Friday, 17 May 2013

Lulzsec hacker group handed jail sentences

British hackers who were behind a series of high profile cyber-attacks in 2011 have been sentenced.
The four men, Ryan Cleary, Jake Davis, Mustafa al-Bassam and Ryan Ackroyd, were part of the Lulzsec hacking group.
Cleary was jailed for 32 months, Davis for two years and Ackroyd for 30 months. Al-Bassam was given a 20-month suspended sentence.
Targets included Sony Pictures, games maker EA, News International and the UK's Serious Organised Crime Agency.

Group effort

The actions of the group were "cowardly and vindictive", said Andrew Hadik, a lawyer for the Crown Prosecution Service.
"The harm they caused was foreseeable, extensive and intended," he said. "Indeed, they boasted of how clever they were with a complete disregard for the impact their actions had on real people's lives.
"This case should serve as a warning to other cybercriminals that they are not invincible," he said.
Each man filled a different role during their cyber-attack spree. Ackroyd was the ringleader of the small group, choosing targets and directing the efforts of the others. Davis acted as its press secretary, Cleary provided the software to carry out attacks and al-Bassam posted stolen data online.
Some of the four could face extradition to the US as US law enforcement agencies have lodged indictments against them.
Cleary has also pleaded guilty to possession of images showing child abuse, which were found by police on his hard drive. The sentence for this offence will be given at another hearing.
During the trial Ackroyd, 26, from Mexborough, South Yorkshire, admitted stealing data from Sony.
The former soldier was also responsible for redirecting visitors trying to visit the Sun newspaper's site to a fake story about News Corp chairman Rupert Murdoch committing suicide.
He has pleaded guilty to carrying out an unauthorised act to impair the operation of a computer.
Bassam, 18, from south London, Davis, 20, from Lerwick, Shetland, and Cleary, 21, from Wickford, Essex, all pleaded guilty to two charges - hacking and launching cyber-attacks against organisations including the CIA and Soca.
In addition, Cleary pleaded guilty to a further four charges, including hacking into the US Air Force's computers and possession of indecent images of babies and children.
Prosecutor Sandip Patel said that unlike the others, Cleary was not a core member of Lulzsec although he had wanted to be.
"It's clear from the evidence that they intended to achieve extensive national and international notoriety and publicity," he said.
"This is not about young immature men messing about. They are at the cutting edge of a contemporary and emerging species of criminal offender known as a cybercriminal."

Botnet attack

Lulzsec's name is a combination of the acronym lol - meaning laugh out loud - and security.
It emerged as a splinter group from the hacking collective Anonymous two years ago.
Lulzsec carried out a 50-day series of cyber-attacks in 2011. Mr Patel said the spin-off lacked the "libertarian" political agenda of the larger group. Instead, its stated goal was to laugh at others' flawed security measures "just because we could".
This involved stealing emails, credit card details and passwords from their targets' computer servers and crashing victims' websites with distributed denial of service (DDoS) attacks, in which organisations' web servers are flooded with requests sent from hijacked computers controlled as part of a botnet.
Lulzsec's original ringleader is alleged to be another man - US-based Hector Monsegur, also known as Sabu. He was arrested in June 2011 and later co-operated with the FBI to help it identify other members of Lulzsec. Monsegur has yet to be sentenced.
A 24-year-old Australian has also been arrested and accused of attacking and defacing a government website as part of Lulzsec's campaign.

Hacker Ag3nt47 breached Suzuki and Mazda Russia

The hacker using the Twitter handle Ag3nt47, who has previously hit top university websites, has breached the Russian websites of Suzuki and Mazda.

The hacker tweeted links to the dump. The database dumped from the Russian site of the Japanese car manufacturer Suzuki includes password hashes and email addresses.

The data taken from the Russian website of Mazda, also a Japanese car manufacturer, contains nothing of interest.

Ag3nt47 has given no specific reason for the attack. It appears the hacker targets high-profile websites at random.

Anonymous launched cyber attack on Saudi Government site

The Saudi branch of the Anonymous hacktivist collective has launched a cyberattack on Saudi government websites; the operation has been named "#OpSaudi". Several government websites are facing heavy distributed denial-of-service (DDoS) attacks from Anonymous.

The affected government sites include those of the Saudi Arabian Ministry of Foreign Affairs, the Ministry of Finance, the General Intelligence Presidency and Riyadh Region Traffic.

Anonymous Saudi also claimed to have gained access to the server of the Qassim Region Traffic website and deleted its database.

The website of the General Directorate of Education in Jeddah also fell victim to the cyber attack. The hackers identified and exploited a SQL injection vulnerability in

"saudi people like slave for the gov , and 2 days ago a saudi prince kidnapped a girl & raped her . then killed her and throw her body naked", Anonymous Saudi stated as the reason for the cyber attack.

Governments and military flirting with SAP's HANA for security operations

Government and military agencies across the world are being won over by SAP HANA's inherent security and mobility benefits, according to co-CEO, Bill McDermott.
At Sapphire in Orlando on Wednesday, McDermott said that the interconnected nature of the world has led many public sector institutions to take an interest in the potential security benefits of big data analytics tools like HANA.
"On security, we're in some very interesting conversations now, not only in the public market, but in the defence, logistics and military markets all over the world. There's a tremendous amount of interest in SAP for its secure nature as a platform," he said.
The co-chief said that the interest is the latest stage of HANA's development, showing how it can be used for more advanced purposes by businesses. "It's about trying to talk about HANA in a business benefit conversation. We're no longer talking about the ability to read 520 billion records in 400 milliseconds, we're translating that speed to business value," said McDermott.
"It's an infrastructure conversation where you ask, 'How do you build a scalable, secure way of connecting enterprise quality systems featuring enterprise quality mobility in a way that doesn't create chaos?'. It took a lot for us to convince customers that this is the real problem to solve."
McDermott highlighted HANA's predictive powers as a key feature that could be developed for security purposes. "Being able to do transactions is one thing, track the sentiment of the crowd is another thing, but being able to predict somebody's intentions is an entirely new thing. Today's enterprise on a disk can't do that," he said.
The SAP chief highlighted one recent application of the feature by a small airport security firm as a prime example of the feature's potential security applications. "I was talking to one innovator last night, a small venture-backed company who standardised his small business model on HANA. His business is essentially working to keep the largest airports in the world safe," said McDermott.
"To give you an example one application of HANA here: if the guy's a baggage handler and he doesn't swipe out at the end of his shift and he's swiped out at the end of his shift within five minutes of it ending for the last five years, that pattern is going to come out as an alert message to the manager. The manager's then going to say, 'What's up with the baggage guy?'. They'll then go and find him and ask him some good questions. That's a whole new application and business model that's only made possible because of HANA."
McDermott's comments come during a wider security push by SAP. Prior to this, the firm unveiled its new Mobile Secure technology, designed to make consumer Android and iOS devices secure enough for enterprise use.

Apple posts updates for OS X and Windows iTunes security holes

Apple has posted an update to address multiple security vulnerabilities in its iconic iTunes media player platform.
The company said that the update will include fixes for multiple security vulnerabilities which could be exploited remotely by an attacker. The update will apply to both the OS X and Windows versions of the application.
According to Apple, the flaws include an HTTPS certificate validation error. An attacker could in theory craft a phony security certificate which would be accepted by iTunes without warning, potentially allowing the attacker to establish a trusted connection with a targeted system.
Additionally, the update will address memory corruption errors in WebKit which place iTunes Store users in danger of a man-in-the-middle attack. Apple said that if an attacker had gained access to the iTunes store and targeted the flaw, users could have been subjected to remote code execution attacks while browsing. The company did not report any instances of attacks occurring in the wild.
Apple said that the iTunes 11.0.3 update will apply to users running Windows 7, Vista and XP SP2 and later. OS X users will require MacOS version 10.6.8 or later. Users can obtain the fix through Apple's Software Update utility.
The iTunes update comes just days after Microsoft released its May Patch Tuesday bundle. The monthly security update included fixes for major vulnerabilities in Internet Explorer which have been targeted in zero-day attacks.
The update comes as Apple celebrates 50 billion app downloads from its iTunes store on devices such as the iPad and iPhone.

US Congress writes to Google over Glass privacy concerns

Google has been asked to address numerous security concerns with its Glass technology by a committee of US Congress members.
Issues with the firm's yet-to-be-released Glass tool, which provides an augmented reality heads-up display, have surfaced with increasing regularity this year, and the letter from the politicians in the Bi-Partisan Privacy Caucus adds to these concerns.
"Because Google Glass has not yet been released and we are uncertain of Google's plans to incorporate privacy protections into the device," the caucus said.
"There are still a number of unanswered questions that we share."
These questions include if and how data will be collected, in light of the WiFi incidents that have dogged its StreetView service. As such they have asked a number of questions of the firm about how it intends to avoid similar issues.
One question reads: "What proactive steps is Google taking to protect the privacy of non-users when Google Glass is in use?"
Another reads: "Will Google Glass have the capacity to store any data on the device itself? If so, will Google Glass implement some sort of user authentication system to safeguard stored data? If not, why not? If so, please explain."
V3 contacted Google for comment on the letter but had not received a reply at the time of publication.
The Glass technology is being shown off at the firm's I/O conference this week as the firm prepares to launch the product before the end of the year.

Researchers spot OS X malware spoofing developer credentials

Researchers at a conference in Norway have uncovered a new piece of OS X malware which attempts to present itself to systems as a signed and authorised application.
The malware, spotted on the system of a convention-goer from Africa, uses the credentials of an Apple Developer ID, allowing the program to appear authorised and possibly bypass Apple's Gatekeeper security tool.
According to researchers from F-Secure, the malware functions as a spyware and backdoor tool, sitting on an infected system and collecting data such as screen shots, which are then stored on the compromised machine and later covertly transferred to a command and control server.
Additionally, the malware attempts to set itself as a startup item, displaying the name 'macs' within the Users and Groups control panel on OS X.
Experts are suggesting that the signature used in the attack was pulled from a legitimate application and re-purposed within the malware. SANS researcher Daniel Wesemann noted that the process for extracting an Apple Developer ID from another application is relatively simple and that such 'signed' malware may in fact be more common than first believed.
News of the malware discovery comes as Apple is rolling out an update to its iTunes media player platform which includes fixes for remote code execution and man-in-the-middle attacks. The patch applies to both OS X and Windows systems.

GoPro urges staff to use Mac and iOS over Windows and Android

In a telling example of the growing use of Apple products as core enterprise devices, extreme sports camera firm GoPro has revealed that it urges all staff members to use MacBook devices, rather than Windows PCs.
GoPro has been in existence since 2003, and has grown from five members of staff to just shy of 500. In that time, Apple devices have become the norm in the company.
Speaking exclusively to V3, the firm's chief technology officer, Stephen Baumer, explained that he has pushed the use of Mac devices over Windows for several reasons.
"There's always been this thing that it's cheaper to run your whole enterprise on Windows, but I don't believe that. If you look at the virus footprint alone and what that means for a company – that's non-existent for us," he said. "We give users the option and if they really want Windows we'll try and get them to take a Mac machine and we'll install Windows on it for them, but we try and encourage them to take a Mac."
Baumer, who started his career at Apple in sales engineering in 1995, also explained he'd been frustrated in the past by Windows' dominance in enterprises. "I'd worked at lots of companies where you were forced into having a PC and I always said if I ever had the opportunity to decide IT policy, I wouldn't force people onto Windows machines."
On the smartphone side, the firm operates a bring-your-own-device (BYOD) policy and the vast majority of its staff – around 93 percent according to Baumer – are iPhone users. The rest are a smattering of Android users, and even fewer Windows Phone advocates.
"We haven't pushed iPhones. I think for a lot of people the iPhone just works and our employees don't feel the need to do this configuration on an Android device, so they just default to iPhones," he said.
As a company that's just 10 years old, GoPro is also heavily based in the cloud, with Baumer claiming 98 percent of all its applications are cloud based. Only its process-heavy, and therefore bandwidth-heavy, video editing requirements justify the need for on-premise servers, and Baumer said that if it becomes possible in the future, this will be stored in the cloud too.
The tools in use include NetSuite for commerce, AtTask for project management, Arena for product lifecycle management, Workday for HR systems and Dell Boomi for data scheduling. The firm also used Google's Gmail service for email but has moved to a hosted instance of Exchange due to perceived security concerns.
Baumer said the firm had never really considered on-premise services and added that he is surprised by other young firms that are not following a similar path.
"I always assumed everyone was doing that. Of course you have companies with established infrastructure where the move to cloud for them is not going to happen overnight, but even young companies, I'm taken aback when they say they have 25 percent of applications in the cloud and they consider that aggressive," he said. "I continued to be surprised at how many companies run stuff on premise. Economically it just doesn't seem to make any sense."
Apple's strength in the enterprise market is likely to increase in the coming weeks as both the US and most likely UK government agencies approve the iOS operating system for use by public sector workers.

Kangaroo targeting Australian bank customers

Security researchers from Russian cybercrime investigations firm Group-IB have uncovered a cyberfraud operation that uses specialized financial malware to target the customers of several major Australian banks.
Over 150,000 computers, most of them belonging to Australian users, have been infected with this malware since 2012 and were added to a botnet that Group-IB researchers have dubbed “Kangaroo” or “Kangoo,” after a kangaroo logo used on the command-and-control server’s interface, Andrey Komarov, the head of international projects at Group-IB, said Wednesday via email.
The malware is a modified version of Carberp, a financial Trojan program that so far has been used primarily against Internet banking users from Russian-speaking countries. In fact, the same Carberp variant is used as part of a different operation targeting customers of Sberbank in Russia, Komarov said.
Like the majority of financial Trojan programs, Carberp supports the use of “Web injects”—special scripts that tell the malware how to interact with specific online banking websites. These scripts allow attackers to piggyback on a victim’s active online banking session, initiate rogue transfers, hide account balances and display rogue forms and messages that appear to originate from the bank.
The Carberp variant targeting Australian users contains Web injects for the Internet banking websites of Commonwealth Bank, Bank of Queensland, Bendigo Bank, Adelaide Bank and ANZ. The malware is capable of hijacking the destination of money transfers in real time and uses specific transfer limits to avoid raising red flags, Komarov said.
Group-IB believes that the cybercriminals behind this operation are located in former Soviet Union states. However, the group has contacts with money mule services in Australia as well as its own “corporate drops”—bank accounts registered to sham businesses—in the country, Komarov said.
The attackers create thousands of Web pages riddled with terms from the banking industry that later appear in Web search results for specific keywords, a technique known as black hat search engine optimization, Komarov said. Users who visit these pages get redirected to attack sites that host exploits for vulnerabilities in browser plug-ins like Java, Flash Player, Adobe Reader and others, he said.
The number of 150,000 infected computers is not the number of currently active botnet clients, but a historical count of unique infections since 2012 gathered from the botnet’s command and control server, Komarov said. Also, not all affected users actually use online banking, he said. The rate is roughly one in every three victims, he estimated.
Group-IB said that it is working with the targeted banks and has shared the information gathered from the botnet’s command and control server with them, including compromised account credentials and the Internet Protocol addresses of the infected computers.

Facebook Monitors Your Chats for Criminal Activity

Facebook and other social platforms are watching users' chats for criminal activity and notifying police if any suspicious behavior is detected, according to a report.
The screening process begins with scanning software that monitors chats for words or phrases that signal something might be amiss, such as an exchange of personal information or vulgar language.
The software pays more attention to chats between users who don't already have a well-established connection on the site and whose profile data indicate something may be wrong, such as a wide age gap. The scanning program is also "smart" — it's taught to keep an eye out for certain phrases found in the previously obtained chat records from criminals including sexual predators.
If the scanning software flags a suspicious chat exchange, it notifies Facebook security employees, who can then determine if police should be notified.
Keeping most of the scanned chats out of the eyes of Facebook employees may help Facebook deflect criticism from privacy advocates, but whether the scanned chats are deleted or stored permanently is yet unknown.
The new details about Facebook's monitoring system came from an interview which the company's Chief Security Officer Joe Sullivan gave to Reuters. At least one alleged child predator has been brought to trial directly as a result of Facebook's chat scanning, according to Reuters' report.
When asked for a comment, Facebook only repeated the remarks given by Sullivan to Reuters: "We've never wanted to set up an environment where we have employees looking at private communications, so it's really important that we use technology that has a very low false-positive rate."

Facebook works with law enforcement "where appropriate and to the extent required by law to ensure the safety of the people who use Facebook," according to a page on its site.
"We may disclose information pursuant to subpoenas, court orders, or other requests (including criminal and civil matters) if we have a good faith belief that the response is required by law. This may include respecting requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law under the local laws in that jurisdiction, apply to users from that jurisdiction, and are consistent with generally accepted international standards.
"We may also share information when we have a good faith belief it is necessary to prevent fraud or other illegal activity, to prevent imminent bodily harm, or to protect ourselves and you from people violating our Statement of Rights and Responsibilities. This may include sharing information with other companies, lawyers, courts or other government entities."
Indeed, Facebook has cooperated with police investigations in the past. In April, it complied with a police subpoena from the Boston Police Department by sending printouts of wall posts, photos and login/IP data of a murder suspect.

Armenian hackers VS Azerbaijani journalists

A group of Armenian hackers, “Ananun”, has published on the website “” a new "portion" of the correspondence of Azerbaijani journalists engaged in anti-Armenian propaganda and falsifications. This time it was the turn of Bahram Batiev, a journalist of the "" news agency, whose working correspondence concerning Armenian issues has been made public and is being widely discussed online.
One of the notable points is the cooperation with representatives of the Azerbaijani community of Israel, who present themselves in the media as independent and neutral experts. For example, messages from Avigdor Eskin offering his services to the Azerbaijani side, as well as subsequent reports for fees, have been posted online.
It is also noteworthy that in the correspondence the experts Arie Gut, Lev Spivak and Michael Agaronov openly admit that they are representatives of the Azerbaijani diaspora in Israel: "The highest assessment of the work of our Diaspora is reflected in the article by Akbar Hasanov, the famous Azerbaijani journalist."
However, Peter Lucksimson, editor-in-chief of the Israeli newspaper "News of the Week", for example rebukes the Azerbaijani falsifier for distorting his interview about the "dangers of the Armenian lobby."
The correspondence with the well-known anti-Armenian Guram Markhuliya, who asks to be called Aliyev, is also interesting. He expresses his desire to learn Azerbaijani "to do something pleasant for his brothers" and also alludes to his straitened financial circumstances.
The correspondence with Georgi Vanyan, the organiser of the failed Azerbaijani film festivals in Armenia, can also be found online. Bahram Batiev and Rizvan Huseynov promise Vanyan to attend his event in Georgia.
Expert Oleg Kuznetsov offers his services "for voicing the disposition of the Azerbaijani side." Batiev rejects his hints at covering the cost of his services. In the end he gets his satisfaction from the "appreciative audience" of his anti-Armenian interviews placed on the news agency's site.
Another interesting point is the cooperation of the Ukrainian resource "Hvilya" with Azerbaijani propagandists: for example, anonymous complaints by a teacher from the Krasnodar region about his Armenian colleague Varvara Markarian, or the testimony of retired serviceman Stanislav Razdobreev, whose interview was "corrected" and then completely removed from "". It is noteworthy that in his personal correspondence the Russian serviceman "hands" Batiev the inconvenient questions of the Armenian journalists and admits that he lied to the Armenians. Finally, the proposal of actor Joseph Harry to sit alone with Bahram in Tbilisi and drink a glass of Armenian cognac can be noted.

CSRF vulnerability in LinkedIn 2013

A security company has found a CSRF vulnerability in LinkedIn and has uploaded a proof-of-concept video to YouTube to show the impact.
The cross-site request forgery attack allows the attacker to access information from a contact without the consent or knowledge of the affected user.
Step 1: visit
Sign in with the profile you wish to use.
Step 2:  click add connections.
Step 3: Any e-mail
Step 4: Use a proxy like WebScarab.
Step 5: Delete parameters that are not used/validated:
  • csrfToken
  • sourceAlias
Step 6: Use the HTTP GET method instead of the HTTP POST method.
Step 7:

Step 8:

Step 9:

Vulnerability: CSRF Vulnerability in LinkedIn
Score: 4.3/10 (CVSSv2 Base Score)

Business impact: A malicious user can access the information that users share with their contacts by adding those users to her contacts without their consent or knowledge.

Systems affected: LinkedIn Service

Credits: Vicente Aguilera Díaz
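As an added example (not from the advisory, and not LinkedIn's code), the Python below sketches the server-side checks that steps 5 and 6 show to be missing: a weak handler that never looks at the method or the token, beside a hardened one that requires POST and a session-bound csrfToken, with a small driver that sends the page's reduced requests to each. Session, Request and the handler names are this example's own assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field


# Hypothetical stand-ins for a session store and an HTTP request.
@dataclass
class Session:
    user: str
    # Per-session secret issued with the form and echoed back as csrfToken.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    params: dict
    session: Session


def add_connection_weak(req: Request) -> tuple[int, str]:
    """Shape of the bug in the advisory: only the contact e-mail is read, so
    csrfToken and sourceAlias can be dropped and the method switched to GET
    without changing the outcome."""
    email = req.params.get("email")
    if not email:
        return 400, "missing email"
    return 200, f"{req.session.user} invited {email}"


def add_connection_hardened(req: Request) -> tuple[int, str]:
    """Same action with the two server-side checks the steps above bypass."""
    # A state-changing action must not be reachable through a plain GET: a GET
    # can be triggered by an <img> or link on any third-party page.
    if req.method != "POST":
        return 405, "state-changing action requires POST"
    # The token must be present and equal to the one bound to this session;
    # compare_digest keeps the comparison constant-time.
    token = req.params.get("csrfToken", "")
    if not token or not hmac.compare_digest(token, req.session.csrf_token):
        return 403, "missing or invalid csrfToken"
    email = req.params.get("email")
    if not email:
        return 400, "missing email"
    return 200, f"{req.session.user} invited {email}"


def check_handler(handler) -> dict:
    """Send a legitimate request plus the reductions from steps 5 and 6 to
    `handler`; returns the status code for each case."""
    victim = Session(user="victim@example.invalid")  # constructed sample
    contact = "attacker@example.invalid"              # constructed sample
    legit = Request("POST", {"email": contact, "csrfToken": victim.csrf_token,
                             "sourceAlias": "constructed"}, victim)
    # Step 5: csrfToken and sourceAlias removed.
    no_token = Request("POST", {"email": contact}, victim)
    # Step 6: GET instead of POST.
    as_get = Request("GET", {"email": contact}, victim)
    # A token of the right shape that was not issued to this session.
    bad_token = Request("POST", {"email": contact,
                                 "csrfToken": secrets.token_urlsafe(32)}, victim)
    cases = [("legit", legit), ("no_token", no_token),
             ("as_get", as_get), ("bad_token", bad_token)]
    return {name: handler(r)[0] for name, r in cases}


if __name__ == "__main__":
    print("weak:    ", check_handler(add_connection_weak))
    print("hardened:", check_handler(add_connection_hardened))
```

The weak handler answers 200 to every case, which is exactly what lets the reduced GET be planted on a third-party page; the hardened one only accepts the legitimate request.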