knowledge

Hack Attacks Revealed

2009-04-05T09:23:00.001-07:00

Take a technogothic journey inside the world of a hacker as seen by security expert John Chirillo. Drawing on his own experience as a hacking consultant for Fortune 1000 companies, Chirillo shows how hackers can exploit network security holes and how you can recognize an oncoming threat to your security. The book features details of the powerful Tiger Box® system, used by hackers to penetrate vulnerable networks, and teaches you how to use that same tool to your advantage.

In this highly provocative work, you’ll discover:

• The hacker’s perspective on networking protocols and communication technologies

• A complete hacker’s technology handbook, illustrating techniques used by hackers, crackers, phreaks, and cyberpunks

• Information discovery and scanning tools for hacking into known and unknown ports and service vulnerabilities

• Detailed instructions for customizing the Tiger Box for your needs and using it to search hack attacks
Download:
click here to download

Hacker's Challenge

2009-04-05T09:18:00.000-07:00

Hacker's Challenge : Test Your Incident Response Skills Using 20 Scenarios by Mike Schiffman (Conductor)
Publisher: McGraw-Hill Osborne Media (October 1, 2001) | ISBN-10: 0072193840 | PDF | 19,3 Mb | 300 pages

Mike Schiffman has hit upon a great formula for Hacker's Challenge. Rather than try to research, fully understand, and adequately explain attacks that have taken place on other people's networks--the approach taken by too many writers of books about computer security--Schiffman lets network administrators and security experts tell their stories first-hand. This is good. What's better is that Schiffman has edited each of their war stories into two sections: one that presents the observations the sysadmin or security consultant made at the time of the attack, and another (in a separate part of the book) that ties the clues together and explains exactly what was going on. The challenge in the title is for you to figure out what the bad guys were doing--and how best to stop them--before looking at the printed solution. Let's call this book what it is: an book for people with an interest in network security.

It doesn't really matter, from a value-for-money standpoint, whether your skills are up to the challenge or not. The accounts of intrusions--these are no-kidding, real-life attacks that you can probably learn from, by the way--are written like chapters from a novel (though log file listings, network diagrams, and performance graphs appear alongside the narrative text). Recall every time you've seen a movie or read a book with computer scenes so technically inaccurate they made you wish for a writer with a clue. Schiffman and Hacker's Challenge is what you wished for. --David Wall
Download:
click here to download

Installing a VPN client in Windows XP

2009-04-04T02:51:00.000-07:00

Installing a VPN client in Windows XP
To let a client connect to your VPN server, you need to define all the connection settings (server address, protocols to be used, etc.) The new connection wizard available from the Network connections icon in the control panel enables this configuration:

Then click Next:

Out of the three choices offered in the window, select "Connect to the network at my workplace":

On the next screen select "Virtual private network connection":

Then enter a name that best describes the name of the virtual private network you want to connect to:

The next screen lets you determine whether a connection needs to be established before connecting to the virtual private network. Most of the time (if you are on a permanent connection or ADSL or cable access), it will not be necessary to establish the connection since the computer is already connected to the Internet; if this is not the case select the connection to be established from the list:

To access the remote access server (VPN server or host), you must specify its address (IP address or host name). If it does not have an IP address, you will need to equip it with a dynamic naming system (DynDNS) capable of assigning it a domain name and specify this name in the following field:

Once you have finished defining the VPN connection, a connection window opens asking you for a login and password:

Before connecting, you need to define some settings by clicking the Properties button at the bottom of the window. A window featuring a certain number of tabs then lets you more narrowly configure the connection. In the Network management tab, select the PPTP protocol from the scrollable list; select the (TCP/IP) Internet protocol and click Properties:

The window that appears lets you define the IP address the client machine will have when connecting to the remote access server. This lets you have addressing that is consistent with the remote addressing. As such, the VPN server is capable of acting as a DHCP server, that is, of automatically providing the VPN client with a valid address. To do so, simply select the "Obtain an address automatically" option:

In the event that the client uses the DHCP, if the server assigns an internal IP address, the client will be connected to the workplace network and will benefit from its services but will no longer have Internet access via the interface used since the IP address is not routable. In order to let the client be connected to the VPN and still have Internet access via this connection, the VPN server must be configured such that it shares its connection! The Advanced button lets the client use the VPN server's gateway in the event that the latter shares it connection:

To be able to set up the VPN connection, intermediary firewalls, and particularly XP's native firewall, need to be configured to let the connection be established. You therefore need to disable Windows XP's native firewall by doing the following:
1. In the control panel click Network connections,
2. Right-click the connection you use,
3. Select the Advanced settings tab,
4. Make sure the Internet connection firewall option is disabled.

Installing a VPN server in Windows XP

2009-04-04T02:36:00.000-07:00

Setting up a VPN in Windows XP

Windows XP makes it possible to natively manage small virtual private networks; this feature is particularly suitable for small business or family networks (called SOHO, for Small Office/Home Office). To set up a virtual private network, you simply need to install a remote access server (VPN server) on your local area network that can be accessed from the Internet and configure each client to enable it to connect.
Installing a VPN server in Windows XP

In our example we will assume that the machine to be used as VPN server on the local area network has two interfaces - one to the local area network (a network card for example) and one to the Internet (an ADSL connection or a cable connection for example). It will be via its Internet-connected interface that VPN clients will connect to the local area network.

To make it possible for this machine to manage virtual private networks, simply open Network Connections in the Control panel. In the now open window, double-click New connection wizard:

Then click Next:

Out of the three choices offered in the window, select "Set up an advanced connection":

On the next screen select "Accept incoming connections":

The next screen presents devices you can select for a direct connection. It is possible that no devices will be proposed. Unless you have a special need, you won't need to select one:

From the next window select "Allow virtual private connections":

A list of the system's users appears; simply select or add users authorized to connect to the VPN server:

Then select the list of protocols authorized via the VPN:

Click the Properties button associated with the TCP/IP protocol to define the IP addresses the server assigns to the client for the entire session. If the local area network the server is on does not have specific addressing you can let the server automatically determine an IP address. However, if the network has a specific addressing plan, you can define the range of addresses to be assigned:

Configuration of the VPN server is now complete; you can click the Finish button:

Finish

Ten Tips for writing a blog post

2009-03-17T03:30:00.001-07:00

Here are ten tips that help me with my blog writing.

1. Make your opinion known
2. Link like crazy
3. Write less
4. 250 Words is enough
5. Make Headlines snappy
6. Write with passion
7. Include Bullet point lists
8. Edit your post
9. Make your posts easy to scan
10. Be consistent with your style
11. Litter the post with keywords

1. Make your opinion known
People like blogs, they like blogs because they are written by people and not corporations. People want to know what people think, crazy as it sounds they want to know what you think. Tell them exactly what you think using the least amount of words possible.

2. Link like crazy.
Support your post with links to other web pages that are contextual to your post.

3. Write Less
Give the maximum amount of information with the least amount of words. Time is finite and people are infinitely busy. Blast your knowledge into the reader at the speed of sound.

4. 250 is enough
A long post is easier to forget and harder to get into. A short post is the opposite.

5. Make Headlines snappy
Contain your whole argument in your headline. Check out National newspapers to see how they do it.

6. Include bullet point lists
We all love lists, it structures the info in an easily digestible format.

7. Make your posts easy to scan
Every few paragraphs insert a sub heading. Make sentences and headlines short and to the point.

8. Be consistent with your style
People like to know what to expect, once you have settled on a style for your audience stick to it.

9. Litter the post with Keywords.
Think about what keywords people would use to search for your post and include them in the body text and headers. make sure the keyword placement is natural and does not seem out of place.

10. Edit your post
Good writing is in the editing. Before you hit the submit button, re-read your post and cut out the stuff that you don’t need.

I hope you enjoyed my tips for writing a blog post - feel free to share your own blog writing tips below.

Install LOCALHOST

2009-03-16T21:41:00.000-07:00

When you are making a web page, the easiest way of view a page stored in your hard disk is double-clicking in the file, which usually results in the page being opened in your default browser. Although this method (which I still use sometimes) it's good enough for simple static pages, it's not useful if you you are using server side languages (PHP, Perl, ASP...), or even for pages that are static but use links relative to the server root (like "/index.html" or "/css/styles.css"). In this situations the solution is either upload the files to the server of your web host (quite cumbersome, and not feasible or desirable if the site is already open to the public) or set up a test server in your local network/computer, which is the quick and safe way of testing your design changes.

I'll try to describe in a simple way how to set up an Apache server on Windows for testing purposes, with the option of include PHP and MySQL. This can be useful even if your web host runs on Linux/FreeBSD/Unix, since the funtionality will be more or less the same (unless you use specific OS/server features). It can also be useful for learning and/or testing popular Apache modules like mod_rewrite that are not directly available for other servers (e.g. IIS)

Only PHP is covered since is free and widely used nowadays (ASP is tied to IIS and Perl users probably prefer Linux :-). The same reasons apply to MySQL. I'm going to describe how to set up a standalone Apache server and then how to add PHP and MySQL, so people that don't need PHP or MySQL can skip those steps.

Security considerations
Since testing is the primary goal here, I won't discuss the security practices related to Windows+Apache+MySQL+PHP. But with a simple step you can secure your test server from external attacks: configure your firewall to block all Internet access to the server, as only your computer (or your local network) needs access to it.

On other hand, don't think that test servers doesn't need any protection. If you leave the server open to Internet, you'll be exposed in the same way as production web sites, since hackers/crackers usually scans ranges of IP numbers looking for known vulnerabilities instead of targeting specific web sites.

Getting the installation files
Among all the versions available I'm going to use Apache2, PHP 4.4.x and MySQL 4.0.x for this tutorial. Apache2 because it's designed for working more efficiently on Windows than Apache 1.3.x while maintaining the compatibility, PHP 4.4.x because most production environments haven't migrated to PHP 5.x yet, and MySQL 4.0.x because versions 4.1 and higher only works with PHP 5.x . I don't provide the direct links to the files since these sites rely on mirrors for the downloads, and they release frequent minor updates/fixes, and therefore the file names change.

Apache: http://httpd.apache.org/download.cgi
Download the Win32 Binary (MSI Installer) (apache_2.0.xx-win32-x86-no_ssl.msi).

PHP: http://www.php.net/downloads.php
Download the Windows binaries, both the ZIP package (php-4.4.x-Win32.zip) and the Installer (php-4.4.x-installer.exe).

MySQL: http://dev.mysql.com/downloads/mysql/4.0.html
Download the Windows (x86) package (mysql-4.0.xx-win32.zip).

phpMyAdmin: http://www.phpmyadmin.net/home_page/downloads.php
A popular MySQL administration tool. Download the ZIP package (phpMyAdmin-2.x.x-plx.zip).

Setting up Apache

2009-03-16T19:46:00.000-07:00

Installation
Double-click in the .MSI file to launch the installation of Apache (Windows 98/Me users may need to install previously the MS Windows Installer). After accepting the license, you'll be prompted for some information: Network domain, Server name and Administrator's email. Since this will be a test server, you can enter whatever you want, but I recommend using your computer network name as server and domain, since this allows accessing the server from other computers in the local network by name instead of by IP number only. Then enter a dummy email direction like "admin@networkname" (we don't need that feature). Regarding the options of the bottom, use the recommended option even if you want to start the server manually (we'll see how to change this later). Windows 98/Me users must select the second option since that versions of Windows doesn't support system services.

Then choose Custom install and remove Build Headers and Libraries, since they are needed only for developing server extensions. You can remove the Apache Documentation if you don't need it. Also, you can change here the installation folder.

Press Next for starting the installation. If all goes well, the Apache service will be started and you'll notice a new icon in your system tray: the Apache Service Monitor. This is a handy tool for managing the Apache service: you can start, stop and restart the service from here.

Note for Windows 98/Me users: You need to use the shortcut Start Apache in Console for starting the server. To close the server, press Ctrl+C on the Apache console window.

Firewall permissions
At this point, if you have running a firewall in your computer (if not, you really should) you probably will get a notification about letting "Apache HTTP Server" or "Apache.exe" run as a server. My recommendations are:

* Access/outbound permissions.
You should allow Apache outbound access to both the local network/trusted zones and to Internet, since you could need external access for some PHP scripts (e.g. a script that fetch an XML from another web site file for processing it).
* Server/inbound permissions.
You have to give Apache server permissions in the local network/trusted zones (or the firewall will block any connection attempts), but you should block the inbound access from Internet. Since the server is only intended for doing local tests, you don't need to expose yourself to hackers without reason.

Note about routers/NAT: If your Internet access is provided through a router (using NAT), all inbound traffic from Internet is automatically blocked, unless you configure the router to allow inbound access on some ports. This is great from the point of view of security but terrible if you want to allow access to the server from Internet. If for some reason you need external access to your test server, check your router documentation about how to map the port used by Apache (by default port 80) to your computer.
Now if you open "http://localhost/" in your browser you should get the welcome page of Apache.

Now let's see how you can configure some basic server options to suit your needs.

Server configuration file
Most of the Apache configuration is stored in the httpd.conf file located inside the "conf" subfolder of the Apache installation folder. There is also another file, httpd.default.conf, that contains the default configuration of the server (very useful if you mess something in the configuration and the server stops working).

Changing the server root folder
By default, the Apache uses as the server root the "htdocs" folder located inside its installation folder. This is the folder in which you need to put the files that are going to be served by Apache. If you want to use another one, locate in httpd.conf the DocumentRoot option and put the folder that you want to use as server's root (surrounded by double quotes). Then move a few lines below until you find the comment that reads "This [the following line] should be changed to whatever you set DocumentRoot to", and follow its advice. For example, if you want to change the server root to "D:\Web server" you have to use the following configuration lines:

DocumentRoot "D:/Web server"

and several lines below:

Directory "D:/Web server"

Note that in the Windows version of Apache you can use slashes or backslashes indistinctly for path names, it would work the same (I use slashes since it's the usual way).

Finally, restart the server to apply the changes. The next time you access to "http://localhost/" you should see listed the contents of new root folder. Here you can see two captures of the server root of one of my test machines, one from the same machine in which the server is installed, and the other from another machine in the same local network:

Activating Apache modules
Apache uses a series of modules to extend the server capabilities (like mod_ssl for adding support to secure connections or mod_rewrite for URL rewriting). By default, not all the modules are loaded. If you need to activate some of them, look for the modules section of httpd.conf (the one that contains a lot of LoadModule lines). If the line describing the module is commented (i.e. it begins with a "#") that module is not active, and you need to remove the comment character to activate it.

For example, if you want to activate the mod_rewrite module, first you need to find the line describing that module:

#LoadModule rewrite_module modules/mod_rewrite.so

and then remove the "#" to activate it:

LoadModule rewrite_module modules/mod_rewrite.so

After this, restart the server to apply the configuration changes.

Other configuration changes
Changing the server to manual start. If you don't want to have the server always loaded, double click in Apache Service Monitor tray icon to open the main window and press the Services button. Look for "Apache2" in the list and double-click it to get the service properties. In the properties dialog change the start type from Automatic to Manual and click OK. From now, the server will only be started when you use the Start button of the Apache Service Monitor, or the equivalent shortcut located in the Apache 2.0.xx folder of the Start Menu.
Activating .htaccess files. By default, Apache doesn't allow modify the server configuration using .htaccess files. If you want to activate this behaviour, yo need to find in the httpd.conf the following line:
AllowOverride None

and change it to:

AllowOverride All

Note that there is another line with the same text "inside" of a tag. You have to change the line that is not surrounded by other configuration parameters.
Addign a default character set. Although you can do this in your .htaccess file, if you want to put a default character set for all your pages, you can do it adding to the httpd.conf file a line like one of this:
AddDefaultCharset ISO-8859-1
AddDefaultCharset ISO-8859-15
AddDefaultCharset UTF-8
...

or whatever character set you need to use.
A bit of troubleshooting
Port 80 already in use. If you receive an error message like this:

ERROR 1
Only one usage of each socket address is normally permitted. : make_sock: could not bind address 0.0.0.0.:80 no listening sockets available, shutting down
Unable to open logs
Note the errors or messages above, and press key to ext. ...

ERROR2
[Sat Oct 09 14;22:48 2004] [error] The system cannot find the specific
ed. : no installed service named "Apache2".
Note the errors or messages above, and press key to exit

it means that there is another server already running on port 80 (the default port used for HTTP connections). Only one application can listen for connections in a given port at the same time, so if you have active another server (like IIS), Apache can't use that port.

The solution for this is as simple as close or disable the other program when you need to use Apache. If you don't know what program is using that port, you can use an utility like Active Ports or TCPView for getting the list of programs associated to any active port in the system.

If for some reason you need to maintain the other program running in the port 80, you can change the port number in which Apache will listen for connections. You can use any port number that is not already used by another program between 1024 and 65535 (e.g. 8080, 8000, 10080, 12345...). For doing that open the httpd.conf file and find the following lines (they are located in different parts of the file):

Listen 80

ServerName your-server-name:80

and then replace the 80 with the port number you want to use:

Listen 8080

ServerName your-server-name:8080

After this you can access to the server using the host name plus the port number separated by a colon, like in this examples:

http://localhost:8080/
http://your-server-name:8080/

Setting up PHP

2009-03-16T18:48:00.000-07:00

Installation

The installation of PHP is bit odd since instead of using a single installation package you need the ZIP package and the installer package, since the installer doesn't contain the full PHP package (but it's useful for creating a working php.ini file easily). Also, the part of the PHP installer for configuring Apache hasn't been finished yet for versions 4.x, so we'll need to add some lines to httpd.conf.

First, unpack the contents of the ZIP file to the folder in which you want to install PHP. Note that the ZIP package already contains a folder named "php-4.4.x-Win32", so if you unpack the file in "C:\Program Files\PHP\" the PHP files will be stored in "C:\Program Files\PHP\php-4.4.x-Win32\". Don't use the option of not extracting folders/pathnames or PHP won't work.

Then run the installer and select the Standard installation. In the next panel select the folder in which you unpacked the PHP package (the folder that contains the php.exe file). Left unchanged the panel about SMTP configuration (SMTP won't run on Windows unless you install an SMTP server) and in the next panel select Apache from the list of servers. Finally, press Next to start the installation. If all goes fine, the installer will create a php.ini file in the Windows folder with the PHP configuration, and some directories in the PHP folder.

Changes to the Apache configuration

Before enabling the Apache module for PHP, you need to copy the file php4ts.dll located in the PHP installation folder to the System folder (usually "C:\Windows\System" for Windows 98/Me, "C:\Winnt\System32" for Win2000 and "C:\Windows\System32" for WinXP).

Then you need to enable PHP in the Apache server. Supposing that you installed PHP in "C:\Program files\PHP", you need add the following lines at the end of the modules section of httpd.conf:

LoadModule php4_module "c:/Program files/PHP/sapi/php4apache2.dll"
AddType application/x-httpd-php .php

Finally, locate the DirectoryIndex option and add "index.php" at the end of that line. The resulting line should be:

DirectoryIndex index.html index.html.var index.php

After restarting the Apache server, you should note that the index of the server root now shows "Apache/2.0.xx (Win32) PHP/4.4.x" at the bottom of the page. If you want to test the new configuration, create a file named "index.php" in the server root folder and put inside the following line:

After saving the file, if you open "http://localhost/" in your browser you should get something like this:

Activating useful PHP extensions
As well as Apache, PHP use extensions to extend its capabilities. By default, all of the extensions of PHP are disabled. If you need to activate a extension, look for the extensions section of the php.ini file (it begins with Windows Extensions). Then locate the line with the module you want to activate and remove the comment (the ";" character) present at the beginning of the line.

Some of the extensions require additional DLL's to work. That DLL'S are located in the "dlls" subfolder inside of the PHP folder and must be copied your System folder prior to activating that extensions. In the table below you can see a list of the most common extensions that need additional DLL's:

For example, if you want to activate the extensions "php_domxml.dll" (for DOM XML functions) and "php_gd2.dll" (for image functions), you need to uncomment the following lines:

extension=php_domxml.dll
extension=php_gd2.dll

And since "php_domxml.dll" requires "iconv.dll", you need to copy that file to your System folder.

"Hey, my old PHP code doesn't work!"
If after setting up your local server you fing that some of your code doesn't work on it, is highly probable that you are still relying in the deprecated register_globals option of the php.ini file. This option has been disabled by default in PHP for more than three years due to security issues, and consequently very few hosting providers enable it nowadays. Anyway, a few administrators still enable it in order to support legacy code (which is an invitation to having your site hacked if the hosted PHP code doesn't make the proper security checks).

The typical example of code that rely on register_globals is when you use the data posted by a form in this way:

In the same way, if you need to get the document root you have to use $_SERVER['DOCUMENT_ROOT'] instead of $DOCUMENT_ROOT. For more information, take a look to the following pages of the PHP manual:

Superglobals variables: http://www.php.net/variables.predefined
Security issues of Register Globals: http://www.php.net/register_globals

Exploiting Software, How to Break Code

2009-03-16T07:12:00.000-07:00

Exploiting Software: How to Break Code (Paperback)
by Greg Hoglund, Gary McGraw
Paperback: 512 pages
Publisher: Addison-Wesley Professional (February 17, 2004)
Language: English
ISBN: 0201786958

Software security is gaining momentum as security professionals realize that computer security is really all about making software behave. The publication of Building Secure Software in 2001 (Viega and McGraw) unleashed a number of related books that have crystallized software security as a critical field. Already, security professionals, software developers, and business leaders are resonating with the message and asking for more. Building Secure Software (co-authored by McGraw) is intended for software professionals ranging from developers to managers, and is aimed at helping people develop more secure code. Exploiting Software is useful to the same target audience, but is really intended for security professionals interested in how to find new flaws in software. This book should be of particular interest to security practitioners working to beef up their software security skills, including red teams and ethical hackers. Exploiting Software is about how to break code. Our intention is to provide a realistic view of the technical issues faced by security professionals. This book is aimed directly toward software security as opposed to network security. As security professionals come to grips with the software security problem, they need to understand how software systems break. Solutions to each of the problems discussed in Exploiting Software can be found in Building Secure Software. The two books are mirror images of each other. We believe that software security and application security practitioners are in for a reality check. The problem is that simple and popular approaches being hawked by upstart "application security" vendors as solutions--such as canned black box testing tools--barely scratch the surface. This book aims to cut directly through the hype to the heart of the matter. We need to get real about what we're up against. This book describes exactly that. What This Book Is About This book closely examines many real-world software exploits, explaining how and why they work, the attack patterns they are based on, and in some cases how they were discovered. Along the way, this book also shows how to uncover new software vulnerabilities and how to use them to break machines. Chapter 1 describes why software is the root of the computer security problem. We introduce the trinity of trouble--complexity, extensibility, and connectivity--and describe why the software security problem is growing. We also describe the future of software and its implications for software exploit. Chapter 2 describes the difference between implementation bugs and architectural flaws. We discuss the problem of securing an open system, and explain why risk management is the only sane approach. Two real-world exploits are introduced: one very simple and one technically complex. At the heart of Chapter 2 is a description of attack patterns. We show how attack patterns fit into the classic network security paradigm and describe the role that attack patterns play in the rest of the book. The subject of Chapter 3 is reverse engineering. Attackers disassemble, decompile, and deconstruct programs to understand how they work and how they can be made not to. Chapter 3 describes common gray box analysis techniques, including the idea of using a security patch as an attack map. We discuss Interactive Disassembler (IDA), the state-of-the-art tool used by hackers to understand programs. We also discuss in detail how real cracking tools are built and used. In Chapters 4, 5, 6, and 7, we discuss particular attack examples that provide instances of attack patterns. These examples are marked with an asterisk. Chapters 4 and 5 cover the two ends of the client-server model. Chapter 4 begins where the book Hacking Exposed McClure et al., 1999 leaves off, discussing trusted input, privilege escalation, injection, path tracing, exploiting trust, and other attack techniques specific to server software. Chapter 5 is about attacking client software using in-band signals, cross-site scripting, and mobile code. The problem of backwash attacks is also introduced. Both chapters are studded with attack patterns and examples of real attacks. Chapter 6 is about crafting malicious input. It goes far beyond standard-issue "fuzzing" to discuss partition analysis, tracing code, and reversing parser code. Special attention is paid to crafting equivalent requests using alternate encoding techniques. Once again, both real-world example exploits and the attack patterns that inspire them are highlighted throughout. The whipping boy of software security, the dreaded buffer overflow, is the subject of Chapter 7. This chapter is a highly technical treatment of buffer overflow attacks that leverages the fact that other texts supply the basics. We discuss buffer overflows in embedded systems, database buffer overflows, buffer overflow as targeted against Java, and content-based buffer overflows. Chapter 7 also describes how to find potential buffer overflows of all kinds, including stack overflows, arithmetic errors, format string vulnerabilities, heap overflows, C++ vtables, and multistage trampolines. Payload architecture is covered in detail for a number of platforms, including x86, MIPS, SPARC, and PA-RISC. Advanced techniques such as active armor and the use of trampolines to defeat weak security mechanisms are also covered. Chapter 7 includes a large number of attack patterns. Chapter 8 is about rootkits--the ultimate apex of software exploit. This is what it means for a machine to be "owned." Chapter 8 centers around code for a real Windows XP rootkit. We cover call hooking, executable redirection, hiding files and processes, network support, and patching binary code. Hardware issues are also discussed in detail, including techniques used in the wild to hide rootkits in EEPROM. A number of advanced rootkit topics top off Chapter 8. As you can see, Exploiting Software runs the gamut of software risk, from malicious input to stealthy rootkits. Using attack patterns, real code, and example exploits, we clearly demonstrate the techniques that are used every day by real malicious hackers against software. How to Use This Book This book is useful to many different kinds of people: network administrators, security consultants, information warriors, developers, and security programmers. If you are responsible for a network full of running software, you should read this book to learn the kinds of weaknesses that exist in your system and how they are likely to manifest. If you are a security consultant, you should read this book so you can effectively locate, understand, and measure security holes in customer systems. If you are involved in offensive information warfare, you should use this book to learn how to penetrate enemy systems through software. If you create software for a living, you should read this book to understand how attackers will approach your creation. Today, all developers should be security minded. The knowledge here will arm you with a real understanding of the software security problem. If you are a security programmer who knows your way around code, you will love this book. The primary audience for this book is the security programmer, but there are important lessons here for all computer professionals. But Isn't This Too Dangerous? It's important to emphasize that none of the information we discuss here is news to the hacker community. Some of these techniques are as old as the hills. Our real objective is to provide some eye-opening information and up the level of discourse in software security. Some security experts may worry that revealing the techniques described in this book will encourage more people to try them out. Perhaps this is true, but hackers have always had better lines of communication and information sharing than the good guys. This information needs to be understood and digested by security professionals so that they know the magnitude of the problem and they can begin to address it properly. Shall we grab the bull by the horns or put our head in the sand? Perhaps this book will shock you. No matter what, it will educate you.
link download:
http://rapidshare.de/files/27479868/Addison.Wesley.Pub.Exploiting.Software.How.to.Break.Code.eBook-kB.pdf

Hacking Exposed fifth edition

2009-03-16T07:10:00.000-07:00

A lot of computer-security textbooks approach the subject from a defensive point of view. “Do this, and probably you’ll survive a particular kind of attack,” they say. In refreshing contrast, Hacking Exposed, Second Edition talks about security from an offensive angle. A Jane’s-like catalog of the weaponry that black-hat hackers use is laid out in full. Readers see what programs are out there, get a rundown on what the programs can do, and benefit from detailed explanations of concepts (such as wardialing and rootkits) that most system administrators kind of understand, but perhaps not in detail. The book also walks through how to use the more powerful and popular hacker software, including L0phtCrack. This new edition has been updated extensively, largely with the results of “honeypot” exercises (in which attacks on sacrificial machines are monitored) and Windows 2000 public security trials. There’s a lot of new stuff on e-mail worms, distributed denial-of-service (DDoS) attacks, and attacks that involve routing protocols.

The result of all of this familiarity with bad-guy tools is a leg up on defending against them. Hacking Exposed wastes no time in explaining how to implement the countermeasures–where they exist–that will render known attacks ineffective. Taking on the major network operating systems and network devices one at a time, the authors tell you exactly what Unix configuration files to alter, what Windows NT Registry keys to change, and what settings to make in NetWare. They spare no criticism of products with which they aren’t impressed, and don’t hesitate to point out inherent, uncorrectable security weaknesses where they find them. This book is no mere rehashing of generally accepted security practices. It and its companion Web site are the best way for all of you network administrators to know thine enemies. –David Wall

Topics covered:
Security vulnerabilities of operating systems, applications, and network devices
Administrative procedures that will help defeat them
Techniques for hacking Windows 95, Windows 98, Windows Me, Windows NT 4.0, Windows 2000, Novell NetWare, and Unix
Strategies for breaking into (or bringing down) telephony devices, routers, and firewalls
link download:
link:http://rapidshare.com/files/37093636/Hacking_Exposed_5th_Ed_0072260815.rar

Hacking RSS and Atom

2009-03-16T07:08:00.000-07:00

Hacking RSS and Atom
Wiley | ISBN: 0764597582 | 602 pages | September 9, 2005 | PDF

Now you can satisfy your appetite for information
This book is not about the minutia of RSS and Atom programming. It's about doing cool stuff with syndication feeds-making the technology give you exactly what you want the way you want. It's about building a feed aggregator and routing feeds to your e-mail or iPod, producing and hosting feeds, filtering, sifting, and blending them, and much more. Tan-talizing loose ends beg you to create more hacks the author hasn't thought up yet. Because if you can't have fun with the technology, what's the point?

A sampler platter of things you'll learn to do
* Build a simple feed aggregator
* Add feeds to your buddy list
* Tune into rich media feeds with BitTorrent
* Monitor system logs and events with feeds
* Scrape feeds from old-fashioned Web sites
* Reroute mailing lists into your aggregator
* Distill popular links from blogs
* Republish feed headlines on your Web site
* Extend feeds using calendar events and microformats
Link download:
http://rapidshare.com/files/21590434/0764597582.rar

Practical Hacking Techniques and Counter measures (Hardcover)

2009-03-16T07:06:00.000-07:00

Book Description
Practical Hacking Techniques and Countermeasures examines computer security from the hacker's perspective, demonstrating how a computer system can be successfully attacked and compromised. This book shows how an attack is conceptualized, formulated and performed. With the VMware® Workstation software package available on the accompanying CD, it uses virtual computers to illustrate how an attack is executed, including the script, compilation, and results. It offers examples of attacks on Windows and Linux. It also covers such topics as footprinting, scanning, sniffing, passwords, and other attack tools. This text provides valuable information for constructing a system to defend against attacks.

link download: http://rapidshare.com/files/22709075/Auerbach.Practical.Hacking.Techniques.and.Countermeasures.rar

Malicious Cryptography: Exposing Cryptovirology (Paperback)

2009-03-16T07:04:00.000-07:00

Book Description
Hackers have uncovered the dark side of cryptography—that device developed to defeat Trojan horses, viruses, password theft, and other cyber-crime. It’s called cryptovirology, the art of turning the very methods designed to protect your data into a means of subverting it. In this fascinating, disturbing volume, the experts who first identified cryptovirology show you exactly what you’re up against and how to fight back.

They will take you inside the brilliant and devious mind of a hacker—as much an addict as the vacant-eyed denizen of the crackhouse—so you can feel the rush and recognize your opponent’s power. Then, they will arm you for the counterattack.

This book reads like a futuristic fantasy, but be assured, the threat is ominously real. Vigilance is essential, now.

* Understand the mechanics of computationally secure information stealing
* Learn how non-zero sum Game Theory is used to develop survivable malware
* Discover how hackers use public key cryptography to mount extortion attacks
* Recognize and combat the danger of kleptographic attacks on smart-card devices
* Build a strong arsenal against a cryptovirology attack
Link download:
http://rapidshare.com/files/20156844/John.Wiley.and.Sons.Malicious.Cryptography.Exposing.Cryptovirology.pdf

Pro PHP Security (Pro) (Paperback)

2009-03-16T07:01:00.000-07:00

Book Description

Pro PHP Security is one of the first books devoted solely to PHP security. It will serve as your complete guide for taking defensive and proactive security measures within your PHP applications. (And the methods discussed are compatible with PHP versions 3, 4, and 5.)

The knowledge you'll gain from this comprehensive guide will help you prevent attackers from potentially disrupting site operation or destroying data. And you'll learn about various security measures, for example, creating and deploying "captchas," validating e-mail, fending off SQL injection attacks, and preventing cross-site scripting attempts.

Link download:
http://rapidshare.com/files/19592461/Apress.Pro.PHP.Security.Aug.2005.pdf

The Art of Computer Virus Research and Defense

2009-03-16T07:00:00.000-07:00

Category: Other
Language: English
FileType: CHM
File size: 13773 KB
Preface Preface Who Should Read This Book Over the last two decades, several publications appeared on the subject of computer viruses, but only a few have been written by professionals ("insiders") of computer virus research.
Although many books exist that discuss the computer virus problem, they usually target a novice audience and are simply not too interesting for the technical professionals.
There are only a few works that have no worries going into the technical details, necessary to understand, to effectively defend against computer viruses.
Part of the problem is that existing books have little if any information about the current complexity of computer viruses.
For example, they lack serious technical information on fast-spreading computer worms that exploit vulnerabilities to invade target systems, or they do not discuss recent code evolution techniques such as code metamorphism.
If you wanted to get all the information I have in this book, you would need to spend a lot of time reading articles and papers that are often hidden somewhere deep inside computer virus and security conference proceedings, and perhaps you would need to dig into malicious code for years to extract the relevant details.
I believe that this book is most useful for IT and security professionals who fight against computer viruses on a daily basis.
Nowadays, system administrators as well as individual home users often need to deal with computer worms and other malicious programs on their networks. Unfortunately, security courses have very little training on computer virus protection, and the general public knows very little about how to analyze and defend their network from such attacks.
To make things more difficult, computer virus analysis techniques have not been discussed in any existing works in sufficient length before.
I also think that, for anybody interested in information security, being aware of what the computer virus writers have "achieved" so far is an important thing to know.

For years, computer virus researchers used to be "file" or "infected object" oriented.
To the contrary, security professionals were excited about suspicious events only on the network level.
In addition, threats such as CodeRed worm appeared to inject their code into the memory of vulnerable processes over the network, but did not "infect" objects on the disk.
Today, it is important to understand all of these major perspectives the file (storage), in-memory, and network views and correlate the events using malicious code analysis techniques.
During the years, I have trained many computer virus and security analysts to effectively analyze and respond to malicious code threats.
In this book, I have included information about anything that I ever had to deal with.
For example, I have relevant examples of ancient threats, such as 8-bit viruses on the Commodore 64.
You will see that techniques such as stealth technology appeared in the earliest computer viruses, and on a variety of platforms.
Thus, you will be able to realize that current rootkits do not represent anything new! You will find sufficient coverage on 32-bit Windows worm threats with in-depth exploit discussions, as well as 64-bit viruses and "pocket monsters" on mobile devices.
All along the way, my goal is to illustrate how old techniques "reincarnate" in new threats and demonstrate up-to-date attacks with just enough technical details.
I am sure that many of you are interested in joining the fight against malicious code, and perhaps, just like me, some of you will become inventors of defense techniques.
All of you should, however, be aware of the pitfalls and the challenges of this field! That is what this book is all about.
What I Cover The purpose of this book is to demonstrate the current state of the art of computer virus and antivirus developments and to teach you the methodology of computer virus analysis and protection.
I discuss infection techniques of computer viruses from all possible perspectives: file (on storage), in-memory, and network. I classify and tell you all about the dirty little tricks of computer viruses that bad guys developed over the last two decades and tell you what has been done to deal with complexities such as code polymorphism and exploits.
The easiest way to read this book is, well, to read it from chapter to chapter. However, some of the attack chapters have content that can be more relevant after understanding techniques presented in the defense chapters.
If you feel that any of the chapters are not your taste, or are too difficult or lengthy, you can always jump to the next chapter.
I am sure that everybody will find some parts of this book very difficult and other parts very simple, depending on individual experience.
I expect my readers to be familiar with technology and some level of programming.
There are so many things discussed in this book that it is simply impossible to cover everything in sufficient length.
However, you will know exactly what you might need to learn from elsewhere to be absolutely successful against malicious threats.
To help you, I have created an extensive reference list for each chapter that leads you to the necessary background information.
Indeed, this book could easily have been over 1,000 pages. However, as you can tell, I am not Shakespeare. My knowledge of computer viruses is great, not my English.
Most likely, you would have no benefit of my work if this were the other way around.
What I Do Not Cover I do not cover Trojan horse programs or backdoors in great length.
This book is primarily about self-replicating malicious code. There are plenty of great books available on regular malicious programs, but not on computer viruses.
I do not present any virus code in the book that you could directly use to build another virus.
This book is not a "virus writing" class. My understanding, however, is that the bad guys already know about most of the techniques that I discuss in this book.
So, the good guys need to learn more and start to think (but not act) like a real attacker to develop their defense! Interestingly, many universities attempt to teach computer virus research courses by offering classes on writing viruses.
Would it really help if a student could write a virus to infect millions of systems around the world? Will such students know more about how to develop defense better? Simply, the answer is no...
Instead, classes should focus on the analysis of existing malicious threats. There are so many threats out there waiting for somebody to understand them and do something against them. Of course, the knowledge of computer viruses is like the "Force" in Star Wars .
Depending on the user of the "Force," the knowledge can turn to good or evil. I cannot force you to stay away from the "Dark Side," but I urge you to do so. /> class="navigation"> Copyright Pearson Education. All rights reserved.
Link Download:
http://dl65l32.rapidshare.com/files/9609180/The.Art.of.Computer.Virus.Research.and.Defense.zip

Setting up MySQL

2009-03-16T04:58:00.001-07:00

Installation

The MySQL installation is pretty straightforward since you doesn't need to modify anything in the Apache or PHP configuration. To begin the installation, run the setup program and select the destination folder if you don't want to use the default one. Then choose Custom and deselect Examples, Libraries, Includes and Script files. You can deselect also the MySQL Documentation if you already have it.

Press Next for starting the installation. After it finish, you need to install the MySQL service, since the setup program of versions 4.0.x doesn't install it. Fortunately, the MySQL package includes an utility that simplifies greatly this task.

First you need go to the MySQL installation folder, as the setup doesn't create either any shortcuts in the Start Menu (don't ask me why). In the "bin" subfolder locate the file winmysqladmin.exe and execute it. The first time this tool is executed, it'll ask you for an user name & password, enter the one you want to use. You don't need this user & password for your scripts, but the tool use it for polling the server status and display detailed information about it.

After pressing OK the tool will create a new configuration file for the MySQL server in the Windows folder (my.ini), and a semaphore icon will appear in the taskbar. Also, the program will install the MySQL service using the values of the configuration file. If the semaphore shows the red light on, right click on that icon and select Win NT -> ShuDown this tool for closing the program, and then launch it again (with some system configurations it doesn't install the service in the first run). This time it should show the green light on, indicating that the MySQL service is installed an running. The tool will create also a shortcut for it in the Start folder of the Start Menu.

Note for Windows 98/Me users: Since these OS doesn't support services, you need to run mysqld.exe for starting the server. To close the server, press Ctrl+C on the MySQL console window.
Installing phpMyAdmin

phpMyAdmin is a very popular tool for managing the MySQL server and the databases. Since it's a PHP based application, installing it is as simple as unpacking the ZIP file in a folder inside the document root of Apache (note that the ZIP file already contains a folder). To access the application open your browser and navigate to that folder: supposing that your web root is "D:\Web server" and the folder in which you stored the script files is "D:\Web server\phpMyAdmin", you need to go to "http://localhost/phpMyAdmin/".

If both Apache & MySQL servers are running, you should see the welcome screen without any further configuration, since phpMyAdmin is preconfigured to use the default configuration of MySQL.

A few notes about MySQL users

* By default, MySQL 4.0.x comes with the predefined user "root" with no password. You can use this user for the mysql_connect() function.
* If you want or need to create another user for your scripts, you can do it from phpMyAdmin using the Privileges section. You can also add a password for the root user, but if you modify it you need to update the phpMyAdmin configuration. For doing that, go to the phpMyAdmin folder, locate the file config.default.php and copy it as config.inc.php. Then find following lines:

$cfg['Servers'][$i]['user'] = 'root'; // MySQL user
$cfg['Servers'][$i]['password'] = ''; // MySQL password
and modify the last values with the new user & password. You can use here any other user you have created with admininstrator privileges.

.NET Security and Cryptography

2009-03-14T20:11:00.000-07:00

Peter Thorsteinson, G. Gnana Arun Ganesh

.NET Security and Cryptography

Prentice Hall PTR - ISBN: 013100851X - Year 2003 - 496 pages - CHM - 3.1 MB
Learn how to make your .NET applications secure!

Security and cryptography, while always an essential part of the computing industry, have seen their importance increase greatly in the last several years. Microsoft's .NET Framework provides developers with a powerful new set of tools to make their applications secure. NET Security and Cryptography is a practical and comprehensive guide to implementing both the security and the cryptography features found in the .NET platform. The authors provide numerous clear and focused examples in both C# and Visual Basic .NET, as well as detailed commentary on how the code works. They cover topics in a logical sequence and context, where they are most relevant and most easily understood.

This book will allow developers to:

Develop a solid basis in the theory of cryptography, so they can understand how the security tools in the .NET Framework function
Learn to use symmetric algorithms, asymmetric algorithms, and digital signatures
Master both traditional encryption programming as well as the new techniques of XML encryption and XML signatures
Learn how these tools apply to ASP.NET and Web Services security

Download:
http://rapidshare.com/files/4488122/Pren_Hall_-_Dot_Net_Security_And_Crypto_ertu.rar

Computer Viruses and Malware

2009-03-14T20:07:00.000-07:00

John Aycock, «Computer Viruses and Malware» (Advances in Information Security)
ISBN: 0387302360 | Publisher: Springer | Publication Date: 2006-07-20 | 227 Pages | PDF | 9,4 Mb

Our Internet-connected society increasingly relies on computers. As a result, attacks on computers from malicious software have never been a bigger concern. Computer Viruses and Malware draws together hundreds of sources to provide an unprecedented view of malicious software and its countermeasures. This book discusses both the technical and human factors involved in computer viruses, worms, and anti-virus software. It also looks at the application of malicious software to computer crime and information warfare.

Computer Viruses and Malware is designed for a professional audience composed of researchers and practitioners in industry. This book is also suitable as a secondary text for advanced-level students in computer science.

Download:
http://dl32tl.rapidshare.com/files/6153249/Computer.Viruses.and.Malware.rar

The Database Hacker’s Handbook: Defending Database Servers

2009-03-14T20:03:00.000-07:00

Databases are the nerve center of our economy. Every piece of your personal information is stored there—medical records, bank accounts, employment history, pensions, car registrations, even your children’s grades and what groceries you buy. Database attacks are potentially crippling—and relentless.

In this essential follow-up to The Shellcoder’s Handbook, four of the world’s top security experts teach you to break into and defend the seven most popular database servers. You’ll learn how to identify vulnerabilities, how attacks are carried out, and how to stop the carnage. The bad guys already know all this. You need to know it too.

- Identify and plug the new holes in Oracle and Microsoft SQL Server
- Learn the best defenses for IBM’s DB2, PostgreSQL, Sybase ASE, and MySQL servers
- Discover how buffer overflow exploitation, privilege escalation through SQL, stored procedure or trigger abuse, and SQL injection enable hacker access
- Recognize vulnerabilities peculiar to each database
- Find out what the attackers already know

Download:
http://rapidshare.com/files/2226538/The_DBH_Handbook.rar.html

Hacker Disassembling Uncovered

2009-03-14T19:51:00.000-07:00

A-List Publishing | ISBN: 1931769222 | 600 pages | 4.8MB | CHM

Going beyond the issues of analyzing and optimizing programs as well as creating the means of protecting information, this guide takes on the programming problem of, once having found holes in a program, how to go about disassembling it without its source code. Covered are the hacking methods used to analyze programs using a debugger and disassembler. These methods include virtual functions, local and global variables, branching, loops, objects and their hierarchy, and mathematical operators. Also covered are methods of fighting disassemblers, self-modifying code in operating systems, and executing code in the stack. Advanced disassembler topics such as optimizing compilers and movable code are discussed as well.

Download: http://rapidshare.com/files/5845428/Hacker_Disassembling_Uncovered.rar

Cryptography for Developers

2009-03-14T19:49:00.000-07:00

Tom St Denis, «Cryptography for Developers»
Publisher: Syngress Publishing | English | ISBN: 1597491047 | PDF | 5.01 MB | 400 Pages

Developers tasked with security problems are often not cryptographers themselves. They are bright people who, with careful guidance, can implement secure cryptosystems. This book will guide developers in their journey towards solving cryptographic problems. If you have ever asked yourself "just how do I setup AES?" then this text is for you. ASN.1 Encoding The chapter on ASN.1 encoding delivers a treatment of the Abstract Syntax Notation One (ASN.1) encoding rules for data elements such as strings, binary strings, integers, dates and times, and sets and sequences. Random Number Generation This chapter discusses the design and construction of standard random number generators (RNGs) such as those specified by NIST. Advanced Encryption Standard This chapter discusses the AES block cipher design, implementation trade-offs, side channel hazards, and modes of use. It concentrates on the key design elements important to implementers and how to exploit them in various trade-off conditions. Hash Functions This chapter discusses collision resistance, provides examples of exploits, and concludes with known incorrect usage patterns. Message Authentication Code Algorithms This chapter discusses the HMAC and CMAC Message Authentication Code (MAC) algorithms, which are constructed from hash and cipher functions. Encrypt and Authenticate Modes This chapter discusses the IEEE and NIST encrypt and authenticate modes GCM and CCM. Both modes introduce new concepts to cryptographic functions. Focus is given to the concept of replay attacks, and initialization techniques are explored in depth. Large Integer Arithmetic This chapter discusses the techniques behind manipulating large integers such as those used in public key algorithms. Public Key Algorithms This chapter introduces public key cryptography, including the RSA algorithm and its related PKCS #1 padding schemes. It also introduces new math in the form of various elliptic curve point multipliers.

Download:
http://dl43tl2.rapidshare.com/files/5874805/Cryptography_for_Developers_EBook_ISBN-1597491047.rar

Hacking - The Art of Exploitation

2009-03-14T19:47:00.001-07:00

This text introduces the spirit and theory of hacking as well as the science behind it all; it also provides some core techniques and tricks of hacking so you can think like a hacker, write your own hacks or thwart potential system attacks.

Download:
http://rapidshare.com/files/5882606/Hacking_-_The_Art_of_Exploitation.rar

Gray Hat Hacking, Second Edition (Paperback)

2009-03-14T19:34:00.001-07:00

Prevent catastrophic network attacks by exposing security flaws, fixing them, and ethically reporting them to the software author. Fully expanded to cover the hacker's latest devious methods, Gray Hat Hacking:
The Ethical Hacker's Handbook, Second Edition lays out each exploit alongside line-by-line code samples, detailed countermeasures, and moral disclosure procedures. Find out how to execute effective penetration tests, use fuzzers and sniffers, perform reverse engineering, and find security holes in Windows and Linux applications. You'll also learn how to trap and autopsy stealth worms, viruses, rootkits, adware, and malware.

- Implement vulnerability testing, discovery, and reporting procedures that comply with applicable laws
- Learn the basics of programming, stack operations, buffer overflow and heap vulnerabilities, and exploit development
- Test and exploit systems using Metasploit and other tools
- Break in to Windows and Linux systems with perl scripts, Python scripts, and customized C programs
- Analyze source code using ITS4, RATS, FlawFinder, PREfast, Splint, and decompilers
- Understand the role of IDA Pro scripts, FLAIR tools, and third-party plug-ins in discovering software vulnerabilities
- Reverse-engineer software using decompiling, profiling, memory monitoring, and data flow analysis tools
- Reveal client-side web browser vulnerabilities with MangleMe, AxEnum,and AxMan
- Probe Windows Access Controls to discover insecure access tokens, security descriptors, DACLs, and ACEs
- Find and examine malware and rootkits using honeypots, honeynets, and Norman SandBox technology
Download:
http://rapidshare.com/files/95223553/McGraw.Hill.Gray.Hat.Hacking.2nd.Edition.Dec.2007.pdf

Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions

2009-03-14T19:31:00.000-07:00

"This book concisely identifies the types of attacks which are faced
daily by Web 2.0 sites, and the authors give solid, practical advice on
how to identify and mitigate these threats." --Max Kelly, CISSP, CIPP,
CFCE, Senior Director of Security, Facebook Protect your Web 2.0
architecture against the latest wave of cybercrime using expert tactics
from Internet security professionals. Hacking Exposed Web 2.0 shows how
hackers perform reconnaissance, choose their entry point, and attack Web
2.0-based services, and reveals detailed countermeasures and defense
techniques. You'll learn how to avoid injection and buffer overflow
attacks, fix browser and plug-in flaws, and secure AJAX, Flash, and
XML-driven applications. Real-world case studies illustrate social
networking site weaknesses, cross-site attack methods, migration
vulnerabilities, and IE7 shortcomings.

- Plug security holes in Web 2.0 implementations the proven Hacking
Exposed way
- Learn how hackers target and abuse vulnerable Web 2.0 applications,
browsers, plug-ins, online databases, user inputs, and HTML forms
- Prevent Web 2.0-based SQL, XPath, XQuery, LDAP, and command
injection attacks
- Circumvent XXE, directory traversal, and buffer overflow exploits
- Learn XSS and Cross-Site Request Forgery methods attackers use to
bypass browser security controls
- Fix vulnerabilities in Outlook Express and Acrobat Reader add-ons
- Use input validators and XML classes to reinforce ASP and .NET
security
- Eliminate unintentional exposures in ASP.NET AJAX (Atlas), Direct
Web Remoting, Sajax, and GWT Web applications
- Mitigate ActiveX security exposures using SiteLock, code signing,
and secure controls
- Find and fix Adobe Flash vulnerabilities and DNS rebinding attacks

Download
http://rapidshare.com/files/95219435/McGraw.Hill.Hacking.Exposed.Web.2.0.Dec.2007.pdf

Writing Security Tools and Exploits

2009-03-14T19:29:00.001-07:00

Writing Security Tools and Exploits
December 21, 2005 | ISBN: 1597499978 | 664 pages | December 21, 2005 | PDF | 6 Mb

Writing Security Tools and Exploits will be the foremost authority on vulnerability and security code and will serve as the premier educational reference for security professionals and software developers. The book will have over 600 pages of dedicated exploit, vulnerability, and tool code with corresponding instruction. Unlike other security and programming books that dedicate hundreds of pages to architecture and theory based flaws and exploits, this book will dive right into deep code analysis. Previously undisclosed security research in combination with superior programming techniques will be included in both the Local and Remote Code sections of the book.

The book will be accompanied with a companion Web site containing both commented and uncommented versions of the source code examples presented throughout the book. In addition to the book source code, the CD will also contain a copy of the author-developed Hacker Code Library v1.0. The Hacker Code Library will include multiple attack classes and functions that can be utilized to quickly create security programs and scripts. These classes and functions will simplify exploit and vulnerability tool development to an extent never before possible with publicly available software.

* Provides readers with working code to develop and modify the most common security tools including Nmap and Nessus
* Learn to reverse engineer and write exploits for various operating systems, databases, and applications
* Automate reporting and analysis of security log files

Download: http://rapidshare.com/files/59583021/1597499978.rar

Hacking Exposed Windows: Microsoft Windows Security Secrets and, Solutions, Third Edition (Hacking Exposed) (Paperback)

2009-03-14T19:24:00.000-07:00

Meet the challenges of Windows security with the exclusive Hacking
Exposed "attack-countermeasure" approach. Learn how real-world malicious
hackers conduct reconnaissance of targets and then exploit common
misconfigurations and software flaws on both clients and servers. See
leading-edge exploitation techniques demonstrated, and learn how the
latest countermeasures in Windows XP, Vista, and Server 2003/2008 can
mitigate these attacks. Get practical advice based on the authors' and
contributors' many years as security professionals hired to break into
the world's largest IT infrastructures. Dramatically improve the
security of Microsoft technology deployments of all sizes when you learn
to:

- Establish business relevance and context for security by highlighting
real-world risks
- Take a tour of the Windows security architecture from the hacker's
perspective, exposing old and new vulnerabilities that can easily be
avoided
- Understand how hackers use reconnaissance techniques such as
footprinting, scanning, banner grabbing, DNS queries, and Google
searches to locate vulnerable Windows systems
- Learn how information is extracted anonymously from Windows using
simple NetBIOS, SMB, MSRPC, SNMP, and Active Directory enumeration
techniques
- Prevent the latest remote network exploits such as password grinding
via WMI and Terminal Server, passive Kerberos logon sniffing, rogue
server/man-in-the-middle attacks, and cracking vulnerable services
- See up close how professional hackers reverse engineer and develop
new Windows exploits
- Identify and eliminate rootkits, malware, and stealth software
- Fortify SQL Server against external and insider attacks
- Harden your clients and users against the latest e-mail phishing,
spyware, adware, and Internet Explorer threats
- Deploy and configure the latest Windows security countermeasures,
including BitLocker, Integrity Levels, User Account Control, the updated
Windows Firewall, Group Policy, Vista Service Refactoring/Hardening,
SafeSEH, GS, DEP, Patchguard, and Address Space Layout Randomization

Code: http://www.amazon.com/exec/obidos/tg/detail/-/007149426X/

Download:
http://rapidshare.com/files/93030576/McGraw.Hill.Hacking.Exposed.Windows.3rd.Edition.Dec.2007.pdf

Securing IM and P2P Applications for the Enterprise (2005)

2009-03-14T19:22:00.001-07:00

This book is for system administrators and security professionals who need to bring now ubiquitous IM and P2P applications under their control. Many businesses are now taking advantage of the speed and efficiency offered by both IM and P2P applications, yet are completely ill-equipped to deal with the management and security ramifications.

These companies are now finding out the hard way that these applications which have infiltrated their networks are now the prime targets for malicious network traffic. This book will provide specific information for IT professionals to protect themselves from these vulnerabilities at both the network and application layers by identifying and blocking this malicious traffic.

* A recent study by the Yankee group ranked "managing and securing IM and P2P applications" as the #3 priority for IT managers in 2004

* The recently updated SANS/FBI top 10 list of vulnerabilities for computers running Microsoft Windows contained both P2P and IM applications for the first time

* The recently released Symantec Threat Assessment report for the first half of 2004 showed that 19 of the top 50 virus threats targeted IM or P2P applications. Despite the prevalence of IM and P2P applications on corporate networks and the risks they pose, there are no other books covering these topics

Code http://www.amazon.com/Securing-Im-P2P-Applications-Enterprise/dp/1597490172

Download:
http://www1.vista-server.com/uploadfile/6/3/16/20355883672.zip
http://www2.vista-server.com/uploadfile/6/3/16/20355883672.zip
http://www3.vista-server.com/uploadfile/6/3/16/20355883672.zip

Hacker Attack (Mass Market Paperback)

2009-03-14T19:16:00.000-07:00

Hacker Attack is the only book about computer security that is at once entertaining, understandable, and practical. You'll be fascinated as you read about hackers, crackers and whackers--people who spend their time trying to break into your computer, spreading computer viruses, or peeping (and recording what they see!) as you surf the Internet or send email. Best of all, this book provides simple but powerful solutions to all these security needs. It's all on the book's CD. Protect yourself right now with firewalls, anonymisers, and virus-guards. This is without doubt the most readable and interesting book about computer security ever written. You'll enjoy reading it, and you'll be safe after you've followed its advice.

code: http://www.amazon.com/Hacker-Attack-Richard-Mansfield/dp/0782128300

Download: http://mihd.net/f6ntms

CBT Nuggets Cisco CCNA/CCENT - Exam-Pack 640-822: ICND1

2009-03-14T07:18:00.000-07:00

Wouldn't it be cool to walk into a small business that has no network and configure a fairly advanced network from the ground up using Cisco gear? Let the CBT Nuggets' Cisco CCNA/CCENT - Exam-Pack 640-822: ICND1 video series teach you the essential skills for passing the CCENT certification exam and meeting the network support needs of employers and clients.

Successful networking careers begin with Cisco CCENT certification and the fundamental knowledge it represents. Trainer Jeremy Cioara carefully explains the certification process by walking you through CCENT networking basics and mapping those basics directly to the exam. His organized and captivating presentation prepares new users for junior administrator positions and provides managers of any description with a sound understanding of what their technicians are talking about.

You proceed at your own pace, watching videos that break down the CCENT certification process and basic Cisco networking into bite-sized nuggets. Video by video you learn how to install, operate and troubleshoot a small enterprise branch network -- including basic network security.

Cisco CCNA/CCENT - Exam-Pack 640-822: ICND1 shows you how to be a subnetting master, teaches you about switches and routers, helps you understand essential protocols like TCP and UDP, explains cabling and networking, and covers exciting topics like wireless networking and Cisco's SDM graphic interface.

These videos go beyond simply prepping you for the CCENT test (although they're great test prep!). They also teach you skills you'll need day-in and day-out as a networking technician professional. Over and over again you'll draw on these videos as an indispensable reference tool. They also lay a terrific foundation for the follow-up CCNA exam and certification.

Here's what you'll learn from the Cisco CCNA/CCENT - Exam-Pack 640-822: ICND1 videos:

Video 1 - Welcome to the CBTNuggets CCENT video series! - This opening video sets the expectations for the entire CCENT series as well as reviewing the Cisco certification track. Because Jeremy gives many certification exam tips and advice, it is recommended that you view this video once more after finishing the series.

Video 2 - Foundations: What is a Network? - This video answers the question of why. Why do we need a network? What does the network accomplish for us? Without understanding this foundation, the rest of the Cisco certification track will not make much sense.

Video 3 - Foundations: Living in the OSI World - If someone told you, "My car is broken," but was unable to expand on what exactly was broken, you wouldn't know where to begin looking for a solution. In the same sense, networks are an extremely complex system of communicating. The OSI Model holds the key to understanding the layers of network functionality. This video walks through both a logical and practical presentation of the OSI Model.

Video 4 - Basic TCP/IP: Addressing Fundamentals - We live in a TCP/IP world. Having a thorough understanding of this protocol is critical to your success in any network environment. This video breaks down the basics of TCP/IP and discusses concepts such as IP address format, public and private addressing, and address classes. Jeremy also walks you through the reasons why having TWO addresses is the key to successful network communication.

Video 5 - Basic TCP/IP: TCP and UDP Communication - Every network-aware application has a choice to make when it communicates across the network: TCP or UDP. This decision determines how reliable the data transfer will be. This video walks through the discussion of TCP and UDP, focusing specifically on TCP windowing, sequence numbers, and acknowledgements.

Video 6 - TCP/IP: Understanding Port Numbers - Imagine that you wanted to see your friend Dave who lived in a house with 100 other people. As soon as you reached the house, you would open the door and yell, "I'M LOOKING FOR DAVE!!!" Port numbers do exactly the same thing for network communication between devices, allowing you to dictate what service you are trying to reach. This video gives practical examples of using TCP and UDP port numbers when communicating.

Video 7 - Basic TCP/IP: The Tale of Two Packets - To wrap up the section on Basic TCP/IP communication, Jeremy walks you through the "Tale of Two Packets." This gives a big picture perspective on local network communication (the Bob packet) and remote network communication (the Sally packet).

Video 8 - LANs: Welcome to Ethernet - Ethernet defines the standard for LAN communication around the world. Because of this, it is critical to understand the fundamentals of how this "fabric of networks" operates. This video walks through the origins of the Ethernet standard, CSMA/CD (the rules of communication), and the architecture of a MAC address.

Video 9 - LANs: Understanding the Physical Connections - If you've never experienced calloused fingers from crimping Ethernet cables, this video is for you. In it, Jeremy walks through the two primary physical standards of Ethernet: UTP and Fiber Optics, straight-through vs. crossover cables, and an end-to-end picture of cabling in a corporate environment.

Video 10 - LANs: Understanding LAN Switches - Ethernet's use of CSMA/CD allowed it to obtain much faster speeds than its competitor (token ring); however, it also led to many problems with collisions in larger networks. This video walks through the solution to those problems and lays the foundation understanding of how the network switch fits into our network environments.

Video 11 - LANs: Working with the Cisco Switch IOS - Before you can jump right into setting up Cisco switches, you must understand how to work with Cisco's operating system: the IOS. This video walks you through the general navigation and help features of the IOS.

Video 12 - LANs: Initial Setup of a Cisco Switch - With the IOS foundations in place, this video jumps straight into the initial configuration of a Cisco switch. In this video you will see the meaning of the physical LEDs on a switch, the initial boot process and configuration dialog, and the configuration of a VLAN interface.

Video 13 - LANs: Configuring Switch Security, Part 1- Network security has become such a major topic that Cisco has moved much of what used to be considered a CCSP (security professional) topic into the CCENT and CCNA certifications. This video discusses the initial security of your switch, primarily focusing on configuring passwords, logon banners, and SSH.

Video 14 - LANs: Configuring Switch Security, Part 2 - The network security topics continue. In this video, Jeremy walks you through enabling port security for your network, which gives you complete control of the number and type of devices that attach to your network.

Video 15 - LANs: Optimizing and Troubleshooting Switches - It's time to wrap up the world of LAN switching with optimization and troubleshooting. In this video, Jeremy walks through common problems you may encounter when working in a LAN environment. He also interjects a "bonus section" dealing with improving your efficiency on Cisco devices.

Video 16 - Wireless: Understanding Wireless Networking - Wireless networking technology has changed the LAN landscape very quickly. As one of the newest technologies added to the CCENT/CCNA certifications, wireless is almost guaranteed to pop up in organizations of any size. This video discusses the foundations of wireless networks including radio frequency, wireless channels and standards, and the best way to design wireless for your organization.

Video 17 - Wireless: Wireless Security and Implementation - Understanding the foundations of wireless is never enough! Security vulnerabilities have proven more than once that wireless can be devastating to an organization. This video walks through the steps to take to successfully implement and secure a wireless network.

Video 18 - Advanced TCP/IP: Working with Binary - This video begins the move to the world of advanced TCP/IP addressing. More specifically, you will learn the skill of IP subnetting. One of the most foundational skills in subnetting is converting from decimal to binary and back. This video carefully explains this skill and provides many examples to practice.

Video 19 - Advanced TCP/IP: IP Subnetting, Part 1 - The first style of subnetting you'll need to learn is the ability to separate IP addresses into subnets based on the number of networks an organization needs. This video walks through the initial style.

Video 20 - Advanced TCP/IP: IP Subnetting, Part 2 - The second style of subnetting you'll need to learn is the ability to separate IP addresses into subnets based on the number of hosts an organization needs in each network. This video explains this style.

Video 21 - Advanced TCP/IP: IP Subnetting, Part 3 - The final style of subnetting you'll need to learn is the ability to reverse engineer subnets based on the IP address and subnet mask that has been given. This video discusses this final style.

Video 22 - Routing: Initial Router Configuration - Routers are the device that made Cisco famous (as a company). Unlike a switch, when you initially pull a Cisco router out of the box, it is non-operational; that is, you must initially configure the router before it works properly. This video walks through the boot process and initial configuration of a Cisco router.

Video 23 - Routing: SDM and DHCP Server Configuration, Part 1 - For the first time in Cisco certification history, a graphic user interface (GUI) is now used to configure Cisco devices. It's known as the Cisco Security Device Manager, or SDM for short. This video walks through preparing your Cisco router to be managed through the SDM.

Video 24 - Routing: SDM and DHCP Server Configuration, Part 2 - Manually configuring IP addresses on every device in your network can eat up a ton of time. That's why some brilliant individual created the Dynamic Host Configuration Protocol (DHCP). In this video, Jeremy walks through configuring your router to be a DHCP server by using our newly configured SDM.

Video 25 - Routing: Implementing Static Routing - Once the router is initially configured with IP addresses and passwords it will effectively...well, sit there. The router has IP addresses, but it is not routing yet. In this video, Jeremy configures the foundational form of routing known as static routing.

Video 26 - Routing: Implementing Dynamic Routing with RIP - Static routing is great if you are paid by the hour, but dynamic routing works much better when you want to get the job done fast. The RIP routing protocol has definitely been around for quite some time and has proven itself as a stable routing protocol for small network environments. This video walks through the description and configuration of the RIP routing protocol.

Video 27 - Routing: Internet Access with NAT and PAT - Because nearly every organization uses a private IP addressing scheme, routing can occur within the company network, but fails when attempting to access the Internet. That's where Network Address Translation (NAT) comes in to save the day. In this video, Jeremy explains how to use the Cisco SDM to configure your router to support NAT Overload (also known as PAT).

Video 28 - Routing: WAN Connectivity - In addition to providing access between networks, routers also allow us to connect to the Wide Area Network (WAN). This video discusses the types of WAN connections that exist along with the interfaces and configuration used to make that connection possible.

Video 29 - Management and Security: Telnet, SSH, and CDP - At this point, we've wrapped up router-specific discussion and can now move into management and security strategies for all Cisco devices. The key management protocols we use to configure and monitor our devices are Telnet and SSH. This video discusses how you can navigate between Cisco devices using these protocols and also how the Cisco Discovery Protocol (CDP) can help unveil an undocumented network.

Video 30 - Management and Security: File Management - Having the ability to copy files to and from your routers and switches is key to successfully being able to back up configurations and IOS versions. In this video, Jeremy discusses the key file systems of Cisco devices and demonstrates moving files to and from these file systems.

Video 31 - Last Words for Test Takers - To wrap up the CCENT series, Jeremy gives some last words to test-takers on how best to prepare for the ICND1, ICND2, and CCNA certification exams.

On-the-job Cisco network support skills plus prep for the CCNA/CCENT Exam

The CBT Nuggets' Cisco CCNA/CCENT - Exam-Pack 640-822: ICND1 shows you the hands-on skills you need to meet the network support needs of employers and clients. This video series also teaches you the essential skills for passing the CCENT certification exam. Successful networking careers begin with Cisco CCENT certification and the fundamental knowledge it represents.

Prerequisites

A fundamental understanding of computers and networking, such as the CompTIA A+ or Network+ or equivalent knowledge is recommended before viewing this training.

The Cisco CCNA/CCENT - Exam-Pack 640-822: ICND1 contains:

- Welcome to Cisco CCENT! (free video!)
- Foundations: What is a Network?
- Foundations: Living in the OSI World
- Basic TCP/IP: Addressing Fundamentals
- Basic TCP/IP: TCP and UDP Communication
- Basic TCP/IP: Understanding Port Numbers
- Basic TCP/IP: The Tale of Two Packets
- LANs: Welcome to Ethernet
- LANs: Understanding the Physical Connections
- LANs: Understanding LAN Switches
- LANs: Working with the Cisco Switch IOS (free video!)
- LANs: Initial Setup of a Cisco Switch
- LANs: Configuring Switch Security
- LANs: Configuring Switch Security, Part 2
- LANs: Optimizing and Troubleshooting Switches
- Wireless: Understanding Wireless Networking
- Wireless: Wireless Security and Implementation
- Advanced TCP/IP: Working with Binary
- Advanced TCP/IP: IP Subnetting, Part 1
- Advanced TCP/IP: IP Subnetting, Part 2
- Advanced TCP/IP: IP Subnetting, Part 3
- Routing: Initial Router Configuration
- Routing: SDM and DHCP Server Configuration
- Routing: SDM and DHCP Server Configuration, Part 2
- Routing: Implementing Static Routing
- Routing: Implementing Dynamic Routing with RIP
- Routing: Internet Access with NAT and PAT
- Routing: WAN Connectivity
- Management and Security: Telnet, SSH, and CDP
- Management and Security: File Management
- Last Words for Test Takers

All trademarks and copyrights are the property of their respective holders.

code:http://www.cbtnuggets.com/webapp/product?id=411

Download:
http://rapidshare.com/files/107574919/CBT.NUGGETS.CISCO.CCNA.CCENT.EXAM-PACK.640-822.ICND1-AG.part1.rar
http://rapidshare.com/files/107578419/CBT.NUGGETS.CISCO.CCNA.CCENT.EXAM-PACK.640-822.ICND1-AG.part2.rar
http://rapidshare.com/files/106624725/CBT.NUGGETS.CISCO.CCNA.CCENT.EXAM-PACK.640-822.ICND1-AG.part3.rar
http://rapidshare.com/files/107584579/CBT.NUGGETS.CISCO.CCNA.CCENT.EXAM-PACK.640-822.ICND1-AG.part4.rar

TrainSignal Windows Vista Training

2009-03-14T07:14:00.001-07:00

path1
http://www.megaupload.com/?d=V1892PZW
http://www.megaupload.com/?d=GN90LIDR
http://www.megaupload.com/?d=19HK9SV8
http://www.megaupload.com/?d=LNZT6GL0
http://www.megaupload.com/?d=HJZ40H6T

path2
http://www.megaupload.com/?d=OSOATSY0
http://www.megaupload.com/?d=TRJQ6CLX
http://www.megaupload.com/?d=VXDX8LET
http://www.megaupload.com/?d=TN20R0K3
http://www.megaupload.com/?d=08IC25IJ

password join: manhnd

Windows 2003 Clustering CBT

2009-03-14T06:51:00.000-07:00

Server cluster presentations
Cluster Management Presentations
Cluster Technologies Overview
Chris Whitaker
Installing Clusters
Jim Teague
New Features: Cluster Configuration Wizard
Galen Barbee
Cluster Service Account Password Support
Charlie Wickham
Cluster WMI Provider
George Potts
Presentation Lab

Cluster Automation Server
Ozan Ozhan
Presentation Lab

Autoconfiguring Applications in a Cluster
David Potter
Cluster Backup and Restore
Chittur Subbaraman

Cluster Internals
Failure Detection
Jonathan Fisher, David Dion
Cluster Database Management
Chittur Subbaraman
Registry Checkpointing
Chittur Subbaraman
Regroup and Arbitration process
Raj Das
Changes to the Network Name Resource in Server 2003
Charlie Wickham
Building Highly Available Applications
Jim Teague
Using SDK and MSDN
Roy Hirst

Writing Cluster-Aware Applications
Cluster API
George Potts
Presentation

Writing Cluster Resource Type DLLs, Part 1
George Potts
Presentation Lab

Writing Cluster Resource Type DLLs, Part 2
George Potts
Presentation Lab

Generic Script Resource Type
Ozan Ozhan
Managed Code and Clustering
Ozan Ozhan
Writing Resource Types in Managed Code
Davide Potter & Ozan Ozhan
Debugging Cluster Resource Type DLLs
George Potts
Presentation Lab

Writing Cluster Administrator Extension DLLs
George Potts

Testing and Support
Cluster Qualification Program
Zubair Ansari
Testing MSCS
Murtaza Hakim
Product Support Services
Dave Nestor

Download:
http://rapidshare.com/files/22693280/cluster.part01.rar
http://rapidshare.com/files/22699343/cluster.part02.rar
http://rapidshare.com/files/22704096/cluster.part03.rar
http://rapidshare.com/files/22717374/cluster.part04.rar
http://rapidshare.com/files/22721304/cluster.part05.rar
http://rapidshare.com/files/22725396/cluster.part06.rar
http://rapidshare.com/files/22742247/cluster.part07.rar
http://rapidshare.com/files/22742201/cluster.part08.rar
http://rapidshare.com/files/22748904/cluster.part09.rar
http://rapidshare.com/files/22966432/cluster.part10.rar
http://rapidshare.com/files/22755009/cluster.part11.rar
http://rapidshare.com/files/22756014/cluster.part12.rar
http://rapidshare.com/files/22761553/cluster.part13.rar
http://rapidshare.com/files/22762386/cluster.part14.rar
http://rapidshare.com/files/22768252/cluster.part15.rar
http://rapidshare.com/files/22769251/cluster.part16.rar
http://rapidshare.com/files/22774753/cluster.part17.rar
http://rapidshare.com/files/22775556/cluster.part18.rar
http://rapidshare.com/files/22816797/cluster.part19.rar
http://rapidshare.com/files/23204422/cluster.part20.rar
http://rapidshare.com/files/23211184/cluster.part21.rar
http://rapidshare.com/files/23225370/cluster.part22.rar
http://rapidshare.com/files/23227624/cluster.part23.rar
http://rapidshare.com/files/23233050/cluster.part24.rar
http://rapidshare.com/files/22728997/cluster.part25.rar

VTC Linux Professional Institute Level 1

2009-03-14T06:49:00.000-07:00

Linux Professional Institute Level 1: Understanding the Linux operating system is absolutely essential to any IT professional who wishes to add breadth to their resume. Linux has placed itself, strategically, all around us, and understanding the basic and inner workings of it can prove extremely valuable. VTC authors Brad Causey and Bobby Rogers will take you though the basics of Linux with the LPI 101 course, explaining each piece step-by-step

Linux Professional Institute: Level 1
Course Overview

Introduction to Linux
Introduction to Linux
Linux Features
Open Source & the GNU License
The Linux Kernel
Linux Distributions

Planning a Linux Installation
Pre-Installation Planning
Hardware Recommendations
Partitioning Requirements
Dual Booting With Windows

Linux Installation
Installation Modes
Initial Installation & Hardware Setup
Boot Manager & Package Selection
Lab - Install RedHat Pt.1
Lab - Install RedHat Pt.2
Lab - Install RedHat Pt.3

The Linux Boot Process
Boot Loaders
LILO
GRUB
The FSTAB File
User Login Profiles
Troubleshooting the Boot Process

Linux Commands
Shells
Command Structure & Syntax
Assistance & MAN Pages
Directory Navigation Commands

File Management
File Naming Convention
File Types
Basic File Management
Hard & Symbolic Links
Searching for FIles

Text Processing
Viewing Text Files
Process Text Streams
Searching Text Files

Basic Text Editing with vi
Basic Editing
Inserting & Editing Text
Searching in vi
Setting Options

Configuring Hardware
BIOS Settings
Gathering Hardware Information
Configuring Peripherals
Configuring Communication Devices
Configuring Storage Devices
Configuring Plug & Play Devices

Software & Package Management
Installing Software From Source Code
Red Hat Package Management
Debian Package Management

The X Window System
Install & Configure XFree86
Window Manager Environment

General Administration
Managing Processes
Modifying Process Execution Priorities
Managing Disk Quotas

File Ownership & Permissions
Managing File Ownership
File permissions
Setting Permissions with chmod

The LPI Exam
Exam Objectives

Download: http://rapidshare.com/files/92071281/VTC.Linux.Professional.Institute.Level.1.part1.rar
http://rapidshare.com/files/92060186/VTC.Linux.Professional.Institute.Level.1.part2.rar

Joomla! - The Beauty in Design (Tutorial Videos)

2009-03-14T04:55:00.000-07:00

Tutorial Videos of :

•A Joomla! for Beginners
•B Building a CSS Template for JOOMLA
•C Increasing User Experience with Javascript
•D Template Migration for Joomla Tutorial Series
•E MooTools for the Rest of Us
COURSES OUTLINE :

A. Joomla! for Beginners
01. Introduction
02. Downloading Joomla!
03. Creating your Database
04. Uploading Joomla! to your site
05. Installing and Configuring Joomla!
06. A Walk around the Front End
07. It's all about Content
08. The Back End - Administrator
09. Creating Sections
10. Creating Categories
11. Creating Content Items
12. Linking to Menus
13. Installing Templates
14. Worked Example - An online shop
15. Worked Example - A membership site
16. Worked Example - A magazine
17. Support and Conclusion
Download
http://rapidshare.com/files/92093216/BBQthisSunDay.part1.rar
http://rapidshare.com/files/92247282/BBQthisSunDay.part2.rar
http://rapidshare.com/files/92250546/BBQthisSunDay.part3.rar
http://rapidshare.com/files/92252153/BBQthisSunDay.part4.rar

B. Building a CSS Template for JOOMLA
1. Lesson One – Slicing a Photoshop Image
• Planning the Layout
• Slicing Images
• Naming Slices
• Saving for the Web

2. Lesson Two – Creating the Foundation
• Files and Folders
• Linking the CSS into the PHP Document
• Getting Setup in Style Master
• Creating the DIV tags

3. Lesson Three – CSS Layout I
• Styling the Body
• Styling the Container
• Styling the Header

4. Lesson Four – CSS Layout II
• Styling the content DIV
• Working through browser bugs

5. Lesson Five – Finishing up and JOOMLA Integration
• Install JOOMLA Plug-in from
• Placing the Header Code
• Placing the Content Code
• Prepare the XML file
• Zip and Upload

Download
http://rapidshare.com/files/85149003/Building_a_CSS_Template_for_JOOMLA_LessonOneFinal.rar
http://rapidshare.com/files/85184743/Building_a_CSS_Template_for_JOOMLA_LessonTwoFinal.rar
http://rapidshare.com/files/85175840/Building_a_CSS_Template_for_JOOMLA_LessonThreeFinal.rar
http://rapidshare.com/files/85142309/Building_a_CSS_Template_for_JOOMLA_LessonFourFinal.rar
http://rapidshare.com/files/85131583/Building_a_CSS_Template_for_JOOMLA_LessonFiveFinal.rar

C. Increasing User Experience with Javascript
1. Introduction
• Overview of the series
• Showcasing the javascript effects

2. Lesson Two - De-Cluttering the Membership Page
• Attaching scripts
• Considering MooTools as a solution to a cluttered layout
• Using the Fx.Styles of Mootools to change element properties

3. Lesson Three - Using MooTabs to Condense Related Products
• Understanding how MooTabs works
• Implementing MooTabs to condense the related products of a shopping cart

4. Lesson Four - Using a MooTools 'Light Box' to Create a Friendly Gallery
• Understanding the problem with the existing gallery
• Fixing the gallery with the MooTools Light Box

5. Lesson Five - Using Fx.Styles to Control Font Size
• Selecting an area to change
• Implementing Fx.Styles to change fonts

6. Lesson Six - Creating a Sliding Sub Menu with MooTools
• Analyzing the main menu and sub-menu for implementation
• Implement some simple MooTools effects to reveal sub-links

7. Lesson Seven - Implementing Reflection Javascript for Images
• Downloading and using reflection.js for images

8. Lesson Eight - Creating a Sliding Image Menu
• Understanding how the Sliding Image Menu works
• Implementing the Sliding Image Menu

9. Lesson Nine - Using AJAX with the Sliding Image Menu
• Creating an updated area for changing content
• Implementing AJAX links with the Sliding Image Menu

Download
http://rapidshare.com/files/85307651/Increasing_User_Experience_With_Javascript_lessonOne.rar
http://rapidshare.com/files/85311636/Increasing_User_Experience_With_Javascript_lessonTwo.rar
http://rapidshare.com/files/85310107/Increasing_User_Experience_With_Javascript_lessonThree.rar
http://rapidshare.com/files/85307101/Increasing_User_Experience_With_Javascript_lessonFour.rar
http://rapidshare.com/files/85306394/Increasing_User_Experience_With_Javascript_lessonFive.rar
http://rapidshare.com/files/85311095/Increasing_User_Experience_With_Javascript_lessonSix.rar
http://rapidshare.com/files/85311553/Increasing_User_Experience_With_Javascript_lessonSeven.rar
http://rapidshare.com/files/85313226/Increasing_User_Experience_With_Javascript_lessonEight.rar
http://rapidshare.com/files/85308358/Increasing_User_Experience_With_Javascript_lessonNine.rar

D. Template Migration for Joomla Tutorial Series
1. Lesson One - Introduction and Re-Ordering the File Structure
• Introduction to the Template
• Moving the template files to the correct location for Joomla

2. Lesson Two - Optimizing the Template
• The Dreamweaver extension from Joomlasolutions.com
• Inserting the php tags, header code, and various other code

3. Lesson Three - The Template Details XML File
• How the template_details.xml works
• Assigning files, images, css, etc.

4. Lesson Four - Re-naming and Styling the Main Menu
• Understanding how the Main Menu is styled
• Re-assigning existing menu styles with the Joomla selectors

5. Lesson Five - Migrating Styles for Use with Modules
• Latest news module changes
• Main menu module stylings in other positions

6. Lesson Six - Custom Module Styling Using Class Suffixes
• Styling the Newsflash module similar to the static template
Using class suffixes in Joomla

7. Lesson Seven - Styling Various Joomla Elements
• Style matching the titles, paragraphs, etc. in the template
• News component styling

Download:
http://rapidshare.com/files/92075508/Template_Migration_for_Joomla_Tutorial_Series_lessonTwo.rar
http://rapidshare.com/files/92079933/Template_Migration_for_Joomla_Tutorial_Series_lessonThree.rar
http://rapidshare.com/files/92082577/Template_Migration_for_Joomla_Tutorial_Series_lessonFour.rar

E. MooTools for the Rest of Us
1. Lesson One - Ideas and Resources
• The Purpose and Format of this series
• Where to get ideas from/documentation
• Getting MooTools

2. Lesson Two - Setting up the Document
• Javascript insertion
• Testing out an effect

3. Lesson Three - Creating a "Drag & Resize"-able Window
• Finding ideas
• Implementing an idea
• Duplicating several windows

4. Lesson Four - Opacity Fades for various windows
• Recognizing windows to fade
• Implementing the code
• Custom Options

5. Lesson Five - Using Moo.Ajax for the JoomlaOS Template
• Some benefits
• Creating an Ajax link for the JoomlaOS Template

Download:
http://rapidshare.com/files/92257949/MooTools_for_the_Rest_of_Us_Tutorial_Series_LessonOne.rar
http://rapidshare.com/files/92263185/MooTools_for_the_Rest_of_Us_Tutorial_Series_LessonTwo.rar
http://rapidshare.com/files/92267265/MooTools_for_the_Rest_of_Us_Tutorial_Series_LessonThree.rar
http://rapidshare.com/files/92275240/MooTools_for_the_Rest_of_Us_Tutorial_Series_LessonFour.rar
http://rapidshare.com/files/92493151/MooTools_for_the_Rest_of_Us_Tutorial_Series_LessonFive.rar

SUSE Linux Toolbox: 1000+ Commands for openSUSE and SUSE, Linux Enterprise

2009-03-14T04:47:00.001-07:00

Aimed squarely at aspiring Linux power users and professional
administrators, the SUSE Linux Toolbox offers more than 1000 examples of
useful Linux command lines. This compact, handy reference is made to
carry with you, whether you are maintaining hundreds of Linux systems or
just want to dig beneath the surface of your SUSE desktop system. This
is the Linux reference book you need to step up to the next level.

Code http://www.amazon.com/exec/obidos/tg/detail/-/0470082925/

Download: http://rapidshare.com/files/92021386/Wiley.SUSE.Linux.Toolbox.1000.plus.Commands.for.openSUSE.and.SUSE.Linux.Enterprise.Dec.2007.pdf

OReilly Knoppix Hacks 2nd.Edition

2009-03-14T04:40:00.000-07:00

If you think Knoppix is just a Linux demo disk, think again. Klaus
Knopper created an entire Linux distribution on a bootable CD (and now a
DVD) so he could use his favorite open source tools on any computer.
This book includes a collection of tips and techniques for using the
enormous amount of software Knoppix offers-not just to work and play,
but also to troubleshoot, repair, upgrade, and disinfect your system
without having to install a thing. Knoppix Hacks is just like the
distribution it covers: a veritable Swiss Army knife packed full of
tools. Scores of industrial-strength hacks-many of them new to this
second edition-cover both the standard Knoppix CD and the feature-rich
DVD "Maxi" distribution, which is included with this book. Discover how
to use Knoppix to its full potential as your desktop, rescue CD, or as a
launching point for your own live CD. With Knoppix Hacks, you can:

- Investigate features of the KDE desktop and its Internet
applications
- Save your settings and data between reboots with persistent storage
- Employ Knoppix as a system administration multitool to replace
failed servers and more
- Use the CD/DVD as a rescue disc to repair filesystems or a system
that won't boot
- Rescue Windows systems with Knoppix to back up files and settings,
hack the registry, and more
- Explore other live CDs based on Knoppix that could augment your
system
- Easily install the popular Debian GNU/Linux distribution with all of
your hardware detected and configured
- Remaster Knoppix to include your favorite software and custom
branding
Whether you're a new Linux user, power user, or system administer, this
book helps you take advantage of Knoppix and customize it to your needs.
You may just find ways to use Knoppix that you never considered.

Code: http://www.amazon.com/exec/obidos/tg/detail/-/059651493X/

Download: http://rapidshare.com/files/87593530/OReilly.Knoppix.Hacks.2nd.Edition.Nov.2007.pdf

Windows Vista(r): Home Networking (Epg - Other) (Paperback)

2009-03-14T04:36:00.000-07:00

With more than one Windows Vistabased PC in your home, and all of your
digital memories, music and media, and other data stored on one
computer, you know that its time to connect your home with a simple home
network. Youll get the straightforward, approachable information you
need (without the jargon!) to find what kind of network is right for you
and get started setting up, configuring, and maintaining your local area
network (LAN), wireless network, or remote network. Easy-to-follow
procedures teach you how to help secure your network with firewalls and
Windows Defender, plus control what your family can do online with
parental controls. Youll even start to explore the advantages of Windows
Home Server, including how to back up all of your precious data.

Code http://www.amazon.com/exec/obidos/tg/detail/-/073562500X/

Download:http://rapidshare.com/files/99895738/Microsoft.Press.Windows.Vista.Home.Networking.Oct.2007.chm

Windows Home Server: Protect and Simplify your Digital Life, (Paperback)

2009-03-14T04:33:00.001-07:00

* Windows Home Server (WHS) simplifies the process of backing up PCs,
and this complete reference brings the power of WHS to everyday PCs
users
* Windows and networking expert Rick Hallihan shows readers how to
develop a strategy for organizing a digital lifestyle, including their
documents, photos, movies, and music
* Walks readers through the process of selecting a pre-built hardware
solution and setting up the WHS software package
* Provides step-by-step instructions for creating user accounts,
installing the connector software, configuring backups, and making use
of WHS's recovery features
* Covers setting up and using the remote access features as well as
how third party applications (backup, home automation, and integration
with security systems) can enhance and extend the abilities of WHS

Code http://www.amazon.com/exec/obidos/tg/detail/-/0470186259/

Download: http://rapidshare.com/files/93666164/Wiley.Windows.Home.Server.Protect.and.Simplify.your.Digital.Life.Jan.2008.pdf

Windows Vista Annoyances: Tips, Secrets, and Hacks, [ILLUSTRATED] (Paperback)

2009-03-14T04:25:00.000-07:00

Windows Vista may be the next big thing, but it still contains enough
quirks and unaccountable behaviors to vex anyone. This unique guide not
only discusses the most irritating features of the latest Microsoft
operating system and how to get around them, but also explains how to
improve Windows and do more with the software than Microsoft intended.
You'll find information on setup, installation, upgrade from other
Windows versions, the revamped interface, new security features, user
accounts, troubleshooting, and the markedly improved Internet Explorer
7. Other chapters cover a wide range of key topics: Media Center - tips
on photos, videos, music, TV tuners, HD, and the media center engine The
Registry - explains the background and tools for working with Windows'
database of settings Tinkering Techniques - offers hacking-style
customization and problem-solving topics Networking and Wireless -
includes LAN setup, WiFi sniffers and access points, connection sharing,
firewalls, routers, and FTP Scripting and Automation - introduces simple
programming using the Windows Scripting Host for automating repetitive
tasks No other book takes our patented cranky, solutions-oriented
approach. Our collection of tips, tools and techniques will improve your
experience with Windows Vista, so you can control the OS -- rather than
the other way around.

Code: http://www.amazon.com/exec/obidos/tg/detail/-/0596527624/

Download: http://rapidshare.com/files/99936323/OReilly.Windows.Vista.Annoyances.Tips.Secrets.and.Hacks.Jan.2008.pdf

100 Things You Need to Know about Microsoft Windows Vista

2009-03-14T04:22:00.000-07:00

Tired of clawing your way through computer books that start at the
beginning of recorded history just to find one tiny nugget of
information you need? Tired of wrenching your back to pull that massive
Windows tome off your bookshelf? Tired of wishing you could find a
simple answer to what should be a simple problem? If you answered yes to
any of these questions, then 100 Things You Need to Know about
Microsoft(r) Windows Vista™ is just the book you’ve been looking for.
Chock full of timesaving tips, heady solutions, and expert know-how,
this book doesn’t break the bank nor does it require a Bowflex body to
hoist it around. Inside you’ll find step-by-step help for the 100 things
every Windows user needs to know when making the big switch between
Windows XP and Vista. Even if you’re brand new to Windows (meaning Vista
is your first-ever operating system), you’ll find the advice here
indispensable. In this book, we assume, for instance, that you really
don’t give a hoot about what TCP/IP is. We’re betting you just want to
get your Internet connection up and running, and leave the techy muck to
the propeller heads.

• Want all the cool new cutting-edge features and interface Windows
Vista offers? Well, before you run out and buy the software, you need to
ensure your system will support it! We walk you through, step-by-step,
how to manually check if your PC and other hardware and software are
supported for use with Windows Vista. We show you how to perform common
upgrade tasks, if needed, before you install Vista. In addition, we
provide tips and procedures on backing up your data.
• Having to choose between five different versions (yes, Vista comes
in FIVE flavors!) can be confusing! Don’t sweat it, though--we’ve got
you covered. We show you how to decide which flavor of Vista is best
suited to you! Then we walk you through installing and setting up Vista
for the very first time.
• Next we dig into the new Vista interface, which is quite a change
from the old XP! Then we give you a tour of the many new and enhanced
features. While you might fancy yourself a wicked-smart Windows user,
don’t skip this section! We’re positive you’ll find things you didn’t
know that will help you make Vista do thy bidding.
• Don’t like the slick new Vista interface? (Macintosh, anyone?) We
show you how to harness the power of Vista while keeping the look and
feel of your XP. Who says change has to be painful?
• After you have the basics nailed, we then show you some of the cool
things you can do with Vista, from customizing its performance, to
disabling annoying security controls, to connecting to a wireless
network.

Code http://www.amazon.com/exec/obidos/tg/detail/-/0789737272/

Download: http://rapidshare.com/files/106152833/Que.100.Things.You.Need.to.Know.about.Microsoft.Windows.Vista.Dec.2007.chm

Administering Windows Server 2008 Server Core (Paperback)

2009-03-14T04:19:00.000-07:00

Microsoft's new GUI-less Server Core is a command line version of
Windows Server 2008 that offers better security, reduced size, and
faster access. Inside this comprehensive guide, you'll find everything
you need to quickly master this sleek new version. Packed with
instructions and practical examples, this book teaches you how to
operate in a windowless environment, including using all the commands,
creating BAT files, working with scripts, using registry hacks, managing
remote systems, and more. Includes best practices, 52 indispensable
command line tricks, and an alphabetical list of all the commands.

Code http://www.amazon.com/exec/obidos/tg/detail/-/0470238402/

Download:http://rapidshare.com/files/99741867/Sybex.Administering.Windows.Server.2008.Server.Core.Jan.2008.pdf

Microsoft Windows Server 2008: A Beginner's Guide (Paperback)

2009-03-14T04:10:00.001-07:00

Get up and running on Microsoft Windows Server 2008 with ease

This hands-on guide covers all the essentials of deploying and
administering the latest release of Microsoft's powerful, versatile
network operating system. Using clear screenshots and step-by-step
instructions, Microsoft Windows Server 2008: A Beginner's Guide shows
you how to set up the server, migrate from earlier versions, and handle
networking, administration, storage, and security. You'll also get
details on the new Web tools and management utilities available in
Windows Server 2008.

- Install, configure, and deploy Windows Server 2008
- Set up and manage a network
- Work with Active Directory and Domains
- Set up communications features and an Internet connection
- Install, customize, and maintain Internet Information Services (IIS) 7
- Configure a VPN server and client
- Set up Terminal Services and Remote Desktop
- Manage storage and file systems
- Secure your Windows Server environment
- Set up and manage printing and faxing
- Use the built-in management tools, including Server Manager and
group policies

Code: http://www.amazon.com/exec/obidos/tg/detail/-/0072263512/
Download: http://rapidshare.com/files/97129594/McGraw.Hill.Microsoft.Windows.Server.2008.A.Beginners.Guide.Feb.2008.pdf

Windows Xp: Command Line (Paperback)

2009-03-14T04:02:00.000-07:00

Chapter 1 Getting Started with the Operating System

Chapter Overview

Most people who use computers are really interested in application software. They want programs that are easy to use
and that help them solve specific problems. However, before you can use application software, you must know at least
the basics of using the operating system. No computer can work without an operating system in RAM. The Windows perating system takes care of mandatory functions for computer operations such as handling the input and output of the computer, managing computer resources, and running application software. It enables the user to communicate with the computer. In this chapter you will learn about loading the operating system into the computer, use some basic commands, make a copy of the ACTIVITIES disk to use in future activities, learn your system configuration, and identify the version of Windows you are using.

code http://www.amazon.com/Windows-Xp-Carolyn-Z-Gillay/dp/1887902821/ref=pd_sim_b_njs_img_4/103-3246681-6375002

Download: http://mihd.net/csl65d

Networking with Microsoft Windows Vista: Your Guide to Easy and Secure Windows Vista Networking (Paperback)

2009-03-14T03:57:00.001-07:00

Your Guide to Easy and Secure Windows Vista Networking is a complete
beginner's guide to creating, configuring, administering, and using a
small network using Windows Vista computers. Inside you'll find
comprehensive coverage of networking hardware, including Ethernet
(wired) hardware (from NICs to cables to switches to routers) and
wireless Hardware--from wireless NICs to access points to range
extenders.

We include handy “buyer's guides” that tell you how to make smart
choices when purchasing network hardware. With hardware in hand, we then
show you how to roll up your shirtsleeves and put everything together,
including configuring a router, laying cable, and connecting the
devices. Next, we then show you how to wrangle with Windows Vista's
networking features. These techniques include using the Network and
Sharing Center, managing wired and wireless connections, accessing
shared network resources, sharing local resources on the network, and
working with network files offline. And if you are a music and video
aficionado, we've got you covered with a special chapter that shows you
just how to set up a networked Vista PC as your digital media hub!

No networking book would be complete without extensive coverage of
security issues that affect anyone connected to the Internet. We show
you how to secure each computer, secure your global networking settings,
and batten down your wireless connections. The last part of the book
includes intermediate networking tasks such as
making remote connections, monitoring the network, troubleshooting
network problems, and setting up Vista's built-in web server and FTP
server.

- No longer is networking a topic that only geeks need to understand.
If you have even one computer on the Internet or if you use wireless
in your home or office, you need this book!
- Extensive hardware coverage that shows you what equipment to
buy and how to set it up!
- Easy to follow buyer's guides that enable anyone to make smart
and informed choices when purchasing networking hardware.
- Complete and comprehensive coverage of Windows Vista's
networking features.
- Thwart hackers, crackers, thieves and other Internet malefactors
by following our easy to understand chapters on security!
- Loaded with tips, tricks, and shortcuts to make networking easier
and more secure.
- Chock full of real-world examples and network configurations that
you can put to work today!

code: http://www.amazon.com/exec/obidos/tg/detail/-/0789737779/

Download: http://rapidshare.com/files/85302744/Que.Networking.with.Microsoft.Windows.Vista.Dec.2007.pdf

Microsoft Windows Vista Administration (Paperback)

2009-03-14T03:41:00.000-07:00

Your Hands-On Microsoft Windows Vista Administration Guide
Set up and manage Windows Vista in the enterprise using the detailed
information contained in this authoritative resource. Microsoft Windows
Vista Administration shows you how to leverage Vista's powerful new
productivity, security, and management tools to give your business the
competitive edge. Inside, you'll learn to design and implement Windows
Vista installation and migration plans, create network connections,
configure Internet services, and utilize Vista's remote access features.
You'll also learn to secure your Windows Vista environment, proactively
prevent performance problems, and tune Vista PCs.

- Plan and execute enterprise Windows Vista installations and migrations
- Implement Vista's next-generation TCP/IP and DNS features
- Connect to and navigate wired and wireless networks
- Enable enterprise-wide collaboration and communication
- Configure Remote Assistance and Remote Desktop
- Create and manage users, accounts, privileges, rights, and permissions
- Secure Vista PCs and networks
- Customize and use Internet Explorer 7 and Internet Information Server 7
- Set up and configure Vista on mobile devices, laptops, and tablet PCs
- Monitor, tune, and troubleshoot Vista machines

Code: http://www.amazon.com/exec/obidos/tg/detail/-/0071493034/

Download: http://rapidshare.com/files/85673077/McGraw.Hill.Microsoft.Windows.Vista.Administration.Jul.2007.pdf

PHP and Security - Tutorial

2009-03-14T02:04:00.000-07:00

This is my first contribution in the form of a PSC tutorial, so please bear with me. In this tutorial I am going to discuss security as it relates to protecting your PHP scripts from preying eyes, as well as protecting your system and your web pages from would-be assailants. This tutorial walks through some exploits regarding PHP, as well as fixes for them. This article, this site, or I do not condone using any of this knowledge in a devious or malicious manner.

The rest of this tutorial will be laid out in the following sections:
1. PHP and Security
2. Site Defacement
3. Externally working with variables
4. File Access
5. Encryption
6. Cookie Encryption
7. Protecting Scripts
8. One-way Password Authentication

Section 1: PHP and Security

While most of the world focuses on crackers gaining access to websites from bugs in the web server amongst other things, the major flaws that simply running PHP on your system can cause go unnoticed. Most new PHP users, and probably some veteran ones, don't fully understand the holes that can be readily opened by a single ill-written PHP script. You may think opening a local file on your system is secure, but is it? We'll explore this and other exploits later in this tutorial.

PHP is a very forgiving language, and with this (if not because of it), it is very easy to design PHP programs that have bugs or undesirable consequences. Bugs are easier to implement in PHP programs mainly because of the way it handles variables. Not only can different types of variables be loosely assigned to one another, but also PHP doesn’t really care where a variable has come from, which leads to large security holes.

Section 2: Site Defacement

Site defacement is a common occurrence on the Internet. Site defacement is where a person, by various means, is able to edit the HTML code of a web page and use it to display their own content. This attack is usually more embarrassing than it is harmful, but this is not always the case. A person with access to the source of a web page can do obvious things like link to URLs containing malicious software or not-so-obvious things such as display false statements on a company’s website, thus embarrassing the organization and possibly ruining its reputation.

Site defacement is just one of the many threats web server administrators have to deal with every day that they run their site, but it is also one of the most common. You may be surprised to learn just how easy it is to set yourself up for site defacement in PHP.

PHP is commonly used to develop guest books, web bulletin boards, or just about anything else that requires some form of input from users. This is where most people get into trouble. Examine the following piece of hypothetical code:

print(“$MsgAuthor[27]
”);
print(“$MsgDate[27]
”);
print(“$MsgSubject[27]
”);
print(“$MsgBody[27]
”);
?>

This code, taken from a bulletin board, sends the Author name, Date, Subject, and Body of the 27th entry to anyone that clicks on the link to it. This code will function perfectly; in fact, it will do exactly what you want it to. But what you want is probably not what is best. Suppose that when the person who originally created the 27th entry he put some HTML code of his own in $MsgBody. What will happen to the next person who reads that message? Basically, whatever the creator wanted. It could be anything from displaying harmless images to malicious things such as repetitive loading of java script pop-up windows.

There are instances where you would users to be able to enter HTML into their message bodies, but I don’t. (And since I am writing this tutorial, you have to go along). In case you don’t want to allow this either, PHP provides you with a function that will take care of this problem for you. Let’s take a look at it:

print(“$MsgAuthor[27]
”);
print(“$MsgDate[27]
”);
print(“$MsgSubject[27]
”);
print(htmlspecialchars($MsgBody[27]) . “
”);
?>

The htmlspecialchars() function strips all of the HTML parsing symbols (<, >, &) and replaces them with their equivalents as html entities (< > &). This prevents the execution of any HTML you don’t want.

In addition to the htmlspecialchars() function there is also a htmlentities() function that will strip out all special characters and replace them with their respective HTML entity equivalents.

This does not fix all possibilities for site defacement, but it fixes a major one within PHP that not many people seem to know exist.

Section 3: Externally Working With Variables

This is a large issue with PHP and can have an even larger number of results depending on what the script does. This flaw relies on the fact that variables in PHP do not need to be defined, and can be created directly from the URL. Examine the following piece of code:

If ($Password == “root”) {
$AdminPass = TRUE;
}

If ($AdminPass == TRUE) {
print(“Welcome to the system. Enjoy yourself.”);
} else {
print(“Password refused. Try again.”);
return;
}

?>

What’s wrong with this script? Besides the fact that it is poorly written, nothing is wrong with it, right? PHP will still interpret and execute this script. If we were to hypothetically assume that $AdminPass contains whether the administrator password was accepted or not, it appears fine. Now lets pretend that this script is entitled “admin.php” and was called from the URL: http://www.thesite.com/admin.php?AdminPass=1. What happens? You can bypass the test and access the site without even having to enter a password.

Now remind yourself that this is a purely hypothetical situation and that hopefully no one would write such a script. But the fact that variables can be set from the URL string is quite dangerous and can have completely unexpected and unintended results that your program isn’t prepared to handle.

In the above example, there isn’t a good way to check whether or not the variable is set with the URL string or not, but by using explicit type checking you can usually predict if it is a variable you had defined or came from an external source. A good method to try is the “===” operator which checks if the arguments are equal to each other and are of the same type. The “===” operator makes sure that the values are the same and that PHP identifies them as the same type. This prevents expressions like “TRUE == 1” from returning a TRUE value.

What if the $AdminPass was set to TRUE in the URL string though? It would match even with specific type checking. The best solution to the above problem is to initialize all of the used variables in our PHP script to a null value.

$AdminPass = FALSE;

If ($Password == “root”) {
$AdminPass = TRUE;
}

If ($AdminPass == TRUE) {
print(“Welcome to the system. Enjoy yourself.”);
} else {
print(“Password refused. Try again.”);
return;
}
?>

In the above example $AdminPass was initialized to FALSE as no operations have yet to be performed on it and we know that changing its value at the beginning of our program will not affect the results of the script. If there was a URL string variable supplied as $AdminPass, it will be cleared and set to FALSE, fixing a large hole.

Section 4: File Access

There are a number of holes in PHP when it is used to access files. One of the most devious is using the external variable method described above in conjunction with a script that supposedly opens “safe” files.

In browsing the World Wide Web you have undoubtedly come across URLs that are formed like this: www.thesite.com/loadpicture.php?file=butterfly.jpg. It’s obviously a script that is used to load pictures, and it is calling the file “butterfly.jpg” to load. What’s so wrong with this? Nothing as long as you know exactly what files this script can call. What if some malicious person were to edit that URL and replace it with “file=/etc/passwd”? If you are unlucky enough to allow access to /etc/passwd your password file has now been sent out over the Internet. Good work.

The unfortunate solution to this hole is that there isn’t really a good one. Included with PHP is a configuration known as open_basedir which allows you to specify which directories your PHP scripts can access, but if you intend to work with password files or any sensitive data you must be able to access it to use it, and therefore the file must be within one of the specified directories. Note that open_basedir is still a valid option to protect parts of your system which you have no need to access. For the rest of your system, however, we must use encryption.

Section 5: Encryption

Encryption. It’s the buzzword of the Internet recently. If you aren’t encrypting all of your web traffic, e-mail messages, telnet sessions, and about everything else you use online, you just aren’t cool anymore. Seriously though, encryption is a highly valuable tool, especially if you are dealing with important things like password files.

Encryption is the process of taking a file, usually referred to as plaintext, and encrypting that file into an unrecognizable form known as ciphertext. Decrypting the file backwards from cipher to plaintext usually requires a key of some sort. Without the key it is very difficult to reconstruct the original plaintext message.

There are two main categories of encryption: one-way and two-way. A two-way encryption scheme will allow the encryption and decryption of text and usually requires some form of key. A one-way encryption scheme will only encrypt data and, having no key to decrypt it, will remain that way. One-way encryption is typically used for password files because it is more secure to simply encrypt attempted passwords and compare the encrypted version against encrypted passwords already inside the password file.

PHP will often gracefully handle this task for you, but you must remember that if you use a two-way password encryption scheme, the encrypted file is only as safe as the access to your decryption routines. A better way to handle encryption, and one that is commonly used to encrypt the /etc/passwd file on Unix, is one-way encryption. PHP allows for this form of encryption in it’s crypt() function.

Section 6: Cookie Encryption

The biggest proponent of cookies is commercial websites, though this isn’t always the case. Whether you are using a cookie to keep track of someone’s buying habits, or just to more specifically tailor your site to fit their personal needs, your cookies should always be encrypted.

If you do not encrypt your cookies they are viewable as plain text by the user and thus, he or she can then easily modify the cookie’s data. Not only can this have bad results for your site, as PHP automatically loads cookies into variables (and thus their modifications), but they could LIE to you about their buying habits or their household income, now isn’t that terrible?

Seriously now, the main flaw is that the modified cookies are automatically loaded into PHP and have basically the same effect as creating variables from the URL string (shown in Section 3). If you don’t encrypt your cookies your PHP program must be set up to distinguish variables that you set from variables that the user may set by modifying their cookies, it’s not an easy task.

Cookie encryption is as easy as:

setcookie(base64_encode($cookie));
?>

That’s it. Using the built-in base64_encode() function, the cookie will be encrypted before being sent to the user. It’s such an easy hole to fix; it’s amazing that not more people do. Using just the base64_encode() function should provide sufficient security, but if someone were to know what method you had used to encrypt it, decrypting it would be as easy as loading the cookie into PHP and running base64_decode(). If you handle highly sensitive data with cookies and want better security, there are other encryption functions you can use that are supplied by PHP.

Section 7: Protecting Scripts

Unfortunately there isn’t a lot you can do to protect your script from people who have physical access to your system. The scripts must be readable or else the web server will not be able to load them, meaning that anyone who has security clearance at or above the level of the web server can potentially access your scripts. This is rather dangerous because anyone who has access to your scripts can see how you have encrypted your scripts, see where you store the passwords, modify the scripts content, and do basically whatever they want to them. The good news to this, however, are that the chances of your script being released by the web server are slim, and doubly so if you have installed PHP as a module.

Section 8: One-way Password Authentication

When a script works with passwords unfortunately it is common to see some of them work like this (Note that the decrypt() function is not a PHP function, but merely a hypothetical representation of some user-created functions):

$userpass = decrypt($userpass);
if ($attemptedpass == $userpass) {
print(“Welcome to the system.”);
} else {
print(“Wrong. Try again.”);
}
?>

The problem with the script is that you decrypt the password at all. The decrypted version of the users password is stored in memory, even if only temporarily, and is being passed around inside your script. It is not safe. A much safer version of this is to use one-way encryption to compare the passwords.

Compare the above script with this one:

If(crypt($attemptedpass) == $userpass) {
print(“Welcome to the system.”);
} else {
print(“Wrong. Try again.”);
}
?>

This script is much safer. The attempted password is encrypted, and if it is the same as the $userpass, the encrypted versions of both will match. This makes sure that no unencrypted passwords are being passed around throughout your PHP script.

---

That’s the end of the tutorial. If you had the stomach to read this much of my writing, and liked it, vote for it. :)

About PHP

2009-03-14T01:33:00.000-07:00

PHP is a scripting language originally designed for producing dynamic web pages. It has evolved to include a command line interface capability and can be used in standalone graphical applications.

While PHP was originally created by Rasmus Lerdorf in 1995, the main implementation of PHP is now produced by The PHP Group and serves as the de facto standard for PHP as there is no formal specification. PHP is free software released under the PHP License, however it is incompatible with the GNU General Public License (GPL), due to restrictions on the usage of the term PHP.

PHP is a widely-used general-purpose scripting language that is especially suited for web development and can be embedded into HTML. It generally runs on a web server, taking PHP code as its input and creating web pages as output. It can be deployed on most web servers and on almost every operating system and platform free of charge. PHP is installed on more than 20 million websites and 1 million web servers.

History
Rasmus Lerdorf, who wrote the original Common Gateway Interface binaries, and Andi Gutmans and Zeev Suraski, who rewrote the parser that formed PHP 3 Rasmus Lerdorf, who wrote the original Common Gateway Interface binaries, and Andi Gutmans and Zeev Suraski, who rewrote the parser that formed PHP 3 Rasmus Lerdorf, who wrote the original Common Gateway Interface binaries, and Andi Gutmans and Zeev Suraski, who rewrote the parser that formed PHP 3
Rasmus Lerdorf, who wrote the original Common Gateway Interface binaries, and Andi Gutmans and Zeev Suraski, who rewrote the parser that formed PHP 3

PHP originally stood for Personal Home Page. It began in 1994 as a set of Common Gateway Interface binaries written in the C programming language by the Danish/Greenlandic programmer Rasmus Lerdorf. Lerdorf initially created these Personal Home Page Tools to replace a small set of Perl scripts he had been using to maintain his personal homepage. The tools were used to perform tasks such as displaying his résumé and recording how much traffic his page was receiving. He combined these binaries with his Form Interpreter to create PHP/FI, which had more functionality. PHP/FI included a larger implementation for the C programming language and could communicate with databases, enabling the building of simple, dynamic web applications. Lerdorf released PHP publicly on June 8, 1995 to accelerate bug location and improve the code.This release was named PHP version 2 and already had the basic functionality that PHP has today. This included Perl-like variables, form handling, and the ability to embed HTML. The syntax was similar to Perl but was more limited, simpler, and less consistent.

Zeev Suraski and Andi Gutmans, two Israeli developers at the Technion IIT, rewrote the parser in 1997 and formed the base of PHP 3, changing the language's name to the recursive initialism PHP: Hypertext Preprocessor. The development team officially released PHP/FI 2 in November 1997 after months of beta testing. Afterwards, public testing of PHP 3 began, and the official launch came in June 1998. Suraski and Gutmans then started a new rewrite of PHP's core, producing the Zend Engine in 1999. They also founded Zend Technologies in Ramat Gan, Israel.

On May 22, 2000, PHP 4, powered by the Zend Engine 1.0, was released. On July 13, 2004, PHP 5 was released, powered by the new Zend Engine II. PHP 5 included new features such as improved support for object-oriented programming, the PHP Data Objects extension (which defines a lightweight and consistent interface for accessing databases), and numerous performance enhancements. The most recent update released by The PHP Group is for the older PHP version 4 code branch. As of August, 2008 this branch is up to version 4.4.9. PHP 4 is no longer under development nor will any security updates be released.

In 2008, PHP 5 became the only stable version under development. Late static binding has been missing from PHP and will be added in version 5.3. PHP 6 is under development alongside PHP 5. Major changes include the removal of register_globals, magic quotes, and safe mode. The reason for the removals was because register_globals had given way to security holes, and magic quotes had an unpredictable nature, and was best avoided. Instead, to escape characters, Magic quotes can be substituted with the add_slashes() function.

PHP does not have complete native support for Unicode or multibyte strings; Unicode support will be included in PHP 6. Many high profile open source projects ceased to support PHP 4 in new code as of February 5, 2008, due to the GoPHP5 initiative, provided by a consortium of PHP developers promoting the transition from PHP 4 to PHP 5.

It runs in both 32-bit and 64-bit environments, but on Windows the only official distribution is 32-bit, requiring Windows 32-bit compatibility mode to be enabled while using IIS in a 64-bit Windows environment. There is a third-party distribution available for 64-bit Windows.

Usage

PHP is a general-purpose scripting language that is especially suited for web development. PHP generally runs on a web server, taking PHP code as its input and creating web pages as output. It can also be used for command-line scripting and client-side GUI applications. PHP can be deployed on most web servers, many operating systems and platforms, and can be used with many relational database management systems. It is available free of charge, and the PHP Group provides the complete source code for users to build, customize and extend for their own use.

PHP primarily acts as a filter, taking input from a file or stream containing text and/or PHP instructions and outputs another stream of data; most commonly the output will be HTML. It can automatically detect the language of the user. From PHP 4, the PHP parser compiles input to produce bytecode for processing by the Zend Engine, giving improved performance over its interpreter predecessor.

Originally designed to create dynamic web pages, PHP's principal focus is server-side scripting, and it is similar to other server-side scripting languages that provide dynamic content from a web server to a client, such as Microsoft's Active Server Pages, Sun Microsystems' JavaServer Pages,^[33] and mod_perl. PHP has also attracted the development of many frameworks that provide building blocks and a design structure to promote rapid application development (RAD). Some of these include CakePHP, Symfony, CodeIgniter, and Zend Framework, offering features similar to other web application frameworks.

The LAMP architecture has become popular in the web industry as a way of deploying web applications. PHP is commonly used as the P in this bundle alongside Linux, Apache and MySQL, although the P may also refer to Python or Perl.

As of April 2007, over 20 million Internet domains were hosted on servers with PHP installed, and PHP was recorded as the most popular Apache module.^[34] Significant websites are written in PHP including the user-facing portion of Facebook,^[35] Wikipedia (MediaWiki),^[36] Yahoo!, MyYearbook,, Digg, Wordpress and Tagged.

In addition to server-side scripting, PHP can be used to create stand-alone, compiled applications and libraries, it can be used for shell scripting, and the PHP binaries can be called from the command line.

Speed optimization

As with many scripting languages, PHP scripts are normally kept as human-readable source code, even on production web servers. In this case, PHP scripts will be compiled at runtime by the PHP engine, which increases their execution time. PHP scripts are able to be compiled before runtime using PHP compilers as with other programming languages such as C (the language PHP and its extensions are written in).

Code optimizers aim to reduce the computational complexity of the compiled code by reducing its size and making other changes that can reduce the execution time with the overall goal of improving performance. The nature of the PHP compiler is such that there are often opportunities for code optimization,^[41] and an example of a code optimizer is the Zend Optimizer PHP extension.

Another approach for reducing overhead for high load PHP servers is using PHP accelerators. These can offer significant performance gains by caching the compiled form of a PHP script in shared memory to avoid the overhead of parsing and compiling the code every time the script runs.

Security

The National Vulnerability Database stores all vulnerabities found in computer software. The overall proportion of PHP-related vulnerabilities on the database amounted to: 12% in 2003, 20% in 2004, 28% in 2005, 43% in 2006, 36% in 2007, and 35% in 2008. Most of these PHP-related vulnerabilities can be exploited remotely: they allow hackers to steal or destroy data from data sources linked to the webserver (such as an SQL database), send spam or contribute to DOS attacks using malware, which itself can be installed on the vulnerable servers.

These vulnerabilities are caused mostly by not following best practice programming rules: technical security flaws of the language itself or of its core libraries are not frequent. Recognizing that programmers cannot be trusted, some languages include taint checking to detect automatically the lack of input validation which induces many issues. However, such a feature has been rejected for PHP because of performance concerns.

Hosting PHP applications on a server requires a careful and constant attention to deal with these security risks. There are advanced protection patches such as Suhosin and Hardening-Patch, especially designed for web hosting environments. Installing PHP as a CGI binary rather than as an Apache module is the preferred method for added security.

With respect to securing the code itself, PHP code can be obfuscated to make it difficult to read while remaining functional.

Syntax

Main article: PHP syntax and semantics

Syntax-highlighted PHP code embedded within HTML

PHP only parses code within its delimiters. Anything outside its delimiters is sent directly to the output and is not parsed by PHP. The most common delimiters are and ?>, which are open and close delimiters respectively. delimiters are also available. Short tags can be used to start PHP code, or (which is used to echo back a string or variable) and the tag to end PHP code, ?>. These tags are commonly used, but like ASP-style tags (<% or <%= and %>), they are less portable as they can be disabled in the PHP configuration. For this reason, the use of short tags and ASP-style tags is discouraged. The purpose of these delimiters is to separate PHP code from non-PHP code, including HTML.

Variables are prefixed with a dollar symbol and a type does not need to be specified in advance. Unlike function and class names, variable names are case sensitive. Both double-quoted ("") and heredoc strings allow the ability to embed a variable's value into the string. PHP treats newlines as whitespace in the manner of a free-form language (except when inside string quotes), and statements are terminated by a semicolon.^[53] PHP has three types of comment syntax: /* */ serves as block comments, and // as well as # are used for inline comments.^[54] The echo statement is one of several facilities PHP provides to output text (e.g. to a web browser).

In terms of keywords and language syntax, PHP is similar to most high level languages that follow the C style syntax. If conditions, for and while loops, and function returns are similar in syntax to languages such as C, C++, Java and Perl.

Data types

PHP stores whole numbers in a platform-dependent range. This range is typically that of 32-bit signed integers. Unsigned integers are converted to signed values in certain situations; this behavior is different from other programming languages. Integer variables can be assigned using decimal (positive and negative), octal, and hexadecimal notations. Floating point numbers are also stored in a platform-specific range. They can be specified using floating point notation, or two forms of scientific notation.PHP has a native Boolean type that is similar to the native Boolean types in Java and C++. Using the Boolean type conversion rules, non-zero values are interpreted as true and zero as false, as in Perl and C++. The null data type represents a variable that has no value. The only value in the null data type is NULL. Variables of the "resource" type represent references to resources from external sources. These are typically created by functions from a particular extension, and can only be processed by functions from the same extension; examples include file, image, and database resources. Arrays can contain elements of any type that PHP can handle, including resources, objects, and even other arrays. Order is preserved in lists of values and in hashes with both keys and values, and the two can be intermingled. PHP also supports strings, which can be used with single quotes, double quotes, or heredoc syntax.

The Standard PHP Library (SPL) attempts to solve standard problems and implements efficient data access interfaces and classes

Functions

PHP has hundreds of base functions and thousands more from extensions. These functions are well documented on the PHP site, but unfortunately, the built-in library has a wide variety of naming conventions and inconsistencies. PHP currently has no functions for thread programming.

5.2 and earlier

Functions are not first-class functions and can only be referenced by their name--directly or dynamically by a variable containing the name of the function. User-defined functions can be created at any time without being prototyped. Functions can be defined inside code blocks, permitting a run-time decision as to whether or not a function should be defined. Function calls must use parentheses, with the exception of zero argument class constructor functions called with the PHP new operator, where parentheses are optional. PHP supports quasi-anonymous functions through the create_function() function, although they are not true anonymous functions because anonymous functions are nameless, but functions can only be referenced by name, or indirectly through a variable $function_name();, in PHP.

5.3 and newer

PHP gained support for first-class functions and closures. True anonymous functions are supported using the following syntax:

function getAdder($x)
{
return function ($y) use ($x) {
   return $x + $y;
};
}

$adder = getAdder(8);
echo $adder(2); // prints "10"

Here, getAdder() function creates a closure using parameter $x (keyword "use" forces getting variable from context), which takes additional argument $y and returns it to the caller. Such a function can be stored, given as the parameter to another functions, etc. For more details see Lambda functions and closures RFC.

Objects

Basic object-oriented programming functionality was added in PHP 3. Object handling was completely rewritten for PHP 5, expanding the feature set and enhancing performance. In previous versions of PHP, objects were handled like primitive types. The drawback of this method was that the whole object was copied when a variable was assigned or passed as a parameter to a method. In the new approach, objects are referenced by handle, and not by value. PHP 5 introduced private and protected member variables and methods, along with abstract classes and final classes as well as abstract methods and final methods. It also introduced a standard way of declaring constructors and destructors, similar to that of other object-oriented languages such as C++, and a standard exception handling model. Furthermore, PHP 5 added interfaces and allowed for multiple interfaces to be implemented. There are special interfaces that allow objects to interact with the runtime system. Objects implementing ArrayAccess can be used with array syntax and objects implementing Iterator or IteratorAggregate can be used with the foreach language construct. There is no virtual table feature in the engine, so static variables are bound with a name instead of a reference at compile time.

If the developer creates a copy of an object using the reserved word clone, the Zend engine will check if a __clone() method has been defined or not. If not, it will call a default __clone() which will copy the object's properties. If a __clone() method is defined, then it will be responsible for setting the necessary properties in the created object. For convenience, the engine will supply a function that imports the properties of the source object, so that the programmer can start with a by-value replica of the source object and only override properties that need to be changed.

Resources

PHP includes free and open source libraries with the core build. PHP is a fundamentally Internet-aware system with modules built in for accessing FTP servers, many database servers, embedded SQL libraries such as embedded PostgreSQL, MySQL and SQLite, LDAP servers, and others. Many functions familiar to C programmers such as those in the stdio family are available in the standard PHP build.^[64] PHP has traditionally used features such as "magic_quotes_gpc" and "magic_quotes_runtime" which attempt to escape apostrophes (') and quotes (") in strings in the assumption that they will be used in databases, to prevent SQL injection attacks. This leads to confusion over which data is escaped and which is not, and to problems when data is not in fact used as input to a database and when the escaping used is not completely correct.^[65] To make code portable between servers which do and do not use magic quotes, developers can preface their code with a script to reverse the effect of magic quotes when it is applied.

PHP allows developers to write extensions in C to add functionality to the PHP language. These can then be compiled into PHP or loaded dynamically at runtime. Extensions have been written to add support for the Windows API, process management on Unix-like operating systems, multibyte strings (Unicode), cURL, and several popular compression formats. Some more unusual features include integration with Internet Relay Chat, dynamic generation of images and Adobe Flash content, and even speech synthesis. The PHP Extension Community Library (PECL) project is a repository for extensions to the PHP language.

Zend provides a certification exam for programmers to become certified PHP developers.