Saturday, 13 April 2013

Minor flaw allows Hacker to hijack Avira Antivirus customers accounts

Cross site scripting vulnerabilities are mistakenly considered unimportant, but they could allow attackers to inject client-side script in web pages visited by victims.

A cross-site scripting (XSS) vulnerability may be exploited by hackers to bypass access controls.
Egyptian information security advisor Ebrahim Hegazy (Zigoo) has found an XSS vulnerability in the Avira license daemon.
But instead of demonstrating it in the usual way, with an "alert('MyName')" popup, and then reporting it, he decided to demonstrate it to the Avira security team differently, to show how an XSS vulnerability could allow hackers to steal user accounts, with the credentials captured as clear text!
To demonstrate this attack he has created 4 files:
  • avira.html - the fake login page
  • log.php - the logger which will log the credentials as clear text into txt file
  • avira.txt - credentials will be found here
  • done.html - will show a congratulation message to fool the users

According to Ebrahim Hegazy, the Avira team responded promptly and fixed the flaw in a short time. For those who consider XSS a low-severity vulnerability, now you can change your opinion.
Credits: Ebrahim Hegazy is an information security advisor @Starware Group, acknowledged by Google, Microsoft and eBay for finding and reporting multiple vulnerabilities in their applications.

FAA -- Hackers Probably Can't Hijack an Airplane with Software

An alarming dispatch from the Hack In The Box security conference in Amsterdam arrived on Wednesday: a hacker says he's found a way to take over airplane controls. That's probably not true. At least according to the Federal Aviation Administration (FAA), the European Aviation Safety Administration (EASA) and Honeywell, the makers of the cockpit software, it's not. The FAA, for one, says, "The described technique cannot engage or control the aircraft's autopilot system using the FMS or prevent a pilot from overriding the autopilot." The agency assures America that this hack "does not pose a flight safety concern because it does not work on certified flight hardware."
So why did Hugo Teso, the German hacker in question, tell everybody at the conference as well as countless journalists who've latched on to the story that he could take over the software? Well, Teso says he's successfully taken over a plane's controls in a flight simulator on his desktop computer at home. Hoping to expose some of the security flaws in planes' flight management system (FMS), Teso bought some FMS hardware on eBay as well as some FMS software that, according to Forbes "was advertised as containing some or all of the same code as the systems in real planes" and gave it a go. And he did it! Teso said that his technique would send radio signals to the plane and hijack its controls. "You can use this system to modify approximately everything related to the navigation of the plane," Teso told Forbes. "That includes a lot of nasty things."

To recap that order of events: Hacker buys equipment from eBay, loads up software that may contain "some or all of the same code" that's on commercial jets and, in a flight simulator, hijacks a plane. Come to think of it, that does sound a little reach-y, doesn't it? The whole thing seems even less believable if you check out the slides that he used during the presentation, complete with images from The Matrix and Japanese Manga cartoons. One reason why the story felt like it could be feasible is the fact that there have been warnings from all sides of the cyber security industry about vulnerabilities in air traffic control software. This has been happening for years, and the FAA has actually admitted to risks in that arena.

We're not trying to say that Teso's making all this up. But hacking into your desktop computer's flight simulator is something that middle school kids do in technology class. It's not reason to strike fear into the hearts of millions. But hey, at least Teso seems well intentioned. You certainly can't say that about all hacker-types these days.

Microsoft pulls security update over software conflicts

A security update issued by Microsoft on Tuesday isn't playing nicely with other software, prompting Microsoft to pull it from its download center.
Dustin Childs, group manager of Microsoft Trustworthy Computing, revealed the problem in a blog post late yesterday:
We are aware that some of our customers may be experiencing difficulties after applying security update 2823324, which we provided in security bulletin MS13-036 on Tuesday, April 9. We've determined that the update, when paired with certain third-party software, can cause system errors. As a precaution, we stopped pushing 2823324 as an update when we began investigating the error reports, and have since removed it from the download center.
Childs said the system errors don't affect all Windows users and don't cause any data loss. However, he advised all people who installed the update to uninstall it by following the steps outlined in a Knowledge Base article published after the problem was discovered.
The update in question fixes a moderate-level security hole that requires someone to have physical access to a computer in order to exploit it. Tuesday's overall security package is still available but no longer contains the buggy update, so Windows users who haven't yet applied the patches should install them.

Man traces stolen laptop to Iran, blogs photos of new owners

A stolen MacBook apparently goes on an epic journey from London to Iran, sending back goofy images of the new owners to the theft victim. A riveting story, unless it's a publicity stunt.
It's a sad occasion when a laptop is stolen. All that money, time, and personal data just disappear into the night. This is the Tumblr story of a boy and his stolen laptop. Dom Deltorto lives in London. In early February, he says, someone broke into his flat and made off with his MacBook Pro and his iPad.
Deltorto was prepared for just such an incident. He had installed Hidden App on his laptop, a program that tracks the laptop's location and sends back images of the thief. However, Hidden App still needs to be connected to the Internet to work. After more than a month of radio silence, Deltorto reports that his MacBook suddenly came online, but it wasn't in a place where he could just call the London police and have them recover it.
Deltorto's laptop now appears to be a resident of Tehran, Iran, over 3,000 miles away from the comforts of home. Instead of crying itself to sleep, the MacBook is now apparently acting as a super-spy, sending back images of the woman who uses it, along with shots of her family and friends, music preferences, and sightseeing photos. The stolen laptop story is riveting. Here's hoping it's not just a publicity stunt for the app.
With his laptop all the way in Iran, Deltorto has few options for recovery. Just hopping on a plane and going to track it down isn't very practical. So instead, he's posting all those goofy spy photos on Tumblr along with commentary for each image. The laptop has captured everything from a Jenga game to a snack at the coffee table.
It could be that the laptop's new owner had nothing to do with the actual theft. She may have gotten a heck of a good deal on buying it used, though.
Perhaps what's most fascinating is the peek into the life of a stolen laptop owner. It all looks just normal and mundane. It would be nice to have a happy ending and see Deltorto reunited with his MacBook, but this is the real world, and sometimes lost dogs don't find their way home.
Update: Deltorto has changed his Tumblr to reflect new developments in his lost laptop saga. "It seemed to me that a laptop that went missing from London and turned up in Iran was like a space probe landing on a distant planet and beaming back proof of intelligent life," he writes.
He has since been in touch with the new owners of the laptop and apologized to them for what he feels is a breach of privacy for publishing their images online. As a gesture of good-will, Deltorto has asked them to keep the laptop, though they had offered to return it.
Deltorto hasn't shared information about how they came by the laptop, but it's an interesting conclusion to a story that went from a Tumblr shared among friends to a story that captured eyes from all over the Internet.

U.S. Air Force designates six cybertools as weapons

Six cybertools have been designated as weapons by the U.S. Air Force, allowing the programs to better compete for increasingly scarce Pentagon funding, an Air Force official said on Monday. Lt. Gen. John Hyten, vice commander of Air Force Space Command, told a conference held in conjunction with the National Space Symposium that the new designations would boost the profile of the military's cyberoperations as countries grapple with attacks originating from the Internet. "This means that the game-changing capability that cyber is, is going to get more attention and the recognition that it deserves," Hyten told conference attendees, according to a Reuters account of the speech. "It's very, very hard to compete for resources. ... You have to be able to make that case."
Hyten, who said the Air Force was working to integrate cybercapabilities with other weapons, offered no details on the new cyberweapons. The Air Force plans to increase its cyber workforce by 20 percent, adding 1,200 people to its current 6,000, he said. "We have to do this quickly. We cannot wait," he said.
It's widely believed that the United States and Israel created Stuxnet, a sophisticated computer virus that attacked a nuclear enrichment facility in Iran in 2010. Rather than steal data, Stuxnet left a backdoor, meant to be accessed remotely, to allow outsiders to stealthily knock the facility offline and at least temporarily cripple Iran's nuclear program.
U.S. officials have blamed Iran for creating the Shamoon virus, which was responsible for a cyberattack that infected more than 30,000 computers at Saudi Arabian oil company Saudi Aramco and Qatar's natural gas firm Rasgas in mid-August.