Archive | September 12, 2014
Video

hacking 80211 basics

Benjamin Hussein Smith (thex1le) at Defcon Wireless Village 2014 talks about Hacking 802.11 Basics / for Beginners. Here is a list of terms uesd within the video: Wireless Term List.

Video

F*ck These Guys: Practical Counter Surveillance – Lisa Lorenzin

We’ve all seen the steady stream of revelations about the NSA’s unconstitutional, illegal mass surveillance. seems like there’s a new transgression revealed every week! I’m getting outrage fatigue. So i decided to fight back… by looking for practical, realistic, everyday actions i can take to protect my privacy and civil liberties on the internet, and sharing them with my friends.

Join me in using encryption and privacy technology to resist eavesdropping and tracking, and to start to opt out of the bulk data collection that the NSA has unilaterally decided to secretly impose upon the world. Let’s take back the internet, one encrypted bit at a time.

Bio:
Lisa Lorenzin is a network security geek; in her day job, she’s worked in a variety of internet-related roles since 1994, with the past 15 years focused on network and information security. she’s currently interested in free speech, privacy, digital rights, and global internet freedom.

Image

Every Airline Flight in the World Over 24H

 

via: http://counselingadvice.tumblr.com/

Google Dorking is a threat to Gov sensitive data according to a Feds memo

On July 7th, the FBI and the National Counterterrorism Center issued a memo to warn law enforcement and private security agencies about the practice of Google Dorking  and its capabilities.

The FBI warns the recipients of the memo on the possible use of Google Dorking to  “locate information that organizations may not have intended to be discoverable by the public or to find website vulnerabilities for use in subsequent cyber attacks.”

The Bureau is concerned about the possibility that information gathered with Google Dorking could be used to gather sensitive information to use in cyber attacks, a common practice in the hacking and the intelligence community.

“Malicious cyber actors are using advanced search techniques, referred to as ‘Google dorking,’ to locate information that organizations may not have intended to be discoverable by the public or to find website vulnerabilities for use in subsequent cyber attacks,”  “By searching for specific file types and keywords, malicious cyber actors can locate information such as usernames and passwords, e-mail lists, sensitive documents, bank account details, and website vulnerabilities.” states the memo.

The memo mentions the Advanced Operators for Web Search and their possible use to locate specific contents based on site, file type, URL and much more.

The FBI isn’t the unique agency interested to Google Dorking, in May 2013 it was revealed the existence of the book written by Robyn Winder and Charlie Speight for the NSA, titled Untangling the Web: A Guide to Internet Research, which also includes a specific session on the Google Hacking. NSA reserved an entire chapter to instruct its agents on how to conduct complex research thanks to queries composed with advanced operators.

The memo highlights an incident occurred in 2011 when a group of hackers discovered Social Security numbers of 43,000 people affiliated with Yale University using to Google Dorking.

Another similar incident mentioned in the memo occurred in October 2013, when nearly 35,000 websites compromised by hackers that used Google Dorking to locate vulnerable vBulletin installations.

The memo explains how it is possible to retrieve content and documents indexed in the government space, data that an attacker could use for various kinds of attacks like spear phishing.

Using the following query is possible to discover Government documents containing confidential data:

filetype:"xls | xlsx | doc | docx | ppt | pptx | pdf" site:gov "FOUO" | "NOFORN" | "Confidential"

there FOUO states for “For Official Use Only” and NOFORN states means “Not for release to foreign nationals“.

The memo also provides the following suggestions to prevent Google Dorking used to search sensitive information:

» (U//FOUO) Minimize putting sensitive information on the web. If you must put sensitive information on the web, ensure it is
password protected and encrypted.
» (U//FOUO) Use tools such as the Google Hacking Database, found at http://www.exploit-db.com/google-dorks, to run pre-made
dork queries to find discoverable proprietary information and website vulnerabilities.
» (U//FOUO) Ensure sensitive websites are not indexed in search engines. GoogleUSPER provides webmaster tools to remove entire
sites, individual URLs, cached copies, and directories from Google’s index. These can be found at:
https://www.google.com/webmasters/tools/ home?hl=en.
» (U//FOUO) Use the robots.txt file to prevent search engines from indexing individual sites, and place it in the top-level directory of
the web server.
» (U//FOUO) Test your website using a web vulnerability scanner.

 

via: http://securityaffairs.co/wordpress/27862/hacking/feds-memo-google-dorking.html

Leave a Comment