Security – HM2K (http://hm2k.org/) – Research and development

Announcing Phurix Labs
Thu, 14 Jul 2011 23:06:31 +0000
https://hm2k.org/posts/announcing-phurix-labs
I’ve been thinking about retiring this site for some time now, but have been toying with the pros and cons.

A decision had to be made.

You see, the context of the HM2K blog has always had a subtle undertone of my business and the work I do online. That business is Phurix web hosting.

Phurix has always supported me and the blog, but unfortunately, because of other commitments I have less and less time to write and publish.

At first I thought the best solution would be to shut down the blog and call it a day, while a colleague said he thinks I should keep it online.

I’ve been thinking about a solution for a long time but then, while I was on holiday, it hit me.

Merge it into the Phurix brand and it made sense too:

  • HM2K.com was a hard concept to explain
    • Easier concept: Phurix Labs: “Where we experiment with ideas and findings”
  • HM2K.com had no context, it would often seem random
    • Makes more sense in the context of the business
  • HM2K.com had no real focus or agenda
    • Focus on what is important: the business
  • HM2K.com was a burden on one person
    • Shared with Phurix
  • HM2K.com was not making money
    • By improving brand awareness business will increase

A proposal was put forward and it went better than expected, it all seemed to fit together nicely. Perfect!

The decision was made and I have no regrets.

Today, we started by introducing a new “Phurix Labs” theme to HM2K.com, so phase one is done.

Over the next few days, the website will be migrated from here to “labs.phurix.net” (where it now belongs). That’s phase two.

Thanks for reading and I hope you continue to support the new Phurix Labs project.

These are exciting times, watch this space!

About Phurix

Since 2004, Phurix has offered affordable and reliable hosting services with a no nonsense approach. Phurix will continue to provide a high quality of service and engage with customers to ensure its future and growth.

Authorised cPanel Partner and OpenSRS partner.

About Phurix Labs

Phurix Labs is where we experiment with ideas and findings. You’ll find all sorts of useful tools and information.

Has friendster been hacked?
Wed, 01 Jun 2011 16:08:14 +0000
https://hm2k.org/posts/has-friendster-been-hacked
I noticed an unusual email when I checked my Gmail account today.

Sure it was spam, but this one was tagged with a “Password” tag, a tag that I used to filter any emails that contain an old password.

Lo and behold, there was my password displayed right in the email. So, of course, the first thing to do was to check the email headers to see how the email was routed.

I could not believe it!

To: “password1” <[email protected]>

Note: my password is not password1, I replaced it with that.

They had inserted my password instead of my name in the “To” part of the email headers.

The email address they sent to was an alias I had used specifically for friendster, so I knew where the address had come from. However, according to the email headers it definitely did not come from the friendster servers.

How did the spammers manage to get my password and email address?

I’ve certainly not used the account since about 2005, so it can’t be me.

Does friendster store their passwords in plain text?

I figured the easiest way to check is to issue a “forgot password” request and see what happens.

I received a “Your Friendster account information” email which contained my password in plain text, right in the email.

Yes, this means it is entirely possible that if somebody did hack into friendster they could recover my password (and everyone else’s) directly from the database.
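For contrast, here is the way an account store should behave so that a “forgot password” request cannot echo the password back: it keeps only a salted PBKDF2 hash and issues a one-time reset token instead. This is an added example written for this post, not friendster’s code; the account record layout and token handling are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Added example (not from the original post): a minimal account store that
# holds only salt + PBKDF2 digest, so a reset flow has no password to mail out.
ITERATIONS = 100_000  # slow on purpose; tune for your hardware


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def new_account(email: str, password: str) -> dict:
    salt, digest = hash_password(password)
    return {"email": email, "salt": salt, "digest": digest}


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def forgot_password(account: dict) -> dict:
    """What the reset mail should carry: a random one-time token, never the
    password. Only a hash of the token is stored, so a database leak does not
    hand out usable reset links either."""
    token = secrets.token_urlsafe(32)
    account["reset_token_hash"] = hashlib.sha256(token.encode()).digest()
    return {"to": account["email"], "reset_token": token}


def redeem_reset(account: dict, token: str, new_password: str) -> bool:
    """Consume the token and set a new password; False on a bad or used token."""
    expected = account.get("reset_token_hash")
    presented = hashlib.sha256(token.encode()).digest()
    if expected is None or not hmac.compare_digest(presented, expected):
        return False
    del account["reset_token_hash"]  # single use
    account["salt"], account["digest"] = hash_password(new_password)
    return True
```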

What does this mean for friendster?

Well, probably not a lot since most people are waving bye-bye to friendster anyway as friendster starts to delete all user data from their servers.

My tip: Don’t delay, delete it today!

Update 02/06/11

Yesterday I emailed friendster to notify them of a serious security concern, today I received this reply:

Thank you for reporting this to us.  We take reports like this seriously and we shall make the proper investigation on your concern.  Unfortunately, we don’t have a specific time frame on when the investigation will be completed. We apologize for the inconvenience.

Regards,

Frank

Customer Support

P.S. Thanks for your comments, I’m glad I’m not alone. Keep them coming!

XSS: Get linked from Dmoz instantly
Thu, 24 Mar 2011 09:07:31 +0000
https://hm2k.org/posts/get-linked-from-dmoz-instantly
Recently, like many of you, I’ve had some trouble getting websites listed on the AOL owned “Open Directory Project” known as Dmoz.

So, looking back at a post written by Oatmeal which explains how to get 20 .gov links in 20 minutes I wondered if the same was possible for Dmoz…

After very little searching I soon discovered that the main search function of Dmoz is vulnerable.

This means malicious users could easily place HTML code into the search form input box and manipulate the markup on the site (aka Cross Site Scripting or XSS).

Here’s a proof of concept showing how you would link to example.com with the anchor text as “Look, I made a link”:

http://www.dmoz.org/search?q=%3Ch1%3E%3Ca+href%3D%22http%3A%2F%2Fexample.com%22%3ELook%2C+I+made+a+link%3C%2Fa%3E%3C/h1%3E

View the compromised page (screenshot)

To make this effective, you would simply swap out the domain and the anchor text and (in theory) link to the resulting URL from various other websites so that it eventually gets indexed and starts passing link juice for things like PageRank.

This is not the first time that Dmoz has been subject to such a flaw, as in 2007 they were subject to a similar XSS vulnerability in their blog search.

There are many well established ways Dmoz could fix this (aside from fixing their site code) on the server but they have chosen not to. I’m not sure why.
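The pattern behind the proof of concept above, and the standard fix, as an added example that is not Dmoz’s code: the query string is decoded the way the server sees it, reflected verbatim into the results page (the flaw), then entity-encoded before it is placed in the page (the fix). The render functions and the regression check are assumptions written for this post.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The proof-of-concept URL quoted in the post, used here as sample input.
POC_URL = (
    "http://www.dmoz.org/search?q=%3Ch1%3E%3Ca+href%3D%22http%3A%2F%2Fexample.com"
    "%22%3ELook%2C+I+made+a+link%3C%2Fa%3E%3C/h1%3E"
)


def query_from_url(url: str) -> str:
    """Decode the q parameter exactly as the search handler would receive it."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_vulnerable(q: str) -> str:
    # Assumed shape of the flawed page: the search term is echoed into the
    # markup unencoded, so any tags in it become part of the page.
    return f"<p>Results for: {q}</p>"


def render_fixed(q: str) -> str:
    # Entity-encode untrusted text before placing it in an HTML element body;
    # quote=True also covers the attribute-context characters.
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def reflects_markup(page: str, q: str) -> bool:
    """Regression check: a query containing a tag appears unencoded in the page."""
    return "<" in q and q in page
```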

Is there any SEO value in this type of link? It’s uncertain.

Is there a security risk? Yes, definitely.

Dmoz is not the only site to ever become subject to an XSS exploit; Twitter has been vulnerable plenty of times, but by golly they fixed it.

Will Dmoz pull their finger out, or is he dead, Jim?

Note: Dmoz Staff were unavailable for comment at time of publication (email address was unreachable).
