
Hacking: Whose fault?

  • nehpyh's Avatar
    1,103 posts since Apr '07
    • My company website got hacked. The finding showed that the hacker accessed the website via some loophole that the programmer overlooked.

      We have already paid 50% of the production fee and we feel that we should not pay the remaining due to the breach.

      Anyone know if there are policies/regulations/laws/guidelines to safeguard programmers and website owners?

  • dumbdumb!'s Avatar
    12,024 posts since Jan '03
    • Hmm.. companies should hire white hats to hammer their systems.

      It all depends on the contract, I guess.

  • nehpyh's Avatar
    1,103 posts since Apr '07
    • Thanks Dumb. Are you in the IT line? Do you have a sample of the contractual agreement or clause on this matter? What is the market norm?

  • hush_tan's Avatar
    2 posts since Dec '02
    • It really depends on the contract, and you must see how much damage the hacking did to your company.

      Remember, every website has the risk of being hacked... it really depends on how good your network administrator and programmer are at protecting it from hackers accessing it.

  • Moderator
    kenn3th's Avatar
    16,503 posts since Nov '06
    • Loopholes, as the name says, are something that is overlooked by whoever is protecting/programming it.

      It's a tough thing to make.

      On one hand, it's the programmer's fault for not identifying it.

      On the other hand, loopholes are not easily found.

  • Moderator
    ndmmxiaomayi's Avatar
    53,276 posts since Aug '05
    • It depends on what you mean by overlook. There are so many kinds of programming languages and each does different things.

      Since you said it's a website, I assume it's related to SQL? Does the website have some kind of DB? What kind of programming language is used to query the DB?

      Most use PHP to query the data in MySQL. SQL queries, if not properly sanitized, can result in an attacker doing all sorts of things to the DB and the website.

      Also, what does the company's network layout look like? Where are the servers located? Public? Demilitarized zone?

      Lastly, have all the web pages been checked? There's been a recent spate of SQL injections done via JavaScripts. Sometimes, a website can get attacked without them knowing. If any attacker chances upon the website, he can abuse that info.

      Here's one example - http://securitylabs.websense.com/content/Blogs/3053.aspx

      If your company is big enough, they should hire pen testers to test the site. Pen testers is short for Penetration Testers. They are a group of hackers who are paid to hack. They have the permission of the management to break into things. Once they have done their work, they'll have a report for the company and some recommendations on how to resolve the security issues.

      Alternatively, you can use automatic tools to find errors in the website and fix them if the company has got no money to hire such testers.
