Authors Posts by Ayush Saraswat

Founder and Editor-in-Chief of 'Professional Hackers India'. Technology Evangelist, Security Analyst, Cyber Security Expert, PHP Developer and Part time hacker.


Cases of e-commerce companies being duped have increased at an alarming rate in India. This Friday, two techies were arrested by the police in Hyderabad for cheating the Indian e-commerce portal Flipkart by claiming a refund even after receiving the iPhone they ordered.

In his list of the best news of 2015, Bill Gates placed the growth of mobile commerce in 5th position. This can be attributed directly to the unprecedented growth observed in developing nations. As a result, we are witnessing a similar rise in the business of online retailers in India. Websites like Flipkart, Amazon, Snapdeal, and eBay are competing with each other to capture a larger chunk of the nascent user base. In the past, we have read multiple reports about these websites being duped by Indian e-commerce buyers. Recently, two techies were arrested by the police in Hyderabad for cheating the e-commerce portal Flipkart when they tried to steal an iPhone worth Rs. 51,590 (about $800).

The accused Naveen Kumar earlier worked with Amazon India, while his partner in crime Atul Sharma is still working with the company.

The duo ordered an iPhone 6, and it was delivered to them within 2-3 days. However, even after receiving the handset, they claimed that the package contained garbage. Showing faith in its customers, Flipkart immediately refunded the entire amount to Atul Sharma.

“On January 21, Naveen called up Flipkart and complained that when he opened the parcel, instead of an iPhone, he found paper and rubber inside the box. The company refunded the entire amount and the duo shared it among themselves,” Detective Inspector Chikkadpally P. Balvanthaih said.

But they didn’t know that Flipkart had lodged a police complaint to trace the phone. Unluckily for them, the police acted swiftly and traced the phone to a person named Manish Sharma, a friend of the fraudster duo.

“The present case is a case in point to show that several customers are taking advantage of the return and refund policy of e-commerce companies to indulge in theft and cheating,” Flipkart said in a statement issued after the arrest.

The number of such incidents has grown rapidly in India in recent times. Abusing the good faith of e-commerce companies with fake claims harms the Indian industry by eroding that trust.

Photo caption: A sign hangs at the Grand Hyatt Hotel at the Dallas-Fort Worth International Airport in Dallas, Texas, U.S., on Thursday, Nov. 5, 2009. Photographer: Matt Nager/Bloomberg
Hyatt Hotels’ data is the latest to fall prey to hackers.

The company said on Wednesday, December 23, that it is investigating malware it found on computers used to process customers’ payments, and that it is consulting with cyber security experts.

The data breach only affected properties managed by Hyatt and not franchise locations, the company said. As of Sept. 30, that included 318 properties.

Hyatt Hotels’ current portfolio contains 627 properties in 52 countries.

“We have taken steps to strengthen the security of our systems, and customers can feel confident using payment cards at Hyatt hotels worldwide,” the company posted on a website for updates about the hack.

A spokeswoman for the company said, “the malware has been identified on computers that operate the payment processing systems for Hyatt-managed locations, which is a subset of the total Hyatt properties.”

Customers in the U.S. and Canada can contact Hyatt with questions at 1-877-218-3036 or +1-814-201-3665 from all other countries.

Data breaches have become a widespread problem, and everything from children’s selfies to troves of government personnel records has been targeted this year.

“As soon as Hyatt discovered the activity, the company launched an investigation and engaged leading third-party cyber security experts,” Hyatt wrote in a statement.

Hyatt joins a number of other hotel businesses that have recently been compromised by hackers, including Hilton Worldwide, Mandarin Oriental, and Starwood Hotels & Resorts Worldwide. A recent study actually found that most big hotel chains have vulnerable computer systems.

If you have stayed with Hyatt, review your credit-card statement right away for any unusual activity. Most card companies won’t hold you liable for fraudulent charges, and even if they do, the maximum you can be charged is $50 by law.

Hyatt will be posting updates regarding its investigation at hyatt.com/protectingourcustomers. Concerned customers can also call 1-877-218-3036. The chain says it “has taken steps to strengthen the security of its systems” since the hacking.


Ever wonder how to hack Instagram or how to hack a Facebook account? Well, someone just did it!

But remember, even responsibly reporting a security vulnerability could end with legal action being taken against you.

An independent security researcher claims he was threatened by Facebook after he responsibly reported a series of security vulnerabilities and configuration flaws that allowed him to gain access to sensitive data stored on Instagram servers, including:

  • Source Code of Instagram website
  • SSL Certificates and Private Keys for Instagram
  • Keys used to sign authentication cookies
  • Personal details of Instagram Users and Employees
  • Email server credentials
  • Keys for over a half-dozen critical other functions

However, instead of paying him a reward, Facebook has threatened to sue the researcher for intentionally withholding flaws and information from its team.

Wesley Weinberg, a senior security researcher at Synack, participated in Facebook’s bug bounty program and started analyzing Instagram systems after one of his friends pointed him to a potentially vulnerable server located at sensu.instagram.com.

The researcher found an RCE (Remote Code Execution) bug in the way the server processed users’ session cookies, which are generally used to remember users’ log-in details.

The remote code execution bug was possible due to two weaknesses:

  1. The Sensu-Admin web app running on the server contained a hard-coded Ruby secret token
  2. The host was running a version of Ruby (3.x) that was susceptible to code execution via the Ruby session cookie

Exploiting the vulnerability, Weinberg was able to force the server to dump a database containing login details, including credentials, of Instagram and Facebook employees.

Although the passwords were hashed with ‘bcrypt’, Weinberg was able to crack a dozen very weak passwords (like changeme, instagram, password) in just a few minutes.

Exposed EVERYTHING including Your Selfies

Weinberg did not stop there. He took a close look at other configuration files he found on the server and discovered that one of them contained keys for Amazon Web Services accounts, the cloud computing service used to host Instagram’s Sensu setup.

These keys listed 82 Amazon S3 buckets (storage units), but the key pair only gave access to one of them. He found nothing sensitive in the latest version of the file in that bucket, but when he looked at an older version of the file, he found another key pair that let him read the contents of all 82 buckets.

Weinberg had inadvertently stumbled upon almost EVERYTHING including:

  • Instagram’s source code
  • SSL certificates and private keys (including for instagram.com and *.instagram.com)
  • API keys that are used for interacting with other services
  • Images uploaded by Instagram users
  • Static content from the instagram.com website
  • Email server credentials
  • iOS/Android app signing keys
  • Other sensitive data

“To say that I had gained access to basically all of Instagram’s secret key material would probably be a fair statement,” Weinberg wrote in his blog. “With the keys I obtained, I could now easily impersonate Instagram, or any valid user or staff member. While out of scope, I would have easily been able to gain full access to any user’s account, [personal] pictures and data.”

Responsible Disclosure, but Facebook Threatens Lawsuit

Weinberg reported his findings to Facebook’s security team, but the social media giant was concerned that he had accessed private data of its users and employees while uncovering the issues.

Instead of receiving a reward from Facebook for his hard work, Weinberg was disqualified from the bug bounty program by Facebook.

In early December, Weinberg claims, his boss, Synack CEO Jay Kaplan, received an alarming call from Facebook security chief Alex Stamos regarding the weaknesses Weinberg had discovered in Instagram, which left Instagram and Facebook users wide open to a devastating attack.

Stamos “stated that he did not want to have to get Facebook’s legal team involved, but that he was not sure if this was something he needed to go to law enforcement over,” Weinberg wrote in his blog in a section entitled ‘Threats and Intimidation.’

In response, Stamos issued a statement, saying he “did not threaten legal action against Synack or [Weinberg] nor did [he] ask for [Weinberg] to be fired.”

Stamos said he only told Kaplan to “keep this out of the hands of the lawyers on both sides.”

“Condoning researchers going well above and beyond what is necessary to find and fix critical issues would create a precedent that could be used by those aiming to violate the privacy of our users, and such behavior by legitimate security researchers puts the future of paid bug bounties at risk,” Stamos added.

Facebook Responds

After the researcher’s original publication, Facebook issued its response, saying the claims are false and that Weinberg was never told not to publish his findings, but was only asked not to disclose the non-public information he had accessed.

The social media giant confirmed the existence of the remote code execution bug on the sensu.instagram.com domain and promised a bug bounty of $2,500 as a reward to Weinberg and his friend, who initially hinted that the server was openly accessible.

However, the other vulnerabilities that allowed Weinberg to gain access to sensitive data did not qualify, with Facebook saying he violated user privacy while accessing the data.

Here’s the full statement by Facebook:

We are strong advocates of the security researcher community and have built positive relationships with thousands of people through our bug bounty program. These interactions must include trust, however, and that includes reporting the details of bugs that are found and not using them to access private information in an unauthorized manner. In this case, the researcher intentionally withheld bugs and information from our team and went far beyond the guidelines of our program to pull private, non-user data from internal systems.

We paid him for his initial bug report based on the quality, even though he was not the first to report it, but we didn’t pay for the subsequent information that he had withheld. At no point did we say he could not publish his findings — we asked that he refrain from disclosing the non-public information he accessed in violation of our program guidelines. We remain firmly committed to paying for high quality research and helping the community learn from researchers’ hard work.

Many Windows 7 and Windows 8.1 users don’t want to upgrade their machines to Microsoft’s newest Windows 10 operating system now or anytime soon, do they?
But what if you wake up in the morning and find yourself a Windows 10 user?

That’s exactly what Microsoft is doing to Windows 7 and 8.1 users.

Windows 10 Upgrade Becomes More Aggressive

Ever since Microsoft launched its new operating system over the summer, Windows 7 and 8.1 users have been pushed several times to upgrade their machines to Windows 10.
It was relatively inoffensive at first, but as the days have passed, Microsoft has become increasingly aggressive in pushing Windows users to upgrade to Windows 10.
Microsoft has left users very little choice over whether to upgrade their systems to Windows 10 or not. In the end, users end up upgrading their machines to the latest Windows operating system.
Users now see a pop-up on their computers, as InfoWorld reports, that displays only two choices:
Upgrade Now ‘OR’ Upgrade Tonight

But, What’s the Catch?

Yes, there is a way to get rid of the Windows 10 upgrade, temporarily at least.

What users see are the above two options, but what they don’t see is the third option hiding in plain sight: the ‘X’ button in the top-right corner of the upgrade window.
While you can click the ‘X’ button to make the upgrade go away, less knowledgeable users will end up upgrading to Windows 10 either then and there or that night.

Moreover, since the dialog box warns that “Upgrading to Windows 10 is Free for a Limited Time”, some users could conclude that if they close the pop-up window, they may not be able to upgrade their machines for free at a later date.

Microsoft silently started pushing Windows 10 installation files onto PCs running Windows 7 or Windows 8.1 a month after its launch, even if users had not opted into the upgrade.

Almost two months ago, some Windows 7 and 8.1 users also claimed that Windows 10 had begun to install itself automatically on their PCs, which Microsoft later called a mistake.

Although we cannot predict what tweaks Microsoft has planned for future upgrades, next time you may get a pop-up window with a single button that says “Upgrade Now.”

Meet Censys, an all-new hacker’s search engine.

At the end of last month, security researchers from SEC Consult found that lazy manufacturers of home routers and Internet of Things (IoT) devices have been re-using the same set of hard-coded cryptographic keys, leaving around 3 million IoT devices open to mass hijacking.

But how did the researchers arrive at this number?
Researchers uncovered these devices with the help of Censys, a new search engine that scans the whole Internet daily for vulnerable devices.

Censys Maintains Complete Database of Everything on The Internet

Censys is similar to hacker’s search engine Shodan, which is designed specifically to locate any devices that have been carelessly plugged into the Internet without much attempt at preventing unauthorized access.

However, Censys employs a more advanced method to find vulnerabilities in the devices and make the Internet a safer place.

Censys is a free search engine that was originally released in October by researchers from the University of Michigan and is powered by the world’s biggest search engine Google.

Censys is part of an open source project that aims at maintaining a “complete database of everything on the Internet,” helping researchers and companies unearth Online security mishaps and vulnerabilities in products and services.

How Does Censys Work?

Censys collects information on hosts and websites via daily scans of the IPv4 address space, the version of the Internet Protocol that routes the majority of Internet traffic today.
In order to do so, the new search engine uses two companion tools:

  • ZMap – an open-source network scanner
  • ZGrab – an application layer scanner

Censys then maintains a database of how hosts and websites are configured, allowing researchers to query the data through a search interface, report builder, and SQL engine.

ZMap scans over 4 billion IP addresses on the Internet and collects new data every day. It also helps determine whether machines on the Internet have security vulnerabilities that should be fixed before they are exploited by hackers.

“We have found everything from ATMs and bank safes to industrial control systems for power plants. It’s kind of scary,” said Zakir Durumeric, the researcher leading the Censys project at the University of Michigan.

It surfaces obvious flaws as well as issues caused by IT administrator mistakes.
Here’s the MIT Technology Review on Censys, titled “A Search Engine for the Internet’s Dirty Secrets.”
More details on the Censys architecture and functionalities are available in the team’s research paper.
If you would like to give Censys a try, you can follow the step-by-step tutorial offered by the developers.

WordPress.com, the fully hosted version of WordPress, has received one of its biggest updates ever today. Codenamed Calypso, the update is a rewrite of WordPress.com from scratch by Automattic — everything is new under the hood. Here are the big changes.

First, WordPress.com is now fully separated from the WordPress core. WordPress.com is now an admin interface that interacts with the WordPress core just like any other third-party interface and app out there. It uses a REST API to fetch your posts, publish new ones, upload photos and more.

Second, the team behind WordPress.com switched to an entirely new stack. Instead of using PHP and MySQL, the developers built everything using JavaScript and API calls. It means that when you go to the website, the server will distribute a fully working WordPress client that mostly runs in your browser.

It’s a Single Page Application, meaning that you will get very few loading screens when you interact with the interface. It should work well on your phone and tablet as well — everything is responsive. If you were using the WordPress admin backend, you can still go directly to your backend. But you also have another option now on WordPress.com if you are using a hosted WordPress.com blog, a self-hosted WordPress with the Jetpack plugin or a WordPress VIP site (like TechCrunch).

Finally, everything is open source and on GitHub. You can look at the code, fork it and reuse it as long as you comply with the GNU General Public License version 2.

But the team didn’t stop there. You can also download a new Mac app to access WordPress.com. In many ways, this app works like the Slack desktop app. It leverages web technologies and desktop features so that you get more or less the exact same thing as on the WordPress.com website, but with a few goodies, such as notifications. Windows and Linux apps are in the works.

I downloaded the app and played with it for a few minutes. If you’re familiar with the WordPress.com interface, you’ll feel right at home as it looks exactly the same. But it’s always nice to have an app icon in the Dock.

So why did Automattic, the company behind WordPress.com, go through this painful rewriting process? WordPress.com now feels and works like a modern web app. It’s back in the game against newcomers, such as Medium.

While the editor lacks many features that WordPress power users make use of (including TechCrunch writers), WordPress.com is a clean, efficient writing interface that should appeal to many people who are writing today on Medium.

25 percent of the web today runs on WordPress. This is no small feat, and WordPress isn’t the young, hustling startup working against bigger companies — it’s a web giant. With today’s move, Automattic proves that it is still aware of its environment and potential threats. It’s an encouraging sign for the future of WordPress.


It’s been a bad weekend for Aamir Khan. Today his website http://aamirkhan.com was down for much of the day after a distributed denial-of-service (DDoS) attack by online attackers, which left the website inaccessible to users.

Aamir Khan (born Mohammed Aamir Hussain Khan on 14 March 1965) is an Indian film actor, director, producer, television personality, social worker, screenwriter and philanthropist. Through his successful career in Hindi films, Khan has established himself as one of the most popular and influential actors of Indian cinema. He is the recipient of numerous awards, including four National Film Awards and seven Filmfare Awards. He was honoured by the Government of India with the Padma Shri in 2003 and the Padma Bhushan in 2010.

Bollywood superstar Aamir Khan said at the Ramnath Goenka Awards function that there has been an increased sense of despondency over the past 6-8 months and that he was alarmed by it. He also said that his wife Kiran Rao had suggested that they should move out of the country, as she feared for the safety of her children.

At the time of writing this post, the website is still not accessible due to the DDoS attack and is displaying this message

Coinbase has introduced the first U.S.-issued bitcoin debit card, the Shift Card, in partnership with Shift Payments. The Shift Card is a Visa debit card that currently allows Coinbase users in 24 states to spend bitcoin both online and at physical points of sale at more than 38 million merchants worldwide.

“Merchant adoption has come a long way over the past few years, but it’s still difficult for people to make regular purchases with bitcoin,” notes the Coinbase announcement. “Buying gas at a local gas station or groceries at a neighborhood grocery store with bitcoin has not been possible in most cities in the U.S. Thanks to Shift Payments, it’s now possible to use bitcoin to buy gas, groceries, and much more. With the Shift Card, you can now spend bitcoin anywhere in the world that Visa is accepted.”

Coinbase users living in the states where the service is available can order a Shift debit card for $10 and link it to a Coinbase wallet. When the Shift debit card is used to make a purchase, the equivalent value of bitcoin (based on the current spot price of bitcoin on Coinbase) is debited from the user’s Coinbase bitcoin wallet. For certain transactions, such as gas purchases and dinner bills, Shift will debit more than the purchase amount, and refund the remainder to the user when the final payment amount is settled.

There are no annual fees, no bitcoin-to-dollar conversion fees, and no domestic transaction fees. Coinbase says there are no domestic transaction fees “for a limited time,” which seems to indicate that domestic transaction fees could be added in the future. There is a $2.50 ATM fee and a 3 percent international transaction fee. The daily ATM withdrawal limit is $200, and the default daily spending limit is $1,000.

The card isn’t available to users in New York, Florida, and many other states. Coinbase and Shift Payments say that they are working through legal and regulatory matters in the states where the Shift Card is not yet available.

Shift Payments wants to integrate all payment options available to a user in one debit card. Users can connect a Shift Card to multiple accounts to seamlessly spend all supported payment means, including digital currencies, with the same card.

“The Shift Card works like any debit card today,” notes the Shift website. “Connect your existing accounts and spend Coinbase or Dwolla, immediately and directly, everywhere Visa is accepted.”

The Shift card isn’t the first bitcoin debit card, but the availability of a Visa-branded bitcoin debit card from a major bitcoin exchange and wallet operator is likely to represent a quantum leap in the space.

“At the end of the day, what we’re trying to do is make bitcoin easy to use,” Coinbase vice president of business development and strategy Adam White, told Wired. “We want to make it easy to buy and sell bitcoin, and we want to make it easy to spend. A mainstream debit card based on bitcoin is a key element.”

Of course all U.S. bitcoin users already can spend their bitcoin by converting them to dollars and sending the dollars to their bank accounts, but the process is lengthy and probably overly complex for some users.

Therefore, the Shift Card is likely to make Bitcoin much more useful in daily life.

Wired notes that existing Coinbase customers are now likely to start spending more of their bitcoin, rather than just speculating, and new customers will be attracted to the digital currency because they can more easily spend it. Then, merchants will be more motivated to start accepting bitcoin, which could start a runaway feedback loop that will boost the Bitcoin ecosystem.

Source: Bitcoin Magazine

Junaid Hussain was a hacker turned ISIS cyber mastermind who was killed in a US drone strike in August this year.

But something we didn’t know about Hussain’s death has now emerged.

An infamous hacker who in the past hijacked Anonymous’s pseudo-official Twitter accounts now claims he served as an FBI informant to help the US government track down Junaid Hussain.

The hacker, who goes by the online alias Shm00p (@5hm00p), is a member of the hacking collective Rustle League and says he is “99.9% sure” that the information he gave to FBI agents led to the extrajudicial killing of Hussain.

“What the fuck have I done,” Shm00p tweeted early Sunday morning.

More than 15 hours after his first tweet, Shm00p made a series of tweets directed at the FBI Twitter account.

“I lost a lot of good friendship and my fucking honor,” Shm00p tweeted at the FBI. You can see an archived copy of his now deleted tweets here. “I am so embarrassed to show my face in public now because of this,” he continued.

Shm00p, who lives in Las Vegas, knew the British-born Hussain from their mutual affiliation with a notorious hacktivist group called Team Poison.

In 2014, Hussain reached out to Shm00p via the encrypted chat service Jabber. Shm00p was able to determine Hussain’s location and then passed the information on to the FBI.

Shm00p said he was almost certain this information led to the death of Junaid “TriCk” Hussain, who left the United Kingdom and joined ISIS in 2013.

“I fucking helped you MURDER him [Junaid]. Do you know how I feel now when I sleep at night?”Shm00p tweeted. “Regardless that he was a terrorist and an animal I sure as fuck felt betrayed.”

According to his tweets, Shm00p was coerced into helping the FBI agents, who threatened his family’s livelihood.

The FBI officials had him try to get information out of two of his friends while they were partying at the hacker conference DefCon in 2015, with the aim of learning Hussain’s whereabouts.

Although the FBI has declined to comment on the disclosure by Shm00p, a source with knowledge of the facts told Motherboard that Shm00p did indeed help the US federal agents locate Hussain.

Source: THN

SAN FRANCISCO: The online social network devoted to making the world more connected will now help couples break up.

Facebook began testing tools that curtail how much ex-partners see of one another and their posts at the social network, according to product manager Kelly Winters.

“We are testing tools to help people manage how they interact with their former partners on Facebook after a relationship has ended,” Winters said.

“When people change their relationship status to indicate they are no longer in a relationship, they will be prompted to try these tools.”

The breakup tools are being tested in Facebook mobile device applications in the United States.

People can use the tools to see less of a former partner’s name and profile picture on Facebook without having to “unfriend” or block the person, according to Winters.

Posts by an ex won’t show up in News Feed, and their name won’t be suggested when people write messages or tag photos, Facebook said.

The tools also limit pictures, videos or status updates that an ex can see, and let people “untag” themselves from posts with former partners.

“We hope these tools will help people end relationships on Facebook with greater ease, comfort and sense of control,” Winters said.
