As more and more members of anon and it’s various security ventures are getting outted by various law enforcement agencies I would love to know if you think the members will be doing in 5 years time.
It wouldn’t surprise me if at least some of them land some pretty good IT security jobs as a result.
Would you hire someone from LulzSec? Answer in the comments please.
Some arse seemingly managed to get hold of my FTP password for this site and put some dodgy Javascript into the index.php file. I have completely re-installed WordPress (I had to do an update anyway) and have changed all my related credentials.
My most sincere apologies to anyone who may have been sent somewhere as a result of visiting this site in the past few days and my genuine gratitude to the kind people who reported the issue.
Recently a couple of non-technical friends and family members have been asking me securing Facebook more than just locking down who can see what.
The best way I know of to achieve a more secure Facebook is to do the following:
That is it! 5 steps to a more secure Facebook.
The first thing you tick, use https:// basically means that information that goes from your computer to Facebook will be jumbled up so if any ‘hacker’ type person will have a hard time reading it. (Without it ticked it is surprising easily to get Facebook logins from a Wireless network!)
The second thing you tick, to email you when a new computer logs in essentially means that each time you log into your account from a new computer (one that Facebook hasn’t seen before) it will ask you to give your computer a name. I just use things like ‘TobyMac’ or ‘TobyLaptop’. Once you do this you get two pretty awesome things.
The first is an email. So if someone hacks into your account from their machine you will know about it immediately.
The second thing is you can access a list of who has been on your account (from the different computers), you can get this by going to your Account Security again.
Hopefully this makes sense, is easy to do and will keep you more secure!
If you found this useful please email or Facebook this link around -> http://bit.ly/h8rB8x
The OWASP is a free and open security community based project that provides an absolute wealth of knowledge, tools and papers to help anyone involved in designing, developing, deploying or supporting a web application to insure security is built in from the ground up and that the overall product is as secure as it can be.
Because it is so free and open you can visit the site right now and check out some of the really cool things like;
All for free, literally thousands of hours worth of work from some of the top security professionals in the world, available completely for free. It is brilliant, and why the internet is just a great place to work.
OWASP is split into localised chapters, with new ones popping up all the time. My local chapter would be the Dublin based one (so I use the term local very very loosely, I even have to take out crazy fake money when I go down there!).
Again, you can join chapters for free, this gives you access to mailing lists and free talks that get put on as regularly as can be organised. In my opinion anyone who gives half a crap about the security of the web applications they are creating should be attending these talks as often as they can. I mean it is free, you are getting free security advise from professionals who have proven their chops many times over.
The other thing you can do, and the real point of my post, is that you can become a paid supporter. This costs a minimum of $50, which I think is more than fair for the amount of excellent information available on their site alone (ignoring the talks organised by chapters), in fact, I say more than fair – I have spent more on ale in an evening, and I am willing to bet you have chucked away more than $50 on lesser causes before.
By rights the $50 should just get you the nice feeling of knowing you have contributed to an excellent cause, but it doesn’t end there, OWASP is such an awesome project that occasionally there will be extra talks or training sessions put on for paid up members by way of a thank you. That is just bloody awesome, to get to talk to some of the top security professionals in the world or to get trained by them, $50 is a steal.
Sign up now. (or do what I did and ask your company to sign you up!)
This is my first in a series of 9 posts dealing with PHP Security, my plan is to cover some of the broad topics associated with certain aspects of developing secure PHP applications in plain English.
Whilst I will be providing examples throughout I will not labour on certain points, I will however attempt to provide many sources that you can use to read up more on the various topics.
For this post I want to talk about some general PHP setup Gotchas that you might want to look out for. There is a tendancy amongst some people (especially if they haven’t had to install PHP) to assume that the default setting that their hosts provided them is the most secure. There are three things wrong with thinking like that.
You should always check out your Apache/MySQL/PHP settings on any new server.
The first setting you should be looking up in php.ini is register_globals and making sure it is set to 0. This is the default setting but it is worth having a quick look because this little blighter could get you into a world of trouble (if you are a bad coder).
The reason I say if you are a bad coder is because there is nothing inherently wrong with having it turned on but if your code isn’t tight enough then having register_globals on can let people type something like…
http://yoursite.com/page.php?newVar=h@xx0r
This newVar variable is now set in your code, it doesn’t take a security expert to realise what crap that could land you in.
If you don’t have access to the php.ini file on your server you can include that parameter in your .htaccess file that should be located in the root of your web folder. The line you would need to add is..
php_flag register_globals on
Whilst it is best practice to turn them off in order to try and keep your code a little less vulnerable you should really be turning on Error Reporting to point you in the right direction from time to time, which leads me very nicely onto my next heading…
Error Reporting is concerned with what errors PHP will record, where it will store them, and if it will display them. There are essentially four settings we should be concerning ourselves with, like with register_globals these can be set in php.ini, in a .htaccess file or in your php code.
*E_ALL in basically means report everything, E_STRICT means be damned strict about it, errors and warnings alike will be picked up by PHP.
** Obviously your logs shouldn’t be anywhere close to being inside the www folder, error notifications could really help a potential hacker.
You can set up your own error handling within PHP, but my suggestion would be use a framework to do this for you, only roll your own if you are confident in your abilities because if there is an error in your error handler, well…
You could write a small book on how to securely set up a server, and of course by the time you have written it the tips will be obsolete. I will leave this post here with those 2 categories for now because these are the main ones that keep cropping up when people mention PHP setup and Security.
When I start writing my next post (entitled Forms and Filtering) there will be a lot more content to get your teeth into, because if you can write bullet proof code your app should be able to stand up on all but the most flaky of server setups!
If you thought this post was in any way useful, please share it amongst others who you think would also benifit.
Written by 
