
The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

Microsoft BlueHat Security contest - Mega Prize $250,000

Aug 04, 2011
Microsoft today launched a $250,000 contest for researchers who develop defensive security technologies that deal with entire classes of exploits. The total cash awards for Microsoft's "BlueHat Prize" contest easily dwarf any bug bounty that's been given by rivals. The company announced the contest as this year's Black Hat security conference got under way today in Las Vegas. "We want to make it more costly and difficult for criminals to exploit vulnerabilities," said Katie Moussouris, a senior security strategist lead at Microsoft, in a news conference today. "We want to inspire researchers to focus their expertise on defensive security technologies." "Overall, it seemed to us that to take an approach to block entire classes was the best way to engage with the research community and protect customers," said Moussouris. WHAT IS THE CONTEST? The inaugural Microsof...
British police issue warning to Anonymous, Lulzsec and other internet hacktivists

Aug 03, 2011
The Metropolitan Police have taken the unusual step of using Twitter to send a message to anyone considering supporting internet attacks against companies and governments. A message posted on the Met Police's official Twitter account cautioned would-be hacktivists that engaging in denial-of-service (DDoS) attacks, defacing websites or breaking into corporate databases is illegal. In the past, hacktivists have compared their activities to legitimate civil disobedience, but such a view is not a defence if suspected hackers are brought to court. Sophos noticed this tweet first. The full warning posted by the Met Police reads as follows: The investigation into the criminal activity of so-called "hacktivist" groups #Anonymous and #LulzSec continues. We want to remind people of the law in this area: The Law Against Computer Misuse Anyone considering accessing a computer without autho...
Cross Application Scripting vulnerability in Android browser

Aug 03, 2011
Recently IBM researchers detected a security vulnerability in Android’s Browser which can be exploited by a non-privileged application in order to inject JavaScript code into the context of any domain. This vulnerability has the same implications as global XSS, albeit from an installed application rather than another website. Android 2.3.5 and 3.2 have been released, which incorporate a fix for this bug. Patches are available for Android 2.2.* and will be released at a later date. The complete advisory can be found here. The browser holds sensitive information such as cookies, cache and history, and injected JavaScript could make it possible to extract that information, indirectly breaking the Android sandbox architecture. The attack exploits flaws in how the browser reacts to calls to view web pages from other applications. IBM demonstrates the proof of concept for Android Cross Application scripting ...
Operation Shady RAT - Biggest Cyber Attacks in history uncovered

Aug 03, 2011
When the history of 2011 is written, it may well be remembered as the Year of the Hacks. McAfee has published a new report that it says is one of the most comprehensive analyses ever revealed of victim profiles from a five-year-long targeted operation by a specific actor, dubbed Operation Shady RAT. McAfee released a 14-page report that details the largest coordinated cyber attack recorded to date. This particular attack, possibly orchestrated by China, broke into 72 organizations over the course of five years. The targets include the US, Canada, Taiwan, India, South Korea, and Vietnam. The attack also hit the UN, the International Olympic Committee, the World Anti-Doping Agency, defense contractors, tech companies and more. Most attacks lasted less than a month, but some, like that on the UN Secretariat, lasted for almost two years. McAfee says it learned of the extent of the hacking campaign in March this year, when it...
PythonLOIC - Python Low Orbit Ion Cannon Ddos Tool Released

Aug 03, 2011
Low Orbit Ion Cannon for all platforms, to test the resistance of the server or DDoS servers. Presentation of PythonLOIC running on iPhone OS: Download PythonLOIC
Operation Defense - Anonymous shut down Colombia's president website

Aug 03, 2011
Anonymous and Colombian hackers shut down the websites of Colombia's president, the interior and justice ministry, the intelligence service DAS and the governing U party. According to the hacker's Twitter page, the attack was meant as a protest against government censorship. The DoS attack on the government websites was named "Operation Defense". On the website of the U Party, the hackers posted a fake biography of President Juan Manuel Santos in which the hackers talk about the break-in of the President's Facebook page carried out on July 20, Colombia's Independence Day.
Zero-day flaw in WordPress image utility allows to upload files and execute codes

Aug 02, 2011
Mark Maunder, CEO of Seattle-based technology firm Feedjit, discovered the flaw after his own blog was hacked to load advertising content. He ended up tracing the issue back to TimThumb, which he uses on his blog. Hackers are exploiting a zero-day vulnerability affecting TimThumb, a free image resizing utility widely used on the blogging platform WordPress. Vulnerability in brief: An image resizing utility called timthumb.php is widely used by many WordPress themes. Google shows over 39 million results for the script name. If your WordPress theme is bundled with an unmodified timthumb.php as many commercial and free themes are, then you should immediately either remove it or edit it and set the $allowedSites array to be empty. The utility only does a partial match on hostnames allowing hackers to upload and execute arbitrary PHP code in your timthumb cache directory. I haven’t audited the rest...
CA security finds Android Trojan which records phone calls

Aug 02, 2011
A new Android Trojan is capable of recording phone conversations, according to a CA security researcher. The trojan is triggered when the Android device places or receives a phone call. It saves the audio file and related information to the phone's microSD card, and includes a configuration file with information on a remote server and settings used by the trojan. The malware also "drops a 'configuration' file that contains key information about the remote server and the parameters," CA security researcher Dinesh Venkatesan writes in a blog, perhaps suggesting that the recorded calls can be uploaded to a server maintained by an attacker. According to the post, the trojan presents itself as an "Android System Message" that requires users to press an "Install" button for it to insert itself in the phone. Once installed, the trojan records all incoming and outgoing calls to a di...
Sun website 1000's users data stolen

Aug 02, 2011
Britain's Rupert Murdoch-owned tabloid The Sun has sent a message to readers warning them that computer hackers may have published their data online after an attack on the paper's website last month. News International, News Group's parent company, issued a statement that said: "We take customer data extremely seriously and are working with the relevant authorities to resolve this matter. We are directly contacting any customer affected by this." Hacking group LulzSec claimed responsibility for the cyber attack, which forced Murdoch's British papers to pull their websites and culminated in The Sun's site being replaced with a hoax story reporting the mogul had died. The company said it had reported the matter to the police and the Information Commissioner. The stolen information is believed to include names, addresses, dates of birth, email addresses and phone numbers. No financial or password data was comprom...
Italian Intelligence agency CNAIPIC steals sensitive data from Indian Embassy

Aug 02, 2011
Sensitive defence information appears to have been stolen from the Indian embassy here by an Italian intelligence agency during the past two years. If the documents released by Anonymous hackers are to be believed, the Italian cyber police, the National Anti-Crime Computer Centre for Critical Infrastructure Protection (CNAIPIC), was widely hacking the Indian embassy's letters with Russian defence firms. The leaked data include the letters between the Indian embassy's Air Wing and a local company supplying spares for military aircraft. Izvestia said Italian cyber police had hacked, on June 22, 2010, Deputy Air Attache D S Shekhavat's correspondence with Aviazapchast, a company specialising in the supply of aviation spares, complaining about delays in the shipment of 15 helicopter engines. A reply from the Aviazapchast representative in India written on the same day was also hacked by the CNAIPIC...
On 4th August SAP systems will be hacked on internet in BlackHat USA 2011

Aug 02, 2011
On the 4th of August at the world's largest technical security conference, BlackHat USA 2011, which will take place in Las Vegas, SAP security expert and CTO of ERPScan Alexander Polyakov will show how any malicious attacker can get access to systems running SAP via the Internet using a new critical vulnerability. SAP systems are used in more than 100 000 companies worldwide to handle business-critical data and processes. In almost every Forbes 500 company, these systems handle processes ranging from purchasing, human resources and financial reporting to communication with other business systems. An attacker who gains access therefore gains complete control over the financial flow of the company, which can be used for espionage, sabotage and fraud against the hacked company. The attack is possible due to a dangerous vulnerability of a new type, ...
30 China Government Sites Hacked By Hitcher

Aug 02, 2011
A Pakistani hacker with the code name "Hitcher" today hit 30 China Government websites, as listed below: The hacker defaced all these domains, and a mirror of every defacement is available here. In the past, the LUMS University database was also hacked by Hitcher.
Anonymous and Lulzsec stand for Jake Davis with #FreeTopiary Operation

Aug 01, 2011
Two days ago accused LulzSec hacker "Topiary" was arrested, and today he was released on bail. Jake Davis, an 18-year-old from the Shetland Islands, was released on bail after being charged with five offences relating to computer attacks and break-ins by the LulzSec and Anonymous hacking groups. In his support, all Anonymous and Lulzsec hackers today stand together once again with a new operation, #FreeTopiary, on Twitter. Anonymous is calling on everyone to show their support for @atopiary on IRC chat. Anonymous is also calling for legal help. Quotes from various supporters: 1.) FreeTopiary an idea is the seed of human kind. 2.) Make no mistake, Topiary is a political prisoner. 3.) I love how kids are the ones showing multimillion/billion security companies how insecure they are... 4.) You cannot arrest an idea. UPDATE: Press Release for Operation #FreeTopiary...
Another Government contractor - PCS Consultants (USA) got Hacked by #Antisec

Aug 01, 2011
Another government contractor, PCS Consultants (USA), got hacked by Anonymous hackers and #Antisec operation hackers. The website's database has been extracted and leaked on the internet via Twitter on Pastebin. The leaked data includes the admin's and 110 users' emails and passwords in encrypted hashes. According to the PCS website: "PCS Consultants, Inc is a full-service Human Resources and Risk Management Compliance Company, offering support in recruitment and internal placement, position classification, employee relations, OSHA compliance programs, worker's compensation administration, and training for a variety of HR/Safety and EEO-related subjects. Providing support to all levels of government, our team of consultants are carefully selected to ensure they have the necessary knowledge and understanding of relevant Public Sector Acts and Standards and high level oral and written communication skills, excell...
Accused LulzSec hacker Topiary released on bail

Aug 01, 2011
Jake Davis, an 18-year-old from the Shetland Islands, was released on bail after being charged with five offences relating to computer attacks and break-ins by the LulzSec and Anonymous hacking groups. Davis was granted bail to stay with his mother at their new home in Spalding, Lincolnshire, on condition that he does not access the internet either directly or through anyone else. He also has to wear a tag to ensure a 10pm to 7am curfew. Davis, whom police believe used the online nickname "Topiary" and was a member of the LulzSec and Anonymous hacking groups, was arrested at 2.10pm last Wednesday in Mid Yell, a northern island of the Shetlands. Jake Davis allegedly had the login passwords of 750,000 people on his computer. He was charged on Sunday night with offences under the Computer Misuse Act, the Serious Crime Act, and the Criminal Law Act. Davis is accused of gathering data from National Health Service co...
Vimeo (Brazil) Video Sharing site got hacked by Terminal_pk

Aug 01, 2011
Today a hacker with the codename "Terminal_pk" hacked and defaced the Brazilian domain of the famous video sharing site "Vimeo". A mirror of the defacement can be seen here.
7000 law enforcement officers details leaked by Anonymous Hackers

Jul 31, 2011
AntiSec and Anonymous hackers announced via Twitter that they absconded with up to 10 gigabytes of confidential information, including protected witnesses. They have posted more than 7,000 law enforcement officials’ private information online, including their social security numbers, email accounts and passwords, phone numbers and home addresses, on Pastebin. Also today: 77 Law Enforcement websites hit in mass attack by #Antisec Anonymous.
ZCompany Pakistani Hackers deface big Indian Websites

Jul 31, 2011
The Pakistani hackers of the ZCompany Hacking Crew again hit some big Indian websites and defaced them. Hacked Sites: Indian Testing Board (ITB) is the International Software Testing Qualifications Board (ISTQB) : http://www.istqb.in/ http://payment.istqb.in/ Alpha Capital provides Multi Family Office ,Management , Private Wealth Management , Family Office , Private Banking , Financial Advisor http://alphacapital.in/ Asia's Largest Collection of Antique Carpets in Delhi and India. http://antiquecarpet.in/ http://www.bookswagon.com/ Indian National Science Academy, INSA, National Science, Indian Science, Fellowship, FNA, international Science http://insaindia.org/index.php http://www.indiapedia.org/ CPAI endeavors to put forth new & innovative ideas for smooth functioning and the growth of the commodity market operations http://commoindia.com/ Department of Financial Studies : University of Delhi, South Camp...
77 Law Enforcement websites hit in mass attack by #Antisec Anonymous

Jul 31, 2011
Because of the FBI’s actions against Anonymous and Lulzsec, including several arrests, AntiSec supporters have now targeted 77 law enforcement domains and walked away with everything on them. The 77 domains were hosted on the same server. A few weeks ago AntiSec targeted Arizona police departments, leaking personal information and other sensitive data, in response to immigration laws passed by the state. This time, however, the latest law enforcement raid by AntiSec is in response to actions taken by the FBI. 77 US law enforcement institutions were attacked, including ...
Italy's Police IT network vitrociset.it Database Hacked and Leaked by #Antisec

Jul 30, 2011
After the hack of Italy's Police IT network, Anonymous hackers have just released the database of vitrociset.it via a Pastebin link on Twitter. The leak includes the administrator's password and 100s of other users' login details.
#RefRef - Denial of Service ( DDoS ) Tool Developed by Anonymous

Jul 30, 2011
Anonymous is developing a new DDoS tool which is said to exploit SQL vulnerabilities to support the group's future campaigns. So far, what they have is something that is platform neutral, leveraging JavaScript and vulnerabilities within SQL to create a devastating impact on the targeted website. Previously, Low Orbit Ion Cannon (LOIC) was the go-to weapon for Anonymous supporters during various operations. However, LOIC is also the reason scores of people have been arrested in the last year, so many feel its time is at an end. According to the developer: "RefRef is a revolutionary DoS java site. Basically, by using an SQL and .js vulnerability, you can send a page request packet from your home computer with embedded .js file, because of the vulnerability in the SQL/Javascript engine on MOST websites, the site actually TEMPs the .js file on its own server. So now the .js is in place on the host of the site. Next s...
Department of Homeland Security (DHS) Emails leaked by #Antisec Anonymous

Jul 29, 2011
One of the Anonymous members, @AnonWorldUnite, today leaked the DHS emails on the internet. He tweeted: “A Wild Leak Has Appeared! : http://wp.me/p1JyTn-f #AntiSec #AnonOps #Leak #LulzSec #Anonymous http://wp.me/p1JyTn-f” The link given in the Twitter post is a link to a WordPress blog. The blog post said: “You Asked – And You Shall Receive #DHS Emails – *all emails and files were obtained legally. - http://www.mediafire.com/?zidv26ppown4u0s <3” The article shows a Mediafire download link with a PDF file, ogc ap redacted foia process 301 350.pdf (8.04 MB), in which the e-mails are encapsulated. UPDATE: As Anonymous said that they got this file in a legal way, we tried to find out, and found that this PDF is available on the DHS site at http://www.dhs.gov/xlibrary/assets/foia/ogc_ap_redacted_foia_process_301-350.pdf and http://www.dhs.gov/xlibrary/assets/foia/ogc_ap_redacted_foia_p...
Nicolas Sarkozy's official Elysee Palace website Hacked for 'Get Him Out' Game

Jul 29, 2011
Hackers have attacked Nicolas Sarkozy's official Elysee Palace website to create a video game called 'Get Him Out'. Under the formal banner introducing the site, a cartoon image of the French president was pictured on a go-kart heading towards the gates of the palace. For each click on a Facebook 'like' button beside the game, the French leader moved one step closer out into the street. The instructions to the game read: "The more you click, the faster we can get little Nicolas out!". The Elysee palace confirmed a hacking attack had taken place on Tuesday night, but that the 'problem' had been fixed by 7am on Wednesday. A spokesman added: "The hackers took advantage of an old software system to temporarily re-route the welcome page." [Source]
South Korean social network hacked, 35 million users Data at risk

Jul 29, 2011
The personal information of 35 million users of a South Korean social network site may have been exposed. Local authorities were quick to blame hack attacks against the Cyworld social networking website and the Nate web portal – both of which are run by SK Telecom – on Chinese hackers. Names, phone numbers, email addresses, and other details may have been exposed through the Cyworld hack, which follows previous attacks against South Korean government sites and financial service firms. North Korea has been implicated in some of these hacks. South Korean police are reportedly investigating the cyberattack against Cyworld – a social network with a SIMS-like environment featuring avatars and virtual apartments – and Nate, which offers webmail. Mark Darvill, director at security appliance firm AEP Networks, commented: "By any standard this is a massive attack and one of many in recent months where the finger...
SQueRT 0.9.0 - New version released

Jul 29, 2011
CHANGELOG:
* tabbed interface
* date ribbon
* CSS/JS fixes and cleanup
* Bunch of new stuff
Download SQueRT 0.9.0
Window AutoPwn (WINAUTOPWN) - Auto Hacking/shell Gaining Tool

Jul 28, 2011
Autohack your targets with the least possible interaction. winAUTOPWN features:
- Above 500 vulnerability exploits for software applications.
- Custom-compiled executables of famous and effective exploits along with a few original exploits.
- Exploits available in the form of PE-exe, ELF, php, perl, python.
- A smart multi-threaded PortScanner.
- An exploit loading framework to test the effectiveness of IDS/IPS.
winAUTOPWN is a set of exploits which are publicly available. The source of these exploits is modified only when required to enable a missing feature or to remove hard-coded limitations. winAUTOPWN otherwise keeps the original exploit writer's source code intact, just as it was, and uses it. winAUTOPWN preserves the exploit writer's credits and originality in the source, and keeps the names, websites/blogs, emails and other contact details intact. Binaries of perl, php, python and cygwin DLLs (included) ...
ICQ vulnerable to account theft using JavaScripts

Jul 28, 2011
In security advisories for ICQ ( http://noptrix.net/advisories/icq_cli_xss.txt ) and the ICQ web site ( http://noptrix.net/advisories/icq_web_xss.txt ), security researcher Levent Kayan warns that both the ICQ instant messenger for Windows and the ICQ web site contain vulnerabilities that potentially allow attackers to take control of a user's ICQ account. According to Kayan, ICQ doesn't adequately check users' profile information and fails to properly analyse status messages, which can be freely chosen by users, to see if they contain executable code. Kayan recently discovered a similar hole in the Skype client. Heise Security was able to reproduce the flaw discovered by Kayan using the current 7.5 version of ICQ. ICQ said that it was in the process of developing and testing a security fix.
Paypal gives FBI the list of IP Address of 1,000 Anonymous hackers

Jul 28, 2011
Paypal collected 1000 IP addresses of those carrying out Anonymous' DDoS attacks against PayPal last December. To be fair the names on the list will probably be the bottom feeding script kiddies rather than the hackers at the top of Anonymous's greasy pole. The clever hackers know to mask their IP addresses first. An FBI affidavit suggests the Untouchables may have lots more people to arrest. FBI agent Chris Thompson says PayPal security officials were in close contact with the bureau beginning 6 December, two days after PayPal froze WikiLeaks' donation account and the first day it began receiving serious denial-of-service traffic. FBI agents began monitoring Anonymous press releases while PayPal collected traffic logs on a Radware intrusion prevention system installed on its network. Paypal gave the feds a USB thumb drive containing the Radware reports, which documented "approximately 1,000 ...
SPINN - Secure Personal Information Notification Network Hacked By Inj3ct0r

Jul 28, 2011
The official website of SPINN - Secure Personal Information Notification Network has been hacked and defaced by Team Inj3ct0r. Screenshot is as shown above.
War Texting : Hackers Unlock Car Doors Via SMS

Jul 28, 2011
Two hackers, Don Bailey and Mathew Solnik, have found a way to unlock cars that use remote control and telemetry systems like BMW Assist, GM OnStar, Ford Sync, and Hyundai Blue Link. These systems communicate with the automaker’s remote servers via standard mobile networks like GSM and CDMA, and with a clever bit of reverse engineering, the hackers were able to pose as these servers and communicate directly with a car’s on-board computer via “war texting”, a riff on “war driving,” the act of finding open wireless networks. Don Bailey and Mathew Solnik, both employees of iSEC Partners, will deliver their findings at next week’s Black Hat USA conference in Las Vegas in a briefing entitled “War Texting: Identifying and Interacting with Devices on the Telephone Network.” The exact details of the attack won’t be disclosed until the affected manufacturers have had a chance to fix their systems, and the hackers are not expected ...
Iframe Injection Vulnerability on FileHippo - Popular software download site

Jul 28, 2011
One of the most popular freeware software download websites, "FileHippo", is vulnerable to iframe injection. This vulnerability was found and submitted by n3t phir3. Here is the vulnerable link and screenshot as shown above.
Apache Log Extractor tool

Jul 28, 2011
Apache Log Extractor is a quick script to export URL information from Apache access logs. The thought behind this script was to provide a list of known URLs on a remote server by analysing the logs. This list could then be used as the input for further testing tools, e.g. Burp Suite – Intruder. The script accepts an Apache access file as the input and creates an output file containing one URL per line. The list is unique and should only contain the URL without parameters (incomplete directory names are not extracted). It also takes these URLs and creates a wordlist output of all valid directory names for use with brute-forcing tools. This fingerprinting tool can reduce the realm of password cracking.
How to use:
./apache_log_extractor.py access.log.1
Output:
[ ] Extracting URLs from logfile : access.log.1
[ ] Extracted URL : /
[ ] Extracted URL : /Signed_Update.jar
[ ] Extracted URL : /ajax/bottomnavinfo.ashx
[ ] Extracted URL : /MetaAdServ...