Intruding into Dummy Websites
Posted Monday, June 1, 2009 6:04 PM
Mr or Mrs. 500
Comments posted to this topic are about the item Intruding into Dummy Websites


Best wishes,

Phil Factor
Simple Talk
Post #727067
Posted Tuesday, June 2, 2009 3:12 AM
Grasshopper
An excellent idea Phil. Reminds me of Richard Feynman's stories of cracking the combination locks on his colleagues' filing cabinets at MIT: the numbers were usually based on spouses' birthdays. I think he also liked to leave gifts inside.

Having a dummy defensive position to attack, out in the public domain, is also not unlike the way the M.o.D (UK Defence Department) carry on in Salisbury Plain. Perhaps we could use www.imbervillage.com as the domain for your Ninja maneuvers, in memory of the real English village of Imber, which was invaded by Brit and American forces in 1943 to use for attack practice.

Brigadier Dick "Tari" Webstock
Post #727230
Posted Tuesday, June 2, 2009 4:20 AM
SSC Veteran
Perhaps we can have multiple databases, each of which demonstrates a different "level" of security. E.g. for SQL injection, one could have none at all, the next could include just some basic escaping of certain SQL commands, one could use stored procedures instead, etc.

That way, we can demonstrate the differences between each technique, along with pros and cons, so junior DBAs can see exactly what each one provides and examples for implementation.


Paul

Post #727283
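As an added example (not code from the thread, the article, or SQLServerCentral), here are the three "levels" Paul describes side by side: no defence, quote-escaping only, and a parameterised query. Python's built-in sqlite3 stands in for SQL Server so it runs offline; the users table, its two rows and the attack strings are all constructed here.

```python
"""Three 'levels' of SQL injection defence, side by side.

Added example, not from the original thread. Uses sqlite3 in place of
SQL Server so it runs anywhere offline; all data is constructed.
"""
import sqlite3


def make_db():
    """Constructed sample data: one admin and one ordinary user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", 1), ("bob", "hunter2", 0)],
    )
    return conn


# Level 0: no defence at all; the statement is built by string concatenation.
def login_level0(conn, name, password):
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


# Level 1: "basic escaping" of the one character the developer thought of.
def escape_quotes(s):
    return s.replace("'", "''")


def login_level1(conn, name, password):
    sql = ("SELECT name FROM users WHERE name = '" + escape_quotes(name)
           + "' AND password = '" + escape_quotes(password) + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def count_by_flag_level1(conn, is_admin):
    # The same escaping applied to a numeric column: there is no quote to
    # escape, so the attacker does not need one.
    sql = "SELECT COUNT(*) FROM users WHERE is_admin = " + escape_quotes(is_admin)
    return conn.execute(sql).fetchone()[0]


# Level 2: parameterised query. The driver sends values separately from the
# SQL text, so user input can never change the statement's structure.
def login_level2(conn, name, password):
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None


def count_by_flag_level2(conn, is_admin):
    return conn.execute(
        "SELECT COUNT(*) FROM users WHERE is_admin = ?", (is_admin,)
    ).fetchone()[0]


# Constructed attack inputs.
BYPASS = "' OR '1'='1"        # classic tautology in a string context
NUMERIC_ATTACK = "0 OR 1=1"   # no quotes needed against a numeric column


def demo():
    """Run each level against the same attacks and return what it leaked."""
    conn = make_db()
    return {
        "level0_bypass": login_level0(conn, "alice", BYPASS),          # 'alice'
        "level1_bypass": login_level1(conn, "alice", BYPASS),          # None
        "level1_numeric": count_by_flag_level1(conn, NUMERIC_ATTACK),  # 2 (every row)
        "level2_bypass": login_level2(conn, "alice", BYPASS),          # None
        "level2_numeric": count_by_flag_level2(conn, NUMERIC_ATTACK),  # 0
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The middle level is the one worth dwelling on in a training site: quote-doubling stops the textbook `' OR '1'='1` payload, yet the same escaping function leaves a numeric predicate wide open, which is exactly the "pros and cons" contrast junior DBAs need to see. On the stored-procedure level, the caveat is that a procedure is only as safe as its body: a procedure that concatenates its arguments into dynamic SQL and runs it with EXEC is back at level 0.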
Posted Tuesday, June 2, 2009 4:53 AM
SSC-Enthusiastic
Just a quick note to warn any Brits reading this that, under British law, attacking a server or database without the owner's express permission is illegal under criminal law. Claiming that it was for educational purposes is not a valid defence.
The article suggested that the author was not aware, or did not care about this.


Throw away your pocket calculators; visit www.calcResult.com

Post #727298
Posted Tuesday, June 2, 2009 6:28 AM
SSChampion
Good idea Phil.

Most companies need to actually set up a parallel system, with dummy data, and "tiger team" it, by deliberately hacking the fake site. Any dummy data they pull up would be real data on a real site, and that's enough to know what needs more security.


- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread

"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
Post #727376
Posted Tuesday, June 2, 2009 6:40 AM
Hall of Fame
It would be great to see a site set up specifically for the purpose of showing how database security measures work. The only downside is that junior hackers could sign up for the site under false credentials and then get quick training on how to hack others' sites. Would we just assume that hackers would get their information from wherever on the web anyway and that the majority of the site users would be good-natured DBAs and developers looking to prevent issues with their own sites? Would there be any sort of governmental rules on setting up a site like this even if it is for educational purposes only?

I definitely like the concept.
Post #727384
Posted Tuesday, June 2, 2009 6:49 AM
SSC Rookie
I think a practice web site would be a fantastic idea. Just as important as this, though, a second web site, or the web site duplicated in a different folder, should also be set up where everything is secured, with each page having an explanation of how it is now secure and what was done to make it secure. It is one thing to figure out how to break into a website but another to figure out what to do to make sure that the websites that you develop do not end up suffering the same fate.
Post #727395
Posted Tuesday, June 2, 2009 7:28 AM
SSC Rookie
I believe this is a worthwhile exercise. Nothing educates like experience.

The fear is that nefarious hackers would get hold of the site and turn it into a weapon against those using it for training.

Perhaps the community can develop a Hack-O-Matic canned version for download, complete with instructions and scenarios, rather than relying on a third-party hosted environment. Being able to play with it behind closed doors, as it were, would assist many in evolving not only their security practices but their inherent understanding as well.

You have my vote and support in making this a reality.

Regards;
Greg
Post #727421
Posted Tuesday, June 2, 2009 7:45 AM
SSCrazy
I don't recall the site, and I think my employer would take issue with me googling for "website hacking contest", but a number of years ago there was a public site set up by security researchers and it had like 20 or so tests on 5-6 levels of hacking skill. One of my old bosses made me go through a number of levels to get a better sense of things I might be doing in a less secure way than I really should.

It built on itself like most of the How to write (insert language here) books on the market. Start with something simple like changing the URL variable from mysite.com?companyid=1 to mysite.com?companyid=2 and progressed from there.

-Luke.


To help us help you read this

For better help with performance problems please read this
Post #727439
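The `companyid=1` to `companyid=2` exercise Luke mentions is an insecure direct object reference: the page trusts an identifier from the URL and never asks whether the logged-in user is entitled to that record. The following is an added example, not code from the thread or from the contest site Luke recalls; the company table, the users and the session are invented, Python's sqlite3 stands in for SQL Server, and the URLs are the ones from the post above.

```python
"""Constructed example of the companyid=1 -> companyid=2 exercise (an insecure
direct object reference) and its fix.

Added example, not from the original thread. Site, table and users are
invented; sqlite3 stands in for SQL Server.
"""
import re
import sqlite3
from urllib.parse import parse_qs, urlparse


def make_db():
    """Constructed sample data: two companies, each owned by a different user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE company (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO company VALUES (?, ?, ?)",
        [(1, "alice", "Alice Ltd"), (2, "bob", "Bob plc")],
    )
    return conn


def company_id_from_url(url):
    """Pull companyid out of a request URL, accepting only a plain integer.

    urlparse treats 'mysite.com?companyid=2' as path 'mysite.com' with query
    'companyid=2', so the URLs from the post work without a scheme.
    """
    raw = parse_qs(urlparse(url).query).get("companyid", [""])[0]
    if not re.fullmatch(r"[0-9]+", raw):
        raise ValueError("companyid must be a positive integer")
    return int(raw)


# Vulnerable: the query is parameterised (no injection), but it trusts the id
# in the URL, so any logged-in user can read any company by editing the number.
def get_company_vulnerable(conn, session_user, url):
    cid = company_id_from_url(url)
    row = conn.execute("SELECT name FROM company WHERE id = ?", (cid,)).fetchone()
    return row[0] if row else None


# Fixed: ownership is part of the WHERE clause, so a guessed id that the
# session user does not own returns nothing, indistinguishable from a
# non-existent id (no hint to the attacker about which ids are real).
def get_company(conn, session_user, url):
    cid = company_id_from_url(url)
    row = conn.execute(
        "SELECT name FROM company WHERE id = ? AND owner = ?",
        (cid, session_user),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    # alice is logged in and edits the URL from her own company to bob's.
    print(get_company_vulnerable(conn, "alice", "mysite.com?companyid=2"))  # Bob plc
    print(get_company(conn, "alice", "mysite.com?companyid=2"))             # None
    print(get_company(conn, "alice", "mysite.com?companyid=1"))             # Alice Ltd
```

The point for a training site is that the two functions are identical apart from one predicate: parameterising the query closes the injection hole but says nothing about authorisation, and the two levels of the exercise are different bugs that need different checks.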
Posted Tuesday, June 2, 2009 10:00 AM
SSC Eights!
I would suggest, for those sites that can be entirely built using appropriate licenses (zero cost, transferable, virtualizable), that this would be an ideal case for virtual appliances. Load on your virtual server, turn on, and see how insecure they can be.

Otherwise, the ideal would be scripts that would allow one to easily set up said sites on one's own computers.

I'm afraid that publicly available sites like this would be useful, except that any where the site can be brought down completely likely would be. For such publicly available sites, either a read-only virtual image (restart to get back to initial state), or the older "boot CD without any hard drive" method may be appropriate.
Post #727551