Web Security? Impossible
by Andrew Bowser
Think you can secure your World Wide Web site like a Brinks truck? Forget it. Consider Rootshell, a premier depot for Internet-security information. On Oct. 28, a group of hackers subtly defaced its main page (www.rootshell.com), apparently just to prove they’d been there.“If anybody knows about breaking into Web sites and system security, it’s Rootshell,” says Lincoln Stein, author of Web Security: A Step by Step Reference Guide.
Following recent hacking incidents at newspapers both big and small, the subject hits much closer to home. In perhaps the most visible attack to date, The New York Times on the Web was shut down for a day this fall after staffers couldn’t find a way to stop a hacker-inserted program from repeatedly replacing the paper’s home page with text calling for the release of jailed computer criminal Kevin Mitnick, among other demands (see box).
The lesson learned from such incidents? “There is no way you can make your site completely impenetrable,” Stein says. “All you can hope to do is make it hard enough [to hack] that it’s not worth the effort.” |
|
Web administrators can start by keeping up with the known exploits, installing the latest patches and closing the known holes, thus knocking away all but the expert hackers looking to exploit new and unknown vulnerabilities. |
“It’s not that everyone is doomed to destruction,” says Dan Farmer, a security researcher with Earthlink Networks, “but it’s kind of like the credit-card business. They just accept a certain amount of graft and loss, and it’s a part of normal business operations. I think we just have to view vandalism and theft as a way of life on the ’Net now.”
As part of a non-intrusive study last year, Farmer found he was able to compromise the security of 215 North American newspaper Web sites (Presstime, May 1997, p. 78). “The truth is, when you have a complicated system, there is no way to verify whether it is secure or not,” he says. “Any complex system is almost by definition insecure.”
Most security breaches are due to unauthorized name/password access. Choosing unguessable passwords and changing them frequently can help reduce that risk.
Passwords can be encrypted; even better, using difficult-to-forge client-side certificates can ensure that remote access to the site is limited to authorized reporters, editors and administrators.
Security concerns don’t stop at the point of access. Buggy old versions of CGI scripts hanging around on a server can be exploited to delete or alter HTML, according to Stein. And if configured incorrectly, one of the popular Web-site authoring and administration programs can be used to write to files outside the Web-document tree.
Limiting the use of tunneling software and other remote-access tools tends to make a Web site more secure. According to Dave Gipp, manager of Internet services for the Bozeman (Mont.) Daily Chronicle, system security is directly proportional to the amount of remote administration allowed.
“If you can lock up the machine tight enough that the only way for even the administrator to get at it is using the keyboard, then any person trying to attack it is going to have diminishing returns,” Gipp says.
Like The New York Times, the Chronicle suffered a vandalizing hack to its Web site that caused an estimated $2,000 in damages. Chronicle staffers still aren’t entirely sure how the hack was perpetrated, though remote-access systems installed for an office relocation played a role.
“[Servers] are so complex that in some cases security holes persist for years before someone finds them,” Gipp says.
Security audits, performed either in-house or through an outside company, can help identify trouble spots and keep everyone briefed on the latest threats. Once the initial audit is conducted, periodic audits are “no-brainers” that take little time and money, according to Brian Martin, senior security engineer with Repent Security, a Scottsdale, Ariz., consulting firm.
“It’s much like car maintenance,” he says. “If you let it slide, you end up paying more in the long run.”
How much money to spend maintaining security is a thorny issue. Farmer recommends newspapers spend at least as much to protect online assets as they would protecting physical assets of the same value. But Chris Jenne-wein, vice president of technology and operations for Knight Ridder New Media, cautions that excessive paranoia can chew up more resources than would an actual security breach.
“The chance that a hacker is going to focus on your Web site is pretty slim,” Jennewein says.
“You have to make sure the costs of security don’t exceed the risks.”
All bets are off, however, if your site becomes the object of a hacker’s fancy.
“People will resort to going through the trash, interrogating old employees—whatever they need to do to get into that machine,” Gipp warns.
Andrew Bowser is a free-lance technology and science writer based in New Orleans. E-mail, andrew@bowser.com. Additional tips and tools for improving site security can be obtained through the CERT Coordination Center (www.cert.org), a federally funded research and development program.