I don’t play poker well. I donate money to my friends every few weeks because I like to eat junk food, breathe bad cigar smoke and hang with the guys. I’m so easy to read; when I get a good hand I stare at my opponents’ chips, willing them into the pot. When I’m bluffing, I fidget. Take my money, just invite me back; my ‘tells’ are legendary amongst my friends.
We’ve all heard of the those poker players who can read us amateurs like a book: we might as well just turn our cards face up. To a talented eye, even subtle ‘tells’ reveal more information than we can imagine. The analogy: reading your open-book website security ‘tells.’From my perspective, your website has already turned over many of its cards. Unlike my poker skills, my security skills are honed from practice and experience. I can read your website’s security status from a mile away (that was an Internet joke).
No, I don’t hack websites and none of my ‘reads’ are anything the Feds would take me to task for. I just wander around your public website with easily obtainable tools and pick up on many security ‘tells’ that your website gives away. I am by no means legendary, not even well known, I just know what to look for and how to interpret what I see – just like thousands of others who might not be as reputable and may have ill intentions.
Some of the ‘tells’ your website is happy to send in my direction include:
• The version and security of your Content Management System (CMS)
• The age, versions and patches of your underlying website technology
• The status of your SSL certificate and its usage throughout your website
• The number and types of attack surfaces your website might contain
• Password encryption
• Open ports
• Sensitive data the website might traffic in
Starting the Review
I always start a website security review with a site crawl to get a complete listing of the pages and files that are publicly visible. The crawling freeware tool that I use not only gives me a complete hierarchical view of the website structure, but also reports on version information of CMS and website technology files. Even better, it also lists details on external links and pages that contain user input controls.
Yep, your entire website is laid out before my eyes.
I use this website hierarchical view to pick my way through your web pages that are obvious candidates for hacking; these are often called ‘attack surfaces’. These attack surfaces include search fields, logins, forms, anything that allows data to be passed between a user and the underlying server. I can easily bring up the pages containing the attack surfaces to see what your site has to offer.
Any attack surface that passes private information, like passwords or financial information, needs to be SSL protected (transported data must be encrypted). Spotting SSL protection, or lack thereof, is as easy as checking out the web page and looking for the SSL indicator.
I will also wander your site to get a feel for private data (i.e., medical, financial, client lists) that might be contained in your database. While I cannot tell if you are properly encrypting or storing this data, the fact that your site does collect private information certainly raises my sensitivity to the level of security your site needs. A ‘cute kitten’ site doesn’t raise any flags, but a ‘medical record’ site makes me dig much harder.
I also get a feel for a website’s use and protection of passwords by visiting the login page and seeing the options for password recovery. A properly configured website never saves a recoverable password. It’s rare, but I still see a few websites every now and then that will e-mail me my original password – meaning it’s not encrypted properly. While this may be singularly dumb, it also gives me a general feeling of the security quality of the entire website.
After a website crawl, I usually run a check on the presence and viability of the site’s SSL certificate. There are several good on-line, free tools for doing this. One of these is a tool from Digicert that you can find here.
Just enter the domain name, and the tool will return the existence and status of the site’s SSL certificate. I cross-reference this information with the attack surfaces noted above. A missing or poorly configured or expired SSL certificate will raise red flags. Qualys also offers a free service that performs an analysis of the configuration of any SSL web server.
One of the biggest security problems with even the most professionally produced website is aging. Even if the site was created using tools and website technology components (i.e., ASP.NET, IIS, WordPress) that were security-safe when the site was created, these same components might have been found to contain numerous security flaws over the last few months or years. My crawl tool and several other technology version discovery tools (http://builtwith.com/) will examine underlying website technology and provide version information whenever possible. My own experience, or a quick Internet lookup, will let me know if aging website technology has opened the site up to easy hacking.
For example, a recent site review turned up a site whose website technology (PHP 5.2.16 and Apache 2.2.3) just screams ‘hack me’ to the outside world.
CMS sites also worry me; first, because they tend to be created and forgotten. It is a rare IT department that will bother to update a CMS with security patches. After a few years the CMS becomes fair game for professional and amateur hackers alike.
Second, CMS sites suffer from the deadly plug-in syndrome. The geek side of the CMS implementation team will implement a security solid product, then turn it over to the design and content folks. After adding a few plug-ins to enhance the visual part of the CMS, the new (and much prettier site) is wide open to simple hacks. Plug-ins are notoriously security-fragile.
Finally, I’ll check the website for open ports (accessible channels into the website through the primary IP address). Again, this is easily done using on-line, free tools like this Port Scan. If I see too many open ports, I’ll have a conversation with the site’s IT team to find out if all those ports are really required.
Depending on the size and complexity of a website, a basic security review could take 30 minutes to an hour. Occasionally, at the end of a review I may be able to say the website is a security breach waiting to happen; and, if private information is involved, strongly suggest the website needs to be immediately taken down and remediated. One recent example was a medical office site running under a very old version of WordPress with well-documented security flaws.
More often than not, ‘tells’ from a review will give me a gut-feel for the security of the website, not an absolute certainty. Without an obvious flawed security component, like the WordPress example above, I can never say a site can actually be hacked. All of the clues taken together may indicate the site’s potential hack is a high probability, but never a certainty. Like my poker fidget ‘tell,’ my bluff may be backed up with a deceit hand, but it will cost you to find out.
Turning Gut-Feel into Certainty
The step to security certainty (or lack thereof) is far more involved than the gut-level review described above. It also requires explicit permission and cooperation from the website owner. This next step uses a web vulnerability scanner tool that simulates a full security attack on a target website. The website will be subject to every security attack method known to the security industry, sometimes taking hours or even days to complete. The resulting report will include a full listing of all actual attack possibilities – ones that can be exploited by a hacker to compromise the website. Gut-feel has moved to certainty.
If funding allows and need dictates, a manual security review and a code review might be included in the security mix. Allowing a few really smart security experts to wander your website, inside and out, is never a bad idea. The web vulnerability scanner tool I mentioned above is good, but it will never replace a human.
Getting Beyond Your Tells
Aside from the many techniques to discover the security details of your website you should have picked up on the fact that there are no secrets on the Internet. Your IT department should be able to hide some of the information I found above (i.e., versions) but you’re still an open book.
As always, your best defense is a secure website. Build it secure, apply patches and check it for security every six months.
But, don’t bother to invite me to your poker game-- I won’t come.