Hurray!!!!! BBM for Android and Iphone is Here

We promised you'd be the first to know when BBM™ for Android™ and iPhone® is available. We’re excited to announce that the rollout has resumed! Due to incredible demand there is a line-up to start using BBM. But, since you took the time to sign up in advance, we'd like to give you the chance to start using BBM on Android or iPhone right away without having to wait in line.

Here's what to do to get past the line-up:

1. Visit BBM.com from your iPhone or Android browser to download BBM.

2. Once the BBM app has been installed, open it.

3. When asked to "Enter your email address to check if you can start using BBM", use the email address this message was sent to.

4. Get started with setting up BBM.

Note to iPhone users: Apps can take up to a few hours to appear in the App Store so if you don’t see it right away, it will be there soon.

Unbreakable Apple's iMessage encryption is vulnerable to eavesdropping attack

Though Apple claims iMessage has end-to-end encryption, But researchers claimed at a security conference that Apple’s iMessage system is not protected and the company can easily access it.

Cyril Cattiaux - better known as pod2g, who has developed iOS jailbreak software, said that the company’s claim about iMessage protection by unbreakable encryption is just a lie, because the weakness is in the key infrastructure as it is controlled by Apple: they can change a key anytime they want, thus read the content of our iMessages.

Basically, when you send an iMessage to someone, you grab their public key from Apple, and encrypt your message using that public key. On the other end, recipients have their own private key that they use to decrypt this message. A third-party won’t be able to see the actual message unless they have access to the private key.

Trust and public keys always have a problem, but the researchers noted that there's no evidence that Apple or the NSA is actually reading iMessages, but say that it's possible. "Apple has no reason to do so. But what of intelligence agencies?" he said.

The researchers were able to create a bogus certificate authority and then add it to an iPhone Keychain to proxify SSL encrypted communications to and from the device, and in the process discovered that their AppleID and password was being transmitted in clear text.

He says that since Apple controls the public key directory that gives you the public key for every user, it could perform a man-in-the-middle (MITM) attack to intercept your messages if asked to by a government agency.

A solution for Apple would be to store public keys locally in a protected database within iOS, as then the keys could be compared.

Read more: http://thehackernews.com/2013/10/unbreakable-apples-imessage-encryption.html#ixzz2iTITB6z7
Follow us: @TheHackersNews on Twitter | TheHackerNews on Facebook

Hacker stole $100,000 from Users of California based ISP using SQL Injection

In 2013 we have seen a dramatic increase in the number of hack attacks attempted against banks, credit unions and utility companies using various techniques including DDoS attack, SQL injection, DNS Hijacking and Zero-Day Flaws.

SQL Injection is one of the most common security vulnerabilities on the web and is successful only when the web application is not sufficiently secured.

Recently a hacking Group named 'TeamBerserk' claimed on Twitter that, they have stolen $100,000 by leveraging user names and passwords taken from a California ISP Sebastian (Sebastiancorp.com)to access victims' bank accounts.

A video proof was uploaded on the Internet, shows that how hackers used a SQL injection attack against the California ISP Sebastian to access their customers' database includes  e-mail addresses, user names and clear text passwords and then using the same data to steal money from those customers.

Let's see what SQL Injection is and how serious an attack like this actually can be.

SQL Injection is a type of web application vulnerability in which the attacker adds Structured Query Language (SQL) code to web inputs to gain access to an organization's resources. Using this technique, hackers can determine the structure and location of key databases and can download the database or compromise the database server.

Hackers took just 15 minutes to hack into the website using SQLmap (Automated SQL Injection Tool) -- stole customers' database and then immediately accesses the victim's Gmail account, linked PayPal accounts and Bank accounts also.

It's so hard to remember multiple passwords, some people just use the same one over and over. Is your Facebook password the same as your Twitter password? How about the password for your bank's website?

Now the hack explains that this us why it's extremely dangerous to use the same password on more than one Web site. In the POC video, hacker randomly chooses one Sebastian username and his relative password against Paypal, Gmail and even Citibank account logins and seriously that actually worked, because the victim is using the same passwords for all websites.

Now that you've control of the situation, don't let this happen again! If you have a bank account, a few credit cards, and several other important sensitive accounts, conduct a thorough security audit on them. Be sure that you know when you last logged in. Be sure to keep using different and Strong passwords for each website.

Windows 8.1 released

http://www.appy-geek.com/Web/ArticleWeb.aspx?regionid=3&articleid=14285837

Samsung to releaae phones with wireless resonance charging

http://www.appy-geek.com/Web/ArticleWeb.aspx?regionid=3&articleid=14248653

Hacker who exploits Windows 8.1 will get $100,000

Microsoft finally launched a security bug Bounty Programs, is now willing to pay researchers for reporting certain type of vulnerabilities and exploitation techniques, according to official blog post.
Security researcher who is able to bypass the upcoming Windows 8.1 preview version will get up to $100K USD.
Researcher who give “Defensive ideas that accompany a qualifying Mitigation Bypass submission” will get $50K USD.
Apart from the two Bounties, Microsoft also offers $11K USD “for critical vulnerabilities that affect Internet Explorer 11 Preview on Windows 8.1 Preview.”
Anyone who is willing to participate in the Microsoft’s Mitigation Bypass Bounty, you can register for BlackHat conference.  Researcher who successfully bypass the Windows 8.1 in the target laptop will get the reward.

New Zealand Government Forcing Internet Companies and Network Operators to provide Interception capability

In August the New Zealand has passed a bill that radically expands the powers of  The Government Communications Security Bureau (GCSB), an intelligence agency of the New Zealand government, equivalent of the National Security Agency (NSA).

The bill demands the companies and other network operators like Facebook, Microsoft, Google and Yahoo must allow New Zealand spy agencies a certain path to monitor user communications, but it will also violate the rights of New Zealand citizens.

Today afternoon the controversial of Telecommunications (Interception Capability and Security) Bill made progress in the House in its Second Reading. A number of minor changes were made in select committee. Labour Leader David Cunliffe said his party continued to strongly oppose the legislation as it did not provide protection for the privacy of communications from spying by the state.

In a supplementary order paper to the Telecommunications Bill, Amy Adams is proposing to dump Clause 39 which allows the Government to block an overseas-based company from offering services in New Zealand if they do not comply with the proposed law, but may face pecuniary penalties.

Earlier this month Facebook, Microsoft, Google and Yahoo wrote to Communications Minister Amy Adams to emphasise their concerns about the Telecommunications Interception Capability and Security Bill, encouraged New Zealand to consider an alternative approach to the new law, by engaging US counterparts for information and by setting up a single point of contact for information requests of overseas companies.

They said that making their systems interception capability for New Zealand spy agencies would present serious legal conflicts for companies headquartered in other countries.

However, in response, Communications Minister Amy Adams said there was a proper administrative process to follow before overseas-based companies would be obliged to provide an interception capability. That process would ensure that issues around conflicts of laws between New Zealand and companies' home jurisdictions were addressed.

Read more: http://thehackernews.com/2013/10/new-zealand-government-forcing-internet_15.html#ixzz2hskTK3ov
Follow us: @TheHackersNews on Twitter | TheHackerNews on Facebook

Aple releases lock screen bypass fix

Apple has released an update for iOS 7 – iOS 7.0.2. The update fixes a bug that let users bypass the passcode security lock screen. The issue was discovered in a matter of hours after iOS 7 was released to the public.
The OS update reads, “Fixes the bug that could allow someone to bypass the lock screen passcode. Reintroduces a Greek keyboard option for passcode entry.”
Passcode on the lock screen gives you a basic level of security. When the passcode is active, no one can access the content on your phone, unless they know the passcode. Bypassing the passcode on iOS 7 was a bit tricky. Users needed to access the control center by swiping up from the bottom of the display and accessing the alarm clock. After that, hold the power button for a while which will give you the option to switch off the phone. Cancel that option. After than you can double tap the home button to bring up the multitasking menu, which will give you access to the camera and stored photos along with any logged-in email and social networking accounts.
If you haven’t updated your iOS device to 7.0.2, you can do so by going into the settings option, then “General,” and selecting “Software Update.”

Apple sends invitations to next-gen iPad event scheduled for Oct. 22

New Apple products aren't as easy to come by as they used to be when Apple spread its device launches out a bit more, but as the saying goes, when it rains it pours. Hot off the record-smashing release of Apple's brand new iPhone 5s and iPhone 5c, Apple has sent invitations to newspapers and blogs for a press conference scheduled to take place on October 22nd at 1:00 p.m. EDT, 10:00 a.m. PDT. The company still has plenty in the pipeline, but the co-stars of next week's event are expected to be a completely redesigned fifth-generation iPad as well as an updated iPad mini with a brand new Retina display. Both of the new devices will launch soon after being announced at next week's event, and there's plenty more in store from Apple next week.
Apple's fifth-generation iPad is widely expected to be smaller and thinner than the current-generation model, and it will seemingly be redesigned to better match the look of the iPad mini. Photos of purported casings from the “iPad 5″ have been pictured a number of times, most recently in the new space gray color that Apple introduced on the new iPhone 5s.
Several unconfirmed reports also suggest that the fifth-generation iPad will be equipped with a Touch ID fingerprint scanner like Apple's new flagship iPhone.
The tinier iPad tablet is also expected to be refreshed next week. Among the iPad mini upgrades expected at the show are a faster Apple A7 processor, new space gray and gold color options and of course a high-definition Retina display.
Apple will likely show off a few other new products that will launch ahead of the holidays as well, possibly including an updated Apple TV set-top box and refreshed Mac computers. We should also see iOS 7.1 for the first time, and Apple will likely share OS X 10.9 Mavericks and Mac Pro release dates as well.
Tune into BGR next Tuesday at 1:00 p.m. EDT, 10:00 a.m. PDT for all the news as it breaks.

Vulnerability in WhatsApp allows decrypting user messages

A serious vulnerability in WhatsApp allows anyone who is able to eavesdrop on WhatsApp connection to decrypt users' messages.

Whatsapp, the mobile application for instant messaging platform has become one of the main communication tools of the present day and its popularity makes it attractive for security researchers and hackers.

This time it is debated in the protection of the messages exchanged through the application, thanks to a vulnerability in the crypto implementation they can be intercepted by an attacker.

Thijs Alkemade is a computer science student at Utrecht University in The Netherlands who works on the open source Adium instant messaging project, during its research activity he disclosed a serious issue in the encryption used to secure WhatsApp messages.

In the post titled "Piercing Through WhatsApp’s Encryption" Alkemade remarked that Whatsapp has been plagued by numerous security issues recently, easily stolen passwords, unencrypted messages and even a website that can change anyone’s status.

"You should assume that anyone who is able to eavesdrop on your WhatsApp connection is capable of decrypting your messages, given enough effort. You should consider all your previous WhatsApp conversations compromised. There is nothing a WhatsApp user can do about this but expect to stop using it until the developers can update it." states the researcher.

An attacker sniffing a WhatsApp conversation is able to recover most of the plaintext bytes sent, WhatsApp uses RC4 software stream cipher to generate a stream of bytes that are encrypted with the XOR additive cipher.

The mistakes are:

• The same encryption key in both directions
• The same HMAC key in both directions

Below the trick used by the researcher to reveal the messages sent with WhatsApp exploiting first issue:

WhatsApp adopts the same key for the incoming and the outgoing RC4 stream, "we know that ciphertext byte i on the incoming stream xored with ciphertext byte i on the outgoing stream will be equal to xoring plaintext byte i on the incoming stream with plaintext byte i of the outgoing stream. By xoring this with either of the plaintext bytes, we can uncover the other byte."

The technique doesn't directly reveal all bytes but works in many cases, another element that advantage the attacker is that messages follow the same structure and are easy to predict starting from the portion of plaintext that is disclosed.

The second issue related to the HMAC id more difficult to exploit, Alkemade said WhatsApp also uses the same HMAC key in both directions, another implementation error that puts messages at risk, but is more difficult to exploit.

The MAC is used to detect data alteration but it is not enough to detect all forms of tampering, the attacker potentially could manipulate any message.

"TLS counters this by including a sequence number in the plaintext of every message and by using a different key for the HMAC for messages from the server to the client and for messages from the client to the server. WhatsApp does not use such a sequence counter and it reuses the key used for RC4 for the HMAC."

Alkemade is very critical to the development team of the popular platform:

“There are many pitfalls when developing a streaming encryption protocol. Considering they don’t know how to use a xor correctly, maybe the WhatsApp developers should stop trying to do this themselves and accept the solution that has been reviewed, updated and fixed for more than 15 years, like TLS,” he said.

I agree with the thinking of the researcher, security for applications such as WhatsApp is crucial given its level of penetration, it is true that the interest of the scientific community and cybercrime will surely lead them to discover new vulnerabilities to which WhatsApp have to provide a quick solution.

Alkemade confirmed that there is no remediation for the flaw in this moment, that's why he suggest to stop using WhatsApp until developers produce a patch.

Beware ... This is a very serious risk to your privacy!

Read more: http://thehackernews.com/2013/10/vulnerability-in-whatsapp-allows.html#ixzz2hhfdxxyv
Follow us: @TheHackersNews on Twitter | TheHackerNews on Facebook

16-Year-Old Teenager arrested for World's biggest cyber attack ever

16-Year-Old Teenager has been arrested over his alleged involvement in the World's biggest largest DDoS attacks against the Dutch anti-spam group Spamhaus.

The teenager, whose name is unknown at this point, was arrested by British police in April, but details of his arrest were just leaked to the British press on Thursday.

He was taken into custody when police swooped on his south-west London home after investigations identified significant sums of money were flowing through his bank account. The suspect was found with his computer systems open and logged on to various virtual systems and forums.

The March 20 attack on Spamhaus has been dubbed as the “biggest cyber attack in the history of the Internet” which saw server of the Dutch anti-spam organization being bombarded with traffic in tune of 300 billion bits per second (300Gbps).

A DDoS attack takes place when hackers use an army of infected computers to send traffic to a server, causing a shutdown in the process.

It's unclear what role the teenager played in the massive distributed denial of service (DDoS) attack. The boy has been released on bail until later this year. A 35-year-old Dutchman was detained and his computers, data carriers and mobile phones were seized, local media speculates that the person is none other than CyberBunker spokesman Sven Olaf Kamphuis.

The attack on Spamhaus is believed to have started after the anti-spam organization blacklisted CyberBunker for allegedly spreading spam.

more silk road users arrested

Silk Road : 8 more suspected users arrested in US, UK, Sweden 

Authorities in Britain, Sweden, and the United States have arrested eight more people in the wake of the shutdown of the Silk Road, online illegal drug marketplace which helped dealers sell drugs under the cloak of anonymity. Millions of Dollars worth of Bitcoins (Electronic currency) had been seized and that other online drug dealer should expect a knock on their door by the National Crime Agency. The other suspects were arrested within hours after the FBI arrested 29-year-old Ross Ulbricht, the suspected creator of Silk Road also known as "Dread Pirate Roberts". Although, he denies charges that he operated the website. Ulbricht is separately accused in a federal indictment in U.S. District Court in Baltimore with a similar count of narcotics trafficking conspiracy and additional charges of soliciting an $80,000 murder-for-hire of a former Silk Road employee. A federal judge on Wednesday ordered that Ulbricht charged with operating a notorious online drug marketplace known as the Silk Road to be sent to New York to face charges. The so called - Hidden site, Silk Road used an online tool known as Tor to mask the location of its servers, that made it difficult for authorities to know who was using the website. The site generated about $1.2 billion in sales of heroin, cocaine, ecstasy, marijuana and other illegal substances in less than three years, with Silk Road's operators netting $80 million in commissions. People using the site to buy drugs also used the virtual currency Bitcoin to lessen the chances of being detected. But in its statement, the agency said the arrests sent a message to criminals that the anonymity touted by sites like Silk Road is an illusion. "The Hidden Internet isn't hidden and your anonymous activity isn't anonymous," it said. "We know where you are, what you are doing and we will catch you." Keith Bristow, director general of the NCA said hidden or anonymous online environments were a key priority for the NCA, which had 4,000 officers and the latest technology at its disposal to tackle the problem. Read more: http://thehackernews.com/2013/10/silk-road-8-more-suspected-users.html#ixzz2hQ8xgWo8 Follow us: @TheHackersNews on Twitter | TheHackerNews on Facebook

iPhone iOS 7.0.2 Sim Lock Screen Bypass vulnerability

If you're unlucky enough to lose your Smartphone or have it stolen, anyone who finds the device will also be able to access any content stored on the device, whether its contacts, music or documents.

But by implementing a SIM card PIN lock, everytime the device is powered down and subsequently switch back on again, the PIN will need to enter before the phone can be used.

Security Researcher - Benjamin Kunz Mejri from Vulnerability Laboratory claimed that he found a new vulnerability in the iOS v7.0.1 & v7.0.2, that allows a hacker to bypass the Sim lock Mode.

In a Proof of Concept video, he demonstrates that how an attacker can bypass the restricted section of the iPhone, when Sim Lock is enabled on a Stolen iPhone Device.

Flaw can be exploited without user interaction and successful exploitation results in the bypass of the SIM lock mode to the regular lock mode.

Follow Steps to bypass SIM Lock on stolen Devices:

1. Turn on your iPhone and ensure you have the iOS v7.0.1 installed and Sim Lock mode is activated.
2. You will see a black notification in the middle of the display - SIM Locked.
3. Open the Calendar, and scroll down to the two hyperlinks.
4. Press the Power button and wait 2 seconds and then press one of the two hyperlinks.
5. You will be redirected via hyperlink, because of the restriction to the passcode SIM lock.
6. Press Power button again for 3 seconds and then press the Home button
7. Click cancel again in the shutdown menu but hold the Home button.
8. Open up the Control center and go to the calculator. Now a message box appears automatically with the SIM lock
9. Press the shutdown button for 3 seconds + Unlock Key + Home button.
10. The Passcode screen will pop up, but you will be again redirected to Calculator.
11. Now again press the Power button for 3 seconds the  and then press Cancel, at last press the Home button one time.
12. The Restricted Sim Lock Screen will disappear.

This flaw does not cover Regular Passcode bypass. For that attacker need to use other ways. Shortly after the iOS 7 release date earlier this month, users discovered a lock screen flaw that allowed users to use a simple exploit in order to view private details on the iPhone, iPad or iPod touch.

Apple worked quickly to fix the issue and rolled out iOS 7.0.2, an update aimed at adding Greek keyboard support and tackling the lock screen security flaw. But Just after that another Screen Lock Bypass bug appeared on the Internet. The growing number of iOS 7.0.2 problems are now frustrating iPhone and iPad users.

Avg antivirus hacked!!!

Whatsapp and AVG Antivirus Website defaced by Palestinian Hackers

The Website of Word's most popular mobile messaging app and Antivirus Firm - AVG were hacked this morning and defaced by a new Palestinian Hacker group - KDMS Team, affiliated with Anonymous Group.

The Defacement page titled 'You got Pwned', with Anonymous Logo and playing Palestinian national anthem in the page background, says: 

we want to tell you that there is a land called Palestine on the earth
this land has been stolen by Zionist
do you know it ?
Palestinian people has the right to live in peace
Deserve to liberate their land and release all prisoners from israeli jails
we want peace

and "There Is No Full Security We Can Catch You !"

It seems that the hacker used DNS hijacking to point domains on a fake server with deface page. The Whatsapp has resolved the issue, but at the time of writing AVG is still defaced. It is not clear that if any user data was compromised from AVG or Whatsapp.

We have contacted WhatsApp and AVG for comment and will update this story when we hear back. Just two days before, KDMS Team hacked LeaseWeb, one of the world's biggest hosting company.

Update : Another Antivirus Firm 'AVIRA' website also defaced by hackers, just few minutes before.

Update: NETWORK SOLUTIONS, LLC is common Domain Registrar for AVG, Avira and Whatsapp . Possibly, hacker compromised the Domain Registrar and modifies the DNS settings to perform DNS Hijacking.