
Sunday, December 4, 2016

Uber knows where you go, even after ride is over


Uber's iOS popup asking for new surveillance permissions.

As promised, Uber is now tracking you even when your ride is over. The ride-hailing service said the surveillance—even when riders close the app—will improve its service.

The company now tracks customers from when they request a ride until five minutes after the ride has ended. According to Uber, the move will help drivers locate riders without having to call them, and it will also allow Uber to analyze whether people are being dropped off and picked up properly—like on the correct side of the street.

"We do this to improve pickups, drop-offs, customer service, and to enhance safety," Uber said. In a statement, the company said:

We're always thinking about ways we can improve the rider experience from sharpening our ETA estimates to identifying the best pick up location on any given street. Location is at the heart of the Uber experience, and we're asking riders to provide us with more information to achieve these goals.

Uber announced last year that it would change the app to allow location tracking in the background, prompting a complaint to the Federal Trade Commission. The Electronic Privacy Information Center said at the time that "this collection of user's information far exceeds what customers expect from the transportation service. Users would not expect the company to collect location information when customers are not actively using the app." The complaint went nowhere.

However, users must consent to the new surveillance. A popup—like the one shown at the top of this story—asks users to approve the tracking. Uber says on its site that riders "can disable location services through your device settings" and manually enter a pickup address.

Uber and the New York Attorney General's office in January entered into an agreement to help protect users' location data. The deal requires Uber to encrypt location data and to protect it with multi-factor authentication.

Monday, April 4, 2016

Microsoft Pays $13,000 to Hacker for Finding Authentication Flaw



A security researcher has won a $13,000 bounty from Microsoft for finding a critical flaw in its main authentication system that could have allowed hackers to gain access to a user's Outlook, Azure and Office accounts.

The vulnerability was uncovered by UK-based security consultant Jack Whitton and is similar to the OAuth CSRF (Cross-Site Request Forgery) flaw in Live.com discovered by Synack security researcher Wesley Wineberg.

The one difference between the two vulnerabilities is that the flaw discovered by Wineberg affected Microsoft's OAuth protection mechanism, while the one discovered by Whitton affected Microsoft's main authentication system.

Microsoft handles authentication across its online services including Outlook, Azure and Office through requests made to login.live.com, login.windows.net, and login.microsoftonline.com.

For example, when a user browses to outlook.office.com, they are redirected to a login.microsoftonline.com URL that contains a 'wreply' parameter specifying which domain the user wants to access.

How Does the Vulnerability Work?


If the user is already logged in, a POST request is made back to the domain specified in wreply, carrying a login token for the user. The service the user wants to authenticate to consumes that token and logs the user in.

Whitton discovered that the authentication URL is vulnerable to cross-site request forgery (CSRF) attacks, allowing a malicious actor to create a specially crafted URL, which, when accessed by an authenticated user, would send the login token to a server controlled by the attacker.

The legitimate URL looks like this:

https://login.microsoftonline.com/login.srf?wa=wsignin1.0&rpsnv=4&wreply=https%3a%2f%2foutlook.office.com%2fowa%2f&id=260563

And the attacker could set the redirect to this:

https%3a%2f%2foutlook.office.com%252f@poc-ssl.fin1te.net%2fmicrosoft%2f%3f

The expert found that this would cause the login token to be sent to the attacker’s website, which in this case is poc-ssl.fin1te.net. Using the token, the attacker could have gained complete access to the targeted user’s account.

"The token is only valid for the service that issued it – an Outlook token can not be used for Azure, for example," Whitton noted in his blog post. "But it would be simple enough to create multiple hidden iframes, each with the login URL set to a different service, and harvest tokens that way."

The good news is that Microsoft patched the vulnerability within two days of Whitton reporting it to the company on January 24. The company also paid the researcher $13,000 as part of its bug bounty program.
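To show why a prefix check on the decoded wreply value is not enough, here is an added example (not Microsoft's code) that validates a return URL with a real URL parser and an assumed allow-list of trusted hosts; the two wreply values are the ones quoted above, and the naive check is a constructed stand-in for the kind of comparison the crafted value slips past.

```python
"""Validate a 'wreply'-style return URL against an allow-list of hosts.

After one round of URL-decoding, the crafted value becomes
'https://outlook.office.com%2f@poc-ssl.fin1te.net/microsoft/?': it still
*starts with* the trusted origin, but a URL parser treats
'outlook.office.com%2f' as userinfo and 'poc-ssl.fin1te.net' as the host.
"""
from urllib.parse import unquote, urlsplit

TRUSTED_HOSTS = {"outlook.office.com"}  # assumed allow-list of relying parties

# The legitimate and the attacker-supplied wreply values from the post,
# exactly as they appear in the query string (percent-encoded).
LEGIT = "https%3a%2f%2foutlook.office.com%2fowa%2f"
CRAFTED = "https%3a%2f%2foutlook.office.com%252f@poc-ssl.fin1te.net%2fmicrosoft%2f%3f"


def naive_check(encoded_wreply: str) -> bool:
    """A check that lets the crafted value through: decode once, then
    test the string prefix instead of the parsed host."""
    url = unquote(encoded_wreply)
    return url.startswith("https://outlook.office.com")


def effective_host(encoded_wreply: str) -> str:
    """Return the host a browser would actually POST the token to."""
    parts = urlsplit(unquote(encoded_wreply))
    return (parts.hostname or "").lower()


def safe_check(encoded_wreply: str) -> bool:
    """Parse the URL, then compare the whole host against the allow-list.
    Userinfo ('user@host') is rejected outright: no legitimate relying
    party needs it in a return URL, and it is what the bypass relies on."""
    parts = urlsplit(unquote(encoded_wreply))
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return (parts.hostname or "").lower() in TRUSTED_HOSTS
```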

Sunday, January 10, 2016

Kingston’s ‘Unhackable’ DataTraveler USB Drive Self-destructs With Incorrect PIN Entry

At CES 2016, Kingston announced a new USB drive aimed at privacy-conscious users. The DataTraveler 2000 encrypted USB flash drive is designed to give IT professionals a secure way to carry sensitive documents.


The USB drive looks impressive from the outside. Pull off the outer aluminum cover and a built-in keypad is revealed. When the drive is inserted into a computer, you have to unlock it by entering the correct PIN. After 10 failed attempts the drive self-destructs — just like the pen drive from Hollywood flicks like Mission Impossible, right?

This USB 3.1 compatible thumb drive offers speeds of up to 135MBps read and 40MBps write. On the security front, the DataTraveler 2000 comes with hardware-based full-disk AES 256-bit encryption in XTS mode. The drive also protects your data against brute-force attacks.


Kingston DataTraveler 2000 USB — PIN protection, AES 256-bit data encryption, resists brute-force attacks


For additional protection, Kingston’s drive can be set to auto-lock by deleting its key and password files after 10 invalid login attempts.

“We are excited to add DataTraveler 2000 to our existing lineup of fast and encrypted USB Flash drives for organizations and SMBs,” said Ken Campbell, Flash business manager, Kingston. “It is the perfect option to deploy in the workforce where a uniform encrypted data storage solution that works on many different OS’ are in use.”

This OS-independent USB drive works with all popular operating systems, including Android and ChromeOS. The DataTraveler 2000 is available in 16GB, 32GB and 64GB capacities.

The DataTraveler 2000 is expected to hit the market at the end of Q1 2016.

Wednesday, January 6, 2016

Facebook bug welcomes new year by telling users they have been friends for 46 years


As the world was celebrating New Year, Facebook seemed to be having its own celebrations. A bug in Facebook was telling users that they’ve been friends for 46 years.

Facebook obviously cannot know who was friends with whom 46 years ago, in 1969, because the company did not exist then. In fact, millions of Facebook users were not even born, and computers were still used mainly for military purposes.

The date Dec. 31, 1969 carries special significance for computer software, according to the Daily Dot: it is the date a zero timestamp in the Unix time representation lands on when displayed in a US time zone, since the Unix epoch begins at midnight UTC on January 1, 1970. Although not confirmed by Facebook, many are suggesting the bug originates with the Unix epoch.
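An added example, not Facebook's code, of how an anniversary feature produces "46 years" from a missing timestamp and how the fixed version handles it; it assumes a friendship record whose start time was never stored ended up as timestamp 0, and uses a fixed UTC-8 offset as a stand-in for a US Pacific-time server clock.

```python
"""Reproduce the '46 years' bug and its fix: a missing start time stored as
timestamp 0 is rendered as December 31, 1969 (in a US time zone) and then
used in a years-since calculation as if it were a real date."""
from datetime import datetime, timedelta, timezone
from typing import Optional

PACIFIC = timezone(timedelta(hours=-8))            # assumed server time zone
NEW_YEAR_2016 = datetime(2016, 1, 1, tzinfo=PACIFIC)


def years_between(start: datetime, now: datetime) -> int:
    """Whole calendar years from start to now (not just days // 365)."""
    years = now.year - start.year
    if (now.month, now.day) < (start.month, start.day):
        years -= 1
    return years


def buggy_friend_years(since_ts: int, now: datetime = NEW_YEAR_2016) -> int:
    """Trusts the stored timestamp blindly: 0 becomes 1969-12-31 16:00 -08:00,
    so on New Year's Day 2016 the result is 46 years."""
    since = datetime.fromtimestamp(since_ts, tz=now.tzinfo)
    return years_between(since, now)


def fixed_friend_years(since_ts: Optional[int],
                       now: datetime = NEW_YEAR_2016) -> Optional[int]:
    """Treat a missing, zero or negative timestamp as 'unknown' (None)
    instead of a date; only real timestamps reach the calculation."""
    if since_ts is None or since_ts <= 0:
        return None
    since = datetime.fromtimestamp(since_ts, tz=now.tzinfo)
    return years_between(since, now)
```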

Facebook said in a statement that the company is working to address the issue. “We’ve identified this bug and the team’s fixing it now so everyone can ring in 2016 feeling young again,” said Facebook spokesperson Chelsea Kohler in an email.

Users were quick to pounce on Facebook for the glitch on Twitter.

Monday, January 4, 2016

The Sony PlayStation Network is down worldwide

Sony’s PlayStation Network on the PlayStation Vita, PlayStation 3 and PlayStation 4 is down, and the irritating fact for gamers is that the company has not given any time frame for when the service will be back online.

The PlayStation Network is down worldwide. I had just got back home and was trying to play with my son when I had the ugly surprise. It is the first massive outage of the year; I searched for information on the Internet and found that all users are suffering the same problem.

Like many other users, I’m receiving an error message saying that the PSN is currently “undergoing maintenance”.

The PlayStation Network online service gives users access to the online features of many games and to the official store.

Sony confirmed that the network was “experiencing issues” and its status page showed that the problems were affecting all of its major services; the company hasn’t provided further details on the problem.



The PlayStation Network also suffered technical issues over the Christmas period, when some users reported difficulties authenticating to the online services.

Last year at Christmas, hackers belonging to the Lizard Squad group took down the online networks of both Microsoft’s Xbox Live and the PlayStation Network (PSN), highlighting security issues affecting the services of Sony and Microsoft.

This year another group, known as Phantom Squad, announced its intention to ruin Christmas for gamers. Phantom Squad also said that both platforms are vulnerable to attacks, and added that they were able to take down Xbox Live over the weekend.

At the time of writing, Sony’s “Network Service Status” page confirmed the problems suffered by users accessing the Sony platform.



The Sony PlayStation Network is down, including the PlayStation 3 and 4 and web services. A screenshot from status.playstation.com showed the service as down.

It is unclear what caused the worldwide outage, and no hacking group has claimed responsibility for targeting the PlayStation Network with its usual DDoS attacks. One Twitter user did share an interesting DDoS map showing cyber attacks on the US from China, but that does not mean there was an attack on the PlayStation Network by Chinese hackers.

Tuesday, December 29, 2015

Now Android Malware Uses Firewall Rules To Evade Detection From Antivirus Security Applications

Researchers at Symantec have discovered a new piece of Android malware that drops and runs a firewall binary called DroidWall on compromised devices to prevent security applications from connecting to their services.

Dubbed Android.Spywaller by Symantec, the malware initially behaves like other mobile threats: it hides its icon in an attempt to cover its tracks, and it releases an encrypted payload containing the malware service logic and loads it into memory. As soon as the threat has been installed on a compromised device, it displays a “Google Service” icon on the device, although the Internet giant doesn’t offer such a product.

At the same time, the spyware collects data belonging to specific third-party communication applications, including:
  • WhatsApp
  • WeChat
  • Skype
  • BlackBerry Messenger
  • Oovoo
  • Coco
  • QQ
  • SinaWeibo
  • Talkbox
  • TencentWeibo
  • Voxer
  • Zello

According to Symantec, the list of data gathered by this malware ranks it among the most comprehensive spyware to date.

The malware then attempts to root the device and starts collecting sensitive information while running in the background. All of the information the malware collects from the device is then exfiltrated to a backend server, Symantec explained in a recent blog post.

The malware collects information including:

  • Call logs (PII)
  • SMS
  • GPS readings
  • Browser history
  • Browser saved passwords
  • Emails
  • Radio
  • Images
  • Contacts

While this behavior has been seen before in mobile threats, Symantec’s researchers note that the new malware stands out because of another routine discovered in its payload, which checks whether the Qihoo 360 mobile security app is installed on the device and then blocks it.

The Qihoo 360 application is popular in China and has a unique identifier (UID) on each device, and the malware collects that identifier if the program is installed. Next, Android.Spywaller drops and runs the DroidWall firewall binary, a customized version of iptables for Android. This allows it to create firewall rules that block the targeted security application by referencing its UID.

Developed by Rodrigo Rosauro as an open-source app to help users protect their devices, DroidWall was sold to AVAST in 2011, but its source code is still available on Google Code and GitHub. Although it was designed as a security tool, DroidWall can be used by cybercriminals to undermine user security.
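From the defender's side, the technique leaves a tell in the device's firewall rule set: on Android every app runs under its own Linux UID, and iptables matches on it with the owner module ('-m owner --uid-owner'). The added example below (not Symantec's or DroidWall's code) scans a constructed iptables-save style dump for DROP/REJECT rules keyed to a UID and maps them back to installed packages; the chain name, package names and UIDs are assumed sample values.

```python
"""Flag iptables rules that drop or reject traffic for a specific app UID,
the signal left behind when a security app is silenced by firewall rule."""
import re
from typing import Dict, List

# Constructed iptables-save style output: an allow-list style chain plus
# one rule that singles out a particular UID (10087 is an assumed value).
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:droidwall - [0:0]
-A OUTPUT -j droidwall
-A droidwall -o lo -j RETURN
-A droidwall -m owner --uid-owner 10087 -j REJECT --reject-with icmp-port-unreachable
-A droidwall -m owner --uid-owner 10042 -j RETURN
-A droidwall -j RETURN
COMMIT
"""

# Package name -> UID, as obtained from the package manager (assumed values).
INSTALLED_APPS: Dict[str, int] = {
    "com.example.security": 10087,    # stand-in for the targeted security app
    "com.example.messenger": 10042,
}

_UID_RULE = re.compile(
    r"^-A\s+(?P<chain>\S+).*?--uid-owner\s+(?P<uid>\d+).*?-j\s+(?P<target>\S+)"
)
BLOCKING_TARGETS = {"DROP", "REJECT"}


def find_uid_blocks(rules_text: str) -> List[Dict[str, object]]:
    """Return every rule whose target is DROP/REJECT and that matches a UID."""
    hits: List[Dict[str, object]] = []
    for raw in rules_text.splitlines():
        line = raw.strip()
        m = _UID_RULE.match(line)
        if m and m.group("target") in BLOCKING_TARGETS:
            hits.append({"chain": m.group("chain"),
                         "uid": int(m.group("uid")),
                         "target": m.group("target"),
                         "rule": line})
    return hits


def blocked_apps(rules_text: str, apps: Dict[str, int]) -> List[str]:
    """Map blocked UIDs back to package names; a security app in this list
    is a strong indicator of the evasion technique described above."""
    uid_to_pkg = {uid: pkg for pkg, uid in apps.items()}
    return sorted(uid_to_pkg[h["uid"]]
                  for h in find_uid_blocks(rules_text) if h["uid"] in uid_to_pkg)
```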

For the time being, the malware is targeted at users in China, where a higher proportion of devices are rooted and more exposed to malware since official Google services are not available in the country.

Infection numbers are currently relatively low, but the threat is worth noting because its authors are using legitimate tools for malicious purposes. To stay protected, users should install a security solution that can block mobile threats, keep their software updated at all times, and make sure they install apps only from trusted sources.

Friday, December 11, 2015

MIT invents untraceable SMS text messaging system that is even more secure than Tor


Computer scientists at the Massachusetts Institute of Technology (MIT) have developed a new SMS text messaging system that is untraceable and apparently even more secure than the Tor anonymity network, with the goal of truly anonymous communications.

In July, researchers from MIT and the Qatar Computing Research Institute (QCRI) demonstrated an attack on the Tor anonymity network that made it possible to identify hidden servers with up to 88% accuracy.

The researchers did this by looking for patterns in the number of packets passing in each direction through Tor nodes. They found that they could tell with 99% accuracy whether a circuit was for a regular web browsing request, an introduction point (which gives a user access to a hidden website) or a rendezvous point, which is used when another user wants to connect to the same hidden website at the same time as the first user.

Confusing would-be attackers with fake messages

Learning from this discovery, several researchers from MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL) have developed a new system that lets two parties exchange text messages at a rate of roughly one per minute.

Their open-access paper, titled Vuvuzela: Scalable Private Messaging Resistant to Traffic Analysis, was presented at the Association for Computing Machinery Symposium on Operating Systems Principles in October. Unlike Tor, the Vuvuzela system provides a strong mathematical guarantee of user anonymity: it issues large amounts of spurious traffic to drown out any visible traffic patterns that could identify the parties.


To make the system work, one user leaves a message for another user at a predefined location, such as a memory address on an internet-connected dead-drop server, while the other user retrieves the message. So for example, if there were three people using the system but only two of them were sending text messages to each other, it would look obvious that the two people were talking to each other, as the only traffic on the server would come from exchanges between the two people.
To hide this, the system makes all the users send out regular messages to the dead-drop server, whether they contain any information or not, so then the traffic pattern makes it look like there is traffic going through the server from multiple locations at all times.

Using three servers to disguise the messages even more

But just sending out regular spoof messages is not enough to confuse the bad guys. If an attacker managed to infiltrate the dead-drop server, the criminal would instantly be able to see which users were actually communicating and where the messages were being sent by looking to see which users were accessing which memory addresses.
So to make it even harder for attackers to infiltrate Vuvuzela, the system uses not one but three different servers. All the messages, both real and fake, are sent through the system wrapped in three layers of encryption.
The first server peels off the first layer of encryption from each message and passes the message on to the second server, but it also deliberately shuffles the messages so they arrive at the second server in a different order. The second server does the same, so only the third server can see which are the real messages that need to go to the memory address where a user will pick them up.

MIT says that as long as at least one of the three servers is not compromised, the system still protects the messages.
"Tor operates under the assumption that there's not a global adversary that's paying attention to every single link in the world," said Nickolai Zeldovich, an associate professor of computer science and engineering, and co-leader of the Parallel and Distributed Operating Systems group at CSAIL.
"Maybe these days this is not as good of an assumption. Tor also assumes that no single bad guy controls a large number of nodes in their system. We're also now thinking, maybe there are people who can compromise half of your servers."
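A toy model of one Vuvuzela round as described above: every user submits a fixed-size cell (real or cover) wrapped in three layers, each of three servers strips one layer and shuffles its batch, and the last server pairs up cells at the same dead-drop address. This is an added example, not the Vuvuzela code: the layer "encryption" is a keyed SHA-256 keystream XOR standing in for the real public-key onion layers, server keys and dead-drop addresses are generated on the fly, and cover traffic comes from idle users sending cells to random dead drops.

```python
"""Onion-wrapped cells, three shuffling mix servers, and a dead-drop
exchange: the moving parts of a Vuvuzela round in miniature."""
import hashlib
import os
import random
from typing import Dict, List, Tuple

SERVER_KEYS = [os.urandom(16) for _ in range(3)]  # one key per mix server
DROP_BITS = 32                                   # size of the dead-drop address space
CELL_PAYLOAD = 32                                # every cell is the same size


def _xor_layer(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHA-256 keystream (symmetric, so the
    same call both adds and peels a layer)."""
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap(drop: int, payload: bytes) -> bytes:
    """Client side: cell = 4-byte dead-drop address + padded payload, then
    one layer per server (outermost layer belongs to the first server)."""
    cell = drop.to_bytes(4, "big") + payload[:CELL_PAYLOAD].ljust(CELL_PAYLOAD, b"\0")
    for key in reversed(SERVER_KEYS):
        cell = _xor_layer(key, cell)
    return cell


def mix(server_index: int, cells: List[bytes]) -> List[bytes]:
    """One server: strip its own layer from every cell and shuffle the batch,
    so the next hop cannot link input order to output order."""
    peeled = [_xor_layer(SERVER_KEYS[server_index], c) for c in cells]
    random.shuffle(peeled)
    return peeled


def dead_drop_exchange(cells: List[bytes]) -> Dict[int, List[bytes]]:
    """Last hop: group fully peeled cells by dead drop. Exactly two cells at
    one address swap payloads; a lone cell (cover traffic or an idle user)
    is simply echoed back, so both cases look the same on the wire."""
    by_drop: Dict[int, List[bytes]] = {}
    for c in cells:
        by_drop.setdefault(int.from_bytes(c[:4], "big"), []).append(c[4:])
    return {drop: (p[::-1] if len(p) == 2 else p) for drop, p in by_drop.items()}


def run_round(real_pairs: List[Tuple[int, bytes, bytes]], noise: int) -> Dict[int, List[bytes]]:
    """One round: each real conversation contributes two cells at a shared
    dead drop, `noise` idle users contribute cover cells at random drops."""
    cells = []
    for drop, msg_a, msg_b in real_pairs:
        cells += [wrap(drop, msg_a), wrap(drop, msg_b)]
    for _ in range(noise):
        cells.append(wrap(random.getrandbits(DROP_BITS), b"\0"))
    for server in range(3):
        cells = mix(server, cells)
    return dead_drop_exchange(cells)
```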

Thursday, November 19, 2015

Mark Zuckerberg Quits His Job At Facebook, All Due To A Facebook Bug

Mark Zuckerberg quits his job at Facebook. Finding it hard to believe? Check his Facebook post yourself: Mark Zuckerberg Quits His Job.
Okay, now that you’ve seen his post – and you are surprised and shocked, searching for some more proof on Google – let me tell you that it’s all due to a bug in Facebook. Yes, you’ve been misled.
Well, this couldn’t be called a real bug as there is no technicality involved. However, independent hacker Sachin Thakuri has described the flaw, and it is enough to fool people into believing fake news.
So, how did he fake this Facebook post?
Here’s the original URL of Mark Zuckerberg’s original life event.
https://www.facebook.com/zuck/timeline/story?ut=32&wstart=-2051193600&wend=2147483647&hash=971179541251&pagefilter=3&ustart=1&__mref=message_bubble
Look at the URL carefully and remove the ustart=1 parameter, which relates to the work status shown in the post.
Take a look at the changed and misleading Facebook post without the ustart=1 parameter:
https://www.facebook.com/zuck/timeline/story?ut=32&wstart=-2051193600&wend=2147483647&hash=971179541251&pagefilter=3&&__mref=message_bubble
As I mentioned above, this isn’t a technical flaw, but it must be fixed as it could easily be used for nefarious purposes. “…although on a client side the post is coming from a valid user and there is no way to figure out that the post has been manipulated and has not been posted by a user,” Sachin writes.
He has reported the bug to the Facebook security team, but Facebook hasn’t fixed this yet.


Sunday, October 11, 2015

Just say no to Facebook's Free Internet Service "Internet.org", says inventor of "World Wide Web"

‘Just Say No’ To Internet.org, says Tim Berners-Lee, founder of World Wide Web

Attacking Facebook’s initiative known as Free Basics (formerly Internet.org), the English scientist Tim Berners-Lee, widely known as the inventor of the World Wide Web, said that consumers should say no to such initiatives. The initiative by Facebook aims to offer a limited set of websites and apps free of charge to users in developing countries. Berners-Lee added that if something is being offered in the name of the Internet that is not the full Internet, then it’s not really free and public.
In an interview with The Guardian, Berners-Lee said people in prominent markets should “just say no” to the project. Speaking about the importance of privacy and the dangers of government snooping, he added that the initiative was not the internet and that there were other ways of reducing the price of access.
“When it comes to compromising on net neutrality, I tend to say ‘just say no’,” he said.
According to The Guardian, Berners-Lee and the Web We Want festival came together to produce a Magna Carta for the 21st century on the 800th anniversary of the signing of Magna Carta. The Web We Want campaign is promoting five key principles for the future of the Web: freedom of expression online and offline, protection of user data and privacy, affordable access to the net, net neutrality, and a decentralised and open infrastructure.
“In the particular case of somebody who’s offering … something which is branded internet, it’s not internet, then you just say no. No it isn’t free, no it isn’t in the public domain, there are other ways of reducing the price of internet connectivity and giving something … (only) giving people data connectivity to part of the network deliberately, I think is a step backwards.”

Saturday, October 3, 2015

Stored XSS vulnerability in "WordPress plugin" could allow attacker to completely take over site

Researchers with Sucuri have found an XSS vulnerability in the popular WordPress plugin Jetpack.

The cross-site scripting vulnerability in the plugin allows an attacker to completely take over the site. The vulnerability affects Jetpack version 3.7 or lower. The issue was fixed earlier this week with the release of Jetpack 3.7.1 and 3.7.2.

The Jetpack plugin provides various features such as website customization, a traffic overview, mobile vs. desktop traffic, and content and performance tools. More worrying, millions of site owners are still running older versions of the plugin.
According to a Sucuri post, published on Thursday, "an attacker can exploit this vulnerability by entering a specially crafted malicious email address into website's contact form pages".
“As the email is not sanitized properly before being output on the ‘Feedback' administrative section, the bug allows an attacker to execute JavaScript code on the administrator's end and gives the attacker full access to the site.”

On Friday, Marc-Alexandre Montpas, a vulnerability researcher with Sucuri, said that Sucuri has not observed any instances of the stored XSS bug being exploited in the wild. However, he added that attackers may attempt to develop exploits now that the release is out.

According to Montpas, the bug is very easy to exploit.

“As it's a stored XSS bug, the attacker has to wait for an administrator to visit the plugin's Feedback section to silently trigger [the] attack payload,” Montpas said. “If this happens, nothing stops the malicious script from taking control of the site, which is extremely dangerous.”
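The bug class in miniature, as an added example that is not Jetpack's code: a contact-form submission whose email field carries markup is stored and later echoed into the admin Feedback listing. The vulnerable renderer interpolates it as-is; the hardened version applies both defences a practitioner would want, a plausibility check on input and HTML escaping on output (the role esc_html() plays in WordPress). The submission and row markup are constructed.

```python
"""Stored XSS via an unescaped contact-form field, beside the hardened form."""
import html
import re

# Constructed submission: the 'email' field carries markup, not an address.
SUBMISSION = {"name": "A. Visitor",
              "email": "<script>alert(1)</script>@example.com"}

# Deliberately simple plausibility pattern: rejects anything containing
# characters that have no place in an address, such as < > " ' and spaces.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def render_feedback_row_vulnerable(entry: dict) -> str:
    """Stored XSS: attacker-controlled fields land in the admin page verbatim."""
    return f"<tr><td>{entry['name']}</td><td>{entry['email']}</td></tr>"


def is_plausible_email(value: str) -> bool:
    """Input-side check, applied when the form is submitted."""
    return EMAIL_RE.match(value) is not None


def render_feedback_row_safe(entry: dict) -> str:
    """Output-side escaping, applied every time the value is put into HTML,
    regardless of what validation happened on the way in."""
    name = html.escape(entry["name"], quote=True)
    email = html.escape(entry["email"], quote=True)
    return f"<tr><td>{name}</td><td>{email}</td></tr>"


def accept_submission(entry: dict) -> bool:
    """Form handler: refuse to store a submission whose email is not plausible."""
    return is_plausible_email(entry["email"])
```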