Disqus for Cyber Fort

Sunday 26 January 2014

Common Methods to Hack a Website

2 Comments
Gone are the days when website hacking was a sophisticated art. Today any body can access through the Internet and start hacking your website. All that is needed is doing a search on google with keywords like “how to hack website”, “hack into a website”, “Hacking a website” etc. The following article is not an effort to teach you website hacking, but it has more to do with raising awareness on some common website hacking methods.


The Simple SQL Injection Hack

SQL Injection involves entering SQL code into web forms, eg. login fields, or into the browser address field, to access and manipulate the database behind the site, system or application. 
When you enter text in the Username and Password fields of a login screen, the data you input is typically inserted into an SQL command. This command checks the data you've entered against the relevant table in the database. If your input matches table/row data, you're granted access (in the case of a login screen). If not, you're knocked back out.


In its simplest form, this is how the SQL Injection works. It's impossible to explain this without reverting to code for just a moment. Don't worry, it will all be over soon.
Suppose we enter the following string in a User name field:

' OR 1=1 double-dash-txt.png 

The authorization SQL query that is run by the server, the command which must be satisfied to allow access, will be something along the lines of:
SELECT * FROM users WHERE username =USRTEXT ' 
AND password = ‘PASSTEXT
…where USRTEXT and PASSTEXT are what the user enters in the login fields of the web form.
So entering `OR 1=1 — as your username, could result in the following actually being run:
SELECT * FROM users WHERE username = ‘' OR 1=1 — 'AND password = '
Two things you need to know about this:
['] closes the [user-name] text field.
'double-dash-txt.png' is the SQL convention for Commenting code, and everything after Comment is ignored. So the actual routine now becomes:
SELECT * FROM users WHERE user name = '' OR 1=1
1 is always equal to 1, last time I checked. So the authorization routine is now validated, and we are ushered in the front door to wreck havoc. 
Let's hope you got the gist of that, and move briskly on.

Brilliant! I'm gonna go to hack a Bank! 

Slow down, cowboy. This half-cooked method won't beat the systems they have in place up at Citibank,
evidentlyBut the process does serve to illustrate just what SQL Injection is all about — injecting code to manipulate a routine via a form, or indeed via the URL. In terms of login bypass via Injection, the hoary old ' OR 1=1 is just one option. If a hacker thinks a site is vulnerable, there are cheat-sheets all over the web for login strings which can gain access to weak systems. Here are a couple more common strings which are used to dupe SQL validation routines:
username field examples:
  • admin'—
  • ') or ('a'='a
  • ”) or (“a”=”a
  • hi” or “a”=”a
… and so on.

Cross site scripting ( XSS ):
Cross-site scripting or XSS is a threat to a website's security. It is the most common and popular hacking a website to gain access information from a user on a website. There are hackers with malicious objectives that utilize this to attack certain websites on the Internet. But mostly good hackers do this to find security holes for websites and help them find solutions. Cross-site scripting is a security loophole on a website that is hard to detect and stop, making the site vulnerable to attacks from malicious hackers. This security threat leaves the site and its users open to identity theft, financial theft and data theft. It would be advantageous for website owners to understand how cross-site scripting works and how it can affect them and their users so they could place the necessary security systems to block cross-site scripting on their website.

Denial of service ( Ddos attack )


A denial of service attack (DOS) is an attack through which a person can render a system unusable or significantly slow down the system for legitimate users by overloading the resources, so that no one can access it.this is not actually hacking a webite but it is used to take down a website.

If an attacker is unable to gain access to a machine, the attacker most probably will just crash the machine to accomplish a denial of service attack,this one of the most used method for website hacking




Cookie Poisoning:



Well, for a starters i can begin with saying that Cookie Poisoning is alot like SQL Injection

Both have 'OR'1'='1 or maybe '1'='1'

But in cookie poisoning you begin with alerting your cookies

Javascript:alert(document.cookie)

Then you will perharps see "username=JohnDoe" and "password=iloveJaneDoe"

in this case the cookie poisoning could be:

Javascript:void(document.cookie="username='OR'1'='1"); void(document.cookie="password='OR'1'='1");


It is also many versions of this kind... like for example

'

'1'='1'

'OR'1'='1

'OR'1'='1'OR'


and so on...

You may have to try 13 things before you get it completely right...

Password Cracking


Hashed strings can often be deciphered through 'brute forcing'. Bad news, eh? Yes, and particularly if your encrypted passwords/usernames are floating around in an unprotected file somewhere, and some Google hacker comes across it. 
You might think that just because your password now looks something like XWE42GH64223JHTF6533H in one of those files, it means that it can't be cracked? Wrong. Tools are freely available which will decipher a certain proportion of hashed and similarly encoded passwords.

Know more about Brute force attack

A Few Defensive Measures

* If you utilize a web content management system, subscribe to the development blog. Update to new versions soon as possible.
* Update all 3rd party modules as a matter of course — any modules incorporating web forms or enabling member file uploads are a potential threat. Module vulnerabilities can offer access to your full database.
* Harden your Web CMS or publishing platform. For example, if you use WordPress, use this guide as a reference.
* If you have an admin login page for your custom built CMS, why not call it 'Flowers.php' or something, instead of “AdminLogin.php” etc.?
* Enter some confusing data into your login fields like the sample Injection strings shown above, and any else which you think might confuse the server. If you get an unusual error message disclosing server-generated code then this may betray vulnerability.
* Do a few Google hacks on your name and your website. Just in case…
* When in doubt, pull the yellow cable out! It won't do you any good, but hey, it rhymes. 

hope u like this article...
Read More

Wednesday 22 January 2014

Apple Wins Big Against Samsung In Court in South Corea

Be The First To Comment
apple win aganist sumsang
Samsung lost its bid on Thursday to ban sales of Apple's older iPhone and iPad models in South Korea. A court dismissed a lawsuit, filed in March 2012, claiming the U.S. firm had infringed on three  of Samsung's mobile patents.
The lawsuit was another part of Samsung's global courtroom war with Apple dating back to 2011 when the iPhone company first sued Samsung for copying the look and feel of its products.
"We are glad the Korean court joined others around the world in standing up for real innovation and rejecting Samsung's ridiculous claims," Apple Korea spokesman Steve Park said.
A judge at the Seoul Central District Court said that Apple products did not violate Samsung patents on the display of short messages and group messaging features. The court ruled against a sale ban on the products and subsequently threw out Samsung's claim for $95,100 (£58,000, AU$105,000) in damages.
Necessary measures
Samsung said it would carefully review the ruling before deciding on whether to launch an appeal. "We are disappointed with the court's decision …. Apple has continued to infringe our patented mobile technologies [so] we will continue to take the measures necessary to protect our intellectual property rights," Samsung said in a statement.
Similar rulings in the past have gone in Samsung's favour. In August last year the same South Korean court ordered Apple to pay $38,000 (£23,100, $AU42,000) in damages for infringing on wireless technology patents.
Thursday's court ruling comes after a German court in Mannheim dismissed Apple's claim that Samsung infringed on a utility patent. Apple and Samsung have gone to trial twice in the past two years in California, where juries awarded Apple $930 million (£567 million, AU$1 billion) in damages.


Here’s the complete ruling courtesy of FOSS Patents:


Read More

How To Block PopUp Ads On Your Android Smartphone

Be The First To Comment

block popups ads on android


Ads and pop-up windows on your computer are one of the most annoying things in the world, and that's why practically everyone has a pop-up and ad blocker installed on their desktop. But for some strange reason not everyone bothers to do the same thing for their Android - and then suffers from various sites that pop up more windows and tabs than you can poke
a honey-covered stick at (for catching the pop-ups with, you see). Suffer no more! We'll show you the best way to block ads, including pop-ups, on your Android.
You can disable ads, video ads, sound ads and pop-ups (as well as all ads!). 


Instructions

Step 1:


Open the Web browser on your Android smartphone. Type the URL address, “market.android.com” in the “Search” text box. Tap on the magnifying glass icon (search button).

Step 2:

Tap on the “Gmail” link located near the top of the page. Use your Gmail account information to log on to Android Market. Enter your username in the “Username” text box. Enter your password in the “Password” text box and tap the “Sign In” button.

Step 3:

Type the keywords “ad blocker” in the “Search” text box on the homepage. Tap on the magnifying glass icon (search button). Browse the list of free ad-blocker applications. Scroll down the page until you see one that will block and prevent popup ads from appearing on your phone.

Step 4:

Tap on the “Install” or “Buy” button next to the name of the ad-blocker application that you want to download on your Android smartphone. If you want to buy an ad-blocker application, you will need to provide your credit card information to make the purchase. Follow the website's instructions for purchasing the ad-blocker application. 

Step 5:

Tap the “OK” button and confirm that you want to install the application. Follow the on-screen instructions for downloading the ad-blocker application. When the installation is complete, go to the “Application” list and tap the ad-blocker icon to launch the application.

Step 6:

Follow the ad-blocker application instructions on how to use the software to block popup ads. For example, if you're using “Ad Blocker” on your phone, tap on an application icon that you want the ad-blocker application to block popup ads. A popup menu will appear on your display screen. Select the “Block” option to add the application to the Ad Block list. To remove the application from the Ad Block list, tap on the “Unblock” option.


Step 7:

Go to “Menu” and then “Setting” to enable or disable the Ad Blocker service. If you want to disable your Internet connection to prevent popup ads from appearing on your phone, tap the “Home” key and use your finger to press down on an empty area on the Home screen. Select “Add to Home Screen Menu” and then select “Widgets” and “Network Toggle.” Tap on the network icon to turn the Internet connection on or off.



Read More

Tuesday 21 January 2014

How To Prevent cut, paste, copy, delete, re-naming of files & folders.

3 Comments

We are pleased to release Prevent v 1.0, a freeware app which runs on all Windows. If you don’t want anyone deleting or renaming or messing around with your data, maybe your younger sibling, then Prevent may be able to help you.
The downloaded zip file consists of:
1. Prevent.exe
2. Pre_1
3. Pre_2
4. Read Me file.
5. Uninstall
Run the Prevent installer setup. The installer only places the Prevent folder in the system Program Files folder. A desktop shortcut will also be created. To run the program, click on Prevent. Set your Hot key to stop Prevent. You may set it asCtrl+P if you wish. Hotkeys Win+F8 kills Pre_1 and Win+F9 kills Pre_2, too. But the single hotkey set by you will kill all Prevent processes at the same time.
Prevent :1. Stops Cut
2. Stops Paste
3. Stops Copy
4. Stops Delete
5. Stops Copy To
6. Stops Move to
7. Stops Send To
8. Prevents renaming
9. Disables Task Manager’s End Process button. Alsoit doesn’t allow you to right click on process name and click on end process. It also grays out the context menu items, disable Ctrl+C, Ctrl+X and Ctrl+V and/or stops the process.
To uninstall or remove Prevent, use the Uninstaller situated in the Prevent folder, or uninstall it via the Control Panel or simply delete its Program folder.
download1 Prevent cut, paste, copy, delete, re naming of files & folders.
Read More

Thursday 16 January 2014

Where the world’s biggest coffee drinkers live

3 Comments
Not all coffee drinkers are made equal. By Roberto A. Ferdman  January 15, 2014
America might be famous for running on coffee, but it doesn’t run on much. Not compared to a handful of other countries, anyway. When it comes to actual coffee consumption per person, the US doesn’t even crack the top 15.
For much of Europe, and especially Scandinavia, the story is quite different. In a review in 2010 about Stieg Larsson’s hit Swedish trilogy, the New York Times wrote incredulously about how the books’ scenes seemed to always revolve around endless servings of coffee:
…everyone works fervidly into the night and swills tons of coffee; hardly a page goes by without someone “switching on the coffee machine,” ordering “coffee and a sandwich” or responding affirmatively to the offer “Coffee?”
But as it turns out—and as the Times soon thereafter learned—the coffee obsession has much less to do with Larsson than it does with Sweden. Or really, with all of Scandinavia, the Benelux countries, and bits of Eastern Europe. The Netherlands’ per-capita consumption of 2.4 cups a day is almost the same as those of the US, UK, Spain, and France combined.

Read More

Monday 13 January 2014

MIT University website defaced by Anonymous hackers in honor of Aaron Swartz

1 Comment

Today is January 11, 2014 and the last year on the same day a 26-year-old, young hacker, Reddit cofounder and the digital Activist, Aaron H. Swartz committed suicide. He found dead in his Brooklyn, New York apartment, where he had hanged himself.
Swartz was indicted by a federal grand jury in July 2011, accused of hacking the MIT JSTOR database and stealing over four million documents with the intent to distribute them.

He could have prison for 50 years and $4 million in fines by the Court, but before that he committed suicide in fear. Swartz's father, Robert, later blamed the MIT and the judiciary system for his son's death.

On the first Anniversary of Aaron Swartz, today the Anonymous group of hackers defaced the sub-domain of the Massachusetts Institute of Technology (MIT) website (http://cogen.mit.edu/) for about an hour as part of #OPLASTRESORT.

Defacement page was titled 'THE DAY WE FIGHT BACK'. The message posted on it, “Remember The Day We Fight Back, Remember. We Never Forget, We Never Surrender, Expect Us.”
At the time of writing, the domain was down. The attack on the website of MIT is a part of the tragic suicide of hacker Aaron Swartz to give him tribute.

It was the MIT's role in the federal prosecution against an activist, which ultimately led to him committing suicide, but the U.S Government has not learned anything and they are planning to make laws stricter against hackers. Recently, The Senate Judiciary Committee Chairman 'Patrick Leahy' reintroduced a revamped version of the "Personal Data Privacy and Security Act" for tough criminal penalties for hackers. The new bill suggests 20 years in prison, rather than 10 years (currently) and also recommending to give same penalties for the hackers who even attempt to hack the systems, but doesn't succeed.
Read More

Thursday 9 January 2014

Recruitments at NHDC for 42 posts

Be The First To Comment
INDIA TODAY ONLINE  NEW DELHI, JANUARY 8, 2014 | UPDATED 16:05 IST
Narmada Hydroelectric Development Corporation Ltd. (NHDC Ltd.) invites applications for recruitment for various posts that include Trainee Engineer, Junior Engineer, Supervisor and Hindi Translator. The interested and eligible candidates can apply for the post through the prescribed format before 14th February, 2014. 
Posts: 42
1.    Trainee Engineer (Civil) / (E2): 3 posts
2.    Trainee Engineer (Electrical) / (E2): 10 posts
3.    Trainee Engineer (Finance) / (E2): 5 posts
4.    Trainee Engineer (HR) / (E2): 3 posts
5.    Trainee Engineer (PR) / (E2): 1 post
6.    Junior Engineer (Electrical) / (S1): 10 posts
7.    Junior Engineer (Mechanical) / (S1): 5 posts
8.    Supervisor (IT) / (S1): 4 posts
9.    Hindi Translator/ (W6): 1 post

Eligibility Criteria: 

1.    Age Limit: Age limit for all the posts mentioned above is 30 years as on 1st February 2014.
2.    Educational Qualifications:
  •     Trainee Engineer (Civil) / (E2): The candidate should have a full time regular bachelor's degree in Engineering/ Technology/ BSc. Engineering Degree in Civil Engineering from a recognized Indian University/ Institute approved by AICTE or AMIE in Civil engineering, with at least 60% marks or equivalent grade.
  •     Trainee Engineer (Electrical) / (E2): The candidate should have a full time regular bachelor's degree in Engineering/ Technology/ BSc. Engineering Degree in Electrical Engineering from a recognized Indian University/ Institute approved by AICTE or AMIE, with at least 60% marks or equivalent grade.
  •     Trainee Engineer (Finance) / (E2): The candidate should be a graduate with CA from Institute of Chartered Accountants of India/ CWA or CMA from institute of Cost Accountants of India (formerly known as ICWA)
  •     Trainee Engineer (HR) / (E2):The candidate should have a full time regular two years post graduate degree/ Post Graduate Diploma/ Post Graduate Program in Management with specialization in Human Resource/ Human Resource Management/ Human Resource Management and Labour Relations/ Industrial Relations/ Personnel Management/ Personnel Management & Industrial Relations.
  •     Trainee Engineer (PR) / (E2): The candidate should have a two year full time regular post graduate degree/ Post graduate diploma in Communication/ Mass Communication/ Journalism from a recognized Indian University or Institute approved by AICTE/ AIME in Civil Engineering with at least 60% marks or equivalent grade.
  •     Junior Engineer (Electrical) / (S1): The candidate should have a three years diploma in Electrical Engineering from a recognized Indian University/ Institute approved by AICTE with at least 60% marks or equivalent grade.
  •     Junior Engineer (Mechanical) / (S1): The candidate should have a three years diploma in Mechanical Engineering from a recognized Indian University/ Institute approved by AICTE with at least 60% marks or equivalent grade.
  •     Supervisor (IT) / (S1): The candidate should be a graduate with DOEACC 'A' Level/ Graduate with one year diploma in Computer Application or BCA/ BSc. (Computer Science) from a recognized Indian university/ Institute with at least 60% marks or equivalent grade.
  •     Hindi Translator/ (W6): The candidate should have a Master's degree from a recognized Indian University in Hindi with English as an Elective subject at the degree level or Master's degree from a recognized Indian University in English with Hindi as an Elective subject at the degree level.
How to apply:
The candidate should send completed applications in duplicate along with application fee and the attested copies of certificates in support of experience, age, qualification, caste / PWD and others as per applicability, with a recent passport size photographs duly signed and affixed at right upper corner of application. This should be sent in an envelope super-scribing the "name of the post applied for" and Advt. No. NHDC/HR/RECT-I/2013 to "SENIOR MANAGER (HR) - Rectt. NHDC Ltd., NHDC PARISAR, SHYAMALA HILLS, BHOPAL (M.P.) 462013 latest by 14th February 2014.

Application Fee:
SC/ST/PWD candidates do not have to pay any application fee. Others have to send an application fee of Rs.500/- in the form of crossed Demand Draft drawn in favour of "NHDC Ltd" payable at Bhopal, MP - along with an application.
Read More

Why You Should Learn to Run a Server Before You Learn to Code

1 Comment

server

To the disappointment of everyone who wants to learn to code so they can get rich or powerful, developer Dave Winer tells us that's probably not going to happen. He lists good reasons why you might want to learn to code, but recommends you learn to run a server first.


Learning to code is good if you have a calling, if you feel it's what you must do to express yourself. If you have ideas that you can implement in code that no one else is doing. Or if you just love the puzzles that programming is constantly presenting you with. You have to have a certain amount of self-hatred to love programming, between, because it's a grind. And to do it well you have to have a lot of all of these things.
You might think that by learning to code you get to be the Man Behind the Curtain, the all-powerful person who makes the digital world work. But that's not what coding is about. If you want power, and I've said this many times — rather than learn to code — first learn to run a server. That's real power. And it's far easier than programming.


Plus, running a server, Winer says is a gateway into programming. 
This advice echoes a previous perspective about learning to work with technology 
(only it's less dismissive of the benefits of learning to code).

Learning to code will not make you rich
 (or particularly powerful) | Scripting News

Photo by gruntzooki.

Read More

Thursday 2 January 2014

Top 10 Threat Predictions for 2014

1 Comment
During the past few years, security threats and actual breaches have grown exponentially. Malware has gone mainstream, social engineering has become far more sophisticated, high-profile database hacks have become disturbingly common, and distributed denial-of-service (DDoS) attacks have rocked businesses across a wide range of industries. These attacks have rendered countinue ...

Android Malware Will Expand

As the Android OS takes root in game consoles, wearable devices, home automation equipment and industrial control systems, malware will appear on these devices.

Use of Encryption Will Increase


Fears that critical data and intellectual property could be compromised or stolen through malware or government eavesdropping will lead to an uptick in the use of encryption.



Shutting Down Botnet Operators

Law enforcement will broaden its scope and focus on a broader set of global cyber-targets, including botnet operators and individuals selling cyber-crime services.

Battling for the Deep Web


Improved versions of anonymous services and file-sharing  applications will grow, and it will become more difficult to infiltrate and take down these systems.


Targetig Off-Net Devices
Cyber-crooks will target infrastructure over desktops. The first generic exploitation frameworks and mass malware agents for home devices will appear.



Becoming More Transparent

On the heels of an FTC crackdown in 2013, network security vendors will face increased scrutiny and accountability.



Botnets Will Migrate


Cyber crooks will transition from a traditional client-server botnet approach to a P2P strategy that makes it more difficult to dismantle and disrupt their activities.


Botnets Will Cross-Breed

Increasingly sophisticated botnets will seek out other botnets and cross-infect with them to more effectively increase their base of machines.


More Attacks on Windows XP

When Microsoft stops supporting Windows XP on April 8, newly discovered vulnerabilities will not be patched, and systems will become vulnerable.

Biometrics Will Increase

The use of two-factor authentication and biometric methods—including tattoos, iris scanning and facial recognition—will grow.
Read More

Wednesday 1 January 2014

Snapchat Got Hacked 4.6million Users Phone Numbers Leaked Online

Be The First To Comment
Snapchat Got Hacked 4.6million Users Phone numbers Leaked Online. First biggest hack starting with this New Year 2014. ZDnet has reported earlier that, "The Australian hackers announced its publication of Snapchat's API and the two exploits on the GibSec Twitter account on Christmas Eve ".
After this report hackers  use this trick and create a Video to access Snapchat hacks.

video



 Snapchat is a photo messaging application developed by Evan Spiegel and Robert Murphy, then Stanford University students. Using the app, users can take photos, record videos, add text and drawings, and send them to a controlled list of recipients. These sent photographs and videos are known as "Snaps".

When cyber security researcher submits website exploit report to companies, they didn't take it seriously. If Snapchat took action on these exploits before, then this was not happened.

As before True caller database was also hacked in July 2013. we hope other social network website will learn from these hacks and will more secure their servers.

Now SnapchatDB.info has been suspended after this leaked.

Read More