Replicate Real-world Security Vulnerabilities with HackerOne Sandboxes for Free

The popular bug bounty platform HackerOne is known for helping the community learn new skills and for helping beginners get started. It already runs Hacker101, where anyone can learn about security for free. Recently HackerOne partnered with the cyber security training company HackEDU and released five sandbox environments modeled after popular security bugs reported through its platform.

It's a very good step on their part: most of the time when we are learning we don't get anything like this, and trying things out on live websites is always a risk.

All five hackboxes they developed are very interactive and guide you throughout.

Here are the five hackboxes:

1. Worm Clickjacking in Twitter

This hackbox replicates a wormable clickjacking attack via playcards that was reported to Twitter in May 2018. You can access it here.

2. XXE flaw in Semrush

This hackbox challenges users to reproduce an XML External Entity (XXE) injection that could be exploited to read arbitrary files from a server. The flaw was reported to SEMrush in March 2018. You can access it here.

3. Command Injection attack in Imgur

The third hackbox has you try to take control of a server using a command injection attack. The real vulnerability was discovered in Imgur and reported in April 2017.

4. SQL Injection in Grabtaxi

This flaw is a SQL injection that was discovered in Grabtaxi back in November 2017.

5. XSS in HackerOne

The final hackbox is about a cross-site scripting issue in a third-party component used by HackerOne to manage contact forms, which was disclosed in August 2017.

The main purpose of these demos is to provide a safe and legal way to practice real-world hacking techniques. The best part is that each one comes with an explanation of how the bug works and guides the user through exploiting it.
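The Semrush hackbox above is about XXE, where a parser that resolves external entities can be made to splice a local file into the document. The following is an added example, not code from HackerOne, HackEDU or the Semrush report, showing the vulnerable parser configuration next to the hardened one using only Python's standard library; the secret file, its contents and the payload are constructed here. The `xxe_demo` function doubles as the kind of regression test a developer can keep in a test suite to prove their parser does not resolve external entities.

```python
"""Vulnerable vs. hardened XML parsing (XXE), standard library only."""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collects all character data of the parsed document."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_text(xml_bytes, resolve_external_entities):
    """Parse untrusted XML bytes and return their text content.

    resolve_external_entities=True reproduces the vulnerable configuration:
    a SYSTEM entity is read from the local filesystem (or fetched over the
    network) and spliced into the document. False is the hardened setting,
    which is also xml.sax's default.
    """
    parser = xml.sax.make_parser()
    collector = TextCollector()
    parser.setContentHandler(collector)
    # feature_external_ges controls resolution of external general entities
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts).strip()


def xxe_demo():
    """Create a constructed secret file, build a payload whose entity points
    at it, and parse it both ways. Returns (vulnerable_output, hardened_output)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("CONSTRUCTED-SECRET")  # stand-in for a real server-side file
        secret_path = f.name
    try:
        # constructed payload: the entity declaration references the local file
        payload = (
            '<?xml version="1.0"?>\n'
            '<!DOCTYPE order [<!ENTITY ext SYSTEM "%s">]>\n'
            '<order><note>&ext;</note></order>' % secret_path
        ).encode()
        vulnerable = parse_text(payload, resolve_external_entities=True)
        hardened = parse_text(payload, resolve_external_entities=False)
        return vulnerable, hardened
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    leaked, safe = xxe_demo()
    print("vulnerable parser returned: %r" % leaked)
    print("hardened parser returned:   %r" % safe)
```

The hardened call returns an empty string because the entity is simply not expanded; in a real service the safer choice is to reject any document that carries a DOCTYPE at all, since inline DTDs are also the vector for entity-expansion denial of service.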

Freelancers on Fiverr and other platforms are baited with job offers to download malware

Fiverr and similar platforms are among the most popular freelancer marketplaces on the internet. Thousands of people visit them to find work or get their work done. And wherever a lot of people gather, hackers make it their target. Cybercriminals are targeting freelancers in a new malware campaign that sends malicious macros disguised as job offers.

Security researchers at MalwareHunterTeam have discovered a new piece of malware that is targeting freelancers.

In one example, the threat actors sent an email asking the intended victim to check the attached document and then get back to them with a "cost and time frame", while in another the threat actor sent a document entitled "My details.doc", which also contained malware.

Once the document is opened, the recipient is asked to enable macros, which act as the malware dropper. MalwareHunterTeam has urged users to refrain from enabling macros and to keep their anti-virus software active when opening new files. For instance, one of the victims who had anti-virus software enabled was able to detect the malicious document.

Here is how the Gentoo Linux GitHub account was hacked

If you read a lot of infosec news, I'm sure you have heard that the official GitHub account of the popular Linux distribution Gentoo was hacked last week. After taking over the account, the hacker changed some code and added malicious scripts that delete all of the user's files.

Gentoo is a free operating system with precompiled binaries, and it is ideal as a secure server, development workstation, professional desktop, gaming system or embedded solution.

The incident took place on 28 June 2018 at approximately 20:20 UTC, and Gentoo regained control by 23:10 UTC the same day.

According to Gentoo, the hack did not affect the code hosted on Gentoo's own infrastructure: the code hosted on GitHub is only a mirror, and the primary repositories were not compromised.

How did they get hacked?

Gentoo developers have revealed that the attackers were able to gain administrative privileges for its GitHub account after guessing the account password. It's 2018, and I don't know why organisations like Gentoo do not use two-factor authentication.

The organisation could have been spared if it had been using two-factor authentication, which requires an additional passcode besides the password in order to gain access to the account.

Steps taken to prevent future attacks

After this incident, Gentoo took the following steps to protect itself from future attacks:

  • Making frequent backups of its GitHub Organization.
  • Enabling two-factor authentication by default in Gentoo's GitHub Organization, which will eventually come to all users of the project's repositories.
  • Working on an incident response plan, particularly for sharing information about a security incident with users.
  • Tightening up procedures around credential revocation.
  • Reducing the number of users with elevated privileges, auditing logins, and publishing password policies that mandate password managers.
  • Introducing support for hardware-based 2FA for Gentoo developers.
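Two of the steps above, enforcing 2FA and reducing the number of users with elevated privileges, can be checked continuously rather than once. The following is an added example, not Gentoo's own tooling, that evaluates a GitHub organization's membership. It assumes the data comes from the GitHub REST API's organization members endpoint, queried once with `role=admin` (the owners) and once with `filter=2fa_disabled` (members without 2FA); both query parameters exist, but the two JSON responses below are constructed stand-ins so the check runs offline, and the `max_admins` threshold is an assumed policy value.

```python
"""Audit a GitHub organization for owners without 2FA and for privilege sprawl."""
import json

# Constructed stand-in for GET /orgs/{org}/members?role=admin
ADMINS_JSON = json.dumps([
    {"login": "alice", "type": "User"},
    {"login": "bob", "type": "User"},
    {"login": "carol", "type": "User"},
    {"login": "dave", "type": "User"},
])

# Constructed stand-in for GET /orgs/{org}/members?filter=2fa_disabled
NO_2FA_JSON = json.dumps([
    {"login": "bob", "type": "User"},
    {"login": "erin", "type": "User"},
])


def audit_org(admins_json, no_2fa_json, max_admins=3):
    """Return the findings a security team would act on.

    admins_json / no_2fa_json: raw JSON bodies of the two API calls.
    max_admins: assumed policy limit on how many owners an org should have.
    """
    admins = {m["login"] for m in json.loads(admins_json)}
    no_2fa = {m["login"] for m in json.loads(no_2fa_json)}
    return {
        # the worst case: an account that can change org settings and is
        # protected by a guessable password alone
        "admins_without_2fa": sorted(admins & no_2fa),
        "members_without_2fa": sorted(no_2fa - admins),
        "admin_count": len(admins),
        "too_many_admins": len(admins) > max_admins,
    }


def is_compliant(findings):
    """True only when no owner lacks 2FA and the owner count is within policy."""
    return not findings["admins_without_2fa"] and not findings["too_many_admins"]


if __name__ == "__main__":
    result = audit_org(ADMINS_JSON, NO_2FA_JSON)
    print(json.dumps(result, indent=2))
    print("compliant:", is_compliant(result))
```

Once the organization setting "require two-factor authentication" is enabled, the `2fa_disabled` list should stay empty; the admin-count check is the part that still needs a human decision.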

PoC code published for instant Blue Screen of Death [flaw unfixed]

If you are a Windows user, I'm sure you are familiar with the Blue Screen of Death. A Romanian hardware expert has published proof-of-concept code that crashes most Windows computers within seconds, even if the computer is locked.

The code exploits a vulnerability in Microsoft's handling of NTFS filesystem images and was discovered by Marius Tivadar, a security researcher with Bitdefender.

Affected Systems

1. Windows 7 Enterprise
2. Windows 10 Pro
3. Windows 10 Enterprise

The researcher only tested on the systems listed above, so there is a high chance that other versions are affected as well.

What exactly is the flaw?

The PoC contains a malformed NTFS image that can be written to a USB thumb drive. Inserting this thumb drive into a Windows computer crashes the system within seconds, resulting in a Blue Screen of Death (BSOD).

"Auto-play is activated by default," Tivadar wrote in a PDF document detailing the bug and its impact.

"Even with auto-play [is] disabled, [the] system will crash when the file is accessed. This can be done for [example,] when Windows Defender scans the USB stick, or any other tool opening it."

Microsoft declined to fix it!

Yes, you read that right: Microsoft declined to fix the flaw, stating that it requires physical access or social engineering. Tivadar contacted Microsoft about the issue in July 2017, but published the PoC code today after the OS maker declined to classify the issue as a security bug. What makes it more dangerous is that it works even when the PC is locked. So imagine locking your system and going somewhere, hoping no one can access or damage your PC; someone can come along, plug in their pendrive and crash your system completely.

"I strongly believe that this behavior should be changed, [and] no USB stick/volume should be mounted when the system is locked," the researcher said. "Generally speaking, no driver should be loaded, no code should get executed when the system is locked and external peripherals are inserted into the machine."

Online stores based on Magento hacked to steal card data, run cryptojacking scripts

Security researchers have identified more than 1,000 Magento sites that have been hacked and infected with malicious scripts that can be used to steal credit card data, deliver malware or run cryptomining scripts.

"The Magento sites are being compromised through brute-force attacks using common and known default Magento credentials," Flashpoint researchers say.

How did the hacking take place?

When users install Magento they get default credentials, and in most cases a brute-force attack against them was used to compromise the sites. Once attackers gained access to a site, researchers say they observed three main patterns of malicious activity.

The most common practice is to insert malicious code into Magento core files, code that logs payment card information entered during the checkout process. Such malware is called a card scraper, and users should expect to find one on any e-commerce store that looks to have missed a few updates.
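Because a card scraper lives in modified core files, the standard defence is file integrity monitoring: hash the application tree once from a known-good state and diff it on every run. The following is an added example, not Flashpoint's or Magento's own code, that builds a SHA-256 manifest and reports modified, added and missing files. It runs against a constructed temporary directory with made-up file names and contents that only mimic a store layout.

```python
"""File integrity check for a web application tree (baseline manifest vs. current state)."""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                manifest[rel] = hashlib.sha256(f.read()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Compare two manifests; any non-empty bucket deserves an alert."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }


def _write(root, rel, text):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def integrity_demo():
    """Simulate a clean install, take a baseline, tamper with it, and diff.

    Paths and contents are constructed stand-ins, not real Magento sources.
    """
    with tempfile.TemporaryDirectory() as root:
        _write(root, "app/code/core/Mage/Checkout/controllers/OnepageController.php",
               "<?php // constructed stand-in for a checkout controller\n")
        _write(root, "app/etc/local.xml", "<config><!-- constructed --></config>\n")
        _write(root, "index.php", "<?php // constructed front controller\n")
        baseline = hash_tree(root)

        # tampering: an appended snippet in a core file and a new JS file
        _write(root, "app/code/core/Mage/Checkout/controllers/OnepageController.php",
               "<?php // constructed stand-in for a checkout controller\n"
               "// CONSTRUCTED: extra code appended by an attacker would go here\n")
        _write(root, "skin/frontend/default/default/js/stats.js",
               "// CONSTRUCTED: unexpected new script\n")
        current = hash_tree(root)
        return diff_manifests(baseline, current)


if __name__ == "__main__":
    for bucket, paths in integrity_demo().items():
        print("%-9s %s" % (bucket + ":", ", ".join(paths) or "(none)"))
```

In production the baseline must be stored off the web host (or signed), otherwise an attacker with write access to the tree can rewrite the manifest along with the files.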

Second, attackers also deploy cryptojacking scripts that mine Monero on the computers of store visitors, a practice that has become quite common these days, across all sites, not just Magento stores.

Last but not least, hackers also use the compromised Magento stores to redirect some visitors to malicious sites that attempt to trick them into downloading and installing malware. According to the cases investigated by Flashpoint researchers, the most prevalent tactic was to redirect users to sites offering phony Adobe Flash Player update packages, which infect users with the AZORult infostealer.

3 Interesting Ways Screen Recording Can Be Used

Simply put, screen recording lets you record a video of whatever is on your screen. More often than not such recordings are associated with video guides, tutorials or demonstrations of digital products, but there are many other interesting ways in which they can be used as well.

If you want to explore the potential of screen recording, here are a few things that you should start with:

  • ‘Download’ online streaming videos
Nowadays online streaming videos are practically everywhere from social media to websites, video sharing platform, and even video-on-demand services. Very few platforms provide a way for their videos to be ‘downloaded’ however, which means that you need to be online to watch them and can’t transfer the videos to other devices. By using screen recording, you can record any online streaming videos from your screen – then save it and do with it as you please.

  • Save video calls
Between Skype, Facebook Messenger, Google Hangouts and other platforms, video calling has grown in popularity. Unfortunately most platforms don’t let you ‘save’ your calls – so you can’t refer to them or use their content once the call is done. If you record the call while it is on your screen however, you can save it – which can be extremely useful particularly if you conduct business meetings over video calls.

  • Record live or temporary content
Two of the most popular new types of content to appear online are ‘live’ video streams as well as temporary content that vanishes after a fixed duration (normally 24 hours or less). Being able to record your screen will give you the means to record that content, so you don’t miss out and can save it to watch at any point.

If you would like to use screen recording in any of the ways listed above, you should try Movavi Screen Recorder, because it will let you record any video you want from your screen, allowing you to effectively 'download' online streaming videos, save video calls or record live or temporary content.

Although at first you might feel that learning how to download movies from Netflix or using Movavi Screen Recorder to perform any of the other tasks listed above is complicated, nothing could be further from the truth. Even if you’ve never used it or any other screen recorder in the past, you should be able to set up and start recording your movie in just a couple of minutes.

Not only should you be able to set up Movavi Screen Recorder easily, but you can also use its features to fully adjust the recording parameters, which opens up even more possibilities. In short, you should definitely try it out and see for yourself how it can be used.