What is the solution to overcome security (hacking/virus attacks) to the start-up job portal?
I run a start-up beta job portal which is hosted at 1and1.com on one of their server web hosting packages.
Of late we have a problem where the user is warned of a malware being downloaded into the system if the site is accessed. The warning comes from Google.
The hosting service provider says they can't do anything. Is the site hacked? My developer too seems to be in a fix... any solutions?
For a portal which anticipates more than 10000 visitors shortly, is it advisable to continue hosting on the shared server? What is the best solution? Is it in dedicated servers, VPS, etc.? Will that make a difference? Any solutions? Please help.
Kathirvel N
kathirvel.natarajan@gmail.com
Answers (5)
The solution is simple: hire a professional who knows about PHP injection, SQL injection, Cross Site Scripting, brute force password cracking and stealing passwords from places like Total Commander. It is impossible here to write about every aspect of those attack types. Your problem needs a human being dedicated to the problem, not a social networking site speaking about the problem.
As already pointed out by Marcin, you need to take care of:
1. Cross site scripting
2. SQL injection
3. Secure password transmission
4. Limit amount of data which users can upload to site
5. Prohibit automated tools to create account in your system or upload data
6. Implement user verification
Maybe more...
Mike T
CISSP, CSSLP, MCITP, Seasoned web application architect and developer
If you're truly looking at 10,000 users, you really should spring for a dedicated server. Most hosting companies have dedicated servers in the $100 per month range. With 10,000 users, you should be able to squeeze $1,200 per year for hosting.
Regarding your malware warning, you will need help. Someone who knows what the OWASP Top Ten is is a good start. You might also look at stopbadware.org to figure out why your site got flagged.
Hi Kathirvel
Posted a blog entry on the subject this morning.
The FAQ at Google’s webmaster/site owner help explains how to make sure that your site is removed from their blacklist. The following is a summary of what needs to be done:
1. Fix the problem
2. Request a malware review: this involves logging into Google’s webmaster tools, selecting your victim site and asking for a review
The article gives suggestions on fixing the problem and explains the situation for the webmaster / website owner.
J O
Senior Security Architect/Engineer at E-Fensive Security Strategies
For starters, you should have your programmers double check their coding practices. Good programming is definitely key in ensuring that no one is going to circumvent the programs/functions of your site. Think about it, without any bugs in their coding, the less likely someone is going to be able to pull off any type of compromise (CSRF, XSS, etc.) but it won't stop attackers from the social engineering vectors.
So the malware threat warnings from Google. This sounds to me like a "malicious file execution" of sorts coming from your site. Let's (without Googling) think about this for a minute. "Why would Google think my site is dishing out malware?" Because in some shape, form or fashion it is. Do you have any kind of file uploading going on? Something on your site is being pushed somewhere that Google deems it as a threat - enough for them to flag it. So how do you mitigate against this? Well, you could take the file integrity route (Tripwire, SAMHAIN, etc.) or the WAF (Web Application Firewall) route (mod_security). This is a broad question considering there are plenty of methods to fix this; however, you (or your engineers) need to start from the ground up...
Document what it is your website does and take a look at how it does it.
Document vulnerabilities based on known issues associated with what you're using (framework) - What are you using? Do vulnerabilities exist, if so am I vulnerable to it?
Once you get the framework going, it becomes easier to see which route you have to go to isolate issues. Before wasting time and money on any tools or service, try understanding what you're trying to accomplish first. This will help you understand exactly what you need to do to secure your site regardless of you hosting it, or looking to someone else to host it for you.
Secondly, I'm not and have never been a fan of hosting providers. Your security is at their discretion. If you're looking to base your business on a "machine", regardless if it's in the cloud or local to your infrastructure, no one will secure it or place as heavy an emphasis on security as you should. So keep that in mind. As for others who took the time to suggest tools, I suggest you read the following rambling: "Monkeys and Pentesters" (linked)