Types Of Server Sides Risks?

People require high security for internet. Most of people find it convenient to manage their bank accounts and business with the help of the internet. In such situation, the web security becomes the most important field in the network security. The interactive forms are written in HTML. Users type the information and send the request to the server to store the information by the user. 

The request launches a script on the server that processes the data supplied by the user but the result may be much unexpected which raises the need for server side security. URL Manipulation, unexpected user input, cross site scripting, buffer overflows and heap overruns are all famous known server side risks. All of these risks will be explained in this article. 

1. Conventional security

Conventionally, a firewall is placed between the web server and the internet so all the HTTP traffic reaching the web server will be secured. The firewall will allow only that traffic to the web server which fulfills all the requirements of the firewall. In this way, the web server can be saved from attacks to a great extent. 

2. URL Manipulation

In URL manipulation, some parameters of URL are changed to get different results. The user id present in the URL can be manipulated to get the access of the account of any other user. If * is placed at the place of user id, one can get the list of all the members listed in the data base. Input of any user can be accessed and manipulated present on the page which is the great threat to security and privacy. If there’s a site about Medifast and Nutrisystem coupons containing personal details of different users, then you can manipulate the URL to access personal details of other users.

3.  Unexpected User Input

When the server gets the unexpected user input, crashing of the server is the best reaction. Otherwise it will provide the control of the server to the attacker. The attacker may then use the server for whatever he wants to do. He can corrupt your database, download complete database and delete your database. If you don’t have a backup, what are you going to do?

4. Cross site scripting

In cross site scripting, attackers place malicious script on the trusted host’s end. The user may download that malicious script from the trusted host without realizing that this code is dangerous for the security. Sometimes, the server displays error page but due to malicious code, it may appear as a normal login page to the user. The user will enter the required information which can be misused as it will be sent to the attacker.

5. Buffer Overflow

The attackers may launch the attacks which results in access violation, instability and code injection. It may destruct the data stored in the database, causes the malfunctioning of software and many other destructive actions could be performed.

But what’s the solution then? You need to consider a few points to overcome the server side risks. Cryptography should be used to send the whole data in the query string. On the server side, the user input should be filtered and all the characters which are used in the scripting language should be removed.

About The Author

This article is written by Saksham, he loves loves to write on health and related topics. He writes a blog on diet and weight loss program sites that offer coupon code for Medfast and coupons for Nutrisystem meals.

Auditing Weak User Accounts On UNIX System

Whenever we talk about auditing weak user accounts on UNIX or UNIX like systems the very first thought that comes to mind is using John The Ripper or L0phtCrack to audit weak passwords.
This is very big misconception among most of the people that weak user accounts only means accounts with weak passwords.
A normal user account isn't that normal if you haven't edited any of the permissions for it. So lets see how many abnormal tasks a normal user can perform if his account is not properly audited. Lets start with creation of user account.
Usually we type following command to create a normal user in UNIX or UNIX like systems.

[root@localhost~]#useradd newuser
[root@localhost~]#passwd newuser

Now what's the problem with this user creation method.

Problem number 1: This user is not member of any group.
Problem number 2: This user will have his own folder in /home directory.

If a user is in shared network environment then it is mandatory that user must be a member of some group and he/she must not have primary group of his own. By creating user by above method you have given him two powers, power to own his own group and next power of having a separate folder. Here's how you should add a user to avoid above problems.

[root@localhost~]# useradd -d /home/group_name -g group_name newuser
[root@localhost~]#passwd newuser

-d: will set default folder for user to /home/group_name
-g: will add user to group_name as primary group member

Now what might be the scope of the user we created about using and accessing disk space and memory? The answer is unlimited. That means newuser can create as many files and folders he/she wants ultimately covering up all disk-space or alternatively he/she can write or run a program that consumes lot of memory, that means if he writes and executes a program which recursively increases its stack or just able to smash its own stack then a normal user can make complete system to crash down and stand still.
And his rights to access any folder can help him hide a script or program that he/she can use to escalate privileges later to become super user without anyone noticing it.

Above problems can be solved by activating disk quota on system. According to the UNIX or Linux system you are using refer its manual to see how to activate disk quota. Once activated you can set disk quota by typing following commands,

[root@localhost~]#set quota -u newuser abc / 8000 10000 400 500

The above command will set 10000 bytes for newuser in ' / ' partition and he/she will be warned if his/her disk usage goes above 8000 bytes. At maximum he/she can create 500 files with warning on 400th file. You can replace ' / ' with directory name where you want to restrict the user.
The next problem is how to restrict user's power to use unlimited memory access? To set restrictions open “/etc/security/limits.conf” file in VI editor or any familiar editor to you. The syntax of file is quite explanatory and will differ according to the version and base kernel of your system.

Last thing that is problematic is life of account. To check it out type following command,

[root@localhost~]#chage -l newuser

Now have a look on output you'll find account expires never, password expires never, days to change password 99999. Believe it or not this is default user account setting in every UNIX and Linux system. If you are smart enough then you can easily figure out how fatal this kind of account can prove to your system if this information is not changed. To change account permissions type

[root@localhost~]change newuser


and set permissions.

There are several steps involved in auditing a UNIX or UNIX like system depending for what system is configured but auditing weak user accounts for their permissions and passwords is common task in all no matter what your motive is. I know an experienced UNIX administrator will find this article is of little help whereas new administrators will find it useful. Anyways I hope RHA readers like this post, thanks for reading, happy hacking.

About The Author

This Article is written by Nrupen Masram, Nrupen is admin of DEVIL'S BLOG ON SECURITY and this is his very first guest post on RHA. If you are are also looking forward to write a guest post on RHA, Read the guidelines here

Winners Of Facebook Hacking Course

      

Hi Friends finally the time has come, when the winners will be announced for Facebook Hacking Course, Thanks for participating in the contest, I received more entries then I expected, most of them were on our Facebook Fan Page and on the comments section

As I mentioned in the contest declaration article, that I would be only giving two copies of my new Facebook hacking course .

1. Sarwan Baloch(lifelikesarwan@hotmail.com)
2. Hamza Azam
 
So guys, take some time to congratulate contest Winners. If you're one of them, hearty congratulations to you. If you're not one of them, don't worry, there are many more contests to come

An Introduction to Keyloggers And RATS

I have just finished writing my newest book on keyloggers and RATS and the best part is that it will be free of cost, I will launch it very soon.

How To Secure Your Wordpress Blogs?

Hackers are the person like you and us but the only difference is that they use their skills for the negative and destructive purposes, they use their skills to break a website, they normally destroy all the stuff's, so if you are a admin of a website you should care about the security of the website.
 As you know that the wordpress is a common and most popular plate form for blogging, but the security of the wordpress is always a hot discussion and it need more and more concentration because vulnerability discover everyday. Below are some tips to make your blog secure:

Secure WP-Admin By IP

Let suppose if someone can get the ability(username & Password) to enter into your website WP section, you can restrict this area by your IP. It prevent brute forcing attack and only you can able to control on your website because of IP restriction.

Order deny,allow
Deny from All
Allow from 123.456.789.0
You can allow and deny IP's from a range use this:
order deny,allow deny from all # allow my home IP address allow from XX.XX.XXX.XXX # allow my work IP address allow from XX.XX.XXX.XXX


Protect WP-Config.php File

WP-Config.php file has a great importance on wordpress plate form, it need more care and usually an attacker get the required information about the database of your website from WP-Config file. Basically if you use a strong database user-name and password while your WP-Config security is low than an attacker can get your strong user-name and password from wp-config file, because it contain all the information about the security and other things of your website.

Access .htaccess file is located at the root your WordPress installation open it and paste the following code.

order allow,deny
deny from all



Hide WordPress Version Number

You must hide the version of your wordpress because an attacker may find the available exploit by searching it on different exploit database by version number and it may cause a great harm for your blog so be care about it.

This tag is in the header.php file that displays your current version of wordpress

Copy and paste the code in the functions.php file of your theme and than you are done.


remove_action('wp_head', 'wp_generator');

Remove Error Message From Login Screen 

This is your clever move to remove the error message that an attacker would not able to see if the user-name and password incorrect, update your function.php by this code.

add_filter('login_errors',create_function('$a', \"return null;\"));


Some Other Security Tips

Use your mind because mind is an essential part to secure yourself on the jungle of web.

• Create strong passwords that are not easily be guess or crack.

• Secure your own side(your computer) from different malware.

• Make regular backup of your blog.

• Update your wordpress to latest version

• Use SSH instead of FTP

• Avoid using your account on public places

• You must be ware on different attacks to secure yourself.

About The Author

This post is written by an Irfan Shaeel An Ethical hacker and Penetration tester, Irfan blogs At his blog Ehacking.net

Finding A Spoofed Website With A Javascript

Lots of people think that Javascript is an inferior language but Javascript is an extremly powerful language and those people who think the other way they either don't know how to use it or are not familiar with it's capabilities, With javascript you can do lots of cool things such as edit any page, make an image fly etc, but it is a waste of time to spend your time on making images fly with javascripts or editing a page.
Anyways coming to the main topic, did you know that javascript can be used to detect if a page is a spoofed website or phishing website or a legit one, well if you don't know just paste the following code in to the address bar and a pop up will appear telling you whether the website is original or not
Here is the Javascript code:

javascript:alert("The actual URL is:\t\t" + location.protocol + "//" + location.hostname + "/" + "\nThe address URL is:\t\t" + location.href + "\n" + "\nIf the server names do not match, this may be a spoof.");

Web Server Hacking Techniques

Lots of people know use, configure and manage their webservers but only few of them really know how to protect their web server from getting hacked i.e making it hack proof. Today lots of websites are hosted on a dedicated web servers so it's extremely important to make your web server hack proof in order to prevent any theft and data loss, Before I mention techniques used by hackers to compromise a web server and how you can protect your web server you should know what a web server is and how it works.
What is a webserver?

Basically a webserver is a single computer or more used to host websites, For a website to be available to every one (connected to internet) 24/7 it needs to be hosted on a webserver

How webservers work?

Webservers work in a simple manner, When ever you are using browser to surf any page your browser will request that particular page from the webserver and the server sends back the requested page.

 

The above picture illustrates how a webserver works.

How Are Webservers Compromised Or hacked?

There are multiple reasons why a webserver gets compromised or hacked, one of the major reason is installing the webserver with default and lack of updates and weak passwords. Once the server is compromised the hacker can use it to do malicious things online. For Example Hacked webservers can be used to as zombies to for performing a more powerful DDOS attack

Webserver Hacking Techniques

Below mentioned are some of the techniques which can be used by malicious hackers to compromise a webserver.

Orthodox Password Cracking Techniques

1. A hacker can use variety of password Cracking Techniques such as Brute force, Dictionary attacks and rainbow tables to crack weak administrator account passwords, However these attacks create huge logs of presence, so therefore smarter hackers either use a proxy or any other iP hiding method or they use already compromised systems to perform the attack.

2. Man In The Middle Attack

A hacker can also perform a man in the middle attack also known as ARP poisoning to steal credentials of administrator account.

3.  Keyloggers And Trojans

If A hacker can manage to install a trojan or a keylogger on administrator's computer then, the malicious hacker can easily capture the credentials

4. DNS Cache Poisoning Attack

If a hacker can manage to insert fake address records for a domain name into DNS server and can make the webserver accept the fake address record then the hacker or intruder can easily control your browser, This attack is extremely dangerous as it happens without the users knowledge, The topic is quite big and is not possible to explain it here, depending upon readers response I might make a seprate tutorial on this attack

There are many other techniques used by hackers such as Ftp server intrusion, social engineering, exploiting web application bugs which are probably to be explained in the upcoming posts at rha.

Hope you have enjoyed reading the post and have probably got some idea how hackers can attack your web server, In the next post I will continue the series and will introduce some methods you can use to protect your webserver from getting compromised.

Mafia war Cheats - Best kept secrets Revealed!

Are you sick of having so little energy points to complete jobs? Is this causing you to lose valuable time and you find leveling up a nightmare? Are you constantly getting beaten and bullied by other Mafia Wars players? Tired of losing battles and needing to beg people to join your Mafia?
As you know that Mafia wars is one of Top rated Facebook games.While surfing on Internet i came across a wonderful book thats is a complete guide for those who want to take their mafia war experience to the next Level.The book is named as Mafia war Blue print.

You will Learn following things in this Book:

Top Mistakes 99% of Players Always Make 
Why Millions of Players Are Building their Mafias Completely the Wrong Way! Avoid Making them at All Costs.

Create a Massive Mafia Legally Increase your Mafia to over 500+ players within 7 days!

Pimp Out your Mafia
Give your Badass Gang the Rarest, Most Powerful Weapons and Tools in the Game.

Never BEG Again
Reverse the Roles! Make the Best Players Beg you to let them Join your Mafia

Be the Bully. Fight the China vs. Taiwan Way!
How to Never Lose a Fight or Get Robbed Again and Crush all your Opposition

Stockpile your Godfather Points
Regardless of your Level,  Double your Godfather Points in One Day on Autopilot. So Easy, its Unbelievable!

Payback is a Bitch
What I Do to Exact Revenge on Any Mafia that Messes with me. They will Learn their Lesson and Leave you Alone.

Unearth the Hidden Secrets and Loopholes
Learn the Secrets which No One Wants You to Know About. Find out How to Gather and Use Your Godfather Points the Most Efficient Way

How to Master Every Level and Every Job at Top Speed
 

Bring on Cuba, Moscow and Bangkok as I Break Down Everything You need to Know About the Expansions

Endless Updates as I Prepare You For the Upcoming Asia and Western US Addition
  

And Much Much More!

The methods described in the book are completely legal and it will show you step by step method to dominate Mafia wars.So what your waiting for grab the Mafia war blueprint and start dominating Mafia wars.For download links click on the link below:

Mafia war Blueprint

Download Hakin9 Magazine For February

Hackin9 magazine is one of the popular online E-magazine available online, Hackin9 magazine contains information related to latest malware and latest vulnerabilities on the web. This month's issue is related to "Network Security" where the magazine talks about network security and hacking and latest threats related to network.

Here is the list of topics available in Hackin9 Magazine:

• Free Issue (02/2011) to Download!
• Wuala – Secure Online Storage
• A Beginners Guide to Ethical Hacking
• A Security System That Changed The World
• Get in through the backdoor: Post exploitation with Armitage
• Breaking The Code: Brute Forcing The Encryption Key
• Is Data Secure on the Password Protected Blackberry Device?
• Examine your Network With Nmap What is network Scanning?
• Network Security – Data Breaches
• What is Good Enough Coverage?
• Exploring GCIH certification for fun and employability
• Certification Smart?

You can Download Hackin9 Magazine here