Why Programmers Need To Start Thinking Like Hackers

Day after day we hear about yet another major organization, from Yahoo to the IRS, getting hacked. When we look at the fundamental reason for the hack, it's essentially human error or complacency. The idea that "nobody will ever hack me" or "why would anyone want my data?" is a completely blind fallacy.

To give you some perspective, I run a small consulting firm and used to think nobody would find me because I'm so small. Well, people were finding me, and unfortunately not for the best reasons. For example, I have a contact form on my website, which I put there instead of putting my email address out in plain text for spammers to harvest. Thinking I was such a genius, I went away and didn't think about it for a long time.

Eventually, I started getting messages from the contact form. Some were spam telling me how I could raise millions of dollars, but others were just empty messages, which I cast off as someone being a nuisance. But there was more to them than I could see. It wasn't until I dug deeper and analyzed the messages that I found someone was sending me a payload, a program to launch a shell so that they could compromise my systems. That is what woke me up, and I came to the realization that I needed to take my security more seriously. That's when I started to research the different techniques that hackers use.

So today I want to share with you three tips for thinking like a hacker and securing your code.

And where does it all begin? At the coding stage, and in particular wherever you take in user input, as I learned with my contact form.

  1. Assume each input can lead to a buffer overflow. Place a limit on the number of characters you take in and truncate the rest. An overflow is enough for an attacker to gain access via a remote shell. At the assembly level, all a hacker wants is control of the CPU's instruction pointer register, so that they can then control the machine and upload and launch a shell to gain access to the victim machine.
  2. Filter out all input that also belongs to the SQL language. Words like Select, Union and so on can be used against your input forms, because they may be turned into a subquery of the queries you are already running behind the scenes, especially when the user is performing a search. It can go so far that the attacker retrieves details about the rest of the database on the back end, including the database version, information schemas and other tables, particularly the user table with usernames and passwords. If that table stores passwords without hashing, or with weak hashes like MD5, then the hacker now has access to the entire system and its user data.
  3. Filter out JavaScript commands. Start with the script tags, then include words like function, if and for with brackets, to really sanitize the input. Overall, reduce the ability of an attacker to inject code into your forms. If the attacker can add their own code, they have a higher chance of gaining access to the victim machine.
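
To make the three tips concrete, here is an added example of a small contact-form handler; it is not code from the original post. It enforces a hard length limit on every field and truncates the rest (tip 1), stores and searches messages through a bound SQL parameter so that a search term such as the constructed tautology `' OR '1'='1` is treated as plain text rather than as part of the query (tip 2), and escapes user text before it is placed in HTML so that `<script>` tags stay inert (tip 3). A parameterized query and output escaping are swapped in for the keyword filtering the tips describe, since they achieve the same goal without needing a list of forbidden words. The in-memory SQLite table, its two rows and the field limits are all assumptions made up for the example.

```python
# Added example (not from the original post): a contact-form handler that
# applies the three tips above. Assumes an in-memory SQLite table named
# "messages" (constructed here) and the field limits below, which are
# illustrative choices, not values from the post.
import html
import sqlite3

# Tip 1: hard limits on every field; anything beyond the limit is truncated.
FIELD_LIMITS = {"name": 64, "email": 128, "body": 2000}


def bound_input(field: str, value: str) -> str:
    """Truncate a submitted value to the configured limit for its field."""
    return value[: FIELD_LIMITS[field]]


def open_db() -> sqlite3.Connection:
    """Create a throw-away in-memory database with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE messages (id INTEGER PRIMARY KEY, name TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO messages (name, body) VALUES (?, ?)",
        [("alice", "Quote request for a pentest"), ("bob", "Invoice question")],
    )
    return conn


def search_unsafe(conn: sqlite3.Connection, term: str) -> list:
    """Vulnerable form: the search term is pasted straight into the SQL text,
    so quotes and SQL words in the term become part of the query."""
    sql = f"SELECT name FROM messages WHERE body LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Hardened form (tip 2): the term is bound as a parameter, so the
    database engine always treats it as data, never as SQL."""
    sql = "SELECT name FROM messages WHERE body LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


def render_message(name: str, body: str) -> str:
    """Hardened form (tip 3): escape user text before placing it in HTML,
    so a submitted <script> tag is shown as text instead of executed."""
    return f"<p><b>{html.escape(name)}</b>: {html.escape(body)}</p>"


def handle_submission(form: dict) -> dict:
    """Apply the length limits, then return what would be stored and what
    would be rendered back to a visitor."""
    bounded = {k: bound_input(k, form.get(k, "")) for k in FIELD_LIMITS}
    return {
        "stored": bounded,
        "rendered": render_message(bounded["name"], bounded["body"]),
    }


if __name__ == "__main__":
    db = open_db()
    # Constructed probe input: a quote followed by an always-true condition.
    probe = "' OR '1'='1"
    print("unsafe:", search_unsafe(db, probe))  # every row comes back
    print("safe:  ", search_safe(db, probe))    # nothing contains that literal text
    print(handle_submission({
        "name": "<script>alert(1)</script>",
        "email": "nobody@example.invalid",
        "body": "x" * 5000,                      # over the limit, gets truncated
    }))
```

Run the file directly and compare the two search results: the concatenated query returns both rows because the injected condition rewrote the WHERE clause, while the parameterized query returns nothing because no message body contains that text. The rendered output shows the script tag as escaped entities.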

Going back to what I said at the beginning, day in and day out we hear about major organizations like Yahoo and the IRS getting hacked, but it wasn't until I heard about that hospital in Hollywood, California that was hit by a ransomware attack, crippling its network, that I said enough is enough. When you go after the sickest, the weak, the frail who can't help themselves, who knows how many people have died all over the world, or got sicker unnecessarily, because that hospital's computer systems were crippled by a hacker. That is low, and that is why I stand up and speak to as many organizations as I can and spread the word about how to stay safe.
