Thursday, February 3, 2011

Why Your Website is being attacked and what you can do to Prevent it

A couple of years back, when we attended Internet Governance meetings, all we did was discuss access and connectivity. The security and privacy issues that the early-adopting nations grappled with, we only mentioned in passing. This is fast changing, thanks to the efforts of groups like YOGYACARDERLINK, REALQW, and C4UR, who have made it their business to wake up East Africa with their relentless hacking attempts.

Problem
Employing various methods, these groups have felled, and continue to fell, targets at an alarming rate. The targets include government, NGOs and businesses; name it, and they have all got a pinch on the ear from these very unequivocal teachers, who occasionally leave messages like “Where is your security!” on hacked sites.

Now, whereas the target selection seems random, the success rate of these attacks is astounding. This begs the question: what is common about these targets, and why are these miscreants succeeding in this very malevolent quest?

Background
To answer this question, a few points may be helpful:
1. Most of the targets felled are websites.
2. Nearly all the hacked sites use CMSs, particularly Joomla.
3. Nearly 90% of the time, a SQL injection is used with success.

Solution
OK, now with few unknowns, let's see how we can protect ourselves against some of the most common forms of attack.

Security Framework
The first and most important aspect of online security is a security framework. This is a blueprint, and without it website developers and admins will be unable to develop or maintain secure web applications. This document will usually specify access levels and file permissions, among other security best practices. It is critical that a corporation involved in any sort of development on the web embeds this into every single undertaking. Incidents at Facebook and Twitter are living testimony of what can happen if security measures are not adopted early in the development life cycle.

Update Web apps
Content Management Systems (CMSs) have greatly improved the speed and manner in which we design, build and deploy websites and other web applications. Because of this, businesses have shifted their focus to rapid deployment and getting as much information out as possible. The unintended consequence is that security is generally overlooked. Fortunately, most of the commonly used CMSs (Joomla, Drupal and Wordpress, to name three) allow for automatic updating of modules or extensions. If you use a CMS, be sure to enable updates so that modules with flaws are patched as soon as a fix for a vulnerability is released. This can drastically lower your attack surface.

Database Prefix and Version Numbers
Many SQL injection tools are written to exploit CMSs in their original form. Take Joomla, for instance: its default naming convention uses a database prefix of jos_. Changing the database prefix alone will make SQL exploits against your database fail most of the time.

And speaking of original form and Joomla: extensions have vulnerabilities in particular versions, and hackers usually abandon a target if reconnaissance gives unreliable information or none at all. By removing the version numbers from your extensions, you lower your chances of being attacked in the wild to nearly zero. You also create far more work for targeted attacks, given how much guessing the attacker has to do.

Sanitize User input
A SQL injection occurs when a site is unable to preserve its query structure given certain forms of input (usually malicious). The web application then executes a query that it should never have processed, with malicious results. Sanitization includes preventing URL parameters from being executed as part of a query, and blocking operations that write to or delete from the database.
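To make the "query structure" point concrete, here is an added example (not code from the original post and not Joomla's own code) written in Python, with an in-memory sqlite3 database standing in for the CMS database. The table jos_users, its rows and the helper names are constructed for the illustration. It shows a lookup that concatenates user input into the SQL text, the same lookup with the value bound as a parameter so the statement's structure cannot change, and an allow-list check for a numeric URL parameter.

```python
import sqlite3

# Added illustration: a throwaway in-memory database standing in for a CMS
# users table. The table name and rows are constructed for this example and
# are not Joomla's real schema.
def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jos_users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO jos_users (id, username, email) VALUES (?, ?, ?)",
        [(1, "admin", "admin@example.test"),
         (2, "editor", "editor@example.test"),
         (3, "guest", "guest@example.test")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # The query text is assembled by string concatenation, so a quote character
    # in the input terminates the literal and the rest of the input becomes part
    # of the statement: the query structure is no longer preserved.
    sql = "SELECT id, username FROM jos_users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # The statement is fixed and the value is bound as a parameter; whatever the
    # input contains, it can only ever be compared against the username column.
    sql = "SELECT id, username FROM jos_users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def parse_id_param(raw):
    # Allow-list validation for a numeric URL parameter such as index.php?id=7:
    # accept only a short run of ASCII digits, so nothing that could alter a
    # query is ever handed to the database layer.
    if not isinstance(raw, str) or not raw.isascii() or not raw.isdigit() or len(raw) > 10:
        raise ValueError("id must be a positive integer")
    value = int(raw)
    if value == 0:
        raise ValueError("id must be a positive integer")
    return value


def lookup_by_id(conn, raw_id):
    # Validated parameter plus bound placeholder: both layers of the fix together.
    return conn.execute("SELECT username FROM jos_users WHERE id = ?",
                        (parse_id_param(raw_id),)).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    probe = "' OR '1'='1"   # textbook test input: the quote closes the literal early
    print("vulnerable:", lookup_vulnerable(db, probe))   # every row comes back
    print("safe:      ", lookup_safe(db, probe))         # no such username -> []
    print("by id:     ", lookup_by_id(db, "2"))
```

Run it and the vulnerable lookup returns all three users for the probe string, because the statement it executes has become `WHERE username = '' OR '1'='1'`; the parameterised lookup returns nothing, because the whole probe is compared, as data, against the username column. The same two patterns apply unchanged to PHP's PDO prepared statements in a Joomla extension.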

Rewrite URL's
With Google hacking, a search term like “inurl:com_contact” can be used to find vulnerable hosts on the internet. If your URLs are in their original form, they could expose you to real threats. The good news is that most CMSs today have modules to rewrite your URLs from something like “test.ug/index.php?option=com_content” to “test.ug/index.php/sponsors.html”. The latter is easier to read and for search engines to index, and it obfuscates the web application's components, offering you security in the process.

Permissions
During installation and updating of CMSs, it is common for modules to write to certain files and directories. It is also commonplace, especially for the less adept web admin, to allow more permissions than are required in an attempt to make administration easier. This creates the potential for upload and execution of files should an attack be mounted on you. Always allow just sufficient permissions to modules; anything over and above can be misused. Also ensure you downgrade these after installation if your modules really require a privilege escalation to install.

As a standard, your PHP files (.php extension) should be set with a mask of 644, configuration files (.conf) should have the mask set at 666, while other files should generally maintain 755. Use of the .htaccess file in most web server environments, especially Apache, will allow you to make directory-level changes and keep the changes uniform across the board.
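The "just sufficient permission" rule is easiest to keep when something checks it for you. Below is an added example (not from the original post, and not a Joomla tool) in Python: a small audit that walks a site's document root and reports every file whose permission bits exceed a policy table. The policy table is an assumption made here, holding only the post's 644 rule for .php files and its general 755 default; extend it with whatever your own security framework specifies. Independently of the table, the audit also reports any file writable by all users, since that is the bit that lets an intruder drop a file to be executed later. The sample tree is constructed in a temporary directory for the demonstration.

```python
import os
import stat
import tempfile

# Policy assumed for this illustration: the maximum permission bits a file of
# each type may carry. The .php entry follows the post's 644; anything not
# listed falls back to the post's general 755. Extend the dict as required.
POLICY = {".php": 0o644}
DEFAULT_MAX_MODE = 0o755


def excess_bits(mode, allowed):
    """Permission bits present in mode that the allowed mask does not grant."""
    return (mode & 0o777) & ~allowed


def audit_tree(root, policy=POLICY, default_max=DEFAULT_MAX_MODE):
    """Walk root and return {relative path: [reasons]} for every file that is
    more permissive than the policy allows, or that is writable by all users.
    Directories themselves are not audited by this example."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            allowed = policy.get(os.path.splitext(name)[1], default_max)
            reasons = []
            if excess_bits(mode, allowed):
                reasons.append("mode %o exceeds policy %o" % (mode & 0o777, allowed))
            if mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


def demo():
    """Build a constructed sample site tree in a temporary directory, audit it,
    and return the findings (the tree is deleted afterwards)."""
    samples = {
        "index.php": 0o644,                  # matches the PHP policy
        "administrator/config.php": 0o666,   # group- and world-writable PHP file
        "images/logo.png": 0o755,            # within the general default
        "tmp/upload.txt": 0o777,             # scratch file left fully open
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("sample\n")
            os.chmod(path, mode)   # chmod is not affected by the process umask
        return audit_tree(root)


if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print(rel, "->", "; ".join(reasons))
```

Point audit_tree at a real document root (for example as a cron job after every extension update) and anything a module left wide open shows up in the report, which is the moment the post says to downgrade the permissions again. On a POSIX host the same check can of course be done with find and its -perm test; the Python version is shown so the policy lives in one place.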


Changing Default Passwords
During installation, CMSs will set up a default password. You must ensure you change these, as trivial passwords like “Password” and “Admin” are known by anyone who has ever done an installation, let alone the hackers. You open up your website to the possibility of a complete takeover by leaving your passwords at the default.
Choosing a long, hard-to-guess password that combines alphanumeric and special characters will go a long way towards preventing you from getting hacked.


Testing Web Apps
Even with the best security framework and practices, it is possible to omit certain parts of your application's security. The solution is vulnerability testing, which can cater for our human flaws.

There are myriad tools available today, both free and premium, with some being complex to install or even requiring Linux to run, while others are as easy as a Firefox add-on. At the end of the day, it depends on what you want to achieve.

An example of a Firefox add-on is “SQL Inject Me”. This will crawl your web page, test form fields and other inputs for SQL injection vulnerabilities, and present you with a report at the end of the scan, which usually lasts only a couple of minutes.

You now have all the information you need. I hope you can prevent attacks on your web applications by putting it to use.

