
Apart from the normal UIR postings, I wanted to post something that is quite relevant to what I am doing, which is computer technology. But why is it that I keep posting about computer technology, and now even talking about SECURITY!
Nowadays, with the advances in technology, the problems faced by people using the internet in the past are very different from what people are facing currently, and this has become a major problem even in major firms and organizations. From a company's point of view, having a secure server/database is one of the top priorities. Companies can lose millions and millions of dollars if one day their server gets crashed by a virus or even a HACKER! Therefore, security is so, so important!
Therefore, I decided to go down to the Microsoft office on Thursday after school to attend a talk given by Stanley Tan, Academic Program Manager, and Chewy Chong, Technical Community Manager, Microsoft Singapore. A very interesting showdown; I will cover a few points later on.
This is the venue, very crowded as you can see.
Firstly, we learnt that even if we set a password on our Windows XP, it is NOT SECURE AT ALL!
Why do I say so? Because if you have a bootable Linux, for example, you can actually bypass all the security of Windows XP and access all the data inside it! Amazing, isn't it?
- Solutions
-Use a hard disk password or disk encryption (Windows Vista's BitLocker)
-LOCK YOUR HARD DISK IN A SAFE OR DRAWER!
Having given a brief description of how to secure your information well, I learnt some of the ways to hack a website or application, for knowledge and not for bad use. I shall only talk about one mode of hacking, as not too much information should be disclosed.
- SQL Injection
-Input an SQL statement into a text field and let the computer run it as part of the application's own SQL query
Example: String sql = "SELECT * FROM user WHERE user = " + user + " AND password = " + pass;
By inputting: user = 0 OR 1=1;-- ( -- means comment out everything that follows on the line )
1 always equals 1, therefore the WHERE condition is always true, and the password check is commented out, so rows come back even with no password input
- String sql = "SELECT * FROM user WHERE user = 0 OR 1 = 1;-- AND password = " // the condition is always true
- Solutions
-Validate all input
-Use a stored procedure
-Pass all input through a parameter (e.g. command.Parameters.AddWithValue("@user", user);) so the value is never pasted into the SQL text
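The login query above, written both ways and run against a small constructed user table, as an added example that is not from the talk or the post. Because the string values are quoted in this version, the post's 0 OR 1=1;-- payload is adapted to ' OR 1=1;--; the table, the users and the function names are all made up for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table with two made-up accounts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (user TEXT, password TEXT)")
    con.executemany("INSERT INTO user VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con


def vulnerable_login(con, user, pwd):
    """Builds the query by string concatenation, like the post's example.
    The user's text becomes part of the SQL, so it can change the query."""
    sql = ("SELECT * FROM user WHERE user = '" + user +
           "' AND password = '" + pwd + "'")
    return con.execute(sql).fetchall()


def safe_login(con, user, pwd):
    """Same query, but the values travel as bound parameters (the fix).
    The database treats them as plain values, never as SQL."""
    sql = "SELECT * FROM user WHERE user = ? AND password = ?"
    return con.execute(sql, (user, pwd)).fetchall()


# The post's payload, adapted to a quoted text field: the quote closes the
# string, OR 1=1 makes the WHERE clause always true, ;-- discards the rest.
PAYLOAD = "' OR 1=1;--"


def demo():
    """Returns how many rows each login returns for a real user and for
    the injection payload with an empty password."""
    con = make_db()
    return {
        "vuln_ok": len(vulnerable_login(con, "alice", "s3cret")),
        "vuln_attack": len(vulnerable_login(con, PAYLOAD, "")),
        "safe_ok": len(safe_login(con, "alice", "s3cret")),
        "safe_attack": len(safe_login(con, PAYLOAD, "")),
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated version returns every user for the payload (the check is bypassed), while the parameterized version returns nothing, because the payload is just compared as a literal username.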
This shall end my small post on security.
Security is only as strong as the weakest link - Quote