Tuesday 20 December 2016

About Me | Sapna Juneja

Sapna Juneja|CEH

Ethical Hacker | Cyber Forensics Investigator | Information Security Consultant

With a 4 + years of experience in various domains of Information Security, I have been able to solve very complex security problems across many technologies and then teach and enable the clients to do the same. 

I have worked and gained expertise in various technical and business domains - Malware Analysis, Ethical Hacking, Social Engineering, Phishing, ISO Auditing Reverse Engineering, Infrastructure Configuration Security audit, Malware analysis , Cyber Crime Investigation, Spam Analysis .

I hold the Following Certifications : 

Certified Ethical Hacker by EC Council (CEH)
Cyber Forensics
Certified Spam Fighter

Friday 16 December 2016

Ubuntu App Crash Reporter Bug Allows Remote Code Execution


A security researcher has discovered a vulnerability in Ubuntu’s crash reporter that would allow remote code execution, making it possible for an attacker to compromise a system using just a malicious file.
Donncha O'Cearbhaill writes that the security bug resides in the Apport crash reporting tool on Ubuntu, which can be tricked into opening a malicious crash file that includes Python code executed on launch.
“The vulnerable code was introduce on 2012-08-22 in Apport revision 2464. This code was first included in release 2.6.1. All Ubuntu Desktop versions 12.10 (Quantal) and later include this vulnerable code by default,” the researcher notes.
A proof-of-concept shows that it’s possible to compromise a system using this vulnerability with the help of a malicious file, which allows for arbitrary code execution when clicked. In the demo, the researcher launched Gnome calculator with a simple crash report file, explaining that the code can be saved with the .crash extension or any other extension that is not registered on Ubuntu.
“Apport typically reads a subset of the fields in the crash file in order to prepare the GUI which prompts the user to submit a bug report. The CrashDB field is not parsed and executed until after the user agrees to submit the bug report. However when ProblemType: Bug is set in the crash file, Apport-GTK will switch to the streamlined Bug GUI which causes the CrashDB field to be parsed and executed without any further user interaction,” he explains.

Flaw already patched

The good thing is that the flaw has already been patched in Ubuntu on December 14, and the CrashDB code injection issue is listed as CVE-2016-9949 and the path traversal bug is CVE-2016-9950.
O'Cearbhaill ends his research note with an advice for security researchers to audit free and open-source software because vulnerabilities like this can still exist, allowing attackers to take control of unpatched systems.

He notes that researchers are often approached to sell the vulnerabilities they find, and only in this case, he was offered $10,000 to provide all the details of the crash reporting app bug. O'Cearbhaill emphasizes that companies need to offer bigger incentives to researchers for their work, explaining that Google and Microsoft are going in the right direction with their bug bounty programs.

Donncha O'Cearbhaill Said

I would encourage all security researchers to audit free and open source software if they have time on their hands. Projects such as Tor, Tails, Debian and Ubuntu all need more eyes for audits which can improve the safety of the internet for everyone. There are lots of bugs out there which don’t need hardcore memory corruption exploitation skills. Logic bugs can be much more reliable than any ROP chain.


Follow Link to watch the video Demonstration :



Wednesday 14 December 2016

Facebook Messenger Hijacked(Originnull Vulnerability)

Critical Issue found in Private Chats of Facebook which allowed attackers to read all your Private Conversations.

A Security Researcher has discovered this Vulnerability which is affecting the privacy of around 1.8 billion messenger users.


How Attackers targeting us?

All they are doing is redirecting us to a malicious website. Once we have clicked on the link. All private conversations either from Facebook messenger or a web browser, would be accessible to attacker including photos and video's as well.

Dubbed Origin-null Vulnerability as Facebook hats are linked to another servers {number}-edge-chat.facebook.com which is not on actual Facebook domain.

This Issue was discovered and reported to Facebook by Security Researcher Ysrael Gurt(Facebook has since fix this flaw.)


The Vulnerability discovered is a cross-origin bypass attack which allows the hacker to use an external website to access and read a use's private Facebook messages. Normally the Browser protects Messenger users from such occurrences by only allowing Facebook pages to access this information. However, Facebook opens a "bridge", in order to enable "subsites" of Facebook.com to access Messenger Information. A Vulnerability in the manner in which Facebook manages the identity of these subsites makes it possible for a malicious website to access private Messenger Chats.


"Communication between the JavaScript and the server is done by XML HTTP Request (XHR). In order to access the data that arrives from 5-edge-chat.facebook.com in JavaScript, Facebook must add the "Access-Control-Allow-Origin" header with the caller’s origin, and the "Access-Control-Allow-Credentials" header with "true" value, so that the data is accessible even when the cookies are sent," Gurt explained"

The root of this issue was misconfigured cross-origin header implementation on Facebook's chat server domain, which allowed an attacker to bypass origin checks and access Facebook messages from an external website.

This was a critical issue, not only due to high number of affected users, but also because if any victim sent their messages using another computer or mobile, they were still completely Vulnerable"


 Access-Control-Allow-Origin: null

Gurt has also release a proof-of concept video demonstration of Originnull vulnerability, which shows the cross-origin-bypass-attack in action.


The Researcher disclosed this critical Vulnerability to Facebook through Bug Bounty Program.

Facebook team has acknowledged the issue and patched the Vulnerable Component.

Tuesday 13 December 2016

More Firmware Backdoor Found in 26 Low-Cost Android Devices(Android is no more Safe)

Android is no more Safe.

Here's is some bad news about Android User's.

Security Researcher comes up with new malware(Backdoor) hidden in the firmware of Several low end Android Smartphones and tablets, which displays advertisements on the top of running applications and install unwanted applications on the devices of unsuspected users.

Security Researchers from Russian antivirus vendor Dr.Web explained that this malware appears to be added by  "dishonest outsources who took part in creation of Android system images decided to make money on users"


According to a report, the following 26 Android device models are affected:

  •     MegaFon Login 4 LTE
  •     Irbis TZ85
  •     Irbis TX97
  •     Irbis TZ43
  •     Bravis NB85
  •     Bravis NB105
  •     SUPRA M72KG
  •     SUPRA M729G
  •     SUPRA V2N10
  •     Pixus Touch 7.85 3G
  •     Itell K3300
  •     General Satellite GS700
  •     Digma Plane 9.7 3G
  •     Nomi C07000
  •     Prestigio MultiPad Wize 3021 3G
  •     Prestigio MultiPad PMT5001 3G
  •     Optima 10.1 3G TT1040MG
  •     Marshal ME-711
  •     7 MID
  •     Explay Imperium 8
  •     Perfeo 9032_3G
  •     Ritmix RMD-1121
  •     Oysters T72HM 3G
  •     Irbis tz70
  •     Irbis tz56
  •     Jeka JK103

These all are low cost devices, mostly marketed in Russia, and which run on MediaTek platform.

Malware Pushes to add Unwanted Applications


The Trojans, detected as Android.DownLoader.473.origin and Android.Sprovider.7, are capable of collecting data about the infected devices, contacting their command-and-control servers, automatically updating themselves, covertly downloading and installing other apps based on the instructions it receives from their server, and running each time the device is restarted or turned on.
Currently, this malware is forcibly downloading and installing the H5GameCenter app. This application is a Play Store-like app catalog that allows users to install other apps. The app is considered extremely intrusive because it shows its icon (an open blue box) floating above other apps non-stop, such as in the image below, and without an option to disable this behavior.
If users remove the H5GameCenter app, the firmware malware will reinstall it at a later point.

How to Identify


  • if you will see any unwanted application notification on current Running application and asking again and again to install apps identifies your android device is infected .

How to Prevent

  • Don't install any unwanted applicaions.
  • Don't Change Default settings of your Android  Device.
  • Read ever Terms and Conditions before installing any applicaion


Thursday 8 December 2016

Critical Yahoo Flaw Allowed Hackers to Read User Email's

YAHOO! has recently fixed its severe vulnerability in its email system which were allowing Hackers to read Emails of all users.

It was  a DOM Based persistent XSS ( Cross Side Scripting ) attack which was allowing attacker to read all victim emails and as well as allows attacker to send emails Embedded with malicious Scripts.

Researcher Juko Pynnonen has exposed this Flaw through HackerOne Bounty Programme.



He also explained that this is a flaw similar to last's years Email Bug, which also lets attacker to compromise a user's account.  Yahoo Filters HTML messages and ensures that malicious code won't infect or come through user's browser, but the researcher found the flaw that its not catching all the attributes.

He also demonstrated how victim is redirected to external site and created a virus and attached itself to all outgoing emails by secretly adding a malicious script to message signatures and as soon as the victim's open that malicious email and its hidden script it immediately submit victim's inbox content to an external website controlled by the attacker.

"Pynnonen says he found the vulnerability by force-feeding all Known HTML tags and attributes in order to filter Yahoo uses to weed out Malicious HTML, but certain malicious HTML code manage ed to pass through "


"Juko Pynnonen also awarded $10,000 for privately disclosing it through HackerOne Bounty Programme.

Monday 5 December 2016

People are critical to Email security! The Human Firewall



One of the biggest targets of Spammers/Cyber Criminals are Companies Email Systems which have larger Business. The reason being due to their greater surface area of Risk and opportunity to exploit.

According to Recent Survey, more than half of the Organization invest a big part of their profit in resources, time in building a strong email system, the System wouldn't be worth if Humans, Employees are not on Board --- The Human Firewall.

Your Human Firewall are the first one who should understand the best Security practices and how to handle that. As of now most of the organizations aren't not educating their employees.

Some Steps that Companies Should take to secure their data from Breach. 

It starts with focusing on both technology and people using it.



1. Put absolute security protocols in place and build partnerships with in Business.

Email Security System needs to work from the time the message was sent, to when it received, weather its coming in or going out of your network.

There are several important elements to put this foundation in place, including:

·         Encryption, such as Transport layer Security (TLS): it’s basically lets the Email Servers to communicate in a Secure manner over an encrypted channel, blocking bad actors from accessing the content of emails that they intercept.
·         Email Verification System: Domain-based Message Authentication, Reporting Conformance (DMARC) is an effective system that lets servers validate that lets servers validate that incoming mail actually comes from the organization that is listed as the sender. its build on both a Sender Policy Framework(SPF) and Domain Keys Identified Mail(DKIM), ties them together to verify email addresses and automatically discards any messages that fail the test.
·         DMARC/SPF records. In addition to testing inbound mail, you should publish DMARC/SPF records for your organization's domains, and sign outgoing messages with DKIM, to prevent the sending of fake emails that appear to come from your company.
·         The right role for security team. Administrative controls should allow the security team to have transparency and operational security oversight of the email platform. This includes using separate administrative accounts as well as monitoring access to these accounts, since they are often prime targets for hackers.

 2.  Educate and engage employees on how to use security tools properly and make them aware of their individual responsibilities and company policies with ongoing training and communications.

Implementing security best practices for all employees — i.e., policies for "bring your own device" and mandated password changes — plays an important role in employees making the right decisions around email security. However, these protocols should also resonate with employees. Creative communication techniques — such as webcasts and quizzes — can help employees realize the importance of security practices by linking important aspects of security from their private lives to their work lives.
Engaging employees will also help security teams overcome the challenge of employees viewing security as an obstacle that prevents them from doing their work. Instead, when security becomes personal, employees are encouraged to be active partners in helping to protect the organization.

3. Continually monitor and measure effectiveness of your security program and human firewall to manage your risk.

Monitoring and measuring the effectiveness of email security programs and the human firewall must be an ongoing effort. Employee security awareness must evolve with the constantly changing technology industry. This starts with keeping metrics that track the security awareness of employees over time. Metrics to use should include the number of reported incidents, visits to unapproved sites, email violations, phishing report rates, and insider threats, percentage of infections while employees are remote, and the average time it takes employees to report a lost device.
You can also monitor for employee compliance by testing your employees with simulations, such as periodic phishing awareness. Organizations should use this tactic to get a sense of whether communications, training, and policies are connecting with employees and are effective in securing the email system.  
Emails are accessed by every employee and contain confidential information about your company and customers, making them both difficult and crucial to secure. Because of the human element, a mix of comprehensive security protocols, educating and engaging employees, and continuous monitoring is needed to prevent emails from becoming a gateway for hackers.



Tuesday 4 October 2016

IoT(Internet Of things) Booming Technology is No more Safe

Source Code IoT Botnet Mirai is responsible for World's Largest DDoS Attack.

Mirai: Mirai is a piece of malware designed to target IoT devices in order to perform DDoS attacks This Botnet is used in the 620 Gbps DDoS attack on Brian Kreb’s blog and the 1.1 Tbps attack on OVH a few days before. It is responsible for the largest DDoS attack.

IoT: IoT is Internet of Things, a booming technology which used to describe the new generation of “smart” internet connected devices (fridges, toasters, CCTV)
It’s just text a message on your mobile if your fridge, CCTV any device connected to the IoT device used in questionable way.
Mirai propagates by bruteforcing telnet servers with a list of 62 horribly insecure default passwords, starting with the famous username passwd combination admin:admin. Although Mirai could technically infect any box upon successful login, it uses a busybox specific command which causes the infection to fail if busybox is not present. Once inside a box, the malware will attempt to kill and block anything running on ports 22, 23, and 80, essentially locking out the user from their own device and preventing infection by other malware. Despite Mirai killing most control panels, it is possibly to use Shodan to see which services of  the box was exposing prior to infection, giving us an idea of the type of boxes which are infected.

The source code that powers the “Internet of Things” (IoT) botnet responsible for launching the DDoS Attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from several new botnets powered by insecure routers, IP cameras, digital video recorders and other easily targeted devices.
The leak of the source code was announced Friday on the English-language hacking community Hack Forums. The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by  default username passwords or hard-coded usernames and passwords.
Brian Krebs, the popular cybersecurity researcher, reported the Unfortunate development and stated that it is the same botnet responsible for attack on his website (OVH’s). The botnet is based on the trojan malware ‘Mirai’, and utilizes vulnerable or compromised Internet of Things (IoT) devices. It continuously scans for smart home systems protected by default username and passwords or hard-coded login credentials and sends them to report to a centralized ‘control’ server.
The botnet is, thus, powered by a sum of insecure routers, IP cameras, digital video recorders and other easily targeted devices and has led to fears that it can now practically be used by anyone to flood the internet with a DDoS attack. Sources have reported to Krebs that Mirai is one of the two malware families (the other being Bashlight) being employed to quickly create IoT-based DDoS armies. Botnets based on Bashlight are currently exploiting data from about a million IoT devices to flood the attack site with gigs of traffic.
Hacker, In his post in Hack forums he says that:

When I first go in DDoS industry, I wasn’t planning on staying in it long. I made my money, there’s lots of eyes looking at IOT now, so it’s time to GTFO. So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.

With the release of such a powerful malware, the hackers can now access the publically available code and add it to their arsenal. And since the code is available to all, it will become extremely difficult for the govt. authorities to put a halt to the chaos that’s upon them. It will become a little difficult for them to pin-point and track the ‘master’ operator of the malware. Link for source Code:

It is like two faces of the same coin that is morphing with each passing day. He’s also stated that infected systems can be cleaned up by simply rebooting them as it removes the malicious data from the memory. But to protect your IoT device from repeated scanning and intrusion, you’ll need to change your default login credentials.
If you’re unaware, KrebsonSecurity website was recently hit with one of the largest DDoS attacks and kncked offline. With traffic amounting to a total of 620 Gbps, the attackers flooded his website in retaliation of him uncovering the masterminds behind some of the largest DDoS attacks in the last decade. His DDoS protection provider Akamai — who provides pro-bono services — to the website pulled support amid the attack and Krebs had to seek support from the Google Shield Project to bring back their website from the dead.
And after this, OVH, a french hosting company was attacked with the world’s largest-known DDoS attack. It was a record-breaking attack, where two simultaneous attacks hit the server and one of the two attacks alone peaked to 799 Gbps of traffic. The hackers had targeted Minecraft servers hosted on the OVH network, and the attack was carried out using a botnet made up of arround 145,000 IoT devices.