I am very happy to see this subject appear in this list; security is so
commonly overlooked. The number one exploit hackers use is buffer
overflows, and the top two places they look are format strings and network
packets.

>And? What can be done if a buffer overflows? It's perhaps a basic
>question, but I really don't know anything about *hacking*.
>And I'm sure I'm not the only one there :)

The most effective defenses are simple:

- NEVER use sprintf and strcpy; always use snprintf and strncpy instead.
- Know how the function works in all cases. For example, in what cases
  does strncpy not null-terminate a string? Does snprintf append a null
  terminator beyond the array limit? Etc.
- Use dynamic memory allocation versus stack. Most exploits deal with
  stack manipulation.
- Initialize all variables to a known value (for example zero).
- Always encrypt passwords; never pass them in clear text (ouch, rcon).
- For encryption always use well-tested algos like DES, AES, etc.
- Never make your own encryption or use XORs. It may look secure but is
  very easy to crack.
- Never use time of day for keys or any part of encryption, since TOD is
  predictable.
- When receiving network traffic, VALIDATE ALL FIELDS. Don't look at one
  field and assume the rest are valid. There are some really wicked
  exploits of the IP protocols because of drivers performing poor boundary
  checks.

>But, I wonder if the hacker can hack the program without its source
>code... It looks quite hard if he hasn't the source code, because he
>wouldn't know where there is a risk of buffer overflow, does he?

It doesn't really matter: an attacker will start at the point he has most
access to (normally text input) and work from there. His first goal is
to find an input that will crash the program. Then, using a debugger, he
examines the stack of the crashed program and tries a variety of strings
until he can predict how to get what he wants on the stack, and boom, the
hack is done.

After that they will go to network packets, by sniffing. Once they
identify the packet structure, they will start replacing/removing bytes
from the message until the server crashes. Then the exploit progresses
as above.

Bad programming is a hacker's best friend!!!!

>I'm also concerned after reviewing the site, I'm not sure if their hat
>colour is black, white, or maybe 'grey'.

Bugtraq is a community of security analysts, not hackers. They normally
do not post exploits until the vendor is ready with a patch to fix the
exploit. In cases where the vendor ignores the security concern or fails
to take action, the exploit is published to inform the community of
possible security risks in their networks.

For whatever it is worth, I am not a hacker; I work for a software
security firm that specializes in identifying and preventing software
attacks for Fortune 500 companies over the internet.
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
http://list.valvesoftware.com/mailman/listinfo/hlcoders
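The strncpy/snprintf points in the defense list above, as an added C example that is not part of the original mail: strncpy() leaves no terminator when the source fills the buffer, while snprintf() always terminates within the given size and reports truncation through its return value. The helper names (safe_copy, safe_format, raw_strncpy_terminated) are assumed for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Copy src into dst[dst_size] and guarantee termination.
 * strncpy() zero-pads short sources but writes NO terminator when
 * strlen(src) >= n, so the terminator is always written explicitly.
 * Returns true if src fit entirely, false if it was truncated. */
bool safe_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return false;
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return strlen(src) < dst_size;
}

/* Format a constructed "player=<name> score=<n>" line into dst.
 * snprintf() never writes past dst_size and (for dst_size > 0) always
 * terminates inside the buffer; it returns the length it *wanted* to
 * write, so a result >= dst_size signals truncation. */
bool safe_format(char *dst, size_t dst_size, const char *name, int score)
{
    int n = snprintf(dst, dst_size, "player=%s score=%d", name, score);
    return n >= 0 && (size_t)n < dst_size;
}

/* The pitfall itself: raw strncpy() with n == sizeof(dst). Returns
 * whether any terminator ended up inside the 8-byte buffer. A later
 * strlen()/printf() on such a buffer reads past its end. */
bool raw_strncpy_terminated(const char *src)
{
    char dst[8];
    memset(dst, 'X', sizeof dst);       /* constructed stale contents */
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) != NULL;
}

int main(void)
{
    char buf[8];
    printf("safe_copy fit: %d -> \"%s\"\n",
           safe_copy(buf, sizeof buf, "way too long input"), buf);
    printf("raw strncpy terminated: %d\n", raw_strncpy_terminated("12345678"));
    printf("safe_format fit: %d\n", safe_format(buf, sizeof buf, "ab", 1));
    return 0;
}
```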

