Archive for the 'Security Issues' Category

Is Cloud Computing Behind the Twitter Hack?

The cloud is one of the hottest topics in the world of network computing and more recently, IT hosting and e-commerce.  Though it has proven to be a cost-efficient technology, the cloud does not come without flaws, especially if the latest high-profile internet security breach has anything to say about it.

The Infamous Twitter Hack

What is being dubbed as the “Twitter Hack” has some questioning whether security is an issue for the phenomenon that is cloud computing.  The incident that sparked the debate was actually the hacking of a Google Apps account belonging to a Twitter employee.  It has been reported that the exploit occurred because one of Twitter’s co-founders created a password for Google Apps that was easily guessed by a hacker.  This, in turn, enabled the hacker to access the user’s personal information, including the data on his wife’s personal computer.

A War of the Words

Andy Cordial, managing director of data storage solutions firm Origin Storage, stated that a large number of companies and their employees are becoming victims of the cloud.  Cordial’s logic is that because cloud computing is so prevalent, businesses are being rushed into it and forced “to adapt their IT security systems on the fly.” He remarked that Origin Storage saw the shift in the business industry on the horizon and that all the security “breaches occurring on the cloud front” are proof that there are gaps that still need to be closed.  Although the cloud shouldn’t necessarily take all the blame for the most recent debacle, the news certainly isn’t making anyone feel any better about the overall security of Twitter or Google Apps.

Evan Williams, the Twitter co-founder who essentially caused his wife’s Gmail webmail account to be compromised, explained to blog site TechCrunch that the hack was absolutely not due to a lack of security on the part of Twitter.  However, Andy Cordial stressed that if Twitter had paid more attention to security rather than growing its user base at all costs, the company wouldn’t be in the midst of such an embarrassing situation.  Cordial added that implementing encryption in an organization’s data storage arrangement, be it on or off the cloud, will ensure that information stored on the server and in transit is protected from malicious intent.  His final shot at the Twitter co-founder was that creating a secure password, on top of encryption and sound corporate policies, would likely have prevented the matter.  However, it should be stated that it was personal user accounts, not business accounts, that were compromised.

Who’s to Blame?

Who should take the bullet for the so-called Twitter Hack?  Is it really the fault of the cloud, or should blame lie with Google Apps or the victim?  While it is probably a combination of all parties, one would think that a co-founder and active member of what is arguably the most popular social networking platform of the moment would have the know-how to be a little more responsible.  In any event, this breach probably will not convince many of the users who are still concerned about internet security any time soon.

Category: Security Issues
Posted on Tuesday, Aug 04, 2009

Hack-Proofing Your Dedicated Server

Having a dedicated server is one of the true signs that you have made it as a small- to medium-sized business owner.  Unfortunately, it also makes you a likely target of hacking and other security threats.  Securing any machine equipped with a web or application server is a huge challenge, one you may not be able to overcome alone.  You need to worry about everything from your email and FTP communications to OS and kernel patches.  And let’s not forget about those web technologies that can bring you so much functionality along with a lot of grief when not properly secured.  This web-based world we live in can be very hazardous to any business, so if you want to protect your server, we suggest paying close attention to the contents of this article.

Must-Have Defenses

Securing a dedicated server begins with creating a two-layer bulletproof vest to deflect the attempts of the enemy.  Two of the most effective weapons to carry into battle are firewall and intrusion protection technology.  With a firewall, your server will be able to fight off common attacks such as DDoS (distributed denial of service) and brute force attempts.  Usually originating from multiple unsecured, enslaved machines, the dreaded DDoS attack will slam your dedicated server with enormous amounts of junk traffic, overwhelming critical resources and rendering the hardware inaccessible to legitimate users.  A quality firewall with a good configuration will enforce rules that filter access and block malicious traffic while allowing legitimate traffic to pass.  This is all done in a way that keeps latency and slowdowns to a minimum, so it all appears transparent to the end user.

Though similar in nature, intrusion detection and prevention take a more advanced approach to server security.  This technology blocks malicious traffic right at the source, locking compromised hosts in a quarantine area, all while routing genuine user traffic quickly and efficiently.  If a firewall represents your first line of defense, then intrusion protection serves as your behind-enemy-lines mechanism.  This powerful combination allows you to shift your security posture from reactive to proactive.

Don’t Stop There

While the implementation of firewalls and intrusion protection makes a good first step, one should keep in mind that this isn’t a set-it-and-forget-it arrangement.  In order to stay ahead of the hackers, malware coders and corporate saboteurs, you must stay vigilant and keep your patches, blacklists, filters and other vital elements up to date.  Purchasing and installing a few security devices and applications can be viewed as the easy part.  Managing them efficiently is an entirely different story.

Because properly securing a dedicated server is cost-prohibitive for most small and medium-sized organizations, you may want to consider a managed service to help keep the intruders away.  Managed hosting is the often overlooked aspect of a dedicated server that could spell the difference between running a successful business or going down because of a major security breach.  If you are not sure where you stand on server security, consult your IT team or speak with a professional firm for guidance.

Category: Security Issues
Posted on Monday, Jul 20, 2009

Securing Your Business Website in Three Easy Steps

Whether it’s the local shopping market, airport or online, thieves are lurking and just waiting for you to make a critical mistake.  In fact, much of the internet community is in a state of panic as data theft is at an all-time high.  Credit card numbers, bank account information and identities are being stolen from companies who don’t know how to properly secure their website and transactions.  Assuming you don’t want to be the next victim, we have provided three simple tips to keep you one step ahead of the attackers.

1.) Make Use of Encryption

In order to protect the monetary transactions occurring on your site, you at least need to have an SSL certificate with no less than 128-bit encryption.  This security tool can be installed and managed by a third-party vendor such as VeriSign, or you can choose to handle the configuration yourself.  What SSL does is scramble the data being sent over the internet into a form that is unreadable to hackers.  Thus, when sales on your website are made, the financial details of your customers are encrypted, securely transmitted and then decrypted by your payment processor.  By placing an SSL certificate seal on your website, you can calm the nerves of consumers and encourage them to shop your store in confidence.

2.) Check Your Buyers

Although you don’t want to look as if you are suspicious of everyone, the prevalence of credit card payments increases the probability of a customer using someone else’s financial information without their knowledge or approval.  To minimize situations like this, you should check the identity of your customers.  This can be done by obtaining not only their name and credit card number, but also their home address, telephone numbers and the security code located on the back of the actual credit card.  By doing so, you can better ensure that the financial details submitted actually belong to the individual making the purchase.  If the card comes back as stolen, you could end up playing a role in helping authorities track down the criminal.

3.) Research Your Merchant

To ensure that financial information will not be stolen following the transaction, it is imperative that you run a thorough check of the merchant account provider processing your credit card payments.  You can start by reading reviews to learn if they have a history of fraud or security issues.  Don’t hesitate to speak to the company directly about the security measures they employ and most importantly, to make sure you are completely confident in their services.  If you have any doubts about the provider, follow your instinct and move on to the next option.

Security is a hot topic in seemingly every industry these days.  If you are using the internet as a medium for your business, these certainly are not times when you can just sit back and simply hope for the best.  Hackers and their attacking mechanisms grow more advanced every day, so it is critical that you take the appropriate actions to keep both you and your customers out of harm’s way.

Category: Security Issues
Posted on Friday, Jul 17, 2009

The Insecurity of Web Upload Forms

Convenience aside, allowing anonymous visitors to upload files to your site is pretty much like opening the gates and telling malicious users it is okay to compromise your server.  This puts you, the website owner, in a very tough position, considering that such permissions have become commonplace on today’s internet and have proven to increase business efficiency.

Having the ability to upload files is a regular occurrence on social networking sites such as Facebook, MySpace and Twitter, as well as blogs, forums and online banking sites.  This feature is also prevalent in corporate portals, as it allows end-users to share files with business employees.  In these environments, users are permitted to upload documents, pictures, music, videos and several other types of files.  The more functionality an end-user is provided with, the greater the probability of creating a vulnerable web application.  It is a known fact that many internet users abuse their privileges to gain access to a specific site or compromise a web server.

During recent tests, security experts have discovered that an alarming number of widely used web applications are not making use of secure upload forms.   According to their findings, many of these vulnerabilities were easily detected and exploited, allowing experts to gain full access to the file system on the web server hosting those applications.   Most of these vulnerabilities were the direct result of improper security configurations, essentially permitting intruders to roll right in.

Viable Solutions

Below is a list of practices you or your system administrator should enforce when file uploads are allowed to your website or web applications:

- Create an .htaccess file that only permits access to files with allowed extensions

- Do not put the .htaccess file in the same directory where the files uploaded by users will be stored.  This file should be stored in the parent directory, which your visitors do not have access to.

- A typical .htaccess file that only allows jpg, jpeg, gif and png files should include the following lines:

# Refuse everything by default, then re-allow only names made of word
# characters plus a single image extension (no second dot is possible,
# so a double extension such as "shell.php.jpg" stays blocked).
deny from all
<Files ~ "^\w+\.(gif|jpe?g|png)$">
order deny,allow
allow from all
</Files>

These lines can be adjusted to suit your own needs.  Editing the .htaccess file in this manner will not only ensure that only these file types are allowed, but also protect you from double extension attacks.

- If at all possible, make sure the files uploaded by users are placed in a directory outside of the web server’s document root.

- Do not allow existing files to be overwritten.  This will prevent exploits such as the .htaccess overwrite attack.

- Do not rely solely on client-side validation.  This is simply not enough to ensure an adequate level of security.  It is advisable to implement both client-side and server-side validation.
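As an added example that is not part of the original post, here is the server-side half of the advice above in Python: it applies the same name whitelist as the .htaccess rule, checks that the file content actually matches its extension, and refuses to overwrite anything already in the upload directory (which is assumed to sit outside the web root).  The function names, the signature table and the constructed sample data are assumptions for this illustration.

```python
import os
import re
import tempfile

# Mirror of the .htaccess whitelist: a stem of word characters plus one
# image extension. \w+ cannot contain a dot, so "shell.php.jpg" never
# matches, and ".htaccess" (no stem) is rejected too.
ALLOWED_NAME = re.compile(r"^\w+\.(gif|jpe?g|png)$")

# Leading bytes each permitted format must start with (assumed check).
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}


def validate_upload(filename, data):
    """Return None if the upload is acceptable, otherwise the reason it was rejected."""
    name = os.path.basename(filename)  # discard any path the client supplied
    match = ALLOWED_NAME.match(name)
    if match is None:
        return "name not in whitelist"
    if not data.startswith(MAGIC[match.group(1)]):
        return "content does not match extension"
    return None


def store_upload(filename, data, upload_dir):
    """Write a validated upload into upload_dir (meant to live outside the
    web root) without ever overwriting an existing file."""
    reason = validate_upload(filename, data)
    if reason is not None:
        raise ValueError(reason)
    dest = os.path.join(upload_dir, os.path.basename(filename))
    # O_EXCL makes creation fail atomically when the name already exists.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return dest


def overwrite_is_refused():
    """Store the same constructed GIF twice; True if the second attempt fails."""
    upload_dir = tempfile.mkdtemp()  # stand-in for the out-of-root directory
    sample = b"GIF89a" + b"\x00" * 6  # constructed minimal GIF header
    store_upload("photo.gif", sample, upload_dir)
    try:
        store_upload("photo.gif", sample, upload_dir)
    except FileExistsError:
        return True
    return False
```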

Conclusion

There are several ways a malicious user can bypass the security configurations applied to a file upload form.  When incorporating such a feature into your web applications, you should make it a priority to follow the best security practices and put them to the test on a regular basis.  While this requires a considerable amount of security expertise, it is worth every bit of time to make sure your website is protected.

Category: Security Issues
Posted on Monday, Jun 22, 2009

The Need for PCI Compliant Hosting

More web hosting providers are offering services that provide customers with the help they need to achieve PCI (Payment Card Industry) compliance.  Achieving compliance requires the use of numerous security tools and policies to meet the standards that apply to any business that accepts, processes and stores credit card information.  Those who do not adhere to these requirements are subject to penalties and may eventually lose their privileges to accept credit card payments, which is the most common method of payment on the web.  If you sell products or services online, investing in a PCI compliant hosting solution may be worthy of your consideration.

Though PCI standards were introduced to protect consumer information and ensure integrity across various industries, they have also introduced a new level of frustration for the smaller business that needs to sell products or services online but doesn’t possess the resources to meet compliance.  There is a lot that goes into protecting sensitive card data and, unfortunately, one too many organizations are not equipped to provide this protection.  Every day, companies are scrambling to gather the necessary resources to not only fend off attackers, but also keep the government out of their business.  Difficulties aside, PCI compliance is needed as threats are growing rapidly in both number and sophistication.

PCI-Friendly Hosting Features

Achieving compliance requires a multitude of security components.  Some of the essentials include:

Malware Protection – Malicious software such as viruses, worms, Trojans and keyloggers pose a direct threat to card data stored on any computer or web server.  Businesses are strongly advised to keep their systems protected with reliable solutions capable of detecting and eradicating the latest malware programs.

Firewall – A firewall provides an organization with the ability to control inbound and outbound traffic going to and from the system.  With the right configurations, it can halt malicious traffic and also help to prevent basic hacking attacks.

Intrusion Detection – Though very effective, a firewall can only do so much.  An intrusion detection system enables PCI compliance by detecting the presence of malicious activities that pose a potential threat to card data resting on the system.

Network Monitoring – Even with all the right security mechanisms, card data can still be at risk due to a wide range of circumstances.  These could be related to hardware failure or a problem with a backbone provider.  Network monitoring allows companies to stay one step ahead of such issues by watching over the network and reporting its status to system administrators.

SSL Certificate System – SSL (Secure Sockets Layer) is a must-have security feature for any business that sells goods or services over the internet.  Credit card data is in jeopardy whenever transactions are made on any website that isn’t protected.  With an SSL certificate, businesses can protect sensitive information, as the protocol creates an encrypted tunnel through which credit card details travel.

Not all hosting providers make the commitment to aid in PCI compliance but more are getting onboard with the concept.  Those who are should be commended for their efforts to aid in business-friendly solutions that take the stress out of meeting these demanding standards.

Category: Security Issues
Posted on Friday, May 29, 2009
