Sunday, August 17, 2014

Doing Web Security the Right Way (Undoing/Unfucking FUD)

Recently came across this interesting little message via Twitter, just moments ago today:

This message links to this article. You'll notice my first mistake was in retweeting this without even looking at it. Here I was trying to be helpful and... gah. Never mind. Let me address some of the points the author made:
...and countless ways for you to counter attack
No. Just no. Hackback is a REALLY grey area. There are entire books dedicated to attacking attackers, and a lot of legislation surrounding this is still very unclear. Unless you are a professional, know the difference between "venom and poison" and are willing to accept the risks... don't go after would-be hackers. Contact professionals. Like us. People (person) who retweet things randomly.
Begin by running a full local anti-virus/malware scan. If possible, identify the machine which was hacked.
Countless articles and organizations are starting to say what information security professionals have known for years: "The era of A/V is drawing to a close; AV is dead." What does this mean to you? Doing an antivirus scan to identify the machine that was hacked is no longer enough these days; see services like VirusTotal. VT takes a file (or a file's cryptographic hash) and compares it against a variety of antivirus engines. Sometimes the malware is detected, other times it isn't. Most of the time you're lucky if maybe half of all the antivirus engines VT tests against will detect a given piece of malware. (Disclaimer: something not being detected on VirusTotal is not a be-all-end-all, but it's usually not a good sign.) The point is: an A/V scan is a good place to start, but alone it is no longer enough.

Additionally the author makes no effort to differentiate between scanning the client workstation versus scanning the attacked web server.
Change your passwords at least once a month. It is also vital to conjure up complex passwords which make use of upper and lower case, symbols and numbers.
Okay, fair enough. Regularly changing account passwords for management consoles *is* a fairly decent idea. Complex passwords make brute force attacks against admin consoles or SSH access that much closer to impossible.

Never keep a document on your computer which is labelled, or contains the words ‘password’ or ‘username’. This is the easiest way for hackers to access all of your accounts and cause havoc. If you struggle to remember passwords, make use of an app like 1Password.
Questionable at best. 1Password and/or KeePass require you to store a database on your local filesystem. Any would-be attacker would likely notice a file with a .kdbx extension (or whatever the hell extension LastPass uses) fairly easily. The better solution is this: if you use a password management suite (which you really, REALLY should) like KeePass, LastPass or 1Password, take reasonable measures to protect your files (password protect your Windows/Linux/Mac user account, encrypt the drive holding this data, restrict file permissions on your password database file, etc.). That way the point above is entirely moot. Proper access control to your password management tools trumps obscurity any day.

Do regular updates to ensure that you have the latest version of your operating system available. This way your software can detect and disable most of the latest hacks.
Patching your systems (your local workstation and, if possible, your VPS/hosting server) is a regular part of system maintenance. If you aren't setting an update schedule for your web server and/or your workstation, you're doing it completely wrong. Be aware that patching is only one part of security: 0-days, vulnerabilities in software or an operating system that are unknown to the vendor, are a very real thing that no amount of patching will save you from.

In addition to 0-days there are "forever day" vulnerabilities, related to the "It's not a bug; it's a feature" crowd. Essentially these are vulnerabilities in software that will never be patched, for whatever reason. Patches are a very big part of software security. Update your web server, your workstation and the software packages on both regularly, as soon as new updates are made available, but understand that patching is not the be-all end-all of security.

Consider using source as opposed to open source CMS. However, if you are using open source CMS, make sure that you always have the latest version installed, ensuring that all your plugins are up to date.
Absolute FUD, plain and simple. Closed-source and open-source CMS systems are almost equally likely to be hacked if poor security controls are maintained. Proper web server security, .htaccess, encryption and user account management are all things I could take forever to explain, and in fact I am working on writing documentation on doing them the right way. Know for now, however, that this is absolute FUD. Use a CMS that works for you. If it happens to be open-source, all the better.

Avoid investing in low budget hosting plans, as the more costly plans also tend to have all the latest updates in terms of potential threats.
Good gods. This is just folklore at this point. The only differences between low-cost and higher-cost hosting plans are usually bandwidth and system resources. Choosing a lower-cost hosting solution has no real, tangible impact on the likelihood of your site getting hacked. This statement is bullshit through and through. Again, choose a solution that fits your organization and budget.

Do not keep client lists on the server; rather access them remotely when you need to. Otherwise your clients may receive spam from the hacker in question.
In most cases you really won't have a choice in the matter: customer PII will need to be kept in a database that is used by a web application hosted on a web server. It's a fact of life. What you CAN do to make it harder for would-be hackers is to HASH and SALT passwords, and MINIMIZE storage of personal information. Know the law. If you store credit card data or other PII, you need to have reasonable measures in place to protect it, and you may be subject to PCI and other regulatory compliance. Long story short: storage of customer data on servers is an inevitability. Good security practices will make it less painful. We will discuss some of these practices in the future. Moral of the story: don't blindly retweet shit.
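As an added example (not code from the original post or the article it responds to), here is the hash-and-salt practice above done with PBKDF2 from the Python standard library; the stored-string format, the iteration count and the rehash helper are my own assumptions, not a standard:

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters: tune the iteration count to your hardware (higher is slower for attackers too).
HASH_NAME = "sha256"
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_<hash>$<iterations>$<salt b64>$<digest b64>."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # a fresh random salt per password defeats precomputed tables
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return "pbkdf2_{}${}${}${}".format(
        HASH_NAME, iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"))


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and parameters; compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        hash_name = algo.split("_", 1)[1]
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, int(iterations))
    except (ValueError, IndexError):
        return False  # malformed record: never treat it as a match
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, min_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if the record was made with fewer iterations than current policy (rehash on next login)."""
    try:
        return int(stored.split("$")[1]) < min_iterations
    except (ValueError, IndexError):
        return True
```

Two users with the same password end up with different records because of the per-password salt, so a leaked database cannot be attacked one hash for all accounts.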
