The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Android facial recognition based unlocking can be fooled with photo Another Android Feature Exploited, Funny that Android facial recognition based unlocking can be fooled with photo . Check out the video below, courtesy of Malaysia’s SoyaCincau : He said " While some of you think that it is a trick and I had set the Galaxy Nexus up to recognise the picture, I assure you that the device was set up to recognise my face. I have a few people there watching me do the video and if any one of them is watching this video I hope you can confirm that this test is 100% legit .".

#Anonymous : Now is the Time to evolve or Die Anonymous was formed and birthed on the internet message board 4chan in 2003. The moniker Anonymous was derived as homage to 4chan. At the time, if someone posted to 4chan’s forums and no name was given then the post was credited to "Anonymous". Seizing onto the premise or the idea that actions can be taken anonymously by the lesser or powerless “Anonymous” moved beyond 4Chan and morphed into sometime larger and more potent. The original premise of “Anonymous” appeared to be a limited but noble idea; attempting to keep the internet open and free because governments and corporations were earnestly trying and demanding limits and restrictions to the freedom of expression on the internet. To date “Anonymous” has remained a banner that many channers, as well as hacktivists and IRC users, post under and are loosely grouped together. Allied under the umbrella of “Anonymous” with no real command structure in the group, “Anonymous” rem...

Bangladesh Supreme Court website hacked The official website of the Supreme Court was hacked yesterday.Information technology experts of the court, however, recovered it around 8:00pm. According to the message posted on the site, the hackers identified themselves as " Bangladeshi UnderGround Hacker 3xp1r3 Cyber Army ".They, however, claimed that all the data is safe and not being tampered with or deleted." Some other hackers are trying to hack Bangladeshi sites!! And delete all the data !! (sic), " they warn. Head of IT department of the apex court Quddus Zaman confirmed the restoration of the site, www.supremecourt.gov.bd. Earlier, Supreme Court registrar A K M Shamsul Islam told , " A person from Singapore called me up in the morning and said the website of the Supreme Court has been hacked. Several others also phoned me later and complained about it ."

Burp Suite Pro v1.4.03 released - CSRF generator, SSL strip Added There is a new CSRF generator, which produces proof-of-concept HTML for generating virtually any HTTP request. You can access this feature by right-clicking any item within Burp, and using the engagement tools context menu to select "generate CSRF PoC". Some useful features are: Support for all form encoding types: standard URL encoding, multipart encoding, and plain text encoding. Auto-detection of the optimal encoding type, with manual override. Ability to edit both the request and response in-place, to fine tune attacks. In-browser testing, by pasting a URL into your browser that will cause Burp Proxy to serve up the CSRF PoC in its response. Download/Buy from here

Possible Credit Card Theft in Steam Website Hacking Valve CEO Gabe Newell has contacted all users of the Steam game distribution platform to let them know that the company has suffered a security breach. Right before going offline, users saw a new category in the forum that directed them to open a site named "Fkn0wned." Many users also complained that their email ids related to Steam accounts were "spammed with ads for the web site. Valve recommends all users to keep closely watched the activity of their credit cards because the hackers had access to that information during the attack. Forums Steam are closed for the moment, but the program itself is running. " We have no evidence that the numbers encrypted credit card or personal identifying information was taken by intruders, or the protection of card numbers or passwords have been cracked . We are still investigating , "Newell wrote. " At the moment we have no evidence of misuse of credit cards b...

Operation Ghost Click by FBI - Online advertising scam taken Down A gang of internet 'cyber bandits' who stole $14 million after hacking into at least 4 million computers in an online advertising scam have been arrested following a joint investigation by the FBI and Nasa. Six men are in custody in Estonia, pending extradition to the United States, following a two-year investigation into an “ intricate international conspiracy ” that “ hijacked ” millions of computers around the world and stole more than US$14-million. The FBI's two-year investigation was dubbed "Operation Ghost Click". Computers in more than 100 countries were infected by the “DNSChanger” malware, which redirected searches for Apple’s iTunes store to fake pages pretending to offer Apple software for sale, as well as sending those searching for information on the U.S. Internal Revenue Service to accounting company H&R Block, which allegedly paid those behind the scam a fee for each visitor...

myOpenID XSS : One of the Largest OpenID provider is Vulnerable One of the One of the Largest Independent OpenID provider " myOpenID " is Vulnerable to Cross Site Scripting (XSS) ,Discovered by " SeeMe " - Member of Inj3ct0r Team. Cross Site Scripting (or XSS) is one of the most common application-layer web attacks. What Hacker can do - "The attackers can steal the session ID of a valid user using XSS. The session ID is very valuable because it is the secret token that the user presents after login as proof of identity until logout. If the session ID is stored in a cookie, the attackers can write a script which will run on the user's browser, query the value in the cookie and send it to the attackers. The attackers can then use the valid session ID to browse the site without logging in. The script could also collect other information from the page, including the entire contents of the page". Proof Of Concept - Click Here

CrySyS Duqu Detector Open source Toolkit Released Two weeks ago Researchers at the Laboratory of Cryptography and System Security (CrySyS) in Hungary confirmed the existence of the zero-day vulnerability in the Windows kernel , according to security researchers tracking the Stuxnet-like cyber-surveillance Trojan. The Laboratory of Cryptography and System Security (CrySyS) has released an open-source toolkit that can find traces of Duqu infections on computer networks.The open-source toolkit, from the Laboratory of Cryptography and System Security (CrySyS), contains signature- and heuristics-based methods that can find traces of Duqu infections where components of the malware are already removed from the system. They make a release that " The toolkit contains signature and heuristics based methods and it is able to find traces of infections where components of the malware are already removed from the system.The intention behind the tools is to find different typ...

w3af v.1.1 - Web Application Attack and Audit Framework Released w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend. To read our short and long term objectives. w3af is much more than a piece of software, w3af is a community that breathes Web Application Security. Change Log: * Considerably increased performance by implementing gzip encoding * Enhanced embedded bug report system using Trac's XMLRPC * Fixed hundreds of bugs * Fixed critical bug in auto-update feature * Enhanced integration with other tools (bug fixed and added more info to the file) Download Here Get Video Tutorial and Help to Use w3af here

Cross Site Scripting Vulnerability in Speed Bit Search Engine Debasish Mandal, A hacker from India , Found that there is a XSS through JavaScript Injection vulnerability in the Home page of Speed Bit Search Engine.The XSS filter is filtering normal html /script /iframe tags but XSS can be achieved by injecting JavaScript event "onmouseover()".Technical Description is below. Debasish have reported the vulnerability to the Speed Bit Team but haven't yet got any response from their side. Proof Of Concept: 1) Visit this URL http://search.speedbit.com/?aff=grbr" onmousemove="alert(document.cookie) 2) Bring mouse cursor over the hyperlink shown in the image and you should see a POP up box showing the browser cookies. Submitted By :  Debasish Mandal, India.