Articles

Most Common Passwords

Published by Evil Bee Wednesday, 25 February 2009 14:16

From the moment people started using passwords, it didn’t take long to realize how many people picked the very same passwords over and over. Even the way people misspell words is consistent. In fact, people are so predictable that most hackers make use of lists of common passwords just like these. To give you some insight into how predictable humans are, the following is a list of the most common passwords. If you see your password on this list, please change it immediately. Keep in mind that every password listed here has been used by at least hundreds if not thousands of other people.

Table below is based on our hash database search statistics...

Passwords

Published by Evil Bee Wednesday, 22 October 2008 10:22

Web services takes many steps to keep hackers out of your personal files and information; however, poor password management decreases effectiveness and increases information security risk. Creating strong passwords and changing them often are two simple steps you can take to better protect your personal information.

Here are some other guidelines to help you:

The Human Factors of Password Security

Published by Evil Bee Wednesday, 22 October 2008 10:04

Security experts frequently recommend that users choose different passwords for each web service they belong to and that users change their password with regular intervals.

Good advice in theory, but in practice these experts have forgotten to consider the human factors of password security. Most security breaches happen because of various human weaknesses (e.g., users who give their password in response to email from a person claming to be a system administrator who needs the password to investigate a possible intruder!).

Some thoughts on usage of the MD5 Hash for password storage

Published by Evil Bee Wednesday, 13 August 2008 09:21

The Wikipedia entry for MD5 http://en.wikipedia.org/wiki/MD5 details the vulnerabilites and suggests that several websites now offer online databases to reverse MD5 hashes into text that will generate the same hash.

The examples of MD5 hashes from Wikipedia generate the following collision passwords when entered into http://www.bisix.tk/

Securing your joomla website

Published by Evil Bee Saturday, 26 July 2008 17:21

In addition to understanding the threats, and implementing general defensive strategies, it is important to know more specific details about security in Joomla, as well some specific examples of how to implement security strategies.

The developers of Joomla are constantly striving to improve the overall security of the system by employing good programming techniques and addressing security issues as they arise. It is therefore important to try to keep up with the latest version of Joomla - 'patches' (collections of replacement files) are released periodically to address bugs and security holes as they are discovered (click here to subscribe to the official Joomla announcements forum, and here for the security announcements forum).

Website security strategies

Published by Evil Bee Saturday, 26 July 2008 17:18

The following strategies should be considered by anybody who is responsible for a website which contains potentially sensitive data or who is concerned about vandalism and hacking. These strategies apply equally well to Joomla and non-Joomla sites.

Vandalism and hacking

Published by Evil Bee Saturday, 26 July 2008 17:13

Vandals often use hacking techniques to deface a website or destroy data and files, but there are also those who just want to steal resources (make use of other peoples’ servers without their knowledge or permission) or to cover their tracks by stealthily making use of hardware owned by legitimate businesses to carry out processing for illegal operations or to relay spam and viruses to others.

The best defence against the majority of these types of attacks comes through installing and maintaining the latest versions of anti-virus and firewall software. As new threats are identified, updates are issued which can identify and neutralise most harmful operations before they have a chance to do any damage. Having a server fully managed by a reputable hosting company ensures that these defences are always in place.

Gmail, PayPal and Ebay embrace DomainKeys to fight phishing emails

Published by Evil Bee Friday, 11 July 2008 10:37

Brad Taylor, Google’s Gmail Spam Czar, has just posted details on the ongoing cooperation with PayPal and Ebay, two of the most targeted brands in phishing emails, the effect of which is rejecting compared to flagging as spam each and every email pretending to be coming from paypal.com and ebay.com as well as from their international domain extensions. It’s a win-win-win move for users, and the companies themselves which are now digitally signing all of their emails, making phishing emails spoofing their origin easier to detect :

Storing passwords in MySQL

Published by Evil Bee Saturday, 05 July 2008 02:09

Securing plain text passwords in MySQL is NEVER a good idea. As a DBA you should take great care in protecting the users' information. Fortunately MySQL provides you with several options to protect passwords.

After a quick scan of the manual, you may be tempted to store the password by applying the password function to it which is NOT a good idea. MySQL itself advises against using PASSWORD to manage application passwords.

Instead of using PASSWORD(), we can use SHA1 or MD5. Unfortunately exploits for both of these encryption functions have been quite common these days. Still, SHA1 or MD5 keep your password more protected than storing them as plain text.

The art of storing passwords

Published by Evil Bee Friday, 04 July 2008 22:55

Almost every website nowadays needs to maintain a list of users and passwords. Many multi-user applications require a way to authenticate users, and passwords seem like a natural.

You don’t necessarily have to provide your own username/password authentication solution, but if you want to understand the logic behind storing passwords and understand how to correctly implement a password management scheme, this article is for you.

This article assumes a web application – slightly different rules apply to a distributed multi-user application.

How to create strong password

Published by Evil Bee Monday, 30 June 2008 03:09

Passwords are the primary method CMS use to verify a users identity. This is why password security is enormously important for protection and the single most important thing a user can do to protect his account against a password cracking attack is create a strong password.

When creating a password, it is a good idea to follow these guidelines:

Storing passwords in a database

Published by Evil Bee Sunday, 29 June 2008 14:28

Often times we, as developers are required to create authentication systems. When developing an authentication system it is always best to make it as secure as possible. One of the problems that arise when creating an authentication system is storing the username and password of our users. One way to store the username and password would be to simply make a column in a table called usernames and a column called password and store each user’s login credentials in plain text.

MD5 hashing method

Published by Evil Bee Sunday, 29 June 2008 13:36

The algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA.

Hackers attack Joomla / Mambo sites!

Published by Evil Bee Friday, 22 February 2008 15:22

A storm of exploits has come over Joomla and Mambobased websites. Hackers try to replace the page content and also install backdoor or IRC scripts. The security problem of the sites is (normally) not Joomla! Of course, you should run your site with the latest Joomla / Mambo versions.

Nearly all hacks are done through holes in 3rd party components. At the moment, every hour there is a new component found with security problems.

You have to do something:

Harvard site hacked and leaked on BitTorrent

Published by Evil Bee Monday, 18 February 2008 18:57

The Harvard Graduate School of Arts and Sciences website appears to have been the subject of a major security breach, as server backups, site databases and contact databases are leaked to BitTorrent. The 125MB file is currently being tracked by The Pirate Bay.

Early reports indicate that a Harvard University website has become the victim of a major security breach. A torrent currently tracked by The Pirate Bay which links to a 125mb .zip file, claims to be the backup from the Harvard Graduate School of Arts and Sciences website.

A note attached to the torrent says that the file contains a backup of the site -- including some contacts files and other files associated with Joomla, an open-source content management system -- along with other various bits. It appears to be legitimate.

The backup -seeded from a Harvard IP address (and others)- carries many files, passwords and what appears to be a full directory structure for the site. Three other major database files are mentioned specifically, details as follows:

Forgotten your password? Google can find it for you

Published by Evil Bee Sunday, 27 January 2008 14:32

There's a certain amount of crowing associated with hacking the blog of a security team - which might be why a hacker, apparently Russian, broke into the blog of the Cambridge University security team at the Light Blue Touchpaper blog.

He did it via some weaknesses in their Wordpress installation, upgrading himself from a plain "can post" user to an admnistrator of the blog using a zero-day (that is, previously unnoted) vulnerability, via SQL injection.

Rainbow hash cracking

Published by Evil Bee Friday, 27 July 2007 14:29

The multi-platform password cracker Ophcrack is incredibly fast. How fast? It can crack the password "Fgpyyih804423" in 160 seconds. Most people would consider that password fairly secure. The Microsoft password strength checker rates it "strong". The Geekwisdom password strength meter rates it "mediocre".

Why is Ophcrack so fast? Because it uses Rainbow Tables . No, not the kind of rainbows I have as my desktop background. Although those are beautiful, too.

Cracking md5 hashes

Published by Evil Bee Friday, 27 July 2007 00:00

This article will give you a good idea how to obtain Access to critical password hashes using your social engineering, and then crack the MD5 hash using Cain

Instead of bothering with CPanel/phpMyAdmin, just go to Google and do a search for "MD5 Hash Generator", choose one, enter a password, generate the hash, and then play around with it as you see fit. These sites are readily available because generating an MD5 hash takes only 1 line of PHP code using md5() (for more info see php.net/md5). There is no need to go to the trouble of using a god-forsaken CPanel + phpMyAdmin combination...

Also, when you get tired of waiting on the brute force to crack the password for you, you should once again consult Google and this time do a search for "MD5 Hash Database", which will give you a very long list of sites that archive collections of known hashes and their corresponding passwords. Why do the work when someone else has already done it for you?

Phil-Taylor security holes list

Published by Evil Bee Sunday, 22 July 2007 15:26

We received an email this morning from Phil-Taylor.com listing security holes in various Joomla components.

I have an awful lot of respect for Phil and his work developing Mambo and now his components. However, I think the tone of the latest email could have been improved. People are understandably jumpy when it comes to security and I think he could have done a better job of pointing people towards freely available solutions rather than to his new security site.

There have always been third-party components with vulnerabilities and I've not seen any evidence that security exploits are increasing. What may be increasing is the number of hacker attacks. Some major Joomla sites are being attacked every 60-90 seconds. However, thats not much different from a computer plugged in to the internet.

Is Joomla a Secure Platform for a Business?

Published by Evil Bee Sunday, 22 July 2007 14:44

Joomla and other content management systems often get a swift kick in their binary crotch when a site gets hacked. Here's a comment from a professional host admin, the guy who is responsible for server security...

"The installed Joomla is trivially crackable"

Here's the problem: Joomla, WHEN properly installed with the most current version is very secure. The key there: "properly installed" which implies more than just making sure the most current security patches/ upgrades have been applied.

What is common in almost all Joomla sites of any size: Multiple components are installed to boost functionality. Editors, image galleries, forums, shopping carts... all these need to be just as secure as Joomla, as one hole is all that's needed.

When we first started getting reports of hacks a year ago, it was mostly overwriting the configuration.php file which resulted in simple defacement. As long as you had a good copy of that file, the fix was in place in a few minutes.

Page 1 of 2

Start
Prev
1
2
Next
End

whoisonline