Security and cyber attacks in the World Wide Web
This month, reading my usual tech news and newspapers, I realized that there were a lot of attacks and security issues to different companies, some of them very important. So, let’s talk about security!
Let’s see some examples:
- Sony: The group who carried out the attack said (and Sony confirmed):
“We recently broke into SonyPictures.com and compromised over 1,000,000 users’ personal information, including passwords, email addresses, home addresses, dates of birth and all Sony opt-in data associated with their accounts. Among other things, we also compromised all admin details of Sony Pictures (including passwords) along with 75,000 ‘music codes’ and 3.5 million ‘music coupons’.”
- Gmail: “…Google has announced that Chinese hackers are at it again — this time, targeting Gmail account holders…”
- WordPress Repositories: “Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory.”
- Citibank: “While Citigroup insisted the breach had been limited, experts called it the largest direct attack on a major U.S. financial institution, and said it could prompt an overhaul of the banking industry’s data security measures.”
How is it possible that these really huge companies have these kinds of serious problems? The answer is really pretty simple: the software and applications run by these companies are made by, well – people like you and me! No matter what the name of the company is, or how big it is, or anything else… there is always a programmer.
So, what do I mean by this? Well, it means that as humans we can make mistakes – we can have a bad night and start coding while a bit sleepy, or rush to meet a deadline. All the while, thinking/hoping: “It will never happen to me!”. Or, as is often the case, the security layer is something that programmers and software developers leave until the end, because you have to keep up with the project timeline, and your boss is getting crazy, so what do we drop to reach the goals? Yes, don’t worry about all that ‘security’ stuff!
“Note a curious trait of human behavior (formalized in prospect theory – developed by Daniel Kahneman and Amos Tversky in 1979), that people (including managers who buy security) are risk-averse over prospects involving gains, but risk-loving over prospects involving losses.”
Let’s try to explain a few things about security and how we can make our sites more secure. But keep in mind one important point: it doesn’t mean that your site, coded with security in mind, will be impossible to break into. You should always be suspicious when someone tells you “I can make your site 100% secure”. Instead, it means your site will be protected against many common attacks (there are hundreds, and new kinds of attacks are developed every day), and it will give you some “best practices” for coding.
I like to think that website security is a day by day process, more of a vigilant routine and a way of interacting with a fast-evolving internet than a one-time effort. Just because a site was humming along quietly a month ago with no security issues doesn’t mean it is still secure today.
First of all, what is Security?
“Security is the degree of protection against danger, damage, loss, and crime. Security as a form of protection are structures and processes that provide or improve security as a condition…”
And what about Information Security ?
“Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction…”
So, what can we do from our desks to make our code more secure, to protect our information from unauthorized access, to avoid losing information, and so on? Be aware! That’s the key! You need to think that every input can be a potential attack.
We will talk about two of the most common attacks and how we can prevent them.
- Sql Injection
- Cross Site Scripting (XSS)
Sql Injection
This is one of the ways Sony was hacked. It is a very common security issue, and it can easily let an attacker control everything on your site.
Basically, a Sql Injection is the ability to make your application run SQL code that it was never intended to run.
It means that an attacker would be able to run things like “delete from users” or “select * from users” against your user table, or get any other information in your database, like credit card accounts, passwords and addresses. The attacker could also gain administrative privileges without supplying a valid user name and password, compromise data integrity, execute commands remotely, etc.
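The two login routines below are an added example, not code from the original post: one builds the SQL text by concatenating the user’s input (the vulnerable pattern that lets input become SQL), the other uses a parameterised query. The in-memory table, the user rows and the crafted password are all constructed here so the script runs offline; nothing in it comes from the incidents mentioned above.

```python
import sqlite3

# Constructed in-memory user table so the demo runs offline.
# Passwords are stored in plain text only to keep the demo short.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn

def login_vulnerable(conn, name, password):
    """Builds the SQL text by concatenation: whatever the user typed becomes
    part of the statement, so a quote in the input changes its meaning."""
    sql = ("SELECT id FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()

def login_safe(conn, name, password):
    """Parameterised query: the statement text is fixed and the driver passes
    the values separately, so the input is never parsed as SQL."""
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()

# Constructed input: the closing quote and OR clause make the concatenated
# WHERE clause true for every row, which is exactly the defect we want to see.
CRAFTED_PASSWORD = "' OR '1'='1"

def demo():
    """Runs a legitimate login and the crafted input through both routines."""
    conn = make_db()
    return {
        "legit_safe": login_safe(conn, "alice", "s3cret"),
        "crafted_vulnerable": login_vulnerable(conn, "nobody", CRAFTED_PASSWORD),
        "crafted_safe": login_safe(conn, "nobody", CRAFTED_PASSWORD),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, "->", rows)
```

Running it shows the concatenated version returning every user for an account that does not exist, while the parameterised version returns nothing for the same input and still finds alice with her real password. The fix is not input filtering; it is never letting user data become part of the statement text, which every mainstream database driver supports through placeholders like the `?` above.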
Cross Site Scripting (XSS)
This kind of attack works on almost the same principle as Sql Injection. Basically, it tries to inject script code into trusted web sites. By doing this, an attacker can, among other things:
- Access sensitive or restricted information
- Gain free access to otherwise paid-for content
- Spy on users’ web browsing habits
- Alter browser functionality
- Publicly defame an individual or corporation
- Carry out Denial of Service attacks
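The defence that removes the whole class of problems listed above is output encoding: every piece of untrusted text is escaped for the HTML context it lands in. The snippet below is an added example, not code from the original post; the inputs `SAMPLE_TEXT` and `SAMPLE_ATTR` are constructed stand-ins for anything arriving from a form field, query string or database row. It shows the unescaped rendering beside the escaped one for a text node and for an attribute value, the two contexts a simple page most often gets wrong.

```python
import html

def render_unsafe(name):
    """Pastes untrusted text straight into the HTML: any markup in the input
    is interpreted by the browser as part of the page."""
    return "<p>Hello, " + name + "!</p>"

def render_safe(name):
    """Escapes the HTML-significant characters (& < > " ') so the browser
    shows the input as text instead of parsing it as markup."""
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"

def render_attr_safe(value):
    """Attribute context: quote=True is what stops a stray double quote in the
    input from closing the attribute and starting a new one."""
    return '<input type="text" value="' + html.escape(value, quote=True) + '">'

def has_live_tag(page, tag="script"):
    """Crude check used by the demo: does an unescaped <tag appear in the page?"""
    return ("<" + tag) in page.lower()

SAMPLE_TEXT = "<script>alert(1)</script>"   # constructed input, text context
SAMPLE_ATTR = '" title="x'                  # constructed input, attribute context

def demo():
    """Renders the constructed inputs with and without escaping."""
    return {
        "unsafe": render_unsafe(SAMPLE_TEXT),
        "safe": render_safe(SAMPLE_TEXT),
        "attr_safe": render_attr_safe(SAMPLE_ATTR),
    }

if __name__ == "__main__":
    for label, page in demo().items():
        print(label, "->", page)
```

Two points to take from it: escape at output time, not on input, because the same string may be stored once and rendered in several places; and pick the encoder for the context, since `html.escape` covers element text and quoted attributes but a value dropped into a `<script>` block or a URL needs JavaScript or URL encoding instead.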
These are two of the most important vulnerabilities, but they are quite easy to avoid. Don’t worry, you will get the right tools in the next posts!