By successfully hacking the authentication session, an attacker can log into the system as a known and valid user, which provides them with whatever privileges the victimized user has been assigned by the administrator.  This means that the intruder could only have access to certain information, or global access across the entire system, the latter of which could possibly give them control of the application or website itself.  At this point, the attacker can stir up a lot of trouble.

Tools of the Trade

Most attackers attempt to gain access via the application’s login screen that requests a username and password to enter the system.  This calls for them to match the correct login credentials that application recognizes as valid and hopefully has the highest level of privileges in the system.  While this is not the most sophisticated attack, password cracking can prove to be one of the most effective methods a hacker uses to cripple an authentication scheme.  This common technique can be executed manually or automatically with special software, which makes guessing the password much easier.

If the attacker has no success at password guessing, their next step usually involves automated tools such as Brutus and WebCracker, which unfortunately, are widely available on the web.  These custom applications are designed to defeat authentication and penetrate the target system using a list of predefined usernames and passwords.  However, they are best known for employing dictionary attacks and brute force.  Hence the name, a dictionary attack utilizes a pre-formulated list of common words in a dictionary to compromise web applications, trying thousands of combinations to determine the correct username and password.  Brute force is a technique used to break a cryptographic scheme by consistently trying a large number and  sometimes all, possible keys to decrypt an encrypted password.  Both have proven to be very effective at guessing weak passwords and bypassing authentication.

Prevention and Protection

Stopping an authentication attack can be very difficult.  Especially when factoring in all the sophisticated hacking techniques and tools on the black market.  Fortunately, there is a way to test the strength and overall effectiveness of your authentication methods.  One of the most reliable is authentication testing, a feature commonly found in web vulnerability scanners.  These applications are generally easy to use and configure for automatically testing all the applications within your site that require authentication.  Furthermore, most also scan for other common exploits such as SQL injection, cross site scripting and cross site forgery.

Related posts:

• December 29, 2008 – Browsers Aiding in Website Attacks
• October 16, 2009 – Major Threats to Business Website Security
• January 13, 2009 – How to Find Secure Shared Hosting
• March 18, 2011 – Securing Windows for Web Hosting Safety
• June 28, 2010 – Shared Hosting and Site Downtime
• May 5, 2010 – Healthy Website Security Practices
• February 1, 2010 – False User Authentication: A Common Hacking Tactic
• December 30, 2009 – Five Simple Website Safety Tips
• July 20, 2009 – Hack-Proofing Your Dedicated Server
• April 14, 2009 – Is Your Business Website Secure?

In May 2007, more than 90,000 sites were compromised by hackers, a large scale exploit designed to illegally install malicious code on the computers of visitors who clicked on seemingly harmless search results.  A StopBadware study showed that an estimated 10% of those compromised sites were maintained by one hosting firm in particular, which accounted for 250,000 infectious websites.  This is just one of many examples that prove no website is ever as safe as we might think.

Common Threats to Business Websites

Hackers employ several methods and tricks to exploit websites.  Below we will focus on three that are most commonly used to attack business sites: SQL injection, cross site scripting and CRLF injection.

SQL Injection

SQL injection is by far one of the most popular website attacks employed today.  This technique primarily works by sending false or malicious requests to a back-end database to manipulate the information it contains.  By doing so, the attacker can view whatever information is stored in the database, change it, or erase it completely.  Most websites would not exist without the presence of databases but unfortunately, any site that features shopping carts, search fields, and any type of web form is susceptible to SQL injection.  The fields that require interaction from your visitors and customers could open up the door a hacker needs to thieve sensitive data and destroy your company.

Cross Site Scripting

Cross site scripting is another common attack that exploits holes in dynamic websites.  Dynamic pages can allow an attacker to insert malicious code and trick an end-user into running a harmful script on their computer.  If the user executes the code, the hacker could gain access to all of the sensitive information on their local machine.  Cross site scripting takes advantage of numerous programming technologies including Active X, Flash, Javascript and VBScript.

CLRF Injection

Unlike most exploits, CLRF injection does not take advantage of security vulnerabilities in the operating system or web software.  Instead, it exploits the manner in which the application was scripted.  For instance, an attacker can insert a statement into a web form along with code from CR (Carriage Return) and LF (Line Feed) characters.  The chance for exploit arises when the application mistakes this injection for a CLRF used in the initial development stage.  This attack is very dangerous as it has the power to disable an entire website.

This article is not aimed to make you a website security expert, but make you aware that security for your business site should be equally important as your local machines.  To assume that your business will never be exploited only exposes you to unnecessary risks that could put you out of commission effective immediately.

Related posts:

• January 13, 2009 – How to Find Secure Shared Hosting
• May 5, 2010 – Healthy Website Security Practices
• February 8, 2010 – Website Security – 4 Ways to Secure Your Website
• January 20, 2010 – Maintaining Website Security for Customer Satisfaction
• January 15, 2010 – Website Security: Avoiding Downtime That Results in Loss of Profit
• November 26, 2009 – Authentication Hacking: Is Your Site Vulnerable?
• August 19, 2009 – Three Simple Tips for Protecting Your Site
• December 29, 2008 – Browsers Aiding in Website Attacks
• April 25, 2011 – Bux4Real Attacked by Hackers
• December 20, 2010 – The Eternal Battle – Beware of the Attackers!

The major issue with shared hosting has always been the same – the availability of security and the fact that this platform can only be so secure.  Without adequate protection, the web host’s server is vulnerable to a wide range of threats including DDoS attacks, malware infection and network intrusion.  You could also be exposed to attacks such as SQL injection, cross site scripting and even the malicious actions of your neighbors on the server.  When your hosting environment isn’t properly secured, you stand the risk of losing the most sensitive of information.

Security is definitely an issue in the shared hosting environment, one that could make the low cost an uneven trade.  The good thing is that several web hosting providers are aware of these vulnerabilities and they are taking the necessary approaches to deliver a secure service.  When looking for a company to host your site, we recommend keeping the following security considerations in mind.

Protection from Thy Neighbor

When assessing the security of a particular web host, you must not only analyze the protection offered against outside threats, but security that keeps you protected against other website owners on the server.  You never know who you’re sharing the server with, as they could be into dealing porn, distributing spam or malicious software.  A few of your next door neighbors just might be prolific computer hackers.  To keep yourself protected in this regard, you should make sure the provider doesn’t allow any unsolicited code to be executed or access to your directories.

Clean Code

One of the biggest threats to your website lies in the code used to build your applications.  When they are not properly scripted, intruders can use them as an entrance to your data and reap major havoc.  You can minimize the possibility of common website exploits by ensuring that the web hosting company offers the latest in development tools whether its PHP and MySQL or ASP and MS Access.  Most importantly, it is up to you to make sure you are coding your applications and web pages in a secure manner.

Security Features

There are also a number of features that will give you an idea of how secure a particular web hosting platform is.  This includes protection for the actual server such as software that defends against DDoS attacks and viruses as well firewalls and network intrusion systems to fend off hackers.  If your site is to involve online business transactions, you will also require SSL support to protect your customers’ credit card information.  When making sure all the vital security issues are addressed, you can better your chances of enjoying a smooth run in the shared hosting environment.

Related posts:

• October 16, 2009 – Major Threats to Business Website Security
• May 7, 2009 – Protect Your Site From Maliciously Activities
• December 14, 2011 – Avira Antivirus Features
• November 17, 2011 – Clickjacking: What is it and How You Can Protect Yourself?
• July 29, 2011 – Is SSL Essential for eCommerce Sites?
• July 21, 2011 – How to Combat a DDoS Attack
• April 13, 2011 – Using Captcha Scripts to Prevent Spam
• March 2, 2011 – The Release of the February 2011 Email Security Report
• August 4, 2010 – Top Five Drawbacks to Shared Hosting Services
• December 15, 2009 – The Top 3 Web Hosting Security Issues

Despite the fact that several improvements have been made, none of the top web browsers are completely secure.  Because of this, many web security experts are projecting that website attacks will continue to be an issue.  The combination of enhanced functionality and the lack of adequate security implementations have left a number of browsers vulnerable to sophisticated attacks.  Some researchers are saying that the increasing number of exploits is the direct result of Web 2.0 technologies and advanced web hosting features.

Evolution in Technology Opens Doors to Further Threats

Things were fairly innocent in the early days of the internet when static pages were prevalent, before technologies such as JavaScript and Active X came into play.  Today’s World Wide Web is dominated by dynamic web-based applications and complex server-side scripting languages, factors that enable browsers to be used in various ways to exploit websites.  Gary McGraw of Cigital, a software security company, agrees that these feature-rich designs have made browsers far less secure, stating that they are structured more like complete operating systems.

This past September Google released Chrome, its new web browser which was immediately faced with stiff competition in the form of Microsoft Internet Explorer, Mozilla Firefox, Apple Safari and Opera.  While internet users have a wide variety of browsers to choose from, the options are still limited in terms of security, including Chrome.  Experts contend that the browser war of who can out do one another in the feature department is what ultimately leads to these security vulnerabilities.

Though quite serious, the security issues associated with today’s popular web browsers are not attributed to a lack of effort.  Some say that developers are doing all they can but when considering the fact that website attacks such as cross site scripting and cross site request forgery are typically the result of design, these flaws tend to be much harder to fix than bugs found in software code.  Observers suggest that the vulnerabilities are not going to disappear entirely but do stress that browser developers can do more to enhance security.

In general, development teams only have a little time to address browser vulnerabilities before the hacker community is able to discover them.  Developers are being encouraged to practice browser security just like those who make other software products.  This is extremely important as the major web browsers literally have hundred of millions of users.  One solid approach towards website security is standardized authentication, something that would need to be addressed by system administrators.  Another recommendation is for browser developers to design products that alert users when they are being directed to intranet zones such as localhost or RFC1918 as attackers are increasingly targeting internal devices.  Security firms have also predicted that the manner in which data is handled when requests are made between a browser and website should play a critical part in future designs.

Related posts:

• November 26, 2009 – Authentication Hacking: Is Your Site Vulnerable?
• December 6, 2011 – Comparing The Best Web Browsers
• May 30, 2011 – Google Chrome Browser Cracked
• October 16, 2009 – Major Threats to Business Website Security
• April 9, 2009 – Cross Site Scripting: The Underestimated Website Attack
• January 13, 2009 – How to Find Secure Shared Hosting
• October 20, 2011 – Google Dart – Ready or not, a new Language Arrives
• June 28, 2010 – Shared Hosting and Site Downtime
• February 1, 2010 – False User Authentication: A Common Hacking Tactic
• December 30, 2009 – Five Simple Website Safety Tips