Archive for January 31, 2014

Canadian Spy agency with help of NSA tracked passengers who used free airport WiFi


Image Credits: Kaspersky
Here is another example why public WiFI networks pose a potential risk to your data.

A report from CBC News based on newly leaked secret document by former U.S. security contractor Edward Snowden reveals that Canadian spy agency was spying on the passengers who used free WiFi service in airports.

The Communications Security Establishment Canada (CSEC) is prohibited from spying on Canadians without a warrant.  However, they have collected metadata about all travelers passing through Airport including Canadians.

The document presented to the CBC shows the captured information from travelers' devices was then helped the spy agency to track them for a week or more as their wireless devices connected to any other Wi-FI hot spots in locations around Canada and event at US airports.

According to CBC, the leaked document suggests that operation was a trial run of a new software developed by CSEC with the help US's National security Agency(NSA).

Two largest Canadian airports - Toronto and Vancouver - and Boingo, a largest independent WiFi services supplier at other airports, have denied the involvement in providing any information of WiFi users.

Bug Bounty Programs: Github now offers $100 to $5000 for security vulnerability

Github is the latest organization to join the list of organizations offering Bounty to security researchers who find and report vulnerabilities.

Github has previously listed the name of those who report vulnerabilities in the 'Hall of fame' page, now offers bounty amount starting from $100 to $5,000. 

The exact bounty amount for each vulnerability is determined by GitHub based on actual risk and potential impact to their users.

Let us say, you find a non-persistent XSS vulnerability which only work in Opera browser(affects only 2% of its users) will get small bounty.  If you managed to find a Persistent(stored) XSS that will work in Chrome(affects 60% of its users), it will earn you larger reward. 

The bounty program currently covers the GitHub API, GitHub Gist and GitHub.com.  GitHub says its other applications are not part of the open bounty, but researchers may receive a bounty at its discretion.

So far, two researchers have received 1000 points for reporting 'Broken Authentication or Session Management' and 'Missing Function Level Access Control'

Critical Remote Code Execution vulnerability patched in MediaWiki, affecting WikiPedia

A Critical Remote Code Execution vulnerability has recently been patched the Mediawiki in its wiki Software.  Thousands of Wiki sites including WikiPedia have been impacted by this security bug.

Security researchers from Checkpoint identified this vulnerability(CVE-2014-1610) affecting all versions starting with version 1.8.  The websites are vulnerable only, if a specific non-default setting is enabled.

According to the security advisory, an attacker could have exploited this vulnerability to make file and system changes and gained complete control over the server.

Checkpoint said that an attacker could have injected malware code into every page WikiPedia.org which could have put millions of users' system at potential risk of malware infection.

Fortunately, Checkpoint immediately informed the WikiMedia foundation about the presence this security bug.  On 28th Jan., the foundation released patch for this bug.

The security advisory says that this is the third critical remote code execution vulnerability discovered in MediaWiki since 2006.

Hackers reportedly used stolen vendor credentials for hacking Target system


Target Corporation told Wall Street Journal that the massive data breach it suffered last month happened after cyber criminals compromised credentials from a vendor and used them for hacking into the Target system.

The company didn't provide much information.  It didn't say how hackers stole the credentials.  They also didn't specify in which portal hackers logged into.

Cyber security blogger Brian Krebs who brought the Target breach to the light, said in his blog that malware used in the breach had used username 'Best1_user' and password 'BackupU$r' to access the shared drive.  Krebs highlighted the fact that the username is same as the default password used in IT management software developed by BMC Software.

"According to BMC’s documentation, this account is normally restricted, but the attackers may have usurped control to facilitate lateral movement within the network." said in Dell SecureWorks report pointed out by Krebs.

The report also revealed that malware component installed a service called "BladeLogic", appeared to be mimicking the name of another product of BMC.

A Trusted source told Krebs that BMC's software is used by many major retailers.  He believes targets also use it.

Krebs also confirmed that cyber criminals known as Rescator are selling millions of cards stolen in the Target data breach.