An App-Controlled Drone That Delivers Beautiful 1080p Footage

Source: www.wired.com

The government may still be wary of them, but civilians, filmmakers, and wanna-be spies all clearly want more camera-wielding drones. Now Parrot, one of the companies responsible for the whole quadcopter craze, is finally announcing its own 1080p camera-totin’ model: The Bebop Drone.

Bebop comes with a built-in 14-megapixel camera that can shoot 180-degree footage with its fisheye lens. In a demo, its 3-axis image stabilization produced shake-free video (which is great, because that whole shaky cam fad always left me on the nauseous side). The quadcopter also has a gyroscope, accelerometer, altimeter, magnetometer, ultrasound, and vertical camera tucked inside its frame to keep actual flying super smooth as well.

This airborne camera-mobile also includes 802.11ac Wi-Fi and dual 2.4GHz/5GHz antennas for connecting and streaming footage to Parrot’s new Skycontroller or your mobile device. (The latter can be used as a controller too, with the Freeflight 3.0 iOS and Android app.) The Skycontroller is basically a fancy Android 4.2-running analog controller that connects to the Bebop Drone at a range of up to 1.24 miles. It also includes a tablet mount so you can view photos and videos while you navigate. The Freeflight app offers virtual, onscreen controls–as opposed to physical joysticks–as well as the ability to pre-program flight plans, including the option to schedule when and at what angle the Bebop will take a photo or video.

Bebop isn’t Parrot’s first time loading up a drone with a camera, but it weighs slightly less than its predecessor even with its bumper-like “hull” attached. Its 1200 mAh lithium polymer battery takes around 2.5 hours to charge and supports 12 minutes of flight time. That may sound paltry, but it’s on par with competitors’ capabilities.

The Bebop Drone doesn’t go on sale until the end of this year, and Parrot isn’t listing the price just yet. However, you can bet it won’t be cheap: DJI has a direct Bebop competitor with a built-in camera priced at $1,000. And GoPro toting drones from Helipal and DJI run around $400 (not including the cost of the GoPro).

Still, if you’ve got that kind of dough lying around, you’ll be able to take some pretty sweet drone selfies once this guy comes out.

Office for iPad Downloaded 27 Million Times in 46 Days: Microsoft

Source: http://gadgets.ndtv.com

Office for iPad appears to have had an overwhelming response from users worldwide: Microsoft has revealed download numbers and statistics for the apps, with the company’s Julia White announcing the figures at the TechEd conference on Monday.

White gave the figures 46 days after the launch of Office for iPad on March 28, meaning the suite was downloaded a further 15 million times beyond the 12 million reported in early April. That works out to an average of about 587,000 downloads per day since launch.

Microsoft Word for iPad is the most popular of the three apps; it is currently ranked 11th in the United States (per TechCrunch) and sits in the top 100 in 109 countries. Rival Google Docs is ranked 23rd in the US iPad charts.

Microsoft last month released its first update for the Office for the iPad suite, with a new printing feature. Users can now print Word documents, Excel spreadsheets and PowerPoint presentations on a printer connected to the iPad, using the inbuilt Apple AirPrint feature. In Word, users can choose to print a document with or without markup, and in Excel users can print a selected range, a single worksheet or an entire spreadsheet.

With the update, the company also introduced a SmartGuides feature for PowerPoint and an AutoFit feature for Excel, along with a few bug fixes and stability improvements.

Microsoft’s Office apps are free, but users need an Office 365 subscription to edit documents. Microsoft recently introduced its Office 365 Personal subscription in India, priced at Rs. 330 per month or Rs. 3,299 per year.

Tata Motors website hacked by Pakistani Hackers

Source: http://www.ehackingnews.com/

The official website of Tata Motors, the largest Indian multinational automotive manufacturer, has been breached and defaced by a Pakistani hacker who uses the online moniker “H4$N4!N H4XOR”.

The main website is not affected by this breach. The hacker defaced ‘connect.tatamotors.com’, a subdomain dedicated to the Auto Expo 2014.

“India B Ready I Am Coming  😛 ” The hacker wrote on the defaced page.

“Pakistan Haxors Crew is here to remind you of your security… Our fight is not against any individual but the system as a whole.. Should you choose to ignore security, it will reincarnate as your worst nightmare !  We just defaced your website to give you a chance to put your hands on it before others come and destroy it!”

At the time of writing, the Tata Motors’ sub-domain still showed the defacement page. The mirror of defacement is available here:  http://zone-h.com/mirror/id/22337776

Two Students arrested for hacking into School System to change Score

Source: http://www.ehackingnews.com

Two students from a college in Shanghai’s Songjiang District have been arrested for allegedly breaking into their school’s computer systems to change their grades.

The two students, named Chen and Zhang, had not regularly attended the morning physical education class, so in December 2013 they decided to break into the college’s system and change their scores.

After students heard about their successful effort, other students turned to them for help.

According to a Shanghai Daily report, they charged 15 to 20 yuan for each change they made in the school’s database.

They earned more than 80,000 yuan (more than $12,000) by helping over 200 students.

The school noticed the false records in March and fixed the vulnerability that had allowed them to change the scores.

Bitly website hacked, accounts credentials compromised

Brought to you by http://www.ehackingnews.com

Bitly (bit.ly), the popular URL shortening service, has issued an urgent security warning about a breach that exposed account credentials.

The company says it found no evidence that any accounts were accessed by the intruders. However, as a precaution, it has disconnected users’ Facebook and Twitter accounts.

“We invalidated all credentials within Facebook and Twitter” the blog post reads.

Although the social media accounts will still appear to be connected to the Bitly account, users won’t be able to publish anything until they reconnect them.

Users are advised to take the following steps to reset their OAuth tokens and API keys:

1) Log in to your account and click on ‘Your Settings,’ then the ‘Advanced’ tab.

2) At the bottom of the ‘Advanced’ tab, select ‘Reset’ next to ‘Legacy API key.’

3) Copy down your new API key and change it in all applications that use it. These can include social publishers, share buttons and mobile apps.

4) Go to the ‘Profile’ tab and reset your password.

5) Disconnect and reconnect any applications that use Bitly. You can check which accounts are connected under the ‘Connected Accounts’ tab in ‘Your Settings.’

Bitly says “they have already taken proactive measures to secure all paths that led to the compromise”.

Syrian Electronic Army hacks 4 Wall Street Journal twitter accounts

Brought to you by http://www.ehackingnews.com/

Wall Street Journal was caught in the crossfire between the Syrian Electronic Army and Ira Winkler who is the CEO of security firm Secure Mentem.

The Syrian Electronic Army (SEA) hijacked four Twitter accounts belonging to the WSJ: @WSJD, WSJ Europe (@WSJPEurope), WSJ Africa (@WSJAfrica) and WSJ Vintage (@WSJVintage).

SEA posted the message “@Irawinkler is a cockroach” with a picture of Ira Winkler’s head on the body of a cockroach.

The attack was carried out in response to an RSA Conference presentation in which Winkler discussed the SEA’s hacking methods and made fun of the group.

In his presentation, Winkler also commented that “these people are like cockroaches of the Internet”.

This is not the first attack the SEA has carried out in response to that presentation. Last month, the group also defaced the RSA Conference website, writing “If there is a cockroach in the internet, it would be definitely you”.

The Wall Street Journal appears to have recovered the hijacked accounts, posting on Twitter: “We have secured our compromised Twitter accounts and they are now functioning normally.”

Orange warns users of phishing attacks following 2nd security breach

Brought to you by http://www.ehackingnews.com/

France-based telecoms company Orange has been hacked for the second time this year; more than 1.3 million customers are affected by this breach.

In mid-April, hackers gained access to a platform used by Orange to send email and SMS messages to its subscribers, according to a Connexion report.

The company sent affected customers an email containing a “click to call back” link; users who click it will receive a call from Orange.

The personal data accessed by the hackers includes names, email addresses, mobile and landline numbers, dates of birth, and the names of customers’ mobile and internet operators.

No payment information, credit card numbers or passwords were compromised in this breach.

However, the main risk is that the compromised data can be used to launch phishing attacks: messages that claim to come from a legitimate organization and trick users into handing over their passwords and financial data. Knowing a target’s name, date of birth, phone number and operator makes such messages far more convincing.

Back in February 2014, Orange sent letters to 800,000 customers telling them that hackers had accessed personal data including email addresses, phone numbers, names and mailing addresses.


Popular Remote Management Tool Allows Login Without Authentication (Courtesy of www.securityweek.com)

A remote management tool used in some enterprises can be exploited by attackers to remotely connect to a host without needing any passwords, according to a Trustwave researcher.

Many organizations use the NetSupport software to remotely manage and connect to PCs and servers from a central location. These systems are normally protected by domain or local credentials and should not be accessible without logging in. However, if a system has NetSupport installed for remote desktop support, it most likely has the default configuration, which allows remote users to connect automatically without authentication, David Kirkpatrick, a principal consultant at Trustwave, wrote in a blog post. The software also leaks detailed information about the device, such as the hostname, version number and the logged-in username.

With NetSupport’s default configuration, anyone can remotely connect to the system and bypass the login prompt altogether, Kirkpatrick said.

Kirkpatrick wrote an Nmap script to check each endpoint on the network, determining whether it has NetSupport installed and whether the default configuration is enabled. The script returns “useful NetSupport configuration settings,” such as the hostname, username and NetSupport version number, among other things, Kirkpatrick said. An attacker could use the same script to search the network for vulnerable systems.

“I could run this script across the network and the clients would be unaware of my testing of their configuration,” Kirkpatrick said. Connecting to the system would be a little bit harder because the original user will see a pop-up on the computer indicating a new user was also connected to the system.
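The sweep Kirkpatrick describes has two halves: finding the hosts that expose the NetSupport listener, then inspecting each one. The following is an added example, not Kirkpatrick’s Nmap script, showing the first half in Python: a parser for nmap’s grepable (-oG) output that lists every host with the remote-control port open, plus a bare TCP probe for when nmap is not installed. The port number 5405 is assumed to be NetSupport’s default listener, and the sample scan output, hostnames and service labels are constructed for the example.

```python
# Added example, not Kirkpatrick's Nmap script. Parses nmap's grepable
# (-oG) output to list hosts with the remote-control port open, with a
# plain TCP probe as a fallback when nmap is unavailable. Port 5405 is
# assumed to be NetSupport's default listener; confirm against your
# deployment before relying on it.
import re
import socket

NETSUPPORT_PORT = 5405  # assumption: NetSupport Manager's default port

# Constructed sample of `nmap -p 5405 -oG - 10.0.0.0/28` output; the hosts,
# names and service labels are invented for this example.
SAMPLE_GREPABLE = """\
# Nmap 6.40 scan initiated as: nmap -p 5405 -oG - 10.0.0.0/28
Host: 10.0.0.5 (ws05.corp.example)\tPorts: 5405/open/tcp//pcduo///\tIgnored State: closed (0)
Host: 10.0.0.6 (ws06.corp.example)\tPorts: 5405/closed/tcp//pcduo///
Host: 10.0.0.7 ()\tPorts: 445/open/tcp//microsoft-ds///, 5405/open/tcp//pcduo///
Host: 10.0.0.9 (printer.corp.example)\tStatus: Up
# Nmap done: 16 IP addresses (4 hosts up) scanned
"""

_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+(.*)$")


def hosts_with_open_port(grepable_output, port):
    """Return [(ip, hostname)] for each Host line whose Ports field lists
    `port` in state 'open'. hostname is '' when nmap had no reverse DNS."""
    wanted = str(port)
    found = []
    for line in grepable_output.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue  # comment, blank or summary line
        ip, hostname, rest = m.groups()
        # Remaining fields are tab-separated: "Ports: ..." and optionally
        # "Ignored State: ..."; hosts with no port data carry "Status: Up".
        for field in rest.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                # entry layout: port/state/proto/owner/service/rpcinfo/version
                parts = entry.strip().split("/")
                if len(parts) >= 2 and parts[0] == wanted and parts[1] == "open":
                    found.append((ip, hostname))
                    break
    return found


def probe_tcp(host, port=NETSUPPORT_PORT, timeout=1.0):
    """Fallback when nmap is not installed: True if a TCP connect succeeds.
    Only the handshake is performed; no NetSupport protocol data is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for ip, name in hosts_with_open_port(SAMPLE_GREPABLE, NETSUPPORT_PORT):
        label = name or "(no rDNS)"
        print(f"{ip:<15} {label:<24} port {NETSUPPORT_PORT} open: "
              "check whether NetSupport requires a password")
```

Each host the parser returns is a candidate, not a confirmed finding: an open port only says NetSupport (or something else on that port) is listening. The authentication check itself still has to be done per host, and as the article notes, connecting as a user is visible to whoever is sitting at the machine.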

To compromise a machine, an attacker would first need the NetSupport Manager software installed, Kirkpatrick told SecurityWeek in an email. That isn’t difficult, as an evaluation copy is available for free. Once connected remotely, the attacker would be able to take over the system as though sitting at it locally. The attacker could also send commands to the compromised system over the remote desktop connection and retrieve information from a Windows shell, he said, and the mouse and keyboard can be shifted to the attacker’s control.

It would be easy to dismiss the research as relevant only to insider threats. But the way NetSupport is left wide open to abuse makes it clear the software needs to be secured: a remote user who can reach a PC running NetSupport can compromise it entirely.

NetSupport has fixed the information leakage in later versions, which now always require a password to connect to an endpoint, Kirkpatrick said.

“The lesson here is that greater care should be taken when installing such powerful software that can bypass all your domain security so easily,” Kirkpatrick warned, before adding, “Of course, software providers can help by securing their default installation configurations as well.”

Microsoft Issues Emergency Patch for IE, Covers XP (Courtesy of www.darkreading.com)

Out-of-band fix for Internet Explorer zero-day flaw now available — for XP, too.

That was fast: Microsoft today released an emergency patch for a previously unknown Internet Explorer vulnerability, revealed over the weekend, that had been discovered being exploited by a cyber-espionage group out of China.

In a surprise twist, Microsoft included a patch for IE on Windows XP, the older operating system it no longer supports as of last month.

Microsoft was under pressure for a quick fix to the flaw (CVE-2014-1776), which was disclosed just after it ended support for Windows XP, prompting advice from the UK and US CERTs that users consider alternative browsers until IE was patched. The bug, which Microsoft rates “critical”, is a memory corruption vulnerability that was spotted being used in drive-by web attacks. It affects IE versions 6, 7, 8, 9, 10 and 11, and allows an attacker to run code remotely on a targeted machine.

“The security of our products is something we take incredibly seriously. When we saw the first reports about this vulnerability we decided to fix it, fix it fast, and fix it for all our customers,” said Adrienne Hall, general manager for Microsoft Trustworthy Computing.

Hall said in a blog post that Microsoft had decided to include a patch for IE on Windows XP as well. She downplayed worries about widespread attacks using the 0day, noting that the number of actual attacks was minimal. Hall said:

Even though Windows XP is no longer supported by Microsoft and is past the time we normally provide security updates, we’ve decided to provide an update for all versions of Windows XP (including embedded), today. We made this exception based on the proximity to the end of support for Windows XP. The reality is there have been a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown. Unfortunately this is a sign of the times and this is not to say we don’t take these reports seriously. We absolutely do.

IE 10 and 11 users with Enhanced Protected Mode enabled were protected from exploits of the bug, as were users running Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) versions 4.1 and 5.0.

The exploit spotted in the wild used a Flash-based exploitation method to bypass Microsoft’s Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) protections.

Trey Ford, global security strategist at Rapid7, applauded Microsoft’s quick turnaround for the patch. Ford says:

Out-of-band updates are a big deal. Major vendors like Microsoft, Oracle, Adobe and others have highly structured software testing workflows that are expensive in terms of time and resources.  To interrupt a scheduled development cycle for an emergency patch, or out of band release is a noteworthy event where a vendor is placing the public good ahead of their development and delivery lifecycle. One thing particularly of interest is that Microsoft made the decision to issue this patch for Windows XP, which is no longer officially supported. I think this underscores the importance of this patch, and the priority with which it should be deployed. Corporate and private users should prioritize downloading (testing, where required by change controls) and deploying this patch.

Meanwhile, Microsoft’s Hall noted that users with Windows Automatic Updates enabled will get the update automatically. “If you are like most people, you have automatic updates turned on, and you’ll get this new update without having to do anything. If you haven’t turned on automatic updates yet, you should do so now. Click the ‘Check for Updates’ button on the Windows Update portion of your Control Panel to get this going,” Hall said.

How To Avoid Sloppy Authentication (Courtesy of www.darkreading.com)

Viewing authentication as a process, not simply as an encryption or algorithm, is the key to defending corporate resources from attacks.

It is always obvious in hindsight, when reviewing the impact of a major bug like Heartbleed, that something was missed. Hackers like it when the people deploying authentication build it sloppily: the sloppiness generates vulnerabilities, and vulnerabilities are the vectors for attack.

A common myth holds that website hacks result from breaking the authentication algorithm or stealing the authentication seeds. But none of the major notable hacks, such as LivingSocial, Target, Snapchat, or Heartbleed, lend any truth to this misconception.

Instead, hackers attack the enterprise rather than the algorithm. Simply buying new tokens (or SMS systems or push-based two-factor systems) will not remove them, because the attacks target the authentication system as a whole. We must look at authentication as an entire process, not just as an encryption scheme or algorithm. Only then can an organization confidently secure access to all of its resources.

When looking at authentication as an entire process, you find that it involves the issuance of authentication credentials, the collection of credentials, the validation of the credentials, and finally, the assertion to the target:

  • The issuance of authentication credentials. This is one of the sloppiest parts of the authentication process, as it continually involves embarrassing procedures: extensive helpdesk assistance, contractors, and a lack of automation. Instead, the two-factor credential should be distributed to the user without helpdesk involvement, without contractors, and in a fully auditable and repeatable way.
  • The collection of authentication credentials. How many reports of cross-site scripting and SQL injection do we need before we realize that authentication collectors should not be custom-coded? Hand-written credential collection, whether single- or two-factor, is a constant source of hacker delight. Custom code is by its very nature a target. By how many quality assurance tests, peer reviews, and hundreds of similar installs has that code segment been exercised?
  • The validation of authentication credentials. This is another point where authentication integration has been consistently sloppy. What does it matter if your authentication uses the latest commercial or open-source cryptography (Silent Circle, Tails, OTR, TrueCrypt, etc.) if the way you communicate with the membership/profile store is handled carelessly? Enterprises simply should not allow multiple authentication parties to access the key data stores. Furthermore, synching and migration of user data, especially to offsite locations, adds to the mess.
  • The SSO assertion to the target. This is the last and most important point. Most solutions assume that sending a red-light/green-light signal for the identity is enough, and that asserting via single sign-on (SSO) to the final resource (web, network, cloud, or mobile) is an integration problem outside the authentication flow. Looking at authentication in such a limited way has no foundation in logic, yet the majority of solutions in the marketplace do just that.

This key step is often left to a highly vulnerable form POST or some other sloppy form of SSO assertion. Why shouldn’t the authentication solution also include, as part of its process, the assertion to the web resource, the network gateway/VPN, the cloud resource, and the mobile application?
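To make the collection and assertion points concrete, here is an added example in Python (not code from the article or from SecureAuth). It puts a custom-coded credential collector of the kind the article warns about, with the query assembled by string concatenation and a plaintext password column, beside a hardened collector that uses a parameterised query, salted PBKDF2 hashes and a constant-time compare; and it replaces the raw form-POST hand-off with a signed, expiring, audience-bound assertion that the target resource can verify rather than trust. The table names, the signing key and the token layout are hypothetical.

```python
# Added example, not from the article or SecureAuth. Contrasts a vulnerable
# credential collector with a hardened one, and shows a verifiable SSO
# assertion in place of a bare form POST. Table names, signing key and
# token layout are hypothetical.
import base64
import binascii
import hashlib
import hmac
import json
import os
import sqlite3
import time

PBKDF2_ITERATIONS = 100_000
SIGNING_KEY = os.urandom(32)  # hypothetical: in practice held by the IdP's key store


def make_db():
    db = sqlite3.connect(":memory:")
    # legacy_users exists only to show the broken collector; users is the hardened store.
    db.execute("CREATE TABLE legacy_users (name TEXT PRIMARY KEY, password TEXT)")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db


def add_user(db, name, password):
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    db.execute("INSERT INTO legacy_users VALUES (?, ?)", (name, password))
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, pw_hash))
    db.commit()


def login_vulnerable(db, name, password):
    """Deliberately broken: user input is spliced into SQL, so a name such as
    "alice' --" comments out the password check entirely."""
    query = ("SELECT name FROM legacy_users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return db.execute(query).fetchone() is not None


def login_hardened(db, name, password):
    """Parameterised lookup, salted PBKDF2 verification, constant-time compare."""
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        # Do the same amount of work for unknown users so response timing
        # does not reveal which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ITERATIONS)
        return False
    salt, stored = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def _b64(data):
    return base64.urlsafe_b64encode(data).decode()


def issue_assertion(subject, audience, ttl=300, now=None):
    """Signed hand-off to the target: subject, audience and expiry are all
    covered by the HMAC, so the relying party can verify rather than trust."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": subject, "aud": audience, "exp": now + ttl},
                      sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, body, "sha256").digest()
    return _b64(body) + "." + _b64(sig)


def verify_assertion(token, audience, now=None):
    """Return the subject if signature, audience and expiry all check out, else None."""
    now = time.time() if now is None else now
    try:
        b64_body, b64_sig = token.split(".")
        body = base64.urlsafe_b64decode(b64_body)
        sig = base64.urlsafe_b64decode(b64_sig)
    except (ValueError, binascii.Error):
        return None  # malformed token
    expected = hmac.new(SIGNING_KEY, body, "sha256").digest()
    if not hmac.compare_digest(expected, sig):
        return None  # tampered or forged
    try:
        claims = json.loads(body)
    except ValueError:
        return None
    if claims.get("aud") != audience or claims.get("exp", 0) < now:
        return None  # wrong target or expired
    return claims.get("sub")


if __name__ == "__main__":
    db = make_db()
    add_user(db, "alice", "correct horse battery staple")
    print("vulnerable collector, injected name:", login_vulnerable(db, "alice' --", "anything"))
    print("hardened collector, injected name:  ", login_hardened(db, "alice' --", "anything"))
    token = issue_assertion("alice", "https://app.example")
    print("assertion verifies as:", verify_assertion(token, "https://app.example"))
```

The hardened collector and the verifier are the two places the article’s argument lands: the collector never lets user input shape the query, and the target resource checks the signature, audience and expiry itself instead of accepting whatever identity a form POST claims.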

While there are technologies that combine all of the mechanisms of authentication into a single solution to ensure the integrity of the final authentication process (disclosure: SecureAuth offers one such solution), enterprises can also incorporate standalone two-factor/SSO solutions, or conduct the full code reviews, penetration tests, and crypto validation to refine their authentication process and deliver a complete solution to mitigate attacks.

The bottom line is that hackers will keep feeding off misguided and sloppy authentication deployments. It is up to us in the security profession to start mandating and implementing authentication solutions that address not just the algorithm but the process as a whole. By centralizing the authentication and assertion procedures and removing untrusted human contact from the system, organizations can mitigate attackers far more efficiently.