Username and Passwords

Passwords are stronger at 8 characters, so keep that as a minimum. These are 4 simple methods that anyone can follow to create easy to remember strong passwords.

Never be specific

Even student developers are smart enough to just put up a unsuccessful login sign like

• ‘Incorrect password / username’
• ‘Unsuccessful login attempt’

Never give out clues or leads that will help intruders like

• ‘Password is missing one letter’
• ‘Username is not found’

Hiding Errors Messages

Placing @ in front of many of PHP function calls will stop any failure message from showing in the browser window. The ampersand symbol becomes useful when database calls are made during database downtime. This will keep the website looking professional while reducing feedback to intruders.

Encrypt passwords in user account table

Even if the intruder is successful in gaining access to the table, they should only be able to see logins and not passwords. Encrypt all passwords in the table to hold an SHA-1 encrypted string before you compare the user input password to the one stored in the database.

• Example Code
  $encrypted = sha1($password);
• Example database data
  Username : rangit
  Password : d0be2dc421be4fcd0172e5afceea3970e2f3d940

Keep a log of all user activities

Log the total number of logins for each user, as well as the data/time of their last login.

Remove ALL backslashes

Prevent your code from breaking unexpectedly by using ready made PHP functions like strip_tags(), str_replace() and stripslashes().

• Example code
  $login = @strip_tags($login);
  $login = @stripslashes($login);

Use ‘maxlength’ in forms

Limit the user to the allocated input size.

Importance of referrer

Make login scripts to check HTTP_REFERER to see that the request came from the same server. This security measure will stop simple spam bots and amateur attackers.

Use $_POST not $_REQUEST

If your HTML form uses POST to send the data to the login script, then make sure your login script gets the input data using $_POST and not $_REQUEST to prevent someone to pass data via GET, on the end of the URL string.

SSL Encryption (https)

If you think the website deserves the best of data privacy, purchase an SSL certificate to encrypt the pages.

Limit user access according roles

This is one of the most important method to prevent SQL injetions. Classify groups and distribute features and functionality based on roles. For example

• Cashers can only enter in sales, and not delete it
• HR personals should only see employee information, and not the financial data

eioba
Intelligent articles database

Severe Threat – Spywares from this group is the most dangerous of all. They log user keystrokes, which means everything that the person types is gathered. Imagine yourself typing ‘paypal.com’. Surely the next thing that is logged would be the username and password. Imagine the pain for losing all the money in paypal. 15 out of 100 computers infected belong here.

Moderate Threat – Installed programs, internal IP address, OS version, the existence and versions of service packs and security updates and TCP ports the spyware is listening to are some of the data sent across. Though it is less risky that the severe threat group, it’s still bad. It’s like having spycams around the house. 25 out of 100 computers infected are in this group.

Minor Threat – commercial-value information about the end user’s browsing habits are collected. This is like a supermarket installing a spycam in your kitchen, to know what you have and don’t have, so that they can knock on your door and present you with the right stuff that you are missing, with the likelihood of you buying it. 60 out of 100 infected computers lie in this group.

Spywares not only steal personal information, they also :

• consumes resources on your PC which disrupts workflow.
• causes PC crashes
• interferes with the web browser, slowing it down and causing downloads to fail. It can even hijack the browser to redirect you to sites containing unwanted contents.
• annoy you with annoying popup ads that fit your preferences from the information gathered.
• costs you money if your internet service provider charge you by the hour.

Here are 15 commonly used programs distributed with spyware. Seriously, be very careful.

1. Bonzi Buddy
2. Dope Wars
3. ErrorGuard
4. Grokster
5. Kazaa
6. Morpheus
7. RadLight
8. WeatherBug
9. EDonkey2000
10. Sony’s Extended Copy Protection involved the installation of spyware from audio compact discs through autorun. This practice sparked considerable controversy when it was discovered.
11. WildTangent
12. AOL Instant Messenger – it is still bundled with Viewpoint Media Player and WildTangent
13. DivX – prior to version 5.2
14. LimeWire – prior to version 3.9.3
15. FlashGet – before being converted to freeware

Do you know that spyware removal tools won’t remove spywares that are bundled with non-spyware programs? The reason is because there is a clause in the terms and conditions which prevents them from being removed, unless the non-spyware program is removed together with it. I believe 99% of us don’t read the t&c. I don’t. I’ll just keep clicking next until the installation is finished.

Ad-aware and Spybot are the 2 most reliable FREE anti spyware that I have tried so far. They have been doing their job well. I’d recommend those 2, if you haven’t got any.

Computer Security Software Reviews
Are you infected with spyware?

That is according to ScanSafe’s Global Threat Report on February 2007. Unproductive simply means that the sites visited are not in line with the work of the company. Unproductive sites include :

• online chat
• gambling
• music
• porn
• dating & relationships
• webmail

During sporting events like the Super Bowl and World Cup, gambling and sporting sites will top the list. ScanSafe saw a traffic increase of 77% in US based request to gambling and sporting sites during the week before Super Bowl.

The highly unnecessary internet usage risks the company to exposure of :

• legal liability
• disclosure of confidential information
• breaches of compliance requirements
• unnecessary bandwidth consumption

Did you know that MSN is the most threatened IM in the world? and it has been the No.1 since February 2006. A total of 54% of unique threats were blocked for MSN while 21% went to Yahoo.

ScanSafe
Web security as a service

Trace Any IP Address In The World
See a satellite image of the place in the world it comes from

Hackers, Hackers. Dangerous as hell, once you have something of value to them. They could be colleague, classmate, or even a lover. If you use Gmail, Yahoo!, MSN Messenger or you are active in forums, you’re at risk if you use weak passwords. If you use Adsense, Paypal and do online banking, you gotta come up with even stronger passwords.

Sometimes, you do come up with strong passwords, using unfamiliar random characters that are hard to break but also hard to remember at the same time. I have a friend who once kept his ATM Machine password in his wallet. How dumb is that? One fine day, he lost not only his wallet, but also $3000 (withdrawal limit for a day) from his bank. Nothing in the world could be done. In this case, even the bank’s cctv was useless.

A lot of sites that I googled suggested recording passwords on paper or storing it in password managers. That’s dumb cause the password manager will ask you for a password as well. Don’t you think you’d have to come up with an easier key password for the password manager so that you don’t forget? Imagine if you depended on it, and you lost your key password. Imagine if someone managed to break into your password manager. Imagine the loss. Imagine the sadness. There’s no safer place in this world to keep our passwords than the brain.

So here’s my method of coming up with super strong and easy to remember passwords.

Standardization And Uniformity

I suggest using all 3 character types below:

• Alphabets : abc … z
• Numbers : 012 … 9
• Mathematical Symbols : +-*/

Why just these 3? Cause some websites don’t allow spaces, @#$%^&* symbols, or even differentiate upper or lower cases. Let’s just keep it standard by using small case alphabets, numbers and basic maths symbols. This way, we keep our passwords uniformed and easy to remember.

Objects Around You

You can use tvs, flowers, soft toys, computers, tupperware, handphones, anything that you will come across everyday is most suitable. In this case, let me use my house’s toilet. In my house there are 3 toilets. And the toilet bowl and flush tank of all 3 are made by Armitage Shanks of UK.

Arranging And Combining

Think of ways to include alphabets, numbers and the math symbols together. For example,

• 3-armitage-shanks
• armitage-shanks-of-uk/3
• 2+1-very-smelly-toilets (I have 2 toilets upstairs and 1 downstairs)

That’s it. The 3 examples above are very very strong. Very, indeed. And I bet you can remember it easily. No writing down in paper, no keeping it in your computer. If you’re still not satisfied with the 3 steps above, here’s a fourth step, just for you.

Remove The Vowels

• 3-rmtg-shnks
• rmtg-shnks-f-k/3
• 2+1-vr-smll-tlts

Now it’s really much stronger! And you will still remember it really easily. Really.

Last but not least, check your password’s strength at Microsoft’s Password Checker. If passwords you own that guard important stuff is labeled as ‘weak’ or ‘medium’, change them immediately. Start making yourself easy to remember strong passwords. =)

Microsoft Password Checker
Check your password’s strength

According to WhiteHat Security’s statistics, there is a 20% likelihood that 8 out of 10 websites have a vulnerability in the area of SQL Injections.

Keeping It Clean

For example, it is important to make sure that users insert only codes that have these characters in the email field :

• abcdefghijklmnopqrstuvwxyz
  ABCDEFGHIJKLMNOPQRSTUVWXYZ
  0123456789
  @.-_+

Quotes Quotes Quotes

Many database interface languages caters to the need of safe-quoting text. For example, MySQL uses 2 functions to ‘string quote’ and to ‘string parse’ :

• mysql_real_escape_string() adds backslashes in front of all the quotation marks.
• stripslashes() removes backslashes in front of the quotation marks.

Bounding Parameters

• Insecure

Statement s = connection.createStatement();
ResultSet rs = s.executeQuery(“SELECT email FROM member WHERE name = ” + formField); // *boom*

• Secure

PreparedStatement ps = connection.prepareStatement(“SELECT email FROM member WHERE name = ?”);
ps.setString(1, formField);
ResultSet rs = ps.executeQuery();

Above is an example of bound parameters in Java. Neither quotes, semicolons, backslashes nor SQL comment notations are able to corrupt the string because it’s been turned into data. Bounding parameters is one of the most important step anyone can take to truly secure the database from injection attacks.

Rights Management

Web applications should use connections to the database with as little rights as possible. Web applications should start with only 1 type of access which is query access to members table. This method eliminates the possibility of using the ‘UPDATE’ statement to taint the database. Let rights access be progressive, like allowing more flexibility only after a successful user validation.

Making Use Of Stored Procedures

As long as the interface on the stored procedure stays the same, the table structure can change with no consequence to the application that is using the database. This layer of abstraction is like an extra barrier because table permission is implicitly set. By only allowing database modifications through stored procedures, tables are safe from exposure to external applications.

Separating TRUSTED and UNTRUSTED networks

A DMZ is a computer network that is accessible from two other computer networks that have no direct contact with each other. Often, one of these networks is the Internet and the other is a local, internal network. Having a web server with very, very little access in a DMZ prevents total control of all networks, even if one manages to take full control of the machine.

SQL Injection Attacks
Useful tips on SQL injection attacks

• find interesting directories and files on the web site
• look for sample scripts that can be abused
• find known vulnerabilities in the web server implementation itself

So I tested it out in rangit.com and found around 30 light vulnerabilities. I was a bit shocked to find such a list. Really. There were a few requests that hackers can use to execute SQL Injections. Scary but REAL. Remember, with this tool you can scan any website for their vulnerabilities. Here’s a screenshot of mine.

To use Wikto you need to get 2 other things.

1. WinHTTrack
2. HTTprint

After successfully installing all 3 softwares, go to Wikto’s ‘SystemConfig’ tab. There are 4 important things to configure for Wikto to work.

HTTrack

Locate the HTTrack folder and point to the file ‘httrack.exe’ in your program files.

Cache

Create a new folder for storing data. I created one in C: and named it ‘Temp’. After creating, point to it.

HTTPrint

Locate HTTPrint folder and point to the file called ‘win32′.

NiktoDB

Click on the button and download the latest database for scanning. This is essential for first timers.

After that, go to the ‘Wikto’ tab and enter a website. Click ‘Start Wikto’. Basic tests commands will be carried out from NiktoDB. Watch the scanned vulnerabilities appear one by one.

The solution would be to talk to your web host about the scan results. Show what you’ve found and and see what your web host says.

Sensepost Wikto
Web server assessment tool

Configure Windows so that it displays all file extensions, including those of known file types. Note that even with this option set, Windows will still hide the extensions of a few select file types, such as .shs and .pif. To circumvent this, you can delete all occurrences of the string “NeverShowExt” (without the quotes) in the registry using regedit.exe. Be very cautious when you edit the registry! Do it only if you know what you are doing!

Most Windows versions come with the Windows Scripting Host (WSH), which allows for execution of VBS (Visual Basic Script) and JS (JScript) files. These files can contain malicious code.

You can prevent the accidental execution of script based malware by setting the default action for VBS/VBE and JS/JSE to “Edit”, so that such files will be opened in Notepad. If case you really want to run such a file, then you will still be able to right-click on it and select “Open”.

If you are not on a LAN (local area network), disable file and printer sharing in the Network options of the Control Panel. If you need to have file and printer sharing enabled, make sure that you are sharing only the items that really need to be shared. Never share entire drives or important folders like the Windows folder, and do not allow write access unless you have to. It’s also of paramount importance to set strong passwords for the shares. Passwords should be as long as possible and consist of a mix of letters, numbers, punctuation signs, etc.

Take a look at PC Flank.

7. Preserving your privacy

Never, ever :

• use the “Unsubscribe” feature of spam emails or reply to spam mails because by doing so, you confirm the validity of your email address and the spammer can keep on sending you unsolicited commercial email, which you probably don’t want.
• The proper way to deal with spam is to delete it and, if you wish to do so, complain about it to the sender’s Internet Service Provider (you need to analyze the message headers to determine the ISP, do not rely on the sender’s alleged email address which is probably forged or fake in most cases).
• select the option on web browsers for storing or retaining user name and password.
• disclose personal, financial, or credit card information to little-known or suspect web sites.
• use a computer or a device that cannot be fully trusted.
• use public or Internet café computers to access online financial services accounts or perform financial transactions.

8. Be careful with extensions

Pay attention to files with multiple extensions. Generally, the last extension is the relevant one. For example, a file named

hello.mp3.exe

is an executable program (.exe) and not a MP3 file!

However, that if you are using Outlook Express and see a file with three extensions, Outlook Express may consider the second extension to be relevant, so that a file named

hello.mp3.exe.jpg

is an executable program (.exe) and neither an MP3 file nor a JPG file!

That’s why it’s important to follow the procedure outlined in section 4 for opening unknown files. You can’t go wrong by simply ignoring any file with more than one extension.

• Set the boot sequence to C: first in the BIOS. This can be “C only”, “C,A” or whatever you want as long as C: comes first.
• Regularly back-up your data.
• Install a good firewall. I use NetVeda Safety.Net free firewall. Its performance is quite outstanding and it offers application control and content filtering as well. This highly capable product deserves to be better known and experienced users should definitely put it on their short list.

9. If you still get hit by a virus

RELAX!

Very often users will do more damage with panicked recovery attempts than a virus or Trojan horse would have.

Go to these sites to ask for help.
alt.comp.virus on Google
alt.comp.anti-virus on Google

Protect Against Spyware
Microsoft’s anti malware methods