Latest Hacking News

Hacking with new Ideas provide Latest Hacking News.

Android Hacking tricks

Installing in your mobile tutorial and much more.

Black Hat Asia 2014 News

Watch and read the latest News detials.

Latest news and Tutorials

Latest hacking and tech news with tricks.

Secure yourself by hidden Attack

We will provide you best deals with news and tutorials.

10 Dec 2014

Microsoft Releases Security Updates - Known Vulnerabilities patched

Last week Microsoft discharged its Advance Notification for the month of Dec 2014 Patch weekday Updates, and at last nowadays discharged a complete of seven security bulletins, which is able to address many vulnerabilities in its product, out of that 3 ar marked \'critical\' and rest ar \'important\' in severity.

Last month once a giant pile of security patches, the corporate discharged associate associate uncommon emergency patch to repair a vital vulnerability in Microsoft Windows Kerberos KBC, authentication system utilized by default within the package, that cybercriminals exploited to compromise whole networks of computers.
Microsoft_secutiry_vulnerability_patch

The 3 vital bulletins have an effect on net person, workplace and Windows. All the versions of Microsoft net person (IE) ar affected except Server Core, that doesn\'t embrace i.e.. The vital zero-day i.e. vulnerability (CVE-2014-8967) was discovered by security investigator Arthur Gerkis of Zero Day Initiative (ZDI) in Gregorian calendar month this year.

By exploiting the vulnerability, a far off aggressor might execute discretional code on vulnerable installations of Microsoft net person so as to compromise a vulnerable system. However, to use this flaw, user interaction is required and to try and do that the target user should visit a malicious page or open a malicious file.

"The vulnerability relates to however net person uses reference tally to manage the lifetimes of the in-memory objects representing hypertext mark-up language components,\" reads the ZDI post. \"By applying a CSS kind of display:run-in to a page and acting explicit manipulations, associate aggressor will cause associate object\'s reference count to fall to zero untimely, inflicting the item to be freed. net person can then continue mistreatment this object once it\'s been freed. associate aggressor will leverage this vulnerability to execute code underneath the context of the present method."
ZDI warned Microsoft many days agone concerning the unfinished public revelation of the flaw once it completed one hundred eighty days as on Gregorian calendar month 2014. All the versions of i.e. ar rated vital on Windows desktop systems and moderate on Windows servers. Windows RT versions are affected and also the vulnerability is rated vital on that.
A second vital patch update affects solely Windows visual percept, Windows 7, Windows Server 2003 and Windows Server 2008, that is rated vital for the desktop versions and moderate for the servers. Another vital remote code execution update is anticipated in Microsoft workplace, beginning with Microsoft Word 2007 SP three, likewise as Microsoft workplace a pair of010 SP 2, Word a pair of010 SP 2, Word 2013 and Word 2013 RT.

Moreover, 2 additional security bulletins patch remote code execution vulnerabilities in Microsoft workplace net apps 2010 and 2013, however those vulnerabilities ar rated vital, which implies that there\'s some mitigating factors for attackers to use the flaw.
An elevation of privilege bug in Microsoft Exchange is listed among different security bulletins and is rated vital. The code affected ar Microsoft Exchange 2007, 2010 and 2013. the ultimate security update fixes associate data revelation vulnerability all told versions of Windows, together with Server Core.
If you have got Automatic Updates enabled on your machine, these fixes can all be created offered via Windows Update and can be applied mechanically for many users. however just in case users haven\'t enabled it, Microsoft is encouraging them to use the updates promptly. Some patches applied might need restarting the servers likewise.

2 Oct 2014

Microsoft Lunched New OS : Windows 10


Brad Chacos has already outlined the steps for downloading and installing the Windows 10 Technical Preview on a virtual machine or hard drive partition. I went the simpler route: I took an older machine (a Surface 2 Pro), wiped it clean, then reinstalled and updated Windows 8 to the present.
t’s a humbling and amazing thing to work on Windows, which is used by over 1.5 billion people in every country of the world. From kids playing with computers for the first time, to writers and journalists, to engineers, to gamers, to CEOs, at some point Windows has empowered all of us. In the Windows team, we’re proud of this – but we also know that the world today is very different from the one in which Windows grew up. 

Today, devices outnumber people. Connectivity is like oxygen. The tension between the desire for agility versus stability poses a huge challenge for IT Pros. Experiences – no matter what device you’re on – just need to work. The only thing that hasn’t really changed is the situation for developers – still too much to do, and not enough time. One way to look at it is that Windows is at a threshold  :-). It’s time for a new Windows. 

This new Windows must be built from the ground-up for a mobile-first, cloud-first world. This new Windows must help our customers be productive in both their digital work and their digital life. This new Windows must empower people and organizations to do great things.
That new Windows is Windows 10. Windows 10 represents the first step of a whole new generation of Windows. 

Windows 10 unlocks new experiences for customers to work, play and connect. Windows 10 embodies what our customers (both consumers and enterprises) demand and what we will deliver.

7 Aug 2014

FLICKR CROSS-SITE REQUEST FORGERY VULNERABILITY PATCHED

Yahoo-owned flickr


Yahoo-owned Flickr, one of the biggest online photo management and sharing website in the world was recently impacted by a web application vulnerability, which could allow an attacker to modify users’ profile image.
Flickr is one of the most popular photo sharing website with more than 87 billion users, therefore some top major target for cybercriminals. The site was vulnerable to the most common vulnerability known as Cross-Site Request Forgery (XSRF or CSRF), which is very easy to exploit by attackers.
Cross-Site Request Forgery is a method of attacking a Web site in which an intruder masquerades as a legitimate and trusted user. All the attacker need to do is get the target browser to make a request to your website on their behalf. If they can either:


  • Convince your users to click on a HTML page they’ve constructed
  • Insert arbitrary HTML in a target website that your users visit


Not too difficult, is it?
Abdullah Hussam, a 17 years old programmer from Iraq found that just by modifying parameters value of a Flickr HTTP request, one can trick the web service to modify users’ profiles.
When a user uploads a photo on Flickr, it will redirect the user to the page where they can add info on the photo like tags, description, and title. The request it make is as shown below:

edit_done=1&upload_ids=14401638983&just_photo_ids=&set_id=&magic_cookie=32e285e98bbef3aa6afd8c879891c01b&title_14401638983=XSRF+bug+POC1&description_14401638983=XSRF+bug+POC1&tags_14401638983=XSRF+POC1&tags_14401638983=XSRF+POC2&Submit=SAVE
According to Abdullah, the flaw resides in the “magic_cookie” parameter, which Flickr used to protect its website users from XSRF vulnerability.
In order to exploit Flickr XSRF vulnerability, an attacker can simply setup a webpage on his server with custom HTML form and custom parameter values, as shown. By keeping “magic_cookie” parameter value empty and changing Photo ID to the new image ID, the exploit will be able to bypass protection mechanism.
When the victim clicks a button on the web page, it generates a manipulated HTTP request to the server, which force the Flickr to replace victim’s profile image with new image.
The last thing I did it was delete the value of magic cookie, in the first try it failed but in the second it works!,” Abdullah told The Hacker News. “The all value (title, description, tags) got change and I got redirected to my photos.
He has also provided a video demonstration as a Proof of Concept:


The teen reported the vulnerability to Yahoo! and it was fixed in less than 12 hours by the Yahoo! security team. He got the reply from Yahoo! after more than a month and is still waiting for his bounty.Source : The Hacker News

12 Jun 2014

Top Five Artificial Intelligence Magic

As from Wikipedia  Artificial intelligence  (AI) is the intelligence exhibited by machines or software. It is also an academic field of study.

In 1950, Alan Turing invented a test for determining a machine's ability to exhibit intelligent behavior. At the time, some predicted that so-called "Strong A.I.," that is, artificial intelligence that matches or exceeds human intelligence, could be achieved in a few decades. Over sixty years later, every machine that has been tasked with simulating human intelligence has failed the so-called Turing Test.
And yet, scientists have become both impressed and alarmed by the tremendous leaps forward in A.I. capabilities in recent years. A.I. has been put into common use by financial institutions, and found promising applications in medical equipment, search technology, games and transportation systems. On the other hand, equal advances have been made in seemingly Frankensteinian creations such as computer viruses and predatory drones, which could prove  dangerous if they have achieved what The New York Times called the “cockroach stage of machine intelligence."
Artificial Intelligence
Artificial Intelligence
1. Autonomous Vehicles
Don't try this at home (you can only do it in Nevada): Take a ride in Google's Robocar, which is operated by a machine, not a human. A law passed in June, 2001 made Nevada the first jurisdiction in the world where autonomous vehicles can be legally operated on public roads.

 2. "Brute Force Computation"
AI programs are able to examine large numbers of possibilities, such as a move in a chess game or inferences by a theorem-proving program. Discoveries are continually made about how to do this more efficiently in various domains. Right now you can buy a machine to play "master level chess." A $200 purchase gets you 200 million positions analyzed per second.
The short documentary below is about computer chess history that focuses in particular on the 1997 chess match between Garry Kasparov and IBM's Deep Blue computer.


2 Jan 2014

How to Upload Shell in Wordpress Sites

Hello Friends ,Today i'm gonna show you how to upload shell in WordPress Sites... :D

Many of you know how to upload shell in WordPress,
But still Few are their who don't know. Lets Started.......
 In This Post I will Tell You the Two Successfully ways For Uploading Shell On WordPress.
1) By Editing The WordPress Theme.
2) By Uploading New Theme.
Most Of The Times  , For Security Reasons The Website admin Changes  the Permissions Of Theme Editing Option , So That IT cant Be edited Or Changed .
In That Case We will use The Next Option That is Theme Uploading.
So Lets Start ....
1) Upload  Shell By Editing The existing  WordPress Theme :-
>  After you login in to word press site as admin you see Dashboard ,something like this.
Uploading Shell

> In The Left Hand Site Take Your Mouse Pointer At Appearance , In That Click On Editor.

WP SHell

> When you will click on Editor you will some like this ,
WP shell


> On y0ur Right Side..Select The Theme .
( Note:- There are More Other Themes Activated By Admin , But It Will be Better That You don't Upload Your Shell On Activated Theme ,Always Upload Shell On Unactivated Theme .)
> Now Select 404.php ,
Remove all the Source code There And Paste Y0ur Shell Code in 404.php and Update It .
> Now Its Shell Execution Time , To Execute The Shell ,
URL will be :-
http://www.site.com/wp-content/themes/themename/404.php
So I will Execute Shell by

http://www.site.com/wp-content/themes/twentyten/404.php
yehh..!! , We Got The Shell.....
 2) Upload Shell By Uploading New Theme .
As I Already Tell You Above , Most Of the Time Website Security Is High , Admin Change The CHMOD Permissions Of the Theme or Any Other Settings , Like Plugins Editing All That Shit .
So You Cant Edit Anything On Site.
So Here Comes The Second way Is Uploading.
Here We will Upload the WordPress Theme , Hiding Our Sh3ll In It .
Steps :-
Now choose new theme and download it as .ZIP file...Now Add your Shell in it by dragging a shell into .ZIP file .  > Now This Time Go To Themes

> Then Click On Install Themes as shown above in image.
>Now you can see Upload option.Click on that .

> Now Browse The  Theme in Which You added your Shell , and Click On Install Now.After Successfully
Install You Will Get This Screen Below .

wordpress5

> Great , Our Shell uploaded Successfully .Now Its Execution Time ..
URL For Execution :-
www.site.com/wp-content/themes/news/shell_name.php
yeehh...We Got The Shell....(y)