Full Disclosure mailing list archives

Re: Absolute Sownage (A concise history of recent Sony hacks)


From: mrx <mrx () propergander org uk>
Date: Fri, 10 Jun 2011 22:43:04 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/06/2011 20:24, Jeffrey Walton wrote:
A nice recap of the Sony malfunction by Security Curmudgeon from the
Dataloss Database (http://www.http://datalossdb.org/):

http://attrition.org/security/rants/sony_aka_sownage.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Jeffrey,

Thanks for the links.

I am surprised that a corporation with the resources of Sony can be hacked so easily.
It is somewhat frightening, and I wonder just how many other large corporations storing millions of users' information are also open to such breaches.

Is this a result of an inadequate security policy or inadequate implementation of a sound security policy?


I have recently developed my first PHP web application. It is not live yet; it's still under test. I have no control over the hosting for the application, only the code itself.

I am certainly not confident enough to store sensitive information in the database behind the application. Fortunately the site does not require such information to be submitted by the user. However, there is a login, and user names and passwords are stored in order for the user to post comments/reviews of products. The password data is salted and hashed. As many people use the same password for different sites, compromise of my application could potentially lead to access to other logins for other services. I cannot compromise my application myself, but do I think it is secure? No. I haven't the experience in this field to make such a statement, nor do I believe it to be so.

I have openly admitted to this list that I am an infosec noob, and wasn't everyone reading this list one at some point?

I am a little frightened that my web app will be owned and user credentials exposed. I have read much on SQL injection, XSS, remote execution, session hijacking etc. I only think I have all bases covered; I am not 100% sure. Is there a definitive text/book/white paper on such matters, and if so could someone please let me know where I can find it?

Finally, would someone care to help me by attempting to compromise my application and letting me know where it fails once it does go live? I cannot afford to hire a skilled pentester. I will happily place an acknowledgement and thanks on the site, and a link should you so wish.

I know that I could just post a message here saying something like "Hey, I'm a noob and I just made my first commercial PHP website" and place it behind Honeywall. The blackhats that read this list would likely jump at the chance to turn it into a phishing site. I like to think I am an honest person; I am an honest person, that's why I am not rich.


regards
Dave


- -- 
Mankind's systems are white sticks tapping walls.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-----END PGP SIGNATURE-----


