As with any system written by humans, some vulnerabilities are bound to remain, and one of the most common vulnerabilities in web systems is SQL injection. To a normal user this may not seem like much, but to a hacker it is the gateway to control over an entire site or, at worst, an entire server. So protecting your site from these attacks is essential, and it should be a systemic design with security kept in mind from the ground up.
Locating sites vulnerable to SQL injection is trivial: it can be done using your favourite search engine or automated assessment tools like Acunetix, and the flaw can also be observed by checking any input parameter of the target web application. A common way these vulnerabilities are introduced into seemingly secure content management systems like Joomla and WordPress is through the use of vulnerable plugins.
Once you’ve located the vulnerability, the next step is to exploit it. Exploitation can be done manually by the attacker using any browser of choice, or it can be automated by tools such as Havij.
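What the flaw looks like in code, and how a bound parameter closes it, as an added example that is not part of the original post. The table, the function names and the sample inputs are constructed for illustration and run against an in-memory SQLite database.

```python
import sqlite3

def make_db():
    """Constructed sample table (real systems store password hashes, not plaintext)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db

def login_vulnerable(db, name, password):
    # Input is pasted into the SQL text, so a quote in it is parsed as SQL syntax.
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in db.execute(sql)]

def login_parameterized(db, name, password):
    # Placeholders keep the input as data; the statement's structure never changes.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (name, password))]

def run(fn, db, name, password):
    """Return the sorted matches, or 'syntax error' if SQLite rejects the statement."""
    try:
        return sorted(fn(db, name, password))
    except sqlite3.OperationalError:
        return "syntax error"

if __name__ == "__main__":
    db = make_db()
    cases = [("alice", "s3cret"),        # legitimate login
             ("alice", "' OR '1'='1"),   # constructed input that rewrites the WHERE clause
             ("o'brien", "x")]           # harmless apostrophe that breaks the built string
    for name, password in cases:
        print(repr(name), repr(password),
              "| string-built:", run(login_vulnerable, db, name, password),
              "| parameterized:", run(login_parameterized, db, name, password))
```

A syntax error triggered by a plain apostrophe is the same signal an input-parameter check looks for: it shows user input reaching the SQL parser.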
I wrote in another publication about authentication but am going to delve into authentication from the view of someone from the hacker underground. Web authentication has evolved immensely from the early days of the web, when it was mostly basic authentication, and for the more ‘secure’ websites digest authentication was used.
So if you are scratching your head wondering what the heck I am going on about, well… Basic authentication requires that a special file, .htpasswd, containing the credentials of the individuals who are authorised to access a resource, be placed in the directory which is to be secured, and data is sent over the network in an unencrypted manner (sniffing attack anyone?...anyone?). Digest authentication then came in and was intended to supersede unencrypted use of Basic access authentication, allowing user identity to be established securely without having to send a password in plaintext over the network. As technologies improved we made the leap to form-based authentication, which is much more familiar now due to the ability to save credentials to a database and easily handle sessions.
Almost half (43%) of Internet users in South Africa believe traditional over-the-counter banking is safer than banking online, according to a survey carried out by Kaspersky Lab and B2B International. Despite these fears most people still make some payments online but many fail to take even basic security measures, putting their money and banks’ reputations at risk.
The survey shows that a significant number of users (64%) feel vulnerable when making financial transactions online. Moreover, just less than half (49%) reported they believe making payments offline is more reliable than online and 43% agreed that offline banking is safer than online banking.
However, in spite of these fears, the majority of Internet users make online payments: 74% of those surveyed use their desktops or laptops for online payments, 22% locally use their tablets, 32% use their smartphones, and 14% of Smart-TV owners admitted using their Smart-TV for such operations. At the same time, according to the survey, 15% of users do nothing to protect their financial data online.
Google, Microsoft, Yahoo, and AOL joined forces with an anti-fraud startup to help keep phishing messages out of peoples' inboxes.
The major web-based email providers will be providing metadata from messages that get delivered to their customers to Agari so it can be used to look for patterns that indicate phishing attacks.
According to Agari CEO Patrick Peterson, "Agari collects data from about 1.5 billion messages a day and analyzes them in a cloud-based infrastructure."
The company aggregates and analyzes the data and provides it to about 50 e-commerce, financial services and social network customers, including Facebook and YouSendIt, who can then push out authentication policies to the e-mail providers when they see an attack is happening.
"Facebook can go into the Agari console and see charts and graphs of all the activity going on in their e-mail channel (on their domains and third-party solutions) and see when an attack is going on in a bar chart of spam hitting Yahoo," for instance, said Daniel Raskin, vice president of marketing for Agari.
DroidSecurity: Scans Android devices and apps, as well as Web sites you visit, for malware; blocks text-message spam; and offers tools for remotely locating, displaying messages on and wiping data from lost or stolen devices. A backup and restore service is in development. (Android only. Free basic version and $10 Pro app)
F-Secure: A suite of software that includes malware protection, a firewall, technology to keep you safe while browsing the Web, and tools for locating or wiping data off a lost or stolen phone. (Android, Symbian and Windows Mobile; 40 EUR for one year.)
Kaspersky: Anti-malware, firewall, unwanted call and text-message blocking, anti-theft tools and a “privacy mode” that lets you hide designated contacts, calls and text messages. (Android, BlackBerry, Symbian and Windows Mobile; $30 for one year.)