Bonus points for explaining how you improved it.

+1  A: 

Seen: phpMyAdmin moved into the directory _phpmyadmin

Improvement: Disallowed access from outside the company's network.

stesch
Sneaky! That'll fool 'em...
Rich Bradshaw
+2  A: 

Seen: Websites use a complex url to access ajax components rather than actually password protect them such as:

domain.com/3r809d8f09feefhjkdjfhjdf/delete.php?a=03809803983djfhkjsdfsadf

The string has remained constant, the query is random and is designed to stop attackers.

Improvement: Restrict the page to being accessed only from certain IP addresses. Add an authentication string to the query that is a salted hash of the access time.

Rich Bradshaw
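One way to implement the improvement proposed in this answer ("an authentication string that is a salted hash of the access time") is a keyed HMAC over the timestamp with an expiry window, so the string cannot be forged by someone who only sees URLs. This is an added example, not code from the thread; `SERVER_KEY`, `WINDOW_SECONDS`, the `t`/`auth` parameter names and the sample timestamp are assumptions.

```python
import hmac
import hashlib

# Assumption: a secret that lives only on the server. A plain hash of the
# time with a public salt could be recomputed by anyone; a keyed HMAC cannot.
SERVER_KEY = b"constructed-secret-for-this-example"
WINDOW_SECONDS = 300  # how long a generated link stays valid


def make_token(timestamp: int, key: bytes = SERVER_KEY) -> str:
    """HMAC-SHA256 over the access time, hex encoded."""
    return hmac.new(key, str(timestamp).encode("utf-8"), hashlib.sha256).hexdigest()


def build_query(timestamp: int) -> str:
    """Query string an authorised client appends to the protected page."""
    return f"t={timestamp}&auth={make_token(timestamp)}"


def check_query(query: str, now: int, key: bytes = SERVER_KEY) -> bool:
    """Server-side check: valid signature AND timestamp inside the window."""
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    try:
        ts = int(params["t"])
    except (KeyError, ValueError):
        return False
    # Reject stale or future-dated links. Note the remaining caveat: a captured
    # URL can still be replayed until the window closes, so keep it short.
    if not 0 <= now - ts <= WINDOW_SECONDS:
        return False
    # Constant-time comparison so the check itself leaks nothing about the token.
    return hmac.compare_digest(params.get("auth", ""), make_token(ts, key))


if __name__ == "__main__":
    # Constructed sample: a link issued at a fixed time, checked at several instants.
    issued = 1700000000
    q = build_query(issued)
    print(q)
    print(check_query(q, issued + 10))    # within the window
    print(check_query(q, issued + 600))   # expired
```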
+1  A: 

People writing their password on pieces of paper and putting it under their keyboard.

I solved it by logging into their computer with their account and sending out an embarrassing email to the group.

JaredPar
I don't think there is anything wrong with writing your password down at your computer. It is fairly well established that if you have physical access to the computer then all bets are off anyway. What you did was to break the trust that your company had with you.
Peter M
Physical access means all bets are off with the system to which you have physical access. After that access has been gained, it may not translate into resources across the network. That is, until the keylogger or trojan is installed.
Kris Kumler
+2  A: 

Some people like to make their javascript difficult to read (and therefore hack) by using obfuscation. Google is among the users of this technique. At the simplest level, they change the variable and method names to a single inscrutable letter. The first variable is named "a", the second is named "b" and so on. It does succeed in making the javascript exceedingly difficult to read and follow. And it adds some protection to the intellectual property contained in the javascript code, which must be downloaded to the user's browser to be usable, therefore making it accessible to all.

In addition to making it difficult to read the code, this shortening of variable names reduces the size of the javascript code that has to be downloaded to the user's browser. Theoretically, this can reduce network traffic.

Here's an article about Google's obfuscation, and here's a list of available tools.

DOK
Um... no. That obfuscation is a result of packing the JS to save bandwidth. Reducing "getSomeValue()" to "g()" saves considerable bandwidth over time in a large script library. Take a look at www.javascriptcompressor.com
Chris
Um, yes. As I said, javascript minification accomplishes two objectives, one of which is obfuscation. Among the many proponents of this use is this website: http://www.javascript-source.com/javascript-obfuscator.html
DOK
+3  A: 

On a website I did some contract work on I noticed that they were storing double-hashed passwords. From memory, they were storing something like

$encrypted_password = md5( sha1( plaintext_password ) );

When I asked what the purpose of this was, I found out that the guy who wrote the account creation/login script had been reading about dictionary attacks. He figured that no one would ever think to create a dictionary where they hash inputs with md5 and sha1.

I improved the system by adding a random salt column to their user table. I left the double-hashing in though. It doesn't do anything to hurt the security of the system, and to be honest, I thought it was pretty clever for someone who didn't really know much about security to think of this.

Bill the Lizard
I'm not quite sure for md5( sha1( but when doing something like md5( md5( you are actually hurting your security because there now are more strings which match the hash.
Pim Jager
@Pim: Can you provide a reference for this? I'm not doubting you, I'm just curious about this.
Bill the Lizard
@Pim it actually increases the security in 2 ways (assuming the original password is shorter than 32): first your password is 32 characters, secondly offline attacks will take longer.
dr. evil
So reducing your hash length from 160-bits to 128-bits (which is effectively what you're doing with md5(sha1())) doesn't hurt the security of the system? It increases the risk of the pigeon-hole principle. I think it would be better to just stick with sha1(stuff + salt) :)
Bob Somers
Anytime your security scheme includes the phrase "nobody will ever think to...", it's not secure.
Graeme Perrow
@Graeme: That's a pretty good rule of thumb. Of course, I immediately thought of "Nobody will ever think to factor the product of two large primes..." as a counter-example.
Bill the Lizard
That's different because it's not hidden, we all *know* that that's how public key cryptography can be broken. It's just really freakin' hard. :-)
Graeme Perrow
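The scheme described in this answer and the improvement applied to it, side by side, as an added example (not code from the thread or the site in question): the unsalted `md5(sha1(p))` stores the same digest for every user with the same password, so one precomputed table covers all of them, while a random per-user salt forces per-user work. The sample password and the 16-byte salt length are assumptions.

```python
import hashlib
import hmac
import secrets


def double_hash(password: str) -> str:
    """The unsalted scheme from the answer: hex SHA-1 (160 bits) fed into MD5,
    leaving a 128-bit, 32-hex-character digest."""
    inner = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return hashlib.md5(inner.encode("utf-8")).hexdigest()


def new_salt() -> str:
    """Random value for the new salt column; 16 bytes, stored as hex (assumption)."""
    return secrets.token_hex(16)


def salted_double_hash(password: str, salt: str) -> str:
    """The improvement: same double hash, but over salt + password."""
    return double_hash(salt + password)


def verify(password: str, salt: str, stored: str) -> bool:
    # Constant-time comparison so timing does not reveal how much of the
    # stored digest matched.
    return hmac.compare_digest(salted_double_hash(password, salt), stored)


def compare_schemes(password: str) -> dict:
    """Two constructed accounts that happen to share a password."""
    s1, s2 = new_salt(), new_salt()
    h1, h2 = salted_double_hash(password, s1), salted_double_hash(password, s2)
    return {
        # Identical rows: one dictionary of md5(sha1(word)) cracks both at once.
        "unsalted_collide": double_hash(password) == double_hash(password),
        # Different rows: the attacker must redo the dictionary per salt.
        "salted_collide": h1 == h2,
        "verify_ok": verify(password, s1, h1),
        "verify_wrong": verify("not the password", s1, h1),
        "digest_hex_len": len(double_hash(password)),
    }


if __name__ == "__main__":
    for k, v in compare_schemes("correct horse").items():
        print(f"{k}: {v}")
```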
+1  A: 

Similar to @stesch's solution.

Some of the admin pages in our application on the web check for a local IP subnet range, else display access denied. Improvement: access is restricted to users who are inside the network or VPNed to it.

kushin
+1  A: 

Back in the old DBase/Clipper days I worked for a guy who developed an application for a friend of his. This friend wanted to have some "secretly" accessible program or data (I don't recall) that required a password only known to him.

The solution, I was told, was that Clipper opened a DOS prompt in the secret directory, with black text on black background colors (some ANSI control characters accomplished this).

The user had to type in the password, but this being the input line of the DOS command prompt, the "password" was really the name of a batch file that was then executed.

devio
+6  A: 

Real life security by obscurity?

The key to the front door is stashed under a rock nearby, or under the welcome mat, or on top of a high railing.

These are all instances of security through obscurity, as in, it is right out in the open for anyone to grab, but most people won't be able to find it without huge amounts of searching. However, a dedicated attacker can walk right in.

Karl
+1  A: 

I once saw a photography website where you could strip some characters off from the photo thumbnail pictures url to get the full version.

James Van Boxtel
"photography" website....? Sure, uhhuh, and the models all think it's "art" ;-)
AviD
hardy har, it was a site that did graduation pictures.
James Van Boxtel
+1  A: 

Many professional photographer websites use Javascript to prevent people from right-clicking on images to "save as ...". Most of those sites also don't do any watermarking.

I used to surf with referer headers disabled... it's quite surprising how many websites will blow up or flat-out reject you if they don't know where you came from.

One website had a poll and used cookies to prevent you from voting multiple times. You could simply erase that cookie and keep voting. And you could script it all using wget, too.

Tom
A: 

The example I see of this all the time is something being done in source code that the developer assumes no one will ever see. You see this a lot with crypto-keys in particular, embedded right in the source code. A lot of times it is not even a question of decompiling the code, they could outright just use the library.

The solution is always to teach the developer to assume that someone has the source code and can use it against you.

Flory
A: 

Going to great lengths to hide software names and version numbers.

I.e. changing the Tomcat server name and version to some quotes and random numbers (like 666), changing the name and version numbers of regular javascript libraries like scriptaculous and prototype and so on.

In a current project we're using Google Web toolkit (GWT) and this sneaky little thing compiles Java to javascript (which you have little to no control over) and includes the string "GWT" and version number. Totally unacceptable of course so we'll need to make a script that will run after GWT compile to remove all these references(!).

stian
+2  A: 

In a more "real life" example, I don't know if it's intentional or not, but I like the way none of the doorbells in my block have any names on them, and that their numbers seem to have no correlation to the apartment numbers whatsoever. I.e. ring #25 for apartment 605, #13 for apartment 404 and so on. :)

stian
A: 

/admin without password.

Yes I've seen it, it's very real.

dr. evil
It is real and it is bad. But how does that relate to the question?
ya23
A: 

One vendor we deal with requires us to post the username and password in the querystring in ROT-13 "encrypted" format. No joke.

Kevin Tighe
A: 

Security through obscurity is a valid tactic. Plenty of people have turned off replying with version information as a best practice for ftp and apache. Honeypots can be considered an obscured practice, since the attacker doesn't know the layout of the network and gets sucked into them. One high security site I know of assigns their username by a five digit alphanumeric phrase (such as '0a3bg') instead of using logical usernames. Anything that makes breaking into a system more difficult, or take longer, is a valid measure.

Security exclusively through obscurity is bad.

Mike DeMaria
I think that the point is that your security should be good enough that it doesn't need to be obscured.
Rich Bradshaw