background preloader

Top 10 Web hacking techniques of 2010 revealed

Top 10 Web hacking techniques of 2010 revealed
Network World - A Web hack that can endanger online banking transactions is ranked the No. 1 new Web hacking technique for 2010 in a top 10 list selected by a panel of experts and open voting. Called the Padding Oracle Crypto Attack, the hack takes advantage of how Microsoft's Web framework ASP.NET protects AES encryption cookies. FROM THE SECURITY WORLD: Quirky moments at Black Hat DC 2011 If encryption data in the cookie has been changed, the way ASP.NET handles it results in the application leaking some information about how to decrypt the traffic. With enough repeated changes and leaked information, the hacker can deduce which possible bytes can be eliminated from the encryption key. That reduces the number of unknown bytes to a small enough number to be guessed. The developers of the hack -- Juliano Rizzo and Thai Duong -- have developed a tool for executing the hack. Here are the rest of the top 10 Web hacks voted in the competition: 2. 3. 4. 5. 6.

http://www.networkworld.com/news/2011/012411-top-web-hacking-techniques.html

Related:  Hacking & ExploitsHacking

How the NSA's Firmware Hacking Works and Why It's So Unsettling One of the most shocking parts of the recently discovered spying network Equation Group is its mysterious module designed to reprogram or reflash a computer hard drive’s firmware with malicious code. The Kaspersky researchers who uncovered this said its ability to subvert hard drive firmware—the guts of any computer—“surpasses anything else” they had ever seen. The hacking tool, believed to be a product of the NSA, is significant because subverting the firmware gives the attackers God-like control of the system in a way that is stealthy and persistent even through software updates. The Best Hacking Tutorial Sites - Learn Legal Hacking - StumbleUpon written by: Daniel Robson•edited by: Aaron R.•updated: 2/13/2011 Whether it's to understand potential attack vectors or simply for the fun of it, learning the basics of hacking is something that a lot of people aspire to. Here's our list of the top tutorial based hacking sites.

Malicious Linux Commands - From (This article was originally published in Ubuntu Forums but was removed there. Ubuntuguide feels that knowledge about these risks is more important than any misguided attempts to "protect the public" by hiding their potential dangers or protect the (K)Ubuntu/Linux image. The original article has therefore been re-created (and subsequently edited) here.) Top 6 Underground Search Engines You Never Knew About Advertisement I love Google, Bing and Yahoo just as much as the next Internet user, but sometimes you really want to dig down into a particular subject. In order to do that, you really need access to those underground search engines that may not be quite as well known, but they dig much more deeply into specialized areas of the Internet than the general search engines are capable of.

MD5 considered harmful today The bytes 0 - 473 in the real certificate (the fields up to the modulus, and the first 5 bytes of the modulus field which are a predictable header) are pretty much fixed by CA requirements. Those 474 bytes form the "chosen prefix" on the real certificate's side. For this certificate we chose to have a 2048 bit RSA key. Phone hacking Phone hacking is the practice of intercepting telephone calls or voicemail messages, often by accessing the voicemail messages of a mobile phone without the consent of the phone's owner. The term came to prominence during the News International phone hacking scandal, in which it was alleged (and in some cases proved in court) that the British tabloid newspaper the News of the World had been involved in the interception of voicemail messages of the British Royal Family, other public figures, and the murdered schoolgirl Milly Dowler.[1] Risks[edit] Although any mobile phone user may be targeted, "for those who are famous, rich or powerful or whose prize is important enough (for whatever reason) to devote time and resources to make a concerted attack, there are real risks to face."[2]

An Unprecedented Look at Stuxnet, the World's First Digital Weapon This recent undated satellite image provided by Space Imaging/Inta SpaceTurk shows the once-secret Natanz nuclear complex in Natanz, Iran, about 150 miles south of Tehran. AP Photo/Space Imaging/Inta SpaceTurk, HO In January 2010, inspectors with the International Atomic Energy Agency visiting the Natanz uranium enrichment plant in Iran noticed that centrifuges used to enrich uranium gas were failing at an unprecedented rate.

Exploiting Unexploitable XSS XSS that are protected by CSRF protection or where other mitigating factors are present are usually considered to be unexploitable or of limited exploitability. This post details real world examples of exploiting “unexploitable” XSS in Google and Twitter. While the XSS detailed in this post are site specific the methods that were used to exploit them could be applied to other websites with similar implementations.

70 Things Every Computer Geek Should Know. The term ‘geek’, once used to label a circus freak, has morphed in meaning over the years. What was once an unusual profession transferred into a word indicating social awkwardness. As time has gone on, the word has yet again morphed to indicate a new type of individual: someone who is obsessive over one (or more) particular subjects, whether it be science, photography, electronics, computers, media, or any other field. A geek is one who isn’t satisfied knowing only the surface facts, but instead has a visceral desire to learn everything possible about a particular subject.

Related:  Securityр-2-рSecurity