Hackers will try many different approaches to compromise your site. Social engineering is a technique that requires little or no technical knowledge and can be just as effective as an attack on a large security hole in the site's code.



Security - Social Engineering - Part 3

In part 1 and part 2 of this series I covered database security and website exploits such as cross-site scripting (XSS) and SQL injection. In this article I will look specifically at social engineering.
 
Social engineering, put simply, is the practice of convincing someone that you are trustworthy and should be given something that they have and you need. This practice has been applied to hacking computer systems since the beginning of the Information Age and can be much more cost and time effective than searching for an obscure security hole to exploit.
 
There are many high profile examples of social engineering these days, including 419 email scams, 'phishing' websites and phone scams. But it may surprise you that companies and corporations can also fall victim to social engineering.
 
Imagine the following scenario:
A large company has a password protected software development server (say CVS or Subversion) which is accessible from the internet. A hacker has been probing the company's network and has found this server but is unable to gain access.
 
The hacker phones the company's internal help desk and asks to talk to the technical support team. The hacker says he is working for the software development director (a name probably freely available on the company's website) and needs urgent access to the server because his computer has crashed and he has lost his log-in credentials.
 
The technical support team member answering the call takes the bait and gives away a set of user credentials (username and password). The hacker uses them to gain access to the server and plants a trojan in the source code of the company's flagship product.
 
This attack required no technical knowledge to gain access to the server.
 
That's just stupid, isn't it?
These scenarios arise because the people holding the keys don't know what procedures to follow, or who is and isn't supposed to be given access to what. Also, where procedures do exist, they are not always well known or followed by company staff.
 
Solutions
The solutions are simple and you can probably guess what they are from what I've already said:
  • Make sure that there are clear and thorough procedures for accessing company data
  • Make breaking or not knowing those procedures a disciplinary offense
  • If someone wants remote access to the data, make sure there is a secure method they can use to authenticate themselves. (more on this below)
  • Don't needlessly give away information to the general public which could be used to fake an authentication.
  • Pre-agree methods for sending sensitive data to staff when they need it (i.e. a pre-agreed mail box) and make sure they can't change them over the phone or by email.
Authentication
Authentication is a sticky issue and difficult to get right. The best method I've seen for serious authentication is the 'something you know, something you have' method.
 
In this approach you have a piece of information that only you and the system you are trying to access know, like a username or a password (or both); this is the 'something you know'.
 
The 'something you have' would be something like a random number generator in a key-fob which is synchronised with a random number generator on the system you are trying to access.
 
In this way, only the person with the right username/password and with the random number key-fob in their possession would be able to authenticate themselves to the system (or help desk operative).
 
This might sound a little bit 'mission-impossible' but banks are now starting to use this approach and high-end firewall and VPN vendors have been doing this for a while.
 
Conclusion
This is the last part of my 'how websites get hacked' series. I've tried to cover as many points as possible, but security is a huge subject with many subtleties, and many encyclopedia-sized books are written about it every year.
 
Hopefully I have provoked some thought, raised more questions in your mind and inspired you to go off and find out more.
 
As always, if you have more specific questions or you would like to talk to me about doing some work for you then drop me a line!