It’s been a long time since I last posted in Zoiz’ blog. Still the same topic, and it’s already the fifth! Covering internet usage at public hotspots and sequenced passwords. Here are the tips for this time:

1. Log in first before you use it at a public hotspot.
   You don’t know if somebody is ready with his/her Cain&Abel and ready to harvest your usernames and passwords. So, you can log in first at home, put your notebook in standby mode, then bring your notebook where you want to use it.Wonder if somebody thinks of this too.
   Note: It’s not the same as the remember password feature. Remember password feature on your browser just make the username and password appear, it still sends your username and password.
2. Never do e-transaction such as e-banking or online shopping at a public hotspot.
   Crackers still can modify the data sent to the router, so I don’t recommend this activity.
3. Use your personal combination.
   A friend on Facebook posted a link to here: http://www.linux.com/articles/28057. It’s a good idea to combine your personal information like this: “NiKrV@1992!UA-blAcK”. Assume the password user’s name is NiKrad KreVchenko, born @1992, born in Ukraine (ISO country code), and his favorite color is black.
4. Using characters from a random phrase.
   Another good idea. Let’s try from this phrase: “Lorem Ipsum Dolor Sit Amet. The quick little brown fox jumps over a big lazy dog.” Take the first letters then you get LIDSATQLBFJOABLD. Or take per two letters, separate words with exclamation mark, then you get LRM!PU!DLR!I!AE! and so forth. Don’t forget to variate the case, or the symbols. Like changing the exclamation marks to the symbols sequence on your keyboard (~!@#$%^&*()_+`-={}|[]\:”;’<>?,./).
5. Use a Polybius Square.
   I’ve seen this technique somewhere but I forgot it where. Here is one example (you can make this thing by yourself):

   	1	2	3	4	5	6	7	8	9	0
   a	a	s	e	v	e	d	n	e	3	g
   b	!	@	d	3	d	%	e	&	f	3
   c	e	h	*	-	%	d	2	q	F	#
   d	s	!	#	$	%	d	E	2	5	8
   e	f	3	a	S	F	V	#	T	4	A

   This works like a Polybius square, one of the ancient cryptography technique. With this, you can only remember two letters for your password, and the length of your. For example, remembering d2 7 letters long, it is: s!#$%dE. Of course you can make this larger on your own. Or just make your own password, then hide it under your own Polybius square

6. Use the Polybius Square combined with chess moves.
   If you like to play chess, and you know some openings, this shouldn’t be a problem. All you have to do is to make an 8×8 Polybius square, with random letters and captions for chess boards. For example, the Sicilian Dragon Variant: 1. e4 c5 2. Nf3 d6 3. d4 cxd4 4. Nxd4 Nf6 5. Nc3 g6 6. Bg5 Bg7. That’s enough, a password with 12 characters. If there’s a repeat of letters it’s ok, don’t matter. I hope you understand what I mean.

   8	k	l	\	z	“	{	+
   7	j	;	]	x	;	}	=	!
   6	h	‘	[	c	“	|	-	#
   5	g	q	p	v	:	1	0	$
   4	f	w	o	b	?	2	9	%
   3	d	e	i	n	>	3	8	^
   2	s	r	u	m	<	4	7	&
   1	a	t	y	,	. /	5	6	*
   	a	b	c	d	e	f	g	h

   If it based on this square and using the Sicilian Dragon Variant, my password would be: ?p3cbbb|i-0=
   Go make your own! Print all your Polybius Squares, make cards of it, and put it into your wallet.

7. Use On Screen Keyboard.
   I always forgot to write this. If you’re lazy to do the previous tips about copy pasting letters from a text file, just use on screen keyboard. In case there is a keylogger logging coordinate of mouse clicks, before and after you type your password with this tool, move the keyboard to another spot.
8. Keyboard sequence isn’t always insecure.
   Yeah, it’s not always insecure. But of course, lame sequence like asdfghjkl, is insecure. Be creative with this one. Like this: !qAz@wSx#eDc. Figure out the sequence yourself. You can switch to another keyboard layout (other than QWERTY, like Dvorak) for awhile for entering passwords.
9. One-way encrypted password as your password.
   Just remember a word, or name, like John Doe. Then, encrypt it to md5. Resulting: 4c2a904bafba06591225113ad17b5cec. If it doesn’t fit because of the character limit (md5 is 25 character), just cut off the half to the limit character.
10. Using multi-level encryption.
    I found this idea when searching for an encryption tool. If you don’t get what I say, then I’ll give you an example:

    $pass = sha1(md5(md5(sha1(sha1(md5(md5(sha1($pass))))))));

    Add salt and different encryption ways if you please:

    $pass= sha1(md5(crypt(str_rot13(base64_encode(md5(1357, sha1($pass)))))))

    I’m not responsible for any server crash

That’s all for now. Enjoy securing.

Thu.1.29.2008
r3ck0rd

©2008 Calvin Limuel a.k.a. r3ck0rd. All rights reserved.
Original Link: http://reckord.info/password-security/303.account-security-v.html or http://reckord.info/?p=303

Different from the article before, this vulnerability may only be found in some game centers of TImeZone / Amazone (Not all vulnerable to this).

When Lebaran Holiday came, my mother suggested my grandma to go to Bandung and Puncak then asked all of my relatives to join us. On the 3rd day of our trip, we arrived in Puncak and go to one factory outlet that is called Brasco or Kampoeng Brasco. I only went there with my aunties, uncle and cousins.

My aunties asked us (me and my cousin) to just wait in a game center called Space Zone. “It will only take a few minutes”, my aunties said. My uncle joined my aunties to buys T-shirts and other things. So, my cousin and I was there, alone.

Ok, so we go around without doing anything (because we had no coin at that time) and just have a chat together. We keep talking and walking until we found two basketball game machines.

When my cousins keep talking, I thought a brilliant idea (because I was fed up with that place). I asked my youngest cousin to push the ball that is inside the web or wall with his small finger and It works! The ball started to move from its place! Here’s the pic:

Okay so now it has been out from its place then, my cousin that really likes basketball take the ball and throw it. So, we have nothing to do (again). So, I asked my cousin to do the same thing that he had done before. So, it was my turn! I shoot it and yeah, we’ve nothing to do (again).

Then, a man with his child played that game. We just looked at them who played it happily
They played that game for 2 times. After they had no coin anymore, without asking or did anything, my cousin pushed the wall that protects or keep the ball inside and they had one more chance to play it for free!

Wow! They just surprised then play together (without any thanks () and when I asked to push the wall again, it didn’t work anymore. I think it’s all because he didn’t push the wall on the right time .

Those vulnerabilities seem won’t work in all TimeZone (but it may work in other location of TimeZone). By the way, here’s the pic of my lovely cousin that helped a lot:

Thanks!
ymm0t

A Password Security Related Article by Calvin Limuel a.k.a. r3ck0rd

Howdy ho! Has it been a loss since my previous post about Accounts Security? Did you enjoy my previous posts about your accounts’ security? Have you done those tips? You haven’t? OK I haven’t done those too (some, but not the same mistake hehe ). Well then, finally the fourth part, eh? And I hope you enjoy this post. Containing, maybe not so fresh, because may be discussed outside somewhere, or taken from a portion of an article in my blog, but helping tips for you to workout. Happy securing!

1. Non-ASCII Password

Password brute-force(r) usually scan only ASCII characters. Well, if allowed, you can use passwords with Cyrillic or Greek or any other text from other languages. This will be more secure (I suppose) and more memorable.

2. Multi-byte Password

Even better! On the previous post in Th0R’s blog, he showed an account secured by nature, their own language in Chinese characters. Well I can read Chinese, but I know some of you don’t. Well then I suppose, even harder to crack, because Kanji/Hanzi/Hangul and Hanja characters are numerous (Chinese Hanzi: more than 80k, Kanji, more than 6000)! I don’t know for exact how much characters supported by today’s encodings. What I know that the national encoding CNS (Chinese Standard Interchange Code) contains more than 13,000 Chinese Characters. Don’t know for UTF encodings.

3. Copy and Paste

Wait! This doesn’t mean I recommend you to store your password file in a plain text that you can copy paste the passwords! This trick is recommended if you suspect your computer too much, then prepare your notepad, and type all the characters on your keyboard, maybe with those non-ascii or multibyte characters. Then if you want to input passwords, just copy and paste them one by one. And, use your mouse.

4. Maximize robot.txt and .htaccess

It’s for keeping crawlers out of your restricted directories. You can password your directory too with this. There are tutorials about this in the internet a lot. Do google them (once again, google is a verb).

5. Sandboxes to protect you

Yes, it’s to protect you from crackers. And why do I insert this general security tips in a password security article? It’s between two answers, it’s related of course, and usually crackers hack your computer to steal important things or credentials for their profit. The second, I’m running out of idea? *take a laugh* OK. If you don’t know what sandboxes are, you can go to http://en.wikipedia.org/wiki/Sandbox_(computer_security).

Some may recommend you to use virtual machines like the famous VMWare. Yes for me it’s useful too if I want to test other OS or a hacking demo. But if it’s just for securing, just search a good sandbox program like Sandboxie (as recommended by y3dips), you can google that. But you can use other software of course, if you think it’s better.

6. Updating and Patches are important!

I recommend if a software has an automatic update feature, like Windows, or a browser like Firefox or Opera, turn it on, especially for security patches. If there is none, you can be a little diligent by checking the news from the vendor or security sites that provides advisories, like Secunia, milw0rm, SecurityFocus, and such. So you can aware with the new vulnerabilities found for your software.

7. Use salt!

Not that salty salt, but this salt. To avoid rainbow table attack and other reason. This is the example of usage:

// syntax: md5($pass, $salt);
$pass="ligx";
$salt=3147;
md5($pass, $salt);

8. WordPress Secret Keys!

You should know, as this holds the cookie hashing salt. This is the script you should input in your wp-config.php:

define('SECRET_KEY', 'whateverbebasfree');
// this ones below available in WP 2.6
define('AUTH_KEY', 'totally');
define('SECURE_AUTH_KEY', 'uptoyou');
define('LOGGED_IN_KEY', 'idontknow');

9. Delete credentials recorded in Google Cache

You may have a little mistake in the past that makes someone or even you, have a page in Googlebot’s cache containing your passwords. You can do this by removing the URL “howto”s here.

10. Friendster Security and Privacy

Friendster is known for many user abuse. And that must be one of the reason Th0R wrote “Friendster Hacking”. You already know this and this article, and about the filter of Friendster is off. So, attackers, can snoop in malicious code again. Yes it’s the way Friendster Team may want to know how much is the threata and where do they come from. So you can secure yourself by disabling auto-approve comment from your settings page. Still in your settings page, if you want to, disable all the automatics. All manual. And for the “add to be your friend”, choose require last name or e-mail address. Only friends can leave comment. Then if you still feel unsafe by just NoScript alone, choose safe mode option on.

For the privacy, yes Friendster is a social networking site, which you can provide your own data about yourself. You may not want other people who don’t know you to see those things. So all you have to do is to restrict profile views only to your friends. If you want to tolerate more, for 2nd degrees.

Thu.10.9.2008

r3ck0rd

©2008 Calvin Limuel a.k.a. r3ck0rd. All rights reserved.

Original Link: http://reckord.info/password-security/105.account-security-part-4.html or http://reckord.info/?p=105

Para pengunjung blog yang terhormat, pernah merasa bingung tidak pada saat memilih mobil? Misalnya memilih merek, memilih model, dan tentunya memilih harga. Pada saat ini, terdapat banyak sekali merek mobil seperti Toyota, Honda, Mitsubishi, Hyundai, dan lain sebagainya. Tetapi pilihan saya tetap mobil Toyota, selain sparepart gampang didapatkan, juga keawetan mesin sudah teruji. Dan paling penting harga resell (harga seken) juga ga jelek sekali lah

4 tahun lalu saya membeli mobil Toyota Corona, harganya sekitar Rp. 58.000.000 dan beberapa saat dulu saya jual, tau ga harga pasarannya berapa? Rp. 74.000.000,- Naik sekitar Rp. 16.000.000,-. Hehehe. Yup, karena pada saat saya membeli FTZ masih berlaku, sedangkan pada saat saya jual kemaren FTZ sementara dicabut, sehingga harga mobil Ex Singapore naik drastis. Lumayan kan?

Sekarang bingung juga nih karena ingin meng-kredit atau menyicil mobil baru tapi bingung mau pilih yang mana diantara 3. Ada 3 model mobil yang akan saya bahas disini, yaitu :

1. Toyota Avanza 2008
2. Toyota Rush 2008
3. Daihatsu Terios 2008

Setelah saya googling sana sini, ternyata banyak juga yang membahas tentang perbedaan Toyota Rush dan Daihatsu Terios.

Dari segi mesin, Toyota Rush dan Daihatsu Terios memiliki engine yang sama yaitu engine KS-VE DOHC VVT-i 1.500 cc (Sama juga dengan engine Toyota Avanza 1.5 S AT/MT). Oke, dari segi mesin ketiga-tiganya sama.

Dari segi keselamatan sih memang Toyota Rush menang dari Daihatsu Terios, dimana Toyota Rush memiliki ABS system dan double air bag, sedangkan Daihatsu Terios tidak. Tapi kalo masalah keselamatan sih saya rasa tergantung dari segi pengemudinya. Kalau karena memiliki double air bag dan ABS system membuat pengemudi berani membawa extra laju, i prefer not

Dari segi interior Toyota Rush juga memiliki keunggulan extra dibandingkan dengan Daihatsu Terios, yaitu CD Changer 6 Pcs. Dekorasi interios juga dimenangi oleh Toyota Rush. Cuma kalau Daihatsu Terios memiliki 2 seat extra di belakang dibanding Toyota Rush yang hanya memiliki 5 tempat duduk.

Dari segi kenyamanan sih Toyota Rush menang lagi Haha, tapi setelah saya cari informasi dari para pemilik Daihatsu Terios, mereka menyarankan untuk mengganti Shock Breaker. Kenyamanan Daihatsu Terios akan dapat mengimbangi Toyota Rush.

Sedangkan untuk Toyota Avanza, dari pengalaman saya membawa (mobil kantor), sih memang aga kurang. Tenaga yang kurang memadai beserta Shock Breaker yang kurang bagus, membuat saya memberikan nilai minus buat Toyota Avanza.

Tetapi jika dinilai dari segi pemakaian BBM, toyota Avanza jelas lebh irit dibandingkan dengan Toyota Rush maupun Daihatsu Terios.

Saya sempat tanya-tanya ke second hand market tentang harga Avanza, ternyata harga resell / seken-nya masih sangat tinggi. Kurang tau kalau soal harga re-sell Toyota Rush maupun Daihatsu Terios.

Well, setelah segi-segi kenyamanan, keselamatan, kehemetan BBM, dan ketahanan mesin. Tentu harga akan menjadi faktor yang sangat pending dalam memilih mobil. Informasi harga (hari ini :  10 September 200*) yang saya dapatkan dari situs vendor masing-masing adalah sebagai berikut :

Toyota Avanza 1.5 S AT : Rp. 147.700.000,-
Toyota Rush 1.5 S AT : Rp. 186.150.000,-
Daihatsu Terios 1.5 TX Elegant : Rp. 173.900.000,-

Well, saya masih tetap bingung mau pilih yang mana. Ada saran teman-teman? Hehe. Silahkan berdiskusi

OK to the point. Monday when I have a trip to Tanah Lot in Bali, my friend ymm0t called me and send me his advisory. It’s about Friendster’s log out problem. Well, I found it earlier than him, but never thought of writing this.

Have you ever given a link by someone, that is, http://profile.friendster.com/logout.php? Or it’s after you view someone’s profile (http://profile.friendster.com/r3ck0rd for example). After you click it, you’ll see the logout page. But when you go to the home page of Friendster, you’ll see you haven’t logged out from Friendster. What’s going on?

This is my deduction, and ymm0t may not know this. You were logged out. But not from www.friendster.com. Only from profile.friendster.com. It’s a fatal fault for the user if they log out after they view someone’s profile by clicking the link above right. It reset the cookie of profile.friendster.com, but did not reset the cookie of www.friendster.com.

So what’s all the babbling about? Haven’t get it? Right here’s a scenario. If you were browsing on Friendster, and viewing someone’s profile, then you were forced by your friend to press the log out link at the top bottom, or you were told by your friend to go to profile.friendster.com/logout.php, because your friend wants to use it. Well after the “You have been logged out” text showed up, then you give your friend turn to use the computer. The fact is, if your friendster… I mean if your friend is naughty, as you haven’t been logged out from www.friendster.com, he can still access your account. And do something bad. Like putting a bad code to your profile maybe to steal your friends’ cookies, and your account may be banned for containing that code.

This short? Yeah this short. Short and easy to take over one’s account right? Lucky you if you access Friendster from your own PC or notebook at home. What if, in the internet café? Where the computers you use are shared computer.  So, here are the problem solver:

• After you logout anywhere in Friendster, make sure you check out www.friendster.com too. Recheck always.
• It’s recommended to log out from the home page. friendster.com.
• If it’s not helping, just install a cookie editor plugin for your browser and just delete all the cookies from Friendster.
• Remember, “just click log out and good bye” may not enough.

It’s not reported yet, but I’ll be reporting it to the Friendster Team.

By the way, after Th0R read this, he mentioned about CSRF. I don’t know what he meant but I’m thinking about sending my friends this link or just put a CSRF in my FS Profile like this:
<img src=”http://profiles.friendster.com/logout.php” alt=”logout” />
It’ll be kinda annoying huh (may I implement it here?)

All credits to: ymm0t for reminding me this. And Th0R for the CSRF idea.

GreetZ to:
- All SATE, HackingForte, and Ha.ckwith.us members. You’re all my support in growing my hacking activity.
- IndoForum members. You may dislike me or not because I’m still one of them, but this forum is the place where I grow up too.
- BayPas staffs and members, thanks for entrusting me to be the technician.
- Most of all, Jesus for keep giving me my breath.

Original Link: http://reckord.info/friendster/friendster-bug/81.friendster-logout-problem.html

Update 05/07/2008:

Disclaimer: The copyright above is for the text, not the bug. We never claim this as my own bug found. I don’t know if someone has reported this anywhere, because it’s an easy thing to found.

Thu.2008.6.19
r3ck0rd

© 2008 r3ck0rd and ymm0t. Some rights reserved.

Hackers.web.id has a combining of 15 years of experience in IT Security Industries and their contribution to the security industries is acknowledgeable. Such as internal consulting to Yahoo7 Inc., the Biggest ever Zero-Day Vulnerability Report in Indonesia history, advisories to some of world’s biggest social community network such as Friendster,  and also Web Application Security Assessment to several International IT Companies.

Hackers.web.id provided an one-stop Web Application Security consultations and services to fit your company needs. Please visit their home page for more information.

Cookie SQL Injection

Yeah, insert your SQL query through your cookies editor. This can be done if a web application uses value from cookies without a proper sanitizing. Example of vulnerable code :

<?
$preference = $_COOKIE['pre'];
$color = mysql_query(‘SELECT color FROM settings WHERE color = $pre”);
?>

Unfiltered cookies will land you to trouble if you use the cookies string in a SQL command.

User-Agent SQL Injection

Some CMS stores their visitor IPs, browsers, and user-agent information to their database. So the problem is, user-agent can be modified easily. Without a proper sanitize, SQL Injection may occurs too via User-Agent Spoofing. The PoC is same as Cookies SQL Injection.
SQL Injection Via JS Injection

Some sites use javascript to perform data post. Thus, a Javascript + SQL Injection is not impossible.

Update on 2nd May 2008

SQL Injection Via Wap Site

A good security from a company web application doesn’t means that their WAP application is secure. A SQL Injection on WAP application is as critical as on web application. Some web developers neglected WAP application security as maybe they felt that it’s not as important as web application security. But once a SQL Injection is launched via WAP application : GAME OVER.

If you have some more techniques of SQL Injection, you can share it here via comments

Finally, third episode of this serial! Despite in the middle of home works, school projects, web design preparation for a competition, writing my own book “Behind the Scenes of XSS, RFI, and SQL Injection”, other Gastrote and hacking projects, Vocal Group Competition preparation, and any other things I have to do. But I still want to write more.

Yes in this third part, I changed the serial name and this is the final name: Accounts Security. And I’m extending this serial for web developers and programmers (marked with the 4 WDev&P™ or “For Web Developers and Programmers™” logo).

1. For Web Developers and Programmers™ Configuration File
Configuration file is where you put your sensitive data for a web application. Such as database login details. Don’t just save it in *.inc. Because .inc extension is just an extension and a standard, few people still doing this. .ini files too. So it can be downloaded directly, easily. I recommend give a protection like, adding an extra .php extension (like config.inc.php), forbid direct access through .htaccess and PHP, and encode the file.

2. For Web Developers and Programmers™ Filter, filter, filter!
The word “filter”, now, is not always to avoid HTML Injection and XSS only. You may have know how to filter SQL Injection, and so do RFIs. If not, I’ll write about it some other time. In Zoiz’ advisory page here: http://zoiz.web.id/xss-corner/useragent-xss.html or http://th0r.info/?p=77, he showed us that User Agent data from the browser, in this practice, Mozilla Firefox, can be modified. From Internet Explorer, you can do it from the registry editor. I’ll write about it in the next episode of Microsoft Windows Tweaks. I haven’t find out how to do it in Opera, Netscape, Safari, or any other browsers.
Back to that advisory. He found out that User Agent String Data can contain HTML codes. By the “mighty power” of XSS, we can even do what Th0R does in his first book: “Friendster Hacking”. Yes, we’re talking about Cookie Stealing. How can we do it? Next time, OK? ^^ Some programmers make programs for logging users. Some still display the raw string of the user agent data. You know what I mean next.
Read more about code injection.

3. For Web Developers and Programmers™ Password File and Database security
About putting passwords to files, it is risky enough. More risky than point 1. Because you know, it can be accessed by public individuals. The safest way I think is to put it into the database. However, these can be accessed if you have SQL Injection vulnerability in your web application. The solution is none other than encrypt it with one-way encryption method. Yes I know your web applications encrypts your passwords by default. And the usual method: Message Digest 5 (MD5). And you know by reading Th0R’s book, Zero-Knowledge Password, and part two of this serial, it can be cracked. With bruteforce (this is avoidable, not like what you think, the easiest way is through CAPTCHA, available in php class), rainbow table. So how to protect them? Try another encryption like SHA1. Or, use multiple encryption. MD5, SHA1, and ROT13. Or you can add PHPass (Portable PHP Password) hashing framework from www.openwall.com/phpass, a security foundation, that made John the Ripper password cracker, in your list.

4. Remember Password Feature
I forgot to write this in my earlier articles. Yes, don’t do this, especially if you’re accessing websites, including your messenger programs, even if it’s encrypted. It’s not about knowing your password, but someone can set the settings for not enabling password to be required to get in into his e-mail.

5. VBScript in web pages
Know VBScript? Yes, VBScript can be embedded in a HTML page. Client-side. But you have to know people can make worms/viruses with this. It’s not impossible for a coder to code a spyware, trojan horse, even a keylogger, then embed them in a HTML page. Best way I know to anticipate is: disable tags from your browser. But, it’ll be more comfortable if you just install Mozilla Firefox (latest one is 2.0.0.13 and 3.0 b5) and install NoScript plugin by Giorgio Maone.

6. For Web Developers and Programmers™ CSRF Attack: for users and WDev&P
Lists of links that may help you preventing CSRF:
- http://www.gnucitizen.org/blog/preventing-csrf/
- http://websecurity.ro/blog/2008/03/28/wordpress-233-probably-a-0day-exploit/
- http://christ1an.blogspot.com/2007/04/preventing-csrf-efficiently.html
- http://www.cgisecurity.com/articles/csrf-faq.shtml
More? Google them

7. Your browser’s address bar
Remember XSS? Right. I think I’ve told you about this, but if not, here are my tips. First of all, watch the address bar. This will be useful to avoid XSS contain phishing and any other malicious things. Previously, in Friendster, you can put a phising page through redirection, showing you a fake login page. And in World of Warcraft’s website, Th0R has showed us the p0f of it, in the preious SATE (Security Advisory Team) forum. But it’s alright when you watch the address closely. But if you don’t understand, I recommend NoScript plugin, has known to prevent XSS to be executed.

8. Seek secure web pages
This is very important if you’re messing up with e-banking or e-commerce sites. First, the protocol should be in https:// or port 443 (secure HTTP, HyperText Transfer Protocol). Second, verify the certificate, the encryption method, the digital signature and the certificate maker, like VeriSign or e-trust. Although there maybe a counterfeit, just cross check with the certificate maker’s site.

9. For Web Developers and Programmers™ PHP5, 6 and MySQL
As an subtopic of point 2, prevent SQL Injection by using magic_quotes. But since the news says it’ll be removed, you have to manually filter it yourself. Or if you’re using MySQL, you can use this function: mysql_real_escape_string().

10. Credit Card
It’s not impossible if someone like a cashier can do a fast remembering or has a photographic memory to remember your bank account number and your CVV2. Just for advice, either when you want to use your credit card to debit, swipe your card to their “skimmer” (I don’t know what’s its name) yourself, or don’t let the cashier see your credit card longer. If they want to cross check the signature, you show him/her. Or if you want to apply a new credit card, and the dealer require you to photocopy your current credit card, ask the them to cover the CVV2.

Hah OK, it’s finished. 2 weeks of work. Haha . Actually I suddenly came up with one more point. But let it be in the fourth part

This article was made by Calvin Limuel a.k.a. r3ck0rd with a help from Zoiz for few points. Thanks a lot Zoiz! It’ll be 3 weeks if you don’t point me some points.

Greet fliest to:
- Zoiz, Th0R, badkiddies, JKR, and all HackingForte members.
- Some of my chat friends: PusHm0v, th3sn0wbr4in, yamiza.
- My friends at my school: Arcsanctus, CH.

And thanks to Jesus for making me alive until today, so I can write this article ^^.

April 11, 2008

Calvin Limuel
© 2008 r3ck0rd
See here for more information if you want to copy this article.

Original URL: http://reckord.info/?p=36 or http://reckord.info/password-security/r3ck0rd/2008.04.11/36.accounts-security-part-iii.post

If you are one of the Indonesian ISP users, you might have problem accessing http://youtube.com. I am not sure what actually happened (as I know that YouTube.com have some videos that Indonesian Government ban).

From my small research, I found out that Indonesia ISP deletes youtube.com Name Server record from all DNS’. You can regain your access, of course by changing your secondary DNS into this : 12.127.17.83.

How to do it :

Open your Network Setting. Right click and select property. In Internet Protocol list menu, click configure. And type in the DNS I provided into the secondary DNS. Now you can access YouTube.com!

Note : Correct me if I am wrong

Update 8th April 2008 :

The DNS trick seems to be not working anymore, but you can still access those block sites by using HTTP Tunneling. If you don’t know how to do it, here’s a simple one :

1. Download PuTTy.exe from here : http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
2. Open Command Prompt and change your directory to where you save the PuTTy.exe. And type this command :

putty -P 222 -N -D 9999 -C net@cepat.abangadek.com

3. A windows will pop up, and you are required to type in a password. Enter : cepat123
4. Follow the instruction from the image below :

The Instruction (Taken from : http://harry.sufehmi.com/)

Jobs Done!