If you want your Linux server to be really secure, you defend it with SELinux. Many sysadmins do not bother because SELinux can be difficult to set up. But if you really want to nail down your server, you use SELinux. This makes the newly discovered Linux security hole -- in the sudo command, and one that only hits SELinux-protected systems -- all the more annoying. Sudo enables users to run commands as root or another user, while simultaneously providing an audit trail of those commands. It is essential for day-in, day-out Linux work.
Qualys, a well-regarded security company, discovered that this essential command -- but only on systems with SELinux enabled -- can be abused to give the user full root-user capabilities. Or, as they would say on The Outer Limits, "We will control the horizontal, we will control the vertical." This is not what you want to see on your Linux server.
In a note to the OpenWall open-source security list, Qualys explained: "On an SELinux-enabled system, if a user is Sudoer for a command that does not grant him full root privileges, he can overwrite any file on the filesystem (including root-owned files) with his command's output, because relabel_tty() (in src/selinux.c) calls open(O_RDWR|O_NONBLOCK) on his tty and dup2()s it to the command's stdin, stdout, and stderr. This allows any Sudoer user to obtain full root privileges."
Specifically, this works by enabling a trusted user to overwrite an arbitrary file by writing to standard output or standard error. This can be escalated to full root access by rewriting a trusted file such as /etc/shadow or even /etc/sudoers. For attacks over this vector, CVE-2017-1000367, to work, a user must have server access and the ability to run sudo. Still, if you have gone to the trouble to protect a server with SELinux, you do not want there to be any chance that someone could run rampant over it. The security hole exists in sudo 1.7.10 through 1.7.10p9 inclusive and sudo 1.8.5 through 1.8.20p1 inclusive.
Sudo 1.7.10 was released in September 2012. Thus, all Linux distributions released in the last five years are vulnerable to this attack. There was also a patch release, sudo 1.8.20p1, in which the fix was incomplete because it did not address malicious commands that contained a newline. That is the bad news. The good news is that patches are available for almost all significant server Linux distributions, including Debian, Red Hat, SUSE, and Ubuntu. If you have not patched your server yet, do so. Once Qualys believes sufficient time has passed for responsible sysadmins to have patched their systems, it will publish its sudo-to-root exploit, and a day or two later hackers will release easy-to-run attack scripts.
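As an added example (it is not part of the article and not Qualys's or the sudo project's code): a small Python triage script that reads the version printed by "sudo -V", compares it against the two affected ranges quoted above, and notes whether SELinux is enabled on the host, since the bug only matters there. The helper names are mine, and the SELinux check assumes selinuxfs is mounted at /sys/fs/selinux, as on current distributions. It tells you whether a host needs the patch; it does not test exploitability.

```python
import os
import re
import subprocess

# Affected versions as stated in the article (both ends inclusive).
# A sudo patch level such as "p1" sorts after the bare release, so
# 1.8.20 < 1.8.20p1 < 1.8.20p2.
VULNERABLE_RANGES = [
    ("1.7.10", "1.7.10p9"),
    ("1.8.5", "1.8.20p1"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")


def parse_sudo_version(text):
    """Turn a sudo version string like '1.8.20p1' into (1, 8, 20, 1).

    A missing patch level counts as p0 so tuples compare correctly.
    Beta builds and anything else unrecognised raise ValueError rather
    than being silently classified as safe.
    """
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError("unrecognised sudo version: %r" % text)
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_vulnerable_version(text):
    """True if the version falls inside one of the affected ranges."""
    v = parse_sudo_version(text)
    return any(parse_sudo_version(lo) <= v <= parse_sudo_version(hi)
               for lo, hi in VULNERABLE_RANGES)


def version_from_sudo_output(output):
    """Pull the version out of 'sudo -V' output, whose first line reads
    'Sudo version 1.8.20p1'. Returns None when no such line exists."""
    for line in output.splitlines():
        m = re.match(r"^Sudo version (\S+)", line)
        if m:
            return m.group(1)
    return None


def selinux_enabled(selinuxfs="/sys/fs/selinux"):
    """True when selinuxfs is mounted, i.e. SELinux is enabled.

    Assumption: the modern mount point /sys/fs/selinux. The hole only
    applies with SELinux enabled, but an unpatched sudo elsewhere is
    still worth updating.
    """
    return os.path.exists(os.path.join(selinuxfs, "enforce"))


def assess(sudo_output, selinux_on):
    """Combine the version and SELinux state into a one-line verdict."""
    version = version_from_sudo_output(sudo_output)
    if version is None:
        return "could not determine sudo version"
    if not is_vulnerable_version(version):
        return "sudo %s is outside the affected ranges" % version
    if selinux_on:
        return "sudo %s is affected and SELinux is enabled: patch now" % version
    return "sudo %s is affected (SELinux not enabled here): patch anyway" % version


if __name__ == "__main__":
    # 'sudo -V' prints its version without prompting for a password.
    proc = subprocess.run(["sudo", "-V"], capture_output=True, text=True, check=False)
    print(assess(proc.stdout, selinux_enabled()))
```

The version tuple is the important part: a naive string comparison would rank "1.8.5" above "1.8.20p1" and miss half the affected range, and treating a bare release as p0 is what makes 1.8.20 sort below the incomplete 1.8.20p1 fix.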
People caught downloading copyright-protected content from torrent websites -- including popular repositories like The Pirate Bay, Torrentz, and more -- could face up to 10 years in prison under UK law. The Digital Economy Act has received royal assent, meaning UK file-sharers could now be imprisoned for a decade. Following a recommendation from the International Property Office (IPO), the maximum prison sentence for copyright infringement in the UK has been increased from two years to 10. The IPO had previously commissioned a study that suggested online copyright infringement should carry similar sanctions to those used for counterfeiting offences.
When it comes to privacy concerns, the mind naturally drifts to the likes of Facebook, Microsoft and Google. But in reality there is the potential for privacy issues with any connected device -- and that includes Bluetooth headphones from Bose. Illustrating this is a man from Illinois who has filed a lawsuit against the Massachusetts-based audio company for "secretly collecting, transmitting, and disclosing its customers' private music selections to third parties," including a data mining company. Kyle Zak alleges that his Bose QuietComfort 35 wireless Bluetooth headphones and the associated Bose Connect app gathered information about him and sold it on to third parties including Segment.io. Zak's lawsuit points out that the same problem probably exists with other Bose Bluetooth headphones that work in conjunction with the Bose Connect app. Other affected products include the Bose SoundSport wireless, SoundSport Pulse wireless, QuietControl 30 and SoundLink wireless II headphones, as well as its SoundLink Color II, SoundLink Revolve and SoundLink Revolve+ speakers. The allegation is that Bose is engaged in what amounts to wiretapping, but Bose denies that the data is personally identifiable.
The hackers are particularly upset after Evan Spiegel, Snapchat CEO, reportedly made a rather nasty remark regarding expansion plans. According to claims that emerged last week as an ex-employee filed a lawsuit against the company, Spiegel shut down suggestions to expand to certain international markets, saying Snapchat is "for rich people" and that he did not want to expand into "poor countries like India or Spain." The allegations were slammed by the company. "Obviously Snapchat is for everyone! It is available worldwide to download for free. These words were written by a disgruntled former employee. We are grateful for our Snapchat community in India and around the world!" Snap said. After a widespread boycott campaign was launched demanding that Spiegel apologize, hackers did their part. In fact, the Indian hackers claim the vulnerability they discovered in Snapchat's database allowed them to siphon details on 1.7 million users sometime last year. To make matters worse, the database has been leaked on the dark web.
A smart dishwasher has reportedly been found connected to an unsecured web server, giving experts further ammunition to warn about the dangers of IoT devices. A bug report by a security expert alleges that Miele, the manufacturer of the smart dishwasher, ignored the security issue despite having been notified of it, indicating that the smart device may have been left exposed on an unsecured server for months. According to Jens Regel of Schneider & Wulf, Miele's Professional PG 8528 PST10 devices were found to be prone to a directory traversal attack; therefore, an unauthenticated attacker may be able to exploit this issue to access sensitive information to aid in subsequent attacks. According to Regel, he was able to get his hands on the embedded system's shadow file, which in turn provided him access to all files on the system. "We are not aware of an actual fix," Regel said. According to Miele's product description page, the ethernet connection is used to extract text reports from the dishwasher. "The ethernet interface is the universal solution for data exchange," the description states. "In comparison with other interfaces the user is offered a particularly high level of functionality." However, security experts have reportedly bemoaned such situations, warning about the potential dangers such security flaws could pose, and the IoT security situation is unlikely to get any better any time soon. "The price of turning a dumb device into a smart device will be about 10 cents. It is going to be so cheap that vendors will put the chip in anything electronic they produce, even if the benefits are only very small. But those benefits will not be benefits to you, the consumer -- they will be benefits for the manufacturers because they want to collect analytics, and you will probably not even know that it is an IoT device."
The dark web has been flooded with millions of accounts from recently compromised vBulletin forums. A hacker using the name Cfnt claimed to have hacked 25 web forums, which were running on outdated versions of the vBulletin software. Among the compromised forums are subagames.com, rappers.in, forums.spybot.info, cashcrate.com, codingforums.com, dcemu.co.uk, asia-team.net, dbforums.com and forums.3dtotal.com. Around 38 million accounts from the 25 hacked forums are now up for sale in a popular dark web marketplace. The hacked forums were all running on vBulletin 4.x, which is vulnerable to SQL injection. The security issue with this version was reported in June 2016, according to vBulletin support forums. A warning to those using older vBulletin versions last year reads: "A security issue was reported to us that affects vBulletin 4. We have released security patches for vBulletin 4.2.2 & 4.2.3 to account for this vulnerability. The issue could potentially allow attackers to perform SQL Injection attacks via the included Forumrunner add-on. It is recommended that all users update as soon as possible. If you are using a version of vBulletin 4 older than 4.2.2, it is recommended that you upgrade to the latest version as soon as possible." Lists of accounts from each of the forums are being sold for around $150. It is highly recommended that users with accounts on such vBulletin forums change their passwords now.