Monday, April 21, 2014

19-year-old man arrested in Heartbleed privacy breach, hacked SSNs from Revenue Agency Post By- Anand Garg


Right now the Internet is facing a major security threat known as the Heartbleed bug, which has affected almost every popular website we use (Facebook, Google, Yahoo and so on), and in this large breach case a 19-year-old Canadian has been charged with using the Heartbleed bug to steal taxpayer data from the Canada Revenue Agency website.
The Royal Canadian Mounted Police arrested the man, Stephen Arthuro Solis-Reyes, at his home on Tuesday; he has since been released and is staying with his parents in London’s north end.
Solis-Reyes faces charges related to one count of unauthorized use of a computer and one count of mischief in relation to data.
The arrested man is the son of a computer science professor at Western University, CTV News has confirmed.
According to the CRA, it shut down its online services on April 8 after learning that its systems were vulnerable to the Heartbleed bug. On Monday, CRA officials announced that the Social Insurance Numbers of about 900 taxpayers had been taken from CRA systems over a six-hour period by someone exploiting the Heartbleed bug.
“The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible,” Assistant RCMP Commissioner Gilles Michaud said in a statement.
The RCMP confiscated every computer in the London home and analyzed their contents.
The Heartbleed bug was identified by the security company Codenomicon. It affects OpenSSL, one of the most widely used open-source libraries for encrypting Internet communications.
Your secure data can be exploited by hackers through this bug. At the time of publishing this post, not all of the websites affected by this flaw had fixed it.
Reference by- hackersnewsbulletin

TARGETED ATTACK USES HEARTBLEED TO HIJACK VPN SESSIONS POST BY ANAND GARG

A targeted attack against an unnamed organization exploited the Heartbleed OpenSSL vulnerability to hijack web sessions conducted over a virtual private network connection.
Incident response and forensics firm Mandiant shared some details on a recent investigation of an incident that began April 8, one day after Heartbleed was publicly disclosed. Mandiant said the attackers exploited the security vulnerability in OpenSSL running in the client’s SSL VPN concentrator to remotely access active sessions.
This is just the latest in an escalating series of attacks leveraging Heartbleed, which is a problem in OpenSSL’s heartbeat functionality, which if enabled, returns 64KB of memory in plaintext to any client or server requesting a connection. Already, there have been reports of attackers using Heartbleed to steal user names, session IDs, credentials and other data in plaintext. Late last week came the first reports of researchers piecing together enough information to successfully reproduce a private SSL key.
Earlier this week, researchers in Sweden were able to exploit Heartbleed to extract private keys over OpenVPN, an open source VPN software package.
Mandiant’s report today is the first publicly known real-world attack on an organization providing remote access via Heartbleed.
Mandiant said the attacker was able to steal active user session tokens in order to bypass the organization’s multifactor authentication and VPN client software used to validate the authenticity of systems connecting to network resources.
“Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users,” wrote Mandiant investigators Christopher Glyer and Chris DiGiamo. “With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated.”
Since Heartbleed exploits return only 64KB of memory for each heartbeat request, attackers would need to replay an attack over and over to steal any worthwhile data. In this case, Mandiant said an IDS signature specifically written for Heartbleed triggered more than 17,000 alerts during the attack.
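As an added illustration of the condition a Heartbleed IDS signature of the kind Mandiant mentions is looking for (this is constructed example code, not Mandiant's or any IDS vendor's rule), the function below parses one raw TLS record, following the heartbeat message layout from RFC 6520, and flags a heartbeat whose declared payload length does not fit in the bytes the record actually carries. That is the same bound the patched OpenSSL (1.0.1g) enforces before answering a heartbeat; the two sample records are constructed, not captured traffic.

```python
import struct

TLS_HEARTBEAT = 24  # TLS record content type for the heartbeat extension (RFC 6520)
MIN_PADDING = 16    # RFC 6520: at least 16 bytes of padding follow the payload


def check_tls_record(record: bytes) -> dict:
    """Inspect one raw TLS record (5-byte header plus body).

    Returns a dict with 'heartbeat' (is this a heartbeat record?), 'alert'
    (should an IDS fire?) and a human-readable 'reason'.
    """
    if len(record) < 5:
        return {"heartbeat": False, "alert": False, "reason": "truncated record header"}
    content_type, _version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return {"heartbeat": False, "alert": False, "reason": "not a heartbeat record"}
    body = record[5:5 + record_len]
    # A heartbeat message is: type (1 byte), payload_length (2 bytes), payload, padding.
    if len(body) < 3:
        return {"heartbeat": True, "alert": True, "reason": "heartbeat body shorter than its header"}
    hb_type = body[0]
    declared_len = struct.unpack("!H", body[1:3])[0]
    carried = len(body) - 3  # bytes of payload + padding actually present
    # The patched OpenSSL check: 1 + 2 + payload_length + 16 must not exceed the record length.
    # A vulnerable build trusted declared_len and copied that many bytes from its own heap.
    if declared_len + MIN_PADDING > carried:
        return {"heartbeat": True, "alert": True, "type": hb_type,
                "reason": f"declares {declared_len} payload bytes but only {carried} bytes follow"}
    return {"heartbeat": True, "alert": False, "type": hb_type, "reason": "lengths consistent"}


def count_alerts(records) -> int:
    """Run the check over a sequence of records and count how many would alert."""
    return sum(1 for r in records if check_tls_record(r)["alert"])


# Constructed sample records (not captured traffic):
# a well-formed heartbeat request carrying 4 payload bytes plus 16 bytes of padding ...
WELL_FORMED = (bytes([TLS_HEARTBEAT, 3, 1]) + struct.pack("!H", 23)
               + bytes([1]) + struct.pack("!H", 4) + b"ping" + b"\x00" * 16)
# ... and one whose 2-byte length field claims far more than the record holds.
MALFORMED = bytes([TLS_HEARTBEAT, 3, 1]) + struct.pack("!H", 3) + bytes([1]) + struct.pack("!H", 0x4000)

if __name__ == "__main__":
    for rec in (WELL_FORMED, MALFORMED):
        print(check_tls_record(rec)["reason"])
```

Because each malformed request can only pull one record's worth of memory, an attacker has to repeat it, which is why a single signature produced the thousands of alerts described above; counting alerts per source IP over time is the natural next aggregation.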
While heartbeat requests don’t leave a trace, Mandiant said it was able to find evidence of the attacks not only from the IDS alerts, but also from the company’s VPN logs. Specifically, it said a malicious IP address triggered the IDS alerts as the attacker tried to reach the company’s SSL VPN. The key evidence was in the VPN logs, which showed active VPN connections changing rapidly—sometimes within seconds of each other—between the attacker’s IP address and the user’s legitimate one; geographically too, the IP addresses were distant, Mandiant said, and they belonged to different ISPs. Mandiant said it was also able to correlate those IDS alerts with the connection changes in the VPN logs.
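The VPN-log evidence described above can be reproduced as a simple correlation check. The following is an added example, not Mandiant's tooling: it assumes a constructed key=value log format (timestamp, user, session id, source address) and a 60-second threshold, groups events by session, and reports sessions whose source address changes within that window, marking whether either address also appears in the IDS alert set.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed VPN session log (documentation-range addresses; not real data).
VPN_LOG = """\
2014-04-08T14:02:11Z user=alice sid=7f21 src=203.0.113.10 msg=session-active
2014-04-08T14:02:19Z user=alice sid=7f21 src=198.51.100.77 msg=session-active
2014-04-08T14:02:24Z user=alice sid=7f21 src=203.0.113.10 msg=session-active
2014-04-08T14:05:40Z user=bob sid=9a03 src=192.0.2.55 msg=session-active
2014-04-08T16:31:05Z user=bob sid=9a03 src=192.0.2.55 msg=session-active
2014-04-08T18:00:00Z user=carol sid=c4d2 src=192.0.2.90 msg=session-active
2014-04-08T20:15:00Z user=carol sid=c4d2 src=203.0.113.200 msg=session-active
"""

# Constructed: source addresses the Heartbleed IDS signature fired on.
IDS_ALERT_IPS = {"198.51.100.77"}

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) sid=(?P<sid>\S+) src=(?P<src>\S+)")


def parse_vpn_log(text: str) -> list:
    """Turn log lines into (session id, user, timestamp, source ip) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((m["sid"], m["user"], ts, m["src"]))
    return events


def find_session_flips(events, max_gap_seconds=60, ids_alert_ips=frozenset()) -> list:
    """Report sessions whose source address changes within max_gap_seconds.

    A legitimate roaming user changes address occasionally; an active session
    alternating between two addresses seconds apart is the hijack pattern.
    """
    by_session = defaultdict(list)
    for sid, user, ts, src in events:
        by_session[sid].append((ts, user, src))
    findings = []
    for sid, evs in by_session.items():
        evs.sort()
        for (t0, user, ip0), (t1, _, ip1) in zip(evs, evs[1:]):
            if ip0 == ip1:
                continue
            gap = (t1 - t0).total_seconds()
            if gap <= max_gap_seconds:
                findings.append({"sid": sid, "user": user, "from": ip0, "to": ip1, "gap_s": gap,
                                 "ids_match": ip0 in ids_alert_ips or ip1 in ids_alert_ips})
    return findings


if __name__ == "__main__":
    for f in find_session_flips(parse_vpn_log(VPN_LOG), ids_alert_ips=IDS_ALERT_IPS):
        print(f)
```

In the sample, alice's session flips between two addresses 8 and 5 seconds apart (both flagged, and one address matches the IDS set), while carol's single change more than two hours later is below the threshold and bob never changes. Enriching the two addresses with ASN and geolocation, as Mandiant did, is the natural follow-up.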
“Once connected to the VPN, the attacker attempted to move laterally and escalate their privileges with the Heartbleed bug,” Glyer and DiGiamo wrote.
Reference by- threatpost

162,000 WORDPRESS SITES USED IN DDOS ATTACK

More than 162,000 “popular and clean” WordPress sites were recently used in a large-scale distributed denial of service attack (DDoS) that exploited the content management system’s pingback feature.
While the WordPress team is aware of the issue, it’s not expected to be patched, as pingback is a default feature of WordPress, not a flaw, meaning it’s a problem that will likely be left to site developers to mitigate.

Daniel Cid, the CTO of security firm Sucuri, described the attack, which took down an undisclosed website belonging to one of the firm’s clients, in a blog post on Monday.
According to Cid, the attack appears to have used the application-layer (Layer 7) HTTP flood style of DDoS, which is harder to detect because the requests look like they’re coming from legitimate sites.
In this case they were legitimate sites, 162,000 of them, sending “random requests at a very large scale” to the site’s server, each with a randomized query value that bypassed the cache and forced a full page load every time, bogging the site down.
Unlike conventional DDoS attacks that use NTP and DNS, this attack, reflective in nature, used the websites as indirect source amplification vectors. While WordPress sites were the victim this time around, experts say any site could technically be tweaked to dole out this kind of flood attack.
“We would likely have detected a lot more sites, but we decided we had seen enough and blocked the requests at the edge firewall, mostly to avoid filling the logs with junk,” Cid wrote.
Since the POST requests were sent to /xmlrpc.php, they’re easy to find in logs, so Cid is encouraging WordPress developers to check theirs to ensure that their sites aren’t vulnerable and being used to attack other WordPress sites.
Users can look through logs for POST requests to the XML-RPC file, like the ones below:
93.174.93.72 - - [09/Mar/2014:20:11:34 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" "POSTREQUEST:\x0A\x0Apingback.ping\x0A\x0A\x0A\x0Ahttp://fastbet99.com/?1698491=8940641\x0A\x0A\x0A\x0A \x0A yoursite.com\x0A \x0A \x0A\x0A\x0A"
94.102.63.238 - - [09/Mar/2014:23:21:01 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" "POSTREQUEST:\x0A\x0Apingback.ping\x0A\x0A \x0A \x0A http://www.guttercleanerlondon.co.uk/?7964015=3863899\x0A \x0A \x0A \x0A \x0A yoursite.com\x0A \x0A \x0A\x0A\x0A"
Developers can also use a scanner the firm released this week to check their logs and tell whether particular WordPress sites are DDoSing other websites.
If such traffic is found, Cid says users can remedy the situation by either disabling XML-RPC pingback or creating a plugin that adds a filter to block this kind of pingback. Users interested in learning more about how to do that can head over to Sucuri’s blog.
As Johannes B. Ullrich, chief technology officer at the SANS Technology Institute adds, removing xmlrpc.php is not a recommended option as it will “break a number of other features that will use the API.”
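The log check Cid recommends can be automated. The script below is an added example, not Sucuri's scanner: it parses combined-format access-log lines shaped like the excerpt above (the sample lines are constructed, with placeholder addresses and made-up target hosts), keeps only POST requests to xmlrpc.php whose body carries a pingback.ping call, and pulls out the URL each pingback names as its source, which in this attack pattern is the site being flooded through your server.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed access-log lines (documentation-range IPs, invented target hosts).
ACCESS_LOG = r"""
203.0.113.8 - - [09/Mar/2014:20:11:34 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" "POSTREQUEST:\x0A\x0Apingback.ping\x0A\x0A\x0A\x0Ahttp://victim-a.example/?1698491=8940641\x0A\x0A\x0A\x0A \x0A yoursite.com\x0A \x0A \x0A\x0A\x0A"
198.51.100.23 - - [09/Mar/2014:20:11:35 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" "POSTREQUEST:\x0A\x0Apingback.ping\x0A\x0A \x0A \x0A http://victim-a.example/?7964015=3863899\x0A \x0A \x0A \x0A \x0A yoursite.com\x0A \x0A \x0A\x0A\x0A"
203.0.113.8 - - [09/Mar/2014:20:11:36 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" "POSTREQUEST:\x0A\x0Apingback.ping\x0A\x0A\x0A\x0Ahttp://victim-b.example/?42=42\x0A\x0A\x0A\x0A \x0A yoursite.com\x0A \x0A \x0A\x0A\x0A"
192.0.2.77 - - [09/Mar/2014:20:12:01 -0400] "POST /xmlrpc.php HTTP/1.0" 200 512 "-" "WordPress/3.8" "POSTREQUEST:\x0A\x0Awp.getUsersBlogs\x0A\x0A"
192.0.2.78 - - [09/Mar/2014:20:12:02 -0400] "GET /index.php HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
"""

# Combined log format plus an optional trailing quoted field holding the logged POST body.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d+) \S+ '
    r'"[^"]*" "[^"]*"(?: "(?P<body>.*)")?$'
)
# The body is logged with escaped newlines (\x0A), so stop a URL at a backslash too.
URL_RE = re.compile(r'https?://[^\s"\\]+')


def find_pingback_requests(log_text: str) -> list:
    """Return one record per inbound pingback.ping call found in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["method"] != "POST" or not m["path"].startswith("/xmlrpc.php"):
            continue
        body = m["body"] or ""
        if "pingback.ping" not in body:
            continue
        url = URL_RE.search(body)
        hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                     "target": url.group(0) if url else None})
    return hits


def targets_by_host(hits) -> list:
    """Which sites this server was asked to 'ping back', most-requested first."""
    return Counter(urlsplit(h["target"]).hostname for h in hits if h["target"]).most_common()


if __name__ == "__main__":
    found = find_pingback_requests(ACCESS_LOG)
    for h in found:
        print(h["ip"], h["status"], h["target"])
    print(targets_by_host(found))
```

A legitimate pingback volume is tiny, so a handful of distinct hosts each named many times, with randomized query strings, is the signal; the wp.getUsersBlogs call and the plain GET in the sample are ignored. The remediation the article points to (dropping pingback.ping through a plugin filter) lives on the PHP side and is not part of this log check.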
Reference by- threatpost

VBULLETIN ZERO DAY USED TO ATTACK POPULAR FORUMS by Anand Garg

A hacker group calling itself Inj3ct0r is taking responsibility for the compromise of more than 860,000 passwords at MacRumors.com as well as a separate attack on vBulletin.com, makers of the vBulletin software powering a number of high-profile forums including MacRumors and Ubuntu Forums.
The Inj3ct0r Team posted on its Facebook page that it had attacked the three sites and found a critical zero-day vulnerability in all versions of vBulletin 4.x.x and 5.x.x.
“We’ve got upload shell in vBulletin server, download database and got root,” the post says.

vBulletin technical support lead Wayne Luke reported the breach late last week in an advisory, urging vBulletin users to change their passwords as well.
“Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password,” Luke wrote. “Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password.”
In the meantime, Black Hat and DEF CON founder Jeff Moss posted to Twitter that the DEF CON forums were temporarily shut down. Inj3ct0r also claims to have used the same zero-day vulnerability in vBulletin to infiltrate the DEF CON forum.
“You are late, we made a backup sites that we care about you too. LOL,” Inj3ct0r posted to Facebook this morning.
Inj3ct0r claims to run a database of exploits and vulnerabilities (www[.]1337day[.]com) that acts as a resource for researchers and security professionals.
“The 1337day team specializes solely in bug research, not malicious actions,” the website says.
Inj3ct0r also claimed responsibility for the MacRumors Forum hack and used the zero-day to obtain a moderator’s password and steal the password database.
The hackers posted to the MacRumors Forum shortly after the attack that they would not leak the password data. Editorial director Arnold Kim confirmed the legitimacy of the post to Threatpost last week; the hackers posted a portion of Kim’s password hash and salt as proof.
Kim quickly alerted users of the breach and he too advised his members to change their passwords, not only on the forum but anywhere else they might have used the same password.
“We’re not going to ‘leak’ anything. There’s no reason for us to. There’s no fun in that. Don’t believe us if you don’t want to, we honestly could not care less,” the hacker wrote. “We’re not ‘mass cracking’ the hashes. It doesn’t take long whatsoever to run a hash through hashcat with a few dictionaries and salts, and get results.”
In the same post last week, the hacker also hinted that version 3.x.x of vBulletin was more secure than later releases and that the blame should not be put on outdated vBulletin software.
The attack on the forums of the free Linux distribution Ubuntu in July affected close to 2 million forum account members, as the attackers were able to access every user’s email address and hashed password.
“Consider the ‘malicious’ attack friendly,” Inj3ct0r said of the MacRumors attack. “The situation could have been catastrophically worse if some fame-driven idiot was the culprit and the database were to be leaked to the public.”

Deep inside Windows 8.1's hidden new features by Anand Garg

After months of teasing and torture, the Windows 8.1 Developer Preview is finally here, ready to deliver us from many of Windows 8’s glaring flaws. You’ve no doubt already heard about Windows 8.1’s biggest new features: The Start button is back, Bing owns the Search charm, the split-screen Snap feature is customizable, yada yada yada. You know the drill.
What hasn’t been talked about much are the subtler changes—the hidden secrets tucked away in the dark corners of Windows 8.1, whispering and waiting for a turn to shine rather than shouting their proverbial presence from the proverbial rooftops.
No, these gems aren’t as flashy as Windows 8’s newfound ability to sync apps and Internet Explorer 11 tabs across multiple devices, but they’re arguably just as (if not more) handy. And there’s no way you’ll find them unless you dig deep...or read this enlightening guide.

Shut down from the Start button

Let’s start with something basic, but far from obvious.
Yes, the Start button is back...but the Start menu isn’t. So you still need to swipe through a multiclick process involving the charm bar if you want to shut down your PC—if you don’t know about the Start button’s secret menu, that is.
Right-clicking the Start button that appears when you hover your mouse cursor in the lower-left corner of the screen brings up a bevy of powerful options, including quick links to deep stuff like Disk Management and Command Prompt tools.
Now, the menu itself isn’t new to Windows 8.1. What is new is the addition of a Shut Down option to said menu. Hovering over it for a second gives you options to shut down or restart your PC right then and there, no fiddling with hidden menus required.

Boot to desktop or All Apps, and more

The Taskbar Properties option is another old friend with a subtle new look—and a crucial one for desktop diehards. Did you hear that Windows 8.1 lets you boot directly to the desktop on start up? It does, but Microsoft clearly doesn’t really want you to do it, since the option is buried in this obscure corner of the OS.
Head to the desktop, right-click the taskbar, select Properties, and then open the brand-spankin’-new Navigation tab. There, you’ll find new options for disabling the uppermost hot corners. Those options are also available in the modern-style PC Settings, but many Start screen options can only be found here.
And how handy-dandy they are! Want to boot directly to the desktop or the All Apps screen? Here’s your chance, and the other selections are just as useful. (Show the desktop background on the Start screen? Yessssssss.)

OpenSUSE forums hack raises vBulletin zero-day exploit possibility by Anand Garg

A compromise of the community forums for the openSUSE Linux distribution Tuesday sparked concern that hackers have access to a previously unknown exploit for the popular vBulletin Internet forum software.
The attack resulted in hackers replacing some pages on the forums.opensuse.org website and gaining access to the site’s user database. The forums had almost 80,000 registered members at the time of the compromise.
The hacker responsible for the breach reportedly told The Hacker News that he used a private zero-day exploit for vBulletin, the software powering the site, to upload a PHP shell backdoor that allowed him to browse, read and write files on the server.
The possibility that hackers have access to a zero-day exploit for vBulletin is concerning, since the software powers very large forum sites, including some that have been targeted in the past like MacRumors with 867,000 members and UbuntuForums.org with 1.9 million members.
According to vBulletin Solutions, the software’s developer, over 100,000 community websites are running on vBulletin, including some operated by Zynga, Electronic Arts, Sony Pictures, NASA, Valve Corporation and other well known companies.
A statement from the openSUSE site maintainers Tuesday appeared to confirm the hacker’s claim: “A cracker managed to exploit a vulnerability in the forum software which made it possible to upload files and gave access to the forum database,” the openSUSE team said. “As the exploit is in the forum software we use and there are no known fixes or workarounds we have decided to take the forums offline for now, until we have found a solution.”
The openSUSE team noted that even though the hacker got access to the user database, no access credentials, hashed or otherwise, were compromised. That’s because the site uses an external single-sign-on (SSO) system for all of its services.
“This is a completely separate system and it has not been compromised by this crack,” the team said. “What the cracker reported as compromised passwords were indeed random, automatically set strings that are in no way connected to your real password.”
However, the hacker did obtain user email addresses that were stored in the database for convenience.
“Although we have not confirmed this with the vBulletin developers, I am inclined to believe the claim that this is a zero-day exploit,” said Matthew Ehle, an openSUSE representative, via email. “We were one patch level behind the current release, but I have not seen anything that indicates that the latest patch would have prevented an attack of this nature.”
The openSUSE forums site used the vBulletin 4.x branch of the software, which is still supported, but the hacker claimed the exploit also affects the latest version of vBulletin 5.x. At this time the latest versions of vBulletin are 4.2.2 and 5.0.5.
“The vulnerability was a remote file inclusion which allowed the attacker to open a shell into the forums Web system,” Ehle said. “He used this shell to set up the page and dump the database.”
VBulletin Solutions posted a security advisory Friday about a vulnerability in a third-party component called uploader.swf that’s part of the Yahoo User Interface (YUI) library included in vBulletin 4.
Yahoo does not plan to fix the vulnerability because it affects only YUI versions 2.5.0 through 2.9.0, which are no longer supported. As a result, vBulletin Solutions advised users to replace the uploader.swf with a dummy file of the same name, which forces vBulletin installations to fall back to an alternative JavaScript-based uploader.
It’s not clear if this is the vulnerability that led to the openSUSE forum compromise. According to the Yahoo advisory, the uploader.swf vulnerability is a cross-site scripting (XSS) one that allows the injection of arbitrary JavaScript.
This vulnerability does not allow arbitrary file uploads to the vBulletin site on its own, said Daniel Cid, chief technology officer at Web security firm Sucuri, via email. However, it could have been used together with social engineering or phishing to get access to a moderator or admin account and then upload a backdoor shell, he said.
“After the attack, we removed the uploader.swf file as a precaution,” Ehle said. “I am not sure if this was the vulnerability that was exploited, but it seems consistent with how the system was compromised. However, it is entirely possible that another, unknown, vector was used.”
VBulletin Solutions did not respond to an inquiry seeking information on whether it is aware of a different exploit in the software.
In the meantime, Ehle has some recommendations for other vBulletin site administrators.
“Be strict in your file permissions,” he said. “In our system, only the sitemap directories were writable by the web server, which is why only that portion of the site was altered.”
The remote Web shell was uploaded in the only writable directories suggesting that tight file and directory permissions make the exploit much harder to execute, he said. “If you need legitimate file uploads and sitemap generation to work, allow writing to only those directories and set your web server to not execute PHP files in them,” he said.
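Ehle's advice amounts to a check an administrator can script: find every directory the web server identity can write to, and single out the ones that also serve PHP, since that combination is where an uploaded shell both lands and runs. The script below is an added example, not openSUSE's or vBulletin's tooling; it judges writability from mode bits only (ignoring ACLs and root's bypass of mode bits), takes the web server's uid/gid as arguments, and builds a small constructed directory tree owned by the current user to demonstrate the output.

```python
import os
import shutil
import stat
import tempfile


def dir_writable_by(st: os.stat_result, uid: int, gid: int) -> bool:
    """Mode-bit check: could a process running as uid/gid create files here?"""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid == gid and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit_webroot(webroot: str, web_uid: int, web_gid: int) -> dict:
    """Walk the document root and classify directories the web server could write to.

    Returns {'writable': [...], 'writable_with_php': [...]} as paths relative to
    webroot. The second list is the dangerous one: a writable directory that
    already serves .php files is exactly where an uploaded shell would execute.
    """
    writable, risky = [], []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        if not dir_writable_by(os.stat(dirpath), web_uid, web_gid):
            continue
        rel = os.path.relpath(dirpath, webroot)
        writable.append(rel)
        if any(f.lower().endswith(".php") for f in filenames):
            risky.append(rel)
    return {"writable": sorted(writable), "writable_with_php": sorted(risky)}


def build_demo_tree() -> str:
    """Create a constructed forum-like layout in a temp dir owned by the current user."""
    root = tempfile.mkdtemp(prefix="forum-audit-")
    layout = {
        "core": (0o555, ["index.php", "xmlrpc.php"]),        # read-only: fine
        "sitemap": (0o755, ["sitemap.xml"]),                 # writable, no PHP: acceptable
        "customavatars": (0o755, ["plugin.php", "a.jpg"]),   # writable and serves PHP: flag
    }
    for name, (mode, files) in layout.items():
        d = os.path.join(root, name)
        os.mkdir(d)
        for f in files:
            open(os.path.join(d, f), "w").close()
        os.chmod(d, mode)
    os.chmod(root, 0o555)
    return root


def remove_demo_tree(root: str) -> None:
    for dirpath, _dirnames, _files in os.walk(root):
        os.chmod(dirpath, 0o755)  # restore write bits so rmtree can delete
    shutil.rmtree(root)


def run_demo() -> dict:
    """Build the sample tree, audit it as if the web server ran as the current user, clean up."""
    root = build_demo_tree()
    try:
        return audit_webroot(root, os.geteuid(), os.getegid())
    finally:
        remove_demo_tree(root)


if __name__ == "__main__":
    print(run_demo())
```

On a real install, pass the uid/gid of the account the web server actually runs as; directories that must stay writable (uploads, sitemaps) should then also have PHP execution disabled in the web server configuration, as Ehle suggests, so the audit's second list stays empty.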
Ehle also suggested using an alternative authentication system. The default one in vBulletin still uses MD5-based password hashing, which is inexcusable by today’s standards, according to Ehle.
The fact that openSUSE’s forums site used an external single sign-on system—except for a few administrative accounts whose passwords have since been reset—prevented the breach from being much worse, he said.
This is not the first time that the openSUSE forums were compromised as a result of a vBulletin exploit.
“We had a very similar breach last summer by the same attacker,” Ehle said. “It was also from a very new exploit, so this individual seems to have a very good understanding of vBulletin software and security.”
The new incident prompted the openSUSE site maintainers to look into alternative Internet forum platforms.
“VBulletin provides some highly functional software, which is of course why it is so popular,” Ehle said. “However, for some time I have had a number of concerns about the architecture and security of their software, and I believe the incidents that we have had and what others have experienced are beginning to confirm that.”
Reference by- pcworld

Routers TCP 32764 Backdoor Vulnerability Secretly Re-Activated Again


Router TCP 32764 Backdoor Vulnerability Secretly added to Patched Routers
At the beginning of this year, we reported about the secret backdoor ‘TCP 32764’ discovered in several routers, including Linksys, Netgear, Cisco and Diamond models, that allowed an attacker to send commands to vulnerable routers on TCP port 32764 from a command-line shell without being authenticated as the administrator.
Eloi Vanderbeken, the French reverse engineer who discovered this backdoor, has found that although the flaw has been patched in the latest firmware release, SerComm has added the same backdoor again in another way.

To verify the released patch, he recently downloaded the patched firmware version 1.1.0.55 for the Netgear DGN1000 and unpacked it using the binwalk tool. He found that the file ‘scfgmgr’, which contains the backdoor, is still present, now with a new option “-l” that limits it to a local socket for interprocess communication (a Unix domain socket), i.e. to processes running on the same device.
On further investigation, reverse engineering the binaries, he found another mysterious tool called ‘ft_tool’ with an “-f” option that can re-activate the TCP backdoor.
In his illustrated report (shown below), he explained that ‘ft_tool’ actually opens a raw socket that listens for incoming packets, and that attackers on the local network can reactivate the backdoor on TCP port 32764 by sending packets with the following specific properties:
  • The EtherType parameter should be equal to ‘0x8888’.
  • The payload should contain the MD5 hash of the value DGN1000 (45d1bb339b07a6618b2114dbc0d7783e).
  • The packet type should be 0x201.
So an attacker can reactivate the TCP 32764 backdoor in order to execute shell commands on vulnerable SerComm routers even after the patched version is installed.
Now the question arises: why do router manufacturers keep adding intentional backdoors again and again? Maybe the reason is to lend a helping hand to the U.S. intelligence agency, the NSA.
Currently there is no patch available for the newly discovered backdoor. If you want to check your wireless router for this backdoor, you can download the Proof-of-Concept (PoC) exploit released by the researcher from here or follow the steps below manually:
  1. Use 'binwalk -e' to extract the file system
  2. Search for 'ft_tool' or grep -r 'scfgmgr -f'
  3. Use IDA to confirm.