Lowyat.NET: Latest topics by highwind

[WTS] Eastin Hotel Petaling Jaya Room - RM 190

highwind — Fri, 01 Aug 2014 14:59:52 +0800

Item(s):
Eastin Hotel Petaling Jaya - Room Only

Package includes:
This package is for room only and does not include breakfast. Can top up additional RM 100 to go Executive Deluxe

Price:
RM 190

Warranty:
N/A

Dealing method:
Online Banking Transfer

Location:
N/A

Contact method/details:
PM
---

Item(s) conditions:
N/A

Picture:
N/A

Reason for sale:
Initially plan to use for my parents when they visit KL but they had cancelled their trip.

[WTS] Web Hosting + Website Creation

highwind — Wed, 07 May 2014 07:39:52 +0800

Web Hosting + Website Creation @ RM 300 per year

Company Name: Latte Web Hosting (002247574-H)

Package includes:
- Website creation on WordPress + Genesis Framework from Studiopress
- Lifetime Domain Name
- 4 pages of Web Page Design (Home, Services, About, Contact)
- 2GB of Disk Space
- 20 GB of Bandwidth
- Up to maximum of 4 hosted domain names
- Unlimited Subdomain
- Unlimited Email Accounts
- Unlimited MYSQL Database

**Find out more info at here

Buffet + Free flow drinks

highwind — Tue, 22 Apr 2014 15:58:46 +0800

Item(s):
Korean BBQ & Steamboat Buffet + Free Flow of Drinks at Seoul Garden

Package includes:
Vouchers for 2 Pax

Price:
RM 79.80

Warranty:
None

Dealing method:
Online Payment + Email to transfer voucher

Location of seller:
Puchong

Contact method/details:
PM or SMS 016-4902831

Age of item:
New

---

Item(s) conditions:
New

Picture:

Reason for sale:
Extra vouchers being bought.

[WTS] PANASONIC CEILING FAN - FM15B0

highwind — Thu, 05 Dec 2013 22:46:45 +0800

Item(s):
PANASONIC CEILING FAN - FM15B0

Package includes:
- 60" Decorative Ceiling Fan
- 5-speed Electronic Regulator
- Enhanced Safety Features
- Low Noise
- Durable Advanced Motor
- Thermal Safety Fuse

Price:
RM 145.00

Warranty:
New unit - warranty included

Dealing method:
COD

Location of seller:
Puchong, Bukit Jalil, Subang, PJ, KL

Contact method/details:
PM or SMS or Whatsapp @ 016-4902831

Age of item:
N/A

---

Item(s) conditions:
New

Picture:
[attachmentid=3755319]

More info at:
Home Mart Plus
Senheng

Reason for sale:
I had bought these fan initially to install into my new house but due to the reason that my relative had given me a better fan, I decided to use that and sell this out.

PC Fix 2011 Registry Cleaner Giveaway

highwind — Mon, 26 Sep 2011 13:05:23 +0800

Hi

I'm launching a lucky draw contest to give away 3 copies of licensed Registry Cleaner. The product name is called PC Fix 2011. It is a product that is going to give you a registry clean up and better performance. If you are interested, just head over to this page for more details.

P/S: Hope I did not violate any T&C of this forum by posting this.

Top 10 Web Application Vulnerabilites

highwind — Tue, 31 May 2011 09:18:03 +0800

The top 10 list are:

10. Unvalidated Redirects and Forwards
In common, web application usually redirects or forwards users to another page or website and then use the data within to determine where the user should go. If the data is not validated properly, it could redirect the user to some malicious website as the data mentioned is going to determine where the user will go. By accessing the malicious URL, it is highly potential that the user will get his computer infected with Malware. This could potentially lead to a phishing attack.
Example of attack:
· http://www.your-site.com/redirect.jsp?url=phshing-site.com
· http://www.your-site.com/main.jsp?fwd=phishing-site.com

9. Insufficient Transport Layer Protection
Applications sometimes failed to protect the transport layer well. The transport layer that I mean here is using SSL/TLS as a methodology to protect the application data when transmitting between client and server or vice-versa. The purpose of this method is of course to encrypt the transmitting data. If the data are not encrypted, it can be easily stolen via man in the middle attack. In addition to this web application vulnerability, configuration of this method can be vital. Application should always use a strong encryption algorithm (at least FIPS 140-2) and it should also never use expired or invalid certificate. This is because it will cause the users to force themselves to accept the invalid certificate in order to browse the application. By doing this, it will eventually result in phishing attack easily as the user already have the habit to accept invalid certificates. As a conclusion to this, it is important to protect the transport layer in order to keep the data confidential and secured.

8. Failure to Restrict URL Access
Failure to restrict URL access here means that the application failed to restrict certain users who are not supposed to view restricted page. In other words, this means the user might not have the privilege to access or it could also possible that the user did not perform any authentication also able to gain access to the restricted page. If the attacker found out the page is vulnerable to this attack, he can just forge the URL to access the page especially administrator’s page. Once the attacker is there, he can just do whatever settings or actions that supposedly only administrator can perform. Thus, developer should ensure the restricted page is only accessible by the right person.

7. Insecure Cryptographic Storage
Passwords, credit card information and other sensitive data should be encrypted before storing into the database. If let say the attacker somehow manage to get the data in your database, it is still not completely compromised as it is already encrypted and the attacker will require a long long time to decrypt it. This of course only can happen if you encrypt the data properly with strong encryption algorithm and securely store the encryption key. In certain application, the developer did encrypt the data but left the key together with the data. Hence, the encrypted data can be easily decrypted by running some brute force to crack down the password the encryption key. The encryption key should always be separated from the application server. It is also recommended to use a hardware key container (HSM – Hardware Security Module) in your application to bring the security level of your application to another level.

6. Security Misconfiguration
Having a good security also means having a good security configuration. The security configuration here means that everything under the sky that is deployed to your web application such as web server, application server, database, files and folders, and also framework are all properly configured. This includes as well ensuring all the items mentioned are fully updated as the older version tend to have vulnerabilities that attacker can take advantage of. The usage of default account and password are strictly not recommended. Not only that, the error stack trace should be managed properly in the way that it does not exposed to the user. Attacker will love to see all the stack trace message as it can give them more clue on how to attack your web application. Therefore, only display a very high level message or general error message to the user. Security configuration needed to be planned properly and check carefully before deploying the web application to the public.

5. Cross-Site Request Forgery (CSRF)
The cross-site request forgery is quite a tricky vulnerability. What this vulnerability does is that it will forge the request through web URL when the victim clicked on any infected image link or even through cross-site scripting (XSS). This will change information that he did not actually requested to as an authenticated user. However, this require the user to be authenticated first by logging into the application and stored his authentication token into the session cookie.
Example of attack:
The user login into the application at www.myapp.com
The user then does his normal web browsing probably googling some image and click on a panda image that he found interesting.
Not realizing that the panda link is actually look like this in the html code:
<img src=”http://www.myapp.com/main?transferfund=1500&destination=hackerAcc” />
Once the image is clicked, the user will immediately perform the transfer to hacker’s account.
The drawback is that the attacker still need to guess the criteria to forge into the URL. Above is just an illustration as transferring funds should not be that simply implemented. However do bear in mind that if the attacker can do something that requires your authentication without him authenticating first, isn’t that sounds dangerous?

...

To continue reading this, you can refer to this Top 10 Web Application Vulnerabilities.

Is My Google Adsense Illegal?

highwind — Sat, 28 May 2011 12:54:45 +0800

Hi

I run a blog which has adsense ads and recently I made an amendment due to not getting clicks from the ads i put above my header. I had shifted to slightly lower which is above my content. However, usually before I start my post, I will put a picture first and I am not too sure whether did I violate the Google Adsense T&C. I heard rumours said that one cannot put the adsense ads near to a picture. Glad to be helped.

My site is:
IT Security Column

P/S: You can only see my problem in a single post page and not my home page.

Thanks again

Sony Hacked Again

highwind — Wed, 25 May 2011 09:41:09 +0800

Sony hacked again after the issue where 77 million Sony Playstation Network users were affected. It really seems like Japan is not having a good time. Apart from the old issue that just mentioned regarding the 77 million users, they were hit as well with the natural disasters, Tsunami and earthquake. Everyone would thought that Sony should be temporarily safe as they just got hacked, but no. Something Sony must had done to anger the hackers around to keep on penetrating their system.

Full Story

Mac immunity might be over soon

highwind — Thu, 19 May 2011 14:32:58 +0800

Check out the latest information on Mac Malware.

Securing online banking

highwind — Tue, 05 Apr 2011 16:36:55 +0800

Few tips here that can help out in the online banking security

http://www.itscolumn.com/2011/03/how-to-en...is-secured.html

Malaysia FIFA Clans

highwind — Sat, 22 Sep 2007 17:49:55 +0800

Hey guys,

Let me introduce myself first. I'm LoOn4tiC from [W|nDs]. As we all know, recently the FIFA gaming scene had improved so much. 128 participants for WCG 07, and 90 over participants for WGT 07 and still counting. Besides number of players participating, number of clans also increasing. As far as i know, there are 5 clan existed in Malaysia's FIFA scene, who are W|nDs, MyFES, FOX, METC and M|sT. The reason i started this topic is because i wanna gather all the clan members in a place where everyone can spread any incoming news on FIFA. Last year, W|nDs and MyFES have the first ever FIFA Clan War (as far as i know). So maybe next year we can have bigger clan war consist of 5 clans, or other clans can have their own respective clan war. If you don't mind, I hope the representative of each clan can PM me your contact number so that i can contact you all in future for any upcoming events.

The following representatives are:

[W|nDs] : LoOn4tiC
[MyFES] : Sildes, Arroyos
[ToRn@d0] : ken0777
[FOX] : BigBoss
[DEGASA] : Effy14
[METC] : -
[M|sT] : -

And if there are any new clan forming, you guys can post at this forum here to let the other FIFA players know about this

Regards,
[W|nDs] LoOn4tiC

WCG.MY Closing Video

highwind — Sun, 16 Sep 2007 14:08:47 +0800

Anyone has the closing video for wcg.my 2007? Not the prize giving, it's sort of like the overall review of what happened in WCG.MY 2007 throughout the whole WCG theme song (Beyong the Game).

Thanks !

PES5 Free Kick Help

highwind — Wed, 25 Jan 2006 18:58:54 +0800

Anyone can guide me through how to take a good free kick.... ?

My free kick always hit the wall or keeper catches the ball.........any guide to score better ?