• Website Security: What do I need to know? What do I need to do? – Part 2

    This is the second part of our blog article about the emerging security issues for and threats to websites as well as some of the options to address them.

    To read the first part of our article click: Website Security: What do I need to know? What do I need to do? – Part 1

    In the first part we talked about “How websites are built” and “Why websites are insecure”. We listed a couple of reasons for the latter, e.g.

    • Lack of communication
    • Lack of maintenance processes
    • Vulnerabilities in website software

    And will now add more reasons to that and the discuss the  question ” What can happen if a website is not secured” and ” What can I do to protect my website”.

    (2) Why are websites insecure

    (2.1) Lack of communication

    (2.2) Lack of maintenance processes

    (2.3) Vulnerabilities in website software

    (2.4) Vulnerabilities in server software:

    Computer software that powers the actual server (machine) that is hosting your website is termed as server software. A prime example of this kind of software is the FTP server that allows you to log in and update/upload webpages in your hosting account. Sometimes hosting companies will provide default packages as a convenience to their customers, such as mailman scripts, these help with setting up email related functionality and such. These server level software can cause security issues too. A vulnerable FTP server can allow an attacker to break into a website, so can misconfigurations on part of the hoster.

    Take away: Find out what default packages if any are installed on your hosting account and if they are up to date. If you are not using these packages, remove them. If they cannot be removed make sure you understand who is in charge of keeping them up to date.

    Example: You can simply log into your hosting account and see if you have mailman scripts enabled or not. You can also find the version of your FTP server from your control panel. A good tutorial on using FTP from a windows machine can be found at http://www.textheavy.com/tutorials/winftp.html

    (2.5) Insecure website access:

    Insecure website access is one of the primary reasons of website compromise. A prime example would be easy to guess passwords. There some basic steps that can followed to help make the management of a website more secure. We list these below:

    (2.5.1) Try to not use FTP for uploading website related files to your hosting account. FTP connections can be sniffed by trojans/viruses installed on PCs while a website owner connects to his/her hosting account. Once these trojans/viruses detect a successful login via FTP, the account username, password and ftp location are sent out to a botnet network that proceeds to pump in malware into the hosting account. This process of infecting the hosting account via compromised FTP credentials is extremely prevalent and somewhat hard to detect, since it seems as if a legitimate user has logged into the account and is uploading/modifying some files. Also, do not store your FTP credentials in your FTP client. Instead of FTP consider using SFTP/SCP.

    (2.5.2) Try to use passwords that are 10 to 12 characters or more, with numbers, upper and lower case letters and special symbols.

    (2.5.3) Try to make sure that permissions for all files are set appropriately. A permission of 777 would provide a read, write and execute access to everyone, this is highly undesirable. try to set permissions to 644 for most files.

    Take away: Have secure passwords. Try to move away from FTP, use SCP/SFTP.
    Example: You can WinSCP, and use it to connect to your website and transfer/update files on your hosting account.

    (3) What can happen if a website is not secured:

    Insecure sites can be compromised by malicious hackers. Once compromised these sites can be used to spread malware and spew spam. More than 6,600 websites get blacklisted by Google alone, on a daily basis. Some of the consequences of not protecting your website are listed below:

    (3.1) Compromised website is infected with web-malware, in turn infecting all visitors to the website. This leads to the website getting blacklisted by search engines and security watchdogs in the Internet. Once a site is blacklisted, all modern browsers like Internet Explorer, Safari, Firefox will block access to your website. On average it takes about 7 days for a website to get itself cleaned and off the blacklists.

    (3.2) Compromised website is infected with spam-shells. Spam shells use the hosting account as a staging ground for sending out spam to users in the Internet. This can cause your website to get blacklisted and emails from your domain may be blocked or dropped completely.

    (3.3) Customer confidence can drop greatly if a website is blacklisted. Moreover it takes hours worth of effort to find the web-malware causing issues on a site. This leads to loss in sales as well as expending money ant time on fixing a problem that could have been avoided.

    (3.4) Customer data such as credit card information, customer addresses and other personal information can be stolen and distributed on underground networks.

    Take away: Protect your website, do not take security lightly if you value your reputation and visitors.
    Example: On average is takes 7-10 days for a website to recover from a hacking incident.

    (4) What can I do to protect my website

    There are two primary product categories that can help you secure your website:

    Website Vulnerability Assessment: On a PC, Microsoft will act as the vulnerability assessment tool and tell you where youʼre vulnerable and what you can do about it. Unfortunately, such a service is not available on web sites. But there are tools available that will scan your website and tell you if youʼre vulnerable and what you can do about it. If you understand security issues on a website well and have the time and money to keep your site up to date, this is an excellent tool to reduce the risk of being infected by hackers.

    Website Malware Scans: As with PCs, most website owners and administrators realize they canʼt keep up with all vulnerabilities and that sooner or later they will get infected. As a minimum, they therefore subscribe to a service that scans their website daily and alerts them when a hacker has injected malicious code so they can take immediate action before their users get infected or they get blacklisted. Because the attacks can be more complicated on web sites, signature based virus engines are not enough. An effective scan engine will check for both known viruses and unknown web malware.

    Several vendors offer solutions like this. Pacific Host (www.pacifichost.com) has teamed up with one vendor, StopTheHacker, and is offering their services through our dashboard. Our top priority is the security of your website and youʼre of course free to use any service out there.

    This article has described some good practices that when put in practice can dramatically reduce the chances of getting hacked and blacklisted.

    If you find this article interesting you also may want to check out this blog article “How to Deal with the Latest WordPress Outbreak?

    Let us know what you think and want to learn about website security and malware! Connect With us on Google+ , Twitter and Facebook.

    • […] out Website Security: What do I need to know? What do I need to do? –Part 1 and Website Security: What do I need to know? What do I need to do? –Part 2. Posted in: News, Report, Security post a […]

      Posted by stopthehacker.com | How do cybercriminals profit from infecting websites with malware? on May 31st