[phoenix-dev] PHP security - EPIC breach
Team,
The EPIC site has suffered a security breach late last week and has been
taken offline.
WHAT
- an intruder obtained the username and password to an EPIC admin account
- the intruder logged in and injected malware code (mainly javascript) into the EPIC pages, in the form of trojan horses
- the intruder sent a SPAM e-mail to all the EPIC users using the "mass e-mail" function
WHO
- the IP address maps to a computer in New Jersey, but the intruder was likely hiding behind one or many open proxies
HOW
- there are several ways to obtain credentials to a website: trojan horses, keystroke loggers, network sniffing, viruses/malware installed on your computer, etc.
- javascript code is dangerous, and can easily be obfuscated to avoid detection by the best of security applications, even the browser itself
As we are all responsible for code on high-profile sites, it's our job
to be secure. Although most of you find security to be cumbersome, it's
important. The higher level of access you have, the higher the
requirements for security. High-profile sites are targets for attack,
due to the sheer number of visitors and the increased potential for impact.
What you can do to help:
a) if you have admin access to a site, apply the same logic as accessing
your bank account online: DO NOT save your username and password in your
browser. Change your password once in a while. Do not log in from an
untrusted computer. Do not log in from an untrusted network. Do not log
in if the site doesn't support https. If you're unsure, don't.
b) assume data from the browser is out to destroy you. Sanitize HTTP
parameters. Inspect file attachments. DO NOT trust incoming HTML.
c) look at everyone's code. The Phoenix team is not the sole author of
code on our site. Ask for peer review of your code. If you're not sure
if your code is secure, ask.
d) avoid using MSIE. Use Firefox. Make sure your antivirus and
operating system are up-to-date (the Foundation IT has enabled this on
your computer at work, but they don't have access to your computer at
home). Run a firewall. Don't open or download Windows executables.
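Point b) above in working form, as an added PHP example that is not part of Denis's message or the Phoenix code base: validate each HTTP parameter against an allow-list, escape on output, and reduce any submitted HTML to a few harmless tags with their attributes removed. The function names and the sample request are hypothetical, constructed for this illustration.

```php
<?php
// Added example, not from the original message. Treat every HTTP parameter
// as hostile: validate on the way in, escape on the way out, and never echo
// incoming HTML verbatim. All names below are hypothetical.
declare(strict_types=1);

/** Return the parameter only if it matches an allow-list pattern, else null. */
function clean_param(array $params, string $name, string $pattern, int $max = 64): ?string
{
    if (!isset($params[$name]) || !is_string($params[$name])) {
        return null;
    }
    $value = $params[$name];
    if (strlen($value) > $max || preg_match($pattern, $value) !== 1) {
        return null;                 // reject; do not try to "fix up" bad input
    }
    return $value;
}

/** Escape text for an HTML context so an embedded <script> becomes inert. */
function html_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Reduce user-supplied HTML to a small allow-list of tags, attributes dropped. */
function restrict_html(string $html): string
{
    $stripped = strip_tags($html, '<b><i><em><strong><p><br>');
    // strip_tags keeps attributes on the allowed tags, and attributes
    // (onmouseover, style, href="javascript:") are where script hides, so
    // drop every attribute. Text inside removed tags survives as plain text.
    return preg_replace('/<(\w+)\s[^>]*>/', '<$1>', $stripped);
}

// Constructed sample request containing the kind of payload the breach used.
$request = [
    'user'    => 'denis<script>alert(1)</script>',
    'page'    => '3',
    'comment' => '<p onmouseover="evil()">Hi <b>there</b></p><script>steal()</script>',
];

$user = clean_param($request, 'user', '/^[a-z0-9_]+$/i'); // null: rejected
$page = clean_param($request, 'page', '/^\d{1,4}$/');      // "3"

echo 'User: ' . html_text($user ?? '(invalid)') . "\n";
echo 'Page: ' . (int) $page . "\n";
echo 'Comment: ' . restrict_html($request['comment']) . "\n";
// Comment line prints: <p>Hi <b>there</b></p>steal()  (no executable script left)
```

For production HTML input a dedicated sanitizer library is safer than the regex above; the point here is allow-listing what may pass rather than hunting for known-bad strings.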
Thanks for helping maintain the security of our site!
Denis
--
Denis Roy
Manager, IT Infrastructure
Eclipse Foundation, Inc. -- http://www.eclipse.org/
Office: 613.224.9461 x224 (Eastern time)
Cell: 819.210.6481
denis.roy@xxxxxxxxxxx