Jump to content
Killersites Community


  • Content Count

  • Joined

  • Last visited

  • Days Won


Everything posted by LSW

  1. LSW

    Current Threats

    Hackers Steal Customers' Credit Cards From Newegg Electronics Retailer https://thehackernews.com/2018/09/newegg-credit-card-hack.html
  2. LSW

    Current Threats

    The following threads will be updated info on current threats to you. For now you must scroll down to find the newest until we find a better way.
  3. LSW

    Current Threats

    I do believe we have some Indian members: UIDAI’s Aadhaar Software Hacked, ID Database Compromised, Experts Confirm https://www.huffingtonpost.in/2018/09/11/uidai-s-aadhaar-software-hacked-id-database-compromised-experts-confirm_a_23522472/
  4. LSW

    Current Threats

    New Malware Combines Ransomware, Coin Mining and Botnet Features in One https://thehackernews.com/2018/09/ransomware-coinmining-botnet.html
  5. Most internet network cables are installed along the coasts. With rising sea levels, the placement of these cables needs to be moved if the internet is going to survive. https://cheddar.com/videos/the-internet-is-in-danger-of-drowning/
  6. How To Check If Your Twitter Account Has Been Hacked https://thehackernews.com/2018/09/twitter-account-hacked.html
  7. LSW

    Current Threats

    Apple Removes Several Trend Micro Apps For Collecting MacOS Users' Data https://thehackernews.com/2018/09/apple-trendmicro-macos-apps.html
  8. LSW

    Current Threats

    Beware! Unpatched Safari Browser Hack Lets Attackers Spoof URLs https://thehackernews.com/2018/09/browser-address-spoofing-vulnerability.html
  9. LSW

    Patch Tuesday Updates (Windows)

    Microsoft Issues Software Updates for 17 Critical Vulnerabilities https://thehackernews.com/2018/09/microsoft-software-updates.html
  10. For those of you who have never noticed, the second Tuesday of the month is so called "Patch Tuesday" where Microsoft pushes out it's patches and updates. I will be posting notifications here as a reminder when there are important ones released. Remember that one of the base ways to protect yourself from malware and hackers is to keep all your software and Operating System (OS) up to date.
  11. Come on you old-timers, admit it, you missed it! It was the greatest thing since sliced bread, and you all know there are games out there that you miss that never got ported up the line. 😁 Windows 95 is now an app you can download and install on macOS, Windows, and Linux https://www.theverge.com/2018/8/23/17773180/microsoft-windows-95-app-download-features
  12. That is good to hear. I am glad you found it useful. Cheers!
  13. Just an article that I thought some of you may find useful speeding up your wi-fi networks. 5 things that will slow your Wi-Fi network by NetworkWorls Magazine https://www.networkworld.com/article/3256026/lan-wan/5-things-that-will-slow-your-wi-fi-network.html
  14. Most of you think of cyber security as more attacks on your PCs and less a issue for web developers. You worry about keeping your PC and your data safe and worry about improving your design understanding and graphic skills. This is not a condemnation, before security and programming I was a web developer too until 2008 or so. I saw the world this way as well. So finally, I have some fresh training under my belt on web applications, so here are my tips for you to keep your web sites and especially your client’s sites more secure. A good link for more info is http://www.webappsec.org/ as webapp security can be its own standalone job in the general world of cyber security. The facts: 2017 reports show that 21% of breaches were web-based attacks on sites and applications. You need not be a target, just a means to a target. As you know, you can look at your web site as a folder on a server among many other folders, that is why it is cheap unless you pay for something more. So, if we both are on a sever and my folder is to hard to get into from outside, they will hack your site, one in your folder, they can laterally transfer into my folder once they are in the server. One person’s week security is a backdoor into everyone else’s web site. By far, the most serious security vulnerability is SQL injection. There is a 37% likelihood of Information Leakage being the first thing attackers look at. Data being shown that tells attackers what technology you use that they can use to get in. Web Sites: Predictable Resource Locations (PRL, 15%), by this we mean things common to computers, programs or even people. Attackers may just choose to enter a folder or document by typing it in, in a solid guess that it may exist. /admin .config.php /web-console /temp /webdav .bak .old .orig .keep .save Standard Apache folder structure Standard PHP folder structure Robots.txt is another leak many of you should know the use of at least. Theoretically robots.txt holds a list of folders you do not want web crawlers to index for search engines. I used them thinking they could not hurt even if they are ignored by many crawlers. As a hacker, I have to wonder why you are hiding the folder ~joe from search engines? Must be something interesting enough to check out. It is not protected, and they are kept in the same place with the same name, so I just have to type it in the address bar and see what folders out there that you want to hide. How about Directory Indexing that can get me to the contents of folders? Web Servers: Consider the Response Header of web pages, it holds useful information: Date/timestamp can help narrow down where your server is. It will show the server – example: Server: Microsoft-IIS/7.5. Now that you know the server, you can go to the National Vulnerabilities Database and find vulnerabilities for that version of IIS you can use to breach it. It may show for instance what version of ASP.NET you may have used so you can find vulnerabilities for that. It may show what CMS and the version and that can be used to find vulnerabilities for that version. This data is there by default. You/your host must change the server settings in order to block such information Verbose Errors Messages (technical errors messages): You have seen these, the error messages that pop up in the browser but do not really tell you where the issue is. Find one and have a good look at it. See what info it is giving away to the viewer/attacker. A typical one you are likely to see is the HTTP Status 500 error. Look at the data it is broadcasting to the attacker. It may show anything from folder structure to scripts you have running and variables and processes you are using. Again, the more info the attacker has the easier to attack you. Ensure that you have generic error messages in production that will not share info with attackers. You can still get the data from Logs for instance. Keep all un-needed data off production errors, use generic error pages, have default server configuration inspected for security issues and finally, keep everything updated. The worst attacks of 2017/2018 were due to old servers or unpatched servers. 300 Error Multiple Choices, this is when a server cannot find a page and may “suggest” pages. These pages may be unknown to the attacker but now been spotlighted by the server being helpful to the user. Disable support for weak cipher suites, so only strong encryption is used. You want to disable support for: RC4 Null Ciphers Export Ciphers Single DES Triple DES Use AES 128-SHA for TLS 1.0 & 1.1 Use AES 128-GCM-SHA256 for TLS 1.2
  15. Web Developers, much of my posting to date has covered protecting yourself. Lets talk about protecting your customer and their users. I cannot state this any stronger, Strong Passwords! If it takes little effort to break a password than the site you built can be hi-jacked to pass out malware. Database design, consider making it a tiered design. Sensitive data in a red zone, encrypted and password protected with strict access permissions. Less sensitive data in a Yellow zone that has lesser protection and more access and simple stuff in a green zone with just password protection and general permissions. If you use look-up tables that state that "2 = married with children", that is a look-up table and needs liuttle protection. But all sensitive data should be encrypted so that if adversaries do get to it... they can't read it. Be aware of SQL Injection attacks. If you allow data to be added to a website, make sure it is checked. If you allow basic comments with no security, an adversary could insert JavaScript into that comment that does really bad things. Malware Detection - Discovering Cross-Site Scripting Attacks Watering Hole Attacks. I think LastLine blog defined it rather well: "In a network watering hole attack, cybercriminals set traps in websites that their target victims are known to frequent. Often the booby-trapped websites are smaller, niche sites that tend to have limited security. These sites can include business partner sites or small websites that provide specific products, services, or information to the target company or industry. When visited, the compromised website infects the target end-users computer or device with keyloggers, ransomware, and other types of malware." The issue here is really about protecting web sites you build from being the water holes that infects your customers users. Network Security and Watering Hole Attacks As I come across tips for securing your web sites, I will expand this thread.
  16. LSW

    Current Threats

    Cyber security is not just about protecting your data and files. It also includes protecting your-self. Who you are, what you do, what you like. Habits and data describing who you are as well as just data representing you like birthdays and SSNs. SO we need to beware of data collected about us as much as data that is ours. Anything free like Google is collecting data about you and selling it for their own profit, that is why you get the free services. Google Secretly Tracks What You Buy Offline Using Mastercard Data https://thehackernews.com/2018/09/google-mastercard-advertising.html
  17. LSW

    Current Threats

    I must assume we have a few more Canadian types other than our favorite admin, so heads up to all our neighbors: Air Canada Suffers Data Breach — 20,000 Mobile App Users Affected https://thehackernews.com/2018/08/air-canada-data-breach.html
  18. From today, Google Chrome starts marking all non-HTTPS sites 'Not Secure' https://thehackernews.com/2018/07/google-chrome-not-secure.html NOTE: There are browser plugins that will force only HTTPS connections where possible by default. Good safety tool to add.
  19. LSW

    The Issue of Net Neutrality

    Possibly a good example of the loss of Net Neutrality for those of you still not really following along with what it means.I think it is, but Verizon's claim is not without merrit, I just don't buy it myself. Fire dept. rejects Verizon’s “customer support mistake” excuse for throttling County disputes Verizon claim that throttling "has nothing to do with net neutrality." https://arstechnica.com/tech-policy/2018/08/fire-dept-rejects-verizons-customer-support-mistake-excuse-for-throttling/
  20. I am posting this as I feel it is an important issue. You may not have heard of it or simply not really know what it is about. Briefly, the Net Neutrality rules state that High-speed Internet is a utility that all Americans have equal right too. My Internet has to be the same speed as yours. If this is removed, it will mean, for example, that my ISP could charge services for speed. You may watch Netflix at high-speed because they paid for it and Hulu did not so it keeps buffering and snagging etc. Another form of this is poor people get slow speed internet (remember that from the 80's?) while rich people can afford high-speed Internet. The claim is that it will make new jobs, but how often is that the fact? The truth is the ISP and others stand to make lots of money serving the richer and the poorer will get a poorer internet experience. This is coming to a vote soon. Trump wants it gone and it is an Obama legacy. Whether it is to wipe away another Obama legacy, or to increase the wealth of his big business buddies or if Trump really believes it will make new jobs, I do not believe it to be a win for the people and most people do not seem to believe so either. The Internet is now a human right and all should have equal access to it in my opinion. I cannot support ending Net Neutrality anymore than I could support censorship like the Great Firewall of China. If you are an American, read these and do your own investigation and then if you agree, sign a petition or call/write your congressional and house representatives and let them know you do not agree. The vote is before the Holidays. Burger King explains Net Neutrality The New Net Neutrality Rules (From 2016) What Net Neutrality Rules Say I'm on the FCC. Please stop us from killing net neutrality A Lump of Coal in the Internet’s Stocking: FCC Poised to Gut Net Neutrality Rules Most Americans Support the Net Neutrality Rules that Trump’s FCC Wants to Kill Investigate it yourself and make an informed decision as to if you think it will benefit the people. Just please do it soon.
  21. LSW

    Hello Everybody!!

    Good to have you, welcome on board.
  22. LSW

    Patch Tuesday Updates (Windows)

    Microsoft Releases Patches for 60 Flaws—Two Under Active Attack https://thehackernews.com/2018/08/microsoft-patch-updates.html
  23. Top web browsers 2018: Microsoft's IE and Edge shed share as Chrome gains https://www.computerworld.com/article/3199425/web-browsers/top-web-browsers-2018-microsofts-ie-and-edge-shed-share-as-chrome-gains.html
  24. Google Android P is officially called Android 9 Pie https://thehackernews.com/2018/08/android-9-pie.html
  25. LSW

    Drupal Users need to update now.

    Symfony Flaw Leaves Drupal Sites Vulnerable to Hackers - Patch Now https://thehackernews.com/2018/08/symfony-drupal-hack.html