Support Forums

Old 01-17-2008, 02:25 PM   #1
Member
 
 
Join Date: Nov 2007
Posts: 41
Rep Power: 8
pauljr is on a distinguished road
Default Hacker Safe Seal

Has anyone tried to get a hacker safe seal for their classifieds from the many websites that scan your server daily for vulnerabilities? I have found Hackerguardian to be the most affordable at $79 per year. Any thoughts?
__________________
~Paul
Developer 3.1.10
buyswapsell.com

Last edited by pauljr; 01-17-2008 at 02:40 PM.
pauljr is offline   Reply With Quote
Old 01-18-2008, 02:01 AM   #2
Senior Member
 
Join Date: Oct 2007
Location: victoria, Australia
Posts: 179
Rep Power: 11
paulsra is on a distinguished road
Default

Good question, I'm interested in this answer as well.
paulsra is offline   Reply With Quote
Old 01-18-2008, 10:29 AM   #3
Staff
 
Join Date: Mar 2006
Posts: 410
Rep Power: 22
Blair will become famous soon enough
Default

I had a friend who ran an ecommerce site and signed up for one of these services. After a few months, his site got hacked and he received no notices beforehand from the company. He was rightly pissed for wasting the money.

In my opinion, I think that if you're going to spend the money, you should find a host with a higher customer support rating (and probably a bit more expensive) than to spend the money on a third-party monitoring service. A lot of hosts have monitoring services in place anyway.

Also, if you want excellent support and friendly service (and run cPanel on your server), we had very good service from http://www.configserver.com/
__________________
Blair
68C Staff

Blair is offline   Reply With Quote
Old 01-18-2008, 11:36 AM   #4
Member
 
 
Join Date: Nov 2007
Posts: 41
Rep Power: 8
pauljr is on a distinguished road
Default

Well half of the reason to get these seals in my opinion is to give the consumer more confidence and they will be more likely to buy ads with their cc numbers. They can't prevent an attack but do ensure the consumer you are fully patched for the latest known vulnerabilities. I have applied for a free scan and will share the results with 68classifieds if anything pertains to this program in the coming days.
__________________
~Paul
Developer 3.1.10
buyswapsell.com
pauljr is offline   Reply With Quote
Old 01-18-2008, 11:55 AM   #5
Staff
 
Join Date: Mar 2006
Posts: 410
Rep Power: 22
Blair will become famous soon enough
Default

You're absolutely right, Paul! Having the seal on your site DOES provide a sense of security for your visitors who may not otherwise become customers. So, in the end, it very well may pay for itself.
__________________
Blair
68C Staff

Blair is offline   Reply With Quote
Old 01-18-2008, 12:59 PM   #6
68 Evangelist & Developer
 
 
Join Date: Jan 2007
Location: Pennsylvania, USA
Posts: 1,624
Rep Power: 47
Mike-N-Tosh is just really nice
Default

Of course on the other hand, it's an open invitation to hackers to attempt to hack you.

It's kind of like the people that put those huge manufacturer stickers on their windshields about their car stereo. It's like saying, "I got a kick-ass car stereo, steal me!"

To each his own.
__________________
Mike-N-Tosh
IndianaPC.org - A community website (v3.1.10 Developer - heavily modified)
Sandbox (v3.1.10, v4.0.9, 4.1.3)
I am not a 68C employee, just a user and try to help out
Mike-N-Tosh is offline   Reply With Quote
Old 01-18-2008, 01:32 PM   #7
PHP Mechanic
 
 
Join Date: Nov 2007
Posts: 118
Rep Power: 11
cheesegrits has a spectacular aura about
Default

Quote:
Originally Posted by Mike-N-Tosh View Post
Of course on the other hand, it's an open invitation to hackers to attempt to hack you.
I very much doubt that. The days of "hackers" being spotty kids looking at your site and saying "Oh, they think they are hacker proof, I'll teach them ... clickety click clickety click ..." are long gone. If they ever existed.

The vast majority (like 99.999%) of hacks these days are achieved by the large spambots and zombie nets, scanning the net on autopilot, using exactly the same initial scanning techniques as Google and friends. They are looking for either known vulnerabilities in popular applications (like Joomla, or vBulletin, or WordPress, etc), or generic weaknesses like carelessly coded forms that allow SQL or code injection, forms that allow third party spamming, etc.

Assuming you run a broadband connection at home, take a look at your router logs some time. You'll probably see several hundred attempts a day to access port 80 on your main external IP. Those are all botnets trying to sniff you out and probe for vulnerabilities.

Basically, we are in an infowar, and most people have no idea what's going on. For instance, the RBN (Russian Business Network) is estimated to have infected anything up to several million PCs with various forms of identity theft and spamming malware. They recently expanded into hacking server sites to deliver their malware payloads, and nobody even has an estimate of how many servers may have been affected. And that's just one example of many.

-- hugh
cheesegrits is offline   Reply With Quote
Old 01-18-2008, 01:37 PM   #8
civ
Senior Member
 
civ's Avatar
 
Join Date: Mar 2006
Location: Greer, SC
Posts: 670
Rep Power: 27
civ will become famous soon enough
Default

If there was ample, independent proof that these seals did indeed improve conversions by a large enough degree to pay for themselves, we'd use them in a heartbeat. I just have my doubts.
civ is offline   Reply With Quote
Old 01-18-2008, 01:57 PM   #9
PHP Mechanic
 
 
Join Date: Nov 2007
Posts: 118
Rep Power: 11
cheesegrits has a spectacular aura about
Default

Quote:
Originally Posted by Blair View Post
In my opinion, I think that if you're going to spend the money, you should find a host with a higher customer support rating (and probably a bit more expensive) than to spend the money on a third-party monitoring service. A lot of hosts have monitoring services in place anyway.
Beg to differ.

As long as your hosting company keeps the OS up to date, which most do, then you are as safe as you can be from generic OS/httpd based attacks.

Almost all successful attacks are vectored through weaknesses in specific web applications, not the OS or main service applications like Apache. Stuff like PHP code that doesn't properly clean form inputs, that just casually inserts $_REQUEST values into the db, allows HTML input without proper XSS cleaning, doesn't check for directory manipulation in upload paths, allows Register Globals, etc.

And your host has nothing to do with that. Software you run on your server is your responsibility. I've never met a host that will scan your non-mainstream applications for vulnerabilities. Some will test for known problems with popular apps like Joomla or vBulletin, but very few even offer that. As a systems administrator, relying on your hosting company to do your job is a Bad Idea (<TM>).

Sure, you should choose a hosting company with a decent reputation, that keeps the system up to date and applies security patches in a timely manner. But you still need to find every way you can to make sure the web applications you run are well written, and do whatever you can to test them on a regular basis.

If a third party monitoring service can help, then it has to be worth investigating. Especially if it claims to be able to probe for generic weaknesses, rather than a simple list of known vulnerabilities.

Sorry to bang on about this, but I know so many people who got hacked and lost EVERYTHING because they relied on their hosting company to do their job, didn't take basic precautions, didn't keep their applications up to date, and (worst of all) didn't keep their databases backed up!

Have You Hugged Your Database Today?

-- hugh
cheesegrits is offline   Reply With Quote
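The application-level weaknesses listed in the post above (request values inserted into SQL, HTML shown without encoding, directory manipulation in upload paths), written in hardened form as an added example that is not part of the original thread and is not 68 Classifieds code. The `listings` table, the function names and the image-only filename rule are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not 68 Classifieds code. Table, function and file names are hypothetical.
// Register Globals: keep register_globals = Off (the directive was removed in PHP 5.4).

// 1. Database: bind the request value as a parameter instead of pasting it into SQL.
function find_listings(PDO $db, string $category): array
{
    // Weak form: "... WHERE category = '" . $_REQUEST['category'] . "'"
    $stmt = $db->prepare('SELECT id, title FROM listings WHERE category = :category');
    $stmt->execute([':category' => $category]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Output: encode stored user text for the HTML context when displaying it.
function render_title(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 3. Uploads: accept only a bare image filename (no directory separators, no
//    leading dot) and build the target path from the server-side directory.
function safe_upload_path(string $uploadDir, string $clientName): ?string
{
    $base = realpath($uploadDir);
    $ok = preg_match('/\A[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.(jpe?g|png|gif)\z/i', $clientName);
    return ($base !== false && $ok === 1) ? $base . DIRECTORY_SEPARATOR . $clientName : null;
}

// Constructed sample data and inputs, standing in for $_REQUEST and $_FILES values.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT, category TEXT)");
$db->exec("INSERT INTO listings (title, category) VALUES ('Bike <b>cheap</b>', 'sports'), ('Sofa', 'home')");

$hostile = "sports' OR '1'='1"; // constructed input containing SQL syntax
$tmp = sys_get_temp_dir();

printf("rows for hostile category: %d\n", count(find_listings($db, $hostile)));
printf("encoded title: %s\n", render_title(find_listings($db, 'sports')[0]['title']));
printf("traversal name accepted: %s\n",
    var_export(safe_upload_path($tmp, '../../index.php') !== null, true));
printf("plain image name accepted: %s\n",
    var_export(safe_upload_path($tmp, 'photo.jpg') !== null, true));
```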
Old 01-18-2008, 02:04 PM   #10
Staff
 
Join Date: Mar 2006
Posts: 410
Rep Power: 22
Blair will become famous soon enough
Default

Quote:
Originally Posted by cheesegrits View Post
Software you run on your server is your responsibility.
I assumed people were already aware of this. However, pointing it out (as you have) was a good idea and I should have done so.

Quote:
Originally Posted by cheesegrits View Post
Sure, you should choose a hosting company with a decent reputation, that keeps the system up to date and applies security patches in a timely manner.
That's what I meant by choosing a good (or better) host.

I view monitoring services just like I view people who stare and point at a fire screaming "FIRE!". What I wanna know is - who's got the extinguisher?
__________________
Blair
68C Staff

Blair is offline   Reply With Quote
