
Hackers vs. gray matter


wraith808:
Security is a practice that must be adhered to at all times ... It is not something you install and then blindly trust to just work.
-Stoic Joker (September 08, 2014, 11:50 AM)
--- End quote ---

+1000!

MilesAhead:
Banks, mortgage companies, tax records, shipments, money transfers ... These are all common hot topic items that are likely to cause someone to rush through resolving a seemingly really important "problem".
--- End quote ---

If you use a web-based email account it can be useful to have an additional "dummy" account.  When you get some notice that some online account needs to be verified/updated it may hit a nerve.  But if you switch to the dummy account and check your mail it makes it more obvious it's a "fishing expedition" (as President Nixon used to bitch about frequently) since the dummy has no account at xyzcorp etc.

SeraphimLabs:
Hmmm, the one that annoyed me was the old "Your IP Address is xxx.xxx.xxx.xxx" in a forum sig graphic.  On some forums, when I complained, they didn't even understand why I objected to the guy with the sig having my IP.  It's weird when you have to explain why they should not allow the graphical sig to be hosted on a 3rd-party site that isn't one of the known image hosting ones.

-MilesAhead (September 07, 2014, 01:33 PM)
--- End quote ---

It's like 10 lines of code to do this; this particular one is actually powered by my own server if you want to play with it on your devices. The server has to know an IP to send information back to, and that information is available to scripts running on that server if you know what variables it is kept in.

One of those where the paranoid will get jumpy on seeing how easily that information is made visible, but in practice it's trivial to get and of trivial usefulness outside of possibly tracking who is accessing what.

Though it is worth noting, the script that makes this work will not operate correctly on one of the standard image hosting services. It is in fact a PHP script that forces its output header type to be a png image, which allows the PHP script to execute and generate a png image. The filename of that image is in fact a folder on my server, and the actual code is contained in the index.php of said folder.

These days most 'hacking' going on is done by either phishing or SQL injection type exploits to retrieve poorly stored username/password combinations. Actual 'hard' hacking using exploits that are not easily blocked or are even completely unknown is done too in some situations, but nowhere near as often as there are people getting their accounts broken into.

SQL injection in particular is rather commonplace. All it takes is one unsanitized data input to do a lot of damage to a database system, ranging from account theft to completely erasing a database. If this happens, they will with certainty obtain username/email mappings, but any passwords that are stored unsalted will be compromised.
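The two defects named in this post side by side, as an added example that is not the poster's code: a login lookup that pastes the username into the SQL text versus a parameterised one, and an unsalted password hash versus a salted one. Python with sqlite3 stands in for the forum database; the schema and the sample users are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory user table standing in for a forum database
# (assumption: the post names no schema, so this one is hypothetical).
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT, salt BLOB, pw_hash BLOB)")
    return db

def lookup_vulnerable(db, name):
    """The 'unsanitized data input' case: the username becomes part of the SQL text,
    so a quote in it changes the statement instead of being treated as data."""
    return db.execute("SELECT name, email FROM users WHERE name = '" + name + "'").fetchone()

def lookup_safe(db, name):
    """Parameterised form: the driver passes the value separately, so quotes stay data."""
    return db.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchone()

def quote_breaks_vulnerable(db, name) -> bool:
    """True when the concatenated query cannot even survive a legitimate apostrophe;
    that same property is what injection abuses."""
    try:
        lookup_vulnerable(db, name)
        return False
    except sqlite3.OperationalError:
        return True

def hash_unsalted(password: str) -> bytes:
    # Same password -> same digest for every user: a leaked table reveals who shares
    # a password, and one precomputed lookup table cracks all of them at once.
    return hashlib.sha256(password.encode()).digest()

def hash_salted(password: str, salt: bytes) -> bytes:
    # Per-user random salt: identical passwords get different digests, and PBKDF2
    # makes each guess against the leaked table cost 200k iterations.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def add_user(db, name, email, password):
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)", (name, email, salt, hash_salted(password, salt)))

def verify(db, name, password) -> bool:
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(hash_salted(password, row[0]), row[1])
```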

MilesAhead:
The server has to know an IP to send information back to, and that information is available to scripts running on that server if you know what variables it is kept in.
--- End quote ---

I know how it works.  The point is forums should not allow diversion of this information to 3rd party servers willy nilly.  I think I remember a few members being kicked off forums since they refused to abandon such sig image tricks.

I compare it to the single pixel image trick in html emails.  Now the email sender knows the IP of your machine rather than that of your pop3 server.
