[BlueOnyx:05467] Re: Dealing with /admin URL 'hijacking

Stephanie Sullivan ses at aviaweb.com
Sat Sep 25 22:07:51 -05 2010


Ah, James,

Indeed security through obscurity is not security. However, changing default
paths improves the odds of avoiding an attack and can be an important part
in an overall security plan. In fact suggesting one thing is "the answer" is
not at all my intention and I hope you are not trying to suggest there is "a
solution"...

And if the client is breached, gets shell, and well, whatever, the server is
potentially much more at risk. Far more so than if the client was not
breached.

In any case, I may not have been clear in my wording when I was writing
about who is responsible where. The client may claim the hosting company had
some complicit negligence. Even if not true, legal fees can be staggering
and the overhead of a defense great.

Reputations can be trashed, even when not deserved, and that has
repercussions.

If my client gets hacked it's bad for them and that is bad for my business,
especially if they go out of business.

            Thanks,

                        -Stephanie

From: blueonyx-bounces at blueonyx.it [mailto:blueonyx-bounces at blueonyx.it] On
Behalf Of James Darbyshire
Sent: Saturday, September 25, 2010 7:38 PM
To: BlueOnyx General Mailing List
Subject: [BlueOnyx:05466] Re: Dealing with /admin URL 'hijacking

Steph,

But what you are suggesting is that security by obscurity is the answer in
this case - which is a dangerous path to follow.

It may be easier for someone to break into the CMS than into the BO backend,
but once they are into BO then they can do everything you suggested, not
only to one site, but to every site on that host.

I don't know how you run your business, or how the law works in the US, but
here in Australia the client is responsible for the security of what they
install on their website, and the host is responsible for the security of
the server. If a CMS was hacked, I would not be responsible.

Of course the optimal solution would be to use some kind of TLS and
intelligent intrusion detection software on both systems which locks access
out when it thinks an attack is taking place.

Rashid, I suspect you are correct on saying that BO authentication is
probably harder to crack than that of a stock CMS, but the point should be
that yes an attacker can get into one website and cause havoc, but only
within that CMS on that specific site. Other sites will be unaffected. I
would also hazard a guess that many people are not as vigilant as you or I,
and do not frequently change their passwords.

In short, I don't believe security by obscurity is the answer in either
case, but I would rather the attacker accessed one site only, and not the
server which has access to all.

Regards,

James Darbyshire

Sent from my Samsung DroidT

On 26/09/2010 1:28 AM, "Stephanie Sullivan" <ses at aviaweb.com> wrote:

I must not concur. That's not the worst thing. Picture this:

They break into my client's zencart, oscommerce or CC processor integrated
cms (as joomla and drupal have plugins/extensions and I have clients using
them). They get into the client's site and modify the CC credentials to
process using their bogus merchant account. Maybe they put a hack in to
steal their CC numbers. Now you have a security breach that has big legal
implications that you and/or your client have to legally disclose in the US.
You probably have clients screaming at you about bogus charges on their
card. Eventually the site is defaced and their tracks are covered by wiping
most of your database. 

Finally your client's reputation is damaged/destroyed and they are angry
with you and spread the word they got hacked on your platform damaging your
reputation, etc.

I would think it's far from the worst thing. Of course it may be worse if
you are the client than the hosting company.

                Thanks,

                                -Stephanie

From: blueonyx-bounces at blueonyx.it [mailto:blueonyx-bounces at blueonyx.it] On
Behalf Of James Darbyshire
Sent: Saturday, September 25, 2010 10:30 AM
To: BlueOnyx General Mailing List
Subject: [BlueOnyx:05461] Re: Dealing with /admin URL 'hijacking

I disagree. Certainly it is not best practise for any admin functions to be
accessible through ...


_______________________________________________
Blueonyx mailing list
Blueonyx at blueonyx.it
http://www.blueonyx.it/mailman/listinfo/blueonyx