Top 10 vulnerabilities in 2015 are due to Flash

The annual report of software exploits of 2015 is out and it gives some shocking results. Usually attacks were more focused on Java security flaws but in the past year, exploit kit makers have switched from targeting Java security flaws to exclusively exploiting weaknesses in the Adobe’s Product, a recent report from the NTT group shows.

According to the security firm, all of the top 10 vulnerabilities targeted by exploit kits during 2015 were Flash flaws. According to historical records kept by the NTT Group, 2015 was the first year when exploit kits used more Flash flaws compared to Java, which almost disappeared from exploit kits altogether. This change in trends comes after Java was 2012, 2013, and 2014’s most targeted technology via exploit kit vulnerabilities.

Besides this Adobe product, in 2015, the second and third most targeted technologies were Internet Explorer and Microsoft Windows.

The main reason behind this trend is because of the massive security updates Java received in 2014 which made exploitation much difficult. Hackers turned their focus on Flash, which saw four zero-days in 2015 only from the Hacking Team data breach alone.

A similar report released by Symantec two weeks ago also confirms this trend. Symantec says that Flash vulnerabilities accounted for 17 percent of all zero-days in 2015, with four of the top five most used zero-days in 2015 belonging to Flash.

With so much material to work with and with Java’s extremely hard-to-bypass security features and dwindling market share, it is to no surprise that Flash usage in exploit kits has grown so much. The security upgrades that contributed to Java’s downfall from exploit kit arsenals are the click-to-play feature and Oracle’s decision to block unsigned applets by default.

In order, the top 10 Flash vulnerabilities used in exploit kits last year are as follows: CVE-2015-0311, CVE-2015-5119, CVE-2015-5122, CVE-2015-0359, CVE-2015-0313, CVE-2015-2419, CVE-2015-3090, CVE-2015-3113, CVE-2015-0336, CVE-2015-7645, and CVE-2015-3105.

How to make a Walking Robot at home

Robots are the building blocks of Modern Technology. Either in Industries or Firm all are controlled by Bots. So why don,t we make at home 

Watch us making a bot at home :

USING KALI LINUX HIDING SECRET MESSAGES IN IMAGES

Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video. The word steganography combines the Greek words steganos, meaning ‘covered, concealed, or protected’, and graphein, meaning ‘writing’. The first recorded use of the term was in 1499 by Johannes Trithemius in Steganographia, a treatise on cryptography and steganography which was disguised as a book about magic (Wikipedia). 

The general concept is hiding messages that overtly appear to be (or be part of) something innocuous such as images, articles, shopping lists, or a cover text. For example, the hidden message may be in invisible ink between the visible lines of a private letter. Some implementations of steganography lack a shared secret key and are forms of security through obscurity, whereas key-dependent steganographic schemes adhere to Kerckhoffs’s principle. For more information about this please seehttps://en.wikipedia.org/wiki/Kerckhoffs%27s_principle. 

The advantage of steganography over cryptography is that the secret message does not attract attention to itself as an object of scrutiny. Plainly visible encrypted messages, no matter how unbreakable, arouse interest and may be incriminating in countries where encryption is illegal or encryption keys are required to be accessible 

Thus cryptography is the practice of protecting the contents of a message, whereas steganography is concerned with concealing the fact that a secret message is located within the message content. 

Steganography includes the concealment of information within computer files. In digital steganography, electronic communications may include steganographic coding within the transported medium, such as a document file, an image file, a program, or a protocol. Media files are ideal for steganographic transmission because of the potentially large size, which makes detection difficult. For example, a sender might start with an innocuous image file and adjust the color of every 100th pixel to correspond to a letter in the alphabet. This is a technique that is so subtle it would be almost impossible to notice unless looking directly for this adjustment. 

Part II: Steganography in Action Using Kali Linux 

NOTE: steghide only works with AU, BMP, JPEG, or WAV files. If you want to use a different file format, you will need to use a different tool. 

To hide your secret messages inside images, you will need to download some tools. A popular tool I like to use is Steghide which you can install on Kali Linux. 

Here are the steps to using the tool: 

Step 1: Installing Steghide 

You will need to install a tool that lets you hide messages. You only have to install the tool one time and it is not provided as an included module with Kali Linux. 

apt-get install steghide M11 

Step 2: Create a text file with your hidden message 

After you get comfortable with Steghide you can use more advanced command line features, but for now let’s simply create a text file with our hidden message. Feel free to use a text editor of your choice. I simply used vi to create a text file called my_secret.txt with the message, “My voice is my passport”.

My file is now saved along with the image file I am going to use.

Next we will use steghide to embed the hidden message into the graphic file. The graphic file I used was a simple drawing of my home lab network. As you can see it is an ordinary .jpg file. 

Step 3: Using Steghide to hide your message 

We will use a couple of basic options with Steghide:

1. embed –ef is option to embed the secret message txt 

2. -cf is image file we will use 

3. jpg is a pic file which obfuscates the message

You’ll see a line to input a password or passphrase within the terminal screen. Create one you can remember or do the unthinkable and write it down. We then successfully embed the message into our image, thus hiding secret the message. You can also compare the original file to the stenographic file, which is now considerably larger than the original. The hash values of the modified file and the original file are now different as well:

Step 4: Reading the embedded secret message 

Okay, now that we know how to hide a message, how do we read the message from the image file? We will use the extract –sf command: 

steghide extract –sf attack_lab.jpeg

Increase Your WiFi Speeds With These Simple Tweaks

Almost everyone have internet access these days and internet over WiFi is the most commonly used process. But what if your WiFi connectivity is not good ?. Here is how you can increase your WiFi speeds by some of these simple tweaks hope you like them 

Make sure that your router is in the right place 

If you have some dead zones in your house, your router may be in the wrong spot. The perfect place for a Wi-Fi router is in the center of your room at least a few feet above the ground. No matter what, do not hide it in the closet as it weakens the signal. 

Find an ideal Wi-Fi channel 

Choosing the right Wi-Fi channel will help you to reduce interference and improve the signal. The most frequently used channels that do not overlap with each other are 1, 6, and 11. If you are a Mac user, you have a special option called integrated Wireless Diagnostics feature that recommend the best channel depending on the connected router. 

To access it: 

1. Press the Option key. 

2. In the upper-right corner of the window, click the Wi-Fi icon. 

3. In the dropdown menu, find “Open Wireless Diagnostics”, and then select Utilities.

4. On the Wi-Fi Scan tab, click Scan Now to view the Wi-Fi channels that you should be using. 

Change your Wi-Fi channel 

You will need to login to your router as admin with the appropriate password, and then change the channel settings. The location depends on the type of router that you have. If a channel is already fixed, move five channels away, that is, if it is on channel 1, move to 6 or 11. You will then have to specify that fixed channel on all connecting devices. 

Switch to 5GHz band 

Usually routers have two frequency band settings: 2.4GHz (for long-range signal) and 5GHz (for short-range signal). If you pick the 5GHz band, it will reduce the number of people with unauthorized access. In this way you will prevent wide broadcasting. 

Reboot your router 

As in case with other electronics, when a router is on for a while, it will tend to stop performing at its best. Rebooting your router can fix Internet connection problems and improve slow moving connections. 

Comment below if I missed any points.

Any Android Phone Encryption Technique

Google introduced full-device encryption back in Android Gingerbread (2.3.x), but it has undergone some dramatic changes since then. On some higher-end handsets running Lollipop (5.x) and higher, it’s enabled out-of-the-box, while on some older or lower-end devices, you have to turn it on yourself.

Why to Encrypt a phone:

Encryption stores your phone’s data in an unreadable, seemingly scrambled form. (To actually perform the low-level encryption functions, Android uses dm-crypt, which is the standard disk encryption system in the Linux kernel. It’s the same technology used by a variety of Linux distributions.) When you enter your PIN, password, or pattern on the lock screen, your phone decrypts the data, making it understandable. If someone doesn’t know the encryption PIN or password, they can’t access your data. (On Android 5.1 and above, encryption doesn’t require a PIN or password, but it’s highly recommended since not having one would reduce the effectiveness of the encryption.)

Start by heading into the Settings menu and tapping on “Security,” again keeping in mind that the wording may be slightly different. If your device is already encrypted, it will show up here. Some devices will also allow SD card contents to be encrypted, but by default Android just encrypts on-board storage. If the device isn’t encrypted, you can start the process by tapping the “Encrypt phone” option.

he next screen will present a warning to let you know what to expect once the process is finished, most of which we’ve already talked about in this article. If you’re ready to proceed, hit the “Encrypt phone” button.

The phone will then reboot and start the encryption process. A progress bar and estimated time till completion will show up, which should at least provide an idea of how long you’ll be without your beloved handset. Just wait, it’ll all be okay soon. You can do this. You’re strong. Once it’s finished, the phone will reboot and you’re back in business. If you set up a lock screen password, PIN, or pattern, you’ll have to put it in now so the device will finish the boot process. If you haven’t set up a PIN or password, now is a good time to do so. Head into your device’s Settings > Security menu. From there, select the “Screen Lock” option (keep in mind that the wording may be slightly different for non-stock Android handsets, like Samsung Galaxy devices).

Choose Pattern, PIN, or Password to set your security.

You’ll be asked if you want to require the PIN, password, or pattern at startup. This is up to you, but we recommend choosing yes, since this increases the security of your device.

Note that even with a fingerprint reader, you can’t use a fingerprint to unlock a device on first boot—you’ll have to put in the password, PIN, or pattern. After the device has been decrypted with the correct security unlocking method, the fingerprint reader can be used to unlock the screen moving forward. From now on, your device will be encrypted, but if you ever want to disable it, you can do so by performing a factory reset. If you have a newer device that has encryption enabled out of the box, there’s no way to remove said encryption—not even with a factory reset.

Havij, an SQL Injection Interface

Havij SQL injection Tool 

1. There is a free version HERE, but your probably want to look around and see if you can get your hands on the full-version. 

2. A SQL vulnerable test site (we recommend something like DVWA).

3. A very important thing you will need: your mind.

Checking for SQL vulnerability 

Now to check is this site vulnerable to a verbose SQL injection, a hacker will simply add ‘ (apostrophe) after the site url like this: 

http://site.com/products.php?id=2′ 

and the hacker will get this error on the site 

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘\” at line 1.

It means that site is vulnerable to SQL injection.

Exploiting the vulnerable site 

1. Open Havij and paste site url in target field and hit enter. 

2. Now wait for Havij to get all the databases of the website. 

3. Now the hacker clicks on available database of site and click on Get Tables. 

Here, they select 535480_toyonorte for this site like in this image:

1. By clicking Get Tables Havij will look after the tables available in the database. 

2. Now after the scanning Havij will get all tables, now the main work will start , they must check if there table available with a name that has something to do with admin, users and something similar. Here, we have a table called usuario in this website. It is selected and then click on Get Columns.

1. Now after clicking Get Columns havij will get all the columns available in users table. 

2. In this case, the hacker found different columns like id, login, pass and many more. 

3. Now select the columns and click on Get Data like in pic given below.

Now havij will look after the data available in columns login and password i.e admin username and password like i getusername –> adminpassword–> 21232f297a57a5a743894a0e4a801fc3 (in encrypted form)Such as in the image below:

1. Now after they have found the username and password there is a problem. The password is encrypted in md5 language , so the hacker must crack it . 

2. To crack encrypted password the hacker copies the password click on MD5 tab in havij and paste the encrypted password in MD5 hash field and hit start. Now havij will try to crack the password.

1. Now they get the Password cracked for admin. 

2. The hacker will check for admin panel where they will login with username and password. 

3. To find admin panel click Find Admin tab in Havij and click start. 

Now havij will check the admin panel of website. In this case, they found http://site.com.co/admin/ as admin panel and open it in a web browser. They login with username and password and now they have control of the website

Java code for Screenshot

There might be a situation where you guys want to take screen shots programmatically. So I am sharing a program that help you to take screen capture of your screen and save it in PNG (Portable network graphic) picture format. 

The below program uses Java.awt.Robot class to capture the screen pixels and uses Imageio to save it as PNG image format. Just copy and paste the program in Notepad, save it and run the program to take screen shot.

import java.awt.Rectangle;

import java.awt.Robot;

import java.awt.Toolkit;

import java.awt.image.BufferedImage;

import java.io.*;

import javax.imageio.*;

class Snap

{

 public static void main(String args[]) throws Exception

 {

  Robot awt_robot = new Robot();

BufferedImage Entire_Screen = awt_robot.createScreenCapture(new Rectangle(Toolkit.getDefaultToolkit().getScreenSize()));

  ImageIO.write(Entire_Screen, "PNG", new File("Entire_Screen.png"));

 }

}

Note: The Screen shot image will be stored at the location where your program is stored.