[Alpacasite] Re: Hacking: Can Anyone Explain This?
--- In Alpacasite@yahoogroups.com, "Sunrise Edit. Services/D. Belt"
<alpacapubs@y...> wrote:
>
> The only advance notice we had that something funny might be going
> on is that the on-line store had a couple of "orders" sent to us that
> were either completely blank (no data fields completed), or contained
> computer code. The site is encrypted, so we didn't have too much
> concern about these annoying "orders" at the time they came in.
This sounds like an "injection" attack. It is possible through
carefully crafted entries into a form field to trick the database into
giving up all of its information, including passwords and account
names.
1st, check to see if your e-store software, or any other software
running on your server, has any updates. For instance, there was a
recent (within the past week) update to PHPMyAdmin to address concerns
such as this. (PHPMyAdmin is a popular MySQL database manager).
Also, be sure to store all passwords in an encrypted form in the
database. MySQL, for instance, will allow you to store passwords using
an MD5 hash, which is pretty darn secure. Any decent DB application
will have a similar option.
Finally, be sure that permissions on your database are clamped down
tight. No webuser needs root access. Any webuser should have only the
most minimal write access (e.g. to update account details), and should
only have read access to the most necessary tables. Do not have a
public link to your admin area. And, do not leave information on your
site identifying the software package you are using. (e.g. "Powered by
OSCommerce").
>
> The reason we are fairly certain that the access took place
> through Suzy's website is because the offensive e-mail that was
> subsequently transmitted from her e-mail address referenced unique
> information (e.g. phone number + marketing tagline) available only on
> the website. Our webmaster told us to change our e-mail password
> immediately to a "very secure" password (consisting of a lengthy
> sequence of upper- and lower-case letters, numbers, and special
> characters). Previously, we had used a password that was short and
> consisted of only letters.
>
A secure password should be at least 8 characters long, and as you
point out should contain upper and lower case letters as well as
numbers.
I cannot tell you how many times I have seen user/password combos
like "jmerrell/alpaca". How long do you suppose it would take someone
to figure that out?
Stay away from things like SSI #'s, birthdates, pet names, etc. In
fact, do not use any dictionary word, or popular names from literature
or movies. How many "Gandalf" user names do you suppose are out
there?
John Merrell
Gateway Farm Alpacas
http://www.gateway-alpacas.com
Alpaca, a natural elegance...
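As an added illustration of the "injection" risk and the blank "orders" described in this thread (example code, not from the original post or any real store package): a hypothetical order-form handler in which form values are pasted straight into the SQL text, next to a hardened version that rejects blank submissions and passes the values to the driver separately. SQLite stands in for the store's MySQL database so the example runs offline.

```python
import sqlite3

# Hypothetical order-form handler; the table and field names are assumptions.
REQUIRED = ("customer", "email", "item")

def open_store() -> sqlite3.Connection:
    """In-memory stand-in for the store's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY,"
                 " customer TEXT, email TEXT, item TEXT)")
    return conn

def insert_order_unsafe(conn, form):
    # Vulnerable pattern: form values become part of the SQL text, so a quote
    # in the input changes the statement instead of being stored as data.
    sql = ("INSERT INTO orders (customer, email, item) VALUES ('%s', '%s', '%s')"
           % (form["customer"], form["email"], form["item"]))
    conn.execute(sql)
    conn.commit()

def validate_order(form):
    """Return the required fields that are blank (the 'empty orders' above)."""
    return [f for f in REQUIRED if not str(form.get(f, "")).strip()]

def insert_order(conn, form):
    # Hardened: blank submissions are refused, and the values travel as bound
    # parameters, so quotes or SQL keywords in them are stored as plain text.
    missing = validate_order(form)
    if missing:
        raise ValueError("blank fields: " + ", ".join(missing))
    conn.execute("INSERT INTO orders (customer, email, item) VALUES (?, ?, ?)",
                 (form["customer"], form["email"], form["item"]))
    conn.commit()
    return conn.execute(
        "SELECT customer FROM orders ORDER BY id DESC LIMIT 1").fetchone()[0]

def demo():
    conn = open_store()
    # Constructed input: an ordinary name with an apostrophe already breaks the
    # unsafe version; a crafted "order" abuses exactly the same gap.
    form = {"customer": "O'Brien", "email": "ob@example.invalid",
            "item": "alpaca fleece"}
    try:
        insert_order_unsafe(conn, form)
        unsafe_ok = True
    except sqlite3.OperationalError:
        unsafe_ok = False
    stored = insert_order(conn, form)
    return unsafe_ok, stored
```

Running `demo()` shows the concatenated query failing on the apostrophe while the parameterised insert stores the name exactly as typed.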
List administrator - Rick Horn - All American Alpacas alpacas@alpacaweb.com
http://aaalpacas.com