Intruding into Dummy Websites

Phil Factor
Comments posted to this topic are about the item Intruding into Dummy Websites


Best wishes,

Phil Factor
Simple Talk
Richard Collins-243383
An excellent idea Phil. Reminds me of Richard Feynman's stories of cracking the combination
locks on his colleagues' filing cabinets at MIT: the numbers were usually based on spouses' birthdays.
I think he also liked to leave gifts inside.

Having a dummy defensive position to attack, out in the public domain, is also not unlike the way
the M.o.D (UK Defence Department) carry on in Salisbury Plain. Perhaps we could use www.imbervillage.com
as the domain for your Ninja maneuvers, in memory of the real English village of Imber, which was invaded by Brit and American forces in 1943 to use for attack practice.

Brigadier Dick "Tari" Webstock
Paul.
Perhaps we can have multiple databases, each of which demonstrate a different "level" of security. E.g. for SQL injection, one could have none at all, the next could include just some basic escaping of certain SQL commands, one could use stored procedures instead, etc.

That way, we can demonstrate the differences between each technique, along with pros and cons, so junior DBAs can see exactly what each one provides and examples for implementation.

Paul
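An added example, not from the thread, sketching the three "levels" Paul describes in Python against an in-memory SQLite table standing in for a dummy site's database. The table, its rows and the probe inputs are constructed for illustration, and a parameterised query stands in for his stored-procedure level, since SQLite has no stored procedures:

```python
import sqlite3

# Constructed sample data: a tiny in-memory table standing in for a dummy site's user list.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user"), (3, "O'Brien", "user")])
    return conn

def run(conn, sql, params=()):
    # Runs one query; returns its rows, or the error text when the SQL no longer parses.
    try:
        return conn.execute(sql, params).fetchall()
    except sqlite3.Error as exc:
        return "SQL error: " + str(exc)

def escape_quotes(value):
    # Level 2 helper: the "basic escaping" approach, doubling single quotes in a string value.
    return value.replace("'", "''")

def level1_by_name(conn, name):
    # Level 1: no protection at all; the input is pasted straight into the SQL text.
    return run(conn, "SELECT id, name, role FROM users WHERE name = '" + name + "'")

def level2_by_name(conn, name):
    # Level 2: quote escaping. Adequate for a quoted string column like this one.
    return run(conn, "SELECT id, name, role FROM users WHERE name = '" + escape_quotes(name) + "'")

def level2_by_id(conn, user_id):
    # Level 2 again, but the id (say, from a URL) is concatenated without quotes, so there is
    # nothing for the escaper to escape and whatever follows the number becomes part of the WHERE.
    return run(conn, "SELECT id, name, role FROM users WHERE id = " + escape_quotes(user_id))

def level3_by_id(conn, user_id):
    # Level 3: a parameterised query. The value travels separately from the SQL text and is
    # never parsed as SQL, so a non-numeric id simply matches no row.
    return run(conn, "SELECT id, name, role FROM users WHERE id = ?", (user_id,))

if __name__ == "__main__":
    db = make_db()
    print("level 1, O'Brien:", level1_by_name(db, "O'Brien"))      # SQL error: the quote breaks the query
    print("level 2, O'Brien:", level2_by_name(db, "O'Brien"))      # one row: escaping handled the quote
    print("level 2, id 2 OR 1=1:", level2_by_id(db, "2 OR 1=1"))   # every row: escaping did not help
    print("level 3, id 2 OR 1=1:", level3_by_id(db, "2 OR 1=1"))   # no rows: the parameter is data, not SQL
```

Each level closes the gap the previous one leaves, which is the pros-and-cons comparison Paul asks for in one runnable script.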

mike brockington
Just a quick note to warn any Brits reading this that, under British law, attacking a server or database without the owner's express permission is illegal under criminal law. Claiming that it was for educational purposes is not a valid defence.
The article suggested that the author was not aware of, or did not care about, this.

Throw away your pocket calculators; visit www.calcResult.com


GSquared
Good idea Phil.

Most companies need to actually set up a parallel system, with dummy data, and "tiger team" it, by deliberately hacking the fake site. Any dummy data they pull up would be real data on a real site, and that's enough to know what needs more security.

- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread

"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
Ken Wymore
It would be great to see a site set up specifically for the purpose of showing how database security measures work. The only downside is that junior hackers could sign up for the site under false credentials and then get quick training on how to hack other's sites. Would we just assume that hackers would get their information from wherever on the web anyway and that the majority of the site users would be good-natured DBAs and developers looking to prevent issues with their own sites? Would there be any sort of governmental rules on setting up a site like this even if it is for educational purposes only?

I definitely like the concept.
michael.wiles
I think a practice web site would be a fantastic idea. Just as importantly, though, a second web site, or the web site duplicated in a different folder, should also be set up where everything is secured, with each page having an explanation of how it is now secure and what was done to make it secure. It is one thing to figure out how to break into a website but another to figure out what to do to make sure that the websites that you develop do not end up suffering the same fate.
BlackHawk-17
I believe this is a worthwhile exercise. Nothing educates like experience.

The fear is that nefarious hackers would get hold of the site and turn it into a weapon against those using it for training.

Perhaps the community can develop a Hack-O-Matic canned version for download, complete with instructions and scenarios, rather than relying on a third-party hosted environment. Being able to play with it behind closed doors, as it were, would assist many in evolving not only their security practices but their inherent understanding as well.

You have my vote and support in making this a reality.

Regards;
Greg
Luke L
I don't recall the site, and I think my employer would take issue with me googling for "website hacking contest", but a number of years ago there was a public site set up by security researchers and it had something like 20 or so tests on 5-6 levels of hacking skill. One of my old bosses made me go through a number of levels to get a better sense of things I might be doing in a less secure way than I really should.

It built on itself like most of the How to write (insert language here) books on the market. Start with something simple like changing the URL variable from mysite.com?companyid=1 to mysite.com?companyid=2 and progressed from there.

-Luke.

To help us help you read this

For better help with performance problems please read this
Nadrek
I would suggest, for those sites that can be entirely built using appropriate licenses (zero cost, transferable, virtualizable), that this would be an ideal case for virtual appliances. Load on your virtual server, turn on, and see how insecure they can be.

Otherwise, the ideal would be scripts that would allow one to easily set up said sites on one's own computers.

I'm afraid that publicly available sites like this would be useful, except that any where the site can be brought down completely likely would be. For such publicly available sites, either a read-only virtual image (restart to get back to the initial state) or the older "boot CD without any hard drive" method may be appropriate.