Showing posts with label Security News. Show all posts

Thursday 20 November 2014



On Tuesday Google launched a security testing tool, "Firing Range", aimed at improving the effectiveness of automated web application security scanners by evaluating them against a wide range of cross-site scripting (XSS) and a few other web vulnerabilities seen in the wild.

Firing Range primarily provides a synthetic testing environment, mostly for cross-site scripting (XSS) vulnerabilities, which are the ones seen most often in web apps. According to Google security engineer Claudio Criscione, 70 percent of the bugs in Google's Vulnerability Reward Program are cross-site scripting flaws.

In addition to XSS vulnerabilities, the new tool also tests for other kinds of vulnerabilities, including reverse clickjacking, Flash injection, mixed content, and cross-origin resource sharing vulnerabilities.

Firing Range was developed by Google with the help of security researchers at Politecnico di Milano in an effort to build a test ground for automated scanners. The company has used Firing Range itself "both as a continuous testing aid and as a driver for our development, defining as many bug types as possible, including some that we cannot detect (yet!)."

What makes it different from other vulnerable test applications available is its use of automation, which makes it more productive. Rather than focusing on creating realistic-looking testbeds for human testers, Firing Range relies on automation based on a collection of unique bug patterns drawn from in-the-wild vulnerabilities observed by Google.

Firing Range is a Java application that has been built on Google Play. It exercises scanner behaviour so that a scanner can focus on DOM-based, redirected, reflected, tag-based, escaped and remote inclusion bugs.

At the Google Testing Automation Conference (GTAC) last year, Criscione said that detecting XSS vulnerabilities by hand "at Google scale" is like drinking the ocean. Going through the data manually is both exhausting and counter-productive for the researcher, which is where Firing Range comes into play: a scanner run against it essentially triggers each bug and must detect the result of that exploitation.

"Our testbed doesn't try to replicate a real application, nor exercise the crawling capabilities of a scanner: it's a collection of unique bug patterns drawn from vulnerabilities that we have seen in the wild, aimed at verifying the detection capabilities of security tools," Criscione explained on the Google Online Security Blog.

The Firing Range tool was developed by the search engine giant while working on "Inquisition", an internal web application security scanning tool built entirely on Google Chrome and Cloud Platform technologies, with support for the latest HTML5 features and a low false positive rate.

A deployed version (public-firing-range.appspot.com) of Firing Range is available on Google App Engine, and since the tool is open source you can also find and examine the source code on GitHub. Users are encouraged to contribute to the tool with any feedback.





Firing Range — Open Source Web App Vulnerability Scanning Tool From Google

Wednesday 19 November 2014



Finally the wildly popular messaging app WhatsApp has made end-to-end encryption a default feature, taking a big step forward for the online privacy of its users around the world.

WhatsApp, the most popular messaging app with 600 million users as of October 2014, has partnered with Open Whisper Systems to boost its privacy and security by implementing strong end-to-end encryption on all text messages.

Strong end-to-end encryption here means that even Mark Zuckerberg himself cannot pry into your conversations, even if asked to by law enforcement officers. The app maker describes this move as the "largest deployment of end-to-end encryption ever."

Open Whisper Systems is a non-profit software organisation started by security researcher Moxie Marlinspike, who is behind the development of the TextSecure encrypted messaging app. Over the past three years, his team has been developing a 'modern, open source, strong encryption protocol' for messaging services, which is now being incorporated into WhatsApp.

"We have a ways to go until all mobile platforms are fully supported, but we are moving quickly towards a world where all WhatsApp users will get end-to-end encryption by default," Open Whisper Systems said in a blog post.
"We're excited to incorporate what we've learned from this integration into our future design decisions, and to bring this experience to bear on integrations that we do with other companies and products in the future."

There are some limits to WhatsApp's end-to-end encryption: so far it only works on the Android platform (with iOS coming soon) and covers only text messaging.

Also, the app is currently open to potential man-in-the-middle (MitM) attacks because there is no way to check or verify the identity of the person you are messaging.
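Why identity verification matters for an end-to-end scheme is easiest to see in a small simulation. The Python below is an added example for this page, not code from WhatsApp or Open Whisper Systems: two parties agree on a key through a relay, and a second relay that silently substitutes its own key shows that both sides still "succeed", so only an out-of-band comparison of key fingerprints (the safety-number style check the post says is missing) reveals the interposition. The group parameters are a deliberately tiny toy, and the function names (keypair, exchange, honest_relay, mitm_relay, out_of_band_verified) are this example's own.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group: a Mersenne prime and a small generator.  Constructed
# for illustration only; real protocols use vetted curves or MODP groups.
P = 2 ** 127 - 1
G = 3


def keypair():
    """Random private exponent and the matching public value G^priv mod P."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P)


def fingerprint(pub):
    """Human-comparable digest of a public key: 20 decimal digits in groups of 5."""
    digest = hashlib.sha256(pub.to_bytes(16, "big")).digest()
    digits = str(int.from_bytes(digest[:8], "big")).zfill(20)[:20]
    return " ".join(digits[i:i + 5] for i in range(0, 20, 5))


def honest_relay(a_pub, b_pub):
    """The server forwards each party's public key unchanged."""
    return b_pub, a_pub  # what Alice receives, what Bob receives


def mitm_relay(a_pub, b_pub):
    """A relay that hands both parties its own key instead (attacker-controlled server)."""
    _m_priv, m_pub = keypair()
    return m_pub, m_pub


def exchange(relay):
    """Run one key agreement through `relay` and return each side's view."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    a_received, b_received = relay(a_pub, b_pub)
    return {
        "alice_secret": shared_secret(a_priv, a_received),
        "bob_secret": shared_secret(b_priv, b_received),
        "alice_sees": fingerprint(a_received),  # fingerprint Alice's app displays for Bob
        "bob_sees": fingerprint(b_received),    # fingerprint Bob's app displays for Alice
        "alice_true": fingerprint(a_pub),       # what Alice reads out over another channel
        "bob_true": fingerprint(b_pub),
    }


def out_of_band_verified(session):
    """The check the post says WhatsApp lacked: each side compares the fingerprint
    it sees with the one the peer reports over an independent channel."""
    return (session["alice_sees"] == session["bob_true"]
            and session["bob_sees"] == session["alice_true"])


if __name__ == "__main__":
    print("honest:", out_of_band_verified(exchange(honest_relay)))
    print("mitm:  ", out_of_band_verified(exchange(mitm_relay)))
```

Without the fingerprint comparison neither client has any signal that anything went wrong: each derives a secret and messages flow, just through an intermediary that can read them. The comparison is the only step in this exchange that depends on something the relay cannot forge.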

WhatsApp was bought by Facebook for $19 billion in February. The popular app has been criticized over the years for a series of security and privacy problems, but since the announcement of this rollout it has been praised across the web by security people.

"WhatsApp deserves enormous praise for devoting considerable time and effort to this project," reads the post. "Even though we're still at the beginning of the rollout, we believe this already represents the largest deployment of end-to-end encrypted communication in history."

Other encrypted messaging apps do exist at present, including Cryptochat, Silent Text and Wire, but according to The Verge, WhatsApp will be the largest to implement this kind of end-to-end encryption ever.

Open Whisper Systems is a company built from open source contributors and a dedicated team to advance "state of the art" secure communication, and is best known as the developer of the Signal, RedPhone, and TextSecure apps.



WhatsApp Messenger Adds End-to-End Encryption by Default



Around 5 million Gmail user names and related passwords have been leaked on a Russian Bitcoin security forum.

Did Google get hacked?
No, the leak was not the result of a security breach of Google systems. The dump is said to have been obtained from other websites.

So, if you have used the same password anywhere else, your Gmail account could be compromised.

Google's response
"We found that less than 2% of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts. We’ve protected the affected accounts and have required those users to reset their passwords." Google wrote.



What should you do?

  • There are a few websites available online to check whether your Gmail ID has been compromised or not.

  • My suggestion is don't use them. I suggest everyone change their password. (I believe most people keep the same password for years, so it's better to change it now.)

  • If you have not enabled the 2-step verification feature, it is good to enable it.

  • Never use the Gmail password on any other website.




About five million Gmail IDs and passwords leaked

Tuesday 18 November 2014



Security analysts from SektionEins have found a critical SQL Injection vulnerability in the Drupal CMS that leaves a large number of websites that use Drupal at risk.

Drupal introduced a database abstraction API in version 7. The aim of this API is to prevent SQL Injection attacks by sanitizing SQL queries.

But this API itself introduced a new and critical SQL Injection vulnerability. The vulnerability allows attackers to run malicious SQL queries and PHP code on vulnerable websites. Successful exploitation lets attackers take complete control of the site.

This vulnerability can be exploited by an unauthenticated user and has been classified as "Highly Critical".

SektionEins did not release the PoC but published an advisory with technical details.

The vulnerability exists in the expandArguments function, which is used for expanding arrays to handle SQL queries with the "IN" operator.

The vulnerability affects earlier Drupal core 7.x versions. Users of 7.x versions are advised to update their CMS immediately.

You can also patch this vulnerability directly by modifying the `database.inc` file under `includes`: change the line "foreach ($data as $i => $value) {" on line 739.
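What that one-line change in expandArguments does is easier to see in a small model. The Python below is an added example written for this page, not Drupal's PHP: it expands an array bound to an IN placeholder into one placeholder per element, once the defective way (the index part of each new placeholder name comes from the caller-supplied array keys) and once the fixed way (positions only, which is what iterating over array_values() instead of the raw array achieves). The function names expand_arguments_vulnerable, expand_arguments_fixed and in_list_well_formed, and the sample key "x y", are this example's own constructions.

```python
import re


def _expand(sql, args, positional):
    """Expand every array-valued placeholder in `args` into ':name_<i>' placeholders."""
    args = dict(args)
    for name, values in list(args.items()):
        if not isinstance(values, (list, dict)):
            continue
        if positional:
            # Fixed behaviour: indexes are positions, so caller keys never reach the SQL.
            seq = values.values() if isinstance(values, dict) else values
            pairs = list(enumerate(seq))
        else:
            # Defective behaviour: whatever keys the caller sent become part of the name.
            pairs = list(values.items()) if isinstance(values, dict) else list(enumerate(values))
        new = {f"{name}_{i}": v for i, v in pairs}
        sql = sql.replace(name, ", ".join(new))
        del args[name]
        args.update(new)
    return sql, args


def expand_arguments_vulnerable(sql, args):
    return _expand(sql, args, positional=False)


def expand_arguments_fixed(sql, args):
    return _expand(sql, args, positional=True)


PLACEHOLDER = re.compile(r":[A-Za-z_][A-Za-z0-9_]*")


def in_list_well_formed(sql):
    """Defensive check: every item inside 'IN (...)' must be a clean placeholder
    identifier; any other text in that position is query structure the caller wrote."""
    m = re.search(r"IN \((.*?)\)", sql)
    if m is None:
        return False
    return all(PLACEHOLDER.fullmatch(item.strip()) for item in m.group(1).split(","))


if __name__ == "__main__":
    query = "SELECT uid FROM users WHERE name IN (:name)"
    # Constructed input: a request can submit an array with arbitrary string keys.
    submitted = {"0": "alice", "x y": "bob"}
    for fn in (expand_arguments_vulnerable, expand_arguments_fixed):
        out_sql, out_args = fn(query, {":name": submitted})
        print(fn.__name__, "->", out_sql, in_list_well_formed(out_sql))
```

With the benign key "x y" the defective expansion already emits text into the query that the application never wrote, which is exactly what the abstraction layer is supposed to make impossible; the positional version produces `:name_0, :name_1` regardless of what keys arrive.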

A proof of concept has been released online that allows anyone to change the password of the administrator account. So hurry up and upgrade your Drupal CMS.

A reddit user, "fyukyuk", posted an HTTP POST request that exploits this vulnerability.

The following Python code changes the administrator password of a vulnerable Drupal installation to "administrator" (tested with Drupal versions 7.21 and 7.31).










Critical SQL Injection vulnerability in Drupal 7.x