
Some general web/DB security questions

  • 27-08-2013 11:37am
    #1
    Registered Users Posts: 338 ✭✭


    I'm not an expert on security so sometimes when I see a site I wonder what precautions they must take to ensure they have a very safe site, especially when using money.

    A site like locallotto.ie which I stumbled across recently, what kind of precautions would they need to take, storing info in the DB, transaction info, info about numbers people chose etc? Obviously if someone had access to their DB, they could tamper with results etc.

    If their DB was compromised, what would they do? Would they have taken very regular backups of their DB and somehow rectify? Or would there be a complete meltdown?

    This is really just curiosity, as I have no idea how someone would make a site like that very secure and would like to know.

    Any info about that example, or others, particularly to do with money, I'd love to know!


Comments

  • Registered Users Posts: 904 ✭✭✭realgolfgeek


    jimmybeige wrote: »
    I'm not an expert on security so sometimes when I see a site I wonder what precautions they must take to ensure they have a very safe site, especially when using money.

    A site like locallotto.ie which I stumbled across recently, what kind of precautions would they need to take, storing info in the DB, transaction info, info about numbers people chose etc? Obviously if someone had access to their DB, they could tamper with results etc.

    If their DB was compromised, what would they do? Would they have taken very regular backups of their DB and somehow rectify? Or would there be a complete meltdown?

    This is really just curiosity, as I have no idea how someone would make a site like that very secure and would like to know.

    Any info about that example, or others, particularly to do with money, I'd love to know!


    Hi,

    Regarding money/credit cards, if you are not PCI compliant you cannot store credit card info on your systems. A lot of people just store the last 4 digits of the card (often used for a security question to the user/customer). If you're not PCI compliant then the user enters the card details on the site, which go to a third party provider such as Realex. The card is hashed/encrypted on both ends, Realex would make the authorisation and send you back the acknowledgement. In that process you may or may not store the last 4 digits on your own system.

    In terms of other data, such as PRSI information as an example, you can use column level encryption to secure the data. You can also use database level encryption/certificates etc.

    From the web server's point of view you can have secure certificates, firewalls etc to really lock down the servers.

    PCI Info.

    https://www.pcisecuritystandards.org/


  • Closed Accounts Posts: 8,016 ✭✭✭CreepingDeath


    Web security is a huge area, not something you can pick up on the way,
    and that's separate to server administration.

    Just to start with.. ensure
    - you have strong encryption on the usernames.
    - you've salted passwords, preferably with a large number of iterations of hashing, eg. 10,000.
    - validate and sanitise all user input
    - use prepared statements in SQL to avoid SQL injection attacks
    - html encode all user data when displaying it back, to avoid Javascript injection attacks
    jimmybeige wrote: »
    A site like locallotto.ie which I stumbled across recently, what kind of precautions would they need to take, storing info in the DB, transaction info, info about numbers people chose etc? Obviously if someone had access to their DB, they could tamper with results etc.

    Probably have row level checksums on the records.
    If someone tampers with a row and the checksum doesn't match, it's been tampered with.
    jimmybeige wrote: »
    If their DB was compromised, what would they do? Would they have taken very regular backups of their DB and somehow rectify? Or would there be a complete meltdown?

    If any company's DB was compromised they "should" contact the data protection office and submit a report, and notify all their users, especially if their credit cards or the like were potentially released.

    There are external security companies that will perform security penetration testing of your site and give you a report plus recommendations on how to rectify it.
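    The checklist above (salted, iterated password hashing; prepared statements; HTML-encoding user data on output) and the row-level checksum idea for lottery entries, worked through as one added example. This is not code from the thread or from any site mentioned in it; it uses only the Python standard library, an in-memory SQLite database as a stand-in for the real DB, and a constructed row-checksum key (ROW_KEY) that in a real deployment would be held outside the database, since a checksum an attacker can recompute protects nothing.

```python
import hashlib
import hmac
import html
import json
import os
import sqlite3

# Iteration count taken from the post's suggestion; a real deployment picks the
# highest count its login latency budget allows and raises it over time.
ITERATIONS = 10_000

# Constructed demo key for the row checksums (assumption: in production this
# lives in a KMS/HSM or at least a config secret, never in the database).
ROW_KEY = b"constructed-demo-row-key"


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; salt and iteration count travel with the hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def render_cell(user_text: str) -> str:
    """HTML-encode user-supplied text before echoing it back into a page."""
    return f"<td>{html.escape(user_text, quote=True)}</td>"


def row_checksum(entry_id: int, user: str, numbers: list, amount_cents: int) -> str:
    """HMAC over a canonical JSON encoding of the row's protected columns."""
    canonical = json.dumps([entry_id, user, numbers, amount_cents], separators=(",", ":"))
    return hmac.new(ROW_KEY, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE entries (id INTEGER PRIMARY KEY, user TEXT, "
        "numbers TEXT, amount_cents INTEGER, checksum TEXT)"
    )
    return conn


def insert_entry(conn, entry_id, user, numbers, amount_cents) -> None:
    # Parameterised statement: values are bound, never spliced into the SQL text.
    conn.execute(
        "INSERT INTO entries (id, user, numbers, amount_cents, checksum) VALUES (?, ?, ?, ?, ?)",
        (entry_id, user, json.dumps(numbers), amount_cents,
         row_checksum(entry_id, user, numbers, amount_cents)),
    )


def verify_entry(conn, entry_id) -> bool:
    """Recompute the checksum from the stored columns; False if anything changed."""
    row = conn.execute(
        "SELECT id, user, numbers, amount_cents, checksum FROM entries WHERE id = ?",
        (entry_id,),
    ).fetchone()
    if row is None:
        return False
    rid, user, numbers_json, amount_cents, stored = row
    expected = row_checksum(rid, user, json.loads(numbers_json), amount_cents)
    return hmac.compare_digest(expected, stored)


def tamper_demo() -> tuple:
    """Insert a constructed lottery entry, then alter its numbers directly in the DB."""
    conn = open_db()
    insert_entry(conn, 1, "alice", [3, 11, 27, 40], 200)
    before = verify_entry(conn, 1)
    # Simulated attacker with raw DB access rewriting the chosen numbers.
    conn.execute("UPDATE entries SET numbers = ? WHERE id = ?", (json.dumps([1, 2, 3, 4]), 1))
    after = verify_entry(conn, 1)
    return before, after


if __name__ == "__main__":
    stored = hash_password("correct horse")
    print(verify_password("correct horse", stored), verify_password("wrong", stored))
    print(render_cell("O'Brien <b>"))
    print(tamper_demo())
```

    The checksum is an HMAC rather than a plain hash for the reason the thread hints at: if the attacker already has write access to the table, a keyless checksum is just one more column to update. The same goes for the key location, which is why the example keeps it in code as a labelled stand-in for a secret held outside the DB.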


  • Registered Users Posts: 7 awking


    Well, many things to be taken into consideration here:
    1. For locallotto.ie - hard to tell. First thing I see is
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    Which I am not a fan of.
    2. Every query that is being done needs to be taken into account, all datatypes, what could end up in there and what could go wrong.

    A real life example - some years ago a friend of mine made a car blog which turned out to be quite successful so he asked me to give it a go and see if I can spot any issues (without giving me the code). So I did. As he was using WordPress, most of the common issues existed. I have a plugin that disables Google Analytics for websites (I hate the idea of Google tracking me) but I had no idea if he had something similar on his side. Unfortunately he had something for tracking visitors. So I used the good old general.useragent.override and set my user agent to something like -
    '; drop table wp_posts;
    I can't remember if it was a single or a double quote but the wp_posts table was gone. Luckily he had a backup so all was good.

    So in general as I said take every query into account, avoid using default settings like the wp_ prefix in WordPress, and most importantly - AVOID GRANTING ALL PRIVILEGES TO A DB USER. Nothing more than what is needed.
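    The failure described in this post, reconstructed as an added example (not the friend's code, which the poster never saw, and not WordPress code): a hypothetical visitor tracker that splices the User-Agent header into an UPDATE statement, beside the parameterised version of the same query. The schema, the tracker logic and the use of SQLite's executescript to stand in for a driver that accepts stacked statements are all assumptions; the user-agent string itself is the one quoted in the post, used here only as test input.

```python
import sqlite3

# The user-agent string from the post, used purely as test input.
PAYLOAD_UA = "'; drop table wp_posts;"


def fresh_db() -> sqlite3.Connection:
    """Constructed WordPress-like schema: a posts table and a visitor log."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_posts (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO wp_posts (title) VALUES ('first post');
        CREATE TABLE visitor_log (id INTEGER PRIMARY KEY, user_agent TEXT, hits INTEGER);
    """)
    return conn


def table_exists(conn, name: str) -> bool:
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row[0] == 1


def record_visit_vulnerable(conn, user_agent: str) -> None:
    """Hypothetical tracker that builds SQL by string concatenation.

    executescript stands in for a driver running stacked statements
    (assumption). The leftover quote at the end of the spliced string is
    a syntax error, but it is raised only after DROP TABLE has already run.
    """
    sql = "UPDATE visitor_log SET hits = hits + 1 WHERE user_agent = '" + user_agent + "'"
    try:
        conn.executescript(sql)
    except sqlite3.Error:
        pass  # an app that merely logs the error would never notice the damage


def record_visit_safe(conn, user_agent: str) -> None:
    """Same tracker with bound parameters: the header is data, never SQL."""
    cur = conn.execute(
        "UPDATE visitor_log SET hits = hits + 1 WHERE user_agent = ?", (user_agent,)
    )
    if cur.rowcount == 0:
        conn.execute("INSERT INTO visitor_log (user_agent, hits) VALUES (?, 1)", (user_agent,))
    conn.commit()


def stored_agents(conn) -> list:
    return [row[0] for row in conn.execute("SELECT user_agent FROM visitor_log ORDER BY id")]


def demo() -> dict:
    """Run the payload through both versions and report what survived."""
    vuln = fresh_db()
    record_visit_vulnerable(vuln, PAYLOAD_UA)
    safe = fresh_db()
    record_visit_safe(safe, PAYLOAD_UA)
    record_visit_safe(safe, PAYLOAD_UA)
    return {
        "vulnerable_posts_table_survives": table_exists(vuln, "wp_posts"),
        "safe_posts_table_survives": table_exists(safe, "wp_posts"),
        "safe_stored_agents": stored_agents(safe),
        "safe_hits": safe.execute("SELECT hits FROM visitor_log").fetchone()[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    Two defensive points follow from the post. First, sqlite3's ordinary execute() refuses to run more than one statement per call, and many drivers default the same way; the executescript call above is there to model the multi-statement behaviour the story implies. Second, the "nothing more than what is needed" advice would have limited the blast radius even with the concatenation bug in place: a MySQL account created with something like `GRANT SELECT, INSERT, UPDATE ON blog.visitor_log TO 'tracker'@'localhost'` has no DROP privilege on wp_posts, so the injected statement fails with a permission error instead of deleting the table.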


  • Registered Users Posts: 586 ✭✭✭Aswerty


    awking wrote: »
    Well, many things to be taken into consideration here:
    1. For locallotto.ie - hard to tell. First thing I see is
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    Which I am not a fan of.

    I don't quite follow. Are you saying you are not a fan of ASP.NET/IIS 6.0 because it is insecure? And if so how? Or are you just saying exposing the server and platform publicly is a security hole (which it is)?


  • Registered Users Posts: 7 awking


    Well, first, history teaches us - so far I haven't seen a single line of code done by Microsoft that can be classified as "secure". And ASP is no different - the exploits reported in exploit-db are perhaps more than 1000, many of which as I can see related to SQL injections. And of course exposing the platform is a security hole - a very big one for that.


  • Registered Users Posts: 2,021 ✭✭✭ChRoMe


    awking wrote: »
    Well, first, history teaches us - so far I haven't seen a single line of code done by Microsoft that can be classified as "secure". And ASP is no different - the exploits reported in exploit-db are perhaps more than 1000, many of which as I can see related to SQL injections. And of course exposing the platform is a security hole - a very big one for that.

    How much of their closed source have you read?


  • Registered Users Posts: 7 awking


    The answer should be obvious - I've never worked for Microsoft and never will even if that involves a share of the company. I couldn't care less what they do. And Apple for that matter. All I need to see is an exploit report with "confirmed" status.


  • Moderators, Society & Culture Moderators Posts: 17,642 Mod ✭✭✭✭Graham


    awking wrote: »
    The answer should be obvious - I've never worked for Microsoft and never will even if that involves a share of the company. I couldn't care less what they do. And Apple for that matter. All I need to see is an exploit report with "confirmed" status.

    Sounds like a rational basis for your previous sweeping generalisation security assessment of Microsoft products.


  • Registered Users Posts: 2,021 ✭✭✭ChRoMe


    awking wrote: »
    The answer should be obvious - I've never worked for Microsoft and never will even if that involves a share of the company. I couldn't care less what they do. And Apple for that matter. All I need to see is an exploit report with "confirmed" status.

    And......... there goes what was left of your credibility.


  • Registered Users Posts: 7 awking


    I haven't used any Microsoft product in more than 15 years. Still those reports have turned out to be 100% accurate for any language, not just Microsoft's crap. The point is that while you can get your way around a certain problem with any of the open source platforms, with the closed source ones you can never really be sure that what you've done has solved the problem and it hasn't opened a few new holes. It all boils down to whether you are dealing with a small project that you don't care much about or you are on the other end of the scale and... Well let's say a lot of money is involved and even worse - not your money... And most of all, as I stated earlier - you have to think about what you are doing rather than jiggle some code, hoping it works.


  • Registered Users Posts: 2,781 ✭✭✭amen


    I'm more interested in what production code Awking has written, where we can view it and how many users use it daily?


  • Registered Users Posts: 9,250 ✭✭✭markpb


    awking wrote: »
    Still those reports have turned out to be 100% accurate for any language, not just Microsoft's crap. The point is that while you can get your way around a certain problem with any of the open source platforms, with the closed source ones you can never really be sure that what you've done has solved the problem and it hasn't opened a few new holes.

    I never bought this argument for open source code. Very few people are capable of reading code and figuring out (beyond the simplest of cases) whether it's secure or not. So either you're using open source code in the hope that you're good enough or that someone else, who is good enough, has taken the time and effort to check it out. Neither of those are great options.

    I presume you also don't work on a network with Cisco firewalls, Juniper routers or BigIP load balancers either, given your distrust of closed source codebase products?


  • Registered Users Posts: 7 awking


    Of course. In the same way you wouldn't ask me to become an astronaut - just on a very low level you wouldn't ask an overweight guy who hasn't done any physical exercise in his life to fly into space. Same goes with code - I wouldn't ask my grandmother to read code for similar reasons. The whole point of open source is not so you yourself can figure out whether it is secure or not but so that large groups of people can investigate that code. At this point I am discussing SQL injections, not Cisco or Juniper since:
    1. Their target and approach is completely different from the one taken by Microsoft and Apple and they resemble RedHat more, which is fine by me.
    2. Load balancers - I've only worked with ifenslave which did a perfect job when I needed it.

    @amen - sorry - no idea how many users daily since I am part of a team of 400 people and different people work on different parts - everything is decentralized. What I am currently looking at is 32660 requests/second which is as close to any statistic I can get...


  • Registered Users Posts: 14,148 ✭✭✭✭Lemming


    jimmybeige; as CreepingDeath has already pointed out, web security is a massive area in its own right. You just don't learn about it overnight and it is something that will continue to evolve as software evolves. But as a start, I would direct you to nose through the OWASP site. If you have access to Pluralsight, there is an excellent video tutorial on OWASP sitting at somewhere around the 10+ hours mark.

    Please bear in mind that contrary to the false sense of security that Awking would have you believe, badly written software sitting on top of badly maintained/configured platforms is a liability regardless of what technology is used. It can, and does, happen across all platforms and technology stacks, be they open or closed source. There is no such thing as "secure" code or secure platforms; just code or platforms that are less likely, or harder, to compromise. Whilst the admin & the developer must think of all possible attack vectors, the determined attacker only has to find one way in.


    edit: to add to the list of things that CreepingDeath listed; some platforms (like ASP.Net on IIS ... ho ho ho) have the ability to encrypt configuration files. This allows you to encrypt things like database connection strings and the like so that if the hosted environment is ever compromised, database access user-names & passwords are not held in plain-text for all to read & see. Further, the encrypted file is only valid for *that* environment, so with a web-farm, the attacker would have to break each user-name/password separately too, assuming that the DBA team have configured each environment separately.


  • Registered Users Posts: 2,781 ✭✭✭amen


    no idea how many users daily since I am part of a team of 400 people and different people work on different parts - everything is decentralized.

    So is it open source or a closed code base?


  • Registered Users Posts: 2,494 ✭✭✭kayos


    awking wrote: »
    And ASP is no different - the exploits reported in exploit-db are perhaps more than 1000, many of which as I can see related to SQL injections.

    Ah, I'm failing to see how ASP or ASP.NET for that matter is the source of SQL injection attacks. That's just poor coding by someone using ASP/ASP.NET and a data access component.

