Session Hacking | Session Management Attacks | The Basics

So we are here to discuss one more topic related to web application hacking: session hacking. Note that session hijacking and session hacking are closely related terms but are slightly different. Session hacking is concerned with application-level attacks, whereas session hijacking covers application-level attacks as well as TCP/IP-level attacks. Session hacking can also be called a Session Management Attack. So I must make clear that here we are discussing session hacking, not session hijacking. People who confuse session hacking with session hijacking should read this post carefully; I hope it helps clear up the confusion.
So first of all, what is a session? A session is the entity responsible for handling your state over the internet, such as whether you are logged in or which items you have added to your cart while shopping. The most common and well-known method for managing sessions is cookies.

Web applications become vulnerable to session hacking due to improper generation and mishandling of cookies. The data passed as a cookie is known as a token, so we can say that weak token generation methods and weaknesses in handling tokens are the main reasons sessions get hacked.

What are common weak token generation methods?
One of the most common mistakes new web developers make is designing tokens to be meaningful. That means the token is most likely created from the user name, password, email ID, telephone or mobile number, country, region, time and similar information about the logged-in user. And if the token does not include the password, there is a 100% chance that a hacker can log in as any user he/she wants, since all the other information is readily available in the user's profile to create new legal tokens as cookie values.
The next weak token generation method is generating a token value that is predictable. A predictable token can be generated in several ways, for example by creating a pattern to generate tokens, using only hexadecimal values, using known token generation methods, or using hidden sequences while generating tokens.
The last is creating a session token which is fully time independent or fully time dependent. This is one of the biggest mistakes that can be made while creating tokens for handling sessions. In fact, many experienced hackers might crack a token generated using this method in a few minutes. It's never a good idea to use this method for generating tokens.

What are common token mishandling methods?
The very first in the list is coding cookies improperly for use on a LAN.
Next is the appearance of tokens in session logs and URLs.
The third is storing cookies in the wrong way.
Lastly, thinking that implementing SSL means we are secure against session-related attacks.

A session token vulnerable to attack means the complete session is vulnerable to attack. Underestimating session handling can prove to be serious. So here we end the basics of session hacking. In the next post we will look at how to perform a session hacking attack against weak cookie generation, then in the post after it how to perform attacks on token mishandling methods, and lastly how to perform a hacked session CSRF attack. Till then thanks for reading, have a nice time and keep visiting.

Session Management Attacks Countermeasure

Over the last few posts we have been discussing session hacking, or attacks against session management. After a brief look at session hacking and some of its regular types, it's time to look at its countermeasures. Like any other web application countermeasures, session hacking countermeasures depend on the type of application and its implementation, or in other words on the type of vulnerability a web application can suffer from. In this post we will discuss some preventive measures against session hacking which can be practically implemented in any web application.


Generating Strong Tokens:
Following are some tips for generating strong tokens to protect sessions against the predictable token vulnerability.

  • Use a large value for the token.
  • Check each value for randomness before using it in session management.
  • Make sure the token's complexity can't be broken using brute force, so use really large values with as many random characters as possible.
  • Never use weak hashes, hexadecimal values, octal values or anything similar that generates predictable values for token generation.
  • Don't use time-dependent variables to generate the token.
  • Tokens should consist of nothing more than an identifier used by the server to locate the relevant session object to be used for processing the user’s request. Make sure there is a large enough number of possible tokens that it is not easy for anyone to attack.
  • The token generation method should be different for each token.

Now, information that can be used to generate tokens:
  • IP address of the user.
  • Port number from which the user sent the request.
  • User's browser protocol or User Agent details.
  • Absolute time of the request in milliseconds.

Why can the above things be used for generating tokens even though they can be predictable? The reason is that we are not advising you to use any one of them; we are advising you to use all of them together. By doing so you'll be able to generate a token which is highly unpredictable, and thanks to the time of the request you can terminate the session after a specific interval of time.

Protecting Tokens From Mishandling:
Following are some measures that the developer should take against mishandling of tokens.
  • All tokens should be passed over HTTPS and not over HTTP.
  • A page must not use HTTPS and HTTP simultaneously.
  • If possible, all pages should be served over HTTPS, including static and help pages. Use HTTPS for all pages rather than switching from HTTP to HTTPS for specific pages, since the switch can act as a vulnerability which helps an attacker steal the session.
  • Session log should never be transmitted in the URL.
  • A session token should die after a specific interval of time (10 min - 1 hour, not more).
  • If a remember-me function is enabled, the user must be notified of how many computers he/she has stored a session on and asked whether he/she wants to remove them. To get an idea of the implementation, visit http://shetoldme.com.
  • A user must not be allowed to log in from two computers at the same time.
  • The domain and path scope of an application’s session cookies should be set as restrictively as possible.
  • A site should be checked for XSS and CSRF vulnerabilities, which can help an attacker attack the session.
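
The token and cookie advice from the two lists above, as an added example in Python that is not part of the original post: a "meaningful" token that anyone can rebuild from profile data, beside an opaque random identifier that the server maps to a session object, with expiry, one session per user and an HTTPS-only, narrowly scoped cookie. The names `SessionStore`, `session_cookie`, the `SID` cookie name and the `/app` path are assumptions made for the illustration.

```python
import hashlib
import secrets
import time

SESSION_TTL = 30 * 60  # seconds; inside the 10 min - 1 hour window given above


def meaningful_token(username, email):
    """Weak pattern: built only from profile data, so it can be recomputed
    by anyone who can read the user's profile."""
    return hashlib.md5(f"{username}:{email}".encode()).hexdigest()


class SessionStore:
    """Server-side sessions keyed by an opaque random identifier."""

    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self._ttl = ttl
        self._clock = clock      # injectable so expiry can be tested
        self._sessions = {}      # token -> {"user": ..., "expires": ...}

    def create(self, username):
        # One session per user: logging in again invalidates the old token.
        stale = [t for t, s in self._sessions.items() if s["user"] == username]
        for token in stale:
            del self._sessions[token]
        # 32 bytes (256 bits) from the OS CSPRNG; the token carries no user data.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": username,
            "expires": self._clock() + self._ttl,
        }
        return token

    def lookup(self, token):
        """Return the user for a live token, or None if unknown or expired."""
        record = self._sessions.get(token)
        if record is None:
            return None
        if self._clock() >= record["expires"]:
            del self._sessions[token]   # the token dies after the interval
            return None
        return record["user"]

    def destroy(self, token):
        """Explicit logout."""
        self._sessions.pop(token, None)


def session_cookie(token, path="/app", ttl=SESSION_TTL):
    """Set-Cookie value: HTTPS only, hidden from scripts, narrow path scope.
    No Domain attribute, so the cookie stays bound to the issuing host."""
    return (
        f"SID={token}; Max-Age={ttl}; Path={path}; "
        "Secure; HttpOnly; SameSite=Strict"
    )


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice")
    print("Set-Cookie:", session_cookie(tok))
    print("lookup ->", store.lookup(tok))
    # The weak token is identical every time it is derived from the profile.
    print("weak   ->", meaningful_token("alice", "alice@example.com"))
```
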

To protect users in a LAN environment, the network admin should implement SniffJoke. SniffJoke is a Linux-based anti-sniffing technology developed by Delirandom; for download and more information visit http://www.delirandom.net . You can implement any anti-sniffing technology, but we recommend SniffJoke because it's free and open, so you can not only download and use it but also modify it according to your needs.

So here we end the countermeasures against session management attacks. Thanks for reading, have a nice time and keep visiting.

How to Use Windows 7 Without Activation




Most of you might be aware of the fact that it is possible to use Windows 7 and Vista for 120 days without activation. This is possible using the slmgr -rearm command, which will extend the grace period from 30 days to 120 days. However, in this post I will show you a small trick using which it is possible to use Windows 7 without activation for approximately a year! Here is a way to do that.
1. Go to “Start Menu -> All Programs -> Accessories”. Right-click on “Command Prompt” and select “Run as Administrator”. If you are not the administrator then you are prompted to enter the password, or else you can proceed to step 2.
2. Now type the following command and hit Enter:

slmgr -rearm

3. You will be prompted to restart the computer. Once restarted, the trial period will be once again reset to 30 days. You can use the above command up to 3 times, by which you can extend the trial period to 120 days without activation.
4. Now comes the actual trick by which you can extend the trial period for another 240 days. Open Registry Editor (type regedit in “Run” and hit Enter) and navigate to the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform

5. In the right-side pane, change the value of SkipRearm to 1.
6. Now you will be able to use the slmgr -rearm command another 8 times so that you can skip the activation process for another 240 days. So you will get 120 + 240 = 360 days of free Windows 7 usage.

120 days using the “slmgr -rearm” command before the registry edit
+ 240 days using the “slmgr -rearm” command after the registry edit
= 360 days

Hacking 151 Softwares


Hack a website using Directory Traversal attack?


What is the root directory of a web server?

It is a specific directory on the server in which the web contents are placed and can be seen by website visitors. Directories other than the root may contain sensitive data which the administrator does not want visitors to see. Everything accessible by a visitor on a website is placed in the root directory. The visitor cannot step out of the root directory.

What does ../ or ..\ (dot dot slash) mean?

The ..\ instructs the system to go one directory up. For example, suppose we are at the location C:\xx\yy\zz. On typing ..\ , we would reach C:\xx\yy.

On typing ..\ again, we would reach C:\xx .

Let's go back to the location C:\xx\yy\zz. Now suppose we want to access a text file abc.txt placed in folder xx. We can type ..\..\abc.txt . Typing ..\ two times would take us two directories up (that is, to directory xx) where abc.txt is placed.

Note: It's ..\ on Windows and ../ on UNIX-like operating systems.

What is a Directory Traversal attack?

Directory Traversal is an HTTP exploit which allows attackers to access restricted directories and execute commands outside of the web server's root directory.

The goal of this attack is to access sensitive files placed on the web server by stepping out of the root directory using dot dot slash.

The following example will make everything clear.

Visit this website, which is vulnerable to a directory traversal attack:


http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=notification.php

This web server is running on a UNIX-like operating system. There is a directory 'etc' on Unix/Linux which contains configuration files of programs that run on the system. Some of the files placed in the 'etc' directory are passwd, shadow, profile, sbin.

The file etc/passwd contains the login names of users and even passwords too.

Let's try to access this file on the web server by stepping out of the root directory. Look carefully at the position of the directories placed on the web server.

We do not know the actual names and contents of the directories except 'etc', which is a default name, so I have marked them as A, B, C, E or whatever.

We are in directory F, accessing the web pages of the website.


Let's type this in the URL field and press Enter:

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=etc/passwd

This will search for the directory 'etc' in F. But obviously there is nothing like this in F, so it will return nothing.

Now type
http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=../etc/passwd
Now this will step up one directory (to directory E) and look for 'etc', but again it will return nothing.

Now type

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=../../etc/passwd
Now this will step up two directories (to directory D) and look for 'etc', but again it will return nothing.

So by proceeding like this, we go for this URL:
http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=../../../../../etc/passwd

It takes us 5 directories up to the main drive and then to the 'etc' directory, and shows us the contents of the 'passwd' file.
To understand the contents of 'passwd' file, visit http://www.cyberciti.biz/faq/understanding-etcpasswd-file-format


You can also view etc/profile, etc/services and many other files, like backup files, which may contain sensitive data. Some files like etc/shadow may not be accessible because they are accessible only by privileged users.

Note: If proc/self/environ is accessible, you might upload a shell on the server, which is called Local File Inclusion.

Counter Measures

1. Use the latest web server software
2. Effectively filter the user's input
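
One way to implement the input filtering named in countermeasure 2, as an added example that is not code from the original post (written in Python rather than the PHP of the example site): the unchecked join that lets `../` step out of the root, beside a resolver that canonicalises the requested path and refuses anything that does not end up inside the web root. The function names and the temporary directory tree are constructed for the illustration.

```python
import os
import tempfile


def naive_page_path(web_root, page):
    """Vulnerable pattern: the request parameter is joined to the root unchecked,
    so every ../ in `page` climbs one directory above the web root."""
    return os.path.join(web_root, page)


def resolve_page(web_root, page):
    """Return the real path of `page` if it is a file inside web_root, else None."""
    if not page or "\x00" in page:
        return None
    root = os.path.realpath(web_root)
    # realpath collapses ../ sequences and follows symlinks, so the containment
    # check below sees the file that would really be opened.
    candidate = os.path.realpath(os.path.join(root, page))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # e.g. paths on different drives on Windows
        inside = False
    if not inside or not os.path.isfile(candidate):
        return None
    return candidate


def build_demo_root():
    """Constructed sample tree: <base>/site is the web root, <base>/secret.txt
    lies outside it. Returns (base, root)."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="traversal_demo_"))
    root = os.path.join(base, "site")
    os.mkdir(root)
    with open(os.path.join(root, "notification.php"), "w") as fh:
        fh.write("notice\n")
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("not for visitors\n")
    # A symlink inside the root that points outside it must be refused too.
    os.symlink(os.path.join(base, "secret.txt"), os.path.join(root, "link.txt"))
    return base, root


if __name__ == "__main__":
    base, root = build_demo_root()
    requests = [
        "notification.php",
        "etc/passwd",
        "../secret.txt",
        "../../../../../etc/passwd",
        "/etc/passwd",
        "link.txt",
    ]
    for page in requests:
        print(f"{page!r:32} -> {resolve_page(root, page)}")
```

Where the set of pages is small and known in advance, mapping the `page` parameter to a fixed allowlist of file names removes the path handling altogether.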

Secure Webmail Encryption Service eCrypt.me

When it comes to sending encrypted email messages, the easiest way to do it is by using a webmail service that supports it. With email encryption working in the background you do not have to worry about digital certificates and PGP encryption keys; everyone can use it with zero knowledge about encryption, with the responsibility for keeping the messages secure lying with the provider and not the user.
With eCrypt.me you can send messages just like you would with any other webmail service, but its end-to-end encryption makes it impossible for others to read them. eCrypt.me doesn’t have as many features as Gmail, Hotmail and Yahoo have; it appears to have been designed with businesses in mind, maximizing employee productivity and making it very easy to use with a zero training curve. It doesn’t use Java like Hushmail does, its email interface loads quickly, and it is simple and easy to use. The communication between eCrypt.me and your browser is secured via SSL with a Verisign digital certificate using AES256 encryption.






eCrypt.me encrypted webmail service
Registering an account with eCrypt.me requires you to have a valid email address at which to receive an activation email; check the spam folder, because that is where it went in my case. The service allows you to use your own email as the username to log in. In order for someone to communicate with you using end-to-end encryption they will need to have an account with eCrypt.me. This happens with all other webmail services using encryption, and it is the biggest drawback of this kind of service: both sides have to use the same service for encryption to take place.
eCrypt.me has a FileVault where you can upload files for storage. The files (photos, PDFs, etc.) cannot be viewed in your browser; it just makes it easy to send encrypted attachments by selecting them from the FileVault when you compose an email. There is an account activity log that tells you the last login IP, and this log can be exported as CSV, Excel and XML. A basic statistics screen tells you the mailbox and bandwidth usage, and the security settings have two basic choices: encrypting email subjects and password time-out settings.
Overall this is a very simple webmail service. If you like easy-to-use, no-nonsense webmail with encryption that is useful to send email and nothing else, you will feel at home. I would consider this webmail service if I had a business with high employee turnover, because I would not have to train people on how to send encrypted email and employees can’t waste their time in messengers and other non-work-related features that some email services have.
This encrypted webmail service is still in beta release. At the moment it is free to use; I doubt it will be once it comes out of beta, because someone needs to pay the bills.

Hack Google Searching


  • Songs
  • javascript:Qr='';if(!Qr){void(Qr=prompt('ENTER ARTIST OR SONG NAME:',''))};if(Qr)location.href='http://www.google.com/ie?query=%22parent+directory%22+%22'+escape(Qr)+'%22+mp3+OR+wma+OR+ogg+-html+-htm&num=100&hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=active&sa=N'
  • E-book
  • javascript:Qr='';if(!Qr){void(Qr=prompt('Enter Author name OR Book name:',''))};if(Qr)location.href='http://www.google.com/ie?query=%22parent+directory%22+%22'+escape(Qr)+'%22+pdf+OR+rar+OR+zip+OR+lit+OR+djvu+OR+pdb+-html+-htm&num=100&hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=active&sa=N'
  • Image
  • javascript:Qr='';if(!Qr){void(Qr=prompt('ENTER IMAGE NAME:',''))};if(Qr)location.href='http://www.google.com/ie?query=%22parent+directory%22+%22'+escape(Qr)+'%22+jpg+OR+png+OR+bmp+-html+-htm&num=100&hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=active&sa=N'
  • Movie
  • javascript:Qr='';if(!Qr){void(Qr=prompt('ENTER MOVIE NAME:',''))};if(Qr)location.href='http://www.google.com/ie?query=%22parent+directory%22+%22'+escape(Qr)+'%22+avi+OR+mov+OR+mpg+-html+-htm&num=100&hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=active&sa=N'
  • Application
  • javascript:Qr='';if(!Qr){void(Qr=prompt('ENTER app NAME(CREATED BY 5ury4):',''))};if(Qr)location.href='http://www.google.com/ie?query=%22parent+directory%22+%22'+escape(Qr)+'%22+zip+OR+rar+OR+exe+-html+-htm&num=100&hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=active&sa=N'
  • Just copy the javascript line you want, paste it into your address bar, enter the details and enjoy!


Perfect Keylogger


 Perfect Keylogger is a new generation keylogger which is absolutely undetectable. Complex internal mechanisms are hidden from the user behind the friendly interface. Perfect Keylogger is translated into 20 languages and is increasingly popular around the world! It lets you record all keystrokes, the time they were made and the application where they were entered. It works in the absolutely stealth mode. Stealth mode means that no button or icon is present in the Task Bar, and no process title is visible in the Task Manager list. Also, Perfect Keylogger can carry out visual surveillance. It periodically makes screenshots in invisible mode and stores the compressed images on the disk so you can review them later.
Perfect Keylogger has unique remote installation feature. You can attach keylogger to any other program and send it by e-mail to install on the remote PC in the stealth mode. Then it will send keystrokes, screenshots and websites visited to you by e-mail or FTP. 
You don't have to worry about the firewall alerts - now our keylogger can be invisible for the firewall program. Our keylogger supports remote installation, update and removal - no physical access required!
New Smart Rename feature lets you to rename all keylogger's executable files and registry entries using one keyword! One of the most powerful features of Perfect Keylogger is its advanced Keyword Detection and Notification. Create a list of "on alert" words or phrases and keylogger will continually monitor keyboard typing, URLs and web pages for these words or phrases.



Features: 
• Has an intuitive interface and very easy to use, even for beginners   
• Absolutely invisible mode    
• Remote Installation / Update / Uninstallation     
• Logs texts and passwords typed in the every application, including popular instant messengers   
• Supports virtually all input languages (Unicode engine), including Japanese, Arabian, Thai, Chinese! (v.1.65)     
• Visual surveillance (screenshots)     
• Slide show for screenshots     
• Captures the passwords behind the asterisks     
• Captures button clicks     
• Captures screen information on every mouse click     
• Logs websites visited     
• Captures ICQ, Miranda, Skype, Google Talk, MSN, AIM, AOL, Yahoo, QIP chats!
• Keyword Detection and Notification     
• Records contents of password protected web pages, including Web Mail messages (using our additional software)    
• Monitors Windows Clipboard     
• Sends log by e-mail (in the stealth mode)    
• Sends screenshots by e-mail (in the stealth mode)     
• Uploads ALL logs into the separate folders by FTP (in the stealth mode)!     
• Supports renaming of the keylogger's files and registry entries     
• Monitors computer activity only when user goes online (option)     
• Can be invisible for the firewall program     
• Invisible in the Windows startup list     
• Monitors all users of the PC, even if you don't know their passwords     
• User friendly HTML file format for emailed logs     
• Invisible in Windows NT/2000/XP/Vista Task Manager and Windows 9.x/Me Task List   
• Records Windows 9.x/Me logon passwords     
• Records Windows 2000/XP logon passwords (using our additional software)    
• "Quick Install" - configure keylogger on your PC, then just run it on another PC to install     
• Intercepts DOS-box and Java-chat keystrokes    
• Installation packet fits into 3.5" floppy   
• Supports international keyboards   
• External log viewer   
• Supports printing of the log     
• Optimized for Windows XP/Vista    
• Strong encryption of the log file   
• Records keystrokes in the specified applications   
• Exports log to HTML
Perfect Keylogger for Windows 98/2000/XP/Vista and Windows 7







Free WinRar Password Recovery




Today I am going to discuss the awesome Zip Password Recovery Magic v6.1.1.169, which can easily crack zip passwords. It provides brute-force and dictionary cracking methods, and you can pause and resume a recovery job easily. All you need to do to recover your password is add your file to the operation window.




How to install Zip Password Recovery Magic v6.1.1.169?

1. Extract RAR.PW.Remover to your computer and install as normal.
2. Go to the crack folder and copy the file named “urpwdr11rc16.exe”, then go to the hard drive where you installed the program; the default folder is “Program Files/Intelore” Folder/RAR-PR. Then paste the copied crack file into this directory and accept all permission requests!



5 phases of Web Application attack - A HackingAlert Exclusive research!

Web applications are now the next big victim after games for hackers.
Recent research shows that 70% of vulnerabilities exist at the top layer of the web application.
Attackers use several techniques to hack web applications. I have been constantly monitoring different types of web attacks involving different methods, but there are some common steps which all hackers follow in order to perform their attacks on applications.







Phase 1: Silent reconnaissance
The attacker gathers as much information as possible, identifying potentially vulnerable areas of the application. This is done discreetly using tools such as Web debugging proxies to monitor the traffic between the browser and the Web server. The attacker traverses the site, much like a normal user, while collecting valuable information about how the application works. This activity goes undetected, because as far as the server is concerned, it represents the traffic of a legitimate user.
At this point, the attacker will stop interacting with the target server directly. The attacker will spend significant time reviewing the data collected by the debugging proxy and extracting useful facts about the environment. This may include the type of hardware and software in the network architecture, programming languages, libraries, source code and comments. This information will be leveraged during the later phases of the attack.



Phase 2: Attack vector establishment

This phase begins once the attacker has gained an understanding of the application design and the breadth of its attack surface. Until now, the interaction with the server has been fairly benign and undetectable, but in the next phase, things get a little louder. For this reason, the attacker will often start using an anonymous proxy to interact with the server.
The attacker may also employ other protective measures such as browser privacy controls, firewalls, antivirus and virtual machines. Once the attacker is confident that his traffic can no longer be traced, the real work can start.
With notes in hand, and a debugging proxy up and running, the attacker starts to seek out dynamic pages, especially those which accept form or query input. The attacker will then determine what the various input parameters are, and attempt to derive boundary cases for them. Boundary case values are sent to the application to provoke an unintended response from the server.

The attacker repeats this activity on all dynamic pages that he is aware of. When finished, he has a list of all the parameters that are correctly validated by the server, and more important, the parameters that are vulnerable -- they produce calculation errors, fatal errors, or are blindly injected into the response without encoding or cleansing.
The attacker tailors the boundary cases so they do not match any known attack signatures, so this activity is almost always imperceptible to server administrators. The attacker still has to remain anonymous, because many applications keep track of errors and record the addresses of the clients responsible for generating them. Because of this, administrators could discover the activity later by inspecting logs with a security tool. However, this is typically long after the attacker has moved on to the next phase.
If the attacker was able to obtain a large number of potentially vulnerable inputs, the next step is to start testing each one to see if an attack vector is possible. For example, if the attacker received an SQL error when submitting a value of "my'username" in a login form, then there is probably an SQL injection vulnerability. The attacker will start supplying more structured SQL syntax into the input in an effort to shape the resulting error.
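
The log inspection mentioned above, as an added detection example that is not part of the original article: it groups server errors by client address and flags clients whose requests produced errors across several distinct input parameters, the footprint that boundary-case probing leaves behind. The log lines are constructed (documentation address ranges), and the function name and the threshold of three parameters are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Common/combined access-log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample input, not taken from any real server.
SAMPLE_LOG = """\
198.51.100.20 - - [10/Mar/2024:09:58:12 +0000] "GET /search?q=laptops HTTP/1.1" 200 4821
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /login?user=alice HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "GET /login?user=my%27username HTTP/1.1" 500 312
203.0.113.7 - - [10/Mar/2024:10:00:09 +0000] "GET /item?id=-1 HTTP/1.1" 500 298
203.0.113.7 - - [10/Mar/2024:10:00:14 +0000] "GET /search?q=&page=99999999999 HTTP/1.1" 500 305
198.51.100.20 - - [10/Mar/2024:10:02:40 +0000] "GET /search?q=phones&page=2 HTTP/1.1" 500 305
198.51.100.20 - - [10/Mar/2024:10:02:45 +0000] "GET /search?q=phones&page=2 HTTP/1.1" 200 5033
"""


def probing_clients(log_text, min_params=3):
    """Map client IP -> sorted list of (path, parameter) pairs that appeared in
    requests answered with a 5xx status, for clients with at least `min_params`
    such pairs. One failing page is ordinary; errors spread over many different
    parameters from one address suggest systematic input probing."""
    errors = defaultdict(set)
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if match is None or int(match["status"]) < 500:
            continue
        url = urlsplit(match["target"])
        # Only query-string parameters are visible in an access log; POST bodies
        # would need application-level error logging. Every parameter of a
        # failing request is counted, since the log cannot say which one broke.
        for name, _value in parse_qsl(url.query, keep_blank_values=True):
            errors[match["ip"]].add((url.path, name))
    return {
        ip: sorted(pairs)
        for ip, pairs in errors.items()
        if len(pairs) >= min_params
    }


if __name__ == "__main__":
    for ip, pairs in probing_clients(SAMPLE_LOG).items():
        print(ip, "caused errors on", ", ".join(f"{p}?{n}" for p, n in pairs))
```
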



Phase 3: Implementation

This phase begins once the attacker has identified the vulnerabilities and their associated attack vectors. This is where the real damage starts. The scope of damage depends on the types of vulnerabilities that are exploited. For example:

• The attacker starts to mine the database for sensitive information, delete existing information, or insert new fraudulent information.

• The attacker seeds the application with malicious code by way of XSS vulnerabilities and reflected parameters.

• The attacker designs complex phishing scams that use the vulnerabilities to give the scam credibility.

The possibilities are only constrained by the potential vectors, and how they can be chained together to deliver more powerful payloads. Most of the damage has been done at this point.



Phase 4: Automation

Attacks such as input parameter abuse are often single request vectors. This means the damage happens within a single HTTP request. Sometimes, however, the execution of an attack vector provides incremental benefits each time it is performed. Generally, if the attack vector generates revenue for the attacker, the next step is to automate the attack. This enables the attacker to repeat the attack vector over and over again, multiplying the overall monetary gain.
Because the attacker must still cover his tracks in order to execute the automated attack, he will generally code the attack into a remotely controlled bot. This tactic poses serious challenges for the administrator, because even if the attack is identified, an IP-based block will no longer be sufficient. To accomplish this, attackers will often use a prefabricated "command and control" kit that allows them to quickly raise and command a bot army.




Phase 5: Maintenance

Finally the attack is complete. The hacker has extracted as much data as his experience and skill allows. He will go off and work on other projects until his automated bots start to fail. This will signal that some fundamental vulnerability in the attack vector has been patched or modified. If the attacker cares enough, he may repeat the entire process over again, focusing on the parts of the application that are essential for the bots' proper functioning. He will find a workaround for the new patch, create an entirely new attack vector, or move to a different target altogether.

These phases clearly encompass all the techniques involved in penetrating a web application. The difficulty of the attack can vary according to the sophistication of the application.




How to Prevent Email Account Password From Hackers.

This is a complete guide to protecting yourself from being hacked and securing your personal information from being leaked or used by anybody online. This guide will also help you learn several of the latest techniques that hackers use to hack email accounts and passwords. So guys, let's discuss how to protect your email account passwords from getting hacked. It's a must-read post for all online users who use email and social networking websites.
As the great saying goes, "Prevention is better than cure." So you must know how to protect yourself rather than curing things after being victimized or falling prey to these hacking attacks.








Complete Guide to prevent your Email Passwords from Hackers:
1. Don't use the links in an email, instant message, or chat to get to any web page if you suspect the message might not be authentic or you don't know the sender or user's handle. Instead, call the company on the telephone, or log onto the website directly by typing the Web address into your browser.
2. Avoid filling out forms in email messages that ask for personal financial information.
3. You should only communicate information such as credit card numbers or account information via a secure website or the telephone. Always ensure that you're using a secure website when submitting credit card or other sensitive information via your Web browser.
  • Phishers are now able to 'spoof,' or forge, BOTH the "https://" that you normally see when you're on a secure Web server AND a legitimate-looking address. You may even see both in the link of a spam email. Again, make it a habit to enter the address of any banking, shopping, auction, or financial transaction website yourself and not depend on displayed links.
  • Phishers may also forge the yellow lock you would normally see near the bottom of your screen on a secure site. The lock has usually been considered another indicator that you are on a 'safe' site. The lock, when double-clicked, displays the security certificate for the site. If you get any warnings that the address of the site you have displayed does NOT match the certificate, do not continue.
  • Remember that not all spam sites will try to show the "https://" and/or the security lock. Get in the habit of looking at the address line, too. Were you directed to PayPal? Does the address line display something different like "http://www.gotyouscammed.com/paypal/login.htm?" Be aware of where you are going.

4. Consider installing a Web browser toolbar to help protect you from known fraudulent websites. These toolbars match where you are going against lists of known phisher websites and will alert you.
Newer versions of Internet Explorer (version 7 or 8 beta) include this toolbar, as does Firefox version 4.xx or 5 beta.
5. Regularly log into your online accounts. Don't leave it for as long as a month before you check each account.

6. Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate (or legal) and done by you or under your supervision. If anything is suspicious or you don't recognize a transaction, contact your bank and all card issuers.
7. Ensure that your browser is up to date and security patches are applied.

8. Never download anything from anonymous links or links in emails or chat boxes.

9. Always avoid downloading cracks, keygens and patches, as most of these contain Trojans and malware that will leak your personal data to hackers.

10. Regularly update your antivirus and anti-spyware software so that all new viruses are detectable and can be repaired easily.

11. While installing freeware, always take precautions and don't install the additional items recommended by the software. Install only those that you know or that might be useful for you. And never install toolbars, as their code is dynamic, which means they can be used to steal your private data such as credit card details, email account information and other personal data such as your search patterns and your computer event logs.

  
A few more important things that you should always remember:

Always report "phishing" or “spoofed” e-mails to the following groups:  
  • forward the email to reportphishing@antiphishing.org  
  • forward the email to the Federal Trade Commission at spam@uce.gov  
  • forward the email to the "abuse" email address at the company that is being
    spoofed (e.g. "spoof@ebay.com")  
  • when forwarding spoofed messages, always include the entire original email with
    its original header information intact  
  • notify The Internet Crime Complaint Center of the FBI by filing a complaint on
    their website: www.ic3.gov

Some tips for choosing your passwords:
  • Choose a complex password. If you use a simple password such as "password" or "rockstar" or any dictionary word, it makes it easy for people to guess your password. This is especially true if your potential hackers are friends and family members who might try to guess. Instead, choose a password that makes use of both capital and lower case letters, numbers and special characters like the percent or dollar sign.
  • Change your password regularly. Every month, make a point of changing your password to a new complex one.

Article source: isoftdl.com

 
