Donate to us!
It is the path of least resistance that makes rivers and men crooked. - Bj Palmer
Monday, December 18, 2017
Navigation
Home
 Find:
 Information:
Learn
Communicate
Submit
Shop
Challenges
 Exploit:
 Programming:
 Think:
 Track:
 Patch:
 Other:
 Need Help?
Other
Members Online
Total Online: 44
Guests Online: 44
Members Online: 0

Registered Members: 103447
Newest Member: mahdiess
Latest Articles
Welcome to HellBound Hackers

Welcome to HellBound Hackers. The hands-on approach to computer security.
Learn how hackers break in, and how to keep them out.
Please register to benefit from extra features and our simulated security challenges.




Latest Features:

Latest Challenges:

Stegano 27 by Euforia33.
Stegano 26 by Euforia33.
Stegano 25 by Euforia33.
Application 17 by 4rm4g3dd0n.

Information:



: : Website News : :

A few HBH Updates

We have pushed some fixes out to some of the broken challenges.

Real7 is now back online!

Please check the status page before asking if a challenge is down.

We will have some big news about HBH coming soon, If you want to help out with beta testing this big news please let rex_mundi know so we can add you to the list.

Any EM members are already on the list :)


If you have questions about this big news feel free to post them in the following thread.

~ Mordak

Forward Secrecy & Strict Transport Security

Today we implemented Forward Secrecy in order to improve the security and privacy of HBH. Forward Secrecy "should" make it "impossible" to eavesdrop on data being transmitted from your browser to HBH's servers. We also have Strict Transport Security enabled.

You can check the report on our SSL here. The SSL report is provided by Qualys SSL Labs

Also we have updated PHP so a few page may be offline, if you find any please report them here.

We have also updated the Development page so you can all see what we are working on and things we would like to do. Feel free to post your thoughts on the current projects.

Also we have updated the Change Log to reflect these changes.

Points for Creating Challenges & Points for Hall of Fame entries have been returned to the accounts that lost them.

Ranking System Changes

Since the points reset, We have had a lot of complaints about administrators being in the top ten on the rankings page. The current Admin staff have been here for a while and had already completed the challenges BUT to keep everyone happy, Administrators will no longer be included in the points rankings and will be unranked in their profiles.

On another note Real 15 IS up and running fine.

UPDATE: Real 9 an 10 are also now back up.

korg

Changes to HBH

All Members Read This!

There has been a few changes to HBH over the past few weeks. Here are a list of changes and some reason why:

We have removed the old database tables and reset the points. This is due to old and corrupted accounts and no way for other members to get on the score board, Points cannot and will not be reinstated. We have also removed user accounts that haven\'t logged in in over a year.

We have two new staff members Euforia33 & rex_mundi they have been a great help to HBH over the years!

We also have improved the forum and replaced some old code which should make things faster.

Thanks

HBH Staff

PHP Upgrade and New Challenges

Due to the recent upgrade in the PHP on the server, Some pages may not display properly and a few challenges will be offline. Basic 26, Real 7, 9 Will be Offline till I get them recoded.

Realistic 17 is back up and running.

On the other hand, The Application page is completely redone to make it easier to submit your answers.

I\'m going to upload a few new challenges to keep everyone occupied while I work on the site.

Any bugs you see please submit them, Any Vulnerabilities Pm me them directly.

UPDATE: Application 17 by 4rm4g3dd0n released today.

UPDATED UPDATE: Stegano 25, 26 and 27 by Euforia33 released also!

UPDATED UPDATE UPDATE: Mordak has bought HBH a proper SSL Cert.

UPDATED UPDATED UPDATE UPDATE: HBH Change log is now active.

korg

: : Computer News : :

Your Every Keystroke Recorded by Over 400 Top Websites.

Some of the webs most popular sites could be tracking your every move, a shocking new study has found.

Hundreds of homepages, including Microsoft, Adobe, Wordpress, Godaddy, Spotify, Skype, Samsung and Rotten Tomatoes, use secret code called session replay scripts, to monitor your online activity.
Hidden strings of data are used to record everything you do while visiting a page, including what you type and where you move your mouse.

This could be used by third parties to reveal everything from credit card details to medical complaints, as well as putting you at risk of identity theft and online scams,  as well as other unwanted behavior.

The findings were made as part of Princeton Universitys Web Transparency and Accountability Project, which monitors websites and services to find out what user data companies collect, how they collect it, and what they do with it.

Researchers found that 482 of the top 50,000 websites by numbers of visitors use session replay scripts.
They are used to record your keystrokes, mouse movements, and scrolling behaviour, along with the entire contents of the pages you visit, and send them to third-party servers.

OnePlus preinstalls app that can be used as a backdoor

With just days left before its final hurrah for the year, OnePlus seems to be involved yet again in a controversy surrounding privacy and security. No, it is not a rehash of last months data collection scandal. This one is potentially more harmful, especially since OnePlus itself may be unaware of its existence until now. The startup apparently left a diagnostic app preinstalled on its smartphones since the OnePlus 3 that, with just some simple nudging, can be used to gain root access to the device, with or without the users knowledge.

To be fair to OnePlus, the app in question is not even made by the company. It is, instead, Qualcomms EngineerMode, which the chip maker provides OEMs to test their processors on devices. As one can imagine, it is not meant for consumers use and OnePlus fault is that it did not remove the app before it shipped the OnePlus phones.

As a diagnostic app, EngineerMode has a few tricks to gain entry into parts of the file system and OS functionality unavailable to most apps. Curiously, it had the power to run ADB, the Android Debug Bridge tool, as root, which would then allow it to practically do anything. And while access to that is blocked by a password, it did not take too long for skilled developers to figure that out.

This means that Qualcomms EngineerMode app, which comes pre-installed in all OnePlus 3, OnePlus 3T, and OnePlus 5 phones running the default OxygenOS, acts as a backdoor that could let anyone gain root access or root the phone fully. Twitter user fs0c131y, who discovered the app, intends to release a proof-of-concept app that will do just that.

On the one hand, it does mean that it will be dead simple to root those three OnePlus phones without even having to unlock the bootloader. On the other hand, it is a security nightmare waiting to happen, and users are better off having this closed quickly and using tried and testing, not to mention safer, rooting methods instead.

BankBot Malware Hits Google Play Store Yet Again.

The Google Play Store is unintentionally distributing a particular form of Android banking malware for the third time this year.

BankBot first appeared in the official Android marketplace in April this year, was removed, and then was discovered to be have returned in September before being removed again. Now BankBot has appeared in the Google Play store yet again, having somehow bypassed the application vetting and security protocols for a third time.

BankBot is designed to steal banking credentials and payment information. It tricks users into handing over their bank details by presenting an overlay window which looks identical to a banks app login page.

 The malware is capable of identifying a variety of financial and retail mobile apps on the infected devices and tailors the phishing attack to display a fake version of the banking app the victim uses, if the target bank is recognized by the malware.