World Cyber News is an online news medium. We bring you the day's hottest news from around the world related to cyber. We propagate news especially related to hacking, technology updates and cyber world updates.

Tuesday, April 12, 2011

Submit News

12:27 AM Posted by Administrator
We are the "World Cyber News Organization". Our team collects information, resources and the best hackers of the world. Please support us. All hacker friends, please email us (worldcybernews@yahoo.com) about yourself, your websites, your aims, your skills and your achievements. We are making documentary movies on every hacker. Articles sent by you will also be published on our official news site: http://www.worldcybernews.com/

News Article Format

1.) Title
2.) Description
3.) Article + Suitable Images + Links
4.) Source Link (If any)
5.) Submitted By ( Name + website link + Codename )


Email us your article as an MS Word file attachment to: worldcybernews@yahoo.com


Barracuda Networks Hacking via SQL Injection !

12:02 AM Posted by Administrator
Barracuda Networks Inc. combines premises-based gateways and software, virtual appliances, cloud services, and sophisticated remote support to deliver comprehensive content security, data protection and application delivery solutions. The company’s expansive product portfolio includes offerings for protection against email, Web and IM threats as well as products that improve application delivery and network access, message archiving, backup and data protection.
Barracuda Networks' product portfolio includes: Barracuda Spam & Virus Firewall, Barracuda Web Filter, Barracuda IM Firewall, Barracuda Web Application Firewall, Barracuda SSL VPN, Barracuda Load Balancer, Barracuda Link Balancer, Barracuda Message Archiver, Barracuda Backup Service, and the BarracudaWare software portfolio. Combining its own award-winning technology with powerful open source software, Barracuda Networks solutions deliver easy-to-use, comprehensive security, networking, and data protection products. Barracuda Central, an advanced 24x7 operations center, manages data centers for all service-based offerings and works to continuously monitor and block the latest Internet threats.
LIST OF DATABASES:
new_barracuda
information_schema
Marketing
barracuda
black_ips
buniversity
bware
co-op
collections
cuda_car
cuda_stats
dev_new_barracuda
igivetest
igivetest_bk1_aug10
igivetestsucks
kb_solutions
leads
mysql
new_barracuda
new_barracuda_archive
php_live_chat
phpmyadmin

DB NAME: NEW_BARRACUDA
TABLE NAME: DEAL_REG
DATA COUNT: Count(*) of new_barracuda.deal_reg is 17549
SAMPLE DATA: (not reproduced)

DB NAME: NEW_BARRACUDA
TABLE NAME: CMS_LOGINS
DATA COUNT: Count(*) of new_barracuda.cms_logins is 251
DATA: (not reproduced)

DB NAME: NEW_BARRACUDA
TABLE NAME: BUNIVERSITY_USERS
DATA COUNT: Count(*) of new_barracuda.buniversity_users is 35
DATA: (not reproduced)

DB NAME: MYSQL
TABLE NAME: USER
DATA COUNT: Count(*) of mysql.user is 23
DATA: (not reproduced)

DB NAME: PHP_LIVE_CHAT
TABLE NAME: CHAT_ADMIN
DATA COUNT: Count(*) of php_live_chat.chat_admin is 30
DATA: (not reproduced)
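The post above reports the compromise as an SQL injection but shows only the resulting database listing, not the defect class behind it. As an added example that is not from the original post and not Barracuda's code, the following Python script places the defect beside its fix: a login lookup built by string concatenation next to the same lookup with a bound parameter, plus an allowlist check on the field as defence in depth. The table name cms_logins is borrowed from the listing above only as a label; the schema, the rows, the hostile input and all function names are constructed for this example.

```python
import re
import sqlite3

# Constructed sample data: the table name echoes the post's listing, but
# every row here is made up for the example.
SAMPLE_ROWS = [
    ("alice", "pbkdf2-sha256$placeholder-hash-1"),
    ("bob", "pbkdf2-sha256$placeholder-hash-2"),
    ("carol", "pbkdf2-sha256$placeholder-hash-3"),
]


def make_db():
    """In-memory SQLite database with a minimal cms_logins table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cms_logins (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO cms_logins VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The defect: the statement is assembled by string concatenation, so
    whatever the caller types becomes part of the SQL grammar."""
    sql = "SELECT username FROM cms_logins WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """The fix: the statement text is fixed and the value travels as a bound
    parameter, so it can never change the structure of the query."""
    sql = "SELECT username FROM cms_logins WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Defence in depth: the field has a known shape, so reject anything else
# (quotes, spaces, SQL keywords) before any query is built at all.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def is_valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None


def demo():
    """Run both lookups against an honest and a hostile input and return the
    outcomes so the difference can be checked programmatically."""
    conn = make_db()
    honest = "alice"
    hostile = "x' OR '1'='1"   # constructed: turns the WHERE clause into a tautology
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_hostile": sorted(lookup_vulnerable(conn, hostile)),
        "parameterized_honest": lookup_parameterized(conn, honest),
        "parameterized_hostile": lookup_parameterized(conn, hostile),
        "hostile_passes_allowlist": is_valid_username(hostile),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated version returns every row for the hostile input because the input rewrote the predicate; the parameterized version returns nothing because the database compared the literal string. A web application firewall or input filter in front of the concatenating code is a mitigation, not a fix; the bound parameter is what removes the class of bug.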

Monday, April 11, 2011

Defend Your Applications

11:22 PM Posted by Administrator
Information technology continues to evolve rapidly, and as dependence on Internet technology increases, so do the risks to information systems. As such, information security professionals are required to stay up to date on the latest security technologies, threats and remediation strategies.
EC-Council's Center of Advanced Security Training (CAST) was created to address the need for highly technical and advanced security training for information security professionals.
CAST First Look Training Series

As part of the launch of CAST, we are pleased to present a First Look training series that will give an insight into the following programs, where we invite the authors of the respective courses to conduct a "LIVE" online training on a selected module from the program.


This highly technical and intensive course will center on thwarting attackers by understanding how to write your code defensively. Participants will learn new techniques for hardening an application from within. We will actually be attacking applications from the web, off-the-shelf binary applications, and popular runtimes such as .NET, Java and even Adobe AIR (in a legal and ethical way), learning where mistakes were made and ensuring our own house is in order and we don't have these same faults internally. Read more.

Apr 7, 2011 - 9:00 A.M - 10:30 A.M (EDT)
register here
Instructor: Tim Pierson


Topic: Programming To Defend Against Cryptographic Errors
In this training, you will understand how SSL can help or hurt a programmer. Understand what a certificate revocation list is and, if you think your library implements it ... think again. Also learn how Compelled Certificate Injection can be circumvented. Poland, the Russian Government and the Hong Kong post office can all watch our every move, and we'll most likely never know it!

I usually ask 2 questions before a pen test. 1. Can I see your programmers'/system admin's office? After a few strange looks they lead me to right outside the door. If I see papers all over the desk and floor, coming out of the drawers etc., I usually turn to the prospective client and nod: "Yeah, I can get in."

Question 2 from me to the person who hired me: "Did you have an application that was written to be used internally, but it turned out to be so popular you were asked to put it out for your business partners or customers to use?" If again the answer comes back in the affirmative, I would again simply state: "Yeah, I can get in."


A highly technical and intensive course that focuses on attacking and defending highly secured environments. These environments simulate those found in government agencies and large corporations. In APT, you will learn how to attack new operating systems such as Windows Vista, Windows 7, Windows Server 2008, and the latest Linux servers, all patched and hardened. Both network- and host-based Intrusion Detection/Prevention Systems (IDS/IPS) will be in place as well. Read more.

Apr 13, 2011 - 10:00 A.M - 12:00 A.M (EDT)
register here
Instructor: Joe McCray


Topic: SQL Injection To A Command Shell
In this training, you will learn how to probe a website to determine whether it is vulnerable to SQL injection, and go all the way to actually getting a command shell on the host. This will be achieved using both SQLiX and SQLNinja.

Special Promotion! Sign up for any of the CAST training at TakeDownCon Dallas and get a FREE iPad 2!


For more information about CAST, please visit: http://www.eccouncil.org/CAST

Keeping your Third-Party Service Provider in Line

11:12 PM Posted by Administrator
Wouldn't it have been prudent on Epsilon's part to have encrypted email addresses and client names on the off chance that its systems could have been breached? After all, the conventional wisdom among IT security professionals now is that it's not a question of if your systems will be breached, but when. Perhaps Epsilon, like other third-party service providers, is doing just what's needed under the law, and it's the laws that need revision.
It seems that every time we turn around, another major security breach has occurred.
The latest was the data breach at Epsilon, which manages customer databases and provides third-party email marketing services to 2,500 corporate clients, including some of America's biggest firms.
That breach has led to the loss of client data at more than 50 major companies, including the Hilton hotel chain, Victoria's Secret and Verizon.
It could endanger millions of consumers, who can now be targeted directly by hackers using spearphishing techniques such as the one that successfully cracked the defenses of IT security giant RSA.
The potential fallout for Epsilon clients is huge. They could not only lose money, but also may suffer from bad publicity, lawsuits filed by angry consumers, and the scrutiny of authorities.
What can corporations outsourcing various services to third-party providers do to protect themselves -- or at least try to ensure that the best security tools available are being used to safeguard their customers?

The Epsilon Caper

It's not yet known how Epsilon's systems were breached; neither the company nor its parent, Alliance Data, is disclosing any details.
Epsilon posted a notification on its website April 1, stating that it had detected a breach of its email systems March 30, and that only email addresses and customer names were stolen.
On Wednesday, Alliance Data confirmed on its website that only customer names and email addresses were stolen from Epsilon's systems.
About 2 percent of Epsilon's total client base was impacted, Alliance Data said. Epsilon has about 2,500 clients.
Epsilon spokesperson Jessica Simon declined to comment further to TechNewsWorld on the issue.

Questions Raised by the Breach

Given that many corporations are outsourcing various services to cut costs, the breach at Epsilon gives rise to many questions, David Meizlik, director of product and marketing communications at Websense, told TechNewsWorld.
These include what controls Epsilon had put in place to protect its data, what controls it was contractually obligated to have in place, what data it had that it shouldn't have had, how the breach occurred, and how it was detected, according to Meizlik.
"These questions and many more will likely be the basis of many chief security officer discussions in the years to come," he remarked.

Risky Business

"Third parties like Epsilon don't ensure adequate protection," Ulf Mattsson, chief technology officer of Protegrity, told TechNewsWorld. "That became apparent when Epsilon declined to answer why the email addresses were not encrypted."
"The states here in the U.S. currently have data breach notification laws in place and do establish the need for encryption, but they fail to specify what type of encryption or other security measures are adequate," Mattsson pointed out.
That leaves things open to interpretation, with possibly disastrous results.
"An organization may believe that its security solution complies with various laws and regulations, only to find out after a security breach that this is not the case," Mattsson said.

Dealing With Service Providers

Companies outsourcing functions to third-party service providers should have service level agreements that ensure the data being shared is being protected by the strongest measures appropriate to the level of sensitivity of that data, Meizlik suggested.
Specific criteria for what that protection includes should also be defined as part of the agreement. Some service providers and cloud platforms let clients restrict access to their data, he said.
However, companies must first have controls in place in-house to ensure that only the right data is being exported, Meizlik warned. Further, they should conduct audits periodically and oversee security to ensure it's current.

Looking to the Payment Card Industry

Businesses could look to the Payment Card Industry Data Security Standards, or PCI DSS for guidance, Protegrity's Mattsson stated.
Administered by the PCI Security Standards Council, PCI DSS adopts technologies such as tokenization, modern encryption approaches such as formatted encryption, and models for point-to-point-encryption, Mattsson noted.
The PCI DSS standards "represent a good best practice set of criteria for industries where data protection is critical," Julian Lovelock, senior director of product marketing at Actividentity, told TechNewsWorld.
The PCI Security Standards Council has certified Quality Security Assessors to audit companies against PCI DSS guidelines.

Managing the User

Further, corporations should ensure both they, and their third-party service providers, work to enforce security and help staff understand it better.
"Organizations trust internal people, but trust should not be a policy," warned Protegrity's Mattsson.
In addition to enforcing security rules, corporations should invest in training staff on security.
"Continuous, periodic training is the only way to bring down users' vulnerability and keep them at an acceptable level," Rohyt Belani, CEO at PhishMe, told TechNewsWorld.
That has to be combined with the technology to identify advanced malware and the ability to respond quickly to breaches, Belani added.

Source: TechNewsWorld

Draft Cyber Security Policy Stresses on Local IT Products

11:04 PM Posted by Administrator
NEW DELHI: The government has issued a draft of the proposed National Cyber Security Policy (NCSP), which identifies indigenous development of IT products as essential for curbing threats from imported hi-tech products.

"Indigenous research and development is an essential component of national information security measures due to various reasons -- a major one being export restrictions on sophisticated products by advanced countries," the NCSP draft said.

"Second major reason for undertaking R&D is to build confidence that an imported IT security product itself does not turn out to be a veiled security threat," it said.

The draft has asked government to identify the most dangerous classes of cyber security threats to the nation, critical IT infrastructure vulnerabilities and the cyber security problems and use these findings to develop and implement a coordinated R&D effort focused on the key research needs.

The draft has even identified proprietary technologies at risk and asked for promotion of products that are based on open standard in the country.

"To minimise the risk of dependency on proprietary IT products, open standards need to be encouraged. A consortium of government and private sector needs to be created for enhancing the use of validated and certified IT products based on open standards," the draft states.

The draft has proposed creating a nationwide intranet connecting strategic installations in the country, and making the National Cyber Response Centre - Indian Computer Emergency Response Team (CERT-In) the nodal centre for monitoring this intranet.

The Department of Information Technology (DIT) is the nodal agency for the NCSP, and it has invited comments on the draft policy by May 15.

The draft was prepared by 12 key government departments, among them the National Information Board (NIB), National Crisis Management Committee (NCMC), National Security Council Secretariat (NSCS), Home Ministry, Defence Ministry and Department of Telecommunications.


Source: Times of India

Microsoft to Patch 64 Vulnerabilities in Windows, Office, Internet Explorer

10:56 PM Posted by Administrator
Microsoft will patch a record 64 vulnerabilities, unleashing 17 bulletins next week, 9 rated “critical” that address flaws in Windows and Internet Explorer.
The bulletins will be released during Microsoft Patch Tuesday on April 12. The number of bulletins ties a December 2010 record for security updates issued.
"This is a huge update and system administrators should plan for deployment, as all Windows systems, including Server 2008 and Windows 7, are affected by critical bulletins," Amol Sarwate, manager of the Qualys Inc. vulnerability research lab, wrote on the company blog. "Frequently used office applications like Excel 2003 through 2010 and PowerPoint 2002 through 2010 are also affected."
In its Advance Notification, Microsoft said it would address an MHTML protocol handler vulnerability in Windows, a flaw that it acknowledged in January. Proof-of-concept code surfaced, enabling attackers to target the vulnerability. The software giant issued a temporary workaround, which locks down the MHTML protocol, while engineers worked on a patch for the issue.
In a message on the Microsoft Security Response Center blog, Pete Voss, senior response communications manager with Microsoft Trustworthy Computing, said engineers have been testing a patch to address the issue and have been keeping customers informed.
"We alerted people to this issue with Security Advisory 2501696 (including a Fix-It that fully protected customers once downloaded) back in late January," Voss wrote. "In March, we updated the advisory to let people know we were aware of limited, targeted attacks."
In addition, Microsoft indicated it would address a flaw in the Windows Server Message Block (SMB) network and file-sharing protocol that was publicly disclosed Feb. 15. Researchers said the vulnerability could be exploited by remote attackers or malicious users to cause a denial-of-service (DoS) attack or take control of a vulnerable system.
“Microsoft assessed the situation and reported that although the vulnerability could theoretically allow remote code execution, that was extremely unlikely,” Voss wrote.  “To this day, we have seen no evidence of attacks.”
The Microsoft bulletins will be issued at 1 p.m., April 12.

After Breach at RSA, Two-Factor Authentication Options Abound

10:34 PM Posted by Administrator
A security breach involving the RSA SecurID authentication technology just weeks before the Infosecurity Europe conference is providing a boost to rival vendors of two-factor and multifactor authentication. RSA, the security division of EMC Corp., revealed March 22 that information related to its SecurID products had been stolen in a cyberattack. According to the details released two weeks ago by RSA, attackers installed a backdoor and a variant of the Poison Ivy remote administration tool, reaching out to a remote command-and-control server and navigating through RSA's sensitive systems to pilfer data.
Normally companies offering alternative two-factor authentication options might hope, at best, to pick up some of the crumbs that fall from RSA’s bountiful table of customers; this time, they see an opportunity to win over customers in larger numbers.
“We have seen a massive fallout from what has happened at RSA,” said Jason Hart, a senior vice president at Bristol-based CRYPTOCard. “On a daily basis we are getting RSA customers calling. It’s not solely about the security problem, but it has made companies look at the alternatives.”
His company plans to launch a new cloud-based authentication service at Infosecurity that can work with a range of different hardware-based tokens, as well as soft tokens and SMS messages delivered to mobile devices. “We can have 6,000 users up and running in less than 15 minutes,” Hart said, adding that the cost of the service is “less than the price of a cup of coffee per month.”
For Cambridge-based Signify, which runs a hosted authentication service based on RSA's SecurID, the main emphasis at Infosecurity will be on the value of a good service when things go wrong. CEO Dave Abraham said that when news of the RSA breach broke, calls and emails started to come in from concerned clients.
"By lunchtime on the first day, around a third of customers had got in touch to ask what they should do," he said. The company supports around 250 customers and their 65,000 users, with 85% of them using SecurID and the rest receiving one-time passwords via SMS.
He said Signify has followed RSA's advice to keep a close eye on system logs to check for conditions that might indicate an unauthorised user trying to get in, but has seen no attacks thus far. The company has also decided to obfuscate part of the serial numbers of tokens in any of the management reports it provides for clients, thereby depriving any potential attacker of vital information.
“Only a couple of our client companies have asked about switching from SecurID, although others may be looking at alternatives,” Abraham said. “One of the things we’ll be gauging at Infosecurity is whether the world has changed and RSA is no longer the market leader. Or people may see it as a blip, and see that RSA handled it pretty well.”
For Berkshire-based SecurEnvoy, the show offers an opportunity to propose an interim solution for worried SecurID customers, based on its tokenless authentication product, which uses SMS messages to deliver one-time passcodes to users’ mobile phones.
“We don’t expect people to write off [RSA's] tokens without doing some research,” said the company’s sales director Steve Watts. “At Infosec, we’ll be explaining what the RSA breach means to them, and taking them through what their options really are longer term. We’re not going to be scaremongering.”
He will be suggesting the companies sign up for SecurEnvoy’s ICE (in case of emergency) service, which would allow them to move quickly to an SMS-based service while they appraise the situation with RSA. “We can be operational on your site within an hour, and deploy to 20,000 users per hour. It can be a cloud-based service, or locally hosted,” Watts said.
The company will also be using the show to launch a soft token for iPad and iPhone, which users will be able to download and install from the Apple AppStore. In the case of this product, the device creates six-digit passcodes rather than receiving them from the central server via SMS.
Alternative approaches
One company offering an alternative approach to two-factor authentication is Huntingdon-based GridSure. Rather than sending the user a passcode, GridSure generates a matrix of numbers, usually 5 x 5, although it can be larger.
Having memorised a certain pattern on the matrix which only they know – such as an L-shape near the bottom righthand corner of the matrix – users key in the four digits that make up their secret pattern.
GridSure will be demonstrating its new GrIDsure Enterprise Login version 4, which can also be used in conjunction with common VPN platforms such as Juniper SA and Microsoft Forefront Unified Access Gateway, as well as Microsoft’s Direct Access VPN product. The company also plans to launch new versions for iPad and iPhone, downloadable from the Apple AppStore, which will allow those devices to use pattern-based authentication.
GridSure will be facing competition from newcomer Winfrasoft, however, which is launching its own pattern-based authentication product, called pin+, which works on a 6 x 6 matrix.
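The pattern-based scheme described above, modelled as an added Python example that is not GridSure's or Winfrasoft's code: the server issues a fresh grid of random digits for each login attempt, the user answers with the digits sitting under the cells of their memorised pattern, and the server compares that answer with what the enrolled pattern predicts. The class and function names, the enrolled user and the L-shaped sample pattern are all constructed for this example; the grid size is a parameter, so it also covers the larger matrices the post mentions.

```python
import hmac
import secrets

GRID_SIZE = 5        # the post's usual 5 x 5 grid; larger sizes also work
PATTERN_LENGTH = 4   # the user types the four digits under their pattern


def make_challenge_grid(size=GRID_SIZE):
    """Server side: a fresh grid of random digits for one login attempt."""
    return [[secrets.randbelow(10) for _ in range(size)] for _ in range(size)]


def expected_response(grid, pattern):
    """Read the digits under the secret cells, in pattern order. This is what
    the legitimate user does by eye when shown the grid."""
    return "".join(str(grid[row][col]) for row, col in pattern)


class PatternAuthenticator:
    """Minimal server model (constructed for this example): one enrolled
    pattern per user and at most one outstanding challenge grid per user."""

    def __init__(self, size=GRID_SIZE):
        self.size = size
        self.patterns = {}   # username -> ordered tuple of (row, col) cells
        self.pending = {}    # username -> grid issued but not yet answered

    def enrol(self, username, pattern):
        cells = tuple(pattern)
        if len(cells) != PATTERN_LENGTH or len(set(cells)) != PATTERN_LENGTH:
            raise ValueError("pattern must be %d distinct cells" % PATTERN_LENGTH)
        for row, col in cells:
            if not (0 <= row < self.size and 0 <= col < self.size):
                raise ValueError("cell %r lies outside the %dx%d grid"
                                 % ((row, col), self.size, self.size))
        self.patterns[username] = cells

    def challenge(self, username):
        """Issue a new grid; any earlier unanswered grid is discarded."""
        grid = make_challenge_grid(self.size)
        self.pending[username] = grid
        return grid

    def verify(self, username, response):
        """Consume the outstanding grid and compare in constant time. The grid
        is popped before comparing, so neither a wrong answer nor a replayed
        answer can be tried again against the same grid."""
        grid = self.pending.pop(username, None)
        if grid is None or username not in self.patterns:
            return False
        expected = expected_response(grid, self.patterns[username])
        return hmac.compare_digest(expected, response)


def demo():
    """One enrolment, a correct answer, a replay and a malformed answer."""
    auth = PatternAuthenticator()
    # Constructed secret: an L-shape near the bottom right-hand corner, read
    # down the last column and then one cell left along the bottom row.
    l_shape = [(2, 4), (3, 4), (4, 4), (4, 3)]
    auth.enrol("alice", l_shape)

    grid = auth.challenge("alice")
    answer = expected_response(grid, l_shape)   # what Alice types in
    first = auth.verify("alice", answer)        # accepted
    replay = auth.verify("alice", answer)       # rejected: grid already consumed

    auth.challenge("alice")
    short = auth.verify("alice", "123")         # rejected: wrong length never matches
    return first, replay, short


if __name__ == "__main__":
    print(demo())
```

Two design points follow from the model. The server must hold each pattern in recoverable form, since it needs the cells to compute the expected digits, so the pattern store has to be encrypted at rest and tightly access-controlled rather than hashed like a password. And every grid is single-use: it is generated per attempt, consumed on the first verification, and never reissued, which is what stops a captured answer from being replayed.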

Source: SearchSecurity.co.uk

Firefox 4 to Rescue Mozilla from Decline?

8:45 PM Posted by Administrator
Mozilla launched Firefox 4 on March 22, and since then it has more than doubled its share, sources said. It has been close to a week, and such a success graph has brought good news for Mozilla, sources added.

Mozilla's share has risen to 3.7% from 1.4% since March 22. On the first day of Firefox 4's launch it was downloaded 7.1 million times, and it unofficially saw 8.75 million downloads on the second day, sources reported.

Firefox had been losing share in the browser market, but with version 4 it has grown almost two and a half times.

In comparison, Internet Explorer's newest version is reportedly off to a slow start, as its usage share increased by only six tenths of a percentage point. Still, IE9 has also done well, doubling its share in the two weeks after its launch.

Though both of the new browser versions are doing well, experts are not sure whether these numbers have come at the expense of the older versions' usage shares.

According to sources, both Mozilla and Microsoft are losing to Google and Apple, and any good numbers come as a ray of hope for them.

What Every Engineer Must Know About Cisco C-Series Servers

5:31 PM Posted by Administrator

When Is a Server Not Just a Server?

The answer to this one is easy: when an engineer recommends it. There are inexpensive servers, expensive servers and servers that just look good. But what an engineer needs in a server is something that changes the game, something that gives options to design networks in ways one could never design before. The Cisco C-Series server is the actual engineering breakthrough!

Cisco Servers currently hold 11 World Records for performance and offer design options that have made many engineers smile.

Join Cisco's TechWiseTV Chief Geek Jimmy Ray Purser as he dives into the intricate details of servers that every engineer should know, and how the Cisco C-Series outperforms every single competitor product in its class. We will dig into the new Intel Westmere chip, the Virtual Interface Card, memory mapping, competitive information to help understand the market, and service-level design tips and tricks straight out of the field!

This is not a 10-minute discussion on servers and 50 minutes on UCS software. No way! This is all about the deep details of server hardware. Want to know about servers? Join and understand server-based technologies like a true engineer.

Virtual seats are filling up FAST!!

Register Now

Source: http://www.endtoend.in/ETE2010/CISCO/Telemarketing/cisco_cseries_telemarketing.html