Welcome to HellBound Hackers
Welcome to HellBound Hackers. The hands-on approach to computer security.
Learn how hackers break in, and how to keep them out.
Please register to benefit from extra features and our simulated security challenges.
Website News:

HBH v2 Update Note: Registration Issue Resolved
We've had a lot of members asking about the status of HBH v2 ... and rightly so!
I just got off the phone with Mordak. Sadly he's had some health issues which have taken priority over development. He's now got a colleague working on it alongside him and it's sounding totally kick ass!
There's been considerable re-writes to his previous version and slight restructures which make it much easier to develop with. Now there's a good framework and core in place, you should be seeing a lot more hbh v2 updates.
Keep up to date and even get involved in the coding here!

Notice: Some Challenges Offline
Please be aware that some challenges that require database functionality are offline.
If at a certain point in the challenge you get mysql_select_db errors please report these to Mordak and leave the challenge for another day as you won't be able to complete it.
We will get this resolved shortly.
Real 7 & Basic 12 have been fixed.

HBH v2 Update
Hey guys, we've had a lot of people asking for updates on the new system... and rightly so! Turns out it's actually quite a big job! Here are a few things we've done already and things we intend to add.
DONE:
- User voice voting system for new developments
- revamp registration and forgot password systems
- new development log and management system
- announcement system
- new EM features
- much much more
TO ADD:
- super slick profile pages
- svn system for development teams
- development documentation for all you people itching to be developers
ONCE WE LAUNCH:
- weekly lessons
- monthly newsletters
- massive surge in community driven content
READ MORE for info on new logo competition

UPDATED Latest Developments
There's been some question into Mordak's sudden appearance and status in HBH. This news post should answer some of those questions.
Who is Mordak?
What is HBH v2?
What does all this mean for HBH?
Click read more for the full post!
Computer News:

Iran confirms cyberattacks against oil facilities
Iran's oil ministry today confirmed that it was the target of malware attacks over the weekend, adding to reports by state-run media that the country's oil industry was hit by hackers.
The Mehr News Agency, which is a semi-official arm of the Iranian government, reported Monday that the country's principal oil terminal on Kharg Island was disconnected from the Internet as part of the response to the attacks. Email systems associated with the targets were also pulled offline.
Kharg Island, which is in the Persian Gulf off the western coast of Iran, handles the bulk of the country's oil exports.
A spokesman for the Ministry of Petroleum acknowledged the attacks, but said that critical servers at the reported targets -- the ministry, Iran's national oil company and Kharg Island -- were not affected because they are isolated from the Internet.
The ministry spokesman also said that the malware, which he did not identify, resulted in the theft of some user information from websites and some minor damage to data stored on the web servers. According to the ministry, no data was actually lost because backups were available.
Later Monday, Mehr reported that the attacks had prompted authorities to create a crisis management committee to counter the threats.
Those reports were echoed Monday by the Fars News Agency, which also has ties to the Iranian government.
The attacks immediately brought to mind Stuxnet, the worm that targeted Iran's nuclear fuel enrichment project in 2009, and reportedly set back the program after damaging hundreds of gas centrifuges.

Google boosts Web bug bounties to $20,000
Google today dramatically raised the bounties it pays independent researchers for reporting bugs in its core websites, services and online applications.
The search giant boosted the maximum reward from $3,133 to $20,000, and added a $10,000 payment to the program.
The Vulnerability Reward Program (VRP) will now pay $20,000 for vulnerabilities that allow remote code execution against google.com, youtube.com and other core domains, as well as what the company called "highly sensitive services" such as its search site, Google Wallet, Gmail and Google Play.
Remote code flaws found in Google's Web apps will also be rewarded $20,000.
The term "remote code execution" refers to the most serious category of vulnerabilities, those which when exploited allow an attacker to hijack a system and/or plant malware on a machine.
A $10,000 bounty will be paid for SQL injection bugs or "significant" authentication bypass or data leak vulnerabilities, Google said in the revised rules for the program.
Other bugs, including cross-site scripting (XSS) and cross-site request forgery (XSRF) flaws, will be compensated with payments between $100 and $3,133, with the amount dependent on the severity of the bug and where the vulnerability resides.

Mac Flashback malware
Apple's Mac platform has long been promoted as safer than the competition, but as Mac sales and market share grow, it's become a bigger target.
Nowhere is that clearer than with the Flashback Trojan, a gnarly piece of malware designed to steal personal information by masquerading as very mainstream browser plug-ins. Yesterday Russian antivirus company Dr. Web said that an estimated 600,000 Macs are now infected as a result of users unknowingly installing the software.
So here's a quick FAQ on the Flashback Trojan, including information on what it is, how to tell if you have it, and steps you can take to get rid of it.
What exactly is Flashback?
Flashback is a form of malware designed to grab passwords and other information from users through their Web browser and other applications such as Skype. A user typically mistakes it for a legitimate browser plug-in while visiting a malicious Web site. At that point, the software installs code designed to gather personal information and send it back to remote servers. In its most recent incarnations, the software can install itself without user interaction.
Flashback as we know it now appeared near the end of September last year, pretending to be an installer for Adobe's Flash, a widely used plug-in for streaming video and interactive applications that Apple no longer ships on its computers. The malware evolved to target the Java runtime on OS X, where users visiting malicious sites would then be prompted to install it on their machine in order to view Web content. More advanced versions would install quietly in the background with no password needed.

Will it Take a Law to Protect Online Privacy?
Following the release of two prominent reports advancing the federal government's policy for online privacy, members of a House subcommittee on Thursday again took up consideration of whether new legislation is needed to protect consumers on the Internet.
At a hearing before the Energy and Commerce Committee's technology subcommittee, top officials with the Department of Commerce and the Federal Trade Commission walked a thin line in their remarks to lawmakers who at times appeared skeptical. Both officials expressed support for baseline privacy legislation that would implement consumer safeguards while avoiding burdensome mandates that could hinder the online economy. At the same time, they emphasized that their recent reports -- the consumer bill of rights that the Commerce Department developed in concert with the White House and the FTC's new report on best practices -- contain no new regulatory mandates.
"These are to some extent aspirational," FTC Chairman Jon Leibowitz told the panel. "We wanted to make it very clear that this isn't a regulatory document or an enforcement document."
Similarly, Lawrence Strickling, the Commerce Department's assistant secretary for communication and information, affirmed that the administration is backing a largely self-regulatory approach.
Both officials expressed support for a rudimentary privacy law, though neither endorsed any specific proposal.
The FTC and Commerce Department now plan to continue their collaboration with industry stakeholders to develop codes of conduct and implementation strategies to apply high-minded privacy concepts such as transparency and choice into practice.
If the FTC wins formal commitments from industry players to adhere to certain behavior, such as abiding by the rules of the do-not-track mechanism it is endorsing, those firms would then be subject to agency oversight under its authorities relating to unfair and deceptive practices. But in the event that the FTC finds a company to be in violation of those standards and reaches a consent order, as it did last year with Google and Facebook, the agency has no authority to issue financial penalties for civil offenses, a power that it is seeking from Congress.

Microsoft leads seizure of Zeus cybercrime servers...
Microsoft said on Monday it and several partners had disrupted several cybercrime rings that used a notorious piece of malicious software called Zeus to steal US$100 million over the last five years.
The company said a consolidated legal case has been filed against those allegedly responsible that for the first time applies the Racketeer Influenced and Corrupt Organizations (RICO) Act.
Zeus has been a thorn in the side for financial institutions due to its stealthy nature and advanced spying capabilities that center around stealing online banking and e-commerce credentials for fraud.
According to a complaint filed under seal on March 19 in the U.S. District Court for the Eastern District of New York, Microsoft accused the defendants of infecting more than 13 million computers and stealing more than US$100 million over the last five years.
The civil complaint lists 39 "John Doe" defendants, many of whom are identified only by online nicknames, such as "Gribodemon" and "Harderman."
It marks the latest action led by Microsoft against botnet operators. The company has gone to court before to gain permission to take control over domain names associated with the command-and-control infrastructure of botnets such as Kelihos, Rustock and Waledac.
The company has also initiated civil proceedings against unnamed operators but has had little success due to jurisdiction issues.
Mark Debenham, senior manager of investigations for Microsoft's Digital Crimes Unit, said the creators of Zeus -- as well as related malware such as SpyEye and Ice-IX -- sold "builder kits" to other would-be cybercriminals. Simple versions sold for as little as $700, while more advanced versions could cost $15,000 or more, according to Debenham's affidavit.

Hackers Publish Exploit for Wormable RDP Hole
On Tuesday, Microsoft issued a patch to plug a critical hole in Windows’ Remote Desktop Protocol. Fearing the possibility of an exploit being developed in the “next 30 days,” the company “strongly” advised the immediate deployment of this patch in a blog post detailing the said RDP vulnerability (CVE-2012-0002). Well, it seems that Microsoft was right about the vulnerability being highly attractive to hackers.
Chinese hackers are said to have already published proof-of-concept (PoC) exploit code for the RDP hole. But there seems to be something even more troubling here than the exploit code itself. It’s feared that the hackers who published the code on a Chinese language forum might have had access to data from MAPP (Microsoft Active Protections Program), which provides vulnerability information to security software partners prior to Microsoft's monthly installment of security updates “so partners can build enhanced customer protections.”
Luigi Auriemma, the security researcher who first discovered the vulnerability, has alleged that the Chinese PoC is the “exact one” he provided to TippingPoint ZDI (Zero Day Initiative). He suspects a leak at either ZDI or Microsoft. “The packet I gave to ZDI wasn’t just a simple fuzzed packet. I modified at some points to make it unique,” Auriemma told ZDNet in an interview.
If it’s indeed a MAPP leak then Microsoft has a huge problem on its hands. This is what Microsoft’s site says about MAPP: “You will receive advance vulnerability information for those vulnerabilities to be addressed in Microsoft’s regularly scheduled monthly security update releases. This information package will provide documents that outline our information on the vulnerability. These documents outline the steps used to reproduce the vulnerability as well as the steps used to detect the issue.”

US charges members of Anonymous
Six suspected leaders of the international hacking organization known as Anonymous were charged by U.S. authorities with computer crimes, dealing a major blow to the loose-knit group that has wreaked havoc on the websites of government agencies and major corporations.
Among those charged was Hector Xavier Monsegur, known as "Sabu," who took responsibility for attacks on the websites of eBay's PayPal, MasterCard and Visa between December 2010 and June 2011, according to federal prosecutors and the FBI. The attacks were in retaliation for the refusal of those companies to process donations to Wikileaks, the group that leaked confidential diplomatic cables in 2010.
The charges against Monsegur, in a case that was opened last summer, were filed in federal court in New York via a criminal information. Such a document typically means a suspect has been cooperating with the government.
"Sabu was seen as a leader ... Now that Anonymous realizes he was a snitch and was working on his own for the Fed, they must be thinking: 'If we can't trust Sabu, who can we trust?' " said Mikko Hypponen, chief research officer at Finnish computer security company F-Secure.
"It's probably not going to be the end of Anonymous, but it's going to take a while for them to recover, especially from the paranoia," Hypponen said.
Monsegur pleaded guilty last August to 12 charges, including computer hacking and conspiracy, according to documents unsealed in New York federal court on Tuesday. He is free on a $50,000 bond. The charges carry a possible maximum prison term of 10 years.