Late last year it was announced by a couple of security researchers that cPanel was vulnerable to cross-site request forgery attacks (CSRF).  If you manage your business’ website, you know that cPanel is an administration interface that allows you to perform many tasks related to running a website.  This includes accessing website stats, email accounts, and log files, submitting tickets to the support desk, and a variety of other tasks.  Cross-site request forgery attacks allow attackers to exploit web-based services after the user has already logged into the web-based service.  In a cPanel attack, once you are logged in, you must be lured by the attacker to visit a malicious website that the attacker runs or has compromised.  Once you go to the malicious website, the attacker can execute unauthorized commands since you are already logged into cPanel, and no password would be necessary.

When you are logged into cPanel and go to a malicious website or a website under the attacker’s control, the attacker can reset your password, install software, modify settings, and other similar things that you don’t want done to your website.  While there are a number of security improvements that can be made, some of them you do not have control of if you are using shared hosting.  Since most small businesses start out using shared hosting because it is easier having the web hosting company perform the server administration, I will focus on what most website owners can do without having to administer or configure their own server.

Improving cPanel Security Against CSRF Attacks

As stated before, there are things that your web hosting company can do through the Webhost Manager (WHM) portion of cPanel, but here are things you can do to improve cPanel security:

1. Make sure you are using cPanel version 11.25.0.  At the time of this writing, this is the newest version of cPanel which has preventative measures built into it to reduce these type of attacks. Under cPanel, you should be able to view current versions of the software running on the server.  If you do not have the 11.25.0 or higher version of cPanel, contact your hosting company and request that they upgrade to the newer version.  Since this is not a foolproof measure I would also look at implementing the following additional items.
2. Do not remain logged in when browsing other websites.  This can be a real challenge when you are viewing log files such as your most recent visitors.  It is tempting to click on a referring website link to see more about the website, but it may link to a malicious website.  Don’t click on links to other sites while logged into cPanel.  Also, to be extra cautious, I would clear private data such as cookies after logging out of cPanel and before browsing other websites.  In Firefox, you can do this manually from the tools menu, or you can set it up to perform this automatically when you close the Firefox browser.
3. Change your password for cPanel.  You should do this on a regular basis and also make sure you choose a strong password each time.  This is not so much specific to CSRF attacks but just good practice for any sensitive account you have.  To go along with this, make sure you are logging into cPanel using an SSL connection.  This helps reduce the risk of someone sniffing or capturing network traffic and gathering logins and passwords that are not encrypted.  Most web hosting companies have capabilities to allow users to log in via an SSL connection even if the user does not have their own SSL certificate set up on their own website.
4. Use Web Browser Extensions.  If you are using the Firefox web browser, it has been suggested by other security researchers that you use the NoScript extension that will help reduce a number of types of web-based attacks.  Also, it has been suggested by some that the use of Request Policy Firefox extension would block most of the current CSRF attacks.

I have not tested either of the Firefox extensions I mentioned in this article, but I have heard good things about the NoScript Firefox extension regarding web-browsing security in the past.  Make sure you always log out of your cPanel account and clear the private data cache before browsing other websites.

Are there other solutions you have used or run into regarding this issue?  Please leave a comment  and share your experience with the other readers of this article.

Post from: Business Security Information© 2010

cPanel CSRF Security

Related posts:

1. Cross-Site Scripting
2. Choosing a Secure Web Browser
3. Flaws In SSL Encryption?

Lock boxes can be secured (i.e. bolted) to a desk or a wall plate, or they can be rack-mounted.  Some forms of lock boxes are also temperature-controlled so that they can be used in outdoor situations such as construction sites, recreation areas, or other types of remote locations.

Using a Lock Box

When using a lock box to protect the DVR or Time Lapsed Recorder, make sure you choose a location that is not in plain sight.  It should be located where regular customers or employees cannot see it.  If the recording device allows remote monitoring, it should be located near your network equipment so it can be easily connected to the computer network/internet.  In addition, make sure you actually keep the lock box locked, and keep the key for it in a secure location.  Keeping the key in the lock box or putting the key in a location that can easily be discovered does not provide real security.  I have seen both situations in businesses where lock boxes are used.  It is similar to to writing passwords down to remember them and putting them right next to the computer.  Also, make sure the DVR or Time Lapsed Recorder has some form of backup power such as a UPS (uninterruptible power supply).

The method of securing the lock box is a major consideration.  Make sure you bolt the lock box securely to an immovable object such as a wall or floor.  If the lock box is rack-mounted, make sure the rack it is mounted to is also secured adequately.  Before purchasing a lock box, make sure it is constructed of solid material such as solid steel.  Look at the type of lock or locks used to secure the DVR or Time Lapsed Recorder in the lock box.  Can the lock be easily circumvented or bypassed?  Lastly, make sure the lock box will have adequate airflow to control the temperature of the recording device.  If the recording device overheats, the recording device will become useless.

There are numerous sources of these types of lock boxes, and most are fairly reasonable as far as cost compared to the amount of money already spent in installing a security camera system.  I would highly recommend the use of a lock box if you have a security camera system.  Remember, security camera systems should always be recorded if they are being used by a business or home.

Here is a link to one type of lock box located on the Super Circuits website.  This is a pretty good site for video components, but there are many more sites out there that offer lock boxes.   Look around before purchasing one.

Post from: Business Security Information© 2010

Security Video Lock Box

Related posts:

1. Video Analytics
2. Lock Bumping
3. Should Your Business Use Security Cameras?

The Vulnerability

This most recent vulnerability involves a flaw in VbScript that can be used to install malware or other types of bad software onto your computer.  This vulnerability affects Window 2000, Windows XP and Windows Server 2003, and all versions of Internet Explorer (IE).  If you are running Windows Vista, Windows Server 2008, Windows Server 2008 with R2 and Windows 7, it appears at this time you are safe from this vulnerability.

The vulnerability requires that you must be using the IE web browser, one of the Windows operating systems noted in the above paragraph, and must be on the internet at a website that has malicious code (software program or script).  The risk may seem low, but even trusted web sites have been and will continue to be broken into and have malicious code loaded onto the website.  Any website could contain some malicious code without you knowing about it.

If you end up on an infected website while using IE and one of the vulnerable Windows operating systems, you will receive some form of pop-up or message telling you to press the F1 key.  If you press the F1 key, the attacker can hijack your computer or upload some form of malware to your computer.  Once the attacker has control of the computer, they can do anything that a regular user of the computer can do.  This is another reason not to give regular users administrative rights to the computer.  Basic user accounts should be used.

Solutions or Work Around

Until a patch comes out for this security vulnerability, there are a couple of things that you can do to protect your computer(s).

1. Make all users aware of the security issue and instruct them not to press F1 when prompted.
2. Change what web browser is being used.
3. Disable Windows Help by typing a command that is in Microsoft’s Security Advisory at the command line. You must be logged in as administrator to use the noted command.
4. Upgrade your operating system to one of the unaffected Windows operating systems.  This is an extreme and costly measure but one that appears would work at this time.

Telling users not to press F1 when on the internet may not be the best solution since the notice to press F1 can continue to occur until the F1 key is pressed.  This means the user will most likely be annoyed with the message until they press F1 to get rid of the message.  If you choose not to change the web browser that is being used, I would recommend that the Help function be disabled until a patch for this security vulnerability is created and available from Microsoft.

Let me know what you decide to do to address this security issue.  I would be interested in everyone’s response since it still appears so many users use the IE web browser.

Post from: Business Security Information© 2010

Is It Time To Change Web Browsers?

Related posts:

1. Choosing a Secure Web Browser
2. Updating Software Applications
3. Conficker Worm: Is It Still Around?

It is estimated that approximately 80 percent of security vulnerabilities are related to software applications.  The number of unpatched vulnerabilities on most computers is significant.  For more detail on software vulnerabilities and how attacks occur, go to the SANS website and read this article. It is clear from SANS as well as other sources that the number of third-party software application and web application vulnerabilities is greater than operating system vulnerabilities.  Recent attacks using vulnerabilities in Quicktime and Adobe Reader software applications are just two examples.

7 Ways to Improve Desktop Security

Here are some steps you can take to improve the security related to software applications for your business:

1. Be aware – First, be aware that software application vulnerabilities allow attacks against your network. Just by reading this post, you are now aware that you have numerous applications running on your computers, and that they can contain vulnerabilities.
2. Inventory Software – Inventory the software applications you have running on your computer systems.  It is impossible to protect something you don’t know you have.
3. Patch – After discovering what applications you are running on your computers, research to see if there are any updates or patches available for the applications you are using.  Also, uninstall any applications that are not needed or used in your business.
4. Configure Software – Look what configuration options you have available for each application and make sure the application is configured as securely as possible.
5. Defend Against Malware – Make sure you have software installed and updated to protect the computers against the many variations of malware.  If an attack is successful, you have a better chance of containing the malware and limiting any damage to your network.
6. Limit Administrative Rights – As I have written before, limit the use of administrative rights (LINK TO ADMINISTRATIVE RIGHT ARTICLE) or accounts on a computer.  If all else fails, the attacker initially is limited to only being able to do what a regular user can do on the computer.  Most user accounts do not allow the installation of new software without administrative rights.
7. Check Vulnerability Announcements – Lastly, I would suggest that you sign up for automatic notification through e-mail or an RSS reader from one of the many vulnerability tracking websites.  SANS is one of my favorite, but there are many good ones out there.  You can sign up for the e-mail newsletter of RSS feed at SANS.  I would suggest signing up for the Consensus Security Alert newsletter or RSS feed.

These are some key steps in implementing improved computer security at your business.  If the applications you use are not vulnerable, the number of possible attack methods that can be used against your network is also reduced.  Since software application updates are usually left to the user of the computer, it is important that business owners and managers stay on top of the issue.  How many of your employees would even feel the need or spend the time to update the applications they are using unless you make it a priority!

There are always more things that can be done to address this type of security issue, so please leave a comment and share your knowledge and insight with the rest of the readers.       

Post from: Business Security Information© 2010

Updating Software Applications

Related posts:

1. Reducing Security Holes in Administrative Rights
2. File Sharing Software and Information Security
3. Exploit

From the pictures, you can see I stayed in a ground level room.  The window could open all the way and had no exterior screen.  This type of setup will allow someone to easily enter the room from the outside if the window is open or left unlocked.  Also, the type of lock on the window could be opened from the outside by a knowledgeable criminal.  In most hotels where I have stayed in ground level rooms, the window is equipped with an interior window stop where the window can only be opened 5 or 6 inches to prevent a criminal from easily entering the room.  Upper level rooms that have windows that can open all the way are also a liability risk due to the fact a child or even an adult can open the window and fall out.  The hotel had three stories so a fall from either of the upper floors could ruin someone’s day.  The picture I took of the door leading to the adjoining room does not show the complete picture, but basically the door had a deadbolt lock that did not function properly which resulted in the door being secured with the night latch, which is located right above the deadbolt lock.  This does not provide much security for a door that leads from one hotel room to another.

Another issue I noted as I checked in and walked around the hotel is that a surveillance camera covered the check-in area, but there were no surveillance cameras covering the rest of the hotel or any exterior areas of the hotel such as the parking area.  With the front desk employee being the only person on-duty during the evening and night time hours, there is no way other areas of the hotel could be monitored without the front desk being left unattended.  It is beneficial to have security cameras which address not only the security issues but also the liability issues that come with this type of business.  With adequate surveillance cameras, the front desk employee could easily monitor the hotel from the front desk during their shift.

The next issue also shines a light on the importance of surveillance cameras in this type of operation.  All the exterior doors other than the front entrance were equipped with access control which could only be opened with the use of a room card/access card.  Most hotels have this type of setup to prevent unwanted people from entering the hotel premises.  The one exterior door I used to enter the hotel after check-in stayed open for a good 30 seconds or more before it finally latched and would prevent someone from the outside entering the hotel unnoticed.  I tried the door a few times, and it allowed me to almost make it to my room before it was actually closed.  No door setup is perfect, and if someone was right behind you when you entered the building, the door would not prevent them from entering.  The amount of time it takes to close the door greatly affects who enters the hotel.

These are a few things to think about if you own a hotel or are staying at one.  From a general observation standpoint, it appears the hotel had adequate security.  In reality, security is in the details. Lack of attention to these details may result in a crime occurring or accidents happening.  There are many other security issues related to hotel security, but these few are some of the most obvious.

Post from: Business Security Information© 2010

Hotel Security

Related posts:

1. Seven Kidnapping Security Tips
2. Security Camera Systems
3. Retail Security Cameras

The second item which you can see on the two close-up pictures is how the gate is secured when it is closed during non-business hours.  A padlock is used, but there is also a cover welded on the gate that protects the  padlock from being cut with bolt cutters or other types of equipment.  Most businesses, whether they are dealerships, contractors or other businesses that require lot security, only use a basic padlock with no protected shackle, the U-shaped metal piece that opens when a padlock key is used.  The other pictures illustrate ways that other businesses have used to protect the shackle, which is one of the weak portions of a padlock.  I would always recommend that you purchase a padlock that is either  built with no shackle or that has a protected or shielded shackle built into the padlock, and then implement one of these types of solutions to further protect the padlock.

Those were two examples of good dealership security, but I also found some problems while I was there.  First of all, the dealership used infrared beams to alarm the perimeter of the metal barrier.  You can identify the infrared beams from the black rectangular sensors in the pictures.  Infrared security sensors are not as effective over a long distance as other type of outdoor alarm sensors.  Also,    environmental conditions such as fog, heavy rain, etc. can cause false alarms.  Lastly, most infrared sensors are set up in such a way that they are only set off as someone is leaving the lot with the stolen vehicle or equipment.  As with any type of security sensor, you want to know someone is on the property as soon as possible, not just when they are leaving with your property.

The other problem I noticed is with the use of security cameras to protect and monitor the lot.  While  I do not recommend the use of cameras as a primary security measure, my problem with these cameras is their location.  The cameras are located at about 6 to 7 feet from the ground, allowing an attacker access to them and the transmission cable that transmits the camera’s picture.  What you cannot see from the pictures is that the cameras are placed in such a way that someone walking between the cameras that are located on the corners of the structure will not be picked up by either of the two sets of cameras.  This will allow someone to get to the cameras and tamper with them without ever being recorded by any of the surveillance cameras.  The protection of the transmission cable to the camera is important.  The transmission cable should be protected by some type of conduit.  You can see in the picture that one company used PVC conduit, but other types are also suitable as long as they will protect the transmission cable.  There are also devices on the market that will sound an alarm if a surveillance camera is tampered with.

These are just some of my ideas and observations on lot security.  If you have additional solutions or thoughts related to this topic, please leave a comment.

Post from: Business Security Information© 2010

Dealership Security the Good and the Bad

Related posts:

1. Security Swing Arm Gates
2. Perimeter Security and the Use of Bollards!
3. Security Camera Systems

From a security perspective this type of incident reminds you to have good backups and to make sure that you test those backups before you really need them.  The reason I say this is that our backups were a few days old.  If we could not have repaired the database we would have had to use the database backup, which would have required use to re-post some of the newer articles that were not part of the older backup.  It all worked out and hopefully we won’t experience any more issues like this anytime soon.

Post from: Business Security Information© 2010

Business Security Information Website Issues

Related posts:

1. Small Business Website Attacks
2. Are You Experiencing Information Overload?
3. File Sharing Software and Information Security

While trying to catch up on some of my reading this week, I came across an article from the December 14, 2009 edition of Forbes magazine which discussed computer-controlled vending.  A vending machine is equipped with an add-on box which captures all the transactions and transmits the information back to the company.  The boxes can also send an e-mail or text message when a vending machine sells out of an item.  This type of electronic device saves the vending company money in lower fuel costs and more efficient use of their manpower.  If you are interested in learning more, you can check out the website for Cantaloupe Systems .

What does computer-controlled vending have to do with security?  The Forbes article also discusses the fact that money savings from a more efficient vending operation is not the only benefit of using the computer monitoring box.  Companies have found that security is an added benefit they have experienced when using this type of device.  The device is capable of sending a message to the vending company when the vending machine door opens.  If this not a scheduled restock of the vending machine, the vending company can send a field manager out to investigate.  One company caught a former employee stealing cash and product from the vending machine.

Beyond just an interesting story, there is a point to me writing about computer-controlled vending.  My point is that even non-security devices or measures used by a company can have an unexpected effect on your company’’s security.  Secondly, and more importantly, is that when you plan to implement a particular security measure, look at how else it can benefit your company.  For example, many companies have implemented the use of security cameras to help improve the security at their place of business.  Security cameras can also be used to reduce the number of false liability claims, or they can be used to remotely monitor your place of business if the security cameras are so equipped.  Also, the security camera footage (security cameras should be recorded) can be used to train new employees regarding customer service or other types of business issues.  Do not look at security expenditures as a necessary evil, but look at them to see what other benefits they can have for your business.  Almost any security measure can be used for more than it’s original purpose.

Post from: Business Security Information© 2010

Cantaloupe Security

Related posts:

1. Retail Security Cameras
2. Unified Threat Management–Do I Need It?
3. One Key Ingredient To Good Security

Most companies track business-related information such as inventory, sales, marketing, cost per customer, etc. This is all important information to know so that you can make informed decisions regarding expanding, growing, or investing in your business.  Likewise, protecting your business requires gathering and analyzing security-related information.

Key Security Ingredient

This key ingredient of good security applies no matter if you are trying to protect your business against computer security-related threats such as business espionage, hacking, and information theft or physical security-related threats such as robbery, theft and burglary.  Without good information, you cannot spend your limited resources wisely to protect your business.  You need to know what the problem is before you can determine a solution.  I see many businesses implement a security measure,  then call me after they discover that the security protection they implemented was not effective.  When I go into situations like this, I usually always start off by asking what type of security issues they have experienced as well as what they are trying to protect their business from.  These details are important for anyone, even a seasoned security professional, to suggest ways to adequately protect your business.

What Type of Security Information?

This article is not a self-promotion for this site even though we try to be a good source of business security information.  The security information we provide on this site will help guide you in implementing adequate security for your business, but the type of security information I am talking about in this article is site-specific information for your business.  This requires you to keep track of security (computer or physical) incidents as they occur.  Can you, if someone asked, recall the details of a burglary or a data loss that occurred last year?  I don’t know about you, but sometimes just remembering the details of what happened last week is to much for me.   To keep track of the details, set up a database or some other tracking mechanism where you can record actual security incidents as well as any suspicious activity or close calls.  Close calls are usually incidents such as an attempted car theft in your parking lot in which the thief was unsuccessful.  This database will  provide you with important information or patterns that indicate additional security may be needed in your business.

Other sources of local security information can also be used to make good security decisions for your business.  These include crime statistics from your local police department.   I have used local police crime statistics a number of times when trying to determine potential security problems or threats to a business.  Another possible source is to network with other similar types of businesses in your area and see what security issues they have experienced.  Find out what has worked for them.  Once you have setup such a network, you can even go as far as finding a method for each business in the network to contact the others when they experience a security issue.  This way the other businesses in the network can be aware of current local security issues and take steps to prevent or reduce the chance of such a security incident occurring at their own place of business.

What Should I Do?

There are many other sources of security information, but limit yourself to what really helps protect your business. Business Security Information is a good source for topics covering a variety of security issues without you having to scour the internet or other sources for this information (now that was self-promotion), but also look to local sources of crime information such as your local police and other similar types of businesses in your area.  Most importantly, keep track of security issues and close calls at your own business.

If you have thoughts or comments, please leave them using the comment form at the end of this article.

Post from: Business Security Information© 2010

One Key Ingredient To Good Security

Related posts:

1. Security Issues Related to Insider Threats
2. Cybercrime Small Business Survey
3. PCI — Best Practices or Minimum Security Measures

A couple of weeks ago I went with my family to get some pizza.  It was one of those day we had been rushing around and just wanted to get some good hot food, so pizza it was.  Like most food service businesses, this one had a security camera system that was visible as soon as you walked into the store.  While I was standing there waiting for our pizza, I started looking at the positioning of the security cameras.  What I noticed was that the security cameras covered the cash registers and other employee work areas, but the camera system did not cover the customer area in front of the checkout area.  With this positioning of the cameras, their purpose seemed to be just to monitor employees work and to address internal theft issues.

Internal theft issues are a major area of concern for businesses because most of the money lost by a business usually occurs from internal sources such as employees.  In this case, however, I would also want the camera system to monitor the customer waiting area for two reasons.  First, I would want to gather evidence if someone came in and robbed the business.  Secondly, I would want it to record the area so if anyone claimed to have been injured at my business, I could show what actually happened.

If you currently have or decide to install a security camera system, make sure you cover all important areas of your business, including customer waiting areas.  In the case of the pizza shop, I would have placed another camera where it would get good security footage of the customer as they entered or left the pizza shop.  Despite the extra cost, I would also place another security camera where it would get a good view of the customer waiting area.  It is possible, depending on the layout of the building, to get away with one for both the entry and waiting area, but I would recommend the use of two security cameras.  In the case of a robbery, you want a closeup of the robber entering or leaving but also a wider view of the whole room.  This would require a camera placed further away to get good security footage of the whole area.

I ran into another security camera solution recently.  It is a security camera that is housed covertly in a height strip that most businesses have on the interior of the front door so employees can tell the police approximately how tall the person who robbed the store was.  The height strip camera is sold by a company called Advanced Technology Video.  I do not have any affiliation with this company so this is not an endorsement of them or there product.  There may be other companies out there with similar types of security camera products, but I thought it was a neat idea to integrate the height strip security measure with the security camera security measure.  Good camera footage is always an important security concern.

Post from: Business Security Information© 2010

Retail Security Cameras

Related posts:

1. Should Your Business Use Security Cameras?
2. IP Security Cameras
3. Cantaloupe Security