Proactive server hacker protection - webinar Tues 1/14/14 1pm EST

If your web application is connected to the public Internet, it's under attack right now!

What's the cost of failing to stop the bad guys?  Your data in the wrong hands, the costs of forensic audits, consumer lawsuits and fines.  A typical data breach could cost a small business merchant tens of thousands of dollars and years of damage to your brand.


In this Webinar, Vlad Friedman, CEO of Edgewebhosting, one of the nation’s top mission critical managed hosting companies, will discuss:

  • Current Threats
  • How to architect a high security hosting platform
  • Tools to protect against and detect attacks
  • Configuration Best Practices (including ColdFusion)
  • Strategies for using Cloud Computing while maintaining high security.

 

Join in to learn how some of the world’s top organizations protect sensitive data and strategies successfully used by Edge to stop over 15 million attacks per day.

Bio

Vlad founded Edgewebhosting in 1998, as the hosting space was just starting to emerge using a managed hosting model.  The business was built around implementing and supporting complex 100% uptime mission critical platforms at a predictable monthly cost.  Edge’s solutions regularly combine physical and virtual cloud technologies into a single solution that balances cost and performance.

What started as a single server in a closet, a T1 Internet line and one employee has transformed into a team of 50 technical gurus managing over 2000 servers and devices across several geographically diverse data center locations, servicing a wide range of customers including enterprise accounts such as Fortune 100 insurance carriers, publicly traded corporations, political parties, nonprofits and commercial entities.

Vlad’s customer-centric vision has allowed Edge to achieve a 117% growth rate in the last 3 years with a less than 1% churn rate.

Prior to Edge, Vlad founded and operated Atlantic Computer Systems, a system integration and software development firm that focused on creating client/server software solutions helping solve large scale challenges for the automatic logistics and transportation industries.

You can reach Vlad at www.edgewebhosting.net

Webinar details

Title: Proactive server hacker protection
Date: Tuesday, January 14, 2014
Time: 1:00 PM - 2:00 PM EST

After registering you will receive a confirmation email containing information about joining the Webinar.

System Requirements
PC-based attendees
Required: Windows® 8, 7, Vista, XP or 2003 Server
 
Mac®-based attendees
Required: Mac OS® X 10.6 or newer
 
Mobile attendees
Required: iPhone®, iPad®, Android™ phone or Android tablet
 

Space is limited.
Reserve your Webinar seat now at:
https://www4.gotomeeting.com/register/362143823

ColdFusion security and web hacking tools - webinar Wed 6/5/13 1pm EDT

Bored with ColdFusion security presentations that rehash the OWASP Top Ten? Do this and don't do that with terse snippets of code...

 

This session is different. David will demonstrate the tools that are available to hackers and show how a web application is attacked live during the webinar. Using the OWASP Top Ten as a guide, he will attack a demo site using a combination of vulnerabilities in an application. Given the recent ColdFusion security issues this year, this session is a must attend for any serious ColdFusion developers, administrators and managers.

 

We will also cover

  • Recent events in ColdFusion security and hacking
  • Overview of OWASP 2013 Top Ten
  • Show how attacks are never a single issue, but a combination of vulnerabilities
  • See authentication bypass in action
  • Q&A

Date: Wednesday, June 5, 2013
Time: 1:00 PM - 2:00 PM EDT

After registering you will receive a confirmation email containing information about joining the Webinar.

System Requirements
PC-based attendees
Required: Windows® 7, Vista, XP or 2003 Server
 
Mac®-based attendees
Required: Mac OS® X 10.6 or newer
 
Mobile attendees
Required: iPhone®, iPad®, Android™ phone or Android tablet
 

Space is limited.
Reserve your Webinar seat now at:
https://www4.gotomeeting.com/register/820728951


Bio:

David Epler is a Software Architect with AboutWeb in Rockville, MD. As a member of AboutWeb's solutions team, he has built, deployed, and maintained systems compliant with the most demanding regulations and mandates needed to pass security certification and accreditation for Federal Government clients. He has been developing with ColdFusion since version 4, is an active member of the ColdFusion community, and is an Adobe Community Professional.

 

David has contributed to several open source ColdFusion projects and frameworks, along with the blog he maintains (www.dcepler.net). He was responsible for creating and maintaining Unofficial Updater 2 (www.uu-2.info), which made patching ColdFusion 8 and 9 significantly easier before the Hotfix installer was introduced in ColdFusion 10. He also contributed the Security chapter for Learn CF in a Week (www.learncfinaweek.com). David has been a speaker at various user groups and conferences such as cf.Objective(), CFUnited, RIACon, and Adobe Government Technology Summit. He also co-manages the Capital Area Cyber Security User Group in the DC Metro Area (www.meetup.com/Capital-Area-Cyber-Security/).

 

David will be speaking at the Rich Internet Application Conference (RIACon), http://www.riacon.com/, August 5-6 at the Silver Spring Convention Center. Attend to learn about creating the next generation of web and mobile based applications.  RIACon includes networking with fellow industry professionals and community leaders while being exposed to the most up to date skills needed for building great applications leveraging the best technologies available today.

Preventing SQL Injection Attacks

SQL Injection can damage your website’s data and spread to other sites in your organization. This article explains how it works and how you can prevent it.

 

Exploited vulnerabilities:

A SQL Injection attack relies on someone sending an HTTP request (a web site visitor) being able to add SQL commands to a URL or form variable and have them included in a SQL query, so that the SQL Server runs them as additional SQL commands. Any text passed along in URL or form variables can be modified by the user, or by an automated tool. URL/form variables should only be treated as data, and never trusted.  (See http://www.forta.com/blog/index.cfm/2005/12/21/SQL-Injection-Attacks-Easy-To-Prevent-But-Apparently-Still-Ignored for a quick description). If text entered in the URL can get run on the database server as a SQL command, then a malicious user can pass any SQL commands that the SQL login has access to, including making malicious edits, reading from the database's system tables, bypassing site login code, or (if the SQL login has permissions) creating or deleting tables.

Over the past few months (since about May 2008) there’s been an automated SQL Injection attack running against first just ASP sites, then others, and now ColdFusion sites (searching for URLs containing “.cfm” files). It tries to pass a SQL script in a URL variable to each page, in the hope that at least some pages will pass it directly to the database in a way that the database server will execute it. (See http://www.coldfusionmuse.com/index.cfm/2008/7/18/Injection-Using-CAST-And-ASCII for details on how this SQL works.)

The malicious SQL script used in this attack loops over system tables (sysobjects, syscolumns) to find character fields in all user tables, and appends an HTML string to every such field, assuming that at least some of those columns will be output directly on some other web page. This HTML string includes a JavaScript block, which gets the browser to download and run the JavaScript at that URL. (This JS URL will probably change quite often, but will be available often enough to be downloaded.) Apparently, this script then turns the browser displaying that data into a “bot” that hits other servers, and can do anything that JavaScript in the browser can do, especially exploiting browser vulnerabilities.

It only takes a successful hit on one page of one site to get into that database; the HTML is then displayed on whatever site uses those tables and columns.

The best way to prevent this is to make sure that any data passed to SQL queries is only ever treated as data. All CF queries should be parameterized (use CFQueryParam to pass the values in).
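As an added example (not code from the original article), here is the vulnerable pattern described above next to its parameterized form. The datasource name `myDSN`, the `products` table and its columns are assumptions used only for illustration.

```cfml
<!--- Added example, not from the original article. The datasource "myDSN", the products table
      and its columns are assumed names used only for illustration. --->

<!--- VULNERABLE: url.id is pasted into the SQL text. Whatever a visitor puts after ?id= is parsed
      by the database as SQL, which is exactly what the automated attack relies on. --->
<cfquery name="getProductBad" datasource="myDSN">
    SELECT productID, productName, unitPrice
    FROM   products
    WHERE  productID = #url.id#
</cfquery>

<!--- FIXED: cfqueryparam sends the value separately from the SQL text as a typed bind parameter.
      The database never parses url.id as SQL, and a non-integer value is rejected before the
      query is sent. --->
<cfquery name="getProductGood" datasource="myDSN">
    SELECT productID, productName, unitPrice
    FROM   products
    WHERE  productID = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String values are bound the same way; maxlength bounds what is accepted. --->
<cfquery name="searchProducts" datasource="myDSN">
    SELECT productID, productName, unitPrice
    FROM   products
    WHERE  productName LIKE <cfqueryparam value="%#form.search#%" cfsqltype="cf_sql_varchar" maxlength="100">
</cfquery>
```

ColdFusion automatically doubles single quotes in variables used inside cfquery, which is why the 2008 attack went after numeric values, where no quote is needed, and built its payload with CAST of a hex string. Binding with a numeric cfsqltype closes that gap, because a value that is not an integer never reaches the database.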

 

Action taken for containment:

The best permanent fix is for each and every query to be parameterized, so that no user-supplied text is passed to the database directly.   

There are some ways to block some of the SQL keywords in URL and form variables; this is not guaranteed to match, and may have some false positives, but will buy time to protect all queries. 

We set up some CF code on most public sites, placed in Application.cfm (which runs at the beginning of each request), to search for these SQL keywords in the URL and then abort the page.
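As an added example (not the code TeraTech deployed), here is a keyword filter of the kind described above, placed in Application.cfm so that it runs before every page. The keyword list, the log file name and the response text are assumptions.

```cfml
<!--- Added example, not the code TeraTech deployed: a request filter placed in Application.cfm.
      The keyword list, log file name and response text are assumptions. --->

<!--- Keywords used by the 2008 injection script, plus the long hex literal it passes to CAST. --->
<cfset sqlAttackPattern = "\b(declare|cast|exec|sysobjects|syscolumns|xp_cmdshell)\b|0x[0-9a-f]{16,}">

<!--- Check the decoded query string plus every form field. --->
<cfset requestText = URLDecode(cgi.query_string)>
<cfloop collection="#form#" item="fieldName">
    <cfset requestText = requestText & " " & form[fieldName]>
</cfloop>

<cfif REFindNoCase(sqlAttackPattern, requestText)>
    <!--- Record the source and target so the hit can be investigated, then stop the request
          before any page code (and any unparameterized query) runs. --->
    <cflog file="sqlinjection" type="warning"
           text="Blocked request from #cgi.remote_addr# to #cgi.script_name# (#cgi.query_string#)">
    <cfheader statuscode="403" statustext="Forbidden">
    <cfoutput><p>Your request was blocked.</p></cfoutput>
    <cfabort>
</cfif>
```

Words like "cast" or "exec" also turn up in legitimate free text, so expect some false positives on forms with comment fields; the log line is there so those can be reviewed. As the article says, this buys time while queries are being parameterized and is not a replacement for it.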

 

Action taken for resolution and recovery:

The best permanent fix is for each and every query to be parameterized, so that no user-supplied text is passed to the database directly.   

In the meantime, block those SQL keywords either through CF code (which we put on most public sites) or through rewrite rules.

To repair the infected database, we are running a SQL script similar to the injected SQL to remove the appended HTML from those columns it was added to.

 

Further recommendations:

  • Have daily backups of all databases.
  • Regular backups of code.
  • Do a security audit on your site (TeraTech can do this)
  • Better CF regex filtering of url/form variables at application level
    • May block this set of attacks enough to buy time.
    • Not a replacement for parameterizing all queries.
  • Blocking on webserver level, using rewrite rules. We haven’t quite found a set of rules that work reliably, but will keep looking.
    • May block this set of attacks enough to buy time.
    • Not a replacement for parameterizing all queries.
    • open-source Ionics ISAPI rewrite filter http://www.codeplex.com/IIRF/
      • Filter requires a copy of the DLL and INI file in separate folder for each site, then point each site to that DLL
    • Helicon ISAPI Rewrite (commercial): http://www.isapirewrite.com/
    • Backup the rule configuration files
  • Optionally, look at an application firewall that can block certain types of requests. Rules are options. Not guaranteed to block everything, and can have false positives, but protects the whole server and individual sites, and is highly configurable. Again, not a replacement for parameterizing all queries.
    • Applicure dotDefender; $4000 for a server
      • http://www.applicure.com/
  • Each and every query should pass variables to database using CFQueryParam. Use QueryParam scanner (http://qpscanner.riaforge.org/) on source folders to find queries that might be missing.
  • Any code that uses URL or Form-supplied values to determine SQL columns or sort order, should check against a list of valid columns etc. Don’t use those values directly in the query without checking.
  • If you have cached queries that get user-entered values, CF before 8.01 doesn’t allow caching queries that use cfqueryparam. Consider other options, like caching the query without that WHERE clause and then doing a query on that query.
  • Validate form fields; check the values of ID fields entered in the URL before they get to the query, then display a nicer message to the user instead of an error message.
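
As an added example (not code from the original article), the following listing page applies the last four recommendations above in one place: CFQueryParam on every value, a whitelist for the sort column and direction, a cached query without the user-supplied WHERE clause filtered by a query-of-queries, and validation of the ID before any query runs. The datasource `myDSN`, the `products` table and its columns are assumptions.

```cfml
<!--- Added example, not from the original article: one listing page applying the last four
      recommendations. The datasource "myDSN", the products table and its columns are assumed. --->
<cfparam name="url.categoryID" default="0">
<cfparam name="url.sortBy" default="name">
<cfparam name="url.sortDir" default="asc">

<!--- Validate the ID before it reaches any query; show a plain message instead of a database error. --->
<cfif NOT IsValid("integer", url.categoryID) OR url.categoryID LT 1>
    <cfoutput><p>Please choose a category from the menu.</p></cfoutput>
    <cfabort>
</cfif>

<!--- Column and direction names cannot be bound with cfqueryparam, so map the user's choice to
      a fixed list and put only the list entry, never the user's text, into the SQL. --->
<cfset allowedSorts = StructNew()>
<cfset allowedSorts["name"]  = "productName">
<cfset allowedSorts["price"] = "unitPrice">
<cfset allowedSorts["added"] = "dateAdded">
<cfif NOT StructKeyExists(allowedSorts, url.sortBy)>
    <cfset url.sortBy = "name">
</cfif>
<cfset orderColumn = allowedSorts[url.sortBy]>
<cfif url.sortDir EQ "desc">
    <cfset orderDir = "DESC">
<cfelse>
    <cfset orderDir = "ASC">
</cfif>

<!--- Cache the full product list (no user value in it, so cachedwithin works on CF before 8.0.1),
      then filter and sort the cached result with a query-of-queries. The category value is still
      bound with cfqueryparam, and the ORDER BY names come only from the whitelist above. --->
<cfquery name="allProducts" datasource="myDSN" cachedwithin="#CreateTimeSpan(0, 1, 0, 0)#">
    SELECT productID, productName, unitPrice, dateAdded, categoryID
    FROM   products
</cfquery>

<cfquery name="products" dbtype="query">
    SELECT   productID, productName, unitPrice, dateAdded
    FROM     allProducts
    WHERE    categoryID = <cfqueryparam value="#url.categoryID#" cfsqltype="cf_sql_integer">
    ORDER BY #orderColumn# #orderDir#
</cfquery>

<cfoutput query="products">
    <p>#productName# (#DollarFormat(unitPrice)#)</p>
</cfoutput>
```

The whitelist is the important part for the sort parameters: `url.sortBy` is only ever used as a key to look up a column name that the code itself defines, so an unexpected value falls back to the default rather than reaching the query.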

 

Resources: 

CF-Talk discussions on the issue:

http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57221

http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:57241

http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:310594

 

Good description on how this attack works:

http://www.coldfusionmuse.com/index.cfm/2008/7/18/Injection-Using-CAST-And-ASCII

 

on Ben Forta’s blog:

http://www.forta.com/blog/index.cfm/2005/12/21/SQL-Injection-Attacks-Easy-To-Prevent-But-Apparently-Still-Ignored

http://www.forta.com/blog/index.cfm/2008/7/22/For-Goodness-Sake-Use-CFQUERYPARAM-Already

http://www.forta.com/blog/index.cfm/2008/7/23/Hacker-Webzine-Recommends-Use-Of-CFQUERYPARAM


QueryParam scanner (search CF code for queries that are probably missing cfqueryparam):

http://qpscanner.riaforge.org/

 

HP Scrawlr: finds web pages vulnerable to SQL injection attacks on your own sites.

http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2008/06/23/finding-sql-injection-with-scrawlr.aspx

ColdFusion developer security guidelines

These ColdFusion developer security guidelines from Adobe are cool! And so much of the code that I review from other (best unnamed) organizations doesn't follow these simple tips. Check it out at the URL below and make sure that your apps are secure!

http://www.adobe.com/devnet/coldfusion/articles/dev_security/coldfusion_security.pdf

BlogCFC was created by Raymond Camden. This blog is running version 5.9.8.012.