
Wednesday, 13 April 2016

Why Hackers Can Target your Website?

Today website hacking is not limited to any one aspect or motive; websites are now hacked daily for many different purposes.
Defacement is what is generally considered website hacking, but that is not all there is to it. We have classified the most common reasons for website hacking, which are as follows:
  • Lack of Awareness
  • Economic Gains
  • System resources
  • Revenge Hacking or Competition
  • Showing off skills
  • Script Kiddies

Lack of Awareness

This is one of the major causes of low website security. People work with outdated technologies and software and do not apply vendor patches. They have no security measures installed to protect their websites against attacks. This happens due to overconfidence or a lack of knowledge about security.
New attack methods and new vulnerabilities are revealed every day. They may or may not concern you, but they may harm the website in some way, so proper security and care of the website are very important. Once users lose confidence because of a website failure, they will move to alternatives, which is a loss for the company. Proper security measures are very important to avoid this.

Economic Gains

As the name suggests, this type of hacking is for monetary benefit. Attacks of this kind are known as drive-by downloads and blackhat SEO campaigns. A drive-by download means injecting malicious code into the website, which then affects all users of that website by downloading malicious files to their systems, while blackhat SEO refers to redirecting users to different websites that they may not have intended to visit. This creates a sense of dismay among the users, gives a bad impression of the website and ultimately affects the number of visits.
Example: Downloading malware onto a user's system and getting all credentials, such as the usernames and passwords of all the websites visited, including financial details.

System Resources

This is also a major reason websites are hacked: the hackers use resources such as bandwidth and physical server resources for their illegal purposes. They compromise the website using bots and malicious scripts that give them access to the server, where they can use the resources as an administrator.
The bots can be used in different kinds of distributed web attacks, such as DoS attacks, brute-force attacks or other automated attacks against other websites. Because of these illegal activities originating from your website, your host may shut you down, causing a lot of trouble for you and your users.
Example: Hacking to store illegal pirated software copies and pornographic content, or to take part in DoS and DDoS attacks.

Revenge Hacking or Competition

Due to the high competition in today’s world for providing services, there is a greater probability of your website getting hacked for the benefit of other websites.
The losses others suffer because of your good services may also come back as a revenge threat. There may be some group of people who would like to bring down your website to give it a bad name and create distrust among the users.
Example: Companies A and B are in the same business. A gets hacked, so the customers of A go to B for services, eliminating A as competition.

Show Off

Several hackers hack websites just for fun and to show off their skills to the hacker community to gain name and fame. This kind of hacking has no other purpose; it simply exploits the security vulnerabilities present in your website. Many hackers of this kind continuously look for vulnerable websites and hack them, affecting the website and its services for quite some time.
Example: Posting the defaced website links and screenshots publicly under a code name and claiming to have hacked it.

Script Kiddies

Script kiddies are people who do not have a working knowledge of computers and networks; they try to hack a website using scripts written by other hackers without understanding the process of hacking.
Script kiddies do this to become famous among their peers, to gain recognition as a hacker or to attract someone's attention. There is no other motive, and any website with a vulnerability can be exploited by script kiddies, which will hinder the website's services and upset its users.

Conclusion

Your website is your presence online, so it is important to secure it. It also brings you some revenue from advertisements, if it carries any. People are less aware of website security threats than of web application threats, which makes them easy bait for hackers looking to bring down their website.
People will lose trust in your services if your website is hacked, so proper security methods are required to secure your website from threats; these can be implemented after a security audit by a professional or a security company.
We offer such website security services at a very decent price of $99. If you need any kind of security services, contact us at contact@briskinfosec.com

Thursday, 7 April 2016

Security Test Checklist for Joomla 3

Any website can be hacked. There is no set of security steps that you can take to keep your site 100% safe from hacking. Hackers may be malicious and actually steal information from your site. Other hackers may be pranksters who simply want to bring down your site and replace it with obnoxious graphics. Your site could be hacked without you even knowing it, with the hackers just monitoring the site to see if any goodies show up.
There are steps that you can take that increase the security of your site and make it safer. 

Basic security steps:

Only install official versions of Joomla.

Joomla installations are often included with third party templates. They offer a one step install where you install Joomla and their template is already set up as the default with all its custom appearance, functionality, components and plugins. Be very wary of these offers. Be sure that these are popular and highly regarded templates. If they don't offer the option of installing the template separately from the Joomla installation, steer clear. It could be that the Joomla version has core files that have been changed, causing conflicts with other extensions and upgrades. It could be that the plugins they have installed have vulnerabilities.

Never use 'admin' as a login name, never

Do not use admin or other obvious login names for logging into your Joomla site. If you have multiple contributors, do not use some standard way of creating login names, such as last name-first initial. It makes it too easy to figure out for others. You may think that the password will be enough, but having an obvious login name is a foot in the door.

Use well formed and unique passwords

Passwords should never be regular words. They should be a long combination of upper and lower case letters, numbers and a special character or two or three. The more characters in your password, the better.

Change your password from time to time

It is a good idea to change your login password on a regular basis.

Never give your password to others to get into the site

Even if you trust someone completely, it is better to create a user account that you can delete later. 

Backup, backup, backup

Backup your site's files and database regularly. Backup again before making major changes or installing any extension or template. Backup before running upgrades.

Keep your Joomla site up to date

Upgrading can be a bothersome task, but it is still better to take the steps to upgrade if a new version comes out. Newer versions will have fixed known security issues.

Check your Users list in User Manager

See if there are any registered users that should not be there. If there are, it may mean that your site has already been hacked.

Remove the login module if you don't use it

If you don't need people to log in to the front end, remove or unpublish the login module. You can still log in to the front end of your site by adding
index.php?option=com_users&view=login
to the end of your url if you need to.
The login form creates an open invitation to hackers. Keep in mind, a Joomla hacker will know how to get to the login form even without a login form displayed in a module or page. Removing the login form will only keep out the novice hacker.

Turn off user registration, if you don't need it

If you don't have a forum, allow comments or have some other reason for users to register, turn off Allow User Registration in the Global Configuration for Users Manager. If you do leave it on, never allow users to be any level higher than Registered unless you take manual steps to allow them more permissions.

Installing Extensions

Backup your site before installing extensions

Backup your entire site, folders and database, before installing any extension or running any upgrade.
Learn how to restore the backed up files and database in the case that your site is hacked.

Only use popular and highly rated extensions

Check extensions.joomla.org for the rating on any extension. Popular extensions will likely keep up with Joomla upgrades. Even good and popular extensions can introduce security loopholes. If an extension is not listed at extensions.joomla.org, it probably should not be installed.

Review the Joomla Vulnerable Extension list

You can see a list of extensions that have known issues at vel.joomla.org. Some extension providers will have fixed the problems and have a newer version, so watch what version is on the Vulnerability list.

Only use Open Source extensions

Extensions, whether components or plugins, can come open-source or encrypted. If they are open-source, the code is all visible as PHP, JavaScript or other readable script. If it is encoded, there is an added possibility that it has hidden security risks.

Install Security Extensions

Go to extensions.joomla.org and research Joomla extensions that increase site security, if added security is important for your site. Some of these extensions will have lockouts for someone entering a wrong password too many times, so be sure YOU don't try too many passwords.

Minimize the number of extensions you have installed

The more extensions you have installed, the more places for hackers to break into your site. You should also minimize the number of extensions for site speed and ease of upgrading.

Your Hosting Environment, Folders, Files and Database

Consider using an SSL server 

Sites that have an SSL certificate have https:// for the protocol. This protocol uses encryption to send data over the web. It is not 100% safe, but it is much safer than not having this functionality. This protocol does not protect your site itself from hackers; it simply encrypts the data being uploaded and downloaded. You should purchase an SSL certificate if:
  • Your site deals with any personal information about your registered users, even something like email addresses or phone numbers
  • Your site deals with money transactions
  • You have forms that ask for personal information, such as event registration, forum registration, etc.

Use dedicated servers if possible

Most discount web hosts use shared hosting to keep costs down. If you have a site with information that should not be public, consider the added cost of dedicated hosting. This way, your Joomla site is on its own server. As an added benefit, dedicated servers are also much faster than shared servers as far as downloading large web sites.

Protect your hosted folders and files

Watch the permission settings on your folders and files. Hackers can tell you have a Joomla site by simply looking at the source code and will know which files have security vulnerabilities. Folders should have a permission level of 755 and files 644. Unfortunately, if you assign even stricter permission levels, you can break your site, as Joomla needs to access certain files and folders to work properly.

If you create new folders, add an index.html placeholder file

If you create folders in your Joomla installation via FTP or through your hosting control panel, you should include a placeholder index.html file in the folder along with the other files. This keeps hackers from being able to list the content of the folder in a browser window.

Keep your site's folders and files tidy

Remove any unused files or folders. Be sure to remove the installation folder after installing Joomla, don't just rename it.
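
The three file-system checks above (755/644 permissions, an index.html placeholder in every folder you create, no leftover installation folder) can be scripted. The Python sketch below is an added example, not part of the original checklist or of Joomla; the function names and the sample tree are constructed for illustration, it assumes a POSIX host, and it flags only permissions looser than the recommended levels.

```python
import os
import stat
import tempfile

DIR_MODE = 0o755   # folder permission level the checklist recommends
FILE_MODE = 0o644  # file permission level the checklist recommends


def audit_site(root):
    """Return a sorted list of (issue, relative_path) for a Joomla document root."""
    findings = []
    # The installer folder must be deleted after setup, not merely renamed.
    if os.path.isdir(os.path.join(root, "installation")):
        findings.append(("installation-folder-present", "installation"))
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        if mode & ~DIR_MODE:  # any bit beyond 755, e.g. group/world write
            findings.append((f"dir-mode-{mode:o}", rel_dir))
        # Sub-folders without a placeholder may be listable in a browser.
        if rel_dir != "." and "index.html" not in filenames:
            findings.append(("no-index-placeholder", rel_dir))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & ~FILE_MODE:  # any bit beyond 644
                findings.append((f"file-mode-{mode:o}", os.path.relpath(path, root)))
    return sorted(findings)


def build_sample_site():
    """Create a constructed sample tree (not a real Joomla install) with known flaws."""
    root = tempfile.mkdtemp(prefix="joomla-sample-")
    layout = {
        "configuration.php": 0o666,              # world-writable file
        "images/index.html": FILE_MODE,
        "images/uploads/photo.jpg": FILE_MODE,   # folder has no index.html
        "installation/index.html": FILE_MODE,    # leftover installer folder
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.chmod(path, mode)
    for dirpath, _dirs, _files in os.walk(root):
        os.chmod(dirpath, DIR_MODE)
    os.chmod(os.path.join(root, "images", "uploads"), 0o777)  # over-permissive folder
    return root


if __name__ == "__main__":
    for issue, path in audit_site(build_sample_site()):
        print(f"{issue:30} {path}")
```

Point audit_site at your own document root to get the same report for a live installation; files set stricter than 644 are not reported.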

Use separate login and password for hosting login, database login and Joomla login

Do not use the same login and password for your Joomla site as for your hosting account and/or database. This is like having the same set of keys for every item you own. If the thief has one set of keys, he can steal everything.

.htaccess security steps

You can add lines to your .htaccess file that will keep the casual hacker from accessing specific folders.

My Joomla site has already been hacked, what do I do?

Refer to this Joomla.org article:
https://docs.joomla.org/Security_Checklist/You_have_been_hacked_or_defaced

Wednesday, 16 March 2016

Is your WEB SITE safe? No, I’m not asking about your web Application!

You got the question, right? Nearly everyone chooses web applications over websites, which explains why websites are unfortunately prone to security risk. A website contains only information, whereas a web application is a service delivered over a website, i.e. it performs certain tasks, interacts with users, and so on.

Web application security is expensive and yields more profit to security companies, which is why security companies concern themselves with web applications but not websites. Websites have static content: the data displayed is the same for every visitor and content changes are infrequent. Web applications are dynamic and ever-changing; they rely on user interaction and the content contributed to them. Everyone cares about web applications because they contain interactive information, but they forgot websites, the origin. Can’t believe it? Google it yourself and check out the priority!

“Web apps are the new future! The website is your past and present, which can make your future pleasant or unpleasant! Better treat it the right way.” Comparing the two, websites are greater in number, and so are their security issues. Most web application source code is kept confidential for security purposes; in contrast, website source code is often openly available. This is one main reason why websites are easily compromised.

Website compromise: the intentions behind it
  • Theft of personal or sensitive data.
  • Devastating the reputation.
  • Altering website content.
  • Intercepting confidential data.
  • Making services unavailable by performing DoS attacks.

Website security glitches
Websites contain both general and confidential information, such as employee details, contact information and so on.
  • The reputation of the organization or institution is devastated.
  • Website compromise often leads to a major attack (preparation phase).
  • The initial phase of any attack is information gathering, which starts from the corresponding websites.
  • Phishing attacks are often carried out using contact details.

Security Measures
  • Using cross-platform compatible encryption: Choose an encryption method that supports all platforms and doesn’t unnecessarily limit the user base.
  • Managing the website via encrypted connections: Avoiding unencrypted connections such as unencrypted FTP or HTTP prevents man-in-the-middle and login/password sniffing attacks.
  • Data validation: Any input given by a user must be validated; this avoids attacks like SQL injection.
  • Encrypted login pages: Authentication checks validity, whereas encryption maintains it.

Conclusion:
Remember the proverb? “Elephants are not afraid of mice, but terrified by ants.” Got it now? However reputed your organization is, a small attack on your website can destroy everything! Almost everything. Top companies are concerned only about web applications (mice), not websites (ants), because the mice are the profit yielders while websites are their assets. Websites are a huge part of the web and play a vital role in offering information. The more information a site offers, the sooner it gets compromised. Discovering vulnerabilities and threats is a difficult task. People who like to be called hackers but lack much knowledge often try their skills here, so sites are more vulnerable to unknown threats like these than to identified threats. Thus security for websites is more significant.

Website Pentest:
We, Brisk Infosec, provide website security services for any organization. We guarantee to secure your websites from vulnerabilities and attacks, with an ethical touch. We offer website security services for $99. Website security organizations are like a black cat in a coal cellar: very hard to find. Brisk Infosec is one of them, a trustworthy organization with professional security analysts who provide services at economical fixed prices.
