Sunday 28 September 2014

Shellshock bug could threaten millions as Compared to Heartbleed ~ Hack4friends


A programming flaw dubbed the “Bash Bug,” or more ominously “Shellshock,” is being described as potential threat to millions of computers, servers, medical devices, power plants and municipal water systems and even common objects such as refrigerators and cameras.
                                                              Image: just representation of shellshock                                    It is being compared to Heartbleed, a flaw in security software used by most of the Internet which allowed hackers to steal data such as passwords. Shellshock is similarly widespread and can be used to wreak more havoc. It allows hackers to take control of a vulnerable machine, steal data, shut down networks and cause other problems.
It was discovered Sep. 12 by Unix specialist Stéphane Chazelas and revealed on Wednesday.
According to Ars Technica, the bug is already being used to exploit Web servers. The initial fix for the bug was incomplete. Hours after news of the bug went public, security researchers detected evidence of hackers trying to exploit it.
The flaw affects a commonly used, free software system called Bash that has been around since 1989. According to the New York Times, it is built into 70 percent of machines that connect to the Internet.
Software-savvy people call it a “command shell.” It interprets instructions from users and programs so the computer knows what to do.
According to reports, it could affect your computer even if you’ve never heard of it. Bash is used in most Linux or Unix-based operating systems, including Apple’s Mac OS X, according to an alert from the Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT).
The National Institute of Standards and Technology rated Shellshock a 10 on a 10-point severity scale. Heartbleed was rated five. Both flaws were rated low in terms of complexity, which means they can be easily exploited.
Discovered last spring, Heartbleed was a flaw in security technology used by thousands of Web sites that exposed passwords and other personal data to hackers for two years before it was discovered.
Shellshock has existed for 22 years, the Times noted. It doesn’t just expose your password — hackers can exploit the flaw to hijack your computer. Heartbleed only affected servers, while Shellshock affects many Internet-connected devices.
However, Shellshock could be harder to exploit, Christopher Budd, global threat communications manager at security firm Trend Micro, told theAssociated Press. Not all machines running Bash can be exploited. It’s not enough for Bash to be installed on your system; you have to be using it for a hacker to exploit the bug.
An Apple spokesman told the Web site iMore OS X systems are safe unless the user configured advanced UNIX services, something only advanced users would know how to do. If your Mac is vulnerable, you only have to worry if you are on a public WiFi network, according to the Times.
According to cybersecurity reporter Brian Krebs, the flaw does not affect Microsoft Windows. But the Times said it can affect Android phones.
The flaw affects embedded devices and systems. That includes things like digital watches, MP3 players and traffic lights. “In some areas this will be a challenge to fix, as many embedded devices are not designed with regular updates in mind and will never be able to be patched,” Joe Hancock, a cybersecurity expert with insurer AEGIS in London said in a statement reported by Reuters.
The bug could be exploited to take control of a Web server and steal passwords, Joe Siegrist, CEO of LastPass, a service that stores and protects passwords, told the AP. Though he said the threat of that happening is lower than with Heartbleed.
Shellshock is particularly dangerous because its “wormable,” a term that refers to self-replicating attacks that spread across devices and systems like a viral pandemic.
Power plants and water systems are less threatened if they have followed the advice of security experts and remain disconnected from the internet to avoid such risks, the AP reported.
“Who is at risk” is an open question, however. “Bash is embedded and accessed in so many ways that we cannot fully understand its depth of use,”wrote Securosis analyst and CEO Rich Mogull. “We cannot possibly understand all the ways an attacker could interact with Bash to exploit this vulnerability.”
There’s reportedly not much you can do about it, except check for software updates on the Web sites of companies that make your computer, router and other Internet-connected equipment. An open-source software company called Red Hat released a partial patch for Linux. Apple iscurrently working on a fix.
Google is also working on a fix, Reuters reported.
Five years after Bash was created by a programmer named Brian J. Fox, another programmer named Chet Ramey took over the job of maintaining the software in his free time, when he wasn’t working at his day job as a senior technology architect at Case Western Reserve University in Ohio, the Times reported.
Ramey told the Times he thinks he introduced the bug in a new Bash feature in 1992. After Chazelas, the security researcher that discovered it, contacted him on Sept. 12, they collaborated with other people who work with open-source security to create a patch within a few hours. They discreetly tipped off the major software makers so they could address the problem before hackers found out and exploited the bug.

Courtsey:WashingtonPost

Sunday 24 August 2014

Microsoft pulls Patch Tuesday kernel update - MS14-045 can cause Blue Screen of Death

Microsoft has pulled one of its August 2014 Patch Tuesday updates.

MS14-045, which fixes various security holes in the Windows kernel, can cause a Blue Screen of Death (BSoD), thus forcing a reboot.

Apparently, the BSoD is caused by incorrect handling of the Windows font cache file - and because that happens during boot-up, you end up stuck in a reboot loop.

(Yes, MS14-045 requires a reboot after you've applied it.)

The euphemistically-named "bugcheck" number that you'll see if you are affected is: 0x50 PAGE_FAULT_IN_NONPAGED_AREA.
The reason this problem didn't show up in testing is because it only happens under rather specific circumstances,

You need to have one or more OpenType Font (OTF) files, installed in non-standard font directories, that are recorded in the registry with fully-qualified filenames.

A default Windows 8.1 install, for instance, includes only TTF (TrueType Font), TTC (TrueType font Collection) and FON (Windows bitmap FONt) files, recorded without pathnames:

Microsoft has published a workaround that will get you up and running again, but it involves a fair amount of fiddling.

You need to:

Boot from installation media or go into Recovery Mode.
Delete the crash-triggering file %WINDOWS%\system32\fntcache.dat.
Reboot normally, which should now succeed.
Save the registry key (see image above) that enumerates your fonts.
Remove from the registry all OTF font references with pathnames.
Delete %WINDOWS%\system32\fntcache.dat again. (It will have been rebuilt.)
Uninstall the MS14-045 update.
Restore the registry key that enumerates your fonts.
Reboot again.
The sort of font entry you need to remove from the registry, if you have any like it, is shown in an example on Microsoft's Knowledgebase page:

As well as MS14-045, three other Microsoft updates may provoke this problem, so any of the following updates should be removed, if you've installed them, in step 7 above:
  • 2982791 MS14-045: security update for kernel-mode drivers
  • 2970228 New currency symbol for RUB
  • 2975719 Aug 2014 rollup for RT 8.1, 8.1, Server 2012 R2
  • 2975331 Aug 2014 rollup for RT, 8, Windows Server 2012
Unfortunately, and understandably, Patch Tuesday aftershocks of this sortleave sysamdins wondering if they should approach future updates more cautiously.
We regularly urge you to "patch early, patch often," so let's hope Microsoft's patch for the broken patch goes smoothly, lest even those who weren't affected this time get cold feet next month.

Author - Hack4friends

Apple iOS malware breached into millions i-products and steals ad. clicks ~ Hack4friends


You don't see a lot of malware for iPhones or iPads.

One reason for that is Apple's strict control over what you're allowed to install on your own device.

So it's intriguing to see an iOS malware analysis in specialist threat research publication Virus Bulletin (VB).

The malware, which Sophos products detect as iPh/AdThief-A, was apparently created with the express purpose of conducting online ad fraud.



Who is at risk?

Fortunately, AdThief only affects jailbroken devices.

Jailbreaking is where you go out of your way to remove Apple's security controls (ironically, usually by exploiting a security vulnerability) in order to win the freedom to do what you like with your iPhone or iPad.

Interestingly, to write a proper anti-virus for iOS that could block malware preventatively, you'd need to intercept important system calls such as "visit this URL," "open that file" and "run this app".

But to do that, you'd need to jailbreak.

And by jailbreaking, you'd also open up the risk of malicious apps intercepting system calls for criminal purposes.

According to VB, that's exactly what AdThief does, waiting for you to click on someone else's ad with someone else's affiliate code, and then putting the crook's affiliate code in there instead.

Affiliate codes are those curious looking text strings you put into advertisement URLs on your own website, so that if someone clicks on them, you get a referral fee from the ad network.

If a crook can switch out your affiliate code for his own, he essentially steals revenue that should have been yours.

The money in mobile ads

With lots of mobile apps, especially games, supported by in-app ads, there's plenty of money to be made if your app becomes popular.

For example, Dong Ngyuen, author of the erstwhile smash-hit game Flappy Bird, is said to have been pulling in up to $50,000 per day before he abruptly pulled the game from both the Apple App Store and the Google Play Store.

Ngyuen's revenues, of course, were helped by the enormous reach and brand power of Apple and Google, with millions of genuine users downloading his game.

That turned it into a cult classic almost overnight, which in turn fuelled yet more downloads, and yet more ad revenue.

Is jailbreak malware even worth it?

There isn't much iOS malware around, and most of it is for jailbroken devices only.

So, is money-making crimeware for the iPhone or iPad even worth it for the crooks?



The only true virus ever seen in the wild for iOS was Ikee, which Rickrolled you rather than trying to make money illegally.

Even though the author admitted that he tried to kickstart his virus by deliberately infecting a bunch of devices, and even though it could spread automatically by infecting across the network, Ikee fizzled out very quickly.

There were very few infections reported and little harm done in the end.

But AdThief has allegedly already infected about 75,000 jailbroken devices.

Even if the malware is only able to squeeze one cent a day in ad revenue out of 10% of its victims, that nevertheless comes out at a very handy $30,000 per year.

It might not be Flappy Bird territory, but it's not an amount to be sneezed at, either.

What to do?

We'd offer you a free copy of Sophos Anti-Virus and Security for iOS if we could; sadly, Apple says, "No."

Instead, we recommend that:

-->If you are a user, avoid jailbreaking your iDevice.
-->If you are a sysadmin, avoid letting jailbroken phones onto your network.
By the way, if you have jailbroken your iDevice, please be understanding if your sysadmin then says, "No."


Courtsey-- Naked Security

Sunday 17 August 2014

Russian PM's Twitter account hacked by Hackers ~ Hack4friends

Russian Prime Minister Dmitry Medvedev's Twitter account was apparently hacked on Thursday and used to criticize the Russian government and President Vladimir Putin.

Russian PM - Dmitry Medvedev
The first tweet, published on Medvedev's official Twitter account @MedvedevRussia, said -- via translation by The Interpreter -- that he was "resigning," and added that he was "ashamed of the actions of the [Russian] government." Not long after, Medvedev's account put out a series of tweets criticizing Putin and retweets from anti-Russia protesters, including praise of Yale attorney and activist Alexei Navalny, an influential anti-Putin activist.

The tweets were scrubbed from Medvedev's Russian account, which has more than 2.5 million followers, within an hour after they appeared. No tweets have since been published acknowledging that the account was hacked. Medvedev's English language account, @MedvedevRussiaE, does not appear to have been affected.

The Russian government has not commented on the supposed hack.

As prime minister, some see Medvedev as little more than another mouthpiece for Putin. In 2012, Putin appointed Medvedev, who previously served as president of Russia, as the prime minister and the official leader of the United Russia Party. Medvedev also acts as the international face for Russia at meetings with foreign governments.

It's not clear at this point how his account was hacked. Russia has increasingly become a focus for activist hackers as the government continues to tighten its control of the Internet. So far, no activist groups have taken credit for the hack.

Source:BusinessInsider

Sunday 10 August 2014

Google preferring HTTPS over HTTP in google ranking (SEO) ~ Hack4friends

Google announced that websites using HTTPS, the secure version of HTTP, will have a better chance of ranking well in Google searches than those that don't.

In the vernacular, HTTPS is now a ranking signal for SEO (Search Engine Optimisation). It could be an inflection point for web security.

Security is a top priority ... over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We've seen positive results, so we're starting to use HTTPS as a ranking signal.

By making HTTPS something that impacts search results Google are applying the stick to an enormous security push that's been all carrots up to now.

Everywhere you look, from better SSL to the tricky business of end-to-end email security, Google are busy rolling out encryption or giving people ways to encrypt things.

Anyone who doubts the energy and seriousness that Google applies to this kind of thing or the effect that it can have need only wind the clock back five years.

In 2009, Google announced they wanted to make the web faster.

Google HTTPSIt wasn't a soundbite, a speech, a project or a campaign - it was a sea change.

Since then Google has created, amongst many other things, a fast public DNS service, a faster web protocol, tools to speed up websites, tools to make code smaller, an image format to make images download faster and a global content distribution network for commonly used code.

They even built their own web browser with a very fast javascript engine and spent millions and millions of dollars banging on about how fast it was.

Most importantly of all they made speed a ranking signal for SEO.

Making speed a ranking signal punished slowness. It's what made organisations care.

To understand why, you need to understand a little of how search engines work and how companies approach getting their websites noticed.

Google uses computer programs (referred to as spiders) to read the world's web pages and index them. The spiders try to determine the subject and quality of each page by measuring a multitude of different factors, known as signals.

The strength of the signals determines where those pages will rank when somebody types a search into the Google search engine.

Good signals means high rankings, more traffic and more revenue. Poor signals can put you out of business.

There are hundreds of signals but they aren't all equally important - some have far more impact than others. To prevent people from gaming their system Google is deliberately vague about how many signals it cares about, what they are and how much each one matters.

Thanks to a lot of research and some vague pronouncements from Google we have a pretty good idea of what some of the signals are and some idea of their weighting.

According to their blog, HTTPS will start off as a weak signal:

For now it's only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.

In reality, in my experience at least, even low strength signals get plenty of attention.

Because Google is cagey about what signals are worth, because organisations can't easily test and isolate their website's signals and because there is intense competition for good Google rankings those that care about SEO will generally act on any ranking factors that are well defined, regardless of how small their effect.

Companies like nothing better than lists with ticks next to them so if a ranking factor comes down to a simple yes or no choice it gets done.

Before Google made site speed a ranking factor I hardly ever had conversations with organisations about how fast their websites were. Now we always talk about it.

From now on they'll have something else to talk about - a simple binary choice: "Does our website use HTTPS?"

Increasingly the answer will be yes.

Source: compiled from online sources

Foursquare android app tracks your location by default everytime ~ Hack4friends

Foursquare, makers of the popular app that lets you "check in" wherever you go, unveiled a new version this week that the company hopes will make it the go-to service for local search.

In fact, Foursquare founder and CEO Dennis Crowley hopes the new Foursquare app will become indispensable, providing users with tips and recommendations - more like targeted ads - based on their location.

"To actually get an app to talk to you like a friend would talk to you. That's what we're going at here," Crowley tells Wired in an interview.

In order to make this vision become a reality, the Foursquare app tracks users' "background location" - using a combination of GPS, nearby Wi-Fi signals, and cell towers - even when the app is closed.

Gone is the old "check-in," which required you to tag yourself at a location (this formula has been shunted off to a separate app called Swarm).

Now the Foursquare app pushes out notifications based on where you are and what you like - if you've told the app you like vintage clothing, it will alert you to nearby thrift shops, for example.

Admittedly, this sounds kind of cool - an app that knows what you like and makes recommendations tailored to you and your location.

But there's a problem that should alarm anyone concerned about their privacy.

Giving up your location whenever your phone is on - even without the app running - is the default setting (versions of the app older than 8.0.0 required users to "opt in" to get this service).


If it makes you a little uncomfortable for Foursquare to track your every move, you have to "opt out" and disable the feature in the app's settings or in the privacy settings when you log into the Foursquare website.

Foursquare location settingsHow to opt out

When you download the Foursquare app or update to the new version, the app tells you that your phone's background location will be tracked, and points you to the settings to turn it off.

To opt out, open the app and go to  Settings | Location Settings and un-tick the box next to Location Services.

This screen tells you that the feature will be turned off automatically if your battery is running low, but it somewhat obscures the fact that the feature is otherwise always on.

Foursquare uses your phone’s background location to help you find great places, even when your phone is in your pocket. When you arrive at a place with interesting tips, we'll send you a notification. Your location is never shared.

To disable background location from the Foursquare website, go to Settings | Privacy settings.

Un-tick the box that says:

Allow Foursquare to use my device's background location, even when the app is closed, including for features like sending you notifications with local recommendations or tips.

Now that's pretty easy. So why not let users opt in instead of opting out?

Based on Foursquare's business model of giving businesses a way to share recommendations and deals with users, it's probably a good assumption that the answer is "money talks, [user] walks."

As Crowley told the Wall Street Journal, the constant collection of data on users can reveal trends that can be useful to advertisers, who "might be really excited about getting their hands on that data."

Opting in means having options

You might be thinking, "What's the big deal? Users of Foursquare choose to tell everyone their location anyway."

True. But in previous versions of the app, it was the user who made the choice to broadcast their location, and only when they wanted to check in.

Now, Foursquare assumes you want to share that information with the app all the time, and without asking for your permission.

In the current climate of government surveillance, data mining, and social media oversharing, there's a growing resistance to invasions of privacy - even among people who don't hesitate to share what they're doing and feeling at every possible moment.

Even if you're comfortable giving away your privacy for convenience, it's more than a little naive to assume your personal data is well-protected and only being used in your best interests.

Look at the current crop of mobile messaging apps like WhatsApp and Viber - both were storing your messages in unencrypted form, until security researchers discovered that anyone could use Wi-Fi sniffers to intercept messages and see everything that users shared via the apps.

Then there's the 800 pound gorilla of social networks, Facebook, which is under fire from regulators and the subject of lawsuits from users for its aggressive data mining.

Facebook even copped to an experiment on non-consenting users.

If we don't expect the apps and websites we've come to rely on to give us control over how our data is used, one day we may wake up and have no choice at all.

Thursday 7 August 2014

Website hacking using manual SQL injection explained by TheRootCoder [Video Tutorial]

Hello guys today i m posting some good stuff after a long time .. this tutorial is made by our friends TheRootCoder so all credits goes to him...

Last Updated : 07/08/2014

Just watch this video tutorial............ and it is Self-Explanatory so i think no need to write long text still if you face any problem then comment below i will resolve your problem..

Caution: This tutorial(video) is only for educational purposes so don't misuse it because it is illegal to penetrate into others system without their permission .And you are also bounded with your state/country's cyber laws.


Direct link to youtube videos  Click Here and also subscribe our channel.

Monday 21 July 2014

A complete guide to start programming with any language by Harpreet Sandhu ~ CodingBaba [Partner Blog]

Are you new to programming ?... And don't know how top start it ?... which language should be used at beginning time ..? 





Just Read this Article.... Click Here..

This article is of our partner blog ~~ CodingBaba

Saturday 7 June 2014

CHINA charges Microsoft windows 8 for backdoor-spying

Microsoft and China are at odds over the issue of cyberspying, with Windows 8 caught in the crossfire.

State-run broadcaster China Central Television lashed out Wednesday at the latest version of Windows and charged that it's capable of collecting a huge amount of data on Chinese society. In a transcript of the CCTV interview published by the Wall Street Journal, an academic shared his opinion on the type of data that Microsoft can allegedly collect through its OS.

"It's very easy for providers of operating systems to obtain various types of sensitive user information," Ni Guangnan, an academician at the Chinese Academy of Engineering, told the interviewer. "They can find out your identity, your account information, your contact list, your mobile phone number. With all that data together, using big data analysis, a party can understand the conditions and activities of our national economy and society."

Adding fuel to the fire, Guangnan pointed to the classified documents leaked by former National Security Agency contractor Edward Snowden as proof that Microsoft has worked with the US government to obtain encrypted data over the Internet.

In response, Microsoft used its own Weibo account to refute the charges and deny all allegations of backdoor spying in collaboration with the US government. As translated in a story by Neowin, Microsoft's denials break down into five points. According to Neowin, Microsoft said it has:


  • Never "assisted any government in an attack of another government or clients."
  • Never "provided any government the authority to directly visit...products or services."
  • Never provided a "backdoor" to products or services.
  • Never provided client data or information to the US government or the NSA.
  • Never "concealed any requests from any government for information about its clients."

Microsoft's war of words with China is part of a larger skirmish between the US and Chinese governments. Charges of cyberspying between the two countries is nothing new. But since the revelations of NSA spying activities were leaked last year, China has used the opportunity to accuse such companies as Microsoft, Google, and Apple of cooperating with the NSA to gather data and steal state secrets. Tech companies have acknowledged that they are required to share certain customer data at the request of the government but have denied that they collaborate with the government or build backdoors into their products and services to allow data to be siphoned.

Such charges can damage a company's reputation and bottom line. In the case of Microsoft, China last month announced a ban on Windows 8 for government computers. At the time, China's state-run Xinhua news agency said simply that the ban was designed to improve security. However, China likely has another motive for wanting to put the kibosh on Windows 8 beyond security fears.

Microsoft has long accused China of widespread piracy of Windows. In 2011, former CEO Steve Ballmer told employees that Microsoft's revenue in China represented only 5 percent of sales in the US although the two markets were about the same size, according to the Journal. As such, a significant number of the PCs in China still running the now-unsupported Windows XP may be using illegal copies.

Microsoft wants to implement a server-based licensing system in China as one way to fight software piracy, the Journal added. And since the software giant no longer sells or supports Windows XP, Chinese consumers would be forced to upgrade to a more modern operating system, such as Windows 8.

Thursday 29 May 2014

Bing servers more worst search engine services than Google

An independent testing lab in Germany has found that search engines are not 100 per cent effective at removing malicious sites from results — and Microsoft's Bing is much less effective than Google.

Although most search engines have measures in place to protect users against trojans, malicious sites still manage to crop up from time to time — even in the top search results. An independent testing lab in Germany by the name of AV-Test has just completed an 18-month survey (PDF) to find out which search engines are the worst offenders.

The lab tested 40 million websites across seven search engines — Google and Bing, the world's two most popular search engines; Yandex, Russia's biggest search engine; Blekko; peer-to-peer search engine Faroo; Teoma, better known as Ask.com; and Chinese search engine Baidu — and found only a very small number of malicious results returned: about 5000, or around 0.000125 per cent.

Google and Bing were both tested with around 10 million websites, and were the best at weeding out malware. However, it should be noted that there was quite a gap between the two: Bing turned up 1285 malicious sites to Google's 272.

AV-Test also cautioned that malware developers are getting sneaky, using search engine optimisation (SEO) to slip malicious websites into the top search results, since users tend to trust top results more.

Generally speaking, your chances of catching a trojan from a search engine are very low, but it never hurts to be prepared. Make sure your computer's operating system, your browser and your anti-virus software are up to date, and, if you're really worried, use AVG's Linkscanner to check URLs before you visit them.

Source : cnet news

Team Hack4friends,

Tuesday 25 February 2014

MTGOX world's largest bitcoin trading website turned OFFLINE ~ Hack4friends

MTGOX world's largest bitcoin trading website turned OFFLINE ~ Hack4friends


As we all know in recent days the virtual currency-Bitcoins gained much popularity among all countries's people. And its exchange value to US Dollars raised to 1200$. But now its going to smashed because its exchange values is also decreasing day by day and today its value downed to 425.304$(Biggest fall).




MTGOX got much popularity in few months and ranked as No. 1 online bitcoin trading website.But now website is disappeared from internet and a blank page is left on their website. People from all countries have invested so millions of Dollars($) for online trading with Bitcoins but MTGOX disappeared with all money.
Mark Karpeles, CEO of the pioneering but troubled Bitcoin exchange MtGox, has resigned his seat on the board of the Bitcoin Foundation, the organization that standardizes and promotes the cryptocurrency.

MtGox, which handled the bulk of Bitcoin transactions until fraudulent hacking forced it to freeze withdrawals earlier this month, has had serious liquidity problems since last year. Though others were subsequently hit too, Bitcoin Foundation chief scientist Gavin Andresen blamed the exchange rather than the core protocol for the episode, and MtGox’s systems have struggled to recover.
                                   
                              
                                           All tweets are deleted by MTGOX

The Tokyo-based company has repeatedly promised a fix but failed to deliver. Its most recent communication was on Thursday, claiming that “security problems” had forced it to relocate, slowing down its progress in fixing its records after the attack. It’s not clear whether this is a reference to the couple of angry bitcoiners who were camped outside the MtGox offices, demanding their money.

In a statement on Sunday, the Bitcoin Foundation said it was “grateful for [MtGox's] early and valuable contributions as a founding member in launching the Bitcoin Foundation.” A request for comment from MtGox itself had gone unanswered at the time of writing, though as many have noted the company has deleted its entire tweet history, so take from that what you will.

We also contacted to MTGOX via their old email addresses but till now we have not got any response from their side about it all.

Team Hack4Friends,
@E-Hackers

Friday 14 February 2014

Biggest DDos attack of the world with 400Gbps ~ Hack4Friends

Biggest DDos attack of the world with 400Gbps ~ Hack4Friends

A massive distributed-denial-of-service attack Monday reached more than 400Gbps at its peak, about 33 percent greater than last year's Spamhaus attack, the previous DDoS record-holder.
The attack was apparently directed at one of the customers of content delivery network and security provider CloudFlare, which first reported the attack. The company said it appeared that attackers leveraged a flaw in the Network Time Protocol (NTP), a network protocol used to synchronize computer clock times.


"Very big NTP reflection attack hitting us right now. Appears to be bigger than the #Spamhaus attack from last year. Mitigating," Cloudflare CEO Matthew Price said in a tweet. "Someone's got a big, new cannon. Start of ugly things to come," he wrote in a follow-up tweet.
Price did not identify the customer targeted by the attack but did say it was directed at servers in Europe, adding that "these NTP reflection attacks are getting really nasty."
The frequency of NTP reflection attacks has grown in recent months. After an NTP attack was used to take down game servers hosting EA's Origin service, Blizzard's Battle.net, and League of Legends, among others, US-CERT issued an alert warning companies of the attack technique's growing popularity.
The basic attack technique consists of attackers querying vulnerable NTP servers for traffic counts using the victim's spoofed address.
"Due to the spoofed source address, when the NTP server sends the response it is sent instead to the victim," CERT warned. "Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim."

"Because the responses are legitimate data coming from valid servers, it is especially difficult to block these types of attacks," US-CERT said in its January advisory, which included suggestions on how administrators could mitigate vulnerability.
The technique's popularity has grown since the emergence of toolkits such as DNS Flooder v1.1, according to security vendor Prolexic, which said Tuesday it has observed the attack used on several clients during the past six months, sometimes with amplification factors of 50 times the originating bandwidth.
"This toolkit uses a unique method where attackers assign DNS servers with arbitrary names and utilize them as reflectors," according to Prolexic's report. "This new technique allows malicious actors to purchase, set up, and use their own DNS servers to launch reflection attacks, without the need to find open and vulnerable DNS servers on the Internet."
Monday's DDoS surpassed the attack last March that peaked with a 300Gbps torrent of traffic flooding spam fighter Spamhaus, CloudFlare, and key Internet switching stations in Amsterdam, Frankfurt, and London. That onslaught resulted, according to some reports, service slowdowns across the Internet.

Team Hack4Friends,
E-hackers

Flappy Bird fakes are hatching Android malware ~ Hack4friends

Flappy Bird fakes are hatching Android malware ~ Hack4friends

Flappy Bird's takedown by its creator has given malware creators a new outlet to exploit unsuspecting users.
According to security firm Sophos, it has discovered several applications claiming to be Flappy Bird in third-party Android app marketplaces. The trouble, however, is that the games in some cases contain malware and in others force users to send a text message to a given number, effectively giving the malware creators all they need to potentially exploit users.


Another security firm, Trend Micro, also chimed in on the issue, saying that it has discovered "a bunch of fake Android Flappy Bird apps spreading online." Every one of those it has discovered so far are "apps that send messages to premium numbers, thus causing unwanted changes to victims' phone billing statements."
Flappy Bird has become a hot-button issue in the mobile world after the game soared to popularity and was subsequently taken down by its creator, Dong Nguyen. That was the opening malware creators needed, the security firms say, to take advantage of users who didn't have a chance to try out the game and want to see what all the hype is about.
Both Trend Micro and Sophos said that users shouldn't attempt to download anything calling itself Flappy Bird, since the original version is "dead." They also warned users to "be wary of apps from alternative markets."

Team hack4friends,
E-hackers

Snapchat hack spams users with smoothie photos ~ Hack4Friends

Snapchat hack spams users with smoothie photos ~ Hack4Friends

Snapchat is combating yet another security issue, and it's a juicy one.
In a story posted late Tuesday, Wired editor Joe Brown said his Snapchat friends were asking why he was sending them messages with photos of fruit smoothies. That was a surprise to Brown because he hadn't sent any such messages. Other Snapchatters have since complained about receiving these same messages, according to a Twitter search.
The messages serve up a URL for a company called Snapfroot, which then redirects the recipient to an AllRecipes.com page for a "Berry Delicious" smoothie. The spam outbreak so far seems innocuous, albeit annoying, but it does point to yet another vulnerability for the photo-sharing site.

Snapchat


Snapchat told Brown that these messages have been bouncing around the past couple of days.
"It's mostly cases where someone has your e-mail address and password and gets in on the first try," an anonymous Snapchat spokesperson told Wired. "We're not seeing any evidence of brute-force tactics."
Snapchat is trying to plug the leak. In the meantime, site users may want to change their passwords. The spokesperson also advised people to stay away from third-party apps that ask for your Snapchat username and password.
"Yesterday a small number of our users experienced a spam incident where unwanted photos were sent from their accounts," a Snapchat representative told Reuters. "Our security team deployed additional measures to secure accounts. We recommend using unique and strong passwords to prevent abuse."

Team Hack4friends,
E-hackers

Saturday 8 February 2014

Adobe issues emergency Update for flash (Windows & MAC)

Adobe issues emergency Update for flash (Windows & MAC)

Adobe is recommending that users update their Flash Players immediately -- especially those who frequent Google Chrome and Internet Explorer. The company released an emergency security bulletin on Tuesday that addresses vulnerabilities in Flash, which could be exploited by hackers.


hack4friends, flash player

"This vulnerability could allow an attacker to remotely take control of the affected system," Adobe wrote in a blog post. "Adobe is aware of reports that an exploit for this vulnerability exists in the wild, and recommends users apply the updates referenced in the security bulletin."
Adobe assigned a Priority 1 rating to the vulnerabilities being exploited on Windows and Macintosh and advised users of both operating systems to install the update. That rating -- Adobe's highest threat level -- identifies "vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild." The bulletin also said that the Flash vulnerability faced by Linux users rated a Priority 3, which refers to "a product that has historically not been a target for attackers."
Adobe recommends users update to the latest versions:
Users of Adobe Flash Player 12.0.0.43 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 12.0.0.44.
Users of Adobe Flash Player 11.2.202.335 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.336.
Adobe Flash Player 12.0.0.41 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 12.0.0.44 for Windows, Macintosh and Linux.
Adobe Flash Player 12.0.0.38 installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 12.0.0.44 for Windows 8.0.
Adobe Flash Player 12.0.0.38 installed with Internet Explorer 11 will automatically be updated to the latest Internet Explorer 11 version, which will include Adobe Flash Player 12.0.0.44 for Windows 8.1.

You can update your flash player from here Officially 

Team hack4friends,
E-hackers

Thursday 9 January 2014

France Govt. fined Google,Over data privacy

France's privacy regulatory organization served up a fine and a dose of embarrassment to Google on Wednesday.
As expected, the national committee on information and liberty (CNIL) served up a 150,000 euros fine (approximately $200,000). The amount won't mean much to Google financially. But in addition to the fine, the group demanded that Google post a warning on its French home page, Google.fr.

The warning must state that the company's unified privacy policy from March 1, 2012 does not comply with French law.
CNIL justified its demand that Google post the warning because of "the extent of Google's data collection, as well as by the necessity to inform the persons concerned who are not in a capacity to exercise their rights."
CNIL's Sanctions Committee said that while it did not have a problem with Google's intent to streamline its privacy policies into one, it found that the new policy had violated several provisions of the French Data Protection Act.
Google was found at fault for not sufficiently protecting its customers' personal data in four instances:
The company does not sufficiently inform its users of the conditions in which their personal data are processed, nor of the purposes of this processing. They may therefore neither understand the purposes for which their data are collected, which are not specific as the law requires, nor the ambit of the data collected through the different services concerned. Consequently, they are not able to exercise their rights, in particular their right of access, objection or deletion.
The company does not comply with its obligation to obtain user consent prior to the storage of cookies on their terminals.
It fails to define retention periods applicable to the data which it processes.
Finally, it permits itself to combine all the data it collects about its users across all of its services without any legal basis.
CNIL's announcement also noted that data protection regulatory groups in Spain and the Netherlands came to similar conclusions in November and December of last year.
Google took a noncommittal stance in its response to CNIL's demands. "We've engaged fully with the CNIL throughout this process to explain our privacy policy and how it allows us to create simpler, more effective services. We'll be reading their report closely to determine next steps," said a Google spokesperson.

Team Hack4friends

*****************************Thanks for Your kind Visit****************************

Receive All Free Updates Via Facebook.