Thursday, February 23, 2012

xSQL Scanner: Security Audit Tool For MS-SQL & MySQL & Database Password Cracker

xSQL Scanner is an advanced SQL audit tool that allows users to find weak passwords and vulnerabilities on MS-SQL and MySQL database servers.

The objective of xSQLScanner is to assist the Security Analyst or Penetration Tester in auditing the security of MS-SQL and MySQL database servers.


Features

Test for weak passwords fast;
Test for weak/user passwords;
Wordlist option;
Userlist option;
Portscanner;
Range IP Address audit and more.

Windows – xsqlscanner-1.2.zip
Linux – xsqlscan-mono.tgz

Friday, February 17, 2012

Google Exploits Safari Flaw to Track Users Online

The Wall Street Journal has caught Google with its hand in the cookie jar of Apple’s Safari users, after manipulating Safari browser flaws to enable tracking of users’ browsing behaviour via cookies.


Search giant Google has been accused by the Wall Street Journal of bypassing the browser’s security settings by allowing a site to set tracking cookies.

Safari for Mac and PC, as well as Safari in-built into iOS devices, are thought to be affected. The browser was subject to tests by the Journal which show that Google used code in its advertisements to bypass Safari’s security, which by default blocks such tracking activity.

The aim of the code was to allow users who had signed into Google+ in Safari to access the ‘+1′ button within ads, provided by Google’s DoubleClick network.

“Don’t be evil,” the company said. While this may not classify as evil per se, it has already gained the attention of the online privacy advocacy group, the Electronic Frontier Foundation (EFF), reiterating the need for ‘Do Not Track’ rules on the Web.

Safari’s security would normally prevent ads from dropping a tracking cookie in such a case because it blocks cookies coming from advertising networks. But the code Google is accused of using ‘tricked’ the browser into thinking the code was submitting a web form to Google; form cookies are not blocked, as it allows the browser to see whether the form was in fact sent.

The exploit isn’t new. It was first discovered in 2010 by Stanford researcher Jonathan Mayer and confirmed by web developer and researcher Anant Garg.

But Google, while the biggest name on the list of the accused, was not the only one to do it. The Journal says that other advertising networks do similar things, such as the Media Innovation Group, Gannett’s PointRoll, and Vibrant.

Google’s DoubleClick adverts containing the privacy-circumventing code were found on major websites, including AOL.com, Match.com, TMZ.com and YellowPages.com, according to CNET reports. The Journal’s outside advisor found that 22 of the top 100 websites had Google’s Safari-busting tracking code, and that 23 different sites install the same code on Safari’s iOS browser.

The cookies were set to expire after 12 to 24 hours, but Safari can add even more cookies to a user’s browser once the first cookie has been left.

After Google was caught with its hand in the cookie jar, it said that “the Journal mischaracterizes what happened and why,” after it disabled the code. “We used known Safari functionality to provide features that signed-in Google users had enabled. It’s important to stress that these advertising cookies do not collect personal information,” the company said.

Apple, however, was quoted as saying that it is “working to put a stop” to the circumvention of its privacy settings and security features.

Microsoft has weighed in, taking a cheap shot at its closest rival, by saying that “this type of tracking by Google is not new”. The Internet Explorer blog continued: “The novelty here is that Google apparently circumvented the privacy protections built into Apple’s Safari browser in a deliberate, and ultimately, successful fashion.”

Rachel Whetstone, senior vice-president for communications and public policy at Google, expanded on the Journal’s findings:

“Unlike other major browsers, Apple’s Safari browser blocks third-party cookies by default. However, Safari enables many web features for its users that rely on third parties and third-party cookies, such as “Like” buttons. Last year, we began using this functionality to enable features for signed-in Google users on Safari who had opted to see personalized ads and other content — such as the ability to “+1” things that interest them.

To enable these features, we created a temporary communication link between Safari browsers and Google’s servers, so that we could ascertain whether Safari users were also signed into Google, and had opted for this type of personalization. But we designed this so that the information passing between the user’s Safari browser and Google’s servers was anonymous — effectively creating a barrier between their personal information and the web content they browse.

However, the Safari browser contained functionality that then enabled other Google advertising cookies to be set on the browser. We didn’t anticipate that this would happen, and we have now started removing these advertising cookies from Safari browsers. It’s important to stress that, just as on other browsers, these advertising cookies do not collect personal information.”

Anonymous Launches a DDOS Attack on Internet's root DNS Server

Summary: The Anonymous hacktivist movement is planning to launch a distributed denial of service attack (DDoS) on the Internet’s root DNS servers, using a Reflective DNS Amplification DDoS tool.

According to a note left by members of the Anonymous hacktivist movement on Pastebin.com, the group is planning to launch a distributed denial of service attack (DDoS) on the Internet’s root DNS servers, using a Reflective DNS Amplification DDoS tool specifically created for ‘Operation Global Blackout’.

We have compiled a Reflective DNS Amplification DDoS tool to be used for this attack. It is based on AntiSec’s DHN, contains a few bug fixes, a different dns list/target support and is a bit stripped down for speed.

The principle is simple; a flaw that uses forged UDP packets is to be used to trigger a rush of DNS queries all redirected and reflected to those 13 IPs. The flaw is as follows: since the UDP protocol allows it, we can change the source IP of the sender to our target, thus spoofing the source of the DNS query. The DNS server will then respond to that query by sending the answer to the spoofed IP. Since the answer is always bigger than the query, the DNS answers will then flood the target IP. It is called amplified because we can use small packets to generate large traffic. It is called reflective because we will not send the queries to the root name servers; instead, we will use a list of known vulnerable DNS servers which will attack the root servers for us.

Since the attack will be using static IP addresses, it will not rely on name server resolution, thus enabling us to keep the attack up even while the Internet is down. The very fact that nobody will be able to make new requests to use the Internet will slow down those who will try to stop the attack. It may only last one hour, maybe more, maybe even a few days. No matter what, it will be global. It will be known.

Based on a message update issued by Anonymous, the group has said that it still has the capability to target the Root Internet Servers.

Despite the fact that current Internet infrastructure allows the execution of DNS amplification attacks, the Anonymous hacktivist movement is surely lacking the capabilities to execute such an attack, despite the high number of recruited users that may be participating in the attack.

For the time being, the Low Orbit Ion Cannon (LOIC) ICMP flooder, and the RefRef web script remain the primary attack tools used by the Anonymous hacktivist collective.

Learn more about DNS Amplification attacks, what they are, how they work, and how can Internet Service Providers mitigate the threat posed by them.
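
Seen from the receiving side, the reflection described above shows up as DNS responses that answer no query the host ever sent. The following is an added example, not part of the original post: a small detector run over a constructed packet list. The DnsPacket record, the function names and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class DnsPacket:
    ts: float          # capture time in seconds
    src: str
    dst: str
    txid: int          # DNS transaction ID
    is_response: bool
    size: int          # UDP payload bytes

def find_unsolicited(packets, local_ip, window=5.0):
    """Responses sent to local_ip that answer no query it issued within `window` seconds."""
    pending = {}       # (server, txid) -> time the query left
    unsolicited = []
    for p in sorted(packets, key=lambda p: p.ts):
        if not p.is_response and p.src == local_ip:
            pending[(p.dst, p.txid)] = p.ts
        elif p.is_response and p.dst == local_ip:
            sent = pending.pop((p.src, p.txid), None)
            if sent is None or p.ts - sent > window:
                unsolicited.append(p)
    return unsolicited

def per_source(unsolicited):
    """Map each reflecting server to (packet count, total bytes)."""
    totals = defaultdict(lambda: [0, 0])
    for p in unsolicited:
        totals[p.src][0] += 1
        totals[p.src][1] += p.size
    return {src: (n, b) for src, (n, b) in totals.items()}

def looks_like_reflection(summary, min_sources=2, min_bytes=5000):
    """Heuristic with assumed thresholds: several servers, large unsolicited volume."""
    total = sum(b for _, b in summary.values())
    return len(summary) >= min_sources and total >= min_bytes

# Constructed sample capture; addresses come from the documentation ranges.
HOST = "192.0.2.10"
SAMPLE = [
    DnsPacket(0.00, HOST, "198.51.100.53", 0x1A2B, False, 40),   # real lookup
    DnsPacket(0.03, "198.51.100.53", HOST, 0x1A2B, True, 120),   # its answer
    DnsPacket(1.00, "203.0.113.1", HOST, 0x0001, True, 3000),    # never asked for
    DnsPacket(1.01, "203.0.113.2", HOST, 0x0002, True, 3100),
    DnsPacket(1.02, "203.0.113.1", HOST, 0x0003, True, 2900),
]

if __name__ == "__main__":
    summary = per_source(find_unsolicited(SAMPLE, HOST))
    for src, (count, size) in sorted(summary.items()):
        print(f"{src}: {count} unsolicited responses, {size} bytes")
    print("reflection suspected:", looks_like_reflection(summary))
```

The legitimate answer is matched to its query by server and transaction ID and ignored; only the large responses with no matching query are counted.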

Saturday, February 11, 2012

How to Know a Malicious Link Without Clicking It

Even the best security software can’t protect you from the headaches you’ll encounter if you click an unsafe link. Unsafe links appear to be shortcuts to funny videos, shocking news stories, awesome deals, or “Like” buttons, but are really designed to steal your personal information or hijack your computer. Your friends can unknowingly pass on unsafe links in emails, Facebook posts, and instant messages. You’ll also encounter unsafe links in website ads and search results. Use these link-scanning tips to check suspicious links. All of these solutions are free, fast, and don’t require you to download anything.

Hover Over the Link

Sometimes a link masks the website to which it links. If you hover over a link without clicking it, you’ll notice the full URL of the link’s destination in a lower corner of your browser. For example, both of these links connect you to PCWorld’s home page, but you wouldn’t know that without hovering:

Click Here!

http://www.prohackingtricks.blogspot.com/

Use a Link Scanner

Link scanners are websites and plug-ins that allow you to enter the URL of a suspicious link and check it for safety. There are many free and reliable link scanners available; I suggest you try URLVoid first. URLVoid scans a link using multiple services, such as Google, MyWOT, and Norton SafeWeb, and reports the results to you quickly.

URLVoid scans several security databases for information on sketchy Web domain names.

Check Out Shortened Links

URLVoid can’t properly handle shortened URLs from services such as bitly, Ow.ly, and TinyURL (URLVoid will scan the shortening service website instead of the link to which it points). To scan the mysterious shortlinks you’ll often find on Twitter and Facebook, use Sucuri. Sucuri automatically expands the shortlink and draws upon a handful of services, such as Google, Norton SafeWeb, and PhishTank, to determine if the real link is safe. You can also use Sucuri for scanning nonshortened links, but URLVoid checks more sources.

Sucuri can help you determine whether shortened links are safe or not.

Copy a Link--Safely

Services like URLVoid and Sucuri require you to type in or paste a suspicious link—but how do you quickly and safely grab the URL without opening anything? Easy. Just right-click the link to bring up a context menu, then click Copy shortcut (in Internet Explorer), Copy Link Location (in Firefox), or Copy Link Address (in Chrome). The URL is now copied to your clipboard and you can paste it into any search field.

Anonymous Attacks CIA, State of Alabama Website


Hackers are on a spree again with the latest infiltration of websites run by the CIA and the state of Alabama, an alarming trend that lays bare the ease and frequency with which they seem to be able to cause mischief.

Computer hackers claiming affiliation with the hacking group on Friday penetrated several websites, including those run by the U.S. spy agency, the state of Alabama and a large number of sites in Mexico. The day before, the United Nations website was also hit, although Anonymous doesn’t appear to be involved with that attack.

According to CNN, messages on Twitter and Tumblr Feb. 10 indicated members of the loosely-structured hacking network were celebrating the shutdown of the CIA's website. While the site is working now, it was out of commission for several hours Friday night.

Anonymous also accessed Alabama state servers, and said in a press release that it did so in retaliation for "racist" immigration legislation. In its diatribe against the state, Anonymous said it had gained information about more than 46,000 citizens, including full legal names, Social Security Numbers, license plate numbers, dates of birth, phone numbers, addresses and criminal records, although the group said it deleted the data.

Anonymous said its goal with the Alabama hack attack also was to point out "the amount of incompetence that is taking place within the state government in Alabama." It said "this data was not securely segregated from the Internet, nor was it properly encrypted. This is what happens when not enough resources are spent on proper design and the training that comes with it."

The U.N. has also been criticized for its lax security protocols that allowed a hacker to infiltrate its website on Thursday and release a list of the organization's potential vulnerabilities.

According to MyFox New York, the security firm Identity Finder says it looks like the U.N. was not using basic web security and that a simple SQL injection attack (SQLIA) was what enabled the hacker to gain access to the U.N.'s database.

And Friday night, one Twitter account associated with Anonymous indicated the group was responsible for taking down scads of websites in Mexico in protest of anti-piracy laws.

Thursday, February 9, 2012

Google will pay you $25 for your Web Privacy

The search giant is promising up to $25 in Amazon gift cards if you let it track the Web sites you visit and how you use them. Through a new project known as Screenwise, you install a browser extension that monitors every site you check out.

Google's stated goal is to find out how everyday people use the Internet in an attempt to help it improve its own products and services.

Those of you not shy about sharing your Web sites can score a $5 Amazon gift card when you sign up and download the Screenwise browser extension. You're then eligible for another $5 card for every three months that you stick with the program until the $25 max kicks in. However, the company is thinking about what further amounts it could add for people who last more than 12 months.

According to Google, "it's our way of saying 'Thank you.'"

To launch the project, Google is teaming up with Knowledge Networks, a company that rounds up panels of people to conduct online research.

To grab the deal, you have to be 13 or older, have a Google account, and use the Chrome browser. But before you try to jump on it right now, Google says it's already overwhelmed with interest and is advising people to come back to the Screenwise page at a later date for more details.

But apparently there's more to Screenwise than just the $25 browser extension project. A more extensive and expensive option asks you to set up a data collector router and then install the Chrome extension on each computer you use, says Ars Technica.

In return for collecting Web site data on every PC in your home, Google will pay you $100 just for signing up and $20 a month for as long as you participate, maxing out at a full year. Though similar to the $25 project, this one will look at different types of data.

Though Screenwise is strictly opt-in, the project comes at an odd time when Google is on the hot seat over changes to its privacy policies.

Swagg Security hackers hit Foxconn, release usernames and passwords

A group of hackers known as Swagg Security is taking credit for a breach of Foxconn network security, resulting in the theft of usernames, passwords, and other private information.

In a series of Twitter posts yesterday, the group boasted that it publicly released the information on the Pirate Bay Web site as well as on Pastebin. The attack grabbed the credentials of every Foxconn employee, according to 9to5Mac, including Terry Gou, CEO of parent Hon Hai Industries.

Beyond damaging Foxconn internally, the stolen information could also create trouble for some of the company's technology partners.

"The passwords inside these files could allow individuals to make fraudulent orders under big companies like Microsoft, Apple, IBM, Intel, and Dell," Swagg Security said on its Pastebin page. "Be careful ; )"

In response, Foxconn has taken down a Web site (Google cached version) explaining the services it provides to some of its key partners, including Apple, HP, Cisco, and Acer.

The group apparently was able to sneak past Foxconn's security by taking advantage of vulnerabilities in an outdated version of Internet Explorer used by one of the company's workers. Swagg Security even warned its intended victim on January 26 to make sure its browsers were up-to-date, though it didn't name Foxconn as that victim.

Accessing some of the log-in information, 9to5Mac confirmed that the usernames and passwords did provide access to several Foxconn servers, most of them hosting intranet sites for company clients.

Why Foxconn? Simple answer.

Swagg Security staged its attack in response to all the reports of poor and demeaning working conditions at the manufacturer's factories across China.

"So Foxconn thinks they got 'em some swagger because they work with the Big Boys from Intel, Microsoft, IBM, and Apple? Fool, You don't know what swagger is," the group boasted on its Pastebin page. "They say you got your employees all worked up, committing suicide 'n stuff. They say you hire chinese workers 'cause you think the taiwanese are elite. We got somethin' served up good...real good. Your not gonna' know what hit you by the time you finish this release. Your company gonna' crumble, and you deserve it."

Wednesday, February 1, 2012

How to Prevent Google from tracking you

Much has been made of Google's new privacy policy, which takes effect March 1. If you're concerned about Google misusing your personal information or sharing too much of it with advertisers and others, there are plenty of ways to avoid Web trackers.

The Electronic Frontier Foundation offers the Panopticlick service that rates the anonymity of your browser. The test shows you the identifiable information provided by your browser and generates a numerical rating that indicates how easy it would be to identify you based solely on your browser's fingerprint.

According to the entropy theory explained by Peter Eckersley on the EFF's DeepLinks blog, 33 bits of entropy are sufficient to identify a person. According to Eckersley, knowing a person's birth date and month (not year) and ZIP code gives you 32 bits of entropy. Also knowing the person's gender (50-50, so one bit of entropy) gets you to the identifiable threshold of 33 bits.

In some ways, Google's explanation of personalized ads is more informative than the company's privacy policy. Of course it's in Google's best interest to keep you in the personalized-ads fold, but the company does its best to present personalization as a boon to users. It certainly does help pay for the "free" services we've come to rely on.


Use Google's own tools to opt out of ad networks

Prominent in the Google privacy policy are links to services that let you view and manage the information you share with Google. Some of this personal data you volunteer, and some of it is collected by Google as you search, browse, and use other services.

To view everything (almost) Google knows about you, open the Google Dashboard. Here you can access all the services associated with your Google account: Gmail, Google Docs, YouTube, Picasa, Blogger, AdSense, and every other Google property. The dashboard also lets you manage your contacts, calendar, Google Groups, Web history, Google Voice account, and other services.



More importantly, you can view and edit the personal information stored by each Google service, or delete the service altogether. To see which other services have access to the account's information, click "Websites authorized to access the account" at the top of the Dashboard. To block an authorized service from accessing the account, click Revoke Access next to the service name.


The Google Ads Preferences Manager lets you block specific advertisers or opt out of all targeted advertising. Click the "Ads on the web" link in the left column and then choose "add or edit" under "Your categories and demographics" to select the categories of ads you want to be served or to opt out of personalized ads.


Another option is to use Google's Keep My Opt-Outs extension for Chrome. Google also participates in the Network Advertising Initiative's opt-out program. Select some or all of the dozens of online advertisers from the NAI program and then click Submit to place a cookie in your browser instructing the ad networks not to serve personalized ads.

Free add-on for Firefox and Google Chrome targets tracking cookies

Several free browser extensions help you identify and block the companies that are tracking you on the Web. For example, Ghostery (available in versions for Firefox and Chrome) adds an icon to your browser toolbar showing the number of trackers on the current page. Click the icon to see a list of the trackers and view options for blocking or white-listing specific ones.

The free Disconnect extension (also available for Facebook and Chrome) takes a more direct approach to wiping your Web tracks. Disconnect blocks tracking by Google, Facebook, Twitter, Yahoo, and Digg. It also has an option for depersonalizing searches.

As with Ghostery, Disconnect places an icon in the browser toolbar that shows the number of elements it has blocked on the current page. Click the icon to open a window showing the number of trackers blocked for each service. To unblock tracking for one of the services, click its entry. (Note that I tested Disconnect only with Google; also, blocking of international Google domains is not yet available, according to Disconnect's developers.)

When I tested Disconnect, I had to sign into Gmail, Google Docs, and other Google services every time I returned to or refreshed one of those pages, which is understandable considering that blocking the cookie prevents Google from keeping you signed in. Otherwise I was able to use Google services without a problem, including search, viewing and sending Gmail, and accessing, creating, uploading, and downloading Google Docs files.

While people are rightly concerned about who is watching and recording their Web activities, at least Google makes it possible to use the company's services without being too forthcoming with your personal information. ISPs and other Web services do as much tracking as Google--or more--but garner far fewer headlines. For a detailed look at the state of privacy in the digital world, read about the Electronic Frontier Foundation's Surveillance Self-Defense project.

After all, the true threat to privacy is from the trackers we don't know about, and who aren't household names.