
Web security Part 1: How safe is your site?

by
25th Apr 2005

Website integrity is often overlooked by companies - but that's not the case for hackers, warns security expert Stewart Twynham of Bawden Quinn. With new rules due for online shops, he begins a three-part series on the whys and hows of web security.

Problem? What problem?
In April 2005, LexisNexis acknowledged that over 310,000 people may have had their identities and/or other personal information stolen from their US website. Investigations have revealed up to 59 separate incidents of 'fraudulent activity'. If a large corporation can get things so wrong, what about the rest of us?

As a security consultant, barely a week went by in 2004 when I didn't contact a company to warn of a serious flaw in their website. A random Net search for something mundane for the house, baby or cat invariably produces a list of small to medium sized manufacturers, retailers, distributors or importers, each with a website. Many of these take personal information or credit card details, or ask me to register via the Web, and most of them can be broken into in seconds with knowledge that's easily found on Google.

Research carried out in 2003 revealed that 97% of commercial sites had some form of security or privacy problem, a figure that is little changed today. And while new rules due to be enforced by credit card companies will require better security of websites as of 30th June 2005, they only apply to the larger sites that make in excess of 20,000 credit card transactions a year.

So why is the problem so big and how do you put things right? Well, there are actually three problems...

A. Hacking is easy and relatively risk-free
Make no mistake about it: I could teach anyone some simple hacking steps in around thirty seconds. If I didn't have thirty seconds, I could simply point them towards Google, which currently lists over 13 million pages containing the word 'hacking'.

On the whole, no equipment is needed: most website exploits simply require a web browser such as Internet Explorer or Firefox. We once demonstrated to a client that we could break into their website using the tiny Web browser built into my mobile phone, which in itself could make a genuine hacking attack extremely difficult to trace.

And, of course, unless you are stupid enough to try to break into Barclays, you probably won't ever get caught. XYZ Widgets Ltd with a simple web shop is unlikely to be taking adequate logs, carrying out regular audits or have access to a crack team of IT forensic experts, so they won't even know that they've been compromised unless one of their customers figures it out. The chances are this will be some months after the original attack (usually when the credit card bill arrives), by which time most logs which might have helped to track down the offender will have long since been deleted.

B. Web Designers are not security experts
When it comes to designing and laying out graphics, your web designers will rightly be experts. But when it comes to designing and building secure websites, they cannot be expected to have that knowledge.

Typically, when faced with the need to provide a secure login area, customer registration form, credit card facility or forum, a web designer will either find an example on the Internet they can copy or buy a commercially available solution.

Many will choose to go the cheaper route, but without the skills to develop or truly understand the code they are using, there is no guarantee that what they are using is safe. And on the whole it isn't. The Internet is full of keen amateurs, and even code from reputable sources is often simplified for ease of explanation, without many of the lengthy checks and balances a 'real life' application would require.

Even when the commercial option is chosen, there is growing evidence that software houses are reluctant to concede security problems in their code, and even when they do, there is often no mechanism to ensure that old versions, which could be scattered across thousands of websites, are kept up to date.

C. Businesses don't take security seriously
This may seem a bold statement to make, but I have contacted dozens of companies to warn them about their websites, and in every single case the result was exactly the same. Nothing. Not a sausage. Nowt. No acknowledgement, and no-one ever bothers to fix the problem.

On the whole, we receive a frosty reception from anyone we talk to about security. Website and IT security, it seems, is on a par with male sexual dysfunction: no-one we speak to ever wants to admit they have a problem!

On the rare occasions somebody does take it seriously, they will of course simply pass the information on to their web designers, who, as we've already discussed, are ill-equipped to understand, let alone repair, the problem. So nothing gets fixed.

The trouble is, security does matter. How exactly will you word that letter to all of your customers, explaining how their personal details have just appeared on Google? How do you think your bank will react to hundreds or even thousands of credit card details going missing?

We're not just talking about a little bad PR or a few lost customers: from 30 June your bank could simply demand full compensation for all of their losses, potentially running into millions of pounds. You have been warned!

Coming soon
The next instalment of Stewart Twynham's website security series will give a layman's guide to what hackers can really do with your website, and some of the very simple techniques they use. The article will explain how newer technologies such as Microsoft's ASP.net can help in the fight against the hacker, but only if your developer knows what they are doing. Part three will discuss the commercial decisions you will need to make to secure your business, from carrying out a risk assessment to getting your site properly tested.

Stewart C. Twynham MBCS MIEE
© Bawden Quinn Associates Ltd, 2005

Replies (2)

By becki_i
26th Apr 2005 14:46

New Legislation
Interesting...

Could you let me have some details of the new legislation or any web links that could send me to somewhere that could provide technical details?

No joy on Google or HMSO.

Kind regards

Becki

By Stewart Twynham
26th Apr 2005 20:36

PCI Data Security Standard
The information you need is the Payment Card Industry (PCI) Data Security Standard.

This is a roll-up of all the programmes run by all card providers (e.g. in Europe, Visa's programme was originally known as AIS (Account Information Security), in the USA as CISP, and by other names globally).

It applies to all card providers worldwide.

Visa has a good page which summarises all the requirements plus has a link to the standard. All other providers and most banks have similar pages, but like this one they may be somewhat buried!

www.visaeurope.com/acceptingvisa/securitystandards.html

The PCI standard is actually a very good document. Normally these kinds of standards are very woolly and years out of date, written by committees with little or no technical knowledge. This one actually covers most of the risks pretty succinctly, and is well worth reading!

www.visaeurope.com/acceptingvisa/PCIDataSecurityStandard.pdf

Here is a Mastercard International link as well:

https://sdp.mastercardintl.com/

Hope this helps,

Kind regards,

Stewart Twynham
[email protected]
