Perpetual Insecurity

Another form of damage that I would be very concerned about is quite subtle and, unlike the previous two problems, for all intents and purposes undetectable. Once a member database is compromised, the association can never again be sure that access to its member-only areas is actually limited to members. With access to the member data used by the web site, the persons who have already compromised the site hold exactly the information that any automated registration process relies on.

The intruder no longer needs any technical skills to enter the member-only areas at will. All they need to do is pick a record from the stolen database and enter the right pieces of information into the automated registration process. Further, unlike the original intrusion, such access would be indistinguishable from legitimate member access.

If they entered the stolen data into a database management system (DBMS) and deleted each record that no longer contained usable data, they would have a gradually decreasing pool of data to work from. Not until the stolen information about each member, as it stood at the time of the theft, became obsolete could they be kept out of the member-only areas.

Depending on several factors, including the nature of the original insecurity that allowed the first compromise and the kinds of functions available in the member-only areas, continued access to those areas would likely provide information that facilitates future thefts or other compromises. Since many web insecurities are related to program bugs in dynamic content, being able to get the names and parameters of web site scripts from the displayed forms is a large step towards finding potential bugs in those scripts. Bugs can lead to almost any kind of compromise that can be described.
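The registration problem described above, as an added example that is not part of the original page: after a known theft of the member table, a proof built only from fields in that table is worthless until those fields change, so the verifier falls back to a one-time code delivered out of band. The member records, the theft date and the function names are all constructed for the illustration.

```python
# Models the "perpetual insecurity" argument: knowledge-based registration
# (supplying data from the member record) cannot be trusted once that record
# is known to have been stolen, until the record's fields have changed.
# All member data, the theft date and the function names are constructed.
import hmac
import secrets
from datetime import date

# Constructed member table: id -> verification fields and the date those
# fields last changed.
MEMBERS = {
    "1001": {"last_name": "Doe", "postal": "12345", "changed": date(2013, 6, 1)},
    "1002": {"last_name": "Roe", "postal": "54321", "changed": date(2014, 3, 9)},
}

THEFT_DATE = date(2014, 1, 15)  # constructed: when the table is known to have been copied

PENDING_CODES = {}  # member id -> one-time code sent out of band (email or post)


def knowledge_proof_trusted(member_id):
    """A knowledge-based proof only means something if the fields it relies on
    were changed after the theft; otherwise the thief holds the same data."""
    rec = MEMBERS.get(member_id)
    return rec is not None and rec["changed"] > THEFT_DATE


def register_with_knowledge(member_id, last_name, postal):
    """Automated registration as the page describes it. Returns 'granted',
    'stale' (record predates the theft, needs the out-of-band step) or 'denied'."""
    rec = MEMBERS.get(member_id)
    if rec is None or rec["last_name"] != last_name or rec["postal"] != postal:
        return "denied"
    if not knowledge_proof_trusted(member_id):
        return "stale"
    return "granted"


def issue_code(member_id):
    """Out-of-band step: a fresh secret that never existed in the stolen copy."""
    code = secrets.token_hex(4)
    PENDING_CODES[member_id] = code
    return code  # in practice sent to the contact address on file, not returned


def register_with_code(member_id, code):
    """Single-use: the pending code is removed whether or not it matched."""
    expected = PENDING_CODES.pop(member_id, None)
    if expected is None or not hmac.compare_digest(expected, code):
        return "denied"
    return "granted"
```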


Copyright © 2000 - 2014 by George Shaffer. This material may be distributed only subject to the terms and conditions set forth in (or These terms are subject to change. Distribution is subject to the current terms, or at the choice of the distributor, those in an earlier, digitally signed electronic copy of (or cgi-bin/ from the time of the distribution. Distribution of substantively modified versions of GeodSoft content is prohibited without the explicit written permission of George Shaffer. Distribution of the work or derivatives of the work, in whole or in part, for commercial purposes is prohibited unless prior written permission is obtained from George Shaffer. Distribution in accordance with these terms, for unrestricted and uncompensated public access, non profit, or internal company use is allowed.
