The famous Internet entrepreneur and former hacker Kim Dotcom, who introduced the legendary Megaupload and MEGA file-sharing services to the world, has come up with another bold idea: to start his very own Internet that uses the blockchain.


Just last month, Kim Dotcom, a German millionaire formerly known as Kim Schmitz, launched the public beta of his end-to-end encrypted video and audio chat service, "MegaChat", which he says gives better protection than alternatives such as Skype and Google Hangouts.
Now, his latest series of tweets refers to a supposed "MegaNet" which, he believes, would be immune to the global mass surveillance conducted by governments or corporations and would not be based on IP addresses.
MegaNet would be a decentralized, non-IP-based network in which the blockchain used by Bitcoin will play an "important role". Decentralizing the Internet means taking the power of the Web away from the powerful hands of governments and corporations and putting it back in the hands of online users.

This move would offer users a truly free space, where they can communicate privately with anyone else without censorship.
Mr. Dotcom went on to tell his followers that they "would be surprised" about "how much idle storage and bandwidth capacity mobile phones have", adding that "MegaNet will turn that idle capacity into a new network".
The entrepreneur also assured his followers that battery consumption won't be a problem for the large number of phones in the network carrying MegaNet.
"MegaNet won't rely exclusively on mobile networks at launch. But the more powerful phones become the more data & traffic they will carry."
There are a number of similar projects driving the shift toward decentralization.

MAIDSAFE — ANOTHER DECENTRALIZED INTERNET
One such project, by David Irvine, is dubbed MaidSafe (Massive Array of Internet Disks, Secure Access For Everyone). MaidSafe is an open-source program (hosted on GitHub) that enables a decentralized Internet platform.
The key part of MaidSafe is its SAFE network, powered by its participants' computers, which means that, instead of specialized servers, data is stored and distributed by a network of internet-connected computers.
Anyone running the MaidSafe program becomes part of the SAFE Network. The MaidSafe system turns all connected devices into SAFE Network nodes that collectively store data for all MaidSafe users.
Data storage is automatically decentralized, which means a web application using MaidSafe does not store its users' data on any central server; rather, the data is spread across many disks and devices owned and managed by many different MaidSafe users. Therefore, no one, whether a person or a corporation, holds an intact copy of a user's file.

PROJECT MAELSTROM — P2P NETWORK TO HOST WEBSITES
At the end of last year, BitTorrent announced Project Maelstrom which is "the first step toward a truly distributed web, one that does not rely on centralized servers."
"Truly an Internet powered by people, one that lowers barriers and denies gatekeepers their grip on our future," said BitTorrent. "If we are successful, we believe this project has the potential to help address some of the most vexing problems facing the Internet today."
According to BitTorrent, the distributed browser could help maintain a more neutral Internet. If an ISP can’t identify where traffic is originating from, then it can’t suppress certain sites accessed from a browser like Maelstrom.

ZeroNet — DECENTRALIZED WEBSITE HOSTING USING THE BITTORRENT NETWORK
At the beginning of the new year, a new open-source project known as ZeroNet launched that aims to deliver a decentralized web platform using Bitcoin cryptography and the BitTorrent network.
ZeroNet uses a combination of BitTorrent, a custom file server and a web-based user interface to do so, and manages to provide a fairly usable experience. The main goal of the project is to host websites and provide anonymity for each site's owner.

Source: The Hacker News
A serious vulnerability in Facebook has recently been reported that could allow anyone to delete your entire Facebook photo album without authenticating as its owner.
Security researcher Laxman Muthiyah told The Hacker News that the vulnerability resides in the Facebook Graph API mechanism, which allowed "a hacker to delete any photo album on Facebook. Any photo album owned by a user or a page or a group could be deleted."


DELETING FACEBOOK PHOTO ALBUMS

According to Facebook's developer documentation, it is not possible to delete albums using the Graph API, but the Indian security researcher found a way to delete not just his own but also other people's Facebook photo albums within a few seconds.
"I decided to try it with the Facebook for mobile access token because we can see the delete option for all photo albums in the Facebook mobile application, isn't it? Yeah, and also it uses the same Graph API," he said.
In general, the Facebook Graph API requires an access token to read or write user data, and that token grants an app only limited access. However, Laxman discovered that his own access token, generated for the mobile version of Facebook, could be used to remove photo albums posted by any Facebook user.
In order to delete a photo album from a victim's Facebook account, the attacker only needed to send an HTTP Graph API request with the victim's photo album ID and the attacker's own access token generated for the 'Facebook for Android' app.

SAMPLE REQUEST

Request:
DELETE /<Victim's_photo_album_id> HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

access_token=<Your(Attacker)_Facebook_for_Android_Access_Token>

The Facebook Bug Bounty program rewarded him with $12,500 USD for helping the Facebook security team patch this critical loophole.
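The root cause described above is a missing ownership check: the endpoint verified that the caller presented a valid token but never checked that the token's subject was allowed to touch that particular album. The following is an added illustration, not Facebook's code, using a hypothetical in-memory model of albums and tokens; it shows a handler that repeats the mistake beside one that enforces owner/admin authorization.

```python
"""Authorization check for a Graph-API-style 'DELETE /<album_id>' endpoint (hypothetical model)."""
from dataclasses import dataclass, field
from typing import Dict, Set

@dataclass
class Album:
    album_id: str
    owner_id: str                                   # user, page or group that owns the album
    admins: Set[str] = field(default_factory=set)   # users allowed to manage a page/group album

@dataclass
class Token:
    user_id: str        # who the token was issued to
    app_id: str         # which client app it was issued for
    scopes: Set[str]    # granted permissions

# Constructed sample state; none of these ids are real.
SAMPLE_ALBUMS: Dict[str, Album] = {
    "album-100": Album("album-100", owner_id="user-alice"),
    "album-200": Album("album-200", owner_id="page-acme", admins={"user-carol"}),
}
SAMPLE_TOKENS: Dict[str, Token] = {
    "tok-alice-android": Token("user-alice", "mobile-client", {"user_photos"}),
    "tok-bob-android": Token("user-bob", "mobile-client", {"user_photos"}),
    "tok-carol-admin": Token("user-carol", "mobile-client", {"user_photos"}),
}

def delete_album_vulnerable(albums, tokens, album_id, access_token) -> int:
    """Mirrors the reported bug: any valid token may delete any existing album."""
    if access_token not in tokens:
        return 401
    if album_id not in albums:
        return 404
    del albums[album_id]          # no ownership check at all
    return 200

def delete_album_fixed(albums, tokens, album_id, access_token) -> int:
    """Hardened handler: the token's subject must own the album or be one of its admins."""
    token = tokens.get(access_token)
    if token is None:
        return 401
    album = albums.get(album_id)
    if album is None:
        return 404
    if "user_photos" not in token.scopes:
        return 403                # token lacks the permission for this operation
    if token.user_id != album.owner_id and token.user_id not in album.admins:
        return 403                # valid token, but not for this album's owner
    del albums[album_id]
    return 200
```

The 404 for an unknown album is returned only after the token is validated, so the endpoint does not confirm album ids to unauthenticated callers.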

Source: The Hacker News
Security researchers have warned of a pair of vulnerabilities in the Google Play Store that could allow cyber crooks to install and launch malicious applications remotely on Android devices.
Tod Beardsley, technical lead for the Metasploit Framework at Rapid7, warns that an X-Frame-Options (XFO) weakness, when combined with a recent Android WebView (Jelly Bean) flaw, creates a way for attackers to quietly install any arbitrary app from the Play Store onto a victim's device, even without the user's consent.

USERS AFFECTED
The vulnerability affects users running Android 4.3 Jelly Bean and earlier, versions that no longer receive official security updates from the Android security team for WebView, the core component used to render web pages on an Android device. Users who have installed vulnerable third-party browsers are also affected.
According to the researcher, the web browser in Android 4.3 and prior is vulnerable to a Universal Cross-Site Scripting (UXSS) attack, and the Google Play Store is vulnerable to a Cross-Site Scripting (XSS) flaw.

UNIVERSAL CROSS-SITE SCRIPTING FLAW
In a UXSS attack, client-side vulnerabilities in a web browser or browser extension are exploited to create an XSS condition, which allows malicious code to execute while bypassing or disabling the browser's security protection mechanisms.

"Users of these platforms may also have installed vulnerable aftermarket browsers," Beardsley explains in a blog post on Tuesday. "Until the Google Play store XFO [X-Frame-Options] gap is mitigated, users of these web applications who habitually sign in to their Google Account will remain vulnerable."
At the beginning of this month, a Universal Cross-Site Scripting (UXSS) flaw was discovered in all the latest versions of Internet Explorer that allowed attackers to inject malicious code into users' websites and steal cookies, sessions and login credentials.

The security researcher demonstrated the issue with JavaScript and Ruby code showing that a response from the play.google.com domain can be obtained without the appropriate XFO header.

METASPLOIT MODULE IS PUBLICLY AVAILABLE
A Metasploit module has been created and published on GitHub to help enterprise security staff test corporate-issued smartphones for exposure to the vulnerability. According to the advisory, remote code execution is achieved by leveraging two vulnerabilities on affected Android devices:
First, the module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in versions of Android's open-source stock browser (the AOSP Browser) prior to 4.4 (KitKat), as well as in some other browsers.

Second, the Google Play Store's web interface fails to enforce an X-Frame-Options: DENY header on some error pages and can therefore be targeted for script injection. This leads to remote code execution through Google Play's remote installation feature, since any application available on the Google Play Store can be installed and launched on the user's device.
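The gap in the second step is that anti-framing headers were set on ordinary pages but not on error pages, which is exactly where a crawl-and-check tends to miss. The script below is an added example, not the Rapid7 module or Google's code; it runs over a constructed sample of (path, status, headers) triples for a hypothetical web app and flags every response, error pages included, that neither X-Frame-Options nor a CSP frame-ancestors directive protects.

```python
"""Flag HTTP responses (error pages included) that can be framed by other origins."""
from typing import Dict, List, Tuple

Response = Tuple[str, int, Dict[str, str]]   # (path, status code, response headers)

def is_frame_protected(headers: Dict[str, str]) -> bool:
    """True if X-Frame-Options or a CSP frame-ancestors directive forbids arbitrary framing."""
    norm = {k.lower(): v.strip() for k, v in headers.items()}
    xfo = norm.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True
    # ALLOW-FROM is obsolete and ignored by most browsers, so it is not counted as protection.
    csp = norm.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split()
            # Any explicit allow-list ('none', 'self', a named origin) blocks untrusted framers;
            # a wildcard does not.
            return bool(sources) and "*" not in sources
    return False

def unprotected_responses(responses: List[Response]) -> List[Tuple[str, int]]:
    """Return (path, status) for every response an attacker's page could embed in a frame."""
    return [(path, status) for path, status, hdrs in responses if not is_frame_protected(hdrs)]

# Constructed sample crawl of a hypothetical web app: the ordinary pages set a header,
# the 404 and 500 error pages do not (the pattern the advisory describes).
SAMPLE_RESPONSES: List[Response] = [
    ("/store/apps", 200, {"X-Frame-Options": "SAMEORIGIN", "Content-Type": "text/html"}),
    ("/store/apps/details", 404, {"Content-Type": "text/html"}),
    ("/store/account", 200, {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}),
    ("/store/oops", 500, {"X-Frame-Options": "ALLOW-FROM https://example.invalid"}),
]

if __name__ == "__main__":
    for path, status in unprotected_responses(SAMPLE_RESPONSES):
        print(f"no anti-framing header on {path} (HTTP {status})")
```

When used against a live deployment, feed it responses for deliberately bad URLs and malformed parameters as well as normal pages, since that is how the unprotected error pages surface.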

HOW TO PREVENT BEING EXPOSED
Use a web browser that is not susceptible to widely known UXSS vulnerabilities, such as Google Chrome, Mozilla Firefox or Dolphin. This helps mitigate the lack of a universal X-Frame-Options (XFO) header for the play.google.com domain.

Another effective way is simply to log out of the Google Play Store account to avoid the vulnerability, although this practice is unlikely to be adopted by most users.

Source: The Hacker News
A security researcher has publicly released a set of 10 million usernames and passwords, which he collected from multiple data breaches over the last decade for the purpose of his research.

These 10 million usernames and passwords are a collection of leaked database dumps that were already publicly available on the Internet. However, Mark Burnett, a well-known security consultant who specializes in collecting and researching passwords leaked online, described his decision to publish the password dump as legally risky but necessary to help security researchers.

WHY IS THE RESEARCHER WILLING TO SHARE PASSWORDS?
The researcher says the released set of passwords and usernames is sample data that is important for other researchers to analyze: it provides great insight into user behavior and is valuable for encouraging password security.

The researcher was also frequently receiving requests from students and other security researchers for a copy of his password research data for their own analysis.

WHAT MADE HIM AFRAID OF SHARING HIS RESEARCH?
Until now, he typically declined to share the passwords because he was worried that doing so might harm him legally, given the recent five-year sentence handed to former Anonymous activist and journalist Barrett Brown for sharing a hyperlink to an IRC (Internet Relay Chat) channel where Anonymous members were distributing stolen information from a hack.

However, at the same time, Burnett wanted to share his password research data with the world so that others could study the way people choose passphrases.
"I think this is completely absurd that I have to write an entire article justifying the release of this data out of fear of prosecution or legal harassment," he wrote in his blog post published Monday. "I had wanted to write an article about the data itself but I will have to do that later because I had to write this lame thing trying to convince the FBI not to raid me."
WHERE DID THE CREDENTIALS COME FROM?
Burnett collected the data from major data breaches at big companies, including the Adobe data breach and the Stratfor hack, all of which were already publicly available on the Internet and could easily be found through web searches.

According to the researcher, most of the leaked passwords are "dead," meaning they have already been changed, and he has scrubbed other information, such as domain names, to make the data unusable for cyber criminals and malicious hackers. However, any usernames or passwords on the list that are still in use should be changed immediately.

Burnett also explains why he should not be arrested by law enforcement agencies.

'WHY THE FBI SHOULDN'T ARREST ME'
"Although researchers typically only release passwords, I am releasing usernames with the passwords. Analysis of usernames with passwords is an area that has been greatly neglected and can provide as much insight as studying passwords alone," Burnett wrote.
"Most researchers are afraid to publish usernames and passwords together because combined they become an authentication feature. If simply linking to already released authentication features in a private IRC channel was considered trafficking, surely the FBI would consider releasing the actual data to the public a crime."
The almost 10 million passwords released by the researcher could, for instance, help other researchers determine how often users include all or part of their usernames in their passwords. Ten million is a very big number, but Burnett maintains that all of the leaked data was already available online.
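The "all or part of the username" question above is the kind of measurement a researcher would run over such a corpus. The following is an added example, not Burnett's code: it parses a constructed handful of username:password lines (no real credentials) and counts, case-insensitively, how many passwords contain the whole username or any four-character slice of it, reducing e-mail style usernames to their local part to match the scrubbed form the article describes.

```python
"""Measure how often a password contains all or part of its username, over a constructed sample."""
from typing import Dict, Iterable, List, Tuple

# Constructed sample in the common "username:password" dump layout; not real credentials.
SAMPLE_DUMP = """\
jsmith:jsmith1985
alice.w:Alice2014!
bob:bob
dragonfan:Password1
m.jones:qwerty
kevin_lee:iLoveKevin
"""

def parse_dump(text: str) -> List[Tuple[str, str]]:
    """Split 'username:password' lines on the first colon only, since passwords may contain ':'."""
    pairs = []
    for line in text.splitlines():
        if ":" not in line:
            continue                      # skip blank or malformed lines
        user, _, pw = line.partition(":")
        pairs.append((user.strip(), pw))
    return pairs

def username_reuse_stats(pairs: Iterable[Tuple[str, str]], min_part: int = 4) -> Dict[str, int]:
    """Count passwords containing the whole username ('full') or any min_part-character
    slice of it ('partial'). Comparison is case-insensitive; an e-mail style username is
    reduced to its local part, matching the scrubbed form described in the article."""
    stats = {"total": 0, "full": 0, "partial": 0, "none": 0}
    for username, password in pairs:
        u = username.split("@", 1)[0].lower()
        p = password.lower()
        stats["total"] += 1
        if u and u in p:
            stats["full"] += 1
        elif any(u[i:i + min_part] in p for i in range(len(u) - min_part + 1)):
            stats["partial"] += 1
        else:
            stats["none"] += 1
    return stats

def reuse_rate(stats: Dict[str, int]) -> float:
    """Fraction of pairs where any part of the username leaks into the password."""
    return (stats["full"] + stats["partial"]) / stats["total"] if stats["total"] else 0.0

if __name__ == "__main__":
    s = username_reuse_stats(parse_dump(SAMPLE_DUMP))
    print(s, f"reuse rate {reuse_rate(s):.2f}")
```

Usernames shorter than min_part can only score as a full match, so very short names never inflate the partial count.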

Source: The Hacker News
Is Your Smart TV Spying On You? Just make sure you don't hold any private conversations in front of an internet-connected TV.
IS SMART TV GETTING TOO SMART?

Smart TVs are connected to the Internet, and they are capable of collecting and transmitting our data.
Samsung's Smart TV uses voice recognition technology to enable voice commands, but the company's privacy policy says "if your spoken words include personal or other sensitive information, that information will be captured and transmitted to a third party."
In other words, Samsung's Voice Recognition feature is always listening to you unless you deactivate it, so these internet-enabled smart devices can be exploited to reveal a wealth of personal information.
"In addition, Samsung may collect and your device may capture voice commands and associated texts so that we can provide you with Voice Recognition features and evaluate and improve the features," the Samsung Smart TV privacy policy says.
Samsung points out that the TV's owner can turn the voice recognition feature off, but even then Samsung can still collect a considerable amount of your data.
A company spokesperson said that Samsung "takes consumer privacy very seriously. In all of our Smart TVs we employ industry-standard security safeguards and practices, including data encryption, to secure consumers' personal information and prevent unauthorized collection or use."
This is not the first time Samsung Smart TVs or other Internet of Things devices have set off alarms among privacy experts.
December 2012: A security researcher revealed a vulnerability in Samsung Smart TVs that allowed an intruder to take control of devices connected to the same network.
November 2013: Researchers found that LG's Smart TVs were sending personal information about which channels you watch and your viewing habits back to the company's servers.
July 2013: Another vulnerability allowed attackers to remotely crash a Samsung Smart TV with little effort.
January 2014: More than 100,000 refrigerators and other internet-enabled home appliances were hacked to carry out a massive cyber attack.
April 2014: We reported on cyber attacks and specialized malware targeting Internet of Things (IoT) devices such as TVs, refrigerators, microwaves and dishwashers.
Internet-enabled devices and voice command technology are becoming more ubiquitous, and many consumers rely on them, so companies are advised to address some elements of their privacy policies more carefully.
