What you need to know about website security

Our resident security guru, Adam Kwiatkowski, outlines what a security vulnerability is for open-source websites (the kind Energetica builds) and how we protect against hackers.

Published in: Technology

  1. Website Security: What you need to know.
  2. Example of a hacked website.
  3. How did this happen? If your website runs on Joomla, Drupal or CiviCRM, then your site is at risk of being hacked. The Joomla, Drupal and CiviCRM developers regularly release security patches that fix vulnerabilities in their software. Your website (its code) needs to be patched regularly with security updates, just like your computer, to keep it secure, in combination with other strategies.
  4. What is a software vulnerability? A flaw that allows an attacker to: execute commands as another user; access data contrary to the specified access restrictions for that data; pose as another entity; conduct a denial of service; conduct information-gathering activities; or hide activities. This includes a capability that behaves as expected but can be easily compromised. The Google search shows an example of an attacker hiding links in your site that redirect your users to their website!
  5. A software vulnerability example.
     1. User logs in: the user enters ' OR 1=1 # as the username.
     2. Login code: the developer's code to check logins is
        $check = mysql_query("SELECT Username, Password, UserLevel FROM Users WHERE Username = '". $_POST['username']."' and Password = '". $_POST['password']."'");
     3. What actually executes:
        SELECT Username, Password FROM Users WHERE Username = '' OR 1=1 #' and Password = ''
     4. The result? # is a comment in MySQL, and 1=1 will always be TRUE. Thus the login code returns all users, and logs in the first user in the database (typically an admin user).
  6. Mitigation Strategies (source: Australian Government Department of Defence, 2013).
  7. OWASP Top 10 Risks. The Open Web Application Security Project (owasp.org) is a community dedicated to enabling organisations to develop, purchase and maintain applications that can be trusted. 1. Injection, i.e. the login example. 2. Cross-Site Scripting. 3. Broken Authentication and Session Management. 4. Insecure Direct Object References. 5. Cross-Site Request Forgery. 6. Security Misconfiguration, i.e. ensure users have appropriate access. 7. Insecure Cryptographic Storage, i.e. don't store sensitive information without appropriate encryption. 8. Failure to Restrict URL Access, i.e. ensure sensitive information requires login. 9. Insufficient Transport Layer Protection (no SSL when required), i.e. use an SSL certificate when appropriate. 10. Unvalidated Redirects and Forwards. When you host with us, we install tools that proactively protect your site for added security.
  8. Prevention is better than cure. 1. Use maintained website platforms and modules: use well-known software and modules that don't feature regularly on the Joomla and Drupal vulnerable extensions lists (https://drupal.org/security, http://docs.joomla.org/Vulnerable_Extensions_List). 2. Don't use Joomla 1.5 or Drupal 6! If you have a Joomla v1.5 or Drupal v6 site, contact Energetica about upgrading it. There are many known security vulnerabilities in these versions and we recommend not using them in production. 3. Apply security updates when released. We can proactively update core Drupal, CiviCRM and Joomla versions when security updates are released, as part of our support packages. 4. Limit administration privileges. Perform regular audits of users and their access. 5. Patch the OS. We routinely patch our web hosting servers with the latest security updates.
  9. Free Quick Check. Go to www.unmaskparasites.com and enter your website. Check that the links shown are ones you expect or know. The example shows Energetica's website; all of the links returned are valid for us. If you are unsure of the results of your scan, discuss them with us. If your site has been hacked, Energetica can remove the hack and help prevent it from happening again.
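The login example from slide 5, rebuilt here as an added example (not code from the deck or from Energetica): the same query assembled by string concatenation, beside a parameterised version, run against a constructed in-memory SQLite table. SQLite uses `--` rather than MySQL's `#` as the line-comment marker, so the payload is adapted accordingly; the user rows and the `make_db` helper are assumptions for this demonstration.

```python
import sqlite3

# Constructed sample data (not from the slide deck). The admin row comes first,
# mirroring the slide's note that the first user is typically an admin.
SAMPLE_USERS = [
    ("admin", "hunter2", 9),
    ("alice", "correct horse", 1),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory Users table using the slide's column names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT, UserLevel INTEGER)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_login(conn, username: str, password: str):
    """The slide's login check, rebuilt with string concatenation.
    Returns every row the query matched, as the vulnerable PHP would."""
    sql = ("SELECT Username, Password, UserLevel FROM Users WHERE Username = '"
           + username + "' and Password = '" + password + "'")
    return conn.execute(sql).fetchall()


def safe_login(conn, username: str, password: str):
    """The same check with a parameterised query: the input is bound as data,
    so quotes and comment markers inside it can never change the SQL."""
    sql = ("SELECT Username, Password, UserLevel FROM Users "
           "WHERE Username = ? and Password = ?")
    return conn.execute(sql, (username, password)).fetchall()


# Slide 5 payload with SQLite's "--" comment in place of MySQL's "#":
# close the quote, make the WHERE clause always true, comment out the rest.
INJECTED_USERNAME = "' OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_login(db, INJECTED_USERNAME, ""))  # every user; admin is first
    print(safe_login(db, INJECTED_USERNAME, ""))        # [] : no such user
    print(safe_login(db, "alice", "correct horse"))     # [('alice', 'correct horse', 1)]
```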