Traditionally when you hear someone say ‘Our website is Secure’ they imply that their website uses SSL (Secure Sockets Layer) and that the traffic is encrypted (The little lock in your browser usually appears) unfortunately Encryption doesn’t make a website secure. Sure encryption makes sure that nobody can sniff your session (see what you’re doing), but if the site you’re submitting personal data to contains a Vulnerability an attacker can still steal your data. Some sites contain logo’s saying ‘Secured by XXX’ (XXX being a vendor name) but you can’t trust these one bit.
Rather then paying for a security monitoring service a website owner could easily just copy the image and save a few thousands dollars doing it. Unfortunately not everyone knows how to secure a website and some blind trust is needed in order to perform some everyday tasks. To ease your mind there are some rules that certain types of sites must follow in order to remain active. Security Web Security Guard is an application developed by Crawler that prevents the user from entering potentially dangerous Web sites that may cause adware, viruses, spyware, or spam.
Web Security Guard informs of potentially dangerous websites by displaying information and user reviews before entering websites. It uses a database of web site ratings and reviews provided by the users. Crawler Toolbar comes with Web Security Guard keeping it up to date and providing combined search results from major Internet search engines. When a computer connects to a network and begins communicating with others, it is taking a risk. Internet security involves the protection of a computer’s internet account and files from intrusion of an unknown user. 1] Basic security measures involve protection by well selectedpasswords, change of file permissions and back up of computer’s data. Security concerns are in some ways peripheral to normal business working, but serve to highlight just how important it is that business users feel confident when using IT systems. Security will probably always be high on the IT agenda simply because cyber criminals know that a successful attack is very profitable. This means they will always strive to find new ways to circumvent IT security, and users will consequently need to be continually vigilant.
Whenever decisions need to be made about how to enhance a system, security will need to be held uppermost among its requirements. Internet security professionals should be fluent in the four major aspects: ? Penetration testing ? Intrusion Detection ? Incidence Response ? Legal / Audit Compliance Anti-virus Some apparently useful programs also contain features with hidden malicious intent. Such programs are known as Malware, Viruses, Trojans,Worms, Spyware and Bots. Malware is the most general name for any malicious software designed for example to infiltrate, spy on or damage a computer or other programmable device or system of sufficient complexity, such as a home or office computer system, network, mobile phone, PDA, automated device or robot. ? Viruses are programs which are able to replicate their structure or effect by integrating themselves or references to themselves, etc into existing files or structures on a penetrated computer.
They usually also have a malicious or humorous payload designed to threaten or modify the actions or data of the host device or system without consent. For example by deleting, corrupting or otherwise hiding information from its owner. ? Trojans (Trojan Horses) are programs which may pretend to do one thing, but in reality steal information, alter it or cause other problems on a such as a computer or programmable device / system. ? Spyware includes programs that surreptitiously monitor keystrokes, or other activity on a computer system and report that information to others without consent. Worms are programs which are able to replicate themselves over a (possibly extensive) computer network, and also perform malicious acts that may ultimately affect a whole society / economy. ? Bots are programs that take over and use the resources of a computer system over a network without consent, and communicate those results to others who may control the Bots. The above concepts overlap and they can obviously be combined. The terminology is evolving. Antivirus programs and Internet security programs are useful in protecting a computer or programmable device / system from malware.
Such programs are used to detect and usually eliminate viruses. Anti-virus software can be purchased or downloaded via the internet. Care should be taken in selecting anti-virus software, as some programs are not as effective as others in finding and eliminating viruses or malware. Also, when downloading anti-virus software from the Internet, one should be cautious as some websites say they are providing protection from viruses with their software, but are really trying to install malware on your computer by disguising it as something else. Anti-spyware
There are two major kinds of threats in relation to spyware: Spyware collects and relays data from the compromised computer to a third-party. Adware automatically plays, displays, or downloads advertisements. Some types of adware are also spyware and can be classified as privacy-invasive software. Adware often are integrated with other software. Email Security A significant part of the Internet, E-mail encryption is an important subset of this topic. Browser choice Almost 70% of the browser market is occupied by Internet Explorer[1]. As a result, malware writers often exploit Internet Explorer. Often malware exploit ActiveX vulnerabilities.
Internet Explorer market share is continuously dropping (as of 2009; see list of web browsers for statistics) as users switch to other browsers, most notably Firefox, Opera and Google Chrome. Basic Ways To Increase Web Security Now that you know a bit about what can be done to your website by the bad guys, here are some ways to fight them off. Keep Code Up to Date There is no better protection than keeping your code up to date. Outdated versions of WordPress, old installs of PHP and MySQL, even old browsers, all of these are security issues because most updates to software these days are security patches.
It is a rat race between those who want the Web to work and those who want to abuse it to make a quick buck or to steal your identity. So please help the good guys by upgrading whenever a new version is out. Don’t Stay Logged In, and Don’t Entice Others to Either Staying logged in while not using a system is dangerous. Other websites you surf to can check that you are logged in and then clickjack you to make you do something you don’t mean to or aren’t aware of. This is especially dangerous with social media because everything you do will be sent to all your friends and probably replicated by them. It is a snowball effect.
In my perfect world, no form has a “Keep me logged in” option, which of course would be a nuisance to end users. I would love to see a clever, usable solution to this problem. I use a Flex client for Twitter, not a browser, which means I am not vulnerable even on websites with clickjacking and cross-site request forgery (the latter only if people do not abuse the API to phish my followers; see the presentations at the end of this article for a demo of that). Use Clever Passwords, and Entice Users to Do the Same Even on bullet-proof systems, one attack vector is users whose passwords are very easy to guess.
I change my passwords every few weeks, and I take inspiration from a book I am reading or a movie I have just seen. I also replace some characters and with numbers to make dictionary attacks harder. There are two ways to crack a password (other than social engineering, which is making you tell me your password by tricking you or phishing): brute force and dictionary attacks. Brute force entails writing a loop that tries all of the different options (much like playing hangman), which can take ages and uses a lot of computing power. Dictionary attacks use a dictionary database to attempt common words instead of going letter by letter.
Say I am reading a Sherlock Holmes book or have just seen the new screen adaptation, my password could be Sh3rl0ckW4t50n or b4sk3rv! ll3. That may be a bit hardcore for most people but is generally a good idea. Another strategy is to take a sentence that you can memorize easily and string together the initial letters. For example, “I like to buy food for my dog and to walk with it” would beIl2bffmda2wwi or even Il2bffmd&2wwi. So, if you build a new Web product that needs authentication, and you really need to build your own log-in system rather than use Google, Yahoo, Facebook Connect or OpenID which might be a good idea), please do not allow users to use passwords like “password” or the not-much-safer “password1. ” Recently, a list of passwords banned by Twitter leaked onto the Web, shown here as the full code. This is a good idea (the list, that is, not the leak). What To Do On Your Server Even if you are not a server expert, that’s no excuse for running an insecure server. Here are some things to make sure of. Turn Off Folder Listing As explained earlier, allowing people to navigate your folders (i. e. path traversal) is a bad idea. Testing whether your server has path traversal turned on is easy: 1.
Create a new folder on the server; for example, pathtest. 2. Add some files to the folder. But do not add index. html, index. php, default. aspxor whatever else your server uses as the default file name. 3. Check the folder in your browser; for example, by going tohttp://example. com/pathtest/ 4. If you can see a listing, contact your server admin to turn that off! Harden Your PHP If you have a server with PHP, be aware that you are in control of a powerful tool. The worst oversight someone could make is to allow any parameter that comes in from the URI to become a global variable.
This is turned off by default on PHP installs in version 4. 2. 0 and onward, but your configuration may have changed. In fact, some tutorials recommend that you turn it on for a script to work: this is a very, very bad idea. You can easily test if globals are enabled: 1. Create a new file named test. php. 2. Add the following code to it: 3. Upload the file to your server. 4. Browse to the file, and send a parameter called ouch; for example:http://example. com/test. php? ouch=that+hurts 5. If your browser shows “*that hurts*”, then your server has globals registered. . Contact your server admin to get this fixed! Why is this important? Well, in our explanation of XSS earlier, we talked about attackers being able to add code to your page using the URI parameters in your script. If you don’t turn off globals, any variable you use and write out could become an attack. Even worse, consider the following code: if($_POST[‘username’] == ‘muppet’ && $_POST[‘password’] == ‘password1’) { $authenticated = true; } if($authenticated) { // do something only admins are allowed to do } If this is checkuser. hp and global registering is on, then an attacker could call this in the browser as http://example. com/checkuser. php? authenticated=true and could work around the whole user checking; his authentication as$_GET[‘authenticated’] automatically turns into $authenticated. Turn Off Error Messages A lot of servers are set up to show you error messages when the browser encounters a problem. These messages often look cryptic, but they are a great source of information for attackers. Creating an error and seeing what the server spits out is one of the first steps in checking the folder structure of a server.
Funnily enough, error pages stating “File XYZ could not be found” were one of the first XSS attack opportunities, because you could look for a file named alert(document. cookie),. Automatically Checking PHP for Security Issues Uploading PHPSecInfo to a folder is a pretty handy way to perform a quick audit of your PHP server’s security. Opening it in your browser gives you a detailed checklist of common security flaws and how they should be fixed. But never leave this on a live server because it gives attackers a lot of details about your set-up! What To Do On Your Server
Even if you are not a server expert, that’s no excuse for running an insecure server. Here are some things to make sure of. Turn Off Folder Listing As explained earlier, allowing people to navigate your folders (i. e. path traversal) is a bad idea. Testing whether your server has path traversal turned on is easy: 1. Create a new folder on the server; for example, pathtest. 2. Add some files to the folder. But do not add index. html, index. php, default. aspxor whatever else your server uses as the default file name. 3. Check the folder in your browser; for example, by going tohttp://example. om/pathtest/ 4. If you can see a listing, contact your server admin to turn that off! Harden Your PHP If you have a server with PHP, be aware that you are in control of a powerful tool. The worst oversight someone could make is to allow any parameter that comes in from the URI to become a global variable. This is turned off by default on PHP installs in version 4. 2. 0 and onward, but your configuration may have changed. In fact, some tutorials recommend that you turn it on for a script to work: this is a very, very bad idea. You can easily test if globals are enabled: 1.
Create a new file named test. php. 2. Add the following code to it: 3. Upload the file to your server. 4. Browse to the file, and send a parameter called ouch; for example:http://example. com/test. php? ouch=that+hurts 5. If your browser shows “*that hurts*”, then your server has globals registered. 6. Contact your server admin to get this fixed! Why is this important? Well, in our explanation of XSS earlier, we talked about attackers being able to add code to your page using the URI parameters in your script. If you don’t turn off globals, any variable you use and write out could become an attack.
Even worse, consider the following code: if($_POST[‘username’] == ‘muppet’ && $_POST[‘password’] == ‘password1’) { $authenticated = true; } if($authenticated) { // do something only admins are allowed to do } If this is checkuser. php and global registering is on, then an attacker could call this in the browser as http://example. com/checkuser. php? authenticated=true and could work around the whole user checking; his authentication as$_GET[‘authenticated’] automatically turns into $authenticated. Turn Off Error Messages A lot of servers are set up to show you error messages when the browser encounters a problem.
These messages often look cryptic, but they are a great source of information for attackers. Creating an error and seeing what the server spits out is one of the first steps in checking the folder structure of a server. Funnily enough, error pages stating “File XYZ could not be found” were one of the first XSS attack opportunities, because you could look for a file named alert(document. cookie),. Automatically Checking PHP for Security Issues Uploading PHPSecInfo to a folder is a pretty handy way to perform a quick audit of your PHP server’s security.
Opening it in your browser gives you a detailed checklist of common security flaws and how they should be fixed. But never leave this on a live server because it gives attackers a lot of details about your set-up! What To Do To Your Code Because you likely do not have much to do with your server let’s focus on things you do have full control of. HTML HTML is pretty safe. It is simply converted into text—no interaction with the server or calculations—so not much can go wrong. That said, you should always use HTML for what it’s for: ? HTML structures your content.
HTML is not a database to store information. The reason it is not is because you cannot rely on HTML content to stay unchanged. Anyone could use browser debugging tools to mess around with your HTML and change the content. So you run into security issues with JavaScript solutions that rely on data in the HTML and don’t check the server for what that data is allowed to be. ? HTML is fully visible. Don’t use comments in the HTML to store sensitive information, and don’t comment out sections of a page that are not ready yet but that point to parts of an application that are in progress. Hiding things doesn’t make them go away. Even if you hide information with CSS or JavaScript, some people can get it anyway. HTML is not there to give your application functionality; that should always happen on the server. A wonderful example of insecure HTML was the drop-down menu on the website of a certain airline. This menu let you define the seating class you wanted to fly in as the last step before printing your voucher. The website rendered the HTML of the drop-down menu and commented out the sections that were not available for the price you had selected: Economy
Economy Plus The server-side code did not check to see whether you were eligible for a first-class ticket; it simply relied on the option not being available. The form was then sent via JavaScript. So, all you had to do to get a first-class ticket for the price of an economy seat was use FireBug to add a new option to the form, select the value you wanted and send it off. CSS CSS is not really capable of doing much to the document and cannot access the server… for now. One problem with CSS is background images that point to URIs. You can inject code by somehow overriding these.
The same applies to the @importproperty for other style sheets. Using expression() in Internet Explorer to make calculations (or, as in most cases, to simulate what other browsers can already do) is dangerous, though, because what you are doing in essence is executing JavaScript inside a CSS block. So, don’t use it. CSS changing a lot now, and we are giving it more power than ever before. Generating content with CSS, animation, calculations and font embedding all sound absolutely cool, but I get a prickly feeling in the back of my neck when I look at it right now. Attack vectors have two features: they have the ower to change the content of a document, and they are technologies that are not proven and are changing constantly. This is what CSS 3 is right now. Font-embedding in particular could become a big security issue, because fonts are binary data that could contain anything: harmless characters as well as viruses masquerading as a nice charset. It will be interesting to see how this develops. JavaScript JavaScript makes the Web what it is today. You can use it to build interfaces that are fun to use and that allow visitors to reach their goals fast and conveniently.
You can and should use JavaScript for the following: ? Create slicker interfaces (e. g. auto-complete, asynchronous uploading). ? Warn users about flawed entries (password strength, for instance). ? Extend the interface options of HTML to become an application language (sliders, maps, combo boxes, etc. ) ? Create visual effects that cannot be done safely with CSS (animation, menus, etc. ) JavaScript is very powerful, though, which also means that it is a security issue: ? JavaScript gives you full access to the document and allows you to post data to the Internet. You can read cookies and send them elsewhere. ? JavaScript is also fully readable by anyone using a browser. ? Any JavaScript on the page has the same rights as the others, regardless of where it came from. If you can inject a script via XSS, it can do and access whatever the other scripts can. This means you should not try to do any of the following in JavaScript: ? Store sensitive information (e. g. credit card numbers, any real user data). ? Store cookies containing session data. ? Try to protect content (e. g. right-click scripts, email obfuscation). Replace your server or save on server traffic without a fallback. ? Rely on JavaScript as the only means of validation. Attackers can turn off JavaScript and get full access to your system. ? Trust any JavaScript that does not come from your server or a similar trusted source. ? Trust anything that comes from the URI, HTML or form fields. All of these can be manipulated by attackers after the page has loaded. If you usedocument. write() on unfiltered data, you expose yourself to XSS attacks. In other words, AJAX is fun, but do not rely on its security.
Whatever you do in JavaScript can be monitored and logged by an end user with the right tools. Housekeeping One very important part of security is keeping your server clean. If you have old, insecure code lying around, it won’t matter whether your main website is hardened and up to date with the best security measures. Your server is as vulnerable as its weakest and least-maintained code. Check what you have on your server from time to time, and delete or move things that you are not interested in any more or couldn’t be bothered to maintain.
Instead of deleting code, you could move it to a repository such as Google Code or GitHuband redirect the old folder to it. It is also not a good idea to use the same server to test things and run a live product. Use one server as a test platform for playing around and another for grown-up stuff. It is especially important to have a different domain for each to protect your cookies. Web Security: Are You Part Of The Problem? Website security is an interesting topic and should be high on the radar of anyone who has a Web presence under their control.
Ineffective Web security leads to all of the things that make us hate the Web: spam, viruses, identity theft, to name a few. The problem with Web security is that, as important as it is, it is also very complex. I am quite sure that some of you reading this are already part of an network of attack computers and that your servers are sending out spam messages without you even knowing it. Your emails and passwords have been harvested and resold to people who think you need either a new watch, a male enhancement product or a cheap mortgage.
Fact is, you are part of the problem and don’t know what you did to cause it. The reason is that security experts don’t like to talk too much in public about what they do and where the issues lie; and sadly enough, they can also come across as arrogant in their views. This could be the result of people not taking security seriously and not following the most basic advice, such as using passwords that are clever, not “password” or “letmein. ” Another reason is those tutorials that show you how to “do something in five minutes” and conveniently neglect to mention the security implications of their advice.
If it sounds too easy to be true, it probably is. A perfect example of this is PHP solutions that use a file for data storage and ask you to make it writable to the world. This is easy to implement, but it means that any spammer can write to this file. URIs: The Main Way To Attack A Web Service The address of any document (i. e. file on the Internet) is its Uniform Resource Identifier (URI). This is what you enter in the browser bar to access the document and what you embed into code to point to the document.
For example, my website address is http://icant. co. uk, and the document you see when you open it in a browser is http://icant. co. uk/index. php (the server automatically redirects to that document). The logo image resides at the URIhttp://icant. co. uk/iconslogo. png, and the image of me pointing at you is on a totally different server and has the URIhttp://farm4. static. flickr. com/3172/3041842192_5b51468648. jpg. All of these URIs are okay for you to access. Some URIs, though, contain information that should not be accessible to the outside world.
For example, the /etc/passwordfolder on a server contains password and user information that should not leak to the Internet. Every URI can also contain parameters. These are instructions you can send to the script located at that URI and that are appended to the URI starting with a ? and separated by ampersands. If you want to search for puppies on Google, for example, you can use the URI http://www. google. com/search? q=puppies, and if you want to begin your search after the first 50 results, you can usehttp://www. google. com/search? q=puppies=50.
