
Hello everybody... As promised in my previous post, I’m back with yet another topic: how search engines work. Almost all of us are well aware of the term “search engine”; very few would be unfamiliar with it. With the help of search engines (like Google, Yahoo, AltaVista, etc.), I can search for any topic I want on the Internet. Ever wondered how these search engines work?
Well, here I will not be providing a PoC to hack into these mail accounts. I will be telling you the methodology that can be used to hack into any of these mail accounts. The real effort will be yours.
Let’s start without any more disclaimer speech and the sort.
Information Security, Phishing, Web Application Security | w0lf
That’s scary, and the figure is expected to rise even further in the coming years.
U.S. corporations, governments and universities reported a record 516 consumer data breaches in the first nine months of this year, incidents prompted chiefly by hackers and employee theft, according to a report released today by a nonprofit group that works to prevent fraud. The Identity Theft Resource Center, of San Diego, found that this year’s data breach tally has easily eclipsed 2007’s 446 incidents. At an average of 57 caches of consumer data reported lost or stolen each month, U.S. organizations are on track to divulge at least 680 breaches by the end of 2008.
About 80 percent of the breaches involved digital records, while the remainder stemmed from the loss, theft or exposure of paper-based records. A description of each incident is available in the Identity Theft Resource Center’s 2008 Breach List. Some 30 million records on consumers have been exposed so far this year. But experts say that figure almost certainly masks a much larger problem, as there is currently no federal requirement for organizations that experience a data breach or loss to acknowledge precisely how many consumers nationwide may have been affected.
We discussed an overview of clickjacking previously. This time, along the same lines, a researcher has published a PoC showing how clickjacking can be used to hack into a victim’s audio and video device (webcam). This time GuyA.Net’s PoC preys on Adobe’s Flash Player Settings Manager.
He blogged: “I’ve written a quick and dirty Javascript game that exploit[s] just that, and demonstrate[s] how an attacker can get… hold of the user’s camera and microphone. This can be used, for example, with platforms like ustream, justin and alike, or to stream to a private server to create a malicious surveillance platform”. The exploit essentially turns the browser into a “surveillance zombie,” he added.
Two researchers, Robert Lee and Jack Louis, claim to have found a major TCP/IP protocol vulnerability that can cause a thrilling denial-of-service (DoS) attack. They are yet to reveal the details. A new article reads:
Robert Lee and Jack Louis recently went public claiming to have discovered a new and devastating denial of service (DoS) vulnerability in the core TCP/IP protocol stack used for almost all Internet communication. They refuse to release details before their talk at the T2 security conference in Finland on October 17. Yet they have given many alarming interviews, and the press is having a field day spreading fear and uncertainty. Articles have appeared on The Register (“DoS attack reveals (yet another) crack in net’s core”), Slashdot (“New Denial-of-Service Attack is a Killer”), Search Security (“TCP is fundamentally borked”), and many more publications. In the Register article, Robert Lee says “We haven’t found anybody who has a TCP stack that runs TCP based services that isn’t vulnerable” and that a target machine “basically self thrashes, and the only recovery after about two to four minutes worth of attack flow, even after the attack stops, is to reboot the machine”
Hi all!
I was browsing the net and stumbled across this article on ZDNet. Researchers have come across an open source tool that is capable of launching automated man-in-the-middle attacks against popular sites such as Gmail and Facebook. This tool, Middler, is designed to target users who access services via public networks in hotels, coffee shops and aeroplanes. Besides launching man-in-the-middle attacks, in which communications are intercepted so the attacker can pass his own data between the website and the client device, the tool can also compromise computers and even iPhones via their software-update mechanisms.
The tool is intended to demonstrate a particular weakness found in many popular online applications — the use of clear-text HTTP transmissions for much of the user session.
Two researchers, Robert Hansen and Jeremiah Grossman, were planning to present their research on clickjacking at OWASP, New York City, but had to postpone their presentation because they figured out that exploitation of this vulnerability can be worse. Affected vendors requested them to postpone their disclosure so that they can fix it. Most of the time a vulnerability needs to be fixed by the web application, but this time browser vendors have taken up the task of fixing the vulnerability. Microsoft and Adobe are a few of those affected.
These attacks are somewhat tedious and require precision compared to other powerful attacks like CSRF, SQLi, etc. The attacker needs to know the exact layout of the page that the victim would be viewing; a small shift here or there can foil the whole attack. These attacks can be carried out on pages whose button positions remain static. The CSRF token solution will not work here, because the victim's own click submits the genuine page, token included.
Hey there!
I’m back with a new topic yet again. Today I’ll be discussing what is known as the “Dark Internet” or the “Invisible Web”. Many of you might wonder what this is all about. Well then, folks, read on...
Almost all of us are quite familiar with the term www, or the World Wide Web. There are millions of web sites on the Internet that fulfill your search criteria. For example, if I want to see how many sites are related to information technology, I would simply open any of the popular web search engines (Google, Yahoo, AltaVista, and there are a lot more!) and give my search string, and the search engine gives me a long list of all websites related to information technology.
Gnucitizen has started a new project called Secapps, which will be hosting all online web tools. Seems to be a nice idea. As of now, they have hosted 2 tools: GHDB and CSRF. Both seem to be nice tools, especially the GHDB tool, which has coded a huge DB of Google dorks from Johnny.ihackstuff.com.
The project is still in its beta version but looks promising.
HITBSecConf2008, one of the biggest security conferences conducted, is scheduled for 30 Oct 08 in Malaysia. The event details are as below:
HITB Agenda