SECURITY 101Some of what you need to know

Owen WinklerRock River Star

http://RockRiverStar.com/@ringmaster

The plan

What security is Security on the web Types of threats Tools and sites Impact of Security

What security is

Wikipedia Says

Ancient Greek “Se-Cura” – “without fear”

Obtain freedom from fear

Layers of Security

gate house safe

Convenience

What to do when my crap gets stolen…

Call cops Replace it Steal it back File insurance claim

Just like real security

Computer security

Application Security

Password Strength Social Engineering

Password Strength

http://www.wired.com/politics/security/commentary/securitymatters/2006/12/72300

Top 20 Passwordspassword1, abc123, myspace1,

password, blink182, qwerty1, fuckyou, 123abc, baseball1,

football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23,

slipknot1, superman1, iloveyou1,

And of course… monkey

Passwords

People don’t care L3tt3r5 a5 numb3r5 Master password Signed logins Sharing and storing Two-factor!

The inverse of layered security is…

Site Password Database password Server password Account password Datacenter access Global economic failure Thermonuclear war

Permissions

Authentication vs. Authorization See only authorized information Post-deployment accounts

Vulnerabilities

From wikipedia: A weakness that makes a threat possible

Input validation XSRF – Cross site request forgery XSS – Cross site scripting SQL-I – SQL injection

Input Validation

Every input & every output Filter for what you want Validation in Drupal

Ajax View arguments PHP execution Input filters check_plain() and check_markup()

XSS Bad input/output filtering Elevated user privileges

XSRF

Form on a remote site Social engineering

SQL injection

Bad input filtering Insert from the querystring Drupal mostly safe

Testing

Automated testing Eyeball inspection Expectation

Drupal Security

Direct advisories – http://drupal.org/security

Contrib – http://drupal.org/security/contrib

New Reports: security@drupal.org

Server permissions

Computer-level security User uploads

File types Sizes SFTP Directories

chmod & chown

Mode settings Three octal values UGO – User, Group, Other RWX – Read (4), Write (2), Execute

(1)sudo chmod -R ugo+r *

chown sets owner:groupsudo chown -R owen:apache *

What is +s?

Hosting & PHP

Up to date Patched applications eval() and other evils Performance Reliability

Backups

s3cmd rsync Subversion! Host-based recovery

Impact of Implementation

Why I care about you: Bot-nets

Appreciative users & clients

Any questions or additional topics?

Security 101