TechKranti

Norton Internet Security 2012: More than a Review

noreply@blogger.com (Rahul Sachin Amey) — Wed, 14 Dec 2011 18:00:00 +0000

What is it that thing that reminds you, that you have an Anti-virus installed on your system? Is it the alerts? Naa. You can actually go without being exposed to malware for quite a number of weeks. I think the thing that reminds you that is the constant performance degradation of your machine when it runs the scheduled scans on your system. If that is how you would define an Anti-virus, then my dear friends, I can irrefutably say that Norton Internet Security 2012 (NIS 2012) is not an anti-virus although it functions like one :).

Symantec with its latest addition NIS 2012 presents to you a new era of anti-virus software which won't eat up your processing power in return for securing your system. NIS really secures your system from all sorts of threats, may it be from the internet or from infected flash drives. I have been using NIS 2012 for about 3 months now and I should say that paying adieu to my old Kaspersky was a pretty good decision. Fun fact about Kaspersky: I had set a daily full scan at 12 pm and when I am at the peak of my work it would eat up all my memory which probably belongs to me :). Here I am gonna explain some really cool features that NIS 2012 offers without depleting your precious memory.

1. Download Insight:

The most innovative feature that comes with NIS 2012 is Download insight(DI). It takes care that the file you just downloaded from the Internet is safe from any malware. As soon as you download an executable on your system, NIS 2012 initiates DI to analyze the trustworthiness of the file and within seconds it pops up an alert giving an 'Insight' on the downloaded file.

This is a really cool way to save yourself from threats for which signatures have not yet been downloaded by your AV. This brings us to the concept of 'Cloud-based Scanning'. Cloud-based scanning is the new buzzword in the security industry and a few security vendors are using the term although they often mean something very different.

The obvious advantage of cloud scanning is that the turnaround time for a definition to be available is extremely fast – as soon as a definition is available in the cloud, it is available to the user. What Symantec has done is to build a system that analyzes the reputation of the new software and files across the Internet and then calculates a reputation score for each of them. This system receives feeds from tens of millions of customers that anonymously participate in the Norton Community Watch program. The technology automatically starts working on calculating the reputation score as it becomes aware of new files.

We got in touch with Mr. David Hall, Consumer Product Marketing, Asia Pacific for Syamtec for more clarity about Download Insight. Mr. David says, "Now this is powerful – we have a system that can receive knowledge of new files worldwide and use a Symantec “secret sauce” algorithm to calculate the reputation score automatically! This information is immediately available to Download Insight through the cloud, but quite a bit different than just moving the old signature model to the cloud."

But How is the reputation score of a file determined?

A reputation score is calculated using a complex algorithm based on various parameters. Remember, the main feed in to the Reputation system is the information received from the Norton Community Watch program.   Here’s a list of a few parameters that are used to calculate the reputation score: 

How many instances of a particular file are seen?
How long has that file been around? 
From which URLs were they downloaded? 
What is the basic health of the system that is submitting the data? 
Which software vendor does the file belong to?

Download Insight in action  :

Download Insight monitors when new files are downloaded, and once the download is complete it goes into action:

This is the flow where the user chooses to save the application to a folder on the computer.  

Download Insight observes that the file download from the Internet is complete. 
It calculates the SHA256 hash of that file and immediately asks the online servers for a reputation score. 
Based on the reputation score, Download Insight will:

Prevalence – How widely used is this file is in the Norton Community? It can range from very few instances to millions of machines.
Age – How long has this file been around?
Reputation Rating – What does Norton think of this file? It provides an indication on how trustworthy the file is. 
URL – This provides the website from which this file was downloaded.

Run the download file:

2. SONAR

SONAR provides real-time protection against threats and proactively detects unknown security risks on your computer and identifies emerging threats based on the behavior of applications. SONAR identifies threats quicker than the traditional signature-based threat detection techniques. SONAR detects and protects you against malicious code even before virus definitions and monitors your computer for malicious activities through heuristic detections. In fact, improved SONAR technology in the Norton 2012 products monitors running applications for suspicious behavior to quickly detect and disable previously unknown threats.

Some significant changes were made to SONAR when Symantec launched the Norton 2011 products last year, which included the latest SONAR 3 that built upon the successful, effective and efficient SONAR 2 behavioral security engine. With SONAR 2, Symantec has a proven track record of being able to convict malware and secure Norton users from malware designed to evade most other security features. According to Symantec, "In nine months we prevented upward of 4.2 million infections out of about 140 million incidents that we analyzed for Norton users. Most of these incidents were never-before-seen malware and infection scenarios, thus truly providing "zero-day" protection! The effectiveness of our technology was repeatedly confirmed by external 3rd-party tests and reviews (specifically behavioral security tests and reviews), where we performed at or near 100% detection rates."

Behavioral security is a critical security solution, especially in this era of server-side polymorphic malware where each and every infection can have a unique piece of malware file (unique from the file fingerprint perspective) downloaded on the victim's machine.

SONAR aggregates and correlates information from a number of engines within the product like the Firewall, AV Engine, Intrusion Prevention Engine, etc. All this information is then used by the classifier to improve efficacy and this is a big differentiator for Norton. Most other security products simply don’t have this depth and breadth of information to make a good classifier. In SONAR 3 we have further enhanced our integration with the network component in order to classify, convict, and remediate malware on the basis of its malicious network activity. With this feature in place, we will continue to block and remove many new variants of malware that leave their network footprint unchanged.

3. How does NIS 2012 assure Security without compromising Performance?

NIS 2012 performs quick scans only when the system is in idle mode. So your system would be scanned only when you are away from it. We asked Symantec, "How does NIS select areas for performing quick scans?". Symantec's reply: "Norton will use idle time to scan against a list of files most commonly at risk. This varies dependant on the actual level of trust on the PC and other variables."

But quick scans are not enough to completely secure your system. NIS 2012 is scheduled to perform full system scans weekly. The Full scans too are so silent that you'll hardly notice them. You can see the logs of Full Scans by visiting the Security History

4. Intrusion Prevention

The intrusion prevention capabilities of NIS 2012 are good. It identifies all kinds of network-level attacks. I tried running a Nessus Scan against a virtual host where NIS was installed and the scan did not return any helpful results.

5. Some more miscellaneous yet useful features:

i. Performance Monitoring NIS 2012 provides performance alerts if an application is eating a big chunk of your memory.

ii. Safe Search
This has been a prevalent feature in many modern day anti-viruses. NIS 2012 also ships with IE, Firefox and Chrome plugins for verifying the health of locations of links from a search page. Image below is self-explanatory.

iii. Browser Protection
If NIS 2012 detects malicious content on an HTML page trying to exploit a vulnerability on your browser (especially when you are using IE ;)), it immediately discontinues the connection and pops up a malicious site banner.

iv. Identity Safe
Identity Safe is a password management plugin for your browser where you can set a master password and save all your logins for saving from the nuisance of typing your credentials at every authentication page you visit.

6. Graphical User Interface
The interface provided with NIS 2012 is very intuitive and easy to use. Highlighting some key aspects you can do using the GUI..

The huge world map there shows you the worldwide cybercrime activity for the past 24 hours. Also provides latest viruses that have been discovered and a link that will provide more information on the same.

If you dig deeper into the Advanced tab, you get to see your recent History of threats and ratings of applications installed on your system

7. Minds its own Business
Me being in the security field have to deal with a lot of tools which any Anti-Virus will report as a threat. But it is my choice to use them for my research. So when I tell NIS 2012, not to touch a certain location, it obeys like a very faithful companion, also reminding me about the risks I am exposed to by making this exclusion.

Moral:
NIS 2012 is a product made for all... From the Noob to the Geek... It kinda protects you at every step of your online life.

Lets take a scenario:
Suppose I am the dumbest person on this planet, the biggest n00b ever born. I have NIS 2012 installed. Let's see how NIS 2012 protects me from any possible malware:

1. I open my browser, google for "Some random executable". NIS 2012 tells me which search results are good and which are malicious.

2. I visit some random website and download a the file. NIS 2012 initiates Download Insight and checks the trustworthiness of the file.

3. I execute the downloaded file. NIS 2012 initiates its scanning engine to check for any viruses on the file.

4. The file has been executed. NIS 2012's SONAR functionality will check the application activity for any suspicious actions.

So NIS 2012 has made sure that my PC is secure at every phase of my online and offline activity. So, effectively, along with it being a good Anti-virus, it is also Stupidity-proof ;).

On an ending note: Auditing servers is a part of my job. I see a lot companies using cheap Anti-viruses which provide no real value add to the security infrastructure. It would be my humble recommendation to all those admins out there to use NIS 2012 as their AV (If you really wanna keep your data secure. If you just want to show compliance, use Any.. doesn't matter)

If you want to make a choice on buying an AV... I don't see any other than wise decision than Norton Internet Security 2012.

Key Logger for Android

noreply@blogger.com (Rahul Sachin Amey) — Sun, 21 Aug 2011 06:40:00 +0000

Computer scientists from UC Davis university have developed an Android app named TouchLogger that logs keystrokes using a smartphone's sensors to measure the locations a user taps on the touch screen.

Researchers have demonstrated that it is possible to log individual keystrokes entered on a smartphone's on-screen keyboard using device's built-in accelerometer (also known as the gyroscope). The researches were able to correlate the movements of the phone with individual keystrokes on an all-numeric keypad with an accuracy of about 70%. With minor refinements, the researchers believe they can expand the effectiveness of TouchLogger.

Applications like these can be potentially dangerous as an application does not require special privileges to access the device's accelerometer. Major smartphones, like Apple's iPhone, RIM's Blackberry, etc. give a user the freedom to define special permissions for applications to define their level of access. Usually within these permissions not much importance is given to those pertaining to the device's movements.

The developers of TouchLogger created this application for a PoC to be presented at HotSec'11, San Francisco. Presentation video available here (mp4) and the paper can be downloaded from here. A preliminary evaluation of the tool was done using HTC Evo 4G smartphone.

Following table shows the distribution of inference results which are evident for the app being correct 70% of the time.

The scientists noted that the W3C recently published a specification for web applications to access accelerometer and gyroscope sensors using JavaScript. They are in the process of extending their work into a full research project.

A less original, but rather more effective approach is taken by Android malware called GingerMaster. It uses a root exploit called GingerBreak to permanently compromise the smartphone. According to security researcher Xuxian Jiang, GingerMaster is the first piece of malware to deploy a root exploit for Android 2.3.3 "Gingerbread". It is concealed in repackaged legitimate apps and registers a receiver which will be
notified when the smartphone has finished booting. Once installed, it then launches a background service.

Subscribe to Techkranti feeds
To recieve updates on your mobile, Click here

WiFi Hacking Basics Part 3

noreply@blogger.com (Rahul Sachin Amey) — Fri, 20 May 2011 07:54:00 +0000

So in last post we learned the basic terminology,channels and frequencies of WLAN.
In this post we'll see about Beacon frames and authentication in Wifi.
Ther are two terms you should know about wifi.

ESSID-Name of connection

BSSID- MAC of AP

There are three important packets types we need to care about

Management packets:Used for connection management for ex assocation request,association resonse

Data packets:there is no need to explain data packets .

Control Packets: this packets are used for effective trasmission of data for ex. CTS,RTS

We are here concerned here with Management frames:

Authentication frame: 802.11 authentication is a process whereby the access point either accepts or rejects the identity of a radio NIC. The NIC begins the process by sending an authentication frame containing its identity to the access point. With open system authentication (the default), the radio NIC sends only one authentication frame, and the access point responds with an authentication frame as a response indicating acceptance (or rejection). With the optional shared key authentication, the radio NIC sends an initial authentication frame, and the access point responds with an authentication frame containing challenge text. The radio NIC must send an encrypted version of the challenge text (using its WEP key) in an authentication frame back to the access point. The access point ensures that the radio NIC has the correct WEP key (which is the basis for authentication) by seeing whether the challenge text recovered after decryption is the same that was sent previously. Based on the results of this comparison, the access point replies to the radio NIC with an authentication frame signifying the result of authentication.

Deauthentication frame: A station sends a deauthentication frame to another station if it wishes to terminate secure communications.
Association request frame: 802.11 association enables the access point to allocate resources for and synchronize with a radio NIC. A NIC begins the association process by sending an association request to an access point. This frame carries information about the NIC (e.g., supported data rates) and the SSID of the network it wishes to associate with. After receiving the association request, the access point considers associating with the NIC, and (if accepted) reserves memory space and establishes an association ID for the NIC.
Association response frame: An access point sends an association response frame containing an acceptance or rejection notice to the radio NIC requesting association. If the access point accepts the radio NIC, the frame includes information regarding the association, such as association ID and supported data rates. If the outcome of the association is positive, the radio NIC can utilize the access point to communicate with other NICs on the network and systems on the distribution (i.e., Ethernet) side of the access point.

Disassociation frame: A station sends a disassociation frame to another station if it wishes to terminate the association. For example, a radio NIC that is shut down gracefully can send a disassociation frame to alert the access point that the NIC is powering off. The access point can then relinquish memory allocations and remove the radio NIC from the association table.
Beacon frame: The access point periodically sends a beacon frame to announce its presence and relay information, such as timestamp, SSID, and other parameters regarding the access point to radio NICs that are within range. Radio NICs continually scan all 802.11 radio channels and listen to beacons as the basis for choosing which access point is best to associate with.
Probe request frame: A station sends a probe request frame when it needs to obtain information from another station. For example, a radio NIC would send a probe request to determine which access points are within range.
Probe response frame: A station will respond with a probe response frame, containing capability information, supported data rates, etc., when after it receives a probe request frame.

Ok lets move on to actual process.The time you switch on your wifi how does the card knoew if there's any network?
In WALAN environment with multiple AP's there are frames called Beacon frames.The beacon announces the network, not the individual access point. . If the network consists of just one access point, these are one and the same. Somewhat larger wireless networks will have more than one access point with the same SSID. The beacon offers insufficient information to differentiate between multiple AP's with the same SSID
I assume you have just one AP,still AP will use Beacon frames to broadcast presence of networks.
The client sends a null broadcast packet called 'Probe Request' to AP's in vicinity asking 'Send me connection you have'.Ap reply with Probe Response' client then send 'Authentication Request' to AP.AP respond with 'Auhentication Success'

There are two types of Authentication

Open Authentication
Shared Key Authentication

We'll see about this in more details in seperate post.After authentication,association phase start.Clent send 'Association Request'AP reply with 'Association Response'.

One important thing client store the SSID of networks in a list called PML to which it has connected in past.So whenever wifi is turned on client send Probe Request for these SSID specifically.After these phases atual data communication starts.If you want more info on any of these phases check IEEE 802.11 standard.

Vulnerability in Android has put 99% android handsets at Risk

noreply@blogger.com (Rahul Sachin Amey) — Wed, 18 May 2011 18:04:00 +0000

This risk pertains to using your Android to connect to Facebook, Twitter and some Google services over unencrypted wireless networks. The apps for this services communicate over clear text which can intercepted by an eavesdropper. Google services which are vulnerable to eavesdropping are Google Calendar and Google Contacts. The attack is possible to all Google services using the ClientLogin authentication protocol for access to its data APIs.

ClientLogin is meant to be used for authentication by installed applications and Android apps. Basically, to use ClientLogin, an application needs to request an authentication token (authToken) from the Google service by passing an account name and password via a https connection. The returned authToken can be used for any subsequent request to the service API and is valid for a maximum duration of 2 weeks. However, if this authToken is used in requests send over unencrypted http, an adversary can easily sniff the authToken (e.g. with Wireshark, see screenshot below). Because the authToken is not bound to any session or device specific information the adversary can subsequently use the captured authToken to access any personal data which is made available through the service API. For instance, the adversary can gain full access to the calendar, contacts information, or private web albums of the respective Google user. This means that the adversary can view, modify or delete any contacts, calendar events, or private pictures.

What can the attacker do?
The attack is similar to session stealing(Sidejacking). It is similar to what FireSheep had done.
The attacker can setup a rogue access point and get the victims to connect through his access point. The attacker can then attempt to impersonate the users and modify the information stored in their accounts.

Google has released a patch to solve the ClientLogin protocol problem, but the patch only works for Android 2.3.4 and Android 3.0, meaning that about 99 percent of Android phones don’t have access to the updated code !!!!
Courtesy: Ashish Kumar

WiFi Hacking Basics Part 2

noreply@blogger.com (Rahul Sachin Amey) — Wed, 18 May 2011 08:02:00 +0000

In last post we saw how to setup and capture traffic on moniter mode.Second part of the series is about wifi bands channels.
Noarmally Wifi operate in radio frequency range of 2.4Ghz.This 2.4 Ghz band is divided in channels like 1,2,3.... upto 14.Most important thing any wireless card can be on only one channel at a time because there is only one radio present in each card.
There are following 802.11 standards in Wireless LAN

802.11a : operating frequency 5Ghz
802.11b : operating frequency 2.4 Ghz
802.11g : operating frequency 2.4 Ghz
802.11n : operating frequency 2.4 Ghz

This are standard specified on AP and WLAN card.AP with 802.11a can support and create network of 802.11a and so on.WLAN card need hardware support to operate in different channels.

Source:Wikipedia
In table above you can see various channels along with frequencies.Countries apply their own regulations to both the allowable channels, allowed users and maximum power levels within these frequency ranges.

This was theory lets try some demo..
So how to put a WLAN card on a specific channel ?First verify the current status by command
#iwconfig wlan0
To put card on say channel 1 use following command..
#iwconfig wlan0 channel 1
Now you put card on channel 1 so wlan card can now sniff traffic on ch 1.Same can be done for 802.11 b/g band but you we need to use a tool Airodump-ng.So your card suport 802.11b/g and you want to toggle between these bands use following simple command
#airodump-ng --band {band }
for ex.#airodump-ng --band g
In next post we will cover some terminology of Wifi world and its meaning ..

'Enable Dislike Button' scam on Facebook

noreply@blogger.com (Rahul Sachin Amey) — Tue, 17 May 2011 18:58:00 +0000

Whenever I hated a status message or a shared link on Facebook, I said to myself - "I wish this thing had a dislike button to express my distress".. This must have come to your mind also, specially after disliking some video on Youtube. Well this urge of disliking posts on FB is what hackers are targetting next.. So beware!!! A quick overview of how the hackers get you to click on the link follows:

Following is a screenshot of how the message would be posted on your wall..

Pay close attention to the 'Enable Dislike Button' link besides the 'Comment' in place of the usual share link. The hackers have done so to fool users in believing it to be a Genuine feature added by FB. There is no official dislike button on FB.

Clicking on the link will cause same consequences whcih you might have experienced with the WTF video or Check who is visiting your profile link. The link will be posted on walls of random friends and the cycle will continue. It is believed that the link contains obfuscated javascript which is used by spamsters to study browsing behavior.

Another example relating to the Dislike Button:

This link tricks you into pasting a javascript to your browser. *Not at all recommended.

Repeating Again - "FB does not provide a Dislike feature"

How To Setup a Wi-Fi Hotspot

noreply@blogger.com (Rahul Sachin Amey) — Sun, 15 May 2011 17:20:00 +0000

Creating a Wi-Fi Internet hotspot service from scratch can seem like a daunting task. I had many sleepless nights trying to get to grips with FreeRadius, DD-WRT, Chillispot etc. I hope that this How To helps you to avoid some of the problems I encountered along the way.

********Warning ********

Following these instructions may invalidate your Linksys warranty. You do so at your own risk. These instructions assume that you have an understanding of Linux, PHP MySQL and Apache. If you brick your AP you might get it back by holding down the reset pin for 20 seconds, unplug the power while still holding down the reset button for another 20 seconds and then plugging the power back in while still keeping the reset button held in for a further 20 seconds. This should bring it back to the defaults of whatever firmware you have installed. You should be able to login to 192.168.1.1

*******End of Warning********

Feel free to copy or use this information in any way you like.

What you will need:-

a) DD-WRT
Download the latest version here http://dd-wrt.com

b) FreeRadius
Download the latest version here http://freeradius.org/

c) phpMyPrepaid
Download the latest version here http://sourceforge.net

d) Linsys WRT54GL AP

e) You will also need PHP, Apache, MySQL amd MySql Delopment Modules,(These need to be setup first.) some patience, plenty of coffee and cigarettes.

Step 1 : DD-WRT/Chillispot Configuration

Configure the WRT-54G with the standard Linksys software and the use the upgrade firmware module to install the dd-wrt package on the AP.
*******IMPORTANT******* Use your cable connection to do the upgrade. NOT the wireless connection.
Reboot the AP and login to your new firmare.
Set Dynamic configuration DHCP
Disable DHCP (Chillispot will manage DHCP for your clients.)
Change the Local IP of the AP to 192.168.10.1.
Set your gateway and DNS addresses.
Update changes and log back in to the new IP address.

Go to the administration page.
Enable Chillispot
Enter the IP address of your Radius server.
Enter the DNS.
Enter the redirect URL eg HTTPS://123.123.123.123/cgi-bin/hotspotlogin.cgi/ (MAke sure that the address ends in / and is https.)
Enter a shared key. (This can be anything you like, but keep a note of it you will need it later.)
Set DHCP Interface to Lan+Wlan
Enter a NAS id (Your name for your AP)
Enter a UAM secret (This is the password that Chilli will use to talk to hotspotlogin.cgi)
Save your settings and reboot the AP. Please give the AP about 10 minutes to reboot and initialise all the new services.

Step 2: FreeRadius Configuration.

Untar the FreeRadius tar file and enter its directory.
Type ./configure --with-experimental-modules
make
login as root and type make install
When this is finished copy the radiusd.conf file that you downloaded earlier to /usr/local/etc/raddb/
You should not need to edit radiusd.conf
Edit /usr/local/etc/raddb/sql.conf and in the SQL section make these changes.

# Database type
# Current supported are: rlm_sql_mysql, rlm_sql_postgresql,
# rlm_sql_iodbc, rlm_sql_oracle, rlm_sql_unixodbc, rlm_sql_freetds
driver = "rlm_sql_mysql"

# Connect info

server = "localhost"

login = "yourlogin"

password = "your password"

# Database table configuration
radius_db = "radius"

Edit the /usr/local/etc/raddb/clients.conf file and enter the details of your NAS (AP)

client xxx.xxx.xxx.xxx { (This is the address of your NAS or WRT54G )
secret = xxxxxxx (The secret you entered in the Chilli Config)
shortname = private-network-9 (This can be any name)
nastype = other
( If you want to set up several AP's with one secret the IP address above should be 0.0.0.0/0 )
}

Step 3 : hotspotlogin.cgi
Copy hotspotlogin.cgi from http://chillispot.org to /var/www/cgi-bin
Edit the file and change the secret to the UAM secret that you entered in the Chillispot configuration on the WRT54G.

ou can also use a php script. It is not as secure as the cgi script but easier to personalise. If you want a copy email me at sean@swarmhotspots.com

Step 4 : phpMyPrepaid and MySQL

Extract the phpMyPrepaid file to a directory on your webserver eg /var/www/html/myprepaid
Create a MySQL database called radius and create a user and password for it. Use a script called db_mysql.db that you will find in the phpMyPrepaid download to create the database tables.
Edit the dbconnect.php file in the phpMyPrepaid directory and enter the username and password for your MySQL radius database. IMPORTANT Save this file behind your web directory or your passwords will be easy to hack.
Edit config.inc.php and change the line that points to dbconnect to wherever you have saved dbconnect.php
In your web browser got to http://yoursite.com/whereveryouputphpmyprepaid/ and create some tickets. Check your database to see if the users have been setup in radcheck. Launch FreeRadius as root with this command radiusd -xxyx -l stdout. Pick a user and password from your database and try to login from a wireless client. If you can then it is time for step 5. If not go back to step 1 and check everything.

Step 5 : Have a cup of coffee and unwind. If all is well you have finished. I'll keep an eye on this post and do my best to help anyone with problems.
I have setup a free Radius test area for people that have no access to a Radius server. You can use this service to test your Chillispot configuration. The address is http://swarmhotspots.com/Chilli-Test-Area
Source:Howtoforge.com

WiFi Hacking Basics Part 1

noreply@blogger.com (Rahul Sachin Amey) — Sun, 15 May 2011 17:10:00 +0000

If your are reading this you must have used WiFi atleast once or may be you have your own WiFi network at home.Wifi is cool and hacking wifi is a lot more interesting.Here i am gonna tell you the basics of Wireless Network and how it is hacked so that you get a grasp of what is going on with your Wifi.
I am using a informal term for Wireless Network as Wifi because its more familiar to public.My aim would be to show how Wifi is hacked.You can try yourself this attacks for this
What will you need ,

Laptop with Backtrack installed or Backtrack in VM
Access Point(AP)
USB WiFi Adapter Card which support packet injection(I recommend Alpha Card)
A Smartphone or another laptop with Wifi (as a Victim)

For those who don't know Backtrack,its a Pentest Linux Distro with all tools necessary.Access point can be any SOHO wifi router.USB Wifi Adapter is for packet injection because normal Laptop wifi card chiset don't support Packet Injection.
So lets get started with basics or theory.
Normally your wifi card sniff all wireless network around it but only accepts packets destined to it if its connected to it at all. AP (Access Point) is broadcasting networks SSIDs all the time.SSID means name given to wireless network.This network can be open or closed.Open network don't require any authentication on the other hand closed network require a shared key to connect to it.More on closed network in later posts.
So how to sniff which which network are there?
For this we use a tool in Backtrack called Aircrack-ng suite.To sniff the packets we create a virtual interface called Moniter Mode Interface (mon 0).Mon 0 is created on top wireless interface on your laptop,say wlan 0.
First task would be to create Mon 0.
Goto backtrack open terminal type airmon-ng start wlan0
now mon0 is created, to verify it type in terminal ifconfig you will notice mon0 interface and MAC address same as your wifi card.
Now there is another tool we are going to use to see actual packets Wireshark.Next step fire up Wireshark by typing wireshark & on terminal.You will see in interface mon0 listed start capture on mon0.

then you will see lots of packets if there is any wifi connection in your vicinity,if you dont see any traffic create a network using your AP and check the SSIDs.
What we learned : How to create mon0 and sniff traffic.
Contd.. part 2

Iran is getting paranoid over new cyber-attack 'Stars'

noreply@blogger.com (Rahul Sachin Amey) — Tue, 26 Apr 2011 05:51:00 +0000

After discovering an attack on its SCADA systems willing to take down their nuclear facility, Iran is probably getting paranoid over the whole malware cosmos. It seems that every other abnormal behavior on Iran's critical facility is viewed by them as an attack or a threat to their nuclear reactors. Yesterday Iran's Mehr News Agency reported that the country is under a new kind of cyber attack after Stuxnet, know as 'Stars'. Iran does not yet have complete information what adverse effects of this new so called 'Cyber Attack' is having on its systems.

Excerpts from Mehr's report:

“(However), certain characteristics about the Stars worm have been identified, including that it is compatible with the (targeted) system and that the damage is very slight in the initial stage, and it is likely to be mistaken for executable files of the government,” Senior Iranian lawmaker Jalali stated.

It is not very sure from the official's statement, which operating system is being targeted by Stars. We have to wait for any official announcements from Iran's cyber experts before we or they reach a conclusion of Stars being a reality or is it just a hoax arising out of concern.

Elsewhere in his remarks, Jalali said that although the United States and Israel have flouted international law in their cyber attacks against Iran, this matter can still be pursued through legal channels. He also stated that Siemens, the supplier of SCADA systems used by Iran's facilities, should be held responsible for Stuxnet.

Well Siemens might not be fully responsible, but partially yes. How can one even think of using an OS like Windows which is constantly under new attacks, no matter which AV you install on it, for administration of such critical systems. Windows is liked by all for its user-friendliness and as a way of attracting more clients Siemens had introduced Windows compatible application for administration of its SCADA systems which had a drastic consequence as it was targeted by Stuxnet.

It is indeed "A Little World"

noreply@blogger.com (Rahul Sachin Amey) — Fri, 11 Mar 2011 18:14:00 +0000

I would like to share my views or rather I should say my feelings for a beautiful technology I have encountered lately. What is Information Technology? This question always irritated me in college although I was doing my engineering from the same stream. To this question, the answer that I found, according to my view is: "Information Technology is the APPLICATION of computer systems or computer science in various fields". Application- Yes, that's the word. It is not the sophistication of the technology that matters, it is its application. A few months earlier I had posted about the Sixth Sense Technology. Almost an year after Sixth Sense, this is something that really moved me.

Well not wasting much of your time, I should come straight to the point. It is about an organization I visited a week back. The name of the organization is exactly how I am feeling while writing this - It is indeed "A Little World" . I'll try to explain here how it functions.

The objective of the organization is to expand banking services to the remote villages of India where the average daily income of a person is not more than a few hundred rupees. In finance terms, it is called "Financial Inclusion". Here's how they work:-

First, ALW("A Little World") gets into an agreement with some bank which allows ALW to open accounts and provide a way for transacting funds to the remote villagers.

Once into an agreement, ALW appoints willing representatives from remote villages who are given a self-employment opportunity. These representatives are called "Customer Service Points" or "Customer Service Providers"(ALW, correct me if I am wrong). These CSPs are provided a CSP kit which contains a Nokia Mobile Phone with a Camera and NFC and bluetooth technology and a fingerprint reading and receipt printing equipment.

Now if a villager wants to open an account with the CSP, he approaches the CSP for the same. The joining customer fills up a form and chooses to one of the following forms of identification means:
1. The Joining Form itself
2. A ID card bearing a Barcode or
3. An NFC which stores all customer data in eletronic format

After filling the form, as a means of authentication, fingerprints of six different fingers are scanned and stored in the customer database using the equipment(:( My bank does not provide Biometric authentication ). Finally a picture of the customer is taken using the provided mobile phone. All this data is then transferred over GPRS immediately or at the end of the day to ALW customer database, which is then used to create an account with the bank.

The bank then provides ALW with the account numbers of the enrolled accounts. ALW then creates the identification means for the customer i.e. Barcode Card or NFC card which are sent to the corresponding CSP for the customer.

This was about enrollment. Now let us see how a transaction takes place. The minimum transaction amount for customers with ALW is Rs. 10 and maximum is Rs. 10000. Not too small, not too large for a villager. We are going look at the transaction with NFC card(It is very interesting). If a farmer needs to deposit Rs. 100 to his account, he visits the CSP with his card. To identify the customer, CSP uses the phone which has a custom built application to read the data from the NFC card. The card is read by placing it close to the mobile phone. Once the customer is identified, CSP enters the amount to be deposited, accepts the payment and prints the receipt from the equipment. The communication between the equipment and mobile phone is done over Bluetooth.

While withdrawing an amount, Biometric authentication is done. ALW has constant communication with the bank it holds account to sync the transactions. What less does the CSP provide than a bank branch? Safe, Secure and easily accessible banking is all that we require and yes, ALW is providing it. When a demonstration of this was given to me, it really moved me. It was then when I felt the name of the organization really suits its purpose.

I wish "A Little World" all the very best for their future plans and hope that RBI also blesses them with decent subsidies for their betterment.

How to combine multiple GFI scans into a single report

noreply@blogger.com (Rahul Sachin Amey) — Fri, 17 Dec 2010 07:04:00 +0000

One of TechKranti's regular readers Vinesh Redkar from Mumbai, India requested us to solve a problem he was facing while using GFI Languard. Here's what his query is:

"My compoany has recently bought GFI Languard for scanning the network for vulnerabilities and missing patches. I scanned 25 computers in my office network individually each time entering the credentials for the respective machine. Now I need a statistical report mentioning the percentage of High security vulnerabilities, missing patches and so on. How can I combine the results so that all of them depict one single scan."

Hey Vinesh, we are happy you raised this query. We are glad to attend to it. Here's the solution to your problem-
First of all, for those who have not used GFI Languard ever, lemme tell you that GFI Languard is not any usual port scanning software like nmap. GFI is mostly liked by security admins as it is the perfect tool for performing a security audit of a network without actually having to hire a security consultant. GFI is actually a proprietary tool, but it's trial version is available.

So while scanning a machine using GFI Languard, you need to enter the administrator credentials for that machine as it facilitates the tool to go deep inside the OS to find missing patches and vulnerabilities. It also detects unsecured settings configured on the system, status of your antivirus software and application vulnerabilities too.

You can save GFI scans in XML format. This is the format which will help us combining the results to one aggregate. If you have not saved the scans in XML format after scanning, you can still do it by loading the scan form GFI database(Ctrl+O) and then doing a save operation(Ctrl+S). Following is the structure of a GFI XML result.

<Scan>
<hosts>
<host>
</host>
</hosts>
</Scan>

There are many more nodes within the host node, but we are not interested in it. GFI Languard is there to interpret it for us. So each Scan root node has a hosts child node node, which has many host child nodes. The host node contains all the information about the scan for a specific host. If you understood this all you need is simply a copy and paste job. Well you can edit these XML files using notepad.

Make a copy of any XML result file in which you will be saving the final result. This is your master file. Now find the </host> tag in the file. This is the end of your result for one particular host. If the master file you have selected contains multiple hosts, find the last occurrence of </host> tag. Now open the other scans one by one which you want to integrate in the final result. Copy the text from <host> to </host> which actually contains the result of your scan and paste it after the last occurrence of </host> tag in the master file. Do this for all the individual scans and save the master file. You can open the saved master file in Firefox to confirm if it's error free. You think it's done?? Well, almost.

Here's the catch. Even after doing this when you open the final result in GFI on the same PC from which you had run the scans it will only show the scans that were originally present in our master file. If it has ever happened to you, and you have been wondering why doesn't it work here's the solution.

GFI languard stores all it's scan results in one MS Access database file(.mdb) It is less time consuming for GFI to extract the scan results from the Access file than it is to extract it from an XML file. To lower the computation required while loading an XML scan result, GFI keeps track of scans using a session ID. This session id can be found in the attributes of the <Scan> root node. Here's what it looks like(highlighted):

<Scan UIScan="" Session="145244609" Profile="Full Scan" CreatedOn="11/26/2010 02:52:46 PM" ReadOnly="0" ScansEnded=" 1" profilesenabled=" 1" ScanDuration=" 61" ScheduledScan=" 0" ScannedItemsCount=" 1642" AutoremediationEnabled_MissingPatches=" 0" AutoremediationEnabled_MissingServicePacks=" 0" AutoremediationEnabled_UninstallApplications=" 0">

When you create the master file and paste all the scans into the XML file and try to load the file, GFI first looks for the Session attribute, to determine if the scan exists in its database. So the solution to your problem is simple. Just change the Session attribute to anything you like and you are done. GFI will treat this as one single scan, and you can create aggregated reports for presenting to your management.

I hope that solves your problem Vinesh. Keep writing in. We would be glad to address your problems. Hey readers, if you too are looking for solutions to some problems feels free to post your queries to amey [at] techkranti [dot] com and we would be happy to help you.

Get Security Tips n Tricks on your mobile.

Subscribe to TechKranti's SMS channel

Subscribe to TechKranti's feeds

Nuisance of the Conficker Worm

noreply@blogger.com (Rahul Sachin Amey) — Sun, 12 Dec 2010 11:03:00 +0000

An year back, we had posted about the nuisance of the Conficker Worm in THIS POST. An year later, my colleague Mr. Gaurav Benjamin had a live experience with the havoc Conficker can create. Here is his experience in his own words:

"Hello Everybody,

Just wanted to update you with an Issue which happened at Client site and how was it remediated.

Issue: Domain user accounts getting locked out automatically. When users would lock their terminals and go out for break after coming back their accounts were disabled automatically.

Investigations Done:

1. Checking of domain controller policies for any inconsistencies.

2. Checking of presence of any virus by their antivirus. (McAfee) Result: Nothing was found. (Was not updated)

3. Systems & Server were not patched regularly with Latest patches.

4. Checking of security logs on Server. Result: No information was found.

Client Environment Information:

User Desktops: Windows 7

Server: Windows 2008

Alternative Solutions Recommended:

1. Installing of free ware of AVG and run SCAN on affected machines.

2. Installing Nessus and scan the network for any vulnerabilities.

Issues Found: Detection of virus named “Conficker.B” .

Summary on Functioning of Virus:

Conficker primarily spreads through a Windows Vulnerability (MS08-067), which if un patched allows the worm to attack the Windows file sharing service. Conficker is a type of computer virus called a computer worm. Computer worms take advantage of un patched computer systems to automatically spread themselves.

Once a computer is infected, the infected system begins to scan the Internet, or its local network for un patched computers to infect.

Capabilities of this Virus:

1. Even if you have a backup service in case you get hit by a virus, Conficker Virus instantly disables this backup service so you will definitely be left with nothing.

2. Conficker Virus will also not allow you to enter security websites.

3. It will erase all your recently saved important and official documents.

4. Conficker Virus will also not give you access to security sites and services.

5. It will make your computer vulnerable to infected machines making you get more programs from the malware's creator.

Conficker virus comes in below mentioned versions:

* Win32/Conficker.A was reported to Microsoft on November 21, 2008.

* Win32/Conficker.B was reported to Microsoft on December 29, 2008.

* Win32/Conficker.C was reported to Microsoft on February 20, 2009.

* Win32/Conficker.D was reported to Microsoft on March 4, 2009.

* Win32/Conficker.E was reported to Microsoft on April 8, 2009.

Win32/Conficker.B might spread through file sharing and via removable drives, such as USB drives (also known as thumb drives). The worm adds a file to the removable drive so that when the drive is used, the AutoPlay dialog box will show one additional option.

The Conficker worm can also disable important services on your computer. In the screenshot of the Auto play dialog box below, the option Open folder to view files — Publisher not specified was added by the worm. The highlighted option — Open folder to view files — using Windows Explorer is the option that Windows provides and the option you should use.

If you select the first option, the worm executes and can begin to spread itself to other computers.

The option Open folder to view files — Publisher not specified was added by the worm.

Illustration of working :

Quick Remedies and Information for such Situations:

1. If your computer is infected with the Conficker worm, you may be unable to download certain security products, such as the Microsoft Malicious Software Removal Tool or you may be unable to access certain Web sites, such as Microsoft Update. If you can't access those tools, try using the Windows Live safety scanner.

2. Alternatively you can also try downloading AVG Antivirus and scan the machines.

3. Also you might want to update the antivirus at client site with latest information. And also the patches on desktops & servers to the latest ones.

4. Scan your Computers with Both Anti-Virus and Anti-Spyware software.

We thank Gaurav for sharing his valuable experience with us and expect to receive many such articles from other people reading this post too.

If you've got to say something on Ethical Hacking or Information Security mail us your articles at amey [at] techkranti [dot] com and we'll publish them for you.

Wi-fEye - An automated network penetration testing tool

noreply@blogger.com (Rahul Sachin Amey) — Mon, 15 Nov 2010 09:30:00 +0000

Wi-fEye is designed to help with network penetration testing, Wi-fEye will allow you to perform a number of powerful attacks Automatically, all you have to do is to lunch Wi-fEye, choose which attack to perform, select your target and let Wi-fEye do the magic !!

Wi-fEye is divided to four main menus:
1. Cracking menu: This menu will allow you to:

Enable monitor mode
View avalale Wireless Networks
Launch Airodump-ng on a specific AP
WEP cracking: this will allow you to perform the following
attacks automatically:
Interactive packet replay.
Fake Authentication Attack.
Korek Chopchop Attack.
Fragmentation Attack.
Hirte Attack (cfrag attack).
Wesside-ng.
WPA Cracking: This contains the following attacks:
Wordlist Attack
Rouge AP Attack.

2. Mapping: this menu will allow you to do the following:

Scan the network and view the connected hosts.
Use Nmap Automatically.

3. MITM: this menu will allow you to do the following Automatically:

Enable IP forwarding.
ARP Spoof.
Launch ettercap (Text mode).
Sniff SSL/HTTPS traffic.
Sniff URLs and send them to browser.
Sniff messengers from instant messengers.
Sniff images.
DNS Spoof.
HTTP Session Hijacking (using Hamster).

4. Others: this menu will allow you to o the following automatically:

Change MAC Address.
Hijack software updates (using Evilgrade).

Official Website: http://wi-feye.za1d.com/t
Download page: http://wi-feye.za1d.com/Download.html

Get Updates for Hacking Tools on your mobile.

Subscribe to TechKranti's SMS channel

Subscribe to TechKranti's feeds

SQLninja - An SQL Server injection & takeover tool

noreply@blogger.com (Rahul Sachin Amey) — Mon, 15 Nov 2010 09:01:00 +0000

Fancy going from a SQL Injection on Microsoft SQL Server to a full GUI access on the DB? Take a few new SQL Injection tricks, add a couple of remote shots in the registry to disable Data Execution Prevention, mix with a little Perl that automatically generates a debug script, put all this in a shaker with a Metasploit wrapper, shake well and you have just one of the attack modules of sqlninja!
Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end.
Its main goal is to provide a remote access on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
Bruteforce of 'sa' password (in 2 flavors: dictionary-based and incremental)
Privilege escalation to sysadmin group if 'sa' password has been found
Creation of a custom xp_cmdshell if the original one has been removed
Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
Direct and reverse bindshell, both TCP and UDP
DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works)
Evasion techniques to confuse a few IDS/IPS/WAF
Integration with Metasploit3, to obtain a graphical access to the remote DB server through a VNC server injection
Integration with churrasco.exe, to escalate privileges to SYSTEM on w2k3 via token kidnapping

Platforms supported

Sqlninja is written in Perl and should run
on any UNIX based platform with a Perl interpreter, as long as all
needed modules have been installed. So far it has been successfully
tested on:

Linux
FreeBSD
Mac OS X

Download Page: http://sqlninja.sourceforge.net/

Get Security News on your mobile.

Subscribe to TechKranti's SMS channel

Subscribe to TechKranti's feeds

Protect your data in the cloud says Priya Nayak, Consumer Operations, Google Accounts

noreply@blogger.com (Rahul Sachin Amey) — Mon, 18 Oct 2010 11:56:00 +0000

Like many people, you probably store a lot of important information in your Google Account. I personally check my Gmail account every day (sometimes several times a day) and rely on having access to my mail and contacts wherever I go. Aside from Gmail, my Google Account is tied to lots of other services that help me manage my life and interests: photos, documents, blogs, calendars, and more. That is to say, my Google Account is very valuable to me.

Unfortunately, a Google Account is also valuable in the eyes of spammers and other people looking to do harm. It’s not so much about your specific account, but rather the fact that your friends and family see your Google Account as trustworthy. A perfect example is the “Mugged in London” phishing scam that aims to trick your contacts into wiring money — ostensibly to help you out. If your account is compromised and used to send these messages, your well-meaning friends may find themselves out a chunk of change. If you have sensitive information in your account, it may also be at risk of improper access.

As part of National Cyber Security Awareness month, we want to let you know what you can do to better protect your Google Account.
Stay one step ahead of the bad guys

Account hijackers prey on the bad habits of the average Internet user. Understanding common hijacking techniques and using better security practices will help you stay one step ahead of them.

The most common ways hijackers can get access to your Google password are:
* Password re-use: You sign up for an account on a third-party site with your Google username and password. If that site is hacked and your sign-in information is discovered, the hijacker has easy access to your Google Account.
* Malware: You use a computer with infected software that is designed to steal your passwords as you type (“keylogging”) or grab them from your browser’s cache data.
* Phishing: You respond to a website, email, or phone call that claims to come from a legitimate organization and asks for your username and password.
* Brute force: You use a password that’s easy to guess, like your first or last name plus your birth date (“Laura1968”), or you provide an answer to a secret question that’s common and therefore easy to guess, like “pizza” for “What is your favorite food?”

As you can see, hijackers have many tactics for stealing your password, and it’s important to be aware of all of them.
Take control of your account security across the web
Online accounts that share passwords are like a line of dominoes: When one falls, it doesn’t take much for the others to fall, too. This is why you should choose unique passwords for important accounts like Gmail (your Google Account), your bank, commerce sites, and social networking sites. We’re also working on technology that adds another layer of protection beyond your password to make your Google Account significantly more secure.
Choosing a unique password is not enough to secure your Google Account against every possible threat. That’s why we’ve created an easy-to-use checklist to help you secure your computer, browser, Gmail, and Google Account. We encourage you to go through the entire checklist, but want to highlight these tips:

* Never re-use passwords for your important accounts like online banking, email, social networking, and commerce.

* Change your password periodically, and be sure to do so for important accounts whenever you suspect one of them may have been at risk. Don’t just change your password by a few letters or numbers (“Aquarius5” to “Aquarius6”); change the combination of letters and numbers to something unique each time.

* Never respond to messages, non-Google websites, or phone calls asking for your Google username or password; a legitimate organization will not ask you for this type of information. Report these messages to us so we can take action. If you responded and can no longer access your account, visit our account recovery page.

We hope you’ll take action to ensure your security across the web, not just on Google. Run regular virus scans, don’t re-use your passwords, and keep your software and account recovery information up to date. These simple yet powerful steps can make a difference when it really counts.
SOURCE: Google Online Security Blog

How to change MAC (Medium Access Control) address of NIC

noreply@blogger.com (Rahul Sachin Amey) — Fri, 01 Oct 2010 12:27:00 +0000

As you probably know every NIC (Network Interface Card) has unique address and has various aliases like BIA,Hardware address,Physical address.So, why on Earth we need to change the MAC address?
Let me explain a little bit of networking funda, most of the packet Switches has facility known as port security which allows network admin to limit access to ports by monitoring the MAC address.Which means it can be set to allow only certain MAC address or first 2-3 MAC addresses learned dynamically.
If your ISP has turned on this feature then you can connect only one or two devices to Internet.What if you want more? Now you got why to change , in this case fake, MAC address.You can do this by following ways,

By changing network address field in properties of NIC:
Go to Control Panel>Network Connection(XP) or similar in WIndows 7
then right click on the NIC >Properties> Configure >Advance >Network Address enter the allowed MAC address

Or by using free utility Technitium MAC Address Changer
download here

Follow steps ,images are self explanatory

ASP.Net Web flaw being exploited in the wild

noreply@blogger.com (Rahul Sachin Amey) — Thu, 23 Sep 2010 16:45:00 +0000

Source: TheRegister
Attackers have begun exploiting a recently disclosed vulnerability in Microsoft web-development applications that opens password files and other sensitive data to interception and tampering.

The vulnerability in the way ASP.Net apps encrypt data was disclosed last week at the Ekoparty Conference in Argentina. Microsoft on Friday issued a temporary fix for the so-called “cryptographic padding attack,” which allows attackers to decrypt protected files by sending vulnerable systems large numbers of corrupted requests.

Now, Microsoft security pros say they are seeing “limited attacks” in the wild and warned that they can be used to read and tamper with a system's most sensitive configuration files.

“There is a combination of attacks that was publicly demonstrated that can leak the contents of your web.config file, including any sensitive, unencrypted, information in the file,” Microsoft's Scott Guthrie wrote on Monday night. “You should apply the workaround to block the padding oracle attack in its initial stage of the attack.”

Microsoft personnel also warned about ASP.Net applications that store passwords, database connection strings or other sensitive data in the ViewState object. Because such objects are accessible to the outside, the Microsoft apps automatically encrypt its contents.

But by bombarding a vulnerable server with large amounts of corrupted data and then carefully analyzing the error messages that result, attackers can deduce the key used to encrypt the files. The side-channel attack can be used to convert virtually any file of the attacker's choosing.

The temporary fix involves reconfiguring applications so that all error messages are mapped to a single error page that prevents the attacker from distinguishing among different types of errors A script to identify the oracles that needlessly reveal important cryptographic clues is here.

Thai Duong, one of the researchers who disclosed the vulnerability last week, said here that simply turning off custom error messages was not enough to ward off exploits because attackers can still measure the different amounts of time required for certain errors to be returned.

Microsoft's Guthrie said versions 3.5 SP1 or 4.0 of the .Net platform on which the applications run have protections to prevent such timing analysis. They include an option in the customErrors feature that introduces a random delay in the error page. He recommends turning it on and configuring apps to return precisely the same error response regardless of the error encountered on the server.

Microsoft hasn't said when it plans to issue a permanent fix. Its next regular patch release is scheduled for October 12.

Get Security News on your mobile.

Subscribe to TechKranti's SMS channel

Subscribe to TechKranti's feeds

0-day: Buffer overflow in Adobe Reader and Acrobat

noreply@blogger.com (Rahul Sachin Amey) — Fri, 10 Sep 2010 15:54:00 +0000

Adobe reports a vulnerability in Adobe Reader and Acrobat:

A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild.
Adobe is in the process of evaluating the schedule for an update to resolve this vulnerability.

Affected software versions:
Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh.

Details on the security advisory HERE

Get Security News on your mobile.

Subscribe to TechKranti's SMS channel

Subscribe to TechKranti's feeds

Is your information in safe hands? Customer database threatened by insider leakages

noreply@blogger.com (Rahul Sachin Amey) — Fri, 10 Sep 2010 02:36:00 +0000

Have you ever received promotional calls by companies you have never heard of? Or are you sure that you have never agree to give your phone number to these companies? Customer database is the answers to these questions. Companies acquire your information by buying the database.

Personal information values especially in market-driven economy. Who buy what kinds of products, formulates the marketing and promotion strategies of the companies. A list of personal date do value.

Data could be sold everywhere, by everyone, even from the insiders. Cisco conducted a global study on data security and leakage in businesses in 2008. The study showed ”insider threat” is the major threat to customer data. It means data loss or leakages resulting from employee behavior. It could be due to carelessness, such as forget to log off, share passwords among colleagues, or even fail to return company devices when quitting the job. The internal factor poses a greater threat to the data security far more than external factors such as hackers do.

The above excerpt is taken from hackinthebox.org. To add to it, I would like to describe an incidence with my friend.

I recently joined a technical course which had a tenure of 14 days. In the same batch was a guy named Shella from Italy. He had come to India to just pursue the course. And he had only visited Bangalore and Mumbai. He had bought a Vodafone SIM from Bangalore and no one had his number except two organisations, one, the institute where we were pursuing this course, and two, VODAFONE. One fine day he gets a promotional SMS on his cell from some college offering an MBA course. He narrates to me about this and says "I haven't given my number to anyone in India, except %#Solutions(The institute where we pursued our course), so I think these people might have provided my number to this promoter". But, the SMS was from a college from Bangalore and there is no question of an institute in Mumbai to provide details to some college in Bangalore. So by now we should be pretty sure from where the data had been leaked. Yes, it could be Vodafone, Bangalore.

This was just an example of insider data breaches. Organizations trust their employees to handle sensitive data and they need to do that because employees are the primary assets a company owns. In DEFCON this year a social engineering competition was held to see how creative hackers can be. Hackers demonstrated the idea of a fake interview to siphon information from a rival organization's employee. First the employee in the rival company is called and told that we have a better offer for you than your current one. Then a fake interview is setup with the hacker who poses to be the employer. The place could be a plush lounge or restaurant where the employee feels that the employer is real and not making it all up. After all organizations can go to any extent to get their rival's sensitive information. The hacker then starts siphoning information from the employee and it can be well understood that a human can be most vulnerable when in an interview, because we generally tend to look at the interviewer being superior to us and we are very cautious about our speech. A normal human mind might think that If I am getting a better job just by giving out some information, then it won't harm much. We recommend that the hacker be accompanied with a psychiatrist for better results.:-)

Customer data breaches have been prevalent in India since many years. In a sting operation about 5-6 years ago on a news show I heard that one contact number sells for Rs 7. I am sure the price must have at least been doubled now looking at the competition for better marketing.

Information:
(For Indian Subscribers)If you want to stop receiving promotional SMS' and calls send an SMS as:
'START DND' without quotes and send it to 1909. This is a Do Not Disturb service and has been initiated by TRAI(Telecom Regulatory Authority of India).

Get Security News on your mobile.

Subscribe to TechKranti's SMS channel

Subscribe to TechKranti's feeds

DllHijackAuditor: Check an application's vulnerability to DLL hijacking

noreply@blogger.com (Rahul Sachin Amey) — Thu, 09 Sep 2010 15:52:00 +0000

Earlier we had posted about loads of applications being found vulnerable to DLL hijacking(DLL Hijacking). Without any tools available for checking the integrity of an application, very large number of applications were found vulnerable by security researchers. But now securityxploded has released a tool to check an application's vulnerability to DLL hijacking. More information about the tool and download at the link mentioned below.

http://securityxploded.com/dllhijackauditor.php

Get Security News on your mobile.

Subscribe to TechKranti's SMS channel

Subscribe to TechKranti's feeds

Google introduces Google Instant

noreply@blogger.com (Rahul Sachin Amey) — Thu, 09 Sep 2010 15:22:00 +0000

We all love Google and are just fascinated by the innovations it offers in search as well as other fields. Google is here with yet another awesome feature added to its search, Google Instant. Google had this very cool option of search suggestions as we typed our search query. Going a step further, now as you type your query you get to see your search results along with suggestions. We need not say more about this. Try it for yourself. Here is a screenshot of our experience.

Get Google News on your mobile.

Subscribe to TechKranti's SMS channel

Subscribe to TechKranti's feeds

How To Make XP System a Router

noreply@blogger.com (Rahul Sachin Amey) — Wed, 08 Sep 2010 06:54:00 +0000

IP Forwarding is a very good feature in Windows XP using which a XP machine can be made to act like a router. So, next time you set up home network do consider this. So how to do it?
You will require at least 2 or more NIC(commonly known as LAN Cards) to setup this. OR alternatively on second NIC you can connect a switch. Why multiple NIC's? Its obvious,
1st: NIC that directly connect to internet.
Other: NIC which will act just any other interface of router holding other network.(It will also act as default gateway)

Lets take an example, see fig below,

In the figure as you can see there are 3 NIC one of which connects directly to Internet other two are used as router interface to create different networks.Lets start,

First we have to enable IP forwarding, to do that
Go to Run> type regedit
then follow path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpipParameters

.

Right click IPEnableRouter registry object, and click Modify

In the value data field enter 1. Its done click OK.

Now configure the network cards on the XP machine (router) with following info,
NIC-2
Network Card A (connect to network A):
IP: 10.10.10.1
Netmask: 255.255.255.0
Gateway (GW): [leave it blank]

NIC-3
Network Card B (connect to network B):
IP: 192.168.20.1
Netmask: 255.255.255.0
Gateway (GW): [leave it blank]

NIC-1
Network Card C (connect to Internet via cable/dsl connection)
This information will be based on the Internet connection service which you have subscribed.

Configure all the computers in network A with following information.
Network A
IP: 10.10.10.2-254
Netmask: 255.255.255.0
Gateway (GW): 10.10.10.1

Configure all the computers in network B with following information.
Network B
IP: 192.168.20.2-254
Netmask: 255.255.255.0
Gateway: 192.168.20.1

Image Courtesy: http://www.home-network-help.com/ip-forwarding.html

Get Networking Tips on your mobile.

Subscribe to TechKranti's SMS channel

Subscribe to TechKranti's feeds

Epic Browser - The first-ever web browser for India

noreply@blogger.com (Rahul Sachin Amey) — Sat, 04 Sep 2010 21:33:00 +0000

An Indian startup company Hidden Reflex has launched first ever web browser from India. Epic has been stuffed with many features and applications. It has something which we have never heard of before, an integrated antivirus protection in a browser. The built in antivirus and antispyware is powered by ESET. The browser has a sidebar with lot of widgets already installed such as skins, maps, jobs, news, gmail, yahoo, games and many more. Epic claims to have around 1500 free applications which can be added in the browser. Social networking sites such as Facebook, Twitter, and Orkut are also included in the sidebar. You can log in to your account and on the same time continue working on other things. There are many utility functions in the Epic Browser which I liked. It has a free word processor, a to do tool, snippet app, timer and most importantly it allows you to access your files and folder from the browser itself. It also has an application called Indic which allows you to type in many Indian languages. Hidden Reflex claims that the browser supports 12 Indian languages currently. The browser also allows you to watch videos from YouTube in a small window, so that you can browse other websites while watching videos.

The Epic Browser is the first-ever web browser for India and the first product from the software company Hidden Reflex.

Hidden Reflex is a software product startup founded by Alok Bhardwaj in 2007 and based in Bangalore. Alok, who was raised in the U.S., was inspired by the success of open source software and web 2.0 innovations. Hidden Reflex began as a team of three but soon progressed and now has dedicated teams working on two products simultaneously – the Epic Browser and NewsDrink. The company also has three patents pending related to its product innovations.
The company’s vision is to become the first globally recognized, consumer-oriented software product company in India. According to Alok Bhardwaj, CEO and Founder of Hidden Reflex, “We want to prove that India can be a hub for innovation in software and technology."
Our mission with the Epic browser is to create the most secure, most productive and most “Indian” browsing experience of any web browser!

Get Security News on your mobile.

Subscribe to TechKranti's SMS channel

Subscribe to TechKranti's feeds

Scan, Attack, Detect & Protect on LAN: Download WinArpAttacker

noreply@blogger.com (Rahul Sachin Amey) — Sat, 04 Sep 2010 20:34:00 +0000

Scan, Attack, Detect & Protect on LAN: Download WinArpAttacker by Harsh Daftary

WinArpAttacker is a program that can scan,attack,detect and protect computers on local area network.

The features as following:

1.1 Scan

-. It can scan and show the active hosts on the LAN within a very short time (~2-3 seconds).

It has two scan mode, one is normal scanning, the other is antisniff scanning. The later is to find who is sniffing on the lan.

-. It can save and load computer list file.

-. It can scan the Lan regularly for new computer list.

-. It can update the computer list in passive mode using sniffing technology, that is, it can update the computer list from the sender's address of arp request packets without scanning the lan.

-. It can perform advanced scanning when you open advanced scanning dialg on menu.

-. It can scan a B class ip range in advanced scan dialg.

-. It can scan acthost listed in event listview.

1.2 Attack

-. It can pull and collect all the packets on the LAN.

-. It can perform six attacking actions as following:

(1) Arp Flood - Send ip conflict packets to target computers as fast as possible, if you send too much, the target computers will down. :-(

(2) BanGateway - Tell the gateway a wrong mac address of target computers, so the targets can't receive packet from the internet. This attack is to forbid the targets access the internet.

(3) IPConflict - Like Arp Flood, send ip conflict packets to target computers regularly, maybe the users can't work because of regular ip conflict message. what's more, the targets can't access the lan.

(4) SniffGateway - Spoof the targets and the gateway, you can use sniffer to collect packets between them.

(5) SniffHosts - Spoof among two or above targets, you can use sniffer to collect packets among all of them. (dangerous!!!!)

(6) SniffLan - Just like SniffGateway, the difference is that SniffLan sends broadcast arp packets to tell all computers on the lan that this host is just the gateway, So you can sniff all the data between all hosts with the gateway.(dangerous!!!!!!!!!!!!!!)

-. While spoofing ARP tables, it can act as another gateway (or ip-forwarder) without other users' recognition on the LAN.

-. It can collect and forward packets through WinArpAttacker's ipforward function, you had best check disable system ipforward function because WinArpAttacker can do well.

-. All data sniffed by spoofing and forwarded by WinArpAttacker ipforward function will be counted, as you can see on main interface.

-. As your wish, the arp table is recovered automatically in a little time (about 5 seconds). Your also can select not to recover.

1.3 Detect

-. What is the most important function, it can detect almost all attacking actions metioned as above as well as host status. the event WinArpAttacker can detect is listed as following:

SrcMac_Mismath - Host sent an arp packet, its src_mac doesn't match,so the packet will be ignored.

DstMac_Mismath - Host recv an arp packet, its dst_mac doesn't match,so the packet will be ignored.

Arp_Scan - Host is scanning the lan by arp request for a hosts list.

Arp_Antisniff_Scan - Host is scanning the lan for sniffing host,thus the scanner can know who is sniffing.

Host_Online - Host is online now.

Host_Modify_IP - Host modified its ip to or added a new IP.

Host_Modify_MAC - Host modified its mac address.

New_Host - New gost was found.

Host_Add_IP - Host added a new ip address.

Multi_IP_Host - Host has multi-ip addresses.

Multi_Mac_Host - Host has multi-mac addresses.

Attack_Flood - Host sends a lot of arp packets to another host ,so the target computer maybe slow down.

Attack_Spoof - Host sends special arp packets to sniff the data two targets , so the victims' data exposed.

Attack_Spoof_Lan - Host lets all host on the lan believe that it's just a gateway, so the intruder can sniff all hosts' data to the real gateway.

Attack_Spoof_Ban_Access - Host told host that host has a inexist mac,so the targets can't communicate with each other.

Attack_Spoof_Ban_Access_GW - Host told host that the gateway has a inexist mac, so the target can't access the internet through the gateway.

Attack_Spoof_Ban_Access_Lan - Host broadcast host's mac as a inexist mac, so the target can't communicate with all hosts on the lan.

Attack_IP_Conflict - Host found another host has same ip as its, so the target would be disturbed by ip conflict messages.

Local_Arp_Entry_Change - now WinArpAttacker can watch local arp entry, when a host's mac address in local arp table is changed, WinArpAttacker can report.

Local_Arp_Entry_Add - When a mac address of a host is added to local arp table, WinArpAttacker can report.

-. It can explain each event which WinArpAttacker detected.

-. It can save events to file.

DOWNLOAD HERE

Source: freehacking.net

Islamic hackers invade website of Belvoir Castle in protest over Israeli foreign policy

noreply@blogger.com (Rahul Sachin Amey) — Sat, 04 Sep 2010 20:26:00 +0000

Computer hackers left tourists bemused after replacing a stately home's website with a message protesting Israeli foreign policy. Since about 4.30pm on Friday afternoon, visitors searching for details on Belvoir Castle, near Grantham, have instead found a black page displaying the Algerian flag and lines of text in Arabic.

Last night, IT experts for the castle, the ancestral home of the Duke of Rutland, were still trying to remove the unwanted homepage – although the rest of the site appeared to still be accessible via Google.

A spokesman for the castle said they had no idea why the early 19th century property had been targeted in such a manner.

The number of so-called "defacement" attacks has risen in recent years, with hackers from countries such asEgypt, Turkey, Iran, Syria, Iraq, Saudi Arabia and Morocco hijacking sites.

The Bank of Israel has previously been targeted with hackers posting anti-Israeli, anti-American and pro-Palestinian messages.

The number of such attacks rocketed during the Israel-Lebannon conflict last year, with a number of sites seemingly unrelated to the conflict caught up in the digital vandalism.

On this occasion, the hacker behind the attack appears to be someone who operates under the alias Blackhunter.dz and claims to be part of an Algerian subversive group called the Dz-SeC Team.

He wrote the following, in Arabic, on the Belvoir Castle website: "The cause of this hack is Israel's presence in the 'Serfor'.

"Internet law does not protect the ignorant.

"Thank you to all the pirates of Algeria."

He then went on to thank 13 of his fellow hackers and post the web address of the collective's discussion forum.

Internet expert Gary Warner, speaking to SC magazine in the aftermath of the Gaza conflict, said: "People are wanting to participate and support Palestine and they're finding ample opportunities through tools being created by hackers.

"You can have almost no skills on the computer and take one of these hacker tools and start using it.

"Anything on the internet that might get traffic is a valid target."

Source: freehacking.net