Arul Kumar, an Indian security researcher, found a vulnerability in Facebook that let him delete any image within a minute. The vulnerability was in Facebook’s support dashboard, and Facebook rewarded him with $12,500 for helping the security team patch it. Basically, the security hole was in the photo removal request: the attacker could change the profile id and the image id and so be able to delete any image on Facebook. Imagine if someone who hates you found this and exploited it, or paid someone else to delete all your images. There are people who have uploaded hundreds of photos and can’t even imagine such a thing happening to them.
We all learned about the NSA’s Prism and that user data is available to the US government like any other public document. Tor is, in general terms, an anonymity tool for a user’s internet activity. Since Snowden revealed the information about Prism, Tor has gained more than 600,000 new users and now has about 1.2 million users. Tor is also used by hackers and web criminals to hide their activity. This is not Tor’s fault; almost any tool can be used for good and bad things. Some countries ban the Tor network in order to monitor their citizens more easily. Sometimes I can’t believe why countries move backwards on technology and progress.
Most of you know Lenovo, the biggest Chinese computer maker. It has recently been banned from supplying equipment to several intelligence and security agencies, mostly government agencies in the US, UK, Canada, Australia and New Zealand. This is because of concerns that its equipment contains serious hardware and firmware backdoor vulnerabilities. A hardware backdoor is very hard to detect, which is exactly what makes it so critical for agencies like the NSA. Huawei should feel very lucky, since it will most probably fill the gap with its own equipment. Lenovo is the company that acquired IBM’s personal computer business when IBM decided to leave the PC business back in 2005.
When you create a Facebook account you must provide an email address, which becomes your primary email address. A security researcher found a vulnerability in Facebook, yes another one, that reveals the primary address of any account. The flaw was in the invitation mechanism, and hackers and spammers could exploit it to get the primary email address of every account. The process can easily be automated, so this is not a problem for someone with basic programming knowledge. I will not post the steps of how someone can get this information, as it is already patched by Facebook, and they awarded $3,500 to the person who found the vulnerability. If you receive spam at an email address that you only ever used on Facebook, now you know why.
According to Edward Snowden, the NSA and Israel worked together to create Stuxnet, a computer worm that was used to attack Iran’s nuclear facilities. It spread via Microsoft Windows and targeted industrial control systems made by Siemens. Later, a more sophisticated virus called Flame was linked with Stuxnet: Kaspersky researchers concluded that the creators of Flame were the same people who created Stuxnet, due to similarities in the code. So, if what the whistleblower says is true, then the NSA created both pieces of malicious software. I guess they created more than the ones we have just learned about. But don’t worry, they create malicious software, worms and viruses to protect you, at least that is what they will say if you ask them. They don’t want to, but they have to in order to protect the people.
Researchers at Bluebox Security have discovered a vulnerability in the Android core that has been present since version 1.6 (Donut). This means that almost all Android devices are vulnerable; the numbers are huge, about a billion devices. Apparently Samsung knew about this, and its flagship, the Galaxy S4, is patched and safe from this vulnerability. Bluebox will reveal details of this security hole during the Black Hat USA conference. To understand how serious this vulnerability is: an attacker can modify any application without breaking its cryptographic signature, so the tampered application still looks legitimate to the device.
Security researcher fin1te found a way to gain access to any Facebook account by sending only one SMS. This is how secure you are: one SMS away from someone hacking into your account. Facebook, like many other websites, has added a new layer of protection: they added the phone number, and you can use it to verify access to your account or recover a lost password. Every new feature brings a few vulnerabilities. For this process you fill in a form and submit it to their servers for processing. The two main parameters of that form are the verification code and the user id. If you edit this form, replace your id with the victim’s id and put in the verification code Facebook sent you, your number gets linked with that account. From there you can figure out the rest: you can visit the forgot-password page and access the victim’s account.
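The photo-removal hole above and this SMS flaw are the same mistake: the server trusts an id the client sends instead of the identity it already authenticated. The toy handler below is an added example, not Facebook’s code or the researcher’s, with hypothetical names (link_phone_vulnerable, link_phone_fixed, profile_id) and a constructed in-memory state; it shows the flawed check beside the fixed one, which ignores the form’s id and also ties each SMS code to the account it was issued for.

```python
# Added example, not Facebook's code or the researcher's: a toy phone-confirmation
# endpoint that reproduces the flaw described above and the server-side fix.
# All names (link_phone_*, profile_id, the sample code) are hypothetical.
import hmac


def fresh_state():
    """Constructed in-memory state: two accounts and one SMS code that the
    server sent to mallory's phone for mallory's own account."""
    users = {"alice": {"phone": None}, "mallory": {"phone": None}}
    issued_codes = {"482913": "mallory"}  # code -> account it was issued for
    return users, issued_codes


def link_phone_vulnerable(form, users, issued_codes):
    """Trusts the profile_id sent in the form. A user holding a valid code
    for their own account can attach their number to any other account."""
    if form["code"] not in issued_codes:
        return "invalid code"
    users[form["profile_id"]]["phone"] = form["phone"]
    return "linked to " + form["profile_id"]


def link_phone_fixed(form, session_user, users, issued_codes):
    """Ignores any id in the form: the account comes from the authenticated
    session, and the code must have been issued to that same account."""
    issued_for = issued_codes.get(form["code"])
    if issued_for is None or not hmac.compare_digest(issued_for, session_user):
        return "invalid code"
    del issued_codes[form["code"]]  # one-time use
    users[session_user]["phone"] = form["phone"]
    return "linked to " + session_user


if __name__ == "__main__":
    # mallory submits her own code but alice's id in the form
    attack = {"profile_id": "alice", "code": "482913", "phone": "+15550001"}
    u, c = fresh_state()
    print(link_phone_vulnerable(attack, u, c), u["alice"])  # alice's account hijacked
    u, c = fresh_state()
    print(link_phone_fixed(attack, "mallory", u, c), u["alice"])  # alice untouched
```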
Microsoft is offering its highest bounty to hackers and security experts who find vulnerabilities and exploits in its new Windows 8.1, a major update to Microsoft’s latest operating system. Valid submissions of serious vulnerabilities that also come with ideas for defending Windows can get the BlueHat bonus, which is $50,000, but those are very hard to find. It is clear that Microsoft is very serious about security; they also give up to $11,000 for the Internet Explorer 11 preview in the Windows 8.1 preview. Preview means that it is a beta version and not yet finalized for release. Microsoft is the first company to give a bounty for hacking software in beta, and it is doing this to ensure that the stable release will be as secure as possible.
There are several ways for hackers to gain access to your computer, but they need to somehow install malware on it. Sometimes people make it easier for them: they install software with vulnerabilities, and hackers can gain access to their computers by exploiting those vulnerabilities. In this way they skip the first part, finding a way to install their malware on your system. Many internet users have Google Chrome as their default web browser. Are you one of them? Guess what? You are vulnerable, and hackers can access your web camera.
I like to read and stay informed about vulnerabilities and malicious software for mobile devices. There is news in that field every day, and those are only the ones that are public. I can’t imagine what else is unknown because it is not yet published or was found by black hat hackers and remains secret. Researchers at the University of Alabama have published a research paper titled “Sensing-Enabled Channels for Hard-to-Detect Command and Control of Mobile Devices”. In this paper they show that it is possible to activate malware hidden in your mobile device with sound, light or vibration.