Explaining Security

SQL Injection is a programmatic attack on websites

OWASP has a great website discussing SQL injection:

The Open web application Security project is an effort to help the programming community in securing their websites

And I will copy a couple of lines from their SQL_Injection_prevention_Cheat_sheet becasue it is important:

Option #1: Use of Prepared Statements (Parameterized Queries)
Option #2: Use of Stored Procedures
Option #3: Escaping all User Supplied Input

A Sigma Scan(Σ ) can help uncover any potential SQL injection vulnerabilities

To truly make sure that your site does not have any vulnerabilities, it is a good idea to test and interdependently verify these

The challenges of Security in a map

This is one of the many mindmaps from Aman Hardikar:

You can see that it is not only network firewalls and websites that need to be reviewed.

A security architecture needs to be developed from security principles within procedures and goals laid out within business objectives.

XSS = Cross Site Scripting – dangerous website vulnerability

XSS is something every website should be aware of – test for it, because the bad hackers do.

Netsparker is a good site to explain some of the potential attacks.

The effect of XSS is to use the website to extract information, and even bypass the defenses of the server.

In some cases if the vulnerability is capable it will take control of he machine by creating a shell command line for the hacker.

Once the hacker has a command a shell line on the server, they can copy the password files, and then the hack goes to the next level of attack.

It goes on from there – until the hacker gets full control. Whatever you have is the hackers.

How would you know if your website was targeted by hackers?

The _only_ way is to test your site…

review your potential services and programs running on the website

Use the alpha service evaluation sample

Or try the Sigma (∑) service evaluation sample

either way you will have a better picture of your hacker liability today.

New Microsoft Word vulnerability

Technet link – specific wording:

The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.

——————————————————————————————–

So if a malicious RTF(Rich Text Formatting file is opened inside Microsoft Word it will allow the attacker to run commands that normally cannot be run.

So it is possible we have yet to see the full effects on this vulnerability., as viruses and other attacks are being crafted(very likely).

The Microsoft ‘fix’ initially is to not allow RTF files to be opened.

Applying the Microsoft Fix it solution, “Disable opening RTF content in Microsoft Word,” prevents the exploitation of this issue through Microsoft Word.

“This is not a fix, just a kludge” says TonyZ – as people will open these files not knowing what will happen.

Explaining Security

SQL Injection is a programmatic attack on websites

Like this:

The challenges of Security in a map

Like this:

XSS = Cross Site Scripting – dangerous website vulnerability

Like this:

How would you know if your website was targeted by hackers?

Like this:

New Microsoft Word vulnerability

Like this: