Monday, December 15, 2014

'SoakSoak' Malware Compromises 100,000 WordPress Websites

Users of WordPress, a free and open source blogging tool and content management system (CMS), are being warned of a widespread malware campaign that has already compromised more than 100,000 websites worldwide, and the number is still rising.
The news broke throughout the WordPress community earlier Sunday morning when Google blacklisted over 11,000 domains due to the latest malware campaign, that has been brought by, thus being dubbed the ‘SoakSoak Malware’ epidemic.
With more than 70 million websites on the Internet currently running WordPress, this malware campaign could be a great threat to those running their websites on WordPress.

Once infected, you may experience irregular website behavior, including unexpected redirects to other web pages. You may also end up downloading malicious files onto your computer automatically, without your knowledge.
The search engine giant has already acted on this infection and has added over 11,000 websites to its blacklist, which could seriously affect the revenue potential of the owners of those blacklisted websites.
The security team at the security firm Sucuri, which is actively investigating the potential vector of the malware, said that the infections are not targeted only at WordPress websites, but that the impact appears to be affecting most hosts across the WordPress hosting spectrum.
SoakSoak modifies the file wp-includes/template-loader.php so that wp-includes/js/swobject.js is loaded on every page view on the website; this “swobject.js” file contains the malicious, encoded JavaScript.
If you run a website and are worried about the risk of infection, Sucuri has provided a free SiteCheck scanner that will check your website for the malware. The exact method of intrusion has not been identified at this time, but numerous signals lead us to believe that many WordPress users could have fallen victim to this attack.
However, if you are behind the Website Firewall, CloudProxy, you are protected from the SoakSoak malware campaign.
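
A local check for the two indicators named above, as an added example that is not from Sucuri or the original post. It assumes a POSIX shell with access to the site's files; the function names and output labels are hypothetical. WordPress also ships a legitimate `swfobject.js` (with an `f`), which this check deliberately does not match.

```shell
#!/bin/sh
# Added example: checks a WordPress tree for the two SoakSoak indicators
# described in the article. Function names and output labels are hypothetical.

# soaksoak_check WP_ROOT
# Returns 0 if clean, 1 if any indicator is present,
# 2 if WP_ROOT does not look like a WordPress install.
soaksoak_check() {
    root=${1:-.}
    loader="$root/wp-includes/template-loader.php"
    dropped="$root/wp-includes/js/swobject.js"
    status=0

    if [ ! -f "$loader" ]; then
        echo "ERROR: $loader not found; is $root a WordPress root?"
        return 2
    fi

    # Indicator 1: template-loader.php references swobject.js.
    # -F matches the literal string, which is not a substring of the
    # legitimate "swfobject.js".
    lines=$(grep -n -F 'swobject.js' "$loader" | cut -d: -f1 | tr '\n' ' ')
    if [ -n "$lines" ]; then
        echo "INFECTED: $loader references swobject.js on line(s): $lines"
        status=1
    fi

    # Indicator 2: the loaded script file itself is present.
    if [ -e "$dropped" ]; then
        echo "INFECTED: $dropped exists"
        status=1
    fi

    [ "$status" -eq 0 ] && echo "CLEAN: no SoakSoak indicators under $root"
    return "$status"
}

# Constructed sample trees (not real infections) to exercise the check offline.
soaksoak_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/clean/wp-includes/js" "$tmp/bad/wp-includes/js"
    printf '<?php\n// uses swfobject.js\n' \
        > "$tmp/clean/wp-includes/template-loader.php"
    : > "$tmp/clean/wp-includes/js/swfobject.js"
    printf '<?php\n// constructed marker: js/swobject.js\n' \
        > "$tmp/bad/wp-includes/template-loader.php"
    : > "$tmp/bad/wp-includes/js/swobject.js"
    soaksoak_check "$tmp/clean"; clean_rc=$?
    soaksoak_check "$tmp/bad"; bad_rc=$?
    rm -rf "$tmp"
    [ "$clean_rc" -eq 0 ] && [ "$bad_rc" -eq 1 ]
}
```

A clean result only means these two indicators are absent; since the intrusion method was not known at the time, compare a flagged `template-loader.php` against the copy from the matching official WordPress release before restoring it.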

Wednesday, December 3, 2014

Pacquiao vs Algieri - Full Video Replay

Manny Pacquiao (56-5-2, 38 KOs) will defend his WBO welterweight title against rising WBO 140-pound titleholder Chris Algieri (20-0, 8 KOs) at the Venetian Macao’s Cotai Arena, Macau, China.

Why Binay is still the man to beat in 2016

MANILA - Despite all the corruption allegations being hurled against him, Vice-President Jejomar Binay is not likely to back down from his plan to run for President in 2016.
Political analyst Malou Tiquia, founder and general manager of Publicus Asia Incorporated, said Binay will still make a go for the presidency even if he is being pilloried in the Senate Blue Ribbon subcommittee, which is investigating allegations of corruption against him.
But given all the accusations being thrown against him, including allegedly hiding properties under the names of alleged dummies and benefiting from overpriced projects in Makati when he was still mayor of the city, is Binay, who has consistently topped surveys, still the man to beat in 2016?
According to Tiquia, Binay, who has repeatedly trumpeted his rise from poverty, has a "compelling story" to tell.
A compelling story is a major factor to win the presidency, University of the Philippines (UP) vice president for public affairs Prospero de Vera said.
De Vera, however, stopped short of saying that Binay will automatically win in the 2016 elections, noting that it is still a long stretch before the presidential polls.
He said the "defining development" would be the resolution of the Senate's investigation, which, he said, is also being awaited by other possible contenders.
"If they see the numbers of the vice-president going down, it will increase their hope and become more active in presenting themselves," de Vera said.
But for Dr. Grace Gorospe-Jamon of the UP political science department, there is no question that Binay is the "man to beat" in 2016.
Jamon said other candidates should have a "strategically well done" campaign to defeat Binay in the presidential polls.
"If we don't get a credible candidate that will oppose Binay, Binay will win," she said.
Dr. Antonio Contreras of the De La Salle University's (DLSU) political science department agreed. "If there is no miracle on the side of Mar [Roxas] and there is no better candidate, Binay will win."
He also believes that the more candidates run for president, the higher chances Binay will have of winning.
"The problem is that if his numbers drop too much, more people will be emboldened to run. That's the irony here... Because more people want to run, the probability of him winning is also preserved, because the votes will be split," he said.
"So you see he is in a very nice position right now," Contreras added. "That's why, how do you solve a problem like him?"
University of Santo Tomas (UST) political science professor Edmund Tayao also pointed out that the two senators consistently "hitting and bamboozling" Binay do not seem to benefit from their attacks against the vice-president.
Senators Antonio Trillanes IV and Alan Peter Cayetano have been leading the Senate investigation on corruption allegations against Binay. The two, both from the Nacionalista Party (NP), have expressed intention to run for president.
Tayao said, "Look at what happened. Are their numbers going up? Not really."
"People are waiting for, 'What is that? What is it that you're selling us?' It's not clear yet," added Tiquia.
Tayao also said that so far, "none has formulated a really good strategy to have their names placed on the table and be considered by the public."
Meanwhile, de Vera said the idea that the endorsement of the President is a major factor in winning in the polls is "overrated."
He said an endorsement from President Benigno Aquino III for the 2016 elections will only be an "add-on" or a "bonus."
"You've got to be strong on your own merits... A weak candidate, even with all the resources, cannot simply overwhelm an opponent that is strong," he said.


Tuesday, December 2, 2014

Uber’s Android app is Literally Malware?

The popular ride-sharing service Uber has been hit by various controversies lately, but things have now gotten even worse for the company: a security researcher made a worrying discovery this week and claims, "Uber’s app is literally malware."

The ride-hailing company is in disputes over how it handles the privacy of its customers' data. Phoenix-based security researcher Joe Giron found that a surprising amount of users’ data is being collected by the company’s mobile application for Android.

The researcher, who runs a cyber security firm in Arizona, reverse-engineered the code of Uber’s Android application and came to the conclusion that it is malware. He discovered that the app "calls home" and sends data back to the company.

But this is not the sort of data a taxi company should have access to in the first place. Collecting it seems strange and unnecessary.
"Christ man! Why the hell would it want access to my camera, my phone calls, my Wi-Fi neighbors, my accounts, etc?" Joe writes in his Security Blog. "Why the hell is this here? What’s it sending? Why? Where? I don’t remember agreeing to allow Uber access to my phone calls and SMS messages. Bad NSA-Uber."
One question comes to mind: a large number of smartphone applications today have access to users’ app data, so what is the difference between the way others access your data and the way Uber does?

Here we present you a long list of everything the Uber Android app can have about its users, revealed by a thread on Ycombinator:
  • Accounts log (Email)
  • App Activity (Name, PackageName, Process Number of activity, Processed id)
  • App Data Usage (Cache size, code size, data size, name, package name)
  • App Install (installed at, name, package name, unknown sources enabled, version code, version name)
  • Battery (health, level, plugged, present, scale, status, technology, temperature, voltage)
  • Device Info (board, brand, build version, cell number, device, device type, display, fingerprint, ip, mac address, manufacturer, model, os platform, product, sdk code, total disk space, unknown sources enabled)
  • GPS (accuracy, altitude, latitude, longitude, provider, speed)
  • MMS (from number, mms at, mmss type, service number, to number)
  • NetData (bytes received, bytes sent, connection type, interface type)
  • PhoneCall (call duration, called at, from number, phone call type, to number)
  • SMS (from number, service number, sms at, sms type, to number)
  • TelephonyInfo (cell tower id, cell tower latitude, cell tower longitude, imei, iso country code, local area code, meid, mobile country code, mobile network code, network name, network type, phone type, sim serial number, sim state, subscriber id)
  • WifiConnection (bssid, ip, linkspeed, macaddr, networkid, rssi, ssid)
  • WifiNeighbors (bssid, capabilities, frequency, level, ssid)
  • Root Check (root status code, root status reason code, root version, sig file version)
  • Malware Info (algorithm confidence, app list, found malware, malware sdk version, package list, reason code, service list, sigfile version)
"Why the hell would they need this? I know I keep asking questions, but here’s some answers: Uber checks to see if your device is rooted. It doesn’t tell you of course, it just wants to know so it can phone home and tell them about it. I also saw checks for malware, application activity and a bunch of other stuff," the publication adds.
The ride-hailing company might have some legitimate reason to make use of most of this collected information in the app, perhaps for fraud detection or as an intelligence-gathering tool. But the problem is that the information is being sent to and collected by Uber’s servers without any knowledge or permission of the app user. Neither the extent of the data the Uber app collects seems to go beyond the data set shown on its permissions screen.
Uber responded to the issue and said in a statement to Cult of Mac, "Access to permissions including Wifi networks and camera are included so that users can experience full functionality of the Uber app. This is not unique to Uber, and downloading the Uber app is of 

Sony Pictures Hack — 5 Things You Need To Know

What a horrible start to the holiday season in the U.S. Over Thanksgiving weekend, Sony Pictures Entertainment suffered a massive data breach when "Guardians of Peace" hacked into Sony Pictures' computer system and brought the studio's network to a screeching halt.

Following the hack, hackers leaked five unreleased Sony movies to a torrent file-sharing website during Black Friday. It's still not clear whether the two back-to-back incidents involving Sony Pictures are the work of the same group of hackers, but here's what you need to know about the breach:

The U.S. Federal Bureau of Investigation (FBI) warned businesses that cyber criminals have used malicious software to launch destructive cyber-attacks in the United States, following last week's massive data breach at Sony Pictures Entertainment, in which four unreleased films were stolen and pirate-shared.

In a five-page confidential 'flash' warning, the FBI recommended that users strengthen the protection of their information systems and limit access to databases. But when asked if the same malicious software had been used in the Sony Pictures hack, the FBI declined to comment.

This new "destructive" malware has the capability to overwrite a victim host's master boot record and all data files. "The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods," according to Reuters, which independently obtained the report.

As we reported earlier, Sony Pictures is investigating the possibility that hackers working on behalf of North Korea were behind the hacking incident.

The Sony hack is the payback for the upcoming Kim Jong Un assassination comedy film. That is because the hack comes just a month before the scheduled release of Sony's upcoming comedy "The Interview," about two journalists who are recruited by the CIA to assassinate North Korean leader Kim Jong Un.

The film became a source of international controversy, and the Pyongyang government denounced the film as "undisguised sponsoring of terrorism, as well as an Act of War" in a letter to U.N. Secretary-General Ban Ki-moon in June.

But pointing a finger at North Korea without any strong evidence would be wrong. So we still won't confirm whether it's cyber war by North Korea or the work of some other unknown, sophisticated hacker.

Following last week's cyber-attack on Sony Pictures Entertainment, high-quality versions of five of its newest films – Annie, Fury, Still Alice, Mr. Turner and To Write Love on Her Arms – distributed by Sony Pictures leaked online during Black Friday.

Four of the leaked films have yet to hit the big screen. The remake of the 1982 film "Annie" is Sony's next big film, scheduled to hit theaters on Dec. 19 with new stars Quvenzhané Wallis, Cameron Diaz and Jamie Foxx.

Two other new films, "Mr. Turner" and "Still Alice" are also considered possible Oscar contenders for their lead actors Timothy Spall and Julianne Moore.

Sony Pictures Entertainment has hired the Mandiant incident response team of FireEye Inc to help clean up the damage caused by the huge cyber attack on its network, which forced its employees to put pen to paper over the last few weeks.

In addition to FireEye, the FBI is also investigating the matter and is looking into the devastating leak of four of its upcoming movies, although it has not been confirmed that the leak of all the films came from the same data breach.

Mandiant is a well-known security incident response team of FireEye which deals in forensic analysis, repairs and network restoration. Mandiant is the same team that helped in the catastrophic security breach experienced by one of the world's largest retailers, Target, in 2013.

In August, Sony's PlayStation Network was completely taken down by a distributed denial-of-service (DDoS) attack, a common technique used by hackers to overwhelm a system with traffic and make the network temporarily inaccessible to users.

The gaming network also suffered a more severe hack in 2011, which led to the exposure of 77 million PlayStation and Qriocity accounts along with 25 million Sony Online Entertainment accounts, bringing the total to more than 100 million in one of the largest data breaches ever. The hack cost Sony 14 billion yen ($172 million), and it took the networks -- for downloading and playing games, movies, and music -- offline for about a month before bringing them back up.

Saturday, November 22, 2014

Billions of Android Devices Vulnerable to Privilege Escalation Except Android 5.0 Lollipop

A security weakness in versions of the Android mobile operating system below 5.0, which potentially puts every Android device at risk of privilege escalation attacks, has been patched in Android 5.0 Lollipop – the latest version of the mobile operating system.
The security vulnerability (CVE-2014-7911), discovered by a security researcher named Jann Horn, could allow any potential attacker to bypass the Address Space Layout Randomization (ASLR) defense and execute arbitrary code of their choice on a target device under certain circumstances. ASLR is a technique involved in protection from buffer overflow attacks.
The flaw resides in, which fails to check whether an Object that is being deserialized is actually a serializable object. The vulnerability was reported by the researcher to Google security team earlier this year.

According to the security researcher, Android apps can communicate with system_service, which runs under admin privileges (UID 1000), using Intents with attached Bundles. These are "transferred as arraymap Parcels and arraymap Parcels can contain serialized data," and in this way any Android app can attack the system_service.
After hearing a talk at a university about a vulnerability in a PHP web app involving deserialization of attacker-provided input data, Horn thought about serialization in other contexts, such as the Android operating system.
Working from the assumption that Java ensures that the classes used are actually serialized, and that ObjectInputStream may sometimes receive untrusted inputs, he checked whether the Android developers had taken the precaution of verifying deserialization under this scenario. "Went home, checked, the [vulnerability] was there," Horn writes in a thread about the security vulnerability on Reddit.
"When ObjectInputStream is used on untrusted inputs, an attacker can cause an instance of any class with a non-private parameterless constructor to be created," the security advisory from Horn says. "All fields of that instance can be set to arbitrary values."
"The malicious object will then typically either be ignored or cast to a type to which it doesn't fit, implying that no methods will be called on it and no data from it will be used. However, when it is collected by the GC, the GC will call the object’s finalize method."
To explain the issue, the security researcher has provided technical details and also developed a proof-of-concept (PoC) that crashes system_service. So far, a full exploit of the bug has not been created, and Horn is not entirely sure how predictable the address layout of the system_server really is or how easy it is to write a large amount of data into system_server’s heap. However, in order to exploit this vulnerability on a vulnerable device, one needs to get a malicious app onto the target device.
Horn disclosed the security bug to the Android development team on June 22. After the bug was addressed, a patch was delivered on November 3 in Android Lollipop as part of the AOSP (Android Open Source Project) code release, but lower versions of Android OS are still vulnerable.
Android 5.0 Lollipop is the latest mobile operating system by Google, who describe Lollipop as "the largest Android release yet," with more than 5,000 new APIs. But users of Lollipop are warning others not to immediately upgrade their mobile OS, after experiencing broken apps, repeated crashes, and device slowdowns.

Firing Range — Open Source Web App Vulnerability Scanning Tool From Google

Google on Tuesday launched a security testing tool, "Firing Range", which aims to improve the efficiency of automated web application security scanners by evaluating them against a wide range of cross-site scripting (XSS) and a few other web vulnerabilities seen in the wild.
Firing Range basically provides a synthetic testing environment mostly for cross-site scripting (XSS) vulnerabilities that are seen most frequently in web apps. According to Google security engineer Claudio Criscione, 70 percent of the bugs in Google’s Vulnerability Reward Program are cross-site scripting flaws.

In addition to XSS vulnerabilities, the new web app scanner also scans for other types of vulnerabilities including reverse clickjacking, Flash injection, mixed content, and cross-origin resource sharing vulnerabilities.
Firing Range was developed by Google with the help of security researchers at Politecnico di Milano in an effort to build a test ground for automated scanners. The company has used Firing Range itself "both as a continuous testing aid and as a driver for our development, defining as many bug types as possible, including some that we cannot detect (yet!)."
What makes it different from other vulnerable test applications available is its ability to use automation, which makes it more productive. Instead of focusing on creating realistic-looking testbeds for human testers, Firing Range relies on automation based on a collection of unique bug patterns drawn from in-the-wild vulnerabilities observed by Google.
Firing Range is a Java application that has been built on Google App Engine. It includes patterns for the scanner to focus on DOM-based, redirected, reflected, tag-based, escaped and remote inclusion bugs.
At the Google Testing Automation Conference (GTAC) last year, Criscione said that detecting XSS vulnerabilities by hand “at Google scale” is like drinking the ocean. Going through the information manually is both exhausting and counter-productive for the researcher; this is where Firing Range comes into play, essentially exploiting the bug and detecting the results of that exploitation.
"Our testbed doesn't try to emulate a real application, nor exercise the crawling capabilities of a scanner: it’s a collection of unique bug patterns drawn from vulnerabilities that we have seen in the wild, aimed at verifying the detection capabilities of security tools," Criscione explained on the Google Online Security Blog.
Firing Range was developed by the search engine giant while working on "Inquisition", an internal web application security scanning tool built entirely on Google Chrome and Cloud Platform technologies, with support for the latest HTML5 features and a low false positive rate.
A deployed version of Firing Range is available on Google App Engine, and since the tool is open source you can also find and check out the source code on GitHub. Users are encouraged to contribute to the tool with any feedback.

Monday, November 10, 2014

VIRAL: Traffic Enforcer who sells Bibingka as sideline gains respect by Netizens

We are so used to police officers, traffic enforcers and other men in uniform being involved in "kotong" allegations and the various kinds of negativity that surround bribery and power-tripping.

 Photo credit: Czes Rivera/Top Gear Philippines

That is why this particular police/traffic enforcer has been gaining a lot of attention and popularity: he is a breath of fresh air that revives a whole new image for officers in general.

Mr. Gonzales, the officer who was seen selling bibingka and different types of kakanin, gained a lot of attention and respect as one of those who made a difference and proved that not every officer is what the nation perceives them to be.

It was obvious that Officer Gonzales is a father who would do anything to make ends meet, in a hard but proud way.

I'm sure his kids were very proud and dignified of what he is as a father, officer and person.

Within 30 minutes of being posted, the news went viral not only locally but worldwide as well.

Officer Gonzales received words of praise from netizens around the world, who compared his ways to those of other corrupt officers in position nowadays.