SECURITY CRACKING AND REQUIRED HACKING AGENCY: March 2015

Monday 23 March 2015

Chrome, Firefox, Safari and IE – All Browsers Hacked at Pwn2Own Competition

The annual Pwn2Own Hacking Competition 2015, held in Vancouver, is over, and participants from all over the world nabbed $557,500 in bug bounties for 21 critical bugs in the top four web browsers as well as Windows OS, Adobe Reader and Adobe Flash.

During the second and final day of this year's hacking contest, the latest versions of all four major browsers, Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari, were compromised by two security researchers.

Sponsored by HP's Zero Day Initiative program, the Pwn2Own Hacking Competition ran two days at a security conference in Vancouver, Canada. The final highlights for Pwn2Own 2015 are quite impressive:

5 bugs in the Windows operating system

4 bugs in Internet Explorer 11

3 bugs in Mozilla Firefox

3 bugs in Adobe Reader

3 bugs in Adobe Flash

2 bugs in Apple Safari

1 bug in Google Chrome

$557,500 USD bounty paid out to researchers

The star of the show was South Korean security researcher Jung Hoon Lee, nicknamed "lokihardt," who worked alone and nabbed the single highest payout in Pwn2Own history, an amazing bounty of $110,000 in just two minutes.

Lee was able to take down both stable and beta versions of Google Chrome browser by exploiting a buffer overflow race condition bug in the browser and nabbed $75,000 as bug bounty.

For this same bug, Lee also nabbed an extra $25,000 for gaining system access by targeting an information leak and a race condition in two Windows kernel drivers. For hacking the beta version of Chrome, Google's Project Zero rewarded Lee with an extra $10,000. So, he earned a grand total of $110,000.

"To put it another way, lokihardt earned roughly $916 a second for his two-minute demonstration," HP's security research team wrote in a blog post Thursday. "There are times when 'Wow' just isn't enough."

Earlier in the day, Lee also earned $65,000 for hacking the 64-bit Internet Explorer 11 with a time-of-check to time-of-use (TOCTOU) vulnerability that gained him read/write privileges on the browser. He used a sandbox escape via JavaScript injection to evade Windows defense mechanisms.

By using a use-after-free exploit and a separate sandbox escape, Lee also took down Apple's Safari browser. The hack earned him $50,000 and brought his total winnings to $225,000 from the contest.

                                -- Assembled by S.K

Hacking Facebook Account with 'Reconnect' Tool

"Signup or Login with Facebook"? You might think twice before doing that next time. A security researcher has discovered a critical flaw that allows hackers to take over Facebook accounts on websites that leverage the 'Login with Facebook' feature.

The vulnerability doesn't grant hackers access to your actual Facebook password, but it does allow them to access your accounts using Facebook applications developed by third-party websites such as Bit.ly, Mashable, Vimeo, About.me, Stumbleupon, Angel.co and possibly many more.

FLAW EXPLOITS THREE CSRF PROTECTION GAPS

Egor Homakov, a researcher with pentesting company Sakurity, made the social network giant aware of the bug a year ago, but the company refused to fix the vulnerability because doing so would have ruined compatibility of Facebook with a vast number of websites over the Internet.

The critical flaw abuses the lack of CSRF (Cross-Site Request Forgery) protection for three different processes:

Facebook log in

Facebook log out

Third-party account connection

The first two issues "can be fixed by Facebook," Homakov said, but that has not been done yet. However, the third one needs to be fixed by the website owners who have integrated the "Login with Facebook" feature into their websites.

TOOL TO HACK FACEBOOK ACCOUNTS

Therefore, blaming Facebook for dismal security in the 'Login with Facebook' feature, the researcher publicly released a tool, dubbed RECONNECT, that exploits the bug and lets hackers generate URLs that can be used to hijack accounts on third-party websites that use the 'Login with Facebook' button.

"Go blackhats, don’t be shy!" Homakov wrote on his Twitter, allegedly encouraging hackers and cyber criminals to take advantage of his ready-to-use tool.

Homakov also published a blog post which gives hackers a step-by-step process for setting up rogue Facebook accounts that victims are redirected to when they are tricked into clicking on malicious URLs provided by the attackers.

"Now our Facebook account is connected to the victim account on that website and we can log in that account directly to change email/password, cancel bookings, read private messages and so on," Homakov wrote in a blog post.

The RECONNECT Facebook hacking tool can generate malicious URLs to hijack Facebook accounts on third-party websites including Booking.com, Bit.ly, About.me, Stumbleupon, Angel.co, Mashable and Vimeo.
However, any website that supports 'Login with Facebook' can be hacked by manually inserting its link into the tool that generates Facebook login requests on behalf of its users.

HOW TO PROTECT YOURSELF?

One can grasp the dangerous consequences of the RECONNECT Facebook hacking tool by considering how many websites on the Internet use that blue ' f ' Facebook login button. And once a hacker finds a way into your account, they could access your private information and use it to hack into your other online accounts.

So, to protect your accounts from malicious hackers, do not click on any suspicious URLs sent to you via online messages, emails or social media accounts. And always be careful while surfing the Internet.

FACEBOOK RESPONDS TO THE ISSUE

Facebook says it has been aware of the issue for some time now and that third-party sites can protect their users by utilizing Facebook's best practices when using the Facebook sign-in feature.

A Facebook spokesperson released a statement saying, "This is a well-understood behaviour. Site developers using Login can prevent this issue by following our best practices and using the 'state' parameter we provide for OAuth Login."

The company added that it has also made various changes in order to help prevent login CSRF and is evaluating others while "aiming to preserve necessary functionality for a large number of sites that rely upon Facebook Login."
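
The 'state' check that Facebook's statement refers to, as an added sketch that is not from the article, from Homakov or from Facebook: the site mints a random value for each login attempt, binds it to the visitor's session, and refuses any callback that does not echo it back. The endpoint URL, app id, redirect URI and the dict standing in for a server-side session are all placeholders assumed for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders assumed for illustration; none of these come from the article.
AUTHORIZE_URL = "https://provider.example/dialog/oauth"
CLIENT_ID = "EXAMPLE_APP_ID"
REDIRECT_URI = "https://site.example/auth/callback"


def begin_login(session: dict) -> str:
    """Mint a fresh state, bind it to this visitor's session, build the login URL."""
    state = secrets.token_urlsafe(32)  # unguessable, one per login attempt
    session["oauth_state"] = state
    query = urlencode({
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "state": state,
    })
    return AUTHORIZE_URL + "?" + query


def handle_callback(session: dict, callback_url: str) -> str:
    """Return the authorization code only if the callback echoes this session's state."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # pop: each state is single-use
    received = params.get("state", [None])[0]
    if expected is None or received is None:
        raise PermissionError("no pending login for this session, or no state returned")
    if not hmac.compare_digest(expected.encode(), received.encode()):
        raise PermissionError("state mismatch: this session did not start that login")
    code = params.get("code", [None])[0]
    if code is None:
        raise ValueError("callback carries no authorization code")
    return code


def state_of(login_url: str) -> str:
    """Demo helper: read the state value back out of a login URL."""
    return parse_qs(urlparse(login_url).query)["state"][0]


if __name__ == "__main__":
    # Constructed scenario: a genuine round trip, then a callback the visitor never started.
    visitor = {}
    state = state_of(begin_login(visitor))
    genuine = REDIRECT_URI + "?" + urlencode({"code": "genuine-code", "state": state})
    print("genuine callback accepted:", handle_callback(visitor, genuine))

    begin_login(visitor)
    foreign = REDIRECT_URI + "?" + urlencode({"code": "other-account", "state": "guess"})
    try:
        handle_callback(visitor, foreign)
    except PermissionError as exc:
        print("foreign callback rejected:", exc)
```

The session must live server-side or in a signed cookie; a state value the browser can set freely gives no protection.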

                              -- Assembled by S.K

China Finally Admits It Has Army of Hackers

"It means that the Chinese have discarded their fig leaf of quasi-plausible deniability," McReynolds said. "As recently as 2013, official PLA [People's Liberation Army] publications have issued blanket denials such as, 'The Chinese military has never supported any hacker attack or hacking activities.' They can't make that claim anymore."

China finally admits it has special cyber warfare units — and a lot of them.

For years China has been suspected by the U.S. and many other countries of carrying out several high-profile cyber attacks, but every time the country strongly denied the claims. However, for the first time the country has admitted that it does have cyber warfare divisions – several of them, in fact.

In the latest updated edition of a PLA publication called The Science of Military Strategy, China finally broke its silence and openly talked about its digital spying and network attack capabilities and clearly stated that it has specialized units devoted to waging war on computer networks.

An expert on Chinese military strategy at the Center for Intelligence Research and Analysis, Joe McReynolds told TDB that this is the first time China has explicitly acknowledged that it has secretive cyber-warfare units, on both the military and the civilian-government sides.

CHINESE CYBER WARFARE UNITS

According to McReynolds, China has three types of operational military units:

Specialized military forces to fight the network -- The unit designed to carry out defensive and offensive network attacks.

Groups of experts from civil society organizations -- The unit has a number of specialists from civilian organizations – including the Ministry of State Security (it's like China’s CIA), and the Ministry of Public Security (it's like the FBI) – who are authorized to conduct military leadership network operations.

External entities -- The unit sounds a lot like hacking-for-hire mercenaries and contains non-government entities (state-sponsored hackers) that can be organized and mobilized for network warfare operations.

According to experts, all the above units are utilized in civil cyber operations, including industrial espionage against US private companies to steal their secrets.

CHINESE CYBER UNIT 61398

In 2013, American private security firm Mandiant published a 60-page report that detailed the notorious Chinese hacking group 'Unit 61398', suspected of waging cyber warfare against American companies, organizations and government agencies from or near a 12-story building on the outskirts of Shanghai.

Unit 61398 also targeted a number of government agencies and companies whose databases contain vast and detailed information about critical United States infrastructure, including pipelines, transmission lines and power generation facilities.

MOST WANTED CHINESE HACKERS

Last year, the United States filed criminal charges against five Chinese military officials, named Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui, for hacking and conducting cyber espionage against several American companies.

The alleged hackers were said to have worked with the PLA’s Unit 61398 in Shanghai. Besides spying on U.S. companies and stealing trade secrets, they were also accused of stealing information about a nuclear power plant design and a solar panel company’s cost and pricing data.

Hacking Facebook source code is surprisingly easy

A bunch of tech commentators on Hacker News are talking about how easy it is to read Facebook source code, which they say could pose a risk to the social media site.

Users can literally look inside snapshots of Facebook's digital world because its engineers dumped a load of information in Pastebin, which is a platform for storing and sharing text.

The discussion is a reaction to a recent post on the Sinthetic Labs blog. A guy called Nathan Malcolm explains how, in 2013, he was fixing "a few bugs" while using software development tools and "ended up finding out a lot more about Facebook's internals than I intended". Sinthetic Labs is a security research group.

Malcolm says all he did was Google an error message and ended up finding a specific link to a Pastebin post. As he investigated further, he stumbled across various pieces of data that paint a picture of what Facebook looks like behind the scenes -- in a digital sense, anyway.

He found what looked to be names, commands, and other "interesting information". As you'll see in an example below, the code probably won't mean much to most people, but letting it roam free on the internet "probably wasn't the smartest move," Malcolm says.

When discussing some of the files (not the image below), Malcolm explains:

"The person who, likely, posted this was "emir". This may be the person's first name, or it could be their first initial and then their surname (E. Mir). It's clear this output was intended to be seen by another engineer at Facebook, so posting it on Pastebin probably wasn't the smartest move. This person may have made other slip ups which could make them a target if an attacker sees an opportunity."

Malcolm concedes that his findings don't really pose a direct threat to Facebook, but suggests the resources could in extreme circumstances.

He even found Facebook's password for MySQL -- the open source database management system. Crucially, Malcolm says Facebook's servers are heavily firewalled, so the information is effectively useless unless "you manage to break into Facebook's servers," he notes.

Overall, lots of people appear simply amazed at how easy it is to see this stuff. One comment on Hacker News says that "while some leaks may not even be effective outside Facebook's internet network, having actual code that may be in production does pose a risk. The possibility to see where, for instance, data isn't fully sanitized, or where information being fetched might not require proper authentication is more worrying".

Another person mentions another source of files. They say: "I'm amazed at how many username or passwords are freely available via github search." The bottom line is, "If you do not want someone to find it - do not publish it online."
                                      -- Assembled by S.K

A hack that leaves no iPhone safe

The iPhone passcode is considered fairly secure, but apparently, its security can be tampered with using a cheap IP Box.

I've always thought of an iPhone passcode as being fairly secure - it's a 4-digit number, with a lockout that prevents just mashing buttons until you find the right answer. But apparently, there's a cheap box that can hack your security, no matter what.

According to MDSec, there's a $300 device called an IP Box that brute-forces iPhones over USB. Rather than trying each passcode physically on the screen, it uses USB to enter the passcode.

If the attempt is incorrect, the box cuts power to the phone, preventing it from recording the failed passcode attempt, and thereby granting the box unlimited guesses at your passcode.

Each PIN entry takes 40 seconds, which means that bypassing the passcode will take around 4-5 days. That might seem like a long time, but if it means that stolen iPhones can be sold as legitimate devices, it's probably worth the wait.

Just another reminder that the data on your phone is never really truly safe.

Infosys putting together crack team of coders.

Why does Infosys need crackers?

While Infosys' elite programmers will typically be deployed on challenging, futuristic projects and new areas of technology -- which also works as a retention strategy -- they can be called upon to solve complex problems arising at traditional outsourcing projects handled by normal programmers.

BENGALURU: A software glitch threatens to disrupt the launch of a cutting-edge product by a leading global mobile phone-maker with just hours to go. The company turns to its technology vendor's team of programmers, but for an immediate fix, the vendor decides to parachute in one from its elite team of ace coders.

In a few hours, the glitch is resolved and order is restored. The scenario isn't overstretched. It's just the kind of problem-solving ability Infosys is building, putting together a crack team of code writers to break tough programming and software challenges for its top clients.

The team will also focus on new technologies such as analytics and cloud computing and work in futuristic projects in areas such as artificial intelligence.

These ace programmers, with the ability to use complex software algorithms to crack business problems, will be given top billing and incentivised based on metrics specific to them, according to two people familiar with the developments, who requested anonymity.

The idea is to create a system akin to how "Navy Seals or Swat teams are deployed by the US government to help regular troops and quickly resolve tough battle or combat situations," one of the people mentioned above said. "These coders will be quintessential geeks who can solve problems on the fly and will obviously be different and more scholarly than your average programmer."

To be sure, the concept of having an elite programming team within an IT company is not new. Top companies such as Accenture have deployed ace coders to solve complex problems for quite some time now.

But this is the first known instance of such programmers being singled out for their talents and rewarded for their expert skills, at a time when outsourcing projects are getting increasingly commoditized and IT firms are anxiously looking to differentiate themselves from competition, amid slowing growth in software export revenues.

"Indian IT service providers are good at the services part but they need to provide solutions and products for specific industries," Roland Schuetz, Lufthansa's senior vice-president and chief information officer, said in a recent interview with ET.

"Any programmer who's really good and talented would probably end up joining these new-age ecommerce companies, like Flipkart or Snapdeal, unless these traditional IT firms can keep up in terms of the quality of work and assignments that they give to these programmers," said Viral B Shah, co-inventor of the Julia programming language. "Just money won't be enough to lure away these talented coders."

The initiative, called Infosys Expert Track, "is set up with the objective of encouraging technologists who are ace programmers. The intent is to create expert coders who will focus on current and future technologies. It is the path for those employees who want to focus exclusively on programming that can solve complex problems for Infosys' clients," an Infosys spokeswoman said in an email. "The track will have a flat structure with minimal people management responsibilities."

Dozen programmers identified
Infosys has identified around a dozen top programmers for the 'expert track'.

These coders have already undergone a rigorous test where each of them was given three problems to solve. For each of the problems, the coders had to develop a programming solution from the ground up within a few hours.

The process is still ongoing and within the next 2-3 months, shortlisted candidates will go through a final round of interviews before being selected into this firefighting team.

Infosys is not the only Indian IT company hunting for top talent in the world of coders. India's top software firm, Tata Consultancy Services, held a worldwide coding competition called CodeVita last month to handpick star programmers.

"What's happening is that the requirements of the clients of top IT firms are changing - they're coming back to Infosys/TCS, and saying, 'Hey, our engineering challenges are more diverse and bigger than what they were a decade ago, we need people who have broader skill sets and exposure to newer technologies,'" said Sachin Gupta, co-founder and CEO of Bangalore-based startup HackerEarth.

                                 -- Assembled by S.K
