Tag Archive 'hacker'

Is Cloud Computing Behind the Twitter Hack?

The cloud is one of the hottest topics in the world of network computing and more recently, IT hosting and e-commerce.  Though it has proven to be a cost-efficient technology, the cloud does not come without flaws, especially if the latest high-profile internet security breach has anything to say about it.

The Infamous Twitter Hack

What is being dubbed the “Twitter Hack” has some questioning whether security is an issue for the phenomenon that is cloud computing.  The incident that sparked the debate was actually the hacking of a Google Apps account belonging to a Twitter employee.  It has been reported that the exploit occurred because one of Twitter’s co-founders created a password for Google Apps that was easily guessed by a hacker.  This, in turn, enabled the hacker to access the user’s personal information, including the data on his wife’s personal computer.

A War of the Words

Andy Cordial, managing director of data storage solutions firm Origin Storage, stated that a large number of companies and their employees are becoming victims of the cloud.  Cordial’s logic is that because cloud computing is so prevalent, businesses are being rushed into it and forced “to adapt their IT security systems on the fly.”  He remarked that Origin Storage saw the shift in the business industry on the horizon and that all the security “breaches occurring on the cloud front” are proof that there are discrepancies that still need to be resolved.  Although the cloud shouldn’t necessarily take all the blame for the most recent debacle, the news certainly isn’t making anyone feel any better about the overall security of Twitter or Google Apps.

Evan Williams, the Twitter co-founder who essentially caused his wife’s Gmail webmail account to be compromised, explained to blog site TechCrunch that the hack was absolutely not due to a lack of security on the part of Twitter.  However, Andy Cordial stressed that if Twitter had focused more on security rather than growing its user base at all costs, the company wouldn’t be in the midst of such an embarrassing situation.  Cordial added that implementing encryption into an organization’s data storage arrangement, be it on or off the cloud, will ensure that information stored on the server and in transit is protected from malicious intent.  His final shot at the Twitter co-founder was that creating a secure password on top of encryption and sound corporate policies would likely have prevented the matter.  However, it should be stated that it was personal user accounts, not business accounts, that were compromised.

Who’s to Blame?

Who should take the bullet for the so-called Twitter Hack?  Is it really the fault of the cloud, or should blame lie with Google Apps or the victim?  While it is probably a combination of all parties, one would think that a co-founder and active member of what is arguably the most popular social networking platform of the moment would have the know-how to be a little more responsible.  In any event, this breach is unlikely to win over the many users who are still concerned about internet security any time soon.

Category: Security Issues
Posted on Tuesday, Aug 04, 2009

The Vulnerability of AJAX Applications

When it comes to emerging web technologies, AJAX is leading the charge as one of the most dynamic tool sets on the development market.  Short for Asynchronous JavaScript and XML, AJAX is attracting the attention of developers and businesses around the world.  Unknown to some, AJAX isn’t a programming technology like HTML or PHP, but rather a collection of technologies that provide a robust facility for developing powerful web-based applications.  The power of AJAX is seen in many applications today, including Google Maps and Yahoo! Mail.

What Makes AJAX So Different?

The purpose of AJAX is to enhance speed, interactivity and usability.  The combination of technologies provides a more feature-rich, user-friendly experience.  Instead of loading the requested page at the start of the session, an AJAX engine scripted in JavaScript is loaded.  This engine acts as a middleman between the user and the web page, enabling communication between the client and server.  The end result of this interaction is noticed almost instantly.  When making a request to an AJAX page, you may see individual elements of the page update before your eyes (asynchronously) rather than waiting for the page to load completely.

The AJAX Disadvantage

AJAX is a very powerful weapon, but one must be aware of the security vulnerabilities that exist.  Some developers have the misconception that AJAX applications offer tighter security because it is believed that the server-side script can’t be accessed without the rendered user interface, which is simply the AJAX-based page.  Unfortunately, this couldn’t be further from the truth.  The increased interactivity within the application alone results in increased text, XML and HTML network traffic.  This, in turn, could expose back-end applications that might not have been vulnerable otherwise.  Without adequate server-side protection, it could also give unauthenticated users the ability to manipulate privilege configurations.

Another AJAX vulnerability is associated with the process it uses to formulate server requests.  Its engine uses JavaScript to capture user commands and convert them into function calls.  These function calls are transmitted to the server in plaintext, making them visible to savvy eavesdroppers.  This could allow an intruder to easily access database fields that contain user login credentials and other critical variables that can be manipulated for malicious gain.  With this information, a hacker can attack AJAX functions without ever crafting specific HTTP requests to the server by hand.  Coupled with the known vulnerabilities of JavaScript, AJAX applications are susceptible to attacks like cross-site scripting and similar threats that plague scripts created with other development technologies.
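To make the two points above concrete, here is an added Python example (not code from the original post) of an AJAX endpoint handled entirely server-side: the caller is authenticated from a server-held session, a client-supplied privilege flag is never read, and data echoed back for insertion into the page is HTML-encoded.  The session store, the "Cookie-Session" header name and the endpoint paths are constructed for illustration.

```python
import html

# Constructed session store: session id -> user record held by the server.
# In production this is the server's session backend, never the request body.
SESSIONS = {
    "sess-alice": {"user": "alice", "role": "user"},
    "sess-root": {"user": "root", "role": "admin"},
}

def handle_ajax_request(method, path, headers, params):
    """Handle one request exactly as the browser's AJAX engine would send it.

    The rendered page is not a security boundary: the same call can be made
    by any client with no UI at all, so every check below is server-side.
    Returns (status_code, response_dict).
    """
    # 1. Authenticate from the server-held session (constructed header name).
    session = SESSIONS.get(headers.get("Cookie-Session", ""))
    if session is None:
        return 401, {"error": "not authenticated"}

    if method == "POST" and path == "/api/set_role":
        # 2. Authorize from the server's own record of the role.  A client
        #    supplied params["is_admin"] is never read, so it grants nothing.
        if session["role"] != "admin":
            return 403, {"error": "admin role required"}
        target, new_role = params.get("user"), params.get("role")
        if not isinstance(target, str) or new_role not in ("user", "admin"):
            return 400, {"error": "invalid parameters"}
        return 200, {"updated": target, "role": new_role}

    if method == "POST" and path == "/api/greeting":
        # 3. Anything echoed back for insertion into the DOM is HTML-encoded,
        #    so a display name containing markup renders as text, not script.
        name = str(params.get("display_name", session["user"]))
        fragment = "<p>Hello, %s</p>" % html.escape(name, quote=True)
        return 200, {"fragment": fragment}

    return 404, {"error": "unknown endpoint"}
```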

While the evolution of web technologies has enabled applications to offer more responsive, interactive and efficient functionality, it has also increased the vulnerabilities developers and businesses face on a daily basis.  The growing prevalence of AJAX applications has considerably broadened the threat window, essentially giving hackers a greater opportunity to compromise sensitive data and steal valuable assets.  For this reason, developers must stop living under a false sense of security and take every measure possible to ensure that their AJAX applications are completely secure.

Category: Security Issues
Posted on Monday, Apr 13, 2009

Practicing FTP Security

One of the most highly sought after features on the web hosting market is FTP.  Short for File Transfer Protocol, FTP provides a means for transferring data from your computer to the web host’s server.  While the protocol is quite useful, FTP also presents many security risks, and making yourself aware of them is crucial.

Beware of FTP Attacks

FTP is ideal for transferring files to a remote location.  However, you should know that in its purest form, this protocol is far from secure.  FTP transmits your data over a network in plain text.  If the transmission is intercepted, the contents of those files can be viewed by unauthorized parties.  Furthermore, a knowledgeable hacker can use the FTP server as an entrance into your website.  This is done by repeatedly trying to log on with an incorrect password for a user.  In most cases, the profile is disabled after the maximum threshold of three failed sign-in attempts is reached, which hands the hacker exactly what they need to lock the legitimate user out.

The most effective way to protect yourself from an FTP password attack is through the use of an FTP server logon exit program.  This mechanism can provide security in the following ways:

Rejecting logon requests by any user profiles that you have not granted FTP access to.  With the use of an FTP server logon exit program, the logon attempts from the profiles you decide to block are not counted towards the maximum sign in count.

Limiting the number of clients from which a user profile is able to access the FTP server.  For instance, if someone from accounting is granted access, you can configure the server so that only connections from the accounting department’s IP addresses are accepted for that profile.

Recording the credentials and IP addresses of all FTP logon attempts.  This allows you to regularly review the activity behind each FTP logon attempt.  If a profile is ever disabled for reaching the maximum count, you can use the recorded IP address to identify the perpetrator and handle the matter accordingly.
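The three controls above, written out as an added Python example (not the article's code, and not any particular FTP server's exit-program API): a profile allowlist with per-profile client networks, an audit record of every attempt, and a failed-password counter that rejected requests from blocked profiles or disallowed clients never touch.  The policy entries and the threshold of three are constructed values.

```python
import ipaddress
from collections import defaultdict

# Constructed policy: profiles granted FTP access -> networks they may use.
FTP_POLICY = {
    "acct_jane": ["10.20.0.0/24"],                   # accounting subnet
    "webmaster": ["10.10.5.0/24", "203.0.113.7/32"],
}
MAX_FAILED_ATTEMPTS = 3   # the lockout threshold described in the text

class FtpLogonExit:
    """Decide on FTP logon requests before the server counts them."""

    def __init__(self, policy, max_failed):
        self.policy = {u: [ipaddress.ip_network(n) for n in nets]
                       for u, nets in policy.items()}
        self.max_failed = max_failed
        self.failed_counts = defaultdict(int)   # failed passwords per profile
        self.audit_log = []                     # every attempt, any outcome

    def _record(self, profile, client_ip, decision, reason):
        self.audit_log.append({"profile": profile, "client_ip": client_ip,
                               "decision": decision, "reason": reason})
        return decision == "ACCEPT"

    def check(self, profile, client_ip, password_ok):
        """Return True to let the logon proceed, False to reject it.

        Rejections for profiles without FTP access, or from clients outside
        the profile's networks, never touch the failed-password counter, so
        hammering a blocked path cannot disable a legitimate profile.
        """
        allowed_nets = self.policy.get(profile)
        if allowed_nets is None:
            return self._record(profile, client_ip, "REJECT", "no FTP access")
        addr = ipaddress.ip_address(client_ip)
        if not any(addr in net for net in allowed_nets):
            return self._record(profile, client_ip, "REJECT", "client not allowed")
        if self.failed_counts[profile] >= self.max_failed:
            return self._record(profile, client_ip, "REJECT", "profile disabled")
        if not password_ok:
            self.failed_counts[profile] += 1
            return self._record(profile, client_ip, "REJECT", "bad password")
        self.failed_counts[profile] = 0
        return self._record(profile, client_ip, "ACCEPT", "ok")

    def attempts_from(self, profile):
        """Client addresses recorded for a profile, for following up a lockout."""
        return sorted({e["client_ip"] for e in self.audit_log
                       if e["profile"] == profile})
```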

FTP Security Recommendations

Because FTP is naturally insecure, you may want to strongly consider backing it up with a reliable security mechanism.  The most highly recommended is Secure Sockets Layer, or simply SSL.  SSL is an encryption protocol that enables secure communications between the FTP server and client.  It ensures that transmissions are encrypted, maintaining confidentiality and integrity for all data that passes through.  This includes files as well as usernames and passwords.  Most FTP servers support SSL through the use of a digital certificate, which can also provide additional security through client authentication.

Though some recommend the use of anonymous FTP for the sharing of non-confidential data, this can be an even greater security risk.  With anonymous FTP, anyone can upload to your server without a username or password.   They could be transferring pirated software or malicious files.  Before taking such a gamble, be sure to weigh all the risks and take the appropriate measures to ensure that your FTP communications are secure.

Category: Security Issues
Posted on Tuesday, Mar 17, 2009

Fighting Back Against Website Attacks

Despite all the advancements that have been made in information security, hacking attacks continue to be a major problem, inflicting damage on some of the biggest companies.  Every year, it seems as if we hear a story where some major company has been hacked and robbed of invaluable information.  Although large corporations make better targets, small businesses are not exempt from such attacks.  You may feel that the data on your website is not all that confidential or mission-critical, but an ambitious hacker might think otherwise.

What Motivates a Hacker?

Hackers hack websites for a number of reasons.  Some are after personal information, while others merely do it for the thrill and to earn their stripes in the hacker community.  While every hacker has their own motivation, a successful attack boils down to one factor – the webmaster’s lack of knowledge.  Even an intermediate hacker can break into your website, change your home page and steal sensitive information, all by downloading readily available tools from the internet.  Whether you are a beginner or a seasoned webmaster, the best way to protect yourself against website hacking is knowing how a hacker operates.

A Two-step Approach

The first step a hacker will take is to scan your web applications for any known vulnerabilities.  This can be done with a penetration-testing process that is performed either manually or automated by certain programs or scripts.  Finding an insecure application is the most crucial step in any website attack, and it translates to holes you can’t afford to leave open.

The next step in website hacking is coming up with an exploit able to take advantage of the vulnerabilities.  There are many exploits, but all share the similar goal of allowing an intruder to penetrate your website.  Here is where you need to be aggressive and take steps to prevent an exploit rather than trying to bounce back after the attack.  If you scripted your own applications, you need to go back, look them over carefully and make any modifications to the source code needed to close the gaps.  When done correctly, you can dramatically reduce the probability of a website attack.

Practicing Website Security

Properly securing your applications is something that can be accomplished even if you are not an expert in the security field or simply do not have the money required to hire a thorough, experienced web developer.  In fact, security knowledge is inexpensive and well worth acquiring, considering that it can keep your website safe.  Basic knowledge can be obtained by keeping yourself informed about the web applications you are using along with all known vulnerabilities that relate to them.  Additionally, you can minimize vulnerabilities by applying the latest updates and patches to your applications and following the best security practices.

Aside from practicing website security, it is also a good idea to have a basic understanding of common techniques attackers employ to hack websites.  Some of the most popular methods include SQL injection and cross-site scripting, to name a few.  The best way to deter the attempts of a savvy hacker is to defeat them with your own knowledge.

Category: Security Issues
Posted on Thursday, Feb 19, 2009

The Dangers of Insecure Web Applications

Software can be used for many great things, but it has a dark side.  It also comes in the form of malicious programs, and the web is literally infested with these harmful applications.  Sadly, thousands of internet users download malicious software every day, blind to the fact that they are essentially inviting threats right into their systems.  These risks have the potential to be even more dangerous when a website is involved.  Any software code running on a web server poses a great threat for the simple reason that it is an executable file.  This means that it can be executed by anyone in the world with an internet connection.  Just imagine if there was an executable file on your desktop computer that could be executed by anyone at any time.  If this were the case, that program would have to be completely secure in order to prevent the execution of malicious code on your system.  The same goes for programs consisting of PHP or CGI scripts.

What makes executable programs even worse is that many of them accept parameters such as a user name or email address, making them more vulnerable to exploitation.  Needless to say, the web was a lot safer some five to eight years ago, when the internet phenomenon wasn’t as huge.  Today, hackers are highly skilled and more determined than ever.  They will do whatever it takes to break into home-based PCs, network servers, and even the applications on your website.  If your scripts are not properly secured, you stand the risk of losing essential data, which can stir up all sorts of trouble.

Here are just a few examples of what can happen when your scripts are not properly secured:

Hijacking of your mail server: You may ask, “What’s the point?”  The answer boils down to legality.  Although you couldn’t tell on the surface, spam is illegal in most countries, and if the authorities catch you doing it, you could find yourself in big trouble.  By hijacking the mail server, a spammer can use your domain to distribute mass mailings of spam.  When the authorities find out, it all leads back to you.

Hijacking of your website: Ever run across a family-friendly site and wondered why it was littered with pornographic images?  This, my friend, is website hijacking, more commonly known as defacing.  A poorly configured script can invite an intruder into your site, give them enough time to set up their own credentials and leave you out in the cold.

Attacks on other machines: Leave the door open for a hacker and they just might force you to participate in a strike against other machines.  In what is known as a DDoS attack, the hacker slips through your insecure script and installs a rootkit that opens a backdoor giving them complete control over the server, which is then turned against other targets.  This could eventually cause problems for both you and your web host.
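The mail server hijacking item above is exactly the "script that accepts an email address parameter" case.  As an added Python example (not code from the original post), here is the gap and its fix side by side: a contact-form handler that pastes the visitor's address straight into message headers, beside one that validates the parameter and lets the standard email library build the headers.  The mailbox address and form field names are placeholders.

```python
import re
from email.message import EmailMessage

SITE_MAILBOX = "contact@example.com"   # placeholder for the site's own mailbox

# Deliberately strict address pattern: neither whitespace nor CR/LF can
# match, which is what keeps extra header lines out of the message.
_ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def build_message_unsafe(reply_to, body):
    """The gap: headers built by string concatenation from a form field.

    A reply_to value that contains a line break followed by "Bcc: ..." adds
    recipients of the sender's choosing, and the site's mail server relays
    their mail.  Kept here only to show what the safe version prevents.
    """
    return ("To: %s\r\nFrom: %s\r\nSubject: Contact form\r\n\r\n%s"
            % (SITE_MAILBOX, reply_to, body))

def build_message_safe(reply_to, body):
    """Closing the gap: validate the parameter, let the library own headers.

    Returns the message as a string, or None when the address is rejected.
    """
    if not _ADDRESS_RE.fullmatch(reply_to):
        return None
    msg = EmailMessage()               # also refuses multi-line header values
    msg["To"] = SITE_MAILBOX
    msg["From"] = SITE_MAILBOX         # envelope sender stays the site's own
    msg["Reply-To"] = reply_to         # visitor's address, validated above
    msg["Subject"] = "Contact form"
    msg.set_content(body)
    return msg.as_string()

def header_names(raw_message):
    """Header field names present in a raw message, for checking the result."""
    head = re.split(r"\r?\n\r?\n", raw_message, maxsplit=1)[0]
    return [line.split(":", 1)[0] for line in re.split(r"\r?\n", head)
            if ":" in line and not line[0].isspace()]
```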

With the responsibility of administering the server, it is up to your web host to provide a secure environment.  As a webmaster, however, it is up to you to make sure your web applications are properly scripted and secure.  Software can instantly add functionality to your site, but if you’re not careful, it can also be your worst nightmare.

Category: Security Issues
Posted on Friday, Jan 23, 2009
