Tag Archives: Security

Are Unicode Domains Really a Security Risk?

I recently read an interesting piece from Mashable that suggested that ICANN allowing non-Latin (Unicode) domain names is a security risk. The problem is that Unicode characters can be rendered in browsers as Latin characters, which opens a new window of opportunity for phishers.

If the domain “raural.com,” created using Cyrillic script, was registered, the way that Unicode browsers will actually render that domain in Latin is as “paypal.com.” In theory, phishers could pass around that link and set up a fake version of the PayPal site to harvest logins and credit card data.

It is impossible to tell the difference visually. It’s pretty scary. At least, I thought it was until I realized two things:

  1. You shouldn’t click links in emails claiming to be from PayPal or your bank anyway. Just don’t. Type the address in manually.
  2. Websites dealing with money, or other things that require a higher level of security, generally have an SSL certificate signed by a reputable third party.

So if you don’t click links in emails, and make sure that the SSL certificate checks out, you’ll be safe.

It’s not that big a deal for those of us who have a good general knowledge of computer security, but it still is worrying that phishers are gaining this tool. I’m sure you know plenty of people who could easily fall into this kind of trap.
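As an added example (not from the post or from Mashable), here is a PHP check that flags the two shapes of lookalike domain the post describes: a label that mixes Latin and Cyrillic letters, and a label made entirely of Cyrillic letters whose glyphs match Latin ones. The confusable set and the sample hostnames are constructed; punycode decoding is only attempted when the `intl` extension is loaded.

```php
<?php
// Added example (not from the original post): flag hostnames whose labels mix
// Latin and Cyrillic letters, or consist only of Cyrillic letters that render
// like Latin ones, before a link is displayed or followed.

// Cyrillic letters whose glyphs are near-identical to Latin a, c, e, o, p, x, y.
const CONFUSABLE_CYRILLIC = ['а', 'с', 'е', 'о', 'р', 'х', 'у'];

/** Returns warnings for $host (UTF-8 or punycode); an empty array means none. */
function homograph_warnings(string $host): array
{
    // Decode punycode labels (xn--...) when the intl extension is present.
    if (function_exists('idn_to_utf8') && stripos($host, 'xn--') !== false) {
        $decoded = idn_to_utf8($host, IDNA_DEFAULT, INTL_IDNA_VARIANT_UTS46);
        if ($decoded !== false) {
            $host = $decoded;
        }
    }
    $warnings = [];
    foreach (explode('.', $host) as $label) {
        $hasLatin    = preg_match('/\p{Latin}/u', $label) === 1;
        $hasCyrillic = preg_match('/\p{Cyrillic}/u', $label) === 1;
        if ($hasLatin && $hasCyrillic) {
            $warnings[] = "label '$label' mixes Latin and Cyrillic letters";
        } elseif ($hasCyrillic) {
            // Every letter confusable? Then the label is visually an ASCII name.
            $letters = preg_split('//u', $label, -1, PREG_SPLIT_NO_EMPTY);
            if (array_diff($letters, CONFUSABLE_CYRILLIC) === []) {
                $warnings[] = "label '$label' is made only of Latin-lookalike Cyrillic letters";
            }
        }
    }
    return $warnings;
}

// Constructed samples: a plain ASCII name, "paypal" with a Cyrillic 'а' in it,
// and a label of confusable Cyrillic letters that renders like "papa".
$samples = ['paypal.com', "p\u{0430}ypal.com", "\u{0440}\u{0430}\u{0440}\u{0430}.com"];
foreach ($samples as $host) {
    $w = homograph_warnings($host);
    echo $host, ': ', $w ? implode('; ', $w) : 'no homograph indicators', PHP_EOL;
}
```

Browsers apply similar mixed-script rules before deciding whether to show a label in Unicode or fall back to its punycode form.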

How to Secure Your WordPress Installation

Digging into WordPress has recently published a new article on securing WordPress. It covers setting up optimal database privileges, adjustments you can make to your wp-config.php file, changing the table prefix, changing the default admin username, and a couple of other things.

Of course, when it comes to the security of your WordPress site, these techniques are merely the beginning. As you continue in your WordPress travels, you will discover many, many more ways to increase the security of your site. By implementing the methods presented in this article during the setup process, you will be strengthening the security of your site’s foundation, providing yourself a solid platform on which to build.

Definitely worth a read if you haven’t already looked into the techniques.

How to Secure Your New WordPress Installation [Digging into WordPress]

Google Buys reCAPTCHA


Google has acquired reCAPTCHA, the service that powers some of those squiggly-letter fields (or CAPTCHAs) you have to fill out before submitting a form. (This is usually done to hinder bots attempting to mass-submit the forms for purposes such as spamming.)

The interesting part of reCAPTCHA is where they get their squiggly letters from. The words are from (public domain) books and newspapers that have been scanned. As computers are bad at interpreting images and finding the words within, the scans are chopped up and served up through reCAPTCHA, where users help translate the images into plain text. This is done by showing two words, one that reCAPTCHA knows the plaintext for and one it doesn’t. If you type the known word properly, the CAPTCHA validates and the input for the second word is logged.

reCAPTCHA’s unique technology improves the process that converts scanned images into plain text, known as Optical Character Recognition (OCR). This technology also powers large scale text scanning projects like Google Books and Google News Archive Search. Having the text version of documents is important because plain text can be searched, easily rendered on mobile devices and displayed to visually impaired users. So we’ll be applying the technology within Google not only to increase fraud and spam protection for Google products but also to improve our books and newspaper scanning process.

Security Alert: Upgrade to WordPress 2.8.4

Are you running a version of WordPress prior to 2.8.4? If so, you should upgrade now. There’s a major attack going around that targets older versions of WordPress. Lorelle has the full details.

There are two clues that your WordPress site has been attacked.

There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”

The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize.

In case once wasn’t enough, upgrade your copy of WordPress if the version is less than 2.8.4. This security flaw, of which details are lacking, applies to any version of WP prior to 2.8.4, and any site running the older software is at risk.
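The two clues above can be checked mechanically. The following PHP is an added example (not from Lorelle’s post or from WordPress): it URL-decodes request paths and looks for the `eval`/`base64_decode` fragments, and it diffs the site’s user list against the accounts you know you created. The sample paths and user names are constructed.

```php
<?php
// Added example (not from Lorelle's post): check request paths for the
// eval/base64_decode permalink pattern and compare the WordPress user list
// against the accounts you know you created. All sample data is constructed.

// Fragments that have no business in a legitimate permalink.
const SUSPICIOUS_TOKENS = ['eval(', 'base64_decode(', '$_SERVER'];

/** Returns the suspicious fragments found in $path after URL-decoding it. */
function suspicious_permalink(string $path): array
{
    // Decode more than once: a double-encoded payload hides from a single pass.
    $decoded = $path;
    for ($i = 0; $i < 3 && strpos($decoded, '%') !== false; $i++) {
        $decoded = rawurldecode($decoded);
    }
    $found = [];
    foreach (SUSPICIOUS_TOKENS as $token) {
        if (stripos($decoded, $token) !== false) {
            $found[] = $token;
        }
    }
    return $found;
}

/** Returns the user names that are not in your list of expected accounts. */
function unexpected_users(array $users, array $expected): array
{
    return array_values(array_diff($users, $expected));
}

// Constructed request paths: one benign, one carrying the injected permalink.
$paths = [
    '/category/post-title/',
    '/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/',
];
foreach ($paths as $path) {
    $hits = suspicious_permalink($path);
    echo $hits ? 'ALERT ' . implode(', ', $hits) : 'ok   ', '  ', $path, PHP_EOL;
}

// Constructed user list: "Administrator (2)" is the back door to look for.
$known = ['admin', 'editor'];
print_r(unexpected_users(['admin', 'editor', 'Administrator (2)'], $known));
```

Run the first check over your web server access log and the second against the output of the WordPress Users screen; either hit means the upgrade alone is not enough and the site needs cleaning.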

Twitter Security Goof: “Password” isn’t a Good Password

TechCrunch is reporting that the admin panel for Twitter Search was compromised recently. How? The password for it was “Password.”

Twitter co-founder Biz Stone, responding to our email, said “this bug allowed access to the search product interface only. No personally identifiable user information is accessible on that site.”

Included in the Search admin are the Trending Topics settings, and the tool used to remove individual statuses from search results in some cases.

What were they thinking?

This raises the important question: How secure is Twitter, or any other web service? How do we know that they’re even hashing our passwords to protect them if the database was compromised?

Nielsen Wants Your Passwords to Be Visible to the World

Usability authority Jakob Nielsen recently published a new article suggesting that developers “abandon legacy design” and stop masking password fields with bullets or asterisks, because of “reduced usability to protect against a non-issue.”

Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users’ shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn’t even protect fully against snoopers.

More importantly, there’s usually nobody looking over your shoulder when you log in to a website.

This is wrong on so many levels.


40+ Invaluable PHP Tutorials and Resources

My newest post on Net.Tuts+ was published yesterday: 40+ Invaluable PHP Tutorials and Resources

It is a roundup of articles, tutorials and tools of interest to PHP coders, on topics such as security, OOP, frameworks, and WordPress.

PHP is one of the most popular scripting languages on the internet today, and one of the easiest to get into. Whether you’re a PHP newbie, or an experienced code-slinger, there is always something new to discover. A function you’re unfamiliar with, a killer timesaving tool, a technique that you forgot about…

Head over to Net.Tuts+ to read the full article.

Securing PHP Web Forms

Chris Coyier has written an interesting article on securing form scripts. Serious Form Security talks about token matching, hack logging, and a few other useful techniques to apply to a form processing script. Token matching is definitely a trick worth learning, since it will do a lot to stop bots from submitting data through your form.

The first thing that we are going to do is generate a “token”, essentially a secret code. This token is going to be part of our “session”, meaning it is stored server side. This token also is going to be applied as a hidden input on the form itself when it is first generated in the browser. That means this token exists both on the client side and the server side and we can match them when the form gets submitted and make sure they are the same.

One of the best (worst?) ways to spam forms is to create a script that uses cURL to send POST requests to the URL listed in the form’s action attribute, with some spammy data in the POST fields. (Or malicious data intended to break your script…) Having a pseudo-random token generated as the article describes makes things a lot harder. cURL, whether from a command line or an automated script, isn’t going to be able to store the session data and send the token along with the form.
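The token matching described above, as an added example in PHP (not the code from the CSS-Tricks article): a token is generated into the session and into a hidden input, compared in constant time on submission, and discarded after one use. It assumes PHP sessions are available; the field name `token` and the 30-minute lifetime are arbitrary choices.

```php
<?php
// Added example (not the CSS-Tricks code): a token stored in the session and
// echoed as a hidden input, then compared when the form is submitted.
// Assumes PHP sessions are available; the field name "token" is arbitrary.
session_start();

/** Create a fresh token, keep it server side and return it for the form. */
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $_SESSION['form_token'] = $token;
    $_SESSION['form_token_issued'] = time();
    return $token;
}

/** Check the submitted token against the session copy. Single use: it is
 *  removed from the session whether or not the check passes. */
function verify_form_token(?string $submitted, int $maxAge = 1800): bool
{
    $stored = $_SESSION['form_token'] ?? null;
    $issued = $_SESSION['form_token_issued'] ?? 0;
    unset($_SESSION['form_token'], $_SESSION['form_token_issued']);
    if ($stored === null || $submitted === null) {
        return false;                            // no token: the POST did not come from our form
    }
    if (time() - $issued > $maxAge) {
        return false;                            // stale token
    }
    return hash_equals($stored, $submitted);     // constant-time comparison
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!verify_form_token($_POST['token'] ?? null)) {
        // The "hack logging" part: record the failed attempt, then refuse it.
        error_log('form token mismatch from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        http_response_code(403);
        exit('Invalid form submission.');
    }
    exit('Thanks!');                             // handle the trusted submission here
}

$token = htmlspecialchars(issue_form_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="">
  <input type="hidden" name="token" value="$token">
  <input type="text" name="message">
  <button type="submit">Send</button>
</form>
HTML;
```

A client that keeps a cookie jar and fetches the form before posting can still obtain a valid token, so this stops blind POST scripts rather than all automation; the token also has to be unguessable, which is why it comes from `random_bytes` rather than something like `md5(time())`.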

5 PHP Mistakes and How to Avoid Them

PHP is an easy scripting language to learn, but mastering it is a whole other matter. Here are a few common mistakes that beginners, and even experienced PHP developers, might make once in a while.

They’re not really visible mistakes, such as the ones that would result in an error message. They’re the sort of thing that might go unnoticed, but could really use fixing.

  1. Calling a function more than once unnecessarily. Suppose you need to, in two places, use the length of a string variable to do something. Don’t call strlen($var) twice, call it once and save the result to a new variable (name it something like $var_len). Then you can use the variable wherever you need the length. If something will have the same result, only do it once. You’ll save a few CPU cycles.
  2. SQL Injection vulnerabilities. SQL Injection is one of the more popular ways for those up to no good to attack a website. Any user-submitted data should be properly escaped before being worked into a database query. Otherwise a seemingly harmless search box or login form could be used as a gateway to your database, opening you up to data theft or deletion. Read up on SQL Injection and how to counter it.
  3. Not encrypting passwords. Please, never store users’ passwords in plain text. Any software that requires a user to log in with a username and password should use a one-way hash to turn passwords into meaningless gibberish. Users trust you with their login credentials, and they likely use the same ones across multiple sites (despite recommendation otherwise). Don’t let them be stolen. Password Hashing.
  4. Using 302 redirects instead of 301s. It’s fairly easy to redirect with PHP’s header function. However, it doesn’t do a 301 redirect automatically. It uses a 302 HTTP code, which can cause duplicate content issues with search engines. To do a 301 redirect, you must send a 301 response header before the location header. Sending a 301 “Moved Permanently” Header with PHP.
  5. Not using OOP. The object-oriented approach to programming takes a bit more planning than the procedural approach, but it’s worth learning if you haven’t already. It makes for much cleaner code. CSS-Tricks.com has a nice tutorial on how to build a basic object-oriented CMS. While not exactly a primer on PHP OOP, it’s a good hands-on experience. For a ground-up introduction to classes and objects, try Killer PHP’s Object Oriented PHP for Beginners.
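Mistakes 2, 3 and 4 in working code, as an added example that is not from the original post: a parameterised query in place of string-spliced SQL, `password_hash`/`password_verify` in place of plain-text storage, and an explicit 301 before the `Location` header. The demo uses an in-memory SQLite database through PDO (assumes the `pdo_sqlite` extension), and the users table and credentials are constructed.

```php
<?php
// Added example (not from the original post) for mistakes 2 to 4: a
// parameterised query, one-way password hashing, and an explicit 301.
// Uses an in-memory SQLite database via PDO so it runs stand-alone.

/** Mistake 2: the prepared statement sends $username separately from the
 *  SQL text, so quotes inside it are data and cannot change the query. */
function find_user(PDO $db, string $username): ?array
{
    // Vulnerable form for contrast, never do this:
    //   $db->query("SELECT * FROM users WHERE username = '$username'");
    $stmt = $db->prepare('SELECT username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Mistake 3: store a salted one-way hash, never the password itself. */
function register_user(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);   // bcrypt; salt embedded in the output
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function login(PDO $db, string $username, string $password): bool
{
    $row = find_user($db, $username);
    // password_verify re-hashes with the stored salt and compares in constant time.
    return $row !== null && password_verify($password, $row['password_hash']);
}

/** Mistake 4: header('Location: ...') alone answers 302; send the 301 first. */
function redirect_permanently(string $url): void
{
    header('HTTP/1.1 301 Moved Permanently');
    header('Location: ' . $url);
    exit;
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
register_user($db, 'alice', 'correct horse battery staple');
var_dump(login($db, 'alice', 'correct horse battery staple'));  // right password
var_dump(login($db, 'alice', 'not the password'));              // wrong password
var_dump(login($db, "' OR '1'='1", 'x'));                       // the quoted text is just a username that does not exist
```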

cURL From the Console

cURL is often used on the server end to pull web pages and RSS feeds for parsing, or for interacting with APIs. It’s a nifty tool, and one that I use quite frequently.

cURL also can be used, in a command line environment, to do some useful things that come in handy when troubleshooting.

cURL From The Console
