Wednesday, 12 December 2012


Wordpress as being one the widely used CMS platform is one the favorite target of hackers now a days along with WHMCS, Instead of directly targeting wordpress fucntionalities and vulnerable plugins, it has been observed that the hackers are targeting a vulnerable website on the same server and using it they are able to bypass server restrictions in order to get the configuration file and hence hacking in to the wordpress. This method is commonly known asSymlink Bypassing in Black Hat World and server bypassing in White hat community.
Now it's a difficult task for an attacker to manually connect to the database and then manually replace the index file of worpdress for a successful defacement. Therefore hackers use Mass defacers. These are tools used by hackers to change the index files of all the websites present on the server with their own defacement page, This usually happens when the hacker has root level access on the server.

Recently, The admin of Team Root "Mauritania Attacker" mailed me his tool for the review, Which can be used by attackers to deface all the wordpress websites present on the same server.

How Does It Work?

For this tool to work the only requirement would be that the server is vulnerable to symlink bypass, This tool will automatically symlink all the wordpress websites on the server and replace their indexes with the page you will provide (.html or .PHP).

How To Use It?

The usage is extremely simple and i really don't see purpose of creating a tutorial, however this blog is mostly read by newbies, So I will add some screen shots.


1. Shell On The Server
2. The shell should not be secured from Symlink Bypassing.
3. Wordpress Mass Defacement Tool

Once you have completed all the above requirements, Just upload the Mass Defacement tool to the webserver, it will look some thing like this, Now replace the contents of index url with your own defacement page.

Next you will see the results for the websites, yo have been able to deface:

And finally you can view the list of all the websites, you were able to deface:

How To Protect Your Self?

In order to protect your website from being defaced, All you need to do is to change the permissions of your index files to 400. So no one will be able to change them, however if an attacker has root level access on the server, there is no way of protecting your website, since the attacker can manually change the permissions. 

Website Hacking With CSRF Attack

Cross Site Request Forgery Attack is also known as CSRF or XSRF in short. Do not confuse it with Cross Site Scripting attack because it is totally different from that. Like SQL injection andXSS, CSRF is also one in top 10 OWASP web vulnerabilities for many years.

What is Cross Site Request Forgery Attack?

Cross Site Request Forgery or CSRF is an attack method in which attacker exploit users' active session in the browser without the permission of innocent user. By using victim's browser session, attacker sends valid requests to a website that perform some action in users' account. User will not be able to know that the request has been sent from his browser. An Attacker uses some third party innocent websites to generate these valid requests from user’s browser.

EX: If a form on a website can also be submitted from some other website, It is vulnerable to CSRF. Suppose there is a form on a vulnerable website


<form action=”action.php” method=”post”>
And I made a duplicate form on my local host
<form action=”” method=”post”>

I am able to submit the form by using the form on my localhost, the website is vulnerable to the CSRF attack This attack uses user's session to perform malicious task, so it is also known as "Session Riding attack." Sometimes it is hard to understand how this attack works in real life. So I am explaining it with the help of a example.

Suppose if an online payment website like Paypal has CSRF vulnerability. Attacker A want to exploit CSRF vulnerability of this website and attack on victim B. For this he use some third party website. Innocent User B login into his account to do check the balance and then switch to a new tab without logging out from the older tab. Session is active on the browser.

Attacker A had posted a link or image in a website that on load submits the payment transfer form to transfer money to the attacker's account by using active session. As the request came from user's browser by his session, CSRF vulnerable website will transfer the fund.

How CSRF is different from XSS

Many people have confusion inn between CSRF and XSS attack. In XSS, attacker exploit the trust of users on website. So we inject malicious script and user believes on it just because he see a valid website URL. Unlike XSS, in CSRF attacker exploits the website's trust on the browser. In this, a website thinks tha a request camre from the user's browser is made by user itself.

Both vulnerabilities are dangerous enough.

Protection against CSRF attack:

Many people thinks that limiting against XSS also limits CSRF. But this is not true. We have to make so many things to limit the attack.
There are many ways to protect the CSRF attack. Some important ways are given below:

  • Checking the HTTP Referrer header website. If it is a different domain, deny the request.
  • Limiting the lifetime of authentication cookies. If user is inactive for some fixed time, the session must be expired.
  • Limit the damage by authenticating each request made by user. 
  • Use of random token for each session



A Self claimed leading IT security service website has become victim to hacking after hackers from a crew going by the handle @TheCrowsCrew gained access and left the site ( with a new main page.
The attack has happened within the last few hours and was carried out by the crows crew member @catalyst71_RJA and it appears that the “IT security experts” at @datadefence  are totally unaware of the systems breach as at time of publishing the website was still defaced.
Data Defence is a leading edge IT services company providing innovative solutions and services to help organisations guarantee the availability and security of their corporate data.
Data defence appears to have partnerships with some very high profile company’s such as Microsoft,Trend MicroWebrootSymantecCryptzone.Mimecast and Dell Appasure. So with the self claims of being a IT data security expert its any wonder how they have allowed this to happen but it might have something to do with using an outdated version of wordpress.
All attacks by The Crows Crew can be found on Hack DB which in total is over 3000 archive mirrors of past breaches. The defacement on the data defence website has no real message but does has a shout out list and a embedded song.



Facebook's Year in Review: Obama, Sandy, Whitney

The world's largest social network compiled data on the top trends, memes, and events of the last year
A look at the top Facebook trends of 2012.
A look at the top Facebook trends of 2012.
(Credit: Facebook)
Facebook has offered up the most popular trends across its service in 2012, as well as a new feature that lets users check out their last year.
Facebook's 2012 Trends, which the social network compiles by analyzing the most popular topics across its service this year, doesn't offer up many surprises. This year's top event on Facebook was the U.S. presidential election, followed by Super Bowl XLVI and Whitney Houston's death. Superstorm Sandy and the London Olympics rounded out the top five.
"We Are Young" by Fun was this year's top song, followed by "Somebody That I Used to Know" by Gotye and "Call Me Maybe" by Carly Rae Jepsen. The most-talked-about movies on Facebook were "The Hunger Games," "The Avengers," and "Magic Mike."

Facebook's 2012 Trends follows similar announcements from Google and Twitter. Not surprisingly given the popularity of the Election on Facebook, Twitter's top tweet of the yearwas President Obama's "Four more years" message to followers. Google announced today in its Zeitgeist 2012 that the death of Whitney Houston was its top search term for the year.With Facebook Places now in full swing, the social network also shared where most people told friends about their whereabouts. Not surprising to those who have been in the middle of thousands of people at one time, Times Square earned the most check-ins, followed by Disneyland and AT&T Park in California.
To add a bit more personalized fun for its users, Facebook has also launched a Year In Review feature for individual accounts. At the Year In Review page, Facebook users can see their personal 20 biggest events, "including life events, highlighted posts, and your most popular stories."



iPhone 5 Arrives in South Korea & More Than 50 Additional Countries in December

CUPERTINO, California—December 3, 2012—Apple® today announced iPhone® 5 will be available in South Korea on Friday, December 7, with more than 50 additional countries being added in December, including Brazil, Russia and Taiwan. iPhone 5 is the thinnest and lightest iPhone ever, completely redesigned to feature a stunning new 4-inch Retina™ display; an Apple-designed A6 chip for blazing fast performance; and ultrafast wireless*—all while delivering even better battery life.**

iPhone 5 is currently available in 47 countries around the world including the US, Australia, Canada, France, Germany, Hong Kong, Japan and the UK. iPhone 5 comes with iOS 6, the world’s most advanced mobile operating system with over 200 new features including: Shared Photo Streams, Facebook integration, all-new Maps app, Passbook® organization and even more Siri® features and languages.

iPhone 5 comes in either black & slate or white & silver for a suggested retail price of $199 (US) for the 16GB model, $299 (US) for the 32GB model and $399 (US) for the 64GB model. iPhone 5 will be available through the Apple Online Store (, Apple’s retail stores and select Apple Authorized Resellers.

iPhone 4S is available for just $99 (US) and iPhone 4 is available for free with a two-year contract from participating carriers.

iPhone 5 will be available in South Korea on Friday, December 7 and on Friday, December 14 in Albania, Antigua and Barbuda, Armenia, Bahamas, Bahrain, Bolivia, Brazil, Chile, China, Costa Rica, Cyprus, Ecuador, Grenada, Indonesia, Israel, Jamaica, Jordan, Kuwait, Macedonia, Malaysia, Moldova, Montenegro, Panama, Paraguay, Philippines, Qatar, Russia, Saudi Arabia, South Africa, Taiwan, Turkey, United Arab Emirates and Venezuela. iPhone 5 will also be available on Friday, December 21 in Barbados, Botswana, Cameroon, Central African Republic, Egypt, Guinea, Ivory Coast, Kenya, Madagascar, Mali, Mauritius, Morocco, Niger, Senegal, St. Kitts, St. Lucia, St.Vincent & the Grenadines, Tunisia, Uganda and Vietnam.

*Network speeds are dependent on carrier networks. Check with your carrier for details.
**Battery life depends on device settings, usage and other factors. Actual results vary.

Apple designs Macs, the best personal computers in the world, along with OS X, iLife, iWork and professional software. Apple leads the digital music revolution with its iPods and iTunes online store. Apple has reinvented the mobile phone with its revolutionary iPhone and App Store, and is defining the future of mobile media and computing devices with iPad..........



IBM Lights Up Silicon Nanophotonics for Big Data
IBM announced a major advance in the ability to use light instead of electrical signals to transmit information for future computing. Referred to as Silicon Nanophotonics, the technology allows the integration of different optical components side by side with electrical circuits on a single silicon chip, using sub-100 nanometer semiconductor technology.

Big, Fast Data – Without an Interconnect
Silicon Nanophotonics could provide answers to big data challenges by seamlessly connecting various parts of large systems, whether few centimeters or few kilometers apart from each other, and move terabytes of data via pulses of light through optical fibers.The technology uses pulses of light for communication and creates a “super highway” for large volumes of data to be exchanged at high speeds between computer chips in servers.  This alleviates the cost and bottlenecks presented by traditional interconnect technology. The research has potential ramifications for the cost and speed of future data center networks, and potential implications for design as well.
“This technology breakthrough is a result of more than a decade of pioneering research at IBM,” said Dr. John Kelly, Senior Vice President and Director of IBM Research. “This allows us to move silicon nanophotonics technology into a real-world manufacturing environment that will have impact across a range of applications.”
The challenge of manufacturing these chips was addressed by adding a few processing modules into a high-performance 90nm CMOS fabrication line.  A variety of silicon nanophotonics components, such as wavelength division multiplexers (WDM), modulators, and detectors are integrated side-by-side with a CMOS electrical circuitry. As a result, single-chip optical communications transceivers can be manufactured in a conventional semiconductor foundry, providing significant cost reduction over traditional approaches.
IBM’s CMOS nanophotonics technology demonstrates transceivers to exceed the data rate of 25Gbps per channel. In addition, the technology is capable of feeding a number of parallel optical data streams into a single fiber by utilizing compact on-chip wavelength-division multiplexing devices. The ability to multiplex large data streams at high data rates will allow future scaling of optical communications capable of delivering terabytes of data between distant parts of computer systems.
IN short--
It has developed a scalable, silicon nanophotonics chip to improve communications and processing for big data centers.
The chips use pulses of light to communicate between chips in servers, racks and supercomputers. With the new system in place, IBM’s chip can exceed next-gen standard data transfers of 25 Gbps.
These speeds are possible because the optical components on same chip as the processors. The processors still use electrical circuits, but the chips convert the electrical information to light pulses, which then transfer between chips. Upon arriving at a new chip, the light is then transformed into electricity again to be processed.
“We’re basically attacking a fundamental problem,” lead scientist Dr. Solomon Assefa told me. “Communication in computing systems. For example, look at how search is done. When someone queries, it goes to a big data center. It doesn’t just go to a single processor. You have to connect many racks and processors.”
The key innovation isn’t just the technology, though. It’s the fact that its commercial and scalable. The research team at IBM developed the chip so that it can be scaled using conventional manufacturing processes, which is what they’ve been working on for the past two years since their initial breakthrough.
“So they will be cheap,” said Assefa. “Especially if you compare them to what already exists, which requires more assembly of complex parts. We’re bringing cost of optics down to silicon level.”

Cross-sectional view of an IBM Silicon Nanophotonics chip combining optical and electrical circuits. An IBM 90nm Silicon Integrated Nanophotonics technology is capable of integrating a photodetector (red feature on the left side of the cube) and modulator (blue feature on the right side) fabricated side-by-side with silicon transistors. Silicon Nanophotonics circuits and silicon transistors are interconnected with nine levels of yellow metal wires.


post written by Tom Cross

Tom Cross is director of security research at Lancope, a security software firm.

State-sponsored espionage and sabotage of computer networks

With each passing year, the security threats facing computer networks have become more technically sophisticated, better organized and harder to detect. At the same time, the consequences of failing to block these attacks have increased. In addition to the economic consequences of financial fraud, we are seeing real-world attacks that impact the reliability of critical infrastructure and national security. With these observations in mind, here are five key challenges that computer security professionals face as we move into 2013.
Current security technologies and best practices are not effective at preventing sophisticated, targeted attacks from being successful. This fact was underlined earlier this year when a malicious program called Flame was discovered after evading detection by anti-virus software for years. Similarly, a recent study by Symantec Research Labs identified 18 undisclosed security vulnerabilities that were used to target computer networks in the wild for up to 30 months before they were discovered. The consequences of missing these attacks can be significant, as demonstrated by the Shamoon malware that recently hit several companies in the oil and energy sector. Shamoon erases data and renders machines unbootable.
New strategies are clearly needed to fight advanced attacks. Looking for known malware and attacks that target known vulnerabilities is not effective in this context because we don’t know exactly where the next vulnerability will be found or what the next attack will look like. Instead, we need to develop tactics that focus on the behavior of software, systems and actors on the network. By investigating both specific, suspicious behaviors that we know to be associated with malicious activity, as well as general anomalous behaviors that are unusual or unexpected, we can uncover evidence of attack activity even when we are not exactly sure what to look for at the outset.
The time to prepare for a DDoS attack is not the day that one’s website goes down. Firms that are effective at protecting their networks against these incidents have: Assessed the risk of several different kinds of DDoS attack scenarios well in advance; developed processes for responding in the event that one of those scenarios occurs; and have tested those processes with real drills in order to ensure that they work as expected when needed. Getting this right is a top priority for any firm with a large Internet presence in 2013.
  • The loss of visibility and control created by IT consumerization and the cloud
When workloads move into the cloud, organizations lose control over who can access the computer systems that those workloads are running on. They also often lose visibility into what resources were accessed, when they were accessed and from where. The providers of cloud services and technology tell us not to worry about all of that, but seasoned IT security professionals know better. And this problem isn’t limited to the cloud. With bring-your-own-device (BYOD) programs, IT is losing control over the software load, configuration and patch level of network endpoints. IPv6 is going to create its own visibility gaps, beginning with vulnerability assessment, as large address ranges are more difficult to scan.
Organizations have to start demanding their network visibility back. There is no reason that new information technologies cannot be designed with the capability of providing security controls and audit trails to people who need them. The best approach to providing those basic capabilities might be different than in legacy systems, but at the end of the day, it is not impossible to solve these problems. It is all a matter of exposing the right information and regaining control in the right way. 
  • The password debacle
2012 was rife with large disclosures of passwords and password hashes from major websites that were breached, including Zappos, LinkedIn, eHarmony,, Yahoo Voice and Formspring. In addition, attackers are constantly scanning the Internet for exposed, password-protected services like Secure Shell (SSH) and Remote Desktop Protocol (RDP). Accounts on these services are subject to brute-force cracking, and have a tendency to show up on the black market.
The fact is that passwords, as a security technology, are reaching the end of their useful life. Moving to a world where alternative authentication systems are the norm is incredibly difficult, and as a consequence we are entering into a period of time when we are going to have to continue to rely on a security control that doesn’t work. Encouraging users to pick longer passphrases, and proactively auditing networks for weak passwords are steps that can be helpful during this time. Increasingly, we are going to see attackers entering networks with legitimate access credentials without ever having to fire an exploit that would trigger an intrusion detection system. We need to be prepared for this type of attack activity.
  • The insider threat
The insider threat has traditionally been viewed as a high-consequence but low-frequency risk, and many IT organizations have found it challenging to develop effective programs that manage that risk. Even the concerns that were raised over WikiLeaks have failed to create much of a response, because security professionals don’t agree on the right approach. However, some good answers have finally started to appear.
For years, researchers at the CERT Insider Threat Center at Carnegie Mellon’s Software Engineering Institute have been collecting and studying data on real-world insider incidents. This year, they published a book cataloging the results of their research, called The CERT Guide to Insider Threats. This book is an invaluable guide to establishing effective processes for managing the risk of insider attacks, and it should be on every security professional’s wish list this year. In general, the insider threat drives home the point that perimeter defenses are no longer enough. IT organizations also need to be able to see into their internal networks to identify suspicious activity.
In a recent public comment, former U.S. Cybersecurity Czar Howard Schmidtspoke of the important role that security professionals are playing in keeping infrastructure up and running. “Security professionals day after day, not withstanding disruptions, still keep the machine running,” he said. “We are able to do online banking and shopping most of the time – and it’s a direct result of the security professionals…” To be sure, 2013 promises to be another challenging year for those professionals, but being adequately prepared to address the above threats will help keep businesses running and critical infrastructure secure.


Google ends small-biz  free ride on Google AppsGOOGLE ENDS SMALL-BIZ FREE RIDE ON GOOGLE APPS

Google ends small-biz free ride on Google Apps

Google will start charging small businesses to use its Google Apps productivity suite as the company taps previously free services for new revenue streams.
Businesses with 10 or fewer employees will now be charged $50 a year -- the same rate paid by larger businesses -- to use the Web-based tools, which include e-mail, word processor, spreadsheet and presentation graphics tools.
The move will allow the Web giant to focus on the quality of the business user's experience, Google explained today in a company blog post.
"When we launched the premium business version we kept our free, basic version as well," Clay Bavor, director of product management for Google Apps, said in the post. "Both businesses and individuals signed up for this version, but time has shown that in practice, the experience isn't quite right for either group. Businesses quickly outgrow the basic version and want things like 24/7 customer support and larger inboxes. Similarly, consumers often have to wait to get new features while we make them business-ready."
The paid package includes round-the-clock telephone support, a 25GB inbox, and the company's uptime guarantee.
Subscriptions to Google Apps and its separate mapping service for businesses and governments contributed about $1 billion to Google's bottom line last year, according to The Wall Street Journal. More than 40 million people use the free and paid versions of the suite, Google has said.
Before 2011, only businesses with more than 50 employees were charged for the suite of services.


Apple TV is in 'early stage of testing,' report says

It's not a formal project yet, but Apple and its suppliers are trying out designs for a large-screen, high-resolution TV, according to the Wall Street Journal

(Credit: CNET)
Apple has begun the early stages of television set testing, according to reports.
The Wall Street Journal says that manufacturers Sharp and Hon Hai -- otherwise known as Foxconn -- are collaborating with the tech giant to test designs for a large-screen, high-resolution TV, according to unnamed officials connected to Apple's suppliers.
The Cupertino, Calif.-based company, which tests ideas internally before bringing products to external suppliers, has been testing television set prototypes "for a number of years," according to the Journal's unnamed sources. The iPad and iPhone maker has already infiltrated the living room with its Apple TV box, which connects online media to traditional television sets.
"It isn't a formal project yet. It is still in the early stage of testing," one of the sources told the Journal.
The idea of Apple producing a television set was brought back to the stage this month by Apple CEO Tim Cook, who hinted in aninterview with NBC that a new product offering may be on the horizon. "When I go into my living room and turn on the TV, I feel like I have gone backwards in time by 20 to 30 years," Cook said. "It's an area of intense interest. I can't say more than that."
Although it remains to be seen how much impact Apple could have in the television and media industry, already entwined in long-standing broadcasting contracts and "smart TV" production by manufacturers, a survey from Morgan Stanley suggested that the brand name may be enough -- and consumers would be willing to pay a 20 percent premium for an Apple-branded set.
Meanwhile, famed technologist and venture capitalist Marc Andreessen speculated at the Dealbook conference this morning that an Apple TV is likely to arrive in 2014 or maybe 2015 at the latest, if it doesn't squeak out in 2013, according to Business Insider