

#hacking | Gopinath Munde memorial to claim 110 trees

Source: National Cyber Security – Produced By Gregory Evans

Aurangabad: More than 100 trees may face the axe for a proposed memorial to BJP stalwart Gopinath Munde here in Maharashtra, the latest in a series of controversial projects requiring hacking of trees.

The government’s public works department (PWD) has sought permission from the local civic body for felling 110 trees for construction of late Munde’s memorial in Aurangabad in central Maharashtra, an official said on Friday.

Soon after coming to power last month, the Shiv Sena-led government stayed construction of a Metro carshed in Mumbai’s Aarey Colony, a green belt where over 2,000 trees have already been cut for the project.

Then reports emerged that some 1,000 trees need to be felled for a proposed memorial to Shiv Sena founder Bal Thackeray here. This memorial has been planned at Priyadarshini Garden in the Cidco area of the city.

Early this week, Sena leader and former Aurangabad MP Chandrakant Khaire said Chief Minister and party chief Uddhav Thackeray had given “oral orders” against felling of trees for the proposed memorial of his father.

Munde’s memorial has been planned on Jalna Road on a piece of land belonging to the state government’s milk scheme department. “We have received a letter from the public works department in which they have asked for permission to cut down 110 trees.

They have mentioned the place where memorial of Gopinath Munde is planned,” said Garden Superintendent Vijay Patil adding, “We will forward the application to the tree committee of the Aurangabad Municipal Corporation.”

Source link

The post #hacking | Gopinath Munde memorial to claim 110 trees appeared first on National Cyber Security.

View full post on National Cyber Security

#hacking | Offering software for snooping to governments is a booming business

On October 2nd 2018, Jamal Khashoggi, a Saudi journalist and critic of the kingdom’s government, visited its consulate in Istanbul in order to secure documents needed for his upcoming marriage. He did not come out alive. After initially denying responsibility, the Saudi government admitted that Mr […]

#hacking | ‘Alexa, hack my serverless technology’ – attacking web apps with voice commands


Amazon’s voice assistant wisecracks her way through SQL injection attacks on serverless environments at Black Hat Europe

Developers in serverless environments must heed the threat posed to their applications by voice command inputs, an industry expert has warned.

Speaking at the Black Hat Europe conference in London last week, researcher Tal Melamed took control of vulnerable applications hosted on serverless environments using Alexa-guided SQL injection attacks.

‘Sounds like a dream’

Serverless architecture, which allows developers to build applications without provisioning a server, is becoming an increasingly popular choice among developers, said Melamed, who is leading the OWASP Serverless Top 10 project.

Code is executed only when needed and “you don’t pay for what you don’t use”, the researcher noted, adding that the approach is a boon for “experimentation and scaling up”.

Serverless application development “sounds like a dream,” he said. But if organizations are liberated from the burdens of server management, it does not follow that security concerns are fully outsourced to service providers like AWS, Azure, and Google Cloud Platform.

This is because serverless applications still execute code, said Melamed – and insecure code is vulnerable to application-level attacks.

Melamed, head of research at Protego Labs, told The Daily Swig that all too many developers are unaware that serverless environments demand a different security posture to their traditional counterparts.


Outsourcing the perimeter

Outsourcing server architecture might reduce workload, but it also tears down the security perimeter.

“Serverless is an event-driven architecture where code is triggered via different events in the cloud,” Melamed told The Daily Swig.

Unlike in monolithic applications, code execution is not triggered only through API calls.

“Code can now be executed due to an email that was received, a file that was uploaded or a database table that was changed. The ‘connection’ between those events to your code is transparent and is controlled by the cloud provider.”

All too many developers “are unaware of the adjustments” they need to make “to attend [to] those risks.”

Those adjustments include never trusting inputs, which should be validated before data is processed.

“However, [developers] need to get used to the fact that the input could come from unexpected sources, like Alexa voice commands,” added Melamed.

Alexa, what is my balance?

Melamed’s final demonstration, in which he stole data from a hypothetical user account, illustrated how a voice-command injection attack requires only “code [that’s] vulnerable to SQL injection, which accepts inputs from Alexa (or any other voice-enabled devices) and processes the input as part of the database queries without validating it first.”

Alexa translated his voice commands – such as “what is my balance?” – into code.

“I designed it so it would translate words of numbers into actual numbers,” he told attendees.

The voice-delivered code that cracked the user’s secret ID, unlocking the cash balance, was .

The lesson to “organizations that develop voice-enabled applications” is clear, Melamed told The Daily Swig: they “should consider voice-commands as [an] input to their application.”

Melamed also launched event injection attacks through a third-party app using a REST API, against cloud storage, and via email.

Melamed said his demos – coming soon to GitHub – evidenced the importance of shrinking “the attack surface by following the least-privilege principle: narrowing down the permissions of every serverless function as much as possible.”

Attendees were also urged to automate their defensive processes wherever possible.

Telling it like it is, Alexa clearly assigned blame for successful injection attacks: “In short, the problem isn’t the cloud – it’s you [the developer]”.



#hacking | Snatch ransomware reboots PCs in Safe Mode to skirt antivirus defenses

Russian-speaking gang are big fans of Mockney heist caper. Blimey! Cybercriminals have developed a strain of ransomware that circumvents security protections by rebooting Windows machines in the middle of its infection routine. The Snatch ransomware forces a compromised Windows machine to reboot into Safe Mode before […]

#hacking | Andrew Little says probe into foreign interference has arrived too late


Sweeping law changes proposed by an official inquiry into last year’s election and foreign interference have taken too long to be of use for next year’s election, Justice Minister Andrew Little says.

Parliament’s Justice Select Committee on Tuesday released the findings of its long-delayed report into the 2017 election and 2016 local body elections.

Major recommendations in a lengthy list of 55 include handing control of local elections from councils to the Electoral Commission and giving the Commission powers to enforce and investigate minor breaches of electoral law (major breaches would stay with the police).

They also cover changes to foreign donations, a ban on foreign governments owning New Zealand media organisations, changes to advertising laws, stricter requirements on parties to properly check the source of donations, and recommendations aimed at defending against misinformation and hacking during the next election.

But Justice Minister Andrew Little, who has already introduced a series of changes to electoral laws in this term in Government, says the report has come back too late to be of any use before voters head to the polls in 2020.

“The inquiry has been going for over 18 months … It’s unfortunate that the delay means that we pretty much won’t be able to take anything else out of the report to make changes,” Little told reporters.

“When you leave it to two weeks before Christmas before an election year to recommend changes to the Electoral Act it’s pretty hard to make changes.”

Little has already introduced legislation based on the Electoral Commission’s recommendations and says he couldn’t wait any longer.

Changes already put forward by the Government include a ban on most foreign donations announced last week, and allowing voting at supermarkets on election day, revealed earlier this year.

National MP Nick Smith has blamed the Government for taking too long to get the inquiry going in the first place. Photo / Mark Mitchell

The Select Committee process has been fraught, having gone through six different chairs this year and prompted National MP Nick Smith to describe it as a farce.

The committee is split between National and Labour Party members.

It wasn’t started until September 2018, a year after the election, and was later expanded to also cover foreign interference risks, although intelligence agencies said their security protocols for dealing with foreign and cyber-security threats weren’t necessary in 2017. Two National and two Labour members also left the committee during the process.

The committee’s first chair, Labour’s Raymond Huo, stood down in April this year after a debate over whether to let China expert and University of Canterbury professor Anne-Marie Brady be heard.

In its response to Tuesday’s report, National said the process had also been turned into a “sham” by Little introducing electoral laws before the recommendations were out, and without consensus with the Opposition.

“I don’t think the Government took the inquiry seriously,” Smith said.

“It’s very disappointing and dismissive of the Minister. There’s many recommendations in there that are important.”

Smith said the Government had taken too long to begin the process.

“It’s peculiar for the Minister to be criticising the delay,” he said.

“They didn’t even start the inquiry until 12 months after the election. The extension of the terms of reference did not occur until late last year and we didn’t even hear submissions on the foreign interference issue until April this year.”

But Labour’s Meka Whaitiri, the committee’s last chair, said while she shared Little’s regret at the delay, she dismissed Smith’s criticism and said “a lot of diplomacy” had been required to get the report over the line.

“If it was just a single, stand-alone inquiry, but it was complicated that it was really three substantive inquiries in one,” she said.

“Put it this way, the fact that it’s a split Select Committee you are going to get robust debate. And that’s exactly what we got.”


#hacking | HackerOne awards $20,000 bug bounty after leaking session cookie to hacker


Account takeover issue flagged through bug bounty platform’s own bug bounty program

Bug bounty platform HackerOne this week paid out a $20,000 bounty after a researcher was able to access other users’ vulnerability reports.

Haxta4ok00, a HackerOne community member who apparently has a track record of discovering vulnerabilities in the bug bounty platform, was engaged in a conversation with one of HackerOne’s security analysts.

In one message, the analyst copied a cURL command from a browser console and sent it to the hacker.

The analyst accidentally included a valid session cookie, which gave the hacker the ability to read the data that the analyst had access to. This included report titles, a certain amount of metadata, and some report contents.


“Less than five per cent of HackerOne programs were impacted, and within two hours of receiving the vulnerability report, the risk was eliminated and additional preventative measures were deployed shortly after,” a HackerOne spokesperson tells The Daily Swig.

“All customers impacted were notified the same day.”

However, it took HackerOne two hours to read the report, thanks to lower staffing levels over the weekend.

The $20,000 cookie

Haxta4ok00 reported the vulnerability, which was treated as ‘critical’, on November 24. The bounty was awarded three days later.

“The team looked into the amount of sensitive information that could have been accessed by the account and took that under advisement when deciding on the bounty amount,” HackerOne explains in its incident report.

“This led to the decision to treat the submission as a critical vulnerability and award a $20,000 bounty.”

HackerOne says it’s carried out an audit, and that this is the first time that session cookies have been leaked.

It’s also released an update that limits HackerOne employees and HackerOne security analyst sessions to the IP address that they started the session with – a move that should prevent similar incidents in future.


“We’re also planning to roll out a number of smaller changes, such as warning the user when a comment seems to contain sensitive information and clarification in our policy about what to do when someone gains access to other people’s accounts,” explains HackerOne co-founder Jobert Abma.

Craig Young, senior security researcher at Tripwire, was one of those to be informed that their reports had been disclosed.

“While I commend HackerOne for their response, this incident is yet another reminder of a distinct risk organizations take by using managed vulnerability reporting services like Bugcrowd or HackerOne,” he says.

“The consolidation of valuable data by such vendors creates a hugely attractive attack target for intelligence agencies – or even criminal actors – to fill their arsenal.”

Though perhaps better known for facilitating bug bounty payouts on behalf of other organizations, HackerOne is no stranger to the vulnerability disclosure process.

Since going live in November 2013, the organization has awarded more than $330,000 in bounties through its own bug bounty program.


#hacking | Accel’s new India fund, Slowing growth of AePS & more, Technology News, ETtech

Accel’s new India fund. What’s the news? Accel India, backer of leading technology startups such as Flipkart, Freshworks and Swiggy, has raised about $550 million for its sixth India fund, taking its assets under management to $1.5 billion. This makes Accel VI among the largest corpuses […]

#hacking | CISA Wants a Vulnerability Disclosure Program At Every Agency


The Homeland Security Department on Wednesday released a draft of a binding operational directive that would require every federal agency to create a vulnerability disclosure policy.

Under the measure, each civilian agency would need to create a formal process for security researchers to share vulnerabilities they uncover within the organization’s public-facing websites and other IT infrastructure. Agencies must also develop a system for reporting and closing the security gaps that are uncovered through the program.

Despite the growing popularity of public cyber initiatives like bug bounties, security researchers often find themselves in a legal gray area when reporting cyber weaknesses to the government. By creating vulnerability disclosure policies, agencies can set clear guardrails on legal hacking.

“A [vulnerability disclosure policy] allows people who have ‘seen something’ to ‘say something’ to those who can fix it,” Jeanette Manfra, assistant director for cybersecurity within the Cybersecurity and Infrastructure Security Agency, said in a blog post. “It makes clear that an agency welcomes and authorizes good faith security research on specific, internet-accessible systems.”

The BOD would bring the rest of the government up to speed with the Pentagon and the General Services Administration’s tech office, which have already established vulnerability disclosure programs. DHS is also in the process of finalizing its own policy.

CISA will accept public feedback on the proposed directive through Dec. 27.

Specifically, the measure would give agencies six months to create a web-based system for receiving “unsolicited” warnings about potential vulnerabilities. They must also develop and publish a vulnerability disclosure policy, outlining the systems and hacking methods that are authorized under the program and describing the process for submitting vulnerabilities. 

The directive would require agencies to consistently add new systems to the program over time. Within two years, “all internet-accessible systems and services” must be in scope of the policy, according to the measure. Every system launched after the directive is issued must automatically be considered in scope.

Agencies would also need to set procedures for handling submissions and report both specific vulnerabilities and program metrics directly to CISA.

While the directive gives agencies some latitude in the metrics and procedures around their own policies, the measure could ultimately lay the foundation for a standardized, government-wide vulnerability disclosure program, Manfra said.

“We think a single, universal vulnerability disclosure policy for the executive branch is a good goal … but we expect that goal to be an unrealistic starting place for most agencies,” she said. “The directive supports a phased approach to widening scope, allowing each enterprise–comprised of the humans and their organizational tools, norms, and culture–to level up incrementally.”


#hacking | Hacking should be taught in schools ‘like sport’ to stop children becoming criminals, says Lauri Love 


Hacking and other cybersecurity skills should be taught in schools in a similar way to sports, said alleged hacker Lauri Love.

The activist, who won a legal battle in 2018 to block his extradition to the US over allegations that he hacked into computer networks including NASA, the Federal Reserve and the US Army, said schools in the UK need to be more sophisticated in the way they teach technical skills to students.

“We need to treat this a bit like we treat sport,” Mr Love said at an event in London run by cybersecurity business Redscan.

Mr Love said that students should be given a “structured, controlled environment” to learn cybersecurity skills in order to stop them engaging in criminal behaviour….


#hacking | Donald Trump and His Insane Clown Posse

Chaos is a pit, the all-knowing eunuch Lord Varys warns in Game of Thrones, “a gaping pit waiting to swallow us all.” The conniving Peter Baelish, known as Littlefinger, disagrees: “Chaos isn’t a pit,” he replies. Too few realize, he says, that, “Chaos is a ladder… […]