Our resident security guru, Adam Kwiatkowski, outlines the what a security vulnerability is for open sourced websites (the kind energetica builds) and how we protect against hackers.

1. Website Security
What you need to know.

2. Example of hacked website

3. If your website is run on Joomla, Drupal, CiviCRM
then your site is at risk of being hacked.
Joomla, Drupal and CiviCRM developers often release
security patches, which fix security vulnerabilities
with their software.
Your website (code) needs to be patched regularly
with security updates (just like your computer) to keep
it secure, in combination with other strategies.
How did this happen?

4. Allows an attacker to:
Execute commands as another user.
Access data contrary to the specified access restrictions for
that data.
Pose as another entity.
Conduct a denial of service.
Conduct information gathering activities.
Hide activities. The google search shows an example
of an attacker hiding links in your site that redirect your
users to their website!
Includes a capability that behaves as expected, but can
be easily compromised.
What is a software vulnerability?

5. 3. What Actually Executes
SELECT Username, Password FROM Users
WHERE Username = '' OR 1=1 #' and
Password = ''
2. Login Code
The developer’s code to check logins:
$check = mysql_query("SELECT
Username, Password, UserLevel FROM
Users WHERE Username = '".
$_POST['username']."' and Password = '".
$_POST['password']."'");
1. User Logs In
User enters ‘ OR 1=1 # as
username.
4. The Result?
# is a comment in MySQL, and 1=1 will
always be TRUE. Thus, the login code
returns all users, and logs in the first user
in the database (typically an admin user).
A software vulnerability example

6. Mitigation Strategies
Source: Australian Government
Department of Defence 2013

7. The Open Web Application Security Project - owasp.org. Community
dedicated to enabling organisations to develop, purchase and maintain
applications that can be trusted.
1. Injection - i.e. The login example
2. Cross Site Scripting
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-site Request Forgery
6. Security Misconfiguration - i.e. Ensure users have appropriate access.
7. Insecure Cryptographic Storage - i.e. Don’t store sensitive information
without appropriate encryption.
8. Failure to restrict URLs - i.e. Ensure sensitive information requires login.
9. Insufficient Transport Layer Protection (No SSL when required) i.e. Use an SSL
certificate when appropriate.
10. Unvalidated Redirects and Forwards i.e. When you host with us, we install
tools that proactively protect your site for added security.
OWASP Top 10 Risks

8. 1. Use maintained website platforms and modules:
Use well known software and modules that don’t feature regularly on the Joomla
and Drupal vulnerable extensions list.
https://drupal.org/security
http://docs.joomla.org/Vulnerable_Extensions_List
2. Don’t use Joomla 1.5 or Drupal 6!
If you have a Joomla v1.5 site or Drupal v6 site contact Energetica about
upgrading your site. There are many known security vulnerabilities with these
versions and we recommend not using them in production.
3. Apply Security Updates when released. We can proactively update core
Drupal, CiviCRM and Joomla versions when security updates are released as
part of our support packages.
4. Limit administration privileges. Perform regular audits of users and their
access.
5. Patch the OS. We routinely patch our web hosting servers with the latest
security updates.
Prevention better than cure

9. Go to
www.unmaskparasites.com
and enter your website.
See the links shown are
ones you expect or know!
The example shows
Energetica’s website. All
of the links returned are
valid for us.
If you are unsure of the
results of your scan,
discuss them with us.
If your site has been
hacked, Energetica can
remove the hack and
help prevent it from
happening again.
Free Quick Check