Posts Tagged ‘hacking’

How not to advertise for a PHP programming job

Wednesday, October 28th, 2009

So I got an email today about a job in Tower Hill (that's central London). The job came with a simple programming test: write a script that parses a tab-separated file and produces a batch script as its output. They kindly provided a working copy of their own solution on their website so you could validate the output of your code against it.

If I were going to advertise a job for my company and provide an online example of my own code, I'd make darn sure that the link I sent a prospective employee to wasn't vulnerable to Cross Site Scripting attacks (unless, of course, the sole purpose of my online code was to find someone who knew what an XSS flaw was). Eeek. Worse still, as their script seemed to accept either GET or POST variables as input (they were probably checking $_REQUEST rather than $_POST or $_GET in their code), it was possible to craft a link that injected HTML straight into their website.

[Screenshot of the flaw, with 'Cheese!!' being injected into the page]

You can mitigate the threat from these types of attacks by properly sanitizing your variables before they are displayed. If the value is going into an HTML page and you are expecting an integer, intval might be a good function to use; if it's a text field, you might try htmlentities. If any data is going into a database then you need to be using mysql_escape_string on all of your variables.
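To make the above concrete, here is an added example of my own (not the company's script from the job test) showing the same "read a parameter, echo it into the page" pattern twice: once the way the post describes it, reading $_REQUEST and echoing the raw value, and once hardened. The hardened version uses htmlspecialchars for the text field, filter_var with FILTER_VALIDATE_INT instead of intval so that a non-integer is rejected rather than silently coerced, and PDO prepared statements in place of mysql_escape_string, which was deprecated and removed in PHP 7. The function names, the users table and the use of an in-memory SQLite database (which assumes the pdo_sqlite extension is present) are all my own choices for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not the original site's code. Vulnerable and hardened
// renderers side by side, plus a parameterised database lookup.

// --- Vulnerable form: mirrors what the post describes. Accepting $_REQUEST
// means the value can arrive via a crafted GET link as easily as via POST,
// and echoing it unencoded lets any markup in the parameter become part of
// the page.
function render_vulnerable(array $request): string
{
    $name = $request['name'] ?? '';
    return '<p>Hello, ' . $name . '</p>';
}

// --- Hardened form: read only the array you intend (pass $_POST, not
// $_REQUEST), validate typed values, and encode anything interpolated into
// HTML. Note that encoding is what actually stops the XSS; restricting to
// POST only removes the "send someone a link" delivery route.
function render_hardened(array $post): string
{
    // Text field: encode for an HTML context. ENT_QUOTES also encodes single
    // quotes, which matters if the value ever lands inside an attribute.
    $name = htmlspecialchars((string) ($post['name'] ?? ''), ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Integer field: validate rather than coerce. filter_var returns false
    // for anything that is not an integer in range, so we can reject it.
    $count = filter_var(
        $post['count'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]
    );
    if ($count === false) {
        return '<p>Invalid count</p>';
    }

    return "<p>Hello, {$name}, you have {$count} items</p>";
}

// --- Database side: bind parameters so the value is never spliced into the
// SQL text, which is what the escaping functions were trying to approximate.
// The users table is hypothetical and created here for the demonstration.
function find_user(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed input of the same shape as the injection in the screenshot:
// "Cheese!!" wrapped in markup, plus a script tag to make the point.
$attack = [
    'name'  => '<b>Cheese!!</b><script>alert(1)</script>',
    'count' => '3',
];

echo render_vulnerable($attack), PHP_EOL;
echo render_hardened($attack), PHP_EOL;
echo render_hardened(['name' => 'Alice', 'count' => '3abc']), PHP_EOL;

// Parameterised lookup against an in-memory SQLite database (assumes the
// pdo_sqlite extension is loaded). The quote in the search value is passed
// as data, so it cannot terminate the SQL string.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

var_dump(find_user($pdo, 'alice'));
var_dump(find_user($pdo, "' OR 1=1 --"));
```

Run with `php example.php`. The vulnerable renderer emits the `<b>` and `<script>` tags verbatim, so a browser would interpret them; the hardened renderer emits them as `&lt;b&gt;`, `&lt;script&gt;` and so on, which the browser shows as literal text, and the `3abc` count is refused rather than being turned into 3 the way intval would. The second find_user call returns null because the quote and comment characters are bound as a plain string value.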

As I've not alerted the company to the flaw, I won't post the URL to the exploit. Luckily the page in question can't be found in Google's index. I wonder if anyone else will notice…

Mitigating the insider threat

Thursday, June 25th, 2009

If you look at the number of hacking incidents that have been reported, 58% are known or suspected to have come from outsiders, 27% from insiders, and 15% from an unknown origin.

That is to say, it is the very employees of an organisation who are responsible for about 30% of overall hacks. Disgruntled employees, in particular system administrators, are in a prime position to sabotage their former businesses, and with the onset of the recession the number who might be tempted to take data with them (or, even worse, cripple the system) when they leave is ever increasing.

The threat from insiders is far more dangerous than that of an external hacker – insiders know how the system works and are in an excellent position to cause chaos and then expertly cover their tracks.

What can we do? Well, if you do have to make someone redundant or need to fire them – make sure they don't see it coming, so they have no time to prepare and no time to retaliate. While they are in the boss's office hearing the news you need to be disabling their user account and all of their access to the system. If you don't do this then you risk a major security breach.

In an ideal world each user should only have access to the data that they need in order to do their job. Other controls, such as two-person control, should also be in place for important tasks such as moving money or making external payments. System administrators should review each other's logs on a regular basis to ensure nothing untoward is occurring.

The insider threat is very real and cannot afford to be dismissed.