News & Updates

(credit: BBC)

Briton Lauri Love is expected to learn on September 16 whether a judge will rule in favour of his extradition to the US to face charges of alleged hacking, Westminster Magistrates’ Court has heard.

According to his legal representative, Love—who faces charges of hacking as part of the Anonymous collective in 2013—could serve up to 99 years in prison in the US. He is accused of using a security flaw in ColdFusion to gain administrator-level access to servers.

Love is alleged to have been involved in the hack known as #OpLastResort, which targeted the US Army, the US Federal Reserve, the FBI, NASA, and the Missile Defense Agency in retaliation over the suicide, while awaiting trial, of Aaron Swartz.


Source: http://feeds.arstechnica.com/arstechnica/index/

A team of researchers has found a couple of critical flaws in PHP and exploited them to hack PornHub, one of the most popular adult websites.

Disclaimer: This article is written to discuss the security implications and technical aspects of a hack that was recently done. If you are in any way offended by the topic, please feel free to move on to other articles. The article is written from an information security perspective, with stats and data relating to usage, keeping in mind that professionals are going to read it. It has no explicit content whatsoever.

Pornhub, or what many of us may have known as Sex Education 101, recently organised a bug bounty competition and paid three highly dedicated security researchers for finding two major zero-day vulnerabilities.

Dario Weißer (@haxonaut), cutz and Ruslan Habalov (@evonide), discovered two use-after-free vulnerabilities (CVE-2016-5771 and CVE-2016-5773) in PHP’s garbage collection algorithm when it interacts with other PHP objects.

“It all started by auditing Pornhub, then PHP and ended in breaking both…

  • We have gained remote code execution on pornhub.com and have earned a $20,000 bug bounty on Hackerone.
  • We have found two use-after-free vulnerabilities in PHP’s garbage collection algorithm.
  • Those vulnerabilities were remotely exploitable over PHP’s unserialize function.
  • We were also awarded with $2,000 by the Internet Bug Bounty committee (c.f. Hackerone).

wrote Habalov.

Back to how to hack PornHub: the researchers targeted PHP’s unserialize function on the parts of the website that handle data uploaded by users, mainly NSFW pictures or videos, on paths including:

The zero-day flaw allowed the researchers to reveal the server’s POST data, allowing them to plant a malicious payload and execute it to gain Remote Code Execution (RCE) capability on PornHub’s server.

“It is well-known that using user input on unserialize is a bad idea. In particular, about 10 years have passed since its first weaknesses have become apparent. Unfortunately, even today, many developers seem to believe that unserialize is only dangerous in old PHP versions or when combined with unsafe classes. We sincerely hope to have destroyed this misbelief,” added Habalov.

The flaw allowed them to hack PornHub: they were able to read the “/etc/passwd” file, and from there went on to execute commands and make PHP run malicious syscalls.
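The following is an added example, not code from the researchers or from the post, showing the pattern Habalov warns about (request bytes passed straight to unserialize) next to two defensive replacements: accepting JSON with a field whitelist, and, where PHP serialization cannot be dropped, authenticating the blob with an HMAC so unserialize only ever sees server-produced bytes, and refusing object instantiation with the allowed_classes option (PHP 7.0+). The function names, field names and the key constant are hypothetical.

```php
<?php
// Added example (not the researchers' or the post's code): the unserialize()
// anti-pattern and two hardened replacements. Names below are hypothetical.
declare(strict_types=1);

// Vulnerable pattern: client-controlled bytes go straight into unserialize().
// Any class the application can load becomes instantiable, and defects inside
// the deserializer itself (the kind the researchers found) are reachable too.
function loadUploadMetaUnsafe(string $raw)
{
    return unserialize($raw); // never do this with request data
}

// Safer: do not deserialize PHP objects from the client at all. Accept JSON,
// validate the shape, and hand back a plain array with only known fields.
function loadUploadMetaJson(string $raw): ?array
{
    $data = json_decode($raw, true, 8);
    if (!is_array($data) || json_last_error() !== JSON_ERROR_NONE) {
        return null;
    }
    $allowed = ['title' => 'string', 'tags' => 'array']; // hypothetical schema
    $clean = [];
    foreach ($allowed as $key => $type) {
        if (!array_key_exists($key, $data)) {
            return null;
        }
        $ok = $type === 'string' ? is_string($data[$key]) : is_array($data[$key]);
        if (!$ok) {
            return null;
        }
        $clean[$key] = $data[$key];
    }
    return $clean;
}

// If a legacy PHP-serialized format must stay, authenticate it: the client can
// carry the blob but cannot alter it, so unserialize() only parses server output.
const STATE_KEY = 'placeholder-load-from-your-secret-store'; // placeholder key

function sealState(array $state): string
{
    $blob = serialize($state);
    return base64_encode(hash_hmac('sha256', $blob, STATE_KEY, true) . $blob);
}

function openState(string $token): ?array
{
    $decoded = base64_decode($token, true);
    if ($decoded === false || strlen($decoded) < 33) {
        return null;
    }
    $mac  = substr($decoded, 0, 32);
    $blob = substr($decoded, 32);
    // Constant-time check; reject before unserialize() ever touches the bytes.
    if (!hash_equals(hash_hmac('sha256', $blob, STATE_KEY, true), $mac)) {
        return null;
    }
    // Even for authenticated data, refuse to instantiate objects.
    $state = unserialize($blob, ['allowed_classes' => false]);
    return is_array($state) ? $state : null;
}

// Constructed demo input.
$good = sealState(['title' => 'cat video', 'tags' => ['cats']]);
var_dump(openState($good));

// Flip one bit inside the serialized payload: the MAC check must reject it.
$raw = base64_decode($good, true);
$raw[40] = chr(ord($raw[40]) ^ 1);
var_dump(openState(base64_encode($raw)));

var_dump(loadUploadMetaJson('{"title":"x","tags":["a"]}'));
var_dump(loadUploadMetaJson('O:8:"stdClass":0:{}')); // not JSON, rejected
```

The design choice worth noting is ordering: the MAC is verified before unserialize runs, so a parser bug in unserialize is only reachable by someone who already holds the server's key, and allowed_classes keeps gadget classes out even then. Run it with any PHP 7.0 or newer interpreter.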

Pornhub paid the team $20,000 for their incredible efforts, and the Internet Bug Bounty HackerOne also awarded the researchers an additional $2,000 for discovering the PHP zero-days.

“Now why does this sort of vulnerability matter to me?” will definitely be a question you may ask yourself. Let’s answer this “Sanskari” [cultured] side of you with some statistics.


Pornhub is one of the biggest free porn sites on the surface web. It got 21.2 billion visits in 2015, with 2.5 million visits per hour, 40,000 visits per minute and 6700 visits per second. It streams 75 GB per second of content and has a bandwidth use of 1892 petabytes.
</gml_replace>
<gr_replace lines="50" cat="clarify" orig="That means one of us">
That means one of us has definitely used it for “research” purposes at one point or another. Now how does this matter to the Internet?

That means one of us has definitely used it for “research” purposes at one point or another. Now how does this matter to the Internet ?

Well, according to experts, 37% of the Internet is porn. That figure was quoted in 2010, and the number has gotten bigger with mobile computing and cloud getting in the mix. In fact, the numbers are so gargantuan that such domains have their own extensions, like “.XXX”.

For those who still don’t believe me, please check out this article by Julie Ruvolo on Forbes.

And for those people who still question these numbers, feel free to read Ogi Ogas, one of the amazingly nerdy neuroscientists behind A Billion Wicked Thoughts. He and co-author Sai Gaddam are sitting on what they think is “the most comprehensive collection of porn-use stats on the web.”

Happy Researching !!

About the Author: Joshua Bahirvani

Cyber Security Enthusiast and believer of Privacy in this Digital Age.

LinkedIn : https://in.linkedin.com/in/jbahirvani15

Peerlyst: https://www.peerlyst.com/users/joshua-bahirvani

Twitter : @B15joshua

Medium : @jbahirvani15


Pierluigi Paganini

(Security Affairs – hack PornHub, hacking)

The post Researchers exploited PHP Zero-Days to Hack PornHub appeared first on Security Affairs.

Source: Security affairs

Microsoft’s Terry Myerson details the Windows 10 Anniversary Update. (credit: Microsoft)

The final build of the Windows 10 Anniversary Update is build 14393. The update, which provides a range of new features and improvements, represents Microsoft’s last big push to get Windows 7 and 8.1 users to upgrade to Windows 10.

The update is available right now to those who have opted in to the Windows Insider program, and it will be pushed out to Windows 10 users on the current branch on August 2. The free upgrade offer from Windows 7 and 8.1 to Windows 10, however, ends on July 29, leaving Microsoft hoping that the promise of the new update will be enough to get people to make the switch.

For consumers, the big Anniversary Update improvements are in stylus support and Cortana. For as long as Microsoft has been pushing pen interfaces on Windows—the specs for Windows XP Tablet edition came out about 15 years ago—the company has done so as a mouse alternative, with the only major pen-specific feature being handwriting recognition. This never worked well. Finger-based touch interfaces dominated with the rise of the iPhone, but Windows has always retained its pen support, with devices like the Surface Pro 4 and Surface Book shipping with pens.


Source: http://feeds.arstechnica.com/arstechnica/index/

Transistors will stop shrinking after 2021, but Moore’s law will probably continue, according to the final International Technology Roadmap for Semiconductors (ITRS).

The ITRS—which has been produced almost annually by a collaboration of most of the world’s major semiconductor companies since 1993—is about as authoritative as it gets when it comes to predicting the future of computing. The 2015 roadmap will however be its last.

The most interesting aspect of the ITRS is that it tries to predict what materials and processes we might be using in the next 15 years. The idea is that, by collaborating on such a roadmap, the companies involved can sink their R&D money into the “right” technologies.


Source: http://feeds.arstechnica.com/arstechnica/index/

(credit: Clever Cupcakes)

Verizon has confirmed earlier reports that it will buy ailing Internet pioneer Yahoo in an all-cash deal with a price tag of nearly £3.7 billion (~$4.8 billion).

The sale doesn’t include Yahoo’s shares in Alibaba, Verizon said. Yahoo’s Japan shares, its non-core patents, and minority investments are also set to be cut loose from the planned takeover.

Those assets will form part of a new publicly traded company that will be spun out of Yahoo as a separate business. It’s unclear who will head up that firm, however.


Source: http://feeds.arstechnica.com/arstechnica/index/

David S., the Munich gunman, purchased the weapon on the Dark Web. Sincerely, I was waiting for this title in the headlines, but …

In Germany it is quite difficult to buy weapons, so how did the Munich gunman get a 9mm Glock 17?

According to several German news outlets, the 9mm Glock 17 the young man bought and used to kill nine innocents in Munich was a reactivated theater weapon. This information was shared by the president of the Bavarian Office of Criminal Investigation (LKA), Robert Heimberger, at a Sunday press conference.

It seems that the Munich gunman purchased the weapon on the Dark Web according to Heimberger.

This means that someone converted the weapon from non-functioning into a killing machine. Who, and where? It is still a mystery; the German authorities are still investigating the case, and the only certainty is that the Glock carries a certification mark from Slovakia.

“[It is] a parallel world to the network from Facebook, Amazon, and other news pages, which most users are familiar with,” are the words used by Heimberger to explain the dark web.

The president of the LKA highlighted that the dark web is a hidden place on the web where it is easy to find criminals offering weapons, drugs, and child pornography.

The investigators have found 57 shell casings belonging to the Munich gunman’s 9mm Glock 17. A police officer fired at David in a parking deck but the shot missed. The police excluded the presence of other shooters in the Munich attack.

David was obsessed with mass shootings; he was inspired by cases like Anders Breivik’s massacre and by the Winnenden school shooting attack in 2009.

David had been in psychological treatment for “social phobia” and depression last year.

But is it really so easy to find weapons on the dark web?

In May 2016, producers from the German broadcaster ARD conducted an interesting experiment to demonstrate whether it is really so simple to buy goods on the dark web. They tried to buy an AK-47 rifle, aka Kalašnikov, and paid $800 worth of bitcoin.

The German journalists conducted an investigation for a show titled “Fear of terror—how vulnerable is Germany” with the intent to understand how criminals could access weapons offered for sale in the black markets.

The German channel ARD documented the threat posed by terrorism, trying to explain how terrorists could exploit the technology for their activities.

“There is this experiment at the beginning of the broadcast. #Beckmann ordered via middleman a Kalashnikov in the darknet. At the end comes out: $800 paid – and get nothing,” reported the German site Focus.

“Because, as a customs expert, it is not so easy to procure weapons. Sounds weird, but is so. Only that this #Beckmann not nearly as informative as “The program with the mouse”.


The Beckmann attempt to buy a weapon failed, but it is not clear whether the package was intercepted by law enforcement or the seller was a scammer.

Such problems are not rare in the black marketplaces; in November, Joseph Cox from Motherboard wrote an interesting article explaining the difficulty of acquiring a weapon from the dark web.

“One impetus for that is the heavy presence of scammers, who create fake accounts to dupe gullible gun hunters out of their money.” wrote Cox.

“I’m just kinda addicted to the scamming part. It’s too easy,” one scammer told Motherboard in an email chat. The scammer used to operate under the handle “Bartsmit” on AlphaBay, a popular market that sells stolen data, weapons, and drugs, among other goods. Today the scammer is still ripping people off, but under a different identity.

Due to these difficulties, several black markets have stopped stocking weapons altogether.


Pierluigi Paganini

(Security Affairs – Dark Web, Munich gunman)

The post Munich Gunman purchased the weapon on the Dark Web appeared first on Security Affairs.

Source: Security affairs

Maureen Stronach, an employee at Diageo’s Dalwhinnie distillery, views whiskey drawn from a cask in the store room on April 21, 2011. (credit: Jeff Mitchell / Getty Images)

Almost every distillery tour follows the same format. First, you’re led by a display of raw materials. Then, the guide takes you around the fermentation tanks and by the still. But the magical part is what comes next. Once the whiskey is collected from the still, it’s put into barrels and stored in cool, shadowy warehouses called rickhouses. The air here smells of the vanilla and oak and grain from the spirit that’s evaporated. And since most rickhouses aren’t even wired for electricity, you almost feel like you’ve stepped back in time. Whatever comes from here will taste like pure wonder.

In reality, the spell was cast long before you stepped foot into these whiskey-scented buildings. Labels, websites, and other bits of marketing work together to paint pictures about things like generations of distillers, specific grain blends, or the surface details of aging. And within those first steps of any tour, a guide spins a narrative made of half myth and half fact, incorporating widely accepted statistics like the percentage of each barrel that evaporates each year. Despite the lack of published evidence to back such information up, these whiskey standards are often repeated as fact, especially by PR reps, bartenders, and enthusiastic consumers.

The truth is, most of the research being done on whiskey, especially about how and why it ages, will never be available to the public. With revenue from whiskey sales topping $2.7 billion in 2014 in the US and projected to keep rising, producers’ hesitance to share is somewhat understandable. In many cases, the data collected could give any company a competitive advantage.


Source: http://feeds.arstechnica.com/arstechnica/index/

Enjoy my interview with Zilla from GhostSquadHackers. I believe it is essential for cyber security experts to know how hackers work and why some of them are hunting ISIS online.

Zilla is another member of the group, one of the hacker crews most active against IS propaganda online.

You are a popular, talented hacker who has already participated in several hacking campaigns. Could you tell me more about them?

Well, I have taken part in a few operations such as OpIcarus, OpReverseCaliphate, which is targeting ISIS, and more recently OpTurkey.

Could you tell me what your technical background is and when you started hacking? What are your motivations?

I started with an interest in hacking around 2012, I always wondered how hackers did the amazing things they did. I’m motivated by the drive to always be better at what I do and some of the operations I take part in have a certain meaning to me.

What was your greatest hacking challenge? What was your latest hack? Can you describe it to me?

My greatest challenge was probably staying focused during operations and never giving up until I achieved what I was trying to achieve. My latest hack involved hacking into an ISIS website’s database and finding a list of ISIS supporters’ names and emails.

What are the four tools that cannot be missing from the hacker’s arsenal, and why?

I think it’s all about the way you use those tools and the hacker behind the tools. Some type of DDoS tool would be helpful. I think Kali Linux is another great tool as well. And hopefully, you should have some tools that you coded.

Which are the most interesting hacking communities on the web today, and why?

There are a lot of interesting hacking communities on the web, but I think a good one is the well-known Hack Forums because it has a large community with a lot of helpful information.

Did you participate in hacking attacks against the IS propaganda online? When? How?

Yes, I have done most of my work in my career targeting ISIS, I have taken down a ton of websites and built lists of ISIS members and supporters.

Where do you find IS people to hack? How do you choose your targets?

It’s not very hard to find ISIS people online. On social media, once you find one, you can look through followers, following, and likes to find many more. I target anyone who supports ISIS in any way.

We often hear about cyber weapons and cyber attacks against critical infrastructure. Do you believe the risk of a major and lethal cyber attack against critical infrastructure is real?

Yes, I believe every system has some type of vulnerability and is subject to some type of lethal cyber attack.

Thanks a lot!


Pierluigi Paganini

(Security Affairs – Hacker, Zilla)

The post Hacker Interviews – Zilla from GhostSquadHackers appeared first on Security Affairs.

Source: Security affairs

Cyber attacks get bigger, smarter, more damaging.

PornHub launched its bug bounty program two months ago to encourage hackers and bug bounty hunters to find and responsibly report flaws in its services and get rewarded.

Now, it turns out that the world’s most popular pornography site has paid its first bounty payout. But how much?

US $20,000!
Yes, PornHub has paid $20,000


Source: http://feeds.feedburner.com/TheHackersNews