
Security considerations


Malicious attacks on web sites are an industry-wide problem, bringing down web servers, disrupting online commerce, and threatening users' personal data. Such attacks can affect anyone whose platform implementation is not secure or whose system is not maintained.

Typically, attacks come from automated software on the internet that scans for vulnerabilities, or other ways into a web server.  Once one is found, an attacker can upload malicious code or send destructive email from a trusted site - yours!

Fortunately, Kaboodle manages all aspects of your web site's security, and by following the best coding practices we can avert most attacks. 

As a Kaboodle user you can also take a variety of steps yourself.  Most importantly, ensure that only trusted users can access your data.

 


Passwords

We recognise that not all our users need secure online connections, and, perhaps more importantly, we recognise when a secure connection is prudent.  We have adopted the Advanced Encryption Standard (AES, the Rijndael block cipher) as our encryption method, and we use it regardless of whether the Secure Sockets Layer (SSL) cryptographic protocols that keep online connections secure are in use.

We also take the view that the most damaging form of attack typically comes from within.  We extend this view to our own staff, so that no Inzen employee can decipher any username and password combination, further ensuring that your data remains secure. 

By far the most common vulnerability, however, is weak password usage. 

To help counter this, we require each user to enter some random letters and numbers in addition to their username and password.  This prevents automated dictionary attacks by limiting the number of authentication attempts that can be made, and by blocking further attempts once a threshold of failed authentication attempts is reached.  Both settings are easily configurable by Kaboodle site administrators. 

In addition, we include a number of known-password lists (currently more than 3.7 million known passwords, in languages from Icelandic to Swahili) that prevent the use of passwords already publicly available to the hacker community.

Best practice

Passwords are by their very nature fundamentally insecure.  For a password to be strong it must invariably be difficult to type, hard to remember, and good for only a few weeks at best.  There is a much easier method: simply create a passphrase instead.  Passphrases are easier to type, easier to remember and much, much stronger. 

If, however, you must use a password, make sure it is at least 7 characters long (15 characters is better), uses numbers and mixed-case letters, and cannot be found in any dictionary or published list.  Anything less can be cracked quickly by brute force.
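An added illustration (not Kaboodle's own code) of the two controls described above: a password check against the page's rules (at least 7 characters, numbers, mixed-case letters, not on a known-password list) and an administrator-configurable lockout once a threshold of failed logons is reached. The threshold, lockout window, the five sample list entries and the case-insensitive list match are constructed assumptions for the example.

```python
import time
from collections import defaultdict

# Constructed stand-in for a known-password list (the real list described on the
# page has millions of entries); these five entries are illustrative only.
KNOWN_PASSWORDS = {"password", "123456", "qwerty", "letmein", "Passw0rd"}
MIN_LENGTH = 7   # the page's minimum; it recommends 15 or more

def check_password(pw, known=KNOWN_PASSWORDS):
    """Return a list of policy failures (empty means the password passes).
    Rules are the page's: >= 7 characters, digits, mixed-case letters, and not
    on a known-password list. The list match is case-insensitive (assumption)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("not mixed case")
    if pw.lower() in {k.lower() for k in known}:
        problems.append("appears on a known-password list")
    return problems

class LoginThrottle:
    """Per-account failed-logon counter: once `threshold` failures fall inside
    `lockout_seconds`, further attempts are refused without even checking the
    credentials, which is what denies a dictionary attack any progress.
    The clock is injectable so the behaviour can be tested deterministically."""
    def __init__(self, threshold=5, lockout_seconds=900, clock=time.monotonic):
        self.threshold = threshold          # administrator-configurable
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = defaultdict(list)   # username -> failure timestamps

    def is_locked(self, user):
        cutoff = self.clock() - self.lockout_seconds
        self.failures[user] = [t for t in self.failures[user] if t > cutoff]
        return len(self.failures[user]) >= self.threshold

    def attempt(self, user, verify):
        """`verify` is a zero-argument callable that checks the credentials.
        Returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(user):
            return "locked"
        if verify():
            self.failures.pop(user, None)   # a good logon clears the counter
            return "ok"
        self.failures[user].append(self.clock())
        return "failed"
```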

 


Browser vulnerabilities

As a Kaboodle user, the point of attack that most concerns you (from the perspective of building and managing your own site) is the humble browser.

Browser software lets people reach the vast amounts of data and computer programs on the web. At the same time, browsers must mediate interaction between that web content and the user's computer. Browsers therefore need security mechanisms that deny malicious web content access to the user's computer. 

To emphasise this point, the following is an extract from the Mozilla Foundation Security Center, which has a rather unusual but telling way of promoting its own software.

"Recent security failings in Internet Explorer have caused experts (including the United States Department of Homeland Security's Computer Emergency Readiness Team) to recommend that consumers stop using Internet Explorer and switch to other browsers. For more detail on exploits leading to the suggestion to switch see: http://www.kb.cert.org/vuls/id/713878 and http://secunia.com/advisories/12048/."

To be fair, Microsoft have raised their game considerably over recent years, and continue to do so, particularly in relation to online activities.  Browser technology improves all the time and what may have been true for earlier versions almost certainly is no longer true today.

Microsoft list a series of interesting vulnerabilities in an article entitled Security Considerations: Dynamic HTML.  This document includes a number of dynamic HTML functions that, if used incorrectly, can compromise the security of your applications.

Here at Inzen, we have taken into account the varying degrees of expertise of our users.  To this end Kaboodle incorporates a raft of security measures at the back end, including, not least, backing up your data every 15 minutes and keeping those backups off site.  We also track user activity, insofar as we keep a record of who is online, where they came from, their IP address, their browsing activity, who is logged in, when activity occurred, and more. 

Interestingly, even this tracking can be circumvented, since a person or program can successfully masquerade as another.  This type of attack is known as spoofing.  In its simplest form, someone who knows your password can masquerade as you.

 


AES usage summary

For the technically minded who are interested in our logon block cipher method, the principle is very simple.  The client generates a one-time username and password combination.  An attacker would need to know the plain-text input values plus a random key to decipher the encrypted text.  As with all cryptography, recovering the plain text is a matter of knowledge, skill, time and processing power.  The match variables are derived from a private key held on the server and a short-lived copy of the one-time key.

Once lost, a password cannot be reconstituted.  Neither the encrypted, decrypted nor plain-text return values processed by the client are held on the server.  Likewise, the values held on the server cannot be deciphered without knowing the original plain-text username and password. 

Is it secure?  If the key is known, Rijndael is reversible, and message-digest algorithms are akin to plain text, albeit in an obscure format.  If enough information were known the block cipher would be weakened, certainly beyond an RSA (public, private key) algorithm using a large prime number.  As both algorithms are public standards it is reasonable to assume that they are inherently weak, insofar as state authorities find them an acceptable form of encryption for all but the most classified documents.

Known weaknesses include:

  • Careless use of passwords
  • A man-in-the-middle attack between the web server and the database server
  • A man-in-the-middle JavaScript hack between the web server and the client
  • Wardriving, where an automated tool finds internal modems to exploit
  • Session hacking, where an attacker places bogus packets in an established session


Of these weaknesses, by far the most prevalent is careless use of passwords.  Each of the others requires time and processing power, and time is in very short supply because the username, password and random key combination expires quickly.

Alexander Munro, CTO Inzen, January 2006
 


References

Microsoft Corporation: http://msdn.microsoft.com/workshop/author/dhtml/sec_dhtml.asp
Mozilla Foundation: http://www.mozilla.org/security/
Secunia: http://secunia.com/advisories/12048/
US-CERT: http://www.kb.cert.org/vuls/id/713878
Wikipedia: http://en.wikipedia.org/