
Upload: inmobi-technology

Post on 14-Jul-2015


Security News Bytes

Vandana Verma

12/18/2014 1

Null/ OWASP / G4H Bangalore December Meet

Disclaimer

• The information contained in this presentation does not break any intellectual property, nor does it provide detailed information that may be in conflict with any laws.

• Registered brands belong to their legitimate owners.

• The opinions represented here are my personal ones and do not necessarily reflect my employer’s views.

• This presentation doesn't teach you how to hack into any system, nor does it encourage one to do so without prior permission.

• All the information has been collected from different security news sites (public domain).


Agenda

• Arrests

• Data Breach

• Hack

• Mobile Security

• General

• Tools

• Acquisitions

• Stats

• Jobs

• Trends

• Hackable devices

• Acquisitions

• New Hardware

Arrests

The Straits Times reports that Mohammad Azhar Tahir defaced the prime minister's website in 2013 with messages and images from the hacktivist group Anonymous, including a Guy Fawkes mask. Tahir ultimately received a sentence of six months after tacking on separate sentences he'd received previously.

Tahir used a cross-site scripting (XSS) attack to alter the prime minister's website. He inputted HTML code into a Google search bar embedded on the site.

Data Breach & Hacks

A Taiwanese security expert found a zero-day vulnerability in the Xiaomi website that allowed him to obtain credentials of millions of Xiaomi accounts and logs from the servers.

Xiaomi devices provide a ‘Mi Account’ to customers, through which users gain access to their Mi Cloud, Mi Talk, MIUI Forum, Mi Market and other Xiaomi services. These online Xiaomi Mi Accounts store users’ personal information, including mobile numbers, email addresses and account credentials.


• This began with a skull appearing on screens, and then a strange message telling users they’d been hacked by something called #GOP (Guardians of Peace).

• The cryptic message that appeared on staff machines claimed that internal corporate data had been stolen and that this was just the beginning, and then threatened to release internal data by 11 PM that evening. One of the Sony sources announced: “We are down, completely paralyzed”. As a precaution, computers in Los Angeles were shut down while the corporation dealt with the breach.

• Just a week after the cyber-attack on Sony Pictures Entertainment, high-quality versions of five of its newest films – Annie, Fury, Still Alice, Mr. Turner and To Write Love on Her Arms – distributed by Sony Pictures leaked online during Black Friday.

• Just last week, the massive data breach at Sony appeared to have exposed more sensitive documents, revealing the US Social Security numbers of more than 47,000 celebrities, freelancers, and current and former Sony employees.

• The gaming network also suffered a more severe hack in 2011, which led to the exposure of 77 million PlayStation and Qriocity accounts along with 25 million Sony Online Entertainment accounts, bringing the total to more than 100 million in one of the largest data breaches ever.


• The Syrian Electronic Army hacked a popular web service, Gigya, which manages the comments and social logins of prominent media and entertainment websites.

• The attack used a DNS redirect that pointed Gigya's content delivery network to a server run by the SEA.

• The SEA confirmed the attack via their Twitter account, accompanied by a screenshot of the backend control panel for the Gigya.com domain at GoDaddy.com.

• Gigya’s top official said, "Rather, the attack only served other JavaScript files instead of those served by Gigya."

Mobile Security

A security researcher made a worrying discovery this week and claims, "Uber’s app is literally malware."

The ride-hailing company is in dispute over its handling of the privacy of its customers' data. A Phoenix-based security researcher, Joe Giron, found that a surprising amount of users’ data is being collected by the company’s mobile application for Android.

The researcher, who runs a cyber security firm in Arizona, reverse-engineered the code of Uber’s Android application and came to the conclusion that it is malware. He discovered that the app "calls home" and sends data back to the company. There is a long list of everything the Uber Android app can collect about its users:

• Accounts log (Email)

• App Activity (Name, PackageName, Process Number of activity, Processed id)

• App Data Usage (Cache size, code size, data size, name, package name)

• App Install (installed at, name, package name, unknown sources enabled, version code, version name)


• A vulnerability has been discovered in the wildly popular messaging app WhatsApp, which allows anyone to remotely crash WhatsApp just by sending a specially crafted message.

• Two India-based independent security researchers, Indrajeet Bhuyan and Saurav Kar, demonstrated the WhatsApp Message Handler vulnerability, showing how a 2000-word (2 KB in size) message in a special character set can crash the WhatsApp messenger app.

• The worrying impact of the vulnerability is that the user who received the specially crafted message will have to delete his/her whole conversation and start a fresh chat, because opening the message keeps on crashing WhatsApp unless the chat is deleted completely.

• It has not been tested on iOS, but it is certain that all versions of WhatsApp including 2.11.431 and 2.11.432 are affected by this bug.

General

The Pirate Bay — an infamous Torrent website predominantly used to share copyrighted material such as films, TV shows and music files, free of charge — went dark from the internet on Tuesday after Swedish Police raided the site's server room in Stockholm and seized several servers and other equipment.

It remained unavailable for several hours, but the site appeared back online in the late hours with a new URL hosted under the top-level domain for Costa Rica.

The Pirate Bay has previously been shut down a number of times and had its domain seized. Back in September, The Pirate Bay claimed that it ran the notorious website on 21 "raid-proof" virtual machines.


• A new mobile Trojan horse infection has been discovered by security researchers that masquerades as a ringtone app and comes pre-loaded on Android smartphones.

• The DeathRing malware app cannot be uninstalled or removed by the end user or by antimalware software.

• Though the malware pretends to be a genuine ringtone app, it actually downloads SMS and WAP content from its command-and-control server to the victim’s handset, which gives it the potential to phish users' sensitive data through fake text messages.

AFFECTED SMARTPHONE HANDSETS

• Counterfeit Samsung GS4/Note II

• A variety of TECNO devices

• Gionee Gpad G1

• Polytron Rocket S2350

• Gionee GN708W

• Gionee GN800

• Hi-Tech Amaze Tab

• Karbonn TA-FONE A34/A37

• Jiayu G4S – Galaxy S4 clones

• Haier H7

• An i9502+ Samsung clone by an unspecified manufacturer


December 02, 2014 17

Fixes were issued for several critical memory safety bugs in the browser engine used by Firefox, as well as other Mozilla-based products.

Disabling support for SSL 3.0 will address POODLE, a severe vulnerability in SSL 3.0 that was discovered by Google researchers in October and could enable an attacker to intercept plaintext data from secure connections.

Fallback to SSL 3.0 was removed in Chrome 39 when the Google browser was promoted to the stable channel in November.


Attackers are freely distributing pirated Joomla, WordPress and Drupal themes and plugins that are packaged with a backdoor being referred to as CryptoPHP.

Fox-IT released a whitepaper on CryptoPHP and revealed that most of the command-and-control domains had been sinkholed or taken down.

Fox-IT mentioned that the number of connections to the sinkholes is declining, but the threat is not over since the attackers are still distributing the compromised plugins and themes via their websites.


Malware


LusyPOS, a new point-of-sale (PoS) malware, was uncovered by CTBS reverse engineers early this month. This malware clocks in at around 4.0 MB in size, so it’s not small. The malware also creates the mutex “prowin32Mutex” and injects code into iexplore.exe. This was a strange mix of Dexter-like behavior mixed with Chewbacca-like techniques.

It comes bundled in freeware, toolbars, games, and other downloadable apps that are free of charge. Some people may install the programs packed with LusyPOS malware code intentionally by agreeing to the terms and conditions of the downloaded program.

Tools

• Google launched a new "Devices and Activity dashboard" with additional insight over the devices, which will allow Google Apps users to identify every single active device that has been used to access their account in the last 28 days as well as those currently signed in.

• The company also launched a new security wizard to help secure Google for Work accounts by walking users through functions to tighten security features, including recovery settings and the ability to review account permissions and access.

Statistics

• Google Dorks - 6

• Remote Exploits – 18

• Local Exploits - 16

• Web Application Exploits - 34

• Denial of Service Attacks - 10

• Shell Code - 1

• Whitepapers - 5

Jobs

Trends

World-wide Karnataka

Hackable Devices

• Although TLS is very strict about how its padding is formatted, it turns out that some TLS implementations omit to check the padding structure after decryption. Such implementations are vulnerable to the POODLE attack even with TLS.

• The attacks are mainly targeted at browsers as the attacker has to inject malicious JavaScript to begin the attack.

• “A successful attack will use about 256 requests to uncover one cookie character, or only 4096 requests for a 16-character cookie. This makes the attack quite practical,” he argued.

• So far, F5 load balancers have been found to be impacted by the threat. The firm has issued an advisory on how to patch any affected kit.
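
The padding check described in the bullets above, as an added example that is not part of the original slides: a record decoder that reads only the padding-length byte accepts exactly 1 of the 256 possible last-byte values for a tampered padding block (the source of the "about 256 requests" figure), while the full TLS structure check accepts none. The key, the simplified record layout (data, then HMAC-SHA256, then padding, already decrypted) and all function names are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 16                       # CBC block size in bytes
MAC_LEN = 32                     # HMAC-SHA256 tag length
KEY = b"constructed-demo-key"    # constructed sample key, not from the page

def strict_pad_len(pt: bytes):
    """TLS rule: last byte is L and the L bytes before it must all equal L.
    (Plain comparison for clarity; real stacks must do this in constant time.)"""
    n = pt[-1]
    if n + 1 > len(pt) or any(b != n for b in pt[-(n + 1):]):
        return None
    return n

def lenient_pad_len(pt: bytes):
    """SSL 3.0-style rule, and the buggy TLS stacks: only the length byte is read."""
    n = pt[-1]
    return n if n + 1 <= len(pt) else None

def accept(pt: bytes, pad_len_fn) -> bool:
    """Strip padding as pad_len_fn dictates, then verify the HMAC over the payload."""
    if not pt or len(pt) % BLOCK:
        return False
    n = pad_len_fn(pt)
    if n is None or len(pt) - n - 1 < MAC_LEN:
        return False
    body = pt[: len(pt) - n - 1]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(tag, hmac.new(KEY, data, hashlib.sha256).digest())

def build_record(data: bytes) -> bytes:
    """data || HMAC || TLS padding, padded to a whole number of blocks."""
    body = data + hmac.new(KEY, data, hashlib.sha256).digest()
    n = BLOCK - 1 - len(body) % BLOCK
    return body + bytes([n]) * (n + 1)

def accepted_last_bytes(pad_len_fn) -> int:
    """Swap the final all-padding block for filler and count accepted last bytes."""
    rec = build_record(b"A" * 16)    # 16 + 32 bytes, so the padding fills one block
    # Constructed stand-in for the unpredictable bytes a tampered block decrypts to.
    filler = bytes(range(100, 100 + BLOCK - 1))
    return sum(accept(rec[:-BLOCK] + filler + bytes([v]), pad_len_fn)
               for v in range(256))
```

Any TLS stack under test should behave like `strict_pad_len`: a record whose padding bytes do not all match the length byte is rejected before the MAC result can leak anything.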

References

• www.google.com

• www.thehackernews.com

• www.ehackingnews.com

• www.news.cnet.com/security/

• http://cve.mitre.org/

• https://www.indiegogo.com

• http://www.scmagazine.com/

• http://www.infosecurity-magazine.com/

• http://jobs.null.co.in/

• http://www.hackersnewsbulletin.com

• http://www.shodanhq.com/

• http://threatpost.com/

• http://www.securityweek.com/


Thank You !!
