Industry Website Hackers • PUBLIC SECTION • Open Discussion • Fugitive Recovery Network (FRN) Forums
FRN Banner
wordpress-ad





Post new topic Reply to topic  [ 25 posts ]  Go to page Previous  1, 2, 3  Next
 
Author Message
 Post subject: Re: Industry Website Hackers
 Post Posted: Fri 28 Aug 2009 13:04 
Offline
Advanced Poster
Advanced Poster
User avatar

Joined: Mon 14 Feb 2005 10:59
Posts: 7563
Location: Arkansas
FRN Agency ID #: 340
Experience: More than 10 years
Cheese please . . .

_________________


Do not consider anything for your interest which makes you break your word, quit your modesty, or inclines you to any practice which will not bear the light, or look the world in the face .... Marcus Antonius

I AM Some Folks "KARMA" and A MODERATOR @ FRN


Top 
 Profile  
 
 Post subject: Re: Industry Website Hackers
 Post Posted: Sat 29 Aug 2009 07:23 
Offline
Advanced Poster
Advanced Poster
User avatar

Joined: Thu 06 Jul 2006 14:22
Posts: 3982
Location: Maryland and Virginia
FRN Agency ID #: 455
Experience: More than 10 years
Phil,

Just exactly what do you have against white people from the south and taxi cab drivers?

You Baltimorons have become such elitist snobs lately...Hon!

Scott

_________________
R.E. "Scott" MacLean III

"Leaders are like Eagles, you never see them in a flock, but one at a time"

Chesapeake Group Investigations, Inc.
Chesapeake Bail Bonds
877-574-0500
301-392-1100 (fax)
301-392-1900 (Office)


Top 
 Profile  
 
 Post subject: Re: Industry Website Hackers
 Post Posted: Sat 29 Aug 2009 07:33 
Offline
Advanced Poster
Advanced Poster
User avatar

Joined: Mon 19 Aug 2002 05:03
Posts: 1163
Location: Orange County, California, USA
FRN Agency ID #: 1
Experience: More than 10 years
Not "Crackers" like us southerners - I was born in the south, raised in the south, and still live in the south (Yes, Baltimore is below the Mason-Dixon!)

The "Evil Crackers" those that use "malware" Malicious Software to cause trouble and destroy!
Attachment:
File comment: A different type of Evil Cracker!
Boss_Hogg.jpg
Boss_Hogg.jpg [ 4.6 KiB | Viewed 7246 times ]


See more:
http://db.glug-bom.org/lug-authors/phil ... ckers.html

http://www.iwriteiam.nl/HackerDef.html

http://journalism.berkeley.edu/projects ... 01168.html

_________________
PHiLL CRoSS
Owner/Administrator
Fugitive Recovery Network
US Bail Bond Directory
Private Investigator Database


Please post questions in the "Comments or Suggestions" Forum
PM is only for private requests or comments


Top 
 Profile  
 
 Post subject: Re: Industry Website Hackers
 Post Posted: Sat 29 Aug 2009 11:32 
Offline
Advanced Poster
Advanced Poster
User avatar

Joined: Thu 06 Jul 2006 14:22
Posts: 3982
Location: Maryland and Virginia
FRN Agency ID #: 455
Experience: More than 10 years
What no comment on the taxi cab drivers (I own the site www.yourcabdriver.com) or the Baltimore only reference to "Hon" something only people from Maryland would understand! I do know both my history and geography and the whole story of the Mason Jar and the Dixie Cup and the line that separated the usage of both!

Scott

_________________
R.E. "Scott" MacLean III

"Leaders are like Eagles, you never see them in a flock, but one at a time"

Chesapeake Group Investigations, Inc.
Chesapeake Bail Bonds
877-574-0500
301-392-1100 (fax)
301-392-1900 (Office)


Top 
 Profile  
 
 Post subject: Re: Industry Website Hackers
 Post Posted: Thu 03 Sep 2009 07:10 
Offline
Senior Poster
Senior Poster
User avatar

Joined: Sat 10 Jan 2009 14:58
Posts: 274
Location: North Carolina
FRN Agency ID #: 0
Experience: 3 - 5 years
Hello....
and thanks for the update!

_________________
R&R
Professional Skip Trace Service
_________________________


Top 
 Profile  
 
 Post subject: Re: Industry Website Hackers
 Post Posted: Thu 03 Sep 2009 22:40 
 
Hi, I'm new around here but this subject has been my bread and butter for over a decade so I thought I'd throw this out there if it can help anyone.

This is most likely the result of what's called a SQL Injection attack. Badbonds.com is built upon a Php based system called SocialEngine and there are articles about this vulnerability.

Essentially what happens is that the hacker finds either a form field (ala a text box like username, password, subject etc) and types malicious commands in it or they discover a page that accepts a query string (the stuff that shows up after a "?" in the url - like on this page that I'm using now. posting.php? mode=reply&f=13&t=10341 ) they replace the expected commands after the ? with malicious ones.

If this has happened it's possible that any of your non encrypted data in the database could have been compromised.

When building any web based solution it's prudent to do a few things, more so when it can be assumed that there are people who will actively want to shut you down.

1. When you talk to your contractor / consultant / agency make sure that when they write you a Statement of Work that they also include a section for security. Other than documentation It's one of the most overlooked part of any development project contract. Clients usually assume that the product that they are paying for will be secure but if it's not in the contract there will be a Project Manager out there who will tell their development team that security measures are "Out of Scope". It's not dissimilar to asking a dealer if the car has air bags / abs etc before you drive off the lot. One of the phrases to include is "All pages and form fields will be made secure against SQL Injection Attacks". Depending on your project it is also a good idea to specify what private data should be encrypted, such as usernames and passwords. This ensures that even if the data is compromised that it's unlikely that the perpetrator can do anything useful with the data collected.

1.a Logging. Not all systems are setup to record every activity that occurs within the system. If security has been breached there are ways to recover, review, and respond but it's a good development and security practice to log things like ip address, date/time of the interaction, username, etc. If you take the time to setup basic security (username / password) it's also good to know who did what, when, and from where. If your developers tell you that's a lot of extra work they either don't know what they're doing or they're bsing you. It's good to get back on your feet but it's also very satisfying to know who did what when so you can follow through.

2. Backups. It is not difficult technically to have your developers make sure that the data that's in your website is backed up. I strongly suggest an automated nightly backup around 2am. You probably don't need an indefinite record of nightly snapshots, an ongoing record of the past 7 days should be sufficient. Your developers should also be using something called "source control". Where the database backups allow you to restore all of the data, source control ensures that you always have a secure record of the most recent, tested, and approved version of your code. If you have source control and nightly backups you can recover from even the most damaging attack within a couple of hours if that. Again this is important to include in the contract. If you have very sensitive / mission critical information it's also prudent to request that data and code be backed up to a physical device or even backed up and then stored at a secure location.

3. Maintenance plan. This is your "Plan B". It's infuriating for a client if you have to call the people who built their product and hear that they don't have the resources available to help them right now. "We're really swamped right now, we might be able to look at it in a few days". Again when you write up your contract outline things like response time to critical, business stoppage issues, rates, etc. Sometimes agencies will want a stipend or monthly fee, you can work that out. What you do want however is to be able to dial the proverbial "911" and have someone pick up who will drop what they're doing, find out what happened, fix your problem, resolve what allowed it to happen, and get you back in business asap.

I hope that this was helpful. I think everyone has felt burned at some time by some sort of service be it contractors, plumbers, mechanics etc and development projects are no different. It's just another subject where if you don't know what you don't know you might not get what you expected. If you have any questions I'd be happy to see if I can help you out.

Brett


Top 
  
 
 Post subject: Re: Industry Website Hackers
 Post Posted: Fri 04 Sep 2009 08:46 
Offline
Advanced Poster
Advanced Poster
User avatar

Joined: Mon 14 Feb 2005 10:59
Posts: 7563
Location: Arkansas
FRN Agency ID #: 340
Experience: More than 10 years
Thank you Brett very valuable advice to those with WebSites. Phill is my SYSOP and a Great SYSOP he is :mrgreen:
I am (actually I have placed the Bail Company I write for) on BadBonds. Being as she is located approx. 31 miles South of me, I felt it would seem rather RUDE should I not. The man that I write for is the President of The Bail Bond Association here and at one time sat on the Licensing Board. Tho I may not know all of the owners and their Bonds people (they change so rapidly ~ the individual BBAs ) I have been writing long enough that a lot know my name :?
That being said . . . who are you on BadBonds?

_________________


Do not consider anything for your interest which makes you break your word, quit your modesty, or inclines you to any practice which will not bear the light, or look the world in the face .... Marcus Antonius

I AM Some Folks "KARMA" and A MODERATOR @ FRN


Top 
 Profile  
 
 Post subject: Re: Industry Website Hackers
 Post Posted: Fri 04 Sep 2009 10:25 
 
LuVonda wrote:
who are you on BadBonds?


I'm not signed up there, I only know of it because it was mentioned in the original post. I made my 'from the hip' diagnosis after about 3 minutes of investigation; going to the site, discovering what technologies it was built on, and seeing what documented vulnerabilities exist with those products - and there are documented vulnerabilities.

I don't think it would be prudent to share much more than that here for two reasons. First is that 'geek stuff' usually bores the pants off of people who aren't engineers and second is that if people are actively trying to shut down these types of communities it's possible that your community could already be compromised. It's never a good strategic move to let 'them' know what you know but I'm sure that you guys understand how that works.

I also know that talking about this subject like this will make me, especially as a new member, look suspicious. All I can say to that is that I'm here to learn from you and to help where I can, this subject just happens to be within an area of my expertise. If an admin wants to contact me to validate my authenticity and credentials I'd be happy to do that.

Just because we're online doesn't mean that HUMINT rules don't apply. In fact, you should be more suspicious. Human engineering is an important tool in the work belt of any black hat.


Top 
  
 
 Post subject: Re: Industry Website Hackers
 Post Posted: Fri 04 Sep 2009 10:54 
Offline
Advanced Poster
Advanced Poster
User avatar

Joined: Fri 18 Apr 2008 10:00
Posts: 760
Location: New York State
FRN Agency ID #: 1973
Experience: 3 - 5 years
"I also know that talking about this subject like this will make me, especially as a new member, look suspicious."
MK-ULTRA
To be honest...That's what I was telling myself when I read your first post.




a......ok................Steve and Phill share the same goat :shock: .........That would make you similar. :lol: :lol:

_________________
If the world didn't suck we would all fall off. (Luvonda)
Nobody has power over you that you do not allow them to have. (Scott)
Be careful of the seeds you plant because one day they will be harvested.

Dave
Private Investigator
Licensed by the NYS DOS Division of Licensing


Top 
 Profile  
 
 Post subject: Re: Industry Website Hackers
 Post Posted: Fri 04 Sep 2009 11:02 
Offline
in memoriam
User avatar

Joined: Fri 02 Mar 2007 10:51
Posts: 5055
Location: South Central Virginia
FRN Agency ID #: 1474
Experience: More than 10 years
WHAT?????????????????????????

Does anyone below the level of MIT graduate, have any idea what these guys are talking about.......... let's bring this down to a level that some of us can understand...............


like..... I liked it when we were on the "crackers, white people, hackers, slackers, quackers and cab drivers" level....

"SQL Injection attack; form field; query string; stuff that shows up after a "?" in the url; posting.php? mode=reply&f=13&t=10341; non encrypted data; Logging; Backups; source control; stipend ;

"I strongly suggest an automated nightly backup around 2am"... now that I understand... I usually get "backed up" around 2am every morning and have to reformat my hard drive or run a spell checker on my browser... that usually does the trick, although sometimes my external disc drive hangs up and I have to dump my fragmented files and replace my system disc with a melted cheese chili hot-dog.

"You probably don't need an indefinite record of nightly snapshots, an ongoing record of the past 7 days should be sufficient." and I also concur with this...... I sometimes take nightly snapshots but I get rid of them before 7 days.... or whenever I sober up, which ever occurs first.

"prudent to request that data and code be backed up to a physical device or even backed up and then stored at a secure location"... yep, my physical device is always kept in a secure location... usually in my bedside table....

"if you don't know what you don't know you might not get what you expected".... that is a bit confusing, however.... is that the truth.... I have had many, many surprises and many times that I got what I did not expect.....

Only question I have is......... "if you don't know, what you don' know... how can you know... what you don't know.... ya know?"

I have the distinct idea that MK ULTRA knows much more than he is letting on..... we need more people dipped in the tech world to help us along with our.............. electronic devices........ and such. :shock:

Whenever I encounter a post that is totally confusing... I usually try and say something intelligent to seem like I fully understand what is being said.......... in this instance......... I am totally baffled.... and anyway, it is hard for me to come up with something intelligent on Fridays... after 2PM..... 8) (or any other day that ends in a Y)

Mr. Brett, please stay with us........ we need your input and thanks for the techy help... believe it or not.........
I have absolutely no idea what you were talking about, but it was really fun to read it......................

It was about as fun as reading the electronic schematic on my Samsung flat screen TV!! Image

_________________
Bill Marx, Sr.
"FREE STATE BAIL BONDS"
"FREE STATE INVESTIGATIONS"

DCJS: 99-176979
Cell: 434-294-0222

"Endeavor to Persevere" "Lone Watie"

"Good judgment comes from experience, and a lot of that , comes from bad judgment" "Will Rogers"


Top 
 Profile  
 
Display posts from previous:  Sort by  
 
Post new topic Reply to topic  [ 25 posts ]  Go to page Previous  1, 2, 3  Next

FRN Forums » PUBLIC SECTION » Open Discussion


Who is online

Users browsing this forum: No registered users and 240 guests

 
 

 
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Fugitive Recovery Network

FRN Forum
Login
Forum
Register
Forum FAQ


directory



ad_here_1




wordpress-ad