Thursday, March 20, 2008

Doing Website Development or Browsing Internet - Ensure these Internet Security Measures


After hearing today that a virus had been reported on two more websites we built, I decided to finally spend some time figuring out what we can seriously do about it. We have been receiving complaints from our clients (our own site, cxx, mxx, lxx, txx, bxx and ixx), and two things are behind them: our own computers are infected with malware (malicious software), and our programming approach does not follow secure programming guidelines closely enough. Details follow:


Common attacks on websites (these are vulnerability classes rather than viruses; the malware is what gets planted once one of them succeeds):
1. Cross-site scripting (XSS) http://en.wikipedia.org/wiki/Cross_site_scripting
2. Cross-site request forgery (XSRF) http://en.wikipedia.org/wiki/Cross-site_request_forgery
3. SQL injection http://en.wikipedia.org/wiki/SQL_Injection
4. Buffer overflow http://en.wikipedia.org/wiki/Buffer_Overflow

So far we have mostly suffered from XSS, which in our case shows up as unknown JavaScript inserted into our web pages. It looks like this:

<!-- [ 9a9dad19172063cabfafadfea2351b31 ] -->
<script>
eval(unescape('function%20hvG%28iGl%29%7Bfunction%20igCr ... %255d%2573%2579%27%29%3B'));
</script>
<!-- end -->

In the piece of code above, the three dots ... stand for at least 15 more lines of garbage-looking code of the same kind as the fragments on either side of the dots. The garbage is a URL-encoded, obfuscated script: eval(unescape(...)) decodes the string and runs it as JavaScript in the browser of every visitor who loads the page, and the hash inside the first comment is just a marker the attacker uses to recognise pages already infected.


Number 1 reason the websites we developed fall victim to XSS malware:

We have changed our FTP / hosting passwords multiple times, yet the script keeps getting added to our web pages. File sizes, FTP logs and "file last modified" stamps show no sign of change. That points to the HTML forms on our sites: because of our poor validation (no whitelisting) and other security loopholes, whatever is submitted through a form is stored and later written straight into the page, so the file on disk never changes while every visitor still receives the script. (One caveat: an attacker who has a stolen hosting account or a web shell can also reset timestamps, so the absence of file changes is not proof by itself; comparing the live files against a known-good copy settles it.)


Damage done by XSS malware:

The damage is actually done to the visitors of the website that is under XSS attack. A visitor is sometimes prompted to install an ActiveX control from an unverified publisher; if they accept, their computer can get infected and any passwords stored on it can be stolen.


How can a developer avoid malware / XSS attacks and make a website secure?

Do proper, secure validation of form input using a whitelisting approach (accept only the characters, lengths and values each field legitimately needs and reject everything else, instead of trying to strip out known-bad input), HTML-encode any user-supplied data when it is written back into a page, and follow these guidelines for further help:
1. http://neelneel.blogspot.com/2006/07/how-safe-we-are-from-malicious.html (Very nicely written)
2. http://www.datasprings.com/Resources/ArticlesInformation/SecureProgrammingScriptsInputValidation/tabid/848/language/en-US/Default.aspx (Input Validation Tips)
3. http://msdn2.microsoft.com/en-us/magazine/cc188938(printer).aspx (Microsoft MSDN - Defend Your Code with Top Ten Security Tips Every Developer Must Know)
4. Use CAPTCHAs to keep automated submissions off your forms, and protect state-changing forms against CSRF with per-session tokens. Checking the HTTP Referer header is at most a secondary signal: many browsers and proxies strip it, so do not rely on it alone.
5. NEVER use default passwords such as admin/admin for any backend. Use custom, sufficiently strong passwords.
6. Read and implement the suggestions of the MSDN article above, "Defend Your Code with Top Ten Security Tips Every Developer Must Know" (it is written with Microsoft-based development in mind, but the guidelines apply anywhere; take the equivalent preventive measures on your own platform).
7. If you still suspect that a hacker has accessed your website control panel, admin panel or FTP (although that is not the cause of the website problems discussed here), change those passwords as well and consider making your web pages read-only.
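The following is an added example, not code from the original post or from any of the sites mentioned: it shows what whitelist validation, output encoding and a per-session CSRF token look like for a hypothetical comment form. The field names, the regular expressions and the session dict are assumptions made for the example; the form in your own application will need its own rules.

```python
import hmac
import html
import re
import secrets
from urllib.parse import urlsplit

# Whitelist rules for a hypothetical comment form (field names and patterns
# are assumptions for this example): each field accepts only the characters
# and length it legitimately needs. Anything else, including '<' and '>',
# is rejected outright rather than "cleaned".
FIELD_RULES = {
    "name": re.compile(r"[A-Za-z][A-Za-z .'-]{0,49}"),
    "email": re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})+"),
    "comment": re.compile(r"[A-Za-z0-9 .,!?'()\-\r\n]{1,1000}"),
    "csrf_token": re.compile(r"[0-9a-f]{64}"),
}


def validate_form(fields):
    """Whitelist validation. Unknown fields, missing fields and values that do
    not fully match their pattern are all errors. Returns (accepted, errors)."""
    accepted, errors = {}, []
    for name in fields:
        if name not in FIELD_RULES:
            errors.append(f"unexpected field: {name}")
    for name, rule in FIELD_RULES.items():
        value = fields.get(name, "")
        if rule.fullmatch(value):
            accepted[name] = value
        else:
            errors.append(f"invalid value for {name}")
    return accepted, errors


def render_comment(accepted):
    """Output encoding. Even whitelisted data is HTML-escaped when rendered,
    so loosening a rule later cannot turn stored input into a script."""
    return "<p><b>{}</b>: {}</p>".format(
        html.escape(accepted["name"]), html.escape(accepted["comment"])
    )


def issue_csrf_token(session):
    """Generate a per-session random token to embed in the form as a hidden
    field; the session dict stands in for real server-side session storage."""
    session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def check_csrf(session, fields, referer, site_origin):
    """Accept the submission only if the token matches the session copy
    (constant-time compare). The Referer is a secondary signal: browsers and
    proxies often strip it, so a missing Referer is tolerated, but one
    pointing at a foreign origin is rejected."""
    expected = session.get("csrf_token", "")
    submitted = fields.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    if referer:
        parts = urlsplit(referer)
        if f"{parts.scheme}://{parts.netloc}" != site_origin:
            return False
    return True


def handle_post(session, fields, referer, site_origin="http://www.example.com"):
    """Order matters: CSRF check first, then whitelist validation, then render.
    Returns (rendered_html, errors); rendered_html is None on any failure."""
    if not check_csrf(session, fields, referer, site_origin):
        return None, ["request rejected: bad or missing CSRF token / origin"]
    accepted, errors = validate_form(fields)
    if errors:
        return None, errors
    return render_comment(accepted), []
```

The point of keeping validation and encoding separate is that they defend against different mistakes: the whitelist stops the injected eval(unescape(...)) block from ever being stored, and html.escape on output means that even if a rule is later relaxed (or data arrives from another path), what reaches the visitor's browser is text, not script.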


The website is already infected; what now?

If a website is already infected, restore it from a previous version (if you were sensible enough to keep backups), but before uploading that version make sure that not a single file in it is infected, i.e. that none of them contains the JavaScript shown in the example above. If the script gets in through a form, the stored data (database records) has to be cleaned as well and the form fixed first; otherwise the restored site will simply be reinfected.
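As an added example (not code from the original post), here is a small scanner for the infection quoted earlier: it recognises the marker comment, the eval(unescape(...)) script and the "end" comment as one block, reports every file in a backup or site export that contains it, and can strip the block out. The file-extension list and the sample page are assumptions constructed for the example; the regular expressions are derived from the shape of the injected code shown above and nothing else.

```python
import os
import re

# Signature of the injection shown above: an HTML comment carrying a 32-hex
# marker, a <script> whose body is eval(unescape('...')), then an "end" comment.
# The marker value differs per infection, so it is matched as a pattern.
INJECTION_RE = re.compile(
    r"<!--\s*\[\s*[0-9a-f]{32}\s*\]\s*-->\s*"
    r"<script[^>]*>\s*eval\s*\(\s*unescape\s*\(.*?\)\s*\)\s*;?\s*</script>\s*"
    r"<!--\s*end\s*-->\s*",
    re.IGNORECASE | re.DOTALL,
)

# Looser check: eval(unescape(...)) is almost never written by hand in
# legitimate site code, so flag it even when the marker comments are absent.
SUSPICIOUS_RE = re.compile(r"eval\s*\(\s*unescape\s*\(", re.IGNORECASE)

# File types worth scanning (assumed list; add whatever your site serves).
SCAN_EXT = {".html", ".htm", ".php", ".asp", ".aspx", ".jsp", ".js", ".inc"}

# Constructed sample page, shaped like the infection quoted in the post.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<!-- [ 9a9dad19172063cabfafadfea2351b31 ] -->
<script>
eval(unescape('function%20hvG%28iGl%29%7B%7D%3B'));
</script>
<!-- end -->
<p>Real content.</p>
</body></html>
"""


def find_injections(text):
    """Return the (start, end) spans of every injected block in one file."""
    return [m.span() for m in INJECTION_RE.finditer(text)]


def looks_suspicious(text):
    """True if the file contains eval(unescape(...)) anywhere."""
    return SUSPICIOUS_RE.search(text) is not None


def clean_text(text):
    """Strip every injected block; returns (cleaned_text, blocks_removed)."""
    return INJECTION_RE.subn("", text)


def scan_tree(root):
    """Walk a backup or site export; return {path: (blocks, suspicious)} for
    every file that is infected or merely suspicious. Nothing is modified."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            blocks = len(find_injections(text))
            suspicious = looks_suspicious(text)
            if blocks or suspicious:
                hits[path] = (blocks, suspicious)
    return hits


if __name__ == "__main__":
    import sys
    for path, (blocks, suspicious) in sorted(scan_tree(sys.argv[1]).items()):
        print(f"{path}: {blocks} injected block(s), eval(unescape) present: {suspicious}")
```

Run it against the backup before uploading it (python scanner.py /path/to/backup), and against a dump of any database tables whose content is rendered into pages. A file that is flagged as suspicious but has no marker block deserves a manual look rather than an automatic clean, since the attacker can change the wrapper at any time.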


As an Internet User, how can I browse Safely?

1. DO NOT CLICK on any link / website address that you do not recognise, that points to a strange-looking site, or that is itself unusually long.
2. Use Mozilla Firefox with the "NoScript" add-on. Winner of the "2006 PC World World Class Award", NoScript makes Firefox the safest browser around; it gives much better protection from XSS than IE 7 does. Check it out at
https://addons.mozilla.org/en-US/firefox/addon/722 and start using it. If you are still using IE, disable JavaScript, Java and ActiveX.


As a Computer User (connected to Internet), how can I ensure my computer's safety?

Use Microsoft's 4 simple "Protect Your Computer" steps
http://www.microsoft.com/protect/computer/default.mspx
which are the first four below (the fifth is my own addition):

1. Keep your computer's firewall turned on
2. Keep your system updated (run Windows Update, or set it to run automatically at least once a day)
3. Keep your antivirus software's virus definitions updated
4. Use up-to-date anti-spyware software. Among many options:
i) Microsoft Anti Spyware http://www.antispyware.com/
ii) Microsoft Windows Live OneCare Free PC Safety Scan http://onecare.live.com/site/en-us/default.htm (web-based free scan)
iii) Google "antispyware" for some more free options
5. You may also use an additional firewall such as ZoneAlarm (http://www.download.com/ZoneAlarm-Firewall-Windows-2000-XP-/3000-10435_4-10039884.html), which I have found very effective.

Also check out the very helpful tips at http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Grossman.pdf.


Be safe, happy Website Development, Happy Website Browsing!!! :-)

Friday, March 14, 2008

Software Engineer (Java/J2EE) - Dallas, TX, flexible/part-time

Dear Prospective Candidate,

* A dream career opportunity is knocking at your door: it allows you to grow your career at your own convenience, on your own schedule.

* This career opportunity has come to you from an employer whose primary aim is to take care of its clients and its team members.
* This career opportunity gives you a reward in terms of salary which is most likely comparable or better than your current one.

* This career opportunity has come to you from an employer who is committed to ensuring the protection of your privacy.

What else do you want? Read on...

Title: Software Engineer (Java, J2EE)
Location: Dallas, TX
Industry: Marketing / Communications / Branding / Creative
Contract Type: Contract (Part-time)
Duration: 6 Months+
Work hours: Flexible / 20 hours per week

Number of openings: 1
Experience: 2 to 3 years+ / Mid-level
Start Date: April 01, 2008
Work Authorization: H1, TN, EAD, Green Card, US Citizen
Pay Rate: Open / DOE
Willingness to Travel: No Travel
Telecommute: No

About the Company:
* The client is a Dallas-based, fast-growing marketing communication company that loves to meet and exceed the expectations of its clients and its team members.
* The company has one of the best employee retention rates over the past two decades.

Major Responsibilities:
* The person will be responsible for designing multi-tier, scalable e-commerce and enterprise applications using Java/J2EE technologies.
* The primary responsibilities will include designing, developing and maintaining J2EE applications.
* The individual will also be involved in researching and implementing new tools and technologies to improve the Company's offerings to its clients.
* The candidate needs to have experience using Oracle and SQL Server databases in enterprise application development.


Required Skills:
* JSP
* XML
* SQL
* Struts
* Core Java
* Servlets
* JDBC
* EJB
* The candidate must have excellent communication skills.

Desired Skills:
* Hibernate
* XSL
* XSD
* JAXB
* Java Performance/Memory Management
* JavaScript
* XML

Benefits:
* The new team member will join an existing technology solutions team in a creative fun workplace culture.
* This opening allows the opportunity to learn, grow, and accomplish career goals while allowing a healthy balance between work and personal life.
* The candidate will be working on Java/J2EE based internal applications including a back-office and an e-commerce application
* This opportunity can turn into full-time employment for the right candidate.

How to Apply:
If you are interested and fulfill the specified requirements, please apply online through the link at the bottom, or pass it on to anyone you know who could be a close match for this opening; I would really appreciate that big favor.

Best regards,

Asif
Technical Recruiter
214-256-4061
http://fsdsolutions.catsone.com/careers/