Securing your site
June 21, 2008
Posted by Joker in: FrontPage, Security, blog

Since I’ve seen so many customers getting their accounts hacked, I figured I’d post the tools I have for dealing with these types of issues.
One of them can be found here; it was written by one of my co-workers. (His scripts only work on Linux/Unix-based OSes, sorry, no Windows support.) Basically he wrote a script that checks for some easy-to-discover vulnerabilities, such as register_globals being enabled or world-writable files, among other things. He also wrote a script to fix those issues, one to tell you whether any changes have occurred since the last time the script was run, and he converted my FrontPage clean-up script to run over SSH.
I also ported the security scanner he wrote to PHP. (Once again, this is only for Linux/Unix servers.) You can get it here.
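To show what two of the checks mentioned above look like in practice, here is an added example (not the co-worker's script and not the PHP port) that scans a directory tree read-only for world-writable files and directories and parses a php.ini-style fragment for register_globals. The php.ini text and the temporary web root it builds are constructed sample input; nothing is modified on disk.

```python
"""Read-only scanner for two of the checks the post mentions: world-writable
files or directories under a web root, and register_globals enabled in a
php.ini-style file.  Added example, not the co-worker's script."""
import os
import stat
import tempfile

# Constructed php.ini fragment used as sample input.
SAMPLE_PHP_INI = """
; constructed sample, not a real server's configuration
[PHP]
register_globals = On   ; dangerous: request data becomes global variables
display_errors = Off
"""


def parse_ini(text):
    """Return {directive: value} from php.ini-style text.

    Section headers and comment lines (';' or '#') are skipped, and a
    trailing ';' comment on a value line is dropped.  Values are lower-cased
    so that On/on/ON compare equal.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.split(";", 1)[0].strip().strip("\"'")
        settings[key.strip().lower()] = value.lower()
    return settings


def register_globals_enabled(text):
    """True when register_globals is switched on (php.ini accepts several spellings)."""
    value = parse_ini(text).get("register_globals", "off")
    return value in ("on", "1", "true", "yes")


def is_world_writable(mode):
    """True if the 'other' write bit is set on a stat mode."""
    return bool(mode & stat.S_IWOTH)


def find_world_writable(root):
    """Walk root and return sorted (relative path, octal mode) pairs for every
    world-writable file or directory.  Symlinks are skipped because their own
    mode bits carry no meaning."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or is unreadable: skip rather than crash
            if stat.S_ISLNK(st.st_mode):
                continue
            if is_world_writable(st.st_mode):
                findings.append((os.path.relpath(path, root), oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)


def demo():
    """Build a constructed web root with one loose file and scan it."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.mkdir(uploads)
        os.chmod(uploads, 0o755)
        safe = os.path.join(root, "index.php")
        loose = os.path.join(uploads, "config.php")
        for path in (safe, loose):
            with open(path, "w") as fh:
                fh.write("<?php\n")
        os.chmod(safe, 0o644)
        os.chmod(loose, 0o666)  # world-writable: any local account could edit it
        return find_world_writable(root)


if __name__ == "__main__":
    print("register_globals on:", register_globals_enabled(SAMPLE_PHP_INI))
    for rel, mode in demo():
        print("world-writable:", rel, mode)
```

Run it against a real document root by calling `find_world_writable("/path/to/htdocs")`; the output is a list you can diff between runs, which is the same idea as the change-detection script mentioned above.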
MD5, should we really be using just it?
December 3, 2007
Posted by Joker in: Security, blog, hash

Well, why are we still using MD5 hashes? I really want to know, as I’ve heard of, and seen, at least one example where this has happened. This made me think that the solution might be to use multiple methods of verifying that a file is what it says it is. I say this because all of the hash functions I know of were designed by humans and thus have a good chance of containing some sort of flaw. I strongly believe in the following: nothing is foolproof against a sufficiently talented fool.
My idea is to use three different hashes to significantly reduce the chances of a file being intercepted and replaced with something else. The three I’m thinking of are MD5, SHA-1, and a cyclic redundancy check. Yes, I know that a cyclic redundancy check is considered highly insecure, but I think it would help a tiny bit, unless someone has a better suggestion for a third hash function. Since they are built on different mathematical constructions, using all three should reduce the chances of someone passing off a faked file.
In the example I showed, the files they provided matched only on the MD5 hash value, with entirely different SHA-1 and CRC values. I proposed those three only because they are the only functions I know of that can determine whether files are the same. Size is also important, but in the example I showed earlier all the PDF files they had were exactly the same size. I guess this proves that one hash plus the file size is not enough.
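The scheme the post proposes, size plus CRC32, MD5 and SHA-1, is small enough to write down in full. The following is an added example, not the post's own tooling: it fingerprints data in memory or streamed from a file, and `verify` reports which of the published checks disagree, so a substitute file that matches on MD5 and size alone shows up as a partial mismatch rather than a pass. The sample content (`b"hello"`, `b"jello"`, the file name `sample.pdf`) is constructed for the demonstration. The CRC32 is included because the post proposes it; it is an error-detecting code, not a cryptographic hash, so it only counts as the "tiny bit" of extra checking the post expects from it.

```python
"""Multi-check file fingerprint: size plus CRC32, MD5 and SHA-1, the three
checks the post proposes.  Added example, not the post's own tooling."""
import hashlib
import os
import tempfile
import zlib

CHECKS = ("size", "crc32", "md5", "sha1")


def fingerprint(data):
    """Fingerprint an in-memory byte string."""
    return {
        "size": len(data),
        "crc32": format(zlib.crc32(data) & 0xFFFFFFFF, "08x"),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def fingerprint_file(path, chunk_size=1 << 20):
    """Same fingerprint, streamed, so large files need not fit in memory.
    The CRC32 is carried across chunks via zlib.crc32's running-value argument."""
    size, crc = 0, 0
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            crc = zlib.crc32(chunk, crc)
            md5.update(chunk)
            sha1.update(chunk)
    return {
        "size": size,
        "crc32": format(crc & 0xFFFFFFFF, "08x"),
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
    }


def verify(actual, expected):
    """Return the names of checks that disagree with the published values.
    An empty list means every check matched; a partial list (MD5 and size
    agree, SHA-1 and CRC32 do not) is exactly the situation the post describes."""
    return [name for name in CHECKS
            if name in expected and actual.get(name) != expected[name]]


# Constructed "published" fingerprint for the sample file content b"hello".
PUBLISHED = fingerprint(b"hello")


def demo():
    """A same-size substitute passes the size check but fails all three hashes."""
    return verify(fingerprint(b"jello"), PUBLISHED)


def demo_file():
    """The streamed fingerprint (tiny chunks, to exercise the CRC carry) equals
    the in-memory one for the same content."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.pdf")  # constructed file name
        with open(path, "wb") as fh:
            fh.write(b"hello")
        return fingerprint_file(path, chunk_size=2) == PUBLISHED


if __name__ == "__main__":
    print("published:", PUBLISHED)
    print("mismatches for substitute:", demo())
    print("streamed == in-memory:", demo_file())
```

To use it the way the post intends, publish the full dictionary next to the download and have the recipient run `verify(fingerprint_file(local_path), published)`; a non-empty result names exactly which checks the received file failed.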
