Killersites Community

LSW

Moderators
  • Content Count: 1,464
  • Joined
  • Last visited
  • Days Won: 17

LSW last won the day on September 11

LSW had the most liked content!

Community Reputation: 35 Excellent

1 Follower

About LSW
  • Rank: Cybersecurity Advocate

Profile Information
  • Gender: Male
  • Location: Alaska
  • Interests: Avoiding computers because they are evil.

Recent Profile Visitors: 36,810 profile views
  1. LSW

    Current Threats

    Hackers Steal Customers' Credit Cards From Newegg Electronics Retailer https://thehackernews.com/2018/09/newegg-credit-card-hack.html
  2. LSW

    Current Threats

    I do believe we have some Indian members: UIDAI’s Aadhaar Software Hacked, ID Database Compromised, Experts Confirm https://www.huffingtonpost.in/2018/09/11/uidai-s-aadhaar-software-hacked-id-database-compromised-experts-confirm_a_23522472/
  3. LSW

    Current Threats

    New Malware Combines Ransomware, Coin Mining and Botnet Features in One https://thehackernews.com/2018/09/ransomware-coinmining-botnet.html
  4. Most internet network cables are installed along the coasts. With rising sea levels, the placement of these cables needs to be moved if the internet is going to survive. https://cheddar.com/videos/the-internet-is-in-danger-of-drowning/
  5. How To Check If Your Twitter Account Has Been Hacked https://thehackernews.com/2018/09/twitter-account-hacked.html
  6. LSW

    Current Threats

    Apple Removes Several Trend Micro Apps For Collecting MacOS Users' Data https://thehackernews.com/2018/09/apple-trendmicro-macos-apps.html
  7. LSW

    Current Threats

    Beware! Unpatched Safari Browser Hack Lets Attackers Spoof URLs https://thehackernews.com/2018/09/browser-address-spoofing-vulnerability.html
  8. LSW

    Patch Tuesday Updates (Windows)

    Microsoft Issues Software Updates for 17 Critical Vulnerabilities https://thehackernews.com/2018/09/microsoft-software-updates.html
  9. That is good to hear. I am glad you found it useful. Cheers!
  10. Most of you think of cyber security as more attacks on your PCs and less an issue for web developers. You worry about keeping your PC and your data safe and worry about improving your design understanding and graphic skills. This is not a condemnation; before security and programming I was a web developer too, until 2008 or so. I saw the world this way as well. So finally, I have some fresh training under my belt on web applications, so here are my tips for you to keep your web sites and especially your client’s sites more secure. A good link for more info is http://www.webappsec.org/ as webapp security can be its own standalone job in the general world of cyber security.

      The facts: 2017 reports show that 21% of breaches were web-based attacks on sites and applications. You need not be a target, just a means to a target. As you know, you can look at your web site as a folder on a server among many other folders; that is why it is cheap unless you pay for something more. So, if we both are on a server and my folder is too hard to get into from outside, they will hack your site; once in your folder, they can laterally transfer into my folder once they are in the server. One person’s weak security is a backdoor into everyone else’s web site. By far, the most serious security vulnerability is SQL injection. There is a 37% likelihood of Information Leakage being the first thing attackers look at: data being shown that tells attackers what technology you use that they can use to get in.

      Web Sites: Predictable Resource Locations (PRL, 15%). By this we mean things common to computers, programs or even people. Attackers may just choose to enter a folder or document by typing it in, in a solid guess that it may exist:
      /admin, .config.php, /web-console, /temp, /webdav, .bak, .old, .orig, .keep, .save, standard Apache folder structure, standard PHP folder structure.

      Robots.txt is another leak many of you should know the use of at least. Theoretically robots.txt holds a list of folders you do not want web crawlers to index for search engines. I used them thinking they could not hurt even if they are ignored by many crawlers. As a hacker, I have to wonder why you are hiding the folder ~joe from search engines? Must be something interesting enough to check out. It is not protected, and they are kept in the same place with the same name, so I just have to type it in the address bar and see what folders out there you want to hide. How about Directory Indexing that can get me to the contents of folders?

      Web Servers: Consider the Response Header of web pages; it holds useful information:
      – Date/timestamp can help narrow down where your server is.
      – It will show the server – example: Server: Microsoft-IIS/7.5. Now that you know the server, you can go to the National Vulnerability Database and find vulnerabilities for that version of IIS you can use to breach it.
      – It may show for instance what version of ASP.NET you may have used, so you can find vulnerabilities for that.
      – It may show what CMS and the version, and that can be used to find vulnerabilities for that version.
      This data is there by default. You/your host must change the server settings in order to block such information.

      Verbose Error Messages (technical error messages): You have seen these, the error messages that pop up in the browser but do not really tell you where the issue is. Find one and have a good look at it. See what info it is giving away to the viewer/attacker. A typical one you are likely to see is the HTTP Status 500 error. Look at the data it is broadcasting to the attacker. It may show anything from folder structure to scripts you have running and variables and processes you are using. Again, the more info the attacker has, the easier to attack you. Ensure that you have generic error messages in production that will not share info with attackers. You can still get the data from logs, for instance.

      Keep all unneeded data off production errors, use generic error pages, have default server configuration inspected for security issues and finally, keep everything updated. The worst attacks of 2017/2018 were due to old servers or unpatched servers. 300 Error Multiple Choices: this is when a server cannot find a page and may “suggest” pages. These pages may be unknown to the attacker but have now been spotlighted by the server being helpful to the user.

      Disable support for weak cipher suites, so only strong encryption is used. You want to disable support for:
      – RC4
      – Null Ciphers
      – Export Ciphers
      – Single DES
      – Triple DES
      Use AES 128-SHA for TLS 1.0 & 1.1. Use AES 128-GCM-SHA256 for TLS 1.2.
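      The checks the post describes (stack-revealing response headers, verbose 500 pages, directory indexing, and the weak cipher suites to disable) can be run as a self-audit against your own site. The script below is an added example, not code from the post or from the Killersites forum; the two HTTP responses it inspects are constructed samples, the header and body patterns it looks for are my own choices, and the cipher-suite list uses OpenSSL-style names. It compares a leaky error page with a hardened one and flags the suites the post says to turn off.

```python
import re

# Constructed sample of a leaky response (not captured from any real host):
# a verbose HTTP 500 page with version headers and a file path in the body.
LEAKY_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Date: Tue, 18 Sep 2018 16:02:11 GMT\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Server Error in '/' Application.</h1>"
    "<p>NullReferenceException at C:\\inetpub\\wwwroot\\app\\checkout.aspx line 42</p>"
    "</body></html>"
)

# Constructed sample of the same failure after hardening: a generic error
# page with an opaque reference id, and no headers naming the stack.
HARDENED_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Date: Tue, 18 Sep 2018 16:02:11 GMT\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Something went wrong.</h1>"
    "<p>The error has been logged. Reference: 7f3a9c</p></body></html>"
)

# Headers that advertise server software, framework or CMS (often with versions).
STACK_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# Body fragments typical of verbose error pages and directory listings.
VERBOSE_ERROR_RE = re.compile(r"[A-Za-z]:\\|/var/www/|/home/\w+|Exception|Traceback|line \d+")
DIR_INDEX_RE = re.compile(r"<title>Index of /|Parent Directory", re.IGNORECASE)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit_response(raw):
    """Return human-readable leakage findings for one response (empty list if clean)."""
    status, headers, body = parse_response(raw)
    findings = []
    for name in STACK_HEADERS:
        if name in headers:
            value = headers[name]
            versioned = " (includes a version number)" if re.search(r"\d+\.\d+", value) else ""
            findings.append(f"{name} header reveals technology: {value}{versioned}")
    status_code = status.split()[1]
    if status_code.startswith("5") and VERBOSE_ERROR_RE.search(body):
        findings.append("verbose error page discloses paths, exception types or line numbers")
    if DIR_INDEX_RE.search(body):
        findings.append("directory indexing is enabled")
    return findings


# Substrings of OpenSSL cipher-suite names covering what the post says to disable:
# RC4, NULL ciphers, export-grade suites, single DES and triple DES.
WEAK_CIPHER_MARKERS = ("RC4", "NULL", "EXP-", "DES-CBC", "3DES")


def weak_ciphers(cipher_names):
    """Return the suites from an OpenSSL-style cipher list that should be disabled."""
    return [c for c in cipher_names if any(m in c.upper() for m in WEAK_CIPHER_MARKERS)]


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_response(raw) or ['no leakage found']}")
    print("weak suites:", weak_ciphers(["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA",
                                        "RC4-SHA", "NULL-SHA", "EXP-RC4-MD5",
                                        "DES-CBC-SHA", "DES-CBC3-SHA"]))
```

      To use it on a real site, feed `audit_response` the raw bytes of a response you captured from your own server (a deliberately triggered error page is the most telling) and feed `weak_ciphers` the output of the server's configured cipher list; a clean result is an empty list in both cases.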
  11. LSW

    Current Threats

    Cyber security is not just about protecting your data and files. It also includes protecting yourself. Who you are, what you do, what you like. Habits and data describing who you are as well as just data representing you like birthdays and SSNs. So we need to beware of data collected about us as much as data that is ours. Anything free like Google is collecting data about you and selling it for their own profit; that is why you get the free services. Google Secretly Tracks What You Buy Offline Using Mastercard Data https://thehackernews.com/2018/09/google-mastercard-advertising.html
  12. LSW

    Current Threats

    I must assume we have a few more Canadian types other than our favorite admin, so heads up to all our neighbors: Air Canada Suffers Data Breach — 20,000 Mobile App Users Affected https://thehackernews.com/2018/08/air-canada-data-breach.html
  13. Come on you old-timers, admit it, you missed it! It was the greatest thing since sliced bread, and you all know there are games out there that you miss that never got ported up the line. 😁 Windows 95 is now an app you can download and install on macOS, Windows, and Linux https://www.theverge.com/2018/8/23/17773180/microsoft-windows-95-app-download-features
  14. LSW

    The Issue of Net Neutrality

    Possibly a good example of the loss of Net Neutrality for those of you still not really following along with what it means. I think it is, but Verizon's claim is not without merit, I just don't buy it myself. Fire dept. rejects Verizon’s “customer support mistake” excuse for throttling. County disputes Verizon claim that throttling "has nothing to do with net neutrality." https://arstechnica.com/tech-policy/2018/08/fire-dept-rejects-verizons-customer-support-mistake-excuse-for-throttling/
  15. LSW

    Hello Everybody!!

    Good to have you, welcome on board.