Hackers broke into The Washington Post’s servers and gained access to employee user names and passwords, marking at least the third intrusion over the past three years, company officials said Wednesday,” a post by the news organization said.
In early 2013 the New York Times announced that during the previous months it had been the victim of cyber espionage coordinated by Chinese hackers; similar attacks were conducted against other major American news organizations.

The hackers tried to compromise journalists’ email accounts to steal sensitive information, and tried to infiltrate the networks of news organizations using several dozen instances of malware, as revealed by forensic analysis conducted by the Mandiant security firm. The attackers obtained password data for all of the Washington Post reporters and other employees.

Regarding this latest attack, there is no evidence that subscriber information such as credit card data or home addresses was stolen, nor is there information about which parts of the media organization were impacted (e.g. the publishing system, employee e-mail databases, the HR database).

In many cases the hackers targeted a server used by the paper’s foreign staff in order to extend their operation to the entire company infrastructure.

Investigators believe the intrusion lasted at most a few days, but the news is very worrying considering that large international news organizations have become a privileged target for hacking campaigns. The Washington Post, the NYT and the Associated Press have been subject to numerous attacks by state-sponsored hackers, including the well-known Syrian Electronic Army.

While waiting for more detailed results of the investigation, officials planned to ask all employees to change their user names and passwords, on the assumption that a large number of them may have been compromised.


via The Hacker News http://thehackernews.com/2013/12/the-washington-post-compromised-3rd.html

World’s largest Bitcoin Poker Website hacked, 42,000 Passwords Stolen

The world’s largest Bitcoin poker website, ‘SealsWithClubs’, has been compromised and around 42,000 users’ credentials are at risk.

Seals With Clubs has issued a mandatory password reset warning to its users, according to a statement published on the website.

The service admitted its database had been compromised and revealed that the data center used until November was breached, resulting in the theft of 42,020 hashed passwords.

“Passwords were salted and hashed per user, but to be safe every user MUST change their password when they next log in. Please do so at your earliest opportunity. If your Seals password was used for any other purpose you should reset those passwords too as a precaution,” the statement said, adding that “Transfers may be disabled for a short period of time.”

Seals With Clubs used the SHA1 hash function to protect the passwords, but SHA1 is outdated and easy to crack if not salted.
A user, ‘StacyM’, then posted the hashed passwords on a web forum operated by the commercial password cracking software vendor ‘InsidePro’ and asked for them to be cracked for $20 in bitcoins per 1,000 unique passwords. Two-thirds of the list were cracked by the next day; some of the cracked passwords are “bitcoin1000000”, “sealswithclubs”, “88seals88” and “pokerseals”.
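The two points above, that a fast unsalted hash is cheap to crack and that per-user salting is what the operator should have relied on, are easy to see side by side. The following is an added example, not code from the article or from Seals With Clubs: an unsalted single-pass SHA-1 store next to a per-user salted, iterated PBKDF2 store, plus a defender-side audit that shows why one wordlist pass covers every user of the unsalted store. The user names and the long passphrase are constructed; the short passwords are the ones the article quotes as cracked.

```python
# Added example (not from the article or from Seals With Clubs): the
# difference between an unsalted single-pass SHA-1 store and a per-user
# salted, iterated KDF. Sample users and the long passphrase are constructed;
# the short passwords are among the cracked values the article quotes.
import hashlib
import hmac
import os

def sha1_unsalted(password):
    """The weak scheme: one fast hash, and every user with the same
    password gets the same digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def pbkdf2_record(password, salt=None, iterations=200_000):
    """Stronger scheme: random 16-byte salt per user plus an iterated KDF.
    Stored as 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())

def pbkdf2_verify(password, record):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)

def wordlist_exposure(unsalted_store, wordlist):
    """Defender-side audit of an unsalted store: hashing each wordlist entry
    ONCE is enough to match it against every user, which is what made the
    forum job described in the article so cheap. Returns {user: password}."""
    table = {sha1_unsalted(w): w for w in wordlist}
    return {user: table[digest]
            for user, digest in unsalted_store.items() if digest in table}

def salted_store_is_unlinkable(password):
    """With per-user salts, two users sharing a password get different
    records, so no precomputed table can be reused across users."""
    return pbkdf2_record(password) != pbkdf2_record(password)

if __name__ == "__main__":
    # constructed sample store in the weak scheme
    weak_store = {
        "alice": sha1_unsalted("sealswithclubs"),
        "bob": sha1_unsalted("pokerseals"),
        "carol": sha1_unsalted("Xq7#v-long-and-random-passphrase"),
    }
    words = ["bitcoin1000000", "sealswithclubs", "88seals88", "pokerseals"]
    print("exposed by a 4-word list:", wordlist_exposure(weak_store, words))
    rec = pbkdf2_record("sealswithclubs")
    print("salted record:", rec)
    print("verify ok:", pbkdf2_verify("sealswithclubs", rec),
          "wrong password:", pbkdf2_verify("pokerseals", rec))
```

Note what the salt does and does not buy: it stops one hash computation from being reused across users and defeats precomputed tables, but a user whose password is “pokerseals” is still found by a per-user dictionary run. The iteration count is what makes that run expensive, which is why the stronger scheme needs both.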

The site also mentioned that they are working to improve security of the website and would implement additional security measures, including two-factor authentication and login from a limited number of IP addresses.


via The Hacker News http://thehackernews.com/2013/12/SealsWithClubs-bitcoin-poker-hacked-password-dump_20.html

Extracting RSA Key From GnuPG by capturing Computer Sounds
‘RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis’ is an interesting paper recently published by three Israeli security researchers at Tel Aviv University.
They claim to have successfully broken one of the most secure encryption algorithms, 4096-bit RSA, just by capturing the sound of a computer’s CPU while it runs decryption routines.

Daniel Genkin, Adi Shamir (who co-invented RSA) and Eran Tromer used a side-channel attack, through a process called “acoustic cryptanalysis”, to successfully extract a 4096-bit RSA key from GnuPG.

“We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away,” the paper says.


The paper describes some possible implementations of this attack. Some email-client software, e.g. Enigmail, can automatically decrypt incoming e-mail (for notification purposes) using GnuPG. An attacker can e-mail suitably crafted messages to the victims, wait until they reach the target computer, and observe the acoustic signature of their decryption, thereby closing the adaptive attack loop.

“The acoustic signal of interest is generated by vibration of electronic components (capacitors and coils) in the voltage regulation circuit, as it struggles to maintain a constant voltage to the CPU despite the large fluctuations in power consumption caused by different patterns of CPU operations,” the researchers write.

The relevant signal is not caused by mechanical components such as the fan or hard disk, nor by the laptop’s internal speaker.

The researchers listen to the high-pitched (10 to 150 kHz) sounds produced by a computer as it decrypts data, and warn that a variety of other applications are also susceptible to the same acoustic cryptanalysis attack.

“We observe that GnuPG’s RSA signing (or decryption) operations are readily identified by their acoustic frequency spectrum. Moreover, the spectrum is often key-dependent, so that secret keys can be distinguished by the sound made when they are used. The same applies to ElGamal decryption.”

In the configuration pictured in the paper, a mobile phone (Samsung Note II) is placed 30 cm (nearly 12 inches) from a target laptop. The phone’s internal microphone points toward the laptop’s fan vents. Full key extraction is possible in this configuration and at this distance.

They have notified GnuPG about the vulnerability, and if you want to keep your data secure, please follow the recommended countermeasures:

“One obvious countermeasure is to use sound dampening equipment, such as “sound-proof” boxes, designed to sufficiently attenuate all relevant frequencies. Conversely, a sufficiently strong wide-band noise source can mask the informative signals, though ergonomic concerns may render this unattractive. Careful circuit design and high-quality electronic components can probably reduce the emanations.”

The GnuPG team has developed a patch to defend against the key extraction attack and released GnuPG 1.4.16.


via The Hacker News http://thehackernews.com/2013/12/acoustic-cryptanalysis-extracting-rsa.html

Your MacBook Camera could Spy on You without lighting up the warning light

If you own an Apple MacBook, you should cover up its webcam, because there’s a possibility someone could be watching you.

Like most webcams, the MacBook’s has a tiny green light that lets you know the webcam is active, but it’s possible for malware to disable this important privacy feature on older Mac computers (models released before 2008).

Matthew Brocker and Stephen Checkoway, students from Johns Hopkins University created a proof-of-concept app called “iSeeYou” that confirmed that MacBook iSight webcams can spy on their users without the warning light being activated.

A young man recently pleaded guilty in court to extortion after he performed a remote hack on Miss Teen USA’s webcam to secretly collect nude photos. It was revealed through court papers that the FBI has the ability to do the same thing with a variety of current laptops including Apple products.

To make this possible, they created a modified version of the iSight firmware and reprogrammed the camera with it. To disable the LED, they put the camera into STANDBY mode but, through the modified firmware, configured the image sensor to ignore that mode and keep capturing.


The software used to remotely control the iSight was a Remote Administration Tool (RAT), the kind of tool used by IT departments and educational institutions to administer large numbers of computers.

This type of hack doesn’t require the hacker to have physical possession of the laptop nor does it require administrator privileges.

The research focused on the MacBook and iMac computers released before 2008, but hackers could use the same techniques to compromise newer devices too.

Are you sure your laptop’s camera is not turned on? Put a small piece of tape across the camera.


via The Hacker News http://thehackernews.com/2013/12/your-macbook-camera-could-spy-on-you.html