Archive for August 31, 2015

Teenager who hacked US and British government website faces jail

A British teenage hacker has been warned by the Birmingham Crown Court that he faces possible jail time for bringing down the FBI's and the Home Office's website.

Charlton Floate  (19) has pleaded guilty to three counts under the Computer Misuse Act and three charges for possessing prohibited images.

Charlton's lawyers argued that their client was only on the outside of the whole conspiracy and not deeply involved in the matter but the court has ruled out that possibility saying that Charlton is a very intelligent man who is an expert in computer marketing.

The judge quoted in the hearing, "A successful attack on the FBI.gov website is regarded by hackers as the Holy Grail of hacking. It was this which he attempted and, indeed, achieved.He was the person who instituted such attacks and assembled the tools and personnel for doing so."

The FBI site was down for about five hours where as the Home Office site crashed for 83  minutes.

Ola leaks personal information of its customer, claims a girl

A girl from Chennai claimed that OlaCabs, famous as Ola, a mobile app for personal transportation in India, had sent personal information of more than 100 customers to her via SMS.

Swapnil Midha posted on Facebook that the Ola, which started as an online cab aggregator in Mumbai, now based out of Bangalore and is among the fastest growing businesses in India, leaked personal details such as mobile numbers, locations of users.

However, the company regarded it as a technical fault and confirmed that it has been fixed now.

“About three weeks ago, I booked an Ola cab for a long distance drive. After the ride I received a few garbled texts from "VM-OLACAB" that I didn't think much of and ignored. These messages were alpha-numeric with hashes and made no sense to me whatsoever. I assumed there was some system error and did not anticipate the sleep deprivation that followed,” she wrote on Facebook.

She added, “My phone beeped throughout the night. 1:06, 2:34, 2:37, 2:38, 4:05, 5:17. I couldn't get my head around why these were coming at these times. I then called their call centre the next day to explain that there was probably some sort of bug and my number had somehow gotten into their highly cryptic message transmission systems, whatever secrets they were trying to transmit.”

Although, the Ola assured her to fix the problem soon, she had been receiving SMS after SMS. She received text between 300 and 400.

“I received no further communication from them, no update, no email, just more garbled messages,” she explained. I reached out to them through every channel possible. I called their call centre at least 5 times, demanded to speak to the senior managers, and had to explain my problem each time in great detail, answering the same annoying questions.”

She said that the company shared personal details of their customers throughout the day and throughout the night.

“What scares me the most, is that THIS should be their number one priority. I questioned their lack of concern for privacy and data protection. I threatened to report them to the authorities and TRAI. Nothing seemed to work which makes you think - do they even care about protecting customer information? If they are sending all this to me, who are they sending MY booking details to? Whose number is receiving all of my data? Which creepy criminal knows my full name, my mobile number, my door number, my account details, when I'm home and when I'm out?” she added.

The girl has raised a serious question which the company concerned need to answer as soon as possible. If this, one of the most trusted companies like the Ola does such careless, what do we expect from others?  

PayPal fixes serious vulnerability in its domain

Photo Courtesy: Security Down

A serious flaw in PayPal Holdings Inc, an American company which operates a worldwide online payments system, has been patched. The flaw could have allowed an attacker to trick users into handing over their personal and financial details.

The flaw, which was detected by Ebrahim Hegazy, was caused by a stored cross-site scripting (XSS) bug in the SecurePayments.PayPal.com domain, which is used for PayPal’s hosted solution that enables buyers to pay with a payment card or their PayPal account, eliminating the need to capture or store sensitive payment information

“I’ve found a Stored XSS vulnerability that affects the SecurePayment page directly which allowed me to alter the page HTML and rewrite the page content, An attacker can provide his own HTML forms to the user to fullfill and send the users data back to attacker’s server in clear text format, and then use this information to purchase anything in behave of users or even transfere the users fund to his own account,” the researcher posted in his blog.

According to the Egypt-based researcher, a malicious actor could have set up a rogue shopping site or hijacked a legitimate website, and alter the “Checkout” button with a URL designed to exploit the XSS vulnerability.

The flaw could allow the attacker to change the contents of the SecurePayments page and display a phishing page where the victim is instructed to enter personal and financial information. The collected data is then sent back to a server controlled by the attacker, the researcher explained.

The researcher, who had found a serious flaw in Yahoo domain last year, reported about the vulnerability to PayPal on June 19. The payment processor confirmed patching the flaw on August 25.


After that, the company concerned awarded Hegazy $750 for his findings, which is said to be the maximum bug bounty payout for XSS vulnerabilities. 

Facebook to bring “Video Matching Technology” to control Piracy


Here comes a good news for those video creator who are fed up with the video piracy especially on social networking sites as Facebook is planning to launch a “Video Matching Technology” which will inform the real video owners that those videos are uploaded by others. 

A news report published in ReCode, confirms that in order to control the video piracy on Facebook, the company has decided to come up with the technology.

“We’ve heard from some of our content partners that third parties too frequently misuse their content on Facebook,” Facebook posted in its blog. “It’s not fair to those who work hard to create amazing videos. We want creators to get credit for the videos that they own.”

It is said that the company and its partners have started testing the new technology, which requires content owners to upload the clips they want to protect into Facebook’s system.

“It is the first step to creating the equivalent of YouTube’s Content ID system, which the video giant built up over years as a response to its own copyright/piracy problems. After years of ignoring video, 
Facebook is now a major player, so this kind of effort was obvious and overdue,” the news report reads.

“Facebook’s response comes after video makers and distributors have grown increasingly vocal about pirated videos, which by one estimate accounted for more than 70 percent of Facebook’s most popular videos. In May, Jukin Media, a video licensing agency best known for “Fail” clips, described Facebook’s copyright problems as “massive.” In June, Fullscreen CEO George Strompolos, who runs one of the biggest YouTube video networks,tweeted that he was “getting very tired of seeing our videos ripped there with no way to monitor or monetize,” the news report reads.

Now Facebook says Jukin and Fullscreen are two of its initial launch partners for the new technology, along with Zefr, a service company that helps content owners track their clips on YouTube. Facebook says it is also working with major media companies on the effort, but won’t identify them.


$376,000 for Informer in Ashley Madison hacking case

Avid Life Media (ALM), parent company of Ashely Madison,  is offering a $500,000 (Canadian dollars) as a prize money for any information related to the “identification, arrest and prosecution” of those hackers,who all were responsible in recent hack of the website.

Avid Life Media confirmed that the data Impact Life stole is legit.

The legal investigation has been started. With the help of Toronto police department and “white hat “hackers, they are hoping to find the perpetrators.

During press conference, acting superintendent Bryce Evans said that hackers have "certain techniques to help us and assist us.” He also said that they would lean on its “good working relationship” with the US Security agency FBI and Homeland Security.

The Toronto police and AML motivated to find the hackers responsible for data breach, Evans  referred to  two suicides that appears to be reason related to the Ashley Madison breach, "spin-off crimes and further victimization" from people accessing the hacked data.

$500,000 canadian dollar accounts for $376,000 US dollars.