d2jsp Forums > Off-Topic > Computers & IT > Hacking The Gibson > Hacker News
Member
Posts: 13,425
Joined: Sep 29 2007
Gold: 0.00
Warn: 20%
Dec 9 2012 10:06am
Will keep this updated when I can.


Samsung printers have a secret admin account backdoor

US-CERT warns that some Samsung printers, including models the Korean company made for Dell, have a backdoor administrator account coded into their firmware.

This hard-coded admin account in the firmware could enable attackers to change the printers' configuration, read their network information or stored credentials, and access sensitive information passed to them by users.



Even if SNMP is disabled, this "backdoor administrator account" is still active and could be used by an attacker to access the printer. SNMP is an Internet protocol commonly used to monitor and read statistics from network-attached devices.

US-CERT did not provide a list with the exact printer models affected by the issue, but said that, according to Samsung, models released after Oct. 31, 2012, are not vulnerable. As for the Dell model, Samsung builds Dell printers such as the B1160w modeled after Samsung's ML-2165W compact all-in-one printer. It's unclear what other Dell branded printers may be affected.


Hardware-based malware steals contacts from all mobile platforms using only the audio jack

Indian security researcher Atul Alex presented his surprise paper at the International Malware Conference, MalCon, on what can be termed the onset of a next generation of hardware-based malware that can target mobile devices irrespective of platform.

Typically, one of the largest challenges for malware coders is targeting multiple platforms. Malware for Android will not work on Windows Phone, Symbian or Apple iOS, which gets in the way of malware coders. Also, devices such as the iPhone are extremely secure and there is little that can be extracted from a locked/secure iPhone unless it is jailbroken.
Atul Alex's research abuses the voice dialing feature, which is enabled by default on all mobile platforms, and combines a bugged headset with a microcontroller and code to steal private data. The bugged headset can also dial a pre-defined number by detecting whether the device is in use or not and turn the phone into a spy device. Further, it can steal contacts from all devices (BlackBerry, iPhone, Symbian, Windows and Android) without putting malware inside the mobile phone.

The bugged headset can in fact mimic voice commands and send them to the device discreetly, and Alex mentioned that advanced software like Siri can in fact aid hackers in future in sending unauthorized text messages as well as extracting personal data and device information.

Any mobile device running Google Android, Microsoft Windows Phone, Apple iOS 5, or BlackBerry OS provides voice command capabilities. Some of the other possibilities include learning call duration and even recording users' incoming and outgoing calls. And all this is possible just by plugging a bugged headset into the audio jack.

This has long-term implications and paints a grim future for electronic warfare. Malware can now target people across all platforms, irrespective of whether 0-days in browsers, OSes etc. are present or not, and the last thing one would suspect is a gifted headset or speaker dock for your device.


Algerian hacker hijacks Romanian Google and Yahoo domains

An Algerian hacker today hijacked the DNS of Yahoo, Microsoft, Google and PayPal, redirecting users to a defacement page. Credit is being taken by a hacker going by the name MCA-CRB, a serial website defacer.

MCA-CRB is a prolific online graffiti artist who has defaced at least 5,000 sites, according to records kept by Zone-H. After the hijacking, both domains resolved to an IP address located in the Netherlands, 95.128.3.172 (server1.joomlapartner.nl).



“When we heard about this incident, we were pretty skeptical about the attack. A site such as Google’s can be theoretically hacked, but it is very unlikely. Then we noticed that both domains were directed to an IP address in the Netherlands […], so it seemed more like a DNS poisoning attack,” said Stefan Tanase from Kaspersky Lab Romania.

"All we know is that Google's public DNS servers (8.8.8.8 and 8.8.4.4) were resolving requests for google.ro and other major .RO websites to the IP address hosting the defacement page," Tanase said.

Google Romania also explained it was a domain issue and the company is currently investigating the issue with the organization responsible for managing domain names in Romania, Romania Top Level Domain.
Member
Posts: 13,425
Joined: Sep 29 2007
Gold: 0.00
Warn: 20%
Dec 9 2012 10:14am
Shylock malware: Undetectable virus stealing bank account information

Shylock, a financial malware platform discovered by Trusteer in 2011, is a non-Zeus-based information-stealing trojan with an improved methodology for injecting code into additional browser processes to take control of a computer, and an improved evasion technique to prevent malware scanners from detecting its presence.

Why this name? Shylock, named after the ruthless money lender in Shakespeare's The Merchant of Venice, also deletes its installation files, runs solely in memory, and begins the process again once the infected machine reboots.
Shylock has gained a new trick: the ability to detect whether it's running in a virtual machine (VM) that is being analyzed by malware researchers.

What's new? The latest Shylock dropper detects a remote desktop environment by feeding invalid data into a certain routine and then observing the error code returned. It uses this return code to differentiate between normal desktops and other "lab" environments. In particular, when executed from a remote desktop session the return code will be different and Shylock won't install. It is possible to use this method to identify other known or proprietary virtual/sandbox environments as well.

However, it is unclear how long such a trick will help it evade detection, because evasion tactics aren't actually that effective. In February researchers found that none of the world's top 20 malware families except for Conficker try to detect virtual machines.


European Space Agency SQL vulnerability exploited

The European Space Agency (ESA) is an intergovernmental organisation dedicated to the exploration of space. A hacker going by the name "SlixMe" found and exploited a SQL injection vulnerability on a subdomain of the website.

The hacker uploaded a dump to his website, http://slixme.me/dumps/ESAInt.txt, where he also disclosed the vulnerable SQLi link and the database tables. The hacker also mentioned that 5 other domains are hosted on the same server, which could be exploited if he were to succeed in exploiting one site completely.

Exploited domain: http://television.esa.int/

The method is mentioned as "PostgreSQL AND error-based - WHERE or HAVING clause". In further disclosure, the injection payload was also published.


Multiple MySQL database Zero-Day vulnerabilities published


A researcher discovered multiple zero-day vulnerabilities in the MySQL database software, including a stack-based buffer overrun, heap-based overrun, privilege elevation, denial of service and remote preauth user enumeration.

Common Vulnerabilities and Exposures (CVE) identifiers assigned:
CVE-2012-5611 — MySQL (Linux) Stack based buffer overrun PoC Zeroday
CVE-2012-5612 — MySQL (Linux) Heap Based Overrun PoC Zeroday
CVE-2012-5613 — MySQL (Linux) Database Privilege Elevation Zeroday Exploit
CVE-2012-5614 — MySQL Denial of Service Zeroday PoC
CVE-2012-5615 — MySQL Remote Preauth User Enumeration Zeroday


Currently, all reported bugs are under review and most researchers believe that some of these may be duplicates of existing bugs.

CVE-2012-5612 and CVE-2012-5614 could cause the SQL instance to crash, according to researchers. Whereas another interesting bug, CVE-2012-5615, allows an attacker to find out whether or not a given username exists on the MySQL server from the "Access denied" reply.

Eric posted a MySQL Database Privilege Elevation 0day exploit demo:

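Defender-side detection for the CVE-2012-5615 behaviour described above, added here as an example (not from the post or from MySQL): a username probe shows up in the MySQL 5.5 error log as one client being denied as many different user names within a short window, whereas ordinary password guessing repeats one name. The log lines are constructed; the 60-second window and five-user threshold are assumptions, and the error log only records denials when log_warnings is at least 2.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the MySQL 5.5 error-log format
# ("<yymmdd> <hh:mm:ss> [Warning] Access denied for user ..."). Hosts and names are made up.
SAMPLE_LOG = """\
121209 10:06:01 [Warning] Access denied for user 'admin'@'203.0.113.7' (using password: YES)
121209 10:06:01 [Warning] Access denied for user 'backup'@'203.0.113.7' (using password: YES)
121209 10:06:02 [Warning] Access denied for user 'web'@'203.0.113.7' (using password: YES)
121209 10:06:02 [Warning] Access denied for user 'nagios'@'203.0.113.7' (using password: YES)
121209 10:06:03 [Warning] Access denied for user 'test'@'203.0.113.7' (using password: YES)
121209 10:06:03 [Warning] Access denied for user 'mysql'@'203.0.113.7' (using password: YES)
121209 10:07:10 [Warning] Access denied for user 'app'@'10.0.0.5' (using password: YES)
121209 10:07:41 [Warning] Access denied for user 'app'@'10.0.0.5' (using password: YES)
"""

# MySQL pads single-digit hours with a space, hence "[ \d]\d" for the hour field.
DENIED_RE = re.compile(
    r"^(?P<ts>\d{6} [ \d]\d:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)'"
)


def parse_denials(text):
    """Yield (timestamp, user, host) for every 'Access denied' line in the log text."""
    for line in text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            ts_text = m.group("ts").replace("  ", " 0")  # normalise a space-padded hour
            yield datetime.strptime(ts_text, "%y%m%d %H:%M:%S"), m.group("user"), m.group("host")


def find_enumeration(text, window=timedelta(seconds=60), min_users=5):
    """Return {host: sorted distinct user names} for every client host that was
    denied as at least `min_users` different accounts within one `window`.

    The distinct-user count is the signal: a brute-force attempt against a single
    account repeats one name, while an enumeration probe cycles through many.
    """
    by_host = defaultdict(list)
    for ts, user, host in parse_denials(text):
        by_host[host].append((ts, user))

    flagged = {}
    for host, events in by_host.items():
        events.sort()
        best = set()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users and len(users) > len(best):
                best = users
        if best:
            flagged[host] = sorted(best)
    return flagged


if __name__ == "__main__":
    for host, users in find_enumeration(SAMPLE_LOG).items():
        print(f"possible user enumeration from {host}: {', '.join(users)}")
```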

Member
Posts: 13,425
Joined: Sep 29 2007
Gold: 0.00
Warn: 20%
Dec 9 2012 10:21am
New Linux rootkit attacks internet users

Security researchers have discovered what appears to be an experimental Linux rootkit designed to infect its highly select victims during a classic drive-by website attack. The malware allows hackers to inject code directly into any infected web page. The new malware, discovered on November 13 of this year, was written especially for 64-bit servers that run Debian Squeeze and NGINX.

About the rootkit: Rootkit.Linux.Snakso.a is designed to infect Linux kernel version 2.6.32-5-amd64 and adds an iframe to all web pages served by the infected Linux server via the nginx proxy. Based on research, the rootkit may have been created by a Russia-based attacker.
The recently discovered malware is very dangerous because it does not infect a specific website. It infects the entire server, and this can endanger all websites hosted on that server. Drive-by downloads expose web surfers to malicious code that attempts to exploit unpatched software vulnerabilities in the web visitor's PC or handheld. Security holes in web browsers, Java and Flash plugins and the underlying operating system are typical targets.

Security researcher Georg Wicherski said that the code does not seem to be a variant of a publicly available rootkit, but a result of "contract work of an intermediate programmer with no extensive kernel experience". The malware is also likely to have been customized by the buyer, which introduced critical flaws.

The rootkit looks like a work in progress, and contains enough programming rough edges to mark it out as 'in development'. The malware's relatively large binary size of 500k and the inclusion of debug code are another giveaway that this might be a work in progress.


Remote Zero-Day exploit for Tectia SSH server released


Hacker @kingcope discovered a critical vulnerability in Tectia SSH Server. The exploit works on SSH-2.0-6.1.9.95 SSH Tectia Server (the latest available version from www.tectia.com) and allows an attacker to bypass authentication remotely.

Description: An attacker in possession of a valid username of an SSH Tectia installation running on UNIX (verified on AIX/Linux) can log in without a password. The bug is in the "SSH USERAUTH CHANGE REQUEST" routines, which are there to allow a user to change their password. A bug in the code allows an attacker to log in without a password by forcing a password change request prior to authentication.

A default installation on Linux (version 6.1.9.95 of Tectia) is vulnerable to the attack. Eric Romang posted a demo video on YouTube; hope you will like it :)



Sensitive information of 1 million people breached at Nationwide Insurance

Nationwide Insurance was breached last week and sensitive information of about 1 million people is at risk. The FBI is investigating the breach, which affected both policy holders and non-policy holders.

Nationwide mailed notices to all affected individuals last Friday. Insurance Commissioner Ralph Hudgens issued the following statement Monday concerning the unauthorized access of Nationwide Insurance's website.

Spokeswoman Elizabeth Giannetti confirmed a statement by the California Department of Insurance earlier in the day which said “names, social security numbers, and other identifying information” of one million policyholders and non-policy holders were exposed. No credit card details were revealed.
About 30,000 people in Georgia were affected, as well as more than 12,000 in South Carolina.

Are you affected? Call Nationwide at 800-760-1125. Affected members and applicants get free credit monitoring and identity theft protection services from Equifax for at least one year.

The insurance company has not provided details on how a database on its computer system was compromised.


edit:: that's all for now, I'll be back in a few hours

This post was edited by AbDuCt on Dec 9 2012 10:22am
Member
Posts: 13,425
Joined: Sep 29 2007
Gold: 0.00
Warn: 20%
Dec 11 2012 10:42am
New Mac Malware 'Dockster' Found on Dalai Lama site

A new trojan horse app called Dockster is targeting Mac users by exploiting a known Java vulnerability, CVE-2012-0507. The trojan is apparently being delivered through a website (gyalwarinpoche.com) dedicated to the Dalai Lama and once installed can collect user keystrokes and other personal information.
Mac in danger? Earlier this spring, a Russian security firm discovered a trojan piece of malware that took advantage of a Java vulnerability on many computers, Macs and PCs alike. This trojan, known as "Flashback," was used to enlist some 600,000 infected computers into a botnet.

The malware also provides an interface that allows attackers to download and execute additional malware. Dockster has been found to use the same exploit code as the previous SabPub virus to gain access through a backdoor. Dockster is also said to launch an agent called mac.dockset.deman, which restarts each time a user logs in to their Mac.

Dockster is only the latest Mac-based threat to hit organizations and people sympathetic to Tibet's conflict with the Chinese government.

In April, another piece of malware, known as “Backdoor.OSX.SabPub,” or “SabPub” was found and distributed through Microsoft Office files sent to those who may sympathize with Tibet. The attackers behind SabPub used a technique known as “Spear-Phishing,” a practice used to target smaller groups of people as opposed to sending out mass emails in hopes that someone will click a link.

In September, security firm AlienVault said it had discovered the creator of the PlugX Remote Access Tool (RAT), which had been used by hackers from various countries to target Tibet. The creator hailed from China.


Necurs rootkit infects 83,427 machines in November

A rootkit named "Necurs" infected 83,427 unique machines during the month of November 2012. It is a multi-purpose rootkit capable of posing a threat to both 32- and 64-bit Windows systems. It is distributed via drive-by download on websites that host the BlackHole exploit kit.
Like other rootkits it is able to hide itself from detection and is also capable of downloading additional malware from outside. Attackers can maintain remote access to a machine this way in order to monitor activity, send spam or install scareware.

The rootkit also stops security applications from functioning, hence no detection. Microsoft lists this as Trojan:Win32/Necurs.

Trojan:Win32/Necurs is a family of malware that works together to download additional malware and enable backdoor access and control of your computer. The malware can be installed on its own or alongside rogue security software, such as Rogue:Win32/Winwebsec.



The malware downloads itself into the folder "%windir%\Installer\", where is a unique number that identifies your computer, for example "%windir%\Installer\{df3d9e18-342c-8c07-8dab-13e76d8b4322}".

Moreover, some variants of Trojan:Win32/Necurs can inject code into all running processes. The injected code is known as a "dead byte"; certain system processes will cause your computer to restart if they are injected with this code.

Strong anti-security features are provided by the Necurs driver. The driver has a very clear goal: protecting every Necurs component from being removed.

This example shows that malicious software is growing more sophisticated and is starting to include various components that serve individual purposes. These threats may target various versions of operating systems or even different software platforms.


Tumblr worm affects thousands of blogs, spams offensive articles

A notorious group of Internet trolls says it has unleashed a worm that has littered Tumblr blogs with inflammatory and racist posts, a massive bug affecting some 8,600 unique Tumblr users. The Gay Nigger Association of America took responsibility for the attack.

The infected post begins: "Dearest 'Tumblr' users, This is in response to the seemingly pandemic growth and world-wide propagation of the most fucking worthless, contrived, bourgeoisie, self-congratulating and decadent bullshit the internet ever had the fortune of facilitating."



How did the worm work? The worm took advantage of Tumblr's reblogging feature, meaning that anyone who was logged into Tumblr would automatically reblog the infectious post if they visited one of the offending pages, Naked Security said.

In a message posted to the company's official Twitter account, the blogging site said, "We are aware that there is a viral post circulating on Tumblr. We are working to resolve the issue as swiftly as possible. Thank you."
The Gay Nigger Association of America (GNAA) is an anti-blogging Internet-trolling organization. They have trolled several prominent websites and Internet personalities including Slashdot, Wikipedia, CNN, Barack Obama's campaign website, Alex Jones, and prominent members of the blogosphere.

They have also released software products and leaked screenshots and information about upcoming operating systems. In addition, they maintain a wiki-based site dedicated to Internet commentary and a software repository.

The micro-blogging site says its engineers are working on a fix.
Member
Posts: 25,793
Joined: Oct 7 2005
Gold: 9,510.00
Dec 11 2012 11:07am
A bug in the code allows an attacker to login without a password by forcing a password change request prior to authentication.


ROFL
Member
Posts: 13,425
Joined: Sep 29 2007
Gold: 0.00
Warn: 20%
Dec 16 2012 12:53pm
Facebook helps FBI shut down Butterfly botnet that stole $850 million

The U.S. Department of Justice said on Tuesday that they've arrested 10 suspects from Bosnia and Herzegovina, Croatia, Macedonia, New Zealand, Peru, the United Kingdom, and the United States involved in a global botnet operation that infected more than 11 million systems. The ring is said to have caused more than $850m in losses in one of the largest cyber crime hauls in history.

Officials said international cyber crime rings are linked to the Butterfly (aka Mariposa) botnet, first discovered in December 2008 and shut down a year later, which infected over 12 million PCs worldwide and was spread primarily through file-sharing and instant messaging attacks. It also harvested financial information from over 800,000 victims.

FBI said, "Facebook's security team provided assistance to law enforcement throughout the investigation by helping to identify the root cause, the perpetrators, and those affected by the malware. Yahos targeted Facebook users from 2010 to October 2012, and security systems were able to detect affected accounts and provide tools to remove these threats."

How does Butterfly actually fly? A botnet is a network of computers that have been infected by a virus that allows a hi-tech criminal to use them remotely. The Butterfly botnet spread itself using variants of Yahos (a virus that spreads itself by sending links via social networks and instant messaging); victims then clicked on the malicious link, launching the Yahos attack. The malware, which in some variants disguised itself as an NVIDIA video driver, then downloaded and installed the botnet controls and browser exploits that captured users' credit card and bank account information.

Variations on the Yahos malware have been infecting users for years, spreading initially via instant messenger platforms like AIM and Yahoo! messenger.

Experts say cybercrime is on the rise around the world as PC and mobile computing become more prevalent, and as more and more financial transactions shift online.

$36,000 USD reward for wanted hacker

Japan's National Police Agency has offered a monetary reward for a wanted hacker who used programming languages like C# to create a virus called "iesys.exe" and hijacked the systems of innocent people to post aggressive messages on the Internet on their behalf.

The method, called a "Syberian Post Office", was used to post messages to a popular Japanese bulletin board. The hacker used a cross-site request forgery exploit that allows hackers to make online postings via innocent users automatically. The messages included warnings of plans for mass killings at an elementary school posted to a city website.

It is the first time that Japan's National Police Agency has offered a monetary reward for a wanted hacker and will pay up to 3 million yen (US$36,000). The case is an embarrassing one for the police, in which earlier this year four individuals were wrongly arrested after their PCs were hacked and used to post such messages on public bulletin boards.

"Up until now this type of reward was reserved for cases involving crimes like murder and arson, but the policy has recently been changed to include more types of crimes," an agency spokeswoman said.

Cisco VoIP phone vulnerability allows remote eavesdropping

Cui, a fifth year grad student from the Columbia University Intrusion Detection Systems Lab and co-founder of Red Balloon Security, has demonstrated an attack on common Cisco-branded Voice over IP (VoIP) phones that could easily eavesdrop on private conversations remotely.

The vulnerability Cui demonstrated was based on work he did over the last year on what he called ‘Project Gunman v2’, where a laser printer firmware update could be compromised to include additional, and potentially malicious, code.

The latest vulnerability is based on a lack of input validation at the syscall interface, which, Cui said, "allows arbitrary modification of kernel memory from userland, as well as arbitrary code execution within the kernel. This, in turn, allows the attacker to become root, gain control over the DSP, buttons, and LEDs on the phone."

While he did not specify the precise vulnerability, Cui said it allowed him to patch the phone's software with arbitrary pieces of code, and that this allowed him to turn the Off-Hook Switch into what he called a funtenna.

According to Cui, once one phone is compromised, the entire network of phones is vulnerable. Cui later said he could also perform a similar exploit remotely, without the need to insert a circuit board at all.

He also said that routers, printers and phones are general-purpose computers without host-based intrusion systems or antivirus protection built in, so they make attractive targets. Further, they often lack encryption for data in motion or at rest.

Cui said affected models include Cisco Unified IP Phone 7975G, 7971G-GE, 7970G, 7965G, 7962G, 7961G, 7961G-GE, 7945G, 7942G, 7941G, 7941G-GE, 7931G, 7911G, and 7906. Models 7971G-GE, 7970G, 7961G, 7961G-GE, 7941G, 7941G-GE, and 7906 are also vulnerable.

In response to his findings, Cisco says that workarounds and a software patch are available to address the issue, and that successful exploitation requires physical access to the device serial port or a combination of remote authentication privileges and non-default settings.
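Both the Tumblr reblog worm in the earlier post and the "Syberian Post Office" above ride on a logged-in browser performing a state-changing action its user never asked for. Added here as an example (not code from the post, Tumblr or the bulletin board in question) is the server-side check that defeats the cross-site variant: the action must arrive by POST, from the site's own origin, and carry a per-session token that a third-party page cannot read. The secret, origin and request layout are constructed; note that a token check does not stop script injected into the site itself, which needs output encoding.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed demo values: a real deployment loads the secret from configuration.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"
SITE_ORIGIN = "https://blog.example"


def issue_csrf_token(session_id, secret=SERVER_SECRET):
    """Derive the anti-forgery token for a session (HMAC-SHA256 of the session id).

    The site embeds this token in its own forms and scripts. A page on another
    origin can make the browser send the session cookie, but it cannot read the
    token, so it cannot produce a request that passes authorize_state_change().
    """
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def _same_origin(header_value, expected_origin):
    """True if an Origin/Referer header value points at the protected site."""
    if not header_value:
        return False
    parts = urlsplit(header_value)
    return f"{parts.scheme}://{parts.netloc}" == expected_origin


def authorize_state_change(request, secret=SERVER_SECRET, site_origin=SITE_ORIGIN):
    """Decide whether a reblog/post request may proceed.

    `request` is a constructed dict: {"method", "session_id", "headers", "form"}.
    Returns (allowed, reason). The order of checks matters little for security,
    but rejecting GET first ensures a mere page visit can never change state.
    """
    if request["method"] not in ("POST", "PUT", "DELETE"):
        return False, "state changes must not be reachable via GET"

    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    source = headers.get("origin") or headers.get("referer")
    if not _same_origin(source, site_origin):
        return False, "cross-origin request"

    expected = issue_csrf_token(request["session_id"], secret)
    supplied = request.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid csrf token"
    return True, "ok"


def demo():
    """Legitimate reblog from the site's own page versus a forged one from elsewhere."""
    session = "constructed-session-id"
    legit = {"method": "POST", "session_id": session,
             "headers": {"Origin": SITE_ORIGIN},
             "form": {"csrf_token": issue_csrf_token(session), "post_id": "1"}}
    forged = {"method": "POST", "session_id": session,
              "headers": {"Origin": "https://attacker.example"},
              "form": {"post_id": "1"}}
    return authorize_state_change(legit), authorize_state_change(forged)
```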
Member
Posts: 13,425
Joined: Sep 29 2007
Gold: 0.00
Warn: 20%
Dec 17 2012 12:12pm
I am the guy who hacked HoN

The popular game Heroes of Newerth, developed by S2, was recently breached by a hacker going by the aliases RyanC and Ryan_HTP. He has gained access to the entire user database and had been selling accounts for many days until he posted a disclosure notice on reddit. It is advised all users change their passwords for anything that is linked to HoN, including emails and accounts sharing the same password. Ryan_HTP has claimed that there is not only one security hole on HoN's website but rather quite a few, and some more serious than others. One he claimed can allow him to run remote code on the servers themselves, and that the actual clients may also be easily exploitable. As for the passwords themselves inside the database, they were encrypted using a one-way hashing algorithm and a salt, but he stated that the salts were so short that they didn't impede the speed of cracking the popular accounts of big league players and shoutcast streamers. He has contacted S2 about the breaches and he says they have still not patched any of the exploits, and until they do he will not release the breach points into full disclosure.

http://www.reddit.com/r/HeroesofNewerth/comments/14zj2p/iamtheguywhohackedhon/

edit:: I did a small writeup to summarize this, sorry if it's bad, this isn't released on news sites yet.

This post was edited by AbDuCt on Dec 17 2012 12:15pm
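The writeup above blames short salts for how quickly the hashed HoN passwords fell. As an added example (not S2's code or anything from the breach), the defender's side of that: password records with a 16-byte random per-user salt and a slow KDF, plus an audit that flags stored records whose salt or work factor is too small. The record format, salt size and iteration count are constructed choices, not values from the page.

```python
import hashlib
import hmac
import secrets

# Constructed policy for new records (assumed figures, not from the post).
SALT_BYTES = 16          # 128-bit random salt per account
ITERATIONS = 200_000     # PBKDF2-HMAC-SHA256 work factor per guess


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh random salt per user means one guess can only be compared against
    one account and precomputed tables become useless; the iteration count
    makes each guess expensive, which is what actually slows an attacker down.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def audit_record(record, min_salt_bytes=SALT_BYTES, min_iterations=ITERATIONS):
    """List the weaknesses of a stored record; an empty list means it meets policy.

    Legacy records are assumed to look like 'sha1$<salt hex>$<hash hex>' (constructed
    layout): a single fast hash, however it is salted, costs almost nothing per guess.
    """
    problems = []
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        problems.append("fast or unsalted hash; migrate to a slow KDF on next login")
        return problems
    _, iterations, salt_hex, _ = parts
    salt_len = len(bytes.fromhex(salt_hex))
    if salt_len < min_salt_bytes:
        problems.append(f"salt is {salt_len} bytes; want at least {min_salt_bytes}")
    if int(iterations) < min_iterations:
        problems.append(f"{iterations} iterations; want at least {min_iterations}")
    return problems


def audit_store(records):
    """Map each record to its problems, skipping records that pass."""
    return {rec: probs for rec in records if (probs := audit_record(rec))}
```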
Member
Posts: 795
Joined: Sep 30 2002
Gold: 0.00
Dec 17 2012 02:12pm
This is a great thread, subscribing. Thanks.
Member
Posts: 9,140
Joined: May 29 2005
Gold: 172.01
Dec 17 2012 06:05pm
Been wondering what happened to HoN.
Member
Posts: 14,068
Joined: Jun 27 2005
Gold: 64,387.52
Dec 17 2012 08:38pm
Quote (IIFOXII @ Dec 17 2012 07:05pm)
Been wondering what happened to HoN.


Yeah, he got a hold of the database and he is selling people's accounts at 35 a pop. Change your password if you play the game because he has access to everyone's password; if you used the same password on League I suggest changing that as well. He grabbed a few good League accounts.