Choosing strong passwords and user motivation

One of the main reasons passwords get cracked is that users choose weak ones. Motivation is a key driving force in anything we do, and that applies to choosing good passwords too. Unless an account of theirs has been hacked before, users have little motivation to create strong passwords. (The average user overestimates the strength of their password and underestimates the ingenuity of the attacker.) Of course the user is not entirely to blame. Creating a strong password is hard work; you need to balance the complexity of the password against memorability. Choose a strong password and the chances are high that you will forget it if you do not use it regularly.

Read More

Security ‘Challenge Questions’ and the social web

Lately I’ve been a little paranoid about posting details about myself on the social web, especially Facebook. In fact I’ve gone off it completely (I was never a fan of it in the first place). I’m surprised by the amount of personal information people post on the social web.

One of my concerns is the ‘Challenge Questions’ used by major websites such as Gmail and Hotmail for authentication, mostly during account recovery. Take for example the challenge questions offered by Gmail:

What is the name of your manager at your first job?
What is the name of your best friend from childhood?
What was the name of your first teacher?

Answers to most of the above questions can be gathered with a little digging around your social stream, making it easier for a malicious person to take over your account. Aggregators such as IdentEngine, a JavaScript library, make it even easier to locate your profiles around the social web. In short, the social web “leaks” security information.

Read More

Encode your email links to prevent spam

One of the popular ways to hide an email address on a web page from spam bots is to display it as an image or to write ‘[at]’ instead of the ‘@’ sign. The code given here is yet another way to fight spam. The function below lets you encode an email address or other link into its equivalent HTML entity encoded form, so that the address never appears in plain text in the page source. The browser decodes the entities and displays the correct address to the user, but a spam bot has to decode the string before it can read it. Of course we now have quite sophisticated crawlers that can undo this kind of encoding, so treat it as a speed bump rather than a guarantee; crawlers that rely on simple regular expressions over the raw HTML will still find it difficult to grab the email links from the page.
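The following is an added example, not the function from the original post: it encodes a mailto: link as decimal HTML character references and then runs two constructed harvester regexes over the result, one that reads the raw HTML and one that decodes entities first, to show exactly which kind of bot the trick defeats. The address `webmaster@example.com` is a made-up sample.

```python
import html
import re


def entity_encode(text: str) -> str:
    """Encode every character as a decimal HTML numeric character reference
    (e.g. '@' becomes '&#64;'). A browser renders this exactly like plain text."""
    return "".join(f"&#{ord(ch)};" for ch in text)


def encode_mailto_link(address: str, label: str = "") -> str:
    """Return an <a> element whose mailto: href and visible text are both
    entity encoded, so the address appears nowhere in the markup in plain form."""
    if address.count("@") != 1:
        raise ValueError("expected a single email address")
    href = entity_encode(f"mailto:{address}")
    text = entity_encode(label or address)
    return f'<a href="{href}">{text}</a>'


# The kind of regular expression a simple address harvester runs over page source.
NAIVE_EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def naive_harvest(page: str) -> list:
    """What a regex-only bot sees: it matches against the raw HTML and never
    decodes entities, so an encoded address is invisible to it."""
    return NAIVE_EMAIL_RE.findall(page)


def decoding_harvest(page: str) -> list:
    """What a slightly smarter bot sees: decode entities first, then apply the
    same regex. This is all it takes to defeat entity encoding."""
    return NAIVE_EMAIL_RE.findall(html.unescape(page))


if __name__ == "__main__":
    link = encode_mailto_link("webmaster@example.com")   # constructed sample address
    print(link)
    print("naive bot finds:   ", naive_harvest(link))
    print("decoding bot finds:", decoding_harvest(link))
```

The decoding harvester finds the address twice (once in the href, once in the link text), which is the practical limit of this technique: it costs a bot one call to an entity decoder, so combine it with a form-based contact page or a mail gateway if the address genuinely must stay private.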

Read More

Encrypting uploaded files in PHP

During a recent project, the client requested that uploaded files be encrypted for security reasons. As I already had the upload code written and tested, I just needed to add encryption to it. Having earlier come across Zend’s useful Zend_Filter component, I decided to use Zend_Filter_Encrypt and Zend_Filter_Decrypt to do the work. The Zend_Filter component provides a set of common data filters, among them the encryption filters. Although my project was not built on Zend, I could easily integrate the required classes into the code. Note that Zend also has a good upload library, Zend_File_Transfer, that lets you manage file uploads along with encryption, but since my upload code was already tested I decided to just add the encryption part.
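As an added example of the same idea in Python rather than Zend_Filter (this is not the post’s code nor Zend’s API), the block below encrypts each uploaded file with AES-GCM, stores it under a random server-chosen name, and binds the original filename into the authentication tag so a blob cannot be swapped under another name. It assumes the `cryptography` package is installed; the key handling, filenames and directory are illustrative.

```python
import secrets
from pathlib import Path

from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12   # 96-bit nonce, the size recommended for AES-GCM
TAG_LEN = 16     # AES-GCM appends a 128-bit authentication tag


def new_key() -> bytes:
    """Generate a 256-bit key. In production keep it outside the web root and
    separate from the database that stores the file metadata."""
    return AESGCM.generate_key(bit_length=256)


def encrypt_upload(plaintext: bytes, key: bytes, original_name: str) -> bytes:
    """Encrypt one uploaded file. The original filename is bound as associated
    data, so a ciphertext served under a different name fails to decrypt."""
    nonce = secrets.token_bytes(NONCE_LEN)          # fresh random nonce per file
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, original_name.encode("utf-8"))
    return nonce + ciphertext                       # nonce is not secret; keep it with the blob


def decrypt_upload(blob: bytes, key: bytes, original_name: str) -> bytes:
    """Reverse of encrypt_upload. Raises cryptography.exceptions.InvalidTag if the
    blob was modified, or if the key or filename does not match."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("stored blob is too short to be a valid encrypted upload")
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ciphertext, original_name.encode("utf-8"))


def store_upload(upload_dir: Path, data: bytes, original_name: str, key: bytes) -> Path:
    """Write the encrypted blob under a random name. The client-supplied filename
    is never used to build the path, which also rules out path traversal."""
    upload_dir.mkdir(parents=True, exist_ok=True)
    dest = upload_dir / (secrets.token_hex(16) + ".enc")
    dest.write_bytes(encrypt_upload(data, key, original_name))
    return dest


def load_upload(path: Path, original_name: str, key: bytes) -> bytes:
    """Read a stored blob back; the caller supplies the filename recorded at upload time."""
    return decrypt_upload(path.read_bytes(), key, original_name)


if __name__ == "__main__":
    key = new_key()
    # Constructed sample upload; in the real handler this is the request body.
    stored = store_upload(Path("uploads"), b"%PDF-1.4 sample", "report.pdf", key)
    print("stored as", stored)
    print("round trip ok:", load_upload(stored, "report.pdf", key) == b"%PDF-1.4 sample")
```

Two points worth noting against a plain symmetric-cipher filter: an authenticated mode such as GCM detects tampering instead of silently returning garbage, and a per-file random nonce means identical uploads produce different ciphertexts, so an attacker who can read the upload directory learns nothing from duplicates.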

Read More

Prevent hotlinking of your site images

A common problem for image-intensive sites is “image theft”, also known as hotlinking: other sites embed images hosted on your server, and every view is served from your bandwidth. For small sites that pay by the gigabyte this can be quite a problem. For example, if a hotlinked 150 KB image on your site is requested 1000 times a day, that is roughly 146 MB of wasted transfer from your site daily. Add a few more images and the bandwidth costs quickly add up. A simple way to stop it is to use .htaccess rules that refuse image requests whose Referer header points to another site.
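Added example, not from the original post: the Apache rules in the comment are the usual Referer check, and the Python function below mirrors their decision logic so the edge cases can be tested. The host names `example.com` / `www.example.com` and the request paths are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the site being protected is example.com; change to your own host names.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
IMAGE_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif")

# The .htaccess rules this function mirrors:
#
#   RewriteEngine On
#   RewriteCond %{HTTP_REFERER} !^$
#   RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
#   RewriteRule \.(jpe?g|png|gif)$ - [F,NC,L]
#
# The first condition lets requests with an empty Referer through (direct visits,
# privacy extensions, some proxies); the second lets your own pages through;
# every other request for an image file gets a 403.


def referer_host(referer: str) -> str:
    """Lower-cased host part of a Referer URL, or '' if it cannot be parsed."""
    try:
        return (urlsplit(referer).hostname or "").lower()
    except ValueError:
        return ""


def allow_image_request(path: str, referer: str = "") -> bool:
    """Decide whether to serve the requested path given the Referer header
    (pass '' when the header is absent)."""
    if not path.lower().endswith(IMAGE_SUFFIXES):
        return True                      # the rule only covers image files
    if not referer:
        return True                      # blank Referer is allowed, as in the rules above
    return referer_host(referer) in ALLOWED_HOSTS


if __name__ == "__main__":
    # Constructed sample requests.
    for path, ref in [("/img/logo.png", "https://www.example.com/about"),
                      ("/img/logo.png", "https://forum.example.org/thread/1"),
                      ("/img/logo.png", ""),
                      ("/index.html", "https://forum.example.org/")]:
        print(path, repr(ref), "->", "serve" if allow_image_request(path, ref) else "403")
```

Two caveats a practitioner should keep in mind: the Referer header is set by the client, so this stops casual embedding and the bandwidth drain, not a determined scraper; and if you tighten the rules to also block empty Referers you will break visitors who paste a direct image URL or browse with Referer stripped.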

Read More

How to Fix PHP Vulnerabilities (So Your Site Won’t Get Hacked)

As a programming language, PHP has many advantages, but security has always been a major issue. Partly these problems are inherent to the language itself: PHP was meant to be an easy and powerful programming language, and security came second. Add bad coding and non-adherence to even the basic security rules, and the situation gets out of control.

Fortunately, it is possible to fix PHP vulnerabilities and make PHP applications more secure. Some of the defenses are common to all programming languages, while others are specific to PHP. Here are some of the best defenses you have when you want to fix PHP vulnerabilities and make your site more secure.

Read More

Scanning web pages for malicious scripts

With the recent surge of malicious JavaScript injections on the web, it has become necessary to regularly check your web sites for injected code. I created a small PHP script that checks a list of URLs for malicious JavaScript. This comes in handy if you have many client websites under your control.

The PHP script reads two text files, ‘urls.txt’ and ‘malicious.txt’: the first containing the list of web pages to be scanned and the second containing malicious script signatures. The script scans the URLs for the signatures and, if any infections are found, saves the results in ‘infected.txt’. The script is meant to be run from the command line so that you can watch the progress of the scan when checking a large number of URLs.
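The same scanner written in Python as an added example (this is not the PHP script from the post). It reads signatures in a simple format that is an assumption here: a line wrapped in slashes, optionally followed by `i`, is a regular expression, anything else is a literal substring. The signature list and the two sample pages are constructed so the block runs offline; the `http_fetch` function is what you would pass in for a real run over urls.txt.

```python
import re
import urllib.request


def compile_signatures(lines) -> list:
    """Turn signature lines into (name, regex) pairs. '/.../' or '/.../i' is a
    regular expression; anything else is matched as a case-insensitive literal.
    Blank lines and '#' comments are ignored."""
    sigs = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        last = line.rfind("/")
        if line.startswith("/") and last > 0:
            flags = re.IGNORECASE if "i" in line[last + 1:] else 0
            sigs.append((line, re.compile(line[1:last], flags)))
        else:
            sigs.append((line, re.compile(re.escape(line), re.IGNORECASE)))
    return sigs


def scan_html(page: str, sigs) -> list:
    """Names of every signature that matches somewhere in the page body."""
    return [name for name, rx in sigs if rx.search(page)]


def http_fetch(url: str, timeout: float = 10.0) -> str:
    """Fetch a page for a real scan; failures propagate to scan_urls."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def scan_urls(urls, fetch, sigs, progress=None) -> dict:
    """Scan each URL with the given fetch function; returns {url: [hits]} for
    infected pages only. Fetch errors are reported via progress and skipped."""
    infected = {}
    for url in urls:
        try:
            hits = scan_html(fetch(url), sigs)
        except Exception as exc:                 # DNS failure, HTTP error, timeout
            if progress:
                progress(f"{url}: fetch failed ({exc.__class__.__name__})")
            continue
        if progress:
            progress(f"{url}: {'INFECTED' if hits else 'clean'}")
        if hits:
            infected[url] = hits
    return infected


def write_report(infected: dict, path: str = "infected.txt") -> None:
    """Write one tab-separated line per infected URL, like the post's infected.txt."""
    with open(path, "w", encoding="utf-8") as fh:
        for url, hits in infected.items():
            fh.write(f"{url}\t{'; '.join(hits)}\n")


# Constructed sample signatures, in place of malicious.txt.
SAMPLE_SIGNATURES = [
    "# literal substrings and /regex/ patterns",
    "eval(unescape(",
    "document.write(unescape(",
    '/<iframe[^>]+(?:width|height)=["\']?0["\']?[^>]*>/i',       # hidden iframe
    r"/String\.fromCharCode\((?:\d+,\s*){20,}/",                  # long char-code blob
]

# Constructed sample pages, in place of fetching urls.txt.
SAMPLE_PAGES = {
    "http://clean.example/": '<html><body><p>Hello</p><script src="/app.js"></script></body></html>',
    "http://infected.example/": ('<html><body><script>eval(unescape("%64%6f%63%75"))</script>'
                                 '<iframe src="http://bad.example/x" width="0" height="0">'
                                 '</iframe></body></html>'),
}

if __name__ == "__main__":
    sigs = compile_signatures(SAMPLE_SIGNATURES)
    results = scan_urls(SAMPLE_PAGES, SAMPLE_PAGES.__getitem__, sigs, progress=print)
    write_report(results)
    # Real run: scan_urls(open("urls.txt").read().split(), http_fetch,
    #                     compile_signatures(open("malicious.txt")), progress=print)
```

Signature scanning only finds what is already in the list, and injected code is frequently served conditionally (only to certain User-Agents or Referers, or only once per IP), so a clean result from a scanner is weaker evidence than a clean result from the files on disk. Fetching with the User-Agent of a real browser and comparing against a checksum of the deployed files catches more.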

Read More

Top 25 Most Dangerous Programming Errors

Security has always been an issue in software development, mainly due to ignorance, laziness and a nonchalant attitude among programmers (I’m one of the guilty ones). ‘Security’ is the one section of a project scope that gets consistently ignored, not only by developers but also by management. In defense of myself and other programmers I would have to say that writing secure software is hard work, and with all the pressure from management and clients to get the software delivered, it’s no wonder that programmers turn a blind eye towards security. But that is surely not an excuse to deliver a product full of security vulnerabilities.

Read More