LastPass Bug Lets Hackers Steal Your Passwords


A critical zero-day flaw has been discovered in the popular cloud password manager LastPass that could allow any remote attacker to compromise your account completely.

LastPass is a password manager that is also available as a browser extension that automatically fills in credentials for you.

All you need is to remember one master password to unlock all other passwords of your different online accounts, making it much easier for you to use unique passwords for different sites.


Google Project Zero Hacker Tavis Ormandy discovered several security issues in the software that allowed him to steal passwords stored with LastPass.

“Are people really using this LastPass thing? I took a quick look and can see a bunch of obvious critical problems. I’ll send a report asap.”

Once they compromise a victim’s LastPass account, hackers would be able to access a treasure trove of passwords for the victim’s other online services.

Since LastPass is working on a fix to the zero-day vulnerability, technical details about the issues have not been disclosed by the researcher.

Coincidentally, another security researcher, Mathias Karlsson, also announced that he had uncovered some issues in LastPass, which have already been patched by the company.

A specially crafted URL is enough to take complete control of a user’s accounts.

As Karlsson explained in a blog post published today, an attacker could send a specially-crafted URL to the victim in order to steal passwords from his/her vault.

This specific vulnerability resided in the autofill functionality of the LastPass browser extension, where a faulty regular expression for parsing the URL allowed an attacker to spoof the targeted domain. Therefore, by abusing the form auto-fill functionality, a hacker could steal the victim’s, let’s say, Facebook password by sending the POC URL containing facebook.com to the victim.
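The failure mode described above, as an added example that is neither LastPass's code nor Karlsson's proof of concept: a constructed, hypothetical regex-based host extractor beside one that uses the platform URL parser. The function names and the reserved `.example` hosts are assumptions made for illustration.

```javascript
'use strict';
// Added illustration: constructed code, not taken from the LastPass extension.

// Hypothetical faulty extractor: strips "userinfo@" with a greedy regex, so an
// "@" that appears later in the path or query is mistaken for the delimiter.
function hostFromRegex(rawUrl) {
  const stripped = rawUrl.replace(/^([a-z][a-z0-9+.-]*:\/\/).*@/i, '$1');
  const m = stripped.match(/^[a-z][a-z0-9+.-]*:\/\/([^\/?#:]+)/i);
  return m ? m[1].toLowerCase() : null;
}

// Hardened extractor: let the WHATWG URL parser decide what the host is, and
// refuse anything that is not http(s) or does not parse at all.
function hostFromParser(rawUrl) {
  try {
    const u = new URL(rawUrl);
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
    return u.hostname; // already lowercased by the parser
  } catch {
    return null;
  }
}

// Autofill gate: fill only when the page host equals the saved entry's host.
function mayAutofill(savedHost, pageUrl, extractHost) {
  const host = extractHost(pageUrl);
  return host !== null && host === savedHost.toLowerCase();
}

// Constructed sample URLs (reserved .example domains).
const SAMPLES = [
  'https://bank.example/login',                   // genuine page
  'https://user@bank.example/login',              // genuine page with userinfo
  'https://attacker.example/@bank.example/login', // "@" in the path
  'https://attacker.example/?next=@bank.example/' // "@" in the query
];

// Returns, per URL, whether each extractor would allow autofill.
function compare(savedHost) {
  return SAMPLES.map((url) => ({
    url,
    regex: mayAutofill(savedHost, url, hostFromRegex),
    parser: mayAutofill(savedHost, url, hostFromParser),
  }));
}

console.table(compare('bank.example'));
```

The regex-based gate approves all four URLs, while the parser-based gate approves only the two whose real host is `bank.example`.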

This particular flaw was patched by the company within a day, and Karlsson has even been awarded a bug bounty of $1,000.

Well, the issues in password managers are really worrying, but this doesn’t mean that you should stop using password managers. Password managers still encourage you to use unique and complex passwords for every single site.

In the wake of the latest issue, users can avoid browser-based password managers and instead switch to offline versions, like KeePass.

Update: LastPass has quickly patched the vulnerability reported by Tavis Ormandy and pushed an update with a fix for all Firefox users using LastPass 4.

How Website Backdoor Scripts Leverage the Pastebin Service


Compromising a website and then hosting malware on it has become an old tactic for hackers, and now they are trying their hand at compromising a vast majority of users in a single stroke. Researchers have discovered that hackers are now using Pastebin to spread malicious backdoor code.
According to a blog post published yesterday by a senior malware researcher at Sucuri, Denis Sinegubko, the hackers are leveraging a weakness in older versions of RevSlider, a popular premium WordPress plugin. The plugin comes packaged and bundled into websites’ themes in such a way that many website owners don’t even know they have it.


How OnionDuke APT Malware Is Served Through the Tor Network


The malicious Russian Tor exit node, which was claimed to be patching binary files, is actually distributing a malware program to launch cyber-espionage attacks against European government agencies. The group behind the rogue Tor exit node had likely been infecting files for more than a year, causing victims to download and install a backdoor file that gave hackers full control of their systems. Last month Josh Pitts of Leviathan Security Group uncovered a malicious Tor exit node that wraps Windows executable files inside a second, malicious Windows executable. But when Artturi Lehtiö of F-Secure carried out in-depth research, he found that the exit node was actually linked to the notorious Russian APT family MiniDuke.

How New BlackEnergy Crimeware Was Enhanced to Target “Linux Systems” and “Cisco” Routers


Security researchers at Kaspersky Lab have unearthed new capabilities in the BlackEnergy crimeware weapon, which now has the ability to hack routers, Linux systems and Windows, targeting industry through Cisco network devices. The antivirus vendor’s Global Research & Analysis Team released a report Monday detailing some of the new “relatively unknown” custom plug-in capabilities that the cyber espionage group has developed for BlackEnergy to attack Cisco networking devices and target ARM and MIPS platforms. The malware was upgraded with custom plugins including Ciscoapi.tcl, which targets The Borg’s kit. According to researchers, the upgraded version contained various wrappers over Cisco EXEC-commands and a punchy message for Kaspersky, which reads, “F*uck U, Kaspersky U never get a fresh B1ack En3rgy. So, thanks C1sco 1td for built-in backdrops & 0-days.”


How The Pirate Bay Co-Founder Was Found Guilty in Denmark’s Largest Hacking Case


The co-founder of The Pirate Bay torrent site, Gottfrid Svartholm Warg (Anakata), and his 21-year-old Danish co-defendant have been found guilty by a Danish court of hacking into systems operated by American IT giant CSC and illegally downloading files. It was the biggest hacking case ever conducted in the history of Denmark.
By breaking into the servers maintained by CSC, Svartholm Warg illegally accessed police email accounts, stole the email addresses and passwords of over 10,000 policemen, explored the European border control database, and downloaded millions of social security numbers belonging to Danish citizens. The initial hack attack lasted about six months. Gottfrid Svartholm allegedly committed the crime along with his 21-year-old co-defendant between February and August 2012. His co-defendant is known only by the alias JKT, because Judge Kari Sørensen, who presided over the case, ordered media outlets not to publish his name in order to protect the man’s privacy. The defence team argued that although the hack attacks were carried out using a computer owned by Svartholm, he was not the person who used it to steal the files because, they said, his entire group of developers had access to the computer. So, any one of them could be responsible for the hacking.

Nearly 7 Million Dropbox Account Passwords Leaked Online


Dropbox, the popular online locker service, appears to have been hacked by an unnamed hacker group. It is still unclear how the account details of so many users were accessed and, indeed, whether they are actually legitimate or not. However, the group claims to have accessed details from nearly 7 million individual accounts and is threatening to release users’ photos, videos and other files.

HACKERS CLAIMED TO RELEASE 7 MILLION USERS’ PERSONAL DATA

A thread surfaced on Reddit today that includes links to files containing hundreds of usernames and passwords for Dropbox accounts in plain text. A series of posts with hundreds of alleged usernames and passwords for Dropbox accounts has also been made to Pastebin, an anonymous information-sharing site.


How “Windows 10” Technical Preview Is Watching Your Every Move to Get Feedback…


Microsoft announced the next version of its operating system, dubbed Windows 10, providing a “Windows 10 Technical Preview” release under its Insider Program in order to collect feedback from users and help shape the final version of the operating system, which is said to be coming sometime in summer 2015. The Technical Preview requires users to register with the Windows Insider Program, which allows users to submit their own feedback about the operating system.

Well, how many of you actually read the Terms of Service and Privacy Policy documents before downloading the Preview release of Windows 10? I guess none of you, because most computer users have a bad habit of ignoring those lengthy paragraphs and simply clicking I Agree and then Next, which is not a good practice at all. According to the Privacy Policy, the company is collecting things like text inputted into the operating system, the details of any/all files on your system, voice input and program information.