ihackforfun

You could point out that this is indeed not the best practice, point them to this OWASP web site: https://www.owasp.org/index.php/Information_Leakage

Also when password protecting zip files, make sure you have a really strong password since you can try forever to guess the password, there is to my knowledge no way to self-destruct a zip files upon mis-guessing the password. Quote from the winzip website: "The security of your data depends not only on the strength of the encryption method but also on the strength of your password, including factors such as length and composition of the password, and the measures you take to ensure that your password is not disclosed to unauthorized third parties." (http://kb.winzip.com/kb/entry/80/) Literally every coder can write a password cracker for zip files, it is a common example when reading books on Python for hackers ... You can find one here if you look into the preview: http://www.amazon.com/Violent-Python-Cookbook-Penetration-Engineers/dp/1597499579 Conclusion: don't put pictures you do not want others to see on media that is frequently lost/stolen (USB, external HD, public dropbox folder, phone) :-)

Latest info is that there is no additional info :-) As soon as they open up (we should be informed via email) I will start creating a team and call for participants ...

If you would have built and programmed this system just to see if you could do it or to show benchmarks on how fast a WPA can be cracked I would think it was cool, in those cases you would not send back the cracked key nor charge money for it (although asking for donations might have been a good idea). In this case you are just advertising the fact you are selling a service that obviously will be used for illegal things just makes you a “lamer” in most real hackers view … just that you know …

@GuardMoony, I'm still in holidays ... I'll get back in touch with my collegues beginning of next week :-)

As a side note, all this technology means nothing if you can be identified in other ways ... Example: some people try to send an anonymous email (e.g. trow away email address) but are identified by their style, other by their browsing habits, others by aggregating data like cell phone and log in records together with hotel and flight registrations (e.g. the general-mistress thingy in the US)... Then of course there are people who will simply betray you or who are double agents or working for the gouvernement (e.g. lulzsec case) ... I still admire your will though and if you take note of these effects that could betray your identity you will be a lot more anonymous then most.

Also keep in mind that multiple levels of encryption do not always add security, I remember a (very rare) case where adding more encryption weakened the strongest algorithm used and the added encryption was not strong by itself so in total the plain text was easier to figure out ... I can't seem to find that article again though ... If you want to start in encryption, go for the eldest examples (Caesar cypher) and crack those, once you get to algorithms where frequency analysis cannot crack them things get really though unless you have a strong mathematical background. If you want to encrypt text an added layer of encryption can be the language itself, a language that is not spoken anymore and that is not linked to one of the known “old” languages can be great (e.g. the native American code speakers) to hide the meaning of a language. It will not help against evil companies like google or anything government related ;-)

I'm thinking about it but there is not yet a lot of info on their website. When I tried inviting some friends the mail functionality did not seem to work... I we start a team you are welcome to join :-) I'll let you know ...

Hey CompleteTech, Instead of "brushing up" on your skills to track them I think you have a better change of learning skills to defend yourself against criminals like this. First of all I doubt that you will find this "person" unless you can work with the police and even if you did, what then? I doubt thay will give you back your domains, it might even lead to an escalation of the situation. Preventing this from hapening is going to be easier, digininja already gave sound advice in that area and at least it ill make sure this never happens again, if you get your domians back now somebody else might again steal them tomorrow ... I know this is costing you money but I think in time it will be clear the domains are yours and you will get them back. Just count this as "learning money", I know it sucks but I think most of use had to pay it one way or the other ... If you really want to annoy these people then advocate good practices to prevent them to the people you know (e.g. also your customers), this might prevent these people to keep doing this to a couple of others and thus you make sure there business model breaks and they will go away and find something else to do ;-) (in a perfect world that is, I know they will probably find some other wau to extort people)

Did you file a police report/complaint? It might not do any good but it cannot hurt either ... What country are you in? If in the EU or US there should be a police branch that specialises in cases like this. Do your domains actually contain value like an online shop or something like that? If not then why are they holding it hostage? Take note that if you pay them, there is no guarantee you get your stuff back not that you will not be hacked again the next day ... Unless you are working with the governement/police you should not try to go after him/her/them, there is a very small chance that you are victim of organised crime, you cannot take these guys down yourself. If it is a kid doing it from home you will not be able to do anything either, you might even get arrested yourself.

I use bleach bit on both linux and windows, for windows I have a USB stick with some portable tools, bleach bit is one of the tools I always have on there (get the portable version here http://portableapps.com/apps/utilities/bleachbit_portable) together with Eraser (also portable edition). When I'm feeling paranoid I also run the Diskcleaner and Wise Registry cleaner portable tools although I have no proof that it removes things that bleach bit could have forgotten, sometimes it is better to be safe then sorry ;-)

The group anonymous is rumored to use the Havji tool a lot (http://www.danbuzzard.net/journal/lulzsec-and-anonymous-script-kiddie-sql-injection.html), SQLMap is a tool thought in most security courses like CeH and SANS 542 so I would start with those as a general rule. If you want to test your own application/website to see if someone could get in easily then I would start with these also …

And don't root your iPhone ... the number of malicious apps making it through the iStore is very low (almost non existent). There is a problem with apps sending out to much personal info but that is another problem all togehter ...

@Comodo I watched the slides but there was no technical info in them on how they are going to host systems. If more details are known I can re-evaluate my comments ;-) Also on the subject of knowing when a server is hacked, the hacker will let you know since he will want to claim his reward. I'm guessing he will need to provide detailed step by step instructions on how he got in and only after this is verified he will receive money ...

I agree with digininja, I would not like to see my server being attacked without my monitoring, if anyone gets in they just had a dry run to come and hack your real server with much less hassle ... companies like google have the resources to patch vulnerabilities fast, most other companies are not so lucky ... If I were to use this service I would: - make sure the DB is empty or filled with random values, I would not even trust randomising existing data - make sure the server nor any of the software indicates the company the server is from I am a great fan of the hackademy though, good courses are expensive and most info can be found on the net but you loose a lot of time searching/sorting/sifting through info before you get there, this initiative can be helpfull there ...

@0062: Speaking as a professional penetration tester, if in Europe you try to hack a site/webserver without signing a contract (your invitiation is by no means a contract, I cannot even validate you have the rights to a certain website) you will be in trouble (in case they find out who you are). Even with the correct contracts in place between the both of us and your hosting, I would not be safe, any ISP seeing traffic that is obviously malicious could cut off the connection (not that they are monitoring or even willing to do so) and in case something goes wrong (let's say I take the server off line by accident) all these legal documents are not guaranteed to keep me out of court ... I'm not claiming that many people get caught or are running into trouble with this but then again I don't want to be that one person they want to make an example from :-) If you want your wordpress install tested, a better way would be to install it in a virtualbox or other VM and make it available for download, that way anybody can test without risks and still report problems back to you ... The web server security is not tested this way but since that is up to your hosting you probably care less about that anyway ...

Securing WP, Joomla etc is relatively simple: 1. install it in a local virtual machine 2. create content 3. transform the website into a static html website (e.g. jekyll) 4. put the static html on your hosting This does not work for websites that absolutely need a lot of scripting like online shops ... btw, your reward is dangerous, I don't know how your hosting is but probably you are on a shared server with a bunch of others who will suffer is some script kiddie puts the server down ... A lot of shared hosting is not very well defended ... And of course they might come and blame you for it ... Since people might actually try something on your website withpout having a decent contract with you and your hosting firm I'm confident it will be considered illegal in most countries ...

I wrote an article on the anatomy of DOS and DDOS attacks with some examples of older attacks that should not work anymore, you can learn from that without breaking the law ... http://www.ihackforfun.eu/index.php?title=anatomy-and-mitigation-of-different If you want to read it in full you need to purchase a magazine ;-)

You might also want to have a look at EMET from Mircosoft, it is supposed to stop certain exploits from occurring: http://blogs.technet.com/b/srd/archive/2012/05/15/introducing-emet-v3.aspx There is a side effect though, it is claimed that some programs do not work with this technology because they need the behaviour that the tool blocks to function correctly. I do not have experience with this tool so if you use it perhaps let us know in a separate thread?

If you really want to keep using Windows XP I would also try to implement as much as you can from the NSA Windows hardening guide (http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml#microsoft), if you scroll down enough there are two documents concerning Windows XP. Even the NSA recommends you using something else then XP though ...

If you are up to it, why not change OS and install a linux distro, thse days most of them are very user friendly both in use and in installing. That way you remove a large threat surface since at the moment there are not a lot of virusses being written for linux (simply because not enough people make use of it to make ot profitable for the criminals) ... Since you are new to computer learning linus or windows is going to take you the same amount of time and most of the info on linux can be found online (free books, forums etc.). Also most of the software you need to secure yourself is going to be free ... As a side effect Linux often uses less resources then windows so your little netbook will feel really fast ... For this to happen you need of course to install the best distribution for you ...

As an extention on what Saelani said the GSM companies can track you without triangulation (i.e. using different antenna's) also (if they want), as your cell phone conmnects to an antenna they have a reasonable good idea of your signal strength (I can't remember the exact technical details) and from that they could 'guestimate' your probable location. If you happen to be on a 360 degree antenna then this is not to bad, if you are on a 120 degree antenna the area where you could be is a lot smaller already. Of course I live an a country that has practically no rural areas left so triangulation is almost always possbile here ...

I've been wondering, is the vol1 the predecessor of vol 2? And is it worthwhile to read both, I'm currently using the vol 2 to help me prepare for the SANS542 exam ... Sorry for this of topic reaction ;-)

I fully agree with you but there are some SQL Injection techniques that are very hard to do manually because they either require a lot of work (blind SQLi) or are time based attacks, here a good tool is the only solution ... Also when testing my own application I will always run any tool I can find (mostly just using default options) against it to make sure the script kiddies cannot get in easily ...

I believe this is the link you are looking for: http://www.imperva.com/docs/HII_a_CAPTCHA_in_the_Rye.pdf If it was not, this is a good article on the subject anyway ;-)