echo: nthelp
to: All
from: Randall Parker
date: 2005-11-19 15:28:28
subject: Rental servers and getting rooted

From: Randall Parker

George reports on stories he hears about web sites getting taken over due to poor
security in the logic of the web pages and in the technology the web pages
are written in. "rooting" means getting root access to a server.
It's a term from Unix land.
It's just the rent-a-server folks don't care about security, they care
about having check marks in all the checkboxes on the list of available
features so that everyone will go to them because they offer all the
features the people who don't know security always want.

Look at PHP, it's insecure not because of the server setup but because of
the actual code written in PHP. Security on a web server that's running PHP
is up to the guys writing the web pages, not the admin.

So now that you know this, how can any hosting company offer PHP and still
call their machines secure? I mean it's a joke right?

Ok now look at any other web server extensions that offer real power stuff,
like ColdFusion. ColdFusion offers the ability to modify the system
registry. Hello? How can someone who rents websites allow every website
owner on a machine to modify the registry which no doubt affects the
machine security and every other website hosted on that machine? Is that
secure in your opinion?

My point is to be secure and still use any of the power extensions like
.NET or PHP you have to have your own server and you have to understand
basic security or the pages and features you make available may very well
be what opens you up to hacks.

For Randall, he'll need to decide what extensions he needs then he'll need
to learn how the exploits for those extensions work so he knows the weak
points and what sort of stuff to watch out for. Doing the patches and
typical machine security is easy compared to that and having control over
the machine configuration instead of being stuck with some rent-a-server
standard image config would make things a lot easier. I'd say do it
yourself and deal with the learning curve.

Geo.

If the rent-a-server folks provide you and 253 other websites with the
ability to write code that can be the doorway a hacker uses to root the
server then who are you supposed to blame when someone else's code is the
reason your website got wiped out? Who do you blame that your server is
unavailable for a week while they rebuild their server farm because that
box was used to root the others? How do you know the hacker isn't one of
the other 253 websites?

The responsible disclosure folks have pretty much silenced the security
community, the defaced websites tracking sites have pretty much been
silenced as well so I can't point you to a site that shows how often this
happens but people talk to me about their websites all the time and
rootings are happening more often now than ever from what I can tell.

When Glenn told me about his server, I showed the form letter to our techs,
one of them who has his site hosted on some India web host laughed and told
me it was nothing. A week later his site went down due to a rooting and was
down for a week. Then again last month his site went down due to a rooting;
he's now getting the idea that maybe there was more to what I was telling
him than he thought although he's still not convinced the problem is all
the checked checkboxes for server extensions.

There are some good hosting services out there but the only way I know to
find them is to ask people who have used them for a year or longer.

Geo.


"Gar
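The PHP point above (that on a shared host the page author's code, not the admin's server setup, decides whether the box is secure) as an added example; this is not code from Geo's or Randall's post. The theme-loader page is written two ways, the unsafe way and the allow-listed way, and the comments at the end list the php.ini limits an admin can still impose on a tenant. The directory names, theme list and php.ini values are assumptions for illustration.

```php
<?php
// Added example, not from the original post. Shows why PHP security lands on
// the page author: the same "theme loader" page written two ways, followed by
// the server-side limits a shared-host admin can set regardless of page code.

// --- Unsafe version: the request parameter is used to build the include path.
// Whatever string the visitor sends becomes part of a filesystem path, so the
// page author has handed every visitor a file-inclusion hole. The admin's
// patch level has nothing to do with it.
function render_theme_unsafe(array $get): void
{
    $theme = $get['theme'] ?? 'default';
    include __DIR__ . '/themes/' . $theme . '.php';
}

// --- Safer version: the request parameter is only a key into an allow-list
// the page author controls; no path is ever assembled from user input.
// (Assumed theme list for this example.)
const ALLOWED_THEMES = ['default' => 'default.php', 'dark' => 'dark.php'];

function theme_file(array $get): string
{
    $theme = $get['theme'] ?? 'default';
    if (!array_key_exists($theme, ALLOWED_THEMES)) {
        $theme = 'default';   // unknown or hostile value falls back, never echoed into a path
    }
    return __DIR__ . '/themes/' . ALLOWED_THEMES[$theme];
}

function render_theme_safe(array $get): void
{
    include theme_file($get);
}

// Constructed sample requests, resolved without including anything:
foreach ([[], ['theme' => 'dark'], ['theme' => '../../etc/passwd']] as $sample) {
    echo theme_file($sample), "\n";
}
// The third request resolves to themes/default.php; the unsafe version would
// have built themes/../../etc/passwd.php from the same input.

// --- What the admin side can bound no matter what tenants write. These are
// standard php.ini directives (also settable per vhost with php_admin_value);
// the paths and values are an assumed layout for one tenant on a shared box.
//
//   open_basedir      = /var/www/tenant42/:/tmp/tenant42/
//   allow_url_include = Off
//   allow_url_fopen   = Off
//   disable_functions = exec,passthru,shell_exec,system,proc_open,popen
//   expose_php        = Off
//
// open_basedir keeps the unsafe include from reaching outside the tenant's
// tree and allow_url_include=Off stops it pulling a file from a remote URL;
// disable_functions removes the shell escape hatches. None of this fixes the
// page's own logic bug, which is exactly Geo's point: the host can limit the
// blast radius, but the page author is the one who opened the door.
```

The takeaway for someone evaluating a host is to ask which of those directives are set per tenant, since that is the only lever the admin has over code they did not write.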

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270 5030/786
@PATH: 379/45 1 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
