Bad errors and the workarounds.

Below is a prime example of providing too much information to the visitors of your web application. With the errors shown below, an attacker can get an idea of what he or she is working with and plan out an attack. There may be links on the internet that provide details on the error codes below. A great workaround for this is to create your own custom error codes and friendly messages for when an error occurs. A bonus would be email alerts when these types of errors are generated.

<?php
// The bad pattern: raw MySQL error numbers and messages are echoed straight to the browser.
$link = mysql_connect("localhost", "mysql_user", "mysql_password");

mysql_select_db("nonexistentdb", $link);
echo mysql_errno($link) . ": " . mysql_error($link) . "\n";

mysql_select_db("kossu", $link);
mysql_query("SELECT * FROM nonexistenttable", $link);
echo mysql_errno($link) . ": " . mysql_error($link) . "\n";
?>

The above example will output something similar to:

1049: Unknown database 'nonexistentdb'
1146: Table 'kossu.nonexistenttable' doesn't exist
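The workaround described above (custom, friendly messages for the visitor, full details logged server-side and optionally emailed), as an added example that is not part of the original post. It is written in Python against the standard-library sqlite3 module to stand in for the MySQL setup shown above; the `run_query` and `demo` functions and the in-memory database are assumptions made for this illustration.

```python
import logging
import sqlite3
import uuid

log = logging.getLogger("webapp.db")

# What the visitor sees: no driver name, table name, error number or SQL text,
# only a short reference id that support staff can look up in the server log.
GENERIC_MESSAGE = "Sorry, something went wrong. Please try again later. (Reference: {ref})"


def run_query(conn, sql, params=(), alert=None):
    """Run `sql`; return (rows, None) on success or (None, friendly_message) on failure.

    The real error goes to the server log (and to `alert`, e.g. an e-mail hook)
    keyed by the reference id, so the details never reach the browser.
    """
    try:
        return conn.execute(sql, params).fetchall(), None
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:8]
        detail = f"[{ref}] {type(exc).__name__}: {exc} | sql={sql!r}"
        log.error(detail)
        if alert is not None:
            alert(detail)  # hook for the "bonus" e-mail/pager notification
        return None, GENERIC_MESSAGE.format(ref=ref)


def demo():
    """Reproduce the page's 'nonexistent table' error against a constructed in-memory database."""
    alerts = []  # constructed stand-in for an outgoing mailbox
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    ok_rows, ok_msg = run_query(conn, "SELECT name FROM users WHERE id = ?", (1,))
    bad_rows, bad_msg = run_query(conn, "SELECT * FROM nonexistenttable", alert=alerts.append)
    return ok_rows, ok_msg, bad_rows, bad_msg, alerts


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    _, _, _, shown, sent = demo()
    print("visitor sees:", shown)
    print("admin gets:  ", sent[0])
```

The visitor gets only the generic sentence and a reference id; the log line and the alert carry the exception type, the message naming the missing table, and the query, which is exactly the information the raw PHP output above hands to everyone.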


Who owns a security issue?

From my experience, the developers of the source should own the known security issue once it is identified by a group or individual. There should never be a remark about funding, resources or time from the company or individual who owns the application. My final thought is that a developer or company that sells an application should never charge a consumer/client for security patches. Those who charge for the bugs caused by their own poor coding need to be blacklisted and a list of them posted on the internet.

Home Computer Security

Here are my personal thoughts about desktop security for your home computers. Most hackers don't want to waste their time to get the one or two credit card accounts that you may have saved in a text file. Their goal is to get a large number of credit card accounts, online banking accounts, PayPal accounts or any other source of large amounts of money. Now, there may be a chance that your computer can be used as a worker bee for other remote tasks the hacker needs done. So if you think all the hackers on the internet are after your half-patched or completely unpatched PC, think bigger. Most issues on your PC come from all that trash freeware and shareware you installed to make your browser look so cool. So a word of advice: do some research before you install a free application, because it may contain more than you think it does.

How adware installs itself on your computer

If you have read the section on where adware comes from, then you will know that the primary avenues adware uses for travelling across the Internet are through freeware and shareware. The question is, how do you know what freeware and what shareware contain adware?

Honestly, this can be very tricky. According to various laws by the FCC, developers of software containing adware are required to inform users about it. The way users are usually informed is through agreements, where you have to click some sort of "Agree" button to download the software containing the adware. Unfortunately, the majority of people do not read these use agreements and just immediately click the "I Agree" button without knowing what they are really downloading. Then, by the time they see the adware on their system, they get aggravated and wonder where it came from.

While laws do require developers/distributors/etc. of adware-bundled software to notify their users, many people don’t. Let’s face it, even with all of the laws being developed, the Internet is a very large and anonymous place. While some people don’t tell users about adware, others will just modify clean software and put adware into it, thus making it very difficult to detect.

What is important is when you want to download something and you see some form of use agreement, make sure to read it in its entirety so you know whether or not you will be installing adware on your computer.

The source of the above information was obtained from http://www.adware-source.com

Secure Passwords


So how secure are your online passwords for all these websites? I'm sure some people still use their pet's or girlfriend's name or a common dictionary word. These in general are really bad passwords for this evil internet. I personally use a program that is ported to Ubuntu, Windows and Mac OS X called KeePass. With this program you only need to know one password to open it, and then you can have complex passwords that you can't even recall. If someone asked me what my online banking account ID is, I would look puzzled, because it's so long and so complex it looks like it's encrypted, but it's not. You can get your own copy of KeePass from the following website: http://keepass.info

  • Use the maximum length the web site allows you to use
  • If they allow characters other than letters and numbers, use them.
  • Change your password every 60 days (keepass will alert you if you set this option)
  • Never use the same password twice
  • Never use your social security number as a logon id
  • The longer your password the better it is, the best userid and passwords are ones you can’t recall

Securing your Wireless Network


The following are the top seven rules when setting up a secure home network.

  • Secure your wireless router or access point administration interface
  • Don’t broadcast your SSID
  • Enable WPA encryption instead of WEP
  • Remember that WEP is better than nothing
  • Use MAC filtering for access control
  • Reduce your WLAN transmitter power
  • Disable remote administration

Creating Secure Passwords

Tips For Creating Strong Passwords You Can Remember


One of the problems with passwords is that users forget them. In an effort to not forget them, they use simple things like their dog's name, their son's first name and birthdate, the name of the current month, anything that will give them a clue to remember what their password is. For the curious hacker who has somehow gained access to your computer system this is the equivalent of locking your door and leaving the key under the doormat. Without even resorting to any specialized tools, a hacker can discover your basic personal information (name, children's names, birthdates, pets' names, etc.) and try all of those out as potential passwords.

To create a secure password that is easy for you to remember, follow these simple steps:

  1. Do not use personal information. You should never use personal information as a part of your password. It is very easy for someone to guess things like your last name, pet’s name, child’s birth date and other similar details.
  2. Do not use real words. There are tools available to help attackers guess your password. With today’s computing power, it doesn’t take long to try every word in the dictionary and find your password, so it is best if you do not use real words for your password.
  3. Mix different character types. You can make a password much more secure by mixing different types of characters. Use some uppercase letters along with lowercase letters, numbers and even special characters such as ‘&’ or ‘%’.
  4. Use a passphrase. Rather than trying to remember a password created using various character types which is also not a word from the dictionary, you can use a passphrase. Think up a sentence or a line from a song or poem that you like and create a password using the first letter from each word. For example, rather than just having a password like ‘yr$1Hes’, you could take a sentence such as “I like to read the About.com Internet / Network Security web site” and convert it to a password like ‘il2rtA!nsws’. By substituting the number ‘2’ for the word ‘to’ and using an exclamation point in place of the ‘i’ for ‘Internet’, you can use a variety of character types and create a secure password that is hard to crack, but much easier for you to remember.
  5. Use a password management tool. Another way to store and remember passwords securely is to use some sort of password management tool. These tools maintain a list of usernames and passwords in encrypted form. Some will even automatically fill in the username and password information on sites and applications.

Using the tips above will help you create passwords that are more secure, but you should still also follow the following tips:

  • Use different passwords. You should use a different username and password for each login or application you are trying to protect. That way, if one gets compromised the others are still safe. Another approach, which is less secure but provides a fair tradeoff between security and convenience, is to use one username and password for sites and applications that don’t need the extra security, but unique usernames and more secure passwords on sites such as your bank or credit card companies.
  • Change your passwords. You should change your password at least every 30 to 60 days. You should also not re-use a password for at least a year.
  • Enforce stronger passwords. Rather than relying on every user of the computer to understand and follow the instructions above, you can configure Microsoft Windows password policies so that Windows will not accept passwords that don’t meet the minimum requirements.
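The two password sections above (the bullet list under "Secure Passwords" and the five steps and three tips here) describe a small procedure: build a password from the first letters of a passphrase with a few word-to-symbol swaps, then reject anything short, single-class, personal or dictionary-based. The following is an added example in Python that is not from the original post or from About.com; the `COMMON_WORDS` set is a constructed stand-in for a real wordlist, the substitution table is my own choice, and the functions keep the case of each word's first letter, so the result for the page's sentence differs from the page's hand-made ‘il2rtA!nsws’.

```python
import math
import string

# Constructed stand-in for a real dictionary/wordlist; a real check would load one.
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "monkey", "football", "qwerty"}

# Whole words swapped for a symbol when building a password from a passphrase (assumed table).
SUBSTITUTIONS = {"to": "2", "too": "2", "for": "4", "and": "&", "at": "@"}


def passphrase_to_password(sentence):
    """Take the first character of each word, swapping listed words for a symbol.

    Capitalised words keep their uppercase first letter, which adds a character
    class for free; stray punctuation tokens such as '/' contribute nothing.
    """
    out = []
    for word in sentence.split():
        bare = word.strip(string.punctuation)
        if not bare:
            continue
        out.append(SUBSTITUTIONS.get(bare.lower(), bare[0]))
    return "".join(out)


CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def entropy_bits(pw):
    """Upper bound on brute-force entropy: length * log2(size of the alphabet used)."""
    alphabet = sum(len(group) for group in CLASSES if any(c in group for c in pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw, personal=(), min_length=12, min_classes=3):
    """Return a list of rule violations (empty list means the password passes).

    `personal` holds strings an attacker could learn about the user (names,
    birth years, pet names) that must not appear anywhere in the password.
    """
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(any(c in group for c in pw) for group in CLASSES)
    if classes < min_classes:
        problems.append(f"uses only {classes} character class(es), need {min_classes}")
    lowered = pw.lower()
    for item in personal:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information ({item!r})")
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a dictionary/common word")
    return problems


if __name__ == "__main__":
    pw = passphrase_to_password("I like to read the About.com Internet / Network Security web site")
    print(pw, round(entropy_bits(pw), 1), "bits")
    print(check_password("fluffy1990", personal=("Fluffy", "1990")))
```

The entropy figure is only an upper bound (it assumes every character was chosen uniformly from the alphabet), which is why the rule checks still run even when the number looks comfortable.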

All the information above was found at http://netsecurity.about.com

Best Practices in Managing Web Server Security


The following information was obtained from http://www.ciac.org/
 
1. Place your web server(s) in a DMZ. Set your firewall to drop connections
to your web server on all ports but http (port 80) or https (port 443).
 
2. Remove all unneeded services from your web server, keeping FTP (but only
if you need it) and a secure login capability such as secure shell. An
unneeded service can become an avenue of attack.
 
3. Disallow all remote administration unless it is done using a one-time
password or an encrypted link.
 
4. Limit the number of persons having administrator or root level access.
 
5. Log all user activity and maintain those logs either in an encrypted form
on the web server or store them on a separate machine on your Intranet.
 
6. Monitor system logs regularly for any suspicious activity. Install some
trap macros to watch for attacks on the server (such as the PHF attack).
Create macros that run every hour or so that would check the integrity of
passwd and other critical files. When the macros detect a change, they
should send an e-mail to the system manager.
 
7. Remove ALL unnecessary files such as phf from the scripts directory
/cgi-bin.
 
8. Remove the “default” document trees that are shipped with Web
servers such as IIS and ExAir.
 
9. Apply all relevant security patches as soon as they are announced.
 
10. If you must use a GUI interface at the console, remove the commands that
automatically start the window manager from the .RC startup directories
and then create a startup command for the window manager. You can then
use the window manager when you need to work on the system, but shut it
down when you are done. Do not leave the window manager running for any
extended length of time.
 
11. If the machine must be administered remotely, require that a secure
capability such as secure shell is used to make a secure connection.
Do not allow telnet or non-anonymous ftp (those requiring a username and
password) connections to this machine from any untrusted site. It would
also be good to limit these connections only to a minimum number of
secure machines and have those machines reside within your Intranet.
 
12. Run the web server in a chroot-ed part of the directory tree so it cannot
access the real system files.
 
13. Run the anonymous FTP server (if you need it) in a chroot-ed part of the
directory tree that is different from the web server’s tree.
 
14. Do all updates from your Intranet. Maintain your web page originals on a
server on your Intranet and make all changes and updates here; then
“push” these updates to the public server through an SSL connection.
If you do this on a hourly basis, you can avoid having a corrupted server
exposed for a long period of time.
 
15. Scan your web server periodically with tools like ISS or nmap to look for
vulnerabilities.
 
16. Have intrusion detection software monitor the connections to the server.
Set the detector to alarm on known exploits and suspicious activities and
to capture these sessions for review. This information can help you
recover from an intrusion and strengthen your defenses.
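Item 6 above asks for hourly "macros" that check the integrity of passwd and other critical files and e-mail the system manager when something changes. The following is an added example of that check in Python; it is not from the original post or from CIAC. The file list, the `snapshot`/`compare`/`format_alert` names and the temporary-directory demo are assumptions made for this illustration; on a real host you would run it from cron and keep the baseline somewhere the web server account cannot write.

```python
import hashlib
import os
import tempfile

# Typical list for a Unix web server; adjust per host (assumed, not from the page).
CRITICAL_FILES = ["/etc/passwd", "/etc/shadow", "/etc/group", "/etc/ssh/sshd_config"]


def file_digest(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths):
    """Map each path to its digest; a missing file maps to None."""
    return {p: (file_digest(p) if os.path.exists(p) else None) for p in paths}


def compare(baseline, current):
    """Classify every baseline path as changed, missing or newly appeared."""
    report = {"changed": [], "missing": [], "new": []}
    for path, old in baseline.items():
        new = current.get(path)
        if old is not None and new is None:
            report["missing"].append(path)
        elif old is None and new is not None:
            report["new"].append(path)
        elif old != new:
            report["changed"].append(path)
    return report


def format_alert(report, host="webserver"):
    """Body of the e-mail to the system manager; empty string when nothing changed."""
    lines = [f"  {kind.upper()}: {p}" for kind in ("changed", "missing", "new") for p in report[kind]]
    return f"Integrity check on {host}:\n" + "\n".join(lines) if lines else ""


def demo():
    """Constructed run: baseline two fake files, tamper with one, delete the other, re-check."""
    with tempfile.TemporaryDirectory() as d:
        passwd, group = os.path.join(d, "passwd"), os.path.join(d, "group")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(group, "w") as f:
            f.write("root:x:0:\n")
        baseline = snapshot([passwd, group])
        with open(passwd, "a") as f:
            f.write("extra:x:0:0::/:/bin/sh\n")  # simulated tampering: a second uid-0 account
        os.remove(group)
        report = compare(baseline, snapshot([passwd, group]))
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}, format_alert(report)


if __name__ == "__main__":
    print(demo()[1])
```

A scheduled run would load a saved baseline, call `snapshot(CRITICAL_FILES)`, and hand `format_alert(...)` to the mailer only when it is non-empty.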

Lost Laptops


It's amazing how many times we see on the news that a laptop was stolen or lost from a major company these days. The only question I have is whether the thief is concerned about the data that is stored on that laptop, or whether his goal is just to wipe it and sell it off. Are there any confirmed cases where a stolen laptop's data was used to open accounts? There should be better security on our portable devices just in case they are lost or stolen. We need to watch our property, or our company's property: treat it like your baby and never let it out of your sight. If your company doesn't use encryption, then it needs to be discussed at the next big meeting with IT. The best solution would be a remote option to wipe the drive once it's been determined it's missing.

Secure Erase


Pressing the delete key does not permanently delete file data.

Instead of removing the contents of a file, Windows only deletes the file record markers. As a result, the free space of a hard drive is filled with deleted file data that is easily recoverable. There are many freeware programs out there that can recover these files that we thought were deleted. There is a very good freeware program that will securely erase a file without any chance of recovery. The program that will erase forever is called "Eraser", and it can be downloaded from its homepage at http://www.heidi.ie/eraser/. I personally use this product and would highly recommend it for any Windows user who feels that their deleted data needs to be deleted.
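What a secure-erase tool does differently from the delete key is overwrite the file's blocks before removing the directory entry. The following is an added example in Python of that basic overwrite-then-unlink routine; it is not Eraser's code and not from the original post, and the `secure_delete` and `demo` names are assumptions. It only covers the case the section describes (a magnetic disk with in-place writes): on SSDs, journaling or copy-on-write filesystems, snapshots and backups, the old blocks can survive an overwrite, so full-disk encryption is the more reliable defence there.

```python
import os
import secrets
import tempfile


def secure_delete(path, passes=3, chunk=1 << 16):
    """Overwrite a file with random bytes `passes` times, hide its size and name, then unlink it.

    Returns the number of bytes overwritten in each pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # force this pass onto the disk before starting the next
        f.seek(0)
        f.truncate(0)             # the directory entry no longer reveals the original length
        f.flush()
        os.fsync(f.fileno())
    # Rename to a random name so the original filename is not left behind in the directory.
    anon = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.replace(path, anon)
    os.remove(anon)
    return size


def demo():
    """Constructed run: write a small 'secret' file, erase it, report what happened."""
    data = b"account: 1234-5678\npin: 0000\n"  # constructed sample content
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "secret.txt")
        with open(target, "wb") as f:
            f.write(data)
        overwritten = secure_delete(target)
        leftovers = os.listdir(d)  # anything still in the directory after erasing
        return overwritten, len(data), os.path.exists(target), leftovers


if __name__ == "__main__":
    print(demo())
```

The three-pass count is arbitrary; a single random pass is enough on modern magnetic drives, and no number of passes helps where the filesystem never writes back to the same blocks.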