Sunday, 13 April 2014

Do you want to learn computer or you want to improve your skills?

Do you want to learn computer or you want to improve your skills. Register now for our Professional Courses. Email not displaying correctly?
View it in your browser.


Information Security and Computer Intelligence

Certified Professional Ethical Hacker
Certified Digital Forensics Expert
Certified Malware Analyst
Certified Information Security Expert
Security Awareness Training
Cloud Computing Security
Certified Cyber Security & Intelligence Expert
Training Options:
Class Room
Corporate Training

Other Available Courses

Computer Application & Programming

1. C / C++Programming
2. Core Java
3. Advance Java
4. Web Development Technologies(HTML5, PHP, MYSQL )
5. .NET Technologies
6. Mobile Application Development

Computer Hardware, Telecommunication and Networking

1. Computer Engineering
2. Data Communication and Networking
3. Security +
4. Certified Telecommunication Associate Program
5. Virtualization and Cloud Computing
6. Network Operations Center  Engineering
7. VSAT Assembly, Installation & Configuration
10. MSCE 2010

Operating Systems

1. Linux Operating Systems
2. Window Operating Systems
3. Embedded Systems


1. Mysql Database
2. Oracle Database
3. Postgresql Database

Internet Technologies

1. Internet Marketing
2. Online Reputation Management
3. Search Engine Optimization

Computer Application Training

1. Microsoft Office and Internet Essentials
2. Security Awareness Training
3. Graphics Design and Video Editing
4. PMP

Registration in Progress: For further details Contact

Contact 07037288651
Commencement Date 12th May 2014
Copyright © 2014 Cyberinfocts, All rights reserved.

Our mailing address is:
Believe us your every single penny will be worth millions after completing your course from Cyberinfocts.

Appeals Court Overturns Conviction of AT&T Hacker ‘Weev’

Andrew “Weev” Auernheimer. Image: pinguino/Flickr
Andrew “Weev” Auernheimer. Image: pinguino/Flickr
A hacker sentenced to three and a half years in prison for obtaining the personal data of more than 100,000 iPad owners from AT&T’s unsecured website is about to go free, after a ruling today that prosecutors were wrong to charge him in a state where none of his alleged crimes occurred.
Andrew “Weev” Auernheimer was in Arkansas during the time of the hack, his alleged co-conspirator was in California, and the servers that they accessed were physically located in Dallas, Texas and Atlanta, Georgia. Prosecutors therefore had no justification for bringing the case against Auernheimer in New Jersey, a federal appeals panel ruled this morning.
The appeal was closely watched in cyber law and civil liberties circles, and Auernheimer had a powerhouse legal team that handled his case pro-bono.
“Venue in criminal cases is more than a technicality; it involves ‘matters that touch closely the fair administration of criminal justice and public confidence in it,’” the judges wrote in their opinion (.pdf). “This is especially true of computer crimes in the era of mass interconnectivity. Because we conclude that venue did not lie in New Jersey, we will reverse the District Court’s venue determination and vacate Auernheimer’s conviction.”
The vacation means that the larger issue raised by the conviction of Auernheimer and raised by his appeal attorneys — that the Computer Fraud and Abuse Act under which Auernheimer was convicted was wrongfully applied — may never be addressed.
It’s unclear if federal prosecutors in another state will attempt to try him again in a different venue.
Auernheimer, of Fayetteville, Arkansas, was found guilty in New Jersey in 2012 of one count of identity fraud and one count of conspiracy to access a computer without authorization.
He and Daniel Spitler, 26, of San Francisco, California, were charged after the two discovered a hole in AT&T’s website in 2010 that allowed anyone to obtain the email address and ICC-ID of iPad users. The ICC-ID is a unique identifier that’s used to authenticate the SIM card in a customer’s iPad to AT&T’s network.
AT&T provided internet access for some iPad owners through its 3G wireless network, but customers had to provide AT&T with personal data when opening their accounts, including their email address. AT&T linked the user’s email address to the ICC-ID, and each time the user accessed the AT&T website, the site recognized the ICC-ID and displayed the user’s email address.
Auernheimer and Spitler discovered that the site would leak email addresses to anyone who provided it with a ICC-ID. So the two wrote a script – which they dubbed the “iPad 3G Account Slurper” — to mimic the behavior of numerous iPads contacting the web site in order to harvest the email addresses of iPad users.
According to authorities, they obtained the ICC-ID and email address for about 120,000 iPad users, including dozens of elite iPad early adopters such as New York Mayor Michael Bloomberg, then-White House Chief of Staff Rahm Emanuel, anchorwoman Diane Sawyer of ABC News, as well as dozens of people at NASA, the Justice Department, the Defense Department, the Department of Homeland Security and other government offices.
The two contacted the Gawker website to report the hole, a practice often followed by security researchers to call public attention to security vulnerabilities that affect the public, and provided the website with harvested data as proof of the vulnerability. Gawker reported at the time that the vulnerability was discovered by a group calling itself Goatse Security.
AT&T maintained that the two did not contact it directly about the vulnerability and that the company learned about the problem only from a “business customer.”
Auernheimer later sent an email to the U.S. attorney’s office in New Jersey, blaming AT&T for exposing customer data.
“AT&T needs to be held accountable for their insecure infrastructure as a public utility and we must defend the rights of consumers, over the rights of shareholders,” he wrote, according to prosecutors. ”I advise you to discuss this matter with your family, your friends, victims of crimes you have prosecuted, and your teachers for they are the people who would have been harmed had AT&T been allowed to silently bury their negligent endangerment of United States infrastructure.”
Following his conviction in November 2012, Auernheimer tweeted to supporters that he had expected the guilty verdict but planned to appeal.
Auernheimer’s appeal was argued by Orin Kerr, a law professor at Georgetown University. Kerr had argued the appeal primarily on grounds that the CFAA was incorrectly applied in this case — since the information Auernheimer and Spitler obtained was made publicly available on the site by AT&T — and that even if Auernheimer was guilty of exceeding authorized access on the AT&T web site, he should have been convicted of a misdemeanor, not a felony.
“In the government’s view, visiting the URLs was an unauthorized access of AT&T’s website. But I think that’s wrong. At bottom, the conduct here was visiting a public website,” Kerr noted in the appeal. “The fact that AT&T would not have wanted Spitler to visit those particular URLs doesn’t make visiting the public website and collecting the information a criminal unauthorized access. If you make information available to the public with the hope that only some people would bother to look, it’s not a crime for other people to see what you make available to them.”
But Kerr had little chance to argue the finer points of his case during the appeal, when judges interrupted him to focus on the venue issue.
Ultimately, it was that simpler issue that got Auernheimer’s case vacated.
The judges noted in their ruling that Auernheimer had tried to get the initial charges dismissed when he was first indicted — on grounds that the CFFA was inappropriately applied and on grounds that the venue was incorrect — but his motion was denied by a U.S. District Court.
The district judge had held that venue was proper because Auernheimer’s disclosure of the email addresses of about 4,500 New Jersey residents affected these victims in New Jersey and violated New Jersey law.
Auernheimer’s defense attorney had broached the venue issue again near the end of his trial when he asked the judge to instruct the jury on the venue issue, but the judge declined, saying that prosecutors had adequately argued that New Jersey was the correct venue.
In their ruling to vacate, the appeals court judges acknowledged that there were other pressing issues in the case, but emphasized the importance of proper venue.
“The founders were so concerned with the location of a criminal trial that they placed the venue requirement … in the Constitution in two places,” the judges wrote. “They did so for good reason. A defendant who has been convicted ‘in a distant, remote, or unfriendly forum solely at the prosecutor’s whim,’… has had his substantial rights compromised.
“Auernheimer was hauled over a thousand miles from Fayetteville, Arkansas to New Jersey,” they continued. “Certainly if he had directed his criminal activity toward New Jersey to the extent that either he or his co-conspirator committed an act in furtherance of their conspiracy there, or performed one of the essential conduct elements of the charged offenses there, he would have no grounds to complain about his uprooting. But that was not what was alleged or what happened. While we are not prepared today to hold that an error of venue never could be harmless, we do not need to because the improper venue here — far from where he performed any of his allegedly criminal acts — denied Auernheimer’s substantial right to be tried in the place where his alleged crime was committed

Report: NSA Exploited Heartbleed to Siphon Passwords for Two Years

Image: Codenomicon
Image: Codenomicon
The NSA knew about and exploited the Heartbleed vulnerability for two years before it was publicly exposed this week, and used it to steal account passwords and other data, according to a news report.
Speculation had been rampant this week that the spy agency might have known about the critical flaw in OpenSSL that would allow hackers to siphon passwords, email content and other data from the memory of vulnerable web servers and other systems using the important encryption protocol.
That speculation appears to be confirmed by two unnamed sources who told Bloomberg that the NSA discovered the flaw shortly after it was accidentally introduced into OpenSSl in 2012 by a programmer.
The flaw “became a basic part of the agency’s toolkit for stealing account passwords and other common tasks,” the publication reports. [See NSA response below]
OpenSSL is used by many websites and systems to encrypt traffic. The vulnerability doesn’t lie in the encryption itself, but in how the encrypted connection between a website and your computer is handled. On a scale of one to 10, cryptographer Bruce Schneier ranks the flaw an 11.
The flaw is critical because it’s at the core of SSL, the encryption protocol so many have trusted to protect their data, and can be used by hackers to steal usernames and passwords — for sensitive services like banking, ecommerce, and web-based email.
There are also concerns that the flaw can be used to steal the private keys that vulnerable web sites use to encrypt traffic to them, which would make it possible for the NSA or other spy agencies to decipher encrypted data in some cases and to impersonate legitimate web sites in order to conduct a man-in-the-middle attack and trick users into revealing passwords and other sensitive data to fake web sites they control.
Heartbleed allows an attacker to craft a query to vulnerable web sites that tricks the web server into leaking up to 64kb of data from the system’s memory. The data that’s returned is random — whatever is in the memory at the time — and requires an attacker to query multiple times to collect a lot of data. But this means that any passwords, spreadsheets, email, credit card numbers or other data that’s in the memory at the time of the query could be siphoned. Although the amount of data that can be siphoned in one query is small, there’s no limit to the number of queries an attacker can make, allowing them to collect a lot of data over time.
Although some researchers have reported on Twitter and in online forums that they were able to siphon the private keys in some cases from servers that were vulnerable to the flaw, the security firm CloudFlare announced today in a blog post that it was unable to siphon a private key after multiple days of testing the flaw.
Cracking SSL to decrypt internet traffic has long been on the NSA’s wish list. Last September, the Guardian reported that the NSA and Britain’s GCHQ had been working to develop ways into the encrypted traffic of Google, Yahoo, Facebook, and Hotmail to decrypt the data in near-real time, and there were suggestions that they might have succeeded.
According to documents that Edward Snowden provided the paper, the spy agencies have used a number of methods under a program codenamed “Project BULLRUN” to undermine encryption or do end-runs around it — including efforts to compromise encryption standards and work with companies to install backdoors in their products. But at least one part of the program focused on undermining SSL. Under BULLRUN, the Guardian noted, the NSA “has capabilities against widely used online protocols, such as HTTPS, voice-over-IP and Secure Sockets Layer (SSL), used to protect online shopping and banking.”
Bloomberg does not say if the NSA or its counterparts succeeded in siphoning private keys using the Heartbleed vulnerability. The paper only mentions using it to steal passwords and “critical intelligence.”
Update: The NSA has issued a statement denying any knowledge of Heartbleed prior to its public disclosure this week. “NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report,” an NSA spokesperson wrote in a statement. “Reports that say otherwise are wrong.”
The White House National Security Council spokesperson Caitlin Hayden also denied that federal agencies knew about the bug. “If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL,” Caitlin Hayden said in a statement.

9 charged for stealing millions of dollars with Zeus Malware

The Zeus malware is one of the most damaging pieces of financial malware that has helped the culprits to infect thousands of business computers and capture passwords, account numbers and other information necessary to log into online banking accounts.

U.S. Department of Justice unsealed charges against nine alleged cyber criminals for distributing notorious Zeus malware to steal millions of dollars from bank accounts.

Vyachesla V Igorevich Penchukov, Ivan Viktorvich Klepikov, Alexey Dmitrievich Bron, Alexey Tikonov, Yevhen Kulibaba, Yuriy Konov Alenko, And John Does are charged to devise and execute a scheme and artifice to defraud Bank Of America, First Federal Savings Bank, First National Bank Of Omaha, Key Bank, Salisbury Bank & Trust, Union Bank And Trust, And United Bankshares Corporation, all of which were depository institutions insured by the Federal Deposit Insurance Corporation.

They are also accused to use Zeus, or Zbot, computer intrusion, malicious software, and fraud to steal or attempt to steal millions of dollars from several bank accounts in the United States, and elsewhere.

It has also been reported that defendants and their co-conspirators infected thousands of business computers with software that captured passwords, account numbers, and other information necessary to log into online banking accounts, and then used the captured information to steal millions of dollars from account-holding victims' bank accounts.

Account holding victims include Bullitt County Fiscal Court, Doll Distributing, Franciscan Sisters Of Chicago, Husker Ag, Llc, Parago, Inc., Town Of Egremont, And United Dairy...

They have also been given notice by the United States of America, that upon conviction of any defendant, a money judgment may be imposed on that defendant equal to the total value of the property subject to forfeiture, which is at least $70,000,000.00.

The United States of America has also requested that trial of the case be held at Lincoln, Nebraska, pursuant to the rules of this Court. The Metropolitan Police Service in the U.K., the National Police of the Netherlands’ National High Tech Crime Unit and the Security Service of Ukraine are assisting the investigation.

NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS

The tech world is aflutter over the Heartbleed encryption flaw in OpenSSL, but it seems that the bug was no surprise to the analysts of the NSA, since they have reportedly been using it for two years to spy on data traffic.
Two sources familiar with the matter told Bloomberg that NSA staff picked up on the fatal flaw shortly after the code was published, and added it into the agency's box of hacking tricks. One source said Heartbleed was used regularly for years, and that the agency decided not to warn US citizens and companies that their data was at risk.
One of the NSA's specific roles is to safeguard national communications and online security infrastructure; indeed, the agency states as much on its website. "We will protect national security interests by adhering to the highest standards of behavior," they write.
This appears to have been lacking if Friday's report is correct.
"It flies in the face of the agency's comments that defense comes first," said Jason Healey, director of the cyber statecraft initiative at the Atlantic Council and a former Air Force cyber officer. "They are going to be completely shredded by the computer security community for this."
News of the Heartbleed bug surfaced on April 7, and since then the biggest names in the technology industry have been scrambling to patch up their software and fix the flaw. Hackers have already started attacks using the vulnerability, and the internet has probably seen more password changes in the last week than at any point in its history.
Most websites have now upgraded to OpenSSL 1.0.1g, which fixes the problem, but the flaw will also affect software on PCs, phones, and tablets, according to the computer security folks at the SANS Institute. The open source community has been criticized for failing to spot the flaw, but it lacks the resources of the NSA, which employs hundreds of code checkers to find flaws in common code. ®


The NSA has now said it knew nothing about the Heartbleed bug in a brief statement on Twitter.

Sandroid Trojan; From Russia with Love

The smartphone revolution is enabling the harvesting of banking information and credit card numbers in new ways. There were almost 100,000 malicious modifications to mobile malware in 2013, with over 98% connected to the Android platform. Sandroid is the latest high-profile mobile Trojan, wreaking havoc amongst middle-east banking customers.
This botnet is spreading with the help of malicious Android apps. Reliable banks from the middle-east are being used as bait. These include Riyad Bank, SAAB, AlAhliOnline (NCB), Al Rajhi Bank and the Arab National Bank.
Almost 3000 mobile phones have already been infected by the malicious scheme, with an estimated 28,000 text messages intercepted for manipulative use. The Russian spyware was exposed by security expert Brian Krebs.

The hacking methodology is simple. Computers are contaminated with malware using traditional phishing techniques. Pop-up boxes creep up on the screen, asking the victims to download a banking security app on their mobile phone. This obviously is a scam, as these apps are actually spyware that are designed to harvest private information.
Nicknamed Sandroid, this malware intercepts all incoming SMS messages and harvests relevant banking information. The victim’s code, username and password are exposed without much trouble and are automatically transferred to the botnet-master. Krebs traced the botnet activity to a Russian Mobile Telesystems SIM card currently active in Moscow.
Fake Bank Messages
Intercepted Bank Messages. Courtesy – KrebsOnSecurity
The good news is that users with even basic Android anti-virus solutions can easily trace the aforementioned malware, which has a simple signature.  Besides adopting safe browsing habits on the computer, Android users have to beef up their mobile security awareness to combat malicious Trojans like Sandroid and other dangerous cyber-threats.
  • Use only official operating systems (Kernels & ROMs) provided by the manufacturer and make sure they are up-to-date with the latest security patches/fixes.
  • Stay away from underground app markets and refrain from installing software from unknown sources on your smartphone. Make Google Play your only app source.
  • Not all apps need system-level permissions. Be very careful during the app installation process and avoid apps that seem to be too intrusive or unusual.
  • Free WiFi hotspots are a tempting proposition, but pose a huge security risk. Use only recognized wireless networks and turn off your Bluetooth when possible.
  • Try not to use your mobile web browsing to perform financial activities. If really urgent, type the desired address into your mobile Chrome instead of clicking on links.
  • Scan your mobile device for viruses, just like on your personal laptops. Change all your passwords immediately if the scan finds and removes any sort of infection.
Sandroid is not a vulnerable app, but official apps do need to be vulnerability-free. This can be achieved by implementing the right tools to create a safe Software Development Life-Cycle (SDLC). Source Code Analysis (SCA), a SAST solution, can be fully integrated into the development process, shortening production times, saving resources and cutting costs.