because you value your mind

The minute you settle for less than you deserve, you get even less than you settled for.

koenigsegg

Archive for the ‘Network Security’ Category

Monday
Apr 16,2007

[image: usb lock]

Hackers, hackers. Dangerous as hell, once you have something of value to them. They could be a colleague, a classmate, or even a lover. If you use Gmail, Yahoo!, MSN Messenger or you are active in forums, you’re at risk if you use weak passwords. If you use Adsense, Paypal and do online banking, you gotta come up with even stronger passwords.

Sometimes you do come up with strong passwords, using unfamiliar random characters that are hard to break but hard to remember at the same time. I have a friend who once kept his ATM password in his wallet. How dumb is that? One fine day, he lost not only his wallet, but also $3000 (the withdrawal limit for a day) from his bank. Nothing in the world could be done. In this case, even the bank’s CCTV was useless.

A lot of sites that I googled suggested recording passwords on paper or storing them in password managers. That’s dumb because the password manager will ask you for a password as well. Don’t you think you’d have to come up with an easier key password for the password manager so that you don’t forget? Imagine if you depended on it, and you lost your key password. Imagine if someone managed to break into your password manager. Imagine the loss. Imagine the sadness. There’s no safer place in this world to keep our passwords than the brain.

So here’s my method of coming up with super strong and easy to remember passwords.

  1. Standardization And Uniformity

     I suggest using all 3 character types below:

     • Alphabets : abc … z
     • Numbers : 012 … 9
     • Mathematical Symbols : +-*/

     Why just these 3? Because some websites don’t allow spaces, @#$%^&* symbols, or even differentiate upper and lower case. Let’s just keep it standard by using lower-case letters, numbers and basic maths symbols. This way, we keep our passwords uniform and easy to remember.

  2. Objects Around You

     You can use TVs, flowers, soft toys, computers, tupperware, handphones; anything you come across every day is most suitable. In this case, let me use my house’s toilets. In my house there are 3 toilets, and the toilet bowl and flush tank of all 3 are made by Armitage Shanks of the UK.

  3. Arranging And Combining

     Think of ways to put the letters, numbers and maths symbols together. For example,

     • 3-armitage-shanks
     • armitage-shanks-of-uk/3
     • 2+1-very-smelly-toilets (I have 2 toilets upstairs and 1 downstairs)

     That’s it. The 3 examples above are very, very strong. Very, indeed. And I bet you can remember them easily. No writing down on paper, no keeping them in your computer. If you’re still not satisfied with the 3 steps above, here’s a fourth step, just for you.

  4. Remove The Vowels

     • 3-rmtg-shnks
     • rmtg-shnks-f-k/3
     • 2+1-vr-smll-tlts

     Now it’s really much stronger! And you will still remember it really easily. Really.

Last but not least, check your password’s strength at Microsoft’s Password Checker. If passwords you own that guard important stuff are labeled as ‘weak’ or ‘medium’, change them immediately. Start making yourself easy-to-remember strong passwords. =)

Microsoft Password Checker
Check your password’s strength

Monday
Apr 9,2007

Basically, SQL injection happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements, or user input is not strongly typed and is thereby unexpectedly executed as part of the query. Any webmaster creating web applications that involve database manipulation will have to take these measures to prevent SQL injection.

According to WhiteHat Security’s statistics, there is a 20% likelihood that 8 out of 10 websites have a vulnerability in the area of SQL Injections.

  1. Keeping It Clean

     For example, it is important to make sure that what users enter in the email field contains only these characters:

     • abcdefghijklmnopqrstuvwxyz
     • ABCDEFGHIJKLMNOPQRSTUVWXYZ
     • 0123456789
     • @.-_+

  2. Quotes Quotes Quotes

     Many database interface languages cater to the need for safe quoting of text. For example, PHP’s MySQL interface uses 2 functions to ‘string quote’ and to ‘string parse’:

     • mysql_real_escape_string() adds backslashes in front of all the quotation marks.
     • stripslashes() removes backslashes in front of the quotation marks.

  3. Bounding Parameters

     Insecure:

       Statement s = connection.createStatement();
       ResultSet rs = s.executeQuery("SELECT email FROM member WHERE name = '" + formField + "'"); // *boom*

     Secure:

       PreparedStatement ps = connection.prepareStatement("SELECT email FROM member WHERE name = ?");
       ps.setString(1, formField);
       ResultSet rs = ps.executeQuery();

     Above is an example of bound parameters in Java. Neither quotes, semicolons, backslashes nor SQL comment notation can corrupt the query, because the input has been turned into data. Binding parameters is one of the most important steps anyone can take to truly secure the database from injection attacks.

  4. Rights Management

     Web applications should connect to the database with as few rights as possible. A web application should start with only 1 type of access: read-only query access to the members table. This eliminates the possibility of using an ‘UPDATE’ statement to taint the database. Let rights be granted progressively, for example allowing more flexibility only after a successful user validation.

  5. Making Use Of Stored Procedures

     As long as the interface of the stored procedure stays the same, the table structure can change with no consequence to the application using the database. This layer of abstraction is like an extra barrier, because table permissions are set implicitly. By only allowing database modifications through stored procedures, tables are not exposed to external applications.

  6. Separating TRUSTED and UNTRUSTED networks

     A DMZ is a computer network that is accessible from two other computer networks that have no direct contact with each other. Often, one of these networks is the Internet and the other is a local, internal network. Having a web server with very, very little access in a DMZ prevents total control of all networks, even if someone manages to take full control of that machine.
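The first three measures above (a character whitelist for the email field, quote escaping, and bound parameters) side by side, as an added example in Python that is not part of the original post. It uses an in-memory SQLite database with constructed sample rows; the whitelist is the post’s own character list, and the escaping helper doubles single quotes in the SQLite/ANSI style rather than the backslash style of mysql_real_escape_string(), which is an assumption noted in the code.

```python
import re
import sqlite3

# Constructed sample data for the demo (not from the post)
MEMBERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Measure 1 (Keeping It Clean): the post's whitelist for the email field
EMAIL_CHARS = re.compile(r"^[A-Za-z0-9@.\-_+]+$")


def email_is_clean(value: str) -> bool:
    """True only when every character is in the post's allowed list."""
    return bool(EMAIL_CHARS.match(value))


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE member (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO member VALUES (?, ?)", MEMBERS)
    return conn


def lookup_insecure(conn, form_field: str) -> list:
    """String concatenation: the input becomes part of the SQL text (*boom*)."""
    sql = "SELECT email FROM member WHERE name = '" + form_field + "'"
    return [row[0] for row in conn.execute(sql)]


def escape_quotes(value: str) -> str:
    """Measure 2 (Quotes): neutralise quote characters before concatenation.
    Assumption: SQLite/ANSI style, a quote inside a literal is written as
    two quotes; MySQL's mysql_real_escape_string() uses backslashes instead."""
    return value.replace("'", "''")


def lookup_escaped(conn, form_field: str) -> list:
    sql = "SELECT email FROM member WHERE name = '" + escape_quotes(form_field) + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_secure(conn, form_field: str) -> list:
    """Measure 3 (Bounding Parameters): the input is passed as data and is
    never parsed as SQL, whatever characters it contains."""
    return [row[0] for row in
            conn.execute("SELECT email FROM member WHERE name = ?", (form_field,))]


def demo() -> dict:
    """Run each lookup with an honest name and with a constructed input
    that closes the string literal and appends an always-true condition."""
    conn = make_db()
    honest = "alice"
    hostile = "x' OR '1'='1"          # constructed hostile input
    return {
        "honest_insecure": lookup_insecure(conn, honest),
        "honest_secure": lookup_secure(conn, honest),
        "hostile_insecure": lookup_insecure(conn, hostile),   # leaks every row
        "hostile_escaped": lookup_escaped(conn, hostile),     # no match
        "hostile_secure": lookup_secure(conn, hostile),       # no match
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value}")
    print(email_is_clean("bob@example.com"), email_is_clean("bob@example.com' --"))
```

Escaping only protects the one context it was written for (a quoted string literal in this dialect), which is why the post ranks bound parameters as the most important of the measures: the database driver handles the data/SQL boundary, so the same lookup stays safe when the input is used in a different place or a different database.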

SQL Injection Attacks
Useful tips on SQL injection attacks

Friday
Apr 6,2007

Hi guys. Here’s a neat, FREE piece of software called Wikto by Sensepost which allows you and me to quickly perform web server assessments. Wikto will

  • find interesting directories and files on the web site
  • look for sample scripts that can be abused
  • find known vulnerabilities in the web server implementation itself

So I tested it out on rangit.com and found around 30 light vulnerabilities. I was a bit shocked to find such a list. Really. There were a few requests that hackers can use to execute SQL injections. Scary but REAL. Remember, with this tool you can scan any website for its vulnerabilities. Here’s a screenshot of mine.

[screenshot: wikto scan]

To use Wikto you need to get 2 other things.

  1. WinHTTrack
  2. HTTprint

After successfully installing all 3 programs, go to Wikto’s ‘SystemConfig’ tab. There are 4 important things to configure for Wikto to work.

[screenshot: wikto sysconfig]

  1. HTTrack

     Locate the HTTrack folder and point to the file ‘httrack.exe’ in your program files.

  2. Cache

     Create a new folder for storing data. I created one in C: and named it ‘Temp’. After creating it, point to it.

  3. HTTPrint

     Locate the HTTPrint folder and point to the file called ‘win32’.

  4. NiktoDB

     Click on the button and download the latest database for scanning. This is essential for first timers.

After that, go to the ‘Wikto’ tab and enter a website. Click ‘Start Wikto’. Basic test commands will be carried out from NiktoDB. Watch the scanned vulnerabilities appear one by one.

The solution would be to talk to your web host about the scan results. Show what you’ve found and see what your web host says.

Sensepost Wikto
Web server assessment tool
