Pro Hack

Increasing Reliance Netconnect speed, Online Transaction failure and Customer Care woes

2012-02-01T00:37:00.001+05:30

Since my data card limit was over, so i got Reliance Netconnect from a colleague, thought it might come handy while posting “IP Subnetting - The easy way” at Prohack and some simple surfing, I was already skeptic of taking the data card actually as I previously had a very bad experience with Reliance Netconnect and doubted if their broadband services are any good. I bet my MTS Mblaze makes it eat dirt any day ,but I had no option at that moment and thought , lets give the fucker another chance.

Ah well..you can say it was more than bad. Firstly, the data card has pretty bad speeds (~30 KBps) and then connection dropping issues. Mind you, I live in Delhi NCR and get full signal bars all the time on Reliance Netconnect Broadband + but still it barely managed to load Facebook. I thought, why not to change the DNS, on experimenting, I found Open DNS and Verizon DNS to be the most stable of all and I got a speed boost of 90-100 KBps : ]]

Here is how you can Increase speed of Reliance Netconnect Broadband + datacard -

Plugin your data card, launch application, go to settings, click on edit.

Click on advanced and put DNS server IPs. I found Verizon 4.2.2.2 //4.2.2.1 and Open DNS 208.67.222.222 // 208.67.220.220 work best for me. You can also try Google DNS 8.8.8.8 // 8.8.4.4 . Experiment and pick your choice.

Once done, click OK, save it and connect. you will get improved speeds..The whole process makes me wonder why Reliance’s default DNS is so slow . Do they even use their datacards at their home ? :|

On to my story, Since, even after changing DNS, the speeds were not good enough for me, so I thought, why not to recharge my MTS Data card online and then use it. Instantly I opened MTS website and after entering required details, transferring money to MTS from my online account, the page hanged and session was timed out. Responding to my sense of deja vu, I checked the data card and found it was not sending/receiving any data. the fucker dropped the connection just I when i was about to get my transaction completed.

I guess it took its revenge :X

I immediately emailed to MTS customer care/RechargeItNow/Bank customer care and I have *yet* to receive a helpful followup message on email. I contacted MTS customer care on phone and entered 1,1,1,1,<datacard MDN number>,1 waited for 2 minutes 46 seconds (yeah..i timed it) , the automated IVR said “after several tries you have not entered any number, so we are transferring your call to our expert” . Well..it wasn't my fault, again, there is some fault in their system as I tried 3 different valid MDN numbers later on and I got the same result. Nevertheless, I was put on call with an *expert* to whom I explained my issue and asked for escalation matrix, the details of email ID and in simple words, “what to do in case of transaction failure, the MTS way ? ”

The result was flabbergasting, the CCE spoke in an english which by all means was incomprehensible to me, I politely disconnected the call and then fumed for 2-3 minutes while looking at the Reliance datacard.

Protip : If you hate someone, gift him a Reliance datacard and watch him cry tears of blood :P

In the meantime i am still waiting for a positive response from my bank/MTS/rechargeitnow.

That was last night and I guess i have been outsmarted by a pathetic Reliance Netconnect.

IP Subnetting – The easy way

2012-01-29T23:23:00.001+05:30

Is network subnetting driving you crazy ? Does binary math gives you headaches ? well..fear not, since the time i have delved into networks, i have gone through all the oohs and aaahs and the NAH’s of the logical crescendo , and I present you the easiest way to do subnetting. Generally,3 questions are being addressed when subnetting an IP-

No of subnets
No of valid hosts and
Host range/block size

We will tackle them one by one. First you need to know about IP addresses and their classes.

Class A includes 0-127 where 0 and 127 are reserved, the default subnet mask for this class is /8 .

Class B includes 128-191 in their first octet, and the default subnet mask for this class is /16

Class C deals with 192-224 in their first octet and the default subnet mask for this class is /24

Also, also, understand a simple concept, subnet masks lying between 8- 15 are A class masks, from 16- 23 are B class and 24-32 are C class masks. Furthermore, a subnet mask can be expressed as this where (N)etwork value and (H)ost values-

Class A : 255.0.0.0 = NNNNNNNN.HHHHHHHH.HHHHHHHH.HHHHHHHH
Class B : 255.255.0.0 = NNNNNNNN.NNNNNNNN.HHHHHHHH.HHHHHHHH
Class C : 255.255.0.0 = NNNNNNNN.NNNNNNNN.NNNNNNNN.HHHHHHHH
Class mask value 8 16 24 32

Now once you see it, lets tackle some real life questions. Lets find the no of subnets and valid hosts for 192.168.10.10/18

See this ? its a C class IP address having a mask of B class (as the mask lies between 16-24) now, in order to find the number of subnets, use the following formulae -

2 ^ (What mask you have been provided – default mask of the IP address given)

putting the values here..

2^(18-16) –> 2^(2) –> 4 subnets

simple : )

Now for calculating the no.of hosts, use the below formulae -

2^(32- what mask you have been provided) –2

Putting values here..

2^(32-18)-2 -> 2^(14)-2 –> 16384-2 –> 16382 hosts

piece of cake ..

now to find the block size, see the provided mask lies between which next default mask value , which in this case is 24 (as 18 is greater than 16 and less than 24) . So ..

Subtract the provided mask with the class mask value which is greater than it.

2^(Next class mask value – provided mask)

which on putting values will be

2^(24-18) –> 2^6 –> 64

So, the block size will be of 64 . So, the IP addresses will be divided into 4 subnets (which we already calculated above) above as -

192.168.0.0 - 192.168.63.255

192.168.64.0 – 192.168.127.255

192.168.128.0 - 192.168.191.255

192.168.192.0 – 192.168.255.255

And the best part, its applicable to all classes : )

Happy Subnetting : ]

Chinese Hackers Trojan-ize US Access Card - The curious case of Sykipot Trojan

2012-01-14T22:27:00.001+05:30

Researchers at AlientVault have uncovered a new strain of Sykipot Trojan which has been used to compromise the Department of Defense-sanctioned smart cards used to authorise network and building access at many US government agencies, the Trojan has been adapted by Chinese hackers in order to lift credentials from compromised systems in order to access classified military networks. The Trojan inadvertently targets PCs attached to smart card readers running ActivClient, the client application of ActivIdentity, in what's been described as a 'smart card proxy' attack.

Read the full Story at the Register

WiFi Protected Standard vulnerability – Cracked, Bruteforced and Documented

2012-01-03T16:05:00.001+05:30

A new critical flaw in Wi-Fi Protected Standard (WPS) has recently been uncovered by Security researcher Stefan Viehböck that leaves wireless routers open to attack. The inherent vulnerability lies in the design protocol that splits the 8 digit PIN in two halves which reduces its complexity and henceforth the time required to crack it. Simple permutations and combinations deduce that an 8 digit pin will create 100 million possible combinations and during his testing Stefan found it takes 2 seconds to test each combination, so bruteforcing was not a feasible option.

Unfortunately, after entering the first 4 digits of a pin, the protocol used by WPS confirms if they are correct or not, which means the pairs can be attacked separately. Also, the remaining 4 digits is just a checksum, so if an attacker has the first 4 digits, he just have to try ~1000 combinations to crack it open , which brings it to a total of 11000 different combinations to the correct pin which reduces the attack time into a matter of hours. You can find the documented PDF here and read the awesomeness.

I guess router manufacturers are up for a software fix, till then , I guess we all have to go back to MAC address .

You can also read how to Hack Wifi using Backtrack , How to detect if someone is using your WiFi or how to detect WiFi hotspots . If you are having an Android, you can also read about how to use your Android for Wardriving.

Happy New Year 2012

2011-12-31T16:25:00.001+05:30

Okay folks :) Its that time of the year again when you can get high (me on red bull) and celebrate like there is no tomorrow (literally..2012 anyone ? ). Happy New Year everyone..I have taken a lot of resolutions for 2012, and I will make them true .. that's one more resolution for me.

As a roundup of 2011, I got hired at Tulip Telecom and now oversee the good, the bad and the nerdy side of security there along with network operations,ranted about the current security scene,wrote about Top Indian Hackers, I got my HTC wildfire (rooted and still kicking ass), got myself a new laptop , got interested into networking, hacked routers and did a lot of research on exotic fields if you have been following the Prohack FB page lately. I am sorry for absence of posts though, which can be attributed to me getting busy on a lot of side projects and on my Job. One of resolutions for 2012 includes giving more time to Prohack and I will see it through .
Nevertheless, stay awesome ! and Have a safe, sane and awesome 2012 .

-Rishabh Dangwal

5 software I cant live without on my laptop (Windows) – A look inside the self confessed geeks laptop and mindset

2011-11-14T22:53:00.001+05:30

Hello fellas,

I purchased a new HP DM-3210AU machine in October, an amazing piece of hardware and one of the highest rated netbook/sub notebook of all time, and yes, I am quite impressed with its performance and capabilities. I finished my share of Call of Duty 4 on it, prepared GNS3 Topologies over it with ease and the machine chomped away everything like a no brainer. In case, ou have been wondering where I had been, you might like to read about it or want to join the Facebook page where I post more frequently .

Well..continuing to my desktop,here is how it looks : ) .

Well..then out of blue (and I think it was Redbull) I decided to write an article on 5 software I cant live without on my new machine , which allows me to simultaneously multitask on it with ease and efficiency. Consider it as a follow up of Top 10 software I cant live without on my PC.

Windows Live Mail

Now here is one of the good things Microsoft has invented, the next generation of Outlook express, simple, easy to use, intuitive and FAST. Though you will argue why I don't use Mozilla Thunderbird over it , well..Mozilla thunderbird is almost takes the same amount of memory as its Windows counterpart, but is twice as slow in terms of interface, and speed matters to me much while checking emails, I do hope you will agree with me. Although I do hate the calendar feature of live (which is a pain due to various issues) but still, it does the primary job it was conceived for.

Download it from here.

Virtual Wifi Router

Again, an amazing piece of software that frees you from the headaches of Android Adhoc wifi patching and the likes of purchasing buggy paid software like Connectify for creating wifi network with ease. I was fed up of creating adhoc networks on Windows 7 and check that my HTC Wildfire (Cyanogen mod 7, version 2.3.7) was not able to properly detect it, there came Virtual Wifi Router to the rescue and trust me, its the best Wifi Network sharing software you will ever get. Highly recommended !!

Download Virtual Wifi Router

K-Lite Mega Codec Pack

Power user friendly yet easy to install , this codec pack will just blow you away, no need to install any other x-y-z player to do the job if your windows media player can play everything (i actually like to keep my laptop clean and use it with minimum software) from the most popular formats to arcane ones..and even allows for great amount of tweaking using its ffdshow interface. link it up with Virtualdub and you have a true gem. Included tools like Gspot, mediainfo and more add the cherry to the already delicious cake . Again, no need of VLC (unless you are into multicast streaming, to confess, i am not much of a VLC fan) and no need of anything else, one codec pack to rule them all : ) .

Download from here

GNS3

I dont think I need to elaborate upon it, since the time I have joined Tulip Telecom, it has been a part and parcel o my life, simulation of complex network topologies and whacky late night experiments (you know about them if you have been following the facebook page) are all possible because of this open source tool. Be it Cisco or juniper, it handles it with ease and the best part is that its hackable, configurable and programmable till the last drop. I have my custom version running over windows (self compiled :) ), pair it with putty connection manager and you are good to go. Also, you might want to look at sample GNS3 tutorials I posted at Prohack or more at the Facebook page.

Download it from here

Google Chrome

Now again..love it or hate it, yet I find chrome as indispensible as a browser, I had issues with Mozilla Firefox (old memory bastard) and Internet Explorer 9 (old bastard), Opera is a favourite but again, I had some issues with it again (opera link issues, broken plugins) , so I finally settled on chrome for general browsing and acceptable response times, but when it comes to testing some web based apps, i jump to Opera for the same for its intuitiveness. Trust me, when it comes to choose a browser, i call it as a choice between evils. So go with the lesser one . You might also want to look at Google Chrome Easter eggs

Download it from here

Well..that sums it up I will be back with some more ramblings of mine.

Till then,

Stay Gold..

Rishabh Dangwal

Diwali Celebrations and Answers to common questions (which people have been asking me)

2011-10-26T23:07:00.002+05:30

First of all..Happy Diwali to everyone :) The festival of light , may it brings the best out of you .

Happy Diwali Everyone :)

In the mean time, there have been a lot of commotion going behind the scenes .. lots of emails asking whether I have gone into some kind of digital hibernation .. So, I will be answering the most common questions here ..

Question : What are you doing these days ?

Answer : Networks..Networks..Networks..and lots of exotic research on some exotic devices..plus some thing related to android,android service codes,gns,cisco,juniper and random stuff about explosives.

Question : Explosives ?

Answer : No typo :) i am into it actually for quite a long time. Home made stuff rocks if you ask me. (and if you are careful)

Question : Okay..so, why no updates ?

Answer : Call it , lack of time (dedicated internet included) .. I am sooo busy in company work that I am not able to post some wonderful findings I have dug up.

Question : Why dont you reply to mails ?

Answer : I reply to each and every mail I get, no matter how "flabbergasting" it may seem to me and only if it gets past my "SPAM" filters.

Question : When you will be back in fulltime writing

Answer : Cant say, I write when I am free..and I will stick to it till I get on a vacation.

Stay Amazing..
Rishabh Dangwal

I too Intended to join a Security NGO (period) and I was proved wrong.

2011-09-22T00:56:00.000+05:30

I came to know about HANS when one of my friends joined it,and eventually I was interested. Hence I thought some research shall suffice before joining one.

PS : bear with me, I am on my android and my thumbs hurt :| Also, in some places, the formatting might not be correct, android blogging issues .

I actually visited their site http://www.indianhans.org had a look at it and found that it had -

A non working Facebook login api system which actually logs you out when you do try to log in, tested it on chrome 14.0.835.163 m / Windows 7 (office PC after hours). Also, a flawed login system that allows you to login inside the side without email confirmation, also PHP code is vulnerable.
Some outdated references to outdated CVE's and nothing of particular interest.
Some 0days which have been patched up long time ago
Whitepapers that on google hacking and mobiles which have been published like wildfire in late 2000's, again nothing of particular interest here
The "Team" that comprises less of experts and more of management folks. No one with any background of security here.
Link to Indian HANS youtube channel.
Pretty crap and old flash games about hacking. LAME !
Backtrack introduction (mainly) and no technical tutorials in short
Zero original research.

Disillusioned, I wrote a mail to Indian HANS team and queried Indian HANS team regarding the services they provide and what they do -

Subject : Queries for Indian Hans team from a Security Enthusiastic
Dear Indian HANS Team,

I have some queries which I would like to be answered -

What is the ultimate motive of HANS ? Are you consultants ? If YES then on what grounds ? If NO, then ,

Can you provide links to your -

Original research

ORIGINAL technical advisories/papers

Tools that you wrote

Code that you released

Configurations of exotic software

Exploits and modules

0day/0hour vulnerabilities

Vulnerabilities what you found

Cases of complexity that were solved

CVE

Documentation of exploits

Original findings

Which fellow infosec researchers are working at HANS? All i found was more of management guys (seriously?) volunteers,executives,technical experts,naive girls,inexperienced folks but no security folks or self confessed hackers with known security experience and expertise.

What is the symbiotic influence of joining Indian Hans ? Or Why SHALL we join HANS ?

--
Warm Regards,

Rishabh Dangwal
Network Security Analyst
TheProhack.com | Rish.co.in
India

"0x72697368 was here, 2620796f75206172652077617374696e6720796f75722074696d65202e2e2064756d62617373"

and waited.
A day passed and the reply came.

Subject : reply to an abuse mail

Warm Greets,

First of all I would like to say thanks, for being so concerned about our organization.

Following are the thoughts I would like to share about our organization.

1) Our motive is to fill the gap between the cyber victims and the security experts, as many times we felt that in spite of availability to many security experts in market still victims are not able to get there answers.
2) Yes, we are consultants/Knowledge Sharers as we guide the common measures to cyber victims and government bodies [maharasthra/Punjab police]such that they can overcome a cyber crime rate.
3) I have written 2 International Papers :
· In response to Google Hacking
· Future Email Security

And 2 national papers:
· Mobile Security and upcoming challenges
· Acknowledgement based System for Mobile Security.
4) I have not written any security tool/configurations yet But, I write other Business applications for Accenture as an Associate Software Engineer.
5) We have solved numerous cases which deals with daily cyber problems including ATM cloning case [chandigarh], Source code theft case [Pune], Abuse email, fake profiles, email threatening and other hundreds. www.youtube.com/theindianhans
6) Ya, you are right 90% of our Organization members have managerial skills, because we strongly believe that having only technical knowledge is not enough to cease the cyber crime rate, because solving a cyber crime is thinking out of the box process.
7) Joining a HANS, shows your commitment towards our society, that you have a zeal to help others with your knowledge and skills.

I also wish to bring to your notice without hurting your ego and sentiments that,

We are not competitors of any private owned body who work only for money. Many times we get such mails which prove that really HANS is doing a greats job. These kinds of mails show our Power of being united and our influence on other private organization. It is my humble requests kindly don’t compare our NGO with other private organizations as our motto is different. we don’t believe in writing the viruses, exploits, tools and other stuff because these things wont help a common man who is not IT literate, to overcome a cyber problem. I wont ask you same the questions as I have nothing to do with same. I hope I have given your answers without hurting you and your team members feelings. I highly apologize if I did so.

Thanks

Happy Hacking

HANS TEAM.

Now that was interesting, my mail has been treated as an abuse email, well..nevermind. A rather to-the-point approach may be confused with that. Well, what they said -

1) Our motive is to fill the gap between the cyber victims and the security experts, as many times we felt that in spite of availability to many security experts in market still victims are not able to get there answers.2) Yes, we are consultants/Knowledge Sharers as we guide the common measures to cyber victims and government bodies [maharasthra/Punjab police]such that they can overcome a cyber crime rate. I actually expected that HANS shall justify itself as a for-profit/not-for-profit organisation and why it requires money to join it when the elite organisations for example Null is a self sustained, free and aimed at the very thing HANS intends to achieve. helping naive people ? Ofcourse..thats why a lot of organisations has been growing like mushrooms (kaizen ?) and making money from it by joining it. The core thing is that i am 100% sure that volunteers / infosec reserachers wont learn anything new and will waste their time here.

moving on ,

3) I have written 2 International Papers :·In response to Google Hacking·Future Email Security And 2 national papers:·Mobile Security and upcoming challenges·Acknowledgement based System for Mobile Security.Great..i disregard them as recycled content, already checked it. 4) I have not written any security tool/configurations yet But, I write other Business applications for Accenture as an Associate Software Engineer. that was fine with me. 5) We have solved numerous cases which deals with daily cyber problems including ATM cloning case [chandigarh], Source code theft case [Pune], Abuse email, fake profiles, email threatening and other hundreds. www.youtube.com/theindianhansAgain, they have solved a lot of cases and hundreds , i would regard it as weasel terms. no journal on how they were solved, the method, instrumental techniques, research employed, tools/techniquies deployed, the collaboration, nothing covered, nothing said, just distorted videos at youtube. Again..no references to it. 6) Ya, you are right 90% of our Organization members have managerial skills, because we strongly believe that having only technical knowledge is not enough to cease the cyber crime rate, because solving a cyber crime is thinking out of the box process.7) Joining a HANS, shows your commitment towards our society, that you have a zeal to help others with your knowledge and skills.

How management can help decrease cybercrime rates is beyond me unless they really have the skills to get it in their heads. All aboard the failboat here.

I also wish to bring to your notice without hurting your ego and sentiments that,

We are not competitors of any private owned body who work only for money. Many times we get such mails which prove that really HANS is doing a greats job. These kinds of mails show our Power of being united and our influence on other private organization. It is my humble requests kindly don’t compare our NGO with other private organizations as our motto is different. we don’t believe in writing the viruses, exploits, tools and other stuff because these things wont help a common man who is not IT literate, to overcome a cyber problem. I wont ask you same the questions as I have nothing to do with same. I hope I have given your answers without hurting you and your team members feelings. I highly apologize if I did so.

thats nice of you,and encouraging, but since you dont write viruses,exploits,0days or anything remotely related with it, then -

Why they are linked in your website at http://www.indianhans.org/index-4.html ?
How do you decipher complex hack jobs them when most of your team is management one with no background of security

Anyways..i fired up my android and wrote a reply.

Subject - Re: reply to an abuse mail
Dear Indian Hans,

The email was not an intended as an abuse email as indicated by your subject, I would rather pass your defenses as plain excuses for hiding underlying incompetence since it requires Money to join and still no viable, updated information/code/application (as you said you develop it as associate software engineer for organisations , yet saying that you bridge the gap) , accurate information (I studied the Google hacking and mobile whitepaper, the stuff has been published before a million times, hence I would just regard it something to enhance resume) and would consider your organization nothing but a money making enterprise run by homebrew entrepreneurs without any credible research, what you solved in cases what nothing I shall say of technical callibre or "hacking ", its in more generic sense called as tech support for those who know nothing about cyber security, while earning fame and money in the process.
I earlier thought to join it, hence inquired about it in a rather direct & to the point manner,but your response, links, references and treatment of it as an abuse email (?) makes me guess its in my best interest to stay away and convey the same to intended audience.
Stay superb

-sent from my android-

call me harsh, but that is the reality. And I am waiting for the reply. Now, I can say that I too Intended to join a Security NGO (period) and I now I am thinking otherwise.

Training on Unified Threat Management and Corporate Security

2011-09-09T15:23:00.001+05:30

A while back I gave training on UTM devices and Security Issues with Amarjit Singh at Tulip Telecom , here are the slides of the session. It was an enjoyable session with emphasis on security awareness and discussing network security as a whole, and how we can protect them by deploying UTM devices and configuring them for maximum security. You can also read my previous posts on Unified Threat management Systems if you haven't read them already -

Corporate Security Issues and countering them using Unified Threat Management Systems and SSL VPN

As usual , the presentation is uploaded at Slideshare and Scribd...Hope you enjoy it.

GNS 3 Tutorial - configuring Static VRRP over Cisco router and testing it

2011-08-24T21:38:00.000+05:30

Hi all,
I was working over 7200 routers for HSRP and VRRP implementation, and thought why not to cover an article over it. I will be covering Static VRRP over Cisco routers in GNS3 and will be showing you how to test it. you can also read my basic GNS3 tutorial over Cisco routers if you wish

GNS 3 Tutorial – Basic Router password Configuration

A bit about VRRP from Cisco Documentation.

The Virtual Router Redundancy Protocol (VRRP) is an election protocol that dynamically assigns responsibility for one or more virtual routers to the VRRP routers on a LAN, allowing several routers on a multiaccess link to utilize the same virtual IP address. A VRRP router is configured to run the VRRP protocol in conjunction with one or more other routers attached to a LAN. In a VRRP configuration, one router is elected as the virtual router master, with the other routers acting as backups in case the virtual router master fails.

In layman's terms, it allows for switching of routers in case a link fails or flaps. I have left some advanced parts from this tutorial, this is completely for those who have a general idea of Cisco CLI and want to learn how to configure fault tolerant VRRP over cisco routers.

Here is the GNS3 topology I will be using for this tutorial

Now, fire up your GNS3 and start by configuring all the routers. Click on the console button over titlebar to start putty terminal.the first step is to configure telnet over routers R3.

(PS: I have kept the passwords simple for the sake of simplicity, don't try this habit in an actual scenario.)

Router R3

Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line vty 0
Router(config-line)#password r3
Router(config-line)#login
Router(config-line)#exit

Once done, Lets configure the R3 router and assign IP address over it.

Router(config)#int s0/0
Router(config-if)#ip add
Router(config-if)#ip address 1.1.1.1 255.255.255.252
Router(config-if)#no sh
Router(config)#int s0/1
Router(config-if)#ip address 2.1.1.1 255.255.255.252
Router(config-if)#no sh
Router(config-if)#
Router(config-if)#exit
Router(config)#

So far, router R3 has been configured. Do the same for all others. make sure to assign R4 and R5 same lan IP.

Router R4

Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line vty 0
Router(config-line)#password r4
Router(config-line)#login
Router(config-line)#exit

and Interface IP's

Router(config)#int s0/0
Router(config-if)#ip add
Router(config-if)#ip address 1.1.1.1 255.255.255.252
Router(config-if)#no sh
Router(config)#int e1/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#no sh
Router(config-if)#
Router(config-if)#exit
Router(config)#

Router R5

Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#line vty 0
Router(config-line)#password r5
Router(config-line)#login
Router(config-line)#exit

and Interface IP's

Router(config)#int s0/0
Router(config-if)#ip add
Router(config-if)#ip address 1.1.1.1 255.255.255.252
Router(config-if)#no sh
Router(config)#int e1/0
Router(config-if)#ip address 192.168.1.2 255.255.255.0
Router(config-if)#no sh
Router(config-if)#
Router(config-if)#exit
Router(config)#

Once done, its time to add some routes to the routers. After doing it, Ping everything to every lan/wan just to be safe and sure.

Router R3

Router(config)#ip route 192.168.1.0 255.255.255.0 1.1.1.2
Router(config)#ip route 192.168.1.0 255.255.255.0 2.1.1.2 20

Router R4

Router(config)#ip route 2.1.1.0 255.255.255.0 192.168.1.2 20
Router(config)#ip route 2.1.1.0 255.255.255.0 1.1.1.1

Router R5

Router(config)#ip route 1.1.1.0 255.255.255.0 2.1.1.1 20
Router(config)#ip route 1.1.1.0 255.255.255.0 192.168.1.1

If it doesnt pings, then you might have screwed up some where.

Run "sh ip route" over router to check configuration.

Router 3

Router#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
1.0.0.0/30 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Serial0/0
2.0.0.0/30 is subnetted, 1 subnets
C 2.1.1.0 is directly connected, Serial0/1
S 192.168.1.0/24 [1/0] via 1.1.1.2

Router R4

Router#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
1.0.0.0/30 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Serial0/0
2.0.0.0/24 is subnetted, 1 subnets
S 2.1.1.0 [1/0] via 192.168.1.2
[1/0] via 1.1.1.1
C 192.168.1.0/24 is directly connected, Ethernet1/0

Router R5

Router#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
S 1.1.1.0 [1/0] via 192.168.1.1
2.0.0.0/30 is subnetted, 1 subnets
C 2.1.1.0 is directly connected, Serial0/0
C 192.168.1.0/24 is directly connected, Ethernet1/0

Till here, basic configuration has been done. now we will configure VRRP over R4 on ethernet interface.

Now in very very simple terms,

We will be tracking an interface (by giving it a track id) which in case if goes down the router shall switch states, in this case its the serial link from Router R3 to R4 (serial 0/0)
We will be creating a group of routers (here R4 and R5),
Assign a group ID to them (which is "1" btw) ,
After that, we will create a Virtual gateway over both routers which will be always up in case any router goes down (and thats why we gave both routers IP's from same lan) .
Then will select one of them as Master router and Rackup router (R4 in this case and R5 as Backup) and assign priority to them (higher is important, default is 100, 200 to R4, default to R5).
We will specify a decreasing value which shall be subtracted from priority which will preempt it to switch to router with higher priority, which in this case is 110. As serial link from R3 to R4 fails, 110 will be subtracted from 200 and hence R5 will have a higher priority 100 > then priority of R4 which is 90, hence it will become the Master router.
Test it :)

Router R4

Assign track id to Serial interface, which will be monitored by R4 .

Router(config)#track 1 interface serial 0/0 line-protocol
Router(config-track)#exit

Then configuring VRRP over it.

Router(config)#int e1/0
Router(config-if)#vrrp 1 ip 192.168.1.3
Router(config-if)#vrrp 1 priority 200
Router(config-if)#vrrp 1 preempt
Router(config-if)#vrrp 1 track 1 decrement 110
Router(config-if)#exit

Hence the final configuration upon "sh vrrp" will be

Ethernet1/0 - Group 1
State is Master
Virtual IP address is 192.168.1.3
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 200
Track object 1 state Up decrement 110
Master Router is 192.168.1.1 (local), priority is 200
Master Advertisement interval is 1.000 sec
Master Down interval is 3.218 sec

Now we need to configure VRRP over Router 5

Router 5

Not much to do here except to enable preempt and VRRP..

Router(config)#int e1/0
Router(config-if)#vrrp 1 ip 192.168.1.3
Router(config-if)#vrrp 1 preempt
Router(config-if)#exit

hence final configuration of Router 5 will be

Ethernet1/0 - Group 1
State is Backup
Virtual IP address is 192.168.1.3
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 100
Master Router is 192.168.1.1, priority is 200
Master Advertisement interval is 1.000 sec
Master Down interval is 3.609 sec (expires in 3.201 sec)

Congrats :) you have configured VRRP over your routers. Now to check , if its working or not, first traceroute your packet to 192.168.1.0 lan from Router R3

Router#traceroute 192.168.1.1
Type escape sequence to abort.
Tracing the route to 192.168.1.1
1 1.1.1.2 56 msec 88 msec *

Its going through our primary router :) now telnet from Router R3 to virtual gateway.

Router#telnet 192.168.1.3
Trying 192.168.1.3 ... Open

User Access Verification
Password:
Router>

If the password which gives you access is r4, then its configured correctly as of now. Now , lets shut unshut the primary serial interface from Router R3 .

Router#
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int s0/0
Router(config-if)#sh
Router(config-if)#exit
Router(config)#
*Mar 1 00:57:27.927: %LINK-5-CHANGED: Interface Serial0/0, changed state to administratively down
*Mar 1 00:57:28.927: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to down
Router(config)#exit
Router#
*Mar 1 00:57:38.483: %SYS-5-CONFIG_I: Configured from console by console
Router#

Good, now ping virtual gateway

Router#ping 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/49/80 ms

its working fine, now traceroute the packet to 192.168.1.0 lan from Router R3

Router#traceroute 192.168.1.1
Type escape sequence to abort.
Tracing the route to 192.168.1.1
1 2.1.1.2 64 msec 68 msec 64 msec
2 192.168.1.1 44 msec 68 msec *

:)) its working too..now finally we login into virtual gateway from Router R3 and i assume we will login into Router R5, and then lets check out the VRRP configuration by running "sh vrrp" command.

Router#
Router#telnet 192.168.1.3
Trying 192.168.1.3 ... Open

User Access Verification
Password:
Router>sh vrrp
Ethernet1/0 - Group 1
State is Master
Virtual IP address is 192.168.1.3
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 100
Master Router is 192.168.1.2 (local), priority is 100
Master Advertisement interval is 1.000 sec
Master Down interval is 3.609 sec

which works :) as Router R5 is the Master Router for now. Now disconnect from Router R5 and unshut the serial interface from Router R3, login into virtual gateway again and then check out the VRRP configuration by running "sh vrrp" command.

Router#exit
[Connection to 192.168.1.3 closed by foreign host]
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#int s0/0
Router(config-if)#no sh
Router(config-if)#exit
Router(config)#
*Mar 1 01:08:41.739: %LINK-3-UPDOWN: Interface Serial0/0, changed state to up
*Mar 1 01:08:42.743: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0, changed state to upexit
Router#
*Mar 1 01:08:46.955: %SYS-5-CONFIG_I: Configured from console by console
Router#telnet 192.168.1.3
Trying 192.168.1.3 ... Open

User Access Verification
Password:
Router>sh vrrp
Ethernet1/0 - Group 1
State is Master
Virtual IP address is 192.168.1.3
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 200
Track object 1 state Up decrement 110
Master Router is 192.168.1.1 (local), priority is 200
Master Advertisement interval is 1.000 sec
Master Down interval is 3.218 sec
Router>

Excellent..VRRP has been fully configured as the Router R4 is again the Master Router :)

Congrats..you have successfully configured the VRRP over Static on Cisco Routers and fully tested it for fault tolerance .

till then

Stay Gold :))

BSNL router hacking and possibility of running custom code over it

2011-08-15T13:18:00.011+05:30

Hi all,

I am sorry I have been inactive due to my job, i actually got free this weekend and there we go, i was at home. At home I am having BSNL connection, and for those who dont know what BSNL is, its the AT&T of India, bad service , too much blank spots and connections which flap/drop/disconnect like there is no tomorrow. Worst, I was on my android, trying to get the latest of cyanogen nightlies . I was frustrated by the services of BSNL. Hence I decided to mess with the router itself.

BSNL router on closer inspection is manufactured by SemIndia and distributed by ITI. It follows the tracks of using firmware of different routers (Broadcom to be specific, BCM6338 stands for Broadcom router firmware version 96338, deployed in US robotics ones and some other popular routers). mine is DNA-A211-1 , one of most popular ones in India.

and then its just configured accordingly wrt ISP. This time, I left the network part, as i do it all the time in my office with Cisco, focused more on the router and firmware itself.

Warning :

I am not responsible for getting your router trashed, getting wings and trying to kill you. try on your own risk, I am not responsible for your stupidity.

I didn't had a PC (trashed due to burnt ram), so I have to do everything on my android, so pardon for small screen area, understand my plight. T-netted into Router

(PS : screencaps of android may be a bit distorted as shootme app was not working properly over nightly #120)

the first step was to know what was into it, so typed the usual help.

lots of commands :) ran swversion to get the version and see what was this upto.

With some hunting , i came to know that "sh" command runs over my router , ran it and voila, familiar interface of busybox snaps in.

great..now thats worth something. My android has it too :)) seeing the version made me tick , it was running an older version of busybox. For those who don't know hat busybox is, its a multicall binary. Tried ls, but it didnt worked, hence tried echo *, listed everything :)

bingo..tried cat /etc/passwd and there we go again.

after that, i thought why not to check what other directories have. got into CVS and got information regarding CVS and pserver, noteworthy one is the credentials of pserver

pserver:sunila@192.168.128.19:/home/cvsroot

not much of an interest as they are of a private LAN, googled to find it was configured by Sunil A, employee at SIEMIndia. Again,opened Repository

SemIndia/Engineering/Products/ADSL2Plus/Integ_Source/targets/fs.src

maybe a private repo at SIEM. neverthless..

moved on to /etc

lots of directories here..as a rule of thumb I opened default.cfg

Generic stuff, but what caught my eye was this

&amp;amp;amp;lt;ppp_conId1 userName="multiplay" password="bXVsdGlwbGF5"

This might come in handy (use your creativity :)) ) . But then I thought that why not to access the router from web interface. I did it.

Went to management and downloaded the backupsettings.conf file,

opened it and there we go,

I was not able to find the above credentials in it, hence I came to a conclusion that they must be somewhat of higher privilege level.

Moving on..I thought why not to try to create an arbitrary file . Tried

echo ‘rishrockz’ &amp;amp;amp;gt;&amp;amp;amp;gt; rdx

on every directory (I was not able to determine the file permissions as the version of busybox doesn’t has ls or stat ) Finally came to know that /var is writable. Tried creating a file there

echo ‘rishrockz’ &amp;amp;amp;gt;&amp;amp;amp;gt; rdx

file was created : )))))

and then

cat /var/rdx

: ))))

Congrats, you have run/done it :) )

Now I thought why not to upgrade busybox/upgrade firmware/upload scripts over the router, tried tftp

didn’t worked. Then I checked if the tftp daemon was running as a service, it was. yet somehow I was not able to run it. :(

Strange. I thought forget it (small screen keyboard and android research limitation -&amp;amp;amp;gt; frustration) . Well.. next time I will be thinking of going to compile programs (http://people.debian.org/~debacle/cross/) and copying over them using echo (once I get a PC) , I have got some nice ideas and will be deploying them .

In the mean time, for those who are wondering what this machine has, here is the bootup log.

Observation 1 # - code can be run over the router , but files must be copied using echo (-ne with append option) or tftp. Since busybox is there, we can easily insert a kernel module to be run.
Observation 2# - the webs directory has a lot of html files, maybe manipulated for xss attacks (i didnt covered it as its not my domain, some better guys can do it)
Observation 3# - private CVS credentials of Siemindia pserver. insider attack ? :D kidding. pserver is already much insecure, but since i have seen a lot of organisations using stock/easily guessable passwords for their outer router/firewalls/vpn servers, its not a tough nut to crack.
Observation 4# (most important) - BSNL SUCKS !

Till then .. Stay Gold

Rishabh Dangwal

winAUTOPWN v2.7 Released - Vulnerability Testing on Windows

2011-07-22T10:53:00.000+05:30

winAUTOPWN and bsdAUTOPWN are minimal Interactive Frameworks which act as a frontend for quick systems vulnerability exploitation. It takes inputs like IP address, Hostname, CMS Path, etc. and does a smart multi- threaded portscan for TCP ports 1 to 65535. Exploits capable of giving Remote Shells, which are released publicly over the Internet by active contributors and exploit writers are constantly added to winAUTOPWN/bsdAUTOPWN. A lot of these exploits are written in scripting languages like python, perl and php. Presence of these language interpreters is essential for successful exploitations using winAUTOPWN/bsdAUTOPWN.

Exploits written in languages like C, Delphi, ASM which can be compiled are pre-compiled and added along-with others. On successful exploitation winAUTOPWN/bsdAUTOPWN gives a remote shell and waits for the attacker to use the shell before trying other exploits. This way the attacker can count and check the number of exploits which actually worked on a Target System.

Download
Read more here

Sorry for Blog downtime - Stupid Android experiments lead to it

2011-07-21T12:25:00.003+05:30

Hi Friends
Last night I had some stupid stupid experiments with my Android, the blogger client for it and Blogger Draft. Which led to the blog open for invitations only. In the morning I found my mistake and I am sorry for the inconvenience it caused to you.
Truely sorry for that :((

It wont happen again (and next time I am going to test apps and changes on temporary blog first. Point jotted and duly taken).

Cheers and stay gold

Rishabh Dangwal
"Always outnumbered, never outgunned :P "

Angry Hacker Rant version 2.0 - Dear Corporate Infosec, You are getting Pathetic Day by Day!

2011-07-19T15:13:00.002+05:30

It didn't took me too long to realise the actual scenario at infosec, at all leading MNC's. And here I am ranting about it and mind it, everything is appropriately correct.It all started with me applying for a job at a leading MNC, and those guys instead of heeding what I had done (with some powerful references) asked me if I had my CISSP/CISA/CEH/ECSA-LPT/BULLSHIT. Read on..as I conclude these points -

Any respectably responsible guy who has passion for Infosec has no chances at doing well at corporate unless he sells his soul to Satan of commercialization of security. Those guys (the management and HR) need guys who have certifications which are purely theoretical in nature and has no or little affilitation with hands on security. Worse, once you get in,be prepared to lie, a lot.
The running gag among my security circle (dedicated guys who care about their network and do their best to save your assess) was that you can never be the security guy by researching, practicing and making your bones in the Infosec jungle. You can be one by getting certified.
The best a CISSP/CISA does is to write the mails creating security awareness among company, create pie charts for the management while making sure those looked best while presenting himself , NOTHING REMOTELY RELATED TO HANDSON SECURITY and collect the easiest pay cheque on earth. Sad, but true.
The condition is a result of HR's and guys who are what i call security illiterate, so the best they need a guy who is certified (by cramming notes,taking mocktests, bribing, praying and God knows what else) by some standard and would take the hotshot in just for the sole reason without even testing if he knows anything, and the best part is at the end of the day that guy creates bar graphs of security framework and audit infra of the MNC.
At the end of the day, these certifications are nothing but to double your salary package, doesn't matter if you know anything or not.

Bottomline :

Dear Corporate Infosec, your minions are rotting you, and its not long when someone will pwn your ass like SONY because you hired some douche'bag who had a cert but was a skid.

inspired by personal experiences and J. Oquendo's wonderful post at Infosec Island

Jugaad Se Ukhaad : The Hacking Challange 2011 Results

2011-06-28T11:23:00.002+05:30

We announced Jugaad se Ukhaad challange 1.5 Months ago and it was a good deal of joy to see the attacks come in. The server was running on a modified version of Linux patched with gresec and some custom patches. It was out in the wild, with server signature changed to Optinet, one of the UTM products we were testing at the time. So, here are our attack statistics on IP 110.235.1.130 IP are :

10 Measured attacks
2 LOIC DDos (small scale)
ZERO Success Rate

So, all in all, we havent got anyone who has successfully exploited the server. We will be back with more challanges in future with some pretty cool prizes next time.

Till Then

Stay gold..

Rishabh Dangwal & Amarjit Singh

Why Android rocks and why I like android ...

2011-06-14T23:09:00.000+05:30

Buying an Android was one of the most amazing decisions I ever made, buying and HTC android (a333, 2.2.1 modded to 2.3.4) was even better,with fantastic support by the community and the HTC hacking commmunity at the pinnacle of eveything else (though I tend to remember the original nokia/symbian hackers who dct flashed-patched-disassembled their devices to connect their patchcodes to overwrite and override the flash protection and enter into debug modes of even the most trivial handsets...always makes me nostalagic.Infinity box anyone ?)

Well..onto my android, how life has changed since I moved over it -

Always connected to social networking services and Email.
Phone call logs/SMS dumped into my gmail account for quick reference.
gesture based replys to anyone (for eg and inverted "U" will input "goodnight tc :) " to those late night sms and conversations which you want to end since the next morning you have to catch up for office..sigh..)
Calender sync in realtime , call logs sync to calender and make an entry for subsequent calls , duration and name (if available) with autorecord and dumping recording to gmail if necessary. No more life threatning calls.
Exploring the endless possiblities of application porting over the inherent Linux kernel.
Old school games using emulators. I can now play Contra:hardcorps all the time any where ..or even can listen to chiptunes of castlevania/super c. Although i am looking forward to Mame emulation (tiger arcade works super slow..) over android but CPU is a bottleneck as of now. Need to get a new android soon :|
Wifu and wardriving while i am on bus..here is a sample packet capture -

BSSID;LAT;LON;SSID;Crypt;Beacon Interval;Connection Mode;Channel;RXL;Date;Time
00:08:5C:EF:08:F0;28.56602;77.22951;Adiva;WpaPsk;-93;Infra;11;-92;2011/03/17;18:52:01
00:08:9F:81:8F:C4;28.56944;77.20531;Car0baR;WPA2;-96;Infra;6;-95;2011/03/17;18:58:30
00:0F:61:F2:D1:40;28.56866;77.21955;OZone WiFi;Open;-97;Infra;1;-95;2011/03/17;18:54:16
00:0F:61:F2:D1:4F;28.56866;77.21955;Aircel_OZone WiFi;Open;-95;Infra;1;-93;2011/03/17;18:54:16
00:14:78:EB:20:E4;28.56936;77.20624;Plutos Network;Wep;-86;Infra;6;-85;2011/03/17;18:58:05
00:17:9A:09:D1:79;28.56813;77.22440;WebunivM;Wep;-93;Infra;6;-91;2011/03/17;18:53:05
00:18:02:87:02:8F;28.56845;77.22306;RT2561_6;Wep;-94;Infra;6;-93;2011/03/17;18:53:18
00:18:02:92:A2:73;28.56955;77.20365;mtnlbb;Wep;-90;Infra;6;-89;2011/03/17;19:00:21
00:18:EB:01:4D:02;28.55103;77.24771;ICON EROS;Open;-94;Infra;1;-91;2011/03/17;18:40:44

tcpdump/shark/nmap..need i say more ? (PS: you can always install shark over your GF's phone :P)
Samba server :)
Penetration testing using the nessus client and reading reports over it when I am on bus.
Connected to like minded geeks ( who like to be pesked for technicalities ) even when I am on DTC and getting bored by the ongoing travels (i am looking at you : prateek singla, rahul sasi, prashant uniyal, chin tu/faku chand,raghu sharma and those who know I cant mention their names here :P )
Taking remote control of remote computers and network devices using vnc/rfb (wrote bit.che for my college project, interested may see a demo at my college). Hell , if all else fails, you can always move with android vnc and team viewer.
ssh to a machine having metasploit.
24x7 connectivity using openvpn...or vidalia..lemme summarise it in one image
Overclocking :) although its a matter of only installing setcpu, but then, who doesnt likes the power it brings to slower devices.
ninjamorph
and much much much more (including 2 way authentication using timed key generation)

I am androidified .. Are you ?

Modern Warfare 3 trailer | World War 3 with Call of Duty

2011-05-24T21:29:00.001+05:30

Have you fu*kin watched it ? Its World war 3 with Call of Duty : Modern Warfare 3. Infinity ward showcases amazing trailer with topnotch hallmark COD style gameplay and kickass action. Amazing I must say, I will finish it once it launches, dying to get my hands over it. In the mean time, you can watch the trailer and enjoy every moment of it…

Drooool…

Jugaad se Ukhaad 2011: The Hacking Challenge

2011-05-24T15:35:00.000+05:30

We happily invite all the hackers, n00bs, developers, 1337s, jugaadus & all those who think they are worthy for the attack based testing of our server, which is jointly developed by our valued in-house developers.

CONDITIONS:

We need root access on the server.
If you get traced by our scanners, you will be disqualified.
If successful, you need to disclose the technique used.
DDOS welcome :)
The only rule is, there are no rules except the above 4.

This challenge will be closed on 10th June, 2011 12 midnight(IST).

NOTE: What if you hacked the server successfully?

We won't lose any thing & you won't get any thing. You only will get a free target for honing your skills. C'MON, where do you get it now a days? :)

You can contact us on mail@amarjit.info & admin@theprohack.com

ROOT IF YOU CAN: An open challenge for an open community.

Keeping fingers crossed....here is the IP 110.235.1.130

Good Luck guys....

Securitybyte Conference | Information Security Conference | Securitybyte 2011

2011-05-22T16:46:00.001+05:30

And we have got one more security conference – Securitybyte 2011. This 4-day event features two days of conferences and two days of post-conference hands-on Trainings & Certifications covering every aspect of Information Security. The Securitybyte conference features some of the most respected names in the Security space and is focused around new research and innovation. The Securitybyte Conference 2011 is planned for Sept 6th through 9th, 2011 at The Sheraton Hotel in Bangalore, India.
The two-day conference (Sept 6th & 7th) will have the following three
tracks:

Basic
Deep Technical
Manager

Submission Deadline: The first round of submission of papers for conference talks and trainings should be done no later than June 15th, 2011. Please send all your submissions to cfp@securitybyte.org <mailto:mailto:cfp@securitybyte.org> , keeping subject line as "SB 2011 CFP Submission".

TOPICS

Got a new attack against any technology or device? We want to see it.Topics of interest include, but are not limited to, the following:

Technology-Focused

Application & Web Security
SOA & Cloud Security
Electronic Device Security (Cell Phones / PDA's)
Defeating Biometrics
3G/4G Cellular Network Security
WLAN, RFID and Bluetooth Security
Data Recovery and Incident Response
Virtualization Security
Satellite Hacking
Hacking Electronic Voting systems
Next-gen BOTNets
Worms & Malware
Protocol exploits
Database Security
Forensic & Cyber security
Social Engineering
Hacker media/film presentations
Firmware & Hardware hacking
Physical Security
Embedded systems hacking
Smartcard technologies
Credit card and financial instrument technologies

Regulatory & Law

Copyright infringement and anti-copyright infringement enforcement technologies
Critical infrastructure issues
Data security and privacy issues
Identity theft, identity creation & identity fraud
Corporate Espionage

Management

Enterprise Risk management framework
SOA Governance
Understanding the true value of GRC
Information Security Governance
Cloud Computing
Unified Compliance Framework
Security Metrics

National Security

Cyber forensics
Cyber warfare
Cyber Espionage
Next hyphenGen Cyber threats
Critical Infrastructure protection
Surveillance & counter-surveillance

Speaker Submission:

Please use the following submission form template to respond:

Name, title, address, email, and phone/contact number
Short biography, qualifications, occupation, achievements, and affiliations (limit 250 words.)
Summary or abstract of your presentation (limit 1250 words.)
Technical requirements (video, internet, wireless, audio, etc.)
References (Contact name, title, and email address of two
conferences you have spoken at or comparable references.)

Training Submission: (Sept 8th & 9th, 2011)

Please include the following information for your training proposal:

Name, title, address, email, and phone/contact number
Short biography, qualifications, occupation, achievements, and affiliations (limit 250 words)
Training Overview
Who should attend
Course Syllabus
Length
Proposed Pricing
Technical Requirements (Videos, internet, wireless, audio, laptop,etc.)
Hands-on/ Demo-based/ labs
References (Contact name, title, and email address of two conferences you have taught at or comparable references)

Please note, product or vendor pitches are not accepted. If your talk involves an advertisement for a new product or service your company is offering, please do not submit a proposal.

Nintendo Wii 2 | Wii 2 console demonstration leaked video

2011-05-21T18:06:00.001+05:30

A recent leak of the demonstration regarding Nintendo Wii 2 provides viewers with a glimpse of the console and a detailed diagram of the much talked about controller. The new Nintendo Wii 2 is expected to have a built-in HD touch screen and a camera.

Nintendo will officially unveil Wii 2 on June 6th at E3 2011 and in the meantime, speculation on hardware specs, features and design for the Wii 2 (codenamed ‘Project Café’) continues. You can see the video -

via gamesradar

Ruxcon Call For Papers | Ruxcon 2011

2011-05-21T15:34:00.001+05:30

The Ruxcon team is pleased to announce the call for papers for the seventh annual Ruxcon conference. This year the conference will take place over the weekend of 19th and 20th of November at the CQ Function Centre, Melbourne, Australia. The deadline for submissions is the 30th of July.

What is Ruxcon?

Ruxcon is the premier technical computer security conference in the Australia-Pacific region. The conference aims to bring together the individual talents of the best and brightest security folk in the region, through live presentations, activities and demonstrations.

The conference is held over two days in a relaxed atmosphere, allowing attendees to enjoy themselves whilst networking within the community and expanding their knowledge of security.

Live presentations and activities will cover a full range of defensive and offensive security topics, varying from previously unpublished research to required reading for the security community.

For more information, please visit

http://www.ruxcon.org.au

Presentation Information

Presentations are set to run for 50 minutes, and will be of a formal nature, with slides and a speech.

Presentation Submissions

Ruxcon would like to invite people who are interested in security to submit a presentation.

Topics of interest include, but are not limited to:

Mobile Device Security
Virtualization, Hypervisor, and Cloud Security
Malware Analysis
Reverse Engineering
Exploitation Techniques
Rootkit Development
Code Analysis
Forensics and Anti-Forensics
Embedded Device Security
Web Application Security
Network Traffic Analysis
Wireless Network Security
Cryptography and Cryptanalysis
Social Engineering
Law Enforcement Activities
Telecommunications Security (SS7, 3G/4G, GSM, VOIP, etc)

Submissions should thoroughly outline your desired presentation subject.

If you have any enquiries about submissions, or would like to make a submission, please send an e-mail to

presentations (at) ruxcon (dot)org(dot)au

The deadline for submissions is the 30th of July. If approved we will additionally require:

A brief personal biography (between 2-5 paragraphs in length).
A description on your presentation (between 2-5 paragraphs in length).

Contact Details

Presentation Submissions: presentations (at) ruxcon (dot)org(dot)au

Best Security Magazine | Top IT Security Magazine and Zines Reviewed | Best Hacking Magazines Listed

2011-05-03T13:11:00.004+05:30

Hi folks, consider this article the follow-up of the original series, this time I will be blogging about some really good magazines and zines where you can learn about computer and IT security. If you want to go through the previous articles in the series, you are welcome to give them a read -

Anyways, on to the topic, here

Phrack

Its so obvious that I dont think I need to repeat it again, and again. Phrack is an ezine written by and for hackers first published November 17, 1985. Described by Fyodor as

"the best, and by far the longest running hacker zine,"

the magazine is open for contributions by anyone who desires to publish remarkable works or express original ideas on the topics of interest. It has a wide circulation which includes both hackers and computer security professionals. The zine includes interviews of Blackhats and celebrates the most advanced security articles of the time. Stephen Wyatt or The_ut once commented that he was proud of -

“ Reading the last 5 issues of Phrack without learning anything new“

its that good :) If you are that good, I salute you teh_hax0r…for the lesser mortals, Phrack remains the wet dream of the security minded.

What you can learn here : Hacking in Pure Sense
Price : Free
you can visit phrack here

2600 & Cult of the Dead Cow

Again, two of the old school crews which are still highly active ,specializes in publishing technical information on a variety of subjects including telephone switching systems, Internet protocols and services, as well as general news concerning the computer "underground" and left wing, and sometimes (but not recently), anarchist issues. The content is focused on DIY projects for a more motivated approach.
2600 is the more sober of the two and is a must read for anyone into pure pleasure of security, Cult of the Dead Cow is more devoted to the hactivism and anarchist issues, but nevertheless, are a must read for any budding hacker or expert alike :)

What you can learn here : Hactivism, hacking at hardware level in the form of DIY projects
Price : Free
you can Visit 2600 here
you can Visit CDC zine here

Free Software Magazine (FSM), Also known as The Open Voice

Relatively new on the scene, FSM devotes itself to the FOSS, GNU, technical code and features regular technical columns. Also the magazine runs its own webcomic “the Bizzare Cathedral” which is a satire on Linux, open source and technology in particular. The magazine is the only magazine worldwide that is dedicated to the promotion of free software as a whole and has 2 primary goals -

to promote free software and its use; and
to educate the global community in the use of free software.

What you can learn here : Code, Linux , FOSS and Open Source in general
Price : Free
you can visit FSM here

Linux Journal/ Linux Format / Linux Magazine

Now we have some hardcore Linux Magazines which are highly targeted to the professional Linux User. When it comes to computer security and hacking, Linux is the heart and soul of hacking and hackerdom in general. These magazines focus on Linux on a whole and explore the OS with respect to articles on all levels of developing and using Linux and the software that runs on it, including everything from how to write device drivers to how to edit photos with GIMP.

What you can learn here : Linux Linux and More Linux
Price :

Linux Journal : 8$ (approx 354 INR)

Linux Format : 6.49£ (approx 477 INR)

Linux Magazine: 12.99$ (approx 576 INR)

you can visit

Linux Journal here

Linux Format here

Linux Magazine here

HITB Magazine

One of the best security magazines around, the HITB magazine aims to deliver their goal of giving researchers further recognition for their hard work, and to provide the security community with beneficial technical material . Born as the side project of Hack-In-The-Box community, the magazine covers exploits , loopholes, latest security insights and technical papers for the determined.

What you can learn here : Exploits, vulnerabilities, Technical articles, code and insights in the latest of
Price : Free
you can visit HITB here

Hakin9

The famed Hakin9 is a free, online, monthly publication on IT Security. The magazine is published in English and is available in the Internet as a free download.
Hakin9 is a source of advanced, practical guidelines regarding the latest hacking methods as well as the ways of securing systems, networks and applications.

What you can learn here : Securing systems, exploits, at par with HITB mag
Price : Free
you can visit hakin9 here

InfoSecurity/Chmag (India)

As a special nod to Indian security scene, these two magazines are doing a very good job in demystifying the “security” buzzword for the new and discusses corporate security and security in general . Clubhack Magazine is the venture of Clubhack which focuses on making hacking and information security a common sense for a common man. InfoSecurity is more targeted at security at corporate level and focuses on latest security trends.

What you can learn here : Beginning with security to the corporate level
Price : Free
you can visit :

InfoSecurity here

chmag here

I guess you will be more than happy to feast on the knowledge these fabulous sources above.

*update* : I will be reviewing Insecure magazine soon along with Darkread.

./EOF

Best Security Magazine | Top IT Security Magazine and Zines Reviewed | Best Hacking Magazines Listed

Scroogled – Google Tracks Spies You | Amazing Story by Cory Doctorow

2011-05-02T15:48:00.001+05:30

Scroogled - by Cory Doctorow

"Give me six lines written by the most honorable of men, and I will find an excuse in them to hang him."

— Cardinal Richelieu

"We don't know enough about you."

— Former Google CEO Eric Schmidt

Greg landed at San Francisco International Airport at 8 p.m., but by the time he'd made it to the front of the customs line, it was after midnight. He'd emerged from first class, brown as a nut, unshaven, and loose-limbed after a month on the beach in Cabo (scuba diving three days a week, seducing French college girls the rest of the time). When he'd left the city a month before, he'd been a stoop-shouldered, potbellied wreck. Now he was a bronze god, drawing admiring glances from the stews at the front of the cabin.

Four hours later in the customs line, he'd slid from god back to man. His slight buzz had worn off, sweat ran down the crack of his ass, and his shoulders and neck were so tense his upper back felt like a tennis racket. The batteries on his iPod had long since died, leaving him with nothing to do except eavesdrop on the middle-age couple ahead of him.

"The marvels of modern technology,"

said the woman, shrugging at a nearby sign: Immigration — Powered by Google.

"I thought that didn't start until next month?"

The man was alternately wearing and holding a large sombrero.

Googling at the border. Christ. Greg had vested out of Google six months before, cashing in his options and "taking some me time" — which turned out to be less rewarding than he'd expected. What he mostly did over the five months that followed was fix his friends' PCs, watch daytime TV, and gain 10 pounds, which he blamed on being at home instead of in the Googleplex, with its well-appointed 24-hour gym.

He should have seen it coming, of course. The U.S. government had lavished $15 billion on a program to fingerprint and photograph visitors at the border, and hadn't caught a single terrorist. Clearly, the public sector was not equipped to Do Search Right.

The DHS officer had bags under his eyes and squinted at his screen, prodding at his keyboard with sausage fingers. No wonder it was taking four hours to get out of the god damned airport.

"Evening," Greg said, handing the man his sweaty passport. The officer grunted and swiped it, then stared at his screen, tapping. A lot. He had a little bit of dried food at the corner of his mouth and his tongue crept out and licked at it.

"Want to tell me about June 1998?"

Greg looked up from his Departures. "I'm sorry?"

"You posted a message to alt.burningman on June 17, 1998, about your plan to attend a festival. You asked, 'Are shrooms really such a bad idea?'"

The interrogator in the secondary screening room was an older man, so skinny he looked like he'd been carved out of wood. His questions went a lot deeper than shrooms.

"Tell me about your hobbies. Are you into model rocketry?"

"What?"

"Model rocketry."

"No," Greg said, "No, I'm not." He sensed where this was going.

The man made a note, did some clicking. "You see, I ask because I see a heavy spike in ads for rocketry supplies showing up alongside your search results and Google mail."

Greg felt a spasm in his guts. "You're looking at my searches and e-mail?" He hadn't touched a keyboard in a month, but he knew what he put into that search bar was likely more revealing than what he told his shrink.

"Sir, calm down, please. No, I'm not looking at your searches," the man said in a mocking whine. "That would be unconstitutional. We see only the ads that show up when you read your mail and do your searching. I have a brochure explaining it. I'll give it to you when we're through here."

"But the ads don't mean anything," Greg sputtered. "I get ads for Ann Coulter ring tones whenever I get e-mail from my friend in Coulter, Iowa!"

The man nodded. "I understand, sir. And that's just why I'm here talking to you. Why do you suppose model rocket ads show up so frequently?"

Greg racked his brain. "Okay, just do this. Search for 'coffee fanatics.'" He'd been very active in the group, helping them build out the site for their coffee-of-the-month subscription service. The blend they were going to launch with was called Jet Fuel. "Jet Fuel" and "Launch" — that would probably make Google barf up some model rocket ads.

They were in the home stretch when the carved man found the Halloween photos. They were buried three screens deep in the search results for "Greg Lupinski."

"It was a Gulf War-themed party," he said. "In the Castro."

"And you're dressed as...?"

"A suicide bomber," he replied sheepishly. Just saying the words made him wince.

"Come with me, Mr. Lupinski," the man said.

By the time he was released, it was past 3 a.m. His suitcases stood forlornly by the baggage carousel. He picked them up and saw they had been opened and carelessly closed. Clothes stuck out from around the edges.

When he returned home, he discovered that all of his fake pre-Columbian statues had been broken, and his brand-new white cotton Mexican shirt had an ominous boot print in the middle of it. His clothes no longer smelled of Mexico. They smelled like airport.

He wasn't going to sleep. No way. He needed to talk about this. There was only one person who would get it. Luckily, she was usually awake around this hour.

Maya had started working at Google two years after Greg had. It was she who'd convinced him to go to Mexico after he cashed out: Anywhere, she'd said, that he could reboot his existence.

Maya had two giant chocolate labs and a very, very patient girlfriend named Laurie who'd put up with anything except being dragged around Dolores Park at 6 a.m. by 350 pounds of drooling canine.

Maya reached for her Mace as Greg jogged toward her, then did a double take and threw her arms open, dropping the leashes and trapping them under her sneaker. "Where's the rest of you? Dude, you look hot!"

He hugged her back, suddenly conscious of the way he smelled after a night of invasive Googling. "Maya," he said, "what do you know about Google and the DHS?"

She stiffened as soon as he asked the question. One of the dogs began to whine. She looked around, then nodded up at the tennis courts. "Top of the light pole there; don't look," she said. "That's one of our muni WiFi access points. Wide-angle webcam. Face away from it when you talk."

In the grand scheme of things, it hadn't cost Google much to wire the city with webcams. Especially when measured against the ability to serve ads to people based on where they were sitting. Greg hadn't paid much attention when the cameras on all those access points went public — there'd been a day's worth of blogstorm while people played with the new all-seeing toy, zooming in on various prostitute cruising areas, but after a while the excitement blew over.

Feeling silly, Greg mumbled, "You're joking."

"Come with me," she said, turning away from the pole.

The dogs weren't happy about cutting their walk short, and expressed their displeasure in the kitchen as Maya made coffee.

"We brokered a compromise with the DHS," she said, reaching for the milk. "They agreed to stop fishing through our search records, and we agreed to let them see what ads got displayed for users."

Greg felt sick. "Why? Don't tell me Yahoo was doing it already..."

"No, no. Well, yes. Sure. Yahoo was doing it. But that wasn't the reason Google went along. You know, Republicans hate Google. We're overwhelmingly registered Democratic, so we're doing what we can to make peace with them before they clobber us. This isn't P.I.I." — Personally Identifying Information, the toxic smog of the information age — "It's just metadata. So it's only slightly evil."

"Why all the intrigue, then? "

Maya sighed and hugged the lab that was butting her knee with its huge head. "The spooks are like lice. They get everywhere. They show up at our meetings. It's like being in some Soviet ministry. And the security clearance — we're divided into these two camps: the cleared and the suspect. We all know who isn't cleared, but no one knows why. I'm cleared. Lucky for me, being a dyke no longer disqualifies you. No cleared person would deign to eat lunch with an unclearable."

Greg felt very tired. "So I guess I'm lucky I got out of the airport alive. I might have ended up 'disappeared' if it had gone badly, huh?"

Maya stared at him intently. He waited for an answer.

"What?"

"I'm about to tell you something, but you can't ever repeat it, okay?"

"Um...you're not in a terrorist cell, are you?

"Nothing so simple. Here's the deal: Airport DHS scrutiny is a gating function. It lets the spooks narrow down their search criteria. Once you get pulled aside for secondary at the border, you become a 'person of interest' — and they never, ever let up. They'll scan webcams for your face and gait. Read your mail. Monitor your searches."

"I thought you said the courts wouldn't let them..."

"The courts won't let them indiscriminately Google you. But after you're in the system, it becomes a selective search. All legal. And once they start Googling you, they always find something. All your data is fed into a big hopper that checks for 'suspicious patterns,' using deviation from statistical norms to nail you."

Greg felt like he was going to throw up. "How the hell did this happen? Google was a good place. 'Don't be evil,' right?" That was the corporate motto, and for Greg, it had been a huge part of why he'd taken his computer science Ph.D. from Stanford directly to Mountain View.

Maya replied with a hard-edged laugh. "Don't be evil? Come on, Greg. Our lobbying group is that same bunch of crypto-fascists that tried to Swift-Boat Kerry. We popped our evil cherry a long time ago."

They were quiet for a minute.

"It started in China," she went on, finally. "Once we moved our servers onto the mainland, they went under Chinese jurisdiction."

Greg sighed. He knew Google's reach all too well: Every time you visited a page with Google ads on it, or used Google maps or Google mail — even if you sent mail to a Gmail account — the company diligently collected your info. Recently, the site's search-optimization software had begun using the data to tailor Web searches to individual users. It proved to be a revolutionary tool for advertisers. An authoritarian government would have other purposes in mind.

"They were using us to build profiles of people," she went on. "When they had someone they wanted to arrest, they'd come to us and find a reason to bust them. There's hardly anything you can do on the Net that isn't illegal in China."

Greg shook his head. "Why did they have to put the servers in China?"

"The government said they'd block us otherwise. And Yahoo was there." They both made faces. Somewhere along the way, employees at Google had become obsessed with Yahoo, more concerned with what the competition was doing than how their own company was performing. "So we did it. But a lot of us didn't like the idea."

Maya sipped her coffee and lowered her voice. One of her dogs sniffed insistently under Greg's chair.

"Almost immediately, the Chinese asked us to start censoring search results," Maya said. "Google agreed. The company line was hilarious: 'We're not doing evil — we're giving consumers access to a better search tool! If we showed them search results they couldn't get to, that would just frustrate them. It would be a bad user experience.'"

"Now what?" Greg pushed a dog away from him. Maya looked hurt.

"Now you're a person of interest, Greg.

You're Googlestalked. Now you live your life with someone constantly looking over your shoulder. You know the mission statement, right? 'Organize the World's Information.' Everything. Give it five years, we'll know how many turds were in the bowl before you flushed. Combine that with automated suspicion of anyone who matches a statistical picture of a bad guy and you're — "

"Scroogled."

"Totally." She nodded.

Maya took both labs down the hall to the bedroom. He heard a muffled argument with her girlfriend, and she came back alone.

"I can fix this," she said in an urgent whisper. "After the Chinese started rounding up people, my podmates and I made it our 20 percent project to fuck with them." (Among Google's business innovations was a rule that required every employee to devote 20 percent of his or her time to high-minded pet projects.) "We call it the Googlecleaner. It goes deep into the database and statistically normalizes you. Your searches, your Gmail histograms, your browsing patterns. All of it. Greg, I can Googleclean you. It's the only way."

"I don't want you to get into trouble."

She shook her head. "I'm already doomed. Every day since I built the damn thing has been borrowed time — now it's just a matter of waiting for someone to point out my expertise and history to the DHS and, oh, I don't know. Whatever it is they do to people like me in the war on abstract nouns."

Greg remembered the airport. The search. His shirt, the boot print in the middle of it.

"Do it," he said.

The Googlecleaner worked wonders. Greg could tell by the ads that popped up alongside his searches, ads clearly meant for someone else: Intelligent Design Facts, Online Seminary Degree, Terror Free Tomorrow, Porn Blocker Software, the Homosexual Agenda, Cheap Toby Keith Tickets. This was Maya's program at work. Clearly Google's new personalized search had him pegged as someone else entirely, a God-fearing right winger with a thing for hat acts.

Which was fine by him.

Then he clicked on his address book, and found that half of his contacts were missing. His Gmail in-box was hollowed out like a termite-ridden stump. His Orkut profile, normalized. His calendar, family photos, bookmarks: all empty. He hadn't quite realized before how much of him had migrated onto the Web and worked its way into Google's server farms — his entire online identity. Maya had scrubbed him to a high gloss; he'd become the invisible man.

Greg sleepily mashed the keys on the laptop next to his bed, bringing the screen to life. He squinted at the flashing toolbar clock: 4:13 a.m.! Christ, who was pounding on his door at this hour?

He shouted, "Coming!" in a muzzy voice and pulled on a robe and slippers. He shuffled down the hallway, turning on lights as he went. At the door, he squinted through the peephole to find Maya staring glumly back at him.

He undid the chains and dead bolt and yanked the door open. Maya rushed in past him, followed by the dogs and her girlfriend.

She was sheened in sweat, her usually combed hair clinging in clumps to her forehead. She rubbed at her eyes, which were red and lined.

"Pack a bag," she croaked hoarsely.

"What?"

She took him by the shoulders. "Do it," she said.

"Where do you want to...?"

"Mexico, probably. Don't know yet. Pack, dammit." She pushed past him into his bedroom and started yanking open drawers.

"Maya," he said sharply, "I'm not going anywhere until you tell me what's going on."

She glared at him and pushed her hair away from her face. "The Googlecleaner lives. After I cleaned you, I shut it down and walked away. It was too dangerous to use anymore. But it's still set to send me e-mail confirmations whenever it runs. Someone's used it six times to scrub three very specific accounts — all of which happen to belong to members of the Senate Commerce Committee up for reelection."

"Googlers are blackwashing senators?"

"Not Googlers. This is coming from off-site. The IP block is registered in D.C. And the IPs are all used by Gmail users. Guess who the accounts belong to?"

"You spied on Gmail accounts?"

"Okay. Yes. I did look through their e-mail. Everyone does it, now and again, and for a lot worse reasons than I did. But check it out — turns out all this activity is being directed by our lobbying firm. Just doing their job, defending the company's interests."

Greg felt his pulse beating in his temples. "We should tell someone."

"It won't do any good. They know everything about us. They can see every search. Every e-mail. Every time we've been caught on the webcams. Who is in our social network...did you know if you have 15 Orkut buddies, it's statistically certain that you're no more than three steps to someone who's contributed money to a 'terrorist' cause? Remember the airport? You'll be in for a lot more of that."

"Maya," Greg said, getting his bearings. "Isn't heading to Mexico overreacting? Just quit. We can do a start-up or something. This is crazy."

"They came to see me today," she said. "Two of the political officers from DHS. They didn't leave for hours. And they asked me a lot of very heavy questions."

"About the Googlecleaner?"

"About my friends and family. My search history. My personal history."

"Jesus."

"They were sending a message to me. They're watching every click and every search. It's time to go. Time to get out of range."

"There's a Google office in Mexico, you know."

"We've got to go," she said, firmly.

"Laurie, what do you think of this?" Greg asked.

Laurie thumped the dogs between the shoulders. "My parents left East Germany in '65. They used to tell me about the Stasi. The secret police would put everything about you in your file, if you told an unpatriotic joke, whatever. Whether they meant it or not, what Google has created is no different."

"Greg, are you coming?"

He looked at the dogs and shook his head. "I've got some pesos left over," he said. "You take them. Be careful, okay?"

Maya looked like she was going to slug him. Softening, she gave him a ferocious hug.

"Be careful, yourself," she whispered in his ear.

They came for him a week later. At home, in the middle of the night, just as he'd imagined they would.

Two men arrived on his doorstep shortly after 2 a.m. One stood silently by the door. The other was a smiler, short and rumpled, in a sport coat with a stain on one lapel and a American flag on the other. "Greg Lupinski, we have reason to believe you're in violation of the Computer Fraud and Abuse Act," he said, by way of introduction. "Specifically, exceeding authorized access, and by means of such conduct having obtained information. Ten years for a first offense. Turns out that what you and your friend did to your Google records qualifies as a felony. And oh, what will come out in the trial...all the stuff you whitewashed out of your profile, for starters."

Greg had played this scene in his head for a week. He'd planned all kinds of brave things to say. It had given him something to do while he waited to hear from Maya. She never called.

"I'd like to get in touch with a lawyer," is all he mustered.

"You can do that," the small man said. "But maybe we can come to a better arrangement."

Greg found his voice. "I'd like to see your badge," he stammered.

The man's basset-hound face lit up as he let out a bemused chuckle. "Buddy, I'm not a cop," he replied. "I'm a consultant. Google hired me — my firm represents their interests in Washington — to build relationships. Of course, we wouldn't get the police involved without talking to you first. You're part of the family. Actually, there's an offer I'd like to make."

Greg turned to the coffeemaker, dumped the old filter.

"I'll go to the press," he said.

The man nodded as if thinking it over. "Well, sure. You could walk into the Chronicle's office in the morning and spill everything. They'd look for a confirming source. They won't find one. And when they try searching for it, we'll find them. So, buddy, why don't you hear me out, okay? I'm in the win-win business. I'm very good at it." He paused. "By the way, those are excellent beans, but you want to give them a little rinse first? Takes some of the bitterness out and brings up the oils. Here, pass me a colander?"

Greg watched as the man silently took off his jacket and hung it over a kitchen chair, then undid his cuffs and carefully rolled them up, slipping a cheap digital watch into his pocket. He poured the beans out of the grinder and into Greg's colander, and rinsed them in the sink.

He was a little pudgy and very pale, with the social grace of an electrical engineer. He seemed like a real Googler, actually, obsessed with the minutiae. He knew his way around a coffee grinder, too.

"We're drafting a team for Building 49..."

"There is no Building 49," Greg said automatically.

"Of course," the guy said, flashing a tight smile. "There's no Building 49. But we're putting together a team to revamp the Googlecleaner. Maya's code wasn't very efficient, you know. It's full of bugs. We need an upgrade. You'd be the right guy, and it wouldn't matter what you knew if you were back inside."

"Unbelievable," Greg said, laughing. "If you think I'm going to help you smear political candidates in exchange for favors, you're crazier than I thought."

"Greg," the man said, "we're not smearing anyone. We're just going to clean things up a bit. For some select people. You know what I mean? Everyone's Google profile is a little scary under close inspection. Close inspection is the order of the day in politics. Standing for office is like a public colonoscopy." He loaded the cafetière and depressed the plunger, his face screwed up in solemn concentration. Greg retrieved two coffee cups — Google mugs, of course — and passed them over.

"We're going to do for our friends what Maya did for you. Just a little cleanup. All we want to do is preserve their privacy. That's all."

Greg sipped his coffee. "What happens to the candidates you don't clean?"

"Yeah," the guy said, flashing Greg a weak grin. "Yeah, you're right. It'll be kind of tough for them." He searched the inside pocket of his jacket and produced several folded sheets of paper.

He smoothed out the pages and put them on the table. "Here's one of the good guys who needs our help." It was a printout of a search history belonging to a candidate whose campaign Greg had contributed to in the past three elections.

"Fella gets back to his hotel room after a brutal day of campaigning door to door, fires up his laptop, and types 'hot asses' into his search bar. Big deal, right? The way we see it, for that to disqualify a good man from continuing to serve his country is just un-American."

Greg nodded slowly.

"So you'll help the guy out?" the man asked.

"Yes."

"Good. There's one more thing. We need you to help us find Maya. She didn't understand our goals at all, and now she seems to have flown the coop. Once she hears us out, I have no doubt she'll come around."

He glanced at the candidate's search history.

"I guess she might," Greg replied.

The new Congress took 11 working days to pass the Securing and Enumerating America's Communications and Hypertext Act, which authorized the DHS and NSA to outsource up to 80 percent of intelligence and analysis work to private contractors. Theoretically, the contracts were open to competitive bidding, but within the secure confines of Google's Building 49, there was no question of who would win. If Google had spent $15 billion on a program to catch bad guys at the border, you can bet they would have caught them — governments just aren't equipped to Do Search Right.

The next morning Greg scrutinized himself carefully as he shaved (the security minders didn't like hacker stubble and weren't shy about telling him so), realizing that today was his first day as a de facto intelligence agent for the U.S. government. How bad would it be? Wasn't it better to have Google doing this stuff than some ham-fisted DHS desk jockey?

By the time he parked at the Googleplex, among the hybrid cars and bulging bike racks, he had convinced himself. He was mulling over which organic smoothie to order at the canteen when his key card failed to open the door to Building 49. The red LED flashed dumbly every time he swiped his card. Any other building, and there'd be someone to tailgate on, people trickling in and out all day. But the Googlers in 49 only emerged for meals, and sometimes not even that.

Swipe, swipe, swipe. Suddenly he heard a voice at his side.

"Greg, can I see you, please?"

The rumpled man put an arm around his shoulders, and Greg smelled his citrusy aftershave. It smelled like what his divemaster in Baja had worn when they went out to the bars in the evening. Greg couldn't remember his name. Juan Carlos? Juan Luis?

The man's arm around his shoulders was firm, steering him away from the door, out onto the immaculate lawn, past the herb garden outside the kitchen. "We're giving you a couple of days off," he said.

Greg felt a sudden stab of anxiety. "Why?" Had he done something wrong? Was he going to jail?

"It's Maya." The man turned him around, met his eyes with his bottomless gaze. "She killed herself. In Guatemala. I'm sorry, Greg."

Greg seemed to hurtle away, to a place miles above, a Google Earth view of the Googleplex, where he looked down on himself and the rumpled man as a pair of dots, two pixels, tiny and insignificant. He willed himself to tear at his hair, to drop to his knees and weep.

From a long way away, he heard himself say, "I don't need any time off. I'm okay."

From a long way away, he heard the rumpled man insist.

The argument persisted for a long time, and then the two pixels moved into Building 49, and the door swung shut behind them.

./EOF

Scroogled – Google Tracks Spies your Privacy | Amazing Story by Cory Doctorow | Google Big Brother

Top Indian Hackers | Real Hackers of India

2011-04-30T14:55:00.007+05:30

There has been a lot of commotion in the Indian Hacking scene lately, and I expressed some pretty strong views regarding that. When it comes to hacking, every other guy tends to tape the "hacker" word with his name/codename without even realizing its significance. Then there is Facebook ...Have a look at it -

Seriously guys..what were they thinking ?! I am still counting the number of “Indian Cyber Army” India has and the number of groups tend to increase recycling all the content, same VIP forums, same deface techniques, zero original research.
Then there is Ankit Fadiya...dont let me even get started...

In the end tired of all the bullshit around, I decided to cover an article on the REAL INDIAN HACKERS (or Hackers of Indian Origin), folks who are actually dedicated to security and are hackers in real sense. Lets start, shall we ?

Pranav Mistry

The famed 6th sense developer,Pranav Mistry is a research assistant and a PhD candidate at MIT Media Lab. SixthSense has recently attracted global attention. Among some of his previous work, Pranav has invented Mouseless - an invisible computer mouse; intelligent sticky notes that can be searched, located and can send reminders and messages; a pen that can draw in 3D; and a public map that can act as Google of physical world. Pranav has commercialized his invention, the sixth sense and SixthSense is now being actively used at NASA. It is rumored that Facebook tried to acquire the technology from Pranav for a reportedly $2 billion and 5% ownership of Facebook, but Pranav decided to open source it instead.

Thats what any real hacker do. Hats Off to him.
Here you can read more about him at Amarjit’s Blog

Koushik Dutta or “Koush”

“Set Your Phone Free..”

Rings a bell ? Koushik Dutta or “Koush” is responsible for Clockworkmod recovery and Rom Manager for Android rooting and the core member of famed UnrEVOked team. He has been a .net developer from heart and had his internship initially at Microsoft and is a former MVP. He decided to leave Microsoft and hack Android cellphones like there was no tomorrow. Sony approached him after geohot humped them like anything but he politely declined .

Bravo for his efforts, we are able to root painlessly using UnREVOked.
Now only if UnrEVOked can release UnrEVOked 3.33 soon :)

Vivek Ramchandran

Vivek Ramachandran has been working in the computer and network security domain, in some form or the other, for the past 7 years and has worked with Industry giants like Reliance, Cisco, Microsoft. He was among the Top 10 Indian finalists in the Microsoft shootout competition among the list of 65000 participants. Then he decided to join Airtight Networks and there discovered Caffe Latte attack attack along with his colleague MD Sohail Ahmad from Airtight Networks ,the wifi hacking technique that doesn't required you to be in active vicinity of the wifi zone.

That said, he is one of the researcher to lookout.

Almost everybody at NULL Security Community & Garage4hackers
I said it before and I will say it again, the Only active Indian hacking community is NULL community, and the best Indian Hacking Forum where real hackers meet is garage4hackers.com hands on.

Shoutz to garage crew :)

Folks at Indian Honeynet Chapter
Now we are talking..Indian Honeynet chapter is the collaborative effort of the best geeks and hackers .The focus of honeypot is on Worms and Botnets and developing an Open Source tool to study and counter brute force attacks/ phishing through wifi. Its also being setup as potential web-app honeypot,and aims on improving detection and forensic techniques. Heading the ship are L Shriram, K K Mookhey, Amit Chugh, Asim Jakhar and a lot of professionals who are dedicated in the field of computer security.

Hari Prasad

The famed security researcher Hari Prasad is the winner of EFF Pioneer award, as he along with Alex Halderman, and Rop Gonggrijp were able to study an electronic voting machine (EVM) and found significant vulnerabilities that would not be difficult to execute. For his troubles, Prasad was arrested and jailed in August, held without bail in Mumbai for a week. Though he is now out on bail and in the United States, he still faces criminal prosecution for alleged theft of the EVM and other charges.

The genius of the Indian system is that instead of making machines tamper proof and more efficient, they arrested him.

According to the Indian news agency PTI, the magistrate who released Prasad on bail noted that "no offence was disclosed with Hari Prasad's arrest and even if it was assumed that [the electronic voting machine] was stolen it appears that there was no dishonest intention on his part...he was trying to show how [electronic voting] machines can be tampered with."

Jayant Krishnamurthy

Jayant Krishnamurthy is a Ph.D. candidate in Computer Science, CMU and his interests include are machine learning, machine reading, common sense reasoning, information extraction, knowledge representation, and their applications in AI and NLP (shamelessly taken from his website). He is one of the researchers who are behind designing MD6 algorithm (yeah you heard it right, the evolution of MD5). He is a top level computer theorist and researcher and is a real life hacker. He teaches computer and network security and you must ahve a look at the problems and solutions at the given link.

For the lighter side,you can have a look at the funny flash movie based on his real life experiences at high school.

I guess, you now have an actual idea of the Indian hackers now :) These guys are real and are deemed worthy of having the hacker emblem with them.

How to Sync Facebook Calendar on Google Calendar & Android

2011-04-29T21:56:00.001+05:30

One of the things that have been pesking me since the time I moved on to Android Cyanogenmod 7 was that I was not able to sync Facebook Calendar with Google Calendar or Outlook. Also since I was unable to sync Facebook Calender with Google Calendar hence the I was not able to sync Facebook birthdays on Android . That make me thinking and I got some nifty methods to do the same.

Method 1 (Sync Facebook Birthdays on Google)

Install Ebobirthday application on Android

Open it and click on

menu – > Import – > Facebook

and let it connect to it.

Once connected enter your username and password, and allow it to access data. The it will start importing birthdays. Once done, click on

menu –> settings

and then choose calendar which you want to update.

then go to

menu –> export –> update calendar

and then it will connect and will update your google calendar :)

Once done, sync your Android and Google. Alternatively you can sync outlook calendar with Google

Congrats..you have synced Facebook calendar with Google and Outlook !

I will discussing the method 2 on my next post :)