Tuesday, 25 March 2014

CASH! CASH! Hacking ATM Machines with Just a Text Message


As we reported earlier, Microsoft will stop supporting the Windows XP operating system after 8th April, and apparently 95% of the world’s 3 million ATMs run on it. Microsoft's decision to withdraw support for Windows XP poses a critical security threat to economic infrastructure worldwide.

MORE REASONS TO UPGRADE
Security researchers at antivirus firm Symantec claimed that hackers can exploit a weakness in Windows XP-based ATMs that allows them to withdraw cash simply by sending an SMS to compromised ATMs.

"What was interesting about this variant of Ploutus was that it allowed cybercriminals to simply send an SMS to the compromised ATM, then walk up and collect the dispensed cash. It may seem incredible, but this technique is being used in a number of places across the world at this time." researchers said.

HARDWIRED Malware for ATMs
According to the researchers, in 2013 they detected malware named Backdoor.Ploutus installed on ATMs in Mexico, which is designed to rob a certain type of standalone ATM using just text messages.

To install the malware on an ATM, the hacker must connect the ATM to a mobile phone via USB tethering and then initiate a shared Internet connection, which can then be used to send specific SMS commands to the phone attached or hardwired inside the ATM.
"Since the phone is connected to the ATM through the USB port, the phone also draws power from the connection, which charges the phone battery. As a result, the phone will remain powered up indefinitely."
HOW-TO HACK ATMs
  • Connect a mobile phone to the machine with a USB cable and install Ploutus Malware.
  • The attacker sends two SMS messages to the mobile phone inside the ATM.
    • SMS 1 contains a valid activation ID to activate the malware
    • SMS 2 contains a valid dispense command to get the money out
  • The mobile phone attached inside the ATM detects valid incoming SMS messages and forwards them to the ATM as a TCP or UDP packet.
  • The network packet monitor (NPM) module coded in the malware receives the TCP/UDP packet and, if it contains a valid command, executes Ploutus.
  • Amount for Cash withdrawal is pre-configured inside the malware
  • Finally, the hacker can collect cash from the hacked ATM machine.
Researchers have detected a few more advanced variants of this malware; some attempt to steal customer card and PIN data, while others attempt man-in-the-middle attacks.

This malware is now spreading to other countries, so you are advised to pay extra attention and remain cautious while using an ATM.


Microsoft Word Zero-Day Vulnerability is being exploited in the Wild

Microsoft warned about a zero-day vulnerability in Microsoft Word, discovered by the Google security team, that is being actively exploited in targeted attacks. “At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010…” the company said.

According to Microsoft's security advisory, Microsoft Word is vulnerable to a remote code execution vulnerability (CVE-2014-1761) that can be exploited by a specially crafted Rich Text Format (RTF) file.

An attacker can infect the victim's system with malware if the user opens a malicious Rich Text Format (RTF) file, or merely previews the message in Microsoft Outlook.

"The issue is caused when Microsoft Word parses specially crafted RTF-formatted data causing system memory to become corrupted in such a way that an attacker could execute arbitrary code."

Microsoft acknowledged that the remote code execution flaw also exists in Microsoft Word 2003, 2007, 2013, Word Viewer and Office for Mac 2011.

Microsoft is working on an official patch, which will be released with the next Patch Tuesday security updates on April 8.

But in the meantime, Windows users can use a temporary 'Fix It' tool to patch this vulnerability and can also install the Enhanced Mitigation Experience Toolkit (EMET), which can mitigate this vulnerability.

Do not download .RTF files from suspicious websites, and do not open or preview .RTF email attachments from strangers.

Snoopy Drone Can Hack Your Smartphones

The use of unmanned aerial vehicles (UAVs), called drones, is rapidly transforming the way we go to war. Drones were once used for land surveillance and delivering pizzas, then were equipped with bombs that changed the way nations conduct war, and now these hovering drones are ready to hack your smartphones.

London-based Sensepoint security researchers have developed a drone called 'Snoopy' that can intercept data from your Smartphones using spoofed wireless networks, CNN Money reported.

The drone will search for WiFi-enabled devices and then, using its built-in technology, see what networks the phones have accessed in the past and pretend to be one of those old network connections.

Spoofing WiFi networks that a device has already accessed allows the Snoopy drone to connect with a targeted smartphone without authentication or interaction. In technical terms, the drone uses a 'Wireless Evil Twin Attack' to hack smartphones.

Once connected, Snoopy Drone can access your WiFi enabled Smartphones, allowing the attacker to remotely capture login credentials, personal data, and more.
Snoopy is self-powered and extremely mobile and researchers have successfully stolen Amazon, PayPal, and Yahoo credentials while testing it out in the skies of London.

The collection of metadata, including Wireless Network Names and Device IDs is not illegal, but intercepting personal data would likely violate wiretapping and identity theft laws.

If the technology got into the hands of criminals, there are all kinds of things they could do. Researchers said they have no malicious intent in developing the Snoopy drone; they are demonstrating the technology to highlight how vulnerable smartphone users can be.

WiFi hacking is very simple to execute and is becoming far more common these days. If you are concerned about such attacks, just turn off the automatic WiFi network-finding feature.

Android Privilege Escalation Flaws leave Billions of Devices vulnerable to Malware Infection

Android, the widely used smartphone platform offered by Google, is once again suspected of exposing its users to malicious software that puts their Android devices at risk. This time the vulnerabilities occur in the way Android handles the updates that add new flavors to your device.

Researchers from Indiana University and Microsoft have discovered a new set of Android vulnerabilities that can be used to carry out privilege escalation attacks because of weaknesses in its Package Management Service (PMS), putting more than one billion Android devices at risk.

The researchers dubbed the new set of security-critical vulnerabilities Pileup flaws, short for privilege escalation through updating. The flaws lie inside the Android PMS and escalate the permissions granted to malicious apps whenever an Android update occurs, without informing users.

The research was carried out by Indiana University Bloomington researchers, Luyi Xing, Xiaorui Pan, Kan Yuan and XiaoFeng Wang, with the help of Rui Wang of Microsoft.

The researchers found six different Pileup vulnerabilities within the Android PMS. They are present in all Android Open Source Project versions, including more than 3,500 customized versions of Android developed by handset makers and carriers.

"Every few months, an update is released, which causes replacement and addition of tens of thousands of files on a live system. Each of the new apps being installed needs to be carefully configured to set its attributes within its own sandboxes and its privileges in the system, without accidentally damaging existing apps and the user data they keep," the researchers wrote. "This complicates the program logic for installing such mobile updates, making it susceptible to security-critical flaws."

The researchers also found that by exploiting the Pileup vulnerabilities, a hacker can control not only system permissions and signatures but also their settings. Moreover, an attacker could use the malicious app to access and steal device data, including sensitive user information such as activity logs, user credentials, contacts and messages.

“A distinctive and interesting feature of such an attack is that it is not aimed at a vulnerability in the current system. Instead, it exploits the flaws in the updating mechanism of the “future” OS, which the current system will be upgraded to,” the researchers wrote. “More specifically, though the app running on a lower version Android, the adversary can strategically claim a set of carefully selected privileges or attributes only available on the higher OS version.”

In short, if an attacker ships a malicious app update that claims a permission which does not exist in the older version of Android but is added in the new version, the malicious app will silently acquire that permission when the device is upgraded to the newer version, and the Pileup flaw is exploited automatically.
"A third-party package attribute or property, which bears the name of its system counterpart, can be elevated to a system one during the updating shuffle-up where all apps are installed or reinstalled, and all system configurations are reset," the researcher wrote. "Also, when two apps from old and new systems are merged as described above, security risks can also be brought in when the one on the original system turns out to be malicious."
During the update, the PMS first installs all new and existing system apps and then proceeds to install third-party apps from the old OS. When the PMS installs the malicious app, the device recognizes and silently grants all the permissions that the malicious app requests, as it assumes that these permissions belong to an existing app and have already been approved by the user.

With the help of a program analyzer, our research discovered 6 such Pileup flaws within Android Package Manager Service and further confirmed their presence in all AOSP (Android Open Source Project) versions and all 3,522 source code versions customized by Samsung, LG and HTC across the world that we inspected, which strongly indicates their existence in all Android devices in the market.

Besides detecting the critical flaws, the researchers have developed a new scanner app called SecUP that searches for malicious apps already on a device that are designed to exploit Pileup vulnerabilities. The scanning tool inspects already installed Android application packages (APKs) on the device in an attempt to identify those that will cause privilege escalations during an update, the paper stated.
The SecUP scanning tool consists of an automated vulnerability detector, a program verification tool for Java that discovers the Pileup flaws within the source code of different Android versions and a threat analyzer that automatically scans thousands of OS images.
“The detector verifies the source code of PMS (from different Android versions) to identify any violation of a set of security constraints, in which we expect that the attributes, properties (name, permission, UID, etc.) and data of a third-party app will not affect the installation and configurations of system apps during an update,” the researchers explained. “A Pileup flaw is detected once any of those constraints are breached.”
All six vulnerabilities have been reported to Google by the researchers, and one of them has been fixed.
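
As an added illustration (not SecUP's code and not taken from the paper), the Python example below shows the kind of pre-update check the article describes: flag third-party apps whose manifest claims a permission or package name that exists only in the OS image the device will be upgraded to. It assumes manifests have already been decoded to text XML; the OS permission inventories, the new system package name and the finding labels are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed, heavily abbreviated inventories of the two OS images.
CURRENT_OS_PERMS = {"android.permission.INTERNET",
                    "android.permission.READ_CONTACTS"}
TARGET_OS_PERMS = CURRENT_OS_PERMS | {
    "android.permission.READ_CALL_LOG",
    "com.android.voicemail.permission.ADD_VOICEMAIL",
}
# Hypothetical system package that first ships with the target image.
NEW_SYSTEM_PACKAGES = {"com.example.newsystemapp"}

MANIFEST = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
            ' package="%s">%s</manifest>')

# Constructed third-party manifests (text form, not binary AXML).
SUSPICIOUS = MANIFEST % ("com.example.flashlight", """
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <permission android:name="com.android.voicemail.permission.ADD_VOICEMAIL"
              android:protectionLevel="normal"/>""")
BENIGN = MANIFEST % ("com.example.notes", """
  <uses-permission android:name="android.permission.INTERNET"/>""")
COLLIDING = MANIFEST % ("com.example.newsystemapp", "")


def parse_manifest(xml_text):
    """Return (package, requested permissions, self-defined permissions)."""
    # Manifests come from untrusted APKs; a production scanner should use a
    # hardened XML parser (for example defusedxml) instead of ElementTree.
    root = ET.fromstring(xml_text)

    def names(tag):
        found = {e.get(ANDROID_NS + "name") for e in root.iter(tag)}
        return found - {None}

    return root.get("package"), names("uses-permission"), names("permission")


def scan_app(xml_text, current=CURRENT_OS_PERMS, target=TARGET_OS_PERMS,
             new_system_pkgs=NEW_SYSTEM_PACKAGES):
    """Flag attributes that mean nothing today but gain meaning after the update."""
    package, requested, defined = parse_manifest(xml_text)
    future = target - current          # permissions only the new OS knows
    findings = []
    # App defines a permission the new OS will treat as its own.
    for perm in sorted(defined & future):
        findings.append(("defines-future-permission", perm))
    # App requests a permission the user cannot be asked about today.
    for perm in sorted(requested & future):
        findings.append(("requests-future-permission", perm))
    # App squats on the name of a system package added by the update.
    if package in new_system_pkgs:
        findings.append(("package-name-collision", package))
    return package, findings


if __name__ == "__main__":
    for manifest in (SUSPICIOUS, BENIGN, COLLIDING):
        package, findings = scan_app(manifest)
        print(package, findings or "clean")
```

A real scan would build the two inventories from the framework of the installed and the target OS images and would also compare shared UIDs, which this example leaves out.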


How to access Twitter in Turkey - #TwitterisBlockedinTurkey

Twitter, the biggest social media platform used for vital communication, has been banned in Turkey for the last few days, after Prime Minister Recep Tayyip Erdoğan promised at an election rally this week to root out the social media service with the help of a court order.
“Twitter and so on, we will root them out. The international community can say this or that – I don’t care. They will see the power of the Turkish Republic.”
After the ban was imposed on Twitter late on Thursday, millions of Turkish users began using Google’s DNS service to bypass censorship, which briefly helped Turks stay connected to Twitter.

The Turkish government is trying to close all the possible loopholes that had allowed users to circumvent the ban, and today the authorities finally blocked the Google DNS service (8.8.8.8 and 8.8.4.4) as well. However, the number of tweets jumped 138% in the last 24 hours, and almost 2.5 million tweets have been posted from the country since the ban was imposed.

Why Turkey Government Banned Twitter?
According to media reports, earlier this month a voice recording of the prime minister was leaked on YouTube and Twitter, which includes audio of Prime Minister Recep Tayyip Erdoğan instructing his son to dispose of large amounts of cash in the midst of a police investigation.

Erdogan has dismissed most of the audio recordings as a vile montage put together by his political rivals. Twitter reportedly refused to delete incriminating audio of him. “Twitter has been used as a means to carry out systematic character assassinations by circulating illegally acquired recordings, fake and fabricated records of wiretapping,” the prime minister’s office of public diplomacy said in a statement.

Turkey has blocked access to YouTube in the past, but this is the first ban on Twitter, which is hugely popular in the country.

USE VPN OR Tor: Besides Google DNS, people in Turkey have been using OpenDNS, VPN and SMS services to get the word out. Twitter is still accessible for the tech savvy via Virtual Private Networks (VPN) or the Tor Browser Bundle.

Use alternate DNS: Users in Turkey can use the following alternate DNS servers to access Twitter:
  • Level3: 209.244.0.3, 209.244.0.4
  • Google: 8.8.8.8, 8.8.4.4
  • Comodo Secure DNS: 8.26.56.26, 8.20.247.20
  • OpenDNS Home: 208.67.222.222, 208.67.220.220
  • DNS Advantage: 156.154.70.1, 156.154.71.1
  • Norton ConnectSafe: 199.85.126.10, 199.85.127.10
  • GreenTeamDNS: 81.218.119.11, 209.88.198.133
  • SafeDNS: 195.46.39.39, 195.46.39.40
  • OpenNIC: 216.87.84.211, 23.90.4.6
  • Public-Root: 199.5.157.131, 208.71.35.137
  • SmartViper: 208.76.50.50, 208.76.51.51
  • Dyn: 216.146.35.35, 216.146.36.36
  • censurfridns.dk: 89.233.43.71, 89.104.194.142
  • Hurricane Electric: 74.82.42.42
  • puntCAT: 109.69.8.51
Or you can use DNSCrypt: http://dnscrypt.org/

Access Twitter via SMS: Turkish users can also send Tweets using SMS. "Avea and Vodafone text START to 2444. Turkcell text START to 2555."

#TwitterisblockedinTurkey is trending globally as free-speech supporters around the world voiced their concerns. Some related tweets are shown below:
UPDATE:

TWITTER Hired LAWYER to fight Turkey Government
However, President Abdullah Gul is also in talks with Twitter to reach a speedy resolution to the block on the website in Turkey.

Twitter has taken action against the Turkish government’s blocking of access to it and hired Gönenç Gürkaynak, a lawyer who is an expert in cyberlaw litigation, who met with officials from Turkey’s Telecommunications Authority (TİB) in Ankara on behalf of Twitter.
The Union of Turkish Bar Associations (TBB) filed a petition in an Istanbul court for the lifting of the ban. “A total ban on Twitter access is a violation of the European Convention on Human Rights, the Turkish Constitution and Law 5651 that includes Internet regulations. The TBB has applied to the courts for the immediate lifting of the ban. In addition, criminal complaints have been filed for those responsible for the ban ruling and the officials who applied the ban,” TBB head Metin Feyzioğlu said in a statement.


HACK - A New Open Source Programming Language developed by Facebook

Facebook just released a new programming language called 'HACK', designed to build complex websites and other software quickly and without many flaws. The company has already migrated almost all of its PHP-based social networking site to HACK over the last year, but it has nothing to do with Hacking.

When the social networking website Facebook was started 10 years ago, it was coded in PHP by Mark Zuckerberg and team, but as the company grew, the PHP programming platform became difficult to manage and keep bug-free.

Thus, Hack was born! The Facebook team decided to develop a new programming language that could combine elements of static-type programming languages such as C or C++ with dynamic-type languages like PHP, now called the "HACK Programming Language".

"Hack has deep roots in PHP. In fact, most PHP files are already valid Hack files." Facebook said, "We have also added many new features that we believe will help make developers more productive."

HACK is a new version of PHP and requires Facebook’s HHVM (Hip Hop Virtual Machine), which is designed to execute programs written in Hack and PHP. The top 20 open source frameworks on Github run on HHVM.
"Traditionally, dynamically typed languages allow for rapid development, but sacrifice the ability to catch errors early and introspect code quickly, particularly on larger codebases." Facebook posted on its engineering blog.

So Hack Programming Language offers a lot of potential for developers, enabling them to program faster and be able to catch errors more easily, among other things. "Conversely, statically typed languages provide more of a safety net, but often at the cost of quick iteration. We believed there had to be a sweet spot."

Beta code is open source and now available at Hacklang.org, and you can also get Hack programming language tutorials from the website to learn this new language.

"This is just the first step, and we are dedicated to continuing to evolve this software to make development even easier for both our own engineers and the broader community." The public release is not just to encourage developers, but also to quickly spot errors in Hack.

Saturday, 22 March 2014

How To Earn $100 Per Day With Google AdSense, And How Much Traffic You Need

Earning $100, $200 or even $300 per day with Google AdSense is not an impossible job.
Many bloggers and website owners are doing it, and you are not an exception. The only thing you need is better planning and execution, hard work, determination and passion for blogging about your topic or niche.
Before diving into the exact process, let’s go over some terminology for a better understanding of Google AdSense and how you can generate more revenue by selling the ad inventory on your blog.
What Is AdSense: It’s a monetization program by Google for online content from websites, mobile sites, and site search results with relevant and engaging ads.
CTR: Your ad click-through rate is the number of ad clicks divided by the number of individual ad impressions. Suppose you are showing 3 AdSense ads on every page; then 1 page view is equal to 3 ad impressions.
CTR = (Clicks / Ad Impressions) × 100
Suppose you get 5 clicks out of 500 ad impressions; your CTR would be 1% (5/500 × 100).
CPC : Cost-Per-Click is the revenue you earn each time a visitor clicks on your ad. CPC is usually determined by the advertisers. In some competitive niches like finance, marketing, online products etc. advertisers may be willing to pay more per click than others.
CPM: CPM means “Cost Per 1000 Impressions.”
Sometimes advertisers opt for CPM ads instead of CPC and set their price for 1000 ad impressions. And they pay each time their ads appear on any website.

Let’s Make $100 Everyday With Google AdSense, Right?

For the convenience of calculation we assume that you serve your AdSense ads on your blog or website, leaving aside ads shown on your mobile site and AdSense added to site search results.
Your CTR is 1% and your average CPC is $0.25. It’s quite achievable and lots of bloggers usually get it. We also assume that Page View = Ad Impression for easy calculation. You can manipulate the parameters on your own for desired results.
  • To make $100 everyday you need 40,000 Page Views/day Or, 400 Clicks a day @ 1% CTR and $0.25 CPC. For 40,000 Page Views you have to produce 500 awesome articles or blog posts which attract at least 80 or more page views/article everyday.
  • Apart from CPC, you will also earn from your CPM ad impressions. Irrespective of any niche, the average CPM earning is $1 to $1.5 per 1,000 impressions. You can make $40 to $60 per day easily from 40,000 page views.
  • You can also sell your Ad space directly or via BuySellAds.com and generate $6,000 Per Month on an average from 40,000 page views. Check out how webmasters and bloggers are making $6,000 to $8,000 Per Month from BuySellAds with forty thousand page views per day. So your daily earning will be $200 (6000/30=200).
  • A niche blog with high quality articles converts very well with affiliate marketing. You can easily earn $40 to $80/day from affiliate selling with correct implementation and execution.
Now your total earning per day is $100 + $40 + $200 +$40 = $380 from CPC, CPM, Direct Ad Sell, Affiliate Marketing for 40,000 page views per day. I’ve taken the lowest possible earnings from all the 4 sources.
$380 per day means $11,400 per month (380 × 30 = 11,400) or $136,800 per year (11,400 × 12 = 136,800). Isn’t it a whopping amount to lead a lavish life?
Which is well above your desired earning of $100 per day from Google AdSense, right? 1000s of bloggers are making money this way, and you can also do it. The only thing I want to say is “Be Focused!”

Friday, 21 March 2014

WiFi Password

wifi password cracker

The SecurityXploded team has released a free WiFi Password Decryptor that instantly recovers wireless account passwords stored on your system.

It automatically recovers all types of wireless keys/passwords (WEP/WPA/WPA2 etc.) stored by the Windows Wireless Configuration Manager.

After a successful recovery you can save the password list to an HTML/XML/TEXT file. You can also right-click on any of the displayed accounts and quickly copy the password.

Under the hood, 'WiFi Password Decryptor' uses the System Service method (instead of injecting into LSASS.exe) to decrypt the WiFi passwords. This makes it safer and more reliable. It also means a single EXE works on both 32-bit and 64-bit platforms.

It has been successfully tested on Windows Vista and higher operating systems including Windows 8.

Features & Benefits

  • Instantly decrypt and recover stored WiFi account passwords
  • Recovers all types of Wireless Keys/Passwords (WEP/WPA/WPA2 etc.)
  • Simple & elegant GUI interface makes it easy to use.
  • Right click context menu to quickly copy the Password
  • Sort feature to arrange the displayed passwords
  • Save the recovered WiFi password list to HTML/XML/TEXT file.
  • Integrated Installer for assisting you in local Installation & Uninstallation.

Download WiFi password decryptor



learn ethical hacking


What is computer hacking?
In the cyber security world, a person who is able to discover a weakness in a system and manages to exploit it to accomplish his goal is referred to as a hacker, and the process is referred to as hacking.

Nowadays, people have started to think that hacking is only hijacking Facebook accounts or defacing websites. Yes, that is also part of the hacking field, but it doesn't mean that it is the main part of hacking.

So what exactly is hacking, and what should I do to become a hacker? Don't worry, you will learn it from Break The Security. The main thing you need to become a hacker is self-interest. You should always be ready to learn something and learn to create something new.


Now, let me explain the different kinds of hackers that exist in the cyber security world.

Script Kiddie

Script kiddies are people who use tools, scripts, methods and programs created by real hackers. Simply put, a script kiddie is someone who doesn't know how a system works but is still able to exploit it with previously available tools.

White Hat Hacker:
White hat hackers are good guys who do hacking for defense. The main aim of a white hat hacker is to improve the security of a system by finding security flaws and fixing them. They work for an organization or individually to make cyberspace more secure.

Break The Security concentrates only on white-hat hacking and helps you learn the world of ethical hacking.

Black Hat Hacker:
Black hat hackers are really bad guys, cyber criminals, who have malicious intent. Hackers who steal money, infect systems with malware, etc. are referred to as black hat hackers. They use their hacking skills for illegal purposes.

GreyHat hackers:


These are hackers who may work offensively or defensively, depending on the situation: hackers who don't have malicious intentions but still like to break into third-party systems for fun or just to show the existence of a vulnerability.

Hacktivists
These are hackers who use their hacking skills to protest against injustice, attacking target systems and websites to bring justice. Popular hacktivist groups include Anonymous and RedHack.