Tips to help secure your account
From Site5Wiki
The purpose of this page is to outline steps that can, and in some cases should, be taken to help ensure that your web hosting account is safe and secure, thus, hopefully, preventing your data or your clients' data from being compromised. EVEN IF YOU FOLLOW ALL OF THE PRACTICES DESCRIBED BELOW, IT IS IMPOSSIBLE TO BE 100% PROTECTED AGAINST SECURITY THREATS!
Your Web Hosting Account
Password Safety
Passwords are meant to provide a means of securing access to content that you wish to keep away from prying hands. Having an insecure password configured is like hanging your house keys on a key hook outside your front door when you're away. Like me, you may have more keys than you can count and not even remember what half of them do, but that still won't deter the bad guys from taking advantage of what's been handed to them.
The following is a set of tips that you may wish to use to help prevent yourself from becoming a victim.
- Never use the same password for more than one purpose.
- If your password is short or easy to remember, it's most probably insecure.
- Always try to include a mix of upper and lower case letters as well as numbers and special characters (where permitted; @, for instance, can cause problems with phpMyAdmin).
Have trouble remembering or thinking up passwords? There are various utilities available on the web to assist you in generating and remembering passwords. Here are a few samples:
- White paper concerning standards at the U.S. Department of Commerce
- the United States' government's Computer Security division
Web Application Safety
Web Based
When most people think about security and their web site, the first thing that typically comes to mind is "Passwords". Passwords are, of course, an extremely important aspect of ensuring the security of your hosting account, but this alone is not enough to grant you protection from the beasts that roam the web.
In the majority of cases in which a client reports that an account has been exploited, the incident was the result of a lack of proper attention to the applications installed within that individual's account. Outdated web applications, such as (but not limited to) blogs, forums, calendars and mail forms, can potentially give an individual full access to your account without the need for any authentication data. This type of attack is referred to as Cross Site Scripting or XSS, and it effectively allows persons, automated bots/worms or otherwise to execute commands within your account by remote means.
Applications are not subject to attack merely because of the programming language in which they have been developed. Whether developed in PHP, Perl or otherwise, an application is only as secure as it is programmed to be. Programmers are not perfect, and quite frankly, nobody expects them to be (no really, it's the computer that lacks perfection). A good programmer, or team of developers for that matter, will take application security very seriously and will work their fingers to the bone to beat out any possible security risks they might have included within their code. It is inevitable, however, that a bug will find its way into an application, and that bug could very well be vulnerable to any number of exploits, XSS or otherwise.
If you have installed, or are planning on installing, any application in your account, the following checklist, if used regularly, should assist you in beating the bad guys.
- Use strong passwords and cycle your passwords regularly (every 2 - 6 weeks)
- Subscribe to the application vendor's product release mailing list or whatever alert system they make available. These lists are generally only updated when a new update is made available for the product.
- Backup and Update your application regularly!
- Review the file permissions in place for your application files.
- Don't forget to secure your database authentication data! You are most likely leaving this data within a regular text file. Make sure the file is permissioned securely and is not visible or available to anyone on the web.
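The two permission items in the checklist above (reviewing application file permissions and locking down the file that holds your database credentials) can be checked and fixed with a short script. This is an added example, not a Site5 script or part of the wiki; it assumes a POSIX shell with find, and that PHP on the account runs as the account user (suPHP/suEXEC style), so a 600 credentials file stays readable by your site while being hidden from other users on the same server. All paths and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit and harden permissions in a hosting account's web root.
# Assumes PHP runs as the account owner, so mode 600 on the credentials file
# still works for the site. Sample files below are constructed, not real.

# Build a throwaway web root containing typical mistakes so the audit has input.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    printf "<?php define('DB_PASSWORD', 'constructed-example');\n" > "$root/wp-config.php"
    : > "$root/index.php"
    : > "$root/wp-content/uploads/photo.jpg"
    chmod 755 "$root/wp-content"
    chmod 644 "$root/wp-content/uploads/photo.jpg"
    chmod 644 "$root/wp-config.php"        # any local user can read the DB password
    chmod 777 "$root/wp-content/uploads"   # world-writable directory
    chmod 666 "$root/index.php"            # world-writable script
    printf '%s\n' "$root"
}

# Number of files and directories under $1 that other users can write to.
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Number of credential-style files under $1 that other users can read.
count_exposed_credentials() {
    find "$1" -type f \( -name '*config*' -o -name '.env' \) -perm -004 \
        | wc -l | tr -d ' '
}

# Apply the usual shared-hosting baseline: 755 dirs, 644 files, 600 credentials.
harden_web_root() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type f \( -name '*config*' -o -name '.env' \) -exec chmod 600 {} +
}

# Demonstration run on the constructed root.
demo_root=$(make_sample_root)
echo "before: $(count_world_writable "$demo_root") world-writable, $(count_exposed_credentials "$demo_root") exposed credential file(s)"
harden_web_root "$demo_root"
echo "after:  $(count_world_writable "$demo_root") world-writable, $(count_exposed_credentials "$demo_root") exposed credential file(s)"
rm -rf "$demo_root"
```

Run the two count functions against your real document root before the hardening step; anything they list is worth understanding before you change it, since some applications deliberately keep an upload directory writable.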
Client-Based
An often neglected or overlooked aspect of the security of your account is the state of the computer provisioning your data or communicating with your account, and the means by which it performs these tasks. It has been said that as many as 1 in 4 computers connected to the internet is possibly infected with some sort of botnet related software. You, yes YOU! may very well be that 1 out of 4. Chances are, if you were infected, you wouldn't have the slightest idea. Right about now you may be thinking "Right, this guy's bonkers, I've got XYZ Anti-Virus / Firewall / Spyware Super Extreme Platinum Pro Edition! I'm safe!". My friends, while you are correct in assuming that I am bonkers, if you rely solely on a software product or two to ensure the security of your computer or local network, my status as officially bonkers hereby permits me to smack you upside the head (virtually, and in the nicest way possible!). The truth of the matter is that securing your computer is an ongoing, never ending, not-even-resting-for-a-coffee task, and you are never truly 100% safe. Most security utilities, such as those mentioned at the start of this paragraph, are purpose built to address known threats; yes, in some cases they are also built to identify malicious activity of unknown origin, but only to a certain extent.
General Internet Safety
- Hardening your control panel accounts and your websites' logins
- Password Strength Analyser and Generator library -- Java-based, OS-independent
- Protecting yourself online: the FBI's Cybercrimes Unit
- OnGuardOnline.gov
- Protecting yourself from botnets, spammers, and hackers, thanks to ftc.gov
- us-cert-gov
Security Related Resources
- AdAware software for Windows
- Packet Storm Security
- Secunia
- SecurityFocus
- FreeBSD > Security
- apple.com > security
- Criteria at the United States government level for consumers: The National Information Assurance Partnership (NIAP) is a U.S. Government initiative between the National Institute of Standards and Technology (NIST) and the National Security Agency. The goal of this collaboration is to increase the level of consumer trust in information systems and networks. NIAP sponsors a variety of projects and activities, such as its flagship program, the Common Criteria Evaluation and Validation Scheme (CCEVS), which focuses on meeting the security testing, evaluation, and assessment needs of both information technology (IT) producers and consumers.
- Reporting an incident of cybercrime against you:
Fairmont, WV - The Internet Crime Complaint Center (IC3) has logged its 1 millionth consumer complaint about alleged online fraud or cyber crime. The 1 millionth complaint hit the IC3 system on June 11th, 2007 at 01:26 PM.
IC3 is a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C).
IC3's mission is to serve as a vehicle to receive, develop, and refer criminal complaints regarding the rapidly expanding arena of cyber crime. The IC3 gives the victims of cyber crime a convenient and easy-to-use reporting mechanism that alerts authorities of suspected criminal or civil violations. (source)