One Article Review

Source: Errata Security
Identifier: 391060
Publication date: 2017-08-01 00:06:00 (viewed: 2017-08-01 00:06:00)
Title: Top 10 Most Obvious Hacks of All Time (v0.9)
Text: For teaching hacking/cybersecurity, I thought I'd create a list of the most obvious hacks of all time. Not the best hacks, the most sophisticated hacks, or the hacks with the biggest impact, but the most obvious hacks: ones that even the least knowledgeable among us should be able to understand. Below I propose some hacks that fit this bill, though in no particular order.

The reason I'm writing this is that my niece wants me to teach her some hacking. I thought I'd start with the obvious stuff first.

Shared Passwords

If you use the same password for every website, and one of those websites gets hacked, then the hacker has your password for all your websites. The reason your Facebook account got hacked wasn't because of anything Facebook did, but because you used the same email address and password when creating an account on "beagleforums.com", which got hacked last year.

I've heard people say "I'm sure, because I choose a complex password and use it everywhere". No, this is the very worst thing you can do. Sure, you can use the same password on all the sites you don't care much about, but for Facebook, your email account, and your bank, you should have a unique password, so that when other sites get hacked, your important sites stay secure.

And yes, it's okay to write down your passwords on paper.

PIN encrypted PDFs

My accountant emails PDF statements encrypted with the last 4 digits of my Social Security Number. This is not encryption in any useful sense: a 4-digit number has only 10,000 combinations, and a hacker can guess all of them in seconds.

PINs for ATM cards work because ATM machines are online, and the machine can reject your card after a few wrong guesses. PINs don't work for documents, because they are offline: the hacker has a copy of the document on their own machine, disconnected from the Internet, and can keep making bad guesses with no restrictions. Passwords protecting documents must be long enough that even trillions upon trillions of guesses are insufficient to find them.

SQL and other injection

The lazy way of combining websites with databases is to combine user input with an SQL statement. This mixes code with data, so the obvious consequence is that hackers can craft data that changes the code.

No, this isn't obvious to the general public, but it should be obvious to programmers. The moment you write code that adds unfiltered user input to an SQL statement, the consequence should be obvious. Yet "SQL injection" has remained one of the most effective hacks for the last 15 years because somehow programmers don't understand the consequence.

CGI shell injection is a similar issue. Back in the early days, when "CGI scripts" were a thing, it was really important, but these days, not so much, so I just included it with SQL. The consequence of passing user input to a shell should've been obvious, but weirdly, it wasn't. The IT guy at the company I worked for back in the late 1990s came to me and asked "this guy says we have a vulnerability, is he full of shit?", and I had to answer "no, he's right -- obviously so".

XSS ("Cross Site Scripting") [*] is another injection issue, but this time the target is somebody's web browser rather than a server. It works because websites echo back what is sent to them. For example, if you search for Cross Site Scripting with the URL https://www.google.com/search?q=cross+site+scripting, then you'll get a page back from the server that contains that string. If the string is JavaScript code rather than text, then some servers (though not Google) send back the code in the page in a way that it'll be executed. This is most often used to hack somebody's account: you send them an e
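The "PIN encrypted PDFs" section above rests on one number: 10,000 candidates, tried offline with nobody to lock the attacker out. The following is an added example, not code from the article or from Errata Security. It models the accountant's "encrypted" statement as a random salt plus a PBKDF2-HMAC-SHA256 check value (an assumption; the real PDF standard security handler differs in detail, but the attacker's derive-compare-next loop is the same), brute-forces every 4-digit PIN against a constructed sample document, and contrasts the PIN's search space with that of a 16-character passphrase.

```python
import hashlib
import os
import time

# Assumption, not from the article: the "encrypted" statement is modelled as a
# random salt plus a PBKDF2-HMAC-SHA256 check value derived from the password.
# The real PDF standard security handler differs in detail, but the attacker's
# loop is the same: derive, compare, next guess, with nobody able to lock them out.
ITERATIONS = 200  # kept low so the demo runs in about a second


def derive_check(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def protect_document(password: str) -> dict:
    """Stand-in for the accountant's PDF 'encryption'."""
    salt = os.urandom(16)
    return {"salt": salt, "check": derive_check(password, salt)}


def crack_pin(doc: dict, digits: int = 4):
    """Offline attack: try every PIN of the given length (0000..9999 for 4 digits).
    Returns (pin, number_of_guesses); pin is None if no PIN matched."""
    guesses = 0
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        guesses += 1
        if derive_check(candidate, doc["salt"]) == doc["check"]:
            return candidate, guesses
    return None, guesses


def guess_space(alphabet_size: int, length: int) -> int:
    """How many candidates an exhaustive offline search has to cover."""
    return alphabet_size ** length


if __name__ == "__main__":
    # Constructed sample: the last four SSN digits, as in the article.
    doc = protect_document("4821")
    start = time.perf_counter()
    pin, guesses = crack_pin(doc)
    print(f"recovered PIN {pin} after {guesses} guesses "
          f"in {time.perf_counter() - start:.2f}s")
    print("4-digit PIN candidates:", guess_space(10, 4))
    print("16-char mixed-case alphanumeric candidates:", guess_space(62, 16))
```

The iteration count is deliberately tiny to keep the demo quick; raising it slows the attacker linearly but never changes the 10,000 ceiling, which is why the fix is a longer secret rather than a slower derivation.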
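The "SQL and other injection" section above groups SQL injection and CGI shell injection under one idea: user input glued into a string that an interpreter then executes. The following is an added example, not code from the article or from Errata Security; the users table, the credentials, and the `echo` command are constructed for illustration. It shows a login check built by string concatenation beside its parameterized form, and a `shell=True` command beside an argv-list call, fed the same hostile input.

```python
import sqlite3
import subprocess


def make_db() -> sqlite3.Connection:
    """Constructed sample users table (not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    conn.commit()
    return conn


def build_query_vulnerable(username: str, password: str) -> str:
    # The lazy way: code and data glued into one string.
    return (f"SELECT 1 FROM users WHERE username = '{username}' "
            f"AND password = '{password}'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    return conn.execute(build_query_vulnerable(username, password)).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterized: SQL text and values travel separately, so a quote in the
    # input is just a character inside a value, never SQL syntax.
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def echo_vulnerable(text: str) -> str:
    # shell=True hands the whole string to /bin/sh, which honours ';', '|', '`' ...
    return subprocess.run("echo " + text, shell=True,
                          capture_output=True, text=True).stdout


def echo_safe(text: str) -> str:
    # An argv list and no shell: the metacharacters reach echo as plain bytes.
    return subprocess.run(["echo", text], capture_output=True, text=True).stdout


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print(build_query_vulnerable("anyone", payload))
    print("vulnerable login, no valid credentials:", login_vulnerable(conn, "anyone", payload))
    print("parameterized login, same input:      ", login_safe(conn, "anyone", payload))
    print("comment trick, no password needed:     ", login_vulnerable(conn, "alice'--", "wrong"))
    cmd_payload = "hello; echo INJECTED"
    print("shell=True output:", repr(echo_vulnerable(cmd_payload)))
    print("argv output:      ", repr(echo_safe(cmd_payload)))
```

The shell half assumes a POSIX `/bin/sh` and an `echo` binary. In both halves the fix is the same: keep the program (SQL text, argv) and the data (bound parameters, a single argv element) on separate channels, so the interpreter never has to guess where one ends and the other begins.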
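The XSS paragraph above describes a search page that echoes the `q=` parameter back into the HTML it returns. The following is an added example, not code from the article or from Errata Security; the `search.example` URLs and the page template are constructed. It parses the query out of a URL the way a server would, renders it once by plain interpolation and once through HTML escaping, and applies the crude check a tester would run on the response: did a `<script` tag survive?

```python
import html
from urllib.parse import parse_qs, urlsplit


def query_from_url(url: str) -> str:
    """Pull the q= parameter out of a search URL, percent-decoded as a server would."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_vulnerable(q: str) -> str:
    # Echoes the search string straight into the page: whatever the user typed
    # is now part of the HTML the browser parses.
    return f"<h1>Results for: {q}</h1>"


def render_safe(q: str) -> str:
    # Escaping for the element-text context turns < > & " ' into entities, so the
    # browser shows the text and never treats it as markup.
    return f"<h1>Results for: {html.escape(q, quote=True)}</h1>"


def contains_script_tag(page: str) -> bool:
    """Crude check a tester might run on the response: did a <script> survive?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    # Constructed URLs, modelled on the article's Google example.
    benign = "https://search.example/search?q=cross+site+scripting"
    hostile = ("https://search.example/search?q="
               "%3Cscript%3Ealert(document.cookie)%3C/script%3E")
    for url in (benign, hostile):
        q = query_from_url(url)
        print("query:", q)
        print("  vulnerable:", render_vulnerable(q),
              "-> script tag present:", contains_script_tag(render_vulnerable(q)))
        print("  escaped:   ", render_safe(q),
              "-> script tag present:", contains_script_tag(render_safe(q)))
```

`html.escape` is the right tool only for element text and quoted attribute values; a value echoed inside an existing `<script>` block, an event-handler attribute, or a URL needs the encoding of that context instead, and a template engine that escapes by default removes the chance of forgetting.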
Sent: Yes


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.