Ben Tasker's Blog

Why You Shouldn't be using SHA1 or MD5 to Store Passwords

There are a lot of badly coded sites out there, and far too many sites still seem to be falling prey to SQL Injection vulnerabilities resulting in a lot of high profile leaks of user data.

I wrote quite some time ago on The Importance of Salting Stored Passwords And How To Do So Correctly, but whilst the underlying message remains correct, the techniques for doing so have been outpaced by technology.

Although still widely used, fast general-purpose hash functions such as SHA1 and MD5 are no longer adequate for protecting stored passwords: they are cheap to compute, so a leaked table of digests can be brute-forced at enormous speed, salted or not.

In this post we'll be exploring why you shouldn't be using MD5/SHA1 and how you should be storing passwords.
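As an added example (not code from the original post), the snippet below contrasts an unsalted MD5 digest with a salted, iterated password hash built from the Python standard library alone. The record format (`algorithm$iterations$salt$digest`) and the iteration count are this example's own choices, not a recommendation from the post.

```python
# Added example, not code from the original post: an unsalted fast digest versus a
# salted, iterated password hash, using only the Python standard library. The record
# format and iteration count below are this example's own assumptions.
import hashlib
import hmac
import os

# Iteration count chosen for illustration; raise it as far as your login latency allows.
PBKDF2_ITERATIONS = 200_000
ALGORITHM = "pbkdf2_sha256"


def naive_md5(password: str) -> str:
    """The legacy approach: one fast, unsalted MD5 digest per password.

    Two users with the same password get the same digest, and a leaked table can be
    attacked with a precomputed dictionary or at hundreds of millions of guesses a second.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)  # fresh random salt for every password, never reused
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False  # unknown or malformed record: refuse rather than guess
    _algo, iterations, salt_hex, digest_hex = parts
    try:
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, expected)


def salts_make_records_differ(password: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """The same password hashed twice yields two different records, unlike naive_md5."""
    return hash_password(password, iterations) != hash_password(password, iterations)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("md5:   ", naive_md5("correct horse battery staple"))
    print("record:", record)
    print("verify:", verify_password("correct horse battery staple", record))
    print("wrong: ", verify_password("Tr0ub4dor&3", record))
```

Storing the iteration count inside each record lets you raise the cost later and re-hash users transparently at their next successful login. PBKDF2 is used here because it ships with the standard library; a memory-hard function such as scrypt or bcrypt is the stronger choice where a library for it is available.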

Read more ...

Schema.org - Something's afoot..

There's speculation that Schema.org may have been compromised in some manner. A number of people (including myself) have noticed some very spammy links showing up in Webmaster tools as Itemtypes under Structured Data.

Rather than displaying (for example) http://schema.org/SiteNavigationElement, there's an itemtype pointing to various URLs on domains including www.yalwa.com, locanto.fr and askalo.fr. The only thing any of the sites have in common is their use of Schema.org.

Curiously, you can also reproduce the issue using the Structured Data Testing Tool and entering a small HTML snippet. The issue only seems to be affecting those in Europe though, with US users only able to reproduce by using an EU based proxy.

Read more ...

Cookies: Taking Transparency a Step Further

Contrary to the belief of some, the EU E-Privacy Directive was never about stopping cookies. It was always about raising awareness of what they are, which ones are set and how they can be misused. It was, and still is, a cause of annoyance for many - especially as only four member states have currently adopted the provisions.

Whilst I don't think the implementation was correct, the underlying principle is sound - we should be ensuring users are aware of what data we're storing in their browser and how it's used. Most sites, in my opinion, don't go nearly far enough to achieve this, instead just scraping the minimum standard.

In this post, we'll be exploring what I think we're doing wrong, and what we should be aiming for.

Read more ...

Darkleech Apache attacks on the rise, but is it really that hard to detect?

Reports of CDorked.A infections are still on the rise by the looks of things. The attack is reported as 'hard-to-detect', but this should only be true for the more naive sysadmins out there.

Whilst it's true that CDorked changes nothing on disk, except the HTTPD binary, this change alone should be triggering alerts. On a production server, you should be storing checksums of known good files and comparing these regularly to see if anything's changed.

As some obviously aren't following this basic step, in this post we'll look at what you need to do to at least be made aware if CDorked gets onto your system - it'd be nice to be able to do a post on avoiding it, but the attack vector is still unknown!
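The check the post describes, as an added example that is not part of the original post: record a SHA-256 baseline of every file under an install tree, then re-walk the tree and report anything modified, added or removed. The fake `sbin/httpd` binary and `conf/httpd.conf` used in the demo are constructed for this example, and the baseline is kept in memory only for the demo.

```python
# Added example, not code from the original post: a minimal baseline-and-compare
# file-integrity check. The "httpd" install tree it builds is constructed for the demo.
import hashlib
import json
import os
import tempfile


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every regular file under root (relative, '/'-separated path) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # hash targets, not links; a swapped symlink shows up as 'modified'
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline: dict, root: str) -> dict:
    """Re-hash the tree and classify every difference from the stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def simulate_tamper() -> dict:
    """Baseline a fake Apache install, replace the httpd binary, and re-check.

    Mirrors the CDorked case described above: the only on-disk change is the binary.
    """
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sbin"))
        os.makedirs(os.path.join(root, "conf"))
        with open(os.path.join(root, "sbin", "httpd"), "wb") as fh:
            fh.write(b"\x7fELF original httpd")  # constructed stand-in for the real binary
        with open(os.path.join(root, "conf", "httpd.conf"), "w") as fh:
            fh.write("ServerRoot /usr/local/apache2\n")

        # In production the manifest goes to read-only media or another host; an
        # attacker who can replace httpd as root can also rewrite a manifest kept beside it.
        manifest = json.dumps(build_baseline(root), sort_keys=True)

        # Simulate the backdoor: same path, same name, different bytes.
        with open(os.path.join(root, "sbin", "httpd"), "wb") as fh:
            fh.write(b"\x7fELF backdoored httpd")

        return compare(json.loads(manifest), root)


if __name__ == "__main__":
    print(json.dumps(simulate_tamper(), indent=2))
```

Run it from cron against the real `ServerRoot` and alert on a non-empty report. Where the distribution's package manager is available, its own verification (`rpm -V` on RPM systems, `debsums` on Debian-based ones) gives a second opinion against the vendor's checksums rather than ones you generated yourself.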

Read more ...

Changes to the site

Over the last week or so, I've implemented some improvements to the site. Some (like the change in default colours) are obvious, others are more subtle.

Read more ...