Always Get Better

Posts Tagged ‘security’

5 Ways to Keep Your Web Server Secure

Tuesday, September 19th, 2017

Equifax recently revealed that they were hacked and exposed the personal information of over 143 million people. You may not be sitting on such identity-theft rich material, but keeping your server secure is absolutely a must for any business. Fortunately it really isn’t very hard to achieve and maintain a decent level of protection.

1. Hire a Competent Developer

Cloud computing makes web servers super accessible to everyone; unfortunately that means it’s really easy  to get a website running and get a false sense of security thinking everything is right when it’s not. A lot of developers claim they can do it all for you when all the really know is how to install Apache but not how to lock it down.

A good giveaway is: If your developer can’t get by without using a gui tool or web interface to set up and administer the website, they don’t have any business on your server. These are great tools for setting up local development environment but they take shortcuts to make things more convenient for the user – not to improve security.

So if your guy doesn’t have deep command line knowledge and the ability to work without these tools, fine. He’s still a great developer, he can build  you a secure website following all the security best practices. He just doesn’t have any business touching your web server; have someone else set up the “live” environment.

2. Lock Down Ports

When you’re setting up a web server, lots of supporting programs get started that don’t directly affect your website. Things like email, ICMP, DNS, time and DHCP are important to keep the system running but have no business leaving the local network. Everything that you don’t absolutely need to access should be locked down. No access except from inside the server.

Web services like Apache and nginx are specifically designed to prevent people from using them as attack vectors to control your system, and they get compromised routinely. MySQL has no chance at all – don’t open it to the outside world… ever.

3. Separate Database Servers

It’s super common to find database servers improperly configured so they become a major security hole. On MySQL, most people don’t know to add users better than “GRANT ALL PRIVILEGES ON x.* TO y@z;”. Since the SQL server itself is often running with elevated system access, it only takes a single unsecured query to let people create files wherever they want on your server.

The easiest way to prevent this from affecting your websites is to move SQL to another server. Not only do you get the bonus of having a machine configured exclusively for web work and another exclusively for DB work, but bad things happening on one won’t mean bad things happening on the other.

4. Keep Up With Software Patches

If you want to keep your server secure, keep it updated right away when vendors release updates for their software.

In a world full of zero-day exploits, any software with a security update is definitely a risk. Maybe even part of a malware package being sold in some dark corner of the Internet.

Don’t be a victim, keep your server secure by keeping it up to date.

5. Enforce User Permissions

One of the most compelling reasons to use Linux traditionally has been the strong separation between services using user permissions. Even Windows Server supports it these days.

If you’re using PHP, don’t use Apache’s modphp, use php-fpm. Set up your pools to give each website its own user. Again it’s all about compartmentalization. Bad things will happen and a good sysadmin makes sure the damage done by those bad things gets contained to a small area.

BONUS #6: Keep Your Server Secure by Never Logging In

Never allow yourself or anyone else to log into the web server.

There’s no reason for it. If you need to deploy a website update, use a CI tool like Jenkins. If you got rooted, trash the server and launch a new one.

People make mistakes, people forget about config changes, people can’t be trusted. You don’t need to worry about password scheme, RSA keys, iptables goofs or any of a million common problems if you just acknowledge the human risk factor and remove it from the equation.

When we move to programmed servers, we make it easier to bring new people on board, faster to verify and test new software versions, more repeatable in the case of a data failure, and more secure across our entire network. Don’t make humans do the work of computers, automate all the things!

Malware in the iTunes Store – 500M Users Affected

Thursday, November 12th, 2015

Malware found in Xcode (xcode-ghost)People rely on their app stores to provide safe and high quality software for their phones and tablets. With iTunes in particular, we trust Apple’s strict review standards will raise the bar for quality and protect us from the shady apps and trojans we might find on file sharing services and third party app stores. What happens when that trust is misplaced?

A bunch of popular apps on Apple’s App store shipped with malware in September. “Popular”, of course, refers to app used by more than 500 million iPhone users primarily in China where the malware originated. Some apps, like WeChat, are also used in the west but by-and-large the affected programs are names written in hanzi most of my readers would not be able to pronounce let alone install to their devices.

What does the malware do?

First off, what can you expect to happen if your phone gets infected?

This post from MacRumours summarizes things pretty well, but the highlights are:

  • Sends device information, phone number and ID to C2 (command-and-control) servers
  • Fake system alerts phishing for passwords
  • Access clipboard (including stealing secrets from your password manager)
  • Hijack URL opening

We’re not talking about phone-takeover threat levels, which is a testament to the sandboxed environment apps run in. These functions are available to pretty much any developer — you’re not supposed to use the device ID but you can get it if you want it.

How Did Malware Get On the App Store?

The first thing that most people are asking is: how did this happen? With Apple’s notoriously stringent app review process, how did apps with this vulnerability get through?

As it turns out, developers chose to download updated versions of XCode from file sharing networks rather than directly from Apple. XCode is a huge download (larger than 3Gb) so downloading directly from Apple can take a long time. In order to save time these developers thought it would be a good idea to trust an unsigned version rather than the one from Apple.

How Did Malware Get Through the Walled Garden’s Gates?

But what about the review process? The UUID-gathering portion alone should have been enough to trigger warning flags, right?

Not so, according to people who know.

Although the App Store performs a cursory check of submitted apps for private API usage, the XCodeGhost files were added as a dynamically loaded bundle to the compiled app bundle — in other words, not subject to the code scanning… pretty sneaky.

How to Protect Yourself

How can you protect yourself when the store you rely on for your apps is poisoned?

Not much. Other than inspecting every single network connection there are not a lot of things you can do to detect this kind of activity on your device.

Installing app updates as they become available is the best thing you can do for your phone. Although an attack on this scale was made possible by the single-provider model of the App Store, it’s also true that having the App Store as the centre of the ecosystem is the best way to quickly push out fixes for problematic apps as they are discovered.

Surviving Cloud Failures

Saturday, April 23rd, 2011
Fixed
Creative Commons License photo credit: Don Fulano

Amazon is in the news today for the failure their Elastic Block Storage (EBS) service suffered, resulting in loss of service and/or extreme latency for hundreds of sites including some of their largest customers like Foursquare and reddit. AWS has been widely regarded as the most stable and overall leader of the cloud providers, so it was a great shock to many observers that they were able to suffer such a large failure.

I think the failure is not surprising, but rather the fact that it hasn’t happened before now is surprising. It underscores my message that cloud computing is not magical but is in fact an abstraction over very real hardware. There are bound to be flaws and issues just as with “real” hosting options, the difference is the end customer has less control over the hardware, hosting and networking environment.

Not every business can afford the overhead of a large dedicated solution, so what to do?

Spread the Load
The key is redundancy. Start by spreading your content across the internet rather than relying on single server to cough up all of your visitors’ needs. Things like content delivery networks (CDNs) will reduce the incoming load on the server and help it stay online.

How can we tell if a website is offloading the right amount of content? Perform regular speed testing and identify problem areas using tools like YSlow.

Redundancy! Eliminate Single Points of Failure
Whenever you have a single system servicing part of your application, you expose the entire application to failure.

For example, suppose you have four Apache servers and a load balancer sending equal traffic to each. If one of the Apache servers fails, the other three are able to compensate for the loss with no downtime for your visitors. But what happens if the load balancer fails? Even though all four web servers are in fine working order, your site is knocked offline.

Some systems are difficult to cluster: replication schemes in the various SQL servers are a huge drain on performance – newer solutions like MySQL Cluster or DrizzleDB aim to solve this problem, but at extra expense in terms of configuration and application design.

The key to successful redundancy is in scripting your software in such a way that failures can be recovered from fast and automatically. Having a hot spare in the group isn’t useful if you need to reach an administrator at 4am to activate – by that point you’ve already lost your overseas customers for the day.

Twilio has an excellent summary of the engineering process that goes into creating a scalable cloud-ready infrastructure.

Avoid the Cloud? Never
Despite some public failures, cloud computing has not suffered any kind of blow. Large organizations will always want their own private non-cloud hosting, small sites will always be looking for an inexpensive VWS. The middle-tier which is serviced by the cloud will continue to see cost savings that greatly outweigh any physical hosting options available at that level.

Because of the low server cost, cloud computing allows smart customers the freedom to build necessary redundancy without breaking the bank. Even though this pays off big time when catastrophic failures happen, there are longer term benefits of improved overall response times to the end users even when the hosting is working well.

How to Win at Work

Sunday, April 17th, 2011

It isn’t really hard to do well in a job; you just have to apply yourself and put the work first. Just like during the interview, your boss or employer’s motivation is not to give you a hard time or to make your life difficult; all they really want is to get the work done and make money.

A lot of employees seem to approach their job the same way they approached high school: as an institution with fixed rules and authority figures. In this mindset, the best way to succeed is by doing what the teacher (boss) dictates to the minimum acceptable level. Over time, it is possible to rise to the top on the merits of “years of good service”.

Let’s be honest with ourselves: there is surely a more fulfilling way to spend the majority of our day.

Fail Fast
If we look at the best, most successful entrepreneurs, we’ll find a list of failed companies leading up to their home run enterprise. Good entrepreneurs know that there is no secret to success – it is necessary to keep trying and learning from failures until we finally reach our goals. The best thing we can learn is to fail fast so we can move on to success faster.

This flies in the face of the ordinary way of thinking which is to avoid failure. Failure hurts, but if we can learn to accept it, we can open the way to more resounding success.

Do It On Your Own Time
Your boss does not care about your personal growth. As a programmer, the company is not obligated to teach you the newest programming technology. The company is interested in turning a profit, and in order to afford to pay an employee, they need to earn several times the cost of that employee in order to maintain profitability.

So how do you get new skills and remain relevant in a changing work environment? You need to study and learn, especially during your free time. Not sure what you should be studying? Read job boards – you will get a feeling for what is trending and what skills are in demand. You don’t have to be job seeking, but having a polished resume and portfolio will keep your mind sharp and improve the quality of work you already deliver.

Make the Boss Look Good
While you’re busy learning all your new languages and technologies, the boss is responsible for making sure work gets done and that profits are earned for their boss. So what’s the best way to get bumped up in line for that next promotion? Make your boss look good.

If you are pulling your weight plus more, your boss will look more effective, which will raise everybody’s boat. The best way to get noticed is by being responsible for everyone’s success. But wait – didn’t we say to embrace failure? By failing early and fast, we set ourselves up for our greatest successes. Don’t settle for status quo – always get better.

Backup Through Time

Friday, April 15th, 2011

No matter what I do, I never feel fully covered against a disastrous data loss. Despite paranoid backup strategies across many different kinds of media, there is always something missing. I haven’t h ad a hard drive failure yet, but I know it’s a matter of when, not if, it will happen.

If you haven’t had a chance to check out Apple’s Time Machine, you need to do yourself a favour and look it up right now. Time Machine is an incredibly well-put together backup package that automatically saves snapshots of your entire hard drive. Because of the HFS filesystem’s ability to link directories as well as files, Time Machine is able to track incremental changes against your file tree so you can move forward and backwards through time in the history of your computer. A single saved file that you might have lost is now accessible to you regardless of your regular backup regime.

I run my Time Machine from a USB hard drive. A solid state drive would probably be a better choice because if it were to fail the data would still be readable, but my USB drives gives me a conveniently small backup media and extremely fast access speeds – I’m happy with this setup and haven’t lost any data yet. Because time machine copies my entire system and keeps a version of my computer through time, I feel confident that if either my computer’s hard drive or my USB drive were to fail, I would not suffer any long term data loss.

What are your backup rituals?

What is PictureFreakz?

Wednesday, May 20th, 2009

Did you get an MSN message that looks like this?

YourFriend@hotmail.com says (2:26 PM):
http://PictureFreakz.com/?user=yourmsnname&image=DSC00567.JPG ?!?

… HAHAHA!!

Be careful – this is a scam site that invites you to enter your login information and password – then uses it to rope in your contacts with similar messages sent from your account.

Ontario Government Builds Rural Internet Infrastructure

Wednesday, December 3rd, 2008

The Ontario government has a program designed to provide funding for the purposes of building broadband internet infrastructure in rural communities. The Rural Connections Broadband Program has earmarked millions of dollars to build new infrastructure, which will bring high-speed Internet to communities where low population densities preclude the construction of more traditional networks (such as cable).

This is great for users who, until now, have only been able to dream about leaving dial-up behind and joining the rest of the world.  Unfortunately, the solution to rural internet involves either unreliable satellite installations, or line-of-site cellular towers.

I can say from experience that the line-of-site towers work great but they are only able to service a limited number of users.  Service providers don’t want to admit they are over-selling their towers resulting in dropped connections and complete outages for their subscribers.  Trees are another problem; much of rural Ontario exists within bushland, so unless homeowners are willing to shell out for 90-foot towers on their home, they still may not get to count on their Internet.

Although, I will admit, the cost of a tower would be far less than the cost of laying underground cable.