Tuesday, December 30, 2008

Pak hacker attacks E Rlys site, threatens cyber war on India.

In the first instance of a cyber attack on Indian government websites, the attack on the Eastern Railways site on Wednesday exposed the vulnerability of government websites in the country.

SBI shuts website after hackers break in!

The State Bank of India, the country’s largest bank, has had to shut down its corporate website after overseas hackers tried to break in.

While the bank said that transactions took place through www.onlinesbi.com, a senior SBI source said that the transactions were slow as the entire system was under watch.

The country’s largest bank decided to shut down its corporate website www.sbi.co.in on Wednesday evening when hackers blocked some of the pages. The bank also noticed unusually high traffic on its website on Wednesday.

Read more: http://www.business-standard.com/india/storypage.php?autono=344523


Monday, December 29, 2008

Frame Injection in Google!!

A frame injection attack is an attack on Internet Explorer 5, Internet Explorer 6 and Internet Explorer 7 that loads arbitrary code in the browser. It is caused by Internet Explorer not checking the destination of the resulting frame, which allows arbitrary code such as JavaScript or VBScript to be loaded. Frame injection also occurs when code is injected through frames because scripts do not validate their input. This second type of frame injection affects all browsers and any script that does not validate untrusted input.

Check out the link below, on which it worked.
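The second kind of frame injection described above comes from a script placing untrusted input into a frame destination. The following is an added example, not code from the original post, of validating such input before it reaches an `iframe`'s `src`; the host names, the allowlist and the function names are constructed for illustration.

```javascript
// Allowlist check for a frame destination taken from untrusted input
// (for example a query-string parameter). All hosts here are constructed.
const ALLOWED_ORIGINS = new Set([
  "https://app.example",
  "https://help.app.example",
]);
const BASE = "https://app.example/";

// Returns a normalized absolute URL that is safe to use as a frame
// destination, or null if the input must be rejected.
function safeFrameTarget(raw, base = BASE, allowed = ALLOWED_ORIGINS) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return null;
  }
  let url;
  try {
    // Parse exactly the way the browser will, so that tricks such as
    // "//host", "\\host" or embedded tabs are resolved before checking.
    url = new URL(raw, base);
  } catch {
    return null;
  }
  // Rejects javascript:, vbscript:, data: and plain http: destinations.
  if (url.protocol !== "https:") return null;
  // "https://app.example@other.host/" carries userinfo; refuse it outright.
  if (url.username || url.password) return null;
  // Compare the parsed origin, never a substring of the raw input.
  if (!allowed.has(url.origin)) return null;
  return url.href;
}

// Caller-side helper: fall back to a fixed page instead of framing
// whatever the request asked for.
function frameSrcFor(raw, fallback = BASE + "home") {
  return safeFrameTarget(raw) ?? fallback;
}
```

The check runs on the parsed URL rather than the raw string, so encodings that a string comparison would miss are resolved before the origin is compared.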

Saturday, December 27, 2008

The Five Coolest Hacks Of 2008!!!

Have a look at five of the coolest hacks covered at Dark Reading in 2008 -- unusual and sometimes off-the-wall vulnerabilities that were exposed and exploited this past year by researchers who, driven by their curiosity and imagination, had some fun (possibly at your expense), but all for the ultimate purpose of making daily life more secure. So read more about this at the link given below -- and don't stop looking over your shoulder. Cheers!!!

Computer Security's Six Most Important Words Of 2008

Well, if you must know, 2008 was a year of tectonic shifts in IT security. The technologies changed, the economy changed, and the role of security changed. Even the people who make the laws about security changed. You could hardly swing a dead server without hitting some major security-shifting event, and most of those events will continue to have repercussions throughout the new year.

If you need somebody to spell it out for you, Dark Reading can do it!!! Let's look more closely at the six words and what they meant for security in the past year at the link given below.

http://www.darkreading.com/security/management/showArticle.jhtml?articleID=212501928&pgno=2&queryText=&isPrev=

Tuesday, December 23, 2008

2008's biggest tech crime stories!

As the year 2008 draws to a close, here are some of the biggest IT-related crimes, which I chanced upon on the Network World site.

Thursday, December 18, 2008

OWASP Testing Guide V 3.0 is available now!

The Open Web Application Security Project (OWASP) is a worldwide free and open community focused on improving the security of application software. The OWASP team's mission is to make application security "visible," so that people and organizations can make informed decisions about application security risks. Everyone is free to participate in OWASP, and all OWASP materials are available under a free and open software license.

To download the latest version (V 3.0) of the OWASP Testing Guide, click on the link below:

http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf

 

Fix for unpatched Internet Explorer flaw

The fix for the issue in my previous blog post related to Internet Explorer has been released.

The patch details and download information can be found at:

http://www.microsoft.com/technet/security/bulletin/MS08-078.mspx

American Express web bug exposes card holders!

XSS: Entrenched since November 2008

A glaring vulnerability on the American Express website has unnecessarily put visitors at risk for more than two weeks and violates industry regulations governing credit card companies, a security researcher says.
Among other things, the cross-site scripting (XSS) error on americanexpress.com allows attackers to steal users' authentication cookies, which are used to validate American Express customers after they enter their login credentials.
For more information related to this XSS attack, refer to the link below:

Wednesday, December 17, 2008

Unpatched Internet Explorer Flaw Allows Attacks!!!

A security flaw in all versions of Microsoft's Internet Explorer leaves users wide open for attack, with millions of computers already infected. Microsoft did not say when a patch might be available. Simply opening a Web page in IE can infect an unprotected computer. Proper security protection, not a browser switch, is the best defense.
The exploit doesn't require users to click on links or download software from the Internet. Rather, it infects users when they open a Web page. The goal is to steal passwords, according to security experts, gain access to financial data and otherwise steal the victim's identity.

To know more about this, refer to:

Wednesday, November 19, 2008

Metasploit Framework 3.2 Released

The Metasploit Project announced today the free, world-wide availability of version 3.2 of their exploit development and attack framework. The latest version is provided under a true open source software license (BSD) and is backed by a community-based development team.

Metasploit runs on all modern operating systems, including Linux, Windows, Mac OS X, and most flavors of BSD. Metasploit has been used on a wide range of hardware platforms, from massive Unix mainframes to the iPhone. Users can access Metasploit using the tab-completing console interface, the Gtk GUI, the command line scripting interface, or the AJAX-enabled web interface. The Windows version of Metasploit includes all software dependencies and a selection of useful networking tools.


The latest version of the Metasploit Framework, as well as screen shots, video demonstrations, documentation and installation instructions for many platforms, can be found online at:

http://metasploit.com/framework/

Friday, November 14, 2008

Social Engineering: 8 Common Tactics

Most articles I’ve read on the topic of social engineering begin with some sort of definition like “the art and science of getting people to comply to your wishes”, “an outside hacker’s use of psychological tricks on legitimate users of a computer system, in order to obtain information he needs to gain access to the system”, or “getting needed information (for example, a password) from a person rather than breaking into a system”. In reality, social engineering can be any and all of these things, depending upon where you sit. The one thing that everyone seems to agree upon is that social engineering is generally a hacker’s clever manipulation of the natural human tendency to trust. The hacker’s goal is to obtain information that will allow him/her to gain unauthorized access to a valued system and the information that resides on that system.

Security is all about trust. Trust in protection and authenticity. Generally agreed upon as the weakest link in the security chain, the natural human willingness to accept someone at his or her word leaves many of us vulnerable to attack. Many experienced security experts emphasize this fact. No matter how many articles are published about network holes, patches, and firewalls, we can only reduce the threat so much... and then it’s up to Maggie in accounting or her friend, Will, dialing in from a remote site, to keep the corporate network secured.

I was searching for some information related to social engineering on the net. I found some good, interesting social engineering tactics at networkworld.com (a very good site, which I normally refer to in order to update myself). Thought of sharing with you guys...

Click on the link below to get an idea of the most prevalent social engineering tricks used by phone, e-mail and Web.

http://www.networkworld.com/news/2008/110608-social-engineering-eight-common.html

Tuesday, November 11, 2008

Three Plead Guilty in $2 Million Citibank ATM Caper

Three New Yorkers accused of using hacked Citibank ATM card numbers and PINs to steal $2 million from customer accounts in four months have pleaded guilty to federal conspiracy and access device fraud charges.
The defendants -- Ivan Biltse, Angelina Kitaeva and Yuriy Rakushchynets, aka Yuriy Ryabinin -- are among 10 suspects charged earlier this year in connection with a breach of a server that processes ATM transactions from 7-Eleven convenience stores. Those ATMs are branded Citibank, but they're owned by Houston-based Cardtronics.

For more information visit:

Wednesday, November 5, 2008

Social Engineering - Palin Tricked Into Chat With Canadian Comic Posing as Sarkozy!

Republican vice presidential candidate Sarah Palin was tricked by two Canadian comedians into thinking she was having a telephone conversation with French President Nicolas Sarkozy.
The conversation, posted on the Internet, ranges from American politics to the perils of hunting with Vice President Dick Cheney, who accidentally shot and injured a hunting companion in 2006.
Comedian Marc-Antoine Audette, masquerading as Sarkozy, suggested he and Palin go hunting together, perhaps by helicopter. Palin said she would be "a careful shot."
The McCain campaign confirmed the telephone call. "C'est la vie," said Palin spokeswoman Tracey Schmitt.
Palin was "mildly amused to learn that she had joined the ranks of heads of state, including President Sarkozy, and other celebrities in being targeted by these pranksters," said Schmitt.
Audette asked Palin if Joe the Plumber was her husband, and she replied that, no, her husband was a "normal American who works hard and doesn't want the government to take his money," according to the audio.

Courtesy: Bloomberg

http://www.bloomberg.com/apps/news?pid=20601087&sid=aWvdSt1G3ztU

Wednesday, October 29, 2008

Web-Harvest - Open Source Web Data Extraction tool

Web-Harvest is an open source Web data extraction tool written in Java. It offers a way to collect desired Web pages and extract useful data from them. In order to do that, it leverages well-established techniques and technologies for text/XML manipulation such as XSLT, XQuery and regular expressions. Web-Harvest mainly focuses on HTML/XML-based web sites, which still make up the vast majority of Web content. On the other hand, it can easily be supplemented by custom Java libraries in order to augment its extraction capabilities.
Source:
http://web-harvest.sourceforge.net