Security: Where business and technology clash

One thing where business and technology clash is the topic of security. Aside from building the site, we also offer a SLA for managing the software and security updates. Some clients choose to do this, others don't. And so you're left with insecure software on your servers.

One (but I'm sure far from the only) thing where business and technology clash is the topic of security. A lot of the projects that we do for clients are based on Joomla! (previously Mambo) technology. Aside from building the site or application, we also offer a SLA for managing the software and, for instance, installing security updates. Some clients choose to do this, others don't. And so you're left with insecure software on your servers. Two weeks ago, we were hacked. Unfortunately, due to the logging policy of the company we rent our servers from, we could not check the access logs of the moment we got hacked to see how they got in, but we suspect they got in through a security vulnerability in one of those old components of a client that does not have a SLA. However, even clients with a SLA were affected. Why? Because every time you upload a file (something that in Joomla! is common even for component installation), the files are stored on the server with the owner 'www-data', the Apache user. And so if a hacker gets in through a vulnerable PHP script, which is executed by Apache, it can write to every single file writable for the Apache user. As we found out about the hack, we immediately started to clean the mess and figure out what had happened. The latter turned out to be impossible, but the former was of course possible and one hell of a job. It turned out that the "hacker" was really a spammer, who was earning money by getting impression on a site called Free20, by adding his referral ID to a url in an iframe that he appended to all writable PHP, HTML, Javascript and other similar textfiles. Result: Most sites were giving errors and showing tons of iframes instead of the site it should be showing. Luckily, as we found out, the spammer used only two or three different iframe strings, so pretty quickly we were able to write a script that grep-ed for the "free20" string, and then went through all affected files to replace the used strings by an empty string. All in all though, that was a pretty useless Sunday evening to spend of course. But here we thread on dangerous territory. Of course, from a technical standpoint, every time a security patch comes out, this should be installed on all sites that are vulnerable that you manage. But this is where the business comes in. They of course want the client to pay for the time that we spend on this patching. And this is understandable: Time spent on installing security patches is time not spent on projects that are bringing in money. But by not installing it, two expensive senior developers spend their Sunday cleaning up things. And in this case, I immediately also set out to do a full week of assessing other dangers to the server integrity. So that's expensive time that could've otherwise been spent on those paying projects as well. Also, even sites of clients with a SLA were affected. And it's hard to sell to those clients that even though they have a SLA and their sites are kept secure, they got affected by a hack. So at this moment, the server is clean and we have a clear view on what could be seen as a threat to our security. We are in the process of getting a different server setup and clear procedures on the deployment of sites. Yet still the problem remains: How to handle the SLA vs non-SLA clients. Our solution at this time is simply to have one server dedicated to SLA clients. All projects running on this server can be deemed secure, and the changes of hackers getting into this server are very slim, unless we have unknown vulnerabilities in our code. The other server will contain sites of clients that do not have a SLA. We clearly notify them of their risks, and that they will have to pay if ever the server gets hacked and they want us to clean it up. That way, the client will know of the risk and willingly take it, and in the case of a hack on this server, we will be able to get paid for cleaning it up. If there is anyone here with similar experiences or with other solutions to this problem, I'd gladly hear of them.
May 30, 2007 - tags: technology
Add comment

Php5_zce_logo

Upcoming events

I will be speaking 17-02-2012: Techademy Trainingday February
I will be speaking 23-02-2012: Zend Webinar: Git for Subversion Users

Tags

1337 2008 2010 2011 4developers access modifiers accessibility AdaLovelaceDay09 advent agavi agile alfred amsterdam apache api apple article articles atk atkMetaNode audioscrobbler automation azure backwards compatibility barcelona barcodes bash bbc bbq beatstad belgium best practices bittorrent blogging blogs boards of canada book books bughuntday bundle caching cake cal evans calendar career cat cerf certificate cfp clear cms cologne common sense communities community components conference conferences contest continuous integration contribute contribution crisis css custom d-day datetime DbFinderPlugin decorator decorators deployment devdays development directoryindex docblox doctrine documentation download dpc dpc09 dpc10 dpc11 DPC2008 dreamhost drupal dv7 eclipse ed editors efficiency enterprise errors event events expertise ezcomponents facebook finland flickr fork framework frameworks freelance freeze frontend fun game games geoip germany getting real git github gnome-do google google calendar googletalk graceful degradation hack hackers hidden gem hiphop howto hp HR html http i386 ibuildings icann ide ideasofmarch idm imovie indy ingewikkeld integration international php conference internet interview ipad IPC ipc ipc08 ipc10 ipc11se iterm2 javascript jenkins jenkins-php job job openings jobeet john peel joomla joomladays kiva kubuntu launcher launchy left on the web libraries library lighttpd lime linktuesday linux live london loudblog m2ts mac magazines malware mambo marjolein mediterra meeting meme meta methodology micro-financing microframework microsoft migration movie music mysql namespace namespaces netbeans netherlands newsfire nllgg nos odmarco open source opinion ORM osx paradiso paris partnership pavilion pear pecl performance personal pfc10 pfc11 pfcongres pfcongrez pfz photo php php5.3 phpabstract phpazure phpBB phpbb phpbelgium phpbenelux phpbnl10 phpday phpdoc phpdocumentor phpgg phpitalia phpnw phpnw08 phpnw11 phpstorm phptek phptek09 phpuk2009 phpUnderControl phpunit php|architect php|tek podcast politics portability postcrossing presentation presentations private projects protected prototype PSR-0 public python qa qr codes re2c recruiting refactoring review rewrite ruby on rails san francisco schedule scifi script security sensio seven things sfdaycgn sflive2011 shell scripting silex simplexml slides smfony software sogeti solar sound speakers spl ssh standard standards star trek static steer strings stylesheets subversion symfony symfony live Symfony2 symfonycamp symfonyday symfonylive symfonyUnderControlPlugin talk talks techademy technology techportal tek09 telecommuting terratec terrorism testfest testing textmate textpattern the right tool timeout tips tld todo tomas tools training twig uncon unet usability usergroup validation vhost video vim vinyl virus warp webinar weblogging webservices wiki windows winphp women wordpress work workshop world world of warcraft wpi writing wunderlist xml xpath xsd yara year youtube zc11 ZCE zemanta zend zend framework zend server zend studio zendcon Zend_Form zite
© 2004 - 2012 Stefan Koopmanschap + Powered by Symfony, photos powered by Flickr, links powered by Delicious, Shanghai smilies by Iconbuffet. Feeds: rss / atom. Left on the Web v4.4.0.1