I received some emails from a friend today linking to some seemingly legitimate websites, and the page indexz35X.php which redirects to your typical pharmacy website. This appears to be a variation of the LizaMoon style attack, coupled with a takeover of personal webmail accounts and a spam campaign through them.

While the redirected site appears to be a moderately harmless pharmacy website you can close and ignore, I would exercise caution when following any such link. It’s distribution methods are extremely suspect and this could be a source of malware.

You heard it here first, people!

There’s been a lot of news today about an “SQL Injection Attack” that’s affected over half a million websites.

Oh no!

First of all, despite comments to the contrary, I’m going to sit here and say: It’s XSS not SQL. The only evidence I’ve seen so far to contradict me is “it was stored in the database”. Well, XSS attacks commonly are. Here’s the difference:

XSS: Uses Javascript either in the site’s page name or a comment/feedback section of a website. The results can either be visible immediately or after the data is re-presented on a page. Badly written sites that allow HTML in comment forms are particularly susceptible to this. This also affected Twitter some months ago.

SQL: Uses SQL in a comment/feedback section of a website. The results are usually visible later when the data is re-presented on a page. Any badly written website is susceptible to this. You’ll notice this a lot if you have an apostrophe in your name and have trouble entering it on a website.

Let me put this simply.

IT IS CALLED SANITISATION.

Sanitisation. Read up about it.

Seriously, how can a collection of developers responsible for over half a million websites be so stupid as to allow this?

So there we have it. I called potentially thousands of programmers stupid. Would any of you like to defend your position, and explain why a tiny bit of sanitisation was so hard for you?

Dumbasses.

Let me define a few terms in the IT world:

Hackers: Used to be known as the seedy, dodgy guys in films who break PCs. Nowadays hackers are the elite programmers who can turn Lead into Gold and such.

Crackers: Always considered “bad”, and now taken on the original definition of hacker. Crackers break things for their own purposes (spam, taking down servers etc).

I’ve had a run-in with some crackers lately which is starting to annoy me. As a server administrator, I wish I could do more about it. PCs in Saudi Arabia, Korea and China have been doing their best to take over my server through SSH, and in separate attempts, turn my server into a spam “bot”.

The widespread abuse of PCs and servers worldwide is becoming a serious issue. I have enough experience to keep these guys out (though I should have changed my SSH port before today…) and haven’t been seriously affected by it, but what about the other guys?

I’m a strong believer in security above all else, but I’ve been somewhat upset recently by a large company not using basic security consistently in their own card processing example code.

I think the point I’m making is twofold:

1. People need to consider security more carefully. You never know what will happen or when. Change default SSH and Remote Desktop ports. Sanitise all your data. Use passwords that no one could possibly ever guess. Use blacklists and blacklist data providers. Implement brute force limitations.

2. Governments need to consider cracking and PC abuse more seriously. If someone breaks into 1000 houses and steals a little money from each, they’d be in prison. If you steal 1000 bank records and commit minor fraud on each, you stand a fair chance of getting away with it. Hell, if you’re in the right country, no one will care.

The world needs to sit down and enforce specific laws around cracking, proxy servers without sufficient logging and infact any service that doesn’t maintain reasonable IP logging. Server owners worldwide need to be held responsible for continuously allowing (willingly or through negligence) cracking, unlawful or illegal activities on their systems. If you’re not logging it and willing to pass this on to the relevant authorities as required, you should be held partially responsible.

You do something illegal on my server, I’m rollin’ over on ya.

A weird thing happened to me today. A rogue group invite was sent from my Facebook account. While I would normally admit I could have mis-clicked something, it included a message that I would never have typed. This could have been a bug with Facebook, or it could have been someone accessing my account. I used a pretty insecure password there, and this got me thinking.

How secure are your passwords?

Though I use secure passwords on “important stuff” like my server, it got me thinking and frankly a little paranoid.

Courtesy of TrueCrypt and a secure volume protected by a key file on a flash drive (which I’ve printed and kept very safe – you never know when those pesky flash drives will decide to stop working), I now have 20+ letter, number and symbol combination passwords on all my accounts.

This does have me thinking though. No one is going to break the passwords without my flash drive or piece of paper, but there’s always an avenue of attack. Key loggers for one, are a very dangerous thing. Insecure scripts can allow restricted access to some places you may not wish them to.

I’ve seen too many websites get hacked in my time, and too many key loggers installed on other’s PCs. People in general don’t take security seriously enough and don’t really anticipate the consequences of their actions on their PC. Looking at some of the posts on codingforums.com gives me nightmares. Basic security measures aren’t being met by our newest influx of developers, and it scares me.

For all my TrueCrypt volumes, sanitized and snapshotted virtual machines and overly zealous security precautions in my code, I wonder: Am I going too far? Am I too paranoid? Should I relax a little?

Without a moment’s hesitation:

NO. I am not.

This is my data, and the data of my clients. Paranoia is good.

I’m an avid reader of ZDNet for my technology news, and today came across Adobe screw-up leaves Flash flaw unpatched for 16 months.

I’ve never been a fan of Flash, I see it as some kind of blight on the internet. When I was a Windows network administrator, I often had to tell users to shut down tabs running flash because they were using 50% of the CPU. I side with Jakob Nielsen too, with his opinions on usability and ergonomic website design. Though flash applications can be easy to use, most developers seem to take the flexibility and power afforded by it as an excuse to go over the top on garish, cryptic designs. Steve Jobs (though I’m not a fan of Apple, more on that another time) has even earned some begrudging respect for his recent stance.

The internet is moving forward with HTML5 and exceptional Javascript libraries like jQuery. I believe the need for flash is rapidly diminishing, and that makes me very happy. It’s just a shame the community and contributing organisations couldn’t agree on one video codec (Vorbis would have been good, if not for the greed of large corporations, in my opinion).

This security issue should undermine a lot of respect and support people have in flash, but unfortunately I don’t see the “flash fanclub” doing anything but pushing forward ever more aggressively.

Just do me a favour: Next time you think “Oooh, I could use flash for that”, pause a moment and wonder “Can I use Javascript instead?”.