Thread: Security

  1. #1
    Join Date
    Jan 2005
    Location
    California
    Posts
    254

    Security

    Alright so I'm curious, how can people hack into someone else's website? Granted, I'm not asking so that I can find out so I can do it, I'm trying to make my programs more secure.. but it seems that if you have a login system that is linked to a database where it checks for username and md5 hashing passworded matches, how can someone get into that?

  2. #2
    Join Date
    Jan 2005
    Location
    California
    Posts
    254

    Getting Into Security

    So I've become curious about internet, server and scripting security and I'm wondering where to start. Where should I begin in learning how to make systems, programs and websites more secure?

  3. #3
    Join Date
    Nov 2005
    Location
    BC, Canada
    Posts
    773
    You can take a look at www.packetstormsecurity.org for various tools on testing your server security, as well as viewing recent security advisories.
    || Higher Intellect || Half a million documents and climbing.
    || CupidClick Dating || Just for Canadians.

  4. #4
    Join Date
    Apr 2003
    Location
    UK
    Posts
    2,560
a better thing to do would be to add yourself to mailing lists such as bugtraq, infosec and the like. Also vendor lists. Try to understand each report, what the fix was, why it was an issue etc.

if you want to go into more depth, both technical and theory (because security, as anyone will tell you, is layered, not just a firewall and the latest daemon), I have a list of books that are v. good. You could do a lot worse than some of Bruce Schneier's books (not Applied Cryptography, a bit too specialised!) on security.

take a look at securityfocus.com, there are a lot of good articles, as well as an assortment of mailing lists that you might find interesting. The only other thing I could say is 'don't throw anything away'. Keep all advisories, emails on security, bookmarks and code tidbits etc. You never know when you might need them down the line.

  5. #5
    Join Date
    May 2003
    Location
    Heartland, USA
    Posts
    733
    Oh my... There's just so much to say here! Others will have way more to add, but for starters read up on such things as:
    * SQL Injection
    * Cross-Site Scripting
    * EMail Header Injection
    You've got to accentuate the positive; Eliminate the negative
    Latch on to the affirmative; Don't mess with Mister In-Between

    -Bob
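To make the first of those three items concrete for the login system described in the opening post (a username lookup against an md5 password hash), here is an added example that is not from any poster in this thread. It uses an in-memory SQLite table with one constructed user, and puts a query built by string concatenation next to the parameterised version of the same check. Names such as `login_vulnerable` and `login_safe` are assumptions for the sake of the example.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed stand-in for the site's user table (in-memory, one account)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pwhash TEXT)")
    # The thread's scheme: store md5(password). Kept here only to mirror the
    # post; a slow, salted hash (bcrypt/scrypt/argon2) is what to use today.
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("alice", hashlib.md5(b"correct horse").hexdigest()),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Query text is assembled from user input, so input can change the SQL.

    A username containing a quote and a comment marker ends the string
    literal early and discards the password comparison entirely.
    """
    pwhash = hashlib.md5(password.encode()).hexdigest()
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND pwhash = '" + pwhash + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Parameterised query: the driver passes values separately from the SQL
    text, so whatever the user types is compared as data, never parsed as SQL."""
    pwhash = hashlib.md5(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND pwhash = ?",
        (username, pwhash),
    ).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = make_db()
    # Legitimate login works either way.
    print("vulnerable, good creds:", login_vulnerable(db, "alice", "correct horse"))
    print("safe, good creds:      ", login_safe(db, "alice", "correct horse"))
    # Input that closes the quote and comments out the rest of the WHERE clause.
    crafted = "alice' --"
    print("vulnerable, crafted user, wrong pw:", login_vulnerable(db, crafted, "nope"))
    print("safe, crafted user, wrong pw:      ", login_safe(db, crafted, "nope"))
```

The point to take from it: the md5 comparison is never reached in the concatenated version, because the attacker controls the query's structure rather than just a value in it. Parameterised queries (or prepared statements in PHP's mysqli/PDO) close that class of bug regardless of how strong the hash is.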

  6. #6
    Join Date
    Jan 2005
    Location
    Baghdad, Iraq
    Posts
    172
    This article may interest you: http://www.zend.com/zend/art/art-oertli.php
    If in any chance you decided to read a book about this, I recommend you:
    Secure PHP Development: Building 50 Practical Applications
    The Dream is the blueprint of success, the hope is the budget and hard working is the achievement

  7. #7
    Join Date
    Nov 2005
    Location
    BC, Canada
    Posts
    773
    All the way down to weak password attacks for a user's account and then sniffing for any passwords sent plain text. SSH scans, buffer overflows on outdated services, the list goes on.

  8. #8
    Join Date
    Jul 2003
    Location
    Kuwait
    Posts
    5,099
    What you should try to do is patch up your code against known, common vulnerabilities. The point should be to make it so difficult for someone to hack into your site, that they give up. This will discourage 99% of the attackers, because they usually hack as the opportunity arises, not out of spite or hate. If someone is determined to get into your site, there is little you can do as far as coding goes.

Think about it, if you are one person writing a script, there is only so much you can do to prevent attacks. Even large organizations that dedicate entire teams of programmers to security tasks have vulnerabilities show up.

Some people find out known vulnerabilities in software. Let's say a new security bulletin comes out that xyz script has a vulnerability. The developer releases a patch to fix this vulnerability. Any "hacker" can google for version numbers of the scripts (which, by the way, are almost always in the source code of the footer) and then find all those sites that are not patched, and exploit the known vulnerability (this happens a lot with bulletin board software).
    In order to understand recursion, one must first understand recursion.
    If you feel like it, you can read my blog
    Signal > Noise

  9. #9
    Join Date
    Oct 2004
    Location
    Southwest UK
    Posts
    1,159
    Another source to discover more about webserver security is mod_security. Once you've seen the kind of rules and features it applies, you'll have a much better understanding of what kind of attacks you might encounter, and how they work.

    Otherwise, just start with google and follow some links

  10. #10
    Join Date
    Jan 2005
    Location
    California
    Posts
    254
Thanks for all the links, even though this thread is really old I just got back to check it.

    My next question is, not only website security but web server and general all around security. I want to become fluent not only in programming security, but overall network security so that I can have more broad specialties to work with.

    Any suggestions as to where I should go to look into network, programming, and server security?

  11. #11
    Join Date
    Jul 2005
    Posts
    77
    Again, those are very broad topics... but the main things that pop in mind is setting up a firewall ala ipf, iptables, ipfw, etc... As well as making sure that no services are running and listening for connections that don't absolutely need to be there for your purpose. Also tweaking SSH to use a different port and disallow direct root login (su from another user instead). But the list goes on and on...

    Also, http://www.securityfocus.com/ has some nice articles and tutorials on securing your services such as MySQL, Apache, PHP and so on.
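The SSH hardening points in the post above (a non-default port, no direct root login) are the kind of thing worth checking mechanically rather than by eye. The following is an added example, not code from any poster here: a small audit of an sshd_config text that reports the settings the post calls out, plus password authentication since it goes hand in hand with them. The config excerpt is constructed for the example, and the function names are assumptions. It relies on one real sshd behaviour: for a keyword that appears more than once, the first value wins, so the parser keeps the first occurrence.

```python
# Constructed sshd_config excerpt, not copied from any real host.
SAMPLE_SSHD_CONFIG = """\
# Example: a mostly default daemon with root login switched on
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
"""

# A hardened excerpt for comparison (also constructed).
HARDENED_SSHD_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""


def parse_sshd_config(text):
    """Return {keyword.lower(): value} for active lines, first occurrence wins
    (that is how sshd itself resolves repeated keywords)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out line
        key, _, value = line.partition(" ")
        settings.setdefault(key.lower(), value.strip())
    return settings


def audit_sshd(text):
    """List findings for the settings this thread recommends changing.

    Defaults assumed where a keyword is absent match OpenSSH's documented
    defaults: Port 22, PermitRootLogin prohibit-password, PasswordAuthentication yes.
    """
    s = parse_sshd_config(text)
    findings = []
    if s.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes: root can log in directly; "
                        "set it to no and su/sudo from an unprivileged account")
    if s.get("port", "22") == "22":
        findings.append("Port 22: default port; moving it cuts scanner noise "
                        "in the logs but is not a substitute for the other fixes")
    if s.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication yes: passwords can be guessed "
                        "remotely; prefer key-based authentication only")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name + ":")
        for f in audit_sshd(cfg) or ["no findings"]:
            print("  -", f)
```

Run it against the real file with something like `audit_sshd(open("/etc/ssh/sshd_config").read())`; the same loop structure extends naturally to the other daemons the post mentions, which is the "make sure nothing is listening that doesn't need to be" check in code form.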

  12. #12
    Join Date
    Sep 2005
    Location
    Sheffield, UK
    Posts
    782
Sorry to bump up this old topic, but I felt it may benefit a few security concerning people

    I recently purchased a book through amazon called `Essential PHP Security` - another O'Reilly book

    For anybody needing help securing PHP scripts, this book is the best - it explains everything from remote accessing via scripts to SQL Injections...highly recommended!
    WHSuite - Billing, Automation and Client Management Software.

  13. #13
    Join Date
    Oct 2004
    Location
    Kerala, India
    Posts
    4,750
    Thanks for sharing man!!
