Jun 28 2011

Groupon Leaks Entire Indian User Database

The entire user database of Groupon’s Indian subsidiary Sosasta.com was accidentally published to the Internet and indexed by Google.

The database includes the e-mail addresses and clear-text passwords of the site’s 300,000 users. It was discovered by Australian security consultant Daniel Grzelak as he searched for publicly accessible databases containing e-mail address and password pairs.

Grzelak used Google to search for SQL database files that were web accessible and contained keywords like “password” and “gmail”.

“A few hours and tweaks later, this database came up,” he said. “I started scrolling, and scrolling and I couldn’t get to the bottom of the file. Then I realised how big it actually was.”

Grzelak contacted Risky.Biz after the Sosasta discovery to seek advice on disclosure. This website contacted the CEO of Groupon, Andrew Mason, who called back personally within 24 hours of initial contact.

The database was removed immediately and the company has launched an internal investigation to find out how it wound up publicly accessible in the first place.

Groupon is notifying all its Sosasta users of the incident and is advising them that the passwords they used on the website are now compromised and cannot be relied upon to secure other accounts.

Source: Risky.Biz
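The exposure described above came down to a database export sitting under a web-accessible path where a search-engine crawler could index it. As an added example (not code from the article or from Groupon), this Python script audits a document root for dump-like files and flags those that carry e-mail/password rows in the clear; the directory layout, file names and records it creates are constructed sample data.

```python
"""Audit a web document root for database dumps a crawler could index."""
import os
import re
import tempfile

# File names typically produced by database export or backup tools.
DUMP_NAME = re.compile(r"\.(sql|sql\.gz|dump|bak)$", re.IGNORECASE)
# Signs of a cleartext credential table inside the file.
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
PASSWORD_COLUMN = re.compile(r"\bpassword\b", re.IGNORECASE)


def inspect_file(path, max_bytes=1 << 20):
    """Return a finding for a dump-like file, or None if the name is benign."""
    if not DUMP_NAME.search(os.path.basename(path)):
        return None
    with open(path, "rb") as fh:  # only read the head; dumps can be huge
        head = fh.read(max_bytes).decode("utf-8", errors="replace")
    emails = len(EMAIL.findall(head))
    return {
        "path": path,
        "emails": emails,
        "cleartext_credentials": emails > 0 and bool(PASSWORD_COLUMN.search(head)),
    }


def audit_webroot(root):
    """Walk the document root; credential-bearing dumps sort first."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            finding = inspect_file(os.path.join(dirpath, name))
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda f: (not f["cleartext_credentials"], f["path"]))


def demo():
    """Build a constructed web root with one leaked dump and audit it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "backup"))
    # Constructed sample dump: an export left in the document root.
    with open(os.path.join(root, "backup", "users.sql"), "w") as fh:
        fh.write("INSERT INTO users (email, password) VALUES\n"
                 "('alice@example.com','hunter2'),('bob@example.com','letmein');\n")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html>hello</html>\n")
    return audit_webroot(root)
```

Run `audit_webroot` against the real document root of each web server you operate; any hit is a file that belongs outside the web-served tree, and a credential hit means the stored passwords should be treated as already compromised.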

Jun 21 2011

Zed Attack Proxy (ZAP) – Integrated Penetration Testing Tool

The Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

Features:

  • Intercepting Proxy
  • Automated scanner
  • Passive scanner
  • Brute Force scanner
  • Spider
  • Fuzzer
  • Port scanner
  • Dynamic SSL certificates
  • API
  • Beanshell integration

Characteristics:

  • Easy to install (just requires Java 1.6)
  • Ease of use a priority
  • Comprehensive help pages
  • Fully internationalized
  • Under active development
  • Open source
  • Free (no paid-for ‘Pro’ version)
  • Cross platform
  • Involvement actively encouraged

Download: ZAP 1.3.1

Jun 20 2011

LulzSec – Anonymous Teamed Up For “Operation AntiSec”

Over the weekend, LulzSec has seemingly moved away from being in it “for the lulz” and acquired a cause: it has announced that it has teamed up with Anonymous and other “affiliated battleships” and that it is launching “Operation Anti-Security”.

“Top priority is to steal and leak any classified government information, including email spools and documentation. Prime targets are banks and other high-ranking establishments,” it says in the call-to-arms published on Sunday on pastebin.com. “We encourage any vessel, large or small, to open fire on any government or agency that crosses their path. We fully endorse the flaunting of the word “AntiSec” on any government website defacement or physical graffiti art. We encourage you to spread the word of AntiSec far and wide, for it will be remembered.”

It is widely speculated that the members of the LulzSec team have, at one time, been part of Anonymous, so this teaming up shouldn’t be wholly unexpected.

Another curious event over the weekend: the group released a press release to mark its 1000th tweet.

In it, they address the speculation that the real goal of their actions is to enable the passing of restrictive laws for Internet users, saying that users should be more worried about the hackers who don’t publish their exploits. “Do you feel safe with your Facebook accounts, your Google Mail accounts, your Skype accounts? What makes you think a hacker isn’t silently sitting inside all of these right now, sniping out individual people, or perhaps selling them off?”

“We’ve been entertaining you 1000 times with 140 characters or less, and we’ll continue creating things that are exciting and new until we’re brought to justice, which we might well be,” they pointed out. “But you know, we just don’t give a living f*ck at this point – you’ll forget about us in 3 months’ time when there’s a new scandal to gawk at, or a new shiny thing to click on via your 2D light-filled rectangle.”

Jun 16 2011

Hackers Disrupt 51 Malaysian Government Websites

51 Malaysian government websites were hacked into overnight but no personal or financial data was compromised, government officials said on Thursday, as the nation became the latest target of a cyber-war waged by online activists.

In the attacks, 91 websites were hit including 51 government websites, the industry regulator, the Malaysian Communications and Multimedia Commission, said on Thursday.

Access to 76 of the 91 websites attacked since shortly before midnight on Wednesday had been recovered, it said.
The attacks followed a warning by Internet vigilante group Anonymous, which said it would attack the government’s official portal to punish it for censoring WikiLeaks, the website that aims to expose governments and corporations by leaking secret documents.

It was not immediately clear if the attacks were launched by Anonymous or other hackers.

Anonymous is a loose group of global activists lobbying for Internet freedom who frequently try to shut down the websites of businesses and other organisations that they oppose.

In an earlier Internet posting, Anonymous said Malaysia’s censorship of films and television shows and its blocking of file-sharing websites amounted to a denial of human rights.

The communications commission last week banned 10 file-sharing sites and ordered Internet service providers such as Telekom Malaysia and Maxis to block access.

The restrictions have outraged ordinary Malaysians, and several people took to Twitter to express support for the cyber-attacks.

“Now to count how many sites have gotten whacked so far,” said a tweet posted by Rhyden. “I knew the government’s IT defense team was pathetic.”

Jun 15 2011

Google’s Web Mapping Can Track Your Phone

If you have Wi-Fi turned on, the previous whereabouts of your computer or mobile device may be visible on the Web for anyone to see.

Google publishes the estimated location of millions of iPhones, laptops, and other devices with Wi-Fi connections, a practice that represents the latest twist in a series of revelations this year about wireless devices and privacy, CNET has learned.

Android phones with location services enabled regularly beam the unique hardware IDs of nearby Wi-Fi devices back to Google, a similar practice followed by Microsoft, Apple, and Skyhook Wireless as part of each company’s effort to map the street addresses of access points and routers around the globe. That benefits users by helping their mobile devices determine locations faster than they could with GPS alone.

Only Google and Skyhook Wireless, however, make their location databases linking hardware IDs to street addresses publicly available on the Internet, which raises novel privacy concerns when the IDs they’re tracking belong to mobile devices. If someone knows your hardware ID, he may be able to find a physical address that the companies associate with you, even if you never intended it to become public.

Tests performed over the last week by CNET and security researcher Ashkan Soltani showed that approximately 10 percent of laptops and mobile phones using Wi-Fi appear to be listed by Google as corresponding to street addresses. Skyhook Wireless’ list of matches appears to be closer to 5 percent.

Source: CNET News