HSBC UK Hit By DDOS Attack

Online banking services was unavailable for customers of HSBC UK this Friday morning. According to the several statements the bank published via their official Twitter account, they suffered a DDOS attack but successfully defended their system.

Another Tweet stated that HSBC is working with law enforcement to find the cyber criminal who conducted this attack.
According to their latest Tweet, IT guys of the bank are monitoring the situation closely. They are still seeing the DDOS attack but they are gradually recovering from it.

Cisco Patches Critical Vulnerability In Firewall Devices

Cisco has released a firmware update for its Wireless Network Security Firewall RV220W to patch a critical flaw that allows remote attackers to get administrative privileges on the device.
An unauthenticated attacker can send specially crafted http requests containing malicious SQL statements to the device and bypass the authentication to get administrative priviledge. This attack can be carried out only if the remote management feature is enable on the targeted device.

To read more about the vulnerability and what measures can be taken [Click Here]

Beware of New iPhone Crashing Bug

Pranksters are spreading a URL via social networks which direct people clicking on it to crashsafari.com. This particular website crashes your safari browser and if you're an iPhone user, it will be rebooted. This is not the first time that such a bug is discovered. In May 2015, users were crashing each other's phones by sending a specially crafted message via the iMessage app. This issue was fixed in iOS 8.3.1.

If a person visits the website from an Android or a desktop computer, the bug will only crash the browser, even if it is Chrome or Firefox. Crashsafari.com generates very long and increasing string of characters,all via JavaScript code, which overloads the text string in the address bar.

According to Google's statistics, over 400,000 users have already accessed the link,among which 325654 are iPhone users. [Click Here!]

POC:

Mauritian Linux Expert Ish Sookun Arrested

Ish Sookun, the young Mauritian Linux enthusiast has been arrested by the CCID of Mauritius on Saturday evening 23rd January 2016 in relation to an anonymous e-mail on terrorist threats sent to the Prime Minister’s Office. 20 police officers landed at his place around 16.45. During this operation, two laptops, one computer, some drives and a USB stick were seized. The police suspects that the e-mail comes from an Internet café operated by Mr Sookun situated at Curepipe. Mr Kishan Sooklall, the business partner who was operating the cyber cafe has also been arrested.

Both Mr Sookun and his business partner have been presented before the Bail and Remand Court Sunday 24th 2016 and were refused bail. They have been provisionally charged under the Prevention of Terrorism Act and will appear before the Curepipe Court tomorrow. Social workers, Dr Maharajah Madhewoo ,Eddy Sadien and many other member of the No to Biometric ID Card platform along with Mr Sookun's family were present at the Court. Ish retained the service of Mr Sanjeev Teeluckdharry and Mr Eriksson Moneeapillay.

Source: Local News

Apple Fixed Shared Cookie Vulnerability In iOS 9.2.1


Earlier this week, Apple pushed out iOS 9.2.1 which fixed a vulnerability which has been in the wild for nearly 3 years. This vulnerability was discovered by security researchers from Skycure, Yair Amit and Adi Sharabani.

When a user connects to a public network or a captive-enabled network, the iOS device displays a pop-up window that enable the user to use the embedded browser to login the network via HTTP.  The embedded browser shares the same cookie stored with Safari. If a user connect to a rogue network, these cookies, which contains credentials can be stolen by attackers.

The impact of this vulnerability:
  • Steal users’ (HTTP) cookies associated with a site of the attacker’s choice. By doing so, the attacker can then impersonate the victim’s identity on the chosen site.
  • Perform a session fixation attack, logging the user into an account controlled by the attacker–because of the shared Cookie Store, when the victims browse to the affected website via Mobile Safari, they will be logged into the attacker’s account instead of their own.
  • Perform a cache-poisoning attack on a website of the attacker’s choice (by returning an HTTP response with caching headers). This way, the attacker’s malicious JavaScript would be executed every time the victim connects to that website in the future via Mobile Safari.

We advise our readers to update their iOS as soon as possible.


Source:[Skycure]

W^X Security Feature Added to Firefox

Developers of Mozilla have added a security feature to Firefox aimed at protecting against buffer overflow and memory corruption. The security feature,W^X (Write XOR Execute), is present in the OpenBSD operating system and was added inside Firefox's JIT (Just-in-Time) code compiler.

This feature affects how code executed inside the browser interacts with the OS's memory. Starting with the latest Firefox 46 Nightly build, WebPages will either be allowed to write code to the memory or execute code in the memory, not both at the same time. By doing so, the W^X prevents some types of buffer overflow attacks and makes sure that when dynamic arbitrary codes are injected into the process execution stack, Firefox will crash. This will prevent it from blindly running these malicious codes.

This feature was added by Jan De Mooij and core can be read from his blog post [Click Here!]

Visitors

Free counters!

Translate

MauriHackerS - Providing Latest IT Security and Hacking News !