Hackers breach PureVPN website by exploiting a zero-day WHMCS vulnerability

Customers of the Virtual Private network provider "PureVPN" over the weekend started receiving a fake email claiming to be from the founder saying that "due to an incident we had to close your account permanently".

"We are no longer able to run an anonymization service due to legal issues we are facing" The fake email reads.

"We had to handover all customer’s information to the authorities unfortunately. They might contact you if they need any details about the case they are working on. The following information was handed over: your name, billing address and phone number provided during purchase and any documents we had on file (for example scan of your ID or driver’s license if you have provided these to our billing department)."

However, the Co-founder ,Uzair Gadit, said in the official blog post that the email is fake and confirmed the purevpn website hit by a security breach.

Hackers exploited a vulnerability in 3rd party application WHMCS and compromised the email IDs and names of registered users.

"We repeat no billing information such as Credit Card or other sensitive personal information was compromised." The blog post reads.

Vulnerability in WhatsApp allows decrypting user messages

A serious vulnerability in WhatsApp allows anyone who is able to eavesdrop on WhatsApp connection to decrypt users' messages.

Whatsapp, the mobile application for instant messaging platform has become one of the main communication tools of the present day and its popularity makes it attractive for security researchers and hackers.

This time it is debated in the protection of the messages exchanged through the application, thanks to a vulnerability in the crypto implementation they can be intercepted by an attacker.

Thijs Alkemade is a computer science student at Utrecht University in The Netherlands who works on the open source Adium instant messaging project, during its research activity he disclosed a serious issue in the encryption used to secure WhatsApp messages.

In the post titled "Piercing Through WhatsApp’s Encryption" Alkemade remarked that Whatsapp has been plagued by numerous security issues recently, easily stolen passwords, unencrypted messages and even a website that can change anyone’s status.

"You should assume that anyone who is able to eavesdrop on your WhatsApp connection is capable of decrypting your messages, given enough effort. You should consider all your previous WhatsApp conversations compromised. There is nothing a WhatsApp user can do about this but expect to stop using it until the developers can update it." states the researcher.

An attacker sniffing a WhatsApp conversation is able to recover most of the plaintext bytes sent, WhatsApp uses RC4 software stream cipher to generate a stream of bytes that are encrypted with the XOR additive cipher.

The mistakes are:

• The same encryption key in both directions
• The same HMAC key in both directions

Below the trick used by the researcher to reveal the messages sent with WhatsApp exploiting first issue:

WhatsApp adopts the same key for the incoming and the outgoing RC4 stream, "we know that ciphertext byte i on the incoming stream xored with ciphertext byte i on the outgoing stream will be equal to xoring plaintext byte i on the incoming stream with plaintext byte i of the outgoing stream. By xoring this with either of the plaintext bytes, we can uncover the other byte."

The technique doesn't directly reveal all bytes but works in many cases, another element that advantage the attacker is that messages follow the same structure and are easy to predict starting from the portion of plaintext that is disclosed.

The second issue related to the HMAC id more difficult to exploit, Alkemade said WhatsApp also uses the same HMAC key in both directions, another implementation error that puts messages at risk, but is more difficult to exploit.

The MAC is used to detect data alteration but it is not enough to detect all forms of tampering, the attacker potentially could manipulate any message.

"TLS counters this by including a sequence number in the plaintext of every message and by using a different key for the HMAC for messages from the server to the client and for messages from the client to the server. WhatsApp does not use such a sequence counter and it reuses the key used for RC4 for the HMAC."

Alkemade is very critical to the development team of the popular platform:

“There are many pitfalls when developing a streaming encryption protocol. Considering they don’t know how to use a xor correctly, maybe the WhatsApp developers should stop trying to do this themselves and accept the solution that has been reviewed, updated and fixed for more than 15 years, like TLS,” he said.

I agree with the thinking of the researcher, security for applications such as WhatsApp is crucial given its level of penetration, it is true that the interest of the scientific community and cybercrime will surely lead them to discover new vulnerabilities to which WhatsApp have to provide a quick solution.

Alkemade confirmed that there is no remediation for the flaw in this moment, that's why he suggest to stop using WhatsApp until developers produce a patch.

Antivirus firm ESET and BitDefender website defaced by Pro-Palestinian Hackers

A pro-Palestinian hacktivist group 'KDMS Team', who recently managed to briefly hijack the Metasploit website of security firm Rapid7 and become popular after Hacking World's largest Web Hosting Network Leaseweb website and antivirus vendors AVG, Avira as well as mobile messaging service WhatsApp's websites.

Now even I have to say that - Security is just an Illusion, because just now the group aligned with Anonymous has successfully hijacked another two Antivirus firm website - ESET and Bitdefender.

The KDMS Team successfully changed the DNS records of both sites to redirect people to a website playing the Palestinian national anthem and displaying a political message under the title "You Got Pwned".

Message posted on Bitdefender and Eset website says:

Hello bitdefender
Touched By KDMS team
We was thinking about quitting hacking and disappear again ..!
But we said : there is some sites must be hacked
You are one of our targets Therefore we are here ..
And there is another thing .. do you know Palestine ?
There is a land called Palestine on the earth This land has been stolen by Zionist Do you know it ?
Palestinian people has the right to live in peace Deserve to liberate their land and release all prisoners from israeli jails We want peace Long Live Palestine

Both affected domains are registered from REGISTER.COM, INC. by companies, which is also a domain registrar for Metasploit website -- was hijacked yesterday via a spoofed change request faxed to Register.com. But the technical details on how hackers managed to hijack the ESET and Bitdefender website is not yet available, we are in contact with hackers.. Will update the article in a few hours. Stay Tuned !

Defacement of Security companies is really embarrassing and hacker's tactics allowed them to get their political message to millions of users. One of their team members tweeted, "When it's a matter of resistance no one will blame you. . Free Palestine .. Fight for Palestine"

Silk Road taken down by FBI

Notorious online marketplace "Silk Road" has been taken down by the FBI and the owner "Ross Ulbricht" a.k.a (Dread Pirate Roberts) has been arrested . Proving that "Perfect security is impossible"

He has been charged with  conspiracy to traffic narcotics, conspiracy to hack computers, and conspiracy to launder money.

The website now shows a "This Hidden Site Has Been Seized" message

Silk Road was the drug dealing website in the world .It used the "TOR hidden network" to hide itself and its users.It seems Ross Ulbricht was caught due to his own mistakes and NOT due to a vulnerability in the TOR network.


This site had been a major point used lawmakers and politicians to try to curtail the growth of the TOR
 network.And now the recent actions by the FBI against many hidden sites in the TOR network is indeed a very big setback for it.

All the transactions in silkroad were done using Bitcoins and since the news of Ross Ulbricht's arrest bitcoin value has dropped quite a bit (Due to paranoid selling). But this is just the currency stabilizing itself, when it stabilizes BTC value will rise again. And the removal of association from such illigal market places might actually be a good thing for bitcoins.

Jordan's PM's website hacked by Anonymous hacktivist

Anonymous hacktivists have hacked into official website of Jordan's Prime ministry in a protest against raising taxes and prices.  The website was defaced with a message in Arabic to Prime Minister Abdullah Nsur.

"Hi uncle, how are you? We are sorry, we hacked your website. Are you upset? We feel much worse when you raise prices. The people know this feeling but you do not," the defacement message reads.

According to Voice of Russia report, the website has been restored after it was hacked for several hours.  The official claimed to have identified the attackers.

At the time of writing, the website(pmo.gov.jo) is offline.  You can still view the defacement in Google cache: http://webcache.googleusercontent.com/search?q=cache:http://pmo.gov.jo/PMO_Images/635159460595068250.htm

Anonymous hacktivists have hacked into official website of Jordan's Prime ministry in a protest against raising taxes and prices.  The website was defaced with a message in Arabic to Prime Minister Abdullah Nsur.

"Hi uncle, how are you? We are sorry, we hacked your website. Are you upset? We feel much worse when you raise prices. The people know this feeling but you do not," the defacement message reads.

According to Voice of Russia report, the website has been restored after it was hacked for several hours.  The official claimed to have identified the attackers.

At the time of writing, the website(pmo.gov.jo) is offline.  You can still view the defacement in Google cache: http://webcache.googleusercontent.com/search?q=cache:http://pmo.gov.jo/PMO_Images/635159460595068250.htm - See more at: http://www.ehackingnews.com/2013/09/jordans-pms-website-hacked-by-anonymous.html#sthash.jNlmt3gn.dpuf

Anonymous hacktivists have hacked into official website of Jordan's Prime ministry in a protest against raising taxes and prices.  The website was defaced with a message in Arabic to Prime Minister Abdullah Nsur.

"Hi uncle, how are you? We are sorry, we hacked your website. Are you upset? We feel much worse when you raise prices. The people know this feeling but you do not," the defacement message reads.

According to Voice of Russia report, the website has been restored after it was hacked for several hours.  The official claimed to have identified the attackers.

At the time of writing, the website(pmo.gov.jo) is offline.  You can still view the defacement in Google cache: http://webcache.googleusercontent.com/search?q=cache:http://pmo.gov.jo/PMO_Images/635159460595068250.htm - See more at: http://www.ehackingnews.com/2013/09/jordans-pms-website-hacked-by-anonymous.html#sthash.jNlmt3gn.dpuf

FBI demands SSL Keys from Secure-Email provider Lavabit in Espionage probe

During the summer, The Secure email provider 'Lavabit' and preferred service for PRISM leaker Edward Snowden decided to shut down after 10 years to avoid being complicit in crimes against the American people.

The U.S. Government obtained a secret court order demanding private SSL key from Lavabit, which would have allowed the FBI to wiretap the service’s users, according to Wired.

Ladar Levison, 32, has spent ten years building encrypted email service Lavabit, attracting over 410,000 users. When NSA whistleblower Edward Snowden was revealed to be one of those users in July, Ladar received the court orders to comply, intended to trace the Internet IP address of a particular Lavabit user, but he refused to do so.

The offenses under investigation are listed as violations of the Espionage Act and Founder was ordered to record and provide the connection information on one of its users every time that user logged in to check his e-mail.

The Government complained that the Lavabit had the technical capability to decrypt the information, but that Lavabit did not want to defeat its own system, So on the same day, U.S. Magistrate Judge Theresa Buchanan ordered Lavabit to comply, threatening Lavabit with criminal contempt.

FBI's search warrant also demanded all information necessary to decrypt communications sent to or from the Lavabit email account redacted including encryption keys and SSL keys.

But because Lavabit hadn’t complied till August 5, and a court ordered that Levison would be fined $5,000 a day beginning August 6, for every day he refused to turn over the key. 

On August 8, Levison finally decided to shut down Lavabit. “I’m taking a break from email,” said Levison. “If you knew what I know about email, you might not use it either.”

Code-sharing site GitHub now offers two-factor authentication to its users

Code repository GitHub offers two-factor authentication to beef up security around its users’ accounts. Github is a coding repository where developers used to build their projects projects that may turn out to be valued knowledgeable assets.

Two-Factor Authentication adds another layer of authentication to the login process, Now users have to enter their username and password, and a secret code in the second step, to complete the sign in. If a hacker manages to steal a user's credentials through phishing or trojans, cannot do anything, as they do need a second key to enter.

“We strongly urge you to turn on 2FA for the safety of your account, not only on GitHub, but on other websites that support it,” the company says. This two-factor authentication for Githu can be turned on in your account settings.

GitHub hit 3.5 million users’ landmark along with 6 million repositories deposited on its 5th anniversary in April. Two-factor authentication can protect you from phishing attacks, where hackers try to trick you into giving over your information.

For receiving the second authentication factor, users can either choose to receive it via a text message or can use dedicated authentication mobile app i.e. Google Authenticator for Android/iPhone/BlackBerry or Duo Mobile for Android/iPhone or Authenticator for Windows Phone 7.

Fear of NSA PRISM : Indian Government may ban US email services for official communication

The Indian Government is planning to ban the use of US based email services like Gmail for official communications to increase the security of confidential government information.

The recent disconcerting reports that that India was being spied upon by American intelligence agencies has opened an all new chapter in the cyber security space. As leaked by former US National Security Agency contractor Edward Snowden, that NSA involved in widespread spying and surveillance activities across the globe.

The Government plans to send a formal notification to about 500,000 employees across the country, asking them to stick to the official email service provided by India's National Informatics Centre, Time of India Reported.

The fact that several government officers in top positions use their Gmail IDs for official communications i.e. Several senior government officials in India, including ministers of state for communications & IT Milind Deora and Kruparani Killi, have their Gmail IDs listed in government portals as their office email.

Last week, India's IT minister Kapil Sibal revealed that the new policy will enforce rules such as use of static IP addresses, virtual private networks and one-time passwords for accessing Indian government email services on all Indian officials who are stationed abroad.

“All Indian missions will use NIC servers which are directly linked to a server in India and that will keep government information safe.” Sibal said.

China hit by DDoS attack causes Internet inaccessible for hours

During the weekend China's Internet was taken down by a powerful distributed denial of service (DDoS) attack on the .cn domain slowed and blocked Internet access inaccessibility for hours.

Security expert clarified that China could have been perpetrated by sophisticated hackers or by a single individual. The China Internet Network Information Center [CINIC] reported that the attack began at 02:00 local time on Sunday with a peek at 04:00 that made it the largest DDoS attack the country’s networks have ever faced. The CCINIC is responsible for registering sites in the .cn domain.

Before malicious coders can launch a DDoS attack, they must infect the computers of unsuspecting users, often by tricking people into installing malware on their computers.

The China Internet Network Information Center confirmed the attack with an official statement informing internet users that it is gradually restoring web services and that will operate to improve the security level of the Internet infrastructure of the country to prevent and mitigate further attacks.

Following the translated announcement: "8 May 25 at 0:00 or so, the State DNS node Denial of Service attacks, the China Internet Network Information Center disposal, to 2 pm, the service is restored to normal, early morning 3 through the official micro notice. Morning four o'clock, the state once again under DNS node biggest ever denial of service attacks, some websites analytical affected, leading to slow or interrupt access. 

In the notice, the attack continues, national domain name resolution services have been gradually restored. Ministry of Industry and Information Technology launched the "Domain Name System Security specific contingency plans" to further the protection of national domain name resolution services. China Internet Network Information Center, the affected user apologized to launch cyber attacks on the Internet stable behavior affect condemned. China Internet Network Information Center will work with the sector to work together to continue to enhance the service capabilities."

The Wall Street Journal was the first media agency that reported the important outage, the official source of Chinese Government confirmed that its network suffered the biggest distributed denial-of-service attack ever.

It's not currently known who attacked the Chinese domain or the motivations, CloudFlare CEO Matthew Prince said that there is no certainty that behind the attack there is a group of hackers, he added that "it may have well been a single individual".

Java 6 vulnerable to #0day exploit; added to Neutrino exploit kit

Hackers are using a new exploit for a bug in the out-of-date but popular Java 6 platform to attack victims, and has been added to a commercially available Neutrino exploit kit.

The use of Java 6 still is prevalent, opening up a significant number of users to the threat. F-secure analyst Timo Hirvonen warned about the exploit over Twitter, advising that he had found an exploit in the wild actively targeting an unpatched vulnerability in Java 6, named CVE-2013-2463.

The exploit's proof-of-concept was made public last week, prior to in-the-wild attacks surfacing on Monday. Oracle is aware of the hole but, since Java 6 is no longer supported, the company will not patch the issue.

The vulnerability lies in Java Runtime Environment's 2D sub-component, which is used to make two-dimensional graphics. Because no patch is available, the exploits provides cybercriminals and other attackers an effective vehicle to launch attacks targeting users and organizations using Java 6.

The Neutrino crimeware kit was first spotted in March 2013, when it was identified as the source of a series of attacks that were exploiting Java vulnerabilities to install ransomware on victims' PCs, freezing them until users paid a fine that was supposedly being levied by the FBI and other law enforcement agencies.

The impact of this threat may be less for usual Internet users than for organizations/entities, who may not be quick to migrate to the latest software version due to business and/or operational continuity issues. 

Users should update their Java installations to the latest revision of version 7, which does not suffer from the issue. Users who don’t need Java in their everyday tasks should uninstall the software altogether.

Hacker reported vulnerability in Kaspersky website, Demonstrated malware spreading technique

The cyber Security Analyst  'Ebrahim Hegazy' (@Zigoo0) Consultant at Q-CERT has found an "Unvalidated Redirection Vulnerability" in the website of the giant security solutions vendor "Kaspersky".

Ebrahim, who found a SQL Injection in "Avira" website last month, this time he found a Unvalidated Redirection Vulnerability that could be exploited for various purposes such as:

• Cloned websites (Phishing pages)
• It could also be used by Black Hats for Malware spreading

In the specific case what is very striking is that the link usable for the attacks is originated by a security firm like Kaspersky with serious consequences.

Would you trust a link from your security vendor? Absolutely Yes! But imagine your security vendor is asking you to download a malware!

To explain how dangerous the situation is when your security vendor is vulnerable, Ebrahim Hegazy sent me a video explaining the malware spreading scenario to simulate a Black Hat's exploiting Unvalidated Redirection Vulnerability in Kaspersky website to serve a malware.

"Since I'm working on Cyber security analysis, I've seen many methods of black-hats to spread links, maybe this link is for Exploit kits, Java Applet, flash exploits, or maybe a direct link to their EXE file. Let's take an example on the Facebook spreading techniques of the attackers, you may notice that "Mediafire" website was used lately in wide Malware spreading attack on Facebook.com,Which caused a wide infection, as the infected user will start to send links from Mediafire.com to his friends and since "Mediafire" is a trusted website/source for users so they simply click it and download the file!

But what if the links are coming from a very well known Security solutions vendor such as Kaspersky? For sure people will trust the links. So, through "Unvalidated Redirection Vulnerability" in Kaspersky, attackers will be able to spread a link coming from Kaspersky.com but when the user clicks on that link, he will get redirected to the attacker's website which would download at Malware on their machines or even download a "Rogue Antivirus" to steal financial information such as credit card information!" explained Ebrahim Hegazy.

After the researcher reported the vulnerability to Kaspersky team, it took about 2 months to fix the vulnerability, it is really a long time considering that if a hacker had found this flaw before Hagazy he could spread links using Kaspersky.com.

The consequences of unfixing of such vulnerability are critical

• Wide infection - since the redirection is coming from a trusted source especially if the attacker registered a domain name similar to Kaspersky.com
• Very bad reputation for Kaspersky company.
• Your most trusted resource "Your Antivirus" will be your worst enemy! Would you trust anything else!