Apple update: Meltdown and Spectre flaws resolved

Apple update: Meltdown and Spectre flaws resolved. 2018 kicked off with a bang security-wise, thanks to the announcement of the serious Meltdown and Spectre flaws found in processors used across a wide range of computers and smartphones.

The story quickly developed from a design flaw in Intel CPUs, one that could allow malicious code to read information supposedly held in “protected” areas of your computer’s memory, into an issue that also affects ARM and AMD chips.

To Apple’s credit, it had already started to tackle the problems before the security issues were made public. macOS 10.13.2, released last month, mitigated the effects of Meltdown (which affects only Intel processors), and iOS 11.2 tackled Spectre for iPad and iPhone users.

But the newly released macOS High Sierra 10.13.2 and iOS 11.2.2 updates take things an important step further, closing the door on the Spectre vulnerability being exploited through JavaScript running in the Safari browser.

It really is important to keep browsers patched – as they are an obvious route through which an attacker could successfully execute code on your computer. That’s one of the reasons why I am also a strong advocate of users never venturing out onto the web without the added protection of an ad blocker.

It’s your computer, your sensitive information, your passwords. Opening yourself up to some of the wildness that can lurk on websites and, in particular, poisoned ads, and allowing them to run code willy-nilly, is a very dangerous game to play.

Even if Meltdown and Spectre have not, as far as we know, been actively exploited in malicious attacks, it still makes sense to protect against the problems as well as we can.

So, iPhone and iPad users can rest a little more easily today (provided they’ve applied the update, of course!).

Which leaves me wondering about those hundreds of millions of Android users, many of whom have been neglected for years without seeing hide nor hair of a security update.

My guess is that the latest and most expensive Android devices from leading vendors will receive an update in due course, but many others will be left in the lurch.

Most Popular Training Courses at Indian Cyber Security Solutions

Summer Training for CSE, IT, BCA & MCA Students 

Network Penetration Tester Training

Ethical Hacking  training

Python Programming training

 RHCE  training

CEH V9  training

Diploma in Network Security Training

Secure Coding in Java

Diploma in Web Application Security 

Certified Web Application Penetration Tester 

Certified Android Penetration Tester 

Certified Python Programming 

Advanced Python Training 

Reverse Engineering Training  

Amazon Web Services Training  

VMware Training 

Digital marketing

CCNA training

Location tracking services vulnerabilities allow access to unauthorized GPS location data

Location tracking services vulnerabilities allow access to unauthorized GPS location data. Security researchers have published a report on a series of flaws, which they have named “Trackmageddon”, that affect many GPS and location tracking services. These security defects could let attackers expose sensitive information on millions of online location tracking devices managed by vulnerable GPS services.

Attackers can use the Trackmageddon flaws to expose data such as GPS coordinates, location history, device model and type, serial number, mobile number and possibly personal data, depending on the tracking service and device configuration.

They can gain access to this information by using default credentials (such as “123456”) and through insecure direct object reference vulnerabilities, which let an authenticated attacker reach other users’ accounts simply by modifying the value of a parameter in the URL.
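An added example, not code from the researchers or from any affected service, showing the insecure direct object reference pattern above beside a hardened handler in Python; the device ids, account names, coordinates and the audit-log shape are constructed for the demonstration.

```python
"""Added example (not from the original article or any affected vendor):
an insecure direct object reference in a GPS tracking API, beside a
hardened handler. The vulnerable version trusts the device id taken from
the URL; the hardened version checks it against server-side ownership and
logs every denial so that cross-account probing is visible.

Device ids, account names and coordinates are constructed sample data."""
from dataclasses import dataclass, field

# Constructed sample data: each tracker's owner and last reported position.
DEVICES = {
    "dev-1001": {"owner": "alice", "model": "TK-100", "lat": 51.5074, "lon": -0.1278},
    "dev-2002": {"owner": "bob", "model": "TK-200", "lat": 48.8566, "lon": 2.3522},
}
# Factory defaults of the kind the researchers found still in use.
DEFAULT_PASSWORDS = {"123456", "password", "admin"}


class Forbidden(Exception):
    """Raised when a user asks for a device that is not theirs."""


@dataclass
class Session:
    user: str  # identity established at login, never taken from the URL


@dataclass
class AuditLog:
    events: list = field(default_factory=list)


def get_device_insecure(session: Session, device_id: str) -> dict:
    """Vulnerable: the only check is that the record exists. Any logged-in
    user who edits device_id in the URL reads another customer's data."""
    return DEVICES[device_id]


def get_device_secure(session: Session, device_id: str, audit: AuditLog) -> dict:
    """Hardened: authorize against ownership held server-side, and record
    every denial so a user walking through ids shows up in the audit trail."""
    device = DEVICES.get(device_id)
    if device is None or device["owner"] != session.user:
        audit.events.append(("denied", session.user, device_id))
        # Same response for "not yours" and "does not exist", so the API
        # does not confirm which ids are valid.
        raise Forbidden("device not found")
    return device


def try_get_device_secure(session: Session, device_id: str, audit: AuditLog):
    """Convenience wrapper: the record on success, None when access is denied."""
    try:
        return get_device_secure(session, device_id, audit)
    except Forbidden:
        return None


def password_is_default(password: str) -> bool:
    """Login-time check: refuse the well-known factory defaults."""
    return password in DEFAULT_PASSWORDS
```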

The researchers tried to contact the vendors behind the affected tracking services to inform them of the severity of these security flaws. They have published a list of services that patched or may have patched the vulnerabilities, a list of services still exposing data, and a list of vulnerable devices.

What’s more, on some online services an unauthorized third party can also access photos and audio recordings uploaded by location tracking devices.

According to the researchers, one of the largest global vendors for GPS tracking devices, ThinkRace, may have been the original developer of the flawed location tracking online service software and seller of licenses to the software.

Opera browser update to combat cryptocurrency mining

Opera browser update to combat cryptocurrency mining. The last year has seen a rise in the number of websites hogging visitors’ CPU and browser resources by surreptitiously mining for cryptocurrencies while they surf.

Sites like Pirate Bay have found themselves in hot water after visitors discovered the site had added CoinHive’s crypto-mining tool, which, according to the company’s marketing materials, allows you to “monetize your business with your users’ CPU power.”

Crypto-mining may be a way for websites to generate income if they’ve found that alternative methods (such as advertising, subscriptions, or sponsorship) don’t work for them, but the impact on visiting computers is typically too much for many users to bear, and it is particularly unforgivable if the CPU-intensive calculations are being done without consent.

Some sites have even used the dirty trick of continuing to crypto-mine after the user has left their site, by opening a “pop-under” window hidden beneath the browser.

Opera recently announced that its upcoming Opera 50 release (currently in beta) contains an anti-cryptocurrency-mining feature that will surely be well received by the majority of users.

“Bitcoins are really hot right now, but did you know that they might actually be making your computer hotter? Your CPU suddenly working at 100 percent capacity, the fan is going crazy for seemingly no reason and your battery quickly depleting might all be signs that someone is using your computer to mine for the cryptocurrency,” said Opera’s Kornelia Mielczarczyk.

As Opera explains, the new “NoCoin” cryptocurrency-mining protection is provided via the browser’s integrated ad blocker and can be enabled simply by selecting it under the recommended list of ad filters. Opera claims that having the feature enabled dramatically reduces CPU usage when visiting sites containing crypto-mining code.

It’s worth bearing in mind that even if you don’t use the Opera browser it’s possible to block crypto-mining through third-party ad blockers that subscribe to the NoCoin filtering list.

Automatic autofill of credentials, is it really safe?

Automatic autofill of credentials, is it really safe? Trackers have been found silently grabbing your information as you surf the web.

Is your browser’s built-in login manager leaking your username (and possibly your password too)?

Researchers at Princeton’s Centre for Information Technology Policy have uncovered two third-party tracking scripts that can scoop up information provided by your browser’s login manager to create a persistent identifier tracking you as you move between web pages.

Here’s how it happens:

  • You visit a webpage and fill out a login form. Your browser asks you if you want to save the login details.
  • Later, you visit a different page on the same website, which includes the third-party tracking script. The tracking script inserts a login form that is invisible to the naked eye onto the webpage, and your browser’s password manager automatically fills in your credentials.
  • The third-party script snaffles up your email address from the invisible form’s field and sends a hash to a third-party server.

What’s the solution? Simple. Don’t use a login manager that autofills forms without your explicit permission. You might be wiser using a product like 1Password, which its developers confirm was designed to always insist on user approval before filling forms.

If you allow your browser to automatically submit your username and password into forms silently and invisibly, there is always the danger that a malicious site or script may steal the information.

The two scripts spotted by the Princeton researchers, Ad Think and On Audience, appear to have been designed to grab hashed usernames to identify web visitors for ad-tracking purposes, but there is no technical reason why the same approach couldn’t also be used to steal autofilled passwords.

The researchers have built an online demo, where you can test whether you might be vulnerable.

It should go without saying – don’t enter real credentials on that demo page!

phpMyAdmin – A critical security vulnerability has been reported

phpMyAdmin – A critical security vulnerability has been reported in one of the most popular applications for managing MySQL databases, which could allow remote attackers to perform dangerous database operations just by tricking administrators into clicking a link.

Discovered by an Indian security researcher, Ashutosh Barot, the vulnerability is a cross-site request forgery (CSRF) attack and affects phpMyAdmin versions 4.7.x (prior to 4.7.7).

Cross-site request forgery, also known as XSRF, is an attack in which an attacker tricks an authenticated user into executing an unwanted action.

According to an advisory released by phpMyAdmin, “by deceiving a user to click on a crafted URL, it is possible to perform harmful database operations such as deleting records, dropping/truncating tables, etc.”

phpMyAdmin is a free and open source administration tool for MySQL and MariaDB and is widely used to manage the database for websites created with WordPress, Joomla, and many other content management platforms.

Moreover, a lot of hosting providers use phpMyAdmin to offer their customers a convenient way to organize their databases.

Barot has also released a video, as shown above, demonstrating how a remote attacker can make database admins unknowingly delete (DROP) an entire table from the database just by tricking them into clicking a specially crafted link.

“A feature of phpMyAdmin was using a GET request and after that POST request for Database operations such as DROP TABLE table_name; GET requests must be protected against CSRF attacks. In this case, POST requests were used which were sent through URL (for bookmarking purposes, maybe); it was possible for an attacker to trick a database admin into clicking a button and perform a drop table database query of the attacker’s choice,” Barot explains in a blog post.

However, performing this attack is not as simple as it may sound. To prepare a CSRF attack URL, the attacker needs to know the name of the targeted database and table.

“If a user executes a query on the database by clicking insert, DROP, etc. buttons, the URL will contain database name and table name,” Barot says. “This vulnerability can result in the disclosure of sensitive information as the URL is stored at various places such as browser history, SIEM logs, Firewall Logs, ISP Logs, etc.”

Barot reported the vulnerability to the phpMyAdmin developers, who confirmed his finding and released phpMyAdmin 4.7.7 to address the issue, so administrators are strongly advised to update their installations as soon as possible.
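The defence the advisory implies, as an added example rather than phpMyAdmin’s own code: a destructive operation accepted from any request that names a database and table, beside a handler that requires a POST carrying a per-session token. The Request class, the EXECUTED list and all names are constructed stand-ins for a web framework and a database.

```python
"""Added example (not from the original article or the phpMyAdmin project):
the anti-CSRF pattern the advisory describes, modelled in plain Python.

A small Request class stands in for the web framework and a list stands in
for the database. The vulnerable handler performs a destructive operation
for any request naming a database and table, which is what lets a crafted
link act with a logged-in administrator's privileges. The hardened handler
accepts only a POST carrying a per-session token. All names are constructed."""
import hmac
import secrets
from dataclasses import dataclass

EXECUTED = []  # stands in for the database: every statement that "ran"


@dataclass
class Request:
    method: str
    params: dict   # query string for GET, form body for POST
    session: dict  # server-side session of the logged-in admin


def run_sql(op: str, db: str, table: str) -> None:
    # Identifiers are passed separately; real code must still validate them.
    EXECUTED.append((op, db, table))


def reset_executed() -> None:
    EXECUTED.clear()


def drop_table_vulnerable(req: Request) -> str:
    """Vulnerable: neither the method nor a token ties the request to a
    deliberate action, so a link the admin merely clicks is indistinguishable
    from a form they knowingly submitted."""
    run_sql("DROP TABLE", req.params["db"], req.params["table"])
    return "dropped"


def issue_csrf_token(session: dict) -> str:
    """Create one random token per session and keep it server-side; the
    legitimate form embeds it in a hidden field."""
    session.setdefault("csrf_token", secrets.token_urlsafe(32))
    return session["csrf_token"]


def drop_table_hardened(req: Request) -> str:
    """Hardened: state-changing operations only over POST, and only when the
    submitted token matches the session's (constant-time compare). Refusing
    GET also keeps database and table names out of browser history and proxy
    logs, the disclosure the researcher pointed out."""
    if req.method != "POST":
        return "405 method not allowed"
    expected = req.session.get("csrf_token")
    supplied = req.params.get("token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return "403 invalid CSRF token"
    run_sql("DROP TABLE", req.params["db"], req.params["table"])
    return "dropped"
```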

Forever 21 payment card breached

Forever 21 payment card breached. First notified of a data breach incident in November, popular clothing retailer Forever 21 has now confirmed that hackers stole credit card information from its stores throughout the country for several months during 2017.

Although the company did not yet specify the total number of its customers affected by the breach, it did confirm that malware was installed on some point of sale (POS) systems in stores across the U.S. at varying times between April 3, 2017, and November 18, 2017.

According to the company’s investigation, which is still ongoing, the malware was designed to search for and likely steal sensitive customer credit card data, including credit card numbers, expiration dates, verification codes and, in some cases, cardholder names.

Forever 21 has been using encryption technology since 2015 to protect its payment processing systems, but during the investigation, the company found that some POS terminals at certain stores had their encryption switched off, which allowed hackers to install the malware.

However, according to the company, not every POS terminal in affected stores was infected with the malware, and not every store was impacted for the full period (roughly 8 months) of the breach.

In fact, in some cases, payment card data stored in certain system logs before April 3rd was also exposed in the breach.

“Each Forever 21 store has multiple POS devices, and in most instances, only one or a few of the POS devices were involved. Additionally, Forever 21 stores have a device that keeps a log of completed payment card transaction authorizations,” the company said while explaining the incident.

“When encryption was off, payment card data was being stored in this log. In a group of stores that were involved in this incident, malware was installed on the log devices that was capable of finding payment card data from the logs, so if encryption was off on a POS device prior to April 3, 2017, and that data was still present in the log file at one of these stores, the malware could have found that data.”

The company also assured its online customers that payment cards used on its website (forever21.com) were not affected by the breach.
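An added example, not part of Forever 21’s statement, of a control for the failure mode it describes: scanning the authorization log for plaintext, Luhn-valid card numbers, which in this setup points to a terminal whose encryption is off. The log lines, terminal names and token values are constructed; the card numbers are standard public test numbers.

```python
"""Added example (not from Forever 21's statement): a check for the failure
mode it describes, a transaction-authorization log that silently starts to
hold plaintext card data once encryption on a terminal is switched off.

Scanning such logs for Luhn-valid card numbers is a routine control; the
point here is what a hit means: an unencrypted terminal upstream. The log
lines are constructed and the card numbers are the usual public test numbers."""
import re

# 13 to 19 digits, optionally separated by spaces or dashes, not inside a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the usual form for reporting a hit."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_plaintext_pans(log_text: str):
    """Return (line_number, masked_pan) for every Luhn-valid card number found."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits


# Constructed log: tokenised entries from an encrypting terminal (POS-03) and
# plaintext entries from one whose encryption is off (POS-07). The 13-digit
# reference on the last line is not Luhn-valid and must not be reported.
SAMPLE_LOG = """\
2017-06-01T10:02:11 term=POS-03 auth=OK token=tok_6f3a9c1e amount=42.10
2017-06-01T10:05:47 term=POS-07 auth=OK pan=4111 1111 1111 1111 exp=0919 amount=19.99
2017-06-01T10:06:02 term=POS-07 auth=DECLINED pan=5555555555554444 amount=250.00
2017-06-01T10:07:30 term=POS-03 auth=OK token=tok_91bd02aa amount=7.50
2017-06-01T10:09:15 term=POS-07 ref=1234567890123 amount=3.00
"""

if __name__ == "__main__":
    for lineno, masked in find_plaintext_pans(SAMPLE_LOG):
        print(f"line {lineno}: plaintext card number {masked}")
```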

Since payment processing systems outside of the United States work differently, they should not be impacted by the security breach, but the retailer said it’s still investigating whether non-US stores were affected.

Forever 21 advised customers who shopped at its stores to stay vigilant, keep an eye on their card transactions for any suspicious activity, and immediately notify the bank that issued the card if they find any.

The company has promised to continue working with “security firms to enhance” their security measures.

This breach is yet another embarrassing incident disclosed recently, following Disqus’ disclosure of a 5-year-old breach of over 17.5 million Disqus users and Yahoo’s revelation that its 2013 data breach affected all of its 3 billion users.

The recent incidents also include Equifax’s revelation of a breach of potentially 145.5 million customers, U.S. Securities and Exchange Commission (SEC) disclosure of a data breach that profited hackers, and Deloitte’s disclosure of a cyber attack that led to the theft of its clients’ private emails and documents.

Password Managers can be exploited using Web Trackers

Password Managers exploited using web trackers. This kind of abuse is possible because of a configuration flaw in the login handlers included with all browsers: the login managers that allow a browser to remember a user’s username and password for particular sites and auto-insert them into the login fields when the user revisits that site.

Experts say that web trackers can install hidden login forms on any site where their tracking scripts are loaded. Because of the way login handlers work, the browser will fill these fields with the user’s login information, such as username and password.

The trick is an old one, known for more than a decade, but until now it has only been employed by hackers trying to collect login data during XSS (cross-site scripting) attacks.

Princeton researchers say they have now found two web tracking services that use hidden login forms to collect login information.

Fortunately, neither of the two services collected password information, only the user’s username or email address, depending on what each site uses for the login process.

The two services are Adthink and On Audience, and the Princeton researchers said they identified scripts from these two that collected login info on 1,110 sites on the Alexa Top 1 Million list.

In this particular case, the two companies were extracting the username/email from the login field, hashing it, and tying that hash to the site visitor’s existing advertising profile.

Email addresses are unique and persistent, and thus the hash of an email address is an excellent tracking identifier. A user’s email address will essentially never change; clearing cookies, using private browsing mode, or switching devices won’t stop the tracking. The hash of an email address can be used to join up the pieces of an online profile scattered across different browsers, devices, and mobile apps.

Researchers from the Princeton Center for Information Technology Policy (CITP) also produced a demo page where users can test, using false credentials, whether their browser’s login manager fills in the hidden field.
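Both this post and the “Automatic autofill of credentials” post above describe trackers injecting invisible login forms for the browser’s login manager to fill. The following scanner, an added example rather than code from the Princeton researchers or either post, flags credential forms that a page’s HTML styles to be invisible; the sample page and the tracker.example host are constructed.

```python
"""Added example (not from the Princeton researchers or the original posts):
a scanner that flags the kind of hidden login form described above, which a
tracking script injects so the browser's login manager will fill it.

It parses a page's HTML with Python's standard-library parser and reports any
<form> carrying a credential-type field that is styled to be invisible. The
sample page and the tracker.example host are constructed for the demo."""
import re
from html.parser import HTMLParser

# Inline style fragments that take an element out of the user's view.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|(?:left|top)\s*:\s*-\d{3,}px",
    re.I,
)
CREDENTIAL_TYPE = re.compile(r"^(?:email|password)$", re.I)
CREDENTIAL_NAME = re.compile(r"user|login|email|pass", re.I)


class HiddenFormFinder(HTMLParser):
    """Tracks open <form> elements and the credential inputs inside them."""

    def __init__(self):
        super().__init__()
        self.open_forms = []
        self.findings = []

    @staticmethod
    def _styled_hidden(attrs: dict) -> bool:
        return ("hidden" in attrs
                or attrs.get("aria-hidden") == "true"
                or bool(HIDDEN_STYLE.search(attrs.get("style") or "")))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # valueless attributes such as `hidden` map to None
        if tag == "form":
            self.open_forms.append({
                "id": a.get("id") or a.get("name") or "<anonymous>",
                "action": a.get("action") or "",
                "hidden": self._styled_hidden(a),
                "cred_fields": [],
            })
        elif tag == "input" and self.open_forms:
            form = self.open_forms[-1]
            itype = a.get("type") or "text"
            name = (a.get("name") or "") + (a.get("id") or "")
            if CREDENTIAL_TYPE.match(itype) or CREDENTIAL_NAME.search(name):
                form["cred_fields"].append(name or itype)
            if self._styled_hidden(a):   # the inputs may be hidden instead of the form
                form["hidden"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self.open_forms:
            form = self.open_forms.pop()
            if form["hidden"] and form["cred_fields"]:
                self.findings.append(form)


def find_hidden_login_forms(html: str) -> list:
    """Return one record per invisible form that contains credential fields."""
    parser = HiddenFormFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: the site's genuine login form, then a form placed
# off-screen by a third-party script and posting to the tracker's host.
SAMPLE_PAGE = """
<form id="login" action="/login" method="post">
  <input type="email" name="email"> <input type="password" name="pass">
</form>
<div>
<form id="t" action="https://tracker.example/c" style="position:absolute; left:-9999px">
  <input type="text" name="username"> <input type="password" name="password">
</form>
</div>
"""

if __name__ == "__main__":
    for f in find_hidden_login_forms(SAMPLE_PAGE):
        print(f"hidden credential form {f['id']!r} -> {f['action']}: {f['cred_fields']}")
```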

 

Smartphones are hackable using sensors to guess a 4-digit PIN

Smartphones are hackable using sensors to guess a 4-digit PIN. NTU researchers have revealed that smartphones can now be hacked using data collected from their sensors.

Dr. Shivam, a scientist at NTU who recently developed an app that can extract data from smartphones using their sensors, made the finding, and the news has sent shockwaves around the world.

According to research published in the Cryptology ePrint Archive, it is now possible for attackers to unlock smartphones using physical sensors such as the accelerometer, ambient light sensor, and gyroscope.

Smartphones are exposed because these sensors are accessible to every app downloaded onto the phone, and no permission is needed to access them.

What Can NTU’s Software Do?

In its test run, the app succeeded in unlocking the phone with 99% accuracy, and in just 3 tries. It has raised the chance of cracking the code from 74% to 99%.

The app works across all ten thousand possible four-digit PIN combinations.

How Can This App Figure Out a PIN?

As stated earlier, the app relies on the physical sensors and is built on machine learning. When a user enters a code with a finger or thumb, the app records two things about how it was done:

  • How was the phone tilted?
  • How much light was blocked when the user pressed the numbers to enter the code?

Why Should You Worry?

The director of NTU said that since many apps require access to the physical sensors, attackers can use them to their advantage and break into your phone to get at your personal details.

What Should You Do?

Dr. Shivam recommends that all smartphone users lengthen their 4-digit codes and also use other locking methods, such as fingerprint locking. This is a must if you do not want someone to break into your phone.

FBI’s biometric hacked?

FBI’s biometric hacked? The allegations that Russia hacked the 2016 elections in the United States are known to many, but now the biometric data of millions of American citizens may or may not be at risk of being compromised: software used by the Federal Bureau of Investigation (FBI), the Transportation Security Administration (TSA) and 18,000 other American law enforcement agencies to store biometric data carries code developed by a Russian company linked to the Russian government.

According to a report by BuzzFeed, a French company called Sagem Sécurité (now known as Morpho) sold biometric software to the FBI but did not inform the agency that the code used in the software was developed by the Russian firm Papillon AO.

BuzzFeed published the report after two French whistle-blowers who worked for Morpho spoke out and stressed that authorities should be concerned about the presence of Russian code in the software, since Papillon has close ties with several Kremlin security and intelligence agencies, including the KGB’s replacement, the Federal Security Service (FSB).

The New York-based BuzzFeed also reviewed a 2008 contract between Papillon and Morpho covering the purchase of the code, which maintains that it does not carry any backdoor or any “virus, ‘Trojan horse,’ ‘worm,’ or other software routines or hardware components designed to permit unauthorized access, to disable, erase, or otherwise harm the software, hardware, or data.”

Papillon, on the other hand, has also denied the presence of any backdoor in the code. The FBI, however, did not reply to questions asked by BuzzFeed although they did offer a statement in which the agency said: “As is typical for all commercial software that we operate, appropriate security reviews were completed prior to operational deployment.”

An October 2016 report revealed that one out of two American adults is in the FBI’s facial recognition database. Therefore, the use of software provided by a Russian firm with links to the Kremlin should be concerning, BuzzFeed noted.

Recently, the cybersecurity giant and Internet security software provider Kaspersky was banned from providing its products to the US military due to its alleged ties with the Kremlin and its intelligence agency, the FSB. The report also claimed that Russia stole NSA hacking tools using Kaspersky software.

Security vulnerability found in ATM machines running on Windows XP in Russia

Security vulnerability found in ATM machines running on Windows XP in Russia. All ATMs still running Microsoft’s 16-year-old Windows XP operating system are at risk of being hacked easily, as the OS is no longer supported by the Redmond giant except for emergency security patches (for instance, the patch released this year to block the WannaCry ransomware).

An employee of the Russian blogging platform Habrahabr recently discovered that the ATMs operated by the state-owned bank Sberbank and running Windows XP have inherent security vulnerabilities that can easily be exploited by hackers.

According to the user, a full-screen lock that prevents access to various components of the ATM’s operating system could be bypassed by turning on Sticky Keys, which activates when special keys like SHIFT, CTRL, ALT, and WINDOWS are pressed 5 times.

Pressing the SHIFT key 5 times in a row gave access to Windows settings and displayed the taskbar and Start menu of the operating system, giving users deep access to Windows XP from the touchscreen. This vulnerability allows hackers to deploy malicious software or modify ATM boot scripts.

According to the German website WinFuture, Sberbank had been informed of this security vulnerability at its ATMs almost two weeks ago. While the bank promised to fix the problem immediately, the user who discovered the flaw claimed that when he visited the terminal again, the bug still hadn’t been fixed.

Following the security vulnerability found in ATM machines, Microsoft has urged banks to update their ATMs to the latest version of Windows to avoid scams or attacks.
