Old 06-8-2011, 09:15 AM   #1
Patashu
FFR Simfile Author
Retired StaffFFR Simfile Author
 
 
Join Date: Apr 2006
Location: we traced the call...it's coming from inside the house
Age: 33
Posts: 8,609
Default In honour of LulzSec: Post IT security problems and fixes

0) Your password is hopelessly insecure.
Why this is bad: A computer can test every 6 character long password in a matter of minutes. Computers are only getting faster and botnets bigger. Also, you use the same password for every site you go to because your memory is bad, so cracked once = cracked everywhere.
Solution: An IP should be locked out after X number of failed password guessing attempts.
That won't protect you, though, if you (or a company's admin!) uses the same password on a site without such protection. The only solution is to use a different password per page - try having a 'master' password that you modify subtly based on the name (but not the whole name) of the website. This way it's easy for you to remember but a program testing cracked passwords on every site it can won't figure it out.
More secure are 'keychain' programs which produce high complexity passwords for every site you go to, and permit you access to this keychain with the 'master password' that you memorize. This way stealing your password on one site is useless. Try https://lastpass.com/ or http://keepass.info/

0.5) Your password is still insecure, even after that salted MD5 database of passwords is leaked.
Why this is bad: Even if it's salted so you can't use a rainbow table (do people still use those?) a computer can try every possibility until it works, because most passwords are short and come out of the dictionary with minor modifications on the end.
Solution: Use bcrypt. http://codahale.com/how-to-safely-store-a-password/ Why bcrypt and not MD5 or SHA-256? Because bcrypt has a 'work factor' - the higher the work factor, the longer it takes to hash. Meaning that a brute force password guesser will now take years for one password, but a legitimate user won't even notice the difference.

1) SQL injection lets arbitrary SQL get executed on your database.
Why this is bad: The hacker can now retrieve the contents of every table, drop every table, query system parameters to find out more about the software and what it's running on, etc.
Solution: mysql_real_escape_string. http://php.net/manual/en/function.my...ape-string.php
If you're sending a number, however, check that it's composed entirely of 0-9s.
Finally, why not just use stored procedures? They have a pre computed query plan so they'll run faster, they explicitly separate code from data by parametrization.

2) XSS vulnerabilities can let a user upload javascript code and have it be executed as part of the page by the next user to access it.
Why this is bad: If you can get an admin to execute the code you now have admin privileges. Failing that, you can always mass steal session cookies and impersonate users.
Solution: Not easy. Refer to https://www.owasp.org/index.php/XSS_...on_Cheat_Sheet

3) Cookies, passwords and other information you transmit over a wireless connection can be intercepted by other people in the area
Why this is bad: There's a plugin for Firefox called Firesheep that automatically notifies you when it picks up other people's cookies! Stealing people's sessions has never been easier.
Solution: Only use https:// to connect to sites that you care about or just read a book while you're sitting in the airport. For most people this won't matter because it's difficult to mass mine people's passwords

4) Devices on a company network will respond to all pings and TCP connections by default.
Why this is bad: A hacker could do a scan of IP addresses and ports in your network, finding out not just what you have on the network but if they find even one service with a known vulnerability it can be leveraged to do more damage. It's not worth the risk.
Solution: Set up access control lists either on the routers or on the firewall to prevent all IP traffic and ports except the ones that need to be open to the internet. Network address translation can be used to allow devices on the network to only be accessed when they start the session.

5) Users can travel to webpages you didn't expect or send parameters you didn't expect by altering the URL/the source code of a page which sends a form.
Why this is bad: If you forget to sanity check parameters, your users can send bizarre results. For a while on the site www.epicmafia.com you could use Google Chrome to edit a page letting you rate a user up or down - normally by 1 or -1, but if you change it to 100000 or -100000 then it worked!
Webpages can be vulnerable in two ways - they can directly represent actions, which when used will perform the action whether you wanted it to or not (e.g. on www.furaffinity.net you could trick an admin into deleting an image because it was a simple URL) or it can contain content you're not supposed to access as a normal user. ps these sites are coded REALLY badly
Solution: Always, always assume data you receive from the user is untrustworthy and sanity check it.
URLs that modify the state in some way (like deleting an image) should either be impossible to predict by someone who isn't you or rely on hidden parameters so it's not as easily spoofed.
Your web server program, like Apache, can forbid access to web pages that aren't meant to be publicly viewable.
I'm not as certain about this kind of vulnerability, so someone with more experience might be able to correct me here, but I definitely know this is a problem

6) Social engineering: An employee can be conned into giving out a working password to a high privilege account to someone pretending to be a member of the company.
Why this is bad: All the security in the world won't help you if you'll give out admin access to anyone.
Solution: Security policies and vetting I guess, what's the usual tactic?
__________________
Patashu makes Chiptunes in Famitracker:
http://soundcloud.com/patashu/8bit-progressive-metal-fading-world
http://img.photobucket.com/albums/v216/Mechadragon/smallpackbanner.png
Best non-AAAs: ERx8 v2 (14-1-0-4), Hajnal (3-0-0-0), RunnyMorning (8-0-0-4), Xeno-Flow (1-0-0-3), Blue Rose (35-2-0-20), Ketsarku (14-0-0-0), Silence (1-0-0-0), Lolo (14-1-0-1)
http://i231.photobucket.com/albums/ee301/xiaoven/solorulzsig.png

Last edited by Patashu; 06-8-2011 at 09:21 AM..
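Added example, not part of the original post: a sketch of the salted, work-factor hashing that item 0.5 recommends. Python's standard library has no bcrypt, so PBKDF2-HMAC-SHA256 stands in for it here, with the iteration count playing the role of bcrypt's work factor; the record format and `CURRENT_ITERATIONS` value are assumptions made for this example.

```python
import hashlib
import hmac
import os
import time

# Stand-in for bcrypt: PBKDF2-HMAC-SHA256 from the standard library.
# The iteration count plays the role of bcrypt's work factor.
CURRENT_ITERATIONS = 200_000  # assumed policy value for this example


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return 'iterations$salt_hex$digest_hex' using a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    iterations_s, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations_s)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored: str) -> bool:
    """True when the record was created with a lower cost than current policy."""
    return int(stored.split("$", 1)[0]) < CURRENT_ITERATIONS


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure what a single guess costs at a given work factor."""
    salt = b"\x00" * 16  # fixed salt is acceptable for timing only
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"guess", salt, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    record = hash_password("correct horse")  # constructed sample password
    print("right password:", verify_password("correct horse", record))
    print("wrong password:", verify_password("wrong", record))
    fast = seconds_per_guess(1)
    slow = seconds_per_guess(CURRENT_ITERATIONS)
    print(f"per guess: {fast:.6f}s at cost 1, {slow:.3f}s at cost {CURRENT_ITERATIONS}")
```

Storing the cost inside each record is what lets a site raise the work factor later and upgrade old hashes at the user's next successful login.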
Old 06-8-2011, 10:21 AM   #2
Mans0n
Sun and Stars
FFR Music ProducerFFR Veteran
 
 
Join Date: Sep 2006
Location: Central Californ.i.a.
Age: 29
Posts: 2,907
Default Re: In honour of LulzSec: Post IT security problems and fixes

coooooooooool
__________________
http://www.facebook.com/?ref=logo#!/Br0wnbread



Check out my band profile and give it a like! :P
Old 06-8-2011, 10:37 AM   #3
perkeyone
FFR Player
 
 
Join Date: Dec 2005
Age: 34
Posts: 240
Default Re: In honour of LulzSec: Post IT security problems and fixes

great article on xss.
my boss and i were just talking about that.

also what do you think of blowfish encryption?
like the one you mentioned, it is intentionally time intensive, making brute force attacks much more time consuming.

Last edited by perkeyone; 06-8-2011 at 10:41 AM..
Old 06-8-2011, 05:20 PM   #4
PsYcHoZeRoSk8eR
Network Security Analyst
FFR Simfile AuthorFFR Veteran
 
 
Join Date: May 2004
Location: ɥɔʇɐdı sʞuɐɥʇ
Age: 36
Posts: 5,183
Default Re: In honour of LulzSec: Post IT security problems and fixes

While this is a good write-up, it can at best be described as a beginner's guide to basic security. I love the fact that someone, other than me, has taken the time to attempt to warn some people on this site about security. Security is a topic that I have been studying and working with for years and I still consider myself a beginner with these topics. Granted, this is compared to the people at the top of my chosen profession and not compared to most normal people.

There are quite a few good tips here, some that I've been following for years. Some of these things are not easy nor simple to do, but really make it that much harder for someone to "hack" you. Now, I'm using hack very loosely because depending on how your computer is set up you might just be giving this sort of information out, but that is for another topic. To be honest, the majority of "security breaches" are not from the newest and coolest hacks, but the ones that have been around for years and even decades that exploit the simplest things that users just don't take the time to fix. I won't go into details, but I work in the Network Security industry, and this is the majority of what we see and have to help fix.

I'll be honest, I don't do everything listed here, but at the same time I know and fully understand all of the risks that are associated with what I do. If you are confused or do not fully understand one of these terms or concepts I highly suggest you do a little research and after doing some research ask some questions. I am inclined to try to help answer any questions, but I really suggest going out and doing some research before posting anything that could easily be answered with a simple search.
__________________

Quote:
Originally Posted by Lightdarkness
I'm light f**king darkness
Old 06-8-2011, 05:35 PM   #5
fido123
FFR Player
 
 
Join Date: Sep 2005
Age: 32
Posts: 4,245
Default Re: In honour of LulzSec: Post IT security problems and fixes

Funny this topic was made now because I've just started a personal project learning how to hack as retarded as that sounds. Was at the book store looking to pick up a new book for a personal project and leafed through some book about exploitation and it looked really interesting so I got it. I've learnt so far that no matter what you do you will never have absolute security. Binary executables can be translated into assembly language, and assuming you know the basic processor architecture the binary file was made to run on, you can manipulate the **** out of it, and even find passwords. Encrypted passwords can always be decrypted in time. Packets can have spoofed headers to manipulate protocols or connections. Kinda getting scared I'm specializing in security now.

I've only just started getting into this stuff so excuse me if I'm misunderstanding any of it.

Last edited by fido123; 06-8-2011 at 06:23 PM..
Old 06-8-2011, 06:41 PM   #6
Reincarnate
x'); DROP TABLE FFR;--
Retired StaffFFR Veteran
 
 
Join Date: Nov 2010
Posts: 6,332
Default Re: In honour of LulzSec: Post IT security problems and fixes

Go try your hand at hackthissite -- last time I was there I completed everything that was available, but I haven't been back since. Was a fun site
Old 06-8-2011, 06:54 PM   #7
AsphyxZero
Banned
FFR Veteran
 
Join Date: Oct 2010
Location: Las Vegas
Age: 33
Posts: 1,823
Default Re: In honour of LulzSec: Post IT security problems and fixes

I've been there a couple of times, but never tried any of the exercises. Might go back and test myself though
Old 06-8-2011, 08:16 PM   #8
Patashu
FFR Simfile Author
Retired StaffFFR Simfile Author
 
 
Join Date: Apr 2006
Location: we traced the call...it's coming from inside the house
Age: 33
Posts: 8,609
Default Re: In honour of LulzSec: Post IT security problems and fixes

Quote:
Originally Posted by perkeyone
great article on xss.
my boss and i were just talking about that.

also what do you think of blowfish encryption?
like the one you mentioned, it is intentionally time intensive, making brute force attacks much more time consuming.
bcrypt IS blowfish encryption but used to hash

Quote:
Go try your hand at hackthissite -- last time I was there I completed everything that was available, but I haven't been back since. Was a fun site
sounds awesome, I'll try it in the future

Quote:
Funny this topic was made now because I've just started a personal project learning how to hack as retarded as that sounds. Was at the book store looking to pick up a new book for a personal project and leafed through some book about exploitation and it looked really interesting so I got it. I've learnt so far that no matter what you do you will never have absolute security. Binary executables can be translated into assembly language, and assuming you know the basic processor architecture the binary file was made to run on, you can manipulate the **** out of it, and even find passwords. Encrypted passwords can always be decrypted in time. Packets can have spoofed headers to manipulate protocols or connections. Kinda getting scared I'm specializing in security now.

I've only just started getting into this stuff so excuse me if I'm misunderstanding any of it.
if you have physical access to it you can do anything you want with it given enough resources. (every smartphone can be rooted, every password can have every possible combination tested with nothing to lock you out, et cetera. though brute forcing things like AES and RSA keys is still impossible). anything a game sends as netcode to a server can be spoofed by an altered copy of the game, so you can only have multiplayer security by having a very strong model of what the player can do when and why and only allowing actions that match that model, for instance. every game where the server blindly does what the client says inevitably gets hackers (terraria, minecraft, realm of the mad god, phantasy star online...)

however if it's on the other side of the internet you can only do to it what you can send over the net (or what you can con employees there into doing for you) which is fundamentally limited. if there are no security holes in that then the site is secure (as if you could prove that!)

Quote:
There are quite a few good tips here, some that I've been following for years. Some of these things are not easy nor simple to do, but really make it that much harder for someone to "hack" you. Now, I'm using hack very loosely because depending on how your computer is set up you might just be giving this sort of information out, but that is for another topic. To be honest, the majority of "security breaches" are not from the newest and coolest hacks, but the ones that have been around for years and even decades that exploit the simplest things that users just don't take the time to fix. I won't go into details, but I work in the Network Security industry, and this is the majority of what we see and have to help fix.
yeah, most hacks attempted will be easy basic kinds, pioneers in the area don't care about you unless you're the pentagon.
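Added example, not part of the original posts: server-side checking of a client-supplied action, covering both the ±1 rating case from item 5 of the first post and the "only allow actions that match the model" point made above. The `RatingService` class, its field names and the HMAC-bound action token are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)  # per-deployment key, never sent to clients
ALLOWED_DELTAS = {-1, 1}                 # the only votes the server's model permits


def action_token(session_id: str, action: str, target: str) -> str:
    """Token bound to one session, action and target; unguessable without the key."""
    msg = "\x00".join((session_id, action, target)).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


class RatingService:
    def __init__(self):
        self.scores = {}    # target user -> score
        self.voted = set()  # (voter, target) pairs already counted

    def rate(self, session_id: str, voter: str, params: dict) -> str:
        """Apply a vote only if every client-supplied field matches the model."""
        target = str(params.get("target", ""))
        token = str(params.get("token", ""))
        try:
            delta = int(params.get("delta", ""))
        except (TypeError, ValueError):
            return "rejected: delta is not an integer"
        if delta not in ALLOWED_DELTAS:
            return "rejected: delta out of range"
        if not target or target == voter:
            return "rejected: bad target"
        expected = action_token(session_id, "rate", target)
        if not hmac.compare_digest(expected.encode(), token.encode()):
            return "rejected: bad token"
        if (voter, target) in self.voted:
            return "rejected: already voted"
        self.voted.add((voter, target))
        self.scores[target] = self.scores.get(target, 0) + delta
        return "ok"


if __name__ == "__main__":
    svc = RatingService()
    tok = action_token("sess-1", "rate", "bob")  # constructed sample session
    # Constructed requests: an edited form value, then the legitimate vote.
    print(svc.rate("sess-1", "alice", {"target": "bob", "delta": "100000", "token": tok}))
    print(svc.rate("sess-1", "alice", {"target": "bob", "delta": "1", "token": tok}))
    print(svc.scores)
```

Because the token is derived from the session, a link or form prepared for one user does nothing when another session submits it.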
Old 06-9-2011, 12:07 AM   #9
MrGiggles
Senior Member
FFR Veteran
 
 
Join Date: Aug 2005
Location: Skaia
Age: 22
Posts: 2,846
Default Re: In honour of LulzSec: Post IT security problems and fixes

oops this thread looks awesome but **** me if I'm going to try and read it all right now while I'm tired.

Hang on, lemme get the IRC logs between LulzSec and that one whitehat dude, those are hilarious brb

http://lulzsecurity.com/releases/***...0STATEMENT.txt edit: lmfao ffr censored the link those asterisks should be 'fuck'
http://lulzsecurity.com/releases/Karim%20IRC%20log.txt
__________________

Last edited by MrGiggles; 06-9-2011 at 12:52 AM..
Old 06-9-2011, 12:40 AM   #10
perkeyone
FFR Player
 
 
Join Date: Dec 2005
Age: 34
Posts: 240
Default Re: In honour of LulzSec: Post IT security problems and fixes

Quote:
Originally Posted by Patashu
bcrypt IS blowfish encryption but used to hash
oh, derp, i was considering looking bcrypt up but i was getting ready for work.
Old 06-10-2011, 06:55 PM   #11
Charlo
FFR Player
 
 
Join Date: Oct 2005
Location: Wisconsin
Posts: 199
Default Re: In honour of LulzSec: Post IT security problems and fixes

Another way to get around SQL injection in PHP is to use mysqli parameterized queries (with mysqli_prepare). It's similar to stored procedures in that the query is pre-computed. It's easier than running mysql_real_escape_string on every bit of input you receive.
__________________
Check out Guessthatalbum.com for a fun music-related game.

I make metal files for keyboard players! Check them out at:
Old 06-10-2011, 06:58 PM   #12
fido123
FFR Player
 
 
Join Date: Sep 2005
Age: 32
Posts: 4,245
Default Re: In honour of LulzSec: Post IT security problems and fixes

I've only heard of MySQLi and from what I've seen when I briefly googled it it's a part of PHP. I guess I should look into it since it's apparently superior although I'm not sure why. Should look that up too. On the other hand I've heard it's buggy when taking in long queries and PDO is better. I'm more of a tried and true sort of person. Unless it offers solid advantages it probably won't really pique my interests.

Last edited by fido123; 06-10-2011 at 07:04 PM..
Old 06-10-2011, 11:28 PM   #13
Patashu
FFR Simfile Author
Retired StaffFFR Simfile Author
 
 
Join Date: Apr 2006
Location: we traced the call...it's coming from inside the house
Age: 33
Posts: 8,609
Default Re: In honour of LulzSec: Post IT security problems and fixes

Quote:
Originally Posted by Charlo
Another way to get around SQL injection in PHP is to use mysqli parameterized queries (with mysqli_prepare). It's similar to stored procedures in that the query is pre-computed. It's easier than running mysql_real_escape_string on every bit of input you receive.
Yeah, anything like stored procedures that makes an explicit distinction between code and data should be OK

Just watch out for 'second level sql injection attacks' which is where a stored procedure puts data into the database that is later used in dynamic sql. even though the original procedure is safe the second one still isn't
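Added example, not part of the original posts: the parameterized-query advice and the "second level" injection caveat from the two posts above, shown side by side. Python's built-in `sqlite3` stands in for the PHP/MySQL stack the thread discusses; the table layout, function names and sample rows are constructed for this sketch.

```python
import sqlite3


def setup():
    """In-memory database standing in for the MySQL server in the thread."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT);"
        "CREATE TABLE notes(owner TEXT, body TEXT);"
    )
    return db


def register(db, name):
    # First step is safe: the name is bound as data and stored verbatim.
    return db.execute("INSERT INTO users(name) VALUES (?)", (name,)).lastrowid


def stored_name(db, user_id):
    row = db.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0]


def notes_unsafe(db, user_id):
    # Second step trusts the value because it came from the database and
    # splices it into dynamic SQL, where its quote characters become syntax.
    name = stored_name(db, user_id)
    return db.execute(f"SELECT body FROM notes WHERE owner = '{name}'").fetchall()


def notes_safe(db, user_id):
    # Same lookup with the stored value bound as a parameter again.
    name = stored_name(db, user_id)
    return db.execute("SELECT body FROM notes WHERE owner = ?", (name,)).fetchall()


def demo():
    db = setup()
    alice = register(db, "alice")
    db.execute("INSERT INTO notes VALUES (?, ?)", ("alice", "alice's private note"))
    # Constructed sample: a display name containing SQL metacharacters.
    odd = register(db, "x' OR '1'='1")
    return {
        "stored_verbatim": stored_name(db, odd),
        "unsafe": notes_unsafe(db, odd),
        "safe": notes_safe(db, odd),
        "alice_safe": notes_safe(db, alice),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The safe insert does not sanitize the value, it only stores it faithfully, so every later query that touches it has to bind it as a parameter as well.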
Old 06-12-2011, 04:12 PM   #14
dAnceguy117
new hand moves = dab
FFR Simfile AuthorFFR Veteran
 
 
Join Date: Dec 2002
Location: he/they
Age: 33
Posts: 10,094
Default Re: In honour of LulzSec: Post IT security problems and fixes

excellent read, tyvm patashu