Support

Admin Tools

#9858 Web Security Summarised in oh - what a mannar

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Thursday, 28 April 2011 06:15 CDT

Thursday, 28 April 2011 04:24 CDT

slaes

I could sit here a write literally TONNES about the below link. Unfortunately, i don't think i would stop.

If your here, obviously your serious and understand the importance of web security.

The below article is one of the best (in plain English) examples i have seen in recent times.

What an absolute effing joke, in fact its laughable.

Far too many points to make, so i wont make any :)

Read the article, its 15 minutes of your life, you wont mind giving up.

Enjoy!

http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars/

Thursday, 28 April 2011 04:39 CDT

nicholas
I had actually read many more articles regarding that hack. It is a textbook example of why security is a process, not an event, i.e. you need to think about security all the time and adapt to new challenges. I, for one, have found that using a password manager and 14-25 character "line noise" (upper/lower case letter, numbers and symbols) passwords is the best alternative to reusing the same old password all over again. Keeping and replicating encrypted backups of the password database is paramount, of course. Updates? My motto is "update, yesterday" and that's the second slide in my security presentation (the first being "backup, backup and backup").

The most disturbing aspect of the HBGary case is the social engineering part. If someone forgets his username and his password and the server's IP he's most likely a hacker. I'd call the guy right away on his cellphone and ask him straight up "are you being hacked or are you becoming senile?". That's why I ask tons of question when someone emails me about a password reset ;)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Thursday, 28 April 2011 05:16 CDT

slaes
the whole things is almost like a big joke.

- server kernels 4 months old, you serious or what
- a custom cms, laughable. Joomla core could probably be considered fairly secure as is. I always find it funny when companies think they can develop a custom made cms for lets say a few hundred K and consider it better and more secure. Almost Impossible
- and the passwords, lol
- the social engineering, brilliant however i suspect they would have found another path anyhow. Considering the condition of the rest

among a hundred other things.

The other disturbing aspect is the fact that nothing about this hack is unknown. Its all right out of the text book stuff. People get hacked all the time, almost a fact of life, however if your a security company as such (who supposedly specialize in penetration testing) and your compromised due to such school boy errors, well i dont know what should be done with you :) I guess that companies entire rep is more or less ruined.

Thursday, 28 April 2011 06:15 CDT

nicholas
Yeah, most of the errors where very basic and could have easily been avoided. Custom CMS are a joke. You can never possibly get the level of scrutiny a major Open Source CMS goes. Just the mere fact that its code goes through thousands upon thousands of pairs of eyes, each person having a different experience level and mindset than the other, ensures that vulnerabilities are reported and fixed on time.

For the record, I consider no site or IT infrastructure in general to be unhackable. You can just make it less easy to hack by following common sane security practices, unlike HBGary ;)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!