Welcome to nsane.forums

Welcome to nsane.forums, like most online communities you need to register to view parts of our community or to make contributions, but don't worry: this is a free and simple process that requires minimal information. Be a part of nsane.forums by signing in or creating an account.

  • Access special members only forums
  • Start new topics and reply to others
  • Subscribe to topics and forums to get automatic updates

Search the Community

Showing results for tags 'hacking'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Site Related
    • News & Updates
    • Site / Forum Feedback
    • Member Introduction
  • News
    • General News
    • FileSharing News
    • Mobile News
    • Software News
    • Security & Privacy News
    • Technology News
  • Downloads
    • nsane.down
  • General Discussions & Support
    • Filesharing Chat
    • Security & Privacy Center
    • Software Chat
    • Mobile Mania
    • Technology Talk
    • Entertainment Exchange
    • Guides & Tutorials
  • Off-Topic Chat
    • The Chat Bar
    • Jokes & Funny Stuff
    • Polling Station

Found 108 results

  1. UK-based activist group Privacy International has highlighted the international ramifications mass hacking operations. In February 2015, the FBI embarked on the largest known law enforcement hacking operation to date, targeting over 8,000 computers in 120 countries. Lawyers in the US have challenged the legality of the underlying warrant, arguing that the judge had no authority to greenlight searches outside of her district. Now, activist and legal group Privacy International has filed a brief in a related case, pushing back against the global nature of the FBI's operation. As Privacy International notes, 83 percent of the computer infections were outside of the United States. "Well-established international law prohibits the government from undertaking law enforcement functions in other countries, without those countries' consent, which the government did not seek here," the amicus brief signed by Privacy International's General Counsel Caroline Wilson Palow reads. Specifically this case concerns the FBI's investigation into a dark web child pornography site called Playpen. When the FBI seized the site in 2015, instead of shutting it down the agency kept Playpen running for 13 days. During this time, the FBI deployed a network investigative technique (NIT)—a piece of malware—in an attempt to identify visitors to the site. This NIT relied on a "non-public" vulnerability for the Tor Browser, and grabbed a target's IP address, MAC address, and other basic system information. The FBI ended up hacking over 8,000 computers across the world, including over 1,000 in the US. Although much attention has been paid to affected cases in the US, there has been relatively little focus on the international legal ramifications. (Motherboard reported the FBI hacked computers in Australia, Austria, Chile, Colombia, Denmark, Greece, and likely the UK, Turkey and Norway too.) In its brief, Privacy International argues that much of the same concerns around affected cases in the US extends to those outside of the country—that at the time of the Playpen operation, Rule 41, which governs when judges can authorize searches, did not allow for searches outside of the judge's own district. The group adds that these sort of international hacking operations, in which computers are targeted without the host country's permission, pose foreign relation risks. Such a move could lead to diplomatic conflict, or the possibility of breaking local laws. The brief points to a 2002 case, in which Russia's Federal Security Service (FSB) filed criminal charges against an FBI agent for remotely accessing and copying data from a Russian server. (Ahmed Ghappour, visiting assistant professor at UC Hastings College of Law, has made related arguments in a recent paper). "How will other countries react to the FBI hacking in their jurisdictions without prior consent? Would the U.S. welcome hacking operations on a similar scale carried out on U.S. residents by other countries? Is the FBI violating the laws of foreign jurisdictions by hacking devices located in them?" Scarlet Kim, legal officer at Privacy International wrote in a statement. However, things have shifted since the Playpen investigation. In December 2016, changes around remote searches came into effect. Today, US magistrate judges can sign global hacking warrants. By Joseph Cox https://motherboard.vice.com/en_us/article/activists-push-back-against-fbis-worldwide-hacking-operation
  2. Try These Cool Android Smartphone Hacks And Get The Best Out Of Your Mobile Here are some of the best Android smartphone hacking Apps Android is undoubtedly the world’s most popular mobile operating system. With over 1.5+ billion plus users, Android is way ahead of iOS. Similarly, in Apps space, Android hacking apps are also increasing. Many of these hacking Apps are meant for pros but some can become useful to you also. With such hacking Apps, you can remove unnecessary bloatware utilizing most of the internal storage memory. While other times, such hacking App may help you remove irritating ads or allow you to access blocked system Apps. We bring you such hacking Apps which let you get the best out of your Android smartphone. Remember most of these Apps require a rooted smartphone to try them out. INCREASE RAM Root your phone. Download ROEHSOFT RAM EXPANDER from Google Play Store. Convert desired amount of SD card space into system swap RAM. This will make apps perform better when you have lot of storage area in your SD card. Wi-Fi WPS/WPA TESTER Download WIFI PS/WPA Tester App from Google Play Store. It let’s you analyze your WiFi security and others in the vicinity and attempts to hack their password It only hacks WPS enabled WiFi networks. REMOVE UNWANTED SYSTEM APPS OR BLOATWARE Root your android phone and Download sSystem app remover (ROOT) from Google Play Store. Remove many unwanted inbuilt Apps which you don’t think are necessary from internal storage of your Android phone.\ HACKING HUB Download the app Linux Deploy from Google Play Store. This installs Linux Operating system on your Android phone. Then use use Aircrack and other hacking Apps on your phone to hack WiFi and website passwords. FREE STUFF Root your phone Download and install BusyBox App from Google Play Store. Install modded Play Store from Lucky Patcher. With Lucky Patcher App you hack in-App purchases and get free stuff or game coins ACCESS BLOCKED CONTENT Download CyberGhost App from Google Play Store. Use it to connect to a VPN of a country of your choice. Now you can download apps from Google Play Store which are blocked in your country and also use websites like torrent websites blocked in your country. BATTERY LIFE Root your phone Download Greenify App from Google Play Store Hibernate many user and system apps. Greenify allows you to hibernate apps that won’t use battery and memory in background. So, you can save battery life and RAM. BUILD PROP EDITING Most of the Android smartphones out promise you 8MP images but in fact deliver only 6MP picture quality on 8MP camera. If you are facing a similar issue, you can solve it using this hack. This also requires a rooted smartphone. Download BuildProp Editor App from Google Play Store. Goto –>add entry Ro.ril.max.jpeg.quality. And set it’s value to 100 so it looks like Ro.ril.max.jpeg.quality = 100 Once done, your 8MP smartphone camera will deliver you 8MP images TUBEMOTE Download Tubemote from Google Play Store. Now you can download any and all online videos, not just from YouTube but any website in your desired resolution and quality at high speeds. You can also download just mp3 or m4a sound files from videos. ANDROID ID CHANGER Root your phone. Download Android Device ID Changer App from Google Play Store. Change your Android ID, which apps use to identify you and restart the phone. Your Android smartphone has a new Android ID. DRIVEDROID Download Drivedroid App from Google Play Store. Once installed, open the App and download LINUX.iso file from the dropdown menu. Burn this image on your phone and use it as CD or USB drive to boot your PC. KABOOM THE SELF DESTRUCTING APP Download and install Kaboom App from Google Playstore This App lets you control the photos and messages you post online. You can use this App to make the images and posts disappear at a set time. FAKE LOCATION Download Fake Location GPS App from Google Play Store Go to —> Settings Tap on Build Number 7 times to unlock Developer Options. Enable Mock Locations. Open Fake Location GPS app and set your location to any place in the world you wish. Source
  3. Four in Five Britons Fearful Trump Will Abuse their Data More than three-quarters of Britons believe incoming US President Donald Trump will use his surveillance powers for personal gain, and a similar number want reassurances from the government that data collected by GCHQ will be safeguarded against such misuse. These are the headline findings from a new Privacy International poll of over 1600 Brits on the day Trump is inaugurated as the 45th President of the most powerful nation on earth. With that role comes sweeping surveillance powers – the extent of which was only revealed after NSA whistleblower Edward Snowden went public in 2013. There are many now concerned that Trump, an eccentric reality TV star and gregarious property mogul, could abuse such powers for personal gain. That’s what 78% of UK adults polled by Privacy International believe, and 54% said they had no trust that Trump would use surveillance for legitimate purposes. Perhaps more important for those living in the United Kingdom is the extent of the information sharing partnership between the US and the UK. Some 73% of respondents said they wanted the government to explain what safeguards exist to ensure any data swept up by their domestic secret services doesn’t end up being abused by the new US administration. That fear has become even more marked since the passage of the Investigatory Powers Act or 'Snoopers’ Charter', which granted the British authorities unprecedented mass surveillance and hacking powers, as well as forcing ISPs to retain all web records for up to 12 months. Privacy International claimed that although it has privately been presented with documents detailing the info sharing partnership between the two nations, Downing Street has so far refused to make the information public. The rights group and nine others are currently appealing to the European Court of Human Rights to overturn a decision by the Investigatory Powers Tribunal (IPT) not to release information about the rules governing the US-UK agreement. “UK and the US spies have enjoyed a cosy secret relationship for a long time, sharing sensitive intelligence data with each other, without parliament knowing anything about it, and without any public consent. Slowly, we’re learning more about the staggering scale of this cooperation and a dangerous lack of sufficient oversight,” argued Privacy International research officer, Edin Omanovic. “Today, a new President will take charge of US intelligence agencies – a President whose appetite for surveillance powers and how they’re used put him at odds with British values, security, and its people… Given that our intelligence agencies are giving him unfettered access to massive troves of personal data, including potentially about British people, it is essential that the details behind all this are taken out of the shadows.” Source
  4. Anonymous to Donald Trump: We Know What You Did Last Summer Hackers threaten to leak Donald Trump’s Russian ties The messages were published by Anonymous after Donald Trump took to Twitter to suggest that outgoing CIA head John Brennan might be involved in the spreading of fake news that made the headlines in the past few weeks, including “Syria, Crimea, Ukraine and the build-up of Russian nukes.” The @YourAnonCentral Twitter handle, which has some 150,000 followers, was one of the first to reply to Donald Trump’s tweet, accusing the President-elect of being directly involved in some pretty shady activities in Russia. “.@realDonaldTrump you have financial and personal ties with Russian mobsters, child traffickers, and money launderers,” Anonymous said in their first message. “This isn't the 80's any longer, information doesn't vanish, it is all out there. You are going to regret the next 4 years. We could care less about Democrats attacking you @realDonaldTrump, the fact of the matter is, you are implicated in some really heavy s**t. Roy Cohen and your daddy aren't here to protect you anymore. Oh and please tell your interns not to waste money hitting us with your Moldavian bot farm, stay frosty @realDonaldTrump.” Donald Trump tight-lipped on Anonymous’ accusations It goes without saying that Donald Trump didn’t response to Anonymous’ tweets, and there’s absolutely no chance he didn’t notice them since he’s such a big Twitter fan. In other news, Donald Trump said he would keep his personal Twitter account in the next four years, so expect similar messages to be posted occasionally during his tenure at the White House. As far as Anonymous is concerned, the hacking group hasn’t said anything about when and how it could leak the information about the new President of the United States. They did say, however, that the next four years will be very difficult for Donald Trump, so if the hackers do have evidence regarding the new President’s involvement in shady Russian activities, expect them to go online sometime in the coming years. Source
  5. Gmail Users Under Attack As Hackers Develop Sophisticated Phishing Technique New phishing attack launched against Gmail users Specifically, attackers are now sending emails to Gmail users with embedded attachments that look like images and which require just a click to launch what is supposed to be a preview of the picture. Instead, the attachment opens a new tab in your browser that requires a re-login. When inspecting the typical elements that could point to a phishing scam, such as the address bar, everything looks legit, as in this case the URL is the following: “data:text/html,https://accounts/google.com.” So naturally, most users would provide their Gmail credentials, but as WordFence reports, once you do that, the account is compromised. Surprisingly, the hacked Gmail account is almost instantly accessed in order to retrieve the contacts and then uses the same phishing email to spread the attack. Using email addresses from a person’s contacts can make emails look even more legitimate, thus helping compromise a bigger number of accounts. Most likely, the access is automatically performed by a bot, but there’s also a chance for attackers to do the whole thing manually in order to collect email addresses. How to detect the phishing attack The easiest way to determine that a message is a phishing attack or not is by looking in the address bar. As we’ve told you before, attackers were particularly focused on ways to make the URL look more legitimate, but in reality, there are a lot of white spaces that you can remove to check out the end of the address. If you do that, you can notice that the URL ends with a script that’s supposed to launch the new tab and point the browser to the phishing page used to steal login credentials. Google has already offered a response, according to the aforementioned source, but it’s not what you think, as the company doesn’t seem to be too keen on blocking the attacks. “The address bar remains one of the few trusted UI components of the browsers and is the only one that can be relied upon as to what origin are the users currently visiting. If the users pay no attention to the address bar, phishing and spoofing attack are - obviously - trivial. Unfortunately that’s how the web works, and any fix that would to try to e.g. detect phishing pages based on their look would be easily bypassable in hundreds of ways. The data: URL part here is not that important as you could have a phishing on any http(s) page just as well,” the firm said. The easiest way to keep your account secure, even if you fall for this phishing attack, is to enable two-factor authentication for Gmail, which means that in case you do provide your login credentials on the phishing website, the attacker shouldn’t be able to access your account anyway. Source Alternate Source - Don't Fall For This Dangerously Convincing Ongoing Phishing Attack
  6. Explained — What's Up With the WhatsApp 'Backdoor' Story? Feature or Bug! What is a backdoor? By definition: "Backdoor is a feature or defect of a computer system that allows surreptitious unauthorized access to data, " either the backdoor is in encryption algorithm, a server or in an implementation, and doesn't matter whether it has previously been used or not. Yesterday, we published a story based on findings reported by security researcher Tobias Boelter that suggests WhatsApp has a backdoor that "could allow" an attacker, and of course the company itself, to intercept your encrypted communication. The story involving the world's largest secure messaging platform that has over a billion users worldwide went viral in few hours, attracting reactions from security experts, WhatsApp team, and Open Whisper Systems, who partnered with Facebook to implement end-to-end encryption in WhatsApp. Note: I would request readers to read complete article before reaching out for a conclusion. And also, suggestions and opinions are always invited What's the Issue: The vulnerability relies on the way WhatsApp behaves when an end user's encryption key changes. WhatsApp, by default, trusts new encryption key broadcasted by a contact and uses it to re-encrypt undelivered messages and send them without informing the sender of the change. In my previous article, I have elaborated this vulnerability with an easy example, so you can head on to read that article for better understanding. Facebook itself admitted to this WhatsApp issue reported by Boelter, saying that "we were previously aware of the issue and might change it in the future, but for now it's not something we're actively working on changing." What Experts argued: According to some security experts — "It's not a backdoor, rather it’s a feature to avoid unnecessarily re-verification of encryption keys upon automatic regeneration." Open Whisper Systems says — "There is no WhatsApp backdoor," "it is how cryptography works," and the MITM attack "is endemic to public key cryptography, not just WhatsApp." A spokesperson from WhatsApp, acquired by Facebook in 2014 for $16 Billion, says — "The Guardian's story on an alleged backdoor in WhatsApp is false. WhatsApp does not give governments a backdoor into its systems. WhatsApp would fight any government request to create a backdoor." What's the fact: Notably, none of the security experts or the company has denied the fact that, if required, WhatsApp, on government request, or state-sponsored hackers can intercept your chats. What all they have to say is — WhatsApp is designed to be simple, and users should not lose access to messages sent to them when their encryption key is changed. Open Whisper Systems (OWS) criticized the Guardian reporting in a blog post saying, "Even though we are the creators of the encryption protocol supposedly "backdoored" by WhatsApp, we were not asked for comment." What? "...encryption protocol supposedly "backdoored" by WhatsApp…" NO! No one has said it's an "encryption backdoor;" instead this backdoor resides in the way how end-to-end encryption has been implemented by WhatsApp, which eventually allows interception of messages without breaking the encryption. As I mentioned in my previous story, this backdoor has nothing to do with the security of Signal encryption protocol created by Open Whisper Systems. It's one of the most secure encryption protocols if implemented correctly. Then Why Signal is more Secure than WhatsApp? You might be wondering why Signal private messenger is more secure than Whatsapp, while both use the same end-to-end encryption protocol, and even recommended by the same group of security experts who are arguing — "WhatsApp has no backdoor." It's because there is always room for improvement. The signal messaging app, by default, allows a sender to verify a new key before using it. Whereas, WhatsApp, by default, automatically trusts the new key of the recipient with no notification to the sender. And even if the sender has turned on the security notifications, the app notifies the sender of the change only after the message is delivered. So, here WhatsApp chose usability over security and privacy. It’s not about 'Do We Trust WhatsApp/Facebook?': WhatsApp says it does not give governments a "backdoor" into its systems. No doubt, the company would definitely fight the government if it receives any such court orders and currently, is doing its best to protect the privacy of its one-billion-plus users. But what about state-sponsored hackers? Because, technically, there is no such 'reserved' backdoor that only the company can access. Why 'Verifying Keys' Feature Can't Protect You? WhatsApp also offers a third security layer using which you can verify the keys of other users with whom you are communicating, either by scanning a QR code or by comparing a 60-digit number. But here’s the catch: This feature ensure that no one is intercepting your messages or calls at the time you are verifying the keys, but it does not ensure that no one, in the past had intercepted or in future will intercept your encrypted communication, and there is no way, currently, that would help you identify this. WhatsApp Prevention against such MITM Attacks are Incomplete WhatsApp is already offering a "security notifications" feature that notifies users whenever a contact's security code changes, which you need to turn on manually from app settings. But this feature is not enough to protect your communication without the use of another ultimate tool, which is — Common Sense. Have you received a notification indicating that your contact's security code has changed? Instead of offering 'Security by Design,' WhatsApp wants its users to use their common sense not to communicate with the contact whose security key has been changed recently, without verifying the key manually. The fact that WhatsApp automatically changes your security key so frequently (for some reasons) that one would start ignoring such notifications, making it practically impossible for users to actively looking each time for verifying the authenticity of session keys. What WhatsApp should do? Without panicking all one-billion-plus users, WhatsApp can, at least: Stop regenerating users' encryption keys so frequently (I clearly don't know why the company does so). Give an option in the settings for privacy-conscious people, which if turned on, would not automatically trust new encryption key and send messages until manually accepted or verified by users. ...because just like others, I also hate using two apps for communicating with my friends and work colleagues i.e. Signal for privacy and WhatsApp because everyone uses it. Source
  7. WhatsApp Security: Make This Change Right Now! Security researchers found a backdoor in the popular messaging application WhatsApp recently that could allow WhatsApp to intercept and read user messages. Facebook, the owner of WhatsApp, claims that it is impossible to intercept messages on WhatsApp thanks to the services end-to-end encryption. The company states that no one, not even itself, can read what is sent when both sender and recipient use the latest version of the application. It turns out however that there is a way for WhatsApp to read user messages, as security researcher Tobias Boelter (via The Guardian) found out. Update: In a statement sent to Ghacks, a WhatsApp spokesperson provided the following insight on the claim: WhatsApp has the power to generate new encryption keys for users who are not online. Both the sender and the recipient of messages are not made aware of that, and the sender would send any message not yet delivered again by using the new encryption key to protect the messages from third-party access. The recipient of the message is not made aware of that. The sender, only if Whatsapp is configured to display security notifications. This option is however not enabled by default. While WhatsApp users cannot block the company -- or any state actors requesting data -- from taking advantage of the loophole, they can at least activate security notifications in the application. The security researcher reported the vulnerability to Facebook in April 2016 according to The Guardian. Facebook's response was that it was "intended behavior" according to the newspaper. Activate security notifications in WhatsApp To enable security notifications in WhatsApp, do the following: Open WhatsApp on the device you are using. Tap on menu, and select Settings. Select Account on the Settings page. Select Security on the page that opens. Enable "show security notifications" on the Security page. You will receive notifications when a contact's security code has changed. While this won't prevent misuse of the backdoor, it will at least inform you about its potential use. Source Alternate Source - 1: WhatsApp Encryption Has Backdoor, Facebook Says It's "Expected Behaviour" Alternate Source - 2: WhatsApp Backdoor allows Hackers to Intercept and Read Your Encrypted Messages Alternate Source - 3: Oh, for F...acebook: Critics bash WhatsApp encryption 'backdoor' Alternate Source - 4: Your encrypted WhatsApp messages can be read by anyone Alternate Source - 5: How to protect yourself from the WhatsApp 'backdoor' Alternate Source - 6: 'Backdoor' in WhatsApp's end-to-end encryption leaves messages open to interception [Updated] Detailed Explanation of the Issue and Prevention/Alternatives:
  8. Secret CIA Assessment Says Russia Was Trying To Help Trump Win White House CIA officials told senators it is now “quite clear” that electing Donald Trump was Russia’s goal. In an interview on Fox News Sunday on Dec. 11, President-elect Trump denied the CIA's assessment. (Victoria Walker/The Washington Post) The CIA has concluded in a secret assessment that Russia intervened in the 2016 election to help Donald Trump win the presidency, rather than just to undermine confidence in the U.S. electoral system, according to officials briefed on the matter. Intelligence agencies have identified individuals with connections to the Russian government who provided WikiLeaks with thousands of hacked emails from the Democratic National Committee and others, including Hillary Clinton’s campaign chairman, according to U.S. officials. Those officials described the individuals as actors known to the intelligence community and part of a wider Russian operation to boost Trump and hurt Clinton’s chances. “It is the assessment of the intelligence community that Russia’s goal here was to favor one candidate over the other, to help Trump get elected,” said a senior U.S. official briefed on an intelligence presentation made to U.S. senators. “That’s the consensus view.” The Post's Ellen Nakashima goes over the events, and discusses the two hacker groups responsible. (Jhaan Elker/The Washington Post) The Obama administration has been debating for months how to respond to the alleged Russian intrusions, with White House officials concerned about escalating tensions with Moscow and being accused of trying to boost Clinton’s campaign. [U.S. government officially accuses Russia of hacking campaign to interfere with elections] In September, during a secret briefing for congressional leaders, Senate Majority Leader Mitch McConnell (R-Ky.) voiced doubts about the veracity of the intelligence, according to officials present. The Trump transition team dismissed the findings in a short statement issued Friday evening. “These are the same people that said Saddam Hussein had weapons of mass destruction. The election ended a long time ago in one of the biggest Electoral College victories in history. It’s now time to move on and ‘Make America Great Again,’ ” the statement read. Trump has consistently dismissed the intelligence community’s findings about Russian hacking. “I don’t believe they interfered” in the election, he told Time magazine this week. The hacking, he said, “could be Russia. And it could be China. And it could be some guy in his home in New Jersey.” The CIA shared its latest assessment with key senators in a closed-door briefing on Capitol Hill last week, in which agency officials cited a growing body of intelligence from multiple sources. Agency briefers told the senators it was now “quite clear” that electing Trump was Russia’s goal, according to the officials, who spoke on the condition of anonymity to discuss intelligence matters. Sen. Lindsey Graham (R-S.C.) says he wants to investigate whether Russia interfered with the 2016 U.S. election, amongst claims that Donald Trump's rhetoric on Russia and Vladimir Putin is too soft. (Peter Stevenson/The Washington Post) The CIA presentation to senators about Russia’s intentions fell short of a formal U.S. assessment produced by all 17 intelligence agencies. A senior U.S. official said there were minor disagreements among intelligence officials about the agency’s assessment, in part because some questions remain unanswered. For example, intelligence agencies do not have specific intelligence showing officials in the Kremlin “directing” the identified individuals to pass the Democratic emails to WikiLeaks, a second senior U.S. official said. Those actors, according to the official, were “one step” removed from the Russian government, rather than government employees. Moscow has in the past used middlemen to participate in sensitive intelligence operations so it has plausible deniability. Julian Assange, the founder of WikiLeaks, has said in a television interview that the “Russian government is not the source.” The White House and CIA officials declined to comment. On Friday, the White House said President Obama had ordered a “full review” of Russian hacking during the election campaign, as pressure from Congress has grown for greater public understanding of exactly what Moscow did to influence the electoral process. “We may have crossed into a new threshold, and it is incumbent upon us to take stock of that, to review, to conduct some after-action, to understand what has happened and to impart some lessons learned,” Obama’s counterterrorism and homeland security adviser, Lisa Monaco, told reporters at a breakfast hosted by the Christian Science Monitor. Obama wants the report before he leaves office Jan. 20, Monaco said. The review will be led by James Clapper, the outgoing director of national intelligence, officials said. During her remarks, Monaco didn’t address the latest CIA assessment, which hasn’t been previously disclosed. Seven Democratic senators last week asked Obama to declassify details about the intrusions and why officials believe that the Kremlin was behind the operation. Officials said Friday that the senators specifically were asking the White House to release portions of the CIA’s presentation. This week, top Democratic lawmakers in the House also sent a letter to Obama, asking for briefings on Russian interference in the election. U.S. intelligence agencies have been cautious for months in characterizing Russia’s motivations, reflecting the United States’ long-standing struggle to collect reliable intelligence on President Vladi­mir Putin and those closest to him. In previous assessments, the CIA and other intelligence agencies told the White House and congressional leaders that they believed Moscow’s aim was to undermine confidence in the U.S. electoral system. The assessments stopped short of saying the goal was to help elect Trump. On Oct. 7, the intelligence community officially accused Moscow of seeking to interfere in the election through the hacking of “political organizations.” Though the statement never specified which party, it was clear that officials were referring to cyber-intrusions into the computers of the DNC and other Democratic groups and individuals. Some key Republican lawmakers have continued to question the quality of evidence supporting Russian involvement. “I’ll be the first one to come out and point at Russia if there’s clear evidence, but there is no clear evidence — even now,” said Rep. Devin Nunes (R-Calif.), the chairman of the House Intelligence Committee and a member of the Trump transition team. “There’s a lot of innuendo, lots of circumstantial evidence, that’s it.” [U.S. investigating potential covert Russian plan to disrupt elections] Though Russia has long conducted cyberspying on U.S. agencies, companies and organizations, this presidential campaign marks the first time Moscow has attempted through cyber-means to interfere in, if not actively influence, the outcome of an election, the officials said. The reluctance of the Obama White House to respond to the alleged Russian intrusions before Election Day upset Democrats on the Hill as well as members of the Clinton campaign. Within the administration, top officials from different agencies sparred over whether and how to respond. White House officials were concerned that covert retaliatory measures might risk an escalation in which Russia, with sophisticated cyber-capabilities, might have less to lose than the United States, with its vast and vulnerable digital infrastructure. The White House’s reluctance to take that risk left Washington weighing more-limited measures, including the “naming and shaming” approach of publicly blaming Moscow. By mid-September, White House officials had decided it was time to take that step, but they worried that doing so unilaterally and without bipartisan congressional backing just weeks before the election would make Obama vulnerable to charges that he was using intelligence for political purposes. Instead, officials devised a plan to seek bipartisan support from top lawmakers and set up a secret meeting with the Gang of 12 — a group that includes House and Senate leaders, as well as the chairmen and ranking members of both chambers’ committees on intelligence and homeland security. Obama dispatched Monaco, FBI Director James B. Comey and Homeland Security Secretary Jeh Johnson to make the pitch for a “show of solidarity and bipartisan unity” against Russian interference in the election, according to a senior administration official. Specifically, the White House wanted congressional leaders to sign off on a bipartisan statement urging state and local officials to take federal help in protecting their voting-registration and balloting machines from Russian cyber-intrusions. Though U.S. intelligence agencies were skeptical that hackers would be able to manipulate the election results in a systematic way, the White House feared that Russia would attempt to do so, sowing doubt about the fundamental mechanisms of democracy and potentially forcing a more dangerous confrontation between Washington and Moscow. [Putin denies that Russia hacked the DNC but says it was for the public good] In a secure room in the Capitol used for briefings involving classified information, administration officials broadly laid out the evidence U.S. spy agencies had collected, showing Russia’s role in cyber-intrusions in at least two states and in hacking the emails of the Democratic organizations and individuals. And they made a case for a united, bipartisan front in response to what one official described as “the threat posed by unprecedented meddling by a foreign power in our election process.” The Democratic leaders in the room unanimously agreed on the need to take the threat seriously. Republicans, however, were divided, with at least two GOP lawmakers reluctant to accede to the White House requests. According to several officials, McConnell raised doubts about the underlying intelligence and made clear to the administration that he would consider any effort by the White House to challenge the Russians publicly an act of partisan politics. Some of the Republicans in the briefing also seemed opposed to the idea of going public with such explosive allegations in the final stages of an election, a move that they argued would only rattle public confidence and play into Moscow’s hands. McConnell’s office did not respond to a request for comment. After the election, Trump chose McConnell’s wife, Elaine Chao, as his nominee for transportation secretary. Some Clinton supporters saw the White House’s reluctance to act without bipartisan support as further evidence of an excessive caution in facing adversaries. “The lack of an administration response on the Russian hacking cannot be attributed to Congress,” said Rep. Adam B. Schiff (Calif.), the ranking Democrat on the House Intelligence Committee, who was at the September meeting. “The administration has all the tools it needs to respond. They have the ability to impose sanctions. They have the ability to take clandestine means. The administration has decided not to utilize them in a way that would deter the Russians, and I think that’s a problem.” Philip Rucker contributed to this report. Source Alternate Source - Intelligence Figures Fear Trump Reprisals Over Assessment Of Russia Election Role Also Read:
  9. After Spying Webcams, Welcome the Spy Toys “My Friend Cayla and I-Que” Privacy advocates claim both toys pose security and privacy threat for children and parents. Internet-connected toys are currently a rage among parents and kids alike but what we are not aware of are the associated security dangers of using Smart toys. It is a fact that has been acknowledged by the Center for Digital Democracy that smart toys pose grave privacy, security and similar other risks to children. There are certain privacy and security flaws in a pair of smart toys that have been designed to engage with kids. Last year, we reported how “Hello Barbie” toy spies on kids by talking to them, recording their conversations and send them to company’s servers which are then analyzed and stored in another cloud server. Now, the dolls My Friend Cayla and I-Que Intelligent Robot that are being marketed for both male and female kids are the objects of security concern. In fact the Federal Trade Commission’s child advocacy, consumer and privacy groups have filed a complaint [PDF] against these dolls. It is being suspected that these dolls are violating the Children’s Online Privacy Protection Act (COPPA) as well as the FTC rules because these collect and use personal data via communicating with kids. This feature of the dolls is being termed as a deceptive practice by the makers. The FTC has been asked in the complaint to investigate the matter and take action against the manufacturer of the dolls Genesis Toys as well as the provider of third-party voice recognition software for My Friend Cayla and I-Que, Nuance Communications. The complaints have been filed by these groups: the Campaign for a Commercial-Free Childhood (CCFC), Consumers Union, Center for Digital Democracy (CDD) and the Electronic Privacy Information Center (EPIC). According to complainers, these dolls are already creepy looking and the fact that these gather information makes them even creepier. Both these toys use voice recognition technology coupled with internet connectivity and Bluetooth to engage with the kids through answering questions and making up conversations. However, according to the CDD, this is done in a very insecure and invasive manner. The Genesis Toys claims on its website that while “most of Cayla’s conversational features can be accessed offline,” but searching for information would require internet connectivity. The promotional video for Cayla doll also focuses upon the toy’s ability to communicate with the kid as it stated: “ask Cayla almost anything.” To work, these dolls require mobile apps but some questions might be asked directly. The toys keep a Bluetooth connection enabled constantly so that the dolls could reach to the actions in the app and identify the objects when the kid taps on the screen. Some of the asked questions are recorded and sent to Nuance’s servers for parsing but it is yet unclear how much of the information is kept private. The toys’ manufacturer maintains that complete anonymity is observed. The toys were released in late 2015 but still these are selling like hot cakes. As per researchers’ statement in the FTC complaint, “by connecting one phone to the doll through the insecure Bluetooth connection and calling that phone with a second phone, they were able to both converse with and covertly listen to conversations collected through the My Friend Cayla and i-Que toys.” This means anyone can use their smartphone to communicate with the child using the doll as the gateway. Watch this add to see how Cayla works Watch this video to understand how anyone can spy on your child with Cayla and i-Que If you own a smart toy, keep an eye on the conversation between you and your kid. Courtesy: CDD Source
  10. Germany Warns Moscow Will Splash Cash On Pre-Election Propaganda And Misinformation Spree Top security agency issues warning ahead of 2017 poll Germany's intelligence agency has accused Russia of hacking its politicians and election systems under the guise of online activism. Federal Office for the Protection of the Constitution (BfV) chief Hans-Georg Maassen says Russia is intending to “weaken or destabilise the Federal Republic of Germany”. Germany's national election is expected in September 2017. Maassen says Russia is tipping money into misinformation campaigns in "aggressive and elevated" spying against "German Government officials, members of parliament, and employees of democratic parties". The BfV head says in a statement (PDF in German) that the Government is expecting more hacking in the run up to the elections. He says Russia has "enormous resources" and noted increased activity of known advanced hacking groups including Pawn Storm (Fancy Bear) said to be a state-sponsored entity. Maassen says citizen's reliance on social media makes them vulnerable to consuming fake news propaganda which he says is an "ideal gateway" for disinformation using bots to spread messages. Chief Hans-Georg Maassen It comes as US intelligence agencies accused Moscow of hacking and leaking information to deliberately discredit Democrat presidential contender Hillary Clinton, and compromising but withholding data stolen from the Republican National Committee. President-elect Donald Trump has rejected the "high confidence" assertion by the intelligence agencies. Russia has hit back with Dmitry Peskov, a spokesman for president Vladimir Putin, saying last month that the nation is also bracing for attacks during its next election, adding that Germany like all other European countries hacks other nation's infrastructure. Moscow has been blamed for the hacking and release of Democratic National Committee emails before the US presidential election. But Moscow has strongly denied involvement in orchestrating cyberattacks on foreign soil and hit back with allegations of its own against the West. Source
  11. Gone in 6 seconds: Credit cards can be hacked in a flash, researchers reveal (VIDEO) Cyber criminals can work out card numbers, expiry dates and security codes of any Visa credit or debit card in as few as six seconds using nothing more than simple guessing technology, a new study has revealed. The study, carried out by researchers from the University of Newcastle and published in the IEEE Security & Privacy journal, shows how a so-called ‘Distributed Guessing Attack’ can bypass every security feature put in place to protect online users in a matter of seconds. The guessing technique works by automatically generating different variations of the card security data across multiple websites until hackers are able to land on a ‘hit’ for each required piece of information. The team found that by spreading the guesses across multiple websites, neither the network nor the banks were able to detect all of the invalid attempts. “The current online payment system does not detect multiple invalid payment requests from different websites. This allows unlimited guesses on each card data field, using up to the allowed number of attempts – typically 10 or 20 guesses – on each website,” said Mohammed Ali, computer science PhD student in Newcastle University and lead author of the paper. Additionally, while websites seek to bolster online shopping security by asking for different variations of card info, this actually works to the hackers’ advantage, according to the researchers, because it makes it “quite easy to build up the information and piece it together like a jigsaw.” “The unlimited guesses, when combined with the variations in the payment data fields make it frighteningly easy for attackers to generate all the card details one field at a time,” Ali explained. For anyone concerned about how to keep their credit and debit cards safe, the fact is “there is no magic bullet” according the paper’s co-author Dr. Martin Emms. However, he added that there are some steps consumers can take to minimize their risk of becoming a victim of credit card fraud. “Use just one card for online payments and keep the spending limit on that account as low as possible. If it’s a bank card then keep ready funds to a minimum and transfer over money as you need it,” Emms advises. Source
  12. Uh oh, Yahoo! Data Breach May Have Hit Over 1 Billion Users The massive data breach that Yahoo! confirmed to the world last week is claimed by the company to have been carried out by a "state-sponsored actor" in 2014, which exposed the accounts of at least 500 Million Yahoo users. But, now it seems that Yahoo has downplayed a mega data breach and triying to hide it's own security blunder. Recently the information security firm InfoArmor that analyzed the data breach refuted the Yahoo's claim, stating that the data breach was the work of seasoned cyber criminals who later sold the compromised Yahoo accounts to an Eastern European nation-state. Over 1 Billion Accounts May Have Been Hacked Now, there's one more twist in the unprecedented data heist. A recent advancement in the report indicates that the number of affected Yahoo accounts may be between 1 Billion and 3 Billion. An unnamed, former Yahoo executive who is familiar with the company's security says that the Yahoo's back-end system's architecture is designed in such a way that all of its products use one main user database (UDB) to authenticate users, Business Insider reported Friday. So all usernames and passwords that users enter to log into services like Yahoo Mail, Sports or Finance goes to this one central database to ensure they are valid, allowing them access. This central database is what got compromised, and therefore, it's quite difficult to believe that the hackers who compromised the whole database walk away with just a small bunch of "the core crown jewels of Yahoo customer credentials." Whoever carried out the hack not only stole usernames and email addresses of affected users but also pilfered other personal information, including their dates of birth, phone numbers, hashed passwords, and unencrypted security answers. So, it's unclear how Yahoo come up with the 500 Million number. The company had not commented further on how the data breach happened or when it was discovered, citing an active investigation. Yahoo! could have saved you, but decided not to: A lengthy report published by the New York Times seemingly explains that the company did not reset the passwords of its users after the breach due to the decisions made by Yahoo's CEO Marissa Mayer, who seemed to prioritize developing new products over making security improvements. The reason sounds stupid, as the article reads: If Yahoo had reset the passwords of its affected users, proper security measures would have been taken by users to protect their personal data from hackers. Let's see what new advancements come to this unprecedented data breach. Already, the Yahoo hack is believed to be one of the biggest in history, and the company is still trying to negotiate a deal to sell its core business to Verizon for $4.8 Billion. Yahoo! has yet to respond to the recent revelation by the insider. Data breach news has already magnified company's problems, but if breach number reaches Billion, would the company be able to save its acquisition deal? Let us know in the comments below... Source
  13. UK Banking Chief Raises Concerns Over Security Of Biometric Authentication Kaspersky Lab research finds 12 skimmers for sale that steal fingerprints, could pose threats to ATM banking Biometric data is increasingly playing a strategic role in end-user authentication, and banking regulators in the UK are concerned just how secure it might be in light of a recent report by Kaspersky Lab. In an investigation into underground cybercrime, Kaspersky found at least 12 sellers offering ATM skimmers capable of stealing fingerprints. Furthermore, Kaspersky identified three underground sellers researching devices that could obtain data from palm vein and iris recognition systems. The report drew the attention of the UK's Treasury Select Committee, which oversees treasury, revenue and customs, and the Bank of England. The committee's chief, Andrew Tryie, is asking banking regulators to look into consequences surrounding stolen biometric data. In a letter to industry and government, he said, "Banks and regulators will need to plan for what they will do if biometric details are lost and/or illegally obtained by third parties." He asked regulators if they shared his concerns, and he went on to say plans would need to be developed to deal with customers who may be victims of biometric hacks. The main concern with biometric identifiers is that they cannot be revoked and replaced by a new identifier like in the case of a stolen password. The concern is real in the US where 5.6 million fingerprint records were stolen during the breach of the United States Office of Personnel Management in the summer of 2015. US agencies created a working group to see how cyber attackers could use fingerprint data. This group includes the FBI, Department of Homeland Security, Department of Defense, and other members of the intelligence community. "The problem with biometrics is that unlike passwords or pin codes, which can be easily modified in the event of compromise, it is impossible to change your fingerprint or iris image," Olga Kochetova, security expert at Kaspersky Lab, said in a release surrounding the Kaspersky investigation. "Thus, if your data is compromised once, it won't be safe to use that authentication method again. That is why it is extremely important to keep such data secure and transmit it in a secure way." Kaspersky Lab also reported discussions in underground communities regarding development of mobile applications that rely on placing masks over a human face. With such an app, attackers can take a person's photo posted on social media and use it to fool a facial recognition system, the report said. Source
  14. CatchApp Tool Can Siphon Encryption WhatsApp Messages From A Distance Israeli company claims it has developed CatchApp tool which can siphon encrypted WhatsApp data from a distance You may have seen in many Hollywood movies in which the main protagonist, an agent from the CIA or FBI placing his/her mobile besides the victim’s smartphone and copying data from it. Up to now, siphoning data from any smartphone just by being in its proximity was considered fiction but now an Israeli cyber surveillance company claims it has developed a sophisticated tool called CatchApp which can siphon off all WhatsApp chats, including encrypted communications, from phones within close proximity of a hidden Wi-Fi hacking device in a backpack. Haifa-based Wintego has released brochures for its CatchApp tool which it calls as a WhatsApp interceptor. Wintego promises that the Catchall App has an “unprecedented capability” to break through WhatsApp encryption and grab full data from a target’s account. It does so through a “man-in-the-middle” (MITM) attack; in theory, the traffic is intercepted between the app and the WhatsApp server and somehow the encryption is decoded by the device, though that may not be possible with the latest upgrades to the software’s cryptography. The company did not elaborate on how its CatchApp tool manages to decode/decrypt the WhatsApp encryption but Forbes has noted that the tool works on most versions of WhatsApp. The company has released the brochures of the App to advertise it to different police and law enforcement agencies around the globe. The CatchApp tool is a part of larger Wintego arsenal called WINT. According to the company, WINT hacking tool can fit into backpack. The company calls WINT a “data extraction solution” and says that it can can obtain “the entire contents of your targets’ email accounts, chat sessions, social network profiles, detailed contact lists, year-by-year calendars, files, photos, web browsing activity, and more” just by being near the victim’s PC/laptop/smartphone. It does that by acquiring login credentials for distinct accounts and then silently downloads “all the data stored therein”. Wintego claims WINT first gains access to a device by intercepting Wi-Fi communications, whether they’re open or private encrypted networks. WINT uses four separate Wi-Fi access points so it can track multiple targets and high-gain antennas to catch those at a distance. It’s small enough to fit into any backpack, said Wintego, so is ideal for stealthy operations. The details about Wintego dealings are top secret but reports indicate that it was founded by alumni of Verint, another Israeli firm. Verint itself was the top cyber surveillance tools supplier for America’s National Security Agency (NSA). According to Forbes, Yuval Luria acts as the face of the company, promoting the kit at major surveillance shows. He recently presented at the ISS World Training event in Prague (also known as the Wiretappers’ Ball), giving a talk on A Hybrid Tactical-Strategic Approach for Extracting Cyber Intelligence. Nhevo Kaufman appears to act as company chief, having set up the firm’s website back in 2011. Both the above tools are for sale only to police, law enforcement and spy firms but it is nowhere stated that the same can’t be bought by rogue actors. Source
  15. Yahoo Is Still Vulnerable The first thing you should do after getting your home or apartment robbed is, obviously, change the lock. Yahoo doesn’t seem to think so, as the same practices that were in place when it got breached are still being used according to a new report by Venafi. What’s more, its practices have for years been known as unsecure. Venafi puts it simply: if you’re a Yahoo user, you should be worried about this. Here’s what it did (or, didn’t do): most importantly, 27 percent of certificates on external Yahoo sites haven’t been changed since January 2015. "Replacing certificates after a breach is a critical mitigation practice; unless certificates are replaced breached organizations cannot be certain that attackers do not have ongoing access to encrypted communications", Venafi says. In the last 90 days, 519 certificates have been issued, which leads Venafi to conclude that Yahoo "does not have the ability to find and replace digital certificates", something it considers a common problem. Also, Venafi says that a "surprising" number of Yahoo digital certificates use MD5, a cryptographic hashing function which is known to be vulnerable to brute force attacks. Almost half (41 percent) of external Yahoo certificates use a hashing algorithm deemed unsecure. "In our experience major breaches, such as the one suffered by Yahoo!, are often accompanied by relatively weak cryptographic controls", says Alex Kaplunov, vice president of engineering for Venafi. "To confirm this assumption we took an in-depth look at external facing Yahoo! web properties and the details of how these sites are using cryptography. We found the encryption practices on these properties to be relatively weak. This is not surprising. In our experience most enterprises, even global brands with deep cyber security investments, have weak cryptographic controls". Source
  16. Yahoo: Information On At Least 500 Million Accounts Stolen Yahoo released an important message about Yahoo User Security on the official company blog a moment ago confirming that information on at least 500 million Yahoo accounts was stolen in late 2014. The company believes that a state-sponsored actor is behind the attack. According to the blog post, names, email addresses, telephone numbers, birth dates, hashed passwords, and in some cases encrypted or unencrypted security questions and answers were stolen. Yahoo states that there is no evidence currently that unprotected passwords, payment card data, bank account information or other financial information were among the stolen data. Yahoo plans to inform affected users starting doing. The message that the company plans to send out may differ from region to region. You can check the U.S. message here (PDF document). The email includes information on what happened, what information was involved, what Yahoo is doing, and what individual users can do about it. Yahoo will ask users that are affected to change their passwords and add alternate means of account verification to the account. The company has invalidated any unencrypted security questions and answers, and recommends that users who have not changed their Yahoo passwords since 2014 to do so immediately. To change the Yahoo password, do the following: Load the Yahoo Account page. Click Account Security, and then on change password. Enter and confirm your new password. Click on continue, and then on continue again to complete the process. Yahoo asks users furthermore to change account passwords and security questions/answers for any other account that has been associated with the Yahoo account, or where the same email address and password were used. Yahoo users should expect to get spam communications and emails that may be personalized. One option to strengthen the security of the Yahoo account is to use Yahoo Account Key. This is an authentication tool that is integrated into the Yahoo application for Android and iOS, and available for set up from a web browser as well. Additional information about Yahoo Account Access are available here. Closing Words It is rather frightening that information about year-old hacks that dumped millions of user account information come to light years later only, if at all. It is clear that anyone with access to the data had years to exploit the information and decrypt passwords. While it makes sense for Yahoo to inform users now that they need to change passwords on Yahoo and on third-party sites if username and password was shared, it may very well be too late for a lot of accounts. Now You: Are you affected by the security breach? Source
  17. The House of Representatives today passed the Modernizing Government Technology Act of 2016, a bill to authorize funds to replace legacy IT, on a voice vote. Lead sponsor Rep. Will Hurd (R-Texas), chairman of the Oversight and Government Reform Committee’s IT Subcommittee, cited the hack of Office of Personnel Management systems as a driving force behind the new bill. A yearlong investigation of the hack identified "a pressing need for federal agencies to modernize legacy IT in order to mitigate the cybersecurity threat inherent in unsupported, end-of-life IT systems and applications," Hurd said a speech on the House floor. "We have too many old things on our network." The bill combines a cloud funding measure that originated in the Senate and was pushed in the House by Hurd with an Obama administration-backed bill that calls for a $3.1 billion governmentwide revolving fund to retire and replace legacy systems. The MGT Act does not appropriate new money, but it does authorize working capital funds at the 24 agencies governed by the Chief Financial Officers Act to drive IT modernization and bank the savings achieved from retiring expensive legacy IT and shifting to managed services. It also authorizes a governmentwide revolving fund to be managed by the General Services Administration. "The federal government must come into the 21st century. We owe it to the people we serve," co-sponsor Rep. Gerry Connolly (D-Va.) said. "We need to streamline the management of IT assets. We need to make strategic and wise investments, and we need to have a schedule of replacement for legacy systems. We need to encrypt and protect against cyberattacks for the sake of the American people." The bill leaves it to appropriators to work out the dollars and cents of the agency and governmentwide funds. A spokesperson for Minority Whip Rep. Steny Hoyer (D-Md.) told FCW that the target for the governmentwide fund is still $3 billion. On the Senate side, the Modernizing Outdated and Vulnerable Equipment and Information Technology Act of 2016 still has not seen activity in the Homeland Security and Governmental Affairs Committee. When the combined House bill was introduced on Sept. 15, a staffer for sponsor Sen. Jerry Moran (R-Kan.) told FCW that work is underway to see how an IT modernization bill could pass the Senate. The spokesperson said Moran is "encouraged by the House's swift action on the bill." Source: https://fcw.com/articles/2016/09/22/mgt-act-passes-house.aspx
  18. Why Real Hackers Prefer Linux Over Windows And Mac Why do hackers prefer Linux over Mac, Windows, and other operating systems? We have published many tutorials for hackers and security researchers. You may have noticed that most tutorials are based on Linux operating systems. Even the hacking tools out there are based on Linux barring a few which are written for Windows and Mac. The moot question here is that why do hackers prefer Linux over Mac or Windows? Today we look at the reason why hackers always prefer Linux over Mac, Windows, and other operating systems. You may have your own reasons for choosing Linux but what do hackers really look forward to while working with Linux. Reason #1: Command line interface vs graphical user interface Linux was designed around a strong and highly integrated command line interface. Windows and Mac don’t have that. This grants hackers and Linux far greater access and control over their system and awesome customization. This is the reason that most hacking and pentesting tools are built into Linux have greater functionality above and beyond their windows counterparts. In contrast, Windows was built around the graphic user interface (GUI). This restrict user interaction to point-and-click navigation (slower) and application/system menu options for configuration. Windows has a command line structure, such as command prompt and Power Shell, however, these don’t give hackers/developers the complete functionality and integration compared with Linux. This hampers their work as hacking is usually going beyond the well-defined command lines. This is the reason that though hacking tools like Metasploit or nmap are ported for Windows, they don’t have capabilities like Linux. Compared to Windows, Linux is more granular. That means Linux gives users infinite amount of control over the system. In Windows, you only can control what Microsoft allows you to control. In Linux, everything can be controlled by the terminal in the most miniscule to the most macro level. In addition, Linux makes scripting in any of the scripting languages simple and effective. Reason #2: Linux is lighter and more portable This is arguably the best reason for choosing Linux over Mac and Windows. Hackers can easily create customized live boot disks and drives from any Linux distribution that they want. The installation is quick and its light on resources. To memory, I can only think of one program that lets you create Windows live disks and it wasn’t nearly as light or as quick to install. Linux is made even lighter as many distros are specifically customised as light-weight distros. You can read about the top lightweight Linux distros here. Reason #3: Linux is typically more secure Ask a pro hacker or security researcher which operating system is the most secure of them all, and perhaps 101 out 100 will unflinchingly swear by Linux. Windows is popular because of its reach among average users and popularity amongst programmers because it is more profitable to write a program for Windows. In more recent years, popularity has grown for UNIX based operating systems such as Mac OS, Android, and Linux. As a result, these platforms have become more profitable targets for attackers. Still, Linux is a great deal more secure than Windows and Mac out of the box. Reason #4: Linux is pretty much universal Just about everything runs some form of UNIX (Internet of Things, routers, web-servers, etc.). Doesn’t it make sense that you would target those systems from a device running the same platform? After all, the goal is to make things easier on yourself. You don’t want to worry about compatibility problems. Reson #5: Linux Is Open Source Unlike Windows or Mac, Linux is open source. What that means for us is that the source code of the operating system is available to us. As such, we can change and manipulate it as we please. If you are trying to make a system operate in ways it was not intended, being able to manipulate the source code is essential. Think of it this way. Could you imagine Microsoft giving us a plug-in/MMC or whatever to manipulate or change the kernel of Windows for hacking? Of course NOT! Reason #6: Linux Is Transparent To hack effectively, you must know and understand your operating system and to a large extent, the operating system you are attacking. Linux is totally transparent, meaning we can see and manipulate all its working parts. Not so with Windows. Actually, the opposite is true. Microsoft engineers work hard to make it impossible for users or hackers to find the inner workings of their operating system. On Windows, you are actually working with what Microsoft has given you rather that what you want. Here Linux differs philosophically from Microsoft. Linux was developed as an operating system to give users more control over it rather than make them do what the developers want. Summary : Linux vs Windows and Mac You have to understand that hackers and security researcher are here to make money. Hackers hack platforms that are profitable. Windows has been the preferred choice within enterprise environments and with the average consumer. It’s the preferred choice for developers (apple licensing costs and restrictions), which is why Windows is so compatible. Apple has been too expensive for consumers and Linux is frankly not that user-friendly (buggy, lack of GUI, etc.). You don’t have an average Joe just switching on a Linux PC/laptop and doing what he wants. However, this is changing. With the arrival of Android smartphones, there has been a paradigm shift in user’s preferences. As more users switch to Mac/iOS and Android/Linux, attackers will shift to targeting these platforms. With Internet of Things predicted to the next game-changer in tech, Linux will emerge as a formidable challenger to Microsoft’s Windows or Apple’s Mac. As of today, most Internet of Things connected devices are powered by Linux and given the transparency and control available in Linux, it will remain so. Hacking isn’t for the uninitiated. Hacking is an elite profession among the IT field. As such, it requires an extensive and detailed understanding of IT concepts and technologies. At the most fundamental level, Linux is a requirement for hackers and security researchers. Source
  19. Yahoo Preparing To Confirm Massive Data Breach, Affecting 200 Million Accounts Yahoo is now getting itself ready to confirm to the public a massive data breach that happened back in 2012, according to a report by Recode. It was reported back in August that the internet company suffered a data leak which led to the sale of 200 million Yahoo accounts on the dark web. Details that were reportedly leaked include usernames, passwords, birth dates, and other email addresses. Recode sources were not exactly sure about the extent of the breach, but they believe that it is "widespread and serious." The hacker, who was using a moniker 'Peace,' was selling people's account credentials for three Bitcoins, or equal to almost $2000 today. Back then, Yahoo only stated that it was aware of the claim, but had not yet confirmed anything about it. It also did not tell its users to change their passwords. Sources of Recode indicate that doing any sort of announcement today makes it "too little, too late" for it customers. The matter comes just months before Yahoo officially sells itself to Verizon for $4.83 billion. Marissa Mayer headed the company roughly four years ago, in an attempt to turn the company around as it was facing a decline. However, the company's collapse persisted, which then eventually led to the sale to Verizon Communications. At this point, we advise our readers who are not only holders of Yahoo accounts, but of other services as well, to use strong and unique passwords. While issues like this cannot be controlled by the victim, it still pays to be always ready for these types of attacks. Courtesy: Recode via Business Insider Source
  20. Trend Micro Offers $250K to Hack iPhone in Pwn2Own Contest A new iteration of the P2wn2Own mobile hacking contest takes aim at iOS and Android. The mobile Pwn2Own hacking contest is back for 2016, this time offering top prize of $250,000 to any security researcher who forces an Apple iPhone to unlock. The Pwn2Own contest has undergone a bit of a transition as Hewlett Packard Enterprise sold the Zero Day Initiative (ZDI) group that sponsors the event to Trend Micro earlier this year. The browser edition of the Pwn2Own event was held in March and was jointly sponsored by HPE and Trend Micro. The mobile Pwn2Own 2016 contest being held next month will be the first time a Pwn2Own event doesn't benefit from HPE sponsorship. "To us, it's still Pwn2Own," Brian Gorenc, senior manager of vulnerability research at Trend Micro, told eWEEK. "We always hope each contest brings us something new we haven't seen before, but if you've seen the contest, it should look very familiar." During the 2016 Pwn2Own browser event, which was held at the CanSecWest conference in Vancouver, ZDI awarded a total of $460,000 in prize money to researchers for publicly demonstrating new zero-day exploits in web browsers. The mobile Pwn2Own event will be held Oct. 26-27 at the PacSec Security Conference in Tokyo, and the total available prize pool is set to top $500,000. For the 2016 mobile event, ZDI is asking researchers to target three specific mobile devices: the Apple iPhone 6x, the Google Nexus 6p and the Samsung Galaxy Note7. Across all of the targeted devices, ZDI is tasking researchers with a number of challenges. The first is to obtain sensitive information from a device. ZDI is awarding $50,000 to those who exploit a device to get access to sensitive information on the iPhone or the Google Nexus. A researcher who is able to get sensitive information off a Galaxy will be awarded $35,000. Another challenge at mobile Pwn2Own 2016 is to install a rogue application on a targeted device. A $125,000 prize will be awarded for the installation of a rogue app on the iPhone; on the Google Nexus, the reward is $100,000; and on the Samsung Galaxy, $60,000. "Each phone will be running the latest operating system available at the time of the contest, and all available patches will also be applied," Gorenc said. "This can lead to some late nights as ZDI researchers update phones in the days leading up to the contest, but we feel it's best to have the latest and greatest targeted." Gorenc said all of the targeted devices will be in their default configuration. On iOS, that means Pwn2Own contestants must target Safari, as this is the default browser and most common, realistic scenario for users of that device. In the past, Pwn2Own contestants have demonstrated many WebKit browser rendering engine related vulnerabilities. WebKit is the core rendering engine behind Safari and has many components that are also used in Google's Chrome. "The threat landscape shifts so much from contest to contest that it's hard to predict what component will be targeted," he said. "WebKit will likely make an appearance, but we're hoping to see some new techniques and research as well." For the installation of the rogue application, Gorenc said that ZDI has no requirements for the app. "We will leave it up to the contestant to express their creativity during the public demonstration," he said. iPhone Unlock The biggest single prize at the mobile Pwn2Own 2016 event goes to the researcher who is able to successfully force an iPhone to unlock. The challenge of unlocking an iPhone has been a hot topic in recent months. The FBI reportedly paid as much as $1.3 million to bypass the iPhone lock screen. And Apple started its own bug bounty program, with a $200,000 prize, while security firm Exodus Intelligence will pay a top prize of $500,000 for an iOS zero-day flaw. Gorenc believes offering $250,000 for an iPhone unlock exploit is a good size prize. "We feel this amount is not a bad payday for what will clearly be a significant amount of research needed to accomplish this hack," he said. "Along with the money, the researcher will get the recognition that comes with winning Pwn2Own." In the end, Gorenc said, it's the marketplace that will let ZDI know if $250,000 is a fair price; he's optimistic that someone will actually attempt to publicly force an iPhone to unlock. "Finally, by reporting this through ZDI, the bugs will actually get fixed by the vendor," Gorenc said. "That's better than some of the alternatives." Source
  21. Tonight Mr. Robot is Going to Reveal ‘Dream Device For Hackers’ Mr. Robot is the rare show that provides a realistic depiction of hacks and vulnerabilities that are at the forefront of cyber security. This is the reason it’s been the most popular TV show of its kind. Throughout season 1 and season 2, we have seen that connected devices are the entry point of choice of Elliot and fsociety to breach networks and traditional security controls. Pwn Phone On Mr. Robot Show In this week’s episode, Elliot uses a Pwnie Express Pwn Phone, which he describes as “a dream device for pentester,” to run a custom script he has written to take over someone else’s phone. Security pros have long know about the Pwn Phone as a powerful mobile platform for penetration testing and security assessments, so it is not surprising to see it on Mr. Robot. The coolest part is that Pwnie Express is giving away a Pwn Phone, just like the one used in the show. The Pwn Phone is a mobile pentesting device that makes it incredibly easy to evaluate wired, wireless and Bluetooth networks. It is built on Kali Linux that comes pre-packaged with over 100 built-in and ‘one-click’ tools, and it can run third-party scripts. The Pwn Pad exists for security pros who want a tablet version, and it’s also available via the Android Open Pwn Project. The Pwn Phone is the latest in a series of connected device hacks on Mr. Robot that have included a Femtocell, a Raspberry Pi, and Bluetooth sniffers, along with the hack of an E-Corp exec’s connected home and the crucial meltdown of E-Corp’s data center by using a connected HVAC system. These are real threats that are being exploited by criminals to gain unauthorized access and steal data from companies today. In the past, Pwnie has made it clear that they do not condone the criminal use of penetration testing tools and devices. But pentesting is important, and having the tools to do it properly is part of that process. Sometimes you need to break things to find and fix serious security vulnerabilities in the devices and networks that permeate nearly every facet of our daily lives. The bad guys have every tool available to them; white hats should be equally well-equipped. And as for what Elliot does in the show? He’s a pretty well-established gray character. Is he good? Or is he bad? Either way, it was pretty cool. Source
  22. Google Just Agreed to Pay $5.5 Million to Settle Claims It Hacked Apple's Browser But consumers get none of the money. Google agreed to a settlement on Monday that could finally end the legal fall-out from a scheme by the search giant to circumvent privacy settings on Apple’s Safari browser. The tactic, discovered by security researchers in 2012, involved Google tricking consumers’ browsers into accepting ad-tracking software. Under the terms of the proposed settlement, filed in Delaware federal court, Google (GOOG v -0.05%) will pay $5.5 million to resolve a long-running class action lawsuit—but affected consumers will see none of that money. Instead, some of the cash will go to legal fees and settlement expenses while the rest will go to a handful of privacy groups. (You can read a copy of the settlement here.) The deal will also permit Google to deny any fault over the browser hacking, which caused a major controversy when it was discovered, and raised questions about the extent to which tech companies track consumers’ online behavior. The hack itself involved a default setting on Apple’s (AAPL ^ 0.19%) desktop and mobile Safari browser that rejected so-called “cookies”—small bits of software code that keep track of the websites a consumers visits in order to serve them ads. Google got around the setting by disguising their cookies in a way that qualified for a loophole in the Safari settings. (You can read a technical explanation here.) After Google’s practice came to light, the company agreed to pay $17 million to state attorneys general over privacy violations, and another $22.5 million to the Federal Trade Commission for violating the terms of an earlier settlement. In both cases, Google denied any wrong-doing—an outcome an FTC Commissioner then described as “inexplicable.” The effect of Monday’s deal is that it could put an end to the related class action litigation, which has bounced around the courts for years. Last year, the Third Circuit Court of Appeals revived parts of a case a lower court judge had dismissed, leading the parties to ask Supreme Court earlier this year to review parts of the appeal. The proposed settlement, however, must be approved by a judge and that outcome is not a sure thing. While judges are typically quick to bless class action settlements, some have decided to reject arrangements—like the one involving Google—in which the settlement money is paid to outside groups rather than consumers. Google declined to comment about the settlement, and lawyers for the plaintiffs did not respond to a request for comment. News of the settlement came in June, but its details were only filed this week. Source
  23. U.S. Developers Have The Numbers, But China And Russia Have The Skills A report from HackerRank finds that while the U.S. and India have lots of developers, Chinese and Russian programmers are the most talented While the United States and India may have lots of programmers, China and Russia have the most talented developers according to a study by HackerRank, which administers coding tests to developers worldwide. The study looked at the results of 1.4 million of HackerRank's coding test submissions, called "challenges," during the last few years. "According to our data, China and Russia score as the most talented developers. Chinese programmers outscore all other countries in mathematics, functional programming, and data structures challenges, while Russians dominate in algorithms, the most popular and most competitive arena," said Ritika Trikha, a blogger at HackerRank. The United States and India provide the majority of competitors on HackerRank but only manage to rank 28th and 31st, respectively. "If we held a hacking Olympics today, our data suggests that China would win the gold, Russia would take home a silver, and Poland would nab the bronze," Trikha said. "Though they certainly deserve credit for making a showing, the United States and India have some work ahead of them before they make it into the top 25." HackerRank's coding challenges cover aspects of computing ranging from languages to algorithms, security and distributed systems. Developers are scored based on a combination of accuracy and speed. The algorithms category has nearly 40 percent of developers competing, featuring tests on sorting data, dynamic programming, keyword searches and other logic-based tasks. Following algorithms were Java and data structure tests, with 10 percent of developers participating. Distributed systems and security were the least popular tests, although thousands still took them. To determine which nation had the highest-scoring programmers, HackerRank looked at each country's average score across domains. Data was restricted to the top 50 countries with the most developers on HackerRank. Following China and Russia with the top developers were Poland, Switzerland, Hungary, Japan, Taiwan, France, Czech Republic, and Italy. "Since China scored the highest, Chinese developers sit at the top of the list with a score of 100," Trikha said. The 100 score does not mean Chinese developer had a perfect score on the tests but represents the country's being first in the rankings. "But China only won by a hair. Russia scored 99.9 out of 100, while Poland and Switzerland round out the top rankings with scores near 98. Pakistan scores only 57.4 out of 100 on the index, (ranking 50th)." Poland was tops in Java testing, France led in C++, Hong Kong in Python, Japan in artificial intelligence, and Switzerland in databases. Ukrainian programmers led in security, while Finland was top in Ruby coding challenges. Source
  24. Hacker Wins Bug Bounty After Exposing Critical Facebook Security Flaw A hacker from California has revealed a trick which could allow him to hack into a user’s Facebook account and gain complete access to it. Learning to hack a Facebook account is one of the first things people want to learn. Many try their hand at this to gain complete access to someone’s Facebook profile. One California-based hacker tried his method, and subsequently discovered a method that exploits Facebook’s password reset mechanism to hack into anyone’s Facebook profile. Gurkirat Singh has revealed that he discovered a way to gain access to anyone’s Facebook profile using a flaw in the social networking site’s password reset mechanism. He said that the only way for anyone to reset their Facebook password is to use a randomly generated 6-digit code which Facebook provides them with once they request a password reset. The algorithm behind it produces a truly random number. But the fact that it is a 6-digit code means that there are a possible 106 = 1,000,000 combinations. These remain the same until they are used. Gurkirat exploited this fact. According to him, Facebook needs to store duplicate codes for multiple users if more than 1,000,000 users request a password reset. This means that more than two people have the same passcode. To use this for his purpose, Gurkirat Singh devised a way to send in 2 million password change requests to Facebook He mentions that doing so is not simple, for it requires a way to change your IP to avoid being blocked by the company, as well as access to 2 million Facebook IDs. Since Facebook IDs are 15-digit long, Singh used 1,00,000,000,000,000 and made queries to Facebook Graph API to see which IDs were valid. This can only be done through authorized apps, and once a match is found, you can enter the ID in the URL like www.facebook.com/[ID]. The URL then automatically changes the ID to the username. This data was compiled into a JSON by Singh. To handle the problem of IP changing, Gurkirat Singh simply used a proxy server that listened to HTTP Requests and then assigned a random IP address to each request. He used a multithreaded script to simulate user behaviour when a passcode is required. The script requests a passcode to every user in the JSON file created earlier. Then the scripts were run to make the requests. It looked like this: After doing so, the 6-digit passcode needs to be matched using the Brute force technique. Singh added ID to the key ‘u’ and the successfully matched passcode to the key ‘n’ in the URL as www.beta.facebook.com/recover/password?u=…&n=… Doing so returned a match. Doesn't get any simpler! #Hacking #Facebook https://t.co/2vi14s1Qtp — Gurkirat Sin @GurkiratSpeca) August 25, 2016 Once this was done, Singh added this matched passcode to the URL and was redirected to the password reset page. Therefore, he was successful in gaining access to a user’s account using this method. Singh said that the bounty offered to him was a mere $500, as Facebook considered this as a low priority finding. Source
  25. Did you know that Dick Cheney, former US Vice President who held that office from 2001 to 2009, had the wireless telemetry on his implantable cardioverter-defibrillator disabled during his time in office for fear of political assassination? That was in 2007, and already the fear of what hackers could do to implanted medical electronic devices was real. Now, almost ten years later, the fear must be even bigger for those who need to use implants, as the realization that all electronic devices can be tampered with by a motivated attacker is slowly becoming widespread knowledge. Researchers have already proven that attackers could mess with people’s insulin pumps and implantable defibrillators. With the increased use of electronic brain implants, we can assume some of them will begin testing the security of those devices, as well. Brainjacking A group of researchers, neurosurgeons, and doctors of philosophy from Oxford Functional Neurosurgery and several Oxford University departments have recently published a paper exploring the issue of brain implant hacking (“brainjacking”). Neuroimplants are used to treat a wide range of neurological and psychiatric conditions – Parkinson’s disease, chronic pain, depression, etc. – and will likely be used for an even wider range of ailments, as well as a way to correct “abnormal moral behaviour,” in the future. “Until recently the risk of neurological implants being used against their users was firmly in the realm of fantasy. However, the increasing sophistication of invasive neuromodulation, coupled with developments in information security research and consumer electronics, has resulted in a small but real risk of malicious individuals accessing implantable pulse generators (IPGs),” they noted. Attack scenarios These implants, therefore, have the potential of being switched off or made to function in undesired ways by unauthorized persons, leading to tissue damage, increased pain, altered impulse control, unwanted mental conditioning, and more, all to the detriment of the people who need these implants. “The current risk of brainjacking is low,” the group has noted, but “it is better to consider this issue seriously now, rather than in a several years’ time when the sophistication of these implants is far greater, as would be the harm that an attacker may cause by subverting them.” In the paper, they addressed a number of attack scenarios that might be pulled off even now, but added that there is no evidence that any of them has ever been attempted. Although, even if they had been successfully performed, it’s likely that they might not have been noticed. “Wireless exploitation of implants is also likely to be subtle – device failures are a somewhat common eventuality and post-failure device diagnostics are rarely performed. Even if an attack were detected, tracking down the attacker would be a highly challenging task,” they noted. Secure implant design The group has delved into the current secure implant design, and the different factors that manufacturers have to weigh when adding features to these implants. The balance between usability and security is rarely so crucial to achieve. “It may be valuable to develop codes of best practice for neurosecurity, or to formulate overall guidelines for medical device security that can be tailored to the specific requirements of neural implants. Any such code should be formulated to encourage cooperation between stakeholders and be sufficiently flexible to adapt to the rapid pace of change in neurological implant design,” they pointed out. “Device manufacturers must strive to improve upon recent advances, ensuring that security concerns are considered throughout the design process and not relegated to an afterthought, and should cooperate with security researchers who seek to responsibly disclose design flaws. Regulatory bodies must balance use of their powers to encourage good neurosecurity practices with the risk of impairing real-world security through overly burdensome regulations.” “Given that neurosecurity is not an immediate concern, there is sufficient time for manufacturers and regulatory agencies to carefully consider methods of risk mitigation. While there is a responsibility for manufacturers to make their devices secure, the expected value of any novel security features should be carefully weighed against other clinically relevant factors, and innovation should not be unduly stifled by the demands of neurosecurity,” they concluded. Article source