Sunday, May 16, 2010

Easy Method: Blind SQL Injection

Blind SQL injection is identical to normal SQL Injection except that when an attacker attempts to exploit an application, rather than getting a useful error message, they get a generic page specified by the developer instead. This makes exploiting a potential SQL Injection attack more difficult but not impossible. An attacker can still steal data by asking a series of True and False questions through SQL statements.

The attacker provides your database application with some malformed data, and your application uses that data to build a SQL statement using string concatenation. This allows the attacker to change the semantics of the SQL query. People tend to use string concatenation because they don’t know there’s another, safer method, and let’s be honest, string concatenation is easy, but it’s wrong step. A less common variant is SQL stored procedures that take a parameter and simply execute the argument or perform the string concatenation with the argument and then execute the result.

Nowadays, it is very easy to perform Blind SQL injection compare to a few years ago because a lot of SQL injection tools available on the Internet. You can download it from security website or hacker website and use it to test for MySQL, MSSQL or Oracle. By using these automated tools, it is very easy and fast to find holes or bugs for SQL injection or Blind SQL injection from a website.

In this article, I will show you how to find and perform Blind SQL injection testing using several tools. By using these methods, you can complete your testing in less than 10 minutes and it is very useful method especially for penetration testers or security consultants who have to complete their penetration testing in certain period of time. You can finish your penetration testing and get the better results using the simple methods.

You can download my article from The Exploit Database:

Friday, May 14, 2010

Xplico 0.5.7: VoIP tapping and phone numbers

The goal of Xplico is extract from an internet traffic capture the applications data contained. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), and so on. 

This release introduces improvements in the SIP and RTP dissectors. In this version was also added the RTCP dissector, with this dissector Xplico is able to obtain the phone numbers of the caller and called party (obviously only if present in the RTCP packets). DEFT 5.1 Live distribution contains this version.
You can download source code and Ubuntu 10.04 package here.

More about Xplico:

Suricata – Open Source Next Generation Intrusion Detection and Prevention Engine

The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field.

Basically it’s a is a multi-threaded intrusion detection/prevention engine engine available from the Open Information Security Foundation. OISF is part of and funded by the Department of Homeland Security’s Directorate for Science and Technology HOST program (Homeland Open Security Technology), by the the Navy’s Space and Naval Warfare Systems Command (SPAWAR), as well as through the very generous support of the members of the OISF Consortium. More information about the Consortium is available, as well as a list of our current Consortium Members.The Suricata Engine and the HTP Library are available to use under the GPLv2.

The HTP Library is an HTTP normalizer and parser written by Ivan Ristic of Mod Security fame for the OISF. This integrates and provides very advanced processing of HTTP streams for Suricata. The HTP library is required by the engine, but may also be used independently in a range of applications and tools.
You can download Suricata v0.9 here:

For more details, please refer here:

Thieves Flood Victim’s Phone With Calls to Loot Bank Accounts

Bank thieves have rolled out a new weapon in their arsenal of tactics — telephony denial-of-service attacks that flood a victim’s phone with diversionary calls while the thieves drain the victim’s account of money.
A Florida dentist lost $400,000 from his retirement account last year in this manner, and the FBI said the attacks are growing.
A spokeswoman for the Communication Fraud Control Association — a telecom industry organization — told Threat Level that although fraudulent transfers have been halted in a number of cases, the losses are increasing.
“I know it’s in the millions,” said Roberta Aranoff, executive director of the CFCA. “It has exceeded a million dollars easily.”
Last November, Robert Thousand Jr., a semi-retired dentist in Florida, received a flood of calls to several phones. When he answered them, he heard a 30-second recording for a sex hotline, according to the St. Augustine Record.
In December, he discovered that $399,000 had been drained from his Ameritrade retirement account shortly after he’d received the calls. About $18,000 was transferred from his account on Nov. 23, with a $82,000-transfer following two days later. Five days after that, another $99,000 was drained, followed by two transfers of $100,000 each on Dec. 2 and 4. The thieves withdrew the money in New York.
Thousand’s son, who shares his name, received similar harassing calls, though his financial accounts were not touched.  Thousand did not respond to a request from Threat Level for comment.
The FBI says the calls were a diversionary tactic, meant to tie up Thousand’s line so that Ameritrade couldn’t reach him to authenticate the money transfer requests. FBI spokesman Bryan Travers said AT&T, Thousand’s phone carrier, contacted the agency’s New Jersey office to help investigate the matter. The agency has since seen at least 16 similar cases since November, most of them occurring in the last few weeks.
In some cases, the victims simply heard dead air when they answered their phone or heard a brief advertisement or other recorded message. Some victims had to change their phone numbers to halt the harassing calls.

The perpetrator who targeted Thousand created a number of VoIP accounts, which were used with automated dialing tools to flood the dentist’s home, business and cellphone with calls.
Generally in these cases, Travers said, the thief obtains the victim’s account information through some other means — perhaps through a phishing attack or other method — and then contacts the financial institution to change the victim’s contact information. In this way, the institution will call the thief instead of the victim to verify a money transfer request.
Many banks, however, now contact customers at their previous phone number when contact information on their account has changed.
But with these attacks, the institution’s calls are prevented from reaching the victim, whose phone is tied up with a flood of diversionary calls.
AT&T spokesman Marty Richter told Threat Level that the perpetrators then generally contact the financial institution posing as the victim to complain that a requested money transfer hasn’t gone through. When the institution discloses that it tried unsuccessfully to contact the victim to authenticate the transfer, the perpetrator says he’s been having phone troubles and verifies that the transfer should proceed.
Richter says that other telecommunication companies have been alerted to the problem and are warning customers when they call to complain about harassing calls that the issue may be related to their financial accounts. The victims are warned to place fraud alerts on their financial and credit bureau accounts and block any electronic fraudulent money transfers that may be in the works.
“This may appear to some people that they’re just having a connect issue with their phone carrier,” he said, “and we want to alert them that this may not be the case.”
Travers said that in most cases so far, the victims have acted quickly enough to prevent money from being drained from their accounts, but he says there may be many other cases that haven’t yet been reported to the FBI. He urged consumers who may have been victims to contact the FBI.

Facebook Rolls Out New Login Security Features

Facebook is now one of the most popular targets for phishers, hackers and scammers. According to the Associated Press, however, Facebook is in the process of rolling out some new security features that will protect its users from malicious attacks, spam and phishing scams. For a while now, Facebook already offered users the ability to be notified when an account was accessed from a computer or device they hadn't used before. Now, Facebook will also alert users of unusual activity on their accounts and allow users to register their devices with Facebook.

Update: Facebook just confirmed these new security updates on its blog. We have updated this post with more information.
Suspicious Logins

If somebody tries to access your account from the other side of the world, for example, Facebook will now notify you that something is amiss with your account and add an additional layer of authorization to the log-in process. According to Facebook, these additional verification methods could include asking for a your birth date (you did enter your real birth date on Facebook, didn't you?) or asking you to identify a friend in a picture and answering a standard security questions if you previously provided one.

To read more details, please refer here: