XSS and CSS : Whats the difference ?

I often used to read XSS and CSS being read in the same context when i knew that CSS stands for Cascading Style Sheets.There has been a lot of mixing up of Cascading Style Sheets (CSS) and cross site scripting. But actually when people are speaking of CSS in context of Cross site scripting what they actually mean is XSS only....its the same.....

CYBER SECURITY : ACTIVE ATTACKS

An active attack involves probing the netwrok to discover individual hosts to confirm the information gathered in the passive attack phase.A lsit of tools i recently read are listed below for info.These are small but great tools for experimenting....m doing it on a VMware machine......

arphound

arping

bing

bugtraq

dig

dnstracer

dsniff

filesnarf

findsmb

fping

fragroute

fragtest

hackbot

hmap

hping

httping

hunt

libwhisker

mailsnarf

msgsnarf

nbtscan

nessus

netcat

nikto

nmap

pathchar

ping

scanssh

smbclient

smtpscan

tcpdump

tcpreplay

thcamap

traceroute

urlsnarf

xprobe2

HDFC CLEAN BOWLED by Hidden SQL Injection Vulnerability

1.  Howoften do we find ourselves getting irritated with the constant reminders from banks to change passwords every 15 days...to include few small cases,few caps,few numbers and few special characters and more often then not 40% of the account holders forget keeping a tab on what was the last password.....Inspite of heavy claims by most of the banks that they have the highly secured banking netwrok here comes a boomrang for HDFC...inspite of ample number of warnings by zSecure , a firm committed in providing comprehensive and cost-effective Penetration Testing services Networks, Servers and Web application,HDFC had no inkling of what they were warned about and what was supposed to be done....simply banking on some third party solution and getting into a SURRENDER SITUATION.....the story goes like this

HDFC was warned about Hidden SQL Injection Vulnerability by the firm ZSECURE.The subject vulnerability was discovered on 15-July-2011 and was reported on 17-July-2011 (reminder sent on 24-July-2011). The HDFC Bank’s team took around 22 days to respond to our e-mail and their first response came on 08-August-2011 with a message:

“Thank you for sending us this information on the critical vulnerability. We have remediated the same.“

After their e-mail, we again checked the status of said vulnerability and found that the vulnerability was still active on their web portal. We immediately replied to their email with additional proof of vulnerability and asked them to fix the same asap. Later on, after 2 days we again received an e-mail from their team with a message:

“We have remediated all the vulnerability reported on our website. Also we have got the application vulnerability assessment performed through one of our third party service provider and they confirmed that there are no more SQL Injection vulnerability.“

Their above response left us with an unexpected surprise. We were not able to believe that such a big organization doesn’t have proper vulnerability assessment in place because we already reported the vulnerability to them and even after conducting vulnerability assessment from a third party (as claimed) they were not able to find the active vulnerability in their web-portal.Thereafter, we sent complete inputs about the vulnerability to their security team and finally the vulnerable file was removed from HDFC’s web-server.

2.  The story goes on to confirm how much vulnerable we all are to such holes.Not blaming the bank singly,but the policies and the measures supposed to be taken and adopted have no firm policies on date.It is entirely left to the third party dependency solution....its high time for all banks to constantly take measures and keep itself updated to all new vulnerabilities hanging around......

3.  Thanks http://www.zsecure.net

CHINA CAUGHT ON WRONG FOOT in its own MARCH

1. Across the globe ,across all the cyber attacks investigated one thing that comes out common is the source of attack ie CHINA.As always China has been always denying all claims and has been doing reverse propoganda of actually deep rooted spoofing and involvement of other countries.But recently it was caught on the wrong foot in front of the international nietizens....

2.   Below is the extract straight from FEDERAL COMPUTING WEEK penned as China provides smoking gun against itself in cyberattacks by John Breeden II

" But now, thanks to China itself, I have proof that the People’s Liberation Army does attack the United States, and likely does so on a regular basis.

China’s claims of innocence have come crashing down because of an apparent mistake in editing in a documentary on the country’s own state TV that should never have gone live. The PLA presentation demonstrated its military capabilities. Amid all the tanks and planes, the propaganda piece showed a mere four seconds inside the group's cyber warfare center.Without narration, one has to think that the cybersecurity part of the piece was only put into the video by accident, a technical background shot placed between segments for a bit of extra color. However, those four seconds are both telling and damning to the Chinese lie that they don’t attack the United States.

Here is the incredible part: During those four seconds, we clearly see a Chinese soldier use a drop-down list to choose from preset target websites around the world. Then he actually attacks a website in Alabama.

In this case, the website was setup to support Falun Gong, a spiritual movement outlawed in China that practices meditation and a philosophy that emphasizes moral responsibility.

Even though all the targets shown in the four-second video were Falun Gong sites around the world, the fact that they were in a drop-down menu is telling and appalling. You don’t set up drop-down menus with attack buttons unless you plan to use them. And the Chinese military did push the attack button in the video, so apparently it has no problem pulling the trigger.

So to all you people who wanted to know where my smoking gun was, watch the video. It’s clear to me that we are under attack from China right now.

It’s time for China to own up to what it is doing. Or it’s time for the United States to do something about it."

3. The video link is shown below for info of all.Watch it carefully!!!!

4. Thanks http://fcw.com

touched........20,000

thanks 2 all visitors.....

Now Aerial cyber attack!!!!r u safe anyway?

"Imagine sitting in a cofee house with your laptop and chatting with your dear friend.....and then calling a friend on your phone and then paying your bill and moving out for ur regular work"

1.    Now imagine some thing u never imagined.....all what you chatted and all what you spoke on phone in the cafe house is compromised....all saved at a location unknown to you....

2.    Two security professionals proved as much at the Black Hat cybersecurity convention in Las Vegas.This has been made possible after investing a few thousand bucks, a tool box and some technical skill like these two security professionals,Richard Perkins and Mike Tassey have done.These two guys have assembled a small, unmanned airplane that is capable of some truly remarkable and potentially disastrous hacks.

3.    Perkins is a security engineer supporting the U.S. government and Tassey is a security consultant for Wall Street firms. But after work, the long-time buddies would take off their cyber attack prevention hats, put on their evil hacker thinking caps, and build their airplane in Perkins' garage.

4.    The plane can wreak lots of havoc.

- For instance, it can fly over a Starbucks (SBUX, Fortune 500) and steal the personal information of everyone connected to the coffee shop's free Wi-Fi network. It can intercept your cell phone conversations and even reroute your calls to another number. It can trace the location of specific people and follow them home.

- Perkins and Tassey spent a total of just $6,190 to build the plane. They made a point to keep it relatively cheap and to buy components that were readily available to prove that literally anyone could make one."You don't need a Ph.D. from MIT to do this," said Perkins. "There are no custom parts, it was fabricated using hand tools, and very little coding is required. All you need is dedicated people."

5.    Thanks CNN

IBM developing PCs that may run 30 times faster

1.   A one-atom-thick layer of carbon has currently become the focus of interest of IBM and the U.S. military to build computers that function at near the speed of light.

2.  The focus is actually based on GRAPHENE, the thinnest and toughest material ever produced, that conducts electricity, a breakthrough that opens the door to its use in digital electronics

3.   Some key finding on GRAPHINE :

- Graphene is the basic structural element of some carbon allotropes including graphite, charcoal, carbon nanotubes and fullerenes.

- Graphene conducts electricity 30 times faster than silicon -- approaching the speed of light

- Until recently, use of graphene was limited to development of more-efficient batteries and foldable touch screens.

- Nokia, the world’s largest maker of mobile phones by volume, is investigating the material’s potential use in cell phones, touch screens, and printed electronics. 

- Graphene’s flexibility and strength is astonishingly 300 times tougher than steel - may lead to the Nokia Morph, the first foldable phone.

- “With a graphene battery the same amount of weight and volume as a current one, you could drive 300 miles instead of 100,” said Yuegang Zhang, a principal investigator at the lab. 

- Graphene has the ideal properties to be an excellent component of integrated circuits. Graphene has a high carrier mobility, as well as low noise, allowing it to be used as the channel in a FET.

4.     Thanks Wiki and electroiq

JAVA SE DEVELOPMENT KIT NOT FOUND!!!!

1.   On way to experiment with android application with the stand SDK toolkit....i got messed up with the installation procedure so much that i thought of just leaving it..... in spite of all java installed  i got this screen.....

2.   I read all trouble shoots of on JAVA site.....some diverted me to registry editors and what not.......till i got the correct answer...simply click BACK and then NEXT again......khatam...thats the end of it.....

ANDROID APPLICATIONS CLONED : Developers make it spam

1.    The latest to add on to the growing web of spams is repackaged android applications.....though till now most of the descried repackaged applications are not reported to have any malicious code in them and also like the genuine ones they are also made available for free. These effected applications have the same module as the original, but include an advertisement module ,thus developers of these apps try making money off the clicks on the advertisements.

2.   The thing is easy on part of the developers since it is easier on thier part to just fiddle with original Android apps which are written in Java and are, therefore, easily cloned.....

3.   Thanks www.f-secure.com

Your VOICE to charge your MOBILE

1.     Amazing as it may sound reading.....but here is the way thats gonna please us all to get resolved on issues of mobile charging...so many times it has happened that on our way out either we think the mobile is fully charged or when we talk too much on phone.....or just when one small query will resolve us of a standing problem...the mobile goes offffff......problem : MOBILE BATTERY IS DRAINED ....no more.....please read ahead for brief details on the subject....

2.   The new technique developed by Korean engineers for turning sound into electricity - technology that could allow cell phones to be charged while users chat(...bak bakk).Thus Phones equipt with the technology could generate power from any kind of background noise — meaning the phone could be charging even when you’re not speaking directly into the phone. The need to carry around an outlet charger could be supplanted by time spent listening to music, or perhaps even the sound of the wind roaring past your car window.The technology is made possible by tiny strands of zinc oxide that are sandwiched between two electrodes. As a sound-absorbing pad atop the device vibrates to ambient noise, causing the zinc oxide wires to compress and release. This movement is what generates the electrical current.A prototype has already converted sound of about 100 decibels into about 50 millivolts of electricity. That’s not enough to charge a phone, but it’s an encouraging test, and researchers are optimistic that the technology could soon be developed into something more powerful.

3. Thanks http://blogs.forbes.com/  and http://inhabitat.com