
Re: [Full-disclosure] Absolute Sownage (A concise history of recent Sony hacks)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/06/2011 20:24, Jeffrey Walton wrote:
> An nice recap of the Sony malfunction by Security Curmudgeon from the
> Dataloss Database (http://datalossdb.org/):
> 
> http://attrition.org/security/rants/sony_aka_sownage.html
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 

Jeffrey,

Thanks for the links.

I am surprised that a corporation with the resources of Sony can be hacked so 
easily.
It is somewhat frightening and I wonder just how many other large 
corporations storing millions of users' information are also open to such
breaches.

Is this a result of an inadequate security policy or inadequate implementation 
of a sound security policy?


I have recently developed my first php web application, it is not live yet, 
it's still under test. I have no control over the hosting for the
application, only the code itself.

I am certainly not confident enough to store sensitive information in the 
database behind the application. Fortunately the site does not require
such information to be submitted by the user. However, there is a login and 
user names and passwords are stored in order for the user to post
comments/reviews of products. The password data is salted and hashed. As many 
people use the same password for different sites compromise of my
application could potentially lead to access of other logins for other 
services. I cannot compromise my application myself, but do I think it is
secure? No. I haven't the experience in this field to make such a statement nor 
believe it to be so.

I have openly admitted to this list that I am an infosec noob and wasn't everyone 
one reading this list at some point?

I am a little frightened that my web app will be owned and user credentials 
exposed. I have read much on SQL injection, XSS, remote execution,
session hijacking etc. I only think I have all bases covered, I am not 100% 
sure. Is there a definitive text/book/white paper on such matters
and if so could someone please let me know where I can find this?

Finally would someone care to help me by attempting to compromise my 
application and letting me know where it fails once it goes live. I
cannot afford to hire a skilled pentester. I will happily place an 
acknowledgement and thanks on the site and a link should you so wish.

I know that I could just post a message here saying something like "Hey I'm a 
noob and I just made my first commercial php website" and place it
behind Honeywall. The blackhats that read this list would likely jump at the 
chance to turn it into a phishing site. I like to think I am an
honest person, I am an honest person, that's why I am not rich.


regards
Dave


- -- 
Mankind's systems are white sticks tapping walls.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEVAwUBTfKP6LIvn8UFHWSmAQI3rAf/WvabnornVDcjb0vPr+CD0vdRZA6gMsxj
ma0Z8hs/5OCuDVjXruW1207h9lmUbHcXKaHBmFE35PX/JS9ADbrZ7cpVI+W2fHT9
L3cSwSwNLfSLZX9AF+WVltUiUaG3oXtEtYZdOEE6sTK7BY2iFFeVM0sUPEyqO8jz
UEco6mjFd+1zjDXpHHK1xdOAa8RrKv3VpxEdMdPWjadFEy3oxCysZrSnd6eOWdv/
9nkYsyoMbwV/RX3wjmawT8/yKtPK/x91U/VBvrMb2dasumoniA34F4JW1cIcOsjg
y3wPp2Hko1lYKgfdEY9RyFN9ifp77SAhyQu1uYbbe0OEFwTgTbPSNA==
=gV+A
-----END PGP SIGNATURE-----
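Dave describes storing salted, hashed passwords for a PHP login and worries about SQL injection. The following is an added example, not Dave's code or anything from the thread, showing how both points are handled in modern PHP: password_hash()/password_verify() (PHP 5.5 and later; in 2011 the equivalent was crypt() with CRYPT_BLOWFISH) for a per-user salted, deliberately slow bcrypt hash, and a PDO prepared statement so the username can never become part of the SQL. The `users` table, its column names, the in-memory SQLite database and the sample credentials are all constructed for the example.

```php
<?php
// Added example (not the original poster's code): salted, slow password
// hashing plus parameterised login lookup in PHP. Needs PHP 7.1+ for the
// nullable return type; the hashing functions need PHP 5.5+.
declare(strict_types=1);

// Constructed schema. In-memory SQLite keeps the example self-contained;
// swap the DSN for the real database. Table/column names are assumptions.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password_hash TEXT NOT NULL
)');

// bcrypt work factor; raise it as hardware gets faster.
const HASH_COST = 12;

/**
 * Register a user. password_hash() generates a random per-user salt and
 * embeds salt, algorithm and cost in the returned string, so no separate
 * salt column is needed. The plaintext password is never stored.
 */
function register_user(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT, ['cost' => HASH_COST]);
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password_hash) VALUES (:u, :h)'
    );
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

/**
 * Check a login attempt. Returns the user id on success, null on failure.
 * The username is bound as a parameter, never interpolated into the SQL,
 * so "dave' OR '1'='1" is just a username that does not exist.
 */
function check_login(PDO $pdo, string $username, string $password): ?int
{
    // Dummy hash computed once, so an unknown username costs the same
    // time as a wrong password and does not reveal which accounts exist.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_DEFAULT, ['cost' => HASH_COST]);
    }

    $stmt = $pdo->prepare(
        'SELECT id, password_hash FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($password, $dummy);
        return null;
    }
    if (!password_verify($password, $row['password_hash'])) {
        return null;
    }

    // Transparently upgrade hashes made with an older cost or algorithm,
    // which is the one moment the plaintext is available to rehash.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT, ['cost' => HASH_COST])) {
        $new = password_hash($password, PASSWORD_DEFAULT, ['cost' => HASH_COST]);
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => $new, ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

// Usage with constructed sample credentials.
register_user($pdo, 'dave', 'correct horse battery staple');
var_dump(check_login($pdo, 'dave', 'correct horse battery staple'));
var_dump(check_login($pdo, 'dave', 'wrong password'));
var_dump(check_login($pdo, "dave' OR '1'='1", 'anything'));
```

The first check_login() call succeeds and the other two return null: the wrong password fails password_verify(), and the injection-shaped username is looked up literally and matches no row. Because the salt and cost live inside the stored hash string, two users with the same password get different hashes, so a leaked table cannot be attacked with a single precomputed dictionary, and each guess costs a full bcrypt computation.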
