Web security

20th of March 2017

All too frequently we hear about hacked accounts and stolen data. Users and service providers both need to play their part to keep their data safe.

When hacking is not hacking

Whenever the media reports hacking there's a good chance that they're not actually reporting hacking at all. Hacking is a good catch-all term for people to understand, but it can make something seem more extreme than it really is.

Recently one of my clients, Camelot, was in the news with claims that account details had been hacked. This sort of news can be damaging because it implies that they were negligent with customer data but this is not the case. In this instance another website was hacked and usernames and passwords were stolen. As happens frequently on the web, many of these usernames and passwords matched accounts on other websites including Camelot's. This stolen data was used to breach the accounts, but because the details were genuine there is little that could have been done to prevent it.

What users can do

Never use the same password on multiple websites to minimise your risk of data theft from other sites. When choosing a password make sure that it's not guessable – the cryptographically most secure passwords use a combination of letters, numbers, and symbols that are at least 8 characters long. Even with a common word dictionary attack, ThisIsAPrettySecurePassword1! is less hackable than 11 random upper, lower, number, and symbols – bear this in mind if you need a memorable password. For the best strength use a password management system such as that provided with Google Chrome.

If two factor authentication is available use it – this vastly improves the security of your accounts. Always check that a website is secure (green, padlock, HTTPS) before submitting any personal information through forms.

Don't give away secret question details unwittingly – it may look like a harmless quiz, but if it has a random question asking for your mother's maiden name be wary! Avoid phishing scams by checking the browser URL and preferably by using a browser that blocks suspected phishing sites, such as Google Chrome. You should also have a virus scanner to make sure you don't download anything that can steal your personal information in other ways – AVG is free.

Social engineering can be difficult to avoid. Don't click on minified links sent from your friends without asking for an explanation first. Several Facebook propagated worms have spread very quickly in this way.

What service providers can do

Protect yourself against cross-site scripting (XSS) and cross-site request forgery (CSRF). These are most easily achieved by sanitising any user input and with session tokens sent in hidden fields with forms.

Always use HTTPS. It doesn't matter what type of website you have these days, HTTPS is best and there's evidence to suggest that Google prioritises sites that use it. Be sure to test your site with an SSL test and aim for at least an A grade.

Always salt and hash passwords, preferably with a continually improving algorithm such as that provided by the PHP password_hash function. There is absolutely no excuse to ever store passwords in plain text. Never limit your user's maximum password length and use the maximum field-length available – I'd recommend a varchar 255 for future proofing with password_hash.

Secure your server by keeping software up to date and patched, and implementing a firewall. Third-party penetration testing is recommended to reveal weak areas in your protection.

There are a number of software features that can be enabled / disabled as appropriate from the code serving your pages, such as the Apache and PHP hardening directives included in a previous post.

Stay safe out there!