PROJET AUTOBLOG

The Hacker News

Original site: The Hacker News

Firefox to block all plugins by Default in upcoming release, except Whitelist plugins

Monday, 3 March 2014 at 17:20
The Mozilla Firefox web browser is used by roughly 30% of all Internet users, and the company has been seriously concerned about the security of its users for many years.

To improve the stability, security and performance of the Firefox web browser, Mozilla announced back in 2013 that it planned to enable the 'Click to Play' feature in upcoming Firefox versions, which blocks the most vulnerable plugins, such as Java, by default.

"Plugins are a significant source of poor performance, crashes and security vulnerabilities," Mozilla said.

The 'Click to Play' feature blocks the execution of all plugins automatically, but users found this annoying, so to avoid blocking every plugin by default, Mozilla announced that it would maintain a whitelist of approved plugins.

"By allowing users to decide which sites need to use plugins, Firefox will help protect them and keep their browser running smoothly," said Benjamin Smedberg, Engineering Manager.

Plugin authors can apply for inclusion in the whitelist. Developers have to submit their plugins to Bugzilla using a template, and applications submitted by 31 March 2014 will be reviewed by Mozilla.

Firefox will not start blocking plugins by default any sooner than Firefox 30. If accepted, a plugin will be whitelisted for the next four Firefox releases, i.e. 30 weeks (6 weeks in the beta channel and 24 weeks in the general release channel), with the possibility of applying for a further extension later.

'Adobe Flash' is included in the whitelist by Mozilla; 'security and plugin teams work closely with Adobe to make sure that Firefox users are protected from instability or security issues in the Flash plugin', the company said. However, the 'Java' plugin is excluded from the whitelist because of its continuing security problems and slow performance.

The most widely used web browser, Google Chrome, is also moving in this direction: last January it blocked all NPAPI plugins except Silverlight, Unity, Google Earth and Facebook Video.

Cisco Offers $300,000 Prize For 'Internet of Things' Security Apps

Monday, 3 March 2014 at 15:58
In the last few years the emerging domain of the Internet of Things has attracted significant interest, and will continue to do so for years to come. It is expected to be a $20 trillion market over the next several years, but security and privacy are the key issues for such applications and still face enormous challenges.

Cisco has announced a global, industry-wide initiative to bring the security community and researchers together to contribute to securing the Internet of Things (IoT), launching a contest called the "Internet of Things Grand Security Challenge" with prizes of up to $300,000 for the winners.

Smart devices are growing at an exponential pace, with more and more connected devices embedded in cars, retail systems, refrigerators, televisions and countless other things people use in everyday life, and their number is expected to reach 50 billion by 2020. So, in an effort to deliver the security solutions necessary to protect the increasing range of connected devices in the Internet of Things, Cisco has challenged security experts around the world.

"We're connecting more of our world every day through smart, IP-enabled devices ranging from home appliances, healthcare devices, and industrial equipment. These new connected devices are offering new ways to share information and are changing the way we live," reads the blog post.

The contest was announced by Christopher Young, senior vice president of the security group at Cisco, in his keynote at this week's RSA Conference. He said the idea is "a contest of experts around the world to submit blueprints" for how the security issues created by the Internet of Things could be addressed.

It is expected that up to six winning entries will be selected, and that prize money of $50,000 to $75,000 will be awarded by Cisco to the winning contestants at the Internet of Things Forum in the fall.

A Cisco team of security experts will evaluate proposals based on the following criteria:

  • Feasibility, scalability, performance, and ease-of-use
  • Applicability to address multiple IoT verticals (manufacturing, mass transportation, healthcare, oil and gas, smart grid, etc.)
  • Technical maturity/viability of the proposed approach
  • Proposers’ expertise and ability to feasibly create a successful outcome

About a month ago, we reported how hundreds of thousands of smart TVs, refrigerators and other smart household appliances were compromised by hackers to send out malicious spam emails.

So, in future the "Internet of Things" could become an easy weapon for cyber criminals to launch large-scale cyber attacks, and to protect ourselves we need good, effective security solutions, to which Cisco is contributing in its own way.

The winners of the Internet of Things Security Grand Challenge will be named in the northern autumn of 2014 by Cisco's evaluation panel.

Russia Today (RT) Hacked, "Russian" replaced with "Nazi" in News Headlines

Sunday, 2 March 2014 at 10:00
'Russia Today', Russia's biggest news channel, based in Moscow, has had its website (RT.com) hacked and defaced by an unknown group of hackers. The hackers replaced the words "Russia" or "Russians" with "Nazi" or "Nazis" in the headlines, as shown.


"RT website has been hacked, we are working to resolve the problem," Russia Today tweeted from its official Twitter account.

One modified headline read: "Russian Senators Vote To Use Stabilizing Nazi Forces on Ukrainian territory."

Another modified headline stated: "Up to 143,000 Nazis requested asylum in Russia in two weeks."

The changes to the 'Russia Today' website remained in place for nearly 30 minutes, and at the time of reporting the site had been restored. "Hackers deface http://RT.com website, crack admin access, place "Nazi" in every headline. Back to normal now," RT acknowledged.

Recently the Anonymous group also announced '#OpRussia' in support of the Ukrainian protesters, and under the #OpRussia banner Anonymous hackers are hacking and defacing hundreds of Russian websites today.

The hackers targeted the website after the Russian parliament approved the use of military force in Ukraine's Crimea. Russia Today is funded and supported by the Government of the Russian Federation, and the website may have been hacked by a pro-Ukraine group of hackers.

Yahoo vulnerability allows Hacker to delete 1.5 million records from Database

Saturday, 1 March 2014 at 12:30
Yahoo!, the 4th most visited website on the Internet, has been found vulnerable multiple times, and this time a hacker has claimed to have spotted a critical vulnerability in the Yahoo! sub-domain 'suggestions.yahoo.com' which could allow an attacker to delete all the posted threads and comments on Yahoo's Suggestion Board website.

Egyptian cyber security analyst Ibrahim Raafat found an 'Insecure Direct Object Reference' vulnerability in Yahoo's website and demonstrated it on his blog.

Exploiting the flaw escalates the user's privileges, allowing an attacker to delete more than 365,000 posts and 1,155,000 comments from the Yahoo! database. The technical details of the vulnerability are explained below:

Deleting comments: While deleting his own comment, Ibrahim noticed the parameters of the HTTP POST request, i.e.
prop=addressbook&fid=367443&crumb=Q4.PSLBfBe.&cid=1236547890&cmd=delete_comment
Here the parameter 'fid' is the topic ID and 'cid' is the respective comment ID. While testing, he found that changing the fid and cid parameter values allowed him to delete other comments from the forum that were actually posted by other users.

Deleting posts: Next, he also tested the post deletion mechanism and found a similar loophole. A normal HTTP POST request for deleting a post is:
POST cmd=delete_item&crumb=SbWqLz.LDP0
He found that appending the fid (topic ID) parameter to the request allowed him to delete the respective post, even though it was not posted by him, i.e.
POST cmd=delete_item&crumb=SbWqLz.LDP0&fid=xxxxxxxx
Ibrahim reported the flaw to the Yahoo security team and also provided a video demonstration.
A potential attacker with little knowledge of programming could write an automated script to delete all the comments and posts.
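The root cause described above is that the delete handler trusts the fid and cid values from the request and never asks whether the requesting user owns the object; the crumb parameter in the requests is an anti-CSRF token, which does nothing to stop this. The following is an added illustration, not Yahoo's code or Ibrahim Raafat's: a constructed in-memory "suggestion board" with a handler that reproduces the flawed pattern and a hardened version of the same endpoint that performs the missing ownership check. The user names, object IDs and crumb values are invented for the demo.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Constructed sample data standing in for the board's storage.
# Users, IDs and crumbs below are invented for this demo.
@dataclass
class Board:
    posts: dict = field(default_factory=dict)     # fid -> owner
    comments: dict = field(default_factory=dict)  # (fid, cid) -> owner
    crumbs: dict = field(default_factory=dict)    # session user -> anti-CSRF crumb


def make_board() -> Board:
    b = Board()
    b.posts = {"100": "alice", "200": "bob"}
    b.comments = {("100", "1"): "alice", ("200", "2"): "bob", ("200", "3"): "alice"}
    b.crumbs = {"alice": "crumbA", "bob": "crumbB"}
    return b


def parse_body(body: str) -> dict:
    """Flatten an application/x-www-form-urlencoded body to {name: first value}."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def vulnerable_delete(board: Board, session_user: str, body: str) -> int:
    """The flawed pattern: fid/cid from the request are used as-is, so any
    logged-in user can delete any object whose ID they can guess."""
    p = parse_body(body)
    if p.get("crumb") != board.crumbs.get(session_user):
        return 403                                  # the crumb stops CSRF, not IDOR
    if p.get("cmd") == "delete_comment":
        board.comments.pop((p.get("fid"), p.get("cid")), None)
        return 200
    if p.get("cmd") == "delete_item":
        board.posts.pop(p.get("fid"), None)
        return 200
    return 400


def hardened_delete(board: Board, session_user: str, body: str) -> int:
    """Same endpoint with the missing ownership check added."""
    p = parse_body(body)
    if p.get("crumb") != board.crumbs.get(session_user):
        return 403
    cmd = p.get("cmd")
    if cmd == "delete_comment":
        key = (p.get("fid"), p.get("cid"))
        # Resolve the object *through the owner*: a missing object and someone
        # else's object get the same answer, so IDs cannot be enumerated either.
        if board.comments.get(key) != session_user:
            return 404
        del board.comments[key]
        return 200
    if cmd == "delete_item":
        fid = p.get("fid")
        if board.posts.get(fid) != session_user:
            return 404
        del board.posts[fid]
        for key in [k for k in board.comments if k[0] == fid]:
            del board.comments[key]                 # cascade to the post's comments
        return 200
    return 400
```

The hardened handler answers 404 for both "does not exist" and "not yours", which is the usual choice for object-level authorization: it keeps the ownership decision inside the lookup and gives a probing client no signal about which IDs are live. A mass-deletion attempt against it would also show up as a burst of 404s from one session, which is an easy thing to alert on.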

The vulnerability hunter claimed that he received a bug bounty for reporting this security flaw to Yahoo, which has now been fixed by the company.

Tor Instant Messaging Bundle - A New Anonymous and Encrypted messaging Software

Saturday, 1 March 2014 at 11:40
We are living in an era of mass surveillance conducted by government agencies like the NSA and GCHQ, and we ourselves gave them an open invitation, since we all carry a sensor in our pockets that tracks us everywhere we go: the smartphone. Encryption and security are more important today than at any other time in our history, so the best proactive way to keep your tracks clear is to always use only trusted privacy tools and services.

The same folks behind the anonymity tool Tor Browser Bundle are currently working on a new privacy tool called 'Tor Instant Messaging Bundle' (TIMB), which will help you with encrypted communication to keep your online conversations private.

Tor is free software that lets users browse the Internet anonymously; it is mostly used by activists and journalists to conceal their online activities from prying eyes.

Tor Instant Messaging Bundle, or TIMB, is a real-time anonymous chat system that will simply route all of your chat data through Tor's encrypted network, which uses proxy servers to hide the identities of its users, according to documents posted from the Tor Project's 2014 Winter Dev Meeting. The client itself will be built on top of Instantbird, an open source instant messaging service.

The Tor Instant Messaging Bundle will encrypt user messages multiple times, including the destination IP address, making it sufficiently difficult to trace the original source.
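The "encrypted multiple times" wording refers to onion routing: the client wraps a message in one encryption layer per relay, and each relay can strip only its own layer, so it learns the next hop and nothing else. The simulation below is an added example, not code from the Tor Project or TIMB; it uses a toy SHA-256 counter-mode keystream in place of Tor's real ciphers and a constructed three-relay circuit with invented keys, purely so the layering can be run and inspected with the standard library.

```python
import hashlib
import json
import os

# Keys the client would have negotiated with each relay of its circuit.
# Constructed for this demo; real circuits derive fresh keys per circuit.
RELAY_KEYS = {"guard": b"key-guard", "middle": b"key-middle", "exit": b"key-exit"}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from SHA-256. It stands in for a real cipher
    # (Tor uses AES-CTR) only so the example runs without extra libraries.
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(8)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:8], blob[8:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def build_onion(path: list, dest: str, message: str) -> bytes:
    """Client side: wrap the message once per relay, innermost layer first.
    Only the exit's layer carries the destination; every other layer names
    just the next relay, so no single relay sees both ends."""
    layer = toy_encrypt(RELAY_KEYS[path[-1]],
                        json.dumps({"next": dest, "data": message}).encode())
    for i in range(len(path) - 2, -1, -1):
        wrapper = {"next": path[i + 1], "data": layer.hex()}
        layer = toy_encrypt(RELAY_KEYS[path[i]], json.dumps(wrapper).encode())
    return layer


def relay_peel(relay: str, blob: bytes):
    """Relay side: strip one layer. Returns (next_hop, inner) or None when
    this relay's key does not fit, i.e. the layer was not meant for it."""
    try:
        inner = json.loads(toy_decrypt(RELAY_KEYS[relay], blob).decode("utf-8"))
        return inner["next"], inner["data"]
    except (ValueError, KeyError, TypeError):
        return None


def route(path: list, dest: str, message: str):
    """Walk the circuit and record what each relay learned."""
    blob = build_onion(path, dest, message)
    views = []
    for relay in path:
        nxt, data = relay_peel(relay, blob)
        views.append((relay, nxt))
        if relay == path[-1]:
            return views, (nxt, data)       # the exit hands the plaintext to dest
        blob = bytes.fromhex(data)
```

Running route(["guard", "middle", "exit"], "chat.example.org", "hello") returns a per-hop view of [("guard", "middle"), ("middle", "exit"), ("exit", "chat.example.org")]: the guard knows the client but only the next relay, and the exit knows the destination but not the client. The part the article's caveats about TIMB hinge on is visible here too: the exit relay does see the message body, which is why end-to-end encryption such as OTR matters on top of the circuit.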

Governments are engaged in widespread data collection and analysis, using various channels such as cell phone location information, the Internet, camera observation and drones. As technology and analytics advance, mass surveillance opportunities continue to grow. In this context the Tor Instant Messaging Bundle could turn out to be the world's most secure real-time communication tool.
"People in countries where communication for the purpose of activism is met with intimidation, violence, and prosecution will be able to avoid the scrutiny of criminal cartels, corrupt officials, and authoritarian governments," states the Tor TIMB project.
Experimental test builds of the Tor Instant Messaging Bundle (TIMB) are expected to be available by the end of March, but the first experimental release won't include 'Off The Record' (OTR) capability. OTR mode provides strong encryption for instant messaging conversations.
"Tor has grown popular over the past few years as a way of surfing the Web while blocking network surveillance, analysis of your traffic, or other monitoring that threatens personal freedom and privacy, confidential business activities and relationships, and state security," states the Tor Project founders. "The group's work is all the more significant following reports of NSA's foreign and domestic surveillance activities."
But every technology has negative as well as positive aspects, since Tor is also a Deep Web friendly tool that allows hackers and cyber criminals to carry out illicit activities.

It is a matter of concern, but we have to adopt measures to protect our privacy now, as former NSA contractor Edward Snowden said:
"A child born today will grow up with no conception of privacy at all. They’ll never know what it means to have a private moment to themselves an unrecorded, unanalyzed thought. And that’s a problem because privacy matters, privacy is what allows us to determine who we are and who we want to be. Together we can find a better balance, end mass surveillance and remind the government that if it really wants to know how we feel asking is always cheaper than spying."
The NSA has been trying to hack into the Tor network for years, and the FBI was recently caught seizing data from TorMail, an anonymous email service, and trying to use that data to catch hackers.