Monthly Archives: March 2017

How to protect your Apple iCloud account

Maybe the London-based hacker group — which goes by the name “Turkish Crime Family” — doesn’t have access to 250-million Apple iCloud account names and passwords. But they do have access to some indeterminate number of accounts, and that’s more than enough reason to exercise caution: Protect your iCloud password and data today or risk losing it tomorrow.


Back up vulnerable data

First, you need to back up your iCloud data. Yes, I know Apple’s idea was you could use iCloud to back up your Apple device data, and that’s fine, but it’s iCloud itself we’re worried about today.

For your iPhone, iPad, or iPod, the easiest way to do this is to back up your device’s files to your Mac or PC with an iTunes backup.

  • Plug your device into your Mac or PC with iTunes on.
  • In iTunes’ top left-hand corner, under the play controls, there’s a tiny phone icon. Click here and it will take you to your device’s menu.
  • Click on Summary in the left-hand column.
  • You will be presented with three boxes. Choose Select Backups.
  • Choose to automatically or manually back up your device. If you choose automatic, every time you plug your gadget in, iTunes will start to back it up.
iPhone Backup

Backing up your Apple device locally, and not just to iCloud, is a good idea.

The only problem here is that iTunes doesn’t back everything up. For example, it won’t back up your Apple Pay information and settings, photos already on iCloud, or purchased iTunes and App Store content.

So, to be safe, you really must change and secure your password.

Change your passwords

Apple could help here — and not just by paying off the Turkish Crime Family. Other major sites — like Amazon, Netflix, and LinkedIn — buy cracked password lists, and use one-way hashing matches to check for existing passwords. They then reset vulnerable passwords and ask users to switch passwords. Apple hasn’t done that, but it should consider doing it, given just how large the threat appears to be.

Since Apple isn’t doing this, it’s up to you.


One thing that has always annoyed me is that Apple talks as if your Apple ID and iCloud ID are different. They’re not. They’re the same, and they use the same password.

To change your Apple ID password, sign in to your Apple ID account page with any web browser and follow the instructions to reset your password. I changed mine using Google Chrome from a Mint Linux system.

Your new Apple ID password must contain at least eight characters, a number, an uppercase letter, and a lowercase letter. You also can’t use spaces, the same character three times in a row, your Apple ID, or a password you’ve used in the last year.

Whatever you do, do NOT use dumb passwords such as “abcdefgh,” “qwerty,” or “password.” The easiest way to create a secure password that won’t try your memory is to use passphrases instead of passwords.

Instead of working your nerves into a frenzy trying to memorize what the cat wrote when he jumped on the keyboard (e.g. “sdf9usdf”), use an easy-to-remember but nonsensical phrase instead. For example, “Plump/Trotting Pups:” or “UNC?Win!Duke?Lose!” or “AC!DC!Tesla!Edison?” These are easy to recall and hard for crackers to break.
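A local checker for the password rules listed above, added here as an example (not Apple’s code; Apple also rejects passwords used in the last year, which only Apple can check). Note that the passphrase examples above contain no digit, so as written they fail the “must contain a number” rule:

```python
import re

def check_apple_id_password(password, apple_id):
    """Return the list of stated rules the candidate password violates.

    Rules covered: at least eight characters, a number, an uppercase and a
    lowercase letter, no spaces, no character three times in a row, and
    the Apple ID must not appear in the password.
    """
    violations = []
    if len(password) < 8:
        violations.append("shorter than eight characters")
    if not re.search(r"[0-9]", password):
        violations.append("no number")
    if not re.search(r"[A-Z]", password):
        violations.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        violations.append("no lowercase letter")
    if " " in password:
        violations.append("contains a space")
    # Any character repeated three (or more) times in a row, e.g. "aaa" or "!!!".
    if re.search(r"(.)\1\1", password):
        violations.append("same character three times in a row")
    # The Apple ID is an e-mail address, so compare case-insensitively.
    if apple_id and apple_id.lower() in password.lower():
        violations.append("contains the Apple ID")
    return violations

def is_acceptable(password, apple_id):
    """True when no stated rule is violated."""
    return not check_apple_id_password(password, apple_id)
```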

Once you’ve changed your password, you’ll need to change it on all your Apple devices.

Then, you’re going to want to add another layer of protection: Two-factor authentication (2FA).

2FA

Apple’s 2FA is clunky, but it still does a great job of protecting your account.

Apple 2FA

For additional protection, turn on Apple’s two-factor authentication.

When you activate 2FA, you can access your account only from trusted devices such as your iPhone, iPad, or Mac. When you want to sign in to a new device for the first time, you’ll need to provide two pieces of information. These are your Apple ID password and the six-digit verification code that’s automatically displayed on your trusted devices.

To use Apple 2FA, you’ll also need a trusted phone number so you can receive verification codes. To add a trusted phone number, take the following steps:

  1. Go to your Apple ID account page
  2. Sign in with your Apple ID
  3. Go to the Security section and click Edit
  4. Click Add a Trusted Phone Number and enter the phone number

Now, you’re ready for 2FA. For a trusted device, you need an iPhone, iPad, or iPod touch with iOS 9 or later, or a Mac running OS X El Capitan or later that you’ve already signed into with 2FA.

To turn on Apple 2FA, take the following steps.

On your iPhone, iPad, or iPod touch with iOS 9 or later:

  1. Go to Settings > iCloud > tap your Apple ID
  2. Tap Password & Security
  3. Tap Turn on Two-Factor Authentication

On your Mac with OS X El Capitan or later:

  1. Go to Apple menu > System Preferences > iCloud > Account Details
  2. Click Security
  3. Click Turn on Two-Factor Authentication

Yes, this can be a lot of work. On the other hand, how much work would it take you to replace your important photos, music, books, or documents if your Apple iCloud account goes up in smoke? Take the time, do it now. You’ll be glad you did.

NetCraft Tool – Way Of Examining a Site – Before Attacking Website

Learn more about your target by finding out what they are running, additional IP information, server data, and DNS information.

1. In your web browser, open the website www.netcraft.com.

2. In the box labeled What’s That Site Running? enter the name of a website.

3. On the results page, note the list of sites that appear. The results may include a list of subdomains for the domain you entered. Not every site will have subdomains, so if you don’t see any don’t be alarmed. In some cases if there is only a single result for a domain name, you may in fact go directly to a page with details about the domain.

4. On the results page, click the Site Report icon next to a domain name to go to the Site Report page for that domain.

5. On the Site Report page, note the information provided. This includes data such as email addresses, physical addresses, OS and web server information, and IP information.


Using Whois From Command Prompt In Windows

Here we will see how to use whois from the command prompt in Windows.

Step 1: Download whois from here

Alternate link: https://technet.microsoft.com/en-us/sysinternals/whois.aspx

Step 2: Go to the path where you extracted the whois zip. In our case it is C:\tools\WhoIs

Step 3: Enter whois followed by the IP address or website name

Example: “Whois yahoo.com” and press Enter


Using Google Hacking To Access Public Webcams

Use Google For Footprinting

This exercise shows how to use Google hacking to uncover information about a target. You can use any browser; just go to www.google.com.

1. In the search box enter the phrase Site:www.websitename.com FindingQuery. This will search the website and return any references that include FindingQuery.

2. In the search box enter the phrase Allinurl: network camera. This will return a list of web-enabled cameras that are attached to the Internet.

3. In the search box enter the phrase Link: itpro.tv. This will return a list of websites that link to the website itpro.tv.

How to lock up your digital life

Taking individual responsibility for your own privacy and safety in a world full of data breaches, vulnerabilities, and hacking is becoming paramount.

Hardly a week goes by when you don’t hear of yet another company admitting to a data breach, and the consequences of being compromised can be extreme. In 2016, organizations from Linux Mint to Swift, and from the Trump Towers to whole strings of hotel chains, lost customer account information, which paved the way for potential identity theft and fraudulent transactions.


As we rely on different online services to do everything from checking our bank statements to purchasing our groceries, it can sometimes be difficult to keep on top of the security of our accounts. But now we have to consider our digital assets, accounts, and services as important to protect as our physical bank cards and IDs.

However, you don’t need to spend hours upon hours to improve your personal security practices on the Internet and tighten up controls for both your accounts and information as a whole — if you know where to begin.

To get started, follow the steps below, which should take you little more than an hour or so — a worthwhile investment when you consider how much frustration can be caused by compromised accounts, fraudulent transactions, and identity theft.

A database of 1.4 billion Leaked From Biggest Spam Network

A database of 1.4 billion email addresses combined with real names, IP addresses, and often physical addresses has been exposed in what appears to be one of the largest data breaches of this year.

What’s worrisome? There are high chances that you, or at least someone you know, is affected by this latest data breach.

The database contains sensitive information about the company’s operations, including nearly 1.4 billion user records, which were left completely exposed to anyone, even without a username or password.

According to MacKeeper security researcher Vickery, RCM, which claims to be a legitimate marketing firm, is responsible for sending around a billion unwanted messages per day.

Besides exposing more than a billion email addresses, real names, IP addresses and, in some cases, physical addresses, the leak exposed many documents that revealed the inner workings of RCM’s spam operation.

“The situation presents a tangible threat to online privacy and security as it involves a database of 1.4bn email accounts combined with real names, user IP addresses, and often physical address,” Vickery said. “Chances are that you, or at least someone you know, is affected.”

Vickery wasn’t able to fully verify the leak but said he discovered addresses he knew were accurate in the database.

Illegal Hacking Techniques Used by RCM

The company employed many illegal hacking techniques to target as many users as possible. One of the primary methods described by the researchers is the Slowloris attack, a technique originally designed to cripple a web server rather than to abuse it in this way.

“[Slowloris is] a technique in which the spammer seeks to open as many connections as possible between themselves and a Gmail server,” Vickery writes in a blog post published today.

“This is done by purposefully configuring your own machine to send response packets extremely slowly, and in a fragmented manner, while constantly requesting more connections.”
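The behaviour quoted above (many connections per client, each trickling request data to stay open) leaves a recognisable footprint in a server’s open-connection table. The following detection routine, added here as an example and not part of the original article or the researchers’ work, flags clients holding many old, byte-starved connections whose HTTP headers never complete; the connection table is constructed sample data:

```python
from collections import defaultdict

# Constructed sample of a server's open-connection table: one entry per open
# TCP connection (client IP, seconds open, request bytes received so far,
# whether the HTTP request headers have been fully received).
SAMPLE_CONNECTIONS = [
    ("198.51.100.7",  2.0, 512, True),    # normal client, headers done quickly
    ("198.51.100.7",  1.5, 480, True),
    ("203.0.113.44", 95.0,  41, False),   # five stalled, half-sent requests
    ("203.0.113.44", 92.0,  39, False),
    ("203.0.113.44", 88.0,  44, False),
    ("203.0.113.44", 81.0,  37, False),
    ("203.0.113.44", 77.0,  40, False),
    ("192.0.2.9",    40.0,  30, False),   # a single slow link is not an attack
]

def find_slow_connection_abusers(connections, min_age_s=30.0,
                                 max_bytes=200, min_count=5):
    """Return {client_ip: stalled_count} for clients that hold at least
    min_count connections which are older than min_age_s, have sent fewer
    than max_bytes and still lack complete headers: the pattern of a client
    deliberately sending slowly to keep connections pinned open."""
    stalled = defaultdict(int)
    for ip, age_s, bytes_in, headers_done in connections:
        if not headers_done and age_s >= min_age_s and bytes_in < max_bytes:
            stalled[ip] += 1
    return {ip: n for ip, n in stalled.items() if n >= min_count}
```

The thresholds are illustrative; in practice the same signal is what a per-client connection cap and a short header-read timeout on the server act on.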

The researchers have reported that details of RCM’s operations and its abusive scripts and techniques have been sent to Microsoft, Apple, Salted Hash, Spamhaus, and other affected parties.

Meanwhile, the researchers have also notified law enforcement agencies, which they say have expressed keen interest in the matter.

FCC blocks rules that stop internet providers from secretly selling your data

Federal officials have moved to block rules set out by the Obama administration requiring internet providers to protect customer data — a day before they were expected to come into effect.

The rules would have prevented internet providers, such as AT&T, Comcast, and Verizon, from selling customer data without their consent.

Advertisers are increasingly pushing to gather more information on consumers, such as gender and race, as well as browsing history and the websites they visit, to better target advertising.

The rules, set out in October 2016, would impose stronger restrictions on internet providers who wish to provide customer information and data to advertisers. The rules also carve out data security requirements and compel internet providers to inform customers of data breaches. The rules say that customers have to explicitly opt-in to allow sharing of web browsing data, geolocation data, and health and financial information.

But FCC chairman, Ajit Pai, a Republican who previously served as a top Verizon lawyer, moved to prevent those rules from coming into effect.

In a brief statement last month, Pai said that one of the previous administration’s privacy rules “is not consistent” with the Federal Trade Commission’s privacy standards.

His argument was that the rules gave websites the ability to collect more customer data than internet providers, giving websites the edge in advertising.

Last year, when he voted against the rules under former Obama-appointed FCC chairman Tom Wheeler, Pai said in his dissenting opinion that consumers “should not have to be network engineers to understand who is collecting their data and they should not have to be lawyers to determine if their information is protected.”

Pai got his way when the FCC voted on Friday in favor of staying the rules.

The FCC said that the decision “will maintain a status quo that has been in place for nearly two years with respect to ISPs and nearly a decade with respect to other telecommunications carriers.”

While consumer advocates were in favor of the rules, internet providers and telcos pushed back.

Automatic SQL injection and database takeover tool

Automatic SQL injection and database takeover tool http://sqlmap.org


Installation

You can download the latest tarball by clicking here or latest zipball by clicking here.

Preferably, you can download sqlmap by cloning the Git repository:

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

sqlmap works out of the box with Python version 2.6.x and 2.7.x on any platform.

Usage

To get a list of basic options and switches use:

python sqlmap.py -h

To get a list of all options and switches use:

python sqlmap.py -hh

You can find a sample run here. To get an overview of sqlmap capabilities, list of supported features and description of all options and switches, along with examples, you are advised to consult the user’s manual.