A vulnerability that would have enabled a hacker to completely bypass the authentication system in PayPal has been patched, resulting in a $10,000 bounty for the white-hat that found it.
Worth every penny, too: the flaw put 150 million PayPal customers in danger of having their accounts hijacked with a low-effort, simple gambit.
The flaw was publicly disclosed by Egyptian researcher Yasser Ali after he found a critical weakness in the cross-site request forgery (CSRF) prevention system implemented by PayPal. A CSRF token is meant to be unpredictable and bound to the current session or request, so that a page on another site cannot forge an authorized request, and PayPal's token does change with every request a user makes. But Ali found that the 'CSRF Auth' token was tied to a specific user email address or username rather than to the session, and could be reused: an attacker who captured a token for a victim's account could replay it to authorize requests against that logged-in user's account.
Ali detailed how the vulnerability could be exploited in a blog post. The essential problem is that CSRF Auth is checked on every request, but its validity depends only on the user it was issued for, not on the session that obtained it. If an attacker who is not logged in makes a 'send money' request, PayPal asks for an email and password. Entering the victim's email with any password, valid or not, produces a request the attacker can capture, and that request carries a CSRF Auth token that is valid, reusable, and sufficient to authorize requests for that specific user.
From there, the next hurdle is the security questions, since an attacker cannot change the victim's password without answering them. This came down to the fact that the process for setting security questions in the first place is not password-protected and can be repeated, so it can simply be initiated again to reset the security questions without providing the password at all.
Taken together, an attacker can conduct a targeted CSRF attack against a PayPal user and take full control of his or her account. The forgeable requests include: add/remove/confirm email address; add fully privileged users to a business account; change security questions; change billing/shipping address; change payment methods; change user settings (notifications/mobile settings).
Given the level of havoc that the exploited flaw could wreak, it’s no wonder that “the vulnerability is patched very fast and PayPal paid me the maximum bounty they give ;),” Ali said.
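The token-binding defect described above, modelled as an added example (constructed code, not PayPal's or Ali's): a CSRF token derived from the user's email is the same for every session and is minted on the login form before the password is checked, so a token captured once replays against the victim's account; beside it sits a per-session random token that is compared in constant time, is never issued on a failed login, and a security-question change that also demands the password. The server secret, the user store, the plaintext password comparison and all function names are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SERVER_SECRET = b"constructed-server-secret"             # assumption: one server-wide key
USERS = {"victim@example.com": "correct horse battery"}  # constructed; real apps store hashes


def weak_csrf_token(email: str) -> str:
    """Token bound to the user, not the session: identical for every login
    of this email, so anyone who obtains it once can replay it."""
    return hmac.new(SERVER_SECRET, email.lower().encode(), hashlib.sha256).hexdigest()


class VulnerableApp:
    """Models the flaw: the token is issued when the login form is submitted,
    before the password is verified, and validated against the email alone."""

    def submit_login_form(self, email: str, password: str) -> str:
        return weak_csrf_token(email)           # password is never consulted

    def authorize(self, email: str, token: str) -> bool:
        return hmac.compare_digest(token, weak_csrf_token(email))

    def set_security_questions(self, email: str, token: str) -> bool:
        return self.authorize(email, token)     # no password re-check


class HardenedApp:
    """Per-session random token kept server-side; sensitive changes re-authenticate."""

    def __init__(self) -> None:
        self.sessions: dict = {}                # session id -> {"email", "csrf"}

    def login(self, email: str, password: str) -> Optional[str]:
        expected = USERS.get(email, "")
        if not hmac.compare_digest(expected.encode(), password.encode()):
            return None                         # nothing is issued on a failed login
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"email": email, "csrf": secrets.token_urlsafe(32)}
        return sid

    def csrf_token(self, sid: str) -> str:
        return self.sessions[sid]["csrf"]

    def authorize(self, sid: str, token: str) -> bool:
        sess = self.sessions.get(sid)
        return sess is not None and hmac.compare_digest(token, sess["csrf"])

    def set_security_questions(self, sid: str, token: str, password: str) -> bool:
        if not self.authorize(sid, token):
            return False
        expected = USERS[self.sessions[sid]["email"]]
        return hmac.compare_digest(expected.encode(), password.encode())


def token_reuse(app: VulnerableApp) -> bool:
    """Two separate login-form submissions with different passwords yield one token."""
    first = app.submit_login_form("victim@example.com", "guess one")
    second = app.submit_login_form("victim@example.com", "guess two")
    return first == second


def attack_vulnerable() -> bool:
    """Attacker, not logged in, submits the victim's email with a bogus
    password, captures the token and replays it to reset security questions."""
    app = VulnerableApp()
    captured = app.submit_login_form("victim@example.com", "not the password")
    return app.set_security_questions("victim@example.com", captured)   # True


def attack_hardened() -> bool:
    """Same attacker against the hardened model. Even granting the worst case
    (the victim's token leaked), no password means no security-question change."""
    app = HardenedApp()
    victim_sid = app.login("victim@example.com", USERS["victim@example.com"])
    if app.login("victim@example.com", "not the password") is not None:
        return True                             # a bogus password must not yield a session
    leaked = app.csrf_token(victim_sid)
    return app.set_security_questions(victim_sid, leaked, "not the password")  # False


if __name__ == "__main__":
    print("token replayable in vulnerable model:", token_reuse(VulnerableApp()))
    print("vulnerable model hijacked:", attack_vulnerable())
    print("hardened model hijacked:", attack_hardened())
```

The two fixes are independent and both matter: a token that is random per session and stored server-side cannot be obtained by submitting someone else's email, and requiring the password again for account-recovery settings means that even a token that does leak cannot be turned into a takeover.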
Archive for the ‘Uncategorized’ Category
Posted by Anonymous on December 9, 2014
Posted by Anonymous on November 11, 2014
Posted by Anonymous on November 11, 2014
Posted by Anonymous on October 24, 2014
A sceptic of traditional Chinese medicine is challenging practitioners of the age-old craft to prove themselves by putting his own money on the line. One has accepted the challenge. At stake is the claim that practitioners can discern whether a woman is pregnant by her pulse.
Traditional Chinese medicine (TCM) is a point of contention in China. Although the government is keen to promote its use in the clinic and, in modernized form, as part of drug discovery, some feel that much of it is unproven and that the government is throwing its money away. There have also been high-profile cases of fraud linked to such research, and the practice is criticized for its dependence on endangered species such as the Saiga antelope (Saiga tatarica).
Ah Bao, the online nickname of a burn-care doctor at Beijing Jishuitan hospital, has been an adamant critic of TCM on Chinese social media, often referring to it as “fake”. He issued the challenge on 13 September, and Zhen Yang, a practitioner at the Beijing University of Traditional Medicine, took him up on it.
Ah Bao put up 50,000 yuan (more than US$8,000), and at his urging others have donated more than 50,000 yuan, making the prize worth more than 100,000 yuan in total. Ah Bao turned down Nature's request to be interviewed, saying that he has been overwhelmed by media attention.
Yang will have to assess with 80% accuracy whether women are pregnant. The two are reportedly working out the terms of the contest, with a tentative set-up reportedly involving 32 women who would be separated by a screen from Yang.
Having 80% accuracy with 32 attempts would mean getting at least 26 correct (80% of 32 is 25.6). I’m very curious to see how this goes. Rather than subtle energies, there is a basic difference that might be observed: A typical resting heart rate for a woman is 75 beats per minute and it would be faster, like 80, for a resting pregnant woman. So if the TCM doctor selects any woman over 79 BPM, would that net 80% correct choices? It might, depending on the variability. There may be considerable haggling over the pool having other conditions, their fitness, etc.
Posted by Anonymous on October 13, 2014
Americans should be “deeply skeptical” of government power, says FBI Director James Comey, adding that law enforcement should be able to access someone’s telephone only with a court order.
“I believe that Americans should be deeply skeptical of government power,” Comey told CBS News’ Scott Pelley in an interview for “60 Minutes” that will air on Sunday. “You cannot trust people in power.
“The Founders knew that,” he said. “That’s why they divided power among three branches, to set interest against interest.”
Comey, 53, who became FBI chief in September 2013, cautioned that courts must grant law-enforcement agencies permission to access telephones if the information is deemed to be critical to a criminal case or national security.
His comments come in light of numerous leaks since last year by former NSA contractor Edward Snowden revealing that agency’s extensive telephone and Internet surveillance programs, and of the cell phones introduced last month by Apple Inc. that were designed to resist surveillance by law enforcement.
Apple’s new iOS 8 operating system for its phones and other devices encrypts stored data with a key tied to the owner’s passcode, so that no one but the phone’s owner can unlock it. Apple itself will not be able to access the data, Arstechnica.com reports.
“The notion that we would market devices that would allow someone to place themselves beyond the law, troubles me a lot,” Comey said. “As a country, I don’t know why we would want to put people beyond the law.
“That is, sell cars with trunks that couldn’t ever be opened by law enforcement with a court order, or sell an apartment that could never be entered even by law enforcement,” he continued. “Would you want to live in that neighborhood? This is a similar concern.
“The notion that people have devices, again, that with court orders — based on a showing of probable cause in a case involving kidnapping or child exploitation or terrorism — we could never open that phone?” Comey asked. “My sense is that we’ve gone too far when we’ve gone there.”
Awesome. Let’s get back to checks and balances that work.
Posted by Anonymous on October 7, 2014
Organ by organ, we are learning how to regenerate body parts. Lab-grown vaginas are already a success, as I previously posted. Now there’s this:
The engineered penises were developed by researchers at the Wake Forest Institute for Regenerative Medicine in North Carolina, USA, and are currently awaiting approval to be tested on humans.
The work is funded by the US Armed Forces Institute of Regenerative Medicine, which hopes to use the technology to help soldiers with battlefield injuries. Professor Anthony Atala, director of the institute, told the Observer the target is to get the organs into patients with injuries or congenital abnormalities. The penises would be grown using a patient’s own cells to avoid the risk of immunological rejection after organ transplantation.
Atala previously led a successful project engineering penises for rabbits in 2008. The previous work on rabbits showed that once the tissue was there the body recognises it as its own.
Who will make history by becoming the first joker to add on a second real penis for reasons of … entertainment? It will happen.
Posted by Anonymous on October 1, 2014
A man who took a commercial flight from Liberia that landed in Dallas on Sept. 20 has been found to have the Ebola virus, the Centers for Disease Control and Prevention reported on Tuesday. He is the first traveler to have brought the virus to the United States on a passenger plane and the first in whom Ebola has been diagnosed outside of Africa.
As the disease has swept across West Africa, many health experts said it would be only a matter of time before it reached the United States. Hospitals and health departments around the country have been preparing for it, and a number of false alarms have occurred. But this time, the case is real.
The man, who was visiting relatives in the United States, was not ill during the flight, health officials said at a news conference Tuesday evening. Indeed, he was screened before he boarded the flight and had no fever. Because Ebola is not contagious until symptoms develop, there is “zero chance” that the patient infected anyone else on the flight, said Dr. Thomas R. Frieden, director of the disease centers. Ebola is spread only by direct contact with body fluids from someone who is ill.
The plan to bring two Americans stricken by the Ebola virus back to the United States for treatment has sparked a backlash on social media from some people terrified that the incurable disease will spread here as it has in western Africa.
“Stop the EBOLA patients from entering the U.S.,” Donald Trump tweeted Friday. “Treat them, at the highest level, over there. THE UNITED STATES HAS ENOUGH PROBLEMS!”
This mystifies infectious disease experts, who consider the viruses that cause Middle East Respiratory Syndrome (MERS) and bird flu much more contagious — and therefore more dangerous to the public. Transmission of Ebola requires direct contact with an infected person’s blood, vomit or feces during the period that he or she is contagious, something that is extremely unlikely for anyone but health-care workers. The virus is not spread by coughing or sneezing. Nor do Americans bury their own dead family members or friends, as some residents of Sierra Leone, Liberia and Guinea must do with Ebola victims.
Posted by Anonymous on March 8, 2014
Earth can raise shields to protect itself against solar storms. For the first time, satellites and ground-based detectors have watched as the planet sends out a tendril of plasma to fight off blasts of charged solar matter. The discovery confirms a long-standing theory about Earth’s magnetic surroundings and offers us a way to keep track of the planet’s defences.
“It’s changed our thinking about how the system operates,” says Joe Borovsky at the Space Science Institute in Boulder, Colorado, who was not involved in the research. “Earth doesn’t just sit there and take whatever the solar wind gives it, it can actually fight back.”
Earth is always surrounded by a bubble of magnetism called the magnetosphere, which protects us from the bulk of the solar wind, a stream of high-energy particles constantly flowing from the sun.
But sometimes, the sun’s magnetic field lines can directly link up with Earth’s in a process called magnetic reconnection, which opens up cracks in the magnetosphere. Charged particles can flow along these lines into Earth’s atmosphere, leading to dazzling auroras as well as geomagnetic storms that can wreak havoc on navigation systems and power grids.
Gas in Earth’s upper atmosphere is ionised by ultraviolet light from the sun, and the resulting plasma becomes trapped by magnetic fields in a doughnut-shaped ring around the planet. Previous observations of this plasmasphere showed that plumes sometimes emerge from this region.
Theory had suggested that an extra-strong electric field from the sun can rip plasma away from the plasmasphere during reconnection, triggering a plume. If this plume reaches the boundary between the earthly and solar magnetic fields, it would create a buffer zone of dense material. This would make it harder for magnetic field lines to meet up and spark further reconnection.
But while ground-based measurements can see a plume forming, their resolution isn’t good enough to tell for sure whether the material reaches the magnetic boundary.
Brian Walsh at NASA’s Goddard Space Flight Center in Greenbelt, Maryland, and his colleagues have now clinched it. In January 2013, GPS sensors on the ground mapped electrons in the upper atmosphere and saw a tendril of increased electron density curling away from the north pole, indicating that a plume of plasma was veering off towards the sun.
At the same time, three of NASA’s THEMIS spacecraft, which are designed to study solar storms, crossed through the magnetic boundary during the event. The craft saw a 100-fold increase in the number of electrons at the boundary, which would probably have been deposited by the plume.
“For the first time, we were able to monitor the entire cycle of this plasma stretching from the atmosphere to the boundary between Earth’s magnetic field and the sun’s,” says Walsh. “It gets to that boundary and helps protect us, keeps these solar storms from slamming into us.”
Awesome, Earth. Good job.
Posted by Anonymous on March 1, 2014
A British man accused of hacking into U.S. government computer networks was charged in a new indictment unsealed Thursday with infiltrating the Federal Reserve’s computers.
Lauri Love, 28, of Stradishall, England, was charged with computer hacking and aggravated identity theft, which carry a potential penalty of up to 12 years in prison. He initially was arrested in Britain in October and released on bail after he was charged under a United Kingdom law that permits the arrest of anyone who starts attacks from the U.K. on computers anywhere in the world.
U.S. authorities in the fall had said Love cost the U.S. government millions of dollars by hacking into the computer systems of various agencies, including the U.S. Army, NASA and the Environmental Protection Agency. Those charges were brought in federal court in Newark, New Jersey. He also faced federal charges in Virginia for other alleged intrusions.
In the latest case, prosecutors said Love broke into the Federal Reserve network between October 2012 and February 2013 and then posted on a website the names, email addresses and phone numbers of users of the Federal Reserve computer system.
His lawyer did not immediately respond to a comment request.
“Cybercrime knows no boundaries, and justice will not stop at international borders,” said George Venizelos, head of the New York office of the FBI.
U.S. Attorney Preet Bharara said Love was “a sophisticated hacker who broke into Federal Reserve computers, stole sensitive personal information, and made it widely available, leaving people vulnerable to malicious use of that information.”
According to the indictment, Love bragged to other hackers in December 2012 that he controlled the server for the Federal Reserve Bank of Chicago. Using the moniker “peace,” Love told others in a chat room that he had “shelled,” or infiltrated, the Federal Reserve computer system and that he controlled several Federal Reserve websites, the indictment said.
It said he discussed possibly defacing the Federal Reserve website and sending fake emails to users of the Federal Reserve computer system.
The indictment said he informed other chat room members in February 2013 that he planned to publicly disseminate Federal Reserve computer system users’ passwords and phone numbers.
Then, it said, he later announced to his online chat room friends that he was about to “drop another little federal reserve bomb” by disclosing additional passwords and phone numbers. …
Isn’t it the last straw when the U.S. Government wants to put Love in prison? :-/
Posted by Anonymous on February 27, 2014
Prepare for the UFO invasion folks. Darklore contributor Nigel Watson has uncovered a plot to fill our skies with illuminated flying craft, though the provenance is far from extraterrestrial – it’s a prank being designed by remote-control (RC) aircraft enthusiasts. Via Yahoo News:
Dozens of volunteers around the world have signed up for what may be the biggest prank in history – using decades of knowledge of ‘UFO sightings’ to time the launch perfectly.
The ‘aliens’ will be strips of LED lights, on remote-controlled multi-rotor drone aircraft – launched at 8pm, so there are plenty of people to see the ‘invaders’, and held at a distance where it’s difficult to see what’s behind the glowing lights.
Nigel Watson, author of the Haynes UFO Investigations Manual, found plans to “cause a wave of UFO sightings around the world and an apocalypse-like idea in the media” on forums frequented by drone fans.
Watson says, “‘The Big UFO Project’ was originally scheduled to run on April Fool’s Day, but they have changed it to 05 April 2014 so that it will not seem like an obvious prank. Anyone who has a multirotor drone (pictured below) or anything that can carry a strip of LED lights and hover is invited to join in this event.”
I was pointed to discussion about the project on a remote-controlled aircraft forum a few days ago, though since the plan has made mainstream news the thread has been locked down (it can still be found for now in Google’s cache).
So, if any aliens *are* actually out there: April 5th would be a really good night to scout around without any witnesses being taken seriously…
There are many ways you can join in the fun, like this one:
Great night for military operations or actual aliens to make a move under cover of the fake UFO invasion. Stay alert for sightings and events not easily explained as RC craft, Chinese lanterns, kites with lights, etc.
Something at high altitude that streaks across the entire sky at high speed, maneuvers, comes to an abrupt stop, then streaks off at an incredible speed would still be of interest. Especially if it levitates a cow. Even a small cow.