Lakshya Dhillon


The Hacker News - Cyber Security and Hacking News Community


Microsoft set to deliver Patches for three Critical flaws, but no patch for Office Zero-day vulnerability

Microsoft has released advanced notification for the November 2013 security updates that are scheduled to be released on November 12, 2013.
The company plans to deliver eight security bulletins for Windows 8.1; three of them are rated critical and five are important. But there's no relief in sight for a zero-day vulnerability (CVE-2013-3906) in how Office handles .TIFF graphics files.
The bulletins listed as critical in Microsoft's advanced notification are for remote code execution vulnerabilities in the Windows operating system. The remaining vulnerabilities, listed as important, are said to be remote code execution, elevation of privilege, information disclosure and denial of service flaws affecting the Windows operating system as well as Microsoft Office.

A malicious zero-day attack capable of hijacking your PC via a vulnerability found in Windows, Office, and Lync is being exploited more widely than originally thought. New reports from security researchers at FireEye and Symantec claim that malware groups are actively using the TIFF flaw to hack into computers.
The majority of the exploits detected by Microsoft, FireEye, and Symantec have occurred in the Middle East and Asia.
Microsoft also explains that the fix for Security Advisory 2896666 could come at any time, which means it could release even before next Tuesday. However, the current Fix It solution is still the proposed deterrent at this point.

Google engineers over surveillance scandal: 'Fuck you NSA'

On Tuesday, the Washington Post published a few more NSA slides released by Edward Snowden, which revealed that the NSA was infiltrating the private data links between Google and Yahoo data centers as part of a program called MUSCULAR.
Chairman and former CEO of Google Eric Schmidt says the company’s executives are shocked by allegations that the National Security Agency has been collecting data from the search engine’s servers. “It’s really outrageous that the NSA was looking between the Google data centers, if that’s true,” he said.

Overnight, two Google security engineers, Mike Hearn and Brandon Downey, expressed reasonable anger about the news on Google+, saying "Fuck these guys", where "these guys" refers to the NSA and GCHQ.
I've spent the last ten years of my life trying to keep Google's users safe and secure from the many diverse threats Google faces.
Fuck You to the people who made these slides. I am not American, I am a Brit, but it's no different - GCHQ turns out to be even worse than the NSA.
We designed this system to keep criminals out.

These are their own opinions, not an official statement from Google. According to them, the NSA, in its efforts to protect freedom and democracy, has in short order wholly compromised freedom and democracy.
Nobody at GCHQ or the NSA will ever stand before a judge and answer for this industrial-scale subversion of the judicial process. In the absence of working law enforcement, we therefore do what internet engineers have always done – build more secure software. The traffic shown in the slides below is now all encrypted and the work the NSA/GCHQ staff did on understanding it, ruined.

He also says, “Thank you Edward Snowden. For me personally, this is the most interesting revelation all summer.”

FBI offering $100,000 reward for information on Most Wanted Cyber Criminals


The US Federal Bureau of Investigation has added five new hackers to its Cyber most wanted list and is seeking information from the public regarding their whereabouts.
The men are wanted in connection with hacking and fraud crimes both within the US as well as internationally. Rewards ranging from up to $50,000 to $100,000 are being offered for information that leads to their arrest.
Two of them are Pakistani, Farnhan Arshad and Noor Aziz Uddin, who caused damage of over $50 million after hacking business telephone systems between 2008 and 2012. Arshad and Uddin are part of an international criminal ring that the FBI believes extends into Pakistan, the Philippines, Saudi Arabia, Switzerland, Spain, Singapore, Italy, Malaysia, and other locations.
Syrian national Andrey Nabilevich Taame is wanted for his alleged role in Operation Ghost Click, a malware scheme that compromised more than four million computers in more than 100 countries between 2007 and October 2011; there were at least 500,000 victims in the United States alone.
Alexsey Belan, a Russian national, is wanted for alleged hacking of three US-based companies between 2012 and 2013.

Carlos Perez-Melara is wanted for his alleged involvement in manufacturing software that was used to intercept the private communications of hundreds of victims around September 2003. As part of the scheme, Perez-Melara ran a website offering customers a way to “catch a cheating lover” by sending “spyware” disguised as an electronic greeting card.

The rewards are being offered for each of the five fugitives, all of whom are believed to be living outside the U.S.

"The expansion of the Cyber’s Most Wanted list is a reflection of the FBI’s increased efforts in this area," FBI officials said in a statement.

China: 'We are ready for International cooperation to deal with cyber security Challenges'

Yesterday at Stanford University in the United States, Cyber Security Experts and Leaders from more than 40 countries gathered to talk about the cyberspace security problems and cooperation among countries.
The need for international cooperation in cybersecurity is evident, due to the nature of cyberspace itself. Cyberspace or the Internet is “borderless” in nature.
Cai Mingzhao, Minister of the State Council Information Office of China said that China is keen to continue working with other countries to deal with cyber security Challenges.
Interesting! When China is itself the culprit in major Cyber Threats and attacks.
"To maintain cyber security, we need to strengthen international cooperation,” and "We are ready to expand our cooperation with other countries and relevant international organizations on the basis of equality and mutual benefit," he said.
He said that China is a victim of cyber security breaches, where more than 80% of Chinese internet users have felt the effects of online hacking. The case for international cooperation is even stronger when criminals take advantage of countries’ inability to coordinate, due to legal reasons or because authorities do not have the necessary technical expertise or resources to address the issue. Cybercrimes are not always clearly illegal in some jurisdictions.
"Between January to August this year, more than 20 thousand websites based in China were modified by hackers and more than 8 million servers, 14 percent more during the same period last year, were compromised and controlled by overseas computers via zombie and Trojan programs. These activities have caused severe damage to our economy and the everyday life of the people," Cai said.
Or is the NSA the real culprit?
As cyber-threats and other information security and network security issues have become borderless, international cooperation should be based on partnership with organizations from other countries in areas such as information-sharing, early warning, monitoring and alert networks.

Due to the global nature of information networks, no policy on cybersecurity can be effective, if efforts are confined to national borders.

Smartphones, A Perfect Cyber Espionage and Surveillance Weapon

The use of mobile devices in government environments concerns the secret services of every state, as cyber espionage more and more often exploits mobile platforms.
Mobile devices are a source of great concern for governments: they have great computational capability, huge memories to store our personal data, GPS to follow our movements, and cameras and microphones to enrich our mobile experience. All those features could be exploited by attackers for cyber espionage. The problem is well known to governments, which are adopting the necessary countermeasures, especially following the recent revelations about the U.S. surveillance program.
The UK Government has decided to ban iPads from the Cabinet over fears of foreign eavesdropping, and Ministers have been asked to leave their mobiles in lead-lined boxes to prevent foreign governments from spying on top-level government meetings.
The news was reported by the Mail on Sunday: after Cabinet Office minister Francis Maude made a presentation using his iPad last week (about how the Government Digital Service might save the UK £2bn a year), Downing Street security staff removed the mobile device to prevent eavesdropping on ongoing discussions.
The measure was adopted to prevent foreign security services that infect mobile devices from capturing audio and data from victims; it is known that hostile actors like China, Russia and Iran have the ability to turn mobiles into powerful spy tools.
Ministers belonging to sensitive government departments were recently issued with soundproof lead-lined boxes to guard and isolate their mobile devices during official meetings.
The precautions have been taken due to the high concern caused by news that German Chancellor Angela Merkel's personal mobile has been spied on by the NSA for years. My personal opinion is that it is not acceptable that the German Federal Intelligence Service has allowed everything, missing the adoption of appropriate protective measures like crypto mobile devices, protected landline and similar. Other governments have already approached the problem by adopting secure devices to prevent bugging and eavesdropping; the British foreign secretary William Hague confirmed his phone has been armored by GCHQ.
Just a week ago, news was published that delegates at the G20 summit in Russia received malicious computer memory sticks used to deliver malware to spy on the participants and steal sensitive information. Let's also remember that the information leaked on the NSA FoxAcid platform revealed the existence of the spy tool kits RADON and DEWSWEEPER, able to exploit victims via USB.
Herman Van Rompuy, the President of the European Council, ordered tests to be carried out on the memory sticks and the results are shocking:
‘The USB pen drives and the recharging cables were able to covertly capture computer and mobile phone data,’ a secret memo said.
Overseas the situation is no different: even the US fears that the use of mobile devices can cause problems. The Department of Homeland Security and the FBI have warned public safety departments that their out-of-date Android devices are a security risk, but updating them is not always easy or simple.
The alert cited unspecified "industry reporting" that, "44 percent of Android users are still using versions 2.3.3 through 2.3.7 (Gingerbread) which were released in 2011 and have a number of security vulnerabilities that were fixed in later versions."
Google's own figures on its site for Android developers estimate that percentage at about a third less — 30.7 percent. But it also showed 21.7 percent using versions 4.0.3-4.0.4, called Ice Cream Sandwich, which is also out of date. Less than half – 45.1 percent – are using the latest OS, called Jelly Bean, and of that group, 36.6 percent are using 4.1, and only 8.5 percent are using 4.2, which is the latest OS.
The DHS/FBI document addresses the principal cyber threats to out-of-date Android mobile devices, including SMS Trojans, rootkits and fake Google Play domains.
Although the alert recommends regular updates, running an "Android security suite" and downloading apps only from the official Google Play Store, updating Android devices can present several problems.
"There is a wide variety of Android OEM versions rolled out to a huge number of different handsets, and not all carriers and handset OEMs will allow you to upgrade to the latest version," "So, the Android versions that can run are restricted per device. Even now it is possible to buy Gingerbread devices that cannot be upgraded to Jelly Bean." said Mario de Boer, research director, Security and Risk Management Strategies at Gartner for Technical Professionals.
De Boer suggested that the only solution for now is to block the use of Android devices that are not running the latest OS.
"Apply admission control," "If your smartphone or tablet is running a vulnerable OS, you cannot get access to the specific service or data." "This is hard to accomplish for voice and text, and easier for email and access to files."
The principal problem with the use of mobile devices in government environments is that almost no smartphone is designed to strict corporate or government security requirements, and poor user habits aggravate the situation.
This needs to change, or mobile devices should be excluded from sensitive contexts.

CVE-2013-3906 : Zero Day Vulnerability in Microsoft Graphics Component

Microsoft has issued a temporary fix for a 0day vulnerability that can be exploited to install malware via infected Word documents.
A zero-day remote code execution flaw, tracked as CVE-2013-3906, lies in a Microsoft graphics component and is being used to target Microsoft Office users running Windows Vista and Windows Server 2008. "The vulnerability is a remote code execution vulnerability that exists in the way affected components handle specially crafted TIFF images," it said in the post. The vulnerability was reported to Microsoft by McAfee Labs senior security researcher Haifei Li.
A successful infection can give an attacker complete control over a system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Currently the company is only aware of targeted attacks mostly in the Middle East and South Asia, with attackers sending unsuspecting victims crafted Word documents with a tainted attachment.

"An attacker could exploit this vulnerability by convincing a user to preview or open a specially crafted email message, open a specially crafted file, or browse specially crafted web content."

According to Microsoft, the exploit combines multiple techniques to bypass exploit mitigation techniques such as data execution prevention (DEP) and address space layout randomization (ASLR).
The affected products are:
  • Windows Vista x86, x64
  • Windows Server 2008 x86, x64, Itanium, Server Core
  • Microsoft Office 2003
  • Microsoft Office 2007
  • Microsoft Office 2010 x86, x64
  • Microsoft Office Compatibility Pack
  • Microsoft Lync 2010 x86, x64
  • Microsoft Lync 2010 Attendee
  • Microsoft Lync 2013 x86, x64
  • Microsoft Lync Basic 2013 x86, x64
Windows 7 and 8 and Office 2013 and Office 365 are not affected.

Microsoft released a temporary 'Fix it' workaround that could block the attack by blocking rendering of the vulnerable TIFF graphic format by way of a registry key.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Gdiplus\DisableTIFFCodec = 1
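
One way to audit, and optionally apply, the registry workaround described above on a single machine. This is an added example, not code from Microsoft or the original article. The key path, value name and data come from the text; the function name, the output fields and the DWORD value type are assumptions.

```powershell
# Added example: audit (and optionally apply) the DisableTIFFCodec workaround.
# Key path, value name and data are those given in the text above.
# Assumptions: the value is a DWORD; the function name and output
# fields are hypothetical.
function Test-TiffCodecWorkaround {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$Apply   # write the value when it is missing or not 1
    )

    $keyPath   = 'HKLM:\SOFTWARE\Microsoft\Gdiplus'
    $valueName = 'DisableTIFFCodec'

    # Read the current state. A missing key or a missing value both mean
    # the TIFF codec is still enabled.
    $current = $null
    if (Test-Path -Path $keyPath) {
        $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $current = $item.$valueName }
    }

    $mitigated = ($current -eq 1)

    if (-not $mitigated -and $Apply) {
        # ShouldProcess makes -WhatIf and -Confirm work for the write.
        if ($PSCmdlet.ShouldProcess("$keyPath\$valueName", 'Set DWORD to 1')) {
            if (-not (Test-Path -Path $keyPath)) {
                New-Item -Path $keyPath -Force | Out-Null
            }
            # -Force overwrites an existing value with the wrong type or data.
            New-ItemProperty -Path $keyPath -Name $valueName -Value 1 `
                -PropertyType DWord -Force | Out-Null
            $current   = 1
            $mitigated = $true
        }
    }

    # One object per machine, suitable for export or aggregation.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Key          = $keyPath
        Value        = $valueName
        Data         = $current
        Mitigated    = $mitigated
    }
}

# Report only:                Test-TiffCodecWorkaround
# Apply (elevated session):   Test-TiffCodecWorkaround -Apply
```

Writing under HKLM requires an elevated session; run with `-Apply -WhatIf` first to see the change without making it.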

The Enhanced Mitigation Experience Toolkit (EMET) helps mitigate the exploitation of this vulnerability by adding additional protection layers that make the vulnerability harder to exploit.

© 2013 lakshyadhillon.n.nu All Rights Reserved.