Tag Archives: web

The great web developer con

Another day, another dodgy web developer story. The premise:

We would like to offer you a website design for X amount. But to do so, we need to transfer your domain to us.

This tale is a pretty old one but it appears to be flourishing – the lure of a good once-off price for the design and what appears to be a reasonable monthly charge leads many to take up offers like these. But are these actually good offers? Let’s dissect this …

The web developer (let’s call them web devs from now on) is offering 2 products here:

  • website design
  • website hosting

The first is up to the client to determine whether they are getting reasonable value.

The 2nd is where we run into trouble, and for a number of reasons:

  1. web development is the core focus for web developers; web hosting is not
  2. many web development companies either subcontract the hosting to someone else or do it themselves on cheap shared hosting systems and then mark up the cost to the client
  3. web devs are generally neither skilled in nor experienced with hosting – any issues and you are on your own
  4. run-of-the-mill web devs have little to no security skills
    • the platforms they use may be unsecured or have vulnerabilities
    • they do not offer an update service for your site or plugins
    • they do not scan your website for security issues
  5. web devs often have no care for email but will transfer your domain nonetheless leaving your email in limbo
  6. web devs do not understand site backup and recovery so if you have an issue with your site and need to restore it to a previous copy, you may be in trouble
  7. some web devs lock you into contracts – if you aren’t happy with their hosting, you just have to grin and bear it

Unfortunately, many clients don’t understand the relationship between web development and hosting, the 2 being very different things. They sound the same but require 2 very different skill sets, and the latter is one that web devs generally do not have.

As an example, if a web dev transfers your domain, they may not do the email hosting at all, or if they do, they may not migrate existing email from your old hosting provider. This leaves you managing, and paying for, 2 disparate systems.

Some web devs even go so far as to offer free web hosting. You get what you pay (or don’t pay) for.

The core premise of the requirement to transfer your domain is false. There is generally no specific requirement to move your domain – the web dev can design your website and place it with your existing hosting provider.

You then retain your website and email hosting as is, and save on hosting charges (as would have been paid to the web dev had you moved the domain).

Be careful and circumspect when approached by web devs who want to transfer your domain – it’s generally not required, you’ll likely get a poor and insecure service, and you’ll end up paying more.

Here follows some more reading on the subject:

Heartbleed SSL attack

The latest SSL attack in the form of Heartbleed ( ref. CVE-2014-0160 ) has burst onto the scene in the last 24 hours with a bang. Effectively, Heartbleed is a weakness in OpenSSL that allows the theft of information that is, under normal circumstances, protected by SSL/TLS. It allows the memory of affected systems to be read and information extracted ( including passwords and other sensitive information ), and it also allows the keys ( both public and private ) used on those systems to be compromised.

The solution is to upgrade to the latest version of OpenSSL ( 1.0.1g ) – however, that alone may not be enough. If your site was compromised previously, there would be no trace of that attack, and your keys may already be compromised. So you may need to regenerate private and public keys for these systems.

Analysis:

The media coverage of this is extensive, and to be fair, this is a very serious issue. However, we need to consider what the attack surface is. And in my own testing, the attack surface is low to non-existent – every single client of mine that I’ve tested does not have a vulnerable implementation of OpenSSL or is not using the SSL Heartbeat extension ( this may be simply because I stick to 2 Linux distros alone ). Is this issue being blown out of proportion? I can’t talk for others but my own experience says yes.

That’s not to say you should not be vigilant – as a security professional, it’s always best to err on the side of caution. Prevention is better than cure …

There are a number of tools available for testing purposes as well as online SSL checkers like those from Qualys and Comodo. Test and make sure you’re covered.
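As an added example (not the post's own code, nor any tool's), here is a small POSIX shell helper that classifies an `openssl version` string against the Heartbleed-affected range and, separately, checks whether a server advertises the heartbeat extension at all; the function names and the sample version strings are my own, constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an "openssl version" string against the
# CVE-2014-0160 affected range.
# Affected: OpenSSL 1.0.1 through 1.0.1f, and 1.0.2-beta1. Fixed in 1.0.1g.
# The 0.9.8 and 1.0.0 branches never shipped the heartbeat bug.
# CAVEAT: distributions backport fixes without bumping the version string,
# so "vulnerable" here means "check the vendor advisory / package changelog",
# not "definitely exploitable".
heartbleed_version_status() {
    # $1 is the full output of `openssl version`,
    # e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013" (constructed sample)
    set -- $1          # word-split: $2 is now the bare version token
    ver=$2
    case "$ver" in
        1.0.1|1.0.1[a-f]*) echo vulnerable ;;
        1.0.2-beta1)       echo vulnerable ;;
        1.0.1[g-z]*)       echo fixed ;;
        1.0.2*)            echo fixed ;;
        0.9.*|1.0.0*)      echo unaffected ;;
        *)                 echo unknown ;;
    esac
}

# Does a remote server even negotiate the TLS heartbeat extension?
# A server that does not advertise it is not exposed regardless of version.
# Network check: hypothetical helper, not exercised by the offline test.
server_advertises_heartbeat() {
    # $1 host, $2 port; -tlsextdebug prints extensions seen in the ServerHello
    printf '' | openssl s_client -connect "$1:$2" -tlsextdebug 2>&1 \
        | grep -qi 'heartbeat'
}

# Convenience wrapper for the local build.
check_local_openssl() {
    heartbleed_version_status "$(openssl version)"
}
```

A "fixed" or "unaffected" verdict from the version string still deserves a second look when the binary was built from a patched distro package, which is exactly why the heartbeat-extension check is kept separate.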

UPDATE: The guys who wrote masscan scanned the entire internet today and released some interesting numbers on vulnerable systems: approximately 600,000 out of ~ 28 million SSL-enabled servers. That’s 2.1% … not an entirely significant number, but still a big issue depending on which sites are vulnerable.

There have been a lot of calls in the media for users of websites to change passwords. Make sure though that you change your password AFTER the affected site has been sorted out, otherwise you’re just perpetuating the issue.

Mobile Security in a nutshell

Mobile security has morphed in the last few years to become a major area of security concern. It’s no longer just laptops that provide on-the-go networked computing – smartphones, tablets, ultra-portables, e-readers and other networked devices now all vie for a space in your electronic arsenal, and they all come with their own unique set of security concerns, specifically because of their mobile nature. The continual and rapid improvement in mobile device size, intelligence and computing power means that these devices can match the abilities of full-blown desktops and laptops, with an ease of use that, along with their mobile nature, introduces new security threats.

Security standards are nowhere more important than in this area, due to the increased security requirements, disconnected-use pattern and more volatile threat landscape. There are some basic procedures that can be followed to mitigate the increased risks from mobile devices:

  • make sure you have a company-wide security policy for mobile devices
  • use risk assessment regularly to pick up on changing security trends
  • provide training to your users and employees, and increase security awareness

Data types on these devices that can be compromised include email, images/videos/sound bites, contact information, static data/documents, authentication information, calendaring info and other. Tailor your security policies to the type of information that is contained in the mobile devices that are used within the organisation.

Deployment and use

  • make sure mobile devices are patched regularly with the latest vendor-supplied updates
  • disable or remove unnecessary features and services on mobile devices
  • make use of user authentication, encryption and/or VPNs to transmit critical information

Maintain security on mobile devices

  • reduce exposure of sensitive data ( e.g. use password database applications, encrypt sensitive data )
  • maintain physical control over mobile devices
  • backup data regularly
  • use non-cellular connection options only when required
  • report compromised devices
  • enable additional software such as tracking, anti-virus or anti-malware applications
  • control use of electronic wallets
  • use 2-factor authentication

Centralised security management is a good option as it provides easy control over your mobile devices. Not all devices will support this though so it’s important to look at the enterprise capabilities of mobile devices before purchasing them. The depth of these capabilities will determine the control you have over these devices and the level of exposure they subsequently exhibit.

Areas of importance include:

  • policy control
  • remote password reset or data wipe
  • remote locking
  • network access control
  • camera, microphone and removable media controls
  • remote update capabilities

Policies, standards and procedures are needed to bring a certain level of security to the use of mobile devices within the modern organisation. Without these, mobile devices can become a security nightmare with data loss/compromise, identity theft and company network intrusion being real possibilities.

Take care.

A new search engine? – Cuil

Cuil was launched earlier this week and hailed ( by its founder, nonetheless ) as having indexed more than triple the amount of information of its supposed closest rival, Google. Unfortunately, the first day saw porn results being returned for non-pornography-related queries – apparently as a result of high load on the quantum computing-based search engine.

In other news concerning Cuil, one of its new employees spills the beans on the Silicon Valley lifestyle ( courtesy of TheReg ) that pervades Cuil.