Wednesday, November 24, 2010

Spanish Post

Welcome, everyone. For this post, I want to write only in Spanish. I took many years of Spanish when I was in school, and I want to practice it. I have to look up some of the words on the Internet, but I do not use a translator every time. In the coming weeks, I will write more articles in Spanish and describe computer security in Spanish-speaking countries.

Friday, November 19, 2010

SQL Injection

My last post dealt with the topic of SQL injection, so I think it is a good idea to look at this problem in depth. There are various types of code injection, but SQL injection is the most commonly used, making it the most troublesome. Code injection is a very serious security risk, and often results in personal data being compromised. For companies that keep track of high-risk info such as credit card numbers and social security numbers, SQL injection is a major threat that should be taken very seriously. Before I discuss the various methods that are used to protect against code injection, it will be helpful to describe exactly how these attacks work.

Code injection works by placing various programming commands in fields where they don’t belong. These mainly include user name and password fields, along with other user input fields. Although the “name” input field is expecting a name to be entered by a user, someone could easily insert a small line of code and change the function completely. I’ll give a quick example to show how easily SQL injection can be implemented.

When a website asks a user for their name and password, the values are inserted into a SQL statement. This statement checks with the database to make sure the user’s inputs are valid. If the login is unprotected, the SQL query will look like this:

SELECT id
FROM logins
WHERE username = '$username'
AND password = '$password'

If the values for $username and $password are not protected properly, an attacker can easily supply SQL code into one of the input fields and change the function of the query.

Suppose an attacker were to guess “Bob” as a username, and enter this code into the password field:

pass' OR 'x' = 'x    ("pass" could be named anything)

Now the SQL query will look like this:

SELECT id
FROM logins
WHERE username = 'Bob'
AND password = 'pass' OR 'x'='x'

The single quotation mark after “pass” closes the string the query was expecting, so the rest of the input becomes part of the SQL statement itself, which now checks two different things. First, the stored password is compared against “pass”, which will almost certainly be false. Then the injected OR clause checks whether 'x' = 'x', which is always true. Because AND is evaluated before OR, the whole WHERE condition is satisfied, and the attacker is able to bypass the login process and gain entry to the site.

This is a simple example, but with a little knowledge of SQL commands and database naming styles, an attacker could easily navigate through a website’s database and gain access to confidential data. Even worse, once an attacker has gained access to the database, they could potentially delete all existing data. Many programmers today are aware of these risks, and take preventative measures to protect the user’s data. The first step is to make sure only valid text or number combinations are allowed in the input fields. Since the problem of SQL injection has been known for a while, most programming languages provide a simple function for sanitizing user data before it is used in a query.

In PHP, for example, the function mysql_real_escape_string was created for this purpose. It takes a string entered by the user and escapes the special characters (such as the single quote) that would otherwise be interpreted as part of the SQL statement. The function is easy to use, and when it is applied to every piece of user input it protects that data against injection attacks. Despite the simple solution to this problem, there are still many sites unprotected from these attacks. This is a serious and dangerous problem, since it is ultimately the public’s information that is at risk.
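To make the two halves of this post concrete, here is an added example (my own code, not PHP and not from the original post) that builds the login query from the post three ways against a constructed in-memory SQLite table: by string substitution, as in the unprotected query above; with the single quotes escaped by a small stand-in for what mysql_real_escape_string does in PHP; and with bound parameters, which is what the database drivers recommend today. The user "Bob", the sample password, and the table layout are all constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed sample database for this example: one user named Bob."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logins (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO logins (username, password) VALUES ('Bob', 'correct-horse-battery')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string substitution, like the unprotected query in the post.

    Whatever the user types is parsed by the database as SQL.
    Returns the matching id, or None when the login fails.
    """
    sql = "SELECT id FROM logins WHERE username = '%s' AND password = '%s'" % (
        username,
        password,
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def escape_sql_string(value):
    """Simplified stand-in (assumption, not the PHP function) for the escaping step:
    a single quote inside a SQL string literal is written as two single quotes,
    so the quote in the input can no longer close the literal."""
    return value.replace("'", "''")


def login_escaped(conn, username, password):
    """Same string-built query, but the inputs are escaped first."""
    sql = "SELECT id FROM logins WHERE username = '%s' AND password = '%s'" % (
        escape_sql_string(username),
        escape_sql_string(password),
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Passes the inputs as bound parameters: the statement text is fixed and the
    database never parses user input as SQL, so no escaping is needed."""
    row = conn.execute(
        "SELECT id FROM logins WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Runs each login function with the real password and with the post's payload."""
    conn = make_db()
    real = "correct-horse-battery"
    injected = "pass' OR 'x' = 'x"  # the password-field input from the post
    return {
        "vulnerable_correct": login_vulnerable(conn, "Bob", real),
        "vulnerable_injected": login_vulnerable(conn, "Bob", injected),
        "escaped_correct": login_escaped(conn, "Bob", real),
        "escaped_injected": login_escaped(conn, "Bob", injected),
        "param_correct": login_parameterized(conn, "Bob", real),
        "param_injected": login_parameterized(conn, "Bob", injected),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-20s -> %s" % (name, "login accepted" if result else "rejected"))
```

Running it shows the string-built query accepting the injected password (the OR clause makes the WHERE condition true for Bob's row) while the escaped and parameterized versions accept only the real password. Escaping only helps where the input lands inside a quoted string; bound parameters cover every position, which is why they are the better default.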

Tuesday, November 16, 2010

Blog Security

For my first post I thought it would be appropriate to discuss the various security flaws that can be found on blogging websites, and what preventative measures need to be taken to protect blogs from malicious attacks. Since the invention of blogging, users have become victims of several different types of cyber attacks. Most of the issues come from HTML or SQL injection, which inserts new and destructive code into the blogger’s source code. This causes visitors of the blog to be redirected to the attacker’s site, which often contains malware, spyware, or phishing pages.

Blogger.com, the site that I am currently using, is no stranger to these attacks. In 2008, an article on CNET described Blogspot.com (now Blogger.com) as the number 1 host of malware.

One reason that Blogger.com saw so many of these cases is its high number of users. Because Blogger is free for anyone to use, and can be set up in a matter of minutes, it has become a clear target for attackers. Google, which owns Blogger, has taken many steps since 2008 to protect against these known attacks. (That is the only reason my blog is being posted on the site.) Although Google has helped protect against these SQL attacks, there are still other preventative measures that must be taken to protect your blog.

Now that most of the popular blogging websites have found a way to block SQL injection, attackers have turned to posting malicious links in the blog’s comment section. These sites are currently working on comment spam filters; however, it is ultimately up to the blog owner to ensure no malicious links are posted. Although this can be harder to do for large blogs, the easiest way to protect against these posts is by constantly monitoring your blog comments and deleting any suspicious links. If you need to be certain, you might even consider disabling links in your comment section.

Along with these preventative measures, it is also a good idea to back up all of your blog’s content as often as possible. Even if your site is not the victim of a malicious attack, it is still possible for you to lose all your information. This is not only a huge annoyance, but also extremely damaging to anyone using their blog for business purposes. Most blog sites offer a method of saving your content, and I recommend taking full advantage of these methods.

For Blogger.com, the steps are as follows:

1. Log in to Draft.Blogger.Com
2. Click on Settings
3. Click on Export Blog
4. Click Download Blog

Monday, November 15, 2010

Intro

Hello to everyone that has found this blog. My name is Brian Long and I am a recent graduate from St. Edwards University in Austin, TX. I graduated with a computer science degree and was able to learn a variety of skills in the technology field. The reason I decided to start this blog is to educate others on the importance of security in both business and personal settings. I also hope to discover the newest, cutting-edge technologies in the security field and share them here. In the following posts I will explain what the current security methods are, and what types of improvements are expected to be seen in the near future.