Is anything safe? What online image are you giving?

Lifehacker features a pretty interesting list of ways to find information about anyone online. Anything from employment info, to social network connections, to press mentions, to phone numbers and addresses for an individual could be turned up with a quick search of these sites.

I see this as a good chance to check out my online image and to screen what others can see about me. Employers and contacts do check these kinds of things to get a feel for what someone has done or what he or she is like. This is definitely something to take a look at.

  • Pipl – personal sites, social networks, press releases, etc.
  • Zabasearch – phone numbers, addresses (often both unlisted and listed)
  • Wink – Many social networking sites, including Friendster, LinkedIn, MySpace, Twitter, and Xanga
  • Zoominfo – employment history and job titles
  • Facebook – there are so many people on Facebook. This one goes without saying.
  • Who is this Person Firefox Extension – brings up people search engines from the right-click menu within Firefox when clicking on a person’s name
  • Google search tricks:

* Enclose the first and last name of the person you’re searching for in quotes when you enter it into the search box (like “John Smith”).
* Include other relevant words, like the person’s profession, employer, location, or screen name, too (like banker or Austin, Texas.)
* If the person you’re searching for is likely to appear on a particular web site–like a school–search only that site using the site:URL operator (like site:ucla.edu “John Smith”).
* To look up people by face, search for them on Google Images to get a quick visual–especially useful for people with common names, or to determine the gender of a name you never heard before.

Lifehacker: How to Track Anyone Down Online

A Few Web Development Tips to Secure Your Web App

This is somewhat old news (the original blog was written November 2006), but it’s a really good collection of simple things we can all keep in mind to avoid gaping security holes as we develop new web applications. Included are reminders about the vulnerabilities in browsable directories, plain-text variables, and freely visible web stats from tools such as Webalizer (a noted security vulnerability).

A few things I would add to the list include warnings about cross-site scripting vulnerabilities involved in careless variable passing (explanation here), SQL injection in forms, and predictability in the locations you place important files (system, admin, or install files). All of these items open doors for malicious outsiders to learn how your system is set up and find ways to exploit it.

You may think you’re safe from hackers, spam or any sort of malicious activity, but this stuff happens all the time to all sorts of websites. All it takes is a small hole and a script-kiddie with too much time on his or her hands to turn your hard work into a nightmare.

Michael Sutton’s Blog: Top 10 Signs You Have an Insecure Web App

Interesting Security Exploits

Talking with my good friend Chris Mueller this afternoon, we stumbled across an article about a cross-site scripting sort of vulnerability that’s pretty widespread on the internet.

The general background is that many dynamic websites, including probably this one, use forms or variables in the URL of the page to communicate information from one page to the next. This includes things like login information, page choice, and virtually any link that changes over time. (Mousing over the “Most Recent Entries” links at the right gives ….?entry=entry839402874 and such.)

This is hackable because, though my password might be unhackable, once I’m logged in to the admin or user-privileged portion of a site, a hacker can send me to a page that essentially gets me to do their work for them. They do this by adding a tag to a page whose link points at the privileged action. Because the user is already logged in on their site, when this page opens the link within the tag, the request goes through, changing database entries, deleting pages, or even adding users with administrative privileges.

If only the vulnerability stopped there….

Unfortunately, it’s also possible to create a form with default values that automatically submits itself to your password-protected page when the hosting page loads. And, just as the URL-based hack works, this tricks the site into thinking it’s the authenticated user making the changes and gives a hacker essentially free rein if they know what they’re doing.

Now, this isn’t something that will just randomly happen to anyone – it relies on the hacker deliberately planting these tags or forms on a page and getting a logged-in user to visit the page. Nevertheless, it’s striking how many seemingly secure sites are open to this type of attack.

What can you do? SESSION variables cannot be spoofed in the same way as these POST and GET variables can, so using them protects you against this kind of issue. Additionally, there are a variety of frameworks such as Xaraya and other tools that generate authentication codes to verify that submitted forms did indeed come from a safe location.
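To make the “authentication code” idea concrete, here is an added example (not code from this post or from Xaraya) that simulates the two attack shapes described above against a state-changing admin action, with and without a per-session token check. The session store, request objects and entry names are constructed stand-ins, not a real framework.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-ins for the app's session store and request object (no real framework).
@dataclass
class Session:
    user: str
    # Per-session secret; the site embeds it in every form that changes state.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

@dataclass
class Request:
    method: str       # "GET" or "POST"
    session: Session  # the cookie-backed session the browser attaches automatically
    params: dict      # query-string or form fields

def render_delete_form(session, entry):
    """Server-side template for the admin's own page: the form carries the token."""
    return {"entry": entry, "csrf_token": session.csrf_token}

def handle_delete(req, db):
    """State-changing endpoint: POST only, and the token must match the session's."""
    if req.method != "POST":
        return "rejected: state change via GET not allowed"
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, req.session.csrf_token):
        return "rejected: missing or wrong CSRF token"
    db.discard(req.params["entry"])
    return "deleted " + req.params["entry"]

def scenario():
    """Replay the post's two attack shapes plus a legitimate submission."""
    db = {"entry839402874", "entry1"}          # constructed sample entries
    admin = Session(user="admin")              # the victim is already logged in
    # 1. URL-based attack: a planted tag's link fires a GET carrying the admin's cookie.
    via_tag = Request("GET", admin, {"entry": "entry839402874"})
    # 2. Auto-submitting form on the hostile page: it is a POST, but that page cannot
    #    read the token out of the admin's session, so the value is absent or a guess.
    via_form = Request("POST", admin, {"entry": "entry839402874", "csrf_token": "guess"})
    # 3. The admin submits the form the site itself rendered, token included.
    legit = Request("POST", admin, render_delete_form(admin, "entry1"))
    results = [handle_delete(r, db) for r in (via_tag, via_form, legit)]
    return results, db

if __name__ == "__main__":
    for line in scenario()[0]:
        print(line)
```

Without the method and token checks in handle_delete, all three requests would succeed, because the session cookie alone cannot tell the site which page the browser was on when it sent the request.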

It’s a crazy crazy world out there…