Jan 06 2013

Defending your sites from criminals

No, they are not your real estate properties or your neighborhoods. They are your websites and your online communities. Programmers, web administrators and users should take proactive measures to protect electronic assets, since cyber-criminal activity has exploded with the expansion of the Internet. Here are some tips to protect yourself as a developer, as a webmaster and as a user.

Tips for Developers

  • Make your code clean, and if you copied parts of your code from someone, acknowledge the source so it can be traced back. Without such information, even if there is a known security issue, it will be hard to trace and fix it.
  • Take the time to test your program against known attacks. The last thing you want is to distribute a piece of software with hundreds of errors. While updates can patch security issues, they will be costly to you and to the webmasters.
  • Place a clear disclaimer about how to protect the end user from known or possible vulnerabilities. This will help you avoid possible legal issues. An added benefit is that, if the information you provide is sufficient and/or the project is open source, a fellow user may even find a solution to the security problem.

Tips for Webmasters

  • Do not use the default administration usernames and passwords for any program. For example, admin or adm would be a bad username because a hacker now only has to figure out half the puzzle.
  • Close all HTTP and FTP access ports and accounts that you don’t use. Do not allow anonymous FTP access to the same server as your public web folder.
  • Do not store user data in any insecure system. Download and delete all existing older data at random intervals. Never store all user data in a single file, folder, disk sector or server.
  • When collecting user data, be clear about what you collect, how you collect it, how you store the information and what you do with it. For example, my contact form does not use an SSL connection and I have clearly indicated that to the user with a message.
  • Block SQL injection attacks by writing careful SQL code. Do not install code just because you can; a single flaw can open a security hole for all of your SQL databases.
  • Create databases with separated storage sectors for data and information. Only link data to information when needed. For example, Sanuja Senanayake can be stored in db_001 and Calgary, Alberta, Canada in db_002. A criminal needs access to both db_001 and db_002 in order to know that Sanuja Senanayake is from Calgary, Alberta, Canada.
  • Block hot-linking of images and other materials from your web server to prevent bandwidth overrun, load capacity issues and copyright issues. Nobody should be able to use your servers as a hosting service unless that is exactly what you want. Use .htaccess files and/or your server control panel to configure blocking.
  • Only give programs the folder and file access they need. For example, the .htaccess file should not be writable from a public HTTP/HTTPS connection.
  • When using CMS programs, change all the default values and delete all the initial guide files such as readme and version from the installed directory. In addition, if renaming database prefixes is allowed, rename all the default prefixes to something arbitrary. Warning: renaming database prefixes may cause the site to fail.
  • Finally, do not save your access codes and user account data on any mobile devices. Always enter the passwords and usernames by hand, except in home desktop units.
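As an added illustration of the SQL injection tip above (example code written for this page, not from the original post), the following runs the same lookup in a vulnerable form and a hardened form against a constructed in-memory SQLite table, showing why bound parameters, not string concatenation, keep user input from changing the query's structure:

```python
import sqlite3

# Constructed sample data for the demonstration; not from the original post.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def build_db():
    """Create a throwaway in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable: the input is spliced into the SQL text, so a quote
    character in `name` becomes part of the query's syntax."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened: the input travels separately as a bound parameter and
    can only ever be compared as a plain string value."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups with the classic tautology test string that
    web vulnerability scanners use, and a normal name for comparison."""
    conn = build_db()
    test_input = "' OR '1'='1"
    return {
        "unsafe_rows": len(lookup_unsafe(conn, test_input)),  # every row leaks
        "safe_rows": len(lookup_safe(conn, test_input)),      # no such user
        "safe_normal": lookup_safe(conn, "alice"),
    }


if __name__ == "__main__":
    print(demo())
```

The same principle applies in other languages, for example PDO prepared statements in PHP; the point is that data and SQL text are never mixed.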

Tips for users/consumers

  • When submitting data (for transmission or storage) know what you submit.
  • If you are submitting sensitive data (i.e., banking info, address, etc.), make sure the connection to the server has at least 128-bit SSL encryption. By contrast, a simple “how are you” type submission may be perfectly OK to send over an unsecured connection.
  • Do not give out your personal data without knowing how the recipient will use it.
  • Always check the web address against the one you intended to visit before you trust the site you are on. A single misspelling can cost you.

Who has the most responsibility?

In this electronic age, with access to the right data and information, cyber-criminals can be as dangerous as “traditional” criminals. We all should take responsibility to protect our sites from criminals. In general, most of the responsibility lies with the developers and webmasters. By defending our own sites, we also help our visitors and consumers defend themselves.

Permanent link to this article: http://sanuja.com/blog/defending-your-sites-from-criminals