A New CFC Website??


  • #46
    Re: A New CFC Website?? Security Weakness Is Critical

    Originally posted by Gary Ruben
    Do you think the attacks on the current site are random?
    While I am not Bob, some thoughts:

    In July, chess.ca had a link to a "dangerous" site (see my post on http://www.chesscanada.info/forum/sh...64&postcount=1). Other sites reported similar problems (having a link) a little bit earlier (e.g. http://isc.sans.org/diary.html?storyid=6811).
    Thus I suspect it was a random attack.

    Comment


    • #47
      Re: A New CFC Website??

      Sorry to say, but seems that the site (rating part) was hacked again.

      Now it has a link to "a0v.org/x.js"

      Keep eyes open to any computer message.



      (I censored a tournament name)
      Last edited by Egidijus Zeromskis; Monday, 21st September, 2009, 02:11 PM.

      Comment


      • #48
        Re: A New CFC Website?? Security Weakness Is Critical

        Originally posted by Egidijus Zeromskis
        While I am not Bob, some thoughts:

        Thus I suspect it was a random attack.
        You didn't answer question 2.

        I understand you simply suspect it was random. Are you saying it was coincidentally struck again since it was cleaned up? That would be a real coincidence!
        Gary Ruben
        CC - IA and SIM

        Comment


        • #49
          Re: A New CFC Website?? Security Weakness Is Critical

          Originally posted by Gary Ruben
          You didn't answer question 2.

          I understand you simply suspect it was random. Are you saying it was coincidentally struck again since it was cleaned up? That would be a real coincidence!
          It is perhaps not entirely random: there are numerous processes that scan websites looking for known vulnerabilities to exploit. Hackers employ fleets of previously hijacked computers to perform this scanning (and by "fleets" I am talking about hundreds of thousands of computers). It is conceivable that websites that yielded once are on a short list of 'juicy' potential targets.

          I suppose it is possible that someone who is not thrilled with the CFC deliberately is targeting the website (there are likely a few people with a grudge) but that seems rather paranoid to me.
          ...Mike Pence: the Lord of the fly.

          Comment


          • #50
            Re: A New CFC Website??

            Originally posted by Egidijus Zeromskis
            Sorry to say, but seems that the site (rating part) was hacked again.

            Now it has a link to "a0v.org/x.js"

            Keep eyes open to any computer message.
            This is very sad. There are two possibilities. Either the contractors hired by the CFC to clean the database of infected strings didn't do a very good job. Or equally as bad they didn't implement a filter on input data to prevent further injection attacks. In either case, the CFC web site is still in bad shape.

            Some browsers like Chrome and Firefox will warn you not to visit the CFC web site. Internet Explorer won't do you that service. For the time being, I would recommend that CFC members don't query the web site for their ratings. After conducting a limited and unscientific survey of the CFC database, it seems that only some portion of the database has been infected but that's scant comfort if the data you're looking up is polluted with links to malware.

            It looks right now that a fully patched computer will block the malware that is being distributed through the link to "a0v.org/x.js"; however, it is probably best to be safe rather than sorry.

            As of mid-August, over 55,000 web sites worldwide had been compromised by this attack. That doesn't excuse the fact that the CFC web site is a mess -- it just shares its mess with 55,000 other badly maintained web sites.

            Comment


            • #51
              Re: A New CFC Website?? Security Weakness Is Critical

              Originally posted by Gary Ruben
              You didn't answer question 2.

              I understand you simply suspect it was random. Are you saying it was coincidentally struck again since it was cleaned up? That would be a real coincidence!
              Regarding the second question:
              "2. Do you think the attacks on the site will stop or be unsuccessful with a new setup?"
              I am not a wizard :)
              Attacks will never stop, they will go on forever. There are a lot of scripts walking around and searching for vulnerable sites.

              However, there are ways to prevent (avoid) damages. You must be ahead of this and try not to step on the rake the second time...


              ----

              Two posts above mine appeared while I wrote mine. I totally agree with both of them.
              Last edited by Egidijus Zeromskis; Monday, 21st September, 2009, 02:48 PM. Reason: postediting

              Comment


              • #52
                Re: A New CFC Website?? Security Weakness Is Critical

                Originally posted by Gary Ruben
                You didn't answer question 2.

                I understand you simply suspect it was random. Are you saying it was coincidentally struck again since it was cleaned up? That would be a real coincidence!
                I agree with Kerry. The site is infected again just because it is vulnerable. There's nothing deliberate here or malicious in a directed sense against the CFC. It is simply the case that if a vulnerability exists, it will be found and it will be exploited independent of what site it is. It's all done automatically. That's what makes the propagation of malware so efficient.

                Comment


                • #53
                  Re: A New CFC Website?? Security Weakness Is Critical

                  Originally posted by Steve Karpik
                  I agree with Kerry. The site is infected again just because it is vulnerable. There's nothing deliberate here or malicious in a directed sense against the CFC. It is simply the case that if a vulnerability exists, it will be found and it will be exploited independent of what site it is. It's all done automatically. That's what makes the propagation of malware so efficient.
                  I thought the ratings were an add on which could be separately repaired or rewritten.

                  Lots of chess organizations have lookup ratings. FIDE, ICCF, other national federations and at least some private servers.
                  Gary Ruben
                  CC - IA and SIM

                  Comment


                  • #54
                    Re: A New CFC Website??

                    When large sum$ are involved, one has to be cautious. Let us not be naive. Why is the site hacked? When a crime is involved, follow the money. Who stands to benefit? If there are tens of thousand$ to be made by fixing web sites, the person doing the fixing is suspect. If the fixers are infecting web sites they stand to profit from people (or groups) willing to pay huge sums to effect repairs. If the CFC forks out 10 or 20 Gs are they perhaps paying the blackmailer?
                    Am I being paranoid or merely cynical?:(

                    Comment


                    • #55
                      Re: A New CFC Website??

                      Originally posted by Vlad Dobrich
                      Am I being paranoid or merely cynical?:(
                      Someone was suggesting I'm being paranoid.

                      Unless some fantastic deal came along, like almost free, I'd keep the existing site. I can't see anything the CFC is doing, or a large enough membership, to justify spending that kind of money on a new website.

                      It's actually pretty funny. CFC governors wanting to spend that kind of money on a website and kids building their own sites, which are just as good, for free. :)
                      Gary Ruben
                      CC - IA and SIM

                      Comment


                      • #56
                        Re: A New CFC Website?? Security Weakness Is Critical

                        Originally posted by Steve Karpik
                        I agree with Kerry. The site is infected again just because it is vulnerable. There's nothing deliberate here or malicious in a directed sense against the CFC. It is simply the case that if a vulnerability exists, it will be found and it will be exploited independent of what site it is. It's all done automatically. That's what makes the propagation of malware so efficient.
                        Hi Steve:

                        I'm a little out of date on this but I'm assuming this is a SQL injection attack again. Shouldn't this be relatively easy to block/filter since the only parts of the CFC site open to it are the ratings page (maybe the crosstable page?) and anything in the equipment store. So why not just shut down the equipment store and be done with it?

                        (And maybe somebody should re-think how the equipment business is outsourced.)

                        Even so, it's not hard to pass *any* input into a filter function to strip out the unexpected SQL, whether the application is ASP-based or not.

                        Steve

                        P.S. And once somebody's 'bot manages to breach your site once, it will keep on trying.

                        Comment


                        • #57
                          Re: A New CFC Website?? Security Weakness Is Critical

                          Originally posted by Steve Douglas
                          Hi Steve:

                          Even so, it's not hard to pass *any* input into a filter function to strip out the unexpected SQL, whether the application is ASP-based or not.

                          Steve

                          P.S. And once somebody's 'bot manages to breach your site once, it will keep on trying.
                          Yes, a filter on any input would be a good idea. Writing a good filter is non-trivial since attackers often use clever encryption schemes to hide their malicious payload. Additionally using stored procedures for SQL queries can help make a web site more resistant to attacks.

                          Security is possible for classic ASP web sites but it is easier working through these problems in ASP .Net.

                          For classic ASP web sites (like the CFC web site), a really nice tool from Microsoft is called UrlScan. It's a web server add-on that intercepts postbacks, url query strings, etc. and can be told to look for SQL injections. I've used this on legacy ASP sites and it works pretty well. Here's a link to some info on URLscan:

                          http://blogs.iis.net/nazim/archive/2...assic-asp.aspx

                          However I'm not sure that all web hosts would facilitate installing UrlScan. The link I've quoted also includes some ASP code for filtering input.

                          Comment
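Posts #50, #56 and #57 turn on three practical points: the ratings lookup pastes visitor input into a SQL statement, an input filter plus parameterized queries (or stored procedures) closes that door, and the database already holds injected script references that a survey should find. The block below is an added example written for this thread, not code from the CFC site or from any poster; it uses SQLite and constructed sample rows, and every function name in it is hypothetical. It shows the concatenated lookup beside the bound-parameter lookup, a digits-only filter for the CFC id, and a scan that walks every text cell for an embedded script source.

```python
import re
import sqlite3

# Constructed sample data standing in for the CFC ratings table. The second
# row has already been "polluted" the way the thread describes: its name
# column carries a reference to the a0v.org/x.js script the posts mention.
SAMPLE_ROWS = [
    (1001, "Alice Example", "Toronto", 2105),
    (1002, 'Bob Example<script src="http://a0v.org/x.js"></script>', "Ottawa", 1850),
    (1003, "Carol Example", "Montreal", 1990),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE players (cfc_id INTEGER, name TEXT, city TEXT, rating INTEGER)"
    )
    conn.executemany("INSERT INTO players VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, raw_id):
    """The pattern that gets a site injected: the visitor's text is pasted
    straight into the SQL, so anything that is not a bare number becomes
    part of the query instead of a value."""
    sql = "SELECT name, rating FROM players WHERE cfc_id = " + str(raw_id)
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, raw_id):
    """Bound parameter: the driver sends the input as a value, never as SQL
    text (the same protection a stored procedure with typed parameters gives
    a classic ASP page)."""
    return conn.execute(
        "SELECT name, rating FROM players WHERE cfc_id = ?", (raw_id,)
    ).fetchall()


def clean_cfc_id(raw_id):
    """The input filter the thread asks for, as a second layer: a CFC id is
    digits only, and anything else is rejected before it reaches the query."""
    text = str(raw_id).strip()
    if not text.isdigit():
        raise ValueError("CFC id must be numeric: %r" % (raw_id,))
    return int(text)


# Matches a <script ... src=VALUE> fragment anywhere inside a text cell.
SCRIPT_SRC = re.compile(r"""<script[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def scan_for_injected_scripts(conn):
    """Survey every text cell of every table for an embedded script source and
    return (table, column, rowid, src) for each hit: the 'limited survey of
    the database' from the thread, done exhaustively."""
    hits = []
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        columns = [info[1] for info in conn.execute('PRAGMA table_info("%s")' % table)]
        for row in conn.execute('SELECT rowid, * FROM "%s"' % table):
            rowid, values = row[0], row[1:]
            for column, value in zip(columns, values):
                if isinstance(value, str):
                    for match in SCRIPT_SRC.finditer(value):
                        hits.append((table, column, rowid, match.group(1)))
    return hits


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology input:", lookup_vulnerable(db, "1001 OR 1=1"))
    print("parameterized, same input:  ", lookup_parameterized(db, "1001 OR 1=1"))
    for hit in scan_for_injected_scripts(db):
        print("injected script in %s.%s rowid %d -> %s" % hit)
```

Run against the constructed rows, the concatenated lookup returns the whole table for the non-numeric input while the bound lookup returns nothing, and the scan reports the one polluted cell with the exact script source it carries. A real cleanup would run the scan before and after the contractors' work, since a clean scan is the only evidence that the "infected strings" are actually gone.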


                          • #58
                            Re: A New CFC Website??

                            Originally posted by Bob Armstrong
                            Hi Vlad:

                            1. I take it that you see no reason that CFC cannot continue on with the existing website.

                            2. You mention ASP support - I do not understand this technical issue. But Stijn de Kerpel, CFC V-P has posted:

                            "Another problem is as Chris has stated is that it requires ASP support - which is (from what I understand) something very few providers provide support to anymore - which makes it all the more difficult when we ask someone to find the problem and solve it, or even to do some enhancements."

                            Has he got a critical concern here, that means we should move to a new website?

                            3. What do you see as the most difficult aspects of continuing on with the existing website?

                            Bob
                            1. Yes.

                            2. Change web hosting companies to Cogeco which will charge $30 per month or a bit less if you pay by the year. ASP support will then become a non-issue and you will have 24 hour support 365 days a year. If you have a problem and call their toll free support line you will get to talk to a real person based in Canada who will understand your problem after you explain it to them and will get it resolved.

                            3. The people running it which will not be resolved by updating the website. The CFC will spend money that could go to funding the Olympic team and Canadian Closed and promoting chess on a website which will not make any difference if you keep everything else the same.

                            I just wish the CFC will drop its propensity to shoot itself in the head but maybe I am hoping for too much and should just shut up and let the inevitable happen again and again and again.

                            Vladimir Drkulec

                            Comment


                            • #59
                              Re: A New CFC Website??

                              Originally posted by Bob Armstrong
                              Hi Chris:

                              If I'm not mistaken, most of what you complain about has to do with content maintenance - misplaced and dated as John Cordes has said. This has more to do with our contract with EKG and the limited 3.5 days Gerry allots to CFC for all " normal " operations, than website design or program coding - he has no time to update the website or rearrange it to make it more organized.

                              Here is a list I have sent to Stijn to be done:

                              1. “ Contact Us “ – a) there are 18 Ontario governors shown, and Ontario is only entitled to 17, according to Gerry. OCA President Chris Mallon must recall one of the Ontario governors;
                              b) the governor Can. Champion and runner-up have to be replaced – Jean Hebert and Mark Bluvshtein;

                              c) I submitted a picture of myself to the Governors’ List, but Gerry had some technical problem posting it and said he needed some expert techie help on what was the problem. Here is the picture attached again;

                              2. Top Females – Hazel Smith ( 2015 ) is still missing ( Yuanling Yuan, who had been missing, has been added however );
                              3. Home Page – Canadian Champions – all needed to be updated to show 2009 Champions ( still showing 2007 & 8 champions );
                              4. Home Page “ Store “ advertisement:
                              The home page shows:

                              Sale
                              Most books and software 50% OFF.
                              No backorders.
                              While supplies last.
                              Free shipping on orders over $100.
                              Go to the CFC store.

                              I thought this was an item from a long time ago, when CFC was selling its own inventory of books when we were just setting up our arrangement with Amazon. Is this still current? Are we still selling off some of our own CFC past inventory?

                              I know we are still in the equipment/supplies business, with FEN as agent to deliver on our contracts - but does it still include books, since the reference is to our “ store “ ?

                              5. Olympic Team, etc. information not labelled to show its relevant date ( one can wrongly think it is current information ) - you mention this - I mentioned it to Gerry some time ago I believe, but forgot to put it on this list ( you also mention it ).

                              And your list of content/presentation updates and reorganizations ( all of which can easily be done on the existing site, given enough time ) adds more outstanding work to be done.

                              But, as I say, I don't see this as the argument for needing a new website.

                              Bob
                              I agree. In my opinion content maintenance is the only important problem. When you manage a website, if people send you content then 90% of the problems are solved. If many people send content regularly with some lists of changes then the job of the webmaster is 75% easier. He will always feel that it is too much but since the content is already built, he spends a few hours in the code without having to WRITE texts and the job is done.

                              For the security problems, since there is little DATA INPUT from the users (TRANSACTIONAL) on the website it is probably easier to let the actual webmaster work on it and find solutions and slowly take control of the environment by closing the open doors. If it is too difficult for him to close the hackers' doors then he could have a batch job at night to generate HTML lists of tournament schedules and ratings so that there would be no ONLINE TRANSACTIONAL at all. I have not seen the CFC system in detail but you have the idea. With no TRANSACTIONAL online then the batch could run on his own home PC and the html pages could be hosted for free at www.emenace.com or www.freewebhostx.com with no servers at all.

                              Carl
                              Last edited by Carl Bilodeau; Tuesday, 22nd September, 2009, 02:13 PM.

                              Comment
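Carl's suggestion in #59, a nightly batch that writes static HTML so the public site runs no live queries at all, removes the injection surface but still has to cope with rows that are already polluted. The block below is an added example for this thread, not code from the CFC site or from any poster; the rows are constructed and the function names are hypothetical. It renders a ratings snapshot with every cell HTML-escaped, so an injected script reference comes out as visible text rather than a working tag, and it writes the per-player files under names derived from the numeric id only.

```python
import html
import os
import tempfile

# Constructed rows (not CFC data) representing the batch job's input; the
# second one carries the kind of injected script the thread reports, to show
# that the published page renders it as inert text.
RATING_ROWS = [
    (1001, "Alice Example", "Toronto", 2105),
    (1002, 'Bob Example<script src="http://a0v.org/x.js"></script>', "Ottawa", 1850),
    (1003, "Carol Example", "Montreal", 1990),
]

HEADERS = ("CFC id", "Name", "City", "Rating")


def esc(value):
    """HTML-escape one cell so <, >, & and quotes cannot form markup."""
    return html.escape(str(value), quote=True)


def render_ratings_page(rows, generated_on):
    """Build one complete static ratings page as a string."""
    lines = [
        "<!DOCTYPE html>",
        '<html><head><meta charset="utf-8">',
        "<title>Ratings list (generated %s)</title></head><body>" % esc(generated_on),
        "<table>",
        "<tr>" + "".join("<th>%s</th>" % esc(h) for h in HEADERS) + "</tr>",
    ]
    for row in rows:
        lines.append("<tr>" + "".join("<td>%s</td>" % esc(v) for v in row) + "</tr>")
    lines += [
        "</table>",
        "<p>Static snapshot generated %s; nothing on this page queries a database.</p>"
        % esc(generated_on),
        "</body></html>",
    ]
    return "\n".join(lines)


def has_live_script(page):
    """Check a rendered page for a real script tag (escaped text does not count)."""
    return "<script" in page.lower()


def publish(rows, out_dir, generated_on):
    """Write index.html plus one page per player into out_dir; refuse to
    publish anything that still contains a live script tag. Returns the
    list of paths written."""
    os.makedirs(out_dir, exist_ok=True)
    pages = [("index.html", render_ratings_page(rows, generated_on))]
    for row in rows:
        # File names come from the numeric id only, never from user-supplied text.
        pages.append(("player-%d.html" % int(row[0]), render_ratings_page([row], generated_on)))
    written = []
    for name, page in pages:
        if has_live_script(page):
            raise RuntimeError("refusing to publish %s: live script tag present" % name)
        path = os.path.join(out_dir, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(page)
        written.append(path)
    return written


def publish_snapshot(rows, generated_on):
    """Convenience wrapper: publish into a fresh temporary directory."""
    return publish(rows, tempfile.mkdtemp(prefix="ratings-"), generated_on)


if __name__ == "__main__":
    for path in publish_snapshot(RATING_ROWS, "2009-09-22"):
        print("wrote", path)
```

The escaping is what makes the batch approach safe rather than merely offline: the polluted name is published as the literal characters `&lt;script ...&gt;`, which a browser displays and never executes, and the publish step refuses to write any page where a real tag survived. The files can then be copied to any static host, as the post proposes, with no ASP or database behind them.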


                              • #60
                                Re: A New CFC Website??

                                Originally posted by Vlad Drkulec

                                2. Change web hosting companies to Cogeco which will charge $30 per month or a bit less if you pay by the year. ASP support will then become a non-issue and you will have 24 hour support 365 days a year. If you have a problem and call their toll free support line you will get to talk to a real person based in Canada who will understand your problem after you explain it to them and will get it resolved.
                                Not true. No web hosting company is going to supply software support especially for $30/month. Web hosting services like Cogeco provide the physical server and web serving software for your website. They might also include some software to make it easier for you to build a web site. But no one is going to debug your ASP code or instruct you on how to harden the security on your site for that sort of money. Those are services that fall outside of web hosting.

                                There are many good hosting services. The choice usually depends on what you need (IIS or LAMP) and what sort of customer service you want (for example, regular backups of your databases, etc.). Pretty much you get what you pay for. If you go to a discount host (like GoDaddy), you get discount service.

                                For an organization like the CFC with database driven content (the ratings data), you're probably looking at $20 to $60 per month. The Scarborough Chess Club which uses a modern content management system costs $20 per month to host.
                                Last edited by Steve Karpik; Wednesday, 23rd September, 2009, 12:07 AM.

                                Comment
