
Topic: Need web/PHP and penetration testers

hero member
Activity: 699
Merit: 500
@altcoinhosting Thank you very much for taking the time to inform us about the threats you faced. The information provided has been very helpful indeed.

Sorry for not informing everyone, but this topic has been closed for some time now. We completed the test successfully. Thank you for your support.


We've publicly released one of many lists of features, for testing.

hero member
Activity: 896
Merit: 1005
My servers have been compromised numerous times in the last 16 years... What I've learnt (the hard way):

95% of my security breaches happened because of unpatched scripts (commercial, open source or homebrewed).
To have some basic security you need to:

- choose a secure OS; I would personally recommend SUSE or RHEL if you're actually working with money. I would personally stay away from Windows Server (although it has become pretty secure over the last couple of years)
- harden your OS... an example for RHEL5: https://www.nsa.gov/ia/_files/os/redhat/NSA_RHEL_5_GUIDE_v4.2.pdf
- make sure you don't install any software that isn't strictly necessary, and always choose the most secure option (for example, I like to use PostgreSQL instead of MySQL if my script is properly written and allows me to choose)
- make sure your OS, installed binaries and installed scripts are always up to date
- if you do your own scripting, make sure you know what you're doing. One of the most used techniques (SQL injection) was already mentioned, but there are numerous other errors a scripter can make
- if possible, find somebody to do a decent penetration test (I guess that's what you're trying to do here)...
- spend some time thinking about rules and procedures for your staff; it wouldn't be the first time a business is compromised by social engineering instead of "real" hacking

I probably forgot some extra points of attention. And don't forget: the only service that can't be compromised is the service you never put online. Everything can be compromised, even the most secure and well-written systems.

My main point is: don't put all your eggs into one basket; make sure your whole concept is as secure as possible instead of just checking if all your scripts follow security standards...




legendary
Activity: 1523
Merit: 1001
NOBT - WNOBT your saving bank
I would suggest you read up on server security in general, rather than hoping 'encryption' by itself will magically solve all your problems for you.
hero member
Activity: 765
Merit: 503
February 23, 2015, 02:34:03 AM
#6
> General things to keep in mind with your DB. Make sure no MYSQL injection is possible, secure ALL user input. And most importantly encrypt passwords and maybe even emails with SHA256. This means if the hacker gets in your database he won't know the users' real passwords and emails which he could use to log into other sites if they use the same password for multiple sites. Please

Hash an email and you won't be able to email your customers!
hero member
Activity: 699
Merit: 500
February 23, 2015, 01:48:30 AM
#5
> General things to keep in mind with your DB. Make sure no MYSQL injection is possible, secure ALL user input. And most importantly encrypt passwords and maybe even emails with SHA256. This means if the hacker gets in your database he won't know the users' real passwords and emails which he could use to log into other sites if they use the same password for multiple sites. Please spend the money on a quality tester so that your site and money are safe; you should not cheap out on security.

The security is bigger than that. Everything except names is encrypted or hashed (AES 196-bit, SHA-1, SHA-256) on a different database separate from the server, and another client, connected via a client-server model, backs up data which cannot be encrypted. In this day and age where every business is getting hacked, you can never be too secure.
sr. member
Activity: 420
Merit: 250
Ever wanted to run your own casino? PM me for info
February 23, 2015, 01:10:03 AM
#4
General things to keep in mind with your DB. Make sure no MYSQL injection is possible, secure ALL user input. And most importantly encrypt passwords and maybe even emails with SHA256. This means if the hacker gets in your database he won't know the users' real passwords and emails which he could use to log into other sites if they use the same password for multiple sites. Please spend the money on a quality tester so that your site and money are safe; you should not cheap out on security.
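The two points in the post above (no SQL injection, no recoverable passwords in the database) as an added PHP example. This is not code from the thread or from the NyeFe project. The post suggests SHA256 for passwords; the example instead uses PHP's built-in password_hash()/password_verify(), because a bare SHA-256 of a password has no salt and no work factor, so an attacker who dumps the table can test billions of guesses per second offline. E-mails are kept in clear text, since, as a later reply points out, a hashed e-mail cannot be mailed to. The table names `users_legacy` and `users`, the column names, and the sample user are assumptions made for the demo; SQLite in memory stands in for MySQL so it runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Table/column names and the
// sample user are assumptions; the data below is constructed for the demo.

// In-memory SQLite so the example runs offline. For MySQL use a DSN such as
// "mysql:host=...;dbname=...;charset=utf8mb4" and additionally set
// PDO::ATTR_EMULATE_PREPARES to false so prepares happen server-side.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users_legacy (id INTEGER PRIMARY KEY, email TEXT UNIQUE, pw_sha256 TEXT)');
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, pw_hash TEXT)');

// --- Legacy, vulnerable design: unsalted SHA-256 and string-built SQL -------

function registerLegacy(PDO $pdo, string $email, string $password): void
{
    // Unsalted SHA-256: two users with the same password share a hash, and a
    // stolen table can be cracked with a plain GPU dictionary attack.
    $pdo->exec("INSERT INTO users_legacy (email, pw_sha256) VALUES ('$email', '"
        . hash('sha256', $password) . "')");
}

function loginLegacy(PDO $pdo, string $email, string $password): bool
{
    // Both inputs are spliced into the query string: classic SQL injection.
    $sql = "SELECT id FROM users_legacy WHERE email = '$email' AND pw_sha256 = '"
        . hash('sha256', $password) . "'";
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC) !== false;
}

// --- Hardened design: prepared statements and password_hash() --------------

function registerUser(PDO $pdo, string $email, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (email, pw_hash) VALUES (:email, :hash)');
    // password_hash() (bcrypt by default) generates a random salt per user and
    // embeds the cost factor in the hash, so it can be raised later.
    $stmt->execute([
        ':email' => $email,
        ':hash'  => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

function loginUser(PDO $pdo, string $email, string $password): bool
{
    // Bound parameter: the value travels separately from the SQL text, so
    // quotes or comment markers inside $email cannot change the query.
    $stmt = $pdo->prepare('SELECT pw_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() reads salt and cost from the stored hash and compares
    // in constant time; the password itself is never stored.
    return $row !== false && password_verify($password, $row['pw_hash']);
}

// --- Demo with constructed data ---------------------------------------------

registerLegacy($pdo, 'alice@example.com', 'correct horse');
registerUser($pdo, 'alice@example.com', 'correct horse');

// Attacker-supplied e-mail: closes the string literal, ORs in a tautology and
// comments out the password check.
$injected = "alice@example.com' OR 1=1 --";

echo 'legacy, correct password:   ', var_export(loginLegacy($pdo, 'alice@example.com', 'correct horse'), true), PHP_EOL;
echo 'legacy, injected e-mail:    ', var_export(loginLegacy($pdo, $injected, 'anything'), true), PHP_EOL;
echo 'hardened, correct password: ', var_export(loginUser($pdo, 'alice@example.com', 'correct horse'), true), PHP_EOL;
echo 'hardened, injected e-mail:  ', var_export(loginUser($pdo, $injected, 'anything'), true), PHP_EOL;
echo 'hardened, wrong password:   ', var_export(loginUser($pdo, 'alice@example.com', 'wrong'), true), PHP_EOL;
```

Run it with `php example.php` (pdo_sqlite enabled). In the legacy path the injected e-mail alone yields a row, because the `--` turns the rest of the WHERE clause into a comment; in the hardened path the same string is just an e-mail address that matches nothing. The same prepared-statement rule applies to every other query that touches user input, not only logins, and PDO's named placeholders can be used for every value but not for table or column names.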
hero member
Activity: 1064
Merit: 505
February 23, 2015, 01:07:47 AM
#3
You want us to hack your web?
hero member
Activity: 686
Merit: 502
February 22, 2015, 06:07:53 PM
#2
I'm always willing to help out where I can, I have quite a bit of security background and php experience.
hero member
Activity: 699
Merit: 500
February 22, 2015, 05:54:04 PM
#1
We're working on NyeFe, which is similar to BitPesa and Robocoin, however cheaper, allows the use of Visa and debit cards, and includes user stores (similar to eBay) and additional payment methods.

We need extra web developers to push the project, so it can be released in less than 4 months. Penetration testers are needed to exhaust our security, so we can identify security breaches sooner rather than later.
