Sunday, 28 September 2014

Shellshock bug could threaten millions as Compared to Heartbleed ~ Hack4friends


A programming flaw dubbed the “Bash Bug,” or more ominously “Shellshock,” is being described as a potential threat to millions of computers, servers, medical devices, power plants and municipal water systems, and even common objects such as refrigerators and cameras.
It is being compared to Heartbleed, a flaw in security software used by most of the Internet which allowed hackers to steal data such as passwords. Shellshock is similarly widespread and can be used to wreak more havoc. It allows hackers to take control of a vulnerable machine, steal data, shut down networks and cause other problems.
It was discovered Sep. 12 by Unix specialist Stéphane Chazelas and revealed on Wednesday.
According to Ars Technica, the bug is already being used to exploit Web servers. The initial fix for the bug was incomplete. Hours after news of the bug went public, security researchers detected evidence of hackers trying to exploit it.
The flaw affects a commonly used, free software system called Bash that has been around since 1989. According to the New York Times, it is built into 70 percent of machines that connect to the Internet.
Software-savvy people call it a “command shell.” It interprets instructions from users and programs so the computer knows what to do.
According to reports, it could affect your computer even if you’ve never heard of it. Bash is used in most Linux or Unix-based operating systems, including Apple’s Mac OS X, according to an alert from the Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT).
The National Institute of Standards and Technology rated Shellshock a 10 on a 10-point severity scale. Heartbleed was rated five. Both flaws were rated low in terms of complexity, which means they can be easily exploited.
Discovered last spring, Heartbleed was a flaw in security technology used by thousands of Web sites that exposed passwords and other personal data to hackers for two years before it was discovered.
Shellshock has existed for 22 years, the Times noted. It doesn’t just expose your password — hackers can exploit the flaw to hijack your computer. Heartbleed only affected servers, while Shellshock affects many Internet-connected devices.
However, Shellshock could be harder to exploit, Christopher Budd, global threat communications manager at security firm Trend Micro, told the Associated Press. Not all machines running Bash can be exploited. It’s not enough for Bash to be installed on your system; you have to be using it for a hacker to exploit the bug.
An Apple spokesman told the Web site iMore that OS X systems are safe unless the user configured advanced UNIX services, something only advanced users would know how to do. If your Mac is vulnerable, you only have to worry if you are on a public WiFi network, according to the Times.
According to cybersecurity reporter Brian Krebs, the flaw does not affect Microsoft Windows. But the Times said it can affect Android phones.
The flaw affects embedded devices and systems. That includes things like digital watches, MP3 players and traffic lights. “In some areas this will be a challenge to fix, as many embedded devices are not designed with regular updates in mind and will never be able to be patched,” Joe Hancock, a cybersecurity expert with insurer AEGIS in London said in a statement reported by Reuters.
The bug could be exploited to take control of a Web server and steal passwords, Joe Siegrist, CEO of LastPass, a service that stores and protects passwords, told the AP, though he said the threat of that happening is lower than with Heartbleed.
Shellshock is particularly dangerous because it’s “wormable,” a term that refers to self-replicating attacks that spread across devices and systems like a viral pandemic.
Power plants and water systems are less threatened if they have followed the advice of security experts and remain disconnected from the internet to avoid such risks, the AP reported.
“Who is at risk” is an open question, however. “Bash is embedded and accessed in so many ways that we cannot fully understand its depth of use,” wrote Securosis analyst and CEO Rich Mogull. “We cannot possibly understand all the ways an attacker could interact with Bash to exploit this vulnerability.”
There’s reportedly not much you can do about it, except check for software updates on the Web sites of companies that make your computer, router and other Internet-connected equipment. An open-source software company called Red Hat released a partial patch for Linux. Apple is currently working on a fix.
Google is also working on a fix, Reuters reported.
Five years after Bash was created by a programmer named Brian J. Fox, another programmer named Chet Ramey took over the job of maintaining the software in his free time, when he wasn’t working at his day job as a senior technology architect at Case Western Reserve University in Ohio, the Times reported.
Ramey told the Times he thinks he introduced the bug in a new Bash feature in 1992. After Chazelas, the security researcher who discovered it, contacted him on Sept. 12, they collaborated with other people who work with open-source security to create a patch within a few hours. They discreetly tipped off the major software makers so they could address the problem before hackers found out and exploited the bug.

Courtesy: Washington Post

Sunday, 24 August 2014

Microsoft pulls Patch Tuesday kernel update - MS14-045 can cause Blue Screen of Death

Microsoft has pulled one of its August 2014 Patch Tuesday updates.

MS14-045, which fixes various security holes in the Windows kernel, can cause a Blue Screen of Death (BSoD), thus forcing a reboot.

Apparently, the BSoD is caused by incorrect handling of the Windows font cache file - and because that happens during boot-up, you end up stuck in a reboot loop.

(Yes, MS14-045 requires a reboot after you've applied it.)

The euphemistically-named "bugcheck" number that you'll see if you are affected is: 0x50 PAGE_FAULT_IN_NONPAGED_AREA.
The reason this problem didn't show up in testing is that it only happens under rather specific circumstances:

You need to have one or more OpenType Font (OTF) files, installed in non-standard font directories, that are recorded in the registry with fully-qualified filenames.

A default Windows 8.1 install, for instance, includes only TTF (TrueType Font), TTC (TrueType font Collection) and FON (Windows bitmap FONt) files, recorded without pathnames:

Microsoft has published a workaround that will get you up and running again, but it involves a fair amount of fiddling.

You need to:

1. Boot from installation media or go into Recovery Mode.
2. Delete the crash-triggering file %WINDOWS%\system32\fntcache.dat.
3. Reboot normally, which should now succeed.
4. Save the registry key (see image above) that enumerates your fonts.
5. Remove from the registry all OTF font references with pathnames.
6. Delete %WINDOWS%\system32\fntcache.dat again. (It will have been rebuilt.)
7. Uninstall the MS14-045 update.
8. Restore the registry key that enumerates your fonts.
9. Reboot again.

The sort of font entry you need to remove from the registry, if you have any like it, is shown in an example on Microsoft's Knowledgebase page:

As well as MS14-045, three other Microsoft updates may provoke this problem, so any of the following updates should be removed, if you've installed them, in step 7 above:
  • 2982791 MS14-045: security update for kernel-mode drivers
  • 2970228 New currency symbol for RUB
  • 2975719 Aug 2014 rollup for RT 8.1, 8.1, Server 2012 R2
  • 2975331 Aug 2014 rollup for RT, 8, Windows Server 2012
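
For steps 4 and 5 of the workaround, the following added example (not from Microsoft or from the original post) parses a saved export of the font registry key, picks out the OTF entries recorded with pathnames, and goes one step further by building a .reg file that deletes only those values. The key path, the sample font entries and the function names are assumptions made for the illustration.

```python
import re

# Constructed sample of a regedit export of the font list (what step 4 saves).
# The key path and every font entry here are assumptions made for the example.
# Values in .reg files double their backslashes; a real export is normally
# UTF-16, so read it with open(path, encoding="utf-16").
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"Arial (TrueType)"="arial.ttf"
"Cambria & Cambria Math (TrueType)"="cambria.ttc"
"Example Sans (OpenType)"="C:\\Program Files\\ExampleApp\\Fonts\\ExampleSans.otf"
"Example Serif (OpenType)"="\\\\fileserver\\fonts\\ExampleSerif.OTF"
"Bundled OTF (OpenType)"="bundled.otf"
"Example Mono (TrueType)"="D:\\Fonts\\ExampleMono.ttf"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "name"="data" string values only; dword: and hex: values are ignored.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


def unescape(text):
    # Undo .reg escaping: a backslash followed by any character yields that character.
    return re.sub(r'\\(.)', r'\1', text)


def parse_export(text):
    """Return (key, [(name, data), ...]) from an export holding a single key."""
    key, values = None, []
    for line in text.splitlines():
        line = line.strip()
        match = KEY_RE.match(line)
        if match:
            key = match.group('key')
            continue
        match = VALUE_RE.match(line)
        if match:
            values.append((unescape(match.group('name')),
                           unescape(match.group('data'))))
    return key, values


def otf_with_pathname(values):
    """Entries that are OTF files and carry a directory component (step 5)."""
    return [(name, data) for name, data in values
            if data.lower().endswith('.otf') and ('\\' in data or '/' in data)]


def removal_reg(key, flagged):
    """Build a .reg file whose '"name"=-' lines delete only the flagged values."""
    lines = ['Windows Registry Editor Version 5.00', '', '[%s]' % key]
    for name, _ in flagged:
        escaped = name.replace('\\', '\\\\').replace('"', '\\"')
        lines.append('"%s"=-' % escaped)
    return '\r\n'.join(lines) + '\r\n'


if __name__ == '__main__':
    font_key, font_values = parse_export(SAMPLE_EXPORT)
    to_remove = otf_with_pathname(font_values)
    for font_name, font_file in to_remove:
        print('remove:', font_name, '->', font_file)
    print(removal_reg(font_key, to_remove))
```

Keep the original export untouched: it is the file that step 8 restores once the update has been uninstalled.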
Unfortunately, and understandably, Patch Tuesday aftershocks of this sort leave sysadmins wondering if they should approach future updates more cautiously.
We regularly urge you to "patch early, patch often," so let's hope Microsoft's patch for the broken patch goes smoothly, lest even those who weren't affected this time get cold feet next month.

Author - Hack4friends

Apple iOS malware breached into millions i-products and steals ad. clicks ~ Hack4friends


You don't see a lot of malware for iPhones or iPads.

One reason for that is Apple's strict control over what you're allowed to install on your own device.

So it's intriguing to see an iOS malware analysis in specialist threat research publication Virus Bulletin (VB).

The malware, which Sophos products detect as iPh/AdThief-A, was apparently created with the express purpose of conducting online ad fraud.



Who is at risk?

Fortunately, AdThief only affects jailbroken devices.

Jailbreaking is where you go out of your way to remove Apple's security controls (ironically, usually by exploiting a security vulnerability) in order to win the freedom to do what you like with your iPhone or iPad.

Interestingly, to write a proper anti-virus for iOS that could block malware preventatively, you'd need to intercept important system calls such as "visit this URL," "open that file" and "run this app".

But to do that, you'd need to jailbreak.

And by jailbreaking, you'd also open up the risk of malicious apps intercepting system calls for criminal purposes.

According to VB, that's exactly what AdThief does, waiting for you to click on someone else's ad with someone else's affiliate code, and then putting the crook's affiliate code in there instead.

Affiliate codes are those curious looking text strings you put into advertisement URLs on your own website, so that if someone clicks on them, you get a referral fee from the ad network.

If a crook can switch out your affiliate code for his own, he essentially steals revenue that should have been yours.

The money in mobile ads

With lots of mobile apps, especially games, supported by in-app ads, there's plenty of money to be made if your app becomes popular.

For example, Dong Nguyen, author of the erstwhile smash-hit game Flappy Bird, is said to have been pulling in up to $50,000 per day before he abruptly pulled the game from both the Apple App Store and the Google Play Store.

Nguyen's revenues, of course, were helped by the enormous reach and brand power of Apple and Google, with millions of genuine users downloading his game.

That turned it into a cult classic almost overnight, which in turn fuelled yet more downloads, and yet more ad revenue.

Is jailbreak malware even worth it?

There isn't much iOS malware around, and most of it is for jailbroken devices only.

So, is money-making crimeware for the iPhone or iPad even worth it for the crooks?



The only true virus ever seen in the wild for iOS was Ikee, which Rickrolled you rather than trying to make money illegally.

Even though the author admitted that he tried to kickstart his virus by deliberately infecting a bunch of devices, and even though it could spread automatically by infecting across the network, Ikee fizzled out very quickly.

There were very few infections reported and little harm done in the end.

But AdThief has allegedly already infected about 75,000 jailbroken devices.

Even if the malware is only able to squeeze one cent a day in ad revenue out of 10% of its victims, that nevertheless comes out at a very handy $30,000 per year.

It might not be Flappy Bird territory, but it's not an amount to be sneezed at, either.

What to do?

We'd offer you a free copy of Sophos Anti-Virus and Security for iOS if we could; sadly, Apple says, "No."

Instead, we recommend that:

-->If you are a user, avoid jailbreaking your iDevice.
-->If you are a sysadmin, avoid letting jailbroken phones onto your network.
By the way, if you have jailbroken your iDevice, please be understanding if your sysadmin then says, "No."


Courtesy: Naked Security

Sunday, 17 August 2014

Russian PM's Twitter account hacked by Hackers ~ Hack4friends

Russian Prime Minister Dmitry Medvedev's Twitter account was apparently hacked on Thursday and used to criticize the Russian government and President Vladimir Putin.

The first tweet, published on Medvedev's official Twitter account @MedvedevRussia, said -- via translation by The Interpreter -- that he was "resigning," and added that he was "ashamed of the actions of the [Russian] government." Not long after, Medvedev's account put out a series of tweets criticizing Putin and retweets from anti-Russia protesters, including praise of Yale attorney and activist Alexei Navalny, an influential anti-Putin activist.

The tweets were scrubbed from Medvedev's Russian account, which has more than 2.5 million followers, within an hour after they appeared. No tweets have since been published acknowledging that the account was hacked. Medvedev's English language account, @MedvedevRussiaE, does not appear to have been affected.

The Russian government has not commented on the supposed hack.

As prime minister, some see Medvedev as little more than another mouthpiece for Putin. In 2012, Putin appointed Medvedev, who previously served as president of Russia, as the prime minister and the official leader of the United Russia Party. Medvedev also acts as the international face for Russia at meetings with foreign governments.

It's not clear at this point how his account was hacked. Russia has increasingly become a focus for activist hackers as the government continues to tighten its control of the Internet. So far, no activist groups have taken credit for the hack.

Source: Business Insider

Sunday, 10 August 2014

Google preferring HTTPS over HTTP in google ranking (SEO) ~ Hack4friends

Google announced that websites using HTTPS, the secure version of HTTP, will have a better chance of ranking well in Google searches than those that don't.

In the vernacular, HTTPS is now a ranking signal for SEO (Search Engine Optimisation). It could be an inflection point for web security.

Security is a top priority ... over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We've seen positive results, so we're starting to use HTTPS as a ranking signal.

By making HTTPS something that impacts search results Google are applying the stick to an enormous security push that's been all carrots up to now.

Everywhere you look, from better SSL to the tricky business of end-to-end email security, Google are busy rolling out encryption or giving people ways to encrypt things.

Anyone who doubts the energy and seriousness that Google applies to this kind of thing or the effect that it can have need only wind the clock back five years.

In 2009, Google announced they wanted to make the web faster.

It wasn't a soundbite, a speech, a project or a campaign - it was a sea change.

Since then Google has created, amongst many other things, a fast public DNS service, a faster web protocol, tools to speed up websites, tools to make code smaller, an image format to make images download faster and a global content distribution network for commonly used code.

They even built their own web browser with a very fast JavaScript engine and spent millions and millions of dollars banging on about how fast it was.

Most importantly of all they made speed a ranking signal for SEO.

Making speed a ranking signal punished slowness. It's what made organisations care.

To understand why, you need to understand a little of how search engines work and how companies approach getting their websites noticed.

Google uses computer programs (referred to as spiders) to read the world's web pages and index them. The spiders try to determine the subject and quality of each page by measuring a multitude of different factors, known as signals.

The strength of the signals determines where those pages will rank when somebody types a search into the Google search engine.

Good signals means high rankings, more traffic and more revenue. Poor signals can put you out of business.

There are hundreds of signals but they aren't all equally important - some have far more impact than others. To prevent people from gaming their system Google is deliberately vague about how many signals it cares about, what they are and how much each one matters.

Thanks to a lot of research and some vague pronouncements from Google we have a pretty good idea of what some of the signals are and some idea of their weighting.

According to their blog, HTTPS will start off as a weak signal:

For now it's only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.

In reality, in my experience at least, even low strength signals get plenty of attention.

Because Google is cagey about what signals are worth, because organisations can't easily test and isolate their website's signals and because there is intense competition for good Google rankings those that care about SEO will generally act on any ranking factors that are well defined, regardless of how small their effect.

Companies like nothing better than lists with ticks next to them so if a ranking factor comes down to a simple yes or no choice it gets done.

Before Google made site speed a ranking factor I hardly ever had conversations with organisations about how fast their websites were. Now we always talk about it.

From now on they'll have something else to talk about - a simple binary choice: "Does our website use HTTPS?"

Increasingly the answer will be yes.

Source: compiled from online sources

Foursquare android app tracks your location by default everytime ~ Hack4friends

Foursquare, makers of the popular app that lets you "check in" wherever you go, unveiled a new version this week that the company hopes will make it the go-to service for local search.

In fact, Foursquare founder and CEO Dennis Crowley hopes the new Foursquare app will become indispensable, providing users with tips and recommendations - more like targeted ads - based on their location.

"To actually get an app to talk to you like a friend would talk to you. That's what we're going at here," Crowley tells Wired in an interview.

In order to make this vision become a reality, the Foursquare app tracks users' "background location" - using a combination of GPS, nearby Wi-Fi signals, and cell towers - even when the app is closed.

Gone is the old "check-in," which required you to tag yourself at a location (this formula has been shunted off to a separate app called Swarm).

Now the Foursquare app pushes out notifications based on where you are and what you like - if you've told the app you like vintage clothing, it will alert you to nearby thrift shops, for example.

Admittedly, this sounds kind of cool - an app that knows what you like and makes recommendations tailored to you and your location.

But there's a problem that should alarm anyone concerned about their privacy.

Giving up your location whenever your phone is on - even without the app running - is the default setting (versions of the app older than 8.0.0 required users to "opt in" to get this service).


If it makes you a little uncomfortable for Foursquare to track your every move, you have to "opt out" and disable the feature in the app's settings or in the privacy settings when you log into the Foursquare website.

How to opt out

When you download the Foursquare app or update to the new version, the app tells you that your phone's background location will be tracked, and points you to the settings to turn it off.

To opt out, open the app and go to Settings | Location Settings and un-tick the box next to Location Services.

This screen tells you that the feature will be turned off automatically if your battery is running low, but it somewhat obscures the fact that the feature is otherwise always on.

Foursquare uses your phone’s background location to help you find great places, even when your phone is in your pocket. When you arrive at a place with interesting tips, we'll send you a notification. Your location is never shared.

To disable background location from the Foursquare website, go to Settings | Privacy settings.

Un-tick the box that says:

Allow Foursquare to use my device's background location, even when the app is closed, including for features like sending you notifications with local recommendations or tips.

Now that's pretty easy. So why not let users opt in instead of opting out?

Based on Foursquare's business model of giving businesses a way to share recommendations and deals with users, it's probably a good assumption that the answer is "money talks, [user] walks."

As Crowley told the Wall Street Journal, the constant collection of data on users can reveal trends that can be useful to advertisers, who "might be really excited about getting their hands on that data."

Opting in means having options

You might be thinking, "What's the big deal? Users of Foursquare choose to tell everyone their location anyway."

True. But in previous versions of the app, it was the user who made the choice to broadcast their location, and only when they wanted to check in.

Now, Foursquare assumes you want to share that information with the app all the time, and without asking for your permission.

In the current climate of government surveillance, data mining, and social media oversharing, there's a growing resistance to invasions of privacy - even among people who don't hesitate to share what they're doing and feeling at every possible moment.

Even if you're comfortable giving away your privacy for convenience, it's more than a little naive to assume your personal data is well-protected and only being used in your best interests.

Look at the current crop of mobile messaging apps like WhatsApp and Viber - both were storing your messages in unencrypted form, until security researchers discovered that anyone could use Wi-Fi sniffers to intercept messages and see everything that users shared via the apps.

Then there's the 800 pound gorilla of social networks, Facebook, which is under fire from regulators and the subject of lawsuits from users for its aggressive data mining.

Facebook even copped to an experiment on non-consenting users.

If we don't expect the apps and websites we've come to rely on to give us control over how our data is used, one day we may wake up and have no choice at all.
