[Security] AMS Webhosting Security Features


Saturday, June 19th, 2010 - Security

This is a continuation of our Security Guide; see the previous post.

AMS Computer Services tries to help by providing security tools and system checks to ensure that your website remains safe. We perform many services in the background regarding the security of your webhosting account.

Routine Security Checks
We perform routine security checks to ensure that the files on your account are safe and free from any known malicious code. While it is impossible to scan for every bit of malicious code, we make the effort to identify malicious code to the best of our ability. Because it is impossible to know about every piece of malicious code, you should always practice good security behavior for your webhosting account.

Routine Script Checks
We try to perform version checks for certain popular scripts. If you are using an outdated version of a script, you should be notified and you should consider upgrading. AMS Computer Services cannot upgrade the script for you; this is an action that needs to be performed by the end-user client, because that individual is more knowledgeable about the customizations that have been made to their webhosting account. We can only recommend and urge you to upgrade. We can, however, disable outdated scripts if we believe that they will be a security problem.

FTP Login Notifications
This is one of our newer services. We noticed a lot of account hackings taking place via FTP. One way to help in this aspect is to notify you when someone logs in via FTP. You, the account owner, then have to decide the legitimacy of that FTP login. While this does not stop an outright hacking via FTP, it can serve to notify you if and when an unauthorized FTP login occurs, and this can warn you that your login information has been compromised in some way. More information about our FTP login notification system can be found in this post.

Password Strength
One issue we had previously seen was that a lot of users were using simple and easy-to-guess passwords. A password can be the only thing that distinguishes you from an unauthorized person. If your password is easy to guess, then someone who is not authorized to make changes to your account can become authenticated and authorized to make changes to your hosting account. For this reason a strong account password is encouraged. The more difficult it is for a password to be guessed, the more secure your account is.

Steven


[Security] Password Security


Friday, June 18th, 2010 - Security

This is a continuation of our Security Guide; see the previous post.

What else can you do to protect yourself from hacking? In addition to securing your personal computer from malware and other malicious software, you should practice good overall security on your computer.

Are you storing your passwords on your computer? Are you saving your account’s password in your FTP client’s site manager? Are you saving login information in your browser? If you never have to manually type your password when connecting via FTP or to your cPanel or any other secure area, then you may be at risk. If you are never entering your password, then this means it is being stored somewhere on your computer. If it is stored somewhere on your computer, then it is free for the taking should any malware or malicious software exist on your computer.

Securing Passwords
You may have heard that writing down your password is a bad idea. This depends on your environment. If you work in an office cubicle, then having a piece of paper with your passwords written on it sitting next to your computer is probably not a good idea. But if you work from home, or only access your secure areas at home on your personal computer, then having your passwords written down beside your computer is less of a security risk, as long as your house and the room that your computer is in stay secure and you do not have any unwanted visitors. Keeping your passwords written down, completely separate from your computer, is probably the best way to keep your passwords secure (I suppose memorizing your passwords completely would be the best way!). But if you work in a cubicle environment and need your passwords, perhaps keeping the password sheet in your wallet or some other item that you always have with you is best. In any case, making an effort to obscure your password, by placing the password sheet in a drawer or underneath something, is probably a good idea.

Why is this a better option than saving your passwords on your computer? By keeping your passwords separate from your computer you are preventing malware from learning your passwords. Malware may get installed on your computer and it may be able to tell that you are the webmaster for your website, but it can only guess at what your password might be, because if the password isn’t on your computer, it can’t know what your password is.

If you consider the ideal situation where you only access your website administrative side from your home computer, then generally you would be more trusting of any family members that might run across your password sheet. Compare this to the threat of malware stealing your login credentials from your computer and decide for yourself which is the higher risk.

Encrypt your passwords
If you must store your passwords on your computer, then it makes sense to secure these passwords as much as possible. Avoid using built-in site managers or browsers to store and save your passwords, as these can be easily compromised. Instead, I recommend the program KeePass. This is a program that you can store password information with; it encrypts the data to make it more difficult for hackers and malware to read your password information.

With KeePass you create a single file that has all of your different password information. You can save this file, and encrypt it with a public/private key encryption system and also with a passphrase. The passphrase is not required, but I like having it just because it gives an extra layer of security. Here you can use an easy to remember password, which can then unlock the program to list all of your passwords.

I would recommend that you install this program and give it a try.

Secure your programs
Keeping scripts and applications that are on your website up-to-date is important. But it is also important that you keep the software installed and running on your computer up-to-date. One way to accomplish this is with Secunia’s Personal Software Inspector Program.

Secunia PSI works by scanning your computer to see what programs you have installed and what version. It then compares this information with a list of known software applications and their latest version. It will warn you about any software that is found on your computer but is not up-to-date. You can then take steps to remove or update the software to the latest version.

Secunia PSI keeps itself up-to-date so that it always has an updated list of application versions. If you keep it running in your System Tray, it will let you know when a new version of software is available.

Keeping the software applications on your computer up-to-date helps to ensure that hackers, malware, and malicious software cannot take advantage of known security holes in that outdated software.

Steven



[Security] Fighting Malware


Thursday, June 17th, 2010 - General

This is a continuation of our Security Guide; see the previous post.

Lately the most prevalent method of hacking a website is not based on outdated scripts or even server-side related. It is a client-side issue, meaning your local computer, the computer you are using right now to read this.

Hackers are using viruses, trojans, spyware, adware, keyloggers and general malware to hack your personal computer and steal your account information (among other things). They can then use this information to access your hosting account and hack your website to include malicious code.

It used to be that the term virus was a straightforward term. Viruses were written and each virus would have a certain signature that virus scanner companies would identify and write a definition for. While traditional viruses still remain a threat on your personal computer, the field has actually been expanded to include trojans, spyware, adware, keyloggers (all of which I will refer to as malware from here on out) and just general malicious code. Identifying a threat on your computer is no longer as simple as identifying a virus with a virus scanner; malware detection software must also be used, and even then some threats are undoubtedly going to slip through the cracks.

For the purposes of this article I am going to focus on malware on the Windows operating system. This isn’t to say that Linux, Macs, and other operating systems do not have their fair share of viruses and malware; it just seems that Windows malware is more prominent.

If you do not already have anti-malware software installed on your computer, I recommend installing Microsoft’s Security Essentials suite. Microsoft Security Essentials acts as both an anti-virus solution and an anti-malware solution. I have read plenty of good reviews about the software and it seems to be the best around.

What to do if you already have malware or suspect that you have malware installed on your computer?
You may have received a message from us where perhaps someone uploaded malicious content to your hosting account and we suspect that your computer is infected with malware. Or you may just suspect that your account information has leaked out. How do you find what is responsible? How do you resolve it?

Well, the issue is multiplied if you have used multiple computers to access your account. If you have only accessed your account from an administrative perspective (i.e., accessed FTP or your cPanel, etc.) from your one computer at home, then this would be your target machine. However, if you’ve accessed the administrative aspect of your hosting account from multiple computers (say your home computer, your work computer, your laptop, and a public computer at a library), then identifying which computer is infected is increasingly difficult. You really can’t know which computer is infected and thus you have to scan all of these computers for viruses and malware (except for the public computer at the library; they may not take kindly to you running extensive scans).

The process of scanning for viruses and trojans is long and exhaustive. You may have heard the saying “An ounce of prevention is worth a pound of cure.” This is true in this regard as well. The more securely you can operate, the less likely you are to become infected and end up in this predicament.

Scanning for Viruses
You should scan the suspected computer (or computers) for viruses using an up-to-date virus scanner. Generally any anti-virus program will work, but two free ones are AVG and Avast! Just make sure that you have updated to the most recent definitions database for the anti-virus program. In general, scanning with multiple anti-virus programs is better, because one program might identify something that another program missed. However, you cannot keep two anti-virus programs installed at the same time, so you would have to uninstall or remove an anti-virus program before installing a new one. Scanning with multiple anti-virus programs is not required; I just mention it in case you are increasingly vigilant in your endeavor to find the culprit software.

As stated before, virus scanners won’t necessarily catch everything because today’s threats aren’t necessarily viruses but more malware or malicious code/applications.

Scanning for Malware
If you do not already have any anti-malware software installed on your computer, again I recommend installing Microsoft Security Essentials. But if you suspect that you already have malware installed on your computer and you do not have Microsoft Security Essentials installed, then do not install it right now. Instead I recommend following the steps below.

As with virus scanning, using more than one malware scanner is best. However, unlike virus scanning, using multiple malware scanners is much more effective. Results from different malware scanners are more likely to vary than results from different virus scanners. This is because virus scanning is fairly straightforward and most virus scanners will search for the same thing. This is not true with malware and malware scanners. Different malware scanners will use different methods to find and detect malware or potential malware. For this reason, I believe it is more important to use multiple malware scanners than it is to use multiple virus scanners.

Note that the anti-malware programs listed below may detect cookies or Tracking cookies. These generally aren’t good, but they aren’t really malware in the sense that they could do any real damage to your computer. Removing these Tracking cookies is probably a good thing, but they aren’t considered malware for our purposes.

If you suspect that your computer (or computers) has malware and you do not have any current anti-malware detection software installed, I would follow these steps:

1. Install and scan with MalwareBytes
Install MalwareBytes onto your computer and run it to detect malware. MalwareBytes is an anti-malware solution that comes highly recommended within the anti-malware community.

MalwareBytes Website

Once you have installed MalwareBytes, run it, and be sure to update the definitions to the latest version. Then search for malware on your computer. If it finds anything, resolve the issue accordingly. Telling you specifically how to deal with it is beyond the scope of this article, because the infected or affected files may have more importance to you. You just need to be able to decide for yourself how to deal with it.

After you have resolved the issues that Malwarebytes has found and/or after a clean run you will want to remove MalwareBytes from your computer. Use Windows’ Add/Remove system to remove the program from your computer.

2. Install and scan with Adaware
Install Adaware on your computer and run it to detect spyware/adware/malware. Adaware is another program that has won some awards for being the best malware detector.

AdAware Website

Once you have installed Adaware, run it and update the Adaware definitions to the latest version. Then use the program to scan your computer for malware. If it finds anything, you will need to resolve those issues accordingly. Again, telling you specifically how to deal with Adaware’s findings is beyond the scope of this article; you will have to decide for yourself how to proceed with its results.

After you have resolved the issues that Adaware has found and/or after a clean Adaware scan, then you will want to remove Adaware from your computer. Again, use Windows’ Add/Remove system to remove the program from your computer.

3. Install and scan with Spybot Search & Destroy
Install Spybot Search & Destroy on your computer and run it to detect malware. Spybot Search & Destroy is recommended by anti-malware experts as a solid malware detection program.

Spybot Search & Destroy Website

When you install Spybot Search & Destroy one of the questions will be to enable Tea Timer in the install. You do not have to install this. Tea Timer is Spybot’s real time scanner. It runs in the background constantly looking for malware on your computer. This won’t be necessary because we are going to remove the program after we have scanned with it. When you run Spybot Search & Destroy make sure that you update its definitions so that you are using the latest version. Scan your computer for malware with Spybot Search & Destroy and resolve any issues that it may identify.

After you have resolved any issues that Spybot Search & Destroy found and/or after a clean scan, then you will want to remove Spybot Search & Destroy from your computer using Windows’ Add/Remove system to remove the program from your computer.

4. Install and scan with Microsoft Security Essentials.
Install Microsoft Security Essentials on your computer and run it to detect any malware on your computer.

Microsoft Security Essentials Website

After you install Microsoft Security Essentials make sure that you update it to include the latest malware definitions. Then scan your computer for malware and resolve any issues that it discovers.

I left Microsoft Security Essentials last because if you do not already have any anti-malware software installed on your computer, then you should consider leaving it on your computer. If you already have anti-malware software on your computer or if you feel comfortable with another product, then you can remove Microsoft Security Essentials and leave or reinstall the anti-malware program of your choice.

If none of these scans detected any malware on your computer (or computers) and you still believe that malware is on your computer, the best thing to do is to discuss this at the Badwarebusters.org online community. Describe your symptoms and someone there may be able to help you identify or resolve the malware problem you are experiencing.

Steven



[Security] Securing Configuration Files


Wednesday, June 16th, 2010 - Security

This is a continuation of our Security Guide; see the previous post.

Keeping the scripts on your account up-to-date is a good way to protect your account from hacking and exploiting attempts. There are some other things you can do to ensure better security.

Database Passwords
This is a common issue and is mentioned a lot in security circles when it comes to securing your account. Never re-use a password for something else. Ideally all of your passwords would be unique and all aspects of your operation would have their own separate login with unique passwords. This is true for scripts that require databases.

Most scripts have some dynamic aspect to them, which requires the use of a database, typically a MySQL database. While it is a good idea to use unique passwords for different aspects of your day-to-day operation, it is imperative that you use a unique database username and password for the scripts on your hosting account.

As a general rule, any time you are going to be using a database on your hosting account, you should set up at least one database username with a unique password. You never want to use your main account username and password in your script for accessing the database. While this username and password combination will work, it is not recommended.

Consider this. You install a WordPress script on your account. You create a new database to host the WordPress data, but you do not create a new database username to access this database or you reuse your account password as the password for the database username.

Now, if this WordPress script gets exploited or hacked, the hacker could conceivably read your WordPress configuration file:

define('DB_NAME', 'username_wp');    // The name of the database
define('DB_USER', 'username');     // Your MySQL username
define('DB_PASSWORD', 'p@$$w0rd'); // ...and password

Now the hacker has full access to your account. They can log into your account’s cPanel or FTP and cause even more damage.

Just to be clear, if a hacker has hacked your script and is able to read its configuration files, then that is a problem. However, by using a separate database username and unique password you are at least preventing the hacker from easily being able to take over your whole account.

Secure Permissions on Config Files
File system permissions may not be something you are familiar with. As a general rule, any time you see files or directories set with permissions of 666 or 777 this is bad. Without going into all of the complexities of file system permissions, just know that 666 and 777 permissions mean that the files or directories are open; they are unrestricted. On our servers, directories should hold a permission setting of 755. HTML files should have permissions of 644. PHP files should have permissions of 644 or 600. CGI file scripts (not PHP scripts) should have permissions of 755. And ideally, PHP configuration files (files that contain login information that a PHP script would use to access the database server or any service that requires authentication) should have permissions of 600.

Our servers have a process that goes through and attempts to ensure that the permissions on these configuration files are correct. However, the process is not without flaws; it cannot catch every PHP configuration file.

To ensure that your configuration file is safe, you should consider changing the permissions on the configuration file to 600 after you have installed a script. The configuration file would be the file that you edit to add your database login information. You can change the permissions of a file with most FTP clients: just log into your account via FTP, select the configuration file, and change its permission to 600.
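
The permission rules above can be checked mechanically. The following is an added example, not AMS's own checking process: a Python script that walks a copy of a public_html tree and reports anything world-writable (which covers 666 and 777) or outside the modes listed above. The CONFIG_NAMES set and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# Assumption: filenames treated as credential-bearing configuration files.
# Adjust to whatever file you edited to add your database login.
CONFIG_NAMES = {"wp-config.php", "configuration.php", "config.php"}


def allowed_modes(name, is_dir):
    """Return the modes the post accepts for this entry, or None if it gives no rule."""
    name = name.lower()
    if is_dir:
        return {0o755}
    if name in CONFIG_NAMES:
        return {0o600}
    ext = os.path.splitext(name)[1]
    if ext == ".php":
        return {0o644, 0o600}
    if ext in (".html", ".htm"):
        return {0o644}
    if ext == ".cgi":
        return {0o755}
    return None


def audit(root):
    """Walk everything below root; return sorted (relative path, mode, problem) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(full, root)
            allowed = allowed_modes(name, is_dir)
            if mode & stat.S_IWOTH:
                # Any "other" write bit, including the 666 and 777 cases.
                findings.append((rel, format(mode, "03o"), "world-writable"))
            elif allowed is not None and mode not in allowed:
                want = " or ".join(sorted(format(m, "03o") for m in allowed))
                findings.append((rel, format(mode, "03o"), "expected " + want))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed public_html-like tree in a temp directory for the demo."""
    root = tempfile.mkdtemp(prefix="public_html_")
    dirs = {"blog": 0o755, "uploads": 0o777, "cgi-bin": 0o755}
    files = {
        "index.html": 0o644,
        "blog/index.php": 0o644,
        "blog/wp-config.php": 0o644,   # readable by others: should be 600
        "uploads/resize.php": 0o666,   # unrestricted
        "cgi-bin/form.cgi": 0o755,
    }
    for d in dirs:
        os.mkdir(os.path.join(root, d))
    for rel, mode in files.items():
        path = os.path.join(root, *rel.split("/"))
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)  # explicit chmod so the umask does not matter
    for d, mode in dirs.items():
        os.chmod(os.path.join(root, d), mode)
    return root


if __name__ == "__main__":
    for rel, mode, problem in audit(build_sample_tree()):
        print(f"{mode}  {rel}  ({problem})")
```

Files with an extension the post does not mention are only reported when they are world-writable.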

Configuration File Placement
In addition to using secure permissions on your PHP configuration files, you can further secure the scripts on your account by placing the configuration files outside of your DocumentRoot.

This option really only works for custom written scripts and the like. Premade scripts, such as WordPress or Joomla, will depend on the configuration file being in a certain location, relative to its installed location. For this reason, placing the configuration file outside of your hosting account’s DocumentRoot will not work for those scripts. This is something that can really only apply to custom written PHP scripts where you have the ability to hardcode include statements into your scripts.

The DocumentRoot of your account refers to the public_html folder of your hosting account. Anything inside your public_html folder is considered to be web accessible and is thus referred to as your DocumentRoot. When you are in the directory above your public_html folder, your account’s home directory, then you are outside your DocumentRoot. Typically when you log into your account via FTP you are logged into your home directory. Here you will see other folders concerning your account: mail, etc, tmp, public_html. You can create a new directory in your home directory to place your configuration files into or you can just place your configuration files directly into your home directory. The main point being that if your PHP configuration files (files with database login information) are not inside your DocumentRoot then it is more difficult for hackers to read this information should your account be hacked into.

Steven



[Security] Keeping Scripts Up-To-Date


Tuesday, June 15th, 2010 - Security

One of the best ways to keep your website safe and secure from hackers is to always keep your scripts up-to-date with the latest version of any software you might have installed. We all know that keeping your operating system up-to-date is important to keep your computer safe. This is why in Windows you will periodically see a popup in your status tray telling you that updates are available. Scripts on your website are just like software on your computer. Bugs and security holes are found in these scripts and they must be patched in order to prevent serious malicious consequences from happening.

In order to keep the scripts on your account secure, the first thing you have to know is what scripts you have installed on your website. This should be pretty straightforward. In order for a script to exist on your account, you or someone has to install that script on the account. Just keep a log or a note of what scripts you install or have installed on your account. You can’t succeed in keeping the scripts on your account up-to-date if you don’t know what scripts are installed on your account.

You will also want to take into consideration any addons, extensions, or plugins that you have installed with those scripts. For example, Joomla!, a popular Content Management Script, has a lot of extensions that can be installed to work with the base Joomla! These extensions add functionality to the script. Joomla! calls these addons “extensions” because they extend functionality, but WordPress, a popular blogging script, calls these “plugins”. Basically, plugins, extensions, and addons all do the same thing by adding extra functions to the base script, but it is important that these remain up-to-date as well. You may have an up-to-date Joomla! install on your hosting account, but if you have an old and vulnerable extension still being used, then your hosting account still is not safe.

Bottom line, scripts, base scripts, and any addons you have installed must remain up-to-date in order for your account to be safe.

How do you know when a new version of the scripts is released?
This is not an easy question to answer. The best way to approach this is to subscribe to the script’s or addon’s mailing list, RSS, or Twitter feed. However not all script vendors will provide this avenue for releasing announcements. In those cases, you just have to routinely check the vendor or developer’s website to see if they have released a new version of the script. Most of your more popular scripts have methods for letting you know of new version announcements. However it is your responsibility to sign up for these announcement services with each script.

A lot of these popular scripts have robust community followings, usually through an online forum on their respective websites. Staying involved in these communities is another good way to stay apprised of recent script developments and issues.

Unfortunately there are just too many scripts available for you to use and that prevents us from being able to inform you of script updates. We may periodically check for some of the more popular scripts (Joomla!, WordPress, etc) and check to make sure that these scripts on your account are staying up-to-date. But it is just not possible for us to be able to do this for all scripts, especially when you consider the vast number of addons that are available for each script. The best way to approach this is for you to take on this responsibility yourself and subscribe to announcement feeds for whatever scripts or addons you have installed on your hosting account.

Script Upgrading Issues
Some people are afraid to upgrade their script or addon because they fear that doing so might break their website. This is a valid concern, there is no doubt about it. However, you have to consider that by continuing to run the old version of the script you are leaving doorways open for hackers and malicious visitors to take advantage of your account.

Generally, developers release new versions of their software to correct bugs that have been found in the software. The same is true with website scripts. New bugs are found in the script and the developers have to fix these bugs. Once they have fixed the bugs they release a new version of the script to correct the issue. However they can’t make you update the script on your hosting account.

If you are concerned about upgrading your scripts and breaking your website then you should raise this issue with the developer or vendor of the script through their website. Upgrading the script on your account MIGHT break your website, but leaving it outdated is GUARANTEED to make your website less secure. Don’t be surprised if your account is hacked or exploited if you choose, either knowingly or unknowingly, to continue to use old versions of your scripts.

Below is a list of popular scripts, their websites, and ways to stay up-to-date with their releases.

Joomla! Updates
Website / RSS / Twitter

Joomla! Extensions Updates
Website / RSS

WordPress
Website / RSS / Mailing List / Twitter

WordPress Plugins Recently Updated
Website

PHPList
Website / Mailing List / Twitter

Zen Cart
Website / Mailing List

SMF – Simple Machine Forum
Website / Twitter

Coppermine Photo Gallery
Website / RSS / Twitter

Gallery
Website / RSS / Mailing List / Twitter

Drupal
Website / RSS / Mailing List / Twitter

phpBB
Mailing List / Twitter

osCommerce
Website / RSS / Mailing List / Twitter

Steven
