One thing that really irks me is when people publish security vulnerabilities they discover without publishing the fix. Doing so only benefits the hacker (most specifically, the script kiddie) community, begging the question, “which side are you on?” Whenever I discover a vulnerability or exploit, I make it a point to first and foremost contact the vendor (or group responsible if it is not a commercial product) and then only announce the exploit after a fix is available (if then). Not enlisting vendor support or at the very least describing how a vulnerability can be patched does not help users of that software unless they are savvy enough to figure out the fix on their own. One such example is the announcement of a SQL injection vulnerability in Zen-Cart <= 1.2.6d.

Here is how to fix it:
Continue reading…

Essential PHP Security a Must Read

Chris Shiflett’s latest book, Essential PHP Security, should be required reading for all PHP professionals. It is the necessary antidote to the common misperception that PHP applications fall short on security. With sparkling clarity, Chris demystifies dozens of attacks and provides both solid theoretical and practical bases for coding securely in PHP. Throughout his work as a PHP security consultant, and culminating in this book, Chris has defined the lexicon for web security — telling us precisely what it means to filter input, and precisely what it means to escape output — as well as when, how and why. This is nothing short of a seminal work on web application security as it applies specifically to PHP. I intend to make it required reading in my department, and recommend it highly to colleagues in other companies developing web applications in PHP.
Continue reading…

High Security on Mac/Linux Using GPG and a ThumbDrive

Using the free Gnu Privacy Guard and a USB thumb drive (which are often given away as promotional items and should be available for under $10 in small storage capacities), you can implement a strong (AES) encryption system to protect sensitive files on your computer. The process divides the means of decrypting sensitive data into three distinct components:

  • the encrypted file(s) — on your computer
  • the private key needed to decrypt the files — on your thumb drive
  • the password required in combination with the private key to decrypt files — in your head

The process is simple and affords a great degree of security to your encrypted files, because all three components must be assembled to decrypt the data — a difficult task for a laptop thief or even a nosy coworker to accomplish, especially if you remove your thumb drive from your computer when you are not using it.
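The three-way split above, carried out with stock GnuPG, as an added example that is not part of the original post. It assumes a gpg 2.1 or later binary on the PATH, uses a temporary directory to stand in for both the computer and the mounted thumb drive (in real use, point `--homedir` at the drive, e.g. a `.gnupg` directory on the USB volume), and uses a constructed sample passphrase in place of the one you keep in your head.

```shell
#!/bin/sh
set -eu

gpg_split_demo() {
    work=$(mktemp -d)                  # stands in for "the computer"
    thumb="$work/thumb/.gnupg"         # stands in for the thumb drive's keyring (assumed path)
    empty="$work/empty"                # a keyring with no keys, used in step 4
    mkdir -p "$thumb" "$empty" && chmod 700 "$thumb" "$empty"
    pass='correct horse battery staple'    # constructed sample passphrase, not a real one
    printf 'payroll: secret\n' > "$work/secret.txt"

    # 1. Generate the keypair directly into the thumb-drive keyring. The private key
    #    is itself locked with the passphrase, so keyring AND passphrase are needed.
    gpg --homedir "$thumb" --batch --quiet --pinentry-mode loopback \
        --passphrase "$pass" --quick-generate-key 'demo <demo@example.invalid>' \
        default default never

    # 2. Encrypt the file; GnuPG protects the data with an AES256 session key and
    #    wraps that key to the public key, so only the public half is used here.
    gpg --homedir "$thumb" --batch --quiet --trust-model always --cipher-algo AES256 \
        -r demo@example.invalid -o "$work/secret.txt.gpg" -e "$work/secret.txt"
    rm "$work/secret.txt"              # only the ciphertext stays on the computer

    # 3. Decrypt: ciphertext (computer) + keyring (thumb drive) + passphrase (head).
    gpg --homedir "$thumb" --batch --quiet --pinentry-mode loopback --passphrase "$pass" \
        -o "$work/recovered.txt" -d "$work/secret.txt.gpg"
    [ "$(cat "$work/recovered.txt")" = 'payroll: secret' ] || return 1
    gpgconf --homedir "$thumb" --kill gpg-agent 2>/dev/null || true

    # 4. "Pull the thumb drive": against a keyring without the private key, the same
    #    ciphertext stays unreadable even with the correct passphrase, which is what
    #    protects the files on a stolen laptop.
    if gpg --homedir "$empty" --batch --quiet --pinentry-mode loopback \
           --passphrase "$pass" -o /dev/null -d "$work/secret.txt.gpg" 2>/dev/null; then
        return 1                       # must not succeed without the key
    fi
    gpgconf --homedir "$empty" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return 0
}
```

Step 4 is the check worth repeating on a real setup: unplug the drive and confirm `gpg -d` fails before trusting the arrangement.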

Continue reading…

Essential PHP Security Coming Soon

Chris Shiflett announced over the weekend that Essential PHP Security is due out next month. This is great news, not only for Chris (who has been hard at work for some time) but also for the PHP community, which will finally have what looks like a concise, accurate, actionable guide to one of PHP’s hottest topics: security. I have already preordered my copy from Amazon, and with free shipping it comes to just $27 and should arrive by November 12th. The countdown begins.

Scamming Back

The BBC released an interesting article about a group called 419 Eater that is baiting and harassing perpetrators of 419 (aka “Nigerian Bank”) scams. From their code of ethics (which really is a FAQ), it seems the group aims to waste the time and resources of fraudsters while having fun stringing them along by their greed. This ostensibly is why the baiters do not consider the “sport” a waste of their own time, since they enjoy seeing how ludicrous a story the fraudsters will buy, and how demeaning a photo they can get the fraudsters to send in of themselves. While I can understand the frustration of anyone stung by an Internet scam (yes, I still capitalize that word — but that’s another post) I still feel that Internet vigilantism of any form often does more harm than good.

Continue reading…