webddr

Google Hacking

This is by far the easiest hack of all. It really is extraordinary what you can find in Google’s index. And here’s Newsflash #1: you can find a wealth of actual usernames and passwords using search strings.

Copy and paste these into Google:

inurl:passlist.txt
inurl:passwd.txt

…and this one is just priceless… (more)

Encryption works by encoding the text of a message with a key. In traditional encryption systems, the same key was used for both encoding and decoding. In the new public key or asymmetric encryption systems, keys come in pairs: one key is used for encoding and another for decoding. In this system everyone owns a unique pair of keys. One of the keys, called the public key, is widely distributed and used for encoding messages. The other key, called the private key, is a closely held secret used to decrypt incoming message. (more)

Restriction by IP address is secure against casual nosiness but not against a determined hacker. There are several ways around IP address restrictions. With the proper equipment and software, a hacker can “spoof” his IP address, making it seem as if he’s connecting from a location different from his real one. Nor is there any guarantee that the person contacting your server from an authorized host is in fact the person you think he is. The remote host may have been broken into and is being used as a front. (more)

What should do when viewing a secure page or website with https url and the browser complains that the site certificate doesn’t match the server and asks user to continue?

The host name of the Web server is an unalterable part of the site certificate. If the name of the host doesn’t match the name on the certificate, the browser will notice this fact and alert you of the problem. (more)

If you are a Webmaster, system administrator, or are otherwise involved with the administration of a network, the single most important step you can take to increase your site’s security is to create a written security policy. This security policy should succinctly lay out your organization’s policies with regard to: (more)

Operating systems

Although the Unix and NT communities may not like to hear it. In general, the more powerful and flexible the operating system, the more open it is for attack through its Web (and other) servers.

Unix systems, with their large number of built-in servers, services, scripting languages, and interpreters, are particularly vulnerable to attack because there are simply so many portals of entry for hackers to exploit. Less capable systems, such as Macintosh and special-purpose Web server boxes, are less easy to exploit. The safest Web site is a bare-bones Macintosh running a bare-bones Web server. (more)

SSL uses public-key encryption to exchange a session key between the client and server; this session key is used to encrypt the http transaction (both request and response). Each transaction uses a different session key so that if someone manages to decrypt a transaction, that does not mean that they’ve found the server’s secret key; if they want to decrypt another transaction, they’ll need to spend as much time and effort on the second transaction as they did on the first. (more)