Egunge

Quick security checklist for webmasters

2008-04-12T10:16:00.000+08:00

Check your server configuration.

Apache has some security configuration tips on their site and Microsoft has some tech center resources for IIS on theirs. Some of these tips include information on directory permissions, server side includes, authentication and encryption.

Stay up-to-date with the latest software updates and patches.

A common pitfall for many webmasters is to install a forum or blog on their website and then forget about it. Much like taking your car in for a tune-up, it's important to make sure you have all the latest updates for any software program you have installed. Need some tips? Blogger Mark Blair has a few good ones, including making a list of all the software and plug-ins used for your website and keeping track of the version numbers and updates. He also suggests taking advantage of any feeds their websites may provide.

Regularly keep an eye on your log files.

Making this a habit has many great benefits, one of which is added security. You might be surprised with what you find.

Check your site for common vulnerabilities.

Avoid having directories with open permissions. This is almost like leaving the front door to your home wide open, with a door mat that reads "Come on in and help yourself!" Also check for any XSS (cross-site scripting) and SQL injection vulnerabilities. Finally, choose good passwords. The Gmail support center has some good guidelines to follow, which can be helpful for choosing passwords in general.

Be wary of third-party content providers.

If you're considering installing an application provided by a third party, such as a widget, counter, ad network, or webstat service, be sure to exercise due diligence. While there are lots of great third-party content on the web, it's also possible for providers to use these applications to push exploits, such as dangerous scripts, towards your visitors. Make sure the application is created by a reputable source. Do they have a legitimate website with support and contact information? Have other webmasters used the service?

Try a Google site: search to see what's indexed.

This may seem a bit obvious, but it's commonly overlooked. It's always a good idea to do a sanity check and make sure things look normal. If you're not already familiar with the site: search operator, it's a way for you to restrict your search to a specific site. For example, the search site:googleblog.blogspot.com will only return results from the Official Google Blog.

Use Google's Webmaster Tools.

They're free, and include all kinds of good stuff like a site status wizard and tools for managing how Googlebot crawls your site. Another nice feature is that if Google believes your site has been hacked to host malware, our webmaster console will show more detailed information, such as a sample of harmful URLs. Once you think the malware is removed, you then can request a reevaluation through Webmaster Tools.

Use secure protocols.

SSH and SFTP should be used for data transfer, rather than plain text protocols such as telnet or FTP. SSH and SFTP use encryption and are much safer. For this and many other useful tips, check out StopBadware.org's Tips for Cleaning and Securing Your Website.

Read the Google Online Security Blog.

Here's some great content about online security and safety with pointers to lots of useful resources. It's a good one to add to your Google Reader feeds. :)

Contact your hosting company for support.

Most hosting companies have helpful and responsive support groups. If you think something may be wrong, or you simply want to make sure you're in the know, visit their website or give 'em a call.

We hope you find these tips helpful. If you have some of your own tips you'd like to share, feel free to leave a comment below or start a discussion in the Google Webmaster Help group. Practice safe webmastering!

http://googlewebmastercentral.blogspot.com/2007/09/quick-security-checklist-for-webmasters.html

My site's been hacked - now what?

2008-04-09T00:42:00.000+08:00

All right, you got hacked. It happens to many webmasters, even despite the hard work you devote to prevent this type of thing from happening. Prevention tips include keeping your site updated with the latest software and patches, creating an account with Google Webmaster Tools Quick Security Checklist we posted last year.)

Remember that you're not alone—hacked sites are becoming increasingly common. Getting hacked can result in your site being infected with badware (more specifically malware, one type of badware). Take a look at StopBadware's recently released report on Trends in Badware 2007 this post Google Online Security Blog which highlights the increasing number of search results containing a URL labeled as harmful. For even more in-depth technical reports on the analysis of web-based malware, see The Ghost in the Browser (pdf) and this technical report (pdf) on drive-by downloads. Read these, and you'll have a much better understanding of the scope of the problem. They also include some real examples for different types of malware.

The first step in any case should be to contact your hosting provider, if you have one. Often times they can handle most of the technical heavy lifting for you. Lots of webmasters use shared hosting, which can make it difficult to do some of the things listed below. Certain tips labeled with an asterisk (*) are cases in which webmasters using shared hosting will most likely require assistance from their hosting provider. In the case that you do have full control over your server, we recommend covering these four bases:

Getting your site off-line
to see what's being indexed, keeping tabs on your log files to make sure nothing fishy's going on, etc. (There's more information in the for a comprehensive analysis of threats and trends over the previous year. Check out on the

Take your site off-line temporarily, at least until you know you've fixed things.*
If you can't take it off-line, return a 503 status code to prevent it from being crawled.
In the Webmaster Tools, use the URL removal tool to remove any hacked pages or URLs from search results that may have been added. This will prevent the hacked pages from being served to users.

Damage Assessment

It's a good idea to figure out exactly what the hacker was after.

Were they looking for sensitive information?
Did they want to gain control of your site for other purposes?

Look for any modified or uploaded files on your web server.
Check your server logs for any suspicious activity, such as failed login attempts, command history (especially as root), unknown user accounts, etc.
Determine the scope of the problem—do you have other sites that may be affected?

Recovery

The absolute best thing to do here is a complete reinstall of the OS from a trusted source. It's the only way to be completely sure you've removed everything the hacker may have done.*
After a fresh re-installation, use the latest backup you have to restore your site. Don't forget to make sure the backup is clean and free of hacked content too.*
Patch any software packages to the latest version. This includes things such as weblog platforms, content management systems, or any other type of third-party software installed.
Change your passwords - https://www.google.com/accounts/PasswordHelp

Restoring your online presence

Get your system back online.
If you're a Webmaster Tools user, sign in to your account

If your site was flagged as having malware, request a review to determine whether your site is clean
If you used the URL removal tool on URLs which you do want in the index, request that Webmaster Tools re-include your content by revoking the removal.

Keep an eye on things, as the hacker may try to return.

Answers to other questions you may be asking:

Q: Is it better to take my site off-line or use robots.txt to prevent it from being crawled?
A: Taking it off-line is a better way to go; this prevents any malware or badware from being served to users, and prevents hackers from further abusing the system.

Q: Once I've fixed my site, what's the fastest way to get re-crawled?
A: The best way, regardless of whether or not your site got hacked, is to follow the Webmaster Help Center guidelines.

Q: I've cleaned it up, but will Google penalize me if the hacker linked to any bad neighborhoods?
A: We'll try not to. We're pretty good at making sure good sites don't get penalized by actions of hackers and spammers. To be safe, completely remove any links the hackers may have added.

Q: What if this happened on my home machine?
A: All of the above still applies. You'll want to take extra care to clean it up; if you don't, it's likely the same thing will happen again. A complete re-install of the OS is ideal.

Additional resources you may find helpful:

If your site's been flagged by Google as serving malware, we'll alert you when you visit Webmaster Tools.
Don't forget about the Google Webmaster Help Group; it's full of extremely knowledgeable users, and Googlers as well. For a nice, on-topic example, check out this thread. There's also a Stop Badware group.
Matt Cutts recently posted Three tips to protect your WordPress installation on his blog, and there are lots of great comments below the post as well.

Feel free to leave additional tips you have in the comments.

http://googlewebmastercentral.blogspot.com/2008/04/my-sites-been-hacked-now-what.html

Google's Android

2007-11-08T11:38:00.000+08:00

Google has launched an open operating system for mobile phones, called Android. It has also formed an Open Handset Alliance with 33 partners, promising "better, cheaper" mobile phones.

What is Android?

Android is a series of software tools built by Google designed to power a next generation of mobile phone handsets.

The tools are based on Linux - and so are open source and free to use. It means any one can develop software for the platform and that Android itself can be tailored for individual phones, networks and potentially users.

What is the Open Handset Alliance?

Thirty four companies, including Google, have formed an alliance to promote Android and to develop features and handsets to take advantage of the platform.

Companies include handset manufacturers such as LG, HTC, Motorola and Samsung, chip firms such as Qualcomm and mobile networks like T-Mobile and China Mobile.

What is different about Android?

Google is stressing the open nature of the platform. Operating systems on current phones - such as Windows Mobile, RIM, Symbian and Palm - are proprietorial and have to be licensed for use. Google believes it will be easier and quicker to develop new applications for Android than the other systems.

What kinds of features and phones will we see?

That is the big question. Google and its partners believe that the new phones will make the internet experience on a mobile "better than on a PC".

But they have given little details about how this will be achieved, except to say Android includes an advanced web browser.

Most mobile web experiences are hampered by the limitations of the browser and screen resolution of the handset.

But devices such as the Apple iPhone and Nokia N800 - which are not powered by Android - are already showing the potential for a PC-like experience on a mobile device.

Google and partners have said the new phones will be able to make web experiences, such as video, sharing content and social networking, much easier on a handset.

The first phones are not due until the second half of 2008 but developers will be able to get a look at the Android tools from next week.

Will my current phone work with Android?

No. You will have to buy a new phone that is running the Android platform.

Does that mean current phones are obsolete?

Not at all. Rival platform systems, such as Symbian, Palm, Windows Mobile and Blackberry, will continue to exist on an ever expanding array of devices. The companies behind all these platforms say they are also working on more accessible web experiences on future devices.

What has the reaction been to Google's big jump into mobiles?

Mixed. Analysts are emphasising the impressive partners Google has secured. But it is clear that none of the handset partners in the alliance are ditching deals with existing platforms in favour of Android. Google's system will be part of the mix.

Forrester analyst Charlie Golvin wrote: "Paradoxically, Android will increase complexity for developers initially since it represents yet another platform to support."

Technology writer Om Malik has described the move as a "massive PR move, with nothing to show for it right now".

He added: "The partners - with the exception of HTC and T-Mobile - are companies who are, in cricketing parlance, on the backfoot. Motorola, for instance is not exactly a bastion of handset excellence."

What are the business implications of the Google deal?

It is clear that Linux - the open source operating system - is going to be a big player in the mobile space. Android is based on Linux and there are other Linux-based mobile OSes in existence, such as OpenMoko, LiMo and Qtopia.

ABI Research predicts that Mobile Linux will be the fastest growing smartphone operating system over the next five years.

Linux-based smartphones will account for about 31% of such devices by 2012, the analysts have reported.

Why is Google doing this?

There are more people with mobile phones with access to the net right now than there are PCs with online connections.

This is a massive potential market for Google - and every other online firm - that is yet to be tapped and developed.

Improving the mobile web for all is a rising tide that will float all boats, including the Google battleship.

More people online means more people using Google's services, which means more advertising revenue for the firm.

http://news.bbc.co.uk/1/hi/technology/7080758.stm

Windows Seven: Think 2010

2007-10-21T20:07:00.000+08:00

Windows Seven now has an official ship target — 2010.

At Microsoft’s Global Exchange (MGX) annual sales conference in Orlando this week, Microsoft shared a bit more — albeit at a high level — on Windows Seven, according to a copy of a slide deck I saw that was distributed to the field sales force during the conference. Among the information shared was that Microsoft is anticipating it will take at least three years from now to get the next version of Windows client out the door.

Last time anyone got Microsoft to talk dates about Windows Seven, the next big Windows client release, a Windows exec slipped up and said something about 2009.

Microsoft officials told MGX attendees that the company is currently internally planning Windows Seven. So far, the company has determined Windows Seven will come in both 32- and 64-bit flavors. No word on how many SKUs or any kind of guidance on features was provided, but Microsoft did say it would address both consumer and business segments with Windows Seven. Microsoft is mulling the concept of how to extend Windows Seven with subscription-based services, according to the deck — more like Microsoft Desktop Optimization Pack (MDOP), which Microsoft currently offers to its Software Assurance customers, than Windows Live, however.

(MDOP builds on top of the Windows Vista Enterprise Centralized Desktop SKU — also only available to Software Assurance volume licensees. It includes: asset inventory, SoftGrid application virtualization, diagnostics and recovery toolset, advanced group-policy management and desktop error-monitoring capabilities.)

Maybe this talk of extending Windows with certain Software Assurance-only subscription services is what spurred the Gartner Group to predict this week that Microsoft plans to make Software Assurance mandatory? Not sure….

Before Microsoft delivers Windows Seven, it plans to roll out an update to its current MDOP offering, Vista Service Pack 1 and then another MDOP update, according to the deck. Microsoft made no dates — tentative or otherwise — available for these planned releases via the deck.

Microsoft officials confirmed the veracity of this Windows Seven information.

http://blogs.zdnet.com/microsoft/?p=592

China emerges as leader in cyberwarfare

2007-09-18T15:19:00.000+08:00

Paris; and Oakland, Calif. - When suspected Chinese hackers penetrated the Pentagon this summer, reports downplayed the cyberattack. The hackers hit a secure Pentagon system known as NIPRNet – but it only carries unclassified information and general e-mail, Department of Defense officials said.

Yet a central aim of the Chinese hackers may not have been top secrets, but a probe of the Pentagon network structure itself, some analysts argue. The NIPRNet (Non-classified Internet Protocol Router Network) is crucial in the quick deployment of US forces should China attack Taiwan. By crippling a Pentagon Net used to call US forces, China gains crucial hours and minutes in a lightning attack designed to force a Taiwan surrender, experts say.

China's presumed infiltration underscores an ever bolder and more advanced capability by its cybershock troops. Today, of an estimated 120 countries working on cyberwarfare, China, seeking great power status, has emerged as a leader.

"The Chinese are the first to use cyberattacks for political and military goals," says James Mulvenon, an expert on Chin's military and director of the Center for Intelligence and Research in Washington. "Whether it is battlefield preparation or hacking networks connected to the German chancellor, they are the first state actor to jump feet first into 21st-century cyberwarfare technology. This is clearly becoming a more serious and open problem."

China is hardly the only state conducting cyberespionage. "Everybody is hacking everybody," says Johannes Ullrich, an expert with the SANS Technology Institute, pointing to Israeli hacks against the US, and French hacks against European Union partners. But aspects of the Chinese approach worry him. "The part I am most afraid of is … staging probes inside key industries. It's almost like sleeper cells, having ways to [disrupt] systems when you need to if it ever came to war."

In recent weeks, China stands accused not only of the Pentagon attack, but also of daily striking German federal ministries and British government offices, including Parliament. After an investigation in May, officials at Germany's Office of the Protection of the Constitution told Der Speigel that 60 percent of all cyberattacks on German systems come from China. Most originate in the cities of Lanzhou and Beijing, and in Guangdong Province, centers of high-tech military operations.

German Chancellor Angela Merkel publicly raised the issue with Chinese Premier Wen Jiabao in Beijing last month. Mr. Wen did not deny China's activity, but said it should stop. President George Bush, prior to his meeting with Chinese President Hu Jintao in Sydney, Australia, at the APEC summit last week, stated that respect of computer "systems" is "what we expect from people with whom we trade."

The accusations, hard to prove conclusively, still illumine an emerging theater of low-level attacks among nations. This spring, presumed Russian hackers made headlines with a one-off cyberblitz of Estonia, shutting down one of the most wired countries in Europe for a week – blunt payback for removal of a Soviet war memorial.

source: http://www.csmonitor.com/2007/0914/p01s01-woap.html

'Hacker-proof' system? You be the judge

2007-09-18T15:17:00.000+08:00

Aerospace giant European Aeronautic Defence and Space has introduced a "hacker-proof" encryption technology that it claims will revolutionize Internet security and bring "cryptography into the 21st century."

The system, called "Ectocryp," was developed for military and business applications by researchers and engineers at EADS' Defence and Security Systems division in Newport, South Wales. The team relied on technology developed by the U.K.'s Government Communications Headquarters, sister agency to the NSA and formerly known as Government Code and Cypher School, of German Enigma fame.

The system owes its success to the "lightning speed with which the 'keys' needed to enter the computer systems can be scrambled and reformatted," reports the Telegraph. "Just when a hacker thinks he or she has broken the code, the code changes." (See related video.) The system is the first "Top Secret, Eyes Only" High Assurance Internet Protocol Encryptor (PDF) device in the U.K., according to the company.

How secure is it? Send your most excellent and sensitive Ectocryped data around the globe, and "all the computer technology in the world cannot break it," EADS sales manager Gordon Duncan boasted to the Telegraph.

Note to hackers of the Peeps Liberation Army: The gauntlet is officially down.

source: http://crave.cnet.com/8301-1_105-9778661-1.html

Major computer viruses over the last 25 years:

2007-09-13T06:02:00.000+08:00

Elk Cloner, 1982: Regarded as the first virus to hit personal computers worldwide, ''Elk Cloner'' spread through Apple II floppy disks and displayed a poem written by its author, a ninth-grade student who was designing a practical joke.

Brain, 1986: ''Brain'' is the first virus to hit computers running a Microsoft Corp. operating system – DOS. Written by two Pakistani brothers, the virus left the phone number of their computer repair shop.

Morris, 1988: Written by a Cornell University graduate student whose father was then a top government computer-security expert, the virus infected an estimated 6,000 university and military computers connected over the Internet. Although viruses had spread over the Internet before, until ''Morris'' none was widespread.

Melissa, 1999: ''Melissa'' was one of the first to spread over e-mail. When users opened an attachment, the virus sent copies of itself to the first 50 people in the user's address book, covering the globe within hours.

Love bug, 2000: Also spread via e-mail attachment, ''Love Bug'' exploited human nature and tricked recipients into opening it by disguising itself as a love letter.

Code Red, 2001: Exploiting a flaw in Microsoft software, ''Code Red'' was among the first ''network worms'' to spread rapidly because it required only a network connection, not a human opening an attachment. Although the flaw was known, many system operators had yet to install a software patch Microsoft made available a month earlier to fix it.

Blaster, 2003: ''Blaster'' also took advantage of a known flaw in Microsoft software and, along with the 2003 ''SoBig'' outbreak, prompted Microsoft to offer cash rewards to people who help authorities capture and prosecute the virus writers.

Sasser, 2004: ''Sasser'' exploited a Microsoft flaw as well and prompted some computers to continually crash and reboot, apparently the result of bad programming. Although ''Sasser'' is hardly the last malicious software, the ones since then have generally received less attention as networks install better defenses and profit-minded virus writers try to avoid detection and removal of their works.

Which superhero are you?

2007-08-24T00:34:00.000+08:00

I had to take the test. I cant help it. I was really curious on the outcome. hehehehehhehe. The Iron Man? hmmm.. not bad!

Your results:
You are Iron Man
Inventor. Businessman. Genius.

Click here to take the Superhero Personality Test

Google Hacking for Penetration Testers ebook

2007-08-08T19:53:00.000+08:00

Understanding the adversary mindset is an important element in designing and developing effective protective strategies."—Amit Yoran, Former Director of the National Cyber Security Division, Department of Homeland Security

"...Google Hacking exposes those with their pants down, so the whole Internet can see their skivvies."—Adrian Lamo, Special Project Editor, The American River Current

"This Book Rocks!"—Roelof Temmingh, Technical Director, SensePost (Creators of the Wikto Web Assessment Tool)

"You can use Google for something other than hacking? I only use Google for finding vulnerable servers."—Tim Mullen, CIO, AnchorIS.com

Explore the Dark Side of Googling

* Morph Google from “Directory Assistance Please” into a Rig Mounted Pneumatic Rock Drill
* See How Bad Guys Use Portscans, CGI Scans, and Web Server Fingerprinting to Stroll in the Back Door of Your Enterprise
* Slam the Door on Malicious Google Hacks That Expose Your Organization’s Information Caches, Firewalls, IDS Logs, and Password Databases

Can you guard against Google Hacking? Google’s advanced search capabilities are being used on an increasing basis by some to harvest information from the Web. Sensitive documents, stolen credit card information, even servers behind corporate firewalls can be found using Google searches.

Are you the type of person who needs to know how to torque Google to detect SQL injection points and login portals, execute port scans and CGI scans, fingerprint web servers, locate incredible information caches such as firewall and IDS logs, password databases, SQL dumps and much more – all without sending a single packet to the target! Then Google Hacking for Penetration Testers is for you. By reverse engineering the techniques of malicious "Google hackers," this book shows security practitioners how to properly protect their servers from this often overlooked and dangerous form of information leakage.

Contents of this Book

Google Searching Basics

Advanced Operators

Google Hacking Basics

Network Mapping

Locating Exploits and Finding Targets

Ten Simple Security Searches That Work

Tracking Down Web Servers, Login Portals, and Network Hardware

Usernames, Passwords, and Secret Stuff, Oh My!

Document Grinding and Database Digging

Protecting Yourself from Google Hackers

Automating Google Searches

Professional Security Testing

An Introduction to Web Application Security

Are You Safe? Learn the Queries that Hackers Use:

filetype:lit lit (books|ebooks) Online unprotected e-books!

inurl:root.asp?acs=anon Outlook Web Access Public Folders and the Exchange Address Books!

intitle:"Live View / - AXIS" | inurl:view/view.sht Axis Netcams Live View!

inurl:"ViewerFrame?Mode=" Live Panasonic Network Cameras!

SNC-RZ30 HOME Live Sony NC RZ30 web cameras!

intitle:"toshiba network camera - User Login" Live Toshiba network cameras!

aboutprinter.shtml Xerox printers on the web!

index.of.dcim Digital Camera Photo Dumps!

and hundreds more!

Johnny Long has spoken on network security and Google hacking at several computer security conferences around the world including SANS, Defcon, and the Black Hat Briefings. During his recent career with Computer Sciences Corporation (CSC), a leading global IT services company, he has performed active network and physical security assessments for hundreds of government and commercial clients. His website, currently the Internet's largest repository of Google hacking techniques, can be found at http://johnny.ihackstuff.com

Source: http://www.syngress.com/catalog/?pid=3150

I found this rapidshare link while surfing the net, I think the book is quite informative. Anyways, here is the link:

http://rapidshare.com/files/47026629/Google_Hacking_for_Penetration_Testers.exe

Yep. its ".exe" file and inside it is the ".pdf" file. NOD32 didnt detect anything. Probably this link will be dead in a few weeks or once detected for copyright issues or something.

PuTTY for Symbian OS

2007-08-08T19:47:00.000+08:00

PuTTY is a free SSH client developed by Simon Tatham and others. This page contains a port to the Symbian OS, with support for S60, Series 80 Communicators, and Nokia 7710. All Nokia devices based on Symbian OS and all S60 devices by all manufacturers are supported. Separate UIQs are available from Robert Horvath and MobilEyes AB for UIQ 1 and 2, and from Taneli Leppä for UIQ 3.

More info at: http://s2putty.sourceforge.net/

I think this is one of coolest mobile application available for free in the internet.

Trinux - Under active Development again

2007-08-08T19:23:00.000+08:00

What is Trinux?

Trinux was a ramdisk-based Linux distribution that boots from a single floppy or CD-ROM, loads it packages from an HTTP/FTP server, a FAT/NTFS/ISO filesystem, or additional floppies. Trinux contains the latest versions of popular Open Source network security tools for port scanning, packet sniffing, vulnerability scanning, sniffer detection, packet construction, active/passive OS fingerprinting, network monitoring, session-hijacking, backup/recovery, computer forensics, intrusion detection, and more. Trinux also provides support for Perl, PHP, and Python scripting languages. Remote Trinux boxes can be managed securely with OpenSSH.

Trinux gives you the power of Linux security tools without requiring a full-blown Linux install or the need to download, compile, install, and update a complete suite of security tools that are typically not found in mainstream distributions.

More info at: http://trinux.sourceforge.net/legacy/

This project is now under active development again! See ubuntutrinux page over on Google Code for more information. Development snapshots (meaning 10MB .iso's built on Linux 2.6.20.7 and Busybox 1.4.2) are also available at http://www.threatmind.net/ubuntutrinux.

Trinux: A Linux Security Toolkit was a ramdisk-based Linux distribution that was under active development from 1998-2003. This new project (i.e. ubuntutrinux) seeks to integrate elements (and code, where appropriate) of Trinux with the Debian/Ubuntu mkinitramfs infrastructure to allow easy development and packaging Ubuntu binary (and ultimately package and repository) compatible ramdisk distributions using recent 2.6.x kernels. As before, the most common use is network security monitoring and analysis. See this blog entry for more on philosophy and design principles.

Although there might be some overlap in the tools available, this project does not seek to provide a pen-testing distro along the lines of Backtrack or Knoppix-STD . If you are looking for a platform to run Nessus or Metasploit I encourage you to look elsewhere.

More info at: http://code.google.com/p/ubuntutrinux/

I'v been waiting for this for a while and finally its on active development again..talk about portable old school command line pentesting.. ^_^

For a list of included tools, http://www.threatmind.net/secwiki/UbuntuTrinux/CoreTools

A search engine for open source code

2007-06-02T12:22:00.000+08:00

A search engine for open source code
Krugle aims to help open source developers find needed pre-existing code and has partnered with sites such as SourceForge and CollabNet

Krugle aspires to be the Google of software code search, even referring to itself as a verb. And recently, Krugle has started to become the go-to search site for open source developers, partnering with key Web sites, including SourceForge.net, the leading repository for open source software projects, to embed Krugle search. Krugle also announced a similar partnership with CollabNet, a community of 1 million developers.

Co-founder and CTO Ken Krugler says Krugle soothes a pain point for developers: They spend 25 percent or more of their time searching for lines of code to perform certain functions that may already exist. There's no sense in writing code that's already been written, says Krugler.

How does Krugle simplify code search on SourceForge? Developers typically visit SourceForge to find a project similar to the one they're doing. But they end up having to download the whole project. Krugle lets them search through the project to see if it fits the bill without downloading it entirely.

Krugle gives software developers one thing they need most: time, says John Andrews, CEO of Evans Data, a research firm.

"If you could shave 10 percent of that [search] time off, that is a huge productivity improvement either in cost savings, revenue generation, or just spare time," Andrews says.

Google is still the first stop for many open source developers, but as the volume of open source code grows, as companies use more open source for development internally, and as more software companies open their previously proprietary code, Google may not be able to keep up, says Andrews.

Krugle's next venture will be search for open source development within enterprises. An enterprise product currently in beta is slated for general release in the second half of 2007.

http://www.infoworld.com/article/07/06/01/A-search-engine-for-open-source-code_1.html

krugle ->

Watch a video that documents Google AdWords attack

2007-05-03T16:01:00.000+08:00

Watch a video that documents Google AdWords attack Exploit Prevention Labs released a video documenting how attackers are using Google's popular AdWords advertising system to infect unsuspecting users with malware.

As the video shows, cyber criminals ran Google ads for legitimate, trusted organizations like The Better Business Bureau. When users clicked on the ads, they were redirected to a malicious web site that attempted to exploit a common security vulnerability in Internet Explorer. Users who hadn't installed Microsoft's latest security patches were infected with a so-called postlogger - malware that's designed to steal confidential account access information, in this case from customers of 100 different banks.

http://www.net-security.org/secworld.php?id=5089

Notes on Vista forensics

2007-04-22T09:15:00.000+08:00

In part one of this series we looked at the different editions of Vista available and discussed the various encryption and backup features which might be of interest to forensic examiners.

In this article we will look at the user and system features of Vista which may (or may not) present new challenges for investigators and discuss the use of Vista itself as a platform for forensic analysis.

User files and applications

One of the first things to note about users' data files is that they're not where they used to be! Instead of the familiar "Documents and Settings" folder we must instead look to a new folder called "Users". Other folders which typically fall under the scope of an examination have also moved so examiners running scripts which expect certain files or folders to be in specific locations may need to do some editing. Another interesting change is that Vista is configured by default to not update the last access time on files, a decision made to increase file system performance.

At the application level, much forensic work consists of reconstructing web browsing and email activity, so let's take a look at the relevant programs provided by Vista.

Vista ships with Windows Internet Explorer 7 for web browsing and, although forensic examiners will certainly encounter other browsers during Vista's lifetime, it seems reasonable to assume that IE7 and its Microsoft successors will represent the vast majority of browsers whose use comes under investigation. Familiarity with IE's usage of files and directories, together with experience using appropriate tools for recreating browsing activity (using the browser history, cache, cookies, favorites, etc), will continue to be essential components of every investigator's arsenal and most people currently working in the field will already be familiar with IE7 since its release last year. The version of IE7 included with Vista does include a number of additional features, however, which examiners should at least be aware of (such as Protected Mode, Parental Controls, and enhanced Network Diagnostics).

Windows Mail is the standard, standalone email client included with Vista. Functionally, if not aesthetically, similar to Outlook Express, Windows Mail is likely to be the focus of many investigations.

In terms of architecture, however, it should be noted that Windows Mail uses a JET database and messages, including newsgroup posts, are now stored in individual files (mail files have a .eml extension and newsgroup posts .nws).

These files have two "streams" - for mail messages the first stream consists of RFC compliant MIME data and the second stream holds XML metadata. Another change is that account information which used to be stored in the Registry is now also held in XML format within the Windows Mail folder of a user's profile.

However, Windows Mail is not the only email option likely to be available to Vista users at some stage in the future. Windows Live Mail Desktop, somewhat unfortunately abbreviated to "WLMd", is an email solution currently in beta which Microsoft describes as "an email client that can be downloaded onto Windows XP or Windows Vista...a rough super-set of Windows Mail in Windows Vista".

While the exact set of features is still being worked out, in broad terms this is an email client which will integrate with Windows Live Hotmail (previously known as Windows Live Mail), Microsoft's Web 2.0 mail client, and include a number of other features above and beyond those available in Windows Mail. Investigators already familiar with cases involving Hotmail usage will probably be well prepared for the challenges arising from WLMd but it will be interesting to see exactly what those challenges are once this client is released - those wishing to get a head start may wish to check out the beta.

In fact, situations where a user's data may no longer be stored on the local machine should come as no surprise to forensic examiners. Over the past few years most practitioners have come to realize that the hard disk is not the only source of potential evidence and have been forced to take a more holistic view of a suspect's computing environment whether that means a focus on the nearby, such as RAM or backup storage, or further afield, such as network devices or remote servers.

One last point which involves RAM, application usage and a new feature in Vista. As most computer users will know, there often comes a time when our machines slow to a crawl due to too many applications making demands on available memory. The most straightforward solution to this problem (other than running fewer programs at the same time, of course) is to add extra RAM but this can still be a daunting task for those with little technical knowledge.

Vista offers a solution to this problem in the shape of ReadyBoost, a new feature which allows attached flash memory devices to be used as extra memory. However, examiners should be aware of two important points.

irst, although strictly speaking ReadyBoost does provide extra memory the data held on the flash device is actually also present in the host machine's RAM - the intended benefit of the feature is that it provides faster access to this data for certain types of operations.

Second, the data on the device is AES-128 encrypted. It's too early to say how often examiners are likely to encounter ReadyBoost in practice (reports on its effectiveness appear mixed so its popularity may be limited) but with our attention being more and more focused on evidence sources beyond the hard drive it is at least something to be aware of.
System files and metadata

Log files are often a useful source of information and changes to the Event Viewer in Vista mean that log files are now created in an XML compliant .elf format (rather than as .evt files seen previously). Any scripts which are used to locate and parse log files may need to be updated.

The hidden file "thumbs.db" introduced in previous Windows versions which has been of such interest to investigators over the past few years has also undergone a significant change. In fact this file has been replaced by a number of "thumbcache_xxx.db" files which are now located within a user's profile at

\Users\\AppData\Local\Microsoft\Windows\Explorer

Another change to be aware of is that the Disk Cleanup Wizard included with Vista may be used to delete these thumbnails. (Note: in some cases Microsoft now refers to thumbnails as "icons" or "live icons".)

Metadata can be described as data about data. In the world of computer forensics, metadata is usually discussed in terms of information held about a file, a well known example of which is the information associated with a Word document which can include various details such as the author's name, comments and revision history (in fact, this particular example is so well known that Microsoft was forced to create a tool to help users remove the data in question!) Metadata on Windows systems becomes even more interesting when you examine multiple file streams, a concept first introduced in NT 3.51, which allow you to associate extra information with a file on an NTFS filesystem.

Although the information held in these streams may appear invisible to the typical user, it can be a rich source of information to the examiner. This potential repository for data could also be used to hide information and so it has become an essential area to cover during an investigation.

Although NTFS is the recommended file system for Vista Microsoft no longer believes that alternate data streams (ADS) are the best method for associating metadata with a file, primarily due to the fact that this extra information is not included when the file is transferred under certain circumstances (e.g. to a non-NTFS volume or when sent as an attachment).

Instead, Vista developers are being encouraged to include metadata within files themselves and this is another area where useful information may be uncovered by the examiner. It should be noted, however, that ADS functionality is still present within Vista so it should not be ignored during an investigation.

Returning to the user experience once again, another important develoment as far as metadata is concerned is that Microsoft is now encouraging users to add such data to their own files though the use of "tags" or "metatags". Primarily seen as a way to help users rate, organize and search through their content, user-generated tags may prove to be a useful source of information during certain types of investigation. However, the flip side of this potential benefit is that Vista also makes it relatively easy (through a file's Properties tab) for users to remove metadata.

Vista as an examination platform

Vista's much touted Aero interface may give the impression that "Minority Report" style crime-busting is just around the corner but, sadly, we're not quite there yet.

Perhaps unsurprisingly given the changes to some aspects of Vista of interest to forensic examiners (e.g. file structure, the Registry, the Recycle Bin, etc.) a number of issues with existing forensic software packages have already been identified and vendors continue to work on new releases in response.

Although many of the issues identified are directly related to the analysis of Vista on a suspect drive a number of other problems have been reported by those running Vista as the platform upon which the forensic package itself is running (it should be noted that in some cases Vista is not yet officially supported by the developer in these cases).

The problems are not only related to forensic software, however, and while some may be addressed with a simple driver update others may be considered even more fundamental as Scott A Moulton of Forensic Strategy Services, LLC. explains: "I still have major problems mounting large drives under Vista. I use many 1 terabyte or 2 terabyte drives and Vista is absolutely worthless on these drives - I'm lucky if Vista does not actually mess the drive up. Deleting files is a nightmare and sometimes takes days. Just simply copying files is so slow it is unbearable.

"I received quite a few responses from people who have had similar issues and it seems that DRM [Digital Rights Management] may be the most probable cause. They've found that Vista tries to check each file to see if there is a protection flag on it or not before even deleting the file."

Despite these issues, Vista retains much of previous versions of Windows and some third party tools are expected to function largely as before. Where changes do need to be made in some tools they may be minor. For example, most of the Sysinternals tools commonly used in many Windows live response scenarios are expected to work under Vista without modification. One exception is Process Explorer, a minor modification to which in order to enable full functionality is expected within the next few months.
Conclusions

Computer forensic examination does not only involve searching an individual's computer for evidence of their own wrongdoing but also includes situations where the system itself has been attacked, commonly resulting in data loss, alteration or a denial of service. In addition to the deliberate targeting of individual systems over a network the threats posed by malware downloaded through web browsing or email use are well documented.

One of Microsoft's goals with Vista is to significantly improve the security of the operating system and although the act of investigation is necessarily one which takes place after an incident has occurred, the effect of hardening the system against common attacks in the first place is one which may impact the number of incidents of this type which require investigation.

So, where does this leave us? I think the first thing to keep in mind is that the playing field hasn't changed overnight just because Vista has been released to the public.

In fact, there are a number of reasons to believe that the uptake of Vista amongst existing users might be relatively slow so whatever impact it does have may be fairly gradual (even Steve Ballmer, Microsoft's chief executive, has admitted that earlier sales forecasts may have been "overly aggressive").

Secondly, the changes in Vista most likely to affect forensic examiners are probably most accurately described as evolutionary rather than revolutionary. There really isn't much which we haven't seen before in some shape or other and already developed strategies to deal with. Undoubtedly there will be cases where new features do present difficulties but investigators will adapt their approach accordingly, perhaps moving towards a greater emphasis on live analysis or network-based evidence collection where appropriate.

And finally, taking a broader view, if Microsoft delivers on its promise to improve the security of our increasingly connected world then we all benefit. For the time being though, the fight between those with something to hide and those tasked with uncovering electronic evidence continues.

This article originally appeared in Security Focus.

Eight Faces of a Hacker

2007-04-08T13:21:00.000+08:00

You fight against them every day: hackers, attackers, insiders. You know what they do, but not who they are. They are often nameless, usually faceless. You'd like to be able to guess their next move, but that can be pretty difficult when you don't even know what motivates them or why they're attacking you.

Is there a way to "profile" a hacker, the way the police might profile an arsonist or a serial killer? Not exactly. But quietly, a collection of university researchers and law enforcement agencies has been developing a taxonomy of the hacker community, much as an entomologist studies and classifies insects. And police and security experts hope that taxonomy will eventually help them identify and root out the vermin.

"To address the problems created by hackers, it is apparent that we need more than just technical controls," says Marc Rogers, a professor at Purdue University and author of the industry's most widely-used taxonomy of the hacker community. "We also need to start understanding the individuals behind the attacks."

The effort to understand the psychology of hackers and attackers is nothing new. Psychological studies of "phone phreaks" can be found as far back as the early 1980s, and MessageLabs is publishing a study on internal "company devils" today. The idea behind most of the studies is the same: to break the stereotype of the hacker as a socially-inept male teenager sitting behind a PC in his parents' basement.

There is no single profile of a hacker, inside or outside the company, Rogers says in the most recent update of his taxonomy paper. In fact, the idea of lumping all hackers into a single group is "analagous to attempting to understand criminal activity by lumping the entire spectrum of traditional criminals (i.e., shoplifters to homicidal psychopaths) into one generic group," he says. "The idea seems ludicrous, yet this is what we are currently doing with the criminal domain of computer crimes."

There has been a "huge shift" in hacker profiles in the last few years, as motives shift from curiosity to financial gain, says Rogers, who has worked with law enforcement agencies on hacker profiling and computer forensics. But security managers should also be wary of oversimplifying the new threats as well, he advised.

"For years, vendors treated the 'cyber-punk' as the boogeyman, and they built at least some of their business on the fear that some brilliant teen would launch a virus," Rogers says. "Now some of them are painting organized crime as the boogeyman, spreading this notion that the Russian mafia is out to get every business."

In reality, there are lots of different types of attackers, Rogers states. His taxonomy breaks them up into eight different categories, each with different characteristics and motivations. The taxonomy is frequently used by law enforcement agencies and other researchers as a starting point for profiling computing attackers. "It's a long way from perfect, but I wanted to give people something to shoot at."

1. The Novice
Sometimes called "script kiddies," this group is typically young, with limited skills, whose primary motivation is thrill seeking and ego stroking. In order to prove their worth, they attempt to "rack up" trophies, often using pre-written software.

2. The Cyber Punk
This group comes closest to fitting the traditional view of the hacker -- young males with some skills and programming capabilities with a desire for attention and, sometimes, monetary gain. They typically choose high-profile targets, and they often choose vandalism over outright data theft.

3. The Internal
These are the insiders -- those who use their internal system privileges to gain access to unauthorized data. They generally fall into two subcategories: disgruntled employees seeking revenge and those who are looking to use the data for financial gain.

4. The Petty Thief
Traditional criminals who learn how to hack in order to expand their field of targets. They usually are not skilled at first, but they sometimes become skilled over time. Their sole motivation is money.

5. The Old Guard
Motivated by curiosity and the need for an intellectual challenge, these highly skilled individuals are capable of writing code and scripts. Espousing the ideology of the first-generation hackers, they usually have no criminal intent but will readily post the scripts and code they develop.

6. The Virus Writer
This group is still being defined, Rogers says. It is made up mostly of young males, who tend to age out of the group once they hit their mid to late twenties. This group differs from the Cyber Punks in that its motivation is more along the lines of revenge or curiosity than notoriety.

7. The Professional Criminal
Highly-trained IT experts who use their skills for financial gain. They tend never to be caught or even come to the attention of the authorities, Rogers says. These are the "hired guns" employed by organized criminal groups.

8. The Information Warrior
Motivated by patriotism, these individuals use their skills to disrupt the command and control of a rival nation. They are typically highly trained and highly skilled.

These categories have remained fairly stable since Rogers developed the taxonomy in 1999, but many subcategories are evolving all the time, Rogers says. "I expect this to develop like an ornithology, where people take the basic structure and develop taxonomies for the subgroups."

One category that has gotten a good deal of attention from researchers is the Internal group, which has been difficult to study because of companies' reluctance to share information about insider threats and break-ins. Several researchers have published studies on the topic in the last two years.

The Secret Service and Carnegie Mellon University in 2005 released a paper that says there are no common demographics among insiders who damage or steal customer data, but there are indicators of risk.

Thirty-three percent of subjects were perceived by management as 'difficult,' and 19 percent were viewed as disgruntled by other employees. Twenty-seven percent had come to the attention of a supervisor or a co-worker for behavior concerns, and another 27 percent had prior arrests, the study says. While 42 percent of those motivated by greed were female, only 4 percent of those motivated by disgruntlement were female.

In a study published last year, Eric Shaw, a professor at George Washington University, reported that most of the insiders they studied displayed four basic traits: a history of negative social and personal experience; a lack of social skills; a sense of entitlement; and ethical flexibility. These traits, combined with a right stress factors and opportunities, can lead to a higher incidence of insider attacks, he said.

But such studies may overlook the more frequent instance of accidental security exposure from inside the company. In a study being published today, MessageLabs found that the "devils" in most companies are not those that intentionally steal or damage company data, but who expose it to outsiders by breaking company security protocols.

According to MessageLabs, the danger comes from young, tech-savvy junior-level sales types who are under pressure to meet their quotas.

"The problem is that the more you lock down your systems, the less usable they become," notes Paul Wood, senior analyst at MessageLabs. "These people are under pressure to meet their objectives -- they are moving quickly and they don't have time for systems that aren't usable. So they'll use their technical skills to find a way around the policy."

These company "devils" are natural multi-taskers who will use any means necessary to get their jobs done -- including IM, wireless, VOIP, and email -- from any access point, and without regard for security policy, Wood explained. Their intent is not malicious, but they may create avenues for security breach without knowing it, he says.

— Tim Wilson, Site Editor, Dark Reading

Google: Advance Search

2007-02-20T00:57:00.000+08:00

Here's one of those videos on how to use google, pretty much basic but informative. Download video here.

The term "googledork" was coined by the author and originally meant "An inept or foolish person as revealed by Google." After a great deal of media attention, the term came to describe those who "troll the Internet for confidential goods." Either description is fine, really. What matters is that the term googledork conveys the concept that sensitive stuff is on the web, and Google can help you find it.

more information on googledorks

www.auction.ph

2007-02-15T23:43:00.000+08:00

check em out:

Auction.ph is giving away Php 30 Million worth of e-money to its members, making it the biggest online promo in the Philippines...

...Everyday, thirty (30) members shall win Php 3,000 worth of e-money. In the last seven (7) days, one thousand (1,000) winners shall be drawn daily. To start-off, ninety (90) lucky e-coupons will be drawn on August 28.

few days back,my girlfriend just won Php 3,000 worth of e-money. ^_^

http://www.auction.ph

SMART's MyISP

2007-02-09T16:40:00.000+08:00

PHILIPPINES, probably you guys have already heard about SMART's MyISP promo.

MyISPLoad is an internet SMS prepaid load system, wherein the user will no longer need to go to a retailer to buy internet credits. The user will just have to key in the keyword “Myisp” and send to “483″ for the service to be availed of by the customer; the corresponding username and password to be provided will be sent to the designated destination mobile number. The mobile subscriber SIM card of the one who sent the message will be debited the corresponding amount.

I believe that the promo is long dead already and only a few people know about this, but guess what; although not advertised anymore, it is still up and it is still vulnerable to shall I say fraud request for ISP accounts.

Summary, you key in myisp and send to 483 and after which you will receive the account information. It will then deduct PHP20 from your load and PHP1 for the sending out the request. The account will expire in 5 days unused and 24 hours once used.

For Dial-up Numbers text Myisp dialup to 483
For Contact Numbers text Myisp contact to 483
For Myisp keywords text Myisp help to 483

Good as FREE ISP?

I know this will sound ridiculous but sending the request multiple times and fast enough will trick the server and will give you as many accounts as you can send. In some case, the server is even tricked in sending out as many as 30 plus accounts (my record). This works best in phones having a "send to many option". The faster you can send, the more accounts you will get.

PHP20 more or so and you get a week's internet connection, you spend around less than a hundred for a month’s internet? Talk about savings. Back then (college years) I average around 8 accounts per request, thats more than enough for a week, I give out the extra accounts to friends.

Although broadband internet connections are getting cheaper today, dial up connections are till quiet useful for those who can’t afford.

FAQs on Egunge

2007-02-09T12:01:00.000+08:00

What is Egunge?

According to www.slangsite.com, Egunge is the disgusting detritus that falls out when you tip your computer keyboard upside down.

Why call the blog Egunge?

I think its a cool name. ('c',)

What is the blog all about?

Basically, anything under IT and whatever I can think of ^_^ , views, opinions, some tips, this and that on stuff in relation to information technology and of course, as much as possible keep it LEGAL. I dont want to get "account suspended" and start all over again!

Are your contents or posts worth reading?

I dont claim professional ideologies or comments on whatever I posts. Contents mentioned or posted in here are property and copyright of their respective owners, provided for educational or for entertainment purposes only.

Who are you?

Hmmm...so far, a jobless IT undergrad who has all the time in the world to blog.