Web Site that is not that easy to hack - Part 1 HOWTO - the bare necessities

What needs to be understood is that no one can achieve all the needed protection for a fully safe web site. Such a site is offline, on a powered-off web server in a closed and locked room in the basement.

On the other hand, several options are available to a perspective webmaster to own a web site that is reasonably safe from hackers. Software protection measures will be discussed separately.

  1. For now, let's focus on things that do not need special knowledge on the user's side.

  2. Use an off the shelf product for the web engine - preferably an open source one. These products are very fast to develop functionalities as well as to patch vulnerabilities simply because they are open to public scrutiny.

  3. Upon installation of the web engine, remove all installation scripts contained within it - they are an excellent back door into the engine!

  4. If database is needed for the engine to function, do not try to be the DBA yourself. Your hosting company has a DB server, as well as people being paid to make sure the DB server is as safe as possible.

  5. Just in case, have two different passwords for your database, one for the web engine to generate the web site pages, with as little priviledges as possible, and one administrative, whose password you should try not to keep in cleartext on the web site files. If this is not possible, follow the web engine's instructions on how to protect the files that contain this password.

  6. Have a backup of both the engine and the database, at most a week old. This enables you to land on your feet if your site is being compromised.

  7. Never upload or save any files other than what's needed for the functioning of the Web site. What's not there cannot be compromised!

  8. Ask the hosting company do deny directory listing on directories of your web site (if not set by default). For good measure, have an index (default) page in every directory.

  9. Have the web administrator pages hidden in obscurely named path different from the default path of the web engine, and make sure that NO links from the user accessible site have a link to the web administrator pages. As additional measure, change the default name of the login page for the web administration. This way, the attacker cannot use a crawler tool to find the admin page and will have to do a lot of guessing to find this interface.

  10. NEVER, under any circumstances keep personal or credit card information on the web site database or in the web site directory structure.

Tune in for Part 2 of Having a web site that is not that easy to hack, where we will be discussing the most common software vulnerabilities.

Is Skype a good Corporate Tool?

The new age of information technology is strong in all corporations, and people understand that there are fast and easy methods of communication that haven't been available before. One of the most modern being the Instant Messaging tool, in any form possible. And the most popular form of the day is Skype.

Furthermore, the modern corporate employees view the ability to use Skype at work as their constitutional right, not a corporate priviledge.But let's observe the pitfalls of Skype usage in corporate communciation:

  1. Skype is designed to be an Internet communication tool - This means that each SkypeClient MUST connect to a SuperNode somewhere on the internet
  2. The Skype protocol is designed to enable communication between users via possibly blocking paths. It does this by using SuperNodes and Routing Nodes to transfer messages when direct client-to-client communication is impossible
  3. The Skype protocol is propriatery and encrypted, so there is no way to control or audit the content of the messages.
  4. Again through a characteristic of the Skype protocol, any Skype client can choose to become a Routing Node, potentially offering it's services to any client on the Internet.
  5. Skype is designed as internet telephony protocol, and the voice functionality cannot be blocked. Using the voice functionality can cause unnececary bandwidth usage and potential problems on the data network
  6. The Skype client is closed source, and any claims of the encryption alghorithms used in it have to be taken for granted, since there is no way to confirm them. So, nobody really knows whether Skype or anyone else can eavesdrop. Even if all claims are true, the usual problem is not with the alghorthm, but with it's implementation. Bear in mind that one of iPhone hacker unlock mechanisms used a bug in the RSA encryption alghorithm.
  7. The Skype binary is unnaturally large, most of it is encrypted, and it contains numerous controls and hooks that are designed to prevent an active debugging tool to reverse engineer it. Also, it contains intentional garbage code and padding designed to confuse any dissecting of the file. This mess of a binary is an excellent place to hide an undesirable element like backdoor, trojan or spyware tool, which would not be easily detectable through standard spyware tools.
  8. All passwords of the Skype users are kept on a centralized Skype Authentication Server. Skype claims that all passwords are irreversibly hashed. This fact as well as the hashing alghorithm are impossible to confirm. This may not be a problem for private use, but in a corporate envirnoment a large number of employees use the same password for all their business applications, so it is quite possible that they will use the same password for Skype, potentially releasing this passoword in the wild.

So, here is a summary of the pitfalls of using skype:

  • All users must be allowed to connect to some servers on the internet to log on to the Skype network. This connection can be used to piggy-back an attack through the authenticated outbound session.
  • No possibility to perform any audit on the communication - a corporate must!
  • No possibility to block voice, thus opening the potential for bandwidth hogging
  • No guarantees on what is within the Skype code
  • No guarantees on Skype passwords
  • No guarantees on Skype encryption

One must stress that these pitfalls mostly affect the organization as a whole (SysAdmins, NetAdmins, Security, Internal Audit et.c.), while the individual users are usually very happy to be served by Skype.

It is my strong opinion that the goal of easier corporate communication, is not well served by Skype

To address this goal, the corporation should implement an internal corporate messaging tool that has the following functions:

  • Possibility for fine grained activation/deactivation of available services (text, voice, video, file transfer)
  • Possibility for audit of both administrative events (logon, logoff) as well as messages
  • Fully internal infrastructure, thus eliminating the requirement for internet access.

Also, with the advent of IP Telephony in the corporate world, the corporation should decide on a strategic selection of product that will complement the IP Telephony, not compete or conflict with it.

Update: Recover the PC from Vista Stuck on Configuring Updates

While my first priority was to recover the data from the laptop, i also looked into the actual machine recovery.

I was able to boot into Vista System Recovery Options from the Vista DVD, and chose System Restore. Amazingly, Vista was responsible enough to create restore points before installing the updates that sent it crashing.

So i chose the restore point before the installation of the updates, waited about 10 minutes, rebooted when the System Restore asked me to, and voila, a living and breathing Vista :)

Although i am an advocate of secure computing, it seems that in this case an automatic update windows update caused all the trouble. The user didn't even saw the installation, which added to the panic of a failing system and lost data.
With this respect, i would recommend to the users to consider changing the default Vista automatic update setting to notification when updates are available, and reviewing them before installation. This way the responsibility for having an up-to-date system is left on the user, but there is also a significant measure of control what stuff is installed onto your PC.

I hope that Microsoft will acknowledge the problems of the update and post a fix, so the confidence in their published updates can be returned.

Recover Data from Vista Stuck on Configuring Updates

I was asked to assist in recovering information from a Vista Home Premium laptop which fell victim to the "Configuring Updates: Step 3 of 3" loop. This is the process i used, and i copied full 6 gigabytes of files off a stuck laptop.

Please bear in mind that this tutorial is presented as-is and i take no responsibility for lost data or non-functioning operating system which may result from any wrong turn during this process.

0. Have a working PC ready (i recommend an XP PC) and a ethernet hub/switch or a crossover cable
1. Find/Download and burn a CD copy of Ubuntu 7.04 (Feisty Fawn). It has excellent drivers for SATA disks, so this will help you access a SATA drive. I tried the ERD Commander 2005, but it just couldn't see the SATA drive of the laptop.
2. Boot the laptop from CD into Ubuntu
3. Doubleclick the network settings of the Ubuntu, and configure the wired network with a static IP address. Also do the same on the other PC (i used ip addresses and with netmask
4. Connect the ethernet cables of both machines to the hub/switch or to eachother if using a crossover cable
5. On the windows PC, create an empty folder with a short name, like 'recover' and make it a windows share with following security settings:
a) Sharing Permissions - Everyone - Full Control
b) Open Properties on the folder from Windows explorer, go to security tab, add everyone to the list of groups and usernames, and mark the full control Allow checkbox
6. Open Places, select Computer, double click on the disk drive, and identify which files need to be recovered (probably the user's folder under C:\Users
7. Open Places, Network, and from file, select connect to server. The type of conection should be Windows Share. On the dialog box on the server field type the ip address of the Windows PC, and in the share field type the share name (in our example, 'recover'). You must also name this connection (name it 'recover') Then press OK
8. On the left side of the window, you will see a new item, marked SMB and named recover. DoubleClick on it.
9. You may get a dialog box asking for a username and password, type in your username and password from the Windows PC
10. You should now have a view of the shared folder in the right section of the window. The Ubuntu doesn't give any message when connected, but test it by trying to create a folder. If all goes well, you are connected to another PC, and you can start copying your data over to the shared folder

1. I found that the autonegotiation of link speed in ubuntu is not performing at it's best, and you can get stuck with a 100 Mbps Half Duplex link - VEEERY SLOW.
To avoid this, open a terminal (applications, accessories) and type the following:
sudo ethtool -s eth0 speed 100 duplex full autoneg off
This command assumes your thernet network interface is eth0. If you don't know what you are doing, better leave it as it is, it will eventually finish, although aeons slower

2. Be very careful when working with the disk drive while logged in to Ubuntu. Ubuntu is a Linux, and it doesn't care at all about the files on the Vista disk drive. Also, being a linux, using a delete command REALLY DELETES a file, it doesn't send it to a recycle bin.
So again, be careful

Designed by Posicionamiento Web