Security Governance for your website – Understand your problem!

February 26th, 2010

When I am engaged by a client to rescue a website after an incident a good part of my time is taken up explaining what has happened. It can be a very frustrating and costly experience to be hacked or infected with a virus and the usual instruction from a client is “fix this and stop it form ever happening again”.  Let’s take a quick look at those two elements:

“Fix this” – You need to isolate what type of problem you are experiencing. Some issues are really virus infections while others are true “hacking” episodes.By far the biggest issue in 2009 was the combined and related issues of the gumblar, martuz and iframe viruses. One part of this attack infected PCs and harvested ftp login information that was then used to infect thousands (and possibly millions) of websites around the globe. Less common, but still quite prevalent, was the injection code directly into website databases. These issues are quite different though the effect can be very similar. Fixing wesbite code is very straightforward, and though can be time consuming the damage can be completely reversed with relatively little effort. The database injected code (or SQLinjection) can be far more damaging as it affects the data driving the dynamic parts of your website (and/or your client or product information) – sometimes it can completely sink a website if a backup strategy hasn’t been followed from the start.

“Stop it from ever happening again” It was quite common last year  for me to assess a site and find injected code across the php files (in particular)  and find nothing except ftp uploads in the logs to show how the infection occurred. Often the client would have no idea that their PC was infected and it took much persuading to convince them that rebuilding their PCs was the  solution to prevent continuous infections. It really can be that simple however. Fixing SQL injection issues on the other hand, although often described as “simple” , requires a change in code that many web designers find a challenge.

I will go into a bit more detail on each issue in the next few posts.

Posted in Uncategorized | No Comments »

Security Governance for your website – Responding to Incidents

February 23rd, 2010

So – you have followed all the steps in my previous posts. You have reviewed your code, implemented a backup plan and assessed your site for vulnerability but you STILL got hacked. This is the ultimate frustration. It is also why the last part of “governance” of your site has to be a plan to deal with security issues with your website.

Your plan should follow these high level steps:

  1. Take your site offline! You should have a landing page ready to put in place should you need to take your site offline, and the moment you learn of a defacement or virus infection on your site you MUST take it offline. This protects your reputation both with your users and with page rating authorities – the most important being google, though this is not the only one – You have to consider which is worse… having your site offline for a few hours, or getting a ban from google and/or infecting potential customers with a virus (if this is what has occured with your site).
  2. Look for the hole - You’ve taken your site offline, you need to find out how the infection occurred. If you have proper logging in place it should be straightforward to find where the problem lies. Perhaps it is an unpatched issue with your Wordpress or Joomla install, maybe it’s a permission problem left behind from the last time you updated your site – If you have a clear picture of what happens each day on your website it should not be difficult to track down.  A very prevalant problem at the moment is injected iframe or other code on website index and default pages.
  3. Don’t confine yourself to your website – Much of the infected code on the web is uploaded directly to sites via ftp – this means that the issue probably lies with a virus infected PC leaking login credentials that are then used to infect your site. This is the most likely route for infection if you have followed all the steps in my previous posts.
  4. Put your site back online – Use the most recent backup of your site to bring your site online. If you have isolated the problem to an infected PC this is probably all you need to do (as well as change all passwords to your site of course). If the problem is with an outdated or insecure web application (joomla, Wordpress, shopping carts etc…) then upgrade where neccessary the moment your site goes back online – probably best to use the “holding” address provided with most hosting plans first.

If you have a plan ready for action a virus infection of hacking incident will be no more than an incovenience with minimal impact. With no plan you risk the loss of revenue and reputation….

Posted in IT Security, Security Policy | No Comments »

Security Governance for your website – Assess your site

February 22nd, 2010

So far – and admittedly at a very high level -  we have been looking at the steps you need to take when developing your website and placing it online. Once you are ready to go live you should be sure to engage somone to perform a security assessment of your site. This does not need to be a complete “penetration” test. A full pen test can run to weeks of effort and be extremely costly. If you are on a hosted site with a proper SLA in place then it is debatable whether penetration testing is your responsibility in any case – usually the integrity of the server is the responsability of the hosting provider.

What you are looking to achieve with this type of assessment is:

  1. Information gathering – To search for any data leaks or misconfiguration casually available on the internet. This includes authentication information, personal data that could be used in social engineering or identity theft and server/web application information.
  2. Vulnerability scanning – this should be on a web application level as scanning hosting servers can be seen as a hacking attempt. It should include a scan of open ports to review services and any obvious backdoors to the site.
  3. Vulnerability attempts – the results from the scanning should be used in example exploits on your site – this is particularly important where SQL injection or XSS issues have been identified. It guards against false positives and ensures that any fixes that you put in place are a real response to real threats.
  4. Finally a complete and comprehensive report should be compiled on the state of your site and the various components used within it. This is the baseline security stance of your site which should be reviewed on a regular basis.

It is important that some form of scanning/assessment is performed on a regular basis – at least once a month but by preference weekly.

Posted in IT Security, Security Policy | No Comments »

Security Governance for your website – backup your data!

February 18th, 2010

Last week I discussed how important it is to take security seriously from the very start of your website project. Once you have set out what you want your website to achieve, built the site and reviewed your code for basic well known flaws it’s time to consider how you will manage the website.

I regularly see a situation where a website has been built and put online only for a virus infection or defacement to hit it within days of going live. Without a proper and complete backup strategy this can be very costly indeed. So the very first building block of your security governance has to be the creation of a backup strategy.

If your website is part of a shared hosting plan (where you have no control of the server on which your site resides)  then by all means apply the standard backup service provided by the hosting company. Do not see the backup service as optional – when you need a website restored a penny saved can be pounds lost if you hit a snag.

If you have a Virtual Private Server (VPS)  – ie a server hosting only YOUR website(s) and which you control in full – you will most likely will still have an option to use the hosting companies backup solution.

I’ll discuss the merits of shared hosts versus a Virtual Private Server (VPS) in a later post but I will stress here that regardless of the type of hosting plan you have regular FULL backups ofyour site and database are THE most important part of your security assurance.

You should backup before and after any changes to code or templates of the site. And regardless of changes make a full backup each week. Be sure to keep clean backups for several months.

Posted in IT Security | No Comments »

Security Governance for your website – review that code!

February 11th, 2010

In my last post I discussed some basic steps you should consider when planning your website. One of the recommendations I made was to ensure your designer agrees to follow a standard that could then be used as a benchmark for testing

The question then is – who will do the testing? It is definately advisable to have an independent review of code before going live. This can be someone within your organisation, or hired from outside. It definitely should NOT be someone from the same organisation that built the site in the first place.

It’s not neccessary to be a technical guru to ensure a proper review of your website code. Using the OWASP top 9 security flaws in code as a guide (for example) it is possible to create a checklist for testing that your security resource can work to.  Any report should summarize the what, when, how and by who the code was tested by. It’s important at this stage to keep complete copies of any code and to maintain version control  to ensure whatever ends up being uploaded matches what has been tested!

Posted in Security Policy | No Comments »

Security Governance for your website – Get it right at the start!

February 11th, 2010

It always amazes me when I am engaged to clean up a hacked or infected website just how a minimum of good governanace could A) prevent the issue and/or B) minimize the impact. There really is no mystery to getting this right, and yes it does involve investment in the apparently intangible benefits of good security.

When I am hired to work on a compromised website I’m usually asked to:

  1. Clean up the virus/defacement
  2. Secure the site
  3. Explain how the infection occurred.

Although my mother always told me it was rude to respond to a question with another question in the case of all the points above there is a standard reply for each:

  1. Do you have a recent backup?
  2. Did you  review your code for vulnerabilities?
  3. Have you enabled FULL logging of activity on your website?

No one could expect you as a managing director or senior manager to understand the technical minutiae of creating and maintaining a website but there really is no excuse for not ensuring that the answer to all of my questions above is a big YES!  Planning for any technical implementation no matter how small should include all security considerations.

Leaving aside the issue of backups for the moment let’s consider how to go about assuring security for your website from the outset by applying some basic principles when assembling your team to design and implement your companie’s website.

You need to be clear on what kind of traffic you expect  – is this a website for general information? will there be user interaction? will there be financial transactions through the site, will it link to databases holding important information?

Once you are clear on the objectives you can start getting your team together – many would just hire a “web design” company and leave it at that, and this is where the key failure is usually made – right at the start of your website project. A minimum requirement is to have a somone to design and build your site AND somone to maintain it.  The designer and master can be the same individual of course – but the roles are different.

It’s not that you should be worried just about the integrity of your design team (or individual) you need to be sure at a minimum that they at least follow proper coding principles to prevent SQL injection and XSS attacks. These very common vulnerabilities can be easily prevented  with proper coding at the outset – you need to be sure that your web designer understands the implications of both SQL and XSS . (Don’t worry if you do not fully understand the terms. Think of them in this way – SQLinjection bad for YOU, XSS bad for your USERS – a bit simplistic but really that’s all you need to know from a management perspective!)

There are clear guidlines for preventing SQL injection and XSS through proper user validation in the code of your website – your webdesigner should  be able to quote chapter and verse from these. Make sure they know all about the OWASP guidlines on  SQL injections and XSS prevention.

As part of your governance strategy I would recommend that any web designer you hire should guarantee that they will follow an agreed standard – the one I use is the OWASP Code Review Standard but there are others. By agreeing the standard from the outset you have a benchmark against which you can test the code.

From a design perspective there are other security considerations of course – but take it from me, if you can put controls in place for SQL injection and XSS you are about 90% there in terms of keeping your site safe for you and your users.

Posted in Security Policy | 1 Comment »

Data leakage to social sites

November 13th, 2009

I’ve decided to post this blog entry from my blackberry to illustrate a point. Companies are moving more and more to providing smart phones and mobile devices to their employees. this raises the issue of data leakage through the lack of an adequate separation between work and social “apps” used on blackberrys and ifones.

Companies should look long and hard at what devices to provision or allow on their networks given the growth of facebook and twitter (to name but two). If possible enterprise policies should be applied across the board preventing the use of non-business apps. Without proper care an employee could be posting your latest confidential financial statements to Facebook!

Just because it’s possible doesn’t mean that it is a good idea.

Posted in IT Security, Security Policy | No Comments »

Subtle changes to iframe tags

November 13th, 2009

Since I started getting my hands dirty with iframe and gumblar infected websites I’ve begun to notice some subtle changes that have led to another wave of attacks to hit the websites I’m supporting at the moment.

Initially sites were injected with a variety of iframed domain redirects that were simple enough to tackle with regex searches. The construct of the iframe code was also pretty standard so for example setting your search tool of choice (sed, grep, awk etc on *nix – wingrep on Windows) to search for the  following string:

<iframe.*src\=\”http.*hidden.*\/iframe>

You’ll see that the key element is that this is a hidden iframe – there’s no good reason to hide an iframe on your site! This would find the majority of injected frame code – at least on my affected servers.

Of course a little bit of generalised searching was neccessary, but by and large a few scripts using that regex code would have done the trick.

A few weeks on and I’ve been hit again – the route to infection is yet again a badly secured PC or laptop. I set to the clean up using my tried and trusted regex searches but my complacency in keeping them up to date was exposed… some simple and subtle changes by the coders renedered my searches useless. – Back to square 1!

I thought that I might share the lesson with you all:

  1. A hacked site will always be a target – continued vigilence is essential!
  2. Regex searches need to be as agile and flexible as possible (without searching out valid code)
  3. You’re only as good as your last  bit of coding!

This is the regex I have used for the current crop of site cleanups I have completed. You’ll see that the code hides the iframe by setting the borders and size to 0.

<iframe.*frameborder\=\”0\”.*src\=\’http.*\/iframe>

This is just a bit of a hint – finding code effectively and quickly is important, but preventing a hack/infection is far prefferable!

Posted in IT Security | 2 Comments »

Looking for traces of Gumblar

September 11th, 2009

Over the past several months there has been wave after wave of variants of the Gumblar, Martuz and other types of iframe attacks that seem to be related. Each wave seems worse than the one before. Naturally most efforts have involved cleaning websites and attempting to prevent re-infections.  The scripts and tools now available are extremely effective in putting out the fires and are only improving with time – have a look at the side bar for links to my favourite ones .

As the various domains involved with propagating payload get blacklisted or shut down the immediate effect of the infections will begin to diminish – at least until the next wave appears. If you have a handle on cleaning out your code, and have developed a routine of backing up , monitoring and re-installing infected pages you are , like me,  just about ready to move onto a bit of problem solving instead of firefighting

Given that the method of infection is from infected PCs we need to be sure we are not infected ourselves – the trouble is that even after all of these months there remains some mystification as to how the infection is being spread in the first place. That being said – there are some steps you can take to check if you’re machine is affected. The first and most basic is to check the SHA1 number of a file located in C:\Windows\System32\.  This may sound like mumbo jumbo but it is in fact a very easy check to do.

Step 1 – download and install the free application filealyzer (this is a handy tool for analyzing files)

Step 2 – Navigate to the sqlodbc.chm file in  C:\Windows\System32\ using windows explorer

step2

Step 3. Right click on the file and choose “Analyze with filealyzer 2”

step3

Step 4 Have a look at your file information  – We’re looking for the SHA1 number and the file size

step4

Step 5 – Copy the SHA1 number (you know how to do this right? Left click and highlight then right click and copy)

step5

Step 6 – Go to the nice people at Scansafe.com where they have very kindly listed the NON-INFECTED SHA1 numbers

step6

Step 7 – Check you’re number against the list – I use the find function in firefox – just paste in the SHA1 number we copied in Step 5 above

step7

Step 8 – PHEW! I seem to be clear of the infection – and check out the file size – all good!

step8

So – if you did all of the above and your SHA1 number and/or file size don’t match what next? The best advice at the moment is, unfortunately, a complete rebuild of your PC. The reason for this is the conflicting advice/evidence of how the infection is being spread. Adobe PDF and flash files seem to be one method of infection and you should be sure to upgrade to the latest version of each – but my advice if you suspect an infection on one of your PCs is to completely rebuild. I will get onto some advice on how to use live CDs and/or virtual machines for your website management in a later post.

Posted in IT Security | No Comments »