I'm fascinated by Web App Security. The constant fight between adversaries and security experts has always thrilled me. Plus I love the algorithms and the math behind cryptography. In real life though, as a Software Architect, App Security is not a fun game; at least not always.
This is my little story from January 1st 2016, and the lessons I learned.
I used to rent a Virtual Private Server, mainly for hosting my friends' websites, my wife's business email server, plus some of my own pet-projects. That server got seriously hacked, and as I was working as a Security Architect back then, my negligence to secure my own server was not something I could easily digest.
One of those websites, a custom PHP website, had an SQL Injection vulnerability which an attacker exploited to get admin access on its back-office. That, plus several other vulnerabilities eventually gave the attacker root access on my server.
Fortunately, he was not as evil as he could be and didn't do any serious harm. But still, I had to spend several hours changing all my passwords, several hours collecting traces and several hours to notify everyone who was running her website on the server.
Interestingly, the attacker left some (very few) traces behind, making it easy for me to, at least, contact him directly! The trace I used was a URL of a malicious php script he downloaded (via
wget) which was a dropbox-share link. I hadn't noticed before that Dropbox let you post comments on shared files, even if you don't know the owner. So...that was a beginning of our "friendship" with the attacker and for the next few days we exchanged several professional emails, where he explained in lots of details what exactly he did to get access to my server. And to be honest, I initially had the wrong impression on what went wrong.
Here's the presentation I gave at Larissa Developers Meetup with a few tips to apply if you don't want to make new friends the way I did ;-)
Use left-right arrows to move to different topic, and up-down to see next slide in the current topic. Or just press the space bar to go through the whole presentation