Re: WebObjects App Open To Hackers - [ THE ENGINEER'S REPORT ]
Subject: Re: WebObjects App Open To Hackers - [ THE ENGINEER'S REPORT ]
From: "Jonathan Fleming" <email@hidden>
Date: Wed, 09 Jul 2003 13:53:57 +0100
Right then, guys,
I got hold of the Microsoft engineer who caused this alarm, and here is what he said...
He stated that the person who passed the message on to me was probably panicking more than was necessary and made more of the situation than was warranted, but the engineer pointed out that there are holes in the security of any server. What he was pointing to in particular was that:
1 ) If you know about networks you could easily work out the subnet of the IP address. If the IP address is exposed, you might then be able to make yourself or your machine a part of the local subnet, so using a basic security measure such as an alias to cover up the IP address is a recommended move.
2 ) If you have tools like a port scanner and a password scanner then you are very well armed to hack into a good selection of sites, either through ftp, which runs on port 80 and is a two-way open connection, or any other port that has to be open to the net like the obvious port 21. These are holes that not even a firewall can stop, as the firewall has to leave them open for user access, therefore it is always wise to make sure your passwords include digits, underscores and other special characters that can be used. I'm told that in some cases an especially clever trick is to use an arrow key, as it registers as a special character but does not show its characteristics; basically the character is blank, but it doesn't always work.
3 ) He said to block off ping -- something about ping of death or long ICMP -- and to make ports stealth, but he didn't elaborate on this and moved on quickly without much explanation, so I couldn't grasp what he was saying exactly. Anyhow, he did say to go on the net (Google) and type in Black Hat and White Hat Security, Black Hat being where you would want to hack stuff and White Hat being where you would want to secure stuff. Through the list of sites that would come up you will learn about all of these hacking and security practices. Typing in any of the word descriptions presented in this post will present a good variety of examples and knowledge.
4 ) By visiting these sites you will find tools such as our engineer has described that you might want to use to hack your own site in order to secure the loopholes you may find; tools such as the port scanner and password scanner are freeware readily available for download. Scary, eh!
5 ) What he did point out is that he used his port scanner to see what was open and found himself looking at the tree of the machine. Now, he only did this because he is a good friend of the client, just to see how secure his site was and how much tighter it could be made, but he did say that unless the hacker was just a saboteur, there was not much that the hacker would be interested in with that particular site. However, if it was something of interest like a bank or other security-dependent site, then these tiny loopholes would need to be addressed seriously, as they will in actual fact cause a big problem later on.
6 ) The good thing is that with WebObjects providing its own security and the web server being locked down by your server administrator, if they're good at their job, you've not got a lot to worry about. The key lies in a good server admin locking all this stuff down in the first place, but it wouldn't hurt to highlight loopholes to them if they've missed stuff that you can find by doing your own bit of hacking... after all, we are only human and humans are full of mistakes.
There were many other things he said he could have covered, but that would take as long as it has taken me to learn WebObjects... Exactly, I'm still learning, as many or all of us are.
Jonathan ;^)
Knowledge is a gift that is not ours to keep, but ours to pass on for the benefit of others.
webobjects-dev mailing list | email@hidden
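The engineer's advice in items 2 to 5 of the message above amounts to scanning your own host to see which ports answer, and to dropping rather than refusing traffic to the ports you do not serve ("stealth" ports). The following is an added example, not code from the original message, from the engineer, or from WebObjects: a small Python TCP connect scanner that tells apart an open port (and grabs whatever banner the service volunteers), a closed port (the kernel answers with RST) and a filtered port (no answer before the timeout, which is what a firewall DROP rule looks like from outside). It runs entirely against 127.0.0.1 using constructed listeners that stand in for real daemons; the banner text, the hypothetical demo() helper and the ephemeral port numbers are all assumptions made for the example. For reference, FTP's control channel is TCP port 21 and HTTP is TCP port 80.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe_port(host, port, timeout=0.5):
    """TCP connect probe of a single port.

    Returns (port, state, banner) where state is one of:
      'open'     - connect completed; banner is whatever the service sent
                   within `timeout` seconds ('' if it waits for us to talk)
      'closed'   - host replied with RST: nothing listening and no filter
      'filtered' - nothing came back before the timeout, which is how a
                   firewall DROP rule (a 'stealth' port) appears from outside
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return port, "closed", ""
        except OSError:                      # socket.timeout, no route, etc.
            return port, "filtered", ""
        try:
            banner = s.recv(128).decode("ascii", errors="replace").strip()
        except OSError:                      # silent service: recv timed out
            banner = ""
        return port, "open", banner


def scan(host, ports, workers=32):
    """Probe `ports` concurrently; return {port: (state, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: probe_port(host, p), ports)
        return {p: (state, banner) for p, state, banner in results}


def start_fake_service(banner):
    """Constructed stand-in for a daemon: accept a client, send `banner`, close.

    Binds an ephemeral loopback port (an assumption for the example).
    Returns (port, stop_event); set the event to shut the listener down.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.1)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


def demo():
    """Hypothetical self-test: scan loopback against two fake services plus
    one port that is bound but never listen()ed on, so the kernel answers
    RST. Returns (results, ftp_port, web_port, closed_port)."""
    ftp_port, stop_ftp = start_fake_service(b"220 fake FTP service ready\r\n")
    web_port, stop_web = start_fake_service(b"")   # HTTP-like: client speaks first
    held = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    held.bind(("127.0.0.1", 0))                     # bound, not listening
    closed_port = held.getsockname()[1]
    try:
        results = scan("127.0.0.1", [ftp_port, web_port, closed_port])
    finally:
        stop_ftp.set()
        stop_web.set()
        held.close()
    return results, ftp_port, web_port, closed_port


if __name__ == "__main__":
    results, *_ = demo()
    for port, (state, banner) in sorted(results.items()):
        print(f"{port:5d}/tcp  {state:8s}  {banner}")
```

Point `scan()` at your own server with a real port list (say `range(1, 1025)`) and anything reported `open` that is not your web server or WebObjects adaptor is a service to shut down or firewall; a `filtered` result is the stealth behaviour the engineer was describing, while `closed` tells an attacker the host is up and simply has nothing on that port.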