Category Archives: Site Security

Hacking – A Fullstop on E-system (Page 1 of 3)

Passion or Madness: Nowadays, learning about hacking and information security has become a passion. Sometimes I cannot tell whether it is a passion or a kind of madness. It has been fuelled by news articles, media stories and the thrills that films attach to hacking. On the other hand, very few people know anything in depth about hacking and information security. So I would suggest that you do not chase this passion without adequate knowledge; sometimes it can become dangerous from a legal point of view. There is nothing wrong with gaining expertise, but you need to recognise the problems that lie behind hacking. I will return to this topic in depth later in this chapter.

Be Alert and Aware: Do you think hacking is expert-level work? Do you think information security and hacking are one and the same thing? If so, you are absolutely wrong. Many children in the 14 to 16 age group have enough knowledge to hack any website or collect important data from the internet. With the internet as such a vast source of information, performing hacking-related activities is child's play. Many hackers whose only aim is to earn money from you give seminars and workshops and mislead you with the promise, "learn hacking in an ethical way for a brilliant career". I am not going to explain it to you in that way. Instead, I would like to explain the facts positively and with a positive attitude. A teacher's task is to show students the right path, not to misguide them for personal gain. So I would suggest that, instead of going after knowledge of hacking, you learn what is genuinely an expert-level job, which in technical terms is known as information security expertise.
I hope this topic has made clear the difference between hacking (not an expert-level job) and information security (an expert-level job). So be alert to such misguidance.

Besides passion, the coin has another side. Many institutes and individuals call themselves hackers and/or information security experts. The reality of their expertise and skills is exposed to the non-technical people and victims who take training, courses, certifications, seminars and workshops with such self-proclaimed hackers or institutes, when those people realise they are not satisfied with what they have spent their time and money on. The real reason people are fooled is that those who attend such seminars, workshops and courses tend to assume that "the person or institute teaching us during the training sessions is an expert, or provides quality education, because the media has covered them, or they are a brand name in the market for this subject, or they are the author of a book". I believe in practical, official work and in tasks or actions for which the evidence lies in front of my eyes. Thus I am trying to explain to everyone: always be alert and aware, so that your hard-earned income is not wasted on such unnecessary things.

Is your website hackable? Why you need to worry (Page 1 of 3)

Apocalypse Now

Just because you think your data is safe does not mean your database of sensitive organization information has not already been cloned and is sitting elsewhere, ready to be sold to the highest bidder. To make matters worse, it has only recently been discovered that hackers are not simply selling your data; they are also selling the fact that you have vulnerabilities to others, be they hackers, industrial spies or terrorists.

It all sounds apocalyptic, doesn’t it? Well, rather than being an angel of doom, I’ll let the stats speak for themselves.

TJX Companies Inc.

TJX Companies, owners of T.J. Maxx, Marshalls, Winners, HomeGoods, A.J. Wright, and Bob's Stores, disclosed on the 17th of January this year that 40 million of their customers' credit and debit card details had been stolen. In parallel, the federal credit union SEFCU published a similar warning that the personal details of 10,000 of its customers were compromised in the attack.

Another 60 banks including Citizen Union Savings Bank and Bank of America seem to have customers whose credit and debit cards have been breached in this attack.

Ben Cammarata, Chairman and Acting Chief Executive Officer of TJX Companies, stated that the nature of the hack is not known and two computer security experts are at hand examining the problem. The warning issued by SEFCU sheds greater light and states “A fraudster may have gained access to … card information through one of those entities in the payment network, including the merchant.”

SC Magazine reports that hackers used data from the breach to purchase goods in a number of states in the US, in Hong Kong and in Sweden.

A digest of the latest developments follows:

* According to the 3WCAX-TV website, the attack is expected to cost consumers 1.5 million dollars. This article was published before lawsuits started sprouting.
* Brian Fraga of the Standard-Times reports that a class action lawsuit was filed this week in U.S. District Court (Boston) against TJX. The amount of damages sought is undisclosed. According to SC Magazine, yesterday a West Virginia resident filed another lawsuit and is suing TJX for $5 million.
* U.S. Rep. Ed Markey, D-Mass., chairman of the House Subcommittee on Telecommunications and the Internet, has called for the Federal Trade Commission to investigate the hacking, according to a report today in the Boston Globe.
* Today, the Government of Canada stated that it is launching an investigation into TJX and the data breach.
* Of note is that the hacking may have started in May 2006, while the breach was discovered only in December 2006 (and publicized in January 2007).

Universities

University systems are usually highly decentralized, which makes it hard to ensure tight security: one department may have deployed a hardened security infrastructure while others loll in lax measures, making the whole system weak.

Security – Keeping it Off the Web (Page 1 of 2)

The topic of website security is seldom brought up among non-programmers and those who may not be technically inclined, yet if you operate a website, it is an issue of substantial concern to you.

Addressed in this article is a nearly universal problem; it affects almost every PHP or CGI script I've ever seen. We won't delve too far into the technical issues: this is intended for the website owner, someone who might install the occasional PHP file or CGI script. I will assume you are not a software developer.

A general rule I like to follow when installing PHP scripts or web applications is this: if it doesn't need to be on the web, it shouldn't be there. This is obvious, but it has implications that are not always clear.

What we are mainly referring to is configuration and, to a lesser extent, program libraries and source code. It may also apply to files and other resources that are controlled through a script interface; examples are scripts that charge money for downloading files or that set up newsletters. Let's start with an example, which we'll call program.php. In our example, program.php is a database application using MySQL to store information.

For our script to do its job, it will need access to your MySQL user name and password. It may also need access to many other program files and so forth.

During installation, a control panel probably asked for your MySQL credentials; it may even have asked you to change the file permissions on a configuration file of some sort. You've probably been through this type of install process at one time or another.

What it does next is write your database password and other private information to a configuration file. This usually happens without your knowledge, and it is also where our problems begin.

Most people don't catch this right away: if the configuration file is in the same directory (or a sub-directory) as the rest of the site, it is web accessible. Quite often it is a PHP file, usually with write permissions turned on.

The .php extension does afford some degree of protection; under normal circumstances the source of these files isn't sent to a visitor's browser, but it is still unsafe.

If someone makes a slight mistake in the server configuration or a .htaccess file, it will dump the actual contents of "conf.php" to the user's web browser, complete with your database password and other private information.

As anyone who has been around web servers very long can tell you, this is a common occurrence. I’ve personally seen it happen on several occasions.

Furthermore, many web editing tools create backup files, resulting in something like config.php.BAK or perhaps config.php.tmp. Because these names no longer end in .php, the web server will happily serve them as plain text.

We now have a file ripe for hackers and other would-be intruders, giving them access to your MySQL database passwords as well as any other private information kept there.

What is most alarming is that almost every off-the-shelf web-based program exhibits this very problem in some form or another.
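A small audit helper, added here as an example and not part of the original article, that walks a document root and reports the three exposures described above: backup copies left beside scripts, PHP files that are group- or world-writable, and configuration scripts that sit inside the web root at all. The backup suffixes and configuration file names it looks for are assumptions, not anything the article specifies.

```shell
#!/bin/sh
# Added audit helper (not from the article).
# Usage: . ./audit.sh; audit_webroot /var/www/html
# Prints one finding per line and returns 0 only when nothing was found.
# Name patterns below are assumptions; adjust them to the scripts you run.
audit_webroot() {
    docroot=$1
    findings=$(
        # 1. Editor/backup leftovers (config.php.BAK, config.php.tmp, file~ ...):
        #    they no longer end in .php, so the server serves them as plain text.
        find "$docroot" -type f \( -name '*.bak' -o -name '*.BAK' -o -name '*.tmp' \
             -o -name '*.orig' -o -name '*.save' -o -name '*~' \) | sed 's/^/backup-copy /'
        # 2. Scripts writable by group (octal 020) or others (002), the state
        #    installers often leave the generated configuration file in.
        find "$docroot" -type f -name '*.php' \( -perm -020 -o -perm -002 \) \
             | sed 's/^/writable /'
        # 3. Configuration scripts kept inside the document root at all; one
        #    mis-step in the server config or .htaccess dumps them to a browser.
        find "$docroot" -type f \( -name 'conf*.php' -o -name 'settings*.php' \) \
             | sed 's/^/config-in-webroot /'
    )
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}
```

Anything it reports should be moved above the document root (and loaded from there by the script) or deleted; a clean run exits 0, so it can sit in a cron job or a deploy step.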