
I Think Webmasters Should Be Hack Proof - Webmasters - Nairaland


I Think Webmasters Should Be Hack Proof by taiwoaigor(m): 4:14am On Apr 08, 2006
My first post grin (kinda shy)

Ok, I think Nigerian webmasters shouldn't be mainly concerned about their graphics, scripts and MONEY alone. We should be more concerned with our security; we shouldn't allow people from other countries to disrupt our sites just for fulfilment of their passion and curiosity for hacking. Thank God we in Nigeria can boast of few international-standard programmers, network engineers and web developers who can share with us few tips and security measures for hackproofing ourselves. I think Kayode (kazie) should be able to do that; it seems he knows much about it. I could help with some too, but I am not a good teacher.
Re: I Think Webmasters Should Be Hack Proof by Zahymaka(m): 6:47pm On Apr 08, 2006
Why don't you start up some articles for us? We'd be glad to learn.
Re: I Think Webmasters Should Be Hack Proof by lagerwhenindoubt(m): 7:25pm On Apr 15, 2006
Well, let me confess. I have done some nasty things to naija websites myself, but not like defacing or hacking. Since you mentioned security, here is a common security hole I used to exploit when Econet (now VMobile, trading as VeeNetworks) and some banks had online SMS features.

1: register for the service
2: go to the form you would normally use to send your sms or request to view your customer account
3: Save it to your desktop.
4: Open it in frontpage or any HTML editor.
5: Change the POST form parameter to GET. If the form restricts you by way of limiting your choices using drop-down boxes and check-boxes (for example, you have only 3 sms left, or select an account name to view), simply edit it and replace with your own (use your imagination).
6: Submit the form; u should get a long list of parameters in the address bar of Internet Explorer that tells you about the system you are about to hack. (Oops, did I use the 4-letter word?)
7: Go back to your pirated form and look for hidden form fields, make your changes and submit.

I got loads of free SMS from Econet and some credit-chopping pranks on buddies of mine. Plus I kept watch on some of my debtors' accounts to know when they got paid. Trust some webmasters to forget security when building bank websites.

MY SOLUTION?
I am writing a script that checks whether a form was submitted from the domain it resides on or some idiot like me is trying to pull one off.

So if my site is www.pullmyfinger.com, any script that processes form data checks to make sure that the form was submitted from www.pullmyfinger.com by checking the referrer metatag.

Plus some other checks; will clue you in when I am done.
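
A server-side sketch of the defence this post is working toward, added here as an example and not the poster's script: it applies the same-domain check from the post and, because every form field and header in a request is chosen by the client, also ties the form to the session with a token and takes SMS quota and account ownership from server state. `SITE_HOST` is the post's example domain; `SECRET`, `ACCOUNTS`, the field names and the account ids are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

SITE_HOST = "www.pullmyfinger.com"   # example domain from the post
SECRET = b"constructed-demo-key"     # assumption: per-deployment secret

# Constructed server-side state: what each user really owns and has left.
ACCOUNTS = {"alice": {"sms_left": 3, "accounts": {"ACC-1001"}}}

def form_token(session_id: str) -> str:
    """Token the server embeds in the form when rendering it for this session."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def same_site(headers: dict) -> bool:
    """The check the post proposes: the form was submitted from our own domain."""
    source = headers.get("Origin") or headers.get("Referer") or ""
    return urlsplit(source).hostname == SITE_HOST

def handle_request(method, headers, session, form):
    """Return (status, message). `session` is server-side; `form` is untrusted."""
    if method != "POST":
        return 405, "POST only"
    if not same_site(headers):
        return 403, "submitted from another origin"
    sent = form.get("token", "").encode()
    if not hmac.compare_digest(sent, form_token(session["id"]).encode()):
        return 403, "form was not issued for this session"
    user = ACCOUNTS[session["user"]]
    action = form.get("action")
    if action == "view_account":
        # Ownership comes from server state, not from the drop-down's options.
        if form.get("account") not in user["accounts"]:
            return 403, "account does not belong to this user"
        return 200, f"statement for {form['account']}"
    if action == "send_sms":
        # Any quota field in the form is ignored; the server's counter decides.
        if user["sms_left"] <= 0:
            return 403, "no SMS credit left"
        user["sms_left"] -= 1
        return 200, f"sent, {user['sms_left']} left"
    return 400, "unknown action"
```
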
Re: I Think Webmasters Should Be Hack Proof by Zahymaka(m): 8:19pm On Apr 15, 2006
Wow -- that's cool. I'm writing a Content Management System in PHP -- it's at http://books.zatechcorp.com. Would you mind doing a White Hat on it?
Re: I Think Webmasters Should Be Hack Proof by lagerwhenindoubt(m): 10:22pm On Apr 15, 2006
Will look into it tomorrow night; don't know why I prefer nights for this sort of work.
Re: I Think Webmasters Should Be Hack Proof by Zahymaka(m): 10:24pm On Apr 15, 2006
Maybe you prefer working by the light of the moon grin grin.
Re: I Think Webmasters Should Be Hack Proof by Ynot(m): 10:38pm On Apr 15, 2006
Zahymaka:

Wow -- that's cool. I'm writing a Content Management System in PHP -- it's at http://books.zatechcorp.com. Would you mind doing a White Hat on it?

Is this an open invitation for everybody to try? I hope you have a backup of that site somewhere safe.
Re: I Think Webmasters Should Be Hack Proof by Zahymaka(m): 10:40pm On Apr 15, 2006
A White hat wouldn't delete my data but I doubt you'd be able to access it.
Re: I Think Webmasters Should Be Hack Proof by lagerwhenindoubt(m): 11:06am On Apr 18, 2006
http://azuka.superihost.com/

It would seem someone beat me to it, but let's try the others.
Re: I Think Webmasters Should Be Hack Proof by Zahymaka(m): 11:39am On Apr 18, 2006
I switched hosts because of that site -- the security was very poor.
Re: I Think Webmasters Should Be Hack Proof by Cactus(m): 1:17am On Apr 23, 2006
Regardless of what you do, sites can be hacked and will be hacked; someone out there will be equally, if not more, knowledgeable than the person or people that implemented the security systems.

Especially web development in asp.net, that's very easy to hack into.
Re: I Think Webmasters Should Be Hack Proof by lagerwhenindoubt(m): 12:02pm On Apr 23, 2006
Cactus, do you have a suggestion beyond stating the (hypothetically & mathematically) inevitable? Sure, systems can be hacked given time and resources. VISA got hacked several times and so do large companies who spend mega-dollars on the issue. It is not tied to any internet development tool, service or technology.

The important thing to recognize is that there is a purpose to the hack-job (steal info, cause damage, just hacker-points, or just revealing loopholes that can be plugged).

If data is your main concern then you will do well to learn how to code defensively and proactively. Security infrastructure & technologies such as PKI, encryption and the extensive fields that relate to it did not just crop up due to off-hand statements like this:

especially web development in asp.net, that's very easy to hack into.

It is like saying people who use Night-guards have weak security, they should use java instead (tongue-in-cheek)

RSA Security and the hosts of panels reviewing Kerberos/AES/DES/MD5/Blowfish/Two-fish and other forms of Authentication/Encryption systems are not just there for the spotlight or salaries.

A better internet is based on functionality-trust-security-usability (not in any order). So as a contributor, it would help the larger community if your statements are encouraging rather than dismissive.

Bottom-line.
1: there is a time value to information beyond which it becomes useless to the hacker
2: Security is not there to block the hacker totally, it is there to delay him/her or make the venture time-consuming and less profitable.
3: How best can we protect ourselves from the casual hacker


I hope I did not come off as brash; it was not intended.
Re: I Think Webmasters Should Be Hack Proof by Cactus(m): 9:06pm On Apr 23, 2006
I do clearly understand all that you are trying to explain; my response was in regard to the manner in which the initial author of the post related it to the Nigerian web development community, which is also applicable to all web developers.

Well, I do hope someday, and sometime soon, web security will be more efficient, limiting the number of hackers and the possibilities of being hacked.
Re: I Think Webmasters Should Be Hack Proof by Zahymaka(m): 3:24am On Apr 24, 2006
When I requested a white hat, I was obviously looking for someone to point out the loopholes in my application to me. I hate crackers -- they're an evil sort.
