NYCPHP Meetup

NYPHP.org

[nycphp-talk] OpenID is what?

Ben Sgro ben at projectskyline.com
Thu Oct 30 11:29:27 EDT 2008


Hello Mike,

I think you have your real question here:

Having been recently hacked and several of my webmaster email account
names being hijacked by spammers, I am looking for viable solutions to
safeguard my websites and the membership of these sites.

How about fixing the problem, instead of adding new security measures?
Please define "hacked".

Did they guess the passwords to these accounts - Enforce non-standard/dictionary passwords, implement password expiration policies.
Did they brute force an account - Lock the account after N failed attempts in Y minutes (example: 15 failed logins in 1 minute).
Did they sniff traffic - Require all credentials (and maybe everything) be sent over SSL.
Did they SQL inject - Bind your params & validate all user input.
Don't let someone send out >N emails in Y minutes (example: 50 emails in 1 minute) - If you control the front end to the mail, you could add some last line of defense checks into that.

- Ben

mikesz at qualityadvantages.com wrote:
> Hello NYPHP,
>
> Having been recently hacked and several of my webmaster email account
> names being hijacked by spammers, I am looking for viable solutions to
> safeguard my websites and the membership of these sites.
>
> I just ran across some discussion about openID (yes, I have been in a
> cave now for some time, lol) and am skeptical that the primary motivation
> is altruistic like when g$$gle first came on the scene, it too "looked like"
> a good thing for the planet but evolved into the world's biggest $$$ machine
> that is likely, if not already, to make micro$ look like chump change.
>
> I sense rather that OpenID is yet another marketing ploy to rake in
> huge piles of cash rather than provide warmth and security that it
> touts in its hype. Already, I see lots of RED FLAGS about being highly
> susceptible to phishing, like what isn't these days.
>
> All of my websites run php forum and CMS software of varying flavors
> so I am not convinced that OpenID is a viable solution to secure them
> against the kinds of attacks I have seen recently and wonder about the
> integrity of a system that claims (from phpMyID):
>
>     * The whole point of OpenID is to allow you to manage your own identity, and phpMyID lets you do that without giving control to a third party.
>     * It's easy to install and easy to configure. Edit just a few lines in your config file, and you're off and running!
>     * Allows "Smart Mode OpenID" (more secure) transactions, even if you don't have a "big math" library available. Seriously, phpMyID comes with a pure-PHP math library which can be used if you want to demand that extra level of security.
>     * Ensures secure password transmission even if you don't have SSL! By using HTTP Digest authentication, phpMyID ensures your password is never sent or stored anywhere in clear or decipherable text.
>
> I would really appreciate an eye opener on this one. It looks like
> more flim flam to me.
>

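The two thresholds Ben gives above (lock after 15 failed logins in 1 minute, refuse more than 50 emails in 1 minute) as one sliding-window counter in PHP. This is an added example, not code from either post, from phpMyID or from any forum/CMS package; the in-memory array storage, the class and function names and the walk-through timestamps are assumptions.

```php
<?php
// Added example, not code from either post or from phpMyID. One sliding-window
// counter serves both thresholds Ben gives: 15 failed logins per minute and
// 50 outbound emails per minute. Assumption: in-memory array storage; a live
// site would keep the timestamps in a shared store (DB, APCu, Redis).
final class SlidingWindowCounter
{
    private array $events = [];   // key => timestamps still inside the window
    public function __construct(private int $windowSeconds) {}

    /** Prune old events and return how many remain for $key as of $now. */
    public function countInWindow(string $key, int $now): int
    {
        $cutoff = $now - $this->windowSeconds;
        $this->events[$key] = array_values(array_filter(
            $this->events[$key] ?? [], fn(int $t): bool => $t > $cutoff));
        return count($this->events[$key]);
    }

    /** Record one event for $key and return the new in-window count. */
    public function record(string $key, int $now): int
    {
        $this->countInWindow($key, $now);
        $this->events[$key][] = $now;
        return count($this->events[$key]);
    }
}

const MAX_FAILED_LOGINS = 15;    // Ben's example: 15 failed logins in 1 minute
const MAX_MAILS_PER_WINDOW = 50; // Ben's example: 50 emails in 1 minute

/** Call on a wrong password; true means lock the account now. */
function onFailedLogin(SlidingWindowCounter $c, string $account, int $now): bool
{
    return $c->record($account, $now) >= MAX_FAILED_LOGINS;
}

/** Call before handing a message to the mailer; false means refuse to send. */
function mayQueueMail(SlidingWindowCounter $c, string $sender, int $now): bool
{
    if ($c->countInWindow($sender, $now) >= MAX_MAILS_PER_WINDOW) {
        return false;   // the last-line-of-defense check in the mail front end
    }
    $c->record($sender, $now);
    return true;
}

// Constructed walk-through: 14 wrong passwords in 20 s leave the account open,
// the 15th locks it, and 61 s later the window has emptied so one more does not.
$failures = new SlidingWindowCounter(60);
$t0 = 1225380000;   // made-up epoch timestamp
$locked = [];
for ($i = 0; $i < 14; $i++) { $locked[] = onFailedLogin($failures, 'webmaster', $t0 + $i); }
$locked[] = onFailedLogin($failures, 'webmaster', $t0 + 20);
$locked[] = onFailedLogin($failures, 'webmaster', $t0 + 81);
var_dump(array_sum($locked) === 1 && $locked[14]);
```

The same counter keyed by sender feeds mayQueueMail() in front of the mailer, which is where a hijacked webmaster account sending bulk spam gets stopped regardless of how the password was obtained.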

