Windows zero day vulnerability publicly exposed by Google engineer

A Google security engineer has not only discovered a Windows zero-day flaw, but has also stated that Microsoft has a knack for treating outside researchers with great hostility.

Tavis Ormandy, a Google security engineer, exposed a flaw on Full Disclosure that could be used to crash PCs or gain additional access rights. The issue is less critical than other flaws because it is not remotely exploitable.

Ormandy said on Full Disclosure, "I don't have much free time to work on silly Microsoft code, so I'm looking for ideas on how to fix the final obstacle for exploitation."

He has been working on it for months and, according to a later post, now has a working exploit that "grants SYSTEM on all currently supported versions of Windows."

"I have a working exploit that grants SYSTEM on all currently supported versions of Windows. Code is available on request to students from reputable schools," Ormandy adds.

Microsoft acknowledged the vulnerability late Tuesday: "We are aware of claims regarding a potential issue affecting Microsoft Windows and are investigating."

Ormandy also insulted Microsoft on Full Disclosure, saying "As far as I can tell, this code is pre-NT (20+ years) old, so remember to thank the SDL for solving security and reminding us that old code doesn't need to be reviewed ;-)."

Security company Secunia has also picked up on the flaw, saying it could be used in a privilege escalation attack or a denial of service hit. “The vulnerability is confirmed on a fully patched Windows 7 x86 Professional (win32k.sys version 6.1.7601.18126) and reported on Windows 8. Other versions may also be affected.”

Ormandy had first published information about the vulnerability in March to GitHub in an effort to solicit help or entice other researchers to investigate.

New Android malware forwards incoming messages to hacker

A new type of Android malware that can intercept text messages and forward them to attackers has been discovered by the Russian firm Doctor Web. This is a serious threat to users, because attackers can use the malware to capture the two-factor authentication codes sent for email or bank accounts.
The malware, dubbed Android.Pincer.2.origin, is the second variant of the original Android.Pincer malware and is distributed as a security certificate that the user is prompted to install.

Upon launch, Android.Pincer.2.origin shows the user a fake notification that the certificate was installed successfully; after that, the Trojan performs no noticeable activity for a while.

Android.Pincer.2.origin then connects to a server and sends text messages along with other information: the smartphone model, serial number, IMEI, phone number and the Android version in use.

The malware then receives commands from the server in the following format:
  • start_sms_forwarding [telephone number] - begin intercepting messages from the specified number
  • stop_sms_forwarding - stop intercepting messages
  • send_sms [phone number and text] - send a short message using the specified parameters
  • simple_execute_ussd - send a USSD message
  • stop_program - stop working
  • show_message - display a message on the screen of the mobile device
  • set_urls - change the address of the control server
  • ping - send an SMS containing the text 'pong' to a previously specified number
  • set_sms_number - change the number to which messages containing the text string 'pong' are sent
The command start_sms_forwarding is of particular interest since it allows attackers to indicate the number from which the Trojan needs to intercept messages. This feature enables criminals to use the Trojan for targeted attacks and steal specific messages.
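For an analyst who has captured this Trojan's command stream (from a sandbox run or intercepted traffic), the commands above can be reduced to the facts that matter during incident response: which numbers the operator asked to intercept, where the 'pong' beacons and forwarded messages go, and whether the control server moved. The following is an added example, not code from the article or from Doctor Web; the command names are those listed above, while the plain "command argument" line framing and the sample capture are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# Command names are those Doctor Web lists for Android.Pincer.2.origin.
# The "command<space>argument" line framing is an assumption made for
# this example; the real wire format is not described in the article.
PHONE_RE = re.compile(r"^\+?\d{6,15}$")
KNOWN = {"start_sms_forwarding", "stop_sms_forwarding", "send_sms",
         "simple_execute_ussd", "stop_program", "show_message",
         "set_urls", "ping", "set_sms_number"}

@dataclass
class Triage:
    intercepted: set = field(default_factory=set)  # numbers targeted for interception
    exfil_number: str = ""                          # where 'pong' beacons are sent
    c2_urls: list = field(default_factory=list)     # every control-server change
    sent_sms: list = field(default_factory=list)    # outbound SMS ordered by the C2
    unknown: list = field(default_factory=list)     # lines that did not parse

def parse_command(line: str) -> tuple:
    """Split one captured C2 line into (command, argument); argument is '' if absent."""
    cmd, _, arg = line.strip().partition(" ")
    return cmd, arg.strip()

def triage(lines) -> Triage:
    """Reduce a captured command stream to the facts an IR analyst needs."""
    t = Triage()
    for line in lines:
        cmd, arg = parse_command(line)
        if cmd == "start_sms_forwarding" and PHONE_RE.match(arg):
            t.intercepted.add(arg)          # the targeted-attack indicator
        elif cmd == "set_sms_number" and PHONE_RE.match(arg):
            t.exfil_number = arg
        elif cmd == "set_urls" and arg:
            t.c2_urls.append(arg)
        elif cmd == "send_sms" and PHONE_RE.match(arg.partition(" ")[0]):
            number, _, text = arg.partition(" ")
            t.sent_sms.append((number, text))
        elif cmd in KNOWN and cmd != "send_sms":
            pass                            # valid command, no state worth recording
        else:
            t.unknown.append(line)          # malformed or unrecognised: inspect by hand
    return t

# Constructed sample capture (not real traffic); 555-01xx numbers are fictional.
SAMPLE_CAPTURE = [
    "set_sms_number +15550100",
    "start_sms_forwarding +15550123",
    "ping",
    "set_urls http://c2.invalid/panel",
    "send_sms +15550199 transfer code please",
    "bogus_cmd 42",
]

if __name__ == "__main__":
    print(triage(SAMPLE_CAPTURE))
```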

Reporters legally threatened after revealing vulnerability that exposes sensitive data of 170,000 customers

For millions of low income families, the federal government's Lifeline program offers affordable phone service. But an online security lapse has exposed tens of thousands of them to an increased risk of identity theft, after their Social Security numbers, birth dates and other pieces of highly sensitive information were included in files posted publicly online.

Reporters with Scripps were investigating Lifeline, a government benefit program that provides low-income Americans with discounted phone service, when they came across the sensitive data. Through a basic Google search they discovered 170,000 Lifeline phone customer records online, containing everything needed for identity theft.
They asked for an interview with the COO of TerraCom and YourTel, the telcos that administer Lifeline, but the companies instead threatened the reporters who had found the security hole in their Lifeline phone system with charges under the Computer Fraud and Abuse Act. Then the blame-the-messenger hacker accusations and mudslinging began.

The Scripps reporters videotaped the process showing how they found the documents. Attorney Jonathon Lee, acting for both telecoms outfits, accused the journalists of violating the Computer Fraud and Abuse Act (CFAA).

Lee wrote a letter telling Scripps that the intrusions and downloading of sensitive records were associated with Scripps IP addresses. The companies assert that the personal data was only accessible to the reporters through the use of sophisticated computer techniques.

Lee’s letter continues: “…by gaining unauthorized access into confidential computer files maintained for the Companies by Vcare, and by digitally transferring the information in these folders to Scripps. I request that you take immediate steps to identify the Scripps Hackers, cause them to cease their activities described in this letter and assist the companies in mitigating the damage from the Scripps Hackers’ activities.”

The Scripps case bears some resemblance to a similar incident involving Andrew "weev" Auernheimer, who was sentenced in March to 41 months in prison after he found a security flaw in AT&T’s public website and used it to harvest the email addresses of over 114,000 iPad users.

What is interesting is how a corporation can use the Computer Fraud and Abuse Act to try to cover up its own security failures.

Hack Battle at 'The Hacker Conference 2013' with CTF365

The Hacker Conference has partnered with CTF365 to provide the best CTF experience during the conference. While trying to find out more about their product and about their CTF surprise, I got an interview with Marius Corici, co-founder and CEO of CTF365.
Q: November 2012 was when you first announced this project, which was supposed to start at the beginning of 2013. What happened that made you delay the starting date?
A: Well, we’re definitely enthusiastic about making CTF365 the greatest CTF platform out there, and this is proving to be much more difficult than initially anticipated. I won’t get into detail, because, as it happens, the story is like something pulled out of the theater of the absurd. If we ever got a chance to make a making-of CTF365 movie, I’m sure it would be amusing and tragic at the same time.

What I will say [and repeat], is that we are putting our best efforts into making CTF365 work, we are a small and committed team, which is a problem [for us] but not an excuse [for everyone else], and… yeah, we’re definitely trying to get this done and work.

Q: How did security enthusiasts receive the CTF365 project?
A: The response so far has been more than great. We haven’t started yet, and already we have over 5000 registered users and about 300 teams ready to play the game. This is great and scary at the same time, because it’s putting pressure on us to get this ready asap, and also to make this work as great as possible.

Q: What's next? When will it be ready to launch?
A: We’re not keen on giving exact dates, because of our first attempt at setting an exact date. We’re preparing a first CTF campaign; I won’t go into details yet about that. We’re aiming with this campaign to also see how the platform works in a production setup; as we’ve already said, one of our goals is to also emulate real-life internet scenarios, where anything goes. We also know that most of our current users prefer offensive roles instead of defensive, so we took that into consideration as well for our first campaign. We’re also keen to see what happens.

Q: What makes your CTF special and different from what exists at this time on the internet?
A: Well, that’s an easy one really:
  1. The real-life internet. Besides different campaigns for fun, we'll have networks where users will be able to play/attack hundreds and thousands of VMs. That also means letting security enthusiasts train as they would in real scenarios, DoS and DDoS included.
  2. Pushing CTF to last 365 days.
  3. Making it easy for everybody to set up their own CTF using our platform. This will help InfoSec vendors and security training companies to better train their students, and to market and test their products through gamification.
Q: What do you mean by “...set up their own CTF”?
A: We will offer this service to all companies that want to set up a CTF competition. Imagine that you are an infosec training company. Offering a CTF to your students will increase the learning retention rate, not to mention the entertaining side of the game.

Q: What do you have in mind for The Hacker Conference CTF competition?
A: Keeping in mind that the event (THC) will take place in India, we'll build a custom storyline tailored for the Asia-Pacific region.

Q: Any particular message for our readers?
A: We think that learning security through gamification is the best way to learn security, and that's why we urge everybody to start playing CTFs.

About 'The Hackers Conference': it is a unique event where the best minds in the hacking world, leaders in the information security industry and the cyber community, along with policymakers and government representatives on cyber security, meet face-to-face to join their efforts and cooperate in addressing the most topical issues in the Internet security space.

This is the second edition of the Conference. Following the huge success of the conference last year, the current edition brings back to you all the knowledge and all the fun in a better, grander way! The Conference will be held in New Delhi on 25 August 2013, and will bring together industry leaders, government representatives, academia and underground black-hat hackers to share knowledge and leading-edge ideas about information security and everything related to it.

Venue : India Habitat Center, New Delhi, India
Timing: August 25, 2013 Sunday, 9am - 6pm.

Chinese hackers who breached Google in 2010 gained access to thousands of surveillance orders

In 2010, as part of what has been dubbed Operation Aurora, Chinese hackers infiltrated a special database within Google’s systems and obtained sensitive information about American surveillance targets.

Google reported the hack publicly years ago, saying that the sophisticated attack resulted in the theft of Google intellectual property and the partial compromise of some human rights activists' email accounts.
When the news first surfaced in 2010, Google said hackers stole the source code behind its search engine and targeted the email accounts of activists critical of China's human rights record. But it was recently revealed that the hackers also obtained surveillance information, including emails belonging to suspected spies, diplomats and terrorists whom law enforcement officials had been monitoring. Google reported this breach to the FBI, resulting in a national security investigation.

According to the sources, hackers were after the names of Chinese intelligence operatives who were the target of American surveillance. The extent of the compromise is not known. An FBI investigation did not uncover any evidence that the information had been used to hurt national security, and Google tightened its defenses in the aftermath.

Last month, a senior Microsoft official suggested Chinese hackers had targeted the company's servers about the same time Google's system was compromised. The official said Microsoft concluded that whoever was behind the breach was seeking to identify accounts that had been tagged for surveillance by US national security and law enforcement agencies.

The Operation Aurora attacks reportedly targeted at least 34 companies, including Adobe, Juniper, Rackspace, Symantec, Northrop Grumman, Morgan Stanley and Yahoo.

However, as with the 2010 attacks, the Chinese government has flatly denied it is involved with any of the recent hacking or cyber espionage.

FBI sponsored Ragebooter DDoS attack service

A website that can be described as "DDoS for hire" is perfectly legitimate, according to its owner. Malicious sites that offer attack services are no strangers to the Internet, but a site sponsored by law enforcement is another story altogether.

Ragebooter is one of many sites that accept payment through PayPal in order to flood sites with junk traffic, overloading servers and denying others access. The service uses a technique called DNS reflection to flood a website, amplifying the amount of traffic directed at the target address.

Unlike other sites that offer similar services, Ragebooter has a particularly interesting back door leading directly to the FBI. It seems that the Federal Bureau of Investigation uses the site to monitor the activity of its users, aided by an IP logger on the site that records the IP addresses of everyone who visits.

Investigation shows the site operator is a man named Justin Folland, located in Memphis, Tennessee. "Since it is a public service on a public connection to other public servers this is not illegal. Nor is spoofing the sender address. If the root user of the server does not want that used they can simply disable recursive DNS. My service is a legal testing service. How individuals use it is at their own risk and responsibilities. I do not advertise this service anywhere nor do I entice or encourage illegal usage of the product. How the user uses it is at their own risk. I provide logs to any legal law enforcement and keep logs for up to 7 days."

He first claimed that his service was not used to attack people but only for legitimate stress testing, then changed his story and said he was only managing the service for someone else. It is not clear whether he actually works with the FBI, but what is certain is that the service is alive and kicking. An FBI spokesman would neither confirm nor deny the claim.
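The operator's remark about disabling recursive DNS points at the one thing a server administrator actually controls: a resolver that answers recursive queries from anyone on the Internet is what reflection services lean on. The check below is an added example (not from the article or from Ragebooter): it builds a minimal DNS query with the recursion-desired bit set and classifies the reply, so an administrator can verify that their own resolver refuses recursion from outside its network. The server address, the query name (a domain the resolver is not authoritative for) and the constructed replies are placeholders.

```python
import socket
import struct

TXID = 0x1234  # fixed transaction id so the reply can be matched to the query

def build_query(name: str, txid: int = TXID) -> bytes:
    """Minimal DNS A query with RD (recursion desired) set, per RFC 1035."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields the check needs."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": an}

def classify(resp: bytes, txid: int = TXID) -> str:
    """Classify a reply to a recursive query for a name we are not authoritative for."""
    if len(resp) < 12:
        return "invalid"
    h = parse_header(resp)
    if h["id"] != txid or not h["qr"]:
        return "invalid"
    if h["ra"] and h["rcode"] == 0 and h["answers"] > 0:
        return "open-recursive"      # resolver recursed on our behalf: amplifier risk
    if h["rcode"] == 5:
        return "refused"             # recursion disabled or an ACL is in place
    return "non-recursive"

def probe(server: str, name: str = "example.com", timeout: float = 2.0) -> str:
    """Send the query to SERVER (a resolver you administer) and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "no-response"
    return classify(data)

# Constructed reply headers for offline use: QR|RD|RA with NOERROR and one answer
# (what an open resolver returns), and QR|RD with REFUSED and no answer.
SAMPLE_OPEN = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)
SAMPLE_REFUSED = struct.pack("!HHHHHH", TXID, 0x8105, 1, 0, 0, 0)

if __name__ == "__main__":
    print(classify(SAMPLE_OPEN), classify(SAMPLE_REFUSED))
```

Run probe() against your own resolver's public address from outside your network; "open-recursive" means it will answer for anyone and should be restricted to your own clients.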