Security and Access
So how good do you think your website would be if it were hacked on a daily basis?
Over two-thirds of corporate executives view ensuring reliable network security as the single most critical factor in the successful implementation of a converged IP network, according to a new survey from AT&T in co-operation with the Economist Intelligence Unit (EIU).
More than sixty percent of all executives surveyed say that processing customer data online exposes their firms to electronic security breaches, more than any other type of vulnerability. Yet three years from now, 62% of the respondents expect to have implemented IP through most or all of their organizations.
So how do you, as a designer, play a role in this? First, by keeping up with the latest Security Bulletins and Advisories. Microsoft has a nice site called TechNet Security that contains the latest information. Install an anti-virus program and keep the .dat files (virus definitions) up to date. Don't forget to routinely scan your computer for viruses too! Contact your host and ensure they have the latest technologies and firewalls in place. Don't just assume that once you upload, your site is safe. 90 out of 100 times, it's not. With that in mind, back up your page information routinely. Nothing is worse than lost data that has to be regenerated from scratch.
Also check the programs you use for updates and patches. The programs themselves can contain code that lets hackers into your site. Web Net 77 gives excellent advice, most of which should be considered common sense, but let's take a moment to look it over anyway!
AS A WEBMASTER WHAT SHOULD YOU DO:
Even if you are an experienced, seasoned desktop programmer, unless you are an experienced Perl, PHP or Python programmer this probably applies to you too! (Fact is, most programmers are familiar with Desktop, PC and client software. Server software -- especially Internet software -- is an entirely different animal).
- Never download software from "hey, check out my cool free software"-type sites. You will be buying yourself a whole lot of trouble in most cases.
- Never modify scripts if you are not 100% sure. A customer recently modified a script he bought - he changed 4 lines of code. In just one of them he made a mistake. Just one line is all it took to get his mail server hijacked!
- Never download and install software you cannot find running on other [reputable] sites somewhere else on the Internet.
- Never use Form mail from Matt's Script archive. On our servers we will suspend any domain that uses Form Mail. See Top ten security attacks in the last quarter of 2002 for more information.
- DO NOT download software from places like CGI Resources, Hot Scripts etc. unless you are sure the author knows what s/he is doing. (We have nothing against these websites. On the contrary, they have many excellent scripts. The problem is that anyone who thinks he's a programmer can write code and submit it to them, and they make no distinction between secure and badly written software.) If you want to find decent software to use on your site, go to places like Perl.com or the Comprehensive Perl Archive Network and look there. Use the sites they recommend to get the software you need. (There is still no guarantee the software you download will be secure, but you stand a far better chance there than at the places where any wannabe can publish code.)
- Always be extra careful when using software that does any of the following. These are not security risks per se, but they are often the point of entry into a badly written script for the crafty hacker:
  - executes system commands from within the script,
  - sends email,
  - accesses and manipulates files on the server,
  - receives information from the internet, e.g. name, email address etc.,
  - deletes files or directories,
  - accesses and manipulates an SQL database.
  There are probably many more, but these are the ones we have found to be most problematic.
- Always check with your server admin before installing software on your site.
- Always check with webmasters more experienced than yourself -- if you can -- as to whether a script is safe to use.
- Always search for more information on the background of the author of the particular script you want to use. Look for sites that do software and security reviews and see if you can dig up anything there. The search engine is your friend. Use it.
If you are not an experienced programmer find someone who is to help you find secure CGI programs for your site.
NOTE: Delphi, VB or any flavor of C for desktop PCs doesn't count; experienced means experienced with web servers.
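As an added illustration of the "sends email" and "receives information from the internet" items in the list above (this is example code written for this page, not Web Net 77's or Matt's Script Archive's code), here is a defensive input check for a form-mail handler in Python. It assumes the usual way a form mailer gets abused as a relay: a recipient chosen by the submitter, or a line break in a field that lets extra header lines in; the allowlist and addresses are constructed.

```python
import re
from email.message import EmailMessage

# Constructed values for this example; a real deployment keeps the recipient
# list in server-side configuration, never in a hidden form field.
ALLOWED_RECIPIENTS = {"webmaster@example.com", "sales@example.com"}
HEADER_FIELDS = ("recipient", "realname", "email", "subject")
LINE_BREAK = re.compile(r"[\r\n]")
ONE_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def check_form(fields):
    """Return a list of problems with a submission; an empty list means safe."""
    problems = []
    for name in HEADER_FIELDS:
        # A line break inside a header field would let the submitter append
        # header lines of their own, which is how a form mailer becomes a relay.
        if LINE_BREAK.search(fields.get(name, "")):
            problems.append(f"{name}: line break in header field")
    if fields.get("recipient", "") not in ALLOWED_RECIPIENTS:
        problems.append("recipient: not in server-side allowlist")
    if not ONE_ADDRESS.match(fields.get("email", "")):
        problems.append("email: not a single well-formed address")
    return problems


def build_message(fields):
    """Build the outgoing mail for a submission that passed check_form().

    Headers are set through the EmailMessage API rather than by string
    concatenation, and the message is meant for smtplib, so no system
    command is ever run with form input (see the first item in the list).
    """
    problems = check_form(fields)
    if problems:
        raise ValueError("rejected: " + "; ".join(problems))
    msg = EmailMessage()
    msg["To"] = fields["recipient"]
    msg["From"] = "form@example.com"  # fixed sender, not taken from the form
    msg["Reply-To"] = fields["email"]
    msg["Subject"] = fields.get("subject", "Web form")[:120]
    msg.set_content(f"Name: {fields.get('realname', '')}\n\n"
                    f"{fields.get('message', '')}")
    return msg
```

The hidden "recipient" field is the one to distrust: it arrives from the browser like every other field, so only a server-side allowlist decides where mail may go.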