Invite Scene - #1 to Buy, Sell, Trade or Find Free Torrent Invites

#1 TorrentInvites Community. Buy, Sell, Trade or Find Free Torrent Invites for Every Private Torrent Trackers. HDB, BTN, AOM, DB9, PTP, RED, MTV, EXIGO, FL, IPT, TVBZ, AB, BIB, TIK, EMP, FSC, GGN, KG, MTTP, TL, TTG, 32P, AHD, CHD, CG, OPS, TT, WIHD, BHD, U2 etc.


Search the Community

Showing results for tags 'security'.

Found 19 results

  1. The PR disaster for geo-unblocking software Hola has deepened with a report from cybersecurity firm Vectra. In addition to revealing a console within the software that allows an attacker to "accomplish almost anything", Vectra has discovered that Hola had already been exploited by "bad guys" before reports surfaced against the company last week.

After a flurry of reports, last week the people behind geo-unblocking software Hola were forced to concede that their users’ bandwidth is being sold elsewhere for commercial purposes. But for the Israel-based company, that was the tip of the iceberg.

Following an initial unproofed report that the software operates as a botnet, this weekend researchers published an advisory confirming serious problems with the tool.

“The Hola Unblocker Windows client, Firefox addon, Chrome extension and Android application contain multiple vulnerabilities which allow a remote or local attacker to gain code execution and potentially escalate privileges on a user’s system,” the advisory reads.

Yesterday and after several days of intense pressure, Hola published a response in which it quoted Steve Jobs and admitted that mistakes had been made. Hola said that it would now be making it “completely clear” to its users that their resources are being used elsewhere in exchange for a free product.

Hola also confirmed that two vulnerabilities found by the researchers at Adios-Hola had now been fixed, but the researchers quickly fired back.

“We know this to be false,” they wrote in an update. “The vulnerabilities are *still* there, they just broke our vulnerability checker and exploit demonstration. Not only that; there weren’t two vulnerabilities, there were six.”

With Hola saying it now intends to put things right (it says it has committed to an external audit with “one of the big 4 auditing companies”) the company stood by its claims that its software does not turn users’ computers into a botnet.

Today, however, an analysis by cybersecurity firm Vectra is painting Hola in an even more unfavorable light. In its report Vectra not only insists that Hola behaves like a botnet, but it’s possible it has malicious features by design.

“While analyzing Hola, Vectra Threat Labs researchers found that in addition to behaving like a botnet, Hola contains a variety of capabilities that almost appear to be designed to enable a targeted, human-driven cyber attack on the network in which an Hola user’s machine resides,” the company writes.

“First, the Hola software can download and install any additional software without the user’s knowledge. This is because in addition to being signed with a valid code-signing certificate, once Hola has been installed, the software installs its own code-signing certificate on the user’s system.”

If the implications of that aren’t entirely clear, Vectra assists on that front too. On Windows machines, the certificate is added to the Trusted Publishers Certificate Store which allows *any code* to be installed and run with no notification given to the user. That is frightening.

Furthermore, Vectra found that Hola contains a built-in console (“zconsole”) that is not only constantly active but also has powerful functions including the ability to kill running processes, download a file and run it whilst bypassing anti-virus software, plus read and write content to any IP address or device.

“These capabilities enable a competent attacker to accomplish almost anything. This shifts the discussion away from a leaky and unscrupulous anonymity network, and instead forces us to acknowledge the possibility that an attacker could easily use Hola as a platform to launch a targeted attack within any network containing the Hola software,” Vectra says.

Finally, Vectra says that while analyzing the protocol used by Hola, its researchers found five different malware samples on VirusTotal that contain the Hola protocol. Worryingly, they existed before the recent bad press.

“Unsurprisingly, this means that bad guys had realized the potential of Hola before the recent flurry of public reports by the good guys,” the company adds.

For now, Hola is making a big show of the updates being made to its FAQ as part of its efforts to be more transparent. However, items in the FAQ are still phrased in a manner that portrays criticized elements of the service as positive features, something that is likely to mislead non-tech oriented users.

“Since [Hola] uses real peers to route your traffic and not proxy servers, it makes you more anonymous and more secure than regular VPN services,” one item reads.

How Hola will respond to Vectra’s latest analysis remains to be seen, but at this point there appears little that the company can say or do to pacify much of the hardcore tech community. That being said, if Joe Public still can’t see the harm in a free “community” VPN operating a commercial division with full access to his computer, Hola might settle for that.
  2. The popular TV-torrent distribution group EZTV is going on a hiatus to perform a thorough security audit of its servers. The EZTV team informs TF that new shows won't appear online for a few days, until the team is assured that everything is functioning optimally.

EZTV, the go-to place for many torrenting TV fans, has suffered its fair share of troubles in recent months. It started early December when the group’s site was knocked offline as collateral damage in the Pirate Bay raid. A month later the group lost its .it domain name, which was then taken over by impostors in March.

To get back online and stay there, EZTV has had to move things around quite a bit. In response to these recent issues the EZTV team has decided to go on a small hiatus, so the current setup can be carefully inspected. This means that in the short term no new releases will go up on the site.

“We are not releasing any new content at the moment due to a security audit of all our servers,” EZTV’s Novaking informs TF. “We just want to put things on hold to see where everything is at and make sure everything is running optimally,” he adds.

The latest torrents were released on Monday and there is no ETA yet for when new ones will appear. The group is taking its time to carry out a proper audit and will do some code cleanup at the same time.

As part of the security audit registered users have also received a request for a password reset. Initially this resulted in some issues where users were unable to log in, but Novaking notes that people who experienced this problem can get in touch via IRC. If all goes well EZTV may also reopen registrations again, which is something people have requested for a long time.

Fueled by the lack of new content and the recent domain troubles, some users were suspicious when they saw a link to the Bitx video player in the torrent list. However, this is a new streaming player the group is testing and nothing to worry about.

In a few days EZTV hopes to start releasing new content again. Until then, the group advises TV fans to turn to the ‘competition’ for their daily fix. “There are several other distribution groups people can use while we’re doing the audit,” Novaking says.
  3. Tips | Advices | Questions
Overview of popular networks:
WARNING! Tor has many security issues!
I2P vs Tor
I2P vs Freenet
Freenet vs Tor/I2P
  4. Kali Linux is an advanced Penetration Testing and Security Auditing Linux distribution.

Kali Linux Features

• More than 300 penetration testing tools: After reviewing every tool that was included in BackTrack, we eliminated a great number of tools that either did not work or had other tools available that provided similar functionality.
• Free and always will be: Kali Linux, like its predecessor, is completely free and always will be. You will never, ever have to pay for Kali Linux.
• Open source Git tree: We are huge proponents of open source software and our development tree is available for all to see and all sources are available for those who wish to tweak and rebuild packages.
• FHS compliant: Kali has been developed to adhere to the Filesystem Hierarchy Standard, allowing all Linux users to easily locate binaries, support files, libraries, etc.
• Vast wireless device support: We have built Kali Linux to support as many wireless devices as we possibly can, allowing it to run properly on a wide variety of hardware and making it compatible with numerous USB and other wireless devices.
• Custom kernel patched for injection: As penetration testers, the development team often needs to do wireless assessments so our kernel has the latest injection patches included.
• Secure development environment: The Kali Linux team is made up of a small group of trusted individuals who can only commit packages and interact with the repositories while using multiple secure protocols.
• GPG signed packages and repos: All Kali packages are signed by each individual developer when they are built and committed and the repositories subsequently sign the packages as well.
• Multi-language: Although pentesting tools tend to be written in English, we have ensured that Kali has true multilingual support, allowing more users to operate in their native language and locate the tools they need for the job.
• Completely customizable: We completely understand that not everyone will agree with our design decisions so we have made it as easy as possible for our more adventurous users to customize Kali Linux to their liking, all the way down to the kernel.
• ARMEL and ARMHF support: Since ARM-based systems are becoming more and more prevalent and inexpensive, we knew that Kali’s ARM support would need to be as robust as we could manage, resulting in working installations for both ARMEL and ARMHF systems. Kali Linux has ARM repositories integrated with the mainline distribution so tools for ARM will be updated in conjunction with the rest of the distribution.

Kali is currently available for the following ARM devices:
• rk3306 mk/ss808
• Raspberry Pi
• ODROID U2/X2
• Samsung Chromebook
• EfikaMX
• Beaglebone Black
• CuBox
• Galaxy Note 10.1

Kali is specifically tailored to penetration testing and therefore, all documentation on this site assumes prior knowledge of the Linux operating system. Kali is a complete re-build of BackTrack Linux, adhering completely to Debian development standards. All-new infrastructure has been put in place, all tools were reviewed and packaged, and we use Git for our VCS.

After almost two years of public development (and another year behind the scenes), we are proud to announce our first point release of Kali Linux – version 1.1.0. This release brings with it a mix of unprecedented hardware support as well as rock solid stability. For us, this is a real milestone as this release epitomizes the benefits of our move from BackTrack to Kali Linux over two years ago. As we look at a now mature Kali, we see a versatile, flexible Linux distribution, rich with useful security and penetration testing related features, running on all sorts of weird and wonderful ARM hardware. But enough talk, here are the goods:
• The new release runs a 3.18 kernel, patched for wireless injection attacks.
• Our ISO build systems are now running off live-build 4.x.
• Improved wireless driver support, due to both kernel and firmware upgrades.
• NVIDIA Optimus hardware support.
• Updated virtualbox-tool, openvm-tools and vmware-tools packages and instructions.
• A whole bunch of fixes and updates from our bug-tracker changelog.
• And most importantly, we changed grub screens and wallpapers!

Download or Upgrade Kali Linux 1.1.0

You can download the new version from our Kali Linux Download page, where you’ll also find mini-installer ISOs for both 32 and 64 bit CPU architectures. You can expect updated VMware and multiple ARM image releases to be posted in the Offensive Security custom Kali Linux image download page in the next few days. As usual, if you’ve already got Kali Linux installed and running, there’s no need to re-download the image as you can simply update your existing operating system using simple apt commands:

apt-get update
apt-get dist-upgrade
  5. VPN users are facing a massive security flaw as websites can easily see their home IP-addresses through WebRTC. The vulnerability is limited to supporting browsers such as Firefox and Chrome, and appears to affect Windows users only. Luckily the security hole is relatively easy to fix.

The Snowden revelations have made it clear that online privacy is certainly not a given. Just a few days ago we learned that the Canadian Government tracked visitors of dozens of popular file-sharing sites. As these stories make headlines around the world interest in anonymity services such as VPNs has increased, as even regular Internet users don’t like the idea of being spied on.

Unfortunately, even the best VPN services can’t guarantee to be 100% secure. This week a very concerning security flaw revealed that it’s easy to see the real IP-addresses of many VPN users through a WebRTC feature. With a few lines of code websites can make requests to STUN servers and log users’ VPN IP-address and the “hidden” home IP-address, as well as local network addresses.

The vulnerability affects WebRTC-supporting browsers including Firefox and Chrome and appears to be limited to Windows machines. A demo published on GitHub by developer Daniel Roesler allows people to check if they are affected by the security flaw.

(image: IP-address leak)

The demo claims that browser plugins can’t block the vulnerability, but luckily this isn’t entirely true. There are several easy fixes available to patch the security hole. Chrome users can install the WebRTC block extension or ScriptSafe, which both reportedly block the vulnerability. Firefox users should be able to block the request with the NoScript addon. Alternatively, they can type “about:config” in the address bar and set the “media.peerconnection.enabled” setting to false.

TF asked various VPN providers to share their thoughts and tips on the vulnerability. Private Internet Access told us that they are currently investigating the issue to see what they can do on their end to address it. TorGuard informed us that they issued a warning in a blog post along with instructions on how to stop the browser leak. Ben Van Der Pelt, TorGuard’s CEO, further informed us that tunneling the VPN through a router is another fix.

“Perhaps the best way to be protected from WebRTC and similar vulnerabilities is to run the VPN tunnel directly on the router. This allows the user to be connected to a VPN directly via Wi-Fi, leaving no possibility of a rogue script bypassing a software VPN tunnel and finding one’s real IP,” Van der Pelt says. “During our testing Windows users who were connected by way of a VPN router were not vulnerable to WebRTC IP leaks even without any browser fixes,” he adds.

While the fixes above are all reported to work, the leak is a reminder that anonymity should never be taken for granted. As is often the case with these types of vulnerabilities, VPN and proxy users should regularly check if their connection is secure. This also includes testing against DNS leaks and proxy vulnerabilities.
  6. Dear IS community, on behalf of all staff I'm happy to tell you that: We have fixed all known security bugs on our site! Lots of work has been done to block bots and other minor threats. And all server software is up to date!

SSL: Invite Scene uses SSL encryption for all content! Our SSL configuration implements: Secure Renegotiation, Forward Secrecy and Downgrade attack prevention. We are protected from BEAST, POODLE and Heartbleed attacks.

We are working very hard to protect our reputation and users! And we are always looking at how to make our place even more secure and comfortable for you! Thanks for your trust! / Stay with us! / Be secure!
  7. Security Guide

The new branch of phpBB, phpBB 3, is quite secure. After some major security flaws in phpBB 2 the phpBB developers have paid great attention to the security of their product's new branch, phpBB 3. According to the script's changelog and the users' reports there have been just several minor security issues. They have been resolved quite fast. Still, in this article we will list useful practices that will additionally improve the security of your phpBB 3 forum.

TIPS

Keep your software up-to-date

This rule is valid for all the applications that you use. Keep your local computer software (OS, anti-virus program, firewall, web browsers, etc.) and web applications (scripts, extensions, components, modules, plugins) upgraded to the corresponding latest stable versions.

Custom database tables prefix

A wise solution is to set a custom database tables prefix during the phpBB 3 installation. If your hosting provider supports an auto-installer like Softaculous just enter the new value in the "Table Prefix" field. The manual phpBB 3 installation also allows you to enter the chosen table prefix in the "Prefix for tables in database:" field.

Changing the tables prefix in an existing phpBB 3 installation is more difficult. First, you should edit the config.php file and set the new prefix in the following field:

$table_prefix = 'phpbb_';

If you have custom modules integrated in your forum check whether they have additional configuration files. You might need to complete the same change in them. Next, you should rename all the tables in the database. You can run the queries through a tool like phpMyAdmin. The query for each table should be:

RENAME TABLE phpbb_table_name TO newprefix_table_name;

Additional admin login page

To add a new layer of security to your admin login functionality you should password protect the admin folder. In phpBB 3 the default admin folder is called "adm". Usually the hosting providers have a password protection tool embedded in their control panels. If your hosting provider uses cPanel you can password protect the folder through the Password Protect Directories tool. The tool will create a .htaccess file under the "adm" folder. Make sure that the used password is different from the one set during the initial phpBB 3 installation. Always use strong passwords that contain a random sequence of letters, numbers and special characters.

Restrict the admin folder access

If you are using a computer with a static IP to access your forum you can restrict the access to the admin area. Enter the code listed below in the .htaccess file under the "adm" folder. It will allow access only from your local computer.

Order Deny,Allow
Deny from all
Allow from

In place of the IP address, use your own IP. It can be checked at:
The file can be edited either with FTP or with cPanel->File Manager. You can add more IPs to the list, separated with blank spaces.

Backup your forum

Often, keeping backups of your script will allow you to restore the stable functionality of your web site quickly and easily. It does not matter if the script has been compromised by hackers or it has been broken by a custom code modification performed from your end. The backup restore will bring the web site to its normal state. Usually the hosting providers create daily or weekly backups of your account. Still, you can additionally take care of this task. Detailed instructions can be found in this knowledge base article.

Enhance the users registration

phpBB 3 has some useful options which will stop most of the malicious users' registration attempts. Open your forum's admin area and load the "User registration settings" section. For the "Account activation" option pick "By user (email verification)". During the registration the user will have to provide a valid e-mail account and approve the registration through a confirmation link message delivered to it. For "Password complexity" select "Must contain symbols". In this way the user will have to enter letters, numbers and symbols in the chosen password. Leave the default values of the other options.

Forums that follow the above-mentioned tips experience 80% fewer security problems. If despite the measures taken, your forum gets hacked, you should contact your host for assistance and try to get more specific security tips from the community via the discussion boards.

Credits for this material:

Top 5 Security Mods for phpBB

No forum software is fully secure from the onslaught of hackers and spammers, and needs to keep being updated by new modifications and plugins to safeguard against such attacks. The open source nature of phpBB makes it more vulnerable to attacks. phpBB developers are constantly working towards identifying security gaps and trying to fix them. Some of the main features added to provide protection to your forum from being attacked by hackers are:
• Providing a sophisticated authorization system;
• Effective encryption which basically helps by ensuring the safety of the passwords in the database;
• Proper running of the URL and cookie sessions.

5 Security Mods for phpBB

Some helpful security mods for phpBB are:

RAC Mod: In this Mod, the administrator defines an auth code which you need to enter while registering. After this, the administrator may ask you a question, the answer to which is the code. The advancements made to this mod are:
• Language variable being used properly;
• phpBB templates being used properly;
• Unnecessary steps have been removed;
• Instructions are made more detailed.

Peoplesign CAPTCHA Plugin: This is a unique and new picture based CAPTCHA which gives its owners millions of different ways to customize and use it as per their liking. It is easy to install. People visiting the forum are given a picture-based text to enter the forum and by this means automated bots can be kept away.

Show Password Strength: This mod reflects the strength of the password to its users. It displays a color code to show the password strength which is green for strong and red for weak. Along with this, there is a text indicator such as ‘Very Strong’, ‘Strong’, ‘Good’, ‘Weak’ and ‘Very Weak’ for passwords. The criteria on which the password strength is graded are:
• Mixed case alphabets;
• Numbers;
• Special characters;
• More than 12 characters in the password.

Breizh Ajax Checks: This mod is fast and the language can be changed in the ajax on the registration page. Through this mod, checks can be performed in real time in the registration page as well as the edit account settings page for email address, password and username.

Key CAPTCHA: It is an innovative anti-spam service which is provided free. It provides protection to your website from spam and also works as an instrument for income acquisition. Unlike other captchas, there is no requirement to type any text here.

phpBB is not fully protected from all attacks by hackers and spammers present on the net. While there are people working towards mods to improve the scenario, one should take precautions and be vigilant to ensure that the forum is not attacked. phpBB security does not merely involve protecting your forum from being hacked, but it also involves the security of personal information and data of visitors and the integrity of the member list as well as the community. Some issues that may take up a lot of admin and moderator time may be automated signups, member list abuses, email address harvesting and dropping links.

Credits for this material:
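As an added example (not part of the guide above and not phpBB's own code), the following Python helper covers the table-prefix change on an existing forum: it rewrites the $table_prefix line in config.php text and generates one RENAME TABLE statement for every table carrying the old prefix, so the SQL can be reviewed before it is pasted into phpMyAdmin. It never touches the database itself; the table names are passed in by hand (for example copied from SHOW TABLES), and the sample config.php text and table list below are constructed. Every prefix and table name is checked against a plain-identifier pattern before it is interpolated into SQL, so a stray character cannot turn the generated statements into something else.

```python
"""Change the phpBB 3 table prefix: rewrite config.php and emit RENAME TABLE SQL.

Added example, not part of the original guide. Assumes the config.php line has
the form  $table_prefix = 'phpbb_';  and that table names are supplied by the
caller. The SQL is returned as text for review; nothing here talks to MySQL.
"""
import re

# Only plain identifiers are accepted as a prefix or table name; anything else
# is rejected rather than interpolated into SQL.
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Matches the value inside the quotes of the $table_prefix assignment.
PREFIX_LINE = re.compile(r"(\$table_prefix\s*=\s*')[^']*(';)")


def is_safe_identifier(name):
    """True if name is a bare SQL identifier (letters, digits, underscore)."""
    return bool(IDENT.match(name))


def rewrite_config_prefix(config_text, new_prefix):
    """Return config.php text with the $table_prefix value replaced.

    Exactly one assignment must be present; zero or several is an error, since
    silently editing the wrong line would leave the forum pointing at tables
    that no longer exist.
    """
    if not is_safe_identifier(new_prefix):
        raise ValueError(f"invalid prefix: {new_prefix!r}")
    new_text, count = PREFIX_LINE.subn(
        lambda m: m.group(1) + new_prefix + m.group(2), config_text
    )
    if count != 1:
        raise ValueError(f"expected exactly one $table_prefix line, found {count}")
    return new_text


def rename_statements(tables, old_prefix, new_prefix):
    """Return one RENAME TABLE statement per table that starts with old_prefix.

    Tables without the old prefix (other scripts sharing the database) are left
    alone. Identifiers are backtick-quoted and validated first.
    """
    for prefix in (old_prefix, new_prefix):
        if not is_safe_identifier(prefix):
            raise ValueError(f"invalid prefix: {prefix!r}")
    statements = []
    for name in tables:
        if not is_safe_identifier(name):
            raise ValueError(f"invalid table name: {name!r}")
        if not name.startswith(old_prefix):
            continue
        new_name = new_prefix + name[len(old_prefix):]
        statements.append(f"RENAME TABLE `{name}` TO `{new_name}`;")
    return statements


if __name__ == "__main__":
    # Constructed stand-ins for a real config.php and SHOW TABLES output.
    sample_config = "<?php\n$dbname = 'forum';\n$table_prefix = 'phpbb_';\n"
    sample_tables = ["phpbb_users", "phpbb_posts", "phpbb_config", "wp_options"]
    print(rewrite_config_prefix(sample_config, "fx7q_"))
    print("\n".join(rename_statements(sample_tables, "phpbb_", "fx7q_")))
```

Run the rename statements inside a single transaction, or at least with the forum offline, and only after writing the new prefix into config.php; a half-renamed set of tables is the failure mode the guide's "more difficult" warning is about.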
  8. Security Guide

NOTICE BEFORE READING: This is not a guide to making your forum completely secure and untouchable but this is a guide to the many different things that one can do to tighten up security. I would also like to note that the latest version of MyBB is very secure even out of the box. Also note that I'm no expert on this, I've never even had a public MyBB forum but I'm hoping to start one soon. This is mostly about securing MyBB itself, look elsewhere for information on securing any other web applications that you are hosting.

The key points

#1 Keep your forum as up to date as possible

It is very important you keep everything up to date, this includes plugins. Make sure to manually check for updates in the Admin CP often and/or frequent the downloads section of

#2 Check before installing plugins

Plugins have the potential to bring down your whole forum if they are insecure/intentionally backdoored. Google is your friend with plugins so ensure you check through any posts/advisories on the plugin and any other sources of the plugin that are more likely to be secure. Don't use cracked/nulled plugins. If you can understand PHP then look through the code. If the code is encrypted/obfuscated etc. and the plugin is not commercial then be very careful. Look into the plugin author and their credibility as well. Using a plugin that is used on HF and made by labrocca for example is a much better idea than some random thing you found dumped on the net.

#3 Use secure and unique passwords

Ensure the passwords to all powerful accounts are different, unique, long and use a large array of chars.

*ndEyd7_-38Dne3dhy3(8ednYe}&yDp2@04(jNPKNBGgdue

^ Is the type of thing you are going to want as a password to any account with powers that could damage the forum. Don't use passwords that you use on other forums because they could be easily tracked down. If you can't remember the password store it in an encrypted vault such as a KeePass vault.

#4 Deny access to directories

There are a number of directories in MyBB that contain files that never need to be accessed from the browser. It's a good idea to deny access to these.

Directories to protect:
{root}/inc
{root}/install (whenever not needed)
{root}/{admincpdir}/inc
{root}/{admincpdir}/modules

As there is no legit reason to access this stuff it's best to create a .htaccess file in the root of these directories containing the following.

deny from all

Another way to add to the security of the files is to add to/create a .htaccess file in the forum root containing

Options -Indexes

to stop anyone browsing folders without an index.

Another thing one can do is rename the Admin Directory. To do this open {root}/inc/config.php and edit $config['admin_dir'] to whatever you want your new directory to be, then rename the actual directory from 'admin' to whatever you specified in the config.php.
--- This does not give much extra security unless you set $config['hide_admin_links'] to 1 (note you will need to access the adminCP from a stored link rather than from a link on the front end if this is enabled).

#5 Obscure, obscure, obscure

It's a great idea to make it as hard as possible for a potential attacker to get correct information on your forum. Change the default table prefix (this can be done easily when installing a fresh install of MyBB in the installation wizard). This can also be done in the config.php but only people who know what they are doing should attempt to change it after MyBB has been installed; also note that a few plugins are broken by non-default table prefixes. This can make it harder for ub3r el1te SQLI masters to attack your DB.

Other things you can do include giving your main account (the one you post with) super mod perms and giving super-admin to another extremely secure account that has a normal usergroup as its primary.

#6 Lock down the AdminCP

It's very important to implement extra security on the admin cp to prevent unwanted access. Here are a few things you can do.

Add extra auth with .htpasswd

^ The above links can be used to generate the files needed to do this. Once done simply place the .htpasswd and .htaccess files in the adminCP directory for some extra security. Make sure the user/pass is different to the Admin password.

Add an IP whitelist to the AdminCP

You can use .htaccess to permit only those with a certain IP to access the AdminCP, this is very secure! (It's not a very good idea to do this if you have a dynamic IP though because you might find yourself locked out one day.) Just put/add to a .htaccess file in the admincp root containing the following.

Order Allow,Deny
Allow from Your.static.ip.address

Add a PIN to the Admin CP

This pretty much does the same thing as .htpasswd but can look a little better. There are plenty of tutorials on this so just make a search.

Remove the backup system from the AdminCP

If someone was to gain unauthorized access to the admin cp they could easily dump all the SQL info using the built in backup feature. It's a good idea to disable this if you are not going to use it. Simply go to {root}/{admincpdir}/modules/tools/backupdb.php and add the following after the <?php

die('Backups Disabled');

If you want to use this module then simply comment out the addition and uncomment it when you are done.

These are the key points. After this I will just put a few simple extra tips and some links for more info:
• Run MyBB with a database user that is not used with anything else on your website to prevent one failure leading to another.
• Restrict the database user that MyBB uses to only be able to do what it needs and nothing more.
• Restrict PHP to only be able to execute functions that are needed and nothing more.
• Remove any features you don't need (don't use the portal? then remove it, don't use the calendar? then disable it etc).
• Make sure you don't have scrutinize IP enabled unless you really, really, really know what you are doing.
• Search through forums/exploit DBs for potential exploits often.
• If you are starting a forum from scratch change how passwords are salted and hashed for some extra obscurity in the event your DB is leaked.
• If you've left anything in areas the public can access such as a plugin zip file or a phpinfo.php then be sure to remove it.
• If something is suspicious... CHECK IT OUT!

Credits for this material:
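Added example, not MyBB's own code and not part of the guide above: a Python script that applies the file-system parts of the guide (the deny-all .htaccess in the directories that never need browser access, Options -Indexes in the forum root, and the die() guard in the backup module) in one idempotent pass. It assumes a standard MyBB layout under the given root, takes the admin directory name from the caller (the value of $config['admin_dir']), and assumes the backup module lives at {admin_dir}/modules/tools/backupdb.php. The demo() function builds a constructed throw-away forum tree so the effect can be inspected without a real install.

```python
"""Apply three MyBB hardening steps from the guide on the file system.

Added example, not MyBB's own code. Assumptions: a standard MyBB layout under
`root`, the admin directory name passed by the caller ($config['admin_dir']),
and the backup module at {admin_dir}/modules/tools/backupdb.php. The .htaccess
directives use the Apache 2.2 access-control syntax the guide itself uses; on
Apache 2.4 without mod_access_compat the equivalent is "Require all denied".
"""
import os
import tempfile
from pathlib import Path

DENY_ALL = "deny from all\n"
NO_INDEXES = "Options -Indexes"
BACKUP_GUARD = "die('Backups Disabled');"


def protected_dirs(admin_dir):
    """Directories (relative to the forum root) that browsers never need to reach."""
    return ["inc", "install", f"{admin_dir}/inc", f"{admin_dir}/modules"]


def deny_directory_access(root, admin_dir="admin"):
    """Write a deny-all .htaccess into each protected directory that exists.

    Returns the paths written. A missing directory (e.g. install/ already
    deleted) is skipped rather than treated as an error.
    """
    written = []
    for rel in protected_dirs(admin_dir):
        directory = Path(root) / rel
        if not directory.is_dir():
            continue
        htaccess = directory / ".htaccess"
        htaccess.write_text(DENY_ALL)
        written.append(str(htaccess))
    return written


def disable_directory_listing(root):
    """Make sure the root .htaccess carries Options -Indexes; idempotent.

    Existing directives are kept. Returns True if the file was changed.
    """
    htaccess = Path(root) / ".htaccess"
    existing = htaccess.read_text() if htaccess.exists() else ""
    if any(line.strip() == NO_INDEXES for line in existing.splitlines()):
        return False
    separator = "" if existing == "" or existing.endswith("\n") else "\n"
    htaccess.write_text(existing + separator + NO_INDEXES + "\n")
    return True


def disable_backup_module(root, admin_dir="admin"):
    """Insert the die() guard right after the opening <?php of the backup module.

    Returns True if the guard was added, False if it was already present.
    Comment the inserted line out when a backup is actually needed.
    """
    module = Path(root) / admin_dir / "modules" / "tools" / "backupdb.php"
    source = module.read_text()
    if BACKUP_GUARD in source:
        return False
    if not source.startswith("<?php"):
        raise ValueError(f"{module} does not start with <?php")
    rest = source[len("<?php"):].lstrip("\n")
    module.write_text("<?php\n" + BACKUP_GUARD + "\n" + rest)
    return True


def demo():
    """Run all three steps against a constructed forum tree and report the outcome."""
    root = tempfile.mkdtemp()
    for rel in ["inc", "install", "admin/inc", "admin/modules/tools"]:
        os.makedirs(os.path.join(root, rel))
    backup = Path(root) / "admin" / "modules" / "tools" / "backupdb.php"
    backup.write_text("<?php\n// constructed stand-in for MyBB's backup module\n")
    return {
        "denied": [os.path.relpath(p, root) for p in deny_directory_access(root, "admin")],
        "indexes_off": disable_directory_listing(root),
        "indexes_off_again": disable_directory_listing(root),
        "backup_disabled": disable_backup_module(root, "admin"),
        "backup_disabled_again": disable_backup_module(root, "admin"),
        "backup_head": backup.read_text().splitlines()[:2],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because each step reports whether it changed anything, the script can be re-run after every MyBB upgrade (which may overwrite backupdb.php and the shipped .htaccess files) to confirm the guards are still in place.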
  9. Security Guide

TIPS

In this section of the tutorial you will find several tips on how to improve the security of your Invision Power Board.

1. Do not allow HTML for your board except for user groups that you can fully trust. When creating a forum you can choose not to allow HTML code to be posted in various sections of the board. You can disallow HTML code in all of the areas listed below:
• To disable HTML in signatures and the about me section for members go to System tab -> System Settings -> Members tab -> User Profiles.
• To disable HTML in personal messages between users go to System tab -> System Settings -> Members tab -> Personal Message Set-up.
• To disable the HTML in posts for specific user groups go to Members tab -> Manage User Groups -> Edit for the group -> Global tab.

2. For the lost password recovery it is best to use the email random password option. This option can be altered via the IPBoard admincp -> System -> System Settings -> System Tab -> Security and Privacy. Note that it is highly advisable to email the new password instead of letting the user enter it manually as it is much less likely that the user account email address is compromised.

3. Set up a limited amount of failed login attempts. If the number is reached the user is locked out of the forum for a set time. This option can be altered via the IPBoard admincp -> System -> System Settings -> System Tab -> Security and Privacy -> Brute-force Account Locking section. The other two options below allow you to define if blocked accounts will be automatically unlocked and if so after how many minutes.

4. Use the secure mail form for member to member communication. This way it will not be possible to get the emails of your board users and use them for spam and other fraudulent activities. You can enable the secure form email for member to member communication via IPBoard admincp -> System -> System Settings -> System Tab -> Security and Privacy -> Use secure mail form for member to member mails.

5. Remove the admincp link from your board and modify the name of the administrator directory to something else. The link to the admin panel that is by default included on your forum index can be removed. This is highly advisable along with renaming the admincp folder to something else. The option can be altered via IPBoard admincp -> System -> System Settings -> System Tab -> Security and Privacy -> Remove the ACP link from the board.

6. It is highly advisable to manually approve new account registrations as well as leave the option to verify the registration via email. This option might not be suitable for very popular forums that have lots of new user registrations on a daily basis. However, for closed communities it is best if you have all new user registrations manually approved by forum administrators. This way you can prevent spam bots and unauthorized users from posting on your forum with 100% success. The highest possible security is forcing users to first verify the new account registration via the email address they provided upon registering the new account. Once the new account registration is verified via email it is queued for approval by the board administrator. This option can be chosen via IPBoard admincp -> System -> System Settings -> System Tab -> Security and Privacy -> New registration email validation. You might want to take some time and also adjust the options below to your convenience.

7. Force user login before the board is viewed. This way only registered users can view and post on your online board. Note that in this case guests on your online board won't be able to view any of the forums. The option is available at IPBoard admincp -> System -> System Settings -> System Tab -> Security and Privacy -> Force guests to log in before allowing access to the board. The alternative is to set specific permissions for each forum and thus allow some general purpose forums to be viewable for Guest users. For example you might want to make news and forum rules viewable for everyone so they can check them prior to registering. To achieve this all you need to do is use the permissions matrix when creating a new forum or category. Do not add permissions for the group that guest users are automatically assigned to. This way none of your forums will be accessible for users that are not registered and logged in except for forums you explicitly add permissions to. It is highly advisable to set only Show Forum and Read Topics permissions in such cases.

8. Do not display the version of IPB you are running. Otherwise it will be much easier to search for possible exploits for the specific version if one is trying to compromise your board. Displaying the IPBoard version can be turned off via IPBoard admincp -> System -> System Settings -> System Tab -> Security and Privacy -> Privacy section -> Display IPB version on your site.

There are various options you can manage for your IPBoard. Most of the other features that can be a security issue are set to the highest possible security by default. Bear in mind that you should carefully read and understand what each option does prior to making changes in order to avoid any issues with your online board.

Thanks for this valuable material goes to:

HACKS

I want to show you a few important things, that many of you may know, but others won't. So let's start with the server and permissions:
• Never - and really never - set 777 permission on ANY directory/file. That would allow malicious users to execute/delete/move/edit your files easily.
• Do not make .htaccess files readable - they could leak important data.
• How to set permissions: chmod xxx -R /dir/to/files
• Secure phpMyAdmin - there are several ways to do so, but a simple .htaccess file should be enough.
The htaccess file can look like this (i use it like this): AuthType Basic AuthName "Restricted Files" AuthUserFile /path/to/passwords/.htpasswd Require valid-user add a file called .htaccess (it must have the . before htaccess and it needs to be in the directory you want to secure. For phpmyadmin its usually /usr/share/phpmyadmin) Do not run apache as root - if you do so, a malicious user could use exploits to gain access to the apache2 user - that could lead to a real disaster. use this tutorial to change your user for apache2: Secure php - turn off unnecessary features and set up open_basedir, it could save your server. This should help with turning off features for php: http://stackoverflow...erous-functions If you use apache, use mod_antiloris What does mod_antiloris do? Well its easy: There is a tool called slowloris. People use it to DoS a server - that means, they attack it, so the server shuts down. How does mod_antiloris do this? It opens a lot of apache processes so the apache server simply cant get enough ram anymore and shuts down automatically. Why do they use that tool? Because it uses so little resources that it makes it really easy to bring a server down. What does mod_antiloris do now? Well a server understands requests like this: SYN - ACK - SYN - ACK Well slowloris does this: ACK - ACK - ACK - ACK The server opens processes and never closes them since no SYN is coming back. mod_antiloris detects those malicious requests and closes them itself. Note: To install mod_antiloris, you need to look for it on google, I can not go indepth with the setup, since I only use Ubuntu as my server. Turn off php error reporting. No one needs to see php errors on the page. They could cause to a leak of data and in this case, there is a Full path disclosure script out there that could tell an attacker what your directory is called. To disable it you can add: error_reporting(0); @ini_set('display_errors', 0); to the end of your index file. 
Now to the IPB Setup and file Setup: Use .htaccess for the admin directory. (Refer to the Security center for this) Rename the admin directory. (Referr to the Security center) Remove dav.php if it isnt necessary. (In terminal: rm /path/to/dav.php) Use hooks like StopForumSpam to prevent fraud on your forum. (Use the StopForumSpam website for more info, they have in-depth tutorials for this on their site) Before you install a skin, check it. The skin "Glare by Tom Christian" reveals your admin directory in the source code for example, no matter what you set it up to do. You can do so by simply opening your source code on the index page of your forum and searching for your ACP link. Then when you found it you can easily referr to the CSS files (Look and Feel - Edit Skin CSS - globalTemplate) Change your display name. Users can use bruteforce to get your password, but what if they don't know what your username is called? They can´t brute it. You can do so in the members tab in the ACP. Do not allow signatures which are too big (I know its not security related but it can slow down your site dramatically) This can be done within the IPB ACP (resize images) Follow the things written in your Security Center, IPB knows what they write. Use the Checkers (Whitespace Checker and so on) weekly so you see if something goes wrong. Remove users using odd usernames. What do I mean with odd? <script>alert(blabla)</script> is surely odd and it shows that the user tried to do an XSS attack. XSS can be used for attacks to get sensitive data or deface your website. 
Other things you can do is on files that really should not be viewable via php as regardless of the request placing: if (realpath(__FILE__) == realpath($_SERVER['SCRIPT_FILENAME'])) { exit('Denied.'); } After: <?php Result: <?php if (realpath(__FILE__) == realpath($_SERVER['SCRIPT_FILENAME'])) { exit('Denied.'); } Also adding blocks via the htaccess is also wise for things such as conf_global.php, initdata.php, and constants.php <Files conf_global.php> deny from all </Files> <Files initdata.php> deny from all </Files> <Files constants.php> deny from all </Files> Or, you can also do this and it will work. Rename your conf_global.php to w/e you want, make a new conf_global.php and place this in it: <?php if (realpath(__FILE__) == realpath($_SERVER['SCRIPT_FILENAME'])) { exit('Denied.'); } @include('yournewconfigname.php'); ?> Thanks for this valuable material goes to:
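The server-side part of the post above (no 777 permissions, .htaccess files not readable by other users, conf_global.php and friends denied via .htaccess) can be checked rather than just remembered. The following is an added example written for this page, not code from the post or from IPB: it walks a web root and reports world-writable entries, .htaccess files with the "other" read bit set, and sensitive IPB files whose directory .htaccess contains no deny-all <Files> block for them. The demo tree it builds under a temp dir is constructed; its layout, file names and the issue labels are assumptions, not a real IPB install.

```python
"""Added example (not from the original post): audit a web root for the
server-side mistakes the post warns about."""
import os
import re
import shutil
import stat
import tempfile

# IPB files the post says should be denied from the web
SENSITIVE = ("conf_global.php", "initdata.php", "constants.php")

FILES_BLOCK = re.compile(r"<Files\s+\"?([^>\"\s]+)\"?\s*>(.*?)</Files>", re.I | re.S)
DENY = re.compile(r"\b(deny\s+from\s+all|Require\s+all\s+denied)\b", re.I)


def denied_files(htaccess_path):
    """Names covered by a <Files ...> block that denies everyone (2.2 or 2.4 syntax)."""
    if not os.path.isfile(htaccess_path):
        return set()
    with open(htaccess_path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return {m.group(1) for m in FILES_BLOCK.finditer(text) if DENY.search(m.group(2))}


def audit_webroot(root):
    """Return sorted (issue, relative_path) tuples for everything under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # symlink mode bits are meaningless; the target is audited where it lives
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings.append(("world-writable", rel))          # the chmod 777 mistake
            if name == ".htaccess" and mode & stat.S_IROTH:
                findings.append(("htaccess-readable-by-others", rel))
        covered = denied_files(os.path.join(dirpath, ".htaccess"))
        for name in filenames:
            if name in SENSITIVE and name not in covered:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append(("sensitive-file-not-denied", rel))
    return sorted(findings)


def _write(path, text, mode):
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)  # explicit modes so the demo does not depend on the umask


def build_demo_tree():
    """Constructed web root (assumption, not a real install): one good directory
    plus the mistakes the post lists."""
    root = tempfile.mkdtemp(prefix="ipb_audit_")
    os.mkdir(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)        # world-writable upload dir
    os.mkdir(os.path.join(root, "admin"))
    os.chmod(os.path.join(root, "admin"), 0o755)
    _write(os.path.join(root, "conf_global.php"), "<?php $INFO = array();\n", 0o640)
    _write(os.path.join(root, "initdata.php"), "<?php\n", 0o644)
    # denies conf_global.php only, and is readable by every local user
    _write(os.path.join(root, ".htaccess"),
           "<Files conf_global.php>\n    deny from all\n</Files>\n", 0o644)
    # admin directory: basic auth as in the post, and not readable by others
    _write(os.path.join(root, "admin", ".htaccess"),
           'AuthType Basic\nAuthName "Restricted Files"\n'
           "AuthUserFile /path/to/passwords/.htpasswd\nRequire valid-user\n", 0o640)
    return root


def run_demo():
    """Build the constructed tree, audit it, and clean up."""
    root = build_demo_tree()
    try:
        return audit_webroot(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for issue, path in run_demo():
        print(f"{issue:28s} {path}")
```

Pointed at a real document root (`audit_webroot("/var/www/forum")`) it should come back empty; on the demo tree it reports the 777 uploads directory, the world-readable top-level .htaccess, and initdata.php, which the .htaccess beside it does not deny. The admin/.htaccess with mode 640 and the denied conf_global.php are not reported.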
10. Common advice

Update all the things
Every new release of WordPress contains patches and fixes that address real or potential vulnerabilities. If you don’t keep your website updated with the latest version of WordPress, you could be leaving yourself open to attacks. Many hackers will intentionally target older versions of WordPress with known security issues, so keep an eye on your Dashboard notification area and don’t ignore those ‘Please update now’ messages.

Backup your WordPress database regularly
Keeping your own website or blog takes time and effort, but what happens if you lose even part of your information? Having to re-do content or scrape the Wayback Machine for indexed page records is time consuming and sketchy. Even after that there is no guarantee that you can retrieve all files. You can use this nice plugin -

Use strong passwords
You will be surprised to know that there are thousands of people that use phrases like "password" or "123456" for their admin login details. Needless to say, such passwords can be easily guessed and they are at the top of the list of any dictionary attack. A good tip is to use an entire sentence that makes sense to you and you can remember easily. Such passwords are much, much better than single phrase ones.

Store your passwords in a safe place
Never use browser password auto-complete! A better option is a good password manager! You can use this nice app -

Always use SFTP instead of FTP
SFTP is a secure form of the FTP command. Whenever a user opens up a regular FTP session or most other TCP/IP connections, the entire transmission made between the host and the user is sent in plain text. Anyone who has the ability to snoop on the network packets can read the data, including the password information. If an unauthorized user can log in, they have the opportunity to compromise the system. When using ssh's SFTP instead of FTP, the entire login session, including transmission of the password, is encrypted. It is therefore much more difficult for an outsider to observe and collect passwords from a system using ssh/SFTP sessions.

Ensure your computer is free of viruses and malware
If your computer is infected with a virus or malware, a potential attacker can gain access to your login details and make a valid login to your site, bypassing all the measures you've taken before. This is why it is very important to have an up-to-date antivirus program and keep the overall security of all computers you use to access your WordPress site at a high level.

Valuable Hacks and Tricks

Protect WordPress against XSS injection
What is script injection? Perhaps a better name for "script injection" is "code injection." Here, an attacker literally looks for some type of input element on your site - this could be a search field, a contact field, a name field, or any other type of element that submits data to a server. This is normally done through the use of a script - sometimes it's malicious JavaScript, but attackers can be successful in inserting PHP or MySQL commands as well. Finally, it's referred to as injection because if the attacker is successful, then they are literally injecting their code into your application. Paste this code into your .htaccess file located in the root of the website:

    Options +FollowSymLinks
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ index.php [F,L]

Kill the admin (say NO to the default username "admin")!
For attackers it is always easier to access the site using brute force if the username is already known. And in most cases the default username for admin is a primitive... teeth gnashing... "admin". Just execute this query on the database:

    UPDATE wp_users SET user_login = 'Your new login' WHERE user_login = 'admin';
    -- wp_posts.post_author stores the numeric wp_users.ID, not the login name,
    -- so it does not need to be updated after the login is renamed.

Remove unnecessary information on unsuccessful login
If you try to log in to the admin area of WordPress and you make a mistake in the username or password, the engine will tell you about it. Why should the attacker know that the password he is trying is wrong? Let's just cut off this information and confuse the attacker a little. Open functions.php in the folder of the active theme of your blog (wp-content/themes/name-your-theme/) and add the following code:

    // a closure instead of create_function(), which was removed in PHP 8
    add_filter('login_errors', function ($errors) { return null; });

SSL forcing
If you want to send your information in a secure way, you need to use the SSL protocol that ensures the integrity and confidentiality of the data exchange. First of all find out whether your provider allows you to use SSL. If yes, then open the file wp-config.php (living in the root of the site) and add the following line:

    define('FORCE_SSL_ADMIN', true);

Use .htaccess to protect the wp-config file
wp-config.php contains all the information required to connect to the MySQL server and database. Protection of this file is one of the most important tasks. Find the file .htaccess in the root of your website and add the following lines:

    <files wp-config.php>
        order allow,deny
        deny from all
    </files>

Hide the version of WordPress
WordPress can track your site, thanks to the footprints it leaves in its software that let the outside world know what version of WordPress you are using. If you don’t regularly update WordPress, these footprints may be a security leak, though simply hiding your version of WordPress is not enough by itself to protect you from potential threats. To hide your version of WordPress in all three areas, simply add the following code to your functions.php file:

    /* Hide WP version strings from scripts and styles
     * @return {string} $src
     * @filter script_loader_src
     * @filter style_loader_src
     */
    function fjarrett_remove_wp_version_strings( $src ) {
        global $wp_version;
        // parse_url() returns null when there is no query string; cast so parse_str() gets a string
        parse_str( (string) parse_url( $src, PHP_URL_QUERY ), $query );
        if ( !empty( $query['ver'] ) && $query['ver'] === $wp_version ) {
            $src = remove_query_arg( 'ver', $src );
        }
        return $src;
    }
    add_filter( 'script_loader_src', 'fjarrett_remove_wp_version_strings' );
    add_filter( 'style_loader_src', 'fjarrett_remove_wp_version_strings' );

    /* Hide WP version strings from generator meta tag */
    function wpmudev_remove_version() {
        return '';
    }
    add_filter( 'the_generator', 'wpmudev_remove_version' );

readme.html and license.txt files
Be sure to remove the readme.html and license.txt files from the root folder of the website. In fact, they are useless, but apart from that, in them you can find information about the version of WordPress.

Write a plugin to protect against malicious URL requests
"Hackers" very often try to find weaknesses with the help of all sorts of malicious requests. WordPress is well protected from this, but extra protection is a plus. Create a new file called blockbadqueries.php and put it in the folder wp-content/plugins. Then just activate it in the admin panel like any other plugin.

    <?php
    /*
    Plugin Name: Block Bad Queries
    Plugin URI:
    Description: Protect WordPress Against Malicious URL Requests
    Author URI:
    Author: Perishable Press
    Version: 1.0
    */

    // Run once WordPress has loaded the current user: at plugin-include time
    // neither $user_ID nor current_user_can() is usable yet, so the check is
    // hooked to 'init'. Administrators (level_10) are exempt.
    function bbq_block_bad_queries() {
        if ( current_user_can( 'level_10' ) ) {
            return;
        }
        $uri = $_SERVER['REQUEST_URI'];
        if ( strlen( $uri ) > 255
            || strpos( $uri, 'eval(' ) !== false
            || strpos( $uri, 'CONCAT' ) !== false
            || strpos( $uri, 'UNION+SELECT' ) !== false
            || strpos( $uri, 'base64' ) !== false ) {
            header( 'HTTP/1.1 414 Request-URI Too Long' );
            header( 'Status: 414 Request-URI Too Long' );
            header( 'Connection: Close' );
            exit;
        }
    }
    add_action( 'init', 'bbq_block_bad_queries' );

Protect directories on the server from view
Many hosting companies allow anybody to view the directories on their server. So, if you type one in the address bar, very often you can see all the contents of that directory. Of course it is unsafe, so it's better to turn this feature off immediately. Add this line to the .htaccess file:

    Options All -Indexes

Security plug-ins

Limit Login Attempts
Limit the number of login attempts possible both through normal login as well as using auth cookies. By default WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease. Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.

Features:
- Limit the number of retry attempts when logging in (for each IP). Fully customizable.
- Limit the number of attempts to log in using auth cookies in the same way.
- Informs the user about remaining retries or lockout time on the login page.
- Optional logging, optional email notification.
- Handles a server behind a reverse proxy.
- It is possible to whitelist IPs using a filter. But you probably shouldn't. :-)

Wordfence Security
Looks very promising, but I prefer doing all important jobs on my own, and have some skeptical feelings about "commercial freeware".
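The .htaccess rewrite rules and the Block Bad Queries plugin in the post above both block on crude patterns, and the post does not show what they actually catch or what they catch by accident. The following is an added example written for this page, not the post's code: it reimplements the same checks in Python (the three RewriteCond patterns applied to the raw, still URL-encoded query string as Apache's %{QUERY_STRING} is, and the plugin's length and strpos() checks against the whole REQUEST_URI) and runs them over constructed request URIs so both the hits and the false positives are visible. The sample URIs and the rule labels are made up for the demo.

```python
"""Added example (not the post's code): the query-string and REQUEST_URI
checks from the .htaccess rules and the Block Bad Queries plugin, run against
constructed requests."""
import re
from urllib.parse import urlsplit

# The three RewriteCond patterns, matched against the raw query string.
HTACCESS_RULES = [
    ("script-tag", re.compile(r"(<|%3C).*script.*(>|%3E)", re.I)),  # [NC] -> case-insensitive
    ("globals",    re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("_request",   re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")),
]
# The plugin's strpos() needles, matched against the whole REQUEST_URI (case-sensitive).
BBQ_NEEDLES = ("eval(", "CONCAT", "UNION+SELECT", "base64")


def classify(request_uri):
    """Return (rule, detail) for a request that would be blocked, else None.
    Order mirrors the plugin: length, then substrings; then the .htaccess rules."""
    if len(request_uri) > 255:
        return ("bbq-length", "REQUEST_URI longer than 255 bytes")
    for needle in BBQ_NEEDLES:
        if needle in request_uri:          # 'in' is what the PHP strpos() checks intend
            return ("bbq-substring", needle)
    query = urlsplit(request_uri).query    # not decoded, like %{QUERY_STRING}
    for name, rx in HTACCESS_RULES:
        if rx.search(query):
            return ("htaccess-" + name, rx.pattern)
    return None


# Constructed sample traffic (assumption): three probes, three legitimate requests.
SAMPLE_REQUESTS = [
    "/?s=%3Cscript%3Ealert(1)%3C/script%3E",        # reflected-XSS probe
    "/index.php?GLOBALS[_SERVER]=x",                 # register_globals abuse
    "/?id=1+UNION+SELECT+user_pass+FROM+wp_users",   # SQL injection probe
    "/2014/08/base64-encoding-explained/",           # legitimate post slug
    "/?s=_REQUEST%20vs%20_GET",                      # legitimate search
    "/?s=javascript+tutorial",                       # legitimate search
]


def run_samples():
    """Map each sample URI to the name of the rule that blocks it (None = allowed)."""
    result = {}
    for uri in SAMPLE_REQUESTS:
        hit = classify(uri)
        result[uri] = hit[0] if hit else None
    return result


if __name__ == "__main__":
    for uri, rule in run_samples().items():
        print(f"{rule or 'allowed':22s} {uri}")
```

Run as written, the three probes are blocked, but so are a post whose slug contains "base64" (the plugin's substring check) and a search for "_REQUEST vs _GET" (the third RewriteCond, because `%20` satisfies `%[0-9A-Z]{0,2}`), while a search for "javascript tutorial" is allowed. That is the trade-off with pattern blocking at the web-server layer: before copying rules like these into production, replay a day of your own access log through `classify()` and look at what they would have refused.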
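Tip 3 of the IPB guide above (Brute-force Account Locking, with optional automatic unlock after a number of minutes) and the Limit Login Attempts plugin described just above implement the same idea: count failed logins per client address and refuse further attempts for a while once a limit is hit. The following is an added example written for this page, not code from either post or product: a small per-address limiter replayed over constructed login-log lines. The log format (unix time, client IP, user name, OK or FAIL), the retry limit of 4 and the 20-minute lock-out are assumptions chosen for the demo.

```python
"""Added example (not the posts' code): per-address brute-force lock-out of the
kind IPB's account locking and the Limit Login Attempts plugin provide."""
from collections import defaultdict


class LoginLimiter:
    def __init__(self, max_retries=4, lockout_seconds=20 * 60):
        self.max_retries = max_retries
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(list)   # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> unix time at which the lock expires

    def attempt(self, ip, ts, success):
        """Record one login attempt at time ts; return 'ok', 'fail' or 'locked'."""
        until = self.locked_until.get(ip)
        if until is not None:
            if ts < until:
                return "locked"             # still locked: the password is not even checked
            del self.locked_until[ip]       # lock expired (the 'automatically unlock' option)
            self.failures[ip] = []
        if success:
            self.failures[ip] = []          # a good login clears the counter
            return "ok"
        # failures older than one lock-out window no longer count against the address
        recent = [t for t in self.failures[ip] if ts - t < self.lockout_seconds]
        recent.append(ts)
        if len(recent) >= self.max_retries:
            self.locked_until[ip] = ts + self.lockout_seconds
            self.failures[ip] = []
            return "locked"
        self.failures[ip] = recent
        return "fail"


# Constructed log (assumption): "<unix_time> <client_ip> <user> <OK|FAIL>"
SAMPLE_LOG = """\
1000 203.0.113.7 admin FAIL
1010 203.0.113.7 admin FAIL
1020 203.0.113.7 admin FAIL
1030 203.0.113.7 admin FAIL
1040 203.0.113.7 admin OK
1060 198.51.100.2 editor FAIL
1070 198.51.100.2 editor OK
2300 203.0.113.7 admin OK
"""


def replay(log_text, limiter=None):
    """Feed log lines through a limiter; return [(ts, ip, decision), ...]."""
    limiter = limiter or LoginLimiter()
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, _user, result = line.split()
        out.append((int(ts), ip, limiter.attempt(ip, int(ts), result == "OK")))
    return out


if __name__ == "__main__":
    for ts, ip, decision in replay(SAMPLE_LOG):
        print(f"{ts:6d} {ip:15s} {decision}")
```

In the replay, the fourth failure from 203.0.113.7 at t=1030 locks that address until t=2230, so the correct password at t=1040 is still refused ("locked"); the other address is unaffected, and the login at t=2300 succeeds because the lock has expired. Keying on the client address is what both products do, which is also their limitation: an attacker spread across many addresses, or many users behind one NAT, are the cases the "reverse proxy" and whitelist features in the plugin description exist for.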
11. Symantec's widely used and much maligned line of Norton security suites will get a major overhaul in September. For the first time since 1991, there won't be a new version of Norton Antivirus on the shelves this fall. Symantec will rebrand its consumer security suites next month by eliminating several similarly named products. The new Norton Security, which debuts September 23, will replace Norton AntiVirus, Norton Internet Security, Norton 360, Norton 360 Multi-Device, and Norton 360 Premier Edition. "We're headed towards security as a service," Gerry Egan, the senior director of product management for Norton at Symantec, told CNET. He said that Symantec is pushing Norton to more closely emulate the Netflix subscription service for security, with account-based logins and security as a service. Egan said that around 50 million people currently pay for Norton security, separate from Symantec's enterprise business. Under the new Norton Security interface, the security suite will combine the features of Norton Antivirus and Norton Internet Security. In addition to antivirus and anti-malware protection, it will include browser security without the hassle of an add-on, botnet detection and blocking, and what Egan said was a "smarter" reliance on cloud-based detection. And in a bid to convince consumers that the new Norton is not like the notorious Nortons of the past, which earned a reputation for sacrificing performance in exchange for security, Egan said that the new Norton will offer a money-back guarantee. "We will be offering a virus-free guarantee," he said. "If at the end of the day we run into something we can't deal with, we'll give you your money back." Egan would not reveal how much the new Norton Security will cost, although he did compare it to the current cost of the Norton Internet Security suite. That's around $80 to protect three computers, but it's not uncommon to find significant discounts on the Web.
As part of the new Norton's business strategy, Symantec will let you register up to five devices to use with Norton, including Windows, Mac, iOS, and Android. A more expensive version of Norton Security will ship with a cloud storage service based on SwapDrive, a startup that Symantec purchased in 2008 and has since built into Norton 360. Egan said that Norton Security with Backup will cover up to 10 devices and will be comparable in price to Norton 360, around $100 before discounts. The consumer security suite market is incredibly competitive, with more than a dozen paid and free security suites vying for attention. Egan explained the change as being necessary to attracting new users to Norton. "You might bounce throughout the day from a Mac to a mobile to a Windows machine," he said. Instead of trying to figure out which Norton product they're using, "we want to say to people that you sign up to Norton, it's as simple as that."
12. As it prepares for a larger push beyond consumers into the business market, Lookout Mobile Security locks down one of the largest rounds of funding ever disclosed for a tech security firm.

[Image: John Hering (left), Lookout co-founder and chairman, and Jim Dolce, Lookout CEO. Credit: Lookout]

Protecting mobile devices from hackers is big business, as evidenced by the latest round of funding for Lookout Mobile Security. The seven-year-old startup announced on Wednesday that it has secured $150 million in a new round of financing, the largest so far this year and one of the largest ever for a computer security firm. It also totals more than all of Lookout's previous funding combined. Headquartered in downtown San Francisco, the firm started out making freemium mobile security apps for consumers on Android and iOS and securing carrier partnerships. Since then, they've broadened their business into the enterprise space, as well as building a security analytics platform and a small security-centered app marketplace. Lookout reports that more than 50 million people now use its apps, and has "millions" of premium subscribers. Lookout co-founder and executive chairman John Hering told CNET that investor confidence signaled by the new funding meant that his company had the right approach to mobile security. "It is going to take years to accomplish what we believe we are capable of," Hering said. "[O]ur users, operator partners, and enterprise customers can all remain confident that this funding gives us the resources to aggressively pursue our goals while remaining independent." "Mobile is the next frontier for enterprise security globally," Henry Ellenbogen of T. Rowe Price Associates said in a statement. "As an emerging leader in mobile security, we believe that Lookout has a huge opportunity ahead of it." Up until last October, Lookout had raised $76 million.
Then a round of funding from Mithril Capital Management, Qualcomm Ventures, Greylock Partners, and Deutsche Telekom scored it another $55 million. Today's funding announcement more than doubles all funds that Lookout has raised to date, and was contributed by a mix of old and new investors in the company including T. Rowe Price Associates, Goldman Sachs, Morgan Stanley Investment, Bezos Expeditions, Wellington Management Company, Khosla Ventures, Accel Partners, Index Ventures, Andreessen Horowitz, and Mithril.
13. With the goal of better protecting user data, the social network buys a company known for just that. Looking to make user data more secure, Facebook announced Thursday that it has acquired secure server technology company PrivateCore. PrivateCore, which was founded in 2012 and is based in Palo Alto, Calif., develops software that authenticates and secures server data. The company's goal is to protect servers from malware, unauthorized access, and malicious hardware devices. This type of software would be useful to Facebook, given that the company runs tens of thousands of servers. The social network has more than 1 billion monthly active users, which means a lot of data that could be vulnerable without the right protections. The terms of the deal were not disclosed, but a Facebook spokesperson did confirm that the social network plans to add PrivateCore's technology to its server stack. "Facebook has done more than any company to connect the world, and we want to use our secure server technology to help make the world's connections more secure," PrivateCore CEO Oded Horovitz said in a statement. "Working together with Facebook, there is a huge opportunity to pursue our joint vision at scale with incredible impact." "PrivateCore and Facebook share a vision of a more connected, secure world," a Facebook spokesperson told CNET. "We plan to deploy PrivateCore's groundbreaking technology into Facebook's server stack to help further our mission to protect the people who use our service."
  14. Account Security Hi Everyone,
15. After being arrested just over a month ago, Peter Sunde has sent a plea to the authorities over his detention. The Pirate Bay co-founder says that his prison conditions don't match the nature of his crime and that his health is deteriorating as a result. In addition to psychological issues, Sunde says he's lost 11 pounds in weight. In February 2012, Sweden’s Supreme Court determined that the sentences handed out to The Pirate Bay’s Peter Sunde, Fredrik Neij, Gottfrid Svartholm and Carl Lundström would stand. Carl Lundström’s sentence was quickly served but there was a months-long delay before Gottfrid Svartholm could be removed from Cambodia and placed in Swedish detention. It took even longer to trace and detain Peter Sunde. More than two years had passed when the former Pirate Bay spokesman was eventually captured on May 31, 2014, the eighth anniversary of the 2006 raid on the infamous site. A special police unit dedicated to tracking down fugitives found Sunde on a farm in Skåne, Sweden. Sunde is now detained in Västervik Norra, the prison originally allocated to him in 2012. Converted from a hospital over the past nine years, in 2012 the facility had 262 inmates and 250 staff. Sunde feels that the establishment is an inappropriate venue for his incarceration. In a letter recently sent to the probation board, Sunde asks to be moved to a location more in keeping with his offenses. “I hereby appeal the placement decision regarding the institution I am in. I believe that the safety class is too high for the crime I have been convicted of,” Sunde writes. Swedish prisons are split into three security categories. Category One is reserved for the most dangerous of prisoners. Category Two covers the majority of the country’s closed prisons, while Category Three contains trusted prisoners who are believed to pose the lowest risk. Sunde was found guilty of non-violent copyright-related offenses, which means he should pose little to no risk to the public.

On this basis Sunde believes he should be transferred to a Category Three prison, specifically Tygelsjö, which is close to his family. He says there is no risk of him trying to escape. Health issues also feature prominently in Sunde’s plea to the authorities. “I’m suffering tremendously – socially, physically as well as psychologically – by the shortcomings of Västervik,” he explains. Those shortcomings include problems with food. While Sunde has described himself as a vegetarian, on occasions he has expressed a clear preference for vegan food. It’s not clear where the diet in Västervik falls short, but Sunde says he’s suffering to the point of going hungry. The 35-year-old reports that in the last four weeks he’s lost 11 pounds (5 kg). While Sunde evaded capture for two years, that time didn’t go to waste. Before running for the European Parliament with the Finnish Pirate Party this year, Sunde invested in several tech-focused startups including the micro-donation service Flattr and the NSA-proof messenger app. While those operations are likely to continue in his absence, Sunde’s incarceration has already led to issues with a historic domain. Piratbyrån (The Bureau of Piracy) was the group behind the founding of The Pirate Bay and although it disbanded in 2010, Sunde remained the person responsible for administering it. That domain now has issues which Sunde clearly can’t solve, although others are currently trying. In the meantime, Fredrik Neij – who is also required to serve a Pirate Bay-related 10 month prison sentence – remains a fugitive and currently resides in Asia.
16. In many European countries, for example, national courts have ordered ISPs to block access to sites such as The Pirate Bay and others. However, that’s not the only type of blocking and filtering that’s common nowadays. There are thousands of companies, schools and other organizations that voluntarily use commercial blocking software to restrict access to objectionable or threatening sites. As with all filters, however, there are false positives. TorrentFreak, for example, is often categorized as a file-sharing site, and blocked to prevent copyright infringement or other associated “threats”. Apparently this is also happening at Microsoft, where the filter managed by the local information security risk management department blocks TorrentFreak on the internal network. Microsoft employees who try to access our site are welcomed with the following message: “The requested resource has been blocked as an identified risk to your client and the Microsoft corporate network.”