Top 10 Security trends for 2011
Man in the browser (MITB) attacks are a new threat which consumers will face and the hacking industry is widely adopting, especially as many security products are not mature enough yet to deal with this problem.
File security. With Sharepoint being the fastest growing product in Microsoft history and data growing at a 60% annual rate, file security will become the top security issue. With PCI DSS being expanded to refer not only to databases and web apps but also to files, organisations will need to carefully consider how they protect their files.
Smartphones will be the new target in 2011. Hackers are using mobile devices (smartphones and tablets) as a new attack platform. With a number of applications on mobile devices (CRM, Salesforce, Access to work e-mails), these will become more susceptible to attack.
Hackers and security side-by-side in the cloud. As organisations' IT infrastructure moves to the cloud, so will their security controls. However these services will also become hot targets for hackers, with the popular ones being the most data-rich, the security on these services will need to be tightened immensely.
Insider threat. With more job losses set for 2011, there will be more disgruntled employees than ever. Employees are more likely to want to take information to help them with new jobs or as an act of revenge to pass on to competitors.
Social networks have started to blur the notions of privacy and security. 2011 will bring even more confusion when it comes to security and the trust people put in social networks.
Convergence of regulations over countries. Convergence of regulations amongst the OECD countries will lead to standardising laws on data security and privacy.
Security is becoming part of the business process. With the recent acquisitions of McAfee by Intel and Fortify by HP, suppliers are gaining an understanding of the need to apply security throughout the complete process of building a system. Today, cybersecurity can't be separated from business operations. Security teams need to become business process experts to keep the bad guys disarmed while keeping the good guys productive.
Hackers are feeling the heat. Proactive security seems to be the new approach for most security practitioners and due to this more hackers will get caught. However, due to the industrialisation of hacking, hackers will raise their professional bar by "buying" other smaller groups or merging, leaving the more sophisticated hackers in business.
Hacktivism meets industrialisation. Hacktivism as we know it has been very targeted. However, hacktivists are learning from the success of industrialised hackers and will soon follow in their footsteps. The attacks will transition from restricted targets to a wide range of targets.
---Like this post, Just leave a comment as your feedback. If you want us to post an article on some specific topic OR have a suggestions for us...you can also drop an email on amarjit@freehacking.net
SQL Injection Attack Step by Step Method
used by most hackers: Why SQLi still successful?
used by most hackers: Why SQLi still successful?
Well its hard to tell when SQL Injection has been started, but I can definitely say one thing that it became famous when the software world was caught up in Y2K. Software development shops did step up and perform heroics to rescue legacy systems from death by two-digit dating systems. They located the flaws in old code and either fixed them or found ways to work around the problems.
Now its still a BIG QUESTION that how this same IT industry of software developers failed to put a solution in place for the SQL Injection vulnerabilities. If they resolved the BIGGEST SOFTWARE BUG Y2K, then why still SQLi? WHY?
Or maybe it is not just the software industry to blame. Many software vulnerabilities have been fixed, patches and updates have been released, and secure configuration settings have been offered.
Are all the webmasters and site and database administrators out there paying attention?
When I think about what is really allowing SQL injection to remain so successful, four factors come to mind.
1. It is just so easy. Take a few minutes with Google searching for “guide to SQL injection” or “SQL injection how-to,” and you'll find a massive amount of detailed information on how such attacks work, along with lots and lots of examples. SQL injection becomes no more than a cut-and-paste job.
Best Example is: Use Google Dorks To Find Targets For SQL Injection. Google Dork queries that can help you find sites that might be vulnerable for SQL injection attacks. Once you find the target, use SQL Injection Strings to get the ADMIN access. To locate ADMIN PAGE of the site, you can use ADMIN CONTROL PAGE FINDER.
Change your search string to “SQL injection scanner,” and you'll quickly find your way to a myriad of free tools that you can download, then easily point at any website and pinpoint vulnerabilities. With the number of vulnerabilities that we believe are out there, there is almost no limit to the number of easy targets on the internet today.
HERE ARE THE BEST EXAMPLEs: HAVIJ SQLi SCANNER, SQL MAP & PANGOLIN
2. Organizations don't expeditiously apply security patches to their applications or databases. By running old code, organizations expose themselves to attack by leaving known vulnerabilities in their internet-facing applications or the databases that support them. These known vulnerabilities are typically well documented on the internet, complete with exploit code. If an attacker finds a system running unpatched software, it is a trivial exercise to download malware and hack their way in. Misconfigurations can also leave a system exposed to attackers.
3. Software developers continue to create vulnerable applications, and IT teams put them into production. Lack of awareness and education around secure coding practices, combined with a perception that building secure software takes longer and costs more was how SQL injection came to be in the first place. This continues today.
Groups such as OWASP have published excellent educational materials on how to code securely and cost justify the investment in secure coding practices. The group has made tremendous headway, but everyone in the software world needs to pay attention for the problem to stop growing.
4. Web application firewalls (WAF) have been broadly deployed as a once-and-for-all solution to SQL injection. While a WAF can be an effective component of a layered defense strategy, it is by no means impenetrable. Most WAFs require a tremendous amount of expert configuration and tuning before they provide much effective protection. If a WAF hasn't been configured to know about a specific vulnerability, it is unlikely to be effective preventing an exploit.
On top of the exposures created by poorly configured WAFs are the evasion techniques attackers have developed to bypass WAFs entirely. Dozens of evasion techniques have been documented with more popping up regularly, and it all comes right up when you search the internet for “WAF evasion."
SQL injection can come in many forms, and can take the form of a sophisticated attack, but the vast majority of successful attacks don't need to go beyond the basics. We have the techniques and technologies at our disposal to put a stop to SQL injection. The IT world must get educated on the threat and become disciplined about ensuring that all components of an application stack are locked down and secure before deployment.
Cyber Crime Investigation Cells across India ??Cyber Crime Investigation cell,Mumbai ??
Annex III, 1st floor, Office of the Commissioner of Police,
D.N.Road,Mumbai - 40001
Email: cybercell.mumbai@mahapolice.gov.in
Tel: +91 - 022 - 24691233
Cyber Crime investigation Cell works under the direct supervision and control of following superior officers 1.Mr. Himanshu Roy, Jt. Commissioner Of Police (Crime), Mumbai
?(+91)-022-22620406?(+91)-022- 22620557 (fax)
Mr. Deven Bharti, Addl.C.P(Crime) (+91)-022-22621220
Mr. B.K.Sonawane, D. C. P (preventive) C.B., C.I.D., Mumbai (+91)-022-22612090
Mr.Sanjay Jadhav, A.C.P. (Cyber Division), C.B., C.I.D., Mumbai (+91)-022-24691497, (+91)-022-26504008
Mr.Mukund Pawar , Inspector of Police, Cyber Crime Investigation Cell,C.B., C.I.D., Mumbai
(+91)-022-24691233 ?Mr.R.B. Mane, API ?Mr.S.Y. Mane, PSI
Delhi Police
Postal address-Superintendent of Police,
Cyber Crime Investigation Cell,
5th Floor, Block No.3, CGO Complex,
Lodhi Road, New Delhi – 110 003
Phone: 4362203, 4392424
e-mail- cbiccic@bol.net.in
Rest of Tamil Nadu,
Address: Cyber Crime Cell, CB, CID, Chennai
E-mail id: cbcyber@tn.nic.in
Bangalore (for whole of the Karnataka)
Address:Cyber Crime Police Station
C.O.D Headquarters,Carlton House,
# 1, Palace Road,Bangalore - 560 001
Contact Details:+91-80-2220 1026
+91-80-2294 3050 ,+91-80-2238 7611 (FAX)
Web site: http://www.cyberpolicebangalore.nic.in/
Email-id: ccps@blr.vsnl.net.in, ccps@kar.nic.in Hyderabad
Hyderabad
Cyber Crime Police Station
Crime Investigation Department,3rd Floor, D.G.P. office
Lakdikapool,Hyderabad – 500004
Contact Details:+91-40-2324 0663+91-40-2785 2274
+91-40-2329 7474 (Fax)
Web site:http://www.cidap.gov.in/cybercrimes.aspx
E-mail id: cidap@cidap.gov.in, info@cidap.gov.in
Thane Mumbai
3rd Floor, Police Commissioner Office
Near Court Naka,Thane West,Thane 400601.
Contact Details: +91-22-25424444
Web site: http://www.thanepolice.org/
E-Mail: police@thanepolice.org
Pune
Assistant Commissioner of Police Cyber Crime Investigation Cell
Police Commissioner Office of Pune 2, Sadhu Vaswani Road,
Camp,Pune 411001
Contact Details: 91-20-2612 7277 +91-20-2616 5396
+91-20-2612 8105 (Fax)
Website:
http://punepolice.com/crime branch.html
E-Mail: punepolice@vsnl.com
Gujarat
DIG, CID, Crime and Railways
Fifth Floor ,Police Bhavan
Sector 18, Gandhinagar 382 018
Contact Details:+91-79-2325 4384+91-79-2325 3917 (Fax)
No comments:
Post a Comment