Pinpointing your security risks



In the past few years that has been turned around: scanning tools now give the white hats a good idea of where the vulnerabilities are, and a chance to repair them before the hackers get there.

At least they provide the potential for that. The fact is, many companies don’t seem to be taking advantage of these tools, or if they do have them, they are not making much use of them. Gartner Research estimates that as many as 85% of the network attacks that successfully penetrate network defenses exploit vulnerabilities for which patches and fixes have already been released.

Endless Exploits

Now there is also the rapidly expanding universe of Web-based applications for hackers to exploit. A recent study by security vendor Acunetix claimed that as many as 70% of the 3,200 corporate and non-commercial Web sites its free Web-based scanner had examined since January 2006 contained serious vulnerabilities and were at immediate risk of being hacked.

A total of 210,000 vulnerabilities were found, the company said, an average of some 66 per site, ranging from potentially serious ones such as SQL injection and cross-site scripting to relatively minor ones such as easily available directory listings.

“Companies, governments and universities are bound by law to protect our data,” said Kevin Vella, vice president of sales and operations at Acunetix. “Yet web application security is, at best, overlooked as a fad.”

Patch Patrol

Vulnerability scanners seek out known weaknesses, using databases that vendors constantly update, to track down devices and systems on the network that are open to attack. They look for such things as unsafe code, misconfigured systems, malware, and patches and updates that should be installed but aren’t.

They have other plus factors too. They can be used for a “pre-scan” discovery pass, for example, to determine what devices and systems are actually on the network. Nothing is so vulnerable as a system no one knew was there in the first place, and it is surprising how often such systems turn up in large and sprawling enterprises.

Many scanners can also be run again after patches have been installed, to confirm that the patches did what they were supposed to do. What vulnerability scanners cannot do is the active blocking carried out by firewalls, intrusion prevention systems and anti-malware products, though by working in combination with them, scanners can make those controls more accurate and precise.

Passive Aggressive

Vulnerability scanners come as either passive or active devices, each of which has its advantages and disadvantages. Passive scanners are monitoring devices that work by sniffing the traffic that passes over the network between systems, looking for anything out of the ordinary, such as a service banner or protocol version known to be vulnerable. Their advantage is that they have no impact on the operation of the network and so can run 24x7 if necessary, but they can miss vulnerabilities, particularly on quieter parts of a network where little traffic is seen.

Active scanners probe systems much the way hackers would, inferring weaknesses from the responses devices give to the traffic the scanners send them. They are more aggressive and in some ways more thorough than passive scanners, but they can cause service disruptions and crash servers, so scans of production systems should be scheduled and tested first.

Many people see the two as complementary and recommend using passive and active scanners alongside each other. The passive scanners provide the more continuous monitoring, while active scanners are run periodically to flush out the vulnerabilities passive monitoring cannot see.

Software vs. Hardware

Scanners also come either as software agents installed directly on servers or workstations, or as network appliances. Host-based agents consume processor cycles on the system they protect, but are generally considered more flexible in the kinds of vulnerabilities they can detect, since they see local configuration and installed software directly. Network-based scanners are self-contained plug-and-play hardware devices that need less maintenance than software agents, but they see only what is exposed on the network.

The focus of vulnerabilities has been shifting over the past several years. On one hand, organizations have become savvier about protecting their networks and systems, and hackers have had a harder time penetrating those defenses. At the same time, as Web-based services have become the lifeblood of many businesses, hackers have found a goldmine of potential exploits.

That is because Web traffic flows primarily through port 80, which has to be kept open if those Web-based services are to be available to a company’s customers and business partners; the firewall therefore lets attack traffic through along with the legitimate requests.

It is a hard-to-defend weak spot in enterprise defenses, and once hackers gain control of Web applications they can use them to pull information from back-end databases, retrieve files from root directories, or use the Web server to deliver malicious content in a Web page to unsuspecting users.

Interpreting the Results

Vulnerability scanning works with Web applications by launching simulated attacks against those applications and then reporting the vulnerabilities it finds, with recommendations on how to fix or eliminate them.

However, as powerful an addition as vulnerability scanning can be to the overall security of an enterprise, some observers advise caution in interpreting the results.

Kevin Beaver, an independent security consultant with Atlanta-based Principal Logic, LLC, says it takes a combination of the vulnerability scanner and a human’s knowledge of the network, and of the context in which the scans were carried out, to interpret the results accurately.

Left to themselves, he says, scanners will tend to spit out whatever information their vendors think is important. What is also needed is an understanding of what was being tested at the time, how it was being tested, why the vulnerability is exploitable, and so on. That shows whether vulnerabilities flagged as high priority actually matter in a particular environment, and therefore whether the effort to remediate them is worthwhile.

You absolutely need vulnerability scanners, Beaver said, because they take a lot of the pain out of security assessments.

“But you cannot rely on them completely,” he said. “A good tool plus the human context is the best equation for success.”
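As an added example, not code from the article or from any scanner vendor, the following Python script does two of the things described above: it diffs a pre-patch and a post-patch scan export to confirm what the patches actually fixed, and it re-ranks the remaining findings with the human context Beaver describes (Internet exposure, whether the host is even in the inventory, compensating controls). The CSV layout, the asset inventory and the findings are all constructed for illustration; real scanner exports use different column names.

```python
"""Reconcile two vulnerability-scan exports (before and after patching) and
re-rank the findings with environment context the scanner does not have.

Added example, not from the original article. The CSV layout, the asset
inventory and the findings are constructed for illustration.
"""
import csv
import io

# Constructed scanner output: one row per (host, plugin) finding.
SCAN_BEFORE = """host,port,plugin_id,severity,title
10.0.1.10,443,10001,critical,Outdated TLS library
10.0.1.10,80,10002,high,SQL injection in login form
10.0.2.20,445,10003,critical,SMB remote code execution
10.0.2.20,80,10004,low,Directory listing enabled
10.0.3.30,22,10005,medium,SSH weak MAC algorithms
"""

SCAN_AFTER = """host,port,plugin_id,severity,title
10.0.1.10,80,10002,high,SQL injection in login form
10.0.2.20,445,10003,critical,SMB remote code execution
10.0.2.20,80,10004,low,Directory listing enabled
10.0.3.30,22,10005,medium,SSH weak MAC algorithms
10.0.4.40,3389,10006,high,RDP exposed without NLA
"""

# Constructed "human context": what the scanner cannot know about each host.
# 10.0.4.40 is deliberately absent: nobody inventoried it.
ASSETS = {
    "10.0.1.10": {"exposure": "internet", "compensating": set()},
    "10.0.2.20": {"exposure": "internal", "compensating": {"10003"}},  # SMB blocked by host firewall
    "10.0.3.30": {"exposure": "internal", "compensating": set()},
}

SEVERITY_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def parse_scan(text):
    """Return {(host, plugin_id): row} for a CSV export."""
    return {(r["host"], r["plugin_id"]): r for r in csv.DictReader(io.StringIO(text))}


def diff_scans(before, after):
    """Split findings into fixed, still_open and new (post-patch verification)."""
    b, a = parse_scan(before), parse_scan(after)
    return {
        "fixed": sorted(set(b) - set(a)),
        "still_open": sorted(set(a) & set(b)),
        "new": sorted(set(a) - set(b)),
    }


def contextual_priority(row, assets):
    """Scanner severity adjusted by exposure and compensating controls.

    Returns (score, reason); score 0 means 'verify the control, then track'.
    """
    score = SEVERITY_SCORE[row["severity"]]
    asset = assets.get(row["host"])
    if asset is None:
        # A host nobody inventoried is exactly the "nobody knew it was there" case.
        return score + 1, "not in asset inventory: establish ownership first"
    if row["plugin_id"] in asset["compensating"]:
        return 0, "mitigated by a compensating control; verify the control, then track"
    if asset["exposure"] == "internet":
        return score + 1, "internet-facing"
    return score, "internal only"


def triage(after, assets):
    """Rank the open findings of the post-patch scan, most urgent first."""
    ranked = []
    for (host, plugin), row in parse_scan(after).items():
        score, reason = contextual_priority(row, assets)
        ranked.append((score, host, plugin, row["title"], reason))
    return sorted(ranked, key=lambda r: (-r[0], r[1], r[2]))


if __name__ == "__main__":
    d = diff_scans(SCAN_BEFORE, SCAN_AFTER)
    print("fixed by patching:", d["fixed"])
    print("new since last scan:", d["new"])
    for score, host, plugin, title, reason in triage(SCAN_AFTER, ASSETS):
        print(f"{score} {host} plugin {plugin}: {title} ({reason})")
```

With the constructed data the critical SMB finding drops to the bottom because a documented control already covers it, while the uninventoried RDP host and the Internet-facing SQL injection rise to the top; that reordering is the "human context" the scanner alone cannot supply.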

Sony Xperia devices secretly sending user data to servers in China.


If you own a Sony smartphone running either the Android 4.4.2 or 4.4.4 KitKat firmware, you may inadvertently be transmitting data to servers in China, even if you haven’t installed a single application.

Surprising, but true. Many would not expect such practices from a Japanese company, but reports on several forums suggest that some new Sony Xperia handsets contain the Baidu spyware.

About a month ago, a group of Sony smartphone users noticed a strange folder named “Baidu” that had mysteriously appeared among the files present on various Android versions for these handsets.

The creepy part is that the folder is created automatically without the owner’s permission and there is no way of deleting it. If someone removes it, it instantly reappears; unticking the related entry under device administrators does nothing, and neither does starting the phone in Safe Mode.

“Just unpacked my Sony Z3 Compact, haven’t installed a single app and it’s connecting to China. I am not so concerned about the folder itself but my phone now has a constant connection to an IP address in Beijing which I am not too happy about,” one Reddit user commented.

The Baidu folder appears to be created by Sony’s ‘my Xperia’ service each time a connection is made, and is reported to be sending pings to China. There is no further information on what these pings carry, but they do appear to be going out.


Dropbox Denies It Was Hacked, Says Passwords Stolen From Other Services


On Monday, a group of hackers posted a message on Pastebin claiming they have “hacked” nearly 7 million Dropbox accounts. The cloud storage giant said the data was stolen from other services, not from its own systems.

The hackers have already published hundreds of email addresses and associated passwords in clear text. They claim they will publish more as they get Bitcoin donations, but so far only 0.0001 BTC has been transferred to their address.

Reddit users have confirmed that at least some of the credentials are valid, but Dropbox says the information was stolen from other services and then replayed against Dropbox logins, a credential-stuffing attack. To protect its customers, the company is resetting the passwords of the affected accounts.

“Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens,” Dropbox Security Engineer Anton Mityagin wrote in a blog post.

The company advises its customers to avoid using the same password on multiple online services. Dropbox also recommends enabling two-step verification for an extra layer of security.

“The recent Dropbox credentials leak shows once again how easy it is for cyber-criminals to seize personal user data at a massive scale. However, judging by the large number of accounts registered with specific free webmail providers, there is a small chance that the data was actually obtained via phishing,” Bogdan Botezatu, Senior E-Threat Analyst at Bitdefender, said via email. “However the data may have been obtained, the risk is still out there: these accounts have been exposed and anyone could have logged in to copy private files belonging to the user during the window of opportunity.”

Last week, in support of the National Cybersecurity Awareness Month, Dropbox published an advisory to warn its users about phishing and malware attacks.

Windows 10: Nine things you need to know


Windows 8 has had a bit of a tumultuous run, something Microsoft is hoping to turn around with Windows 10. We got a brief glimpse at a Microsoft event on Tuesday, and while it did prove to be a tantalizing look at what’s in store, there are still plenty of questions floating around, and a lot more to figure out before the final product is sitting on our hard drives.

If you’ve got questions, we’ve got some answers on the latest step for Windows.

1. When can I upgrade? And how much will it cost?

Microsoft expects to release the OS sometime in 2015, after the company’s Build developer conference in April. If you’re feeling adventurous, you can sign up for the Windows Insider Program on October 1 to get your hands on the early (and likely buggy) preview build. The cost for the retail version has yet to be determined.

2. Windows 10? What happened to Windows 9?

Windows 7 ate 9. (I kid.) Microsoft wants us to think of the latest version as a fundamental change to how Windows works, and the company is skipping a version number to show it.

Keyboards and mice take center stage on Windows 10. Nick Statt/CNET

3. I’ve got a desktop, and a tablet. How will that work?

Windows 10 isn’t just about PCs. The operating system will run on everything from desktops all the way down to smartphones, and the user interface will adjust accordingly.

4. What about apps?

Apps will be coming along for the ride too, though Microsoft hasn’t explained how that’s going to work. We do know that you’ll be able to buy one app from the Windows Store and expect it to run on all your devices. Developers will presumably need to make universal apps that adjust their look and feel depending on your device’s size and capabilities.

5. Those full-screen “Modern” apps were a pain. Are they still around?

Those touch-friendly, full-screen apps that debuted with Windows 8 were alternately known as the “Metro” or “Modern” design. For Windows 10, full-screen apps will be optional. Let’s say you’re using a convertible 2-in-1 device, like the Surface Pro 3, for example. When the keyboard is docked, you’ll see the standard desktop with Windows 10’s “new” old-school Start menu. Once you take the device off of the keyboard base, the OS will allow you to switch to the finger-friendly full screen mode Windows 8 users are likely familiar with.

6. I actually liked those Modern apps, and bought a few. Are they still around?

It’s too soon to say how Windows 8 developers will react to the changes, but Microsoft did show some of its own full-screen Modern apps operating in a windowed mode.

Old is new again with the Windows 10 Start menu. Nick Statt/CNET

7. And the Start menu?

If you hated Windows 8’s full-screen Start screen, you’re in luck: the new Start menu harkens back to the good old days, sitting on the left side of the screen and presenting that familiar pop-up column of shortcuts. And if you liked Windows 8’s approach, there’s something here for you too: the new menu will incorporate Live Tiles and can be customized.

8. Never mind the apps — I need to get things done. Any improvements on that front?

Windows 10 beefs up Snap, the function that lets you quickly arrange apps side by side, with a new quadrant layout that lets you split your display up among up to four apps. There’s also support for multiple desktops (finally), so you can keep all your work apps in one place and quickly slide back to the desktop with your blogs and Reddit once your boss walks away. And then there’s the task view button that lives on the taskbar. Click it, and you’ll get a quick look at all of your open files, windows, and desktops.

We’re going to need bigger screens. Nick Statt/CNET

9. Will Windows 10 run on my machine?

It’s too early to say. Windows 8.1 did introduce 64-bit computing requirements that ruled out some ancient processors, but it otherwise played well with PCs that weren’t too old. Suffice to say, if you’re picking up a newer device any time between now and Windows 10’s release next year, you should be good to go. Once again, if you’re willing to take risks, you can check out the Windows Insider Program for an early look.

Hacking an eBay Account in just 1 minute


Four months ago, a massive data breach on the eBay website affected 145 million registered users worldwide after its database was compromised. Around the same time, another critical vulnerability on the eBay website was reported, one that could have allowed an attacker to hijack millions of user accounts in bulk.

Egyptian security researcher Yasser H. Ali informed The Hacker News about this vulnerability four months ago; it could have been used by cyber criminals in targeted attacks. At that time, Mr. Yasser privately demonstrated the vulnerability step by step to The Hacker News team, and we confirmed that it works.

Since it had not yet been addressed by the eBay security team, we kept the technical details of this vulnerability hidden from our readers, promising to share them once eBay had patched it. Now that it has, here we go.

The vulnerability Yasser found could be used to reset the password of any eBay user account, with no interaction from, or dependency on, the victim. The only thing required is the victim’s login email address or username.

To recover a forgotten password, the user is first redirected to a password reset page, where eBay generates a random code as the value of the HTML form parameter “reqinput”. That value is visible to anyone, an attacker included, through the browser’s inspect-element tool.

After the user provides his or her email address and presses submit, eBay generates a second random code, known to nobody but the account holder, and sends it along with a password reset link to the user’s registered email address.

Once the user clicks the password reset link in the email, the user is taken to an eBay page with a new-password form, where the user only needs to enter a new password twice and submit it to reset the eBay account password.

Yasser noticed that, instead of the secret emailed code, the new-password HTTP request carries the same “reqinput” value generated in the first request (when the user clicked reset password), and that value is already known to the attacker, as his captured request showed.

As a proof of concept, the researcher targeted a temporary account belonging to one of our team members. First he made a password reset request at eBay for the target email address and saved the generated “reqinput” value from the inspect-element view.

Then he crafted an HTTP request directly to the password reset form’s action URL on the eBay server, with the known “reqinput” value, the new password, the confirmation password and the password strength parameters.

He was able to reset our team member’s eBay account password within moments, without any interaction from the account holder.

A sophisticated attacker could have launched an automated mass password reset attack against every email address leaked in the previously reported massive eBay data breach.

The company patched the vulnerability after Yasser responsibly disclosed the flaw to the eBay security team. But the four-month delay in delivering the patch left millions of eBay users’ accounts open to a targeted attack, even if they had changed their passwords after the data breach.
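To make the flaw concrete, here is an added example (not eBay’s code) of a password-reset service in the shape the article describes, next to a fixed version. The token names follow the article (“reqinput” for the value the browser can see before any identity check, and a second emailed code); the storage, the expiry, the user record and the attacker function are constructed for illustration. The fixed version treats only the emailed code as proof of mailbox control and makes it random, bound to the account, single-use, time-limited and compared in constant time.

```python
"""Password-reset flow: the flaw described above next to a fixed version.

Added example, not eBay's code. Storage, expiry and the user record are
constructed for illustration.
"""
import hmac
import secrets
import time

USERS = {"victim@example.com": {"password": "old-password"}}  # constructed account


class VulnerableReset:
    """Step 1 renders reqinput into the page; the final step accepts that same
    value as proof, so the emailed code is never actually checked."""

    def __init__(self):
        self.reqinputs = {}   # reqinput -> email, created before any identity check

    def start(self, email):
        reqinput = secrets.token_hex(16)        # visible in the HTML form
        self.reqinputs[reqinput] = email
        secret = secrets.token_hex(16)          # emailed, but never required below
        return reqinput, secret

    def finish(self, reqinput, new_password, confirm):
        if new_password != confirm or reqinput not in self.reqinputs:
            return False
        USERS[self.reqinputs[reqinput]]["password"] = new_password
        return True


class FixedReset:
    """Only the emailed code proves control of the mailbox. The form's
    reqinput is at most CSRF state, never proof of identity."""

    TTL = 15 * 60  # seconds

    def __init__(self, now=time.time):
        self.now = now                  # injectable clock so expiry is testable
        self.pending = {}               # email -> (secret, expires_at)

    def start(self, email):
        reqinput = secrets.token_hex(16)
        secret = None
        if email in USERS:
            # The HTTP response is identical either way (no account enumeration);
            # the secret only ever travels to the registered mailbox.
            secret = secrets.token_urlsafe(32)
            self.pending[email] = (secret, self.now() + self.TTL)
        return reqinput, secret

    def finish(self, email, emailed_secret, new_password, confirm):
        if new_password != confirm:
            return False
        entry = self.pending.get(email)
        if entry is None:
            return False
        secret, expires_at = entry
        if self.now() > expires_at or not hmac.compare_digest(secret, emailed_secret or ""):
            return False
        del self.pending[email]         # single use
        USERS[email]["password"] = new_password
        return True


def attacker_wins(reset_cls):
    """Attacker knows only the victim's email and what the browser shows."""
    svc = reset_cls()
    reqinput, emailed = svc.start("victim@example.com")   # 'emailed' goes to the victim, not the attacker
    if reset_cls is VulnerableReset:
        return svc.finish(reqinput, "pwned", "pwned")
    # Without the emailed secret the attacker can only submit what was visible.
    return svc.finish("victim@example.com", reqinput, "pwned", "pwned")


if __name__ == "__main__":
    print("vulnerable flow, attacker resets password:", attacker_wins(VulnerableReset))
    print("fixed flow, attacker resets password:", attacker_wins(FixedReset))
```

The mass-reset scenario in the article follows directly from the vulnerable class: every step an attacker needs is scriptable and none requires the victim. In the fixed class the only thing the attacker can obtain, the reqinput, is worthless, and a stolen emailed link stops working after first use or after the TTL.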


About 5 million Gmail IDs and passwords leaked


Was Google hacked?
No. The leak was not the result of a breach of Google’s systems; the dump is said to have been assembled from other websites.

So if you have used your Gmail password on any other site, your Gmail account could be compromised.

Google’s response
“We found that less than 2% of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts. We’ve protected the affected accounts and have required those users to reset their passwords.” Google wrote.

What should you do?

  • There are a few websites that offer to check whether your Gmail ID has been compromised. My suggestion is: don’t use them; change your password instead. (Most people keep the same password for years, so it is better to change it now anyway.)
  • If you have not enabled 2-step verification, enable it now.
  • Never use your Gmail password on any other website.
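Both the Dropbox and the Gmail incidents on this page come down to the same thing: credentials stolen from somewhere else are replayed against a service, and the service’s own detection has to catch the replay and reset the affected accounts. The script below is an added example, not Dropbox’s or Google’s detection code. It runs over a constructed authentication log, flags source addresses that cycle through many distinct accounts with mostly failures inside a short window, and forces a reset for accounts that either succeeded from such a source or appear in a constructed leaked-credential list (kept as username hashes so the list itself leaks nothing). The log format and thresholds are illustrative.

```python
"""Detect credential-stuffing logins in an auth log and decide which
accounts to force-reset.

Added example; not Dropbox's or Google's code. Log format, thresholds and
the leaked list are constructed for illustration.
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>[\d.]+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed auth log: one IP cycles through many accounts (stuffing), a normal
# user mistypes once, and a distinct IP logs in as a user present in the dump.
AUTH_LOG = """\
2014-10-13T10:00:01 ip=203.0.113.5 user=alice@example.com result=fail
2014-10-13T10:00:02 ip=203.0.113.5 user=bob@example.com result=fail
2014-10-13T10:00:03 ip=203.0.113.5 user=carol@example.com result=ok
2014-10-13T10:00:04 ip=203.0.113.5 user=dave@example.com result=fail
2014-10-13T10:00:05 ip=203.0.113.5 user=erin@example.com result=fail
2014-10-13T10:00:06 ip=203.0.113.5 user=frank@example.com result=ok
2014-10-13T10:00:07 ip=203.0.113.5 user=grace@example.com result=fail
2014-10-13T10:05:00 ip=198.51.100.7 user=heidi@example.com result=fail
2014-10-13T10:05:20 ip=198.51.100.7 user=heidi@example.com result=ok
2014-10-13T11:00:00 ip=192.0.2.9 user=ivan@example.com result=ok
"""

# Constructed dump "leaked from other services": only username hashes are kept.
LEAKED_USERS = {
    hashlib.sha256(u.encode()).hexdigest()
    for u in ("carol@example.com", "frank@example.com", "ivan@example.com")
}

WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 5   # distinct accounts from one IP within WINDOW
MIN_FAIL_RATIO = 0.5     # most attempts from a stuffing source fail


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append({**m.groupdict(), "ts": datetime.fromisoformat(m["ts"])})
    return events


def stuffing_sources(events):
    """IPs that tried many distinct accounts in WINDOW with a high failure rate."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):          # sliding window over this IP's attempts
            window = [e for e in evs[i:] if e["ts"] - start["ts"] <= WINDOW]
            users = {e["user"] for e in window}
            fails = sum(e["result"] == "fail" for e in window)
            if len(users) >= MIN_DISTINCT_USERS and fails / len(window) >= MIN_FAIL_RATIO:
                flagged[ip] = sorted(users)
                break
    return flagged


def accounts_to_reset(events, leaked_user_hashes):
    """Accounts whose password must be presumed compromised: successful logins
    from a flagged source, plus any account that appears in the leak."""
    flagged = stuffing_sources(events)
    reset = set()
    for e in events:
        if e["ip"] in flagged and e["result"] == "ok":
            reset.add(e["user"])
        if hashlib.sha256(e["user"].encode()).hexdigest() in leaked_user_hashes:
            reset.add(e["user"])
    return sorted(reset)


if __name__ == "__main__":
    evs = parse_log(AUTH_LOG)
    print("stuffing sources:", stuffing_sources(evs))
    print("force reset:", accounts_to_reset(evs, LEAKED_USERS))
```

Note what the two rules catch and what they do not: heidi’s single typo from her own address is left alone, carol and frank are reset because a stuffing source logged in as them successfully, and ivan is reset on the strength of the leak alone even though nothing suspicious is in the log yet. That last case is the “less than 2% might have worked” situation Google describes: the reset is precautionary.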



Top six steps for a secure Web server


Ensuring Web server security is one of the most thankless tasks facing information security pros. You need to balance the conflicting roles of allowing the public legitimate access to Web resources while trying to keep the bad guys out. You might even consider two-factor authentication, such as RSA SecurID, to obtain a high degree of confidence in your authentication system, but it would not be practical or cost-effective to distribute tokens to all of your Web site’s users. Despite such conflicting goals, here are six tactics that can help lock down your Web servers.

  • Use separate servers for internal and external applications.
    Given that organizations typically have two separate classes of Web applications, those serving internal users and those serving external users, it is prudent to place those applications on different servers. Doing so reduces the risk of a malicious user penetrating the external server and gaining access to sensitive internal information. If you don’t have the resources to implement this, you should at least use technical controls (such as process isolation, with each application running under its own unprivileged account) to keep internal and external applications from interacting with each other.
  • Use a separate development server for testing and debugging apps.
    Testing applications on a stand-alone Web server sounds like common sense, and it is! Unfortunately, many organizations don’t follow this basic principle and instead allow developers to “tweak” code or even develop new applications on a production server. This is a horrible idea for both reliability and security reasons. Testing code on production systems can cause users to experience malfunctions (possibly a complete outage) and can introduce security vulnerabilities as developers post untested code that might be vulnerable to attack. Most version control systems (such as Microsoft’s Visual SourceSafe) can help automate the coding/testing/debugging process.
  • Audit Web site activity and store logs in a secure location.
    Every security professional knows the importance of maintaining server activity logs. Since most Web servers are public facing, it is critical that you do this for all Internet-based services. These audit trails will help you detect and react to attacks, and will let you troubleshoot server performance issues. Remember that an intruder who compromises the Web server can edit or erase any log that stays on it, so in high-security environments make sure that your logs are also stored in a physically secure location. The safest (but least convenient) technique is to have a line printer print the trail as it is logged, creating a permanent paper record that cannot be modified by an intruder without physical access to the premises. You may also want to consider electronic equivalents, such as shipping each entry as it is written to a separate hardened log host that encrypts the log and signs each entry, to protect against log snooping and modification.
  • Educate developers on sound security coding practices.
    Software developers, focused on creating apps that meet business requirements, often overlook the fact that information security is a critical business requirement too. As a security pro, it is your role to educate developers on the security issues that affect Web servers. Make developers aware of the security mechanisms in place on your network so that the software they create doesn’t circumvent them; also offer training on concepts such as input validation, buffer overflow attacks and process isolation, all of which will go a long way toward sound coding practices and secure applications.
  • Keep your operating system and Web server patched.
    This is another “common sense” item that often slips through the cracks when administrators become overburdened with other tasks. Security bulletins, such as those issued by CERT or Microsoft, are a constant reminder of how often software vendors release patches for specific security vulnerabilities. It is critical to keep your Web servers patched with current security fixes. Tools like Microsoft’s Software Update Services (SUS) and Red Hat’s up2date service can help automate this task. After all, once a flaw is published, if you don’t fix it, someone will eventually find it and exploit it.
  • Use application scanners.
    If affordable, you might want to consider the use of an application scanner to validate internally developed code. Tools like Watchfire’s AppScan can help ensure that exploitable code doesn’t slip through the cracks and into a production environment.

Remember, security is a state of mind! Well-designed Web server architecture should be based on sound security principles. Implementing these six measures will help you build a strong foundation.
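The third step above mentions an electronic equivalent of the line-printer trail: a log host that signs entries so an intruder cannot rewrite history. The following Python class is an added example of one way to do that (hash chaining plus an HMAC per entry); it is not from the article or from any logging product. The records and the key are constructed; in practice the key lives only on the separate log host, never on the Web server that ships the lines.

```python
"""Hash-chained, HMAC-sealed audit log: a tamper-evident electronic
equivalent of the line-printer trail.

Added example, not from the original article. Records and key are
constructed; keep the real key off the Web server.
"""
import hashlib
import hmac
import json


class SealedLog:
    """Each entry carries the tag of the previous entry and an HMAC over
    (sequence number, previous tag, record), so editing, deleting or
    reordering any earlier line breaks verification from that point on."""

    GENESIS = "0" * 64

    def __init__(self, key):
        self.key = key
        self.entries = []

    @staticmethod
    def _tag(key, seq, prev, record):
        msg = json.dumps([seq, prev, record], sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def append(self, record):
        prev = self.entries[-1]["tag"] if self.entries else self.GENESIS
        seq = len(self.entries)
        self.entries.append({"seq": seq, "prev": prev, "record": record,
                             "tag": self._tag(self.key, seq, prev, record)})
        return seq

    @staticmethod
    def verify(key, entries):
        """Return (ok, first_bad_seq). Recomputes the chain from genesis."""
        prev = SealedLog.GENESIS
        for i, e in enumerate(entries):
            expected = SealedLog._tag(key, i, prev, e["record"])
            if e["seq"] != i or e["prev"] != prev or not hmac.compare_digest(expected, e["tag"]):
                return False, i
            prev = e["tag"]
        return True, None


# Constructed Web-server access records an intruder would like to erase.
SAMPLE_RECORDS = [
    "10.0.0.5 GET /index.html 200",
    "203.0.113.7 GET /cgi-bin/admin.pl?cmd=ls 403",
    "203.0.113.7 POST /login 401",
    "203.0.113.7 POST /login 200",
]


def build(key, records):
    log = SealedLog(key)
    for r in records:
        log.append(r)
    return log.entries


def tamper_delete(entries, seq):
    """Intruder removes one line and renumbers the rest, as a cover-up would."""
    kept = [dict(e) for e in entries if e["seq"] != seq]
    for i, e in enumerate(kept):
        e["seq"] = i
    return kept


def tamper_edit(entries, seq, new_record):
    kept = [dict(e) for e in entries]
    kept[seq]["record"] = new_record
    return kept


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-on-log-host"
    entries = build(key, SAMPLE_RECORDS)
    print(SealedLog.verify(key, entries))                                        # (True, None)
    print(SealedLog.verify(key, tamper_delete(entries, 1)))                     # (False, 1)
    print(SealedLog.verify(key, tamper_edit(entries, 2, "10.0.0.5 GET / 200")))  # (False, 2)
```

One caveat a practitioner should keep in mind: the chain detects edits, deletions and reordering inside the log, but not an intruder simply truncating the newest entries, because a shorter chain still verifies. Close that gap by having the log host periodically record the latest tag and sequence number somewhere the Web server cannot reach (a second host, or the printer).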

Apple CEO says iCloud security will be strengthened


Apple, still reeling from the nude celebrity photo incident, plans to strengthen security around its iCloud storage service soon, CEO Tim Cook said, according to a news report Thursday.

The change consists primarily of new warnings when certain changes are made to an account, as well as implementation of two-factor authentication on iCloud accounts, Cook told The Wall Street Journal.


iCloud accounts for more than a dozen celebrities were compromised by hackers who obtained their login credentials, possibly by guessing security questions or using password-guessing tools. The subsequent release of nude photos put Apple on the defensive, with the company maintaining that its systems were not breached.

Cook told the newspaper that Apple will begin sending email and push notifications within two weeks to users when a new device is used to restore or log into an iCloud account or an account’s password is changed.

With iCloud credentials, it is possible to download the entire contents of an account to a new device, including photographs, text messages, call logs, address books, calendars and other information depending on what a person has chosen to store on iCloud.

For iTunes, Apple has had a two-factor authentication feature, which involves entering a separate code to access an account. But that protection isn’t applied to iCloud, an apparent oversight.

“Signing into iCloud in order to access say, your backed up photos, does not require two-factor authentication,” wrote Marc Rogers, a principal security researcher with Lookout Mobile Security, in a blog post Wednesday. Besides, enabling Apple’s existing two-factor authentication would not have helped anyone involved in the latest leak, he added.

The next version of Apple’s mobile operating system, iOS, will have an option to use two-factor authentication for iCloud accounts, The Wall Street Journal reported.

Apple has maintained that the way its two-factor authentication mechanism is set up would have nonetheless still protected the accounts if it had been enabled by the victims.

If it was on, the hackers wouldn’t have been able to see the security questions used to verify someone’s account in case of a lost password. With two-factor authentication off, the hackers could guess the security questions and gain access.

But it has also been theorized that attackers used a password-guessing tool against Apple’s Find My Phone service. Apple didn’t acknowledge a security issue with Find My Phone, but a brute-force script posted on GitHub carried a note indicating that an API for the service allowed unlimited password guesses. The API problem was later fixed, the note said.

In that scenario, two-factor authentication wouldn’t have mattered: the tool, called iBrute, could simply keep guessing until it found the correct password, so the attacker never needed access to the security questions.

It is also possible the celebrities were victims of phishing attacks, where hackers try to trick people into revealing their credentials by sending them a link to a look-a-like but fraudulent Web service.
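The “unlimited guesses” note above is the whole problem: an authentication API that never throttles turns a weak password into a matter of time. As an added example (not Apple’s code), the class below shows the two limits a login endpoint needs, a per-account lockout with exponential back-off and a per-source budget across accounts, with an injectable clock so the behaviour can be checked offline. The thresholds, the user store and the `dictionary_run` helper are constructed for illustration; the point is that once an account is locked even the correct guess is refused, so an iBrute-style wordlist run stalls instead of walking through the list.

```python
"""Login throttling that closes an "unlimited guesses" hole.

Added example, not Apple's code. Thresholds, user store and the simulated
clock are constructed for illustration.
"""
import hashlib
import hmac
import os


class LoginGuard:
    MAX_ACCOUNT_FAILS = 5          # failures before the account locks
    BASE_LOCK = 60                 # seconds; doubles on every further lockout
    MAX_IP_FAILS_PER_HOUR = 50     # budget across all accounts from one source

    def __init__(self, users, now):
        self.users = users          # email -> (salt, pbkdf2 digest)
        self.now = now              # callable returning epoch seconds (injectable clock)
        self.account = {}           # email -> {"fails", "locked_until", "lockouts"}
        self.ip_fails = {}          # ip -> [timestamps of failures]

    def _check_password(self, email, password):
        salt, digest = self.users[email]
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(cand, digest)

    def _ip_budget_exceeded(self, ip):
        cutoff = self.now() - 3600
        recent = [t for t in self.ip_fails.get(ip, []) if t > cutoff]
        self.ip_fails[ip] = recent
        return len(recent) >= self.MAX_IP_FAILS_PER_HOUR

    def login(self, email, password, ip):
        """Returns one of 'ok', 'denied', 'locked', 'throttled'."""
        if self._ip_budget_exceeded(ip):
            return "throttled"
        st = self.account.setdefault(email, {"fails": 0, "locked_until": 0.0, "lockouts": 0})
        if self.now() < st["locked_until"]:
            return "locked"          # even a correct password is refused while locked
        if email in self.users and self._check_password(email, password):
            st["fails"] = 0
            return "ok"
        # Unknown accounts are counted too, so the response does not reveal existence.
        st["fails"] += 1
        self.ip_fails.setdefault(ip, []).append(self.now())
        if st["fails"] >= self.MAX_ACCOUNT_FAILS:
            st["fails"] = 0
            st["locked_until"] = self.now() + self.BASE_LOCK * (2 ** st["lockouts"])
            st["lockouts"] += 1
            return "locked"
        return "denied"


def make_user_db(creds):
    """Constructed user store: salted PBKDF2 digests, never plaintext."""
    db = {}
    for email, pw in creds.items():
        salt = os.urandom(16)
        db[email] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000))
    return db


def dictionary_run(guard, email, wordlist, ip):
    """Simulate a wordlist attack; returns the verdict for each attempt."""
    return [guard.login(email, w, ip) for w in wordlist]


if __name__ == "__main__":
    clock = [1_000_000.0]
    guard = LoginGuard(make_user_db({"celeb@example.com": "Summer2014"}), lambda: clock[0])
    words = ["password", "123456", "qwerty", "letmein", "iloveyou", "Summer2014"]
    print(dictionary_run(guard, "celeb@example.com", words, "203.0.113.9"))
    clock[0] += 61    # once the lockout expires the legitimate owner gets in
    print(guard.login("celeb@example.com", "Summer2014", "203.0.113.9"))
```

The per-source budget matters as much as the per-account lockout: an attacker who rotates through many accounts never trips the account counter, which is exactly the credential-stuffing pattern, so the source address has to carry its own limit. Neither limit replaces a second factor; they only make the first factor expensive to guess.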

Microsoft may announce its biggest layoffs ever… July 17, 2014


Microsoft reportedly will announce the biggest round of layoffs in its history today as massive changes wrought by new CEO Satya Nadella start to take hold at the struggling IT giant.

The layoffs, which have been expected amid Nadella’s calls for transformation at Microsoft, will dwarf the 5,800 job cuts it announced in 2009, The New York Times reported Wednesday, citing unnamed sources briefed on the decision. It said human resources managers have reserved conference rooms for most of Thursday, presumably to meet with laid-off employees.

Most but not all of the cuts will be from businesses Microsoft took on through its acquisition of Nokia earlier this year, which added about 25,000 workers, the Times reported. Microsoft, founded in 1975 and based in Redmond, Washington, has about 130,000 employees.

In a long memo sent to employees last week and published online, Nadella said he would lead major changes in Microsoft’s culture. “Nothing is off the table,” he wrote. The company is set to announce its latest financial results on July 22.

Microsoft has floundered in recent years as it tries to shift from a reliance on its declining PC software business to mobile and other categories. Former CEO Steve Ballmer announced a reorganization around “devices and services” in 2012 before giving up his seat to Nadella in February. Microsoft had taken months to choose Ballmer’s successor.

Microsoft spokesman Frank Shaw said the company would not comment on the rumors.

Critical design flaw in Active Directory could allow for a password change


Microsoft’s widely used software for brokering network access, Active Directory, has a critical design flaw, an Israeli security firm said, but Microsoft contends the issue is long known and defenses are in place.

Aorato used public information to craft a proof-of-concept attack that shows how an attacker can change a person’s network password, potentially allowing access to other sensitive systems, said Tal Be’ery, its vice president of research.

“The dire consequences we are discussing — that an attacker can change the password — was definitely not known,” said Be’ery in a phone interview Tuesday.

About 95 percent of Fortune 500 companies use Active Directory, making the problem “highly sensitive,” Aorato wrote [3] on its blog.

The company’s research focuses on NTLM, an authentication protocol that Microsoft has been trying to phase out for years. All Windows versions older than Windows XP SP3 used NTLM as a default, and newer Windows versions are compatible with it in combination with its successor, Kerberos.

NTLM is vulnerable to a so-called “pass-the-hash” attack, in which an attacker who obtains the stored form of a user’s credentials on one computer (the hash, a one-way mathematical representation of the password) can present that hash directly, without ever learning the password, to access other services or computers.

It’s one of the most popular kinds of attacks since a computer that may not be valuable for the data it stores on its own could enable access to a more sensitive system. U.S.-based retailer Target fell victim to this kind of lateral movement that led to a data breach after hackers gained access to its network via a supplier.

The pass-the-hash attack is a long-known weakness of single sign-on (SSO) systems, since the hash must be kept somewhere on the system for some amount of time so that the user is not prompted again. Other operating systems that accommodate SSO are affected by the same threat.

Disabling SSO would solve the problem, but it would also mean that users on a network would have to repeatedly enter their password in order to access other systems, which is inconvenient.

“It’s a trade-off,” Be’ery said.

Aorato contends that an attacker can snatch an NTLM hash using publicly available penetration-testing tools such as WCE or Mimikatz. It built a proof-of-concept tool showing how an attacker can then change the user’s password to an arbitrary one and access other services such as RDP (Remote Desktop Protocol) or Outlook Web App.

Although some enterprises try to limit use of the NTLM protocol in favor of Kerberos, an attacker can force a client to authenticate to Active Directory using a weaker Kerberos encryption type, RC4-HMAC, whose key is the NTLM hash itself. Kerberos accepts that hash as the user’s key and issues a fresh authentication ticket; the technique is commonly called overpass-the-hash.

Microsoft implemented Kerberos in order to move away from some of NTLM’s security issues, but Kerberos works with RC4-HMAC to allow for compatibility with older systems.

The company couldn’t immediately be reached for comment, but it acknowledged weaknesses in NTLM in a 2012 technical paper [4].

In May, Microsoft released a patch [5] with improvements that make it harder to steal NTLM hashes. The company has also suggested that organizations use smart cards or disable Kerberos RC4-HMAC support on all domain controllers, but the latter can break functionality on legacy systems that support only RC4.

Be’ery said quirks in Active Directory can cause it to downgrade to NTLM, which makes it hard for organizations to shut it off.

“It’s not really a practical solution,” he said.

For example, if a person tries to access a network resource by its IP address instead of its name, Active Directory will use NTLM even on the latest version of Windows, Be’ery said. (Kerberos needs a service principal name to request a ticket for, and a bare IP address has none.)

Aorato contends that more could be done around logging events that might indicate malicious behavior, such as specifying the encryption algorithm used for a password change.

“Although Windows had created a relatively verbose Kerberos event logging system, it fails to show the pertinent attack information,” the company wrote. “As a result, the logs lack indication of something fishy going on.”
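Whatever the logs lack about password changes, the downgrade itself does leave a trace: the domain controller’s security log records the encryption type of every ticket it issues. The script below is an added example, not Aorato’s tool or anything from Microsoft. It runs over constructed records in the shape of Security events 4768 (TGT request) and 4769 (service ticket request), whose “Ticket Encryption Type” field is 0x17 for RC4-HMAC and 0x11/0x12 for AES, and flags successful RC4 tickets from clients that are not on an allowlist of known RC4-only legacy hosts. The event format, the hosts and the allowlist are constructed.

```python
"""Flag Kerberos tickets issued with RC4-HMAC on a domain where AES is
expected: the downgrade leaves this trace in the DC security log.

Added example, not Aorato's or Microsoft's tooling. Records, hosts and
allowlist are constructed for illustration.
"""
import re
from collections import Counter

# Constructed 4768/4769 records in a flattened key=value form.
DC_EVENTS = """\
EventID=4768 Account=alice Client=10.0.5.21 EncType=0x12 Status=0x0
EventID=4768 Account=svc-backup Client=10.0.5.40 EncType=0x17 Status=0x0
EventID=4769 Account=alice Service=cifs/fileserver EncType=0x12 Status=0x0
EventID=4768 Account=bob Client=10.0.5.22 EncType=0x17 Status=0x0
EventID=4769 Account=bob Service=krbtgt/CORP EncType=0x17 Status=0x0
EventID=4768 Account=bob Client=10.0.5.22 EncType=0x17 Status=0x0
EventID=4768 Account=carol Client=10.0.5.23 EncType=0x11 Status=0x0
EventID=4768 Account=dave Client=10.0.5.99 EncType=0x17 Status=0x6
"""

RC4_HMAC = 0x17                         # AES128 is 0x11, AES256 is 0x12
KNOWN_RC4_ONLY_HOSTS = {"10.0.5.40"}    # constructed exception list for legacy gear

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    out = []
    for line in text.splitlines():
        rec = dict(KV_RE.findall(line))
        if "EventID" in rec:
            rec["EventID"] = int(rec["EventID"])
            rec["EncType"] = int(rec["EncType"], 16)
            rec["Status"] = int(rec["Status"], 16)
            out.append(rec)
    return out


def rc4_downgrades(events, allowlist=KNOWN_RC4_ONLY_HOSTS):
    """Successful tickets issued with RC4 to a client not on the allowlist.
    Failed requests (Status != 0) are ignored: they yielded no ticket."""
    hits = []
    for e in events:
        if e["EventID"] not in (4768, 4769) or e["Status"] != 0:
            continue
        if e["EncType"] == RC4_HMAC and e.get("Client") not in allowlist:
            hits.append((e["EventID"], e["Account"], e.get("Client") or e.get("Service")))
    return hits


def summary(events):
    """Ticket count per (account, encryption type): an account that normally
    gets AES tickets and suddenly requests RC4 is the overpass-the-hash tell."""
    c = Counter()
    for e in events:
        if e["EventID"] in (4768, 4769) and e["Status"] == 0:
            c[(e["Account"], e["EncType"])] += 1
    return dict(c)


if __name__ == "__main__":
    evs = parse_events(DC_EVENTS)
    for hit in rc4_downgrades(evs):
        print("RC4 ticket:", hit)
    print(summary(evs))
```

Two caveats when running the idea against a real domain: accounts whose password was last set before AES keys were available will legitimately use RC4 until their next password change, so expect a baseline of RC4 traffic and compare each account against its own history rather than alerting on every 0x17; and the allowlist should shrink over time, since every entry on it is a host against which the downgrade described above still works.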