How to make your Website secure?

For a lot of organizations, websites are things they feel compelled to build for their customers, constituents, or fans. They need one because “everyone has one”, especially their competitors. In my experience, organizations with this mentality treat their website like a cheesy infomercial appliance: once the site “goes live”, little to no resources are spent maintaining it.

Websites are like pets. They’re a long-term commitment. They need constant care and attention. And just like your pet, if you neglect your website bad things will happen. Organizations that do not dedicate resources to website maintenance are punching their one-way train ticket to Hackedville.

As another reminder for the future, here are some highly recommended security tips:
  • Keep systems up to date: It may seem obvious, but keeping all software up to date is vital to keeping your site secure. This applies both to the server operating system and to any software you run on your website, such as a CMS or forum. When security holes are found in software, hackers are quick to try to abuse them. Also make sure you have up-to-date spyware, malware and anti-virus protection on any computer that connects to the site via FTP or SSH. Run a scan on these machines and fix whatever issues arise.
  • SQL injection: SQL injection attacks occur when an attacker uses a web form field or URL parameter to gain access to or manipulate your database. When you build queries out of raw Transact-SQL strings it is easy to unknowingly let rogue input become part of the query, where it can be used to change tables, read information or delete data. You can easily prevent this by always using parametrized queries; most web languages have this feature and it is easy to implement.
  • XSS: Cross-site scripting is when an attacker tries to pass JavaScript or other scripting code into a web form so that it runs in the browsers of visitors to your site. When creating a form, always check the data being submitted and encode or strip out any HTML.
  • Error messages: Be careful about how much information you give away in your error messages. For example, if you have a login form on your website, think about the language you use to communicate a failed login. Use a generic message such as “Incorrect username or password” so as not to reveal when a user got half of the credentials right. If an attacker mounts a brute-force attack to find a username and password, and the error message reveals when one of the fields is correct, the attacker knows that field is right and can concentrate on the other.
  • Server-side form validation: Validation should always be done on both the browser and the server side. The browser can catch simple failures such as empty mandatory fields or text entered into a numbers-only field. These checks can be bypassed, however, so you must repeat them, together with deeper validation, on the server side; failing to do so could allow malicious or scripting code to be inserted into the database, or cause undesirable results on your website.
  • Passwords: Change all FTP user account passwords, and make sure the passwords you set are secure: use upper- and lower-case letters and numbers. Everyone knows they should use complex passwords, but that doesn’t mean they always do. Strong passwords are crucial for your server and website admin area, but it is equally important to insist on good password practices for your users, to protect the security of their accounts.
  • File uploads: Allowing users to upload files to your website can be a big security risk, even if it’s only to change their avatar. The risk is that any uploaded file, however innocent it looks, could contain a script that, when executed on your server, completely opens up your website. If you have a file upload form, treat all files with great suspicion. If you allow users to upload images, you cannot rely on the file extension or the MIME type to verify that the file is an image, as these can easily be faked. Even opening the file and reading the header, or using functions to check the image size, is not foolproof: most image formats allow a comment section that could contain PHP code to be executed by the server.

  • SSL: SSL is a protocol used to provide security over the Internet. Use a security certificate whenever you pass personal information between the website and the web server or database. Attackers could sniff for this information and, if the communication medium is not secure, capture it and use it to gain access to user accounts and personal data.
  • Security tools: Once you think you have done all you can, it’s time to test your website’s security. The most effective way is to use website security tools, in a process often referred to as penetration testing, or pen testing for short.

    There are many commercial and free products to assist with this. They work on a similar basis to the scripts hackers use: they test all known exploits and attempt to compromise your site using some of the previously mentioned methods, such as SQL injection.
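As an added example (not code from the original post), the SQL injection, XSS, server-side validation and file upload tips above are shown as small Python functions, each vulnerable form beside its hardened form. It uses only the standard library; the in-memory database, the sample form submissions and the probe strings are constructed for the demonstration, and the three-class username rule and the age range are this example's own assumptions.

```python
"""Added example: defenses for the tips above, vulnerable beside hardened."""
import html
import re
import sqlite3


def make_db():
    """Constructed in-memory database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.invalid"),
                      ("bob", "bob@example.invalid")])
    return conn


# SQL injection: the input is spliced into the SQL text, so a quote in it
# can rewrite the WHERE clause. Kept only to contrast with the safe form.
def find_user_vulnerable(conn, name):
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


# Parametrized query: the value travels separately from the SQL text and is
# only ever compared as data, never parsed as SQL.
def find_user_parametrized(conn, name):
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


# XSS: html.escape() turns < > & and quotes into entities, so the browser
# displays the text instead of interpreting it as markup.
def render_comment_vulnerable(comment):
    return "<p>" + comment + "</p>"


def render_comment_escaped(comment):
    return "<p>" + html.escape(comment, quote=True) + "</p>"


# Server-side validation: repeats the checks the browser form would do,
# because those can be bypassed. Rule and range are assumptions here.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def validate_signup(form):
    """Returns a list of error strings; an empty list means acceptable."""
    errors = []
    username = form.get("username", "")
    age = form.get("age", "")
    if not USERNAME_RE.match(username):
        errors.append("username must be 3-32 letters, digits or underscores")
    if not age.isdigit() or not 13 <= int(age) <= 120:
        errors.append("age must be a whole number between 13 and 120")
    return errors


# File uploads: check the header bytes instead of trusting the extension or
# the declared MIME type. As the tip above says, a matching header is still
# not proof the file is harmless, so uploads also belong outside the web
# root, under a server-chosen name, and must never be executed.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def sniff_image(data):
    """Image type by magic bytes, or None when the header matches nothing."""
    for signature, kind in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            return kind
    return None


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input containing a quote
    print(find_user_vulnerable(db, probe))    # every user
    print(find_user_parametrized(db, probe))  # nothing
    print(render_comment_escaped("<script>alert(1)</script>"))
    print(validate_signup({"username": "bob; drop", "age": "abc"}))
    print(sniff_image(b"<?php echo 1; ?>"))   # None: not an image
```

Running the file shows the contrast directly: the concatenated query returns every row for the probe, the parametrized one returns nothing, and the escaped comment reaches the browser as visible text.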

References:

http://infospace.ischool.syr.edu/2012/02/07/how-to-keep-your-website-secure-and-avoid-hacking/

http://www.anhosting.com/blog/2011/05/9-ways-to-make-your-website-secure/

http://www.creativebloq.com/web-design/website-security-tips-protect-your-site-7122853

Why use Password Manager?

No matter how many walls are placed around your machine, there is always a key for complete access: your password. There are countless programs that attempt to determine passwords, both by guessing common ones and by randomly generating possibilities and trying them all, or a combination of the two.

The best defense is a “strong password”. A strong password is a combination of numbers, uppercase letters, lowercase letters and, if possible, other characters. This makes the password nearly impossible to guess in a reasonable amount of time, and ensures that all the hard work you put into keeping your machine well defended does not go to waste. The longer the password, the harder it is to guess.

Of course, as passwords get closer to random strings of numbers and letters, they also get harder to remember. That doesn’t mean you have to fall back on a weaker password, though. You can m15peLL w0Rdz intentionally, or use password manager / password vault software.

A password manager will take a load off your mind, freeing up brain power for doing productive things rather than remembering a long list of passwords.

A dedicated password manager will store your passwords in an encrypted form, help you generate secure random passwords, offer a more powerful interface, and allow you to easily access your passwords across all the different computers, smartphones, and tablets you use.
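As an added example (not from the original post), the strength criteria above (length plus mixed character classes) as a Python check, together with a generator of the kind a password manager provides, built on the standard library's secrets module. The 12-character minimum, the three-class rule and the short list of common passwords are this example's own assumptions, and the entropy figure is a rough search-space estimate, not a measure of how guessable a chosen word is.

```python
"""Added example: password strength check and CSPRNG-based generator."""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 12  # assumption for this example


def character_classes(password):
    """Which of lower, upper, digit and other appear in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("other")
    return classes


def entropy_bits(password):
    """log2 of the search space, pool ** length, where the pool is the sum
    of the character classes used: the 'longer is harder' point as a number."""
    classes = character_classes(password)
    pool = 0
    pool += 26 if "lower" in classes else 0
    pool += 26 if "upper" in classes else 0
    pool += 10 if "digit" in classes else 0
    pool += len(string.punctuation) if "other" in classes else 0
    return len(password) * math.log2(pool) if pool else 0.0


def is_strong(password):
    """Long enough, at least three classes, and not a constructed common one."""
    common = {"password", "password_1", "123456", "qwerty"}  # constructed
    return (len(password) >= MIN_LENGTH
            and len(character_classes(password)) >= 3
            and password.lower() not in common)


def generate_password(length=20):
    """Random password from a CSPRNG; retried until it passes is_strong()."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_strong(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ("password_1", "Tr0ub4dor&3-xkcd-9Z", generate_password()):
        print(pw, round(entropy_bits(pw), 1), "bits", "strong" if is_strong(pw) else "weak")
```

The generator uses secrets rather than random because the latter is not a cryptographic source; a manager-generated password only helps if an attacker cannot reproduce the generator's output.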

Some of the best Password Managers are:

1) 1Password 4.0

2) Dashlane 2.4.1

3) KeePass 2.26

4) LastPass 3.1.2

5) PasswordBox 1.3

6) SplashID Safe 7.2.3

References:

http://www.infoworld.com/article/2607798/security/review–the-best-password-managers-for-pcs–macs–and-mobile-devices.html

http://en.wikipedia.org/wiki/Password_manager#Online_password_manager

http://www.pcmag.com/article2/0,2817,2407168,00.asp

http://www.columbia.edu/acis/security/users/passwords.html

http://www.techrepublic.com/blog/it-security/how-to-get-people-to-use-strong-passwords/

How to spot, avoid and report phishing attacks?

Phishing is essentially an online con game, and phishers are nothing more than tech-savvy con artists and identity thieves. They use spam, malicious websites, email messages and instant messages to trick people into divulging sensitive information, such as bank and credit card account details. More formally, phishing is the attempt to acquire sensitive information such as usernames, passwords and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.

What does a phishing email message look like?

[Image: example phishing email]

  • Spelling and bad grammar. Cybercriminals are not known for their grammar and spelling. Professional companies and organizations usually have copy editors who would not allow a mass email like this to go out to users. If you notice mistakes in an email, it might be a scam.
  • Beware of links in email. If you see a link in a suspicious email message, don’t click on it. Rest your mouse pointer on the link (without clicking) to see whether the real address matches the link text in the message. In the example below, the link reveals the real web address, shown in the box with the yellow background; the string of cryptic numbers looks nothing like the company’s web address.
  • Threats. Have you ever received a threat that your account would be closed if you didn’t respond to an email message? The email message shown above is an example of the same trick. Cybercriminals often use threats that your security has been compromised.
  • Spoofing popular websites or companies. Scam artists use graphics in email that appear to be connected to legitimate websites but actually take you to phony scam sites or legitimate-looking pop-up windows.

How do you know?

  • Phishers, pretending to be legitimate companies, may use email to request personal information and direct recipients to respond through malicious web sites.
  • Phishers tend to use emotional language using scare tactics or urgent requests to entice recipients to respond.
  • Phishing sites can look remarkably like legitimate sites because they tend to use the copyrighted images from the legitimate sites.
  • Requests for confidential information via email or instant message tend not to be legitimate.
  • Fraudulent messages are often not personalized and may share similar properties like details in the header and footer.

How do you avoid being a victim?

  • Don’t reveal personal or financial information in an email, and do not respond to email solicitations for this information. This includes following links sent in email.
  • Before sending sensitive information over the Internet, check the security of the website.
  • Pay attention to the website’s URL. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com versus .net).
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Contact the company using information provided on an account statement, not information provided in the email. Information about known phishing attacks is available online from groups such as the Anti-Phishing Working Group. Report phishing to the Anti-Phishing Working Group (APWG).
  • Keep a clean machine. Having the latest operating system, software, web browser, anti-virus protection and apps is the best defense against viruses, malware and other online threats.
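The “beware of links in email” and “pay attention to the website’s URL” advice above can be automated for incoming mail. The following Python scanner is an added example (not from the original post or any product named on this page): it pulls every link out of an HTML message body and flags the three signs described, a bare IP address in place of a company name, visible link text that names a different address than the real target, and a domain that merely contains your company's name. The sample message, the trusted-domain list and the hostnames are constructed; the registrable-domain helper is a simplification that ignores multi-part suffixes such as co.uk.

```python
"""Added example: flag the phishing link patterns described above."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

TRUSTED_DOMAINS = {"example-bank.invalid"}  # constructed allow-list of your own domains
# Visible anchor text is treated as an address only if it looks like one.
ADDRESS_RE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in a body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html_body):
    parser = _LinkCollector()
    parser.feed(html_body)
    return parser.links


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def shown_host(text):
    """Hostname the visible text appears to name, '' if it is not address-like."""
    if not ADDRESS_RE.match(text):
        return ""
    return host_of(text if "://" in text else "http://" + text)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable(host):
    """Last two labels (simplification: ignores suffixes such as co.uk)."""
    return ".".join(host.split(".")[-2:])


def suspicious_links(html_body, trusted=TRUSTED_DOMAINS):
    """Returns (href, reason) for each link that shows one of the signs above."""
    findings = []
    for href, text in extract_links(html_body):
        host = host_of(href)
        if not host:
            continue
        if is_ip_literal(host):
            findings.append((href, "link target is a bare IP address"))
            continue
        shown = shown_host(text)
        if shown and registrable(shown) != registrable(host):
            findings.append((href, "visible address %s differs from target %s" % (shown, host)))
            continue
        if registrable(host) not in trusted:
            for good in trusted:
                if good.split(".")[0] in host:  # trusted name buried in another domain
                    findings.append((href, "look-alike of %s" % good))
                    break
    return findings


# Constructed sample message; .invalid and .test are reserved, non-routable names.
SAMPLE_EMAIL = """<p>Your account will be suspended. Verify now:</p>
<a href="http://203.0.113.7/login">example-bank.invalid</a>
<a href="http://example-bank.invalid.verify-now.test/">https://example-bank.invalid/account</a>
<a href="https://example-bank.invalid/help">https://example-bank.invalid/help</a>
<a href="http://example-bank-secure.test/">Click here</a>"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL):
        print(href, "->", reason)
```

Of the four links in the sample, only the genuine help link passes; the other three each trip a different rule, which mirrors the manual hover check the bullet describes.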

What to do if you think you are a victim?

  • Report it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.
  • If you believe your financial accounts may be compromised, contact your financial institution immediately and close the account(s).
  • Watch for any unauthorized charges to your account.

Some tips:

  • When in doubt, throw it out: Links in email, tweets, posts, and online advertising are often the way cybercriminals compromise your computer. If it looks suspicious, even if you know the source, it’s best to delete or, if appropriate, mark it as junk email.
  • Think before you act: Be wary of communications that implore you to act immediately, offer something that sounds too good to be true, or ask for personal information.
  • Secure your accounts: Ask for protection beyond passwords. Many account providers now offer additional ways for you to verify who you are before you conduct business on their site.
  • Make passwords long and strong: Combine capital and lowercase letters with numbers and symbols to create a more secure password.
  • Unique account, unique password: Separate passwords for every account help to thwart cybercriminals.

Examples of Phishing Scams:

2003 saw the proliferation of a phishing scam in which users received emails supposedly from eBay claiming that the user’s account was about to be suspended unless he clicked on the provided email link and updated the credit card information that the genuine eBay already had. Because it is relatively simple to make a website look like a legitimate organization’s site by mimicking the HTML code, the scam counted on people being tricked into thinking they were actually being contacted by eBay and were subsequently going to eBay’s site to update their account information.

References:

  1. http://us.norton.com/security_response/phishing.jsp
  2. http://en.wikipedia.org/wiki/Phishing
  3. http://www.staysafeonline.org/stay-safe-online/keep-a-clean-machine/spam-and-phishing
  4. http://www.webopedia.com/TERM/P/phishing.html
  5. http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx
  6. https://www.onguardonline.gov/phishing

Apache SSL/TLS Certificate Installation

OpenSSL CSR Wizard

1. Fill in the details, click Generate, then paste your customized OpenSSL CSR command into your terminal.


OpenSSL creates both your private key and your certificate signing request, and saves them to two files: a .key file and a .csr file. You can then copy the contents of the CSR file and paste it into the CSR text box in the order form.

Apache server SSL Certificate Installation

1. Copy the certificate files to your server.

Download your Intermediate (DigiCertCA.crt) and Primary Certificate (your_domain_name.crt) files from your Customer Area, then copy them to the directory on your server where you will keep your certificate and key files. Make them readable by root only.

2. Find the Apache config file to edit.

Apache configuration files are typically found in /etc/httpd. The main configuration file is usually named httpd.conf. In some cases the <VirtualHost> blocks will be at the bottom of this httpd.conf file. Sometimes you will find the <VirtualHost> blocks in their own files under a directory like /etc/httpd/vhosts.d/ or /etc/httpd/sites/ or in a file called ssl.conf.

3. Identify the SSL <VirtualHost> block to configure.

If you need your site to be accessible through both secure (https) and non-secure (http) connections, you will need a virtual host for each type of connection. Make a copy of the existing non-secure virtual host and configure it for SSL as described in step 4.

If you only need your site to be accessed securely, configure the existing virtual host for SSL as described in step 4.

4. Configure the <VirtualHost> block for the SSL-enabled site.

The easiest way to do this is to uncomment the following line (i.e. remove the # character) in the httpd.conf file: #Include conf/extras/httpd-ssl.conf. That file has most of the SSL-related settings configured out of the box; you only have to point the VirtualHost settings at your website, directories and certificate files.

Adjust the file names to match your certificate files:

  • SSLCertificateFile should be your DigiCert certificate file (e.g. your_domain_name.crt).
  • SSLCertificateKeyFile should be the key file generated when you created the CSR.
  • SSLCertificateChainFile should be the DigiCert intermediate certificate file (DigiCertCA.crt).
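As an added example (not part of the original post or of DigiCert’s instructions), a small Python check that ties step 4’s three directives to step 1’s “readable by root only” requirement: it parses a <VirtualHost> block, confirms that each of the three files exists, and confirms that the group and other permission bits are clear. The directive names are real Apache directives; the block text, the domain and the temporary files are constructed for the demonstration, and the check looks at mode bits only (root ownership is not asserted, so the demo can run as any user).

```python
"""Added example: verify the SSL file directives of a VirtualHost block."""
import os
import re
import stat
import tempfile

SSL_DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile",
                  "SSLCertificateChainFile")
DIRECTIVE_RE = re.compile(r"^\s*(SSLCertificate(?:Key|Chain)?File)\s+(\S+)", re.M)


def parse_ssl_directives(vhost_text):
    """Maps directive name -> path for the SSL file directives present."""
    return {name: path for name, path in DIRECTIVE_RE.findall(vhost_text)}


def check_ssl_files(vhost_text):
    """Returns a list of problems; an empty list means the block passes."""
    found = parse_ssl_directives(vhost_text)
    problems = []
    for name in SSL_DIRECTIVES:
        if name not in found:
            problems.append("%s is not set" % name)
            continue
        path = found[name]
        if not os.path.isfile(path):
            problems.append("%s points to missing file %s" % (name, path))
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        # group/other bits must be clear: 0600 passes, 0644 is flagged
        if mode & 0o077:
            problems.append("%s file %s is readable by group/other (mode %o)"
                            % (name, path, mode))
    return problems


def demo():
    """Builds constructed placeholder files in a temp dir (a 0600 key, a
    0644 key, two certificates) and checks a good and a bad block.
    Returns both problem lists."""
    tmp = tempfile.mkdtemp()
    paths = {}
    for fname, mode in (("your_domain_name.crt", 0o600), ("DigiCertCA.crt", 0o600),
                        ("private.key", 0o600), ("leaky.key", 0o644)):
        path = os.path.join(tmp, fname)
        with open(path, "w") as fh:
            fh.write("placeholder, not a real certificate or key\n")
        os.chmod(path, mode)
        paths[fname] = path
    template = """<VirtualHost *:443>
    ServerName www.example.invalid
    SSLEngine on
    SSLCertificateFile %s
    SSLCertificateKeyFile %s
    SSLCertificateChainFile %s
</VirtualHost>"""
    good = template % (paths["your_domain_name.crt"], paths["private.key"],
                       paths["DigiCertCA.crt"])
    bad = template % (paths["your_domain_name.crt"], paths["leaky.key"],
                      os.path.join(tmp, "missing.crt"))
    return check_ssl_files(good), check_ssl_files(bad)


if __name__ == "__main__":
    good_result, bad_result = demo()
    print("good block:", good_result or "no problems")
    print("bad block:", bad_result)
```

On a real server you would feed check_ssl_files() the text of the SSL <VirtualHost> block (or the included httpd-ssl.conf) before running apachectl configtest, since configtest only checks syntax and does not complain about a world-readable private key.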

5. Test your Apache config before restarting.

Run the following command: apachectl configtest

6. Restart Apache.

apachectl stop
apachectl start

References:

https://www.digicert.com/ssl-certificate-installation-apache.htm

https://www.digicert.com/csr-creation-apache.htm

https://www.digicert.com/easy-csr/openssl.htm

How to know if an online transaction is secure?

The Internet has made banking, shopping, and conducting other on-line financial transactions quite convenient. But when it comes to our money, we definitely want to make sure our transactions are safe.

In this post, I will show you the steps you need to take to make on-line shopping a safe and enjoyable experience. Before sending any sensitive or financial information on-line, you want to know that you are communicating with a secure site. Secure sites make sure all information you send is encrypted, or protected, as it travels across the Internet. The HTTPS address heading and your browser’s security symbol are two signs indicating you are on a secure site.

Security Symbol

Web addresses either begin with HTTP or HTTPS. If the address is HTTPS, the information you send to it is encrypted and will look like gibberish if intercepted by cybercriminals. Your browser will use a security symbol or a lock to indicate that the browser verifies the website is a secure site.

[Images: the security symbol as shown in Chrome, Firefox and Internet Explorer 9]

SSL Certificate

Secure sites have an SSL certificate. It does two things. First, it acts like a driver’s license. It means, “I am who I say I am”. Second, it enables encryption. This is what you should look for on an SSL Certificate:

[Image: SSL certificate with the fields to check marked up]

1. Check that the website you are doing transactions with matches the website named on the certificate.

2. Check that the certificate authority that issued the SSL certificate is trustworthy.

3. Check that the certificate has not expired.
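The three checks above, as an added Python example (not from the original post), applied to a certificate in the dictionary layout that Python's ssl.SSLSocket.getpeercert() returns. The sample certificate and the trusted-issuer list are constructed; the hostname matcher is a simplified one that handles a single leading wildcard label, and “trustworthy authority” is reduced to a name lookup, whereas a browser also verifies the chain of signatures back to a root it ships with.

```python
"""Added example: hostname, issuer and validity checks on a peer certificate."""
import ssl
import time

TRUSTED_ISSUERS = {"Example Trusted CA"}  # constructed: authorities you accept

SAMPLE_CERT = {  # constructed, same layout as getpeercert() output
    "subject": ((("commonName", "shop.example.invalid"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "shop.example.invalid"),
                       ("DNS", "*.pay.example.invalid")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def _name_matches(pattern, host):
    """Exact match, or a single leading '*' standing for exactly one label."""
    if pattern == host:
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return False


def names_in(cert):
    """DNS names from subjectAltName plus the subject commonName."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def issuer_org(cert):
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def check_certificate(cert, hostname, now=None, trusted=TRUSTED_ISSUERS):
    """Returns the failed checks as strings; an empty list means all three pass."""
    now = time.time() if now is None else now
    host = hostname.lower()
    problems = []
    # 1. the site you are talking to must be one the certificate names
    if not any(_name_matches(name.lower(), host) for name in names_in(cert)):
        problems.append("hostname %s not among certificate names %s" % (host, names_in(cert)))
    # 2. the issuing authority must be one you trust
    if issuer_org(cert) not in trusted:
        problems.append("issuer %r is not a trusted authority" % issuer_org(cert))
    # 3. the certificate must be inside its validity window
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        problems.append("certificate not valid now (expires %s)" % cert["notAfter"])
    return problems


if __name__ == "__main__":
    print(check_certificate(SAMPLE_CERT, "shop.example.invalid") or "all checks pass")
    print(check_certificate(SAMPLE_CERT, "shop.example.invalid", now=1_900_000_000))
```

The now parameter exists so the expiry check can be exercised at a chosen instant; the real ssl module performs these checks for you when you create a default context, and this example only makes each of the three steps visible.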

References:

1. http://windows.microsoft.com/en-us/windows/know-online-transaction-secure#1TC=windows-7

2. http://www.gcflearnfree.org/internetsafety/6/print

Introduction to SSL Certificate Configuration

Secure Sockets Layer (SSL) is a standard cryptographic protocol for secure communication over the Internet. SSL allows sensitive information to be transmitted securely. The browser and the server need an SSL certificate to establish a secure connection. An SSL connection involves different kinds of keys: a public key, a private key and a session key. The certificate also contains a “subject”, which identifies the certificate/website owner.

A certificate signing request (CSR) is produced by a process that creates a public and private key pair on your server. The CSR data file that you send to the certificate authority (CA) contains the public key. The CA uses the public key to create a data structure that matches your private key. The CA never sees the private key.

Steps in the creation of a secure connection:

[Image: browser/server communication]

  1. The browser connects to a web server secured with https and asks it to identify itself.
  2. The server sends a copy of its SSL certificate, which includes its public key.
  3. If the browser trusts the certificate, it generates a session key, encrypts it with the server’s public key and sends it to the server.
  4. The server decrypts the session key using its private key.
  5. Both sides now encrypt all transmitted data with the session key.

SSL self-signed certificate configuration for Apache (Kali Linux):

1. Open a terminal and type sudo make-ssl-cert generate-default-snakeoil. The snakeoil certificate is the default SSL certificate for services that use SSL in the Linux distribution.


2. Then type sudo a2enmod ssl. This command enables the SSL module.


3. Type a2ensite default-ssl.


4. Type sudo service apache2 restart. Apache needs to be restarted to apply the new configuration.


5. Now you will be able to open localhost over https.


Compression Ratio Info-leak Made Easy (CRIME) is a security exploit against secret web cookies sent over HTTPS connections that also use data compression. The attack taught us that compression can endanger confidentiality: in particular, it is dangerous to concatenate attacker-supplied data with sensitive secret data and then compress and encrypt the concatenation. HTTP compression is enabled only if both the browser and the server support it, and many do because it improves performance. To disable compression in Apache:

1. Type sudo a2dismod deflate.

2. Now restart apache2 by typing sudo service apache2 restart.
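As an added example (not from the original post), the reason behind the CRIME paragraph above made measurable in Python. zlib stands in for the HTTP/TLS compressor: when attacker-controlled text is compressed together with a secret, the compressed size is smaller if the text repeats bytes that already occur in the secret, and encryption does not hide sizes, so the size alone reveals something about the secret. The cookie value, the page text and the two guesses are constructed; the last function shows the defensive property that disabling compression (as the two steps above do) restores, namely a size that no longer depends on the secret.

```python
"""Added example: compressed length of attacker data + secret leaks the secret."""
import zlib

SECRET_COOKIE = b"session=7f3a9c1e4b2d"  # constructed, not a real session id
PAGE_TEXT = b"some unrelated page text, repeated to give the compressor context. " * 2


def compressed_size(attacker_part, secret=SECRET_COOKIE):
    """Bytes after compressing page text, attacker-controlled text and the
    secret as one stream, which is what a compressing channel does."""
    return len(zlib.compress(PAGE_TEXT + attacker_part + secret, 9))


def size_leaks(matching_guess, non_matching_guess):
    """True when a guess that shares a prefix with the secret compresses to
    fewer bytes than an equally long guess that does not: that difference,
    visible through the encryption, is the side channel CRIME exploits."""
    return compressed_size(matching_guess) < compressed_size(non_matching_guess)


def compressed_size_separately(attacker_part, secret=SECRET_COOKIE):
    """Defensive shape: the secret is kept out of the compressed stream, so
    the transmitted size is the same whatever the attacker-controlled text
    shares with it. Turning compression off achieves the same thing for
    the whole response."""
    return len(zlib.compress(attacker_part, 9)) + len(secret)


if __name__ == "__main__":
    right = b"session=7f3a9c"   # constructed: shares 14 bytes with the secret
    wrong = b"session=qwxvkj"   # constructed: same length, shares only 8
    print("mixed stream:   ", compressed_size(right), "vs", compressed_size(wrong))
    print("secret separate:", compressed_size_separately(right), "vs",
          compressed_size_separately(wrong))
```

The two guesses have the same length and the same letter frequencies, so the only thing that differs between them is how much of the secret each one repeats; that is exactly what the first pair of sizes reveals and the second pair does not.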

For more information:

http://en.wikipedia.org/wiki/Transport_Layer_Security

http://ubuntuforums.org/showthread.php?t=2003654

https://www.digicert.com/ssl.htm

http://en.wikipedia.org/wiki/CRIME