Archive for hacking
Shared Hosting and Site Downtime
The reliability of a hosting company is perhaps its most important attribute, since every other feature of the hosting account is useless without a server that is actually up. Some types of web hosting are more reliable than others; dedicated hosting is generally considered one of the most reliable kinds of account available. With shared hosting your site lives on a server alongside hundreds of other sites. While this usually does not present problems, there are times when the server crashes or requires maintenance.
DDoS Attacks
Attacks on hosting providers are common, so it is important to pick a plan from a provider that takes adequate security precautions. Most shared hosting accounts are sold by companies that are generally reliable, but there are many independent resellers selling accounts that are less than secure.
Shared hosting accounts are the cheapest, and the low price often means less attention to hardening, monitoring and upstream DDoS mitigation. A DDoS attack needs no flaw in the software at all: it simply floods the server with more traffic than it can absorb, and it can bring a server down in a few minutes. The problem with shared hosting is that a single site may be the target, yet the entire server goes down with it, taking every unrelated site on that server offline as well. When comparing providers, ask whether they have network-level DDoS filtering and how they isolate a targeted customer from the rest of the server.
Server Maintenance
Shared web servers also require more maintenance, since many web sites are hosted on the same machine. In some cases the servers are rebooted as often as three or four times per month, and while the server is being reset the site is down for about half an hour. This creates a very bad impression for visitors who arrive during that window. Using a VPS or dedicated server minimizes, if not completely eliminates, this kind of downtime, because your environment is not rebooted whenever another customer's site needs attention.
Server Limitations
Aside from the above problems, shared web servers also have significant limitations because resources are finite and usage is spread across many unrelated sites. With so many sites on the same server it is impossible to predict its reliability: a traffic surge to any one of them can occur at any time of day and exhaust CPU, memory or connections for everyone, taking every site on the server down with it. These limitations are much less of a factor with VPS and dedicated hosting, where resources are reserved for you. Any serious site owner should consider an option with fewer limitations and more reliability when evaluating prospective web hosting providers. If you do decide to purchase a shared hosting account, buy it from a reputable company.
Conclusion
Shared hosting accounts are a good fit for novice webmasters with minimal needs, but they are not recommended for online businesses. If you want to keep your visitors coming back, you need a reliable site that is online around the clock.
False User Authentication: A Common Hacking Tactic
User authentication is an important security measure that protects your website and its applications, yet this same mechanism can be turned to a hacker's advantage. When users need access to a restricted area of the site, they provide their login information (username and password) to prove they are a genuine member. Once the identity of the user has been validated against the stored credentials, the application grants them access to that area. While this deters the novice, a more determined intruder needs nothing more than plain HTTP requests to the login form to work around the process and reach sensitive areas of your website.
What Can Happen
A hacker abuses the authentication process by convincing the application that they are a valid user. If the hacker can only obtain access as a standard user, the damage they can inflict is limited. If they gain administrative access, however, they can take complete control of the website and all of its stored data in a very short period of time. This can be fatal to an online business, especially if the attacker reaches customer or financial information.
The Process of False User Authentication
The process usually begins with the hacker locating the login page where credentials are entered. Once they know its URL, they feed it to a tool that repeatedly submits candidate usernames and passwords until a working combination is found. Often the hacker first tries a handful of obvious guesses by hand before resorting to automation. For this reason, never use a default or trivial administrator username and password such as "admin" or "1234." Automated guessing of this kind is known as a "brute force attack"; when the guesses come from a list of common passwords rather than every possible combination it is usually called a dictionary attack.
Preventing and Combating False User Authentication
Guessing tools depend on the server telling attempts apart. A different error message, status code, response length or response time for "no such user" versus "wrong password" lets the attacker confirm which usernames exist and then concentrate their guesses on those. One defence is to make every failed login look the same: return one generic message with the same status code whether the username or the password was wrong, and do the same amount of work (for example, always compute the password hash, even for an unknown user) so that timing does not leak the difference. The often-repeated advice to answer every unexpected request with "HTTP 200 OK" only helps if the body is identical too; a tool keyed on response length or content will still tell the attempts apart. The second defence is to make guessing expensive: lock or throttle an account after a small number of failures, rate-limit login attempts per source address, and require a CAPTCHA, a challenge such as distorted text that a human can answer but a script cannot easily. Most control panels and CMS packages offer a CAPTCHA or login-limiting plugin. Together these measures make brute force attacks impractical for most attackers; multi-factor authentication goes further still, since a guessed password alone is then not enough.
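The following is an added example, not code from the original post, showing the two defences just described side by side: a "leaky" login handler whose distinct error messages reveal whether a username exists, and a hardened one that returns one generic message, does the same hashing work for unknown users, compares in constant time and locks the account after repeated failures. The user table, passwords and guess list are constructed for the demonstration; PBKDF2 from the standard library stands in for a proper slow hash such as bcrypt or Argon2.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # deliberately low so the example runs quickly; use a slow KDF in practice


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (stdlib stand-in for bcrypt/Argon2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user_table(creds: dict) -> dict:
    """Constructed user table: username -> (salt, derived key)."""
    table = {}
    for name, pw in creds.items():
        salt = os.urandom(16)
        table[name] = (salt, derive(pw, salt))
    return table


class LeakyLogin:
    """The weak pattern: distinct errors tell the guesser which usernames exist,
    and nothing slows down repeated attempts."""

    def __init__(self, users: dict):
        self.users = users

    def login(self, username: str, password: str, now: float = 0.0) -> str:
        if username not in self.users:
            return "unknown user"          # leaks that the account does not exist
        salt, key = self.users[username]
        if derive(password, salt) != key:  # plain, non-constant-time comparison
            return "bad password"          # leaks that the account does exist
        return "ok"


class HardenedLogin:
    """Uniform failure message, constant-time compare, equal work for unknown
    users, and a per-account lockout after repeated failures."""

    def __init__(self, users: dict, max_attempts: int = 5, lockout_seconds: int = 900):
        self.users = users
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.failures = {}  # username -> (failure count, locked_until timestamp)
        # Dummy credential so an unknown username costs the same KDF work as a real one.
        self._dummy_salt = os.urandom(16)
        self._dummy_key = derive("placeholder", self._dummy_salt)

    def login(self, username: str, password: str, now: float = 0.0) -> str:
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return "login failed"          # locked: the password is not even evaluated
        salt, key = self.users.get(username, (self._dummy_salt, self._dummy_key))
        match = hmac.compare_digest(derive(password, salt), key)
        if username in self.users and match:
            self.failures.pop(username, None)
            return "ok"
        count += 1
        if count >= self.max_attempts:
            locked_until = now + self.lockout_seconds
        self.failures[username] = (count, locked_until)
        return "login failed"              # identical for bad username and bad password


def guess(service, username: str, candidates, start: float = 0.0) -> list:
    """Replay a constructed guess list against a service, one attempt per simulated
    second, and collect the replies the attacker would see."""
    return [service.login(username, pw, now=start + i) for i, pw in enumerate(candidates)]


if __name__ == "__main__":
    users = make_user_table({"admin": "Tr0ub4dor&3"})
    wordlist = ["1234", "password", "admin", "letmein", "qwerty", "Tr0ub4dor&3"]
    print("leaky, real user   :", guess(LeakyLogin(users), "admin", wordlist))
    print("leaky, unknown user:", guess(LeakyLogin(users), "nobody", wordlist[:2]))
    print("hardened           :", guess(HardenedLogin(users), "admin", wordlist))
```

Against the leaky handler the guess list immediately separates "unknown user" from "bad password" and eventually yields "ok"; against the hardened handler every reply is "login failed", including the sixth, correct guess, because the account was locked after the fifth failure. Two caveats a practitioner would add: a per-account lockout lets an attacker deliberately lock out real users, so pair it with per-source rate limiting and a short lockout rather than a permanent one, and the `failures` dictionary here grows without bound and would need expiry in a real service.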
Five Simple Website Safety Tips
Google, Microsoft, and The New York Times are just a few of the big names that have suffered notable security breaches in recent years. Hacking has become an industry of its own, and there is a lot of money to be made by unscrupulous characters who are good at it. While there is a good chance your website is safe, there is also a real possibility that it is vulnerable to a wide range of threats. Unfortunately, many new customers presume that because they signed up with a well-known web hosting firm they are automatically protected from a breach. They believe the host will handle all the security measures while they sit back and simply maintain their website. That kind of thinking is what makes you an easy victim. Your best defence is to take the necessary measures yourself.
A Little Common Sense Goes a Long Way
While many security software solutions exist, some of the best ways to defend yourself can be summed up to applying common sense. Here are five simple tips to help keep your website safe and secure:
1.) Smart E-commerce – If you plan to sell goods or services through a shopping cart, make sure the software is properly configured and secured. If you do not have that knowledge, bring someone on board who does.
2.) Password Protection – Use strong, unique passwords for every website application that requires a login, from your control panel to your CMS. A good rule of thumb is to combine numbers, letters and symbols, never reuse a password across sites, and never use something others can associate with you.
3.) Monitor Your Server Logs – By checking your server logs regularly you may spot unusual activity: bursts of failed logins from one address, requests for admin paths you never published, or floods of 404s from a scanner. Because knowing what to look for can be difficult, many tools will analyse your log files for you and send alerts when suspicious behaviour is detected.
4.) Update Your Web Applications – An outdated web application is one of the most vulnerable points of a website. Attackers are constantly finding new ways to compromise software, so if your applications are not up to date you can be exploited. Keep in mind that most updates contain critical fixes for known security issues.
5.) Backup Your Website – Because no website is ever 100% secure, back up your site and all the files it contains frequently. Don't overlook this. Hackers target not only websites but entire web servers; if the server your site resides on is compromised, you could lose everything you worked so hard to build. Regular backups give you the assurance that your data can be restored should a disaster occur. Keep a copy somewhere other than your own hard drive in case ill fate strikes your computer, and test restoring from it occasionally, since a backup you have never restored is only a hope.
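As an added example for tip 3 (not code from the original article), here is a small log analyser that reads Apache/nginx "combined" format access log lines and flags two of the patterns mentioned: a burst of failed POSTs to the login page from one address, and a flood of 404s from a path scanner. The log lines, IP addresses, paths and timestamps are constructed for the demonstration; the login path `/login`, the window sizes and the thresholds are assumptions you would tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format:
# ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def _line(ip, hms, method, path, status, agent):
    """Build one constructed log line (sample data only, not a real log)."""
    return (f'{ip} - - [10/Oct/2023:{hms} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "{agent}"')


# Constructed sample: a normal visitor who mistypes a password twice, a password-guessing
# burst against /login from one address, and a path scanner collecting 404s.
SAMPLE_LINES = (
    [_line("203.0.113.9", "13:55:01", "GET", "/", 200, "Mozilla/5.0"),
     _line("203.0.113.9", "13:55:20", "POST", "/login", 401, "Mozilla/5.0"),
     _line("203.0.113.9", "13:55:35", "POST", "/login", 401, "Mozilla/5.0"),
     _line("203.0.113.9", "13:55:50", "POST", "/login", 302, "Mozilla/5.0")]
    + [_line("198.51.100.7", f"13:56:{s:02d}", "POST", "/login", 401, "python-requests/2.31")
       for s in range(0, 24, 2)]
    + [_line("192.0.2.44", f"14:02:{s:02d}", "GET", f"/probe{s}", 404, "curl/8.0")
       for s in range(25)]
)


def parse(lines):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
            "agent": m["agent"],
        })
    return events


def bursts(events, predicate, window_seconds=60, threshold=10):
    """For each source IP, find the largest number of events matching `predicate`
    inside any sliding window, and report the IPs whose peak reaches `threshold`."""
    by_ip = defaultdict(list)
    for e in events:
        if predicate(e):
            by_ip[e["ip"]].append(e["time"])
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


def failed_login(e):
    # Assumption: the login form lives at /login and rejects with 401/403.
    return e["method"] == "POST" and e["path"].startswith("/login") and e["status"] in (401, 403)


def not_found(e):
    return e["status"] == 404


def analyse(lines):
    """Run both detections over a sequence of log lines and return the findings."""
    events = parse(lines)
    return {
        "login_guessing": bursts(events, failed_login, window_seconds=60, threshold=10),
        "path_scanning": bursts(events, not_found, window_seconds=60, threshold=20),
    }


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LINES).items():
        for ip, peak in hits.items():
            print(f"{kind}: {ip} ({peak} events within 60s)")
```

The normal visitor's two typos stay below the threshold while the guessing burst and the scanner are both reported. One caveat when adapting this: many applications answer a failed login with a `200` and an HTML error page rather than a `401`, so check what your own login form returns before relying on the status code in `failed_login`.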
Authentication Hacking: Is Your Site Vulnerable?
Authentication plays an important part in securing a website and its applications. It works by verifying a user's identity, comparing the username and password entered against the stored credentials, and then granting or denying specific privileges on that basis. Though it adds a layer of protection, authentication is itself a frequent target. In most cases this type of attack does not exploit a security hole in the web server or operating system software; it targets weak passwords and the login process itself.
By successfully attacking the authentication step, an intruder logs into the system as a known, valid user and inherits whatever privileges the administrator assigned to that account. That may mean access to a limited set of information, or global access across the entire system, which in the latter case can hand them control of the application or website itself. At that point the attacker can cause a great deal of trouble.
Tools of the Trade
Most attackers go in through the application's login screen, the page that asks for a username and password. Their aim is to hit a combination the application accepts as valid, ideally one with the highest level of privileges in the system. While this is not the most sophisticated attack, password guessing is one of the most effective ways to defeat an authentication scheme. It can be done by hand or with software that automates the guessing.
If manual guessing fails, the next step is usually an automated tool such as Brutus or WebCracker, both of which are freely available on the web. These tools are built to defeat login forms by submitting a predefined list of usernames and passwords, and they are best known for dictionary and brute force attacks. A dictionary attack, as the name suggests, works from a prepared list of common words and passwords, typically with variations such as capitalisation and appended digits, and tries thousands of combinations in search of a valid username and password. Brute force, in its pure form, tries every possible combination of characters up to some length; against a stolen password hash this is an offline computation, while against a login form every guess is one HTTP request. Both have proven very effective at guessing weak passwords and bypassing authentication.
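To make the difference between the two techniques concrete, here is an added example (not code from the original article or from the tools it names) that runs a small dictionary attack with mangling rules and an exhaustive brute force against constructed password hashes. The "leaked" hashes are unsalted SHA-256 purely so the example is fast and needs only the standard library; the wordlist, the mangling rules and the two passwords are made up for the demonstration.

```python
import hashlib
import itertools
import string


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


# Constructed "leaked" credential store: a human-chosen password and a random 4-letter one.
TARGETS = {
    "bob": sha256_hex("letmein1"),
    "eve": sha256_hex("zqkp"),
}

# Constructed wordlist; real ones run to millions of entries.
WORDLIST = ["password", "letmein", "admin", "welcome", "qwerty"]


def mangle(word: str):
    """Yield the word plus the kind of variants an attacker's rule set tries first:
    capitalised, and with a few popular suffixes."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!", "2023"):
        yield word + suffix
        yield word.capitalize() + suffix


def dictionary_attack(target_hash: str, wordlist):
    """Try every mangled wordlist entry; return (password, attempts) or (None, attempts)."""
    attempts = 0
    for word in wordlist:
        for candidate in mangle(word):
            attempts += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def brute_force(target_hash: str, alphabet: str, max_len: int):
    """Try every string over `alphabet` up to `max_len` characters, shortest first."""
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(chars)
            if sha256_hex(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Number of candidates a brute force must cover for all lengths 1..max_len."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


if __name__ == "__main__":
    for user, h in TARGETS.items():
        pw, n = dictionary_attack(h, WORDLIST)
        print(f"{user}: dictionary -> {pw!r} after {n} guesses")
        if pw is None:
            pw, n = brute_force(h, string.ascii_lowercase, 4)
            print(f"{user}: brute force -> {pw!r} after {n} guesses "
                  f"(keyspace {keyspace(26, 4)})")
    print("95 printable chars, 12 long:", keyspace(95, 12), "candidates")
```

Bob's "letmein1" looks a little better than a bare dictionary word, but it falls to the dictionary attack on the 13th guess. Eve's password is not in any list and has to be brute forced, which takes several hundred thousand guesses even though it is only four lowercase letters; the same arithmetic for twelve printable characters gives a number no attacker can enumerate. Against a login form rather than a stolen hash the counts are identical, but each guess is a network request, which is exactly why the lockouts and rate limits discussed elsewhere on this page work.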
Prevention and Protection
Stopping an authentication attack can be difficult, especially given the sophistication of the techniques and tools in circulation. Fortunately, there is a way to test the strength and overall effectiveness of your authentication methods: authentication testing, a feature commonly found in web vulnerability scanners. These tools are generally easy to configure to test every login-protected application on your site automatically, trying default and common credentials and checking whether repeated failures are throttled. Most also scan for other common flaws such as SQL injection, cross-site scripting and cross-site request forgery. Bear in mind that a scanner only reports what it finds; fixing weak passwords, adding lockout or rate limiting, and enabling multi-factor authentication is still your job.