Jul 30 2011

Facebook To Start Paying Security Bug Bounty

Facebook Bug BountyFacebook is the most recent company to come to the bug-bounty party, officially announcing recently that-

To show our appreciation for our security researchers, we offer a monetary bounty for certain qualifying security bugs.”

Here’s how it works:

Eligibility:
To qualify for a bounty, you must:

  • Adhere to our Responsible Disclosure Policy
  • Be the first person to responsibly disclose the bug
  • Report a bug that could compromise the integrity or privacy of Facebook user data, such as: Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF/XSRF), Remote Code Injection.
  • Reside in a country not under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)

Facebook security team will assess each bug to determine if qualifies.

Rewards:

  • A typical bounty is $500 USD
  • We may increase the reward for specific bugs
  • Only 1 bounty per security bug will be awarded

Exclusions:
The following bugs aren’t eligible for a bounty:

  • Security bugs in third-party applications (e.g., http://apps.facebook.com/[app_name])
  • Security bugs in third-party websites that integrate with Facebook
  • Security bugs in Facebook’s corporate infrastructure
  • Denial of Service Vulnerabilities
  • Spam or Social Engineering techniques

Sign Up: Facebook Official Bug Bounty Page

Jul 27 2011

Half of SAP Systems on the Internet will be Hacked Next Week

SAP HackedOn the 4th of august at the world’s largest technical security conference – BlackHat USA 2011, which will take place in Las Vegas, SAP security expert and CTO of ERPScan Alexander Polyakov will show how any malicious attacker can get access to the systems running on SAP via Internet using new critical vulnerability.

SAP systems are used in more than 100 000 world companies to handle business-critical data and processes. Almost in each company from Forbes 500 system data are set for the handling of any process beginning from purchasing, human resources and financial reporting and ending with communication with other business systems. Thus receiving an access by the malicious attacker leads to complete control over the financial flow of the company, which can be used for espionage, sabotage and fraudful actions against hacked company.

The given attack is possible due to dangerous vulnerability of the new type, detected by Alexander in J2EE engine of SAP NetWeaver software, which allows bypassing authorization checks. For example it is possible to create a user and assign him to the administrators group using two unauthorized requests to the system. It is also dangerous because that attack is possible on systems, protected by the two-factor authentication systems, in which it is needed to know secret key and password to get access. To prove it researchers from ERPScan created a program, which detects SAP servers in the Internet with help of secret Google keyword and checks found servers on potential dangerous vulnerability. As the result, more than half of available servers could be hacked with help of found vulnerability.

“Danger is in that it is not only a new vulnerability, but a whole class of vulnerabilities that was theoretically described earlier but not popular in practice. During our research we only detected several examples in standard system configuration, and because each company customizes the system under its own business processes, new examples of vulnerabilities of the given class can be potentially detected at each company in the future. We have developed a free program which can detect unique vulnerabilities of such type in order to protect companies on time and it is also included in our professional product – ERPScan Security Scanner for SAP.” — noted Alexander.

Jul 26 2011

Anonymous Hit Peru, Colombia, Philippines Governments

Anonymous Hackers

Several hacker groups have mounted a fresh batch of cyber attacks against the Peruvian, Colombian and Philippines governments, all in the name of Anonymous’ ongoing AntiSec campaign.

The attacks were all first revealed on The Hacker News website before subsequently being publicised by Anonymous via one of its Twitter accounts, where the group tweeted:

“#AntiSec spreading everywhere, Phillipines [sic]: http://bit.ly/pjyMSx Columbia: http://bit.ly/n1WH80 Peru: http://bit.ly/q9sTQw Rock on, mateys!”

The attack on the Colombian Government saw the hackers target roughly 250 of the country’s police officials with “spam bombs”. Following the regular pattern of most hacker groups, the attackers went on to post a statement online containing the personal data of National Police employees.

The statement thanked the police, “for keeping us submitted and trampled” and invited all like-minded individuals to join the AntiSec movement.

The attack on the Philippians Government was enacted by the “BashCrew” hacker collective. The hack targeted the country’s Congress.gov.ph website. The group subsequently published the stolen data on pastebin. The data posted included government workers personal information, emails and contact numbers.

The hacks in Peru targeted 10 government owned sites and were perpetrated by an as yet unidentified group of hackers. The attack was still credited as being a part of the ongoing AntiSec campaign. The information taken from the 10 sites was then posted online, it again included filenames and employee details.

The attacks come just as Anonymous has mounted several fresh attacks against the Italian Cyber Police and NATO.

None of the targeted governments have yet released official statements regarding the attacks.

Jul 22 2011

Anonymous Won’t Publish Stolen NATO Documents

AntisecFollowing the arrest of 16 individuals in the U.S. and five in the U.K. and the Netherlands who are allegedly connected to the various cyber attacks organized by Anonymous, the hacktivist group continues its mission unabated.

According to the claims the group made on their Twitter account, they have managed to hack the servers of the North Atlantic Treaty Organization (NATO) and exfiltrate around one GB of its restricted and confidential documents.

To prove the veracity of their assertions, they have also published two of those documents – one classified as “NATO Restricted” – but said that they would not publish the rest of them as it would be irresponsible of them. NATO has said that its security experts are investigating the group’s claims.

In the meantime, the LulzSec hackers have stated that they are currently working with certain media outlets who have been granted exclusive access to some of the News of the World emails the group got their hands on, even though Anonymous has previously stated that they would not release The Sun emails because they might compromise the ongoing court case against the news corporation.

Sabu, one of the members of LulzSec, has also shared that the News International emails just part of the data the group has in its posession.

Both groups have not commented on whether the individuals arrested at the beginning of the week had anything to do with them, except for saying that they show respect for the “fallen anons”.

Jul 16 2011

Pentagon Discloses Largest Ever Cyber Theft

Pentagon Cyber Theft(AP) WASHINGTON – The Pentagon on Thursday revealed that in the spring it suffered one of its largest losses ever of sensitive data in a cyberattack by a foreign government. It is a dramatic example of why the military is pursuing a new strategy emphasizing deeper defenses of its computer networks, collaboration with private industry and new steps to stop “malicious insiders.”

William Lynn, the deputy secretary of defense, said in a speech outlining the strategy that 24,000 files containing Pentagon data were stolen from a defense industry computer network in a single intrusion in March. He offered no details about what was taken but said the Pentagon believes the attacker was a foreign government. He didn’t say which nation.

“We have a pretty good idea” who did it, Lynn said in an interview before the speech. He would not elaborate.

Read the full Defense Department strategy (pdf)
ZDNet’s Larry Dignan on the security breach

Many cyberattacks in the past have been blamed on China or Russia. One of the Pentagon’s fears is that eventually a terrorist group, with less at stake than a foreign government, will acquire the ability to not only penetrate U.S. computer networks to steal data but to attack them in ways that damage U.S. defenses or even cause deaths.

The Pentagon has long worried about the vulnerability of its computer systems. The concern has grown as the military becomes more dependent not only on its own computers but also on those of its defense contractors, including providers of the fuel, electricity and other resources that keep the military operating globally.

Lynn said intrusions in the last few years have compromised some of the Pentagon’s most sensitive systems, including surveillance technologies and satellite communications systems. Penetrations of defense industry networks have targeted a wide swath of military hardware, including missile tracking systems and drone aircraft, he said.