
Thread: TechJamaica is unsafe to a degree

  1. #61 (Join Date: Aug 2004 | Posts: 398 | Rep Power: 0)

    Definitely the most expensive one! And I know that's the point you're making. The guys are just saying better safe than sorry. Thieves can still take your car if it has an alarm, but it's a deterrent.

    Well, I have learnt through it all ... and I hope anyone else who has read the thread and has the same username/password all over will understand the possible consequences.

    all the best.

    bless

  2. #62 (Join Date: Mar 2015 | Posts: 122 | Rep Power: 0)

    Quote Originally Posted by GPRS Internet:
    Did I say he was wrong. NOPE..
    Did I say the info he posted was incorrect. NOPE

    His approach and the manner in which he presented the information is what I have an issue with..

    Have you heard of manufacturer recalls??? It happens. Manufacturers recall various things by the millions due to them having flaws..

    Security issues are patched quite often as they are found or based on how vulnerable they are.

    I installed an https plugin on my site and had to disable it as it was conflicting with some other plugins.. Another reason being hackers have bots that seek out and find https sites; if you are running https it means you have something worth securing or stealing.

    The only sensible advice would be to insist that users choose passwords unrelated to their email/banking passwords etc., so in the event a hack does happen your password won't be compromised.
    Oh my....question, do you advise ...better yet, INSIST that the users of your website choose passwords unrelated to their email/banking passwords ??

  3. #63 (Join Date: Jul 2007 | Posts: 16,974 | Rep Power: 33)

    Quote Originally Posted by Tizen:
    Oh my....question, do you advise ...better yet, INSIST that the users of your website choose passwords unrelated to their email/banking passwords ??
    Please don't start har up back.

  4. #64 (Join Date: Apr 2004 | Posts: 11,129 | Rep Power: 31)

    Quote Originally Posted by Tizen:
    Oh my....question, do you advise ...better yet, INSIST that the users of your website choose passwords unrelated to their email/banking passwords ??
    Read the registration agreement that a user is greeted with before he/she registers.........
    http://shopinja.com/forum/index.php?action=register

  5. #65 (Join Date: Nov 2004 | Posts: 4,918 | Rep Power: 24)

    Why is this thread still open/active lol? In all my 10 years being active on this site, the only problems I've seen are database issues, and that's on the admins' side.

    If someone hacks the site then oh well, they must really be bored or nooby 'cause this site has no monetary potential to them lol.

  6. #66 (Join Date: Jul 2007 | Posts: 16,974 | Rep Power: 33)

    Quote Originally Posted by Powpow:
    Why is this thread still open/active lol? In all my 10 years being active on this site, the only problems I've seen are database issues, and that's on the admins' side.

    If someone hacks the site then oh well, they must really be bored or nooby 'cause this site has no monetary potential to them lol.
    Pow... Smh

    ................

  7. #67 (Join Date: Feb 2015 | Posts: 23 | Rep Power: 0)

    Quote Originally Posted by Powpow:
    Why is this thread still open/active lol? In all my 10 years being active on this site, the only problems I've seen are database issues, and that's on the admins' side.

    If someone hacks the site then oh well, they must really be bored or nobody 'cause this site has no monetary potential to them lol.
    Let me open this issue right up, because some of the things people are bringing here are off topic but still relevant to security.

    Here is a scenario that is more than possible:

    Scenario 1:

    "An attacker freely scans this website and finds the many security holes mentioned in my report. They then go ahead and exploit multiple vulnerabilities to find a few that can give them complete control of the actual web server, since this site owner had a dedicated server. They then use the server to do their malicious deeds while never interfering with this site's functionality. Later, the site owner is charged with malicious activity coming from their server. Who needs that?"

    Scenario 2:

    "Attacker successfully exploits script vulnerabilities in the forum software that enable him to inject malicious code into every page. We log in and, while logging in, we pass our browser cookies to the attacker, who can then use them to log in to some of our accounts outside of this site. Your email accounts are compromised and even your social accounts you use for business or otherwise. So your life outside of this site is ruined, and it all started because vulnerabilities that have been known about for years are still found in this site."

    Scenario 3:

    "An attacker gains access to the server and tells it to force every user who accesses every site hosted on the server to download a virus that has been encrypted to bypass anti-virus software. Now your computer is bugged, and from a website you trust no less. Bad thing is, now the attacker can monitor you in real time, control your computer in the background and front end when you're away, and will gather data on you so one day when he's "BORED", he will proceed to literally destroy you."

    These are but a few of the possibilities that are out there, and this being a tech forum, I don't see why some people are so against this simple warning. Just protect yourself and your users and you will be fine. Don't, and you leave yourself open to known risks, which is very irresponsible.

  8. #68 (Join Date: Jan 2011 | Posts: 962 | Rep Power: 14)

    Scenario 2 is the most likely and most profitable, especially since most people always click the "Remember Me" option when logging in to websites. That remembered cookie containing access tokens would be a good catch.

  9. #69 (Join Date: Nov 2004 | Posts: 4,918 | Rep Power: 24)

    Quote Originally Posted by GeniusDragon:
    Let me open this issue right up, because some of the things people are bringing here are off topic but still relevant to security.

    Here is a scenario that is more than possible:

    Scenario 1:

    "An attacker freely scans this website and finds the many security holes mentioned in my report. They then go ahead and exploit multiple vulnerabilities to find a few that can give them complete control of the actual web server, since this site owner had a dedicated server. They then use the server to do their malicious deeds while never interfering with this site's functionality. Later, the site owner is charged with malicious activity coming from their server. Who needs that?"

    Scenario 2:

    "Attacker successfully exploits script vulnerabilities in the forum software that enable him to inject malicious code into every page. We log in and, while logging in, we pass our browser cookies to the attacker, who can then use them to log in to some of our accounts outside of this site. Your email accounts are compromised and even your social accounts you use for business or otherwise. So your life outside of this site is ruined, and it all started because vulnerabilities that have been known about for years are still found in this site."

    Scenario 3:

    "An attacker gains access to the server and tells it to force every user who accesses every site hosted on the server to download a virus that has been encrypted to bypass anti-virus software. Now your computer is bugged, and from a website you trust no less. Bad thing is, now the attacker can monitor you in real time, control your computer in the background and front end when you're away, and will gather data on you so one day when he's "BORED", he will proceed to literally destroy you."

    These are but a few of the possibilities that are out there, and this being a tech forum, I don't see why some people are so against this simple warning. Just protect yourself and your users and you will be fine. Don't, and you leave yourself open to known risks, which is very irresponsible.
    Oh I see. Well, all those scenarios are possible indeed, and since none of them have happened yet, maybe the admins are waiting to see which ones happen and then take action, since they apparently have no reason to at this time.

  10. #70 (Join Date: Mar 2015 | Posts: 14 | Rep Power: 0)

    Quote Originally Posted by GeniusDragon:
    Let me open this issue right up, because some of the things people are bringing here are off topic but still relevant to security.

    Here is a scenario that is more than possible:

    Scenario 1:

    "An attacker freely scans this website and finds the many security holes mentioned in my report. They then go ahead and exploit multiple vulnerabilities to find a few that can give them complete control of the actual web server, since this site owner had a dedicated server. They then use the server to do their malicious deeds while never interfering with this site's functionality. Later, the site owner is charged with malicious activity coming from their server. Who needs that?"

    Scenario 2:

    "Attacker successfully exploits script vulnerabilities in the forum software that enable him to inject malicious code into every page. We log in and, while logging in, we pass our browser cookies to the attacker, who can then use them to log in to some of our accounts outside of this site. Your email accounts are compromised and even your social accounts you use for business or otherwise. So your life outside of this site is ruined, and it all started because vulnerabilities that have been known about for years are still found in this site."

    Scenario 3:

    "An attacker gains access to the server and tells it to force every user who accesses every site hosted on the server to download a virus that has been encrypted to bypass anti-virus software. Now your computer is bugged, and from a website you trust no less. Bad thing is, now the attacker can monitor you in real time, control your computer in the background and front end when you're away, and will gather data on you so one day when he's "BORED", he will proceed to literally destroy you."

    These are but a few of the possibilities that are out there, and this being a tech forum, I don't see why some people are so against this simple warning. Just protect yourself and your users and you will be fine. Don't, and you leave yourself open to known risks, which is very irresponsible.
    Scenario 2 as described isn't possible, as it would violate the Same Origin Policy (SOP). The SOP in a nutshell restricts one site from interacting with another. If the attacker is able to execute, as you put it, "script vulnerabilities" and is able to inject malicious code into each page (malicious javascript), then that script will not be able to access cookies from other sites. If it could, then it would violate the Same Origin Policy, which states that when determining what access javascript or other protocols have to the DOM (Document Object Model), the following three things must be the same:

    - hostname
    - protocol
    - port

    So let's say the attacker found an XSS (Cross Site Scripting) vulnerability on techja. To dump the cookies he would then execute document.cookie and send the results to a server he controls. The cookies that he dumps, however, would be specific to the domain from which the script was executed, i.e. techjamaica.com. So a script from techjamaica cannot access the DOM from shopinja.com, for example. The SOP is probably the most important security control enforced on the web.

    Now having said all that, a more likely scenario would be for the attacker to use the initial script as a dropper for a second malicious file and execute it. At that point the extent of the compromise would be left up to the imagination of the attacker. He could, for example, execute code that dumps the plaintext passwords from memory etc.
    Last edited by jasonmarsh; Mar 19, 2015 at 09:19 PM.
