State of the Web 2015: One-third of Sites are Vulnerable or Compromised

According to a report by the new company Menlo Security, the Internet is a very dangerous place: one in three popular websites is either vulnerable or already hacked and attacks its visitors using exploit kits.

For example, in late 2014 the site of the popular Forbes magazine infected users for several days through a zero-day vulnerability in Adobe Flash. It is this case that the Menlo Security specialists cite when explaining their global study of the Internet. They tested one million sites from the Alexa list of the most popular sites. From each site they downloaded everything that is sent to and saved on an ordinary visitor's computer: frames, embedded content, widgets, etc.

66% of the sites had no malicious software at all, but the remaining 34% are classified as "risky". In particular, 22% of the servers run on vulnerable infrastructure, including vulnerable versions of PHP or vulnerable versions of the Apache web server or IIS. Only a couple of percent of the sites run a vulnerable CMS, and those are split evenly between WordPress and Drupal.

The graph shows how the vulnerable sites are distributed across thematic categories. It is easy to see that every category has problems.

(Figure: vulnerable websites in 2015, by category, from the Menlo Security report)

In addition to the existing vulnerabilities, 4% of the largest websites have already been compromised and are spreading malware. Another 3% are used for spamming or as part of botnets.

Vital Webmaster, LLC, a web design and development company located in Utah, focuses on security, usability and functionality of the site and provides web design & development services for redesigning an existing or designing a new website. Please call (801) 214-8104 to schedule your free consultation or simply Contact Me by submitting your inquiry online.


Why do I Need a Website? How to Design & Promote a Website?

In this article I would like to answer these questions: Do I need a website? How much does a website cost? How do I find a web designer (webmaster)? What are the requirements for a website design? What are the stages of development? What is Search Engine Optimization and how do I make my website visible online through Internet promotion?


Website Security – How to Audit & Secure Your Website Checklist

Recently I had the experience of a few clients reporting that our company's website had a virus or some kind of malware. I was not aware of it until I started digging into it and found that a few files had been injected with malicious code that would either redirect users to other websites or collect user information. I hurried and took care of the issue by removing the malicious software and establishing a security policy for our website. The results were positive, and to this day I continue to observe security policies and practices for each website I work on.

When we create a website, most of the time (from my personal experience) we don't think of the most important thing: its security. Probably this is because we don't have much experience creating new websites, but now it's time to start thinking about it. The most important thing is to always ask yourself the question: "What would happen if ...?". If you always ask this question, your website will be almost 100% protected.

Site security is an urgent task for many website owners today. With the emergence of a huge number of resources such as "Hacking for Dummies", even Internet users who previously had no business with your site, or did not know much about the Internet at all, are eager to try out their newly gained knowledge and brag about it by hacking your site.
What should you do to protect your website from hacking? Where do you start?

I will try to provide a few steps you need to start taking in order to secure your website from hacking. A security policy should start with the safe use of the development tools used to build your site. But I will not go into the details of programming; instead I present a number of safety actions for working on a site built on a content management system (CMS). I will continue to emphasize that the most secure sites are the ones you write yourself, as a programmer, from scratch.

To start, I will list the non-programmatic methods I use to protect a site from hacking. You have surely heard of them before; maybe you just did not pay attention.

Here is the Website Security List:

Please consider these main “anti-hacking” actions to secure your site:

  • Do not use the services of amateur programmers, and use only scripts that are properly written. When testing your scripts on the local machine in debug mode, do not be lazy: fix every bug in the code that you find.
  • Do not offer free downloads of, or sell, scripts written by you as a resource for others: having your source code in front of their eyes can help hackers work out the principles by which you have written all the rest of your scripts.
  • Periodically test the resource, partially or completely, from different browsers (especially Internet Explorer, which has a number of bugs that are effectively an "open door" for hackers). Put yourself in the place of a possible intruder and try to find vulnerabilities from all possible angles.
  • Use an .htaccess file in the root directory of the site and regularly browse the logs. As an example of how your .htaccess file should look to protect your site from hackers, see my sample code below:

# Use PHP5.3 Single php.ini as default
AddHandler application/x-httpd-php53s .php
##### RewriteEngine enabled - BEGIN
RewriteEngine On
##### RewriteEngine enabled - END

##### RewriteBase set - BEGIN
RewriteBase /
##### RewriteBase set - END

##### File execution order - BEGIN
DirectoryIndex index.php index.html
##### File execution order - END

##### No directory listings - BEGIN
IndexIgnore *
# For security reasons, Option followsymlinks cannot be overridden.
#Options +FollowSymLinks All -Indexes
# For security reasons, Option all cannot be overridden.
#Options +SymLinksIfOwnerMatch All -Indexes
Options SymLinksIfOwnerMatch ExecCGI Includes IncludesNOEXEC -Indexes
##### No directory listings - END

##### Rewrite rules to block out some common exploits - BEGIN
# Block any request trying to read the process environment
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
# Block any request trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block any request carrying base64_encode/base64_decode in the query string
RewriteCond %{QUERY_STRING} base64_(en|de)code\(.*\) [OR]
# Block any request that includes a <script> tag in the query string
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# Block any request trying to set a PHP GLOBALS variable via the URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block any request trying to modify a _REQUEST variable via the URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Any request matching one of the conditions above gets 403 Forbidden
RewriteRule .* index.php [F]
##### Rewrite rules to block out some common exploits - END

##### File injection protection - BEGIN
# These three checks only apply to GET requests
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]
##### File injection protection - END

##### Advanced server protection - BEGIN
## Disallow access to rogue PHP files throughout the site, unless they are explicitly allowed
RewriteCond %{REQUEST_FILENAME} (\.php)$
RewriteCond %{REQUEST_FILENAME} !(/index[23]?\.php)$
RewriteCond %{REQUEST_FILENAME} -f
#RewriteRule (.*\.php)$ - [F]
# NOTE: while the rule above stays commented out, the three RewriteCond lines
# above it attach to the next RewriteRule instead; enable the rule or remove
# the conditions so the htaccess.txt/php.ini rule below is not restricted by them.
## Disallow access to htaccess.txt, php.ini and configuration.php-dist
RewriteRule ^(htaccess\.txt|configuration\.php-dist|php\.ini)$ - [F]
##### Advanced server protection - END
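To check what those rules would actually reject before switching them on, here is an added example in PHP 7 (not code from the original post): it replays the same QUERY_STRING patterns, as PCRE, over a handful of constructed Apache access-log lines and reports which rule would have answered 403. The log lines, addresses and rule labels are invented for the example.

```php
<?php
// Added example, not the original post's code: PCRE versions of the RewriteCond
// patterns from the .htaccess above, applied to access-log lines so the effect
// of the [F] rules can be reviewed offline. Rule labels are our own.
$rules = [
    // "common exploits" block: applies to every request method
    'proc/self/environ'    => ['re' => '~proc/self/environ~',                 'get_only' => false],
    'mosConfig override'   => ['re' => '~mosConfig_[a-zA-Z_]{1,21}(=|%3D)~', 'get_only' => false],
    'base64 in query'      => ['re' => '~base64_(en|de)code\(.*\)~',          'get_only' => false],
    'script tag in query'  => ['re' => '~(<|%3C).*script.*(>|%3E)~i',        'get_only' => false], // [NC]
    'GLOBALS override'     => ['re' => '~GLOBALS(=|\[|%[0-9A-Z]{0,2})~',      'get_only' => false],
    '_REQUEST override'    => ['re' => '~_REQUEST(=|\[|%[0-9A-Z]{0,2})~',     'get_only' => false],
    // "file injection" block: guarded by RewriteCond %{REQUEST_METHOD} GET
    'remote file include'  => ['re' => '~[a-zA-Z0-9_]=http://~',             'get_only' => true],
    'directory traversal'  => ['re' => '~[a-zA-Z0-9_]=(\.\.//?)+~',          'get_only' => true],
    'absolute path in arg' => ['re' => '~[a-zA-Z0-9_]=/([a-z0-9_.]//?)+~i',  'get_only' => true],  // [NC]
];

// Constructed sample of Apache combined-format log lines (not real traffic).
$log = [
    '203.0.113.5 - - [10/Mar/2015:12:00:01 +0000] "GET /index.php?option=com_content&view=javascript_tips HTTP/1.1" 200 5123',
    '203.0.113.9 - - [10/Mar/2015:12:00:02 +0000] "GET /index.php?file=../../../../proc/self/environ HTTP/1.1" 200 5123',
    '198.51.100.4 - - [10/Mar/2015:12:00:03 +0000] "GET /index.php?mosConfig_absolute_path=http://evil.example/x.txt HTTP/1.1" 200 100',
    '198.51.100.7 - - [10/Mar/2015:12:00:04 +0000] "GET /search.php?q=%3Cscript%3Etest%3C/script%3E HTTP/1.1" 200 100',
    '198.51.100.7 - - [10/Mar/2015:12:00:05 +0000] "POST /index.php?page=../../etc HTTP/1.1" 200 100',
    '192.0.2.10 - - [10/Mar/2015:12:00:06 +0000] "GET /login.php?return=http://www.yourdomain.com/account HTTP/1.1" 302 0',
];

// Split a combined-format line into the parts mod_rewrite would see. The query
// string is left URL-encoded, because %{QUERY_STRING} is matched undecoded too.
function parse_log_line(string $line): ?array {
    $re = '~^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})~';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $parts = explode('?', $m[3], 2);
    return [
        'ip'     => $m[1],
        'method' => $m[2],
        'path'   => $parts[0],
        'query'  => $parts[1] ?? '',
        'status' => (int) $m[4],
    ];
}

// Return the labels of every rule that would have fired for this request.
function matched_rules(string $method, string $query, array $rules): array {
    $hits = [];
    foreach ($rules as $label => $rule) {
        if ($rule['get_only'] && $method !== 'GET') {
            continue; // the file-injection block never looks at POST
        }
        if (preg_match($rule['re'], $query)) {
            $hits[] = $label;
        }
    }
    return $hits;
}

function scan_log(array $lines, array $rules): array {
    $report = [];
    foreach ($lines as $line) {
        $req = parse_log_line($line);
        if ($req === null) {
            continue; // not a combined-format line; skip rather than guess
        }
        $hits = matched_rules($req['method'], $req['query'], $rules);
        if ($hits !== []) {
            $report[] = ['ip' => $req['ip'], 'method' => $req['method'],
                         'path' => $req['path'], 'rules' => $hits];
        }
    }
    return $report;
}

foreach (scan_log($log, $rules) as $entry) {
    printf("%-13s %-4s %-12s would be blocked by: %s\n",
        $entry['ip'], $entry['method'], $entry['path'], implode(', ', $entry['rules']));
}
```

Two things the report makes visible: the traversal in the POST request is not caught, because the file-injection block is limited to GET, and the harmless return=http://... parameter on /login.php is caught, so review such false positives before deploying the rules.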

  • When a website engine such as a CMS is used, watch for updates and install them in a timely manner. Do not use demo versions of components, even if they have the functionality you need.
  • Use reliable software:
    • The use of licensed software ensures that no other person has introduced "extra features" that your site does not need. Download distributions of web applications and extensions/plugins for your CMS, widgets and libraries only from official sites or trusted sources. Of course, the temptation to use a free, fully functional copy of a paid CMS is very strong. But you need to understand two things:
    • First, a "cracked" engine distributed on the network through the efforts of hackers often already has built-in scripts that make hacking it easier.
    • Second, even if the downloaded CMS is "clean", it will most often be an older version, which is much easier to break into, since all of its vulnerabilities have long been known to hackers. And, of course, the lack of support for unlicensed versions also complicates management.
    • If you must download a distribution from a dubious site, be sure to check whether it contains malicious code.
    • Carefully study the code of any additional components you want to add to the CMS.
    • Update your CMS and server software on a regular basis and follow the news about vulnerabilities in the CMS you use.
    • Perform regular security audits of servers.
    • After installation, remove the CMS installation and debugging scripts.
  • The choice of hosting should be considered before launching your website. Believing that hosting offers differ only in disk space, supported languages and other general parameters is a big mistake where security is concerned. And even though, by law, the service provider's responsibilities do not include additional anti-intrusion measures, a minimum set of security tools from the host must be present; it can be summarized as follows:
    • System directories (public_html, cgi, logs, etc.) should have restricted access and stay within the account's own directory;
    • So that restricted files not intended for the outside world are never exposed for public viewing, the right to view any file added to the server should automatically be limited;
    • The equipment must operate without host failures, outages and other factors that reduce the availability of the resource.
    • Consider using Linux hosting, which in itself is incomparably more stable than Windows-based hosting.
  • Use complex passwords for the web server software (FTP, SSH, the hosting administrative panel and the CMS).
    • Choose complex passwords. A complex password contains at least 11 characters and includes mixed-case letters, numbers, and special characters. Experience shows that even the fastest software for simple brute-force password guessing needs a little less than a year to get through a password of eight characters. The reason is that there are 2 × 10^12 combinations for an 8-character password, and even more when the attacker does not know which character set the 8 characters are drawn from.
    • Do not use the same password to access different services.
    • Even the most secure passwords should be changed every three months to ensure they have not accidentally been disclosed to anybody.
    • Do not store important passwords in a web browser, in a file manager or an FTP or SSH client, on any other unproven resource, or indeed anywhere electronically. If you need to store passwords and cannot rely on your memory, use a dedicated password manager. A password manager is a special program that lets you store and organize your passwords in an encrypted file. To access the password manager, a separate password, also known as a master key, is used. After all, it is much easier to remember one password than dozens of different ones. So, if you need to store your passwords, use a password manager.
  • Follow security policies for the PCs used for business purposes. All computers that work with the server (those of the webmaster, administrator, content manager, sales manager, etc.) must have anti-virus software installed with regular updates. Each computer user also needs to make time to update their operating system and software applications. There is special anti-virus software designed for installation on the hosting itself. These programs let you quickly identify unauthorized files that have appeared on the site, determine whether they are harmful and promptly remove them.
  • Use a reliable antivirus on the office computer, and if you suspect a virus, do not log in to the admin panel of the site or the hosting until you have completed the "recovery" of the original files.
  • Control the data entered by users, and monitor user activity on the hosting and in the admin panel. If you are the administrator of the resource, you must know which other people or moderators should have access to what. Attempts to log in to the admin panel, and even more so to other management areas, from unknown IP addresses are often a signal of an attempt to hijack the site. Most often you can activate activity monitoring in the CMS by installing additional plug-ins or activating logging modules on your hosting.
    • Filter HTML code in user input fields, since it can end up embedded in the code of your pages.
    • When receiving data from the user, check it on the server: for example, check that its size falls within the permissible lengths.
    • Never insert data from users directly into calls to eval(), SQL queries or conversions. Always check the information received and clean it of harmful elements before storing the data.
    • Do not leave parameters entered for debugging in the working version of the code.
    • Use a WAF (Web Application Firewall).
  • Keep a "white list" of the IP addresses from which authorized users can log in to use your website's resources.
  • Control user access rights; in particular, provide protection from cross-site request forgery (CSRF). Do not give untested people access to the admin panel of the site. Otherwise, do not be surprised when the site is hacked. Also, do not give everyone the right to add HTML code, because unscrupulous users can add malicious code to the site. Restrict access to the administration panel and the CMS database (e.g. phpMyAdmin), as well as to the following resources:
    • backup copies of the code;
    • write access to configuration files;
    • version control system metadata (such as the .svn or .git directories).
  • Protect against bots. To protect against robot hackers you can use special plugins for your CMS, or you can check users' IP addresses against online blacklists.
  • Here are a few things you can do to check the data that users enter:
    • Do not allow the insertion of JavaScript code inside <script> tags, in other tags or in links.
    • Do not put <iframe>, <object> or <embed> tags, or uploaded .jar, .swf and .pdf files, directly on the pages of the site (with their help, the site can generate such tags automatically).
    • Maintain a "white list" of allowed HTML tags so you can discard all the rest without additional processing.
    • Check references or links inserted by users through the Safe Browsing API.
  • Be careful with the ads and third-party code you insert into your site (i.e. affiliate programs).
    • Plug into your site only those ads that have been provided by a proven advertising system or program.
    • Before connecting the site to a new affiliate system, look for reviews about it and examples of the content it distributes.
    • Avoid "unique offerings" (suspiciously high fees for counters and blocks, monetization of mobile data traffic).
    • If possible, embed only static content (such as links and images) on your pages. Avoid loadable <script> and <iframe> elements. Flash, Java and ActiveX components should be accepted only in the form of source code that you can check and compile yourself.
    • Do not use affiliate programs with hidden elements.
    • If your site is static, some affiliate systems may request FTP access in order to change banners on their own. Providing such access is dangerous: if the affiliate system's database is compromised, the attacker will have direct access to the files on your site.
  • Closely monitor access to the service interface. Only those who need access to the site should have it, and only for as long as it is needed.
  • Revoke the access of specialists who performed short-term jobs on your site, of previous owners, and of people who are not responsible for the operation of the site (for example, marketing professionals or managers).
  • If you need strangers to work on your site, try to get some recommendations about them. After they finish the necessary work, disable their accounts or change the passwords.
  • Set folder permissions (CHMOD) to no more than 755 and file permissions to 644. This prevents unsafe scripts from being injected into your hosting.
  • Back up your database and the content of your site folders at least once a week.
  • Make sure that the site is free of bugs and errors. If any are found, remove them as soon as possible so you don't give hackers an opportunity to find vulnerabilities on your site.
  • To ensure that your domain is not flooded, add a CAPTCHA to all forms, including registration, comments, feedback, etc.
  • After your site is created, look for modules and components that help ensure the safety of the site and its data.
  • Before adding files to the site's materials, check them with the antivirus on your computer.
  • Regularly check the server for the last modification date of folders and files. Typically this can be done by checking file and folder dates in the control panel's file manager.
  • Unfortunately, when it comes to DDoS attacks, invulnerable sites do not exist. A DDoS attack is an attack produced by a large number of computers trying to connect to your website, so the site begins to receive a huge number of requests. The server cannot process them all and the site can stop working. In addition, if a script is very complex, the site can be "frozen" with even a small number of requests.
  • If you don't know or don't understand the steps you need to take to secure the site, seek the advice and help of an experienced administrator who will advise on, install and properly set up a secure operating system (e.g. Linux or Mac), which is difficult to infect with viruses. Even on Linux or Mac machines I would suggest using licensed antivirus software.
  • Mask the address of the admin panel of the site. Most standard CMS admin addresses require a user login and password to manage the content. For example, the admin area of WordPress is almost always entered by typing www.yourdomain.com/wp-admin.php into the browser. However, in almost any CMS you are able to change the default login form address, replacing it with a less obvious URL.
  • Encrypt data on the site. This is required if the resource contains data that should not be accessible to a wide audience. The threat of hacking is always there, and for sites with sensitive information it is even higher. Encryption complicates the extraction of valuable information from stolen data and gives you time to take the necessary measures to eliminate the consequences of a break-in.
  • Always check what the user entered into the form. To do this, use regular expressions.
  • Always pass incoming data through htmlspecialchars(), which replaces dangerous characters with entities, except in cases where it is necessary to keep the HTML tags.
  • Check all incoming data for correctness, using string functions and/or regular expressions.
  • If user input goes into a database query, it should always be escaped using addslashes(). This function should be used only if the magic_quotes_gpc directive is disabled. If it is enabled, all incoming data is escaped automatically.
  • Do not run incoming data through functions such as stripslashes() if it is used in a query to the database. Do not worry that the escape characters will end up in the database. No, the data in the database will be the same as when it was sent in the form; only the query itself will be safe.
  • Always check that the scripts work on a variety of input data. Do not forget that if a user needs to enter their name, you will not want to let them enter JS code.
  • Always turn off the register_globals directive in your php.ini file (php_flag register_globals off). As practice shows, the vast majority of programmers do not initialize variables. I will write more about the importance of register_globals in the future. For now, here is a simple example of what register_globals can do:

<?php
// Vulnerable example: with register_globals enabled, every request parameter
// becomes a PHP variable, so $array can be pre-filled from the URL.
$mysqli = new mysqli("localhost", "root", "", "mydb");
$array["first"] = "1";   // $array is never initialized with array() first
$array["second"] = "2";
foreach ($array as $key => $value) {
    // $value is interpolated straight into the SQL text
    $mysqli->query("DELETE FROM `my_table` WHERE `field`='$value'");
}
?>
If you had initialized the array like this: $array = array();, then everything would be in order. However, I am sure that not all of you are doing it. As a result, the attacker goes to the following address: http://www.yourdomain.com/your_script_name.php?array[zero]=0, and your script obediently removes a record that should not have been removed. And nothing would have happened if the register_globals directive had been disabled.
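As an added example (not the post's own code) that serves both this register_globals snippet and the input-handling points above (regular-expression checks, htmlspecialchars(), escaping for queries), here is the same DELETE script written defensively in PHP 7. It uses an in-memory SQLite database through PDO as a stand-in for the mysqli connection to mydb, so it runs without a MySQL server, and prepared statements in place of addslashes(); the table and column names come from the snippet, the request and allowed-key list are constructed.

```php
<?php
// Added example, not the original post's code. Same deletion logic as the
// snippet above, but written so that neither register_globals nor quotes in
// the input can change which rows are deleted. SQLite in memory (via PDO)
// stands in for the post's mysqli connection to "mydb"; mydb/my_table/field
// are taken from the snippet, everything else is constructed for the example.

// 1. Initialise the variable yourself, so a request parameter cannot pre-fill
//    it even on a host where register_globals is still on.
$array = array();
$array["first"]  = "1";
$array["second"] = "2";

// 2. Validate values with a strict regular expression before they go anywhere.
function valid_record_value(string $value): bool {
    return preg_match('/^[A-Za-z0-9_-]{1,32}$/', $value) === 1;
}

// 3. Whitelist: the request may only pick keys the script itself defined, so
//    ?record[]=zero (or the post's ?array[zero]=0) selects nothing.
function records_to_delete(array $request, array $allowed): array {
    $chosen = array();
    if (!isset($request['record']) || !is_array($request['record'])) {
        return $chosen;
    }
    foreach ($request['record'] as $key) {
        if (is_string($key) && isset($allowed[$key]) && valid_record_value($allowed[$key])) {
            $chosen[] = $allowed[$key];
        }
    }
    return $chosen;
}

// 4. Prepared statement: the value is bound as data, never interpolated into
//    the SQL text, which is what addslashes() only approximates.
function delete_records(PDO $db, array $values): int {
    $stmt = $db->prepare("DELETE FROM `my_table` WHERE `field` = ?");
    $deleted = 0;
    foreach ($values as $value) {
        $stmt->execute(array($value));
        $deleted += $stmt->rowCount();
    }
    return $deleted;
}

function remaining_rows(PDO $db): int {
    return (int) $db->query("SELECT COUNT(*) FROM `my_table`")->fetchColumn();
}

// 5. Anything echoed back goes through htmlspecialchars(), so that a value
//    containing <script> is rendered as text, not executed by the browser.
function show(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE `my_table` (`field` TEXT)");
$db->exec("INSERT INTO `my_table` (`field`) VALUES ('0'), ('1'), ('2')");

// Constructed request, standing in for $_GET of ?record[]=first&record[]=zero
$request = array('record' => array('first', 'zero'));
$values  = records_to_delete($request, $array);   // only keys defined in $array survive
$deleted = delete_records($db, $values);
echo "Deleted " . $deleted . " row(s) for " . show(implode(', ', $values)) . "; "
   . remaining_rows($db) . " row(s) remain.\n";
```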

  • Make sure your web host runs suPHP. Under normal PHP, scripts run as "nobody", so your script has open access. With suPHP, access is limited to the user or to those explicitly granted permission. Not all hosts use suPHP, so make sure yours does and set up another potential roadblock for hackers.
  • Use SSL to send emails, especially if, somewhere in your millions of untrashed emails, you have ever sent sensitive information by email.
  • Use SSL to access your control panel and any other site resources (e.g. FTPS for FTP file transfers).
  • Here is what you need to do if the site has been hacked:
    • Identify and remove the malicious code. If many files are infected, restore the site from a backup.
    • Change the passwords and access for the super admin and FTP.
    • If Google or any other provider has marked your website as malicious, write to Google Webmaster with a message that the site is safe for visitors, after you have made sure that it is.
  • Enable cloud hosting if possible. With cloud hosting, your files are backed up off site in a safe place. In the event of an equipment failure, you can simply insert a new hard drive into your server and start downloading your backup files onto the new hardware.

Conclusion:
Perhaps you will find security a troublesome occupation, but do not forget that you and only you are responsible for keeping the passwords that access the site safe. Also, you must understand that even the use of all these tools does not give a 100% guarantee of protection against hacking. Remember too that the probability of a hacker attack is directly proportional to the value of the information stored on the server. If you own a personal blog, these steps, if followed, will help you forget about Internet intruders. And, finally, you don't have to be the one doing all the work. Hire someone who has experience and knows how to do it.

As a webmaster, I perform analysis of the site for malware and viruses and implement reliable protection from them. This is part of the Website Maintenance Services that I offer for my clients. Please visit the Website Analysis Audit services page for more details. Please call to schedule your free consultation or simply Contact Me by submitting your inquiry online.


Basics of DoS / DDoS attack Protection – How to Reduce the Risk

This article covers the basics of DoS / DDoS attack protection and how to reduce its risk.

DDoS attack is short for Distributed Denial of Service attack. The main characteristic of this type of computer crime is that the criminals do not intend to enter a protected computer system to steal or destroy data. The main purpose of the attack is to paralyze the attacked site. A DDoS attack is a derivative of DoS and differs only in the large number of requests sent to the server from different IP addresses. This is why criminals assemble chains of Trojan-infected computers and make them turn to the server, so that it cannot withstand the load. The first reports of DDoS attacks date from 1996.

In most cases, a global attack leads to financial losses for the attacked party. For example, if a commercial site goes down for a few hours, it damages the business; if it goes down for a week, the owner of the resource may well go under.

Denial of service can be achieved in two ways: by using software vulnerabilities of the victim, or by sending a large number of specially composed network packets (a flood). The first method consists of using buffer overflow vulnerabilities to send code to the server that performs the DoS. Since the attack comes from "inside", after a very short time the target is "frozen" or disconnected from the Internet. This method does not require large computational resources from the attacker, but it relies on security vulnerabilities, which in itself complicates the task. The second method is brute force, which practically does not require any special skills. The idea is to send as many requests as possible to the server (those requests could also be a huge number of normal packets, such as GET requests to an HTTP server). Every packet the server receives has to be processed. If a packet arrives while the server is busy receiving or processing another, the new request is queued, taking up part of the system's resources. In a DoS attack a large number of packets of a certain size is sent to the server, and no response from the server is expected. As a result, because the server is overloaded with data, it is either disconnected from the Internet or "frozen". In any case, normal users cannot use the services of the affected server for some time.

Schematically, a DDoS attack looks like this: a huge number of false requests from multiple computers in different parts of the world collapse onto the server selected as the victim. As a result, the server spends all its resources servicing these requests and is virtually inaccessible to ordinary users. The cynicism of the situation lies in the fact that the users of the computers from which the false requests are sent may not even be aware that their machines are being used by hackers. The programs hackers install on these computers are called "zombies" (examples of such programs are Trojans). This preparatory stage is perhaps the most time-consuming for an attacker.

Most often, attackers carrying out DDoS attacks use a three-tier architecture called a "DDoS cluster". This hierarchical structure includes:

  • a management console (there may be several), i.e. the computer from which the attacker sends the signal to start an attack;
  • mainframe computers. These are the machines that receive the attack signal from the control console and pass it on to the agents, the "zombies". One management console, depending on the size of the attack, can control up to several hundred hosts;
  • agents, the "zombie" computers themselves, whose requests attack the target node.

DDoS software was originally produced for "peaceful" purposes and used for experiments on network bandwidth and resistance to load. Over the years, this software has been constantly modified. For a more detailed understanding of DoS attacks, I will review the five most popular types of DDoS attack:

  • UDP flood: sending multiple UDP (User Datagram Protocol) packets to the target's address. This method was used in earlier attacks and is now considered the least dangerous. Programs that use this type of attack are easily detected, since the exchange between the master controller and the agents uses the unencrypted TCP and UDP protocols.
  • TCP flood: sending a set of TCP packets to the target's address, which also leads to the "binding" of network resources.
  • TCP SYN flood: sending a large number of requests to initialize TCP connections with the target node, which as a result has to spend all its resources tracking these half-open connections.
  • Smurf attack: ICMP (Internet Control Message Protocol) ping requests sent to directed broadcast addresses with a fake source address, which as a result turns out to be the target of the attack.
  • ICMP flood: an attack similar to Smurf, but without the use of broadcast addresses.

The most dangerous are the programs that use multiple types of the attacks described. They are called TFN and TFN2K and require a high level of skill. One of the latest pieces of software for organizing DDoS attacks is Stacheldraht ("barbed wire"), which allows a variety of types of attack and avalanches of broadcast ping requests, with encrypted communications between controllers and agents.

Of course, in this review I have covered only the most well-known programs and methods of DDoS. In fact, the range of programs is much wider and is constantly updated. For the same reason, it would be naive to describe universally reliable methods of protection from DDoS attacks. Generic methods do not exist, but the general guidelines for reducing the risk and minimizing damage from attacks include measures such as competent configuration of the anti-spoofing and anti-DoS features on routers and firewalls. These features limit the number of half-open connections, preventing overload of the system.

Here are several ways you can protect yourself against DoS attacks:

  • Filtering is a method of blocking the traffic coming from the attacking machines. This can be handled with the help of the .htaccess file located in your root folder on the server, or achieved through the correct settings in the control panel (such as cPanel). If you are unable to use them, consult your administrator. If you are the administrator of the site, consider specialized software or the acquisition of more reliable servers that can tolerate minor or moderate attacks without serious consequences.
  • Eliminating vulnerabilities. A successful DDoS attack often results in damage to your database, such as MySQL, or even the loss of data on the server. So remember to create copies of your data for enhanced security.
  • At the server level, it is desirable to have console access to the server on another IP address over the SSH protocol, for remotely restarting the server.
  • Another fairly effective method of combating DDoS attacks is masking the IP address.
  • Creating a mirror site is a very common way to "stay afloat". Make sure that the site is hosted on multiple servers, the second of which is an exact replica of the first and is available under a domain as the mirror. A very good solution, but it requires quite deep knowledge of site administration.
  • Responding to a DoS or DDoS attack. Cause and effect are clear.
  • The introduction of specialized equipment to repel DoS attacks: DefensePro (Radware), Arbor Peakflow and others.
  • A very important part of prevention is software capable of "patching" all kinds of "holes".
