Hackers have long been known for their tendency to identify weaknesses in programs, but in today’s world, there are a number of programs that people put to use which are incredibly easy to keep safe. CMS or Content Management Systems are standard on the web today, being the software that runs blogs from all over the world. Two common examples of this are Joomla and WordPress, loved by users globally for their ease of use and high number of features. While these blogs are certainly a good way to get content out to the public, they do need to be updated with patches just as soon as those patches are made available, because hackers do look for ways to exploit these programs and attack web application security. While users might be aware that patching is needed, all too often it is not kept up with, and when that happens, big problems can arise. SySmox experienced such a problem when a number of users who had not kept up with the patching for their Joomla and WordPress installations unwittingly played a role in helping hackers attack the ISP’s shared hosting servers. By exploiting vulnerabilities in the kernel, the hackers were able to run scripts that caused problems and forced the tech support team to battle those scripts to regain control over the servers.
Many people understand how important it is to have web application security both in the e-commerce . One of the primary concerns for organizations is attacks by appsec. However, there are many other very dangerous attacks, including cross-site scripting, SQL injection and http verbse attack. Data loss is one of the most common issues following one of these attacks. However, data loss would be the least of an organization’s concerns, considering attackers are generally also able to get access to the specific pieces of data they are looking for. An example of why web application security is so important is when SQL injection allows an attacker to get access to credit card information or data relating to a person’s identity. This is often the type of information that hackers are after, of course.
select id, firstname, lastname from authors
If one provided:
the query string becomes:
select id, firstname, lastname from authors where forename = 'evil'ex' and surname ='newman'
which the database attempts to run as
Incorrect syntax near al’ as the database tried to execute evil.
Syrian Electronic Army gains access to the Al Jazeera network.
After the English website, the Syrian Electronic Army penetrated the Al Jazeera network.
After the Syrian hackers took down the Al Jazeera English website, they succeeded in reaching the Al Jazeera network. On 01/02/2012 it was confirmed, on Tuesday, that hackers had breached security and had access to the network.
This is an interview with the hackers:
Aljazeera has a local publishing system
so you can log in to the publishing system only from the AlJazeera Office, Doha
We hacked the aljazeera network and accessed the publishing system using a user and password
we didn’t publish any news because it needs approval but we uploaded some photos
it’s just the beginning really
Syrian Electronic Army
Syrian hackers take down the Al Jazeera English website:
Syrian hackers targeted Al Jazeera’s “Syria Live Blog”, which has been providing ongoing coverage of the Arab League’s observer mission to Syria and developments in the ongoing unrest in the country.
The attacked page was changed to display a picture of Bashar Assad.
Hacked by Syrian Electronic Army | Th3 Pr0.
You Got Hacked Again By SEA.
We Want Bashar Al-Assad
The hackers’ website: http://syrian-es.com/
It looks like the hackers exploited a web application security weakness in Drupal.
This is the reason:
Smartphones and Security: Protecting Yourself in 5 Easy Steps
Many people remain unaware that smartphones face even greater security threats than home computers. Viruses, hacking and theft can put sensitive personal information at risk. An article published in The Star Press during early 2012 warned that hackers frequently obtain account information and credit card details from smartphones. This also happens to the users of home and business computers.
However, the many integrated features of a smartphone make it even more valuable to hackers. It’s possible for them to listen in on your telephone calls and take pictures with the phone’s built-in camera, according to The New York Times. Some hackers can even monitor your personal conversations when the phone appears to be off. Over 1 million smartphones have already been hacked.
Fortunately, you can follow these tips to minimize smartphone security risks:
1. Use care when downloading smartphone applications. It can be very hazardous to download apps that were designed with ill-intent or negligence. Pennsylvania State University warns that such applications may cause serious harm to users, devices and cellphone networks. They can steal private information or make your smartphone more vulnerable to hacking. A study conducted by PSU in 2010 found that two out of three well-known apps transmit private data without user consent. Some retrieve the user’s phone number or location.
One way to find safe applications is to obtain them from reputable companies. You should know who created an app before using it. Some apps have lists of permissions that you can view before starting a download, according to The New York Times. Carefully inspect these lists and see if they make sense. For example, a card game shouldn’t have permission to take pictures or check your current location.
Web Application Security May Be More Difficult Than Network Security.
With the increased information sharing that has become quite common over the past few years, especially with social networking and business networking, it is inevitable that websites are being attacked. In the past, using a firewall for the computer and putting a lock on the door to the server room were enough to keep anyone from accessing information from a business and web application security wasn’t even envisioned. However, there are browsers that constantly interact with business web applications through websites that sell products or services. Data connections must be open in order to receive customer input and orders, and one never knows when a person accessing their business through the web is a legitimate customer or someone who is trying to hack into the system or attacking the business through the links on the site.
Google’s search results block web pages that contain malware. Website owners panic, and they are unsure of how to fix the problem. This article highlights how malware infects a web page and what the owner can do to protect the website.
Your website is running along smoothly until you notice a severe drop in sales and web traffic. You do a quick analysis by searching for your website on Google, but when you click the link, you’re redirected to a warning page that announces the site poses a danger to visitors.
The message displayed in the browser means the website has been hacked. Before you panic, here’s a quick checklist to clean the malware, secure your website, and re-establish a position on Google’s search engine.
Several malware applications are spread on the internet through infected web pages and executable downloads. For instance, hackers exploit vulnerabilities in web applications and inject malicious code. You may be using a vulnerable open source application such as WordPress, CKFinder …
Another attack: the Gumblar virus is spread through PDF documents and Flash pages. The malware finds passwords hidden on the website owner’s computer and infects his web pages with malicious code (using FTP services).
The code can spread malware. The infected website is detected by Google’s search engine spider, and the company provides the warning seen in the user’s browser.
Saudi Hackers Claims hack of hundreds of thousands of ‘Israelis credit cards’ after hacking one website
It seems that the Saudi hackers exploited a critical vulnerability in the web applications of one.co.il
Skip the password using SQL injection in cookies.
SQL injection via cookies lets an attacker exploit the application through a cookie parameter.
useraccountid= [sql injection]
Example1: useraccountid= x' or username='SYSMOX'#
*log on to account SYSMOX
Example2: useraccountid= x' or 1=1#
useraccountid= x' or username like '%25com'
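The cookie injection described above, shown beside a hardened lookup, as an added example that is not part of the original post. It assumes SQLite through Python's sqlite3 module (so the comment marker is -- rather than the # used above), a constructed accounts table, and a constructed server-side secret; all function names are hypothetical.

```python
import hashlib
import hmac
import sqlite3

SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to clients

def make_db():
    """In-memory database holding constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (useraccountid TEXT PRIMARY KEY, username TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("1001", "SYSMOX"), ("1002", "alice"), ("1003", "bob")])
    return db

def cookie_value(header, name="useraccountid"):
    """Return the named value from a Cookie request header, or None."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None

def lookup_vulnerable(db, header):
    # Before: the cookie text becomes part of the SQL statement itself.
    sql = "SELECT username FROM accounts WHERE useraccountid = '%s'" % cookie_value(header)
    return [row[0] for row in db.execute(sql)]

def sign(account_id):
    """Cookie value issued at login: '<id>.<HMAC-SHA256 of id>'."""
    mac = hmac.new(SECRET, account_id.encode(), hashlib.sha256).hexdigest()
    return account_id + "." + mac

def lookup_hardened(db, header):
    # After: check the server's signature first, then bind the id as a parameter.
    raw = cookie_value(header) or ""
    account_id, _, mac = raw.partition(".")
    expected = hmac.new(SECRET, account_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return []  # unsigned or tampered cookie: treat as not logged in
    sql = "SELECT username FROM accounts WHERE useraccountid = ?"
    return [row[0] for row in db.execute(sql, (account_id,))]
```

Parameter binding removes the injection; the signature check addresses the separate problem that a bare account id in a cookie can simply be edited to another user's id.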
In 2009 the Twitter DNS company got hacked; some people think that the Twitter DNS password was brute-forced, or that web application security flaws were involved.
An attacker can inject via cookie:
Verbose Error Messages:
Description: Developers commonly include verbose error messages in the development of software applications. When software behaves unexpectedly, it generates messages that contain detailed information about how and where an error occurred. These messages are useful within the web development life cycle (since the application is often executed in a remote multi-tiered environment), but these verbose error messages often contain environment variables, path disclosure, and other platform information used to aid in debugging. This information is a valued resource to an attacker attempting to penetrate a system.
HTML Comments:
Description: HTML comments are commonly placed within the source code of a web page. Web site developers often mark portions of their pages with comments which are not normally viewable by a web site visitor. These comments may contain sensitive information about the structure of the web site, or information intended only for the system owners or developers. These comments can provide an attacker with information about your system, network, or application behavior which may be useful in future attacks.
Known Directory:
Description: A Known Directory vulnerability indicates that a web server directory not intended for public viewing has a name that can easily be guessed, and thus can also be accessed. This directory may contain files with sensitive data or functionality for configuring the web server.
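A pre-release check for the first two findings above (verbose error messages and HTML comments), as an added example that is not part of the original page. The signature lists are illustrative assumptions rather than a standard set, and the sample response is constructed.

```python
import re
from html.parser import HTMLParser

# Illustrative signatures (assumptions, not an exhaustive or standard list).
ERROR_SIGNATURES = {
    "stack trace": re.compile(
        r"Traceback \(most recent call last\)|^\s+at [\w.$]+\(.*:\d+\)", re.M),
    "sql error": re.compile(
        r"Incorrect syntax near|You have an error in your SQL syntax", re.I),
    "path disclosure": re.compile(
        r"(?:/var/www|/home/\w+|[A-Za-z]:\\inetpub)[\w./\\-]*"),
}
# Comment content worth a human look: credentials, leftovers, internal IPs.
SENSITIVE_COMMENT = re.compile(
    r"password|todo|fixme|debug|admin|\b\d{1,3}(?:\.\d{1,3}){3}\b", re.I)

class _CommentCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())

def audit_response(body):
    """Return sorted (kind, evidence) findings for one HTTP response body."""
    findings = []
    for kind, pattern in ERROR_SIGNATURES.items():
        for match in pattern.finditer(body):
            findings.append((kind, match.group(0).strip()))
    collector = _CommentCollector()
    collector.feed(body)
    collector.close()
    for comment in collector.comments:
        if SENSITIVE_COMMENT.search(comment):
            findings.append(("html comment", comment))
    return sorted(findings)

# Constructed sample: an error page that leaks a comment, a path and a trace.
SAMPLE = """<html><body>
<!-- TODO remove: staging db at 10.0.0.5, admin login under /manage -->
<!-- layout v2 -->
<h1>Server Error</h1>
<pre>Incorrect syntax near 'x'.
   at Shop.Data.AuthorRepo.Find(C:\\inetpub\\shop\\AuthorRepo.cs:41)</pre>
</body></html>"""
```

Running audit_response over the pages of a staging build flags responses that should be replaced with a generic error page and a server-side log entry before release.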