Goodbye To Bandgo.... (Closing On 31 July 2012)

R.I.P. 2012

Hello users! This is to inform that bandgo will be closing on 31 July 2012 

forever. So if you have any files download them now. Bandgo joins megaupload.

 

GoodBye Bandgo !

SQL Injection Attacks and Defense

SQL Injection is one of the most popular web attacks that the security world has ever witnessed since the evolution of Internet. Till date it remains one of the less understood vulnerability from web security perspective as indicated by growing number of SQL injection attacks.

In this direction, this book is set to clear apart those short comings and present real facts about the insecurities surrounding the  SQL Injection.

Here is the table of contents…

Chapter 1: What is SQL Injection?
Chapter 2: Testing for SQL Injection
Chapter 3: Reviewing Code for SQL Injection
Chapter 4: Exploiting SQL Injection
Chapter 5: Blind SQL Injection Exploitation
Chapter 6: Exploiting the Operating System
Chapter 7: Advanced Topics
Chapter 8: Code-Level Defenses
Chapter 9: Platform-Level Defenses
Chapter 10: References

The book starts with describing various SQL Injection attack scenarios from different angles covering multiple operating systems. Also it covers different type of SQL Injection attacks in detail which makes it easy to understand. Rest of the book deals with defenses at different level, starting from development to deployment. Chapter 8 explains static analysis of code using the tools for identifying and preventing SQL injection vulnerabilities at the root itself.  Chapter 9 focuses on putting up defenses on different operating systems and for various type of databases including MsSQL, MySQL, Oracle etc.

Compared to any of the books produced so far, this book does real justice to the subject by comprehensively explaining both sides of the game, the attacking & defending against the SQL injection.

Written by the experts the book covers from basic to advanced levels and it is highly recommended for any one involved in the web security.

69 percent increase in SQL attacks seen in recent months

The number of SQL attacks jumped by nearly two thirds earlier this year according to cloud hosting firm FireHost who recorded over 450,000 blocked SQL injection attacks between the first and second quarter this year. 

According to a report in ComputerWeekly, the firm claimed this week that it protected its users from 17 million cyber attacks from April to June 2012. 469,983 of those attacks were SQL injections, up from 277,770 attacks earlier this year, a 69 percent jump. 

While security statistics have an intrinsic ebb and flow to them, FireHost’s numbers mark a spike. In this year’s X-Force Trend and Risk Report, IBM noted a 46 percent drop in SQL injections last year while a study by WhiteHat Security earlier this year noted the number of SQL injections in sites was also decreasing. After analyzing 7,000 websites, the firm found (.PDF) that only 11 percent of the sites contained SQL injection vulnerabilities while only four percent of the sites carried at least one SQL injection flaw compared to the overall vulnerability population. 

A hacker group claimed to have used a SQL injection to infiltrate Yahoo earlier this month when 450,000 e-mail addresses and passwords belonging to the site’s Voices users were leaked online. 
 

A new Morto worm infection attacks exe files

 

A new strain of the Morto worm has added a file infection capability in addition to its existing ability to compromise remote desktop connections, according to new research from Microsoft. 

Now Morto is infecting files in the default RDP file share, ‘\\tsclient,’ after it determines which drives it can connect to. According to Microsoft's research, Morto is targeting all shared drives on the network. 

The worm is infecting .EXE files on default RDP and administrative shares as well as removable drives, and it marks each file it infects with the letters ‘PPIF.’ However, the worm is avoiding files that contain strings like ‘windows,’ ‘winnt,’ ‘qq,’ ‘outlook,’ ‘system volume information,’ or ‘recycler’ in their path. 

Morto is using a mutex (mutual exclusion) called ‘Global\_PPIftSvc’ to avoid multiple injections into the same processes. It stores its payload in the registry and has the capacity to download new or updated instructions from a remote host, which are decrypted and executed later. 

The Microsoft Malware Protection Center recommends that administrators use strong passwords to avoid this sort of infection. 

A previous iteration of the Morto worm popped up a year ago when it began infecting machines by running a brute-force password-attack on the remote desktop protocol (RDP) service. At the time, researchers said it was the first worm to use such a tactic. 

Russian Hacker 'Dmitry Zubakha' Arrested For DDoS Attacks on Amazon, eBay & Priceline

A twenty five years old hacker from Russia get arrested for allegedly perforimg two massive DDoS (Denial-of-Service) attacks on one of the most popular online shopping site Amazon.com and eBay in 2008.Dmitry Olegovich Zubakha also known as "Cyber bandit" in most of the hacker's underground community was indicted in 2011, but he was just arrested in Cyprus on Wednesday. The arrest of Zubakha took place under an international warrant and  currently he is in custody pending extradition to the United States. According to the indictment unsealed on Thursday said- Zubakha, with the help of another Russian hacker planned and executed DDoS attacks against Amazon.com, eBay, and Priceline in the middle of 2008. Zubakha and his co-conspirator launched the attack with the help of a DDoS botnetto generate a large number of traffic which interrupts the normal service of those online shopping sites. According to a press release by the U.S. Department of Justice (DOJ), the attacks made it "difficult for Amazon customers to complete their business on line."

He has been charged by law enforcement for stealing more than 28,000 credit cards in 2009 for that reason, Zubakha and his partner are also charged with aggravated identity theft for illegally using the credit card of at least one person. At present the charges in the indictment conspiracy, intentionally causing damage toa protected computer resulting in a loss of more than $5000, possession of more than15 unauthorized access devices (credit card numbers), and aggravated identity theft are just allegations. Zubakha faces up to five years in prison for conspiracy, up to teh years in prison and a $250,000 fine for intentionally causing damage to a protected computer, up to ten years in prison and a $250,000 fine for possessing unauthorized access devices, and an additional two years in prison for aggravated identity theft.

Mastering CSS for Web Developers

Mastering CSS for Web Developers
Smashing Media | 9783943075137 | PDF | 365 pages | 10.95 MB

Hack a Server - The man behind the idea

“Choose a job you love, and you will never have to work a day in your life” said Confucius. These would be the words that describe Marius Corîci the most. In 2003 he started doing business in the plumbing industry and co-founded ITS Group, a franchise for Romstal Company, the biggest plumbing installations retailer from South-Eastern Europe. In 2007 he moved into Artificial Intelligence field and founded Intelligentics, a group for Natural Language Processing. Now, he is very focused on infosec and got involved in all the biggest independent security projects in Romania: S3ntinel,Hack Me If You Can, Hack a Server and DefCamp.

Marius considers himself a serial entrepreneur and is very passionate about Artificial Intelligence. Never a quitter, always a perfectionist, looking for challenges that will change the world we live in. He believes in people and the power of great teams, and he intends to start blogging in the near future.

What determined you to shift your attention towards software development industry?

Besides the great opportunities, I am a guy who loves challenges. I started to like developing digital products and I belive that the online industry will increase growth in the near future.

Hacking Servers

What is Hack a Server?

HaS (Hack a Server) is a platform designed for conducting manual penetration tests using the power of crowdsourcing, covered by anonymity and confidentiality.

It's a fact that communities and individuals who love to discover and test security issues already exist. Whether they are called black, grey or white hackers, crackers, skiddies, PenTesters you name it, they love to find flaws and vulnerabilities. They love challenges and every flaw or vulnerability represents a challenge for them. This is the truth.

When your system or production server gets hacked in real life, peaceful intentions are the least to expect. Trust me, we’ve been there having our platform “tested” and tested. Thanks God we don’t keep any sensitive data about our users on the platform.

HaS brings security skilled people in the same place and gets them paid for what they love doing most: Hacking. Everybody can register to our platform, but only the best will have access to “Playground Arena”, where all the hacking happens.

In order to get access to the “Playground Arena”, they will first have to pass a test. We all know that the most important thing when someone finds holes into your system is not the penetration itself but the report that describes the security issues and the solutions. That report is the most important thing for a CTO, Sys Admin or web app developer.

The test that a HaS user has to pass in order to get access for hacking, is like any other tests that they should pass in order to get different security certificates (e.g. CPTC, OSPC, CEH, CEPT, CISSP etc). The only difference is that we give this opportunity to all our users and we don’t charge for it. This test ensures CTOs, Sys Administrators and web apps developers that whenever they will pay and receive a Penetration Test Report, it will comply Penetration Test Standard Reports.

How did you come up with the idea behind HaS platform?

I use to say: Solve a problem, then, build a product. There were two ingredients that make me come up with this idea:

• Gaming: I hate gaming because if you are not aware, it's like a drug.
• Security: Security is one big problem, believe me.

One day, being with my little daughter at a doctor and waiting to get in, I was thinking „how can you use gaming in such a way to solve a big problem?” And it strike it me. Online Security Gaming but in another way that it hasn’t been done before. Using the power of crowd source, and not for points (as was done until now), but for real money. After I figured out the outlines, I grabbed the phone, called a friend who’s Sys Admin and asked if he would use such platform and how much would pay for this service. He said yes, he would use such service and he would pay like 1000 Euros. …And here we are. If you think deeper, we solve a few other complementary problems, like hackers that ware black hats, can become grey and start earning real money for what they love most: Hacking Servers. Moreover we fill up a niche between companies that perform penetration tests with high rate cost for small and medium companies and those companies. In fact we don’t even compete with those companies and we complete them. And I can add at least two or three more good things like being sys admin or tester on our platform you get the opportunity if you are in „Hall of Fame” to become consultants on InfoSec issues.

Building the product

Who is currently working to bring out HaS platform to the world?

I’ve tried many, we left few.

Marius Chis is currently CFO and the first investor in this project. I tried to involve people that fall in love with the project because I’m a strong believer that money is a consequence of a “well done job” and not a purpose.

Andrei Nistor, is the CTO. He is the one who did the most of the coding part, based on relevant feedback from team members or testers. He worked day and night to get the project working flawless, and made crowdsourcing pentesting possible.

Alexandru Constantinescu, is the PR & Marketing Executive. He impressed me with his determination when he told me how much loves the project and wants to jump in on marketing side with no initial financial interest, because he understands the development stages of a bootstrap leanstartup company.

Cosmin Strimbu is our frontend developer. Although I didn’t meet him at the time I’m being interviewed, the same like Alexandru, he just asked me to take him on board. I love this kind of people driven by passion of what they doing and not by money.

Am I lucky? Yes and no.

Lucky because They find me (not otherwise) and They find the project. Not lucky because I worked hard to spread the word about me and my projects. No, this is not luck, this is hard work. I have spent over 3 years in online industry, and although I’ve meet a lot of people, I would recommend just a few.

What is the business model that will bring you revenue from HaS?

We had a few business models in mind, but since we are dealing with a two sided market place we have decided to charge at a decent percentage those who get paid. That means low rates costs at a fraction comparing with penetration test companies, and we are aiming towards a mass adoption price.

Who are your customers?

HaS customers are companies that wants to solve their security issues fast and with low costs. CTOs CIOs CISOs, Sys Administrators, Data Base Administrators, Web Apps Dev are also the professionals within companies that can use our product.

Other customers are the individual specialists, whether they are PenTesters, Sys Administrators, who want to verify the security of their innovative servers or applications, covered by what we value most, anonymity and confidentiality.

What are the current features of hackaserver?

Hack a Server is the next level solution to resolve critical security issues in a funny war game way.

Cost effective: What can be better for your business than The Power of Crowd Source at cost of a fraction?

It’s Fast, Reliable and Secure.

Fast: Within minutes you can setup your server with most popular OS and start to configure. I think we have like 7 clicks to have a machine up and running

Reliable: Our PenTesters must pass a test and complete a Penetration Test Report to see if they really can be PenTesters before they get access to hack into Playground Arena.

Secure: At Hack a Server, we encourage you not to disclose your real identity whatever you are a company representative or a pentester. In this way, we don’t keep sensitive data on our platform which means that no matter if someone will try to penetrate our system. They will find nothing.

What’s next?

Are there new features to be implemented into the platfom?

Ha! There are a lot of features that we want to implement. We have a top three features but better for us is to let our customers to decide what they want most. On the second thought we have one that we believe will help CTOs, sys administrators, web apps dev and companies: Finding the best way to automate the process to replicate a physical machine on our platform. Now this is a challenge and we will start as soon as we close this iteration (I think?!).

How you intend to penetrate the market?

Hack a Server will become official platform for gamming at DefCamp a premier InfoSec Conference that will held on September 6-8 in Cluj-Napoca City at Hotel Napoca.

The virtualization module we make it open source so everybody who wants to deploy fast a PenTest lab can free of charge.

The virtualization module we intend to implement within faculties so the students will have a funny way to learn security.

Those are a few directions, part of our market strategy.

17 years old hacker will demonstrate Linux ELF Virus at 'The Hackers Conference 2012'

The Biggest Hacking Mania has arrived - 'The Hackers Conference 2012'.  In this first of its kind conference in India, Blackhat hackers drawn from around the world will demonstrate how they access a victim's personal information, and even confidential data available on the Android cell phone. The conference will be held on July 29 at the India Habitat Centre in New Delhi.

The use of Linux as an operating system is increasing rapidly, thanks partly topopular distributions such as ‘RedHat’ and ‘Suse’. So far, there are very few Linuxfile infectors and they do not pose a big threat yet. However, with more desktopsrunning Linux, and probably more Linux viruses, the Linux virus situation couldbecome a bigger problem.

17 years old hacker,Aneesh Dogra will talk on "How to make a Linux ELF Virus (That works on your latest linux distribution)" at 'The Hackers Conference 2012' . Linux or Unix has the reputation of being "not so buggy", and of being a good maintainer of system sanctity via good protection mechanisms.

This talk will be focused on How to make a simple ELF virus in Linux. A virus is a program that infects other programs stored on permanent media. Usually this means to copy the executable code of the virus into another file. Other possible targets are boot sectors and programmable ROMs. 

The Executable and Linking Format (ELF) is meant to provide developers with a set of binary interface definitions that extend across multiple platforms. ELF is indeed used on several platforms, and is flexible enough to be manipulated creatively, as demonstrated by many. A virus could attach viral code to an ELF file, and re-route control-flow so as to include the viral code during execution.

Aneesh said,"We'll be starting with a basic idea of a Prepernder and using that we'll create a Virus which actually works on your latest linux distribution. There will a demonstration showing how this virus infects different files on the system, and How it can be dangerous."

The Hackers Conference 2012 is expected to be the first open gathering of Blackhat hackers in India who will debate latest security issues with the top itelligence echolons in India.

ChallenGe Security Team, which includes Sina Hatef Matbue, Farhad Miria and Arash Shirkhorshidifrom Iran will deliberate on the topic "GraVitoN: Cross Platform Malware". GraViton, they claim aspires to become an artificial creature which can move between world of windows, world of apples, and world of emperor penguins, etc., and remain stealth. “We believe as this project grows, security professionals will have a better and deeper understanding of how viruses, trojans, etc work, so they can fight and protect themselves against those, and they can even create 'white viruses', to spread and fight against malicious viruses, effectively,” the press release informed.

App Store bypassed by Russian hacker without jailbreaking

Apple is investigating yet another security breach in its iTunes app store . A Russian hacker worked out a way that allows people to bypass payment in the App Store and download products for free.

The hacker, dubbed ZonD80, posted a video of the crack on YouTube (Deleted by Youtube now) and claims that the technique makes it possible to beat Apple's payment systems by installing a couple of certificates and assigning a specific IP address to the device.

The new service, which has already been subject to attempts at shutting it down, requires no jailbreaking and only minimal configuration changes. It works by funneling purchase requests through a server operated by the hacker, rather than the legitimate one offered by Apple. As a result, charges that normally would be applied to a user's account are bypassed.

Below are the steps to the hack:

• Install two certificates: CA and in-appstore.com.
• Connect via Wi-Fi network and change the DNS to 62.76.189.117.
• Press the Like button and enter your Apple ID & password.
• Using the above hack, you are actually stealing in-app purchase content from developers, which is kind of disturbing and is of course against developer’s terms of service.

ZonD80 is now asking for donations to set up a website to promote the hack."Why you must to pay for content, already included in purchased app? I think, you must not," he said. 

Apple has responded with the following statement:“The security of the App Store is incredibly important to us and the developer community,” Apple representative Natalie Harrison. “We take reports of fraudulent activity very seriously and we are investigating.”

Hacker wanted by FBI held in India For Carding Crimes

 Nikhil Kolbekar, aka HellsAngel, was arrested on July 11 in Mumbai, India. Eric Bogle, known as Swat Runs Train, and Justin Mills, or xTGxKAKAROT, were taken into custody in Canada, respectively Colorado, US. HellsAngel and Bogle is suspected of selling complete credit card details, including names, addresses, social security numbers, birth dates, and bank account information. He also sold remote desktop protocol (RDP) access data that could be utilized to breach computers in countries such as Turkey, India, Czech Republic, Brazil, Germany, France, Italy, Spain, Sweden, and others.

The suspect, Nikhil Kolbekar, was produced before the Esplanade Court on Thursday and has been remanded in judicial custody. He will be produced before the Patiala House court in Delhi on July 25, with the US pressing for his extradition through the Interpol.

Carding refers to various criminal activities associated with stealing personal identification information and financial information belonging to other individuals including the account information associated with credit cards, bank cards, debit cards, or other access devices and using that information to obtain money, goods, or services without the victims’ authorization or consent.

Janice K. Fedarcyk, the assistant director in charge of the New York FBI, said the cross-border law-enforcement operation is targeting "highly organized cyber criminals" and is designed to "root out criminal behavior on the Internet."

FBI Assistant Director in- Charge Janice K Fedarcyk said, “These arrests in India, Canada, and the United States as part of Operation Card Shop are just another example that cyber criminals will be stopped even if they cross borders. Operation Card Shop is an international operation aimed at sophisticated, highly organized cyber criminals involved in buying and selling stolen identities, exploited credit cards, counterfeit documents, and sophisticated hacking tools. The FBI and all our law enforcement partners, here and abroad, will continue to root out criminal behavior on the Internet.”

The police have seized a computer, hard-disk, CPU, CDs and pen-drives from Kolbekar, which will be used as evidence against him.

NVIDIA Developer Forums Hacked, 400000 user accounts at Risk

Nvidia shut down its Developer Zone online forum today after hackers gained access to members' account details.A statement Nvidia posted on the forum reads, "Nvidia suspended operations today of the Nvidia Developer Zone. We did this in response to attacks on the site by unauthorised third parties who may have gained access to hashed passwords."

Users are also warned not to provide any personal, financial or sensitive information in response to any email purporting to be sent by an NVIDIA employee or representative. All user passwords will be reset when the system comes back online, though it wasn’t mentioned when that was going to be. NVIDIA insists it is “continuing to investigate this matter.

Nvidia forum hack follows the recent LinkedIn and Yahoo! hacks. Earlier 6.5 million LinkedIn hashed passwords were stolen and subsequently published on unauthorized websites

Android Forums hacked, User Credentials Stolen

Phandroid's Android Forums Web site is hacked and user account details stolen, according to a notice posted online. The data includes the user names, e-mail addresses, hashed passwords, and registration IP addresses of the forums' more than 1 million users.

If you are one of them, you should change your password: go to your UserCP or use theForgot your password?. Furthermore, if you use the same e-mail address and password combination elsewhere, you should change it there as well.

"I have some unfortunate news to pass along," the post reads. "Yesterday I was informed by our sever/developer team that the server hosting Androidforums.com was compromised and the website's database was accessed. While the breach is most likely harmless, there are important and potential pitfalls, and we want to provide as much helpful information to our users as possible (without getting too technical)."

Phandroid will continue to investigate what happened. The exploit used has been identified and resolved. All code that resides in the database and the file system has been thoroughly reviewed for malicious edits and uploads.

Recently, the social Q&A Web site Formspring said that it was the victim of a hack that yielded hashed passwords for around 420,000 of its users. Yahoo warned users of its Yahoo Voice service of a breach in which 400,000 plaintext passwords were stolen from the company and posted online

Yahoo Voice hacked, 400,000 yahoo passwords leaked

A list of over 450,000 email addresses and plain-text passwords, in a document marked "Owned and Exposed" apparently from users of a Yahoo! service, is in circulation on the internet.

The affected accounts appeared to belong to a voice-over-Internet-protocol, or VOIP, service called Yahoo Voices, which runs on Yahoo’s instant messenger. The Voices service is powered by Jajah, a VOIP platform that was bought by Telefonica Europe BV in 2010.

The dump, posted on a public website by a hacking collective known as D33Ds Company, said it penetrated the Yahoo subdomain using what's known as a union-based SQL injection. By injecting powerful database commands into them, attackers can trick back-end servers into dumping huge amounts of sensitive information.

Since all the accounts are in plain-text, anyone with an account present in the leak which also has the same password on other sites (e-mail, Facebook, Twitter, etc), should assume that someone has accessed their account.

In a statement in which Yahoo apologizes for the attack, Yahoo tells that the data came from an older file from the Yahoo! Contributor Network (which it picked up via its Associated Content acquisition). But it also noted that less than five percent of the emails had valid passwords, and that it is now working to fix the vulnerability that led to the disclosure.

At Yahoo! we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We confirm that an older file from Yahoo! Contributor Network (previously Associated Content) containing approximately 400,000 Yahoo! and other company users names and passwords was stolen yesterday,July 11. Of these, less than 5% of the Yahoo! accounts had valid passwords. We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised. We apologize to affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com.

If you use Yahoo Voices, you should probably change your password now.Don't forget to make sure that your password is unique, hard to guess, and that you use a different password on every website you use. If you use the same password in multiple places you are just asking for trouble.

New Nokia N1 Concept phone runs Android 4.0 with PureView 41MP Camera [Rumor]

 

 We all are waiting for the Android devices manufactured by the most popular mobile phone company Nokia, but there is no evidential sign of such event. There are many concept designs and rumors floating around on the internet already.

The new Nokia N1 (Concept Phone) seems to be a ideal deal. The rumor which goes along with the phone seems to close to the legit configuration what Nokia might have in their mind for their first phone featuring Android OS.

Nokia 808 PureView was the last phone which supports Sysbian OS as mentioned earlier -- with 41 MP camera and true to life image censor and processor, it was is a true admirer.

If rumors and concept designs comes to be ture, Nokia N1 will come with 41 Megapixels camera and PureView Carl Zeiss sensor, a HD ClearBlack display and the pure Google experience.

You will love taking shots with this handset as it has the 41 megapixel Nokia PureView camerasensor. Its HD ClearBlack display is also a high point. Also, "the potential future Nokia model" will sport an upgraded resolution. You can certainly say that the phone will tout the best pixel density throughout.

Since right now Nokia is teamed up with Microsoft there's no way you'll see something like this, but give it some time and maybe Nokia will come around and get rid of Windows Phone. It's interesting to see those capacitive buttons below the display on the device and they actually look pretty nice. The creator of this 41 megapixel Android cameraphone says that he took the Lumia 800 as inspiration.

We might get to see a 3.7 inch smartphone with upgraded resolution, probably the best pixel density out there since it's 720p on a smaller than usual diagonal.

We just need to wait until Nokia actually decides to manufacture the devices powered by Android OS.