Saturday, March 14, 2009

The most interesting security dates

In 1962, the director of the Advance Research Projects Agency (ARPA) in the United States, J.C.R. Licklider, suggested using existing computer communications for military purposes. The goal was to create a distributed communications system based on the fundamental principle that it would continue to function even after a part of the system had been disabled. This suggestion resulted in computer networks becoming the main direction of the agency's research. This can be called the birth of the Advanced Research Projects Agency Network (ARPANET).

This failure is what gave rise to the development of the Internet. Why do I say failure? Because the system's fundamental principle was that it would continue functioning even if a part of it failed. The possibility of a failure was built into the system at its very inception. The main principle was system security, for it was developed for U.S. military needs. But security was exactly what no one paid attention to. This was the case because only professionals had access to computers. Personal computers still being the stuff of science fiction. No one ever thought that a home computer could be used to connect to the military research network. It gets even worse later.

There is no general consensus as to the exact date of the birth of the network. Different sources give different dates, ranging from 1965 to 1970. Many single out 1969, the year ARPANET was created. This was also the year in which the UNIX operating system was developed, which would form the backbone of the Internet for decades to follow.

At the beginning of the 1970s, ARPANET started to expand and connect various research universities. It boundaries extended from one building to include the neighboring states. At first no one even imagined that the network would grow so rapidly and connect so many computers. Consequently, the original communications and data exchange technologies became obsolete in the first 10 years.

The phreaker decade started in 1970. Phreakers were also called hackers, even though they were not directly involved with computers. Their main field of activity was the telephone network. Telephone services were expensive, so teenagers (and quite often not even teenagers) tried to save some money on using this service.

The phreaker era begins from the moment Bell published the phone network control tone frequencies in Technical Assistance Program magazine. 1971 saw the appearance of the Blue Box, used to generate control signal tones. Over the following 10 years, many people used these boxes to save a pretty penny on long-distance calls while the phone companies suffered corresponding losses. Starting in 1980, this disease began to wane, because too many phreakers began getting caught and prosecuted, making this a dangerous endeavor.

Among phreakers were some well-known known individuals, including the founders of Apple Computers, for example. They sold students electronic kits, which included blue boxes.

In 1972, the first electronic mail application appeared, and a year later the network extended beyond U.S. borders, with computers in England becoming connected. The first propositions for and talks about the construction of an international network began in the same year.

But only in 1981 was the computer security center at the U.S. Defense Security Center established. This center was supposed to evaluate computer systems offered to the defense department with regard to their compliance with security requirements.

On Dec. 16, 1981, the trial started against Lewis De Payne, a.k.a. Roscoe, the most infamous of the phreakers. The notorious hacker Kevin Mitnick was also present at this trial, but this time only as a witness. Less than a year later he was not so lucky, was caught during one of his exploits, and was sentenced to a juvenile correction facility.

In 1982, the Transmission Control Protocol/Internet Protocol (TCP/IP) became the main Internet protocol. The number of hosts was increasing and their addresses were used to access network computers. With the appearance of TCP/IP, the development of the Domain Name System (DNS) began. This system allows computers to be addressed by names, taking care of converting names intelligible to humans into addresses understood by computers.

In 1983, Kevin Mitnick was set free. He did not, however, enjoy his liberty for long. Yielding instead to his hacker itch, he again reverted to breaking into computers and, again, was found out. He went underground on the run from the law, successfully evading the authorities until 1985.

In 1984 the DNS system was put into service. Four years later the world learned about the worm threat. In 1988, one of the most extensive Internet worm infections took place. A young Digital worker and Cornell University graduate, Robert Morris, was developing a worm program that was supposed to travel over networks autonomously and infect the files of all compromised computers.

The worm used the password list to obtain logon passwords. The worm program had a list of the most commonly used passwords and looped through them to find those needed to obtain access to other computers. If the password could not be guessed by this method, the worm used the system dictionary to pick the necessary password. Over 7 percent of all Internet computers were infected using this simple method. This was quite a significant number, given the overall number of network computers. The worm was released accidentally and its code was not even finalized. It frightening to ponder what would have happened had Robert Morris finished the worm program.

This was not the end of it, however, for the year. 1988 was the most fruitful in terms of break-ins and resonant hacker trials. The law finally caught up with Kevin Mitnick during the year and, this time, he had to forget about computers for a much longer period.

In 1990, ARPANET ceased to exist, being simply absorbed by the Internet, which continues to swallow all separate networks.

In 1991, the world saw web pages, without which no one could imagine the worldwide web today, for the first time. The Internet community started seeing the Internet in a different light. In the same year, PGP, one of the most successful encryption systems, was introduced. It gradually became a standard in most areas, including E-Mail encryption.

In 1994, Internet users numbered in the millions. So as not to have people just wasting their time staring at monitors, the first attempts at full-fledged commercial activity were undertaken. The Internet was no longer just an information exchange conduit; it had become a vehicle for advertising and moving goods to the masses.

In 1995 domain registration became paid and the era of the domain wars began. Hackers tried to buy up all of the domain names the same as or similar to brand names, or simply to words that are easy to remember. Companies that wanted their domain names match their brand name had to spend big money to “buy back” domain names of this type.

This year was also notable for my buying a modem and joining the Internet community. Before this, I made only occasional and short forays into the net because it was a too expensive pleasure for me.

Tuesday, March 3, 2009

Last month events

Last month was full of events. First of all I had influenza. It was horrible. I don’t like to be sick with flu.

I started a new WEB blog about security and WEB development: Blog: Professional WEB Development. I have several WEB logs, but I do not copy one message on every blog. Each of them has unique information for my readers. At this time the blog contains some useful information for PHP developers. The information is for beginners.

Yesterday I published a new record about security: Fundamentals of Hacker Attacks. I hope it would be interesting for you.

Profwebdev.com built on ASP.NET. In my opinion ASP.NET is one of the most convenient development languages for WEB. I have used several WEB development languages. Most of all I use PHP, but ASP.NET is the second language I use in my WEB projects.

In the end I finished one of my best works I have ever made. It was incredible experience for me. I do not want to say what it was now. I want to take a secret for a while.

Wednesday, February 18, 2009

Proprietary software do not have backdoors

Some people in have an innate fear of closed source. The argument go this way is closed software is bad, because the vendor might have put some backdoors in there. Mmmm. Are you sure open source software do not have backdoors? I’m not. I install Linux on my servers without recompilation of source code files. I use the version compiled by Linux vendor. I don’t know what in there. The source code and compiled version may be different. Any way you can debug closed code and be sure that there are no any backdoors.

Most of users do not look at source code. Most of software developers do not analyze open source files. I don’t have a time to look in other code to see what is wrong. I trust to Microsoft! I trust to Adobe. I trust to other big companies. They don’t have a reason to include the backdoors in their programs. Hackers will know about it. Professional hacker could find backdoor without debugging. To do it you need a sniffer and firewall to find abnormal connections from your computer to any other servers in the Internet.

Excellent post about the problem was published by Joanna Rutkowska: Closed Source Conspiracy.

Wednesday, February 4, 2009

Comprehensive information about SQL Injection

SQL Injection is the most commonly used database attack in the Internet. The best place to get know about the problem is a SQL Injection and PHP. It is my old article written about 4 years ago and published on the blog about a year ago. The story tells us about inserting SQL command into a SQL query. Many websites are exposed to SQL injection attacks but their administrators and owners don't know it. Almost every day I hear about new vulnerabilities. The article describes basic information about the SQL Injection.

I have been working as WEB developer and security tester for a long time. I have seen a lot of WEB sites that have SQL Injection errors. The vulnerability is known for a long time. The most horrible thing is WEB developers still make errors in their scripts. The source of errors is the human factor and lack of knowledge.

To avoid the human factor I use automatic checking software. The software test can't give us 100% guaranty. No one can do it. A good automatic test allows you to save your time. Check you scripts before uploading on a test system with the automatic test. Use the manual test for changed files as additional inspection.
A real example of the SQL Injection vulnerability may be found in the Critical SQL Injection article. The vulnerability on the berkeley server was quite critical. The attacker could discover usernames of the server (view the /etc/passwd system file) and open any file in system directories. The article shows us how to use LOAD_FILE function to load the file's content to WEB page using SQL Injection error. The article shows us an example of manual test for the SQL Injection error.

Monday, February 2, 2009

ProfWebDev.com: WEB consulting company

I have been working as WEB consultant for a long time. The WEB consulting includes the WEB development and WEB security analytic. People contact me quite often. They want my help with the WEB development or security testing their websites. I decided to make my own WEB site to help my clients to know about the services I could provide: WEB Development and security testing. The address of the new WEB site is: www.profwebdev.com.
The main services I could provide to my clients are:
  • WEB development - I can develop a new WEB site or enhance an existing WEB site.
  • WEB optimization - I can optimize your WEB presence to bring you new customers. The service includes search engine optimization.
  • Security testing - I can test your WEB site for vulnerabilities.

My services are useful for small companies, small businesses and startup projects. The Internet services are very expensive. Small businesses can't afford to have their own high quality professional. I share my experience with my clients to bring their business to a new level.
Small companies don't have to have their own security specialist or WEB promoter who provide these services at full time. Using WEB consulting allows anyone to reduce the Internet presence expenses.

Friday, January 23, 2009

WEB Development and WEB Security

I created this blog to talk about WEB development and security. I’m fond of security and I’m fond of WEB development. I have many several WEB sites I created myself using PHP and ASP.NET. My favorite language is PHP but I like ASP.NET too. It is a great WEB programming language created by Microsoft.

I'm interest in security because I'm WEB developer. When you write WEB scripts you have to be assured that your WEB site will not be broken by hackers. In my opinion every WEB developer must be the security specialist in WEB technologies to write secure code.

The first WEB site I created about 10 years ago was software for security specialists and network administrators (www.cydsoft.com). All software products at the site are developed by me. At this blog I'm going to talk about by software too. My favorite software development language is C#. Besides I know and I use in my work C++, Java and Delphi.