Wednesday, 16 March 2016

SubGraph OS - Secure Linux OS For Normal Users


Information security and privacy have been consistently hot topics since Edward Snowden's revelations of the NSA's global surveillance, which brought the world's attention to data protection and encryption as never before.

Moreover, just days after Windows 10's successful launch last summer, we saw various default settings in Microsoft's newest OS that compromise users' privacy, making a large number of geeks, as well as regular users, migrate to Linux.

However, the problem is that the majority of users are not familiar with the Linux environment. They don't know how to configure their machine with the right privacy and security settings, which leaves them still open to hacking and surveillance.

However, this gaping hole can be filled with a Debian-based, security-focused Linux operating system called Subgraph OS: a key solution to your privacy fears.

Subgraph OS is a featherweight Linux flavor that aims to make combating hacking attacks easier, even on fairly low-powered computers and laptops.

Subgraph OS comes with all the privacy and security options auto-configured, eliminating the user's manual configuration.

Security-focused operating systems do exist, but they are often very resource intensive and can be run only on specific hardware. They are also a real technical challenge for users who don't know the advanced techniques required to get a secure operating system running.

Subgraph OS offers more than just kernel security. The Linux-based operating system comes with a slew of security and privacy features that its developers believe will be more accessible to non-technical users.

The OS also includes several applications and components that reduce the user's attack surface. Let's take a close look at the important features Subgraph OS provides.

1. Automated Enhanced Protection with Application Sandboxing using Containers

2. Mandatory Full Disk Encryption (FDE)

3. Online Anonymity — Everything through Tor

4. Advanced Proxy Setting

5. System and Kernel Security

6. Secure Mail Services

7. Package Integrity


Comparison Between Subgraph OS and Qubes OS


Subgraph OS has some similarities to Qubes OS, another Linux-based security-oriented operating system for PCs.

Unlike Subgraph OS, which isolates individual applications at a more granular level, Qubes OS typically runs different isolated domains inside different virtual machines: one for your work, one for your personal use and more.

Subgraph OS doesn't isolate networking and USB stacks or other devices and drivers, but Qubes OS does.

Also, Subgraph OS uses Xpra for GUI virtualization, which is less secure than the Qubes GUI protocol, but has some usability advantages like a seamlessly working clipboard.

Subgraph makes use of Netfilter hooks to redirect app-generated traffic into the Tor network and to allow the user to see and control app-generated traffic, whereas Qubes OS uses separate service virtual machines (Proxy VMs like TorVM) to intercept traffic.

As the list goes on... Subgraph would be a treasure for the privacy lovers.

How to Download Subgraph OS?


Subgraph OS will be available for download via its official website. Let's wait for the operating system to be unveiled at the Logan CIJ Symposium conference in Berlin on March 11-12.



Nude Pics of Over 100 Celebrities Stolen - Hacker Reveals How


Almost one and a half years after the massive leak of celebrities' nude photographs — known as "The Fappening" or "Celebgate" scandal — a man has been charged under the Computer Fraud and Abuse Act, facing up to 5 years in prison as a result.

The US Department of Justice (DOJ) announced on Tuesday that it charged Ryan Collins, 36, of Pennsylvania for illegally accessing the Gmail and iCloud accounts of various celebrities, including Jennifer Lawrence and Kim Kardashian, and leaked their nude photos onto 4chan.

Social Engineering Helped Hacker Steal Celebs' Nude Pics


Collins was trapped by the Federal Bureau of Investigation (FBI) and in the process of the trial, the hacker revealed that…

The Fappening did not involve Apple's iCloud services being compromised through password cracking or brute-forcing, but rather it was the result of simple Social Engineering, in the form of Phishing Attacks.


Yes, The Fappening scandal was the result of Social Engineering tricks, while we believed that Apple's iCloud services had been targeted by brute-force password hacking attacks.

At the time when the celebrities' nude images were circulating online, Apple denied that its iCloud service was hacked and claimed that the hacks were more likely to be a phishing scam. So this was actually the case.

Collins was engaged in Phishing schemes between November 2012 and September 2014, when he hijacked more than 100 celebs' accounts using fake emails disguised as official notifications from Google and Apple, asking victims for their usernames and passwords.

Hacker Used iBrute to Download iCloud Backups


Once done, Collins used this information to access 50 iCloud accounts and 72 Gmail accounts, most of which belonged to female celebs, and in most cases used a specialized 'brute force' software program, iBrute, to illegally download the contents of their iCloud backups and look for more data, including nude photos of celebrities.

Collins admitted only to hacking celebrities' accounts, but not to uploading their naked photos online.

However, this does not mean Collins did not leak those photographs; the hacker negotiated a lighter guilty plea, allowing United States authorities to close the investigation faster.

Collins has not been sentenced yet but faces a maximum sentence of 5 years in prison for his crime, along with fines of up to $250,000. However, according to a plea agreement, the prosecution will recommend an 18-month prison sentence to the judge.

Tuesday, 15 March 2016

Hacked a Credit Card in 3 Seconds-Exposed


Card Skimmers have been around for years, but the video posted below is a perfect example of the evolution of the technology used by thieves.

The video released by Miami Beach Police involved two men who work as a team to install a credit card Skimmer on top of a card terminal at a local gas station in LESS THAN 3 SECONDS.

Yes, in just less than 3 seconds hackers can turn a regular credit and debit card reader into a Skimmer – a device designed to secretly steal a victim's credit or debit card information.

The two men were caught on video by a security camera, but it all happened so fast that one might have to rewatch the video to actually catch the crime.


Miami Beach Police have published the video of the cyber crook and his partner, who was tasked with distracting the station's clerk, in the hopes that someone recognizes the criminals and helps track them down.

Here's What Happened:

The incident took place on Wednesday at around 9:30 PM at the Chevron gas station located at 1453 Alton Road.

The two men entered the gas station store and approached the station's clerk to buy some items.

While one crook kept the clerk busy by paying for items and asking for other items from nearby shelves, the other pulled a skimming device (shaped like the card terminal) from his bag and placed it on top of the payment card terminal in a matter of seconds.

Once placed, both the crooks casually walked out of the store.

Why Skimmers Are a Dangerous Threat


Whenever customers swipe their credit cards on that terminal, the skimmer will record and store the card details in it. Later, either the two men will return and simply collect the skimmer, or they will use a Bluetooth device to transfer the collected data.

With the recorded payment card data, the crooks can clone credit and debit cards of affected victims, or use the stolen data to make online purchases.

The good news, though, is that by the second day the card skimmer had moved slightly from its intended position, and the station's clerk noticed it and called the police afterward.

The skimming device was then removed, giving the crooks no chance to affect more of the gas station's customers.



Since it takes just 2-3 seconds to install the skimmer, the crooks might have installed hundreds or thousands of such skimming devices to collect credit card details on hundreds of thousands of people, or even more.

So, you are advised to beware when swiping your cards on payment terminals. Moreover, if you notice any unusual payment or charge you do not recognize on your account statement, contact your bank as soon as possible.

How To Hack Any Facebook Account - Flaw Exposed

Hacking a Facebook account is one of the major queries of Internet users today. It's hard to find out how to hack a Facebook account, but an Indian hacker just did it.

A security researcher discovered a 'simple vulnerability' in the social network that allowed him to easily hack into any Facebook account, view message conversations, post anything, view payment card details and do whatever the real account holder can.

Facebook bounty hunter Anand Prakash from India recently discovered a Password Reset Vulnerability, a simple yet critical vulnerability that could have given an attacker endless opportunities to brute force a 6-digit code and reset any account's password.

Here's How the Flaw Works


The vulnerability actually resides in the way Facebook's beta domains handle 'Forgot Password' requests.

Facebook lets users change their account password through the Password Reset procedure by confirming their Facebook account with a 6-digit code received via email or text message.

To ensure the user is genuine, Facebook allows the account holder to try up to a dozen codes before the account confirmation code is blocked by the brute-force protection that limits the number of attempts.

However, Prakash discovered that the social media giant had not implemented rate-limiting in its password reset process on the beta sites, beta.facebook.com and mbasic.beta.facebook.com, according to a blog post published by Prakash.

Prakash tried to brute force the 6-digit code on the Facebook beta pages in the 'Forgot Password' window and discovered that there is no limit set by Facebook on the number of attempts for beta pages.

Video Demonstration:

A proof-of-concept (POC) video demonstration shows the attack at work. You can watch the video given below that will walk you through the entire procedure:

Here's the culprit:

As Prakash explained, the vulnerable POST request in the beta pages is:

    lsd=AVoywo13&n=XXXXX

Successfully brute forcing the 'n' parameter allowed Prakash to set a new password for any Facebook account, taking complete control of it.

Prakash (@sehacure) discovered the vulnerability in February and reported it to Facebook on February 22. The social network fixed the issue the next day and paid him $15,000 as a reward, considering the severity and impact of the vulnerability.
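
Added example, not taken from Prakash's post or from Facebook's code: a small Python model of the gap described above, where the attempt limit on a 6-digit reset code is enforced on one front-end hostname but not another, next to the hardened form that keeps the counter with the code itself. The class, the `limited_hosts` parameter and the example.test hostnames are assumptions made for illustration.

```python
import hmac
import secrets

MAX_ATTEMPTS = 12  # the article says about a dozen tries are allowed


class ResetCodeVerifier:
    """Constructed model of 6-digit reset-code checking (not Facebook's code)."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, limited_hosts=None):
        self.max_attempts = max_attempts
        # None: the limit applies on every hostname (hardened).
        # A set: the limit applies only on those hostnames (the gap).
        self.limited_hosts = limited_hosts
        self._pending = {}  # account_id -> {"code": str, "failures": int}

    def issue(self, account_id):
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account_id] = {"code": code, "failures": 0}
        return code  # a real system sends this by email or SMS

    def verify(self, account_id, submitted, host):
        entry = self._pending.get(account_id)
        if entry is None:
            return "no_pending_code"
        if hmac.compare_digest(entry["code"].encode(), submitted.encode()):
            del self._pending[account_id]  # codes are single use
            return "ok"
        if self.limited_hosts is None or host in self.limited_hosts:
            entry["failures"] += 1
            if entry["failures"] >= self.max_attempts:
                del self._pending[account_id]  # code is dead, guessing stops
                return "locked"
        return "wrong"


def failed_guesses_tolerated(verifier, host, tries=500):
    """Regression check: wrong codes accepted via `host` before lockout."""
    code = verifier.issue("acct-1")
    for i in range(1, tries + 1):
        wrong = f"{(int(code) + i) % 10**6:06d}"  # never equals the real code
        if verifier.verify("acct-1", wrong, host) == "locked":
            return i
    return tries  # never locked: this front end has no effective limit


if __name__ == "__main__":
    hosts = ["www.example.test", "beta.example.test"]  # constructed names
    gap = ResetCodeVerifier(limited_hosts={"www.example.test"})
    hardened = ResetCodeVerifier()
    for h in hosts:
        print(h, failed_guesses_tolerated(gap, h), failed_guesses_tolerated(hardened, h))
```

Running the same check against every hostname that can reach the reset endpoint, staging and beta front ends included, is what catches this class of gap before release.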

Small Mistake Stopped Hackers From Stealing $1 Billion

A typographical error (often shortened to typo) is a mistake, such as a spelling mistake, made in the typing process of printed material.

Typos are really embarrassing, but this time it saved the Bangladesh Central Bank and the New York Federal Reserve by preventing a nearly $1 Billion (£700 Million) heist.

Last month, some unknown hackers broke into Bangladesh's central bank, obtained credentials needed for payment transfers and then transferred large sums to fraudulent accounts based in the Philippines and Sri Lanka. But…

A single spelling mistake in an online bank transfer instruction prevented the full theft, according to Reuters.

Here’s what actually happened:


Nearly three dozen requests hit the Federal Reserve Bank of New York on 5 February using the Bangladesh Bank's SWIFT code, out of which four resulted in successful transfers, for a total value of about $81 million.

However, when the hackers attempted to make their fifth transfer of $20 Million to a Sri Lankan non-governmental organization called the Shalika Foundation, they made a typo by attempting a transfer to the Shalika "Fandation."

Staff at Deutsche Bank, which was involved in routing funds, spotted this spelling error and asked the Bangladeshis for clarification on the typo. The Bangladesh bank then canceled the remaining transfers.

The Federal Reserve Bank of New York also queried the Bangladesh central bank after spotting a large number of fund transfers to private accounts at around the same time.

The hackers, who are still unknown, had been attempting to steal a further $850 Million from the Bangladesh government’s reserve account, but a typo in the requests prevented the full theft.

The $81 Million in transfers that were successfully made has not been recovered, but the typo saved the Bangladeshis, because if all the fund transfers had been made successfully, the thieves would have made off with $950 Million.

The attack happened between February 4th-5th and originated from outside the country. Moreover, the hackers are still unknown, and officials said there is not much hope of catching them.

Meanwhile, the Bangladesh central bank says the Federal Reserve should have stopped the transactions. The bank is planning to file a lawsuit against the Federal Reserve in order to recover some of the funds that were lost.

Hackers Stole $80 Million from Bangladesh Bank

The recent cyber attack on Bangladesh's central bank that let hackers steal over $80 Million from the institution's Federal Reserve bank account was reportedly caused by malware installed on the bank's computer systems.


A few days ago, reports emerged of a group of unknown hackers that broke into Bangladesh's central bank, obtained credentials needed for payment transfers from the Federal Reserve Bank of New York and then transferred large sums to fraudulent accounts based in the Philippines and Sri Lanka.

The criminal group was able to steal a total of about $81 Million from the Federal Reserve's Bangladesh account through a series of fraudulent transactions, but a typo in a transaction prevented a further $850 Million heist.

However, the question was still there:

How Did the Hackers Manage to Transfer $80 Million Without Leaving Any Trace?

Security researchers from FireEye's Mandiant forensics are helping the Dhaka investigators to investigate the cyber heist.

Investigators believe unknown hackers installed some type of malware in the Bangladesh central bank's computer systems a few weeks before the heist and watched how to withdraw money from its United States account, Reuters reports.

Although the malware type has not been identified, the malicious software likely included spying programs that let the group learn how money was processed, sent and received.

The malware in question could be a potential Remote Access Trojan (RAT) or a similar form of spyware that gave attackers the ability to gain remote control of the bank's computer.


The investigators suspect the hack could have exploited a "zero-day" flaw, as such flaws are unknown to vendors as well.

After this, the hackers were able to steal the Bangladesh Bank's credentials for the SWIFT messaging system, a highly secure financial messaging system utilized by banks worldwide to communicate with each other.

"SWIFT and the Central Bank of Bangladesh are working together to resolve an internal operational issue at the central bank," Belgium-based SWIFT said in a statement Friday. "SWIFT's core messaging services were not impacted by the issue and continued to work as normal."

Security experts hope that the malware sample will be made available to the security researchers soon so that they can determine whether the sample was truly advanced, or if Bangladesh Central Bank's security protection was not robust enough to prevent the hack.

The Bangladesh Bank discovered weaknesses in its systems, which could take years to repair, though the Federal bank has denied any system compromise.

Sunday, 13 March 2016

How To Keep Your Android Phone Secure



As the number of threats is on the rise, the Android platform is no longer safe, which isn't a surprise to anyone.

Most of us are usually more worried about the security of our desktops or laptops and forget to think about the consequences if our smartphones are compromised or stolen.

Unlike desktops, your smartphones and tablets carry all sorts of information, from your personal photographs, important emails and messages to your sensitive financial details. And due to the rise in mobile usage, hackers have shifted their interest from desktops to the mobile platform.

Nowadays, nearly all the threats that previously attacked the desktop platform are now targeting smartphone users.

Ransomware, phishing, spam, spyware, botnets, banking malware, and OS and software vulnerabilities are just a few examples, but users don't understand the potential threat when it comes to mobile devices.

Additionally, your smartphones and tablets are also subject to more threats, like smartphone theft and unnecessary app permissions that allow even legitimate and reputed companies to spy on you.

There are a number of solutions to all the above issues, but for that, you generally need to install multiple cumbersome and untrusted applications on your mobile devices.

You need a good antivirus to resolve malware and virus issues, an app to manage Android app permissions, a device tracking application in case your device is lost or stolen, and lots more, and installing all these apps consumes a lot of your device's space, RAM and battery.

So I headed to Google Play Store and started searching for an app that offers a full suite of security and privacy tools. I came across some reputed apps, but they resolve few issues and some apps that address several issues but originate from some vendor I can’t trust.

Then I came across the ESET Mobile Security app, which comes from one of the reputed antivirus vendors and offers protection for all the threats we discussed above.

As its primary role, ESET offers the best antivirus scanning for your smartphone devices with an up-to-date threat database and a clean mobile app interface.

According to the latest test and review conducted by AV-TEST, an independent lab, ESET mobile security antivirus detects 99.9% of the latest threats, with a protection and usability score of 6 out of 6.

In short, I found ESET Mobile Security a package of security and privacy tools bundled into a single app.

The app is fast, provides a user-friendly interface, keeps you safe from malware, protects against phishing attacks, with numerous other tools to keep your smartphone safe even when it's out of your hands.

However, the ESET Mobile Security app doesn't provide any encrypted cloud-based backups or device encryption, which I would like to see built in in the future.

Overall, ESET Mobile Security for Android is a solid choice for protecting your smartphone or tablet with its top-notch malware protection and huge array of anti-theft and privacy-protection features.

You can download and install the ESET Mobile Security app for FREE for a lifetime from the Google Play Store if you are seeking basic protection capabilities.

However, those seeking advanced security and privacy protection on their smartphones should upgrade to a premium subscription, via in-app purchase.