Archive for the 'Great Links' Category

From a developer point of view… secure coding

For most of us here, we are looking to hack and crack systems. But spare a thought for those poor souls who have to try to ensure their code stands up to the hack attack. And coming from a developer background, I should *really* know more about the security aspects of coding.

As you may know, there are a number of different programming languages out there. The most commonly used programming languages for web applications are PHP and Perl. Both have potential security pitfalls as they mix the ability to send and receive data through web applications with performing system level tasks.

There are a number of gotchas that coders can look for. With PHP, OWASP have their own top 5. There’s even a hardening PHP project. But the best guide I’ve seen so far is i-love-jack-daniels along with these brief PHP thoughts. With Perl, there is CPAN’s perlsec pod and cgisecurity has a good reference as well. One of the things you can apply whilst you code is tainting as described by developer.com, which should flag up issues with any dodgy variables and program arguments.
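As an added illustration of Perl's taint mode (not code from this post or from the linked articles), the script below shows a tainted value being refused by `system` and then accepted once it has passed an allow-list regex. The helper name `untaint_filename`, the sample inputs and the use of `/bin/echo` are assumptions made for the example.

```perl
#!/usr/bin/perl -T
# Added example: taint mode (-T) as documented in perlsec.
# Run as: perl -T taint_demo.pl [value ...]
use strict;
use warnings;
use Scalar::Util qw(tainted);

die "taint mode is off; run with perl -T\n" unless ${^TAINT};

# Under -T Perl refuses to run commands while the environment is untrusted.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical helper: returns an untainted file name, or undef if rejected.
# A regex capture ($1) is the documented way to untaint a value.
sub untaint_filename {
    my ($value) = @_;
    return $value =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/ ? $1 : undef;
}

# Constructed sample inputs, used when no arguments are given. Appending a
# zero-length piece of a tainted value ($^X) taints them like real arguments.
my $taint  = substr($^X, 0, 0);
my @inputs = @ARGV
    ? @ARGV
    : map { $_ . $taint } ('report.txt', 'report.txt; echo injected');

for my $in (@inputs) {
    printf "input %-28s tainted=%s\n", "'$in'", tainted($in) ? 'yes' : 'no';

    # Passing tainted data to system() is a fatal "Insecure dependency" error.
    my $ok = eval { system('/bin/echo', '  raw use ran:', $in); 1 };
    print "  raw use blocked: $@" unless $ok;

    # Validate first, then use only the untainted capture.
    my $clean = untaint_filename($in);
    if (defined $clean) {
        system('/bin/echo', '  validated use ran:', $clean);
    }
    else {
        print "  rejected by allow-list, nothing executed\n";
    }
}
```

Taint mode only tracks where data came from; the quality of the check still depends on how strict the untainting regex is.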

There are some programming languages which offer a framework that handles security more implicitly, but it still takes a daft developer to insert some dangerous code. Anyhow, Microsoft have a security guide for ASP.NET applications, whilst Java have their own.

Generally speaking, a developer should do their own code audit and code review before it is released. Naturally, there’s always pressure from sales, marketing, MDs, etc. but in an ideal world, things should be done PROPERLY.

Wifi Hacking with your Pringles Tin

Great link of the week: It is old news that an inexpensive Wireless hacking antenna can be made with a simple Pringles tin!

Back in 2002, Gregory Rehm hosted an Antenna Battle Royale between a Lucent popsicle stick, a couple of Pringles Cans, our Coffee Can, a Hunt’s Tomato Sauce can, and a 40oz can of ‘Big Chunk’ beef stew.


I really loved this idea . . . this to me is hacking at its best, using everyday equipment to perform cool and sometimes extraordinary behaviour. Definitely a good read.

BlogSecurity.net gets Launched

After recognising the need, and taking hints from KaiTou’s sarcasm :), I am happy to announce the launch of http://blogsecurity.net.


BlogSecurity is a site dedicated to providing useful and critical security information for the blog community. We understand that it is difficult to keep track of the latest security vulnerabilities and version updates, and we believe you shouldn’t have to. BlogSecurity aims to provide you with up to date security information for your blog, allowing you to focus on the important stuff, your content.

I am really excited about the blogsecurity project, and really feel there is a real need for educating bloggers around security related issues. Please support the project by adding it to your feed today. Also, I am looking for contributors, so if you’re interested please contact me.

FYI, contributors who want to help with the project (we are currently looking for 2-3 people) will be given a topic to write about for an upcoming month. Random articles can also be submitted with notice. Thanks in advance.

Wireless Penetration Testing Mindmap

The guys at WirelessDefense have put together an awesome wireless penetration testing mindmap. Very nicely done:

Full details can be obtained from the WirelessDefense.org website.

WIFI Hacking

Max Moser and team from remote-exploit.org are doing some great stuff:

- Backtrack
A brilliant linux distribution designed for penetration testers. I have used this distro for a number of tasks (especially WIFI testing) and it just works!

- WIFI Cheat Sheet
Contains up to date information on default WIFI insecurities and vulnerabilities.
