Man-in-the-Middle | Breaking Cybersecurity News | The Hacker News

TWITTER is taking users' privacy and security very seriously and in an effort to prevent Government snooping, the company has secured your Twitter emails with with TLS (Transport Layer Security). Twitter emails were previously using a plain text communication protocol, that now has been upgraded to an encrypted (TLS or SSL) connection using STARTTLS . In a blog post, Twitter announced : " Since mid-January, we have been protecting your emails from Twitter using TLS in the form of StartTLS. StartTLS encrypts emails as they transit between sender and receiver and is designed to prevent snooping. It also ensures that emails you receive from Twitter haven't been read by other parties on the way to your inbox if your email provider supports TLS. " " These email security protocols are part of our commitment to continuous improvement in privacy protections and complement improvements like our securing of web traffic with forward secrecy and always-on HTT

Facebook has several security measures to protect users' account, such as a user " access token " is granted to the Facebook application (like  Candy Crush Saga, Lexulous Word Game ), when the user authorizes it, it provides temporary and secure access to Facebook APIs. To make this possible, users have to ' allow or accep t' the application request so that an app can access your account information with the required permissions. The Access Token stores information about permissions that have been granted as well as information about when the token will expire and which app generated it. Approved Facebook apps can publish or delete content on your behalf using the access tokens, rather than your Facebook password. Access tokens are pretty sensitive, because anyone who knows the access token of a user can access the user's data and can perform any actions on behalf of the user, till the token is valid. In Past years, Many Security Researchers

Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems? Let's break it down. The challenge Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function akin to diligent worker bees, each diligently performing its designated task, be it processing data, verifying credentials, or

Just two days before Apple has disclosed a critical Security flaw in the SSL implementation on the iOS software that would allow man-in-the-middle attacks to intercept the SSL data by spoofing SSL servers. Dubbed as CVE-2014-1266 , the so-called ' goto  fail; ' vulnerability in which the secure transport failed to validate the authenticity of the connection has left millions of Apple users vulnerable to Hackers and Spy Agencies, especially like the NSA . Last Friday, Apple had also released updated version iOS 7.0.6 to patch the vulnerability, which was first discovered in Apple's iOS Devices, but later company had acknowledged its presence in Mac OSX also, that could allow hackers to intercept email and other communications that are meant to be encrypted in iPhone, iPad and Mac computer. Affected versions include iOS up to version 7.0.5 and OS X before 10.9.2. Security Researchers confirmed , ' Nearly all encrypted traffic, including usernames, passwords, and

Your LinkedIn profile is your digital resume. Yesterday, LinkedIn launched a new app for for iOS devices called Intro ' LinkedIn Intro '. With this feature an email on your iPhone will display a picture of the sender, with useful profile info from LinkedIn. Basically, to use the service, a LinkedIn user must route all of their emails (any provider i.e. Hotmail, Gmail, Yahoo, etc.) through LinkedIn's 'Intro' servers, which will inject fancy business centric HTML profile right in your emails, as shown. But this also means that LinkedIn is now able to read the complete content of your emails and also can store the passwords to users' external email accounts. The feature is enough to destroy the security and privacy of your mails. Another point to be noted that, Apple does not provide any APIs or frameworks for developers that would allow this kind of modification of its interface. Instead, LinkedIn is acting as a ' man in the middle ' by inter

A new hacking technique dubbed BREACH can extract login tokens, session ID numbers and other sensitive information from SSL/TLS encrypted web traffic in just 30 seconds. The technique was demonstrated at the Black Hat security conference in Las Vegas ( Presentation PDF  & Paper ) by Gluck along with researchers Neal Harris and Angelo Prado, which allows hackers to decodes encrypted data that online banks and e-commerce sites from an HTTPS channel. Neal, Yoel and Angelo ( From left to right) at BlackHat BREACH ( Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext ) is very targeted and don't decrypt the entire channel. BREACH manipulates data compression to pry out doses of information from HTTPS protected data, including email addresses, security tokens, and other plain text strings. Angelo Prado told The Hacker News , " We are using a compression oracle is leveraging the building blocks from CRIME , on a different compression c

T-Mobile devices having a default Wi-Fi Calling feature that keeps you connected in areas with little or no coverage using Wi-Fi connection. But according to new finding by students Jethro Beekman and Christopher Thompson from University of California Berkeley, that this feature lets millions of Android users vulnerable to Man-in-the-Middle attack . The simplest way to become a man-in-the-middle would be for the attacker to be on the same open wireless network as the victim, such as at a coffee shop or other public space. In a technical analysis of the exploit, The flaw could potentially allow hackers to access and modify calls and messages made by T-Mobile users on certain Android smartphones. Beekman and Thompson informed T-Mobile, a division of Deutsche Telekom, of the flaw in December and on March 18 T-Mobile was able to resolve the issue for all affected phone models. T-Mobile uses regular VoIP for Wi-Fi Calling instead of a connection that encrypted, somethin

It's time of stocktaking, principal security firm are proposing their analysis to synthesize actual situation on cyber security, 2012 is widely considered a year when the malware has increased significantly thanks to the contributions of various actors that we will analyze shortly. WebSense has published a new interesting study, 2013 Threat Report , that confirms an extraordinary growth of cyber threats, the data that most of all alert the security community is the increasing number of sophisticated attacks able to elude traditional defense mechanisms. The analysis revealed that technologies most exposed to cyber attacks continue to be mobile platforms and social media, internet is confirmed as primary channel for cyber menaces, let's consider in fact that number of malicious web sites grew nearly 600% and 85% are represented by legitimate web hosts. Another concerning phenomenon is the use of Email as vector for cyber menace, attackers consider this carrier as

A Dutch hacker was sentenced to 12 years in a US prison on Friday for trafficking over 100,000 credit card numbers stolen in a computer hacking conspiracy. David Benjamin Schrooten , 22,  known as "Fortezza" in the hacker world, pleaded guilty in November to criminal charges related to hacking, bank fraud, and identity theft, according to Western District of Washington US Attorney Jenny Durkan. At sentencing U.S. District Judge Ricardo S. Martinez asked him, " I don't think you would ever consider walking into someone's home, pulling out a gun and robbing them… Did it ever occur to you that you were doing that to all your victims? " Investigators estimate that tens of thousands of people were affected. The damage amounted to more than 63 million dollars. He is Sentenced to 12 years in prison for a computer hacking and credit card fraud scheme that victimized people around the world. A California man is set to go on trial by the middle of the year for his purported rol

It's the news of the day, a fraudulent digital certificate that could be used for active phishing attacks against Google's web properties. Using the certificate it is possible to spoof content in a classic phishing schema or perform a man-in-the-middle attack according Google Chrome Security Team and Microsoft experts. Microsoft has been immediately started the procedure to update its Certificate Trust list (CTL) and all versions of its OSs to revoke the certificate. Microsoft has also decided to revoke other two certificates for the same reason, it seems that some attacks using the first certificate have been already detected, fraudulent digital certificate that was mistakenly issued by a domain registrar run by a Turkish domain registrar. Microsoft has issued a security advisory " Microsoft Security Advisory ( 2798897 ) -Fraudulent Digital Certificates Could Allow Spoofing " that states: "Microsoft is aware of active attacks using one fraudulent digital certificate is

Egypt-based security researcher reported that Facebook Camera App for mobiles are Vulnerable to Man in The Middle Attack , that allow an attacker to tap the network and hijack Camera users accounts and information like email addresses and passwords can be stolen . Mohamed Ramadan trainer with Attack-Secure, who previously reported us about similar vulnerability in Etsy app for iPhone Mohamed explains " The problem is that the app accepts any SSL certification from any source, even evil SSL certifications, and this enables any attacker to perform man in the middle attacks against anyone who uses the Facebook Camera app for IPhone. This means that the application doesn't warn the user if someone in the same (Wi-Fi network) is trying to hijack his or her Facebook account. " Facebook suggest users to upgrade the Camera application To Version 1.1.2. A statement released by the company says " We applaud the security researcher who brought this bug to our attenti

Mohamed Ramadan from Attack-Secure discovered a critical vulnerability in Etsy's iPhone application. Etsy is a social commerce website focused on handmade or vintage items as well as art and craft supplies. Any attacker on the same network can sniff traffic (including user password) invisibly without any warning from Etsy app. Its is very similar to the man in the middle attack reported in iPhone Instagram app a few days back. Bug Hunting ! Because Etsy having a Security Bug Bounty Program , so first Mohamed was trying to find a vulnerability in Etsy website , later he found that they have enough good security. Because Etsy mobile apps are eligible in bug bounty program, so next try was on Mobile apps. Mohamed finally  downloaded the latest version 2.2 and installed that on his iPhone 4S with iOS 6 and also on his ipad. Then he configured his Burp Suite proxy 1.5 to listen on all interfaces on port 8080 in invisible mode.  He disabled any firewall and con

This Friday I was working with my co-security researcher " Christy Philip Mathew " in +The Hacker News  Lab for testing the Cookie Handling Vulnerabilities in the most famous email services i.e Hotmail and Outlook. Well, both are merged now and part of the same parent company - Microsoft, the software giant.  Vulnerability allows an attacker to Hijack accounts in a very simple way, by just exporting & importing cookies of an user account from one system to attacker's system, and our results shows that even after logout by victim, the attacker is still able to reuse cookies at his end. There are different way of stealing cookies, that we will discuss below. In May 2012, another Indian security researcher Rishi Narang claimed similar vulnerability in Linkedin website. Vulnerability Details Many websites including Microsoft services uses cookies to store the session information in the user's web browser. Cookies are responsible for maintainin

It's known, drones are privileged vehicles for reconnaissance and attacks, technology has achieved level of excellence and their use is largely diffused, that's why defense companies are providing new solution to make them increasingly effective. But the incredible amount of technological components could be itself a point of weakness, last year in fact an U.S. stealthy RQ-170 Sentinel drone was captured by Iranian military near the city of Kashmar. The vehicle was used in reconnaissance mission, it took off from near Afghanistan, exactly from Kandahar airfield. In this hours government of Teheran has announced to have captured a new drone, Iran's Islamic Revolution Guards Corps (IRGC) Navy Commander Rear Admiral Ali Fadavi reported that on Dec. 5th Iranian defense has captured a Scan Eagle drone that violated the fly zone over the Persian Gulf, around Kharg Island, in southern Iran. The zone is a strategic area, the place provides a sea port for the export o

Instagram - Facebook's popular photo sharing app for iOS, is currently has a vulnerability that could make your account susceptible to hackers. A security researcher Carlos Reventlov  published on Friday another attack on Facebook's Instagram photo-sharing service that could allow a hacker to seize control of a victim's account. " The Instagram app communicates with the Instagram API via HTTP and HTTPs connections. Highly sensitive activities, such as login and editing profile data, are sent through a secure channel. However, some other request are sent through plain HTTP without a signature, those request could be exploited by an attacker connected to the same LAN of the victim's iPhone. " Vulnerability Details --   The vulnerability is in the 3.1.2 version of Instagram's application, which is  susceptible to "eavesdropping and man in the middle attacks that could lead an evil user to delete photos and download private media without the victim's con

Symantec recently identified a database-corrupting piece of malware targeting systems mostly in Iran, but despite early speculation that it could be related to the likes of Stuxnet and Flame, it appears to be targeting small businesses rather than the country's infrastructure. Malware Dubbed W32.Narilam , is predominantly active in the Middle East, and it has also been detected in the USA and UK. The worm looks for particular words in Microsoft SQL databases and overwrites them. The worm specifically targets SQL databases with three distinct names, alim, maliran, and shahd. Once the targeted databases are found, Narilam looks for specific objects and tables and either deletes the tables or replaces items with random values. On Monday an alert was published on tarrahsystem.com warning of the W32.Narilam threat to its customers. The bulk of the infections thus far have been found in the Middle East, particularly Iran and Afghanistan. Kaspersky Lab took issue with repo

Paul F Renda  going to begin a series on hacking the politics in the united states and why India and china won the past Presidential election. This eclectic hacker look will use partial differential equations, game theory, the prisoner's dilemma, and fractals. I am going to show unequivalently that the true winner of the election is the expanding middle class in India and China. The losers are the middle class in the United States and, in particular, 19–34-year-old. Sometimes in history a confluence of unusual events occur every 100 years or 1,000 years; this is such a time. Dorothy, fasten your seatbelt. It is going to be a bumpy ride: You are not in Kansas anymore. In order for me to talk about politics and the election, I first have to introduce the Curley effect. This concept was developed by using empirical data and partial differential equations. It is mathematically sound, and mathematics is the language of the universe. I have copied the abstract and second paragraph of

Multiple malware attacks against both Israeli and Palestinian systems, likely to be coming from the same source, have been seen over the last year. Researchers in Norway have uncovered evidence of a vast Middle Eastern espionage network that for the past year has deployed malicious software to spy on Israeli and Palestinian targets. Israel has banned its police force from connecting to the Internet and from using memory sticks or disks in an effort to curb a cyberattack. The ban, enacted last week, is meant to prevent a malware program called Benny Gantz-55 named after Benny Gantz, Israel's Chief of General Staff from infecting the police's computer network  Trend Micro has obtained samples of malware implicated in a recent incident, The attack began with a spammed message purporting to come from the head of the Israel Defense Forces, Benny Gatz. The From field has the email address, bennygantz59(at)gmail.com and bore the subject IDF strikes militants in Gaza Strip following