RSS

Conferencia Vigilancia Invisible

Friday, May 25, 2007

Con este titulo el próximo sábado 29 de septiembre voy a impartir una conferencia en la UNED (Universidad Nacional de Educación a ... todos » Distancia) sobre “La vigilancia invisible en el ciberespacio”

“Este Programa Modular de TECNOLOGÍAS DIGITALES Y SOCIEDAD DEL CONOCIMIENTO tiene por objetivo acercar las tecnologías digitales a todos los sectores sociales. Busca superar la brecha digital marcada por cuestiones económicas o barreras físicas, así como democratizar el uso de las tecnologías. Asimismo, se pone al alcance de todos los ciudadanos y ciudadanas un diseño para todos, el gran objetivo de la Unión Europea.

Test vulnerabilidad online

Wednesday, November 09, 2005

Antes de instalar nada en nuestras máquinas podemos probar algunas herramientas de prueba para ver lo eficaces que puedens ser.

PC Vulnerability Testing

BrowserSpyThis tool will tell you all sorts of information that can be obtained about you and your browser! It's free.

HackerWhacker™See your computer the way hackers do! Run a free security check, and get tons of information.

ShieldsUP!™Can anyone crawl into your computer while you're connected to the Internet? Check and see here! It's free.

WinNuke Test PageThis page allows you to test your PC (free) for vulnerability to the "WinNuke" attack, which is a Denial of Service (DOS) attack that completely disables networking on many Win95 and WinNT machines. Try this at your own peril.

Sygate Online ServicesMany different kinds of security scans are offered here.

Security Space Security CheckThis site offers many different security tests. Any number of individual tests may be run free; however, if you want to run a complete audit, there's a fee.

Port Scan Security CheckThe Secure Design Port Scan Security Check can give you a free report of open ports that may put you at risk to the security threats on the SANS Institute's "Top Ten Most Critical Internet Security Threats" list.

CyberCop ASaP Online Vulnerability Assessment Service McAfee's CyberCop ASaP is an online vulnerability assessment service that you can try for free.

IRCBot DetectorThis tool will tell you if you have an IRCBot running on your system without your permission.

Free ibh Online NETBIOS Vulnerability CheckHere is another free online vulnerability check which includes NetBus und BO checks.

Test Your E-mail DefensesIf you wish, you will be sent an e-mail with a harmless .VBS file attached in order to see if your system detects it.

PCWorld's PC Pit Stop Run all sorts of diagnostics on your machine here.

Virus/Trojan InformationBe sure to also check your system for viruses and trojans here.

Spyware InformationBe sure to also check your system for spyware here.

As with all software, etc., try it at your own peril, and it is always wise to make a backup of your systerm before installing anything new.

google y sus búsquedas....

Tuesday, November 08, 2005

Hack con google, hackear con google, hacking

cosas que se pueden hacer en google:

Prueba a escriber lo que aparece abajo en el buscador de google podras acceder a base de datos, contraseñas, webs con bugs, hasta a numeros de targeta de credito. Practica un poco y prueba los distintos comandos, luego crea tus propias lineas para buscar. Un buen sitio de información de como hackear con google es http://johnny.ihackstuff.com/ está en inglés, pero no llegarás a nada si no visitas páginas como esta

filetype:htpasswd htpasswd
intitle:"Index of” “.htpasswd” -intitle:"dist” -apache -htpasswd.c
index.of.private (algo privado)
intitle:index.of master.passwd
inurl:passlist.txt (para encontrar listas de passwords)
intitle:"Index of..etc” passwd
intitle:admin intitle:login
“Incorrect syntax near” (SQL script error)
intitle:"the page cannot be found” inetmgr (debilidad en IIS4)
intitle:index.of ws_ftp.ini
“Supplied arguments is not a valid PostgreSQL result” (possible debilidad SQL)
_vti_pvt password intitle:index.of (Frontpage)
inurl:backup intitle:index.of inurl:admin
“Index of /backup”
index.of.password
index.of.winnt

inurl:"auth_user_file.txt”
“Index of /admin”
“Index of /password”
“Index of /mail”
“Index of /” +passwd
Index of /” +.htaccess
Index of ftp +.mdb allinurl:/cgi-bin/ +mailto
allintitle: “index of/admin”
allintitle: “index of/root”
allintitle: sensitive filetype:doc
allintitle: restricted filetype :mail
allintitle: restricted filetype:doc site:gov
administrator.pwd.index
authors.pwd.index
service.pwd.index
filetype:config web
gobal.asax index
inurl:passwd filetype:txt
inurl:admin filetype:db
inurl:iisadmin
inurl:"auth_user_file.txt”
inurl:"wwwroot/*.”
allinurl: winnt/system32/ (get cmd.exe)
allinurl:/bash_history
intitle:"Index of” .sh_history
intitle:"Index of” .bash_history
intitle:"Index of” passwd
intitle:"Index of” people.1st
intitle:"Index of” pwd.db
intitle:"Index of” etc/shadow
intitle:"Index of” spwd
intitle:"Index of” master.passwd
intitle:"Index of” htpasswd
intitle:"Index of” members OR accounts
intitle:"Index of” user_carts OR user _cart

_vti_inf.html
service.pwd
users.pwd
authors.pwd
administrators.pwd
test-cgi
wwwboard.pl
www-sql
pwd.dat
ws_ftp.log

Algunas herramientas...

Siempre es bueno disponer de buenas herramientas, por lo que pueda hacer falta:
tomado de:
http://www.cert-in.org.in/securitytools.htm

Attack & Penetration tools:

Nessus:
http://www.nessus.org/

The premier Open Source vulnerability assessment tool
Nessus is a remote security scanner forWindows, Linux, BSD, Solaris, and other Unices. It is plug-in-based, has a GTK interface, and performs over 1200 remote security checks. It allows for reports to be generated in HTML, XML, LaTeX, and ASCII text, and suggests solutions for security problems

Hping2
http://www.hping.org/

A network probing utility like ping on steroids
hping3 assembles and sends custom ICMP/UDP/TCP packets and displays any replies. It was inspired by the ping command, but offers far more control over the probes sent. It also has a handy traceroute mode and supports IP fragmentation. This tool is particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities.

DSniff
http://naughty.monkey.org/~dugsong/dsniff/

A suite of powerful network auditing and penetration-testing tools
This popular and well-engineered suite by Dug Song includes many tools. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI. A separately maintained partial Windows port is available here.

GFI LANguard
http://www.gfi.com/lannetscan/

A commercial network security scanner for Windows
LANguard scans networks and reports information such as service pack level of each machine, missing security patches, open shares, open ports, services/applications active on the computer, key registry entries, weak passwords, users and groups, and more. Scan results are outputted to an HTML report, which can be customised/queried. Apparently a limited free version is available for non-commercial/trial use.

Sam Spade
http://www.samspade.org/ssw/

SamSpade provides a consistent GUI and implementation for many handy network query tasks. It was designed with tracking down spammers in mind, but can be useful for many other network exploration, administration, and security tasks. It includes tools such as ping, nslookup, whois, dig, traceroute, finger, raw HTTP web browser, DNS zone transfer, SMTP relay check, website search, and more. Non-Windows users can enjoy online versions of many of their tools.

ISS Internet Scanner:
Application-level vulnerability assessment
http://www.iss.net/products_services/enterprise _protection/vulnerability_assessment/ scanner_internet.php

Internet Scanner started off in '92 as a tiny Open Source scanner by Christopher Klaus. Now he has grown ISS into a billion-dollar company with a myriad of security products. ISS Internet Scanner is pretty good, but is not cheap. So companies on a tight budget may wish to look at Nessus instead. A March 2003 Information Security magazine review of 5 VA tools (including these) is available here. Note that VA tools only report vulnerabilities. Commercial tools for actually exploiting them include CORE Impact and Dave Aitel's Canvas. Free exploits for some vulnerabilities can be found at sites like Packet Storm and SecurityFocus

Nikto
http://www.cirt.net/code/nikto.shtml

Nikto is a web server scanner which looks for over 2600 potentially dangerous files/CGIs and problems on over 625 servers. It uses LibWhisker but is generally updated more frequently than Whisker itself.

SuperScan: Foundstone's Windows TCP port scanner
http://www.foundstone.com/index.htm?subnav= resources/navigation.htm&subcontent=
/resources /proddesc/superscan.htm

A connect-based TCP port scanner, pinger and hostname resolver. No source code is provided. It can handle ping scans and port scans using specified IP ranges. It can also connect to any discovered open port using user-specified "helper" applications (e.g. Telnet, Web browser, FTP).

Retina:
http://www.eeye.com/html/Products/Retina/index.html

Commertial vulnerability assessment scanner by eEye Like Nessus and ISS Internet Scanner mentioned previously, Retina's function is to scan all the hosts on a network and report on any vulnerabilities found.

SAINT
http://www.saintcorporation.com/saint/

Security Administrator's Integrated Network Tool
Saint is another commercial vulnerability assessment tool (like ISS Internet Scanner or eEye Retina). Unlike those Windows-only tools, SAINT runs exclusively on UNIX. Saint used to be free and open source, but is now a commercial product.

SARA: Security Auditor's Research Assistant
http://www-arc.com/sara/

SARA is a vulnerability assessment tool that was derived from the infamous SATAN scanner. They try to release updates twice a month and try to leverage other software created by the open source community (such as Nmap and Samba).

N-Stealth: Web server scanner
http://www.nstalker.com/nstealth/

N-Stealth is a commercial web server security scanner. It is generally updated more frequently than free web scanners such as whisker and nikto, but do take their web site with a grain of salt. The claims of "20,000 vulnerabilities and exploits" and "Dozens of vulnerability checks are added every day" are highly questionable. Also note that essentially all general VA tools such as nessus, ISS, Retina, SAINT, and SARA include web scanning components. They may not all be as up-to-date or flexible though. n-stealth is Windows only and no source code is provided.

Firewalk: Advanced traceroute
http://www.packetfactory.net/projects/firewalk/

Firewalk employs traceroute-like techniques to analyze IP packet responses to determine gateway ACL filters and map networks. This classic tool was rewritten from scratch in October 2002. Note that much or all of this functionality can also be performed by the Hping2 --traceroute option.


XProbe2:
Active OS fingerprinting tool
http://www.sys-security.com/html/projects/X.html

XProbe is a tool for determining the operating system of a remote host. They do this using some of the same techniques as Nmap as well as many different ideas. Xprobe has always emphasized the ICMP protocol in their fingerprinting approach.


SolarWinds Toolsets: A plethora of network discovery/monitoring/attack tools
http://www.solarwinds.net/

SolarWinds has created and sells dozens of special-purpose tools targetted at systems administrators. Security related tools include many network discovery scanners and an SNMP brute-force cracker. These tools are Windows only, cost money, and do not include source code.


THC-Amap:
An application fingerprinting scanner
http://www.thc.org/releases.php

Amap (by THC) is a new but powerful scanner which probes each port to identify applications and services rather than relying on static port mapping.


Hunt: An advanced packet sniffing and connection intrusion tool for Linux
http://lin.fsid.cvut.cz/~kra/index.html#HUNT

Hunt can watch TCP connections, intrude into them, or reset them. Hunt is meant to be used on ethernet, and has active mechanisms to sniff switched connections. Advanced features include selective ARP relaying and connection synchronization after attacks. If you like Hunt, also take a look at Ettercap and Dsniff.

Achilles: A Windows web attack proxy
http://achilles.mavensecurity.com/

Achilles is a tool designed for testing the security of web applications. Achilles is a proxy server, which acts as a man-in-the-middle during an HTTP session. A typical HTTP proxy will relay packets to and from a client browser and a web server. Achilles will intercept an HTTP session's data in either direction and give the user the ability to alter the data before transmission. For example, during a normal HTTP SSL connection a typical proxy will relay the session between the server and the client and allow the two end nodes to negotiate SSL. In contrast, when in intercept mode, Achilles will pretend to be the server and negotiate two SSL sessions, one with the client browser and another with the web server. As data is transmitted between the two nodes, Achilles decrypts the data and gives the user the ability to alter and/or log the data in clear text before transmission.

Brutus: A network brute-force authentication cracker
http://www.hoobie.net/brutus/

This Windows-only cracker bangs against network services of remote systems trying to guess passwords by using a dictionary and permutations thereof. It supports HTTP, POP3, FTP, SMB, TELNET, IMAP, NTP, and more. No source code is available. UNIX users should take a look at THC-Hydra.

Fragroute: IDS systems' worst nightmare
http://www.monkey.org/~dugsong/fragroute/

Fragroute intercepts, modifies, and rewrites egress traffic, implementing most of the attacks described in the Secure Networks IDS Evasion paper. It features a simple ruleset language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behaviour. This tool was written in good faith to aid in the testing of intrusion detection systems, firewalls, and basic TCP/IP stack behaviour. Like Dsniff, and Libdnet, this excellent tool was written by Dug Song.

SPIKE Proxy: HTTP Hacking
http://www.immunitysec.com/resources-freesoftware.shtml

Spike Proxy is an open source HTTP proxy for finding security flaws in web sites. It is part of the Spike Application Testing Suite and supports automated SQL injection detection, web site crawling, login form brute forcing, overflow detection, and directory traversal detection.

Shadow Security Scanner: A commercial vulnerability assessment tool
http://www.safety-lab.com/en2/products/1.htm

nmap
http://www.insecure.org

A popular tool used for portsscaning and OS finger printing

Sonrie te estamos grabando

Tuesday, October 18, 2005

Alguna vez has tenido la sensación de que te observan, pués es verdad si te observan, cada vez que entras en un local sea de ocio o de compras te controlan, se extiende cada vez mas la sensación de que todos somos sospechosos hasta que se demuestre lo contrario, en los locales comerciales y de ocio la nueva moda es dejar el vigilante a la entrada vigilando los clientes, lo que suena como una nota de aviso a posibles "cacos" el caso es de quién controla al controlador, hats aque punto la vigilancia puede entrar en la intimidad de un comprador . Se puede ver muchas veces los clientes seleccionado este o aquel producto como si de un reality show se tratara. Todo televisado en directo a la vista de los clientes que entran en el local o simplemente se quedan esperando en la puerta. Cada día nos habituamos más y cada día cedemos un poquito más nuestra libertad y intimidad en pro de un " gran, gran hermano" televisado en vivo y en directo.

para saber más:

http://www.igsap.map.es/cia/dispo/11926.htm

http://www.francispisani.net/2005/08/el_auge_de_la_v.html

1984

Mil novecientos ochenta y cuatro

Fuente: Wikipedia, la enciclopedia libre.

http://es.wikipedia.org/wiki/1984_(novela)

Mil novecientos ochenta y cuatro (más conocida como 1984) (en inglés Nineteen Eighty-Four) es el título de una novela de política ficción distópica escrita por George Orwell en 1949. En la novela el estado omnipresente obliga a cumplir las leyes y normas a los miembros del partido totalitario mediante el adoctrinamiento, la propaganda, el miedo y el castigo despiadado. La novela introdujo los conceptos del siempre presente y vigilante Gran Hermano, de la notoria habitación 101, de la ubicua policía del pensamiento y de la nueva lengua de políticos y burócratas. Muchos comentaristas detectan paralelismos entre la sociedad actual y el mundo de 1984, sugiriendo que estamos comenzando a vivir en lo que se ha conocido como sociedad Orwelliana. El término Orwelliano se ha convertido en sinónimo de las sociedades u organizaciones que reproducen actitudes totalitarias y represoras como las representadas en la novela. La novela fue un éxito en términos de ventas y se ha convertido en uno de los más influyentes libros del siglo XX.

Se la considera como una de las obras cumbre de la llamada ciencia ficción distópica, junto a Un mundo feliz (A brave new world en inglés), de Aldous Huxley. El libro se ha traducido a numerosos idiomas. Algunos consideran a esta novela un plagio de la obra Nosotros escrita por Evgeny Zamiatin en 1921 aunque Orwell reconoció su influencia en su novela.

Algunos conceptos básicos

Panopticón

Fuente: Wikipedia, la enciclopedia libre.

http://es.wikipedia.org/wiki/Pan%C3%B3ptico

El panopticón es un centro penitenciario ideal diseñado por el filósofo Jeremy Bentham en 1791. El concepto de este diseño permite a un vigilante observar (-opticón) a todos (pan-) los prisioneros sin que éstos puedan decir si están siendo observados o no.

Diseño del panopticón de Bentham
Diseño del panopticón de Bentham

La estructura de la prisión incorpora una torre de vigilancia en el centro de un edificio anular que está dividido en celdas. Cada una de estas celdas comprende una superficie tal que permite tener dos ventanas: una exterior para que entre la luz y otra interior dirigida hacia la torre de vigilancia. Los ocupantes de las celdas se encontrarían aislados unos de otros por paredes y sujetos al escrutinio colectivo e individual de un vigilante en la torre que permanecería oculto. Para ello, Bentham no sólo imaginó persianas venecianas en las ventanas de la torre de observación, sino también conexiones laberínticas entre las salas de la torre para evitar destellos de luz o ruido que pudieran delatar la presencia de un observador. [1]

De acuerdo con el diseño de Bentham, este sería un diseño más barato que el de las prisiones de su época, ya que requiere menos empleados. Puesto que los vigilantes no pueden ser vistos, no sería necesario que estuvieran trabajando todo el tiempo, dejando la labor de la observación al observado.

Aunque el diseño tuvo efectos limitados en las cárceles de la época de Bentham, se vio como un desarrollo importante. Así, Michel Foucault (en "Disciplina y castigo") consideró el diseño como un ejemplo de una nueva tecnología de observación que trascendería al ejército, a la educación y a las fábricas. Un ejemplo de panopticón en España fue la Cárcel Modelo de Madrid.

Quién controla y como controla la economía

La revista Forbes, es mundialmente conocida por ser la revista de los mas ricos sobre el planeta, a nosotros esto nos vale para denunciar quién controla la economía y con ello la forma de pensar y actuar sobre nuestro entorno.



the Forbes Global 2000
A World Of Big Companies
04.18.05

America




Eurasia, Africa & Oceania






Si comparamos la distribucción entre las empresas del norte y del sur vemos claramente la enorme diferencia que existen tan solo 87 grandes empresas en el sur frente a 1992 del norte, son datos para pensar, Como ejercicio busca que paises del sur faltan y mira que población tienen.




Fuente: http://www.forbes.com/free_forbes/2005/0418/200.html