Tag Archive 'exploit'

Use Captcha To Keep Spammers At Bay

One of the first and most annoying things that can happen to a new web site owner is being blasted with spam.  There is a dilemma presented when wanting to have potential customers or clients contact you or your company.  Either your email has to be publicly posted or you will need to enable a form to allow quick and easy contact.  When you do implement either choice, spammers will come and they will do as much damage as is possible.

Email link – bad idea

The first thing that should be done is to toss out the idea of publicly placing your email address in any form that can be clicked as a link. Using a linked email address publicly is an open invitation to spammers. Nothing can be more unpleasant than having to start off your business day wading through hundreds upon hundreds of spam messages in your email in-box. If you must use this route, simply place your email in text only – this will make it harder for a potential spammer as they will have to manually copy and paste your address into any email. Inconvenience is the bane of the spammer.

Contact form – can be attacked

If you’ve decided to place a contact form anywhere within your web site, you’ll want to enable some type of security to ensure that an actual human is utilizing the form.  This sounds simple enough because, after all, the purpose of the form is to gather human information.  However, most email forms have a standard “name”, “email”,  “subject”, “content” style to them that is easily recognized and exploited by spammers.  Using this standard information, spammers use automated systems to attack a contact form – computer to computer.  What can stump them is requiring something that only a human can input or answer and that isn’t part of the standard email form.  This is where Captcha comes in.

Contact form with Captcha – better idea

Captcha is a type of test that is used to ensure human interaction.  The premise behind Captcha is that computers should not be able to solve something that requires human input.  The very early implementations of Captcha were simple generations of a word or series of letters with some small amount of warping.  However, spammers quickly adjusted to this warping and this initial Captcha implementation had to be abandoned.  Modern Captcha uses two to three regular words that are segmented and have lines through the words making it much more difficult to automatically guess via a computer system.

This all comes down to a small bit of either PHP or JavaScript that is placed within your form before the submit button code. After filling out the rest of the form, a user must then enter the correct words generated by the Captcha code. You can set the form to lock out a user after a certain number of errors, thus staving off the possible attack of spammers for yet another day.
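The check-and-lockout behaviour described above, as an added server-side sketch that is not code from the original article. The names `issueChallenge` and `verifySubmission`, the in-memory maps, and the threshold and lockout window are all assumptions made for illustration.

```javascript
const crypto = require("crypto");

const MAX_FAILURES = 3;            // assumed threshold; the article gives no number
const LOCKOUT_MS = 15 * 60 * 1000; // assumed lockout window

const challenges = new Map(); // challengeId -> expected answer (kept server-side)
const failures = new Map();   // clientKey -> { count, lockedUntil }

// Store the expected words on the server; only the opaque id goes into the form.
function issueChallenge(answer) {
  const id = crypto.randomBytes(16).toString("hex");
  challenges.set(id, answer.trim().toLowerCase());
  return id;
}

// Compare fixed-length digests so timingSafeEqual never sees unequal lengths.
function sameText(a, b) {
  const ha = crypto.createHash("sha256").update(a).digest();
  const hb = crypto.createHash("sha256").update(b).digest();
  return crypto.timingSafeEqual(ha, hb);
}

function verifySubmission(clientKey, challengeId, typed, now = Date.now()) {
  const state = failures.get(clientKey) || { count: 0, lockedUntil: 0 };
  if (now < state.lockedUntil) return "locked";

  const expected = challenges.get(challengeId);
  challenges.delete(challengeId); // single use: an id cannot be replayed

  const ok = expected !== undefined &&
    sameText(expected, String(typed).trim().toLowerCase());
  if (ok) {
    failures.delete(clientKey);
    return "accepted";
  }
  state.count += 1;
  if (state.count >= MAX_FAILURES) {
    state.lockedUntil = now + LOCKOUT_MS;
    state.count = 0;
  }
  failures.set(clientKey, state);
  return state.lockedUntil > now ? "locked" : "rejected";
}
```

The verification has to run on the server: a check done only in browser JavaScript is skipped by any automated client that posts to the form handler directly.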

Conclusion

Of course, the simplest way to avoid spammers altogether is by not allowing any sort of email contact within your site. But this is not a feasible option – after all, you have your web site online for the purpose of contacting new and old customers or clients. So, before putting your email form online, use a bit of quick security and incorporate Captcha.

Category: Security Issues
Posted on Friday, Nov 06, 2009

Web Hosting Security at Risk: Are you?

It seems as if new web hosting companies are emerging on the scene every day and almost all of them are trying to ease the rising fears of security breaches. The efforts and reassurance are warranted when considering that any website is vulnerable to an attack. Intruders are constantly on the prowl in search of sensitive information such as account numbers, invoice records, personally identifiable details and other confidential data. The best way to ensure the protection of this information is a combination of proven security mechanisms and routine security practices employed by both the hosting provider and end-user.

Why Web Hosting?

You may wonder why the web hosting industry is such a big target of hackers. The simple answer is that the market is tremendous, consisting of thousands of companies that power millions of websites throughout the world. There are billions of dollars tied up in the business and hackers are willing to use every trick in the book to get a share of it. If your site runs mission-critical operations, acts as the central source of information for your niche or enables you to make a living, it is imperative that you make security a priority. Because your web host is in a better position to ensure reliable protection than you are, you need to put security at the top of your list when sizing up potential hosting providers.

The Expanding Threat Model

A hacker’s arsenal is made up of numerous tools and techniques. They typically combine various methods to compromise websites and turn the unsuspecting into victims. Some blend into social networking sites, playing nice in hopes of enticing community users to visit an infected site and unknowingly execute malicious code on their system. They trick users into downloading items that appear to be something desirable like a multimedia application or game but are only a deceptive Trojan horse in disguise. Some utilize more destructive weapons that could result in the theft of one’s assets and identity. The malicious keylogger is a prime example, a menacing program with the ability to capture every single character you type on your keyboard. These threats and more are the very reasons why web hosting providers across the world are increasing their efforts to deliver better security to their customers.

Put Security First

You don’t have to be a security expert in the IT field to keep yourself protected from hacking exploits.  However, your web host should be.  After all, if they are taking money from you and making a commitment to serve your pages over the internet, shouldn’t they also be on top of the security mechanisms and procedures needed to ensure the safety of your website and personal information?   Security is a must in the web hosting arena so you should take no excuses and never settle for less.  With that said, if you feel that your current hosting provider isn’t taking the necessary measures to keep you protected, don’t stand for it – move your files to a responsible server.

Category: Security Issues
Posted on Tuesday, May 26, 2009

Protect Your Site From Malicious Activities

Thousands of vulnerable websites are exploited every day. In many cases, your site can be victimized without you having the slightest clue. Unfortunately, there are also instances in which your site can be used in malicious ploys without being directly compromised. In the best interests of both you and your visitors, it is imperative that you take the appropriate measures to ensure that your site is a safe place to visit. In this article we will talk about some of the more unusual ways hackers and malware writers plant their harmful seeds.

Malicious Banner Ads

Although most attacks involve taking advantage of vulnerable web applications, attackers have several other weapons that can be used to maliciously exploit your site. One popular method is through the use of banner ads. The person you think you’re networking with could be using your site as a medium to propagate their malicious code. As soon as one of your visitors clicks on the compromised banner, they are redirected to a malware-hosting site or directly infected, depending on the nature of the code. If you insert third-party advertisements on your website, it is imperative to make sure they do not put you or your visitors in danger. The best way to do this is knowing how to properly assess obfuscated banner code for signs of malicious values. You could also do some checking to find out if the advertiser you’re working with has a reputation for participating in such activities.

Sneaky Uploads and Downloads

Most website attacks focus on HTML code, but it is also possible for malicious items to be uploaded to an improperly secured site. If you allow users to upload content to your site, they can easily sneak in executables such as JavaScript, .exe, .bat and .cmd files. Attackers have also been known to bundle their harmful programs with applications given away as free downloads. You will become unpopular if every time someone downloads your free software, they end up with a nasty infection on their PC. You can learn if your site or applications are being used to distribute malware by downloading the source code from the live site onto a virtual machine and scanning it with a reliable anti-malware tool.
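One way to refuse the executable uploads described above, shown as an added example that is not part of the original article. The function name `checkUpload` and the three allowed types are assumptions; the blocked extensions are the ones the article names.

```javascript
const path = require("path");

// Allowlist (assumed policy for this sketch): extension -> leading magic bytes.
const ALLOWED = new Map([
  [".png", [0x89, 0x50, 0x4e, 0x47]],
  [".jpg", [0xff, 0xd8, 0xff]],
  [".pdf", [0x25, 0x50, 0x44, 0x46]],
]);
// Executable types named in the article; checked on every dot-separated segment.
const EXECUTABLE = new Set(["js", "exe", "bat", "cmd"]);

function checkUpload(originalName, bytes) {
  // Drop any client-supplied directory part and the trailing dots or spaces
  // that Windows silently ignores ("run.bat." is still run.bat).
  const base = path.posix.basename(String(originalName).replace(/\\/g, "/"))
    .replace(/[. ]+$/, "").toLowerCase();
  if (base.includes("\0")) return { ok: false, reason: "nul byte in name" };

  // "invoice.exe.png" is refused: an executable segment anywhere fails.
  const bad = base.split(".").slice(1).find((s) => EXECUTABLE.has(s));
  if (bad) return { ok: false, reason: `executable extension .${bad}` };

  const ext = path.posix.extname(base);
  const magic = ALLOWED.get(ext);
  if (!magic) return { ok: false, reason: `extension ${ext || "(none)"} not allowed` };

  // The content must match the claimed type, not just the file name.
  const head = Array.from(bytes.subarray(0, magic.length));
  if (head.length < magic.length || !magic.every((b, i) => head[i] === b)) {
    return { ok: false, reason: "content does not match extension" };
  }
  return { ok: true, reason: "accepted", ext };
}
```

Accepted files are best stored under a server-generated name outside the web root, so the client-supplied name never reaches the file system.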

A Few Security Tips

It’s a jungle out there in cyberspace, filled with more hazardous creepy crawlers than you could imagine. Following these simple tips should help make your website a much safer place to hang out.

Transfer Data Securely – If you allow users to upload to your site or require root access, be sure to utilize SSH and SFTP rather than Telnet or FTP. Telnet and FTP are both considered insecure because they transmit data in plain text. When using FTP or Telnet, sensitive information such as user names and passwords can be easily read by anyone eavesdropping on the network. SSH and SFTP are encryption-based protocols that scramble data so it appears in the form of unreadable characters.

Scan Your Website – There are a number of scanning technologies that will comb your site for vulnerabilities.  A good one will not only help you detect insecure applications, but also software packages that require immediate patches.

Secure Hosting – You can take all the preventive measures you want, but if the server you’re hosting on isn’t secure, all those efforts will prove futile. Make sure your web host is taking the necessary steps to keep you protected behind the scenes. If they are not making use of features such as firewalls, anti-malware and DDoS protective software, you need to pack up your website files and head elsewhere.

Category: Security Issues
Posted on Thursday, May 07, 2009

Cross Site Scripting: The Underestimated Website Attack

Cross site scripting, or simply XSS, is one of the most common threats facing website owners today. This exploit occurs at the application layer, usually targeting scripts embedded in a web page that run in the client-side browser rather than on the server side. In general, XSS is an attack that takes advantage of weaknesses in client-side technologies such as HTML and JavaScript. The intent of cross site scripting is to manipulate the scripts within a web application and execute them in a malicious manner for the benefit of the attacker.

Cross site scripting is one of several threats that use vulnerable applications to exploit a website. The major difference with XSS is that it does not have the ability to directly steal sensitive information from a back-end database. Unfortunately, this has led several webmasters to believe that XSS isn’t a high-risk threat. Ironically, many have gone on to learn the hard way, forced to suffer through public defacement and embarrassment.

The Consequences of Cross Site Scripting

The damage inflicted by XSS exploits is widely documented. There have been cases where large corporate websites were hacked by this attack, with the results almost always being catastrophic. Cross site scripting is used to achieve a wide variety of malicious goals, and below are some of the most common:

DoS (Denial of Service) Attacks

Accessing sensitive, unauthorized information

Modifying browser and security settings

Spying on victims’ computing activities

Website defacement

Identity theft

The consequences of a successful XSS attack can be crippling for businesses of any size. Security vulnerabilities in some of the most popular websites have led to the theft of credit card numbers and other identifying customer information. Consumers have been duped into clicking links that direct them to a rogue site purporting to be a legitimate business. Unaware of the malicious ploy, the customer enters their details into the application, handing them right over to the hacker. If you are the cause of your customers being compromised, they will rightfully lose trust in your site’s security, a situation that could lead to liability issues and ultimately the loss of your business.

Educate Yourself About Cross Site Scripting

The increasing number of successful attacks is proving that large enterprises are just as vulnerable as organizations working on a smaller budget. What this really shows is that there is not necessarily a lack of resources, but a lack of awareness within businesses at all levels. Numerous security reports reveal that a great number of applications on the web are vulnerable to XSS. Sadly, it is not uncommon to find website owners putting their customers and business at risk by not practicing sound security.

On the surface, cross site scripting may not seem as severe as other threats but that is what makes it so dangerous.  This is one exploit far too many webmasters are not prepared for.  Until more become aware, the problem will only escalate and continuously claim new victims.  Unless you want a disaster on your hands, take every measure you can to ensure that your web applications are secure.

Category: Security Issues
Posted on Thursday, Apr 09, 2009

Fighting Back Against Website Attacks

Despite all the advancements that have been made in information security, hacking attacks continue to be a major problem, inflicting damage on some of the biggest companies. Every year, it seems as if we hear a story where some major company has been hacked and robbed of invaluable information. Although large corporations make better targets, small businesses are not exempt from such attacks. You may feel that the data on your website is not all that confidential or mission-critical, but an ambitious hacker might think otherwise.

What Motivates a Hacker?

Hackers hack websites for a number of reasons.  Some are after personal information while others merely do it for the thrill and gaining stripes in the hacker community.  While every hacker has their own motivation, a successful attack boils down to one factor – the webmaster’s lack of knowledge.  Even an intermediate hacker can break into your website, change your home page and steal sensitive information all by downloading readily available tools from the internet.  Whether you are a beginner or seasoned webmaster, the best way to protect yourself against website hacking is knowing how a hacker operates.

A Two-step Approach

The first step a hacker will take is to scan your web applications for any known vulnerabilities. This can be done with a penetration testing process that is performed either manually or automated by certain programs or scripts. Finding an insecure application is the most crucial step in any website attack and translates to holes you can’t afford to leave open.

The next step in website hacking is coming up with an exploit able to take advantage of the vulnerabilities. There are many exploits but all share the similar goal of allowing an intruder to penetrate your website. Here is where you need to be aggressive and take steps to prevent an exploit rather than trying to bounce back after the attack. If you scripted your own applications, you need to go back carefully and look them over, then make any modifications needed to the source code to close the gaps. When done correctly, you can dramatically reduce the probability of a website attack.

Practicing Website Security

Properly securing your applications is something that can be accomplished even if you are not an expert in the security field or simply do not have the money required to hire a thorough, experienced web developer.  In fact, security knowledge comes at an inexpensive price and is worth looking into when considering that it can keep your website safe.  Basic knowledge can be obtained by keeping yourself informed on the web applications you are using along with all known vulnerabilities that relate to them.  Additionally, you can minimize vulnerabilities by applying the latest updates and patches to your applications and using the best security practices.

Aside from practicing website security, it is also a good idea to have a basic understanding of common techniques attackers employ to hack websites. Some of the most popular methods include SQL injection and cross site scripting, to name a few. The best way to deter the attempts of a savvy hacker is to defeat them with your own knowledge.

Category: Security Issues
Posted on Thursday, Feb 19, 2009
