
Windows XP Flaw: Hackers withdraw money from any ATM by just sending a Text Message

By : Sarsti Saini

ATM theft and fraud is nothing new, and criminals keep coming up with new ways either to get cash out of an ATM or to steal an ATM user’s card number and PIN. One would expect banks to stay vigilant and on top of the security game, keeping their ATMs up to date with current technology. That is not the case: over 95 percent of ATMs run on an operating system first released about 13 years ago, Windows XP. Microsoft will stop supporting the aging operating system on April 8 this year, after which it will officially be declared dead. According to Symantec researchers, this will hit banks hard. What reason could banks have for not upgrading the OS on their ATMs? A shortage of funds is clearly not something associated with banks.
Microsoft has already warned users and banks, and hackers are eagerly waiting for the day support is withdrawn: after that, Microsoft will neither issue further patches nor investigate new flaws.
Collecting cash from an ATM could be as easy as sending an SMS through a mobile phone that shares its Internet connection with the machine. The Trojan, named “Backdoor.Ploutus.B”, is an English-language variant of an earlier Mexican version, “Backdoor.Ploutus”, which took its commands from an external keyboard. How does it work? The attacker attaches a mobile phone to the compromised ATM running Windows XP using USB tethering, which creates a shared Internet connection between the ATM and the phone that connects to the bank’s servers. The attacker then sends SMS commands to the connected phone, which converts them into network packets that are sent through the ATM to the bank’s servers. The servers believe the cash request is legitimately coming from a properly working ATM and release the cash for the attacker to collect.

Two SMSs are required to carry out this hack successfully:
“SMS 1 must contain a valid activation ID in order to enable Ploutus in the ATM.”
“SMS 2 must contain a valid dispense command to get the money out.”
Symantec suggests a number of measures that can make ATMs more secure against Ploutus attacks. Symantec writes:
“Upgrading to a supported operating system such as Windows 7 or 8
Providing adequate physical protection and considering CCTV monitoring for the ATM
Locking down the BIOS to prevent booting from unauthorized media, such as CD ROMs or USB sticks
Using full disk encryption to help prevent disk tampering
Using a system lock down solution such as Symantec Data Center Security: Server Advanced (previously known as Critical System Protection)”

Hackers create drone that can steal what’s inside your phone

By : Sarsti Saini
Hackers in London have created a drone that can take data, including locations and passwords, directly from your smartphone.
The drone, codenamed “Snoopy”, targets busy city streets and phones that are switched on with Wi-Fi enabled. It takes advantage of a common smartphone feature: the phone continuously searches for networks the user has already joined and approved.
Snoopy’s developer, Glenn Wilkinson, told CNN that smartphones looking for those networks are effectively shouting, noisily: “Are you there, Starbucks? Are you there, McDonald’s?”

Snoopy’s onboard software then pretends to be one of those approved networks, and it can connect to more than one device at a time, acting as a different network for each. Once a phone has connected to the quadcopter, Snoopy captures every transmission the phone sends or receives.
Having recorded the phone’s individual media access control (MAC) address, Snoopy can see and record sensitive data such as location, usernames, passwords and even credit card information that is sent to the accounts or websites the phone accesses.
“I can have a look at all of your traffic after your phone connects to me,” said Wilkinson. “I’ve gone through the situation where somebody is searching for ‘Bank X’ corporate Wi-Fi. In this way, we can be informed that the person concerned is working at the bank.”
In a demonstration for CNN, Snoopy showed several smartphone users how they had been attacked by the drone; within the space of an hour it gathered sensitive information and real-time GPS locations from about 150 smartphones, and collected credentials for Yahoo, Amazon and PayPal accounts created for testing purposes.
Daniel Cuthbert and Wilkinson, who both work for SensePost, a London-based information security company, developed Snoopy and plan to present their work at the Black Hat Asia cybersecurity conference in Singapore on 25 March.
Like many other information security companies, SensePost ran this test to show the weak points of technology we use daily. The research is considered very helpful in preventing attacks by such drones.
At this point in time, most smartphones have an important function that requires permission from the user before joining a network. After SensePost’s research, this function should certainly be switched on.


Hackers have hacked 300000+ wireless routers, Check yours NOW!

By : Sarsti Saini
Hackers near you could hack your router and redirect you to custom malicious websites; according to a report, at least 300,000 routers have been compromised.
Small Office/Home Office (SOHO) routers made by TP-Link, D-Link, Micronet and Tenda were affected. Weak authentication and vulnerabilities in both the routers’ firmware and their web application interfaces were exploited in the attacks, reported the security research team Cymru.
Hackers attacking Routers:

One of the vulnerabilities used to hack a router was a cross-site request forgery (CSRF) flaw: whenever a user visited a malicious website, the router’s authentication was handed to the attackers. The image below illustrates the attack:
The hackers also exploited a known flaw in ZyXEL ZynOS firmware on the routers, which allows credentials to be downloaded directly from the device through an unauthenticated web interface. They were also seen changing the domain name system (DNS) configuration on the devices, through which users could easily be redirected to any malicious URL the attacker wants. Most victims of the attack were based in Vietnam, although others were in Italy, India and Thailand. The attacks date back to at least mid-December. The UK appears to have come away relatively unscathed, even though there were many victims across Europe.

The hackers’ main motive for attacking the routers is still unclear, because the IP addresses victims were forwarded to did not appear to host anything obviously malicious. According to Team Cymru, hackers use this type of technique to send victims to fake sites where they can harvest financial information and more. You should check yours NOW!

Expression Language (EL) Injection vulnerability in PayPal's subsidiary

By : Sarsti Saini

An Indian security researcher, Piyush Malik, has discovered an Expression Language (EL) Injection security flaw in Zong, a subsidiary of PayPal.

According to OWASP, EL Injection is a vulnerability that allows an attacker to control data passed to the EL interpreter. In some cases, it allows attackers to execute arbitrary code on the server.

Malik said in his blog that Zong was running an outdated version of Clearspace (now known as Jive software) on a subdomain. "Clearspace is a Knowledge management tool and is Integrated with Spring Framework. EL Pattern was used in Spring JSP Tags which made Clearspace Vulnerable to this Bug," Malik explained in his blog.

He found two forms on the site that are vulnerable to this bug, and was able to perform some arithmetic operations using the vulnerable field. One of the vulnerable URLs:
https://clearspace.zong.com/login!input.jspa?unauth=${custom command here}

An attacker can inject an Expression Language command into the 'unauth' field, which will be evaluated on the server. In his demo, the researcher injected an arithmetic expression (https://clearspace.zong.com/login!input.jspa?unauth=${100*3}) and was able to have it executed.

PayPal has offered a bounty for his finding; the researcher didn't disclose the amount.

The EL Injection vulnerability class was first documented by security researchers from Minded Security in 2011. You can find the document here: https://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf

Miley Cyrus, Taylor Swift and Britney Spears websites hacked by Ethical Spectrum

By : Sarsti Saini
Update:
The latest tweet from the hacker shows he compromised the database containing the usernames and passwords belonging to these websites: "The database of #MileyCyrus, #SelenaGomez......etc with 2,5 million users and pass is for sale, anyone interested email me at my mail"

Exclusive Information:
The hacker told E Hacking News that he found multiple vulnerabilities in the Groundctrl website and gained access to the database server.

He also gained access to the CMS panel which manages the celebrities' websites.
GroundCtrl CMS Panel

Original Article:

A hacker going by the online handle "Ethical Spectrum" has hacked into websites belonging to several celebrities and defaced the sites.

The affected websites include Miley Cyrus's official site (mileycyrus.com), Selena Gomez (selenagomez.com), Taylor Swift (taylorswift.com) and Britney Spears (britneyspears.com).


We were able to confirm that these are the celebrities' official websites, as they are linked from their Twitter accounts.

According to the hacker's Twitter account (@Eth_Spectrum), he hacked into the above-mentioned websites on March 8th. The websites were restored after the breach; however, the hacker says he managed to deface them once again.

Other websites attacked by the hacker are Ground Ctrl (groundctrl.com), mypinkfriday.com, Chelsea Handler's site (chelseahandler.com), Aaron Lewis (aaronlewismusic.com/), therealcocojones.com, christinagrimmieofficial.com and Kacey Musgraves (kaceymusgraves.com).

The defacement just reads "Why i hacked this site, you can ask this person greg.patterson@groundctrl.com".

Greg Patterson is the co-founder of Groundctrl, an organization that builds websites for artists. It appears the security breach started at Groundctrl.

Other affected sites:
Pat Green (patgreen.com),
Rob Thomas (robthomasmusic.com),
Rock Mafia (rockmafia.com),
ritawilson.com.
If you are not able to see the defacement, you can find the mirror here:

All of the affected websites are currently showing the maintenance error message except groundctrl official website.

The hacker didn't provide much information about the breach, so we are not sure exactly how he got into all of these websites: whether he found a zero-day exploit in the CMS developed by Groundctrl, or whether all of the affected sites are managed from one central place.

Bug in Twitter could allow anyone to read tweets from protected accounts

By : Sarsti Saini
Twitter has fixed a bug in its website that could allow non-approved followers to read tweets made by protected Twitter accounts.

Normally, tweets from protected accounts can't be seen by public users; one has to be approved by the account holder to view them.

This bug could allow anyone to view protected tweets by receiving SMS or push notifications from those accounts.

The microblogging firm said a member of the white-hat security community helped it discover and diagnose the bug. According to its blog post, the bug had been present since November 2013.

"As part of the bug fix, we’ve removed all of these unapproved follows, and taken steps to protect against this kind of bug in the future."

The bug affected around 93,788 protected accounts. Twitter has emailed all affected users to inform them of the bug and apologize.

Hacker breaches Johns Hopkins University website

By : Sarsti Saini
The database server contains information on current and former biomedical engineering students. The stolen information includes students' names, phone numbers and email addresses.

The University says no information that would make identity theft a concern, such as Social Security numbers or credit card numbers, was involved in the breach.

According to the Baltimore Sun, the so-called anonymous hacker attempted to extort the university for further access to its database server, threatening to leak the stolen data unless the university handed over the server password.

The breach reportedly occurred last November; the vulnerability responsible for it has since been patched. The University is currently working with the FBI and trying to get the leaked data removed from the Internet.

Apple’s iPhone 5S tracks your every physical movement even after the battery dies

By : Sarsti Saini
An Apple iPhone 5S user has publicly revealed something serious about your privacy. You may already know that Apple's M7 motion co-processor keeps track of your motion-related data, derived from the integrated accelerometer, gyroscope and compass sensors; what you may not know is that even after your phone has died, the M7 chip is still collecting that data.
The fact is that when the iPhone shuts down because of a low battery, the battery isn’t actually completely drained. The M7 is designed to run on very little power, so it keeps analyzing your every physical activity even after the battery dies.
The M7 processor works independently, so it doesn’t need any other component of the iPhone to be powered on.
This privacy issue was revealed by a Reddit user, who wrote:
While traveling abroad, my iPhone cable stopped working so my 5s died completely.
I frequently use Argus to track my steps (highly recommended if you have any health bands or accessories) since it takes advantage of the M7 chip built into the phone.
Once I got back from my vacation and charged the phone, I was surprised to see that Argus displayed a number of steps for the 4 days that my phone was dead.
I’m both incredibly impressed and slightly terrified.
The M7 only analyzes physical activity, not your actual location.


European Apple users targeted with phishing emails

By : Sarsti Saini
A new phishing campaign targeting European Apple Store users promises to offer a discount.
Security researchers at Kaspersky have spotted a new spam mail targeting Apple users that tricks them into thinking they can get a 150-euro discount by paying just 9 euros.

"Apple is rewarding its long-term customers. Your loyalty for our products made you eligible for buying an Apple discount card," the spam mail reads.

The spam mail asks users to download an attached HTML file and fill in the form, where they are asked to enter personal information as well as credit card details.

The scammers spoofed the sender address so that the email appears to come from informs@apple.com. They also promise to send the discount card within 24 hours of the form being filled in.

If a recipient follows the instructions and fills in the form, the phishing file sends the data to the attacker's server, and the attacker uses the financial data.

World’s Biggest Cyber Attack-360 Million email accounts credentials, 1.25 billion email addresses

By : Sarsti Saini
Did you know? More than 360 million account credentials and around 1.25 billion email addresses have been put up for sale on the online black market by hackers worldwide.
This is the world’s biggest cyber attack ever.
A company in London named ‘Hold Security’ researched and found this huge trove of data.

A single one of the attacks stole more than 105 million records, the largest single data breach in history.
“These credentials can be stolen directly from your company but also from services in which you and your employees entrust data. In October 2013, Hold Security identified the biggest ever public disclosure of 153 million stolen credentials from Adobe Systems. One month later we identified another large breach of 42 million credentials from Cupid Media,” the firm said.
The firm took three weeks to collect the data, tracking over 300 million abused credentials that were not disclosed publicly (over 450 million if one counts the Adobe find).
“But this month we exceeded all expectations. In the first three weeks of February we identified nearly 360 million stolen and abused credentials and 1.25 billion records containing only email addresses. These mind boggling numbers are not meant to scare you and they are a product of multiple breaches which we are independently investigating. This is a call to action,” it added.
“The sheer volume is overwhelming,” said Alex Holden, chief information security officer of Hold Security.
The email addresses include all the major providers, such as Google, Microsoft and Yahoo. Many non-profit organizations and all Fortune companies have been affected.
This is the biggest data breach after the Adobe one.


YouTube ads serve Banking Trojan Caphaw

By : Sarsti Saini
The number of malvertising attacks appears to be increasing day by day, and even top websites fall victim to them: YouTube is the latest popular site affected by malicious ads.
Security experts from Bromium have discovered that cyber criminals were distributing malware via YouTube ads.
According to the researchers, the malicious ads attempt to exploit vulnerabilities in outdated Java installations, loading different malicious JAR files to ensure the exploit matches the installed Java version.
The exploit kit used in this attack is the Styx Exploit Kit, the same one cybercriminals used to infect users of toy maker Hasbro's website (Hasbro.com).

If the user's machine has vulnerable plugins, the kit exploits the vulnerability and drops a banking Trojan known as "Caphaw". The researchers say they are working with Google's security team.

Why Use A Firewall? IP Tables In A Simple Way

By : Sarsti Saini
Readers, there are numerous reasons. It is well known that the Internet is an unmanaged, decentralized network running on a set of protocols that were not designed to ensure the integrity and confidentiality of information or to provide access control.
There are several ways to breach a network, but all of them do nothing more than take advantage of flaws in network protocols and services.

IPTABLES is a tool for editing packet filtering rules: with it you can inspect packet headers and decide what happens to each packet. It is not the only solution for this kind of filtering; the older ipfwadm and ipchains also exist.
It is important to note that in GNU/Linux, packet filtering is built into the kernel. Most distributions ship it enabled as a module or compiled directly into the kernel, so why not configure your installation along the lines of this article?


#!/bin/sh
# /etc/init.d/firewall - iptables packet filter for a single host
# Usage: /etc/init.d/firewall {start|stop|restart}

case "$1" in
start)
    # Clearing rules
    iptables -t filter -F
    iptables -t filter -X

    # Ignore [ICMP ECHO-REQUEST] messages sent to broadcast or multicast addresses
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    # Protection against ICMP redirects
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

    # Do not send ICMP redirect messages
    echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

    # Log packets with impossible source addresses (martians, caused by wrong routes on your network)
    echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

    # IP spoofing protection (reverse path filter). "default" only covers
    # interfaces created later, so "all" is set as well for the existing ones.
    echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
    echo - Subindo proteção contra ip spoofing : [OK]

    # IPv4 forwarding is only required when this host does NAT or routing.
    # The script as originally posted set it to 1 and then back to 0; no NAT
    # rules are defined and FORWARD is dropped, so it stays off (set 1 on a gateway).
    echo 0 > /proc/sys/net/ipv4/ip_forward

    # Block all connections by default
    iptables -t filter -P INPUT DROP
    iptables -t filter -P FORWARD DROP
    iptables -t filter -P OUTPUT DROP

    # Loopback
    iptables -t filter -A INPUT -i lo -j ACCEPT
    iptables -t filter -A OUTPUT -o lo -j ACCEPT

    # Do not break established connections
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Make sure new connections start with SYN, otherwise drop them
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # SYN-flood protection: new SYNs above 10/s (burst 50) are logged and dropped.
    # The chain is created and jumped to; the original never referenced it.
    iptables -N syn-flood
    iptables -A syn-flood -m limit --limit 10/second --limit-burst 50 -j RETURN
    iptables -A syn-flood -j LOG --log-prefix "SYN FLOOD: "
    iptables -A syn-flood -j DROP
    iptables -A INPUT -p tcp --syn -j syn-flood

    # Drop connection scans: 3 hits from the same source within 600 s.
    # LOG comes before DROP everywhere below: DROP terminates matching, so a
    # LOG rule placed after an identical DROP rule would never fire.
    iptables -A INPUT -m recent --name scan --update --seconds 600 --rttl --hitcount 3 -j LOG --log-level info --log-prefix "Scan recent"
    iptables -A INPUT -m recent --name scan --update --seconds 600 --rttl --hitcount 3 -j DROP

    # Drop invalid SYN packets (bogus flag combinations), inbound and outbound
    for chain in INPUT OUTPUT; do
        iptables -A "$chain" -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-level info --log-prefix "Packages SYN Detected"
        iptables -A "$chain" -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
        iptables -A "$chain" -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level info --log-prefix "Packages SYN Detected"
        iptables -A "$chain" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
        iptables -A "$chain" -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level info --log-prefix "Packages SYN Detected"
        iptables -A "$chain" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    done

    # Discard incoming fragments (fragment attacks can cause data loss)
    iptables -A INPUT -f -j LOG --log-level info --log-prefix "Packages fragmented entries"
    iptables -A INPUT -f -j DROP

    # Drop malformed XMAS packets (all flags set)
    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j LOG --log-level info --log-prefix "malformed XMAS packets"
    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

    # (Ping) ICMP
    iptables -t filter -A INPUT -p icmp -j ACCEPT
    iptables -t filter -A OUTPUT -p icmp -j ACCEPT

    # SSH accepted
    iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT

    # DNS In/Out
    iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
    iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
    iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT

    # NTP out
    iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT

    # WHOIS out
    iptables -t filter -A OUTPUT -p tcp --dport 43 -j ACCEPT

    # FTP: control/data ports and passive range, In/Out
    iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 30000:50000 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 30000:50000 -j ACCEPT

    # HTTP/HTTPS In/Out
    iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT

    # Mail SMTP:25
    iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT

    # Mail POP3:110
    iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT

    # Mail IMAP:143
    iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT

    # Reverse (ports 77 and 7337, kept as in the original script)
    iptables -t filter -A INPUT -p tcp --dport 77 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 77 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 7337 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 7337 -j ACCEPT

    # Record the source of anything that got this far without being accepted,
    # so the "scan" list checked above has hits to count.
    iptables -A INPUT -m recent --name scan --set

    # Log what is about to hit the DROP policy, rate-limited so the log cannot
    # be flooded. (The original wrote these lines as "/var/log/firewall -A ...";
    # they are iptables rules. The LOG target writes to the kernel log.)
    touch /var/log/firewall
    iptables -A INPUT -p icmp -m limit --limit 1/s -j LOG --log-level info --log-prefix "ICMP Dropped "
    iptables -A INPUT -p tcp -m limit --limit 1/s -j LOG --log-level info --log-prefix "TCP Dropped "
    iptables -A INPUT -p udp -m limit --limit 1/s -j LOG --log-level info --log-prefix "UDP Dropped "
    iptables -A INPUT -f -m limit --limit 1/s -j LOG --log-level warning --log-prefix "FRAGMENT Dropped "
    iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level debug --log-prefix "IPT INPUT packet died: "
    ;;
stop)
    echo "turning off the firewall "
    # Open all three policies: leaving OUTPUT and FORWARD at DROP after the
    # flush would cut the host off the network.
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -t filter -F
    iptables -t filter -X
    ;;
restart)
    "$0" stop
    "$0" start
    ;;
*)
    echo "Use: /etc/init.d/firewall {start|stop|restart}"
    exit 1
    ;;
esac
exit 0

Logs available: /var/log/firewall
Command to monitor the logs: tail -f /var/log/messages
Save the script as: /etc/init.d/firewall
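Two of the mistakes in the script as originally posted (a LOG rule placed after an identical DROP rule, which can never fire, and a syn-flood chain that is created but never jumped to) are easy to make and hard to spot by eye. As an added example, not part of the original article, the following Python linter reads an iptables-save dump and reports those two ordering problems plus LOG rules with no -m limit; the ruleset it ships with is constructed to reproduce the defects.

```python
"""Lint an iptables-save dump for rule-ordering mistakes (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in iptables-save format. It reproduces two defects of the
# firewall script as originally posted: a LOG rule placed after an identical
# DROP rule (never reached) and a "syn-flood" chain that is created but never
# jumped to. The SYN,FIN pair shows the correct order (LOG first, then DROP).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:syn-flood - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m recent --name scan --update --seconds 600 --rttl --hitcount 3 -j DROP
-A INPUT -m recent --name scan --update --seconds 600 --rttl --hitcount 3 -j LOG --log-prefix "Scan recent"
-A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "Packages SYN Detected"
-A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A syn-flood -m limit --limit 10/sec --limit-burst 50 -j RETURN
-A syn-flood -j DROP
COMMIT
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # later rules never see the packet
RULE_RE = re.compile(r"^-A (\S+)\s*(.*?)\s*-j (\S+)")


@dataclass(frozen=True)
class Rule:
    chain: str
    match: str  # the match expression between the chain name and -j
    target: str
    line_no: int


def parse_rules(text: str) -> Tuple[Dict[str, str], List[Rule]]:
    """Return {chain: policy} ("-" marks a user chain) and the rules in order."""
    chains: Dict[str, str] = {}
    rules: List[Rule] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains[name] = policy
        elif line.startswith("-A "):
            m = RULE_RE.match(line)
            if m:
                rules.append(Rule(m.group(1), m.group(2), m.group(3), line_no))
    return chains, rules


def lint(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was found."""
    chains, rules = parse_rules(text)
    findings: List[str] = []

    # 1. A LOG rule whose exact match was already terminated earlier in the
    #    same chain can never fire: the packet is gone before it is reached.
    first_terminator: Dict[Tuple[str, str], Rule] = {}
    for r in rules:
        key = (r.chain, r.match)
        if r.target == "LOG" and key in first_terminator:
            t = first_terminator[key]
            findings.append(f"line {r.line_no}: LOG never reached, "
                            f"{t.target} at line {t.line_no} matches first")
        if r.target in TERMINATING and key not in first_terminator:
            first_terminator[key] = r

    # 2. A user-defined chain that nothing jumps to is dead configuration.
    jumped_to = {r.target for r in rules}
    for name, policy in chains.items():
        if policy == "-" and name not in jumped_to:
            findings.append(f"chain {name}: defined but never referenced by a -j")

    # 3. An unlimited LOG rule lets a remote sender fill the kernel log.
    for r in rules:
        if r.target == "LOG" and "-m limit" not in r.match:
            findings.append(f"line {r.line_no}: LOG without -m limit can flood the log")
    return findings
```

To check a live host, feed it the real dump: `iptables-save | python3 -c 'import sys, lint; print("\n".join(lint.lint(sys.stdin.read())))'` (assuming the block is saved as lint.py).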

I hope this helps you configure your network security; remember to choose only the best options available.

Allow me to add a few advantages of using a firewall. It blocks unknown and unauthorized connections. You can specify which network protocols and services are provided, and control packets coming from untrusted services. A firewall also allows blocking websites with URL filters, access control, access logs for per-user reports, protecting the corporate network through proxies, and Network Address Translation (NAT). It controls which services may or may not run on the network, allowing high performance with easy administration and reliability.
