June 1, 2009 at 6:04 pm
Comments posted to this topic are about the item Intruding into Dummy Websites
Best wishes,
Phil Factor
June 2, 2009 at 3:12 am
An excellent idea Phil. Reminds me of Richard Feynman's stories of cracking the combination
locks on his colleagues' filing cabinets at MIT: the numbers were usually based on spouse's birthdays.
I think he also liked to leave gifts inside.
Having a dummy defensive position to attack, out in the public domain, is also not unlike the way
the M.o.D (UK Defence Department) carry on in Salisbury Plain. Perhaps we could use http://www.imbervillage.com
as the domain for your Ninja maneuvers, in memory of the real English village of Imber, which was invaded by Brit and American forces in 1943 to use for attack practice.
Brigadier Dick "Tari" Webstock
June 2, 2009 at 4:20 am
Perhaps we can have multiple databases, each of which demonstrates a different "level" of security. E.g. for SQL injection, one could have none at all, the next could include just some basic escaping of certain SQL commands, one could use stored procedures instead, etc.
That way, we can demonstrate the differences between each technique, along with pros and cons, so junior DBAs can see exactly what each one provides and examples for implementation.
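The "levels" suggested in the post above, shown as an added example that is not from the original thread or from Phil Factor's article. It uses an in-memory SQLite table with constructed sample rows and assumes nothing about the dummy site itself: level 0 concatenates the caller's text into the SQL, level 1 doubles single quotes (which closes the quoted-string hole but does nothing for a numeric id that is never inside quotes), and level 2 passes the value as a bound parameter after validating its type.

```python
import sqlite3

# Constructed sample data: two companies, each with its own customers.
CUSTOMERS = [
    (1, "Acme Ltd", "alice@example.test"),
    (1, "Acme Ltd", "bob@example.test"),
    (2, "Globex plc", "carol@example.test"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (company_id INTEGER, company TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


# Level 0: raw concatenation. Whatever the caller types becomes part of the SQL.
def lookup_level0(conn, company_name):
    sql = "SELECT email FROM customers WHERE company = '" + company_name + "'"
    return [r[0] for r in conn.execute(sql)]


# Level 1: escape single quotes by doubling them. Adequate for a quoted string
# value, but irrelevant to a value that is used outside quotes.
def escape_quotes(value):
    return value.replace("'", "''")


def lookup_level1(conn, company_name):
    sql = "SELECT email FROM customers WHERE company = '" + escape_quotes(company_name) + "'"
    return [r[0] for r in conn.execute(sql)]


def lookup_by_id_level1(conn, company_id_text):
    # The numeric column is compared without quotes, so "escaping" changes
    # nothing and the caller's text still reaches the parser as SQL.
    sql = "SELECT email FROM customers WHERE company_id = " + escape_quotes(company_id_text)
    return [r[0] for r in conn.execute(sql)]


# Level 2: parameterised query. The driver sends the value separately from the
# SQL text, so it can only ever be compared as data, never parsed as syntax.
def lookup_level2(conn, company_name):
    sql = "SELECT email FROM customers WHERE company = ?"
    return [r[0] for r in conn.execute(sql, (company_name,))]


def lookup_by_id_level2(conn, company_id_text):
    try:
        company_id = int(company_id_text)  # validate the type before it goes near SQL
    except ValueError:
        return []
    sql = "SELECT email FROM customers WHERE company_id = ?"
    return [r[0] for r in conn.execute(sql, (company_id,))]


def demo():
    """Run the textbook probes against each level and count rows returned."""
    conn = make_db()
    tamper_str = "x' OR '1'='1"  # string-context probe (constructed)
    tamper_num = "1 OR 1=1"      # numeric-context probe, needs no quotes (constructed)
    return {
        "level0_str": len(lookup_level0(conn, tamper_str)),
        "level1_str": len(lookup_level1(conn, tamper_str)),
        "level1_num": len(lookup_by_id_level1(conn, tamper_num)),
        "level2_str": len(lookup_level2(conn, tamper_str)),
        "level2_num": len(lookup_by_id_level2(conn, tamper_num)),
        "level2_honest": len(lookup_level2(conn, "Acme Ltd")),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Running it shows level 0 and the numeric case of level 1 returning every customer in the table, while the parameterised lookups return only the rows a genuine value would match. That is the junior-DBA lesson the post asks for: quote escaping is a partial fix tied to one context, whereas bound parameters remove the problem regardless of column type.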
June 2, 2009 at 4:53 am
Just a quick note to warn any Brits reading this that, under British law, attacking a server or database without the owner's express permission is illegal under criminal law. Claiming that it was for educational purposes is not a valid defence.
The article suggested that the author was not aware, or did not care about this.
June 2, 2009 at 6:28 am
Good idea Phil.
Most companies need to actually set up a parallel system, with dummy data, and "tiger team" it, by deliberately hacking the fake site. Any dummy data they pull up would be real data on a real site, and that's enough to know what needs more security.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
June 2, 2009 at 6:40 am
It would be great to see a site set up specifically for the purpose of showing how database security measures work. The only downside is that junior hackers could sign up for the site under false credentials and then get quick training on how to hack other's sites. Would we just assume that hackers would get their information from wherever on the web anyway and that the majority of the site users would be good-natured DBAs and developers looking to prevent issues with their own sites? Would there be any sort of governmental rules on setting up a site like this even if it is for educational purposes only?
I definitely like the concept.
June 2, 2009 at 6:49 am
I think a practice web site would be a fantastic idea. Just as importantly as this, though, a second web site, or the web site duplicated in a different folder, should also be set up where everything is set up with each page having an explanation of how it is now secure and what was done to make it secure. It is one thing to figure out how to break into a website but another to figure out what to do to make sure that the websites that you develop do not end up suffering the same fate.
June 2, 2009 at 7:28 am
I believe this is a worthwhile exercise. Nothing educates like experience.
The fear is that nefarious hackers would get hold of the site and turn it into a weapon against those using it for training.
Perhaps the community can develop a Hack-O-Matic canned version for download, complete with instructions and scenarios, rather than relying on a third-party hosted environment. Being able to play with it behind closed doors, as it were, would assist many in evolving not only their security practices but their inherent understanding as well.
You have my vote and support in making this a reality.
Regards;
Greg
June 2, 2009 at 7:45 am
I don't recall the site, and I think my employer would take issue with me googling for "website hacking contest", but a number of years ago there was a public site set up by security researchers and it had like 20 or so tests on 5-6 levels of hacking skill. One of my old bosses made me go through a number of levels to get a better sense of things I might be doing in a less secure way than I really should.
It built on itself like most of the How to write (insert language here) books on the market. Start with something simple like changing the URL variable from mysite.com?companyid=1 to mysite.com?companyid=2 and progressed from there.
-Luke.
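The first exercise Luke describes, changing companyid=1 to companyid=2 in the URL, is an authorisation failure rather than a parsing one: the parameter alone selects whose data comes back. The following is an added example, not code from the thread or from any site it mentions; the session table and company records are constructed, and the function names are hypothetical. It shows the unchecked pattern beside two fixes: checking the requested id against the session's principal, and dropping the parameter altogether so the company is derived from the session.

```python
from urllib.parse import parse_qs, urlparse

# Constructed data: which company each logged-in user belongs to, and each
# company's records. In a real system these come from the session store and DB.
SESSIONS = {"sess-alice": {"user": "alice", "company_id": 1}}
COMPANIES = {1: ["order-1001", "order-1002"], 2: ["order-2001"]}


def requested_company(url):
    """Pull companyid out of the query string; None if absent or not an integer."""
    qs = parse_qs(urlparse(url).query)
    try:
        return int(qs.get("companyid", [""])[0])
    except ValueError:
        return None


def orders_unchecked(url):
    """The pattern in the post: whatever id is in the URL chooses the data."""
    return COMPANIES.get(requested_company(url), [])


def orders_checked(url, session_id):
    """Object-level authorisation: honour the parameter only when the
    session's principal is entitled to that company. None means refuse
    (the caller maps it to an HTTP 403 or 404)."""
    session = SESSIONS.get(session_id)
    cid = requested_company(url)
    if session is None or cid is None or session["company_id"] != cid:
        return None
    return COMPANIES[cid]


def orders_scoped(session_id):
    """Stronger still: derive the company from the session and never read it
    from the URL, so there is nothing in the request for the user to alter."""
    session = SESSIONS.get(session_id)
    if session is None:
        return None
    return COMPANIES[session["company_id"]]


if __name__ == "__main__":
    print(orders_unchecked("http://mysite.com/?companyid=2"))            # leaks company 2
    print(orders_checked("http://mysite.com/?companyid=2", "sess-alice"))  # None: refused
    print(orders_scoped("sess-alice"))                                    # alice's own company
```

The scoped variant is the one to prefer where a user only ever sees one company: an identifier that is never accepted from the client cannot be tampered with, and there is no check to forget on the next page that is added.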
June 2, 2009 at 10:00 am
I would suggest, for those sites that can be entirely built using appropriate licenses (zero cost, transferable, virtualizable), that this would be an ideal case for virtual appliances. Load on your virtual server, turn on, and see how insecure they can be.
Otherwise, the ideal would be scripts that would allow one to easily set up said sites on one's own computers.
I'm afraid that publicly available sites like this would be useful, except that any where the site can be brought down completely likely would be. For such publicly available sites, either a read-only virtual image (restart to get back to initial state) or the older "boot CD without any hard drive" method may be appropriate.
June 2, 2009 at 11:46 am
There are some excellent ideas here, and I am awed by their creativity. We ought to do something: and build a straw website to demonstrate intrusion techniques on. The idea of a shrink-wrapped 'hack-o-matic' is excellent.
The whole point I'm trying to make is that, until you've seen how easy it is to do, the whole subject of SQL Injection etc just seems so unreal. It really focuses the mind to see it in practice.
To Mike Brockington, thanks for the legal angle, but I thought I was already arguing against hacking other people's websites. This is why I felt that a community-based 'straw man' would take away the temptation. I am, of course, ridiculously averse to breaking the British law, even though the bossy, venal, and sanctimonious occupants of the mother of parliaments have insisted on enacting 3000 new criminal offences since coming to power, including the cardinal sin of playing piano in a pub without a licence, selling a grey squirrel, staging a lone protest within a kilometre of the Houses of Parliament, smoking in a pub as one's forebears were able to do for the past four hundred years, owning a donkey without a passport, or obstructing the work of the Children's Commissioner for Wales. (P Johnson: The Daily Telegraph) No, despite all this, I am not advocating any illegal acts, quite the reverse in fact, though I would certainly smile sympathetically on any British people reading this who feel tempted, if they come across any members of parliament who have fiddled their expenses in the past four years, to pursue them through the streets with a stick, shouting 'Stop! Thief!'.
I have never hacked a website without being careful to obtain the written permission of the web site's owners first. It is extraordinary, but my request has never been refused. None have, for a moment, believed that it was possible. I once presented the director of an insurance company with a list of his customers, and he was surprisingly narked with me when I gave it to him, even though he'd allowed me to do so. His IT department had laughed and said it was impossible: their systems were completely secure. Fortunately, his anger was eventually diverted to its rightful direction.
Best wishes,
Phil Factor
June 2, 2009 at 12:25 pm
I think it's a good idea, Phil, although I worry about concurrency if this were public. People might not get the same lessons.
I think a sample, perhaps in VHD format, would be excellent. It would allow people to work through exercises and see where things are failing.
June 2, 2009 at 1:43 pm
Phil wrote, "I expect that it is even more educational to test out your neighbors’ security systems by attempting to break into their houses. . ."
I can tell you are British. It's OK to break in to your neighbor's house in GB and in fact, if he isn't at home, you can take it over. In Texas we are generally armed. If you attempt to break in to my house, I or my wife will shoot you. I will use a single finger-size lead bullet traveling at about 800 FPS. My wife will use many pencil-eraser-sized bullets traveling about 400 FPS. Regardless, you likely will either be frightened to death or be killed by the impact.
This is the way things ought to be in England. It's a shame they are not.
June 2, 2009 at 3:17 pm
This is the way things ought to be in England. It's a shame they are not.
There are 24 million in Texas; England expects at least 1.5 billion people, either through the EU, North America or through the Commonwealth, so if the English start shooting on sight as in Texas there could be a problem.
On a side note, the angry employee with a 1TB USB drive is more dangerous than the hacker. Then there are the unskilled; both are unknown factors because the cost could be all your assets.
😉
:Whistling:
Kind regards,
Gift Peddie
June 2, 2009 at 3:37 pm
24 million Texans are skillfully armed and there are only about 10,000 Brits in the military and police (just guessing) and they likely don't know how to shoot. The rest of the Brits will likely run away, cry foul or file a lawsuit.
I'll take my chances in the Land of the Alamo.
Viewing 15 posts - 1 through 15 (of 21 total)