Posts Tagged with "security"

With this article I want to start a series of articles about web applications security. This topic is truly interesting, sometimes challenging and, of course, very important for any web developer. Even if you think that your website is small and is not attractive to hackers, keep in mind that your website, if it is vulnerable, can be used to trick random users or even attack an external system. For example, using a security hole in your system an attacker can spread an exploit.

In this article I will talk about preventive measures against SQL Injections (aka SQLi). Those are preventive measures that may help in case you have legacy code, or someone in your team accidentally (or blindly) writes code vulnerable to SQLi.

On Monday April 24, 2017 the HipChat Security team has advised their users that there was a security incident detected which affected a server in the HipChat Cloud. The incident lead to a leak of some account information such as names, email addresses and hashed passwords. For a small number of instances (less than 0.05% according to HipChat), messages and content in rooms may have been accessed too. 

HipChat automatically reset user passwords for those accouts that they believe were affected and some users were asked to update their passwords manually.

In their statement the HipChat team assured that no other of Atlassian services were affected:

In 2016-2017 pretty much all media were talking about hacking that happened during the US presidential campaign (did it actually happened or not - that's a different story). You can see many articles in the Internet and in paper books about how it is important to have a strong password. Seems like everybody should know this now. However, security professionals regularly meet passwords that are ridiculously unsafe.

Guys from Keeper Security, authors of the Keeper Password Manager, have compiled a list of the most commonly used passwords involved in data breaches in 2016. According to this blog post, these unsafe passwords are using in about 50% of 10 million password that were analyzed! Mostly, there are no surprises. People still use passwords like "password", "123456", "qwerty", etc.  Nevertheless, there are some interesting examples such as  “18atcskd2w” and “3rjs1la7qe”. Those passwords seem relatively strong, right? It seems like those passwords were created by bots for spam or flood activities and those passwords were used over and over in different sites.

Yesterday received into my Gmail inbox a couple of SPAM messages with animated email subject! Didn't it's possible, have never seen it before...

From very first look it seems like a big secirity whole in gmail!

Interesting...

News agencies reported yesterday and today that a group of Russian hackers has stolen a huge number (1.2 billion!) of usernames and passwords using a botnet. This is apparently could be the largest collection of stolen user credentials in the history (if this fact is actually truth).

According to the news, the theft was discovered by an american security company called Hold Security. They did not disclose exactly what web sites have been attacked, but it was mentioned that it is a number of websites from small to big ones.

I am scratching my head trying to understand two things: 1) How did they discover this theft? 2) How do they know that it was Russian group of hackers?

If in your project you have a publicly accessible directory that has full permissions (777), then it may cause serious security issues. An attacker may put an executable script or binary on your host and then run it remotely. This is a major security whole and it may lead to major problems if someone decides to attack your website.

However, sometimes on some shared webhosting servers you need have a folder that has risky 777 permissions (or, if possible, 775 which is a little bit better). As an example you can consider a folder where website users can upload their photos or images. In this case it opens a security whole for potential attackers. But, there are a few techniques that can help you to keep your website safe.

eBay Inc., the world's largest Internet auction site, just reported a successful attempt of a hacking attack on its servers. Hackers gained access to that part of the eBay database, where website users store their password hashes. The company's specialists claimed that personal data and financial information remains inaccessible to hackers - that type of data is kept separate and well encrypted.

According to the preliminary investigation, the results of which were published on the corporate blog, the attack happened in late February / early March of this year. Hackers gained access to stored user names, password hashes, emails, home address and phone numbers, as well as dates of birth. 

It's been reported that within next 24 hours eBay users should receive an official notification with information about the attack and recommendations on how to reset password on all eBay websites where the user has used the same password.