Facebook Introduced Open Source Detection Tool For Windows.


Facebook successfully ported its SQL-powered detection tool, osquery, to Windows this week, giving users a free and open source method to monitor networks and diagnose problems.

The framework, which converts operating systems to relational databases, allows users to write SQL-based queries to detect intrusions and other types of malicious activity across networks.

Facebook debuted the open source tool in 2014 as cross-platform, but for the last two years it was only supported on Ubuntu, CentOS, and Mac OS X operating systems. Facebook isn’t the biggest Windows shop, but the company confirmed in March that because so many users were asking for it, it was building a version of the tool for Windows 10.

The tool represents operating system concepts such as running processes, loaded kernel modules and open network connections as SQL tables, which makes the data easier to query and visualize. Nick Anderson, a security engineer at Facebook who announced the news on Tuesday, said the security team regularly uses the framework to gather information on browser extensions used on its corporate network. The tool makes it easier for them to single out and remove malicious extensions.
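As an added example (not osquery's own code or the article's), the kind of extension inventory query the paragraph describes, written against osquery's chrome_extensions and users tables: one query finds extensions missing from an allowlist, the other finds extensions that do not update from the Chrome Web Store. The allowlist identifiers and the sample rows are constructed, and an in-memory SQLite database stands in for osquery so the queries run offline; the same SQL can be pasted into osqueryi.

```python
import sqlite3

# Column set shared by the queries below (a subset of osquery's schema).
COLUMNS = ("username", "name", "identifier", "version", "update_url", "path")

# osquery populates chrome_extensions per user, so it must be joined to the
# users table on uid to return rows; every query below starts from this join.
BASE_SQL = """
SELECT u.username, ce.name, ce.identifier, ce.version, ce.update_url, ce.path
FROM chrome_extensions AS ce
JOIN users AS u USING (uid)
"""

# Constructed allowlist of extension identifiers (placeholders, not real ids).
APPROVED_IDENTIFIERS = (
    "approvedextensionaaaaaaaaaaaaaaa",
    "approvedextensionbbbbbbbbbbbbbbb",
)

# Extensions installed from the Chrome Web Store report this update URL;
# anything else was sideloaded or points at a third-party update server.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def _rows(con, sql, params=()):
    return [dict(zip(COLUMNS, row)) for row in con.execute(sql, params)]


def find_unapproved_extensions(con, approved=APPROVED_IDENTIFIERS):
    """Return extensions whose identifier is not on the allowlist."""
    placeholders = ",".join("?" * len(approved))
    sql = BASE_SQL + (
        "WHERE ce.identifier NOT IN (%s) ORDER BY u.username, ce.name" % placeholders
    )
    return _rows(con, sql, approved)


def find_non_webstore_extensions(con):
    """Return extensions that do not update from the Chrome Web Store."""
    sql = BASE_SQL + (
        "WHERE ce.update_url IS NULL OR ce.update_url != ? "
        "ORDER BY u.username, ce.name"
    )
    return _rows(con, sql, (WEBSTORE_UPDATE_URL,))


def build_stand_in_database():
    """In-memory SQLite copy of the two osquery tables, filled with constructed
    rows, so the queries can be exercised here without osquery installed."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (uid INTEGER, username TEXT);
        CREATE TABLE chrome_extensions (
            uid INTEGER, name TEXT, identifier TEXT, version TEXT,
            update_url TEXT, path TEXT);
    """)
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [(1001, "alice"), (1002, "bob")])
    ext_dir = "/home/%s/.config/google-chrome/Default/Extensions/%s/%s"
    con.executemany(
        "INSERT INTO chrome_extensions VALUES (?, ?, ?, ?, ?, ?)",
        [
            (1001, "Ad Blocker", "approvedextensionaaaaaaaaaaaaaaa", "1.4.2",
             WEBSTORE_UPDATE_URL,
             ext_dir % ("alice", "approvedextensionaaaaaaaaaaaaaaa", "1.4.2")),
            (1001, "Coupon Helper", "unknownextensioncccccccccccccccc", "0.9",
             "http://updates.example.test/coupon.xml",
             ext_dir % ("alice", "unknownextensioncccccccccccccccc", "0.9")),
            (1002, "Password Manager", "approvedextensionbbbbbbbbbbbbbbb", "3.0.1",
             WEBSTORE_UPDATE_URL,
             ext_dir % ("bob", "approvedextensionbbbbbbbbbbbbbbb", "3.0.1")),
            (1002, "PDF Tools", "unknownextensiondddddddddddddddd", "2.2",
             WEBSTORE_UPDATE_URL,
             ext_dir % ("bob", "unknownextensiondddddddddddddddd", "2.2")),
        ])
    return con


if __name__ == "__main__":
    db = build_stand_in_database()
    for hit in find_unapproved_extensions(db):
        print("not on allowlist:", hit["username"], hit["name"], hit["identifier"])
    for hit in find_non_webstore_extensions(db):
        print("non-webstore update_url:", hit["username"], hit["name"], hit["update_url"])
```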

“As adoption for osquery grew, a strong and active community emerged in support of a more open approach to security,” Anderson wrote, “We saw the long-held misconception of ‘security by obscurity’ fall away as people started sharing tooling and experiences with other members of the community.”


Mike Arpaia, a former Facebook engineer who worked on osquery’s development team, announced initial plans for the Windows osquery version in March and promised it would have cross-platform support, a monitoring daemon, and an active development system. Arpaia left Facebook this summer and co-founded Kolide, a Boston-based startup that uses osquery to help companies better monitor their infrastructure.


These are Top 10 Stupid Passwords Used to Hijack IoT Devices


Malware targeting Internet of Things or IoT devices is becoming more and more prevalent, with new families discovered every month, all working in the same way.

IoT malware, which usually targets the various Linux flavors used to power these devices, is rarely a danger to the people or companies behind the devices themselves, but rather to everyone else.

All IoT malware discovered in the past two years has been seen doing the same thing. The infection starts with a crook or automated service employing brute-force attacks, trying to guess the IoT device’s admin password by trying thousands of username-password combinations.

If users haven’t changed their device’s default credentials, then crooks usually get access to the device after a few seconds. At this point, the malware alters the device by adding special code to communicate with one of its command and control servers, ensnaring it into a worldwide botnet, mainly used to execute DDoS attacks, relay proxy traffic for crooks, and brute-force other IoT devices.

In August, Kaspersky discovered that Linux-based botnets had become the most popular DDoS botnets on the market.

Only in targeted attacks will you see someone use an IoT device as a pivot point inside a network; in the vast majority of cases, IoT devices are used as bots for DDoS attacks.

All of this is simplified by device owners who don’t secure their devices with custom passwords. According to Symantec, the table below shows the most often encountered passwords in IoT devices around the world.

Top usernames    Top passwords
root             admin
admin            root
DUP root         123456
ubnt             12345
access           ubnt
DUP admin        password
test             1234
oracle           test
postgres         qwerty
pi               raspberry

As you can see for yourself, most are easy guesses and are the standard passwords for equipment running on Raspberry Pi platforms, Ubuntu, or others.
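Constructed example, not from the article or Symantec: detection logic for the brute-force pattern described above (many failed logins from one source in a short window, followed by a success), run over a few constructed login-log lines. The log format and the telnetd service name are assumptions; the username set comes from the table above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Usernames from the Symantec top-10 table above (the "DUP" rows collapse to root/admin).
DEFAULT_USERNAMES = {"root", "admin", "ubnt", "access", "test", "oracle", "postgres", "pi"}

# Constructed syslog-style lines from a device's login service (not real data).
# The line format is an assumption; adapt LOG_PATTERN to the device's actual log.
SAMPLE_LOG = """\
2016-09-28T12:00:01 telnetd[311]: login failed for user root from 198.51.100.23
2016-09-28T12:00:02 telnetd[311]: login failed for user admin from 198.51.100.23
2016-09-28T12:00:02 telnetd[311]: login failed for user ubnt from 198.51.100.23
2016-09-28T12:00:03 telnetd[311]: login failed for user root from 198.51.100.23
2016-09-28T12:00:04 telnetd[311]: login failed for user pi from 198.51.100.23
2016-09-28T12:00:05 telnetd[311]: login succeeded for user admin from 198.51.100.23
2016-09-28T12:10:00 telnetd[311]: login failed for user alice from 203.0.113.8
2016-09-28T12:15:00 telnetd[311]: login succeeded for user alice from 203.0.113.8
"""

LOG_PATTERN = re.compile(
    r"^(?P<ts>\S+) \S+: login (?P<result>failed|succeeded) "
    r"for user (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, result, user, source) for each line that matches."""
    for line in text.splitlines():
        m = LOG_PATTERN.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])


def detect_bruteforce(text, threshold=4, window=timedelta(minutes=1)):
    """Flag sources with at least `threshold` failed logins inside a sliding
    window, report which default usernames were tried, and whether the burst
    was followed by a successful login from the same source (likely compromise)."""
    events = sorted(parse_log(text))
    per_source = defaultdict(list)
    for ts, result, user, src in events:
        per_source[src].append((ts, result, user))

    alerts = []
    for src, rows in per_source.items():
        failures = [(ts, user) for ts, result, user in rows if result == "failed"]
        for i, (start, _) in enumerate(failures):
            burst = [f for f in failures[i:] if f[0] - start <= window]
            if len(burst) < threshold:
                continue
            last_failure = burst[-1][0]
            success_after = any(
                r == "succeeded" and ts >= last_failure for ts, r, _ in rows
            )
            alerts.append({
                "source": src,
                "failures": len(burst),
                "default_usernames": sorted({u for _, u in burst} & DEFAULT_USERNAMES),
                "success_after_burst": success_after,
            })
            break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```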

According to Symantec, most of today’s IoT-malware comes with cross-platform support, and can target all major IoT hardware platforms such as x86, ARM, MIPS, and MIPSEL platforms. In some cases, there were malware families that went beyond these popular platforms and also targeted PowerPC, SuperH and SPARC architectures.

How to Scan for Vulnerabilities Using Nessus.


Welcome back guys. Today we will see how you can check for vulnerabilities using Nessus.

Usually vulnerability scans are done before the penetration test itself. A vulnerability scanner’s database contains a list of all known vulnerabilities, and the scanner checks whether your system or network is vulnerable to any of them. Later, pentesters check whether the scan results are true or not.

Vulnerability scanners are well known for being inaccurate. And that is fair, right? If a vulnerability scan could give you a complete vulnerability list, who would need a pentester?

Nessus is one of the best-known vulnerability scanners out there, and it has become a standard for pentesting. Recently even the U.S. government has switched to Nessus, and now all of its federal offices and U.S. military bases use Nessus to check for vulnerabilities.

If you want to be a white hat hacker/pentester, you have to be familiar with vulnerability scanners.

Step 1:

First download Nessus (free version) from the Tenable website. You can find it right here. You have to be registered to download, so give your email address to receive the activation code, then start the download by selecting your operating system.


Step 2:

Once your download is complete, install Nessus. Your default browser will open and show something like the screen below. Nessus uses a client and server architecture: the server runs on localhost and the browser acts as the client.


You are very likely to receive a warning like the one below which says “Your connection is not secure.”


Now you have to add an exception for the Nessus connection on port 8834.


Step 3:

Now we are ready to use Nessus and find vulnerabilities. You have to first set up an account. This is the account which you will be using to log into the Nessus server.

Once the user is activated, you are good to go.

Step 4:

Now you will see a screen like the one below. Select “New Scan.”


This opens a screen, which asks you to name your scan and enumerate your targets.

For simplicity’s sake I named it “First Scan” and had it scan my local network at You can name yours whatever you like, but make certain to use the IPs on your network, then click “Save.”


Now click on the “Launch” button.

Step 5:

When the vulnerability scan is complete, it will list each of the hosts by IPs scanned, and the associated risks to each. The risks are color coded, with the burnt orange being the most critical.


Click on “Vulnerabilities” in the top-line menu to display all the vulnerabilities found on the network.


When an individual vulnerability is selected, it displays more detail on that particular vulnerability.

Finally, results can be saved in several different formats for reporting purposes. Click on the “Export” tab to pull down a menu with:

  • Nessus
  • PDF
  • HTML
  • CSV
  • Nessus DB


In my case, I chose PDF; a dialog pops up with the name of the file and asks which program to open it with.


Nessus has become the de facto standard in vulnerability scanners, and every white hat hacker should be familiar with it.

Hope this tutorial helped. Share your opinion in the comments below

Researcher finds a way to Delete and Modify Facebook Messages Sent to Other Users.


Sometimes I receive emails from our readers who want to know how to hack a Facebook account, but just to delete some of the messages they have sent to their friends or colleagues mistakenly or under the wrong circumstances, like in anger.

How to hack a Facebook account? It is probably the biggest “n00b” question you will see on the Internet.

The solution to this query is hard to find — but recently researchers have shown how you can modify or alter your messages once you have pressed the SEND button in Facebook Messenger.

According to the researcher Roman Zaikin from cyber security firm Check Point, a simple HTML tweak can be used to exploit Facebook online chat as well as its Messenger app, potentially allowing anyone to modify or delete any of his/her sent message, photo, file, and link.

Though the bug is simple, it could be exploited by malicious users to send a legitimate link in a Facebook chat or group chat, and later change it to a malicious link that could lead to a malware installation, tricking victims into infecting their systems.

Here’s How the Exploit Works:

The exploit relies on the way Facebook assigns identities to chat messages. Each chat message has a unique “message_id” identifier that could be revealed by sending a request to http://www.facebook.com/ajax/mercury/thread_info.php.

Once message_id is identified, an attacker could alter its respective message content and send it back to Facebook servers which accept the new content as legitimate and push it back to the victim’s PC or mobile device.

“By exploiting this vulnerability, cyber criminals could change a whole chat thread without the victim realizing,” said Oded Vanunu, Head of Products Vulnerability Research at Check Point.

“What’s worse. The hacker could implement automation techniques to continually outsmart security measures for long-term chat alterations. We applaud Facebook for such a rapid response and putting security first for their users.”

Researchers discovered the vulnerability earlier this month and notified Facebook about the flaw.

The social networking giant promptly moved to fix the vulnerability, though Facebook explained that the flaw only affected its Messenger app on Android.

“Based on our investigation, this simple misconfiguration in the Messenger app on Android turned out to be a low-risk issue, and it’s already been fixed,” Facebook wrote in its blog post published Tuesday.

Additionally, Facebook claims the vulnerability could not be exploited to infect its users’ PCs with malicious software, as the company uses anti-spam and anti-virus filters to detect malware and spam.

Hackers Selling Unpatched Microsoft Windows Zero-Day Exploit for $90,000



How much does a Windows zero-day exploit that affects all versions of the Windows operating system cost on the black market?

It’s $95,000, at least, for the one recently spotted by security researchers.

Researchers from Trustwave’s SpiderLabs team have uncovered a zero-day exploit on the Russian underground malware forum exploit.in, affecting all versions of Microsoft Windows from Windows 2000 all the way up to a fully patched Windows 10.

The zero-day exploit for the previously unknown vulnerability in “every version” of Windows is openly sold for $90,000 (over £62,000). The security team originally discovered the zero-day exploit last month, when the firm saw its ad on a Russian hacking forum for $95,000. However, the price has since been dropped to $90,000.

The zero-day vulnerability in question is claimed to be a Local Privilege Escalation (LPE) bug in Windows that offers admin access to run malicious code on a victim’s PC; it is less dangerous than Remote Code Execution flaws, which allow attackers to compromise systems remotely.

In other words, the zero-day exploit by itself will not be able to compromise a system, but as Trustwave explained, would nonetheless be used in almost any scenario as “a very much needed puzzle piece in the overall infection process.”

The seller, who goes by the name “BuggiCorp,” claims the flaw is located in the win32k.sys kernel driver, and exists through the way Windows handles objects “with certain properties,” saying:

“The exploit successfully escapes from ILL/appcontainer (LOW), bypassing (more precisely: doesn’t get affected at all [by]) all existing protection mechanisms such as ASLR, DEP, SMEP, etc. [The zero-day exploit] relies solely on the KERNEL32 and USER32 libraries [DLLs].”

Additional capabilities claimed for the zero-day exploit include installing a rootkit, running on POS systems to steal credit card data, gaining limited control over a web server, and installing malware on systems, according to Trustwave.

The author went on to prove the authenticity of his claims by providing two videos of the exploit on YouTube, one of which can be viewed below.

Trustwave alerted Microsoft of the potential Windows exploit.

“Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible,” Microsoft said in a statement. “We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide solutions via our current Update Tuesday schedule.”

Warning Over 900 Million Android Phones Vulnerable to New ‘QuadRooter’ Attack


Android has Fallen! Yet another set of Android security vulnerabilities has been discovered in Qualcomm chipsets, affecting more than 900 Million Android smartphones and tablets worldwide.

What’s even worse: most of the affected Android devices will probably never be patched.

Dubbed “Quadrooter,” the set of four vulnerabilities, found in devices running Android Marshmallow and earlier that ship with a Qualcomm chip, could allow an attacker to gain root-level access to any affected Qualcomm-based device.

The chip, according to the latest statistics, is found in more than 900 Million Android tablets and smartphones. That’s a very big number.

The vulnerabilities were disclosed by a team of Check Point researchers at the DEF CON 24 security conference in Las Vegas.

Critical Quadrooter Vulnerabilities:

The four security vulnerabilities are:

  • CVE-2016-2503, discovered in Qualcomm’s GPU driver and fixed in Google’s Android Security Bulletin for July 2016.
  • CVE-2016-2504, found in the Qualcomm GPU driver and fixed in Google’s Android Security Bulletin for August 2016.
  • CVE-2016-2059, found in a Qualcomm kernel module and fixed in April, though the patch status is unknown.
  • CVE-2016-5340, present in the Qualcomm GPU driver and fixed, but with patch status unknown.

Qualcomm is the world’s leading designer of LTE (Long Term Evolution) chipsets, with a 65% share of the LTE modem baseband market. If any one of the four flaws is exploited, an attacker can escalate privileges to gain root access on an affected device.

All an attacker needs is to write a piece of malware and get it onto the victim’s device. Once installed, the malware gives the attacker privilege escalation on the affected device.

According to the researchers, the attack can also be conducted through a malicious app. An attacker needs to trick a user into installing a malicious app that, unlike other malware, would execute without requiring any special permissions.

“Such an app would require no special permissions to take advantage of these vulnerabilities, alleviating any suspicion users may have when installing,” Check Point researchers write in a blog post.

If any of the four vulnerabilities is successfully exploited, an attacker could gain root access to an affected device, giving the attacker full access to the device, including its data, camera and microphone.

List of Affected Devices (Popular)

More than 900 Million Android devices that ship with a Qualcomm chip are vulnerable to the flaws.

Here’s a list of some of the popular affected devices, though far more devices are impacted by one or more Quadrooter vulnerabilities.

1. Samsung Galaxy S7 and Samsung S7 Edge
2. Sony Xperia Z Ultra
3. OnePlus One, OnePlus 2 and OnePlus 3
4. Google Nexus 5X, Nexus 6 and Nexus 6P
5. Blackphone 1 and Blackphone 2
6. HTC One, HTC M9 and HTC 10
7. LG G4, LG G5, and LG V10
8. New Moto X by Motorola
9. BlackBerry Priv

How to Check if Your Device is Vulnerable?

You can check whether your smartphone or tablet is vulnerable to the Quadrooter attack using Check Point’s free app.

Since the vulnerable software drivers, which control communication between Qualcomm chipset components, come pre-installed on these devices at the time of manufacturing, they can only be fixed by installing a patch from the devices’ distributors or carriers after they receive fixed driver packs from Qualcomm.

“This situation highlights the inherent risks in the Android security model,” the researchers say. “Critical security updates must pass through the entire supply chain before they can be made available to end users.”

Three of the four vulnerabilities have already been fixed in Google’s latest set of monthly security updates, and a patch for the remaining flaw will be rolled out in the upcoming September update.

Since Qualcomm has already released the code, phone manufacturers should be able to issue patches for individual devices as soon as possible.

Android Nexus devices are already patched via over-the-air updates, but other smartphone models will have to wait until their lazy phone manufacturers integrate the fixes into their own custom Android ROMs.

Warning! Just an Image Can Hack Your Android Phone — Patch Now

Own an Android smartphone? Beware, as just an innocuous-looking image on social media or messaging app could compromise your smartphone.

Along with the dangerous Quadrooter vulnerabilities that affected 900 Million devices and other previously disclosed issues, Google has patched a previously-unknown critical bug that could let attackers deliver their hack hidden inside an innocent looking image via social media or chat apps.

In fact, there is no need for the victim to click on the malicious photo: as soon as the image’s data is parsed by the phone, it quietly allows a remote attacker to take control of the device or simply crash it.

The vulnerability is similar to last year’s Stagefright bug (exploit code) that allowed hackers to hijack Android devices with just a simple text message without the owners being aware of it.

The Stagefright flaw affected more than 950 Million Android devices and resided in the core Android component Stagefright — a multimedia playback library used by Android to process, record and play multimedia files.

However, the recent vulnerability (CVE-2016-3862) resided in the way certain Android applications parsed the Exif data in an image, SentinelOne’s Tim Strazzere, the researcher who uncovered the vulnerability, told Forbes.

Any app using Android’s Java object ExifInterface code is likely vulnerable to the issue.

An Image Received…? Your Game is Over

By getting a victim to open the image file within an affected app like Gchat or Gmail, a hacker could either crash the victim’s phone or remotely execute malicious code to inject malware onto the phone and take control of it without the victim’s knowledge.

“Since the bug is triggered without much user interaction – an application only needs to load an image a specific way – triggering the bug is as simple as receiving a message or email from someone,” Strazzere said. “Once that application attempts to parse the image (which was done automatically), the crash is triggered.”

According to Strazzere, attackers could develop a simple exploit inside an image to target a large number of vulnerable Android devices.

Strazzere crafted exploits for the affected devices and found that it worked on Gchat, Gmail and most other messenger and social media apps, though he did not disclose the names of the other non-Google apps affected by the flaw.

When Can I Expect a Fix?

All versions of Google’s operating system from Android 4.4.4 to 6.0.1 are vulnerable to the image-based hack, apart from today’s update, which fixes the vulnerability.

The researcher even successfully tested his exploits on a handful of phones running Android 4.2 and Amazon devices and found that the devices remain unpatched, leaving a large number of users of older Android devices exposed.

So, if you are not running an updated version of the operating system and/or device, you are probably vulnerable to the image-based attack.

Google has delivered a patch to fix the issue, but given the shaky history of handset manufacturers and carriers rolling out security patches, it is not known how long the companies will take to update vulnerable Android devices.

Google rewarded Strazzere with $4,000 as part of the company’s Android bug bounty program and, Forbes reports, another $4,000; Strazzere had pledged to give all his reward money to Girls Garage, a program and workspace for girls aged 9-13.

Using ‘Signal’ for Encrypted Chats? You Shouldn’t Skip Its Next Update


Two Researchers have discovered a couple of vulnerabilities in Signal, the popular end-to-end encrypted messaging app recommended by whistleblower Edward Snowden.

One of those vulnerabilities could allow potential attackers to add random data to the attachments of encrypted messages sent by Android users, while another bug could allow hackers to remotely crash vulnerable devices.

The vulnerabilities have just been patched, but the updated version of Signal is so far available only on the GitHub open source repository, and not on Google’s official Play Store for Android apps, leaving millions of privacy-conscious people vulnerable to attacks.

That means that if you installed the Signal messaging app via the Google Play Store, like millions of other Android users, you are still vulnerable.

Developed by the open source software group Open Whisper Systems, Signal is a free and open source messaging application specifically designed for Android and iOS users to send encrypted messages and make encrypted voice calls.

The flaws in the Android version of Signal include:

  • Message authentication-bypass vulnerability
  • Remote crash bug

The Message Authentication-Bypass Flaw in Signal

Researchers Jean-Philippe Aumasson and Markus Vervier have discovered the message authentication-bypass vulnerability while reviewing the Java code used by Signal for Android.

The vulnerability is not easily exploitable. Only attackers with the ability to compromise a Signal server or monitor data passing between Signal users (a Man-in-the-Middle attack) would be able to append pseudorandom data to a legitimate attachment.

The flaw is due to an integer overflow bug, which is triggered only if an extremely large file, at least 4 gigabytes in size, is attached to a Signal message. But what does that mean?

As part of standard encryption schemes, encrypted messaging services make use of a Message Authentication Code (MAC) to authenticate a message — in other words, to confirm that the message came from the sender and has not been changed in transit.

However, in the case of attachments, Signal does not verify the authenticity of the entire file; instead it just checks a small portion of it, making it possible for hackers to attach pseudorandom data to the legitimate attachment that wouldn’t be detected by the MAC.

For a successful attack, an attacker could make use of Signal’s file compression feature to reduce the size of his malicious attachment to a manageable 4 megabytes.

While talking to Ars Technica, Aumasson said he found the integer overflow bug in the following line of code:

int remainingData = (int) file.length() - mac.getMacLength();

  • The value ‘file.length()’ is a number encoded on 64 bits (of type ‘long’).
  • The receiving variable ‘remainingData’ is a number encoded on 32 bits (of type ‘int’).

“Therefore, when ‘file.length()’ is longer than what fits in a 32-bit number, the value of ‘remainingData’ (the number of bytes left to process) will be incorrect, as it will be much smaller than the real size of the file,” Aumasson explained. “Consequently, a large part of the file will be ignored when Signal will verify the cryptographic authenticity. Signal will only check the (small) beginning of the file, whereas the user will actually receive the much larger file.”
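Added illustration (not Signal’s code): the narrowing cast quoted above, emulated in Python beside a 64-bit version of the same arithmetic, with a Signal-style MAC check run over a stand-in attachment. HMAC-SHA256 with a 32-byte MAC and the Attachment class (which models a multi-gigabyte tail without allocating it) are assumptions made for the demo.

```python
import hashlib
import hmac

MAC_LENGTH = 32          # HMAC-SHA256 output size; stands in for mac.getMacLength()
JAVA_INT_MAX = 0x7FFFFFFF


def java_int_cast(value):
    """Emulate Java's narrowing (int) cast on a long: keep the low 32 bits and
    interpret them as a signed two's-complement number."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def remaining_data_vulnerable(file_length):
    """Java: int remainingData = (int) file.length() - mac.getMacLength();"""
    return java_int_cast(file_length) - MAC_LENGTH


def remaining_data_fixed(file_length):
    """Keep the arithmetic in 64 bits and reject lengths that do not fit an int."""
    if file_length < MAC_LENGTH or file_length - MAC_LENGTH > JAVA_INT_MAX:
        raise ValueError("attachment length out of range")
    return file_length - MAC_LENGTH


class Attachment:
    """Stand-in for the attachment on disk (constructed for this demo): a real
    prefix (ciphertext || MAC) plus a declared number of trailing bytes that are
    modelled rather than stored, so a 4 GiB tail costs no memory."""

    def __init__(self, prefix, appended_length=0):
        self.prefix = prefix
        self.appended_length = appended_length

    def length(self):
        return len(self.prefix) + self.appended_length

    def read(self, offset, size):
        # Bytes beyond the stored prefix are modelled as zeros; their content
        # never matters to the check, which is exactly the problem.
        chunk = self.prefix[offset:offset + size]
        return chunk + b"\x00" * (size - len(chunk))


def verify(attachment, key, remaining_fn):
    """Signal-style check: MAC the first remainingData bytes, then compare with
    the MAC_LENGTH bytes that follow. Returns True when the MAC matches."""
    try:
        remaining = remaining_fn(attachment.length())
    except ValueError:
        return False
    if remaining < 0:
        return False
    body = attachment.read(0, remaining)
    stored_mac = attachment.read(remaining, MAC_LENGTH)
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, stored_mac)


def make_attachment(key, ciphertext, appended_length=0):
    """Build ciphertext || MAC as the sender would, optionally with a modelled
    tail of `appended_length` bytes tacked on by a man in the middle."""
    mac = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return Attachment(ciphertext + mac, appended_length)


if __name__ == "__main__":
    key = b"k" * 32                                 # constructed demo key
    legit = make_attachment(key, b"A" * 4096)
    tail_4gib = make_attachment(key, b"A" * 4096, appended_length=2 ** 32)
    # With exactly 4 GiB appended, the length wraps back to the original value,
    # so the vulnerable check MACs only the original bytes and passes.
    print("legit   :", verify(legit, key, remaining_data_vulnerable),
          verify(legit, key, remaining_data_fixed))
    print("+4 GiB  :", verify(tail_4gib, key, remaining_data_vulnerable),
          verify(tail_4gib, key, remaining_data_fixed))
```

Appending less than 4 GiB sets the sign bit of the truncated length, so remainingData goes negative and the vulnerable check fails outright, which is why the quote below speaks of a minimum of 4 GB.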

Although Signal uses end-to-end encryption, encrypting messages on the sender’s device and decrypting them only on the receiver’s end, the encrypted messages still pass through a server, allowing attackers to carry out the message authentication bypass by compromising or impersonating the server and then tampering with legitimate message attachments.

While the attack is not trivial to carry out, it is not too difficult for state-sponsored attackers to impersonate a trusted certificate authority (CA) or trick victims into installing a rogue certificate on their devices and thereby circumvent transport-layer security (TLS) protections.

Moreover, since Signal is used by a large number of security professionals and privacy advocates, the app has always been on the priority list of nation-state actors, although it seems they are not likely to exploit this kind of flaw.

“This was a really great bug report, but we consider its impact to be low severity at this time. It does not allow an attacker who has compromised the server to read or modify attachments, only to append a *minimum* of 4GB of unpredictable random data to the end of an attachment in transmit,” Moxie Marlinspike, Founder of Open Whisper System said.

“While that causes a denial of service, effectively corrupting a file in an unpredictable way and making it too large to open on any Android device, an attacker that has compromised the server could more easily deny service just by blocking your request for the attachment.”

The second flaw discovered by the researchers could allow attackers to remotely execute malicious code on the victim’s device, while the third makes it possible for attackers to simply crash the device remotely.

The researchers privately disclosed all the vulnerabilities to Open Whisper Systems on September 13, and the company has already issued an update on GitHub, though it has yet to appear on the Play Store.

“The results are not catastrophic, but show that, like any piece of software, Signal is not perfect,” Aumasson said. “Signal drew the attention of many security researchers, and it’s impressive that no vulnerability was ever published until today. This pleads in favor of Signal, and we’ll keep trusting it.”

Aumasson and Vervier are now testing for the same bugs in WhatsApp and Facebook Messenger, which also rely on Signal code.

Cisco finds new Zero-Day Exploit linked to NSA Hackers



Network equipment vendor Cisco is finally warning its customers of another zero-day vulnerability the company discovered in the trove of NSA’s hacking exploits and implants leaked by the group calling itself “The Shadow Brokers.”

Last month, the Shadow Brokers published firewall exploits, implants, and hacking tools allegedly stolen from the NSA’s Equation Group, which were designed to target major vendors including Cisco, Juniper, and Fortinet.

One exploit, dubbed ExtraBacon, leveraged a zero-day vulnerability (CVE-2016-6366) that resided in the Simple Network Management Protocol (SNMP) code of Cisco ASA software and could allow remote attackers to cause a reload of the affected system or execute malicious code.

Now Cisco has found another zero-day exploit, dubbed “Benigncertain,” which targets PIX firewalls.

Cisco analyzed the exploit and noted that it had not identified any new flaws related to this exploit in its current products.

But, further analysis of Benigncertain revealed that the exploit also affects Cisco products running IOS, IOS XE and IOS XR software.

Benigncertain leveraged the vulnerability (CVE-2016-6415) that resides in the IKEv1 packet processing code and affects several Cisco devices running IOS operating system and all Cisco PIX firewalls.

IKE (Internet Key Exchange) is a protocol used by firewalls, by virtual private networks (VPNs), and even to manage industrial control systems.

A remote, unauthorized attacker could use this vulnerability to retrieve memory contents from traffic and disclose critical information such as RSA private keys and configuration information by sending specially crafted IKEv1 packets to affected devices.

“The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests,” Cisco said in its advisory.

Cisco IOS XR versions 4.3.x, 5.0.x, 5.1.x and 5.2.x, as well as PIX firewall versions 6.x and earlier, are vulnerable to this flaw, though the company has not supported PIX since 2009.

Cisco has not yet developed a patch for the flaw, and no workarounds are available.

The company said the vulnerability is being actively exploited, and advised its customers to employ intrusion detection systems (IDS) and intrusion prevention systems (IPS) to help stop the attacks.

Cisco promised to release software updates to patch CVE-2016-6415 but did not specify a time frame.

iPhone 7 Jailbreak Has Already Been Achieved In Just 24 Hours.


It has only been a few days since the launch of Apple’s brand new iPhone 7 and iPhone 7 Plus, but it appears that the new iPhone has already been jailbroken.

That didn’t take long. Right?

Security researcher and well-known hacker Luca Tedesco shared an image of his jailbroken smartphone on his Twitter account to show the world that the new iPhone 7 has been jailbroken.

The image posted by Tedesco on Wednesday clearly shows an iPhone 7 running both iOS 10.0.1 as well as the Cydia app store, which allows jailbreakers to install apps and other software that Apple does not officially support.

Unfortunately, Tedesco has not publicly released the exploit, nor has he provided much information about it. So, right now, it is hard to say if and when he will release the iPhone 7 jailbreak to the public.

It is also not clear whether the exploit is an untethered jailbreak.

An untethered jailbreak is one where your device does not need to be connected to an external device capable of executing commands on it every time it reboots.

For now, there is no tool available that you can use to jailbreak your device, but the good news is that a jailbreak has already been developed, which shows that it is indeed possible to jailbreak the iPhone 7.

So, early buyers looking to jailbreak their iPhone 7 or iPhone 7 Plus and install unauthorized Cydia tweaks have to wait until firms like Pangu or someone else come up with the same exploit.

Pangu is the same Chinese jailbreak team that released the first untethered jailbreak for iOS 9.

Since this is not good news for Apple, the company will likely close the vulnerability used to develop the iPhone 7 jailbreak in its next iOS update.