Welcome to my site...

A Chinese lion statue

Thanks for visiting my website. You can learn more about me and all the many projects I am involved with by browsing this site. Below you will find the most recent articles published in all the different sections of my website. If you want to view articles on a specific area, please click on one of the category links above. You can also follow the other links to learn more about me and my non-technical interests.

I'm glad you decided to drop in. Feel free to leave comments on any article or to use the contact page to get in touch with me.

How to make drop-down boxes (select elements) with JHTML
Web Development - Joomla
Monday, 06 July 2009 23:45

JHTML is a very odd class to work with because most of the time you are only calling JHTML::_() and passing some cryptic string that magically gets interpreted into HTML for you. The first thing you should know is that JHTML is a service class, which actually calls a subclass based on the first parameter. I am not sure why you do not natively just call the direct class you want as opposed to this notation, which I find odd, but I have decided that I might as well learn all the weird Joomla styles and use them for greater understanding across the community when they look at my code.

So in order to help you get started with this beast, we will look at how to create a drop-down box, formally known as a select element in a form.

Before we get started, it will be a lot clearer if you check out the API from the actual class that will be doing the work; we will then work our way back up. When I approached it this way, it made a whole lot more sense later. The class is so obviously named JHTMLSelect; click the link to see the API. Now, we are going to start with the most basic, yet at the same time most complex method, genericlist. The other methods are just more specific versions of this, so if you can get the hang of this you will be pretty well set.

Tags Joomla :: JHMTL :: HTML :: forms :: web design
 
Input Sanitization using JRequest
Web Development - Joomla
Friday, 29 May 2009 06:51

Think about the most basic kind of web page you can create, static HTML. In this sense, you are not expecting any input (either from the user or via a link) to affect the output. This was the easy life back in the early days of the Internet, and life was good. Today, most websites are dynamic. This is most likely why you are using a CMS like Joomla. Now, you may not include any "interactive" features on your website, but the second you start using Joomla your site truly is interactive, because a dynamic site relies upon dynamic content. In most cases, you may (think that you) control the input, but there is really nothing stopping the user from changing the dynamic instructions you set.

Let's take a simple example. You have a multi-page article. On the bottom of page one you have a link with a target like this: somesite.com/index.php?page=2. At first glance, this looks innocent enough. But there is nothing stopping the user from changing that value and submitting it to your website. But what's the worst that can happen? They change page=2 to page=3 and they go to page 3. That's one possibility, but if you do not filter and validate your input, they may be able to inject arbitrary code and get your application to do something funny.

This may seem fairly obvious in today's world of XSS, CSRF, and other nasty acronyms. However, if you are writing Joomla components you must take this into account. As Joomla grows in popularity, hackers will be drawn to attack your code. Further compounding this issue is that most Joomla site owners know absolutely nothing about HTML, never mind web security or procedures. That is why you must make your code as strict as possible - I know this is often very hard in a loose language such as PHP, on which Joomla is built.

Tags Joomla :: sanitization :: input :: GET :: POST :: api :: tutorial
 
Evil Twin Attack Demonstration
Security - Exploits and Attacks
Wednesday, 13 May 2009 00:00

 

The following is a demo and presentation I made to explain the Evil Twin AP attack. In the Evil Twin attack, you use software to imitate a real access point in order to trick users into connecting to your AP instead of the real AP. This gives you man-in-the-middle abilities to snoop and inject data. The presentation includes videos direct from YouTube, so you can easily see the attack in action. I recommend going full screen and watching the videos in HD for best viewing. You can also view the demo videos directly by clicking here.


To view the full report on the Evil Twin attack, click here.

 

 

 
A solution to the botnet problem
Security - Security Awareness
Saturday, 02 May 2009 14:45

A solution to the botnet problem: in response to Aviram’s article, I would beg to differ that there is no way to stop botnets. For the most part, botnets are composed of hijacked user PCs, which are usually the most open to attack. Aviram is absolutely correct when he says that awareness is very important. Usually awareness implies that the user should have an updated virus scan, not fall for scams, etc – be aware of the risk level they operate under and how that risk level is affected by their decisions. I propose a slightly more annoying example for the end user and the service provider:

 

Tags botnet :: awareness :: ISP :: privacy :: securiteam :: inform
 
Don't Lose Yourself on the Internet
Security - Security Awareness
Monday, 27 April 2009 00:00

 

Security Awareness is really important to me. I believe that creative and long-lasting reminders, slogans, and images can really do a lot to help reduce IT security threats. The goal is to keep these ideas and concepts fresh in people’s minds. They may not really understand what the slogan means, but they will be more conscious of what they are doing.

I created this poster for a Security Awareness Competition sponsored by Educause (contest info and past winners). The target placement was for university computer labs, in order to remind users to stay safe on the Internet. One of the big issues in user-space security right now is phishing and identity theft. I decided to tackle this topic in a simple-to-digest format.

 