Category Archives: Latest Articles

Mobile Ad Network Abused in DDoS Attack


CloudFlare revealed that one of its customers was recently hit by a Distributed Denial of Service (DDoS) attack that appeared to leverage a mobile ad network and malicious JavaScript.

JavaScript-based attacks are classified as Layer 7 attacks because they rely on legitimate HTTP requests. Experts have been warning about the possibility of such attacks since 2010, when Jeremiah Grossman and Matt Johansen presented them at the Black Hat conference. They have only recently become a reality, and they are becoming increasingly problematic.

Unfortunately, this kind of attack is becoming popular in the hacking community. Security researchers from the University of California at Berkeley and the University of Toronto have uncovered a powerful weapon in the Chinese government's cyber arsenal, a tool dubbed the “Great Cannon”, which is used to hit websites with powerful DDoS attacks. The Great Cannon has been used by Chinese authorities to knock out two anti-censorship GitHub pages. It can also be used as a hacking tool to silently install malware on a targeted machine.

The experts explained that the Great Cannon relies on malicious JavaScript injected into unencrypted traffic in order to carry out these attacks against targeted websites.

Another similar DDoS attack was uncovered a few days ago, when experts at Imgur discovered that a vulnerability in the platform was exploited by attackers to target the imageboards 4chan and 8chan.

CloudFlare then noticed a large number of HTTP requests aimed at one of its customers' websites; the attack peaked at over 1 billion requests per hour. The experts observed a total of 4.5 billion requests reaching the content delivery network's servers on the day of the attack.


The requests originated from 650,000 unique IP addresses, 99.8% of which were traced to China. Experts also discovered that nearly 80% of the requests originated from mobile devices, in many cases from mobile apps and browsers that are popular in China.

“Attacks like this form a new trend,” states a blog post published by CloudFlare. “They present a great danger in the Internet – defending against this type of flood is not easy for small website operators.”

“There is no way to know for sure why so many mobile devices have visited the attack page, but the most plausible distribution vector seems to be an ad network,” wrote CloudFlare researcher Marek Majkowski. “It seems probable that users were served advertisements containing the malicious JavaScript. These ads were likely shown in frames in mobile apps, or mobile browsers, to people casually browsing the Internet.”

The experts discovered that the websites in the “Referer” header pointed to an aggregator or a link farm. The attack relied on JavaScript hosted on these pages that was able to generate a large number of XMLHttpRequest (XHR) requests.

CloudFlare researchers excluded the possibility that this DDoS attack was conducted by injecting TCP packets, as observed in the attacks conducted with the Great Cannon.


Researchers believe that users browsing the Web from mobile devices were served an iframe containing an advertisement. The content was requested from an advertising network that served the attacker's ads through the real-time bidding model. At this point, the malicious actors either served the attack page directly or forwarded victims to it. Finally, the malicious JavaScript on the page was executed and launched a flood of XHR requests towards CloudFlare's servers.

A few months ago, F5 Networks' David Holmes explained in a SecurityWeek column why mobile DDoS had never materialized. One of the main reasons, according to the expert, is that mobile users mostly rely on dedicated apps to connect to online services instead of using a web browser as they do on desktop computers. This makes it less likely for a mobile device to be affected by a malvertising campaign.

The attack scenario can be summarized as follows:

  • A user was casually browsing the Internet or opened an app on their smartphone.
  • The user was served an iframe with an advertisement.
  • The advertisement content was requested from an ad network.
  • The ad network forwarded the request to the third party that won the ad auction.
  • Either the third-party website was the “attack page”, or it forwarded the user to an “attack page”.
  • The user was served an attack page containing malicious JavaScript which launched a flood of XHR requests against CloudFlare servers.

“It seems the biggest difficulty is not in creating the JavaScript – it is in effectively distributing it. Since an efficient distribution vector is crucial in issuing large floods, up until now I haven't seen many sizable browser-based floods,” Majkowski added.
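The traffic pattern described above (many distinct, mostly mobile clients, all issuing XHR requests with a Referer pointing at an aggregator or link farm) is something a site operator can look for in their own access logs. The following is an added example, not code from CloudFlare or the original article; the log format, host names and thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed log format for this example (not CloudFlare's real log format):
# ip - - [timestamp] "METHOD path HTTP/1.1" status bytes "referer" "user-agent" "x-requested-with"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<xrw>[^"]*)"$'
)
MOBILE_UA_RE = re.compile(r"Android|iPhone|iPad|Mobile", re.IGNORECASE)

def parse_line(line: str) -> Optional[dict]:
    """Extract the fields the flood check needs; None for a malformed line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "referer_host": urlsplit(m["referer"]).hostname or "(none)",
        "mobile": bool(MOBILE_UA_RE.search(m["ua"])),
        "xhr": m["xrw"].lower() == "xmlhttprequest",
    }

def referer_stats(lines: List[str]) -> Dict[str, dict]:
    """Per Referer host: request volume, distinct client IPs, mobile and XHR counts."""
    stats: Dict[str, dict] = defaultdict(
        lambda: {"requests": 0, "ips": set(), "mobile": 0, "xhr": 0}
    )
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        s = stats[req["referer_host"]]
        s["requests"] += 1
        s["ips"].add(req["ip"])
        s["mobile"] += int(req["mobile"])
        s["xhr"] += int(req["xhr"])
    return stats

def flag_ad_floods(lines: List[str], min_requests: int = 5, min_distinct_ips: int = 5,
                   min_xhr_share: float = 0.9, min_mobile_share: float = 0.8) -> Dict[str, dict]:
    """Flag Referer hosts whose traffic matches the pattern in the article: many
    requests from many distinct, mostly mobile clients, nearly all issued as XHR."""
    flagged = {}
    for host, s in referer_stats(lines).items():
        n = s["requests"]
        if (n >= min_requests and len(s["ips"]) >= min_distinct_ips
                and s["xhr"] / n >= min_xhr_share and s["mobile"] / n >= min_mobile_share):
            flagged[host] = {"requests": n, "distinct_ips": len(s["ips"])}
    return flagged

def _line(ip: str, referer: str, ua: str, xrw: str) -> str:
    # Builds one constructed sample line in the format above.
    return (f'{ip} - - [28/Sep/2015:10:00:00 +0000] "GET /api/ping HTTP/1.1" 200 12 '
            f'"{referer}" "{ua}" "{xrw}"')

MOBILE_UA = "Mozilla/5.0 (Linux; Android 5.0) Mobile Safari/537.36"
DESKTOP_UA = "Mozilla/5.0 (Windows NT 6.1) Firefox/40.0"
# Constructed sample traffic: eight mobile XHR hits via a link-farm Referer (the flood),
# a few ordinary page views from our own site, one direct hit and one malformed line.
SAMPLE_LOG = (
    [_line(f"203.0.113.{i}", "http://links.ad-farm.example/p", MOBILE_UA, "XMLHttpRequest") for i in range(1, 9)]
    + [_line(f"198.51.100.{i}", "https://www.customer.example/", DESKTOP_UA, "-") for i in range(1, 4)]
    + [_line("198.51.100.9", "", DESKTOP_UA, "-"), "not a log line"]
)
```

Running `flag_ad_floods(SAMPLE_LOG)` reports only the link-farm Referer; the thresholds are deliberately low for the tiny sample and would be tuned to a real site's baseline.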

Facebook's Messenger and the Challenge to Google's Search Dominance


Facebook has announced M, an Artificial Intelligence powered personal assistant that works inside its Messenger app, firing a massive shot across Google's bow. Apparently Facebook can scale M successfully to its wide market, even within WhatsApp. This new Artificial Intelligence product signifies a direct assault on AdWords and search, the life-blood of Google's business. To understand how a virtual personal assistant inside a mobile messaging app symbolizes such a threat to Google, it helps to look at why the company is in this situation in the first place.

Google confronts the common innovator's challenges:


The technology behemoth, recently reorganized under Alphabet, has established a mega-market around AdWords, and for most of the history of the business it has been making billions and billions of U.S. dollars in lucrative gains. The search engine giant's core business is so profitable that it can independently fuel all of Google's wildly-ambitious and occasionally-awesome side projects, like self-driving cars, Internet infrastructure, augmented reality and life extension.

Of course, the massive AdWords money machine is built on top of a remarkable search product that works so well and so quickly that most of the web-connected population of Earth depends on it every day to extract the information, goods and services they want from the vast expanses of the web. According to current data from comScore, a digital media analytics firm, Facebook Messenger has about 59.5% reach with America's smartphone mobile media consumers aged 18 and above, with Facebook at 73.3% and YouTube in third position at 59.3%.


But therein lies the rub: somewhere in the recesses of its collective corporate mind, Google knows that keyword search, the current foundation of its empire, is not the future. Indeed, as former Googler and current Yahoo CEO Marissa Mayer told John Battelle when he was writing a book on your friendly neighborhood search giant years ago, “search is only 5% solved”.

Major Consequences for Google's Search:

While Google's search technology has incorporated YouTube, Maps and Knowledge since Mayer said this, the statement is as true today as it was then: Google's fundamental product experience still involves entering a few words into a search box and getting back a list of relevant links.
Because Larry Page and Sergey Brin are visionaries, they know that the next-generation solution to the problem of search looks less like a clickable list of links and more like a primitive Star Trek computer or an early version of the Artificial Intelligence from the movie Her. But massive ships with hundreds of billions of dollars in market capitalization are hard to turn.


As one former Google Now engineer recently told Mark Bergen at Re/code, after political infighting and corporate shuffling led to Google Now losing prominence, “This is how big companies work”.

The subsequent exodus of Google Now's team doesn't bode well for Google's stake in the future of search, because Now was the closest thing to the future of search that the company has produced to date.

The future of search is an intelligent digital assistant that can complete tasks. Like Google today, the search engine of the future will be able to mine the vast expanses of the Internet for relevant information and deliver it to you in milliseconds. But much unlike today's Google, the future's search engine will behave like a digital personal assistant that can understand and predict your needs, then deliver on them without requiring you to navigate to any web pages or tap around a bunch of apps.


When you do ask for something, this search engine will not respond with a list of bluish links. Instead, it will respond with a definitive result or a completed task. When it doesn't have the definitive result or can't complete the task on the first pass, it will ask you further questions to get closer, until it gets it right.

To make this concrete, here are a couple of sample interactions with the search engine of the future:

Scenario 1: The Upcoming Flight


Future Search Bot: Hello Dan! You have a flight to New York that boards in 90 minutes, and traffic to SFO from your current location is usually bad right now. Would you like me to call you a Lyft now so you get there on time?
Future Dan: Yes, that sounds good.
Search Bot: Great, it looks like you are at the office. Is that where I should send the car?
Dan: That's perfect.
Search Bot: Great. Shall I put it on your personal AmEx, then?
Dan: Actually, use my debit card.
Search Bot: Done. Your car will arrive in 2 minutes.

Scenario 2: The Car Repair


Future Search Bot: Hey Dan, your car is reporting that your brake pads need replacement. Would you like me to schedule a service appointment?
Future Dan: Good call. Please do.
Search Bot: Sure thing, Dan. There are five mechanics within a 1.5 mile radius of your house that have good reputations. Shall I get you quotes from them?
Dan: Sure.

The Future of Search Looks a Lot Like Facebook's M:

We have known for a while that Facebook has been investing heavily in deep learning and other forms of Artificial Intelligence. But until last month, we didn't know what all the rumpus was about.

But now we do: Facebook is testing an A.I.-powered assistant inside Messenger itself. This assistant can book appointments, order gifts, make restaurant and travel reservations, and more. Without search and mapping technologies and access to your calendar and inbox, Facebook's A.I. assistant won't be able to do all the things in the scenarios above, but M is officially a contender. To understand why M poses a threat to Google, it helps to consider why AdWords became such a valuable asset in the first place:


On the web, search has long been the most direct bridge between someone’s intent and the transaction where that intent is fulfilled. This transaction could be something free, like reading an article, where attention is the currency being exchanged.

It could be something between free and paid, like downloading a piece of content in exchange for contact information. It could also just be paid: buying a product or service right from the web. Because Google controls the middle of the bridge between your intent to transact and the final transaction, it can charge businesses who want a piece of it a very high toll. Want to capture that lucrative intent? Pay me.
But an A.I. that goes out and completes transactions for you disrupts that entire process. If you can simply tell a digital assistant to buy tickets to a movie, or even get you an insurance quote, there's no longer any need to click or navigate to a web page. Without a page of links between your intent and the transaction, there's nowhere for AdWords to show up!

The whole model of search changes forever.

Script Injection Vulnerability Discovered in Salesforce


Elastica (www.elastica.net), the leader in Data Science Powered Cloud Application Security, released details about an injection vulnerability it disclosed to Salesforce. The flaw opened the door for attackers to use the trusted application as a platform to conduct phishing attacks, steal end users' login credentials and hijack accounts. Salesforce patched the vulnerability, which was found and validated by Elastica, just one day before the release.

Since the vulnerability existed in the actual Salesforce domain, end users receiving phishing emails containing the URL would have had no way of identifying it as malicious, and there is a high likelihood that such a URL would not have been detected by spam filters or other anti-phishing solutions. It could therefore have been used to attack end users, steal their credentials and ultimately hijack their accounts. Elastica researchers considered this a serious threat, as most users log into Salesforce every day.

What is Salesforce.com?


Salesforce.com is a cloud computing and Social Enterprise Software as a Service (SaaS) provider based in San Francisco. It was founded in March 1999, in part by former Oracle executive Marc Benioff.

Thanks to its cloud platforms and applications, the company is best known for its Customer Relationship Management (CRM) product, which is composed of Sales Cloud, Service Cloud, Marketing Cloud, Chatter, Work.com and Force.com.

Sales Cloud:- It manages contact information and integrates social media and real-time customer collaboration through Chatter. It includes a call center-like case tracking feature and a social network plug-in for conversation and analytics.

Marketing Cloud:- It offers Radian6, a social media monitoring and marketing application.

Force.com:- The company's platform as a service (PaaS) product, which allows software developers to create add-on applications.

Work.com:- It offers Rypple, a social Human Resource (HR) performance management platform.

In addition to its products and platforms, Salesforce.com has created AppExchange, a custom application building and sharing platform. The company also offers consulting, deployment and training services.

Elastica Report:

Elastica reported that it followed standard responsible disclosure guidelines, giving the company appropriate time to respond and address the issue, and that it provided details on how to fix the vulnerability. Because the vulnerability existed in a subdomain rather than the primary website, Salesforce considered it a low-impact threat.


According to the report, Elastica Cloud Threat Labs discovered the vulnerability in “admin.salesforce.com”, a subdomain used by Salesforce for blogging purposes. According to the researchers, this subdomain was susceptible to a reflected Cross-Site Scripting (XSS) vulnerability, where a specific function in the deployed application failed to filter arbitrary input passed by the remote user as part of the HTTP request. The use of a trusted server provided an opportunity for attackers to execute JavaScript to steal cookies and session identifiers, force users to visit phishing sites that extract credentials, and distribute malicious code to users' machines.

In more detail, the flaw enabled attackers to:

  • Execute JavaScript to steal cookies and session identifiers, which could have led to Salesforce account takeover, depending on the Same Origin Policy (SOP).
  • Force users to visit phishing sites to extract credentials through social engineering tricks; attackers could also have injected pop-up windows to facilitate phishing attacks.
  • Force users to download malicious code onto their machines by executing unauthorized scripts in the context of the browser running the vulnerable application.
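The bug class in the list above, shown as an added illustration that is not Salesforce's or Elastica's code: a constructed blog search page that reflects a query parameter without filtering, beside the escaped version and the response headers that limit what a reflected script could reach. The page markup, the example URL and the header values are assumptions.

```python
import html
from http.cookies import SimpleCookie
from typing import Callable, Dict
from urllib.parse import parse_qs, quote, urlsplit

# Constructed stand-in for a blog search page (assumption, not the real application).
PAGE = "<html><body><h1>Blog search</h1><p>Results for: {query}</p></body></html>"

def query_param(url: str) -> str:
    """Take the user-controlled 'q' parameter from the request URL."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]

def render_search_vulnerable(url: str) -> str:
    """The flaw class in the report: the reflected value is not filtered,
    so any markup or script in it becomes part of the trusted page."""
    return PAGE.format(query=query_param(url))

def render_search_fixed(url: str) -> str:
    """Hardened version: HTML-escape the reflected value so it renders as text only."""
    return PAGE.format(query=html.escape(query_param(url), quote=True))

def hardened_response_headers(session_id: str) -> Dict[str, str]:
    """Defence in depth against the consequences listed above: an HttpOnly, Secure,
    SameSite session cookie cannot be read by page script, and a CSP without
    'unsafe-inline' keeps a reflected inline script from executing at all."""
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["httponly"] = True
    cookie["sid"]["secure"] = True
    cookie["sid"]["samesite"] = "Strict"
    return {
        "Set-Cookie": cookie["sid"].OutputString(),
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "X-Content-Type-Options": "nosniff",
    }

def reflects_unescaped(render: Callable[[str], str], marker: str = "<b>probe</b>") -> bool:
    """Self-check for a render function: does a harmless marker tag come back as live markup?"""
    page = render("https://blog.example/search?q=" + quote(marker))
    return marker in page

if __name__ == "__main__":
    print("vulnerable page reflects markup:", reflects_unescaped(render_search_vulnerable))
    print("fixed page reflects markup:", reflects_unescaped(render_search_fixed))
    print(hardened_response_headers("example-session-id")["Set-Cookie"])
```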


“Exploitation of XSS vulnerabilities is among the most prolific methods of Web application hacking today,” said Dr. Aditya K. Sood, lead architect of Elastica Cloud Threat Labs. “Although this particular flaw was only present in a Salesforce subdomain, exploiting the trust of the company's primary domain could have allowed attackers to easily implement phishing attacks to gain access to user credentials. With the help of stolen credentials, attackers can access users' accounts and exfiltrate sensitive data undetected for long periods of time.”

Salesforce uses Single Sign-On (SSO), enabling users to easily access a variety of integrated applications through a central login. If phishing attacks implemented through this vulnerability had been successful, attackers who obtained login credentials would have gained access to a host of other services, including cloud applications, potentially multiplying the effects of the breach significantly.


The use of SSO makes this vulnerability a legitimate threat to all SaaS applications. If user login credentials are compromised, attackers have the ability to infiltrate a variety of cloud applications accessible through the service. The Elastica Cloud Solution addresses this risk by using advanced data science to detect malicious behavior occurring within these apps, enabling organizations to take immediate action if such behavior is detected.

Google vs Microsoft: Google Reveals Third Zero-Day Vulnerability in Windows OS (7 and 8.1)

Google's Project Zero security research team has once again put Windows users' data at risk by revealing a third unpatched zero-day vulnerability. It is the third time in a month that Google has beaten Microsoft to disclosure under Project Zero's 90-day public disclosure deadline policy. This is a big loophole found by Google in Windows 7 and 8.1. According to experts, the vulnerability found by Google might invite hackers to attack Windows-based computers. The third Windows zero-day vulnerability was found by Google many days earlier, but it was publicly announced on 15 January 2015 because Microsoft had crossed the 90-day disclosure deadline.

What is Google's Project Zero and its 90-Day Disclosure Policy?

It is a project in which a team of experts works on newly released software. The team members analyze an application in depth and find whatever vulnerabilities it has. If a fault is found, the vendor receives a notification from Google's Project Zero team to fix the issue soon. The project also has a 90-day disclosure policy, which applies when the vendor of an application fails to fix the reported issues. Google gives a maximum of 90 days to fix the issue and release a patched solution for the problem. If the vendor exceeds that time period, the Project Zero team reveals the vulnerability in the program publicly.

The same thing happened with Microsoft. The loophole in Windows 7 and 8.1 was found by the Google team in July 2014, but they notified Microsoft on 17 October 2014 to fix the vulnerability within the public disclosure deadline. Microsoft claims that it already knew about this Windows loophole and will release a patch to fix the issue. But the matter has become controversial because Google's deadline has passed, which is why the news has been published.

What are the Windows 7 & 8.1 Vulnerabilities Found by Google?

The third zero-day vulnerability concerns the CryptProtectMemory function of Windows and its CRYPTPROTECTMEMORY_SAME_LOGON flag. CryptProtectMemory is a built-in function which allows users to encrypt a particular file or folder, or a complete region of memory, under various circumstances. Microsoft allows its users to create encryption codes and passwords for every separate folder, and you can also set a key password for logging on to Windows. Sharing of encrypted memory depends on the Windows logon of the authenticated user.

According to the Google research team, the loophole in this CryptProtectMemory feature lies in how a user's logon is handled by the CNG.sys driver: it does not check the authorization level and even allows users to act as an admin. Third-party users, or users on the same network, can easily access the encrypted memory data and folders.

The vulnerability in Windows 7 and 8.1 was confirmed by Google researchers in mid-October 2014. A member of the Google team, James Forshaw, found this loophole in Windows. He had also discovered a “privilege elevation flaw” in Windows 8.1 which was recently revealed. This vulnerability is related to the CNG.sys implementation, which fails to check the token properly.

Microsoft has accepted that Google is right and that there is a loophole in the CryptProtectMemory feature of Windows 7 and 8.1. Microsoft has announced that it will release a patch to fix the issue in mid-February 2015. But because of Google's 90-day disclosure policy, Google has revealed this zero-day vulnerability in Windows 7 and 8.1 publicly. The Google research team sets a 90-day window after notifying vendors about the vulnerability in their products, and if the vendor does not sort out the problem within that period, the report is automatically published.

Microsoft has criticized Google for this step and stated in a note that there was no need to publish it publicly while Microsoft already knew about the vulnerability and its experts were developing a patch to resolve the issue, which would be available soon. Chris Betz, a senior director at Microsoft, also remarked that if users are happily using Windows 7 and 8.1 despite the problem, there is no reason for Google to take such steps while Microsoft is trying to resolve the issue soon.

Regarding the Windows OS vulnerabilities, the director said that nothing is perfect, that software is made by human beings, and that Microsoft will deliver the patch to fix all these issues soon, in February. Microsoft is promising its customers a complete solution soon.

But according to Google, it is a matter of its 90-day disclosure policy and user security. The Google team always researches every new OS and application, finds vulnerabilities if there are any, and protects users from losses. It is really good to make you all aware of this flaw in Windows 7 and 8.1. It has become a controversial discussion between Google researchers and the Microsoft team. But as a Windows user you must stay aware and check our updates or Microsoft Update daily to get the latest patches. In this way you will be able to get the patch that fixes the CryptProtectMemory vulnerability easily.