Hacking websites/forums and how to protect yourself

[Space Cowboy]

Hey all,

As The Forge was recently hacked.  Personally, I barely know enough about computers to get by, and since Wild Sphere's forums are under construction, I am understandably concerned that something equally malicious might happen to us in the future.

My questions are: Can folks point me in the direction of good, basic information about web hacking? (e.g., how do they work), what are the most common and most difficult to repair types of hacks?, and what can be done to protect against them?

Many thanks in advance!

[DevP]

Well, I can tell you firstly, to make frequent backups (or figure some system for doing so). Once you got that, then even with hackings you'll be okay. You probably want a backup of the site, and frequent backups of the database that powers your forums and whateverelse you got. Beyond that, always getting the latest patches is key. Look for an RSS feed with news/updates for the software you're using.

[Rob Carriere]

Space Cowboy,
There are basically four types of attack you have to deal with:

1- Attacks against the network protocol stack. These are low-level attacks, they have nothing to do with what sort website you offer, or even whether you offer a website. They are possible against any machine that is connected to the Internet.

The defenses are:
. Keep your operating system fully patched.
. Run your machines from behind a firewall.
. If possible, select your operating system with security in mind.

In your case, these are probably the worry of your hosting provider. If you are concerned, check their policies in this regard.

2- Attacks against the webserver. These are mid-level attacks, that depend only on the fact you are offering some sort of website.

The defenses are:
. Keep your webserver fully patched.
. Do not activate any webserver modules/plugins/whatevers that aren't actually needed for your website.
. If possible, select your webserver with security in mind.

Again, this would probably be up to your hosting provider. I took a quick look and it seems that your website is running Apache (good) and it is configured to not publish its configuration (better than 90-odd % of websites out there). Based on that, I suspect you may well have a security-conscious hosting provider. However, you should check to make sure.

3- Attacks against applications running on the website (such as a bulleting board, a wiki, a blog, or even something as silly as a visitor counter.) These are high-level attacks, that will obviously only work if your website is actually running the targetted application. (This is the reason for the defense under 2 above--if it ain't there, they can't hack it.)

The defenses are:
. Choose your applications wisely. Some programs are much more prone to security flaws than others and some programs are much better known than others. Obviously, the worst case is a well-known, poorly-programmed application. Sadly, phpBB comes close to qualifying. It usually has several security problems per year and it is probably the best-known bulletin board code, so these problems are invariably exploited and usually exploited quickly (under a week, in the case of the Forge).
. Keep your application fully patched.
. Be very, very careful with customization and configuration. Far more security problems originate in poor configuration than in poor applications (and, considering the quality of some apps, that's saying a lot!) If you don't understand the configuration, talk it through with, or defer it entirely to, somebody who does.

Between these three kinds of attack, there are many, many possible technical approaches. The good news is: you don't really care how they hack, you just care what they are hacking for. Again, there are a number of classes of goals, but in the wild we really only see three:

- Denial of service. The attack causes your site to be unreachable or otherwise useless. Two examples would be generating such massive amounts of fake traffic that you webserver can no longer handle the real traffic and causing a crash of your webserver.

- Destruction of information. What happened with the Forge: somebody wiped all the data. A more subtle approach would be to introduce errors in the data (fake posts, for example)

- Theft of information. A favorite with sites that record sensitive data such as credit card numbers.

Recovery from Denial of Service consists mostly of waiting it out. Sooner or later the attack stops and life continues.

Recovery from destruction of information depends on having backups. Backups on the webserver are good, because they allow rapid recovery, but not sufficient, because a good hacker will destroy them as well (as happened with the Forge). So have a strategy to feed backups to a secure location...frequently.

There really is no good recovery from Theft of Information, other than waiting through the (usually long) period until the people whose information was stolen stop being mad at you and start trusting you again. For this reason, many sites transfer sensitive information off the webserver to somewhere more secure ASAP. (That means: within seconds.)

4- The fourth kind of attack is not against your site at all, but against your site's visitors via your site. The usual trick with a bulletin board is that I post something that contains code. Anybody who views my post will be running my (hidden) code in their browser. If this code is designed to exploit one of the many open security problems with Internet Explorer, I can do whatever I want on the computers of all your visitors...

The defense is to strip incoming posts of anything that even looks like it might be dangerous--the bulletin board code should be doing this work for you.

The most common problems with bulletin board sites are all input stripping related. Either type 3 or type 4 attacks may be possible if the input stripping isn't good enough in each every place the software ever asks for input (which is many places!)

Was this the sort of info you were looking for?
SR
--

[Ron Edwards]

Hello,

Rob, thanks for being helpful, and I hope your contribution provides a good start.

I've decided, after deliberating for a while, that plenty of websites and other resources exist which can help developers guard against hacking. The Forge might do well to compile a list of such sources in the Publishing forum, but discussion about it isn't really on-topic here.

Best,
Ron

[Space Cowboy]

Hey guys,

Thanks heaps for your posts.  Very informative for a neophtye like myself.  I'll also pass it along to my web designer.

Many thanks!

[Space Cowboy]

I've decided, after deliberating for a while, that plenty of websites and other resources exist which can help developers guard against hacking. The Forge might do well to compile a list of such sources in the Publishing forum, but discussion about it isn't really on-topic here.

Best,
Ron

Hey Ron,

If you want to move this thread over there, that's cool.

Cheers

[Ron Edwards]

When I need non-moderators' help in deciding what to do with a thread, I'll ask, thanks.

Some folks have already asked me about setting up a Publishing thread about this stuff, which I've approved.

This thread's now closed.

Best,
Ron