Cutting Edge Marketing Tips

SQL Injection is one of the most common security vulnerabilities on the web. Here I’ll try to explain in detail this kind of vulnerabilities with examples of bugs in PHP and possible solutions.

If you are not so confident with programming languages and web technologies you may be wondering what SQL stay for. Well, it’s an acronym for Structured Query Language (pronounced “sequel”). It’s “de facto” the standard language to access and manipulate data in databases.

Nowadays most websites rely on a database (usually MySQL) to store and access data.

Our example will be a common login form. Internet surfers see those login forms every day, you put your username and password in and then the server checks the credentials you supplied. Ok, that’s simple, but what happens exactly on the server when he checks your credentials?

The client (or user) sends to the server two strings, the username and the password.

Usually the server will have a database with a table where the user’s data are stored. This table has at least two columns, one to store the username and one for the password. When the server receives the username and password strings he will query the database to see if the supplied credentials are valid. He will use an SQL statement for that that may look like this:

SELECT * FROM users WHERE username=’SUPPLIED_USER’ AND password=’SUPPLIED_PASS’

For those of you who are not familiar with the SQL language, in SQL the ‘ character is used as a delimiter for string variables. Here we use it to delimit the username and password strings supplied by the user.

In this example we see that the username and password supplied are inserted into the query between the ‘ and the entire query is then executed by the database engine. If the query returns any rows, then the supplied credentials are valid (that user exists in the database and has the password that was supplied).

Now, what happens if a user types a ‘ character into the username or password field? Well, by putting only a ‘ into the username field and living the password field blank, the query would become:

SELECT * FROM users WHERE username=”’ AND password=”

This would trigger an error, since the database engine would consider the end of the string at the second ‘ and then it would trigger a parsing error at the third ‘ character. Let’s now what would happen if we would send this input data:

Username: ‘ OR ‘a’='a
Password: ‘ OR ‘a’='a

The query would become
SELECT * FROM users WHERE username=” OR ‘a’='a’ AND password=” OR ‘a’='a’

Since a is always equal to a, this query will return all the rows from the table users and the server will “think” we supplied him with valid credentials and let as in - the SQL injection was successful :).

Now we are going to see some more advanced techniques.. My example will be based on a PHP and MySQL platform. In my MySQL database I created the following table:

CREATE TABLE users (
username VARCHAR(128),
password VARCHAR(128),
email VARCHAR(128))

There’s a single row in that table with data:

username: testuser
password: testing
email: testuser@testing.com

To check the credentials I made the following query in the PHP code:

$query=”select username, password from users where username=’”.$user.”‘ and password=’”.$pass.”‘”;

The server is also configured to print out errors triggered by MySQL (this is useful for debugging, but should be avoided on a production server).

So, last time I showed you how SQL injection basically works. Now I’ll show you how can we make more complex queries and how to use the MySQL error messages to get more information about the database structure.

Lets get started! So, if we put just an ‘ character in the username field we get an error message like
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”” and password=”’ at line 1

That’s because the query became

select username, password from users where username=”’ and password=”
What happens now if we try to put into the username field a string like ‘ or user=’abc ?
The query becomes

select username, password from users where username=” or user=’abc ‘ and password=”

And this give us the error message
Unknown column ‘user’ in ‘where clause’

That’s fine! Using these error messages we can guess the columns in the table. We can try to put in the username field ‘ or email=’ and since we get no error message, we know that the email column exists in that table. If we know the email address of a user, we can now just try with ‘ or email=’testuser@testing.com in both the username and password fields and our query becomes

select username, password from users where username=” or email=’testuser@testing.com’ and password=” or email=’testuser@testing.com’

which is a valid query and if that email address exists in the table we will successfully login!

You can also use the error messages to guess the table name. Since in SQL you can use the table.column notation, you can try to put in the username field ‘ or user.test=’ and you will see an error message like
Unknown table ‘user’ in where clause

Fine! Let’s try with ‘ or users.test=’ and we have
Unknown column ‘users.test’ in ‘where clause’

so logically there’s a table named users :).

Basically, if the server is configured to give out the error messages, you can use them to enumerate the database structure and then you may be able to use these informations in an attack.

Matija Vidmar is an experienced programmer. He’s also interested in computer security, networking and system administration and internet marketing. He owns a tech blog at calibro.candyham.com

The first known use of the expression “spyware” occurred on October 17th, 1994 in a post that joked about Microsoft’s business model. Spyware later came to allude to snoop equipment such as diminutive cameras. In early 2000, the man who started Zone Labs used the term in a press release for a new product. Since then, the computer-community has used the term in its current definition.

Spyware often comes wrapped-in with shareware or other software, and with music CDs. The user installs a program, for example, a file-trading utility or music program. The installer also installs the spyware. Even though the acceptable software itself may not do harm, the wrapped-in spyware does. Occasionally, spyware authors will pay shareware creators to wrap-in spyware with their software. An example is the Gator spyware distributed by Claria. There are instances when spyware authors will repackage desirable free software with destructive installers that add spyware.

Another way of propagating spyware is by tricking users. A program will manipulate a security feature that is supposed to prevent harmful installations. Internet Explorer is designed to stop websites from starting an unwanted download. Alternately, a user action must normally trigger a download (like clicking on a link). Nevertheless, links can prove misleading. For example, a pop-up may look like a normal Windows dialog box. The box contains wording like “Do you want to improve your Internet experience?” with links that look like real buttons reading No and Yes. It doesn’t matter which button the user selects, a malicious download will start, installing the spyware on the user’s computer. Newer versions of Internet Explorer offer better security against this tactic.

Many unscrupulous spyware creators infect a computer by going after security weaknesses in the Web browser or in other applications on the targeted computer. When the user arrives at a Web site controlled by the spyware creator, the site includes code that forces the download and installation of spyware or infiltrates the browser. This kind of spyware creator will have broad knowledge of commercial-quality firewall and anti-virus programming. This is commonly known as a “drive-by download”. It leaves the user an unfortunate onlooker to the intrusion. Conventional “browser attacks” target security weaknesses in Microsoft Java Runtime and Internet Explorer.

Another problem in the case of some kinds of spyware programs is that they will replace the banner ads on visited web sites. Spyware that acts like a Browser Helper or web proxy can replace a site’s own advertisements with advertisements that benefit the spyware author. This can seriously affect the revenue stream of advertising funded web sites.

There have been instances when a worm or virus has delivered a cargo of spyware. For example, some attackers used the W32.Spybot.Worm to set up spyware that caused pornographic ads to pop up on the screens of an infected system. By re-routing traffic to commercial sites that are set up to funnel funds to the spyware creators, they can profit even by such obviously illegal actions.

Leif Wheeler began marketing on the internet in 1992 and he retired in 2004.
Leif’s internet-time is now spent researching and writing articles
that improve everyone’s internet experience.
Benefit from Leif’s vast experience at http://www.leifwheeler.com.

Just today, a virus hit one of my client’s competitors. It was a trojan with the potential to unlock the door to their entire network. Many people asked me how it got into the network. Some asked me what a trojan was and if it was different from a virus. Others wondered about what kind of person would unleash a virus on other people’s computers.

It started me to thinking. If people knew more about virus programs, they might be better able to avoid being infected.

We will need some definitions before we can begin. Generally, viruses, trojans and worms are classified under the term malware. Malware is any unwanted program intended to cause harm to another’s computer or network.

A virus program corrupts or compromises your computer system. Normally, a virus can replicate, or duplicate itself without outside assistance.

As the original Trojan horse carried Greek soldiers into the City of Troy, so does a trojan program smuggle dangerous software into your network. Once inside this hidden program attacks your computer.

The program carried within the trojan is called the payload. This payload can be any program from a virus to a worm, or even anther trojan.

A worm attaches itself to other programs to spread throughout the computer network. It cannot replicate itself, but it can copy itself to other software.

All three have the potential to modify or destroy your data.

How do you get these nasty programs? The most common way is to download free software from the internet. Another way is to share files with others. Never put software into your computer you did not buy from a reputable dealer. File sharing is an open invitation to disaster.

Five things to do to keep your system clean:

1. Install a firewall on your network

2. Install, and update frequently, a quality anti virus program

3. Install and use a spyware and adware removal program every time you finish surfing the Internet. (Especially if you use Internet Explorer)

4. Download Mozilla, as an alternate to Internet Explorer.

5. DO NOT SHARE FILES WITH ANY ONE

If your business uses computers, and you store confidential information on your customers, you should have your network technicians conduct security scans regularly.

If you do not have a technician to do this for you, get one. It will make your network much more secure.

Finally, train your employees to be computer security aware. Your security program cannot succeed unless everyone joins and actively practices safe security.

Parrott Writing Services, a San Antonio Texas company specializing in web content, ghostwriting, website optimization, online/offline ad copy and technical writing to small businesses.

http://www.rickparrott.com

Send an email to: EBOOK@sasecure.net for a FREE electronic copy of my eBook on Computer Security!

To access a Paypal account you need to have the username and password of the account. The username of a Paypal account is the main email address (primary email address) used to register the account. The owner of the account would also set up a password to be used along with the username to access the account. The security system is quite secure as long as the username and password of the Paypal account are known only to the actual owner of the account. If these details are available to anyone else it would mean that the security of that Paypal account has been compromised. Anyone acquiring the username and password of any Paypal account can access and perform all functions that the actual owner of the account could do.

In this article we will try to explain in simple terms how confidential login information of an actual Paypal account owner can be robbed and misused. We will then provide important and simple suggestions that would reduce the chances of such a fraud being committed on your Paypal account.

(a) Being careless with your information: This type of Paypal fraud can be committed very easily and does not require too much effort on the part of the fraudster. Users very often write down their login details for various websites with the fear of forgetting them. Anyone having access to these written details can login to the Paypal account and treat the account as if it was his own. Another possibility that could easily open a Paypal account to fraud is when the user selects a very simple or easy password that can be easily guessed. People with bad intentions need to make a few guesses before they arrive at the correct password to enter the Paypal account. These are the simplest ways in which a Paypal fraud can be committed and they do not require any email scam to be done.

(b) Identity theft through a Paypal email scam: Paypal phishing or identity theft as it is commonly known, involves an attempt by a fraudster to extract the login details of a Paypal account from the actual owner of the account. Armed with these detais, the fraudster can be very dangerous as full control of the Paypal account can be excercised. In this case, emails will be randomly sent to many email addresses informing the receiver of a certain activity in their Paypal account. For these Paypal email scams to work, the receiver of the email will need to login to his Paypal account by clicking a link on the email. The exact contents of each Paypal email scam might differ but the objective remains the same. Once the user clicks the link in the email, he is taken to a web page that closely resembles a regular Paypal login page. This page is infact a fake and is hosted by the fraudster (not Paypal) with the sole purpose of collecting confidential login details from the actual owner of the Paypal account. If the owner of the Paypal account falls for this trick, his account will soon be operated by the fraudster and this could lead to heavy losses. Attempts to phish Paypal accounts have become quite common and each time a fraudster unleashes his cruel trick a number of innocent Paypal accounts become victims.

The above two methods account for a major share of Paypal frauds and Paypal email scams being committed in recent times. It is not very difficult to stay clear from these frauds and we provide some useful suggestions to help you. You really do not have to give up using your Paypal account with the fear of it being misused or phished by someone else. The internet provides numerous advantages when it comes to selling and buying online and to surrender these benefits to a pack of fradusters would be sad.

Avoiding Paypal fraud and Paypal email scams.
(1) About your Paypal password: Choose a password that is not very easy to guess. Using your first or last name for your Paypal password is not a very good idea. Paypal frauds can be committed easily if you note your pass word in places that are accessible to others. Change your password periodically and whenever you suspect that you have become a victim of a Paypal email scam or other type of Paypal fraud.

(2) Clicking links to login: Never click links on emails to access your Paypal account. Always use your web browser and type in the complete name of the Paypal website to login. Paypal email scams urge you to click a link on the email and access your website. The login information is then saved to a website that is not a Paypal website. This allows fraudsters to login to your Paypal account and make transactions on your account.

(3) Periodic account check: Login to your account periodically and look for any strange or unexpected transactions. The transactions could relate to a receipt or payment of money. If you notice any abnormal movement in your Paypal account, consider it to be a Paypal fraud and inform Paypal immediately. Also change the password immediately to reduce the chances of further damage.

(4) Logging out of your account: If you are in the habit of logging into your Paypal account and then leaving the active account minimized on your browser, you could be helping someone commit frauds on your Paypal account very easily. Such security lapses do not require email scams or other methods. Always logout of your Paypal account once you have finished working on it or when you will not be using it for a couple of minutes.

Follow the above suggestions and you will be pleased with the results. Your Paypal account will be a lot safer and you will at the same time, reap the benefits of transacting online. The contents of this article have been compiled by the network team at Kaisilver. We request you to forward this link to all your friends and acquaintences, they will be grateful that you let them know about a safe way to work with their Paypal account.

You can see the complete report on Paypal fraud and Paypal email scams at this link:
http://www.newsletter.kaijewels.com/paypal-frauds-paypal-email-scams.htm

Thank you for taking this time to read this article.
Regards.
Ms. Roit
http://www.kaisilver.com

Ms.Roit is network assistant at www.kaisilver.com the world’s largest online source for highend custom jewelry. All jewelry can be made in 14k or 18k white or yellow gold with gemstones of your choice. You can also send in images of your favourite designs to be custom made.

Are you the victim of identity theft? According to Joanna Crane of the Federal Trade Commission’s Identity Theft Program, 80% of the victims who call the FTC say they have no idea how it happened.

Furthermore, an FTC survey reported that 4.6% of those polled reported that they had been a victim of identity theft within the past year. Additionally, according to a recent General Accounting Office report, it is estimated that as many as 750,000 Americans are victims of identity theft every year.

Is this an invisible enemy and are American’s personal and financial information that easily accessible to identity thieves? What can the average American do to protect themselves from these personal attacks on their privacy? Although there are no guarantees, here are five simple steps to help prevent identity theft:

1) Shred private credit card statements, tax documents, bank statements, pre-approved credit card offers or any other documentation with private financial information.

2) If you are inundated with pre-approved credit card offers you can call toll free 1-888-567-8688 to opt out and request to have your name removed from the mailing list. In addition, you can call the national do not call registry at 1-888-382-1222 to stop unsolicited telemarketing calls where you could divulge personal information.

3) Monitor your credit report at least once a year. You are entitled to a free credit report and can get one by calling 1-877-322-8228. Look for suspicious activity. It is also wise to subscribe to a credit protection service which will inform you of changes in your credit report.

4) Check your mailbox daily and do not allow mail to sit overnight in your mailbox. Mail theft is an easy way for thieves to secure personal information. It is best to mail outgoing bills and checks at the post office or other secure locations. If you believe your mail has been stolen you must contact the nearest postal inspector. You can look in the white pages under Government Services or call 1-800-ASK-USPS.

5) Be defensive and more guarded with your information. Do not divulge your personal information freely. Never “validate” your personal or financial information when contacted through an email, even if it is a company you do business with; they have this information on file. It may look legitimate and realistic, but these attempts are getting more sophisticated and these types of scams are what is known as “phishing”.

We have explored five simple steps that the average person can do to help themselves prevent identity theft. In this age of advanced communications and technology and with the thieves getting more deceptive than ever, it is imperative to continue to educate yourself. Be cautious and understand that this information can be abused and it is up to you to safeguard yourself and your famliy from this growing trend.

Robert Benson operates www.ezshoppinghere.com a web site devoted to helping shoppers find unique gifts in unique places. Find Three Stooges Memorablilia, Collectibles, Home Decor, Novelties and more articles from Robert at the web site.

With the increasing crime rates these days, it is best that you find ways to protect your belongings whenever you are indoor or outdoors. But the most important thing you have to protect is your home, especially if you and your household members are not at home most of the time.

By equipping your home with security gadgets like wall safes, you can eliminate the worries that fill your mind knowing that your most valuable possessions are safely intact.

Nowadays, keeping valuables in a bank’s safety deposit box is no longer the only available way to safeguard your valuables. With the advent of technology and creative inventions, wall safes are now considered as the next best thing to safekeeping.

Generally, wall safes are mounted and permanently pierced into the walls of your house. Because of its nature, you may mount your wall safes while your house or your office is still under construction or you may opt to mount it a little later. If you prefer to do the latter, mounting wall safes will not be very difficult because most wall safes are equipped with “flange”, thus, you don’t have to re-cover your walls.

When buying wall safes, there are certain elements you need to check first:

1. The ratings.

A quality wall safe has an Underwriters Laboratories rating. This means that the capability and efficiency of your wall safes is manifested by its ratings.

Basically, a safe with a Class-A rating can endure an inferno with a maximum of 2,000-degree heat for long hours. Whereas, a Class B-rated wall safe means that it can only endure a fire with 1,850-degree heat and will last for only two hours. The last rating, class C means that the safe is capable of enduring 1,000-degree heat and last for about an hour.

Like any safes, wall safes are also operated through a series of number combinations, keys, or electronic lock. Its function varies depending on the type you have chosen. It is upon your discretion which type of wall safe would best serve you most.

2. The price.

As with all commodities and products, wall safes are not created equal, and so, their value in the market will also vary from one to the other. Their variations may be due to the quality of composition or the dealer that distributes the material.

In most cases, the average wall safe will cost $400. And so, you have to shop around in order to get the best bargain. You may look at the Internet for available wall safes that will suit your needs.

However, when buying safes online, it is best that you see the items personally so as to scrutinize and evaluate if what the manufacturers claim online is actually true. After all, it is your money that is at risk and also your other valuables, so it is best to obtain a wall safe that can offer you both the protection that you need and the quality that you are looking for.

Generally, wall safes are used for the safekeeping of your valuables like jewelry, money, and even pertinent papers like contracts, deed of sales, and receipts. With wall safes you can be assured that all of your most treasured possessions are kept safely against burglars and accidents like fire.

So, for people who value their possessions, it is best to get wall safes. Not only are they easy to install, easy to access, and easy to manipulate but they are also house-friendly because you can place them in any part of your house without having to destroy or modify your interior decorations.

And so, it is better to think of your family and your finances’ safety now. As they say, an ounce of prevention is better than a pound of cure. Do not hesitate to invest a little amount of money on wall safes. You’ll never know what can happen next, so it is better to be safe than sorry.

For more great wall safe info and advice check out: www.secure-safes.com