I’ve found an awesome website that will help you secure your PHP/MySQL website by letting you break his! Teach Me SQL Injection gives you the opportunity to hack into a typical, deliberately vulnerable, website.

From the website:

Today I’ve given a SQL injection class at the VU University in Amsterdam. I’ve created a website that is vulnerable to SQL injection and I wanted to share this demo/assignment with you. Note that I’ve turned off magic_quotes_gpc to make life a little easier. The assignment is to find out my age. Whenever somebody has deleted the records in the database you can reset it. One hint: it runs on a PHP5/MySQL5 environment.

Application: http://server.maussoft.com/~sqlinject/list.php

Reset DB: http://server.maussoft.com/~sqlinject/reset.php

Can you hack this application? Try to do it without looking at the source code. Prove it and post a URL in the comments that injects SQL in such a way that the application shows my age. For the pros: try to do the same on safe1_view.php, safe2_view.php and insert.html/insert.php. If you can do the same on safe3_view.php or safe4_view.php you are officially 1337 in my book…

Give it a shot!  You might be amazed with what you learn!
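To show the class of bug the assignment is built around, here is an added example that is not the demo site's code (that site is PHP/MySQL and its source is deliberately not shown). It uses Python with an in-memory SQLite table; the `people` table, its columns, the names and ages, and the payload are all constructed for this illustration. The vulnerable function splices the user's string straight into the query, exactly what an unescaped `$_GET` value does with magic_quotes_gpc off, and the payload pulls the hidden age column out through the one column the page displays:

```python
import sqlite3

# Constructed demo schema, not the Maussoft site's: the page only ever shows
# the name column, and the age column is what the attacker is after.
SCHEMA = """
CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT, age INTEGER);
INSERT INTO people VALUES (1, 'alice', 34), (2, 'bob', 41);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def list_names_vulnerable(conn, search):
    # Mirrors the classic "SELECT ... WHERE name = '$_GET[q]'" pattern:
    # the user-controlled string becomes part of the SQL text itself.
    sql = f"SELECT name FROM people WHERE name = '{search}'"
    return [row[0] for row in conn.execute(sql)]

def list_names_safe(conn, search):
    # Parameterised query: the value travels separately from the SQL text,
    # so a quote inside `search` can never terminate the string literal.
    rows = conn.execute("SELECT name FROM people WHERE name = ?", (search,))
    return [row[0] for row in rows]

# Closes the quoted literal, UNIONs the age column into the displayed column,
# and comments out the closing quote the application appends.
PAYLOAD = "x' UNION SELECT age FROM people WHERE name = 'alice' -- "

if __name__ == "__main__":
    db = open_db()
    print("vulnerable:", list_names_vulnerable(db, PAYLOAD))  # leaks the age
    print("safe:      ", list_names_safe(db, PAYLOAD))        # matches nothing
```

The same payload against the parameterised version simply searches for a person literally named `x' UNION SELECT ...` and returns nothing, which is the whole fix: keep data out of the SQL text rather than trying to escape it.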

[Codingspace.org » Teach me SQL injection]

Similar Posts:

If you found this post useful, why don't you buy me a cup of coffee to show your gratitude?

I recently found How to Firewall Your WordPress Blog to be useful. From the website:

You already know to use a decent password for your blog, but brute-force or dictionary attacks aren’t the only attacks used against bloggers. It’s much cheaper and faster to exploit software flaws, and that the hackers do. A programmer’s oversight may allow a hacker to gain access to your blog to insert spyware, adware, or links to various pharmaceuticals you’d prefer not to speak about in front of your mother.

And it’s not just WordPress proper. WordPress has caught some major criticism for its security holes — but lately it’s been a bunch of insecure plugins, not WordPress itself. Matt Mullenweg counters the argument that WordPress is insecure over here. I think he’s totally right — WordPress has a rich “plugin ecosystem” that no other blogging platform can touch.

However, the problem remains. WordPress has some great plugins that are written by people with the best of intentions — but who may not understand the importance of sanitizing data provided by untrusted users, and its relationship with security. Upgrading often, setting permissions, using good passwords, etc. — that all helps a lot — but unless you have the time and ability to painstakingly audit all program code for security vulnerabilities, you’d be best off running one of the WordPress firewalls —

Great! Yet another thing that needs to be done! But it would be well worth tackling!

[How to Firewall Your WordPress Blog]




All you need to do is perform a Google search for terms like “twitter tool” or “twitter apps” to find a multitude of different ways people are molding and shaping Twitter into whatever they want it to be. This is, in part, due to its very open API.

Here is the problem that I am seeing. In order for developers to do the “really cool” stuff with the API, they need to authenticate against the Twitter servers. In order to do that, they ask you for your username and password so that they can pass it on to the Twitter servers!

Let me be very clear here.  This is providing these people, whomever they may be, with complete and unfettered access to your Twitter account!  This means not only can they do all those cool whizbang things that they promise you they can do, they can also:

  • impersonate you
  • submit tweets to your account
  • start sending twitter spam from your account
  • lock you out of your account
  • vandalize your account

Not only is this information being handed to the developers of these tools, but many of these sites are not very secure either. It is not uncommon for them to have no SSL at all, so your username and password travel over the Internet in clear text, where anyone with a sniffer on the path can read them!

I know that some of this may sound paranoid, but with the first Twitter lawsuit being filed last month, it is important that you be very careful with this information. Not to mention, Twitter accounts are becoming a valuable commodity that needs to be protected just like you protect the PIN for your bank account or the password to your e-mail account. You wouldn’t give those out, so why would you give out your Twitter password?

Here are some tips to help you keep your twitter account safe:

  1. Make sure all the online Twitter apps that you use are SSL encrypted
  2. If you do decide that you are willing to submit your password online, read the terms of service to ensure that the password is never stored anywhere on their servers and that the communication between their servers and the Twitter servers is encrypted
  3. Change your Twitter password frequently
  4. Try to use Twitter tools that are desktop, not web, based as much as possible
  5. Monitor your tweets and make sure that they are your tweets
  6. Create a unique icon so that it is easy to find among all the other tweeters
  7. If your account is compromised, report it to Twitter immediately
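To make tip 1 concrete, here is an added example (not code from the post or from any Twitter tool) of what a sniffer on the path sees when a web app relays your login over plain HTTP. It assumes the app forwards the credentials with HTTP Basic authentication; the post only says the password is passed on, so that mechanism is an assumption. The captured request is constructed inline; the point is that Basic auth merely base64-encodes `user:password`, which anyone can reverse, so only the transport (SSL) protects it:

```python
import base64
from urllib.parse import urlsplit

def basic_auth_header(user, password):
    """Header a client sends for HTTP Basic authentication (encoding, not encryption)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"

# Constructed request standing in for a packet capture of a web app relaying a
# user's login to the API over plain HTTP. Hostname and credentials are made up.
CAPTURED_REQUEST = (
    "GET /statuses/friends_timeline.json HTTP/1.1\r\n"
    "Host: twitter.example\r\n"
    + basic_auth_header("exampleuser", "hunter2") + "\r\n"
    "\r\n"
)

def credentials_from_capture(raw):
    """What a sniffer recovers: (user, password) from a cleartext request, or None."""
    head, _, _body = raw.partition("\r\n\r\n")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() == "basic":
            user, _, password = base64.b64decode(token).decode().partition(":")
            return user, password
    return None

def uses_tls(url):
    """Tip 1: only hand a password to a login page served over https."""
    return urlsplit(url).scheme.lower() == "https"

if __name__ == "__main__":
    print("recovered from the wire:", credentials_from_capture(CAPTURED_REQUEST))
    for url in ("http://twitterapp.example/login", "https://twitterapp.example/login"):
        print(url, "->", "ok" if uses_tls(url) else "password would be sent in clear text")
```

Note that SSL between your browser and the app only covers the first hop; tip 2 in the list above matters precisely because the app's own connection to the API is a second hop you cannot see.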


Everyone is in full Chicken Little mode these days with April 1 just around the corner and the Conficker worm poised to bring down civilization. Not since Y2K have I seen so much panic about a computer-related issue. So, to help everyone out, I thought that I would let you know how you can protect yourself from Conficker.

  1. Install the Microsoft patch - A patch for the vulnerability the worm exploits (MS08-067) has been available since October ’08. Make sure the patch is installed on your system.
  2. Update your antivirus software - Make sure that you have the latest version of your antivirus software and that the latest virus signatures are installed. If you do not have antivirus on your computer, may I suggest Avast?
  3. Remove the worm from your system - F-Secure has a free tool that will remove it from your computer to make sure you are not part of the robot army (botnet)! Or you can use the Microsoft version of the tool.
  4. Block the worm - I have created a HOSTS file update that can be added to the end of your HOSTS file to block the majority of the websites that the worm is attempting to connect to (thanks to F-Secure for the original file that I modified). This can also be done from your DNS server if you are running a corporate network.
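Step 4 is easy to get wrong by hand (duplicate lines, mixed case, a trailing dot, a line that is not a hostname at all), so here is an added example, not the author's HOSTS update, that merges a domain blocklist into an existing HOSTS file idempotently. Both the starting file and the blocklist are constructed for the example; the real worm domains from the F-Secure-derived list are not reproduced here:

```python
import re

# RFC 1123 style hostname check, lower-case only because we fold case first.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$")

# Constructed starting HOSTS content, not the author's file.
EXISTING_HOSTS = "# Local hosts\n127.0.0.1 localhost\n0.0.0.0 already-blocked.test\n"

# Constructed stand-in for the downloaded blocklist: note the duplicate, the
# mixed case, the trailing dot and the junk entry a hand-edit would let through.
BLOCKLIST = ["bad-one.test", "Bad-Two.test.", "already-blocked.test",
             "bad-one.test", "not a hostname"]

def parse_hosts(text):
    """Hostnames already mapped in a HOSTS file (comments ignored, case-folded)."""
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        names.update(f.lower() for f in fields[1:])   # fields[0] is the address
    return names

def merge_blocklist(hosts_text, domains, sink="0.0.0.0"):
    """Return (new_text, added). Appends one sink entry per new valid domain;
    running it again with the same list adds nothing, so it is safe to re-run
    whenever the blocklist is refreshed."""
    known = parse_hosts(hosts_text)
    added = []
    for raw in domains:
        name = raw.strip().lower().rstrip(".")
        if name in known or not HOSTNAME_RE.match(name):
            continue
        known.add(name)
        added.append(name)
    if not added:
        return hosts_text, added
    if hosts_text and not hosts_text.endswith("\n"):
        hosts_text += "\n"
    entries = "".join(f"{sink} {name}\n" for name in added)
    return hosts_text + "# Conficker block list\n" + entries, added

if __name__ == "__main__":
    merged, new = merge_blocklist(EXISTING_HOSTS, BLOCKLIST)
    print("added:", new)
    print(merged)
```

On Windows the file lives at `%SystemRoot%\System32\drivers\etc\hosts` (`/etc/hosts` elsewhere) and needs administrator rights to write. Using `0.0.0.0` as the sink, rather than `127.0.0.1`, makes blocked connections fail immediately instead of being sent to whatever happens to listen on the local machine. A HOSTS entry only stops lookups of the exact names listed; it does not clean an infected machine, which is why step 3 still applies.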

More Information

You can get more information about this worm at the following websites:

P.S. If you are interested in doing a bit of manhunting, Microsoft is apparently offering a reward of $250,000 for information leading to the capture of whoever wrote this worm!

P.P.S. How many Linux and Mac users are stressed about this?  That’s what I thought!



According to jimmyr.com, here are the 16 most common kinds of passwords:

  1. 123456, 123, 123123, 01234, 2468, 987654, etc.
  2. 123abc, abc123, 246abc
  3. First name
  4. Favorite band
  5. Favorite song
  6. First letter of given name followed by surname
  7. qwerty, asdf, and other keyboard rolls
  8. Favorite cartoon or movie character
  9. Favorite sport, or sports star
  10. Country of origin
  11. City of origin
  12. All numbers
  13. Some word in the dictionary
  14. Two dictionary words combined
  15. Any of the above spelled backwards
  16. aaa, eee, llll, 999999, and other repeated characters

Jimmy has also gotten his hands on a number of password lists and performed an analysis of the most common passwords.  A very interesting read.
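As an added example, not from jimmyr.com or the original post, here is a Python checker that flags a candidate password against the patterns in the list above. The tiny `DICTIONARY` is a constructed stand-in for a real wordlist, and the personal items (first name, surname, favourite band, city and so on) must be supplied by the caller, since they cannot come from any generic list. Stripping leading and trailing digits before testing catches the common `monkey1` variant, and every check is repeated on the reversed string to cover item 15:

```python
import string

# Constructed stand-in for a real wordlist; load a full dictionary in practice.
DICTIONARY = {"password", "monkey", "dragon", "football", "letmein",
              "sunshine", "batman", "canada", "toronto", "super", "man"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

def _stepped(s):
    """Runs with a constant non-zero step: 123456, 987654, 2468, abcdef."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(s) >= 3 and len(steps) == 1 and 0 not in steps

def _keyboard_roll(s):
    return len(s) >= 3 and any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)

def _repeated(s):
    return len(s) >= 3 and len(set(s)) == 1

def _two_words(s):
    return any(s[:i] in DICTIONARY and s[i:] in DICTIONARY
               for i in range(2, len(s) - 1))

def _personal(s, names):
    # Name, band, song, team, country, city, ... as supplied by the caller,
    # plus the "first initial + surname" form (jsmith) when two names are given.
    initial_surname = len(names) >= 2 and names[0] and s == names[0][0] + names[1]
    return s in names or bool(initial_surname)

def weak_patterns(password, personal=()):
    """Labels of the listed patterns the password matches; [] means none matched."""
    names = [p.lower() for p in personal]
    pw = password.lower()
    core = pw.strip(string.digits)          # 'monkey1' is still 'monkey'
    checks = (
        ("constant-step run", _stepped),
        ("keyboard roll", _keyboard_roll),
        ("repeated character", _repeated),
        ("all digits", str.isdigit),
        ("dictionary word", DICTIONARY.__contains__),
        ("two dictionary words", _two_words),
        ("personal info", lambda s: _personal(s, names)),
    )
    hits = []
    for label, test in checks:
        candidates = ((pw, ""), (core, ""), (pw[::-1], " (reversed)"), (core[::-1], " (reversed)"))
        for candidate, note in candidates:
            if candidate and test(candidate):
                hits.append(label + note)
                break
    return hits

if __name__ == "__main__":
    for pw in ("123456", "Monkey1", "qwerty", "drowssap", "superman", "Tr0ub4dor&3"):
        print(f"{pw:14} -> {weak_patterns(pw, personal=('John', 'Smith'))}")
```

An empty result does not make a password strong; it only means it avoids the sixteen habits above, which is the bar an attacker's first wordlist pass is set at.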


