Post has attachment
Learn How Mobile Application Hacking - Video Series (#Application, #Hack, #Mobile)
It’s Easier Than You Think!



Learn how mobile apps are getting attacked and what you can do about it. Jonathan Carter from Arxan shows real life examples of tools and approaches readily available in the market to hack into a mobile application.


These are 7 common techniques that hackers are using to exploit applications. Select from the playlist above to view short videos (1-2 minutes or less) that demonstrate how it’s done:

iTunes Code Encryption Bypass 

See how easy it is for hackers to bypass iOS encryption to progress a mobile app attack.


Android APK Reverse Engineering

Watch how hackers can easily reverse engineer binary code (the executable) back to source code — which is primed for code tampering


Algorithm Decompilation and Analysis 

See how “Hopper” is leveraged to initiate a static, springboard attack for counterfeiting and stealing information


Baksmali Code Modification

Learn how hackers can easily crack open and disassemble (Baksmali) mobile code.


Reverse Engineering String Analysis 

Watch how hackers use strings analysis as a core element for reverse engineering


Swizzle with Code Substitution 

Learn how hackers leverage infected code to attack critical class methods of an application to intercept API calls and execute unauthorized code, leaving no trace with the code reverting back to original form


Understanding application internal structures and methods via Class Dumps

Learn how hackers use this widely available tool to analyze the behavior of an app as a form of reverse engineering and as a springboard to method swizzling




Source


- Security Wize - Ahmad Alanazy - http://goo.gl/IbH2p0

Post has attachment

Post has attachment
Amazon AWS You Are Wide Open (#Amazon, #AWS) Amazon AWS servers reveal some sensitive customer documents and information, see the images below

 
I know I will regret this
everything here is searchable on google, god bless google

1 total views, 1 views today

- Security Wize - Ahmad Alanazy - http://goo.gl/nCjuUZ

Post has attachment
Yahoo Hacked And How To Protect Your Passwords (#Hack, #Yahoo) Yahoo announced that Yahoo mail has been the focus of a co-ordinated hack and that at this time it has confirmed a number of users e-mail accounts have been compromised – you may be one of them (and if you are see below for my top tips on how to secure your passwords going forward). It is not clear how many users have been compromised, or exactly how. Yahoo don’t have a history of providing much information but it would be prudent for any Yahoo mail users to take precautions (more on that below). Between the vague statements about malicious code and “a third party was probably to blame” Yahoo has been resetting the credentials of affected users via e-mail and SMS if your mobile is on file. Whilst details are scarce at this time this continues a trend of bad security and resilience news for Yahoo who experienced a multitude of issues in 2013. The company made clear in their announcement that a third party database with shared credentials was likely the source and that they had no evidence the usernames and passwords were taken directly form their systems. Whether the third party was one they provided data to, or whether it was a random third party with shared credentials is not particularly clear. There is insufficient detail to lay blame at this time, but certainly it would be prudent to take steps to secure yourself.


More broadly, the last couple of years have seen a significant spike in the theft of passwords (or their hashed or encrypted representations) from online services as cyber criminals moved beyond financial information as their sole form of profit. Whilst we all wait with bated breath for further details of the compromise now would be a very good time to upgrade your password. Many providers are very behind the time on password security, but at least you can take steps to minimise the risks. Here are a few tips on how to do it:

Avoid using the same password across multiple sites and services. That way, if Yahoo credentials are breached hackers won’t be able to jump across in to your Twitter, online banking, work accounts or alike. I know this presents a memory challenge for some users, but see the below tip on password managers.
Choose a password which is not easy to guess. Words with a dictionary root followed by numerals are very common choices and predictable patterns that cyber criminals can use to crack your password very fast. Passwords should be long, phrase based and involve a balance of different types of characters – numbers, letters, capitols and ideally a few symbols. See my fabulous example below.
Set up password change/reset mechanisms properly – not obviously. Password reset forms on many services ask questions like “Where did you go to school?” or “In which year were you born?”. These questions are easy to answer and can typically be mined from social media pages or the Internet — why would hackers guess your password if they can just tell a system where you went to school and how old you are (you did after all announce your birthday last year on Twitter and your age, didn’t you?). Instead I suggest lying on the Internet. Come up with a scheme of answers to these questions that you won’t forget (or store securely) or better still, if the service allows, specify your own difficult questions.
Bigger = better! When passwords are stolen from providers they are typically in a hashed or encrypted form, a bit like this ’5f4dcc3b5aa765d61d8327deb882cf99′. This is a hashed password representation and using clever techniques and computing power attackers can reverse the original password and log in to your account. When they steal these hashes it is only a matter of time and effort until they reveal the original. Short passwords might be guessed in second to minutes or hours (it depends on the implementation), where very long passwords could take years of work (and the cyber criminals are likely to go after someone else). Therefore making your password 60 characters makes life much harder for the cyber criminals if they do manage to break in to a service like Yahoo. This of course all assumes the provider isn’t just storing your password in clear text – in which case you will be very glad of tip number 1!
Use a password manager. Password managers generate strong unique passwords for each of your services and then store them in an encrypted database which you can unlock with one  good master password. It is a reasonable compromise for those that do not have an amazing memory but don’t want to fall in to the pitfall of repeating similar passwords across multiple sites.  See below for more information on how this works.
Register to a breach monitoring service. There are a variety of services on the Internet now which monitor for visible lists of stolen usernames/passwords. Of course, not all breaches are visible so it is far from a complete list. That said, if your username shows up it will e-mail you a notification and tell you it is time to change.

Despite numerous proposals of authentication mechanisms to replace the password it is still the cheapest, easiest to deploy ubiquitous form of authentication used. So we should all take some steps to make sure we are using them properly. A good password manager allows you to generate secure passwords for each of your sites and avoid duplication — luckily you don’t have to type these beastly long passwords out, the tools do that for you. Here is an example of a password recipe for a new password:

You can specify the length of the password (some providers don’t allow unlimited length but arbitrarily restrict you to say 16 characters e.g. Microsoft 365 exchange. Grumble grumble.) and the make up of symbols and numbers. You can even make it pronounceable for a situation where you might have to actually read the password out (though I don’t recommend this for obvious reasons). Each time you click the button you get a nice new secure password which the password manager automatically associates with the website in question so that you can auto log in each time remembering just one secure password you specify. Not all password managers are created equal so it is worth shopping around a little before you commit, but these tools can take the average users password security from poor to really rather good in an afternoon password changing party. Lastly, it is important you keep a back up of the password encrypted database (loosing all your passwords in one place would be painful) and you may want to think twice about putting the keys to your whole life in there – my banking details for example would not be in this application. So why not make something good from another password breach and share these tips with your friends, family and colleagues. I await with baited breath news from a reader that they’ve successfully made all their passwords over 128 characters.
Via Yahoo Hacked And How To Protect Your Passwords – Forbes.



1 total views, 1 views today

- Security Wize - Ahmad Alanazy - http://goo.gl/NmTILX

Post has attachment
FileZilla warns of large malware campaign (#Malware) Spoofed versions of the popular file transfer program FileZilla that steal data are circulating on third-party websites, the organization behind the software said Tuesday.
FileZilla is an open source application, and hackers have taken its source code and modified it in order to try to steal data for more than a decade. But this campaign, run on third-party websites, is one of the largest FileZilla has seen to date, it said.
“We do not condone these actions and are taking measures to get the known offenders removed,” FileZilla said.
The organization said it is difficult to prevent tainted versions of its software “since the FileZilla Project promotes beneficial redistribution and modifications of FileZilla in the spirit of free open source software and the GNU General Public License.”
The security vendor Avast found that the modified versions are nearly identical to the legitimate application. The icons, buttons and images are the same, and the malware version of the “.exe” file is just slightly smaller than the real one, Avast wrote on its blog.
Inside the tampered FileZilla versions, Avast found code that steals login credentials for servers users are accessing. The username, password, FTP server and port are encoded using a custom base64 algorithm and sent to the attacker’s server, according to Avast.
“The whole operation is very quick and quiet,” Avast wrote.
The stolen data goes to a server in Germany. The same IP address of that server hosts three other domains registered through Naunet.ru, which Avast wrote “is associated with malware and spam activities.”
FileZilla recommended its application be downloaded only from its website or SourceForge, one of its distribution partners. It also recommended to check the SHA-512 hashes of the unmodified version of FileZilla’s installer and executable, which it has published on its blog.
Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk
Via FileZilla warns of large malware campaign.

1 total views, 1 views today

- Security Wize - Ahmad Alanazy - http://goo.gl/1jee8Y

Post has attachment
A Java-Bot Cross-platform malware launching DDoS attacks from infected computers (#Bot, #DDoS, #Malware) These days botnets are all over the news. In simple terms, a botnet is a group of computers networked together, running a piece of malicious software that allows them to be controlled by a remote attacker.

A major target for most of the malware is still Windows, but the growing market of Mac OS X, Linux and Smartphones, is also giving a solid reason to cyber criminals to focus.

Recently, Kaspersky Lab has detected another cross-platform Java-Bot, capable of infecting computers running Windows, Mac OS X, and Linux that has Java Runtime Environment installed.

Last year, Zoltan Balazs – CTO at MRG Effitas submitted the samples of malicious Java application for analysis to Kaspersky Lab and they identified it as HEUR:Backdoor.Java.Agent.a.

According to researchers, to compromise computers, Java-Bot is exploiting a previously known critical Java vulnerability CVE-2013-2465 that was patched in last June. The vulnerability persists in Java 7 u21 and earlier versions.

CVE-2013-2465 description says:

An unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.

Once the bot has infected a computer, for automatic initialization the malware copies itself into the home directory, and registers itself with system startup programs. The Malware is designed to launch distributed denial-of-service (DDOS) attacks from infected computers.

It uses the following methods to start it based on the target operating system:

For Windows – HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
Mac OS – the standard Mac OS service launch is used
For Linux – /etc/init.d/



The malware authors used Zelix Klassmaster Obfuscator (encryption) to make the analysis more difficult.  It creates a separate key for the classes developed due to which analysis of all classes has to be done to get the decryption keys.

The botnet executable contains an encrypted configuration file for the Mac OS ‘launchd service‘. It also encrypts internal working methodology of malware.

The malware uses PricBot an open framework for implementing communication via IRC. Zombie computers, then report to an Internet relay chat (IRC) channel that acts as a Command-and-control server.

The Botnet supports HTTP, UDP protocols for flooding (DDoS attack) a target whose details i.e. Address, port number, attack duration, number of threads to be used are received from the IRC channel.
Users should update their Java software to the latest release of Java 7 update 51 of 14 January 2014, can be found on Oracle’s Java website. The next scheduled security update for Java is on 14 April 2014.

Via Java-Bot, a Cross-platform malware launching DDoS attacks from infected computers



1 total views, 1 views today

- Security Wize - Ahmad Alanazy - http://goo.gl/hzPXP6

Post has attachment
Edward Snowden nominated for Nobel Peace Prize 2014 (#Edward_Snowden, #Nobel_Peace_Prize) Now there is really great news for all the supporters of Former National Security Agency (NSA) contractor Edward Snowden, as he is nominated for the 2014 Nobel Peace Prize by two Norwegian lawmakers.

Snorre Valen and Baard Vegar Solhjell, parliamentarians from Norway’s Socialist Left Party said, “He has contributed to revealing the extreme level of surveillance by nations against other nations and of citizens,”

Edward Snowden revealed various widely extended NSA spying projects and responsible for handing over the material from one of the world’s most secretive organizations the NSA. He faces charges of theft and espionage and is in Russia on temporary asylum.

“Snowden contributed to people knowing about what has happened and spurring public debate” on trust in government, which he said was “a fundamental requirement for peace”.

He’s a high school dropout who worked his way into the most secretive computers in U.S. Intelligence as a defense contractor and identifies himself as the source of leaks about US surveillance programs like PRISM, DROPOUTJEEP, DISHFIRE, XKeyscore, MUSCULAR and many more.

Snorre Valen also added that, “There’s no doubt that the actions of Edward Snowden may have damaged the security interests of several nations in the short term”.

According to the Guardian, The five-member panel will not confirm who has been nominated, but those who submit nominations sometimes make them public.

The Nobel Committee accepts nominations from members of national assemblies, governments, international courts, professors and previous laureates. It received a record 259 nominations for last year’s prize.

Snowden is the one who created awareness among all of us when it comes to ‘PRIVACY’. Nominated for the 2014 Nobel Peace Prize is definitely being an honor for the 30 years old young man. Now let’s see if he will fetch the Prize or not.
Via Edward Snowden nominated for Nobel Peace Prize 2014.

2 total views, 2 views today

- Security Wize - Ahmad Alanazy - http://goo.gl/tEpVNa

Post has attachment
Silent Circle & Geeksphone Join Forces To Build Blackphone: A Pro-Privacy Android-Based Smartphone (#Blackphone, #Communications, #Encryption, #Privacy) As the reality of the extent and invasiveness of the security services’ dragnet surveillance programs hits home, the pro-privacy movement has been cranking up its own ideas to counter spy-tech with pro-privacy tech. The Lavabit founder’s recent Kickstarter for a secure end-to-end open source encrypted email project called Dark Mail is one example.
Today, here’s another: meet Blackphone, a smartphone that’s been designed to enable secure, encrypted communications, private browsing and secure file-sharing.


#gallery-4
margin: auto;

#gallery-4 .gallery-item
float: left;
margin-top: 10px;
text-align: center;
width: 25%;
#gallery-4 img
border: 2px solid #cfcfcf;

#gallery-4 .gallery-caption
margin-left: 0;



















The project is a joint venture between Silent Circle — which shuttered its own encrypted email service last summer in order to preemptively avoid having to comply with government requests to provide data — and Spanish smartphone startup Geeksphone, which has previously made more standard Android handsets, and more recently has been building phone hardware for Mozilla’s open web standards HTML5-based Firefox OS.
The pair said today they have established a new Switzerland-based joint venture to collaborate on technology projects, with Blackphone set to be the inaugural product. They describe the phone as “the world’s first smartphone placing privacy and control directly in the hands of its users”.
Despite that grand claim, Blackphone is by no means the first encrypted smartphone. For example, back in September TC’s John Biggs and I paid a visit to a German based secure phone maker, GSMK Cryptophone, which has been in the encrypted telephony business for 10 years.
Another recent project to build a phone designed with security, encryption and identity protection in mind is the Quasar IV, which is using a hybrid Android/Linux and Quatrix mobile OS called QuaOS as the foundation for secure telephony.
But while Blackphone is not the only secure phone game in town, there’s no doubt that last year’s revelations about security agencies’ consumer electronics and services powered data-harvesting habits — revealed by NSA whistleblower Edward Snowden — have accelerated interest in security and privacy. The fallout from Snowden’s big reveal is clearly attracting new players to what could potentially become a much more mainstream space.
Hence, presumably, the Blackphone makers’ reasoning about now being the right time to build a pro-privacy phone that doesn’t carry the stench of security geek. The tone and nomenclature of their announcement very much feels targeted at a mainstream smartphone user, not a security specialist.
Their press release includes a statement from Phil Zimmermann, the creator of PGP, who is also involved in the project, which sets this tone.
“I have spent my whole career working towards the launch of secure telephony products,” he says.  “Blackphone provides users with everything they need to ensure privacy and control of their communications, along with all the other high-end smartphone features they have come to expect.”
Blackphone’s website is also light on deep-dive security terminology which could alienate an average phone buyer. Instead there’s a slick marketing video and explainer text that takes a broad-brushstrokes approach to fleshing out the device.
Using the Blackphone is described as “the trustworthy precaution any connected worker should take, whether you’re talking to your family or exchanging notes on your latest merger & acquisition”.
The site goes on to add:
Blackphone is unlocked and works with any GSM carrier. Performance benchmarks put it among the top performers from any manufacturer.
It has the features necessary to do all the things you need, as well as all the things you want, while maintaining your privacy and security and giving you the freedom to choose your carrier, your apps, and your location.
The tools installed on Blackphone give you everything you need to take ownership of your mobile presence and digital footprints, and ensure nobody else can watch you without your knowledge.
You can make and receive secure phone calls; exchange secure texts; exchange and store secure files; have secure video chat; browse privately; and anonymize your activity through a VPN.
Details of Blackphone’s pro-privacy feature-set are relatively scant at this point, perhaps because they want to avoid it feeling too complex, but they do say it is being built atop a “security-oriented” Android build called PrivatOS.
Blackphone is due to be previewed at the Mobile World Congress tradeshow in Barcelona next month where the JV will also be taking pre-orders. There’s no word on exactly when the phone will ship to buyers, as yet.
It’s worth noting that making an encrypted phone call — or sending an encrypted email — requires the use of two encrypted devices/clients: both your own phone/email client and the phone/email client of the person you’re talking to. So the Blackphone’s security credentials will inevitably depend on how you use the device — who you place calls to and which device they use; who you email and which email client they use; and so on.
However, as with the Dark Mail initiative, the more encrypted products that are out in the market, the greater the number of secure channels that can be used for communications.
So the more mainstream security technology can become, and the more average Joes who can be encouraged to use locked-down products, the greater the chance for everyone’s privacy to survive the onslaught from overreaching governments.
Via Silent Circle & Geeksphone Join Forces To Build Blackphone: A Pro-Privacy Android-Based Smartphone | TechCrunch.

8 total views, 8 views today

- Security Wize - Ahmad Alanazy - http://goo.gl/H86tkT

Post has attachment

Post has attachment
Wait while more posts are being loaded