Full Disclosure mailing list archives
Re: Absolute Sownage (A concise history of recent Sony hacks)
From: mrx <mrx () propergander org uk>
Date: Fri, 10 Jun 2011 22:43:04 +0100
On 10/06/2011 20:24, Jeffrey Walton wrote:

> A nice recap of the Sony malfunction by Security Curmudgeon from the Dataloss Database (http://www.http://datalossdb.org/): http://attrition.org/security/rants/sony_aka_sownage.html
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

Jeffrey,

Thanks for the links. I am surprised that a corporation with the resources of Sony can be hacked so easily. It is somewhat frightening, and I wonder just how many other large corporations storing millions of users' information are also open to such breaches. Is this a result of an inadequate security policy or inadequate implementation of a sound security policy?

I have recently developed my first PHP web application. It is not live yet; it's still under test. I have no control over the hosting for the application, only the code itself. I am certainly not confident enough to store sensitive information in the database behind the application. Fortunately the site does not require such information to be submitted by the user. However, there is a login, and user names and passwords are stored in order for the user to post comments/reviews of products. The password data is salted and hashed. As many people use the same password for different sites, compromise of my application could potentially lead to access to other logins for other services.

I cannot compromise my application myself, but do I think it is secure? No. I haven't the experience in this field to make such a statement, nor do I believe it to be so. I have openly admitted to this list that I am an infosec noob, and wasn't everyone reading this list at some point? I am a little frightened that my web app will be owned and user credentials exposed. I have read much on SQL injection, XSS, remote execution, session hijacking etc. I only think I have all bases covered; I am not 100% sure. Is there a definitive text/book/white paper on such matters, and if so, could someone please let me know where I can find it?

Finally, would someone care to help me by attempting to compromise my application and letting me know where it fails once it goes live? I cannot afford to hire a skilled pentester. I will happily place an acknowledgement and thanks on the site, and a link should you so wish.

I know that I could just post a message here saying something like "Hey, I'm a noob and I just made my first commercial PHP website" and place it behind Honeywall. The blackhats that read this list would likely jump at the chance to turn it into a phishing site. I like to think I am an honest person; I am an honest person, that's why I am not rich.

regards
Dave

- --
Mankind's systems are white sticks tapping walls.