Monday, 18 July 2016

Ubuntu Linux Forum Hacked! Once Again

No software is immune to being hacked, not even Linux.

The Ubuntu online forums have been hacked and data belonging to over 2 million users has been compromised, Canonical has just announced.

The compromised data includes users' IP addresses, usernames and email addresses, according to the company, which had failed to apply a patch that would have protected that data.

Users should keep in mind, however, that the hack did not affect the Ubuntu operating system, nor was it due to any vulnerability or weakness in the OS.

Instead, the breach only affected the Ubuntu online forums that people use to discuss the OS, said BetaNews, which initially reported the news.
"There has been a security breach on the Ubuntu Forums site," Jane Silber, Chief Executive Officer at Canonical wrote in a blog post. "We take information security and user privacy very seriously, follow a strict set of security practices and this incident has triggered a thorough investigation."
"Corrective action has been taken, and full service of the Forums has been restored. In the interest of transparency, we’d like to share the details of the breach and what steps have been taken. We apologize for the breach and ensuing inconvenience."
Its investigation found that the company had left a known SQL injection (SQLi) vulnerability unpatched in the Forumrunner add-on to its Forums, and that this flaw is what exposed its users' data.

This again shows that the weakest link in security is still humans: the bug was known and a patch existed, but it was never applied.


SQL injection (SQLi) is an attack in which the attacker supplies specially crafted input (a malicious payload) that the application embeds, unescaped, into an SQL query, so the database executes the attacker's commands and can be made to return, alter or delete data, including users' personal details.

It is one of the oldest web vulnerability classes, but still among the most powerful and dangerous, and it can affect any website or web application backed by an SQL database.

According to Silber, here’s what the attackers were able to access:

  • The attackers were able to inject formatted SQL into the Forums database on the Forums database servers, which gave them access to read from any table.
  • The attackers then used the above access to download portions of the ‘user’ table containing usernames, email addresses, and IP addresses for 2 Million users.
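The two steps listed above (turn a forum query into arbitrary SQL, then read the user table) are easy to reproduce in miniature. The following is an added example, not code from Ubuntu Forums or the Forumrunner add-on: it uses an in-memory SQLite database with constructed sample data, shows a post search that builds its query by string formatting, the UNION payload that turns it into a dump of usernames, emails and IP addresses, and the parameterised version that is immune.

```python
import sqlite3

# Constructed sample data standing in for a forum database: a public
# posts table and the sensitive user table (same fields the breach exposed).
POSTS = [("alice", "Hello, forum"), ("bob", "Unity 8 questions")]
USERS = [
    ("alice", "alice@example.org", "203.0.113.7"),
    ("bob", "bob@example.net", "198.51.100.22"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE post (author TEXT, body TEXT)")
    conn.execute("CREATE TABLE user (username TEXT, email TEXT, ip TEXT)")
    conn.executemany("INSERT INTO post VALUES (?, ?)", POSTS)
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", USERS)
    return conn


def search_posts_vulnerable(conn, author):
    """Builds the query by string formatting: the classic SQLi bug.
    Whatever the user types becomes part of the SQL statement."""
    sql = "SELECT author, body FROM post WHERE author = '%s'" % author
    return conn.execute(sql).fetchall()


def search_posts_safe(conn, author):
    """Same query with a bound parameter: the input is passed to the
    database as data and can never be parsed as SQL."""
    sql = "SELECT author, body FROM post WHERE author = ?"
    return conn.execute(sql, (author,)).fetchall()


# Attacker input: closes the string literal, appends a UNION that reads the
# user table (same column count as the original SELECT), and comments out
# the trailing quote the application adds.
PAYLOAD = "x' UNION SELECT username || ':' || email, ip FROM user -- "


def demo():
    """Runs the payload against both versions of the search."""
    conn = make_db()
    return {
        "vulnerable": search_posts_vulnerable(conn, PAYLOAD),
        "safe": search_posts_safe(conn, PAYLOAD),
    }
```

The vulnerable search returns every row of the user table through a query that was only ever meant to touch posts; the parameterised search returns nothing, because there is no post whose author is literally the payload string. Binding parameters (or an ORM that does it for you) is the fix; filtering quotes from the input is not.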

Because the Ubuntu Forums rely on Ubuntu Single Sign On for logins, the password field in this table held only random strings (hashed and salted), so the company says no active passwords were accessed by the attackers.

Although Canonical responded quickly and has since patched the flaw, it is still disappointing that the company's failure to install a patch for a known bug exposed its users' personal data.

Tuesday, 12 July 2016

Warning for Xiaomi phone owners


Warning: Millions of Xiaomi Phones Vulnerable to Remote Hacking
Millions of Xiaomi smartphones are vulnerable to a dangerous remote code execution (RCE) vulnerability that could grant attackers complete control of handsets.

The vulnerability, now patched, exists in MIUI, Xiaomi's own Android distribution, in versions prior to MIUI Global Stable 7.2, which is based on Android 6.0.

The flaw, discovered by IBM X-Force researcher David Kaplan, allows an attacker in a privileged network position, for example on a shared café Wi-Fi network, to install malware remotely on affected devices and fully compromise them.

The researchers found that an analytics package bundled with several MIUI apps can be abused to deliver malicious updates to the device remotely through a man-in-the-middle attack.
"The vulnerability we discovered allows for a man-in-the-middle attacker to execute arbitrary code as the highly privileged Android 'system' user," researchers say.
The vulnerable analytics package was found in at least four default apps that Xiaomi ships in its MIUI distributions, one of them being the default browser app.

Because the update check travels over plain HTTP, an attacker on the path can inject a forged JSON response that replaces the download link and the MD5 hash with ones matching a malicious Android application package (APK), which the package then fetches and executes at the system level.


Since the update is not cryptographically verified (an MD5 hash that arrives in the same unauthenticated response proves nothing, because the attacker simply supplies the hash of their own file), the analytics package (com.xiaomi.analytics) replaces itself with "the attacker-supplied version via Android's DexClassLoader mechanism."

In other words, the analytics package neither uses HTTPS to query the update server nor downloads the package over HTTPS, so anyone on the network path can modify the update.
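To make the difference concrete, here is an added example (not Xiaomi's code, and not the X-Force proof of concept) that models both the flawed update check and a hardened one. The vulnerable client trusts a URL and an MD5 from an unauthenticated JSON response, exactly the pattern described above. The hardened client requires a manifest signed with a key pinned in the app and refuses non-HTTPS download URLs. For the signature, HMAC-SHA256 with an assumed vendor key stands in for a real public-key signature (Ed25519 or RSA with the vendor's public key baked into the package) so that the example runs on the standard library alone; the payload bytes and URLs are constructed.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for the bytes the device would download.
GENUINE_UPDATE = b"genuine analytics classes.dex v2"
MALICIOUS_UPDATE = b"attacker classes.dex: runs as the 'system' user"

# Assumed keys. HMAC-SHA256 stands in for a public-key signature; with a
# real signature only the public half would be pinned in the app.
VENDOR_KEY = b"vendor signing key, never on the device"
ATTACKER_KEY = b"attacker does not have the vendor key"


def update_response_vulnerable(update, url="http://update.example/analytics.apk"):
    """What the flawed client consumes: plain-HTTP JSON with a URL and an MD5."""
    return json.dumps({"url": url, "md5": hashlib.md5(update).hexdigest()})


def accept_update_vulnerable(response_json, downloaded):
    """Mirrors the flaw: the only check is an MD5 taken from the same
    unauthenticated response, so whoever forges the response also
    supplies a matching MD5 for their own file."""
    meta = json.loads(response_json)
    return hashlib.md5(downloaded).hexdigest() == meta["md5"]


def _canonical(meta):
    # Deterministic encoding so the signature covers exactly these fields.
    return json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()


def signed_response(update, key, url="https://update.example/analytics.apk"):
    """Hardened manifest: URL and SHA-256 are signed together, so neither
    the link nor the digest can be swapped without the signing key."""
    meta = {"url": url, "sha256": hashlib.sha256(update).hexdigest()}
    meta["sig"] = hmac.new(key, _canonical(meta), hashlib.sha256).hexdigest()
    return json.dumps(meta)


def accept_update_hardened(response_json, downloaded, pinned_key=VENDOR_KEY):
    meta = json.loads(response_json)
    sig = meta.pop("sig", "")
    expected = hmac.new(pinned_key, _canonical(meta), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False  # manifest was not signed by the vendor
    if not meta["url"].startswith("https://"):
        return False  # refuse to fetch code over plain HTTP
    return hmac.compare_digest(hashlib.sha256(downloaded).hexdigest(), meta["sha256"])


def mitm_scenario():
    """The attacker rewrites the update response (and the download) in flight."""
    return {
        # flawed client: the forged response carries the attacker's own MD5
        "vulnerable_accepts_attacker": accept_update_vulnerable(
            update_response_vulnerable(MALICIOUS_UPDATE), MALICIOUS_UPDATE),
        # hardened client: a genuine signed manifest is accepted
        "hardened_accepts_vendor": accept_update_hardened(
            signed_response(GENUINE_UPDATE, VENDOR_KEY), GENUINE_UPDATE),
        # the attacker cannot sign a manifest for their payload
        "hardened_accepts_attacker": accept_update_hardened(
            signed_response(MALICIOUS_UPDATE, ATTACKER_KEY), MALICIOUS_UPDATE),
        # swapping only the payload under a genuine manifest fails the digest
        "hardened_accepts_swapped_payload": accept_update_hardened(
            signed_response(GENUINE_UPDATE, VENDOR_KEY), MALICIOUS_UPDATE),
    }
```

Note what the hash alone buys you: nothing. The MD5 in the vulnerable flow is an integrity check against accidental corruption, not against an adversary who controls the same channel. Authenticity has to come from something the attacker cannot forge, which means a signature verified against a key the app already holds, and the code should be fetched over TLS as well so the downgrade path is closed.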

The custom ROM ships on devices made by Xiaomi, the world's third-largest smartphone maker with over 70 million devices shipped last year alone, and has also been ported to over 340 other handsets, including Nexus, Samsung and HTC models.

Since the company has patched the flaw and released an over-the-air update, users are strongly advised to update their firmware to version 7.2 as soon as possible to make sure they are not exposed to this issue, which affects millions of Xiaomi devices.

Thursday, 7 July 2016

Oops! TP-Link forgets to Renew and Loses its Domains Used to Configure Router Settings

To make the configuration of routers easier, hardware vendors instruct users to browse to a domain name rather than numeric IP addresses.

Networking equipment vendor TP-LINK uses tplinklogin.net and tplinkextender.net for router configuration, although users can also reach the router's administration panel through its local IP address (e.g. 192.168.1.1).

The first domain is used to configure TP-LINK routers and the second for TP-LINK Wi-Fi extenders.

Here's the Blunder:


TP-Link has reportedly "forgotten" to renew both domains, which are used to configure its routers and reach the administrative panels of its devices.

Both domains have now been re-registered using an anonymous registration service by an unknown entity and are being offered for sale online at US$2.5 Million each.

This latest TP-Link oversight, first spotted by Cybermoon CEO Amitay Dan, could expose its users to real risk.

However, TP-Link seems uninterested in buying back the domains: Dan claims the vendor is instead updating its manuals to remove the domain name references altogether.

In recent years the vendor has been replacing tplinklogin.net with tplinkwifi.net, which remains under its control, so users of newer devices face no direct threat.

Unfortunately, tplinklogin.net and tplinkextender.net are usually printed on the back of older devices, so users who type those names could end up on a site under a third party's control.

If malicious actors get hold of these domains, they could use them to distribute malware, serve phishing pages telling users to "download new firmware to your router", or ask for device or social media credentials before redirecting the user to the router's real local admin IP.

The bottom line:


Users are advised not to reach their TP-Link routers through the tplinklogin.net domain, and to use the router's local IP address instead.
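The safe case for a vendor name like tplinklogin.net is that the router itself answers it and hands you its own LAN address; the dangerous case is that the name resolves somewhere on the public Internet. The following added check (not TP-Link's tooling, and using constructed LAN settings and resolution results) encodes that rule so it can be run before typing credentials into whatever page comes up. Feed it the addresses returned by `socket.getaddrinfo()` for the vendor name and your gateway's address and netmask.

```python
import ipaddress

# Constructed: the LAN as seen from the client.
GATEWAY = "192.168.1.1"
NETMASK = "255.255.255.0"


def classify_vendor_name(resolved_addrs, gateway=GATEWAY, netmask=NETMASK):
    """Decide whether a vendor configuration hostname is safe to use.
    It is safe only when it resolves to the router itself (the LAN
    gateway). Returns a (verdict, reason) tuple."""
    lan = ipaddress.ip_network(f"{gateway}/{netmask}", strict=False)
    gw = ipaddress.ip_address(gateway)
    addrs = [ipaddress.ip_address(a) for a in resolved_addrs]
    if not addrs:
        return ("unresolved", "name does not resolve; use the gateway IP directly")
    if all(a == gw for a in addrs):
        return ("router", "answered by the LAN gateway; the router handles this name")
    if any(a.is_global for a in addrs):
        # The router did not intercept the name: a public host, i.e. whoever
        # now owns the domain, would receive the login page request.
        return ("third-party", "resolves to a public host, not your router; do not enter credentials")
    if any(a in lan for a in addrs):
        return ("lan-host", "resolves to another device on the LAN, not the gateway")
    return ("unexpected", "resolves outside the LAN to a non-public address")


def demo():
    """Three constructed outcomes for the same vendor hostname."""
    return {
        "intercepted_by_router": classify_vendor_name(["192.168.1.1"])[0],
        "expired_and_reregistered": classify_vendor_name(["93.184.216.34"])[0],
        "answered_by_other_lan_host": classify_vendor_name(["192.168.1.50"])[0],
        "no_answer": classify_vendor_name([])[0],
    }
```

Anything other than "router" means the address bar is not talking to your own device, and the local IP is the only name you should trust for that session.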

Dan has also recommended that Internet Service Providers (ISPs) block the affected domain names to prevent their customers from being hijacked.

This Android Hacking Group is making $500,000 per day

Own an Android smartphone?

Hackers can secretly and remotely install malicious apps, games and pop-up adverts on your smartphone to make large sums of money.

Security researchers at Cheetah Mobile have uncovered one of the world's largest and most prolific Trojan families, infecting millions of Android devices around the world.

Dubbed Hummer, the trojan stealthily installs malicious apps, games and even porn apps onto victims' phones and earns its creators more than $500,000 (£375,252) a day.

First discovered by Cheetah Mobile in 2014, Hummer gained traction in early 2016, when the Trojan family was infecting "nearly 1.4 Million devices daily at its peak", 63,000 of them in China, according to researchers at Cheetah Mobile Security Research Lab.
"This Trojan continually pops up ads on victims' phones, which is extremely annoying," researchers wrote in a blog post. "It also pushes mobile phone games and silently installs porn applications in the background. Unwanted apps appear on these devices, and they are re-installed shortly after users uninstall them."
Even though the infection rate has since declined, Hummer is still infecting nearly 1 million new devices per day, making it the most widespread trojan family in the world.

Every time Hummer installs a new app on an infected device, its developers earn 50 cents, so the group behind the Trojan is believed to be making more than half a million dollars (over $500,000) daily...

...and over $15 million per month.

Here's How Hummer Works:


Once a device is infected, Hummer roots the phone to gain administrator privileges, which lets it discreetly install unwanted apps, games, porn apps and further malware in the background.

These apps and malware consume large amounts of network traffic, potentially saddling victims with large data bills from their mobile providers.
"In several hours, the trojan accessed the network over 10,000 times and downloaded over 200 APKs, consuming 2 GB of network traffic," the researchers noted.

Hummer is almost Impossible to Uninstall


The bad news for affected Android users is that Hummer is extremely difficult, if not impossible, to remove: because the Trojan controls the phone at root level, traditional antivirus tools cannot uninstall it.

The dangerous part: according to the researchers, even a factory reset cannot remove the Trojan, because Hummer comes equipped with up to 18 separate rooting exploits that let it re-root the phone.

Recently, Trend Micro researchers also detected a similar threat, known as Godless, which came with Android rooting exploits affecting 90 percent of all Android devices on the market today.

Hummer spreads through a number of different domain names and third-party app stores, tricking users into downloading malicious apps or fake versions of popular apps such as Facebook or Twitter.

The researchers say they traced the Trojan family to an "underground internet industry chain" in China, based on an email address linked to the domain names used by the malware.

India (154,248), Indonesia (92,889), Turkey (63,906), China (63,285) and Mexico (59,192) are the top five countries where Hummer has made most of its victims, but the Trojan is also infecting Android users in the U.S. and Europe.

Google's Android platform is a primary target for attackers, so avoid downloading apps from outside the Google Play Store or from untrusted sources, and always check the developer even when installing from the official store.

How to Crack Android Full Disk Encryption on Qualcomm Devices



There may not be a full fix available for current Android handsets in the market.

Google began enabling full disk encryption on Android by default with Android 5.0 Lollipop. Full disk encryption (FDE) is meant to prevent both hackers and even powerful law enforcement agencies from gaining unauthorised access to a device's data.

Android's disk encryption, in short, encrypts all user data before it is written to disk, using a key derived from the user's passcode. Once encrypted, the data can be decrypted only after the user enters that password.

However, after thoroughly analysing Android's full disk encryption implementation, a security researcher has concluded that the feature is not as secure as the company claims, and he has working code to prove it.

Cracking Android Full Disk Encryption: Exploit Available Online

Security researcher Gal Beniamini has discovered issues (CVE-2015-6639 and CVE-2016-2431) in how Android devices handle full disk encryption, making it easier for attackers to gain access to the user's sensitive data.

Beniamini also published a detailed step-by-step guide this week on how to break the encryption protections on Android smartphones powered by Qualcomm Snapdragon processors.

You can find the full source of the exploit on GitHub.

Android's disk encryption on devices with Qualcomm chips is not meant to rest on your password alone. The key that protects the disk is derived from the password together with a 2048-bit RSA key held by the KeyMaster module, which is supposed to be bound to the hardware so that every password guess has to go through the device itself.

KeyMaster runs inside the Snapdragon's TrustZone, which is meant to protect critical functions such as encryption and biometric scanning, but Beniamini found that Android security flaws can be exploited to extract the keys from TrustZone.

Qualcomm runs a small kernel in TrustZone to offer a Trusted Execution Environment known as QSEE (Qualcomm Secure Execution Environment), which lets small apps run inside QSEE, isolated from the main Android operating system. KeyMaster is itself a QSEE app.

The researcher details how an attacker can exploit an Android security flaw to load their own code into a QSEE app inside this secure environment, then exploit a privilege escalation flaw to hijack the whole QSEE space, including the keys KeyMaster uses for full disk encryption.

With that key in hand, an attacker no longer needs the phone for each guess and can brute-force the user's password, PIN or pattern offline, breaking Android's full disk encryption.
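The point of the hardware-bound step, and why leaking the KeyMaster key is fatal, is easiest to see by modelling the derivation. The block below is an added example, not Beniamini's exploit and not Android's source: it follows the shape of the Android FDE key derivation (scrypt of the password, a KeyMaster operation on the intermediate key that only the device can perform, then scrypt again to get the key-encryption key), seals a constructed master key under a 4-digit PIN, and runs the offline brute force twice, once with the extracted KeyMaster key and once without it. HMAC with an assumed device secret stands in for the RSA-2048 signing, a hash-derived keystream stands in for AES, and the scrypt cost is set far below real-world parameters so the search finishes quickly.

```python
import hashlib
import hmac

# Scrypt parameters kept tiny so the brute force below runs in seconds;
# real devices use much heavier ones. The structure is the point:
# scrypt -> hardware-bound step -> scrypt.
SCRYPT = dict(n=64, r=8, p=1, dklen=32)


def scrypt(data, salt):
    return hashlib.scrypt(data, salt=salt, **SCRYPT)


def keymaster_step(ik1, keymaster_key):
    """Stand-in for KeyMaster signing the intermediate key with its RSA-2048
    key inside TrustZone. HMAC with a device-only secret models the one
    property that matters: it cannot be computed without the key."""
    return hmac.new(keymaster_key, ik1, hashlib.sha256).digest()


def derive_kek(password, salt, keymaster_key):
    ik1 = scrypt(password.encode(), salt)
    ik2 = keymaster_step(ik1, keymaster_key)
    return scrypt(ik2, salt)


def seal_master_key(master_key, password, salt, keymaster_key):
    """Model of the crypto footer: the master key XORed with a KEK-derived
    keystream (stand-in for AES) plus a check value for the master key."""
    kek = derive_kek(password, salt, keymaster_key)
    stream = hashlib.sha256(kek + b"stream").digest()
    sealed = bytes(a ^ b for a, b in zip(master_key, stream))
    return {"salt": salt, "sealed": sealed, "check": hashlib.sha256(master_key).digest()}


def unseal(footer, password, keymaster_key):
    """Returns the master key for the right password, None otherwise."""
    kek = derive_kek(password, footer["salt"], keymaster_key)
    stream = hashlib.sha256(kek + b"stream").digest()
    master = bytes(a ^ b for a, b in zip(footer["sealed"], stream))
    return master if hashlib.sha256(master).digest() == footer["check"] else None


def brute_force_pin(footer, keymaster_key, digits=4):
    """Offline attack once the KeyMaster key has left TrustZone: each guess
    is two cheap scrypt calls on a PC, with no device rate limiting."""
    for n in range(10 ** digits):
        pin = str(n).zfill(digits)
        if unseal(footer, pin, keymaster_key) is not None:
            return pin
    return None


# Constructed device state: master key, salt (fixed for reproducibility),
# the user's PIN, and the secret that is supposed to stay inside TrustZone.
MASTER_KEY = bytes(range(32))
SALT = b"\x00" * 16
DEVICE_KEYMASTER_KEY = b"assumed RSA-2048 private key inside TrustZone"
USER_PIN = "1337"
FOOTER = seal_master_key(MASTER_KEY, USER_PIN, SALT, DEVICE_KEYMASTER_KEY)


def demo():
    return {
        # the attacker has extracted the key: the PIN falls in seconds
        "leaked_key_recovers_pin": brute_force_pin(FOOTER, DEVICE_KEYMASTER_KEY),
        # without it, no amount of guessing produces a usable KEK
        "wrong_key_recovers_pin": brute_force_pin(FOOTER, b"not the device key", digits=2),
    }
```

With the hardware-bound step intact, an attacker who images the flash still has to drive every guess through the phone's TrustZone, which can rate-limit and which Android's lockout policy slows further. Once the key is extracted, the derivation runs anywhere, and a 4-digit PIN or a short pattern is a matter of seconds; only a long, high-entropy passphrase still holds.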

Moreover, Qualcomm or the OEMs could comply with government or law enforcement requests to break FDE:
"Since the key is available to TrustZone, Qualcomm, and OEMs [Original Equipment Manufacturers] could simply create and sign a TrustZone image which extracts the KeyMaster keys and flash it to the target device," Beniamini wrote. "This would allow law enforcement to easily brute force the FDE password off the device using the leaked keys."
Beniamini has laid out all the technical details of his analysis in his blog post, which is worth reading if you want the full technical picture of the issue with Android's FDE.

Although Beniamini is working with both Qualcomm and Google, the core of the issue may not be fully fixable in software and may require new hardware.

Oculus CEO's Twitter gets Hacked; Hacker declares himself new CEO


Another high-profile Twitter account has been hacked!

This time it is Brendan Iribe, CEO of the Facebook-owned virtual reality company Oculus, whose Twitter account was hacked on Wednesday.

Iribe is the latest in the list of technology chief executives to have had their social media accounts hacked in recent weeks.

Recently, Google CEO Sundar Pichai, former Twitter CEO Dick Costolo and Facebook CEO Mark Zuckerberg have all fallen victim to similar hacks.

The hacker, who has not been identified, changed Iribe's cover photo and replaced his bio with "im not testing ya security im just having a laugh."

The hack became apparent when a tweet from Iribe's Twitter account said: "We here @Oculus are very excited to announce our CEO. @Lid ! :)."

This tweet was followed by another saying:
"Imagine creating the coolest s*** to ever be introduced to gaming and technology but using the same pass for 4 years lol... silly mr CEO!"
All the tweets in question have since been removed from Iribe's Twitter feed, and the account has been restored.

The hacker later told TechCrunch that he gained access to Iribe's Twitter account by using credentials exposed in the recent MySpace data breach.