This is the presentation from Null/OWASP/g4h Bangalore December MeetUp by Vandana Verma.
technology.inmobi.com/events/null-owasp-g4h-december-meetup
Outline:
Security news from November and December 2014.
2. Disclaimer
12/18/2014 2
• The information contained in this presentation does not infringe any intellectual property, nor does it provide detailed information that may be in conflict with any laws.
• Registered brands belong to their legitimate owners.
• The opinions represented here are my personal ones and do not necessarily reflect my employer's views.
• This presentation doesn't teach you how to hack into any system, nor does it encourage anyone to do so without prior permission.
• All the information has been collected from different security news sites (public domain).
3. Agenda
• Arrests
• Data Breach
• Hack
• Mobile Security
• General
• Tools
• Acquisitions
• Stats
• Jobs
• Trends
• Hackable devices
• New Hardware
5. The Straits Times reports that Mohammad Azhar Tahir defaced the prime minister's website in 2013 with messages and images from the hacktivist group Anonymous, including a Guy Fawkes mask. Tahir ultimately received a sentence of six months after it was tacked on to separate sentences he had received previously.
Tahir used a cross-site scripting (XSS) attack to alter the prime minister's website: he entered HTML code into a Google search bar embedded on the site.
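As an added example (not material from the slides, and not code from the website in this news item), here is the defect class behind a reflected XSS in a search box: the query is echoed straight back into the page, shown beside the same page with output encoding applied. The template, tag names and sample query are all constructed for the illustration.

```python
"""Constructed example: a search box that reflects the query back into the page.
render_search_vulnerable() shows the defect behind a reflected XSS (raw input
becomes markup); render_search_fixed() applies output encoding for the two HTML
contexts the query lands in. Not code from any real site."""
import html
import re

# Tags that the page template itself emits; anything else in the rendered
# output must have come from user-controlled input.
TEMPLATE_TAGS = {"form", "input", "p"}

_TAG_NAME_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")


def render_search_vulnerable(query: str) -> str:
    """Reflects the raw query into an attribute value and a text node.
    Any '<', '>' or '"' the user supplies is interpreted as HTML."""
    return (
        '<form><input name="q" value="' + query + '"></form>'
        '<p>Results for ' + query + '</p>'
    )


def render_search_fixed(query: str) -> str:
    """Same page with output encoding. html.escape(quote=True) turns < > & " '
    into entities, which is sufficient for a double-quoted attribute value and
    for a text node (it is NOT sufficient for JavaScript or URL contexts)."""
    safe = html.escape(query, quote=True)
    return (
        '<form><input name="q" value="' + safe + '"></form>'
        '<p>Results for ' + safe + '</p>'
    )


def injected_tags(rendered: str) -> list:
    """Lists the names of tags in the rendered page that the template did not
    emit, i.e. markup that originated from the query. An empty list means the
    query was reflected as inert text."""
    names = [m.group(1).lower() for m in _TAG_NAME_RE.finditer(rendered)]
    return [n for n in names if n not in TEMPLATE_TAGS]


if __name__ == "__main__":
    # Constructed sample query: harmless markup, enough to show the difference.
    # The query is reflected twice, so the vulnerable page gains four tags.
    q = "<i>x</i>"
    print("vulnerable:", injected_tags(render_search_vulnerable(q)))
    print("fixed:     ", injected_tags(render_search_fixed(q)))
```

The fix is output encoding chosen for the context the data lands in; an embedded third-party search widget is simply one more place where untrusted input reaches the page, and it needs the same treatment as the site's own forms.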
7. A Taiwanese security expert found a zero-day vulnerability in the Xiaomi website that allowed him to obtain the credentials of millions of Xiaomi accounts and logs from the servers.
Xiaomi provides a 'Mi Account' to its customers, through which users gain access to Mi Cloud, Mi Talk, the MIUI Forum, Mi Market and other Xiaomi services. These online Xiaomi Mi Accounts store users' personal information, including mobile numbers, email addresses and account credentials.
9. • This began with a skull appearing on screens, and then a strange message telling users they'd been hacked by something called #GOP (Guardians of Peace).
• The cryptic message that appeared on staff machines claimed that the group had stolen internal corporate data, that this was just the beginning, and threatened to release internal data by 11 PM that evening. One Sony source announced: "We are down, completely paralyzed". As a precaution, computers in Los Angeles were shut down while the corporation dealt with the breach.
• Just a week after the cyber-attack on Sony Pictures Entertainment, high-quality versions of five of the newest films distributed by Sony Pictures – Annie, Fury, Still Alice, Mr. Turner and To Write Love on Her Arms – leaked online during Black Friday.
• Just last week, the massive data breach at Sony appeared to have exposed more sensitive documents, revealing the US Social Security numbers of more than 47,000 celebrities, freelancers, and current and former Sony employees.
• Sony's gaming network also suffered a more severe hack in 2011, which led to the exposure of 77 million PlayStation and Qriocity accounts along with 25 million Sony Online Entertainment accounts, bringing the total to more than 100 million in one of the largest data breaches ever.
10. • The Syrian Electronic Army (SEA) hacked a popular web service, Gigya, which manages the comments and social logins of prominent media and entertainment websites.
• The attack used a DNS redirect that pointed Gigya's content delivery network to a server run by the SEA.
• The SEA confirmed the attack via their Twitter account, accompanied by a screenshot of the backend control panel for the Gigya.com domain at GoDaddy.com.
• A top Gigya official said: "Rather, the attack only served other JavaScript files instead of those served by Gigya."
12. A security researcher made a worrying discovery this week and claims, "Uber's app is literally malware."
The ride-hailing company is in a dispute over how it handles the privacy of its customers' data. A Phoenix-based security researcher, Joe Giron, found that a surprising amount of users' data is being collected by the company's mobile application for Android.
The researcher, who runs a cyber security firm in Arizona, reverse-engineered the code of Uber's Android application and came to the conclusion that it is malware. He discovered that the app "calls home" and sends data back to the company.
There is a long list of everything the Uber Android app can collect about its users:
• Accounts log (Email)
• App Activity (Name, PackageName, Process Number of activity, Processed id)
• App Data Usage (Cache size, code size, data size, name, package name)
• App Install (installed at, name, package name, unknown sources enabled, version code, version name)
13. • A vulnerability has been discovered in the wildly popular messaging app WhatsApp which allows anyone to remotely crash WhatsApp just by sending a specially crafted message.
• Two India-based independent security researchers, Indrajeet Bhuyan and Saurav Kar, demonstrated the WhatsApp message handler vulnerability, showing how a 2000-word (2 KB) message made up of a special character set can crash the WhatsApp messenger app.
• The worrying impact of the vulnerability is that the user who received the specially crafted message has to delete his/her whole conversation and start a fresh chat, because opening the message keeps crashing WhatsApp unless the chat is deleted completely.
• It has not been tested on iOS, but it is certain that all versions of WhatsApp including 2.11.431 and 2.11.432 are affected by this bug.
15. The Pirate Bay — an infamous torrent website predominantly used to share copyrighted material such as films, TV shows and music files free of charge — went dark from the internet on Tuesday after Swedish police raided the site's server room in Stockholm and seized several servers and other equipment.
It remained unavailable for several hours, but the site appeared back online in the late hours with a new URL hosted under the top-level domain for Costa Rica.
The Pirate Bay has previously been shut down a number of times and has had its domain seized. Back in September, The Pirate Bay claimed that it ran the notorious website on 21 "raid-proof" virtual machines.
16. • A new mobile Trojan horse infection has been discovered by security researchers that masquerades as a ringtone app and comes pre-loaded on Android smartphones.
• The DeathRing malware app cannot be uninstalled or removed by the end user or by antimalware software.
• Though the malware pretends to be a genuine ringtone app, it actually downloads SMS and WAP content from its command-and-control server to the victim's handset, which gives it the potential to phish the user's sensitive data through fake text messages.
AFFECTED SMARTPHONE HANDSETS
• Counterfeit Samsung GS4/Note II
• A variety of TECNO devices
• Gionee Gpad G1
• Polytron Rocket S2350
• Gionee GN708W
• Gionee GN800
• Hi-Tech Amaze Tab
• Karbonn TA-FONE A34/A37
• Jiayu G4S – Galaxy S4 clones
• Haier H7
• An i9502+ Samsung clone by an unspecified manufacturer
17. December 02, 2014
Fixes were issued for several critical memory safety bugs in the browser engine used by Firefox, as well as other Mozilla-based products.
Disabling support for SSL 3.0 will address POODLE, a severe vulnerability in SSL 3.0 that was discovered by Google researchers in October and could enable an attacker to intercept plaintext data from secure connections.
Fallback to SSL 3.0 was removed in Chrome 39 when the Google browser was promoted to the stable channel in November.
18. Attackers are freely distributing pirated Joomla, WordPress and Drupal themes and plugins that are packaged with a backdoor being referred to as CryptoPHP.
Fox-IT released a whitepaper on CryptoPHP and revealed that most of the command-and-control domains had been sinkholed or taken down.
Fox-IT mentioned that the number of connections to the sinkholes is declining, but the threat is not over, since the attackers are still distributing the compromised plugins and themes via their websites.
20. LusyPOS is a new point-of-sale (PoS) malware uncovered by CBTS reverse engineers early this month. The malware clocks in at around 4.0 MB in size, so it's not small. It creates the mutex "prowin32Mutex" and injects code into iexplore.exe, a strange mix of Dexter-like behaviour and Chewbacca-like techniques.
It comes bundled with freeware, toolbars, games and other downloadable apps that are free of charge. Some people may install the programs packed with LusyPOS malware code intentionally, by agreeing to the terms and conditions of the downloaded program.
22. • Google launched a new "Devices and Activity dashboard" with additional insight into devices, which allows Google Apps users to identify every single active device that has been used to access their account in the last 28 days, as well as those currently signed in.
• The company also launched a new security wizard to help secure Google for Work accounts by walking users through functions to tighten security features, including recovery settings and the ability to review account permissions and access.
30. • Although TLS is very strict about how its padding is formatted, it turns out that some TLS implementations omit to check the padding structure after decryption. Such implementations are vulnerable to the POODLE attack even with TLS.
• The attacks are mainly targeted at browsers, as the attacker has to inject malicious JavaScript to begin the attack.
• "A successful attack will use about 256 requests to uncover one cookie character, or only 4096 requests for a 16-character cookie. This makes the attack quite practical," he argued.
• So far F5 load balancers have been found to be impacted by the threat. The firm has issued this advisory on how to patch any affected kit.
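Added example (Python; not from the slides, and not the code of any real TLS library or of the affected products): the receive-side padding check whose absence the slide describes. It shows the lenient SSL 3.0-style check that accepts a record with garbage padding bytes next to the strict TLS check that rejects it, and a full accept/reject decision that includes the MAC so the difference is visible end to end. It assumes AES-CBC with 16-byte blocks and HMAC-SHA256 as the record MAC; the key and the HTTP payload are constructed.

```python
"""Constructed example: the receive-side padding check in a TLS CBC record
layer, in the lenient SSL 3.0 style that POODLE exploits and in the strict
form TLS requires. Not code from the slides or from any TLS library.

After CBC decryption a record is laid out as
    payload || MAC || padding bytes || padding_length
TLS 1.0+ requires every padding byte to equal padding_length; SSL 3.0 only
requires that the length byte fits in the record. Carrying the SSL 3.0 check
over into TLS leaves records with garbage padding bytes accepted."""
import hashlib
import hmac

BLOCK_SIZE = 16   # assumption: AES-CBC, 16-byte blocks
MAC_SIZE = 32     # assumption: HMAC-SHA256 record MAC


def lenient_padding_ok(decrypted: bytes) -> bool:
    """SSL 3.0-style check: trusts the final byte as the pad length and only
    verifies that pad + MAC fit inside the record. Padding content is ignored."""
    if not decrypted:
        return False
    pad_len = decrypted[-1]
    return pad_len + 1 + MAC_SIZE <= len(decrypted)


def strict_padding_ok(decrypted: bytes) -> bool:
    """TLS-style check: the length byte and every padding byte must all carry
    the value pad_len, and the whole padding must fit inside the record."""
    if not decrypted:
        return False
    pad_len = decrypted[-1]
    if pad_len + 1 + MAC_SIZE > len(decrypted):
        return False
    expected = bytes([pad_len]) * (pad_len + 1)
    # compare_digest keeps the comparison time independent of where a
    # mismatch occurs, so the check itself does not become a timing oracle.
    return hmac.compare_digest(decrypted[-(pad_len + 1):], expected)


def record_accepted(decrypted: bytes, mac_key: bytes, strict: bool) -> bool:
    """Full receive-side decision: padding check, then MAC check over the
    payload. Returns True if the record would be accepted."""
    padding_ok = strict_padding_ok if strict else lenient_padding_ok
    if not padding_ok(decrypted):
        return False
    body = decrypted[:-(decrypted[-1] + 1)]
    payload, mac = body[:-MAC_SIZE], body[-MAC_SIZE:]
    expected = hmac.new(mac_key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


def build_record(payload: bytes, mac_key: bytes) -> bytes:
    """Assembles payload || MAC || padding exactly as it would look after
    decryption (the cipher step is omitted; it does not affect the check)."""
    mac = hmac.new(mac_key, payload, hashlib.sha256).digest()
    body = payload + mac
    pad_len = BLOCK_SIZE - (len(body) + 1) % BLOCK_SIZE   # always >= 1
    return body + bytes([pad_len]) * (pad_len + 1)


def scramble_padding(record: bytes) -> bytes:
    """Flips every padding byte but leaves the length byte intact. This is the
    shape of a record whose padding structure is wrong while its length byte
    still looks valid: the case on which the two checks disagree."""
    pad_len = record[-1]
    garbage = bytes(b ^ 0xFF for b in record[-(pad_len + 1):-1])
    return record[:-(pad_len + 1)] + garbage + bytes([pad_len])


if __name__ == "__main__":
    key = b"constructed-mac-key"                       # constructed
    good = build_record(b"GET / HTTP/1.1\r\nCookie: session=abc\r\n", key)
    bad = scramble_padding(good)
    for name, rec in (("intact", good), ("scrambled", bad)):
        print(name, "lenient:", record_accepted(rec, key, strict=False),
              "strict:", record_accepted(rec, key, strict=True))
```

The MAC does not cover the padding, so a lenient implementation accepts the scrambled record outright; only the strict structure check rejects it. That is also a usable acceptance test for a TLS stack or load balancer after patching: a record with valid MAC and length byte but wrong padding bytes must be rejected.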