Utilities of an Ethical hacking Course



Computer hacking involves various nuances. What prompts a hacker is an intent, benign or malicious, to hack a particular application. “Ethical hacking”, a term coined by the cyber industry, describes the actions of hacking that are purely ethical means a hacker exploits a network with the permission of its owner. This distinction keeps Ethical hackers aka white hat hackers separated from black-hatted bad guys.
 Why Use Ethical Hacking?
What can you expect to get when you pay to someone to hack into your application or website? Expose of security vulnerabilities! Being a part of the cyber world, you need to think like a criminal to prevent attacks. Ethical hackers use the same methods as their counterparts to test a security system, but they do it to report problems. The Federal government practices ethical hacking since the 1970s, and most companies employ white hat teams within their information security practice to attain the highest level of security. Other slang terms for ethical hackers are “sneakers,” “red teams”, and “tiger teams”. A variety of certification authorities train and certify your skills in implementing cybersecurity practices in an organization successfully.

Today, application security revolves around penetration testing. Companies perform “Pen tests” by artificially developing the scenarios of hacking and try to mimic what a bad hacker could achieve in reality. For manual application testing, cyber experts attempt to exploit the app and report the findings. From simple information-gathering exercises to outright attacks, different tests are performed which would cause damage if happened actually. Moreover, social engineering techniques have become an integral part of core ethical hacking, for example, tricking emailing staff for revealing passwords and other account details.
Free and Open Source Ethical Hacking Tools to Use:
A wide pool of ethical hacking tools is available to choose from according to challenges and requirements you have for cybersecurity. The tools mentioned below offer just a slice of the available offerings, but they are reliable and come for free. 
Armitage
Being one of the most preferred penetration testing frameworks for networks and IT infrastructure, Armitage is designed for more user-friendly front-end version for the Metasploit framework.
 NMap
Nmap or you can say Network Mapper is an open-sourced utility which works a security auditing tool. By finding a network services out, it hosts to develop a network map, which it further analyzes.
This tool is even featured as the go-to hacking tool in many movies and TV shows.
 WireShark
Its offerings include network protocol capture and real-time analysis which make it a standard tool amongst others. Using this tool gives you a wider look into network traffic and zoom in on individual packets while providing naives a detailed intro to TCP/IP.
 Faraday
This tool has transformed the way to perform pentesting. It has scored 6th rank on the top security tools list by ToolsWatch.org.  It plays a major role in analysis, indexation, and distribution of the data.
 International standards followed by ethical hackers
Being an ethical hacker, you are expected to follow industry trends to carry out penetration testing. An important trend is Payment Card Industry Data Security Standard. With a global set of recognised policies and procedures, this trend enhances the securities of credit, debit in addition to cash card transactions, and safeguards cardholders personal information.
Apart from having large teams of employees as ethical hackers, organizations own ethical hacking labs like Trustwave Holdings Inc., heading towards comprehensive cybersecurity which includes the tracking of vulnerabilities in ATMs, POS devices along with surveillance systems.
Hacking is a passion, but it must be ethical in all aspects. It’s a good career option, but only if you have good  knowledge of advanced tools and techniques. Proceeding with an ethical hacking course will make you think of, work for, and make decisions for like a professional hacker.

Popular restaurant search company Zomato Hacked, 17 Million Accounts Sold on Dark Web



From the last few years, dark web is getting popular for selling illegal stuff like  drugs, weapons, databases, fake documents etc. Recently, HackRead found out a vendor going by the online handle of “nclay” is claiming to have hacked Zomato and selling the data of its 17 million registered users on a popular Dark Web marketplace.



The database includes emails and password hashes of registered Zomato users while the price set for the whole package is USD 1,001.43 (BTC 0.5587). The vendor also shared a trove of sample data to prove that the data is legit. Here’s a screenshot of the sample data publicly shared by “nclay.”

Folks at Hackread tested the sample data on Zomato's login page and found that each and every account mentioned in the list exists on Zomato.




“The data was stolen this month and this year, May 2017,” hacker told HackRead.

Zomato do have a HackerOne page where hackers can report flaws but hackers who report vulnerabilities only receive Hall of Fame recognition or a certificate of acknowledgment. Personally speaking, I don't have a good experience reporting flaws in Zomato. I reported them a flaw last year and now its been more than 1 year but they did not reply me about it.


What can you do if you have an account in Zomato


  • If you have an account in zomato then you should change your password.
  • Also Do not use same password for online accounts, else if one of the account gets compromised hackers can get into other accounts as well.
  • Use a password manager

Hackers Can Figure Out Your Phone's Password by the Way You Tilt the Device



We often hear news about hackers bypassing phone locks, guessing passwords etc but can you imagine that hackers can now figure out your phone's password by the way you tilt the device with an accuracy of 70% in first attempt. Shocked right ?

According to a team of cyber researchers from the British Newcastle University, it's quite easy to steal a four-digit PIN by analyzing the way you tilt your phone and the way it moves as you type.

As they were testing things out to prove this theory, they were able to crack four-digit PINs on the first guess 70% of the time. Even better, or worse, depending how you look at it, 100% of all PINs were guessed by the fifth attempt.

"Most smart phones, tablets, and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera and microphone to instruments such as the gyroscope, proximity, NFC, and rotation sensors and accelerometer. But because mobile apps and websites don't need to ask permission to access most of them, malicious programs can covertly 'listen in' on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords," explains Dr. Maryam Mehrnezhad, the lead author of the paper.



More worryingly on some browsers it is found that if you open a page on your phone or tablet which hosts one of these malicious codes and then open, for example, your online banking account without closing the previous tab, then they can spy on every personal detail you enter.

The vulnerabilities have been shared with tech companies and browser makers. Apple and Firefox have already issued patches for this issue, while Google is looking for a fix.

My Experience at Nullcon 2017


NULLCON is one of the best information security conference in India and every year everyone from the InfoSec community attends it. I have a great interest in Security and hacking ( If you follow my blog you will probably know it already ) and yes I too look forward to the conference. Every year most of my friends who are into security attend NULLCON. I failed to go last year due to my Exams and last to last year i had my class 12 boards exam.

This time I wanted to attend it . But then the task is not so easy. I visited NULLCON's website to buy a pass but the cost was too much ( at least for students ) And since I'm from Northeast India there is no direct flight to Goa ( NULLCON venue ) and if i take train then it would take almost 4 days to reach goa and my college won't allow to take leave for such a long duration. So the total cost of travel and event pass was way too much so i thought I'll have to drop this time too.

But then i got to know about Garage4Hackers community providing free passes to those who have contributed to open source community. I was not sure if i should try or not but then i thought lets give it a try. So i provided them some of my contributions in InfoSec and and work and to my surprise I got selected and got the Indian student delegate pass for nullcon and i decided that I'LL GO TO NULLCON THIS YEAR.

On 2nd march 2017 i started my journey from guwahati and reached goa via mumbai. YES FINALLY GOA. I was damn excited for the next day.

Next day I reached hotel Holiday Inn at around 9am . Kaza and his friends were waiting for me and then we entered together. WOW the place was simply awesome. We directly went to the exhibition area and visited various booths that were set up there. I finally met Rahul Sasi sir. He is a great guy. He was representing his company Cloud Sec. He gave me a hackers cheat sheet and we clicked photos. 

With Rahul Sasi



Finally met these awesome people

There were a lot of CTFs going on in the exhibition area and I took part in few. I won a power bank, Pen drive, Lots of t-shirts from these CTFs. It was a great experience. After that I met a lot of people whom i earlier met online.

Most of the talk in nullcon were great and was very informative. i attended few talk like

1. How to be successful in azure bug bounty by michael Hendrickx.
2. Drone Hijacking and other IoT hacking with GNU Radio and SDR by Arthur Garipov.
3. Hacking medical device and infrastructure by anirudh duggal.
4. 7 sins of ATM protection against logical attacks by timur yunusov.

I did not attend much talks as i was busy meeting new people, taking part in CTFs and eating. A lot of companies who are related to security came to nullcon and it was a great opportunity to know what is the latest things that are going on in security. Also I got internship offer from few of the companies that visited nullcon.

I know a lot of people online who are into security and nullcon was the best platform to meet them in person also I made lots of friends there. 

With Himanshu sharma
With the Nullcon Crew and Govt. Officials
Also I made a small video about the overall experience of Nullcon, goa and meeting friends. Do watch it.

Conclusion


It was a great experience. Many people say that we can watch the talk online too why to spend so much money going to conference? the thing is the experience that we get when we visit conferences like is something that cannot be get just by watching the talk videos. I would like to thank all the awesome people of Garage4Hackers for giving me the pass as without it I might have not been able to make it this year too. THANK YOU

Adult Friend Finder hack Exposes 4 million Users



Email addresses, sexual orientations, and other sensitive details from about 3.9 Million Adult Friend Finder online hookup service are currently available for sale for 70 Bitcoins (around $16,800/€15,300) on an underground website.

Popular Adult Friend Finder website, with a tagline "Hookup, Find Sex or Meet Someone Hot Now," has been breached in which nearly 4 Million users have had their personal details compromised.

The files contained 3.9 million email addresses and in some cases the partner preference, gender, birth date, state, post code, language preference and IP address of users.



ROR[RG], the nickname of the person who claims to have breached the large online hookup site, wrote on Saturday in an underground forum that “I have had so many people ask me to buy the db today.”

Seeking to capitalize on the momentum, ROR[RG]—who claims to live in Thailand—also offered to break into any company or website for 750 bitcoins, worth about $170,000.

It’s suspected that credit card data may have also been compromised but was removed from data that was released. In the post, ROR[RG] did not indicate if the unredacted version contains payment card information. In older posts, ROR[RG] didn’t answer people who had asked if that data was also available.


 Response from Adult Friend Finder:


The sex hookup website's owner FriendFinder Networks, wrote that the company has taken steps to protect its users by disabling the username search and masking usernames of the individuals believed to be affected.

Subscribers can still open their accounts by login with their credentials. Also, the company says, "there is no evidence that any financial information or passwords were compromised."

How google malaysia was hacked



The popular Google Malaysia was hacked today and visitors of the site were taken to a defaced landing page made by the hackers. In seems to be  a case of DNS hijacking where attackers redirected the users to their own page. Visitors to the Malaysian site see a message telling them that “Google Malaysia Hacked by Tiger-Mate #Bangladeshi Hacker”.

According to google no data has been compromised and all their services are up and still running. Since it is a dns hijacking issue here generally an attacker compromises the DNS registrar and change the server address which takes the users to a different website or page, hence all data are safe.

The problem appears to have arisen from the organisation that manages the technology that allows URLs to point towards websites, according to a Google statement given to Reuters. The search giant is working with that organisation, MYNIC, to resolve the problem.

MYNIC is run by the country’s ministry of communications and multimedia. It runs all websites that end with the .my suffix, including google.com.my.

DNS attacks are comon in big websites like google because it is relatively easy to hack into the DNS provider then to hack into the server of these organizations. In the past years too we have seen many cases of DNS attacks. On 24th November 2012 Google Pakistan was hacked by this technique and on 26th august 2013 Google Palestine was hacked by DNS hijacking technique.

The defaced page can be viewed on  Zone-H, an archive of defaced websites, According to Zone-H TiGER-M@TE also defaced yahoo.com.my, translate.google.com.my and youtube.my today, however this was not independently confirmed. 

Tumblr asks users to change passwords to protect against ‘Heartbleed’ Virus



Social network Tumblr has asked its users to change their passwords in the emergence of a recent virus called Heartbleed, that has been exposing world's major websites to theft by hackers.

Tumblr said in a statement that the little lock icon (HTTPS) trusted by all to keep their passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit.


This virus (Heartbleed), which represents one of the most serious global security flaws revealed in recent years, makes possible for hackers to retrieve code from websites that would give them access to other information, including user data and passwords.

Tumblr is trying hard to persuade users to take precautionary measures, the Website added that this might be a good day to call in sick and take some time to change passwords everywhere — especially high-security services like email, file storage, and banking, which may have been compromised by this virus.

While Tumblr claimed that it had taken measures to fix the security flaw, the company said that it had no proof to back its claim that its user data had been breached.

Dropbox website hack is hoax, hackers confirmed

Dropbox website hack is hoax, hackers confirmed


Today morning  Techcrunch published a news that hackers compromised the official website of dropbox. Following that many other news portal also reported the same . All started when Earlier today  a hacker using twitter handle 1775Sec claimed to have hacked DropBox website using a security vulnerability. The hacker claimed to have compromised database.

Installing DVWA on Backtrack



If you are visiting this site means you have an interest in hacking and security related things. Today in this post you will learn how to install Damn Vulnerable Web Application (DVWA) and build you own mini pen testing lab.

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. you can practice various attacks like SQL injection, XSS, CSRF, File upload etc using it. In this post i will show you how to setup DVWA in Backtrack the easy way and start learning various methods of web application attack without hacking into someone else's website.