Posted: 05-Dec-2014 | Category: Technology | Uploaded by: owen-winkler
Security 101: Some of what you need to know
Owen Winkler, Rock River Star
http://RockRiverStar.com/ | @ringmaster
The plan
- What security is
- Security on the web
- Types of threats
- Tools and sites
- Impact of security

What security is
Wikipedia says:
- Ancient Greek “Se-Cura” – “without fear”
- Obtain freedom from fear

Layers of Security
- Gate, house, safe
- Convenience

What to do when my crap gets stolen…
- Call cops
- Replace it
- Steal it back
- File insurance claim
Just like real security

Computer security
Application Security
- Password strength
- Social engineering
Password Strength
http://www.wired.com/politics/security/commentary/securitymatters/2006/12/72300
Top 20 Passwords: password1, abc123, myspace1, password, blink182, qwerty1, fuckyou, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1,
And of course… monkey

Passwords
- People don’t care
- L3tt3r5 a5 numb3r5
- Master password
- Signed logins
- Sharing and storing
- Two-factor!

The inverse of layered security is…
- Site password
- Database password
- Server password
- Account password
- Datacenter access
- Global economic failure
- Thermonuclear war

Permissions
- Authentication vs. Authorization
- See only authorized information
- Post-deployment accounts
Vulnerabilities
From Wikipedia: A weakness that makes a threat possible
- Input validation
- XSRF – Cross-site request forgery
- XSS – Cross-site scripting
- SQL-I – SQL injection

Input Validation
- Every input & every output
- Filter for what you want
- Validation in Drupal:
  - Ajax
  - View arguments
  - PHP execution
  - Input filters
  - check_plain() and check_markup()

XSS
- Bad input/output filtering
- Elevated user privileges

XSRF
- Form on a remote site
- Social engineering

SQL injection
- Bad input filtering
- Insert from the querystring
- Drupal mostly safe

Testing
- Automated testing
- Eyeball inspection
- Expectation

Drupal Security
- Direct advisories – http://drupal.org/security
- Contrib – http://drupal.org/security/contrib
- New Reports: [email protected]

Server permissions
- Computer-level security
- User uploads:
  - File types
  - Sizes
  - SFTP
  - Directories
chmod & chown
- Mode settings
- Three octal values
- UGO – User, Group, Other
- RWX – Read (4), Write (2), Execute (1)

    sudo chmod -R ugo+r *

- chown sets owner:group

    sudo chown -R owen:apache *

- What is +s?
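The octal arithmetic behind the UGO/RWX slide and the +s question, as an added shell example that is not part of the deck: it turns an rwx triple into its octal digit, reads back the mode the kernel actually stores (assumes GNU coreutils `stat -c` and a scratch directory from `mktemp`), and lists any setuid/setgid files under a tree, which is the check to run over a user-upload directory.

```shell
#!/bin/sh
# Added example (not from the deck): UGO/RWX octal arithmetic and the +s bit.
# Assumes GNU coreutils (stat -c) and a scratch directory created by mktemp.
set -e

# One rwx triple -> one octal digit: r=4, w=2, x=1 (plain r/w/x letters only).
octal_digit() {
  d=0
  case "$1" in *r*) d=$((d + 4)) ;; esac
  case "$1" in *w*) d=$((d + 2)) ;; esac
  case "$1" in *x*) d=$((d + 1)) ;; esac
  printf '%s' "$d"
}

# Nine-character ls-style string -> three octal digits, e.g. rw-r----- -> 640.
symbolic_to_octal() {
  u=$(printf '%s' "$1" | cut -c1-3)
  g=$(printf '%s' "$1" | cut -c4-6)
  o=$(printf '%s' "$1" | cut -c7-9)
  printf '%s%s%s' "$(octal_digit "$u")" "$(octal_digit "$g")" "$(octal_digit "$o")"
}

# Apply a mode to a scratch file and read back what the kernel stores.
# A fourth, leading digit is the special-bit field: 4 = setuid (u+s),
# 2 = setgid (g+s), 1 = sticky. So u+s on a 755 file reads back as 4755.
demo_mode() {
  tmp=$(mktemp -d)
  : > "$tmp/upload.php"        # constructed scratch file
  chmod "$1" "$tmp/upload.php"
  stat -c '%a' "$tmp/upload.php"
  rm -rf "$tmp"
}

# List regular files carrying setuid or setgid under a tree. +s makes a
# program run with its owner's (or group's) identity rather than the
# caller's, so nothing in a web upload directory should carry it; an empty
# result is the expected state.
find_setid() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}
```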
Hosting & PHP
- Up to date
- Patched applications
- eval() and other evils
- Performance
- Reliability

Backups
- s3cmd
- rsync
- Subversion!
- Host-based recovery

Impact of Implementation
- Why I care about you: bot-nets
- Appreciative users & clients

Any questions or additional topics?