It’s been a long time since I last posted in Zoiz’ blog. Still the same topic, and it’s already the fifth! Covering internet usage at public hotspots and sequenced passwords. Here are the tips for this time:

1. Log in first before you use it at a public hotspot.
   You don’t know if somebody is ready with his/her Cain&Abel and ready to harvest your usernames and passwords. So, you can log in first at home, put your notebook in standby mode, then bring your notebook where you want to use it.Wonder if somebody thinks of this too.
   Note: It’s not the same as the remember password feature. Remember password feature on your browser just make the username and password appear, it still sends your username and password.
2. Never do e-transaction such as e-banking or online shopping at a public hotspot.
   Crackers still can modify the data sent to the router, so I don’t recommend this activity.
3. Use your personal combination.
   A friend on Facebook posted a link to here: http://www.linux.com/articles/28057. It’s a good idea to combine your personal information like this: “NiKrV@1992!UA-blAcK”. Assume the password user’s name is NiKrad KreVchenko, born @1992, born in Ukraine (ISO country code), and his favorite color is black.
4. Using characters from a random phrase.
   Another good idea. Let’s try from this phrase: “Lorem Ipsum Dolor Sit Amet. The quick little brown fox jumps over a big lazy dog.” Take the first letters then you get LIDSATQLBFJOABLD. Or take per two letters, separate words with exclamation mark, then you get LRM!PU!DLR!I!AE! and so forth. Don’t forget to variate the case, or the symbols. Like changing the exclamation marks to the symbols sequence on your keyboard (~!@#$%^&*()_+`-={}|[]\:”;’<>?,./).
5. Use a Polybius Square.
   I’ve seen this technique somewhere but I forgot it where. Here is one example (you can make this thing by yourself):

   	1	2	3	4	5	6	7	8	9	0
   a	a	s	e	v	e	d	n	e	3	g
   b	!	@	d	3	d	%	e	&	f	3
   c	e	h	*	-	%	d	2	q	F	#
   d	s	!	#	$	%	d	E	2	5	8
   e	f	3	a	S	F	V	#	T	4	A

   This works like a Polybius square, one of the ancient cryptography technique. With this, you can only remember two letters for your password, and the length of your. For example, remembering d2 7 letters long, it is: s!#$%dE. Of course you can make this larger on your own. Or just make your own password, then hide it under your own Polybius square

6. Use the Polybius Square combined with chess moves.
   If you like to play chess, and you know some openings, this shouldn’t be a problem. All you have to do is to make an 8×8 Polybius square, with random letters and captions for chess boards. For example, the Sicilian Dragon Variant: 1. e4 c5 2. Nf3 d6 3. d4 cxd4 4. Nxd4 Nf6 5. Nc3 g6 6. Bg5 Bg7. That’s enough, a password with 12 characters. If there’s a repeat of letters it’s ok, don’t matter. I hope you understand what I mean.

   8	k	l	\	z	“	{	+
   7	j	;	]	x	;	}	=	!
   6	h	‘	[	c	“	|	-	#
   5	g	q	p	v	:	1	0	$
   4	f	w	o	b	?	2	9	%
   3	d	e	i	n	>	3	8	^
   2	s	r	u	m	<	4	7	&
   1	a	t	y	,	. /	5	6	*
   	a	b	c	d	e	f	g	h

   If it based on this square and using the Sicilian Dragon Variant, my password would be: ?p3cbbb|i-0=
   Go make your own! Print all your Polybius Squares, make cards of it, and put it into your wallet.

7. Use On Screen Keyboard.
   I always forgot to write this. If you’re lazy to do the previous tips about copy pasting letters from a text file, just use on screen keyboard. In case there is a keylogger logging coordinate of mouse clicks, before and after you type your password with this tool, move the keyboard to another spot.
8. Keyboard sequence isn’t always insecure.
   Yeah, it’s not always insecure. But of course, lame sequence like asdfghjkl, is insecure. Be creative with this one. Like this: !qAz@wSx#eDc. Figure out the sequence yourself. You can switch to another keyboard layout (other than QWERTY, like Dvorak) for awhile for entering passwords.
9. One-way encrypted password as your password.
   Just remember a word, or name, like John Doe. Then, encrypt it to md5. Resulting: 4c2a904bafba06591225113ad17b5cec. If it doesn’t fit because of the character limit (md5 is 25 character), just cut off the half to the limit character.
10. Using multi-level encryption.
    I found this idea when searching for an encryption tool. If you don’t get what I say, then I’ll give you an example:

    $pass = sha1(md5(md5(sha1(sha1(md5(md5(sha1($pass))))))));

    Add salt and different encryption ways if you please:

    $pass= sha1(md5(crypt(str_rot13(base64_encode(md5(1357, sha1($pass)))))))

    I’m not responsible for any server crash

That’s all for now. Enjoy securing.

Thu.1.29.2008
r3ck0rd

©2008 Calvin Limuel a.k.a. r3ck0rd. All rights reserved.
Original Link: http://reckord.info/password-security/303.account-security-v.html or http://reckord.info/?p=303

Dimana seperti yang telah kita ketahui bahwa Sunset Policy adalah sebuah kebijakan dari pemerintah untuk menghapuskan sanksi pajak. Misalnya seorang wajib pajak yang tidak melaporkan / membayar pajak atas penghasilannya di tahun sebelumnya, jika mereka melaporkan dan membayarkan kewajiban pajak mereka pada masa sunset policy, mereka tidak akan dikenai sanksi ataupun denda.

Dengan diundurnya / diperpanjangnya batas Sunset Policy, para wajib pajak yang berniat melakukan pembetulan namun tidak sempat, sebuah kesempatan yang bagus untuk melakukannya sekarang juga!

Ingat bahwa saja membayar pajak adalah sebuah kewajiban kita sebagai seorang warga negara! Milikilah NPWP Anda dan laporkan penghasilan Anda sekarang juga!

Different from the article before, this vulnerability may only be found in some game centers of TImeZone / Amazone (Not all vulnerable to this).

When Lebaran Holiday came, my mother suggested my grandma to go to Bandung and Puncak then asked all of my relatives to join us. On the 3rd day of our trip, we arrived in Puncak and go to one factory outlet that is called Brasco or Kampoeng Brasco. I only went there with my aunties, uncle and cousins.

My aunties asked us (me and my cousin) to just wait in a game center called Space Zone. “It will only take a few minutes”, my aunties said. My uncle joined my aunties to buys T-shirts and other things. So, my cousin and I was there, alone.

Ok, so we go around without doing anything (because we had no coin at that time) and just have a chat together. We keep talking and walking until we found two basketball game machines.

When my cousins keep talking, I thought a brilliant idea (because I was fed up with that place). I asked my youngest cousin to push the ball that is inside the web or wall with his small finger and It works! The ball started to move from its place! Here’s the pic:

Okay so now it has been out from its place then, my cousin that really likes basketball take the ball and throw it. So, we have nothing to do (again). So, I asked my cousin to do the same thing that he had done before. So, it was my turn! I shoot it and yeah, we’ve nothing to do (again).

Then, a man with his child played that game. We just looked at them who played it happily
They played that game for 2 times. After they had no coin anymore, without asking or did anything, my cousin pushed the wall that protects or keep the ball inside and they had one more chance to play it for free!

Wow! They just surprised then play together (without any thanks () and when I asked to push the wall again, it didn’t work anymore. I think it’s all because he didn’t push the wall on the right time .

Those vulnerabilities seem won’t work in all TimeZone (but it may work in other location of TimeZone). By the way, here’s the pic of my lovely cousin that helped a lot:

Thanks!
ymm0t

If you clicked on the URL / link it provided, the web browser will prompt you to download a so called “Adobe Systems Inc’s Flash Player Update”. Therein the facebook / myspace virus (worm) lies.

Once you installed the fake flash player update, your computer will be infected and become a zombie computer that will attempt to infect all your friends in your facebook / myspace friends list.

Facebook posted a notice regarding how to remove / get rid of the Koobface virus (worm) on their security page. They suggested that infected PC use an up-to-date virus scanner, and then reset their Facebook password. Some of the free online virus scanners suggested are Kaspersky, Symantec, McAfee and Microsoft Live OneCare.

After a couple of hours of walking (See that, couple of HOURS!!! Geez >.< you know why I hate shopping now? ), feeling bored and so I went to Time Zone (game arena) to see if there’s anything interesting there.

I noticed a group of teenager surrounding a game machine. Felt something amiss, so I walked closer to take a peep look. And this it what I saw :

Fire Fighter TimeZone Game Hacking

Went even closer, and this it what I saw :

Fire Fighter Time Zone Game Hacking

Look at the hand of the guy wearing white shirt and the score board. The score keeps going up when the guy keep holding the censor device. Any player can get the maximum tickets from that machine using this trick.

This Time-Zone Hacking to get maximum tickets from the game machine easily, was tested and working, and only for dummies! Cheers

Just like the Click-Jacking style Joomla CMS hijacking. CSRF and Automation are needed to infect blogs, CMS, forums, and etc. Possible? Yes indeed!

Scenario :

• Victim log in to his/her blog, and does not sign out from it.
• Victim visits a malicious site with Click-Jacking, any clicks there will trigger a CSRF attack which will attempt to insert a script into victims blog theme. (Just like Wordpress Theme Editor)
• The script will generate an iFrame containing Click-Jacking
• Now the victim’s blog become a zombie that will attempt to infect all his/her blog’s visitors blog.

Isn’t it lovely? Just a thought . . .

The Moon Smiles at you

Click The Image to Enlarge

See? Even the sky wants you to smile. Cheers

How it works :

- First a victim logged into his Joomla Powered site Administration Control Panel

- He didn’t logged out from the service

- He visited a malicious site

- He clicked on something (anything on the page)

- By the time he clicked, his Joomla Powered site password has been changed without his notice

Combining Click-jacking & CSRF, the clicked trigger a password change request to the Joomla site using the victim privilege. Thus the attack was success, the victim’s site admin password changed.

Here is the link : http://www.hackers.web.id/clickjacking-joomla.rar