
Another Hacker Warning

Printed From: Web Wiz Forums
Category: General Discussion
Forum Name: General Discussion
Forum Description: General discussion and chat on any topic.
URL: https://forums.webwiz.net/forum_posts.asp?TID=11801
Printed Date: 28 March 2026 at 4:39pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: Another Hacker Warning
Posted By: MadMaximus
Subject: Another Hacker Warning
Date Posted: 14 September 2004 at 7:05am

Hello peeps, just thought I should warn you that the WebWiz site has been a topic of conversation on an Arabic Hacker site. I only know this because the group was responsible for hacking over 100 forums and guest books at the beginning of September. They aren't very good, they appear to be just script kiddies taking advantage of ppl that leave install scripts kicking around after installs. I'm afraid I can't read Arabic or I'd tell you the content, but just the fact that WebWiz Guide URL is mentioned in one of the threads means ur gonna be targeted. I've been tracking this group for about a month now, and I've already passed on their details to the relevant countries' authorities, but I doubt that much will happen.

The URL if anyone is interested is http://members.lycos.co.uk/abducter/

You need to register to see any of the posts (surprise surprise) I used an online translator and came up with an Arabic name to avoid drawing attention to myself. I've translated some of their other stuff and they believe they are doing it in the name of Allah.
Take care and be careful.




Replies:
Posted By: zMaestro
Date Posted: 14 September 2004 at 2:51pm
there are plenty of Arabic users here... no need for translators


Posted By: zMaestro
Date Posted: 14 September 2004 at 2:56pm

FAKE ALARM...



Posted By: Semikolon
Date Posted: 14 September 2004 at 3:06pm
what was it all about?


Posted By: zMaestro
Date Posted: 14 September 2004 at 3:54pm
you won't believe me.. so better to keep silent


Posted By: zMaestro
Date Posted: 14 September 2004 at 3:59pm

simply it says :

A SECURITY HOLE IN Web Wiz Guide

  1. Do a search in google for Web Wiz.
  2. Find some forums working with Web Wiz.
  3. download the access database from the address http://website/admin/wwforum.mdb
  4. open it with Microsoft Access and you'll find the password for the admin area
  5. login to the admin area... and..



Posted By: Semikolon
Date Posted: 14 September 2004 at 4:09pm
why shouldn't I believe you? because you are Arabian? 


Quote A SECURITY HOLE IN Web Wiz Guide
  1. Do a search in google for Web Wiz.
  2. Find some forums working with Web Wiz.
  3. download the access database from the address http://website/admin/wwforum.mdb
  4. open it with Microsoft Access and you'll find the password for the admin area
  5. login to the admin area... and..

übern00bs, the passwords are encrypted unless you have turned the encryption off or are running an old version..


Posted By: MadDog
Date Posted: 14 September 2004 at 4:10pm
The only people that get their forum hacked are complete noobs that don't read the ReadMe files!!!! If they can't follow simple directions they need to be hacked to learn a lesson.

-------------
http://www.iportalx.net


Posted By: zMaestro
Date Posted: 14 September 2004 at 4:14pm

Originally posted by Semikolon Semikolon wrote:

why shouldn't I believe you? because you are Arabian? 

No, but because it is so silly to be believed or considered a hacking attempt for Web Wiz.



Posted By: Semikolon
Date Posted: 14 September 2004 at 4:15pm
Originally posted by MadDog MadDog wrote:

The only people that get their forum hacked are complete noobs that don't read the ReadMe files!!!! If they can't follow simple directions they need to be hacked to learn a lesson.


unless some pros have been out hacking of course


Posted By: Mart
Date Posted: 14 September 2004 at 4:44pm

Originally posted by MadDog MadDog wrote:

The only people that get their forum hacked are complete noobs that don't read the ReadMe files!!!! If they can't follow simple directions they need to be hacked to learn a lesson.

Everyone was a newbie at some point, give them a break.



Posted By: Semikolon
Date Posted: 14 September 2004 at 4:47pm


Posted By: MadDog
Date Posted: 14 September 2004 at 6:33pm
Originally posted by Mart Mart wrote:

Originally posted by MadDog MadDog wrote:

The only people that get their forum hacked are complete noobs that don't read the ReadMe files!!!! If they can't follow simple directions they need to be hacked to learn a lesson.

Everyone was a newbie at some point, give them a break.

No really? lol. i was actually hacked twice back in the day

<edit> Like i said, they need to be taught a lesson. No better way to learn than to actually have it done to ya.



-------------
http://www.iportalx.net


Posted By: Gullanian
Date Posted: 14 September 2004 at 7:21pm
Are you a good teacher in that department?


Posted By: Mart
Date Posted: 15 September 2004 at 2:47am
lol


Posted By: MadDog
Date Posted: 15 September 2004 at 3:11am

Originally posted by Gullanian Gullanian wrote:

Are you a good teacher in that department?

Would you like me to be?

*giving out free lessons on how to kick you in the ass lol jk*



-------------
http://www.iportalx.net


Posted By: the boss
Date Posted: 15 September 2004 at 6:06am
a hacker would shoot himself dead rather than be so stupid...

-------------
http://www.web2messenger.com/theboss


Posted By: Bluefrog
Date Posted: 15 September 2004 at 8:46am

Well... it was nice of the guy to post it to let people know anyways.

And as for "needing to be hacked"... come on Maddog... You can't really think that. It's not so much about the forum owner/admin as all the members who get their passwords stolen.

Imagine you sign up at some site, the site gets hacked, and you lose control of other logins and email accounts... Not a nice picture, but pretty realistic.

Most people only use a few weak passwords for everything.

I hacked some site a while ago - by accident of course - and man... talk about brutal passwords, as in easily bruted  - 1234, love, same as login... Just curiosity really. But I could have done a LOT of damage because I got a LOT of information from it... Thankfully I'm a nice guy  

 



-------------
http://renegademinds.com/ - Renegade Minds - Guitar Software | http://renegademinds.com/Default.aspx?tabid=65 - Slow Down Music


Posted By: dpyers
Date Posted: 15 September 2004 at 12:17pm

lol - I spent around a month one year waiting for a new credit card to be issued after a site I bought a cd from got their db hacked. They got their lesson by being driven out of business. I didn't need to share the lesson.

When buying from a new site, I sometimes send them an email asking what's done to protect my info when it's stored on their site - not while it's in transit between me and their site. If they send me some crap about ssl securing transactions, I figure they don't have a clue.



-------------

Lead me not into temptation... I know the short cut, follow me.


Posted By: xeerex
Date Posted: 15 September 2004 at 4:40pm
Originally posted by MadDog MadDog wrote:

The only people that get their forum hacked are complete noobs that don't read the ReadMe files!!!! If they can't follow simple directions they need to be hacked to learn a lesson.


Typical comment made in arrogance. That really helps build the community around here coming from someone who is a total newbie in customer relations.

<wishes he had saved MD's comments and whining from MD's last forum hack...and the fact that MD stated he was going to quit>
^^ now that is a newbie



-------------
http://webspacegeeks.com - Need Hosting, Domains, Dedicated Servers?
http://www.smartergeek.com - web design | pc support | training | podcasts | video production


Posted By: MadDog
Date Posted: 15 September 2004 at 6:13pm
Man you guys are missing the point completely!

-------------
http://www.iportalx.net


Posted By: Bluefrog
Date Posted: 15 September 2004 at 6:15pm

I get the point - some people need to stick their hand in the fire to find out it burns.

Unfortunately some of those people are holding other people's hands at the same time.



-------------
http://renegademinds.com/ - Renegade Minds - Guitar Software | http://renegademinds.com/Default.aspx?tabid=65 - Slow Down Music


Posted By: xeerex
Date Posted: 15 September 2004 at 10:47pm
I get the point MD as I had to learn like everyone else -- by installing it and "hacking" away at the code to learn with many kudos to -borg-.

However, I think the "best" way for someone to learn is to pay attention to the documentation and then get instructions from others. The worst way is to have a damn board hacked. Whether a fault of the installation or not, it can still lead to "bad press" for the WWG, more troubleshooting questioning with a bad attitude, etc. A far better solution is preventive advice from the community here who are willing to offer real help and not smart-ass comments with an elitist attitude. Get that point?

<gets off his soapbox and surfs the forum to try and offer helpful advice>


-------------
http://webspacegeeks.com - Need Hosting, Domains, Dedicated Servers?
http://www.smartergeek.com - web design | pc support | training | podcasts | video production


Posted By: MadDog
Date Posted: 16 September 2004 at 7:32pm

You guys are still not getting my point.

The point is, if someone can't take 2 seconds to read a readme file (must always read the readme files!) and they get hacked because they can't follow directions, they needed to be hacked to learn a lesson that readme files are there for a reason and should be read for a reason.

Bruce didn't spend hours (maybe even days) creating documentation just to hear people say they were hacked and they didn't read the instructions!



-------------
http://www.iportalx.net


Posted By: xeerex
Date Posted: 16 September 2004 at 7:37pm
Guess you didn't get the point as usual MD ---

10 ? "You are supposed to be a professional."
20 ? "Read my post above"
30 Goto 10


-------------
http://webspacegeeks.com - Need Hosting, Domains, Dedicated Servers?
http://www.smartergeek.com - web design | pc support | training | podcasts | video production


Posted By: zMaestro
Date Posted: 17 September 2004 at 6:50am
Originally posted by MadDog MadDog wrote:

You guys are still not getting my point.

Bruce didn't spend hours (maybe even days) creating documentation just to hear people say they were hacked and they didn't read the instructions!

I agree.

sure he didn't write it for himself.



Posted By: zMaestro
Date Posted: 17 September 2004 at 6:52am
Originally posted by dpyers dpyers wrote:

When buying from a new site, I sometimes send them an email asking what's done to protect my info when it's stored on their site - not while it's in transit between me and their site. If they send me some crap about ssl securing transactions, I figure they don't have a clue.

I agree... once a site owner came to me to re-develop his website, he gave me the database containing all his customers credit cards

Thanks God I'm good



Posted By: MadDog
Date Posted: 17 September 2004 at 5:47pm

Originally posted by xeerex xeerex wrote:

Guess you didn't get the point as usual MD ---

10 ? "You are supposed to be a professional."
20 ? "Read my post above"
30 Goto 10

I don't live for yours or other peoples standard. I live how i want and do what i want. Don't tell me what i have to be.



-------------
http://www.iportalx.net


Posted By: Bluefrog
Date Posted: 17 September 2004 at 9:00pm
Originally posted by zMaestro zMaestro wrote:

Originally posted by MadDog MadDog wrote:

You guys are still not getting my point.

Bruce didn't spend hours (maybe even days) creating documentation just to hear people say they were hacked and they didn't read the instructions!

I agree.

sure he didn't write it for himself.

We say RTFM for a reason  ... i.e. Read The  Manual (for those who don't...)

This is just a matter of work ethic - people who are too lazy to RTFM don't deserve our sympathy when they get hacked. Maybe that's a better way to state it MD - I think that people are zeroing in on the "they deserved to get hacked", which kind of seems the same as, "oh, she deserved to get raped", which is a pretty hard pill to swallow. Just because someone is an idiot doesn't mean that they deserve to be victimized. However, neither do they deserve our sympathy.

If that's what you're trying to say, then I'm sure most people will agree.

 



-------------
http://renegademinds.com/ - Renegade Minds - Guitar Software | http://renegademinds.com/Default.aspx?tabid=65 - Slow Down Music


Posted By: MadDog
Date Posted: 17 September 2004 at 9:02pm
Yup that's basically what i was trying to say, just couldn't think of another way to say it.

-------------
http://www.iportalx.net


Posted By: Semikolon
Date Posted: 19 September 2004 at 3:21pm
ro ro til fiskeskjær


Posted By: dpyers
Date Posted: 19 September 2004 at 4:38pm

Originally posted by Semikolon Semikolon wrote:

ro ro til fiskeskjær

Are you doing something with a fish in a jar?



-------------

Lead me not into temptation... I know the short cut, follow me.


Posted By: theSCIENTIST
Date Posted: 19 September 2004 at 7:15pm

This topic is going nowhere.

I'm with MD, some people must learn the lesson, I mean, when I first started using WWF, I didn't read any manual, but the first thing I did, was to change the MDB location and filename (later I even configured URLScan to deny the downloads of MDB files), it's not a question on whether people must read the manual or not (it's always better if they do) it's also about putting the grey mass to work every now and then, how can you install a board system, then leave the main MDB file in its original location with its original filename, or if it's the SQL version, how can you leave the DB creation script file untouched? What are you asking for? That someone will teach you a lesson, the hard way.

As for the users, there's always a risk the forum admin will not be responsible, but if in doubt, mail the guy before you register.



Posted By: Semikolon
Date Posted: 20 September 2004 at 9:56am
Originally posted by dpyers dpyers wrote:

Originally posted by Semikolon Semikolon wrote:

ro ro til fiskeskjær

Are you doing something with a fish in a jar?



It was a comment I didn't want to state in English

(yes, it was about fish, but not in a jar)


Posted By: Semikolon
Date Posted: 20 September 2004 at 9:58am
Originally posted by theSCIENTIST theSCIENTIST wrote:

This topic is going nowhere.

I'm with MD, some people must learn the lesson, I mean, when I first started using WWF, I didn't read any manual, but the first thing I did, was to change the MDB location and filename (later I even configured URLScan to deny the downloads of MDB files), it's not a question on whether people must read the manual or not (it's always better if they do) it's also about putting the grey mass to work every now and then, how can you install a board system, then leave the main MDB file in its original location with its original filename, or if it's the SQL version, how can you leave the DB creation script file untouched? What are you asking for? That someone will teach you a lesson, the hard way.

As for the users, there's always a risk the forum admin will not be responsible, but if in doubt, mail the guy before you register.



but remember, some people are so übern00bs they don't understand the manual/readme, they have no idea what an MDB file is, and they don't think about security issues with an unmodified release, and they don't deserve to be hacked! they can't do nothing for it


Posted By: xeerex
Date Posted: 20 September 2004 at 10:21am
Originally posted by MD MD wrote:

I don't live for yours or other peoples standard. I live how i want and do what i want. Don't tell me what i have to be.


Ahhh...Well I was hoping that your clients who help pay your bills came into that mix somewhere, but I see as usual you only think of yourself.


Originally posted by theScientist theScientist wrote:

This topic is going nowhere.


I'd respectfully disagree with that statement. Maybe some of the newbie's will read this thread and gain some knowledge or ask questions about how to prevent mdb downloads, etc.

The problem is that you will have a lot of people who find WWG and are very ignorant (not necessarily stupid) of how a website works much less security, etc. My opinion (and my business) is built on teaching users about security, viruses, spyware, etc. I carry this over into the message boards where I try to lend my little bit of knowledge. Instead of having an elitist attitude, I try to help users along and point them in the right directions. Sometimes it seems very obvious to those of us with experience, but to a newbie it can be a struggle.

As a certified trainer, I can tell you that some people don't pick up on certain things right off the bat even with instructions right there. If they don't understand the dynamics of a website then renaming the database or moving its location and totally comprehending that sure as hell won't turn on the light bulb right away. However, rather than say "they deserve to be hacked" which will leave them with a bad attitude, tarnish WWG's reputation (even if undeserved), and possibly discourage them from learning, I say they deserve to be pointed in the right direction and helped.

-borg- doesn't have time to do this and give away the forum for free. This effort should be (and many times it is) up to us as a community not as elitist know-it-alls who tell people -- "well you deserved to get hacked." What we should be doing instead of debating this is writing a very thorough and more user-friendly help system for -borg-. His instructions are fine, but there is room for improvement in friendliness and we should step up to the plate IMHO.


-------------
http://webspacegeeks.com - Need Hosting, Domains, Dedicated Servers?
http://www.smartergeek.com - web design | pc support | training | podcasts | video production


Posted By: Semikolon
Date Posted: 20 September 2004 at 10:56am
Originally posted by MadDog MadDog wrote:

Originally posted by xeerex xeerex wrote:

Guess you didn't get the point as usual MD ---

10 ? "You are supposed to be a professional."
20 ? "Read my post above"
30 Goto 10

I don't live for yours or other peoples standard. I live how i want and do what i want. Don't tell me what i have to be.



If everybody should live like you then, you wouldn't have the rights to care if I took your portal (I have a legal copy), replaced Invision with Simen's and distributed it for free


Posted By: Semikolon
Date Posted: 20 September 2004 at 10:56am
Originally posted by xeerex xeerex wrote:

Originally posted by MD MD wrote:

I don't live for yours or other peoples standard. I live how i want and do what i want. Don't tell me what i have to be.


Ahhh...Well I was hoping that your clients who help pay your bills came into that mix somewhere, but I see as usual you only think of yourself.


Originally posted by theScientist theScientist wrote:

This topic is going nowhere.


I'd respectfully disagree with that statement. Maybe some of the newbie's will read this thread and gain some knowledge or ask questions about how to prevent mdb downloads, etc.

The problem is that you will have a lot of people who find WWG and are very ignorant (not necessarily stupid) of how a website works much less security, etc. My opinion (and my business) is built on teaching users about security, viruses, spyware, etc. I carry this over into the message boards where I try to lend my little bit of knowledge. Instead of having an elitist attitude, I try to help users along and point them in the right directions. Sometimes it seems very obvious to those of us with experience, but to a newbie it can be a struggle.

As a certified trainer, I can tell you that some people don't pick up on certain things right off the bat even with instructions right there. If they don't understand the dynamics of a website then renaming the database or moving its location and totally comprehending that sure as hell won't turn on the light bulb right away. However, rather than say "they deserve to be hacked" which will leave them with a bad attitude, tarnish WWG's reputation (even if undeserved), and possibly discourage them from learning, I say they deserve to be pointed in the right direction and helped.

-borg- doesn't have time to do this and give away the forum for free. This effort should be (and many times it is) up to us as a community not as elitist know-it-alls who tell people -- "well you deserved to get hacked." What we should be doing instead of debating this is writing a very thorough and more user-friendly help system for -borg-. His instructions are fine, but there is room for improvement in friendliness and we should step up to the plate IMHO.


can't agree more


Posted By: theSCIENTIST
Date Posted: 21 September 2004 at 7:10am

Ok, let's put this in context, if some people don't pick it up even with instructions, many millions of pages out there explaining the ins and outs of just about anything, and go about setting up a board system then because of ignorance, don't secure it, or leave security to second plan, I think that when they get hacked, that will be the day they will start treating things differently.

Another example, my car has been broken into 3 times, I lost 3 stereos, every time it happens to me, I change my strategy, I put stickers inside reminding me not to leave the stereo in the car, I park elsewhere, install a better alarm and all that, if it wasn't for the fact that it has been broken into 3 times, I wouldn't have gone about securing it, maybe even leaving the windows open, I learn the lesson, and continue to learn.

This is the kind of thing that some people need, they are too lazy to read technical references, experiment, learn from others, and make the necessary changes when it comes to it, I still stand (they need to learn the lesson the hard way), those that don't need this, are the ones that make the effort to secure their systems and still end up hacked.

As for the board creators, there is still something that could be done, for instance, the Access version, why distribute an MDB with the package, when the MDB can be created, saving distro size, and while you are at it, dynamically create it with a unique name (ie. ddmmyyhhmmss_Forum.mdb), also, and this works for both Access and SQL, after DB creation, the default.asp should delete the DB creation script files the first time the forum runs, all these operations should be included on the instructions.

How's that?



Posted By: Semikolon
Date Posted: 21 September 2004 at 9:46am
Originally posted by theSCIENTIST theSCIENTIST wrote:

Ok, let's put this in context, if some people don't pick it up even with instructions, many millions of pages out there explaining the ins and outs of just about anything, and go about setting up a board system then because of ignorance, don't secure it, or leave security to second plan, I think that when they get hacked, that will be the day they will start treating things differently.



somebody ignores the security on purpose (like me lol), and maybe we deserve a bit to be hacked, but quite a lot of people have no idea what the thing is about and they CAN'T understand what the hell a manual tries to tell them, you can't say they deserve to be hacked!


Posted By: xeerex
Date Posted: 21 September 2004 at 12:34pm
Originally posted by thescientist thescientist wrote:

install a better alarm and all that


LMAO -- a little off topic but who exactly pays attention to an annoying car alarm anyway? Beyond that there is rarely anyone in any given situation who would have the fortitude to do something if the alarm was noticed and was legitimate (I would). Put a smoke-producing alarm in the car. People tend to do something about fires....

Now to relate the above paragraph to our subject, suppose someone does pay attention to the following from the instructions:

Originally posted by Item 2 of the 7.9a Installation page Item 2 of the 7.9a Installation page wrote:


Check with your web hosts that you can use a DSN-less connection to an Access database on your web space and that you have sufficient permissions to write to this database. If your hosts require that you have the forum's Access database in a specially set up directory please see Moving the Location and/or Renaming the Forum Database (renaming_and_moving_db.htm).


They upload the forum files, have the host put WRITE permissions on the database and go about their merry way since the host "didn't require the database in a specific directory." Why go to the "renaming" page if it's necessary? They then unintentionally bypass the hacker warning, which I think should be stated on the first installation page.

By your logic, if their forum gets hacked then they "deserved it" since they were a newbie? They post here and you are going to tell them that? That is bad logic my friend and bad public relations. It's very similar to the car alarm. Having one and getting your car broken into doesn't mean you deserved to have your things tampered with. It means you followed assumed principles, but after a problem you need help.

Originally posted by thescientist thescientist wrote:

As for the board creators, there is still something that could be done, for instance, the Access version, why distribute an MDB with the package, when the MDB can be created, saving distro size, and while you are at it, dynamically create it with a unique name (ie. ddmmyyhhmmss_Forum.mdb), also, and this works for both Access and SQL, after DB creation, the default.asp should delete the DB creation script files the first time the forum runs, all these operations should be included on the instructions.


Good idea in theory, but how much time are you willing to dedicate to the helping on this forum for the myriad of problems and issues that will result from different hosting configurations etc?


-------------
http://webspacegeeks.com - Need Hosting, Domains, Dedicated Servers?
http://www.smartergeek.com - web design | pc support | training | podcasts | video production


Posted By: dpyers
Date Posted: 21 September 2004 at 2:15pm

Actually, one of the simpler things you can do is just drop the .mdb extension and move it to a directory outside of your webroot.

Rename it to .asp or just leave it off. If it's .asp, IIS will try to run it as a script instead of downloading it like it's normally configured to do with a .mdb file. If you just leave it off, it'll get treated as a directory by iis. Either way, someone who tries to access it directly gets a screwy error.



-------------

Lead me not into temptation... I know the short cut, follow me.
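
A check an admin can run against their own site after following the advice above, as an added example that is not part of dpyers's post or of Web Wiz Forums: it walks a local webroot and reports any Access database still inside it, recognising the file by its header bytes so a renamed copy is found too. The function names, tags and sample tree are assumptions made for the illustration; `wwforum.mdb` is the default name quoted earlier in the thread.

```python
import os
import tempfile

# Access files start with bytes 00 01 00 00 followed by a format name.
SIGNATURES = (
    b"\x00\x01\x00\x00Standard Jet DB",   # .mdb
    b"\x00\x01\x00\x00Standard ACE DB",   # .accdb
)
DB_EXTENSIONS = {".mdb", ".accdb"}
DEFAULT_NAMES = {"wwforum.mdb"}   # default filename quoted earlier in this thread


def is_access_database(path):
    """True if the file's first 19 bytes are an Access (Jet/ACE) header."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(19)
    except OSError:
        return False
    return head in SIGNATURES


def audit_webroot(webroot):
    """Return sorted [(relative_path, [tags])] for database files under webroot.

    Tags (names chosen for this example):
      default-name  file still has the name it shipped with
      db-extension  file has a .mdb/.accdb extension
      renamed-db    content is an Access database but the extension hides it
    """
    findings = []
    for folder, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(folder, name)
            ext = os.path.splitext(name)[1].lower()
            by_content = is_access_database(full)
            if not by_content and ext not in DB_EXTENSIONS:
                continue  # ordinary page, script or image
            tags = []
            if name.lower() in DEFAULT_NAMES:
                tags.append("default-name")
            if ext in DB_EXTENSIONS:
                tags.append("db-extension")
            elif by_content:
                tags.append("renamed-db")
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            findings.append((rel, tags))
    return sorted(findings)


def build_demo_tree(base):
    """Create a constructed sample site under base and return its webroot."""
    header = SIGNATURES[0] + b"\x00" * 64   # constructed stand-in, not a real database
    layout = {
        "wwwroot/admin/wwforum.mdb": header,       # untouched default install
        "wwwroot/data/forum.asp": header,          # renamed but still served
        "wwwroot/default.asp": b"<% Response.Write \"hello\" %>",
        "private/forum_db": header,                # moved outside the webroot
    }
    for rel, content in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return os.path.join(base, "wwwroot")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, tags in audit_webroot(build_demo_tree(tmp)):
            print(f"{rel}: {', '.join(tags)}")
```

An empty result for the real webroot means no database file is reachable by path under it, which is the state the "move it outside of your webroot" advice aims for.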


Posted By: theSCIENTIST
Date Posted: 21 September 2004 at 3:25pm

Originally posted by xeerex xeerex wrote:

LMAO -- a little off topic but who exactly pays attention to an annoying car alarm anyway? Beyond that there is rarely anyone in any given situation who would have the fortitude to do something if the alarm was noticed and was legitimate (I would). Put a smoke-producing alarm in the car. People tend to do something about fires....

Speaking streetwise, over here you install one of those smoke-producing alarms, that would certainly get the crook out of the car, just to come back minutes later to set the car on fire because you have upset him.

Originally posted by xeerex xeerex wrote:

By your logic, if their forum gets hacked then they "deserved it" since they were a newbie? They post here and you are going to tell them that? That is bad logic my friend and bad public relations...

Right, so they get hacked and it's my fault? Maybe I should've anticipated that? They post here and I should say "sorry, totally my fault!". Newbies or not, and some people are not newbies at all, they just don't take security seriously, it's common sense and the answer is everywhere if they are bothered to look. I'm trialing a new service for my freelancing hours, that involves telling all my clients, (most are local businesses) about security, and can you believe, the week after when I visit again, they still operate unsecure as they were before. I repeat, some people just don't take security seriously enough, and if/when they get hacked that is not going to be my fault, and no one else deserves the blame but themselves.

Originally posted by xeerex xeerex wrote:

...It's very similar to the car alarm. Having one and getting your car broken into doesn't mean you deserved to have your things tampered with. It means you followed assumed principles, but after a problem you need help.

Of course I deserved it, I left the stereo in it, I parked on the wrong street even though I knew that it was a rough street. The crook is to blame also, but over here in the UK, this kind of petty crime won't get them in prison, so no point trying to find out who did it, because that won't get me anywhere, totally my fault. After these problems, I won't need help, I'm even more prepared than I was before, better parking spots, and absolutely no stereos left in the car.



Posted By: MadDog
Date Posted: 21 September 2004 at 3:36pm

I once had a car stereo put in my first car i bought. 3 months later it was broken into.

After that i had a car alarm put in it and started to park in safer places and never parked it at a public parking lot at night.

What is my point? The point is, you need to have something go wrong for you to pay attention in the future. Being hacked once or having a car broken into once to me is a good thing, it taught me a lesson and makes me think when i park my car or start coding something new to make sure it's secure.

It's as if someone was to start learning asp by themselves. They start off coding like sh*t (just like anyone would) and probably would continue to do so until something bad happened like their little app was to get hacked or bring down a server. After that first time, it probably wouldn't happen again because they learned from the first mistake.

People make mistakes and learn from them, it's a fact of life.



-------------
http://www.iportalx.net


Posted By: Semikolon
Date Posted: 21 September 2004 at 3:45pm
Originally posted by theSCIENTIST theSCIENTIST wrote:

Originally posted by xeerex xeerex wrote:

By your logic, if their forum gets hacked then they "deserved it" since they were a newbie? They post here and you are going to tell them that? That is bad logic my friend and bad public relations...

Right, so they get hacked and it's my fault? Maybe I should've anticipated that? They post here and I should say "sorry, totally my fault!". Newbies or not, and some people are not newbies at all, they just don't take security seriously, it's common sense and the answer is everywhere if they are bothered to look. I'm trialing a new service for my freelancing hours, that involves telling all my clients, (most are local businesses) about security, and can you believe, the week after when I visit again, they still operate unsecure as they were before. I repeat, some people just don't take security seriously enough, and if/when they get hacked that is not going to be my fault, and no one else deserves the blame but themselves.



again: they may be noobs that DON'T UNDERSTAND HOW TO MAKE THINGS SECURE, how can you know they ignored what you told them? they may just not have understood it!
I know quite a lot of persons like this myself, they never learn (not only security) just because they are plain noobs when it comes to some things


Posted By: Semikolon
Date Posted: 21 September 2004 at 3:48pm
MadDog wrote:

I once had a car stereo put in my first car I bought. 3 months later it was broken into.

After that I had a car alarm put in it and started to park in safer places and never parked it at a public parking lot at night.

What is my point? The point is, you need to have something go wrong for you to pay attention in the future. Being hacked once or having a car broken into once to me is a good thing, it taught me a lesson and makes me think when I park my car or start coding something new to make sure it's secure.

It's as if someone was to start learning ASP by themselves. They start off coding like sh*t (just like anyone would) and probably would continue to do so until something bad happened like their little app was to get hacked or bring down a server. After that first time, it probably wouldn't happen again because they learned from the first mistake.

People make mistakes and learn from them, it's a fact of life.



This is completely different from your first post: "They deserve to be hacked"


Posted By: theSCIENTIST
Date Posted: 21 September 2004 at 4:27pm

Hold on a sec, if these newbies learned how to connect to the Internet, how to download WWF, extract it locally, upload it by whatever means, ask for MDB write permissions, why can't they also learn a little bit about security?

Is it due to lack of time?
Exhausted their brain capacity and can't go any further?
Were just about to secure their boards when a lightning strike destroyed their monitor?
Forgetfulness?
Just can't understand it, but managed to do all the rest alright?

Or is it:

Not important to them?
All the bad things won't happen to them?
Who would know about their site anyway?
Why bother?
Why read?
Why secure the thing when they could be watching pr0n?

I bet most of these things go through some people's minds when it comes to security.

Who deserves what after all?



Posted By: MadDog
Date Posted: 21 September 2004 at 4:47pm

I think what goes through their minds is:

"All the bad things won't happen to them?
Who would know about their site anyway?"



-------------
http://www.iportalx.net


Posted By: xeerex
Date Posted: 22 September 2004 at 8:27am
thescientist wrote:

Hold on a sec, if these newbies learned how to connect to the Internet, how to download WWF, extract it locally, upload it by whatever means, ask for MDB write permissions. Why can't they also learn a little bit about security?


As evidenced by the ridiculous and rapid spread of "viruses" via email attachment including corporate environments where users many times undergo training, knowing how to connect to the internet (can we say AOHell), click a link to download a file, unzip (pretty common knowledge now especially with it built into XP), and upload via FTP (very easy) or by a webupload form which many hosts offer, does not equal knowing a thing about security. It's also not that difficult to post a trouble ticket with your host or just call them and ask for write permissions per the instructions. As a matter of fact, many of the people that are deemed as "knowing a lot about computers" by their peers do not really know much at all.

Keep trying my friend. The reality is that 90% of pc users (mainly Windows) are ignorant about security and the scope of it. They are not all going to turn their computers off so why not teach them the right way the first time? Yes, I do this for a living....


-------------
http://webspacegeeks.com - Need Hosting, Domains, Dedicated Servers?
http://www.smartergeek.com - web design | pc support | training | podcasts | video production


Posted By: Bluefrog
Date Posted: 22 September 2004 at 11:16am

There are a lot of barriers to learning about security for newbies. A stupid, but nevertheless important thing is documentation. It should be in PDF to be printed with clear instructions to print and read.

The fact is that reading on a computer screen is bloody hard. A monitor is NOT a replacement for printed materials. If you look at a screen all day, you know what I mean.

I don't proofread on screen because it doesn't work.

Blame is a complex thing. Part lies with the newbie for not RTFMing... Part with the developer... Part with "society" for putting developers in a position where they don't always have time to do everything they should or want to. But ultimately whose fault is it when someone gets hacked? Simple. The ass who did the hacking.

 



-------------
http://renegademinds.com/ - Renegade Minds - Guitar Software
http://renegademinds.com/Default.aspx?tabid=65 - Slow Down Music


Posted By: xeerex
Date Posted: 22 September 2004 at 11:27am
bluefrog wrote:

But ultimately whose fault is it when someone gets hacked? Simple. The ass who did the hacking.


Best quote of this whole thread IMHO!


-------------
http://webspacegeeks.com - Need Hosting, Domains, Dedicated Servers?
http://www.smartergeek.com - web design | pc support | training | podcasts | video production


Posted By: theSCIENTIST
Date Posted: 22 September 2004 at 4:03pm

xeerex wrote:

bluefrog wrote:

But ultimately whose fault is it when someone gets hacked? Simple. The ass who did the hacking.


Best quote of this whole thread IMHO!

I'm with you partially, the hacker could only have done something if there was something for him to do. But yeah, let's blame the hacker.



Posted By: dpyers
Date Posted: 22 September 2004 at 4:40pm
theSCIENTIST wrote:

xeerex wrote:

bluefrog wrote:

But ultimately whose fault is it when someone gets hacked? Simple. The ass who did the hacking.


Best quote of this whole thread IMHO!

I'm with you partially, the hacker could only have done something if there was something for him to do. But yeah, let's blame the hacker.

There's a thought that it takes two to make a crime - someone with the inclination, and someone who gives them the opportunity.

However, law in most civilised countries is based upon the idea that citizens have the right to pursue their lives - no matter how stupidly - without being molested by others. I don't believe it's my fault if someone enters my house through a window or hotwires the car I left in the driveway instead of putting it in the garage.



-------------

Lead me not into temptation... I know the short cut, follow me.


Posted By: Bluefrog
Date Posted: 23 September 2004 at 10:38am
dpyers wrote:

theSCIENTIST wrote:

xeerex wrote:

bluefrog wrote:

But ultimately whose fault is it when someone gets hacked? Simple. The ass who did the hacking.


Best quote of this whole thread IMHO!

I'm with you partially, the hacker could only have done something if there was something for him to do. But yeah, let's blame the hacker.

There's a thought that it takes two to make a crime - someone with the inclination, and someone who gives them the opportunity.

However, law in most civilised countries is based upon the idea that citizens have the right to pursue their lives - no matter how stupidly - without being molested by others. I don't believe it's my fault if someone enters my house through a window or hotwires the car I left in the driveway instead of putting it in the garage.

Precisely.

Stupidity is not a crime. It should be removed from the gene-pool... but stupidity is not a crime...

 



-------------
http://renegademinds.com/ - Renegade Minds - Guitar Software
http://renegademinds.com/Default.aspx?tabid=65 - Slow Down Music


Posted By: Semikolon
Date Posted: 23 September 2004 at 10:43am
why don't we just make our gene-pool PERFECT!


Posted By: xeerex
Date Posted: 23 September 2004 at 10:49am
dpyers wrote:

There's a thought that it takes two to make a crime - someone with the inclination, and someone who gives them the opportunity.


I've never subscribed to that bullsh*t. For example, your wife or girlfriend is sitting in the park in a mini-skirt by herself. Does that mean that she is giving a rapist the opportunity and therefore it is her fault? I don't think so. The principle is the same whether in that example, a car theft, or hacking into a site.



semikolon wrote:

why don't we just make our gene-pool PERFECT!


LMAO -- If I remember history correctly, it wasn't so long ago that someone tried that and it ended up with disastrous consequences.

Everything in nature needs balance. If everyone's genes were "perfect" there would be no balance. Besides, who would decide perfect?


-------------
http://webspacegeeks.com - Need Hosting, Domains, Dedicated Servers?
http://www.smartergeek.com - web design | pc support | training | podcasts | video production


Posted By: dpyers
Date Posted: 23 September 2004 at 1:33pm

I think that most of this comes down to appropriate behavior for your location - there are ways you would act in your own friendly little neighborhood that you wouldn't do in a bad neighborhood. I don't expect to get mugged or shot while hanging around the house, but if I wander into a bad crime area, I need to be alert and take precautions.

I think that experienced internet people understand that it is a bad neighborhood and that besides all of the graffiti on the walls, and people trying to sell you things from the trunk of their car, you can get hurt.

ISPs, web hosts, broadband providers lure people by offering the friendly aspects of the neighborhood. It takes newbies a while to realize they have crossed the line and aren't in Kansas anymore Toto. Rather than blaming them for being mugged, we should be taking some responsibility for our neighborhood and be doing a better job of showing them around - explaining which streets and alleys are dangerous.



-------------

Lead me not into temptation... I know the short cut, follow me.


Posted By: xeerex
Date Posted: 23 September 2004 at 5:13pm
Originally posted by wrote:

Rather than blaming them for being mugged, we should be taking some responsibility for our neighborhood and be doing a better job of showing them around - explaining which streets and alleys are dangerous.


Wow -- another great quote that I agree with totally.


-------------
http://webspacegeeks.com - Need Hosting, Domains, Dedicated Servers?
http://www.smartergeek.com - web design | pc support | training | podcasts | video production


Posted By: theSCIENTIST
Date Posted: 23 September 2004 at 5:30pm

dpyers wrote:

Rather than blaming them for being mugged, we should be taking some responsibility for our neighborhood and be doing a better job of showing them around - explaining which streets and alleys are dangerous.

Right, you do that, and they will then totally neglect knowing about where to step on next, why should they bother finding out, when someone will eventually show them? Besides you do that, you may find yourself with not much of a life for yourself.



Posted By: MadDog
Date Posted: 23 September 2004 at 5:41pm

Kind of what theSCIENTIST said...

People don't care until something actually bad happens. That is why I said they need to be hacked, because it makes them want to learn how to avoid it. Most people will go on in life thinking "it won't happen to me", then when it does, they change their attitude and pay attention.

I'm not trying to say it just to be mean, but it's one of those things where it makes people learn, and it's a good learning experience.



-------------
http://www.iportalx.net


Posted By: xeerex
Date Posted: 23 September 2004 at 5:52pm
MD and thescientist wrote:

Right, you do that, and they will then totally neglect knowing about where to step on next, why should they bother finding out, when someone will eventually show them? Besides you do that, you may find yourself with not much of a life for yourself.

============

People don't care until something actually bad happens.


Wrong on both counts. How do I know? Simple. I make most of my living from "fixing" security problems for both home and small business users. As such I practice what I preach and also give them training in non-geek terms. You know what? 99.99% of them follow the instructions and are pissed off that computers and the Internet are marketed as "so easy to do". They also wish they had the same lessons from Dell, Gateway, HP/Compaq, BestBuy, CompUSA, and all the other places where they buy their computers.

Keep trying guys. Real community spirit and faith there.....


-------------
http://webspacegeeks.com - Need Hosting, Domains, Dedicated Servers?
http://www.smartergeek.com - web design | pc support | training | podcasts | video production


Posted By: MadDog
Date Posted: 23 September 2004 at 6:08pm

You are that way, but if they are just starting out and they find a script, I bet you that 90% of them ignore the readme files.

If you are a security person, sure I can see you following rules. But I deal with so many people each day that are just starting off, and over 90% of them never read instructions until I actually tell them to.

This has nothing to do with a "community". It's just a fact that people can be lazy and skip steps until they actually find out why they need to read the instructions.



-------------
http://www.iportalx.net


Posted By: dpyers
Date Posted: 23 September 2004 at 6:40pm

I think that a lot of the posts we see in the forums - both here and at MadDog's - are by people who don't read the directions. I've recommended both wwf and aspinvison to newbies who followed the directions and installed well. They don't post because they followed the directions.

In a more general sense though, newbies just don't know what are good practices and what are dangerous ones. We need a book like "Avoid Being Net-Wacked for Dummies"

Something that covers stuff like "just because the email says it's from paypall, doesn't make it true", through "never display an email address in a web page or newsgroup" to "what stuff you don't want someone to do to your web site and how to stop it". Maybe the book could also cover stuff like "how to keep your wireless bandwidth from being swiped".

I think a lot of newbies just don't understand what things can happen to them or the probability of certain things happening - like someone will try to hack your web site within 12 hours, someone will try to get through your firewall within 2 hours, or someone will grab your email address for a spam list within 30 minutes.



-------------

Lead me not into temptation... I know the short cut, follow me.


Posted By: xeerex
Date Posted: 23 September 2004 at 6:41pm
md wrote:

It's just a fact that people can be lazy and skip steps until they actually find out why they need to read the instructions.


That I agree with in many cases.

md wrote:

I bet you that 90% of them ignore the readme files.


So you think they automagically get the forum going??


md wrote:

But I deal with so many people each day that are just starting off


And just where do you think my clients are? Please note I said "home and small business" which are typically very ignorant except turning the pc's on, typing up an email word doc, or surfing the internet even though they don't know what the internet really is.

Do I blame them for getting their pc's loaded with spyware or exploited since they have no clue about Windows Update? Nope. I blame the guy/gal that sold em the computer without explaining or assisting them. Do any of these people tell the dialup users they have ~100MB of critical security updates for Windows BEFORE they plug the pc into the Internet? Hell no. So again, the principle is the same. Do these people deserve to be exploited? Hell no.

A lot of my clients have Dell or Gateway computers. Now, of the majors I'd have to say that Dell is the one that I recommend only because it has some resemblance to support. The sad fact is that most of my clients who have spent any support time on the phone with Dell or Gateway (or even MS), whether paying for it or free, are extremely disappointed after speaking to them. The CS rep just runs down the default list of troubleshooting deals without usually offering any preventive advice or suggestions. Most won't even deal with spyware or adware or malware. Sure they may post it on their websites but how many people check the mfg's website?

I think one of the main points is that even newbies have as much right to use technology as geeks. Expecting them to know everything is foolish. None of "us" knew everything when we got started. Teaching by enabling the behaviour or blaming the newbies is just plain wrong. Not only that but everyone that gets exploited only adds to the existing problems for all of us. Why not try to help tame that?

<gets off his soapbox again>


-------------
http://webspacegeeks.com - Need Hosting, Domains, Dedicated Servers?
http://www.smartergeek.com - web design | pc support | training | podcasts | video production


Posted By: MadDog
Date Posted: 23 September 2004 at 6:43pm

>> So you think they automagically get the forum going??

Actually yes, hehe. I know when I first found WWF I didn't read any readme file. I now wish I did, because I got hacked. That taught me a pretty good lesson.

All you really have to do is upload the forum and it's ready. That's probably one of the problems because it makes newbies think it's that easy when in fact there is more to it.



-------------
http://www.iportalx.net


Posted By: dpyers
Date Posted: 23 September 2004 at 6:57pm

Reminds me - was shown an article from some national news mag talking about how you could get 20,000 zombie pc's for $2,000.

I heard from one guy who did a traffic analysis for a small-mid sized ISP that was getting complaints of spam from its network. Come to find out a couple of thousand clients had malware on their PCs that would send 20-30 spams an hour - not enough to raise alarms anywhere, but enough to be profitable.



-------------

Lead me not into temptation... I know the short cut, follow me.


Posted By: dpyers
Date Posted: 23 September 2004 at 7:06pm
MadDog wrote:

>> So you think they automagically get the forum going??

Actually yes, hehe. I know when I first found WWF I didn't read any readme file. I now wish I did, because I got hacked. That taught me a pretty good lesson.

All you really have to do is upload the forum and it's ready. That's probably one of the problems because it makes newbies think it's that easy when in fact there is more to it.

Got to agree with you there. I loaded wwf up first, then read the directions - a little knowledge is a dangerous thing - lol. Even now, I'll load the access version of a new forum version just to play with it and don't care if I get hacked. Good and bad points to being easy to install.

EDIT: Perhaps it would be better if the mdb file were not "pre-installed" by the zip but had its own procedure for installation.



-------------

Lead me not into temptation... I know the short cut, follow me.


Posted By: xeerex
Date Posted: 23 September 2004 at 8:35pm
So both of you already knew about WRITE permissions on the database or your whole site had em? You also knew what the default login/pass was? Actually, I read the readme, but I already knew what "above" root meant too....

-------------
http://webspacegeeks.com - Need Hosting, Domains, Dedicated Servers?
http://www.smartergeek.com - web design | pc support | training | podcasts | video production


Posted By: MadDog
Date Posted: 23 September 2004 at 8:54pm
The host I had it on (no longer up) was set so that all directories had read/write permissions so I never had to look at the documentation until I was hacked.

-------------
http://www.iportalx.net


Posted By: xeerex
Date Posted: 23 September 2004 at 9:00pm
Well that's typical...You guys are trying to force me to say all computer users are dumba--es aren't ya?????

(in the case of your prior host it appears they qualify)

-------------
http://webspacegeeks.com - Need Hosting, Domains, Dedicated Servers?
http://www.smartergeek.com - web design | pc support | training | podcasts | video production


Posted By: MadDog
Date Posted: 23 September 2004 at 9:01pm

Yup, I'm a dumbass. But now at least I read the readme files that are in the scripts.



-------------
http://www.iportalx.net


Posted By: xeerex
Date Posted: 23 September 2004 at 9:04pm
md wrote:

Yup, I'm a dumbass.


OMG -- I'm gonna frame that on my wall now!!


-------------
http://webspacegeeks.com - Need Hosting, Domains, Dedicated Servers?
http://www.smartergeek.com - web design | pc support | training | podcasts | video production


Posted By: MadDog
Date Posted: 23 September 2004 at 9:05pm
It was only a joke... at least most of the time I'm not a dumbass.

-------------
http://www.iportalx.net


Posted By: dpyers
Date Posted: 23 September 2004 at 9:07pm

xeerex wrote:

Well that's typical...You guys are trying to force me to say all computer users are dumba--es aren't ya?????

Aren't they/we?
computer user = dumbass - to one degree or another.

We're all stupid about something regarding computers. It's just that some of us are more stupid about more things.



-------------

Lead me not into temptation... I know the short cut, follow me.


Posted By: dpyers
Date Posted: 23 September 2004 at 9:11pm
I think we can agree that the dumbest computer user is the one that thinks they're "safe". We're only safe from what we can detect. It's the stuff we can't/won't detect that nails us.

-------------

Lead me not into temptation... I know the short cut, follow me.


Posted By: theSCIENTIST
Date Posted: 24 September 2004 at 9:06am

xeerex wrote:

theSCIENTIST wrote:

Right, you do that, and they will then totally neglect knowing about where to step on next, why should they bother finding out, when someone will eventually show them? Besides you do that, you may find yourself with not much of a life for yourself.

MadDog wrote:

People don't care until something actually bad happens.

Wrong on both counts. How do I know? Simple. I make most of my living from "fixing" security problems for both home and small business users... ...Keep trying guys. Real community spirit and faith there...

Wrong on both counts from your perspective, from your own experiences, but not from where I stand, from my experiences people neglect computer security, they don't use the same common sense as they do for other things in life, again, they assume they are safe, or that if something happens, it won't be much of a loss as opposed to leaving the car open outside.

xeerex wrote:

...You guys are trying to force me to say all computer users are dumba--es aren't ya?...

Not all computer users, only those that don't use common sense, maybe they even hear in the news about viruses, hacked places, spyware, fraud and all the rest of it, and still try to defy the nature of the beast assuming it won't happen to them, no one needs to tell them, they must use common sense, the warnings are all around us, so read, take the time to protect yourself, now, not tomorrow or when the security consultant visits next week.

dpyers wrote:

Perhaps it would be better if the mdb file were not "pre-installed" by the zip but had its own procedure for installation.

Check what I said regarding that a bit earlier:

theSCIENTIST wrote:

...As for the board creators, there is still something that could be done, for instance, the Access version, why distribute an MDB with the package, when the MDB can be created, saving distro size, and while you are at it, dynamically create it with a unique name (ie. ddmmyyhhmmss_Forum.mdb), also, and this works for both Access and SQL, after DB creation, the default.asp should delete the DB creation script files the first time the forum runs, all these operations should be included in the instructions.

This is very easy to do, and I believe it can only benefit the whole newbie/security issue.

xeerex wrote:

MadDog wrote:

Yup, I'm a dumbass...
OMG -- I'm gonna frame that on my wall now!!

You guys love each other don't you?
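
The install-time changes proposed in the post above (no database under a fixed name in the web root, creation scripts removed after first run), together with the "above root" and write-permission points raised earlier in the thread, sketched as an added example; this is not Web Wiz Forums code. The file names are hypothetical, POSIX mode bits stand in for the host's write permissions, and a random token replaces the ddmmyyhhmmss name because an install time can be guessed.

```python
import os
import secrets
import shutil
import stat
import tempfile
from pathlib import Path

# Hypothetical names chosen for this example; a real package's files differ.
SHIPPED_DB = "forum.mdb"
SETUP_SCRIPTS = ("setup.asp", "create_db.asp")


def first_run_harden(webroot: Path, data_dir: Path) -> Path:
    """Move the shipped database out of the web root under a random name
    and delete the setup scripts. Returns the new database path."""
    data_dir.mkdir(parents=True, exist_ok=True)
    # Random token instead of a timestamp: an install time can be guessed.
    new_db = data_dir / f"{secrets.token_hex(8)}_Forum.mdb"
    shutil.move(str(webroot / SHIPPED_DB), str(new_db))
    for name in SETUP_SCRIPTS:
        script = webroot / name
        if script.exists():
            script.unlink()
    return new_db


def audit(webroot: Path) -> list:
    """Report what a default, unread-readme install leaves behind."""
    findings = []
    for path in sorted(webroot.rglob("*")):
        rel = path.relative_to(webroot).as_posix()
        if path.is_file() and path.suffix.lower() == ".mdb":
            findings.append(f"database inside web root: {rel}")
        if path.is_file() and path.name.lower() in SETUP_SCRIPTS:
            findings.append(f"setup script still present: {rel}")
        if path.is_dir() and path.stat().st_mode & stat.S_IWOTH:
            findings.append(f"directory writable by everyone: {rel}")
    return findings


def demo():
    """Build a constructed install tree, audit it, harden it, audit again."""
    base = Path(tempfile.mkdtemp())
    webroot, data_dir = base / "wwwroot", base / "private"
    (webroot / "uploads").mkdir(parents=True)
    os.chmod(webroot, 0o755)
    os.chmod(webroot / "uploads", 0o777)  # the "everything writable" host
    for name in (SHIPPED_DB, *SETUP_SCRIPTS, "default.asp"):
        (webroot / name).write_text("constructed sample\n")
    before = audit(webroot)
    new_db = first_run_harden(webroot, data_dir)
    os.chmod(webroot / "uploads", 0o755)  # tighten the upload directory
    after = audit(webroot)
    return before, after, new_db


if __name__ == "__main__":
    before, after, new_db = demo()
    print("before:", *before, sep="\n  ")
    print("after:", after)
    print("database now at:", new_db)
```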



Posted By: Bluefrog
Date Posted: 24 September 2004 at 9:36am

xeerex wrote:

bluefrog wrote:

There's a thought that it takes two to make a crime - someone with the inclination, and someone who gives them the opportunity.


I've never subscribed to that bullsh*t. For example, your wife or girlfriend is sitting in the park in a mini-skirt by herself. Does that mean that she is giving a rapist the opportunity and therefore it is her fault? I don't think so. The principle is the same whether in that example, a car theft, or hacking into a site.

*snip*

Dude... I did not write that... Check back... I said the exact opposite and even used the rape example.

 



-------------
http://renegademinds.com/ - Renegade Minds - Guitar Software
http://renegademinds.com/Default.aspx?tabid=65 - Slow Down Music


Posted By: xeerex
Date Posted: 24 September 2004 at 11:48am
bluefrog -- sorry about that. I usually use the [ quote ] code manually and just overlooked who said what. I've edited my post.

thescientist wrote:

You guys love each other don't you?


No, we really can't stand each other. MD banned me from his board long ago, but it appears we are both trying to be civil now.


-------------
http://webspacegeeks.com - Need Hosting, Domains, Dedicated Servers?
http://www.smartergeek.com - web design | pc support | training | podcasts | video production


Posted By: Bluefrog
Date Posted: 24 September 2004 at 11:29pm

xeerex wrote:

bluefrog -- sorry about that. I usually use the [ quote ] code manually and just overlooked who said what. I've edited my post.

*snip*

No problem. We all get lazy sometimes. I rarely ever type in the [ quote ] thing manually because I'm that lazy... I also never use forum codes for formatting. That's what the RTE is for.

Cheers

 

 



-------------
http://renegademinds.com/ - Renegade Minds - Guitar Software
http://renegademinds.com/Default.aspx?tabid=65 - Slow Down Music


