[nycphp-talk] OpenID is what?

Anirudhsinh Zala arzala at gmail.com
Fri Oct 31 00:50:59 EDT 2008


On Thursday 30 October 2008 20:59:27 Ben Sgro wrote:
> Hello Mike,
>
> I think you have your real question here:
>
> Having been recently hacked and several of my webmaster email account
> names being hijacked by spammers, I am looking for viable solutions to
> safeguard my websites and the membership of these sites.
>
> How about fixing the problem, instead of adding new security measures?
> Please define "hacked"?
>
> Did they guess the passwords to these accounts - Enforce
> non-standard/dictionary passwords, implement password expiration policies.
> Did they brute force an account - lock the account after N failed
> attempts in Y minutes (example: 15 failed logins in 1 minute).
> Did they sniff traffic - Require all credentials (and maybe everything)
> be sent over SSL.
> Did they sql inject - Bind your params & validate all user input.
> Don't let someone send out >N emails in Y minutes (example: 50 emails in
> 1 minute) - If you control the front end to the mail, you could add some
> last line of defense checks into that.

+1 to this. Prevention is better than cure.

Anirudh Zala

>
> - Ben
>
> mikesz at qualityadvantages.com wrote:
> > Hello NYPHP,
> >
> > Having been recently hacked and several of my webmaster email account
> > names being hijacked by spammers, I am looking for viable solutions to
> > safeguard my websites and the membership of these sites.
> >
> > I just ran across some discussion about openID (yes, I have been in a
> > cave now for some time, lol) and am skeptical that the primary motivation
> > is altruistic like when g$$gle first came on the scene, it too "looked
> > like" a good thing for the planet but evolved into the world's biggest
> > $$$ machine that is likely, if not already, to make micro$ look like
> > chump change.
> >
> > I sense rather that OpenID is yet another marketing ploy to rake in
> > huge piles of cash rather than provide warmth and security that it
> > touts in its hype. Already, I see lots of RED FLAGS about being highly
> > susceptible to phishing, like what isn't these days.
> >
> > All of my websites run php forum and CMS software of varying flavors
> > so I am not convinced that OpenID is a viable solution to secure them
> > against the kinds of attacks I have seen recently and wonder about the
> > integrity of a system that claims (from phpMyID):
> >
> >     * The whole point of OpenID is to allow you to manage your own
> >       identity, and phpMyID lets you do that without giving control to a
> >       third party.
> >     * It's easy to install and easy to configure. Edit just a few lines in
> >       your config file, and you're off and running!
> >     * Allows "Smart Mode OpenID" (more secure) transactions, even if you
> >       don't have a "big math" library available. Seriously, phpMyID comes
> >       with a pure-PHP math library which can be used if you want to demand
> >       that extra level of security.
> >     * Ensures secure password transmission even if you don't have SSL! By
> >       using HTTP Digest authentication, phpMyID ensures your password is
> >       never sent or stored anywhere in clear or decipherable text.
> >
> > I would really appreciate an eye opener on this one. It looks like
> > more flim flam to me.
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
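The two thresholds Ben suggests above (lock an account after 15 failed logins in 1 minute, refuse more than 50 emails in 1 minute from the front end) as one sliding-window limiter in PHP. This is an added example, not code from the thread or from any of the forum/CMS packages mentioned; the class name, the keys and the timestamps are assumed or constructed, and the in-memory store stands in for a database or shared cache.

```php
<?php
// Added example: a sliding-window counter enforcing Ben's two limits:
// 15 failed logins per minute locks the account, 50 emails per minute caps
// outbound mail. Storage is an in-memory array purely for illustration; a
// real site would back it with its database or a shared cache (APCu, memcached)
// so that every web worker sees the same counts.
final class SlidingWindowLimiter
{
    /** @var array<string, int[]> timestamps of recent events, per key */
    private array $events = [];

    public function __construct(private int $limit, private int $windowSeconds) {}

    /** Record one event (a failed login, a sent email) for $key at time $now. */
    public function record(string $key, int $now): void
    {
        $this->prune($key, $now);
        $this->events[$key][] = $now;
    }

    /** True once $key has reached the limit inside the current window. */
    public function isBlocked(string $key, int $now): bool
    {
        $this->prune($key, $now);
        return count($this->events[$key] ?? []) >= $this->limit;
    }

    /** Drop timestamps that have fallen out of the window. */
    private function prune(string $key, int $now): void
    {
        $cutoff = $now - $this->windowSeconds;
        $this->events[$key] = array_values(array_filter(
            $this->events[$key] ?? [],
            static fn (int $t): bool => $t > $cutoff
        ));
    }
}

// Failed logins: key by username (adding a per-IP limiter as well would catch
// attempts spread across many accounts). $t is a constructed timestamp; use time().
$logins = new SlidingWindowLimiter(15, 60);
$t = 1225425600;
for ($i = 0; $i < 15; $i++) {
    $logins->record('user:webmaster', $t + $i);   // 15 failures within one minute
}
echo $logins->isBlocked('user:webmaster', $t + 20) ? "locked\n" : "open\n";
echo $logins->isBlocked('user:webmaster', $t + 75) ? "locked\n" : "open\n";

// Outbound mail: check before calling mail(), record after a successful send.
$mail = new SlidingWindowLimiter(50, 60);
for ($i = 0; $i < 50; $i++) {
    $mail->record('sender:42', $t);
}
echo $mail->isBlocked('sender:42', $t) ? "refuse send\n" : "send\n";
```

A failed-login check should run before the password is verified, so a locked account is rejected with the same response as a wrong password and the lock itself does not become an account-enumeration oracle.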
