Posts tagged: security

Adding Vulnerabilities to Your Code for Fun and Profit

The issue of coders purposely adding time bombs and backdoors to their code has been a potential problem for almost as long as programs have been written.  One of my favorite historical exploits is the one described by Ken Thompson about a modified version of the Unix C compiler.

A programmer’s motives for embedding such exploits into their own code can range from seeking revenge for a real or imagined slight, to retaining access to a resource, to simply seeing whether it can be done, and of course, to stealing money, typically through applications that deal with money.

But Bruce Schneier, in his recent blog posting “The Vulnerabilities Market and the Future of Security”, describes an emerging way for unscrupulous coders to monetize vulnerabilities purposely baked right into the code, or, at the very least, to profit by not reporting discovered vulnerabilities to their employer.

Passphrase Security

Bruce Schneier has a recent post about a new research paper that seems to throw a little bit of cold water on the obvious superiority of passphrases over passwords. Schneier has a pointer to the paper and a less-formal blog summary. The bottom line seems to be: users can choose poor “easily guessed” passphrases, and left to their own devices, they probably will. As usual with Schneier’s blog, many of the comments to the post are insightful and worth reading.

It seems that it might also be much more difficult to check the “quality” of a passphrase than a password. You’d like to be able to say things like: “Maybe you shouldn’t use Psalm 23:1 (King James Version) as a passphrase.”

A Couple of Password Links

PHP Data Sanitization w/ Filter

PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded easily into HTML. PHP is particularly well designed for dynamic Web applications, server-side scripting and database interaction. However the ease of accessing data stores and presenting dynamic information to users can lead to serious security risks when user input is involved.

Data sanitization is a simple way of taking any data input by a user and filtering out any content your application is not expecting (and wants to avoid!). Never trust that the data a user inputs will be accurate or harmless. PHP 5.2.0 ships with the filter extension, whose functions (such as filter_var()) provide basic validation and filtering of specific types of data based on their arguments:

<?php
$myIPaddress = "10.10.141.3";

// filter_var() returns the validated value on success and false on failure.
// The variable passed to filter_var() must be the one being checked.
if (filter_var($myIPaddress, FILTER_VALIDATE_IP)) {
     echo $myIPaddress." is a valid IP address";
} else {
     echo $myIPaddress." is not a valid IP address";
}
?>

This basic check runs filter_var() against the variable $myIPaddress to ensure it holds a valid IP address. Performing such checks on user-supplied data arriving via the $_GET or $_POST superglobal arrays is an absolute necessity for any user input field in an application. The filter functions provide standard data filtering, saving the time and effort of writing custom functions to filter data.

There are many variations of these functions to check various types of data. Visit http://www.w3schools.com/PHP/filter_validate_ip.asp for more information on specific syntax.
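The following is an added example, not code from the original post, showing how the same filter functions validate several kinds of request parameters; the $request array is a constructed stand-in for $_GET so the script runs from the command line (in a web request, filter_input(INPUT_GET, ...) takes the same filter and options arguments).

```php
<?php
// Constructed sample input standing in for $_GET (assumed values).
$request = [
    'ip'    => '10.10.141.3',
    'port'  => '0',
    'email' => 'alice@example.com',
    'slug'  => 'hello-world',
];

// filter_var() returns false on failure, so compare with === false:
// a valid port "0" comes back as int 0, which a truthiness check would
// wrongly reject.
$port = filter_var($request['port'], FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 0, 'max_range' => 65535]]);
if ($port === false) {
    exit("invalid port\n");
}

// Flags narrow what counts as valid: here, a public, non-reserved IPv4.
$ip = filter_var($request['ip'], FILTER_VALIDATE_IP,
    FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
// 10.10.141.3 is an RFC 1918 private address, so $ip is false here.
echo $ip === false ? "ip rejected: not a public IPv4\n" : "ip ok: $ip\n";

$email = filter_var($request['email'], FILTER_VALIDATE_EMAIL);

// Free-form fields get an explicit allowlist of characters and length.
$slug = filter_var($request['slug'], FILTER_VALIDATE_REGEXP,
    ['options' => ['regexp' => '/^[a-z0-9-]{1,64}$/']]);

// Validation checks the shape of the input; escaping at output time is
// still required before a value is placed into HTML.
if ($email !== false && $slug !== false) {
    echo '<p>' . htmlspecialchars("$email / $slug", ENT_QUOTES, 'UTF-8') . "</p>\n";
}
```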
