Gadgets Hack Mobile

Hack Windows Password in 2 Minutes

At least, that is how long it would take me to hack into any Microsoft Windows account – 2 minutes! Very worrisome, isn’t it? Goes to show that anyone who thinks his data is safe just because it is tucked away in a password-protected Windows account really needs to have a rethink.

I will not go through the process of how to go about hacking a Windows account here, sorry, but a quick search on the Internet would give you a number of options you can use.

So does it mean all hope of having a secured Windows Operating System is lost? Far from it!

One quick option that is within the reach of just about anyone is the use of a BIOS password.

A BIOS password can be very effective at controlling access to your personal computer. All you need to do is access the setup menu of your laptop and enable the BIOS password. Subsequently, once you switch on your PC – at the hardware level – you are prompted to enter a password before any operating system boots. If the computer won’t boot up until a password is entered, it is effectively useless to most would-be opportunist hackers or other intruders.

However, the BIOS password is not hack-proof. A determined hacker can still use online resources to hack the password, or may just extract the hard drive from the laptop, insert it into another and hack away.

Another option is creating vaults within your hard-drive using tools like Steganos Safe software. The software allows you to protect your data in several ways. It enables you to create a secure area on your hard-drive or on removable media such as a USB key. It works just like a real vault, protecting all of your data from unauthorized third-party access. Without the right password, nobody can retrieve the contents. You can read more about this software here.

Lastly, we have Microsoft’s own BitLocker. Probably the most secure of the lot, BitLocker Drive Encryption is a full-disk encryption feature included with the Ultimate and Enterprise editions of Microsoft’s Windows Vista and Windows 7, and with the Pro and Enterprise editions of Windows 8 desktop operating systems. The latest version of BitLocker, included in Windows 7 and Windows 8, adds the ability to also encrypt removable drives, as described here.

BitLocker is an effective and essential tool for protecting sensitive data; it addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.

BitLocker lets you encrypt your hard drives, protecting them from offline attack. This is the type of attack where a malicious user takes the hard drive from your mobile machine and connects it to another machine so they can harvest your data. BitLocker also protects your data if a malicious user boots from an alternate operating system. With either attack method, BitLocker’s encryption ensures that someone with physical access to the drive finds it unreadable.

Now, if there is a need to harvest data from a hard drive when a machine fails, there are tools you can use which will prompt the admin for the recovery key that was generated when BitLocker was enabled on the drive.

Note that BitLocker does not protect the computer’s contents while Windows is running. BitLocker was specifically built to counter offline attacks.

For those without these versions of Windows, you may consider drive encryption software like DiskCryptor or TrueCrypt.

There are still many more data security options out there not mentioned but the ones listed are very much tested and so far, trusted. No one knows tomorrow though. 🙁


Should I Say Yes … Should I Say No?

I have held back from rooting my Samsung S3 phone for this long because of the new feature Samsung has introduced into its devices, called Flash Count.

The flash count feature is available on the Samsung Galaxy “S” and “Note” series and basically records the number of times your device has been rooted or flashed with custom or cooked ROMs (Non Official builds of Android OS).

The flash count is definitely not a good thing, as only the device manufacturer stands to benefit from it. The reason is that manufacturers want a way to keep tabs on compulsive “flashers” who stand a good chance of bricking their devices in the process and passing it off as a manufacturer defect. Flashing your device in any way voids your warranty, but “hacking” enthusiasts have always found a way of getting round this without Samsung being any the wiser – until now.

And worse still, Samsung keeps making improvements against resetting the flash counter, so much so that there is no guarantee that apps like Triangle Away will successfully reset the counter back to zero on your device.

Not that the flash count affects the performance of your device in any way, nor is the notification displayed visibly anywhere; however, there may be users who wish to return to stock in order either to sell or exchange. This would definitely impact negatively on the resale value if selling to someone who knows about this.

Also, any claim on warranty from the manufacturer would be disregarded. With the rising popularity of modifying Android phones, service center technicians have learned to check for an extra something that may result in their returning your device to you unfixed or sending you an invoice for the repairs.

Knowing this, do I still go ahead and root my device?

For me, the need to root my S3 is borne out of the following:

– To be able to uninstall all the bloatware (promotional, mostly unnecessary software) T-Mobile included in its Samsung S3 variant, the T999.
– To have elevated access for software that requires root. Backup apps like Titanium Backup, used to restore apps/data easily, come to mind.
– Browsing the file systems of my device.
– Flashing modified ROMs to enhance device performance.

I have never been one to shy away from undertakings like this, so why start now? Ummh, but there is always this nagging fear when you know a task you are about to undertake has the possibility of turning your device into the most expensive paperweight, ever.

“My mind tells me one thing
Should I listen to my heart
Should I say yes, should I say no”



Jesus Saves?

Oh yes, I do believe, unreservedly, that Jesus saves. But like a “doubting Thomas”, I seriously doubt if he would do much to help you when it comes to protecting you from having your online identities hijacked – that is, if you use his name as your password.

Splashdata, a leading provider of password management applications for over 10 years, has just released its list of the 25 worst passwords for 2012, and the name of our Lord, JESUS, was listed as Number 21.

In a year with several high-profile password hacking incidents at major sites including Sony, Yahoo, LinkedIn and eHarmony, SplashData’s list of frequently used passwords shows that many people continue to put themselves at risk by using weak, easily guessable passwords.

SplashData’s top 25 list was compiled from files containing millions of stolen passwords posted online by hackers. The company advises consumers or businesses using any of the passwords on the list to change them immediately.

Compared with last year’s list, below are the worst passwords for 2012:

1. password (Unchanged)
2. 123456 (Unchanged)
3. 12345678 (Unchanged)
4. abc123 (Up 1)
5. qwerty (Down 1)
6. monkey (Unchanged)
7. letmein (Up 1)
8. dragon (Up 2)
9. 111111 (Up 3)
10. baseball (Up 1)
11. iloveyou (Up 2)
12. trustno1 (Down 3)
13. 1234567 (Down 6)
14. sunshine (Up 1)
15. master (Down 1)
16. 123123 (Up 4)
17. welcome (New)
18. shadow (Up 1)
19. ashley (Down 3)
20. football (Up 5)
21. jesus (New)
22. michael (Up 2)
23. ninja (New)
24. mustang (New)
25. password1 (New)


To Root, Or Not To Root, That Is The Question!

The arguments for or against hacking your mobile device to gain elevated access have been raging for a decade or so now. Things probably became more heated with the advent of Apple iOS and, especially, the Android platform, where most consider rooting your Android device unsafe and unnecessary. I think it is time we put a lid on things, as it is beginning to get pretty boring (yawn).

The facts are very clear. The decision to root your device or not boils down to one single thing – YOU!

Many are content with the stock ROM that came with their devices and absolutely see no reason to change anything. It’s all good. Also, chances are that there are even more people out there that do not even know what rooting/jailbreaking is all about.

However, for the few who feel the need to push their devices to the limit, demanding from their devices their God-given (or is it man-given?) capability, with the need to circumvent the manufacturer’s commercially motivated restrictions, there is only one option – ROOT!

I consider myself a power user and have been one for close to a decade now. Right from the early days of the Symbian platform in Nigeria, through Windows Mobile and lately Apple iOS, I have fully familiarized myself with the very simple process of gaining elevated access on these platforms, and I fully understand the risks and the advantages it confers.

In simple terms, I liken rooting a mobile device to gaining administrator access to a PC: it has its risks and advantages. You may read more about that here.

Apart from my compulsive desire to fully own what I broke my piggy bank to pay for (Paid almost $500 for my Toshiba Thrive. I live in a Third World country, Nigeria. We live on less than a dollar a day!), the perpetual habit of manufacturers to stuff unnecessary and very irritating bundled apps with our device makes rooting a very attractive option because it is only via rooting that you can uninstall them, recovering your valuable internal storage.

Take for example the trial version of Kaspersky that is bundled with the Toshiba Thrive. I do not wish to pay for it but, unfortunately, installing another antivirus on the tablet may cause a software conflict. So root, I did.

And talking about alternatives to apps that require root, let us not kid ourselves: they simply cannot do the job as well.

For example, there are a myriad of apps for use in backing up your app installation files. In fact, it is even possible to do this with the aid of just a file explorer. But the thing is, all you get done is backing up just the installation file (.apk) because you need to root your device to be able to save your app data and settings.

Rooting is not for everyone, and I fully understand why most may not find this option attractive – the fear of bricking your device. Only God knows how many days you had to go without your dollar-a-day ration to save up to buy your device.

Let’s leave it to the real men to deal with.

I rest my case.

Hack Hosting

How To Secure Your WordPress Blog – Part 2

Experts believe that the best way to secure your WordPress installation is by writing your own code rather than using off-the-shelf code, known as plugins.

While this may be true, not many possess the skills of writing codes for WordPress. Chances are, you may even be barely capable of finding your way round the blogging platform itself.

However, not all of these coding techniques require a knowledge of nuclear science to apply to your blog; I will list some that just about anyone can try on their own.


Studies have shown that a high number of malicious hacking attempts originate from a number of Arab countries. So why leave your blog open to them? Chances are your blog was never intended for their consumption anyway.

There are two options to choose from:

Restrict access to your blog to only selected country / countries or deny a number of countries access.

Allowing Access To Your Blog To Selected Countries

– From your Control Panel (cPanel), click on “File Manager”.
– Ensure “Show Hidden Files (dotfiles).” is ticked. You will be taken directly to your root folder.
– Look for the file called “.htaccess”.
– Right click on this file and select “Edit”.
– Open another tab in your browser, navigate to
– Select Nigeria from the list of countries. You may click on more countries to extend access to those countries.
– Under the drop-down menu labelled “Output Format”, select “Apache .htaccess allow”.
– Click “download” to download a file labelled “cidr”.
– Right click on the downloaded file and open it with “WordPad”. DO NOT USE NOTEPAD.
– Copy the content of this file and paste it into your .htaccess file, after the last entries there – if any.
– Save and close.
– Now your site can only be accessed from Nigeria or whatever countries you selected.

NOTE: If you do not see a .htaccess file in your root folder, first confirm that “Show Hidden Files (dotfiles).” is enabled in your file manager. If it is, then you will have to create the file yourself:

– Open Notepad
– Go to “Save as type”, choose ” All Files”
– Under Filename, type .htaccess
– Save.
– Copy the content of the downloaded “cidr” file to your .htaccess file
– Save
– Upload to your root folder using your cPanel file manager
– Right click on this file and change permission to 0644.

Denying Access To Selected Countries

– From your Control Panel (cPanel), click on “File Manager”.
– Ensure “Show Hidden Files (dotfiles).” is ticked. You will be taken directly to your root folder.
– Look for the file called “.htaccess”.
– Right click on this file and select “Edit”.
– Open another tab in your browser, navigate to
– Select the countries you want to block. I suggest including Morocco, Turkey, Algeria, Russia.
– Under the drop-down menu labelled “Output Format”, select “Apache .htaccess deny”.
– Click “download” to download a file labelled “cidr”.
– Right click on the downloaded file and open it with “WordPad”. DO NOT USE NOTEPAD.
– Copy the content of this file and paste it into your .htaccess file, after the last entries there – if any.
– Save and close.
– Now your site cannot be accessed from the countries you selected.

NOTE: If you do not see a .htaccess file in your root folder, first confirm that “Show Hidden Files (dotfiles).” is enabled in your file manager. If it is, then you will have to create the file yourself:

– Open Notepad
– Go to “Save as type”, choose ” All Files”
– Under Filename, type .htaccess
– Save.
– Copy the content of the downloaded “cidr” file to your .htaccess file
– Save
– Upload to your root folder using your cPanel file manager
– Right click on this file and change permission to 0644.
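The two procedures above paste a generated block of `Allow from` / `Deny from` lines into .htaccess. The following added example (not from the original post or from the generator site) renders both the Apache 2.2 form those generators emit and the Apache 2.4 `Require ip` equivalent from the same CIDR list, and predicts what the rules will do for a given client address, so you can sanity-check the block before uploading it. The CIDR ranges are constructed documentation ranges, not real country allocations.

```python
import ipaddress

# Constructed sample CIDR blocks standing in for the downloaded "cidr" file;
# these are documentation ranges, not real country allocations.
SAMPLE_CIDRS = ["203.0.113.0/24", "198.51.100.0/25", "2001:db8::/32"]


def htaccess_rules(cidrs, mode):
    """Render the .htaccess block for a country allow-list ("allow") or
    block-list ("deny").

    Returns a pair: the Apache 2.2 mod_access form (Order/Allow/Deny, the
    syntax the generator's "Apache .htaccess allow/deny" output uses) and
    the Apache 2.4 mod_authz_core form (Require ip). A 2.4 server without
    mod_access_compat loaded ignores the legacy directives entirely.
    """
    nets = [str(ipaddress.ip_network(c, strict=False)) for c in cidrs]
    if mode == "allow":
        legacy = ["Order Deny,Allow", "Deny from all"]
        legacy += [f"Allow from {n}" for n in nets]
        modern = ["<RequireAny>"]
        modern += [f"    Require ip {n}" for n in nets]
        modern.append("</RequireAny>")
    elif mode == "deny":
        legacy = ["Order Allow,Deny", "Allow from all"]
        legacy += [f"Deny from {n}" for n in nets]
        modern = ["<RequireAll>", "    Require all granted"]
        modern += [f"    Require not ip {n}" for n in nets]
        modern.append("</RequireAll>")
    else:
        raise ValueError("mode must be 'allow' or 'deny'")
    return "\n".join(legacy) + "\n", "\n".join(modern) + "\n"


def is_permitted(client_ip, cidrs, mode):
    """Predict what the rendered rules do for one client address.

    Apache matches the TCP peer address, so behind a CDN or reverse proxy
    that is the proxy's address unless mod_remoteip is configured; that is
    the usual reason a freshly pasted geo-block appears to do nothing.
    """
    addr = ipaddress.ip_address(client_ip)
    listed = any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)
    return listed if mode == "allow" else not listed


if __name__ == "__main__":
    legacy, modern = htaccess_rules(SAMPLE_CIDRS, "allow")
    print(legacy)
    print(modern)
    for ip in ("203.0.113.7", "192.0.2.1"):
        verdict = "allowed" if is_permitted(ip, SAMPLE_CIDRS, "allow") else "blocked"
        print(ip, verdict)
```

Two things worth checking before relying on such a block: which Apache version the host runs (cPanel hosts on 2.4 often keep mod_access_compat enabled, but not always), and whether the site sits behind a proxy or CDN, in which case the address Apache sees is not the visitor's. Country lists are also only as good as the allocation data they were generated from and do nothing against a visitor using a VPN or proxy inside an allowed country, so treat this as a noise filter, not as an access control.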


While backups may not be viewed as a security technique, they are the best way of securing your site. The truth is, no website is hack-proof if hackers are determined enough. Not even the high-profile companies with millions budgeted for website security have been spared. Yeah, ask Sony, Fox, Warner Bros, CBS and, lately, LinkedIn. This list is not exhaustive. So what if these guys don’t have their website backed up? Note that with your backups, your website can be up again in minutes.

The latest trend, nowadays, is for hackers not to deface your site but to use it for phishing.

To back up your site,

Option 1

– From your cPanel, under “Files”, click “Backups”
– Under “Full Backup”, click “Download or Generate a Full Website Backup”
– Under “Backup Directory”, select “Home Directory” from the dropdown menu
– You may insert your email address to be notified when the backup has been concluded.
– Navigate to your root folder, not “public_html”, you would see your backup in “tar.gz” compressed format
– Download to your local PC.

Option 2

Alternatively, you may back up to a remote location. It may be another shared hosting account or, preferably, Amazon S3.

Option 3

– Go to your WordPress Admin Page
– Under “Tools”, select “Export”
– Under “Choose what to export”, select “All Content”
– Click “Download Export File”

This will download, to your local PC, all of your posts, pages, comments, custom fields, terms, navigation menus and custom posts.

Your images will not be downloaded! It is advisable to upload and access your images from third-party sites like Flickr, Dropbox, Box, etc. That way, your images will be preserved when you are restoring your backup.
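A backup that has never been read back is only a hope. As an added example (not part of the original post and not cPanel's own tooling), the script below packs a site directory into the same tar.gz shape cPanel's full backup produces, records a SHA-256 manifest of every file, and then verifies the archive against that manifest without extracting it to disk. The sample site tree is constructed inside a temporary directory; the file names mimic a WordPress docroot but contain placeholder data only.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_stream(fileobj):
    """Hash a readable binary stream in 64 KiB chunks."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(65536), b""):
        h.update(chunk)
    return h.hexdigest()


def backup_site(site_dir, archive_path):
    """Pack site_dir into a tar.gz and return a manifest {relative_path: sha256}
    covering every regular file that went in."""
    site_dir = Path(site_dir)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(site_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(site_dir).as_posix()
                with open(p, "rb") as f:
                    manifest[rel] = sha256_stream(f)
                tar.add(str(p), arcname=rel)
    return manifest


def verify_backup(archive_path, manifest):
    """Read each member back out of the archive (never extracting to disk) and
    compare it with the manifest. Returns a list of problems; an empty list
    means every recorded file is present with the expected content."""
    problems = []
    seen = set()
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            seen.add(member.name)
            expected = manifest.get(member.name)
            if expected is None:
                problems.append(f"unexpected member: {member.name}")
                continue
            with tar.extractfile(member) as f:
                if sha256_stream(f) != expected:
                    problems.append(f"hash mismatch: {member.name}")
    for rel in manifest:
        if rel not in seen:
            problems.append(f"missing from archive: {rel}")
    return problems


def make_sample_site(root):
    """Constructed stand-in for a WordPress docroot; placeholder content only."""
    root = Path(root)
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "wp-config.php").write_text("<?php /* constructed placeholder */\n")
    (root / ".htaccess").write_text("# constructed placeholder\n")
    (root / "wp-content" / "uploads" / "logo.png").write_bytes(
        b"\x89PNG\r\n\x1a\n" + b"\0" * 64
    )


def demo(tamper=False):
    """Back up the constructed site and verify it. With tamper=True the
    manifest entry for wp-config.php is altered, which is what a file that
    changed after the backup looks like. Returns (file_count, problems)."""
    with tempfile.TemporaryDirectory() as work:
        site = Path(work) / "public_html"
        make_sample_site(site)
        archive = Path(work) / "backup.tar.gz"
        manifest = backup_site(site, archive)
        if tamper:
            manifest["wp-config.php"] = "0" * 64
        return len(manifest), verify_backup(archive, manifest)


if __name__ == "__main__":
    print(demo())
    print(demo(tamper=True))
```

Keep the manifest beside the archive at the remote location and re-run the verification after every copy; a "backup completed" email from cPanel says nothing about whether the bytes that arrived at Amazon S3 are the bytes that left. Also remember that wp-config.php inside the archive carries the database credentials, so the archive deserves the same access restrictions as the live site.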

3. Delete Admin User

You will be shocked at the number of “bots” out there, carrying out “brute force” password hacking on the default WordPress Administrative account, “admin”.

– Go to your WordPress Admin Page
– Under “Users”, select “All Users”
– Create a new user, give it a very unique username
– Grant it Administrator role
– Give it a strong password, at least twelve characters long. To make it stronger, use a mix of upper and lower case letters, numbers and symbols like ! ” ? $ % ^ &
– Log in to your blog, now using this new user account
– Delete the admin account.
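The SplashData list earlier on this page and the password rule in the step above (twelve characters, mixed case, digits and symbols) can be turned into a check that runs before a new administrator account is created. The following is an added example, not code from the original post or from WordPress; the leet-substitution table and the choice to flag fewer than three character classes are this example's own assumptions.

```python
import string

# The 25 entries from SplashData's 2012 list as reproduced in the post above.
WORST_PASSWORDS_2012 = {
    "password", "123456", "12345678", "abc123", "qwerty", "monkey",
    "letmein", "dragon", "111111", "baseball", "iloveyou", "trustno1",
    "1234567", "sunshine", "master", "123123", "welcome", "shadow",
    "ashley", "football", "jesus", "michael", "ninja", "mustang",
    "password1",
}

# Common substitutions people use to dress up a dictionary word; this table
# is an assumption of the example, not something the post prescribes.
LEET = str.maketrans("@$013!", "asolei")


def looks_like_blocklisted(pw):
    """True if the password, or the dictionary word it is built from, is on
    the worst-passwords list. Trailing digits/symbols are stripped and common
    leet substitutions undone, so "Password1!" and "P@ssw0rd" are caught."""
    lowered = pw.lower()
    stripped = lowered.rstrip(string.digits + string.punctuation)
    candidates = {lowered, stripped, lowered.translate(LEET), stripped.translate(LEET)}
    return any(c in WORST_PASSWORDS_2012 for c in candidates)


def check_password(pw, username=None):
    """Apply the post's rules (twelve characters minimum; a mix of upper,
    lower, digits and symbols) plus the blocklist. Returns the list of
    problems found; an empty list means the password passes."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    if sum(classes) < 3:
        problems.append("use at least three of: lower, upper, digits, symbols")
    if looks_like_blocklisted(pw):
        problems.append("too close to a known worst-password")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    for candidate in ("Password1!", "trustno1", "Zq7#vLp2!mXe9r"):
        print(candidate, check_password(candidate) or "OK")
```

The 25-entry list is only an illustration; a real deployment should check against a much larger corpus of leaked passwords. Against the bots described above, which guess the "admin" account in bulk, limiting failed login attempts per source address matters at least as much as the password rule itself.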

Next, we do a rundown of recommended plugins. Stay tuned!

Hosting Compromised

21st May 2012 – Status Update

Dear All,

It may be a little early for this post since, at this time, our web hosting provider is still investigating and looking into exactly what happened, and why, and has yet to report back to us. But here is what we know at this point in time.

A little over 4 hours ago our main server was compromised. This server hosts our main website and WHMCS installation.

What we know for sure

1. Our server was compromised by a malicious user that proceeded to delete all files
2. We have lost new orders placed within the previous 17 hours
3. We have lost any tickets or replies submitted within the previous 17 hours

What may be at risk

1. The database appears to have been accessed
2. client area passwords are stored in a hash format (as with all WHMCS installations by default) and so are safe
3. Credit card information although encrypted in the database may be at risk
4. Any support ticket content may be at risk – so if you’ve recently submitted any login details in tickets to us, and have not yet changed them again following resolution of the ticket, we recommend changing them now.

At this time there is still no evidence to suggest that this compromise actually originated through the WHMCS software itself. This was not merely a WHMCS system access, and since we do not provide hosting ourselves, our WHMCS is not hooked up in any way to our server.

We would like to offer our sincere apologies for any inconvenience caused. We appreciate your support, now more than ever in this challenging time.

Once again, we strongly urge all users to cycle all their passwords, not just for WHMCS, but for any associated services that may have been provided to us at any point in time.

As soon as we know more, we will post further updates.


21st May 2012 – Further Update

Following an initial investigation I can report that what occurred today was the result of a social engineering attack.

The person was able to impersonate myself with our web hosting company, and provide correct answers to their verification questions. And thereby gain access to our client account with the host, and ultimately change the email and then request a mailing of the access details.

This means that there was no actual hacking of our server. They were ultimately given the access details.

This is obviously a terrible situation, and very unfortunate, but rest assured that this was no issue or vulnerability with the WHMCS software itself.

We are immediately reviewing all of our hosting arrangements, and will be migrating to a new setup at the earliest opportunity.

I would like to take this opportunity to thank all of you who have sent in messages of support, and offers of help. It has clearly been a very stressful time, and I thank everyone both personally and on behalf of WHMCS for their loyalty and support.

The matter is now in the hands of the FBI.


Additional information:

The WHMCS database has been released publicly – if they had (through a support ticket or whatnot) any of your login/cPanel information, you should change the passwords on your server ASAP! Also you may want to monitor your credit card usage or contact your credit card company if WHMCS had this information on file. Read more on WHT @


The Most Infamous Computer Hackers in History

The invention of the computer brought much good and innovation; however, there are always those that like to go against the grain – cue the computer hacker! Below is a list of some of the most notorious computer hacks and hackers in history; men that have used the power of the computer to wreak havoc in one way or another.

THE HACKER: Onel de Guzman
THE HACK: The ILOVEYOU computer worm distributed through e-mail
THE RESULT: More than 50 million reported infections across the world with billions of dollars in damage and overwritten files.

On May 4, 2000 much of the world woke to an e-mail in their inbox with the subject line “ILOVEYOU: A Love Letter for You.” What looked innocent enough was actually an extremely malicious computer worm, created by Onel de Guzman, that when opened, would ransack your system, overwriting important files on workstations and accessible servers.

Worse yet, the worm would send a copy of itself to the first 50 contacts in the victim’s address book, which allowed the worm to spread across the entire world in just one day, infecting more than 50 million computers in total, including units within the Pentagon and the CIA.

Although ILOVEYOU caused approximately $5.5 billion in damages, because it was written specifically for Outlook, the damages were only incurred by those running the Microsoft Windows operating system – imagine the damage if the worm could have affected other operating systems!


THE HACKER: Jonathan James
THE HACK: Accessed vital DTRA and NASA computer servers “for fun”
THE RESULT: 10 military computers were hacked which led to an overhaul of government security systems and $41,000 in damages.

Jonathan James, also known as c0mrade, is one of the most interesting hackers in history because he not only targeted some of the most major government agencies but also because he was only 16 at the time of his arrest – making him the first juvenile to be imprisoned for hacking!

Motivated simply by the challenge of seeing what he could pull off, James created a backdoor into a Defense Threat Reduction Agency server that was responsible for monitoring the threat of weapons of mass destruction, intercepted over 3,000 messages between DTRA employees and gained control of passwords to at least 10 military computers. He also worked his way into the very NASA server that controlled the physical environment (temperature and humidity) of the International Space Station. Although he didn’t aim to do any harm, his ability to infiltrate NASA’s mainframe forced a $41,000 shutdown of their system and an overhaul of security systems.


THE HACKER: TiGER-M@TE
THE HACK: InMotion/Web Hosting Hub Defacement
THE RESULT: Over 700,000 websites were hacked and defaced.

Having already been successful in hacking and defacing the Google Bangladesh website, a crafty Bangladeshi hacker known as TiGER-M@TE managed to access the entire data center of the InMotion Web Hosting network, accessing and defacing over 700,000 websites and sub-directories in the process. More specifically, TiGER-M@TE replaced the index.php file on each site, which in turn altered each site’s home page, making each site a billboard of his exploits that read: HACKED: Server hacked by TiGER-M@TE — #Bangladeshi Hacker.

In a rather non-apologetic statement, TiGER-M@TE’s response to the incident boasted, “I hack 700,000 websites in one shot, this may be a new world Record.”


THE HACKER: Gary McKinnon
THE HACK: Accessed vital U.S. Military and NASA computer servers
THE RESULT: He accessed 97 NASA computers and deleted operating files that caused an additional 2,000 military computers to fail.

For as many times as NASA has been hacked, you’d think that they’d have a better security system in place; however, in their defense, they’re the target of the most talented hackers on the planet – Gary McKinnon is no exception. Having been described by a prosecutor as the “biggest military hacker of all time,” McKinnon is an infamous British hacker with Asperger’s Syndrome who managed to crack the code of NASA’s computer system while in search of evidence supporting the existence of UFOs. It is said that he hacked 97 NASA computers and deleted operating files that caused the failure of over 2,000 military computers before he was arrested in 2002.


THE HACKER: Vladimir Levin
THE HACK: Intercepted Citibank’s dial-up wire transfer accounts
THE RESULT: $11 million intercepted, $10 million never recovered

Throughout the 90s Vladimir Levin dabbled in many computer hacking schemes but his most notable (by a long shot) was when he successfully tapped into the dial-up wire transfers between Citibank and their most valued corporate customers, intercepting the signal and transferring the funds into various foreign accounts in the process. Before he was arrested in 1995, Levin successfully stole roughly $10.7 million from Citibank, however, when all was said and done, of all the money that was taken, only $400,000 was ever recovered and returned – meaning Levin pirated his way to over $10 million in plunder!


THE HACKER: Anonymous
THE HACK: HostGator cPanel
THE RESULT: 200 servers hacked to re-direct visitors to malicious third-party site where Trojan virus was then planted

In 2006, an anonymous hacker managed to gain access to more than 200 HostGator system servers and all of their client sites through an unsecured section of the host’s cPanel. By exploiting an “unpatched VML security hole” within Internet Explorer, the hacker was able to redirect all incoming traffic to a third-party website that would then infect web surfers’ computers with a malicious Trojan virus.

To further complicate the issue, even after HostGator identified the problem and eradicated all of the malicious code, the hack would automatically regenerate; causing the host company to have to repeat the correctional process, until it was ultimately forced to reconfigure all of its 200 servers.


THE HACKER: Robert Morris
THE HACK: The invention of the first computer worm
THE RESULT: Over 6,000 computers were rendered useless

Although he is now a respected professor at MIT, Robert Morris’ most notable notoriety comes from inventing the first computer worm, not so creatively named the Morris worm. Initially launched from MIT in 1988 to test how many computers were connected to the Internet, his worm proved to be a success, depending on whom you ask. Rendering over 6,000 computers completely useless and causing nearly a half-million dollars in damages, Morris’ worm landed him the honor of being the first individual to be tried under the American Computer Fraud and Abuse Act of 1986.


THE HACKER: Kevin Poulsen
THE HACK: Accessed FBI databases and jammed media phone lines
THE RESULT: He won a Porsche 944 S2 and was featured on TV

Working under the pseudonym Dark Dante, Kevin Poulsen is a black hat hacker that has weaseled his way into the FBI’s investigative databases and wiretap information – but that wasn’t his grand opus. Although he has been dubbed “the Hannibal Lecter of computer crime,” his most notable crime wasn’t cannibalism, it was hacking phone lines, twice.

ONE: When KIIS-FM in Los Angeles was going to give away a brand new Porsche 944 S2 to the 102nd caller, Poulsen managed to hack into the station’s phone system and successfully blocked all incoming callers but himself to ensure that he would be that caller.

TWO: After winning the Porsche, he was forced into hiding but struck again as a result of his face being plastered on the TV screen during an episode of Unsolved Mysteries. During the show the phone lines not so mysteriously jammed – of course, it was Poulsen’s work. It bought him some time but not enough, as he was eventually charged with wire, mail and computer fraud, as well as money laundering.


THE HACKER: Anonymous
THE HACK: Spread of Malware via a widget
THE RESULT: It is suspected that anywhere from 500,000 to 5 million domains were infiltrated and infected with the Malware

In 2010, a group of Chinese hackers remotely hacked into the servers and managed to spread vicious malware through the use of a fraudulent customer service pop-up widget on the host’s many domains. Although the fake widget looked innocent enough, it appeared on many of the host’s parked domains and sites that were under construction and, in turn, added banner ads to the affected sites and attempted to install malware via the Internet browser. Experts have estimated that anywhere between 500,000 and 5 million Network Solutions domains were involved in the outbreak.


THE HACKER: Joseph Thomas Colon
THE HACK: Accessed classified FBI and government employee passwords
THE RESULT: He gained access to the passwords of 38,000 government employees and sparked the spending of $600 million in security upgrades

The first disgruntled employee to land on our list is Joseph Thomas Colon, a former U.S. government consultant that was able to hack into classified government servers on his way to accessing the passwords of over 38,000 government employees – some as high up as the director of the FBI. The best part is that two free computer hacking programs that Colon downloaded off of the Internet inflicted the majority of the damage! Of course, this obviously showed chinks in the FBI’s computer security armor, therefore, the entire network came to a halt and nearly $600 million was invested to upgrade the digital security and to install 30,000 new desktop computers.


THE HACKER: Mark Zuckerberg
THE HACK: Accessed Harvard University’s private student database
THE RESULT: The invention of Facebook

In 2003, Mark Zuckerberg hacked into the protected areas of Harvard University’s computer network and used private dormitory ID photos to craft a picture-comparing program called Facemash. Because the site received 22,000 page views within the first few hours and was using unauthorized data, Harvard officials investigated the source and found that it was the work of Zuckerberg. Of course, it may not be the biggest computer hack in history in terms of size and numbers, but Mark Zuckerberg’s hack of the Harvard University student database is certainly one of the most infamous. Why? Well, because without it, we wouldn’t have Facebook.



Thanks to hacks like these and countless others, the government and private businesses alike have taken great notice in increasing cyber security threats and are therefore acting accordingly.

For example, in Nevada, a law was passed that requires all businesses to encrypt personally-identifiable customer data that is transmitted electronically, including names and credit card numbers. Further, Massachusetts requires any business that collects information about its state’s residents to encrypt the sensitive data stored on any laptop or other portable device — more than 40 states have enacted similar laws pertaining to cyber security.

In the end, each law that has already been established or that is currently under review is in an attempt to maximize the protection of our privacy and our sensitive private data, as well as, minimize the successes of the average hacker. With some basic front-line defense, the hope is that stories like the ones above can be a thing of the past.


We hope you’ve enjoyed this review of some of the most notorious hacks and hackers in history. Above all, we hope you’ve learned a lesson; computer security is of the utmost importance so make sure that your computer, your host, your server and your Internet connection are all fully secure!


TimThumb – Hacker’s Delight

While no website on the Internet can be deemed 100% safe from hackers, lately, sites based on the WordPress platform have received more than their fair share of such intrusions. WordPress is the most widely adopted content management platform, with millions of blogs and websites based on it. The relative ease of setup and administration has made the platform quite popular. This is also probably the reason why it is attractive to malicious or opportunist attackers: the “target market” available is large.

Most people assume a site has only been hacked when it is visibly defaced. Far from it: a compromised site may look exactly as it did before while it quietly serves malware or spam links to its visitors. Attackers have varied motives: financial gain, activism, curiosity or just plain fun, and some are simply malicious. Script kiddies, largely unskilled attackers who try out tools and instructions gleaned from the Internet with little understanding of how they work, mostly fall into that last group.

Usually these attackers try to exploit flaws in the code of the WordPress platform itself, typically to gain administrative access to the site and then do whatever they came to do. Over the years WordPress has improved significantly at securing the core platform. The same cannot be said of the third-party software, plugins and themes, that most of these sites depend on.

One such piece of third-party code, shipped inside many themes, is TimThumb.

TimThumb is a PHP script used for cropping, zooming and dynamically resizing images on websites. While TimThumb can be used on any website, it is ideal for blogs and other sites that use templates and themes (self-hosted WordPress blogs, for example). Using TimThumb, you can dynamically fetch a cached copy of an image and proportionally resize it to fit your blog template. Thumbnails, user profile pictures and signature images are typical places where TimThumb is used. Whilst TimThumb has found a home in WordPress themes, it is by no means limited to them; TimThumb can be used on any website to resize almost any image.

TimThumb is embedded in many premium themes and plugins. It accepts a number of parameters; which ones you use depends on your site’s requirements and on how you want to scale internal and external images.

Once the script is in place it works in the background and stores a copy of each processed image in its cache folder. So if you scale a really large image down to, say, 100 x 100 using TimThumb, a copy at exactly that size is saved in the cache folder, and that cached copy is what your visitors are served.

Here is how the TimThumb vulnerability works.

The cache directory is public: anything in it can be requested by anyone visiting the website. An attacker therefore only needs a way to make TimThumb fetch a file that contains PHP code and drop it into that directory. In vulnerable versions that was possible because TimThumb would fetch images from remote sites and only checked that the remote URL contained the name of a trusted image host, so a hostname that merely included such a name passed the check; a file that started with a valid image header but carried PHP code after it passed the image check too, and was written to the cache with its .php extension intact. Since the web server executes any file ending in .php, in the cache directory as anywhere else, the attacker’s code then runs on your server and you are trapped.
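To make the two weak checks concrete, here is an added example, written for this page in Python rather than taken from TimThumb’s PHP source. It re-creates the vulnerable allow-list test (a substring match on the URL), the image-header test that a polyglot file passes, and the cache-file naming that kept the remote file’s extension, next to hardened versions of each. The allowed-host list, the `external_` and `ext_` filename prefixes and the attacker URL are constructed for the example; the real script’s list and naming scheme differ in detail.

```python
"""Added example (not TimThumb's own code): a Python re-creation of the checks
whose weakness made the cache-directory attack possible.  The host list and the
exact filename logic are simplified assumptions, not the script's real source."""
import hashlib
from urllib.parse import urlparse

# Constructed sample of the kind of "trusted image host" list the old script used.
ALLOWED_HOSTS = ["blogger.com", "wordpress.com", "img.youtube.com", "flickr.com"]


def vulnerable_is_allowed(url: str) -> bool:
    """Old-style check: the URL only has to *contain* a trusted host name."""
    return any(host in url for host in ALLOWED_HOSTS)


def hardened_is_allowed(url: str) -> bool:
    """Parse the URL and compare the real hostname against the allow-list."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    host = parsed.hostname.lower()
    # Exact match or a genuine subdomain; "blogger.com.evil.example" fails both.
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def looks_like_image(data: bytes) -> bool:
    """Magic-byte check of the kind an image-size probe relies on.  A file that
    starts with a GIF header but carries PHP after it still passes."""
    return data.startswith((b"GIF87a", b"GIF89a", b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n"))


def vulnerable_cache_name(url: str) -> str:
    """Simplified old behaviour: the cached file keeps the extension of the remote
    file name, so a fetched shell.php is stored as external_<hash>.php, which the
    web server executes when it is requested."""
    ext = url.rsplit("/", 1)[-1].rsplit(".", 1)[-1]
    return "external_" + hashlib.sha256(url.encode()).hexdigest()[:16] + "." + ext


def hardened_cache_name(url: str) -> str:
    """Fixed behaviour: a fixed, non-executable extension regardless of the URL."""
    return "ext_" + hashlib.sha256(url.encode()).hexdigest()[:16] + ".timthumb.txt"


def simulate_fetch(url: str, body: bytes, hardened: bool) -> dict:
    """Run one remote fetch through the vulnerable or the hardened path and report
    what would end up in the public cache directory."""
    allowed = hardened_is_allowed(url) if hardened else vulnerable_is_allowed(url)
    if not allowed or not looks_like_image(body):
        return {"fetched": False, "cache_file": None, "executable": False}
    name = hardened_cache_name(url) if hardened else vulnerable_cache_name(url)
    return {"fetched": True, "cache_file": name, "executable": name.endswith(".php")}


if __name__ == "__main__":
    # Constructed attacker input: a hostname that merely contains "blogger.com"
    # and a GIF header with PHP appended (a polyglot file).
    url = "http://blogger.com.evil.example/shell.php"
    payload = b"GIF89a" + b"<?php /* attacker code */ ?>"
    print("vulnerable:", simulate_fetch(url, payload, hardened=False))
    print("hardened:  ", simulate_fetch(url, payload, hardened=True))
```

Two things carry the fix: the hostname is taken from a parsed URL and compared exactly (which also defeats the `http://blogger.com@evil.example/` user-info trick), and whatever is fetched is stored under an extension the web server will never execute, so even a file that slips past the image check is harmless on disk.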

So how do I know if I’m at risk?

Almost everyone using a copy of the TimThumb library downloaded before August 1, 2011 is likely at risk. If you are not sure whether you are using TimThumb, the easiest check is to look through your theme folders for a file called timthumb.php or thumb.php. You can do this with an FTP program or the file browser in your cPanel. You may also use the Timthumb Vulnerability Scanner plugin.
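The manual check above scales badly when a host carries many themes, so here is an added example (written for this page, not part of the original post or of any scanner plugin) that walks a copy of a wp-content directory, lists every timthumb.php or thumb.php it finds, and reads the version constant the script defines. It assumes the script declares its version with a `define('VERSION', '...')` line and treats anything below the 2.0 rewrite released in August 2011 as vulnerable; the sample directory tree it builds is constructed for the example.

```python
"""Added example (not from the original post or from TimThumb): find every copy
of timthumb.php / thumb.php under a directory and read its VERSION constant.
Assumption: versions below the 2.0 rewrite of August 2011 are vulnerable."""
import os
import re
import tempfile

TARGET_NAMES = {"timthumb.php", "thumb.php"}
# Matches lines such as:   define ('VERSION', '1.33');
VERSION_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([0-9.]+)['\"]")
FIXED_FROM = (2, 0)  # assumption: versions from 2.0 onward contain the fix


def parse_version(source: str):
    """Return the VERSION constant as a tuple of ints, or None if absent."""
    match = VERSION_RE.search(source)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def classify(version) -> str:
    """A copy with no readable version string is reported rather than ignored."""
    if version is None:
        return "unknown"
    return "vulnerable" if version < FIXED_FROM else "ok"


def scan(root: str):
    """Return sorted (relative path, version tuple, status) for each TimThumb copy."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in TARGET_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = parse_version(fh.read())
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.append((rel, version, classify(version)))
    return sorted(findings)


def build_sample_tree() -> str:
    """Constructed sample wp-content tree with three TimThumb copies (not real theme files)."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    samples = {
        "themes/old-theme/timthumb.php": "<?php\n/* TimThumb */\ndefine ('VERSION', '1.33');\n",
        "themes/new-theme/inc/thumb.php": "<?php\ndefine ('VERSION', '2.8.13');\n",
        "themes/other-theme/functions.php": "<?php // no TimThumb here\n",
        "plugins/gallery/TimThumb.php": "<?php // version string stripped out\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, version, status in scan(build_sample_tree()):
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{status:10s} {shown:8s} {rel}")
```

Run it against a real wp-content directory by calling `scan("/path/to/wp-content")` instead of the sample tree. The filename match is case-insensitive on purpose, and a copy whose version line has been stripped is reported as unknown so it gets looked at rather than silently skipped.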

Thankfully, there is a fix.

You may delete every copy of timthumb.php in your theme. Deleting the script may break certain themes, or at least change how they manage and display images. If you need TimThumb running on your site, upgrade to the latest version instead. However, if you agree with the many who argue that no script on your server should be fetching content from third-party sites at all, delete the file.




December 25, 2011 was a Christmas day like no other.

While most of you fine folks were enjoying the spirit of the festive season and probably also waiting for the next juicy post on your favourite blog, Diary of a Geek, some low-life, ne’er-do-well, anti-social, society-reject scumbag, nincompoop, scallywag script kiddie was hacking away at your favourite blog!

For security reasons, I will not go into the details of how, or the extent to which, this reject came close to pulling the blog down, but suffice it to say that if you are reading this, we must be back up! Trust me, the scumbag went all out!

To those that do not know: no website is hack-proof, no matter the resources at your disposal. You may ask Sony and Apple about their experiences. However, stupid mistakes like using a single password (as in my case) for all your website and email logins may be akin to leaving your doors ajar at night. For a non-commercial blog like Diary of a Geek, without the potential financial bounty that may be found on sites like Sony’s or Apple’s, was this scumbag just having fun? Trying to erase my hours of hard work and research into oblivion?

Yo Momma! Catch me if you can!




Free Internet Browsing

At least half of the people that click on this post would expect to find some hacking tips on how to browse the internet for free. Sorry, no hacking tips here.

However, for those that subscribe to Globacom’s cheaper internet bundles, ever tried dialling 124 to know if you are a beneficiary of Glo’s free data allocation? With a data balance of over 61GB, I doubt if I will be paying for internet access for months to come.

Glo with Pride!