Date: Fri, 10 Jun 2011 22:43:04 +0100
From: mrx <mrx@...pergander.org.uk>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Absolute Sownage (A concise history of recent Sony hacks)

On 10/06/2011 20:24, Jeffrey Walton wrote:
> A nice recap of the Sony malfunction by Security Curmudgeon from the
> Dataloss Database (http://www.http://datalossdb.org/):
> 
> http://attrition.org/security/rants/sony_aka_sownage.html

Jeffrey,

Thanks for the links.

I am surprised that a corporation with the resources of Sony can be hacked so easily.
It is somewhat frightening, and I wonder just how many other large corporations storing millions of users' information are also open to such breaches.

Is this a result of an inadequate security policy or inadequate implementation of a sound security policy?


I have recently developed my first PHP web application; it is not live yet, it's still under test. I have no control over the hosting for the application, only the code itself.

I am certainly not confident enough to store sensitive information in the database behind the application. Fortunately the site does not require such information to be submitted by the user. However, there is a login, and user names and passwords are stored in order for the user to post comments/reviews of products. The password data is salted and hashed. As many people use the same password for different sites, compromise of my application could potentially lead to access of other logins for other services. I cannot compromise my application myself, but do I think it is secure? No. I haven't the experience in this field to make such a statement, nor believe it to be so.

I have openly admitted to this list that I am an infosec noob, and wasn't everyone reading this list at some point?

I am a little frightened that my web app will be owned and user credentials exposed. I have read much on SQL injection, XSS, remote execution, session hijacking etc. I only think I have all bases covered; I am not 100% sure. Is there a definitive text/book/white paper on such matters, and if so could someone please let me know where I can find this?

Finally, would someone care to help me by attempting to compromise my application and letting me know where it fails once it goes live? I cannot afford to hire a skilled pentester. I will happily place an acknowledgement and thanks on the site, and a link should you so wish.

I know that I could just post a message here saying something like "Hey I'm a noob and I just made my first commercial PHP website" and place it behind Honeywall. The blackhats that read this list would likely jump at the chance to turn it into a phishing site. I like to think I am an honest person. I am an honest person; that's why I am not rich.


regards
Dave


-- 
Mankind's systems are white sticks tapping walls.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
