
One who knows neither the enemy nor himself, will invariably be defeated in every engagement.

Sun Tzu
 

Protect Yourself


In the Beginning

In the beginning, the Net was somewhat secure only because it was physically secure: a limited number of individuals had access to computers that had internet access.

The internet is inherently unsecure right down to its foundation. Can you name one protocol that is truly secure? So get used to it. Here's why:

  • TCP is open to DoS, i.e. SYN floods, Smurf attacks, WinNuke. All those ports, literally thousands of them, just waiting to be cracked. Why do you think firewalls are programmed to only allow specific ports?

    To see how scary things are, go and check the summary of open ports.

  • TCP can be spoofed although it is difficult. UDP is much more easily spoofed.
  • TFTP (port 69) does not require any user authentication - so shut it down. The only experience where I've used it for good is to upload firmware patches to switches like Nortel's Alteon AceDirector and SSL Accelerator. Crackers like to use TFTP to download their remote control software such as DameWare or one of the many VNC forks. Just search SourceForge. I fell prey to this years ago when I was a newbie.
  • The net is a stateless environment, therefore session hijacking is going to occur.

All I'm hoping for is that I haven't ticked off anyone who is a hacker or, even worse, a cracker with the knowledge or friends who can deface my site (Top Defacers) or, even worse, take me down.

Doing business on the internet is not a cheap proposition. It's no different than having a physical store front: very capital intensive. If you're going to do business on the internet then here are the must-haves in terms of hardware.

  • Firewall
  • Intrusion Prevention - forget about Intrusion Detection; IPSes are ready for prime time, at a cost of course!
  • Virus Protection
  • SSL Accelerator
  • BACKUPS that work!!

The Ten Immutable Laws of Security

They are:

  • If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
  • If a bad guy can alter the operating system on your computer, it's not your computer anymore.
  • If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
  • If you allow a bad guy to upload programs to your Web site, it's not your Web site any more.
  • Weak passwords trump strong security.
  • A machine is only as secure as the administrator is trustworthy.
  • Encrypted data is only as secure as the decryption key.
  • An out-of-date virus scanner is only marginally better than no virus scanner at all.
  • Absolute anonymity isn't practical, in real life or on the Web.
  • Technology is not a panacea.
Scott Culp, Microsoft's Security Response Center Manager, The Ten Immutable Laws of Security

OS Religious Wars

First off, I'm not going to get into the OS religious wars over whether Linux or UNIX is more secure than Windows. Well, OK, Windows is less secure. BUT the main reason IMHO is the pure volume of third party software that is totally suspect. Basically any OS that becomes popular will become a target. True Black Hats are probably tired of busting into Windows. And as long as there is software, there are going to be security issues - so keep informed about patches and patch your systems. This is easier said than done unfortunately.

The Realities

And what's something else that takes 20 minutes?

Oh, that's how long your average unprotected PC running Windows XP will last once it's connected to the Internet ... before it's compromised and effectively 0\/\/n3d.

The SANS Institute tries to help by offering a free download of a great little 1.2 MB PDF wonderfully titled, "Windows XP: Surviving the First Day" (makes XP sound like a communicable disease, doesn't it? "Mrs. Jones, I'm sorry to inform you, but we've run the tests, and it appears that you have XP. Now don't cry - it's bad, but it's not a death sentence. Modern science has advanced in recent years, and it's now possible to live a reasonably happy life with XP. And there's a survivor's group that you'll want to meet as well.").

Scott Granneman, Infected In Twenty Minutes - August 19, 2004

eBay is fighting to repair a software glitch that opens the door to phishing attacks using one of its own legitimate URLs.

The number of phishing threats aimed at the company have "exploded" over the last year or so, Durzy noted. He has indicated his belief that the problem is not likely to slow down anytime soon.

Matt Hines, News.com - March 4, 2005

  1. Spam and Viruses
  2. Adware/Spyware
  3. Comment Spam/Link Spam
  4. DNS Hacking
  5. Phishing
  6. Click Fraud
Fred, Internet Axis of Evil - March 5, 2005

Tips

  • Disable your networking before connecting to the internet. Why? Well, it will give you some quiet time to check for rogue programs/processes!!!
  • If you can't afford the hundreds of dollars for all of the specialized pieces of security software, then go and get tested online.
  • If you're using a router, you should use WallWatcher to monitor your router logs.
  • You can submit your Zone Alarm logs to DShield to perform the analysis for you!!!

Web Development Vulnerabilities

As a web developer, you know the security risk. The best defense is acknowledging the risk and defending against it. Always validate URL, form and even session vars for junk such as code injection. The killer is obviously injected SQL! Well, if you don't have a library of functions or classes, start with the Open Web Application Security Project (OWASP). I've been using PHP Filters. Make sure you read A Guide to Building Secure Web Applications and Web Services. Sure it's 295 pages, but well worth the read. There's also a whack of other apps, articles and presentations.

OWASP Top Ten Most Critical Web Application Security Vulnerabilities!

Vulnerability - Description

Unvalidated Input - Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack backend components through a web application.
Broken Access Control - Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorized functions.
Broken Authentication and Session Management - Account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users' identities.
Cross Site Scripting (XSS) Flaws - The web application can be used as a mechanism to transport an attack to an end user's browser. A successful attack can disclose the end user's session token, attack the local machine, or spoof content to fool the user.
Buffer Overflows - Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and web application server components.
Injection Flaws - Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application.
Improper Error Handling - Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.
Insecure Storage - Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.
Denial of Service - Attackers can consume web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail.
Insecure Configuration Management - Having a strong server configuration standard is critical to a secure web application. These servers have many configuration options that affect security and are not secure out of the box.

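
The "validate, then never let the value become SQL" advice from the Web Development Vulnerabilities paragraph and the Unvalidated Input and Injection Flaws rows above, as an added example in Python's standard library. This is not code from this site, OWASP or PHP Filters; sqlite3 stands in for whatever database the site uses, and the users table, the username rule and the junk input are constructed for the demo. The vulnerable lookup pastes the request value into the SQL text; the safe one whitelists the value and binds it as a parameter.

```python
"""Added example (not from the dragonCrew page or OWASP): validating request
input and using parameterized queries so that junk in a URL or form variable
cannot become SQL. Standard library only; table and inputs are constructed."""
import re
import sqlite3

# Whitelist rule for a username taken from a URL, form or session var (assumed).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_username(raw):
    """Return the value if it is well-formed, otherwise None."""
    if isinstance(raw, str) and USERNAME_RE.fullmatch(raw):
        return raw
    return None


def make_db():
    """Constructed in-memory table standing in for the site's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"),
                      ("bob", "bob@example.com")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The mistake: the request value is pasted straight into the SQL text,
    so the database parses whatever the visitor typed as part of the query."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """The fix: validate first, then bind the value as a parameter so the
    database only ever sees it as data."""
    clean = validate_username(name)
    if clean is None:
        return []  # reject junk outright instead of trying to clean it
    return [row[0] for row in conn.execute(
        "SELECT email FROM users WHERE name = ?", (clean,))]


if __name__ == "__main__":
    db = make_db()
    junk = "x' OR '1'='1"   # constructed example of junk in a form field
    print("vulnerable:", lookup_vulnerable(db, junk))  # returns every email
    print("safe:", lookup_safe(db, junk))              # []
    print("safe:", lookup_safe(db, "alice"))           # ['alice@example.com']
```

The point of rejecting rather than "cleaning" is that a whitelist is easy to reason about, while an escaping routine has to be right for every quoting rule of every database and every place the value is later used.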
Keylogger Hacks

The biggest problem with keyloggers, which silently relay data to attackers, is that they often go undetected, easily slipping past firewalls and antivirus software, iDefense, a division of VeriSign, said.

"There are so many victims because so few know the risk or the early warning signs, " Joe Payne, vice president of VeriSign iDefense Security Intelligence Services, said in a statement. "You simply can't stop what you can't see. "

iDefense said keyloggers are typically spread by organized cybercrime rings, which have used them in the past to conduct large-scale money transfers to fund criminal activities. The programs have grown exponentially since 2001, when the firm detected just 275 of them.

Alorie Gilbert, CNET, Keystroke spying on the rise - November 15, 2005

Freeware!

Here are some great FREE software programs to protect your online experience.

Software - Type - Comments

MyPlanetSoft Anti Keylogger - Anti Keylogger - The world's smallest fully functional anti keylogger. Deactivates all existing system-wide keyloggers. Absolutely free. A Must Have!
Process Explorer - Process Viewer - Process Explorer shows you information about which handles and DLLs processes have opened or loaded.
WinPatrol - Intrusion Prevention and Detection - WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. You'll be removing dangerous new programs while others download new reference files.
Zone Alarm - Firewall - Systematically identifies hackers and blocks access attempts and automatically makes your computer invisible to anyone on the Internet.
avast! 4 Home Edition - Antivirus - Read How Good are Free Security Programs?
Ad-Aware - Spyware - Ad-Aware Personal provides advanced protection from known data-mining, aggressive advertising, Trojans, dialers, malware, browser hijackers, and tracking components.
Spybot Search & Destroy - Spyware - Another excellent tool to help get rid of and prevent spyware from infesting your computer. Catches stuff that Ad-Aware doesn't!
HijackThis - Spyware - HijackThis scans your computer for anything that might attach itself to your computer & browser (IE) - good and bad things. Use some discretion and decide what's good and what's bad.
SafeXP - Utility - Safe XP allows users to quickly tweak various security and privacy related settings in XP.
AxCrypt - File Encryption - Free Personal Privacy and Security for Windows 98/ME/NT/2K/XP with AES-128 File Encryption, Compression and transparent Decrypt and Open in the original application.

Kiddie Hack Attempts

Here are some kiddie 101 attempts on dragonCrew.com.

Software - Attempt - Comments

phpMyAdmin - /phpmyadmin/index.php - Trying to get access to my database. hehe!
phpMyAdmin - /phpmyadmin/main.php - Trying to get access to my database. hehe!
? - /admin - Trying to access any number of off-the-shelf open source apps, i.e. phpBB2, phpBugTracker, CMS or Blog admin.
MS Media Services - nsiislog.dll - Microsoft Windows Media Services NSIISlog.DLL Remote Buffer Overflow Vulnerability. As if. Obviously the guy didn't know how to find out what OS my hoster is using.
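
One way to spot these probes in your own access logs, added here as an example and not something from the dragonCrew site: a small Python scanner that parses Common Log Format lines and matches the request paths from the table above, then lists hosts that tripped more than one signature. The log lines, IP addresses (RFC 5737 documentation ranges) and signature labels are constructed for the demo.

```python
"""Added example (not from the dragonCrew page): scanning web server access
logs for the kiddie probes listed in the table. Log lines are constructed."""
import re
from collections import Counter

# Common Log Format: host ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# Lowercase substrings of the request path, keyed to what the probe is after.
PROBE_SIGNATURES = {
    "/phpmyadmin/": "phpMyAdmin console",
    "/admin": "generic admin console (phpBB2, CMS, blog)",
    "nsiislog.dll": "Windows Media Services NSIISlog.DLL",
}


def classify(path):
    """Return the signature label matched by a request path, or None."""
    low = path.lower()
    for needle, label in PROBE_SIGNATURES.items():
        if needle in low:
            return label
    return None


def parse_line(line):
    """Parse one CLF line into a dict of fields, or None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_probes(lines):
    """Return (host, path, status, label) for every request matching a probe
    signature; lines that do not parse are skipped rather than crashing."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec["path"])
        if label:
            hits.append((rec["host"], rec["path"], int(rec["status"]), label))
    return hits


def noisy_hosts(hits, threshold=2):
    """Hosts that tripped at least `threshold` signatures: candidates for a
    firewall rule or a closer look at the rest of their requests."""
    counts = Counter(h[0] for h in hits)
    return sorted(h for h, n in counts.items() if n >= threshold)


SAMPLE_LOG = [   # constructed lines, RFC 5737 documentation addresses
    '203.0.113.5 - - [10/Nov/2005:03:14:07 +0000] "GET /phpmyadmin/index.php HTTP/1.0" 404 211',
    '203.0.113.5 - - [10/Nov/2005:03:14:09 +0000] "GET /phpmyadmin/main.php HTTP/1.0" 404 211',
    '198.51.100.7 - - [10/Nov/2005:03:20:41 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.9 - - [10/Nov/2005:04:01:00 +0000] "GET /admin HTTP/1.1" 404 211',
    '192.0.2.44 - - [10/Nov/2005:04:05:13 +0000] "POST /scripts/nsiislog.dll HTTP/1.0" 404 211',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    found = find_probes(SAMPLE_LOG)
    for host, path, status, label in found:
        print(f"{host:<14} {status} {path:<28} -> {label}")
    print("repeat offenders:", noisy_hosts(found))
```

Because the matching is on the request path rather than the response code, the scanner still reports a probe that happened to hit a 200; on a real log that is exactly the line worth reading first.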

Pharming Attacks

Pharming used to be associated with redirecting requests by hijacking DNS, but now it has morphed into hijacking Web browsers' address bars to redirect users to bogus Web sites.

According to Gartner, between May 2004 and May 2005, roughly 1.2 million U.S. computer users suffered phishing losses valued at $929 million.

Pharming is the redirecting of an individual's Web request to another location. For example, if an individual with an infected computer conducts online business with a specific bank, that person will type the bank link into the address bar, but will be redirected to a designated phishing site that looks very similar to the authentic site but is, in fact, fraudulent. Because the individual did not click on any obscure link, the site will appear to be legitimate.
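
An added example, not from this page or the sources it quotes: one well-known way an infected PC gets redirected without the user clicking anything is an edited local hosts file that pins the bank's hostname to an address the attacker controls. The Python check below parses a hosts file and flags any watched domain that is not being left to real DNS. The hosts text, the watched domain names and the addresses are all constructed for the demo.

```python
"""Added example (not from the dragonCrew page): checking a hosts file for
entries that silently redirect a well-known site. Hosts text is constructed."""
import ipaddress

# Names you would expect to resolve through real DNS, never via the hosts
# file (constructed for the demo; a real list would hold your bank, mail, etc.).
WATCHED_DOMAINS = {"bank.example", "www.bank.example", "ebay.example"}

# Names a hosts file legitimately defines on every machine.
LOCAL_NAMES = {"localhost", "broadcasthost"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments,
    blank lines and lines whose first field is not an IP address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not an address
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Flag every watched domain pinned to a non-loopback address: a watched
    name should not appear in the hosts file at all, and pinning it somewhere
    routable is the classic pharming edit."""
    flagged = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES or ip.is_loopback:
            continue   # the normal localhost lines
        if name in watched:
            flagged.append((name, str(ip)))
    return flagged


SAMPLE_HOSTS = """\
# constructed hosts file for the demo
127.0.0.1       localhost
::1             localhost
192.168.1.10    printer.lan          # LAN device, fine
203.0.113.66    www.bank.example     # pinned away from real DNS: pharming
203.0.113.66    bank.example
"""

if __name__ == "__main__":
    for name, ip in suspicious_entries(SAMPLE_HOSTS):
        print(f"WARNING: {name} pinned to {ip}")
```

On Windows XP the file lives at %SystemRoot%\system32\drivers\etc\hosts and on Unix at /etc/hosts; feeding either file's text to suspicious_entries() is the whole check, and a clean machine returns an empty list.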

Online fraud cost merchants $2.6 billion in 2004, an increase of $700 million from 2003, according to a survey conducted by CyberSource Corporation. Approximately two percent of all online sales are fraudulent.

Dying to be Cracked!

In what the NCSA calls "one of the largest and most comprehensive in-home studies" ever conducted, the group found Americans woefully under-protected when they go online.

The survey found that the majority of consumers think they are safe online but lack basic protections against viruses, spyware, hackers and other threats. It also concluded that "large majorities of home computers" are infected and remain highly vulnerable to future infections.

In addition, 67 percent of home users do not have current antivirus software installed on their computers while 15 percent stated they have no antivirus protection at all.

Firewalls? Three in five users (58 percent) said they don't know the difference between a firewall and anti-virus protection. Not surprisingly, 67 percent do not have any firewall protection at all.

Wireless? Almost two in five (38 percent) leave their connections completely open.

Roy Mark, Congress Raises Cyber Security Awareness - October 18, 2005

Articles

Article - Status - Description

How-to: Determine if a server is hacked - Article - This guide is going to focus on getting hacked via a php injection attack which is the most common today. There are certainly others but chances are if the server has been compromised by a script kiddie you will be able to find it via this guide.

Site Security

I see programming mistakes that illustrate an utter lack of concern for security. They are ugly mistakes that are far too prevalent. If you have any of the issues mentioned below in your own web application, it's time to sit down with your developers and have a chat. If these mistakes are being made, dig deeper. You may not like what you see, but it's better that you uncover the problems than leave them to be discovered by someone else. For each of the signs listed below, take a look at the included examples for public evidence of just how widespread the problem is.

  • Exposed Usage statistics
  • Copies of backup files
  • Your site shows up on a "Wall of Shame"
  • Browseable directories
  • Login credentials passed over clear text
  • Outdated SSL certificates
  • Vulnerable third party applications
  • Verbose error messages
  • Developer comments in source code
  • You've been defaced!
Michael Sutton, Top 10 Signs You Have an Insecure Web App - November 6, 2006
 
