<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Web Hosting Geeks' Blog - News, Trends, Discussions. &#187; Security Issues</title>
	<atom:link href="http://webhostinggeeks.com/blog/category/security-issues/feed/" rel="self" type="application/rss+xml" />
	<link>http://webhostinggeeks.com/blog</link>
	<description>Web hosting blog - industry news, trends, products and discussions.</description>
	<lastBuildDate>Fri, 20 Nov 2009 16:48:44 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Use Captcha To Keep Spammers At Bay</title>
		<link>http://webhostinggeeks.com/blog/2009/11/06/use-captcha-to-keep-spammers-at-bay/</link>
		<comments>http://webhostinggeeks.com/blog/2009/11/06/use-captcha-to-keep-spammers-at-bay/#comments</comments>
		<pubDate>Fri, 06 Nov 2009 16:16:12 +0000</pubDate>
		<dc:creator>CommunicateBetter</dc:creator>
				<category><![CDATA[Security Issues]]></category>
		<category><![CDATA[Captcha]]></category>
		<category><![CDATA[Captcha coding]]></category>
		<category><![CDATA[contact form]]></category>
		<category><![CDATA[email link]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[spammers]]></category>

		<guid isPermaLink="false">http://webhostinggeeks.com/blog/?p=607</guid>
		<description><![CDATA[One of the first and most annoying things that can happen to a new web site owner is being blasted with spam.  There is a dilemma presented when wanting to have potential customers or clients contact you or your company.  Either your email has to be publicly posted or you will need to enable a [...]]]></description>
			<content:encoded><![CDATA[<p>One of the first and most annoying things that can happen to a new web site owner is being blasted with spam.  There is a dilemma presented when wanting to have potential customers or clients contact you or your company.  Either your email has to be publicly posted or you will need to enable a form to allow quick and easy contact.  When you do implement either choice, spammers will come and they will do as much damage as is possible.</p>
<p><strong>Email link – bad idea</strong></p>
<p>The first thing that should be done is to toss out the idea of publicly placing your email address in any form that can be clicked as a link.  Using a linked email address publicly is an open invitation to spammers.  Nothing can be more unpleasant than having to start off your business day wading through hundreds upon hundreds of spam messages in your email in-box.  If you must use this route, simply place your email in text only – this will make it harder for a potential spammer, as they will have to copy and paste your address manually into an email.  Inconvenience is the bane of the spammer.</p>
<p><strong>Contact form – can be attacked</strong></p>
<p>If you&#8217;ve decided to place a contact form anywhere within your web site, you&#8217;ll want to enable some type of security to ensure that an actual human is utilizing the form.  This sounds simple enough because, after all, the purpose of the form is to gather human information.  However, most email forms have a standard “name”, “email”,  “subject”, “content” style to them that is easily recognized and exploited by spammers.  Using this standard information, spammers use automated systems to attack a contact form – computer to computer.  What can stump them is requiring something that only a human can input or answer and that isn&#8217;t part of the standard email form.  This is where Captcha comes in.</p>
<p><strong>Contact form with Captcha – better idea</strong></p>
<p>Captcha is a type of test that is used to ensure human interaction.  The premise behind Captcha is that computers should not be able to solve something that requires human input.  The very early implementations of Captcha were simple generations of a word or series of letters with some small amount of warping.  However, spammers quickly adjusted to this warping and this initial Captcha implementation had to be abandoned.  Modern Captcha uses two to three regular words that are segmented and have lines through the words making it much more difficult to automatically guess via a computer system.</p>
<p>This all comes down to a small bit of either PHP or JavaScript that is placed within your form before the submit button code.  After filling out the rest of the form, a user must then enter the correct words generated by the Captcha code.  You can set the form to lock out a user after a certain number of errors, thus staving off the possible attack of spammers for yet another day.</p>
<p><strong>Conclusion</strong></p>
<p>Of course, the simplest way to avoid spammers at all is by not allowing any sort of email contact within your site.  But this is not a feasible option – after all, you have your web site online for the purpose of contacting new and old customers or clients.  So, before putting your email form online, use a bit of quick security and incorporate Captcha.</p>
]]></content:encoded>
			<wfw:commentRss>http://webhostinggeeks.com/blog/2009/11/06/use-captcha-to-keep-spammers-at-bay/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Importance of PCI Scanning</title>
		<link>http://webhostinggeeks.com/blog/2009/10/27/the-importance-of-pci-scanning/</link>
		<comments>http://webhostinggeeks.com/blog/2009/10/27/the-importance-of-pci-scanning/#comments</comments>
		<pubDate>Tue, 27 Oct 2009 15:57:13 +0000</pubDate>
		<dc:creator>CommunicateBetter</dc:creator>
				<category><![CDATA[Security Issues]]></category>
		<category><![CDATA[access control policies]]></category>
		<category><![CDATA[cardholder data]]></category>
		<category><![CDATA[credit card data]]></category>
		<category><![CDATA[online merchants]]></category>
		<category><![CDATA[PCI compliant]]></category>
		<category><![CDATA[PCI scanning]]></category>
		<category><![CDATA[PCI SSC]]></category>
		<category><![CDATA[secure network]]></category>
		<category><![CDATA[vulnerability management system]]></category>

		<guid isPermaLink="false">http://webhostinggeeks.com/blog/?p=591</guid>
		<description><![CDATA[Formed in 2004, the PCI SSC (Payment Card Industry Security Standards Council) was established to provide a universal set of security standards that is to be adhered to by merchants who process and transmit credit card data.  The council was founded by five of the top credit card companies: American Express, Discover, JCB, Mastercard and [...]]]></description>
			<content:encoded><![CDATA[<p align="left">Formed in 2004, the PCI SSC (Payment Card Industry Security Standards Council) was established to provide a universal set of security standards to be adhered to by merchants who process and transmit credit card data.  The council was founded by five of the top credit card companies: American Express, Discover, JCB, Mastercard and Visa.  In order to become a PCI compliant company, your business must comply with the standards set in place by the PCI Security Standards Council.  There are currently 12 standards across six categories that must be met.  These standards are as follows:</p>
<p align="left"><strong>1.) Create and Maintain a Secure Network</strong></p>
<p align="left">1. Protect cardholder data by implementing and maintaining a reliable firewall configuration.</p>
<p align="left">2. Never use manufacturer-supplied default passwords as the basis of security mechanisms.</p>
<p align="left"><strong>2.) Protect Cardholder Data</strong></p>
<p align="left">3. Protect cardholder data on servers and other storage media.</p>
<p align="left">4. Encrypt cardholder data traveling over public and other open networks.</p>
<p align="left"><strong>3.) Maintain a Vulnerability Management System</strong></p>
<p align="left">5. Install, use and regularly update malware protection software on all systems commonly affected by malicious programs.</p>
<p align="left">6. Create, deploy and maintain secure systems and applications.</p>
<p align="left"><strong>4.) Implement Strong Access Control Policies</strong></p>
<p align="left">7. Restrict access to cardholder data to authorized personnel on a need-to-know basis.</p>
<p align="left">8. Assign each individual with access to cardholder data a unique set of login credentials.</p>
<p align="left">9. Restrict physical access to cardholder data.</p>
<p align="left"><strong>5.) Test and Monitor Networks Regularly</strong></p>
<p align="left">10. Track and monitor user access to cardholder data and all network resources.</p>
<p align="left">11. Perform regular tests of policies and security systems.</p>
<p align="left"><strong>6.) Maintain a Policy for Information Security Purposes</strong></p>
<p align="left">12. Implement and maintain a policy that addresses information security issues.</p>
<p align="left"><strong>How PCI Scanning Works</strong></p>
<p align="left">PCI scanning is performed by approved vendors that help online merchants become PCI compliant by providing services that enable them to meet the standards set forth by the Council.  The scan itself refers to the process of the vendor probing the firewalls and other security elements a business has in place to determine whether vulnerabilities exist.  In the end, PCI compliance benefits all parties involved, including the consumer, retailer and credit card company.  Once the scan has been performed and its findings addressed, your website is free of infection and less vulnerable to threats.  When shoppers see that your site is PCI compliant, they will be more comfortable that their personal and financial information is protected from web criminals.  Not only is this good from a regulatory standpoint, but also from a public perspective, as it can help lead to more conversions and sales for the retailer.  For the credit card company, it means fewer reports of fraud and identity theft, and thus fewer headaches.</p>
<p align="left">The market for PCI scanning is growing rapidly, with McAfee and Trust Guard being among the leading service providers.  There are also a number of web hosting firms that offer services with security features to help organizations become PCI compliant.  A wider variety enables small scale retailers to leverage the best of both worlds in regard to PCI scanning and traditional website security.</p>
]]></content:encoded>
			<wfw:commentRss>http://webhostinggeeks.com/blog/2009/10/27/the-importance-of-pci-scanning/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Major Threats to Business Website Security</title>
		<link>http://webhostinggeeks.com/blog/2009/10/16/major-threats-to-business-website-security/</link>
		<comments>http://webhostinggeeks.com/blog/2009/10/16/major-threats-to-business-website-security/#comments</comments>
		<pubDate>Fri, 16 Oct 2009 15:57:55 +0000</pubDate>
		<dc:creator>CommunicateBetter</dc:creator>
				<category><![CDATA[Security Issues]]></category>
		<category><![CDATA[anti-virus software]]></category>
		<category><![CDATA[business website security]]></category>
		<category><![CDATA[CRLF injection]]></category>
		<category><![CDATA[cross site scripting]]></category>
		<category><![CDATA[data restoration]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[SQL injection]]></category>
		<category><![CDATA[StopBadware]]></category>
		<category><![CDATA[website security]]></category>

		<guid isPermaLink="false">http://webhostinggeeks.com/blog/?p=577</guid>
		<description><![CDATA[Any organization would find it irresponsible and downright silly not to have anti-virus software installed on their office systems.  Most would also have solutions in place for data restoration should there be a hardware failure or a natural disaster.  Surprisingly enough, far too many business owners are unaware [...]]]></description>
			<content:encoded><![CDATA[<p align="left">Any organization would find it irresponsible and downright silly not to have anti-virus software installed on their office systems.  Most would also have solutions in place for data restoration should there be a hardware failure or a natural disaster.  Surprisingly enough, far too many business owners are unaware that their websites are vulnerable to the same types of attacks as their local machines.  This is especially the case in shared and virtual environments where a multitude of sites are running on the same server.</p>
<p align="left">In May 2007, more than 90,000 sites were compromised by hackers in a large scale exploit designed to illegally install malicious code on the computers of visitors who clicked on seemingly harmless search results.  A StopBadware study showed that an estimated 10% of those compromised sites were maintained by one hosting firm in particular, which accounted for 250,000 infectious websites.  This is just one of many examples that prove no website is ever as safe as we might think.</p>
<p align="left"><strong>Common Threats to Business Websites</strong></p>
<p align="left">Hackers employ several methods and tricks to exploit websites.  Below we will focus on three that are most commonly used to attack business sites: SQL injection, cross site scripting and CRLF injection.</p>
<p align="left"><strong>SQL Injection</strong></p>
<p align="left">SQL injection is by far one of the most popular website attacks employed today.  This technique works by sending crafted or malicious input to a back-end database in order to manipulate the information it contains.  By doing so, the attacker can view whatever information is stored in the database, change it, or erase it completely.  Most websites would not exist without databases, but unfortunately any site that features shopping carts, search fields, or any type of web form is susceptible to SQL injection.  The fields that require interaction from your visitors and customers could open the door a hacker needs to steal sensitive data and destroy your company.</p>
<p align="left"><strong>Cross Site Scripting</strong></p>
<p align="left">Cross site scripting is another common attack that exploits holes in dynamic websites.  Dynamic pages can allow an attacker to insert malicious code and trick an end-user into running a harmful script in their browser.  If the user executes the code, the hacker could gain access to all of the sensitive information on their local machine.  Cross site scripting takes advantage of numerous programming technologies including ActiveX, Flash, JavaScript and VBScript.</p>
<p align="left"><strong>CRLF Injection</strong></p>
<p align="left">Unlike most exploits, CRLF injection does not take advantage of security vulnerabilities in the operating system or web server software.  Instead, it exploits the manner in which the application itself was written.  For instance, an attacker can submit a web form value that contains CR (Carriage Return) and LF (Line Feed) characters.  The chance for exploit arises when the application passes that input along unfiltered and mistakes the injected line break for one it produced itself.  This attack is very dangerous as it has the power to disable an entire website.</p>
<p align="left">This article is not aimed at making you a website security expert, but at making you aware that security for your business site should be just as important as security for your local machines.  To assume that your business will never be exploited only exposes you to unnecessary risks that could put you out of commission effective immediately.</p>
]]></content:encoded>
			<wfw:commentRss>http://webhostinggeeks.com/blog/2009/10/16/major-threats-to-business-website-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How Secure is Virtualization Technology?</title>
		<link>http://webhostinggeeks.com/blog/2009/10/14/how-secure-is-virtualization-technology/</link>
		<comments>http://webhostinggeeks.com/blog/2009/10/14/how-secure-is-virtualization-technology/#comments</comments>
		<pubDate>Wed, 14 Oct 2009 16:22:30 +0000</pubDate>
		<dc:creator>CommunicateBetter</dc:creator>
				<category><![CDATA[Security Issues]]></category>
		<category><![CDATA[Centrify]]></category>
		<category><![CDATA[EMC]]></category>
		<category><![CDATA[Ionix]]></category>
		<category><![CDATA[OS hardening]]></category>
		<category><![CDATA[RSA]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[separation of duty]]></category>
		<category><![CDATA[virtual machines]]></category>
		<category><![CDATA[virtual servers]]></category>
		<category><![CDATA[virtualization]]></category>
		<category><![CDATA[virtualized environments]]></category>
		<category><![CDATA[VMware]]></category>

		<guid isPermaLink="false">http://webhostinggeeks.com/blog/?p=573</guid>
		<description><![CDATA[A September 2009 survey released by Centrify revealed that the major barrier facing 46% of the respondents when it comes to adopting virtualization is security.  In fact, only an estimated 20% of respondents said they were strongly confident in the security infrastructure of their virtualized environments.  Professionals heavy into the technology sector are [...]]]></description>
			<content:encoded><![CDATA[<p align="left">A September 2009 survey released by Centrify revealed that the major barrier facing 46% of the respondents when it comes to adopting virtualization is security.  In fact, only an estimated 20% of respondents said they were strongly confident in the security infrastructure of their virtualized environments.  Professionals heavy into the technology sector are well aware of the security conundrum that surrounds virtualization.  It has become such an issue that EMC recently assembled a panel of experts from its Ionix, RSA and VMware divisions to put together some guidelines for adequately securing virtualized environments.  What they came up with was &#8220;Security Compliance in a Virtual World,&#8221; a report that focuses on many key points that must be considered for ensuring virtualization security.</p>
<p align="left"><strong>OS Hardening</strong></p>
<p align="left">The configuration of virtual machines and virtual switches must be hardened just like your physical boxes and network switches.  The underlying operating system must also be hardened through routine patches and updates, removal of unused components and maintenance of secure settings.  The EMC report suggests modeling virtual systems after the guidelines from the CIS (Center for Internet Security) and DISA (Defense Information Systems Agency), as they are viewed as well established security practices.</p>
<p align="left"><strong>Configuration and Change Management</strong></p>
<p align="left">Since virtualization technology makes it simple to deploy new virtual machines and modify their setups, it becomes very easy to fall into a chaotic state of configuration when it comes time to manage the environment.  Even when systems are adequately hardened during installation, it is still important for organizations to stay on top of the environment to ensure a secure configuration.  This means that when system settings are modified or new software applications are added, administrators make sure the virtual system continues to meet what the EMC report calls the &#8220;gold standard&#8221; of configuration.</p>
<p align="left"><strong>Access Control</strong></p>
<p align="left">Practical security policies such as least privilege and separation of duty should not be thrown by the wayside just because virtualization has come into the picture.  Instead, such principles should become more essential than ever.  The presence of virtualization results in increased density of all the systems and applications on your server.  This is more convenient for your organization as well as for the intruder, who may be able to manipulate these systems if proper access control is not enforced and maintained.  The report suggests that solution providers aid their staff and clients in understanding the importance of role-based access control both in and out of the virtual environment.</p>
<p align="left"><strong>Network Security and Segmentation</strong></p>
<p align="left">Companies operating virtual servers without any sort of segmentation are far more vulnerable to exploit and exposure than organizations that use virtual switches to place those virtual machines into virtual local area networks, just like their physical counterparts.  The security report explains that one of the most essential factors in compliance is ensuring that data is isolated and not mingled with or available to users on other virtual machines.  Organizations that possess expertise in the network security field should put it to use in the virtualization environment.  This can be done by deploying virtual switches and other virtual security mechanisms such as firewalls and intrusion protection systems to protect network perimeters.</p>
]]></content:encoded>
			<wfw:commentRss>http://webhostinggeeks.com/blog/2009/10/14/how-secure-is-virtualization-technology/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Three Simple Tips for Protecting Your Site</title>
		<link>http://webhostinggeeks.com/blog/2009/08/19/three-simple-tips-for-protecting-your-site/</link>
		<comments>http://webhostinggeeks.com/blog/2009/08/19/three-simple-tips-for-protecting-your-site/#comments</comments>
		<pubDate>Wed, 19 Aug 2009 17:50:00 +0000</pubDate>
		<dc:creator>CommunicateBetter</dc:creator>
				<category><![CDATA[Security Issues]]></category>
		<category><![CDATA[cloak files]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[index manager]]></category>
		<category><![CDATA[outdated web applications]]></category>
		<category><![CDATA[programming languages]]></category>
		<category><![CDATA[security measures]]></category>
		<category><![CDATA[strong passwords]]></category>
		<category><![CDATA[website security]]></category>

		<guid isPermaLink="false">http://webhostinggeeks.com/blog/?p=481</guid>
		<description><![CDATA[These days, it is more important than ever to keep your website current with the latest security measures.  Why so much emphasis on security?  Because hackers are always looking for ways to penetrate servers and websites to steal sensitive information.  There is a lot you can do to ensure better website security and the [...]]]></description>
			<content:encoded><![CDATA[<p align="left">These days, it is more important than ever to keep your website current with the latest security measures.  Why so much emphasis on security?  Because hackers are always looking for ways to penetrate servers and websites to steal sensitive information.  There is a lot you can do to ensure better website security, and the tips in this article should be taken very seriously.</p>
<p align="left"><strong>1.) Update Your Applications and Scripts</strong></p>
<p align="left">Running outdated web applications and code on your site is like giving hackers an open invitation.  So if you have older versions of WordPress or Joomla installed, it is advisable that you immediately check for and perform the necessary updates.  This goes for any application or programming language used for your site.  For a knowledgeable hacker, compromising Joomla 1.0 is as easy as uploading a shell script to an insecure form.  If successful, they could end up with complete control of your account.</p>
<p align="left"><strong>2.) Create Strong Passwords</strong></p>
<p align="left">A password can be a simple but effective security mechanism.  However, this is only the case when following a strict set of rules.  When securing login sessions and other areas of your site, never use a password that can be easily guessed by others or that is used for other accounts.  If someone knows just one of your passwords, they can keep trying it on each of your accounts until they are successful.  This could lead them not only to the control panel login of your hosting account, but also to the financial institution you do your online banking with.</p>
<p align="left"><strong>3.) Mask Your Folders</strong></p>
<p align="left">It is always wise to cloak the website files and folders that are stored on the server.  Many security experts suggest keeping a blank index.html file in each of the folders stored in your public directory.  Doing this will ensure that the contents cannot easily be viewed by internet users.  This process is made simple with the cPanel control panel and its Index Manager function.  You can take this one step further by password protecting the administrator folder that contains the scripts you are running.  This is highly recommended as it provides an added layer of security that will make an intruder have to work that much harder.</p>
<p align="left"><strong>What If I Still Get Hacked?</strong></p>
<p align="left">As we alluded to earlier, there is a possibility that even after adhering to all of these tips and more, your website can still be compromised by a hacker.  Should your site be successfully exploited, there are a couple of things you should do right away to minimize the damage.  The first step that needs to be taken involves changing all of the passwords associated with your website.  This goes from your control panel and administrative areas to everything else in between.  Next, go through your hosting account to find and update all old applications and plugins, as they could easily be the culprits that led to the exposure.  Any website can be compromised, and if it happens to you, your sensitive information can be used for criminal gain in one way or another.  Prevention is the key, so employ all the measures you can to ensure you are protected against existing and emerging threats.</p>
]]></content:encoded>
			<wfw:commentRss>http://webhostinggeeks.com/blog/2009/08/19/three-simple-tips-for-protecting-your-site/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Is Cloud Computing Behind the Twitter Hack?</title>
		<link>http://webhostinggeeks.com/blog/2009/08/04/is-cloud-computing-behind-the-twitter-hack/</link>
		<comments>http://webhostinggeeks.com/blog/2009/08/04/is-cloud-computing-behind-the-twitter-hack/#comments</comments>
		<pubDate>Tue, 04 Aug 2009 17:24:25 +0000</pubDate>
		<dc:creator>CommunicateBetter</dc:creator>
				<category><![CDATA[Security Issues]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[cloud hosting]]></category>
		<category><![CDATA[data storage]]></category>
		<category><![CDATA[Google Apps]]></category>
		<category><![CDATA[hacker]]></category>
		<category><![CDATA[internet security]]></category>
		<category><![CDATA[Twitter]]></category>
		<category><![CDATA[Twitter hack]]></category>

		<guid isPermaLink="false">http://webhostinggeeks.com/blog/?p=455</guid>
		<description><![CDATA[The cloud is one of the hottest topics in the world of network computing and more recently, IT hosting and e-commerce.  Though it has proven to be a cost-efficient technology, the cloud does not come without flaws, especially if the latest high-profile internet security breach has anything to say about it.

The Infamous Twitter Hack

What is [...]]]></description>
			<content:encoded><![CDATA[<p align="left">The cloud is one of the hottest topics in the world of network computing and more recently, IT hosting and e-commerce.  Though it has proven to be a cost-efficient technology, the cloud does not come without flaws, especially if the latest high-profile internet security breach has anything to say about it.</p>
<p align="left"><strong>The Infamous Twitter Hack</strong></p>
<p align="left">What is being dubbed the “Twitter Hack” has some questioning whether security is an issue for the phenomenon that is cloud computing.  The incident that sparked the debate was actually the hacking of a Google Apps account belonging to a Twitter employee.  It has been reported that the exploit occurred because one of Twitter’s co-founders created a password for Google Apps that was easily guessed by a hacker.  This, in turn, enabled the hacker to access the user’s personal information, including the data on his wife’s personal computer.</p>
<p align="left"><strong>A War of Words</strong></p>
<p align="left">Andy Cordial, managing director of data storage solutions firm Origin Storage, stated that a large number of companies and their employees are becoming victims of the cloud.  Cordial’s logic is that because cloud computing is so prevalent, businesses are being rushed into it and forced &#8220;to adapt their IT security systems on the fly.&#8221; He remarked that Origin Storage saw the shift in the business industry on the horizon and that all the security &#8220;breaches occurring on the cloud front&#8221; are proof that there are discrepancies that still need to be resolved.  Although the cloud shouldn’t necessarily take all the blame for the most recent debacle, the news certainly isn’t making anyone feel any better about the overall security of Twitter or Google Apps.</p>
<p align="left">Evan Williams, the Twitter co-founder who essentially caused his wife’s Gmail webmail account to be compromised, explained to blog site TechCrunch that the hack was absolutely not due to a lack of security on the part of Twitter.  However, Andy Cordial stressed that if Twitter had focused more on security rather than on growing its user base at all costs, the company wouldn’t be in the midst of such an embarrassing situation.  Cordial added that implementing encryption in an organization’s data storage arrangement, be it on or off the cloud, will ensure that information stored on the server and in transit is protected from malicious intent.  His final shot at the Twitter co-founder was that creating a secure password on top of encryption and sound corporate policies would likely have prevented the matter.  However, it should be stated that it was personal user accounts, not business accounts, that were compromised.</p>
<p align="left"><strong>Who’s to Blame?</strong></p>
<p align="left">Who should take the bullet for the so-called Twitter Hack?  Is it really the fault of the cloud, or should blame lie with Google Apps or the victim?  While it is probably a combination of all parties, one would think that a co-founder and active member of what is arguably the most popular social networking platform of the moment would have the know-how to be a little more responsible.  In any event, this breach will probably not reassure the many users who are still concerned about internet security any time soon.</p>
]]></content:encoded>
			<wfw:commentRss>http://webhostinggeeks.com/blog/2009/08/04/is-cloud-computing-behind-the-twitter-hack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hack-Proofing Your Dedicated Server</title>
		<link>http://webhostinggeeks.com/blog/2009/07/20/hack-proofing-your-dedicated-server/</link>
		<comments>http://webhostinggeeks.com/blog/2009/07/20/hack-proofing-your-dedicated-server/#comments</comments>
		<pubDate>Mon, 20 Jul 2009 18:32:43 +0000</pubDate>
		<dc:creator>CommunicateBetter</dc:creator>
				<category><![CDATA[Security Issues]]></category>
		<category><![CDATA[brute force]]></category>
		<category><![CDATA[DDoS]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[FTP]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[intrusion protection]]></category>
		<category><![CDATA[kernel patch]]></category>
		<category><![CDATA[malicious traffic]]></category>
		<category><![CDATA[security threat]]></category>
		<category><![CDATA[malware]]></category>

		<guid isPermaLink="false">http://webhostinggeeks.com/blog/?p=430</guid>
		<description><![CDATA[Having a dedicated server is one of the true signs that you have made it as a small to medium sized business owner.  Unfortunately, it also makes you a likely target of hacking and other security threats.  Securing any machine equipped with a web or application server is a huge challenge, one you may not [...]]]></description>
			<content:encoded><![CDATA[<p align="left">Having a dedicated server is one of the true signs that you have made it as a small to medium sized business owner.  Unfortunately, it also makes you a likely target of hacking and other security threats.  Securing any machine equipped with a web or application server is a huge challenge, one you may not be able to overcome alone.  You need to worry about everything from your email and FTP communications to OS and kernel patches.  And let’s not forget about those web technologies that can bring you so much functionality along with a lot of grief when not properly secured.  This web-based world we live in can be very hazardous to any business so if you want to protect your server, we suggest paying close attention to the contents of this article.</p>
<p align="left">
<p align="left"><strong>Must-Have Defenses</strong></p>
<p align="left">
<p align="left">Securing a dedicated server begins with a two-layer defense: a firewall and intrusion detection and prevention technology.  A firewall limits which ports are reachable from the internet and can rate-limit connection attempts, which blunts brute force login attacks against SSH, FTP and control panels and drops the junk traffic of a small flood.  It is not a complete answer to a DDoS (distributed denial of service) attack, though.  Such an attack usually originates from a large number of unsecured, enslaved machines and slams the server with enormous volumes of meaningless traffic, overwhelming critical resources and rendering the machine inaccessible to legitimate users; a volumetric flood can saturate the upstream link before a packet ever reaches your firewall, so protection there has to come from the hosting provider’s network as well.  A well-configured firewall enforces rules that filter access and block malicious traffic while allowing legitimate traffic to pass, and it does so with negligible added latency, so it is transparent to the end-user.</p>
<p align="left">
<p align="left">Intrusion detection and prevention take a closer look at the traffic the firewall lets through.  Where a packet filter decides on addresses and ports, an IDS/IPS inspects the content of connections and the server’s own logs for attack signatures and abnormal behavior, such as a burst of failed logins or a known exploit payload; a prevention system then drops the offending connections or blocks the source host for a period, while genuine user traffic is passed along unaffected.  If the firewall is your first line of defense, intrusion protection is the mechanism that catches what gets past it.  Together they shift security from reacting after a compromise to stopping the attempt while it is in progress.</p>
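<p align="left">What the firewall-plus-IPS pairing actually contributes against a brute force login attack, as an added example that is not from the original article: fail2ban-style detection logic run over constructed sshd log lines (not a real capture) that flags a source after a burst of failed logins and renders the firewall rules that would block it.  The port, threshold and window are assumed values, and the rules are returned as text for review rather than executed.  This is the split the paragraph describes: the packet filter cannot tell a failed password from a successful one, so the log-watching layer has to produce the rule.</p>

```python
"""Added example (not from the original article): fail2ban-style detection of
SSH brute-force attempts from sshd log lines, producing firewall block rules.

Assumptions not stated on the page: the log lines use the syslog format
OpenSSH writes ("Failed password for ... from <ip> port <n> ssh2"); the
threshold and window below are hypothetical tuning values; the iptables
commands are returned as strings for review rather than executed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not a real capture). 203.0.113.7 hammers the server,
# 198.51.100.5 is a user who mistyped once, 192.0.2.9 probes slowly.
SAMPLE_LOG = """\
Jul 20 18:30:01 host sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Jul 20 18:30:02 host sshd[4102]: Failed password for invalid user oracle from 203.0.113.7 port 51013 ssh2
Jul 20 18:30:03 host sshd[4103]: Failed password for root from 203.0.113.7 port 51014 ssh2
Jul 20 18:30:05 host sshd[4104]: Failed password for alice from 198.51.100.5 port 40122 ssh2
Jul 20 18:30:06 host sshd[4105]: Accepted password for alice from 198.51.100.5 port 40122 ssh2
Jul 20 18:30:07 host sshd[4106]: Failed password for root from 203.0.113.7 port 51015 ssh2
Jul 20 18:30:09 host sshd[4107]: Failed password for invalid user test from 203.0.113.7 port 51016 ssh2
Jul 20 18:45:00 host sshd[4108]: Failed password for root from 192.0.2.9 port 60001 ssh2
Jul 20 18:59:00 host sshd[4109]: Failed password for root from 192.0.2.9 port 60002 ssh2
Jul 20 19:20:00 host sshd[4110]: Failed password for root from 192.0.2.9 port 60003 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2009):
    """Yield (timestamp, source_ip) for every failed-login line.
    Syslog omits the year, so it is supplied (assumed 2009 to match the page)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def find_brute_forcers(log_text, max_failures=5, window_seconds=600):
    """Return source IPs that reach `max_failures` failed logins inside any
    sliding window of `window_seconds`, in order of first detection."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    flagged = []
    for ts, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # forget failures older than the window
        if len(q) >= max_failures and ip not in flagged:
            flagged.append(ip)
    return flagged


def block_rules(ips, port=22):
    """Render iptables rules that drop new SSH connections from each offender.
    Returned, not run, so an operator can review them first."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in ips]


if __name__ == "__main__":
    for rule in block_rules(find_brute_forcers(SAMPLE_LOG)):
        print(rule)
```

<p align="left">With the defaults only the fast attacker is flagged; lowering the threshold and widening the window catches the slow prober too, which is the tuning trade-off every IPS deployment has to make between catching patient attackers and locking out clumsy users.</p>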
<p align="left">
<p align="left"><strong>Don’t Stop There</strong></p>
<p align="left">
<p align="left">While firewalls and intrusion protection are good first steps, keep in mind that this isn’t a set-it-and-forget-it deal.  To stay ahead of hackers, malware authors and corporate saboteurs you must stay vigilant and apply frequent updates to your patches, blacklists, filters and other vital elements.  Purchasing and installing a few security devices and applications is the easy part.  Managing them well is an entirely different story.</p>
<p align="left">
<p align="left">Because properly securing a dedicated server in-house is beyond the budget and expertise of many small and medium sized organizations, you may want to consider a managed service to help keep intruders out.   Managed hosting is an often overlooked option for a dedicated server that can spell the difference between running a successful business and going down because of a major security breach.  If you are not sure where you stand on server security, consult your IT team or speak with a professional firm for guidance.</p>
<p align="left">
]]></content:encoded>
			<wfw:commentRss>http://webhostinggeeks.com/blog/2009/07/20/hack-proofing-your-dedicated-server/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Securing Your Business Website in Three Easy Steps</title>
		<link>http://webhostinggeeks.com/blog/2009/07/17/securing-your-business-website-in-three-easy-steps/</link>
		<comments>http://webhostinggeeks.com/blog/2009/07/17/securing-your-business-website-in-three-easy-steps/#comments</comments>
		<pubDate>Fri, 17 Jul 2009 17:29:27 +0000</pubDate>
		<dc:creator>CommunicateBetter</dc:creator>
				<category><![CDATA[Security Issues]]></category>
		<category><![CDATA[128-bit encryption]]></category>
		<category><![CDATA[bank account information]]></category>
		<category><![CDATA[credit card numbers]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[merchant account provider]]></category>
		<category><![CDATA[ssl certificate]]></category>
		<category><![CDATA[stolen credit card]]></category>
		<category><![CDATA[VeriSign]]></category>

		<guid isPermaLink="false">http://webhostinggeeks.com/blog/?p=428</guid>
		<description><![CDATA[Whether it’s the local shopping market, airport or online, thieves are lurking and just waiting for you to make a critical mistake.  In fact, much of the internet community is in a state of panic as data theft is at an all-time high.  Credit card numbers, bank account information and identities are being stolen from [...]]]></description>
			<content:encoded><![CDATA[<p align="left">Whether it’s the local shopping market, airport or online, thieves are lurking and just waiting for you to make a critical mistake.  In fact, much of the internet community is in a state of panic as data theft is at an all-time high.  Credit card numbers, bank account information and identities are being stolen from companies who don’t know how to properly secure their website and transactions.  Assuming you don’t want to be the next victim, we have provided three simple tips to keep you one step ahead of the attackers.</p>
<p align="left">
<p align="left"><strong>1.) Make Use of Encryption </strong></p>
<p align="left">
<p align="left">In order to protect the monetary transactions occurring on your site, you at least need an SSL certificate and a server configuration that offers no cipher weaker than 128 bits (the figure describes the symmetric key that encrypts the session, not the certificate itself).  The certificate can be issued and managed through a third-party vendor such as VeriSign, or you can handle the configuration yourself.  SSL encrypts the data in transit between the customer’s browser and your web server so that anyone intercepting it sees only ciphertext.  Note that the connection is decrypted at your server, not at your payment processor: the card details then have to be passed to the processor over a second encrypted connection and must never be written to disk in the clear along the way.  By placing the certificate vendor’s seal on your website, you can calm the nerves of consumers and encourage them to shop your store in confidence.</p>
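<p align="left">To make the 128-bit floor concrete, here is an added example that is not from the original article and is not Apache’s own configuration syntax: a server-side TLS context built with Python’s standard ssl module that offers only 128-bit-or-stronger, forward-secret cipher suites on TLS 1.2 or later, beside a legacy context that switches everything on, and an audit function that lists whatever falls below the floor.  The cipher string and protocol floor are one reasonable choice assumed here rather than taken from the page.</p>

```python
"""Added example, not from the original article: a server-side TLS context that
honours the "no less than 128-bit" floor, and an audit that reports any cipher
suite or protocol floor weaker than that. The cipher string is one reasonable
choice, assumed here; it is not taken from the page."""
import ssl

MIN_BITS = 128  # symmetric key strength the article treats as the minimum


def hardened_context():
    """Server context: TLS 1.2 or newer, forward-secret AEAD suites only."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES"
    )
    # A deployment would also load the certificate the CA issued, e.g.
    #   ctx.load_cert_chain("server.crt", "server.key")   (paths assumed)
    # It is left out so the example runs without any files on disk.
    return ctx


def legacy_context():
    """A 'just switch SSL on' context: every protocol and suite the library
    still knows, null and export-grade ones included. The @SECLEVEL syntax
    needs OpenSSL 1.1 or newer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("ALL:COMPLEMENTOFALL:@SECLEVEL=0")
    return ctx


def weak_cipher_suites(ctx, min_bits=MIN_BITS):
    """Names of suites the context would offer with fewer than min_bits of
    effective key strength (what the article's '128-bit' actually measures)."""
    return sorted(
        c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < min_bits
    )


def audit(ctx, min_bits=MIN_BITS):
    """Human-readable findings; an empty list means the context meets the floor."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"protocol floor is {ctx.minimum_version.name}; TLS 1.2 or newer expected"
        )
    findings.extend(
        f"weak cipher suite offered: {name}" for name in weak_cipher_suites(ctx, min_bits)
    )
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_context()), ("legacy", legacy_context())):
        problems = audit(ctx)
        print(f"{label}: {len(ctx.get_ciphers())} suites offered, {len(problems)} findings")
        for p in problems[:5]:
            print("  " + p)
```

<p align="left">In 2009 SSL 3.0 and TLS 1.0 were still widely offered; the floor chosen here is today’s baseline.  On Apache the same policy is expressed with the SSLProtocol and SSLCipherSuite directives in the virtual host, and the audit above is the kind of check worth running against whatever the hosting provider configured for you.</p>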
<p align="left">
<p align="left"><strong>2.) Check Your Buyers </strong></p>
<p align="left">
<p align="left">Although you don’t want to look as if you are suspicious of everyone, the prevalence of credit card payments increases the probability of a customer using someone’s financial information without their knowledge or approval.  To minimize situations like this, you should check the identity of your customers.  This can be done by obtaining not only their name and credit card number, but also their home address, telephone number and the security code printed on the back of the physical card.  By doing so, you can better assure that the financial details submitted actually belong to the individual making the purchase.  One caveat: use the security code only to authorize the transaction and never store it afterward; the PCI Data Security Standard forbids retaining it, and a stored copy is exactly what a card thief wants from you.  If the card comes back as stolen, you could end up playing a role in helping authorities track down the criminal.</p>
<p align="left">
<p align="left"><strong>3.) Research Your Merchant</strong></p>
<p align="left">
<p align="left">To ensure that financial information will not be stolen following the transaction, it is imperative that you run a thorough check of the merchant account provider processing your credit card payments.  You can start by reading reviews to learn if they have a history of fraud or security issues.  Don’t hesitate to speak to the company directly about the security measures they employ and most importantly, to make sure you are completely confident in their services.  If you have any doubts about the provider, follow your instinct and move on to the next option.</p>
<p align="left">
<p align="left">Security is a hot topic in seemingly every industry these days.  If you are using the internet as a medium for your business, these certainly are not times when you can just sit back and simply hope for the best.  Hackers and their attack tools grow more advanced every day, so it is critical that you take the appropriate actions to keep both you and your customers out of harm’s way.</p>
]]></content:encoded>
			<wfw:commentRss>http://webhostinggeeks.com/blog/2009/07/17/securing-your-business-website-in-three-easy-steps/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The Insecurity of Web Upload Forms</title>
		<link>http://webhostinggeeks.com/blog/2009/06/22/the-insecurity-of-web-upload-forms/</link>
		<comments>http://webhostinggeeks.com/blog/2009/06/22/the-insecurity-of-web-upload-forms/#comments</comments>
		<pubDate>Mon, 22 Jun 2009 18:37:53 +0000</pubDate>
		<dc:creator>CommunicateBetter</dc:creator>
				<category><![CDATA[Security Issues]]></category>
		<category><![CDATA[.htaccess]]></category>
		<category><![CDATA[anonymous visitors]]></category>
		<category><![CDATA[compromise server]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[improper security configurations]]></category>
		<category><![CDATA[malicious users]]></category>
		<category><![CDATA[MySpace]]></category>
		<category><![CDATA[security configurations]]></category>
		<category><![CDATA[Twitter]]></category>
		<category><![CDATA[upload files]]></category>

		<guid isPermaLink="false">http://webhostinggeeks.com/blog/?p=386</guid>
		<description><![CDATA[Convenience aside, allowing anonymous visitors to upload files to your site is pretty much like opening the gates and telling malicious users it is okay to compromise your server.  This puts you, the website owner, in a very tough position when considering that such permissions have become a commonality on today&#8217;s internet and has proven [...]]]></description>
			<content:encoded><![CDATA[<p align="left">Convenience aside, allowing anonymous visitors to upload files to your site is pretty much like opening the gates and telling malicious users it is okay to compromise your server.  This puts you, the website owner, in a very tough position when considering that such permissions have become a commonality on today&#8217;s internet and has proven to increase business efficiency.</p>
<p align="left">
<p align="left">The ability to upload files is a regular feature on social networking sites such as Facebook, MySpace and Twitter as well as blogs, forums and online banking sites.  It is also common in corporate portals, where it lets end-users share files with business employees.  In these environments, users are permitted to upload documents, pictures, music, videos and several other types of files.  The more functionality an end-user is given, the greater the probability of creating a vulnerable web application, and some users will abuse an upload privilege to gain access to the site or compromise the web server behind it.</p>
<p align="left">
<p align="left">During recent tests, security experts have discovered that an alarming number of widely used web applications are not making use of secure upload forms.   According to their findings, many of these vulnerabilities were easily detected and exploited, allowing experts to gain full access to the file system on the web server hosting those applications.   Most of these vulnerabilities were the direct result of improper security configurations, essentially permitting intruders to roll right in.</p>
<p align="left">
<p align="left"><strong>Viable Solutions </strong></p>
<p align="left">
<p align="left">Below is a list of practices you or your system administrator should enforce when file uploads are allowed to your website or web applications:</p>
<p align="left">
<p align="left">- Create an .htaccess file covering the upload area that only lets the web server serve files with the allowed extensions, so an uploaded script is never handed to an interpreter.</p>
<p align="left">
<p align="left">- Do not put that .htaccess file in the directory where the uploaded files themselves are written.  Keep it in the parent directory, which visitors cannot write to, so an upload can never replace it; Apache applies an .htaccess file to every directory beneath it (provided AllowOverride permits it for that path).</p>
<p align="left">
<p align="left">- An .htaccess file that only allows gif, jpg, jpeg and png files contains the following lines:</p>
<p align="left">
<p align="left">deny from all</p>
<p align="left">
<p align="left">&lt;Files ~ "^\w+\.(gif|jpe?g|png)$"&gt;</p>
<p align="left">order deny,allow</p>
<p align="left">allow from all</p>
<p align="left">&lt;/Files&gt;</p>
<p align="left">
<p align="left">These lines can be adjusted to suit your own needs.  Every request is denied by default and allowed only when the file name is a run of letters, digits or underscores followed by exactly one permitted extension.  Because \w does not match a dot, this also protects you from double extension attacks: a name such as shell.php.jpg is refused outright.  On Apache 2.4 the Order, Deny and Allow directives require mod_access_compat; the native form is Require all denied at the top and Require all granted inside a &lt;FilesMatch "..."&gt; block with the same pattern.</p>
<p align="left">
<p align="left">- If at all possible, store the files uploaded by users in a directory outside the web document root, so nothing in it can be fetched directly by URL and the .htaccess rule becomes a second line of defense rather than the only one.</p>
<p align="left">
<p align="left">- Do not allow existing files to be overwritten.  This prevents the .htaccess overwrite attack, in which an attacker uploads a file named .htaccess that maps image extensions to the script handler or otherwise re-enables execution in the upload directory.</p>
<p align="left">
<p align="left">- Do not rely on client-side validation.  The attacker controls the browser and can submit any request directly, so JavaScript or HTML checks are a convenience only; every check must be repeated on the server.</p>
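<p align="left">The practices above as working server-side code, an added example that is not from the original article: it applies the same single-extension rule as the .htaccess pattern, checks that the bytes really are the image type the name claims, writes under a random server-chosen name so the client’s file name never reaches the file system, and creates the file with O_EXCL so an existing file (an .htaccess included) can never be overwritten.  The content check and the renaming go beyond the bullets; the allowed types, size limit, upload directory and sample uploads are all constructed for the illustration.</p>

```python
"""Added example, not from the original article: server-side enforcement of the
upload rules listed above. The allowed types, size limit, file signatures and
the sample uploads are all constructed for this illustration."""
import os
import re
import secrets
import tempfile

ALLOWED = {"gif", "jpg", "jpeg", "png"}  # assumed image-only policy
MAX_BYTES = 2 * 1024 * 1024               # assumed size limit

# Same shape as the .htaccess rule: ASCII word characters, one dot, one
# extension. Rejects "shell.php.jpg", ".htaccess", "a b.png" and any path.
SAFE_NAME = re.compile(r"^\w+\.(\w+)$", re.ASCII)

# Leading bytes each format must start with. A PHP script renamed to .jpg
# fails this; a script hidden behind a real header still cannot run, because
# the stored file is never served as a script.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}


class UploadRejected(ValueError):
    """Carries a reason the server can log (it need not be shown to the user)."""


def validate_upload(filename, data):
    """Return the normalised extension if the upload passes every check."""
    m = SAFE_NAME.match(filename)
    if not m:
        raise UploadRejected("name must be word characters plus a single extension")
    ext = m.group(1).lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension .{ext} is not allowed")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected(f"content is not a {ext} image")
    return ext


def write_once(path, data):
    """Create the file only if it does not exist yet. O_EXCL makes the
    existence check and the create one atomic step, so an attacker can never
    replace an existing file, which defeats the .htaccess overwrite attack."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def store_upload(filename, data, upload_dir):
    """Validate, then save under a server-chosen random name; the client's
    file name never touches the file system. `upload_dir` is meant to sit
    outside the web document root."""
    ext = validate_upload(filename, data)
    stored = f"{secrets.token_hex(16)}.{ext}"
    write_once(os.path.join(upload_dir, stored), data)
    return stored


def run_demo():
    """Push constructed uploads through the checks; returns {label: outcome}."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
    cases = {
        "good png": ("photo.png", png),
        "double extension": ("shell.php.jpg", png),
        "htaccess": (".htaccess", b"AddType application/x-httpd-php .jpg\n"),
        "php named jpg": ("avatar.jpg", b"<?php system($_GET['c']); ?>"),
        "gif": ("anim.gif", b"GIF89a" + b"\x00" * 16),
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:  # stands in for the upload directory
        for label, (name, data) in cases.items():
            try:
                results[label] = "stored as " + store_upload(name, data, d)
            except UploadRejected as e:
                results[label] = "rejected: " + str(e)
        # An overwrite attempt against a file that already exists on disk.
        existing = os.path.join(d, ".htaccess")
        write_once(existing, b"deny from all\n")
        try:
            write_once(existing, b"AddType application/x-httpd-php .jpg\n")
            results["overwrite"] = "replaced (must never happen)"
        except FileExistsError:
            results["overwrite"] = "rejected: file exists"
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:18} {outcome}")
```

<p align="left">Because the server picks the stored name, the name check is belt and braces rather than the last line of defense; the .htaccess rule from the list still applies whenever the upload directory sits under the document root.</p>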
<p align="left">
<p align="left"><strong>Conclusion </strong></p>
<p align="left">
<p align="left">There are several ways a malicious user can bypass the security configurations applied to a file upload form.  When incorporating such a feature into your web applications, you should make it a priority to follow the best security practices and put them to the test on a regular basis.  While this requires a considerable amount of security expertise, it is worth every bit of time to make sure your website is protected.</p>
<p align="left">
]]></content:encoded>
			<wfw:commentRss>http://webhostinggeeks.com/blog/2009/06/22/the-insecurity-of-web-upload-forms/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Need for PCI Compliant Hosting</title>
		<link>http://webhostinggeeks.com/blog/2009/05/29/the-need-for-pci-compliant-hosting/</link>
		<comments>http://webhostinggeeks.com/blog/2009/05/29/the-need-for-pci-compliant-hosting/#comments</comments>
		<pubDate>Fri, 29 May 2009 13:48:06 +0000</pubDate>
		<dc:creator>CommunicateBetter</dc:creator>
				<category><![CDATA[Security Issues]]></category>
		<category><![CDATA[credit card payments]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[keyloggers]]></category>
		<category><![CDATA[malicious software]]></category>
		<category><![CDATA[malware protection]]></category>
		<category><![CDATA[Payment Card Industry]]></category>
		<category><![CDATA[PCI compliant]]></category>
		<category><![CDATA[security tools]]></category>
		<category><![CDATA[sensitive card data]]></category>
		<category><![CDATA[SSL]]></category>
		<category><![CDATA[trojans]]></category>
		<category><![CDATA[viruses]]></category>
		<category><![CDATA[worms]]></category>

		<guid isPermaLink="false">http://webhostinggeeks.com/blog/?p=354</guid>
		<description><![CDATA[More web hosting providers are offering services that provide customers with the help they need to achieve PCI (Payment Card Industry) compliance.  Achieving compliance requires the use of numerous security tools and policies to meet the standards that apply to any business that accepts, processes and stores credit card information.  Those who do not adhere [...]]]></description>
			<content:encoded><![CDATA[<p align="left">More web hosting providers are offering services that provide customers with the help they need to achieve PCI (Payment Card Industry) compliance.  Achieving compliance requires the use of numerous security tools and policies to meet the standards that apply to any business that accepts, processes and stores credit card information.  Those who do not adhere to these requirements are subject to penalties and may eventually lose their privileges to accept credit card payments, which is the most common method of payment on the web.  If you sell products or services online, investing in a PCI compliant hosting solution may be worthy of your consideration.</p>
<p align="left">
<p align="left">Though PCI standards were introduced to protect consumer information and ensure integrity across various industries, they have also introduced a new level of frustration for the smaller business that needs to sell products or services online but doesn&#8217;t possess the resources to achieve compliance.  A lot goes into protecting sensitive card data and unfortunately, one too many organizations are not equipped to provide this protection.  Every day, companies scramble to gather the resources needed to fend off attackers and to avoid the fines and loss of card-acceptance privileges that the card brands and acquiring banks, not the government, impose for non-compliance.  Difficulties aside, PCI compliance is needed as threats are growing rapidly in both number and sophistication.</p>
<p align="left">
<p align="left"><strong>PCI-Friendly Hosting Features</strong></p>
<p align="left">
<p align="left">Achieving compliance requires a multitude of security components.  Some of the essentials include:</p>
<p align="left">
<p align="left"><strong>Malware Protection</strong> &#8211; Malicious software such as viruses, worms, Trojans and keyloggers pose a direct threat to card data stored on any computer or web server.  Businesses are strongly advised to keep their systems protected with reliable solutions capable of detecting and eradicating the latest malware programs.</p>
<p align="left">
<p align="left"><strong>Firewall </strong>- A firewall provides an organization with the ability to control inbound and outbound traffic going to and from the system.  With the right configurations, it can halt malicious traffic and also help to prevent basic hacking attacks.</p>
<p align="left">
<p align="left"><strong>Intrusion Detection</strong> &#8211; Though very effective, a firewall can only do so much.  An intrusion detection system helps satisfy the standard&#8217;s requirement to monitor traffic at the perimeter of the cardholder data environment by detecting malicious activity that poses a potential threat to card data resting on the system.</p>
<p align="left">
<p align="left"><strong>Network Monitoring</strong> &#8211; Even with all the right security mechanisms, the payment path can still fail for reasons unrelated to attack, such as hardware failure or a problem with a backbone provider.  Network monitoring lets companies stay one step ahead of such issues by watching over the network and reporting its status to system administrators.</p>
<p align="left">
<p align="left"><strong>SSL Certificate System </strong>- SSL (Secure Sockets Layer) is a must-have for any business that sells goods or services over the internet.  Credit card data is in jeopardy whenever a transaction is made on a website that isn&#8217;t protected.   With an SSL certificate in place, the protocol encrypts the connection between the customer&#8217;s browser and the web server, so card details cannot be read or tampered with in transit.  It protects nothing once the data is stored, which is why the controls above are still required.</p>
<p align="left">
<p align="left">Not all hosting providers make the commitment to aid in PCI compliance but more are getting onboard with the concept.  Those who are should be commended for their efforts to aid in business-friendly solutions that take the stress out of meeting these demanding standards.</p>
<p align="left">
<p align="left">
]]></content:encoded>
			<wfw:commentRss>http://webhostinggeeks.com/blog/2009/05/29/the-need-for-pci-compliant-hosting/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
