[nycphp-talk] Basic security question
Phillip Powell
phillip.powell at adnet-sys.com
Wed Jul 14 16:00:31 EDT 2004
Chris Bielanski wrote:
>I had a much longer response in preparation, but Andrew just nailed it.
>Obscurity is not security. And yes, it only stops the timid assailant. A
>determined cracker will take it *personally* that you configured your server
>to tell *lies* to its "friendly users"!! The NERVE!! He'll fix YOU, buddy!
>:)
>
>
>
I don't think they did it for the added "security through obsecurity"
inasmuch as the fact that they were PHP programmers that were working on
a federal government contract that mandated that everything web-wise be
done in ASP. So that was their "workaround". Not "obscurity" as much
as plain ol' foolin'.
Phil
>And *poof* another one bites the dust, nah?
>
>
>Thanks,
>Chris Bielanski
>Web Programmer,
>International Trademark Association,
>1133 Avenue of the Americas, 33rd Floor
>New York, NY 10036
>+1 (212) 642-1745, f: +1 (212) 768-7796
>mailto:cbielanski at inta.org, www.inta.org
>INTA -- 125 Years of Excellence
>
>
>
>
>
>>-----Original Message-----
>>From: Paul Reinheimer [mailto:preinheimer at gmail.com]
>>Sent: Wednesday, July 14, 2004 3:35 PM
>>To: NYPHP Talk
>>Subject: Re: [nycphp-talk] Basic security question
>>
>>
>>See, if that was convincing enough prospective attacker would spend a
>>lot of time going after IIS and ASP vulnerabilities that presumably
>>(in the same form) exist in Apache and php.
>>
>>
>>paul
>>
>>On Wed, 14 Jul 2004 15:33:08 -0400, Phillip Powell
>><phillip.powell at adnet-sys.com> wrote:
>>
>>
>>>I can tell you PHP folk up in NY do not work for the US
>>>
>>>
>>Feds nor for a
>>
>>
>>>federal contractor, but were you ever to do so, you'd find
>>>
>>>
>>how horribly
>>
>>
>>>security measures that deal with the Web fly in the face of
>>>federally-mandated Section 508 Compliance.
>>>
>>>Augh! You have to put your EMAIL address on your website,
>>>
>>>
>>how secure is
>>
>>
>>>THAT???
>>>
>>>I do know of some PHP programmers in DC for the Labor Dept that once
>>>"spoofed" Apache into interpreting PHP files as ".asp" (and to show
>>>itself as IIS!) to spoof the higher-ups that everything was in a M$
>>>environment to "make them happy".
>>>
>>>Phil
>>>
>>>
>>>
>>>Paul Reinheimer wrote:
>>>
>>>
>>>
>>>>Every attack wether web or otherwise I have heard about starts with
>>>>learning as much as you can about the target's systems,
>>>>
>>>>
>>then seeking
>>
>>
>>>>to exploit some either known or unknown security holes in
>>>>
>>>>
>>the software
>>
>>
>>>>that system is running.
>>>>
>>>>Knowing that, why reveal anything? Make the potential attacker work
>>>>for every peice of information they want. Set the apache
>>>>
>>>>
>>server string
>>
>>
>>>>to claim it is some recent release of IIS, tell all the
>>>>
>>>>
>>services not
>>
>>
>>>>to advertise they are running, save your .php files as
>>>>
>>>>
>>.exe and tell
>>
>>
>>>>apache just to interpret apropriatly. etc. Obviously if
>>>>
>>>>
>>you choose to
>>
>>
>>>>run some off the shelf application (ie phpBB) you will let
>>>>
>>>>
>>the cat out
>>
>>
>>>>of the bag, but seperating it to a subdomain may only add to the
>>>>confusion.
>>>>
>>>>Does anyone see any real advantage to this approach?
>>>>
>>>>
>>>>paul
>>>>_______________________________________________
>>>>talk mailing list
>>>>talk at lists.nyphp.org
>>>>http://lists.nyphp.org/mailman/listinfo/talk
>>>>
>>>>
>>>>
>>>>
>>>>
>>>--
>>>
>>>
>>>
>>--------------------------------------------------------------
>>-------------------
>>
>>
>>>Phil Powell
>>>Multimedia Programmer
>>>BPX Technologies, Inc.
>>>#: (703) 709-7218 x107
>>>Fax: (703) 709-7219
>>>
>>>_______________________________________________
>>>talk mailing list
>>>talk at lists.nyphp.org
>>>http://lists.nyphp.org/mailman/listinfo/talk
>>>
>>>
>>>
>>_______________________________________________
>>talk mailing list
>>talk at lists.nyphp.org
>>http://lists.nyphp.org/mailman/listinfo/talk
>>
>>
>>
>_______________________________________________
>talk mailing list
>talk at lists.nyphp.org
>http://lists.nyphp.org/mailman/listinfo/talk
>
>
>
--
---------------------------------------------------------------------------------
Phil Powell
Multimedia Programmer
BPX Technologies, Inc.
#: (703) 709-7218 x107
Fax: (703) 709-7219
More information about the talk
mailing list