How to Prevent Hacking

February 14, 2009 at 5:02 pm by


One way of getting into trouble is to visit cracks, warez, and keygen websites. There are several ways in which your PC may be infected:

1. Clicking on buttons on the site that activate malicious scripts.
2. Being told that a particular program does not work and that you need to download another program or extension.
3. Trojans, viruses or spyware hidden in the software cracks or keygens.

You must have at least one security software program installed on your PC. However, it is impossible to guarantee that the software will definitely protect you against any or all the possible viruses, trojans and malicious programs.

If you find that your PC behaves abnormally, such as unsolicited pop-up ads, applications shutting down, poor internet connections (or busy connections), etc., there is a good chance that your PC is infected. You will need to waste quite a bit of time either removing the infected file or reformatting the hard disk and reinstalling everything. Again, prevention is always better than cure.

There are many different types of attacks hackers can conduct in order to take partial or total control of a website. In general, the most common and dangerous ones are SQL injection and cross-site scripting (XSS).

SQL injection is a technique to inject a piece of malicious code in a web application, exploiting a security vulnerability at the database level to change its behavior. It is a really powerful technique, considering that it can manipulate URLs (query string) or any form (search, login, email registration) to inject malicious code. You can find some examples of SQL injection at the Web Application Security Consortium.

There are definitely some precautions that can be taken to avoid this kind of attack. For example, it’s a good practice to add a layer between a form on the front end and the database in the back end. In PHP, the PDO extension is often used to work with parameters (sometimes called placeholders or bind variables) instead of embedding user input in the statement. Another really easy technique is character escaping, where all the dangerous characters that can have a direct effect on the database structure are escaped. For instance, every occurrence of a single quote ['] in a parameter must be replaced by two single quotes [''] to form a valid SQL string literal. These are only two of the most common actions you can take to improve the security of a site and avoid SQL injections. Online you can find many other specific resources that can fit your needs (programming languages, specific web applications …).
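The two precautions above, side by side with the unsafe pattern they replace. This is an added example, not code from the original article; the in-memory SQLite table, its rows and the function names are constructed for illustration.

```php
<?php
// Added example: constructed in-memory table; all function names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, email TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'alice@example.com'),
    ('bob', 'bob@example.com'), ('o''brien', 'obrien@example.com')");

// Vulnerable: the input becomes part of the statement text.
function findConcat(PDO $db, string $name): array
{
    $sql = "SELECT email FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Character escaping as described above: double every single quote.
function findEscaped(PDO $db, string $name): array
{
    $safe = str_replace("'", "''", $name);
    $sql = "SELECT email FROM users WHERE name = '$safe'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Bound parameter: the statement text is fixed and the input is sent as data.
function findBound(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a normal name, a name with a quote, a classic tautology.
foreach (['alice', "o'brien", "x' OR '1'='1"] as $input) {
    $row = [];
    foreach (['findConcat', 'findEscaped', 'findBound'] as $fn) {
        try {
            $row[] = sprintf('%s=%d', $fn, count($fn($db, $input)));
        } catch (PDOException $e) {
            $row[] = "$fn=SQL error";
        }
    }
    printf("%-14s %s\n", $input, implode('  ', $row));
}
```

The concatenated query fails on the legitimate name o'brien and returns every row for the last input, while the escaped and bound versions return one row and zero rows respectively. Quote doubling only covers values placed inside a quoted string literal; bound parameters do not depend on the context.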

The other technique that we’re going to introduce here is cross-site scripting (XSS). XSS is a technique used to inject malicious code in a webpage, exploiting security vulnerabilities of web applications. This kind of attack is possible where the web application is processing data obtained through user input and without any further check or validation before returning it to the final user. You can find some examples of cross-site scripting at the Web Application Security Consortium.

There are many ways of securing a web application against this technique. Some easy actions that can be taken include:

-Stripping the input that can be inserted in a form (for example, see the strip_tags function in PHP);
-Using data encoding to avoid direct injection of potentially malicious characters (for example, see the htmlspecialchars function in PHP);
-Creating a layer between data input and the back end to avoid direct injection of code in the application.
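A comparison of the first two actions when user input is echoed back into an HTML attribute. This is an added example, not code from the original article; the helper names and sample inputs are constructed, and the DOM parse is only there to show which attributes a browser would see.

```php
<?php
// Added example: hypothetical helper names, constructed inputs.

// strip_tags removes markup but leaves quote characters untouched.
function renderStripped(string $input): string
{
    return '<input name="q" value="' . strip_tags($input) . '">';
}

// htmlspecialchars turns &, <, >, " and ' into entities at output time.
function renderEncoded(string $input): string
{
    $safe = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input name="q" value="' . $safe . '">';
}

// Parse the rendered markup and list the attributes a browser would see.
function attributeNames(string $html): string
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $names = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    return implode(',', $names);
}

$samples = ['plain text', '<script>alert(1)</script>', '" onfocus="alert(1)'];
foreach ($samples as $s) {
    printf("%-26s stripped: %-18s encoded: %s\n", $s,
        attributeNames(renderStripped($s)), attributeNames(renderEncoded($s)));
}
```

For the third input the stripped version gains an extra onfocus attribute because strip_tags does not touch quotes, while the encoded version keeps only name and value. Encoding at the point of output is the check to rely on; stripping is a supplement.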

SQL injection and cross-site scripting are only two of the many techniques used by hackers to attack and exploit innocent sites.

As a general security guideline, it’s important to always stay updated on security issues and, in particular when using third party software, to make sure you’ve installed the latest available version. Many web applications are built around big communities, offering constant support and updates.
To give a few examples, four of the biggest communities of Open Source content management systems—Joomla, WordPress, PHP-Nuke, and Drupal—offer useful guidelines on security on their websites and host big community-driven forums where users can escalate issues and ask for support.
For instance, in the Hardening WordPress section of its website, WordPress offers comprehensive documentation on how to strengthen the security of its CMS. Joomla offers many resources regarding security, in particular a Security Checklist with a comprehensive list of actions webmasters should take to improve the security of a website based on Joomla. On Drupal’s site, you can access information about security issues by going to their Security section. You can also subscribe to their security mailing list to be constantly updated on ongoing issues. PHP-Nuke offers some documentation about Security in chapter 23 of their How to section, dedicated to the system management of this CMS platform. They also have a section called Hacked – Now what? that offers guidelines to solve issues related to hacking.


If you’re not already familiar with the site: search operator, it’s a way to query Google by restricting your search to a specific site.
For example, the search site:googleblog.blogspot.com will only return results from the Official Google Blog. When adding spammy keywords to this type of query, Google will return all the indexed pages of your website that contain those spammy keywords and that are, with high probability, hacked. To check these suspicious pages, just open the cached version proposed by Google and you will be able to spot the hacked behavior, if any. You could then clean up your compromised pages and also check for any anomalies in the configuration files of your server (for example on Apache web servers: .htaccess and httpd.conf).
If your site doesn’t show up in Google’s search results anymore, it could mean that Google has already spotted bad practices on your site as a result of the hacking and may have temporarily removed it from its index, due to infringement of its webmaster quality guidelines.

Here are seven simple, effective steps that small business owners and network administrators can take to protect their systems.

Implement a firewall — A firewall is a barrier that keeps hackers and viruses out of computer networks. Firewalls intercept network traffic and allow only authorized data to pass through.

Develop a corporate security policy – Establish a corporate security policy that details practices to secure the network. The policy should direct employees to choose unique passwords that are a combination of letters and numbers. Passwords should be changed every 90 days to limit hackers’ ability to gain possession of a functioning password. When someone leaves the company, immediately delete the user name and password. The corporate policy should outline consequences for network tampering and unauthorized entry.

Install anti-virus software — All computers should run the most recent version of an anti-virus protection subscription. Ideally a server should be configured to push virus updates out periodically to all client systems. Employees should be educated about viruses and discouraged from opening e-mail attachments or e-mail from unknown senders.

Keep operating systems up to date — Upgrade operating systems frequently and regularly install the latest patches or versions of software, which are often free over the Web. If you use Microsoft Windows, check www.windowsupdate.com periodically for the latest patches. Vulnerabilities in Java and Adobe are well-known exploit paths for malware writers, so it is just as critical that these software applications are kept up to date. I recommend visiting Secunia Online Software Inspector to scan for out-of-date software applications.

Don’t run unnecessary network services — When installing systems, any non-essential features should be disabled. If a feature is installed but not actively used, it is less likely to be updated regularly, presenting a larger security threat. Also, allow only the software employees need to do their job effectively.

Conduct a vulnerability test — Conducting a vulnerability test is a cost-effective way to evaluate the current security program. This test highlights flaws and limitations in the program, and experts can offer suggestions for improvement. The best method for conducting a vulnerability test is to contact a computer consulting company and provide access to your system for a day or two. This will provide ample time for network appraisal and follow-up discussion and planning.

Keep informed about network security — Numerous books, magazines and online resources offer information about effective security tools and “lessons learned.” Also, the Web provides ample and very current information about security – type in the key words “network security.”

If you invited someone to try and crack your password, you know the one that you use over and over for like every web page you visit, how many guesses would it take before they got it?

This Top-10 list is easier to obtain than you think.

  1. The last 4 digits of your social security number.
  2. 123 or 1234 or 123456.
  3. “password”
  4. Your city, or college, football team name.
  5. Date of birth – yours, your partner’s or your child’s.
  6. “god”
  7. “letmein”
  8. “money”
  9. “love”

Statistically speaking that should probably cover about 20% of you. But don’t worry. If they didn’t get it yet it will probably only take a few more minutes before they do…

Hackers, and I’m not talking about the ethical kind, have developed a whole range of tools to get at your personal data. And the main impediment standing between your information remaining safe, or leaking out, is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.)

One of the simplest ways to gain access to your information is through the use of a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials.
Insecure.org has a list of the Top 10 FREE Password Crackers.

So, how would one use this process to actually breach your personal security? Simple. Follow my logic:

-You probably use the same password for lots of stuff right?
-Some sites you access such as your Bank or work VPN probably have pretty decent security, so I’m not going to attack them.
-However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you’ve shopped at might not be as well prepared. So those are the ones I’d work on.
-So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible. Once we’ve got several login+password pairings we can then go back and test them on targeted sites. But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache. (Read this post to remedy that problem.)

Assuming the hacker has a reasonably fast connection and PC here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it’s just a matter of time before the computer runs through all the possibilities – or gets shut down trying.

Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.
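The arithmetic behind an estimate like this, as an added example that is not part of the original article. The guess rate of 1,000,000 per second and the 95-character printable ASCII set are assumptions chosen because they reproduce the two figures quoted above for an 8 character password; the function names are hypothetical.

```php
<?php
// Added example. Assumed: 1,000,000 guesses per second and 95 printable ASCII
// characters; together they reproduce the 2.4 days and 2.1 centuries above.
const GUESSES_PER_SECOND = 1000000;
const CHARSETS = ['lowercase only' => 26, 'all printable' => 95];

// Worst-case time to try every password of exactly $length characters.
function secondsToExhaust(int $charsetSize, int $length): float
{
    return ($charsetSize ** $length) / GUESSES_PER_SECOND;
}

// Express a duration in the largest unit that fits (a century = 100 x 365 days).
function humanize(float $seconds): string
{
    $units = ['centuries' => 3153600000, 'years' => 31536000,
              'days' => 86400, 'hours' => 3600, 'minutes' => 60];
    foreach ($units as $name => $size) {
        if ($seconds >= $size) {
            return sprintf('%.1f %s', $seconds / $size, $name);
        }
    }
    return sprintf('%.1f seconds', $seconds);
}

printf("%-7s", 'length');
foreach (CHARSETS as $label => $size) {
    printf("%-24s", $label);
}
echo "\n";
for ($length = 4; $length <= 10; $length++) {
    printf("%-7d", $length);
    foreach (CHARSETS as $size) {
        printf("%-24s", humanize(secondsToExhaust($size, $length)));
    }
    echo "\n";
}
```

Each extra character multiplies the search time by the character-set size, so length and character variety compound: the row for length 8 shows 2.4 days against 2.1 centuries.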

© 2009 techsupportforum.com

Filed under Security.
  • Prasadpaulson

    The best way and the most secure option for preventing hacking is opening websites which we are sure of.