Unit 28 Website Production (wiki.computing.hct.ac.uk/_media/computing/btec/level3/...)

Post on 17-Apr-2020


Unit 28

Website Production

Website security

Problems and resolutions

25 February 2015

What are the threats?

June 18th 2014, The Sunday Times & The Sun websites

Problems

Identify any security issues on advanced websites

Online payments

Intercepting data – Theft of information in transit

Changing data

Hacking usernames and passwords

Getting information from Cookies

Use of insecure OS

Authentication access to server

Undeleted files

Weak encryption codes

Solutions

Firewalls

Encryption and Secure Sockets Layer (SSL)

Monitoring applications

Spam prevention

File naming

Use strong passwords

Website certificates – validates organisation

SQL injection

Inserting SQL commands into the username and login textboxes

Username

Password

www.cmswire.com/cms/web-cms/how-they-hack-your-website-overview-of-common-techniques-002339.php

SELECT * FROM users WHERE username = 'USRTEXT' AND password = 'PASSTEXT'


Username: ' OR 1=1 --

Password:


-- signifies ‘comment’

‘ closes the username text field

SELECT * FROM users WHERE username = '' OR 1=1
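To show why the input above works against the slide's login query and why it does not work against a parameterised query, here is an added example (not from the slides or the cited article). It builds an in-memory SQLite table with one constructed user, runs the query once with the textbox values pasted straight into the SQL and once with them bound as parameters; the function and user names are illustrative.

```python
# Added example, not from the original slides: the slide's login query built
# two ways against an in-memory SQLite table, to show why ' OR 1=1 -- gets
# past a string-concatenated query but not a parameterised one.
import sqlite3

# Constructed sample data. The password is plaintext only to keep the demo
# short; a real system stores a salted hash, never the password itself.
SAMPLE_USERS = [("alice", "correct horse")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The slide's query with the textbox values pasted into the SQL text."""
    sql = ("SELECT * FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    # With username = "' OR 1=1 --" the SQL becomes
    #   SELECT * FROM users WHERE username = '' OR 1=1 --' AND password = '...'
    # The quote closes the string, OR 1=1 is always true, and -- comments out
    # the password check, so the first row comes back and the login succeeds.
    return conn.execute(sql).fetchone() is not None


def login_parameterised(conn, username, password):
    """Same query with the values bound as parameters: the driver passes them
    to the database as data, so quotes and -- cannot change the SQL structure."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    """Run both versions with normal, wrong and injected input."""
    conn = make_db()
    injected = "' OR 1=1 --"  # the input shown on the slide
    return {
        "vulnerable_normal": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_wrong": login_vulnerable(conn, "alice", "wrong"),
        "vulnerable_injected": login_vulnerable(conn, injected, "anything"),
        "parameterised_normal": login_parameterised(conn, "alice", "correct horse"),
        "parameterised_injected": login_parameterised(conn, injected, "anything"),
    }


if __name__ == "__main__":
    for case, logged_in in demo().items():
        print(case, "->", "logged in" if logged_in else "rejected")
```

The fix is the `?` placeholders, not input filtering: the parameterised version still accepts every character the user types, it just never lets them become part of the query text.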

Google hacks

Get password text files

Some passwords are held in password text files

inurl:passwd.txt

inurl:passlist.txt

“login: *” “password= *” filetype:xls

Cross-Site Scripting attacks (XSS)

Some websites store the username and password in cookies

XSS gets the username and password from the cookie
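The two defences a developer would apply to the cookie scenario above, as an added example that is not part of the original slides: escape user-controlled text before placing it in the page so injected script is shown rather than run, and give the browser a random session identifier with the HttpOnly flag instead of the username and password. The function names and the cookie name `session` are illustrative assumptions.

```python
# Added example, not from the original slides: defences against cookie theft
# via XSS. Uses only the standard library.
import html
import secrets


def render_greeting(display_name):
    """Escape user-controlled text before embedding it in HTML. A <script> tag
    typed into a profile field is then displayed as literal text."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


def new_session_cookie():
    """Issue a random session id rather than storing credentials in the cookie.
    HttpOnly stops document.cookie (and so injected script) from reading it,
    Secure restricts it to HTTPS, SameSite=Strict keeps it off cross-site
    requests. Returns the id (to record server-side) and the header line."""
    session_id = secrets.token_urlsafe(32)  # 256 bits of randomness
    header = ("Set-Cookie: session=" + session_id
              + "; HttpOnly; Secure; SameSite=Strict; Path=/")
    return session_id, header


def cookie_is_hardened(header):
    """Check a Set-Cookie header line: all three flags present and no password
    field embedded, which is the mistake the slide describes."""
    attrs = {a.strip().lower() for a in header.split(";")[1:]}
    return ("httponly" in attrs and "secure" in attrs
            and "samesite=strict" in attrs
            and "password=" not in header.lower())


if __name__ == "__main__":
    print(render_greeting("<b>guest</b>"))
    sid, hdr = new_session_cookie()
    print(hdr)
    print("hardened:", cookie_is_hardened(hdr))
    # Constructed example of the pattern the slide warns about:
    print("hardened:", cookie_is_hardened("Set-Cookie: user=bob; password=hunter2"))
```

Even with HttpOnly set, escaping output still matters: a script that runs in the page can act as the logged-in user without ever reading the cookie, so the cookie flag limits the damage but does not replace output encoding.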

Protection mechanisms

The most important consideration for a site after its creation.

Must be implemented at the development stage.

Take an individual approach that considers the specific character of the particular web project.

Protection

Code scanning – check for unauthorised changes

Known exploits and technique checking

.HTACCESS files

DNS blacklists

Hosting

File & directory permissions

Penetration testing

CAPTCHAS

DDoS – cloud hosting?

Separate files for sensitive data

Be careful with Client-side scripting

High security level for:

website content,

user accounts,

confidential information collected from users

and protection of admin control from illegal capturing.

Requirements

protection from:

spam,

automatic form submission,

use of single account by multiple users, etc.

Also:

Must not decrease website usability through multiple authorisation procedures or slow malicious-code testing mechanisms.

High level of convenience for users.

Methods

Encode the HTML code, or its key parts.

Access control password system: must not be visible in the web code, i.e. it must be kept in a separate file or database on the web server.

Security for site users: an unreliable security system can badly damage your business reputation.

Complete protection for users' personal data.

Much of website protection depends on your hosting service.
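The "password text files" on the Google hacks slide and the "separate file or database" point above come together in how credentials are stored. The following added example (not from the slides) keeps a salted PBKDF2-HMAC-SHA256 hash per user instead of the password, so a leaked store does not directly reveal passwords; the record format, iteration count and user names are assumptions made for the example.

```python
# Added example, not from the original slides: storing credentials as salted
# hashes in a store kept outside the web code and the web root.
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256; an illustrative value, check current
# guidance (e.g. OWASP) for the figure to use in production.
ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return a record of the form pbkdf2_sha256$iterations$salt$hash.
    A fresh random salt per user means two users with the same password
    get different records, which defeats precomputed lookup tables."""
    if salt is None:
        salt = secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(),
                                 ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt, digest.hex())


def verify_password(stored, candidate):
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so timing does not reveal how many bytes matched."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt.encode(),
                                 int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_store(users):
    """Constructed credential store: username -> hash record. This is what
    belongs in a database or a file outside the web root, never in a
    passwd.txt that the web server can serve."""
    return {name: hash_password(pw) for name, pw in users}


if __name__ == "__main__":
    # Constructed sample users
    store = build_store([("alice", "correct horse"), ("bob", "correct horse")])
    for name, record in store.items():
        print(name, record[:60] + "...")
    print("alice ok:", verify_password(store["alice"], "correct horse"))
    print("alice wrong:", verify_password(store["alice"], "battery staple"))
```

Note that the two sample users share a password yet get different records, and that the record carries its own salt and iteration count so the work factor can be raised later without invalidating existing accounts.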

TASK

Describe the general security risks which threaten the integrity of data.

Laws and guidelines

Data Protection Act (1998).

Copyright, Designs and Patents Act (1988)

Disability Discrimination Act (1995).

Data Protection Act (1998).

Protects personal information

Information Commissioner

8 principles

Do not allow data to be passed outside the EU, other than to a country with laws equivalent to the EU's

Copyright, Designs and Patents Act (1988)

Copyright – protection of intellectual property

©

Disability Discrimination Act (1995).

Must provide accessibility for your website

Task

Define the laws and guidelines which various types of website must conform to.