Use third party DNS servers instead of BSNL DNS servers or run your own one like djbdns. The easiest options is to use OpenDNS. Just reconfigure your network to use the following DNS servers:
208.67.222.222
208.67.220.220
Detailed instructions specific to operating system or your BSNL modem are available in the OpenDNS website itself. After I reconfigured my BSNL modem to use the above 2 IP addresses, my DNS problems just vanished! Other ‘freebies’ that come with OpenDNS are phishing filters and automatic URL correction. Even if your service provider’s DNS servers are working fine, you can still use OpenDNS just for these two special features.After you hack BSNL DNS servers, you will see improvement in your broadband speed.
Friday, November 5, 2010
DISK WIPING
The secure way of erasing the hard disk is called Disk Wiping.Disk wiping is a secure method of ensuring that data, including company and individually licensed software on your computer and storage devices is irrecoverably deleted before recycling or donating the equipment. Because previously stored data can be brought back with the right software and applications, the disk wiping process will actually overwrite your entire hard drive with data, several times. Once you format you’ll find it all but impossible to retrieve the data which was on the drive before the overwrite. The more times the disk is overwritten and formatted the more secure the disk wipe is.
There are a variety of disk wiping products available that you can purchase, or freely downloaded online to perform more secure disk wipes.One of my favorite disk wiping software is
WipeDrive
You have to use this tool by burning the iso image file onto a CD or by using a floppy disk.After burning this tool you have to boot your PC and follow the screen instructions to completely erase the hard disk.
There are a variety of disk wiping products available that you can purchase, or freely downloaded online to perform more secure disk wipes.One of my favorite disk wiping software is
WipeDrive
You have to use this tool by burning the iso image file onto a CD or by using a floppy disk.After burning this tool you have to boot your PC and follow the screen instructions to completely erase the hard disk.
Change your i/p in Windows.
This article will help you to change your IP address within a minute. Just follow the following step and you will be thru.
1. Click on "Start" in the bottom left hand corner of screen
2. Click on "Run"
3. Type in "command" and hit ok
You should now be at an MSDOS prompt screen.
4. Type "ipconfig /release" just like that, and hit "enter"
5. Type "exit" and leave the prompt
6. Right-click on "Network Places" or "My Network Places" on your desktop.
7. Click on "properties"
You should now be on a screen with something titled "Local Area Connection", or something close to that, and, if you have a network hooked up, all of your other networks.
8. Right click on "Local Area Connection" and click "properties"
9. Double-click on the "Internet Protocol (TCP/IP)" from the list under the "General" tab
10. Click on "Use the following IP address" under the "General" tab
11. Create an IP address (It doesn't matter what it is. I just type 1 and 2 until i fill the area up).
12. Press "Tab" and it should automatically fill in the "Subnet Mask" section with default numbers.
13. Hit the "Ok" button here
14. Hit the "Ok" button again
You should now be back to the "Local Area Connection" screen.
15. Right-click back on "Local Area Connection" and go to properties again.
16. Go back to the "TCP/IP" settings
17. This time, select "Obtain an IP address automatically"
tongue.gif 18. Hit "Ok"
19. Hit "Ok" again
20. You now have a new IP address
With a little practice, you can easily get this process down to 15 seconds.
This only changes your dynamic IP address, not your ISP/IP address. If you plan on hacking a website with this trick be extremely careful, because if they try a little, they can trace it back.
1. Click on "Start" in the bottom left hand corner of screen
2. Click on "Run"
3. Type in "command" and hit ok
You should now be at an MSDOS prompt screen.
4. Type "ipconfig /release" just like that, and hit "enter"
5. Type "exit" and leave the prompt
6. Right-click on "Network Places" or "My Network Places" on your desktop.
7. Click on "properties"
You should now be on a screen with something titled "Local Area Connection", or something close to that, and, if you have a network hooked up, all of your other networks.
8. Right click on "Local Area Connection" and click "properties"
9. Double-click on the "Internet Protocol (TCP/IP)" from the list under the "General" tab
10. Click on "Use the following IP address" under the "General" tab
11. Create an IP address (It doesn't matter what it is. I just type 1 and 2 until i fill the area up).
12. Press "Tab" and it should automatically fill in the "Subnet Mask" section with default numbers.
13. Hit the "Ok" button here
14. Hit the "Ok" button again
You should now be back to the "Local Area Connection" screen.
15. Right-click back on "Local Area Connection" and go to properties again.
16. Go back to the "TCP/IP" settings
17. This time, select "Obtain an IP address automatically"
tongue.gif 18. Hit "Ok"
19. Hit "Ok" again
20. You now have a new IP address
With a little practice, you can easily get this process down to 15 seconds.
This only changes your dynamic IP address, not your ISP/IP address. If you plan on hacking a website with this trick be extremely careful, because if they try a little, they can trace it back.
Error
SQL Server 2000
Syntax
@@ERRORReturn Types
integerRemarks
When Microsoft® SQL Server™ completes the execution of a Transact-SQL statement, @@ERROR is set to 0 if the statement executed successfully. If an error occurs, an error message is returned. @@ERROR returns the number of the error message until another Transact-SQL statement is executed. You can view the text associated with an @@ERROR error number in the sysmessages system table.Because @@ERROR is cleared and reset on each statement executed, check it immediately following the statement validated, or save it to a local variable that can be checked later.
Examples
A. Use @@ERROR to detect a specific error
This example uses @@ERROR to check for a check constraint violation (error #547) in an UPDATE statement.USE pubs
GO
UPDATE authors SET au_id = '172 32 1176'
WHERE au_id = "172-32-1176"
IF @@ERROR = 547
print "A check constraint violation occurred"B. Use @@ERROR to conditionally exit a procedure
The IF...ELSE statements in this example test @@ERROR after an INSERT statement in a stored procedure. The value of the @@ERROR variable determines the return code sent to the calling program, indicating success or failure of the procedure.USE pubs
GO
-- Create the procedure.
CREATE PROCEDURE add_author
@au_id varchar(11),@au_lname varchar(40),
@au_fname varchar(20),@phone char(12),
@address varchar(40) = NULL,@city varchar(20) = NULL,
@state char(2) = NULL,@zip char(5) = NULL,
@contract bit = NULL
AS
-- Execute the INSERT statement.
INSERT INTO authors
(au_id, au_lname, au_fname, phone, address,
city, state, zip, contract) values
(@au_id,@au_lname,@au_fname,@phone,@address,
@city,@state,@zip,@contract)
-- Test the error value.
IF @@ERROR <> 0
BEGIN
-- Return 99 to the calling program to indicate failure.
PRINT "An error occurred loading the new author information"
RETURN(99)
END
ELSE
BEGIN
-- Return 0 to the calling program to indicate success.
PRINT "The new author information has been loaded"
RETURN(0)
END
GOC. Use @@ERROR to check the success of several statements
This example depends on the successful operation of the INSERT and DELETE statements. Local variables are set to the value of @@ERROR after both statements and are used in a shared error-handling routine for the operation.USE pubs
GO
DECLARE @del_error int, @ins_error int
-- Start a transaction.
BEGIN TRAN
-- Execute the DELETE statement.
DELETE authors
WHERE au_id = '409-56-7088'
-- Set a variable to the error value for
-- the DELETE statement.
SELECT @del_error = @@ERROR
-- Execute the INSERT statement.
INSERT authors
VALUES('409-56-7008', 'Bennet', 'Abraham', '415 658-9932',
'6223 Bateman St.', 'Berkeley', 'CA', '94705', 1)
-- Set a variable to the error value for
-- the INSERT statement.
SELECT @ins_error = @@ERROR
-- Test the error values.
IF @del_error = 0 AND @ins_error = 0
BEGIN
-- Success. Commit the transaction.
PRINT "The author information has been replaced"
COMMIT TRAN
END
ELSE
BEGIN
-- An error occurred. Indicate which operation(s) failed
-- and roll back the transaction.
IF @del_error <> 0
PRINT "An error occurred during execution of the DELETE
statement."
IF @ins_error <> 0
PRINT "An error occurred during execution of the INSERT
statement."
ROLLBACK TRAN
END
GOD. Use @@ERROR with @@ROWCOUNT
This example uses @@ERROR with @@ROWCOUNT to validate the operation of an UPDATE statement. The value of @@ERROR is checked for any indication of an error, and @@ROWCOUNT is used to ensure that the update was successfully applied to a row in the table.USE pubs
GO
CREATE PROCEDURE change_publisher
@title_id tid,
@new_pub_id char(4)
AS
-- Declare variables used in error checking.
DECLARE @error_var int, @rowcount_var int
-- Execute the UPDATE statement.
UPDATE titles SET pub_id = @new_pub_id
WHERE title_id = @title_id
-- Save the @@ERROR and @@ROWCOUNT values in local
-- variables before they are cleared.
SELECT @error_var = @@ERROR, @rowcount_var = @@ROWCOUNT
-- Check for errors. If an invalid @new_pub_id was specified
-- the UPDATE statement returns a foreign-key violation error #547.
IF @error_var <> 0
BEGIN
IF @error_var = 547
BEGIN
PRINT "ERROR: Invalid ID specified for new publisher"
RETURN(1)
END
ELSE
BEGIN
PRINT "ERROR: Unhandled error occurred"
RETURN(2)
END
END
-- Check the rowcount. @rowcount_var is set to 0
-- if an invalid @title_id was specified.
IF @rowcount_var = 0
BEGIN
PRINT "Warning: The title_id specified is not valid"
RETURN(1)
END
ELSE
BEGIN
PRINT "The book has been updated with the new publisher"
RETURN(0)
END
GOThursday, November 4, 2010
Microsoft issues advisory on Internet Explorer drive-by attack
"The exploit code was discovered on a single website that is no longer hosting the malicious code," said Jerry Bryant, group manager of response communications in the Microsoft Trustworthy Computing Group.
In a blog entry, Bryant said engineers were working on an automated "fix-it" repair until a permanent patch could be released. Currently, the issue "does not meet the criteria for an out-of-band release," Bryant said.
Drive-by attacks have become an increasingly common method of attack. Users are often lured to visit a malicious website in an email message, an instant message or through poisoned search engine results. Often times legitimate websites are compromised to host attack code. Blogs, social networks and Web forums can also be used to host drive-by attacks.
The Microsoft Security Advisory outlined a number of workarounds to mitigate the threat posed by the vulnerability, which include reading email messages in plain text, applying a customer cascading style sheet as an override when reading html data, enabling data execution prevention (DEP) in IE 7 and deploying the Enhanced Mitigation Experience Toolkit. (EMET).
Microsoft said the vulnerability could be targeted by attackers using drive-by attack websites or by compromising websites that accept or host user-provided content, such as blogs and social networks. In addition, website display advertisements can be compromised to trigger an exploit that targets the flaw.
"In all cases, however, an attacker would have no way to force users to visit these websites," Microsoft said. "Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or in an instant messenger message that takes users to the attacker's website."
A successful attack could give cybercriminals complete control of a victim's machine and the ability to download additional malware or attempt to gain access to the network.
 |
GOOGLE EXTENDS BOUNTY PROGRAM FOR WEB APPLICATION BUGS
The move is an expansion of Google's current bounty program, which was launched in February to reward security researchers who reported Chrome browser flaws. Google said it would reward as much as $3,133.70 for significant flaw finds. The number pays homage to "eleet," sometimes identified as 31337, an alternative alphabet used by coders on the Internet.
"Any Google Web properties that display or manage highly sensitive authenticated user data or accounts may be in scope," Google said in an announcement on its security blog. "For now, Google's client applications (e.g. Android, Picasa, Google Desktop, etc.) are not in scope. We may expand the program in the future."
Google said it is difficult to provide a definitive list of vulnerabilities eligible for a reward, but added a number of categories that would be rewarded, including cross-site scripting errors, cross-site request forgery flaws and authorization bypass bugs. To be eligible for a reward, researchers must privately report the bugs using Google's security contact list.
Google says:-
"It's our job to fix serious bugs within a reasonable time frame, and we in turn request advance, private notice of any issues that are uncovered," Google said. "Vulnerabilities that are disclosed to any party other than Google, except for the purposes of resolving the vulnerability (for example, an issue affecting multiple vendors), will usually not qualify. This includes both full public disclosure and limited private release."
The base reward for qualifying bugs is $500. At each bug hunter's discretion, Google will publicly credity the finds if the flaws are deemed legitimate. Google said each submission will be evaluated by a security expert panel, which "may also decide a single report actually constitutes multiple bugs requiring reward, or that multiple reports constitute only a single reward." In addition, bug hunters can donate rewards to charity, through Google.
Google said it chose to extend the bounty program for Web application bugs because it received a sustained increase in the number of high-quality reports from researchers on bugs found in the Chromium browser, the open source browser on which Google Chrome is based. Those bugs can be reported using the Chromium bug tracker system and include flaws discovered using plug-ins shipped with the Chrome browser by default.
Some other software makers offer similar programs. Mozilla announced its Security Bug Bounty Program in 2004, funded by Linux distributor Linspire (now owned by Xandros Inc.) and Mark Shuttleworth, the founder of the Ubuntu Project. Under Mozilla's program, reporters of valid, critical security bugs nowreceive a $3,000 cash reward and a Mozilla T-shirt. The maximum cash reward was increased from $500 in July.
By contrast, Microsoft refuses to reward bug hunters with cash prizes. In an announcement in July regarding responsible disclosure, Dave Forstrom, director of Microsoft's Trustworthy Computing Program, said such programs run counter to Microsoft's vulnerability research efforts and ultimately don't help the customer.
"We don't think it's in the customer's best interest to offer a per-vulnerability bounty," Forstom said in an earlier interview. "There are a number of ways that we work with the researcher community that we think best serves the community: everything from acknowledging our work together, to all of the sponsorships of conferences that we do further develops the community."
"Any Google Web properties that display or manage highly sensitive authenticated user data or accounts may be in scope," Google said in an announcement on its security blog. "For now, Google's client applications (e.g. Android, Picasa, Google Desktop, etc.) are not in scope. We may expand the program in the future."
Google said it is difficult to provide a definitive list of vulnerabilities eligible for a reward, but added a number of categories that would be rewarded, including cross-site scripting errors, cross-site request forgery flaws and authorization bypass bugs. To be eligible for a reward, researchers must privately report the bugs using Google's security contact list.
Google says:-
"It's our job to fix serious bugs within a reasonable time frame, and we in turn request advance, private notice of any issues that are uncovered," Google said. "Vulnerabilities that are disclosed to any party other than Google, except for the purposes of resolving the vulnerability (for example, an issue affecting multiple vendors), will usually not qualify. This includes both full public disclosure and limited private release."
The base reward for qualifying bugs is $500. At each bug hunter's discretion, Google will publicly credity the finds if the flaws are deemed legitimate. Google said each submission will be evaluated by a security expert panel, which "may also decide a single report actually constitutes multiple bugs requiring reward, or that multiple reports constitute only a single reward." In addition, bug hunters can donate rewards to charity, through Google.
Google said it chose to extend the bounty program for Web application bugs because it received a sustained increase in the number of high-quality reports from researchers on bugs found in the Chromium browser, the open source browser on which Google Chrome is based. Those bugs can be reported using the Chromium bug tracker system and include flaws discovered using plug-ins shipped with the Chrome browser by default.
Some other software makers offer similar programs. Mozilla announced its Security Bug Bounty Program in 2004, funded by Linux distributor Linspire (now owned by Xandros Inc.) and Mark Shuttleworth, the founder of the Ubuntu Project. Under Mozilla's program, reporters of valid, critical security bugs nowreceive a $3,000 cash reward and a Mozilla T-shirt. The maximum cash reward was increased from $500 in July.
By contrast, Microsoft refuses to reward bug hunters with cash prizes. In an announcement in July regarding responsible disclosure, Dave Forstrom, director of Microsoft's Trustworthy Computing Program, said such programs run counter to Microsoft's vulnerability research efforts and ultimately don't help the customer.
"We don't think it's in the customer's best interest to offer a per-vulnerability bounty," Forstom said in an earlier interview. "There are a number of ways that we work with the researcher community that we think best serves the community: everything from acknowledging our work together, to all of the sponsorships of conferences that we do further develops the community."
Can a UID number be misused?
The UID project will create a unique number for every citizen of India and build a UID database of individuals, associated with 12 parameters of identity. For the initial two to three years, UIDAI will focus only on creating the ‘unique number’ and not on the instrument that holds the ‘ID card’. A biometric record of each individual’s 10 fingerprints or iris scan will be collected and tagged to his unique 16 digit number (UID). Chandiramani believes that just having a UID is much more secure than having a physical card, which can be duplicated, stolen or misused; however, stealing someone’s biometric identity is not an easy task.
Na Vijayashankar (also known as Naavi), an independent cyberlaw consultant and founder of Ujvala Consultants who has issued a draft on ‘Reasonable Security Practices for UID Project’ informed that a UID database would be used by making a query. The query will provide the UID number along with one of the parameters such as name. The answer returned will either be ‘true’ or ‘false’. The users will mostly be service providers who check the ID of a prospective client. According to Naavi, return of false information by the database or its inability to find the match of a genuine query could be security threats. Another important UID security concern is can somebody’s UID number be misused by another individual? Naavi retorts, “If a person has access to someone else’s UID number, it can be misused in all cases where the biometric check is not done.” Chandiramani agrees, “To confirm if a UID number and person are the same, the biometric data should match.”
Securing the central database
UIDAI is expected to build one of the largest centralized database consisting of UID numbers, biometric records, and other personal details. Unauthorized access to UIDAI servers, organized attack from cyber terrorists or cyber warriors, and stealing or leaking of sensitive personal information are some of the prominent security threats to UID centralized database. Naavi suggests strong role-based access control, firewall, intrusion detection system, manpower training, and background check, as critical measures to ensure security of UID centralized database. Chandiramani also informs about strong encryption mechanism that will be deployed by UIDAI during all processes and IT operations. UIDAI is already implementing strong security policies, monitoring mechanism and penalties for security breach.
Naavi further notes that as UIDAI will have a repository of sensitive personal data, it will have to maintain reasonable security practices under the IT amendment act, 2008. “The global standards of data protection and privacy ought to be applied. Many of the security requirements should be at par with National Institute of Standards and Technology guidelines in USA or appropriate derivatives from such standards,” observes Naavi.
Security during transmission
The UID authentication process is expected to authorize an individual by matching the fresh biometric scan with the existing image in the centralized server. If a hacker tries to breach UID security by manipulating data during the transmission, it may directly affect the matching process at the centralized server and a genuine person may be denied services. Naavi informs that according to preliminary indications (subject to confirmation from UIDAI), during the creation of the original database, registrars would capture UID data in a portable media such as an USB drive and bring it to the UID center to upload to the central database through the Internet. “Hopefully, UIDAI will develop an application, which transmits the data in encrypted form so that transmission security can be managed. However, while the data is in the USB drive, it is exposed to the risk of being stolen or modified,” cautions Naavi. Chandiramani suggested that the transmission would happen on a private network for the moment, but will ultimately take place over a secure cloud. Hence, irrespective of the network, you will be able to connect to UIDAI server securely.
Internal threats
There could be serious internal threats to UID security. Chandiramani opines, “Internally, someone could attempt to sabotage the system, crash it or steal some information. Segregation of duties, roles, limited access, audit monitoring mechanism, physical security, and background checks are some key measures to be implemented on this front.”
Naavi points that this could involve corruption and other motivations. This is the most sensitive issue because political considerations could dilute the security to meet various “reservations” involved in selection of personnel.
UID data privacy
As a country, we lack specific laws on data privacy and hence, some feel that we may be ill-equipped to deal with disclosure or leakage of personal information if UID security is weak. Chandiramani mentions that currently UIDAI is capturing limited data (like father’s name, age, DOB and not things like height, weight or cast) and even at the time of authentication, only the UID number is verified. However, he feels that privacy will become a major issue after service providers start tracking a unique ID and tag it to everything to understand a person’s purchase decision. Chandiramani also adds that as this will happen outside the UIDAI environment, it may not be held responsible.
A UID system requires elaborate security, which takes care of technology, law and human resources.
Na Vijayashankar (also known as Naavi), an independent cyberlaw consultant and founder of Ujvala Consultants who has issued a draft on ‘Reasonable Security Practices for UID Project’ informed that a UID database would be used by making a query. The query will provide the UID number along with one of the parameters such as name. The answer returned will either be ‘true’ or ‘false’. The users will mostly be service providers who check the ID of a prospective client. According to Naavi, return of false information by the database or its inability to find the match of a genuine query could be security threats. Another important UID security concern is can somebody’s UID number be misused by another individual? Naavi retorts, “If a person has access to someone else’s UID number, it can be misused in all cases where the biometric check is not done.” Chandiramani agrees, “To confirm if a UID number and person are the same, the biometric data should match.”
Securing the central database
UIDAI is expected to build one of the largest centralized database consisting of UID numbers, biometric records, and other personal details. Unauthorized access to UIDAI servers, organized attack from cyber terrorists or cyber warriors, and stealing or leaking of sensitive personal information are some of the prominent security threats to UID centralized database. Naavi suggests strong role-based access control, firewall, intrusion detection system, manpower training, and background check, as critical measures to ensure security of UID centralized database. Chandiramani also informs about strong encryption mechanism that will be deployed by UIDAI during all processes and IT operations. UIDAI is already implementing strong security policies, monitoring mechanism and penalties for security breach.
Naavi further notes that as UIDAI will have a repository of sensitive personal data, it will have to maintain reasonable security practices under the IT amendment act, 2008. “The global standards of data protection and privacy ought to be applied. Many of the security requirements should be at par with National Institute of Standards and Technology guidelines in USA or appropriate derivatives from such standards,” observes Naavi.
Security during transmission
The UID authentication process is expected to authorize an individual by matching the fresh biometric scan with the existing image in the centralized server. If a hacker tries to breach UID security by manipulating data during the transmission, it may directly affect the matching process at the centralized server and a genuine person may be denied services. Naavi informs that according to preliminary indications (subject to confirmation from UIDAI), during the creation of the original database, registrars would capture UID data in a portable media such as an USB drive and bring it to the UID center to upload to the central database through the Internet. “Hopefully, UIDAI will develop an application, which transmits the data in encrypted form so that transmission security can be managed. However, while the data is in the USB drive, it is exposed to the risk of being stolen or modified,” cautions Naavi. Chandiramani suggested that the transmission would happen on a private network for the moment, but will ultimately take place over a secure cloud. Hence, irrespective of the network, you will be able to connect to UIDAI server securely.
Internal threats
There could be serious internal threats to UID security. Chandiramani opines, “Internally, someone could attempt to sabotage the system, crash it or steal some information. Segregation of duties, roles, limited access, audit monitoring mechanism, physical security, and background checks are some key measures to be implemented on this front.”
Naavi points that this could involve corruption and other motivations. This is the most sensitive issue because political considerations could dilute the security to meet various “reservations” involved in selection of personnel.
UID data privacy
As a country, we lack specific laws on data privacy and hence, some feel that we may be ill-equipped to deal with disclosure or leakage of personal information if UID security is weak. Chandiramani mentions that currently UIDAI is capturing limited data (like father’s name, age, DOB and not things like height, weight or cast) and even at the time of authentication, only the UID number is verified. However, he feels that privacy will become a major issue after service providers start tracking a unique ID and tag it to everything to understand a person’s purchase decision. Chandiramani also adds that as this will happen outside the UIDAI environment, it may not be held responsible.
A UID system requires elaborate security, which takes care of technology, law and human resources.
Subscribe to:
Posts (Atom)
