Yearly Archives: 2014

Alibaba Group has patched a major security vulnerability in one of its e-commerce portals that exposed the account details of tens of millions of merchants and shoppers to cyber criminals.
An Israeli application security firm, AppSec Labs, found a cross-site scripting (XSS) vulnerability in AliExpress, the company’s English-language e-commerce site, which had been found vulnerable to a similar flaw a week earlier that compromised the personal information of Alibaba customers. That earlier flaw was fixed shortly after the security firm Cybermoon disclosed it to Alibaba.
AliExpress is an online marketplace owned by the Chinese e-commerce giant, also known as the Google of China. The company serves more than 300 million active users from more than 200 countries, including the U.S., Russia and Brazil. The critical vulnerability found by the researcher could allow an attacker to hijack a merchant’s account.

Using the AliExpress XSS vulnerability, an attacker can inject a malicious script as the value of the message parameter; when the seller browses to the message center on the AliExpress website with his account, the script executes in his browser. Because the payload is stored and runs in the seller’s session, it can lead to several attacks, such as performing actions on behalf of the seller, phishing, and stealing the victim’s session identifier.
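The defect described above is a stored XSS: a value the buyer controls is written into the seller’s message-center page as HTML and is parsed as markup there. The block below is an added example, not AliExpress code or AppSec Labs’ proof of concept. It shows a minimal message-center renderer in its vulnerable form beside a hardened form that HTML-encodes every untrusted field, plus a small regression check that counts the tags a template emits; the message shape, field names and sample inbox are constructed for the example.

```javascript
// Added example (not AliExpress code). The vulnerable renderer splices the buyer-supplied
// message straight into HTML; the hardened one encodes it first. Names and the message
// shape ({ from, message }) are assumptions made for this example.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that change meaning inside HTML text or quoted attributes.
// This is the right encoder for those two contexts only; JavaScript, URL or CSS contexts
// each need their own encoding.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable: untrusted fields are interpolated into markup unchanged, so any tags in
// `message` are parsed by the seller's browser as part of the page.
function renderMessageVulnerable(msg) {
  return `<li class="msg"><b>${msg.from}</b>: ${msg.message}</li>`;
}

// Hardened: each untrusted field is encoded at the point where it enters HTML.
function renderMessageSafe(msg) {
  return `<li class="msg"><b>${escapeHtml(msg.from)}</b>: ${escapeHtml(msg.message)}</li>`;
}

function renderInbox(messages, renderer) {
  return `<ul>${messages.map(renderer).join('')}</ul>`;
}

// Regression check for a template: count opening tags in the output. The template emits
// exactly one <ul> plus <li> and <b> per message; any extra tag came from user data.
function openingTagCount(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

function expectedTagCount(messages) {
  return 1 + 2 * messages.length;
}

// Constructed sample inbox: one plain message and one that carries markup.
const SAMPLE_INBOX = [
  { from: 'buyer01', message: 'Is this item available in blue?' },
  { from: 'buyer02', message: 'Great <b>deal</b> & fast shipping' },
];

// A response header a defender pairs with output encoding, so that an encoding miss
// still cannot load attacker-controlled script from another origin.
const CONTENT_SECURITY_POLICY = "default-src 'self'; script-src 'self'; object-src 'none'";

const vulnerableHtml = renderInbox(SAMPLE_INBOX, renderMessageVulnerable);
const safeHtml = renderInbox(SAMPLE_INBOX, renderMessageSafe);
console.log('vulnerable:', vulnerableHtml, openingTagCount(vulnerableHtml), 'tags');
console.log('hardened:  ', safeHtml, openingTagCount(safeHtml), 'tags');
console.log('Content-Security-Policy:', CONTENT_SECURITY_POLICY);
```

Run with `node` to see both renderings side by side: the vulnerable inbox contains one tag more than the template accounts for, which is the buyer’s `<b>` being interpreted as markup, while the hardened inbox shows the same characters as literal text.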

The vulnerability was discovered by Barak Tawily, a 21-year-old application security researcher at AppSec Labs. Exploiting it allowed him to change product prices, delete goods, and even close the merchant’s shop on the site.
Barak has also provided a proof-of-concept (PoC) video to The Hacker News by email, explaining the full attack on the AliExpress website, which you can watch below:

“A skilled hacker might exploit this vulnerability and perform a ranged attack by sending malicious messages to all AliExpress sellers, and will cause huge damage to the AliExpress website,” Tawily said.

AppSec Labs immediately reported the vulnerability to the Chinese e-commerce giant’s team through emails and phone calls, providing full details of the flaw. The company didn’t respond immediately, but last week, when AppSec Labs spoke to the Israeli media about the issue, Alibaba contacted the security firm.


The vulnerability has now been patched by the company and it is urging its customers to update their accounts immediately.


“We are aware of the issue and took immediate steps to assess and remedy the situation,” said Candice Huang, manager of International Corporate Affairs for Alibaba Group. “We have already closed the potential vulnerability and we will continue to closely monitor the situation. The security and privacy of our customers is our highest priority and we will do everything we can to continue to ensure a secure trading environment on our platforms.”

Source : THN


The Delhi High Court has just declared a ban on the sale of Xiaomi handsets in India after Ericsson accused the latter of infringing upon its patents. The court has restrained Xiaomi and its agents from making, assembling, importing or selling its devices which infringe the mobile phone technology patented by Ericsson.

In less than a year after its launch in India, Xiaomi has become one of the biggest players in the smartphone industry, posing as a tough competitor to Samsung and Micromax. India has also become the second largest market for Xiaomi after its home country, China. The Delhi court’s judgement will be a huge blow for Xiaomi, which is vying for the top position in India with a range of best-selling smartphones including the Redmi 1s, Mi 3 and the Redmi Note.

So does this mean an end of the Xiaomi era in India? Sorry Samsung, but the chances of a complete ban seem to be quite slim.

As the injunction was taken on an ex parte basis, Xiaomi was not given a chance to defend itself in court. But if we’ve learnt anything from past instances, Xiaomi is likely to reject the charges and file an appeal with the Delhi High Court, giving it the chance to negotiate terms with Ericsson.

Not only has the Delhi court taken harsh action against Xiaomi by banning its devices in India, it has done so by looking at just one side of the story. Instead of investigating the matter first, the court has ordered a probe after the judgement has been made. Chances are that the ban will apply only until the authorities finish the inspection and nail down the devices that infringe Ericsson’s patents, or that the ban will be applied only to specific Xiaomi handsets.

Infringing upon Ericsson’s patents is not unique to Xiaomi. Big players including Micromax, Gionee, Intex and even Samsung and Acer have also been sued by Ericsson for using its patented technologies and yet, they continue to sell their devices freely across the globe.

In early 2013, Ericsson sued Micromax for infringing eight of its patents for a range of wireless technologies, including 3G, AMR and EDGE. The Delhi High Court then granted an ex parte interim injunction, similar to how it has handled the case with Xiaomi. Instead of a ban, the Delhi High Court ordered Micromax to pay a percentage of sales in the form of royalties for each phone that uses Ericsson’s technologies until December 2015.

In its defence, Micromax accused Ericsson of failing to adhere to global commitments on providing its industry-essential patents to handset makers under its fair, reasonable and non-discriminatory (FRAND) terms. Considering the fact that Ericsson is no longer a player in the handset industry, it has a lot to gain from the royalties it earns from manufacturers using its patented technologies. So a complete ban on Xiaomi in India would also hurt Ericsson’s chances of earning through royalties.

Similarly, Ericsson also sought a ban on Samsung products in the US two years ago over 24 patent infringements. One of these includes the technology used in translating speech into digital information and back, which is now basic to every mobile phone. These essential technologies are governed by patents that come under Standard-Essential Patents (SEPs). As with most companies, Samsung refused to pay the fees because Ericsson was reportedly asking for unreasonable amounts as royalties.

Xiaomi’s case is no different. The company is said to have infringed upon SEPs, which are subject to Fair, Reasonable and Non-Discriminatory (FRAND) terms. Big players including Apple and Samsung have both been victims of, and guilty of, SEP abuse, which is used to stymie one another in the highly competitive mobile market.

We hope that the Delhi High Court revisits its decision to ban Xiaomi devices, while also making sure that tech firms do not use SEPs as weapons to bully manufacturers into paying obscene amounts in royalties.


Source : FirstPost

The Pirate Bay — an infamous torrent website predominantly used to share copyrighted material such as films, TV shows and music files, free of charge — went dark on Tuesday after Swedish police raided the site’s server room in Stockholm and seized several servers and other equipment.
The piracy site was knocked offline worldwide on Tuesday morning and remained unavailable for several hours, but it appeared back online late in the day at a new URL hosted under the top-level domain for Costa Rica.
Paul Pintér, national coordinator for IP enforcement for the Swedish police, issued only a brief statement on Tuesday, saying that the operation was “a crackdown on a server room in Greater Stockholm” that was “in connection with violations of copyright law.”
The raid was also confirmed by Fredrik Ingblad, a prosecutor who specializes in file-sharing cases on behalf of the Swedish government, although he would not share further details or even confirm that The Pirate Bay was the target.

“There were a number of police officers and digital forensics experts there,” Ingblad told Sveriges Radio (SR), the local media. “This took place during the morning and continued until this afternoon. Several servers and computers were seized, but I cannot say exactly how many. I can’t say exactly what the crime is yet.”

However, this is not the first time the site has gone dark. The Pirate Bay has previously been shut down a number of times and had its domain seized, prompting the BitTorrent site to change its top-level domain many times. Back in September, The Pirate Bay claimed that it ran the notorious website on 21 “raid-proof” virtual machines, meaning that if one location were raided by the police, the site would need only a few hours to get back in action.
The raid comes almost a month after the arrest of Fredrik Neij, the third and final founder of The Pirate Bay, at the border between Laos and Thailand on November 3. He had been convicted by Swedish courts for sharing copyrighted material more than five years ago.
Not just The Pirate Bay, but the torrent portal’s forum, image-hosting website and text-hosting website, along with a number of other torrent-related sites including EZTV, Zoink, Torrage and the Istole tracker, have also been knocked offline in this most recent crackdown on the sharing of copyrighted material.
It has also been reported that at least one man may have been detained by police in connection with Tuesday’s raid, according to the file-sharing news site TorrentFreak. But Fredrik Ingblad did not confirm or deny that one person had been detained.
Since its launch in 2003, The Pirate Bay (TPB) has become the world’s largest torrent tracker site; it handles requests from millions of users every day and is among the top 100 most visited websites on the Internet. It is infamous for potentially hosting illegal content.
Source : THN

Security researchers have discovered a number of critical vulnerabilities in the Java environment of the Google App Engine (GAE) that enable attackers to bypass critical security sandbox defenses.
Google App Engine is Google’s PaaS (Platform as a Service) cloud computing platform for developing and hosting web applications in Google-managed data centers. GAE runs custom-built programs written in a wide variety of popular languages and frameworks, many of which are built on the Java environment.
The vulnerabilities were reported by Security Explorations, the same security research company that has carried out multiple Java-related research projects in the past. The discovery was announced on the Full Disclosure security mailing list by Adam Gowdiak, founder and CEO of Security Explorations.
According to the security firm, the flaws can be exploited by attackers to achieve a complete Java VM security sandbox escape, as well as to execute arbitrary code. The researchers estimate the number of issues at “30+ in total.”
By exploiting the vulnerabilities, the researchers were able to bypass Google App Engine’s whitelisting of JRE classes and gain access to the full JRE (Java Runtime Environment). They discovered 22 full Java VM security sandbox escape issues and were able to exploit 17 of them successfully.
Moreover, the researchers were able to execute native code, specifically to issue arbitrary library/system calls and to gain access to the files (binary/classes) comprising the JRE sandbox. They even siphoned off DWARF information from binary files, PROTOBUF definitions from Java classes and PROTOBUF definition from binary files among others.
However, the researchers have been unable to finish their research because Google suspended their test Google App Engine account.

“Unfortunately, we cannot complete our work due to the suspension of the “test” GAE account that took place today,” Gowdiak wrote. “Without any doubt this is an opsec failure on our end (this week we did poke a little bit more aggressively around the underlying OS sandbox / issued various system calls in order to learn more about the nature of the error code 202, the sandbox itself, etc.).”

As Google has generally been supportive and helpful to the security research community, the researchers at the security firm believe that Google will allow them to complete their research and re-enable their Google App Engine account.
Source : THN

Motorola has started rolling out the Android 5.0 Lollipop update for the first-generation Moto G – aka Moto G (2013), Moto G (XT1033), and Moto G (Gen 1) – in India.
The Android 5.0 Lollipop update for the dual-SIM enabled Moto G (XT1033) is now available OTA (over-the-air) and comes with build number 220.21.16.en.03.


Moto G (Gen 1) users will either receive a notification for the OTA update to Android 5.0 Lollipop, or they can check manually for the update by visiting Settings > About phone > System updates. With either method, users then have to select ‘Yes, I’m in’ to authorise the download of the update, and then tap ‘Install now’.

An XDA Developers’ forum member also posted a screenshot of the Android 5.0 Lollipop update for the Moto G (Gen 1), showing the build number and changelog.

Notably, the company has also posted the changelog for the update on its ‘Release Notes’ support page. It includes the new Material Design UI, with fluid animations, new application and system themes, colours and widgets, as well as the new notifications UI that now appears on the lock screen. Other new features in the Android 5.0 Lollipop update for the first-generation Moto G include Smart Lock; new interruptions and downtime settings that offer the option to tailor how interruptions behave; redesigned multitasking; Ambient Display, which now shows notifications without turning on the full display; a revamped Motorola Assist; and the new flashlight option in Lollipop’s Quick settings.

Also listed are smarter Internet connections and performance improvements via the new Android Runtime (ART), which helps optimise app performance.

The Lenovo-owned company had last week updated its ‘Motorola Update Services’ app in Google Play ahead of an impending Android 5.0 Lollipop update for the first-generation Moto G. Users last week were also reporting that Motorola had started the Android 5.0 Lollipop ‘soak test’ in India with members of the Moto Feedback Network.

Last month, the company officially announced the OTA rollout of the latest Android update for the Moto G (Gen 2) and Moto X (Gen 2) smartphones.


Source : NDTV

A cyber security firm investigating the hacking of Sony Pictures Entertainment has called the attack on the studio’s technology systems “unprecedented,” Michael Lynton, Sony chief executive, told employees Saturday in an email.

Sony Entertainment CEO Michael Lynton told employees of the embattled studio Saturday that the hack attack that has resulted in the leak of employees’ personal information and internal business documents is unprecedented in nature.

Lynton’s email message was obtained by Variety and includes a note from Kevin Mandia, the founder of the cyber security firm Mandiant that Sony has tapped in recent weeks to help it respond to the breach.

Mandia argues that Sony could not have been fully prepared for the assault because “the scope of this attack differs from any we have responded to in the past, as its purpose was to both destroy property and release confidential information to the public. The bottom line is that this was an unparalleled and well planned crime, carried out by an organized group.”

The investigation into the incident is ongoing, and Sony has been working with law enforcement officials to try to figure out the cause of the attack and to stop the dissemination of its business information. Mandia’s words also serve to combat any criticism that Sony was inadequately protected against a cyber assault of this nature.

The hacking has left Sony reeling. Personal information of its 3,803 employees has leaked online, along with a spreadsheet purportedly listing salaries of top studio executives. Five of the studio’s films, including “Annie” and “Still Alice,” turned up on the Internet, where they have been widely pirated. On Friday, a threatening email was sent to employees warning them and their families of “danger.”

A group calling itself Guardians for Peace has taken credit for the attack, and there has been speculation that North Korea might be involved in the hacking as retaliation for “The Interview,” an upcoming Sony comedy about a plot to assassinate the country’s leader Kim Jong-un starring Seth Rogen and James Franco.

Here’s the full text of Lynton and Mandia’s messages:

Over the last week, some of you have asked about the strength of our information security systems and how this attack could have happened. There is much we cannot say about our security protocols for obvious reasons, but we wanted to share with you a note we received today from Kevin Mandia, the founder of the expert cybersecurity firm that is investigating the cyber-attack on us. The investigation is ongoing, but Mr. Mandia’s note is helpful in understanding the nature of what we are dealing with. Full text below.

We also want to thank you once again for your resilience and resourcefulness in carrying out our critical day-to-day activities under incredibly stressful circumstances. As a result of your efforts, we have made great progress moving our business forward, and we will continue to do so.

— — —
Dear Michael,

As our team continues to aid Sony Pictures’ response to the recent cyber-attack against your employees and operations, I wanted to take a moment to provide you with some initial thoughts on the situation.

This attack is unprecedented in nature. The malware was undetectable by industry standard antivirus software and was damaging and unique enough to cause the FBI to release a flash alert to warn other organizations of this critical threat.

In fact, the scope of this attack differs from any we have responded to in the past, as its purpose was to both destroy property and release confidential information to the public. The bottom line is that this was an unparalleled and well planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared.

We are aggressively responding to this incident and we will continue to coordinate closely with your staff as new facts emerge from our investigation.

Kevin Mandia

The massive hacking attack against Sony Pictures Entertainment has reached a totally unbelievable and scary phase, as multiple media sources are reporting that Sony Pictures employees received e-mails from the hackers threatening to harm them and their family members.

Said one employee, “It’s really crazy and scary.”

It seems that matters for Sony Pictures are getting worse with time. Last month’s hacking attack on Sony Pictures Entertainment took the studio’s internal corporate systems offline and spewed confidential information onto the Internet. A hacker group that identifies itself as #GOP (Guardians of Peace) claimed responsibility for the hack and apparently stole reams of internal corporate data as well.
The ongoing hacking nightmare that Sony Pictures has been suffering for over a week now seemingly has gotten very personal. An email allegedly from the Guardians of Peace hackers showed up in the inboxes of a number of Sony employees this afternoon threatening them, their families, and saying the company will “collapse.” It also implied the action was an inside job, adding in broken English that “one beside you can be our member.”
“Please sign your name to object the false (sic) of the company at the email address below, if you don’t want to suffer damage. If you don’t, not only you but your family will be in danger.”

Sony had already been working with the FBI over the hacking that shut down the company’s computer system, revealed executive, employee and talent info and apparently leaked online five films, including the still-in-theaters Fury and the yet-to-be-released Annie. In an email to staff Tuesday, Sony bosses Michael Lynton and Amy Pascal, who had details of their financial arrangements with the company made public, called the hacking “malicious criminal acts.”

Here is the email Sony employees received today:

I am the head of GOP who made you worry.

Removing Sony Pictures on earth is a very tiny work for our group which is a worldwide organization. And what we have done so far is only a small part of our further plan. It’s your false if you if you think this crisis will be over after some time. All hope will leave you and Sony Pictures will collapse. This situation is only due to Sony Pictures. Sony Pictures is responsible for whatever the result is. Sony Pictures clings to what is good to nobody from the beginning. It’s silly to expect in Sony Pictures to take off us. Sony Pictures makes only useless efforts. One beside you can be our member.

Many things beyond imagination will happen at many places of the world. Our agents find themselves act in necessary places. Please sign your name to object the false of the company at the email address below if you don’t want to suffer damage. If you don’t, not only you but your family will be in danger.

Nobody can prevent us, but the only way is to follow our demand. If you want to prevent us, make your company behave wisely.

Many a time we deal with those strange words and phrases that ask us to type them back in plaintext while signing up for an account. Yes, those increasingly annoying CAPTCHAs, which are both time-consuming and sometimes very difficult to read. If you really are tired of these distorted series of characters, then there is good news for you.
For the convenience of people, Google has re-introduced its CAPTCHA system with a full makeover, called reCAPTCHA, to make things easier for users who squint their eyes and make errors while typing. This new CAPTCHA-like system will let people into websites with only a single click.

What is reCAPTCHA?

reCAPTCHA is a free service to protect your website from spam and abuse. reCAPTCHA uses an advanced risk analysis engine and adaptive CAPTCHAs to keep automated software from engaging in abusive activities on your site. It does this while letting your valid users pass through with ease.

reCAPTCHA offers more than just spam protection. Every time our CAPTCHAs are solved, that human effort helps digitize text, annotate images, and build machine learning datasets. This in turn helps preserve books, improve maps, and solve hard AI problems.

CAPTCHA actually stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”. It is used by online services and websites to verify that you’re not a robot and to stop automated programs from signing up for email accounts, cracking passwords, sending spam, violating privacy and so on.
However, now we’ll have a one-click solution for telling websites that we are, in fact, a human being. In place of the CAPTCHA, we’ll now have “No CAPTCHA reCAPTCHA” – just one checkbox with “I’m Not a Robot” next to it.
The search engine giant recently conducted a test which showed that sophisticated computer programs could fool the typical CAPTCHA 99.8 percent of the time, which means that it has been broken for a long time and most spammers are happy to run their scripts knowing that just one in ten will slip through.

“While the new reCAPTCHA API may sound simple, there is a high degree of sophistication behind that modest checkbox,” reads the Google blog post. “CAPTCHAs have long relied on the inability of robots to solve distorted text. However, our research recently showed that today’s Artificial Intelligence technology can solve even the most difficult variant of distorted text at 99.8% accuracy. Thus distorted text, on its own, is no longer a dependable test.”

So, Google is rolling out the next generation of CAPTCHA, which doesn’t resemble a CAPTCHA at all. Instead of seeing the clunky old-generation CAPTCHA you’re used to, like this:
Users will now be presented with a checkbox that they can click with their mouse or, if they’re on a mobile device, tap with a finger.
But here’s the trick! After asking if you’re a bot, the “No CAPTCHA reCAPTCHA” API decides whether it is happy with your answer and, if not, you might still be asked to solve a CAPTCHA. So “No CAPTCHA” is basically the question, and reCAPTCHA is, well, the CAPTCHA itself.
The fallback challenge uses image recognition to thwart bots. You might be shown a picture of a cat, then asked to select similar photos from a grid to verify you’re a human. The images on the grid aren’t the same cat, but they are cats, and humans understand that cats are cats and “match”. Bots don’t.
“No CAPTCHA reCAPTCHA” is backed by a powerful back-end algorithm, according to Google, and the company is encouraging every website that uses CAPTCHAs to switch to the new system. The old API will remain active, and many sites may decline to upgrade, but the overall effect will be great.
Already, many online services including Snapchat, WordPress and Humble Bundle have begun deploying the new No CAPTCHA reCAPTCHA to speed humans through the verification process. Given Google’s reach, the move is also likely to be adopted by hundreds of thousands of websites over the coming months. I have written a PHP code example showing how to use Google reCAPTCHA on your website. Simply rename it to .php and use it.
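The checkbox only yields a response token in the browser; the step that actually protects a site is its own server posting that token, together with the site’s secret key, to Google’s siteverify endpoint and acting on the JSON answer. The block below is an added example in Node.js and is not the PHP file the author mentions. It uses the documented reCAPTCHA v2 siteverify endpoint and response fields (`success`, `hostname`, `error-codes`); the secret, the tokens, the hostname `shop.example` and the stand-in endpoint `fakeSiteverify` are constructed for the example so that it runs offline.

```javascript
// Added example (not the article author's PHP snippet): server-side verification of a
// "No CAPTCHA reCAPTCHA" response token. Endpoint URL and response fields are the
// documented reCAPTCHA v2 API; secrets, tokens and hostnames below are constructed.

const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

// Build the form body the endpoint expects. `remoteip` is optional but lets Google's
// risk analysis see the end user's address rather than your server's.
function buildSiteverifyBody(secret, token, remoteIp) {
  const params = new URLSearchParams({ secret, response: token });
  if (remoteIp) params.set('remoteip', remoteIp);
  return params.toString();
}

// Decide whether a siteverify answer should let the request through. Besides `success`,
// check that the token was solved on your own domain when a hostname is configured:
// a token solved on a look-alike site must not be accepted here.
function evaluateSiteverifyResult(result, expectedHostname) {
  if (!result || result.success !== true) {
    const codes = (result && result['error-codes']) || ['no-success'];
    return { ok: false, reason: codes.join(',') };
  }
  if (expectedHostname && result.hostname !== expectedHostname) {
    return { ok: false, reason: 'hostname-mismatch' };
  }
  return { ok: true, reason: 'verified' };
}

// Verify the token a form submission carried (the `g-recaptcha-response` field).
// `doFetch` defaults to the global fetch (Node 18+) and is injectable for offline use.
async function verifyRecaptcha({ secret, token, remoteIp, expectedHostname }, doFetch = fetch) {
  if (typeof token !== 'string' || token.length === 0) {
    return { ok: false, reason: 'missing-token' };
  }
  const res = await doFetch(SITEVERIFY_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildSiteverifyBody(secret, token, remoteIp),
  });
  const result = await res.json();
  return evaluateSiteverifyResult(result, expectedHostname);
}

// Constructed stand-in for the endpoint: it accepts exactly one token, solved on one
// hostname, and answers everything else with a real siteverify error code.
function fakeSiteverify(url, init) {
  const params = new URLSearchParams(init.body);
  const token = params.get('response');
  const body = token === 'good-token'
    ? { success: true, hostname: 'shop.example', challenge_ts: '2014-12-03T10:00:00Z' }
    : { success: false, 'error-codes': ['invalid-input-response'] };
  return Promise.resolve({ json: () => Promise.resolve(body) });
}

// Stand-alone demonstration against the constructed endpoint.
verifyRecaptcha(
  { secret: 'example-secret', token: 'good-token', remoteIp: '203.0.113.5', expectedHostname: 'shop.example' },
  fakeSiteverify
).then((r) => console.log('good token:', r));
verifyRecaptcha(
  { secret: 'example-secret', token: 'replayed-or-forged', expectedHostname: 'shop.example' },
  fakeSiteverify
).then((r) => console.log('bad token: ', r));
```

To use it against the live endpoint, call `verifyRecaptcha` without the second argument and pass the site’s real secret key from configuration; the secret must never be sent to the browser, only the public site key belongs in the page markup. Tokens are single-use, so a replayed token comes back with `timeout-or-duplicate` and is rejected by the same path.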
Source : THN

Truecaller received a funding of USD 60 million (over Rs 368 crore) from a group of investors, including Atomico and Sequoia Capital in October.

The company will use the Series C round of financing to fuel product development, hire new talent and expand the company’s global footprint, including in its largest market India.

“We have over 200,000 new users joining daily and almost half of this are from India. About 40 million of our userbase is from India. The number of smartphone users is growing strongly here,” TrueCaller chief executive officer and co-founder Alan Mamedi had said.

He added that looking at the importance of the Indian market, the company had set up an office here last year.

“We will add 3-5 people more at the office in Gurgaon,” he had said.

Truecaller also runs another app, Truedialer, to offer users details of a person before the outgoing call is connected. Launched in October, Truedialer already has more than two million users.

Truecaller has launched an update for its app on Google Play. The new update focuses on predictive style features, which suggests who to contact based on call history, time of day, and place.

Truecaller has surpassed 100 million users globally, and has doubled its daily new users in less than three months. Consumers use Truecaller to identify unknown numbers, block unwanted calls, and search contact information among people and businesses. In addition to the surge in the user base, Truecaller also receives more than 1.5 billion search requests per month.

New features

Receive Suggested Contacts: Truecaller can now predict who you may want to reach and make relevant suggestions based on call history, time, or location.

Complete Contact Profiles: Truecaller keeps the phonebook up to date with relevant information by adding social media profiles and photos.

Smarter Search and Discovery: Now you can search within your contacts as well as names and numbers beyond your existing phone book with an extensive list of more than 1.5 billion contacts.

Easily Place Calls and Send Texts: Once a user profile is pulled, you just need to swipe left to text or swipe right to place a call.


Android Lollipop has been around for a while now, and now that the first rush of excitement has subsided, we’re down to answering the most fundamental question. What is it like to actually live with Lollipop?

The answer – not so great actually.

In the thrill of receiving Lollipop on the Nexus 4 device (I wrote about that here), it was easy to get caught up in just how pretty the whole OS was. The notifications are clean, the revamped colours are exciting, the contacts section looks awesome and the new keypad (white instead of black) is much clearer and better.

However, despite the appearance and some other obvious benefits – like the ‘battery saver’ feature that can effectively drag out the last dregs of your battery – there have been a few bugs in the OS that are simply too glaring to ignore.

Getting stuck on the start animation

This has happened a number of times. While starting, the phone gets stuck on the Lollipop animation, which is essentially four coloured dots looping around each other. The phone is supposed to pass from this screen into another that says ‘android’ before it finally opens up your home screen. Instead you’re stuck watching those dots looping around and around till you feel vaguely dizzy. And according to this report in the Android Central forum, there are others who are facing this issue as well.

We were able to resolve it by performing a ‘hard reset’ – that is, holding down the power button and the ‘down’ volume button together for a few seconds. But other users on Android forums have said that they had to perform a full factory reset before the issue was resolved. This is an extreme step, given that you will lose everything on your phone once you do it.

Google clearly needs to release a fix for this… and fast.

Camera performance

The camera on the device is almost unusable now. Firstly, it takes forever to open on the phone, and another eternity before it begins to focus. And on a number of occasions, it has just completely crashed the entire device. The pictures it does take are often fuzzy and unclear. So if you’re hoping to capture a few of those special moments, be prepared to watch your phone shut down instead.

And like the previous problem, this is not one that is unique to just this phone.

According to this report in Gizmodo, ‘lagging and crashing’ is one of the ‘biggest’ problems with the new OS.

Network issues

This has been a widely documented issue with the OS upgrade, and our device has not been spared either. More often than not, the network symbol has a little exclamation mark next to it, which means there is no internet access. Restarting the device sometimes does the trick, but you don’t always realise that you have lost connectivity. Given that this happens more than once a day, one now has to check obsessively, which obviously should not be necessary.

Laggy Keyboard

The space bar on the keyboard doesn’t always seem to work and sometimes it just can’t seem to keep up with the pace of our typing. Now we were not in a speed typing contest, so this is not in any way a reflection of skills. But compared to some other users, we got off easy. For example, a colleague has to contend with seeing this:


All this of course begs the question – why was Google in such a hurry to release Lollipop ahead of time when it was still clearly buggy? The number of complaints on common forums for Android and Nexus are testimony to the fact that there are a lot of disgruntled Lollipop users out there, and there is no word from Google on fixes and updates yet.

Some tech help sites suggest a factory reset and even the extreme step of rolling back to Android KitKat until the situation improves. While we wouldn’t go that far as yet, one wouldn’t blame someone who would.

Source : FirstPost