Posts Tagged ‘linux web site security’

Keeping the Hackers Out: I Can Hack You, Part 4

You really have three problems: The sharks, the crackers, and the exploiters.

First, you need to keep the sharks out. Once a live password has been posted for your site, the feeding frenzy kills your server, and you’ll be stuck with the bandwidth bill. So, given that your passwords have already been cracked, you must protect yourself from the freeloaders trying to get in. Your financial survival depends on it. (Several companies offer excellent shark-protection services.)

A good password-choosing policy will keep the crackers from feeding the sharks. It’s that simple! The master crackers themselves confirm that they depend on people (including billing companies) using poorly-chosen passwords. When the passwords become uncrackable, they must either find another way in, or intercept them as plain text. (We’ll discuss a possible password-choosing policy below.)

The exploiters are a very different situation. The exploiters are what we mean by “hackers” in the traditional sense of the word. All software has weaknesses, and those weaknesses can be found. Read more…

Be the first to comment - What do you think?  Posted by admin - September 16, 2012 at 6:00 am

Categories: Web Site Security   Tags: , ,

Exploiting: I Can Hack You, Part 3

Exploiting fits into two stages:

  • Finding the security hole (called scanning for exploits)
  • Using the security hole (called exploiting)

Scanning is easy. Pick a paysite and run through a list of URLs which might be interesting. You can download your own scanning program for free. You can do the same with other peoples’ URL lists. You’re supposed to then shorten your list to include only URLs that you personally know how to exploit. If you’ve noticed a bunch of weird off-the-wall URLs in your server logs from time to time, you’ve seen people scanning your site for exploits. You can safely ignore the scanning – unless they find something.

What they found, with the information necessary for its use, is called an exploit. Exploiters post lists of working exploits on the hackers’ boards, the same as crackers post lists of working passes, as a means of sharing information. At the same time as the sharks are using the passes, the other crackers are adding those passes to their John the Ripper word list. Read more…

Be the first to comment - What do you think?  Posted by admin - September 15, 2012 at 6:00 am

Categories: Web Site Security   Tags: , ,

Advanced Cracking: I Can Hack You, Part 2

The next step would be to apply your skill and experience to the specific password file at hand. If you know all passwords are eight random digits, for example, you can search accordingly. John the Ripper has its own programming language wherein you can tell it what approaches to take.

Suppose you have managed to crack a few passwords, and discover that when the username is firstname.lastname, the password is first initial followed by last name followed by 1-5 random digits. You can crack the rest of the file almost instantly! Tell John the Ripper to keep the first letter, drop everything up to the dot, drop the dot and keep everything following the dot.

With a bit of experience, you can make this example even simpler. Many paysites use standard unix-type passwords, called DES encryption. Only the first eight characters of the password are encrypted! So, to use the example above, if the person’s last name is seven characters or more, you know the password. No guessing is needed.

Do you see why this is so? The password (according to our assumed rules) is first initial followed by last name followed by digits. But… only the first eight characters are used. So, if the name is seven letters or longer, all the leftover characters (including all the digits) are ignored. So far as the paysite is concerned, the password is that person’s initial followed by the first seven characters of their last name.

In the same way, if the person’s last name is six characters, you need only try adding a single digit. That gives you a mere ten possibilities to try. Even if the last name is a single character, you only have a hundred thousand combinations to try. Since John the Ripper can run millions of trials per second, the worst possible case will still have you seeing dozens of passwords cracked per second. Read more…

Be the first to comment - What do you think?  Posted by admin - September 14, 2012 at 6:00 am

Categories: Web Site Security   Tags: , ,

Billing Exploits: How to Hack a Paysite, Part 4

Is somebody exploiting your billing script? How would you know? Many billing scripts have no tracing, no audit trail, no other validation or protection. If you have the keyword, you’re in. Your financial data is safe, but your paysite is wide open.

Other scripts do a bit better with authentication, and do leave an audit trail of sorts. The irony is, that very audit trail is highly prized hacker food! The audit trail shows the passwords, and all too often they’re crackable.

If you visit the “elite” areas of the paysite hackers’ boards, you’ll see that the billing scripts are the most commonly published method of breaking into a server. If you’re having a hacker problem, it’s very likely that a billing company is your problem. The problem could be your billing company; or the problem could be someone else’s billing script on the same server. (This is why you are far more vulnerable on a shared server. You have to worry about your own scripts and the other customers’ scripts.)

Have you noticed that I left out a step? To crack the passwords, you need to display a copy of the password file. You can trick a billing script into thinking you’re the billing company, and add your own password. If you can do that, you don’t need to crack someone else’s password! But that doesn’t get us a copy of the entire password file.

The other thing you can do with a billing script, is break into the server itself. You can use the billing script to display files that you shouldn’t be able to see. You can also display folder contents that you shouldn’t see. That’s how you find the things which are hidden, and how you find the secrets of other paysites on the same server.

How, then, do you get a copy of the password file, so you can crack it? You use a billing script, somewhere on the server, to display the file. Some billing scripts come with online instructions for the hackers. It tells you how to display the password file, how to add your own username and password, and even how to delete all paysite members.

Online help for hackers – remember that this is helping the hacker to hack your paysite – is nice, but far from the worst. Other billing scripts allow your hackers to run any unix command anywhere on the server. They can install their own stuff on your server, or scan your private areas for hidden webmasters’ notes. It doesn’t get much better than that! Read more…

Be the first to comment - What do you think?  Posted by admin - September 12, 2012 at 6:00 am

Categories: Web Site Security   Tags: , ,

The Buck Stops Nowhere: How To Hack a Paysite, Part 3

Let’s step back a moment, and consider the situation. Your billing company should take responsibility for protecting your customers’ billing information, and your server admin should take responsibility for protecting your paysite. After all, the billing info is on the billing company’s server, and the paysite is on the admin’s server.

After carefully analyzing the situation, I strongly disagree. Your customers’ credit card data is (usually) secure. Why is this so? Because that’s what your billing company does. They have firewalls, authentication codes, secure logins, and surely keep a careful watch on outside probing. If they’re being hacked, they know it.

But who’s keeping that close an eye on your members area? If someone got a copy of your password file, would you know it? If someone quietly added a couple of passwords, would you know that either? Nobody’s watching! Your billing company doesn’t consider it their responsibility. But if not, whose is it? Think about it: What are you paying them for?

Exploiting the Billing Companies

The basic problem is this: The billing companies are up against some serious technical difficulties when it comes to protecting your paysite. First, the server itself is outside their control. The server itself is your problem, and your server admin’s problem. Second, there’s a basic security flaw in how servers work. Read more…

Be the first to comment - What do you think?  Posted by admin - September 11, 2012 at 6:00 am

Categories: Web Site Security   Tags: , ,

Let’s Start Hacking: How to Hack a Paysite, Part 2

So you want to hack a paysite. Where do you start? With a password file! If you can’t find one on your own, visit one of the hackers’ boards and you’ll find ’em posted.

Not so long ago – perhaps two years ago – a lot of paysites allowed their security files (.htaccess and .htpasswd) to be visible in a browser. If you knew where to look, there it was! Fortunately most server admins have closed up this hole.

On the other hand… this trend seems to be reversing. More and more people have decided to save some money, and become their own server admins. There are more and more one-man hosting companies with great prices – but no security expertise. There are “web appliances” that will configure your server for you. By all means go the cheap route. The hackers will love you for it!

Meanwhile, though, you have a password file. This is a list of all members of your paysite. The usernames are in plain text (john, jacob, jingle, heimer, and so on). The passwords are encrypted (/Cphz8p6Emb3A, ooxdAVLkmR6/Y, auWXZ/088ALTQ, etc.). That makes them safe, right? Wrong! Read more…

Be the first to comment - What do you think?  Posted by admin - September 10, 2012 at 6:00 am

Categories: Web Site Security   Tags: , ,

Getting the Attitude: How to Hack a Paysite, Part 1

How to Hack a Paysite: What the Good Guys Need to Know

One billing company did come to me and say they had changed their code as a result of reading my article. Another billing company changed their code as well, after rather my thoroughly showing their president the mess they were in.

If you’re plagued by hackers and password traders, it’s probably your own billing company who is letting them in. Is that news to you? It’s probably news to your billing company as well!

Your billing company could make hacking and password trading a thing of the past. Right now, though, there’s no incentive. If you’re plagued by hackers, that’s supposedly your problem. You, not the billing company, are paying that bandwidth bill for the site rippers. You are perhaps even paying for third party password protection. As things stand now, you can’t live without it!

To understand the problem, I need to teach you how to hack a paysite. You’ll understand what your billing companies are up against. And you’ll see that with a remarkably small effort you can make your hacking problem a thing of the past. Read more…

Be the first to comment - What do you think?  Posted by admin - September 9, 2012 at 6:00 am

Categories: Web Site Security   Tags: , ,