Tuesday, February 19, 2008

Secure Sites and Forums

There are many cases of websites and forums being hacked, defaced, attacked, ransacked of the data in their databases, having that data corrupted, and so on. I am a member of two forums and both forums have been hacked or, in the geek word, 'pwned'. I tried to suggest security reforms to the forums, but they either do not have the money to implement security and are currently gathering funds, or are just downright stubborn and ignore the advice.

Here's a warning to all website and forum owners, and also some basic educational material to help them kick up their defenses, and do it ASAP!

The most common way to take down a website or forum is a Distributed Denial of Service (DDoS) attack, or, when it is done at a smaller scale from a single origin, simply a Denial of Service (DoS). The two have the same goal: flood the target with more work (connections, requests, bandwidth) than it can handle, so that legitimate users are no longer served. The difference is scale. A DDoS harnesses the resources of many computers spread across a network, often machines that have themselves been compromised, all primed to attack at a single point in time so that the effect is multiplied. A DoS may well be a single computer doing the attacking. In short, DDoS is the same attack run from many distributed machines at once; DoS is the basic form, done without a distributed system supporting it.

The crucial factor that makes a DDoS deadly is timing. The attacking machines are synchronised so that all their traffic hits the target at the same moment, producing a 'tsunami' of service requests that the server cannot keep up with. One of the simplest forms of DoS is to request the same resource, such as a particular page or a large file, over and over; if the requests are well timed, the resource is expensive to serve, and every attacker asks for that single resource, the server is overwhelmed. There are tools to handle DDoS: a couple of open source projects produce DDoS prevention tools, and there are commercial products as well. A Google search for DDoS protection tools yields a number of results you may consider. If you don't have the money, head to open source or freeware projects.
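
The two checks a forum operator would want from such a tool, written here as an added example in Python rather than anything from the post or from any named product: a per-source limit that catches a single host hammering one resource, and a site-wide request rate that still shows the flood when it is spread over many hosts and timed together. The log lines, IP addresses and thresholds are constructed for the example; the parser assumes Apache common log format and a time-ordered log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "common log format", e.g.
#   203.0.113.7 - - [19/Feb/2008:10:00:00 +0000] "GET /forum/index.php HTTP/1.1" 200 5123
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TIME_FMT), m["req"]


def flood_sources(log_text, window_seconds=10, max_requests=20):
    """Per-source check: {ip: peak} for every IP that sent more than max_requests
    inside any window_seconds span. Assumes the log is in time order."""
    recent = defaultdict(deque)
    offenders = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


def aggregate_peak(log_text, window_seconds=2):
    """Site-wide check: the largest number of requests from all sources combined
    inside one window. A distributed flood keeps every single IP under the
    per-source limit, so this is the figure that exposes it."""
    q = deque()
    peak = 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        q.append(parsed[1])
        while (parsed[1] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak = max(peak, len(q))
    return peak


# --- Constructed sample traffic (not a real capture) -----------------------
BASE = datetime(2008, 2, 19, 10, 0, 0, tzinfo=timezone.utc)


def log_line(ip, offset_s, path="/forum/index.php"):
    ts = (BASE + timedelta(seconds=offset_s)).strftime(TIME_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5123'


def build_sample_log():
    events = []
    # Five ordinary readers, one request every four seconds for a minute.
    for i in range(5):
        for t in range(0, 60, 4):
            events.append((t, log_line(f"198.51.100.{i + 1}", t)))
    # Single-origin DoS: one host pulls the same large file 40 times in five seconds.
    for n in range(40):
        t = 20 + n * 0.125
        events.append((t, log_line("203.0.113.66", t, "/forum/attachment.zip")))
    # Distributed burst: 30 hosts, three requests each, all timed into the same two seconds.
    for i in range(30):
        for n in range(3):
            t = 45 + n * 0.5
            events.append((t, log_line(f"192.0.2.{i + 1}", t)))
    events.sort(key=lambda e: e[0])
    return "\n".join(line for _, line in events)


if __name__ == "__main__":
    log = build_sample_log()
    print("per-IP offenders:", flood_sources(log))      # only 203.0.113.66 trips the per-source limit
    print("peak requests in 2 s:", aggregate_peak(log))  # the distributed burst shows up here
```

The per-source limit alone would never flag the thirty hosts in the second burst, each of which sends only three requests; the aggregate figure is what tells you the site is under a coordinated flood, which is why a real filter looks at both.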

Web hosting servers should always run an Intrusion Detection System (IDS) to identify intrusion attempts. An IDS detects intrusions, but many cannot prevent them, so you need to act on its alerts and do the preventing yourself; more advanced systems (intrusion prevention systems) can block the attempt automatically. Snort, an open source IDS project, is widely used and free of charge. I am currently learning the capabilities of Snort myself so I can use it on my own computers too.

One of the most common ways in is through opportunity and leaks. One of the most common things coders leave in their login code or code structure is hard-coded values. For example, you may think of hard-coding some values into your web page for easy login access, but this is a very bad idea. It is as good as leaving your key in the door knob. All it takes is for someone to analyse your code (anyone who can read the page source or get hold of a copy of the script), and if you have left important values like login credentials hard-coded in it, know that you are endangering yourself and your users.
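
An added example of the hard-coded login beside the form it should take, written for this page in Python and not code from the post or from any forum package. The usernames, passwords and file layout are constructed; the point is that in the fixed version neither the source nor a copy of the credential store contains a usable password.

```python
import hashlib
import hmac
import json
import secrets

# BEFORE: the pattern the post warns against. The password sits in the source,
# so anyone who can read the script (a leaked backup, a misconfigured server,
# a co-developer) has the admin login. Values are constructed for the example.
ADMIN_USER = "admin"
ADMIN_PASS = "forum2008"


def login_hardcoded(username, password):
    return username == ADMIN_USER and password == ADMIN_PASS


# AFTER: credentials live in a store outside the code (and outside the web
# root), and only a salted, slow hash of each password is kept. Neither the
# source nor a dump of the store gives away the password itself.
def hash_password(password, salt=None, iterations=100_000):
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password, record):
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    # Constant-time compare: a plain == would leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), record["hash"])


# Hashing a dummy for unknown users keeps the timing the same, so an attacker
# cannot tell valid usernames from invalid ones by the response time.
_DUMMY = hash_password("not-a-real-password")


def login_from_store(username, password, store):
    record = store.get(username)
    if record is None:
        verify_password(password, _DUMMY)
        return False
    return verify_password(password, record)


def save_store(store, path):
    """Write the credential store as JSON; keep the file readable only by the web server's account."""
    with open(path, "w") as f:
        json.dump(store, f)


def load_store(path):
    with open(path) as f:
        return json.load(f)


if __name__ == "__main__":
    store = {"admin": hash_password("correct horse battery staple")}
    print(login_from_store("admin", "correct horse battery staple", store))  # True
    print(login_from_store("admin", "forum2008", store))                      # False
    print(login_hardcoded("admin", "forum2008"))                               # True: the secret is in the code
```

The store file is an assumption for the example; the same shape works with a database table. What matters is that the secret is never in a file the web server will hand out and never stored in a form that a database dump reveals directly.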

Using default settings for your security software, e.g. default router or firewall passwords, should never be allowed. Default passwords are among the first things attackers try, since they know how careless people are with passwords. Do not leak passwords to anyone, not even your friends, unless they are part of the administrative team for the website or forum and tasked with maintenance.

When request and response data are exchanged between the user and the website's hosting server, the traffic includes sensitive data like usernames and passwords. There are network packet analysis tools like Ethereal and Wireshark (Wireshark being the latest version, the renamed Ethereal). Ethereal/Wireshark has a simple GUI with manuals on how to use it; all you need to do is specify a network device (LAN, wireless, ...) and it sits there and captures every data packet passing through that interface, and you would be surprised at the amount and detail of data captured. I was doing a test setup with a colleague when we were supposed to use Ethereal/Wireshark (legally) to test the safety of the data being passed between certain applications. Both of us opened a web-based messenger, logged in and sent messages to each other for a while, then went back to look at Ethereal/Wireshark. The data captured included our email addresses, passwords, usernames, the names of the contacts in our contact lists and the chat conversation, all in plain HTML text. If such tools can capture web chats in nearly plain human-readable form, why not web application logins, authentication and forum postings?

How do you handle such sensitive data? Use Secure Sockets Layer (SSL) or its successor Transport Layer Security (TLS) to encrypt the data exchanged between the two ends and, if needed, to verify each other's identity. There is plenty of material on TLS and SSL available online. Note that the encryption protects data in transit only: once the passwords reach the server they still have to be stored and handled securely. The problem with SSL and TLS is that, for browsers to trust your site without complaint, you need a certificate issued by a Certificate Authority (CA), and most companies in the CA business charge for the service, while many forums and sites are created on a constrained budget or by people with no knowledge of security. I hope some community or company will be kind enough to run a free CA for others to use, to promote security.

There are a couple of free, open source CA packages you can install on your own server, but most of the time such a personal CA is not trusted by web browsers: the browser warns the user that the certificate is untrusted and asks them to accept or reject it, which makes your website or forum look a little bad. If you don't mind your users being warned, you may want to convince them to add your personal CA's root certificate to their browser as a trusted one, but this is too deep into the technical end for most people. Whatever you do, never tell users simply to click through certificate warnings: that habit throws away the identity check that TLS is there to provide.
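
To make the sniffing point concrete, here is an added Python example (not code from the post) that reads login fields out of a constructed plaintext HTTP POST exactly the way a packet analyser shows them, shows that the same login over TLS yields only an opaque record header, and builds a client-side TLS configuration that keeps certificate verification on while trusting a site's own CA. The request bytes, the hostname, the field values and the TLS record are all constructed for the example; the CA PEM text is a placeholder argument, not a real certificate.

```python
import ssl
from urllib.parse import parse_qs

# Constructed TCP payload of a forum login sent over plain HTTP, the kind of
# thing Wireshark shows under "Follow TCP Stream". Not a real capture.
CAPTURED_HTTP = (
    b"POST /forum/login.php HTTP/1.1\r\n"
    b"Host: forum.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 42\r\n"
    b"\r\n"
    b"username=alice&password=hunter2&remember=1"
)

# Constructed start of the same login over TLS: a TLS record header (type 0x16 =
# handshake, version 3.x, length) followed by a minimal ClientHello. Everything
# after the handshake is ciphertext, so there is nothing for a sniffer to read.
CAPTURED_TLS = (
    b"\x16\x03\x01\x00\x2d"            # record: handshake, TLS 1.0 framing, 45 bytes
    b"\x01\x00\x00\x29\x03\x03"        # ClientHello, 41 bytes, TLS 1.2
    + bytes(32)                        # client random (zeros here)
    + b"\x00\x00\x02\x00\x2f\x01\x00"  # no session id, one cipher suite, null compression
)


def is_tls_record(payload):
    """True if the payload starts with a TLS record header (content type 20..23, major version 3)."""
    return len(payload) >= 5 and payload[0] in (0x14, 0x15, 0x16, 0x17) and payload[1] == 0x03


def credentials_in_clear(payload):
    """Pull form fields out of a plaintext HTTP POST exactly as a sniffer would.
    Returns {} when the payload is not a readable form post (e.g. it is TLS)."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"POST "):
        return {}
    headers = [h.lower() for h in head.decode("ascii", "replace").split("\r\n")[1:]]
    if not any(h.startswith("content-type:") and "x-www-form-urlencoded" in h for h in headers):
        return {}
    return {k: v[0] for k, v in parse_qs(body.decode("utf-8", "replace")).items()}


def client_context(private_ca_pem=None):
    """TLS client settings that keep the identity check intact. For a site signed
    by its own CA, pass that CA's root certificate as PEM text so it is trusted
    alongside the system store, instead of switching verification off."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname checking are on
    if private_ca_pem is not None:
        ctx.load_verify_locations(cadata=private_ca_pem)
    return ctx


def insecure_context():
    """The programmatic equivalent of telling users to click through the warning:
    any certificate, from anyone, is accepted. Shown only as the thing to avoid."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_peer(ctx):
    """Check that a context will reject an untrusted or misnamed certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


if __name__ == "__main__":
    print(credentials_in_clear(CAPTURED_HTTP))  # {'username': 'alice', 'password': 'hunter2', 'remember': '1'}
    print(credentials_in_clear(CAPTURED_TLS))   # {}: the sniffer only sees a handshake
    print(verifies_peer(client_context()), verifies_peer(insecure_context()))  # True False
```

Adding the site's own CA to the trusted set is the right way to work with a self-run CA; disabling verification, as in the second context, encrypts the connection but lets anyone on the network path present their own certificate and read everything anyway.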

SQL injection is bad for your database: it lets an attacker read, alter or corrupt your data by smuggling SQL of their own into the input your site pastes into its queries. The fix is never to build a query by concatenating user input into the SQL string; use parameterised queries (prepared statements) instead, so the input is sent as data rather than as part of the command. There is a vast amount of material on SQL injection, with examples, available on the internet; a simple Wikipedia or Google search will find it.
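
An added example, in Python with SQLite and not code from the post, showing the two things the paragraph describes: a string-built login query that a classic payload turns into an always-true condition, and a string-built search that a UNION payload turns into a dump of every password in the users table, each beside the parameterised form that treats the same input as plain text. The tables, rows and payloads are constructed for the example; the passwords are stored in plaintext here only so the harvest is visible.

```python
import sqlite3


def make_db():
    """In-memory stand-in for a forum database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO users (username, password) VALUES ('alice', 's3cret'), ('bob', 'hunter2');
        INSERT INTO posts (title) VALUES ('Welcome to the forum'), ('Server downtime tonight');
        """
    )
    return conn


# --- Vulnerable: user input is pasted into the SQL text (deliberately insecure) ---
def login_vulnerable(conn, username, password):
    sql = "SELECT id FROM users WHERE username = '%s' AND password = '%s'" % (username, password)
    return conn.execute(sql).fetchone() is not None


def search_vulnerable(conn, term):
    sql = "SELECT title FROM posts WHERE title LIKE '%%%s%%'" % term
    return [row[0] for row in conn.execute(sql)]


# --- Fixed: placeholders send the values separately from the SQL ---
def login_safe(conn, username, password):
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def search_safe(conn, term):
    sql = "SELECT title FROM posts WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


# Two classic payloads; neither is specific to any real site.
BYPASS_PASSWORD = "' OR '1'='1"                             # WHERE ... AND password = '' OR '1'='1'
HARVEST_TERM = "zzz%' UNION SELECT password FROM users--"   # bolts a second SELECT onto the search

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", BYPASS_PASSWORD))  # True: logged in without the password
    print(login_safe(db, "alice", BYPASS_PASSWORD))        # False: the payload is just a wrong password
    print(search_vulnerable(db, HARVEST_TERM))             # both passwords, dumped through the search box
    print(search_safe(db, HARVEST_TERM))                   # []: nothing has that literal text in its title
```

The parameterised versions are not longer or slower than the vulnerable ones; the only change is that the quote characters in the payload reach the database as characters to match, not as syntax.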

The devastating effects of a hacked site go beyond the defacement of your site or forum, or hackers wrecking its foundations or database. Many hackers harvest data from your database, implant backdoors if they can, or corrupt your pages. The most dangerous of these is the harvesting of data from your database, if you have one: it contains personal information, and that information can be used to drive other criminal activity like blackmail or further hacking.

Most people use the same password for their websites, forums, email, operating system login and so on. Once passwords leak through the harvesting of data from a compromised website or forum, they can be used to unlock the users' other accounts, such as the email addresses in the database. Storing passwords as salted hashes rather than in plaintext limits the damage, since an attacker holding a dump then has to crack each one. If your site is hacked, alert your members honestly, and tell them to change their passwords, not only for the website or forum but also for the email addresses they used to register.

Remember to always secure your websites and forums. The most important thing is to be alert and to know how to use security tools properly.
