Showing posts with label Security. Show all posts

Wednesday 19 November 2014



Finally, the hugely popular messaging app WhatsApp has made end-to-end encryption a default feature, a big step forward for the online privacy of its users around the world.

WhatsApp, the most popular messaging app with 600 million users as of October 2014, has partnered with Open Whisper Systems to boost its privacy and security by implementing strong end-to-end encryption on all text messages.

Strong end-to-end encryption here means that even Mark Zuckerberg himself cannot read your conversations, even if asked to by law enforcement officers. The app maker describes this move as the "largest deployment of end-to-end encryption ever."

Open Whisper Systems is a non-profit software organisation started by security researcher Moxie Marlinspike, who is behind the development of the TextSecure encrypted messaging app. Over the past three years, his team has been developing a 'modern, open source, strong encryption protocol' for messaging services, which is now being incorporated into WhatsApp.

"We have a ways to go until all mobile platforms are fully supported, but we are moving quickly towards a world where all WhatsApp users will get end-to-end encryption by default," Open Whisper Systems said in a blog post.
"We're excited to incorporate what we've learned from this integration into our future design decisions, and to bring this experience to bear on integrations that we do with other companies and products in the future."

There are some limits to WhatsApp's end-to-end encryption: so far, it only works on the Android platform (with iOS coming soon) and covers only text messaging.

The app is also currently open to potential man-in-the-middle (MitM) attacks, because there is no way to check or verify the identity of the person you are messaging.

WhatsApp was bought by Facebook for $19 billion in February. The popular app has been criticized over the years for a series of security and privacy problems, but after the announcement of this rollout it has been praised across the web by security people.

"WhatsApp deserves enormous praise for devoting considerable time and effort to this project," reads the post. "Even though we're still at the beginning of the rollout, we believe this already represents the largest deployment of end-to-end encrypted communication in history."

Other encrypted messaging apps do exist already, including Cryptochat, Silent Text and Wire, but according to the Verge, WhatsApp will be the largest ever to implement this kind of end-to-end encryption.

Open Whisper Systems is a company built from open source contributors and a dedicated team to advance "state of the art" secure communication, and is best known as the developer of the Signal, RedPhone, and TextSecure apps.



WhatsApp Messenger Adds End-to-End Encryption by Default



Around 5 million Gmail user names and their passwords have been leaked on a Russian Bitcoin security forum.

Did Google get hacked?
No, the leak was not the result of a security breach of Google's systems. The dump is said to have been obtained from other websites.

So, if you have used the same password anywhere else, your Gmail account could be compromised.

Google's response
"We found that less than 2% of the username and password combinations might have worked, and our automated anti-hijacking systems would have blocked many of those login attempts. We’ve protected the affected accounts and have required those users to reset their passwords." Google wrote.



What should you do?

  • There are a few websites available online to check whether your Gmail ID has been compromised or not.

  • My suggestion is don't use them. I suggest everyone change their password. (I believe most people keep the same password for years, so it's better to change it now.)

  • If you have not enabled the 2-step verification feature, it is good to enable it.

  • Never use your Gmail password on any other website.




About five million Gmail IDs and passwords leaked

Tuesday 18 November 2014



Security analysts from SektionEins have found a critical SQL Injection vulnerability in the Drupal CMS that leaves a large number of websites using Drupal at risk.

Drupal introduced a database abstraction API in version 7. The aim of this API is to prevent SQL Injection attacks by sanitizing SQL queries.

But this API itself introduced a new and critical SQL Injection vulnerability. The vulnerability allows attackers to run malicious SQL queries and PHP code on vulnerable websites. Successful exploitation allows attackers to take complete control of the site.

This vulnerability can be exploited by an unauthenticated user and has been classified as "Highly Critical".

SektionEins did not release a PoC but published an advisory with technical details.

The vulnerability exists in the expandArguments function, which is used for expanding arrays to handle SQL queries with the "IN" operator.

The vulnerability affects Drupal core 7.x versions prior to 7.32. Users of 7.x versions are advised to update their CMS immediately.

You can also directly modify the "includes database.inc" file to patch this vulnerability; change the "foreach ($data as $i => $value) {" on line 739.

A Proof of Concept has been released online that allows anyone to change the password of the administrator account. So hurry up and update your Drupal CMS.

A reddit user, "fyukyuk", posted an HTTP POST request that exploits this vulnerability.

The following Python code changes the administrator password of a vulnerable Drupal site to "admin" (tested with Drupal versions 7.21 and 7.31).










Critical SQL Injection vulnerability in Drupal 7.x