What Can Happen

A hacker can use the authentication process to invade a member area by falsely convincing the authentication application that they are indeed a valid user. If the hacker only has the ability to  access  your website as a standard user, then the damage they can inflict will be minimal.  However, if the hacker can gain administrative access to your website, they can take complete control of the website and all of it’s stored data in a very short period of time, usually within an hour or two. Of course this could be a potentially fatal situation to your online business, especially if they gain access to critical financial information.

The Process of False User Authentication

Usually the process begins with the hacker finding the login screen where they can enter the necessary  information to complete authentication. Once they’ve found the location of the authentication login page, they can then enter the URL of the login page into a hacking software that will repeatedly enter random information into both fields until a working combination is found. Many times the hacker will simply try this process manually before resorting to using the automated software. For this reason it is important that you do not use a simple or default administrator username and password such as “admin” or “1234.”  When the hacker uses an automated program to bypass user authentication, it is known as a “brute force attack.”

Preventing and Combating False User Authentication

Hackers use tools that return error codes and other information from the web server to find out when their attacks are working, essentially repeating the process in a trial and error fashion until no error message is returned. One way to keep hackers from accomplishing this is to adjust the server configuration to generate an “HTTP 200 OK” response whenever an unexpected request is ordered. Effectively this will make it very hard for the hacker to understand which attempts work and which attempts were denied. Another effective way to prevent brute force attacks is to place random phrases that must be re-entered by the user requesting access. This is called a “De-captcha” and it can be downloaded as an application and used in conjunction with your control panel. De-captcha tools make the process of false user authentication very difficult to bypass for most hackers.

A Little Common Sense Goes a Long

While many security software solutions exist, some of the best ways to defend yourself can be summed up to applying common sense.  Here are five simple tips to help keep your website safe and secure:

1.) Smart E-commerce – If you plan to sale goods or services through a shopping cart, make sure that the software used is properly figured and secured.  If you do not possess this knowledge, bring someone on board who does.

2.) Password Protection – Use secure passwords for all of your website applications that require a login.  This goes for everything from your control panel to CMS software.  A good rule of thumb is to use a combination of numbers, letters and symbols, in addition to never using something that others can associate with you for a password.

3.) Monitor Your Server Logs – By checking your server logs on a regular basis, you may be able to identify strange or unusual activity.  Because knowing what to look for can be difficult, many software solutions exist that will do the job for you.  These programs analyze your log files and automatically send alerts if strange behavior is detected.

4.) Update Your Web Applications - An outdated web application is one of the most vulnerable points of a website.  Hackers are constantly working on new ways to compromise security so if your applications are not up to date, you could be exploited.  Also keep in mind that most updates consist of critical upgrades that address known security issues.

5.) Backup Your Website – Because no website is ever 100% secure, it would be wise to frequently backup your site and all the files its contains.  Don’t overlook this.  Not only do hackers target websites, but entire web servers.  If the server your site resides on is compromised, you could possibly lose everything you worked so hard to build.  Regular backups give you the assurance that your website data can be restored should a disaster occur.  Be sure to keep a copy of your backup in a location other than your hard drive just in case ill fate happens to strike your computer.

By successfully hacking the authentication session, an attacker can log into the system as a known and valid user, which provides them with whatever privileges the victimized user has been assigned by the administrator.  This means that the intruder could only have access to certain information, or global access across the entire system, the latter of which could possibly give them control of the application or website itself.  At this point, the attacker can stir up a lot of trouble.

Tools of the Trade

Most attackers attempt to gain access via the application’s login screen that requests a username and password to enter the system.  This calls for them to match the correct login credentials that application recognizes as valid and hopefully has the highest level of privileges in the system.  While this is not the most sophisticated attack, password cracking can prove to be one of the most effective methods a hacker uses to cripple an authentication scheme.  This common technique can be executed manually or automatically with special software, which makes guessing the password much easier.

If the attacker has no success at password guessing, their next step usually involves automated tools such as Brutus and WebCracker, which unfortunately, are widely available on the web.  These custom applications are designed to defeat authentication and penetrate the target system using a list of predefined usernames and passwords.  However, they are best known for employing dictionary attacks and brute force.  Hence the name, a dictionary attack utilizes a pre-formulated list of common words in a dictionary to compromise web applications, trying thousands of combinations to determine the correct username and password.  Brute force is a technique used to break a cryptographic scheme by consistently trying a large number and  sometimes all, possible keys to decrypt an encrypted password.  Both have proven to be very effective at guessing weak passwords and bypassing authentication.

Prevention and Protection

Stopping an authentication attack can be very difficult.  Especially when factoring in all the sophisticated hacking techniques and tools on the black market.  Fortunately, there is a way to test the strength and overall effectiveness of your authentication methods.  One of the most reliable is authentication testing, a feature commonly found in web vulnerability scanners.  These applications are generally easy to use and configure for automatically testing all the applications within your site that require authentication.  Furthermore, most also scan for other common exploits such as SQL injection, cross site scripting and cross site forgery.

]]> http://webhostinggeeks.com/blog/2009/11/26/authentication-hacking-is-your-site-vulnerable/feed/ 0 http://webhostinggeeks.com/blog/2009/07/20/hack-proofing-your-dedicated-server/ http://webhostinggeeks.com/blog/2009/07/20/hack-proofing-your-dedicated-server/#comments Mon, 20 Jul 2009 18:32:43 +0000 CommunicateBetter http://webhostinggeeks.com/blog/?p=430 Having a dedicated server is one of the true signs that you have made it as a small to medium sized business owner.  Unfortunately, it also makes you a likely target of hacking and other security threats.  Securing any machine equipped with a web or application server is a huge challenge, one you may not be able to overcome alone.  You need to worry about everything from your email and FTP communications to OS and kernel patches.  And let’s not forget about those web technologies that can bring you so much functionality along with a lot of grief when not properly secured.  This web-based world we live in can be very hazardous to any business so if you want to protect your server, we suggest paying close attention to the contents of this article.

Must-Have Defenses

Securing a dedicated server begins with creating a two-layer bullet proof vest to deflect the attempts of the enemy.  Two of the most effective weapons to carry into battle: firewall and intrusion protection technology.  With a firewall, your server will be able to fight off common exploits such as DDoS (distributed denial of service) and brute force attacks.  Usually originating from multiple unsecured, enslaved machines, the dreaded DDoS attack will slam your dedicated server with awful amounts of insignificant traffic, overwhelming critical resources and rendering the hardware inaccessible to legitimate users.  A quality firewall with good configurations will enforce rules that filters access and blocks malicious traffic while allowing legitimate traffic to pass.  This is all done in a way that reduces latency and slow moving processes, so it all appears transparent to the end-user.

Though similar in a nature, intrusion detection and prevention takes a more advanced approach towards server security.  This technology blocks malicious traffic right at the source, locking compromised hosts in a quarantine area all while routing genuine user traffic in a quick and efficient manner.  If a firewall represents your first line of defense, then intrusion protection serves as your behind enemy lines mechanism.  This powerful combination allows you to shift security measures from a reactive to proactive aspect.

Don’t Stop There

While the implementation of firewalls and intrusion protection make good first steps, one should keep in might that this isn’t the set it and forget it type of deal.  In order to stay ahead of the hackers, malware coders and corporate saboteurs you must consistently employ vigilance as well as frequent updates of your patches, blacklists, filters and other vital elements.  Purchasing and installing a few security devices and applications can be viewed as the easy part.  Managing them with efficiency is an entirely different story.

Because properly securing a dedicated server is cost prohibitive for most small and medium sized organizations, you may want to consider a managed service to help keep the intruders away.   Managed hosting is the often overlooked aspect of a dedicated server that could spell the difference between running a successful business, or going down because of a major security breach.  If you are not sure where you stand on server security, consult your IT team or speak with a professional firm for guidance.

]]> http://webhostinggeeks.com/blog/2009/07/20/hack-proofing-your-dedicated-server/feed/ 0 http://webhostinggeeks.com/blog/2009/04/14/is-your-business-website-secure/ http://webhostinggeeks.com/blog/2009/04/14/is-your-business-website-secure/#comments Tue, 14 Apr 2009 15:38:51 +0000 CommunicateBetter http://webhostinggeeks.com/blog/?p=287 People are using the internet to commit malicious crimes everyday.  And while virus infections and scams pose a significant threat, one of the biggest problems of all is website hacking.  If you’re running a business online, losing sensitive data to a security breach could be enough to shut you down for good.  If you truly want to know how secure your business website, we suggest posing the following questions to yourself:

What are your trying to secure? For most companies, this includes confidential data such as customer records and payroll information.  However, you shouldn’t forget all the essentials like staff morale and most importantly, your company’s reputation.

What are your risks? The scope of today’s threat model is larger than it has ever been.  Not only do you have to worry about malicious software and hackers, but internal theft and physical threats as well.

Who is responsible for security? Do you have an experienced system administrator or are you going at it alone?  Many companies leave themselves wide open all because they do not have the internal resources needed to enable adequate security.

What are your doing about security? What are your plans for security?  Have you installed the appropriate software technologies to protect your network?  Are you enforcing security policies and training staff to make sure they know the risks?

Making sure your business website can be a full-time job.  Fortunately, there are several preventive measures that can be taken to prevent a disaster.  While some of it only seems practical, far too many companies overlook the intangibles and increase their likelihood of being victimized.  This checklist will help you understand what you need to do right now to start protecting your business.

Invest in Physical Security - While cyber crimes have become highly sophisticated, the easiest way to disrupt any business is to still their PC or server.  You can make this far more difficult by physically locking your office and coupling that with motion detectors and alarms.

Frequent Backups - The importance of data backups is something that just can’t be stressed enough.  Even is disaster does strike, you can ensure a speedy recovering by regularly backing up critical data and storing it in an off site location.

Implement Access Controls – As unfortunate as it is, everyone can’t be trusted – even some of the members on your staff. You should only provide employees with access to confidential data on a need-to-know basis in accordance to their role in the organization.  Nothing is guaranteed but this can dramatically minimize the risk of sabotage and data theft.

Continuous Training and Policy Enforcement – The mere behavior of your staff can be a major security risk.  Make sure your staff has a clear understanding of what they are and are not to be doing online.  Put some policies in place to ensure that everyone is operating with security in mind and come up with some repercussions for those who don’t comply.

Protect Your Website - When doing business online, the website is what forms the foundation for your organization.  The more you rely on your site, the bigger target it will become.  Therefore, it is critical to do everything to possible to make sure your applications and the site itself is secure.

What Motivates a Hacker?

Hackers hack websites for a number of reasons.  Some are after personal information while others merely do it for the thrill and gaining stripes in the hacker community.  While every hacker has their own motivation, a successful attack boils down to one factor – the webmaster’s lack of knowledge.  Even an intermediate hacker can break into your website, change your home page and steal sensitive information all by downloading readily available tools from the internet.  Whether you are a beginner or seasoned webmaster, the best way to protect yourself against website hacking is knowing how a hacker operates.

A Two-step Approach

The first step a hacker will take is to scan your web applications for any known vulnerabilities.  This can be done with a penetrating test process that is performed either manually are automated by certain programs or scripts.  Finding an insecure application is the most crucial step in any website attack and translates to holes you can’t afford to leave open.

The next step in website hacking is coming up with an exploit able to take advantage of the vulnerabilities.  There are many exploits but all share the similar goal of allowing an intruder to penetrate your website.  Here is where you need to be aggressive and take steps to prevent an exploit rather than trying to bounce back after the attack.  If you scripted your own applications, you need to go back carefully and look them over to process any modifications that may be needed to the source codes to close the gaps.  When done correctly, you can dramatically reduce the probability of a website attack.

Practicing Website Security

Properly securing your applications is something that can be accomplished even if you are not an expert in the security field or simply do not have the money required to hire a thorough, experienced web developer.  In fact, security knowledge comes at an inexpensive price and is worth looking into when considering that it can keep your website safe.  Basic knowledge can be obtained by keeping yourself informed on the web applications you are using along with all known vulnerabilities that relate to them.  Additionally, you can minimize vulnerabilities by applying the latest updates and patches to your applications and using the best security practices.

Aside from practicing website security, it also a good idea to have a basic understanding of common techniques attackers employ to hack websites.  Some of the most popular methods include SQL injection and cross site scripting to name a few.  The best way to deter the attempts of a savvy hacker is to defeat them with your own knowledge.

Hacking for Sensitive Information

Any who frequents the web can see that almost every website consists of numerous applications.  This goes from simple email forms and login pages to shopping carts and more dynamic creations.  These applications all share the common goal of allowing web surfers to submit and retrieve a given level of personal or sensitive information stored in an underlying database.  When such applications are not secured, you are essentially opening the gate leading to your most confidential data.  Just think if you’re involved in e-commerce – those databases probably contain credit card numbers and details regarding your customers.  If a hacker is able to inflict damage, your business could be in great peril.

Hacking to Steal Bandwidth

Bandwidth is one of the most vital internet resources and plays a major role in the functioning of your website.  Coupled with the expense, the opportunity to conduct illegal business is enough motivation to provoke a website hacking.  A knowledgeable hacker could penetrate a web-based application, leach off a large amount of bandwidth and go on with their illicit activities.  When this occurs, the web hosting provider’s server is being used to help carry out illegal business without them even realizing it.

Hacking to Distribute Illegal Content

One of the most common reasons website attacks occur is to accommodate hackers looking to distribute illegal content while leaving no trace of themselves.  This is often done to trade pirated software or even something as disturbing as child pornography.  When these activities are traced by the authorities, the trail only leads back to the website owner who could likely face legal implications, the loss of credibility or worse.

Hacking for Search Engine Rankings

It is a proven fact that search engines are one of the most effective ways to generate qualified visitors.  Hackers are aware of this as well and will do whatever it takes to get ahead.  Some are so advanced that they have the ability to inject hidden keywords into the websites of unsuspecting owners.  Search engines like Google frown down on such activities and will often penalize anyone caught spamming its database.  In this case, it’s the victimized website owner.  This is something that could really impact the ability to effectively promote your business.

Protect Your Website

The importance of application security just can’t be stressed enough.  These are just a few of several factors that motivate hacking and if your website isn’t secure, you could be the next victim.

Despite the fact that several improvements have been made, none of the top web browsers are completely secure.  Because of this, many web security experts are projecting that website attacks will continue to be an issue.  The combination of enhanced functionality and the lack of adequate security implementations have left a number of browsers vulnerable to sophisticated attacks.  Some researchers are saying that the increasing number of exploits is the direct result of Web 2.0 technologies and advanced web hosting features.

Evolution in Technology Opens Doors to Further Threats

Things were fairly innocent in the early days of the internet when static pages were prevalent, before technologies such as JavaScript and Active X came into play.  Today’s World Wide Web is dominated by dynamic web-based applications and complex server-side scripting languages, factors that enable browsers to be used in various ways to exploit websites.  Gary McGraw of Cigital, a software security company, agrees that these feature-rich designs have made browsers far less secure, stating that they are structured more like complete operating systems.

This past September Google released Chrome, its new web browser which was immediately faced with stiff competition in the form of Microsoft Internet Explorer, Mozilla Firefox, Apple Safari and Opera.  While internet users have a wide variety of browsers to choose from, the options are still limited in terms of security, including Chrome.  Experts contend that the browser war of who can out do one another in the feature department is what ultimately leads to these security vulnerabilities.

Though quite serious, the security issues associated with today’s popular web browsers are not attributed to a lack of effort.  Some say that developers are doing all they can but when considering the fact that website attacks such as cross site scripting and cross site request forgery are typically the result of design, these flaws tend to be much harder to fix than bugs found in software code.  Observers suggest that the vulnerabilities are not going to disappear entirely but do stress that browser developers can do more to enhance security.

In general, development teams only have a little time to address browser vulnerabilities before the hacker community is able to discover them.  Developers are being encouraged to practice browser security just like those who make other software products.  This is extremely important as the major web browsers literally have hundred of millions of users.  One solid approach towards website security is standardized authentication, something that would need to be addressed by system administrators.  Another recommendation is for browser developers to design products that alert users when they are being directed to intranet zones such as localhost or RFC1918 as attackers are increasingly targeting internal devices.  Security firms have also predicted that the manner in which data is handled when requests are made between a browser and website should play a critical part in future designs.