Archive for hackers
The Most Prevalent PHP-Related Security Risks
Posted by: | CommentsPHP is thought to be most useful programming language around, by many web developers. For this reason PHP use is becoming increasingly popular in corporate programming and building independent applications. While PHP scripting has the ability to create just about anything you’d like with it, the programming framework is not without it’s security flaws. There are hackers that know how to take advantage of the loopholes in PHP scripting, and they do so everyday through simple web platforms such as WordPress and Drupal. To prevent this from happening to you, you’ll want to know what the most significant PHP security lapses are so you can take the proper security measures.
Code Exploits
Sometimes hackers can use certain lines of code to request and retrieve information from your website. For example, the “allow_url_fopen” option allows users to request file functions such as “file_get_contents()”, which would in turn allow a perpetrator to retrieve sensitive data from your website via a remote FTP connection. If you PHP is configured with default settings, then this this function is still enabled, and you will need to manually disable it to keep hackers from executing code exploits on your website. Disabling this function will not take away from the functionality of your website at all, as it is not commonly used. If you do need to use it personally in the future, you can simply enable it as you see fit.
Risky Functions
Just as in the above situation, every risky PHP function should be disabled to prevent a similar scenario. There are three functions in particular that pose especially dangerous threats, and those are the “EVAL” “shell_ exec” and the “passthru” functions. Disabling these functions is simple, and can be done by making slight adjustments to the “disable_functions” values in the “php.ini” file. Disabling the EVAL function is actually vital, because it allows a user to request remote control of PHP coding on your website. If this is used in conjunction with another exploit, it can mean serious problems for you and your website. Before you disable these functions, it is a good idea to make sure they are not needed for any particular applications or plugins you are using on your website.
Unsafe Application Coding
The flexibility of PHP is what usually makes it easy for a hacker to breach the security of a website or server. The problem is that the security gaps are most likely not your fault, but rather they lie within the content management system you are using. Many of the applications that people use to make their website management easier, also make it easier for hackers to infiltrate their administrative interface. This is why it is important to make sure you are using only the most secure plugins and applications to manage your website. In all actuality, it is better to have less functionality than to have a severe security breach on your website. Try to keep the amount of plugins you use to a minimum, and make sure the plugins you use have very secure coding.
Responsible Programmers
Being a programmer is not a simple task, and there are many things to consider when creating an application. The problem is, there is so much to know, and not every programmer is up to the task of making sure their applications are fool-proof. In fact most of them only want to make an application that will have enhanced functionality and will be popular in the e-community. However, if you are truly serious about maintaining the security of your website then you will use applications that are developed by responsible programmers. This is the primary reason why corporations hire their own private programmers.
Maintaining Website Security for Customer Satisfaction
Posted by: | CommentsThere are many vengeful characters on the internet that would love nothing more than to deface your online business by hijacking your home page and placing inappropriate content there. If you are a successful business owner, then chances are you have plenty of people who are jealous of you. If one of these jealous individuals has the skills, they can possibly take control of your website temporarily and scare away some of your potential customers. Sometimes these individuals are your competition, but most of the time they are just annoying hackers that do it for fun. On occasion opposing corporations will even pay hackers to deface websites in order to keep a stronghold on the market! Being the victim of one of these attacks can be embarrassing and financially detrimental.
How do Hacker’s Deface Websites?
Hackers employ a number of tools and methods to gain control of a website’s content. In most instances they will gain access to the server via a security lapse in the operating system, unsafe web site applications, or another flaw in the server’s security. If the hacker cannot access the server through a basic loophole, they may execute browser based attacks with remote code. Regardless of how the hacker gains access to your site, you should be prepared and secured against such an attack.
Preventing Defacement With Website Security
To prevent defacement, you will need to make sure your data is secured on both your server and your computer. Website security should be a top priority any time you are looking for a web hosting provider. Make sure you ask about protection against website defacement when you are inquiring with the companies customer service rep. If you host a private server then you will want to make sure the server is in a safe place. Co-location hosting is an option for people who are looking or top-notch security without having their own warehouse or storage facility.
Preventing Defacement with Server Security
Having your server stored in a secure place will keep your hardware secure, but it will not fully secure the data stored on the hardware. In fact, most hackers don’t even consider stealing your hardware, they would rather access it remotely through a security lapse in an application stored on the server. Keeping your operating system updated with the latest patches will make the hacker’s job much more difficult. It is also a good idea to keep your web applications and any other software associated with your server updated and secure. Even after you have acquired all of the updates needed, it is still necessary to encrypt any data stored on, or sent through the server.
Preventing Defacement with Secure Applications
Quite often, hackers gain access to the server through a web application with weak security. In fact, most web applications have faults that can be easily exploited. For this reason you should only use web applications that you know are secure. If you have the resources, you may want to have your web applications designed by a personal team of developers who are aware of your security needs. If you cannot have this done then it is prudent to minimally research the possible security flaws that exist within the applications you are currently using.
Website Security: Avoiding Downtime That Results in Loss of Profit
Posted by: | CommentsRunning an online business is not an easy task, and it can be very difficult to stay on top of all of the responsibilities that come with it. Customer satisfaction and safety is of the utmost importance when running an ecommerce site, and the only way to ensure the security of your website is by following strict security protocols on a regular basis. Hackers are constantly searching for security loopholes and lapses that they can exploit to gain access to sensitive information such as credit card numbers. Sometimes, even when they are not successful at retrieving this information, they can still cause your site to crash by consuming server resources. When you site goes down, even for a few minutes, you could possibly lose several customers and thousands of dollars. To prevent yourself form losing business due to poor security measures, the following precautions should be exercised.
Serious Firewalls
Even though most web hosting providers employ firewalls by default, a lot of these firewalls are not properly configured and the restrictions can easily be circumvented by a knowledgeable hacker. If you want to ensure the security of your website(s), then you should inquire about he strength of the firewalls and it is important to have the capability to adjust firewalls to your specifications. If your web hosting company does not allow you to make changes to your site’s firewall, then you need to consider another service.
A good example of the need for firewall administration abilities, would be when a hacker is sending malicious traffic to your site form a certain IP. In this instance, it would be crucial to block this IP, and as a domain owner with a hosting account, you should have the right to do so. The safest web hosting services offer IDS (Intrusion Detection Systems). Any breaches to your firewall can cause downtime and loss of business, therefore it is crucial to have the serious firewalls protecting your website a all times.
Protection from Distributed Denial of Service Attacks (DDoS)
Although a DDoS attack is a very basic and commonly used attack, it is also extremely difficult to prevent and treat. This simple yet effective attack can cause downtime in many websites by affecting the server functionality. This means that even users who are unrelated to the attack will suffer. Therefore it is important to inquire about an Anti-DDoS feature before purchasing a web hosting plan.
Proper Data Encryption
If you plan on selling your services or products online, then data encryption is essential. All web hosting plans should include SSL encryption. SSL encryption will transform sensitive date from plain text into special code that make interception by a hacker very difficult. While most web hosting companies offer this feature by difficult. You may want find one that will give you the option to purchase a private certificate for added security benefits.
The Top 3 Web Hosting Security Issues
Posted by: | CommentsSecurity is by far one of the most important factors to consider when choosing a web host. With so many possible threats online, it is not as hard as on might think for a security lapse to occur. Security is not something that should be taken lightly by the consumer or the web host, as there are several threats that could result in serious financial turmoil. The following are three threats in particular that are becoming increasingly common, and that are responsible for a large portion of the security issues involved with web hosting.
Credit Card Fraud
The internet is a massive virtual marketplace, swarming with merchants, customers, and people who would like to take advantage of both the merchant and the consumer. The people looking to exploit any security fault they can are commonly referred to as “hackers.” Hackers see the web as an opportunity to prey on the weaknesses of other individuals and companies. A vulnerable website makes an ideal target for these hackers, especially if the website is engaged in daily e-commerce. Many of them have access to highly advanced applications that are capable of telling them if there any “loopholes” they can exploit. Any online store they can find with a single security lapse will become a feeding ground for them, resulting in thousands of dollars stolen form your customer’s credit cards. Once the hacker has the credit card details of your customer’s, the situation becomes progressively worse. Of course, the customer is going to be inclined to believe that you are the thief, and they will not want to accept the fact that you are actually the victim. This kind of situation can result in lawsuits, and even the loss of your online business!
Bot Rings
Then there is the possibility of a horrid “DDoS attack.” A DDoS attack is a security exploit that is normally employed by criminals that are members of or have control of “botnets.” DDos stands for “Distributed Denial of Service.” A bot ring is a group of hackers, or programmed computer’s that are set up to carry out a specific task. A DDoS attack is executed by a botnet that continually floods the network with DDoS requests. As the network is flooded with requests, it slows down until ultimately traffic screeches to a halt. Even though the DDoS attack is one of the oldest online security exploits, it is still extremely difficult to prevent because of it’s organic and seemingly genuine nature. Once the server’s traffic has been affected the hacker then takes control of the server, using it as a puppet to find other vulnerable servers. Once the hacker has gained control over several servers, they then begin their attack on the target of their choice. To prevent your business from being a victim of one of these attacks, make sure you discuss this threat with any prospective web hosts, to be sure they are aware of this threat.
Malicious Software
Then there are the threats that pose a virtual risk to the web hosting providers. Hackers may attempt to attack a web hosts server or network with a malicious application designed to retrieve crucial information. This malicious software is called “malware” ( a combination of the two words). While server’s generally have more stringent security measures in place, they are still susceptible to the same threats that a personal computer may be faced with. You can avoid these kind of security lapses by ensuring that your prospective host takes the proper precautions to defend against all forms of malware. Do not be afraid to ask questions about the security measures they have in place, before hand. It is important to remember that once the web host’s server is compromised to malware, every bit of information on the server can be accessed, including your web site’s financial data.
Major Threats to Business Website Security
Posted by: | CommentsAny organization would find it irresponsible and downright silly to not have anti-virus software installed on their office systems. Most would also have solutions in place to compensate for data restoration should their be a hardware failure or disaster caused by some sort of natural disaster. Surprisingly enough, far two many business owners are unaware that their websites are vulnerable to the same type of attacks as their local machines. This is especially the case in shared and virtual environments where a multitude of sites are running on the same server.
In May 2007, more than 90,000 sites were compromised by hackers, a large scale exploit designed to illegally install malicious code on the computers of visitors who clicked on seemingly harmless search results. A StopBadware study showed that an estimated 10% of those compromised sites were maintained by one hosting firm in particular, which accounted for 250,000 infectious websites. This is just one of many examples that prove no website is ever as safe as we might think.
Common Threats to Business Websites
Hackers employ several methods and tricks to exploit websites. Below we will focus on three that are most commonly used to attack business sites: SQL injection, cross site scripting and CRLF injection.
SQL Injection
SQL injection is by far one of the most popular website attacks employed today. This technique primarily works by sending false or malicious requests to a back-end database to manipulate the information it contains. By doing so, the attacker can view whatever information is stored in the database, change it, or erase it completely. Most websites would not exist without the presence of databases but unfortunately, any site that features shopping carts, search fields, and any type of web form is susceptible to SQL injection. The fields that require interaction from your visitors and customers could open up the door a hacker needs to thieve sensitive data and destroy your company.
Cross Site Scripting
Cross site scripting is another common attack that exploits holes in dynamic websites. Dynamic pages can allow an attacker to insert malicious code and trick an end-user into running a harmful script on their computer. If the user executes the code, the hacker could gain access to all of the sensitive information on their local machine. Cross site scripting takes advantage of numerous programming technologies including Active X, Flash, Javascript and VBScript.
CLRF Injection
Unlike most exploits, CLRF injection does not take advantage of security vulnerabilities in the operating system or web software. Instead, it exploits the manner in which the application was scripted. For instance, an attacker can insert a statement into a web form along with code from CR (Carriage Return) and LF (Line Feed) characters. The chance for exploit arises when the application mistakes this injection for a CLRF used in the initial development stage. This attack is very dangerous as it has the power to disable an entire website.
This article is not aimed to make you a website security expert, but make you aware that security for your business site should be equally important as your local machines. To assume that your business will never be exploited only exposes you to unnecessary risks that could put you out of commission effective immediately.