Security hacking

  • B BobJanova

    Machine 2 should be behind a very strict firewall that opens only the port your application uses to receive and return data. Run it on a minimal OS without known security concerns. Machine 1 and 3 should probably be the same one and it should open a connection to machine 2. Now your only access to machine 2 is your own protocol code for the data transfer, so even if someone gets their hands on machine 1/3 they can't do anything more than send data to it (as long as you write your code correctly). Of course, in any real situation the security risk is not the technical setup but the people involved in writing, storing and maintaining the code that goes on machine 2.

    MAW30
    wrote on last edited by
    #9

    Thanks, By what you wrote above it sounds like data can travel in both directions. Can I block data going in one direction? If not, then machine 3 is unnecessary.

    B 1 Reply Last reply
    0
    • H HobbyProggy

      Well, don't get me wrong, but what makes you that paranoid? Setting up a firewall like McAfee or Kaspersky, yeah, understandable. Is it a company network? There you should have a firewall already! By configuring the firewall you can block several inputs, yes, but data transfer mainly uses the HTTP or FTP port or anything like that, so the blocking of incoming stuff depends on open ports. Yes, you might block IPs, but that's inefficient and costs too much time. The point I want to make is that the attacker intrudes your system through your open ports; if you only opened HTTP (I think 80) and you are currently not using it, he can do!

      The next thing I don't quite understand is the copying of code. Your application runs as an .exe file? So how should someone steal that code? This might only work if he steals your .exe file. The important thing for you should be to make sure that your data, input and output, is safe. That is what most hackers like to steal. For example, an application for calculating super secret stuff is worthless without the input data to begin calculation.

      But if you want to encapsulate everything then set up:
      - Internet access server that forwards the data
      - Transfer server for communication between your servers
      - Application hardware that runs your code
      - Database server for the data

      I personally think that this is unnecessary for private persons. In a company this is, as I know it, the usual network structure.

      if(this.signature != "") { MessageBox.Show("This is my signature: " + Environment.NewLine + signature); } else { MessageBox.Show("404-Signature not found"); }

      MAW30
      wrote on last edited by
      #10

      Thanks, "Your application runs as an .exe file? So how should someone steal that code? This might only work if he steals your .exe file." This is what I am worried about. I understand that it is possible to download everything on your computer. Data coming and going I do not care about; I spent years developing the software, and if it got into someone else's hands it will have been a waste of time.

      H 1 Reply Last reply
      0
        BobJanova
        wrote on last edited by
        #11

        You need data to go into machine 2 and come out of it. I don't see what you're going to gain by requiring that to be through two separate connections.

        1 Reply Last reply
        0
        • M MAW30

          I am worried about hackers breaking into my program. I was wondering if I could separate my program into three parts on three different computers:

          1. Has access to the internet and collects data and transfers data to the second computer.
          2. Analyzes data and sends results to part three.
          3. Has access to the internet and returns results.

          I do not want any data getting to the second computer, except the specific data and in one direction only. The same goes for part 2. Is this possible? How would I go about doing this? Any help would be greatly appreciated. Michael

          Lost User
          wrote on last edited by
          #12

          MAW30 wrote:

          Is this possible? How would I go about doing this?

          Yes, could be done. The more interesting question is "how would one hack such a system".

          MAW30 wrote:

          I am worried about hackers breaking into my program.

          Make sure that PC 2 is not connected to the internet or the LAN, that wireless and Bluetooth are down, and make the USB ports inaccessible using glue. Further, you'd like to make sure that the client only connects to the specific IP that you define, and communicates over a secure connection using a self-signed certificate. Disable all non-required services, like FTP, and remove all non-essential users. Ideally, you'd write the access-log to a DVD-R. A network-admin could elaborate more on how to configure the network to secure it further - consult them, it's worth it. Aw, and don't use Windows for server 2 or 3. Also hook up a huge siren to the speaker of that desktop, and have it holler whenever there's an unknown/unexpected entry in the access log.

          Why? Well, PC1 will probably be a Windows-PC. Does it update automatically? Does it also update some client-software automatically? Think Adobe Flash or your virus scanner and the like. If PC1 could be compromised, the next logical step would be to flood PC2 with garbage-requests. That's assuming the hacker would know that there's a second PC that's "more" interesting; most of them will only be interested in Win-PCs that can easily be turned into spam/mining bots.

          Bastard Programmer from Hell :suss: If you can't read my code, try converting it here[^]

          M 1 Reply Last reply
          0
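
The alerting idea in the post above (holler on any unknown or unexpected access-log entry, and notice when PC1 floods PC2 with garbage requests) can be sketched as an allowlist check over PC2's log. This is an added example, not code from the thread; the log format, PC1's address, the expected request and the rate ceiling are assumptions, and the log lines are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;

static class AccessLogWatch
{
    const string Pc1Address = "192.0.2.10";       // assumed: the only client PC2 expects
    const string ExpectedRequest = "POST /data";  // assumed: the only request the protocol defines
    const int MaxPerMinute = 3;                   // assumed ceiling, low so the sample trips it

    // Constructed sample lines in an assumed format: timestamp, source IP, method, path, status.
    static readonly string[] Sample =
    {
        "2024-05-01T10:00:05Z 192.0.2.10 POST /data 200",
        "2024-05-01T10:00:20Z 192.0.2.10 POST /data 200",
        "2024-05-01T10:00:31Z 198.51.100.7 POST /data 403",
        "2024-05-01T10:00:40Z 192.0.2.10 GET /admin 404",
        "2024-05-01T10:00:41Z 192.0.2.10 POST /data 400",
        "2024-05-01T10:00:42Z 192.0.2.10 POST /data 400",
        "garbage line",
    };

    // Everything that is not the one expected request from the one expected host is an alert.
    public static List<string> FindAlerts(IEnumerable<string> lines)
    {
        var alerts = new List<string>();
        var perMinute = new Dictionary<string, int>();
        foreach (var line in lines)
        {
            var f = line.Split(' ');
            if (f.Length != 5 || !DateTimeOffset.TryParse(f[0], CultureInfo.InvariantCulture,
                    DateTimeStyles.AssumeUniversal, out var stamp))
            { alerts.Add($"unparseable entry: {line}"); continue; }
            if (f[1] != Pc1Address) { alerts.Add($"unknown source: {line}"); continue; }
            if ($"{f[2]} {f[3]}" != ExpectedRequest) { alerts.Add($"unexpected request: {line}"); continue; }
            // Count well-formed requests per minute to catch a compromised PC1 flooding PC2.
            var minute = stamp.UtcDateTime.ToString("yyyy-MM-dd HH:mm", CultureInfo.InvariantCulture);
            perMinute[minute] = perMinute.GetValueOrDefault(minute) + 1;
            if (perMinute[minute] == MaxPerMinute + 1) alerts.Add($"request flood from PC1 in {minute}");
        }
        return alerts;
    }

    static void Main()
    {
        foreach (var alert in FindAlerts(Sample)) Console.WriteLine(alert);
    }
}
```
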
            MAW30
            wrote on last edited by
            #13

            Thanks, What other operating system do you recommend, and is it wise to go out through a separate computer PC 3 or does it make any difference to go out the same way it went in (my original thought was it wouldn't be able to send data out the way it came in)? Does the firewall operate along with the OS or is it completely different? Is there one I could buy that would meet my requirements or would I need to write it myself? If so, suggestions where to start, C# code, etc.

            L 1 Reply Last reply
            0
              HobbyProggy
              wrote on last edited by
              #14

              Well, in this case, according to the following posts, do what they said. A firewall that meets your requirements would be any available one like Kaspersky or McAfee; they have a lot of options to restrict connections. Other OSes that might fit your restrictions are Linux OSes, because there you can adjust a lot of user restrictions and settings :) But I really, really wonder what might be so valuable to protect it like Fort Knox :)

              if(this.signature != "") { MessageBox.Show("This is my signature: " + Environment.NewLine + signature); } else { MessageBox.Show("404-Signature not found"); }

              1 Reply Last reply
              0
                Lost User
                wrote on last edited by
                #15

                MAW30 wrote:

                What other operating system do you recommend

                On the maximum paranoia setting, I'd go for any Linux-version that can be compiled by hand (and verify the MD5 after downloading). Any minimum installation would do. Recommended basic settings here[^].

                MAW30 wrote:

                (my original thought was it wouldn't be able to send data out the way it came in)

                That will depend mostly on the client; the hardware and drivers do not care which way the data flows on a TCP-connection. You DO want to block incoming connections - on almost every port, for almost every IP.

                MAW30 wrote:

                Does the firewall operate along with the OS or is it completely different.

                There can be multiple; next to the hardware-firewall there's a firewall in Windows. Additionally, if you're using services, there's a firewall pattern[^]. That's usually something you build yourself, as only your app can validate a request. Happy hunting :)

                --edit
                As an alternative; PC2 could block *all* incoming connections - it could fetch its data from PC1 using a secured service. You'd be polling a bit, but then again, the PC won't be doing much other stuff :)

                Bastard Programmer from Hell :suss: If you can't read my code, try converting it here[^]

                M 2 Replies Last reply
                0
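
An added sketch of the polling alternative described above, not code from the thread: PC2 opens the only connection, pins PC1's self-signed certificate instead of switching validation off, and treats whatever it fetches as untrusted input. The URL, the certificate-hash placeholder, the frame layout and the size limits are assumptions.

```csharp
using System;
using System.Buffers.Binary;
using System.Net.Http;
using System.Security.Cryptography;
using System.Threading.Tasks;

static class Pc2Poller
{
    const string Pc1Url = "https://192.0.2.10:8443/next";                  // assumed PC1 endpoint
    const string PinnedCertSha256 = "<hex SHA-256 of PC1's certificate>";  // placeholder: fails closed
    const int MaxValues = 1024;                                            // assumed upper bound per frame
    static HttpClient CreatePinnedClient() => new HttpClient(new HttpClientHandler
    {
        AllowAutoRedirect = false,
        // Accept exactly one certificate; never return true unconditionally.
        ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
            cert != null && Convert.ToHexString(SHA256.HashData(cert.RawData))
                .Equals(PinnedCertSha256, StringComparison.OrdinalIgnoreCase)
    })
    { Timeout = TimeSpan.FromSeconds(10), MaxResponseContentBufferSize = 4 + MaxValues * 8 };

    // Hypothetical frame: "D1", uint16 big-endian count, then count big-endian doubles.
    public static bool TryParseFrame(ReadOnlySpan<byte> frame, out double[] values)
    {
        values = Array.Empty<double>();
        if (frame.Length < 4 || frame[0] != (byte)'D' || frame[1] != (byte)'1') return false;
        int count = BinaryPrimitives.ReadUInt16BigEndian(frame.Slice(2, 2));
        if (count == 0 || count > MaxValues || frame.Length != 4 + count * 8) return false;
        var parsed = new double[count];
        for (int i = 0; i < count; i++)
        {
            parsed[i] = BinaryPrimitives.ReadDoubleBigEndian(frame.Slice(4 + i * 8, 8));
            if (!double.IsFinite(parsed[i])) return false;   // reject NaN and infinities
        }
        values = parsed;
        return true;
    }

    static async Task Main()
    {
        using var client = CreatePinnedClient();
        while (true)   // PC2 always initiates; nothing listens on PC2
        {
            try
            {
                byte[] body = await client.GetByteArrayAsync(Pc1Url);
                Console.WriteLine(TryParseFrame(body, out var values)   // accepted values go to the analysis code
                    ? $"accepted {values.Length} values" : "rejected malformed frame from PC1");
            }
            catch (Exception ex) when (ex is HttpRequestException or TaskCanceledException)
            { Console.Error.WriteLine($"poll failed: {ex.Message}"); }   // pin mismatch, oversize body, timeout
            await Task.Delay(TimeSpan.FromSeconds(30));
        }
    }
}
```

This needs .NET 5 or later for `Convert.ToHexString`, `SHA256.HashData` and `BinaryPrimitives.ReadDoubleBigEndian`. With the pin left as the placeholder every poll is refused, which is the intended default until PC1's real certificate hash is filled in.
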
                  MAW30
                  wrote on last edited by
                  #16

                  Thanks, The information you gave me was very enlightening, I really like your last idea about polling. Michael

                  1 Reply Last reply
                  0
                  • M MAW30

                    Thanks for your input, I read about Security DMZ and it doesn't appear to be as secure as I would like it to be. I want something that is absolutely foolproof.

                    jschell
                    wrote on last edited by
                    #17

                    MAW30 wrote:

                    I want something that is absolutely foolproof.

                    And I want to be king of the world. But there is absolutely no chance of either happening. Well to be fair it is perhaps likely that I could be king of the world. But as for your desire - it isn't going to happen.

                    1 Reply Last reply
                    0
                      MAW30
                      wrote on last edited by
                      #18

                      What do you think of the following: http://www.ghacks.net/2009/09/15/firestarter-simple-to-use-powerful-desktop-firewall/

                      L 1 Reply Last reply
                      0
                        Lost User
                        wrote on last edited by
                        #19

                        Sounds good; I added it to my bookmarks :) The complexity of iptables makes it hard to configure (which makes the chance of mistake bigger) and one is less inclined to check/update a complex system than one is with a kind and easy system.

                        Bastard Programmer from Hell :suss: If you can't read my code, try converting it here[^]

                        1 Reply Last reply
                        0