06-8-2011, 09:15 AM | #1 |
FFR Simfile Author
|
In honour of LulzSec: Post IT security problems and fixes
0) Your password is hopelessly insecure.
Why this is bad: A computer can test every 6 character long password in a matter of minutes. Computers are only getting faster and botnets bigger. Also, you use the same password for every site you go to because your memory is bad, so cracked once = cracked everywhere. Solution: An IP should be locked out after X number of failed password guessing attempts. That won't protect you, though, if you (or a company's admin!) uses the same password on a site without such protection. The only solution is to use a different password per page - try having a 'master' password that you modify subtly based on the name (but not the whole name) of the website. This way it's easy for you to remember but a program testing cracked passwords on every site it can won't figure it out. More secure are 'keychain' programs which produce high complexity passwords for every site you go to, and permit you access to this keychain with the 'master password' that you memorize. This way stealing your password on one site is useless. Try https://lastpass.com/ or http://keepass.info/ 0.5) Your password is still insecure, even after that salted MD5 database of passwords is leaked. Why this is bad: Even if it's salted so you can't use a rainbow table (do people still use those?) a computer can try every possibility until it works, because most passwords are short and come out of the dictionary with minor modifications on the end. Solution: Use bcrypt. http://codahale.com/how-to-safely-store-a-password/ Why bcrypt and not MD5 or SHA-256? Because bcrypt has a 'work factor' - the higher the work factor, the longer it takes to hash. Meaning that a brute force password guesser will now take years for one password, but a legitimate user won't even notice the difference. 1) SQL injection lets arbitrary SQL get executed on your database. 
Why this is bad: The hacker can now retrieve the contents of every table, drop every table, query system parameters to find out more about the software and what it's running on, etc. Solution: mysql_real_escape_string. http://php.net/manual/en/function.my...ape-string.php If you're sending a number, however, check that it's composed entirely of 0-9s. Finally, why not just use stored procedures? They have a pre computed query plan so they'll run faster, they explicitly separate code from data by parametrization. 2) XSS vulnerabilities can let a user upload javascript code and have it be executed as part of the page by the next user to access it. Why this is bad:If you can get an admin to execute the code you now have admin privileges. Failing that, you can always mass steal session cookies and impersonate users. Solution: Not easy. Refer to https://www.owasp.org/index.php/XSS_...on_Cheat_Sheet 3) Cookies, passwords and other information you transmit over a wireless connection can be intercepted by other people in the area Why this is bad: There's a plugin for Firefox called Firesheep that automatically notifies you when it picks up other people's cookies! Stealing people's sessions has never been easier. Solution: Only use https:// to connect to sites that you care about or just read a book while you're sitting in the airport. For most people this won't matter because it's difficult to mass mine people's passwords 4) Devices on a company network will respond to all pings and TCP connections by default. Why this is bad: A hacker could do a scan of IP addresses and ports in your network, finding out not just what you have on the network but if they find even one service with a known vulnerability it can be leveraged to do more damage. It's not worth the risk. Solution: Set up access control lists either on the routers or on the firewall to prevent all IP traffic and ports except the ones that need to be open to the internet. 
Network address translation can be used to allow devices on the network to only be accessed when they start the session. 5) Users can travel to webpages you didn't expect or send parameters you didn't expect by altering the URL/the source code of a page which sends a form. Why this is bad: If you forget to sanity check parameters, your users can send bizzare results. For a while on the site www.epicmafia.com you could use Google Chrome to edit a page letting you rate a user up or down - normally by 1 or -1, but if you change it to 100000 or -100000 then it worked! Webpages can be vulnerable in two ways - they can directly represent actions, which when used will perform the action whether you wanted it to or not (e.g. on www.furaffinity.net you could trick an admin into deleting an image because it was a simple URL) or it can contain content you're not supposed to access as a normal user. ps these sites are coded REALLY badly Solution: Always, always assume data you receive from the user is untrustworthy and sanity check it. URLs that modify the state in some way (like deleting an image) should either be impossible to predict by someone who isn't you or rely on hidden parameters so it's not as easily spoofed. Your web server program, like Apache, can forbid access to web pages that aren't meant to be publicly viewable. I'm not as certain about this kind of vulnerability, so someone with more experience might be able to correct me here, but I definitely know this is a problem 6) Social engineering: An employee can be conned into giving out a working password to a high privilege account to someone pretending to be a member of the company. Why this is bad: All the security in the world won't help you if you'll give out admin access to anyone. Solution: Security policies and vetting I guess, what's the usual tactic?
Patashu makes Chiptunes in Famitracker: http://soundcloud.com/patashu/8bit-progressive-metal-fading-world http://img.photobucket.com/albums/v216/Mechadragon/smallpackbanner.png Best non-AAAs: ERx8 v2 (14-1-0-4), Hajnal (3-0-0-0), RunnyMorning (8-0-0-4), Xeno-Flow (1-0-0-3), Blue Rose (35-2-0-20), Ketsarku (14-0-0-0), Silence (1-0-0-0), Lolo (14-1-0-1) http://i231.photobucket.com/albums/ee301/xiaoven/solorulzsig.png Last edited by Patashu; 06-8-2011 at 09:21 AM.. |
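Points 0.5 in the post above talk about a hash with a 'work factor' that is stored beside the password so guessing stays expensive while a login stays cheap. The following is an added example and is not code from the post; the post recommends bcrypt, while this uses PBKDF2-HMAC-SHA256 from Python's standard library so it runs without a third-party package. The stored format (`algorithm$iterations$salt$digest`), the 200,000-iteration default and the `login` helper are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Added example, not from the original post. The post recommends bcrypt; this
# uses PBKDF2-HMAC-SHA256 from the standard library so it runs without a
# third-party package. The work-factor idea is the same: the iteration count
# is stored next to the hash, so it can be raised as hardware gets faster.
ALGORITHM = "pbkdf2_sha256"
# Assumed default. Tune it so one hash costs roughly 100 ms on your server;
# that is invisible to a user logging in and ruinous for a guesser.
DEFAULT_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """Return 'algorithm$iterations$salt_hex$digest_hex' for storage."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password; never shared
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest does not short-circuit on the first differing byte
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored, target_iterations=DEFAULT_ITERATIONS):
    """True when the stored hash used a lower work factor than we want today."""
    return int(stored.split("$")[1]) < target_iterations


def login(users, username, password, target_iterations=DEFAULT_ITERATIONS):
    """Check a login against a dict of username -> stored hash.

    On success, silently re-hash with the current work factor if the stored
    one is stale; this is how a site raises its work factor without resetting
    everyone's password.
    """
    stored = users.get(username)
    if stored is None:
        # Burn the same work for unknown users so response time does not
        # reveal which usernames exist.
        hash_password(password, target_iterations)
        return False
    if not verify_password(password, stored):
        return False
    if needs_rehash(stored, target_iterations):
        users[username] = hash_password(password, target_iterations)
    return True
```

The iteration count is the knob the post calls the work factor: doubling it doubles the attacker's cost per guess and the server's cost per login equally, which is exactly the asymmetry you want, since a legitimate user hashes once and a guesser hashes billions of times.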
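Point 5 above describes two bugs: a rating form whose "+1/-1" value the client could edit to 100000, and a delete action that fired from a plain predictable URL. This is an added example, not code from the post or from the sites it names; it models both fixes on a toy in-memory store. The handler names, the status codes returned, the `db` layout and the "no rating yourself" rule are assumptions for the illustration.

```python
import hmac
import secrets

# Added example, not code from epicmafia.com, furaffinity.net or the original
# post. It models the two bugs the post describes on a toy in-memory "db":
# a vote endpoint that trusts a client-supplied delta, and a delete action
# reachable by a plain predictable URL. handle_vote, handle_delete and the
# db layout are assumptions made for the illustration.

# The server, not the form, decides what a vote may be worth.
ALLOWED_DELTAS = {"1": 1, "-1": -1}


def new_session(username, admin=False):
    """Create a session with a random, unguessable per-session token.

    The token is embedded as a hidden parameter in every form that changes
    state. Someone who can only make the victim load a URL does not know it,
    so the URL alone is no longer enough to trigger the action.
    """
    return {"user": username, "admin": admin, "csrf": secrets.token_urlsafe(32)}


def handle_vote(session, params, db):
    """POST /rate with user=<target>&delta=<1|-1>. Returns an HTTP status."""
    target = params.get("user")
    raw_delta = params.get("delta", "")
    if target not in db["ratings"]:
        return 404
    if raw_delta not in ALLOWED_DELTAS:
        # "100000" and "-100000" typed into an edited page end up here
        return 400
    if target == session["user"]:
        return 403  # assumed rule: no rating yourself
    db["ratings"][target] += ALLOWED_DELTAS[raw_delta]
    return 200


def handle_delete(session, method, params, db):
    """Delete an image. Requires POST plus a token matching this session."""
    if method != "POST":
        return 405  # links and <img> tags only produce GET; GET never mutates
    token = params.get("csrf", "")
    if not hmac.compare_digest(token.encode("utf-8"), session["csrf"].encode("utf-8")):
        return 403  # missing or guessed token: the request did not come from our form
    image = params.get("image")
    if image not in db["images"]:
        return 404
    if db["images"][image] != session["user"] and not session["admin"]:
        return 403  # only the owner or an admin may delete
    del db["images"][image]
    return 200
```

The vote check is the "sanity-check everything from the user" rule: the handler maps the raw string onto a fixed table of permitted values and never converts the client's number into a score. The delete check is the "not predictable by someone who isn't you" rule: the action needs a secret that only a page served to this session contains, so tricking an admin into visiting a link no longer deletes anything.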
06-8-2011, 10:21 AM | #2 |
Sun and Stars
|
Re: In honour of LulzSec: Post IT security problems and fixes
coooooooooool
http://www.facebook.com/?ref=logo#!/Br0wnbread Check out my band profile and give it a like! :P |
06-8-2011, 10:37 AM | #3 |
FFR Player
Join Date: Dec 2005
Age: 34
Posts: 240
|
Re: In honour of LulzSec: Post IT security problems and fixes
Great article on XSS.
My boss and I were just talking about that. Also, what do you think of Blowfish encryption? Like the one you mentioned, it is intentionally time-intensive, making brute-force attacks much more time-consuming. Last edited by perkeyone; 06-8-2011 at 10:41 AM.. |
06-8-2011, 05:20 PM | #4 |
Network Security Analyst
|
Re: In honour of LulzSec: Post IT security problems and fixes
While this is a good write-up, it can at best be described as a beginner's guide to basic security. I love the fact that someone, other than me, has taken the time to attempt to warn some people on this site about security. Security is a topic that I have been studying and working with for years and I still consider myself a beginner with these topics. Granted, this is compared to the people at the top of my chosen profession and not compared to most normal people.
There are quite a few good tips here, some that I've been following for years. Some of these things are not easy nor simple to do, but really make it that much harder for someone to "hack" you. Now, I'm using hack very loosely because depending on how your computer is setup you might just be giving this sort of information out, but that is for another topic. To be honest, the majority of "security breaches" are not from the newest and coolest hacks, but the ones that have been around for years and even decades that exploit the simplest things that users just don't take the time to fix. I won't go into details, but I work in the Network Security industry, and this is the majority of what we see and have to help fix. I'll be honest, I don't do everything listed here, but at the same time I know and fully understand all of the risks that are associated with what I do. If you are confused or do not fully understand one of these terms or concepts I highly suggest you do a little research and after doing some research ask some questions. I am inclined to try to help answer any questions, but I really suggest going out and doing some research before posting anything that could easily be answered with a simple search. |
06-8-2011, 05:35 PM | #5 |
FFR Player
Join Date: Sep 2005
Age: 32
Posts: 4,245
|
Re: In honour of LulzSec: Post IT security problems and fixes
Funny this topic was made now because I've just started a personal project learning how to hack as retarded as that sounds. Was at the book store looking to pick up a new book for a personal project and leafed through some book about exploitation and it looked really interesting so I got it. I've learnt so far that no matter what you do you will never have absolute security. Binary executables can be translated into assembly language, and assuming you know the basic processor architecture the binary file was made to run on, you can manipulate the **** out of it, and even find passwords. Encrypted passwords can always be decrypted in time. Packets can have spoofed headers to manipulate protocols or connections. Kinda getting scared I'm specializing in security now.
I've only just started getting into this stuff so excuse me if I'm misunderstanding any of it. Last edited by fido123; 06-8-2011 at 06:23 PM.. |
06-8-2011, 06:41 PM | #6 |
x'); DROP TABLE FFR;--
Join Date: Nov 2010
Posts: 6,332
|
Re: In honour of LulzSec: Post IT security problems and fixes
Go try your hand at hackthissite -- last time I was there I completed everything that was available, but I haven't been back since. Was a fun site.
|
06-8-2011, 06:54 PM | #7 |
Banned
Join Date: Oct 2010
Location: Las Vegas
Age: 33
Posts: 1,823
|
Re: In honour of LulzSec: Post IT security problems and fixes
I've been there a couple of times, but never tried any of the exercises. Might go back and test myself though.
|
06-8-2011, 08:16 PM | #8 | ||||
FFR Simfile Author
|
Re: In honour of LulzSec: Post IT security problems and fixes
Quote:
Quote:
Quote:
However, if it's on the other side of the internet you can only do to it what you can send over the net (or what you can con employees there into doing for you), which is fundamentally limited. If there are no security holes in that, then the site is secure (as if you could prove that!) Quote:
06-9-2011, 12:07 AM | #9 |
Senior Member
|
Re: In honour of LulzSec: Post IT security problems and fixes
oops this thread looks awesome but **** me if I'm going to try and read it all right now while I'm tired.
Hang on, lemme get the IRC logs between LulzSec and that one whitehat dude, those are hilarious brb http://lulzsecurity.com/releases/***...0STATEMENT.txt edit: lmfao ffr censored the link those asterisks should be 'fuck' http://lulzsecurity.com/releases/Karim%20IRC%20log.txt
Last edited by MrGiggles; 06-9-2011 at 12:52 AM.. |
06-9-2011, 12:40 AM | #10 |
FFR Player
Join Date: Dec 2005
Age: 34
Posts: 240
|
Re: In honour of LulzSec: Post IT security problems and fixes
|
06-10-2011, 06:55 PM | #11 |
FFR Player
Join Date: Oct 2005
Location: Wisconsin
Posts: 199
|
Re: In honour of LulzSec: Post IT security problems and fixes
Another way to get around SQL injection in PHP is to use mysqli parameterized queries (with mysqli_prepare). It's similar to stored procedures in that the query is pre-computed. It's easier than running mysql_real_escape_string on every bit of input you receive.
Check out Guessthatalbum.com for a fun music-related game. I make metal files for keyboard players! Check them out at: |
06-10-2011, 06:58 PM | #12 |
FFR Player
Join Date: Sep 2005
Age: 32
Posts: 4,245
|
Re: In honour of LulzSec: Post IT security problems and fixes
I've only heard of MySQLi, and from what I've seen when I briefly Googled it, it's a part of PHP. I guess I should look into it since it's apparently superior, although I'm not sure why. Should look that up too. On the other hand I've heard it's buggy when taking in long queries and PDO is better. I'm more of a tried-and-true sort of person. Unless it offers solid advantages it probably won't really pique my interest.
Last edited by fido123; 06-10-2011 at 07:04 PM.. |
06-10-2011, 11:28 PM | #13 | |
FFR Simfile Author
|
Re: In honour of LulzSec: Post IT security problems and fixes
Quote:
Just watch out for 'second-level SQL injection attacks', which is where a stored procedure puts data into the database that is later used in dynamic SQL. Even though the original procedure is safe, the second one still isn't.
|
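Three posts in this thread deal with the same bug: point 1 of the opening post (arbitrary SQL reaching the database), post #11 (parameterized queries with mysqli_prepare as the easier fix) and post #13 (second-level injection, where data that was stored safely is later pasted into dynamic SQL). The following is an added example, not code from any of those posters. It uses Python's built-in sqlite3 module rather than PHP/MySQL, but the three cases are the ones the thread describes; the schema, the table and function names and the payload strings are constructed for the illustration.

```python
import sqlite3

# Added example (not the thread's own code). Python sqlite3 stands in for
# PHP/MySQL; the "?" placeholder plays the role of mysqli_prepare's bound
# parameter. Three cases: (1) query built by string concatenation, (2) the
# same query with a bound parameter, (3) second-level injection, where a
# value is inserted safely and then read back into a dynamic query.

# Constructed schema and rows for the demonstration.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER DEFAULT 0);
CREATE TABLE ratings (user_name TEXT, score INTEGER);
INSERT INTO users (name, is_admin) VALUES ('alice', 1), ('bob', 0);
INSERT INTO ratings VALUES ('alice', 5), ('bob', 3);
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def find_user_vulnerable(conn, name):
    # (1) The user's input becomes part of the SQL text. Any quote in it
    # ends the string literal and the rest is executed as code.
    sql = "SELECT name, is_admin FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # (2) Bound parameter: the value is handed to the engine separately from
    # the statement text, so it can only ever be compared as a string.
    return conn.execute(
        "SELECT name, is_admin FROM users WHERE name = ?", (name,)
    ).fetchall()


def register_user(conn, name):
    # Parameterized insert: safe on its own, and it happily stores a name
    # that contains quotes and SQL keywords. That is the whole point of the
    # second-level case below.
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    conn.commit()


def ratings_for_vulnerable(conn, user_id):
    # (3) Second-level injection. The id is bound correctly, but the name
    # read back from the database is trusted and concatenated. "Came from the
    # database" does not mean "came from us".
    (name,) = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    sql = "SELECT score FROM ratings WHERE user_name = '" + name + "'"
    return conn.execute(sql).fetchall()


def ratings_for_safe(conn, user_id):
    # Same lookup, but the stored name is bound too, so it is only data.
    (name,) = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return conn.execute(
        "SELECT score FROM ratings WHERE user_name = ?", (name,)
    ).fetchall()
```

Running this with a name of `' OR '1'='1` returns every user from the vulnerable lookup and nothing from the safe one. Registering a user called `' UNION SELECT is_admin FROM users--` succeeds (the insert is parameterized), and the vulnerable ratings lookup for that user then returns the `is_admin` column of a different table, which is the second-level case post #13 warns about: the fix is to bind every value on every query, not just the one that first receives the input.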
06-12-2011, 04:12 PM | #14 |
new hand moves = dab
Join Date: Dec 2002
Location: he/they
Age: 33
Posts: 10,094
|
Re: In honour of LulzSec: Post IT security problems and fixes
excellent read, tyvm patashu
|