
Attackers Gained Access to the Systems of the National Games of China

 

China has recently held its own national sporting event: the National Games of China began on September 15, 2021, in Shaanxi province. The event is comparable to the Olympics, but it features only athletes from China. The National Games of the People's Republic of China, also known as the All-China Games, is China's biggest national sporting event and is typically held every four years.

David Álvarez, a security researcher at Avast, came across a malware sample with an unusual file extension in early September and started to investigate where it came from. In doing so he found a report, submitted to VirusTotal by the National Games IT team, on an attack against a server associated with the Games.

The data suggests that the attackers obtained initial code execution on September 3, 2021, at around 10:00 AM local time, and deployed their first reverse shell by executing a script called runscript.lua. The researchers believe this was achieved through an arbitrary file-read vulnerability in either route.lua (which, judging from the API (Application Programming Interface) surface reconstructed from various JavaScript files, is a Lua script with a wide range of functionality, from login authentication to file manipulation) or index.lua, used together with the index.lua?a=upload API call, which appears nowhere else in the network logs. It is also worth noting that runscript.lua was neither included in the report nor among the files uploaded by the attackers.

After gaining initial access, the attackers uploaded numerous other reverse shells, such as conf.lua, miss1.php and admin2.php, to keep a foothold in the network should one of the shells be discovered. Because these shells receive their commands via POST requests, the command data is not contained in the logs attached to the report, which record only the URL path. The logs also do not contain enough network-traffic detail for the researchers to establish exactly how and when the attackers obtained their initial web shell.
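The triage described above, as an added example that is not code from the Avast report or from the National Games IT team: a short Python script that works over access-log lines in the combined format, which, like the logs in the report, show only the URL path and not the POST bodies. The route names index.lua, route.lua and index.lua?a=upload and the shell names conf.lua and miss1.php are taken from the text; the sample log lines, client IPs, timestamps and the KNOWN_ROUTES allowlist are constructed for the example.

```python
# Added example (not code from the Avast report or the National Games IT team):
# triage an access log for the pattern described above, a call to an upload
# API followed by requests to script paths that were never seen before.
# Route and shell names come from the text; log lines, client IPs, timestamps
# and the KNOWN_ROUTES allowlist are constructed for this example.
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)
SCRIPT_EXT = (".lua", ".php", ".jsp", ".asp", ".aspx")

# Assumption: the operator has reviewed the app's JavaScript/API surface and
# listed every legitimate server-side script path here.
KNOWN_ROUTES = {"/index.lua", "/route.lua"}

# Assumption: the upload action is rare enough that every call deserves review.
UPLOAD_PARAM = ("a", "upload")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    return rec


def triage(lines):
    """Return (time, ip, description) findings in log order.

    Only the URL path is available, as in the logs described above: POST
    bodies carrying web-shell commands are not logged, so the signal is the
    appearance of a script path that is not a known route, especially from a
    client that earlier called the upload API.
    """
    findings = []
    seen_scripts = set()
    uploaders = {}  # client ip -> time of its first upload call
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path, ip, when = rec["path"], rec["ip"], rec["time"]
        is_script = path.lower().endswith(SCRIPT_EXT)
        key, value = UPLOAD_PARAM
        if is_script and rec["query"].get(key) == [value]:
            uploaders.setdefault(ip, when)
            findings.append((when, ip, f"upload API call: {rec['target']}"))
        if is_script and path not in KNOWN_ROUTES and path not in seen_scripts:
            tag = "new script path"
            if ip in uploaders:
                tag += " after upload from same client"
            if rec["method"] == "POST":
                tag += " (POST, body not logged)"
            findings.append((when, ip, f"{tag}: {rec['method']} {path}"))
        if is_script:
            seen_scripts.add(path)
    return findings


# Constructed sample log; the shell names follow the text above.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Sep/2021:09:58:12 +0800] "GET /login.html HTTP/1.1" 200 2311',
    '203.0.113.7 - - [03/Sep/2021:09:58:40 +0800] "POST /route.lua HTTP/1.1" 200 88',
    '203.0.113.7 - - [03/Sep/2021:10:01:05 +0800] "POST /index.lua?a=upload HTTP/1.1" 200 19',
    '203.0.113.7 - - [03/Sep/2021:10:01:31 +0800] "POST /conf.lua HTTP/1.1" 200 0',
    '203.0.113.7 - - [03/Sep/2021:10:02:07 +0800] "POST /miss1.php HTTP/1.1" 200 0',
    '198.51.100.23 - - [03/Sep/2021:10:02:50 +0800] "GET /static/app.js HTTP/1.1" 200 50213',
    '203.0.113.7 - - [03/Sep/2021:10:03:12 +0800] "POST /conf.lua HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for when, ip, what in triage(SAMPLE_LOG):
        print(f"{when} {ip:<15} {what}")
```

Run it as a script to see the three findings from the sample log. On a real log, populate KNOWN_ROUTES from the application's JavaScript and API surface first, otherwise every legitimate script path shows up as new.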

The method used to compromise the 14th National Games of China is not novel: the attackers got in by exploiting a flaw in the web server. This underlines the importance of keeping software updated and correctly configured, and of watching for newly published vulnerabilities in applications with vulnerability scanners.

The most important countermeasure for defenders is to keep infrastructure patched and up to date, especially anything exposed to the internet. Prevention should be the first priority for both internal and internet-facing infrastructure. The researchers add that further layers of protection are needed so that a successful breach can be detected and responded to quickly.

Ransomware Gang Offered a Decryptor After Realizing they Hit a US Government Agency

 

The AvosLocker ransomware operation offered a free decryptor after discovering that it had encrypted a US government agency. AvosLocker had broken into a US police department last month, encrypting devices and stealing data during the attack.

Sophos researchers investigating an AvosLocker deployment found that the main phase begins with the attackers using PDQ Deploy to run a batch script, named "love.bat", "update.bat" or "lock.bat", on the targeted workstations. The script issues a series of commands that prepare the machines for the ransomware before rebooting them into Safe Mode. Windows Safe Mode is a diagnostic boot mode used for troubleshooting, in which most security and IT administration tools do not run.

The command sequence takes about five seconds to run and:

  • disables the Windows Update services and Windows Defender;
  • attempts to disable the components of commercial security products that can run in Safe Mode;
  • installs the legitimate remote administration tool AnyDesk and configures it to run in Safe Mode with networking, so that the attacker keeps command and control through the reboot;
  • sets up a new account with auto-login details; and
  • connects to the target's domain controller to remotely access and run the ransomware executable, called update.exe.
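A defender-side check for the sequence above, added here as an example and not part of the Sophos report: a Python script that reads the next-boot setting from bcdedit, the Winlogon auto-logon values and the list of services permitted under Safe Mode with networking, and flags the combination the batch script leaves behind. The registry paths, the SafeBoot\Network baseline and the bcdedit output layout are assumptions based on standard Windows behaviour, not details quoted from the report; the sample bcdedit output is constructed.

```python
# Added example (not from the Sophos write-up): check a Windows host for the
# Safe Mode persistence pattern described above. The registry locations
# (Winlogon auto-logon values, the SafeBoot\Network allowlist) and the bcdedit
# output layout are assumptions based on standard Windows behaviour; nothing
# here is quoted from the AvosLocker report.
import re
import subprocess
import sys

# Assumption: placeholder baseline of SafeBoot\Network entries. Replace it
# with the list taken from a known-good image of the same Windows build.
BASELINE_SAFEBOOT_NETWORK = {
    "Base", "Boot Bus Extender", "Boot file system", "File system",
    "NetworkProvider", "PNP_TDI", "rpcss", "SCSI Class", "vgasave",
}
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SAFEBOOT_NETWORK_KEY = r"SYSTEM\CurrentControlSet\Control\SafeBoot\Network"


def parse_bcdedit(text):
    """Return the lower-cased 'safeboot' value (e.g. 'network', 'minimal')
    from `bcdedit /enum {current}` output, or None if it is not set."""
    m = re.search(r"^\s*safeboot\s+(\S+)", text, re.MULTILINE | re.IGNORECASE)
    return m.group(1).lower() if m else None


def assess(safeboot, winlogon, safeboot_network_entries):
    """Turn the three observations into findings (empty list = nothing odd).

    safeboot: value from parse_bcdedit()
    winlogon: dict of AutoAdminLogon / DefaultUserName / DefaultPassword values
    safeboot_network_entries: subkey names under SafeBoot\\Network
    """
    findings = []
    if safeboot:
        findings.append(f"next boot is Safe Mode ({safeboot}); expected only "
                        "during hands-on troubleshooting")
    if str(winlogon.get("AutoAdminLogon", "0")) == "1":
        user = winlogon.get("DefaultUserName", "<unset>")
        pw = ("DefaultPassword stored in clear text" if "DefaultPassword" in winlogon
              else "no DefaultPassword")
        findings.append(f"auto-logon enabled for {user} ({pw})")
    for name in sorted(set(safeboot_network_entries) - BASELINE_SAFEBOOT_NETWORK):
        findings.append(f"non-baseline service allowed in Safe Mode with networking: {name}")
    return findings


def collect_windows():
    """Gather the three inputs on a live Windows host (needs admin rights)."""
    import winreg  # Windows-only module
    bcd = subprocess.run(["bcdedit", "/enum", "{current}"],
                         capture_output=True, text=True, check=True).stdout
    winlogon = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as k:
        for name in ("AutoAdminLogon", "DefaultUserName", "DefaultPassword"):
            try:
                winlogon[name] = winreg.QueryValueEx(k, name)[0]
            except FileNotFoundError:
                pass
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SAFEBOOT_NETWORK_KEY) as k:
        i = 0
        while True:
            try:
                entries.append(winreg.EnumKey(k, i))
            except OSError:  # no more subkeys
                break
            i += 1
    return parse_bcdedit(bcd), winlogon, entries


# Constructed bcdedit output for offline use; the safeboot line is what the
# attacker's batch script leaves behind.
SAMPLE_BCDEDIT = """
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.efi
description             Windows 10
safeboot                Network
"""

if __name__ == "__main__":
    if sys.platform == "win32":
        for f in assess(*collect_windows()):
            print("[!]", f)
    else:
        for f in assess(parse_bcdedit(SAMPLE_BCDEDIT),
                        {"AutoAdminLogon": "1", "DefaultUserName": "support"},
                        sorted(BASELINE_SAFEBOOT_NETWORK) + ["AnyDesk"]):
            print("[!]", f)
```

Run it as administrator on a Windows host; on any other platform it evaluates the constructed sample instead. Treat the baseline set as a placeholder and fill it from a clean image of the same Windows build before relying on the last check.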

“The techniques used by AvosLocker are simple, but very clever. They ensure that the ransomware has the best chance of running in Safe Mode and allow the attackers to retain remote access to the machines throughout the attack,” said Peter Mackenzie, director of incident response at Sophos. 

According to a screenshot shared by security researcher pancak3, the operators offered a free decryptor once they learned the victim was a government entity. While providing the decryptor to the police department, the ransomware group declined to hand over a list of the stolen files or details of how they had gained access to the department's network. An AvosLocker operation member said they have no strategy as to whom they target but typically avoid encrypting government agencies and hospitals.

"You should note, however, that sometimes an affiliate will lock a network without having us review it first," the AvosLocker operator said. 

Over the last year, international law enforcement operations have resulted in numerous indictments or arrests of ransomware members and money launderers, including members of the REvil, Egregor, Netwalker and Clop groups. This increased pressure has had a visible effect, contributing to the shutdown of several ransomware operations, including DarkSide, BlackMatter, Avaddon and REvil.

Multiple Flaws Detected in GOautodial

 

Several vulnerabilities have been uncovered in an open-source call centre software suite that is used all around the world, a cybersecurity researcher has reported.

The Synopsys Cybersecurity Research Center (CyRC) issued an advisory disclosing two GOautodial API vulnerabilities. GOautodial is available as a free download and is also sold as a hosted service by a variety of providers.

Researchers in the GOautodial advisory stated, "The vulnerabilities discovered can be exploited remotely to read system settings without authentication and allow arbitrary code execution by any authenticated user via an unrestricted file upload." 

The first, CVE-2021-43175, is a broken authentication issue that enables an attacker with access to the internal network hosting GOautodial to obtain sensitive configuration information, such as default passwords, from the GOautodial server without credentials. A threat actor could use this information to pivot to other systems on the network, such as VoIP phones.

The second, CVE-2021-43176, lets any authenticated user, regardless of privilege level, achieve remote code execution.

CyRC alerted, "This would allow them to gain complete control over the GOautodial application on the server, steal the data from fellow employees and customers, and even rewrite the application to introduce malicious behaviour such as stealing passwords or spoofing communications (sending messages or emails that look like they come from someone else)." 

Vulnerable versions of the GOautodial API include the latest publicly available ISO installer, GOautodial-4-x86_64-Final-20191010-0150.iso, and any build created before September 27, 2021.

The vulnerabilities were discovered by Scott Tolley of the Synopsys Cybersecurity Research Center using the interactive application security testing (IAST) tool Seeker, which automatically tests for security vulnerabilities throughout the software development life cycle (SDLC). 

Tolley first reported the vulnerabilities to GOautodial on September 22. On October 20 the firm responded that the flaws had been addressed; Synopsys validated the patch by November 17 and issued its security advisory.

Tolley had previously identified CVE-2021-33177, CVE-2021-33178 and CVE-2021-33179, respectively an SQL injection, a path traversal and an XSS vulnerability in the popular application, service and network monitoring software Nagios XI.

Linux System Service Bug Allows You to Gain Root Access

 

An authentication bypass vulnerability in polkit, the authorisation service installed by default on many recent Linux distributions, allows an unprivileged local attacker to obtain a root shell. The polkit local privilege escalation flaw (CVE-2021-3560) was publicly disclosed on June 3, 2021, together with a fix. Polkit is used by systemd, so it is present on any Linux distribution that uses systemd.

Kevin Backhouse, a GitHub security researcher, detailed how he found the bug (CVE-2021-3560) in polkit in a blog post on Thursday. The problem was introduced in commit bfa5036 seven years ago and first shipped in polkit version 0.113, but it reached distributions at different times: many did not ship a vulnerable polkit until recently. Any Linux machine running polkit 0.113 or later without the fix is exploitable.

Polkit, formerly known as PolicyKit, is a service that decides whether a process is allowed to perform an action that needs more privileges than it currently has; it is consulted, for example, when a new user account is created. According to Backhouse, exploiting the issue is shockingly simple, needing only a few commands with common terminal tools such as bash, kill and dbus-send.

"The vulnerability is triggered by starting a dbus-send command but killing it while polkit is still in the middle of processing the request," explained Backhouse. Killing dbus-send (a D-Bus interprocess communication tool) in the middle of an authentication request causes an error, because polkit then asks the D-Bus daemon for the UID of a connection that no longer exists.

"In fact, polkit mishandles the error in a particularly unfortunate way: rather than rejecting the request, it treats the request as though it came from a process with UID 0," explains Backhouse. "In other words, it immediately authorizes the request because it thinks the request has come from a root process."

Because polkit's UID query to dbus-daemon happens several times along different code paths, this does not happen every time. According to Backhouse, most of those code paths handle the error correctly, but one does not, and if the disconnection occurs while that path is running, privilege escalation follows. It is all a matter of timing, which varies unpredictably because several processes are involved; Backhouse believes this intermittent behaviour is why the bug went unnoticed for seven years.

This Malware Uses Steam Profile Images to Hide Itself

 

In May 2021, a researcher tweeted about new malware that hides inside Steam profile images. Apart from a warning that the length of the ICC profile data is not acceptable, common online EXIF tools report nothing remarkable about the image. That is because the malware is stored, in encrypted form, in the PropertyTagICCProfile value, in place of an actual ICC profile. The purpose of an ICC profile is to map colours correctly for output devices such as printers.

Valve's Steam is a video game digital distribution platform. In September 2003, it was released as a separate software client as a mechanism for Valve to give automatic updates for their games, and it was later expanded to include games from third-party publishers. Digital rights management (DRM), server hosting, video streaming, and social networking services are all available through Steam. It also includes community features such as friends lists and groups, cloud storage, and in-game voice and chat functions, as well as game installation and automatic updates.

Concealing malware in the metadata of an image file is not a new idea, but using a gaming platform like Steam as the host is. The approach makes sense from the attacker's point of view: swapping the hosted payload is as simple as updating the profile image, there are plenty of legitimate accounts, and blocking the Steam platform outright would have many unintended consequences.

It should be emphasised that no installation of Steam, or of any other gaming platform, is required to become a target. Steam merely serves as the medium through which the malicious file is distributed.

An external component, which simply fetches the profile image from one Steam profile, does the heavy lifting of downloading, unpacking and executing the malicious payload. This component can itself be delivered in a variety of ways, including manipulated emails and infected websites.

The Steam profile image is neither infectious nor executable; it is only a vehicle for the malware, which has to be extracted from it by a second component. That second component is a downloader: it uses TripleDES to decrypt the payload from the picture, with the password "PjlDbzxS#;8@x.3JT&4MsTqE0" hardcoded.
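One way to tell a real ICC profile from a payload parked in its place, added here as an example and not taken from the G DATA analysis or from the malware: a Python script that pulls the embedded profile out of a PNG iCCP chunk or a JPEG APP2 ICC_PROFILE segment (the on-disk forms of the PropertyTagICCProfile value) and checks the 128-byte ICC header, whose first four bytes must equal the profile's length and whose bytes 36 to 39 must read "acsp". The sample images and the stand-in payload are constructed in code; the decryption step is deliberately not reproduced.

```python
# Added example (not G DATA's or the researcher's tooling): extract the
# embedded ICC profile from a PNG (iCCP chunk) or JPEG (APP2 "ICC_PROFILE"
# segment), which is where image libraries write the PropertyTagICCProfile
# value, and check that it really is an ICC profile. A real profile has a
# 128-byte header: bytes 0..3 give the profile size, bytes 36..39 are b"acsp".
# The sample images and the stand-in payload below are constructed.
import struct
import zlib

ICC_HEADER_LEN = 128


def icc_profile_problems(blob):
    """Reasons why `blob` is not a plausible ICC profile ([] if it is)."""
    if len(blob) < ICC_HEADER_LEN:
        return [f"shorter than the {ICC_HEADER_LEN}-byte ICC header"]
    problems = []
    declared = struct.unpack(">I", blob[:4])[0]
    if declared != len(blob):
        problems.append(f"declared size {declared} != actual {len(blob)}")
    if blob[36:40] != b"acsp":
        problems.append("missing 'acsp' signature at offset 36")
    return problems


def extract_icc_png(data):
    """Profile bytes from a PNG iCCP chunk, or None if there is none."""
    if not data.startswith(b"\x89PNG\r\n\x1a\n"):
        return None
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"iCCP":
            _name, _, rest = body.partition(b"\x00")  # name NUL method data
            if rest[:1] != b"\x00":  # 0 (deflate) is the only defined method
                return rest[1:]
            try:
                return zlib.decompress(rest[1:])
            except zlib.error:
                return rest[1:]  # not even valid deflate; header check will flag it
        pos += 12 + length  # length, type, data, crc
    return None


def extract_icc_jpeg(data):
    """Profile bytes reassembled from a JPEG's APP2 ICC_PROFILE segments."""
    if not data.startswith(b"\xff\xd8"):
        return None
    parts = {}
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or start of scan: headers are over
            break
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        seg = data[pos + 4:pos + 2 + seglen]
        if marker == 0xE2 and seg.startswith(b"ICC_PROFILE\x00"):
            parts[seg[12]] = seg[14:]  # seg[12] = sequence no., seg[13] = count
        pos += 2 + seglen
    return b"".join(parts[k] for k in sorted(parts)) if parts else None


def inspect_image(data):
    """Return (container, problems); container is None when no profile is present."""
    for kind, extract in (("png", extract_icc_png), ("jpeg", extract_icc_jpeg)):
        blob = extract(data)
        if blob is not None:
            return kind, icc_profile_problems(blob)
    return None, []


def _png_chunk(ctype, body):
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))


def make_png(profile):
    """Constructed 1x1 PNG whose iCCP chunk carries `profile`."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    iccp = b"icc\x00\x00" + zlib.compress(profile)
    return (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"iCCP", iccp) + _png_chunk(b"IEND", b""))


def make_jpeg(profile):
    """Constructed header-only JPEG with one APP2 ICC_PROFILE segment."""
    seg = b"ICC_PROFILE\x00" + bytes([1, 1]) + profile
    return b"\xff\xd8\xff\xe2" + struct.pack(">H", len(seg) + 2) + seg + b"\xff\xd9"


def genuine_icc():
    """Minimal header-only profile that passes the checks."""
    hdr = bytearray(ICC_HEADER_LEN)
    hdr[0:4] = struct.pack(">I", ICC_HEADER_LEN)
    hdr[36:40] = b"acsp"
    return bytes(hdr)


# Stand-in for an encrypted payload: arbitrary bytes with no ICC structure.
FAKE_PAYLOAD = bytes(range(256)) + b"\x00" * 44

if __name__ == "__main__":
    for label, img in (("png/genuine", make_png(genuine_icc())),
                       ("png/payload", make_png(FAKE_PAYLOAD)),
                       ("jpeg/payload", make_jpeg(FAKE_PAYLOAD))):
        print(label, inspect_image(img))
```

A profile that fails both header checks is not proof of malware on its own (broken exporters exist), but it is exactly the anomaly the EXIF tools hinted at with their length warning, and it is cheap to check at scale.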

Google Security Researcher Banned From COD: Modern Warfare For Reverse Engineering


A security researcher from Google has been banned from Call of Duty: Modern Warfare for reverse engineering its networking code while hunting for memory corruption vulnerabilities.
 
Almost a week after Activision Blizzard, Call of Duty's developer, suspended his account, Google Project Zero's Williamson, who carried out the research in his personal capacity, published a blog post explaining that the work required him to reverse engineer the networking code in COD's executable in order to review it for memory corruption vulnerabilities. Because the executable was heavily obfuscated, IDA could not analyse it, forcing him, as he put it in the blog, to "dump the unobfuscated code from the memory of a running game process."
 
That is most likely what the game's anti-cheat flagged as suspicious and took as a sign of cheating. To avoid affecting other players, Williamson only read memory while sitting in the main menu. He first attached the WinDbg debugger, which caused the game to exit; Williamson believes this was the event that triggered the flag. He then suspended the process, dumped an image of the game from memory while in the main menu, and exited normally, as he explained in his blog post.
 
The researcher, saddened by the ban for several reasons, said, "after spending a few days reviewing the binary, I decided that the binary was so large and unwieldy to deal with that I would table the project for a later date. But unfortunately, I was banned about a month later, losing over a year of progress on my account."
 
"The ban saddens me on a personal level as I’ve reconnected with family and friends from throughout my life playing this game during the pandemic. But more importantly, this sends a clear signal: this research is not welcome. I believe I had a reasonable expectation that it would be. I had done similar work during a CTF, where I reverse engineered and fuzzed CS:GO without ever risking a ban," he further added. 
 
Williamson, acknowledging the scale of cheating as a threat to online gaming, said, "I understand that the developers shoulder an impressive burden in preventing cheat development and use. They need to leverage a variety of signals to detect cheat development and use. I’m guessing that because they may not have seen security researchers reviewing their platform before, they interpret any attempt to reverse engineer as a sign of malicious behavior. No typical player would attach a debugger to the game, and therefore they probably assume they don’t need much more evidence beyond this to issue a ban."
 
Voicing his concern about what the ban means for security researchers, he said, "Let me be clear: at no point did I intend to develop or use a cheat, and at no point did I manipulate any aspect of the game for another player or even myself. To this day, I don’t know what exactly caused the ban, and there’s no process to appeal it. What if using a reversing tool as part of my job gets me flagged? This fear is in the back of my mind for all games with anti-cheat, not just Warzone."

VLC player has ‘critical’ security flaw

Popular media software VLC Media Player has a critical software vulnerability that could put millions of users at risk, security researchers have warned.

Researchers at CERT-Bund, Germany's federal computer emergency response team, say they have identified a serious security flaw in the video player, which has been downloaded billions of times worldwide, that could allow attackers to compromise users' devices.

Although the vulnerability has not yet been seen exploited publicly, it poses a growing threat to users of the popular software.


Hijacked

According to CERT-Bund, the flaw enables remote code execution (RCE), unauthorised modification and disclosure of data and files, and disruption of service, meaning users could see their devices hijacked and made to run malicious code.

Tracked as CVE-2019-13615, the vulnerability was reported against the latest release of the software, VLC Media Player 3.0.7.1, and was scored 9.8 in NIST's National Vulnerability Database, which puts it in the 'critical' band.

The issue has been detected in the Windows, Linux and UNIX versions of VLC, however the macOS version appears to be unaffected.

VideoLAN, the not-for-profit organisation behind VLC Media Player, was reported to have been working on a patch for the flaw for the last four weeks and to be 60 percent through. VideoLAN later disputed the report: the crash was in the third-party libebml library, had been fixed in VLC releases more than a year earlier, and could not be reproduced with an up-to-date 3.0.7.1; NIST subsequently lowered the CVE's severity rating.

Last month, VideoLAN released the biggest single security update for VLC Media Player in the history of the programme. The update included fixes for 33 vulnerabilities in total, of which two were marked critical, 21 medium and 10 rated low.

Apple pushes out silent update for Mac users to remove Zoom web server

Earlier this week, US-based security researcher Jonathan Leitschuh publicly disclosed a major vulnerability in the Zoom video conferencing software for Apple's Mac computers that allowed any website to force a visitor into a video-enabled Zoom call, switching on the webcam without the user's consent. Now, according to a report by TechCrunch, Apple has silently pushed a macOS update that removes the Zoom web server.

As per the report, Apple confirmed that the update has been released; it is installed automatically and requires no user interaction. Its only purpose is to remove the local web server installed by the Zoom app, which Apple said exposed its users to risk.

According to Leitschuh, even if Mac users uninstall the Zoom app, the web server persists and can reinstall Zoom without the user's permission.

In a statement to The Verge and ZDNet, Zoom said it built the local web server to spare Mac users extra clicks after Apple changed Safari so that users had to confirm launching Zoom every time. Zoom also said it would change the app so that it remembers the user's and administrator's preference for whether video is on when they first join a call.

Apple, however, took it upon itself to protect its users from the vulnerability. The silent update was all the more necessary because the local web server Zoom installed could reinstall the app even after the user had uninstalled it.

Ransomware found exploiting patched Windows flaw

Researchers at cybersecurity firm Kaspersky have uncovered new ransomware named Sodin (also known as Sodinokibi or REvil) that exploits a Windows vulnerability, patched in 2018, to gain elevated privileges on an infected system. The ransomware also abuses the CPU architecture to evade detection, switching between 32-bit and 64-bit execution (the so-called "Heaven's Gate" technique), functionality that is rarely seen in ransomware.

"Ransomware is a very popular type of malware, yet it's not often that we see such an elaborate and sophisticated version: using the CPU architecture to fly under the radar is not a common practice for encryptors," said Fedor Sinitsyn, a security researcher at Kaspersky.

"We expect a rise in the number of attacks involving the Sodin encryptor, since the amount of resources that are required to build such malware is significant. Those who invested in the malware's development definitely expect it to pay off handsomely," Sinitsyn added.

The researchers found that most targets of Sodin ransomware were found in the Asian region: 17.6 percent of attacks have been detected in Taiwan, 9.8 percent in Hong Kong and 8.8 percent in the Republic of Korea.

However, attacks have also been observed in Europe, North America and Latin America, Kaspersky said, adding that the ransomware note left on infected PCs demands $2500 worth of Bitcoin from each victim.

The vulnerability the ransomware uses, CVE-2018-8453, a win32k.sys elevation-of-privilege flaw, had earlier been seen exploited by the FruityArmor group. It was patched on October 10, 2018, Kaspersky said.

To avoid falling victim to Sodin threats, make sure that the software used in your company is regularly updated to the most recent versions, said Kaspersky researchers.

Security products with vulnerability assessment and patch management capabilities may help to automate these processes, they added.

Bulgarian security expert arrested for demonstrating a vulnerability in software for kindergartens


The Bulgarian police recently detained information security specialist Petko Petkov, who had published a video about a vulnerability in a municipal IT system used by local kindergartens.

Petkov discovered the vulnerability in the software used by local kindergartens, made a video demonstrating it and posted it on Facebook about a week ago, on June 25. The video shows an automated attack on the local municipality's portal, through which parents apply for admission of their child to kindergarten. Using the vulnerability, the researcher was able to download the data of almost 236 thousand inhabitants of the Bulgarian city of Stara Zagora, which has a population of more than 330 thousand.

In a comment on the video, the specialist wrote that he had tried to contact the software developer, Information Services AD, and the municipal authorities, but his reports of the vulnerability were ignored, so he published the video to draw attention to the problem. In the same comment he posted a link to proof-of-concept code on GitHub, available to anyone.

Worse, the researcher explains that the same system is used in other Bulgarian cities, which means attackers could freely obtain residents' personal data, including passport details and information about their marital status, nationality, relatives and so on.

Shortly after the public disclosure, Bulgarian law enforcement arrested Petkov. He was held for 24 hours and then released.

According to the Bulgarian media, the prosecutor's office intends to charge him under the article on "illegal access to computer information protected by law". Petkov faces one to three years in prison and a fine of about $2,900.

Although he is now in trouble with the law, he achieved his goal: the problem was noticed, and after the incident the municipality stopped using the vulnerable software, having also failed to reach its developer for an official comment. The Mayor of Stara Zagora, Zhivko Todorov, told the media that the developer will fix the vulnerability at its own expense.

Hidden for 5 years, complex ‘TajMahal’ spyware discovered

It's not every day that security researchers discover a new state-sponsored hacking group.

Spyware is intriguing largely because of the complexity that lets it carry out its tasks, and taking it apart is something security researchers do on a regular basis. But a unique piece of spyware with a remarkable 80 different components and all kinds of tricks has now been uncovered by a group of analysts, and it had stayed under wraps for more than five years.

A technically sophisticated cyberespionage framework that has been active since at least 2013 has been outed by security researchers.

In a recent talk at the Kaspersky Security Analyst Summit in Singapore, researcher Alexey Shulmin presented the firm's discovery of an adaptable, Swiss-Army-knife spyware framework called TajMahal.

Security researchers still are not sure who is behind the versatile TajMahal spyware, or how its operators went undetected for so long. TajMahal bundles functionality never before seen in an advanced persistent threat, such as the ability to steal information from printer queues and to grab files previously seen on a USB device the next time it is reconnected. And the toolkit, Kaspersky says, bears none of the fingerprints of any known nation-state hacking group.

The 80 distinct modules include not just the standard ones like keylogging and screen-grabbing but also completely new tools.

TajMahal consists of two main packages, 'Tokyo' and 'Yokohama'. Tokyo contains the main backdoor functionality and periodically connects to the command-and-control servers; Yokohama is the second-stage payload that carries the plugin modules.

TajMahal is a wonder to behold.

"Such a large set of modules tells us that this APT is extremely complex," Shulmin wrote in an email interview ahead of his talk, using the industry jargon, short for advanced persistent threat, for sophisticated attackers who maintain long-term and stealthy access to victim networks. "TajMahal is an extremely rare, technically advanced and sophisticated framework, which includes a number of interesting features we have not previously seen in any other APT activity. Coupled with the fact that this APT has a completely new code base—there are no code similarities with other known APTs and malware—we consider TajMahal to be special and intriguing."

LTE vulnerabilities could allow eavesdropping


New vulnerabilities have been discovered in the 4G LTE networks used by smartphones: South Korean researchers found 36 new flaws using a technique called fuzzing.

It turns out that our mobile networks may not be the safest. As LTE gets ready to make way for 5G, researchers have discovered several flaws in the Long-Term Evolution (LTE) standard, which could allow an attacker to intercept data traffic or spoof SMS messages.

The 4G LTE standard has vulnerabilities that could allow a hacker to intercept data that is being transferred on the networks. Although there has been plenty of research about LTE security vulnerabilities published in the past,  what's different about this particular study is the scale of the flaws identified and the way in which the researchers found them.

Researchers at the Korea Advanced Institute of Science and Technology (KAIST) have discovered 51 vulnerabilities in the 4G LTE standard and its implementations; these include 15 known issues and 36 new, previously undiscovered flaws.

LTE is widely used around the world and commonly marketed as 4G, although it does not technically meet the original 4G requirements and is more accurately described as 3.95G.

Given the widespread use of LTE, the latest findings have massive implications and clearly show wireless networks that consumers often take for granted aren't foolproof.

In their research paper, the researchers report vulnerabilities that enable attackers to eavesdrop on and access user data traffic, send spoofed text messages, interrupt communications between base stations and phones, block calls, disconnect users from the network, and access as well as manipulate data in transit. The researchers plan to present their findings at the IEEE Symposium on Security and Privacy in May.

“LTEFuzz successfully identified 15 previously disclosed vulnerabilities and 36 new vulnerabilities in design and implementation among the different carriers and device vendors. The findings were categorized into five vulnerability types. We also demonstrated several attacks that can be used for denying various LTE services, sending phishing messages, and eavesdropping/manipulating data traffic. We performed root cause analysis of the identified problems by reviewing the related standard and interviewing collaborators of the carriers,” said the researchers in the report.

An Interesting Interview with Security Researcher & CTO of Defencely.com : Atul Shedage

E Hacking News had an interesting Interview with Atul Shedage, a Security researcher and CTO of Defencely.com. Here we go,

1. Please Introduce yourself to EHN's readers

Hello EHN World let me take this fragment of a moment to thank you all for this interview. That being said, I’m Atulkumar Hariba Shedage from Maharashtra – Pune. But you can call me “Atul”, as I am mostly known for my short name in the online world.

I am currently the CTO (Chief Technology Officer) at Defencely. It is an online platform for detecting, reporting and fixing website vulnerabilities for clients from all over the globe. Nothing pleases us more than being able to render our skills for popular companies, such as:

  • Google
  • GitHub
  • ZenDesk
  • RedHat
  • PayPal
  • Apple
  • Zynga

At the moment, I am in the middle of pursuing my academic career in Masters of Computer Science from Pune University. Besides pushing in boring assignments and taking notes, hacking and critically analyzing online security vulnerabilities is my second passion.

2. Why did you choose to become a security researcher?

Hmmm… this security researcher field wasn’t really planned. I’d say it was my destiny to become known in the online security field. Upon enrollment in the Bachelor Degree program, I had hopes of being one of the best web designers or programmers for that matter.

Back in 2008, I met this guy: Anil, who, later on, befriended me. He gave me the idea of giving online security a shot. As they say, “You ain’t got nothing to lose if you are going to try.” I put my hunches ahead of me and started taking introductory tutorials from every possible source.

Before you knew it, I was drenched in the passion of creating or doing something worthwhile in this field, which is why we are having this interview. Fate and hard work brought me here; destiny brought us face to face.

3. Tell me something about www.Defencely.com

Defencely is completely different than any automated website scanning or monitoring service. That’s because we take steps to secure your website before something goes wrong, rather than trying to pinpoint and clean up the mess after the fact. Our security experts have been trusted by dozens of top corporations, Fortune 500 companies and small businesses around the world to provide flexible, lightning-fast responses to security threats the moment they’re found.

What really matters is how we operate and render our services – these two elements are the crux of helping us signify ourselves. Defencely believes that nothing on the Internet is secure, which is the first and the foremost rule of online security services.

Secondly, we not only detect vulnerabilities, but we also provide long-lasting solutions / fixes to them. On common grounds, any web security company can detect vulnerabilities. They can get small-time scanner software to take the sting out of “manual labor”, if you’d like to put it that way. The Defencely team, on the other hand, is able to fix and detect vulnerabilities because of a robust knowledge base and real-life experience of dealing with such situations.

4. What's your research that makes you especially proud?

Something that has made me proud…? Hmmm <scratching my chin>. I can’t or maybe I don’t want to say for sure about what has made me truly proud… yet. I believe that one can only feel proud when he or she has indeed achieved a lifelong goal.

However, I did stumble upon moments of happiness and rejoicing. For instance, being able to talk to big online companies about gaping holes in their security systems, contacting big shots such as “Adam” from Google’s security panel, getting acknowledgements from the ZenDesk security team and vice versa – this is what is taking the Defencely team and myself to an unknown destiny in the skies above.

Overall, it is a killer experience.

5. What advice would you give a website admin to secure their site?

As stated a little while ago, there is no such thing as security. Once your product or website has gone live, it is always exposed to unknown threats from all over. I would implore web admins to secure their websites by hiring able security researchers to help stop any possible damages.

Yes, it is true that you can never secure anything to a 100% extent. But, if adequate steps are taken, you can prevent a great deal of hassle in the long run. Also, your security levels will reach a point where so-called hackers would have a hard time breaching all the parameters.

6. How did you step in the Information Security field?

It was the year 2008; I was freshly enrolled in the BSC 1st Year Degree Program. Within a few months of meeting new people, the subject of online security piqued my interest way too much. I had to do something about it.

I joined forums, read stuff at Google, trained myself through various web security tutorials and never looked back. It was those hours of sheer self-motivation, endless nights of reading, watching and self-mentoring, which eventually paid off in huge dividends.

I also followed a couple of security researchers at Twitter, and made friends with some very interesting individuals. I am thankful to everyone for believing in me and supporting me throughout those tumultuous times.

7. What vulnerabilities have you discovered so far in your career as a Security Researcher?

I have gone through the OWASP Top 10 vulnerabilities, ClickJacking incidents, the WASC 26 Vulnerability Classes, etc. Practically speaking, I don’t limit my knowledge to a particular set of vulnerabilities, as I try to learn and discover something new each day.

These days, I’m mostly focusing on collaborating with Defencely and on 0-Day Vulnerabilities. So far, the results and the feedback have been quite good. We also reported some vulnerabilities in a WordPress plugin and a Gallery project that were patched right after we sent notifications to the developers.

8. Where do you see Defencely in a few years?

Right now, it is still too early to say where Defencely would be in a few years. Things look very bright and there are no worst-case scenarios to foresee. The reason is that Defencely excels where others don’t. We are all backed up by very supportive individuals and a set of minds that are extremely proficient in their relevant fields.

Like I said before, it takes knowledge of the unknown and vast experience to report those vulnerabilities that aren’t even discovered yet. We don’t work a lot with scanners. Manual man hours and lots of hard work are going to take Defencely to new heights of stardom in the tech niche industry. The next few years are absolutely going to be rewarding, and awesome.

I have strong faith in the leadership of Ritesh Sarvaiya, who is CEO of Defencely.com, and with his vision I look forward to seeing Defencely growing in leaps and bounds in the years to come.

9. What is your advice to newbies who are interested in the PenTesting field?

Newbie testers and ethical hackers are strongly advised to stay motivated. As a friend, I am telling you guys to never give up on your dreams. Keep learning and keep looking for answers. I know it is very easy to partake in words of wisdom but I have experienced adversity in my life.

The key to remaining successful in online security field or anything is to believe in what you’re doing. Believe in your goals wholeheartedly as if your entire life depends on them. By the way, join forums, engage in talking to security panel members and start by reporting vulnerabilities for the sake of helping other individuals on the internet.

Soon you will start getting recognition.

If you guys need any kind of extended support from my end, do not hesitate to connect with me on Facebook, Twitter & LinkedIn.

10. It is nice to talk to you. What do you think about E Hacking News?

I think that with a staggering 18K+ Facebook users, a constantly updated content database and lots of interesting information, ‘E Hacking News’ is aggressively doing the right thing. You guys are one of the few who believe in creating a buzz with actual reports and not just filler articles.

I’d love for ‘E Hacking News’ to go beyond the horizon and get more recognition from the entire World Wide Web Community. Thank you Sabari and two thumbs up to you for undyingly pursuing your goals on the internet.

11. Is there anything else you’d like to add?

I’m glad you asked this question. Without mentioning a few names, I would be feeling ethically impugned, which is why I need to give credit where it is due.

Let me thank Mr. Ritesh A. Sarvaiya, CEO and Founder of Defencely. With his ingenious thinking skills and a drive to find new talent, Ritesh is always on the verge of creating something new. I believe that he has the brain of a whiz kid because of the way he has been creating teams and helping people discover their true potential.

Following that, I’d like to thank Mr. Rahul Varshneya. He is a Defencely Advisory Board Member. But trust me; Rahul’s position goes beyond that of an advisor. He has more than a decade of pure entrepreneurial skills, a knack for mentoring and for helping startup businesses get up on their feet.

Rahul is currently administering several ongoing projects and businesses. There is Arkenea Technology, a partner to entrepreneurs and clients, who seek professional help concerning mobile apps and businesses. Then there is his invite only membership to the ‘YEC – Young Entrepreneurs Council’, which he is using to guide bright minds.

Mr. Rahul Varshneya is also a writer, and a pretty good one at that. He is a published author at ‘Under30CEO’, Entrepreneur.com and VentureBeat. His experience is indeed enlightening for digital marketers and various internet-based brands.

Finally, there’s Bilal Malik, who is designated at Defencely as our ‘Lead Content Manager’. Mr. Ritesh scooped him up after believing in his talents at the break of their first online encounter.

Anything that needs to go down in written form is always run by this guy. Be it documentation, haphazard survival guides for security service seekers, PRs – I mean anything. Merely calling Bilal a writer would probably be unnerving for us.

All other members of Defencely, and people from the technical departments, are equally acknowledged. Without you guys, and without an amazing team, I wouldn’t have been here today working together as brothers in arms.

Sabari, it was fun answering all your questions. My regards to you and your loved ones. Have a great day.

An Interview with Bug Bounty Hunter M.R. Vignesh Kumar, from TamilNadu


Hello E Hackers, today E Hacking News interviewed one of the best bug bounty hunters, Vignesh Kumar, who is listed on Hall of Fame pages including Google’s and Twitter’s and has been rewarded by a lot of companies for his findings.

1. Introduce yourself
Hi, I am Vignesh Kumar from TamilNadu, INDIA. I hold a Bachelor of Engineering in Electrical Engineering and am, in addition, an Information Security Enthusiast and budding Bug Bounty Hunter.

2. You are an Electrical Engineer. How did you get interested in the Information security field?
Yes, I am. But I am more obsessed with Electronics and Networking. Also I have a huge passion for Information security too. I was introduced and inspired into "Bug Bounty Hunting" by one of my close friends, Ahamed Nafeez (@skeptic_fx).

3. When did you start Bug hunting?
Around 5 months ago. But started in full swing from the last 3 months.

4. I have seen your name in lots of Hall of Fame, I am really proud to have you as my friend. How did your Parents/Friends react when you got rewards?
Thank you so much for your compliments. At the outset, I would like to thank my Family and all my Friends for all their support and encouragement. Well, when I received my first Bug Bounty (Cash reward), I told my friends about it and they looked at me like I was a Cyber Criminal. After I explained the “Bug Bounty Program” to them with a “Proof of Concept”, I could see smiley faces. No wonder!! Even many IT Geeks aren’t aware of the term “Bug Bounty”. Awareness is necessary.

5. What vulnerabilities have you discovered so far in your career as a Bug Hunter?
The vulnerabilities categorized by The OWASP Foundation.

6. What is your first finding, how did you feel at that time?
I can barely remember the exact first one. But whatever it was, it really had driven me to dig more deeply into it.

7. What is the favorite vulnerability found by you?
Each and every one of the vulnerabilities I found in Top Ranked Sites which includes Facebook, Twitter, is my favorite. As you know, finding bugs in Top Internet Giant sites like Google, Facebook, Twitter would be really hard in upcoming days since thousands of researchers are into it. I would like to rephrase a nice quote said by some researchers. “Not only Ninja Skills, but also you must have an Eagle Eye to hunt for Bugs”. Well said.

8. You're hunting bugs for fun, for profit?
Actually, a bit of both. Beyond those, you could gain more knowledge from all around and develop your own skill set, which is primary. Also I am glad that I have earned good friends around the world from this Bug Bounty program.

9. What are your future plans? Electrical Engineer or Information Security Researcher?
Obviously, Electrical/Network Engineer it is. And I believe I have the potential to multitask. So I would continue my InfoSec Research too, either as an Independent or as a Team.

10. What is your advice for new bug hunters?
Well, that question is for Experts, which I am not. I am a Beginner too. But from my experience, I may have a few things. “Bug Bounty Hunting” is totally competitive. You shouldn’t jump into this one just by aiming at money. Have a thirst for gaining knowledge, which will fetch you HOFs, money and all. Don’t feel depressed when you fail for the first few times. Learn to the core and keep hunting, which will definitely fetch you the rewards. Follow the InfoSec experts on Twitter/Facebook and try learning new hunting methodologies from their personal blogs. Moreover, patience is highly recommended if you are a beginner. Once you jump in, you will get used to it.

11. What do you think about E Hacking News?
E Hacking News (EHN) is doing a great job and it is one of the Best IT Security/Hacking News Portals I have ever come across. I must appreciate your efforts in bringing up the real news on IT Security from around the world to all the Readers. I must also mention BreakTheSecurity.com, which has a handful of Tutorials on Penetration Testing & Ethical Hacking for Beginners. Kudos to your efforts!! I would suggest continuing the publication of the monthly Security Magazine from EHackerNews.

12. Is there anything else you want to add?
Nothing else I have. I wish all Bug Hunters very Good Luck for their hunting and a bright future. Thank you, Mr. Sabari Selvan, for this opportunity to share my experience with all. Thanks everyone!!

Cross Site Scripting Vulnerability In Times of India and NDTV


A security researcher, Vedachala from ICD, has identified a cross-site scripting security flaw in the website of the well-known newspaper Times of India.

Times of India is one of the leading newspapers, bringing the latest and top breaking news on politics and current affairs in India and around the world, cricket, sports, business, Bollywood news, etc.

POC [Unfixed] :
http://epaper.timesofindia.com/Daily/skins/TOI/welcome.asp?QS="><iframe src="http://www.breakthesecurity.com" width=2000 height=900>

The researcher also found an XSS vulnerability in the NDTV Good Times website. NDTV Good Times is the flagship channel of NDTV Lifestyle, part of the NDTV Group.

POC [Unfixed] :
 http://goodtimes.ndtv.com/video/video.aspx?id=52733"><iframe src="http://www.breakthesecurity.com" width=2000 height=900>

Recently the researcher also found XSS vulnerabilities in popular sites such as Airtel, ooowebhost, IBN CNN, etc.

Time Now Tv & Shiksha Official Websites Vulnerable To XSS Security Flaw

A 21-year-old information security expert, Narendra Bhati (R00t Sh3ll The Untracable) from Sheoganj, Rajasthan, who was recently acknowledged by Acquia.com and has also found many persistent XSS flaws and one SQL injection in a bank website, has discovered a non-persistent XSS security flaw in the official websites of Shiksha.com, Times Of India, and the News Bullet subdomain of the Start News channel.

Narendra says: Kailash Bhayya, Ravi Sir & Sabari Sir, this is for you :-)

Shiksha.com is part of the naukri.com group, India's No. 1 job portal. Other portals owned by its parent company Info Edge are 99acres.com, JeevanSathi.com, Brijj.com and AskNaukri.com.

TIMES NOW (timesnow.tv) is a leading 24-hour English news channel that provides urbane viewers with the complete picture of the news that is relevant, presented in a vivid and insightful manner, which enables them to widen their horizons and stay ahead.

In all these websites the search fields were found to be vulnerable to XSS injection.

POC code for Times Now TV (timesnow.tv):
http://www.timesnow.tv/videosearchresult.cms?query="/><iframe+src="http://www.breakthesecurity.com"+width="1000px"+height="1000px"></iframe>&srchcombo=1&x=0&y=0

POC for Shiksha.com:
http://www.shiksha.com/search/index?keyword="/><iframe+src="http://www.breakthesecurity.com"+width=1000+height=1000></iframe>&start=0&institute_rows=-1&content_rows=-1&country_id=&city_id=&zone_id=&locality_id=&course_level=&course_type=&min_duration=&max_duration=&search_type=&search_data_type=&sort_type=&utm_campaign=site_search&utm_medium=internal&utm_source=shiksha&from_page=homepage&autosuggestor_suggestion_shown=5

Narendra also found that Shiksha.com is vulnerable to CSRF, which allows an attacker to change the victim's mobile number via a malicious web page.

Narendra also claimed that he tried hard to contact all these websites by email, Facebook page, etc., but they did not reply to him for a month. After this he decided to disclose the vulnerabilities and reported them to EHN.

An Interview with Rafay Baloch - Security Researcher and Famous Bug Hunter

Today, E Hacking News interviewed a security researcher and famous bug hunter, Rafay Baloch, who is listed on a number of Hall of Fame pages and has received rewards from Google, PayPal, Nokia and other companies that conduct Bug Bounty programs.

1. Introduce yourself

Well, my name is "Rafay Baloch". I am the admin of http://rafayhackingarticles.net. My primary interests include Security Research, Penetration Testing and Blogging. Right now I am doing my bachelors in computer science at Bahria University, Karachi.

2. How did you get into Information security field?

Well, from my childhood days I was interested in Information security; however, if you are asking about the serious part, it has been around 3 years since I started researching in this field.

3. When did you start Bug hunting?

I started bug hunting at the end of July 2012, when I saw Microsoft's responsible disclosure page; that's where I started hunting bugs.

4. What vulnerabilities have you discovered so far in your career as a Bug Hunter?

There are so many I cannot remember, as I hunt for them every day. Almost all vulnerability types related to web application security, i.e. RCE, LCE, RFI, LFI, arbitrary file upload, SQL Injection, XSS, etc.

Usually, I find zero days and keep them private for testing purposes; however, I do release some of them periodically. You can check out my Packet Storm profile.

5. What is your first finding , how did you feel at that time?

I really don't remember, but my first big finding was an XSS vulnerability inside Microsoft India. I also reported an HTTP parameter pollution vulnerability along with it.

6. What is the favorite vulnerability found by you?

My favorite vulnerability was the remote code execution vulnerability I found last year inside PayPal. I had access to very sensitive stuff; the PayPal subdomain was behind a JBoss server, and I was able to bypass the authentication and upload my backdoor to execute commands. PayPal paid me $10,000 for it, though if I had found it inside Google they would have paid me $20,000.

Along with it they offered me a job as a senior security pentester. I was not able to go there due to my studies, as I mentioned before that I am still doing my bachelors.

7. How much have you earned so far from Bug hunting?

I would prefer to keep it confidential. But it's somewhere in the 5 digits.

8. You're hunting bugs for fun, for profit, or to make the world a safer place?

Well, honestly, a little of everything. First of all, I don't only hunt vulnerabilities on websites having bug bounty programs; I also report to websites that do not have them, some to get listed in responsible disclosures and of course to make the world a better place.

9. What are your future plans?

I am currently working on http://services.rafayhackingarticles.net, where I would be launching my own Penetration Testing company. Along with it, I would soon be conducting some workshops related to Ethical hacking and Penetration testing. From an educational perspective, I am planning to give my CCNP Switch paper this month.

10. What is your advice for new bug hunters?

For new bug hunters, I would say that the competition now is very high; almost every site having a bug bounty program has been researched by lots of researchers, so you won't be lucky with automated tools like Acunetix, Netsparker. Therefore, try to look for the acquisitions and subdomains and go into places where no one has probably been before, and try to do some unexpected things. You would have many, many more chances of

11. What do you think about E Hacking News?

E Hacking News brings up good content; however, what I would suggest to you is to be more frequent with the website. It seems that you are alone doing the work. Any successful news website would have tons of authors to write the content; in this way, more people would subscribe to you.

12. Thanks for the advice. Is there anything else you want to add?

Just one thing: lots of companies have come up with responsible disclosures and halls of fame attracting security researchers to look at their websites for free; however, this would be decreasing the scope of paid penetration tests, hence it would de-value them. Hence, I think we should all come up with a thing called "No-FREE BUGS".

5 Months old XSS vulnerability in AOL and DMoz still not fixed

An Indian security researcher, Suriya, has discovered a reflected XSS vulnerability in the AOL website. AOL is an American global brand company that develops, grows, and invests in brands and websites.

Initially, the researcher discovered the XSS vulnerability in Dmoz. After noticing the "In partnership with AOL search" text on the Dmoz website, he decided to test AOL for the vulnerability as well, and succeeded.

According to the researcher, the vulnerability was discovered five months ago. He immediately tried to contact the AOL security team. Unfortunately, he was not able to find a contact address for the security team, so he tried some email addresses provided on the site, but they failed to respond properly.

AOL xss

After a few months, he published the vulnerability details on his own blog in October 2012. But the XSS vulnerability is still there, unfixed.

POC code for the AOL xss:
http://www.aol.com/?icid=';alert(String.fromCharCode(69, 32, 72, 97, 99, 107, 105, 110, 103, 32, 78, 101, 119, 115))//'

POC code for the Dmoz:
http://www.dmoz.org/search?q="><script>alert("E Hacking News")</script>


Dmoz XSS

"You might be wondering why I included the alexa.com rank for the sites; that’s because I wanted to show you all how even a small site has more instinct to fix a vulnerability, but AOL with its hundreds of workers could not even bother giving me a proper reply," Suriya said.

"Well, I really didn't know. But I think I wanted to show the world how people treat us and to tell AOL to follow the path of PayPal, Microsoft, etc., allowing people to at least securely report vulnerabilities; even if you are not paying them, at least acknowledge the people who give time and resources out of their lives to help you!"
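This post and the earlier Times of India / NDTV and Times Now / Shiksha posts show the same root cause from the defender's side: a request parameter is reflected into the page without encoding for the context it lands in. The Times of India, NDTV, Times Now and Shiksha proofs of concept break out of an HTML attribute; the AOL one breaks out of a JavaScript string, where HTML entity encoding would not help. The following is an added example, not code from the page or from any of the sites named; the template strings, the `example.invalid` host and the two payloads are constructed assumptions shaped like the quoted proofs of concept. It puts the unsafe concatenation beside the context-aware encodings.

```python
import html
import json

# Constructed sample inputs shaped like the proofs of concept quoted in the
# posts: an attribute break-out and a JavaScript string break-out.
# example.invalid is a placeholder host, not any site named on the page.
ATTRIBUTE_PAYLOAD = '"><iframe src="http://example.invalid" width=2000 height=900>'
JS_STRING_PAYLOAD = "';alert(String.fromCharCode(69,72,78))//'"


def render_search_box_unsafe(query: str) -> str:
    """The pattern behind a reflected search-field XSS: the raw parameter is
    concatenated into markup, so a quote and '>' end the attribute and the
    tag, and whatever follows is parsed as new elements."""
    return f'<input type="text" name="query" value="{query}">'


def render_search_box(query: str) -> str:
    """HTML attribute context. html.escape(quote=True) turns &, <, >, " and '
    into entities, so the reflected value cannot close the quoted attribute
    or open a new element."""
    return f'<input type="text" name="query" value="{html.escape(query, quote=True)}">'


def render_tracking_script(icid: str) -> str:
    """JavaScript string context, as when a campaign id is reflected into an
    inline script. Entity encoding is the wrong tool here: the HTML parser
    does not decode entities inside <script>, so a quote would still end the
    string. json.dumps() emits a double-quoted literal with quotes,
    backslashes and control characters escaped; replacing '<' with the
    \\u003c escape additionally stops a payload containing '</script>' from
    ending the script block."""
    literal = json.dumps(icid).replace("<", "\\u003c")
    return f"<script>var icid = {literal};</script>"


def reflected_tag_count(rendered: str) -> int:
    """Number of '<' in the output; used to confirm that only the template's
    own tags are present after rendering untrusted input."""
    return rendered.count("<")
```

The two safe renderers use different encoders on purpose: the right escaping depends on where the value is emitted, and a value that passes through two contexts (for example, an attribute that holds a JavaScript event handler) needs both layers applied in order.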

Nir Goldshlager found vulnerability in Facebook Employees Secure Files Transfer service

A web application pentester, Nir Goldshlager, has identified a security flaw in Facebook's Employee Secure File Transfer service that allowed him to reset the password of accounts.

The secure file transfer service provider "Accellion" provides the service Facebook's employees use for transferring files. Accellion had removed the registration page to prevent unauthorized users from creating accounts.

However, the researcher discovered that the registration page could still be accessed by anyone who knew the exact direct location of the registration form.

After he created an account, he started to analyze the service for security flaws and managed to find a critical vulnerability. There is an HTML file, "wmPassupdate.html", which is used for password recovery in Accellion Secure File Transfer.

Facebook Security Flaw

He identified that a referrer parameter used in the cookie was encoded with base64. Because base64 is only an encoding, not a protection against tampering, he could decode the cookie, change the value of this parameter and re-encode it, and thereby change the password of any account.

Facebook and Accellion fixed the issue after being notified by the researcher. He also claimed to have reported 20+ different bugs in the Accellion Secure File Transfer service, all of which were fixed.
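The flaw above is the general lesson that client-held state which is merely base64-encoded can be rewritten by the client. The following is an added example, not the researcher's proof of concept and not Accellion's code; the field names, the demo key and the password-recovery helper are constructed assumptions, and the page does not say how the vendor actually fixed the issue. It contrasts a base64-only cookie with one that carries an HMAC tag, and shows a password-recovery step acting on each.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real service loads its key from a secret store.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def b64_cookie(fields: dict) -> str:
    """Weak pattern: account state kept in a cookie with base64 encoding only.
    base64 is a reversible encoding, not protection: any client can decode,
    edit and re-encode it."""
    return base64.urlsafe_b64encode(json.dumps(fields).encode()).decode()


def read_b64_cookie(cookie: str) -> dict:
    """Server side of the weak pattern: trusts whatever the cookie decodes to."""
    return json.loads(base64.urlsafe_b64decode(cookie))


def signed_cookie(fields: dict, key: bytes = SERVER_KEY) -> str:
    """Hardened pattern: same base64 payload plus an HMAC-SHA256 tag computed
    with a server-only key, so any change to the payload invalidates the tag."""
    payload = base64.urlsafe_b64encode(json.dumps(fields, sort_keys=True).encode())
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + tag


def read_signed_cookie(cookie: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Return the fields only when the tag verifies; None means tampered or
    malformed. compare_digest avoids leaking the tag through timing."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def tamper(cookie: str, **changes) -> str:
    """What a client can do to either cookie: decode the payload, change a
    field, re-encode it. Any existing tag is carried over unchanged."""
    payload, sep, tag = cookie.partition(".")
    fields = read_b64_cookie(payload)
    fields.update(changes)
    return b64_cookie(fields) + (sep + tag if sep else "")


def password_reset_target(cookie: str, signed: bool) -> Optional[str]:
    """Which account a password-recovery step would act on, given the cookie.
    With the weak pattern the client picks the target; with the signed
    pattern a tampered cookie is rejected and no reset happens."""
    fields = read_signed_cookie(cookie) if signed else read_b64_cookie(cookie)
    return fields["account"] if fields else None
```

Signing stops tampering but does not make the design sound on its own: a password-recovery flow should bind the reset to a server-generated, single-use token tied to the account that requested it, rather than to any identity carried in a cookie, signed or not.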

The POC for the vulnerability:


Clickjacking vulnerability in Microsoft Social Network Socl

clickjacking

An Indian security researcher, Nikhil P Kulkarni, has discovered a clickjacking vulnerability in Microsoft's social network SOCL (so.cl).

Clickjacking, also referred to as a "User Interface redress attack" or "UI redress attack", is a website hacking technique in which the attacker uses multiple transparent layers to trick a user into clicking on something different from what the user perceives they are clicking on.


In a POC provided to EHN, the researcher demonstrated the clickjacking vulnerability. In an HTML file, the top layer says "click below to win your prize money", but in the background the SOCL page is loaded. When a user clicks the "click here" button, the click lands on the hidden SOCL page and posts a message on the victim's wall.

The researcher discovered the vulnerability in August and sent a notification to Microsoft. Initially, Microsoft rejected it nearly 5 times and told the researcher that it was not a vulnerability.

But recently they realized that all his POCs were right and have rectified the vulnerability. They have decided to put his name on their hall of fame page.
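A page can only be clickjacked if a browser will load it inside another site's frame, so the standard fix is a response header that forbids framing: X-Frame-Options with DENY or SAMEORIGIN, or the Content-Security-Policy frame-ancestors directive, which takes precedence over X-Frame-Options when both are present. The following is an added example, not code from the page, from the researcher or from Microsoft: a small audit that classifies a response's headers by the framing protection they provide. The labelled header sets are constructed, not captured from so.cl, and the partner.example origin is a placeholder.

```python
from typing import Dict, Optional


def frame_ancestors_sources(csp: str) -> Optional[list]:
    """Return the source list of a frame-ancestors directive, or None if the
    policy has no such directive."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_policy(headers: Dict[str, str]) -> str:
    """Classify a response's protection against being framed (the
    precondition for clickjacking) from its headers. Returns:
      'csp'  - Content-Security-Policy frame-ancestors restricts embedding
      'xfo'  - X-Frame-Options DENY or SAMEORIGIN
      'weak' - a header is present but does not restrict embedding
      'none' - no anti-framing header; any origin may embed the page
    When frame-ancestors is present, browsers ignore X-Frame-Options, so the
    CSP directive decides on its own. A wildcard source or an empty source
    list is treated as no restriction."""
    lowered = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors_sources(lowered.get("content-security-policy", ""))
    if sources is not None:
        return "weak" if not sources or "*" in sources else "csp"
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    # ALLOW-FROM is obsolete and ignored by current browsers; any other
    # value is not a recognised restriction either.
    return "weak" if xfo else "none"


# Constructed header sets standing in for captured responses; none of these
# are real observations of the site discussed above.
SAMPLE_RESPONSES = {
    "unprotected-profile-page": {"Content-Type": "text/html"},
    "xfo-only": {"X-Frame-Options": "SAMEORIGIN"},
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-overrides-xfo": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
    "obsolete-allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each response label to its framing classification."""
    return {name: framing_policy(h) for name, h in responses.items()}
```

Run against real responses, the `none` and `weak` results are the pages that need a header added; the `csp-overrides-xfo` case is worth keeping in a regression suite, since a permissive frame-ancestors silently cancels an otherwise correct X-Frame-Options.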