<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Web Hosting Geeks' Blog - News, Trends, Discussions. &#187; SQL injection</title>
	<atom:link href="http://webhostinggeeks.com/blog/tag/sql-injection/feed/" rel="self" type="application/rss+xml" />
	<link>http://webhostinggeeks.com/blog</link>
	<description>Web hosting blog - industry news, trends, products and discussions.</description>
	<lastBuildDate>Fri, 19 Mar 2010 18:36:35 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Authentication Hacking: Is Your Site Vulnerable?</title>
		<link>http://webhostinggeeks.com/blog/2009/11/26/authentication-hacking-is-your-site-vulnerable/</link>
		<comments>http://webhostinggeeks.com/blog/2009/11/26/authentication-hacking-is-your-site-vulnerable/#comments</comments>
		<pubDate>Thu, 26 Nov 2009 17:12:53 +0000</pubDate>
		<dc:creator>CommunicateBetter</dc:creator>
				<category><![CDATA[Security Issues]]></category>
		<category><![CDATA[authentication hacking]]></category>
		<category><![CDATA[Brutus]]></category>
		<category><![CDATA[cross site forgery]]></category>
		<category><![CDATA[cross site scripting]]></category>
		<category><![CDATA[exploitation]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[hacking techniques]]></category>
		<category><![CDATA[login credentials]]></category>
		<category><![CDATA[securing a website]]></category>
		<category><![CDATA[security hole]]></category>
		<category><![CDATA[SQL injection]]></category>
		<category><![CDATA[WebCracker]]></category>

		<guid isPermaLink="false">http://webhostinggeeks.com/blog/?p=637</guid>
		<description><![CDATA[Authentication plays an important part in securing a website and its applications.  It works by authenticating and verifying a user’s identity and then either denying or providing them with specific privileges to a system based on the username and password they enter against the established credentials.  Though it adds an extra layer of protection, authentication [...]]]></description>
			<content:encoded><![CDATA[<p align="left">Authentication plays an important part in securing a website and its applications.  It works by authenticating and verifying a user’s identity and then either denying or providing them with specific privileges to a system based on the username and password they enter against the established credentials.  Though it adds an extra layer of protection, authentication is quite vulnerable to exploitation.  In most cases, this type of attack does not originate from a security hole in the web server or operating system software.  It actually targets weak passwords and vulnerable areas of the network itself.</p>
<p align="left">
<p align="left">By successfully hacking the authentication session, an attacker can log into the system as a known and valid user, which provides them with whatever privileges the victimized user has been assigned by the administrator.  This means that the intruder could have access only to certain information, or global access across the entire system, the latter of which could possibly give them control of the application or website itself.  At this point, the attacker can stir up a lot of trouble.</p>
<p align="left">
<p align="left"><strong>Tools of the Trade </strong></p>
<p align="left">
<p align="left">Most attackers attempt to gain access via the application’s login screen, which requests a username and password to enter the system.  This calls for them to match login credentials that the application recognizes as valid, ideally for an account with the highest level of privileges in the system.  While this is not the most sophisticated attack, password cracking can prove to be one of the most effective methods a hacker uses to cripple an authentication scheme.  This common technique can be executed manually or automatically with special software, which makes guessing the password much easier.</p>
<p align="left">
<p align="left">If the attacker has no success at password guessing, their next step usually involves automated tools such as Brutus and WebCracker, which, unfortunately, are widely available on the web.  These custom applications are designed to defeat authentication and penetrate the target system using a list of predefined usernames and passwords.  However, they are best known for employing dictionary attacks and brute force.  As the name suggests, a dictionary attack utilizes a pre-formulated list of common dictionary words to compromise web applications, trying thousands of combinations to determine the correct username and password.  Brute force is a technique used to break a cryptographic scheme by systematically trying a large number, and sometimes all, of the possible keys to decrypt an encrypted password.  Both have proven to be very effective at guessing weak passwords and bypassing authentication.</p>
<p align="left">
<p align="left"><strong>Prevention and Protection</strong></p>
<p align="left">
<p align="left">Stopping an authentication attack can be very difficult, especially when factoring in all the sophisticated hacking techniques and tools on the black market.  Fortunately, there is a way to test the strength and overall effectiveness of your authentication methods.  One of the most reliable is authentication testing, a feature commonly found in web vulnerability scanners.  These applications are generally easy to use and configure for automatically testing all the applications within your site that require authentication.  Furthermore, most also scan for other common exploits such as SQL injection, cross site scripting and cross site request forgery.</p>
<p align="left">
<p align="left">
]]></content:encoded>
			<wfw:commentRss>http://webhostinggeeks.com/blog/2009/11/26/authentication-hacking-is-your-site-vulnerable/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Major Threats to Business Website Security</title>
		<link>http://webhostinggeeks.com/blog/2009/10/16/major-threats-to-business-website-security/</link>
		<comments>http://webhostinggeeks.com/blog/2009/10/16/major-threats-to-business-website-security/#comments</comments>
		<pubDate>Fri, 16 Oct 2009 15:57:55 +0000</pubDate>
		<dc:creator>CommunicateBetter</dc:creator>
				<category><![CDATA[Security Issues]]></category>
		<category><![CDATA[anti-virus software]]></category>
		<category><![CDATA[business website security]]></category>
		<category><![CDATA[CRLF injection]]></category>
		<category><![CDATA[cross site scripting]]></category>
		<category><![CDATA[data restoration]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[SQL injection]]></category>
		<category><![CDATA[StopBadware]]></category>
		<category><![CDATA[website security]]></category>

		<guid isPermaLink="false">http://webhostinggeeks.com/blog/?p=577</guid>
		<description><![CDATA[Any organization would find it irresponsible and downright silly to not have anti-virus software installed on their office systems.  Most would also have solutions in place to compensate for data restoration should there be a hardware failure or some sort of natural disaster.  Surprisingly enough, far too many business owners are unaware [...]]]></description>
			<content:encoded><![CDATA[<p align="left">Any organization would find it irresponsible and downright silly to not have anti-virus software installed on their office systems.  Most would also have solutions in place to compensate for data restoration should there be a hardware failure or some sort of natural disaster.  Surprisingly enough, far too many business owners are unaware that their websites are vulnerable to the same type of attacks as their local machines.  This is especially the case in shared and virtual environments where a multitude of sites are running on the same server.</p>
<p align="left">
<p align="left">In May 2007, more than 90,000 sites were compromised by hackers, a large scale exploit designed to illegally install malicious code on the computers of visitors who clicked on seemingly harmless search results.  A StopBadware study showed that an estimated 10% of those compromised sites were maintained by one hosting firm in particular, which accounted for 250,000 infectious websites.  This is just one of many examples that prove no website is ever as safe as we might think.</p>
<p align="left">
<p align="left"><strong>Common Threats to Business Websites </strong></p>
<p align="left">
<p align="left">Hackers employ several methods and tricks to exploit websites.  Below we will focus on three that are most commonly used to attack business sites: SQL injection, cross site scripting and CRLF injection.</p>
<p align="left">
<p align="left"><strong>SQL Injection </strong></p>
<p align="left">
<p align="left">SQL injection is by far one of the most popular website attacks employed today.  This technique primarily works by sending false or malicious requests to a back-end database to manipulate the information it contains.  By doing so, the attacker can view whatever information is stored in the database, change it, or erase it completely.  Most websites would not exist without the presence of databases, but unfortunately any site that features shopping carts, search fields, or any type of web form is susceptible to SQL injection.  The fields that require interaction from your visitors and customers could open the door a hacker needs to steal sensitive data and destroy your company.</p>
<p align="left">
<p align="left"><strong>Cross Site Scripting </strong></p>
<p align="left">
<p align="left">Cross site scripting is another common attack that exploits holes in dynamic websites.  Dynamic pages can allow an attacker to insert malicious code and trick an end-user into running a harmful script on their computer.  If the user executes the code, the hacker could gain access to all of the sensitive information on their local machine.  Cross site scripting takes advantage of numerous programming technologies including ActiveX, Flash, JavaScript and VBScript.</p>
<p align="left">
<p align="left"><strong>CRLF Injection </strong></p>
<p align="left">
<p align="left">Unlike most exploits, CRLF injection does not take advantage of security vulnerabilities in the operating system or web software.  Instead, it exploits the manner in which the application was scripted.  For instance, an attacker can insert a statement into a web form along with code from CR (Carriage Return) and LF (Line Feed) characters.  The chance for exploit arises when the application mistakes this injection for a CRLF used in the initial development stage.  This attack is very dangerous as it has the power to disable an entire website.</p>
<p align="left">
<p align="left">This article does not aim to make you a website security expert, but to make you aware that security for your business site should be just as important as security for your local machines.  To assume that your business will never be exploited only exposes you to unnecessary risks that could put you out of commission effective immediately.</p>
<p align="left">
]]></content:encoded>
			<wfw:commentRss>http://webhostinggeeks.com/blog/2009/10/16/major-threats-to-business-website-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Malware Attacks on the Rise</title>
		<link>http://webhostinggeeks.com/blog/2009/03/05/malware-attacks-on-the-rise/</link>
		<comments>http://webhostinggeeks.com/blog/2009/03/05/malware-attacks-on-the-rise/#comments</comments>
		<pubDate>Thu, 05 Mar 2009 18:46:08 +0000</pubDate>
		<dc:creator>CommunicateBetter</dc:creator>
				<category><![CDATA[Security Issues]]></category>
		<category><![CDATA[malicious scripts]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[malware attack]]></category>
		<category><![CDATA[ScanSafe]]></category>
		<category><![CDATA[security measures]]></category>
		<category><![CDATA[SQL injection]]></category>
		<category><![CDATA[website hacking]]></category>

		<guid isPermaLink="false">http://webhostinggeeks.com/blog/?p=228</guid>
		<description><![CDATA[When signing up for a web hosting account, most feel confident that the provider takes all the preventive measures to make sure their personal information is safe.  While most companies do try to secure their hosting platforms, one should never assume that these security measures are 100% reliable.  Hackers are determined and very skilled at [...]]]></description>
			<content:encoded><![CDATA[<p>When signing up for a web hosting account, most feel confident that the provider takes all the preventive measures to make sure their personal information is safe.  While most companies do try to secure their hosting platforms, one should never assume that these security measures are 100% reliable.  Hackers are determined and very skilled at their craft.  They will employ various techniques and use numerous tools to break into your website.  One of the most effective weapons in their arsenal of tricks is malware.</p>
<p><strong>Appalling Numbers</strong></p>
<p>In 2008, web security firm ScanSafe released a report that raised a lot of concern in the hosting industry.  The report revealed figures from research conducted between May 2007 and May 2008, showing that 68% of legitimate websites studied were unknowingly hosting malware.  Researchers at ScanSafe say that crafty intruders were able to compromise websites of various sizes, from well known entities to small businesses.</p>
<p>Nature.com is one site that was victimized.  According to Quantcast, this site receives more than 700,000 unique visitors each month, making it one of the top 500 most trafficked sites on the web.  ScanSafe&#8217;s study found that malicious code was embedded into web pages on Nature.com.  Thankfully, the administrators detected and rectified the issue very quickly.  Although the website was only compromised for a single day, an estimated 30,000 users could have been at the risk of malware infection.</p>
<p><strong>A Double Threat</strong></p>
<p>So, how do intruders sneak these malicious scripts into an innocent website?  They use a wide range of methods and one of them is an attack called SQL (Structured Query Language) injection.  Numerous security reports show that risk of exposure to website hacking has increased by more than 400% since 2008.  It has been reported that backdoor-installing and password-stealing malware account for the fastest growing attacks, threats that increased by over 800%.</p>
<p>The ScanSafe report shows that SQL injection is one exploit that aids the most in malware attacks.  With this type of attack, a hacker inserts SQL code into a simple form on a web page, or into any application that interacts with a backend database.  They can then send requests to steal information from the database or communicate with it in malicious ways to compromise other visitors that may interact with the site.  SQL injections are such a huge problem because so many webmasters do not take the proper security measures when developing applications and administering databases.  Most simply rely on simple authentication based on a username and password.  By using an SQL select query, a hacker can take those values, compare them to the information in the database, find a match and get the access they need.  With all the advanced hacking tools available, this process can be done very quickly.</p>
<p><strong>Keeping Your Website Safe</strong></p>
<p>Malware is a very dangerous security threat with the power to bring down a single website or an entire server.  It comes in various forms and can go undetected for quite some time.  When the victim finds out, it is usually too late.  You can keep your site protected against spyware, Trojans, viruses and other malware by making sure your web applications are completely secure.  If you are not quite sure, get yourself a vulnerability scanner to scan your site for security holes.  It is a small investment that can spare you a lot of heartache.</p>
]]></content:encoded>
			<wfw:commentRss>http://webhostinggeeks.com/blog/2009/03/05/malware-attacks-on-the-rise/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to Find Secure Shared Hosting</title>
		<link>http://webhostinggeeks.com/blog/2009/01/13/how-to-find-secure-shared-hosting/</link>
		<comments>http://webhostinggeeks.com/blog/2009/01/13/how-to-find-secure-shared-hosting/#comments</comments>
		<pubDate>Tue, 13 Jan 2009 19:35:35 +0000</pubDate>
		<dc:creator>CommunicateBetter</dc:creator>
				<category><![CDATA[Security Issues]]></category>
		<category><![CDATA[cross site scripting]]></category>
		<category><![CDATA[DDoS attacks]]></category>
		<category><![CDATA[disk space]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[malicious actions]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[network intrusion]]></category>
		<category><![CDATA[secure shared hosting]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[shared hosting]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[SQL injection]]></category>
		<category><![CDATA[SSL]]></category>
		<category><![CDATA[web hosting provider]]></category>

		<guid isPermaLink="false">http://webhostinggeeks.com/blog/?p=150</guid>
		<description><![CDATA[If you are looking to save money on building and managing a website, shared hosting may be the way to go.  Shared hosting is incredibly affordable these days, so much that you can have a personal or business website for just a couple of dollars a month.   What makes this arrangement so affordable?  With shared [...]]]></description>
			<content:encoded><![CDATA[<p align="left">If you are looking to save money on building and managing a website, shared hosting may be the way to go.  Shared hosting is incredibly affordable these days, so much that you can have a personal or business website for just a couple of dollars a month.   What makes this arrangement so affordable?  With shared hosting, you are literally sharing disk space and various resources with other customers.  This allows the web hosting provider to rake in guaranteed profits while keeping expenses to a minimum.  Shared hosting is very economical but there are some drawbacks to this type of arrangement, mainly security.</p>
<p align="left">The major issue with shared hosting has always been the same &#8211; the availability of security and the fact that this platform can only be so secure.  Without adequate protection, the web host&#8217;s server is vulnerable to a wide range of threats including DDoS attacks, malware infection and network intrusion.  You could also be exposed to attacks such as SQL injection, cross site scripting and even the malicious actions of your neighbors on the server.  When your hosting environment isn&#8217;t properly secured, you stand the risk of losing the most sensitive of information.</p>
<p align="left">Security is definitely an issue in the shared hosting environment, one that could make the low cost an uneven trade.  The good thing is that several web hosting providers are aware of these vulnerabilities and they are taking the necessary approaches to deliver a secure service.  When looking for a company to host your site, we recommend keeping the following security considerations in mind.</p>
<p align="left"><strong>Protection from Thy Neighbor</strong></p>
<p align="left">When assessing the security of a particular web host, you must not only analyze the protection offered against outside threats, but security that keeps you protected against other website owners on the server.  You never know who you&#8217;re sharing the server with, as they could be into dealing porn, distributing spam or malicious software.  A few of your next door neighbors just might be prolific computer hackers.  To keep yourself protected in this regard, you should make sure the provider doesn&#8217;t allow any unsolicited code to be executed or access to your directories.</p>
<p align="left"><strong>Clean Code </strong></p>
<p align="left">One of the biggest threats to your website lies in the code used to build your applications.  When they are not properly scripted, intruders can use them as an entrance to your data and wreak major havoc.  You can minimize the possibility of common website exploits by ensuring that the web hosting company offers the latest in development tools, whether it's PHP and MySQL or ASP and MS Access.  Most importantly, it is up to you to make sure you are coding your applications and web pages in a secure manner.</p>
<p align="left"><strong>Security Features </strong></p>
<p align="left">There are also a number of features that will give you an idea of how secure a particular web hosting platform is.  This includes protection for the actual server, such as software that defends against DDoS attacks and viruses, as well as firewalls and network intrusion systems to fend off hackers.  If your site is to involve online business transactions, you will also require SSL support to protect your customers&#8217; credit card information.  By making sure all the vital security issues are addressed, you can better your chances of enjoying a smooth run in the shared hosting environment.</p>
]]></content:encoded>
			<wfw:commentRss>http://webhostinggeeks.com/blog/2009/01/13/how-to-find-secure-shared-hosting/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Browsers Aiding in Website Attacks</title>
		<link>http://webhostinggeeks.com/blog/2008/12/29/browsers-aiding-in-website-attacks/</link>
		<comments>http://webhostinggeeks.com/blog/2008/12/29/browsers-aiding-in-website-attacks/#comments</comments>
		<pubDate>Mon, 29 Dec 2008 16:00:45 +0000</pubDate>
		<dc:creator>CommunicateBetter</dc:creator>
				<category><![CDATA[Security Issues]]></category>
		<category><![CDATA[Active X]]></category>
		<category><![CDATA[Chrome]]></category>
		<category><![CDATA[cross site scripting]]></category>
		<category><![CDATA[exploits]]></category>
		<category><![CDATA[Firefox]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[hacking techniques]]></category>
		<category><![CDATA[Javascript]]></category>
		<category><![CDATA[Opera]]></category>
		<category><![CDATA[Safari]]></category>
		<category><![CDATA[SQL injection]]></category>
		<category><![CDATA[web browser]]></category>
		<category><![CDATA[website attack]]></category>

		<guid isPermaLink="false">http://webhostinggeeks.com/blog/?p=133</guid>
		<description><![CDATA[Website attacks are on the rise with intruders using an array of hacking techniques from cross site scripting to SQL injection.  Although careless development and insecure applications play a major role in a site&#8217;s vulnerability, the typical web browser is a contributing factor as well.
Despite the fact that several improvements have been made, none of [...]]]></description>
			<content:encoded><![CDATA[<p>Website attacks are on the rise with intruders using an array of hacking techniques from cross site scripting to SQL injection.  Although careless development and insecure applications play a major role in a site&#8217;s vulnerability, the typical web browser is a contributing factor as well.</p>
<p>Despite the fact that several improvements have been made, none of the top web browsers are completely secure.  Because of this, many web security experts are projecting that website attacks will continue to be an issue.  The combination of enhanced functionality and the lack of adequate security implementations have left a number of browsers vulnerable to sophisticated attacks.  Some researchers are saying that the increasing number of exploits is the direct result of Web 2.0 technologies and advanced web hosting features.</p>
<p><strong>Evolution in Technology Opens Doors to Further Threats</strong></p>
<p>Things were fairly innocent in the early days of the internet when static pages were prevalent, before technologies such as JavaScript and Active X came into play.  Today&#8217;s World Wide Web is dominated by dynamic web-based applications and complex server-side scripting languages, factors that enable browsers to be used in various ways to exploit websites.  Gary McGraw of Cigital, a software security company, agrees that these feature-rich designs have made browsers far less secure, stating that they are structured more like complete operating systems.</p>
<p>This past September Google released Chrome, its new web browser, which was immediately faced with stiff competition in the form of Microsoft Internet Explorer, Mozilla Firefox, Apple Safari and Opera.  While internet users have a wide variety of browsers to choose from, the options are still limited in terms of security, including Chrome.  Experts contend that the browser war over who can outdo one another in the feature department is what ultimately leads to these security vulnerabilities.</p>
<p>Though quite serious, the security issues associated with today&#8217;s popular web browsers are not attributed to a lack of effort.  Some say that developers are doing all they can but when considering the fact that website attacks such as cross site scripting and cross site request forgery are typically the result of design, these flaws tend to be much harder to fix than bugs found in software code.  Observers suggest that the vulnerabilities are not going to disappear entirely but do stress that browser developers can do more to enhance security.</p>
<p>In general, development teams only have a little time to address browser vulnerabilities before the hacker community is able to discover them.  Developers are being encouraged to practice browser security just like those who make other software products.  This is extremely important as the major web browsers literally have hundreds of millions of users.  One solid approach towards website security is standardized authentication, something that would need to be addressed by system administrators.  Another recommendation is for browser developers to design products that alert users when they are being directed to intranet zones such as localhost or RFC1918 addresses, as attackers are increasingly targeting internal devices.  Security firms have also predicted that the manner in which data is handled when requests are made between a browser and website should play a critical part in future designs.</p>
]]></content:encoded>
			<wfw:commentRss>http://webhostinggeeks.com/blog/2008/12/29/browsers-aiding-in-website-attacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
