PoC Code published for instant Blue Screen of Death [ Flaw unfixed ]

If you are a windows user than I'm sure you are familiar with blue screen of death. A Romanian hardware expert has published a proof-of-concept code that crashes most of the Windows computer within seconds. , even if the computer is in a lock state.

This interesting code exploits a vulnerability in Microsoft's handling of NTFS filesystem images and was discovered by Marius Tivadar, a security researcher with Bitdefender.

Affected Systems

1. Windows 7 Enterprise
2. Windows 10 Pro
3. Windows 10 Enterprise

The researcher only tested on the above mentioned system so there is a high chance that other systems too are affected by it.

What exactly is the flaw ?

The  PoC contains a malformed NTFS image that users can take and place it on a USB thumb drive. Inserting this USB thumb drive in a Windows computer crashes the system within seconds, resulting in a Blue Screen of Death (BSOD).

"Auto-play is activated by default," Tivadar wrote in a PDF document detailing the bug and its impact.

"Even with auto-play [is] disabled, [the] system will crash when the file is accessed. This can be done for [example,] when Windows Defender scans the USB stick, or any other tool opening it."

Microsoft declined to fix !

Yes you read it right, Microsoft declined to fix the flaw stating that it requires physical access / social engineering. Tivadar contacted Microsoft about the issue in July 2017, but published the PoC code today after the OS maker declined to classify the issue as a security bug. What makes it more dangerous is that it works even when the PC is locked. So imagine the situation when you lock your system and so somewhere hoping no one can access or cause any damage to your PC, someone can come and plug their pendrive and crash your system completely.

"I strongly believe that this behavior should be changed, [and] no USB stick/volume should be mounted when the system is locked," the researcher said. "Generally speaking, no driver should be loaded, no code should get executed when the system is locked and external peripherals are inserted into the machine."

Utilities of an Ethical hacking Course

Computer hacking involves various nuances. What prompts a hacker is an intent, benign or malicious, to hack a particular application. “Ethical hacking”, a term coined by the cyber industry, describes the actions of hacking that are purely ethical means a hacker exploits a network with the permission of its owner. This distinction keeps Ethical hackers aka white hat hackers separated from black-hatted bad guys.
 Why Use Ethical Hacking?
What can you expect to get when you pay to someone to hack into your application or website? Expose of security vulnerabilities! Being a part of the cyber world, you need to think like a criminal to prevent attacks. Ethical hackers use the same methods as their counterparts to test a security system, but they do it to report problems. The Federal government practices ethical hacking since the 1970s, and most companies employ white hat teams within their information security practice to attain the highest level of security. Other slang terms for ethical hackers are “sneakers,” “red teams”, and “tiger teams”. A variety of certification authorities train and certify your skills in implementing cybersecurity practices in an organization successfully.

Today, application security revolves around penetration testing. Companies perform “Pen tests” by artificially developing the scenarios of hacking and try to mimic what a bad hacker could achieve in reality. For manual application testing, cyber experts attempt to exploit the app and report the findings. From simple information-gathering exercises to outright attacks, different tests are performed which would cause damage if happened actually. Moreover, social engineering techniques have become an integral part of core ethical hacking, for example, tricking emailing staff for revealing passwords and other account details.
Free and Open Source Ethical Hacking Tools to Use:
A wide pool of ethical hacking tools is available to choose from according to challenges and requirements you have for cybersecurity. The tools mentioned below offer just a slice of the available offerings, but they are reliable and come for free. 
Being one of the most preferred penetration testing frameworks for networks and IT infrastructure, Armitage is designed for more user-friendly front-end version for the Metasploit framework.
Nmap or you can say Network Mapper is an open-sourced utility which works a security auditing tool. By finding a network services out, it hosts to develop a network map, which it further analyzes.
This tool is even featured as the go-to hacking tool in many movies and TV shows.
Its offerings include network protocol capture and real-time analysis which make it a standard tool amongst others. Using this tool gives you a wider look into network traffic and zoom in on individual packets while providing naives a detailed intro to TCP/IP.
This tool has transformed the way to perform pentesting. It has scored 6th rank on the top security tools list by ToolsWatch.org.  It plays a major role in analysis, indexation, and distribution of the data.
 International standards followed by ethical hackers
Being an ethical hacker, you are expected to follow industry trends to carry out penetration testing. An important trend is Payment Card Industry Data Security Standard. With a global set of recognised policies and procedures, this trend enhances the securities of credit, debit in addition to cash card transactions, and safeguards cardholders personal information.
Apart from having large teams of employees as ethical hackers, organizations own ethical hacking labs like Trustwave Holdings Inc., heading towards comprehensive cybersecurity which includes the tracking of vulnerabilities in ATMs, POS devices along with surveillance systems.
Hacking is a passion, but it must be ethical in all aspects. It’s a good career option, but only if you have good  knowledge of advanced tools and techniques. Proceeding with an ethical hacking course will make you think of, work for, and make decisions for like a professional hacker.

Online stored based on Magento hacked to steal card data, run cryptojacking scripts

Security researchers have identified 1000+ magento sites that have been hacked by hackers and infected them with malicious scripts which can be used to steal credit card data, deliver malware or run crypto mining scripts.

"The Magento sites are being compromised through brute-force attacks using common and known default Magento credentials," Flashpoint researchers say.

How the hacking took place ?

When users install magento they get a default credentials and in most of the cases brute force attack was sued to compromise the sites. Once attackers gain access to these sites, researchers say they've observed three main patterns of malicious activities.

The most common practice is to insert malicious code in Magento core files, code that logs payment card information entered inside the checkout process. Such malware is named a card scraper, and users should expect to find one on any e-commerce store that looks to have missed a few updates.

Second, attackers also deploy cryptojacking scripts that mine Monero on the computers of store visitors, a practice that has become quite common these days, across all sites, not just Magento stores.

Last but not least, hackers also use these compromised Magento stores to redirect some of the infected sites' visitors to malicious sites that attempt to trick users into downloading and installing malware on their computers. According to cases investigated by Flashpoint researchers, the most prevalent tactic was to redirect users to sites offering phony Adobe Flash Player update packages, which would infect users with the AZORult infostealers.

Everything we know about Samsung Galaxy S9

Samsung galaxy S series is one of the most awaited smartphone series every year. Samsung Galaxy S8 was a huge success for samsung and even after a year it stands strong. So the most exciting event of 2018 for samsung is happening on 25th February as they are going to launch Samsung Galaxy S9 and Galaxy S9+. Samsung Galaxy S9 and Galaxy S9+ will officially be unveiled on February 25 in Barcelona ahead of the Mobile World Congress (MWC) 2018. According to some reports, Samsung’s new Galaxy S9 and Galaxy S9+ are also expected to be priced higher than the previous year’s Galaxy S8 series.

The biggest change with the Samsung Galaxy S9 series is expected on the camera front and the company’s teasers have indicated this as well. The design will continue to remain the metal and glass one that we’ve seen on Samsung Galaxy S7, S8, Note8, etc. Samsung will also introduce a new version of the DeX Pad for the Galaxy S9 series, where a user can plug in the device and enjoy a desktop-like experience on the mobile itself. The DeX Pad was introduced last year with the Galaxy S8 series.

Just like any other phone, before the launch the internet is filled up with lots of leaks. Here are all the leaks of the Galaxy S9 as they happened

Specs: The US looks set to get a phone powered by the Qualcomm Snapdragon 845, and the rest of the world Samsung's own Exynos 9810 chipset. This means 30% improved power, albeit still with 4GB of RAM inside. This will be more than enough grunt, but those that lust after specs for the sake of them will be disappointed not to see 6GB,

Battery: While it looks like we're going to get a 3,000mAh power pack - the same as on the Galaxy S8 - the improved CPU inside will likely lead to a real boost in battery life. This means the Galaxy S9 should last easily over a day for more users than ever before.

Other key features: A recent promo conformed animated emoji, where faces are turned into cartoons, will be present on the Galaxy S9 as a response to Apple's Animoji.

Stereo speakers will also be a welcome addition for anyone tired of the mono-firing single outlet on previous phones - we don't expect this to be industry-leading in the same way as Sony and Apple, but at least using your phone to play music or movies will be more pleasant.

An improved iris scanner is rumored to be Samsung's play against Apple's Face ID too, but given the poor performance of the sensor last year we don't expect this to be a big feature.

5 Best External Hard Drives to Buy In 2018

Information is power and today everyone has increasingly important data that needs to be stored using safe and reliant devices. As the demands for the technology rises, new innovations that cater to every whim and fancy of the population are being created. The quest for the perfect hard disk ends only when you find one which is compatible with your device, fits your needs and falls within your estimates price range. Let’s take a look at top five must buy external hard drives that 2018 has given us till date.

1. Western Digital My Passport Wireless Pro:

The latest version of the Western Digital My Passport Pro does not compromise on quality, specifications or technology, even if it is a bit steeply priced at 25,490 INR. With a whopping 6400 mAh battery, the disk can be used completely free of wire, to do transfers. It has an on-board SD card slot, 2 TB capacities and a USB 3.0 support. However, the connections available for wired connectivity are type-A and B, the type-C port being very visibly absent.

Must Read: 2TB Hard Disks

2. OWC Thunder Bay 4 Mini

Priced close to 50,000 INR, this hard drive offers a huge range of space options as well as lightning speed transfers. However, the drawback comes in the form that it can be used only for Apple systems. The drive comes with options of 1TB, 2TB, 4TB and 8 TB. Two Thunderbolt-2 ports ensure that the extremely “high read and write speed” is well maintained. However, this also means the disk cannot be used with non-thunderbolt devices.

3. Buffalo MiniStation Extreme NFC

At just 8663 INR, the Ministation Extreme is a very enticing product. A very appealing design compounded with NFC security is what makes it so much more desirable than its predecessors. Compatible with both MAC and Windows systems, the drive has USB 3.0 interface and offers a storage space of 2TB. Even though the drive may not be the fastest one available, it makes up for the pitfalls in speed by being extremely user-friendly. On the plus side, the case it comes with is dust and waterproof as well.

4. Western Digital My Passport

The 4TB MyPassport offered by Amazon at 9,390 INR has great data transfer speeds and storage space for that price. Added features enabling cloud storage are available with this model. The storage size options start from 1TB – 4TB. Based on HDD’s you will get a high level of performance from the drive.

5.  Adata SD700 External SSD

The Adata SD700 boasts IP68 Rating and very high transfer speed. The disk in and of itself is very sturdy and comes to a maximum capacity of 1TB, which is all you need from a drive using SSD. All your needs will be taken care of by this drive at a very much affordable price beginning from 11,258 INR on Amazon.

It is important to find the right hard disk. However, it becomes increasingly difficult for us to figure out one that hits all the right notes. Not only regarding the features, but also the price and durability.

Experty ICO hacked ! Hacker tricked participants and received $120k+ in less than 15 hours

I have been investing ( wasting ) a lot of time in understanding crypto currency and everything involved with it. Yes by now i know the meaning of HODL, FUD, FOMO etc. Also I ended up creating a facebook group called : TheCoinMill where we help people get started with crypto currency.

After getting involved in it for few months call i can say is that in 2018 ICOs ( Initial Coin Offerings )  will become the next big thing and why not ? its beneficial for companies to get started by getting crowd fund and also it is beneficial for investors too. Here in ICOs anyone can invest from as little as $10 to and amount that you can afford.

Here are the details of few ICOs which gave excellent Returns in 2017 :

1. WABI - almost 21 times reutns in about 1 month. Means if you would have invested Rs 10,000 you would have got Rs 2.1 lacs in 1 month

2. ICON - 100 times  returns in 3 months. Do the calculation yourself.

Now because of all these reasons a lot of people are getting into ICOs as it is quick money ( most of the time ). I agree there are lot of scams going on in the name of ICO but these days we have experts who help people choose the genuine one.

One such ICO was Experty ICO. Here is a video which explains what they are trying to do

Now this ICO is a genuine one with an excellent team and roadmap. They have their sale on 31st January and they have a goal to rise $10,000,000. They earned a good reputation in the market and got around 20,000 members in their official telegram group.

But something terrible happened last night. Hackers hacked their server and they got access to details of all the participants who whitelisted to their ICO. 

The Impact

Generally when we take part in ICOs we need to first whitelist our-self where we need to give our name, email ID, password, ETH address where we will receive the tokens, Passport copy etc

When experty's website got hacked hackers got all the above mentioned details of all participants. Today they started sending mails to all the registered participants where they asked them to send their ETH to a specific address in order to take part in ICO. This address belonged to the Hacker and not Experty. Most of the participants believed it as it looked genuine and everyone started sending ETH to this address.

email with ETH address sent by the hacker to participants

In the last 12 hours the address ( hacker's address ) received almost 108 ETH which is almost $120,000

Hacker's ETH address : https://etherscan.io/address/0x82744Ba0766bDEe409885C2186c44A4A73b0c97F

This is something we really need to worry about. As ICOs are getting popular, a lot of scammers and hackers are getting into it as it is easy to scam people here. The biggest problem is that all these transactions happens in cryptocurrencies so it is almost impossible to catch the hacker and this is the reason why many scams takes place.

Also Companies doing ICOs should take these things seriously because it is seen that most of the time their sites are not that secure . They aim to get million dollars from ICOs but don't spend money in security and other stuffs. We have seen during TheKey ICO how they fail to handle traffic during the sale and their website was down for more than 10 hours during the sale. People give away their personal details like copy of passport, phone number etc so if these information are compromised then people might face a lot of trouble in future.