Latest Hacking News

22 Jan 2016

Samsung Get Sued for Failing to Update its Smartphones


One of the world's largest smartphone makers is being sued by the Dutch Consumers' Association (DCA) for its lack in providing timely software updates to its Android smartphones.

This doesn't surprise me, though.

The majority of manufacturers fail to deliver software updates for old devices for years.
However, the consumer protection watchdog in the Netherlands, the Consumentenbond (the DCA), filed a lawsuit against Samsung because of the manufacturer's grip on the local market compared with other manufacturers.
Last year, the discovery of the scary Stagefright security bug, which affected over 1 billion Android devices worldwide, forced Samsung to implement a security update process that "fast tracks the security patches over the air when security vulnerabilities are uncovered," with security updates occurring once per month.
However, the watchdog also blames Korean OEM Samsung for not being transparent regarding the critical security updates, like the update to fix Stagefright exploits, that are necessary to "protect [its] consumers from cyber criminals and the loss of their personal data."

Majority of Samsung Handsets Vulnerable to Issues

According to DCA's own research, at least 82 percent of Samsung smartphones available in the Dutch market examined had not received any software updates on the latest Android version in two years.
This failure to provide software updates left the majority of those Android devices exposed to security and other issues.

The DCA says that the agency has previously contacted Samsung many times and discussed the matter privately with the manufacturer giant to resolve the situation, but it failed to reach an agreement with the company, and so it decided to go to court.

At this point, I should mention that these are entirely valid claims.

Like most other manufacturers, Samsung doesn't provide timely software updates to its devices.
No doubt, the Samsung Galaxy S6 series received Stagefright patches on time, but the manufacturer failed to provide Stagefright fixes for the majority of its midrange and entry-level Android devices.

Furthermore, none of Samsung's devices currently runs the latest Android 6.0 Marshmallow, three months after it officially launched.

DCA's Demands from Samsung

The agency has requested that the manufacturer update all of its smartphones to the latest version of the Android operating system for two years from the date the handset is purchased (not launched).
In some ways, the agency wants Samsung to treat software updates as part of the warranty, whose length is mandated at two years in the European Union.
"[We are] demanding that Samsung provides its customers with clear and unambiguous information about this," The DCA writes. "Also, [we are] demanding that Samsung actually provides its smartphones with updates."

Response by Samsung

In response to the lawsuit, Samsung released an official statement saying the company was working on improving its updates on software and security.
"We have made a number of commitments in recent months to better inform consumers about the status of security issues, and the measures we are taking to address those issues," reads the statement.
"Data security is a top priority and we work hard every day to ensure that the devices we sell and the information contained on those devices is safeguarded."
-Source : TheHackerNews.com

10 Dec 2014

Microsoft Releases Security Updates - Known Vulnerabilities patched

Last week Microsoft released its Advance Notification for the December 2014 Patch Tuesday updates, and today it finally released a total of seven security bulletins, which address several vulnerabilities in its products; three of them are marked 'critical' and the rest 'important' in severity.

Last month, after a big pile of security patches, the company released an unusual emergency patch to fix a critical vulnerability in the Microsoft Windows Kerberos KDC, the authentication system used by default in the operating system, which cybercriminals exploited to compromise whole networks of computers.

The three critical bulletins affect Internet Explorer, Office and Windows. All versions of Microsoft Internet Explorer (IE) are affected except Server Core, which doesn't include IE. The critical zero-day IE vulnerability (CVE-2014-8967) was discovered by security researcher Arthur Gerkis of the Zero Day Initiative (ZDI) earlier this year.

By exploiting the vulnerability, a remote attacker could execute arbitrary code on vulnerable installations of Microsoft Internet Explorer and so compromise the system. However, exploiting this flaw requires user interaction: the target user must visit a malicious page or open a malicious file.

"The vulnerability relates to how Internet Explorer uses reference counting to manage the lifetimes of the in-memory objects representing HTML elements," reads the ZDI post. "By applying a CSS style of display:run-in to a page and performing particular manipulations, an attacker can cause an object's reference count to fall to zero prematurely, causing the object to be freed. Internet Explorer will then continue using this object after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process."
ZDI warned Microsoft several days ago about the pending public disclosure of the flaw, its 180-day disclosure deadline having expired in 2014. All versions of IE are rated critical on Windows desktop systems and moderate on Windows servers. Windows RT versions are also affected, and the vulnerability is rated critical there.
A second critical patch affects only Windows Vista, Windows 7, Windows Server 2003 and Windows Server 2008; it is rated critical for the desktop versions and moderate for the servers. Another critical remote code execution update is expected in Microsoft Office, beginning with Microsoft Word 2007 SP3, as well as Microsoft Office 2010 SP2, Word 2010 SP2, Word 2013 and Word 2013 RT.

Moreover, two additional security bulletins patch remote code execution vulnerabilities in Microsoft Office Web Apps 2010 and 2013, but those vulnerabilities are rated important, which implies that there are some mitigating factors that make the flaw harder to exploit.
An elevation of privilege bug in Microsoft Exchange is listed among the other security bulletins and is rated important. The affected software is Microsoft Exchange 2007, 2010 and 2013. The final security update fixes an information disclosure vulnerability in all versions of Windows, including Server Core.
If you have Automatic Updates enabled on your machine, these fixes will all be made available via Windows Update and will be applied automatically for most users. For users who haven't enabled it, Microsoft is encouraging them to apply the updates promptly. Some of the patches may require restarting servers as well.

2 Oct 2014

Microsoft Launched New OS : Windows 10


Brad Chacos has already outlined the steps for downloading and installing the Windows 10 Technical Preview on a virtual machine or hard drive partition. I went the simpler route: I took an older machine (a Surface 2 Pro), wiped it clean, then reinstalled and updated Windows 8 to the present.
It’s a humbling and amazing thing to work on Windows, which is used by over 1.5 billion people in every country of the world. From kids playing with computers for the first time, to writers and journalists, to engineers, to gamers, to CEOs, at some point Windows has empowered all of us. In the Windows team, we’re proud of this – but we also know that the world today is very different from the one in which Windows grew up.

Today, devices outnumber people. Connectivity is like oxygen. The tension between the desire for agility versus stability poses a huge challenge for IT Pros. Experiences – no matter what device you’re on – just need to work. The only thing that hasn’t really changed is the situation for developers – still too much to do, and not enough time. One way to look at it is that Windows is at a threshold  :-). It’s time for a new Windows. 

This new Windows must be built from the ground-up for a mobile-first, cloud-first world. This new Windows must help our customers be productive in both their digital work and their digital life. This new Windows must empower people and organizations to do great things.
That new Windows is Windows 10. Windows 10 represents the first step of a whole new generation of Windows. 

Windows 10 unlocks new experiences for customers to work, play and connect. Windows 10 embodies what our customers (both consumers and enterprises) demand and what we will deliver.

7 Aug 2014

FLICKR CROSS-SITE REQUEST FORGERY VULNERABILITY PATCHED



Yahoo-owned Flickr, one of the biggest online photo management and sharing websites in the world, was recently affected by a web application vulnerability which could allow an attacker to modify users’ profile images.
Flickr is one of the most popular photo sharing websites, with more than 87 billion users, and is therefore a top target for cybercriminals. The site was vulnerable to one of the most common web vulnerabilities, Cross-Site Request Forgery (XSRF or CSRF), which is very easy for attackers to exploit.
Cross-Site Request Forgery is a method of attacking a website in which an intruder masquerades as a legitimate and trusted user. All the attacker needs to do is get the target's browser to make a request to your website on their behalf. They can do that if they can either:


  • Convince your users to click on an HTML page they’ve constructed
  • Insert arbitrary HTML in a target website that your users visit


Not too difficult, is it?
Abdullah Hussam, a 17-year-old programmer from Iraq, found that just by modifying parameter values in a Flickr HTTP request, one can trick the web service into modifying users’ profiles.
When a user uploads a photo on Flickr, it redirects the user to a page where they can add information about the photo such as tags, description and title. The request it makes is shown below:

edit_done=1&upload_ids=14401638983&just_photo_ids=&set_id=&magic_cookie=32e285e98bbef3aa6afd8c879891c01b&title_14401638983=XSRF+bug+POC1&description_14401638983=XSRF+bug+POC1&tags_14401638983=XSRF+POC1&tags_14401638983=XSRF+POC2&Submit=SAVE
According to Abdullah, the flaw resides in the “magic_cookie” parameter, which Flickr used to protect its website users from XSRF vulnerability.
In order to exploit the Flickr XSRF vulnerability, an attacker can simply set up a web page on his server with a custom HTML form and custom parameter values, as shown. By leaving the “magic_cookie” parameter value empty and changing the photo ID to the new image ID, the exploit is able to bypass the protection mechanism.
When the victim clicks a button on the web page, it generates a manipulated HTTP request to the server, which forces Flickr to replace the victim’s profile image with the new image.
“The last thing I did was delete the value of magic cookie; in the first try it failed but in the second it works!,” Abdullah told The Hacker News. “All the values (title, description, tags) got changed and I got redirected to my photos.”
He has also provided a video demonstration as a Proof of Concept:


The teen reported the vulnerability to Yahoo! and it was fixed in less than 12 hours by the Yahoo! security team. He got the reply from Yahoo! after more than a month and is still waiting for his bounty.
Source : The Hacker News
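The bug described above is a token check that only fails closed when a token is actually present. The following is an added example, not Flickr's code and not Abdullah's proof of concept: it parses a form body like the one quoted above, shows a hypothetical check that reproduces the symptom (an empty “magic_cookie” is accepted), and beside it the hardened check a defender would want, which requires exactly one non-empty token and compares it in constant time against the session-bound value. The sample request body and the expected token are constructed for the example; the parameter name “magic_cookie” is the one from the article.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed sample: the token the server bound to this user's session when
# the edit page was rendered. A real server stores it server-side per session.
SESSION_TOKEN = "f3a1c9d2e8b74056a1b2c3d4e5f60718"

# Constructed sample request body, shaped like the Flickr edit request quoted
# in the article but with the token left empty, as in the reported bypass.
EMPTY_TOKEN_BODY = (
    "edit_done=1&upload_ids=14401638983&magic_cookie="
    "&title_14401638983=XSRF+bug+POC1&Submit=SAVE"
)


def weak_check(body: str, expected: str) -> bool:
    """Hypothetical flawed pattern: validate the token only when one was sent.

    An absent or empty magic_cookie skips the comparison entirely, which is
    exactly the symptom the article describes (clearing the value bypasses
    the protection).
    """
    params = parse_qs(body, keep_blank_values=True)
    token = params.get("magic_cookie", [""])[0]
    if token:
        return token == expected
    return True  # BUG: missing/empty token is treated as valid


def strict_check(body: str, expected: str) -> bool:
    """Hardened check: the token is mandatory and compared in constant time.

    - keep_blank_values=True so an empty value is seen rather than dropped
    - exactly one magic_cookie value; duplicates are rejected rather than
      letting the parser pick one for us
    - empty string is rejected before any comparison
    - hmac.compare_digest avoids leaking the token through timing
    """
    params = parse_qs(body, keep_blank_values=True)
    values = params.get("magic_cookie", [])
    if len(values) != 1 or not values[0]:
        return False
    return hmac.compare_digest(values[0], expected)


def new_session_token() -> str:
    """Issue a fresh, unguessable per-session CSRF token (128 bits, hex)."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    print("weak_check accepts empty token:", weak_check(EMPTY_TOKEN_BODY, SESSION_TOKEN))
    print("strict_check accepts empty token:", strict_check(EMPTY_TOKEN_BODY, SESSION_TOKEN))
```

The token check is only one layer: on a modern stack the same form would also be protected by a SameSite cookie attribute and an Origin/Referer check on state-changing requests, so that a forged cross-site POST fails even if a token handling bug like this one slips through.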

12 Jun 2014

Top Five Artificial Intelligence Magic

As Wikipedia puts it, Artificial intelligence (AI) is the intelligence exhibited by machines or software. It is also an academic field of study.

In 1950, Alan Turing invented a test for determining a machine's ability to exhibit intelligent behavior. At the time, some predicted that so-called "Strong A.I.," that is, artificial intelligence that matches or exceeds human intelligence, could be achieved in a few decades. Over sixty years later, every machine that has been tasked with simulating human intelligence has failed the so-called Turing Test.
And yet, scientists have become both impressed and alarmed by the tremendous leaps forward in A.I. capabilities in recent years. A.I. has been put into common use by financial institutions, and found promising applications in medical equipment, search technology, games and transportation systems. On the other hand, equal advances have been made in seemingly Frankensteinian creations such as computer viruses and predatory drones, which could prove  dangerous if they have achieved what The New York Times called the “cockroach stage of machine intelligence."
1. Autonomous Vehicles
Don't try this at home (you can only do it in Nevada): Take a ride in Google's Robocar, which is operated by a machine, not a human. A law passed in June, 2001 made Nevada the first jurisdiction in the world where autonomous vehicles can be legally operated on public roads.

2. "Brute Force Computation"
AI programs are able to examine large numbers of possibilities, such as a move in a chess game or inferences by a theorem-proving program. Discoveries are continually made about how to do this more efficiently in various domains. Right now you can buy a machine to play "master level chess." A $200 purchase gets you 200 million positions analyzed per second.
The short documentary below is about computer chess history that focuses in particular on the 1997 chess match between Garry Kasparov and IBM's Deep Blue computer.