Microsoft pulls Patch Tuesday kernel update - MS14-045 can cause Blue Screen of Death

Microsoft has pulled one of its August 2014 Patch Tuesday updates.

MS14-045, which fixes various security holes in the Windows kernel, can cause a Blue Screen of Death (BSoD), thus forcing a reboot.

Apparently, the BSoD is caused by incorrect handling of the Windows font cache file - and because that happens during boot-up, you end up stuck in a reboot loop.

(Yes, MS14-045 requires a reboot after you've applied it.)

The euphemistically-named "bugcheck" number that you'll see if you are affected is: 0x50 PAGE_FAULT_IN_NONPAGED_AREA.
The reason this problem didn't show up in testing is because it only happens under rather specific circumstances,

You need to have one or more OpenType Font (OTF) files, installed in non-standard font directories, that are recorded in the registry with fully-qualified filenames.

A default Windows 8.1 install, for instance, includes only TTF (TrueType Font), TTC (TrueType font Collection) and FON (Windows bitmap FONt) files, recorded without pathnames:

Microsoft has published a workaround that will get you up and running again, but it involves a fair amount of fiddling.

You need to:

Boot from installation media or go into Recovery Mode.
Delete the crash-triggering file %WINDOWS%\system32\fntcache.dat.
Reboot normally, which should now succeed.
Save the registry key (see image above) that enumerates your fonts.
Remove from the registry all OTF font references with pathnames.
Delete %WINDOWS%\system32\fntcache.dat again. (It will have been rebuilt.)
Uninstall the MS14-045 update.
Restore the registry key that enumerates your fonts.
Reboot again.
The sort of font entry you need to remove from the registry, if you have any like it, is shown in an example on Microsoft's Knowledgebase page:

As well as MS14-045, three other Microsoft updates may provoke this problem, so any of the following updates should be removed, if you've installed them, in step 7 above:

• 2982791 MS14-045: security update for kernel-mode drivers
• 2970228 New currency symbol for RUB
• 2975719 Aug 2014 rollup for RT 8.1, 8.1, Server 2012 R2
• 2975331 Aug 2014 rollup for RT, 8, Windows Server 2012

Unfortunately, and understandably, Patch Tuesday aftershocks of this sortleave sysamdins wondering if they should approach future updates more cautiously.

We regularly urge you to "patch early, patch often," so let's hope Microsoft's patch for the broken patch goes smoothly, lest even those who weren't affected this time get cold feet next month.

Author - Hack4friends

Read More

Apple iOS malware breached into millions i-products and steals ad. clicks ~ Hack4friends

You don't see a lot of malware for iPhones or iPads.

One reason for that is Apple's strict control over what you're allowed to install on your own device.

So it's intriguing to see an iOS malware analysis in specialist threat research publication Virus Bulletin (VB).

The malware, which Sophos products detect as iPh/AdThief-A, was apparently created with the express purpose of conducting online ad fraud.



Who is at risk?

Fortunately, AdThief only affects jailbroken devices.

Jailbreaking is where you go out of your way to remove Apple's security controls (ironically, usually by exploiting a security vulnerability) in order to win the freedom to do what you like with your iPhone or iPad.

Interestingly, to write a proper anti-virus for iOS that could block malware preventatively, you'd need to intercept important system calls such as "visit this URL," "open that file" and "run this app".

But to do that, you'd need to jailbreak.

And by jailbreaking, you'd also open up the risk of malicious apps intercepting system calls for criminal purposes.

According to VB, that's exactly what AdThief does, waiting for you to click on someone else's ad with someone else's affiliate code, and then putting the crook's affiliate code in there instead.

Affiliate codes are those curious looking text strings you put into advertisement URLs on your own website, so that if someone clicks on them, you get a referral fee from the ad network.

If a crook can switch out your affiliate code for his own, he essentially steals revenue that should have been yours.

The money in mobile ads

With lots of mobile apps, especially games, supported by in-app ads, there's plenty of money to be made if your app becomes popular.

For example, Dong Ngyuen, author of the erstwhile smash-hit game Flappy Bird, is said to have been pulling in up to $50,000 per day before he abruptly pulled the game from both the Apple App Store and the Google Play Store.

Ngyuen's revenues, of course, were helped by the enormous reach and brand power of Apple and Google, with millions of genuine users downloading his game.

That turned it into a cult classic almost overnight, which in turn fuelled yet more downloads, and yet more ad revenue.

Is jailbreak malware even worth it?

There isn't much iOS malware around, and most of it is for jailbroken devices only.

So, is money-making crimeware for the iPhone or iPad even worth it for the crooks?



The only true virus ever seen in the wild for iOS was Ikee, which Rickrolled you rather than trying to make money illegally.

Even though the author admitted that he tried to kickstart his virus by deliberately infecting a bunch of devices, and even though it could spread automatically by infecting across the network, Ikee fizzled out very quickly.

There were very few infections reported and little harm done in the end.

But AdThief has allegedly already infected about 75,000 jailbroken devices.

Even if the malware is only able to squeeze one cent a day in ad revenue out of 10% of its victims, that nevertheless comes out at a very handy $30,000 per year.

It might not be Flappy Bird territory, but it's not an amount to be sneezed at, either.

What to do?

We'd offer you a free copy of Sophos Anti-Virus and Security for iOS if we could; sadly, Apple says, "No."

Instead, we recommend that:

-->If you are a user, avoid jailbreaking your iDevice.
-->If you are a sysadmin, avoid letting jailbroken phones onto your network.
By the way, if you have jailbroken your iDevice, please be understanding if your sysadmin then says, "No."


Courtsey-- Naked Security

Read More

Russian PM's Twitter account hacked by Hackers ~ Hack4friends

Russian Prime Minister Dmitry Medvedev's Twitter account was apparently hacked on Thursday and used to criticize the Russian government and President Vladimir Putin.

Russian PM - Dmitry Medvedev

The first tweet, published on Medvedev's official Twitter account @MedvedevRussia, said -- via translation by The Interpreter -- that he was "resigning," and added that he was "ashamed of the actions of the [Russian] government." Not long after, Medvedev's account put out a series of tweets criticizing Putin and retweets from anti-Russia protesters, including praise of Yale attorney and activist Alexei Navalny, an influential anti-Putin activist.

The tweets were scrubbed from Medvedev's Russian account, which has more than 2.5 million followers, within an hour after they appeared. No tweets have since been published acknowledging that the account was hacked. Medvedev's English language account, @MedvedevRussiaE, does not appear to have been affected.

The Russian government has not commented on the supposed hack.

As prime minister, some see Medvedev as little more than another mouthpiece for Putin. In 2012, Putin appointed Medvedev, who previously served as president of Russia, as the prime minister and the official leader of the United Russia Party. Medvedev also acts as the international face for Russia at meetings with foreign governments.

It's not clear at this point how his account was hacked. Russia has increasingly become a focus for activist hackers as the government continues to tighten its control of the Internet. So far, no activist groups have taken credit for the hack.

Source:BusinessInsider

Read More

Google preferring HTTPS over HTTP in google ranking (SEO) ~ Hack4friends

Google announced that websites using HTTPS, the secure version of HTTP, will have a better chance of ranking well in Google searches than those that don't.

In the vernacular, HTTPS is now a ranking signal for SEO (Search Engine Optimisation). It could be an inflection point for web security.

Security is a top priority ... over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We've seen positive results, so we're starting to use HTTPS as a ranking signal.

By making HTTPS something that impacts search results Google are applying the stick to an enormous security push that's been all carrots up to now.

Everywhere you look, from better SSL to the tricky business of end-to-end email security, Google are busy rolling out encryption or giving people ways to encrypt things.

Anyone who doubts the energy and seriousness that Google applies to this kind of thing or the effect that it can have need only wind the clock back five years.

In 2009, Google announced they wanted to make the web faster.

Google HTTPSIt wasn't a soundbite, a speech, a project or a campaign - it was a sea change.

Since then Google has created, amongst many other things, a fast public DNS service, a faster web protocol, tools to speed up websites, tools to make code smaller, an image format to make images download faster and a global content distribution network for commonly used code.

They even built their own web browser with a very fast javascript engine and spent millions and millions of dollars banging on about how fast it was.

Most importantly of all they made speed a ranking signal for SEO.

Making speed a ranking signal punished slowness. It's what made organisations care.

To understand why, you need to understand a little of how search engines work and how companies approach getting their websites noticed.

Google uses computer programs (referred to as spiders) to read the world's web pages and index them. The spiders try to determine the subject and quality of each page by measuring a multitude of different factors, known as signals.

The strength of the signals determines where those pages will rank when somebody types a search into the Google search engine.

Good signals means high rankings, more traffic and more revenue. Poor signals can put you out of business.

There are hundreds of signals but they aren't all equally important - some have far more impact than others. To prevent people from gaming their system Google is deliberately vague about how many signals it cares about, what they are and how much each one matters.

Thanks to a lot of research and some vague pronouncements from Google we have a pretty good idea of what some of the signals are and some idea of their weighting.

According to their blog, HTTPS will start off as a weak signal:

For now it's only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.

In reality, in my experience at least, even low strength signals get plenty of attention.

Because Google is cagey about what signals are worth, because organisations can't easily test and isolate their website's signals and because there is intense competition for good Google rankings those that care about SEO will generally act on any ranking factors that are well defined, regardless of how small their effect.

Companies like nothing better than lists with ticks next to them so if a ranking factor comes down to a simple yes or no choice it gets done.

Before Google made site speed a ranking factor I hardly ever had conversations with organisations about how fast their websites were. Now we always talk about it.

From now on they'll have something else to talk about - a simple binary choice: "Does our website use HTTPS?"

Increasingly the answer will be yes.

Source: compiled from online sources

Read More

Foursquare android app tracks your location by default everytime ~ Hack4friends

Foursquare, makers of the popular app that lets you "check in" wherever you go, unveiled a new version this week that the company hopes will make it the go-to service for local search.

In fact, Foursquare founder and CEO Dennis Crowley hopes the new Foursquare app will become indispensable, providing users with tips and recommendations - more like targeted ads - based on their location.

"To actually get an app to talk to you like a friend would talk to you. That's what we're going at here," Crowley tells Wired in an interview.

In order to make this vision become a reality, the Foursquare app tracks users' "background location" - using a combination of GPS, nearby Wi-Fi signals, and cell towers - even when the app is closed.

Gone is the old "check-in," which required you to tag yourself at a location (this formula has been shunted off to a separate app called Swarm).

Now the Foursquare app pushes out notifications based on where you are and what you like - if you've told the app you like vintage clothing, it will alert you to nearby thrift shops, for example.

Admittedly, this sounds kind of cool - an app that knows what you like and makes recommendations tailored to you and your location.

But there's a problem that should alarm anyone concerned about their privacy.

Giving up your location whenever your phone is on - even without the app running - is the default setting (versions of the app older than 8.0.0 required users to "opt in" to get this service).

If it makes you a little uncomfortable for Foursquare to track your every move, you have to "opt out" and disable the feature in the app's settings or in the privacy settings when you log into the Foursquare website.

Foursquare location settingsHow to opt out

When you download the Foursquare app or update to the new version, the app tells you that your phone's background location will be tracked, and points you to the settings to turn it off.

To opt out, open the app and go to  Settings | Location Settings and un-tick the box next to Location Services.

This screen tells you that the feature will be turned off automatically if your battery is running low, but it somewhat obscures the fact that the feature is otherwise always on.

Foursquare uses your phone’s background location to help you find great places, even when your phone is in your pocket. When you arrive at a place with interesting tips, we'll send you a notification. Your location is never shared.

To disable background location from the Foursquare website, go to Settings | Privacy settings.

Un-tick the box that says:

Allow Foursquare to use my device's background location, even when the app is closed, including for features like sending you notifications with local recommendations or tips.

Now that's pretty easy. So why not let users opt in instead of opting out?

Based on Foursquare's business model of giving businesses a way to share recommendations and deals with users, it's probably a good assumption that the answer is "money talks, [user] walks."

As Crowley told the Wall Street Journal, the constant collection of data on users can reveal trends that can be useful to advertisers, who "might be really excited about getting their hands on that data."

Opting in means having options

You might be thinking, "What's the big deal? Users of Foursquare choose to tell everyone their location anyway."

True. But in previous versions of the app, it was the user who made the choice to broadcast their location, and only when they wanted to check in.

Now, Foursquare assumes you want to share that information with the app all the time, and without asking for your permission.

In the current climate of government surveillance, data mining, and social media oversharing, there's a growing resistance to invasions of privacy - even among people who don't hesitate to share what they're doing and feeling at every possible moment.

Even if you're comfortable giving away your privacy for convenience, it's more than a little naive to assume your personal data is well-protected and only being used in your best interests.

Look at the current crop of mobile messaging apps like WhatsApp and Viber - both were storing your messages in unencrypted form, until security researchers discovered that anyone could use Wi-Fi sniffers to intercept messages and see everything that users shared via the apps.

Then there's the 800 pound gorilla of social networks, Facebook, which is under fire from regulators and the subject of lawsuits from users for its aggressive data mining.

Facebook even copped to an experiment on non-consenting users.

If we don't expect the apps and websites we've come to rely on to give us control over how our data is used, one day we may wake up and have no choice at all.

Read More

Website hacking using manual SQL injection explained by TheRootCoder [Video Tutorial]

Hello guys today i m posting some good stuff after a long time .. this tutorial is made by our friends TheRootCoder so all credits goes to him...

Last Updated : 07/08/2014

Just watch this video tutorial............ and it is Self-Explanatory so i think no need to write long text still if you face any problem then comment below i will resolve your problem..

Caution: This tutorial(video) is only for educational purposes so don't misuse it because it is illegal to penetrate into others system without their permission .And you are also bounded with your state/country's cyber laws.

Direct link to youtube videos  Click Here and also subscribe our channel.

Read More