Kinect was officially unveiled at the Electronic Entertainment Expo 2010, known as E3 2010, which is an annual trade show for the computer and video games industry. The myspace Xbox page lists November as a possible release date.

Rumors are now circulating through the web that a Slim Xbox 360 will be unveiled soon since an ad for a 360 Xbox slim model appeared at an Italian website. It is expected that Kinect would be priced at around $ 150.

To know more about Microsoft Kinect (Formally Project Natal) you check the following sources:

http://en.wikipedia.org/wiki/Kinect

http://www.redmondpie.com/microsoft-kinect-for-xbox-360/

http://www.engadget.com/2010/06/13/microsoft-kinect-gets-official

- paras

• inurl:”CgiStart?page=”
• inurl:/view.shtml
• intitle:”Live View / – AXIS
• inurl:view/view.shtml
• inurl:ViewerFrame?Mode=
• inurl:ViewerFrame?Mode=Refresh
• inurl:axis-cgi/jpg
• inurl:axis-cgi/mjpg (motion-JPEG) (disconnected)
• inurl:view/indexFrame.shtml
• inurl:view/index.shtml
• inurl:view/view.shtml
• liveapplet
• intitle:”live view” intitle:axis
• intitle:liveapplet
• allintitle:”Network Camera NetworkCamera” (disconnected)
• intitle:axis intitle:”video server”
• intitle:liveapplet inurl:LvAppl
• intitle:”EvoCam” inurl:”webcam.html”
• intitle:”Live NetSnap Cam-Server feed”
• intitle:”Live View / – AXIS”
• intitle:”Live View / – AXIS 206M”
• intitle:”Live View / – AXIS 206W”
• intitle:”Live View / – AXIS 210″
• inurl:indexFrame.shtml Axis
• inurl:”MultiCameraFrame?Mode=Motion” (disconnected)
• intitle:start inurl:cgistart
• intitle:”WJ-NT104 Main Page”
• intitle:snc-z20 inurl:home/
• intitle:snc-cs3 inurl:home/
• intitle:snc-rz30 inurl:home/
• intitle:”sony network camera snc-p1″
• intitle:”sony network camera snc-m1″
• site:.viewnetcam.com -www.viewnetcam.com
• intitle:”Toshiba Network Camera” user login
• intitle:”netcam live image” (disconnected)
• intitle:”i-Catcher Console – Web Monitor”

So happy spying.

Injection attacks can be very easy to discover and exploit, but they can also be extremely obscure. The consequences can also run the entire range of severity, from trivial to complete system compromise or destruction. In any case, the use of external calls is quite widespread, so the likelihood of a web application having a command injection flaw should be considered high.

Shell Commands

Many web applications use operating system features and external programs to perform their functions. Sendmail is probably the most frequently invoked external program, but many other programs are used as well. When a web application passes information from an HTTP request through to the command line, it must be carefully scrubbed. This also applies when opening files in the file system. Otherwise, the attacker can inject special (meta) characters, malicious commands, or command modifiers into the information and the web application will blindly pass these on to the external system for execution.

SQL

SQL injection is a particularly widespread and dangerous form of attack. To exploit a SQL injection flaw, the attacker must find a parameter that the web application passes through to a database. By carefully embedding malicious SQL commands into the content of the parameter, the attacker can trick the web application into forwarding a malicious query to the database. These attacks are not difficult to attempt and more tools are emerging that scan for these flaws. The consequences are particularly damaging, as an attacker can obtain, corrupt, or destroy database contents.

Environments Affected

Every web application environment allows the execution of external commands such as system calls, shell commands, and SQL requests. The susceptibility of an external call to command injection depends on how the call is made and the specific component that is being called, but almost all external calls can be attacked if the web application is not properly coded.

Some environment specific considerations:

• MySQL – older mysql libraries only processes one statement at a time when you pass it a query. Newer mysql libraries (e.g., mysql in PHP) will process multiple SQL commands in one query
• Oracle – most Oracle client libraries support variable binding. This is the best way to avoid SQL injection.
• Perl – check for shell injection when you open a file if the filename is derived from user input

Examples:

• A malicious parameter could modify the actions taken by a system call that normally retrieves the current user’s file to access another user’s file (e.g., by including path traversal “../” characters as part of a filename request).

• Additional commands could be tacked on to the end of a parameter that is passed to a shell script to execute an additional shell command (e.g., “; rm -r *”) along with the intended command.

• SQL queries could be modified by adding additional ‘constraints’ to a where clause (e.g., “OR 1=1″) to gain access to or modify unauthorized data.

Example:

DELETE FROM CRITICALTABLE WHERE USER=’$VAR’

where the user enters

HACKER’ OR ’1′=’1

Notice the mismatched quotes! Inserting this into the SQL statement, we’d get:

DELETE FROM CRITICALTABLE WHERE USER=’BADGUY’ OR ’1′=’1′

This would delete all the information in the critical table.

How to Determine If You Are Vulnerable

The best way to determine if you are vulnerable to command line or SQL injection attacks is to search the source code for all calls to external resources (e.g., system, exec, fork, Runtime.exec, SQL queries, or whatever the syntax is for making requests to interpreters in your environment). Note that many languages have multiple ways to run external commands. Developers should review their code and search for all places where input from an HTTP request could possibly make its way into any of these calls. You should carefully examine each of these calls to be sure that the protection steps outlined below are followed.

How to Protect Yourself

The simplest way to protect against injection is to avoid accessing external interpreters wherever possible. For many shell commands and some system calls, there are language specific libraries that perform the same functions. Using such libraries does not involve the operating system shell interpreter, and therefore avoids a large number of problems with shell commands.

• Use bind variables where ever possible. If not, escape all user variables which be used in a SQL statement or on the command line.
• In Coldfusion, use variable binding by using the CFQueryParam Tag within your CFQuery tags.
• In Perl, prepare your statements using variable binding and then pass the parameters when executing the query:
  $cursor = $db->prepare(“DELETE FROM CRITICALTABLE WHERE USER=?”);
  $cursor->execute($user);
• Use pattern matching to verify user input is an expected value. If input is not what is expected, throw an error. Error messages should be generic.  
• Turn off/control debug messages to avoid giving an attacker potentially useful information.
• Database level: Limit access to the web account that is accessing the database.  Write procedures to insert records and update data rather than give the application direct access to the tables;  Limit application to READ-only access where possible – at user level as well as database level.
• Reuse previously tested code wherever possible.

For those calls that you must still employ, such as calls to backend databases, you must carefully validate the data provided to ensure that it does not contain any malicious content. You can also structure many requests in a manner that ensures that all supplied parameters are treated as data, rather than potentially executable content. The use of stored procedures or prepared statements will provide significant protection, ensuring that supplied input is treated as data. These measures will reduce, but not completely eliminate the risk involved in these external calls. You still must always validate such input to make sure it meets the expectations of the application in question.

Another strong protection against command injection is to ensure that the web application runs with only the privileges it absolutely needs to perform its function. So you should not run the webserver as root or access a database as DBADMIN, otherwise an attacker can abuse these administrative privileges granted to the web application. Some of the J2EE environments allow the use of the Java sandbox, which can prevent the execution of system commands.

If an external command must be used, any user information that is being inserted into the command should be rigorously checked. Mechanisms should be put in place to handle any possible errors, timeouts, or blockages during the call.

All output, return codes and error codes from the call should be checked to ensure that the expected processing actually occurred. At a minimum, this will allow you to determine that something has gone wrong. Otherwise, the attack may occur and never be detected.

The OWASP Filters project is producing reusable components in several languages to help prevent many forms of injection. OWASP has also released CodeSeeker, an application level firewall.

This is the First Question that arises in our mind when we use the Proxy Servers for Surfing the Internet without revealing our Identity to Others. Here all these mindboggling questions are answered with easy to understand examples.

The exchange of information in Internet is made by the “client – server” model. A client sends a request (what files he needs) and a server sends a reply (required files). For close cooperation (full understanding) between a client and a server the client sends additional information about itself: a version and a name of an operating system, configuration of a browser (including its name and version) etc. This information can be necessary for the server in order to know which web-page should be given (open) to the client. There are different variants of web-pages for different configurations of browsers. However, as long as web-pages do not usually depend on browsers, it makes sense to hide this information from the web-server.

What your browser transmits to a web-server:

• name and a version of an operating system
• name and a version of a browser
• configuration of a browser (display resolution, color depth, java / javascript support, …)
• IP-address of a client
• Other information

The most important part of such information (and absolutely needless for a web-server) is information about IP-address. Using your IP it is possible to know about you the following:

• country where you are from
• city
• your provider?s name and e-mail
• your physical address

Information, transmitted by a client to a server is available (accessible) for a server as environment variables. Every information unit is a value of some variable. If any information unit is not transmitted, then corresponding variable will be empty (its value will be undetermined).

These are some environment variables:

REMOTE_ADDR ? IP address of a client

HTTP_VIA ? if it is not empty, then a proxy is used. Value is an address (or several addresses) of a proxy server, this variable is added by a proxy server itself if you use one.

HTTP_X_FORWARDED_FOR ? if it is not empty, then a proxy is used. Value is a real IP address of a client (your IP), this variable is also added by a proxy server if you use one.

HTTP_ACCEPT_LANGUAGE ? what language is used in browser (what language a page should be displayed in)

HTTP_USER_AGENT ? so called “a user?s agent”. For all browsers this is Mozilla. Furthermore, browser?s name and version (e.g. MSIE 5.5) and an operating system (e.g. Windows 98) is also mentioned here.

HTTP_HOST ? is a web server?s name

This is a small part of environment variables. In fact there are much more of them (DOCUMENT_ROOT, HTTP_ACCEPT_ENCODING, HTTP_CACHE_CONTROL, HTTP_CONNECTION, SERVER_ADDR, SERVER_SOFTWARE, SERVER_PROTOCOL, …). Their quantity can depend on settings of both a server and a client.
[eminimall]
These are examples of variable values:

REMOTE_ADDR = 194.85.1.1
HTTP_ACCEPT_LANGUAGE = ru
HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
HTTP_HOST = www.webserver.ru
HTTP_VIA = 194.85.1.1 (Squid/2.4.STABLE7)
HTTP_X_FORWARDED_FOR = 194.115.5.5

Anonymity at work in Internet is determined by what environment variables “hide” from a web-server.

If a proxy server is not used, then environment variables look in the following way:

REMOTE_ADDR = your IP
HTTP_VIA = not determined
HTTP_X_FORWARDED_FOR = not determined

According to how environment variables “hided” by proxy servers, there are several types of proxies
Transparent Proxies

They do not hide information about your IP address:

REMOTE_ADDR = proxy IP
HTTP_VIA = proxy IP
HTTP_X_FORWARDED_FOR = your IP

The function of such proxy servers is not the improvement of your anonymity in Internet. Their purpose is information cashing, organization of joint access to Internet of several computers, etc.
Anonymous Proxies

All proxy servers, that hide a client?s IP address in any way are called anonymous proxies

Simple Anonymous Proxies

These proxy servers do not hide a fact that a proxy is used, however they replace your IP with its own:
REMOTE_ADDR = proxy IP
HTTP_VIA = proxy IP
HTTP_X_FORWARDED_FOR = proxy IP

These proxies are the most widespread among other anonymous proxy servers.

Distorting Proxies

As well as simple anonymous proxy servers these proxies do not hide the fact that a proxy server is used. However a client?s IP address (your IP address) is replaced with another (arbitrary, random) IP:

REMOTE_ADDR = proxy IP
HTTP_VIA = proxy IP
HTTP_X_FORWARDED_FOR = random IP address
High Anonymity Proxies

These proxy servers are also called “high anonymity proxy”. In contrast to other types of anonymity proxy servers they hide a fact of using a proxy:

REMOTE_ADDR = proxy IP
HTTP_VIA = not determined
HTTP_X_FORWARDED_FOR = not determined

That means that values of variables are the same as if proxy is not used, with the exception of one very important thing ? proxy IP is used instead of your IP address.
Summary

Depending on purposes there are transparent and anonymity proxies. However, remember, using proxy servers you hide only your IP from a web-server, but other information (about browser configuration) is accessible!

If you still have any Question about proxies you can post your queries as a comment and I will try to answer them as quickly as possible or you can use the Contact Us form and ask me directly.