Author - systemdigits.com

Bill Gates Sponsored Giant Fans Will Soon Suck CO2 From Air and Recycle it as Fuel

CO2 is the major driver of climate change and global warming. So far, sustainable development has lived mostly in speeches, and just when an immediate solution seemed unlikely, Carbon Engineering came up with a technology that captures CO2 already in the atmosphere and recycles it.
The pace of climate change today, and its effects on the planet's future, incite some of the strongest opinions and anxiety among people. The world acknowledges it, yet no one wants to share the responsibility. No wonder Elon Musk calls it humanity's dumbest experiment.

Carbon emissions are the biggest contributor to rising global temperatures, and will remain so until a workable solution is found. Planting trees can do the trick, but absorbing even a small volume of CO2 that way would take vast amounts of fertile land. What if we could build something that does what forests do and pull CO2 straight out of the atmosphere?

Carbon Engineering, a company backed by Bill Gates, is working on technology to take CO2 directly out of the atmosphere. It sounds amazing, but it is not easy: CO2 is only about one molecule in every 2,500 in the air.

Carbon Engineering has built a prototype contactor that captures 100 kilos of carbon dioxide from the atmosphere every day and converts it into harmless carbonates. Now imagine the scale of their full-size system.

At its maximum capacity, the full-scale system by the Carbon Engineering team is expected to capture the emissions from 300,000 cars every year. Air capture doesn’t require any exotic technology and can be scaled in size and installed anywhere on the Earth (since CO2 is present everywhere) depending on the economic and industrial needs of the place.

And it doesn't end there. The captured CO2 can be combined with hydrogen to make hydrocarbon fuels such as gasoline and jet fuel, closing the loop.


Air capture looks like a promising technology, one that could deliver sustainable development at lower cost. Conventional cars are not going away soon and industries are not going to slow their pace, so air capture could be a game changer without derailing countries' development agendas.

3 Easy Steps that Protect Your Website From Hackers

As a webmaster, is there anything more terrifying than the thought of seeing all of your work altered or wiped out entirely by a hacker?  You've worked hard on your website, so take the time to protect it by putting basic protections in place!

In addition to regularly backing up your files (which you should already be doing, for various reasons, and at least one copy should live somewhere other than the web server itself, since a backup stored on a compromised host goes with it), taking the following three easy steps will help to keep your website safe:


Step #1 – Keep platforms and scripts up-to-date

One of the best things you can do to protect your website is to keep every platform and script you have installed up to date.  Many of these tools are open source, so their code is available to everyone, well-intentioned developers and attackers alike.  Attackers pore over it looking for weaknesses that let them take control of a site, and they also compare each new release against the last to see what was fixed and then hunt for sites that have not yet applied the fix; the window between a patch being published and that patch being turned against unpatched sites can be short.

As an example, if your website is built on WordPress, both your base WordPress installation and any third-party plugins and themes you have installed can be vulnerable in this way.  Keeping the newest versions installed (enable automatic updates where the platform offers them) minimises the risk of being hacked this way, though it isn't a "fail safe": a plugin that is no longer maintained will never get a fix and should be removed rather than left installed.


Step #2 – Install security plugins, when possible

Once your platform and scripts are current, look into security plugins that actively defend against common hacking attempts.

Again, using WordPress as an example, you'll want to look into free plugins like Better WP Security and Bulletproof Security (or similar tools for websites built on other content management systems).  These add protections the platform itself does not ship with and block further classes of attack.  Remember that a security plugin is itself code running on your site: keep it updated like everything else, and treat an abandoned one as a liability.

Alternatively – whether you’re running a CMS-managed site or HTML pages – take a look at SiteLock.  SiteLock goes above and beyond simply closing site security loopholes by providing daily monitoring for everything from malware detection to vulnerability identification to active virus scanning and more.  If your business relies on its website, SiteLock is definitely an investment worth considering.


Step #3 – Lock down your directory and file permissions

Now, for this final technique, we’re going to get a little technical – but stick with me for a moment…

All websites can be boiled down to a series of files and folders stored on your web hosting account.  Besides holding the scripts and data that make your website work, each file and folder carries a set of permissions that controls who can read, write, and execute it, according to which user they are or which group they belong to.

On Linux (and other Unix-like systems), permissions are shown as a three-digit octal code, each digit an integer from 0 to 7.  The first digit is the file's owner, the second is the group that owns the file, and the third is everyone else.  (A leading fourth digit for setuid, setgid and sticky bits also exists, but you will rarely need it on a website.)  Each digit is the sum of the rights it grants:

4 equals Read
2 equals Write
1 equals Execute
0 equals no permissions for that user

As an example, take the permission code "644."  The "6" (4+2) in the first position gives the file's owner the ability to read and write the file.  The "4" in the second and third positions means the group and everyone else can only read it, which protects the file from unexpected manipulation.  Note that "everyone else" means every other account and process on the server, including the web server process that serves the file to visitors and, on shared hosting, other customers' accounts; internet users never touch the file directly, they only see what that process reads.

So a file with "777" (4+2+1 / 4+2+1 / 4+2+1) permissions would be readable, writable, and executable by the owner, the group and every other account on the system.

As you might expect, a file whose permissions let any account on the server write to or execute it is far less secure than one locked down to its owner alone.  On a shared host, a world-writable script can be rewritten by a neighbour's compromised site.  There are valid reasons to open up access (an upload directory the web server must write to, anonymous FTP upload), but each one should be deliberate, limited to that one directory, and never combined with execute rights on whatever gets uploaded there.

For this reason, a good rule of thumb is to set your permissions as follows:

  • Folders and directories = 755
  • Individual files = 644

To set your file permissions, log in to your cPanel File Manager or connect to your server with an FTP client such as FileZilla (use SFTP or FTPS rather than plain FTP wherever your host offers it; plain FTP sends your password across the network in the clear).  The file listing shows a permissions column with the current mode of every folder and file in your site's content.

To change a permission in FileZilla, right-click the folder or file in question and select the "File permissions" option.  The dialog that opens lets you assign read, write and execute for owner, group and others with a series of checkboxes, or type the numeric value directly.

Your web host's or FTP program's backend might look slightly different, but the basic process for changing permissions remains the same; on a shell account the same change is made with the chmod command.
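
The octal scheme and the 755/644 rule of thumb above, worked as a script. This is an added example, not code from the original article or from cPanel or FileZilla: it renders a mode the way a listing does, lists anything "everyone else" can write to, and applies the rule to a tree. It builds a throwaway directory tree of its own (constructed here) rather than touching a real site, and the `keep:` exception for an upload directory is my addition.

```ruby
require 'find'
require 'tmpdir'
require 'fileutils'

# Added example (not from the article). Works the octal permission scheme:
# render a mode like an FTP listing, find world-writable entries, apply 755/644.
RWX_BITS = [[4, 'r'], [2, 'w'], [1, 'x']].freeze

# 0o644 -> "rw-r--r--": each octal digit is owner, group, other, in that order.
# File.stat modes carry the file type in higher bits; the shifts ignore them.
def mode_to_rwx(mode)
  (0..2).map do |pos|
    digit = (mode >> (3 * (2 - pos))) & 0o7
    RWX_BITS.map { |bit, ch| (digit & bit) != 0 ? ch : '-' }.join
  end.join
end

# Paths under root whose third digit has the write bit (o+w, octal 002) set.
# Symlinks are skipped: their own mode is meaningless and chmod follows them.
def world_writable(root)
  Find.find(root).reject { |p| File.symlink?(p) }
                 .select { |p| (File.stat(p).mode & 0o002) != 0 }
                 .sort
end

# Apply the rule of thumb: directories 755, regular files 644. Directories in
# `keep` (an upload area the web server must write to) are left as they are;
# that exception should be the only one, and nothing in it should be executable.
def harden!(root, keep: [])
  Find.find(root) do |p|
    next if File.symlink?(p) || keep.include?(p)
    if File.directory?(p)
      File.chmod(0o755, p)
    elsif File.file?(p)
      File.chmod(0o644, p)
    end
  end
end

# Stand-alone demo on a throwaway tree (constructed here; no real site is touched).
# Returns the world-writable names before hardening and the list after it.
def demo
  Dir.mktmpdir('webroot') do |root|
    FileUtils.mkdir_p(File.join(root, 'uploads'))
    File.write(File.join(root, 'index.php'), "<?php echo 'hi';\n")
    File.chmod(0o777, File.join(root, 'index.php'))   # the classic mistake
    File.chmod(0o777, File.join(root, 'uploads'))
    before = world_writable(root).map { |p| File.basename(p) }
    harden!(root)
    [before, world_writable(root)]
  end
end

if __FILE__ == $PROGRAM_NAME
  before, after = demo
  puts "world-writable before: #{before.inspect}, after: #{after.inspect}"
end
```

Run it as-is to see the demo; for a real site, call `world_writable('/path/to/webroot')` first and review the list before running `harden!`, passing any upload directory the server genuinely needs to write to in `keep:`.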

Shocking!!! Instagram hacked. Researcher got into Instagram servers and the admin panel.


Ever wonder how to hack Instagram or how to hack a facebook account? Well, someone just did it!

But remember: even responsibly reporting a security vulnerability can end with legal threats against you.

An independent security researcher claims he was threatened by Facebook after he responsibly reported a series of security vulnerabilities and configuration flaws that allowed him to gain access to sensitive data stored on Instagram servers, including:

    Source Code of Instagram website
    SSL Certificates and Private Keys for Instagram
    Keys used to sign authentication cookies
    Personal details of Instagram Users and Employees
    Email server credentials
    Keys for over a half-dozen critical other functions

However, instead of paying him a reward, Facebook accused the researcher of intentionally withholding flaws and information from its team and, he says, threatened legal action.

Wesley Weinberg, a senior security researcher at Synack, was participating in Facebook's bug bounty program and started analyzing Instagram systems after a friend pointed him to a potentially vulnerable server at sensu.instagram.com

The researcher found an RCE (Remote Code Execution) bug in the way it processed users’ session cookies that are generally used to remember users' log-in details.
Remote code execution was possible because of two weaknesses:

    The Sensu-Admin web app running on the server contained a hard-coded Ruby secret token
    The app ran on Rails 3.x, whose cookie store signs a Marshal-serialised session with that secret: anyone who knows the token can sign a cookie of their own, and the server deserialises it into whatever object the cookie names, which leads to code execution
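
How the two weaknesses in the list above combine. The code below is an added example, not Weinberg's code nor anything from Sensu or Instagram: it reconstructs the shape of the Rails 3 cookie store (Base64 of a Marshal-serialised session, "--", HMAC-SHA1 over that data) with a placeholder secret standing in for the hard-coded token and an inert placeholder class standing in for a real deserialisation gadget, and sets the hardened JSON-backed form beside it.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Added example, not Sensu/Instagram code. Rebuilds the Rails 3 cookie store
# format so the leaked-secret and Marshal weaknesses can be seen together.
# Placeholder standing in for a secret_token checked into source.
LEAKED_SECRET = 'config-initializers-secret_token-placeholder'

# Placeholder for a deserialisation gadget. Real chains use a class whose load
# hook runs code; this one only records what an attacker could put there.
class AttackerObject
  attr_reader :command
  def initialize(command)
    @command = command
  end
end

def sign(data, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)
end

# Constant-time comparison so the digest check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Rails 3 style: sign a marshalled Ruby object. Whoever holds the secret decides
# which classes get instantiated on the server when the cookie comes back.
def generate_marshal_cookie(session, secret)
  data = Base64.strict_encode64(Marshal.dump(session))
  "#{data}--#{sign(data, secret)}"
end

def verify_marshal_cookie(cookie, secret)
  data, digest = cookie.split('--', 2)
  return nil unless data && digest && secure_compare(digest, sign(data, secret))
  Marshal.load(Base64.decode64(data)) # sink: arbitrary object graph from the network
end

# Hardened form: same signature, JSON payload. A forged cookie can now only
# yield strings, numbers, arrays and hashes, which closes the code-execution
# path; rotating the secret out of source control closes the forgery path.
def generate_json_cookie(session, secret)
  data = Base64.strict_encode64(JSON.generate(session))
  "#{data}--#{sign(data, secret)}"
end

def verify_json_cookie(cookie, secret)
  data, digest = cookie.split('--', 2)
  return nil unless data && digest && secure_compare(digest, sign(data, secret))
  JSON.parse(Base64.decode64(data))
rescue JSON::ParserError, EncodingError
  nil
end

# What an attacker holding the leaked secret can do to the Marshal-backed store.
def forge_marshal_cookie(secret)
  generate_marshal_cookie({ 'user_id' => 1, 'gadget' => AttackerObject.new('id') }, secret)
end

if __FILE__ == $PROGRAM_NAME
  forged = forge_marshal_cookie(LEAKED_SECRET)
  loaded = verify_marshal_cookie(forged, LEAKED_SECRET)
  puts "server instantiated #{loaded['gadget'].class} from a client-supplied cookie"
  puts "same cookie without the secret: #{verify_marshal_cookie(forged, 'other').inspect}"
end
```

The signature is doing its job in both versions; the difference is what a valid signature buys the holder. With Marshal it buys object construction on the server, so a leaked or guessable secret is a remote code execution bug. With JSON it buys session forgery, which is still serious, but the fix is the same rotation of the secret and nothing executes.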

Exploiting the vulnerability, Weinberg was able to make the server dump a database of Instagram and Facebook employee accounts, credentials included.

Although the passwords were hashed with bcrypt, Weinberg cracked a dozen of them in a few minutes because they were very weak (changeme, instagram, password). A slow hash raises the cost of every guess; it does nothing for a password that is among the first few guesses.

Exposed EVERYTHING including Your Selfies

Weinberg did not stop there. Looking through other configuration files on the server, he found one containing keys for the Amazon Web Services account that hosted Instagram's Sensu setup.

That first key pair could list 82 Amazon S3 buckets (storage units) but read only one of them. The latest version of the file he examined there held nothing sensitive, but the bucket kept older versions of its objects, and an earlier revision of the same file still contained a second key pair, one that could read the contents of all 82 buckets. Removing a credential from a file does not revoke it: as long as old object versions (or repository history) still hold it, it has to be rotated.
Weinberg now had access to almost EVERYTHING, including:

    Instagram's source code
    SSL certificates and private keys (including for instagram.com and *.instagram.com)
    API keys that are used for interacting with other services
    Images uploaded by Instagram users
    Static content from the instagram.com website
    Email server credentials
    iOS/Android app signing keys
    Other sensitive data

    "To say that I had gained access to basically all of Instagram's secret key material would probably be a fair statement," Weinberg wrote in his blog. "With the keys I obtained, I could now easily impersonate Instagram, or any valid user or staff member. While out of scope, I would have easily been able to gain full access to any user’s account, [personal] pictures and data."

Responsible Disclosure, but Facebook Threatens Lawsuit

Weinberg reported his findings to Facebook's security team, but the social media giant was concerned he had accessed private data of its users and employees while uncovering the issues.

Instead of receiving a reward for this work, Weinberg was told his findings did not qualify for Facebook's bug bounty program.

In early December, Weinberg says, his boss, Synack CEO Jay Kaplan, received an alarming call from Facebook security chief Alex Stamos about the weaknesses Weinberg had found in Instagram, which had left Instagram and Facebook users open to a devastating attack.

Stamos "stated that he did not want to have to get Facebook's legal team involved, but that he was not sure if this was something he needed to go to law enforcement over," Weinberg wrote in his blog in a section entitled 'Threats and Intimidation.'

In response, Stamos issued a statement, saying he "did not threaten legal action against Synack or [Weinberg] nor did [he] ask for [Weinberg] to be fired."

Stamos said he only told Kaplan to "keep this out of the hands of the lawyers on both sides."

    "Condoning researchers going well above and beyond what is necessary to find and fix critical issues would create a precedent that could be used by those aiming to violate the privacy of our users, and such behavior by legitimate security researchers puts the future of paid bug bounties at risk," Stamos added.


Facebook Responds

After the original publication by the researcher, Facebook issued its response, saying the claims are false and that Weinberg was never told not to publish his findings, rather only asked not to disclose the non-public information he accessed.

The social media giant confirmed the existence of the remote code execution bug in the sensu.instagram.com domain and promised a bug bounty of $2,500 as a reward to Weinberg and his friend who initially hinted that the server was openly accessible.

However, the other vulnerabilities that gave Weinberg access to sensitive data did not qualify, Facebook said, because he violated user privacy in accessing that data.

Here's the full statement by Facebook:

    We are strong advocates of the security researcher community and have built positive relationships with thousands of people through our bug bounty program. These interactions must include trust, however, and that includes reporting the details of bugs that are found and not using them to access private information in an unauthorized manner. In this case, the researcher intentionally withheld bugs and information from our team and went far beyond the guidelines of our program to pull private, non-user data from internal systems.

    We paid him for his initial bug report based on the quality, even though he was not the first to report it, but we didn't pay for the subsequent information that he had withheld. At no point did we say he could not publish his findings — we asked that he refrain from disclosing the non-public information he accessed in violation of our program guidelines. We remain firmly committed to paying for high quality research and helping the community learn from researchers' hard work.

Chinese hacker steals $170,000 by hacking airline website and offering fake re-bookings:


Chinese Hacker Pockets Cool $170,000 After Hacking Airline Website
Chinese hacker defrauds hundreds of passengers by cancelling the flights and sending them re-booking offers

A 19-year-old man in Dalian, China has been arrested by the police after he was caught hacking into an airline’s website, stealing booking information from 1.6 million ticket orders, and ripping off hundreds of travelers. Using the information, the teen went on to make hundreds of fraudulent transactions that pocketed him 1.1 million Yuan ($170,000 / €156,000).

The teenager, identified as Zhang from Heilongjiang, north-east China hacked the website of a yet unnamed Chinese airline company by exploiting vulnerabilities in its B2B system. He illegally downloaded 1.6 million passengers booking details such as names, flight details, ID card numbers, email addresses, and mobile phone numbers.

He also used his access to the website to cancel some current bookings and then, using the stolen contact details, sent group texts telling passengers that "the plane is out of order and the flight is cancelled" and that they needed to pay extra fees to rebook. The re-booking link in those messages collected the fees, and that is how he made his money.

It took the airline three weeks to notice the data breach, and it lost more than 80,000 yuan ($12,365) to customers demanding refunds.

The hack lasted from July 31 to August 20, and by August 22, the airline announced the breach after several fraud complaints from customers, and also on the same day alerted Guangzhou police.

“The suspect coded the hacking software himself,” a police officer said.

According to People’s Daily Online, authorities eventually tracked down Zhang and arrested him in Dalian, a city in North China, on November 11. A police officer said the hack was a result of a loophole in the airline’s computer system and was not highly sophisticated.

5 ways to find what Google knows about you


Five ways to find out what information Google holds about you

Since Google became synonymous with the Internet, the science of advertising has changed, but one thing has not: the worry that your personal information could leak or be sold to an ad company. Here are some ways to see how much of your data is being kept.
1. Account login details

Google lets you review every login to your account, including the device used and the location it was logged in from. You can check this on the Google Security page for your account.
2. Google Dashboard

The Dashboard shows a summary of your whole Google account in one place: calendar records, contact details, synced bookmarks, cloud-printed documents and much more that you will only discover when you use it. Visit the Dashboard to see all of it.
3. Google Ads you clicked

Google keeps track of your advertising interests. On the Google Ads page you can see the ads you have clicked, categorised by type, and the interest profile built from those clicks.
4. Recent activity on the web or in apps

Another feature lets you review the search terms you have used in Google's apps and see which ones you search for most, on the Web & App Activity page.
5. Location history

Location history is one of the most useful features Google offers: it records where your devices have been. It can be really helpful when you want to trace a missing person's movements, and you can manage or delete everything in it. Visit Google Location History.

You Can Hack Into a Linux System by Pressing Backspace 28 Times. Here’s How to Fix It


Grub Vulnerability : You can Hack into a Linux PC/laptop just by pressing ‘Backspace’ 28 times

Most of us swear by Linux as a super secure operating system, but two security researchers from Spain have found a bug in the GRUB2 boot loader used by most Linux distributions that could give even a novice access to a Linux PC, provided they can sit at its keyboard.
Here's how the bug is triggered
If your system is vulnerable:
Hit the backspace key 28 times at the GRUB username prompt during boot. That prompt only appears when GRUB has been configured to require a password, and that is exactly the protection the bug defeats: it drops you into a "Grub rescue shell" on GRUB2 versions 1.98 to 2.02.
This rescue shell gives unauthenticated access to the computer and the ability to load another environment.
From this shell an attacker could reach all the data on the Linux computer, steal or delete it, or install persistent malware or a rootkit, according to researchers Ismael Ripoll and Hector Marco, who published their research on Tuesday. This is a local attack: it needs physical access to the console, and full-disk encryption limits what the shell can read, though not what it can tamper with on the unencrypted boot partition.
According to Ripoll and Marco, the vulnerability affects GRUB2 builds from December 2009 to the present, so Linux PCs installed at any time since then may be affected.
Patch
The good news is that the researchers have published an emergency patch for GRUB2. If you are a Linux user and worried your system might be vulnerable, apply the patch, available here.
Meanwhile, many major distributions, including Ubuntu, Red Hat, and Debian have also released emergency patches to fix the issue.

A single email can give hackers access to the entire network:


Google researchers find code-execution bug in FireEye threat-prevention devices which can give hackers complete access to networks

Almost every company deploys security products to protect its network from threats such as malware and spam. Now imagine that one such device, the one meant to protect your network, has a vulnerability of its own.

Now, researchers say they have uncovered a critical vulnerability in such a product from security firm FireEye that can give attackers full network access.

According to Tavis Ormandy of Google, the team found a vulnerability in the NX, EX, AX and FX series of FireEye appliances. Ormandy says it lets attackers get into a network by sending one of its users a single malicious e-mail, even if it is never opened.

Ormandy, who has uncovered bugs in many anti-virus products in the past, says they informed FireEye about the bug, and explained in a blog post published Tuesday:

‘For networks with deployed FireEye devices, a vulnerability that can be exploited via the passive monitoring interface would be a nightmare scenario. This would mean an attacker would only have to send an email to a user to gain access to a persistent network tap—the recipient wouldn’t even have to read the email, just receiving it would be enough.

‘A network tap is one of the most privileged machines on the network, with access to employee’s email, passwords, downloads, browsing history, confidential attachments, everything. In some deployment configurations* an attacker could tamper with traffic, inserting backdoors or worse. Because FireEye devices typically have a secondary internet-connected interface for updates and management, the issue could even be wormable across the internet.’

The appliances passively monitor HTTP, FTP and SMTP traffic, and whenever a file is transferred they scan it for malware. Ormandy and fellow Project Zero researcher Natalie Silvanovich found a vulnerability reachable through that passive monitoring path. Using the JODE Java decompiler to reverse engineer the Java Archive files the devices use, they worked out how to get the appliance to execute a malicious archive by mimicking features found in legitimate ones.

“Putting these steps together, an attacker can send an e-mail to a user or get them to click a link, and completely compromise one of the most privileged machines on the network,” the researchers reported. “This allows exfiltration of confidential data, tampering with traffic, lateral movement around networks and even self-propagating internet worms.”

In a statement, a FireEye spokesman wrote:

On Friday December 4, FireEye was informed of and confirmed a Remote Code Execution (RCE) vulnerability impacting our NX, EX, AX, and FX products by Google Project Zero’s Tavis Ormandy. FireEye had been engaged with and was supporting the Google Project Zero team prior to this discovery around the testing of our products.

We released an automated remediation to customers just 6 hours after notification, mitigating any customer exposure by Saturday morning, December 5th and released a full, automated fix on Monday, December 7. In addition, we will be releasing a fix to support our out-of-contract customers.

We are thankful for the opportunity to support researchers in the testing of our products and will continue to support their efforts and fully support their efforts to improve our products.

Facebook dispute results in a 14 year old girl being shot dead

Birmingham teenager shot dead after a dispute on Facebook

An argument on Facebook took a ghastly turn of events when it ended in gunfire that killed 14 year old Kierra’onna Rice.

The online Facebook brawl between two groups of friends spilled into the streets as a fistfight and ended in gunfire that killed a 14-year-old girl and wounded two others in Alabama on Friday, authorities said. According to the police, the fistfight between the girls was meant to be recorded for posting online.

Birmingham police said 14-year-old Kierra’onna Rice was shot and killed at around 5 p.m. in Birmingham after two males opened fire when Rice and several other girls met at a park to fight. Birmingham Police Chief A.C. Roper told an NBC reporter that some in the Facebook group planned to record the fight so the video could be posted online.

Those who knew Rice say they never dreamed something like this would happen to her. They say she was loving and would lend a helping hand to anyone. Her classmate Diamond Davis said, “She was a good person. She, she never had any trouble. She was never in anything. She was a good person. She liked to help people.”

These top ten programming languages have the most vulnerable apps on the Internet.

New research shows that scripting languages in general give rise to more security vulnerabilities in web applications, raising concerns about potential security bugs in millions of websites.

The app security firm Veracode has released its State of Software Security: Focus on Application Development report (PDF), analyzing more than 200,000 separate applications from October 1, 2013, through March 31, 2015.

The researchers analysed applications written in languages including PHP, Java, JavaScript, Ruby, .NET, C and C++, Microsoft Classic ASP, Android, iOS and COBOL, scanning hundreds of thousands of applications over the 18-month period.

Researchers found that PHP – and less popular Web development languages Classic ASP and ColdFusion – are the riskiest programming languages for the Internet, while Java and .NET are the safest.

Here's the Top 10 List:

The Veracode report uses a single metric, flaw density per MB: the number of security flaws found per megabyte of application code (the number of critical-severity flaws per MB is given in parentheses).
Here's the list of unlucky winners, ranked by that metric:

    Classic ASP – 1,686 flaws/MB (1,112 critical)
    ColdFusion – 262 flaws/MB (227 critical)
    PHP – 184 flaws/MB (47 critical)
    Java – 51 flaws/MB (5.2 critical)
    .NET – 32 flaws/MB (9.7 critical)
    C++ – 26 flaws/MB (8.8 critical)
    iOS – 23 flaws/MB (0.9 critical)
    Android – 11 flaws/MB (0.4 critical)
    JavaScript – 8 flaws/MB (0.09 critical)


Web Apps in PHP are Most Vulnerable, Here's Why:

PHP sits third by density but matters most in practice, because ColdFusion is a niche high-end tool and Classic ASP is almost dead, while PHP powers a large share of the web.

Taking a closer look at PHP:

    86% of applications written in PHP contained at least one cross-site scripting (XSS) vulnerability.
    56% of apps contained SQL injection (SQLi), one of the most dangerous and easiest to exploit web application vulnerabilities.
    67% of apps allowed for directory traversal.
    61% of apps allowed for code injection.
    58% of apps had problems with credentials management
    73% of apps contained cryptographic issues.
    50% allowed for information leakage.

Of the issues above, SQLi and XSS both appear in the Open Web Application Security Project's (OWASP) Top 10 most critical web application security risks.
And the Title of "Most Vulnerable Programming Language of Year 2015" Goes to…
SQL injection bugs, which let attackers interact directly with a website's database, are the ones blamed for the massive data breaches at toymaker VTech and telecom firm TalkTalk.

According to the report, the scale of the risk can be gauged from the volume of PHP applications built for the top three CMSs (content management systems), WordPress, Drupal and Joomla, which between them hold over 70% of the CMS market.

Choose Your Scripting Language Wisely

Less than a quarter of Java applications contain SQL injection flaws, compared to more than three-quarters of those applications written in PHP.

    "When organizations are starting new development projects and selecting languages and methodologies, the security team has an opportunity to anticipate the types of vulnerabilities that are likely to arise and how best to test for them," Veracode's CTO Chris Wysopal advised.

Hacker has built a $10 device that can predict and store hundreds of American Express credit card numbers

Imagine you have lost your credit card and applied for a fresh credit card from your bank. What if some criminal is using your new credit card before you have even received it?

Yes, it's possible at least with this $10 device.

Hardware hacker Samy Kamkar has built a $10 device that can predict and store hundreds of American Express credit card numbers and play any of them to a magnetic stripe reader without a physical card, even at terminals that have no wireless hardware at all.

The device, dubbed MagSpoof, guesses the next credit card numbers and new expiration dates based on a cancelled credit card's number and when the replacement card was requested respectively.

The process does not require the three- or four-digit card verification code printed on the card.


The tiny gadget would be a dream for any card fraudster, who could keep drawing on stolen cards even after their owners had them blocked or cancelled.

What's MagSpoof?

MagSpoof is a device that can…

    Spoof any magnetic stripe or credit card entirely wirelessly, even on standard magstripe/credit card readers
    Disable chip and PIN (EMV) protection
    Switch between different credit cards
    Accurately predict the card number and expiration date

…on American Express credit cards.


Here's How MagSpoof Works

The "wireless" part of MagSpoof is a coil driven to produce a strong, rapidly changing magnetic field. The field reproduces what a swiped stripe would induce in the reader's head, so the reader sees a card passing even though nothing touches it.

    "What is incredible is that the magstripe reader requires no form of wireless receiver, RFID, or NFC – MagSpoof works wirelessly, even with standard magstripe readers," Kamkar says in his blog. "You can put it up to any traditional point of sales system, and it will believe that a card is being swiped."
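
What the coil has to reproduce is the bit stream of a stripe, so here is that encoding layer as an added example. It is not Kamkar's MagSpoof firmware: a Track 2 encoder and decoder following ISO/IEC 7813 (five-bit characters, four data bits least-significant first plus odd parity, a longitudinal redundancy check after the end sentinel, and a run of clocking zeros on either side). The card number in the sample record is a publicly documented test number, not a real account, and the expiry, service code and discretionary data are made up.

```ruby
# Added example, not Kamkar's MagSpoof firmware. Track 2 per ISO/IEC 7813:
# characters '0'..'?' carry 4 data bits (LSB first) plus an odd parity bit, the
# record runs from start sentinel ';' to end sentinel '?', and a longitudinal
# redundancy check (XOR of every character's 4 data bits, with its own parity)
# follows the end sentinel. A swipe also has clocking zeros either side, which an
# emulator must send so the reader's clock recovery locks on before data starts.
TRACK2_OFFSET = 0x30     # '0' -> 0 ... '?' -> 15
END_SENTINEL  = 0xF      # '?'
LEAD_ZEROS    = 25       # padding bits before and after the record

# Constructed sample record: a publicly documented AmEx test PAN, expiry 25/12,
# service code 201 (ISO 7813: a leading 2 tells the terminal an IC is present,
# which is what EMV fallback decisions key off), made-up discretionary data.
SAMPLE_TRACK2 = ';371449635398431=2512201123456789?'

# Parity bit that makes the 5-bit group contain an odd number of ones.
def odd_parity(nibble)
  nibble.to_s(2).count('1').even? ? 1 : 0
end

# Map the record to 4-bit values, rejecting anything outside the alphabet.
def track2_values(track)
  unless track.start_with?(';') && track.end_with?('?')
    raise ArgumentError, 'track 2 must run from ; to ?'
  end
  track.each_char.map do |c|
    v = c.ord - TRACK2_OFFSET
    raise ArgumentError, "#{c.inspect} is not in the track 2 alphabet" unless (0..15).cover?(v)
    v
  end
end

# String -> array of 0/1 bits in the order a reader head would see them.
def encode_track2(track)
  values = track2_values(track)
  lrc = values.reduce(0, :^)
  bits = Array.new(LEAD_ZEROS, 0)
  (values + [lrc]).each do |v|
    4.times { |i| bits << ((v >> i) & 1) }
    bits << odd_parity(v)
  end
  bits + Array.new(LEAD_ZEROS, 0)
end

# Inverse: skip the preamble, check every parity bit and the LRC, return the string.
def decode_track2(bits)
  i = bits.index(1) or raise ArgumentError, 'no data bits'
  values = []
  loop do
    group = bits[i, 5]
    raise ArgumentError, 'truncated record' unless group && group.length == 5
    v = (0..3).sum { |k| group[k] << k }
    raise ArgumentError, "parity error at bit #{i}" unless group[4] == odd_parity(v)
    values << v
    i += 5
    break if v == END_SENTINEL
  end
  lrc_group = bits[i, 5]
  raise ArgumentError, 'missing LRC' unless lrc_group && lrc_group.length == 5
  lrc = (0..3).sum { |k| lrc_group[k] << k }
  raise ArgumentError, 'LRC parity error' unless lrc_group[4] == odd_parity(lrc)
  raise ArgumentError, 'LRC mismatch' unless lrc == values.reduce(0, :^)
  values.map { |v| (v + TRACK2_OFFSET).chr }.join
end

if __FILE__ == $PROGRAM_NAME
  bits = encode_track2(SAMPLE_TRACK2)
  puts "#{bits.length} bits: #{bits.join}"
  puts decode_track2(bits)
end
```

Everything a stripe reader checks is in this layer: parity per character and the LRC over the record. Neither is a secret, so a correct bit stream from any source is indistinguishable from a real swipe at the head; that is why the defence has to come from the service code and the chip, not from the stripe itself.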

After losing an American Express card, Kamkar noticed that the replacement card's number appeared to have a relationship with his previous three American Express cards.

Kamkar recorded the numbers and worked out a global pattern that let him correctly predict up to 20 American Express card and replacement card numbers that friends shared with him for the research.

Kamkar has also provided the necessary code that you can download from Github by following the instructions to build your own MagSpoof device, but…

…the released code is deliberately incomplete: Kamkar has removed its ability to disable EMV and has not published the AMEX prediction algorithm.


American Express has been notified of the issue and says the company is working on a fix.