Hacker Posts Bug Report on Zuckerberg’s Timeline

What if you find a bug on Facebook’s privacy feature and no one took you seriously? What is the best way to get Facebook’s attention. A great way is to post the bug report on Mark Zuckerberg’s wall. This is exactly what a Palestinian online security expert, Khalil Shreateh did when he found a vulnerability that allowed a Facebook user to post a message on any Facebook user’s timeline even if they were not in his timeline.

Facebook has a Bug Bounty program called Whitehat. It allows bug reporters to report a bug and pick up $500.

Khalil initially used Whitehat to send in a bug report. He was sent a reply by Facebook that it was not a bug. That is when the hacker decided to catch the attention of Facebook by posting the bug report on Mark Zuckerberg’s wall.

Not just that, he also took screenshots of it and posted them online in a blogpost.

Zuckerberg Wall Bug Report - Copy

 

Unfortunately the $500 bounty for the hacker was denied to Khalil because he had not followed terms and conditions of the White Hat program. They also ended up suspending his account for sometime before reinstating it.

This is actually very shabby treatment by Facebook of the hacker. Khalil could have posted about the vulnerability online for the general public to use and literally caused mayhem on Facebook. But he chose to do the right thing by reporting it to Facebook. Unfortunately the social network which likes to ‘break things’  and do things the ‘Hacker way’ did not appreciate it.

(via RT)

“Break In If You Can” – Real Online Hacking Contest from IIIT

“Break In If You Can” is official hacking contest organized by The International Institute of Information Technology, Hyderabad, India.

This hacking contest is organized as part of Felicity, the annual cultural and technical festival, to be held from 18th – 20th February, 2011.

Real Hacking Contest!

Most hacking challenges creates a dummy site/scenario where organizers know in advance how far you can go! In most of those challenges, once you uncover security holes, you are often encountered with a lame message congratulating you.

But in this real hacking contest, you are expected to hack into IIIT Hyderabad’s website itself i.e. http://iiit.ac.in/

They have promised not to sue you but make sure if you break-in successfully rather than damaging and creating havoc, you contact organizers to claim your prize. ;-)

Prizes:

As per official site 1st Prize is Rs. 5000. But I personally feel that this hacking contest itself is bigger than any other prize! ;-)

Though, you can see complete list of prizes here.

Event Date:

The test run will be on Jan 29th, 2010 i.e. tomorrow and main contest will be on Jan 30th 2010. Time will be 10PM IST.

Link: Break In If You Can

Ipad Hacking: FBI Investigation

FBI is investigating a security breach of ATT’s website that allowed hackers to obtain the email addresses of iPad owners.
‘The FBI is aware of these possible computer intrusions and has opened an investigation to address this potential cyberthreat,’ said Lindsay Godwin, an FBI spokeswoman.
ATT acknowledged on Wednesday there had been a data breach at the US telecom giant that allowed hackers to obtain the email addresses of owners of the 3G model of the iPad.
ATT’s 3G plan provides the mobile connectivity for the touchscreen tablet computer from Apple.

iPad
iPad

According to Silicon Valley website Valleywag, a shadowy hacking group called Goatse Security hacked into the ATT website and obtained the email addresses of over 114,000 iPad owners including those of business leaders, politicians and military officials.
Valleywag published the names of some on the list but not their full email addresses.
They included New York Times Co. chief executive Janet Robinson, New York Mayor Michael Bloomberg and White House chief of staff Rahm Emanuel.
Earlier Thursday, retired rear-admiral Jamie Barnett, chief of the Federal Communications Commission’s public safety and homeland security bureau, expressed concern about the incident.
‘I am concerned about the report of a security breach to ATT’s network that exposed the personal data of more than a hundred thousand iPad users,’ Barnett said in a statement.
‘This breach underscores the need for robust cyber security,’ he said. ‘The FCC will continue to work with all stakeholders to prevent future security breaches that violate consumer privacy and undermine trust in America’s communications infrastructure.’
ATT apologised for the disclosure and said it has ‘turned off the feature that provided the email addresses.’
Valleywag owner Gawker Media also runs the popular technology blog Gizmodo, which obtained a secret prototype of an Apple iPhone in April after it was lost in a California bar and published details and pictures of the device.

Biggest Technical Security Conference By Blackhat

A biggest technical conference is going to be held on this month in America and Europe. The event is organised by Black Hat and sponsored by big giants like Microsoft etc.

The Black Hat Briefings are a series of highly technical information security conferences that bring together thought leaders from all facets of the infosec world – from the corporate and government sectors to academic and even underground researchers.

blackhat_tech

So its the prime time for all technicians to learn more.

Its not at all a problem if you are not from Europe or US. Another option for Webcast or Webinar is available. Don’t lose time and have registrations at the earliest.

Black Hat Webpage

Chinese hackers target Indian government

A day after Google made public that they were under a well organized attack from Chinese hackers news has trickled in that certain Chinese hackers have targeted computers within the Government trying to snare many top level administrators. Apparently an email was sent to top level bureaucrats from a dormant email id. This allowed the hackers the opportunity to access a backdoor within the network for getting access to that computer’s hard disk.

According to the timing that these attacks coincided with the Copenhagen summit last year, there is a theory that Chinese hackers might have tried to get an idea of India’s stand before hand. The Prime Minister’s Office has confirmed about the attack on systems but noted that computers with sensitive material are sanitized and do not have access to the Internet.

hackers

Why China?

A lot of experts are saying China has a long term plan to use its cyber hackers to control the internet or atleast develop the ability to cause great harm. I think that idea is a little over stretched.  China does have one of the most comprehensive system of monitoring and censoring content on the internet. It might soon have the highest number of Internet users but the content is very controlled. To acheive this sort of monitoring mechanism would need a huge number of hackers who are working round the clock trying to monitor the massive internet population.

This essentially gives some of these Chinese hackers an ability to be trying their hands at attacking systems and networks outside China. Whereas there is nothing wrong in being aware and vigilant about cyber security, I do not think it is correct to be too carried away with conspiracy theories that will soon start floating on the internet along with some parts of the print and television media.

Link: India Today

Image Credit: Tech Shout

Passwords of Thousands of Hotmail Accounts Leaked Online!

Windows Live Hotmail LogoMicrosoft had a bad weekend as around 20,000 hotmail accounts were hacked and their passwords were posted on October 1 by an anonymous user on pastebin, a website used by programmers to share code snippets. The page was removed soon after (even the cached page by Google). Continue reading Passwords of Thousands of Hotmail Accounts Leaked Online!

Email Security – How Aware Are You?

The Messaging Anti-Abuse Working Group (MAAWG) surveyed consumer emailing behavior and security awareness amongst them and found out that almost a third of consumers accepted to responding to an email they suspected to be spam. Alarmingly, about 80 % of users doubted their computers were at risk of being infected with a “bot,” – a slyly planted virus that can send spam or cause other harm without the user’s cognition. Bots are responsible for generating much of today’s illegitimate email.

The study clearly points out a lack of awareness among consumers.

Highlights

[The report is based on 800 interviews with computer users in the United States and Canada who said they were not “security experts” and who used email addresses that were not managed by a professional IT department.]

  • About two-thirds of the consumers consider themselves “very” or “somewhat” knowledgeable in Internet security.
  • Most consumers use anti-virus software
  • Over half say they never click on suspected spam
  • 21 % take no action to prevent abusive messages from entering their inbox.
  • 63 % users would allow their network operator or anti-virus vendor to remotely access their computer to remove detected bots.

Internet and Email Usage

image

Virus Infections and Anti-Virus Software Usage

image

image

Awareness and Perceptions of Spam

image

Action Against Spam

image

image

image

image

image

image

It is interesting to note that while 82% of consumers are aware of “bots” and malware threats, only 20% believe there is a very good chance their computers could get infected. Even then a majority of junk email today originates from bot-infected computers. The picture seems to e clear after analyzing the report – users are familiar with general email based threats but are not necessarily as alert or cautious as they should be to proactively protect themselves against spam, online fraud and other email-related hazards.

So, how aware, alert and cautious are you? Comment on.

(Source: MAAWG)

Beware! Internet Explorer Vulnerability in Microsoft’s Video ActiveX Control

imageMicrosoft warns its users of Internet Explorer vulnerability in its Video ActiveX Control that affects computers running on Windows XP and Windows Server 2003. Microsoft says that they have been working on a security update to fix this. While that happens, Microsoft advises its users to prevent Microsoft Video ActiveX Control from running in Internet Explorer.

The Microsoft Video ActiveX Control connects DirectShow filters for video and is used in Windows Media Center. When the control runs in IE, it can corrupt the system so that a hacker can run arbitrary code.

What does it do?

This vulnerability can allow easy access to hackers to remotely control the victims’ machine. All one has to do is visit a website by clicking a link in spam e-mail, and that does it. This has been going on for a week now and over thousand sites have been hacked to serve up malicious software by the cyber criminals.

Work-around?

To implement the workaround that disables the Microsoft Video ActiveX Control automatically on a computer that is running Windows XP or Windows Server 2003, visit Microsoft’s “Fix it for me” option. This is recommended for users who have their computers running on Windows Vista and Windows Server 2008.

(Source: Microsoft TechNet)

Twitpic fixes vulnerability after Britney Spears dies on Twitter!

image This has been a week of tragic celebrity deaths (Michael Jackson, Billy Mays, Farrah Fawcett and Ed McMahon). And a couple of days back, it was the pop princess Britney Spears! Well, rather a Tweet (with a Twitpic) on her official Twitter page that read the following:

“Britney has passed today. It is a sad day for everyone. More news to come.”

Well… well… Pranksters get weird kicks hacking accounts and posting wicked stuff.

The Tweet was deleted in no time, but the message did make it to Britney’s account. A message was also sent out her fans through Twitter itself setting clarifying that the news wasn’t true.

“Britney’s Twitter was just hacked. The last message is obviously not true. She is fine and dandy spending a quiet day at home relaxing.”

Apparently, it was reported that several Twitter accounts of celebrities including Ellen DeGeneres and Diddy were hacked that day, which displayed fake death announcements.

clip_image002

Apart form the Twitter account of Britney Spears, others hacked were the accounts of George Clooney, Miley Cyrus, Ellen DeGeneres, Harrison Ford, Natalie Portman, Diddy, and Jeff Goldblum, etc. spreading their fake death reports.

Twitpic had discovered a vulnerability in their mobile posting system where someone can brute force someone’s twitpic email address (i.e. guess their PIN number by trying every combination). Twitpic seems to have patched the vulnerability now that saw Britney Spears’ Twitter account report her death.

This is the second time Britney Spears has fallen prey to the Internet hackers on Twitter. Last time it was in January when hackers posted a series of “adult-only” messages on her page.

Wonder what Britney has to say about this… Hit me baby one more time?

Unsafe Gmail email service putting users at risk

image

The 38 signatories including security experts, lawyers and privacy advocates have questioned Google in an open letter to explain why it is not making Gmail service more secure and needlessly putting Gmail users at risk.

Google apparently is not using the secure version of the HTTP protocol for privacy protection of its users, leaving them vulnerable to threats from cybercriminals.

The Problem

  • When someone signs in on to Gmail, their login and password are encrypted.
  • Then this data goes back and forth using the secure version of HTTP known as HTTPS.
  • This secure version is turned off once sign in process is complete.
  • Because of this, the risk from cybercriminals increases as they could easily use the unencrypted data passing back and forth to steal ID files called “session cookies” generated when these applications start being used.

Possible Threats

Criminals could use the cookies to

  • Hijack the account
  • Pose as the user himself
  • Change the password
  • Send false emails
  • Abuse owner’s identity

Says Ben Edelman, a signatory of the letter and assistant professor at Harvard Business School:

“As more of us end up using insecure internet access – such as wi-fi in coffee shops, libraries, and so forth – there’s a real risk of session hijacking,”

The Solution

Enabling HTTPS as a default option:

  • It is possible to use HTTPS at all times when signed on to Gmail, Docs, or Calendar.
  • However, the option is hard to find and few people would know how to use it.
  • Mostly people prefer to stick to default options that are available and end up leaving themselves at risk.

Hence, it is necessary that Google turns on HTTPS by default.

Google’s Response

  • Google boss Eric Schmidt has responded to this by saying that Google is considering trials of the secure system with a select group of users.
  • Google says it wanted to be sure that the user-experience of Gmail would not change by turning this feature on.
  • Google fears that by enabling the encryption, the response time would slow down.

Every email service should do more to protect its users online from potential risks. Let’s wait and watch what Google does to ensure more protection for its users.

Share you comments on what you think about this.

(Source: bbc)