11 June 2009

Infrastructure

Posts relating to the category tag "infrastructure" are listed below.

11 June 2009

100,000 Web Sites Lost

The news that a the UK hosting company VAServ lost 100,000 web sites all at once is devastating for the organisations involved. It appears that many cannot be recovered and a considerable number do not have recent backups.

From the temporary status page dated 10th June:

We have worked tirelessly through the night and over the last 48 hours to recover as many VPS as possible. However, we have now reached the end of all of our servers, and as such, if your server is not currently up, or not partly up (i.e. it is up but not working due to a configuration issue) then it is unfortunate that you will have lost your data due to this third party attack.

The event was widely reported:

Particularly sobering is the news that the CEO of LxLabs, implicated as the developers of the software that was hacked, has committed suicide:

Even if you don't have a formal disaster recovery plan, at least make sure you have backups of all your site code, database and other data.

Posted on: 11 June 2009 at 09:46 hrs

Comments Comments (0) | Permalink | Send Send

26 May 2009

System Hardening

Hardening the underlying server operating system is an important fundamental task to help protect your web applications.

For example, the Payment Card Industry Data Security Standard (PCIDSS) requirement 2.2 states:

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.

Two United States organisations producing guidance in this field are:

These are detailed documents and all the recommendations may not be appropriate for your own situation.

Posted on: 26 May 2009 at 10:56 hrs

Comments Comments (0) | Permalink | Send Send

24 April 2009

Put Your Own Organisation's Name On It

This week a friend contacted me about his business website. It seemed his company had paid for both a .co.uk and .com domain name, but the latter was not currently mapped to her site.

It seems the web developer wasn't being co-operative and she was asking for some advice. It appeared that neither domain were registered in my friend's company's name—both named the developers. This makes things much more difficult if the developers are slow to respond to change requests, or fail to renew your domains, or you fall out with them or they go out of business.

But I came across another example on Wednesday. I had to drive through London and later in the day I went to pay the £8.00 charge using the congestion charge online payment service from Transport for London.

Partial screen capture of a web browser's address bar with the URL https://cclondon.tfl.gov.uk/cclondon/payments/paycharge/pay.aspx and showing part of the web page

I looked at the SSL certificate's details and was very surprised to see the organisation named on the certificate (known as the distinguished name field for organization) was not "Transport for London" but "Cobweb Solutions Ltd", presumably this company. SSL certificate security information stating the connection to cclondon.tfl.gov.uk is secure and the certificate is issued by Thawte Premium Server CA SSL certificate information stating the certificate name details are 'cclondon.tfl.gov.uk, Cobweb Solutions Ltd, Sydadmin Team, Fareham, England, GB'

Whilst this may not be contrary to the SSL Protocol Specification, it is contrary to expectations and good practice. If this were a retail website (where you choose to buy rather than being obligated to pay!), would a cautious potential customer trust the site? The information has also given away vital clues to a malicious user on the software development company and thus perhaps possible approaches to breach the system. Cobweb Solutions' own site has a shopping basket/e-commerce system that has a similarly attributed secure certificate:

SSL certificate information stating the certificate name details are 'shop.cobweb.com, Cobweb Solutions Ltd, Sydadmin Team, Fareham, England, GB'

Like domain names, your own website SSL certificates, regardless of SSL certificate type should be in your own organisation's name, not anyone else's. In fact this also usually makes the proces of purchasing a certificate simpler.

On my friend's domain name issue, she has contacted the relevant domain name registrars using their disputes process to ask for the details to be updated. She is also checking whose name is on the web hosting contract.

Posted on: 24 April 2009 at 09:32 hrs

Comments Comments (0) | Permalink | Send Send

27 February 2009

Information Leakage from Public Information Systems

The first stage of attack is reconnaissance. Therefore don't give the enemy information they shouldn't have.

I photographed this public information screen at the weekend. It looks like it's part-way through being commissioned, but it was displaying important network information.

Photograph of a plasma display screen with the words 'Information - This appliance is not yet configured' followed by the IP address, host name and domain

In this case I suspect the information isn't particularly helpful to someone who wants to display their own messages instead of the official ones, but it is leaking information about how the system works. This particular installation probably isn't part of the critical national infrastructure, but is any more case being taken there?

Web sites often give away too much information in their error messages, filenames, source code, headers and cookies. This information can be used to help compromise the site.

Posted on: 27 February 2009 at 06:38 hrs

Comments Comments (3) | Permalink | Send Send

15 August 2008

Is Your Web Site on Virtual Contaminated Land?

When we set up a web site, how much thought should we give to the previous use of the Internet Protocol (IP) address and domain name? Any previous use could spell disaster for a new web site.

When you buy a house your conveyancing solicitor will undertake local searches and review the Home Information Pack. For commercial transactions, organisations will usually undertake some form of due diligence checks including enquiring about previous uses of the site and adjoining properties using old maps and information from the local authority. No-one wants to inherit the liability for contaminated land, for example from a previous gas works, tanning plant or dye manufacturer that occupied the site.

Instead of chemical threats, web sites need some virtual due diligence, when setting up a new site or moving to a new hosting company or domain. It may also be an issue if your hosting company is changing their IP address ranges and this affects your servers. The threats are to your organisation's reputation if it becomes associated with something contrary to its beliefs, objectives or might upset its customers, clients or users. It could also lead to a lack of availability if the address is blocked by spam or web filtering gateways.

The Domain Name Service (DNS) is responsible for translating between human-friendly domain names (e.g. www.clerkendweller.com) and and machine-friendly IP addresses (e.g. 217.33.198.55). If a hosting company loses a client, they are very likely to re-allocate their web site's IP address to a new customer.

For a new IP address on your existing domain (e.g. a server move), my recommendation is to obtain details of:

  • How long the IP address has been allocated to the hosting company
  • All domains assigned to the IP address previously
  • Details of the organisations who own those domains
  • Check what is hosted on 'nearby' IP addresses i.e. in the same address block
  • Check what else is listed on the same domain name servers and the company who operates them

For a new web domain, check:

  • Ownership history
  • Current and prior internet usage (web, email, ftp, etc)
  • Check the IP addresses for both of these (as above)

Then, evaluate whether there is anything you might not want to be associated with or has been excluded by web/email filtering/firewall systems due to what it has been used for or the content it contained. Check other server IP addresses as well (e.g. your mail server) if this is changing as well. Also check what else is hosted on 'nearby' IP addresses in the same range.

For a new web domain, use tools like Netcraft, Site Advisor, The Way Back Machine and Google searches to investigate prior use. Check with suppliers of web filtering gateways and providers of reputational services whether the domains are blacklisted.

For mail, the Spam and Open Relay Blocking System (SORBS) and Spamhaus list potentially problematic spam sources and open mail relays. There are many more similar searchable spam lists listed at dr.moensted. You may also want to check whether Hotmail, GMail and AOL treat the IP or domain as a source of spam.

If you are purchasing an existing domain name, as opposed to registering one from scratch, check its previous and current use. Some companies serve advert pages for domains they own but are not allocated to a web site - be very wary of these.

If your hosting company won't help with this enquiry, go elsewhere.

Posted on: 15 August 2008 at 10:15 hrs

Comments Comments (1) | Permalink | Send Send

Infrastructure : Web Security, Usability and Design
http://www.clerkendweller.com/infrastructure
ISO/IEC 18004:2006 QR code for http://clerkendweller.com

Page http://www.clerkendweller.com/infrastructure
Requested by 38.107.191.115 on Friday, 12 March 2010 at 15:00 hrs (London date/time)

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use http://www.clerkendweller.com/page/terms
Privacy statement http://www.clerkendweller.com/page/privacy
© 2008-2010 clerkendweller.com