Archive for the 'Security Issues' Category

Use Captcha To Keep Spammers At Bay

One of the first and most annoying things that can happen to a new web site owner is being blasted with spam.  There is a dilemma presented when wanting to have potential customers or clients contact you or your company.  Either your email has to be publicly posted or you will need to enable a form to allow quick and easy contact.  When you do implement either choice, spammers will come and they will do as much damage as is possible.

Email link – bad idea

The first thing to do is toss out the idea of publicly placing your email address anywhere it can be clicked as a link. A publicly linked email address is an open invitation to spammers. Few things are more unpleasant than starting your business day wading through hundreds upon hundreds of spam messages in your email in-box. If you must use this route, place your email address as plain text only; this makes life harder for a would-be spammer, who will have to manually copy and paste your address into an email. Inconvenience is the bane of the spammer.

Contact form – can be attacked

If you’ve decided to place a contact form anywhere within your web site, you’ll want to enable some type of security to ensure that an actual human is using the form. This sounds simple enough because, after all, the purpose of the form is to gather human information. However, most email forms have a standard “name”, “email”, “subject”, “content” layout that is easily recognized and exploited by spammers. Using this standard layout, spammers point automated systems at a contact form and attack it computer to computer. What can stump them is requiring something that only a human can input or answer and that isn’t part of the standard email form. This is where Captcha comes in.

Contact form with Captcha – better idea

Captcha is a type of test that is used to ensure human interaction. The premise behind Captcha is that computers should not be able to solve something that requires human input. The earliest Captcha implementations simply generated a word or series of letters with a small amount of warping. However, spammers quickly adapted to this warping, and this initial implementation had to be abandoned. Modern Captcha uses two to three regular words that are segmented and have lines drawn through them, making them much harder for a computer system to guess automatically.

This all culminates in a small bit of either PHP or Javascript that is placed within your form before the submit button code. After filling out the rest of the form, a user must then enter the correct words generated by the Captcha code. You can set the form to lock out a user after a certain number of errors, thus staving off the possible attack of spammers for yet another day.
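As an added illustration (not code from the original post), here is the server-side half of such a check in Python: it issues a two-word challenge per session, compares the user's answer, and locks the form after a set number of failures. The CaptchaGate class, the word list and the three-failure limit are assumptions; rendering the words as a warped image is left out.

```python
import hmac
import secrets

MAX_FAILURES = 3  # assumed policy: lock the form after this many wrong answers


class CaptchaGate:
    """Server-side state for a word CAPTCHA on a contact form (hypothetical helper).

    Issues the expected words per session, checks the submitted answer, and
    enforces the error lockout described in the post."""

    def __init__(self, words, max_failures=MAX_FAILURES):
        self._words = list(words)      # word list the challenge draws from
        self._max_failures = max_failures
        self._sessions = {}            # session_id -> {"answer", "failures", "locked"}

    def new_challenge(self, session_id):
        """Pick two random words for this session; returns None once the session is locked."""
        state = self._sessions.setdefault(
            session_id, {"answer": None, "failures": 0, "locked": False})
        if state["locked"]:
            return None
        state["answer"] = " ".join(secrets.choice(self._words) for _ in range(2))
        return state["answer"]

    def check(self, session_id, user_input):
        """True only if the session is unlocked and the answer matches the live challenge.

        Each challenge is consumed on first use so a correct answer cannot be
        replayed, and the comparison is constant-time."""
        state = self._sessions.get(session_id)
        if state is None or state["locked"] or state["answer"] is None:
            return False
        expected = state["answer"].lower()
        given = " ".join(user_input.split()).lower()   # normalise spacing and case
        state["answer"] = None                         # challenge used up either way
        if hmac.compare_digest(expected, given):
            state["failures"] = 0
            return True
        state["failures"] += 1
        if state["failures"] >= self._max_failures:
            state["locked"] = True
        return False

    def is_locked(self, session_id):
        state = self._sessions.get(session_id)
        return bool(state and state["locked"])
```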

Conclusion

Of course, the simplest way to avoid spammers altogether is to not allow any sort of email contact within your site. But this is not a feasible option; after all, your web site is online for the purpose of contacting new and old customers or clients. So, before putting your email form online, use a bit of quick security and incorporate Captcha.

Category: Security Issues
Posted on Friday, Nov 06, 2009

The Importance of PCI Scanning

Formed in 2004, the PCI SSC (Payment Card Industry Security Standards Council) was established to provide a universal set of security standards that must be adhered to by merchants who process and transmit credit card data. The council was founded by five of the top credit card companies: American Express, Discover, JCB, Mastercard and Visa. In order to become a PCI compliant company, your business must comply with the standards set in place by the PCI Security Standards Council. There are currently 12 standards across six categories that must be met. These standards are as follows:

1.) Create and Maintain a Secure Network

1. Protect cardholder data by implementing and maintaining a reliable firewall configuration.

2. Never use manufacturer-supplied default passwords as means for security mechanisms.

2.) Protect Cardholder Data

3. Protect cardholder data on servers and other storage mediums.

4. Encrypt cardholder data traveling over public and other open networks.

3.) Maintain a Vulnerability Management System

5. Install, use and regularly update malware protective software on all systems commonly affected by malicious programs.

6. Create, deploy and maintain secure systems and applications.

4.) Implement Strong Access Control Policies

7. Restrict access to cardholder data to authorized personnel on a need-to-know basis.

8. Assign each individual with access to cardholder data a unique set of login credentials.

9. Restrict physical access to cardholder data.

5.) Test and Monitor Networks Regularly

10. Track and monitor user access to cardholder data and all network resources.

11. Perform regular tests of policies and security systems.

6.) Maintain a Policy for Information Security Purposes

12. Implement and upkeep a policy that addresses information security issues.

How PCI Scanning Works

PCI scanning is performed by approved vendors that help online merchants become PCI compliant by providing services that enable them to meet the standards set forth by the Council. The scan itself is the process of the vendor probing the firewalls and other security elements a business has in place to determine whether vulnerabilities exist. In the end, PCI compliance benefits all parties involved, including the consumer, retailer and credit card company. Once the scanning has been performed, it ensures that your website is free of infection and less vulnerable to threats. When shoppers see that your site is PCI compliant, they will be more comfortable that their personal and financial information is protected from web criminals. This is good not only from a regulatory standpoint but also from a public perspective, as it can help lead to more conversions and sales for the retailer. For the credit card company, it means fewer reports of fraud and identity theft, and thus fewer headaches.

The market for PCI scanning is growing rapidly, with McAfee and Trust Guard among the leading service providers. There are also a number of web hosting firms that offer services with security features to help organizations become PCI compliant. This wider variety of options enables small-scale retailers to leverage the best of both worlds in regard to PCI scanning and traditional website security.

Category: Security Issues
Posted on Tuesday, Oct 27, 2009

Major Threats to Business Website Security

Any organization would find it irresponsible and downright silly not to have anti-virus software installed on its office systems. Most would also have solutions in place for data restoration should there be a hardware failure or a natural disaster. Surprisingly enough, far too many business owners are unaware that their websites are vulnerable to the same types of attacks as their local machines. This is especially the case in shared and virtual environments, where a multitude of sites are running on the same server.

In May 2007, more than 90,000 sites were compromised by hackers in a large-scale exploit designed to illegally install malicious code on the computers of visitors who clicked on seemingly harmless search results. A StopBadware study showed that an estimated 10% of those compromised sites were maintained by one hosting firm in particular, which accounted for 250,000 infectious websites. This is just one of many examples proving that no website is ever as safe as we might think.

Common Threats to Business Websites

Hackers employ several methods and tricks to exploit websites.  Below we will focus on three that are most commonly used to attack business sites: SQL injection, cross site scripting and CRLF injection.

SQL Injection

SQL injection is by far one of the most popular website attacks employed today. This technique works by sending false or malicious requests to a back-end database in order to manipulate the information it contains. By doing so, the attacker can view whatever information is stored in the database, change it, or erase it completely. Most websites would not exist without databases, but unfortunately any site that features shopping carts, search fields, or any type of web form is susceptible to SQL injection. The very fields that require interaction from your visitors and customers can open the door a hacker needs to steal sensitive data and destroy your company.
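The difference between a form field that becomes SQL and one that stays data, as an added example in Python with an in-memory SQLite table (not from the original article); the table, the user rows and the hostile input are constructed for the demonstration:

```python
import sqlite3


def make_db():
    """Constructed in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse'), ('bob', 'hunter2')")
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: whatever the form sends becomes SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, username, password):
    """Same lookup with bound parameters: the driver never treats the input as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def demo():
    conn = make_db()
    # Constructed hostile input: the quote closes the string literal and the
    # OR clause makes the WHERE condition true for every row in the table.
    hostile = "' OR '1'='1"
    return {
        "vulnerable": login_vulnerable(conn, "nobody", hostile),  # every user
        "safe": login_safe(conn, "nobody", hostile),              # no match
        "legit": login_safe(conn, "alice", "correct-horse"),      # normal login
    }
```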

Cross Site Scripting

Cross site scripting is another common attack that exploits holes in dynamic websites. Dynamic pages can allow an attacker to insert malicious code and trick an end-user into running a harmful script on their computer. If the user executes the code, the hacker could gain access to all of the sensitive information on their local machine. Cross site scripting takes advantage of numerous programming technologies including ActiveX, Flash, Javascript and VBScript.

CRLF Injection

Unlike most exploits, CRLF injection does not take advantage of security vulnerabilities in the operating system or web software. Instead, it exploits the manner in which the application was scripted. For instance, an attacker can insert a statement into a web form together with CR (Carriage Return) and LF (Line Feed) characters. The chance for exploit arises when the application treats the injected line break as if it were a legitimate one written in during the initial development stage. This attack is very dangerous as it has the power to disable an entire website.
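An added example (not from the original article) showing in Python why an unchecked CR/LF pair in a form value matters, and the check that prevents it. The response builders, the header parser and the redirect value are constructed for the demonstration:

```python
def build_response_naive(status, headers):
    """Joins header name/value pairs with CRLF without inspecting the values.

    If a value came from a form field and itself contains CR/LF, the client
    sees extra header lines that the developer never wrote."""
    lines = [f"HTTP/1.1 {status}"]
    for name, value in headers:
        lines.append(f"{name}: {value}")
    return "\r\n".join(lines) + "\r\n\r\n"


def build_response_safe(status, headers):
    """Refuses any header name or value that could end or add a line."""
    for name, value in headers:
        if any(ch in name or ch in value for ch in ("\r", "\n")):
            raise ValueError(f"CR/LF not allowed in header {name!r}")
    return build_response_naive(status, headers)


def header_lines(raw):
    """Splits the header block the way a client does: on CRLF, up to the blank line."""
    head, _, _ = raw.partition("\r\n\r\n")
    return head.split("\r\n")[1:]          # drop the status line


def demo():
    # Constructed input: a redirect target copied from a form field into which
    # a CRLF sequence has been placed, followed by a second header line.
    tainted = "/thanks\r\nX-Injected: yes"
    naive = header_lines(build_response_naive("302 Found", [("Location", tainted)]))
    try:
        build_response_safe("302 Found", [("Location", tainted)])
        rejected = False
    except ValueError:
        rejected = True
    clean = header_lines(build_response_safe("302 Found", [("Location", "/thanks")]))
    return {"naive_headers": naive, "safe_rejected": rejected, "clean_headers": clean}
```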

This article is not intended to make you a website security expert, but to make you aware that security for your business site should be as important as that of your local machines. To assume that your business will never be exploited only exposes you to unnecessary risks that could put you out of commission, effective immediately.

Category: Security Issues
Posted on Friday, Oct 16, 2009

How Secure is Virtualization Technology?

A September 2009 survey released by Centrify revealed that the major barrier facing 46% of the respondents when it comes to adopting virtualization is security. In fact, only an estimated 20% of respondents said they were strongly confident in the security infrastructure of their virtualized environments. Professionals deep in the technology sector are well aware of the security conundrum that surrounds virtualization. It has become such an issue that EMC recently assembled a panel of experts from its Ionix, RSA and VMware divisions to put together some guidelines for adequately securing virtualized environments. What they came up with was “Security Compliance in a Virtual World,” a report that focuses on many key points that must be considered for ensuring virtualization security.

OS Hardening

The configuration for virtual machines and switches must be hardened just like your physical boxes and network switches. The underlying operating system must also be hardened through routine patches and updates, removal of unused components and maintaining secure settings. The EMC report suggests modeling virtual systems after the guidelines from the CIS (Center for Internet Security) and DISA (Defense Information Systems Agency) as they are viewed as well established security practices.

Configuration and Change Management

Since virtualization technology makes it simple to deploy new virtual machines and modify their setups, it becomes very easy to fall into a chaotic state of configuration when it comes time to manage the environment. Even when systems are adequately hardened during installation, it is still important for organizations to stay on top of the environment to ensure a secure configuration. This means that when system settings are modified or new software applications are added, administrators make sure the virtual system continues to meet what the EMC report calls the “gold standard” of configuration.

Access Control

Practical security policies such as least privilege and separation of duty should not be thrown to the wayside just because virtualization has come into the picture. Instead, such principles should become more essential than ever. The presence of virtualization results in increased density of all the systems and applications on your server. This is more convenient for your organization, and equally convenient for the intruder who may be able to manipulate these systems if proper access control is not enforced and maintained. The report suggests that solution providers aid their staff and clients in understanding the importance of role-based access control both in and out of the virtual environment.

Network Security and Segmentation

Companies operating virtual servers without any sort of segmentation are far more vulnerable to exploit and exposure than organizations that use virtual switches to place those virtual machines into virtual local area networks, just like their physical counterparts. The security report explains that one of the most essential factors in compliance is ensuring that data is isolated and not mingled with or available to users on other virtual machines. Organizations that possess expertise in the network security field should put it to use in the virtualization environment. This can be done by obtaining virtual switches and other virtual security mechanisms such as firewalls and intrusion prevention systems to protect network perimeters.

Category: Security Issues
Posted on Wednesday, Oct 14, 2009

Three Simple Tips for Protecting Your Site

These days, it is more important than ever to keep your website current with the latest security measures. Why so much emphasis on security? Because hackers are always looking for ways to penetrate servers and websites to steal sensitive information. There is a lot you can do to ensure better website security, and the tips in this article should be taken very seriously.

1.) Update Your Applications and Scripts

Running outdated web applications and code on your site is like giving hackers an open invite. So if you have older versions of WordPress or Joomla installed, it is advisable that you immediately check for and perform the necessary updates. This goes for any application or programming language used for your site. For a knowledgeable hacker, compromising Joomla 1.0 is as easy as uploading a shell script to an insecure form. If successful, they could end up with complete control of your account.

2.) Create Strong Passwords

A password can be a simple but effective security mechanism. However, this is only the case when a strict set of rules is followed. When securing login sessions and other areas of your site, never use a password that can be easily guessed by others or that is used for other accounts. If someone knows just one of your passwords, they can keep trying it against each of your accounts until they are successful. This could lead them not only to the control panel login of your hosting account, but also to the financial institution you do your online banking with.

3.) Mask Your Folders

It is always wise to cloak the website files and folders stored on your server. Many security experts suggest keeping a blank index.html file in each folder under your public directory, so that the folder's contents cannot easily be listed by internet users. This process is made simple with the cPanel control panel and its Index Manager function. You can take this one step further by password protecting the administrator folder that contains the scripts you are running. This is highly recommended as it provides an added layer of security that makes an intruder work that much harder.
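An added example (not part of the original article) that automates this tip with Python instead of the cPanel Index Manager: it walks a web root and writes a blank index.html into every folder that lacks an index file. The sample folder tree built in demo() is constructed for the demonstration.

```python
import os
import tempfile

INDEX_NAMES = ("index.html", "index.htm", "index.php")  # assumed list of files the server serves as an index


def mask_directories(web_root):
    """Create an empty index.html in every directory under web_root that has no
    index file, so a request for the directory yields a blank page rather than
    a listing. Returns the paths it created."""
    created = []
    for dirpath, _dirnames, filenames in os.walk(web_root):
        if not any(name.lower() in INDEX_NAMES for name in filenames):
            target = os.path.join(dirpath, "index.html")
            with open(target, "w", encoding="utf-8") as fh:
                fh.write("")            # blank page: nothing to list
            created.append(target)
    return created


def demo():
    """Constructed sample web root: 'images' has no index file, 'admin' already has one."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "images"))
    os.makedirs(os.path.join(root, "admin"))
    open(os.path.join(root, "admin", "index.php"), "w").close()
    created = mask_directories(root)
    # report paths relative to the root with forward slashes for portability
    return sorted(os.path.relpath(p, root).replace(os.sep, "/") for p in created)
```

A blank index page only hides the listing; a file whose name an intruder already knows can still be requested directly, so pair this with the password protection the tip above describes.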

What If I Still Get Hacked?

As we alluded to earlier, there is a possibility that even after adhering to all of these tips and more, your website can still be compromised by a hacker. Should your site be successfully exploited, there are a couple of things you should do right away to minimize the damage. The first step is to change all of the passwords associated with your website, from your control panel and administrative areas to everything else in between. Next, go through your hosting account to find and update all old applications and plugins, as they could easily be the culprits that led to exposure. Any website can be compromised, and if it happens to you, your sensitive information can be used for criminal gain in one way or another. Prevention is the key, so employ all the measures you can to ensure you are protected against existing and emerging threats.

Category: Security Issues
Posted on Wednesday, Aug 19, 2009
