Angsuman Chakraborty
August 20th, 2008
1. How can you hack GMail account?
2. How can you protect your GMail account from hackers?
Hackers at Defcon demonstrated a tool that hacks into GMail accounts by snooping on unencrypted data (a man-in-the-middle attack) and capturing the cookie that GMail uses, by default, for everything other than login.
Last week Google introduced the ability to optionally encrypt any transmission to or from GMail, not just the login sequence. Previously GMail encrypted the login sequence only. All other data was transmitted unencrypted over the wire, making such hacking possible. Every email, every article that you are reading on your GMail account is transmitted unencrypted over the web.
Angsuman Chakraborty
August 8th, 2008
One fine morning you may find an email like this in your mailbox:
Subject: Your ads have been suspended.
Dear Advertiser,
————–
We were unable to process your payment.
Your ads will be suspended soon unless we can process your payment.
To prevent your ads from being suspended, please update your payment information.
—————–
Please sign in
to your account at http://adwords.google.com/select/login,
and update your payment information.
——————————–
We look forward to providing you with the most effective advertising available.
Thank you for advertising with Google AdWords.
If you happen to be an AdWords advertiser, this can send a chill down your spine. Relax, you have nothing to worry about.
Angsuman Chakraborty
August 7th, 2008
WordPress wins the dubious distinction of the Mass 0wnage Pwnie Award for an unbelievable number of WordPress vulnerabilities, over 140 as of today.
It seems like hardly a week goes by without a new vulnerability in WordPress or one of its many plugins. Many of them are actively being exploited to own popular WordPress blogs and use them to serve spam or client-side exploits to unsuspecting visitors. The popularity of WordPress combined with the abysmal security practices of WordPress plugin developers places the entire Internet at risk and is worthy of a nomination.
Angsuman Chakraborty
April 13th, 2008
In the Apache HTTPD server, when a directory has no index or default page, a visitor may normally be served a full list of the files in that directory. This could pose a serious security risk. It also exposes your files to the world at large, allowing them to be indexed by search engines, and at the least poses a privacy risk. There are well-known Google hacks which exploit this feature. To stop default directory listing, add this to the .htaccess file.
Angsuman Chakraborty
April 5th, 2008
On running ./configure in dansguardian (web content filter for Linux), I got the following error: configure: error: pcre-config not found! configure: WARNING: Cache variable ac_cv_prog_PCRE contains a newline. The solution, as usual, is simple:
Angsuman Chakraborty
March 29th, 2008
Every major & minor version of WordPress (1.5, 2.0, 2.1…) comes with teething problems which are then fixed in patch releases. Will the WordPress 2.5 release finally break the curse? Maybe not…
Angsuman Chakraborty
March 3rd, 2008
Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts that can be used separately or in combination. The first part is a small patch against the PHP core that implements a few low-level protections against buffer overflows or format string vulnerabilities, and the second part is a powerful PHP extension that implements all the other protections.
Angsuman Chakraborty
January 10th, 2008
You never worry about your site security until after your site has been hacked for the first time. It is always a moment of truth when you first realize how vulnerable you (your site & your data) truly are. You probably have dozens of scripts running on your server, ranging from weblog software and a comment form to maybe a CMS like Mambo or Joomla, not to mention your home-grown scripts. Have you ever had them audited? Do you always update them whenever a new release is available? Do you run all your applications and scripts in a chroot jail? Do you regularly check for rootkits? The answer to most of the above is probably no. The truth is that any of them can lead to your site and data being compromised. In this context, an intrusion detection system can provide you early warning when something goes wrong so you can fight it. Let's look at Samhain, a popular intrusion detection system.
Angsuman Chakraborty
December 25th, 2007
This WordPress blog was hacked for a few hours on 24th December (nice Christmas present!) from Russia. The hacker exploited several WordPress vulnerabilities in administrative scripts to gain full access to the website (as permitted to the apache user), including the ability to upload & run scripts, delete any file owned by the apache user, view the files and directories, etc. This is a full disclosure on how the site was hacked and how I detected and removed the hack, along with a few comments on the state of WordPress security. I added a WordPress plugin and made modifications to prevent any such hacking attempts in future using WordPress. This is a must-read for WordPress bloggers.
Angsuman Chakraborty
December 21st, 2007
SSH is aptly termed the poor man's VPN. You can use it to forward a local host name and port to a remote server running the ssh daemon. You can also use it to forward a remote server's port to a local host and port.