Passwords

Published by Evil Bee Wednesday, 22 October 2008 10:22

Web services take many steps to keep hackers out of your personal files and information; however, poor password management decreases their effectiveness and increases information security risk. Creating strong passwords and changing them often are two simple steps you can take to better protect your personal information.

Here are some other guidelines to help you:

The Human Factors of Password Security

Published by Evil Bee Wednesday, 22 October 2008 10:04

Security experts frequently recommend that users choose different passwords for each web service they belong to and that users change their password with regular intervals.

Good advice in theory, but in practice these experts have forgotten to consider the human factors of password security. Most security breaches happen because of various human weaknesses (e.g., users who give their password in response to an email from a person claiming to be a system administrator who needs the password to investigate a possible intruder!).

Some thoughts on usage of the MD5 Hash for password storage

Published by Evil Bee Wednesday, 13 August 2008 09:21

The Wikipedia entry for MD5 (http://en.wikipedia.org/wiki/MD5) details the vulnerabilities and notes that several websites now offer online databases that reverse MD5 hashes into text that will generate the same hash.

The examples of MD5 hashes from Wikipedia generate the following collision passwords when entered into http://www.bisix.tk/

Securing your joomla website

Published by Evil Bee Saturday, 26 July 2008 17:21

In addition to understanding the threats and implementing general defensive strategies, it is important to know more specific details about security in Joomla, as well as some specific examples of how to implement security strategies.

The developers of Joomla are constantly striving to improve the overall security of the system by employing good programming techniques and addressing security issues as they arise. It is therefore important to try to keep up with the latest version of Joomla: 'patches' (collections of replacement files) are released periodically to address bugs and security holes as they are discovered (click here to subscribe to the official Joomla announcements forum, and here for the security announcements forum).

Website security strategies

Published by Evil Bee Saturday, 26 July 2008 17:18

The following strategies should be considered by anybody who is responsible for a website which contains potentially sensitive data or who is concerned about vandalism and hacking. These strategies apply equally well to Joomla and non-Joomla sites.

Vandalism and hacking

Published by Evil Bee Saturday, 26 July 2008 17:13

Vandals often use hacking techniques to deface a website or destroy data and files, but there are also those who just want to steal resources (make use of other people's servers without their knowledge or permission) or to cover their tracks by stealthily making use of hardware owned by legitimate businesses to carry out processing for illegal operations or to relay spam and viruses to others.

The best defence against the majority of these types of attacks comes through installing and maintaining the latest versions of anti-virus and firewall software. As new threats are identified, updates are issued which can identify and neutralise most harmful operations before they have a chance to do any damage. Having a server fully managed by a reputable hosting company ensures that these defences are always in place.

Gmail, PayPal and Ebay embrace DomainKeys to fight phishing emails

Published by Evil Bee Friday, 11 July 2008 10:37

Brad Taylor, Google's Gmail Spam Czar, has just posted details on the ongoing cooperation with PayPal and Ebay, two of the most targeted brands in phishing emails. The effect is that every email pretending to come from paypal.com and ebay.com, as well as from their international domain extensions, is now rejected outright rather than merely flagged as spam. It's a win-win-win move for users and for the companies themselves, which are now digitally signing all of their emails, making phishing emails that spoof their origin easier to detect:

Storing passwords in MySQL

Published by Evil Bee Saturday, 05 July 2008 02:09

Storing plain text passwords in MySQL is NEVER a good idea. As a DBA you should take great care in protecting the users' information. Fortunately MySQL provides you with several options to protect passwords.

After a quick scan of the manual, you may be tempted to store the password by applying the PASSWORD() function to it, which is NOT a good idea. MySQL itself advises against using PASSWORD() to manage application passwords.

Instead of using PASSWORD(), we can use SHA1 or MD5. Unfortunately, attacks on both of these hash functions have become quite common these days. Still, SHA1 or MD5 keep your passwords more protected than storing them as plain text.

The art of storing passwords

Published by Evil Bee Friday, 04 July 2008 22:55

Almost every website nowadays needs to maintain a list of users and passwords. Many multi-user applications require a way to authenticate users, and passwords seem like a natural fit.

You don’t necessarily have to provide your own username/password authentication solution, but if you want to understand the logic behind storing passwords and understand how to correctly implement a password management scheme, this article is for you.

This article assumes a web application; slightly different rules apply to a distributed multi-user application.

How to create a strong password

Published by Evil Bee Monday, 30 June 2008 03:09

Passwords are the primary method a CMS uses to verify a user's identity. This is why password security is enormously important for protection, and the single most important thing a user can do to protect his account against a password cracking attack is to create a strong password.

When creating a password, it is a good idea to follow these guidelines:

Storing passwords in a database

Published by Evil Bee Sunday, 29 June 2008 14:28

Often we, as developers, are required to create authentication systems. When developing an authentication system it is always best to make it as secure as possible. One of the problems that arises when creating an authentication system is storing the username and password of our users. One way to store them would be to simply make a column in a table called username and a column called password and store each user's login credentials in plain text.

MD5 hashing method

Published by Evil Bee Sunday, 29 June 2008 13:36

The algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being encrypted with a private (secret) key under a public-key cryptosystem such as RSA.

Hackers attack Joomla / Mambo sites!

Published by Evil Bee Friday, 22 February 2008 15:22

A storm of exploits has come over Joomla- and Mambo-based websites. Hackers try to replace the page content and also install backdoor or IRC scripts. The security problem of the sites is (normally) not Joomla itself! Of course, you should run your site with the latest Joomla / Mambo versions.

Nearly all hacks are done through holes in 3rd party components. At the moment, every hour there is a new component found with security problems.

You have to do something:

Harvard site hacked and leaked on BitTorrent

Published by Evil Bee Monday, 18 February 2008 18:57

The Harvard Graduate School of Arts and Sciences website appears to have been the subject of a major security breach, as server backups, site databases and contact databases are leaked to BitTorrent. The 125MB file is currently being tracked by The Pirate Bay.

Early reports indicate that a Harvard University website has become the victim of a major security breach. A torrent currently tracked by The Pirate Bay, which links to a 125MB .zip file, claims to be the backup from the Harvard Graduate School of Arts and Sciences website.

A note attached to the torrent says that the file contains a backup of the site -- including some contacts files and other files associated with Joomla, an open-source content management system -- along with other various bits. It appears to be legitimate.

The backup, seeded from a Harvard IP address (and others), carries many files, passwords and what appears to be a full directory structure for the site. Three other major database files are mentioned specifically, details as follows:

Forgotten your password? Google can find it for you

Published by Evil Bee Sunday, 27 January 2008 14:32

There's a certain amount of crowing associated with hacking the blog of a security team, which might be why a hacker, apparently Russian, broke into the blog of the Cambridge University security team at the Light Blue Touchpaper blog.

He did it via some weaknesses in their WordPress installation, upgrading himself from a plain "can post" user to an administrator of the blog using a zero-day (that is, previously unnoted) vulnerability, via SQL injection.

Rainbow hash cracking

Published by Evil Bee Friday, 27 July 2007 14:29

The multi-platform password cracker Ophcrack is incredibly fast. How fast? It can crack the password "Fgpyyih804423" in 160 seconds. Most people would consider that password fairly secure. The Microsoft password strength checker rates it "strong". The Geekwisdom password strength meter rates it "mediocre".

Why is Ophcrack so fast? Because it uses Rainbow Tables. No, not the kind of rainbows I have as my desktop background. Although those are beautiful, too.

Cracking MD5 hashes

Published by Evil Bee Friday, 27 July 2007 00:00

This article will give you a good idea of how to obtain access to critical password hashes using social engineering, and then crack the MD5 hash using Cain.

Instead of bothering with CPanel/phpMyAdmin, just go to Google and do a search for "MD5 Hash Generator", choose one, enter a password, generate the hash, and then play around with it as you see fit. These sites are readily available because generating an MD5 hash takes only 1 line of PHP code using md5() (for more info see php.net/md5). There is no need to go to the trouble of using a god-forsaken CPanel + phpMyAdmin combination...

Also, when you get tired of waiting on the brute force to crack the password for you, you should once again consult Google and this time do a search for "MD5 Hash Database", which will give you a very long list of sites that archive collections of known hashes and their corresponding passwords. Why do the work when someone else has already done it for you?

Phil-Taylor security holes list

Published by Evil Bee Sunday, 22 July 2007 15:26

We received an email this morning from Phil-Taylor.com listing security holes in various Joomla components.

I have an awful lot of respect for Phil and his work developing Mambo and now his components. However, I think the tone of the latest email could have been improved. People are understandably jumpy when it comes to security and I think he could have done a better job of pointing people towards freely available solutions rather than to his new security site.

There have always been third-party components with vulnerabilities and I've not seen any evidence that security exploits are increasing. What may be increasing is the number of hacker attacks. Some major Joomla sites are being attacked every 60-90 seconds. However, that's not much different from any computer plugged into the internet.

Is Joomla a Secure Platform for a Business?

Published by Evil Bee Sunday, 22 July 2007 14:44

Joomla and other content management systems often get a swift kick in their binary crotch when a site gets hacked. Here's a comment from a professional host admin, the guy who is responsible for server security...

"The installed Joomla is trivially crackable"

Here's the problem: Joomla, WHEN properly installed with the most current version, is very secure. The key there: "properly installed", which implies more than just making sure the most current security patches/upgrades have been applied.

What is common in almost all Joomla sites of any size: Multiple components are installed to boost functionality. Editors, image galleries, forums, shopping carts... all these need to be just as secure as Joomla, as one hole is all that's needed.

When we first started getting reports of hacks a year ago, it was mostly overwriting the configuration.php file which resulted in simple defacement. As long as you had a good copy of that file, the fix was in place in a few minutes.

What to do when you've been hacked? - part 2

Published by Evil Bee Thursday, 12 July 2007 15:17

After you have finished with the IMMEDIATE part, then you can move on to the investigation and restoration part...

2. SECONDARY ACTIONS

A. Review application inventory

What was on the site? Content management system, image gallery, forum... There should be a sheet of documentation somewhere that tells which version of each is installed along with its location. Sadly, most companies do not have this. Most developers/installers don't provide it unless it's specifically requested.
