Archive for the 'Security Issues' Category

Understanding Permission Types for Website Security

If you are running a website on a Unix or Linux server, it is important to know that many of your files and directories must have the right permissions in order to function properly.  On Unix-like platforms, the operation that sets permissions is known as change mode, or simply CHMOD.  While you certainly want the files and directories of your website to work properly, it is just as important to set the right permissions for security purposes.

CHMOD Permission Types

There are three types of permission in the Unix environment: Read, Write and Execute.  Below is an explanation of what each type of access means:

Read – This permission allows a file to be read.  When applied to a directory, it allows the names of the files in that directory to be listed.  However, it does not disclose the type, size, permissions or any other information about those files.

Write – This permission allows a file to be modified.  When applied to a directory, it allows the contents of that directory to be modified, which includes creating, renaming and deleting files.

Execute – This permission allows a file to be executed.  It must be set on shell scripts and executable binaries for the underlying operating system to run them.  When applied to a directory, it allows the files and subdirectories inside it to be accessed, but not listed.  The contents of a directory can only be listed if that directory is also set to read.

CHMOD User Types

The above permissions apply to three classes of users: User, Group and Other.  The User is the owner of the file and has complete control over it.  The Group is the group of users that owns the file.  This class is useful for a website that has a group of people working on a project: you can give access to those users while restricting it from everyone else.  Other refers to anyone who neither owns the file nor belongs to the group associated with it.  Whatever permission you set for this class automatically applies to everyone else, which is why Other is often referred to as “the rest of the world”.

Defaults and Warnings

Files on a Unix server are usually set to 644 by default.  This means that the owner of the file can read and write to it, while everyone else has read access only.  Directories in the Unix environment are usually set to 755, which means that the owner has complete authority over the directory while everyone else can only read and execute it.  One setting you definitely want to be careful with is CHMOD 777.  With it, anyone will have the ability to read, write and execute your files or directories.  This is equivalent to leaving your website open to the world and makes it easy for hackers to compromise.
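The following script is an added example, not part of the original post: it decodes an octal mode into the Read/Write/Execute bits for User, Group and Other exactly as described above, and then audits a constructed web root (created in a temporary directory with 644, 755, 666 and 777 entries) for anything writable by “the rest of the world”.  The directory layout and file names are assumptions made for the demonstration; it relies only on the Python standard library on a Unix-like filesystem.

```python
import os
import stat
import tempfile
from pathlib import Path

# Permission classes in the order they appear in an octal mode: user, group, other.
CLASSES = ("user", "group", "other")


def describe_mode(mode: int) -> dict:
    """Map each class to its rwx triplet, decoded from the low nine bits of `mode`.

    Read = 4, Write = 2, Execute = 1; each class occupies three bits.
    """
    out = {}
    for i, cls in enumerate(CLASSES):
        bits = (mode >> (6 - 3 * i)) & 0o7
        out[cls] = (
            ("r" if bits & 4 else "-")
            + ("w" if bits & 2 else "-")
            + ("x" if bits & 1 else "-")
        )
    return out


def symbolic(mode: int) -> str:
    """Octal mode -> the nine-character string `ls -l` prints, e.g. 0o644 -> 'rw-r--r--'."""
    d = describe_mode(mode)
    return d["user"] + d["group"] + d["other"]


def audit_tree(root) -> list:
    """Walk `root` and report every file or directory that is writable by Other.

    Returns (path relative to root, octal mode, kind) tuples. Symbolic links are
    skipped because their own mode bits do not govern access to the target.
    Shell equivalent: find <root> -perm -o=w
    """
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            continue
        perm = stat.S_IMODE(st.st_mode)
        if perm & stat.S_IWOTH:  # the "w" bit of the Other class
            kind = "directory" if stat.S_ISDIR(st.st_mode) else "file"
            findings.append((path.relative_to(root).as_posix(), oct(perm), kind))
    return findings


def demo() -> list:
    """Build a constructed web root with the modes discussed above and audit it.

    Assumes a Unix-like filesystem where os.chmod sets the full mode.
    """
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"  # hypothetical web root
        site.mkdir()
        (site / "index.html").write_text("<h1>hello</h1>")
        (site / "uploads").mkdir()
        (site / "cache.txt").write_text("")
        os.chmod(site, 0o755)                  # usual default for a directory
        os.chmod(site / "index.html", 0o644)   # usual default for a file
        os.chmod(site / "uploads", 0o777)      # the setting the post warns about
        os.chmod(site / "cache.txt", 0o666)    # world-writable file
        return audit_tree(tmp)


if __name__ == "__main__":
    for m in (0o644, 0o755, 0o777):
        print(oct(m), symbolic(m), describe_mode(m))
    for rel, mode, kind in demo():
        print(f"world-writable {kind}: {rel} ({mode})")
```

Running it lists `rw-r--r--`, `rwxr-xr-x` and `rwxrwxrwx` for the three modes and flags only `uploads` and `cache.txt`; pointing `audit_tree` at a real document root gives the same report as `find -perm -o=w`, which is the quickest way to spot a stray 777.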

CHMOD Tools

While a shell prompt can be used to set permissions, many website owners take the easier route of using an FTP client.  The CHMOD option can usually be reached through the menus, or by hovering the mouse over a file or directory and choosing the appropriate option; exactly how depends on the FTP software.  In most cases, you simply tick the boxes in the properties dialog, or enter the corresponding permission number in the text box provided.

Category: Security Issues
Posted on Wednesday, Dec 23, 2009

The Top 3 Web Hosting Security Issues

Security is by far one of the most important factors to consider when choosing a web host.  With so many possible threats online, it is not as hard as one might think for a security lapse to occur.  Security is not something that should be taken lightly by the consumer or the web host, as there are several threats that could result in serious financial turmoil.  The following are three threats in particular that are becoming increasingly common and that are responsible for a large portion of the security issues involved with web hosting.

Credit Card Fraud

The internet is a massive virtual marketplace, swarming with merchants, customers, and people who would like to take advantage of both.  The people looking to exploit any security fault they can find are commonly referred to as “hackers.”  Hackers see the web as an opportunity to prey on the weaknesses of other individuals and companies.  A vulnerable website makes an ideal target for them, especially if it is engaged in daily e-commerce.  Many of them have access to highly advanced applications that can tell them whether there are any “loopholes” they can exploit.  Any online store they find with a single security lapse becomes a feeding ground for them, resulting in thousands of dollars stolen from your customers’ credit cards.  Once the hacker has your customers’ credit card details, the situation becomes progressively worse.  Of course, the customer is going to be inclined to believe that you are the thief, and they will not want to accept that you are actually the victim.  This kind of situation can result in lawsuits, and even the loss of your online business!

Bot Rings

Then there is the possibility of a horrid “DDoS attack.”  DDoS stands for “Distributed Denial of Service.”  A DDoS attack is a security exploit that is normally employed by criminals who are members of, or have control of, “botnets.”  A bot ring is a group of hackers, or of programmed computers, set up to carry out a specific task.  A DDoS attack is executed by a botnet that continually floods the network with requests.  As the network is flooded, it slows down until traffic ultimately screeches to a halt.  Even though the DDoS attack is one of the oldest online security exploits, it is still extremely difficult to prevent because of its organic and seemingly genuine nature.  Once the server’s traffic has been affected, the hacker then takes control of the server, using it as a puppet to find other vulnerable servers.  Once the hacker has gained control over several servers, they begin their attack on the target of their choice.  To prevent your business from becoming a victim of one of these attacks, make sure you discuss this threat with any prospective web hosts, so you can be sure they are aware of it.

Malicious Software

Then there are the threats that pose a virtual risk to the web hosting providers themselves.  Hackers may attempt to attack a web host’s server or network with a malicious application designed to retrieve crucial information.  This malicious software is called “malware” (a combination of the two words).  While servers generally have more stringent security measures in place, they are still susceptible to the same threats that a personal computer may face.  You can avoid these kinds of security lapses by ensuring that your prospective host takes the proper precautions to defend against all forms of malware.  Do not be afraid to ask questions beforehand about the security measures they have in place.  It is important to remember that once the web host’s server is compromised by malware, every bit of information on the server can be accessed, including your web site’s financial data.

Category: Security Issues
Posted on Tuesday, Dec 15, 2009

SSL vs. TLS: Which Provides the Best Protection?

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are two security protocols that provide encryption and authentication between applications whose data travels over an insecure network such as the internet.  While the terms are often used interchangeably, one is actually the successor of the other.  In fact, SSL 3.0 laid the foundation for the first version of TLS, which is why it is sometimes called SSL 3.1.  Let’s take a closer look at these protocols to see whether one is better than the other.

Similarities and Differences

SSL and TLS differ enough that they are not interoperable with one another.  However, they are essentially equal in terms of the level of security they provide.  For instance, both can ensure that your data is protected with reliable encryption when traveling over the internet.  They also make sure the server you are communicating with is the one you intended to contact and not a middle man eavesdropping on your transactions.  This is because any server with SSL or TLS installed must also be equipped with a certificate issued by a third-party CA (Certificate Authority) such as Thawte or Verisign.  The certificate essentially verifies that the website actually belongs to the domain name owner and server.

The main difference between the two protocols is that an SSL connection starts out by applying security and then proceeds into secured communications, while a TLS connection does not.  TLS actually begins with an insecure “hello” to the server, and only proceeds into secured communications after a successful handshake between the client and server.  Should the handshake fail for any reason, TLS will not create a connection of any sort.  Despite this significant difference, SSL and TLS are both fine options for security; you really can’t go wrong with either.
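The two points above (the server must present a certificate the client can verify, and a failed handshake leaves no connection at all) can be seen from the client side with the Python standard library.  This is an added example, not code from the original post: it builds a client context that requires a CA-issued certificate matching the requested hostname and refuses anything older than TLS 1.2, then starts a constructed loopback server that answers with a plaintext banner instead of a TLS handshake and shows that the client abandons the connection rather than falling back to cleartext.  The hostname `example.invalid` and the banner text are assumptions for the demonstration.

```python
import socket
import ssl
import threading


def make_client_context() -> ssl.SSLContext:
    """Client-side context: verify the server's certificate against the platform's
    trusted CAs, check that it matches the hostname we asked for, and refuse to
    negotiate anything older than TLS 1.2 (so SSL 2.0/3.0 and TLS 1.0/1.1 are out)."""
    ctx = ssl.create_default_context()  # sets CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_policy(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings that decide whether a server will be trusted."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def handshake_against_plaintext_server() -> str:
    """Start a loopback server (constructed for this example) that replies with a
    plaintext banner instead of a TLS ServerHello, then attempt a TLS connection
    to it.  Returns what the client observed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port on loopback only
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        try:
            conn.recv(4096)  # consume the client's ClientHello
            conn.sendall(b"220 plaintext service ready\r\n")  # not a TLS record
        finally:
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    raw = socket.create_connection(("127.0.0.1", port), timeout=5)
    try:
        # wrap_socket runs the handshake immediately.  If it fails, no TLS
        # session exists and the client never sends application data.
        with make_client_context().wrap_socket(raw, server_hostname="example.invalid") as tls:
            return "connected: " + str(tls.version())
    except ssl.SSLError:
        return "handshake_failed"
    finally:
        listener.close()


if __name__ == "__main__":
    print(context_policy(make_client_context()))
    print(handshake_against_plaintext_server())
```

The same context, used against a real server, rejects a self-signed or expired certificate and a certificate for a different name, which is how the "middle man" case is caught; the handshake-failure branch is the behaviour the post describes, where TLS simply refuses rather than downgrading.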

The TLS Advantage

There are reasons to choose TLS over SSL, and the most significant relates to how it was developed.  TLS is based on open community standards, which makes it far more extensible and more likely to be supported in the future.  Perhaps the most distinctive advantage of TLS is that it is backwards compatible, which means it can be scaled down to secure client-side connections that only support SSL.  Another distinct benefit is that TLS permits secure and insecure connections over a single port, while SSL designates one port for secure connections only.  Even this factor does not make either any more or less secure than the other.

When it comes to SSL or TLS, what you need to know is that without either, the communications between you and another server become a party line for eavesdroppers and cyber criminals.  The data in your email, login screens and even financial transactions will be delivered across the net in plaintext for all to see.  In addition, there will be no way to ensure that the server you connect to is valid and not just an interloper or middle man setting you up for a fall.  Therefore, it would be wise to adopt either of these protocols to keep your communications private.

Category: Security Issues
Posted on Monday, Nov 30, 2009

Authentication Hacking: Is Your Site Vulnerable?

Authentication plays an important part in securing a website and its applications.  It works by verifying a user’s identity and then either denying access or granting specific privileges on the system, based on the username and password the user enters checked against the established credentials.  Though it adds an extra layer of protection, authentication is quite vulnerable to exploitation.  In most cases, this type of attack does not originate from a security hole in the web server or operating system software; it targets weak passwords and vulnerable areas of the network itself.

By successfully hacking the authentication session, an attacker can log into the system as a known and valid user, which gives them whatever privileges the victimized user has been assigned by the administrator.  This means that the intruder could have access only to certain information, or global access across the entire system; the latter could give them control of the application or website itself.  At this point, the attacker can stir up a lot of trouble.

Tools of the Trade

Most attackers attempt to gain access via the application’s login screen, which requests a username and password to enter the system.  This requires them to match a set of login credentials that the application recognizes as valid, ideally one with the highest level of privileges in the system.  While it is not the most sophisticated attack, password cracking can prove to be one of the most effective methods a hacker uses to cripple an authentication scheme.  This common technique can be carried out manually or automatically with special software, which makes guessing the password much easier.

If the attacker has no success at guessing passwords, their next step usually involves automated tools such as Brutus and WebCracker, which unfortunately are widely available on the web.  These applications are designed to defeat authentication and penetrate the target system using a list of predefined usernames and passwords.  They are best known for employing dictionary attacks and brute force.  As the name implies, a dictionary attack uses a pre-formulated list of common words from a dictionary to compromise web applications, trying thousands of combinations to determine the correct username and password.  Brute force is a technique for breaking a cryptographic scheme by systematically trying a large number of, and sometimes all, possible keys to decrypt an encrypted password.  Both have proven to be very effective at guessing weak passwords and bypassing authentication.

Prevention and Protection

Stopping an authentication attack can be very difficult, especially when factoring in all the sophisticated hacking techniques and tools on the black market.  Fortunately, there is a way to test the strength and overall effectiveness of your authentication methods.  One of the most reliable is authentication testing, a feature commonly found in web vulnerability scanners.  These applications are generally easy to use and can be configured to automatically test all the applications within your site that require authentication.  Furthermore, most also scan for other common exploits such as SQL injection, cross-site scripting and cross-site request forgery.
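Scanners tell you whether a login form can be attacked; your own logs tell you whether it is being attacked.  The script below is an added example, not part of the original post or of any scanner: it runs two simple detections over a constructed login log, flagging a burst of failures from one source within a short window (the brute-force and dictionary pattern described above) and a single source cycling through many different usernames within a longer window.  The log format, the thresholds and the addresses (taken from the documentation ranges reserved by RFC 5737) are all assumptions for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: "<ISO timestamp> LOGIN_<OK|FAIL> user=<name> src=<ip>".
# 203.0.113.7 hammers one account; 203.0.113.9 tries a different name each time.
SAMPLE_LOG = """\
2009-11-26T10:00:01 LOGIN_OK user=alice src=198.51.100.20
2009-11-26T10:00:05 LOGIN_FAIL user=admin src=203.0.113.7
2009-11-26T10:00:06 LOGIN_FAIL user=admin src=203.0.113.7
2009-11-26T10:00:07 LOGIN_FAIL user=admin src=203.0.113.7
2009-11-26T10:00:08 LOGIN_FAIL user=admin src=203.0.113.7
2009-11-26T10:00:09 LOGIN_FAIL user=admin src=203.0.113.7
2009-11-26T10:00:10 LOGIN_FAIL user=admin src=203.0.113.7
2009-11-26T10:00:12 LOGIN_FAIL user=bob src=198.51.100.20
2009-11-26T10:00:20 LOGIN_OK user=bob src=198.51.100.20
2009-11-26T10:01:00 LOGIN_FAIL user=root src=203.0.113.9
2009-11-26T10:01:02 LOGIN_FAIL user=webmaster src=203.0.113.9
2009-11-26T10:01:04 LOGIN_FAIL user=test src=203.0.113.9
2009-11-26T10:01:06 LOGIN_FAIL user=guest src=203.0.113.9
2009-11-26T10:03:00 LOGIN_FAIL user=info src=203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN_(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Return (timestamp, result, user, src) or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def detect(log_text: str, window=60, threshold=5, spray_window=600, spray_users=4) -> list:
    """Scan login events and raise at most one alert per (type, source).

    burst: >= `threshold` failures from one source within `window` seconds.
    spray: >= `spray_users` distinct usernames failing from one source
           within `spray_window` seconds (one guess per account, many accounts).
    """
    burst_q = defaultdict(deque)   # src -> timestamps of recent failures
    spray_q = defaultdict(deque)   # src -> (timestamp, user) of recent failures
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event[1] != "FAIL":
            continue
        ts, _, user, src = event

        q = burst_q[src]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window:   # slide the window
            q.popleft()
        if len(q) >= threshold and ("burst", src) not in alerted:
            alerted.add(("burst", src))
            alerts.append({"type": "burst", "src": src, "failures": len(q),
                           "at": ts.isoformat()})

        sq = spray_q[src]
        sq.append((ts, user))
        while sq and (ts - sq[0][0]).total_seconds() > spray_window:
            sq.popleft()
        users = {u for _, u in sq}
        if len(users) >= spray_users and ("spray", src) not in alerted:
            alerted.add(("spray", src))
            alerts.append({"type": "spray", "src": src, "distinct_users": len(users),
                           "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log this produces one burst alert for 203.0.113.7 at the fifth failure and one spray alert for 203.0.113.9 once four different usernames have failed; the legitimate user who mistypes once is never flagged.  The alerts are the natural input to a throttle or temporary lockout on the offending source, which blunts both dictionary and brute-force tools far more than any password complexity rule on its own.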

Category: Security Issues
Posted on Thursday, Nov 26, 2009

Securing FTP Connections

File Transfer Protocol, or simply FTP, is a feature that has become very popular in the web hosting market.  FTP offers capabilities that email can’t touch, allowing you to transfer large files over the internet from one computer to another.  Regardless of size or file type, as long as you have access to an FTP server and client, you can upload your files to the web and share them with others.  Although FTP is more efficient and secure than HTTP, it is quite vulnerable in its purest form.  However, there are a few security protocols that exist to make sure this is not the case.  Here is a brief overview:

SSL

SSL (Secure Sockets Layer) has become a critical security tool due to the prevalence of e-commerce and online business.  Designed to ensure privacy for communications made over the internet, SSL can provide excellent security for an FTP connection.  Secure Sockets Layer is a protocol that utilizes symmetric cryptography to encrypt data and maintain the utmost privacy.  All messages transferred over the internet are sent as ciphertext, which is essentially unreadable characters that prevent unauthorized parties from viewing the contents of the file.  One of the best qualities of SSL is that it offers an extensible framework that allows you to incorporate other encryption schemes for an added layer of protection.

TLS

TLS (Transport Layer Security) is another encryption-based security protocol used to ensure data integrity and privacy between two computers communicating over the internet.  This protocol consists of two components: TLS Record Protocol and TLS Handshake Protocol, both of which ensure privacy during internet-based communications in their own unique way.  Just like SSL, it is highly extensible and supports the incorporation of new encryption methods in the framework.  However, TLS is the successor to SSL and thus often considered to be slightly more secure.

SSH

SSH (Secure Shell) is a security protocol that provides encrypted channels for internet communications.  It is often used to protect commands executed on a remote computer, which makes it well suited to FTP.  With SSH, you can create an encrypted tunnel between your computer and your users’ computers and protect the information passing through it from unauthorized third parties.  Because of its efficiency and dependability, many FTP hosting service providers use SSH to give customers the maximum protection for their file transfer needs.

If you would like to benefit from all that File Transfer Protocol has to offer, keep in mind that FTP alone does not protect the files you transfer over the internet.  FTP itself has no encryption features and therefore provides little to no security at all.  For this reason, you should strongly consider a solution that offers SFTP, or secure FTP.  This type of service is normally protected by way of SSH, and it offers the best of all the security solutions mentioned in this article: strong digital encryption designed to keep sensitive information from prying eyes.

Category: Security Issues
Posted on Tuesday, Nov 24, 2009
