Thread: PHP security - EPIC breach

2007-08-03 08:06:16
Team,

The EPIC site has suffered a security breach late last week and has been taken offline.

WHAT
- an intruder obtained the username and password to an EPIC admin account
- the intruder logged in and injected malware code (mainly javascript) into the EPIC pages, in the form of trojan horses
- the intruder sent a SPAM e-mail to all the EPIC users using the "mass e-mail" function

WHO
- the IP address maps to a computer in New Jersey, but the intruder was likely hiding behind one or many open proxies

HOW
- there are several ways to obtain credentials to a website: trojan horses, keystroke loggers, network sniffing, virii/malware installed on your computer, etc.
- javascript code is dangerous, and can easily be obfuscated to avoid detection from the best of security applications, even the browser itself


As we are all responsible for code on high-profile sites, it's our job to be secure. Although most of you find security to be cumbersome, it's important. The higher level of access you have, the higher the requirements for security. High-profile sites are targets for attack, due to the sheer number of visitors and the increased potential for impact.

What you can do to help:

a) if you have admin access to a site, apply the same logic as accessing your bank account online: DO NOT save your username and password in your browser. Change your password once in a while. Do not log in from an untrusted computer. Do not log in from an untrusted network. Do not log in if the site doesn't support https. If you're unsure, don't.

b) assume data from the browser is out to destroy you. Sanitize HTTP parameters. Inspect file attachments. DO NOT trust incoming HTML.

c) look at everyone's code. The Phoenix team is not the sole author of code on our site. Ask for peer review of your code. If you're not sure if your code is secure, ask.

d) avoid using MSIE. Use Firefox. Make sure your antivirus and operating system are up-to-date (the Foundation IT has enabled this on your computer at work, but they don't have access to your computer at home). Run a firewall. Don't open or download Windows executables.


Thanks for helping maintain the security of our site!


Denis




-- 
Denis Roy
Manager, IT Infrastructure
Eclipse Foundation, Inc.  --  http://www.eclipse.org/
Office: 613.224.9461 x224 (Eastern time)
Cell: 819.210.6481
denis.roy@eclipse.org

_______________________________________________
phoenix-dev mailing list
phoenix-dev@eclipse.org

https://dev.eclipse.org/mailman/listinfo/phoenix-dev
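As an added illustration of point (b) in the message above (it is not part of Denis's post or of the EPIC code base): a small PHP fragment that allowlists an HTTP parameter and HTML-encodes browser-supplied text before echoing it back, so an injected script tag is rendered as literal characters instead of being executed by visitors' browsers. The function names and the sample request are constructed for this example.

```php
<?php
declare(strict_types=1);

// Validate one HTTP parameter against an allowlist pattern.
// The value is returned only when it matches; anything else is rejected (null).
function validate_param(array $params, string $name, string $pattern): ?string
{
    if (!isset($params[$name]) || !is_string($params[$name])) {
        return null;
    }
    return preg_match($pattern, $params[$name]) === 1 ? $params[$name] : null;
}

// Treat browser-supplied text as text: encode it before it reaches an HTML page,
// so "<script>" becomes "&lt;script&gt;" and cannot run in the visitor's browser.
function escape_html(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Build a greeting from request parameters, applying both rules above.
// Note: this never inserts incoming HTML as markup; if rich HTML must be
// accepted, a dedicated HTML sanitizer is needed, not strip_tags().
function render_greeting(array $params): string
{
    // Hypothetical "user" parameter: short, alphanumeric, no markup possible.
    $user = validate_param($params, 'user', '/\A[A-Za-z0-9_.-]{1,32}\z/');
    if ($user === null) {
        return '<p>Invalid user parameter.</p>';
    }
    // Free-text "comment" parameter: accepted as a string, but always encoded.
    $comment = is_string($params['comment'] ?? null) ? $params['comment'] : '';
    return '<p>Hello ' . escape_html($user) . ': ' . escape_html($comment) . '</p>';
}

// Constructed sample request, standing in for $_GET, carrying an injected script tag.
$sample = [
    'user'    => 'denis',
    'comment' => '<script src="http://example.invalid/injected.js"></script>',
];
echo render_greeting($sample), PHP_EOL;

// A user value containing markup fails the allowlist and is rejected outright.
$rejected = ['user' => 'denis<script>'];
echo render_greeting($rejected), PHP_EOL;
```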