Perl Script to Fetch PNR Status reservation on train from Indian Railway

Just came across this interesting and innovative site - http://www.mypnrstatus.com/

That triggers my interest and little more googling reveals the following:

Perl Script to Fetch PNR Status reservation on train from Indian Railways - http://bit.ly/9rV1Aw

PCI DSS for Database Professionals

The Payment Card Industry Data Security Standard (PCI DSS) sets forth the security requirements for organizations that store, process and/or transmit credit or debit card transactions. These requirements stem from a series of significant security incidents affecting databases of consumer credit information over the past decade.

Few important points to consider in terms of PCI DSS for Databases:

• Place the database in an internal network zone, segregated from the DMZ. PCI requires that you place your database server on your internal network and that you deny attempts to directly access the database from untrusted networks. Additionally, you must use private IP addresses for the database server.
• Change vendor-supplied default passwords. You must ensure that your database uses strong passwords for all user accounts and that you change the passwords for any default accounts supplied by your database vendor.
• Encrypt all non-console administrative access. You’re required to use encryption technology (e.g. VPN, SSL, ssh) to encrypt any administrative connections to the database. This reduces the risk of an eavesdropper obtaining administrative credentials to the database.
• Keep cardholder data storage to a minimum. You should never store cardholder data that you no longer need. If you don’t need to store it, don’t. If you’re finished with it, purge it from your database. In all cases, you may never store data from the card’s magnetic stripe or the three digit security code on the back of the card.
• Encrypt card numbers that you do store. If your business requirements dictate that you store card numbers, you must encrypt them using a strong encryption algorithm. Furthermore, you must use sound key management practices to limit access to the encryption keys.
• Ensure that you patch your database regularly. A recent study revealed that many DBAs seldom, if ever apply security patches. PCI requires that you apply security updates within one month of their release.
• Develop web applications securely. Granted, DBAs seldom have control over the code written by developers, but it's important that we act as security evangelists, educating developers about the risk posed by database attacks such as SQL injection.
• Practice secure user management. In addition to the controls you'd expect, such as requiring individual user accounts with strong passwords, you also need to manage database roles and rights in a fashion that limits access to those with a need to know.
• Log everything. PCI requires that you record the name of the user, type of event, timestamp, and other technical information about any individual user access to cardholder data, administrator actions and failed authentication attempts.

This is just a high level overview. The entire standard document is available at: https://www.pcisecuritystandards.org/index.shtml.

[Source : http://databases.about.com/od/security/a/pcidss.htm]

"Bom Sabado! " A new worm Hits google's Orkut

A new worm has Hit Google's Orkut early today and its spreading fast, the Infection looks pretty stubborn .

This wierd worm appears to be similar to one that appeared in Dec' 2007 and the people behind are suspected to be the same. A Portuguese Greeter worm

It appears that the communities like "Somente você me COMPLETA!, O virus Que Contagia, ADA - Adoro Dormir Abraçado, Eu tenho um grande AMOR" and few more random Communities

This greets you in the scrap book "Bom Sabado! " which translates to "Good Saturday" in contrast to the earlier on with “2008 vem ai… que ele comece mto bem para vc.” This translates to “2008 is coming…I wish that it begins quite well for you”.
No external links are involved just viewing the scrap spreads the worm. Although no cases of account infringement are noticed yet . This worm look to be having only a intention of fairly "Spamming" with greets.

Once the user views the scrap the account gets infected and runs a Javascript to post the scrap to all persons in the victims contact.
The javascripts look to appear from TPTOOLS (http://tptools.org/)
meanwhile the browser looks to be freezed however the code is executed in the background.
No official reports are out yet in this matter on the statistics and its impact.

The best countermeasure is to stay away from viewing the scrap or use "Noscripts" addon or block the scripts on the browser.

Source : http://technozorgs.blogspot.com/2010/09/bom-sabado-new-worm-hits-googles-orkut.html

Read more: http://ibnlive.in.com/news/orkut-attacked-by-bom-sabado-worm/131714-11.html

Special investigation: It took just one hour for internet experts to find out almost every private detail of this woman's life

Steve Boggan challenged web experts to see how much they could discover about his partner. The results were chilling...

As I sit writing this, I am feeling vaguely grubby — guilty even — in the way a neurotic husband might after hiring a gumshoe to go trawling through his wife’s secrets.

There is a 15-page report in front of me chronicling virtually every aspect of my girlfriend’s life: past and present.

That includes her friends, education, embarrassing pictures, former boyfriends and long-forgotten relatives.

Much of the information is new to me. And the uses to which it could be put — uses I hadn’t dreamt of until this week — are chilling.

Armed with this information, criminals could use her identity to commit fraud or resurrect minute details of her past, her movements and friendships to lure her into scams or even dangerous liaisons.

It could be used to con her into revealing her bank details and credit card numbers.

Read more: http://www.mailonsunday.co.uk/news/article-1310965/Special-Investigation-It-took-just-hour-internet-experts-private-womans-life.html

Setting up a Network Pentest and Web Pentest Lab by Security Aegis

Network Pentest Lab

Remember those good ole days in the sandbox? Where you threw stuff around learned where the sand goes and… doesn’t go? Well we’ve graduated from the sandbox, but our hearts and minds are still wired to play there. Maybe that’s why we love offsec, let’s get to the point though… We made a lab.

We wanted to address pentest labs. In this post in particular, Network pentest labs (webapp will be a separate post, challenge sites will be as well)

We used an existing set of hack challenge ISO’s, sandbox VM’s, vulnerable software, and vulnerable OS’s to create a 6 target lab that can be expanded upon.

Props to @_laz3r_ for the video and research he did for the project. No longer an intern, that didn’t last long did it? ;P

READ MORE

Pentest Labs: Web Application Edition

Over the last week, we busted out our red plastic shovel and our bucket shaped like a castle to dig a little bit deeper into our sandbox. Recently, we addressed the flexibility and overall necessity of a virtual lab for network pentesting, practice, and testing.

Today, we plan to expand upon that to encompass Web App. Our setup includes 7 target sites hosted on 4 VM’s. It’s important to note, that we only showcase the tip of the iceberg. The possibility of expansion is limited only by your imagination.

This lab takes substantially more prep and organization than our network lab did, as each target site has different requirements. We hosted most of our targets on XP Pro SP3 boxes, though many should work on Vista or maybe even Win7 RC.

READ MORE

10 Everyday Items Hackers Are Targeting Right Now

"Just when you thought it was safe to use your computer, hackers have figured out how to attack everyday items. Your printer, your cellphone -- even the blender in your kitchen -- can be hacked and used against you.

And in the not-too-distant future, as the medical field makes advances with machine-to-human interfaces, even your own body and brain could be at risk.

Here are 10 everyday items that are open to fresh attacks from criminals.

1. Your Car

2. That New GPS Gizmo

3. Your Cellphone

4. The Front-Door Security System

5. Your Blender. Yes, Your Blender

6. Your Printer

7. Your New Digital Camera

8. The Power Sockets in Your Walls

9. The Human Body

10. Even the Human Brain "

Read More

10,000 XP machines attacked through 0-day flaw

"

Attacks on the Windows Help and Support Center Vulnerability (CVE-2010-1885)

mmpc

30 Jun 2010 1:35 PM

We've been monitoring for active attacks on the Windows Help and Support Center vulnerability (CVE-2010-1885) since the advisory was released on June 10th. At first, we only saw legitimate researchers testing innocuous proof-of-concepts. Then, early on June 15th, the first real public exploits emerged. Those initial exploits were targeted and fairly limited. In the past week, however, attacks have picked up and are no longer limited to specific geographies or targets, and we would like to ensure that customers are aware of this broader distribution. If you have not yet considered the countermeasures listed in the Microsoft Security Advisory (2219475), you should consider them.

As of today, over 10,000 distinct computers have reported seeing this attack at least one time. Here are some details on the attacks we're seeing.

Geolocation

• The largest targets in terms of attack volume have been the United States, Russia, Portugal, Germany, and Brazil.
• A regional saturation rate, the number of attacked computers per a population of monitored systems (counted using a unique identifier), shows a slightly different picture. In this aspect, Portugal has seen a much higher concentration of attacks - more than ten times the world-wide average per computer. Russia is second at eight times the world-wide rate.

"

Read More