Penetration testing, commonly referred to as pen testing, involves an authorized simulation of a cyber attack on a computer system to uncover exploitable vulnerabilities. This process is conducted by ethical hackers who simulate a potential unauthorized attack to assess the system’s response and reveal any weaknesses or flaws.

By subjecting your company’s defenses to simulated attacks, cyber security testing enables you to refine your security measures. A penetration test not only focuses on identifying vulnerabilities but also helps highlight strengths, contributing to a comprehensive risk assessment for auditing purposes. We recommend this guide to learn more about what penetration testing is.

In this guide, we explore some of the top penetration testing tools that are essential for your arsenal. These tools play a crucial role in pinpointing security weaknesses in servers, networks, or web applications. Given that they facilitate the identification of unknown vulnerabilities in both networks and software applications, these tools are indispensable in preventing potential security breaches.

Below is a list of the top Penetration testing Tools

1. Network Mapper (Nmap)

Nmap is an open source and free utility for network security auditing and network discovery. Most network administrators use it for tasks such as network inventory monitoring services and host uptime. It uses raw IP packets to determine hosts that are available on the network, and the services the hosts are providing. From IDS evasion to OS detection, Network Mapper is an essential tool for both large and small gigs.

2. Aircrack-ng

Aircrack-ng is a complete suite of tools to asses your wifi network security. In particular, it focuses on different areas of wifi security including:

Testing: Checking WiFi driver capabilities and cards, both injection and capture.

Attacking: Replay fake access points and attacks.

Monitoring: It help monitor packet capture and export of data to text files for further processing by third-party software. Besides, you can use it crack WPA PSK and WEP.

3. Wifiphiser

This is a rogue access point tool. It enables automated phishing attacks against wireless networks. A full assessment using Wfiphisher may lead to credential harvesting and actual infection.

4. Netsparker

It is an easy to use web application security scanner. It can automatically find XSS and SQL injection vulnerabilities in your web applications and service. Additionally, it is available in both SAAS or on-premise solution.

5.Metasploit

Metasploit is one of the most advanced and popular frameworks. The tool is open source, and it is based on the precepts of “exploit”; hence, you can pass a code that breaches the security and enters a system. Once the code enters the system, it runs a payload on the target machine and creates a perfect framework for penetration. Metasploit can be used in applications, network, and servers.

6. SQLmap

SQLmap is an automatic database, and SQL injection takes over the tool. It supports all kind of database platforms ranging from MySQL, Access, PostgreSQL, MSSQL, and SQLite.

7. CrackMapExec

Also known as CME, it is a post exploitation tool that gives you the leverage to automate the tasks of assessing the security of a vast Active directory network.

The tool works by leaving behind the land by abusing the built-in AD features to achieve functionality and allow it to evade most endpoint protection.

8. PowerSploit

PowerSploit is a collection of modules that are used during assessment. In windows, the modules are the PowerShell. Some of its features include exfiltration, script modification, code execution and Av bypass.

9. Social Engineer Toolkit (SET)

SET is a pen testing framework geared towards social engineering. SET is a favorite tool among hackers and at one point, it was featured on TV and was actively involved in USA Network robot.

10. Acunetix

This is a fully automated pen testing tool. It is a web-based security application scanner. It accurately scans HTML5, single page applications and Javascript.

Acunetix can be used to audit multiple authenticated web pages to issue compliance and management reports on a vast array f network vulnerabilities.

The post Top Penetration Testing Tools appeared first on Spam Daily News.

Clues That May Indicate An Email is From A Scammer

• The email in most times is not addressed to the recipient, probably because the scammer doesn’t know the recipient. The Identifier “Dear Customer” is used so many times.

• When you try to log in to their ‘web account’, it could easily indicate that you have exceeded the number of login attempts allowed, yet you have never even logged in.

• Their messages often contain grammatical errors: Tricking words such as ‘Online Banking’ could all be capitalized. And, if you continue reading keenly, you will find so many wrong sentences that do not make any sense grammatically. Most people usually scan emails quickly, and therefore small grammatical errors could go unnoticed.

• They insist on assuring the recipients by encouraging them to confirm ‘their’ email by using a scammer link they provide.

• A true email address gets displayed when the mouse is made to hover over any link on that particular page. I doubt if there exists a company that has all these kind of actions pointing to the same link. This is just directly a scam!

If you happen to see anyone kind of these flaws, that’s just enough for you to know that email is an attempt of phishing.

How To Protect Yourself From Online Email-Scams

1. Use your own link

In case you use the company often, you most likely have a bookmark for the site you can use. If not, use an online search engine such as Google and type in the company’s name. you can then use the genuine link to go to the correct site. If the email is legit, the information you will see is the same as the one you have when you log into your account on the legitimate site. This is just the ONLY way to guarantee that you land on the legit site.

2.Detection software

Install a software that will help you identify malicious sites so that you can get to know whether the site you found is legitimate. Most browsers now have add-ons that can be turned on to provide alerts if a site you are about to fall victim by clicking a malicious link. Be mindful to only install add-ons from the store and watch out for phishing add-ons for browsers.

If you happen to find out that you have already fallen victim to a phishing scam, the best option is to change all of your passwords, immediately.

The post What is Phishing? appeared first on Spam Daily News.

Start by reviewing bank statements regularly. Look out for suspicious transactions or small transactions. There have been instances where credit card companies have scammed their customers, thinking small purchases would not be noticed.

Keep all financial information in a place that can guarantee safety at home. A safe can be used for this purpose. Your wallet should be kept inside this safe when expecting guests.

Any financial information received in print must be shredded if they’re unwanted. If fallen into the wrong hands, this info can be used against you if necessary measures to prevent this aren’t taken.

Passwords must regularly be changed so that they can be hard to guess. Avoid using personal information as passwords such as your birthday or arbitrary passwords such as “12345”. They are easy to guess and cannot be held successfully in a brute force test.

Do not write your passwords as a list on a piece of paper or a notebook. Instead, write a unique clue that can only be made sense by you on a piece of paper.

Be wary of anyone who you do not know that sends you a request in social media websites. This can either put you or anyone in your friends’ list in harm. Do not accept duplicate accounts unless the owner of the original vouches for them.

Be sure to logout after you’re done with any website especially if you’re using a friend’s computer or using an internet café.

Make sure the person you’d be sharing information with is trustworthy. Be it online or offline. Question their need for your personal information and ensure you know why and how they use it. Keep in mind to ask them if they have precautions in place if they lose your private information.

Government-issued ID numbers like Aadhar number and license number are also a known starting point for identity thieves to steal. You might have to issue a new one if the original is known by someone else other than you. Hence, contact the issuing department and determine what they’d suggest you do in a situation such as this.

Keep a clean harddrive and delete out of date information. Only keep the data that’s needed to avoid giving surplus information in a potential attack. If the old data is indispensable, archive them in a safe, offline harddrive and store it in the safe.

Follow these tips and make sure to keep an eye out for potential thieves as they would settle for any data or metadata that they can get their hands on. Stay safe!

The post How to Keep Your Personal Information Secure appeared first on Spam Daily News.

“With the damage of malicious online activities continuing to rise, new and creative technologies and approaches are needed to stem the tide,” said Nico Popp, vice president, Authentication Services, VeriSign Security Services. “VeriSign is working on a solution that marries Microsoft technology with our intelligent network infrastructure to create a solution to identity theft and make the Internet more secure, more trusted and safer for all of us.”

To help end-users clearly differentiate between a legitimate and spoofed Web site, Microsoft’s IE7 browser and “InfoCard” technology will use VeriSign’s “Enhanced Validation” SSL certificates to provide clear and un- spoofable visual feedback about the sites’ authenticity.

Only organizations that pass VeriSign’s rigorous authentication process will be issued “Enhanced Validation” SSL Certificates for their Web sites. When a consumer visits such a site, the IE7 address bar turns green and shows the name of the organization owning the certificate and the identity of the Certificate Authority, such as VeriSign, in the browser’s interface.

Providers or financial institutions will be able to strongly identify a user with the integration of Microsoft “InfoCard” technology with the VIP network. This integration will form the next generation of solutions for securely authenticating users, utilizing built-in Windows functionality that allows consumers to link any type of strong authentication device to their “InfoCard” and present it as an identity card to any VIP-enabled website.

“InfoCard” is a Microsoft technology that simplifies and improves the safety of accessing resources and sharing personal information on the Internet, and represents a key component of Microsoft’s implementation of an “identity metasystem” — an open, extensible framework based on the Web services WS-* Architecture that spans new and existing platforms and technologies across the industry. With “InfoCard,” consumers can download these credentials from trusted identity providers such as their bank, employer, government agency, or membership organization, or create their own self-issued cards. Moreover, digital identity and related personal information can be more securely stored and managed in a variety of ways, including via the online identity security providers such as VeriSign, which offers a choice of security and portable devices such as USB keychain devices, smart cards, and mobile devices.

“‘InfoCard’ provides customers with the control and flexibility they need to more safely access Internet-based resources,” said Richard Turner, product manager, Web Services Strategy at Microsoft. “This demonstration shows how ‘InfoCard’ can combine the collective strengths of our technology with service partners’ offerings to provide new and unique proactive fraud and identity theft measures.”

VIP is a modern approach to combating digital identity theft targeted at both consumers and online services that enables the use of stronger authentication across multiple Web sites by promoting a shared authentication network approach. With VIP, the same authentication device will work across any network member sites, leveraging a shared infrastructure and enabling everyday devices in consumer hands to become authentication devices.

The post VeriSign and Microsoft tie-up to tackle phishing appeared first on Spam Daily News.

The deals have been made following a trip by Chinese president Hu Jintao to America, during which he spoke highly of Bill Gates and openly welcomed an increase in Microsoft’s investment in his country.

“I admire what you have achieved at Microsoft. Because you, Mr Bill Gates, are a friend of China, I’m a friend of Microsoft,” said President Hu.

The memorandum of understanding (MOU) signed on April 18 between Microsoft and NDRC lays out the terms for a second phase of cooperation between Microsoft and Beijing authorities.

The first phase, signed in June of 2002 with NDRC’s predecessor, the State Planning Commission, involved a $750-million investment by Microsoft in a Beijing-based research and development center and software development training programs for Chinese software engineers.

“Over the last five years, NDRC and Microsoft have built a strong foundation for cooperation and achieved results that go beyond the expectations of all parties,” said Ma Kai, minister of NDRC, in a joint press release. “As a result, we have decided to take this endeavor to the next level.”

Microsoft CTO Craig Mundie said the company has a five-year plan.

“In the next five years, we will take solid measures to implement the second phase of the MOU and make concrete contributions to the development of a healthy IT ecosystem for China’s knowledge economy,” said Mundie.

Bill Gates, chairman and chief software architect of Microsoft said in a written statement that he is delighted to see China’s efforts made in IPR protection, and the signing of the MOU shows Microsoft’s long-term commitment to China software industry.

From a business perspective, the deal represents another step in China’s modernization, according to Bruce McKern, director of the Sloan Master’s Program at Stanford University’s Graduate School of Business and author of an abstract on “The Competitive Advantage of China.”

“It’s a part of the stage of development,” McKern said. Software piracy has traditionally been rampant in China, with some estimates that as much as 90 percent of the software in use is copied illegally. This situation, McKern said, “was exacerbated because China had weak enforcement, and in such a big country enforcement is difficult.”

Microsoft and other U.S. tech companies have long lobbied for stricter rules and enforcement against piracy, and in his visit last week, President Hu promised to do better.

“I think it stems from the visit of Hu last week,” McKern said. “It’s a step in the right direction for China from the perspective of dealing with issues of piracy and intellectual property.”

Under pressure over rampant intellectual property violations, Beijing banned sales of PCs without operating systems earlier this month.

That move prompted Chinese PC manufacturer Lenovo, which acquired IBM’s PC unit in May 2005, to announce it would purchase $1.2 billion worth of Windows operating systems, to be pre-loaded into Lenovo PCs made in China.

China’s other top PC makers have placed software orders with Microsoft totaling $430 million.

Microsoft’s commitment to invest in China is regarded as a “return” for the deal.

Chinese authorities have backed open-source initiatives, mandated the purchase of domestically produced operating systems and productivity suites by government ministries, and accused Microsoft of including “back doors” in Microsoft operating systems that could compromise state security.

Given Beijing’s goal of developing homegrown technology standards, it is not in the government’s interest to allow Microsoft to become a dominant player in China, according to Mark Natkin, managing director of Beijing-based IT consultancy Marbridge.

The post Microsoft to spend $4B in China appeared first on Spam Daily News.

The settlement doesn’t shut down the businesses but will bar future violations of the spam laws, will require the operators to monitor affiliates closely to assure that they are not violating state and federal laws, and requires that they give up approximately $475,000 in ill-gotten gains.

In April 2005, the FTC and the Attorney General of California charged that the defendants used third-party affiliates or “button pushers” to send spam hawking mortgage loans and other products and services.

The operation used hyperlinks in the spam to refer consumers to Web sites operated by the defendants.

Consumers forwarded more than 1.8 million of the defendants’ e-mail messages to the FTC. Those messages demonstrated that the defendants were violating almost every provision of the CAN-SPAM Act, the law enforcers said.

The FTC and California charged that the defendants e-mail:

— contained false or forged header information;

— included deceptive subject headings;

— failed to identify e-mail as advertisements or solicitations;

— failed to notify consumers they had a right to opt out of receiving more e-mail;

— failed to provide an opt-out mechanism;

— failed to include a valid physical postal address.

At the agencies’ request, the court ordered a temporary halt to the illegal spamming, pending trial, and froze the defendants’ assets. The settlement announced today ends that litigation.

The settlement bars future violations of the CAN-SPAM Act. Specifically, it prohibits the defendants from sending commercial e-mail that contains false or misleading headers; contains misleading subject headings; does not contain a valid physical postal address; and does not identify the message as an advertisement. It requires that they include an opt-out mechanism for consumers who do not wish to receive their messages in the future.

The settlement requires that the defendants establish an aggressive monitoring regime for any future affiliate program to assure that their affiliates are complying with the provisions of the CAN-SPAM Act and California law. In addition to reviewing, in advance, the subject line, text, and other particulars of the affiliates proposed campaign, the defendants are required to establish an opt-out mechanism for any e-mail campaign conducted on their behalf and requires that they ensure that all opt-out requests are honored.

The order imposes a $2.4 million judgement – representing the total of the defendants’ ill-gotten gains. Based on financial records provided by the defendants, the judgment will be suspended upon payment of $385,000 in cash and approximately $90,000 from the sale of real property. Should the court find that the defendants misrepresented their financial situations, the entire $2.4 million will be due.

The settlement also contains certain bookkeeping and record keeping requirements to allow the agencies to monitor compliance.

The post FTC levies fine against big-league spammers appeared first on Spam Daily News.

In 2003, the National Security Agency set up a secret room inside the phone company’s San Francisco office building that was not accessible to AT&T; technicians, Klein said.

The former employee’s statement, as well as several documents saved by him after he left the company in 2004, shows further evidence of domestic spying initiatives by the federal government.

Klein’s statement is being incorporated into a class action filed in San Francisco federal court, in which lawyers with the Electronic Frontier Foundation (EFF), Lerach Coughlin Stoia Geller Rudman & Robbins, and Traber & Voorhees in Pasadena claim that AT&T; illegally allowed the NSA taps.

“Despite what we are hearing, and considering the public track record of this administration, I simply do not believe their claims that the NSA’s spying program is really limited to foreign communications or is otherwise consistent with the NSA’s charter or with FISA [the Foreign Intelligence Surveillance Act],” Klein said.

News that the NSA was working with major telecommunications companies first surfaced shortly before Christmas. The Bush administration has acknowledged the existence of a domestic spying program, but claims the executive order was limited to those individuals with known terrorist ties.

The Electronic Frontier Foundation filed a class-action lawsuit against AT&T; on January 31, 2006, accusing the telecom giant of violating the law and the privacy of its customers by collaborating with the National Security Agency in its massive program to wiretap and data-mine Americans’ communications.

“The evidence that we are filing supports our claim that AT&T; is diverting Internet traffic into the hands of the NSA wholesale, in violation of federal wiretapping laws and the Fourth Amendment,” EFF Staff Attorney Kevin Bankston said in a statement.

On Wednesday, the EFF asked the court to issue an injunction prohibiting AT&T; from continuing the alleged wiretapping, and filed a number of documents under seal, including three AT&T; documents that purportedly explain how the wiretapping system works.

After asking for a preview copy of the documents last week, the government did not object to the EFF filing the paper under seal, although the EFF asked the court Wednesday to make the documents public.

One of the documents is titled “Study Group 3, LGX/Splitter Wiring, San Francisco,” and is dated 2002. The others are allegedly a design document instructing technicians how to wire up the taps, and a document that lists the equipment installed in the secret room.

The list includes a Narus STA 6400, which is a semantic traffic analyzer. The Narus STA technology is known to be used particularly by government intelligence agencies because of its ability to sift through large amounts of data looking for preprogrammed targets.

In a letter to the EFF, AT&T; objected to the filing of the documents, arguing that they contain sensitive trade secrets, Wired magazine reports.

According to court rules, AT&T; has until Thursday to file a motion to keep the documents sealed. The government could also step in to the case and request that the documents not be made public, or even that the entire lawsuit be barred under the seldom-used State Secrets Privilege, says Wired.

AT&T; Corp. (which was recently acquired by the new AT&T;, Inc,. formerly known as SBC Communications) maintains domestic telecommunications facilities over which millions of Americans’ telephone and Internet communications pass every day. It also manages some of the largest databases in the world, containing records of most or all communications made through its myriad telecommunications services.

The post Whistleblower outs NSA’s secret spy room at AT&T appeared first on Spam Daily News.

The perceived security and privacy of these campus LANs give many students incentive to engage in activity they have otherwise learned is illegal and unacceptable.

“We are appreciative of our partners in the university community and all they have done in recent years to tackle the problem of digital piracy at campuses across the country,” said RIAA President Cary Sherman. “Despite the progress achieved by our collaborative efforts, this remains an ever-evolving problem. We cannot ignore the growing misuse of campus LAN systems or the toll this means of theft is taking on our industry. As we prioritize our focus on campus LAN piracy in the coming year, we hope administrators will take this opportunity to fully evaluate their systems and take action to stop theft by all means.”

MPAA Chairman and CEO Dan Glickman said, “Universities are taking action in a host of ways to address the problem of piracy on campus. We are working to provide as much information as we can to help make those efforts effective, and to stay on top of emerging trends in intellectual property theft. Providing information about LAN systems serves to raise awareness and encourage action.”

In letters sent today, the RIAA and MPAA notified 40 university presidents of information indicating campus LAN piracy problems on their campuses. The universities receiving these letters are located in the following 25 states: California, Connecticut, Georgia, Illinois, Indiana, Louisiana, Massachusetts, Maryland, Maine, Minnesota, Missouri, New Hampshire, New Jersey, New York, Ohio, Oregon, Pennsylvania, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Washington, and Washington, DC.

The letters encourage administrators to review the use of their computer networks and, if appropriate, take steps to stop and prevent such theft. Blocking and filtering devices are currently available to help administrators restrict inappropriate use of a campus network.

In April 2003, the RIAA brought lawsuits against the student operators of four campus LAN networks at three schools. In the wake those enforcement actions, university administrators pulled down at least a dozen campus LAN servers where music theft had been prevalent. Since then, in addressing university file- sharing, campus LAN piracy is increasingly identified as a key challenge by lawmakers in Congress as well as the Joint Committee of the Higher Education and Entertainment Communities.

“Campus LAN piracy is not new, yet the problem has taken on new urgency,” Sherman said. “We know from past experience that bringing this problem to light can effect real change. We are hopeful that this new systematic program will yield even more positive results.”

The post RIAA, MPAA alert 40 university presidents in 25 states of LAN piracy appeared first on Spam Daily News.