[phoenix-dev] PHP security

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[phoenix-dev] PHP security - EPIC breach

From: Denis Roy <denis.roy@xxxxxxxxxxx>
Date: Fri, 03 Aug 2007 09:06:16 -0400
Delivered-to: phoenix-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/listinfo/phoenix-dev>
List-help: <mailto:phoenix-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/phoenix-dev>, <mailto:phoenix-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/listinfo/phoenix-dev>, <mailto:phoenix-dev-request@eclipse.org?subject=unsubscribe>
Organization: Eclipse Foundation, Inc.
User-agent: Thunderbird 2.0.0.6 (X11/20070728)

Team,

The EPIC site has suffered a security breach late last week and has beentaken offline.


WHAT
- an intruder obtained the username and password to an EPIC admin account

- the intruder logged in and injected malware code (mainly javascript)into the EPIC pages, in the form of trojan horses- the intruder sent a SPAM e-mail to all the EPIC users using the "masse-mail" function

WHO

- the IP address maps to a computer in New Jersey, but the intruder waslikely hiding behind one or many open proxies

HOW

- there are several ways to obtain credentials to a website: trojanhorses, keystroke loggers, network sniffing, virii/malware installed onyour computer, etc.- javascript code is dangerous, and can easily be obfuscated to avoiddetection from the best of security applications, even the browser itself

As we are all responsible for code on high-profile sites, it's our jobto be secure. Although most of you find security to be cumbersome, it'simportant. The higher level of access you have, the higher therequirements for security. High-profile sites are targets for attack,due to the sheer number of visitors and the increased potential for impact.


What you can do to help:

a) if you have admin access to a site, apply the same logic as accessingyour bank account online: DO NOT save your username and password in yourbrowser. Change your password once in a while. Do not log in from anuntrusted computer. Do not log in from an untrusted network. Do not login if the site doesn't support https. If you're unsure, don't.

b) assume data from the browser is out to destroy you. Sanitize HTTPparameters. Inspect file attachments. DO NOT trust incoming HTML.

c) look at everyone's code. The Phoenix team is not the sole author ofcode on our site. Ask for peer review of your code. If you're not sureif your code is secure, ask.

d) avoid using MSIE. Use Firefox. Make sure your antivirus andoperating system are up-to-date (the Foundation IT has enabled this onyour computer at work, but they don't have access to your computer athome). Run a firewall. Don't open or download Windows executables.



Thanks for helping maintain the security of our site!


Denis




--
Denis Roy
Manager, IT Infrastructure
Eclipse Foundation, Inc.  --  http://www.eclipse.org/
Office: 613.224.9461 x224 (Eastern time)
Cell: 819.210.6481
denis.roy@xxxxxxxxxxx

Prev by Date: Re: [phoenix-dev] Welcome Matt Ward as a new technology.phoenix Committer
Next by Date: [phoenix-dev] Re: Planet Eclipse Banner
Previous by thread: [phoenix-dev] Welcome Matt Ward as a new technology.phoenix Committer
Next by thread: [phoenix-dev] Re: Planet Eclipse Banner
Index(es):
- Date
- Thread

Breadcrumbs