Website Security What you need to know.

What you need to know about website security


Page 1: What you need to know about website security


Page 2

Example of hacked website

Page 3

If your website runs on Joomla, Drupal or CiviCRM, then your site is at risk of being hacked.

Joomla, Drupal and CiviCRM developers often release security patches, which fix security vulnerabilities with their software.

Your website (its code) needs to be patched regularly with security updates, just like your computer, in combination with other strategies, to keep it secure.

How did this happen?

Page 4

A software vulnerability allows an attacker to:

- Execute commands as another user.
- Access data contrary to the specified access restrictions for that data.
- Pose as another entity.
- Conduct a denial of service.
- Conduct information gathering activities.
- Hide activities. The Google search shows an example of an attacker hiding links in your site that redirect your users to their website!

A vulnerability also includes a capability that behaves as expected, but can be easily compromised.

What is a software vulnerability?

Page 5

1. User Logs In
The user enters ' OR 1=1 # as the username (and leaves the password blank).

2. Login Code
The developer’s code to check logins:

$check = mysql_query("SELECT Username, Password, UserLevel FROM Users WHERE Username = '".$_POST['username']."' and Password = '".$_POST['password']."'");

3. What Actually Executes

SELECT Username, Password, UserLevel FROM Users WHERE Username = '' OR 1=1 #' and Password = ''

4. The Result?
# starts a comment in MySQL, so everything after it is ignored, and 1=1 is always TRUE. Thus, the login code returns all users, and logs in the first user in the database (typically an admin user).

A software vulnerability example
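As an added example (not part of the original deck), the same login check rewritten in Python against an in-memory SQLite table, with the deck's string-built query beside a parameterized one. The users and table are constructed sample data; SQLite comments start with `--` rather than MySQL's `#`, so the deck's payload is adapted accordingly.

```python
import sqlite3

# Constructed sample data (not from the deck): one admin and one ordinary user.
# Plain-text passwords are kept only to mirror the deck's login code; real systems hash them.
USERS = [("admin", "s3cret", 3), ("alice", "hunter2", 1)]


def make_db():
    """Build the in-memory Users table the deck's query runs against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT, UserLevel INTEGER)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Mirrors the deck's PHP: user input is pasted straight into the SQL string.
    Returns the username of the first matching row, i.e. who gets logged in."""
    sql = ("SELECT Username, Password, UserLevel FROM Users WHERE Username = '"
           + username + "' and Password = '" + password + "'")
    rows = conn.execute(sql).fetchall()
    return rows[0][0] if rows else None


def login_parameterized(conn, username, password):
    """Hardened form: placeholders keep the input as data, never as SQL syntax."""
    sql = ("SELECT Username, Password, UserLevel FROM Users "
           "WHERE Username = ? and Password = ?")
    rows = conn.execute(sql, (username, password)).fetchall()
    return rows[0][0] if rows else None


if __name__ == "__main__":
    db = make_db()
    # SQLite's comment marker is "--", so the deck's "' OR 1=1 #" becomes "' OR 1=1 -- ".
    payload = "' OR 1=1 -- "
    print(login_vulnerable(db, payload, ""))      # admin: every row matched, first one wins
    print(login_parameterized(db, payload, ""))   # None: no user is literally named that
    print(login_parameterized(db, "alice", "hunter2"))  # alice: normal logins still work
```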

Page 6

Mitigation Strategies

Source: Australian Government Department of Defence 2013

Page 7

The Open Web Application Security Project (owasp.org) is a community dedicated to enabling organisations to develop, purchase and maintain applications that can be trusted.

1. Injection - i.e. the login example.
2. Cross Site Scripting.
3. Broken Authentication and Session Management.
4. Insecure Direct Object References.
5. Cross-site Request Forgery.
6. Security Misconfiguration - e.g. ensure users have appropriate access.
7. Insecure Cryptographic Storage - e.g. don’t store sensitive information without appropriate encryption.
8. Failure to restrict URLs - e.g. ensure sensitive information requires login.
9. Insufficient Transport Layer Protection (no SSL when required) - e.g. use an SSL certificate when appropriate.
10. Unvalidated Redirects and Forwards.

When you host with us, we install tools that proactively protect your site for added security.

OWASP Top 10 Risks

Page 8

1. Use maintained website platforms and modules. Use well known software and modules that don’t feature regularly on the Joomla and Drupal vulnerable extensions lists:

https://drupal.org/security
http://docs.joomla.org/Vulnerable_Extensions_List

2. Don’t use Joomla 1.5 or Drupal 6! If you have a Joomla v1.5 site or Drupal v6 site, contact Energetica about upgrading your site. There are many known security vulnerabilities with these versions and we recommend not using them in production.

3. Apply Security Updates when released. We can proactively update core Drupal, CiviCRM and Joomla versions when security updates are released as part of our support packages.

4. Limit administration privileges. Perform regular audits of users and their access.

5. Patch the OS. We routinely patch our web hosting servers with the latest security updates.

Prevention better than cure

Page 9

Go to www.unmaskparasites.com and enter your website. Check that the links shown are ones you expect or know!

The example shows Energetica’s website. All of the links returned are valid for us.

If you are unsure of the results of your scan, discuss them with us.

If your site has been hacked, Energetica can remove the hack and help prevent it from happening again.

Free Quick Check