12 February 2014


Posts relating to the category tag "hosting" are listed below.

25 October 2009

From Whiteboard to Web Application

Sometimes finding all the web applications in an organisation can be the difficult part in trying to assess what risks exist.

Transport for London don't just have web sites and, I suspect, an intranet. They have been gradually moving from whiteboards for live underground travel news at tube stations:

Photograph of a transport information board at Great Portland Street station where the information is provided on magnetic tiles and by hand written wipe-dry pens

And now have electronic versions:

Photograph of a transport information board at Farringdon station where the information is provided on an LCD or plasma display

I don't know what technology is being used here, but other information boards have been seen to display web browser error messages leaking network information:

Photograph of a transport information display showing an 'address not found' error message from Firefox

But, what about elsewhere? I saw this on the live electronic advertisement boards at Bond Street station this weekend:

Photograph of an advertisement display board at Bond Street station elevators showing the words 'System Name' followed by a code and what looks like an IP address, written vertically up the portrait-orientated unit

Sorry it's a bit blurred, but I was going up the escalator at the time. Several, but not all the displays had their system names shown rather than an advertisement. It certainly looks like an IP address, but is there a web application inside? I've previously highlighted other information systems and displays that seem to be IP-enabled.

An investigation of your network, examining what is listening on which ports, and correlating this with the actual network traffic, might reveal more web applications than you thought.

Posted on: 25 October 2009 at 18:46 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

04 August 2009

Do You Have SSL Configured Correctly?

Do You Have SSL Configured Correctly? Let me start by saying that "correctly" means "best for you". There isn't a single correct answer, although there are certainly some "don'ts" that apply in every situation.

This information is not about whether to use SSL, and is mainly for your systems folk (or hosting company), but do read on and perhaps gain a better understanding.

Partial screen capture of a report from the SSL Labs Public SSL Server Database showing the host name, IP address, an overall score and part of a bar chart

Ivan Ristić recently announced the SSL Server Rating Guide (draft 10, 21 July 2009) and an associated online assessment tool called the Public SSL Server Database. These had reminded me to post my comments last Tuesday about the slightly related Colour Overload with IE8 Tab Grouping.

The SSL Labs' resources describe, and allow you to check, the SSL configuration of your own, or any other public site that has SSL enabled. The checks span the certificate and three categories of web server configuration settings. Previously, it needed more specialist tools that most people wouldn't have the time or inclination to use.

The rating guide contains much useful information, but will be too detailed for many people. However, do read the "Minimal Configuration Requirements" and pass these on to appropriate person responsible for the configuration and operation of your own web sites. Not every site needs an overall rating of 73 or 85 or whatever. You'll see in Table 6 of the guide, an idea of what might be suitable for a range of web site types.

After all, your competitors, and some customers, have probably already checked your site.

Posted on: 04 August 2009 at 17:56 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

16 June 2009

FTP is not an Option

Many websites are updated using File Transfer Protocol (FTP). Don't do it.

A discussion thread How Do You Store FTP Login Information For Your Clients? highlighted what common practices are, but almost entirely missed the issues of transfer of login credentials over unencrypted channels, privileged access to the whole of the server, account sharing, password and user management.

... [I] also put the info in the client file folders (actual paper client folders) for future reference and sometimes in Outlook business Contact Manager...

It's no surprise that some of the most serious hacks are suspected of being undertaken using compromised FTP accounts.

FTP is not an option. Ask your hosting company or systems staff to disable FTP services and block all traffic to/from your web servers on TCP ports 20 and 21, at your network firewall.

Posted on: 16 June 2009 at 09:28 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

11 June 2009

100,000 Web Sites Lost

The news that a the UK hosting company VAServ lost 100,000 web sites all at once is devastating for the organisations involved. It appears that many cannot be recovered and a considerable number do not have recent backups.

From the temporary status page dated 10th June:

We have worked tirelessly through the night and over the last 48 hours to recover as many VPS as possible. However, we have now reached the end of all of our servers, and as such, if your server is not currently up, or not partly up (i.e. it is up but not working due to a configuration issue) then it is unfortunate that you will have lost your data due to this third party attack.

The event was widely reported:

Particularly sobering is the news that the CEO of LxLabs, implicated as the developers of the software that was hacked, has committed suicide:

Even if you don't have a formal disaster recovery plan, at least make sure you have backups of all your site code, database and other data.

Posted on: 11 June 2009 at 09:46 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

26 May 2009

System Hardening

Hardening the underlying server operating system is an important fundamental task to help protect your web applications.

For example, the Payment Card Industry Data Security Standard (PCIDSS) requirement 2.2 states:

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.

Two United States organisations producing guidance in this field are:

These are detailed documents and all the recommendations may not be appropriate for your own situation.

Posted on: 26 May 2009 at 10:56 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

24 April 2009

Put Your Own Organisation's Name On It

This week a friend contacted me about his business website. It seemed his company had paid for both a .co.uk and .com domain name, but the latter was not currently mapped to her site.

It seems the web developer wasn't being co-operative and she was asking for some advice. It appeared that neither domain were registered in my friend's company's name—both named the developers. This makes things much more difficult if the developers are slow to respond to change requests, or fail to renew your domains, or you fall out with them or they go out of business.

But I came across another example on Wednesday. I had to drive through London and later in the day I went to pay the £8.00 charge using the congestion charge online payment service from Transport for London.

Partial screen capture of a web browser's address bar with the URL https://cclondon.tfl.gov.uk/cclondon/payments/paycharge/pay.aspx and showing part of the web page

I looked at the SSL certificate's details and was very surprised to see the organisation named on the certificate (known as the distinguished name field for organization) was not "Transport for London" but "Cobweb Solutions Ltd", presumably this company. SSL certificate security information stating the connection to cclondon.tfl.gov.uk is secure and the certificate is issued by Thawte Premium Server CA SSL certificate information stating the certificate name details are 'cclondon.tfl.gov.uk, Cobweb Solutions Ltd, Sydadmin Team, Fareham, England, GB'

Whilst this may not be contrary to the SSL Protocol Specification, it is contrary to expectations and good practice. If this were a retail website (where you choose to buy rather than being obligated to pay!), would a cautious potential customer trust the site? The information has also given away vital clues to a malicious user on the software development company and thus perhaps possible approaches to breach the system. Cobweb Solutions' own site has a shopping basket/e-commerce system that has a similarly attributed secure certificate:

SSL certificate information stating the certificate name details are 'shop.cobweb.com, Cobweb Solutions Ltd, Sydadmin Team, Fareham, England, GB'

Like domain names, your own website SSL certificates, regardless of SSL certificate type should be in your own organisation's name, not anyone else's. In fact this also usually makes the proces of purchasing a certificate simpler.

On my friend's domain name issue, she has contacted the relevant domain name registrars using their disputes process to ask for the details to be updated. She is also checking whose name is on the web hosting contract.

Posted on: 24 April 2009 at 09:32 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

17 April 2009

Web Application Security in the Cloud - Part 1

There have been some good discussions recently on the security of cloud computing services. Are you using or considering using external cloud computing for data storage or to undertake business functions?

A recent post A follow-up on SaaS & Cloud Risk reminded me to raise the topic here. The posting highlighted comments on The Register regarding Multi-site Bug Exposes Cloud Computing's Dark Lining included one by Raife Edwards:

IF... you own, and run, your own servers, or systems/software... AND, a "common vulnerability" exists, and is exploited... You MAY be vulnerable... you MAY have a security issue... you MAY be targeted... you MAY not have adequately protected your system... you MAY be hit by the problem... you MAY have issues, and losses... possibly.

If, however, you are dependent upon any, EXTERNAL, single point-of-attack/vulnerable-point... then you WILL be hit... you WILL be affected... you WILL have losses... and you WILL be totally-dependent upon EXTERNAL-interests in "fixing", and recovering... based upon THEIR competence, and on THEIR time-table... and, to suit THEIR perception of THEIR interests.

Does this affect you? Not sure? Does your business use any of the following (the categories and terminology overlap)?

  • software as a service (SaaS)
  • platform as a service (PaaS)
  • infrastructure as a service (IaaS)
  • hosted application
  • application service provider (ASP)
  • cloud computing
  • online office application (e.g. Microsoft Business Productivity Online Standard Suite, Google Docs)
  • external web mail (e.g. Hotmail, Gmail, Live Mail)
  • peer-to-peer services (e.g. Skype)
  • online backup and synchronisation (e.g. Iron Mountain, iDisk, Live Mesh)
  • other people's content included directly into your software applications (e.g. news feeds, maps)
  • third party online service (e.g. address lookups, payment gateways).

If so, perhaps answer these three questions. Does it matter...

  • if someone else deletes, or an unauthorised person views, your data?
  • in which geographic location your data are stored?
  • if your data or service are unavailable for more than 10 minutes?

If you answered "yes" to any of the above, take time to consider what the effects would be if any of your data was stolen or the service was unavailable for an hour, a day or a week. The considerations are very similar to any other business decision, but it's easy to forget the trust we are placing in another party.

The key security issues to review are software liability, right to audit, service level agreement (SLA), security testing plans, authentication policies, intellectual property, storage locations, system isolation, data encryption in transit and at rest, backup and recovery, archival, support, complaints procedure, contract jurisdiction and legal compliance. If you have cyber liability insurance, you will also need to check whether these cloud services are covered.

In Part 2 (of 2) on Tuesday, I'll highlight some more recent cloud computing issues and provide links to additional discussions.

Update 27th November 2009: See also Cloud Computing Risks.

Posted on: 17 April 2009 at 11:03 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

13 November 2008

A Cry for Help Which Made Me Want to Cry

E-consultancy.com has many excellent online marketing and e-commerce resources, and I read the blogs and forums regularly. The following posting appeared on the forum a couple of days ago:

Partial screen capture of posting to the e-consultancy.com forums asking 'Can anyone tell me if there is a way of finding out who hosts your website? We  need to find out who is hosting our website any help would be appreciated.'

This cry for help worried me. Although the forum replies were helpful, it did make me wonder how many other web site owners have no idea where their web site is hosted.

If this is really the case here, it probably means the owner doesn't have all the resources to rebuild the site elsewhere and possibly is without back-ups of the data. And what about the intellectual property ownership? It's something which all developers should be discussing with their customers. My first suggestion would have been to contact the development company. A cursory examination of the source code reveals:

Partial screen capture of page source code with a commented out hyperlink to the designers Osmodus

This company even showcases the site:

Partial screen capture showing the Gluttonous Gardener web site featured on the Osmodus portfolio pages

Now, we have no idea of the background and cannot guess if there is anything amiss. But the site is a card payment enabled e-commerce site, and surely the owner has had to comply with the Payment Card Industry (PCI) Security Standards Council's Data Security Standard (DSS)? Knowing where your web site is hosted would be one of the earlier things to discover.

Let's hope it's sorted soon.

Posted on: 13 November 2008 at 14:52 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

24 October 2008

Partition the Web Server

Setting up a web server incorrectly can be difficult to change later. Isolating the operating system from web site files and other data using separate partitions or physical devices needs to be done during server commissioning.

It would be usual to have at least three partitions on a typical web server:

  • The operating system
  • The web site files (scripts and static files such as images and style sheets)
  • Server logs

This allows you to restrict permissions - so that if the web site is compromised, it is harder to access the operating system files, and to ensure that logs don't grow excessively and use up all the available space.

Your own data - the database and perhaps other files - should be stored seperately. If possible this should be on other servers, but if not, on a separate partition.

If you allow any user uploaded content, you should also consider storing this on another separate partition, and in any case, never in sub-directories of the web site root. This is to prevent direct access to possibly malicious file content by directly requesting the address in a browser and to ensure the files are stored in an area with limited permissions.

Posted on: 24 October 2008 at 06:42 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

10 October 2008

Plain FTP and PCIDSS

In my post earlier this week on Server Login Protection, I mentioned how file transfer protocol (FTP) is commonly used, and should not be. A data breach this week hints that FTP was the method of access that lead to the data theft.

The Breach blog reported a breach involving Gloria Jean's Coffees' e-commerce site. Their privacy and security statement aludes to higher standards:

Your purchases at gloriajeans.com are safe. Our site has security measures in place to protect the loss, misuse and alteration of information under our control. We make use of appropriate commercially available software to encrypt order information.

The notification letter to the New Hampshire Department of Justice in the United States (US) says the company:

Locked down File Transfer Protocol (FTP) to specific IP's and implemented SSL encryption to this service for our website

But the strange thing is that it is an e-commerce site and that some of the data stolen was credit card information - card number, name, address and card verification value (CVV), also known as the card security code (CSC) - obtained by modification of the application scripts on the web server. In other words, inbetween the encrypted transfer (using SSL) to the web server and before sending this by an encrypted method to the payment gateway.

Enforcement of the Payment Card Industry (PCI) Data Security Standard (DSS) is much further advanced in the US. So either the site wasn't compliant in which case large fines are winging their way towards Gloria Jean's Coffees Corp, or the auditors may have missed something important here.

See also the related Keeping Up-to-Date with Security Breaches.

Posted on: 10 October 2008 at 07:02 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

More Entries

Hosting : Web Security, Usability and Design
ISO/IEC 18004:2006 QR code for http://clerkendweller.com

Requested by on Thursday, 24 April 2014 at 16:44 hrs (London date/time)

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use http://www.clerkendweller.com/page/terms
Privacy statement http://www.clerkendweller.com/page/privacy
© 2008-2014 clerkendweller.com