myspace contact table generator in Huntington park
Introduction

For systems like servers that are designed to be 'always on', security is an important issue. In the last few years attacks against web servers have increased substantially. As the map below shows, it is immaterial where in the world you base a web server: malicious code respects no boundaries. In most cases an attack occurs unobtrusively, with servers and websites corrupted with malware designed to infect as many users as possible. Web servers are particularly vulnerable as they are 'open' by nature, with users encouraged to send and receive information to them. The HTTPD (HTTP server daemon), database software and code behind a website can each be re-written by a criminal and their original function altered. They can be prevented, but it requires an integrated approach from website administrators, programmers and designers alike, with areas such as anti-virus software, operating systems (OS) and access permissions requiring constant review. This paper will explore many of the common areas that lead to a compromised web server and the ways of preventing them.

Secure foundations

The first step in designing, building or operating a secure website is ensuring that the server that hosts it is as safe as possible. A web server is made up of layers that provide multiple avenues of attack, as the diagram below shows. The foundation of any server is the OS and the secret to ensuring that it remains secure is simple: keep it updated with the latest security patches. However, remember that hackers automate their own attempts with malware designed to jump from server to server until it finds one which is unpatched. This is why it is important to ensure that your patches are up-to-date and installed properly, as any server running old patches will become a victim. You also need to remember to update any software components that run on a web server.
This is a must for any web server – whether it is running Windows or Unix – and, combined with a flexible firewall, is one of the strongest forms of defence against security breaches. When a web server is targeted the attack will attempt to upload hacking tools or malware immediately, so as to take advantage of the security breach before it is fixed.

• Do not install software components you do not need. Every component is a risk; the more there are, the greater the risk.
• Keep your OS and applications patched with the latest security updates.
• Use anti-virus, enable automatic updates and regularly check that these are installed correctly.

The potential risks include stolen data and bandwidth, server IP blacklisting, the negative impact on an organisation's reputation and the possibility that your website could become unstable.

2.1 Internet Information Services (IIS)

IIS is part of Microsoft Windows and is a popular and commonly used web server, as it requires very little configuration.

• Disable any FrontPage Server Extensions that are not being used.

2.2 Apache HTTP Server

Apache is a highly configurable and well-maintained open source web server. It requires a more detailed configuration to deploy successfully, but provides greater control over a web server.

• Log all web requests, as they help identify suspicious activity.
• Subscribe to the Apache Server Announcement mailing list, which can send updates, patches and security fixes.

Here are some configuration tips (writing secure code is covered in a later section) that relate to the variables in the "php.ini" file: For more information on these configuration directives and why they are important, please see [6,7,10].

The root account is then automatically given free access to every other database on the server, which is why it is important to:

• Change the root password immediately.

2.4 Active Server Pages (ASP)

ASP is a Microsoft add-on that is supported by IIS, though there is also an Apache implementation.
2.5 Security

Anti-virus is generally the final line of defence against an attack, which is why web servers, particularly those dealing with dynamically generated content, should have on-access scanning enabled at all times. As the chart below shows, no web server is safe from malware. No matter how secure you think your web server is, there is always a chance that it will get hacked. On-access scanning significantly reduces the chance of malicious code running on the system as it can scan in both 'on read' and 'on write' modes, and can then deliver an immediate notification as soon as any piece of malware tries to store itself on the server. While on-access scanning can affect the throughput of the server slightly, the added security benefits far outweigh any possible performance issues.

Attacks against web servers can be generally categorised into two main types: local and global.

• Local attacks usually attempt to steal information or take control of a specific web server.
• Global attacks are generally targeted towards multiple websites and aim to infect anyone visiting them.

Even if malware cannot execute on the host server because it is protected with anti-virus software, it can still be served up as valid content to website users, as some hackers upload it in PHP or ASP, making the OS of the web server irrelevant to the attack.

External Web Hosting

Most organisations do not have the hardware or stability of bandwidth to host their own web server and as such use external providers. There are three alternatives that are suitable for small and large organisations:

• Shared dedicated hosting.
• Virtual dedicated hosting.
• Dedicated hosting.

3.1 Shared dedicated hosting

This is possibly the most used and abused of all forms of web hosting and involves a dedicated server hosting multiple websites. It is one of the cheapest forms of hosting and consequently one of the most dangerous, as it can take just one infected user to infect everybody else using the server.
http://www.sophos.com/security/blog/207/06/172.html

3.2 Virtual dedicated hosting

Virtual dedicated servers – sometimes referred to as elastic servers – are created by using virtualization software to run a number of separate, self-contained virtual servers on just one machine. This is appropriate for any growing organisation, as each user has access to their own OS and server software.

• Managed servers have staff to take care of duties such as managing local security issues and troubleshooting.

Of the three options presented here, virtual dedicated hosting seems to be the most efficient, being generally cheaper than dedicated hosting but retaining the latter's flexibility and security.

4.1 Cookies

One of the main problems encountered when designing a web application is that every request for a new page is dealt with independently from the previous request.

• A cookie is a small file that is created by the browser and stored on the user's computer.
• A session cookie is similar to a regular cookie, except it allows web applications to store the data in memory.

MySpace.com was targeted by a Trojan (JS/SpaceStalk-A) early this year, which stole information stored in cookies and transmitted it to a remote server.

• Basic authentication allows a username/password combination to be visible inside the web request.
• Digest authentication – which all popular servers and browsers support – encrypts the username and password securely inside the request. It keeps user names and passwords secure, which creates a better impression on the user and reduces the chance of your server being abused.
• HTTPS encrypts all data transferred between the browser and the server, not just the username and password.

You should use HTTPS (which relies on a security system called Secure Sockets Layer, or SSL) whenever you are asking users to provide private or personal data such as their address, credit card or banking details.
Popular server-side applications that have had problems in the past with critical, exploitable bugs include:

• WordPress blogging software.
• CMS Made Simple CMS software.

4.4 Log Files

Server logs are a very important commodity when managing a website.

Breaking the code

Writing secure code is not always as easy as it sounds.

• Turn off error reporting and ensure that you log to file instead, as such information can help attackers provoke a similar problem and then manipulate it to expose further vulnerabilities.
• Do not trust any user data and always use filter functions to strip out special SQL characters and escape sequences.

5.2 SQL injection

SQL injection can be used to attack websites that interact with databases. SQL queries can be used to query a database, insert data into a database or modify/delete data from a database. User input is frequently used in SQL queries and this can be dangerous, as hackers can try to embed invalid SQL code within the input data. Without careful attention, this malicious SQL may be executed successfully on the server. After submitting your first name to the web form, the SQL query will return a list of users that have your first name.

Rather than attempting to control the database with malicious input, the attacker attempts to attack the website code itself with malicious output. After submitting your first name to the web form, the website will display the message on the page.
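The "first name" form described in the two paragraphs above, as an added example that is not part of the original paper: an in-memory SQLite database stands in for the paper's MySQL back end, a concatenated query is shown beside its parameterised replacement, and the value is HTML-escaped before being displayed, covering both the input (SQL) and output (page content) cases.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data: three users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT)")
    conn.executemany("INSERT INTO users (first_name) VALUES (?)",
                     [("Alice",), ("Bob",), ("Carol",)])
    return conn


def lookup_vulnerable(conn, first_name):
    """Builds the query by string concatenation: the submitted value becomes
    part of the SQL text, so quote characters in it change the query."""
    sql = "SELECT first_name FROM users WHERE first_name = '" + first_name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, first_name):
    """Parameterised query: the value travels separately from the SQL text,
    so it is only ever compared as data, never parsed as SQL."""
    sql = "SELECT first_name FROM users WHERE first_name = ?"
    return [row[0] for row in conn.execute(sql, (first_name,))]


def render_greeting(first_name):
    """Escapes the value before placing it in HTML, so any markup a user
    submitted is shown literally instead of being interpreted by the browser."""
    return "<p>Hello, " + html.escape(first_name, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    # Ordinary input behaves identically with either query.
    print(lookup_vulnerable(conn, "Alice"))   # ['Alice']
    print(lookup_safe(conn, "Alice"))         # ['Alice']
    # Input carrying SQL syntax: the concatenated query returns every user,
    # the parameterised one matches nothing because no name equals the string.
    tainted = "x' OR '1'='1"
    print(lookup_vulnerable(conn, tainted))   # ['Alice', 'Bob', 'Carol']
    print(lookup_safe(conn, tainted))         # []
    # Output escaping turns submitted markup into inert text.
    print(render_greeting("<script>alert(1)</script>"))
```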