You can check out the full article to learn more about why mobile payments are still vulnerable, how the PCI Security Standards Council is tackling the issue, and what the next year will bring for this popular consumer trend.

“There is vagueness around the safety of consumers’ credit card numbers when they are transmitted through mobile applications. A website that’s been modified for a mobile platform is presumably safer than an actual mobile application, making the latter considered not compliant according to the PCI DSS Council. If your business is working on a payment app to make transactions easier or more convenient for customers, you must consider this before deploying the app into the iPhone, Android, Blackberry or other marketplace.”

Check out the entire article on SecurityWeek. 

Cloud security is a hot topic throughout the industry and the discussion is not complete without mentioning how the Cloud Security Alliance (CSA) has been influential in ensuring major security issues are addressed and averted. Cloud Security Alliance (CSA), a non-profit organization formed to promote security in cloud computing and education on the uses of Cloud Computing to help secure all environments.

“FireHost’s deep experience in virtualized and secure hosting is a welcome expertise for The Cloud Security Alliance,” said Jim Reavis, executive director of the Cloud Security Alliance. “We’re confident FireHost will be an asset in helping the CSA continue to innovate in developing best practices for securing providers in the cloud.”

Joining the CSA is further confirmation of our devotion to security and compliance for our customers. This is another step towards building on a foundation of security, governance and compliance, including PCI DSS, HIPAA compliance, SAS 70 Type II & other compliance mandates.

For more information and details, view the following press release announcing our partnership with CSA – http://www.firehost.com/company/newsroom/firehost-joins-cloud-security-alliance.

Yesterday 8/1 WordPress learned of a vulnerability in TimThumb, a popular image resizing library. TimThumb is used in many WordPress plugins and themes. The vulnerability allows third parties to upload and execute malicious PHP code in the TimThumb cache directory. Once the code is uploaded and executed, your site will become completely vulnerable and could become compromised.

We recommend deleting timthumb.php or thumb.php if you can, or remove the entire theme or plugin directory. If the code is removed successfully double check your site is performing and working correctly . If deleting TimThumb is not an option, then please make sure to update the file with the latest version and remember to check the TimThumb site regularly for updates. To do this, visit the Updates page in your WordPress Admin control panel and ensure each plugin is running the latest version.

For more information regarding the TimThumb vulnerability, please visit the following blog post for complete details - http://markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/.

The FireHost support team is available 24x7x365 to help answer any questions you may have via live chat, phone or support ticket through the MyFireHost.com Secure Customer Portal.

Thank you,
FireHost Security Team

As more company websites run on open source applications like Drupal and with corporate blogs powered by WordPress, more victims may suffer from hacks and costly exploits. Learning jQuery learned this lesson the hard way. Before they took a serious look at hardening the open source platform, embarrassing and costly attacks wrought havoc. Other companies that haven’t taken proper precautions to insulate themselves against such threats could face the same fate.

We’ll highlight some security issues that open source Web applications pose and propose solutions if you’ve considered making open source applications part of your business.

Common vulnerabilities in open source Web applications

Like you, hackers love that open source Web applications are free and provide easy access given their “open” source code. If, for example, a hacker can deploy a script to steal information or take control of a Web application on a single piece of hardware, he can easily reproduce these devastating results to affect multiple users or multiple websites that share the same code base. Here’s why:

Locking down open source Web applications
Knowing is half the battle, and there are many tactics to lock down open source Web applications. To succeed in your online business and gain the trust of end users, proper protection is paramount.

Let’s use Learning jQuery, a customer of FireHost, as a backdrop for discussing common breaches to open source and what can be done to achieve better protection for the rest of us. They experienced a SQL injection that exploited an open security vulnerability in the database layer of WordPress. WordPress and other content management system (CMS) providers work hard to stay ahead of SQL injection vulnerabilities by addressing them proactively via patches. Unfortunately, Learning jQuery’s site was an early victim of this particular problem.

A number of techniques can help prevent your open source powered web application from falling victim to attacks like these:

• Application hardening (includes OS and databases) Operating system and database installations should be completed carefully. Avoid default settings and maintain strict permissions controls. Rewrite file extensions to mask the application type, and remove all unnecessary functions and features to close as many virtual “holes” as possible. Additionally, patch, patch, patch. Particularly in an open source environment, updates go far in preventing compromises. The same rules also apply to scripting languages that may be used on your server.
• Server hardening Remove information (such as response headers) that could help a bot or hacker identify the version and type of application running on a server. Patch and perform frequent manual checks of server logs to help identify unusual occurrences.
• Strong passwords and access controlImplement passwords containing alphanumeric, uppercase, lowercase and special characters, and never use dictionary terms. Additionally, reset them regularly. Control access to administrative passwords and grant database credentials only on an as-needed basis. Never use an SA or root account for the database user, block all public and port access to site administrator areas, and refrain from opening up a server to any ports, except 80/443 because these ports are required to transmit web pages over HTTP or HTTPS respectively.
• System log monitoring Watch your system logs closely and ensure that no unauthorized login attempts are successful. Run vulnerability audits and scans on your application regularly (quarterly at minimum) to help identify threats, breaches and suspect activity quickly.

Cyclically, hackers innovate and adapt while CMS providers just try to keep up. Web application firewalls (WAFs) help bridge the gap between hackers’ innovation and CMS providers’ patching. WAFs inspect Web traffic before it can reach the code and block suspect visitors from reaching your services. The ability to block an attack increases exponentially when WAFs team up with intrusion prevention and intrusion detection systems, and other network-level barriers. Had this type of network-layer protection been in place, Learning jQuery’s site might have never experienced an onslaught of malicious attacks.

Keeping open source Web application breaches at bay

The growth and popularity of open source content management systems have changed the security landscape and made traversing it more perilous. But with the help of a developer or technical engineer experienced in securing Web applications (and their hosting environment), you can implement these methods and keep cyber-thieves at bay. With proper precautions, attention to detail and commitment to maintaining your open source websites, companies that use (or plan to use) open source Web applications can have a successful and fruitful run.

SIDEBAR:

More on web application and Linux security:

Installing the ModSecurity Web application firewall on Red Hat Enterprise Linux

Common security flaws to check for on your Linux-based Web systems

Linux security guide: Linux, open source security tools and tips

A look at real-world exploits of Linux security vulnerabilities

A version of this article was published in TechTarget.

Here is how it works – encrypt databases and files “in place”, no longer is it necessary to re-architect databases, storage networks, or files. Seamless implementation, no coding, no application modification and no schema changes. ezNcrypt is transparent to users, applications, databases, and storage subsystems, by running above the file system as a logical volume. Select the level of detail you wish to administer and encrypt the entire database or only those tables that contain your sensitive data. You now have the option to secure and protect your MySQL log files and protect sensitive data that is often left open to vulnerabilities.

FireHost supports and manages the secure key management process for database encryption. Secure key management with ezNcrypt provides both dual authentication and high availability, ensuring the encryption key is never stored on the protected server’s file system.

Encrypting databases at rest is an important part of most regulatory compliance requirements such as PCI, HIPAA, FISMA and HiTech, and can help protect all of your organizations sensitive data. If you would like to learn more about how you could benefit from secure database encryption, feel free to contact sales or support via chat, email or call us at 877.262.3473.