Web Site Security Guide

If you intend to keep personal or customer information online, especially within e-commerce sites, then some consideration must be given to the security of your data. If a company wants to be seen as credible and trustworthy, then the last thing it needs is to be contacting its customers with news of lost or stolen personal information. Other negative consequences are false transactions due to fraudulent activity, website downtime while the security issues are repaired, and the possibility of being sued by customers who have incurred a loss. Of course, any web developer worth his salt will understand such issues without the client needing to raise them.

Note, however, that there is no such thing as 100% security. It does not exist, especially in the field of computing, where a few quite talented hackers will always find some exploit; but in general there are three main areas to consider.

Business Computers and Applications

Almost all business computers use Microsoft software to operate the computer hardware. Microsoft dominate the desktop software packages, apart from accounting software like Sage Line etc. Unfortunately, Microsoft systems and software packages are extremely vulnerable to security flaws in their programming. Obviously it's something Microsoft try to keep quiet. Microsoft's pricing and aggressive marketing have seen off quite a few worthy alternatives. Only Apple Macintosh, Sun Microsystems and IBM (Linux and Unix open source freeware systems) have survived, and the latter are very robust security-wise. In comparison, the most robust systems require a dozen or so security fixes annually, whereas Microsoft systems require a dozen essential daily security fixes (they call them Updates). Need I say more?

Firewalls, Virus Checking, Spyware and Email

Suffice it to say that if you intend to use Microsoft-based computers then you will need to employ these security measures to protect your systems and data. I would insist that any computers used in the running of an e-commerce site have the following installed and properly configured.

Firewall- There are various software-based firewall programs available. I wouldn't recommend a novice try to configure his router's hardware firewall. One excellent free version is Zone Alarm, and Norton offer a very good firewall and virus checker which costs around £40. Firewalls protect the ports that computers use to communicate and offer intrusion protection. For example, port 80 is the standard HTTP port through which browser software such as Internet Explorer sends and receives data from the Internet. There are around 65,000 possible ports available to communicate through. It's necessary to configure the firewall to accept program access on certain ports you specify. However, the pre-configured settings work very well.

Virus Checking- Virus checking software is used to scan your computer's memory and hard drives for resident computer viruses, worms, Trojan horses, diallers etc. Mostly, viruses are used to gain access to your data, to replicate the infection to other computers, or to use your computer without your knowledge for illegal activities. Sometimes your computer may be used, in conjunction with many others, to attack other computers; this is often called a Denial of Service (DoS) attack. Outright destruction of the system is a far less common motive now. The software's library of known viruses is updated regularly. Most virus software will also, to some extent, protect against software security flaws too.

Spyware Removal- There are a number of very good free spyware tracing and removal programs such as Spybot. Spyware is essentially a small computer program that infects a computer in order to collect data or redirect the user to inappropriate website content. It can also take over important settings in the operating system on Microsoft computers, because MS had the very strange notion of tying Internet Explorer into the core of the operating system. Unbelievable, considering the security flaws in IE. Spyware removal is automated and cleans the computer's registry, drives and memory. Spyware can also cause a noticeable decrease in the computer's performance.

Email- Email is the most popular way of spreading a virus; however, most virus checking software will check incoming email. More sophisticated methods use email to trick the receiver into giving out personal information. Popular techniques are phishing, where an email is a fake identical to one from a well-known company, and pharming, where an email takes you to a fake identical website. Both are very realistic, though a look at the URL will show the fake domain name. NEVER give out any personal information in response to an email request. Period.

Here is a good example of how viruses are spread via email. The screenshot below shows an incoming spam email for a Facebook friend request. Clicking on the Confirm Friend link, or any other link, takes you to a sub-page on the www.gk99.tw website, which tries to exploit a potential security flaw in the Windows OS and infect your system with the DR/Zapchast.E Trojan. What the Trojan can do is limited by the user's privileges on the target computer, but this normally includes data theft, modification or deletion of files, keystroke logging, and use of the machine as part of a botnet to send mass spam or to take part in denial-of-service attacks.

(Screenshot: DR/Zapchast.E virus spread through email)

A check of the email headers shows: Received-SPF: none (mta1016.bt.mail.ird.yahoo.com: domain of postmaster[at]adp-architects.com does not designate permitted sender hosts). This basically means Facebook did not send the email; adp-architects.com did, and the email server functions of that website have been compromised in some way.
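The header check described above can be automated. The following is an added example, not code from the original article: it parses a constructed raw message (modelled on the Facebook-style spam, reusing the Received-SPF line quoted in the text) and flags two things a reader would otherwise check by eye: an SPF result other than "pass", and a From header whose domain differs from the envelope-sender domain named in the SPF check. The parsing of the parenthesised SPF comment is a heuristic for the common "domain of ..." phrasing and is an assumption of this example, not a standard.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample, modelled on the spam described above: the From header
# claims Facebook, but the SPF check names a different envelope-sender domain.
SUSPECT_MESSAGE = b"""Received-SPF: none (mta1016.bt.mail.ird.yahoo.com: domain of postmaster@adp-architects.com does not designate permitted sender hosts)
Return-Path: <postmaster@adp-architects.com>
From: "Facebook" <notification@facebook.com>
To: recipient@example.net
Subject: You have a new friend request

Click the link below to confirm the friend request.
"""

# Constructed control message: envelope sender and From agree and SPF passes.
CLEAN_MESSAGE = b"""Received-SPF: pass (mx.example.net: domain of news@example.org designates 192.0.2.10 as permitted sender)
Return-Path: <news@example.org>
From: "Example Newsletter" <news@example.org>
To: recipient@example.net
Subject: Monthly update

Nothing to see here.
"""

# Heuristic (an assumption of this example): capture the result token and the
# address after "domain of" inside the parenthesised comment of Received-SPF.
SPF_RE = re.compile(r"^\s*(\w+)\s*\((?:[^:()]+:\s*)?domain of\s+(\S+)", re.I)


def parse_received_spf(value):
    """Return (result, envelope address) from a Received-SPF value, or (None, None)."""
    m = SPF_RE.match(value or "")
    if not m:
        return None, None
    return m.group(1).lower(), m.group(2).strip("<>")


def domain_of(address_header):
    """Extract the bare domain from a 'Name <user@host>' style header value."""
    _, addr = parseaddr(address_header or "")
    return addr.rpartition("@")[2].lower()


def assess_message(raw_bytes):
    """Compare the claimed From domain against the SPF-checked envelope domain."""
    msg = email.message_from_bytes(raw_bytes)
    from_domain = domain_of(msg.get("From"))
    result, spf_address = parse_received_spf(msg.get("Received-SPF"))
    # Prefer the domain named in the SPF check; fall back to Return-Path.
    envelope_domain = domain_of(spf_address) or domain_of(msg.get("Return-Path"))

    findings = []
    if result != "pass":
        findings.append(f"SPF result is {result!r}: sending host not verified for {envelope_domain or 'unknown'}")
    if envelope_domain and envelope_domain != from_domain:
        findings.append(f"From header claims {from_domain} but envelope sender domain is {envelope_domain}")
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "spf_result": result,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, assess_message(raw))
```

Run against the suspect message it reports both findings; the clean control message produces none. In a mail gateway the same two signals are what DMARC alignment checks formalise, which is why enforcing DMARC on inbound mail catches this class of spam without anyone reading headers.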

One simple check for a non-technical person is to hover the mouse over any link and look at the bottom of the browser window, where the URL the link points to is shown. One would expect a www.facebook.com URL to be shown.

LinkedIn Fake Email Example

(Screenshot: LinkedIn password hack email)

The image above shows a fake email from LinkedIn. Hovering over the link text within the email should show it pointing to the www.linkedin.com domain. It actually points to IP address 212.98.167.145, which resolves to a web server in Belarus. I am sure LinkedIn are not located in Belarus! (It's a US company.) A good antivirus program would probably mark that IP address as suspicious and block the page from loading. It is a password hack scam.
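The "hover over the link" check from the Facebook and LinkedIn examples above amounts to comparing three things: the domain the email claims to be from, the host in each link's href, and any domain shown in the link's visible text. The following is an added example, not code from the original article, that performs that comparison over a constructed HTML body modelled on the LinkedIn email (the 212.98.167.145 address is the one quoted in the text; the paths and the other two links are made up). The "last two labels" notion of a registrable domain is a simplification assumed here; a real tool would use the public suffix list.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML modelled on the LinkedIn example above. The IP address is the
# one quoted in the article; the link paths and the third link are invented.
SAMPLE_EMAIL_HTML = """
<p>Your LinkedIn password needs to be reset.</p>
<p><a href="http://212.98.167.145/linkedin/reset.php">www.linkedin.com/reset</a></p>
<p><a href="https://www.linkedin.com/help">Help centre</a></p>
<p><a href="http://linkedin.com.example-login.net/">Sign in</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


# A domain-looking token in the visible link text, e.g. "www.linkedin.com/reset".
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable(host):
    """Crude 'last two labels' domain; an assumption of this example, not a public-suffix lookup."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href, text, expected_domain):
    """Return the reasons a link is inconsistent with the domain the email claims to be from."""
    reasons = []
    host = urlparse(href).hostname or ""
    if is_ip(host):
        reasons.append(f"href points at a bare IP address ({host})")
    elif host and registrable(host) != registrable(expected_domain):
        reasons.append(f"href host {host} is not under {expected_domain}")
    shown = DOMAIN_IN_TEXT.search(text)
    if shown and host and registrable(shown.group(1)) != registrable(host):
        reasons.append(f"visible text shows {shown.group(1)} but href goes to {host}")
    return reasons


def suspicious_links(html_body, expected_domain):
    """List (href, text, reasons) for every link that fails check_link."""
    parser = LinkCollector()
    parser.feed(html_body)
    results = []
    for href, text in parser.links:
        reasons = check_link(href, text, expected_domain)
        if reasons:
            results.append((href, text, reasons))
    return results


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL_HTML, "linkedin.com"):
        print(href, "|", text, "|", "; ".join(reasons))
```

On the sample body the IP-address link is flagged twice (bare IP, and visible text that names linkedin.com while the href does not), the look-alike "linkedin.com.example-login.net" link is flagged once, and the genuine help-centre link passes. That third case is worth noting: the real domain appearing as a prefix of a longer hostname is the usual trick for fooling a quick glance at the status bar.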

Web Server Configuration

Directory Traversal & Browsing- This is a method a hacker would employ to access sensitive data held on the web server where your e-commerce site is installed. Each domain is generally given its own root directory, which restricts access to other parts of the server for obvious security reasons. Filtering the paths in HTTP requests before the server acts on them is the best prevention of directory traversal attacks. A web developer should make sure that the latest server software and security fixes have been installed. Default server scripts should also be removed.
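The "filter the request" advice above is best done by resolving the requested path against the site's root directory on the real filesystem and refusing anything that ends up outside it, rather than by searching the path text for suspicious substrings. The following is an added example, not the article's code, showing that approach for a script that serves files itself: it decodes percent-encoding (twice, so double-encoded sequences are caught), rejects NUL bytes, and compares the resolved location with the resolved root. The `demo()` function builds a throwaway document root and classifies a handful of constructed request paths.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote


class UnsafePath(ValueError):
    """Raised when a request path would resolve outside the document root."""


def resolve_request_path(docroot, request_path):
    """Map the path part of a URL onto a file under docroot, or raise UnsafePath."""
    # Decode twice so a double-encoded sequence such as %252e%252e is also caught.
    decoded = unquote(unquote(request_path))
    if "\x00" in decoded:
        raise UnsafePath("NUL byte in request path")
    relative = decoded.replace("\\", "/").lstrip("/")
    root = Path(docroot).resolve()
    # resolve() collapses '.' and '..' and follows symlinks, so the comparison
    # below is made on the real filesystem location, not on the text of the path.
    candidate = (root / relative).resolve()
    if candidate != root and root not in candidate.parents:
        raise UnsafePath(f"{request_path!r} escapes the document root")
    return candidate


def demo():
    """Build a scratch document root and classify some constructed request paths."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "images").mkdir(parents=True)
        (root / "index.html").write_text("<h1>shop</h1>")
        requests = [
            "/index.html",                    # ordinary request
            "/images/../index.html",          # '..' that stays inside the root
            "/../../etc/passwd",              # plain traversal
            "/%2e%2e/%2e%2e/etc/passwd",      # percent-encoded dots
            "/%252e%252e/secret",             # double-encoded dots
            "/index.html%00.jpg",             # NUL byte to fool extension checks
        ]
        for req in requests:
            try:
                served = resolve_request_path(root, req)
                outcomes[req] = str(served.relative_to(root.resolve()))
            except UnsafePath:
                outcomes[req] = "rejected"
    return outcomes


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req:32} -> {outcome}")
```

The second request is the instructive one: it contains `..` yet is legitimate, because it never leaves the root. A substring filter would reject it (or, worse, would be bypassed by the encoded variants), whereas resolving the real path handles all six cases uniformly. Production web servers do this for their own document root; the check matters when your own script opens files named by a request parameter.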

File Permissions- Each file and directory within the root directory of your e-commerce domain should have its file permissions set correctly, so that files which should be hidden from browser viewing cannot be accessed.
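Checking that permissions are "set correctly" is easy to automate on a Unix host. The following is an added example, not code from the article, that walks a document root and reports the two mistakes most often found there: anything world-writable (an upload directory that any local account can drop scripts into) and configuration or dump files that are world-readable. The list of sensitive file names is an assumption of this example; extend it to match your application. The `demo()` function creates a scratch root with deliberately wrong modes.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumed list of files that hold secrets or data and should never be world-readable.
SENSITIVE_NAMES = {".htpasswd", ".env", "config.php", "wp-config.php"}
SENSITIVE_SUFFIXES = {".sql", ".bak", ".old"}


def audit_permissions(docroot):
    """Return (relative path, problem) pairs for risky modes under docroot."""
    findings = []
    root = Path(docroot)
    for path in sorted(root.rglob("*")):
        rel = str(path.relative_to(root))
        if path.is_symlink():
            # A symlink can point anywhere; flag it for manual review rather than follow it.
            findings.append((rel, "symlink inside web root (check its target)"))
            continue
        mode = stat.S_IMODE(path.lstat().st_mode)
        if mode & stat.S_IWOTH:
            findings.append((rel, f"world-writable ({mode:04o})"))
        sensitive = path.name in SENSITIVE_NAMES or path.suffix in SENSITIVE_SUFFIXES
        if path.is_file() and sensitive and mode & stat.S_IROTH:
            findings.append((rel, f"sensitive file is world-readable ({mode:04o})"))
    return findings


def demo():
    """Create a scratch web root with constructed files and deliberately loose modes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>shop</h1>")
        (root / "config.php").write_text("<?php $db_pass = 'placeholder'; ?>")
        (root / "db.sql").write_text("-- constructed dump")
        (root / "uploads").mkdir()
        os.chmod(root / "index.html", 0o644)   # fine: public page
        os.chmod(root / "config.php", 0o644)   # wrong: readable by every local account
        os.chmod(root / "db.sql", 0o600)       # fine: owner only
        os.chmod(root / "uploads", 0o777)      # wrong: anyone can write here
        return audit_permissions(root)


if __name__ == "__main__":
    for rel, problem in demo():
        print(f"{rel}: {problem}")
```

The usual remedy is files at 644 and directories at 755, with secret-bearing files at 640 owned by the deploying account and group-readable by the web server's account only, and upload directories writable by the web server but with script execution disabled for that directory in the server configuration.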

PHP Globals & Error Reporting- There have been quite a few issues with the register_globals setting in PHP programming. The real issue is insecure programming rather than the setting itself. Most server PHP engines now have it set to "off", and some PHP code might have to be edited to work correctly. Use the server logs for error reporting rather than returning the information to the user, as error messages can reveal important server settings.
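The error-reporting point above is language-independent, so here it is shown in Python as an added example (not the article's code, and not PHP, where the equivalent is display_errors=Off with log_errors=On in php.ini). A deliberately failing database call is handled two ways: the leaky handler returns the raw exception text, which names the missing table and would equally well name a file path or connection string; the safe handler writes the full traceback to the server log under a random reference and returns only that reference to the user. The in-memory log buffer stands in for the real error log and is an assumption of the example.

```python
import io
import logging
import sqlite3
import traceback
import uuid

# Constructed in-memory sink standing in for the server's error log.
LOG_BUFFER = io.StringIO()
logger = logging.getLogger("shop.example")
logger.setLevel(logging.ERROR)
logger.addHandler(logging.StreamHandler(LOG_BUFFER))


def load_product(product_id):
    """Deliberately fails: the 'orders' table does not exist in this scratch database."""
    conn = sqlite3.connect(":memory:")
    return conn.execute("SELECT price FROM orders WHERE id = ?", (product_id,)).fetchone()


def handle_request_leaky(product_id):
    """The bad pattern: the raw exception text goes straight back to the browser."""
    try:
        return 200, str(load_product(product_id))
    except Exception as exc:
        return 500, f"Database error: {exc}"


def handle_request_safe(product_id):
    """Log the full traceback server-side; the user only sees an opaque reference."""
    try:
        return 200, str(load_product(product_id))
    except Exception:
        ref = uuid.uuid4().hex[:12]
        logger.error("request failed [ref %s]\n%s", ref, traceback.format_exc())
        return 500, f"Sorry, something went wrong. Reference: {ref}"


def log_contents():
    """Return what has been written to the stand-in error log so far."""
    return LOG_BUFFER.getvalue()


if __name__ == "__main__":
    print(handle_request_leaky("1"))
    print(handle_request_safe("1"))
    print("--- server log ---")
    print(log_contents())
```

The reference number is the detail that makes the safe version usable: a customer can quote it to support, and the operator can find the full traceback in the log, so nothing is lost by withholding the detail from the response.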

Server Side Scripts

Server side scripts are programming language scripts which are processed on the operating system of the web server. The web pages contain the code, i.e. in ASP, ASP.NET, PHP and CGI languages, so that web pages can retrieve dynamic content, respond to user queries and save information to a database. The code is used because it makes a web page much more configurable and automated. However, if the programming in these languages is not done securely, it can lead to a security compromise.

SQL Injection- SQL is the database language used to store and retrieve information on an e-commerce site: names, addresses, credit card and product details, purchase information, in fact anything to do with the running of the online store. The database can be vulnerable to SQL injection, which breaches the database's security: the database can be accessed and information stolen or destroyed in this manner. Around 9% of hacking attempts are attributed to SQL injection. Applications should have a robust filtering method to prevent important database information being revealed.
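The "robust filtering method" the paragraph calls for is, in practice, parameterised queries: the value is sent to the database separately from the SQL text, so it can never be parsed as SQL. The following is an added example, not code from the article, that builds a scratch SQLite customer table and runs the same lookup two ways, once with the username pasted into the query string and once as a bound parameter, against a normal username and against the classic tautology input. The table and its rows are constructed for the demonstration.

```python
import sqlite3


def build_db():
    """Constructed in-memory customer table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers (username, card_last4) VALUES (?, ?)",
        [("alice", "4242"), ("bob", "1881")],
    )
    return conn


def find_customer_vulnerable(conn, username):
    """The unsafe pattern: user input becomes part of the SQL text."""
    sql = f"SELECT username, card_last4 FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_customer_safe(conn, username):
    """Parameterised query: the driver binds the value, so quotes in it are just data."""
    sql = "SELECT username, card_last4 FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a normal username and with a tautology input."""
    conn = build_db()
    hostile = "' OR '1'='1"
    return {
        "vulnerable_normal": find_customer_vulnerable(conn, "alice"),
        "vulnerable_hostile": find_customer_vulnerable(conn, hostile),
        "safe_normal": find_customer_safe(conn, "alice"),
        "safe_hostile": find_customer_safe(conn, hostile),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case:20} -> {rows}")
```

With the hostile input the string-built query becomes `WHERE username = '' OR '1'='1'` and returns every customer's card digits; the parameterised query looks for a customer literally named `' OR '1'='1` and returns nothing. Escaping quotes by hand is a weaker substitute: it has to be right for every database dialect and every call site, whereas binding parameters is right by construction.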

Cross Site Scripting (CSS)- This is a technique used to gather personal information or run malicious code whilst you are using your browser. (It is more commonly abbreviated XSS, to avoid confusion with Cascading Style Sheets.) 27% of recognised hacking attempts are due to it. Vulnerabilities within the site's scripting languages can allow it to be run.
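The vulnerability the paragraph describes arises when text supplied by one visitor is written into a page served to another without being encoded for its HTML context. The following is an added example, not the article's code, rendering a constructed product review two ways: the unsafe version interpolates the author name and review text directly, so a name containing a quote can close the attribute and a review can contain a live tag; the safe version encodes both with `html.escape`, with `quote=True` so that attribute values are protected as well as element content. The harmless `alert` payloads are constructed for the demonstration.

```python
import html


def _esc(value):
    """Encode for HTML element and attribute context (quote=True also encodes ' and ")."""
    return html.escape(value, quote=True)


def render_review_unsafe(author, text):
    """Unsafe: user-supplied strings go straight into markup."""
    return f'<div class="review" data-author="{author}"><p>{text}</p></div>'


def render_review_safe(author, text):
    """Safe: every user-supplied string is encoded for the context it lands in."""
    return f'<div class="review" data-author="{_esc(author)}"><p>{_esc(text)}</p></div>'


def contains_active_markup(rendered):
    """Crude demo check: does the output still contain a live <script> tag or an injected handler?"""
    lowered = rendered.lower()
    return "<script" in lowered or 'onmouseover="' in lowered


# Constructed inputs: a name that breaks out of the attribute, and a review with a tag.
HOSTILE_AUTHOR = 'x" onmouseover="alert(1)'
HOSTILE_TEXT = "<script>alert('xss')</script>"


def demo():
    """Render the constructed hostile inputs both ways and report whether each is still active."""
    unsafe = render_review_unsafe(HOSTILE_AUTHOR, HOSTILE_TEXT)
    safe = render_review_safe(HOSTILE_AUTHOR, HOSTILE_TEXT)
    return {
        "unsafe": unsafe,
        "safe": safe,
        "unsafe_active": contains_active_markup(unsafe),
        "safe_active": contains_active_markup(safe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Output encoding at render time is the primary defence; input "filtering" on its own is not, because the same string is safe in one context and dangerous in another. Modern template engines escape by default, and a Content-Security-Policy response header limits what an injected script could do should a gap remain.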

Seventy-five percent of hacking is carried out at the web application level. Generally, the stolen information is used for illegal activities and your database would be left intact.

I employ full time security scanning on all e-commerce systems. This constantly checks for known security vulnerabilities in server security, programming code and database security. This will help avoid Cross Site Scripting, Server Access and SQL Injection Exploitation.

SQL Injection Information

Cross Site Scripting Information