Thursday, March 17, 2011

  You have high speed ADSL broadband at PC,but still facing low speed in IE (INTERNET EXPLORER )
so here are few steps that will help your to get better speed in IE
1. Click start > Run
2. Type regedit > Enter
3. Browse folder HKEY_CURRENT_USERSoftwarem*cro$oftWindowsCurrentVersion
InternetSettings
4. Right click @ windows right > New > DWORD
5. Type MaxConnectionsPerServer > you can set value (the more higher the no., the more good
speed you get, eg : 99)
6. Create another DWORD >type MaxConnectionsPer1_0Server
7. Then enter any higher values in that section
8. Then, restart IE รข€¦ ur finished.
This Trick will increase your browsing speed as well as downloading speed.
Friends, all of us want to send fake mail with others mail id here i’m posting the method which is used to send the fake mail using the Simple Mail Transfer Protocol(SMTP)

SMTP is the protocol which is used to send mail over the internet.
When we login to our account and send a mail the smtp protocol will send it to the smtp server which will send it to the pop3 server and then it gets to the receiver email account.
The main bug in this system is that the SMTP server access dosen’t need any authentication, means when u want to send data to any of the email account you need not to provide the your identification or the email id and password you can just login with any email id and send email.
But the receiver has to give his e mail id and password as the pop3 server needs a authentication.
thus, using this bug even a leyman can send a fake mail with any user id and fool the receiver.
This kind of java script are already available on net so u can get it from any where.
Now the main crux here is that the mail can be trace and the ip can be known to the tracer, now a days terrorist are using such bugs to send email and may be traced. So please dont use this method for any destructive or negative purpose.

As per the indian laws it may be punishable to send fake mail via internet bus there is no such juridiction in law for sending fake mail through GPRS and this the loop hole.

So once you got the site from web for fake mail use it to send fake mail via GPRS and enjoy.
Want to Spoof a identity of caller,we have brought some intresting trick.

Call Forging is the trick by which you can spoof the identity of the
caller and misguide the caller.

By call forging the caller identity is spoofed and can be easily done
by the folllowing way.

This post is written for educational purpose and dont misuse it.

Basics of Call Forging

Firstly the voip is used to call via internet PC to a telephone.
In the VOIP there is a loop hole which allow a intruder to spoof
a call.

There are many website on the net which provide the facility of the
internet calling.

This website work as follows, first the call the source phone no. then
the destiation number and then bridge them together.

Here there is no authentication done by the website and server are
normally located in US and so tracing of the intruder is not possible.

Thus, the intruder logs on to this server and gives a wrong source number
and then place a call over internet which is actually a spoofed call
which shows wrong identity.

Also there a no laws regarding the call spoofing in India and so a intruder
if gets traced is easily backed by the loophole of no laws for it.

Thus, if you get calls from other numbers dont trust it they may be spoofed
calls.

This post is written only for awareness and for educational purpose.
MySpace: Since this site relies on Web mail to solicit and accept friends and the blog moderating functions have been known to have XSS vulnerabilities in the past, it is recommended that to use this site for CDC communications, it be done so from specially designated hardware off the CDC network following guidelines developed in conjunction with OCISO.

Facebook: Since this site allows blog posts and there is limited or no control over which of your friends appear on your home page, it is recommended that to use this site for CDC communications, it be done so from specially designated hardware off the CDC network following guidelines developed in conjunction with OCISO.

Twitter: An interesting site in terms of social networking in that comments and posts are allowed, but are limited to 140 characters with no HTML or JS allowed. Hyperlinks are allowed and are automatically converted to the actual HTML code by the system. Eg – http://www.cdc.gov becomes http://www.cdc.gov automatically. Comments are designed to be sent by SMS messaging, which is text based. Requests for followers come through email and can be accepted without Web mail. Whereas it does seem to be secure against XSS exploits, the site does rely on AJAX technologies and can be used to post links to malicious sites. In order to vet these links, they must be followed, which would put the system at risk. It is recommended that to use this site for CDC communications, it be done so from specially designated hardware off the CDC network following guidelines developed in conjunction with OCISO.

DailyStrength: This site relies on Web mail to solicit and accept friends, allows blog comments and has limited to no control over which of your friends show up on your main profile page. It is recommended that to use this site for CDC communications, it be done so from specially designated hardware off the CDC network following guidelines developed in conjunction with OCISO.

YouTube: This site allows comments on videos and has limited to no control over which of your friends show up on your main profile page. It is recommended that to use this site for CDC communications, it be done so from specially designated hardware off the CDC network following guidelines developed in conjunction with OCISO.

Flickr: This site allows comments and has limited to no control over which of your friends show up on your main profile page. It is recommended that to use this site for CDC communications, it be done so from specially designated hardware off the CDC network following guidelines developed in conjunction with OCISO
 

Caller ID Forging the practice of causing the telephone network to display a number on the recipient's caller ID display which is not that of the actual originating station; the term is commonly used to describe situations in which the motivation is considered nefarious by the speaker. Just as e-mail spoofing can make it appear that a message came from any e-mail address the sender chooses, caller ID forging can make a call appear to have come from any phone number the caller wishes. Because people are prone to assume a call is coming from the number (and hence, the associated person, or persons), this can call the service's value into question.

To use a typical service, a customer pays in advance for a PIN allowing them to make a call for a certain amount of minutes. To begin, the customer dials from any phone the toll free number given to them by the company and enters their PIN. They are then asked to enter the number they wish to call and the number they wish to appear on the caller ID. Once the "customer" selects the options, the call is then bridged and the person on the other end assumes someone else is calling them.

Many Caller ID forging service providers also allow customers to initiate spoofed calls from a web-based interface in addition to calling a toll free number and entering the ten digit number you want to display followed by the ten digit number you want to call. Some providers allow you to enter the name you would like to display along with the spoofed Caller ID number but in most parts of the United States for example, whatever name the local phone company has associated with the spoofed Caller ID number is the name that shows up on the Caller ID display.

Using a web-based spoofing form involves creating an account with a provider, logging in to their website and completing a form. Most companies require the following basic fields:

1: Source number 2: Destination number 3: Caller ID number

Once the user completes this form and clicks a button to initiate the call, the source number is first called. Once the source number line is picked up, the destination is then called and bridged together.

Some providers also offer the ability to record calls, change your voice and send SMS text messages.

Methods:

Caller ID is forged through a variety of methods and different technology. The most popular ways of spoofing Caller ID are through the use of Voice over IP or PRI lines.

Another method of spoofing is that of emulating the Bell 202 FSK signal. This method, informally called orange boxing, uses software that generates the audio signal which is then coupled to the telephone line during the call. The object is to deceive the called party into thinking that there is an incoming call waiting call from the spoofed number, when in fact there is no new incoming call. This technique often also involves an accomplice who may provide a secondary voice to complete the illusion of a call waiting call. Because the orange box cannot truly spoof incoming caller ID prior to answer, and relies to a certain extent on the guile of the caller, it is considered as much a social engineering technique as a technical hack.

Other methods include switch access to the SS7 network, and social engineering telephone company operators into placing calls for you from the desired phone number. Another method that is not used as often is VXML which was gaining popularity before VoIP took over.

History:

Many people do not realize that Caller ID Forging has been around since Caller ID was created. For over a decade Caller ID forging was used mainly by businesses with access to expensive PRI (Primary Rate Interface) telephone lines provided by local telephone carriers. A single PRI line can provided businesses with up to 23 telephone lines and all of these lines are capable of having unique telephone numbers. Caller ID forging, in it’s most basic form, was typically used by businesses to display one main telephone number on all outgoing calls, even though those calls were not really originating from those numbers.

In the early 2000’s phone hackers, also known as “phone phreaks” or “phreaks”, began using Orange boxing to attempt to spoof Caller ID. Orange boxing is done by using a device, usually special computer software, to send a series of tones down the line during the first few seconds of a phone call, attempting to emulate the Caller ID signal sent from the telephone office. Orange boxing is very crude and unreliable, as it has to be done within a short timeframe at the beginning of a call. Phone phreaks, without access to PRI lines or blind line services at the time, thought the technique was clever.

In late 2003 and early 2004 the same phone phreaks began to explore a relatively new platform for developing voice applications, known as VoiceXML or VXML, which was offered by companies such as Voxeo.

In 2005 a handful of new sites allowing you to spoof your Caller ID were quietly launched. Some of the sites were PiPhone.com, CallNotes.net, SecretCalls.net, StayUnknown.com, SpoofTech.com, SpoofTel.com, and SpoofCard.com.

Towards the end of May, another site, TheZeroGroup.com, launched offering Caller ID spoofing, amongst it's other phone related services. TheZeroGroup's site claims they are hosted off-shore to avoid any legal issues that may arise.

On June 13th the U.S. House of Representatives passed the "Truth in Caller ID Act of 2007" which would make it "unlawful for any person within the United States, in connection with any telecommunications service or VOIP service, to cause any caller identification service to transmit misleading or inaccurate caller identification information with the intent to defraud or cause harm." A similiar bill was passed onto the Senate in April, but the Senate hasn't acted on either of the bills yet.

In India,we do not have any law which is related to the crime made by hoaxters by spoofing caller id.







Orkut Server Side Session Handling Problems:

Overview:

1. Orkut fails to expire the orkut_state session cookie from the server side even when the
user logs off from Orkut upon clicking "Sign-Out" from the application. The cookie is
cleared from the client side (browser), but is not cleared from the server side. If reused,
it provides access to the user's Orkut account.

2. Upon logging in again, a new orkut_state session cookie is created, but the old session
cookies still stay active on the server side. Therefore, any session cookie can be reused
to gain access to the user's Orkut account.

Details:

When any user logs into “orkut.com” . data of cookie will be generated on server and it will be sent back to user after successful authentication process on server. If I come to know about cookie data of any victim remotely then I can access victim’s account without password ( and even user id).


After an access to victim's account, I can edit his/her social,personal,professional,contact profiles,i can also have an access to his/her albums,videos,testimonials.i can even stop victim to access his/her account by editing the contact email.

My aim is not to hack the orkut account and damaged any victim's data, but to create awareness among the people about the security risks over social networking websites.

Recently I had been interviewed by HEADLINES TODAY and I have proved live that any orkut account can be hacked. I am also going to do half an hour live show on AAJTAK.

More Details will be covered in LIVE demonstration.

Gmail Server Side Session Handling Problems:

Overview:

1. Gmail fails to expire the GX session cookie from the server side even when the user
logs off from Gmail upon clicking "Sign-Out" from the application. The cookie is
cleared from the client side (browser), but is not cleared from the server side. If reused,
it provides access to the user's Gmail account.

2. Upon logging in again, a new GX session cookie is created, but the old session cookies
still stay active on the server side. Therefore, any session cookie can be re-used to
gain access to the user's Gmail account.

The above article given by http://gprsinformation.blogspot.com/2010/08/call-forging-caller-id-forging-practice.html


SMS forging is a relatively new kind of high-tech felony, which uses the short message service (SMS), which is available on most mobile phones and personal digital assistants, to spoof or impersonate another user. The spoofing is often used to send viruses that can be carried from phone to phone and which can cause destructive behavior.

SMS spoofing became possible after many mobile/cellular operators had integrated their network communications with/in the Internet. So anybody could send SMS from the Internet using forms at the websites of mobile operators or even through e-mail. Unfortunately, the Internet forms designed to send SMS may have vulnerabilities that could lead hackers to be able to break the tunneling protocol that links the phones with the Internet.

Surprisingly, one can use legitimate SMS tools available on the market for spoofing. For instance, Clickatell, a provider of carrier-grade bulk SMS messaging solutions and applications that can be integrated and used immediately within a global environment, developed various software allowing users to send bulk and personalized SMS messaging to existing databases, Lotus Domino and other integrated SMS solutions. Therefore any person can purchase or even download evaluation software that would allow the individual to send a spoof SMS. Other providers such as FakeMyText and CloakText actually sell an anonymous texting service as their main service which can be used to spoof a SMS message from any international number.

There is also dedicated Open Source tool called SMS Spoof, which is a Palm OS application that allows individuals to send spoofed SMS messages. It uses a dialup connection to any EMI/UCP-compatible short message service center (SMSC) which supports the EMI/UCP protocol, as long as no authentication is required.

Details:
Every SMS sent from sender to receiver is in PDU format which is of 7bit .
07917283010010F5040BC87238880900F10000993092516195800AE8329BFD4697D9

Octet(s)Description:-

07Length of the SMSC information (in this case 7 octets)

91Type-of-address of the SMSC. (91 means international format of the phone number)

72 83 01 00 10 F5Service center number(in decimal semi-octets). The length of the phone number is odd (11), so a trailing F has been added to form proper octets. The phone number of this service center is "+27381000015".

04First octet of this SMS-DELIVER message .

0BAddress-Length. Length of the sender number (0B hex = 11 dec)

C8Type-of-address of the sender number

72 38 88 09 00 F1Sender number (decimal semi-octets), with a trailing F, By changing this format at the sender side,we can spoof sender ID of the SMS.