The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

GateOne Beta - Terminal emulator for HTML5 web browsers The software makes use of WebSockets to connect a server backend written in Python and a frontend written for modern browsers in JavaScript, HTML5 and CSS. The frontend doesn't require any browser plug-ins to be installed.Gate One also supports HTTP over SSL (https) secure connections from the browser to the server and authentication technologies such as Kerberos. It has its own internal plug-in system (plug-ins can be written in Python, JavaScript and CSS); currently available plug-ins for Gate One include SSH client connections, session recording and playback, and a bookmark manager for storing terminal sessions. Top features: * No browser plugins required! * Supports multiple simultaneous terminal sessions. As many as your hardware can handle. * Users can re-connect to their running terminals whenever they like from anywhere. * Can be embedded into other applications. Add a terminal--running whatever appl...

Launching Wireless Hacking Series for Fun and Profit THN is launching a Wireless Hacking series of blog posts where we will talk about a lot of tools and techniques. We hope this will be fun and informational for all of our readers. The series will be based on the SecurityTube Wireless Security Expert (SWSE) course material. We spoke about it in previous blog posts and loved the course material, and also SecurityTube’s spirit of providing the entire course material free and only charging if you are interested in getting certified. As a responsible disclosure, we would like to inform you that we have subscribed to the SWSE course and certification. Once we registered we received the course slides and login to the student portal. This post is a short summary of the study path for the course. The student portal provides a structured path for learning: You can download the course slides, the full course material and watch the welcome video (embedded in the end). Each les...

Hcon’s Security Testing Framework (Hcon STF) v0.1beta After the first demo of Hfox, many people asked about a Chromium based framework for penetration testing/ethical hacking.  After 3 months of work and research, and some input from AJ, the following tool has been developed for the arsenal of Hcon’s tools: Specifications 1.         Based on Chromium Source (iron build) version 14. 2.         Works for ever need of hacking/penetration testing such as recon, enumeration, social engineering, exploitation, vulnerability assessment, anonymity, mobile tools, and reporting. 3.         More secure and tracking free from Google and Stable than other Chromium-based builds. 4.         Over 100 tools integrated with easy-to-use interface. 5.         Tested and heavily modified tools with suggestions contribute...

Operation Hackerazzi : FBI arrests alleged Hacker for Stealing naked photos of Hollywood stars FEDERAL officials on Wednesday arrested a 35-year-old Florida man, Christopher Chaney  and charged him with 26 counts of cyber-related crimes against Hollywood stars following an 11-month federal probe dubbed "Operation Hackerazzi". Twitter was ablaze earlier today with messages claiming to link to naked pictures of film actress Scarlett Johansson, which were allegedly stolen from her iPhone by a hacker earlier this year.The photographs may or may not be of Scarlett Johansson, but I would suggest that every hot-blooded male exercises some restraint as it's extremely possible that cybercriminals might exploit the interest to post dangerous links on the web designed to infect computers or steal information. To gain access to these email accounts, Chaney would search through details of celebrity lives within magazines as well as social media accounts like Twitter and figure ...

[Contest] Win " Ghost in the Wires " Book by Kevin Mitnick Some call him a saint, some a criminal, others adore him. Industry may loathe him but we here at The Hacker News say, “ Get ready, loyal subscribers! ” Enter our newest contest and win a copy of Kevin Mitnick’s new book titled, “ Ghost in the Wires .” Fellow hackers will be pleased to know that to celebrate the release of his book,  Kevin Mitnick  has teamed up with  The Hacker News  and is giving away 3 copies of the book to our readers who submit the coolest, keenest and most appealing comments or reviews about the book. Mitnick is no less than a genius as he knits a story of intrigue and suspense as he navigates through the mazes of high tech companies keeping them jumping and realizing they are not invincible……not even close. How you can be one of the Lucky Winners? Does this sound like something you might be interested in? All you need to do is head on over to the book page:   He...

Phoenix Exploit’s Kit 2.8 mini version Back in April of this year, we reported the leak of  Phoenix Exploit Kit 2.5 .  The version currently in circulation is 2.8, and despite its lower activity for the last half of this year, it remains one of the preferred exploit packs used by cyber-criminals. In comparison to the Black Hole Exploit Pack, the PEK has a similar licensing model.  The last version released offered an “alternative” to purchasing the exploit pack.  This “alternative” is the Phoenix Exploit’s Kit 2.8 mini. The current licensing model consists of the following: ·           Simple Domain (Closed) – USD $2,200.00 ·           Multithreaded Domain (Closed) – USD $2,700.00 ·           Extra-Encryption Service (ReFUDing) – USD $40.00 The mini version does not change the characteristics of the Exploit P...

Apple iOS 5 Released ! Apple’s iOS 5 has been released, with owners of the iPhone 4, iPhone 3GS, iPad and iPad 2, along with the third- and fourth-gen iPod touch all getting the latest version of the mobile platform as a free update. Available to download for existing devices via iTunes, iOS 5 will also be preloaded on the new iPhone 4S, Apple’s fifth-gen smartphone that goes on sale this Friday. " On non-mobile devices, our lives are quickly shifting from native applications [i.e. coded for a specific computer or smartphone's operating system] to Web applications, but by Apple dominating the consumer smartphone market first, and executing it beautifully, they have started to set some really unhealthy precedents that the rest of the industry is copying while simply trying to keep pace ," said Zeke Shore, the Co-Founder and Creative Director of design firm Type/Code. iOS 5 also brings with it iCloud, Apple’s new synchronization and backup system that promises to deli...

Sony hacked again - 93,000 accounts compromised with brute-force attack Sony has warned users against a massive bruteforce attack against PlayStation and Sony network accounts. The attack – which used password and user ID combinations from an unidentified third-party source – succeeded in compromising 60,000 PlayStation Network and 33,000 Sony Online Entertainment network accounts. These accounts have been locked and passwords reset. The attack took place between October 7 and 10 and succeeded in matching valid sign-in IDs. According to a blog post by Philip Reitinger, Sony's Chief Information Security Officer, credit card details were not compromised. Both the motive for the latest attack against Sony network users and the identity of the perpetrator(s) remains unclear. Sony shut down its PlayStation Network in April in the aftermath of a far more damaging hack attack. The service wasn't restored until a month later. Personal information on 77 million account-holders wa...

WineHQ database compromise - One More Linux Project Fail Jeremy White, Codeweavers Founder has announced that access to the WineHQ database has been compromised. " On the one hand, we saw no evidence of harm to any database. We saw no evidence of any attempt to change the database (and candidly, using the real appdb or bugzilla is the easy way to change the database). Unfortunately, the attackers were able to download the full login database for both the appdb and bugzilla. This means that they have all of those emails, as well as the passwords. The passwords are stored encrypted, but with enough effort and depending on the quality of the password, they can be cracked ." Anybody who has reused a password stored there probably wants to make some changes fairly soon. Attackers have used phpMyAdmin, an open source database administration tool, to access the WineHQ project's database and harvest users' appdb and bugzilla access credentials. Wine (Wine Is Not an Emu...

Your Browser Matters - Microsoft Launches Tool For Checking Browser Security Microsoft launched a website today designed to give users a detailed look at how secure their browser is. The site, called Your Browser Matters , automatically detects the visitor's browser and returns a browser security score on a scale of four points. When you visit the site, called Your Browser Matters, it allows you to see a score for the browser you’re using. Well, if you’re using IE, Chrome, or Firefox—other browsers are excluded. Not surprisingly, Microsoft’s latest release, Internet Explorer 9, gets a perfect 4 out of 4: If you visit the site with the most recent public releases of Firefox or Google Chrome, however, the results are less than perfect. Here, for example, are the detailed results for Chrome 14 and Firefox 7: Microsoft's new site is primarily intended to encourage users of older versions of Internet Explorer to upgrade. The bane of the existence of Web developers everywhere,...

iPad Finally Has a Facebook Application Facebook has just released its official iPad app . The tablet device was unveiled in January 2010, but development and negotiations with Apple stalled the release of Facebook’s app until now. Facebook for iPad is now available in App Store . We’ve been waiting for a Facebook iPad app almost as long as there’s been an iPad, and there has been talk that Facebook has been working on the app for more than a year. The lack of an app for Facebook has been a pretty massive hole in the functionality of the iPad, given the social network’s unrivaled popularity. And tons of third-party apps have sprung up to fill the void – but none of them were the official, sanctioned apps of Mark Zuckerberg, and none included the kind of power that Facebook has baked into its own native app. Here are some of the top Features of the new app: Bigger, better photos: Photos appear bigger and in high-resolution with easy to flip and rotate features in the photo album ...

blueHOMES hacked - 500k users data and Password in Plain text leaked Some Anonymous Hacker hack the French property and property Germany Dealers website blueHOMES.com  . About 500,000 Users data claim to be hacked by Hacker and also database include all customer passwords in plaintext, including full addresses, skype account, and mailboxes of bluehomes. Specified data leaked on pastebin  with sample data of some users.

VeriSign demands Power to takedown non-legitimate website VeriSign, which manages the database of all .com internet addresses, wants powers to shut down "non-legitimate" domain names when asked to by law enforcement. VeriSign should be able to shut down a .com or .net domain, and therefore its associated website and email, " to comply with any applicable court orders, laws, government rules or requirements, requests of law enforcement or other governmental or quasi-governmental agency, or any dispute resolution process ", according to a document it filed today with domain name industry overseer ICANN. The new powers would be international and, according to VeriSign's filing, could enable it to shut down a domain also when it receives " requests from law enforcement ", without a court order." Various law enforcement personnel, around the globe, have asked us to mitigate domain name abuse, and have validated our approach to rapid suspension of...

German Researchers Break RFID Smartcard Encryption Scientists have found a way to circumvent the encryption used to protect a smartcard used to restrict access to buildings and to process public transit system payments. A team of German scientists have demonstrated a hack that lets them make a perfect clone of the kind of magnetic security card used to give access to workers in corporate or government buildings -- including NASA -- and as a daily ticket replacement on buses and subways. The same team broke a previous version of contactless-ID cards from Mifare in 2008.  This prompted the company to upgrade its security to create a card able to be programmed only once and which contained a unique identifying number that could be checked against the programmed content on the card for extra security. The new hack is carried out using a side channel attack, which bypasses the defensive features intended to prevent attacks on the card. To achieve this, the researchers made repeat...

FBI shut down 18 Child Porn Websites A man was recently indicted on federal charges of running 18 Chinese-language child pornography websites out of his apartment in Flushing, New York. The websites were being advertised to Chinese-speaking individuals in China, in the U.S., and other countries. According to the FBI, " Virtually every day, children are lured away from their families by cyber sexual predators. We’re committed to stopping these crimes through our Innocent Images National Initiative. Based in Maryland, it joins FBI agents and local police in proactive task forces around the country that work online undercover to stop those who prey on our kids. " In late 2010, the FBI - through their legal attaché office in Beijing - received information from Chinese officials about their investigation of a large-scale child pornography website housed on U.S. servers. One of their main suspects, a Chinese-born man, was living in New York. The FBI's New York office op...

OWASP Mantra - c0c0n 11 and AppSecLatam 11 Release  The third beta of OWASP Mantra Security Toolkit has been released. One of the main features of this version is the multi-language support. Mantra now supports Hindi and Spanish, in addition to English. If you can give us a helping hand by translating Mantra into more languages, feel free to contact us and we will look forward to see you in Team Mantra. This version is based on Firefox 7.0.1 and comes with some new extensions which you will definitely find useful. One of the other changes is renaming the "Ayudha" menu back to "Tools". We all are comfortable with "Tools" and we decided to keep it intact. This is a collection of free and open source tools integrated into a web browser, which can become handy for students, penetration testers, web application developers, security professionals, etc. It is portable, ready-to-run, compact and follows the true spirit of free and open source software. Mantra...

111 Arrested for biggest identity theft and credit card fraud Case One of the biggest identity theft and credit card fraud cases in history has generated millions of dollars in losses to date. 111 individuals have been indicted in the largest identity theft takedown in U.S. history. " This is by far the largest--and certainly among the most sophisticated--identity theft/credit card fraud cases that law enforcement has come across ," said Richard A. Brown, the district attorney of Queens, N.Y., in a statement announcing the arrests. The defendants, members of five organized forged credit card and identity theft rings based in Queens County and having ties to Europe, Asia, Africa and the Middle East, are charged in ten indictments with stealing the personal credit information of thousands of unwitting American and European consumers and costing these individuals, financial institutions and retail businesses more than $13 million in losses over a 16-month period. As part...

U.S. drones affected by Keylogger Virus A keylogger of some sort has infiltrated classified and unclassified computer systems at Creech Air Force Base in Nevada, recording the keystrokes of pilots tasked with operating unmanned drone aircraft in Afghanistan and other international conflict zones. The virus, first detected nearly two weeks ago by the military's Host-Based Security System, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech's computers, network security specialists say. And the infection underscores the ongoing security risks in what has become the U.S. military's most important weapons system. Tadd Sholtis, a spokesman for Air Combat Command, which oversees the drones and all other Air Force tactical aircraft said, “ We generally do...

SWSE - Most Advanced Wi-Fi Hacking and Security Course online We covered the launch of the SecurityTube Wi-Fi Security Expert in a previous article. As their entire courseware is available online free of charge to evaluate: , I took a look over the weekend and I was very impressed. The instructor assumes you are an absolute n00b to the subject and starts from the very basics of how to get started with creating your own lab for doing Wireless Hacking exercises. He then slowly gains momentum and touches upon a ton of topics - Honeypots, Hotspot attacks, MITM over wireless, WEP/WPA/WPA2 Cracking, WPA/WPA2-Enterprise hacking, PEAP, EAP-TLS, EAP-TTLS cracking, creating backdoors with wireless, Wi-Fi malware etc. All of this is covered in over 12+ hours of HD videos. I would strongly recommend you to download the full courseware here and see for yourself: http://securitytube.net/downloads If you are interested in using this for your job and desire to get a certification then, Security...

[ Call for Article ] The Hacker News Magazine - November 2011 Edition The Hacker News is starting to prepare the next issue of ' The Hacker News Magazine '. Submissions are invited for a 6th up coming special November Issue as " Anniversary Edition ". If you have something interesting to write, please drop us an email at : thehackernews@gmail.com Yes ! We are going to Celebrate ' The Hacker News '  1st Anniversary on 1 November, 2011 . Each Issue/Article of our Magazine and Website aims to spread Awareness and Knowledge about Cyber Security. We gather articles from young minds that deal closely with the topic of Security and Hacking Threats. Topics of interest include, but are not limited to the following: - New Attack and Defense Techniques - Vulnerability discovery - Small Tactics & Techniques - Big Attacks & Impact - Mobile Hacking - Professional Exploit Development - Security and Hacking Events Around The World ...

Optima DDOS 10a botnet leaked on Underground Forums On underground forums " Optima DDOS 10a Botnet " full version posted for all to download and use. Complete new version of the acclaimed DDoS bot Optima Darkness. In this new version 10a according to the author was raised in secrecy bot system and optimized grabber passwords. It cost about $ 600 worth. Features a bot: DDoS attacks of three types - http flood, icmp-flood, syn-flood. Theft of stored passwords from some applications installed on the victim's system, details below. Opening on the infected system proxy Socks5. The possibility of cheating various counters on the websites (http-access the sites). Hidden download and run the specified file to the affected systems. Installed in the system as a service Weight bot - 95.5 kb, written in Delphi. At the moment the following antivirus detected: [ Source ]

Apache Patch released for  Reverse proxy Bypass Vulnerability Security experts at Context have discovered a hole in the Apache web server that allows remote attackers to access internal servers. Security experts are warning firms running the Apache web server to keep up to date with the latest patches after the Apache Software Foundation issued a security advisory to all customers highlighting a new vulnerability. The weakness in 1.3 and all 2.x versions of the Apache HTTP Server can be exploited only under certain conditions. Reverse proxies are used to route external HTTP and HTTPS web requests to one of several internal web servers to access data and resources. Typical applications include load balancing, separating static from dynamic content, or to present a single interface to a number of different web servers at different paths. Context explained that the attack is based on an Apache web server using the mod_rewrite proxy function, and uses a common hacking...

Android malware - Works on remote commands form encrypted blog Researchers from Trend Micro have spotted a piece of malicious software for Android. This is the first known Android malware that reads blog posts and interprets these as commands. It can also download and install additional applications, therefore further compromising the affected device. Trend Micro calls the malware " ANDROIDOS_ANSERVER.A. " If the application is installed, it asks for a variety of permissions. If those are granted, it can then make calls, read log files, write and receive SMSes and access the Internet and network settings, among other functions. This backdoor may be unknowingly downloaded by a user while visiting malicious websites. It may be manually installed by a user. " This is a blog site with encrypted content, which based on our research, is the first time Android malware implemented this kind of technique to communicate, " wrote Karl Dominguez, a Trend Micro threat resp...

Microsoft FUSE Labs Sub-domain defaced by Hmei7 Hacker named " Hmei7 " defaced the official sud-domain of Microsoft FUSE Labs ( http://fuse.microsoft.com/ ) as shown above. He wrote a taunt on the home page with signature " are you microsoft?? , hackedby Hmei7 ". Mirror of hack at Zone-H is here .

Suzuki Official Website of Azerbaijan hacked by Co-cain Tm Suzuki Official Website of Azerbaijan today defaced by Co-cain Tm Hackers. The home page contain following lines: Cg 125 For Ever ! Co-cain Tm Sp Tnx 2 Skitt3r The Mirror of this hack also available on Zone-H . Reason of hack is unknown, supposed to be just for fun.

REMnux: A Linux Distribution for Reverse-Engineering Malware REMnux is a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software. The distribution is based on Ubuntu and is maintained by Lenny Zeltser. REMnux is designed for running services that are useful to emulate within an isolated laboratory environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and directs potentially-malicious connections to the REMnux system that's listening on the appropriate ports. REMnux is also useful for analyzing web-based malware, such as malicious JavaScript, Java programs, and Flash files. It also has tools for analyzing malicious documents, such as Microsoft Office and Adobe PDF files, and utilities for reversing malware through memory forensics. In these cases, malware may be loaded onto REMnux and analyzed directly on the REMnux system w...

Student Arrested for hacking Thailand Prime Minister Accounts Prime Minister Yingluck Shinawatra's personal Twitter account was hacked on October 2nd, 2011 in what officials said was possibly part of a conspiracy to embarrass the government. Police in Thailand have arrested a university student who is said to have admitted hacking into the Prime Minister's Twitter account and posting messages accusing her of incompetence. 22-year-old Aekawit Thongdeeworakul, a fourth year architecture student at Chulalongkorn University, could face up to two years in prison if found guilty of illegally accessing computer systems without authorization.

HashCodeCracker v1.2 Video Tutorials Available Hash Code Cracker V 1.2 was Released last week by BreakTheSecurity. This software will crack the MD5, SHA1,NTLM(Windows Password) hash codes. No need to install. Supports All platforms(windows XP/7,Linux,..). How to Run Hash Code Cracker Jar using Command Prompt~Password Cracking How to start Hash Code Cracker Jar with double Click~Password Cracking How to Crack the Password using Online Cracker Hash Code Cracker v1.2? Download  here  or from  here

WebCookiesSniffer - New cookies sniffer/viewer utility WebCookiesSniffer is a new packet sniffer utility that captures all web site cookies sent between the web browser and the web server and displays them in a simple cookies table. The upper pane of WebCookiesSniffer displays the cookie string and the web site/host name that sent or received this cookie. When selecting a cookie string in the upper pane, WebCookiesSniffer parses the cookie string and displays the cookies as name-value format in the lower pane. Except of a capture driver needed for capturing network packets, WebCookiesSniffer doesn't require any installation process or additional dll files. In order to start using it, simply run the executable file - WebCookiesSniffer.exe After running WebCookiesSniffer in the first time, the 'Capture Options' window appears on the screen, and you're asked to choose the capture method and the desired network adapter. The next time you use WebCookiesSniffer, it'...

BlackBerry Security Guide by Incident Response Team ( BBSIRT ) On September 30th, we reported that a Russian security company Elcomsoft , has upgraded a phone-password cracking suite with the ability to figure out the master device password for Research in Motion's BlackBerry devices. In response to this, BlackBerry Security Incident Response Team (BBSIRT) released a small Security guide for Blackberry users: The Elcomsoft tool uses a brute-force attack to guess the smartphone password by attempting to decrypt the contents of a media card that has been removed from the smartphone. For this tool to do what Elcomsoft claims, an IT administrator or the smartphone user must have chosen to encrypt the contents of the media card with the smartphone password only. Furthermore, an attacker must have access to the media card from the smartphone, and the tool would have to successfully guess the password. To then use the password to unlock the smartphone, that attacker would also have to...

NSS Labs offers Bounties for exploits ExploitHub, which operates a penetration-testing site and is run by NSS Labs, announced a bug-bounty program for researchers to develop exploits for 12 high-value vulnerabilities in Microsoft and Adobe products. The company, which has set aside $4,400 in reward money, plans to give $100 to $500 to the first people to submit a working exploit for the vulnerabilities. Ten of the vulnerabilities concern Microsoft's Internet Explorer browser and two were found in Adobe's Flash multimedia program. “ Client-side exploits are the weapons of choice for modern attacks, including spear-phishing and so-called APTs [advanced persistent threats]. Security professionals need to catch up ,” said Rick Moy, NSS Labs CEO. “ This program is designed to accelerate the development of testing tools as well as help researchers do well by doing good .” There is no time limit on entering a winning exploit; the first person who submits a working exploit receiv...

GPU cracks 6 character password in 4 seconds An nVidia GeForce GT220 graphics card, which costs about £30, is capable of cracking strong passwords in a matter of hours. Security experts were able to crack a  6 character password in 4 seconds, a 7 character password in less than 5 minutes, and 8 character password in four hours. " People have worked out that the processing power of graphics cards, due to the architecture of the chips, is more powerful than a normal processor for doing certain tasks ," said Neil Lathwood, IT director at UKFast.